OLD | NEW |
1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ | 1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ |
2 /* | 2 /* |
3 * SSL3 Protocol | 3 * SSL3 Protocol |
4 * | 4 * |
5 * This Source Code Form is subject to the terms of the Mozilla Public | 5 * This Source Code Form is subject to the terms of the Mozilla Public |
6 * License, v. 2.0. If a copy of the MPL was not distributed with this | 6 * License, v. 2.0. If a copy of the MPL was not distributed with this |
7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
8 | 8 |
9 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */ | 9 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */ |
10 | 10 |
11 #define _GNU_SOURCE 1 | 11 #define _GNU_SOURCE 1 |
12 #include "cert.h" | 12 #include "cert.h" |
13 #include "ssl.h" | 13 #include "ssl.h" |
14 #include "cryptohi.h" /* for DSAU_ stuff */ | 14 #include "cryptohi.h" /* for DSAU_ stuff */ |
15 #include "keyhi.h" | 15 #include "keyhi.h" |
16 #include "secder.h" | 16 #include "secder.h" |
17 #include "secitem.h" | 17 #include "secitem.h" |
18 #include "sechash.h" | 18 #include "sechash.h" |
19 | 19 |
20 #include "sslimpl.h" | 20 #include "sslimpl.h" |
21 #include "sslproto.h" | 21 #include "sslproto.h" |
22 #include "sslerr.h" | 22 #include "sslerr.h" |
23 #include "prtime.h" | 23 #include "prtime.h" |
24 #include "prinrval.h" | 24 #include "prinrval.h" |
25 #include "prerror.h" | 25 #include "prerror.h" |
26 #include "pratom.h" | 26 #include "pratom.h" |
27 #include "prthread.h" | 27 #include "prthread.h" |
| 28 #include "nss.h" |
| 29 #include "nssoptions.h" |
28 | 30 |
29 #include "pk11func.h" | 31 #include "pk11func.h" |
30 #include "secmod.h" | 32 #include "secmod.h" |
31 #ifndef NO_PKCS11_BYPASS | 33 #ifndef NO_PKCS11_BYPASS |
32 #include "blapi.h" | 34 #include "blapi.h" |
33 #endif | 35 #endif |
34 | 36 |
35 /* This is a bodge to allow this code to be compiled against older NSS headers | 37 /* This is a bodge to allow this code to be compiled against older NSS headers |
36 * that don't contain the TLS 1.2 changes. */ | 38 * that don't contain the TLS 1.2 changes. */ |
37 #ifndef CKM_NSS_TLS_PRF_GENERAL_SHA256 | 39 #ifndef CKM_NSS_TLS_PRF_GENERAL_SHA256 |
(...skipping 46 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
84 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss); | 86 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss); |
85 static SECStatus ssl3_SendNextProto( sslSocket *ss); | 87 static SECStatus ssl3_SendNextProto( sslSocket *ss); |
86 static SECStatus ssl3_SendEncryptedExtensions(sslSocket *ss); | 88 static SECStatus ssl3_SendEncryptedExtensions(sslSocket *ss); |
87 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags); | 89 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags); |
88 static SECStatus ssl3_SendServerHello( sslSocket *ss); | 90 static SECStatus ssl3_SendServerHello( sslSocket *ss); |
89 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss); | 91 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss); |
90 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss); | 92 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss); |
91 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss, | 93 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss, |
92 const unsigned char *b, | 94 const unsigned char *b, |
93 unsigned int l); | 95 unsigned int l); |
| 96 static SECStatus ssl3_ComputeHandshakeHashes(sslSocket *ss, |
| 97 ssl3CipherSpec *spec, |
| 98 SSL3Hashes *hashes, |
| 99 PRUint32 sender); |
94 static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags); | 100 static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags); |
95 static int ssl3_OIDToTLSHashAlgorithm(SECOidTag oid); | |
96 | 101 |
97 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, | 102 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, |
98 int maxOutputLen, const unsigned char *input, | 103 int maxOutputLen, const unsigned char *input, |
99 int inputLen); | 104 int inputLen); |
100 #ifndef NO_PKCS11_BYPASS | 105 #ifndef NO_PKCS11_BYPASS |
101 static SECStatus ssl3_AESGCMBypass(ssl3KeyMaterial *keys, PRBool doDecrypt, | 106 static SECStatus ssl3_AESGCMBypass(ssl3KeyMaterial *keys, PRBool doDecrypt, |
102 unsigned char *out, int *outlen, int maxout, | 107 unsigned char *out, int *outlen, int maxout, |
103 const unsigned char *in, int inlen, | 108 const unsigned char *in, int inlen, |
104 const unsigned char *additionalData, | 109 const unsigned char *additionalData, |
105 int additionalDataLen); | 110 int additionalDataLen); |
106 #endif | 111 #endif |
107 | 112 |
108 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */ | 113 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */ |
109 #define MIN_SEND_BUF_LENGTH 4000 | 114 #define MIN_SEND_BUF_LENGTH 4000 |
110 | 115 |
111 /* This list of SSL3 cipher suites is sorted in descending order of | 116 /* This list of SSL3 cipher suites is sorted in descending order of |
112 * precedence (desirability). It only includes cipher suites we implement. | 117 * precedence (desirability). It only includes cipher suites we implement. |
113 * This table is modified by SSL3_SetPolicy(). The ordering of cipher suites | 118 * This table is modified by SSL3_SetPolicy(). The ordering of cipher suites |
114 * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c) | 119 * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c) |
115 * | 120 * |
116 * Important: See bug 946147 before enabling, reordering, or adding any cipher | 121 * Important: See bug 946147 before enabling, reordering, or adding any cipher |
117 * suites to this list. | 122 * suites to this list. |
118 */ | 123 */ |
119 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { | 124 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { |
120 /* cipher_suite policy enabled isPresent */ | 125 /* cipher_suite policy enabled isPresent */ |
121 | 126 |
122 #ifndef NSS_DISABLE_ECC | 127 #ifndef NSS_DISABLE_ECC |
123 { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 128 { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
124 { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 129 { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
125 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 130 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
126 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 131 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
127 /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around | 132 /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around |
128 * bug 946147. | 133 * bug 946147. |
129 */ | 134 */ |
130 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 135 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
131 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 136 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
132 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 137 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
133 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 138 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
134 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 139 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
135 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 140 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
136 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 141 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
137 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 142 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
138 { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 143 { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
139 { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 144 { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
140 #endif /* NSS_DISABLE_ECC */ | 145 #endif /* NSS_DISABLE_ECC */ |
141 | 146 |
142 { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, | 147 { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
| 148 { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
143 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, | 149 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
144 { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, | 150 { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
145 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, | 151 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
| 152 { TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
146 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 153 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
147 { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 154 { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
148 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, | 155 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
149 { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, | 156 { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
150 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, | 157 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
| 158 { TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
151 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 159 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
152 { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 160 { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
153 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, | 161 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
154 { TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, | 162 { TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
155 { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 163 { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
156 | 164 |
157 #ifndef NSS_DISABLE_ECC | 165 #ifndef NSS_DISABLE_ECC |
158 { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 166 { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
159 { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 167 { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
160 { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 168 { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
(...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
198 { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 206 { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
199 { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 207 { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
200 { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 208 { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
201 { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 209 { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
202 #endif /* NSS_DISABLE_ECC */ | 210 #endif /* NSS_DISABLE_ECC */ |
203 { TLS_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 211 { TLS_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
204 { TLS_RSA_WITH_NULL_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 212 { TLS_RSA_WITH_NULL_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
205 { TLS_RSA_WITH_NULL_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 213 { TLS_RSA_WITH_NULL_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
206 }; | 214 }; |
207 | 215 |
| 216 static const SSLSignatureAndHashAlg defaultSignatureAlgorithms[] = { |
| 217 {ssl_hash_sha256, ssl_sign_rsa}, |
| 218 {ssl_hash_sha384, ssl_sign_rsa}, |
| 219 {ssl_hash_sha512, ssl_sign_rsa}, |
| 220 {ssl_hash_sha1, ssl_sign_rsa}, |
| 221 #ifndef NSS_DISABLE_ECC |
| 222 {ssl_hash_sha256, ssl_sign_ecdsa}, |
| 223 {ssl_hash_sha384, ssl_sign_ecdsa}, |
| 224 {ssl_hash_sha512, ssl_sign_ecdsa}, |
| 225 {ssl_hash_sha1, ssl_sign_ecdsa}, |
| 226 #endif |
| 227 {ssl_hash_sha256, ssl_sign_dsa}, |
| 228 {ssl_hash_sha1, ssl_sign_dsa} |
| 229 }; |
| 230 PR_STATIC_ASSERT(PR_ARRAY_SIZE(defaultSignatureAlgorithms) <= |
| 231 MAX_SIGNATURE_ALGORITHMS); |
| 232 |
208 /* Verify that SSL_ImplementedCiphers and cipherSuites are in consistent order. | 233 /* Verify that SSL_ImplementedCiphers and cipherSuites are in consistent order. |
209 */ | 234 */ |
210 #ifdef DEBUG | 235 #ifdef DEBUG |
211 void ssl3_CheckCipherSuiteOrderConsistency() | 236 void ssl3_CheckCipherSuiteOrderConsistency() |
212 { | 237 { |
213 unsigned int i; | 238 unsigned int i; |
214 | 239 |
215 /* Note that SSL_ImplementedCiphers has more elements than cipherSuites | 240 /* Note that SSL_ImplementedCiphers has more elements than cipherSuites |
216 * because it SSL_ImplementedCiphers includes SSL 2.0 cipher suites. | 241 * because it SSL_ImplementedCiphers includes SSL 2.0 cipher suites. |
217 */ | 242 */ |
(...skipping 40 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
258 } | 283 } |
259 | 284 |
260 static const /*SSL3ClientCertificateType */ PRUint8 certificate_types [] = { | 285 static const /*SSL3ClientCertificateType */ PRUint8 certificate_types [] = { |
261 ct_RSA_sign, | 286 ct_RSA_sign, |
262 #ifndef NSS_DISABLE_ECC | 287 #ifndef NSS_DISABLE_ECC |
263 ct_ECDSA_sign, | 288 ct_ECDSA_sign, |
264 #endif /* NSS_DISABLE_ECC */ | 289 #endif /* NSS_DISABLE_ECC */ |
265 ct_DSS_sign, | 290 ct_DSS_sign, |
266 }; | 291 }; |
267 | 292 |
268 /* This block is the contents of the supported_signature_algorithms field of | |
269 * our TLS 1.2 CertificateRequest message, in wire format. See | |
270 * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 | |
271 * | |
272 * This block contains only sha256 entries because we only support TLS 1.2 | |
273 * CertificateVerify messages that use the handshake hash. */ | |
274 static const PRUint8 supported_signature_algorithms[] = { | |
275 tls_hash_sha256, tls_sig_rsa, | |
276 #ifndef NSS_DISABLE_ECC | |
277 tls_hash_sha256, tls_sig_ecdsa, | |
278 #endif | |
279 tls_hash_sha256, tls_sig_dsa, | |
280 }; | |
281 | |
282 #define EXPORT_RSA_KEY_LENGTH 64 /* bytes */ | 293 #define EXPORT_RSA_KEY_LENGTH 64 /* bytes */ |
283 | 294 |
284 | 295 |
285 /* This global item is used only in servers. It is is initialized by | 296 /* This global item is used only in servers. It is is initialized by |
286 ** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest(). | 297 ** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest(). |
287 */ | 298 */ |
288 CERTDistNames *ssl3_server_ca_list = NULL; | 299 CERTDistNames *ssl3_server_ca_list = NULL; |
289 static SSL3Statistics ssl3stats; | 300 static SSL3Statistics ssl3stats; |
290 | 301 |
291 /* indexed by SSL3BulkCipher */ | 302 /* indexed by SSL3BulkCipher */ |
(...skipping 23 matching lines...) Expand all Loading... |
315 {cipher_aes_128_gcm, calg_aes_gcm, 16,16, type_aead, 4, 0,16, 8}, | 326 {cipher_aes_128_gcm, calg_aes_gcm, 16,16, type_aead, 4, 0,16, 8}, |
316 {cipher_chacha20, calg_chacha20, 32,32, type_aead, 0, 0,16, 0}, | 327 {cipher_chacha20, calg_chacha20, 32,32, type_aead, 0, 0,16, 0}, |
317 {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, 0, 0}, | 328 {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, 0, 0}, |
318 }; | 329 }; |
319 | 330 |
320 static const ssl3KEADef kea_defs[] = | 331 static const ssl3KEADef kea_defs[] = |
321 { /* indexed by SSL3KeyExchangeAlgorithm */ | 332 { /* indexed by SSL3KeyExchangeAlgorithm */ |
322 /* kea exchKeyType signKeyType is_limited limit tls_keygen epheme
ral */ | 333 /* kea exchKeyType signKeyType is_limited limit tls_keygen epheme
ral */ |
323 {kea_null, kt_null, sign_null, PR_FALSE, 0, PR_FALSE, PR_FALSE}
, | 334 {kea_null, kt_null, sign_null, PR_FALSE, 0, PR_FALSE, PR_FALSE}
, |
324 {kea_rsa, kt_rsa, sign_rsa, PR_FALSE, 0, PR_FALSE, PR_FALSE}
, | 335 {kea_rsa, kt_rsa, sign_rsa, PR_FALSE, 0, PR_FALSE, PR_FALSE}
, |
325 {kea_rsa_export, kt_rsa, sign_rsa, PR_TRUE, 512, PR_FALSE, PR_TRUE}, | 336 {kea_rsa_export, kt_rsa, sign_rsa, PR_TRUE, 512, PR_FALSE, PR_FALSE}
, |
326 {kea_rsa_export_1024,kt_rsa, sign_rsa, PR_TRUE, 1024, PR_FALSE, PR_TRUE}, | 337 {kea_rsa_export_1024,kt_rsa, sign_rsa, PR_TRUE, 1024, PR_FALSE, PR_FALSE}
, |
327 {kea_dh_dss, kt_dh, sign_dsa, PR_FALSE, 0, PR_FALSE, PR_FALSE}
, | 338 {kea_dh_dss, kt_dh, sign_dsa, PR_FALSE, 0, PR_FALSE, PR_FALSE}
, |
328 {kea_dh_dss_export, kt_dh, sign_dsa, PR_TRUE, 512, PR_FALSE, PR_FALSE}
, | 339 {kea_dh_dss_export, kt_dh, sign_dsa, PR_TRUE, 512, PR_FALSE, PR_FALSE}
, |
329 {kea_dh_rsa, kt_dh, sign_rsa, PR_FALSE, 0, PR_FALSE, PR_FALSE}
, | 340 {kea_dh_rsa, kt_dh, sign_rsa, PR_FALSE, 0, PR_FALSE, PR_FALSE}
, |
330 {kea_dh_rsa_export, kt_dh, sign_rsa, PR_TRUE, 512, PR_FALSE, PR_FALSE}
, | 341 {kea_dh_rsa_export, kt_dh, sign_rsa, PR_TRUE, 512, PR_FALSE, PR_FALSE}
, |
331 {kea_dhe_dss, kt_dh, sign_dsa, PR_FALSE, 0, PR_FALSE, PR_TRUE}, | 342 {kea_dhe_dss, kt_dh, sign_dsa, PR_FALSE, 0, PR_FALSE, PR_TRUE}, |
332 {kea_dhe_dss_export, kt_dh, sign_dsa, PR_TRUE, 512, PR_FALSE, PR_TRUE}, | 343 {kea_dhe_dss_export, kt_dh, sign_dsa, PR_TRUE, 512, PR_FALSE, PR_TRUE}, |
333 {kea_dhe_rsa, kt_dh, sign_rsa, PR_FALSE, 0, PR_FALSE, PR_TRUE}, | 344 {kea_dhe_rsa, kt_dh, sign_rsa, PR_FALSE, 0, PR_FALSE, PR_TRUE}, |
334 {kea_dhe_rsa_export, kt_dh, sign_rsa, PR_TRUE, 512, PR_FALSE, PR_TRUE}, | 345 {kea_dhe_rsa_export, kt_dh, sign_rsa, PR_TRUE, 512, PR_FALSE, PR_TRUE}, |
335 {kea_dh_anon, kt_dh, sign_null, PR_FALSE, 0, PR_FALSE, PR_TRUE}, | 346 {kea_dh_anon, kt_dh, sign_null, PR_FALSE, 0, PR_FALSE, PR_TRUE}, |
336 {kea_dh_anon_export, kt_dh, sign_null, PR_TRUE, 512, PR_FALSE, PR_TRUE}, | 347 {kea_dh_anon_export, kt_dh, sign_null, PR_TRUE, 512, PR_FALSE, PR_TRUE}, |
(...skipping 99 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
436 {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips}, | 447 {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips}, |
437 {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips}, | 448 {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips}, |
438 | 449 |
439 {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_
rsa}, | 450 {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_
rsa}, |
440 {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa}, | 451 {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa}, |
441 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ec
dhe_rsa}, | 452 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ec
dhe_rsa}, |
442 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_
ecdhe_ecdsa}, | 453 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_
ecdhe_ecdsa}, |
443 {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, cipher_chacha20, mac_aead, kea_ecdhe_
rsa}, | 454 {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, cipher_chacha20, mac_aead, kea_ecdhe_
rsa}, |
444 {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, cipher_chacha20, mac_aead, kea_ecdh
e_ecdsa}, | 455 {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, cipher_chacha20, mac_aead, kea_ecdh
e_ecdsa}, |
445 | 456 |
| 457 {TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_
dss}, |
| 458 {TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_d
ss}, |
| 459 {TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_d
ss}, |
| 460 |
446 #ifndef NSS_DISABLE_ECC | 461 #ifndef NSS_DISABLE_ECC |
447 {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa}, | 462 {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa}, |
448 {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa}, | 463 {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa}, |
449 {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa}
, | 464 {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa}
, |
450 {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecds
a}, | 465 {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecds
a}, |
451 {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecds
a}, | 466 {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecds
a}, |
452 | 467 |
453 {TLS_ECDHE_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_ecdsa
}, | 468 {TLS_ECDHE_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_ecdsa
}, |
454 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_ecdsa
}, | 469 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_ecdsa
}, |
455 {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecds
a}, | 470 {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecds
a}, |
(...skipping 217 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
673 */ | 688 */ |
674 return vrange->min <= SSL_LIBRARY_VERSION_TLS_1_0; | 689 return vrange->min <= SSL_LIBRARY_VERSION_TLS_1_0; |
675 | 690 |
676 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: | 691 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: |
677 case TLS_RSA_WITH_AES_256_CBC_SHA256: | 692 case TLS_RSA_WITH_AES_256_CBC_SHA256: |
678 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: | 693 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: |
679 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: | 694 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: |
680 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: | 695 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: |
681 case TLS_RSA_WITH_AES_128_CBC_SHA256: | 696 case TLS_RSA_WITH_AES_128_CBC_SHA256: |
682 case TLS_RSA_WITH_AES_128_GCM_SHA256: | 697 case TLS_RSA_WITH_AES_128_GCM_SHA256: |
| 698 case TLS_DHE_DSS_WITH_AES_128_CBC_SHA256: |
| 699 case TLS_DHE_DSS_WITH_AES_256_CBC_SHA256: |
683 case TLS_RSA_WITH_NULL_SHA256: | 700 case TLS_RSA_WITH_NULL_SHA256: |
684 return vrange->max == SSL_LIBRARY_VERSION_TLS_1_2; | 701 return vrange->max == SSL_LIBRARY_VERSION_TLS_1_2; |
685 | 702 |
686 case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305: | 703 case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305: |
687 case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305: | 704 case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305: |
688 case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: | 705 case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: |
689 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: | 706 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: |
690 case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: | 707 case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: |
| 708 case TLS_DHE_DSS_WITH_AES_128_GCM_SHA256: |
691 return vrange->max >= SSL_LIBRARY_VERSION_TLS_1_2; | 709 return vrange->max >= SSL_LIBRARY_VERSION_TLS_1_2; |
692 | 710 |
693 /* RFC 4492: ECC cipher suites need TLS extensions to negotiate curves and | 711 /* RFC 4492: ECC cipher suites need TLS extensions to negotiate curves and |
694 * point formats.*/ | 712 * point formats.*/ |
695 case TLS_ECDH_ECDSA_WITH_NULL_SHA: | 713 case TLS_ECDH_ECDSA_WITH_NULL_SHA: |
696 case TLS_ECDH_ECDSA_WITH_RC4_128_SHA: | 714 case TLS_ECDH_ECDSA_WITH_RC4_128_SHA: |
697 case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA: | 715 case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA: |
698 case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: | 716 case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: |
699 case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: | 717 case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: |
700 case TLS_ECDHE_ECDSA_WITH_NULL_SHA: | 718 case TLS_ECDHE_ECDSA_WITH_NULL_SHA: |
(...skipping 102 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
803 kea_defs[cipher_def->key_exchange_alg].exchKeyType; | 821 kea_defs[cipher_def->key_exchange_alg].exchKeyType; |
804 #ifdef NSS_DISABLE_ECC | 822 #ifdef NSS_DISABLE_ECC |
805 svrAuth = ss->serverCerts + exchKeyType; | 823 svrAuth = ss->serverCerts + exchKeyType; |
806 #else | 824 #else |
807 /* XXX SSLKEAType isn't really a good choice for | 825 /* XXX SSLKEAType isn't really a good choice for |
808 * indexing certificates. It doesn't work for | 826 * indexing certificates. It doesn't work for |
809 * (EC)DHE-* ciphers. Here we use a hack to ensure | 827 * (EC)DHE-* ciphers. Here we use a hack to ensure |
810 * that the server uses an RSA cert for (EC)DHE-RSA. | 828 * that the server uses an RSA cert for (EC)DHE-RSA. |
811 */ | 829 */ |
812 switch (cipher_def->key_exchange_alg) { | 830 switch (cipher_def->key_exchange_alg) { |
| 831 case kea_dhe_dss: |
| 832 svrAuth = ss->serverCerts + ssl_kea_dh; |
| 833 break; |
813 case kea_ecdhe_rsa: | 834 case kea_ecdhe_rsa: |
814 #if NSS_SERVER_DHE_IMPLEMENTED | |
815 /* XXX NSS does not yet implement the server side of _DHE_ | |
816 * cipher suites. Correcting the computation for svrAuth, | |
817 * as the case below does, causes NSS SSL servers to begin to | |
818 * negotiate cipher suites they do not implement. So, until | |
819 * server side _DHE_ is implemented, keep this disabled. | |
820 */ | |
821 case kea_dhe_rsa: | 835 case kea_dhe_rsa: |
822 #endif | |
823 svrAuth = ss->serverCerts + kt_rsa; | 836 svrAuth = ss->serverCerts + kt_rsa; |
824 break; | 837 break; |
825 case kea_ecdh_ecdsa: | 838 case kea_ecdh_ecdsa: |
826 case kea_ecdh_rsa: | 839 case kea_ecdh_rsa: |
827 /* | 840 /* |
828 * XXX We ought to have different indices for | 841 * XXX We ought to have different indices for |
829 * ECDSA- and RSA-signed EC certificates so | 842 * ECDSA- and RSA-signed EC certificates so |
830 * we could support both key exchange mechanisms | 843 * we could support both key exchange mechanisms |
831 * simultaneously. For now, both of them use | 844 * simultaneously. For now, both of them use |
832 * whatever is in the certificate slot for kt_ecdh | 845 * whatever is in the certificate slot for kt_ecdh |
833 */ | 846 */ |
| 847 case kea_dhe_dss_export: |
| 848 case kea_dhe_rsa_export: |
834 default: | 849 default: |
835 svrAuth = ss->serverCerts + exchKeyType; | 850 svrAuth = ss->serverCerts + exchKeyType; |
836 break; | 851 break; |
837 } | 852 } |
838 #endif /* NSS_DISABLE_ECC */ | 853 #endif /* NSS_DISABLE_ECC */ |
839 | 854 |
840 /* Mark the suites that are backed by real tokens, certs and keys */ | 855 /* Mark the suites that are backed by real tokens, certs and keys */ |
841 suite->isPresent = (PRBool) | 856 suite->isPresent = (PRBool) |
842 (((exchKeyType == kt_null) || | 857 (((exchKeyType == kt_null) || |
843 ((!isServer || (svrAuth->serverKeyPair && | 858 ((!isServer || (svrAuth->serverKeyPair && |
(...skipping 16 matching lines...) Expand all Loading... |
860 /* return PR_TRUE if suite matches policy, enabled state and is applicable to | 875 /* return PR_TRUE if suite matches policy, enabled state and is applicable to |
861 * the given version range. */ | 876 * the given version range. */ |
862 /* It would be a REALLY BAD THING (tm) if we ever permitted the use | 877 /* It would be a REALLY BAD THING (tm) if we ever permitted the use |
863 ** of a cipher that was NOT_ALLOWED. So, if this is ever called with | 878 ** of a cipher that was NOT_ALLOWED. So, if this is ever called with |
864 ** policy == SSL_NOT_ALLOWED, report no match. | 879 ** policy == SSL_NOT_ALLOWED, report no match. |
865 */ | 880 */ |
866 /* adjust suite enabled to the availability of a token that can do the | 881 /* adjust suite enabled to the availability of a token that can do the |
867 * cipher suite. */ | 882 * cipher suite. */ |
868 static PRBool | 883 static PRBool |
869 config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled, | 884 config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled, |
870 » const SSLVersionRange *vrange) | 885 » const SSLVersionRange *vrange, const sslSocket *ss) |
871 { | 886 { |
| 887 const ssl3CipherSuiteDef *cipher_def; |
| 888 |
872 PORT_Assert(policy != SSL_NOT_ALLOWED && enabled != PR_FALSE); | 889 PORT_Assert(policy != SSL_NOT_ALLOWED && enabled != PR_FALSE); |
873 if (policy == SSL_NOT_ALLOWED || !enabled) | 890 if (policy == SSL_NOT_ALLOWED || !enabled) |
874 » return PR_FALSE; | 891 » return PR_FALSE; |
| 892 |
| 893 cipher_def = ssl_LookupCipherSuiteDef(suite->cipher_suite); |
| 894 PORT_Assert(cipher_def != NULL); |
| 895 |
| 896 PORT_Assert(ss != NULL); |
| 897 if (ss->sec.isServer && !ss->opt.enableServerDhe && |
| 898 kea_defs[cipher_def->key_exchange_alg].exchKeyType == ssl_kea_dh) |
| 899 » return PR_FALSE; |
| 900 |
875 return (PRBool)(suite->enabled && | 901 return (PRBool)(suite->enabled && |
876 suite->isPresent && | 902 suite->isPresent && |
877 suite->policy != SSL_NOT_ALLOWED && | 903 suite->policy != SSL_NOT_ALLOWED && |
878 suite->policy <= policy && | 904 suite->policy <= policy && |
879 ssl3_CipherSuiteAllowedForVersionRange( | 905 ssl3_CipherSuiteAllowedForVersionRange( |
880 suite->cipher_suite, vrange)); | 906 suite->cipher_suite, vrange)); |
881 } | 907 } |
882 | 908 |
883 /* return number of cipher suites that match policy, enabled state and are | 909 /* return number of cipher suites that match policy, enabled state and are |
884 * applicable for the configured protocol version range. */ | 910 * applicable for the configured protocol version range. */ |
885 /* called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */ | 911 /* called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */ |
886 static int | 912 static int |
887 count_cipher_suites(sslSocket *ss, int policy, PRBool enabled) | 913 count_cipher_suites(sslSocket *ss, int policy, PRBool enabled) |
888 { | 914 { |
889 int i, count = 0; | 915 int i, count = 0; |
890 | 916 |
891 if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) { | 917 if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) { |
892 return 0; | 918 return 0; |
893 } | 919 } |
894 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { | 920 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { |
895 » if (config_match(&ss->cipherSuites[i], policy, enabled, &ss->vrange)) | 921 » if (config_match(&ss->cipherSuites[i], policy, enabled, &ss->vrange, ss)
) |
896 count++; | 922 count++; |
897 } | 923 } |
898 if (count <= 0) { | 924 if (count <= 0) { |
899 PORT_SetError(SSL_ERROR_SSL_DISABLED); | 925 PORT_SetError(SSL_ERROR_SSL_DISABLED); |
900 } | 926 } |
901 return count; | 927 return count; |
902 } | 928 } |
903 | 929 |
904 /* | 930 /* |
905 * Null compression, mac and encryption functions | 931 * Null compression, mac and encryption functions |
(...skipping 71 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
977 | 1003 |
978 buf->data = NULL; | 1004 buf->data = NULL; |
979 | 1005 |
980 switch (key->keyType) { | 1006 switch (key->keyType) { |
981 case rsaKey: | 1007 case rsaKey: |
982 hashItem.data = hash->u.raw; | 1008 hashItem.data = hash->u.raw; |
983 hashItem.len = hash->len; | 1009 hashItem.len = hash->len; |
984 break; | 1010 break; |
985 case dsaKey: | 1011 case dsaKey: |
986 doDerEncode = isTLS; | 1012 doDerEncode = isTLS; |
987 » /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash. | 1013 » /* ssl_hash_none is used to specify the MD5/SHA1 concatenated hash. |
988 * In that case, we use just the SHA1 part. */ | 1014 * In that case, we use just the SHA1 part. */ |
989 » if (hash->hashAlg == SEC_OID_UNKNOWN) { | 1015 » if (hash->hashAlg == ssl_hash_none) { |
990 hashItem.data = hash->u.s.sha; | 1016 hashItem.data = hash->u.s.sha; |
991 hashItem.len = sizeof(hash->u.s.sha); | 1017 hashItem.len = sizeof(hash->u.s.sha); |
992 } else { | 1018 } else { |
993 hashItem.data = hash->u.raw; | 1019 hashItem.data = hash->u.raw; |
994 hashItem.len = hash->len; | 1020 hashItem.len = hash->len; |
995 } | 1021 } |
996 break; | 1022 break; |
997 #ifndef NSS_DISABLE_ECC | 1023 #ifndef NSS_DISABLE_ECC |
998 case ecKey: | 1024 case ecKey: |
999 doDerEncode = PR_TRUE; | 1025 doDerEncode = PR_TRUE; |
1000 » /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash. | 1026 » /* ssl_hash_none is used to specify the MD5/SHA1 concatenated hash. |
1001 * In that case, we use just the SHA1 part. */ | 1027 * In that case, we use just the SHA1 part. */ |
1002 » if (hash->hashAlg == SEC_OID_UNKNOWN) { | 1028 » if (hash->hashAlg == ssl_hash_none) { |
1003 hashItem.data = hash->u.s.sha; | 1029 hashItem.data = hash->u.s.sha; |
1004 hashItem.len = sizeof(hash->u.s.sha); | 1030 hashItem.len = sizeof(hash->u.s.sha); |
1005 } else { | 1031 } else { |
1006 hashItem.data = hash->u.raw; | 1032 hashItem.data = hash->u.raw; |
1007 hashItem.len = hash->len; | 1033 hashItem.len = hash->len; |
1008 } | 1034 } |
1009 break; | 1035 break; |
1010 #endif /* NSS_DISABLE_ECC */ | 1036 #endif /* NSS_DISABLE_ECC */ |
1011 default: | 1037 default: |
1012 PORT_SetError(SEC_ERROR_INVALID_KEY); | 1038 PORT_SetError(SEC_ERROR_INVALID_KEY); |
1013 goto done; | 1039 goto done; |
1014 } | 1040 } |
1015 PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len)); | 1041 PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len)); |
1016 | 1042 |
1017 if (hash->hashAlg == SEC_OID_UNKNOWN) { | 1043 if (hash->hashAlg == ssl_hash_none) { |
1018 signatureLen = PK11_SignatureLen(key); | 1044 signatureLen = PK11_SignatureLen(key); |
1019 if (signatureLen <= 0) { | 1045 if (signatureLen <= 0) { |
1020 PORT_SetError(SEC_ERROR_INVALID_KEY); | 1046 PORT_SetError(SEC_ERROR_INVALID_KEY); |
1021 goto done; | 1047 goto done; |
1022 } | 1048 } |
1023 | 1049 |
1024 buf->len = (unsigned)signatureLen; | 1050 buf->len = (unsigned)signatureLen; |
1025 buf->data = (unsigned char *)PORT_Alloc(signatureLen); | 1051 buf->data = (unsigned char *)PORT_Alloc(signatureLen); |
1026 if (!buf->data) | 1052 if (!buf->data) |
1027 goto done; /* error code was set. */ | 1053 goto done; /* error code was set. */ |
1028 | 1054 |
1029 rv = PK11_Sign(key, buf, &hashItem); | 1055 rv = PK11_Sign(key, buf, &hashItem); |
1030 } else { | 1056 } else { |
1031 » rv = SGN_Digest(key, hash->hashAlg, buf, &hashItem); | 1057 SECOidTag hashOID = ssl3_TLSHashAlgorithmToOID(hash->hashAlg); |
| 1058 rv = SGN_Digest(key, hashOID, buf, &hashItem); |
1032 } | 1059 } |
1033 if (rv != SECSuccess) { | 1060 if (rv != SECSuccess) { |
1034 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE); | 1061 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE); |
1035 } else if (doDerEncode) { | 1062 } else if (doDerEncode) { |
1036 SECItem derSig = {siBuffer, NULL, 0}; | 1063 SECItem derSig = {siBuffer, NULL, 0}; |
1037 | 1064 |
1038 /* This also works for an ECDSA signature */ | 1065 /* This also works for an ECDSA signature */ |
1039 rv = DSAU_EncodeDerSigWithLen(&derSig, buf, buf->len); | 1066 rv = DSAU_EncodeDerSigWithLen(&derSig, buf, buf->len); |
1040 if (rv == SECSuccess) { | 1067 if (rv == SECSuccess) { |
1041 PORT_Free(buf->data); /* discard unencoded signature. */ | 1068 PORT_Free(buf->data); /* discard unencoded signature. */ |
(...skipping 27 matching lines...) Expand all Loading... |
1069 | 1096 |
1070 PRINT_BUF(60, (NULL, "check signed hashes", | 1097 PRINT_BUF(60, (NULL, "check signed hashes", |
1071 buf->data, buf->len)); | 1098 buf->data, buf->len)); |
1072 | 1099 |
1073 key = CERT_ExtractPublicKey(cert); | 1100 key = CERT_ExtractPublicKey(cert); |
1074 if (key == NULL) { | 1101 if (key == NULL) { |
1075 ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); | 1102 ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); |
1076 return SECFailure; | 1103 return SECFailure; |
1077 } | 1104 } |
1078 | 1105 |
1079 hashAlg = hash->hashAlg; | 1106 hashAlg = ssl3_TLSHashAlgorithmToOID(hash->hashAlg); |
1080 switch (key->keyType) { | 1107 switch (key->keyType) { |
1081 case rsaKey: | 1108 case rsaKey: |
1082 encAlg = SEC_OID_PKCS1_RSA_ENCRYPTION; | 1109 encAlg = SEC_OID_PKCS1_RSA_ENCRYPTION; |
1083 hashItem.data = hash->u.raw; | 1110 hashItem.data = hash->u.raw; |
1084 hashItem.len = hash->len; | 1111 hashItem.len = hash->len; |
1085 break; | 1112 break; |
1086 case dsaKey: | 1113 case dsaKey: |
1087 encAlg = SEC_OID_ANSIX9_DSA_SIGNATURE; | 1114 encAlg = SEC_OID_ANSIX9_DSA_SIGNATURE; |
1088 » /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash. | 1115 » /* ssl_hash_none is used to specify the MD5/SHA1 concatenated hash. |
1089 * In that case, we use just the SHA1 part. */ | 1116 * In that case, we use just the SHA1 part. */ |
1090 » if (hash->hashAlg == SEC_OID_UNKNOWN) { | 1117 » if (hash->hashAlg == ssl_hash_none) { |
1091 hashItem.data = hash->u.s.sha; | 1118 hashItem.data = hash->u.s.sha; |
1092 hashItem.len = sizeof(hash->u.s.sha); | 1119 hashItem.len = sizeof(hash->u.s.sha); |
1093 } else { | 1120 } else { |
1094 hashItem.data = hash->u.raw; | 1121 hashItem.data = hash->u.raw; |
1095 hashItem.len = hash->len; | 1122 hashItem.len = hash->len; |
1096 } | 1123 } |
1097 /* Allow DER encoded DSA signatures in SSL 3.0 */ | 1124 /* Allow DER encoded DSA signatures in SSL 3.0 */ |
1098 if (isTLS || buf->len != SECKEY_SignatureLen(key)) { | 1125 if (isTLS || buf->len != SECKEY_SignatureLen(key)) { |
1099 signature = DSAU_DecodeDerSigToLen(buf, SECKEY_SignatureLen(key)); | 1126 signature = DSAU_DecodeDerSigToLen(buf, SECKEY_SignatureLen(key)); |
1100 if (!signature) { | 1127 if (!signature) { |
1101 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); | 1128 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); |
1102 return SECFailure; | 1129 return SECFailure; |
1103 } | 1130 } |
1104 buf = signature; | 1131 buf = signature; |
1105 } | 1132 } |
1106 break; | 1133 break; |
1107 | 1134 |
1108 #ifndef NSS_DISABLE_ECC | 1135 #ifndef NSS_DISABLE_ECC |
1109 case ecKey: | 1136 case ecKey: |
1110 encAlg = SEC_OID_ANSIX962_EC_PUBLIC_KEY; | 1137 encAlg = SEC_OID_ANSIX962_EC_PUBLIC_KEY; |
1111 » /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash. | 1138 » /* ssl_hash_none is used to specify the MD5/SHA1 concatenated hash. |
1112 * In that case, we use just the SHA1 part. | 1139 * In that case, we use just the SHA1 part. |
1113 * ECDSA signatures always encode the integers r and s using ASN.1 | 1140 * ECDSA signatures always encode the integers r and s using ASN.1 |
1114 * (unlike DSA where ASN.1 encoding is used with TLS but not with | 1141 * (unlike DSA where ASN.1 encoding is used with TLS but not with |
1115 * SSL3). So we can use VFY_VerifyDigestDirect for ECDSA. | 1142 * SSL3). So we can use VFY_VerifyDigestDirect for ECDSA. |
1116 */ | 1143 */ |
1117 » if (hash->hashAlg == SEC_OID_UNKNOWN) { | 1144 » if (hash->hashAlg == ssl_hash_none) { |
1118 hashAlg = SEC_OID_SHA1; | 1145 hashAlg = SEC_OID_SHA1; |
1119 hashItem.data = hash->u.s.sha; | 1146 hashItem.data = hash->u.s.sha; |
1120 hashItem.len = sizeof(hash->u.s.sha); | 1147 hashItem.len = sizeof(hash->u.s.sha); |
1121 } else { | 1148 } else { |
1122 hashItem.data = hash->u.raw; | 1149 hashItem.data = hash->u.raw; |
1123 hashItem.len = hash->len; | 1150 hashItem.len = hash->len; |
1124 } | 1151 } |
1125 break; | 1152 break; |
1126 #endif /* NSS_DISABLE_ECC */ | 1153 #endif /* NSS_DISABLE_ECC */ |
1127 | 1154 |
1128 default: | 1155 default: |
1129 SECKEY_DestroyPublicKey(key); | 1156 SECKEY_DestroyPublicKey(key); |
1130 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); | 1157 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); |
1131 return SECFailure; | 1158 return SECFailure; |
1132 } | 1159 } |
1133 | 1160 |
1134 PRINT_BUF(60, (NULL, "hash(es) to be verified", | 1161 PRINT_BUF(60, (NULL, "hash(es) to be verified", |
1135 hashItem.data, hashItem.len)); | 1162 hashItem.data, hashItem.len)); |
1136 | 1163 |
1137 if (hashAlg == SEC_OID_UNKNOWN || key->keyType == dsaKey) { | 1164 if (hashAlg == SEC_OID_UNKNOWN || key->keyType == dsaKey) { |
1138 /* VFY_VerifyDigestDirect requires DSA signatures to be DER-encoded. | 1165 /* VFY_VerifyDigestDirect requires DSA signatures to be DER-encoded. |
1139 * DSA signatures are DER-encoded in TLS but not in SSL3 and the code | 1166 * DSA signatures are DER-encoded in TLS but not in SSL3 and the code |
1140 * above always removes the DER encoding of DSA signatures when | 1167 * above always removes the DER encoding of DSA signatures when |
1141 * present. Thus DSA signatures are always verified with PK11_Verify. | 1168 * present. Thus DSA signatures are always verified with PK11_Verify. |
1142 */ | 1169 */ |
1143 rv = PK11_Verify(key, buf, &hashItem, pwArg); | 1170 rv = PK11_Verify(key, buf, &hashItem, pwArg); |
1144 } else { | 1171 } else { |
1145 » rv = VFY_VerifyDigestDirect(&hashItem, key, buf, encAlg, hashAlg, | 1172 rv = VFY_VerifyDigestDirect(&hashItem, key, buf, encAlg, hashAlg, |
1146 » » » » pwArg); | 1173 pwArg); |
1147 } | 1174 } |
1148 SECKEY_DestroyPublicKey(key); | 1175 SECKEY_DestroyPublicKey(key); |
1149 if (signature) { | 1176 if (signature) { |
1150 SECITEM_FreeItem(signature, PR_TRUE); | 1177 SECITEM_FreeItem(signature, PR_TRUE); |
1151 } | 1178 } |
1152 if (rv != SECSuccess) { | 1179 if (rv != SECSuccess) { |
1153 ssl_MapLowLevelError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); | 1180 ssl_MapLowLevelError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); |
1154 } | 1181 } |
1155 return rv; | 1182 return rv; |
1156 } | 1183 } |
1157 | 1184 |
1158 | 1185 |
1159 /* Caller must set hiLevel error code. */ | 1186 /* Caller must set hiLevel error code. */ |
1160 /* Called from ssl3_ComputeExportRSAKeyHash | 1187 /* Called from ssl3_ComputeExportRSAKeyHash |
1161 * ssl3_ComputeDHKeyHash | 1188 * ssl3_ComputeDHKeyHash |
1162 * which are called from ssl3_HandleServerKeyExchange. | 1189 * which are called from ssl3_HandleServerKeyExchange. |
1163 * | 1190 * |
1164 * hashAlg: either the OID for a hash algorithm or SEC_OID_UNKNOWN to specify | 1191 * hashAlg: ssl_hash_none indicates the pre-1.2, MD5/SHA1 combination hash. |
1165 * the pre-1.2, MD5/SHA1 combination hash. | |
1166 */ | 1192 */ |
1167 SECStatus | 1193 SECStatus |
1168 ssl3_ComputeCommonKeyHash(SECOidTag hashAlg, | 1194 ssl3_ComputeCommonKeyHash(SSLHashType hashAlg, |
1169 » » » PRUint8 * hashBuf, unsigned int bufLen, | 1195 PRUint8 * hashBuf, unsigned int bufLen, |
1170 » » » SSL3Hashes *hashes, PRBool bypassPKCS11) | 1196 SSL3Hashes *hashes, PRBool bypassPKCS11) |
1171 { | 1197 { |
1172 SECStatus rv » » = SECSuccess; | 1198 SECStatus rv; |
| 1199 SECOidTag hashOID; |
1173 | 1200 |
1174 #ifndef NO_PKCS11_BYPASS | 1201 #ifndef NO_PKCS11_BYPASS |
1175 if (bypassPKCS11) { | 1202 if (bypassPKCS11) { |
1176 » if (hashAlg == SEC_OID_UNKNOWN) { | 1203 if (hashAlg == ssl_hash_none) { |
1177 » MD5_HashBuf (hashes->u.s.md5, hashBuf, bufLen); | 1204 MD5_HashBuf (hashes->u.s.md5, hashBuf, bufLen); |
1178 » SHA1_HashBuf(hashes->u.s.sha, hashBuf, bufLen); | 1205 SHA1_HashBuf(hashes->u.s.sha, hashBuf, bufLen); |
1179 » hashes->len = MD5_LENGTH + SHA1_LENGTH; | 1206 hashes->len = MD5_LENGTH + SHA1_LENGTH; |
1180 » } else if (hashAlg == SEC_OID_SHA1) { | 1207 } else if (hashAlg == ssl_hash_sha1) { |
1181 » SHA1_HashBuf(hashes->u.raw, hashBuf, bufLen); | 1208 SHA1_HashBuf(hashes->u.raw, hashBuf, bufLen); |
1182 » hashes->len = SHA1_LENGTH; | 1209 hashes->len = SHA1_LENGTH; |
1183 » } else if (hashAlg == SEC_OID_SHA256) { | 1210 } else if (hashAlg == ssl_hash_sha256) { |
1184 » SHA256_HashBuf(hashes->u.raw, hashBuf, bufLen); | 1211 SHA256_HashBuf(hashes->u.raw, hashBuf, bufLen); |
1185 » hashes->len = SHA256_LENGTH; | 1212 hashes->len = SHA256_LENGTH; |
1186 » } else if (hashAlg == SEC_OID_SHA384) { | 1213 } else if (hashAlg == ssl_hash_sha384) { |
1187 » SHA384_HashBuf(hashes->u.raw, hashBuf, bufLen); | 1214 SHA384_HashBuf(hashes->u.raw, hashBuf, bufLen); |
1188 » hashes->len = SHA384_LENGTH; | 1215 hashes->len = SHA384_LENGTH; |
1189 » } else if (hashAlg == SEC_OID_SHA512) { | 1216 } else if (hashAlg == ssl_hash_sha512) { |
1190 » SHA512_HashBuf(hashes->u.raw, hashBuf, bufLen); | 1217 SHA512_HashBuf(hashes->u.raw, hashBuf, bufLen); |
1191 » hashes->len = SHA512_LENGTH; | 1218 hashes->len = SHA512_LENGTH; |
1192 » } else { | 1219 } else { |
1193 » PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM); | 1220 PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM); |
1194 » return SECFailure; | 1221 return SECFailure; |
1195 » } | 1222 } |
1196 } else | 1223 } else |
1197 #endif | 1224 #endif |
1198 { | 1225 { |
1199 » if (hashAlg == SEC_OID_UNKNOWN) { | 1226 if (hashAlg == ssl_hash_none) { |
1200 » rv = PK11_HashBuf(SEC_OID_MD5, hashes->u.s.md5, hashBuf, bufLen); | 1227 rv = PK11_HashBuf(SEC_OID_MD5, hashes->u.s.md5, hashBuf, bufLen); |
1201 » if (rv != SECSuccess) { | 1228 if (rv != SECSuccess) { |
1202 » » ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); | 1229 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); |
1203 » » rv = SECFailure; | 1230 return rv; |
1204 » » goto done; | 1231 } |
1205 » } | 1232 rv = PK11_HashBuf(SEC_OID_SHA1, hashes->u.s.sha, hashBuf, bufLen); |
1206 | 1233 if (rv != SECSuccess) { |
1207 » rv = PK11_HashBuf(SEC_OID_SHA1, hashes->u.s.sha, hashBuf, bufLen); | 1234 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
1208 » if (rv != SECSuccess) { | 1235 return rv; |
1209 » » ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); | 1236 } |
1210 » » rv = SECFailure; | 1237 hashes->len = MD5_LENGTH + SHA1_LENGTH; |
1211 » } | 1238 } else { |
1212 » hashes->len = MD5_LENGTH + SHA1_LENGTH; | 1239 hashOID = ssl3_TLSHashAlgorithmToOID(hashAlg); |
1213 » } else { | 1240 hashes->len = HASH_ResultLenByOidTag(hashOID); |
1214 » hashes->len = HASH_ResultLenByOidTag(hashAlg); | 1241 if (hashes->len == 0 || hashes->len > sizeof(hashes->u.raw)) { |
1215 » if (hashes->len > sizeof(hashes->u.raw)) { | 1242 ssl_MapLowLevelError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM); |
1216 » » ssl_MapLowLevelError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM); | 1243 return SECFailure; |
1217 » » rv = SECFailure; | 1244 } |
1218 » » goto done; | 1245 rv = PK11_HashBuf(hashOID, hashes->u.raw, hashBuf, bufLen); |
1219 » } | 1246 if (rv != SECSuccess) { |
1220 » rv = PK11_HashBuf(hashAlg, hashes->u.raw, hashBuf, bufLen); | 1247 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); |
1221 » if (rv != SECSuccess) { | 1248 return rv; |
1222 » » ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); | 1249 } |
1223 » » rv = SECFailure; | 1250 } |
1224 » } | |
1225 » } | |
1226 } | 1251 } |
1227 hashes->hashAlg = hashAlg; | 1252 hashes->hashAlg = hashAlg; |
1228 | 1253 return SECSuccess; |
1229 done: | |
1230 return rv; | |
1231 } | 1254 } |
1232 | 1255 |
1233 /* Caller must set hiLevel error code. | 1256 /* Caller must set hiLevel error code. |
1234 ** Called from ssl3_SendServerKeyExchange and | 1257 ** Called from ssl3_SendServerKeyExchange and |
1235 ** ssl3_HandleServerKeyExchange. | 1258 ** ssl3_HandleServerKeyExchange. |
1236 */ | 1259 */ |
1237 static SECStatus | 1260 static SECStatus |
1238 ssl3_ComputeExportRSAKeyHash(SECOidTag hashAlg, | 1261 ssl3_ComputeExportRSAKeyHash(SSLHashType hashAlg, |
1239 » » » SECItem modulus, SECItem publicExponent, | 1262 SECItem modulus, SECItem publicExponent, |
1240 » » » SSL3Random *client_rand, SSL3Random *server_rand, | 1263 SSL3Random *client_rand, SSL3Random *server_rand, |
1241 » » » SSL3Hashes *hashes, PRBool bypassPKCS11) | 1264 SSL3Hashes *hashes, PRBool bypassPKCS11) |
1242 { | 1265 { |
1243 PRUint8 * hashBuf; | 1266 PRUint8 * hashBuf; |
1244 PRUint8 * pBuf; | 1267 PRUint8 * pBuf; |
1245 SECStatus rv = SECSuccess; | 1268 SECStatus rv = SECSuccess; |
1246 unsigned int bufLen; | 1269 unsigned int bufLen; |
1247 PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8]; | 1270 PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8]; |
1248 | 1271 |
1249 bufLen = 2*SSL3_RANDOM_LENGTH + 2 + modulus.len + 2 + publicExponent.len; | 1272 bufLen = 2*SSL3_RANDOM_LENGTH + 2 + modulus.len + 2 + publicExponent.len; |
1250 if (bufLen <= sizeof buf) { | 1273 if (bufLen <= sizeof buf) { |
1251 hashBuf = buf; | 1274 hashBuf = buf; |
(...skipping 17 matching lines...) Expand all Loading... |
1269 pBuf[1] = (PRUint8)(publicExponent.len); | 1292 pBuf[1] = (PRUint8)(publicExponent.len); |
1270 pBuf += 2; | 1293 pBuf += 2; |
1271 memcpy(pBuf, publicExponent.data, publicExponent.len); | 1294 memcpy(pBuf, publicExponent.data, publicExponent.len); |
1272 pBuf += publicExponent.len; | 1295 pBuf += publicExponent.len; |
1273 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen); | 1296 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen); |
1274 | 1297 |
1275 rv = ssl3_ComputeCommonKeyHash(hashAlg, hashBuf, bufLen, hashes, | 1298 rv = ssl3_ComputeCommonKeyHash(hashAlg, hashBuf, bufLen, hashes, |
1276 bypassPKCS11); | 1299 bypassPKCS11); |
1277 | 1300 |
1278 PRINT_BUF(95, (NULL, "RSAkey hash: ", hashBuf, bufLen)); | 1301 PRINT_BUF(95, (NULL, "RSAkey hash: ", hashBuf, bufLen)); |
1279 if (hashAlg == SEC_OID_UNKNOWN) { | 1302 if (hashAlg == ssl_hash_none) { |
1280 PRINT_BUF(95, (NULL, "RSAkey hash: MD5 result", | 1303 PRINT_BUF(95, (NULL, "RSAkey hash: MD5 result", |
1281 hashes->u.s.md5, MD5_LENGTH)); | 1304 hashes->u.s.md5, MD5_LENGTH)); |
1282 PRINT_BUF(95, (NULL, "RSAkey hash: SHA1 result", | 1305 PRINT_BUF(95, (NULL, "RSAkey hash: SHA1 result", |
1283 hashes->u.s.sha, SHA1_LENGTH)); | 1306 hashes->u.s.sha, SHA1_LENGTH)); |
1284 } else { | 1307 } else { |
1285 PRINT_BUF(95, (NULL, "RSAkey hash: result", | 1308 PRINT_BUF(95, (NULL, "RSAkey hash: result", |
1286 hashes->u.raw, hashes->len)); | 1309 hashes->u.raw, hashes->len)); |
1287 } | 1310 } |
1288 | 1311 |
1289 if (hashBuf != buf && hashBuf != NULL) | 1312 if (hashBuf != buf && hashBuf != NULL) |
1290 PORT_Free(hashBuf); | 1313 PORT_Free(hashBuf); |
1291 return rv; | 1314 return rv; |
1292 } | 1315 } |
1293 | 1316 |
1294 /* Caller must set hiLevel error code. */ | 1317 /* Caller must set hiLevel error code. */ |
1295 /* Called from ssl3_HandleServerKeyExchange. */ | 1318 /* Called from ssl3_HandleServerKeyExchange. */ |
1296 static SECStatus | 1319 static SECStatus |
1297 ssl3_ComputeDHKeyHash(SECOidTag hashAlg, | 1320 ssl3_ComputeDHKeyHash(SSLHashType hashAlg, |
1298 » » SECItem dh_p, SECItem dh_g, SECItem dh_Ys, | 1321 SECItem dh_p, SECItem dh_g, SECItem dh_Ys, |
1299 » » SSL3Random *client_rand, SSL3Random *server_rand, | 1322 SSL3Random *client_rand, SSL3Random *server_rand, |
1300 » » SSL3Hashes *hashes, PRBool bypassPKCS11) | 1323 SSL3Hashes *hashes, PRBool bypassPKCS11) |
1301 { | 1324 { |
1302 PRUint8 * hashBuf; | 1325 PRUint8 * hashBuf; |
1303 PRUint8 * pBuf; | 1326 PRUint8 * pBuf; |
1304 SECStatus rv = SECSuccess; | 1327 SECStatus rv = SECSuccess; |
1305 unsigned int bufLen; | 1328 unsigned int bufLen; |
1306 PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8]; | 1329 PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8]; |
1307 | 1330 |
1308 bufLen = 2*SSL3_RANDOM_LENGTH + 2 + dh_p.len + 2 + dh_g.len + 2 + dh_Ys.len; | 1331 bufLen = 2*SSL3_RANDOM_LENGTH + 2 + dh_p.len + 2 + dh_g.len + 2 + dh_Ys.len; |
1309 if (bufLen <= sizeof buf) { | 1332 if (bufLen <= sizeof buf) { |
1310 hashBuf = buf; | 1333 hashBuf = buf; |
(...skipping 22 matching lines...) Expand all Loading... |
1333 pBuf[1] = (PRUint8)(dh_Ys.len); | 1356 pBuf[1] = (PRUint8)(dh_Ys.len); |
1334 pBuf += 2; | 1357 pBuf += 2; |
1335 memcpy(pBuf, dh_Ys.data, dh_Ys.len); | 1358 memcpy(pBuf, dh_Ys.data, dh_Ys.len); |
1336 pBuf += dh_Ys.len; | 1359 pBuf += dh_Ys.len; |
1337 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen); | 1360 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen); |
1338 | 1361 |
1339 rv = ssl3_ComputeCommonKeyHash(hashAlg, hashBuf, bufLen, hashes, | 1362 rv = ssl3_ComputeCommonKeyHash(hashAlg, hashBuf, bufLen, hashes, |
1340 bypassPKCS11); | 1363 bypassPKCS11); |
1341 | 1364 |
1342 PRINT_BUF(95, (NULL, "DHkey hash: ", hashBuf, bufLen)); | 1365 PRINT_BUF(95, (NULL, "DHkey hash: ", hashBuf, bufLen)); |
1343 if (hashAlg == SEC_OID_UNKNOWN) { | 1366 if (hashAlg == ssl_hash_none) { |
1344 PRINT_BUF(95, (NULL, "DHkey hash: MD5 result", | 1367 PRINT_BUF(95, (NULL, "DHkey hash: MD5 result", |
1345 hashes->u.s.md5, MD5_LENGTH)); | 1368 hashes->u.s.md5, MD5_LENGTH)); |
1346 PRINT_BUF(95, (NULL, "DHkey hash: SHA1 result", | 1369 PRINT_BUF(95, (NULL, "DHkey hash: SHA1 result", |
1347 hashes->u.s.sha, SHA1_LENGTH)); | 1370 hashes->u.s.sha, SHA1_LENGTH)); |
1348 } else { | 1371 } else { |
1349 PRINT_BUF(95, (NULL, "DHkey hash: result", | 1372 PRINT_BUF(95, (NULL, "DHkey hash: result", |
1350 hashes->u.raw, hashes->len)); | 1373 hashes->u.raw, hashes->len)); |
1351 } | 1374 } |
1352 | 1375 |
1353 if (hashBuf != buf && hashBuf != NULL) | 1376 if (hashBuf != buf && hashBuf != NULL) |
(...skipping 937 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2291 | 2314 |
2292 /* Complete the initialization of all keys, ciphers, MACs and their contexts | 2315 /* Complete the initialization of all keys, ciphers, MACs and their contexts |
2293 * for the pending Cipher Spec. | 2316 * for the pending Cipher Spec. |
2294 * Called from: ssl3_SendClientKeyExchange (for Full handshake) | 2317 * Called from: ssl3_SendClientKeyExchange (for Full handshake) |
2295 * ssl3_HandleRSAClientKeyExchange (for Full handshake) | 2318 * ssl3_HandleRSAClientKeyExchange (for Full handshake) |
2296 * ssl3_HandleServerHello (for session restart) | 2319 * ssl3_HandleServerHello (for session restart) |
2297 * ssl3_HandleClientHello (for session restart) | 2320 * ssl3_HandleClientHello (for session restart) |
2298 * Sets error code, but caller probably should override to disambiguate. | 2321 * Sets error code, but caller probably should override to disambiguate. |
2299 * NULL pms means re-use old master_secret. | 2322 * NULL pms means re-use old master_secret. |
2300 * | 2323 * |
2301 * This code is common to the bypass and PKCS11 execution paths. | 2324 * This code is common to the bypass and PKCS11 execution paths. For |
| 2325 * the bypass case, pms is NULL. If the old master secret is reused, |
| 2326 * pms is NULL and the master secret is already in either |
| 2327 * pwSpec->msItem.len (the bypass case) or pwSpec->master_secret. |
| 2328 * |
2302 * For the bypass case, pms is NULL. | 2329 * For the bypass case, pms is NULL. |
2303 */ | 2330 */ |
2304 SECStatus | 2331 SECStatus |
2305 ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms) | 2332 ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms) |
2306 { | 2333 { |
2307 ssl3CipherSpec * pwSpec; | 2334 ssl3CipherSpec * pwSpec; |
2308 ssl3CipherSpec * cwSpec; | 2335 ssl3CipherSpec * cwSpec; |
2309 SECStatus rv; | 2336 SECStatus rv; |
2310 | 2337 |
2311 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 2338 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
(...skipping 363 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2675 const SSL3Opaque * pIn, | 2702 const SSL3Opaque * pIn, |
2676 PRUint32 contentLen, | 2703 PRUint32 contentLen, |
2677 sslBuffer * wrBuf) | 2704 sslBuffer * wrBuf) |
2678 { | 2705 { |
2679 const ssl3BulkCipherDef * cipher_def; | 2706 const ssl3BulkCipherDef * cipher_def; |
2680 SECStatus rv; | 2707 SECStatus rv; |
2681 PRUint32 macLen = 0; | 2708 PRUint32 macLen = 0; |
2682 PRUint32 fragLen; | 2709 PRUint32 fragLen; |
2683 PRUint32 p1Len, p2Len, oddLen = 0; | 2710 PRUint32 p1Len, p2Len, oddLen = 0; |
2684 PRUint16 headerLen; | 2711 PRUint16 headerLen; |
2685 int ivLen = 0; | 2712 unsigned int ivLen = 0; |
2686 int cipherBytes = 0; | 2713 int cipherBytes = 0; |
2687 unsigned char pseudoHeader[13]; | 2714 unsigned char pseudoHeader[13]; |
2688 unsigned int pseudoHeaderLen; | 2715 unsigned int pseudoHeaderLen; |
2689 | 2716 |
2690 cipher_def = cwSpec->cipher_def; | 2717 cipher_def = cwSpec->cipher_def; |
2691 headerLen = isDTLS ? DTLS_RECORD_HEADER_LENGTH : SSL3_RECORD_HEADER_LENGTH; | 2718 headerLen = isDTLS ? DTLS_RECORD_HEADER_LENGTH : SSL3_RECORD_HEADER_LENGTH; |
2692 | 2719 |
2693 if (cipher_def->type == type_block && | 2720 if (cipher_def->type == type_block && |
2694 cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { | 2721 cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { |
2695 /* Prepend the per-record explicit IV using technique 2b from | 2722 /* Prepend the per-record explicit IV using technique 2b from |
(...skipping 541 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
3237 * This function returns SECSuccess or SECFailure, never SECWouldBlock. | 3264 * This function returns SECSuccess or SECFailure, never SECWouldBlock. |
3238 * Always set sendBuf.len to 0, even when returning SECFailure. | 3265 * Always set sendBuf.len to 0, even when returning SECFailure. |
3239 * | 3266 * |
3240 * Called from ssl3_FlushHandshake | 3267 * Called from ssl3_FlushHandshake |
3241 */ | 3268 */ |
3242 static SECStatus | 3269 static SECStatus |
3243 ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags) | 3270 ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags) |
3244 { | 3271 { |
3245 static const PRInt32 allowedFlags = ssl_SEND_FLAG_FORCE_INTO_BUFFER | | 3272 static const PRInt32 allowedFlags = ssl_SEND_FLAG_FORCE_INTO_BUFFER | |
3246 ssl_SEND_FLAG_CAP_RECORD_VERSION; | 3273 ssl_SEND_FLAG_CAP_RECORD_VERSION; |
3247 PRInt32 rv = SECSuccess; | 3274 PRInt32 count = -1; |
| 3275 SECStatus rv = SECSuccess; |
3248 | 3276 |
3249 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 3277 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
3250 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); | 3278 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); |
3251 | 3279 |
3252 if (!ss->sec.ci.sendBuf.buf || !ss->sec.ci.sendBuf.len) | 3280 if (!ss->sec.ci.sendBuf.buf || !ss->sec.ci.sendBuf.len) |
3253 return rv; | 3281 return rv; |
3254 | 3282 |
3255 /* only these flags are allowed */ | 3283 /* only these flags are allowed */ |
3256 PORT_Assert(!(flags & ~allowedFlags)); | 3284 PORT_Assert(!(flags & ~allowedFlags)); |
3257 if ((flags & ~allowedFlags) != 0) { | 3285 if ((flags & ~allowedFlags) != 0) { |
3258 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 3286 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
3259 rv = SECFailure; | 3287 rv = SECFailure; |
3260 } else { | 3288 } else { |
3261 » rv = ssl3_SendRecord(ss, 0, content_handshake, ss->sec.ci.sendBuf.buf, | 3289 » count = ssl3_SendRecord(ss, 0, content_handshake, ss->sec.ci.sendBuf.buf
, |
3262 ss->sec.ci.sendBuf.len, flags); | 3290 ss->sec.ci.sendBuf.len, flags); |
3263 } | 3291 } |
3264 if (rv < 0) { | 3292 if (count < 0) { |
3265 int err = PORT_GetError(); | 3293 int err = PORT_GetError(); |
3266 PORT_Assert(err != PR_WOULD_BLOCK_ERROR); | 3294 PORT_Assert(err != PR_WOULD_BLOCK_ERROR); |
3267 if (err == PR_WOULD_BLOCK_ERROR) { | 3295 if (err == PR_WOULD_BLOCK_ERROR) { |
3268 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | 3296 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
3269 } | 3297 } |
3270 } else if (rv < ss->sec.ci.sendBuf.len) { | 3298 rv = SECFailure; |
| 3299 } else if ((unsigned int)count < ss->sec.ci.sendBuf.len) { |
3271 /* short write should never happen */ | 3300 /* short write should never happen */ |
3272 » PORT_Assert(rv >= ss->sec.ci.sendBuf.len); | 3301 » PORT_Assert((unsigned int)count >= ss->sec.ci.sendBuf.len); |
3273 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | 3302 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
3274 rv = SECFailure; | 3303 rv = SECFailure; |
3275 } else { | 3304 } else { |
3276 rv = SECSuccess; | 3305 rv = SECSuccess; |
3277 } | 3306 } |
3278 | 3307 |
3279 /* Whether we succeeded or failed, toss the old handshake data. */ | 3308 /* Whether we succeeded or failed, toss the old handshake data. */ |
3280 ss->sec.ci.sendBuf.len = 0; | 3309 ss->sec.ci.sendBuf.len = 0; |
3281 return rv; | 3310 return rv; |
3282 } | 3311 } |
(...skipping 415 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
3698 /* If we are really through with the old cipher prSpec | 3727 /* If we are really through with the old cipher prSpec |
3699 * (Both the read and write sides have changed) destroy it. | 3728 * (Both the read and write sides have changed) destroy it. |
3700 */ | 3729 */ |
3701 if (ss->ssl3.prSpec == ss->ssl3.pwSpec) { | 3730 if (ss->ssl3.prSpec == ss->ssl3.pwSpec) { |
3702 ssl3_DestroyCipherSpec(ss->ssl3.prSpec, PR_FALSE/*freeSrvName*/); | 3731 ssl3_DestroyCipherSpec(ss->ssl3.prSpec, PR_FALSE/*freeSrvName*/); |
3703 } | 3732 } |
3704 ssl_ReleaseSpecWriteLock(ss); /*************************************/ | 3733 ssl_ReleaseSpecWriteLock(ss); /*************************************/ |
3705 return SECSuccess; | 3734 return SECSuccess; |
3706 } | 3735 } |
3707 | 3736 |
3708 /* This method uses PKCS11 to derive the MS from the PMS, where PMS | 3737 /* This method completes the derivation of the MS from the PMS. |
3709 ** is a PKCS11 symkey. This is used in all cases except the | 3738 ** |
3710 ** "triple bypass" with RSA key exchange. | 3739 ** 1. Derive the MS, if possible, else return an error. |
3711 ** Called from ssl3_InitPendingCipherSpec. prSpec is pwSpec. | 3740 ** |
| 3741 ** 2. Check the version if |pms_version| is non-zero and if wrong, |
| 3742 ** return an error. |
| 3743 ** |
| 3744 ** 3. If |msp| is nonzero, return MS in |*msp|. |
| 3745 |
| 3746 ** Called from: |
| 3747 ** ssl3_ComputeMasterSecretInt |
| 3748 ** tls_ComputeExtendedMasterSecretInt |
3712 */ | 3749 */ |
3713 static SECStatus | 3750 static SECStatus |
3714 ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms) | 3751 ssl3_ComputeMasterSecretFinish(sslSocket *ss, |
| 3752 CK_MECHANISM_TYPE master_derive, |
| 3753 CK_MECHANISM_TYPE key_derive, |
| 3754 CK_VERSION *pms_version, |
| 3755 SECItem *params, CK_FLAGS keyFlags, |
| 3756 PK11SymKey *pms, PK11SymKey **msp) |
| 3757 { |
| 3758 PK11SymKey *ms = NULL; |
| 3759 |
| 3760 ms = PK11_DeriveWithFlags(pms, master_derive, |
| 3761 params, key_derive, |
| 3762 CKA_DERIVE, 0, keyFlags); |
| 3763 if (!ms) { |
| 3764 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); |
| 3765 return SECFailure; |
| 3766 } |
| 3767 |
| 3768 if (pms_version && ss->opt.detectRollBack) { |
| 3769 SSL3ProtocolVersion client_version; |
| 3770 client_version = pms_version->major << 8 | pms_version->minor; |
| 3771 |
| 3772 if (IS_DTLS(ss)) { |
| 3773 client_version = dtls_DTLSVersionToTLSVersion(client_version); |
| 3774 } |
| 3775 |
| 3776 if (client_version != ss->clientHelloVersion) { |
| 3777 /* Destroy MS. Version roll-back detected. */ |
| 3778 PK11_FreeSymKey(ms); |
| 3779 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); |
| 3780 return SECFailure; |
| 3781 } |
| 3782 } |
| 3783 |
| 3784 if (msp) { |
| 3785 *msp = ms; |
| 3786 } else { |
| 3787 PK11_FreeSymKey(ms); |
| 3788 } |
| 3789 |
| 3790 return SECSuccess; |
| 3791 } |
| 3792 |
| 3793 /* Compute the ordinary (pre draft-ietf-tls-session-hash) master |
| 3794 ** secret and return it in |*msp|. |
| 3795 ** |
| 3796 ** Called from: ssl3_ComputeMasterSecret |
| 3797 */ |
| 3798 static SECStatus |
| 3799 ssl3_ComputeMasterSecretInt(sslSocket *ss, PK11SymKey *pms, |
| 3800 PK11SymKey **msp) |
3715 { | 3801 { |
3716 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec; | 3802 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec; |
3717 const ssl3KEADef *kea_def= ss->ssl3.hs.kea_def; | 3803 const ssl3KEADef *kea_def= ss->ssl3.hs.kea_def; |
3718 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random; | 3804 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random; |
3719 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random; | 3805 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random; |
3720 PRBool isTLS = (PRBool)(kea_def->tls_keygen || | 3806 PRBool isTLS = (PRBool)(kea_def->tls_keygen || |
3721 (pwSpec->version > SSL_LIBRARY_VERSION_3_0)); | 3807 (pwSpec->version > SSL_LIBRARY_VERSION_3_0)); |
3722 PRBool isTLS12= | 3808 PRBool isTLS12= |
3723 (PRBool)(isTLS && pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); | 3809 (PRBool)(isTLS && pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); |
3724 /* | 3810 /* |
3725 * Whenever isDH is true, we need to use CKM_TLS_MASTER_KEY_DERIVE_DH | 3811 * Whenever isDH is true, we need to use CKM_TLS_MASTER_KEY_DERIVE_DH |
3726 * which, unlike CKM_TLS_MASTER_KEY_DERIVE, converts arbitrary size | 3812 * which, unlike CKM_TLS_MASTER_KEY_DERIVE, converts arbitrary size |
3727 * data into a 48-byte value. | 3813 * data into a 48-byte value, and does not expect to return the version. |
3728 */ | 3814 */ |
3729 PRBool isDH = (PRBool) ((ss->ssl3.hs.kea_def->exchKeyType == kt_dh) || | 3815 PRBool isDH = (PRBool) ((ss->ssl3.hs.kea_def->exchKeyType == kt_dh) || |
3730 (ss->ssl3.hs.kea_def->exchKeyType == kt_ecdh)); | 3816 (ss->ssl3.hs.kea_def->exchKeyType == kt_ecdh)); |
3731 SECStatus rv = SECFailure; | |
3732 CK_MECHANISM_TYPE master_derive; | 3817 CK_MECHANISM_TYPE master_derive; |
3733 CK_MECHANISM_TYPE key_derive; | 3818 CK_MECHANISM_TYPE key_derive; |
3734 SECItem params; | 3819 SECItem params; |
3735 CK_FLAGS keyFlags; | 3820 CK_FLAGS keyFlags; |
3736 CK_VERSION pms_version; | 3821 CK_VERSION pms_version; |
3737 CK_SSL3_MASTER_KEY_DERIVE_PARAMS master_params; | 3822 CK_VERSION *pms_version_ptr = NULL; |
| 3823 /* master_params may be used as a CK_SSL3_MASTER_KEY_DERIVE_PARAMS */ |
| 3824 CK_TLS12_MASTER_KEY_DERIVE_PARAMS master_params; |
| 3825 unsigned int master_params_len; |
3738 | 3826 |
3739 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | |
3740 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); | |
3741 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); | |
3742 if (isTLS12) { | 3827 if (isTLS12) { |
3743 » if(isDH) master_derive = CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256; | 3828 » if(isDH) master_derive = CKM_TLS12_MASTER_KEY_DERIVE_DH; |
3744 » else master_derive = CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256; | 3829 » else master_derive = CKM_TLS12_MASTER_KEY_DERIVE; |
3745 » key_derive = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256; | 3830 » key_derive = CKM_TLS12_KEY_AND_MAC_DERIVE; |
3746 keyFlags = CKF_SIGN | CKF_VERIFY; | 3831 keyFlags = CKF_SIGN | CKF_VERIFY; |
3747 } else if (isTLS) { | 3832 } else if (isTLS) { |
3748 if(isDH) master_derive = CKM_TLS_MASTER_KEY_DERIVE_DH; | 3833 if(isDH) master_derive = CKM_TLS_MASTER_KEY_DERIVE_DH; |
3749 else master_derive = CKM_TLS_MASTER_KEY_DERIVE; | 3834 else master_derive = CKM_TLS_MASTER_KEY_DERIVE; |
3750 key_derive = CKM_TLS_KEY_AND_MAC_DERIVE; | 3835 key_derive = CKM_TLS_KEY_AND_MAC_DERIVE; |
3751 keyFlags = CKF_SIGN | CKF_VERIFY; | 3836 keyFlags = CKF_SIGN | CKF_VERIFY; |
3752 } else { | 3837 } else { |
3753 if (isDH) master_derive = CKM_SSL3_MASTER_KEY_DERIVE_DH; | 3838 if (isDH) master_derive = CKM_SSL3_MASTER_KEY_DERIVE_DH; |
3754 else master_derive = CKM_SSL3_MASTER_KEY_DERIVE; | 3839 else master_derive = CKM_SSL3_MASTER_KEY_DERIVE; |
3755 key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE; | 3840 key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE; |
3756 keyFlags = 0; | 3841 keyFlags = 0; |
3757 } | 3842 } |
3758 | 3843 |
3759 if (pms || !pwSpec->master_secret) { | 3844 if (!isDH) { |
3760 » if (isDH) { | 3845 pms_version_ptr = &pms_version; |
3761 » master_params.pVersion = NULL; | |
3762 » } else { | |
3763 » master_params.pVersion = &pms_version; | |
3764 » } | |
3765 » master_params.RandomInfo.pClientRandom = cr; | |
3766 » master_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH; | |
3767 » master_params.RandomInfo.pServerRandom = sr; | |
3768 » master_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH; | |
3769 | |
3770 » params.data = (unsigned char *) &master_params; | |
3771 » params.len = sizeof master_params; | |
3772 } | 3846 } |
3773 | 3847 |
3774 if (pms != NULL) { | 3848 master_params.pVersion = pms_version_ptr; |
3775 #if defined(TRACE) | 3849 master_params.RandomInfo.pClientRandom = cr; |
3776 » if (ssl_trace >= 100) { | 3850 master_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH; |
3777 » SECStatus extractRV = PK11_ExtractKeyValue(pms); | 3851 master_params.RandomInfo.pServerRandom = sr; |
3778 » if (extractRV == SECSuccess) { | 3852 master_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH; |
3779 » » SECItem * keyData = PK11_GetKeyData(pms); | 3853 if (isTLS12) { |
3780 » » if (keyData && keyData->data && keyData->len) { | 3854 master_params.prfHashMechanism = CKM_SHA256; |
3781 » » ssl_PrintBuf(ss, "Pre-Master Secret", | 3855 master_params_len = sizeof(CK_TLS12_MASTER_KEY_DERIVE_PARAMS); |
3782 » » » » keyData->data, keyData->len); | 3856 } else { |
3783 » » } | 3857 /* prfHashMechanism is not relevant with this PRF */ |
3784 » } | 3858 master_params_len = sizeof(CK_SSL3_MASTER_KEY_DERIVE_PARAMS); |
3785 » } | 3859 } |
3786 #endif | |
3787 » pwSpec->master_secret = PK11_DeriveWithFlags(pms, master_derive, | |
3788 » » » » ¶ms, key_derive, CKA_DERIVE, 0, keyFlags); | |
3789 » if (!isDH && pwSpec->master_secret && ss->opt.detectRollBack) { | |
3790 » SSL3ProtocolVersion client_version; | |
3791 » client_version = pms_version.major << 8 | pms_version.minor; | |
3792 | 3860 |
3793 » if (IS_DTLS(ss)) { | 3861 params.data = (unsigned char *) &master_params; |
3794 » » client_version = dtls_DTLSVersionToTLSVersion(client_version); | 3862 params.len = master_params_len; |
3795 » } | |
3796 | 3863 |
3797 » if (client_version != ss->clientHelloVersion) { | 3864 return ssl3_ComputeMasterSecretFinish(ss, master_derive, key_derive, |
3798 » » /* Destroy it. Version roll-back detected. */ | 3865 pms_version_ptr, ¶ms, |
3799 » » PK11_FreeSymKey(pwSpec->master_secret); | 3866 keyFlags, pms, msp); |
3800 » » pwSpec->master_secret = NULL; | 3867 } |
3801 » } | |
3802 » } | |
3803 » if (pwSpec->master_secret == NULL) { | |
3804 » /* Generate a faux master secret in the same slot as the old one. */ | |
3805 » PK11SlotInfo * slot = PK11_GetSlotFromKey((PK11SymKey *)pms); | |
3806 » PK11SymKey * fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot); | |
3807 | 3868 |
3808 » PK11_FreeSlot(slot); | 3869 /* Compute the draft-ietf-tls-session-hash master |
3809 » if (fpms != NULL) { | 3870 ** secret and return it in |*msp|. |
3810 » » pwSpec->master_secret = PK11_DeriveWithFlags(fpms, | 3871 ** |
3811 » » » » » master_derive, ¶ms, key_derive, | 3872 ** Called from: ssl3_ComputeMasterSecret |
3812 » » » » » CKA_DERIVE, 0, keyFlags); | 3873 */ |
3813 » » PK11_FreeSymKey(fpms); | 3874 static SECStatus |
3814 » } | 3875 tls_ComputeExtendedMasterSecretInt(sslSocket *ss, PK11SymKey *pms, |
3815 » } | 3876 PK11SymKey **msp) |
| 3877 { |
| 3878 ssl3CipherSpec *pwSpec = ss->ssl3.pwSpec; |
| 3879 CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS extended_master_params; |
| 3880 SSL3Hashes hashes; |
| 3881 /* |
| 3882 * Determine whether to use the DH/ECDH or RSA derivation modes. |
| 3883 */ |
| 3884 /* |
| 3885 * TODO(ekr@rtfm.com): Verify that the slot can handle this key expansion |
| 3886 * mode. Bug 1198298 */ |
| 3887 PRBool isDH = (PRBool) ((ss->ssl3.hs.kea_def->exchKeyType == kt_dh) || |
| 3888 (ss->ssl3.hs.kea_def->exchKeyType == kt_ecdh)); |
| 3889 CK_MECHANISM_TYPE master_derive; |
| 3890 CK_MECHANISM_TYPE key_derive; |
| 3891 SECItem params; |
| 3892 const CK_FLAGS keyFlags = CKF_SIGN | CKF_VERIFY; |
| 3893 CK_VERSION pms_version; |
| 3894 CK_VERSION *pms_version_ptr = NULL; |
| 3895 SECStatus rv; |
| 3896 |
| 3897 rv = ssl3_ComputeHandshakeHashes(ss, pwSpec, &hashes, 0); |
| 3898 if (rv != SECSuccess) { |
| 3899 PORT_Assert(0); /* Should never fail */ |
| 3900 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); |
| 3901 return SECFailure; |
3816 } | 3902 } |
3817 if (pwSpec->master_secret == NULL) { | |
3818 /* Generate a faux master secret from the internal slot. */ | |
3819 PK11SlotInfo * slot = PK11_GetInternalSlot(); | |
3820 PK11SymKey * fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot); | |
3821 | 3903 |
3822 » PK11_FreeSlot(slot); | 3904 if (isDH) { |
3823 » if (fpms != NULL) { | 3905 master_derive = CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH; |
3824 » pwSpec->master_secret = PK11_DeriveWithFlags(fpms, | 3906 } else { |
3825 » » » » » master_derive, ¶ms, key_derive, | 3907 master_derive = CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE; |
3826 » » » » » CKA_DERIVE, 0, keyFlags); | 3908 pms_version_ptr = &pms_version; |
3827 » if (pwSpec->master_secret == NULL) { | |
3828 » » pwSpec->master_secret = fpms; /* use the fpms as the master. */ | |
3829 » » fpms = NULL; | |
3830 » } | |
3831 » } | |
3832 » if (fpms) { | |
3833 » PK11_FreeSymKey(fpms); | |
3834 » } | |
3835 } | 3909 } |
3836 if (pwSpec->master_secret == NULL) { | 3910 |
3837 » ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); | 3911 if (pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2) { |
3838 » return rv; | 3912 /* TLS 1.2 */ |
| 3913 extended_master_params.prfHashMechanism = CKM_SHA256; |
| 3914 key_derive = CKM_TLS12_KEY_AND_MAC_DERIVE; |
| 3915 } else { |
| 3916 /* TLS < 1.2 */ |
| 3917 extended_master_params.prfHashMechanism = CKM_TLS_PRF; |
| 3918 » key_derive = CKM_TLS_KEY_AND_MAC_DERIVE; |
3839 } | 3919 } |
| 3920 |
| 3921 extended_master_params.pVersion = pms_version_ptr; |
| 3922 extended_master_params.pSessionHash = hashes.u.raw; |
| 3923 extended_master_params.ulSessionHashLen = hashes.len; |
| 3924 |
| 3925 params.data = (unsigned char *) &extended_master_params; |
| 3926 params.len = sizeof extended_master_params; |
| 3927 |
| 3928 return ssl3_ComputeMasterSecretFinish(ss, master_derive, key_derive, |
| 3929 pms_version_ptr, ¶ms, |
| 3930 keyFlags, pms, msp); |
| 3931 } |
| 3932 |
| 3933 |
| 3934 /* Wrapper method to compute the master secret and return it in |*msp|. |
| 3935 ** |
| 3936 ** Called from ssl3_ComputeMasterSecret |
| 3937 */ |
| 3938 static SECStatus |
| 3939 ssl3_ComputeMasterSecret(sslSocket *ss, PK11SymKey *pms, |
| 3940 PK11SymKey **msp) |
| 3941 { |
| 3942 PORT_Assert(pms != NULL); |
| 3943 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| 3944 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); |
| 3945 |
| 3946 if (ssl3_ExtensionNegotiated(ss, ssl_extended_master_secret_xtn)) { |
| 3947 return tls_ComputeExtendedMasterSecretInt(ss, pms, msp); |
| 3948 } else { |
| 3949 return ssl3_ComputeMasterSecretInt(ss, pms, msp); |
| 3950 } |
| 3951 } |
| 3952 |
| 3953 /* This method uses PKCS11 to derive the MS from the PMS, where PMS |
| 3954 ** is a PKCS11 symkey. We call ssl3_ComputeMasterSecret to do the |
| 3955 ** computations and then modify the pwSpec->state as a side effect. |
| 3956 ** |
| 3957 ** This is used in all cases except the "triple bypass" with RSA key |
| 3958 ** exchange. |
| 3959 ** |
| 3960 ** Called from ssl3_InitPendingCipherSpec. prSpec is pwSpec. |
| 3961 */ |
| 3962 static SECStatus |
| 3963 ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms) |
| 3964 { |
| 3965 SECStatus rv; |
| 3966 PK11SymKey* ms = NULL; |
| 3967 ssl3CipherSpec *pwSpec = ss->ssl3.pwSpec; |
| 3968 |
| 3969 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| 3970 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); |
| 3971 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); |
| 3972 |
| 3973 if (pms) { |
| 3974 rv = ssl3_ComputeMasterSecret(ss, pms, &ms); |
| 3975 pwSpec->master_secret = ms; |
| 3976 if (rv != SECSuccess) |
| 3977 return rv; |
| 3978 } |
| 3979 |
3840 #ifndef NO_PKCS11_BYPASS | 3980 #ifndef NO_PKCS11_BYPASS |
3841 if (ss->opt.bypassPKCS11) { | 3981 if (ss->opt.bypassPKCS11) { |
3842 SECItem * keydata; | 3982 SECItem * keydata; |
3843 /* In hope of doing a "double bypass", | 3983 /* In hope of doing a "double bypass", |
3844 * need to extract the master secret's value from the key object | 3984 * need to extract the master secret's value from the key object |
3845 * and store it raw in the sslSocket struct. | 3985 * and store it raw in the sslSocket struct. |
3846 */ | 3986 */ |
3847 rv = PK11_ExtractKeyValue(pwSpec->master_secret); | 3987 rv = PK11_ExtractKeyValue(pwSpec->master_secret); |
3848 if (rv != SECSuccess) { | 3988 if (rv != SECSuccess) { |
3849 return rv; | 3989 return rv; |
3850 » } | 3990 } |
3851 /* This returns the address of the secItem inside the key struct, | 3991 /* This returns the address of the secItem inside the key struct, |
3852 * not a copy or a reference. So, there's no need to free it. | 3992 * not a copy or a reference. So, there's no need to free it. |
3853 */ | 3993 */ |
3854 keydata = PK11_GetKeyData(pwSpec->master_secret); | 3994 keydata = PK11_GetKeyData(pwSpec->master_secret); |
3855 if (keydata && keydata->len <= sizeof pwSpec->raw_master_secret) { | 3995 if (keydata && keydata->len <= sizeof pwSpec->raw_master_secret) { |
3856 memcpy(pwSpec->raw_master_secret, keydata->data, keydata->len); | 3996 memcpy(pwSpec->raw_master_secret, keydata->data, keydata->len); |
3857 pwSpec->msItem.data = pwSpec->raw_master_secret; | 3997 pwSpec->msItem.data = pwSpec->raw_master_secret; |
3858 pwSpec->msItem.len = keydata->len; | 3998 pwSpec->msItem.len = keydata->len; |
3859 } else { | 3999 } else { |
3860 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | 4000 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
3861 return SECFailure; | 4001 return SECFailure; |
3862 } | 4002 } |
3863 } | 4003 } |
3864 #endif | 4004 #endif |
| 4005 |
3865 return SECSuccess; | 4006 return SECSuccess; |
3866 } | 4007 } |
3867 | 4008 |
3868 | |
3869 /* | 4009 /* |
3870 * Derive encryption and MAC Keys (and IVs) from master secret | 4010 * Derive encryption and MAC Keys (and IVs) from master secret |
3871 * Sets a useful error code when returning SECFailure. | 4011 * Sets a useful error code when returning SECFailure. |
3872 * | 4012 * |
3873 * Called only from ssl3_InitPendingCipherSpec(), | 4013 * Called only from ssl3_InitPendingCipherSpec(), |
3874 * which in turn is called from | 4014 * which in turn is called from |
3875 * sendRSAClientKeyExchange (for Full handshake) | 4015 * sendRSAClientKeyExchange (for Full handshake) |
3876 * sendDHClientKeyExchange (for Full handshake) | 4016 * sendDHClientKeyExchange (for Full handshake) |
3877 * ssl3_HandleClientKeyExchange (for Full handshake) | 4017 * ssl3_HandleClientKeyExchange (for Full handshake) |
3878 * ssl3_HandleServerHello (for session restart) | 4018 * ssl3_HandleServerHello (for session restart) |
(...skipping 12 matching lines...) Expand all Loading... |
3891 PRBool isTLS = (PRBool)(kea_def->tls_keygen || | 4031 PRBool isTLS = (PRBool)(kea_def->tls_keygen || |
3892 (pwSpec->version > SSL_LIBRARY_VERSION_3_0)); | 4032 (pwSpec->version > SSL_LIBRARY_VERSION_3_0)); |
3893 PRBool isTLS12= | 4033 PRBool isTLS12= |
3894 (PRBool)(isTLS && pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); | 4034 (PRBool)(isTLS && pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); |
3895 /* following variables used in PKCS11 path */ | 4035 /* following variables used in PKCS11 path */ |
3896 const ssl3BulkCipherDef *cipher_def = pwSpec->cipher_def; | 4036 const ssl3BulkCipherDef *cipher_def = pwSpec->cipher_def; |
3897 PK11SlotInfo * slot = NULL; | 4037 PK11SlotInfo * slot = NULL; |
3898 PK11SymKey * symKey = NULL; | 4038 PK11SymKey * symKey = NULL; |
3899 void * pwArg = ss->pkcs11PinArg; | 4039 void * pwArg = ss->pkcs11PinArg; |
3900 int keySize; | 4040 int keySize; |
3901 CK_SSL3_KEY_MAT_PARAMS key_material_params; | 4041 CK_TLS12_KEY_MAT_PARAMS key_material_params; /* may be used as a |
| 4042 » » » » » » * CK_SSL3_KEY_MAT_PARAMS */ |
| 4043 unsigned int key_material_params_len; |
3902 CK_SSL3_KEY_MAT_OUT returnedKeys; | 4044 CK_SSL3_KEY_MAT_OUT returnedKeys; |
3903 CK_MECHANISM_TYPE key_derive; | 4045 CK_MECHANISM_TYPE key_derive; |
3904 CK_MECHANISM_TYPE bulk_mechanism; | 4046 CK_MECHANISM_TYPE bulk_mechanism; |
3905 SSLCipherAlgorithm calg; | 4047 SSLCipherAlgorithm calg; |
3906 SECItem params; | 4048 SECItem params; |
3907 PRBool skipKeysAndIVs = (PRBool)(cipher_def->calg == calg_null); | 4049 PRBool skipKeysAndIVs = (PRBool)(cipher_def->calg == calg_null); |
3908 | 4050 |
3909 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 4051 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
3910 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); | 4052 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); |
3911 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); | 4053 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); |
(...skipping 33 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
3945 key_material_params.ulKeySizeInBits = 0; | 4087 key_material_params.ulKeySizeInBits = 0; |
3946 key_material_params.ulIVSizeInBits = 0; | 4088 key_material_params.ulIVSizeInBits = 0; |
3947 returnedKeys.pIVClient = NULL; | 4089 returnedKeys.pIVClient = NULL; |
3948 returnedKeys.pIVServer = NULL; | 4090 returnedKeys.pIVServer = NULL; |
3949 } | 4091 } |
3950 | 4092 |
3951 calg = cipher_def->calg; | 4093 calg = cipher_def->calg; |
3952 PORT_Assert( alg2Mech[calg].calg == calg); | 4094 PORT_Assert( alg2Mech[calg].calg == calg); |
3953 bulk_mechanism = alg2Mech[calg].cmech; | 4095 bulk_mechanism = alg2Mech[calg].cmech; |
3954 | 4096 |
3955 params.data = (unsigned char *)&key_material_params; | |
3956 params.len = sizeof(key_material_params); | |
3957 | |
3958 if (isTLS12) { | 4097 if (isTLS12) { |
3959 » key_derive = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256; | 4098 » key_derive = CKM_TLS12_KEY_AND_MAC_DERIVE; |
| 4099 » key_material_params.prfHashMechanism = CKM_SHA256; |
| 4100 » key_material_params_len = sizeof(CK_TLS12_KEY_MAT_PARAMS); |
3960 } else if (isTLS) { | 4101 } else if (isTLS) { |
3961 key_derive = CKM_TLS_KEY_AND_MAC_DERIVE; | 4102 key_derive = CKM_TLS_KEY_AND_MAC_DERIVE; |
| 4103 key_material_params_len = sizeof(CK_SSL3_KEY_MAT_PARAMS); |
3962 } else { | 4104 } else { |
3963 key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE; | 4105 key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE; |
| 4106 key_material_params_len = sizeof(CK_SSL3_KEY_MAT_PARAMS); |
3964 } | 4107 } |
3965 | 4108 |
| 4109 params.data = (unsigned char *)&key_material_params; |
| 4110 params.len = key_material_params_len; |
| 4111 |
3966 /* CKM_SSL3_KEY_AND_MAC_DERIVE is defined to set ENCRYPT, DECRYPT, and | 4112 /* CKM_SSL3_KEY_AND_MAC_DERIVE is defined to set ENCRYPT, DECRYPT, and |
3967 * DERIVE by DEFAULT */ | 4113 * DERIVE by DEFAULT */ |
3968 symKey = PK11_Derive(pwSpec->master_secret, key_derive, ¶ms, | 4114 symKey = PK11_Derive(pwSpec->master_secret, key_derive, ¶ms, |
3969 bulk_mechanism, CKA_ENCRYPT, keySize); | 4115 bulk_mechanism, CKA_ENCRYPT, keySize); |
3970 if (!symKey) { | 4116 if (!symKey) { |
3971 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); | 4117 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); |
3972 return SECFailure; | 4118 return SECFailure; |
3973 } | 4119 } |
3974 /* we really should use the actual mac'ing mechanism here, but we | 4120 /* we really should use the actual mac'ing mechanism here, but we |
3975 * don't because these types are used to map keytype anyway and both | 4121 * don't because these types are used to map keytype anyway and both |
(...skipping 290 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
4266 return SECSuccess; | 4412 return SECSuccess; |
4267 } | 4413 } |
4268 | 4414 |
4269 SECStatus | 4415 SECStatus |
4270 ssl3_AppendHandshakeNumber(sslSocket *ss, PRInt32 num, PRInt32 lenSize) | 4416 ssl3_AppendHandshakeNumber(sslSocket *ss, PRInt32 num, PRInt32 lenSize) |
4271 { | 4417 { |
4272 SECStatus rv; | 4418 SECStatus rv; |
4273 PRUint8 b[4]; | 4419 PRUint8 b[4]; |
4274 PRUint8 * p = b; | 4420 PRUint8 * p = b; |
4275 | 4421 |
| 4422 PORT_Assert(lenSize <= 4 && lenSize > 0); |
| 4423 if (lenSize < 4 && num >= (1L << (lenSize * 8))) { |
| 4424 PORT_SetError(SSL_ERROR_TX_RECORD_TOO_LONG); |
| 4425 return SECFailure; |
| 4426 } |
| 4427 |
4276 switch (lenSize) { | 4428 switch (lenSize) { |
4277 case 4: | 4429 case 4: |
4278 *p++ = (num >> 24) & 0xff; | 4430 *p++ = (num >> 24) & 0xff; |
4279 case 3: | 4431 case 3: |
4280 *p++ = (num >> 16) & 0xff; | 4432 *p++ = (num >> 16) & 0xff; |
4281 case 2: | 4433 case 2: |
4282 *p++ = (num >> 8) & 0xff; | 4434 *p++ = (num >> 8) & 0xff; |
4283 case 1: | 4435 case 1: |
4284 *p = num & 0xff; | 4436 *p = num & 0xff; |
4285 } | 4437 } |
(...skipping 72 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
4358 } | 4510 } |
4359 } | 4511 } |
4360 | 4512 |
4361 return rv; /* error code set by AppendHandshake, if applicable. */ | 4513 return rv; /* error code set by AppendHandshake, if applicable. */ |
4362 } | 4514 } |
4363 | 4515 |
4364 /* ssl3_AppendSignatureAndHashAlgorithm appends the serialisation of | 4516 /* ssl3_AppendSignatureAndHashAlgorithm appends the serialisation of |
4365 * |sigAndHash| to the current handshake message. */ | 4517 * |sigAndHash| to the current handshake message. */ |
4366 SECStatus | 4518 SECStatus |
4367 ssl3_AppendSignatureAndHashAlgorithm( | 4519 ssl3_AppendSignatureAndHashAlgorithm( |
4368 » sslSocket *ss, const SSL3SignatureAndHashAlgorithm* sigAndHash) | 4520 sslSocket *ss, const SSLSignatureAndHashAlg* sigAndHash) |
4369 { | 4521 { |
4370 unsigned char serialized[2]; | 4522 PRUint8 serialized[2]; |
4371 | 4523 |
4372 serialized[0] = ssl3_OIDToTLSHashAlgorithm(sigAndHash->hashAlg); | 4524 serialized[0] = (PRUint8)sigAndHash->hashAlg; |
4373 if (serialized[0] == 0) { | 4525 serialized[1] = (PRUint8)sigAndHash->sigAlg; |
4374 » PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM); | |
4375 » return SECFailure; | |
4376 } | |
4377 | |
4378 serialized[1] = sigAndHash->sigAlg; | |
4379 | 4526 |
4380 return ssl3_AppendHandshake(ss, serialized, sizeof(serialized)); | 4527 return ssl3_AppendHandshake(ss, serialized, sizeof(serialized)); |
4381 } | 4528 } |
4382 | 4529 |
4383 /************************************************************************** | 4530 /************************************************************************** |
4384 * Consume Handshake functions. | 4531 * Consume Handshake functions. |
4385 * | 4532 * |
4386 * All data used in these functions is protected by two locks, | 4533 * All data used in these functions is protected by two locks, |
4387 * the RecvBufLock and the SSL3HandshakeLock | 4534 * the RecvBufLock and the SSL3HandshakeLock |
4388 **************************************************************************/ | 4535 **************************************************************************/ |
(...skipping 74 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
4463 */ | 4610 */ |
4464 SECStatus | 4611 SECStatus |
4465 ssl3_ConsumeHandshakeVariable(sslSocket *ss, SECItem *i, PRInt32 bytes, | 4612 ssl3_ConsumeHandshakeVariable(sslSocket *ss, SECItem *i, PRInt32 bytes, |
4466 SSL3Opaque **b, PRUint32 *length) | 4613 SSL3Opaque **b, PRUint32 *length) |
4467 { | 4614 { |
4468 PRInt32 count; | 4615 PRInt32 count; |
4469 | 4616 |
4470 PORT_Assert(bytes <= 3); | 4617 PORT_Assert(bytes <= 3); |
4471 i->len = 0; | 4618 i->len = 0; |
4472 i->data = NULL; | 4619 i->data = NULL; |
| 4620 i->type = siBuffer; |
4473 count = ssl3_ConsumeHandshakeNumber(ss, bytes, b, length); | 4621 count = ssl3_ConsumeHandshakeNumber(ss, bytes, b, length); |
4474 if (count < 0) { /* Can't test for SECSuccess here. */ | 4622 if (count < 0) { /* Can't test for SECSuccess here. */ |
4475 return SECFailure; | 4623 return SECFailure; |
4476 } | 4624 } |
4477 if (count > 0) { | 4625 if (count > 0) { |
4478 if ((PRUint32)count > *length) { | 4626 if ((PRUint32)count > *length) { |
4479 return ssl3_DecodeError(ss); | 4627 return ssl3_DecodeError(ss); |
4480 } | 4628 } |
4481 i->data = *b; | 4629 i->data = *b; |
4482 i->len = count; | 4630 i->len = count; |
4483 *b += count; | 4631 *b += count; |
4484 *length -= count; | 4632 *length -= count; |
4485 } | 4633 } |
4486 return SECSuccess; | 4634 return SECSuccess; |
4487 } | 4635 } |
4488 | 4636 |
4489 /* tlsHashOIDMap contains the mapping between TLS hash identifiers and the | 4637 /* tlsHashOIDMap contains the mapping between TLS hash identifiers and the |
4490 * SECOidTag used internally by NSS. */ | 4638 * SECOidTag used internally by NSS. */ |
4491 static const struct { | 4639 static const struct { |
4492 int tlsHash; | 4640 SSLHashType tlsHash; |
4493 SECOidTag oid; | 4641 SECOidTag oid; |
4494 } tlsHashOIDMap[] = { | 4642 } tlsHashOIDMap[] = { |
4495 { tls_hash_md5, SEC_OID_MD5 }, | 4643 { ssl_hash_sha1, SEC_OID_SHA1 }, |
4496 { tls_hash_sha1, SEC_OID_SHA1 }, | 4644 { ssl_hash_sha256, SEC_OID_SHA256 }, |
4497 { tls_hash_sha224, SEC_OID_SHA224 }, | 4645 { ssl_hash_sha384, SEC_OID_SHA384 }, |
4498 { tls_hash_sha256, SEC_OID_SHA256 }, | 4646 { ssl_hash_sha512, SEC_OID_SHA512 } |
4499 { tls_hash_sha384, SEC_OID_SHA384 }, | |
4500 { tls_hash_sha512, SEC_OID_SHA512 } | |
4501 }; | 4647 }; |
4502 | 4648 |
4503 /* ssl3_TLSHashAlgorithmToOID converts a TLS hash identifier into an OID value. | 4649 /* ssl3_TLSHashAlgorithmToOID converts a TLS hash identifier into an OID value. |
4504 * If the hash is not recognised, SEC_OID_UNKNOWN is returned. | 4650 * If the hash is not recognised, SEC_OID_UNKNOWN is returned. |
4505 * | 4651 * |
4506 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ | 4652 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ |
4507 SECOidTag | 4653 SECOidTag |
4508 ssl3_TLSHashAlgorithmToOID(int hashFunc) | 4654 ssl3_TLSHashAlgorithmToOID(SSLHashType hashFunc) |
4509 { | 4655 { |
4510 unsigned int i; | 4656 unsigned int i; |
4511 | 4657 |
4512 for (i = 0; i < PR_ARRAY_SIZE(tlsHashOIDMap); i++) { | 4658 for (i = 0; i < PR_ARRAY_SIZE(tlsHashOIDMap); i++) { |
4513 if (hashFunc == tlsHashOIDMap[i].tlsHash) { | 4659 if (hashFunc == tlsHashOIDMap[i].tlsHash) { |
4514 return tlsHashOIDMap[i].oid; | 4660 return tlsHashOIDMap[i].oid; |
4515 } | 4661 } |
4516 } | 4662 } |
4517 return SEC_OID_UNKNOWN; | 4663 return SEC_OID_UNKNOWN; |
4518 } | 4664 } |
4519 | 4665 |
4520 /* ssl3_OIDToTLSHashAlgorithm converts an OID to a TLS hash algorithm | |
4521 * identifier. If the hash is not recognised, zero is returned. | |
4522 * | |
4523 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ | |
4524 static int | |
4525 ssl3_OIDToTLSHashAlgorithm(SECOidTag oid) | |
4526 { | |
4527 unsigned int i; | |
4528 | |
4529 for (i = 0; i < PR_ARRAY_SIZE(tlsHashOIDMap); i++) { | |
4530 if (oid == tlsHashOIDMap[i].oid) { | |
4531 return tlsHashOIDMap[i].tlsHash; | |
4532 } | |
4533 } | |
4534 return 0; | |
4535 } | |
4536 | |
4537 /* ssl3_TLSSignatureAlgorithmForKeyType returns the TLS 1.2 signature algorithm | 4666 /* ssl3_TLSSignatureAlgorithmForKeyType returns the TLS 1.2 signature algorithm |
4538 * identifier for a given KeyType. */ | 4667 * identifier for a given KeyType. */ |
4539 static SECStatus | 4668 static SECStatus |
4540 ssl3_TLSSignatureAlgorithmForKeyType(KeyType keyType, | 4669 ssl3_TLSSignatureAlgorithmForKeyType(KeyType keyType, SSLSignType *out) |
4541 » » » » TLSSignatureAlgorithm *out) | |
4542 { | 4670 { |
4543 switch (keyType) { | 4671 switch (keyType) { |
4544 case rsaKey: | 4672 case rsaKey: |
4545 » *out = tls_sig_rsa; | 4673 *out = ssl_sign_rsa; |
4546 » return SECSuccess; | 4674 return SECSuccess; |
4547 case dsaKey: | 4675 case dsaKey: |
4548 » *out = tls_sig_dsa; | 4676 *out = ssl_sign_dsa; |
4549 » return SECSuccess; | 4677 return SECSuccess; |
4550 case ecKey: | 4678 case ecKey: |
4551 » *out = tls_sig_ecdsa; | 4679 *out = ssl_sign_ecdsa; |
4552 » return SECSuccess; | 4680 return SECSuccess; |
4553 default: | 4681 default: |
4554 » PORT_SetError(SEC_ERROR_INVALID_KEY); | 4682 PORT_SetError(SEC_ERROR_INVALID_KEY); |
4555 » return SECFailure; | 4683 return SECFailure; |
4556 } | 4684 } |
4557 } | 4685 } |
4558 | 4686 |
4559 /* ssl3_TLSSignatureAlgorithmForCertificate returns the TLS 1.2 signature | 4687 /* ssl3_TLSSignatureAlgorithmForCertificate returns the TLS 1.2 signature |
4560 * algorithm identifier for the given certificate. */ | 4688 * algorithm identifier for the given certificate. */ |
4561 static SECStatus | 4689 static SECStatus |
4562 ssl3_TLSSignatureAlgorithmForCertificate(CERTCertificate *cert, | 4690 ssl3_TLSSignatureAlgorithmForCertificate(CERTCertificate *cert, |
4563 » » » » » TLSSignatureAlgorithm *out) | 4691 SSLSignType *out) |
4564 { | 4692 { |
4565 SECKEYPublicKey *key; | 4693 SECKEYPublicKey *key; |
4566 KeyType keyType; | 4694 KeyType keyType; |
4567 | 4695 |
4568 key = CERT_ExtractPublicKey(cert); | 4696 key = CERT_ExtractPublicKey(cert); |
4569 if (key == NULL) { | 4697 if (key == NULL) { |
4570 » ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); | 4698 ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); |
4571 » return SECFailure; | 4699 return SECFailure; |
4572 } | 4700 } |
4573 | 4701 |
4574 keyType = key->keyType; | 4702 keyType = key->keyType; |
4575 SECKEY_DestroyPublicKey(key); | 4703 SECKEY_DestroyPublicKey(key); |
4576 return ssl3_TLSSignatureAlgorithmForKeyType(keyType, out); | 4704 return ssl3_TLSSignatureAlgorithmForKeyType(keyType, out); |
4577 } | 4705 } |
4578 | 4706 |
4579 /* ssl3_CheckSignatureAndHashAlgorithmConsistency checks that the signature | 4707 /* ssl3_CheckSignatureAndHashAlgorithmConsistency checks that the signature |
4580 * algorithm identifier in |sigAndHash| is consistent with the public key in | 4708 * algorithm identifier in |sigAndHash| is consistent with the public key in |
4581 * |cert|. If so, SECSuccess is returned. Otherwise, PORT_SetError is called | 4709 * |cert|. It also checks the hash algorithm against the configured signature |
4582 * and SECFailure is returned. */ | 4710 * algorithms. If all the tests pass, SECSuccess is returned. Otherwise, |
| 4711 * PORT_SetError is called and SECFailure is returned. */ |
4583 SECStatus | 4712 SECStatus |
4584 ssl3_CheckSignatureAndHashAlgorithmConsistency( | 4713 ssl3_CheckSignatureAndHashAlgorithmConsistency( |
4585 » const SSL3SignatureAndHashAlgorithm *sigAndHash, CERTCertificate* cert) | 4714 sslSocket *ss, const SSLSignatureAndHashAlg *sigAndHash, |
| 4715 CERTCertificate* cert) |
4586 { | 4716 { |
4587 SECStatus rv; | 4717 SECStatus rv; |
4588 TLSSignatureAlgorithm sigAlg; | 4718 SSLSignType sigAlg; |
| 4719 unsigned int i; |
4589 | 4720 |
4590 rv = ssl3_TLSSignatureAlgorithmForCertificate(cert, &sigAlg); | 4721 rv = ssl3_TLSSignatureAlgorithmForCertificate(cert, &sigAlg); |
4591 if (rv != SECSuccess) { | 4722 if (rv != SECSuccess) { |
4592 » return rv; | 4723 return rv; |
4593 } | 4724 } |
4594 if (sigAlg != sigAndHash->sigAlg) { | 4725 if (sigAlg != sigAndHash->sigAlg) { |
4595 » PORT_SetError(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM); | 4726 PORT_SetError(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM); |
4596 » return SECFailure; | 4727 return SECFailure; |
4597 } | 4728 } |
4598 return SECSuccess; | 4729 |
| 4730 for (i = 0; i < ss->ssl3.signatureAlgorithmCount; ++i) { |
| 4731 const SSLSignatureAndHashAlg *alg = &ss->ssl3.signatureAlgorithms[i]; |
| 4732 if (sigAndHash->sigAlg == alg->sigAlg && |
| 4733 sigAndHash->hashAlg == alg->hashAlg) { |
| 4734 return SECSuccess; |
| 4735 } |
| 4736 } |
| 4737 PORT_SetError(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM); |
| 4738 return SECFailure; |
| 4739 } |
| 4740 |
| 4741 PRBool |
| 4742 ssl3_IsSupportedSignatureAlgorithm(const SSLSignatureAndHashAlg *alg) |
| 4743 { |
| 4744 static const SSLHashType supportedHashes[] = { |
| 4745 ssl_hash_sha1, |
| 4746 ssl_hash_sha256, |
| 4747 ssl_hash_sha384, |
| 4748 ssl_hash_sha512 |
| 4749 }; |
| 4750 |
| 4751 static const SSLSignType supportedSigAlgs[] = { |
| 4752 ssl_sign_rsa, |
| 4753 #ifndef NSS_DISABLE_ECC |
| 4754 ssl_sign_ecdsa, |
| 4755 #endif |
| 4756 ssl_sign_dsa |
| 4757 }; |
| 4758 |
| 4759 unsigned int i; |
| 4760 PRBool hashOK = PR_FALSE; |
| 4761 PRBool signOK = PR_FALSE; |
| 4762 |
| 4763 for (i = 0; i < PR_ARRAY_SIZE(supportedHashes); ++i) { |
| 4764 if (alg->hashAlg == supportedHashes[i]) { |
| 4765 hashOK = PR_TRUE; |
| 4766 break; |
| 4767 } |
| 4768 } |
| 4769 |
| 4770 for (i = 0; i < PR_ARRAY_SIZE(supportedSigAlgs); ++i) { |
| 4771 if (alg->sigAlg == supportedSigAlgs[i]) { |
| 4772 signOK = PR_TRUE; |
| 4773 break; |
| 4774 } |
| 4775 } |
| 4776 |
| 4777 return hashOK && signOK; |
4599 } | 4778 } |
4600 | 4779 |
4601 /* ssl3_ConsumeSignatureAndHashAlgorithm reads a SignatureAndHashAlgorithm | 4780 /* ssl3_ConsumeSignatureAndHashAlgorithm reads a SignatureAndHashAlgorithm |
4602 * structure from |b| and puts the resulting value into |out|. |b| and |length| | 4781 * structure from |b| and puts the resulting value into |out|. |b| and |length| |
4603 * are updated accordingly. | 4782 * are updated accordingly. |
4604 * | 4783 * |
4605 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ | 4784 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ |
4606 SECStatus | 4785 SECStatus |
4607 ssl3_ConsumeSignatureAndHashAlgorithm(sslSocket *ss, | 4786 ssl3_ConsumeSignatureAndHashAlgorithm(sslSocket *ss, |
4608 » » » » SSL3Opaque **b, | 4787 SSL3Opaque **b, |
4609 » » » » PRUint32 *length, | 4788 PRUint32 *length, |
4610 » » » » SSL3SignatureAndHashAlgorithm *out) | 4789 SSLSignatureAndHashAlg *out) |
4611 { | 4790 { |
4612 unsigned char bytes[2]; | 4791 PRUint8 bytes[2]; |
4613 SECStatus rv; | 4792 SECStatus rv; |
4614 | 4793 |
4615 rv = ssl3_ConsumeHandshake(ss, bytes, sizeof(bytes), b, length); | 4794 rv = ssl3_ConsumeHandshake(ss, bytes, sizeof(bytes), b, length); |
4616 if (rv != SECSuccess) { | 4795 if (rv != SECSuccess) { |
4617 » return rv; | 4796 return rv; |
4618 } | 4797 } |
4619 | 4798 |
4620 out->hashAlg = ssl3_TLSHashAlgorithmToOID(bytes[0]); | 4799 out->hashAlg = (SSLHashType)bytes[0]; |
4621 if (out->hashAlg == SEC_OID_UNKNOWN) { | 4800 out->sigAlg = (SSLSignType)bytes[1]; |
4622 » PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM); | 4801 if (!ssl3_IsSupportedSignatureAlgorithm(out)) { |
4623 » return SECFailure; | 4802 PORT_SetError(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM); |
| 4803 return SECFailure; |
4624 } | 4804 } |
4625 | |
4626 out->sigAlg = bytes[1]; | |
4627 return SECSuccess; | 4805 return SECSuccess; |
4628 } | 4806 } |
4629 | 4807 |
4630 /************************************************************************** | 4808 /************************************************************************** |
4631 * end of Consume Handshake functions. | 4809 * end of Consume Handshake functions. |
4632 **************************************************************************/ | 4810 **************************************************************************/ |
4633 | 4811 |
4634 /* Extract the hashes of handshake messages to this point. | 4812 /* Extract the hashes of handshake messages to this point. |
4635 * Called from ssl3_SendCertificateVerify | 4813 * Called from ssl3_SendCertificateVerify |
4636 * ssl3_SendFinished | 4814 * ssl3_SendFinished |
4637 * ssl3_HandleHandshakeMessage | 4815 * ssl3_HandleHandshakeMessage |
4638 * | 4816 * |
4639 * Caller must hold the SSL3HandshakeLock. | 4817 * Caller must hold the SSL3HandshakeLock. |
4640 * Caller must hold a read or write lock on the Spec R/W lock. | 4818 * Caller must hold a read or write lock on the Spec R/W lock. |
4641 * (There is presently no way to assert on a Read lock.) | 4819 * (There is presently no way to assert on a Read lock.) |
4642 */ | 4820 */ |
4643 static SECStatus | 4821 static SECStatus |
4644 ssl3_ComputeHandshakeHashes(sslSocket * ss, | 4822 ssl3_ComputeHandshakeHashes(sslSocket * ss, |
4645 ssl3CipherSpec *spec, /* uses ->master_secret */ | 4823 ssl3CipherSpec *spec, /* uses ->master_secret */ |
4646 SSL3Hashes * hashes, /* output goes here. */ | 4824 SSL3Hashes * hashes, /* output goes here. */ |
4647 PRUint32 sender) | 4825 PRUint32 sender) |
4648 { | 4826 { |
4649 SECStatus rv = SECSuccess; | 4827 SECStatus rv = SECSuccess; |
4650 PRBool isTLS = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0); | 4828 PRBool isTLS = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0); |
4651 unsigned int outLength; | 4829 unsigned int outLength; |
4652 SSL3Opaque md5_inner[MAX_MAC_LENGTH]; | 4830 SSL3Opaque md5_inner[MAX_MAC_LENGTH]; |
4653 SSL3Opaque sha_inner[MAX_MAC_LENGTH]; | 4831 SSL3Opaque sha_inner[MAX_MAC_LENGTH]; |
4654 | 4832 |
4655 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 4833 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
4656 hashes->hashAlg = SEC_OID_UNKNOWN; | 4834 if (ss->ssl3.hs.hashType == handshake_hash_unknown) { |
| 4835 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
| 4836 return SECFailure; |
| 4837 } |
| 4838 |
| 4839 hashes->hashAlg = ssl_hash_none; |
4657 | 4840 |
4658 #ifndef NO_PKCS11_BYPASS | 4841 #ifndef NO_PKCS11_BYPASS |
4659 if (ss->opt.bypassPKCS11 && | 4842 if (ss->opt.bypassPKCS11 && |
4660 ss->ssl3.hs.hashType == handshake_hash_single) { | 4843 ss->ssl3.hs.hashType == handshake_hash_single) { |
4661 /* compute them without PKCS11 */ | 4844 /* compute them without PKCS11 */ |
4662 PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS]; | 4845 PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS]; |
4663 | 4846 |
4664 if (!spec->msItem.data) { | |
4665 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE); | |
4666 return SECFailure; | |
4667 } | |
4668 | |
4669 ss->ssl3.hs.sha_clone(sha_cx, ss->ssl3.hs.sha_cx); | 4847 ss->ssl3.hs.sha_clone(sha_cx, ss->ssl3.hs.sha_cx); |
4670 ss->ssl3.hs.sha_obj->end(sha_cx, hashes->u.raw, &hashes->len, | 4848 ss->ssl3.hs.sha_obj->end(sha_cx, hashes->u.raw, &hashes->len, |
4671 sizeof(hashes->u.raw)); | 4849 sizeof(hashes->u.raw)); |
4672 | 4850 |
4673 PRINT_BUF(60, (NULL, "SHA-256: result", hashes->u.raw, hashes->len)); | 4851 PRINT_BUF(60, (NULL, "SHA-256: result", hashes->u.raw, hashes->len)); |
4674 | 4852 |
4675 /* If we ever support ciphersuites where the PRF hash isn't SHA-256 | 4853 /* If we ever support ciphersuites where the PRF hash isn't SHA-256 |
4676 * then this will need to be updated. */ | 4854 * then this will need to be updated. */ |
4677 » hashes->hashAlg = SEC_OID_SHA256; | 4855 » hashes->hashAlg = ssl_hash_sha256; |
4678 rv = SECSuccess; | 4856 rv = SECSuccess; |
4679 } else if (ss->opt.bypassPKCS11) { | 4857 } else if (ss->opt.bypassPKCS11) { |
4680 /* compute them without PKCS11 */ | 4858 /* compute them without PKCS11 */ |
4681 PRUint64 md5_cx[MAX_MAC_CONTEXT_LLONGS]; | 4859 PRUint64 md5_cx[MAX_MAC_CONTEXT_LLONGS]; |
4682 PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS]; | 4860 PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS]; |
4683 | 4861 |
4684 #define md5cx ((MD5Context *)md5_cx) | 4862 #define md5cx ((MD5Context *)md5_cx) |
4685 #define shacx ((SHA1Context *)sha_cx) | 4863 #define shacx ((SHA1Context *)sha_cx) |
4686 | 4864 |
4687 if (!spec->msItem.data) { | |
4688 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE); | |
4689 return SECFailure; | |
4690 } | |
4691 | |
4692 MD5_Clone (md5cx, (MD5Context *)ss->ssl3.hs.md5_cx); | 4865 MD5_Clone (md5cx, (MD5Context *)ss->ssl3.hs.md5_cx); |
4693 SHA1_Clone(shacx, (SHA1Context *)ss->ssl3.hs.sha_cx); | 4866 SHA1_Clone(shacx, (SHA1Context *)ss->ssl3.hs.sha_cx); |
4694 | 4867 |
4695 if (!isTLS) { | 4868 if (!isTLS) { |
4696 /* compute hashes for SSL3. */ | 4869 /* compute hashes for SSL3. */ |
4697 unsigned char s[4]; | 4870 unsigned char s[4]; |
4698 | 4871 |
| 4872 if (!spec->msItem.data) { |
| 4873 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE); |
| 4874 return SECFailure; |
| 4875 } |
| 4876 |
4699 s[0] = (unsigned char)(sender >> 24); | 4877 s[0] = (unsigned char)(sender >> 24); |
4700 s[1] = (unsigned char)(sender >> 16); | 4878 s[1] = (unsigned char)(sender >> 16); |
4701 s[2] = (unsigned char)(sender >> 8); | 4879 s[2] = (unsigned char)(sender >> 8); |
4702 s[3] = (unsigned char)sender; | 4880 s[3] = (unsigned char)sender; |
4703 | 4881 |
4704 if (sender != 0) { | 4882 if (sender != 0) { |
4705 MD5_Update(md5cx, s, 4); | 4883 MD5_Update(md5cx, s, 4); |
4706 PRINT_BUF(95, (NULL, "MD5 inner: sender", s, 4)); | 4884 PRINT_BUF(95, (NULL, "MD5 inner: sender", s, 4)); |
4707 } | 4885 } |
4708 | 4886 |
(...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
4761 #undef shacx | 4939 #undef shacx |
4762 } else | 4940 } else |
4763 #endif | 4941 #endif |
4764 if (ss->ssl3.hs.hashType == handshake_hash_single) { | 4942 if (ss->ssl3.hs.hashType == handshake_hash_single) { |
4765 /* compute hashes with PKCS11 */ | 4943 /* compute hashes with PKCS11 */ |
4766 PK11Context *h; | 4944 PK11Context *h; |
4767 unsigned int stateLen; | 4945 unsigned int stateLen; |
4768 unsigned char stackBuf[1024]; | 4946 unsigned char stackBuf[1024]; |
4769 unsigned char *stateBuf = NULL; | 4947 unsigned char *stateBuf = NULL; |
4770 | 4948 |
4771 if (!spec->master_secret) { | |
4772 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE); | |
4773 return SECFailure; | |
4774 } | |
4775 | |
4776 h = ss->ssl3.hs.sha; | 4949 h = ss->ssl3.hs.sha; |
4777 stateBuf = PK11_SaveContextAlloc(h, stackBuf, | 4950 stateBuf = PK11_SaveContextAlloc(h, stackBuf, |
4778 sizeof(stackBuf), &stateLen); | 4951 sizeof(stackBuf), &stateLen); |
4779 if (stateBuf == NULL) { | 4952 if (stateBuf == NULL) { |
4780 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); | 4953 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); |
4781 goto tls12_loser; | 4954 goto tls12_loser; |
4782 } | 4955 } |
4783 rv |= PK11_DigestFinal(h, hashes->u.raw, &hashes->len, | 4956 rv |= PK11_DigestFinal(h, hashes->u.raw, &hashes->len, |
4784 sizeof(hashes->u.raw)); | 4957 sizeof(hashes->u.raw)); |
4785 if (rv != SECSuccess) { | 4958 if (rv != SECSuccess) { |
4786 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); | 4959 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); |
4787 rv = SECFailure; | 4960 rv = SECFailure; |
4788 goto tls12_loser; | 4961 goto tls12_loser; |
4789 } | 4962 } |
4790 /* If we ever support ciphersuites where the PRF hash isn't SHA-256 | 4963 /* If we ever support ciphersuites where the PRF hash isn't SHA-256 |
4791 * then this will need to be updated. */ | 4964 * then this will need to be updated. */ |
4792 » hashes->hashAlg = SEC_OID_SHA256; | 4965 » hashes->hashAlg = ssl_hash_sha256; |
4793 rv = SECSuccess; | 4966 rv = SECSuccess; |
4794 | 4967 |
4795 tls12_loser: | 4968 tls12_loser: |
4796 if (stateBuf) { | 4969 if (stateBuf) { |
4797 if (PK11_RestoreContext(h, stateBuf, stateLen) != SECSuccess) { | 4970 if (PK11_RestoreContext(h, stateBuf, stateLen) != SECSuccess) { |
4798 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); | 4971 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); |
4799 rv = SECFailure; | 4972 rv = SECFailure; |
4800 } | 4973 } |
4801 if (stateBuf != stackBuf) { | 4974 if (stateBuf != stackBuf) { |
4802 PORT_ZFree(stateBuf, stateLen); | 4975 PORT_ZFree(stateBuf, stateLen); |
4803 } | 4976 } |
4804 } | 4977 } |
4805 } else { | 4978 } else { |
4806 /* compute hashes with PKCS11 */ | 4979 /* compute hashes with PKCS11 */ |
4807 PK11Context * md5; | 4980 PK11Context * md5; |
4808 PK11Context * sha = NULL; | 4981 PK11Context * sha = NULL; |
4809 unsigned char *md5StateBuf = NULL; | 4982 unsigned char *md5StateBuf = NULL; |
4810 unsigned char *shaStateBuf = NULL; | 4983 unsigned char *shaStateBuf = NULL; |
4811 unsigned int md5StateLen, shaStateLen; | 4984 unsigned int md5StateLen, shaStateLen; |
4812 unsigned char md5StackBuf[256]; | 4985 unsigned char md5StackBuf[256]; |
4813 unsigned char shaStackBuf[512]; | 4986 unsigned char shaStackBuf[512]; |
4814 | 4987 |
4815 if (!spec->master_secret) { | |
4816 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE); | |
4817 return SECFailure; | |
4818 } | |
4819 | |
4820 md5StateBuf = PK11_SaveContextAlloc(ss->ssl3.hs.md5, md5StackBuf, | 4988 md5StateBuf = PK11_SaveContextAlloc(ss->ssl3.hs.md5, md5StackBuf, |
4821 sizeof md5StackBuf, &md5StateLen); | 4989 sizeof md5StackBuf, &md5StateLen); |
4822 if (md5StateBuf == NULL) { | 4990 if (md5StateBuf == NULL) { |
4823 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); | 4991 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); |
4824 goto loser; | 4992 goto loser; |
4825 } | 4993 } |
4826 md5 = ss->ssl3.hs.md5; | 4994 md5 = ss->ssl3.hs.md5; |
4827 | 4995 |
4828 shaStateBuf = PK11_SaveContextAlloc(ss->ssl3.hs.sha, shaStackBuf, | 4996 shaStateBuf = PK11_SaveContextAlloc(ss->ssl3.hs.sha, shaStackBuf, |
4829 sizeof shaStackBuf, &shaStateLen); | 4997 sizeof shaStackBuf, &shaStateLen); |
4830 if (shaStateBuf == NULL) { | 4998 if (shaStateBuf == NULL) { |
4831 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); | 4999 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
4832 goto loser; | 5000 goto loser; |
4833 } | 5001 } |
4834 sha = ss->ssl3.hs.sha; | 5002 sha = ss->ssl3.hs.sha; |
4835 | 5003 |
4836 if (!isTLS) { | 5004 if (!isTLS) { |
4837 /* compute hashes for SSL3. */ | 5005 /* compute hashes for SSL3. */ |
4838 unsigned char s[4]; | 5006 unsigned char s[4]; |
4839 | 5007 |
| 5008 if (!spec->master_secret) { |
| 5009 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE); |
| 5010 return SECFailure; |
| 5011 } |
| 5012 |
4840 s[0] = (unsigned char)(sender >> 24); | 5013 s[0] = (unsigned char)(sender >> 24); |
4841 s[1] = (unsigned char)(sender >> 16); | 5014 s[1] = (unsigned char)(sender >> 16); |
4842 s[2] = (unsigned char)(sender >> 8); | 5015 s[2] = (unsigned char)(sender >> 8); |
4843 s[3] = (unsigned char)sender; | 5016 s[3] = (unsigned char)sender; |
4844 | 5017 |
4845 if (sender != 0) { | 5018 if (sender != 0) { |
4846 rv |= PK11_DigestOp(md5, s, 4); | 5019 rv |= PK11_DigestOp(md5, s, 4); |
4847 PRINT_BUF(95, (NULL, "MD5 inner: sender", s, 4)); | 5020 PRINT_BUF(95, (NULL, "MD5 inner: sender", s, 4)); |
4848 } | 5021 } |
4849 | 5022 |
(...skipping 111 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
4961 PORT_Assert( !ss->sec.isServer ); | 5134 PORT_Assert( !ss->sec.isServer ); |
4962 PORT_Assert( ss->ssl3.hs.hashType == handshake_hash_single ); | 5135 PORT_Assert( ss->ssl3.hs.hashType == handshake_hash_single ); |
4963 | 5136 |
4964 rv = PK11_DigestFinal(ss->ssl3.hs.backupHash, hashes->u.raw, &hashes->len, | 5137 rv = PK11_DigestFinal(ss->ssl3.hs.backupHash, hashes->u.raw, &hashes->len, |
4965 sizeof(hashes->u.raw)); | 5138 sizeof(hashes->u.raw)); |
4966 if (rv != SECSuccess) { | 5139 if (rv != SECSuccess) { |
4967 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); | 5140 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
4968 rv = SECFailure; | 5141 rv = SECFailure; |
4969 goto loser; | 5142 goto loser; |
4970 } | 5143 } |
4971 hashes->hashAlg = SEC_OID_SHA1; | 5144 hashes->hashAlg = ssl_hash_sha1; |
4972 | 5145 |
4973 loser: | 5146 loser: |
4974 PK11_DestroyContext(ss->ssl3.hs.backupHash, PR_TRUE); | 5147 PK11_DestroyContext(ss->ssl3.hs.backupHash, PR_TRUE); |
4975 ss->ssl3.hs.backupHash = NULL; | 5148 ss->ssl3.hs.backupHash = NULL; |
4976 return rv; | 5149 return rv; |
4977 } | 5150 } |
4978 | 5151 |
4979 /* | 5152 /* |
4980 * SSL 2 based implementations pass in the initial outbound buffer | 5153 * SSL 2 based implementations pass in the initial outbound buffer |
4981 * so that the handshake hash can contain the included information. | 5154 * so that the handshake hash can contain the included information. |
(...skipping 60 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
5042 SSL_TRC(3, ("%d: SSL3[%d]: send client_hello handshake", SSL_GETPID(), | 5215 SSL_TRC(3, ("%d: SSL3[%d]: send client_hello handshake", SSL_GETPID(), |
5043 ss->fd)); | 5216 ss->fd)); |
5044 | 5217 |
5045 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 5218 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
5046 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); | 5219 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); |
5047 | 5220 |
5048 rv = ssl3_InitState(ss); | 5221 rv = ssl3_InitState(ss); |
5049 if (rv != SECSuccess) { | 5222 if (rv != SECSuccess) { |
5050 return rv; /* ssl3_InitState has set the error code. */ | 5223 return rv; /* ssl3_InitState has set the error code. */ |
5051 } | 5224 } |
5052 ss->ssl3.hs.sendingSCSV = PR_FALSE; /* Must be reset every handshake */ | 5225 /* These must be reset every handshake. */ |
| 5226 ss->ssl3.hs.sendingSCSV = PR_FALSE; |
| 5227 ss->ssl3.hs.preliminaryInfo = 0; |
5053 PORT_Assert(IS_DTLS(ss) || !resending); | 5228 PORT_Assert(IS_DTLS(ss) || !resending); |
5054 | 5229 |
5055 SECITEM_FreeItem(&ss->ssl3.hs.newSessionTicket.ticket, PR_FALSE); | 5230 SECITEM_FreeItem(&ss->ssl3.hs.newSessionTicket.ticket, PR_FALSE); |
5056 ss->ssl3.hs.receivedNewSessionTicket = PR_FALSE; | 5231 ss->ssl3.hs.receivedNewSessionTicket = PR_FALSE; |
5057 | 5232 |
5058 /* We might be starting a session renegotiation in which case we should | 5233 /* We might be starting a session renegotiation in which case we should |
5059 * clear previous state. | 5234 * clear previous state. |
5060 */ | 5235 */ |
5061 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData)); | 5236 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData)); |
5062 | 5237 |
(...skipping 355 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
5418 rv = ssl3_AppendHandshakeNumber(ss, TLS_FALLBACK_SCSV, | 5593 rv = ssl3_AppendHandshakeNumber(ss, TLS_FALLBACK_SCSV, |
5419 sizeof(ssl3CipherSuite)); | 5594 sizeof(ssl3CipherSuite)); |
5420 if (rv != SECSuccess) { | 5595 if (rv != SECSuccess) { |
5421 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); } | 5596 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); } |
5422 return rv; /* err set by ssl3_AppendHandshake* */ | 5597 return rv; /* err set by ssl3_AppendHandshake* */ |
5423 } | 5598 } |
5424 actual_count++; | 5599 actual_count++; |
5425 } | 5600 } |
5426 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { | 5601 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { |
5427 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; | 5602 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; |
5428 » if (config_match(suite, ss->ssl3.policy, PR_TRUE, &ss->vrange)) { | 5603 » if (config_match(suite, ss->ssl3.policy, PR_TRUE, &ss->vrange, ss)) { |
5429 actual_count++; | 5604 actual_count++; |
5430 if (actual_count > num_suites) { | 5605 if (actual_count > num_suites) { |
5431 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock);
} | 5606 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock);
} |
5432 /* set error card removal/insertion error */ | 5607 /* set error card removal/insertion error */ |
5433 PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL); | 5608 PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL); |
5434 return SECFailure; | 5609 return SECFailure; |
5435 } | 5610 } |
5436 rv = ssl3_AppendHandshakeNumber(ss, suite->cipher_suite, | 5611 rv = ssl3_AppendHandshakeNumber(ss, suite->cipher_suite, |
5437 sizeof(ssl3CipherSuite)); | 5612 sizeof(ssl3CipherSuite)); |
5438 if (rv != SECSuccess) { | 5613 if (rv != SECSuccess) { |
(...skipping 637 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
6076 hexEncode(buf + 21, keyData->data, 48); | 6251 hexEncode(buf + 21, keyData->data, 48); |
6077 buf[sizeof(buf) - 1] = '\n'; | 6252 buf[sizeof(buf) - 1] = '\n'; |
6078 | 6253 |
6079 fwrite(buf, sizeof(buf), 1, ssl_keylog_iob); | 6254 fwrite(buf, sizeof(buf), 1, ssl_keylog_iob); |
6080 fflush(ssl_keylog_iob); | 6255 fflush(ssl_keylog_iob); |
6081 } | 6256 } |
6082 } | 6257 } |
6083 } | 6258 } |
6084 } | 6259 } |
6085 | 6260 |
6086 rv = ssl3_InitPendingCipherSpec(ss, pms); | |
6087 PK11_FreeSymKey(pms); pms = NULL; | |
6088 | |
6089 if (rv != SECSuccess) { | |
6090 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); | |
6091 goto loser; | |
6092 } | |
6093 | |
6094 rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange, | 6261 rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange, |
6095 isTLS ? enc_pms.len + 2 : enc_pms.len); | 6262 isTLS ? enc_pms.len + 2 : enc_pms.len); |
6096 if (rv != SECSuccess) { | 6263 if (rv != SECSuccess) { |
6097 goto loser; /* err set by ssl3_AppendHandshake* */ | 6264 goto loser; /* err set by ssl3_AppendHandshake* */ |
6098 } | 6265 } |
6099 if (isTLS) { | 6266 if (isTLS) { |
6100 rv = ssl3_AppendHandshakeVariable(ss, enc_pms.data, enc_pms.len, 2); | 6267 rv = ssl3_AppendHandshakeVariable(ss, enc_pms.data, enc_pms.len, 2); |
6101 } else { | 6268 } else { |
6102 rv = ssl3_AppendHandshake(ss, enc_pms.data, enc_pms.len); | 6269 rv = ssl3_AppendHandshake(ss, enc_pms.data, enc_pms.len); |
6103 } | 6270 } |
6104 if (rv != SECSuccess) { | 6271 if (rv != SECSuccess) { |
6105 goto loser; /* err set by ssl3_AppendHandshake* */ | 6272 goto loser; /* err set by ssl3_AppendHandshake* */ |
6106 } | 6273 } |
6107 | 6274 |
| 6275 rv = ssl3_InitPendingCipherSpec(ss, pms); |
| 6276 PK11_FreeSymKey(pms); |
| 6277 pms = NULL; |
| 6278 |
| 6279 if (rv != SECSuccess) { |
| 6280 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); |
| 6281 goto loser; |
| 6282 } |
| 6283 |
6108 rv = SECSuccess; | 6284 rv = SECSuccess; |
6109 | 6285 |
6110 loser: | 6286 loser: |
6111 if (enc_pms.data != NULL) { | 6287 if (enc_pms.data != NULL) { |
6112 PORT_Free(enc_pms.data); | 6288 PORT_Free(enc_pms.data); |
6113 } | 6289 } |
6114 if (pms != NULL) { | 6290 if (pms != NULL) { |
6115 PK11_FreeSymKey(pms); | 6291 PK11_FreeSymKey(pms); |
6116 } | 6292 } |
6117 return rv; | 6293 return rv; |
(...skipping 49 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
6167 CKM_DH_PKCS_DERIVE, target, CKA_DERIVE, 0, NULL); | 6343 CKM_DH_PKCS_DERIVE, target, CKA_DERIVE, 0, NULL); |
6168 | 6344 |
6169 if (pms == NULL) { | 6345 if (pms == NULL) { |
6170 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); | 6346 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); |
6171 goto loser; | 6347 goto loser; |
6172 } | 6348 } |
6173 | 6349 |
6174 SECKEY_DestroyPrivateKey(privKey); | 6350 SECKEY_DestroyPrivateKey(privKey); |
6175 privKey = NULL; | 6351 privKey = NULL; |
6176 | 6352 |
6177 rv = ssl3_InitPendingCipherSpec(ss, pms); | |
6178 PK11_FreeSymKey(pms); pms = NULL; | |
6179 | |
6180 if (rv != SECSuccess) { | |
6181 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); | |
6182 goto loser; | |
6183 } | |
6184 | |
6185 rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange, | 6353 rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange, |
6186 pubKey->u.dh.publicValue.len + 2); | 6354 pubKey->u.dh.publicValue.len + 2); |
6187 if (rv != SECSuccess) { | 6355 if (rv != SECSuccess) { |
6188 goto loser; /* err set by ssl3_AppendHandshake* */ | 6356 goto loser; /* err set by ssl3_AppendHandshake* */ |
6189 } | 6357 } |
6190 rv = ssl3_AppendHandshakeVariable(ss, | 6358 rv = ssl3_AppendHandshakeVariable(ss, |
6191 pubKey->u.dh.publicValue.data, | 6359 pubKey->u.dh.publicValue.data, |
6192 pubKey->u.dh.publicValue.len, 2); | 6360 pubKey->u.dh.publicValue.len, 2); |
6193 SECKEY_DestroyPublicKey(pubKey); | 6361 SECKEY_DestroyPublicKey(pubKey); |
6194 pubKey = NULL; | 6362 pubKey = NULL; |
6195 | 6363 |
6196 if (rv != SECSuccess) { | 6364 if (rv != SECSuccess) { |
6197 goto loser; /* err set by ssl3_AppendHandshake* */ | 6365 goto loser; /* err set by ssl3_AppendHandshake* */ |
6198 } | 6366 } |
6199 | 6367 |
| 6368 rv = ssl3_InitPendingCipherSpec(ss, pms); |
| 6369 PK11_FreeSymKey(pms); |
| 6370 pms = NULL; |
| 6371 |
| 6372 if (rv != SECSuccess) { |
| 6373 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); |
| 6374 goto loser; |
| 6375 } |
| 6376 |
6200 rv = SECSuccess; | 6377 rv = SECSuccess; |
6201 | 6378 |
6202 | |
6203 loser: | 6379 loser: |
6204 | 6380 |
6205 if(pms) PK11_FreeSymKey(pms); | 6381 if(pms) PK11_FreeSymKey(pms); |
6206 if(privKey) SECKEY_DestroyPrivateKey(privKey); | 6382 if(privKey) SECKEY_DestroyPrivateKey(privKey); |
6207 if(pubKey) SECKEY_DestroyPublicKey(pubKey); | 6383 if(pubKey) SECKEY_DestroyPublicKey(pubKey); |
6208 return rv; | 6384 return rv; |
6209 } | 6385 } |
6210 | 6386 |
6211 | 6387 |
6212 | 6388 |
(...skipping 20 matching lines...) Expand all Loading... |
6233 return SECFailure; | 6409 return SECFailure; |
6234 } | 6410 } |
6235 } else { | 6411 } else { |
6236 serverKey = ss->sec.peerKey; | 6412 serverKey = ss->sec.peerKey; |
6237 ss->sec.peerKey = NULL; /* we're done with it now */ | 6413 ss->sec.peerKey = NULL; /* we're done with it now */ |
6238 } | 6414 } |
6239 | 6415 |
6240 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); | 6416 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); |
6241 /* enforce limits on kea key sizes. */ | 6417 /* enforce limits on kea key sizes. */ |
6242 if (ss->ssl3.hs.kea_def->is_limited) { | 6418 if (ss->ssl3.hs.kea_def->is_limited) { |
6243 » int keyLen = SECKEY_PublicKeyStrength(serverKey);» /* bytes */ | 6419 unsigned int keyLen = SECKEY_PublicKeyStrengthInBits(serverKey); |
6244 | 6420 |
6245 » if (keyLen * BPB > ss->ssl3.hs.kea_def->key_size_limit) { | 6421 if (keyLen > ss->ssl3.hs.kea_def->key_size_limit) { |
6246 if (isTLS) | 6422 if (isTLS) |
6247 (void)SSL3_SendAlert(ss, alert_fatal, export_restriction); | 6423 (void)SSL3_SendAlert(ss, alert_fatal, export_restriction); |
6248 else | 6424 else |
6249 (void)ssl3_HandshakeFailure(ss); | 6425 (void)ssl3_HandshakeFailure(ss); |
6250 PORT_SetError(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED); | 6426 PORT_SetError(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED); |
6251 goto loser; | 6427 goto loser; |
6252 } | 6428 } |
6253 } | 6429 } |
6254 | 6430 |
6255 ss->sec.keaType = ss->ssl3.hs.kea_def->exchKeyType; | 6431 ss->sec.keaType = ss->ssl3.hs.kea_def->exchKeyType; |
(...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
6290 static SECStatus | 6466 static SECStatus |
6291 ssl3_SendCertificateVerify(sslSocket *ss) | 6467 ssl3_SendCertificateVerify(sslSocket *ss) |
6292 { | 6468 { |
6293 SECStatus rv = SECFailure; | 6469 SECStatus rv = SECFailure; |
6294 PRBool isTLS; | 6470 PRBool isTLS; |
6295 PRBool isTLS12; | 6471 PRBool isTLS12; |
6296 SECItem buf = {siBuffer, NULL, 0}; | 6472 SECItem buf = {siBuffer, NULL, 0}; |
6297 SSL3Hashes hashes; | 6473 SSL3Hashes hashes; |
6298 KeyType keyType; | 6474 KeyType keyType; |
6299 unsigned int len; | 6475 unsigned int len; |
6300 SSL3SignatureAndHashAlgorithm sigAndHash; | 6476 SSLSignatureAndHashAlg sigAndHash; |
6301 | 6477 |
6302 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); | 6478 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
6303 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 6479 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
6304 | 6480 |
6305 SSL_TRC(3, ("%d: SSL3[%d]: send certificate_verify handshake", | 6481 SSL_TRC(3, ("%d: SSL3[%d]: send certificate_verify handshake", |
6306 SSL_GETPID(), ss->fd)); | 6482 SSL_GETPID(), ss->fd)); |
6307 | 6483 |
6308 ssl_GetSpecReadLock(ss); | 6484 ssl_GetSpecReadLock(ss); |
6309 if (ss->ssl3.hs.hashType == handshake_hash_single && | 6485 if (ss->ssl3.hs.hashType == handshake_hash_single && |
6310 ss->ssl3.hs.backupHash) { | 6486 ss->ssl3.hs.backupHash) { |
(...skipping 44 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
6355 } | 6531 } |
6356 | 6532 |
6357 len = buf.len + 2 + (isTLS12 ? 2 : 0); | 6533 len = buf.len + 2 + (isTLS12 ? 2 : 0); |
6358 | 6534 |
6359 rv = ssl3_AppendHandshakeHeader(ss, certificate_verify, len); | 6535 rv = ssl3_AppendHandshakeHeader(ss, certificate_verify, len); |
6360 if (rv != SECSuccess) { | 6536 if (rv != SECSuccess) { |
6361 goto done; /* error code set by AppendHandshake */ | 6537 goto done; /* error code set by AppendHandshake */ |
6362 } | 6538 } |
6363 if (isTLS12) { | 6539 if (isTLS12) { |
6364 rv = ssl3_TLSSignatureAlgorithmForKeyType(keyType, | 6540 rv = ssl3_TLSSignatureAlgorithmForKeyType(keyType, |
6365 » » » » » » &sigAndHash.sigAlg); | 6541 &sigAndHash.sigAlg); |
6366 if (rv != SECSuccess) { | 6542 if (rv != SECSuccess) { |
6367 goto done; | 6543 goto done; |
6368 } | 6544 } |
6369 » sigAndHash.hashAlg = hashes.hashAlg; | 6545 sigAndHash.hashAlg = hashes.hashAlg; |
6370 | 6546 |
6371 rv = ssl3_AppendSignatureAndHashAlgorithm(ss, &sigAndHash); | 6547 rv = ssl3_AppendSignatureAndHashAlgorithm(ss, &sigAndHash); |
6372 if (rv != SECSuccess) { | 6548 if (rv != SECSuccess) { |
6373 goto done; /* err set by AppendHandshake. */ | 6549 goto done; /* err set by AppendHandshake. */ |
6374 } | 6550 } |
6375 } | 6551 } |
6376 rv = ssl3_AppendHandshakeVariable(ss, buf.data, buf.len, 2); | 6552 rv = ssl3_AppendHandshakeVariable(ss, buf.data, buf.len, 2); |
6377 if (rv != SECSuccess) { | 6553 if (rv != SECSuccess) { |
6378 goto done; /* error code set by AppendHandshake */ | 6554 goto done; /* error code set by AppendHandshake */ |
6379 } | 6555 } |
(...skipping 87 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
6467 } | 6643 } |
6468 } | 6644 } |
6469 | 6645 |
6470 rv = ssl3_NegotiateVersion(ss, version, PR_FALSE); | 6646 rv = ssl3_NegotiateVersion(ss, version, PR_FALSE); |
6471 if (rv != SECSuccess) { | 6647 if (rv != SECSuccess) { |
6472 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version | 6648 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version |
6473 : handshake_failure; | 6649 : handshake_failure; |
6474 errCode = SSL_ERROR_UNSUPPORTED_VERSION; | 6650 errCode = SSL_ERROR_UNSUPPORTED_VERSION; |
6475 goto alert_loser; | 6651 goto alert_loser; |
6476 } | 6652 } |
| 6653 ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_version; |
6477 isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0); | 6654 isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0); |
6478 | 6655 |
6479 rv = ssl3_InitHandshakeHashes(ss); | 6656 rv = ssl3_InitHandshakeHashes(ss); |
6480 if (rv != SECSuccess) { | 6657 if (rv != SECSuccess) { |
6481 desc = internal_error; | 6658 desc = internal_error; |
6482 errCode = PORT_GetError(); | 6659 errCode = PORT_GetError(); |
6483 goto alert_loser; | 6660 goto alert_loser; |
6484 } | 6661 } |
6485 | 6662 |
6486 rv = ssl3_ConsumeHandshake( | 6663 rv = ssl3_ConsumeHandshake( |
(...skipping 15 matching lines...) Expand all Loading... |
6502 /* find selected cipher suite in our list. */ | 6679 /* find selected cipher suite in our list. */ |
6503 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); | 6680 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); |
6504 if (temp < 0) { | 6681 if (temp < 0) { |
6505 goto loser; /* alert has been sent */ | 6682 goto loser; /* alert has been sent */ |
6506 } | 6683 } |
6507 ssl3_config_match_init(ss); | 6684 ssl3_config_match_init(ss); |
6508 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { | 6685 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { |
6509 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; | 6686 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; |
6510 if (temp == suite->cipher_suite) { | 6687 if (temp == suite->cipher_suite) { |
6511 SSLVersionRange vrange = {ss->version, ss->version}; | 6688 SSLVersionRange vrange = {ss->version, ss->version}; |
6512 » if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) { | 6689 » if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange, ss)) { |
6513 /* config_match already checks whether the cipher suite is | 6690 /* config_match already checks whether the cipher suite is |
6514 * acceptable for the version, but the check is repeated here | 6691 * acceptable for the version, but the check is repeated here |
6515 * in order to give a more precise error code. */ | 6692 * in order to give a more precise error code. */ |
6516 if (!ssl3_CipherSuiteAllowedForVersionRange(temp, &vrange)) { | 6693 if (!ssl3_CipherSuiteAllowedForVersionRange(temp, &vrange)) { |
6517 desc = handshake_failure; | 6694 desc = handshake_failure; |
6518 errCode = SSL_ERROR_CIPHER_DISALLOWED_FOR_VERSION; | 6695 errCode = SSL_ERROR_CIPHER_DISALLOWED_FOR_VERSION; |
6519 goto alert_loser; | 6696 goto alert_loser; |
6520 } | 6697 } |
6521 | 6698 |
6522 break; /* failure */ | 6699 break; /* failure */ |
6523 } | 6700 } |
6524 | 6701 |
6525 suite_found = PR_TRUE; | 6702 suite_found = PR_TRUE; |
6526 break; /* success */ | 6703 break; /* success */ |
6527 } | 6704 } |
6528 } | 6705 } |
6529 if (!suite_found) { | 6706 if (!suite_found) { |
6530 desc = handshake_failure; | 6707 desc = handshake_failure; |
6531 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; | 6708 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; |
6532 goto alert_loser; | 6709 goto alert_loser; |
6533 } | 6710 } |
6534 ss->ssl3.hs.cipher_suite = (ssl3CipherSuite)temp; | 6711 ss->ssl3.hs.cipher_suite = (ssl3CipherSuite)temp; |
6535 ss->ssl3.hs.suite_def = ssl_LookupCipherSuiteDef((ssl3CipherSuite)temp); | 6712 ss->ssl3.hs.suite_def = ssl_LookupCipherSuiteDef((ssl3CipherSuite)temp); |
| 6713 ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_cipher_suite; |
6536 PORT_Assert(ss->ssl3.hs.suite_def); | 6714 PORT_Assert(ss->ssl3.hs.suite_def); |
6537 if (!ss->ssl3.hs.suite_def) { | 6715 if (!ss->ssl3.hs.suite_def) { |
6538 PORT_SetError(errCode = SEC_ERROR_LIBRARY_FAILURE); | 6716 PORT_SetError(errCode = SEC_ERROR_LIBRARY_FAILURE); |
6539 goto loser; /* we don't send alerts for our screw-ups. */ | 6717 goto loser; /* we don't send alerts for our screw-ups. */ |
6540 } | 6718 } |
6541 | 6719 |
6542 /* find selected compression method in our list. */ | 6720 /* find selected compression method in our list. */ |
6543 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &b, &length); | 6721 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &b, &length); |
6544 if (temp < 0) { | 6722 if (temp < 0) { |
6545 goto loser; /* alert has been sent */ | 6723 goto loser; /* alert has been sent */ |
(...skipping 66 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
6612 sidBytes.len == sid->u.ssl3.sessionIDLength && | 6790 sidBytes.len == sid->u.ssl3.sessionIDLength && |
6613 !PORT_Memcmp(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len)); | 6791 !PORT_Memcmp(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len)); |
6614 | 6792 |
6615 if (sid_match && | 6793 if (sid_match && |
6616 sid->version == ss->version && | 6794 sid->version == ss->version && |
6617 sid->u.ssl3.cipherSuite == ss->ssl3.hs.cipher_suite) do { | 6795 sid->u.ssl3.cipherSuite == ss->ssl3.hs.cipher_suite) do { |
6618 ssl3CipherSpec *pwSpec = ss->ssl3.pwSpec; | 6796 ssl3CipherSpec *pwSpec = ss->ssl3.pwSpec; |
6619 | 6797 |
6620 SECItem wrappedMS; /* wrapped master secret. */ | 6798 SECItem wrappedMS; /* wrapped master secret. */ |
6621 | 6799 |
| 6800 /* [draft-ietf-tls-session-hash-06; Section 5.3] |
| 6801 * |
| 6802 * o If the original session did not use the "extended_master_secret" |
| 6803 * extension but the new ServerHello contains the extension, the |
| 6804 * client MUST abort the handshake. |
| 6805 */ |
| 6806 if (!sid->u.ssl3.keys.extendedMasterSecretUsed && |
| 6807 ssl3_ExtensionNegotiated(ss, ssl_extended_master_secret_xtn)) { |
| 6808 errCode = SSL_ERROR_UNEXPECTED_EXTENDED_MASTER_SECRET; |
| 6809 goto alert_loser; |
| 6810 } |
| 6811 |
| 6812 /* |
| 6813 * o If the original session used an extended master secret but the n
ew |
| 6814 * ServerHello does not contain the "extended_master_secret" |
| 6815 * extension, the client SHOULD abort the handshake. |
| 6816 * |
| 6817 * TODO(ekr@rtfm.com): Add option to refuse to resume when EMS is not |
| 6818 * used at all (bug 1176526). |
| 6819 */ |
| 6820 if (sid->u.ssl3.keys.extendedMasterSecretUsed && |
| 6821 !ssl3_ExtensionNegotiated(ss, ssl_extended_master_secret_xtn)) { |
| 6822 errCode = SSL_ERROR_MISSING_EXTENDED_MASTER_SECRET; |
| 6823 goto alert_loser; |
| 6824 } |
| 6825 |
6622 ss->sec.authAlgorithm = sid->authAlgorithm; | 6826 ss->sec.authAlgorithm = sid->authAlgorithm; |
6623 ss->sec.authKeyBits = sid->authKeyBits; | 6827 ss->sec.authKeyBits = sid->authKeyBits; |
6624 ss->sec.keaType = sid->keaType; | 6828 ss->sec.keaType = sid->keaType; |
6625 ss->sec.keaKeyBits = sid->keaKeyBits; | 6829 ss->sec.keaKeyBits = sid->keaKeyBits; |
6626 | 6830 |
6627 /* 3 cases here: | 6831 /* 3 cases here: |
6628 * a) key is wrapped (implies using PKCS11) | 6832 * a) key is wrapped (implies using PKCS11) |
6629 * b) key is unwrapped, but we're still using PKCS11 | 6833 * b) key is unwrapped, but we're still using PKCS11 |
6630 * c) key is unwrapped, and we're bypassing PKCS11. | 6834 * c) key is unwrapped, and we're bypassing PKCS11. |
6631 */ | 6835 */ |
(...skipping 82 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
6714 ss->ssl3.hs.ws = wait_change_cipher; | 6918 ss->ssl3.hs.ws = wait_change_cipher; |
6715 | 6919 |
6716 ss->ssl3.hs.isResuming = PR_TRUE; | 6920 ss->ssl3.hs.isResuming = PR_TRUE; |
6717 | 6921 |
6718 /* copy the peer cert from the SID */ | 6922 /* copy the peer cert from the SID */ |
6719 if (sid->peerCert != NULL) { | 6923 if (sid->peerCert != NULL) { |
6720 ss->sec.peerCert = CERT_DupCertificate(sid->peerCert); | 6924 ss->sec.peerCert = CERT_DupCertificate(sid->peerCert); |
6721 ssl3_CopyPeerCertsFromSID(ss, sid); | 6925 ssl3_CopyPeerCertsFromSID(ss, sid); |
6722 } | 6926 } |
6723 | 6927 |
6724 » /* NULL value for PMS signifies re-use of the old MS */ | 6928 » /* NULL value for PMS because we are reusing the old MS */ |
6725 rv = ssl3_InitPendingCipherSpec(ss, NULL); | 6929 rv = ssl3_InitPendingCipherSpec(ss, NULL); |
6726 if (rv != SECSuccess) { | 6930 if (rv != SECSuccess) { |
6727 goto alert_loser; /* err code was set */ | 6931 goto alert_loser; /* err code was set */ |
6728 } | 6932 } |
6729 goto winner; | 6933 goto winner; |
6730 } while (0); | 6934 } while (0); |
6731 | 6935 |
6732 if (sid_match) | 6936 if (sid_match) |
6733 SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_not_ok ); | 6937 SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_not_ok ); |
6734 else | 6938 else |
6735 SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_misses ); | 6939 SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_misses ); |
6736 | 6940 |
6737 /* throw the old one away */ | 6941 /* throw the old one away */ |
6738 sid->u.ssl3.keys.resumable = PR_FALSE; | 6942 sid->u.ssl3.keys.resumable = PR_FALSE; |
6739 if (ss->sec.uncache) | 6943 if (ss->sec.uncache) |
6740 (*ss->sec.uncache)(sid); | 6944 (*ss->sec.uncache)(sid); |
6741 ssl_FreeSID(sid); | 6945 ssl_FreeSID(sid); |
6742 | 6946 |
6743 /* get a new sid */ | 6947 /* get a new sid */ |
6744 ss->sec.ci.sid = sid = ssl3_NewSessionID(ss, PR_FALSE); | 6948 ss->sec.ci.sid = sid = ssl3_NewSessionID(ss, PR_FALSE); |
6745 if (sid == NULL) { | 6949 if (sid == NULL) { |
6746 goto alert_loser; /* memory error is set. */ | 6950 goto alert_loser; /* memory error is set. */ |
6747 } | 6951 } |
6748 | 6952 |
6749 sid->version = ss->version; | 6953 sid->version = ss->version; |
6750 sid->u.ssl3.sessionIDLength = sidBytes.len; | 6954 sid->u.ssl3.sessionIDLength = sidBytes.len; |
6751 PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len); | 6955 PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len); |
6752 | 6956 |
| 6957 sid->u.ssl3.keys.extendedMasterSecretUsed = |
| 6958 ssl3_ExtensionNegotiated(ss, ssl_extended_master_secret_xtn); |
| 6959 |
6753 /* Copy Signed Certificate Timestamps, if any. */ | 6960 /* Copy Signed Certificate Timestamps, if any. */ |
6754 if (ss->xtnData.signedCertTimestamps.data) { | 6961 if (ss->xtnData.signedCertTimestamps.data) { |
6755 rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.signedCertTimestamps, | 6962 rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.signedCertTimestamps, |
6756 &ss->xtnData.signedCertTimestamps); | 6963 &ss->xtnData.signedCertTimestamps); |
6757 if (rv != SECSuccess) | 6964 if (rv != SECSuccess) |
6758 goto loser; | 6965 goto loser; |
6759 } | 6966 } |
6760 | 6967 |
6761 ss->ssl3.hs.isResuming = PR_FALSE; | 6968 ss->ssl3.hs.isResuming = PR_FALSE; |
6762 if (ss->ssl3.hs.kea_def->signKeyType != sign_null) { | 6969 if (ss->ssl3.hs.kea_def->signKeyType != sign_null) { |
6763 /* All current cipher suites other than those with sign_null (i.e., | 6970 /* All current cipher suites other than those with sign_null (i.e., |
6764 * DH_anon_* suites) require a certificate, so use that signal. */ | 6971 * (EC)DH_anon_* suites) require a certificate, so use that signal. */ |
6765 ss->ssl3.hs.ws = wait_server_cert; | 6972 ss->ssl3.hs.ws = wait_server_cert; |
6766 } else if (ss->ssl3.hs.kea_def->ephemeral) { | 6973 } else { |
6767 /* Only ephemeral cipher suites use ServerKeyExchange. */ | 6974 /* All the remaining cipher suites must be (EC)DH_anon_* and so |
| 6975 * must be ephemeral. Note, if we ever add PSK this might |
| 6976 * change. */ |
| 6977 PORT_Assert(ss->ssl3.hs.kea_def->ephemeral); |
6768 ss->ssl3.hs.ws = wait_server_key; | 6978 ss->ssl3.hs.ws = wait_server_key; |
6769 } else { | |
6770 ss->ssl3.hs.ws = wait_cert_request; | |
6771 } | 6979 } |
6772 | 6980 |
6773 winner: | 6981 winner: |
6774 /* Clean up the temporary pointer to the handshake buffer. */ | 6982 /* Clean up the temporary pointer to the handshake buffer. */ |
6775 ss->xtnData.signedCertTimestamps.data = NULL; | 6983 ss->xtnData.signedCertTimestamps.data = NULL; |
6776 ss->xtnData.signedCertTimestamps.len = 0; | 6984 ss->xtnData.signedCertTimestamps.len = 0; |
6777 | 6985 |
6778 /* If we will need a ChannelID key then we make the callback now. This | 6986 /* If we will need a ChannelID key then we make the callback now. This |
6779 * allows the handshake to be restarted cleanly if the callback returns | 6987 * allows the handshake to be restarted cleanly if the callback returns |
6780 * SECWouldBlock. */ | 6988 * SECWouldBlock. */ |
(...skipping 19 matching lines...) Expand all Loading... |
6800 (void)SSL3_SendAlert(ss, alert_fatal, desc); | 7008 (void)SSL3_SendAlert(ss, alert_fatal, desc); |
6801 | 7009 |
6802 loser: | 7010 loser: |
6803 /* Clean up the temporary pointer to the handshake buffer. */ | 7011 /* Clean up the temporary pointer to the handshake buffer. */ |
6804 ss->xtnData.signedCertTimestamps.data = NULL; | 7012 ss->xtnData.signedCertTimestamps.data = NULL; |
6805 ss->xtnData.signedCertTimestamps.len = 0; | 7013 ss->xtnData.signedCertTimestamps.len = 0; |
6806 errCode = ssl_MapLowLevelError(errCode); | 7014 errCode = ssl_MapLowLevelError(errCode); |
6807 return SECFailure; | 7015 return SECFailure; |
6808 } | 7016 } |
6809 | 7017 |
6810 /* ssl3_BigIntGreaterThanOne returns true iff |mpint|, taken as an unsigned, | |
6811 * big-endian integer is > 1 */ | |
6812 static PRBool | |
6813 ssl3_BigIntGreaterThanOne(const SECItem* mpint) { | |
6814 unsigned char firstNonZeroByte = 0; | |
6815 unsigned int i; | |
6816 | |
6817 for (i = 0; i < mpint->len; i++) { | |
6818 if (mpint->data[i]) { | |
6819 firstNonZeroByte = mpint->data[i]; | |
6820 break; | |
6821 } | |
6822 } | |
6823 | |
6824 if (firstNonZeroByte == 0) | |
6825 return PR_FALSE; | |
6826 if (firstNonZeroByte > 1) | |
6827 return PR_TRUE; | |
6828 | |
6829 /* firstNonZeroByte == 1, therefore mpint > 1 iff the first non-zero byte | |
6830 * is followed by another byte. */ | |
6831 return (i < mpint->len - 1); | |
6832 } | |
6833 | 7018 |
6834 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete | 7019 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete |
6835 * ssl3 ServerKeyExchange message. | 7020 * ssl3 ServerKeyExchange message. |
6836 * Caller must hold Handshake and RecvBuf locks. | 7021 * Caller must hold Handshake and RecvBuf locks. |
6837 */ | 7022 */ |
6838 static SECStatus | 7023 static SECStatus |
6839 ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length) | 7024 ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
6840 { | 7025 { |
6841 PLArenaPool * arena = NULL; | 7026 PLArenaPool * arena = NULL; |
6842 SECKEYPublicKey *peerKey = NULL; | 7027 SECKEYPublicKey *peerKey = NULL; |
6843 PRBool isTLS, isTLS12; | 7028 PRBool isTLS, isTLS12; |
6844 SECStatus rv; | 7029 SECStatus rv; |
6845 int errCode = SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH; | 7030 int errCode = SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH; |
6846 SSL3AlertDescription desc = illegal_parameter; | 7031 SSL3AlertDescription desc = illegal_parameter; |
6847 SSL3Hashes hashes; | 7032 SSL3Hashes hashes; |
6848 SECItem signature = {siBuffer, NULL, 0}; | 7033 SECItem signature = {siBuffer, NULL, 0}; |
6849 SSL3SignatureAndHashAlgorithm sigAndHash; | 7034 SSLSignatureAndHashAlg sigAndHash; |
6850 | 7035 |
6851 sigAndHash.hashAlg = SEC_OID_UNKNOWN; | 7036 sigAndHash.hashAlg = ssl_hash_none; |
6852 | 7037 |
6853 SSL_TRC(3, ("%d: SSL3[%d]: handle server_key_exchange handshake", | 7038 SSL_TRC(3, ("%d: SSL3[%d]: handle server_key_exchange handshake", |
6854 SSL_GETPID(), ss->fd)); | 7039 SSL_GETPID(), ss->fd)); |
6855 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 7040 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
6856 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 7041 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
6857 | 7042 |
6858 if (ss->ssl3.hs.ws != wait_server_key) { | 7043 if (ss->ssl3.hs.ws != wait_server_key) { |
6859 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH; | 7044 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH; |
6860 desc = unexpected_message; | 7045 desc = unexpected_message; |
6861 goto alert_loser; | 7046 goto alert_loser; |
6862 } | 7047 } |
6863 | 7048 |
6864 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); | 7049 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); |
6865 isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); | 7050 isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); |
6866 | 7051 |
6867 switch (ss->ssl3.hs.kea_def->exchKeyType) { | 7052 switch (ss->ssl3.hs.kea_def->exchKeyType) { |
6868 | 7053 |
6869 case kt_rsa: { | 7054 case kt_rsa: { |
6870 SECItem modulus = {siBuffer, NULL, 0}; | 7055 SECItem modulus = {siBuffer, NULL, 0}; |
6871 SECItem exponent = {siBuffer, NULL, 0}; | 7056 SECItem exponent = {siBuffer, NULL, 0}; |
6872 | 7057 |
6873 rv = ssl3_ConsumeHandshakeVariable(ss, &modulus, 2, &b, &length); | 7058 rv = ssl3_ConsumeHandshakeVariable(ss, &modulus, 2, &b, &length); |
6874 if (rv != SECSuccess) { | 7059 if (rv != SECSuccess) { |
6875 goto loser; /* malformed. */ | 7060 goto loser; /* malformed. */ |
6876 } | 7061 } |
| 7062 /* This exchange method is only used by export cipher suites. |
| 7063 * Those are broken and so this code will eventually be removed. */ |
| 7064 if (SECKEY_BigIntegerBitLength(&modulus) < 512) { |
| 7065 desc = isTLS ? insufficient_security : illegal_parameter; |
| 7066 goto alert_loser; |
| 7067 } |
6877 rv = ssl3_ConsumeHandshakeVariable(ss, &exponent, 2, &b, &length); | 7068 rv = ssl3_ConsumeHandshakeVariable(ss, &exponent, 2, &b, &length); |
6878 if (rv != SECSuccess) { | 7069 if (rv != SECSuccess) { |
6879 goto loser; /* malformed. */ | 7070 goto loser; /* malformed. */ |
6880 } | 7071 } |
6881 if (isTLS12) { | 7072 if (isTLS12) { |
6882 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length, | 7073 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length, |
6883 &sigAndHash); | 7074 &sigAndHash); |
6884 if (rv != SECSuccess) { | 7075 if (rv != SECSuccess) { |
6885 goto loser; /* malformed or unsupported. */ | 7076 goto loser; /* malformed or unsupported. */ |
6886 } | 7077 } |
6887 » rv = ssl3_CheckSignatureAndHashAlgorithmConsistency( | 7078 » rv = ssl3_CheckSignatureAndHashAlgorithmConsistency(ss, |
6888 &sigAndHash, ss->sec.peerCert); | 7079 &sigAndHash, ss->sec.peerCert); |
6889 if (rv != SECSuccess) { | 7080 if (rv != SECSuccess) { |
6890 goto loser; | 7081 goto loser; |
6891 } | 7082 } |
6892 } | 7083 } |
6893 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length); | 7084 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length); |
6894 if (rv != SECSuccess) { | 7085 if (rv != SECSuccess) { |
6895 goto loser; /* malformed. */ | 7086 goto loser; /* malformed. */ |
6896 } | 7087 } |
6897 if (length != 0) { | 7088 if (length != 0) { |
6898 if (isTLS) | 7089 if (isTLS) |
6899 desc = decode_error; | 7090 desc = decode_error; |
6900 goto alert_loser; /* malformed. */ | 7091 goto alert_loser; /* malformed. */ |
6901 } | 7092 } |
6902 | 7093 |
6903 /* failures after this point are not malformed handshakes. */ | 7094 /* failures after this point are not malformed handshakes. */ |
6904 /* TLS: send decrypt_error if signature failed. */ | 7095 /* TLS: send decrypt_error if signature failed. */ |
6905 desc = isTLS ? decrypt_error : handshake_failure; | 7096 desc = isTLS ? decrypt_error : handshake_failure; |
6906 | 7097 |
6907 /* | 7098 /* |
6908 * check to make sure the hash is signed by right guy | 7099 * check to make sure the hash is signed by right guy |
6909 */ | 7100 */ |
6910 » rv = ssl3_ComputeExportRSAKeyHash(sigAndHash.hashAlg, modulus, exponent, | 7101 rv = ssl3_ComputeExportRSAKeyHash(sigAndHash.hashAlg, modulus, exponent, |
6911 » » » » » &ss->ssl3.hs.client_random, | 7102 &ss->ssl3.hs.client_random, |
6912 » » » » » &ss->ssl3.hs.server_random, | 7103 &ss->ssl3.hs.server_random, |
6913 » » » » » &hashes, ss->opt.bypassPKCS11); | 7104 &hashes, ss->opt.bypassPKCS11); |
6914 if (rv != SECSuccess) { | 7105 if (rv != SECSuccess) { |
6915 errCode = | 7106 errCode = |
6916 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); | 7107 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); |
6917 goto alert_loser; | 7108 goto alert_loser; |
6918 } | 7109 } |
6919 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature, | 7110 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature, |
6920 isTLS, ss->pkcs11PinArg); | 7111 isTLS, ss->pkcs11PinArg); |
6921 if (rv != SECSuccess) { | 7112 if (rv != SECSuccess) { |
6922 errCode = | 7113 errCode = |
6923 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); | 7114 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); |
6924 goto alert_loser; | 7115 goto alert_loser; |
6925 } | 7116 } |
6926 | 7117 |
6927 /* | 7118 /* |
6928 * we really need to build a new key here because we can no longer | 7119 * we really need to build a new key here because we can no longer |
6929 * ignore calling SECKEY_DestroyPublicKey. Using the key may allocate | 7120 * ignore calling SECKEY_DestroyPublicKey. Using the key may allocate |
6930 * pkcs11 slots and ID's. | 7121 * pkcs11 slots and ID's. |
6931 */ | 7122 */ |
6932 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | 7123 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); |
6933 if (arena == NULL) { | 7124 if (arena == NULL) { |
6934 goto no_memory; | 7125 goto no_memory; |
6935 } | 7126 } |
6936 | 7127 |
6937 peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey); | 7128 peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey); |
6938 if (peerKey == NULL) { | 7129 if (peerKey == NULL) { |
6939 PORT_FreeArena(arena, PR_FALSE); | |
6940 goto no_memory; | 7130 goto no_memory; |
6941 } | 7131 } |
6942 | 7132 |
6943 peerKey->arena = arena; | 7133 peerKey->arena = arena; |
6944 peerKey->keyType = rsaKey; | 7134 peerKey->keyType = rsaKey; |
6945 peerKey->pkcs11Slot = NULL; | 7135 peerKey->pkcs11Slot = NULL; |
6946 peerKey->pkcs11ID = CK_INVALID_HANDLE; | 7136 peerKey->pkcs11ID = CK_INVALID_HANDLE; |
6947 if (SECITEM_CopyItem(arena, &peerKey->u.rsa.modulus, &modulus) || | 7137 if (SECITEM_CopyItem(arena, &peerKey->u.rsa.modulus, &modulus) || |
6948 SECITEM_CopyItem(arena, &peerKey->u.rsa.publicExponent, &exponent)) | 7138 SECITEM_CopyItem(arena, &peerKey->u.rsa.publicExponent, &exponent)) |
6949 { | 7139 { |
6950 PORT_FreeArena(arena, PR_FALSE); | |
6951 goto no_memory; | 7140 goto no_memory; |
6952 } | 7141 } |
6953 ss->sec.peerKey = peerKey; | 7142 ss->sec.peerKey = peerKey; |
6954 ss->ssl3.hs.ws = wait_cert_request; | 7143 ss->ssl3.hs.ws = wait_cert_request; |
6955 return SECSuccess; | 7144 return SECSuccess; |
6956 } | 7145 } |
6957 | 7146 |
6958 case kt_dh: { | 7147 case kt_dh: { |
6959 SECItem dh_p = {siBuffer, NULL, 0}; | 7148 SECItem dh_p = {siBuffer, NULL, 0}; |
6960 SECItem dh_g = {siBuffer, NULL, 0}; | 7149 SECItem dh_g = {siBuffer, NULL, 0}; |
6961 SECItem dh_Ys = {siBuffer, NULL, 0}; | 7150 SECItem dh_Ys = {siBuffer, NULL, 0}; |
| 7151 unsigned dh_p_bits; |
| 7152 unsigned dh_g_bits; |
| 7153 unsigned dh_Ys_bits; |
| 7154 PRInt32 minDH; |
6962 | 7155 |
6963 rv = ssl3_ConsumeHandshakeVariable(ss, &dh_p, 2, &b, &length); | 7156 rv = ssl3_ConsumeHandshakeVariable(ss, &dh_p, 2, &b, &length); |
6964 if (rv != SECSuccess) { | 7157 if (rv != SECSuccess) { |
6965 goto loser; /* malformed. */ | 7158 goto loser; /* malformed. */ |
6966 } | 7159 } |
6967 » if (dh_p.len < 1024/8 || | 7160 |
6968 » (dh_p.len == 1024/8 && (dh_p.data[0] & 0x80) == 0)) { | 7161 » rv = NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minDH); |
| 7162 » if (rv != SECSuccess) { |
| 7163 minDH = SSL_DH_MIN_P_BITS; |
| 7164 » } |
| 7165 dh_p_bits = SECKEY_BigIntegerBitLength(&dh_p); |
| 7166 if (dh_p_bits < minDH) { |
6969 errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY; | 7167 errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY; |
6970 goto alert_loser; | 7168 goto alert_loser; |
6971 } | 7169 } |
6972 rv = ssl3_ConsumeHandshakeVariable(ss, &dh_g, 2, &b, &length); | 7170 rv = ssl3_ConsumeHandshakeVariable(ss, &dh_g, 2, &b, &length); |
6973 if (rv != SECSuccess) { | 7171 if (rv != SECSuccess) { |
6974 goto loser; /* malformed. */ | 7172 goto loser; /* malformed. */ |
6975 } | 7173 } |
6976 » if (dh_g.len > dh_p.len || !ssl3_BigIntGreaterThanOne(&dh_g)) | 7174 /* Abort if dh_g is 0, 1, or obviously too big. */ |
| 7175 dh_g_bits = SECKEY_BigIntegerBitLength(&dh_g); |
| 7176 if (dh_g_bits > dh_p_bits || dh_g_bits <= 1) |
6977 goto alert_loser; | 7177 goto alert_loser; |
6978 rv = ssl3_ConsumeHandshakeVariable(ss, &dh_Ys, 2, &b, &length); | 7178 rv = ssl3_ConsumeHandshakeVariable(ss, &dh_Ys, 2, &b, &length); |
6979 if (rv != SECSuccess) { | 7179 if (rv != SECSuccess) { |
6980 goto loser; /* malformed. */ | 7180 goto loser; /* malformed. */ |
6981 } | 7181 } |
6982 » if (dh_Ys.len > dh_p.len || !ssl3_BigIntGreaterThanOne(&dh_Ys)) | 7182 dh_Ys_bits = SECKEY_BigIntegerBitLength(&dh_Ys); |
| 7183 if (dh_Ys_bits > dh_p_bits || dh_Ys_bits <= 1) |
6983 goto alert_loser; | 7184 goto alert_loser; |
6984 if (isTLS12) { | 7185 if (isTLS12) { |
6985 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length, | 7186 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length, |
6986 &sigAndHash); | 7187 &sigAndHash); |
6987 if (rv != SECSuccess) { | 7188 if (rv != SECSuccess) { |
6988 goto loser; /* malformed or unsupported. */ | 7189 goto loser; /* malformed or unsupported. */ |
6989 } | 7190 } |
6990 » rv = ssl3_CheckSignatureAndHashAlgorithmConsistency( | 7191 » rv = ssl3_CheckSignatureAndHashAlgorithmConsistency(ss, |
6991 &sigAndHash, ss->sec.peerCert); | 7192 &sigAndHash, ss->sec.peerCert); |
6992 if (rv != SECSuccess) { | 7193 if (rv != SECSuccess) { |
6993 goto loser; | 7194 goto loser; |
6994 } | 7195 } |
6995 } | 7196 } |
6996 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length); | 7197 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length); |
6997 if (rv != SECSuccess) { | 7198 if (rv != SECSuccess) { |
6998 goto loser; /* malformed. */ | 7199 goto loser; /* malformed. */ |
6999 } | 7200 } |
7000 if (length != 0) { | 7201 if (length != 0) { |
7001 if (isTLS) | 7202 if (isTLS) |
7002 desc = decode_error; | 7203 desc = decode_error; |
7003 goto alert_loser; /* malformed. */ | 7204 goto alert_loser; /* malformed. */ |
7004 } | 7205 } |
7005 | 7206 |
7006 PRINT_BUF(60, (NULL, "Server DH p", dh_p.data, dh_p.len)); | 7207 PRINT_BUF(60, (NULL, "Server DH p", dh_p.data, dh_p.len)); |
7007 PRINT_BUF(60, (NULL, "Server DH g", dh_g.data, dh_g.len)); | 7208 PRINT_BUF(60, (NULL, "Server DH g", dh_g.data, dh_g.len)); |
7008 PRINT_BUF(60, (NULL, "Server DH Ys", dh_Ys.data, dh_Ys.len)); | 7209 PRINT_BUF(60, (NULL, "Server DH Ys", dh_Ys.data, dh_Ys.len)); |
7009 | 7210 |
7010 /* failures after this point are not malformed handshakes. */ | 7211 /* failures after this point are not malformed handshakes. */ |
7011 /* TLS: send decrypt_error if signature failed. */ | 7212 /* TLS: send decrypt_error if signature failed. */ |
7012 desc = isTLS ? decrypt_error : handshake_failure; | 7213 desc = isTLS ? decrypt_error : handshake_failure; |
7013 | 7214 |
7014 /* | 7215 /* |
7015 * check to make sure the hash is signed by right guy | 7216 * check to make sure the hash is signed by right guy |
7016 */ | 7217 */ |
7017 » rv = ssl3_ComputeDHKeyHash(sigAndHash.hashAlg, dh_p, dh_g, dh_Ys, | 7218 rv = ssl3_ComputeDHKeyHash(sigAndHash.hashAlg, dh_p, dh_g, dh_Ys, |
7018 » » » » » &ss->ssl3.hs.client_random, | 7219 &ss->ssl3.hs.client_random, |
7019 » » » » » &ss->ssl3.hs.server_random, | 7220 &ss->ssl3.hs.server_random, |
7020 » » » » » &hashes, ss->opt.bypassPKCS11); | 7221 &hashes, ss->opt.bypassPKCS11); |
7021 if (rv != SECSuccess) { | 7222 if (rv != SECSuccess) { |
7022 errCode = | 7223 errCode = |
7023 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); | 7224 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); |
7024 goto alert_loser; | 7225 goto alert_loser; |
7025 } | 7226 } |
7026 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature, | 7227 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature, |
7027 isTLS, ss->pkcs11PinArg); | 7228 isTLS, ss->pkcs11PinArg); |
7028 if (rv != SECSuccess) { | 7229 if (rv != SECSuccess) { |
7029 errCode = | 7230 errCode = |
7030 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); | 7231 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); |
7031 goto alert_loser; | 7232 goto alert_loser; |
7032 } | 7233 } |
7033 | 7234 |
7034 /* | 7235 /* |
7035 * we really need to build a new key here because we can no longer | 7236 * we really need to build a new key here because we can no longer |
7036 * ignore calling SECKEY_DestroyPublicKey. Using the key may allocate | 7237 * ignore calling SECKEY_DestroyPublicKey. Using the key may allocate |
7037 * pkcs11 slots and ID's. | 7238 * pkcs11 slots and ID's. |
7038 */ | 7239 */ |
7039 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | 7240 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); |
7040 if (arena == NULL) { | 7241 if (arena == NULL) { |
7041 goto no_memory; | 7242 goto no_memory; |
7042 } | 7243 } |
7043 | 7244 |
7044 » ss->sec.peerKey = peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey); | 7245 » peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey); |
7045 if (peerKey == NULL) { | 7246 if (peerKey == NULL) { |
7046 goto no_memory; | 7247 goto no_memory; |
7047 } | 7248 } |
7048 | 7249 |
7049 peerKey->arena = arena; | 7250 peerKey->arena = arena; |
7050 peerKey->keyType = dhKey; | 7251 peerKey->keyType = dhKey; |
7051 peerKey->pkcs11Slot = NULL; | 7252 peerKey->pkcs11Slot = NULL; |
7052 peerKey->pkcs11ID = CK_INVALID_HANDLE; | 7253 peerKey->pkcs11ID = CK_INVALID_HANDLE; |
7053 | 7254 |
7054 if (SECITEM_CopyItem(arena, &peerKey->u.dh.prime, &dh_p) || | 7255 if (SECITEM_CopyItem(arena, &peerKey->u.dh.prime, &dh_p) || |
7055 SECITEM_CopyItem(arena, &peerKey->u.dh.base, &dh_g) || | 7256 SECITEM_CopyItem(arena, &peerKey->u.dh.base, &dh_g) || |
7056 SECITEM_CopyItem(arena, &peerKey->u.dh.publicValue, &dh_Ys)) | 7257 SECITEM_CopyItem(arena, &peerKey->u.dh.publicValue, &dh_Ys)) |
7057 { | 7258 { |
7058 PORT_FreeArena(arena, PR_FALSE); | |
7059 goto no_memory; | 7259 goto no_memory; |
7060 } | 7260 } |
7061 ss->sec.peerKey = peerKey; | 7261 ss->sec.peerKey = peerKey; |
7062 ss->ssl3.hs.ws = wait_cert_request; | 7262 ss->ssl3.hs.ws = wait_cert_request; |
7063 return SECSuccess; | 7263 return SECSuccess; |
7064 } | 7264 } |
7065 | 7265 |
7066 #ifndef NSS_DISABLE_ECC | 7266 #ifndef NSS_DISABLE_ECC |
7067 case kt_ecdh: | 7267 case kt_ecdh: |
7068 rv = ssl3_HandleECDHServerKeyExchange(ss, b, length); | 7268 rv = ssl3_HandleECDHServerKeyExchange(ss, b, length); |
7069 return rv; | 7269 return rv; |
7070 #endif /* NSS_DISABLE_ECC */ | 7270 #endif /* NSS_DISABLE_ECC */ |
7071 | 7271 |
7072 default: | 7272 default: |
7073 desc = handshake_failure; | 7273 desc = handshake_failure; |
7074 errCode = SEC_ERROR_UNSUPPORTED_KEYALG; | 7274 errCode = SEC_ERROR_UNSUPPORTED_KEYALG; |
7075 break; /* goto alert_loser; */ | 7275 break; /* goto alert_loser; */ |
7076 } | 7276 } |
7077 | 7277 |
7078 alert_loser: | 7278 alert_loser: |
7079 (void)SSL3_SendAlert(ss, alert_fatal, desc); | 7279 (void)SSL3_SendAlert(ss, alert_fatal, desc); |
7080 loser: | 7280 loser: |
| 7281 if (arena) { |
| 7282 PORT_FreeArena(arena, PR_FALSE); |
| 7283 } |
7081 PORT_SetError( errCode ); | 7284 PORT_SetError( errCode ); |
7082 return SECFailure; | 7285 return SECFailure; |
7083 | 7286 |
7084 no_memory: /* no-memory error has already been set. */ | 7287 no_memory: /* no-memory error has already been set. */ |
| 7288 if (arena) { |
| 7289 PORT_FreeArena(arena, PR_FALSE); |
| 7290 } |
7085 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); | 7291 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); |
7086 return SECFailure; | 7292 return SECFailure; |
7087 } | 7293 } |
7088 | 7294 |
7089 /* | 7295 /* |
7090 * Returns the TLS signature algorithm for the client authentication key and | 7296 * Returns the TLS signature algorithm for the client authentication key and |
7091 * whether it is an RSA or DSA key that may be able to sign only SHA-1 hashes. | 7297 * whether it is an RSA or DSA key that may be able to sign only SHA-1 hashes. |
7092 */ | 7298 */ |
7093 static SECStatus | 7299 static SECStatus |
7094 ssl3_ExtractClientKeyInfo(sslSocket *ss, | 7300 ssl3_ExtractClientKeyInfo(sslSocket *ss, |
7095 » » » TLSSignatureAlgorithm *sigAlg, | 7301 » » » SSLSignType *sigAlg, |
7096 PRBool *preferSha1) | 7302 PRBool *preferSha1) |
7097 { | 7303 { |
7098 SECStatus rv = SECSuccess; | 7304 SECStatus rv = SECSuccess; |
7099 SECKEYPublicKey *pubk; | 7305 SECKEYPublicKey *pubk; |
7100 | 7306 |
7101 pubk = CERT_ExtractPublicKey(ss->ssl3.clientCertificate); | 7307 pubk = CERT_ExtractPublicKey(ss->ssl3.clientCertificate); |
7102 if (pubk == NULL) { | 7308 if (pubk == NULL) { |
7103 rv = SECFailure; | 7309 rv = SECFailure; |
7104 goto done; | 7310 goto done; |
7105 } | 7311 } |
(...skipping 35 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
7141 | 7347 |
7142 /* Destroys the backup handshake hash context if we don't need it. Note that | 7348 /* Destroys the backup handshake hash context if we don't need it. Note that |
7143 * this function selects the hash algorithm for client authentication | 7349 * this function selects the hash algorithm for client authentication |
7144 * signatures; ssl3_SendCertificateVerify uses the presence of the backup hash | 7350 * signatures; ssl3_SendCertificateVerify uses the presence of the backup hash |
7145 * to determine whether to use SHA-1 or SHA-256. */ | 7351 * to determine whether to use SHA-1 or SHA-256. */ |
7146 static void | 7352 static void |
7147 ssl3_DestroyBackupHandshakeHashIfNotNeeded(sslSocket *ss, | 7353 ssl3_DestroyBackupHandshakeHashIfNotNeeded(sslSocket *ss, |
7148 const SECItem *algorithms) | 7354 const SECItem *algorithms) |
7149 { | 7355 { |
7150 SECStatus rv; | 7356 SECStatus rv; |
7151 TLSSignatureAlgorithm sigAlg; | 7357 SSLSignType sigAlg; |
7152 PRBool preferSha1; | 7358 PRBool preferSha1; |
7153 PRBool supportsSha1 = PR_FALSE; | 7359 PRBool supportsSha1 = PR_FALSE; |
7154 PRBool supportsSha256 = PR_FALSE; | 7360 PRBool supportsSha256 = PR_FALSE; |
7155 PRBool needBackupHash = PR_FALSE; | 7361 PRBool needBackupHash = PR_FALSE; |
7156 unsigned int i; | 7362 unsigned int i; |
7157 | 7363 |
7158 #ifndef NO_PKCS11_BYPASS | 7364 #ifndef NO_PKCS11_BYPASS |
7159 /* Backup handshake hash is not supported in PKCS #11 bypass mode. */ | 7365 /* Backup handshake hash is not supported in PKCS #11 bypass mode. */ |
7160 if (ss->opt.bypassPKCS11) { | 7366 if (ss->opt.bypassPKCS11) { |
7161 PORT_Assert(!ss->ssl3.hs.backupHash); | 7367 PORT_Assert(!ss->ssl3.hs.backupHash); |
7162 return; | 7368 return; |
7163 } | 7369 } |
7164 #endif | 7370 #endif |
7165 PORT_Assert(ss->ssl3.hs.backupHash); | 7371 PORT_Assert(ss->ssl3.hs.backupHash); |
7166 | 7372 |
7167 /* Determine the key's signature algorithm and whether it prefers SHA-1. */ | 7373 /* Determine the key's signature algorithm and whether it prefers SHA-1. */ |
7168 rv = ssl3_ExtractClientKeyInfo(ss, &sigAlg, &preferSha1); | 7374 rv = ssl3_ExtractClientKeyInfo(ss, &sigAlg, &preferSha1); |
7169 if (rv != SECSuccess) { | 7375 if (rv != SECSuccess) { |
7170 goto done; | 7376 goto done; |
7171 } | 7377 } |
7172 | 7378 |
7173 /* Determine the server's hash support for that signature algorithm. */ | 7379 /* Determine the server's hash support for that signature algorithm. */ |
7174 for (i = 0; i < algorithms->len; i += 2) { | 7380 for (i = 0; i < algorithms->len; i += 2) { |
7175 if (algorithms->data[i+1] == sigAlg) { | 7381 if (algorithms->data[i+1] == sigAlg) { |
7176 » if (algorithms->data[i] == tls_hash_sha1) { | 7382 » if (algorithms->data[i] == ssl_hash_sha1) { |
7177 supportsSha1 = PR_TRUE; | 7383 supportsSha1 = PR_TRUE; |
7178 » } else if (algorithms->data[i] == tls_hash_sha256) { | 7384 » } else if (algorithms->data[i] == ssl_hash_sha256) { |
7179 supportsSha256 = PR_TRUE; | 7385 supportsSha256 = PR_TRUE; |
7180 } | 7386 } |
7181 } | 7387 } |
7182 } | 7388 } |
7183 | 7389 |
7184 /* If either the server does not support SHA-256 or the client key prefers | 7390 /* If either the server does not support SHA-256 or the client key prefers |
7185 * SHA-1, leave the backup hash. */ | 7391 * SHA-1, leave the backup hash. */ |
7186 if (supportsSha1 && (preferSha1 || !supportsSha256)) { | 7392 if (supportsSha1 && (preferSha1 || !supportsSha256)) { |
7187 needBackupHash = PR_TRUE; | 7393 needBackupHash = PR_TRUE; |
7188 } | 7394 } |
(...skipping 138 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
7327 rv = (SECStatus)(*ss->getPlatformClientAuthData)( | 7533 rv = (SECStatus)(*ss->getPlatformClientAuthData)( |
7328 ss->getPlatformClientAuthDataArg, | 7534 ss->getPlatformClientAuthDataArg, |
7329 ss->fd, &ca_list, | 7535 ss->fd, &ca_list, |
7330 &platform_cert_list, | 7536 &platform_cert_list, |
7331 (void**)&ss->ssl3.platformClientKey, | 7537 (void**)&ss->ssl3.platformClientKey, |
7332 &ss->ssl3.clientCertificate, | 7538 &ss->ssl3.clientCertificate, |
7333 &ss->ssl3.clientPrivateKey); | 7539 &ss->ssl3.clientPrivateKey); |
7334 } else | 7540 } else |
7335 #endif | 7541 #endif |
7336 if (ss->getClientAuthData != NULL) { | 7542 if (ss->getClientAuthData != NULL) { |
| 7543 PORT_Assert((ss->ssl3.hs.preliminaryInfo & ssl_preinfo_all) == |
| 7544 ssl_preinfo_all); |
7337 /* XXX Should pass cert_types and algorithms in this call!! */ | 7545 /* XXX Should pass cert_types and algorithms in this call!! */ |
7338 rv = (SECStatus)(*ss->getClientAuthData)(ss->getClientAuthDataArg, | 7546 rv = (SECStatus)(*ss->getClientAuthData)(ss->getClientAuthDataArg, |
7339 ss->fd, &ca_list, | 7547 ss->fd, &ca_list, |
7340 &ss->ssl3.clientCertificate, | 7548 &ss->ssl3.clientCertificate, |
7341 &ss->ssl3.clientPrivateKey); | 7549 &ss->ssl3.clientPrivateKey); |
7342 } else { | 7550 } else { |
7343 rv = SECFailure; /* force it to send a no_certificate alert */ | 7551 rv = SECFailure; /* force it to send a no_certificate alert */ |
7344 } | 7552 } |
7345 | 7553 |
7346 switch (rv) { | 7554 switch (rv) { |
(...skipping 211 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
7558 * sufficiently strong that the attack can gain no advantage. | 7766 * sufficiently strong that the attack can gain no advantage. |
7559 * Therefore we always require an 80-bit cipher. */ | 7767 * Therefore we always require an 80-bit cipher. */ |
7560 ssl_GetSpecReadLock(ss); | 7768 ssl_GetSpecReadLock(ss); |
7561 maybeFalseStart = ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10; | 7769 maybeFalseStart = ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10; |
7562 ssl_ReleaseSpecReadLock(ss); | 7770 ssl_ReleaseSpecReadLock(ss); |
7563 | 7771 |
7564 if (!maybeFalseStart) { | 7772 if (!maybeFalseStart) { |
7565 SSL_TRC(3, ("%d: SSL[%d]: no false start due to weak cipher", | 7773 SSL_TRC(3, ("%d: SSL[%d]: no false start due to weak cipher", |
7566 SSL_GETPID(), ss->fd)); | 7774 SSL_GETPID(), ss->fd)); |
7567 } else { | 7775 } else { |
| 7776 PORT_Assert((ss->ssl3.hs.preliminaryInfo & ssl_preinfo_all) == |
| 7777 ssl_preinfo_all); |
7568 rv = (ss->canFalseStartCallback)(ss->fd, | 7778 rv = (ss->canFalseStartCallback)(ss->fd, |
7569 ss->canFalseStartCallbackData, | 7779 ss->canFalseStartCallbackData, |
7570 &ss->ssl3.hs.canFalseStart); | 7780 &ss->ssl3.hs.canFalseStart); |
7571 if (rv == SECSuccess) { | 7781 if (rv == SECSuccess) { |
7572 SSL_TRC(3, ("%d: SSL[%d]: false start callback returned %s", | 7782 SSL_TRC(3, ("%d: SSL[%d]: false start callback returned %s", |
7573 SSL_GETPID(), ss->fd, | 7783 SSL_GETPID(), ss->fd, |
7574 ss->ssl3.hs.canFalseStart ? "TRUE" : "FALSE")); | 7784 ss->ssl3.hs.canFalseStart ? "TRUE" : "FALSE")); |
7575 } else { | 7785 } else { |
7576 SSL_TRC(3, ("%d: SSL[%d]: false start callback failed (%s)", | 7786 SSL_TRC(3, ("%d: SSL[%d]: false start callback failed (%s)", |
7577 SSL_GETPID(), ss->fd, | 7787 SSL_GETPID(), ss->fd, |
(...skipping 338 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
7916 sid->addr = ss->sec.ci.peer; | 8126 sid->addr = ss->sec.ci.peer; |
7917 sid->port = ss->sec.ci.port; | 8127 sid->port = ss->sec.ci.port; |
7918 sid->references = 1; | 8128 sid->references = 1; |
7919 sid->cached = never_cached; | 8129 sid->cached = never_cached; |
7920 sid->version = ss->version; | 8130 sid->version = ss->version; |
7921 | 8131 |
7922 sid->u.ssl3.keys.resumable = PR_TRUE; | 8132 sid->u.ssl3.keys.resumable = PR_TRUE; |
7923 sid->u.ssl3.policy = SSL_ALLOWED; | 8133 sid->u.ssl3.policy = SSL_ALLOWED; |
7924 sid->u.ssl3.clientWriteKey = NULL; | 8134 sid->u.ssl3.clientWriteKey = NULL; |
7925 sid->u.ssl3.serverWriteKey = NULL; | 8135 sid->u.ssl3.serverWriteKey = NULL; |
| 8136 sid->u.ssl3.keys.extendedMasterSecretUsed = PR_FALSE; |
7926 | 8137 |
7927 if (is_server) { | 8138 if (is_server) { |
7928 SECStatus rv; | 8139 SECStatus rv; |
7929 int pid = SSL_GETPID(); | 8140 int pid = SSL_GETPID(); |
7930 | 8141 |
7931 sid->u.ssl3.sessionIDLength = SSL3_SESSIONID_BYTES; | 8142 sid->u.ssl3.sessionIDLength = SSL3_SESSIONID_BYTES; |
7932 sid->u.ssl3.sessionID[0] = (pid >> 8) & 0xff; | 8143 sid->u.ssl3.sessionID[0] = (pid >> 8) & 0xff; |
7933 sid->u.ssl3.sessionID[1] = pid & 0xff; | 8144 sid->u.ssl3.sessionID[1] = pid & 0xff; |
7934 rv = PK11_GenerateRandom(sid->u.ssl3.sessionID + 2, | 8145 rv = PK11_GenerateRandom(sid->u.ssl3.sessionID + 2, |
7935 SSL3_SESSIONID_BYTES -2); | 8146 SSL3_SESSIONID_BYTES -2); |
(...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
7968 return rv; /* error code is set. */ | 8179 return rv; /* error code is set. */ |
7969 } | 8180 } |
7970 /* We have to do this after the call to ssl3_SendServerHello, | 8181 /* We have to do this after the call to ssl3_SendServerHello, |
7971 * because kea_def is set up by ssl3_SendServerHello(). | 8182 * because kea_def is set up by ssl3_SendServerHello(). |
7972 */ | 8183 */ |
7973 kea_def = ss->ssl3.hs.kea_def; | 8184 kea_def = ss->ssl3.hs.kea_def; |
7974 ss->ssl3.hs.usedStepDownKey = PR_FALSE; | 8185 ss->ssl3.hs.usedStepDownKey = PR_FALSE; |
7975 | 8186 |
7976 if (kea_def->is_limited && kea_def->exchKeyType == kt_rsa) { | 8187 if (kea_def->is_limited && kea_def->exchKeyType == kt_rsa) { |
7977 /* see if we can legally use the key in the cert. */ | 8188 /* see if we can legally use the key in the cert. */ |
7978 » int keyLen; /* bytes */ | 8189 » unsigned int keyLen; /* bytes */ |
7979 | 8190 |
7980 keyLen = PK11_GetPrivateModulusLen( | 8191 keyLen = PK11_GetPrivateModulusLen( |
7981 ss->serverCerts[kea_def->exchKeyType].SERVERKEY); | 8192 ss->serverCerts[kea_def->exchKeyType].SERVERKEY); |
7982 | 8193 |
7983 if (keyLen > 0 && | 8194 if (keyLen > 0 && |
7984 keyLen * BPB <= kea_def->key_size_limit ) { | 8195 keyLen * BPB <= kea_def->key_size_limit ) { |
7985 /* XXX AND cert is not signing only!! */ | 8196 /* XXX AND cert is not signing only!! */ |
7986 /* just fall through and use it. */ | 8197 /* just fall through and use it. */ |
7987 } else if (ss->stepDownKeyPair != NULL) { | 8198 } else if (ss->stepDownKeyPair != NULL) { |
7988 ss->ssl3.hs.usedStepDownKey = PR_TRUE; | 8199 ss->ssl3.hs.usedStepDownKey = PR_TRUE; |
(...skipping 26 matching lines...) Expand all Loading... |
8015 } | 8226 } |
8016 | 8227 |
8017 ss->ssl3.hs.ws = (ss->opt.requestCertificate) ? wait_client_cert | 8228 ss->ssl3.hs.ws = (ss->opt.requestCertificate) ? wait_client_cert |
8018 : wait_client_key; | 8229 : wait_client_key; |
8019 return SECSuccess; | 8230 return SECSuccess; |
8020 } | 8231 } |
8021 | 8232 |
8022 /* An empty TLS Renegotiation Info (RI) extension */ | 8233 /* An empty TLS Renegotiation Info (RI) extension */ |
8023 static const PRUint8 emptyRIext[5] = {0xff, 0x01, 0x00, 0x01, 0x00}; | 8234 static const PRUint8 emptyRIext[5] = {0xff, 0x01, 0x00, 0x01, 0x00}; |
8024 | 8235 |
| 8236 static PRBool |
| 8237 ssl3_KEAAllowsSessionTicket(SSL3KeyExchangeAlgorithm kea) |
| 8238 { |
| 8239 switch (kea) { |
| 8240 case kea_dhe_dss: |
| 8241 case kea_dhe_dss_export: |
| 8242 case kea_dh_dss_export: |
| 8243 case kea_dh_dss: |
| 8244 /* TODO: Fix session tickets for DSS. The server code rejects the |
| 8245 * session ticket received from the client. Bug 1174677 */ |
| 8246 return PR_FALSE; |
| 8247 default: |
| 8248 return PR_TRUE; |
| 8249 }; |
| 8250 } |
| 8251 |
8025 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete | 8252 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete |
8026 * ssl3 Client Hello message. | 8253 * ssl3 Client Hello message. |
8027 * Caller must hold Handshake and RecvBuf locks. | 8254 * Caller must hold Handshake and RecvBuf locks. |
8028 */ | 8255 */ |
8029 static SECStatus | 8256 static SECStatus |
8030 ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) | 8257 ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
8031 { | 8258 { |
8032 sslSessionID * sid = NULL; | 8259 sslSessionID * sid = NULL; |
8033 PRInt32 tmp; | 8260 PRInt32 tmp; |
8034 unsigned int i; | 8261 unsigned int i; |
8035 int j; | 8262 int j; |
8036 SECStatus rv; | 8263 SECStatus rv; |
8037 int errCode = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO; | 8264 int errCode = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO; |
8038 SSL3AlertDescription desc = illegal_parameter; | 8265 SSL3AlertDescription desc = illegal_parameter; |
8039 SSL3AlertLevel level = alert_fatal; | 8266 SSL3AlertLevel level = alert_fatal; |
8040 SSL3ProtocolVersion version; | 8267 SSL3ProtocolVersion version; |
8041 SECItem sidBytes = {siBuffer, NULL, 0}; | 8268 SECItem sidBytes = {siBuffer, NULL, 0}; |
8042 SECItem cookieBytes = {siBuffer, NULL, 0}; | 8269 SECItem cookieBytes = {siBuffer, NULL, 0}; |
8043 SECItem suites = {siBuffer, NULL, 0}; | 8270 SECItem suites = {siBuffer, NULL, 0}; |
8044 SECItem comps = {siBuffer, NULL, 0}; | 8271 SECItem comps = {siBuffer, NULL, 0}; |
8045 PRBool haveSpecWriteLock = PR_FALSE; | 8272 PRBool haveSpecWriteLock = PR_FALSE; |
8046 PRBool haveXmitBufLock = PR_FALSE; | 8273 PRBool haveXmitBufLock = PR_FALSE; |
| 8274 PRBool canOfferSessionTicket = PR_FALSE; |
8047 | 8275 |
8048 SSL_TRC(3, ("%d: SSL3[%d]: handle client_hello handshake", | 8276 SSL_TRC(3, ("%d: SSL3[%d]: handle client_hello handshake", |
8049 SSL_GETPID(), ss->fd)); | 8277 SSL_GETPID(), ss->fd)); |
8050 | 8278 |
8051 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 8279 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
8052 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 8280 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
8053 PORT_Assert( ss->ssl3.initialized ); | 8281 PORT_Assert( ss->ssl3.initialized ); |
| 8282 ss->ssl3.hs.preliminaryInfo = 0; |
8054 | 8283 |
8055 if (!ss->sec.isServer || | 8284 if (!ss->sec.isServer || |
8056 (ss->ssl3.hs.ws != wait_client_hello && | 8285 (ss->ssl3.hs.ws != wait_client_hello && |
8057 ss->ssl3.hs.ws != idle_handshake)) { | 8286 ss->ssl3.hs.ws != idle_handshake)) { |
8058 desc = unexpected_message; | 8287 desc = unexpected_message; |
8059 errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO; | 8288 errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO; |
8060 goto alert_loser; | 8289 goto alert_loser; |
8061 } | 8290 } |
8062 if (ss->ssl3.hs.ws == idle_handshake && | 8291 if (ss->ssl3.hs.ws == idle_handshake && |
8063 ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) { | 8292 ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) { |
(...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
8109 ss->clientHelloVersion = version = (SSL3ProtocolVersion)tmp; | 8338 ss->clientHelloVersion = version = (SSL3ProtocolVersion)tmp; |
8110 } | 8339 } |
8111 | 8340 |
8112 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE); | 8341 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE); |
8113 if (rv != SECSuccess) { | 8342 if (rv != SECSuccess) { |
8114 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version | 8343 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version |
8115 : handshake_failure; | 8344 : handshake_failure; |
8116 errCode = SSL_ERROR_UNSUPPORTED_VERSION; | 8345 errCode = SSL_ERROR_UNSUPPORTED_VERSION; |
8117 goto alert_loser; | 8346 goto alert_loser; |
8118 } | 8347 } |
| 8348 ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_version; |
8119 | 8349 |
8120 rv = ssl3_InitHandshakeHashes(ss); | 8350 rv = ssl3_InitHandshakeHashes(ss); |
8121 if (rv != SECSuccess) { | 8351 if (rv != SECSuccess) { |
8122 desc = internal_error; | 8352 desc = internal_error; |
8123 errCode = PORT_GetError(); | 8353 errCode = PORT_GetError(); |
8124 goto alert_loser; | 8354 goto alert_loser; |
8125 } | 8355 } |
8126 | 8356 |
8127 /* grab the client random data. */ | 8357 /* grab the client random data. */ |
8128 rv = ssl3_ConsumeHandshake( | 8358 rv = ssl3_ConsumeHandshake( |
(...skipping 147 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
8276 * the extension and we are unable to do either a stateful or | 8506 * the extension and we are unable to do either a stateful or |
8277 * stateless resume. | 8507 * stateless resume. |
8278 * | 8508 * |
8279 * TODO: send a session ticket if performing a stateful | 8509 * TODO: send a session ticket if performing a stateful |
8280 * resumption. (As per RFC4507, a server may issue a session | 8510 * resumption. (As per RFC4507, a server may issue a session |
8281 * ticket while doing a (stateless or stateful) session resume, | 8511 * ticket while doing a (stateless or stateful) session resume, |
8282 * but OpenSSL-0.9.8g does not accept session tickets while | 8512 * but OpenSSL-0.9.8g does not accept session tickets while |
8283 * resuming.) | 8513 * resuming.) |
8284 */ | 8514 */ |
8285 if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn) && sid == NULL) { | 8515 if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn) && sid == NULL) { |
8286 » ssl3_RegisterServerHelloExtensionSender(ss, | 8516 » canOfferSessionTicket = PR_TRUE; |
8287 » ssl_session_ticket_xtn, ssl3_SendSessionTicketXtn); | |
8288 } | 8517 } |
8289 | 8518 |
8290 if (sid != NULL) { | 8519 if (sid != NULL) { |
8291 /* We've found a session cache entry for this client. | 8520 /* We've found a session cache entry for this client. |
8292 * Now, if we're going to require a client-auth cert, | 8521 * Now, if we're going to require a client-auth cert, |
8293 * and we don't already have this client's cert in the session cache, | 8522 * and we don't already have this client's cert in the session cache, |
8294 * and this is the first handshake on this connection (not a redo), | 8523 * and this is the first handshake on this connection (not a redo), |
8295 * then drop this old cache entry and start a new session. | 8524 * then drop this old cache entry and start a new session. |
8296 */ | 8525 */ |
8297 if ((sid->peerCert == NULL) && ss->opt.requestCertificate && | 8526 if ((sid->peerCert == NULL) && ss->opt.requestCertificate && |
(...skipping 62 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
8360 } | 8589 } |
8361 PORT_Assert(j > 0); | 8590 PORT_Assert(j > 0); |
8362 if (j <= 0) | 8591 if (j <= 0) |
8363 break; | 8592 break; |
8364 #ifdef PARANOID | 8593 #ifdef PARANOID |
8365 /* Double check that the cached cipher suite is still enabled, | 8594 /* Double check that the cached cipher suite is still enabled, |
8366 * implemented, and allowed by policy. Might have been disabled. | 8595 * implemented, and allowed by policy. Might have been disabled. |
8367 * The product policy won't change during the process lifetime. | 8596 * The product policy won't change during the process lifetime. |
8368 * Implemented ("isPresent") shouldn't change for servers. | 8597 * Implemented ("isPresent") shouldn't change for servers. |
8369 */ | 8598 */ |
8370 » if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) | 8599 » if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange, ss)) |
8371 break; | 8600 break; |
8372 #else | 8601 #else |
8373 if (!suite->enabled) | 8602 if (!suite->enabled) |
8374 break; | 8603 break; |
8375 #endif | 8604 #endif |
8376 /* Double check that the cached cipher suite is in the client's list */ | 8605 /* Double check that the cached cipher suite is in the client's list */ |
8377 for (i = 0; i + 1 < suites.len; i += 2) { | 8606 for (i = 0; i + 1 < suites.len; i += 2) { |
8378 PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1]; | 8607 PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1]; |
8379 if (suite_i == suite->cipher_suite) { | 8608 if (suite_i == suite->cipher_suite) { |
8380 ss->ssl3.hs.cipher_suite = suite->cipher_suite; | 8609 ss->ssl3.hs.cipher_suite = suite->cipher_suite; |
8381 ss->ssl3.hs.suite_def = | 8610 ss->ssl3.hs.suite_def = |
8382 ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite); | 8611 ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite); |
| 8612 ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_cipher_suite; |
8383 | 8613 |
8384 /* Use the cached compression method. */ | 8614 /* Use the cached compression method. */ |
8385 ss->ssl3.hs.compression = sid->u.ssl3.compression; | 8615 ss->ssl3.hs.compression = sid->u.ssl3.compression; |
8386 goto compression_found; | 8616 goto compression_found; |
8387 } | 8617 } |
8388 } | 8618 } |
8389 } while (0); | 8619 } while (0); |
8390 | 8620 |
8391 /* START A NEW SESSION */ | 8621 /* START A NEW SESSION */ |
8392 | 8622 |
(...skipping 16 matching lines...) Expand all Loading... |
8409 ** 1.0 and selecting one of those export cipher suites. However, a secure | 8639 ** 1.0 and selecting one of those export cipher suites. However, a secure |
8410 ** TLS 1.1 client should not have export cipher suites enabled at all, | 8640 ** TLS 1.1 client should not have export cipher suites enabled at all, |
8411 ** and a TLS 1.1 client should definitely not be offering *only* export | 8641 ** and a TLS 1.1 client should definitely not be offering *only* export |
8412 ** cipher suites. Therefore, we refuse to negotiate export cipher suites | 8642 ** cipher suites. Therefore, we refuse to negotiate export cipher suites |
8413 ** with any client that indicates support for TLS 1.1 or higher when we | 8643 ** with any client that indicates support for TLS 1.1 or higher when we |
8414 ** (the server) have TLS 1.1 support enabled. | 8644 ** (the server) have TLS 1.1 support enabled. |
8415 */ | 8645 */ |
8416 for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) { | 8646 for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) { |
8417 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j]; | 8647 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j]; |
8418 SSLVersionRange vrange = {ss->version, ss->version}; | 8648 SSLVersionRange vrange = {ss->version, ss->version}; |
8419 » if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) { | 8649 » if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange, ss)) { |
8420 continue; | 8650 continue; |
8421 } | 8651 } |
8422 for (i = 0; i + 1 < suites.len; i += 2) { | 8652 for (i = 0; i + 1 < suites.len; i += 2) { |
8423 PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1]; | 8653 PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1]; |
8424 if (suite_i == suite->cipher_suite) { | 8654 if (suite_i == suite->cipher_suite) { |
8425 ss->ssl3.hs.cipher_suite = suite->cipher_suite; | 8655 ss->ssl3.hs.cipher_suite = suite->cipher_suite; |
8426 ss->ssl3.hs.suite_def = | 8656 ss->ssl3.hs.suite_def = |
8427 ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite); | 8657 ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite); |
| 8658 ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_cipher_suite; |
8428 goto suite_found; | 8659 goto suite_found; |
8429 } | 8660 } |
8430 } | 8661 } |
8431 } | 8662 } |
8432 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; | 8663 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; |
8433 goto alert_loser; | 8664 goto alert_loser; |
8434 | 8665 |
8435 suite_found: | 8666 suite_found: |
| 8667 if (canOfferSessionTicket) |
| 8668 canOfferSessionTicket = ssl3_KEAAllowsSessionTicket( |
| 8669 ss->ssl3.hs.suite_def->key_exchange_alg); |
| 8670 |
| 8671 if (canOfferSessionTicket) { |
| 8672 ssl3_RegisterServerHelloExtensionSender(ss, |
| 8673 ssl_session_ticket_xtn, ssl3_SendSessionTicketXtn); |
| 8674 } |
| 8675 |
8436 /* Select a compression algorithm. */ | 8676 /* Select a compression algorithm. */ |
8437 for (i = 0; i < comps.len; i++) { | 8677 for (i = 0; i < comps.len; i++) { |
8438 if (!compressionEnabled(ss, comps.data[i])) | 8678 if (!compressionEnabled(ss, comps.data[i])) |
8439 continue; | 8679 continue; |
8440 for (j = 0; j < compressionMethodsCount; j++) { | 8680 for (j = 0; j < compressionMethodsCount; j++) { |
8441 if (comps.data[i] == compressions[j]) { | 8681 if (comps.data[i] == compressions[j]) { |
8442 ss->ssl3.hs.compression = | 8682 ss->ssl3.hs.compression = |
8443 (SSLCompressionMethod)compressions[j]; | 8683 (SSLCompressionMethod)compressions[j]; |
8444 goto compression_found; | 8684 goto compression_found; |
8445 } | 8685 } |
8446 } | 8686 } |
8447 } | 8687 } |
8448 errCode = SSL_ERROR_NO_COMPRESSION_OVERLAP; | 8688 errCode = SSL_ERROR_NO_COMPRESSION_OVERLAP; |
8449 /* null compression must be supported */ | 8689 /* null compression must be supported */ |
8450 goto alert_loser; | 8690 goto alert_loser; |
8451 | 8691 |
8452 compression_found: | 8692 compression_found: |
8453 suites.data = NULL; | 8693 suites.data = NULL; |
8454 comps.data = NULL; | 8694 comps.data = NULL; |
8455 | 8695 |
8456 ss->sec.send = ssl3_SendApplicationData; | 8696 ss->sec.send = ssl3_SendApplicationData; |
8457 | 8697 |
8458 /* If there are any failures while processing the old sid, | 8698 /* If there are any failures while processing the old sid, |
8459 * we don't consider them to be errors. Instead, We just behave | 8699 * we don't consider them to be errors. Instead, We just behave |
8460 * as if the client had sent us no sid to begin with, and make a new one. | 8700 * as if the client had sent us no sid to begin with, and make a new one. |
| 8701 * The exception here is attempts to resume extended_master_secret |
| 8702 * sessions without the extension, which causes an alert. |
8461 */ | 8703 */ |
8462 if (sid != NULL) do { | 8704 if (sid != NULL) do { |
8463 ssl3CipherSpec *pwSpec; | 8705 ssl3CipherSpec *pwSpec; |
8464 SECItem wrappedMS; /* wrapped key */ | 8706 SECItem wrappedMS; /* wrapped key */ |
8465 | 8707 |
8466 if (sid->version != ss->version || | 8708 if (sid->version != ss->version || |
8467 sid->u.ssl3.cipherSuite != ss->ssl3.hs.cipher_suite || | 8709 sid->u.ssl3.cipherSuite != ss->ssl3.hs.cipher_suite || |
8468 sid->u.ssl3.compression != ss->ssl3.hs.compression) { | 8710 sid->u.ssl3.compression != ss->ssl3.hs.compression) { |
8469 break; /* not an error */ | 8711 break; /* not an error */ |
8470 } | 8712 } |
8471 | 8713 |
| 8714 /* [draft-ietf-tls-session-hash-06; Section 5.3] |
| 8715 * o If the original session did not use the "extended_master_secret" |
| 8716 * extension but the new ClientHello contains the extension, then the |
| 8717 * server MUST NOT perform the abbreviated handshake. Instead, it |
| 8718 * SHOULD continue with a full handshake (as described in |
| 8719 * Section 5.2) to negotiate a new session. |
| 8720 * |
| 8721 * o If the original session used the "extended_master_secret" |
| 8722 * extension but the new ClientHello does not contain the extension, |
| 8723 * the server MUST abort the abbreviated handshake. |
| 8724 */ |
| 8725 if (ssl3_ExtensionNegotiated(ss, ssl_extended_master_secret_xtn)) { |
| 8726 if (!sid->u.ssl3.keys.extendedMasterSecretUsed) { |
| 8727 break; /* not an error */ |
| 8728 } |
| 8729 } else { |
| 8730 if (sid->u.ssl3.keys.extendedMasterSecretUsed) { |
| 8731 /* Note: we do not destroy the session */ |
| 8732 desc = handshake_failure; |
| 8733 errCode = SSL_ERROR_MISSING_EXTENDED_MASTER_SECRET; |
| 8734 goto alert_loser; |
| 8735 } |
| 8736 } |
| 8737 |
8472 if (ss->sec.ci.sid) { | 8738 if (ss->sec.ci.sid) { |
8473 if (ss->sec.uncache) | 8739 if (ss->sec.uncache) |
8474 ss->sec.uncache(ss->sec.ci.sid); | 8740 ss->sec.uncache(ss->sec.ci.sid); |
8475 PORT_Assert(ss->sec.ci.sid != sid); /* should be impossible, but ..
. */ | 8741 PORT_Assert(ss->sec.ci.sid != sid); /* should be impossible, but ..
. */ |
8476 if (ss->sec.ci.sid != sid) { | 8742 if (ss->sec.ci.sid != sid) { |
8477 ssl_FreeSID(ss->sec.ci.sid); | 8743 ssl_FreeSID(ss->sec.ci.sid); |
8478 } | 8744 } |
8479 ss->sec.ci.sid = NULL; | 8745 ss->sec.ci.sid = NULL; |
8480 } | 8746 } |
8481 /* we need to resurrect the master secret.... */ | 8747 /* we need to resurrect the master secret.... */ |
(...skipping 121 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
8603 if (rv != SECSuccess) { | 8869 if (rv != SECSuccess) { |
8604 errCode = PORT_GetError(); | 8870 errCode = PORT_GetError(); |
8605 goto loser; | 8871 goto loser; |
8606 } | 8872 } |
8607 | 8873 |
8608 if (haveSpecWriteLock) { | 8874 if (haveSpecWriteLock) { |
8609 ssl_ReleaseSpecWriteLock(ss); | 8875 ssl_ReleaseSpecWriteLock(ss); |
8610 haveSpecWriteLock = PR_FALSE; | 8876 haveSpecWriteLock = PR_FALSE; |
8611 } | 8877 } |
8612 | 8878 |
8613 » /* NULL value for PMS signifies re-use of the old MS */ | 8879 » /* NULL value for PMS because we are re-using the old MS */ |
8614 rv = ssl3_InitPendingCipherSpec(ss, NULL); | 8880 rv = ssl3_InitPendingCipherSpec(ss, NULL); |
8615 if (rv != SECSuccess) { | 8881 if (rv != SECSuccess) { |
8616 errCode = PORT_GetError(); | 8882 errCode = PORT_GetError(); |
8617 goto loser; | 8883 goto loser; |
8618 } | 8884 } |
8619 | 8885 |
8620 rv = ssl3_SendChangeCipherSpecs(ss); | 8886 rv = ssl3_SendChangeCipherSpecs(ss); |
8621 if (rv != SECSuccess) { | 8887 if (rv != SECSuccess) { |
8622 errCode = PORT_GetError(); | 8888 errCode = PORT_GetError(); |
8623 goto loser; | 8889 goto loser; |
(...skipping 23 matching lines...) Expand all Loading... |
8647 if (ss->sec.uncache) | 8913 if (ss->sec.uncache) |
8648 ss->sec.uncache(sid); | 8914 ss->sec.uncache(sid); |
8649 ssl_FreeSID(sid); | 8915 ssl_FreeSID(sid); |
8650 sid = NULL; | 8916 sid = NULL; |
8651 } | 8917 } |
8652 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_misses ); | 8918 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_misses ); |
8653 | 8919 |
8654 if (ssl3_ExtensionNegotiated(ss, ssl_server_name_xtn)) { | 8920 if (ssl3_ExtensionNegotiated(ss, ssl_server_name_xtn)) { |
8655 int ret = 0; | 8921 int ret = 0; |
8656 if (ss->sniSocketConfig) do { /* not a loop */ | 8922 if (ss->sniSocketConfig) do { /* not a loop */ |
| 8923 PORT_Assert((ss->ssl3.hs.preliminaryInfo & ssl_preinfo_all) == |
| 8924 ssl_preinfo_all); |
| 8925 |
8657 ret = SSL_SNI_SEND_ALERT; | 8926 ret = SSL_SNI_SEND_ALERT; |
8658 /* If extension is negotiated, the len of names should > 0. */ | 8927 /* If extension is negotiated, the len of names should > 0. */ |
8659 if (ss->xtnData.sniNameArrSize) { | 8928 if (ss->xtnData.sniNameArrSize) { |
8660 /* Calling client callback to reconfigure the socket. */ | 8929 /* Calling client callback to reconfigure the socket. */ |
8661 ret = (SECStatus)(*ss->sniSocketConfig)(ss->fd, | 8930 ret = (SECStatus)(*ss->sniSocketConfig)(ss->fd, |
8662 ss->xtnData.sniNameArr, | 8931 ss->xtnData.sniNameArr, |
8663 ss->xtnData.sniNameArrSize, | 8932 ss->xtnData.sniNameArrSize, |
8664 ss->sniSocketConfigArg); | 8933 ss->sniSocketConfigArg); |
8665 } | 8934 } |
8666 if (ret <= SSL_SNI_SEND_ALERT) { | 8935 if (ret <= SSL_SNI_SEND_ALERT) { |
(...skipping 27 matching lines...) Expand all Loading... |
8694 if (cwsName->data) { | 8963 if (cwsName->data) { |
8695 rv = SECITEM_CopyItem(NULL, pwsName, cwsName); | 8964 rv = SECITEM_CopyItem(NULL, pwsName, cwsName); |
8696 } | 8965 } |
8697 ssl_ReleaseSpecWriteLock(ss); /**************************/ | 8966 ssl_ReleaseSpecWriteLock(ss); /**************************/ |
8698 if (rv != SECSuccess) { | 8967 if (rv != SECSuccess) { |
8699 errCode = SSL_ERROR_INTERNAL_ERROR_ALERT; | 8968 errCode = SSL_ERROR_INTERNAL_ERROR_ALERT; |
8700 desc = internal_error; | 8969 desc = internal_error; |
8701 ret = SSL_SNI_SEND_ALERT; | 8970 ret = SSL_SNI_SEND_ALERT; |
8702 break; | 8971 break; |
8703 } | 8972 } |
8704 } else if (ret < ss->xtnData.sniNameArrSize) { | 8973 } else if ((unsigned int)ret < ss->xtnData.sniNameArrSize) { |
8705 /* Application has configured new socket info. Lets check it | 8974 /* Application has configured new socket info. Lets check it |
8706 * and save the name. */ | 8975 * and save the name. */ |
8707 SECStatus rv; | 8976 SECStatus rv; |
8708 SECItem * name = &ss->xtnData.sniNameArr[ret]; | 8977 SECItem * name = &ss->xtnData.sniNameArr[ret]; |
8709 int configedCiphers; | 8978 int configedCiphers; |
8710 SECItem * pwsName; | 8979 SECItem * pwsName; |
8711 | 8980 |
8712 /* get rid of the old name and save the newly picked. */ | 8981 /* get rid of the old name and save the newly picked. */ |
8713 /* This code is protected by ssl3HandshakeLock. */ | 8982 /* This code is protected by ssl3HandshakeLock. */ |
8714 ssl_GetSpecWriteLock(ss); /*******************************/ | 8983 ssl_GetSpecWriteLock(ss); /*******************************/ |
(...skipping 30 matching lines...) Expand all Loading... |
8745 ret = SSL_SNI_SEND_ALERT; | 9014 ret = SSL_SNI_SEND_ALERT; |
8746 break; | 9015 break; |
8747 } | 9016 } |
8748 /* Need to tell the client that application has picked | 9017 /* Need to tell the client that application has picked |
8749 * the name from the offered list and reconfigured the socket. | 9018 * the name from the offered list and reconfigured the socket. |
8750 */ | 9019 */ |
8751 ssl3_RegisterServerHelloExtensionSender(ss, ssl_server_name_xtn, | 9020 ssl3_RegisterServerHelloExtensionSender(ss, ssl_server_name_xtn, |
8752 ssl3_SendServerNameXtn); | 9021 ssl3_SendServerNameXtn); |
8753 } else { | 9022 } else { |
8754 /* Callback returned index outside of the boundary. */ | 9023 /* Callback returned index outside of the boundary. */ |
8755 PORT_Assert(ret < ss->xtnData.sniNameArrSize); | 9024 PORT_Assert((unsigned int)ret < ss->xtnData.sniNameArrSize); |
8756 errCode = SSL_ERROR_INTERNAL_ERROR_ALERT; | 9025 errCode = SSL_ERROR_INTERNAL_ERROR_ALERT; |
8757 desc = internal_error; | 9026 desc = internal_error; |
8758 ret = SSL_SNI_SEND_ALERT; | 9027 ret = SSL_SNI_SEND_ALERT; |
8759 break; | 9028 break; |
8760 } | 9029 } |
8761 } while (0); | 9030 } while (0); |
8762 /* Free sniNameArr. The data that each SECItem in the array | 9031 /* Free sniNameArr. The data that each SECItem in the array |
8763 * points into is the data from the input buffer "b". It will | 9032 * points into is the data from the input buffer "b". It will |
8764 * not be available outside the scope of this or it's child | 9033 * not be available outside the scope of this or it's child |
8765 * functions.*/ | 9034 * functions.*/ |
(...skipping 25 matching lines...) Expand all Loading... |
8791 } | 9060 } |
8792 #endif | 9061 #endif |
8793 | 9062 |
8794 sid = ssl3_NewSessionID(ss, PR_TRUE); | 9063 sid = ssl3_NewSessionID(ss, PR_TRUE); |
8795 if (sid == NULL) { | 9064 if (sid == NULL) { |
8796 errCode = PORT_GetError(); | 9065 errCode = PORT_GetError(); |
8797 goto loser; /* memory error is set. */ | 9066 goto loser; /* memory error is set. */ |
8798 } | 9067 } |
8799 ss->sec.ci.sid = sid; | 9068 ss->sec.ci.sid = sid; |
8800 | 9069 |
| 9070 sid->u.ssl3.keys.extendedMasterSecretUsed = |
| 9071 ssl3_ExtensionNegotiated(ss, ssl_extended_master_secret_xtn); |
8801 ss->ssl3.hs.isResuming = PR_FALSE; | 9072 ss->ssl3.hs.isResuming = PR_FALSE; |
8802 ssl_GetXmitBufLock(ss); | 9073 ssl_GetXmitBufLock(ss); |
8803 rv = ssl3_SendServerHelloSequence(ss); | 9074 rv = ssl3_SendServerHelloSequence(ss); |
8804 ssl_ReleaseXmitBufLock(ss); | 9075 ssl_ReleaseXmitBufLock(ss); |
8805 if (rv != SECSuccess) { | 9076 if (rv != SECSuccess) { |
8806 » errCode = PORT_GetError(); | 9077 errCode = PORT_GetError(); |
8807 » goto loser; | 9078 desc = handshake_failure; |
| 9079 goto alert_loser; |
8808 } | 9080 } |
8809 | 9081 |
8810 if (haveXmitBufLock) { | 9082 if (haveXmitBufLock) { |
8811 ssl_ReleaseXmitBufLock(ss); | 9083 ssl_ReleaseXmitBufLock(ss); |
8812 haveXmitBufLock = PR_FALSE; | 9084 haveXmitBufLock = PR_FALSE; |
8813 } | 9085 } |
8814 | 9086 |
8815 return SECSuccess; | 9087 return SECSuccess; |
8816 | 9088 |
8817 alert_loser: | 9089 alert_loser: |
(...skipping 71 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
8889 ss->clientHelloVersion = version; | 9161 ss->clientHelloVersion = version; |
8890 | 9162 |
8891 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE); | 9163 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE); |
8892 if (rv != SECSuccess) { | 9164 if (rv != SECSuccess) { |
8893 /* send back which ever alert client will understand. */ | 9165 /* send back which ever alert client will understand. */ |
8894 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version | 9166 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version |
8895 : handshake_failure; | 9167 : handshake_failure; |
8896 errCode = SSL_ERROR_UNSUPPORTED_VERSION; | 9168 errCode = SSL_ERROR_UNSUPPORTED_VERSION; |
8897 goto alert_loser; | 9169 goto alert_loser; |
8898 } | 9170 } |
| 9171 ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_version; |
8899 | 9172 |
8900 rv = ssl3_InitHandshakeHashes(ss); | 9173 rv = ssl3_InitHandshakeHashes(ss); |
8901 if (rv != SECSuccess) { | 9174 if (rv != SECSuccess) { |
8902 desc = internal_error; | 9175 desc = internal_error; |
8903 errCode = PORT_GetError(); | 9176 errCode = PORT_GetError(); |
8904 goto alert_loser; | 9177 goto alert_loser; |
8905 } | 9178 } |
8906 | 9179 |
8907 /* if we get a non-zero SID, just ignore it. */ | 9180 /* if we get a non-zero SID, just ignore it. */ |
8908 if (length != | 9181 if (length != |
(...skipping 35 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
8944 /* Select a cipher suite. | 9217 /* Select a cipher suite. |
8945 ** | 9218 ** |
8946 ** NOTE: This suite selection algorithm should be the same as the one in | 9219 ** NOTE: This suite selection algorithm should be the same as the one in |
8947 ** ssl3_HandleClientHello(). | 9220 ** ssl3_HandleClientHello(). |
8948 ** | 9221 ** |
8949 ** See the comments about export cipher suites in ssl3_HandleClientHello(). | 9222 ** See the comments about export cipher suites in ssl3_HandleClientHello(). |
8950 */ | 9223 */ |
8951 for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) { | 9224 for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) { |
8952 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j]; | 9225 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j]; |
8953 SSLVersionRange vrange = {ss->version, ss->version}; | 9226 SSLVersionRange vrange = {ss->version, ss->version}; |
8954 » if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) { | 9227 » if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange, ss)) { |
8955 continue; | 9228 continue; |
8956 } | 9229 } |
8957 for (i = 0; i+2 < suite_length; i += 3) { | 9230 for (i = 0; i+2 < suite_length; i += 3) { |
8958 PRUint32 suite_i = (suites[i] << 16)|(suites[i+1] << 8)|suites[i+2]; | 9231 PRUint32 suite_i = (suites[i] << 16)|(suites[i+1] << 8)|suites[i+2]; |
8959 if (suite_i == suite->cipher_suite) { | 9232 if (suite_i == suite->cipher_suite) { |
8960 ss->ssl3.hs.cipher_suite = suite->cipher_suite; | 9233 ss->ssl3.hs.cipher_suite = suite->cipher_suite; |
8961 ss->ssl3.hs.suite_def = | 9234 ss->ssl3.hs.suite_def = |
8962 ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite); | 9235 ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite); |
| 9236 ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_cipher_suite; |
8963 goto suite_found; | 9237 goto suite_found; |
8964 } | 9238 } |
8965 } | 9239 } |
8966 } | 9240 } |
8967 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; | 9241 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; |
8968 goto alert_loser; | 9242 goto alert_loser; |
8969 | 9243 |
8970 suite_found: | 9244 suite_found: |
8971 | 9245 |
8972 /* Look for the SCSV, and if found, treat it just like an empty RI | 9246 /* Look for the SCSV, and if found, treat it just like an empty RI |
(...skipping 170 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
9143 } | 9417 } |
9144 } | 9418 } |
9145 rv = ssl3_SetupPendingCipherSpec(ss); | 9419 rv = ssl3_SetupPendingCipherSpec(ss); |
9146 if (rv != SECSuccess) { | 9420 if (rv != SECSuccess) { |
9147 return rv; /* err set by ssl3_SetupPendingCipherSpec */ | 9421 return rv; /* err set by ssl3_SetupPendingCipherSpec */ |
9148 } | 9422 } |
9149 | 9423 |
9150 return SECSuccess; | 9424 return SECSuccess; |
9151 } | 9425 } |
9152 | 9426 |
| 9427 static SECStatus |
| 9428 ssl3_PickSignatureHashAlgorithm(sslSocket *ss, |
| 9429 SSLSignatureAndHashAlg* out); |
| 9430 |
| 9431 static SECStatus |
| 9432 ssl3_SendDHServerKeyExchange(sslSocket *ss) |
| 9433 { |
| 9434 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; |
| 9435 SECStatus rv = SECFailure; |
| 9436 int length; |
| 9437 PRBool isTLS; |
| 9438 SECItem signed_hash = {siBuffer, NULL, 0}; |
| 9439 SSL3Hashes hashes; |
| 9440 SSLSignatureAndHashAlg sigAndHash; |
| 9441 SECKEYDHParams dhParam; |
| 9442 |
| 9443 ssl3KeyPair *keyPair = NULL; |
| 9444 SECKEYPublicKey *pubKey = NULL; /* Ephemeral DH key */ |
| 9445 SECKEYPrivateKey *privKey = NULL; /* Ephemeral DH key */ |
| 9446 int certIndex = -1; |
| 9447 |
| 9448 if (kea_def->kea != kea_dhe_dss && kea_def->kea != kea_dhe_rsa) { |
| 9449 /* TODO: Support DH_anon. It might be sufficient to drop the signature. |
| 9450 See bug 1170510. */ |
| 9451 PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); |
| 9452 return SECFailure; |
| 9453 } |
| 9454 |
| 9455 dhParam.prime.data = ss->dheParams->prime.data; |
| 9456 dhParam.prime.len = ss->dheParams->prime.len; |
| 9457 dhParam.base.data = ss->dheParams->base.data; |
| 9458 dhParam.base.len = ss->dheParams->base.len; |
| 9459 |
| 9460 PRINT_BUF(60, (NULL, "Server DH p", dhParam.prime.data, |
| 9461 dhParam.prime.len)); |
| 9462 PRINT_BUF(60, (NULL, "Server DH g", dhParam.base.data, |
| 9463 dhParam.base.len)); |
| 9464 |
| 9465 /* Generate ephemeral DH keypair */ |
| 9466 privKey = SECKEY_CreateDHPrivateKey(&dhParam, &pubKey, NULL); |
| 9467 if (!privKey || !pubKey) { |
| 9468 ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL); |
| 9469 rv = SECFailure; |
| 9470 goto loser; |
| 9471 } |
| 9472 |
| 9473 keyPair = ssl3_NewKeyPair(privKey, pubKey); |
| 9474 if (!keyPair) { |
| 9475 ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL); |
| 9476 goto loser; |
| 9477 } |
| 9478 |
| 9479 PRINT_BUF(50, (ss, "DH public value:", |
| 9480 pubKey->u.dh.publicValue.data, |
| 9481 pubKey->u.dh.publicValue.len)); |
| 9482 |
| 9483 if (ssl3_PickSignatureHashAlgorithm(ss, &sigAndHash) != SECSuccess) { |
| 9484 ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL); |
| 9485 goto loser; |
| 9486 } |
| 9487 |
| 9488 rv = ssl3_ComputeDHKeyHash(sigAndHash.hashAlg, |
| 9489 pubKey->u.dh.prime, |
| 9490 pubKey->u.dh.base, |
| 9491 pubKey->u.dh.publicValue, |
| 9492 &ss->ssl3.hs.client_random, |
| 9493 &ss->ssl3.hs.server_random, |
| 9494 &hashes, ss->opt.bypassPKCS11); |
| 9495 if (rv != SECSuccess) { |
| 9496 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); |
| 9497 goto loser; |
| 9498 } |
| 9499 |
| 9500 /* It has been suggested to test kea_def->signKeyType instead, and to use |
| 9501 * ssl_auth_* instead. Investigate what to do. See bug 102794. */ |
| 9502 if (kea_def->kea == kea_dhe_rsa) |
| 9503 certIndex = ssl_kea_rsa; |
| 9504 else |
| 9505 certIndex = ssl_kea_dh; |
| 9506 |
| 9507 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); |
| 9508 rv = ssl3_SignHashes(&hashes, ss->serverCerts[certIndex].SERVERKEY, |
| 9509 &signed_hash, isTLS); |
| 9510 if (rv != SECSuccess) { |
| 9511 goto loser; /* ssl3_SignHashes has set err. */ |
| 9512 } |
| 9513 if (signed_hash.data == NULL) { |
| 9514 PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); |
| 9515 goto loser; |
| 9516 } |
| 9517 length = 2 + pubKey->u.dh.prime.len + |
| 9518 2 + pubKey->u.dh.base.len + |
| 9519 2 + pubKey->u.dh.publicValue.len + |
| 9520 2 + signed_hash.len; |
| 9521 |
| 9522 if (ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2) { |
| 9523 length += 2; |
| 9524 } |
| 9525 |
| 9526 rv = ssl3_AppendHandshakeHeader(ss, server_key_exchange, length); |
| 9527 if (rv != SECSuccess) { |
| 9528 goto loser; /* err set by AppendHandshake. */ |
| 9529 } |
| 9530 |
| 9531 rv = ssl3_AppendHandshakeVariable(ss, pubKey->u.dh.prime.data, |
| 9532 pubKey->u.dh.prime.len, 2); |
| 9533 if (rv != SECSuccess) { |
| 9534 goto loser; /* err set by AppendHandshake. */ |
| 9535 } |
| 9536 |
| 9537 rv = ssl3_AppendHandshakeVariable(ss, pubKey->u.dh.base.data, |
| 9538 pubKey->u.dh.base.len, 2); |
| 9539 if (rv != SECSuccess) { |
| 9540 goto loser; /* err set by AppendHandshake. */ |
| 9541 } |
| 9542 |
| 9543 rv = ssl3_AppendHandshakeVariable(ss, pubKey->u.dh.publicValue.data, |
| 9544 pubKey->u.dh.publicValue.len, 2); |
| 9545 if (rv != SECSuccess) { |
| 9546 goto loser; /* err set by AppendHandshake. */ |
| 9547 } |
| 9548 |
| 9549 if (ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2) { |
| 9550 rv = ssl3_AppendSignatureAndHashAlgorithm(ss, &sigAndHash); |
| 9551 if (rv != SECSuccess) { |
| 9552 goto loser; /* err set by AppendHandshake. */ |
| 9553 } |
| 9554 } |
| 9555 |
| 9556 rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data, |
| 9557 signed_hash.len, 2); |
| 9558 if (rv != SECSuccess) { |
| 9559 goto loser; /* err set by AppendHandshake. */ |
| 9560 } |
| 9561 PORT_Free(signed_hash.data); |
| 9562 ss->dheKeyPair = keyPair; |
| 9563 return SECSuccess; |
| 9564 |
| 9565 loser: |
| 9566 if (signed_hash.data) |
| 9567 PORT_Free(signed_hash.data); |
| 9568 if (privKey) |
| 9569 SECKEY_DestroyPrivateKey(privKey); |
| 9570 if (pubKey) |
| 9571 SECKEY_DestroyPublicKey(pubKey); |
| 9572 return SECFailure; |
| 9573 } |
| 9574 |
9153 /* ssl3_PickSignatureHashAlgorithm selects a hash algorithm to use when signing | 9575 /* ssl3_PickSignatureHashAlgorithm selects a hash algorithm to use when signing |
9154 * elements of the handshake. (The negotiated cipher suite determines the | 9576 * elements of the handshake. (The negotiated cipher suite determines the |
9155 * signature algorithm.) Prior to TLS 1.2, the MD5/SHA1 combination is always | 9577 * signature algorithm.) Prior to TLS 1.2, the MD5/SHA1 combination is always |
9156 * used. With TLS 1.2, a client may advertise its support for signature and | 9578 * used. With TLS 1.2, a client may advertise its support for signature and |
9157 * hash combinations. */ | 9579 * hash combinations. */ |
9158 static SECStatus | 9580 static SECStatus |
9159 ssl3_PickSignatureHashAlgorithm(sslSocket *ss, | 9581 ssl3_PickSignatureHashAlgorithm(sslSocket *ss, |
9160 » » » » SSL3SignatureAndHashAlgorithm* out) | 9582 SSLSignatureAndHashAlg* out) |
9161 { | 9583 { |
9162 TLSSignatureAlgorithm sigAlg; | 9584 SSLSignType sigAlg; |
| 9585 PRUint32 policy; |
9163 unsigned int i, j; | 9586 unsigned int i, j; |
9164 /* hashPreference expresses our preferences for hash algorithms, most | |
9165 * preferable first. */ | |
9166 static const SECOidTag hashPreference[] = { | |
9167 SEC_OID_SHA256, | |
9168 SEC_OID_SHA384, | |
9169 SEC_OID_SHA512, | |
9170 SEC_OID_SHA1, | |
9171 }; | |
9172 | 9587 |
9173 switch (ss->ssl3.hs.kea_def->kea) { | 9588 switch (ss->ssl3.hs.kea_def->kea) { |
9174 case kea_rsa: | 9589 case kea_rsa: |
9175 case kea_rsa_export: | 9590 case kea_rsa_export: |
9176 case kea_rsa_export_1024: | 9591 case kea_rsa_export_1024: |
9177 case kea_dh_rsa: | 9592 case kea_dh_rsa: |
9178 case kea_dh_rsa_export: | 9593 case kea_dh_rsa_export: |
9179 case kea_dhe_rsa: | 9594 case kea_dhe_rsa: |
9180 case kea_dhe_rsa_export: | 9595 case kea_dhe_rsa_export: |
9181 case kea_rsa_fips: | 9596 case kea_rsa_fips: |
9182 case kea_ecdh_rsa: | 9597 case kea_ecdh_rsa: |
9183 case kea_ecdhe_rsa: | 9598 case kea_ecdhe_rsa: |
9184 » sigAlg = tls_sig_rsa; | 9599 sigAlg = ssl_sign_rsa; |
9185 » break; | 9600 break; |
9186 case kea_dh_dss: | 9601 case kea_dh_dss: |
9187 case kea_dh_dss_export: | 9602 case kea_dh_dss_export: |
9188 case kea_dhe_dss: | 9603 case kea_dhe_dss: |
9189 case kea_dhe_dss_export: | 9604 case kea_dhe_dss_export: |
9190 » sigAlg = tls_sig_dsa; | 9605 sigAlg = ssl_sign_dsa; |
9191 » break; | 9606 break; |
9192 case kea_ecdh_ecdsa: | 9607 case kea_ecdh_ecdsa: |
9193 case kea_ecdhe_ecdsa: | 9608 case kea_ecdhe_ecdsa: |
9194 » sigAlg = tls_sig_ecdsa; | 9609 sigAlg = ssl_sign_ecdsa; |
9195 » break; | 9610 break; |
9196 default: | 9611 default: |
9197 » PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); | 9612 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); |
9198 » return SECFailure; | 9613 return SECFailure; |
9199 } | 9614 } |
9200 out->sigAlg = sigAlg; | 9615 out->sigAlg = sigAlg; |
9201 | 9616 |
9202 if (ss->version <= SSL_LIBRARY_VERSION_TLS_1_1) { | 9617 if (ss->version <= SSL_LIBRARY_VERSION_TLS_1_1) { |
9203 » /* SEC_OID_UNKNOWN means the MD5/SHA1 combo hash used in TLS 1.1 and | 9618 /* SEC_OID_UNKNOWN means the MD5/SHA1 combo hash used in TLS 1.1 and |
9204 » * prior. */ | 9619 * prior. */ |
9205 » out->hashAlg = SEC_OID_UNKNOWN; | 9620 out->hashAlg = ssl_hash_none; |
9206 » return SECSuccess; | 9621 return SECSuccess; |
9207 } | 9622 } |
9208 | 9623 |
9209 if (ss->ssl3.hs.numClientSigAndHash == 0) { | 9624 if (ss->ssl3.hs.numClientSigAndHash == 0) { |
9210 » /* If the client didn't provide any signature_algorithms extension then | 9625 /* If the client didn't provide any signature_algorithms extension then |
9211 » * we can assume that they support SHA-1: | 9626 * we can assume that they support SHA-1: |
9212 » * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ | 9627 * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ |
9213 » out->hashAlg = SEC_OID_SHA1; | 9628 out->hashAlg = ssl_hash_sha1; |
9214 » return SECSuccess; | 9629 return SECSuccess; |
9215 } | 9630 } |
9216 | 9631 |
9217 for (i = 0; i < PR_ARRAY_SIZE(hashPreference); i++) { | 9632 /* Here we look for the first server preference that the client has |
9218 » for (j = 0; j < ss->ssl3.hs.numClientSigAndHash; j++) { | 9633 * indicated support for in their signature_algorithms extension. */ |
9219 » const SSL3SignatureAndHashAlgorithm* sh = | 9634 for (i = 0; i < ss->ssl3.signatureAlgorithmCount; ++i) { |
9220 » » &ss->ssl3.hs.clientSigAndHash[j]; | 9635 const SSLSignatureAndHashAlg *serverPref = |
9221 » if (sh->sigAlg == sigAlg && sh->hashAlg == hashPreference[i]) { | 9636 &ss->ssl3.signatureAlgorithms[i]; |
9222 » » out->hashAlg = sh->hashAlg; | 9637 » SECOidTag hashOID; |
9223 » » return SECSuccess; | 9638 if (serverPref->sigAlg != sigAlg) { |
9224 » } | 9639 continue; |
| 9640 } |
| 9641 hashOID = ssl3_TLSHashAlgorithmToOID(serverPref->hashAlg); |
| 9642 » if ((NSS_GetAlgorithmPolicy(hashOID, &policy) != SECSuccess) |
| 9643 » || !(policy & NSS_USE_ALG_IN_SSL_KX)) { |
| 9644 » /* we ignore hashes we don't support */ |
| 9645 » continue; |
9225 } | 9646 } |
| 9647 for (j = 0; j < ss->ssl3.hs.numClientSigAndHash; j++) { |
| 9648 const SSLSignatureAndHashAlg *clientPref = |
| 9649 &ss->ssl3.hs.clientSigAndHash[j]; |
| 9650 if (clientPref->hashAlg == serverPref->hashAlg && |
| 9651 clientPref->sigAlg == sigAlg) { |
| 9652 out->hashAlg = serverPref->hashAlg; |
| 9653 return SECSuccess; |
| 9654 } |
| 9655 } |
9226 } | 9656 } |
9227 | 9657 |
9228 PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM); | 9658 PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM); |
9229 return SECFailure; | 9659 return SECFailure; |
9230 } | 9660 } |
9231 | 9661 |
9232 | 9662 |
9233 static SECStatus | 9663 static SECStatus |
9234 ssl3_SendServerKeyExchange(sslSocket *ss) | 9664 ssl3_SendServerKeyExchange(sslSocket *ss) |
9235 { | 9665 { |
9236 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; | 9666 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; |
9237 SECStatus rv = SECFailure; | 9667 SECStatus rv = SECFailure; |
9238 int length; | 9668 int length; |
9239 PRBool isTLS; | 9669 PRBool isTLS; |
9240 SECItem signed_hash = {siBuffer, NULL, 0}; | 9670 SECItem signed_hash = {siBuffer, NULL, 0}; |
9241 SSL3Hashes hashes; | 9671 SSL3Hashes hashes; |
9242 SECKEYPublicKey * sdPub; /* public key for step-down */ | 9672 SECKEYPublicKey * sdPub; /* public key for step-down */ |
9243 SSL3SignatureAndHashAlgorithm sigAndHash; | 9673 SSLSignatureAndHashAlg sigAndHash; |
9244 | 9674 |
9245 SSL_TRC(3, ("%d: SSL3[%d]: send server_key_exchange handshake", | 9675 SSL_TRC(3, ("%d: SSL3[%d]: send server_key_exchange handshake", |
9246 SSL_GETPID(), ss->fd)); | 9676 SSL_GETPID(), ss->fd)); |
9247 | 9677 |
9248 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); | 9678 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
9249 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 9679 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
9250 | 9680 |
9251 if (ssl3_PickSignatureHashAlgorithm(ss, &sigAndHash) != SECSuccess) { | 9681 if (ssl3_PickSignatureHashAlgorithm(ss, &sigAndHash) != SECSuccess) { |
9252 return SECFailure; | 9682 return SECFailure; |
9253 } | 9683 } |
(...skipping 26 matching lines...) Expand all Loading... |
9280 } | 9710 } |
9281 if (signed_hash.data == NULL) { | 9711 if (signed_hash.data == NULL) { |
9282 /* how can this happen and rv == SECSuccess ?? */ | 9712 /* how can this happen and rv == SECSuccess ?? */ |
9283 PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); | 9713 PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); |
9284 goto loser; | 9714 goto loser; |
9285 } | 9715 } |
9286 length = 2 + sdPub->u.rsa.modulus.len + | 9716 length = 2 + sdPub->u.rsa.modulus.len + |
9287 2 + sdPub->u.rsa.publicExponent.len + | 9717 2 + sdPub->u.rsa.publicExponent.len + |
9288 2 + signed_hash.len; | 9718 2 + signed_hash.len; |
9289 | 9719 |
| 9720 if (ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2) { |
| 9721 length += 2; |
| 9722 } |
| 9723 |
9290 rv = ssl3_AppendHandshakeHeader(ss, server_key_exchange, length); | 9724 rv = ssl3_AppendHandshakeHeader(ss, server_key_exchange, length); |
9291 if (rv != SECSuccess) { | 9725 if (rv != SECSuccess) { |
9292 goto loser; /* err set by AppendHandshake. */ | 9726 goto loser; /* err set by AppendHandshake. */ |
9293 } | 9727 } |
9294 | 9728 |
9295 rv = ssl3_AppendHandshakeVariable(ss, sdPub->u.rsa.modulus.data, | 9729 rv = ssl3_AppendHandshakeVariable(ss, sdPub->u.rsa.modulus.data, |
9296 sdPub->u.rsa.modulus.len, 2); | 9730 sdPub->u.rsa.modulus.len, 2); |
9297 if (rv != SECSuccess) { | 9731 if (rv != SECSuccess) { |
9298 goto loser; /* err set by AppendHandshake. */ | 9732 goto loser; /* err set by AppendHandshake. */ |
9299 } | 9733 } |
(...skipping 13 matching lines...) Expand all Loading... |
9313 } | 9747 } |
9314 | 9748 |
9315 rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data, | 9749 rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data, |
9316 signed_hash.len, 2); | 9750 signed_hash.len, 2); |
9317 if (rv != SECSuccess) { | 9751 if (rv != SECSuccess) { |
9318 goto loser; /* err set by AppendHandshake. */ | 9752 goto loser; /* err set by AppendHandshake. */ |
9319 } | 9753 } |
9320 PORT_Free(signed_hash.data); | 9754 PORT_Free(signed_hash.data); |
9321 return SECSuccess; | 9755 return SECSuccess; |
9322 | 9756 |
| 9757 case ssl_kea_dh: { |
| 9758 rv = ssl3_SendDHServerKeyExchange(ss); |
| 9759 return rv; |
| 9760 } |
| 9761 |
9323 #ifndef NSS_DISABLE_ECC | 9762 #ifndef NSS_DISABLE_ECC |
9324 case kt_ecdh: { | 9763 case kt_ecdh: { |
9325 rv = ssl3_SendECDHServerKeyExchange(ss, &sigAndHash); | 9764 rv = ssl3_SendECDHServerKeyExchange(ss, &sigAndHash); |
9326 return rv; | 9765 return rv; |
9327 } | 9766 } |
9328 #endif /* NSS_DISABLE_ECC */ | 9767 #endif /* NSS_DISABLE_ECC */ |
9329 | 9768 |
9330 case kt_dh: | |
9331 case kt_null: | 9769 case kt_null: |
9332 default: | 9770 default: |
9333 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); | 9771 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); |
9334 break; | 9772 break; |
9335 } | 9773 } |
9336 loser: | 9774 loser: |
9337 if (signed_hash.data != NULL) | 9775 if (signed_hash.data != NULL) |
9338 PORT_Free(signed_hash.data); | 9776 PORT_Free(signed_hash.data); |
9339 return SECFailure; | 9777 return SECFailure; |
9340 } | 9778 } |
9341 | 9779 |
| 9780 static SECStatus |
| 9781 ssl3_EncodeCertificateRequestSigAlgs(sslSocket *ss, PRUint8 *buf, |
| 9782 unsigned maxLen, PRUint32 *len) |
| 9783 { |
| 9784 unsigned int i; |
| 9785 |
| 9786 PORT_Assert(maxLen >= ss->ssl3.signatureAlgorithmCount * 2); |
| 9787 if (maxLen < ss->ssl3.signatureAlgorithmCount * 2) { |
| 9788 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
| 9789 return SECFailure; |
| 9790 } |
| 9791 |
| 9792 *len = 0; |
| 9793 for (i = 0; i < ss->ssl3.signatureAlgorithmCount; ++i) { |
| 9794 const SSLSignatureAndHashAlg *alg = &ss->ssl3.signatureAlgorithms[i]; |
| 9795 /* Note that we don't support a handshake hash with anything other than |
| 9796 * SHA-256, so asking for a signature from clients for something else |
| 9797 * would be inviting disaster. */ |
| 9798 if (alg->hashAlg == ssl_hash_sha256) { |
| 9799 buf[(*len)++] = (PRUint8)alg->hashAlg; |
| 9800 buf[(*len)++] = (PRUint8)alg->sigAlg; |
| 9801 } |
| 9802 } |
| 9803 |
| 9804 if (*len == 0) { |
| 9805 PORT_SetError(SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM); |
| 9806 return SECFailure; |
| 9807 } |
| 9808 return SECSuccess; |
| 9809 } |
9342 | 9810 |
9343 static SECStatus | 9811 static SECStatus |
9344 ssl3_SendCertificateRequest(sslSocket *ss) | 9812 ssl3_SendCertificateRequest(sslSocket *ss) |
9345 { | 9813 { |
9346 PRBool isTLS12; | 9814 PRBool isTLS12; |
9347 SECItem * name; | 9815 SECItem * name; |
9348 CERTDistNames *ca_list; | 9816 CERTDistNames *ca_list; |
9349 const PRUint8 *certTypes; | 9817 const PRUint8 *certTypes; |
9350 const PRUint8 *sigAlgs; | |
9351 SECItem * names = NULL; | 9818 SECItem * names = NULL; |
9352 SECStatus rv; | 9819 SECStatus rv; |
9353 int length; | 9820 int length; |
9354 int i; | 9821 int i; |
9355 int calen = 0; | 9822 int calen = 0; |
9356 int nnames = 0; | 9823 int nnames = 0; |
9357 int certTypesLength; | 9824 int certTypesLength; |
9358 int sigAlgsLength; | 9825 PRUint8 sigAlgs[MAX_SIGNATURE_ALGORITHMS * 2]; |
| 9826 unsigned int sigAlgsLength = 0; |
9359 | 9827 |
9360 SSL_TRC(3, ("%d: SSL3[%d]: send certificate_request handshake", | 9828 SSL_TRC(3, ("%d: SSL3[%d]: send certificate_request handshake", |
9361 SSL_GETPID(), ss->fd)); | 9829 SSL_GETPID(), ss->fd)); |
9362 | 9830 |
9363 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); | 9831 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
9364 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 9832 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
9365 | 9833 |
9366 isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); | 9834 isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); |
9367 | 9835 |
9368 /* ssl3.ca_list is initialized to NULL, and never changed. */ | 9836 /* ssl3.ca_list is initialized to NULL, and never changed. */ |
9369 ca_list = ss->ssl3.ca_list; | 9837 ca_list = ss->ssl3.ca_list; |
9370 if (!ca_list) { | 9838 if (!ca_list) { |
9371 ca_list = ssl3_server_ca_list; | 9839 ca_list = ssl3_server_ca_list; |
9372 } | 9840 } |
9373 | 9841 |
9374 if (ca_list != NULL) { | 9842 if (ca_list != NULL) { |
9375 names = ca_list->names; | 9843 names = ca_list->names; |
9376 nnames = ca_list->nnames; | 9844 nnames = ca_list->nnames; |
9377 } | 9845 } |
9378 | 9846 |
9379 for (i = 0, name = names; i < nnames; i++, name++) { | 9847 for (i = 0, name = names; i < nnames; i++, name++) { |
9380 calen += 2 + name->len; | 9848 calen += 2 + name->len; |
9381 } | 9849 } |
9382 | 9850 |
9383 certTypes = certificate_types; | 9851 certTypes = certificate_types; |
9384 certTypesLength = sizeof certificate_types; | 9852 certTypesLength = sizeof certificate_types; |
9385 sigAlgs = supported_signature_algorithms; | |
9386 sigAlgsLength = sizeof supported_signature_algorithms; | |
9387 | 9853 |
9388 length = 1 + certTypesLength + 2 + calen; | 9854 length = 1 + certTypesLength + 2 + calen; |
9389 if (isTLS12) { | 9855 if (isTLS12) { |
9390 » length += 2 + sigAlgsLength; | 9856 rv = ssl3_EncodeCertificateRequestSigAlgs(ss, sigAlgs, sizeof(sigAlgs), |
| 9857 &sigAlgsLength); |
| 9858 if (rv != SECSuccess) { |
| 9859 return rv; |
| 9860 } |
| 9861 length += 2 + sigAlgsLength; |
9391 } | 9862 } |
9392 | 9863 |
9393 rv = ssl3_AppendHandshakeHeader(ss, certificate_request, length); | 9864 rv = ssl3_AppendHandshakeHeader(ss, certificate_request, length); |
9394 if (rv != SECSuccess) { | 9865 if (rv != SECSuccess) { |
9395 return rv; /* err set by AppendHandshake. */ | 9866 return rv; /* err set by AppendHandshake. */ |
9396 } | 9867 } |
9397 rv = ssl3_AppendHandshakeVariable(ss, certTypes, certTypesLength, 1); | 9868 rv = ssl3_AppendHandshakeVariable(ss, certTypes, certTypesLength, 1); |
9398 if (rv != SECSuccess) { | 9869 if (rv != SECSuccess) { |
9399 return rv; /* err set by AppendHandshake. */ | 9870 return rv; /* err set by AppendHandshake. */ |
9400 } | 9871 } |
(...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
9446 */ | 9917 */ |
9447 static SECStatus | 9918 static SECStatus |
9448 ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length, | 9919 ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length, |
9449 SSL3Hashes *hashes) | 9920 SSL3Hashes *hashes) |
9450 { | 9921 { |
9451 SECItem signed_hash = {siBuffer, NULL, 0}; | 9922 SECItem signed_hash = {siBuffer, NULL, 0}; |
9452 SECStatus rv; | 9923 SECStatus rv; |
9453 int errCode = SSL_ERROR_RX_MALFORMED_CERT_VERIFY; | 9924 int errCode = SSL_ERROR_RX_MALFORMED_CERT_VERIFY; |
9454 SSL3AlertDescription desc = handshake_failure; | 9925 SSL3AlertDescription desc = handshake_failure; |
9455 PRBool isTLS, isTLS12; | 9926 PRBool isTLS, isTLS12; |
9456 SSL3SignatureAndHashAlgorithm sigAndHash; | 9927 SSLSignatureAndHashAlg sigAndHash; |
9457 | 9928 |
9458 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_verify handshake", | 9929 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_verify handshake", |
9459 SSL_GETPID(), ss->fd)); | 9930 SSL_GETPID(), ss->fd)); |
9460 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 9931 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
9461 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 9932 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
9462 | 9933 |
9463 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); | 9934 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); |
9464 isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); | 9935 isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); |
9465 | 9936 |
9466 if (ss->ssl3.hs.ws != wait_cert_verify) { | 9937 if (ss->ssl3.hs.ws != wait_cert_verify) { |
9467 desc = unexpected_message; | 9938 desc = unexpected_message; |
9468 errCode = SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY; | 9939 errCode = SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY; |
9469 goto alert_loser; | 9940 goto alert_loser; |
9470 } | 9941 } |
9471 | 9942 |
| 9943 if (!hashes) { |
| 9944 PORT_Assert(0); |
| 9945 desc = internal_error; |
| 9946 errCode = SEC_ERROR_LIBRARY_FAILURE; |
| 9947 goto alert_loser; |
| 9948 } |
| 9949 |
9472 if (isTLS12) { | 9950 if (isTLS12) { |
9473 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length, | 9951 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length, |
9474 &sigAndHash); | 9952 &sigAndHash); |
9475 if (rv != SECSuccess) { | 9953 if (rv != SECSuccess) { |
9476 goto loser; /* malformed or unsupported. */ | 9954 goto loser; /* malformed or unsupported. */ |
9477 } | 9955 } |
9478 rv = ssl3_CheckSignatureAndHashAlgorithmConsistency( | 9956 rv = ssl3_CheckSignatureAndHashAlgorithmConsistency( |
9479 » » &sigAndHash, ss->sec.peerCert); | 9957 ss, &sigAndHash, ss->sec.peerCert); |
9480 if (rv != SECSuccess) { | 9958 if (rv != SECSuccess) { |
9481 errCode = PORT_GetError(); | 9959 errCode = PORT_GetError(); |
9482 desc = decrypt_error; | 9960 desc = decrypt_error; |
9483 goto alert_loser; | 9961 goto alert_loser; |
9484 } | 9962 } |
9485 | 9963 |
9486 /* We only support CertificateVerify messages that use the handshake | 9964 /* We only support CertificateVerify messages that use the handshake |
9487 * hash. */ | 9965 * hash. */ |
9488 » if (sigAndHash.hashAlg != hashes->hashAlg) { | 9966 if (sigAndHash.hashAlg != hashes->hashAlg) { |
9489 errCode = SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM; | 9967 errCode = SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM; |
9490 desc = decrypt_error; | 9968 desc = decrypt_error; |
9491 goto alert_loser; | 9969 goto alert_loser; |
9492 } | 9970 } |
9493 } | 9971 } |
9494 | 9972 |
9495 rv = ssl3_ConsumeHandshakeVariable(ss, &signed_hash, 2, &b, &length); | 9973 rv = ssl3_ConsumeHandshakeVariable(ss, &signed_hash, 2, &b, &length); |
9496 if (rv != SECSuccess) { | 9974 if (rv != SECSuccess) { |
9497 goto loser; /* malformed. */ | 9975 goto loser; /* malformed. */ |
9498 } | 9976 } |
(...skipping 110 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
9609 * the failure must occur. | 10087 * the failure must occur. |
9610 * | 10088 * |
9611 * Called from ssl3_HandleClientKeyExchange | 10089 * Called from ssl3_HandleClientKeyExchange |
9612 */ | 10090 */ |
9613 static SECStatus | 10091 static SECStatus |
9614 ssl3_HandleRSAClientKeyExchange(sslSocket *ss, | 10092 ssl3_HandleRSAClientKeyExchange(sslSocket *ss, |
9615 SSL3Opaque *b, | 10093 SSL3Opaque *b, |
9616 PRUint32 length, | 10094 PRUint32 length, |
9617 SECKEYPrivateKey *serverKey) | 10095 SECKEYPrivateKey *serverKey) |
9618 { | 10096 { |
9619 PK11SymKey * pms; | |
9620 #ifndef NO_PKCS11_BYPASS | 10097 #ifndef NO_PKCS11_BYPASS |
9621 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random; | 10098 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random; |
9622 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random; | 10099 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random; |
9623 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec; | 10100 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec; |
9624 unsigned int outLen = 0; | 10101 unsigned int outLen = 0; |
| 10102 PRBool isTLS = PR_FALSE; |
| 10103 SECItem pmsItem = {siBuffer, NULL, 0}; |
| 10104 unsigned char rsaPmsBuf[SSL3_RSA_PMS_LENGTH]; |
9625 #endif | 10105 #endif |
9626 PRBool isTLS = PR_FALSE; | |
9627 SECStatus rv; | 10106 SECStatus rv; |
9628 SECItem enc_pms; | 10107 SECItem enc_pms; |
9629 unsigned char rsaPmsBuf[SSL3_RSA_PMS_LENGTH]; | |
9630 SECItem pmsItem = {siBuffer, NULL, 0}; | |
9631 | 10108 |
9632 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 10109 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
9633 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 10110 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
9634 PORT_Assert( ss->ssl3.prSpec == ss->ssl3.pwSpec ); | 10111 PORT_Assert( ss->ssl3.prSpec == ss->ssl3.pwSpec ); |
9635 | 10112 |
9636 enc_pms.data = b; | 10113 enc_pms.data = b; |
9637 enc_pms.len = length; | 10114 enc_pms.len = length; |
| 10115 #ifndef NO_PKCS11_BYPASS |
9638 pmsItem.data = rsaPmsBuf; | 10116 pmsItem.data = rsaPmsBuf; |
9639 pmsItem.len = sizeof rsaPmsBuf; | 10117 pmsItem.len = sizeof rsaPmsBuf; |
| 10118 #endif |
9640 | 10119 |
9641 if (ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */ | 10120 if (ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */ |
9642 PRInt32 kLen; | 10121 PRInt32 kLen; |
9643 kLen = ssl3_ConsumeHandshakeNumber(ss, 2, &enc_pms.data, &enc_pms.len); | 10122 kLen = ssl3_ConsumeHandshakeNumber(ss, 2, &enc_pms.data, &enc_pms.len); |
9644 if (kLen < 0) { | 10123 if (kLen < 0) { |
9645 PORT_SetError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); | 10124 PORT_SetError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); |
9646 return SECFailure; | 10125 return SECFailure; |
9647 } | 10126 } |
9648 if ((unsigned)kLen < enc_pms.len) { | 10127 if ((unsigned)kLen < enc_pms.len) { |
9649 enc_pms.len = kLen; | 10128 enc_pms.len = kLen; |
9650 } | 10129 } |
| 10130 #ifndef NO_PKCS11_BYPASS |
9651 isTLS = PR_TRUE; | 10131 isTLS = PR_TRUE; |
| 10132 #endif |
9652 } else { | 10133 } else { |
| 10134 #ifndef NO_PKCS11_BYPASS |
9653 isTLS = (PRBool)(ss->ssl3.hs.kea_def->tls_keygen != 0); | 10135 isTLS = (PRBool)(ss->ssl3.hs.kea_def->tls_keygen != 0); |
| 10136 #endif |
9654 } | 10137 } |
9655 | 10138 |
9656 #ifndef NO_PKCS11_BYPASS | 10139 #ifndef NO_PKCS11_BYPASS |
9657 if (ss->opt.bypassPKCS11) { | 10140 if (ss->opt.bypassPKCS11) { |
| 10141 /* We have not implemented a tls_ExtendedMasterKeyDeriveBypass |
| 10142 * and will not negotiate this extension in bypass mode. This |
| 10143 * assert just double-checks that. |
| 10144 */ |
| 10145 PORT_Assert( |
| 10146 !ssl3_ExtensionNegotiated(ss, ssl_extended_master_secret_xtn)); |
| 10147 |
9658 /* TRIPLE BYPASS, get PMS directly from RSA decryption. | 10148 /* TRIPLE BYPASS, get PMS directly from RSA decryption. |
9659 * Use PK11_PrivDecryptPKCS1 to decrypt the PMS to a buffer, | 10149 * Use PK11_PrivDecryptPKCS1 to decrypt the PMS to a buffer, |
9660 * then, check for version rollback attack, then | 10150 * then, check for version rollback attack, then |
9661 * do the equivalent of ssl3_DeriveMasterSecret, placing the MS in | 10151 * do the equivalent of ssl3_DeriveMasterSecret, placing the MS in |
9662 * pwSpec->msItem. Finally call ssl3_InitPendingCipherSpec with | 10152 * pwSpec->msItem. Finally call ssl3_InitPendingCipherSpec with |
9663 * ss and NULL, so that it will use the MS we've already derived here. | 10153 * ss and NULL, so that it will use the MS we've already derived here. |
9664 */ | 10154 */ |
9665 | 10155 |
9666 rv = PK11_PrivDecryptPKCS1(serverKey, rsaPmsBuf, &outLen, | 10156 rv = PK11_PrivDecryptPKCS1(serverKey, rsaPmsBuf, &outLen, |
9667 sizeof rsaPmsBuf, enc_pms.data, enc_pms.len); | 10157 sizeof rsaPmsBuf, enc_pms.data, enc_pms.len); |
9668 if (rv != SECSuccess) { | 10158 if (rv != SECSuccess) { |
9669 /* triple bypass failed. Let's try for a double bypass. */ | 10159 /* triple bypass failed. Let's try for a double bypass. */ |
9670 goto double_bypass; | 10160 goto double_bypass; |
9671 } else if (ss->opt.detectRollBack) { | 10161 } else if (ss->opt.detectRollBack) { |
9672 SSL3ProtocolVersion client_version = | 10162 SSL3ProtocolVersion client_version = |
9673 (rsaPmsBuf[0] << 8) | rsaPmsBuf[1]; | 10163 (rsaPmsBuf[0] << 8) | rsaPmsBuf[1]; |
9674 | 10164 |
9675 if (IS_DTLS(ss)) { | 10165 if (IS_DTLS(ss)) { |
9676 client_version = dtls_DTLSVersionToTLSVersion(client_version); | 10166 client_version = dtls_DTLSVersionToTLSVersion(client_version); |
9677 } | 10167 } |
9678 | 10168 |
9679 if (client_version != ss->clientHelloVersion) { | 10169 if (client_version != ss->clientHelloVersion) { |
9680 /* Version roll-back detected. ensure failure. */ | 10170 /* Version roll-back detected. ensure failure. */ |
9681 rv = PK11_GenerateRandom(rsaPmsBuf, sizeof rsaPmsBuf); | 10171 rv = PK11_GenerateRandom(rsaPmsBuf, sizeof rsaPmsBuf); |
9682 } | 10172 } |
9683 } | 10173 } |
9684 /* have PMS, build MS without PKCS11 */ | 10174 /* have PMS, build MS without PKCS11 */ |
9685 » rv = ssl3_MasterKeyDeriveBypass(pwSpec, cr, sr, &pmsItem, isTLS, | 10175 » rv = ssl3_MasterSecretDeriveBypass(pwSpec, cr, sr, &pmsItem, isTLS, |
9686 » » » » » PR_TRUE); | 10176 PR_TRUE); |
9687 if (rv != SECSuccess) { | 10177 if (rv != SECSuccess) { |
9688 pwSpec->msItem.data = pwSpec->raw_master_secret; | 10178 pwSpec->msItem.data = pwSpec->raw_master_secret; |
9689 pwSpec->msItem.len = SSL3_MASTER_SECRET_LENGTH; | 10179 pwSpec->msItem.len = SSL3_MASTER_SECRET_LENGTH; |
9690 PK11_GenerateRandom(pwSpec->msItem.data, pwSpec->msItem.len); | 10180 PK11_GenerateRandom(pwSpec->msItem.data, pwSpec->msItem.len); |
9691 } | 10181 } |
9692 rv = ssl3_InitPendingCipherSpec(ss, NULL); | 10182 rv = ssl3_InitPendingCipherSpec(ss, NULL); |
9693 } else | 10183 } else |
9694 #endif | 10184 #endif |
9695 { | 10185 { |
| 10186 PK11SymKey *tmpPms[2] = {NULL, NULL}; |
| 10187 PK11SlotInfo *slot; |
| 10188 int useFauxPms = 0; |
| 10189 #define currentPms tmpPms[!useFauxPms] |
| 10190 #define unusedPms tmpPms[useFauxPms] |
| 10191 #define realPms tmpPms[1] |
| 10192 #define fauxPms tmpPms[0] |
| 10193 |
9696 #ifndef NO_PKCS11_BYPASS | 10194 #ifndef NO_PKCS11_BYPASS |
9697 double_bypass: | 10195 double_bypass: |
9698 #endif | 10196 #endif |
9699 /* | |
9700 * unwrap pms out of the incoming buffer | |
9701 * Note: CKM_SSL3_MASTER_KEY_DERIVE is NOT the mechanism used to do | |
9702 * the unwrap. Rather, it is the mechanism with which the | |
9703 * unwrapped pms will be used. | |
9704 */ | |
9705 pms = PK11_PubUnwrapSymKey(serverKey, &enc_pms, | |
9706 CKM_SSL3_MASTER_KEY_DERIVE, CKA_DERIVE, 0); | |
9707 if (pms != NULL) { | |
9708 PRINT_BUF(60, (ss, "decrypted premaster secret:", | |
9709 PK11_GetKeyData(pms)->data, | |
9710 PK11_GetKeyData(pms)->len)); | |
9711 } else { | |
9712 /* unwrap failed. Generate a bogus PMS and carry on. */ | |
9713 PK11SlotInfo * slot = PK11_GetSlotFromPrivateKey(serverKey); | |
9714 | 10197 |
9715 » ssl_GetSpecWriteLock(ss); | 10198 /* |
9716 » pms = ssl3_GenerateRSAPMS(ss, ss->ssl3.prSpec, slot); | 10199 * Get as close to algorithm 2 from RFC 5246; Section 7.4.7.1 |
9717 » ssl_ReleaseSpecWriteLock(ss); | 10200 * as we can within the constraints of the PKCS#11 interface. |
9718 » PK11_FreeSlot(slot); | 10201 * |
9719 » } | 10202 * 1. Unconditionally generate a bogus PMS (what RFC 5246 |
| 10203 * calls R). |
| 10204 * 2. Attempt the RSA decryption to recover the PMS (what |
| 10205 * RFC 5246 calls M). |
| 10206 * 3. Set PMS = (M == NULL) ? R : M |
| 10207 * 4. Use ssl3_ComputeMasterSecret(PMS) to attempt to derive |
| 10208 * the MS from PMS. This includes performing the version |
| 10209 * check and length check. |
| 10210 * 5. If either the initial RSA decryption failed or |
| 10211 * ssl3_ComputeMasterSecret(PMS) failed, then discard |
| 10212 * M and set PMS = R. Else, discard R and set PMS = M. |
| 10213 * |
| 10214 * We do two derivations here because we can't rely on having |
| 10215 * a function that only performs the PMS version and length |
| 10216 * check. The only redundant cost is that this runs the PRF, |
| 10217 * which isn't necessary here. |
| 10218 */ |
9720 | 10219 |
9721 » if (pms == NULL) { | 10220 /* Generate the bogus PMS (R) */ |
9722 » /* last gasp. */ | 10221 slot = PK11_GetSlotFromPrivateKey(serverKey); |
| 10222 if (!slot) { |
| 10223 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
| 10224 return SECFailure; |
| 10225 } |
| 10226 |
| 10227 if (!PK11_DoesMechanism(slot, CKM_SSL3_MASTER_KEY_DERIVE)) { |
| 10228 PK11_FreeSlot(slot); |
| 10229 slot = PK11_GetBestSlot(CKM_SSL3_MASTER_KEY_DERIVE, NULL); |
| 10230 if (!slot) { |
| 10231 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
| 10232 return SECFailure; |
| 10233 } |
| 10234 } |
| 10235 |
| 10236 ssl_GetSpecWriteLock(ss); |
| 10237 fauxPms = ssl3_GenerateRSAPMS(ss, ss->ssl3.prSpec, slot); |
| 10238 ssl_ReleaseSpecWriteLock(ss); |
| 10239 PK11_FreeSlot(slot); |
| 10240 |
| 10241 if (fauxPms == NULL) { |
9723 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); | 10242 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); |
9724 return SECFailure; | 10243 return SECFailure; |
9725 } | 10244 } |
9726 | 10245 |
| 10246 /* |
| 10247 * unwrap pms out of the incoming buffer |
| 10248 * Note: CKM_SSL3_MASTER_KEY_DERIVE is NOT the mechanism used to do |
| 10249 * the unwrap. Rather, it is the mechanism with which the |
| 10250 * unwrapped pms will be used. |
| 10251 */ |
| 10252 realPms = PK11_PubUnwrapSymKey(serverKey, &enc_pms, |
| 10253 CKM_SSL3_MASTER_KEY_DERIVE, CKA_DERIVE
, 0); |
| 10254 /* Temporarily use the PMS if unwrapping the real PMS fails. */ |
| 10255 useFauxPms |= (realPms == NULL); |
| 10256 |
| 10257 /* Attempt to derive the MS from the PMS. This is the only way to |
| 10258 * check the version field in the RSA PMS. If this fails, we |
| 10259 * then use the faux PMS in place of the PMS. Note that this |
| 10260 * operation should never fail if we are using the faux PMS |
| 10261 * since it is correctly formatted. */ |
| 10262 rv = ssl3_ComputeMasterSecret(ss, currentPms, NULL); |
| 10263 |
| 10264 /* If we succeeded, then select the true PMS and discard the |
| 10265 * FPMS. Else, select the FPMS and select the true PMS */ |
| 10266 useFauxPms |= (rv != SECSuccess); |
| 10267 |
| 10268 if (unusedPms) { |
| 10269 PK11_FreeSymKey(unusedPms); |
| 10270 } |
| 10271 |
9727 /* This step will derive the MS from the PMS, among other things. */ | 10272 /* This step will derive the MS from the PMS, among other things. */ |
9728 » rv = ssl3_InitPendingCipherSpec(ss, pms); | 10273 rv = ssl3_InitPendingCipherSpec(ss, currentPms); |
9729 » PK11_FreeSymKey(pms); | 10274 PK11_FreeSymKey(currentPms); |
9730 } | 10275 } |
9731 | 10276 |
9732 if (rv != SECSuccess) { | 10277 if (rv != SECSuccess) { |
9733 SEND_ALERT | 10278 SEND_ALERT |
9734 return SECFailure; /* error code set by ssl3_InitPendingCipherSpec */ | 10279 return SECFailure; /* error code set by ssl3_InitPendingCipherSpec */ |
9735 } | 10280 } |
| 10281 |
| 10282 #undef currentPms |
| 10283 #undef unusedPms |
| 10284 #undef realPms |
| 10285 #undef fauxPms |
| 10286 |
9736 return SECSuccess; | 10287 return SECSuccess; |
9737 } | 10288 } |
9738 | 10289 |
| 10290 static SECStatus |
| 10291 ssl3_HandleDHClientKeyExchange(sslSocket *ss, |
| 10292 SSL3Opaque *b, |
| 10293 PRUint32 length, |
| 10294 SECKEYPublicKey *srvrPubKey, |
| 10295 SECKEYPrivateKey *serverKey) |
| 10296 { |
| 10297 PK11SymKey *pms; |
| 10298 SECStatus rv; |
| 10299 SECKEYPublicKey clntPubKey; |
| 10300 CK_MECHANISM_TYPE target; |
| 10301 PRBool isTLS; |
| 10302 |
| 10303 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
| 10304 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
| 10305 PORT_Assert( srvrPubKey ); |
| 10306 |
| 10307 clntPubKey.keyType = dhKey; |
| 10308 clntPubKey.u.dh.prime.len = srvrPubKey->u.dh.prime.len; |
| 10309 clntPubKey.u.dh.prime.data = srvrPubKey->u.dh.prime.data; |
| 10310 clntPubKey.u.dh.base.len = srvrPubKey->u.dh.base.len; |
| 10311 clntPubKey.u.dh.base.data = srvrPubKey->u.dh.base.data; |
| 10312 |
| 10313 rv = ssl3_ConsumeHandshakeVariable(ss, &clntPubKey.u.dh.publicValue, |
| 10314 2, &b, &length); |
| 10315 if (rv != SECSuccess) { |
| 10316 goto loser; |
| 10317 } |
| 10318 |
| 10319 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); |
| 10320 |
| 10321 if (isTLS) target = CKM_TLS_MASTER_KEY_DERIVE_DH; |
| 10322 else target = CKM_SSL3_MASTER_KEY_DERIVE_DH; |
| 10323 |
| 10324 /* Determine the PMS */ |
| 10325 pms = PK11_PubDerive(serverKey, &clntPubKey, PR_FALSE, NULL, NULL, |
| 10326 CKM_DH_PKCS_DERIVE, target, CKA_DERIVE, 0, NULL); |
| 10327 if (pms == NULL) { |
| 10328 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); |
| 10329 goto loser; |
| 10330 } |
| 10331 |
| 10332 rv = ssl3_InitPendingCipherSpec(ss, pms); |
| 10333 PK11_FreeSymKey(pms); pms = NULL; |
| 10334 |
| 10335 loser: |
| 10336 if (ss->dheKeyPair) { |
| 10337 ssl3_FreeKeyPair(ss->dheKeyPair); |
| 10338 ss->dheKeyPair = NULL; |
| 10339 } |
| 10340 return rv; |
| 10341 } |
| 10342 |
9739 | 10343 |
9740 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete | 10344 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete |
9741 * ssl3 ClientKeyExchange message from the remote client | 10345 * ssl3 ClientKeyExchange message from the remote client |
9742 * Caller must hold Handshake and RecvBuf locks. | 10346 * Caller must hold Handshake and RecvBuf locks. |
9743 */ | 10347 */ |
9744 static SECStatus | 10348 static SECStatus |
9745 ssl3_HandleClientKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length) | 10349 ssl3_HandleClientKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
9746 { | 10350 { |
9747 SECKEYPrivateKey *serverKey = NULL; | 10351 SECKEYPrivateKey *serverKey = NULL; |
9748 SECStatus rv; | 10352 SECStatus rv; |
9749 const ssl3KEADef *kea_def; | 10353 const ssl3KEADef *kea_def; |
9750 ssl3KeyPair *serverKeyPair = NULL; | 10354 ssl3KeyPair *serverKeyPair = NULL; |
9751 #ifndef NSS_DISABLE_ECC | |
9752 SECKEYPublicKey *serverPubKey = NULL; | 10355 SECKEYPublicKey *serverPubKey = NULL; |
9753 #endif /* NSS_DISABLE_ECC */ | |
9754 | 10356 |
9755 SSL_TRC(3, ("%d: SSL3[%d]: handle client_key_exchange handshake", | 10357 SSL_TRC(3, ("%d: SSL3[%d]: handle client_key_exchange handshake", |
9756 SSL_GETPID(), ss->fd)); | 10358 SSL_GETPID(), ss->fd)); |
9757 | 10359 |
9758 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 10360 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
9759 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 10361 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
9760 | 10362 |
9761 if (ss->ssl3.hs.ws != wait_client_key) { | 10363 if (ss->ssl3.hs.ws != wait_client_key) { |
9762 SSL3_SendAlert(ss, alert_fatal, unexpected_message); | 10364 SSL3_SendAlert(ss, alert_fatal, unexpected_message); |
9763 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH); | 10365 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH); |
9764 return SECFailure; | 10366 return SECFailure; |
9765 } | 10367 } |
9766 | 10368 |
9767 kea_def = ss->ssl3.hs.kea_def; | 10369 kea_def = ss->ssl3.hs.kea_def; |
9768 | 10370 |
9769 if (ss->ssl3.hs.usedStepDownKey) { | 10371 if (ss->ssl3.hs.usedStepDownKey) { |
9770 PORT_Assert(kea_def->is_limited /* XXX OR cert is signing only */ | 10372 PORT_Assert(kea_def->is_limited /* XXX OR cert is signing only */ |
9771 && kea_def->exchKeyType == kt_rsa | 10373 && kea_def->exchKeyType == kt_rsa |
9772 && ss->stepDownKeyPair != NULL); | 10374 && ss->stepDownKeyPair != NULL); |
9773 if (!kea_def->is_limited || | 10375 if (!kea_def->is_limited || |
9774 kea_def->exchKeyType != kt_rsa || | 10376 kea_def->exchKeyType != kt_rsa || |
9775 ss->stepDownKeyPair == NULL) { | 10377 ss->stepDownKeyPair == NULL) { |
9776 /* shouldn't happen, don't use step down if it does */ | 10378 /* shouldn't happen, don't use step down if it does */ |
9777 goto skip; | 10379 goto skip; |
9778 } | 10380 } |
9779 serverKeyPair = ss->stepDownKeyPair; | 10381 serverKeyPair = ss->stepDownKeyPair; |
9780 ss->sec.keaKeyBits = EXPORT_RSA_KEY_LENGTH * BPB; | 10382 ss->sec.keaKeyBits = EXPORT_RSA_KEY_LENGTH * BPB; |
9781 } else | 10383 } else |
9782 skip: | 10384 skip: |
| 10385 if (kea_def->kea == kea_dhe_dss || |
| 10386 kea_def->kea == kea_dhe_rsa) { |
| 10387 if (ss->dheKeyPair) { |
| 10388 serverKeyPair = ss->dheKeyPair; |
| 10389 if (serverKeyPair->pubKey) { |
| 10390 ss->sec.keaKeyBits = |
| 10391 SECKEY_PublicKeyStrengthInBits(serverKeyPair->pubKey); |
| 10392 } |
| 10393 } |
| 10394 } else |
9783 #ifndef NSS_DISABLE_ECC | 10395 #ifndef NSS_DISABLE_ECC |
9784 /* XXX Using SSLKEAType to index server certifiates | 10396 /* XXX Using SSLKEAType to index server certifiates |
9785 * does not work for (EC)DHE ciphers. Until we have | 10397 * does not work for (EC)DHE ciphers. Until we have |
9786 * an indexing mechanism general enough for all key | 10398 * an indexing mechanism general enough for all key |
9787 * exchange algorithms, we'll need to deal with each | 10399 * exchange algorithms, we'll need to deal with each |
9788 * one seprately. | 10400 * one seprately. |
9789 */ | 10401 */ |
9790 if ((kea_def->kea == kea_ecdhe_rsa) || | 10402 if ((kea_def->kea == kea_ecdhe_rsa) || |
9791 (kea_def->kea == kea_ecdhe_ecdsa)) { | 10403 (kea_def->kea == kea_ecdhe_ecdsa)) { |
9792 if (ss->ephemeralECDHKeyPair != NULL) { | 10404 if (ss->ephemeralECDHKeyPair != NULL) { |
(...skipping 25 matching lines...) Expand all Loading... |
9818 | 10430 |
9819 switch (kea_def->exchKeyType) { | 10431 switch (kea_def->exchKeyType) { |
9820 case kt_rsa: | 10432 case kt_rsa: |
9821 rv = ssl3_HandleRSAClientKeyExchange(ss, b, length, serverKey); | 10433 rv = ssl3_HandleRSAClientKeyExchange(ss, b, length, serverKey); |
9822 if (rv != SECSuccess) { | 10434 if (rv != SECSuccess) { |
9823 SEND_ALERT | 10435 SEND_ALERT |
9824 return SECFailure; /* error code set */ | 10436 return SECFailure; /* error code set */ |
9825 } | 10437 } |
9826 break; | 10438 break; |
9827 | 10439 |
| 10440 case ssl_kea_dh: |
| 10441 if (ss->dheKeyPair && ss->dheKeyPair->pubKey) { |
| 10442 serverPubKey = ss->dheKeyPair->pubKey; |
| 10443 } |
| 10444 if (!serverPubKey) { |
| 10445 PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); |
| 10446 return SECFailure; |
| 10447 } |
| 10448 rv = ssl3_HandleDHClientKeyExchange(ss, b, length, |
| 10449 serverPubKey, serverKey); |
| 10450 if (rv != SECSuccess) { |
| 10451 SSL3_SendAlert(ss, alert_fatal, handshake_failure); |
| 10452 return SECFailure; /* error code set */ |
| 10453 } |
| 10454 break; |
9828 | 10455 |
9829 #ifndef NSS_DISABLE_ECC | 10456 #ifndef NSS_DISABLE_ECC |
9830 case kt_ecdh: | 10457 case kt_ecdh: |
9831 /* XXX We really ought to be able to store multiple | 10458 /* XXX We really ought to be able to store multiple |
9832 * EC certs (a requirement if we wish to support both | 10459 * EC certs (a requirement if we wish to support both |
9833 * ECDH-RSA and ECDH-ECDSA key exchanges concurrently). | 10460 * ECDH-RSA and ECDH-ECDSA key exchanges concurrently). |
9834 * When we make that change, we'll need an index other | 10461 * When we make that change, we'll need an index other |
9835 * than kt_ecdh to pick the right EC certificate. | 10462 * than kt_ecdh to pick the right EC certificate. |
9836 */ | 10463 */ |
9837 if (serverKeyPair) { | 10464 if (serverKeyPair) { |
(...skipping 609 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
10447 | 11074 |
10448 static SECStatus | 11075 static SECStatus |
10449 ssl3_AuthCertificate(sslSocket *ss) | 11076 ssl3_AuthCertificate(sslSocket *ss) |
10450 { | 11077 { |
10451 SECStatus rv; | 11078 SECStatus rv; |
10452 PRBool isServer = (PRBool)(!!ss->sec.isServer); | 11079 PRBool isServer = (PRBool)(!!ss->sec.isServer); |
10453 int errCode; | 11080 int errCode; |
10454 | 11081 |
10455 ss->ssl3.hs.authCertificatePending = PR_FALSE; | 11082 ss->ssl3.hs.authCertificatePending = PR_FALSE; |
10456 | 11083 |
| 11084 PORT_Assert((ss->ssl3.hs.preliminaryInfo & ssl_preinfo_all) == |
| 11085 ssl_preinfo_all); |
10457 /* | 11086 /* |
10458 * Ask caller-supplied callback function to validate cert chain. | 11087 * Ask caller-supplied callback function to validate cert chain. |
10459 */ | 11088 */ |
10460 rv = (SECStatus)(*ss->authCertificate)(ss->authCertificateArg, ss->fd, | 11089 rv = (SECStatus)(*ss->authCertificate)(ss->authCertificateArg, ss->fd, |
10461 PR_TRUE, isServer); | 11090 PR_TRUE, isServer); |
10462 if (rv) { | 11091 if (rv) { |
10463 errCode = PORT_GetError(); | 11092 errCode = PORT_GetError(); |
10464 if (rv != SECWouldBlock) { | 11093 if (rv != SECWouldBlock) { |
10465 if (ss->handleBadCert) { | 11094 if (ss->handleBadCert) { |
10466 rv = (*ss->handleBadCert)(ss->badCertArg, ss->fd); | 11095 rv = (*ss->handleBadCert)(ss->badCertArg, ss->fd); |
(...skipping 24 matching lines...) Expand all Loading... |
10491 CERTCertificate *cert = ss->sec.peerCert; | 11120 CERTCertificate *cert = ss->sec.peerCert; |
10492 | 11121 |
10493 /* set the server authentication and key exchange types and sizes | 11122 /* set the server authentication and key exchange types and sizes |
10494 ** from the value in the cert. If the key exchange key is different, | 11123 ** from the value in the cert. If the key exchange key is different, |
10495 ** it will get fixed when we handle the server key exchange message. | 11124 ** it will get fixed when we handle the server key exchange message. |
10496 */ | 11125 */ |
10497 SECKEYPublicKey * pubKey = CERT_ExtractPublicKey(cert); | 11126 SECKEYPublicKey * pubKey = CERT_ExtractPublicKey(cert); |
10498 ss->sec.authAlgorithm = ss->ssl3.hs.kea_def->signKeyType; | 11127 ss->sec.authAlgorithm = ss->ssl3.hs.kea_def->signKeyType; |
10499 ss->sec.keaType = ss->ssl3.hs.kea_def->exchKeyType; | 11128 ss->sec.keaType = ss->ssl3.hs.kea_def->exchKeyType; |
10500 if (pubKey) { | 11129 if (pubKey) { |
| 11130 KeyType pubKeyType; |
| 11131 PRInt32 minKey; |
10501 ss->sec.keaKeyBits = ss->sec.authKeyBits = | 11132 ss->sec.keaKeyBits = ss->sec.authKeyBits = |
10502 SECKEY_PublicKeyStrengthInBits(pubKey); | 11133 SECKEY_PublicKeyStrengthInBits(pubKey); |
10503 #ifndef NSS_DISABLE_ECC | 11134 pubKeyType = SECKEY_GetPublicKeyType(pubKey); |
10504 » if (ss->sec.keaType == kt_ecdh) { | 11135 » minKey = ss->sec.authKeyBits; |
10505 » » /* Get authKeyBits from signing key. | 11136 » switch (pubKeyType) { |
10506 » » * XXX The code below uses a quick approximation of | 11137 » case rsaKey: |
10507 » » * key size based on cert->signatureWrap.signature.data | 11138 » case rsaPssKey: |
10508 » » * (which contains the DER encoded signature). The field | 11139 » case rsaOaepKey: |
10509 » » * cert->signatureWrap.signature.len contains the | 11140 » » rv = NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &minKey); |
10510 » » * length of the encoded signature in bits. | 11141 » » if (rv != SECSuccess) { |
10511 » » */ | 11142 » » minKey = SSL_RSA_MIN_MODULUS_BITS; |
10512 » » if (ss->ssl3.hs.kea_def->kea == kea_ecdh_ecdsa) { | |
10513 » » ss->sec.authKeyBits = | |
10514 » » » cert->signatureWrap.signature.data[3]*8; | |
10515 » » if (cert->signatureWrap.signature.data[4] == 0x00) | |
10516 » » » ss->sec.authKeyBits -= 8; | |
10517 » » /* | |
10518 » » * XXX: if cert is not signed by ecdsa we should | |
10519 » » * destroy pubKey and goto bad_cert | |
10520 » » */ | |
10521 » » } else if (ss->ssl3.hs.kea_def->kea == kea_ecdh_rsa) { | |
10522 » » ss->sec.authKeyBits = cert->signatureWrap.signature.len; | |
10523 » » /* | |
10524 » » * XXX: if cert is not signed by rsa we should | |
10525 » » * destroy pubKey and goto bad_cert | |
10526 » » */ | |
10527 } | 11143 } |
| 11144 break; |
| 11145 case dsaKey: |
| 11146 rv = NSS_OptionGet(NSS_DSA_MIN_KEY_SIZE, &minKey); |
| 11147 if (rv != SECSuccess) { |
| 11148 minKey = SSL_DSA_MIN_P_BITS; |
| 11149 } |
| 11150 break; |
| 11151 case dhKey: |
| 11152 rv = NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minKey); |
| 11153 if (rv != SECSuccess) { |
| 11154 minKey = SSL_DH_MIN_P_BITS; |
| 11155 } |
| 11156 break; |
| 11157 default: |
| 11158 break; |
10528 } | 11159 } |
10529 #endif /* NSS_DISABLE_ECC */ | 11160 |
| 11161 /* Too small: not good enough. Send a fatal alert. */ |
| 11162 /* We aren't checking EC here on the understanding that we only |
| 11163 * support curves we like, a decision that might need revisiting. */ |
| 11164 if ( ss->sec.authKeyBits < minKey) { |
| 11165 PORT_SetError(SSL_ERROR_WEAK_SERVER_CERT_KEY); |
| 11166 (void)SSL3_SendAlert(ss, alert_fatal, |
| 11167 ss->version >= SSL_LIBRARY_VERSION_TLS_1_0 |
| 11168 ? insufficient_security |
| 11169 : illegal_parameter); |
| 11170 SECKEY_DestroyPublicKey(pubKey); |
| 11171 return SECFailure; |
| 11172 } |
10530 SECKEY_DestroyPublicKey(pubKey); | 11173 SECKEY_DestroyPublicKey(pubKey); |
10531 pubKey = NULL; | 11174 pubKey = NULL; |
10532 } | 11175 } |
10533 | 11176 |
10534 if (ss->ssl3.hs.kea_def->ephemeral) { | 11177 /* Ephemeral suites require ServerKeyExchange. Export cipher suites |
| 11178 * with RSA key exchange also require ServerKeyExchange if the |
| 11179 * authentication key exceeds the key size limit. */ |
| 11180 if (ss->ssl3.hs.kea_def->ephemeral || |
| 11181 (ss->ssl3.hs.kea_def->is_limited && |
| 11182 ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_rsa && |
| 11183 ss->sec.authKeyBits > ss->ssl3.hs.kea_def->key_size_limit)) { |
10535 ss->ssl3.hs.ws = wait_server_key; /* require server_key_exchange */ | 11184 ss->ssl3.hs.ws = wait_server_key; /* require server_key_exchange */ |
10536 } else { | 11185 } else { |
10537 ss->ssl3.hs.ws = wait_cert_request; /* disallow server_key_exchange
*/ | 11186 ss->ssl3.hs.ws = wait_cert_request; /* disallow server_key_exchange
*/ |
10538 } | 11187 } |
10539 } else { | 11188 } else { |
10540 ss->ssl3.hs.ws = wait_client_key; | 11189 ss->ssl3.hs.ws = wait_client_key; |
10541 } | 11190 } |
10542 | 11191 |
10543 PORT_Assert(rv == SECSuccess); | 11192 PORT_Assert(rv == SECSuccess); |
10544 if (rv != SECSuccess) { | 11193 if (rv != SECSuccess) { |
(...skipping 91 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
10636 | 11285 |
10637 return rv; | 11286 return rv; |
10638 } | 11287 } |
10639 | 11288 |
10640 static SECStatus | 11289 static SECStatus |
10641 ssl3_ComputeTLSFinished(ssl3CipherSpec *spec, | 11290 ssl3_ComputeTLSFinished(ssl3CipherSpec *spec, |
10642 PRBool isServer, | 11291 PRBool isServer, |
10643 const SSL3Hashes * hashes, | 11292 const SSL3Hashes * hashes, |
10644 TLSFinished * tlsFinished) | 11293 TLSFinished * tlsFinished) |
10645 { | 11294 { |
10646 const char * label; | 11295 SECStatus rv; |
10647 unsigned int len; | 11296 CK_TLS_MAC_PARAMS tls_mac_params; |
10648 SECStatus rv; | 11297 SECItem param = {siBuffer, NULL, 0}; |
| 11298 PK11Context *prf_context; |
| 11299 unsigned int retLen; |
10649 | 11300 |
10650 label = isServer ? "server finished" : "client finished"; | 11301 if (!spec->master_secret || spec->bypassCiphers) { |
10651 len = 15; | 11302 » const char *label = isServer ? "server finished" : "client finished"; |
| 11303 » unsigned int len = 15; |
10652 | 11304 |
10653 rv = ssl3_TLSPRFWithMasterSecret(spec, label, len, hashes->u.raw, | 11305 » return ssl3_TLSPRFWithMasterSecret(spec, label, len, hashes->u.raw, |
10654 » hashes->len, tlsFinished->verify_data, | 11306 » hashes->len, tlsFinished->verify_data, |
10655 » sizeof tlsFinished->verify_data); | 11307 » sizeof tlsFinished->verify_data); |
| 11308 } |
| 11309 |
| 11310 if (spec->version < SSL_LIBRARY_VERSION_TLS_1_2) { |
| 11311 » tls_mac_params.prfMechanism = CKM_TLS_PRF; |
| 11312 } else { |
| 11313 » tls_mac_params.prfMechanism = CKM_SHA256; |
| 11314 } |
| 11315 tls_mac_params.ulMacLength = 12; |
| 11316 tls_mac_params.ulServerOrClient = isServer ? 1 : 2; |
| 11317 param.data = (unsigned char *)&tls_mac_params; |
| 11318 param.len = sizeof(tls_mac_params); |
| 11319 prf_context = PK11_CreateContextBySymKey(CKM_TLS_MAC, CKA_SIGN, |
| 11320 » » » » » spec->master_secret, ¶m); |
| 11321 if (!prf_context) |
| 11322 » return SECFailure; |
| 11323 |
| 11324 rv = PK11_DigestBegin(prf_context); |
| 11325 rv |= PK11_DigestOp(prf_context, hashes->u.raw, hashes->len); |
| 11326 rv |= PK11_DigestFinal(prf_context, tlsFinished->verify_data, &retLen, |
| 11327 » » » sizeof tlsFinished->verify_data); |
| 11328 PORT_Assert(rv != SECSuccess || retLen == sizeof tlsFinished->verify_data); |
| 11329 |
| 11330 PK11_DestroyContext(prf_context, PR_TRUE); |
10656 | 11331 |
10657 return rv; | 11332 return rv; |
10658 } | 11333 } |
10659 | 11334 |
10660 /* The calling function must acquire and release the appropriate | 11335 /* The calling function must acquire and release the appropriate |
10661 * lock (e.g., ssl_GetSpecReadLock / ssl_ReleaseSpecReadLock for | 11336 * lock (e.g., ssl_GetSpecReadLock / ssl_ReleaseSpecReadLock for |
10662 * ss->ssl3.crSpec). | 11337 * ss->ssl3.crSpec). |
10663 */ | 11338 */ |
10664 SECStatus | 11339 SECStatus |
10665 ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec, const char *label, | 11340 ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec, const char *label, |
(...skipping 497 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
11163 | 11838 |
11164 SSL_TRC(3, ("%d: SSL3[%d]: handle finished handshake", | 11839 SSL_TRC(3, ("%d: SSL3[%d]: handle finished handshake", |
11165 SSL_GETPID(), ss->fd)); | 11840 SSL_GETPID(), ss->fd)); |
11166 | 11841 |
11167 if (ss->ssl3.hs.ws != wait_finished) { | 11842 if (ss->ssl3.hs.ws != wait_finished) { |
11168 SSL3_SendAlert(ss, alert_fatal, unexpected_message); | 11843 SSL3_SendAlert(ss, alert_fatal, unexpected_message); |
11169 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_FINISHED); | 11844 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_FINISHED); |
11170 return SECFailure; | 11845 return SECFailure; |
11171 } | 11846 } |
11172 | 11847 |
| 11848 if (!hashes) { |
| 11849 PORT_Assert(0); |
| 11850 SSL3_SendAlert(ss, alert_fatal, internal_error); |
| 11851 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
| 11852 return SECFailure; |
| 11853 } |
| 11854 |
11173 isTLS = (PRBool)(ss->ssl3.crSpec->version > SSL_LIBRARY_VERSION_3_0); | 11855 isTLS = (PRBool)(ss->ssl3.crSpec->version > SSL_LIBRARY_VERSION_3_0); |
11174 if (isTLS) { | 11856 if (isTLS) { |
11175 TLSFinished tlsFinished; | 11857 TLSFinished tlsFinished; |
11176 | 11858 |
11177 if (length != sizeof tlsFinished) { | 11859 if (length != sizeof tlsFinished) { |
11178 (void)SSL3_SendAlert(ss, alert_fatal, decode_error); | 11860 (void)SSL3_SendAlert(ss, alert_fatal, decode_error); |
11179 PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED); | 11861 PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED); |
11180 return SECFailure; | 11862 return SECFailure; |
11181 } | 11863 } |
11182 rv = ssl3_ComputeTLSFinished(ss->ssl3.crSpec, !isServer, | 11864 rv = ssl3_ComputeTLSFinished(ss->ssl3.crSpec, !isServer, |
(...skipping 35 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
11218 (!isServer && ss->ssl3.hs.isResuming)) { | 11900 (!isServer && ss->ssl3.hs.isResuming)) { |
11219 PRInt32 flags = 0; | 11901 PRInt32 flags = 0; |
11220 | 11902 |
11221 /* Send a NewSessionTicket message if the client sent us | 11903 /* Send a NewSessionTicket message if the client sent us |
11222 * either an empty session ticket, or one that did not verify. | 11904 * either an empty session ticket, or one that did not verify. |
11223 * (Note that if either of these conditions was met, then the | 11905 * (Note that if either of these conditions was met, then the |
11224 * server has sent a SessionTicket extension in the | 11906 * server has sent a SessionTicket extension in the |
11225 * ServerHello message.) | 11907 * ServerHello message.) |
11226 */ | 11908 */ |
11227 if (isServer && !ss->ssl3.hs.isResuming && | 11909 if (isServer && !ss->ssl3.hs.isResuming && |
11228 » ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn)) { | 11910 » ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn) && |
| 11911 » ssl3_KEAAllowsSessionTicket(ss->ssl3.hs.suite_def->key_exchange_alg)
) { |
11229 /* RFC 5077 Section 3.3: "In the case of a full handshake, the | 11912 /* RFC 5077 Section 3.3: "In the case of a full handshake, the |
11230 * server MUST verify the client's Finished message before sending | 11913 * server MUST verify the client's Finished message before sending |
11231 * the ticket." Presumably, this also means that the client's | 11914 * the ticket." Presumably, this also means that the client's |
11232 * certificate, if any, must be verified beforehand too. | 11915 * certificate, if any, must be verified beforehand too. |
11233 */ | 11916 */ |
11234 rv = ssl3_SendNewSessionTicket(ss); | 11917 rv = ssl3_SendNewSessionTicket(ss); |
11235 if (rv != SECSuccess) { | 11918 if (rv != SECSuccess) { |
11236 goto xmit_loser; | 11919 goto xmit_loser; |
11237 } | 11920 } |
11238 } | 11921 } |
(...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
11271 goto xmit_loser; /* err is set. */ | 11954 goto xmit_loser; /* err is set. */ |
11272 } | 11955 } |
11273 } | 11956 } |
11274 | 11957 |
11275 xmit_loser: | 11958 xmit_loser: |
11276 ssl_ReleaseXmitBufLock(ss); /*************************************/ | 11959 ssl_ReleaseXmitBufLock(ss); /*************************************/ |
11277 if (rv != SECSuccess) { | 11960 if (rv != SECSuccess) { |
11278 return rv; | 11961 return rv; |
11279 } | 11962 } |
11280 | 11963 |
11281 if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) { | 11964 if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa || |
| 11965 ss->ssl3.hs.kea_def->kea == kea_dhe_rsa) { |
11282 effectiveExchKeyType = kt_rsa; | 11966 effectiveExchKeyType = kt_rsa; |
11283 } else { | 11967 } else { |
11284 effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType; | 11968 effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType; |
11285 } | 11969 } |
11286 | 11970 |
11287 if (sid->cached == never_cached && !ss->opt.noCache && ss->sec.cache) { | 11971 if (sid->cached == never_cached && !ss->opt.noCache && ss->sec.cache) { |
11288 /* fill in the sid */ | 11972 /* fill in the sid */ |
11289 sid->u.ssl3.cipherSuite = ss->ssl3.hs.cipher_suite; | 11973 sid->u.ssl3.cipherSuite = ss->ssl3.hs.cipher_suite; |
11290 sid->u.ssl3.compression = ss->ssl3.hs.compression; | 11974 sid->u.ssl3.compression = ss->ssl3.hs.compression; |
11291 sid->u.ssl3.policy = ss->ssl3.policy; | 11975 sid->u.ssl3.policy = ss->ssl3.policy; |
(...skipping 99 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
11391 /* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3 | 12075 /* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3 |
11392 * hanshake message. | 12076 * hanshake message. |
11393 * Caller must hold Handshake and RecvBuf locks. | 12077 * Caller must hold Handshake and RecvBuf locks. |
11394 */ | 12078 */ |
11395 SECStatus | 12079 SECStatus |
11396 ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length) | 12080 ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
11397 { | 12081 { |
11398 SECStatus rv = SECSuccess; | 12082 SECStatus rv = SECSuccess; |
11399 SSL3HandshakeType type = ss->ssl3.hs.msg_type; | 12083 SSL3HandshakeType type = ss->ssl3.hs.msg_type; |
11400 SSL3Hashes hashes; /* computed hashes are put here. */ | 12084 SSL3Hashes hashes; /* computed hashes are put here. */ |
| 12085 SSL3Hashes *hashesPtr = NULL; /* Set when hashes are computed */ |
11401 PRUint8 hdr[4]; | 12086 PRUint8 hdr[4]; |
11402 PRUint8 dtlsData[8]; | 12087 PRUint8 dtlsData[8]; |
11403 | 12088 |
11404 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 12089 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
11405 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 12090 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
11406 /* | 12091 /* |
11407 * We have to compute the hashes before we update them with the | 12092 * We have to compute the hashes before we update them with the |
11408 * current message. | 12093 * current message. |
11409 */ | 12094 */ |
11410 ssl_GetSpecReadLock(ss); /************************************/ | 12095 ssl_GetSpecReadLock(ss); /************************************/ |
11411 if((type == finished) || (type == certificate_verify)) { | 12096 if(((type == finished) && (ss->ssl3.hs.ws == wait_finished)) || |
| 12097 ((type == certificate_verify) && (ss->ssl3.hs.ws == wait_cert_verify))) { |
11412 SSL3Sender sender = (SSL3Sender)0; | 12098 SSL3Sender sender = (SSL3Sender)0; |
11413 ssl3CipherSpec *rSpec = ss->ssl3.prSpec; | 12099 ssl3CipherSpec *rSpec = ss->ssl3.prSpec; |
11414 | 12100 |
11415 if (type == finished) { | 12101 if (type == finished) { |
11416 sender = ss->sec.isServer ? sender_client : sender_server; | 12102 sender = ss->sec.isServer ? sender_client : sender_server; |
11417 rSpec = ss->ssl3.crSpec; | 12103 rSpec = ss->ssl3.crSpec; |
11418 } | 12104 } |
11419 rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender); | 12105 rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender); |
| 12106 if (rv == SECSuccess) { |
| 12107 hashesPtr = &hashes; |
| 12108 } |
11420 } | 12109 } |
11421 ssl_ReleaseSpecReadLock(ss); /************************************/ | 12110 ssl_ReleaseSpecReadLock(ss); /************************************/ |
11422 if (rv != SECSuccess) { | 12111 if (rv != SECSuccess) { |
11423 return rv; /* error code was set by ssl3_ComputeHandshakeHashes*/ | 12112 return rv; /* error code was set by ssl3_ComputeHandshakeHashes*/ |
11424 } | 12113 } |
11425 SSL_TRC(30,("%d: SSL3[%d]: handle handshake message: %s", SSL_GETPID(), | 12114 SSL_TRC(30,("%d: SSL3[%d]: handle handshake message: %s", SSL_GETPID(), |
11426 ss->fd, ssl3_DecodeHandshakeType(ss->ssl3.hs.msg_type))); | 12115 ss->fd, ssl3_DecodeHandshakeType(ss->ssl3.hs.msg_type))); |
11427 | 12116 |
11428 hdr[0] = (PRUint8)ss->ssl3.hs.msg_type; | 12117 hdr[0] = (PRUint8)ss->ssl3.hs.msg_type; |
11429 hdr[1] = (PRUint8)(length >> 16); | 12118 hdr[1] = (PRUint8)(length >> 16); |
(...skipping 130 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
11560 return SECFailure; | 12249 return SECFailure; |
11561 } | 12250 } |
11562 rv = ssl3_HandleServerHelloDone(ss); | 12251 rv = ssl3_HandleServerHelloDone(ss); |
11563 break; | 12252 break; |
11564 case certificate_verify: | 12253 case certificate_verify: |
11565 if (!ss->sec.isServer) { | 12254 if (!ss->sec.isServer) { |
11566 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); | 12255 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); |
11567 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY); | 12256 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY); |
11568 return SECFailure; | 12257 return SECFailure; |
11569 } | 12258 } |
11570 » rv = ssl3_HandleCertificateVerify(ss, b, length, &hashes); | 12259 » rv = ssl3_HandleCertificateVerify(ss, b, length, hashesPtr); |
11571 break; | 12260 break; |
11572 case client_key_exchange: | 12261 case client_key_exchange: |
11573 if (!ss->sec.isServer) { | 12262 if (!ss->sec.isServer) { |
11574 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); | 12263 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); |
11575 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH); | 12264 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH); |
11576 return SECFailure; | 12265 return SECFailure; |
11577 } | 12266 } |
11578 rv = ssl3_HandleClientKeyExchange(ss, b, length); | 12267 rv = ssl3_HandleClientKeyExchange(ss, b, length); |
11579 break; | 12268 break; |
11580 case new_session_ticket: | 12269 case new_session_ticket: |
11581 if (ss->sec.isServer) { | 12270 if (ss->sec.isServer) { |
11582 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); | 12271 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); |
11583 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET); | 12272 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET); |
11584 return SECFailure; | 12273 return SECFailure; |
11585 } | 12274 } |
11586 rv = ssl3_HandleNewSessionTicket(ss, b, length); | 12275 rv = ssl3_HandleNewSessionTicket(ss, b, length); |
11587 break; | 12276 break; |
11588 case finished: | 12277 case finished: |
11589 rv = ssl3_HandleFinished(ss, b, length, &hashes); | 12278 rv = ssl3_HandleFinished(ss, b, length, hashesPtr); |
11590 break; | 12279 break; |
11591 default: | 12280 default: |
11592 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); | 12281 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); |
11593 PORT_SetError(SSL_ERROR_RX_UNKNOWN_HANDSHAKE); | 12282 PORT_SetError(SSL_ERROR_RX_UNKNOWN_HANDSHAKE); |
11594 rv = SECFailure; | 12283 rv = SECFailure; |
11595 } | 12284 } |
11596 | 12285 |
11597 if (IS_DTLS(ss) && (rv != SECFailure)) { | 12286 if (IS_DTLS(ss) && (rv != SECFailure)) { |
11598 /* Increment the expected sequence number */ | 12287 /* Increment the expected sequence number */ |
11599 ss->ssl3.hs.recvMessageSeq++; | 12288 ss->ssl3.hs.recvMessageSeq++; |
(...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
11634 if (ss->ssl3.hs.header_bytes++ == 0) | 12323 if (ss->ssl3.hs.header_bytes++ == 0) |
11635 ss->ssl3.hs.msg_type = (SSL3HandshakeType)t; | 12324 ss->ssl3.hs.msg_type = (SSL3HandshakeType)t; |
11636 else | 12325 else |
11637 ss->ssl3.hs.msg_len = (ss->ssl3.hs.msg_len << 8) + t; | 12326 ss->ssl3.hs.msg_len = (ss->ssl3.hs.msg_len << 8) + t; |
11638 if (ss->ssl3.hs.header_bytes < 4) | 12327 if (ss->ssl3.hs.header_bytes < 4) |
11639 continue; | 12328 continue; |
11640 | 12329 |
11641 #define MAX_HANDSHAKE_MSG_LEN 0x1ffff /* 128k - 1 */ | 12330 #define MAX_HANDSHAKE_MSG_LEN 0x1ffff /* 128k - 1 */ |
11642 if (ss->ssl3.hs.msg_len > MAX_HANDSHAKE_MSG_LEN) { | 12331 if (ss->ssl3.hs.msg_len > MAX_HANDSHAKE_MSG_LEN) { |
11643 (void)ssl3_DecodeError(ss); | 12332 (void)ssl3_DecodeError(ss); |
11644 » » PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); | 12333 » » PORT_SetError(SSL_ERROR_RX_MALFORMED_HANDSHAKE); |
11645 return SECFailure; | 12334 return SECFailure; |
11646 } | 12335 } |
11647 #undef MAX_HANDSHAKE_MSG_LEN | 12336 #undef MAX_HANDSHAKE_MSG_LEN |
11648 | 12337 |
11649 /* If msg_len is zero, be sure we fall through, | 12338 /* If msg_len is zero, be sure we fall through, |
11650 ** even if buf->len is zero. | 12339 ** even if buf->len is zero. |
11651 */ | 12340 */ |
11652 if (ss->ssl3.hs.msg_len > 0) | 12341 if (ss->ssl3.hs.msg_len > 0) |
11653 continue; | 12342 continue; |
11654 } | 12343 } |
(...skipping 280 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
11935 ssl3CipherSpec * crSpec; | 12624 ssl3CipherSpec * crSpec; |
11936 SECStatus rv; | 12625 SECStatus rv; |
11937 unsigned int hashBytes = MAX_MAC_LENGTH + 1; | 12626 unsigned int hashBytes = MAX_MAC_LENGTH + 1; |
11938 PRBool isTLS; | 12627 PRBool isTLS; |
11939 SSL3ContentType rType; | 12628 SSL3ContentType rType; |
11940 SSL3Opaque hash[MAX_MAC_LENGTH]; | 12629 SSL3Opaque hash[MAX_MAC_LENGTH]; |
11941 SSL3Opaque givenHashBuf[MAX_MAC_LENGTH]; | 12630 SSL3Opaque givenHashBuf[MAX_MAC_LENGTH]; |
11942 SSL3Opaque *givenHash; | 12631 SSL3Opaque *givenHash; |
11943 sslBuffer *plaintext; | 12632 sslBuffer *plaintext; |
11944 sslBuffer temp_buf; | 12633 sslBuffer temp_buf; |
11945 PRUint64 dtls_seq_num; | 12634 PRUint64 dtls_seq_num = 0; |
11946 unsigned int ivLen = 0; | 12635 unsigned int ivLen = 0; |
11947 unsigned int originalLen = 0; | 12636 unsigned int originalLen = 0; |
11948 unsigned int good; | 12637 unsigned int good; |
11949 unsigned int minLength; | 12638 unsigned int minLength; |
11950 unsigned char header[13]; | 12639 unsigned char header[13]; |
11951 unsigned int headerLen; | 12640 unsigned int headerLen; |
11952 | 12641 |
11953 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 12642 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
11954 | 12643 |
11955 if (!ss->ssl3.initialized) { | 12644 if (!ss->ssl3.initialized) { |
(...skipping 460 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
12416 return SECSuccess; /* Function should be idempotent */ | 13105 return SECSuccess; /* Function should be idempotent */ |
12417 | 13106 |
12418 ss->ssl3.policy = SSL_ALLOWED; | 13107 ss->ssl3.policy = SSL_ALLOWED; |
12419 | 13108 |
12420 ssl_GetSpecWriteLock(ss); | 13109 ssl_GetSpecWriteLock(ss); |
12421 ss->ssl3.crSpec = ss->ssl3.cwSpec = &ss->ssl3.specs[0]; | 13110 ss->ssl3.crSpec = ss->ssl3.cwSpec = &ss->ssl3.specs[0]; |
12422 ss->ssl3.prSpec = ss->ssl3.pwSpec = &ss->ssl3.specs[1]; | 13111 ss->ssl3.prSpec = ss->ssl3.pwSpec = &ss->ssl3.specs[1]; |
12423 ss->ssl3.hs.sendingSCSV = PR_FALSE; | 13112 ss->ssl3.hs.sendingSCSV = PR_FALSE; |
12424 ssl3_InitCipherSpec(ss, ss->ssl3.crSpec); | 13113 ssl3_InitCipherSpec(ss, ss->ssl3.crSpec); |
12425 ssl3_InitCipherSpec(ss, ss->ssl3.prSpec); | 13114 ssl3_InitCipherSpec(ss, ss->ssl3.prSpec); |
| 13115 ss->ssl3.hs.preliminaryInfo = 0; |
12426 | 13116 |
12427 ss->ssl3.hs.ws = (ss->sec.isServer) ? wait_client_hello : wait_server_hello; | 13117 ss->ssl3.hs.ws = (ss->sec.isServer) ? wait_client_hello : wait_server_hello; |
12428 #ifndef NSS_DISABLE_ECC | 13118 #ifndef NSS_DISABLE_ECC |
12429 ss->ssl3.hs.negotiatedECCurves = ssl3_GetSupportedECCurveMask(ss); | 13119 ss->ssl3.hs.negotiatedECCurves = ssl3_GetSupportedECCurveMask(ss); |
12430 #endif | 13120 #endif |
12431 ssl_ReleaseSpecWriteLock(ss); | 13121 ssl_ReleaseSpecWriteLock(ss); |
12432 | 13122 |
12433 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData)); | 13123 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData)); |
12434 | 13124 |
12435 if (IS_DTLS(ss)) { | 13125 if (IS_DTLS(ss)) { |
(...skipping 53 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
12489 PRInt32 newCount = PR_ATOMIC_DECREMENT(&keyPair->refCount); | 13179 PRInt32 newCount = PR_ATOMIC_DECREMENT(&keyPair->refCount); |
12490 if (!newCount) { | 13180 if (!newCount) { |
12491 if (keyPair->privKey) | 13181 if (keyPair->privKey) |
12492 SECKEY_DestroyPrivateKey(keyPair->privKey); | 13182 SECKEY_DestroyPrivateKey(keyPair->privKey); |
12493 if (keyPair->pubKey) | 13183 if (keyPair->pubKey) |
12494 SECKEY_DestroyPublicKey( keyPair->pubKey); | 13184 SECKEY_DestroyPublicKey( keyPair->pubKey); |
12495 PORT_Free(keyPair); | 13185 PORT_Free(keyPair); |
12496 } | 13186 } |
12497 } | 13187 } |
12498 | 13188 |
12499 | |
12500 | |
12501 /* | 13189 /* |
12502 * Creates the public and private RSA keys for SSL Step down. | 13190 * Creates the public and private RSA keys for SSL Step down. |
12503 * Called from SSL_ConfigSecureServer in sslsecur.c | 13191 * Called from SSL_ConfigSecureServer in sslsecur.c |
12504 */ | 13192 */ |
12505 SECStatus | 13193 SECStatus |
12506 ssl3_CreateRSAStepDownKeys(sslSocket *ss) | 13194 ssl3_CreateRSAStepDownKeys(sslSocket *ss) |
12507 { | 13195 { |
12508 SECStatus rv = SECSuccess; | 13196 SECStatus rv = SECSuccess; |
12509 SECKEYPrivateKey * privKey; /* RSA step down key */ | 13197 SECKEYPrivateKey * privKey; /* RSA step down key */ |
12510 SECKEYPublicKey * pubKey; /* RSA step down key */ | 13198 SECKEYPublicKey * pubKey; /* RSA step down key */ |
(...skipping 11 matching lines...) Expand all Loading... |
12522 if (!privKey || !pubKey || | 13210 if (!privKey || !pubKey || |
12523 !(ss->stepDownKeyPair = ssl3_NewKeyPair(privKey, pubKey))) { | 13211 !(ss->stepDownKeyPair = ssl3_NewKeyPair(privKey, pubKey))) { |
12524 ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL); | 13212 ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL); |
12525 rv = SECFailure; | 13213 rv = SECFailure; |
12526 } | 13214 } |
12527 } | 13215 } |
12528 #endif | 13216 #endif |
12529 return rv; | 13217 return rv; |
12530 } | 13218 } |
12531 | 13219 |
12532 | |
12533 /* record the export policy for this cipher suite */ | 13220 /* record the export policy for this cipher suite */ |
12534 SECStatus | 13221 SECStatus |
12535 ssl3_SetPolicy(ssl3CipherSuite which, int policy) | 13222 ssl3_SetPolicy(ssl3CipherSuite which, int policy) |
12536 { | 13223 { |
12537 ssl3CipherSuiteCfg *suite; | 13224 ssl3CipherSuiteCfg *suite; |
12538 | 13225 |
12539 suite = ssl_LookupCipherSuiteCfg(which, cipherSuites); | 13226 suite = ssl_LookupCipherSuiteCfg(which, cipherSuites); |
12540 if (suite == NULL) { | 13227 if (suite == NULL) { |
12541 return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */ | 13228 return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */ |
12542 } | 13229 } |
(...skipping 81 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
12624 rv = SECSuccess; | 13311 rv = SECSuccess; |
12625 } else { | 13312 } else { |
12626 pref = SSL_NOT_ALLOWED; | 13313 pref = SSL_NOT_ALLOWED; |
12627 rv = SECFailure; /* err code was set by Lookup. */ | 13314 rv = SECFailure; /* err code was set by Lookup. */ |
12628 } | 13315 } |
12629 *enabled = pref; | 13316 *enabled = pref; |
12630 return rv; | 13317 return rv; |
12631 } | 13318 } |
12632 | 13319 |
12633 SECStatus | 13320 SECStatus |
| 13321 SSL_SignaturePrefSet(PRFileDesc *fd, const SSLSignatureAndHashAlg *algorithms, |
| 13322 unsigned int count) |
| 13323 { |
| 13324 sslSocket *ss; |
| 13325 unsigned int i; |
| 13326 |
| 13327 ss = ssl_FindSocket(fd); |
| 13328 if (!ss) { |
| 13329 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SignaturePrefSet", |
| 13330 SSL_GETPID(), fd)); |
| 13331 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 13332 return SECFailure; |
| 13333 } |
| 13334 |
| 13335 if (!count || count > MAX_SIGNATURE_ALGORITHMS) { |
| 13336 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 13337 return SECFailure; |
| 13338 } |
| 13339 |
| 13340 ss->ssl3.signatureAlgorithmCount = 0; |
| 13341 for (i = 0; i < count; ++i) { |
| 13342 if (!ssl3_IsSupportedSignatureAlgorithm(&algorithms[i])) { |
| 13343 SSL_DBG(("%d: SSL[%d]: invalid signature algorithm set %d/%d", |
| 13344 SSL_GETPID(), fd, algorithms[i].sigAlg, |
| 13345 algorithms[i].hashAlg)); |
| 13346 continue; |
| 13347 } |
| 13348 |
| 13349 ss->ssl3.signatureAlgorithms[ss->ssl3.signatureAlgorithmCount++] = |
| 13350 algorithms[i]; |
| 13351 } |
| 13352 |
| 13353 if (ss->ssl3.signatureAlgorithmCount == 0) { |
| 13354 PORT_SetError(SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM); |
| 13355 return SECFailure; |
| 13356 } |
| 13357 return SECSuccess; |
| 13358 } |
| 13359 |
| 13360 SECStatus |
| 13361 SSL_SignaturePrefGet(PRFileDesc *fd, SSLSignatureAndHashAlg *algorithms, |
| 13362 unsigned int *count, unsigned int maxCount) |
| 13363 { |
| 13364 sslSocket *ss; |
| 13365 unsigned int requiredSpace; |
| 13366 |
| 13367 ss = ssl_FindSocket(fd); |
| 13368 if (!ss) { |
| 13369 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SignaturePrefGet", |
| 13370 SSL_GETPID(), fd)); |
| 13371 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 13372 return SECFailure; |
| 13373 } |
| 13374 |
| 13375 if (!algorithms || !count || |
| 13376 maxCount < ss->ssl3.signatureAlgorithmCount) { |
| 13377 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 13378 return SECFailure; |
| 13379 } |
| 13380 |
| 13381 requiredSpace = |
| 13382 ss->ssl3.signatureAlgorithmCount * sizeof(SSLSignatureAndHashAlg); |
| 13383 PORT_Memcpy(algorithms, ss->ssl3.signatureAlgorithms, requiredSpace); |
| 13384 *count = ss->ssl3.signatureAlgorithmCount; |
| 13385 return SECSuccess; |
| 13386 } |
| 13387 |
| 13388 unsigned int |
| 13389 SSL_SignatureMaxCount() { |
| 13390 return MAX_SIGNATURE_ALGORITHMS; |
| 13391 } |
| 13392 |
| 13393 SECStatus |
12634 ssl3_CipherOrderSet(sslSocket *ss, const ssl3CipherSuite *ciphers, unsigned int
len) | 13394 ssl3_CipherOrderSet(sslSocket *ss, const ssl3CipherSuite *ciphers, unsigned int
len) |
12635 { | 13395 { |
12636 /* |i| iterates over |ciphers| while |done| and |j| iterate over | 13396 /* |i| iterates over |ciphers| while |done| and |j| iterate over |
12637 * |ss->cipherSuites|. */ | 13397 * |ss->cipherSuites|. */ |
12638 unsigned int i, done; | 13398 unsigned int i, done; |
12639 | 13399 |
12640 for (i = done = 0; i < len; i++) { | 13400 for (i = done = 0; i < len; i++) { |
12641 PRUint16 id = ciphers[i]; | 13401 PRUint16 id = ciphers[i]; |
12642 unsigned int existingIndex, j; | 13402 unsigned int existingIndex, j; |
12643 PRBool found = PR_FALSE; | 13403 PRBool found = PR_FALSE; |
(...skipping 24 matching lines...) Expand all Loading... |
12668 } | 13428 } |
12669 | 13429 |
12670 return SECSuccess; | 13430 return SECSuccess; |
12671 } | 13431 } |
12672 | 13432 |
12673 /* copy global default policy into socket. */ | 13433 /* copy global default policy into socket. */ |
12674 void | 13434 void |
12675 ssl3_InitSocketPolicy(sslSocket *ss) | 13435 ssl3_InitSocketPolicy(sslSocket *ss) |
12676 { | 13436 { |
12677 PORT_Memcpy(ss->cipherSuites, cipherSuites, sizeof cipherSuites); | 13437 PORT_Memcpy(ss->cipherSuites, cipherSuites, sizeof cipherSuites); |
| 13438 PORT_Memcpy(ss->ssl3.signatureAlgorithms, defaultSignatureAlgorithms, |
| 13439 sizeof(defaultSignatureAlgorithms)); |
| 13440 ss->ssl3.signatureAlgorithmCount = PR_ARRAY_SIZE(defaultSignatureAlgorithms)
; |
12678 } | 13441 } |
12679 | 13442 |
12680 SECStatus | 13443 SECStatus |
12681 ssl3_GetTLSUniqueChannelBinding(sslSocket *ss, | 13444 ssl3_GetTLSUniqueChannelBinding(sslSocket *ss, |
12682 unsigned char *out, | 13445 unsigned char *out, |
12683 unsigned int *outLen, | 13446 unsigned int *outLen, |
12684 unsigned int outLenMax) { | 13447 unsigned int outLenMax) { |
12685 PRBool isTLS; | 13448 PRBool isTLS; |
12686 int index = 0; | 13449 int index = 0; |
12687 unsigned int len; | 13450 unsigned int len; |
(...skipping 69 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
12757 return SECSuccess; | 13520 return SECSuccess; |
12758 } | 13521 } |
12759 if (cs == NULL) { | 13522 if (cs == NULL) { |
12760 *size = count_cipher_suites(ss, SSL_ALLOWED, PR_TRUE); | 13523 *size = count_cipher_suites(ss, SSL_ALLOWED, PR_TRUE); |
12761 return SECSuccess; | 13524 return SECSuccess; |
12762 } | 13525 } |
12763 | 13526 |
12764 /* ssl3_config_match_init was called by the caller of this function. */ | 13527 /* ssl3_config_match_init was called by the caller of this function. */ |
12765 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { | 13528 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { |
12766 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; | 13529 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; |
12767 » if (config_match(suite, SSL_ALLOWED, PR_TRUE, &ss->vrange)) { | 13530 » if (config_match(suite, SSL_ALLOWED, PR_TRUE, &ss->vrange, ss)) { |
12768 if (cs != NULL) { | 13531 if (cs != NULL) { |
12769 *cs++ = 0x00; | 13532 *cs++ = 0x00; |
12770 *cs++ = (suite->cipher_suite >> 8) & 0xFF; | 13533 *cs++ = (suite->cipher_suite >> 8) & 0xFF; |
12771 *cs++ = suite->cipher_suite & 0xFF; | 13534 *cs++ = suite->cipher_suite & 0xFF; |
12772 } | 13535 } |
12773 count++; | 13536 count++; |
12774 } | 13537 } |
12775 } | 13538 } |
12776 *size = count; | 13539 *size = count; |
12777 return SECSuccess; | 13540 return SECSuccess; |
(...skipping 113 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
12891 ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/); | 13654 ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/); |
12892 | 13655 |
12893 /* Destroy the DTLS data */ | 13656 /* Destroy the DTLS data */ |
12894 if (IS_DTLS(ss)) { | 13657 if (IS_DTLS(ss)) { |
12895 dtls_FreeHandshakeMessages(&ss->ssl3.hs.lastMessageFlight); | 13658 dtls_FreeHandshakeMessages(&ss->ssl3.hs.lastMessageFlight); |
12896 if (ss->ssl3.hs.recvdFragments.buf) { | 13659 if (ss->ssl3.hs.recvdFragments.buf) { |
12897 PORT_Free(ss->ssl3.hs.recvdFragments.buf); | 13660 PORT_Free(ss->ssl3.hs.recvdFragments.buf); |
12898 } | 13661 } |
12899 } | 13662 } |
12900 | 13663 |
| 13664 if (ss->ssl3.dheGroups) { |
| 13665 PORT_Free(ss->ssl3.dheGroups); |
| 13666 } |
| 13667 |
12901 ss->ssl3.initialized = PR_FALSE; | 13668 ss->ssl3.initialized = PR_FALSE; |
12902 | 13669 |
12903 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); | 13670 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); |
12904 } | 13671 } |
12905 | 13672 |
12906 /* End of ssl3con.c */ | 13673 /* End of ssl3con.c */ |
OLD | NEW |