OLD | NEW |
---|---|
1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ | 1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ |
2 /* | 2 /* |
3 * SSL3 Protocol | 3 * SSL3 Protocol |
4 * | 4 * |
5 * This Source Code Form is subject to the terms of the Mozilla Public | 5 * This Source Code Form is subject to the terms of the Mozilla Public |
6 * License, v. 2.0. If a copy of the MPL was not distributed with this | 6 * License, v. 2.0. If a copy of the MPL was not distributed with this |
7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
8 /* $Id$ */ | 8 /* $Id$ */ |
9 | 9 |
10 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */ | 10 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */ |
11 | 11 |
12 #include "cert.h" | 12 #include "cert.h" |
13 #include "ssl.h" | 13 #include "ssl.h" |
14 #include "cryptohi.h" /* for DSAU_ stuff */ | 14 #include "cryptohi.h" /* for DSAU_ stuff */ |
15 #include "keyhi.h" | 15 #include "keyhi.h" |
16 #include "secder.h" | 16 #include "secder.h" |
17 #include "secitem.h" | 17 #include "secitem.h" |
18 #include "sechash.h" | |
18 | 19 |
19 #include "sslimpl.h" | 20 #include "sslimpl.h" |
20 #include "sslproto.h" | 21 #include "sslproto.h" |
21 #include "sslerr.h" | 22 #include "sslerr.h" |
22 #include "prtime.h" | 23 #include "prtime.h" |
23 #include "prinrval.h" | 24 #include "prinrval.h" |
24 #include "prerror.h" | 25 #include "prerror.h" |
25 #include "pratom.h" | 26 #include "pratom.h" |
26 #include "prthread.h" | 27 #include "prthread.h" |
27 | 28 |
28 #include "pk11func.h" | 29 #include "pk11func.h" |
29 #include "secmod.h" | 30 #include "secmod.h" |
30 #ifndef NO_PKCS11_BYPASS | 31 #ifndef NO_PKCS11_BYPASS |
31 #include "blapi.h" | 32 #include "blapi.h" |
32 #endif | 33 #endif |
33 | 34 |
35 /* This is a bodge to allow this code to be compiled against older NSS headers | |
36 * that don't contain the TLS 1.2 changes. */ | |
37 #ifndef CKM_NSS_TLS_PRF_GENERAL_SHA256 | |
38 #define CKM_NSS_TLS_PRF_GENERAL_SHA256 (CKM_NSS + 21) | |
39 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256 (CKM_NSS + 22) | |
40 #define CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256 (CKM_NSS + 23) | |
41 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) | |
42 #endif | |
43 | |
34 #include <stdio.h> | 44 #include <stdio.h> |
35 #ifdef NSS_ENABLE_ZLIB | 45 #ifdef NSS_ENABLE_ZLIB |
36 #include "zlib.h" | 46 #include "zlib.h" |
37 #endif | 47 #endif |
38 | 48 |
39 #ifndef PK11_SETATTRS | 49 #ifndef PK11_SETATTRS |
40 #define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \ | 50 #define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \ |
41 (x)->pValue=(v); (x)->ulValueLen = (l); | 51 (x)->pValue=(v); (x)->ulValueLen = (l); |
42 #endif | 52 #endif |
43 | 53 |
(...skipping 13 matching lines...) Expand all Loading... | |
57 static SECStatus ssl3_SendEncryptedExtensions(sslSocket *ss); | 67 static SECStatus ssl3_SendEncryptedExtensions(sslSocket *ss); |
58 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags); | 68 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags); |
59 static SECStatus ssl3_SendServerHello( sslSocket *ss); | 69 static SECStatus ssl3_SendServerHello( sslSocket *ss); |
60 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss); | 70 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss); |
61 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss); | 71 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss); |
62 static SECStatus ssl3_NewHandshakeHashes( sslSocket *ss); | 72 static SECStatus ssl3_NewHandshakeHashes( sslSocket *ss); |
63 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss, | 73 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss, |
64 const unsigned char *b, | 74 const unsigned char *b, |
65 unsigned int l); | 75 unsigned int l); |
66 static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags); | 76 static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags); |
77 static int ssl3_OIDToTLSHashAlgorithm(SECOidTag oid); | |
67 | 78 |
68 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, | 79 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, |
69 int maxOutputLen, const unsigned char *input, | 80 int maxOutputLen, const unsigned char *input, |
70 int inputLen); | 81 int inputLen); |
71 | 82 |
72 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */ | 83 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */ |
73 #define MIN_SEND_BUF_LENGTH 4000 | 84 #define MIN_SEND_BUF_LENGTH 4000 |
74 | 85 |
75 /* This list of SSL3 cipher suites is sorted in descending order of | 86 /* This list of SSL3 cipher suites is sorted in descending order of |
76 * precedence (desirability). It only includes cipher suites we implement. | 87 * precedence (desirability). It only includes cipher suites we implement. |
(...skipping 727 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
804 SECStatus | 815 SECStatus |
805 ssl3_SignHashes(SSL3Hashes *hash, SECKEYPrivateKey *key, SECItem *buf, | 816 ssl3_SignHashes(SSL3Hashes *hash, SECKEYPrivateKey *key, SECItem *buf, |
806 PRBool isTLS) | 817 PRBool isTLS) |
807 { | 818 { |
808 SECStatus rv = SECFailure; | 819 SECStatus rv = SECFailure; |
809 PRBool doDerEncode = PR_FALSE; | 820 PRBool doDerEncode = PR_FALSE; |
810 int signatureLen; | 821 int signatureLen; |
811 SECItem hashItem; | 822 SECItem hashItem; |
812 | 823 |
813 buf->data = NULL; | 824 buf->data = NULL; |
814 signatureLen = PK11_SignatureLen(key); | |
815 if (signatureLen <= 0) { | |
816 PORT_SetError(SEC_ERROR_INVALID_KEY); | |
817 goto done; | |
818 } | |
819 | |
820 buf->len = (unsigned)signatureLen; | |
821 buf->data = (unsigned char *)PORT_Alloc(signatureLen); | |
822 if (!buf->data) | |
823 goto done; /* error code was set. */ | |
824 | 825 |
825 switch (key->keyType) { | 826 switch (key->keyType) { |
826 case rsaKey: | 827 case rsaKey: |
827 » hashItem.data = hash->md5; | 828 » hashItem.data = hash->u.raw; |
828 » hashItem.len = sizeof(SSL3Hashes); | 829 » hashItem.len = hash->len; |
829 break; | 830 break; |
830 case dsaKey: | 831 case dsaKey: |
831 doDerEncode = isTLS; | 832 doDerEncode = isTLS; |
832 » hashItem.data = hash->sha; | 833 » /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash. |
833 » hashItem.len = sizeof(hash->sha); | 834 » * In that case, we use just the SHA1 part. */ |
835 » if (hash->hashAlg == SEC_OID_UNKNOWN) { | |
836 » hashItem.data = hash->u.s.sha; | |
837 » hashItem.len = sizeof(hash->u.s.sha); | |
838 » } else { | |
839 » hashItem.data = hash->u.raw; | |
840 » hashItem.len = hash->len; | |
841 » } | |
834 break; | 842 break; |
835 #ifdef NSS_ENABLE_ECC | 843 #ifdef NSS_ENABLE_ECC |
836 case ecKey: | 844 case ecKey: |
837 doDerEncode = PR_TRUE; | 845 doDerEncode = PR_TRUE; |
838 » hashItem.data = hash->sha; | 846 » /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash. |
839 » hashItem.len = sizeof(hash->sha); | 847 » * In that case, we use just the SHA1 part. */ |
848 » if (hash->hashAlg == SEC_OID_UNKNOWN) { | |
849 » hashItem.data = hash->u.s.sha; | |
850 » hashItem.len = sizeof(hash->u.s.sha); | |
851 » } else { | |
852 » hashItem.data = hash->u.raw; | |
853 » hashItem.len = hash->len; | |
854 » } | |
840 break; | 855 break; |
841 #endif /* NSS_ENABLE_ECC */ | 856 #endif /* NSS_ENABLE_ECC */ |
842 default: | 857 default: |
843 PORT_SetError(SEC_ERROR_INVALID_KEY); | 858 PORT_SetError(SEC_ERROR_INVALID_KEY); |
844 goto done; | 859 goto done; |
845 } | 860 } |
846 PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len)); | 861 PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len)); |
847 | 862 |
848 rv = PK11_Sign(key, buf, &hashItem); | 863 if (hash->hashAlg == SEC_OID_UNKNOWN) { |
864 » signatureLen = PK11_SignatureLen(key); | |
865 » if (signatureLen <= 0) { | |
866 » PORT_SetError(SEC_ERROR_INVALID_KEY); | |
867 » goto done; | |
868 » } | |
869 | |
870 » buf->len = (unsigned)signatureLen; | |
871 » buf->data = (unsigned char *)PORT_Alloc(signatureLen); | |
872 » if (!buf->data) | |
873 » goto done; /* error code was set. */ | |
874 | |
875 » rv = PK11_Sign(key, buf, &hashItem); | |
876 } else { | |
877 » rv = SGN_Digest(key, hash->hashAlg, buf, &hashItem); | |
wtc
2013/05/28 17:50:25
I figured out how to use the NSS high-level signat
| |
878 } | |
849 if (rv != SECSuccess) { | 879 if (rv != SECSuccess) { |
850 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE); | 880 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE); |
851 } else if (doDerEncode) { | 881 } else if (doDerEncode) { |
852 SECItem derSig = {siBuffer, NULL, 0}; | 882 SECItem derSig = {siBuffer, NULL, 0}; |
853 | 883 |
854 /* This also works for an ECDSA signature */ | 884 /* This also works for an ECDSA signature */ |
855 rv = DSAU_EncodeDerSigWithLen(&derSig, buf, buf->len); | 885 rv = DSAU_EncodeDerSigWithLen(&derSig, buf, buf->len); |
856 if (rv == SECSuccess) { | 886 if (rv == SECSuccess) { |
857 PORT_Free(buf->data); /* discard unencoded signature. */ | 887 PORT_Free(buf->data); /* discard unencoded signature. */ |
858 *buf = derSig; /* give caller encoded signature. */ | 888 *buf = derSig; /* give caller encoded signature. */ |
(...skipping 13 matching lines...) Expand all Loading... | |
872 | 902 |
873 /* Called from ssl3_HandleServerKeyExchange, ssl3_HandleCertificateVerify */ | 903 /* Called from ssl3_HandleServerKeyExchange, ssl3_HandleCertificateVerify */ |
874 SECStatus | 904 SECStatus |
875 ssl3_VerifySignedHashes(SSL3Hashes *hash, CERTCertificate *cert, | 905 ssl3_VerifySignedHashes(SSL3Hashes *hash, CERTCertificate *cert, |
876 SECItem *buf, PRBool isTLS, void *pwArg) | 906 SECItem *buf, PRBool isTLS, void *pwArg) |
877 { | 907 { |
878 SECKEYPublicKey * key; | 908 SECKEYPublicKey * key; |
879 SECItem * signature = NULL; | 909 SECItem * signature = NULL; |
880 SECStatus rv; | 910 SECStatus rv; |
881 SECItem hashItem; | 911 SECItem hashItem; |
882 #ifdef NSS_ENABLE_ECC | 912 SECOidTag encAlg; |
883 unsigned int len; | 913 SECOidTag hashAlg; |
884 #endif /* NSS_ENABLE_ECC */ | |
885 | 914 |
886 | 915 |
887 PRINT_BUF(60, (NULL, "check signed hashes", | 916 PRINT_BUF(60, (NULL, "check signed hashes", |
888 buf->data, buf->len)); | 917 buf->data, buf->len)); |
889 | 918 |
890 key = CERT_ExtractPublicKey(cert); | 919 key = CERT_ExtractPublicKey(cert); |
891 if (key == NULL) { | 920 if (key == NULL) { |
892 ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); | 921 ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); |
893 return SECFailure; | 922 return SECFailure; |
894 } | 923 } |
895 | 924 |
925 hashAlg = hash->hashAlg; | |
896 switch (key->keyType) { | 926 switch (key->keyType) { |
897 case rsaKey: | 927 case rsaKey: |
898 » hashItem.data = hash->md5; | 928 » encAlg = SEC_OID_PKCS1_RSA_ENCRYPTION; |
899 » hashItem.len = sizeof(SSL3Hashes); | 929 » hashItem.data = hash->u.raw; |
930 » hashItem.len = hash->len; | |
900 break; | 931 break; |
901 case dsaKey: | 932 case dsaKey: |
902 » hashItem.data = hash->sha; | 933 » encAlg = SEC_OID_ANSIX9_DSA_SIGNATURE; |
903 » hashItem.len = sizeof(hash->sha); | 934 » /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash. |
935 » * In that case, we use just the SHA1 part. */ | |
936 » if (hash->hashAlg == SEC_OID_UNKNOWN) { | |
937 » hashItem.data = hash->u.s.sha; | |
938 » hashItem.len = sizeof(hash->u.s.sha); | |
939 » } else { | |
940 » hashItem.data = hash->u.raw; | |
941 » hashItem.len = hash->len; | |
942 » } | |
904 /* Allow DER encoded DSA signatures in SSL 3.0 */ | 943 /* Allow DER encoded DSA signatures in SSL 3.0 */ |
905 if (isTLS || buf->len != SECKEY_SignatureLen(key)) { | 944 if (isTLS || buf->len != SECKEY_SignatureLen(key)) { |
906 signature = DSAU_DecodeDerSig(buf); | 945 signature = DSAU_DecodeDerSig(buf); |
907 if (!signature) { | 946 if (!signature) { |
908 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); | 947 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); |
909 return SECFailure; | 948 return SECFailure; |
910 } | 949 } |
911 buf = signature; | 950 buf = signature; |
912 } | 951 } |
913 break; | 952 break; |
914 | 953 |
915 #ifdef NSS_ENABLE_ECC | 954 #ifdef NSS_ENABLE_ECC |
916 case ecKey: | 955 case ecKey: |
917 » hashItem.data = hash->sha; | 956 » encAlg = SEC_OID_ANSIX962_EC_PUBLIC_KEY; |
918 » hashItem.len = sizeof(hash->sha); | 957 » /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash. |
919 » /* | 958 » * In that case, we use just the SHA1 part. |
920 » * ECDSA signatures always encode the integers r and s | 959 » * ECDSA signatures always encode the integers r and s using ASN.1 |
921 » * using ASN (unlike DSA where ASN encoding is used | 960 » * (unlike DSA where ASN.1 encoding is used with TLS but not with |
922 » * with TLS but not with SSL3) | 961 » * SSL3). So we can use VFY_VerifyDigestDirect for ECDSA. |
923 */ | 962 */ |
924 » len = SECKEY_SignatureLen(key); | 963 » if (hash->hashAlg == SEC_OID_UNKNOWN) { |
925 » if (len == 0) { | 964 » hashAlg = SEC_OID_SHA1; |
926 » SECKEY_DestroyPublicKey(key); | 965 » hashItem.data = hash->u.s.sha; |
927 » PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); | 966 » hashItem.len = sizeof(hash->u.s.sha); |
928 » return SECFailure; | 967 » } else { |
968 » hashItem.data = hash->u.raw; | |
969 » hashItem.len = hash->len; | |
929 } | 970 } |
930 signature = DSAU_DecodeDerSigToLen(buf, len); | |
931 if (!signature) { | |
932 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); | |
933 return SECFailure; | |
934 } | |
935 buf = signature; | |
936 break; | 971 break; |
937 #endif /* NSS_ENABLE_ECC */ | 972 #endif /* NSS_ENABLE_ECC */ |
938 | 973 |
939 default: | 974 default: |
940 SECKEY_DestroyPublicKey(key); | 975 SECKEY_DestroyPublicKey(key); |
941 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); | 976 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); |
942 return SECFailure; | 977 return SECFailure; |
943 } | 978 } |
944 | 979 |
945 PRINT_BUF(60, (NULL, "hash(es) to be verified", | 980 PRINT_BUF(60, (NULL, "hash(es) to be verified", |
946 hashItem.data, hashItem.len)); | 981 hashItem.data, hashItem.len)); |
947 | 982 |
948 rv = PK11_Verify(key, buf, &hashItem, pwArg); | 983 if (hashAlg == SEC_OID_UNKNOWN || key->keyType == dsaKey) { |
wtc
2013/05/28 17:50:25
Please let me know if you find this boolean expres
agl
2013/05/28 20:21:13
Based on my understanding I would write:
// VFY_V
wtc
2013/05/28 23:22:19
Done.
| |
984 » /* VFY_VerifyDigestDirect requires DSA signatures to be DER-encoded. | |
985 » * So it would be more complicated to verify DSA signatures with | |
986 » * VFY_VerifyDigestDirect. */ | |
987 » rv = PK11_Verify(key, buf, &hashItem, pwArg); | |
988 } else { | |
989 » rv = VFY_VerifyDigestDirect(&hashItem, key, buf, encAlg, hashAlg, | |
990 » » » » pwArg); | |
991 } | |
949 SECKEY_DestroyPublicKey(key); | 992 SECKEY_DestroyPublicKey(key); |
950 if (signature) { | 993 if (signature) { |
951 SECITEM_FreeItem(signature, PR_TRUE); | 994 SECITEM_FreeItem(signature, PR_TRUE); |
952 } | 995 } |
953 if (rv != SECSuccess) { | 996 if (rv != SECSuccess) { |
954 ssl_MapLowLevelError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); | 997 ssl_MapLowLevelError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); |
955 } | 998 } |
956 return rv; | 999 return rv; |
957 } | 1000 } |
958 | 1001 |
959 | 1002 |
960 /* Caller must set hiLevel error code. */ | 1003 /* Caller must set hiLevel error code. */ |
961 /* Called from ssl3_ComputeExportRSAKeyHash | 1004 /* Called from ssl3_ComputeExportRSAKeyHash |
962 * ssl3_ComputeDHKeyHash | 1005 * ssl3_ComputeDHKeyHash |
963 * which are called from ssl3_HandleServerKeyExchange. | 1006 * which are called from ssl3_HandleServerKeyExchange. |
1007 * | |
1008 * hashAlg: either the OID for a hash algorithm or SEC_OID_UNKNOWN to specify | |
1009 * the pre-1.2, MD5/SHA1 combination hash. | |
964 */ | 1010 */ |
965 SECStatus | 1011 SECStatus |
966 ssl3_ComputeCommonKeyHash(PRUint8 * hashBuf, unsigned int bufLen, | 1012 ssl3_ComputeCommonKeyHash(SECOidTag hashAlg, |
967 » » » SSL3Hashes *hashes, PRBool bypassPKCS11) | 1013 » » » PRUint8 * hashBuf, unsigned int bufLen, |
1014 » » » SSL3Hashes *hashes, PRBool bypassPKCS11) | |
968 { | 1015 { |
969 SECStatus rv = SECSuccess; | 1016 SECStatus rv = SECSuccess; |
970 | 1017 |
971 #ifndef NO_PKCS11_BYPASS | 1018 #ifndef NO_PKCS11_BYPASS |
972 if (bypassPKCS11) { | 1019 if (bypassPKCS11) { |
973 » MD5_HashBuf (hashes->md5, hashBuf, bufLen); | 1020 » if (hashAlg == SEC_OID_UNKNOWN) { |
974 » SHA1_HashBuf(hashes->sha, hashBuf, bufLen); | 1021 » MD5_HashBuf (hashes->u.s.md5, hashBuf, bufLen); |
1022 » SHA1_HashBuf(hashes->u.s.sha, hashBuf, bufLen); | |
1023 » hashes->len = MD5_LENGTH + SHA1_LENGTH; | |
1024 » } else if (hashAlg == SEC_OID_SHA1) { | |
1025 » SHA1_HashBuf(hashes->u.raw, hashBuf, bufLen); | |
1026 » hashes->len = SHA1_LENGTH; | |
1027 » } else if (hashAlg == SEC_OID_SHA256) { | |
1028 » SHA256_HashBuf(hashes->u.raw, hashBuf, bufLen); | |
1029 » hashes->len = SHA256_LENGTH; | |
1030 » } else if (hashAlg == SEC_OID_SHA384) { | |
1031 » SHA384_HashBuf(hashes->u.raw, hashBuf, bufLen); | |
1032 » hashes->len = SHA384_LENGTH; | |
1033 » } else { | |
1034 » PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM); | |
1035 » return SECFailure; | |
1036 » } | |
975 } else | 1037 } else |
976 #endif | 1038 #endif |
977 { | 1039 { |
978 » rv = PK11_HashBuf(SEC_OID_MD5, hashes->md5, hashBuf, bufLen); | 1040 » if (hashAlg == SEC_OID_UNKNOWN) { |
979 » if (rv != SECSuccess) { | 1041 » rv = PK11_HashBuf(SEC_OID_MD5, hashes->u.s.md5, hashBuf, bufLen); |
980 » ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); | 1042 » if (rv != SECSuccess) { |
981 » rv = SECFailure; | 1043 » » ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); |
982 » goto done; | 1044 » » rv = SECFailure; |
983 » } | 1045 » » goto done; |
1046 » } | |
984 | 1047 |
985 » rv = PK11_HashBuf(SEC_OID_SHA1, hashes->sha, hashBuf, bufLen); | 1048 » rv = PK11_HashBuf(SEC_OID_SHA1, hashes->u.s.sha, hashBuf, bufLen); |
986 » if (rv != SECSuccess) { | 1049 » if (rv != SECSuccess) { |
987 » ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); | 1050 » » ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
988 » rv = SECFailure; | 1051 » » rv = SECFailure; |
1052 » } | |
1053 » hashes->len = MD5_LENGTH + SHA1_LENGTH; | |
1054 » } else { | |
1055 » hashes->len = HASH_ResultLenByOidTag(hashAlg); | |
1056 » if (hashes->len > sizeof(hashes->u.raw)) { | |
1057 » » ssl_MapLowLevelError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM); | |
1058 » » rv = SECFailure; | |
1059 » » goto done; | |
1060 » } | |
1061 » rv = PK11_HashBuf(hashAlg, hashes->u.raw, hashBuf, bufLen); | |
1062 » if (rv != SECSuccess) { | |
1063 » » ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); | |
1064 » » rv = SECFailure; | |
1065 » } | |
989 } | 1066 } |
990 } | 1067 } |
1068 hashes->hashAlg = hashAlg; | |
1069 | |
991 done: | 1070 done: |
992 return rv; | 1071 return rv; |
993 } | 1072 } |
994 | 1073 |
995 /* Caller must set hiLevel error code. | 1074 /* Caller must set hiLevel error code. |
996 ** Called from ssl3_SendServerKeyExchange and | 1075 ** Called from ssl3_SendServerKeyExchange and |
997 ** ssl3_HandleServerKeyExchange. | 1076 ** ssl3_HandleServerKeyExchange. |
998 */ | 1077 */ |
999 static SECStatus | 1078 static SECStatus |
1000 ssl3_ComputeExportRSAKeyHash(SECItem modulus, SECItem publicExponent, | 1079 ssl3_ComputeExportRSAKeyHash(SECOidTag hashAlg, |
1080 » » » SECItem modulus, SECItem publicExponent, | |
1001 SSL3Random *client_rand, SSL3Random *server_rand, | 1081 SSL3Random *client_rand, SSL3Random *server_rand, |
1002 SSL3Hashes *hashes, PRBool bypassPKCS11) | 1082 SSL3Hashes *hashes, PRBool bypassPKCS11) |
1003 { | 1083 { |
1004 PRUint8 * hashBuf; | 1084 PRUint8 * hashBuf; |
1005 PRUint8 * pBuf; | 1085 PRUint8 * pBuf; |
1006 SECStatus rv = SECSuccess; | 1086 SECStatus rv = SECSuccess; |
1007 unsigned int bufLen; | 1087 unsigned int bufLen; |
1008 PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8]; | 1088 PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8]; |
1009 | 1089 |
1010 bufLen = 2*SSL3_RANDOM_LENGTH + 2 + modulus.len + 2 + publicExponent.len; | 1090 bufLen = 2*SSL3_RANDOM_LENGTH + 2 + modulus.len + 2 + publicExponent.len; |
(...skipping 15 matching lines...) Expand all Loading... | |
1026 pBuf += 2; | 1106 pBuf += 2; |
1027 memcpy(pBuf, modulus.data, modulus.len); | 1107 memcpy(pBuf, modulus.data, modulus.len); |
1028 pBuf += modulus.len; | 1108 pBuf += modulus.len; |
1029 pBuf[0] = (PRUint8)(publicExponent.len >> 8); | 1109 pBuf[0] = (PRUint8)(publicExponent.len >> 8); |
1030 pBuf[1] = (PRUint8)(publicExponent.len); | 1110 pBuf[1] = (PRUint8)(publicExponent.len); |
1031 pBuf += 2; | 1111 pBuf += 2; |
1032 memcpy(pBuf, publicExponent.data, publicExponent.len); | 1112 memcpy(pBuf, publicExponent.data, publicExponent.len); |
1033 pBuf += publicExponent.len; | 1113 pBuf += publicExponent.len; |
1034 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen); | 1114 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen); |
1035 | 1115 |
1036 rv = ssl3_ComputeCommonKeyHash(hashBuf, bufLen, hashes, bypassPKCS11); | 1116 rv = ssl3_ComputeCommonKeyHash(hashAlg, hashBuf, bufLen, hashes, |
1117 » » » » bypassPKCS11); | |
1037 | 1118 |
1038 PRINT_BUF(95, (NULL, "RSAkey hash: ", hashBuf, bufLen)); | 1119 PRINT_BUF(95, (NULL, "RSAkey hash: ", hashBuf, bufLen)); |
1039 PRINT_BUF(95, (NULL, "RSAkey hash: MD5 result", hashes->md5, MD5_LENGTH)); | 1120 if (hashAlg == SEC_OID_UNKNOWN) { |
1040 PRINT_BUF(95, (NULL, "RSAkey hash: SHA1 result", hashes->sha, SHA1_LENGTH)); | 1121 » PRINT_BUF(95, (NULL, "RSAkey hash: MD5 result", |
1122 » » hashes->u.s.md5, MD5_LENGTH)); | |
1123 » PRINT_BUF(95, (NULL, "RSAkey hash: SHA1 result", | |
1124 » » hashes->u.s.sha, SHA1_LENGTH)); | |
1125 } else { | |
1126 » PRINT_BUF(95, (NULL, "RSAkey hash: result", | |
1127 » » hashes->u.raw, hashes->len)); | |
1128 } | |
1041 | 1129 |
1042 if (hashBuf != buf && hashBuf != NULL) | 1130 if (hashBuf != buf && hashBuf != NULL) |
1043 PORT_Free(hashBuf); | 1131 PORT_Free(hashBuf); |
1044 return rv; | 1132 return rv; |
1045 } | 1133 } |
1046 | 1134 |
1047 /* Caller must set hiLevel error code. */ | 1135 /* Caller must set hiLevel error code. */ |
1048 /* Called from ssl3_HandleServerKeyExchange. */ | 1136 /* Called from ssl3_HandleServerKeyExchange. */ |
1049 static SECStatus | 1137 static SECStatus |
1050 ssl3_ComputeDHKeyHash(SECItem dh_p, SECItem dh_g, SECItem dh_Ys, | 1138 ssl3_ComputeDHKeyHash(SECOidTag hashAlg, |
1051 » » » SSL3Random *client_rand, SSL3Random *server_rand, | 1139 » » SECItem dh_p, SECItem dh_g, SECItem dh_Ys, |
1052 » » » SSL3Hashes *hashes, PRBool bypassPKCS11) | 1140 » » SSL3Random *client_rand, SSL3Random *server_rand, |
1141 » » SSL3Hashes *hashes, PRBool bypassPKCS11) | |
1053 { | 1142 { |
1054 PRUint8 * hashBuf; | 1143 PRUint8 * hashBuf; |
1055 PRUint8 * pBuf; | 1144 PRUint8 * pBuf; |
1056 SECStatus rv = SECSuccess; | 1145 SECStatus rv = SECSuccess; |
1057 unsigned int bufLen; | 1146 unsigned int bufLen; |
1058 PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8]; | 1147 PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8]; |
1059 | 1148 |
1060 bufLen = 2*SSL3_RANDOM_LENGTH + 2 + dh_p.len + 2 + dh_g.len + 2 + dh_Ys.len; | 1149 bufLen = 2*SSL3_RANDOM_LENGTH + 2 + dh_p.len + 2 + dh_g.len + 2 + dh_Ys.len; |
1061 if (bufLen <= sizeof buf) { | 1150 if (bufLen <= sizeof buf) { |
1062 hashBuf = buf; | 1151 hashBuf = buf; |
(...skipping 18 matching lines...) Expand all Loading... | |
1081 pBuf += 2; | 1170 pBuf += 2; |
1082 memcpy(pBuf, dh_g.data, dh_g.len); | 1171 memcpy(pBuf, dh_g.data, dh_g.len); |
1083 pBuf += dh_g.len; | 1172 pBuf += dh_g.len; |
1084 pBuf[0] = (PRUint8)(dh_Ys.len >> 8); | 1173 pBuf[0] = (PRUint8)(dh_Ys.len >> 8); |
1085 pBuf[1] = (PRUint8)(dh_Ys.len); | 1174 pBuf[1] = (PRUint8)(dh_Ys.len); |
1086 pBuf += 2; | 1175 pBuf += 2; |
1087 memcpy(pBuf, dh_Ys.data, dh_Ys.len); | 1176 memcpy(pBuf, dh_Ys.data, dh_Ys.len); |
1088 pBuf += dh_Ys.len; | 1177 pBuf += dh_Ys.len; |
1089 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen); | 1178 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen); |
1090 | 1179 |
1091 rv = ssl3_ComputeCommonKeyHash(hashBuf, bufLen, hashes, bypassPKCS11); | 1180 rv = ssl3_ComputeCommonKeyHash(hashAlg, hashBuf, bufLen, hashes, |
1181 » » » » bypassPKCS11); | |
1092 | 1182 |
1093 PRINT_BUF(95, (NULL, "DHkey hash: ", hashBuf, bufLen)); | 1183 PRINT_BUF(95, (NULL, "DHkey hash: ", hashBuf, bufLen)); |
1094 PRINT_BUF(95, (NULL, "DHkey hash: MD5 result", hashes->md5, MD5_LENGTH)); | 1184 if (hashAlg == SEC_OID_UNKNOWN) { |
1095 PRINT_BUF(95, (NULL, "DHkey hash: SHA1 result", hashes->sha, SHA1_LENGTH)); | 1185 » PRINT_BUF(95, (NULL, "DHkey hash: MD5 result", |
1186 » » hashes->u.s.md5, MD5_LENGTH)); | |
1187 » PRINT_BUF(95, (NULL, "DHkey hash: SHA1 result", | |
1188 » » hashes->u.s.sha, SHA1_LENGTH)); | |
1189 } else { | |
1190 » PRINT_BUF(95, (NULL, "DHkey hash: result", | |
1191 » » hashes->u.raw, hashes->len)); | |
1192 } | |
1096 | 1193 |
1097 if (hashBuf != buf && hashBuf != NULL) | 1194 if (hashBuf != buf && hashBuf != NULL) |
1098 PORT_Free(hashBuf); | 1195 PORT_Free(hashBuf); |
1099 return rv; | 1196 return rv; |
1100 } | 1197 } |
1101 | 1198 |
1102 static void | 1199 static void |
1103 ssl3_BumpSequenceNumber(SSL3SequenceNumber *num) | 1200 ssl3_BumpSequenceNumber(SSL3SequenceNumber *num) |
1104 { | 1201 { |
1105 num->low++; | 1202 num->low++; |
(...skipping 2077 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
3183 */ | 3280 */ |
3184 static SECStatus | 3281 static SECStatus |
3185 ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms) | 3282 ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms) |
3186 { | 3283 { |
3187 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec; | 3284 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec; |
3188 const ssl3KEADef *kea_def= ss->ssl3.hs.kea_def; | 3285 const ssl3KEADef *kea_def= ss->ssl3.hs.kea_def; |
3189 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random; | 3286 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random; |
3190 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random; | 3287 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random; |
3191 PRBool isTLS = (PRBool)(kea_def->tls_keygen || | 3288 PRBool isTLS = (PRBool)(kea_def->tls_keygen || |
3192 (pwSpec->version > SSL_LIBRARY_VERSION_3_0)); | 3289 (pwSpec->version > SSL_LIBRARY_VERSION_3_0)); |
3290 PRBool isTLS12= | |
3291 (PRBool)(isTLS && pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); | |
3193 /* | 3292 /* |
3194 * Whenever isDH is true, we need to use CKM_TLS_MASTER_KEY_DERIVE_DH | 3293 * Whenever isDH is true, we need to use CKM_TLS_MASTER_KEY_DERIVE_DH |
3195 * which, unlike CKM_TLS_MASTER_KEY_DERIVE, converts arbitrary size | 3294 * which, unlike CKM_TLS_MASTER_KEY_DERIVE, converts arbitrary size |
3196 * data into a 48-byte value. | 3295 * data into a 48-byte value. |
3197 */ | 3296 */ |
3198 PRBool isDH = (PRBool) ((ss->ssl3.hs.kea_def->exchKeyType == kt_dh) || | 3297 PRBool isDH = (PRBool) ((ss->ssl3.hs.kea_def->exchKeyType == kt_dh) || |
3199 (ss->ssl3.hs.kea_def->exchKeyType == kt_ecdh)); | 3298 (ss->ssl3.hs.kea_def->exchKeyType == kt_ecdh)); |
3200 SECStatus rv = SECFailure; | 3299 SECStatus rv = SECFailure; |
3201 CK_MECHANISM_TYPE master_derive; | 3300 CK_MECHANISM_TYPE master_derive; |
3202 CK_MECHANISM_TYPE key_derive; | 3301 CK_MECHANISM_TYPE key_derive; |
3203 SECItem params; | 3302 SECItem params; |
3204 CK_FLAGS keyFlags; | 3303 CK_FLAGS keyFlags; |
3205 CK_VERSION pms_version; | 3304 CK_VERSION pms_version; |
3206 CK_SSL3_MASTER_KEY_DERIVE_PARAMS master_params; | 3305 CK_SSL3_MASTER_KEY_DERIVE_PARAMS master_params; |
3207 | 3306 |
3208 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 3307 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
3209 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); | 3308 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); |
3210 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); | 3309 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); |
3211 if (isTLS) { | 3310 if (isTLS12) { |
3311 » if(isDH) master_derive = CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256; | |
3312 » else master_derive = CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256; | |
3313 » key_derive = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256; | |
3314 » keyFlags = CKF_SIGN | CKF_VERIFY; | |
3315 } else if (isTLS) { | |
3212 if(isDH) master_derive = CKM_TLS_MASTER_KEY_DERIVE_DH; | 3316 if(isDH) master_derive = CKM_TLS_MASTER_KEY_DERIVE_DH; |
3213 else master_derive = CKM_TLS_MASTER_KEY_DERIVE; | 3317 else master_derive = CKM_TLS_MASTER_KEY_DERIVE; |
3214 key_derive = CKM_TLS_KEY_AND_MAC_DERIVE; | 3318 key_derive = CKM_TLS_KEY_AND_MAC_DERIVE; |
3215 keyFlags = CKF_SIGN | CKF_VERIFY; | 3319 keyFlags = CKF_SIGN | CKF_VERIFY; |
3216 } else { | 3320 } else { |
3217 if (isDH) master_derive = CKM_SSL3_MASTER_KEY_DERIVE_DH; | 3321 if (isDH) master_derive = CKM_SSL3_MASTER_KEY_DERIVE_DH; |
3218 else master_derive = CKM_SSL3_MASTER_KEY_DERIVE; | 3322 else master_derive = CKM_SSL3_MASTER_KEY_DERIVE; |
3219 key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE; | 3323 key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE; |
3220 keyFlags = 0; | 3324 keyFlags = 0; |
3221 } | 3325 } |
(...skipping 137 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
3359 */ | 3463 */ |
3360 static SECStatus | 3464 static SECStatus |
3361 ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss) | 3465 ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss) |
3362 { | 3466 { |
3363 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec; | 3467 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec; |
3364 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; | 3468 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; |
3365 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random; | 3469 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random; |
3366 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random; | 3470 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random; |
3367 PRBool isTLS = (PRBool)(kea_def->tls_keygen || | 3471 PRBool isTLS = (PRBool)(kea_def->tls_keygen || |
3368 (pwSpec->version > SSL_LIBRARY_VERSION_3_0)); | 3472 (pwSpec->version > SSL_LIBRARY_VERSION_3_0)); |
3473 PRBool isTLS12= | |
3474 (PRBool)(isTLS && pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); | |
3369 /* following variables used in PKCS11 path */ | 3475 /* following variables used in PKCS11 path */ |
3370 const ssl3BulkCipherDef *cipher_def = pwSpec->cipher_def; | 3476 const ssl3BulkCipherDef *cipher_def = pwSpec->cipher_def; |
3371 PK11SlotInfo * slot = NULL; | 3477 PK11SlotInfo * slot = NULL; |
3372 PK11SymKey * symKey = NULL; | 3478 PK11SymKey * symKey = NULL; |
3373 void * pwArg = ss->pkcs11PinArg; | 3479 void * pwArg = ss->pkcs11PinArg; |
3374 int keySize; | 3480 int keySize; |
3375 CK_SSL3_KEY_MAT_PARAMS key_material_params; | 3481 CK_SSL3_KEY_MAT_PARAMS key_material_params; |
3376 CK_SSL3_KEY_MAT_OUT returnedKeys; | 3482 CK_SSL3_KEY_MAT_OUT returnedKeys; |
3377 CK_MECHANISM_TYPE key_derive; | 3483 CK_MECHANISM_TYPE key_derive; |
3378 CK_MECHANISM_TYPE bulk_mechanism; | 3484 CK_MECHANISM_TYPE bulk_mechanism; |
(...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
3416 returnedKeys.pIVServer = NULL; | 3522 returnedKeys.pIVServer = NULL; |
3417 } | 3523 } |
3418 | 3524 |
3419 calg = cipher_def->calg; | 3525 calg = cipher_def->calg; |
3420 PORT_Assert( alg2Mech[calg].calg == calg); | 3526 PORT_Assert( alg2Mech[calg].calg == calg); |
3421 bulk_mechanism = alg2Mech[calg].cmech; | 3527 bulk_mechanism = alg2Mech[calg].cmech; |
3422 | 3528 |
3423 params.data = (unsigned char *)&key_material_params; | 3529 params.data = (unsigned char *)&key_material_params; |
3424 params.len = sizeof(key_material_params); | 3530 params.len = sizeof(key_material_params); |
3425 | 3531 |
3426 if (isTLS) { | 3532 if (isTLS12) { |
3533 » key_derive = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256; | |
3534 } else if (isTLS) { | |
3427 key_derive = CKM_TLS_KEY_AND_MAC_DERIVE; | 3535 key_derive = CKM_TLS_KEY_AND_MAC_DERIVE; |
3428 } else { | 3536 } else { |
3429 key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE; | 3537 key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE; |
3430 } | 3538 } |
3431 | 3539 |
3432 /* CKM_SSL3_KEY_AND_MAC_DERIVE is defined to set ENCRYPT, DECRYPT, and | 3540 /* CKM_SSL3_KEY_AND_MAC_DERIVE is defined to set ENCRYPT, DECRYPT, and |
3433 * DERIVE by DEFAULT */ | 3541 * DERIVE by DEFAULT */ |
3434 symKey = PK11_Derive(pwSpec->master_secret, key_derive, ¶ms, | 3542 symKey = PK11_Derive(pwSpec->master_secret, key_derive, ¶ms, |
3435 bulk_mechanism, CKA_ENCRYPT, keySize); | 3543 bulk_mechanism, CKA_ENCRYPT, keySize); |
3436 if (!symKey) { | 3544 if (!symKey) { |
(...skipping 36 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
3473 PK11_FreeSymKey(symKey); | 3581 PK11_FreeSymKey(symKey); |
3474 return SECSuccess; | 3582 return SECSuccess; |
3475 | 3583 |
3476 | 3584 |
3477 loser: | 3585 loser: |
3478 if (symKey) PK11_FreeSymKey(symKey); | 3586 if (symKey) PK11_FreeSymKey(symKey); |
3479 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); | 3587 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); |
3480 return SECFailure; | 3588 return SECFailure; |
3481 } | 3589 } |
3482 | 3590 |
3591 /* ssl3_InitTLS12HandshakeHash creates a handshake hash context for TLS 1.2, | |
3592 * if needed, and hashes in any buffered messages in ss->ssl3.hs.messages. */ | |
3593 static SECStatus | |
3594 ssl3_InitTLS12HandshakeHash(sslSocket *ss) | |
3595 { | |
3596 if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2 && | |
3597 ss->ssl3.hs.tls12_handshake_hash == NULL) { | |
3598 /* If we ever support ciphersuites where the PRF hash isn't SHA-256 | |
3599 * then this will need to be updated. */ | |
3600 ss->ssl3.hs.tls12_handshake_hash = | |
3601 PK11_CreateDigestContext(SEC_OID_SHA256); | |
3602 if (!ss->ssl3.hs.tls12_handshake_hash || | |
3603 PK11_DigestBegin(ss->ssl3.hs.tls12_handshake_hash) != SECSuccess) { | |
3604 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); | |
3605 return SECFailure; | |
3606 } | |
3607 } | |
3608 | |
3609 if (ss->ssl3.hs.tls12_handshake_hash && ss->ssl3.hs.messages.len > 0) { | |
3610 if (PK11_DigestOp(ss->ssl3.hs.tls12_handshake_hash, | |
3611 ss->ssl3.hs.messages.buf, | |
3612 ss->ssl3.hs.messages.len) != SECSuccess) { | |
3613 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); | |
3614 return SECFailure; | |
3615 } | |
3616 } | |
3617 | |
3618 if (ss->ssl3.hs.messages.buf && !ss->opt.bypassPKCS11) { | |
3619 PORT_Free(ss->ssl3.hs.messages.buf); | |
3620 ss->ssl3.hs.messages.buf = NULL; | |
3621 ss->ssl3.hs.messages.len = 0; | |
3622 ss->ssl3.hs.messages.space = 0; | |
3623 } | |
3624 | |
3625 return SECSuccess; | |
3626 } | |
3627 | |
3483 static SECStatus | 3628 static SECStatus |
3484 ssl3_RestartHandshakeHashes(sslSocket *ss) | 3629 ssl3_RestartHandshakeHashes(sslSocket *ss) |
3485 { | 3630 { |
3486 SECStatus rv = SECSuccess; | 3631 SECStatus rv = SECSuccess; |
3487 | 3632 |
3633 ss->ssl3.hs.messages.len = 0; | |
3488 #ifndef NO_PKCS11_BYPASS | 3634 #ifndef NO_PKCS11_BYPASS |
3489 if (ss->opt.bypassPKCS11) { | 3635 if (ss->opt.bypassPKCS11) { |
3490 ss->ssl3.hs.messages.len = 0; | |
3491 MD5_Begin((MD5Context *)ss->ssl3.hs.md5_cx); | 3636 MD5_Begin((MD5Context *)ss->ssl3.hs.md5_cx); |
3492 SHA1_Begin((SHA1Context *)ss->ssl3.hs.sha_cx); | 3637 SHA1_Begin((SHA1Context *)ss->ssl3.hs.sha_cx); |
3493 } else | 3638 } else |
3494 #endif | 3639 #endif |
3495 { | 3640 { |
3641 if (ss->ssl3.hs.tls12_handshake_hash) { | |
3642 rv = PK11_DigestBegin(ss->ssl3.hs.tls12_handshake_hash); | |
3643 if (rv != SECSuccess) { | |
3644 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); | |
3645 return rv; | |
3646 } | |
3647 } | |
3496 rv = PK11_DigestBegin(ss->ssl3.hs.md5); | 3648 rv = PK11_DigestBegin(ss->ssl3.hs.md5); |
3497 if (rv != SECSuccess) { | 3649 if (rv != SECSuccess) { |
3498 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); | 3650 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); |
3499 return rv; | 3651 return rv; |
3500 } | 3652 } |
3501 rv = PK11_DigestBegin(ss->ssl3.hs.sha); | 3653 rv = PK11_DigestBegin(ss->ssl3.hs.sha); |
3502 if (rv != SECSuccess) { | 3654 if (rv != SECSuccess) { |
3503 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); | 3655 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
3504 return rv; | 3656 return rv; |
3505 } | 3657 } |
3506 } | 3658 } |
3507 return rv; | 3659 return rv; |
3508 } | 3660 } |
3509 | 3661 |
3510 static SECStatus | 3662 static SECStatus |
3511 ssl3_NewHandshakeHashes(sslSocket *ss) | 3663 ssl3_NewHandshakeHashes(sslSocket *ss) |
3512 { | 3664 { |
3513 PK11Context *md5 = NULL; | 3665 PK11Context *md5 = NULL; |
3514 PK11Context *sha = NULL; | 3666 PK11Context *sha = NULL; |
3515 | 3667 |
3516 /* | 3668 /* |
3517 * note: We should probably lookup an SSL3 slot for these | 3669 * note: We should probably lookup an SSL3 slot for these |
3518 * handshake hashes in hopes that we wind up with the same slots | 3670 * handshake hashes in hopes that we wind up with the same slots |
3519 * that the master secret will wind up in ... | 3671 * that the master secret will wind up in ... |
3520 */ | 3672 */ |
3521 SSL_TRC(30,("%d: SSL3[%d]: start handshake hashes", SSL_GETPID(), ss->fd)); | 3673 SSL_TRC(30,("%d: SSL3[%d]: start handshake hashes", SSL_GETPID(), ss->fd)); |
3522 #ifndef NO_PKCS11_BYPASS | 3674 PORT_Assert(!ss->ssl3.hs.messages.buf && !ss->ssl3.hs.messages.space); |
3523 if (ss->opt.bypassPKCS11) { | 3675 ss->ssl3.hs.messages.buf = NULL; |
3524 » PORT_Assert(!ss->ssl3.hs.messages.buf && !ss->ssl3.hs.messages.space); | 3676 ss->ssl3.hs.messages.space = 0; |
3525 » ss->ssl3.hs.messages.buf = NULL; | 3677 |
3526 » ss->ssl3.hs.messages.space = 0; | 3678 ss->ssl3.hs.md5 = md5 = PK11_CreateDigestContext(SEC_OID_MD5); |
3527 } else | 3679 ss->ssl3.hs.sha = sha = PK11_CreateDigestContext(SEC_OID_SHA1); |
3528 #endif | 3680 ss->ssl3.hs.tls12_handshake_hash = NULL; |
3529 { | 3681 if (md5 == NULL) { |
3530 » ss->ssl3.hs.md5 = md5 = PK11_CreateDigestContext(SEC_OID_MD5); | 3682 » ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); |
3531 » ss->ssl3.hs.sha = sha = PK11_CreateDigestContext(SEC_OID_SHA1); | 3683 » goto loser; |
3532 » if (md5 == NULL) { | 3684 } |
3533 » ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); | 3685 if (sha == NULL) { |
3534 » goto loser; | 3686 » ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
3535 » } | 3687 » goto loser; |
3536 » if (sha == NULL) { | |
3537 » ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); | |
3538 » goto loser; | |
3539 » } | |
3540 } | 3688 } |
3541 if (SECSuccess == ssl3_RestartHandshakeHashes(ss)) { | 3689 if (SECSuccess == ssl3_RestartHandshakeHashes(ss)) { |
3542 return SECSuccess; | 3690 return SECSuccess; |
3543 } | 3691 } |
3544 | 3692 |
3545 loser: | 3693 loser: |
3546 if (md5 != NULL) { | 3694 if (md5 != NULL) { |
3547 PK11_DestroyContext(md5, PR_TRUE); | 3695 PK11_DestroyContext(md5, PR_TRUE); |
3548 ss->ssl3.hs.md5 = NULL; | 3696 ss->ssl3.hs.md5 = NULL; |
3549 } | 3697 } |
(...skipping 17 matching lines...) Expand all Loading... | |
3567 static SECStatus | 3715 static SECStatus |
3568 ssl3_UpdateHandshakeHashes(sslSocket *ss, const unsigned char *b, | 3716 ssl3_UpdateHandshakeHashes(sslSocket *ss, const unsigned char *b, |
3569 unsigned int l) | 3717 unsigned int l) |
3570 { | 3718 { |
3571 SECStatus rv = SECSuccess; | 3719 SECStatus rv = SECSuccess; |
3572 | 3720 |
3573 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 3721 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
3574 | 3722 |
3575 PRINT_BUF(90, (NULL, "MD5 & SHA handshake hash input:", b, l)); | 3723 PRINT_BUF(90, (NULL, "MD5 & SHA handshake hash input:", b, l)); |
3576 | 3724 |
3725 if ((ss->version == 0 || ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) && | |
3726 !ss->opt.bypassPKCS11 && | |
3727 ss->ssl3.hs.tls12_handshake_hash == NULL) { | |
3728 /* For TLS 1.2 connections we need to buffer the handshake messages | |
3729 * until we have established which PRF hash function to use. */ | |
3730 rv = sslBuffer_Append(&ss->ssl3.hs.messages, b, l); | |
3731 if (rv != SECSuccess) { | |
3732 return rv; | |
3733 } | |
3734 } | |
3735 | |
3577 #ifndef NO_PKCS11_BYPASS | 3736 #ifndef NO_PKCS11_BYPASS |
3578 if (ss->opt.bypassPKCS11) { | 3737 if (ss->opt.bypassPKCS11) { |
3579 MD5_Update((MD5Context *)ss->ssl3.hs.md5_cx, b, l); | 3738 MD5_Update((MD5Context *)ss->ssl3.hs.md5_cx, b, l); |
3580 SHA1_Update((SHA1Context *)ss->ssl3.hs.sha_cx, b, l); | 3739 SHA1_Update((SHA1Context *)ss->ssl3.hs.sha_cx, b, l); |
3581 #if defined(NSS_SURVIVE_DOUBLE_BYPASS_FAILURE) | 3740 #if defined(NSS_SURVIVE_DOUBLE_BYPASS_FAILURE) |
3582 rv = sslBuffer_Append(&ss->ssl3.hs.messages, b, l); | 3741 rv = sslBuffer_Append(&ss->ssl3.hs.messages, b, l); |
3583 #endif | 3742 #endif |
3584 return rv; | 3743 return rv; |
3585 } | 3744 } |
3586 #endif | 3745 #endif |
3587 rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l); | 3746 if (ss->ssl3.hs.tls12_handshake_hash) { |
3588 if (rv != SECSuccess) { | 3747 » rv = PK11_DigestOp(ss->ssl3.hs.tls12_handshake_hash, b, l); |
3589 » ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); | 3748 » if (rv != SECSuccess) { |
3590 » return rv; | 3749 » ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); |
3591 } | 3750 » return rv; |
3592 rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l); | 3751 » } |
3593 if (rv != SECSuccess) { | 3752 } else { |
3594 » ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); | 3753 » rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l); |
3595 » return rv; | 3754 » if (rv != SECSuccess) { |
3755 » ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); | |
3756 » return rv; | |
3757 » } | |
3758 » rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l); | |
3759 » if (rv != SECSuccess) { | |
3760 » ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); | |
3761 » return rv; | |
3762 » } | |
3596 } | 3763 } |
3597 return rv; | 3764 return rv; |
3598 } | 3765 } |
3599 | 3766 |
3600 /************************************************************************** | 3767 /************************************************************************** |
3601 * Append Handshake functions. | 3768 * Append Handshake functions. |
3602 * All these functions set appropriate error codes. | 3769 * All these functions set appropriate error codes. |
3603 * Most rely on ssl3_AppendHandshake to set the error code. | 3770 * Most rely on ssl3_AppendHandshake to set the error code. |
3604 **************************************************************************/ | 3771 **************************************************************************/ |
3605 SECStatus | 3772 SECStatus |
(...skipping 131 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
3737 /* Fragment length -- set to the packet length because not fragmented */ | 3904 /* Fragment length -- set to the packet length because not fragmented */ |
3738 rv = ssl3_AppendHandshakeNumber(ss, length, 3); | 3905 rv = ssl3_AppendHandshakeNumber(ss, length, 3); |
3739 if (rv != SECSuccess) { | 3906 if (rv != SECSuccess) { |
3740 return rv; /* error code set by AppendHandshake, if applicable. */ | 3907 return rv; /* error code set by AppendHandshake, if applicable. */ |
3741 } | 3908 } |
3742 } | 3909 } |
3743 | 3910 |
3744 return rv; /* error code set by AppendHandshake, if applicable. */ | 3911 return rv; /* error code set by AppendHandshake, if applicable. */ |
3745 } | 3912 } |
3746 | 3913 |
3914 /* ssl3_AppendSignatureAndHashAlgorithm appends the serialisation of | |
3915 * |sigAndHash| to the current handshake message. */ | |
3916 SECStatus | |
3917 ssl3_AppendSignatureAndHashAlgorithm( | |
3918 sslSocket *ss, const SSL3SignatureAndHashAlgorithm* sigAndHash) | |
3919 { | |
3920 unsigned char serialized[2]; | |
3921 | |
3922 serialized[0] = ssl3_OIDToTLSHashAlgorithm(sigAndHash->hashAlg); | |
3923 if (serialized[0] == 0) { | |
3924 PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM); | |
3925 return SECFailure; | |
3926 } | |
3927 | |
3928 serialized[1] = sigAndHash->sigAlg; | |
3929 | |
3930 return ssl3_AppendHandshake(ss, serialized, sizeof(serialized)); | |
3931 } | |
3932 | |
3747 /************************************************************************** | 3933 /************************************************************************** |
3748 * Consume Handshake functions. | 3934 * Consume Handshake functions. |
3749 * | 3935 * |
3750 * All data used in these functions is protected by two locks, | 3936 * All data used in these functions is protected by two locks, |
3751 * the RecvBufLock and the SSL3HandshakeLock | 3937 * the RecvBufLock and the SSL3HandshakeLock |
3752 **************************************************************************/ | 3938 **************************************************************************/ |
3753 | 3939 |
3754 /* Read up the next "bytes" number of bytes from the (decrypted) input | 3940 /* Read up the next "bytes" number of bytes from the (decrypted) input |
3755 * stream "b" (which is *length bytes long). Copy them into buffer "v". | 3941 * stream "b" (which is *length bytes long). Copy them into buffer "v". |
3756 * Reduces *length by bytes. Advances *b by bytes. | 3942 * Reduces *length by bytes. Advances *b by bytes. |
(...skipping 86 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
3843 return ssl3_DecodeError(ss); | 4029 return ssl3_DecodeError(ss); |
3844 } | 4030 } |
3845 i->data = *b; | 4031 i->data = *b; |
3846 i->len = count; | 4032 i->len = count; |
3847 *b += count; | 4033 *b += count; |
3848 *length -= count; | 4034 *length -= count; |
3849 } | 4035 } |
3850 return SECSuccess; | 4036 return SECSuccess; |
3851 } | 4037 } |
3852 | 4038 |
4039 /* tlsHashOIDMap contains the mapping between TLS hash identifiers and the | |
4040 * SECOidTag used internally by NSS. */ | |
4041 static const struct { | |
4042 int tlsHash; | |
4043 SECOidTag oid; | |
4044 } tlsHashOIDMap[] = { | |
4045 { tls_hash_md5, SEC_OID_MD5 }, | |
4046 { tls_hash_sha1, SEC_OID_SHA1 }, | |
4047 { tls_hash_sha224, SEC_OID_SHA224 }, | |
4048 { tls_hash_sha256, SEC_OID_SHA256 }, | |
4049 { tls_hash_sha384, SEC_OID_SHA384 }, | |
4050 { tls_hash_sha512, SEC_OID_SHA512 } | |
4051 }; | |
4052 | |
4053 /* ssl3_TLSHashAlgorithmToOID converts a TLS hash identifier into an OID value. | |
4054 * If the hash is not recognised, SEC_OID_UNKNOWN is returned. | |
4055 * | |
4056 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ | |
4057 SECOidTag | |
4058 ssl3_TLSHashAlgorithmToOID(int hashFunc) | |
4059 { | |
4060 unsigned int i; | |
4061 | |
4062 for (i = 0; i < PR_ARRAY_SIZE(tlsHashOIDMap); i++) { | |
4063 if (hashFunc == tlsHashOIDMap[i].tlsHash) { | |
4064 return tlsHashOIDMap[i].oid; | |
4065 } | |
4066 } | |
4067 return SEC_OID_UNKNOWN; | |
4068 } | |
4069 | |
4070 /* ssl3_OIDToTLSHashAlgorithm converts an OID to a TLS hash algorithm identifier . | |
agl
2013/05/28 20:21:13
You appear to have wrapped lines at 80 chars, but
wtc
2013/05/28 23:22:19
Done.
| |
4071 * If the hash is not recognised, zero is returned. | |
4072 * | |
4073 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ | |
4074 static int | |
4075 ssl3_OIDToTLSHashAlgorithm(SECOidTag oid) | |
4076 { | |
4077 unsigned int i; | |
4078 | |
4079 for (i = 0; i < PR_ARRAY_SIZE(tlsHashOIDMap); i++) { | |
4080 if (oid == tlsHashOIDMap[i].oid) { | |
4081 return tlsHashOIDMap[i].tlsHash; | |
4082 } | |
4083 } | |
4084 return 0; | |
4085 } | |
4086 | |
4087 /* ssl3_TLSSignatureAlgorithmForKeyType returns the TLS 1.2 signature algorithm | |
4088 * identifier for a given KeyType. */ | |
4089 static SECStatus | |
4090 ssl3_TLSSignatureAlgorithmForKeyType(KeyType keyType, | |
4091 TLSSignatureAlgorithm *out) | |
4092 { | |
4093 switch (keyType) { | |
4094 case rsaKey: | |
4095 *out = tls_sig_rsa; | |
4096 return SECSuccess; | |
4097 case dsaKey: | |
4098 *out = tls_sig_dsa; | |
4099 return SECSuccess; | |
4100 case ecKey: | |
4101 *out = tls_sig_ecdsa; | |
4102 return SECSuccess; | |
4103 default: | |
wtc
2013/05/28 17:50:25
clang warns if this switch statement doesn't handl
| |
4104 PORT_SetError(SEC_ERROR_INVALID_KEY); | |
4105 return SECFailure; | |
4106 } | |
4107 } | |
4108 | |
4109 /* ssl3_TLSSignatureAlgorithmForCertificate returns the TLS 1.2 signature | |
4110 * algorithm identifier for the given certificate. */ | |
4111 static SECStatus | |
4112 ssl3_TLSSignatureAlgorithmForCertificate(CERTCertificate *cert, | |
4113 TLSSignatureAlgorithm *out) | |
4114 { | |
4115 SECKEYPublicKey *key; | |
4116 KeyType keyType; | |
4117 | |
4118 key = CERT_ExtractPublicKey(cert); | |
4119 if (key == NULL) { | |
4120 ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); | |
4121 return SECFailure; | |
4122 } | |
4123 | |
4124 keyType = key->keyType; | |
4125 SECKEY_DestroyPublicKey(key); | |
wtc
2013/05/28 17:50:25
This fixes a leak of the public key.
| |
4126 return ssl3_TLSSignatureAlgorithmForKeyType(keyType, out); | |
4127 } | |
4128 | |
4129 /* ssl3_CheckSignatureAndHashAlgorithmConsistency checks that the signature | |
4130 * algorithm identifier in |sigAndHash| is consistent with the public key in | |
4131 * |cert|. If so, SECSuccess is returned. Otherwise, PORT_SetError is called | |
4132 * and SECFailure is returned. */ | |
4133 SECStatus | |
4134 ssl3_CheckSignatureAndHashAlgorithmConsistency( | |
4135 const SSL3SignatureAndHashAlgorithm *sigAndHash, CERTCertificate* cert) | |
4136 { | |
4137 SECStatus rv; | |
4138 TLSSignatureAlgorithm sigAlg; | |
4139 | |
4140 rv = ssl3_TLSSignatureAlgorithmForCertificate(cert, &sigAlg); | |
4141 if (rv != SECSuccess) { | |
4142 return rv; | |
4143 } | |
4144 if (sigAlg != sigAndHash->sigAlg) { | |
4145 PORT_SetError(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM); | |
4146 return SECFailure; | |
4147 } | |
4148 return SECSuccess; | |
4149 } | |
4150 | |
4151 /* ssl3_ConsumeSignatureAndHashAlgorithm reads a SignatureAndHashAlgorithm | |
4152 * structure from |b| and puts the resulting value into |out|. |b| and |length| | |
4153 * are updated accordingly. | |
4154 * | |
4155 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ | |
4156 SECStatus | |
4157 ssl3_ConsumeSignatureAndHashAlgorithm(sslSocket *ss, | |
4158 SSL3Opaque **b, | |
4159 PRUint32 *length, | |
4160 SSL3SignatureAndHashAlgorithm *out) | |
4161 { | |
4162 unsigned char bytes[2]; | |
4163 SECStatus rv; | |
4164 | |
4165 rv = ssl3_ConsumeHandshake(ss, bytes, sizeof(bytes), b, length); | |
4166 if (rv != SECSuccess) { | |
4167 return rv; | |
4168 } | |
4169 | |
4170 out->hashAlg = ssl3_TLSHashAlgorithmToOID(bytes[0]); | |
4171 if (out->hashAlg == SEC_OID_UNKNOWN) { | |
4172 PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM); | |
4173 return SECFailure; | |
4174 } | |
4175 | |
4176 out->sigAlg = bytes[1]; | |
4177 return SECSuccess; | |
4178 } | |
4179 | |
3853 /************************************************************************** | 4180 /************************************************************************** |
3854 * end of Consume Handshake functions. | 4181 * end of Consume Handshake functions. |
3855 **************************************************************************/ | 4182 **************************************************************************/ |
3856 | 4183 |
3857 /* Extract the hashes of handshake messages to this point. | 4184 /* Extract the hashes of handshake messages to this point. |
3858 * Called from ssl3_SendCertificateVerify | 4185 * Called from ssl3_SendCertificateVerify |
3859 * ssl3_SendFinished | 4186 * ssl3_SendFinished |
3860 * ssl3_HandleHandshakeMessage | 4187 * ssl3_HandleHandshakeMessage |
3861 * | 4188 * |
3862 * Caller must hold the SSL3HandshakeLock. | 4189 * Caller must hold the SSL3HandshakeLock. |
3863 * Caller must hold a read or write lock on the Spec R/W lock. | 4190 * Caller must hold a read or write lock on the Spec R/W lock. |
3864 * (There is presently no way to assert on a Read lock.) | 4191 * (There is presently no way to assert on a Read lock.) |
3865 */ | 4192 */ |
3866 static SECStatus | 4193 static SECStatus |
3867 ssl3_ComputeHandshakeHashes(sslSocket * ss, | 4194 ssl3_ComputeHandshakeHashes(sslSocket * ss, |
3868 ssl3CipherSpec *spec, /* uses ->master_secret */ | 4195 ssl3CipherSpec *spec, /* uses ->master_secret */ |
3869 SSL3Hashes * hashes, /* output goes here. */ | 4196 SSL3Hashes * hashes, /* output goes here. */ |
3870 PRUint32 sender) | 4197 PRUint32 sender) |
3871 { | 4198 { |
3872 SECStatus rv = SECSuccess; | 4199 SECStatus rv = SECSuccess; |
3873 PRBool isTLS = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0); | 4200 PRBool isTLS = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0); |
3874 unsigned int outLength; | 4201 unsigned int outLength; |
3875 SSL3Opaque md5_inner[MAX_MAC_LENGTH]; | 4202 SSL3Opaque md5_inner[MAX_MAC_LENGTH]; |
3876 SSL3Opaque sha_inner[MAX_MAC_LENGTH]; | 4203 SSL3Opaque sha_inner[MAX_MAC_LENGTH]; |
3877 | 4204 |
3878 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 4205 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
4206 hashes->hashAlg = SEC_OID_UNKNOWN; | |
3879 | 4207 |
3880 #ifndef NO_PKCS11_BYPASS | 4208 #ifndef NO_PKCS11_BYPASS |
3881 if (ss->opt.bypassPKCS11) { | 4209 if (ss->opt.bypassPKCS11) { |
3882 /* compute them without PKCS11 */ | 4210 /* compute them without PKCS11 */ |
3883 PRUint64 md5_cx[MAX_MAC_CONTEXT_LLONGS]; | 4211 PRUint64 md5_cx[MAX_MAC_CONTEXT_LLONGS]; |
3884 PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS]; | 4212 PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS]; |
3885 | 4213 |
3886 #define md5cx ((MD5Context *)md5_cx) | 4214 #define md5cx ((MD5Context *)md5_cx) |
3887 #define shacx ((SHA1Context *)sha_cx) | 4215 #define shacx ((SHA1Context *)sha_cx) |
3888 | 4216 |
(...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
3932 PRINT_BUF(95, (NULL, "SHA inner: result", sha_inner, outLength)); | 4260 PRINT_BUF(95, (NULL, "SHA inner: result", sha_inner, outLength)); |
3933 PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2, | 4261 PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2, |
3934 mac_defs[mac_md5].pad_size)); | 4262 mac_defs[mac_md5].pad_size)); |
3935 PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH)) ; | 4263 PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH)) ; |
3936 | 4264 |
3937 MD5_Begin(md5cx); | 4265 MD5_Begin(md5cx); |
3938 MD5_Update(md5cx, spec->msItem.data, spec->msItem.len); | 4266 MD5_Update(md5cx, spec->msItem.data, spec->msItem.len); |
3939 MD5_Update(md5cx, mac_pad_2, mac_defs[mac_md5].pad_size); | 4267 MD5_Update(md5cx, mac_pad_2, mac_defs[mac_md5].pad_size); |
3940 MD5_Update(md5cx, md5_inner, MD5_LENGTH); | 4268 MD5_Update(md5cx, md5_inner, MD5_LENGTH); |
3941 } | 4269 } |
3942 » MD5_End(md5cx, hashes->md5, &outLength, MD5_LENGTH); | 4270 » MD5_End(md5cx, hashes->u.s.md5, &outLength, MD5_LENGTH); |
3943 | 4271 |
3944 » PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->md5, MD5_LENGTH)); | 4272 » PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->u.s.md5, MD5_LENGTH)); |
3945 | 4273 |
3946 if (!isTLS) { | 4274 if (!isTLS) { |
3947 PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2, | 4275 PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2, |
3948 mac_defs[mac_sha].pad_size)); | 4276 mac_defs[mac_sha].pad_size)); |
3949 PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH) ); | 4277 PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH) ); |
3950 | 4278 |
3951 SHA1_Begin(shacx); | 4279 SHA1_Begin(shacx); |
3952 SHA1_Update(shacx, spec->msItem.data, spec->msItem.len); | 4280 SHA1_Update(shacx, spec->msItem.data, spec->msItem.len); |
3953 SHA1_Update(shacx, mac_pad_2, mac_defs[mac_sha].pad_size); | 4281 SHA1_Update(shacx, mac_pad_2, mac_defs[mac_sha].pad_size); |
3954 SHA1_Update(shacx, sha_inner, SHA1_LENGTH); | 4282 SHA1_Update(shacx, sha_inner, SHA1_LENGTH); |
3955 } | 4283 } |
3956 » SHA1_End(shacx, hashes->sha, &outLength, SHA1_LENGTH); | 4284 » SHA1_End(shacx, hashes->u.s.sha, &outLength, SHA1_LENGTH); |
3957 | 4285 |
3958 » PRINT_BUF(60, (NULL, "SHA outer: result", hashes->sha, SHA1_LENGTH)); | 4286 » PRINT_BUF(60, (NULL, "SHA outer: result", hashes->u.s.sha, SHA1_LENGTH)) ; |
3959 | 4287 |
4288 hashes->len = MD5_LENGTH + SHA1_LENGTH; | |
3960 rv = SECSuccess; | 4289 rv = SECSuccess; |
3961 #undef md5cx | 4290 #undef md5cx |
3962 #undef shacx | 4291 #undef shacx |
3963 } else | 4292 } else |
3964 #endif | 4293 #endif |
3965 { | 4294 if (ss->ssl3.hs.tls12_handshake_hash) { |
4295 » PK11Context *h; | |
4296 » unsigned int stateLen; | |
4297 » unsigned char stackBuf[1024]; | |
4298 » unsigned char *stateBuf = NULL; | |
4299 | |
4300 » if (!spec->master_secret) { | |
4301 » PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE); | |
4302 » return SECFailure; | |
4303 » } | |
4304 | |
4305 » h = ss->ssl3.hs.tls12_handshake_hash; | |
4306 » stateBuf = PK11_SaveContextAlloc(h, stackBuf, | |
4307 » » » » » sizeof(stackBuf), &stateLen); | |
4308 » if (stateBuf == NULL) { | |
4309 » ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); | |
4310 » goto tls12Loser; | |
4311 » } | |
4312 » rv |= PK11_DigestFinal(h, hashes->u.raw, &hashes->len, | |
4313 » » » sizeof(hashes->u.raw)); | |
4314 » if (rv != SECSuccess) { | |
4315 » ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); | |
4316 » rv = SECFailure; | |
4317 » goto tls12Loser; | |
4318 » } | |
4319 » /* If we ever support ciphersuites where the PRF hash isn't SHA-256 | |
4320 » * then this will need to be updated. */ | |
4321 » hashes->hashAlg = SEC_OID_SHA256; | |
4322 » rv = SECSuccess; | |
4323 | |
4324 tls12Loser: | |
4325 » if (stateBuf) { | |
4326 » if (PK11_RestoreContext(ss->ssl3.hs.tls12_handshake_hash, stateBuf, | |
4327 » » » » stateLen) != SECSuccess) { | |
4328 » » ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); | |
4329 » » rv = SECFailure; | |
4330 » } | |
4331 » if (stateBuf != stackBuf) { | |
4332 » » PORT_ZFree(stateBuf, stateLen); | |
4333 » } | |
4334 » } | |
4335 } else { | |
3966 /* compute hases with PKCS11 */ | 4336 /* compute hases with PKCS11 */ |
3967 PK11Context * md5; | 4337 PK11Context * md5; |
3968 PK11Context * sha = NULL; | 4338 PK11Context * sha = NULL; |
3969 unsigned char *md5StateBuf = NULL; | 4339 unsigned char *md5StateBuf = NULL; |
3970 unsigned char *shaStateBuf = NULL; | 4340 unsigned char *shaStateBuf = NULL; |
3971 unsigned int md5StateLen, shaStateLen; | 4341 unsigned int md5StateLen, shaStateLen; |
3972 unsigned char md5StackBuf[256]; | 4342 unsigned char md5StackBuf[256]; |
3973 unsigned char shaStackBuf[512]; | 4343 unsigned char shaStackBuf[512]; |
3974 | 4344 |
3975 if (!spec->master_secret) { | 4345 if (!spec->master_secret) { |
(...skipping 68 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
4044 | 4414 |
4045 PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2, | 4415 PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2, |
4046 mac_defs[mac_md5].pad_size)); | 4416 mac_defs[mac_md5].pad_size)); |
4047 PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH)) ; | 4417 PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH)) ; |
4048 | 4418 |
4049 rv |= PK11_DigestBegin(md5); | 4419 rv |= PK11_DigestBegin(md5); |
4050 rv |= PK11_DigestKey(md5, spec->master_secret); | 4420 rv |= PK11_DigestKey(md5, spec->master_secret); |
4051 rv |= PK11_DigestOp(md5, mac_pad_2, mac_defs[mac_md5].pad_size); | 4421 rv |= PK11_DigestOp(md5, mac_pad_2, mac_defs[mac_md5].pad_size); |
4052 rv |= PK11_DigestOp(md5, md5_inner, MD5_LENGTH); | 4422 rv |= PK11_DigestOp(md5, md5_inner, MD5_LENGTH); |
4053 } | 4423 } |
4054 » rv |= PK11_DigestFinal(md5, hashes->md5, &outLength, MD5_LENGTH); | 4424 » rv |= PK11_DigestFinal(md5, hashes->u.s.md5, &outLength, MD5_LENGTH); |
4055 PORT_Assert(rv != SECSuccess || outLength == MD5_LENGTH); | 4425 PORT_Assert(rv != SECSuccess || outLength == MD5_LENGTH); |
4056 if (rv != SECSuccess) { | 4426 if (rv != SECSuccess) { |
4057 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); | 4427 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); |
4058 rv = SECFailure; | 4428 rv = SECFailure; |
4059 goto loser; | 4429 goto loser; |
4060 } | 4430 } |
4061 | 4431 |
4062 » PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->md5, MD5_LENGTH)); | 4432 » PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->u.s.md5, MD5_LENGTH)); |
4063 | 4433 |
4064 if (!isTLS) { | 4434 if (!isTLS) { |
4065 PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2, | 4435 PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2, |
4066 mac_defs[mac_sha].pad_size)); | 4436 mac_defs[mac_sha].pad_size)); |
4067 PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH) ); | 4437 PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH) ); |
4068 | 4438 |
4069 rv |= PK11_DigestBegin(sha); | 4439 rv |= PK11_DigestBegin(sha); |
4070 rv |= PK11_DigestKey(sha,spec->master_secret); | 4440 rv |= PK11_DigestKey(sha,spec->master_secret); |
4071 rv |= PK11_DigestOp(sha, mac_pad_2, mac_defs[mac_sha].pad_size); | 4441 rv |= PK11_DigestOp(sha, mac_pad_2, mac_defs[mac_sha].pad_size); |
4072 rv |= PK11_DigestOp(sha, sha_inner, SHA1_LENGTH); | 4442 rv |= PK11_DigestOp(sha, sha_inner, SHA1_LENGTH); |
4073 } | 4443 } |
4074 » rv |= PK11_DigestFinal(sha, hashes->sha, &outLength, SHA1_LENGTH); | 4444 » rv |= PK11_DigestFinal(sha, hashes->u.s.sha, &outLength, SHA1_LENGTH); |
4075 PORT_Assert(rv != SECSuccess || outLength == SHA1_LENGTH); | 4445 PORT_Assert(rv != SECSuccess || outLength == SHA1_LENGTH); |
4076 if (rv != SECSuccess) { | 4446 if (rv != SECSuccess) { |
4077 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); | 4447 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
4078 rv = SECFailure; | 4448 rv = SECFailure; |
4079 goto loser; | 4449 goto loser; |
4080 } | 4450 } |
4081 | 4451 |
4082 » PRINT_BUF(60, (NULL, "SHA outer: result", hashes->sha, SHA1_LENGTH)); | 4452 » PRINT_BUF(60, (NULL, "SHA outer: result", hashes->u.s.sha, SHA1_LENGTH)) ; |
4083 | 4453 |
4454 hashes->len = MD5_LENGTH + SHA1_LENGTH; | |
4084 rv = SECSuccess; | 4455 rv = SECSuccess; |
4085 | 4456 |
4086 loser: | 4457 loser: |
4087 if (md5StateBuf) { | 4458 if (md5StateBuf) { |
4088 if (PK11_RestoreContext(ss->ssl3.hs.md5, md5StateBuf, md5StateLen) | 4459 if (PK11_RestoreContext(ss->ssl3.hs.md5, md5StateBuf, md5StateLen) |
4089 != SECSuccess) | 4460 != SECSuccess) |
4090 { | 4461 { |
4091 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); | 4462 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); |
4092 rv = SECFailure; | 4463 rv = SECFailure; |
4093 } | 4464 } |
(...skipping 1242 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
5336 SECKEY_DestroyPublicKey(serverKey); | 5707 SECKEY_DestroyPublicKey(serverKey); |
5337 return rv; /* err code already set. */ | 5708 return rv; /* err code already set. */ |
5338 } | 5709 } |
5339 | 5710 |
5340 /* Called from ssl3_HandleServerHelloDone(). */ | 5711 /* Called from ssl3_HandleServerHelloDone(). */ |
5341 static SECStatus | 5712 static SECStatus |
5342 ssl3_SendCertificateVerify(sslSocket *ss) | 5713 ssl3_SendCertificateVerify(sslSocket *ss) |
5343 { | 5714 { |
5344 SECStatus rv = SECFailure; | 5715 SECStatus rv = SECFailure; |
5345 PRBool isTLS; | 5716 PRBool isTLS; |
5717 PRBool isTLS12; | |
5346 SECItem buf = {siBuffer, NULL, 0}; | 5718 SECItem buf = {siBuffer, NULL, 0}; |
5347 SSL3Hashes hashes; | 5719 SSL3Hashes hashes; |
5720 KeyType keyType; | |
5721 unsigned int len; | |
5722 SSL3SignatureAndHashAlgorithm sigAndHash; | |
5348 | 5723 |
5349 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); | 5724 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
5350 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 5725 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
5351 | 5726 |
5352 SSL_TRC(3, ("%d: SSL3[%d]: send certificate_verify handshake", | 5727 SSL_TRC(3, ("%d: SSL3[%d]: send certificate_verify handshake", |
5353 SSL_GETPID(), ss->fd)); | 5728 SSL_GETPID(), ss->fd)); |
5354 | 5729 |
5355 ssl_GetSpecReadLock(ss); | 5730 ssl_GetSpecReadLock(ss); |
5356 rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0); | 5731 rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0); |
5357 ssl_ReleaseSpecReadLock(ss); | 5732 ssl_ReleaseSpecReadLock(ss); |
5358 if (rv != SECSuccess) { | 5733 if (rv != SECSuccess) { |
5359 goto done; /* err code was set by ssl3_ComputeHandshakeHashes */ | 5734 goto done; /* err code was set by ssl3_ComputeHandshakeHashes */ |
5360 } | 5735 } |
5361 | 5736 |
5362 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); | 5737 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); |
5738 isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); | |
wtc
2013/05/28 17:50:25
In several places I changed ss->version to either
| |
5363 if (ss->ssl3.platformClientKey) { | 5739 if (ss->ssl3.platformClientKey) { |
5364 #ifdef NSS_PLATFORM_CLIENT_AUTH | 5740 #ifdef NSS_PLATFORM_CLIENT_AUTH |
5741 keyType = CERT_GetCertKeyType( | |
5742 &ss->ssl3.clientCertificate->subjectPublicKeyInfo); | |
5365 rv = ssl3_PlatformSignHashes( | 5743 rv = ssl3_PlatformSignHashes( |
5366 » &hashes, ss->ssl3.platformClientKey, &buf, isTLS, | 5744 » &hashes, ss->ssl3.platformClientKey, &buf, isTLS, keyType); |
5367 » CERT_GetCertKeyType( | |
5368 » » &ss->ssl3.clientCertificate->subjectPublicKeyInfo)); | |
5369 ssl_FreePlatformKey(ss->ssl3.platformClientKey); | 5745 ssl_FreePlatformKey(ss->ssl3.platformClientKey); |
5370 ss->ssl3.platformClientKey = (PlatformKey)NULL; | 5746 ss->ssl3.platformClientKey = (PlatformKey)NULL; |
5371 #endif /* NSS_PLATFORM_CLIENT_AUTH */ | 5747 #endif /* NSS_PLATFORM_CLIENT_AUTH */ |
5372 } else { | 5748 } else { |
5749 keyType = ss->ssl3.clientPrivateKey->keyType; | |
5373 rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS); | 5750 rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS); |
5374 if (rv == SECSuccess) { | 5751 if (rv == SECSuccess) { |
5375 PK11SlotInfo * slot; | 5752 PK11SlotInfo * slot; |
5376 sslSessionID * sid = ss->sec.ci.sid; | 5753 sslSessionID * sid = ss->sec.ci.sid; |
5377 | 5754 |
5378 /* Remember the info about the slot that did the signing. | 5755 /* Remember the info about the slot that did the signing. |
5379 ** Later, when doing an SSL restart handshake, verify this. | 5756 ** Later, when doing an SSL restart handshake, verify this. |
5380 ** These calls are mere accessors, and can't fail. | 5757 ** These calls are mere accessors, and can't fail. |
5381 */ | 5758 */ |
5382 slot = PK11_GetSlotFromPrivateKey(ss->ssl3.clientPrivateKey); | 5759 slot = PK11_GetSlotFromPrivateKey(ss->ssl3.clientPrivateKey); |
5383 sid->u.ssl3.clAuthSeries = PK11_GetSlotSeries(slot); | 5760 sid->u.ssl3.clAuthSeries = PK11_GetSlotSeries(slot); |
5384 sid->u.ssl3.clAuthSlotID = PK11_GetSlotID(slot); | 5761 sid->u.ssl3.clAuthSlotID = PK11_GetSlotID(slot); |
5385 sid->u.ssl3.clAuthModuleID = PK11_GetModuleID(slot); | 5762 sid->u.ssl3.clAuthModuleID = PK11_GetModuleID(slot); |
5386 sid->u.ssl3.clAuthValid = PR_TRUE; | 5763 sid->u.ssl3.clAuthValid = PR_TRUE; |
5387 PK11_FreeSlot(slot); | 5764 PK11_FreeSlot(slot); |
5388 } | 5765 } |
5389 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); | 5766 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
5390 ss->ssl3.clientPrivateKey = NULL; | 5767 ss->ssl3.clientPrivateKey = NULL; |
5391 } | 5768 } |
5392 if (rv != SECSuccess) { | 5769 if (rv != SECSuccess) { |
5393 goto done; /* err code was set by ssl3_SignHashes */ | 5770 goto done; /* err code was set by ssl3_SignHashes */ |
5394 } | 5771 } |
5395 | 5772 |
5396 rv = ssl3_AppendHandshakeHeader(ss, certificate_verify, buf.len + 2); | 5773 len = buf.len + 2 + (isTLS12 ? 2 : 0); |
5774 | |
5775 rv = ssl3_AppendHandshakeHeader(ss, certificate_verify, len); | |
5397 if (rv != SECSuccess) { | 5776 if (rv != SECSuccess) { |
5398 goto done; /* error code set by AppendHandshake */ | 5777 goto done; /* error code set by AppendHandshake */ |
5399 } | 5778 } |
5779 if (isTLS12) { | |
5780 rv = ssl3_TLSSignatureAlgorithmForKeyType(keyType, | |
5781 &sigAndHash.sigAlg); | |
5782 if (rv != SECSuccess) { | |
5783 goto done; | |
5784 } | |
5785 /* We always sign using the handshake hash function. It's possible that | |
5786 * a server could support SHA-256 as the handshake hash but not as a | |
5787 * signature hash. In that case we wouldn't be able to do client | |
5788 * certificates with it. The alternative is to buffer all handshake | |
5789 * messages. */ | |
5790 sigAndHash.hashAlg = hashes.hashAlg; | |
5791 | |
5792 rv = ssl3_AppendSignatureAndHashAlgorithm(ss, &sigAndHash); | |
5793 if (rv != SECSuccess) { | |
5794 goto done; /* err set by AppendHandshake. */ | |
5795 } | |
5796 } | |
5400 rv = ssl3_AppendHandshakeVariable(ss, buf.data, buf.len, 2); | 5797 rv = ssl3_AppendHandshakeVariable(ss, buf.data, buf.len, 2); |
5401 if (rv != SECSuccess) { | 5798 if (rv != SECSuccess) { |
5402 goto done; /* error code set by AppendHandshake */ | 5799 goto done; /* error code set by AppendHandshake */ |
5403 } | 5800 } |
5404 | 5801 |
5405 done: | 5802 done: |
5406 if (buf.data) | 5803 if (buf.data) |
5407 PORT_Free(buf.data); | 5804 PORT_Free(buf.data); |
5408 return rv; | 5805 return rv; |
5409 } | 5806 } |
(...skipping 87 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
5497 | 5894 |
5498 rv = ssl3_NegotiateVersion(ss, version, PR_FALSE); | 5895 rv = ssl3_NegotiateVersion(ss, version, PR_FALSE); |
5499 if (rv != SECSuccess) { | 5896 if (rv != SECSuccess) { |
5500 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version | 5897 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version |
5501 : handshake_failure; | 5898 : handshake_failure; |
5502 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; | 5899 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; |
5503 goto alert_loser; | 5900 goto alert_loser; |
5504 } | 5901 } |
5505 isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0); | 5902 isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0); |
5506 | 5903 |
5904 rv = ssl3_InitTLS12HandshakeHash(ss); | |
5905 if (rv != SECSuccess) { | |
5906 desc = internal_error; | |
5907 errCode = PORT_GetError(); | |
5908 goto alert_loser; | |
5909 } | |
5910 | |
5507 rv = ssl3_ConsumeHandshake( | 5911 rv = ssl3_ConsumeHandshake( |
5508 ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH, &b, &length); | 5912 ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH, &b, &length); |
5509 if (rv != SECSuccess) { | 5913 if (rv != SECSuccess) { |
5510 goto loser; /* alert has been sent */ | 5914 goto loser; /* alert has been sent */ |
5511 } | 5915 } |
5512 | 5916 |
5513 rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length); | 5917 rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length); |
5514 if (rv != SECSuccess) { | 5918 if (rv != SECSuccess) { |
5515 goto loser; /* alert has been sent */ | 5919 goto loser; /* alert has been sent */ |
5516 } | 5920 } |
(...skipping 310 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
5827 | 6231 |
5828 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete | 6232 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete |
5829 * ssl3 ServerKeyExchange message. | 6233 * ssl3 ServerKeyExchange message. |
5830 * Caller must hold Handshake and RecvBuf locks. | 6234 * Caller must hold Handshake and RecvBuf locks. |
5831 */ | 6235 */ |
5832 static SECStatus | 6236 static SECStatus |
5833 ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length) | 6237 ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
5834 { | 6238 { |
5835 PRArenaPool * arena = NULL; | 6239 PRArenaPool * arena = NULL; |
5836 SECKEYPublicKey *peerKey = NULL; | 6240 SECKEYPublicKey *peerKey = NULL; |
5837 PRBool isTLS; | 6241 PRBool isTLS, isTLS12; |
5838 SECStatus rv; | 6242 SECStatus rv; |
5839 int errCode = SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH; | 6243 int errCode = SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH; |
5840 SSL3AlertDescription desc = illegal_parameter; | 6244 SSL3AlertDescription desc = illegal_parameter; |
5841 SSL3Hashes hashes; | 6245 SSL3Hashes hashes; |
5842 SECItem signature = {siBuffer, NULL, 0}; | 6246 SECItem signature = {siBuffer, NULL, 0}; |
6247 SSL3SignatureAndHashAlgorithm sigAndHash; | |
6248 | |
6249 sigAndHash.hashAlg = SEC_OID_UNKNOWN; | |
5843 | 6250 |
5844 SSL_TRC(3, ("%d: SSL3[%d]: handle server_key_exchange handshake", | 6251 SSL_TRC(3, ("%d: SSL3[%d]: handle server_key_exchange handshake", |
5845 SSL_GETPID(), ss->fd)); | 6252 SSL_GETPID(), ss->fd)); |
5846 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 6253 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
5847 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 6254 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
5848 | 6255 |
5849 if (ss->ssl3.hs.ws != wait_server_key && | 6256 if (ss->ssl3.hs.ws != wait_server_key && |
5850 ss->ssl3.hs.ws != wait_server_cert) { | 6257 ss->ssl3.hs.ws != wait_server_cert) { |
5851 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH; | 6258 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH; |
5852 desc = unexpected_message; | 6259 desc = unexpected_message; |
5853 goto alert_loser; | 6260 goto alert_loser; |
5854 } | 6261 } |
5855 if (ss->sec.peerCert == NULL) { | 6262 if (ss->sec.peerCert == NULL) { |
5856 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH; | 6263 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH; |
5857 desc = unexpected_message; | 6264 desc = unexpected_message; |
5858 goto alert_loser; | 6265 goto alert_loser; |
5859 } | 6266 } |
5860 | 6267 |
5861 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); | 6268 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); |
6269 isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); | |
5862 | 6270 |
5863 switch (ss->ssl3.hs.kea_def->exchKeyType) { | 6271 switch (ss->ssl3.hs.kea_def->exchKeyType) { |
5864 | 6272 |
5865 case kt_rsa: { | 6273 case kt_rsa: { |
5866 SECItem modulus = {siBuffer, NULL, 0}; | 6274 SECItem modulus = {siBuffer, NULL, 0}; |
5867 SECItem exponent = {siBuffer, NULL, 0}; | 6275 SECItem exponent = {siBuffer, NULL, 0}; |
5868 | 6276 |
5869 rv = ssl3_ConsumeHandshakeVariable(ss, &modulus, 2, &b, &length); | 6277 rv = ssl3_ConsumeHandshakeVariable(ss, &modulus, 2, &b, &length); |
5870 if (rv != SECSuccess) { | 6278 if (rv != SECSuccess) { |
5871 goto loser; /* malformed. */ | 6279 goto loser; /* malformed. */ |
5872 } | 6280 } |
5873 rv = ssl3_ConsumeHandshakeVariable(ss, &exponent, 2, &b, &length); | 6281 rv = ssl3_ConsumeHandshakeVariable(ss, &exponent, 2, &b, &length); |
5874 if (rv != SECSuccess) { | 6282 if (rv != SECSuccess) { |
5875 goto loser; /* malformed. */ | 6283 goto loser; /* malformed. */ |
5876 } | 6284 } |
6285 if (isTLS12) { | |
6286 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length, | |
6287 &sigAndHash); | |
6288 if (rv != SECSuccess) { | |
6289 goto loser; /* malformed or unsupported. */ | |
6290 } | |
6291 rv = ssl3_CheckSignatureAndHashAlgorithmConsistency( | |
6292 &sigAndHash, ss->sec.peerCert); | |
6293 if (rv != SECSuccess) { | |
6294 goto loser; | |
6295 } | |
6296 } | |
5877 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length); | 6297 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length); |
5878 if (rv != SECSuccess) { | 6298 if (rv != SECSuccess) { |
5879 goto loser; /* malformed. */ | 6299 goto loser; /* malformed. */ |
5880 } | 6300 } |
5881 if (length != 0) { | 6301 if (length != 0) { |
5882 if (isTLS) | 6302 if (isTLS) |
5883 desc = decode_error; | 6303 desc = decode_error; |
5884 goto alert_loser; /* malformed. */ | 6304 goto alert_loser; /* malformed. */ |
5885 } | 6305 } |
5886 | 6306 |
5887 /* failures after this point are not malformed handshakes. */ | 6307 /* failures after this point are not malformed handshakes. */ |
5888 /* TLS: send decrypt_error if signature failed. */ | 6308 /* TLS: send decrypt_error if signature failed. */ |
5889 desc = isTLS ? decrypt_error : handshake_failure; | 6309 desc = isTLS ? decrypt_error : handshake_failure; |
5890 | 6310 |
5891 /* | 6311 /* |
5892 * check to make sure the hash is signed by right guy | 6312 * check to make sure the hash is signed by right guy |
5893 */ | 6313 */ |
5894 » rv = ssl3_ComputeExportRSAKeyHash(modulus, exponent, | 6314 » rv = ssl3_ComputeExportRSAKeyHash(sigAndHash.hashAlg, modulus, exponent, |
5895 &ss->ssl3.hs.client_random, | 6315 &ss->ssl3.hs.client_random, |
5896 &ss->ssl3.hs.server_random, | 6316 &ss->ssl3.hs.server_random, |
5897 &hashes, ss->opt.bypassPKCS11); | 6317 &hashes, ss->opt.bypassPKCS11); |
5898 if (rv != SECSuccess) { | 6318 if (rv != SECSuccess) { |
5899 errCode = | 6319 errCode = |
5900 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); | 6320 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); |
5901 goto alert_loser; | 6321 goto alert_loser; |
5902 } | 6322 } |
5903 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature, | 6323 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature, |
5904 isTLS, ss->pkcs11PinArg); | 6324 isTLS, ss->pkcs11PinArg); |
(...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
5957 goto loser; /* malformed. */ | 6377 goto loser; /* malformed. */ |
5958 } | 6378 } |
5959 if (dh_g.len > dh_p.len || !ssl3_BigIntGreaterThanOne(&dh_g)) | 6379 if (dh_g.len > dh_p.len || !ssl3_BigIntGreaterThanOne(&dh_g)) |
5960 goto alert_loser; | 6380 goto alert_loser; |
5961 rv = ssl3_ConsumeHandshakeVariable(ss, &dh_Ys, 2, &b, &length); | 6381 rv = ssl3_ConsumeHandshakeVariable(ss, &dh_Ys, 2, &b, &length); |
5962 if (rv != SECSuccess) { | 6382 if (rv != SECSuccess) { |
5963 goto loser; /* malformed. */ | 6383 goto loser; /* malformed. */ |
5964 } | 6384 } |
5965 if (dh_Ys.len > dh_p.len || !ssl3_BigIntGreaterThanOne(&dh_Ys)) | 6385 if (dh_Ys.len > dh_p.len || !ssl3_BigIntGreaterThanOne(&dh_Ys)) |
5966 goto alert_loser; | 6386 goto alert_loser; |
6387 if (isTLS12) { | |
6388 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length, | |
6389 &sigAndHash); | |
6390 if (rv != SECSuccess) { | |
6391 goto loser; /* malformed or unsupported. */ | |
6392 } | |
6393 rv = ssl3_CheckSignatureAndHashAlgorithmConsistency( | |
6394 &sigAndHash, ss->sec.peerCert); | |
6395 if (rv != SECSuccess) { | |
6396 goto loser; | |
6397 } | |
6398 } | |
5967 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length); | 6399 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length); |
5968 if (rv != SECSuccess) { | 6400 if (rv != SECSuccess) { |
5969 goto loser; /* malformed. */ | 6401 goto loser; /* malformed. */ |
5970 } | 6402 } |
5971 if (length != 0) { | 6403 if (length != 0) { |
5972 if (isTLS) | 6404 if (isTLS) |
5973 desc = decode_error; | 6405 desc = decode_error; |
5974 goto alert_loser; /* malformed. */ | 6406 goto alert_loser; /* malformed. */ |
5975 } | 6407 } |
5976 | 6408 |
5977 PRINT_BUF(60, (NULL, "Server DH p", dh_p.data, dh_p.len)); | 6409 PRINT_BUF(60, (NULL, "Server DH p", dh_p.data, dh_p.len)); |
5978 PRINT_BUF(60, (NULL, "Server DH g", dh_g.data, dh_g.len)); | 6410 PRINT_BUF(60, (NULL, "Server DH g", dh_g.data, dh_g.len)); |
5979 PRINT_BUF(60, (NULL, "Server DH Ys", dh_Ys.data, dh_Ys.len)); | 6411 PRINT_BUF(60, (NULL, "Server DH Ys", dh_Ys.data, dh_Ys.len)); |
5980 | 6412 |
5981 /* failures after this point are not malformed handshakes. */ | 6413 /* failures after this point are not malformed handshakes. */ |
5982 /* TLS: send decrypt_error if signature failed. */ | 6414 /* TLS: send decrypt_error if signature failed. */ |
5983 desc = isTLS ? decrypt_error : handshake_failure; | 6415 desc = isTLS ? decrypt_error : handshake_failure; |
5984 | 6416 |
5985 /* | 6417 /* |
5986 * check to make sure the hash is signed by right guy | 6418 * check to make sure the hash is signed by right guy |
5987 */ | 6419 */ |
5988 » rv = ssl3_ComputeDHKeyHash(dh_p, dh_g, dh_Ys, | 6420 » rv = ssl3_ComputeDHKeyHash(sigAndHash.hashAlg, dh_p, dh_g, dh_Ys, |
5989 &ss->ssl3.hs.client_random, | 6421 &ss->ssl3.hs.client_random, |
5990 &ss->ssl3.hs.server_random, | 6422 &ss->ssl3.hs.server_random, |
5991 &hashes, ss->opt.bypassPKCS11); | 6423 &hashes, ss->opt.bypassPKCS11); |
5992 if (rv != SECSuccess) { | 6424 if (rv != SECSuccess) { |
5993 errCode = | 6425 errCode = |
5994 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); | 6426 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); |
5995 goto alert_loser; | 6427 goto alert_loser; |
5996 } | 6428 } |
5997 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature, | 6429 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature, |
5998 isTLS, ss->pkcs11PinArg); | 6430 isTLS, ss->pkcs11PinArg); |
(...skipping 856 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
6855 } | 7287 } |
6856 | 7288 |
6857 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE); | 7289 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE); |
6858 if (rv != SECSuccess) { | 7290 if (rv != SECSuccess) { |
6859 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version | 7291 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version |
6860 : handshake_failure; | 7292 : handshake_failure; |
6861 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; | 7293 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; |
6862 goto alert_loser; | 7294 goto alert_loser; |
6863 } | 7295 } |
6864 | 7296 |
7297 rv = ssl3_InitTLS12HandshakeHash(ss); | |
7298 if (rv != SECSuccess) { | |
7299 desc = internal_error; | |
7300 errCode = PORT_GetError(); | |
7301 goto alert_loser; | |
7302 } | |
7303 | |
6865 /* grab the client random data. */ | 7304 /* grab the client random data. */ |
6866 rv = ssl3_ConsumeHandshake( | 7305 rv = ssl3_ConsumeHandshake( |
6867 ss, &ss->ssl3.hs.client_random, SSL3_RANDOM_LENGTH, &b, &length); | 7306 ss, &ss->ssl3.hs.client_random, SSL3_RANDOM_LENGTH, &b, &length); |
6868 if (rv != SECSuccess) { | 7307 if (rv != SECSuccess) { |
6869 goto loser; /* malformed */ | 7308 goto loser; /* malformed */ |
6870 } | 7309 } |
6871 | 7310 |
6872 /* grab the client's SID, if present. */ | 7311 /* grab the client's SID, if present. */ |
6873 rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length); | 7312 rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length); |
6874 if (rv != SECSuccess) { | 7313 if (rv != SECSuccess) { |
(...skipping 722 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
7597 ss->clientHelloVersion = version; | 8036 ss->clientHelloVersion = version; |
7598 | 8037 |
7599 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE); | 8038 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE); |
7600 if (rv != SECSuccess) { | 8039 if (rv != SECSuccess) { |
7601 /* send back which ever alert client will understand. */ | 8040 /* send back which ever alert client will understand. */ |
7602 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version : handshak e_failure; | 8041 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version : handshak e_failure; |
7603 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; | 8042 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; |
7604 goto alert_loser; | 8043 goto alert_loser; |
7605 } | 8044 } |
7606 | 8045 |
8046 rv = ssl3_InitTLS12HandshakeHash(ss); | |
wtc
2013/05/28 17:50:25
I moved this ssl3_InitTLS12HandshakeHash call here
agl
2013/05/28 20:21:13
I can't see any problems.
| |
8047 if (rv != SECSuccess) { | |
8048 desc = internal_error; | |
8049 errCode = PORT_GetError(); | |
8050 goto alert_loser; | |
8051 } | |
8052 | |
7607 /* if we get a non-zero SID, just ignore it. */ | 8053 /* if we get a non-zero SID, just ignore it. */ |
7608 if (length != | 8054 if (length != |
7609 SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length + rand_length) { | 8055 SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length + rand_length) { |
7610 SSL_DBG(("%d: SSL3[%d]: bad v2 client hello message, len=%d should=%d", | 8056 SSL_DBG(("%d: SSL3[%d]: bad v2 client hello message, len=%d should=%d", |
7611 SSL_GETPID(), ss->fd, length, | 8057 SSL_GETPID(), ss->fd, length, |
7612 SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length + | 8058 SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length + |
7613 rand_length)); | 8059 rand_length)); |
7614 goto loser; /* malformed */ /* alert_loser */ | 8060 goto loser; /* malformed */ /* alert_loser */ |
7615 } | 8061 } |
7616 | 8062 |
(...skipping 227 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
7844 } | 8290 } |
7845 } | 8291 } |
7846 rv = ssl3_SetupPendingCipherSpec(ss); | 8292 rv = ssl3_SetupPendingCipherSpec(ss); |
7847 if (rv != SECSuccess) { | 8293 if (rv != SECSuccess) { |
7848 return rv; /* err set by ssl3_SetupPendingCipherSpec */ | 8294 return rv; /* err set by ssl3_SetupPendingCipherSpec */ |
7849 } | 8295 } |
7850 | 8296 |
7851 return SECSuccess; | 8297 return SECSuccess; |
7852 } | 8298 } |
7853 | 8299 |
8300 /* ssl3_PickSignatureHashAlgorithm selects a hash algorithm to use when signing | |
8301 * elements of the handshake. (The negotiated cipher suite determines the | |
8302 * signature algorithm.) Prior to TLS 1.2, the MD5/SHA1 combination is always | |
8303 * used. With TLS 1.2, a client may advertise its support for signature and | |
8304 * hash combinations. */ | |
8305 static SECStatus | |
8306 ssl3_PickSignatureHashAlgorithm(sslSocket *ss, | |
8307 SSL3SignatureAndHashAlgorithm* out) | |
8308 { | |
8309 TLSSignatureAlgorithm sigAlg; | |
8310 unsigned int i, j; | |
8311 /* hashPreference expresses our preferences for hash algorithms, most | |
8312 * preferable first. */ | |
8313 static const PRUint8 hashPreference[] = { | |
8314 tls_hash_sha256, | |
8315 tls_hash_sha384, | |
8316 tls_hash_sha512, | |
8317 tls_hash_sha224, | |
wtc
2013/05/28 17:50:25
I added tls_hash_sha224 to this array. (NSS suppor
agl
2013/05/28 20:21:13
Ah, no, just missed it. Thanks!
wtc
2013/05/28 23:22:19
Good. Then my next question is where you think sha
agl
2013/05/28 23:36:36
I think it's either just above or just below SHA-5
| |
8318 tls_hash_sha1, | |
8319 }; | |
8320 | |
8321 switch (ss->ssl3.hs.kea_def->kea) { | |
8322 case kea_rsa: | |
8323 case kea_rsa_export: | |
8324 case kea_rsa_export_1024: | |
8325 case kea_dh_rsa: | |
8326 case kea_dh_rsa_export: | |
8327 case kea_dhe_rsa: | |
8328 case kea_dhe_rsa_export: | |
8329 case kea_rsa_fips: | |
8330 case kea_ecdh_rsa: | |
8331 case kea_ecdhe_rsa: | |
8332 sigAlg = tls_sig_rsa; | |
8333 break; | |
8334 case kea_dh_dss: | |
8335 case kea_dh_dss_export: | |
8336 case kea_dhe_dss: | |
8337 case kea_dhe_dss_export: | |
8338 sigAlg = tls_sig_dsa; | |
8339 break; | |
8340 case kea_ecdh_ecdsa: | |
8341 case kea_ecdhe_ecdsa: | |
8342 sigAlg = tls_sig_ecdsa; | |
8343 break; | |
8344 default: | |
8345 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); | |
8346 return SECFailure; | |
8347 } | |
8348 out->sigAlg = sigAlg; | |
8349 | |
8350 if (ss->version <= SSL_LIBRARY_VERSION_TLS_1_1) { | |
8351 /* SEC_OID_UNKNOWN means the MD5/SHA1 combo hash used in TLS 1.1 and | |
8352 * prior. */ | |
8353 out->hashAlg = SEC_OID_UNKNOWN; | |
8354 return SECSuccess; | |
8355 } | |
8356 | |
8357 if (ss->ssl3.hs.numClientSigAndHash == 0) { | |
8358 /* If the client didn't provide any signature_algorithms extension then | |
8359 * we can assume that they support SHA-1: | |
8360 * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ | |
8361 out->hashAlg = SEC_OID_SHA1; | |
8362 return SECSuccess; | |
8363 } | |
8364 | |
8365 for (i = 0; i < PR_ARRAY_SIZE(hashPreference); i++) { | |
8366 for (j = 0; j < ss->ssl3.hs.numClientSigAndHash; j++) { | |
8367 const SSL3SignatureAndHashAlgorithm* sh = | |
8368 &ss->ssl3.hs.clientSigAndHash[j]; | |
8369 if (sh->sigAlg == sigAlg && sh->hashAlg == hashPreference[i]) { | |
8370 out->hashAlg = sh->hashAlg; | |
wtc
2013/05/28 17:50:25
This was:
*out = *sh;
Since we already assign
| |
8371 return SECSuccess; | |
8372 } | |
8373 } | |
8374 } | |
8375 | |
8376 PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM); | |
8377 return SECFailure; | |
8378 } | |
8379 | |
7854 | 8380 |
7855 static SECStatus | 8381 static SECStatus |
7856 ssl3_SendServerKeyExchange(sslSocket *ss) | 8382 ssl3_SendServerKeyExchange(sslSocket *ss) |
7857 { | 8383 { |
7858 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; | 8384 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; |
7859 SECStatus rv = SECFailure; | 8385 SECStatus rv = SECFailure; |
7860 int length; | 8386 int length; |
7861 PRBool isTLS; | 8387 PRBool isTLS; |
7862 SECItem signed_hash = {siBuffer, NULL, 0}; | 8388 SECItem signed_hash = {siBuffer, NULL, 0}; |
7863 SSL3Hashes hashes; | 8389 SSL3Hashes hashes; |
7864 SECKEYPublicKey * sdPub; /* public key for step-down */ | 8390 SECKEYPublicKey * sdPub; /* public key for step-down */ |
8391 SSL3SignatureAndHashAlgorithm sigAndHash; | |
7865 | 8392 |
7866 SSL_TRC(3, ("%d: SSL3[%d]: send server_key_exchange handshake", | 8393 SSL_TRC(3, ("%d: SSL3[%d]: send server_key_exchange handshake", |
7867 SSL_GETPID(), ss->fd)); | 8394 SSL_GETPID(), ss->fd)); |
7868 | 8395 |
7869 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); | 8396 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
7870 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 8397 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
7871 | 8398 |
8399 if (ssl3_PickSignatureHashAlgorithm(ss, &sigAndHash) != SECSuccess) { | |
8400 return SECFailure; | |
8401 } | |
8402 | |
7872 switch (kea_def->exchKeyType) { | 8403 switch (kea_def->exchKeyType) { |
7873 case kt_rsa: | 8404 case kt_rsa: |
7874 /* Perform SSL Step-Down here. */ | 8405 /* Perform SSL Step-Down here. */ |
7875 sdPub = ss->stepDownKeyPair->pubKey; | 8406 sdPub = ss->stepDownKeyPair->pubKey; |
7876 PORT_Assert(sdPub != NULL); | 8407 PORT_Assert(sdPub != NULL); |
7877 if (!sdPub) { | 8408 if (!sdPub) { |
7878 PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); | 8409 PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); |
7879 return SECFailure; | 8410 return SECFailure; |
7880 } | 8411 } |
7881 » rv = ssl3_ComputeExportRSAKeyHash(sdPub->u.rsa.modulus, | 8412 » rv = ssl3_ComputeExportRSAKeyHash(sigAndHash.hashAlg, |
8413 » » » » » sdPub->u.rsa.modulus, | |
7882 sdPub->u.rsa.publicExponent, | 8414 sdPub->u.rsa.publicExponent, |
7883 &ss->ssl3.hs.client_random, | 8415 &ss->ssl3.hs.client_random, |
7884 &ss->ssl3.hs.server_random, | 8416 &ss->ssl3.hs.server_random, |
7885 &hashes, ss->opt.bypassPKCS11); | 8417 &hashes, ss->opt.bypassPKCS11); |
7886 if (rv != SECSuccess) { | 8418 if (rv != SECSuccess) { |
7887 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); | 8419 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); |
7888 return rv; | 8420 return rv; |
7889 } | 8421 } |
7890 | 8422 |
7891 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); | 8423 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); |
(...skipping 22 matching lines...) Expand all Loading... | |
7914 goto loser; /* err set by AppendHandshake. */ | 8446 goto loser; /* err set by AppendHandshake. */ |
7915 } | 8447 } |
7916 | 8448 |
7917 rv = ssl3_AppendHandshakeVariable( | 8449 rv = ssl3_AppendHandshakeVariable( |
7918 ss, sdPub->u.rsa.publicExponent.data, | 8450 ss, sdPub->u.rsa.publicExponent.data, |
7919 sdPub->u.rsa.publicExponent.len, 2); | 8451 sdPub->u.rsa.publicExponent.len, 2); |
7920 if (rv != SECSuccess) { | 8452 if (rv != SECSuccess) { |
7921 goto loser; /* err set by AppendHandshake. */ | 8453 goto loser; /* err set by AppendHandshake. */ |
7922 } | 8454 } |
7923 | 8455 |
8456 if (ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2) { | |
8457 rv = ssl3_AppendSignatureAndHashAlgorithm(ss, &sigAndHash); | |
8458 if (rv != SECSuccess) { | |
8459 goto loser; /* err set by AppendHandshake. */ | |
8460 } | |
8461 } | |
8462 | |
7924 rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data, | 8463 rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data, |
7925 signed_hash.len, 2); | 8464 signed_hash.len, 2); |
7926 if (rv != SECSuccess) { | 8465 if (rv != SECSuccess) { |
7927 goto loser; /* err set by AppendHandshake. */ | 8466 goto loser; /* err set by AppendHandshake. */ |
7928 } | 8467 } |
7929 PORT_Free(signed_hash.data); | 8468 PORT_Free(signed_hash.data); |
7930 return SECSuccess; | 8469 return SECSuccess; |
7931 | 8470 |
7932 #ifdef NSS_ENABLE_ECC | 8471 #ifdef NSS_ENABLE_ECC |
7933 case kt_ecdh: { | 8472 case kt_ecdh: { |
7934 » rv = ssl3_SendECDHServerKeyExchange(ss); | 8473 » rv = ssl3_SendECDHServerKeyExchange(ss, &sigAndHash); |
wtc
2013/05/28 17:50:25
By passing &sigAndHash to ssl3_SendECDHServerKeyEx
| |
7935 return rv; | 8474 return rv; |
7936 } | 8475 } |
7937 #endif /* NSS_ENABLE_ECC */ | 8476 #endif /* NSS_ENABLE_ECC */ |
7938 | 8477 |
7939 case kt_dh: | 8478 case kt_dh: |
7940 case kt_null: | 8479 case kt_null: |
7941 default: | 8480 default: |
7942 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); | 8481 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); |
7943 break; | 8482 break; |
7944 } | 8483 } |
(...skipping 93 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
8038 * Caller must hold Handshake and RecvBuf locks. | 8577 * Caller must hold Handshake and RecvBuf locks. |
8039 */ | 8578 */ |
8040 static SECStatus | 8579 static SECStatus |
8041 ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length, | 8580 ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length, |
8042 SSL3Hashes *hashes) | 8581 SSL3Hashes *hashes) |
8043 { | 8582 { |
8044 SECItem signed_hash = {siBuffer, NULL, 0}; | 8583 SECItem signed_hash = {siBuffer, NULL, 0}; |
8045 SECStatus rv; | 8584 SECStatus rv; |
8046 int errCode = SSL_ERROR_RX_MALFORMED_CERT_VERIFY; | 8585 int errCode = SSL_ERROR_RX_MALFORMED_CERT_VERIFY; |
8047 SSL3AlertDescription desc = handshake_failure; | 8586 SSL3AlertDescription desc = handshake_failure; |
8048 PRBool isTLS; | 8587 PRBool isTLS, isTLS12; |
8588 SSL3SignatureAndHashAlgorithm sigAndHash; | |
8049 | 8589 |
8050 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_verify handshake", | 8590 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_verify handshake", |
8051 SSL_GETPID(), ss->fd)); | 8591 SSL_GETPID(), ss->fd)); |
8052 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 8592 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
8053 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 8593 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
8054 | 8594 |
8595 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); | |
8596 isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); | |
8597 | |
8055 if (ss->ssl3.hs.ws != wait_cert_verify || ss->sec.peerCert == NULL) { | 8598 if (ss->ssl3.hs.ws != wait_cert_verify || ss->sec.peerCert == NULL) { |
8056 desc = unexpected_message; | 8599 desc = unexpected_message; |
8057 errCode = SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY; | 8600 errCode = SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY; |
8058 goto alert_loser; | 8601 goto alert_loser; |
8059 } | 8602 } |
8060 | 8603 |
8604 if (isTLS12) { | |
8605 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length, | |
8606 &sigAndHash); | |
8607 if (rv != SECSuccess) { | |
8608 goto loser; /* malformed or unsupported. */ | |
8609 } | |
8610 rv = ssl3_CheckSignatureAndHashAlgorithmConsistency( | |
8611 &sigAndHash, ss->sec.peerCert); | |
8612 if (rv != SECSuccess) { | |
8613 errCode = PORT_GetError(); | |
8614 desc = decrypt_error; | |
8615 goto alert_loser; | |
8616 } | |
8617 | |
8618 /* We only support CertificateVerify messages that use the handshake | |
8619 * hash. */ | |
8620 if (sigAndHash.hashAlg != hashes->hashAlg) { | |
8621 errCode = SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM; | |
8622 desc = decrypt_error; | |
8623 goto alert_loser; | |
wtc
2013/05/28 17:50:25
I think we should send a decrypt_error alert to th
agl
2013/05/28 20:21:13
I think decrypt_error is a reasonable pick in both
wtc
2013/05/28 23:22:19
decrypt_error is the alert used in TLS by the exis
| |
8624 } | |
8625 } | |
8626 | |
8061 rv = ssl3_ConsumeHandshakeVariable(ss, &signed_hash, 2, &b, &length); | 8627 rv = ssl3_ConsumeHandshakeVariable(ss, &signed_hash, 2, &b, &length); |
8062 if (rv != SECSuccess) { | 8628 if (rv != SECSuccess) { |
8063 goto loser; /* malformed. */ | 8629 goto loser; /* malformed. */ |
8064 } | 8630 } |
8065 | 8631 |
8066 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); | |
8067 | |
8068 /* XXX verify that the key & kea match */ | 8632 /* XXX verify that the key & kea match */ |
8069 rv = ssl3_VerifySignedHashes(hashes, ss->sec.peerCert, &signed_hash, | 8633 rv = ssl3_VerifySignedHashes(hashes, ss->sec.peerCert, &signed_hash, |
8070 isTLS, ss->pkcs11PinArg); | 8634 isTLS, ss->pkcs11PinArg); |
8071 if (rv != SECSuccess) { | 8635 if (rv != SECSuccess) { |
8072 errCode = PORT_GetError(); | 8636 errCode = PORT_GetError(); |
8073 desc = isTLS ? decrypt_error : handshake_failure; | 8637 desc = isTLS ? decrypt_error : handshake_failure; |
8074 goto alert_loser; | 8638 goto alert_loser; |
8075 } | 8639 } |
8076 | 8640 |
8077 signed_hash.data = NULL; | 8641 signed_hash.data = NULL; |
(...skipping 1078 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
9156 done: | 9720 done: |
9157 ssl_ReleaseSSL3HandshakeLock(ss); | 9721 ssl_ReleaseSSL3HandshakeLock(ss); |
9158 ssl_ReleaseRecvBufLock(ss); | 9722 ssl_ReleaseRecvBufLock(ss); |
9159 | 9723 |
9160 return rv; | 9724 return rv; |
9161 } | 9725 } |
9162 | 9726 |
9163 static SECStatus | 9727 static SECStatus |
9164 ssl3_ComputeTLSFinished(ssl3CipherSpec *spec, | 9728 ssl3_ComputeTLSFinished(ssl3CipherSpec *spec, |
9165 PRBool isServer, | 9729 PRBool isServer, |
9166 const SSL3Finished * hashes, | 9730 const SSL3Hashes * hashes, |
wtc
2013/05/28 17:50:25
In the original code, SSL3Finished is typedef'ed t
| |
9167 TLSFinished * tlsFinished) | 9731 TLSFinished * tlsFinished) |
9168 { | 9732 { |
9169 const char * label; | 9733 const char * label; |
9170 unsigned int len; | 9734 unsigned int len; |
9171 SECStatus rv; | 9735 SECStatus rv; |
9172 | 9736 |
9173 label = isServer ? "server finished" : "client finished"; | 9737 label = isServer ? "server finished" : "client finished"; |
9174 len = 15; | 9738 len = 15; |
9175 | 9739 |
9176 rv = ssl3_TLSPRFWithMasterSecret(spec, label, len, hashes->md5, | 9740 rv = ssl3_TLSPRFWithMasterSecret(spec, label, len, hashes->u.raw, |
9177 » sizeof *hashes, tlsFinished->verify_data, | 9741 » hashes->len, tlsFinished->verify_data, |
9178 sizeof tlsFinished->verify_data); | 9742 sizeof tlsFinished->verify_data); |
9179 | 9743 |
9180 return rv; | 9744 return rv; |
9181 } | 9745 } |
9182 | 9746 |
9183 /* The calling function must acquire and release the appropriate | 9747 /* The calling function must acquire and release the appropriate |
9184 * lock (e.g., ssl_GetSpecReadLock / ssl_ReleaseSpecReadLock for | 9748 * lock (e.g., ssl_GetSpecReadLock / ssl_ReleaseSpecReadLock for |
9185 * ss->ssl3.crSpec). | 9749 * ss->ssl3.crSpec). |
9186 */ | 9750 */ |
9187 SECStatus | 9751 SECStatus |
9188 ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec, const char *label, | 9752 ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec, const char *label, |
9189 unsigned int labelLen, const unsigned char *val, unsigned int valLen, | 9753 unsigned int labelLen, const unsigned char *val, unsigned int valLen, |
9190 unsigned char *out, unsigned int outLen) | 9754 unsigned char *out, unsigned int outLen) |
9191 { | 9755 { |
9192 SECStatus rv = SECSuccess; | 9756 SECStatus rv = SECSuccess; |
9193 | 9757 |
9194 if (spec->master_secret && !spec->bypassCiphers) { | 9758 if (spec->master_secret && !spec->bypassCiphers) { |
9195 » SECItem param = {siBuffer, NULL, 0}; | 9759 » SECItem param = {siBuffer, NULL, 0}; |
9196 » PK11Context *prf_context = | 9760 » CK_MECHANISM_TYPE mech = CKM_TLS_PRF_GENERAL; |
9197 » PK11_CreateContextBySymKey(CKM_TLS_PRF_GENERAL, CKA_SIGN, | 9761 » PK11Context *prf_context; |
9198 » » » » spec->master_secret, ¶m); | |
9199 unsigned int retLen; | 9762 unsigned int retLen; |
wtc
2013/05/28 17:50:25
This fixes MSVC compilation errors (variables cann
| |
9200 | 9763 |
9764 if (spec->version >= SSL_LIBRARY_VERSION_TLS_1_2) { | |
9765 mech = CKM_NSS_TLS_PRF_GENERAL_SHA256; | |
9766 } | |
9767 prf_context = PK11_CreateContextBySymKey(mech, CKA_SIGN, | |
9768 spec->master_secret, ¶m); | |
9201 if (!prf_context) | 9769 if (!prf_context) |
9202 return SECFailure; | 9770 return SECFailure; |
9203 | 9771 |
9204 rv = PK11_DigestBegin(prf_context); | 9772 rv = PK11_DigestBegin(prf_context); |
9205 rv |= PK11_DigestOp(prf_context, (unsigned char *) label, labelLen); | 9773 rv |= PK11_DigestOp(prf_context, (unsigned char *) label, labelLen); |
9206 rv |= PK11_DigestOp(prf_context, val, valLen); | 9774 rv |= PK11_DigestOp(prf_context, val, valLen); |
9207 rv |= PK11_DigestFinal(prf_context, out, &retLen, outLen); | 9775 rv |= PK11_DigestFinal(prf_context, out, &retLen, outLen); |
9208 PORT_Assert(rv != SECSuccess || retLen == outLen); | 9776 PORT_Assert(rv != SECSuccess || retLen == outLen); |
9209 | 9777 |
9210 PK11_DestroyContext(prf_context, PR_TRUE); | 9778 PK11_DestroyContext(prf_context, PR_TRUE); |
(...skipping 191 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
9402 if (spki->len != sizeof(P256_SPKI_PREFIX) + CHANNEL_ID_PUBLIC_KEY_LENGTH || | 9970 if (spki->len != sizeof(P256_SPKI_PREFIX) + CHANNEL_ID_PUBLIC_KEY_LENGTH || |
9403 memcmp(spki->data, P256_SPKI_PREFIX, sizeof(P256_SPKI_PREFIX) != 0)) { | 9971 memcmp(spki->data, P256_SPKI_PREFIX, sizeof(P256_SPKI_PREFIX) != 0)) { |
9404 PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY); | 9972 PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY); |
9405 rv = SECFailure; | 9973 rv = SECFailure; |
9406 goto loser; | 9974 goto loser; |
9407 } | 9975 } |
9408 | 9976 |
9409 pub_bytes = spki->data + sizeof(P256_SPKI_PREFIX); | 9977 pub_bytes = spki->data + sizeof(P256_SPKI_PREFIX); |
9410 | 9978 |
9411 memcpy(signed_data, CHANNEL_ID_MAGIC, sizeof(CHANNEL_ID_MAGIC)); | 9979 memcpy(signed_data, CHANNEL_ID_MAGIC, sizeof(CHANNEL_ID_MAGIC)); |
9412 memcpy(signed_data + sizeof(CHANNEL_ID_MAGIC), &hashes, sizeof(hashes)); | 9980 memcpy(signed_data + sizeof(CHANNEL_ID_MAGIC), hashes.u.raw, hashes.len); |
9413 | 9981 |
9414 rv = PK11_HashBuf(SEC_OID_SHA256, digest, signed_data, sizeof(signed_data)); | 9982 rv = PK11_HashBuf(SEC_OID_SHA256, digest, signed_data, |
9983 » » sizeof(CHANNEL_ID_MAGIC) + hashes.len); | |
wtc
2013/05/28 17:50:25
This updates the TLS Channel ID code for the new S
| |
9415 if (rv != SECSuccess) | 9984 if (rv != SECSuccess) |
9416 goto loser; | 9985 goto loser; |
9417 | 9986 |
9418 digest_item.data = digest; | 9987 digest_item.data = digest; |
9419 digest_item.len = sizeof(digest); | 9988 digest_item.len = sizeof(digest); |
9420 | 9989 |
9421 signature_item.data = signature; | 9990 signature_item.data = signature; |
9422 signature_item.len = sizeof(signature); | 9991 signature_item.len = sizeof(signature); |
9423 | 9992 |
9424 rv = PK11_Sign(ss->ssl3.channelID, &signature_item, &digest_item); | 9993 rv = PK11_Sign(ss->ssl3.channelID, &signature_item, &digest_item); |
(...skipping 64 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
9489 * ssl3_HandleFinished | 10058 * ssl3_HandleFinished |
9490 */ | 10059 */ |
9491 static SECStatus | 10060 static SECStatus |
9492 ssl3_SendFinished(sslSocket *ss, PRInt32 flags) | 10061 ssl3_SendFinished(sslSocket *ss, PRInt32 flags) |
9493 { | 10062 { |
9494 ssl3CipherSpec *cwSpec; | 10063 ssl3CipherSpec *cwSpec; |
9495 PRBool isTLS; | 10064 PRBool isTLS; |
9496 PRBool isServer = ss->sec.isServer; | 10065 PRBool isServer = ss->sec.isServer; |
9497 SECStatus rv; | 10066 SECStatus rv; |
9498 SSL3Sender sender = isServer ? sender_server : sender_client; | 10067 SSL3Sender sender = isServer ? sender_server : sender_client; |
9499 SSL3Finished hashes; | 10068 SSL3Hashes hashes; |
wtc
2013/05/28 17:50:25
This is another case where it is more correct sema
| |
9500 TLSFinished tlsFinished; | 10069 TLSFinished tlsFinished; |
9501 | 10070 |
9502 SSL_TRC(3, ("%d: SSL3[%d]: send finished handshake", SSL_GETPID(), ss->fd)); | 10071 SSL_TRC(3, ("%d: SSL3[%d]: send finished handshake", SSL_GETPID(), ss->fd)); |
9503 | 10072 |
9504 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); | 10073 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
9505 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 10074 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
9506 | 10075 |
9507 ssl_GetSpecReadLock(ss); | 10076 ssl_GetSpecReadLock(ss); |
9508 cwSpec = ss->ssl3.cwSpec; | 10077 cwSpec = ss->ssl3.cwSpec; |
9509 isTLS = (PRBool)(cwSpec->version > SSL_LIBRARY_VERSION_3_0); | 10078 isTLS = (PRBool)(cwSpec->version > SSL_LIBRARY_VERSION_3_0); |
(...skipping 13 matching lines...) Expand all Loading... | |
9523 ss->ssl3.hs.finishedMsgs.tFinished[0] = tlsFinished; | 10092 ss->ssl3.hs.finishedMsgs.tFinished[0] = tlsFinished; |
9524 ss->ssl3.hs.finishedBytes = sizeof tlsFinished; | 10093 ss->ssl3.hs.finishedBytes = sizeof tlsFinished; |
9525 rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof tlsFinished); | 10094 rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof tlsFinished); |
9526 if (rv != SECSuccess) | 10095 if (rv != SECSuccess) |
9527 goto fail; /* err set by AppendHandshake. */ | 10096 goto fail; /* err set by AppendHandshake. */ |
9528 rv = ssl3_AppendHandshake(ss, &tlsFinished, sizeof tlsFinished); | 10097 rv = ssl3_AppendHandshake(ss, &tlsFinished, sizeof tlsFinished); |
9529 if (rv != SECSuccess) | 10098 if (rv != SECSuccess) |
9530 goto fail; /* err set by AppendHandshake. */ | 10099 goto fail; /* err set by AppendHandshake. */ |
9531 } else { | 10100 } else { |
9532 if (isServer) | 10101 if (isServer) |
9533 » ss->ssl3.hs.finishedMsgs.sFinished[1] = hashes; | 10102 » ss->ssl3.hs.finishedMsgs.sFinished[1] = hashes.u.s; |
9534 else | 10103 else |
9535 » ss->ssl3.hs.finishedMsgs.sFinished[0] = hashes; | 10104 » ss->ssl3.hs.finishedMsgs.sFinished[0] = hashes.u.s; |
9536 » ss->ssl3.hs.finishedBytes = sizeof hashes; | 10105 » PORT_Assert(hashes.len == sizeof hashes.u.s); |
9537 » rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof hashes); | 10106 » ss->ssl3.hs.finishedBytes = sizeof hashes.u.s; |
10107 » rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof hashes.u.s); | |
wtc
2013/05/28 17:50:25
I reverted your change to how |sFinished| is defin
agl
2013/05/28 20:21:13
Is this correct for SSLv3? http://tools.ietf.org/h
wtc
2013/05/28 23:22:19
Yes, this is correct for SSLv3. I also tested it w
agl
2013/05/28 23:36:36
Right, sorry. I'm forgetting my own code.
| |
9538 if (rv != SECSuccess) | 10108 if (rv != SECSuccess) |
9539 goto fail; /* err set by AppendHandshake. */ | 10109 goto fail; /* err set by AppendHandshake. */ |
9540 » rv = ssl3_AppendHandshake(ss, &hashes, sizeof hashes); | 10110 » rv = ssl3_AppendHandshake(ss, &hashes.u.s, sizeof hashes.u.s); |
9541 if (rv != SECSuccess) | 10111 if (rv != SECSuccess) |
9542 goto fail; /* err set by AppendHandshake. */ | 10112 goto fail; /* err set by AppendHandshake. */ |
9543 } | 10113 } |
9544 rv = ssl3_FlushHandshake(ss, flags); | 10114 rv = ssl3_FlushHandshake(ss, flags); |
9545 if (rv != SECSuccess) { | 10115 if (rv != SECSuccess) { |
9546 goto fail; /* error code set by ssl3_FlushHandshake */ | 10116 goto fail; /* error code set by ssl3_FlushHandshake */ |
9547 } | 10117 } |
9548 | 10118 |
9549 ssl3_RecordKeyLog(ss); | 10119 ssl3_RecordKeyLog(ss); |
9550 | 10120 |
(...skipping 128 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
9679 else | 10249 else |
9680 ss->ssl3.hs.finishedMsgs.tFinished[0] = tlsFinished; | 10250 ss->ssl3.hs.finishedMsgs.tFinished[0] = tlsFinished; |
9681 ss->ssl3.hs.finishedBytes = sizeof tlsFinished; | 10251 ss->ssl3.hs.finishedBytes = sizeof tlsFinished; |
9682 if (rv != SECSuccess || | 10252 if (rv != SECSuccess || |
9683 0 != NSS_SecureMemcmp(&tlsFinished, b, length)) { | 10253 0 != NSS_SecureMemcmp(&tlsFinished, b, length)) { |
9684 (void)SSL3_SendAlert(ss, alert_fatal, decrypt_error); | 10254 (void)SSL3_SendAlert(ss, alert_fatal, decrypt_error); |
9685 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); | 10255 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); |
9686 return SECFailure; | 10256 return SECFailure; |
9687 } | 10257 } |
9688 } else { | 10258 } else { |
9689 » if (length != sizeof(SSL3Hashes)) { | 10259 » if (length != sizeof(SSL3Finished)) { |
9690 (void)ssl3_IllegalParameter(ss); | 10260 (void)ssl3_IllegalParameter(ss); |
9691 PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED); | 10261 PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED); |
9692 return SECFailure; | 10262 return SECFailure; |
9693 } | 10263 } |
9694 | 10264 |
9695 if (!isServer) | 10265 if (!isServer) |
9696 » ss->ssl3.hs.finishedMsgs.sFinished[1] = *hashes; | 10266 » ss->ssl3.hs.finishedMsgs.sFinished[1] = hashes->u.s; |
9697 else | 10267 else |
9698 » ss->ssl3.hs.finishedMsgs.sFinished[0] = *hashes; | 10268 » ss->ssl3.hs.finishedMsgs.sFinished[0] = hashes->u.s; |
9699 » ss->ssl3.hs.finishedBytes = sizeof *hashes; | 10269 » PORT_Assert(hashes->len == sizeof hashes->u.s); |
9700 » if (0 != NSS_SecureMemcmp(hashes, b, length)) { | 10270 » ss->ssl3.hs.finishedBytes = sizeof hashes->u.s; |
10271 » if (0 != NSS_SecureMemcmp(&hashes->u.s, b, length)) { | |
9701 (void)ssl3_HandshakeFailure(ss); | 10272 (void)ssl3_HandshakeFailure(ss); |
9702 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); | 10273 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); |
9703 return SECFailure; | 10274 return SECFailure; |
9704 } | 10275 } |
9705 } | 10276 } |
9706 | 10277 |
9707 ssl_GetXmitBufLock(ss); /*************************************/ | 10278 ssl_GetXmitBufLock(ss); /*************************************/ |
9708 | 10279 |
9709 if ((isServer && !ss->ssl3.hs.isResuming) || | 10280 if ((isServer && !ss->ssl3.hs.isResuming) || |
9710 (!isServer && ss->ssl3.hs.isResuming)) { | 10281 (!isServer && ss->ssl3.hs.isResuming)) { |
(...skipping 1568 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
11279 SHA1_DestroyContext((SHA1Context *)ss->ssl3.hs.sha_cx, PR_FALSE); | 11850 SHA1_DestroyContext((SHA1Context *)ss->ssl3.hs.sha_cx, PR_FALSE); |
11280 MD5_DestroyContext((MD5Context *)ss->ssl3.hs.md5_cx, PR_FALSE); | 11851 MD5_DestroyContext((MD5Context *)ss->ssl3.hs.md5_cx, PR_FALSE); |
11281 } | 11852 } |
11282 #endif | 11853 #endif |
11283 if (ss->ssl3.hs.md5) { | 11854 if (ss->ssl3.hs.md5) { |
11284 PK11_DestroyContext(ss->ssl3.hs.md5,PR_TRUE); | 11855 PK11_DestroyContext(ss->ssl3.hs.md5,PR_TRUE); |
11285 } | 11856 } |
11286 if (ss->ssl3.hs.sha) { | 11857 if (ss->ssl3.hs.sha) { |
11287 PK11_DestroyContext(ss->ssl3.hs.sha,PR_TRUE); | 11858 PK11_DestroyContext(ss->ssl3.hs.sha,PR_TRUE); |
11288 } | 11859 } |
11860 if (ss->ssl3.hs.tls12_handshake_hash) { | |
11861 PK11_DestroyContext(ss->ssl3.hs.tls12_handshake_hash,PR_TRUE); | |
11862 } | |
11863 if (ss->ssl3.hs.clientSigAndHash) { | |
11864 PORT_Free(ss->ssl3.hs.clientSigAndHash); | |
11865 } | |
11289 if (ss->ssl3.hs.messages.buf) { | 11866 if (ss->ssl3.hs.messages.buf) { |
11290 PORT_Free(ss->ssl3.hs.messages.buf); | 11867 PORT_Free(ss->ssl3.hs.messages.buf); |
11291 ss->ssl3.hs.messages.buf = NULL; | 11868 ss->ssl3.hs.messages.buf = NULL; |
11292 ss->ssl3.hs.messages.len = 0; | 11869 ss->ssl3.hs.messages.len = 0; |
11293 ss->ssl3.hs.messages.space = 0; | 11870 ss->ssl3.hs.messages.space = 0; |
11294 } | 11871 } |
11295 | 11872 |
11296 /* free the SSL3Buffer (msg_body) */ | 11873 /* free the SSL3Buffer (msg_body) */ |
11297 PORT_Free(ss->ssl3.hs.msg_body.buf); | 11874 PORT_Free(ss->ssl3.hs.msg_body.buf); |
11298 | 11875 |
11299 /* free up the CipherSpecs */ | 11876 /* free up the CipherSpecs */ |
11300 ssl3_DestroyCipherSpec(&ss->ssl3.specs[0], PR_TRUE/*freeSrvName*/); | 11877 ssl3_DestroyCipherSpec(&ss->ssl3.specs[0], PR_TRUE/*freeSrvName*/); |
11301 ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/); | 11878 ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/); |
11302 | 11879 |
11303 /* Destroy the DTLS data */ | 11880 /* Destroy the DTLS data */ |
11304 if (IS_DTLS(ss)) { | 11881 if (IS_DTLS(ss)) { |
11305 dtls_FreeHandshakeMessages(&ss->ssl3.hs.lastMessageFlight); | 11882 dtls_FreeHandshakeMessages(&ss->ssl3.hs.lastMessageFlight); |
11306 if (ss->ssl3.hs.recvdFragments.buf) { | 11883 if (ss->ssl3.hs.recvdFragments.buf) { |
11307 PORT_Free(ss->ssl3.hs.recvdFragments.buf); | 11884 PORT_Free(ss->ssl3.hs.recvdFragments.buf); |
11308 } | 11885 } |
11309 } | 11886 } |
11310 | 11887 |
11311 ss->ssl3.initialized = PR_FALSE; | 11888 ss->ssl3.initialized = PR_FALSE; |
11312 | 11889 |
11313 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); | 11890 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); |
11314 } | 11891 } |
11315 | 11892 |
11316 /* End of ssl3con.c */ | 11893 /* End of ssl3con.c */ |
OLD | NEW |