Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(63)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/third_party/nss/ssl/ssl3con.c

Issue 14772023: Implement TLS 1.2. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Remove an incorrect assertion I added Created 7 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« net/third_party/nss/ssl/SSLerrs.h ('K') | « net/third_party/nss/ssl/SSLerrs.h ('k') | net/third_party/nss/ssl/ssl3ecc.c » ('j') | net/third_party/nss/ssl/ssl3ext.c » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ 1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
2 /* 2 /*
3 * SSL3 Protocol 3 * SSL3 Protocol
4 * 4 *
5 * This Source Code Form is subject to the terms of the Mozilla Public 5 * This Source Code Form is subject to the terms of the Mozilla Public
6 * License, v. 2.0. If a copy of the MPL was not distributed with this 6 * License, v. 2.0. If a copy of the MPL was not distributed with this
7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
8 /* $Id$ */ 8 /* $Id$ */
9 9
10 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */ 10 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */
11 11
12 #include "cert.h" 12 #include "cert.h"
13 #include "ssl.h" 13 #include "ssl.h"
14 #include "cryptohi.h" /* for DSAU_ stuff */ 14 #include "cryptohi.h" /* for DSAU_ stuff */
15 #include "keyhi.h" 15 #include "keyhi.h"
16 #include "secder.h" 16 #include "secder.h"
17 #include "secitem.h" 17 #include "secitem.h"
18 #include "sechash.h"
18 19
19 #include "sslimpl.h" 20 #include "sslimpl.h"
20 #include "sslproto.h" 21 #include "sslproto.h"
21 #include "sslerr.h" 22 #include "sslerr.h"
22 #include "prtime.h" 23 #include "prtime.h"
23 #include "prinrval.h" 24 #include "prinrval.h"
24 #include "prerror.h" 25 #include "prerror.h"
25 #include "pratom.h" 26 #include "pratom.h"
26 #include "prthread.h" 27 #include "prthread.h"
27 28
28 #include "pk11func.h" 29 #include "pk11func.h"
29 #include "secmod.h" 30 #include "secmod.h"
30 #ifndef NO_PKCS11_BYPASS 31 #ifndef NO_PKCS11_BYPASS
31 #include "blapi.h" 32 #include "blapi.h"
32 #endif 33 #endif
33 34
35 /* This is a bodge to allow this code to be compiled against older NSS headers
36 * that don't contain the TLS 1.2 changes. */
37 #ifndef CKM_NSS_TLS_PRF_GENERAL_SHA256
38 #define CKM_NSS_TLS_PRF_GENERAL_SHA256 (CKM_NSS + 21)
39 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256 (CKM_NSS + 22)
40 #define CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256 (CKM_NSS + 23)
41 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24)
42 #endif
43
34 #include <stdio.h> 44 #include <stdio.h>
35 #ifdef NSS_ENABLE_ZLIB 45 #ifdef NSS_ENABLE_ZLIB
36 #include "zlib.h" 46 #include "zlib.h"
37 #endif 47 #endif
38 48
39 #ifndef PK11_SETATTRS 49 #ifndef PK11_SETATTRS
40 #define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \ 50 #define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \
41 (x)->pValue=(v); (x)->ulValueLen = (l); 51 (x)->pValue=(v); (x)->ulValueLen = (l);
42 #endif 52 #endif
43 53
(...skipping 13 matching lines...) Expand all
57 static SECStatus ssl3_SendEncryptedExtensions(sslSocket *ss); 67 static SECStatus ssl3_SendEncryptedExtensions(sslSocket *ss);
58 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags); 68 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags);
59 static SECStatus ssl3_SendServerHello( sslSocket *ss); 69 static SECStatus ssl3_SendServerHello( sslSocket *ss);
60 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss); 70 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss);
61 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss); 71 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss);
62 static SECStatus ssl3_NewHandshakeHashes( sslSocket *ss); 72 static SECStatus ssl3_NewHandshakeHashes( sslSocket *ss);
63 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss, 73 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss,
64 const unsigned char *b, 74 const unsigned char *b,
65 unsigned int l); 75 unsigned int l);
66 static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags); 76 static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags);
77 static int ssl3_OIDToTLSHashAlgorithm(SECOidTag oid);
67 78
68 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, 79 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen,
69 int maxOutputLen, const unsigned char *input, 80 int maxOutputLen, const unsigned char *input,
70 int inputLen); 81 int inputLen);
71 82
72 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */ 83 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */
73 #define MIN_SEND_BUF_LENGTH 4000 84 #define MIN_SEND_BUF_LENGTH 4000
74 85
75 /* This list of SSL3 cipher suites is sorted in descending order of 86 /* This list of SSL3 cipher suites is sorted in descending order of
76 * precedence (desirability). It only includes cipher suites we implement. 87 * precedence (desirability). It only includes cipher suites we implement.
(...skipping 727 matching lines...) Expand 10 before | Expand all | Expand 10 after
804 SECStatus 815 SECStatus
805 ssl3_SignHashes(SSL3Hashes *hash, SECKEYPrivateKey *key, SECItem *buf, 816 ssl3_SignHashes(SSL3Hashes *hash, SECKEYPrivateKey *key, SECItem *buf,
806 PRBool isTLS) 817 PRBool isTLS)
807 { 818 {
808 SECStatus rv = SECFailure; 819 SECStatus rv = SECFailure;
809 PRBool doDerEncode = PR_FALSE; 820 PRBool doDerEncode = PR_FALSE;
810 int signatureLen; 821 int signatureLen;
811 SECItem hashItem; 822 SECItem hashItem;
812 823
813 buf->data = NULL; 824 buf->data = NULL;
814 signatureLen = PK11_SignatureLen(key);
815 if (signatureLen <= 0) {
816 PORT_SetError(SEC_ERROR_INVALID_KEY);
817 goto done;
818 }
819
820 buf->len = (unsigned)signatureLen;
821 buf->data = (unsigned char *)PORT_Alloc(signatureLen);
822 if (!buf->data)
823 goto done; /* error code was set. */
824 825
825 switch (key->keyType) { 826 switch (key->keyType) {
826 case rsaKey: 827 case rsaKey:
827 » hashItem.data = hash->md5; 828 » hashItem.data = hash->u.raw;
828 » hashItem.len = sizeof(SSL3Hashes); 829 » hashItem.len = hash->len;
829 break; 830 break;
830 case dsaKey: 831 case dsaKey:
831 doDerEncode = isTLS; 832 doDerEncode = isTLS;
832 » hashItem.data = hash->sha; 833 » /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash.
833 » hashItem.len = sizeof(hash->sha); 834 » * In that case, we use just the SHA1 part. */
835 » if (hash->hashAlg == SEC_OID_UNKNOWN) {
836 » hashItem.data = hash->u.s.sha;
837 » hashItem.len = sizeof(hash->u.s.sha);
838 » } else {
839 » hashItem.data = hash->u.raw;
840 » hashItem.len = hash->len;
841 » }
834 break; 842 break;
835 #ifdef NSS_ENABLE_ECC 843 #ifdef NSS_ENABLE_ECC
836 case ecKey: 844 case ecKey:
837 doDerEncode = PR_TRUE; 845 doDerEncode = PR_TRUE;
838 » hashItem.data = hash->sha; 846 » /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash.
839 » hashItem.len = sizeof(hash->sha); 847 » * In that case, we use just the SHA1 part. */
848 » if (hash->hashAlg == SEC_OID_UNKNOWN) {
849 » hashItem.data = hash->u.s.sha;
850 » hashItem.len = sizeof(hash->u.s.sha);
851 » } else {
852 » hashItem.data = hash->u.raw;
853 » hashItem.len = hash->len;
854 » }
840 break; 855 break;
841 #endif /* NSS_ENABLE_ECC */ 856 #endif /* NSS_ENABLE_ECC */
842 default: 857 default:
843 PORT_SetError(SEC_ERROR_INVALID_KEY); 858 PORT_SetError(SEC_ERROR_INVALID_KEY);
844 goto done; 859 goto done;
845 } 860 }
846 PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len)); 861 PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len));
847 862
848 rv = PK11_Sign(key, buf, &hashItem); 863 if (hash->hashAlg == SEC_OID_UNKNOWN) {
864 » signatureLen = PK11_SignatureLen(key);
865 » if (signatureLen <= 0) {
866 » PORT_SetError(SEC_ERROR_INVALID_KEY);
867 » goto done;
868 » }
869
870 » buf->len = (unsigned)signatureLen;
871 » buf->data = (unsigned char *)PORT_Alloc(signatureLen);
872 » if (!buf->data)
873 » goto done; /* error code was set. */
874
875 » rv = PK11_Sign(key, buf, &hashItem);
876 } else {
877 » rv = SGN_Digest(key, hash->hashAlg, buf, &hashItem);
wtc 2013/05/28 17:50:25 I figured out how to use the NSS high-level signat
878 }
849 if (rv != SECSuccess) { 879 if (rv != SECSuccess) {
850 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE); 880 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE);
851 } else if (doDerEncode) { 881 } else if (doDerEncode) {
852 SECItem derSig = {siBuffer, NULL, 0}; 882 SECItem derSig = {siBuffer, NULL, 0};
853 883
854 /* This also works for an ECDSA signature */ 884 /* This also works for an ECDSA signature */
855 rv = DSAU_EncodeDerSigWithLen(&derSig, buf, buf->len); 885 rv = DSAU_EncodeDerSigWithLen(&derSig, buf, buf->len);
856 if (rv == SECSuccess) { 886 if (rv == SECSuccess) {
857 PORT_Free(buf->data); /* discard unencoded signature. */ 887 PORT_Free(buf->data); /* discard unencoded signature. */
858 *buf = derSig; /* give caller encoded signature. */ 888 *buf = derSig; /* give caller encoded signature. */
(...skipping 13 matching lines...) Expand all
872 902
873 /* Called from ssl3_HandleServerKeyExchange, ssl3_HandleCertificateVerify */ 903 /* Called from ssl3_HandleServerKeyExchange, ssl3_HandleCertificateVerify */
874 SECStatus 904 SECStatus
875 ssl3_VerifySignedHashes(SSL3Hashes *hash, CERTCertificate *cert, 905 ssl3_VerifySignedHashes(SSL3Hashes *hash, CERTCertificate *cert,
876 SECItem *buf, PRBool isTLS, void *pwArg) 906 SECItem *buf, PRBool isTLS, void *pwArg)
877 { 907 {
878 SECKEYPublicKey * key; 908 SECKEYPublicKey * key;
879 SECItem * signature = NULL; 909 SECItem * signature = NULL;
880 SECStatus rv; 910 SECStatus rv;
881 SECItem hashItem; 911 SECItem hashItem;
882 #ifdef NSS_ENABLE_ECC 912 SECOidTag encAlg;
883 unsigned int len; 913 SECOidTag hashAlg;
884 #endif /* NSS_ENABLE_ECC */
885 914
886 915
887 PRINT_BUF(60, (NULL, "check signed hashes", 916 PRINT_BUF(60, (NULL, "check signed hashes",
888 buf->data, buf->len)); 917 buf->data, buf->len));
889 918
890 key = CERT_ExtractPublicKey(cert); 919 key = CERT_ExtractPublicKey(cert);
891 if (key == NULL) { 920 if (key == NULL) {
892 ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); 921 ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
893 return SECFailure; 922 return SECFailure;
894 } 923 }
895 924
925 hashAlg = hash->hashAlg;
896 switch (key->keyType) { 926 switch (key->keyType) {
897 case rsaKey: 927 case rsaKey:
898 » hashItem.data = hash->md5; 928 » encAlg = SEC_OID_PKCS1_RSA_ENCRYPTION;
899 » hashItem.len = sizeof(SSL3Hashes); 929 » hashItem.data = hash->u.raw;
930 » hashItem.len = hash->len;
900 break; 931 break;
901 case dsaKey: 932 case dsaKey:
902 » hashItem.data = hash->sha; 933 » encAlg = SEC_OID_ANSIX9_DSA_SIGNATURE;
903 » hashItem.len = sizeof(hash->sha); 934 » /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash.
935 » * In that case, we use just the SHA1 part. */
936 » if (hash->hashAlg == SEC_OID_UNKNOWN) {
937 » hashItem.data = hash->u.s.sha;
938 » hashItem.len = sizeof(hash->u.s.sha);
939 » } else {
940 » hashItem.data = hash->u.raw;
941 » hashItem.len = hash->len;
942 » }
904 /* Allow DER encoded DSA signatures in SSL 3.0 */ 943 /* Allow DER encoded DSA signatures in SSL 3.0 */
905 if (isTLS || buf->len != SECKEY_SignatureLen(key)) { 944 if (isTLS || buf->len != SECKEY_SignatureLen(key)) {
906 signature = DSAU_DecodeDerSig(buf); 945 signature = DSAU_DecodeDerSig(buf);
907 if (!signature) { 946 if (!signature) {
908 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); 947 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
909 return SECFailure; 948 return SECFailure;
910 } 949 }
911 buf = signature; 950 buf = signature;
912 } 951 }
913 break; 952 break;
914 953
915 #ifdef NSS_ENABLE_ECC 954 #ifdef NSS_ENABLE_ECC
916 case ecKey: 955 case ecKey:
917 » hashItem.data = hash->sha; 956 » encAlg = SEC_OID_ANSIX962_EC_PUBLIC_KEY;
918 » hashItem.len = sizeof(hash->sha); 957 » /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash.
919 » /* 958 » * In that case, we use just the SHA1 part.
920 » * ECDSA signatures always encode the integers r and s 959 » * ECDSA signatures always encode the integers r and s using ASN.1
921 » * using ASN (unlike DSA where ASN encoding is used 960 » * (unlike DSA where ASN.1 encoding is used with TLS but not with
922 » * with TLS but not with SSL3) 961 » * SSL3). So we can use VFY_VerifyDigestDirect for ECDSA.
923 */ 962 */
924 » len = SECKEY_SignatureLen(key); 963 » if (hash->hashAlg == SEC_OID_UNKNOWN) {
925 » if (len == 0) { 964 » hashAlg = SEC_OID_SHA1;
926 » SECKEY_DestroyPublicKey(key); 965 » hashItem.data = hash->u.s.sha;
927 » PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); 966 » hashItem.len = sizeof(hash->u.s.sha);
928 » return SECFailure; 967 » } else {
968 » hashItem.data = hash->u.raw;
969 » hashItem.len = hash->len;
929 } 970 }
930 signature = DSAU_DecodeDerSigToLen(buf, len);
931 if (!signature) {
932 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
933 return SECFailure;
934 }
935 buf = signature;
936 break; 971 break;
937 #endif /* NSS_ENABLE_ECC */ 972 #endif /* NSS_ENABLE_ECC */
938 973
939 default: 974 default:
940 SECKEY_DestroyPublicKey(key); 975 SECKEY_DestroyPublicKey(key);
941 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); 976 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
942 return SECFailure; 977 return SECFailure;
943 } 978 }
944 979
945 PRINT_BUF(60, (NULL, "hash(es) to be verified", 980 PRINT_BUF(60, (NULL, "hash(es) to be verified",
946 hashItem.data, hashItem.len)); 981 hashItem.data, hashItem.len));
947 982
948 rv = PK11_Verify(key, buf, &hashItem, pwArg); 983 if (hashAlg == SEC_OID_UNKNOWN || key->keyType == dsaKey) {
wtc 2013/05/28 17:50:25 Please let me know if you find this boolean expres
agl 2013/05/28 20:21:13 Based on my understanding I would write: // VFY_V
wtc 2013/05/28 23:22:19 Done.
984 » /* VFY_VerifyDigestDirect requires DSA signatures to be DER-encoded.
985 » * So it would be more complicated to verify DSA signatures with
986 » * VFY_VerifyDigestDirect. */
987 » rv = PK11_Verify(key, buf, &hashItem, pwArg);
988 } else {
989 » rv = VFY_VerifyDigestDirect(&hashItem, key, buf, encAlg, hashAlg,
990 » » » » pwArg);
991 }
949 SECKEY_DestroyPublicKey(key); 992 SECKEY_DestroyPublicKey(key);
950 if (signature) { 993 if (signature) {
951 SECITEM_FreeItem(signature, PR_TRUE); 994 SECITEM_FreeItem(signature, PR_TRUE);
952 } 995 }
953 if (rv != SECSuccess) { 996 if (rv != SECSuccess) {
954 ssl_MapLowLevelError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); 997 ssl_MapLowLevelError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
955 } 998 }
956 return rv; 999 return rv;
957 } 1000 }
958 1001
959 1002
960 /* Caller must set hiLevel error code. */ 1003 /* Caller must set hiLevel error code. */
961 /* Called from ssl3_ComputeExportRSAKeyHash 1004 /* Called from ssl3_ComputeExportRSAKeyHash
962 * ssl3_ComputeDHKeyHash 1005 * ssl3_ComputeDHKeyHash
963 * which are called from ssl3_HandleServerKeyExchange. 1006 * which are called from ssl3_HandleServerKeyExchange.
1007 *
1008 * hashAlg: either the OID for a hash algorithm or SEC_OID_UNKNOWN to specify
1009 * the pre-1.2, MD5/SHA1 combination hash.
964 */ 1010 */
965 SECStatus 1011 SECStatus
966 ssl3_ComputeCommonKeyHash(PRUint8 * hashBuf, unsigned int bufLen, 1012 ssl3_ComputeCommonKeyHash(SECOidTag hashAlg,
967 » » » SSL3Hashes *hashes, PRBool bypassPKCS11) 1013 » » » PRUint8 * hashBuf, unsigned int bufLen,
1014 » » » SSL3Hashes *hashes, PRBool bypassPKCS11)
968 { 1015 {
969 SECStatus rv = SECSuccess; 1016 SECStatus rv = SECSuccess;
970 1017
971 #ifndef NO_PKCS11_BYPASS 1018 #ifndef NO_PKCS11_BYPASS
972 if (bypassPKCS11) { 1019 if (bypassPKCS11) {
973 » MD5_HashBuf (hashes->md5, hashBuf, bufLen); 1020 » if (hashAlg == SEC_OID_UNKNOWN) {
974 » SHA1_HashBuf(hashes->sha, hashBuf, bufLen); 1021 » MD5_HashBuf (hashes->u.s.md5, hashBuf, bufLen);
1022 » SHA1_HashBuf(hashes->u.s.sha, hashBuf, bufLen);
1023 » hashes->len = MD5_LENGTH + SHA1_LENGTH;
1024 » } else if (hashAlg == SEC_OID_SHA1) {
1025 » SHA1_HashBuf(hashes->u.raw, hashBuf, bufLen);
1026 » hashes->len = SHA1_LENGTH;
1027 » } else if (hashAlg == SEC_OID_SHA256) {
1028 » SHA256_HashBuf(hashes->u.raw, hashBuf, bufLen);
1029 » hashes->len = SHA256_LENGTH;
1030 » } else if (hashAlg == SEC_OID_SHA384) {
1031 » SHA384_HashBuf(hashes->u.raw, hashBuf, bufLen);
1032 » hashes->len = SHA384_LENGTH;
1033 » } else {
1034 » PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
1035 » return SECFailure;
1036 » }
975 } else 1037 } else
976 #endif 1038 #endif
977 { 1039 {
978 » rv = PK11_HashBuf(SEC_OID_MD5, hashes->md5, hashBuf, bufLen); 1040 » if (hashAlg == SEC_OID_UNKNOWN) {
979 » if (rv != SECSuccess) { 1041 » rv = PK11_HashBuf(SEC_OID_MD5, hashes->u.s.md5, hashBuf, bufLen);
980 » ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); 1042 » if (rv != SECSuccess) {
981 » rv = SECFailure; 1043 » » ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
982 » goto done; 1044 » » rv = SECFailure;
983 » } 1045 » » goto done;
1046 » }
984 1047
985 » rv = PK11_HashBuf(SEC_OID_SHA1, hashes->sha, hashBuf, bufLen); 1048 » rv = PK11_HashBuf(SEC_OID_SHA1, hashes->u.s.sha, hashBuf, bufLen);
986 » if (rv != SECSuccess) { 1049 » if (rv != SECSuccess) {
987 » ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); 1050 » » ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
988 » rv = SECFailure; 1051 » » rv = SECFailure;
1052 » }
1053 » hashes->len = MD5_LENGTH + SHA1_LENGTH;
1054 » } else {
1055 » hashes->len = HASH_ResultLenByOidTag(hashAlg);
1056 » if (hashes->len > sizeof(hashes->u.raw)) {
1057 » » ssl_MapLowLevelError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
1058 » » rv = SECFailure;
1059 » » goto done;
1060 » }
1061 » rv = PK11_HashBuf(hashAlg, hashes->u.raw, hashBuf, bufLen);
1062 » if (rv != SECSuccess) {
1063 » » ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
1064 » » rv = SECFailure;
1065 » }
989 } 1066 }
990 } 1067 }
1068 hashes->hashAlg = hashAlg;
1069
991 done: 1070 done:
992 return rv; 1071 return rv;
993 } 1072 }
994 1073
995 /* Caller must set hiLevel error code. 1074 /* Caller must set hiLevel error code.
996 ** Called from ssl3_SendServerKeyExchange and 1075 ** Called from ssl3_SendServerKeyExchange and
997 ** ssl3_HandleServerKeyExchange. 1076 ** ssl3_HandleServerKeyExchange.
998 */ 1077 */
999 static SECStatus 1078 static SECStatus
1000 ssl3_ComputeExportRSAKeyHash(SECItem modulus, SECItem publicExponent, 1079 ssl3_ComputeExportRSAKeyHash(SECOidTag hashAlg,
1080 » » » SECItem modulus, SECItem publicExponent,
1001 SSL3Random *client_rand, SSL3Random *server_rand, 1081 SSL3Random *client_rand, SSL3Random *server_rand,
1002 SSL3Hashes *hashes, PRBool bypassPKCS11) 1082 SSL3Hashes *hashes, PRBool bypassPKCS11)
1003 { 1083 {
1004 PRUint8 * hashBuf; 1084 PRUint8 * hashBuf;
1005 PRUint8 * pBuf; 1085 PRUint8 * pBuf;
1006 SECStatus rv = SECSuccess; 1086 SECStatus rv = SECSuccess;
1007 unsigned int bufLen; 1087 unsigned int bufLen;
1008 PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8]; 1088 PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8];
1009 1089
1010 bufLen = 2*SSL3_RANDOM_LENGTH + 2 + modulus.len + 2 + publicExponent.len; 1090 bufLen = 2*SSL3_RANDOM_LENGTH + 2 + modulus.len + 2 + publicExponent.len;
(...skipping 15 matching lines...) Expand all
1026 pBuf += 2; 1106 pBuf += 2;
1027 memcpy(pBuf, modulus.data, modulus.len); 1107 memcpy(pBuf, modulus.data, modulus.len);
1028 pBuf += modulus.len; 1108 pBuf += modulus.len;
1029 pBuf[0] = (PRUint8)(publicExponent.len >> 8); 1109 pBuf[0] = (PRUint8)(publicExponent.len >> 8);
1030 pBuf[1] = (PRUint8)(publicExponent.len); 1110 pBuf[1] = (PRUint8)(publicExponent.len);
1031 pBuf += 2; 1111 pBuf += 2;
1032 memcpy(pBuf, publicExponent.data, publicExponent.len); 1112 memcpy(pBuf, publicExponent.data, publicExponent.len);
1033 pBuf += publicExponent.len; 1113 pBuf += publicExponent.len;
1034 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen); 1114 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen);
1035 1115
1036 rv = ssl3_ComputeCommonKeyHash(hashBuf, bufLen, hashes, bypassPKCS11); 1116 rv = ssl3_ComputeCommonKeyHash(hashAlg, hashBuf, bufLen, hashes,
1117 » » » » bypassPKCS11);
1037 1118
1038 PRINT_BUF(95, (NULL, "RSAkey hash: ", hashBuf, bufLen)); 1119 PRINT_BUF(95, (NULL, "RSAkey hash: ", hashBuf, bufLen));
1039 PRINT_BUF(95, (NULL, "RSAkey hash: MD5 result", hashes->md5, MD5_LENGTH)); 1120 if (hashAlg == SEC_OID_UNKNOWN) {
1040 PRINT_BUF(95, (NULL, "RSAkey hash: SHA1 result", hashes->sha, SHA1_LENGTH)); 1121 » PRINT_BUF(95, (NULL, "RSAkey hash: MD5 result",
1122 » » hashes->u.s.md5, MD5_LENGTH));
1123 » PRINT_BUF(95, (NULL, "RSAkey hash: SHA1 result",
1124 » » hashes->u.s.sha, SHA1_LENGTH));
1125 } else {
1126 » PRINT_BUF(95, (NULL, "RSAkey hash: result",
1127 » » hashes->u.raw, hashes->len));
1128 }
1041 1129
1042 if (hashBuf != buf && hashBuf != NULL) 1130 if (hashBuf != buf && hashBuf != NULL)
1043 PORT_Free(hashBuf); 1131 PORT_Free(hashBuf);
1044 return rv; 1132 return rv;
1045 } 1133 }
1046 1134
1047 /* Caller must set hiLevel error code. */ 1135 /* Caller must set hiLevel error code. */
1048 /* Called from ssl3_HandleServerKeyExchange. */ 1136 /* Called from ssl3_HandleServerKeyExchange. */
1049 static SECStatus 1137 static SECStatus
1050 ssl3_ComputeDHKeyHash(SECItem dh_p, SECItem dh_g, SECItem dh_Ys, 1138 ssl3_ComputeDHKeyHash(SECOidTag hashAlg,
1051 » » » SSL3Random *client_rand, SSL3Random *server_rand, 1139 » » SECItem dh_p, SECItem dh_g, SECItem dh_Ys,
1052 » » » SSL3Hashes *hashes, PRBool bypassPKCS11) 1140 » » SSL3Random *client_rand, SSL3Random *server_rand,
1141 » » SSL3Hashes *hashes, PRBool bypassPKCS11)
1053 { 1142 {
1054 PRUint8 * hashBuf; 1143 PRUint8 * hashBuf;
1055 PRUint8 * pBuf; 1144 PRUint8 * pBuf;
1056 SECStatus rv = SECSuccess; 1145 SECStatus rv = SECSuccess;
1057 unsigned int bufLen; 1146 unsigned int bufLen;
1058 PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8]; 1147 PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8];
1059 1148
1060 bufLen = 2*SSL3_RANDOM_LENGTH + 2 + dh_p.len + 2 + dh_g.len + 2 + dh_Ys.len; 1149 bufLen = 2*SSL3_RANDOM_LENGTH + 2 + dh_p.len + 2 + dh_g.len + 2 + dh_Ys.len;
1061 if (bufLen <= sizeof buf) { 1150 if (bufLen <= sizeof buf) {
1062 hashBuf = buf; 1151 hashBuf = buf;
(...skipping 18 matching lines...) Expand all
1081 pBuf += 2; 1170 pBuf += 2;
1082 memcpy(pBuf, dh_g.data, dh_g.len); 1171 memcpy(pBuf, dh_g.data, dh_g.len);
1083 pBuf += dh_g.len; 1172 pBuf += dh_g.len;
1084 pBuf[0] = (PRUint8)(dh_Ys.len >> 8); 1173 pBuf[0] = (PRUint8)(dh_Ys.len >> 8);
1085 pBuf[1] = (PRUint8)(dh_Ys.len); 1174 pBuf[1] = (PRUint8)(dh_Ys.len);
1086 pBuf += 2; 1175 pBuf += 2;
1087 memcpy(pBuf, dh_Ys.data, dh_Ys.len); 1176 memcpy(pBuf, dh_Ys.data, dh_Ys.len);
1088 pBuf += dh_Ys.len; 1177 pBuf += dh_Ys.len;
1089 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen); 1178 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen);
1090 1179
1091 rv = ssl3_ComputeCommonKeyHash(hashBuf, bufLen, hashes, bypassPKCS11); 1180 rv = ssl3_ComputeCommonKeyHash(hashAlg, hashBuf, bufLen, hashes,
1181 » » » » bypassPKCS11);
1092 1182
1093 PRINT_BUF(95, (NULL, "DHkey hash: ", hashBuf, bufLen)); 1183 PRINT_BUF(95, (NULL, "DHkey hash: ", hashBuf, bufLen));
1094 PRINT_BUF(95, (NULL, "DHkey hash: MD5 result", hashes->md5, MD5_LENGTH)); 1184 if (hashAlg == SEC_OID_UNKNOWN) {
1095 PRINT_BUF(95, (NULL, "DHkey hash: SHA1 result", hashes->sha, SHA1_LENGTH)); 1185 » PRINT_BUF(95, (NULL, "DHkey hash: MD5 result",
1186 » » hashes->u.s.md5, MD5_LENGTH));
1187 » PRINT_BUF(95, (NULL, "DHkey hash: SHA1 result",
1188 » » hashes->u.s.sha, SHA1_LENGTH));
1189 } else {
1190 » PRINT_BUF(95, (NULL, "DHkey hash: result",
1191 » » hashes->u.raw, hashes->len));
1192 }
1096 1193
1097 if (hashBuf != buf && hashBuf != NULL) 1194 if (hashBuf != buf && hashBuf != NULL)
1098 PORT_Free(hashBuf); 1195 PORT_Free(hashBuf);
1099 return rv; 1196 return rv;
1100 } 1197 }
1101 1198
1102 static void 1199 static void
1103 ssl3_BumpSequenceNumber(SSL3SequenceNumber *num) 1200 ssl3_BumpSequenceNumber(SSL3SequenceNumber *num)
1104 { 1201 {
1105 num->low++; 1202 num->low++;
(...skipping 2077 matching lines...) Expand 10 before | Expand all | Expand 10 after
3183 */ 3280 */
3184 static SECStatus 3281 static SECStatus
3185 ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms) 3282 ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms)
3186 { 3283 {
3187 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec; 3284 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec;
3188 const ssl3KEADef *kea_def= ss->ssl3.hs.kea_def; 3285 const ssl3KEADef *kea_def= ss->ssl3.hs.kea_def;
3189 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random; 3286 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random;
3190 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random; 3287 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random;
3191 PRBool isTLS = (PRBool)(kea_def->tls_keygen || 3288 PRBool isTLS = (PRBool)(kea_def->tls_keygen ||
3192 (pwSpec->version > SSL_LIBRARY_VERSION_3_0)); 3289 (pwSpec->version > SSL_LIBRARY_VERSION_3_0));
3290 PRBool isTLS12=
3291 (PRBool)(isTLS && pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
3193 /* 3292 /*
3194 * Whenever isDH is true, we need to use CKM_TLS_MASTER_KEY_DERIVE_DH 3293 * Whenever isDH is true, we need to use CKM_TLS_MASTER_KEY_DERIVE_DH
3195 * which, unlike CKM_TLS_MASTER_KEY_DERIVE, converts arbitrary size 3294 * which, unlike CKM_TLS_MASTER_KEY_DERIVE, converts arbitrary size
3196 * data into a 48-byte value. 3295 * data into a 48-byte value.
3197 */ 3296 */
3198 PRBool isDH = (PRBool) ((ss->ssl3.hs.kea_def->exchKeyType == kt_dh) || 3297 PRBool isDH = (PRBool) ((ss->ssl3.hs.kea_def->exchKeyType == kt_dh) ||
3199 (ss->ssl3.hs.kea_def->exchKeyType == kt_ecdh)); 3298 (ss->ssl3.hs.kea_def->exchKeyType == kt_ecdh));
3200 SECStatus rv = SECFailure; 3299 SECStatus rv = SECFailure;
3201 CK_MECHANISM_TYPE master_derive; 3300 CK_MECHANISM_TYPE master_derive;
3202 CK_MECHANISM_TYPE key_derive; 3301 CK_MECHANISM_TYPE key_derive;
3203 SECItem params; 3302 SECItem params;
3204 CK_FLAGS keyFlags; 3303 CK_FLAGS keyFlags;
3205 CK_VERSION pms_version; 3304 CK_VERSION pms_version;
3206 CK_SSL3_MASTER_KEY_DERIVE_PARAMS master_params; 3305 CK_SSL3_MASTER_KEY_DERIVE_PARAMS master_params;
3207 3306
3208 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 3307 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
3209 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); 3308 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
3210 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); 3309 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
3211 if (isTLS) { 3310 if (isTLS12) {
3311 » if(isDH) master_derive = CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256;
3312 » else master_derive = CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256;
3313 » key_derive = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256;
3314 » keyFlags = CKF_SIGN | CKF_VERIFY;
3315 } else if (isTLS) {
3212 if(isDH) master_derive = CKM_TLS_MASTER_KEY_DERIVE_DH; 3316 if(isDH) master_derive = CKM_TLS_MASTER_KEY_DERIVE_DH;
3213 else master_derive = CKM_TLS_MASTER_KEY_DERIVE; 3317 else master_derive = CKM_TLS_MASTER_KEY_DERIVE;
3214 key_derive = CKM_TLS_KEY_AND_MAC_DERIVE; 3318 key_derive = CKM_TLS_KEY_AND_MAC_DERIVE;
3215 keyFlags = CKF_SIGN | CKF_VERIFY; 3319 keyFlags = CKF_SIGN | CKF_VERIFY;
3216 } else { 3320 } else {
3217 if (isDH) master_derive = CKM_SSL3_MASTER_KEY_DERIVE_DH; 3321 if (isDH) master_derive = CKM_SSL3_MASTER_KEY_DERIVE_DH;
3218 else master_derive = CKM_SSL3_MASTER_KEY_DERIVE; 3322 else master_derive = CKM_SSL3_MASTER_KEY_DERIVE;
3219 key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE; 3323 key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE;
3220 keyFlags = 0; 3324 keyFlags = 0;
3221 } 3325 }
(...skipping 137 matching lines...) Expand 10 before | Expand all | Expand 10 after
3359 */ 3463 */
3360 static SECStatus 3464 static SECStatus
3361 ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss) 3465 ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss)
3362 { 3466 {
3363 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec; 3467 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec;
3364 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; 3468 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def;
3365 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random; 3469 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random;
3366 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random; 3470 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random;
3367 PRBool isTLS = (PRBool)(kea_def->tls_keygen || 3471 PRBool isTLS = (PRBool)(kea_def->tls_keygen ||
3368 (pwSpec->version > SSL_LIBRARY_VERSION_3_0)); 3472 (pwSpec->version > SSL_LIBRARY_VERSION_3_0));
3473 PRBool isTLS12=
3474 (PRBool)(isTLS && pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
3369 /* following variables used in PKCS11 path */ 3475 /* following variables used in PKCS11 path */
3370 const ssl3BulkCipherDef *cipher_def = pwSpec->cipher_def; 3476 const ssl3BulkCipherDef *cipher_def = pwSpec->cipher_def;
3371 PK11SlotInfo * slot = NULL; 3477 PK11SlotInfo * slot = NULL;
3372 PK11SymKey * symKey = NULL; 3478 PK11SymKey * symKey = NULL;
3373 void * pwArg = ss->pkcs11PinArg; 3479 void * pwArg = ss->pkcs11PinArg;
3374 int keySize; 3480 int keySize;
3375 CK_SSL3_KEY_MAT_PARAMS key_material_params; 3481 CK_SSL3_KEY_MAT_PARAMS key_material_params;
3376 CK_SSL3_KEY_MAT_OUT returnedKeys; 3482 CK_SSL3_KEY_MAT_OUT returnedKeys;
3377 CK_MECHANISM_TYPE key_derive; 3483 CK_MECHANISM_TYPE key_derive;
3378 CK_MECHANISM_TYPE bulk_mechanism; 3484 CK_MECHANISM_TYPE bulk_mechanism;
(...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after
3416 returnedKeys.pIVServer = NULL; 3522 returnedKeys.pIVServer = NULL;
3417 } 3523 }
3418 3524
3419 calg = cipher_def->calg; 3525 calg = cipher_def->calg;
3420 PORT_Assert( alg2Mech[calg].calg == calg); 3526 PORT_Assert( alg2Mech[calg].calg == calg);
3421 bulk_mechanism = alg2Mech[calg].cmech; 3527 bulk_mechanism = alg2Mech[calg].cmech;
3422 3528
3423 params.data = (unsigned char *)&key_material_params; 3529 params.data = (unsigned char *)&key_material_params;
3424 params.len = sizeof(key_material_params); 3530 params.len = sizeof(key_material_params);
3425 3531
3426 if (isTLS) { 3532 if (isTLS12) {
3533 » key_derive = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256;
3534 } else if (isTLS) {
3427 key_derive = CKM_TLS_KEY_AND_MAC_DERIVE; 3535 key_derive = CKM_TLS_KEY_AND_MAC_DERIVE;
3428 } else { 3536 } else {
3429 key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE; 3537 key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE;
3430 } 3538 }
3431 3539
3432 /* CKM_SSL3_KEY_AND_MAC_DERIVE is defined to set ENCRYPT, DECRYPT, and 3540 /* CKM_SSL3_KEY_AND_MAC_DERIVE is defined to set ENCRYPT, DECRYPT, and
3433 * DERIVE by DEFAULT */ 3541 * DERIVE by DEFAULT */
3434 symKey = PK11_Derive(pwSpec->master_secret, key_derive, &params, 3542 symKey = PK11_Derive(pwSpec->master_secret, key_derive, &params,
3435 bulk_mechanism, CKA_ENCRYPT, keySize); 3543 bulk_mechanism, CKA_ENCRYPT, keySize);
3436 if (!symKey) { 3544 if (!symKey) {
(...skipping 36 matching lines...) Expand 10 before | Expand all | Expand 10 after
3473 PK11_FreeSymKey(symKey); 3581 PK11_FreeSymKey(symKey);
3474 return SECSuccess; 3582 return SECSuccess;
3475 3583
3476 3584
3477 loser: 3585 loser:
3478 if (symKey) PK11_FreeSymKey(symKey); 3586 if (symKey) PK11_FreeSymKey(symKey);
3479 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); 3587 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
3480 return SECFailure; 3588 return SECFailure;
3481 } 3589 }
3482 3590
3591 /* ssl3_InitTLS12HandshakeHash creates a handshake hash context for TLS 1.2,
3592 * if needed, and hashes in any buffered messages in ss->ssl3.hs.messages. */
3593 static SECStatus
3594 ssl3_InitTLS12HandshakeHash(sslSocket *ss)
3595 {
3596 if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2 &&
3597 ss->ssl3.hs.tls12_handshake_hash == NULL) {
3598 /* If we ever support ciphersuites where the PRF hash isn't SHA-256
3599 * then this will need to be updated. */
3600 ss->ssl3.hs.tls12_handshake_hash =
3601 PK11_CreateDigestContext(SEC_OID_SHA256);
3602 if (!ss->ssl3.hs.tls12_handshake_hash ||
3603 PK11_DigestBegin(ss->ssl3.hs.tls12_handshake_hash) != SECSuccess) {
3604 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
3605 return SECFailure;
3606 }
3607 }
3608
3609 if (ss->ssl3.hs.tls12_handshake_hash && ss->ssl3.hs.messages.len > 0) {
3610 if (PK11_DigestOp(ss->ssl3.hs.tls12_handshake_hash,
3611 ss->ssl3.hs.messages.buf,
3612 ss->ssl3.hs.messages.len) != SECSuccess) {
3613 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
3614 return SECFailure;
3615 }
3616 }
3617
3618 if (ss->ssl3.hs.messages.buf && !ss->opt.bypassPKCS11) {
3619 PORT_Free(ss->ssl3.hs.messages.buf);
3620 ss->ssl3.hs.messages.buf = NULL;
3621 ss->ssl3.hs.messages.len = 0;
3622 ss->ssl3.hs.messages.space = 0;
3623 }
3624
3625 return SECSuccess;
3626 }
3627
3483 static SECStatus 3628 static SECStatus
3484 ssl3_RestartHandshakeHashes(sslSocket *ss) 3629 ssl3_RestartHandshakeHashes(sslSocket *ss)
3485 { 3630 {
3486 SECStatus rv = SECSuccess; 3631 SECStatus rv = SECSuccess;
3487 3632
3633 ss->ssl3.hs.messages.len = 0;
3488 #ifndef NO_PKCS11_BYPASS 3634 #ifndef NO_PKCS11_BYPASS
3489 if (ss->opt.bypassPKCS11) { 3635 if (ss->opt.bypassPKCS11) {
3490 ss->ssl3.hs.messages.len = 0;
3491 MD5_Begin((MD5Context *)ss->ssl3.hs.md5_cx); 3636 MD5_Begin((MD5Context *)ss->ssl3.hs.md5_cx);
3492 SHA1_Begin((SHA1Context *)ss->ssl3.hs.sha_cx); 3637 SHA1_Begin((SHA1Context *)ss->ssl3.hs.sha_cx);
3493 } else 3638 } else
3494 #endif 3639 #endif
3495 { 3640 {
3641 if (ss->ssl3.hs.tls12_handshake_hash) {
3642 rv = PK11_DigestBegin(ss->ssl3.hs.tls12_handshake_hash);
3643 if (rv != SECSuccess) {
3644 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
3645 return rv;
3646 }
3647 }
3496 rv = PK11_DigestBegin(ss->ssl3.hs.md5); 3648 rv = PK11_DigestBegin(ss->ssl3.hs.md5);
3497 if (rv != SECSuccess) { 3649 if (rv != SECSuccess) {
3498 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); 3650 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
3499 return rv; 3651 return rv;
3500 } 3652 }
3501 rv = PK11_DigestBegin(ss->ssl3.hs.sha); 3653 rv = PK11_DigestBegin(ss->ssl3.hs.sha);
3502 if (rv != SECSuccess) { 3654 if (rv != SECSuccess) {
3503 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); 3655 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
3504 return rv; 3656 return rv;
3505 } 3657 }
3506 } 3658 }
3507 return rv; 3659 return rv;
3508 } 3660 }
3509 3661
3510 static SECStatus 3662 static SECStatus
3511 ssl3_NewHandshakeHashes(sslSocket *ss) 3663 ssl3_NewHandshakeHashes(sslSocket *ss)
3512 { 3664 {
3513 PK11Context *md5 = NULL; 3665 PK11Context *md5 = NULL;
3514 PK11Context *sha = NULL; 3666 PK11Context *sha = NULL;
3515 3667
3516 /* 3668 /*
3517 * note: We should probably lookup an SSL3 slot for these 3669 * note: We should probably lookup an SSL3 slot for these
3518 * handshake hashes in hopes that we wind up with the same slots 3670 * handshake hashes in hopes that we wind up with the same slots
3519 * that the master secret will wind up in ... 3671 * that the master secret will wind up in ...
3520 */ 3672 */
3521 SSL_TRC(30,("%d: SSL3[%d]: start handshake hashes", SSL_GETPID(), ss->fd)); 3673 SSL_TRC(30,("%d: SSL3[%d]: start handshake hashes", SSL_GETPID(), ss->fd));
3522 #ifndef NO_PKCS11_BYPASS 3674 PORT_Assert(!ss->ssl3.hs.messages.buf && !ss->ssl3.hs.messages.space);
3523 if (ss->opt.bypassPKCS11) { 3675 ss->ssl3.hs.messages.buf = NULL;
3524 » PORT_Assert(!ss->ssl3.hs.messages.buf && !ss->ssl3.hs.messages.space); 3676 ss->ssl3.hs.messages.space = 0;
3525 » ss->ssl3.hs.messages.buf = NULL; 3677
3526 » ss->ssl3.hs.messages.space = 0; 3678 ss->ssl3.hs.md5 = md5 = PK11_CreateDigestContext(SEC_OID_MD5);
3527 } else 3679 ss->ssl3.hs.sha = sha = PK11_CreateDigestContext(SEC_OID_SHA1);
3528 #endif 3680 ss->ssl3.hs.tls12_handshake_hash = NULL;
3529 { 3681 if (md5 == NULL) {
3530 » ss->ssl3.hs.md5 = md5 = PK11_CreateDigestContext(SEC_OID_MD5); 3682 » ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
3531 » ss->ssl3.hs.sha = sha = PK11_CreateDigestContext(SEC_OID_SHA1); 3683 » goto loser;
3532 » if (md5 == NULL) { 3684 }
3533 » ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); 3685 if (sha == NULL) {
3534 » goto loser; 3686 » ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
3535 » } 3687 » goto loser;
3536 » if (sha == NULL) {
3537 » ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
3538 » goto loser;
3539 » }
3540 } 3688 }
3541 if (SECSuccess == ssl3_RestartHandshakeHashes(ss)) { 3689 if (SECSuccess == ssl3_RestartHandshakeHashes(ss)) {
3542 return SECSuccess; 3690 return SECSuccess;
3543 } 3691 }
3544 3692
3545 loser: 3693 loser:
3546 if (md5 != NULL) { 3694 if (md5 != NULL) {
3547 PK11_DestroyContext(md5, PR_TRUE); 3695 PK11_DestroyContext(md5, PR_TRUE);
3548 ss->ssl3.hs.md5 = NULL; 3696 ss->ssl3.hs.md5 = NULL;
3549 } 3697 }
(...skipping 17 matching lines...) Expand all
3567 static SECStatus 3715 static SECStatus
3568 ssl3_UpdateHandshakeHashes(sslSocket *ss, const unsigned char *b, 3716 ssl3_UpdateHandshakeHashes(sslSocket *ss, const unsigned char *b,
3569 unsigned int l) 3717 unsigned int l)
3570 { 3718 {
3571 SECStatus rv = SECSuccess; 3719 SECStatus rv = SECSuccess;
3572 3720
3573 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 3721 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
3574 3722
3575 PRINT_BUF(90, (NULL, "MD5 & SHA handshake hash input:", b, l)); 3723 PRINT_BUF(90, (NULL, "MD5 & SHA handshake hash input:", b, l));
3576 3724
3725 if ((ss->version == 0 || ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) &&
3726 !ss->opt.bypassPKCS11 &&
3727 ss->ssl3.hs.tls12_handshake_hash == NULL) {
3728 /* For TLS 1.2 connections we need to buffer the handshake messages
3729 * until we have established which PRF hash function to use. */
3730 rv = sslBuffer_Append(&ss->ssl3.hs.messages, b, l);
3731 if (rv != SECSuccess) {
3732 return rv;
3733 }
3734 }
3735
3577 #ifndef NO_PKCS11_BYPASS 3736 #ifndef NO_PKCS11_BYPASS
3578 if (ss->opt.bypassPKCS11) { 3737 if (ss->opt.bypassPKCS11) {
3579 MD5_Update((MD5Context *)ss->ssl3.hs.md5_cx, b, l); 3738 MD5_Update((MD5Context *)ss->ssl3.hs.md5_cx, b, l);
3580 SHA1_Update((SHA1Context *)ss->ssl3.hs.sha_cx, b, l); 3739 SHA1_Update((SHA1Context *)ss->ssl3.hs.sha_cx, b, l);
3581 #if defined(NSS_SURVIVE_DOUBLE_BYPASS_FAILURE) 3740 #if defined(NSS_SURVIVE_DOUBLE_BYPASS_FAILURE)
3582 rv = sslBuffer_Append(&ss->ssl3.hs.messages, b, l); 3741 rv = sslBuffer_Append(&ss->ssl3.hs.messages, b, l);
3583 #endif 3742 #endif
3584 return rv; 3743 return rv;
3585 } 3744 }
3586 #endif 3745 #endif
3587 rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l); 3746 if (ss->ssl3.hs.tls12_handshake_hash) {
3588 if (rv != SECSuccess) { 3747 » rv = PK11_DigestOp(ss->ssl3.hs.tls12_handshake_hash, b, l);
3589 » ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); 3748 » if (rv != SECSuccess) {
3590 » return rv; 3749 » ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
3591 } 3750 » return rv;
3592 rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l); 3751 » }
3593 if (rv != SECSuccess) { 3752 } else {
3594 » ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); 3753 » rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l);
3595 » return rv; 3754 » if (rv != SECSuccess) {
3755 » ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
3756 » return rv;
3757 » }
3758 » rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l);
3759 » if (rv != SECSuccess) {
3760 » ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
3761 » return rv;
3762 » }
3596 } 3763 }
3597 return rv; 3764 return rv;
3598 } 3765 }
3599 3766
3600 /************************************************************************** 3767 /**************************************************************************
3601 * Append Handshake functions. 3768 * Append Handshake functions.
3602 * All these functions set appropriate error codes. 3769 * All these functions set appropriate error codes.
3603 * Most rely on ssl3_AppendHandshake to set the error code. 3770 * Most rely on ssl3_AppendHandshake to set the error code.
3604 **************************************************************************/ 3771 **************************************************************************/
3605 SECStatus 3772 SECStatus
(...skipping 131 matching lines...) Expand 10 before | Expand all | Expand 10 after
3737 /* Fragment length -- set to the packet length because not fragmented */ 3904 /* Fragment length -- set to the packet length because not fragmented */
3738 rv = ssl3_AppendHandshakeNumber(ss, length, 3); 3905 rv = ssl3_AppendHandshakeNumber(ss, length, 3);
3739 if (rv != SECSuccess) { 3906 if (rv != SECSuccess) {
3740 return rv; /* error code set by AppendHandshake, if applicable. */ 3907 return rv; /* error code set by AppendHandshake, if applicable. */
3741 } 3908 }
3742 } 3909 }
3743 3910
3744 return rv; /* error code set by AppendHandshake, if applicable. */ 3911 return rv; /* error code set by AppendHandshake, if applicable. */
3745 } 3912 }
3746 3913
3914 /* ssl3_AppendSignatureAndHashAlgorithm appends the serialisation of
3915 * |sigAndHash| to the current handshake message. */
3916 SECStatus
3917 ssl3_AppendSignatureAndHashAlgorithm(
3918 sslSocket *ss, const SSL3SignatureAndHashAlgorithm* sigAndHash)
3919 {
3920 unsigned char serialized[2];
3921
3922 serialized[0] = ssl3_OIDToTLSHashAlgorithm(sigAndHash->hashAlg);
3923 if (serialized[0] == 0) {
3924 PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
3925 return SECFailure;
3926 }
3927
3928 serialized[1] = sigAndHash->sigAlg;
3929
3930 return ssl3_AppendHandshake(ss, serialized, sizeof(serialized));
3931 }
3932
3747 /************************************************************************** 3933 /**************************************************************************
3748 * Consume Handshake functions. 3934 * Consume Handshake functions.
3749 * 3935 *
3750 * All data used in these functions is protected by two locks, 3936 * All data used in these functions is protected by two locks,
3751 * the RecvBufLock and the SSL3HandshakeLock 3937 * the RecvBufLock and the SSL3HandshakeLock
3752 **************************************************************************/ 3938 **************************************************************************/
3753 3939
3754 /* Read up the next "bytes" number of bytes from the (decrypted) input 3940 /* Read up the next "bytes" number of bytes from the (decrypted) input
3755 * stream "b" (which is *length bytes long). Copy them into buffer "v". 3941 * stream "b" (which is *length bytes long). Copy them into buffer "v".
3756 * Reduces *length by bytes. Advances *b by bytes. 3942 * Reduces *length by bytes. Advances *b by bytes.
(...skipping 86 matching lines...) Expand 10 before | Expand all | Expand 10 after
3843 return ssl3_DecodeError(ss); 4029 return ssl3_DecodeError(ss);
3844 } 4030 }
3845 i->data = *b; 4031 i->data = *b;
3846 i->len = count; 4032 i->len = count;
3847 *b += count; 4033 *b += count;
3848 *length -= count; 4034 *length -= count;
3849 } 4035 }
3850 return SECSuccess; 4036 return SECSuccess;
3851 } 4037 }
3852 4038
4039 /* tlsHashOIDMap contains the mapping between TLS hash identifiers and the
4040 * SECOidTag used internally by NSS. */
4041 static const struct {
4042 int tlsHash;
4043 SECOidTag oid;
4044 } tlsHashOIDMap[] = {
4045 { tls_hash_md5, SEC_OID_MD5 },
4046 { tls_hash_sha1, SEC_OID_SHA1 },
4047 { tls_hash_sha224, SEC_OID_SHA224 },
4048 { tls_hash_sha256, SEC_OID_SHA256 },
4049 { tls_hash_sha384, SEC_OID_SHA384 },
4050 { tls_hash_sha512, SEC_OID_SHA512 }
4051 };
4052
4053 /* ssl3_TLSHashAlgorithmToOID converts a TLS hash identifier into an OID value.
4054 * If the hash is not recognised, SEC_OID_UNKNOWN is returned.
4055 *
4056 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
4057 SECOidTag
4058 ssl3_TLSHashAlgorithmToOID(int hashFunc)
4059 {
4060 unsigned int i;
4061
4062 for (i = 0; i < PR_ARRAY_SIZE(tlsHashOIDMap); i++) {
4063 if (hashFunc == tlsHashOIDMap[i].tlsHash) {
4064 return tlsHashOIDMap[i].oid;
4065 }
4066 }
4067 return SEC_OID_UNKNOWN;
4068 }
4069
4070 /* ssl3_OIDToTLSHashAlgorithm converts an OID to a TLS hash algorithm identifier .
agl 2013/05/28 20:21:13 You appear to have wrapped lines at 80 chars, but
wtc 2013/05/28 23:22:19 Done.
4071 * If the hash is not recognised, zero is returned.
4072 *
4073 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
4074 static int
4075 ssl3_OIDToTLSHashAlgorithm(SECOidTag oid)
4076 {
4077 unsigned int i;
4078
4079 for (i = 0; i < PR_ARRAY_SIZE(tlsHashOIDMap); i++) {
4080 if (oid == tlsHashOIDMap[i].oid) {
4081 return tlsHashOIDMap[i].tlsHash;
4082 }
4083 }
4084 return 0;
4085 }
4086
4087 /* ssl3_TLSSignatureAlgorithmForKeyType returns the TLS 1.2 signature algorithm
4088 * identifier for a given KeyType. */
4089 static SECStatus
4090 ssl3_TLSSignatureAlgorithmForKeyType(KeyType keyType,
4091 TLSSignatureAlgorithm *out)
4092 {
4093 switch (keyType) {
4094 case rsaKey:
4095 *out = tls_sig_rsa;
4096 return SECSuccess;
4097 case dsaKey:
4098 *out = tls_sig_dsa;
4099 return SECSuccess;
4100 case ecKey:
4101 *out = tls_sig_ecdsa;
4102 return SECSuccess;
4103 default:
wtc 2013/05/28 17:50:25 clang warns if this switch statement doesn't handl
4104 PORT_SetError(SEC_ERROR_INVALID_KEY);
4105 return SECFailure;
4106 }
4107 }
4108
4109 /* ssl3_TLSSignatureAlgorithmForCertificate returns the TLS 1.2 signature
4110 * algorithm identifier for the given certificate. */
4111 static SECStatus
4112 ssl3_TLSSignatureAlgorithmForCertificate(CERTCertificate *cert,
4113 TLSSignatureAlgorithm *out)
4114 {
4115 SECKEYPublicKey *key;
4116 KeyType keyType;
4117
4118 key = CERT_ExtractPublicKey(cert);
4119 if (key == NULL) {
4120 ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
4121 return SECFailure;
4122 }
4123
4124 keyType = key->keyType;
4125 SECKEY_DestroyPublicKey(key);
wtc 2013/05/28 17:50:25 This fixes a leak of the public key.
4126 return ssl3_TLSSignatureAlgorithmForKeyType(keyType, out);
4127 }
4128
4129 /* ssl3_CheckSignatureAndHashAlgorithmConsistency checks that the signature
4130 * algorithm identifier in |sigAndHash| is consistent with the public key in
4131 * |cert|. If so, SECSuccess is returned. Otherwise, PORT_SetError is called
4132 * and SECFailure is returned. */
4133 SECStatus
4134 ssl3_CheckSignatureAndHashAlgorithmConsistency(
4135 const SSL3SignatureAndHashAlgorithm *sigAndHash, CERTCertificate* cert)
4136 {
4137 SECStatus rv;
4138 TLSSignatureAlgorithm sigAlg;
4139
4140 rv = ssl3_TLSSignatureAlgorithmForCertificate(cert, &sigAlg);
4141 if (rv != SECSuccess) {
4142 return rv;
4143 }
4144 if (sigAlg != sigAndHash->sigAlg) {
4145 PORT_SetError(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM);
4146 return SECFailure;
4147 }
4148 return SECSuccess;
4149 }
4150
4151 /* ssl3_ConsumeSignatureAndHashAlgorithm reads a SignatureAndHashAlgorithm
4152 * structure from |b| and puts the resulting value into |out|. |b| and |length|
4153 * are updated accordingly.
4154 *
4155 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
4156 SECStatus
4157 ssl3_ConsumeSignatureAndHashAlgorithm(sslSocket *ss,
4158 SSL3Opaque **b,
4159 PRUint32 *length,
4160 SSL3SignatureAndHashAlgorithm *out)
4161 {
4162 unsigned char bytes[2];
4163 SECStatus rv;
4164
4165 rv = ssl3_ConsumeHandshake(ss, bytes, sizeof(bytes), b, length);
4166 if (rv != SECSuccess) {
4167 return rv;
4168 }
4169
4170 out->hashAlg = ssl3_TLSHashAlgorithmToOID(bytes[0]);
4171 if (out->hashAlg == SEC_OID_UNKNOWN) {
4172 PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
4173 return SECFailure;
4174 }
4175
4176 out->sigAlg = bytes[1];
4177 return SECSuccess;
4178 }
4179
3853 /************************************************************************** 4180 /**************************************************************************
3854 * end of Consume Handshake functions. 4181 * end of Consume Handshake functions.
3855 **************************************************************************/ 4182 **************************************************************************/
3856 4183
3857 /* Extract the hashes of handshake messages to this point. 4184 /* Extract the hashes of handshake messages to this point.
3858 * Called from ssl3_SendCertificateVerify 4185 * Called from ssl3_SendCertificateVerify
3859 * ssl3_SendFinished 4186 * ssl3_SendFinished
3860 * ssl3_HandleHandshakeMessage 4187 * ssl3_HandleHandshakeMessage
3861 * 4188 *
3862 * Caller must hold the SSL3HandshakeLock. 4189 * Caller must hold the SSL3HandshakeLock.
3863 * Caller must hold a read or write lock on the Spec R/W lock. 4190 * Caller must hold a read or write lock on the Spec R/W lock.
3864 * (There is presently no way to assert on a Read lock.) 4191 * (There is presently no way to assert on a Read lock.)
3865 */ 4192 */
3866 static SECStatus 4193 static SECStatus
3867 ssl3_ComputeHandshakeHashes(sslSocket * ss, 4194 ssl3_ComputeHandshakeHashes(sslSocket * ss,
3868 ssl3CipherSpec *spec, /* uses ->master_secret */ 4195 ssl3CipherSpec *spec, /* uses ->master_secret */
3869 SSL3Hashes * hashes, /* output goes here. */ 4196 SSL3Hashes * hashes, /* output goes here. */
3870 PRUint32 sender) 4197 PRUint32 sender)
3871 { 4198 {
3872 SECStatus rv = SECSuccess; 4199 SECStatus rv = SECSuccess;
3873 PRBool isTLS = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0); 4200 PRBool isTLS = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0);
3874 unsigned int outLength; 4201 unsigned int outLength;
3875 SSL3Opaque md5_inner[MAX_MAC_LENGTH]; 4202 SSL3Opaque md5_inner[MAX_MAC_LENGTH];
3876 SSL3Opaque sha_inner[MAX_MAC_LENGTH]; 4203 SSL3Opaque sha_inner[MAX_MAC_LENGTH];
3877 4204
3878 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 4205 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
4206 hashes->hashAlg = SEC_OID_UNKNOWN;
3879 4207
3880 #ifndef NO_PKCS11_BYPASS 4208 #ifndef NO_PKCS11_BYPASS
3881 if (ss->opt.bypassPKCS11) { 4209 if (ss->opt.bypassPKCS11) {
3882 /* compute them without PKCS11 */ 4210 /* compute them without PKCS11 */
3883 PRUint64 md5_cx[MAX_MAC_CONTEXT_LLONGS]; 4211 PRUint64 md5_cx[MAX_MAC_CONTEXT_LLONGS];
3884 PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS]; 4212 PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS];
3885 4213
3886 #define md5cx ((MD5Context *)md5_cx) 4214 #define md5cx ((MD5Context *)md5_cx)
3887 #define shacx ((SHA1Context *)sha_cx) 4215 #define shacx ((SHA1Context *)sha_cx)
3888 4216
(...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after
3932 PRINT_BUF(95, (NULL, "SHA inner: result", sha_inner, outLength)); 4260 PRINT_BUF(95, (NULL, "SHA inner: result", sha_inner, outLength));
3933 PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2, 4261 PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2,
3934 mac_defs[mac_md5].pad_size)); 4262 mac_defs[mac_md5].pad_size));
3935 PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH)) ; 4263 PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH)) ;
3936 4264
3937 MD5_Begin(md5cx); 4265 MD5_Begin(md5cx);
3938 MD5_Update(md5cx, spec->msItem.data, spec->msItem.len); 4266 MD5_Update(md5cx, spec->msItem.data, spec->msItem.len);
3939 MD5_Update(md5cx, mac_pad_2, mac_defs[mac_md5].pad_size); 4267 MD5_Update(md5cx, mac_pad_2, mac_defs[mac_md5].pad_size);
3940 MD5_Update(md5cx, md5_inner, MD5_LENGTH); 4268 MD5_Update(md5cx, md5_inner, MD5_LENGTH);
3941 } 4269 }
3942 » MD5_End(md5cx, hashes->md5, &outLength, MD5_LENGTH); 4270 » MD5_End(md5cx, hashes->u.s.md5, &outLength, MD5_LENGTH);
3943 4271
3944 » PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->md5, MD5_LENGTH)); 4272 » PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->u.s.md5, MD5_LENGTH));
3945 4273
3946 if (!isTLS) { 4274 if (!isTLS) {
3947 PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2, 4275 PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2,
3948 mac_defs[mac_sha].pad_size)); 4276 mac_defs[mac_sha].pad_size));
3949 PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH) ); 4277 PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH) );
3950 4278
3951 SHA1_Begin(shacx); 4279 SHA1_Begin(shacx);
3952 SHA1_Update(shacx, spec->msItem.data, spec->msItem.len); 4280 SHA1_Update(shacx, spec->msItem.data, spec->msItem.len);
3953 SHA1_Update(shacx, mac_pad_2, mac_defs[mac_sha].pad_size); 4281 SHA1_Update(shacx, mac_pad_2, mac_defs[mac_sha].pad_size);
3954 SHA1_Update(shacx, sha_inner, SHA1_LENGTH); 4282 SHA1_Update(shacx, sha_inner, SHA1_LENGTH);
3955 } 4283 }
3956 » SHA1_End(shacx, hashes->sha, &outLength, SHA1_LENGTH); 4284 » SHA1_End(shacx, hashes->u.s.sha, &outLength, SHA1_LENGTH);
3957 4285
3958 » PRINT_BUF(60, (NULL, "SHA outer: result", hashes->sha, SHA1_LENGTH)); 4286 » PRINT_BUF(60, (NULL, "SHA outer: result", hashes->u.s.sha, SHA1_LENGTH)) ;
3959 4287
4288 hashes->len = MD5_LENGTH + SHA1_LENGTH;
3960 rv = SECSuccess; 4289 rv = SECSuccess;
3961 #undef md5cx 4290 #undef md5cx
3962 #undef shacx 4291 #undef shacx
3963 } else 4292 } else
3964 #endif 4293 #endif
3965 { 4294 if (ss->ssl3.hs.tls12_handshake_hash) {
4295 » PK11Context *h;
4296 » unsigned int stateLen;
4297 » unsigned char stackBuf[1024];
4298 » unsigned char *stateBuf = NULL;
4299
4300 » if (!spec->master_secret) {
4301 » PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
4302 » return SECFailure;
4303 » }
4304
4305 » h = ss->ssl3.hs.tls12_handshake_hash;
4306 » stateBuf = PK11_SaveContextAlloc(h, stackBuf,
4307 » » » » » sizeof(stackBuf), &stateLen);
4308 » if (stateBuf == NULL) {
4309 » ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
4310 » goto tls12Loser;
4311 » }
4312 » rv |= PK11_DigestFinal(h, hashes->u.raw, &hashes->len,
4313 » » » sizeof(hashes->u.raw));
4314 » if (rv != SECSuccess) {
4315 » ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
4316 » rv = SECFailure;
4317 » goto tls12Loser;
4318 » }
4319 » /* If we ever support ciphersuites where the PRF hash isn't SHA-256
4320 » * then this will need to be updated. */
4321 » hashes->hashAlg = SEC_OID_SHA256;
4322 » rv = SECSuccess;
4323
4324 tls12Loser:
4325 » if (stateBuf) {
4326 » if (PK11_RestoreContext(ss->ssl3.hs.tls12_handshake_hash, stateBuf,
4327 » » » » stateLen) != SECSuccess) {
4328 » » ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
4329 » » rv = SECFailure;
4330 » }
4331 » if (stateBuf != stackBuf) {
4332 » » PORT_ZFree(stateBuf, stateLen);
4333 » }
4334 » }
4335 } else {
3966 /* compute hases with PKCS11 */ 4336 /* compute hases with PKCS11 */
3967 PK11Context * md5; 4337 PK11Context * md5;
3968 PK11Context * sha = NULL; 4338 PK11Context * sha = NULL;
3969 unsigned char *md5StateBuf = NULL; 4339 unsigned char *md5StateBuf = NULL;
3970 unsigned char *shaStateBuf = NULL; 4340 unsigned char *shaStateBuf = NULL;
3971 unsigned int md5StateLen, shaStateLen; 4341 unsigned int md5StateLen, shaStateLen;
3972 unsigned char md5StackBuf[256]; 4342 unsigned char md5StackBuf[256];
3973 unsigned char shaStackBuf[512]; 4343 unsigned char shaStackBuf[512];
3974 4344
3975 if (!spec->master_secret) { 4345 if (!spec->master_secret) {
(...skipping 68 matching lines...) Expand 10 before | Expand all | Expand 10 after
4044 4414
4045 PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2, 4415 PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2,
4046 mac_defs[mac_md5].pad_size)); 4416 mac_defs[mac_md5].pad_size));
4047 PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH)) ; 4417 PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH)) ;
4048 4418
4049 rv |= PK11_DigestBegin(md5); 4419 rv |= PK11_DigestBegin(md5);
4050 rv |= PK11_DigestKey(md5, spec->master_secret); 4420 rv |= PK11_DigestKey(md5, spec->master_secret);
4051 rv |= PK11_DigestOp(md5, mac_pad_2, mac_defs[mac_md5].pad_size); 4421 rv |= PK11_DigestOp(md5, mac_pad_2, mac_defs[mac_md5].pad_size);
4052 rv |= PK11_DigestOp(md5, md5_inner, MD5_LENGTH); 4422 rv |= PK11_DigestOp(md5, md5_inner, MD5_LENGTH);
4053 } 4423 }
4054 » rv |= PK11_DigestFinal(md5, hashes->md5, &outLength, MD5_LENGTH); 4424 » rv |= PK11_DigestFinal(md5, hashes->u.s.md5, &outLength, MD5_LENGTH);
4055 PORT_Assert(rv != SECSuccess || outLength == MD5_LENGTH); 4425 PORT_Assert(rv != SECSuccess || outLength == MD5_LENGTH);
4056 if (rv != SECSuccess) { 4426 if (rv != SECSuccess) {
4057 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); 4427 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
4058 rv = SECFailure; 4428 rv = SECFailure;
4059 goto loser; 4429 goto loser;
4060 } 4430 }
4061 4431
4062 » PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->md5, MD5_LENGTH)); 4432 » PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->u.s.md5, MD5_LENGTH));
4063 4433
4064 if (!isTLS) { 4434 if (!isTLS) {
4065 PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2, 4435 PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2,
4066 mac_defs[mac_sha].pad_size)); 4436 mac_defs[mac_sha].pad_size));
4067 PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH) ); 4437 PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH) );
4068 4438
4069 rv |= PK11_DigestBegin(sha); 4439 rv |= PK11_DigestBegin(sha);
4070 rv |= PK11_DigestKey(sha,spec->master_secret); 4440 rv |= PK11_DigestKey(sha,spec->master_secret);
4071 rv |= PK11_DigestOp(sha, mac_pad_2, mac_defs[mac_sha].pad_size); 4441 rv |= PK11_DigestOp(sha, mac_pad_2, mac_defs[mac_sha].pad_size);
4072 rv |= PK11_DigestOp(sha, sha_inner, SHA1_LENGTH); 4442 rv |= PK11_DigestOp(sha, sha_inner, SHA1_LENGTH);
4073 } 4443 }
4074 » rv |= PK11_DigestFinal(sha, hashes->sha, &outLength, SHA1_LENGTH); 4444 » rv |= PK11_DigestFinal(sha, hashes->u.s.sha, &outLength, SHA1_LENGTH);
4075 PORT_Assert(rv != SECSuccess || outLength == SHA1_LENGTH); 4445 PORT_Assert(rv != SECSuccess || outLength == SHA1_LENGTH);
4076 if (rv != SECSuccess) { 4446 if (rv != SECSuccess) {
4077 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); 4447 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
4078 rv = SECFailure; 4448 rv = SECFailure;
4079 goto loser; 4449 goto loser;
4080 } 4450 }
4081 4451
4082 » PRINT_BUF(60, (NULL, "SHA outer: result", hashes->sha, SHA1_LENGTH)); 4452 » PRINT_BUF(60, (NULL, "SHA outer: result", hashes->u.s.sha, SHA1_LENGTH)) ;
4083 4453
4454 hashes->len = MD5_LENGTH + SHA1_LENGTH;
4084 rv = SECSuccess; 4455 rv = SECSuccess;
4085 4456
4086 loser: 4457 loser:
4087 if (md5StateBuf) { 4458 if (md5StateBuf) {
4088 if (PK11_RestoreContext(ss->ssl3.hs.md5, md5StateBuf, md5StateLen) 4459 if (PK11_RestoreContext(ss->ssl3.hs.md5, md5StateBuf, md5StateLen)
4089 != SECSuccess) 4460 != SECSuccess)
4090 { 4461 {
4091 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); 4462 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
4092 rv = SECFailure; 4463 rv = SECFailure;
4093 } 4464 }
(...skipping 1242 matching lines...) Expand 10 before | Expand all | Expand 10 after
5336 SECKEY_DestroyPublicKey(serverKey); 5707 SECKEY_DestroyPublicKey(serverKey);
5337 return rv; /* err code already set. */ 5708 return rv; /* err code already set. */
5338 } 5709 }
5339 5710
5340 /* Called from ssl3_HandleServerHelloDone(). */ 5711 /* Called from ssl3_HandleServerHelloDone(). */
5341 static SECStatus 5712 static SECStatus
5342 ssl3_SendCertificateVerify(sslSocket *ss) 5713 ssl3_SendCertificateVerify(sslSocket *ss)
5343 { 5714 {
5344 SECStatus rv = SECFailure; 5715 SECStatus rv = SECFailure;
5345 PRBool isTLS; 5716 PRBool isTLS;
5717 PRBool isTLS12;
5346 SECItem buf = {siBuffer, NULL, 0}; 5718 SECItem buf = {siBuffer, NULL, 0};
5347 SSL3Hashes hashes; 5719 SSL3Hashes hashes;
5720 KeyType keyType;
5721 unsigned int len;
5722 SSL3SignatureAndHashAlgorithm sigAndHash;
5348 5723
5349 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 5724 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
5350 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 5725 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
5351 5726
5352 SSL_TRC(3, ("%d: SSL3[%d]: send certificate_verify handshake", 5727 SSL_TRC(3, ("%d: SSL3[%d]: send certificate_verify handshake",
5353 SSL_GETPID(), ss->fd)); 5728 SSL_GETPID(), ss->fd));
5354 5729
5355 ssl_GetSpecReadLock(ss); 5730 ssl_GetSpecReadLock(ss);
5356 rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0); 5731 rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0);
5357 ssl_ReleaseSpecReadLock(ss); 5732 ssl_ReleaseSpecReadLock(ss);
5358 if (rv != SECSuccess) { 5733 if (rv != SECSuccess) {
5359 goto done; /* err code was set by ssl3_ComputeHandshakeHashes */ 5734 goto done; /* err code was set by ssl3_ComputeHandshakeHashes */
5360 } 5735 }
5361 5736
5362 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); 5737 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
5738 isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
wtc 2013/05/28 17:50:25 In several places I changed ss->version to either
5363 if (ss->ssl3.platformClientKey) { 5739 if (ss->ssl3.platformClientKey) {
5364 #ifdef NSS_PLATFORM_CLIENT_AUTH 5740 #ifdef NSS_PLATFORM_CLIENT_AUTH
5741 keyType = CERT_GetCertKeyType(
5742 &ss->ssl3.clientCertificate->subjectPublicKeyInfo);
5365 rv = ssl3_PlatformSignHashes( 5743 rv = ssl3_PlatformSignHashes(
5366 » &hashes, ss->ssl3.platformClientKey, &buf, isTLS, 5744 » &hashes, ss->ssl3.platformClientKey, &buf, isTLS, keyType);
5367 » CERT_GetCertKeyType(
5368 » » &ss->ssl3.clientCertificate->subjectPublicKeyInfo));
5369 ssl_FreePlatformKey(ss->ssl3.platformClientKey); 5745 ssl_FreePlatformKey(ss->ssl3.platformClientKey);
5370 ss->ssl3.platformClientKey = (PlatformKey)NULL; 5746 ss->ssl3.platformClientKey = (PlatformKey)NULL;
5371 #endif /* NSS_PLATFORM_CLIENT_AUTH */ 5747 #endif /* NSS_PLATFORM_CLIENT_AUTH */
5372 } else { 5748 } else {
5749 keyType = ss->ssl3.clientPrivateKey->keyType;
5373 rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS); 5750 rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS);
5374 if (rv == SECSuccess) { 5751 if (rv == SECSuccess) {
5375 PK11SlotInfo * slot; 5752 PK11SlotInfo * slot;
5376 sslSessionID * sid = ss->sec.ci.sid; 5753 sslSessionID * sid = ss->sec.ci.sid;
5377 5754
5378 /* Remember the info about the slot that did the signing. 5755 /* Remember the info about the slot that did the signing.
5379 ** Later, when doing an SSL restart handshake, verify this. 5756 ** Later, when doing an SSL restart handshake, verify this.
5380 ** These calls are mere accessors, and can't fail. 5757 ** These calls are mere accessors, and can't fail.
5381 */ 5758 */
5382 slot = PK11_GetSlotFromPrivateKey(ss->ssl3.clientPrivateKey); 5759 slot = PK11_GetSlotFromPrivateKey(ss->ssl3.clientPrivateKey);
5383 sid->u.ssl3.clAuthSeries = PK11_GetSlotSeries(slot); 5760 sid->u.ssl3.clAuthSeries = PK11_GetSlotSeries(slot);
5384 sid->u.ssl3.clAuthSlotID = PK11_GetSlotID(slot); 5761 sid->u.ssl3.clAuthSlotID = PK11_GetSlotID(slot);
5385 sid->u.ssl3.clAuthModuleID = PK11_GetModuleID(slot); 5762 sid->u.ssl3.clAuthModuleID = PK11_GetModuleID(slot);
5386 sid->u.ssl3.clAuthValid = PR_TRUE; 5763 sid->u.ssl3.clAuthValid = PR_TRUE;
5387 PK11_FreeSlot(slot); 5764 PK11_FreeSlot(slot);
5388 } 5765 }
5389 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); 5766 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
5390 ss->ssl3.clientPrivateKey = NULL; 5767 ss->ssl3.clientPrivateKey = NULL;
5391 } 5768 }
5392 if (rv != SECSuccess) { 5769 if (rv != SECSuccess) {
5393 goto done; /* err code was set by ssl3_SignHashes */ 5770 goto done; /* err code was set by ssl3_SignHashes */
5394 } 5771 }
5395 5772
5396 rv = ssl3_AppendHandshakeHeader(ss, certificate_verify, buf.len + 2); 5773 len = buf.len + 2 + (isTLS12 ? 2 : 0);
5774
5775 rv = ssl3_AppendHandshakeHeader(ss, certificate_verify, len);
5397 if (rv != SECSuccess) { 5776 if (rv != SECSuccess) {
5398 goto done; /* error code set by AppendHandshake */ 5777 goto done; /* error code set by AppendHandshake */
5399 } 5778 }
5779 if (isTLS12) {
5780 rv = ssl3_TLSSignatureAlgorithmForKeyType(keyType,
5781 &sigAndHash.sigAlg);
5782 if (rv != SECSuccess) {
5783 goto done;
5784 }
5785 /* We always sign using the handshake hash function. It's possible that
5786 * a server could support SHA-256 as the handshake hash but not as a
5787 * signature hash. In that case we wouldn't be able to do client
5788 * certificates with it. The alternative is to buffer all handshake
5789 * messages. */
5790 sigAndHash.hashAlg = hashes.hashAlg;
5791
5792 rv = ssl3_AppendSignatureAndHashAlgorithm(ss, &sigAndHash);
5793 if (rv != SECSuccess) {
5794 goto done; /* err set by AppendHandshake. */
5795 }
5796 }
5400 rv = ssl3_AppendHandshakeVariable(ss, buf.data, buf.len, 2); 5797 rv = ssl3_AppendHandshakeVariable(ss, buf.data, buf.len, 2);
5401 if (rv != SECSuccess) { 5798 if (rv != SECSuccess) {
5402 goto done; /* error code set by AppendHandshake */ 5799 goto done; /* error code set by AppendHandshake */
5403 } 5800 }
5404 5801
5405 done: 5802 done:
5406 if (buf.data) 5803 if (buf.data)
5407 PORT_Free(buf.data); 5804 PORT_Free(buf.data);
5408 return rv; 5805 return rv;
5409 } 5806 }
(...skipping 87 matching lines...) Expand 10 before | Expand all | Expand 10 after
5497 5894
5498 rv = ssl3_NegotiateVersion(ss, version, PR_FALSE); 5895 rv = ssl3_NegotiateVersion(ss, version, PR_FALSE);
5499 if (rv != SECSuccess) { 5896 if (rv != SECSuccess) {
5500 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version 5897 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version
5501 : handshake_failure; 5898 : handshake_failure;
5502 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; 5899 errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
5503 goto alert_loser; 5900 goto alert_loser;
5504 } 5901 }
5505 isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0); 5902 isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0);
5506 5903
5904 rv = ssl3_InitTLS12HandshakeHash(ss);
5905 if (rv != SECSuccess) {
5906 desc = internal_error;
5907 errCode = PORT_GetError();
5908 goto alert_loser;
5909 }
5910
5507 rv = ssl3_ConsumeHandshake( 5911 rv = ssl3_ConsumeHandshake(
5508 ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH, &b, &length); 5912 ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH, &b, &length);
5509 if (rv != SECSuccess) { 5913 if (rv != SECSuccess) {
5510 goto loser; /* alert has been sent */ 5914 goto loser; /* alert has been sent */
5511 } 5915 }
5512 5916
5513 rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length); 5917 rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length);
5514 if (rv != SECSuccess) { 5918 if (rv != SECSuccess) {
5515 goto loser; /* alert has been sent */ 5919 goto loser; /* alert has been sent */
5516 } 5920 }
(...skipping 310 matching lines...) Expand 10 before | Expand all | Expand 10 after
5827 6231
5828 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete 6232 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
5829 * ssl3 ServerKeyExchange message. 6233 * ssl3 ServerKeyExchange message.
5830 * Caller must hold Handshake and RecvBuf locks. 6234 * Caller must hold Handshake and RecvBuf locks.
5831 */ 6235 */
5832 static SECStatus 6236 static SECStatus
5833 ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length) 6237 ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
5834 { 6238 {
5835 PRArenaPool * arena = NULL; 6239 PRArenaPool * arena = NULL;
5836 SECKEYPublicKey *peerKey = NULL; 6240 SECKEYPublicKey *peerKey = NULL;
5837 PRBool isTLS; 6241 PRBool isTLS, isTLS12;
5838 SECStatus rv; 6242 SECStatus rv;
5839 int errCode = SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH; 6243 int errCode = SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH;
5840 SSL3AlertDescription desc = illegal_parameter; 6244 SSL3AlertDescription desc = illegal_parameter;
5841 SSL3Hashes hashes; 6245 SSL3Hashes hashes;
5842 SECItem signature = {siBuffer, NULL, 0}; 6246 SECItem signature = {siBuffer, NULL, 0};
6247 SSL3SignatureAndHashAlgorithm sigAndHash;
6248
6249 sigAndHash.hashAlg = SEC_OID_UNKNOWN;
5843 6250
5844 SSL_TRC(3, ("%d: SSL3[%d]: handle server_key_exchange handshake", 6251 SSL_TRC(3, ("%d: SSL3[%d]: handle server_key_exchange handshake",
5845 SSL_GETPID(), ss->fd)); 6252 SSL_GETPID(), ss->fd));
5846 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 6253 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
5847 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 6254 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
5848 6255
5849 if (ss->ssl3.hs.ws != wait_server_key && 6256 if (ss->ssl3.hs.ws != wait_server_key &&
5850 ss->ssl3.hs.ws != wait_server_cert) { 6257 ss->ssl3.hs.ws != wait_server_cert) {
5851 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH; 6258 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH;
5852 desc = unexpected_message; 6259 desc = unexpected_message;
5853 goto alert_loser; 6260 goto alert_loser;
5854 } 6261 }
5855 if (ss->sec.peerCert == NULL) { 6262 if (ss->sec.peerCert == NULL) {
5856 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH; 6263 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH;
5857 desc = unexpected_message; 6264 desc = unexpected_message;
5858 goto alert_loser; 6265 goto alert_loser;
5859 } 6266 }
5860 6267
5861 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); 6268 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
6269 isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
5862 6270
5863 switch (ss->ssl3.hs.kea_def->exchKeyType) { 6271 switch (ss->ssl3.hs.kea_def->exchKeyType) {
5864 6272
5865 case kt_rsa: { 6273 case kt_rsa: {
5866 SECItem modulus = {siBuffer, NULL, 0}; 6274 SECItem modulus = {siBuffer, NULL, 0};
5867 SECItem exponent = {siBuffer, NULL, 0}; 6275 SECItem exponent = {siBuffer, NULL, 0};
5868 6276
5869 rv = ssl3_ConsumeHandshakeVariable(ss, &modulus, 2, &b, &length); 6277 rv = ssl3_ConsumeHandshakeVariable(ss, &modulus, 2, &b, &length);
5870 if (rv != SECSuccess) { 6278 if (rv != SECSuccess) {
5871 goto loser; /* malformed. */ 6279 goto loser; /* malformed. */
5872 } 6280 }
5873 rv = ssl3_ConsumeHandshakeVariable(ss, &exponent, 2, &b, &length); 6281 rv = ssl3_ConsumeHandshakeVariable(ss, &exponent, 2, &b, &length);
5874 if (rv != SECSuccess) { 6282 if (rv != SECSuccess) {
5875 goto loser; /* malformed. */ 6283 goto loser; /* malformed. */
5876 } 6284 }
6285 if (isTLS12) {
6286 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length,
6287 &sigAndHash);
6288 if (rv != SECSuccess) {
6289 goto loser; /* malformed or unsupported. */
6290 }
6291 rv = ssl3_CheckSignatureAndHashAlgorithmConsistency(
6292 &sigAndHash, ss->sec.peerCert);
6293 if (rv != SECSuccess) {
6294 goto loser;
6295 }
6296 }
5877 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length); 6297 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length);
5878 if (rv != SECSuccess) { 6298 if (rv != SECSuccess) {
5879 goto loser; /* malformed. */ 6299 goto loser; /* malformed. */
5880 } 6300 }
5881 if (length != 0) { 6301 if (length != 0) {
5882 if (isTLS) 6302 if (isTLS)
5883 desc = decode_error; 6303 desc = decode_error;
5884 goto alert_loser; /* malformed. */ 6304 goto alert_loser; /* malformed. */
5885 } 6305 }
5886 6306
5887 /* failures after this point are not malformed handshakes. */ 6307 /* failures after this point are not malformed handshakes. */
5888 /* TLS: send decrypt_error if signature failed. */ 6308 /* TLS: send decrypt_error if signature failed. */
5889 desc = isTLS ? decrypt_error : handshake_failure; 6309 desc = isTLS ? decrypt_error : handshake_failure;
5890 6310
5891 /* 6311 /*
5892 * check to make sure the hash is signed by right guy 6312 * check to make sure the hash is signed by right guy
5893 */ 6313 */
5894 » rv = ssl3_ComputeExportRSAKeyHash(modulus, exponent, 6314 » rv = ssl3_ComputeExportRSAKeyHash(sigAndHash.hashAlg, modulus, exponent,
5895 &ss->ssl3.hs.client_random, 6315 &ss->ssl3.hs.client_random,
5896 &ss->ssl3.hs.server_random, 6316 &ss->ssl3.hs.server_random,
5897 &hashes, ss->opt.bypassPKCS11); 6317 &hashes, ss->opt.bypassPKCS11);
5898 if (rv != SECSuccess) { 6318 if (rv != SECSuccess) {
5899 errCode = 6319 errCode =
5900 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); 6320 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
5901 goto alert_loser; 6321 goto alert_loser;
5902 } 6322 }
5903 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature, 6323 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature,
5904 isTLS, ss->pkcs11PinArg); 6324 isTLS, ss->pkcs11PinArg);
(...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after
5957 goto loser; /* malformed. */ 6377 goto loser; /* malformed. */
5958 } 6378 }
5959 if (dh_g.len > dh_p.len || !ssl3_BigIntGreaterThanOne(&dh_g)) 6379 if (dh_g.len > dh_p.len || !ssl3_BigIntGreaterThanOne(&dh_g))
5960 goto alert_loser; 6380 goto alert_loser;
5961 rv = ssl3_ConsumeHandshakeVariable(ss, &dh_Ys, 2, &b, &length); 6381 rv = ssl3_ConsumeHandshakeVariable(ss, &dh_Ys, 2, &b, &length);
5962 if (rv != SECSuccess) { 6382 if (rv != SECSuccess) {
5963 goto loser; /* malformed. */ 6383 goto loser; /* malformed. */
5964 } 6384 }
5965 if (dh_Ys.len > dh_p.len || !ssl3_BigIntGreaterThanOne(&dh_Ys)) 6385 if (dh_Ys.len > dh_p.len || !ssl3_BigIntGreaterThanOne(&dh_Ys))
5966 goto alert_loser; 6386 goto alert_loser;
6387 if (isTLS12) {
6388 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length,
6389 &sigAndHash);
6390 if (rv != SECSuccess) {
6391 goto loser; /* malformed or unsupported. */
6392 }
6393 rv = ssl3_CheckSignatureAndHashAlgorithmConsistency(
6394 &sigAndHash, ss->sec.peerCert);
6395 if (rv != SECSuccess) {
6396 goto loser;
6397 }
6398 }
5967 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length); 6399 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length);
5968 if (rv != SECSuccess) { 6400 if (rv != SECSuccess) {
5969 goto loser; /* malformed. */ 6401 goto loser; /* malformed. */
5970 } 6402 }
5971 if (length != 0) { 6403 if (length != 0) {
5972 if (isTLS) 6404 if (isTLS)
5973 desc = decode_error; 6405 desc = decode_error;
5974 goto alert_loser; /* malformed. */ 6406 goto alert_loser; /* malformed. */
5975 } 6407 }
5976 6408
5977 PRINT_BUF(60, (NULL, "Server DH p", dh_p.data, dh_p.len)); 6409 PRINT_BUF(60, (NULL, "Server DH p", dh_p.data, dh_p.len));
5978 PRINT_BUF(60, (NULL, "Server DH g", dh_g.data, dh_g.len)); 6410 PRINT_BUF(60, (NULL, "Server DH g", dh_g.data, dh_g.len));
5979 PRINT_BUF(60, (NULL, "Server DH Ys", dh_Ys.data, dh_Ys.len)); 6411 PRINT_BUF(60, (NULL, "Server DH Ys", dh_Ys.data, dh_Ys.len));
5980 6412
5981 /* failures after this point are not malformed handshakes. */ 6413 /* failures after this point are not malformed handshakes. */
5982 /* TLS: send decrypt_error if signature failed. */ 6414 /* TLS: send decrypt_error if signature failed. */
5983 desc = isTLS ? decrypt_error : handshake_failure; 6415 desc = isTLS ? decrypt_error : handshake_failure;
5984 6416
5985 /* 6417 /*
5986 * check to make sure the hash is signed by right guy 6418 * check to make sure the hash is signed by right guy
5987 */ 6419 */
5988 » rv = ssl3_ComputeDHKeyHash(dh_p, dh_g, dh_Ys, 6420 » rv = ssl3_ComputeDHKeyHash(sigAndHash.hashAlg, dh_p, dh_g, dh_Ys,
5989 &ss->ssl3.hs.client_random, 6421 &ss->ssl3.hs.client_random,
5990 &ss->ssl3.hs.server_random, 6422 &ss->ssl3.hs.server_random,
5991 &hashes, ss->opt.bypassPKCS11); 6423 &hashes, ss->opt.bypassPKCS11);
5992 if (rv != SECSuccess) { 6424 if (rv != SECSuccess) {
5993 errCode = 6425 errCode =
5994 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); 6426 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
5995 goto alert_loser; 6427 goto alert_loser;
5996 } 6428 }
5997 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature, 6429 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature,
5998 isTLS, ss->pkcs11PinArg); 6430 isTLS, ss->pkcs11PinArg);
(...skipping 856 matching lines...) Expand 10 before | Expand all | Expand 10 after
6855 } 7287 }
6856 7288
6857 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE); 7289 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE);
6858 if (rv != SECSuccess) { 7290 if (rv != SECSuccess) {
6859 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version 7291 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version
6860 : handshake_failure; 7292 : handshake_failure;
6861 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; 7293 errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
6862 goto alert_loser; 7294 goto alert_loser;
6863 } 7295 }
6864 7296
7297 rv = ssl3_InitTLS12HandshakeHash(ss);
7298 if (rv != SECSuccess) {
7299 desc = internal_error;
7300 errCode = PORT_GetError();
7301 goto alert_loser;
7302 }
7303
6865 /* grab the client random data. */ 7304 /* grab the client random data. */
6866 rv = ssl3_ConsumeHandshake( 7305 rv = ssl3_ConsumeHandshake(
6867 ss, &ss->ssl3.hs.client_random, SSL3_RANDOM_LENGTH, &b, &length); 7306 ss, &ss->ssl3.hs.client_random, SSL3_RANDOM_LENGTH, &b, &length);
6868 if (rv != SECSuccess) { 7307 if (rv != SECSuccess) {
6869 goto loser; /* malformed */ 7308 goto loser; /* malformed */
6870 } 7309 }
6871 7310
6872 /* grab the client's SID, if present. */ 7311 /* grab the client's SID, if present. */
6873 rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length); 7312 rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length);
6874 if (rv != SECSuccess) { 7313 if (rv != SECSuccess) {
(...skipping 722 matching lines...) Expand 10 before | Expand all | Expand 10 after
7597 ss->clientHelloVersion = version; 8036 ss->clientHelloVersion = version;
7598 8037
7599 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE); 8038 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE);
7600 if (rv != SECSuccess) { 8039 if (rv != SECSuccess) {
7601 /* send back which ever alert client will understand. */ 8040 /* send back which ever alert client will understand. */
7602 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version : handshak e_failure; 8041 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version : handshak e_failure;
7603 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; 8042 errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
7604 goto alert_loser; 8043 goto alert_loser;
7605 } 8044 }
7606 8045
8046 rv = ssl3_InitTLS12HandshakeHash(ss);
wtc 2013/05/28 17:50:25 I moved this ssl3_InitTLS12HandshakeHash call here
agl 2013/05/28 20:21:13 I can't see any problems.
8047 if (rv != SECSuccess) {
8048 desc = internal_error;
8049 errCode = PORT_GetError();
8050 goto alert_loser;
8051 }
8052
7607 /* if we get a non-zero SID, just ignore it. */ 8053 /* if we get a non-zero SID, just ignore it. */
7608 if (length != 8054 if (length !=
7609 SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length + rand_length) { 8055 SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length + rand_length) {
7610 SSL_DBG(("%d: SSL3[%d]: bad v2 client hello message, len=%d should=%d", 8056 SSL_DBG(("%d: SSL3[%d]: bad v2 client hello message, len=%d should=%d",
7611 SSL_GETPID(), ss->fd, length, 8057 SSL_GETPID(), ss->fd, length,
7612 SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length + 8058 SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length +
7613 rand_length)); 8059 rand_length));
7614 goto loser; /* malformed */ /* alert_loser */ 8060 goto loser; /* malformed */ /* alert_loser */
7615 } 8061 }
7616 8062
(...skipping 227 matching lines...) Expand 10 before | Expand all | Expand 10 after
7844 } 8290 }
7845 } 8291 }
7846 rv = ssl3_SetupPendingCipherSpec(ss); 8292 rv = ssl3_SetupPendingCipherSpec(ss);
7847 if (rv != SECSuccess) { 8293 if (rv != SECSuccess) {
7848 return rv; /* err set by ssl3_SetupPendingCipherSpec */ 8294 return rv; /* err set by ssl3_SetupPendingCipherSpec */
7849 } 8295 }
7850 8296
7851 return SECSuccess; 8297 return SECSuccess;
7852 } 8298 }
7853 8299
8300 /* ssl3_PickSignatureHashAlgorithm selects a hash algorithm to use when signing
8301 * elements of the handshake. (The negotiated cipher suite determines the
8302 * signature algorithm.) Prior to TLS 1.2, the MD5/SHA1 combination is always
8303 * used. With TLS 1.2, a client may advertise its support for signature and
8304 * hash combinations. */
8305 static SECStatus
8306 ssl3_PickSignatureHashAlgorithm(sslSocket *ss,
8307 SSL3SignatureAndHashAlgorithm* out)
8308 {
8309 TLSSignatureAlgorithm sigAlg;
8310 unsigned int i, j;
8311 /* hashPreference expresses our preferences for hash algorithms, most
8312 * preferable first. */
8313 static const PRUint8 hashPreference[] = {
8314 tls_hash_sha256,
8315 tls_hash_sha384,
8316 tls_hash_sha512,
8317 tls_hash_sha224,
wtc 2013/05/28 17:50:25 I added tls_hash_sha224 to this array. (NSS suppor
agl 2013/05/28 20:21:13 Ah, no, just missed it. Thanks!
wtc 2013/05/28 23:22:19 Good. Then my next question is where you think sha
agl 2013/05/28 23:36:36 I think it's either just above or just below SHA-5
8318 tls_hash_sha1,
8319 };
8320
8321 switch (ss->ssl3.hs.kea_def->kea) {
8322 case kea_rsa:
8323 case kea_rsa_export:
8324 case kea_rsa_export_1024:
8325 case kea_dh_rsa:
8326 case kea_dh_rsa_export:
8327 case kea_dhe_rsa:
8328 case kea_dhe_rsa_export:
8329 case kea_rsa_fips:
8330 case kea_ecdh_rsa:
8331 case kea_ecdhe_rsa:
8332 sigAlg = tls_sig_rsa;
8333 break;
8334 case kea_dh_dss:
8335 case kea_dh_dss_export:
8336 case kea_dhe_dss:
8337 case kea_dhe_dss_export:
8338 sigAlg = tls_sig_dsa;
8339 break;
8340 case kea_ecdh_ecdsa:
8341 case kea_ecdhe_ecdsa:
8342 sigAlg = tls_sig_ecdsa;
8343 break;
8344 default:
8345 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
8346 return SECFailure;
8347 }
8348 out->sigAlg = sigAlg;
8349
8350 if (ss->version <= SSL_LIBRARY_VERSION_TLS_1_1) {
8351 /* SEC_OID_UNKNOWN means the MD5/SHA1 combo hash used in TLS 1.1 and
8352 * prior. */
8353 out->hashAlg = SEC_OID_UNKNOWN;
8354 return SECSuccess;
8355 }
8356
8357 if (ss->ssl3.hs.numClientSigAndHash == 0) {
8358 /* If the client didn't provide any signature_algorithms extension then
8359 * we can assume that they support SHA-1:
8360 * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
8361 out->hashAlg = SEC_OID_SHA1;
8362 return SECSuccess;
8363 }
8364
8365 for (i = 0; i < PR_ARRAY_SIZE(hashPreference); i++) {
8366 for (j = 0; j < ss->ssl3.hs.numClientSigAndHash; j++) {
8367 const SSL3SignatureAndHashAlgorithm* sh =
8368 &ss->ssl3.hs.clientSigAndHash[j];
8369 if (sh->sigAlg == sigAlg && sh->hashAlg == hashPreference[i]) {
8370 out->hashAlg = sh->hashAlg;
wtc 2013/05/28 17:50:25 This was: *out = *sh; Since we already assign
8371 return SECSuccess;
8372 }
8373 }
8374 }
8375
8376 PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
8377 return SECFailure;
8378 }
8379
7854 8380
7855 static SECStatus 8381 static SECStatus
7856 ssl3_SendServerKeyExchange(sslSocket *ss) 8382 ssl3_SendServerKeyExchange(sslSocket *ss)
7857 { 8383 {
7858 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; 8384 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def;
7859 SECStatus rv = SECFailure; 8385 SECStatus rv = SECFailure;
7860 int length; 8386 int length;
7861 PRBool isTLS; 8387 PRBool isTLS;
7862 SECItem signed_hash = {siBuffer, NULL, 0}; 8388 SECItem signed_hash = {siBuffer, NULL, 0};
7863 SSL3Hashes hashes; 8389 SSL3Hashes hashes;
7864 SECKEYPublicKey * sdPub; /* public key for step-down */ 8390 SECKEYPublicKey * sdPub; /* public key for step-down */
8391 SSL3SignatureAndHashAlgorithm sigAndHash;
7865 8392
7866 SSL_TRC(3, ("%d: SSL3[%d]: send server_key_exchange handshake", 8393 SSL_TRC(3, ("%d: SSL3[%d]: send server_key_exchange handshake",
7867 SSL_GETPID(), ss->fd)); 8394 SSL_GETPID(), ss->fd));
7868 8395
7869 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 8396 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
7870 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 8397 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
7871 8398
8399 if (ssl3_PickSignatureHashAlgorithm(ss, &sigAndHash) != SECSuccess) {
8400 return SECFailure;
8401 }
8402
7872 switch (kea_def->exchKeyType) { 8403 switch (kea_def->exchKeyType) {
7873 case kt_rsa: 8404 case kt_rsa:
7874 /* Perform SSL Step-Down here. */ 8405 /* Perform SSL Step-Down here. */
7875 sdPub = ss->stepDownKeyPair->pubKey; 8406 sdPub = ss->stepDownKeyPair->pubKey;
7876 PORT_Assert(sdPub != NULL); 8407 PORT_Assert(sdPub != NULL);
7877 if (!sdPub) { 8408 if (!sdPub) {
7878 PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); 8409 PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
7879 return SECFailure; 8410 return SECFailure;
7880 } 8411 }
7881 » rv = ssl3_ComputeExportRSAKeyHash(sdPub->u.rsa.modulus, 8412 » rv = ssl3_ComputeExportRSAKeyHash(sigAndHash.hashAlg,
8413 » » » » » sdPub->u.rsa.modulus,
7882 sdPub->u.rsa.publicExponent, 8414 sdPub->u.rsa.publicExponent,
7883 &ss->ssl3.hs.client_random, 8415 &ss->ssl3.hs.client_random,
7884 &ss->ssl3.hs.server_random, 8416 &ss->ssl3.hs.server_random,
7885 &hashes, ss->opt.bypassPKCS11); 8417 &hashes, ss->opt.bypassPKCS11);
7886 if (rv != SECSuccess) { 8418 if (rv != SECSuccess) {
7887 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); 8419 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
7888 return rv; 8420 return rv;
7889 } 8421 }
7890 8422
7891 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); 8423 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
(...skipping 22 matching lines...) Expand all
7914 goto loser; /* err set by AppendHandshake. */ 8446 goto loser; /* err set by AppendHandshake. */
7915 } 8447 }
7916 8448
7917 rv = ssl3_AppendHandshakeVariable( 8449 rv = ssl3_AppendHandshakeVariable(
7918 ss, sdPub->u.rsa.publicExponent.data, 8450 ss, sdPub->u.rsa.publicExponent.data,
7919 sdPub->u.rsa.publicExponent.len, 2); 8451 sdPub->u.rsa.publicExponent.len, 2);
7920 if (rv != SECSuccess) { 8452 if (rv != SECSuccess) {
7921 goto loser; /* err set by AppendHandshake. */ 8453 goto loser; /* err set by AppendHandshake. */
7922 } 8454 }
7923 8455
8456 if (ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
8457 rv = ssl3_AppendSignatureAndHashAlgorithm(ss, &sigAndHash);
8458 if (rv != SECSuccess) {
8459 goto loser; /* err set by AppendHandshake. */
8460 }
8461 }
8462
7924 rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data, 8463 rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data,
7925 signed_hash.len, 2); 8464 signed_hash.len, 2);
7926 if (rv != SECSuccess) { 8465 if (rv != SECSuccess) {
7927 goto loser; /* err set by AppendHandshake. */ 8466 goto loser; /* err set by AppendHandshake. */
7928 } 8467 }
7929 PORT_Free(signed_hash.data); 8468 PORT_Free(signed_hash.data);
7930 return SECSuccess; 8469 return SECSuccess;
7931 8470
7932 #ifdef NSS_ENABLE_ECC 8471 #ifdef NSS_ENABLE_ECC
7933 case kt_ecdh: { 8472 case kt_ecdh: {
7934 » rv = ssl3_SendECDHServerKeyExchange(ss); 8473 » rv = ssl3_SendECDHServerKeyExchange(ss, &sigAndHash);
wtc 2013/05/28 17:50:25 By passing &sigAndHash to ssl3_SendECDHServerKeyEx
7935 return rv; 8474 return rv;
7936 } 8475 }
7937 #endif /* NSS_ENABLE_ECC */ 8476 #endif /* NSS_ENABLE_ECC */
7938 8477
7939 case kt_dh: 8478 case kt_dh:
7940 case kt_null: 8479 case kt_null:
7941 default: 8480 default:
7942 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); 8481 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
7943 break; 8482 break;
7944 } 8483 }
(...skipping 93 matching lines...) Expand 10 before | Expand all | Expand 10 after
8038 * Caller must hold Handshake and RecvBuf locks. 8577 * Caller must hold Handshake and RecvBuf locks.
8039 */ 8578 */
8040 static SECStatus 8579 static SECStatus
8041 ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length, 8580 ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
8042 SSL3Hashes *hashes) 8581 SSL3Hashes *hashes)
8043 { 8582 {
8044 SECItem signed_hash = {siBuffer, NULL, 0}; 8583 SECItem signed_hash = {siBuffer, NULL, 0};
8045 SECStatus rv; 8584 SECStatus rv;
8046 int errCode = SSL_ERROR_RX_MALFORMED_CERT_VERIFY; 8585 int errCode = SSL_ERROR_RX_MALFORMED_CERT_VERIFY;
8047 SSL3AlertDescription desc = handshake_failure; 8586 SSL3AlertDescription desc = handshake_failure;
8048 PRBool isTLS; 8587 PRBool isTLS, isTLS12;
8588 SSL3SignatureAndHashAlgorithm sigAndHash;
8049 8589
8050 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_verify handshake", 8590 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_verify handshake",
8051 SSL_GETPID(), ss->fd)); 8591 SSL_GETPID(), ss->fd));
8052 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 8592 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
8053 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 8593 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
8054 8594
8595 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
8596 isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
8597
8055 if (ss->ssl3.hs.ws != wait_cert_verify || ss->sec.peerCert == NULL) { 8598 if (ss->ssl3.hs.ws != wait_cert_verify || ss->sec.peerCert == NULL) {
8056 desc = unexpected_message; 8599 desc = unexpected_message;
8057 errCode = SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY; 8600 errCode = SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY;
8058 goto alert_loser; 8601 goto alert_loser;
8059 } 8602 }
8060 8603
8604 if (isTLS12) {
8605 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length,
8606 &sigAndHash);
8607 if (rv != SECSuccess) {
8608 goto loser; /* malformed or unsupported. */
8609 }
8610 rv = ssl3_CheckSignatureAndHashAlgorithmConsistency(
8611 &sigAndHash, ss->sec.peerCert);
8612 if (rv != SECSuccess) {
8613 errCode = PORT_GetError();
8614 desc = decrypt_error;
8615 goto alert_loser;
8616 }
8617
8618 /* We only support CertificateVerify messages that use the handshake
8619 * hash. */
8620 if (sigAndHash.hashAlg != hashes->hashAlg) {
8621 errCode = SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM;
8622 desc = decrypt_error;
8623 goto alert_loser;
wtc 2013/05/28 17:50:25 I think we should send a decrypt_error alert to th
agl 2013/05/28 20:21:13 I think decrypt_error is a reasonable pick in both
wtc 2013/05/28 23:22:19 decrypt_error is the alert used in TLS by the exis
8624 }
8625 }
8626
8061 rv = ssl3_ConsumeHandshakeVariable(ss, &signed_hash, 2, &b, &length); 8627 rv = ssl3_ConsumeHandshakeVariable(ss, &signed_hash, 2, &b, &length);
8062 if (rv != SECSuccess) { 8628 if (rv != SECSuccess) {
8063 goto loser; /* malformed. */ 8629 goto loser; /* malformed. */
8064 } 8630 }
8065 8631
8066 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
8067
8068 /* XXX verify that the key & kea match */ 8632 /* XXX verify that the key & kea match */
8069 rv = ssl3_VerifySignedHashes(hashes, ss->sec.peerCert, &signed_hash, 8633 rv = ssl3_VerifySignedHashes(hashes, ss->sec.peerCert, &signed_hash,
8070 isTLS, ss->pkcs11PinArg); 8634 isTLS, ss->pkcs11PinArg);
8071 if (rv != SECSuccess) { 8635 if (rv != SECSuccess) {
8072 errCode = PORT_GetError(); 8636 errCode = PORT_GetError();
8073 desc = isTLS ? decrypt_error : handshake_failure; 8637 desc = isTLS ? decrypt_error : handshake_failure;
8074 goto alert_loser; 8638 goto alert_loser;
8075 } 8639 }
8076 8640
8077 signed_hash.data = NULL; 8641 signed_hash.data = NULL;
(...skipping 1078 matching lines...) Expand 10 before | Expand all | Expand 10 after
9156 done: 9720 done:
9157 ssl_ReleaseSSL3HandshakeLock(ss); 9721 ssl_ReleaseSSL3HandshakeLock(ss);
9158 ssl_ReleaseRecvBufLock(ss); 9722 ssl_ReleaseRecvBufLock(ss);
9159 9723
9160 return rv; 9724 return rv;
9161 } 9725 }
9162 9726
9163 static SECStatus 9727 static SECStatus
9164 ssl3_ComputeTLSFinished(ssl3CipherSpec *spec, 9728 ssl3_ComputeTLSFinished(ssl3CipherSpec *spec,
9165 PRBool isServer, 9729 PRBool isServer,
9166 const SSL3Finished * hashes, 9730 const SSL3Hashes * hashes,
wtc 2013/05/28 17:50:25 In the original code, SSL3Finished is typedef'ed t
9167 TLSFinished * tlsFinished) 9731 TLSFinished * tlsFinished)
9168 { 9732 {
9169 const char * label; 9733 const char * label;
9170 unsigned int len; 9734 unsigned int len;
9171 SECStatus rv; 9735 SECStatus rv;
9172 9736
9173 label = isServer ? "server finished" : "client finished"; 9737 label = isServer ? "server finished" : "client finished";
9174 len = 15; 9738 len = 15;
9175 9739
9176 rv = ssl3_TLSPRFWithMasterSecret(spec, label, len, hashes->md5, 9740 rv = ssl3_TLSPRFWithMasterSecret(spec, label, len, hashes->u.raw,
9177 » sizeof *hashes, tlsFinished->verify_data, 9741 » hashes->len, tlsFinished->verify_data,
9178 sizeof tlsFinished->verify_data); 9742 sizeof tlsFinished->verify_data);
9179 9743
9180 return rv; 9744 return rv;
9181 } 9745 }
9182 9746
9183 /* The calling function must acquire and release the appropriate 9747 /* The calling function must acquire and release the appropriate
9184 * lock (e.g., ssl_GetSpecReadLock / ssl_ReleaseSpecReadLock for 9748 * lock (e.g., ssl_GetSpecReadLock / ssl_ReleaseSpecReadLock for
9185 * ss->ssl3.crSpec). 9749 * ss->ssl3.crSpec).
9186 */ 9750 */
9187 SECStatus 9751 SECStatus
9188 ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec, const char *label, 9752 ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec, const char *label,
9189 unsigned int labelLen, const unsigned char *val, unsigned int valLen, 9753 unsigned int labelLen, const unsigned char *val, unsigned int valLen,
9190 unsigned char *out, unsigned int outLen) 9754 unsigned char *out, unsigned int outLen)
9191 { 9755 {
9192 SECStatus rv = SECSuccess; 9756 SECStatus rv = SECSuccess;
9193 9757
9194 if (spec->master_secret && !spec->bypassCiphers) { 9758 if (spec->master_secret && !spec->bypassCiphers) {
9195 » SECItem param = {siBuffer, NULL, 0}; 9759 » SECItem param = {siBuffer, NULL, 0};
9196 » PK11Context *prf_context = 9760 » CK_MECHANISM_TYPE mech = CKM_TLS_PRF_GENERAL;
9197 » PK11_CreateContextBySymKey(CKM_TLS_PRF_GENERAL, CKA_SIGN, 9761 » PK11Context *prf_context;
9198 » » » » spec->master_secret, &param);
9199 unsigned int retLen; 9762 unsigned int retLen;
wtc 2013/05/28 17:50:25 This fixes MSVC compilation errors (variables cann
9200 9763
9764 if (spec->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
9765 mech = CKM_NSS_TLS_PRF_GENERAL_SHA256;
9766 }
9767 prf_context = PK11_CreateContextBySymKey(mech, CKA_SIGN,
9768 spec->master_secret, &param);
9201 if (!prf_context) 9769 if (!prf_context)
9202 return SECFailure; 9770 return SECFailure;
9203 9771
9204 rv = PK11_DigestBegin(prf_context); 9772 rv = PK11_DigestBegin(prf_context);
9205 rv |= PK11_DigestOp(prf_context, (unsigned char *) label, labelLen); 9773 rv |= PK11_DigestOp(prf_context, (unsigned char *) label, labelLen);
9206 rv |= PK11_DigestOp(prf_context, val, valLen); 9774 rv |= PK11_DigestOp(prf_context, val, valLen);
9207 rv |= PK11_DigestFinal(prf_context, out, &retLen, outLen); 9775 rv |= PK11_DigestFinal(prf_context, out, &retLen, outLen);
9208 PORT_Assert(rv != SECSuccess || retLen == outLen); 9776 PORT_Assert(rv != SECSuccess || retLen == outLen);
9209 9777
9210 PK11_DestroyContext(prf_context, PR_TRUE); 9778 PK11_DestroyContext(prf_context, PR_TRUE);
(...skipping 191 matching lines...) Expand 10 before | Expand all | Expand 10 after
9402 if (spki->len != sizeof(P256_SPKI_PREFIX) + CHANNEL_ID_PUBLIC_KEY_LENGTH || 9970 if (spki->len != sizeof(P256_SPKI_PREFIX) + CHANNEL_ID_PUBLIC_KEY_LENGTH ||
9403 memcmp(spki->data, P256_SPKI_PREFIX, sizeof(P256_SPKI_PREFIX) != 0)) { 9971 memcmp(spki->data, P256_SPKI_PREFIX, sizeof(P256_SPKI_PREFIX) != 0)) {
9404 PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY); 9972 PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY);
9405 rv = SECFailure; 9973 rv = SECFailure;
9406 goto loser; 9974 goto loser;
9407 } 9975 }
9408 9976
9409 pub_bytes = spki->data + sizeof(P256_SPKI_PREFIX); 9977 pub_bytes = spki->data + sizeof(P256_SPKI_PREFIX);
9410 9978
9411 memcpy(signed_data, CHANNEL_ID_MAGIC, sizeof(CHANNEL_ID_MAGIC)); 9979 memcpy(signed_data, CHANNEL_ID_MAGIC, sizeof(CHANNEL_ID_MAGIC));
9412 memcpy(signed_data + sizeof(CHANNEL_ID_MAGIC), &hashes, sizeof(hashes)); 9980 memcpy(signed_data + sizeof(CHANNEL_ID_MAGIC), hashes.u.raw, hashes.len);
9413 9981
9414 rv = PK11_HashBuf(SEC_OID_SHA256, digest, signed_data, sizeof(signed_data)); 9982 rv = PK11_HashBuf(SEC_OID_SHA256, digest, signed_data,
9983 » » sizeof(CHANNEL_ID_MAGIC) + hashes.len);
wtc 2013/05/28 17:50:25 This updates the TLS Channel ID code for the new S
9415 if (rv != SECSuccess) 9984 if (rv != SECSuccess)
9416 goto loser; 9985 goto loser;
9417 9986
9418 digest_item.data = digest; 9987 digest_item.data = digest;
9419 digest_item.len = sizeof(digest); 9988 digest_item.len = sizeof(digest);
9420 9989
9421 signature_item.data = signature; 9990 signature_item.data = signature;
9422 signature_item.len = sizeof(signature); 9991 signature_item.len = sizeof(signature);
9423 9992
9424 rv = PK11_Sign(ss->ssl3.channelID, &signature_item, &digest_item); 9993 rv = PK11_Sign(ss->ssl3.channelID, &signature_item, &digest_item);
(...skipping 64 matching lines...) Expand 10 before | Expand all | Expand 10 after
9489 * ssl3_HandleFinished 10058 * ssl3_HandleFinished
9490 */ 10059 */
9491 static SECStatus 10060 static SECStatus
9492 ssl3_SendFinished(sslSocket *ss, PRInt32 flags) 10061 ssl3_SendFinished(sslSocket *ss, PRInt32 flags)
9493 { 10062 {
9494 ssl3CipherSpec *cwSpec; 10063 ssl3CipherSpec *cwSpec;
9495 PRBool isTLS; 10064 PRBool isTLS;
9496 PRBool isServer = ss->sec.isServer; 10065 PRBool isServer = ss->sec.isServer;
9497 SECStatus rv; 10066 SECStatus rv;
9498 SSL3Sender sender = isServer ? sender_server : sender_client; 10067 SSL3Sender sender = isServer ? sender_server : sender_client;
9499 SSL3Finished hashes; 10068 SSL3Hashes hashes;
wtc 2013/05/28 17:50:25 This is another case where it is more correct sema
9500 TLSFinished tlsFinished; 10069 TLSFinished tlsFinished;
9501 10070
9502 SSL_TRC(3, ("%d: SSL3[%d]: send finished handshake", SSL_GETPID(), ss->fd)); 10071 SSL_TRC(3, ("%d: SSL3[%d]: send finished handshake", SSL_GETPID(), ss->fd));
9503 10072
9504 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 10073 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
9505 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 10074 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
9506 10075
9507 ssl_GetSpecReadLock(ss); 10076 ssl_GetSpecReadLock(ss);
9508 cwSpec = ss->ssl3.cwSpec; 10077 cwSpec = ss->ssl3.cwSpec;
9509 isTLS = (PRBool)(cwSpec->version > SSL_LIBRARY_VERSION_3_0); 10078 isTLS = (PRBool)(cwSpec->version > SSL_LIBRARY_VERSION_3_0);
(...skipping 13 matching lines...) Expand all
9523 ss->ssl3.hs.finishedMsgs.tFinished[0] = tlsFinished; 10092 ss->ssl3.hs.finishedMsgs.tFinished[0] = tlsFinished;
9524 ss->ssl3.hs.finishedBytes = sizeof tlsFinished; 10093 ss->ssl3.hs.finishedBytes = sizeof tlsFinished;
9525 rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof tlsFinished); 10094 rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof tlsFinished);
9526 if (rv != SECSuccess) 10095 if (rv != SECSuccess)
9527 goto fail; /* err set by AppendHandshake. */ 10096 goto fail; /* err set by AppendHandshake. */
9528 rv = ssl3_AppendHandshake(ss, &tlsFinished, sizeof tlsFinished); 10097 rv = ssl3_AppendHandshake(ss, &tlsFinished, sizeof tlsFinished);
9529 if (rv != SECSuccess) 10098 if (rv != SECSuccess)
9530 goto fail; /* err set by AppendHandshake. */ 10099 goto fail; /* err set by AppendHandshake. */
9531 } else { 10100 } else {
9532 if (isServer) 10101 if (isServer)
9533 » ss->ssl3.hs.finishedMsgs.sFinished[1] = hashes; 10102 » ss->ssl3.hs.finishedMsgs.sFinished[1] = hashes.u.s;
9534 else 10103 else
9535 » ss->ssl3.hs.finishedMsgs.sFinished[0] = hashes; 10104 » ss->ssl3.hs.finishedMsgs.sFinished[0] = hashes.u.s;
9536 » ss->ssl3.hs.finishedBytes = sizeof hashes; 10105 » PORT_Assert(hashes.len == sizeof hashes.u.s);
9537 » rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof hashes); 10106 » ss->ssl3.hs.finishedBytes = sizeof hashes.u.s;
10107 » rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof hashes.u.s);
wtc 2013/05/28 17:50:25 I reverted your change to how |sFinished| is defin
agl 2013/05/28 20:21:13 Is this correct for SSLv3? http://tools.ietf.org/h
wtc 2013/05/28 23:22:19 Yes, this is correct for SSLv3. I also tested it w
agl 2013/05/28 23:36:36 Right, sorry. I'm forgetting my own code.
9538 if (rv != SECSuccess) 10108 if (rv != SECSuccess)
9539 goto fail; /* err set by AppendHandshake. */ 10109 goto fail; /* err set by AppendHandshake. */
9540 » rv = ssl3_AppendHandshake(ss, &hashes, sizeof hashes); 10110 » rv = ssl3_AppendHandshake(ss, &hashes.u.s, sizeof hashes.u.s);
9541 if (rv != SECSuccess) 10111 if (rv != SECSuccess)
9542 goto fail; /* err set by AppendHandshake. */ 10112 goto fail; /* err set by AppendHandshake. */
9543 } 10113 }
9544 rv = ssl3_FlushHandshake(ss, flags); 10114 rv = ssl3_FlushHandshake(ss, flags);
9545 if (rv != SECSuccess) { 10115 if (rv != SECSuccess) {
9546 goto fail; /* error code set by ssl3_FlushHandshake */ 10116 goto fail; /* error code set by ssl3_FlushHandshake */
9547 } 10117 }
9548 10118
9549 ssl3_RecordKeyLog(ss); 10119 ssl3_RecordKeyLog(ss);
9550 10120
(...skipping 128 matching lines...) Expand 10 before | Expand all | Expand 10 after
9679 else 10249 else
9680 ss->ssl3.hs.finishedMsgs.tFinished[0] = tlsFinished; 10250 ss->ssl3.hs.finishedMsgs.tFinished[0] = tlsFinished;
9681 ss->ssl3.hs.finishedBytes = sizeof tlsFinished; 10251 ss->ssl3.hs.finishedBytes = sizeof tlsFinished;
9682 if (rv != SECSuccess || 10252 if (rv != SECSuccess ||
9683 0 != NSS_SecureMemcmp(&tlsFinished, b, length)) { 10253 0 != NSS_SecureMemcmp(&tlsFinished, b, length)) {
9684 (void)SSL3_SendAlert(ss, alert_fatal, decrypt_error); 10254 (void)SSL3_SendAlert(ss, alert_fatal, decrypt_error);
9685 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); 10255 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
9686 return SECFailure; 10256 return SECFailure;
9687 } 10257 }
9688 } else { 10258 } else {
9689 » if (length != sizeof(SSL3Hashes)) { 10259 » if (length != sizeof(SSL3Finished)) {
9690 (void)ssl3_IllegalParameter(ss); 10260 (void)ssl3_IllegalParameter(ss);
9691 PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED); 10261 PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED);
9692 return SECFailure; 10262 return SECFailure;
9693 } 10263 }
9694 10264
9695 if (!isServer) 10265 if (!isServer)
9696 » ss->ssl3.hs.finishedMsgs.sFinished[1] = *hashes; 10266 » ss->ssl3.hs.finishedMsgs.sFinished[1] = hashes->u.s;
9697 else 10267 else
9698 » ss->ssl3.hs.finishedMsgs.sFinished[0] = *hashes; 10268 » ss->ssl3.hs.finishedMsgs.sFinished[0] = hashes->u.s;
9699 » ss->ssl3.hs.finishedBytes = sizeof *hashes; 10269 » PORT_Assert(hashes->len == sizeof hashes->u.s);
9700 » if (0 != NSS_SecureMemcmp(hashes, b, length)) { 10270 » ss->ssl3.hs.finishedBytes = sizeof hashes->u.s;
10271 » if (0 != NSS_SecureMemcmp(&hashes->u.s, b, length)) {
9701 (void)ssl3_HandshakeFailure(ss); 10272 (void)ssl3_HandshakeFailure(ss);
9702 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); 10273 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
9703 return SECFailure; 10274 return SECFailure;
9704 } 10275 }
9705 } 10276 }
9706 10277
9707 ssl_GetXmitBufLock(ss); /*************************************/ 10278 ssl_GetXmitBufLock(ss); /*************************************/
9708 10279
9709 if ((isServer && !ss->ssl3.hs.isResuming) || 10280 if ((isServer && !ss->ssl3.hs.isResuming) ||
9710 (!isServer && ss->ssl3.hs.isResuming)) { 10281 (!isServer && ss->ssl3.hs.isResuming)) {
(...skipping 1568 matching lines...) Expand 10 before | Expand all | Expand 10 after
11279 SHA1_DestroyContext((SHA1Context *)ss->ssl3.hs.sha_cx, PR_FALSE); 11850 SHA1_DestroyContext((SHA1Context *)ss->ssl3.hs.sha_cx, PR_FALSE);
11280 MD5_DestroyContext((MD5Context *)ss->ssl3.hs.md5_cx, PR_FALSE); 11851 MD5_DestroyContext((MD5Context *)ss->ssl3.hs.md5_cx, PR_FALSE);
11281 } 11852 }
11282 #endif 11853 #endif
11283 if (ss->ssl3.hs.md5) { 11854 if (ss->ssl3.hs.md5) {
11284 PK11_DestroyContext(ss->ssl3.hs.md5,PR_TRUE); 11855 PK11_DestroyContext(ss->ssl3.hs.md5,PR_TRUE);
11285 } 11856 }
11286 if (ss->ssl3.hs.sha) { 11857 if (ss->ssl3.hs.sha) {
11287 PK11_DestroyContext(ss->ssl3.hs.sha,PR_TRUE); 11858 PK11_DestroyContext(ss->ssl3.hs.sha,PR_TRUE);
11288 } 11859 }
11860 if (ss->ssl3.hs.tls12_handshake_hash) {
11861 PK11_DestroyContext(ss->ssl3.hs.tls12_handshake_hash,PR_TRUE);
11862 }
11863 if (ss->ssl3.hs.clientSigAndHash) {
11864 PORT_Free(ss->ssl3.hs.clientSigAndHash);
11865 }
11289 if (ss->ssl3.hs.messages.buf) { 11866 if (ss->ssl3.hs.messages.buf) {
11290 PORT_Free(ss->ssl3.hs.messages.buf); 11867 PORT_Free(ss->ssl3.hs.messages.buf);
11291 ss->ssl3.hs.messages.buf = NULL; 11868 ss->ssl3.hs.messages.buf = NULL;
11292 ss->ssl3.hs.messages.len = 0; 11869 ss->ssl3.hs.messages.len = 0;
11293 ss->ssl3.hs.messages.space = 0; 11870 ss->ssl3.hs.messages.space = 0;
11294 } 11871 }
11295 11872
11296 /* free the SSL3Buffer (msg_body) */ 11873 /* free the SSL3Buffer (msg_body) */
11297 PORT_Free(ss->ssl3.hs.msg_body.buf); 11874 PORT_Free(ss->ssl3.hs.msg_body.buf);
11298 11875
11299 /* free up the CipherSpecs */ 11876 /* free up the CipherSpecs */
11300 ssl3_DestroyCipherSpec(&ss->ssl3.specs[0], PR_TRUE/*freeSrvName*/); 11877 ssl3_DestroyCipherSpec(&ss->ssl3.specs[0], PR_TRUE/*freeSrvName*/);
11301 ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/); 11878 ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/);
11302 11879
11303 /* Destroy the DTLS data */ 11880 /* Destroy the DTLS data */
11304 if (IS_DTLS(ss)) { 11881 if (IS_DTLS(ss)) {
11305 dtls_FreeHandshakeMessages(&ss->ssl3.hs.lastMessageFlight); 11882 dtls_FreeHandshakeMessages(&ss->ssl3.hs.lastMessageFlight);
11306 if (ss->ssl3.hs.recvdFragments.buf) { 11883 if (ss->ssl3.hs.recvdFragments.buf) {
11307 PORT_Free(ss->ssl3.hs.recvdFragments.buf); 11884 PORT_Free(ss->ssl3.hs.recvdFragments.buf);
11308 } 11885 }
11309 } 11886 }
11310 11887
11311 ss->ssl3.initialized = PR_FALSE; 11888 ss->ssl3.initialized = PR_FALSE;
11312 11889
11313 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); 11890 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
11314 } 11891 }
11315 11892
11316 /* End of ssl3con.c */ 11893 /* End of ssl3con.c */
OLDNEW
« net/third_party/nss/ssl/SSLerrs.h ('K') | « net/third_party/nss/ssl/SSLerrs.h ('k') | net/third_party/nss/ssl/ssl3ecc.c » ('j') | net/third_party/nss/ssl/ssl3ext.c » ('J')

Powered by Google App Engine
This is Rietveld 408576698