| OLD | NEW |
| 1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ | 1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ |
| 2 /* | 2 /* |
| 3 * SSL3 Protocol | 3 * SSL3 Protocol |
| 4 * | 4 * |
| 5 * This Source Code Form is subject to the terms of the Mozilla Public | 5 * This Source Code Form is subject to the terms of the Mozilla Public |
| 6 * License, v. 2.0. If a copy of the MPL was not distributed with this | 6 * License, v. 2.0. If a copy of the MPL was not distributed with this |
| 7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| 8 | 8 |
| 9 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */ | 9 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */ |
| 10 | 10 |
| 11 #define _GNU_SOURCE 1 | 11 #define _GNU_SOURCE 1 |
| 12 #include "cert.h" | 12 #include "cert.h" |
| 13 #include "ssl.h" | 13 #include "ssl.h" |
| 14 #include "cryptohi.h" /* for DSAU_ stuff */ | 14 #include "cryptohi.h" /* for DSAU_ stuff */ |
| 15 #include "keyhi.h" | 15 #include "keyhi.h" |
| 16 #include "secder.h" | 16 #include "secder.h" |
| 17 #include "secitem.h" | 17 #include "secitem.h" |
| 18 #include "sechash.h" | 18 #include "sechash.h" |
| 19 | 19 |
| 20 #include "sslimpl.h" | 20 #include "sslimpl.h" |
| 21 #include "sslproto.h" | 21 #include "sslproto.h" |
| 22 #include "sslerr.h" | 22 #include "sslerr.h" |
| 23 #include "prtime.h" | 23 #include "prtime.h" |
| 24 #include "prinrval.h" | 24 #include "prinrval.h" |
| 25 #include "prerror.h" | 25 #include "prerror.h" |
| 26 #include "pratom.h" | 26 #include "pratom.h" |
| 27 #include "prthread.h" | 27 #include "prthread.h" |
| 28 #include "nss.h" |
| 29 #include "nssoptions.h" |
| 28 | 30 |
| 29 #include "pk11func.h" | 31 #include "pk11func.h" |
| 30 #include "secmod.h" | 32 #include "secmod.h" |
| 31 #ifndef NO_PKCS11_BYPASS | 33 #ifndef NO_PKCS11_BYPASS |
| 32 #include "blapi.h" | 34 #include "blapi.h" |
| 33 #endif | 35 #endif |
| 34 | 36 |
| 35 /* This is a bodge to allow this code to be compiled against older NSS headers | 37 /* This is a bodge to allow this code to be compiled against older NSS headers |
| 36 * that don't contain the TLS 1.2 changes. */ | 38 * that don't contain the TLS 1.2 changes. */ |
| 37 #ifndef CKM_NSS_TLS_PRF_GENERAL_SHA256 | 39 #ifndef CKM_NSS_TLS_PRF_GENERAL_SHA256 |
| (...skipping 46 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 84 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss); | 86 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss); |
| 85 static SECStatus ssl3_SendNextProto( sslSocket *ss); | 87 static SECStatus ssl3_SendNextProto( sslSocket *ss); |
| 86 static SECStatus ssl3_SendEncryptedExtensions(sslSocket *ss); | 88 static SECStatus ssl3_SendEncryptedExtensions(sslSocket *ss); |
| 87 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags); | 89 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags); |
| 88 static SECStatus ssl3_SendServerHello( sslSocket *ss); | 90 static SECStatus ssl3_SendServerHello( sslSocket *ss); |
| 89 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss); | 91 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss); |
| 90 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss); | 92 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss); |
| 91 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss, | 93 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss, |
| 92 const unsigned char *b, | 94 const unsigned char *b, |
| 93 unsigned int l); | 95 unsigned int l); |
| 96 static SECStatus ssl3_ComputeHandshakeHashes(sslSocket *ss, |
| 97 ssl3CipherSpec *spec, |
| 98 SSL3Hashes *hashes, |
| 99 PRUint32 sender); |
| 94 static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags); | 100 static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags); |
| 95 static int ssl3_OIDToTLSHashAlgorithm(SECOidTag oid); | |
| 96 | 101 |
| 97 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, | 102 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, |
| 98 int maxOutputLen, const unsigned char *input, | 103 int maxOutputLen, const unsigned char *input, |
| 99 int inputLen); | 104 int inputLen); |
| 100 #ifndef NO_PKCS11_BYPASS | 105 #ifndef NO_PKCS11_BYPASS |
| 101 static SECStatus ssl3_AESGCMBypass(ssl3KeyMaterial *keys, PRBool doDecrypt, | 106 static SECStatus ssl3_AESGCMBypass(ssl3KeyMaterial *keys, PRBool doDecrypt, |
| 102 unsigned char *out, int *outlen, int maxout, | 107 unsigned char *out, int *outlen, int maxout, |
| 103 const unsigned char *in, int inlen, | 108 const unsigned char *in, int inlen, |
| 104 const unsigned char *additionalData, | 109 const unsigned char *additionalData, |
| 105 int additionalDataLen); | 110 int additionalDataLen); |
| 106 #endif | 111 #endif |
| 107 | 112 |
| 108 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */ | 113 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */ |
| 109 #define MIN_SEND_BUF_LENGTH 4000 | 114 #define MIN_SEND_BUF_LENGTH 4000 |
| 110 | 115 |
| 111 /* This list of SSL3 cipher suites is sorted in descending order of | 116 /* This list of SSL3 cipher suites is sorted in descending order of |
| 112 * precedence (desirability). It only includes cipher suites we implement. | 117 * precedence (desirability). It only includes cipher suites we implement. |
| 113 * This table is modified by SSL3_SetPolicy(). The ordering of cipher suites | 118 * This table is modified by SSL3_SetPolicy(). The ordering of cipher suites |
| 114 * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c) | 119 * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c) |
| 115 * | 120 * |
| 116 * Important: See bug 946147 before enabling, reordering, or adding any cipher | 121 * Important: See bug 946147 before enabling, reordering, or adding any cipher |
| 117 * suites to this list. | 122 * suites to this list. |
| 118 */ | 123 */ |
| 119 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { | 124 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { |
| 120 /* cipher_suite policy enabled isPresent */ | 125 /* cipher_suite policy enabled isPresent */ |
| 121 | 126 |
| 122 #ifndef NSS_DISABLE_ECC | 127 #ifndef NSS_DISABLE_ECC |
| 123 { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 128 { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
| 124 { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 129 { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
| 125 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 130 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
| 126 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 131 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
| 127 /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around | 132 /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around |
| 128 * bug 946147. | 133 * bug 946147. |
| 129 */ | 134 */ |
| 130 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 135 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
| 131 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 136 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
| 132 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 137 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
| 133 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 138 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
| 134 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 139 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
| 135 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 140 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
| 136 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 141 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
| 137 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 142 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
| 138 { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 143 { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
| 139 { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 144 { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
| 140 #endif /* NSS_DISABLE_ECC */ | 145 #endif /* NSS_DISABLE_ECC */ |
| 141 | 146 |
| 142 { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, | 147 { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
| 148 { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
| 143 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, | 149 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
| 144 { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, | 150 { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
| 145 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, | 151 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
| 152 { TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
| 146 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 153 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
| 147 { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 154 { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
| 148 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, | 155 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
| 149 { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, | 156 { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
| 150 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, | 157 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
| 158 { TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
| 151 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 159 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
| 152 { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 160 { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
| 153 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, | 161 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
| 154 { TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, | 162 { TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
| 155 { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 163 { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
| 156 | 164 |
| 157 #ifndef NSS_DISABLE_ECC | 165 #ifndef NSS_DISABLE_ECC |
| 158 { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 166 { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
| 159 { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 167 { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
| 160 { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 168 { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
| (...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 198 { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 206 { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
| 199 { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 207 { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
| 200 { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 208 { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
| 201 { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 209 { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
| 202 #endif /* NSS_DISABLE_ECC */ | 210 #endif /* NSS_DISABLE_ECC */ |
| 203 { TLS_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 211 { TLS_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
| 204 { TLS_RSA_WITH_NULL_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 212 { TLS_RSA_WITH_NULL_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
| 205 { TLS_RSA_WITH_NULL_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | 213 { TLS_RSA_WITH_NULL_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
| 206 }; | 214 }; |
| 207 | 215 |
| 216 static const SSLSignatureAndHashAlg defaultSignatureAlgorithms[] = { |
| 217 {ssl_hash_sha256, ssl_sign_rsa}, |
| 218 {ssl_hash_sha384, ssl_sign_rsa}, |
| 219 {ssl_hash_sha512, ssl_sign_rsa}, |
| 220 {ssl_hash_sha1, ssl_sign_rsa}, |
| 221 #ifndef NSS_DISABLE_ECC |
| 222 {ssl_hash_sha256, ssl_sign_ecdsa}, |
| 223 {ssl_hash_sha384, ssl_sign_ecdsa}, |
| 224 {ssl_hash_sha512, ssl_sign_ecdsa}, |
| 225 {ssl_hash_sha1, ssl_sign_ecdsa}, |
| 226 #endif |
| 227 {ssl_hash_sha256, ssl_sign_dsa}, |
| 228 {ssl_hash_sha1, ssl_sign_dsa} |
| 229 }; |
| 230 PR_STATIC_ASSERT(PR_ARRAY_SIZE(defaultSignatureAlgorithms) <= |
| 231 MAX_SIGNATURE_ALGORITHMS); |
| 232 |
| 208 /* Verify that SSL_ImplementedCiphers and cipherSuites are in consistent order. | 233 /* Verify that SSL_ImplementedCiphers and cipherSuites are in consistent order. |
| 209 */ | 234 */ |
| 210 #ifdef DEBUG | 235 #ifdef DEBUG |
| 211 void ssl3_CheckCipherSuiteOrderConsistency() | 236 void ssl3_CheckCipherSuiteOrderConsistency() |
| 212 { | 237 { |
| 213 unsigned int i; | 238 unsigned int i; |
| 214 | 239 |
| 215 /* Note that SSL_ImplementedCiphers has more elements than cipherSuites | 240 /* Note that SSL_ImplementedCiphers has more elements than cipherSuites |
| 216 * because it SSL_ImplementedCiphers includes SSL 2.0 cipher suites. | 241 * because it SSL_ImplementedCiphers includes SSL 2.0 cipher suites. |
| 217 */ | 242 */ |
| (...skipping 40 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 258 } | 283 } |
| 259 | 284 |
| 260 static const /*SSL3ClientCertificateType */ PRUint8 certificate_types [] = { | 285 static const /*SSL3ClientCertificateType */ PRUint8 certificate_types [] = { |
| 261 ct_RSA_sign, | 286 ct_RSA_sign, |
| 262 #ifndef NSS_DISABLE_ECC | 287 #ifndef NSS_DISABLE_ECC |
| 263 ct_ECDSA_sign, | 288 ct_ECDSA_sign, |
| 264 #endif /* NSS_DISABLE_ECC */ | 289 #endif /* NSS_DISABLE_ECC */ |
| 265 ct_DSS_sign, | 290 ct_DSS_sign, |
| 266 }; | 291 }; |
| 267 | 292 |
| 268 /* This block is the contents of the supported_signature_algorithms field of | |
| 269 * our TLS 1.2 CertificateRequest message, in wire format. See | |
| 270 * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 | |
| 271 * | |
| 272 * This block contains only sha256 entries because we only support TLS 1.2 | |
| 273 * CertificateVerify messages that use the handshake hash. */ | |
| 274 static const PRUint8 supported_signature_algorithms[] = { | |
| 275 tls_hash_sha256, tls_sig_rsa, | |
| 276 #ifndef NSS_DISABLE_ECC | |
| 277 tls_hash_sha256, tls_sig_ecdsa, | |
| 278 #endif | |
| 279 tls_hash_sha256, tls_sig_dsa, | |
| 280 }; | |
| 281 | |
| 282 #define EXPORT_RSA_KEY_LENGTH 64 /* bytes */ | 293 #define EXPORT_RSA_KEY_LENGTH 64 /* bytes */ |
| 283 | 294 |
| 284 | 295 |
| 285 /* This global item is used only in servers. It is is initialized by | 296 /* This global item is used only in servers. It is is initialized by |
| 286 ** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest(). | 297 ** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest(). |
| 287 */ | 298 */ |
| 288 CERTDistNames *ssl3_server_ca_list = NULL; | 299 CERTDistNames *ssl3_server_ca_list = NULL; |
| 289 static SSL3Statistics ssl3stats; | 300 static SSL3Statistics ssl3stats; |
| 290 | 301 |
| 291 /* indexed by SSL3BulkCipher */ | 302 /* indexed by SSL3BulkCipher */ |
| (...skipping 23 matching lines...) Expand all Loading... |
| 315 {cipher_aes_128_gcm, calg_aes_gcm, 16,16, type_aead, 4, 0,16, 8}, | 326 {cipher_aes_128_gcm, calg_aes_gcm, 16,16, type_aead, 4, 0,16, 8}, |
| 316 {cipher_chacha20, calg_chacha20, 32,32, type_aead, 0, 0,16, 0}, | 327 {cipher_chacha20, calg_chacha20, 32,32, type_aead, 0, 0,16, 0}, |
| 317 {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, 0, 0}, | 328 {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, 0, 0}, |
| 318 }; | 329 }; |
| 319 | 330 |
| 320 static const ssl3KEADef kea_defs[] = | 331 static const ssl3KEADef kea_defs[] = |
| 321 { /* indexed by SSL3KeyExchangeAlgorithm */ | 332 { /* indexed by SSL3KeyExchangeAlgorithm */ |
| 322 /* kea exchKeyType signKeyType is_limited limit tls_keygen epheme
ral */ | 333 /* kea exchKeyType signKeyType is_limited limit tls_keygen epheme
ral */ |
| 323 {kea_null, kt_null, sign_null, PR_FALSE, 0, PR_FALSE, PR_FALSE}
, | 334 {kea_null, kt_null, sign_null, PR_FALSE, 0, PR_FALSE, PR_FALSE}
, |
| 324 {kea_rsa, kt_rsa, sign_rsa, PR_FALSE, 0, PR_FALSE, PR_FALSE}
, | 335 {kea_rsa, kt_rsa, sign_rsa, PR_FALSE, 0, PR_FALSE, PR_FALSE}
, |
| 325 {kea_rsa_export, kt_rsa, sign_rsa, PR_TRUE, 512, PR_FALSE, PR_TRUE}, | 336 {kea_rsa_export, kt_rsa, sign_rsa, PR_TRUE, 512, PR_FALSE, PR_FALSE}
, |
| 326 {kea_rsa_export_1024,kt_rsa, sign_rsa, PR_TRUE, 1024, PR_FALSE, PR_TRUE}, | 337 {kea_rsa_export_1024,kt_rsa, sign_rsa, PR_TRUE, 1024, PR_FALSE, PR_FALSE}
, |
| 327 {kea_dh_dss, kt_dh, sign_dsa, PR_FALSE, 0, PR_FALSE, PR_FALSE}
, | 338 {kea_dh_dss, kt_dh, sign_dsa, PR_FALSE, 0, PR_FALSE, PR_FALSE}
, |
| 328 {kea_dh_dss_export, kt_dh, sign_dsa, PR_TRUE, 512, PR_FALSE, PR_FALSE}
, | 339 {kea_dh_dss_export, kt_dh, sign_dsa, PR_TRUE, 512, PR_FALSE, PR_FALSE}
, |
| 329 {kea_dh_rsa, kt_dh, sign_rsa, PR_FALSE, 0, PR_FALSE, PR_FALSE}
, | 340 {kea_dh_rsa, kt_dh, sign_rsa, PR_FALSE, 0, PR_FALSE, PR_FALSE}
, |
| 330 {kea_dh_rsa_export, kt_dh, sign_rsa, PR_TRUE, 512, PR_FALSE, PR_FALSE}
, | 341 {kea_dh_rsa_export, kt_dh, sign_rsa, PR_TRUE, 512, PR_FALSE, PR_FALSE}
, |
| 331 {kea_dhe_dss, kt_dh, sign_dsa, PR_FALSE, 0, PR_FALSE, PR_TRUE}, | 342 {kea_dhe_dss, kt_dh, sign_dsa, PR_FALSE, 0, PR_FALSE, PR_TRUE}, |
| 332 {kea_dhe_dss_export, kt_dh, sign_dsa, PR_TRUE, 512, PR_FALSE, PR_TRUE}, | 343 {kea_dhe_dss_export, kt_dh, sign_dsa, PR_TRUE, 512, PR_FALSE, PR_TRUE}, |
| 333 {kea_dhe_rsa, kt_dh, sign_rsa, PR_FALSE, 0, PR_FALSE, PR_TRUE}, | 344 {kea_dhe_rsa, kt_dh, sign_rsa, PR_FALSE, 0, PR_FALSE, PR_TRUE}, |
| 334 {kea_dhe_rsa_export, kt_dh, sign_rsa, PR_TRUE, 512, PR_FALSE, PR_TRUE}, | 345 {kea_dhe_rsa_export, kt_dh, sign_rsa, PR_TRUE, 512, PR_FALSE, PR_TRUE}, |
| 335 {kea_dh_anon, kt_dh, sign_null, PR_FALSE, 0, PR_FALSE, PR_TRUE}, | 346 {kea_dh_anon, kt_dh, sign_null, PR_FALSE, 0, PR_FALSE, PR_TRUE}, |
| 336 {kea_dh_anon_export, kt_dh, sign_null, PR_TRUE, 512, PR_FALSE, PR_TRUE}, | 347 {kea_dh_anon_export, kt_dh, sign_null, PR_TRUE, 512, PR_FALSE, PR_TRUE}, |
| (...skipping 99 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 436 {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips}, | 447 {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips}, |
| 437 {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips}, | 448 {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips}, |
| 438 | 449 |
| 439 {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_
rsa}, | 450 {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_
rsa}, |
| 440 {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa}, | 451 {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa}, |
| 441 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ec
dhe_rsa}, | 452 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ec
dhe_rsa}, |
| 442 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_
ecdhe_ecdsa}, | 453 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_
ecdhe_ecdsa}, |
| 443 {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, cipher_chacha20, mac_aead, kea_ecdhe_
rsa}, | 454 {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, cipher_chacha20, mac_aead, kea_ecdhe_
rsa}, |
| 444 {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, cipher_chacha20, mac_aead, kea_ecdh
e_ecdsa}, | 455 {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, cipher_chacha20, mac_aead, kea_ecdh
e_ecdsa}, |
| 445 | 456 |
| 457 {TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_
dss}, |
| 458 {TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_d
ss}, |
| 459 {TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_d
ss}, |
| 460 |
| 446 #ifndef NSS_DISABLE_ECC | 461 #ifndef NSS_DISABLE_ECC |
| 447 {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa}, | 462 {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa}, |
| 448 {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa}, | 463 {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa}, |
| 449 {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa}
, | 464 {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa}
, |
| 450 {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecds
a}, | 465 {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecds
a}, |
| 451 {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecds
a}, | 466 {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecds
a}, |
| 452 | 467 |
| 453 {TLS_ECDHE_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_ecdsa
}, | 468 {TLS_ECDHE_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_ecdsa
}, |
| 454 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_ecdsa
}, | 469 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_ecdsa
}, |
| 455 {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecds
a}, | 470 {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecds
a}, |
| (...skipping 217 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 673 */ | 688 */ |
| 674 return vrange->min <= SSL_LIBRARY_VERSION_TLS_1_0; | 689 return vrange->min <= SSL_LIBRARY_VERSION_TLS_1_0; |
| 675 | 690 |
| 676 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: | 691 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: |
| 677 case TLS_RSA_WITH_AES_256_CBC_SHA256: | 692 case TLS_RSA_WITH_AES_256_CBC_SHA256: |
| 678 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: | 693 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: |
| 679 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: | 694 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: |
| 680 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: | 695 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: |
| 681 case TLS_RSA_WITH_AES_128_CBC_SHA256: | 696 case TLS_RSA_WITH_AES_128_CBC_SHA256: |
| 682 case TLS_RSA_WITH_AES_128_GCM_SHA256: | 697 case TLS_RSA_WITH_AES_128_GCM_SHA256: |
| 698 case TLS_DHE_DSS_WITH_AES_128_CBC_SHA256: |
| 699 case TLS_DHE_DSS_WITH_AES_256_CBC_SHA256: |
| 683 case TLS_RSA_WITH_NULL_SHA256: | 700 case TLS_RSA_WITH_NULL_SHA256: |
| 684 return vrange->max == SSL_LIBRARY_VERSION_TLS_1_2; | 701 return vrange->max == SSL_LIBRARY_VERSION_TLS_1_2; |
| 685 | 702 |
| 686 case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305: | 703 case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305: |
| 687 case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305: | 704 case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305: |
| 688 case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: | 705 case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: |
| 689 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: | 706 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: |
| 690 case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: | 707 case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: |
| 708 case TLS_DHE_DSS_WITH_AES_128_GCM_SHA256: |
| 691 return vrange->max >= SSL_LIBRARY_VERSION_TLS_1_2; | 709 return vrange->max >= SSL_LIBRARY_VERSION_TLS_1_2; |
| 692 | 710 |
| 693 /* RFC 4492: ECC cipher suites need TLS extensions to negotiate curves and | 711 /* RFC 4492: ECC cipher suites need TLS extensions to negotiate curves and |
| 694 * point formats.*/ | 712 * point formats.*/ |
| 695 case TLS_ECDH_ECDSA_WITH_NULL_SHA: | 713 case TLS_ECDH_ECDSA_WITH_NULL_SHA: |
| 696 case TLS_ECDH_ECDSA_WITH_RC4_128_SHA: | 714 case TLS_ECDH_ECDSA_WITH_RC4_128_SHA: |
| 697 case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA: | 715 case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA: |
| 698 case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: | 716 case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: |
| 699 case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: | 717 case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: |
| 700 case TLS_ECDHE_ECDSA_WITH_NULL_SHA: | 718 case TLS_ECDHE_ECDSA_WITH_NULL_SHA: |
| (...skipping 102 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 803 kea_defs[cipher_def->key_exchange_alg].exchKeyType; | 821 kea_defs[cipher_def->key_exchange_alg].exchKeyType; |
| 804 #ifdef NSS_DISABLE_ECC | 822 #ifdef NSS_DISABLE_ECC |
| 805 svrAuth = ss->serverCerts + exchKeyType; | 823 svrAuth = ss->serverCerts + exchKeyType; |
| 806 #else | 824 #else |
| 807 /* XXX SSLKEAType isn't really a good choice for | 825 /* XXX SSLKEAType isn't really a good choice for |
| 808 * indexing certificates. It doesn't work for | 826 * indexing certificates. It doesn't work for |
| 809 * (EC)DHE-* ciphers. Here we use a hack to ensure | 827 * (EC)DHE-* ciphers. Here we use a hack to ensure |
| 810 * that the server uses an RSA cert for (EC)DHE-RSA. | 828 * that the server uses an RSA cert for (EC)DHE-RSA. |
| 811 */ | 829 */ |
| 812 switch (cipher_def->key_exchange_alg) { | 830 switch (cipher_def->key_exchange_alg) { |
| 831 case kea_dhe_dss: |
| 832 svrAuth = ss->serverCerts + ssl_kea_dh; |
| 833 break; |
| 813 case kea_ecdhe_rsa: | 834 case kea_ecdhe_rsa: |
| 814 #if NSS_SERVER_DHE_IMPLEMENTED | |
| 815 /* XXX NSS does not yet implement the server side of _DHE_ | |
| 816 * cipher suites. Correcting the computation for svrAuth, | |
| 817 * as the case below does, causes NSS SSL servers to begin to | |
| 818 * negotiate cipher suites they do not implement. So, until | |
| 819 * server side _DHE_ is implemented, keep this disabled. | |
| 820 */ | |
| 821 case kea_dhe_rsa: | 835 case kea_dhe_rsa: |
| 822 #endif | |
| 823 svrAuth = ss->serverCerts + kt_rsa; | 836 svrAuth = ss->serverCerts + kt_rsa; |
| 824 break; | 837 break; |
| 825 case kea_ecdh_ecdsa: | 838 case kea_ecdh_ecdsa: |
| 826 case kea_ecdh_rsa: | 839 case kea_ecdh_rsa: |
| 827 /* | 840 /* |
| 828 * XXX We ought to have different indices for | 841 * XXX We ought to have different indices for |
| 829 * ECDSA- and RSA-signed EC certificates so | 842 * ECDSA- and RSA-signed EC certificates so |
| 830 * we could support both key exchange mechanisms | 843 * we could support both key exchange mechanisms |
| 831 * simultaneously. For now, both of them use | 844 * simultaneously. For now, both of them use |
| 832 * whatever is in the certificate slot for kt_ecdh | 845 * whatever is in the certificate slot for kt_ecdh |
| 833 */ | 846 */ |
| 847 case kea_dhe_dss_export: |
| 848 case kea_dhe_rsa_export: |
| 834 default: | 849 default: |
| 835 svrAuth = ss->serverCerts + exchKeyType; | 850 svrAuth = ss->serverCerts + exchKeyType; |
| 836 break; | 851 break; |
| 837 } | 852 } |
| 838 #endif /* NSS_DISABLE_ECC */ | 853 #endif /* NSS_DISABLE_ECC */ |
| 839 | 854 |
| 840 /* Mark the suites that are backed by real tokens, certs and keys */ | 855 /* Mark the suites that are backed by real tokens, certs and keys */ |
| 841 suite->isPresent = (PRBool) | 856 suite->isPresent = (PRBool) |
| 842 (((exchKeyType == kt_null) || | 857 (((exchKeyType == kt_null) || |
| 843 ((!isServer || (svrAuth->serverKeyPair && | 858 ((!isServer || (svrAuth->serverKeyPair && |
| (...skipping 16 matching lines...) Expand all Loading... |
| 860 /* return PR_TRUE if suite matches policy, enabled state and is applicable to | 875 /* return PR_TRUE if suite matches policy, enabled state and is applicable to |
| 861 * the given version range. */ | 876 * the given version range. */ |
| 862 /* It would be a REALLY BAD THING (tm) if we ever permitted the use | 877 /* It would be a REALLY BAD THING (tm) if we ever permitted the use |
| 863 ** of a cipher that was NOT_ALLOWED. So, if this is ever called with | 878 ** of a cipher that was NOT_ALLOWED. So, if this is ever called with |
| 864 ** policy == SSL_NOT_ALLOWED, report no match. | 879 ** policy == SSL_NOT_ALLOWED, report no match. |
| 865 */ | 880 */ |
| 866 /* adjust suite enabled to the availability of a token that can do the | 881 /* adjust suite enabled to the availability of a token that can do the |
| 867 * cipher suite. */ | 882 * cipher suite. */ |
| 868 static PRBool | 883 static PRBool |
| 869 config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled, | 884 config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled, |
| 870 » const SSLVersionRange *vrange) | 885 » const SSLVersionRange *vrange, const sslSocket *ss) |
| 871 { | 886 { |
| 887 const ssl3CipherSuiteDef *cipher_def; |
| 888 |
| 872 PORT_Assert(policy != SSL_NOT_ALLOWED && enabled != PR_FALSE); | 889 PORT_Assert(policy != SSL_NOT_ALLOWED && enabled != PR_FALSE); |
| 873 if (policy == SSL_NOT_ALLOWED || !enabled) | 890 if (policy == SSL_NOT_ALLOWED || !enabled) |
| 874 » return PR_FALSE; | 891 » return PR_FALSE; |
| 892 |
| 893 cipher_def = ssl_LookupCipherSuiteDef(suite->cipher_suite); |
| 894 PORT_Assert(cipher_def != NULL); |
| 895 |
| 896 PORT_Assert(ss != NULL); |
| 897 if (ss->sec.isServer && !ss->opt.enableServerDhe && |
| 898 kea_defs[cipher_def->key_exchange_alg].exchKeyType == ssl_kea_dh) |
| 899 » return PR_FALSE; |
| 900 |
| 875 return (PRBool)(suite->enabled && | 901 return (PRBool)(suite->enabled && |
| 876 suite->isPresent && | 902 suite->isPresent && |
| 877 suite->policy != SSL_NOT_ALLOWED && | 903 suite->policy != SSL_NOT_ALLOWED && |
| 878 suite->policy <= policy && | 904 suite->policy <= policy && |
| 879 ssl3_CipherSuiteAllowedForVersionRange( | 905 ssl3_CipherSuiteAllowedForVersionRange( |
| 880 suite->cipher_suite, vrange)); | 906 suite->cipher_suite, vrange)); |
| 881 } | 907 } |
| 882 | 908 |
| 883 /* return number of cipher suites that match policy, enabled state and are | 909 /* return number of cipher suites that match policy, enabled state and are |
| 884 * applicable for the configured protocol version range. */ | 910 * applicable for the configured protocol version range. */ |
| 885 /* called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */ | 911 /* called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */ |
| 886 static int | 912 static int |
| 887 count_cipher_suites(sslSocket *ss, int policy, PRBool enabled) | 913 count_cipher_suites(sslSocket *ss, int policy, PRBool enabled) |
| 888 { | 914 { |
| 889 int i, count = 0; | 915 int i, count = 0; |
| 890 | 916 |
| 891 if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) { | 917 if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) { |
| 892 return 0; | 918 return 0; |
| 893 } | 919 } |
| 894 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { | 920 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { |
| 895 » if (config_match(&ss->cipherSuites[i], policy, enabled, &ss->vrange)) | 921 » if (config_match(&ss->cipherSuites[i], policy, enabled, &ss->vrange, ss)
) |
| 896 count++; | 922 count++; |
| 897 } | 923 } |
| 898 if (count <= 0) { | 924 if (count <= 0) { |
| 899 PORT_SetError(SSL_ERROR_SSL_DISABLED); | 925 PORT_SetError(SSL_ERROR_SSL_DISABLED); |
| 900 } | 926 } |
| 901 return count; | 927 return count; |
| 902 } | 928 } |
| 903 | 929 |
| 904 /* | 930 /* |
| 905 * Null compression, mac and encryption functions | 931 * Null compression, mac and encryption functions |
| (...skipping 71 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 977 | 1003 |
| 978 buf->data = NULL; | 1004 buf->data = NULL; |
| 979 | 1005 |
| 980 switch (key->keyType) { | 1006 switch (key->keyType) { |
| 981 case rsaKey: | 1007 case rsaKey: |
| 982 hashItem.data = hash->u.raw; | 1008 hashItem.data = hash->u.raw; |
| 983 hashItem.len = hash->len; | 1009 hashItem.len = hash->len; |
| 984 break; | 1010 break; |
| 985 case dsaKey: | 1011 case dsaKey: |
| 986 doDerEncode = isTLS; | 1012 doDerEncode = isTLS; |
| 987 » /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash. | 1013 » /* ssl_hash_none is used to specify the MD5/SHA1 concatenated hash. |
| 988 * In that case, we use just the SHA1 part. */ | 1014 * In that case, we use just the SHA1 part. */ |
| 989 » if (hash->hashAlg == SEC_OID_UNKNOWN) { | 1015 » if (hash->hashAlg == ssl_hash_none) { |
| 990 hashItem.data = hash->u.s.sha; | 1016 hashItem.data = hash->u.s.sha; |
| 991 hashItem.len = sizeof(hash->u.s.sha); | 1017 hashItem.len = sizeof(hash->u.s.sha); |
| 992 } else { | 1018 } else { |
| 993 hashItem.data = hash->u.raw; | 1019 hashItem.data = hash->u.raw; |
| 994 hashItem.len = hash->len; | 1020 hashItem.len = hash->len; |
| 995 } | 1021 } |
| 996 break; | 1022 break; |
| 997 #ifndef NSS_DISABLE_ECC | 1023 #ifndef NSS_DISABLE_ECC |
| 998 case ecKey: | 1024 case ecKey: |
| 999 doDerEncode = PR_TRUE; | 1025 doDerEncode = PR_TRUE; |
| 1000 » /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash. | 1026 » /* ssl_hash_none is used to specify the MD5/SHA1 concatenated hash. |
| 1001 * In that case, we use just the SHA1 part. */ | 1027 * In that case, we use just the SHA1 part. */ |
| 1002 » if (hash->hashAlg == SEC_OID_UNKNOWN) { | 1028 » if (hash->hashAlg == ssl_hash_none) { |
| 1003 hashItem.data = hash->u.s.sha; | 1029 hashItem.data = hash->u.s.sha; |
| 1004 hashItem.len = sizeof(hash->u.s.sha); | 1030 hashItem.len = sizeof(hash->u.s.sha); |
| 1005 } else { | 1031 } else { |
| 1006 hashItem.data = hash->u.raw; | 1032 hashItem.data = hash->u.raw; |
| 1007 hashItem.len = hash->len; | 1033 hashItem.len = hash->len; |
| 1008 } | 1034 } |
| 1009 break; | 1035 break; |
| 1010 #endif /* NSS_DISABLE_ECC */ | 1036 #endif /* NSS_DISABLE_ECC */ |
| 1011 default: | 1037 default: |
| 1012 PORT_SetError(SEC_ERROR_INVALID_KEY); | 1038 PORT_SetError(SEC_ERROR_INVALID_KEY); |
| 1013 goto done; | 1039 goto done; |
| 1014 } | 1040 } |
| 1015 PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len)); | 1041 PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len)); |
| 1016 | 1042 |
| 1017 if (hash->hashAlg == SEC_OID_UNKNOWN) { | 1043 if (hash->hashAlg == ssl_hash_none) { |
| 1018 signatureLen = PK11_SignatureLen(key); | 1044 signatureLen = PK11_SignatureLen(key); |
| 1019 if (signatureLen <= 0) { | 1045 if (signatureLen <= 0) { |
| 1020 PORT_SetError(SEC_ERROR_INVALID_KEY); | 1046 PORT_SetError(SEC_ERROR_INVALID_KEY); |
| 1021 goto done; | 1047 goto done; |
| 1022 } | 1048 } |
| 1023 | 1049 |
| 1024 buf->len = (unsigned)signatureLen; | 1050 buf->len = (unsigned)signatureLen; |
| 1025 buf->data = (unsigned char *)PORT_Alloc(signatureLen); | 1051 buf->data = (unsigned char *)PORT_Alloc(signatureLen); |
| 1026 if (!buf->data) | 1052 if (!buf->data) |
| 1027 goto done; /* error code was set. */ | 1053 goto done; /* error code was set. */ |
| 1028 | 1054 |
| 1029 rv = PK11_Sign(key, buf, &hashItem); | 1055 rv = PK11_Sign(key, buf, &hashItem); |
| 1030 } else { | 1056 } else { |
| 1031 » rv = SGN_Digest(key, hash->hashAlg, buf, &hashItem); | 1057 SECOidTag hashOID = ssl3_TLSHashAlgorithmToOID(hash->hashAlg); |
| 1058 rv = SGN_Digest(key, hashOID, buf, &hashItem); |
| 1032 } | 1059 } |
| 1033 if (rv != SECSuccess) { | 1060 if (rv != SECSuccess) { |
| 1034 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE); | 1061 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE); |
| 1035 } else if (doDerEncode) { | 1062 } else if (doDerEncode) { |
| 1036 SECItem derSig = {siBuffer, NULL, 0}; | 1063 SECItem derSig = {siBuffer, NULL, 0}; |
| 1037 | 1064 |
| 1038 /* This also works for an ECDSA signature */ | 1065 /* This also works for an ECDSA signature */ |
| 1039 rv = DSAU_EncodeDerSigWithLen(&derSig, buf, buf->len); | 1066 rv = DSAU_EncodeDerSigWithLen(&derSig, buf, buf->len); |
| 1040 if (rv == SECSuccess) { | 1067 if (rv == SECSuccess) { |
| 1041 PORT_Free(buf->data); /* discard unencoded signature. */ | 1068 PORT_Free(buf->data); /* discard unencoded signature. */ |
| (...skipping 27 matching lines...) Expand all Loading... |
| 1069 | 1096 |
| 1070 PRINT_BUF(60, (NULL, "check signed hashes", | 1097 PRINT_BUF(60, (NULL, "check signed hashes", |
| 1071 buf->data, buf->len)); | 1098 buf->data, buf->len)); |
| 1072 | 1099 |
| 1073 key = CERT_ExtractPublicKey(cert); | 1100 key = CERT_ExtractPublicKey(cert); |
| 1074 if (key == NULL) { | 1101 if (key == NULL) { |
| 1075 ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); | 1102 ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); |
| 1076 return SECFailure; | 1103 return SECFailure; |
| 1077 } | 1104 } |
| 1078 | 1105 |
| 1079 hashAlg = hash->hashAlg; | 1106 hashAlg = ssl3_TLSHashAlgorithmToOID(hash->hashAlg); |
| 1080 switch (key->keyType) { | 1107 switch (key->keyType) { |
| 1081 case rsaKey: | 1108 case rsaKey: |
| 1082 encAlg = SEC_OID_PKCS1_RSA_ENCRYPTION; | 1109 encAlg = SEC_OID_PKCS1_RSA_ENCRYPTION; |
| 1083 hashItem.data = hash->u.raw; | 1110 hashItem.data = hash->u.raw; |
| 1084 hashItem.len = hash->len; | 1111 hashItem.len = hash->len; |
| 1085 break; | 1112 break; |
| 1086 case dsaKey: | 1113 case dsaKey: |
| 1087 encAlg = SEC_OID_ANSIX9_DSA_SIGNATURE; | 1114 encAlg = SEC_OID_ANSIX9_DSA_SIGNATURE; |
| 1088 » /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash. | 1115 » /* ssl_hash_none is used to specify the MD5/SHA1 concatenated hash. |
| 1089 * In that case, we use just the SHA1 part. */ | 1116 * In that case, we use just the SHA1 part. */ |
| 1090 » if (hash->hashAlg == SEC_OID_UNKNOWN) { | 1117 » if (hash->hashAlg == ssl_hash_none) { |
| 1091 hashItem.data = hash->u.s.sha; | 1118 hashItem.data = hash->u.s.sha; |
| 1092 hashItem.len = sizeof(hash->u.s.sha); | 1119 hashItem.len = sizeof(hash->u.s.sha); |
| 1093 } else { | 1120 } else { |
| 1094 hashItem.data = hash->u.raw; | 1121 hashItem.data = hash->u.raw; |
| 1095 hashItem.len = hash->len; | 1122 hashItem.len = hash->len; |
| 1096 } | 1123 } |
| 1097 /* Allow DER encoded DSA signatures in SSL 3.0 */ | 1124 /* Allow DER encoded DSA signatures in SSL 3.0 */ |
| 1098 if (isTLS || buf->len != SECKEY_SignatureLen(key)) { | 1125 if (isTLS || buf->len != SECKEY_SignatureLen(key)) { |
| 1099 signature = DSAU_DecodeDerSigToLen(buf, SECKEY_SignatureLen(key)); | 1126 signature = DSAU_DecodeDerSigToLen(buf, SECKEY_SignatureLen(key)); |
| 1100 if (!signature) { | 1127 if (!signature) { |
| 1101 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); | 1128 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); |
| 1102 return SECFailure; | 1129 return SECFailure; |
| 1103 } | 1130 } |
| 1104 buf = signature; | 1131 buf = signature; |
| 1105 } | 1132 } |
| 1106 break; | 1133 break; |
| 1107 | 1134 |
| 1108 #ifndef NSS_DISABLE_ECC | 1135 #ifndef NSS_DISABLE_ECC |
| 1109 case ecKey: | 1136 case ecKey: |
| 1110 encAlg = SEC_OID_ANSIX962_EC_PUBLIC_KEY; | 1137 encAlg = SEC_OID_ANSIX962_EC_PUBLIC_KEY; |
| 1111 » /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash. | 1138 » /* ssl_hash_none is used to specify the MD5/SHA1 concatenated hash. |
| 1112 * In that case, we use just the SHA1 part. | 1139 * In that case, we use just the SHA1 part. |
| 1113 * ECDSA signatures always encode the integers r and s using ASN.1 | 1140 * ECDSA signatures always encode the integers r and s using ASN.1 |
| 1114 * (unlike DSA where ASN.1 encoding is used with TLS but not with | 1141 * (unlike DSA where ASN.1 encoding is used with TLS but not with |
| 1115 * SSL3). So we can use VFY_VerifyDigestDirect for ECDSA. | 1142 * SSL3). So we can use VFY_VerifyDigestDirect for ECDSA. |
| 1116 */ | 1143 */ |
| 1117 » if (hash->hashAlg == SEC_OID_UNKNOWN) { | 1144 » if (hash->hashAlg == ssl_hash_none) { |
| 1118 hashAlg = SEC_OID_SHA1; | 1145 hashAlg = SEC_OID_SHA1; |
| 1119 hashItem.data = hash->u.s.sha; | 1146 hashItem.data = hash->u.s.sha; |
| 1120 hashItem.len = sizeof(hash->u.s.sha); | 1147 hashItem.len = sizeof(hash->u.s.sha); |
| 1121 } else { | 1148 } else { |
| 1122 hashItem.data = hash->u.raw; | 1149 hashItem.data = hash->u.raw; |
| 1123 hashItem.len = hash->len; | 1150 hashItem.len = hash->len; |
| 1124 } | 1151 } |
| 1125 break; | 1152 break; |
| 1126 #endif /* NSS_DISABLE_ECC */ | 1153 #endif /* NSS_DISABLE_ECC */ |
| 1127 | 1154 |
| 1128 default: | 1155 default: |
| 1129 SECKEY_DestroyPublicKey(key); | 1156 SECKEY_DestroyPublicKey(key); |
| 1130 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); | 1157 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); |
| 1131 return SECFailure; | 1158 return SECFailure; |
| 1132 } | 1159 } |
| 1133 | 1160 |
| 1134 PRINT_BUF(60, (NULL, "hash(es) to be verified", | 1161 PRINT_BUF(60, (NULL, "hash(es) to be verified", |
| 1135 hashItem.data, hashItem.len)); | 1162 hashItem.data, hashItem.len)); |
| 1136 | 1163 |
| 1137 if (hashAlg == SEC_OID_UNKNOWN || key->keyType == dsaKey) { | 1164 if (hashAlg == SEC_OID_UNKNOWN || key->keyType == dsaKey) { |
| 1138 /* VFY_VerifyDigestDirect requires DSA signatures to be DER-encoded. | 1165 /* VFY_VerifyDigestDirect requires DSA signatures to be DER-encoded. |
| 1139 * DSA signatures are DER-encoded in TLS but not in SSL3 and the code | 1166 * DSA signatures are DER-encoded in TLS but not in SSL3 and the code |
| 1140 * above always removes the DER encoding of DSA signatures when | 1167 * above always removes the DER encoding of DSA signatures when |
| 1141 * present. Thus DSA signatures are always verified with PK11_Verify. | 1168 * present. Thus DSA signatures are always verified with PK11_Verify. |
| 1142 */ | 1169 */ |
| 1143 rv = PK11_Verify(key, buf, &hashItem, pwArg); | 1170 rv = PK11_Verify(key, buf, &hashItem, pwArg); |
| 1144 } else { | 1171 } else { |
| 1145 » rv = VFY_VerifyDigestDirect(&hashItem, key, buf, encAlg, hashAlg, | 1172 rv = VFY_VerifyDigestDirect(&hashItem, key, buf, encAlg, hashAlg, |
| 1146 » » » » pwArg); | 1173 pwArg); |
| 1147 } | 1174 } |
| 1148 SECKEY_DestroyPublicKey(key); | 1175 SECKEY_DestroyPublicKey(key); |
| 1149 if (signature) { | 1176 if (signature) { |
| 1150 SECITEM_FreeItem(signature, PR_TRUE); | 1177 SECITEM_FreeItem(signature, PR_TRUE); |
| 1151 } | 1178 } |
| 1152 if (rv != SECSuccess) { | 1179 if (rv != SECSuccess) { |
| 1153 ssl_MapLowLevelError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); | 1180 ssl_MapLowLevelError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); |
| 1154 } | 1181 } |
| 1155 return rv; | 1182 return rv; |
| 1156 } | 1183 } |
| 1157 | 1184 |
| 1158 | 1185 |
| 1159 /* Caller must set hiLevel error code. */ | 1186 /* Caller must set hiLevel error code. */ |
| 1160 /* Called from ssl3_ComputeExportRSAKeyHash | 1187 /* Called from ssl3_ComputeExportRSAKeyHash |
| 1161 * ssl3_ComputeDHKeyHash | 1188 * ssl3_ComputeDHKeyHash |
| 1162 * which are called from ssl3_HandleServerKeyExchange. | 1189 * which are called from ssl3_HandleServerKeyExchange. |
| 1163 * | 1190 * |
| 1164 * hashAlg: either the OID for a hash algorithm or SEC_OID_UNKNOWN to specify | 1191 * hashAlg: ssl_hash_none indicates the pre-1.2, MD5/SHA1 combination hash. |
| 1165 * the pre-1.2, MD5/SHA1 combination hash. | |
| 1166 */ | 1192 */ |
| 1167 SECStatus | 1193 SECStatus |
| 1168 ssl3_ComputeCommonKeyHash(SECOidTag hashAlg, | 1194 ssl3_ComputeCommonKeyHash(SSLHashType hashAlg, |
| 1169 » » » PRUint8 * hashBuf, unsigned int bufLen, | 1195 PRUint8 * hashBuf, unsigned int bufLen, |
| 1170 » » » SSL3Hashes *hashes, PRBool bypassPKCS11) | 1196 SSL3Hashes *hashes, PRBool bypassPKCS11) |
| 1171 { | 1197 { |
| 1172 SECStatus rv » » = SECSuccess; | 1198 SECStatus rv; |
| 1199 SECOidTag hashOID; |
| 1173 | 1200 |
| 1174 #ifndef NO_PKCS11_BYPASS | 1201 #ifndef NO_PKCS11_BYPASS |
| 1175 if (bypassPKCS11) { | 1202 if (bypassPKCS11) { |
| 1176 » if (hashAlg == SEC_OID_UNKNOWN) { | 1203 if (hashAlg == ssl_hash_none) { |
| 1177 » MD5_HashBuf (hashes->u.s.md5, hashBuf, bufLen); | 1204 MD5_HashBuf (hashes->u.s.md5, hashBuf, bufLen); |
| 1178 » SHA1_HashBuf(hashes->u.s.sha, hashBuf, bufLen); | 1205 SHA1_HashBuf(hashes->u.s.sha, hashBuf, bufLen); |
| 1179 » hashes->len = MD5_LENGTH + SHA1_LENGTH; | 1206 hashes->len = MD5_LENGTH + SHA1_LENGTH; |
| 1180 » } else if (hashAlg == SEC_OID_SHA1) { | 1207 } else if (hashAlg == ssl_hash_sha1) { |
| 1181 » SHA1_HashBuf(hashes->u.raw, hashBuf, bufLen); | 1208 SHA1_HashBuf(hashes->u.raw, hashBuf, bufLen); |
| 1182 » hashes->len = SHA1_LENGTH; | 1209 hashes->len = SHA1_LENGTH; |
| 1183 » } else if (hashAlg == SEC_OID_SHA256) { | 1210 } else if (hashAlg == ssl_hash_sha256) { |
| 1184 » SHA256_HashBuf(hashes->u.raw, hashBuf, bufLen); | 1211 SHA256_HashBuf(hashes->u.raw, hashBuf, bufLen); |
| 1185 » hashes->len = SHA256_LENGTH; | 1212 hashes->len = SHA256_LENGTH; |
| 1186 » } else if (hashAlg == SEC_OID_SHA384) { | 1213 } else if (hashAlg == ssl_hash_sha384) { |
| 1187 » SHA384_HashBuf(hashes->u.raw, hashBuf, bufLen); | 1214 SHA384_HashBuf(hashes->u.raw, hashBuf, bufLen); |
| 1188 » hashes->len = SHA384_LENGTH; | 1215 hashes->len = SHA384_LENGTH; |
| 1189 » } else if (hashAlg == SEC_OID_SHA512) { | 1216 } else if (hashAlg == ssl_hash_sha512) { |
| 1190 » SHA512_HashBuf(hashes->u.raw, hashBuf, bufLen); | 1217 SHA512_HashBuf(hashes->u.raw, hashBuf, bufLen); |
| 1191 » hashes->len = SHA512_LENGTH; | 1218 hashes->len = SHA512_LENGTH; |
| 1192 » } else { | 1219 } else { |
| 1193 » PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM); | 1220 PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM); |
| 1194 » return SECFailure; | 1221 return SECFailure; |
| 1195 » } | 1222 } |
| 1196 } else | 1223 } else |
| 1197 #endif | 1224 #endif |
| 1198 { | 1225 { |
| 1199 » if (hashAlg == SEC_OID_UNKNOWN) { | 1226 if (hashAlg == ssl_hash_none) { |
| 1200 » rv = PK11_HashBuf(SEC_OID_MD5, hashes->u.s.md5, hashBuf, bufLen); | 1227 rv = PK11_HashBuf(SEC_OID_MD5, hashes->u.s.md5, hashBuf, bufLen); |
| 1201 » if (rv != SECSuccess) { | 1228 if (rv != SECSuccess) { |
| 1202 » » ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); | 1229 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); |
| 1203 » » rv = SECFailure; | 1230 return rv; |
| 1204 » » goto done; | 1231 } |
| 1205 » } | 1232 rv = PK11_HashBuf(SEC_OID_SHA1, hashes->u.s.sha, hashBuf, bufLen); |
| 1206 | 1233 if (rv != SECSuccess) { |
| 1207 » rv = PK11_HashBuf(SEC_OID_SHA1, hashes->u.s.sha, hashBuf, bufLen); | 1234 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
| 1208 » if (rv != SECSuccess) { | 1235 return rv; |
| 1209 » » ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); | 1236 } |
| 1210 » » rv = SECFailure; | 1237 hashes->len = MD5_LENGTH + SHA1_LENGTH; |
| 1211 » } | 1238 } else { |
| 1212 » hashes->len = MD5_LENGTH + SHA1_LENGTH; | 1239 hashOID = ssl3_TLSHashAlgorithmToOID(hashAlg); |
| 1213 » } else { | 1240 hashes->len = HASH_ResultLenByOidTag(hashOID); |
| 1214 » hashes->len = HASH_ResultLenByOidTag(hashAlg); | 1241 if (hashes->len == 0 || hashes->len > sizeof(hashes->u.raw)) { |
| 1215 » if (hashes->len > sizeof(hashes->u.raw)) { | 1242 ssl_MapLowLevelError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM); |
| 1216 » » ssl_MapLowLevelError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM); | 1243 return SECFailure; |
| 1217 » » rv = SECFailure; | 1244 } |
| 1218 » » goto done; | 1245 rv = PK11_HashBuf(hashOID, hashes->u.raw, hashBuf, bufLen); |
| 1219 » } | 1246 if (rv != SECSuccess) { |
| 1220 » rv = PK11_HashBuf(hashAlg, hashes->u.raw, hashBuf, bufLen); | 1247 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); |
| 1221 » if (rv != SECSuccess) { | 1248 return rv; |
| 1222 » » ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); | 1249 } |
| 1223 » » rv = SECFailure; | 1250 } |
| 1224 » } | |
| 1225 » } | |
| 1226 } | 1251 } |
| 1227 hashes->hashAlg = hashAlg; | 1252 hashes->hashAlg = hashAlg; |
| 1228 | 1253 return SECSuccess; |
| 1229 done: | |
| 1230 return rv; | |
| 1231 } | 1254 } |
| 1232 | 1255 |
| 1233 /* Caller must set hiLevel error code. | 1256 /* Caller must set hiLevel error code. |
| 1234 ** Called from ssl3_SendServerKeyExchange and | 1257 ** Called from ssl3_SendServerKeyExchange and |
| 1235 ** ssl3_HandleServerKeyExchange. | 1258 ** ssl3_HandleServerKeyExchange. |
| 1236 */ | 1259 */ |
| 1237 static SECStatus | 1260 static SECStatus |
| 1238 ssl3_ComputeExportRSAKeyHash(SECOidTag hashAlg, | 1261 ssl3_ComputeExportRSAKeyHash(SSLHashType hashAlg, |
| 1239 » » » SECItem modulus, SECItem publicExponent, | 1262 SECItem modulus, SECItem publicExponent, |
| 1240 » » » SSL3Random *client_rand, SSL3Random *server_rand, | 1263 SSL3Random *client_rand, SSL3Random *server_rand, |
| 1241 » » » SSL3Hashes *hashes, PRBool bypassPKCS11) | 1264 SSL3Hashes *hashes, PRBool bypassPKCS11) |
| 1242 { | 1265 { |
| 1243 PRUint8 * hashBuf; | 1266 PRUint8 * hashBuf; |
| 1244 PRUint8 * pBuf; | 1267 PRUint8 * pBuf; |
| 1245 SECStatus rv = SECSuccess; | 1268 SECStatus rv = SECSuccess; |
| 1246 unsigned int bufLen; | 1269 unsigned int bufLen; |
| 1247 PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8]; | 1270 PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8]; |
| 1248 | 1271 |
| 1249 bufLen = 2*SSL3_RANDOM_LENGTH + 2 + modulus.len + 2 + publicExponent.len; | 1272 bufLen = 2*SSL3_RANDOM_LENGTH + 2 + modulus.len + 2 + publicExponent.len; |
| 1250 if (bufLen <= sizeof buf) { | 1273 if (bufLen <= sizeof buf) { |
| 1251 hashBuf = buf; | 1274 hashBuf = buf; |
| (...skipping 17 matching lines...) Expand all Loading... |
| 1269 pBuf[1] = (PRUint8)(publicExponent.len); | 1292 pBuf[1] = (PRUint8)(publicExponent.len); |
| 1270 pBuf += 2; | 1293 pBuf += 2; |
| 1271 memcpy(pBuf, publicExponent.data, publicExponent.len); | 1294 memcpy(pBuf, publicExponent.data, publicExponent.len); |
| 1272 pBuf += publicExponent.len; | 1295 pBuf += publicExponent.len; |
| 1273 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen); | 1296 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen); |
| 1274 | 1297 |
| 1275 rv = ssl3_ComputeCommonKeyHash(hashAlg, hashBuf, bufLen, hashes, | 1298 rv = ssl3_ComputeCommonKeyHash(hashAlg, hashBuf, bufLen, hashes, |
| 1276 bypassPKCS11); | 1299 bypassPKCS11); |
| 1277 | 1300 |
| 1278 PRINT_BUF(95, (NULL, "RSAkey hash: ", hashBuf, bufLen)); | 1301 PRINT_BUF(95, (NULL, "RSAkey hash: ", hashBuf, bufLen)); |
| 1279 if (hashAlg == SEC_OID_UNKNOWN) { | 1302 if (hashAlg == ssl_hash_none) { |
| 1280 PRINT_BUF(95, (NULL, "RSAkey hash: MD5 result", | 1303 PRINT_BUF(95, (NULL, "RSAkey hash: MD5 result", |
| 1281 hashes->u.s.md5, MD5_LENGTH)); | 1304 hashes->u.s.md5, MD5_LENGTH)); |
| 1282 PRINT_BUF(95, (NULL, "RSAkey hash: SHA1 result", | 1305 PRINT_BUF(95, (NULL, "RSAkey hash: SHA1 result", |
| 1283 hashes->u.s.sha, SHA1_LENGTH)); | 1306 hashes->u.s.sha, SHA1_LENGTH)); |
| 1284 } else { | 1307 } else { |
| 1285 PRINT_BUF(95, (NULL, "RSAkey hash: result", | 1308 PRINT_BUF(95, (NULL, "RSAkey hash: result", |
| 1286 hashes->u.raw, hashes->len)); | 1309 hashes->u.raw, hashes->len)); |
| 1287 } | 1310 } |
| 1288 | 1311 |
| 1289 if (hashBuf != buf && hashBuf != NULL) | 1312 if (hashBuf != buf && hashBuf != NULL) |
| 1290 PORT_Free(hashBuf); | 1313 PORT_Free(hashBuf); |
| 1291 return rv; | 1314 return rv; |
| 1292 } | 1315 } |
| 1293 | 1316 |
| 1294 /* Caller must set hiLevel error code. */ | 1317 /* Caller must set hiLevel error code. */ |
| 1295 /* Called from ssl3_HandleServerKeyExchange. */ | 1318 /* Called from ssl3_HandleServerKeyExchange. */ |
| 1296 static SECStatus | 1319 static SECStatus |
| 1297 ssl3_ComputeDHKeyHash(SECOidTag hashAlg, | 1320 ssl3_ComputeDHKeyHash(SSLHashType hashAlg, |
| 1298 » » SECItem dh_p, SECItem dh_g, SECItem dh_Ys, | 1321 SECItem dh_p, SECItem dh_g, SECItem dh_Ys, |
| 1299 » » SSL3Random *client_rand, SSL3Random *server_rand, | 1322 SSL3Random *client_rand, SSL3Random *server_rand, |
| 1300 » » SSL3Hashes *hashes, PRBool bypassPKCS11) | 1323 SSL3Hashes *hashes, PRBool bypassPKCS11) |
| 1301 { | 1324 { |
| 1302 PRUint8 * hashBuf; | 1325 PRUint8 * hashBuf; |
| 1303 PRUint8 * pBuf; | 1326 PRUint8 * pBuf; |
| 1304 SECStatus rv = SECSuccess; | 1327 SECStatus rv = SECSuccess; |
| 1305 unsigned int bufLen; | 1328 unsigned int bufLen; |
| 1306 PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8]; | 1329 PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8]; |
| 1307 | 1330 |
| 1308 bufLen = 2*SSL3_RANDOM_LENGTH + 2 + dh_p.len + 2 + dh_g.len + 2 + dh_Ys.len; | 1331 bufLen = 2*SSL3_RANDOM_LENGTH + 2 + dh_p.len + 2 + dh_g.len + 2 + dh_Ys.len; |
| 1309 if (bufLen <= sizeof buf) { | 1332 if (bufLen <= sizeof buf) { |
| 1310 hashBuf = buf; | 1333 hashBuf = buf; |
| (...skipping 22 matching lines...) Expand all Loading... |
| 1333 pBuf[1] = (PRUint8)(dh_Ys.len); | 1356 pBuf[1] = (PRUint8)(dh_Ys.len); |
| 1334 pBuf += 2; | 1357 pBuf += 2; |
| 1335 memcpy(pBuf, dh_Ys.data, dh_Ys.len); | 1358 memcpy(pBuf, dh_Ys.data, dh_Ys.len); |
| 1336 pBuf += dh_Ys.len; | 1359 pBuf += dh_Ys.len; |
| 1337 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen); | 1360 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen); |
| 1338 | 1361 |
| 1339 rv = ssl3_ComputeCommonKeyHash(hashAlg, hashBuf, bufLen, hashes, | 1362 rv = ssl3_ComputeCommonKeyHash(hashAlg, hashBuf, bufLen, hashes, |
| 1340 bypassPKCS11); | 1363 bypassPKCS11); |
| 1341 | 1364 |
| 1342 PRINT_BUF(95, (NULL, "DHkey hash: ", hashBuf, bufLen)); | 1365 PRINT_BUF(95, (NULL, "DHkey hash: ", hashBuf, bufLen)); |
| 1343 if (hashAlg == SEC_OID_UNKNOWN) { | 1366 if (hashAlg == ssl_hash_none) { |
| 1344 PRINT_BUF(95, (NULL, "DHkey hash: MD5 result", | 1367 PRINT_BUF(95, (NULL, "DHkey hash: MD5 result", |
| 1345 hashes->u.s.md5, MD5_LENGTH)); | 1368 hashes->u.s.md5, MD5_LENGTH)); |
| 1346 PRINT_BUF(95, (NULL, "DHkey hash: SHA1 result", | 1369 PRINT_BUF(95, (NULL, "DHkey hash: SHA1 result", |
| 1347 hashes->u.s.sha, SHA1_LENGTH)); | 1370 hashes->u.s.sha, SHA1_LENGTH)); |
| 1348 } else { | 1371 } else { |
| 1349 PRINT_BUF(95, (NULL, "DHkey hash: result", | 1372 PRINT_BUF(95, (NULL, "DHkey hash: result", |
| 1350 hashes->u.raw, hashes->len)); | 1373 hashes->u.raw, hashes->len)); |
| 1351 } | 1374 } |
| 1352 | 1375 |
| 1353 if (hashBuf != buf && hashBuf != NULL) | 1376 if (hashBuf != buf && hashBuf != NULL) |
| (...skipping 937 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2291 | 2314 |
| 2292 /* Complete the initialization of all keys, ciphers, MACs and their contexts | 2315 /* Complete the initialization of all keys, ciphers, MACs and their contexts |
| 2293 * for the pending Cipher Spec. | 2316 * for the pending Cipher Spec. |
| 2294 * Called from: ssl3_SendClientKeyExchange (for Full handshake) | 2317 * Called from: ssl3_SendClientKeyExchange (for Full handshake) |
| 2295 * ssl3_HandleRSAClientKeyExchange (for Full handshake) | 2318 * ssl3_HandleRSAClientKeyExchange (for Full handshake) |
| 2296 * ssl3_HandleServerHello (for session restart) | 2319 * ssl3_HandleServerHello (for session restart) |
| 2297 * ssl3_HandleClientHello (for session restart) | 2320 * ssl3_HandleClientHello (for session restart) |
| 2298 * Sets error code, but caller probably should override to disambiguate. | 2321 * Sets error code, but caller probably should override to disambiguate. |
| 2299 * NULL pms means re-use old master_secret. | 2322 * NULL pms means re-use old master_secret. |
| 2300 * | 2323 * |
| 2301 * This code is common to the bypass and PKCS11 execution paths. | 2324 * This code is common to the bypass and PKCS11 execution paths. For |
| 2325 * the bypass case, pms is NULL. If the old master secret is reused, |
| 2326 * pms is NULL and the master secret is already in either |
| 2327 * pwSpec->msItem.len (the bypass case) or pwSpec->master_secret. |
| 2328 * |
| 2302 * For the bypass case, pms is NULL. | 2329 * For the bypass case, pms is NULL. |
| 2303 */ | 2330 */ |
| 2304 SECStatus | 2331 SECStatus |
| 2305 ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms) | 2332 ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms) |
| 2306 { | 2333 { |
| 2307 ssl3CipherSpec * pwSpec; | 2334 ssl3CipherSpec * pwSpec; |
| 2308 ssl3CipherSpec * cwSpec; | 2335 ssl3CipherSpec * cwSpec; |
| 2309 SECStatus rv; | 2336 SECStatus rv; |
| 2310 | 2337 |
| 2311 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 2338 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| (...skipping 363 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2675 const SSL3Opaque * pIn, | 2702 const SSL3Opaque * pIn, |
| 2676 PRUint32 contentLen, | 2703 PRUint32 contentLen, |
| 2677 sslBuffer * wrBuf) | 2704 sslBuffer * wrBuf) |
| 2678 { | 2705 { |
| 2679 const ssl3BulkCipherDef * cipher_def; | 2706 const ssl3BulkCipherDef * cipher_def; |
| 2680 SECStatus rv; | 2707 SECStatus rv; |
| 2681 PRUint32 macLen = 0; | 2708 PRUint32 macLen = 0; |
| 2682 PRUint32 fragLen; | 2709 PRUint32 fragLen; |
| 2683 PRUint32 p1Len, p2Len, oddLen = 0; | 2710 PRUint32 p1Len, p2Len, oddLen = 0; |
| 2684 PRUint16 headerLen; | 2711 PRUint16 headerLen; |
| 2685 int ivLen = 0; | 2712 unsigned int ivLen = 0; |
| 2686 int cipherBytes = 0; | 2713 int cipherBytes = 0; |
| 2687 unsigned char pseudoHeader[13]; | 2714 unsigned char pseudoHeader[13]; |
| 2688 unsigned int pseudoHeaderLen; | 2715 unsigned int pseudoHeaderLen; |
| 2689 | 2716 |
| 2690 cipher_def = cwSpec->cipher_def; | 2717 cipher_def = cwSpec->cipher_def; |
| 2691 headerLen = isDTLS ? DTLS_RECORD_HEADER_LENGTH : SSL3_RECORD_HEADER_LENGTH; | 2718 headerLen = isDTLS ? DTLS_RECORD_HEADER_LENGTH : SSL3_RECORD_HEADER_LENGTH; |
| 2692 | 2719 |
| 2693 if (cipher_def->type == type_block && | 2720 if (cipher_def->type == type_block && |
| 2694 cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { | 2721 cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { |
| 2695 /* Prepend the per-record explicit IV using technique 2b from | 2722 /* Prepend the per-record explicit IV using technique 2b from |
| (...skipping 541 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 3237 * This function returns SECSuccess or SECFailure, never SECWouldBlock. | 3264 * This function returns SECSuccess or SECFailure, never SECWouldBlock. |
| 3238 * Always set sendBuf.len to 0, even when returning SECFailure. | 3265 * Always set sendBuf.len to 0, even when returning SECFailure. |
| 3239 * | 3266 * |
| 3240 * Called from ssl3_FlushHandshake | 3267 * Called from ssl3_FlushHandshake |
| 3241 */ | 3268 */ |
| 3242 static SECStatus | 3269 static SECStatus |
| 3243 ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags) | 3270 ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags) |
| 3244 { | 3271 { |
| 3245 static const PRInt32 allowedFlags = ssl_SEND_FLAG_FORCE_INTO_BUFFER | | 3272 static const PRInt32 allowedFlags = ssl_SEND_FLAG_FORCE_INTO_BUFFER | |
| 3246 ssl_SEND_FLAG_CAP_RECORD_VERSION; | 3273 ssl_SEND_FLAG_CAP_RECORD_VERSION; |
| 3247 PRInt32 rv = SECSuccess; | 3274 PRInt32 count = -1; |
| 3275 SECStatus rv = SECSuccess; |
| 3248 | 3276 |
| 3249 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 3277 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| 3250 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); | 3278 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); |
| 3251 | 3279 |
| 3252 if (!ss->sec.ci.sendBuf.buf || !ss->sec.ci.sendBuf.len) | 3280 if (!ss->sec.ci.sendBuf.buf || !ss->sec.ci.sendBuf.len) |
| 3253 return rv; | 3281 return rv; |
| 3254 | 3282 |
| 3255 /* only these flags are allowed */ | 3283 /* only these flags are allowed */ |
| 3256 PORT_Assert(!(flags & ~allowedFlags)); | 3284 PORT_Assert(!(flags & ~allowedFlags)); |
| 3257 if ((flags & ~allowedFlags) != 0) { | 3285 if ((flags & ~allowedFlags) != 0) { |
| 3258 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 3286 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 3259 rv = SECFailure; | 3287 rv = SECFailure; |
| 3260 } else { | 3288 } else { |
| 3261 » rv = ssl3_SendRecord(ss, 0, content_handshake, ss->sec.ci.sendBuf.buf, | 3289 » count = ssl3_SendRecord(ss, 0, content_handshake, ss->sec.ci.sendBuf.buf
, |
| 3262 ss->sec.ci.sendBuf.len, flags); | 3290 ss->sec.ci.sendBuf.len, flags); |
| 3263 } | 3291 } |
| 3264 if (rv < 0) { | 3292 if (count < 0) { |
| 3265 int err = PORT_GetError(); | 3293 int err = PORT_GetError(); |
| 3266 PORT_Assert(err != PR_WOULD_BLOCK_ERROR); | 3294 PORT_Assert(err != PR_WOULD_BLOCK_ERROR); |
| 3267 if (err == PR_WOULD_BLOCK_ERROR) { | 3295 if (err == PR_WOULD_BLOCK_ERROR) { |
| 3268 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | 3296 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
| 3269 } | 3297 } |
| 3270 } else if (rv < ss->sec.ci.sendBuf.len) { | 3298 rv = SECFailure; |
| 3299 } else if ((unsigned int)count < ss->sec.ci.sendBuf.len) { |
| 3271 /* short write should never happen */ | 3300 /* short write should never happen */ |
| 3272 » PORT_Assert(rv >= ss->sec.ci.sendBuf.len); | 3301 » PORT_Assert((unsigned int)count >= ss->sec.ci.sendBuf.len); |
| 3273 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | 3302 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
| 3274 rv = SECFailure; | 3303 rv = SECFailure; |
| 3275 } else { | 3304 } else { |
| 3276 rv = SECSuccess; | 3305 rv = SECSuccess; |
| 3277 } | 3306 } |
| 3278 | 3307 |
| 3279 /* Whether we succeeded or failed, toss the old handshake data. */ | 3308 /* Whether we succeeded or failed, toss the old handshake data. */ |
| 3280 ss->sec.ci.sendBuf.len = 0; | 3309 ss->sec.ci.sendBuf.len = 0; |
| 3281 return rv; | 3310 return rv; |
| 3282 } | 3311 } |
| (...skipping 415 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 3698 /* If we are really through with the old cipher prSpec | 3727 /* If we are really through with the old cipher prSpec |
| 3699 * (Both the read and write sides have changed) destroy it. | 3728 * (Both the read and write sides have changed) destroy it. |
| 3700 */ | 3729 */ |
| 3701 if (ss->ssl3.prSpec == ss->ssl3.pwSpec) { | 3730 if (ss->ssl3.prSpec == ss->ssl3.pwSpec) { |
| 3702 ssl3_DestroyCipherSpec(ss->ssl3.prSpec, PR_FALSE/*freeSrvName*/); | 3731 ssl3_DestroyCipherSpec(ss->ssl3.prSpec, PR_FALSE/*freeSrvName*/); |
| 3703 } | 3732 } |
| 3704 ssl_ReleaseSpecWriteLock(ss); /*************************************/ | 3733 ssl_ReleaseSpecWriteLock(ss); /*************************************/ |
| 3705 return SECSuccess; | 3734 return SECSuccess; |
| 3706 } | 3735 } |
| 3707 | 3736 |
| 3708 /* This method uses PKCS11 to derive the MS from the PMS, where PMS | 3737 /* This method completes the derivation of the MS from the PMS. |
| 3709 ** is a PKCS11 symkey. This is used in all cases except the | 3738 ** |
| 3710 ** "triple bypass" with RSA key exchange. | 3739 ** 1. Derive the MS, if possible, else return an error. |
| 3711 ** Called from ssl3_InitPendingCipherSpec. prSpec is pwSpec. | 3740 ** |
| 3741 ** 2. Check the version if |pms_version| is non-zero and if wrong, |
| 3742 ** return an error. |
| 3743 ** |
| 3744 ** 3. If |msp| is nonzero, return MS in |*msp|. |
| 3745 |
| 3746 ** Called from: |
| 3747 ** ssl3_ComputeMasterSecretInt |
| 3748 ** tls_ComputeExtendedMasterSecretInt |
| 3712 */ | 3749 */ |
| 3713 static SECStatus | 3750 static SECStatus |
| 3714 ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms) | 3751 ssl3_ComputeMasterSecretFinish(sslSocket *ss, |
| 3752 CK_MECHANISM_TYPE master_derive, |
| 3753 CK_MECHANISM_TYPE key_derive, |
| 3754 CK_VERSION *pms_version, |
| 3755 SECItem *params, CK_FLAGS keyFlags, |
| 3756 PK11SymKey *pms, PK11SymKey **msp) |
| 3757 { |
| 3758 PK11SymKey *ms = NULL; |
| 3759 |
| 3760 ms = PK11_DeriveWithFlags(pms, master_derive, |
| 3761 params, key_derive, |
| 3762 CKA_DERIVE, 0, keyFlags); |
| 3763 if (!ms) { |
| 3764 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); |
| 3765 return SECFailure; |
| 3766 } |
| 3767 |
| 3768 if (pms_version && ss->opt.detectRollBack) { |
| 3769 SSL3ProtocolVersion client_version; |
| 3770 client_version = pms_version->major << 8 | pms_version->minor; |
| 3771 |
| 3772 if (IS_DTLS(ss)) { |
| 3773 client_version = dtls_DTLSVersionToTLSVersion(client_version); |
| 3774 } |
| 3775 |
| 3776 if (client_version != ss->clientHelloVersion) { |
| 3777 /* Destroy MS. Version roll-back detected. */ |
| 3778 PK11_FreeSymKey(ms); |
| 3779 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); |
| 3780 return SECFailure; |
| 3781 } |
| 3782 } |
| 3783 |
| 3784 if (msp) { |
| 3785 *msp = ms; |
| 3786 } else { |
| 3787 PK11_FreeSymKey(ms); |
| 3788 } |
| 3789 |
| 3790 return SECSuccess; |
| 3791 } |
| 3792 |
| 3793 /* Compute the ordinary (pre draft-ietf-tls-session-hash) master |
| 3794 ** secret and return it in |*msp|. |
| 3795 ** |
| 3796 ** Called from: ssl3_ComputeMasterSecret |
| 3797 */ |
| 3798 static SECStatus |
| 3799 ssl3_ComputeMasterSecretInt(sslSocket *ss, PK11SymKey *pms, |
| 3800 PK11SymKey **msp) |
| 3715 { | 3801 { |
| 3716 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec; | 3802 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec; |
| 3717 const ssl3KEADef *kea_def= ss->ssl3.hs.kea_def; | 3803 const ssl3KEADef *kea_def= ss->ssl3.hs.kea_def; |
| 3718 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random; | 3804 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random; |
| 3719 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random; | 3805 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random; |
| 3720 PRBool isTLS = (PRBool)(kea_def->tls_keygen || | 3806 PRBool isTLS = (PRBool)(kea_def->tls_keygen || |
| 3721 (pwSpec->version > SSL_LIBRARY_VERSION_3_0)); | 3807 (pwSpec->version > SSL_LIBRARY_VERSION_3_0)); |
| 3722 PRBool isTLS12= | 3808 PRBool isTLS12= |
| 3723 (PRBool)(isTLS && pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); | 3809 (PRBool)(isTLS && pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); |
| 3724 /* | 3810 /* |
| 3725 * Whenever isDH is true, we need to use CKM_TLS_MASTER_KEY_DERIVE_DH | 3811 * Whenever isDH is true, we need to use CKM_TLS_MASTER_KEY_DERIVE_DH |
| 3726 * which, unlike CKM_TLS_MASTER_KEY_DERIVE, converts arbitrary size | 3812 * which, unlike CKM_TLS_MASTER_KEY_DERIVE, converts arbitrary size |
| 3727 * data into a 48-byte value. | 3813 * data into a 48-byte value, and does not expect to return the version. |
| 3728 */ | 3814 */ |
| 3729 PRBool isDH = (PRBool) ((ss->ssl3.hs.kea_def->exchKeyType == kt_dh) || | 3815 PRBool isDH = (PRBool) ((ss->ssl3.hs.kea_def->exchKeyType == kt_dh) || |
| 3730 (ss->ssl3.hs.kea_def->exchKeyType == kt_ecdh)); | 3816 (ss->ssl3.hs.kea_def->exchKeyType == kt_ecdh)); |
| 3731 SECStatus rv = SECFailure; | |
| 3732 CK_MECHANISM_TYPE master_derive; | 3817 CK_MECHANISM_TYPE master_derive; |
| 3733 CK_MECHANISM_TYPE key_derive; | 3818 CK_MECHANISM_TYPE key_derive; |
| 3734 SECItem params; | 3819 SECItem params; |
| 3735 CK_FLAGS keyFlags; | 3820 CK_FLAGS keyFlags; |
| 3736 CK_VERSION pms_version; | 3821 CK_VERSION pms_version; |
| 3737 CK_SSL3_MASTER_KEY_DERIVE_PARAMS master_params; | 3822 CK_VERSION *pms_version_ptr = NULL; |
| 3823 /* master_params may be used as a CK_SSL3_MASTER_KEY_DERIVE_PARAMS */ |
| 3824 CK_TLS12_MASTER_KEY_DERIVE_PARAMS master_params; |
| 3825 unsigned int master_params_len; |
| 3738 | 3826 |
| 3739 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | |
| 3740 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); | |
| 3741 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); | |
| 3742 if (isTLS12) { | 3827 if (isTLS12) { |
| 3743 » if(isDH) master_derive = CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256; | 3828 » if(isDH) master_derive = CKM_TLS12_MASTER_KEY_DERIVE_DH; |
| 3744 » else master_derive = CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256; | 3829 » else master_derive = CKM_TLS12_MASTER_KEY_DERIVE; |
| 3745 » key_derive = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256; | 3830 » key_derive = CKM_TLS12_KEY_AND_MAC_DERIVE; |
| 3746 keyFlags = CKF_SIGN | CKF_VERIFY; | 3831 keyFlags = CKF_SIGN | CKF_VERIFY; |
| 3747 } else if (isTLS) { | 3832 } else if (isTLS) { |
| 3748 if(isDH) master_derive = CKM_TLS_MASTER_KEY_DERIVE_DH; | 3833 if(isDH) master_derive = CKM_TLS_MASTER_KEY_DERIVE_DH; |
| 3749 else master_derive = CKM_TLS_MASTER_KEY_DERIVE; | 3834 else master_derive = CKM_TLS_MASTER_KEY_DERIVE; |
| 3750 key_derive = CKM_TLS_KEY_AND_MAC_DERIVE; | 3835 key_derive = CKM_TLS_KEY_AND_MAC_DERIVE; |
| 3751 keyFlags = CKF_SIGN | CKF_VERIFY; | 3836 keyFlags = CKF_SIGN | CKF_VERIFY; |
| 3752 } else { | 3837 } else { |
| 3753 if (isDH) master_derive = CKM_SSL3_MASTER_KEY_DERIVE_DH; | 3838 if (isDH) master_derive = CKM_SSL3_MASTER_KEY_DERIVE_DH; |
| 3754 else master_derive = CKM_SSL3_MASTER_KEY_DERIVE; | 3839 else master_derive = CKM_SSL3_MASTER_KEY_DERIVE; |
| 3755 key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE; | 3840 key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE; |
| 3756 keyFlags = 0; | 3841 keyFlags = 0; |
| 3757 } | 3842 } |
| 3758 | 3843 |
| 3759 if (pms || !pwSpec->master_secret) { | 3844 if (!isDH) { |
| 3760 » if (isDH) { | 3845 pms_version_ptr = &pms_version; |
| 3761 » master_params.pVersion = NULL; | |
| 3762 » } else { | |
| 3763 » master_params.pVersion = &pms_version; | |
| 3764 » } | |
| 3765 » master_params.RandomInfo.pClientRandom = cr; | |
| 3766 » master_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH; | |
| 3767 » master_params.RandomInfo.pServerRandom = sr; | |
| 3768 » master_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH; | |
| 3769 | |
| 3770 » params.data = (unsigned char *) &master_params; | |
| 3771 » params.len = sizeof master_params; | |
| 3772 } | 3846 } |
| 3773 | 3847 |
| 3774 if (pms != NULL) { | 3848 master_params.pVersion = pms_version_ptr; |
| 3775 #if defined(TRACE) | 3849 master_params.RandomInfo.pClientRandom = cr; |
| 3776 » if (ssl_trace >= 100) { | 3850 master_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH; |
| 3777 » SECStatus extractRV = PK11_ExtractKeyValue(pms); | 3851 master_params.RandomInfo.pServerRandom = sr; |
| 3778 » if (extractRV == SECSuccess) { | 3852 master_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH; |
| 3779 » » SECItem * keyData = PK11_GetKeyData(pms); | 3853 if (isTLS12) { |
| 3780 » » if (keyData && keyData->data && keyData->len) { | 3854 master_params.prfHashMechanism = CKM_SHA256; |
| 3781 » » ssl_PrintBuf(ss, "Pre-Master Secret", | 3855 master_params_len = sizeof(CK_TLS12_MASTER_KEY_DERIVE_PARAMS); |
| 3782 » » » » keyData->data, keyData->len); | 3856 } else { |
| 3783 » » } | 3857 /* prfHashMechanism is not relevant with this PRF */ |
| 3784 » } | 3858 master_params_len = sizeof(CK_SSL3_MASTER_KEY_DERIVE_PARAMS); |
| 3785 » } | 3859 } |
| 3786 #endif | |
| 3787 » pwSpec->master_secret = PK11_DeriveWithFlags(pms, master_derive, | |
| 3788 » » » » ¶ms, key_derive, CKA_DERIVE, 0, keyFlags); | |
| 3789 » if (!isDH && pwSpec->master_secret && ss->opt.detectRollBack) { | |
| 3790 » SSL3ProtocolVersion client_version; | |
| 3791 » client_version = pms_version.major << 8 | pms_version.minor; | |
| 3792 | 3860 |
| 3793 » if (IS_DTLS(ss)) { | 3861 params.data = (unsigned char *) &master_params; |
| 3794 » » client_version = dtls_DTLSVersionToTLSVersion(client_version); | 3862 params.len = master_params_len; |
| 3795 » } | |
| 3796 | 3863 |
| 3797 » if (client_version != ss->clientHelloVersion) { | 3864 return ssl3_ComputeMasterSecretFinish(ss, master_derive, key_derive, |
| 3798 » » /* Destroy it. Version roll-back detected. */ | 3865 pms_version_ptr, ¶ms, |
| 3799 » » PK11_FreeSymKey(pwSpec->master_secret); | 3866 keyFlags, pms, msp); |
| 3800 » » pwSpec->master_secret = NULL; | 3867 } |
| 3801 » } | |
| 3802 » } | |
| 3803 » if (pwSpec->master_secret == NULL) { | |
| 3804 » /* Generate a faux master secret in the same slot as the old one. */ | |
| 3805 » PK11SlotInfo * slot = PK11_GetSlotFromKey((PK11SymKey *)pms); | |
| 3806 » PK11SymKey * fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot); | |
| 3807 | 3868 |
| 3808 » PK11_FreeSlot(slot); | 3869 /* Compute the draft-ietf-tls-session-hash master |
| 3809 » if (fpms != NULL) { | 3870 ** secret and return it in |*msp|. |
| 3810 » » pwSpec->master_secret = PK11_DeriveWithFlags(fpms, | 3871 ** |
| 3811 » » » » » master_derive, ¶ms, key_derive, | 3872 ** Called from: ssl3_ComputeMasterSecret |
| 3812 » » » » » CKA_DERIVE, 0, keyFlags); | 3873 */ |
| 3813 » » PK11_FreeSymKey(fpms); | 3874 static SECStatus |
| 3814 » } | 3875 tls_ComputeExtendedMasterSecretInt(sslSocket *ss, PK11SymKey *pms, |
| 3815 » } | 3876 PK11SymKey **msp) |
| 3877 { |
| 3878 ssl3CipherSpec *pwSpec = ss->ssl3.pwSpec; |
| 3879 CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS extended_master_params; |
| 3880 SSL3Hashes hashes; |
| 3881 /* |
| 3882 * Determine whether to use the DH/ECDH or RSA derivation modes. |
| 3883 */ |
| 3884 /* |
| 3885 * TODO(ekr@rtfm.com): Verify that the slot can handle this key expansion |
| 3886 * mode. Bug 1198298 */ |
| 3887 PRBool isDH = (PRBool) ((ss->ssl3.hs.kea_def->exchKeyType == kt_dh) || |
| 3888 (ss->ssl3.hs.kea_def->exchKeyType == kt_ecdh)); |
| 3889 CK_MECHANISM_TYPE master_derive; |
| 3890 CK_MECHANISM_TYPE key_derive; |
| 3891 SECItem params; |
| 3892 const CK_FLAGS keyFlags = CKF_SIGN | CKF_VERIFY; |
| 3893 CK_VERSION pms_version; |
| 3894 CK_VERSION *pms_version_ptr = NULL; |
| 3895 SECStatus rv; |
| 3896 |
| 3897 rv = ssl3_ComputeHandshakeHashes(ss, pwSpec, &hashes, 0); |
| 3898 if (rv != SECSuccess) { |
| 3899 PORT_Assert(0); /* Should never fail */ |
| 3900 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); |
| 3901 return SECFailure; |
| 3816 } | 3902 } |
| 3817 if (pwSpec->master_secret == NULL) { | |
| 3818 /* Generate a faux master secret from the internal slot. */ | |
| 3819 PK11SlotInfo * slot = PK11_GetInternalSlot(); | |
| 3820 PK11SymKey * fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot); | |
| 3821 | 3903 |
| 3822 » PK11_FreeSlot(slot); | 3904 if (isDH) { |
| 3823 » if (fpms != NULL) { | 3905 master_derive = CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH; |
| 3824 » pwSpec->master_secret = PK11_DeriveWithFlags(fpms, | 3906 } else { |
| 3825 » » » » » master_derive, ¶ms, key_derive, | 3907 master_derive = CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE; |
| 3826 » » » » » CKA_DERIVE, 0, keyFlags); | 3908 pms_version_ptr = &pms_version; |
| 3827 » if (pwSpec->master_secret == NULL) { | |
| 3828 » » pwSpec->master_secret = fpms; /* use the fpms as the master. */ | |
| 3829 » » fpms = NULL; | |
| 3830 » } | |
| 3831 » } | |
| 3832 » if (fpms) { | |
| 3833 » PK11_FreeSymKey(fpms); | |
| 3834 » } | |
| 3835 } | 3909 } |
| 3836 if (pwSpec->master_secret == NULL) { | 3910 |
| 3837 » ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); | 3911 if (pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2) { |
| 3838 » return rv; | 3912 /* TLS 1.2 */ |
| 3913 extended_master_params.prfHashMechanism = CKM_SHA256; |
| 3914 key_derive = CKM_TLS12_KEY_AND_MAC_DERIVE; |
| 3915 } else { |
| 3916 /* TLS < 1.2 */ |
| 3917 extended_master_params.prfHashMechanism = CKM_TLS_PRF; |
| 3918 » key_derive = CKM_TLS_KEY_AND_MAC_DERIVE; |
| 3839 } | 3919 } |
| 3920 |
| 3921 extended_master_params.pVersion = pms_version_ptr; |
| 3922 extended_master_params.pSessionHash = hashes.u.raw; |
| 3923 extended_master_params.ulSessionHashLen = hashes.len; |
| 3924 |
| 3925 params.data = (unsigned char *) &extended_master_params; |
| 3926 params.len = sizeof extended_master_params; |
| 3927 |
| 3928 return ssl3_ComputeMasterSecretFinish(ss, master_derive, key_derive, |
| 3929 pms_version_ptr, ¶ms, |
| 3930 keyFlags, pms, msp); |
| 3931 } |
| 3932 |
| 3933 |
| 3934 /* Wrapper method to compute the master secret and return it in |*msp|. |
| 3935 ** |
| 3936 ** Called from ssl3_ComputeMasterSecret |
| 3937 */ |
| 3938 static SECStatus |
| 3939 ssl3_ComputeMasterSecret(sslSocket *ss, PK11SymKey *pms, |
| 3940 PK11SymKey **msp) |
| 3941 { |
| 3942 PORT_Assert(pms != NULL); |
| 3943 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| 3944 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); |
| 3945 |
| 3946 if (ssl3_ExtensionNegotiated(ss, ssl_extended_master_secret_xtn)) { |
| 3947 return tls_ComputeExtendedMasterSecretInt(ss, pms, msp); |
| 3948 } else { |
| 3949 return ssl3_ComputeMasterSecretInt(ss, pms, msp); |
| 3950 } |
| 3951 } |
| 3952 |
| 3953 /* This method uses PKCS11 to derive the MS from the PMS, where PMS |
| 3954 ** is a PKCS11 symkey. We call ssl3_ComputeMasterSecret to do the |
| 3955 ** computations and then modify the pwSpec->state as a side effect. |
| 3956 ** |
| 3957 ** This is used in all cases except the "triple bypass" with RSA key |
| 3958 ** exchange. |
| 3959 ** |
| 3960 ** Called from ssl3_InitPendingCipherSpec. prSpec is pwSpec. |
| 3961 */ |
| 3962 static SECStatus |
| 3963 ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms) |
| 3964 { |
| 3965 SECStatus rv; |
| 3966 PK11SymKey* ms = NULL; |
| 3967 ssl3CipherSpec *pwSpec = ss->ssl3.pwSpec; |
| 3968 |
| 3969 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| 3970 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); |
| 3971 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); |
| 3972 |
| 3973 if (pms) { |
| 3974 rv = ssl3_ComputeMasterSecret(ss, pms, &ms); |
| 3975 pwSpec->master_secret = ms; |
| 3976 if (rv != SECSuccess) |
| 3977 return rv; |
| 3978 } |
| 3979 |
| 3840 #ifndef NO_PKCS11_BYPASS | 3980 #ifndef NO_PKCS11_BYPASS |
| 3841 if (ss->opt.bypassPKCS11) { | 3981 if (ss->opt.bypassPKCS11) { |
| 3842 SECItem * keydata; | 3982 SECItem * keydata; |
| 3843 /* In hope of doing a "double bypass", | 3983 /* In hope of doing a "double bypass", |
| 3844 * need to extract the master secret's value from the key object | 3984 * need to extract the master secret's value from the key object |
| 3845 * and store it raw in the sslSocket struct. | 3985 * and store it raw in the sslSocket struct. |
| 3846 */ | 3986 */ |
| 3847 rv = PK11_ExtractKeyValue(pwSpec->master_secret); | 3987 rv = PK11_ExtractKeyValue(pwSpec->master_secret); |
| 3848 if (rv != SECSuccess) { | 3988 if (rv != SECSuccess) { |
| 3849 return rv; | 3989 return rv; |
| 3850 » } | 3990 } |
| 3851 /* This returns the address of the secItem inside the key struct, | 3991 /* This returns the address of the secItem inside the key struct, |
| 3852 * not a copy or a reference. So, there's no need to free it. | 3992 * not a copy or a reference. So, there's no need to free it. |
| 3853 */ | 3993 */ |
| 3854 keydata = PK11_GetKeyData(pwSpec->master_secret); | 3994 keydata = PK11_GetKeyData(pwSpec->master_secret); |
| 3855 if (keydata && keydata->len <= sizeof pwSpec->raw_master_secret) { | 3995 if (keydata && keydata->len <= sizeof pwSpec->raw_master_secret) { |
| 3856 memcpy(pwSpec->raw_master_secret, keydata->data, keydata->len); | 3996 memcpy(pwSpec->raw_master_secret, keydata->data, keydata->len); |
| 3857 pwSpec->msItem.data = pwSpec->raw_master_secret; | 3997 pwSpec->msItem.data = pwSpec->raw_master_secret; |
| 3858 pwSpec->msItem.len = keydata->len; | 3998 pwSpec->msItem.len = keydata->len; |
| 3859 } else { | 3999 } else { |
| 3860 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | 4000 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
| 3861 return SECFailure; | 4001 return SECFailure; |
| 3862 } | 4002 } |
| 3863 } | 4003 } |
| 3864 #endif | 4004 #endif |
| 4005 |
| 3865 return SECSuccess; | 4006 return SECSuccess; |
| 3866 } | 4007 } |
| 3867 | 4008 |
| 3868 | |
| 3869 /* | 4009 /* |
| 3870 * Derive encryption and MAC Keys (and IVs) from master secret | 4010 * Derive encryption and MAC Keys (and IVs) from master secret |
| 3871 * Sets a useful error code when returning SECFailure. | 4011 * Sets a useful error code when returning SECFailure. |
| 3872 * | 4012 * |
| 3873 * Called only from ssl3_InitPendingCipherSpec(), | 4013 * Called only from ssl3_InitPendingCipherSpec(), |
| 3874 * which in turn is called from | 4014 * which in turn is called from |
| 3875 * sendRSAClientKeyExchange (for Full handshake) | 4015 * sendRSAClientKeyExchange (for Full handshake) |
| 3876 * sendDHClientKeyExchange (for Full handshake) | 4016 * sendDHClientKeyExchange (for Full handshake) |
| 3877 * ssl3_HandleClientKeyExchange (for Full handshake) | 4017 * ssl3_HandleClientKeyExchange (for Full handshake) |
| 3878 * ssl3_HandleServerHello (for session restart) | 4018 * ssl3_HandleServerHello (for session restart) |
| (...skipping 12 matching lines...) Expand all Loading... |
| 3891 PRBool isTLS = (PRBool)(kea_def->tls_keygen || | 4031 PRBool isTLS = (PRBool)(kea_def->tls_keygen || |
| 3892 (pwSpec->version > SSL_LIBRARY_VERSION_3_0)); | 4032 (pwSpec->version > SSL_LIBRARY_VERSION_3_0)); |
| 3893 PRBool isTLS12= | 4033 PRBool isTLS12= |
| 3894 (PRBool)(isTLS && pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); | 4034 (PRBool)(isTLS && pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); |
| 3895 /* following variables used in PKCS11 path */ | 4035 /* following variables used in PKCS11 path */ |
| 3896 const ssl3BulkCipherDef *cipher_def = pwSpec->cipher_def; | 4036 const ssl3BulkCipherDef *cipher_def = pwSpec->cipher_def; |
| 3897 PK11SlotInfo * slot = NULL; | 4037 PK11SlotInfo * slot = NULL; |
| 3898 PK11SymKey * symKey = NULL; | 4038 PK11SymKey * symKey = NULL; |
| 3899 void * pwArg = ss->pkcs11PinArg; | 4039 void * pwArg = ss->pkcs11PinArg; |
| 3900 int keySize; | 4040 int keySize; |
| 3901 CK_SSL3_KEY_MAT_PARAMS key_material_params; | 4041 CK_TLS12_KEY_MAT_PARAMS key_material_params; /* may be used as a |
| 4042 » » » » » » * CK_SSL3_KEY_MAT_PARAMS */ |
| 4043 unsigned int key_material_params_len; |
| 3902 CK_SSL3_KEY_MAT_OUT returnedKeys; | 4044 CK_SSL3_KEY_MAT_OUT returnedKeys; |
| 3903 CK_MECHANISM_TYPE key_derive; | 4045 CK_MECHANISM_TYPE key_derive; |
| 3904 CK_MECHANISM_TYPE bulk_mechanism; | 4046 CK_MECHANISM_TYPE bulk_mechanism; |
| 3905 SSLCipherAlgorithm calg; | 4047 SSLCipherAlgorithm calg; |
| 3906 SECItem params; | 4048 SECItem params; |
| 3907 PRBool skipKeysAndIVs = (PRBool)(cipher_def->calg == calg_null); | 4049 PRBool skipKeysAndIVs = (PRBool)(cipher_def->calg == calg_null); |
| 3908 | 4050 |
| 3909 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 4051 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| 3910 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); | 4052 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); |
| 3911 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); | 4053 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); |
| (...skipping 33 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 3945 key_material_params.ulKeySizeInBits = 0; | 4087 key_material_params.ulKeySizeInBits = 0; |
| 3946 key_material_params.ulIVSizeInBits = 0; | 4088 key_material_params.ulIVSizeInBits = 0; |
| 3947 returnedKeys.pIVClient = NULL; | 4089 returnedKeys.pIVClient = NULL; |
| 3948 returnedKeys.pIVServer = NULL; | 4090 returnedKeys.pIVServer = NULL; |
| 3949 } | 4091 } |
| 3950 | 4092 |
| 3951 calg = cipher_def->calg; | 4093 calg = cipher_def->calg; |
| 3952 PORT_Assert( alg2Mech[calg].calg == calg); | 4094 PORT_Assert( alg2Mech[calg].calg == calg); |
| 3953 bulk_mechanism = alg2Mech[calg].cmech; | 4095 bulk_mechanism = alg2Mech[calg].cmech; |
| 3954 | 4096 |
| 3955 params.data = (unsigned char *)&key_material_params; | |
| 3956 params.len = sizeof(key_material_params); | |
| 3957 | |
| 3958 if (isTLS12) { | 4097 if (isTLS12) { |
| 3959 » key_derive = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256; | 4098 » key_derive = CKM_TLS12_KEY_AND_MAC_DERIVE; |
| 4099 » key_material_params.prfHashMechanism = CKM_SHA256; |
| 4100 » key_material_params_len = sizeof(CK_TLS12_KEY_MAT_PARAMS); |
| 3960 } else if (isTLS) { | 4101 } else if (isTLS) { |
| 3961 key_derive = CKM_TLS_KEY_AND_MAC_DERIVE; | 4102 key_derive = CKM_TLS_KEY_AND_MAC_DERIVE; |
| 4103 key_material_params_len = sizeof(CK_SSL3_KEY_MAT_PARAMS); |
| 3962 } else { | 4104 } else { |
| 3963 key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE; | 4105 key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE; |
| 4106 key_material_params_len = sizeof(CK_SSL3_KEY_MAT_PARAMS); |
| 3964 } | 4107 } |
| 3965 | 4108 |
| 4109 params.data = (unsigned char *)&key_material_params; |
| 4110 params.len = key_material_params_len; |
| 4111 |
| 3966 /* CKM_SSL3_KEY_AND_MAC_DERIVE is defined to set ENCRYPT, DECRYPT, and | 4112 /* CKM_SSL3_KEY_AND_MAC_DERIVE is defined to set ENCRYPT, DECRYPT, and |
| 3967 * DERIVE by DEFAULT */ | 4113 * DERIVE by DEFAULT */ |
| 3968 symKey = PK11_Derive(pwSpec->master_secret, key_derive, ¶ms, | 4114 symKey = PK11_Derive(pwSpec->master_secret, key_derive, ¶ms, |
| 3969 bulk_mechanism, CKA_ENCRYPT, keySize); | 4115 bulk_mechanism, CKA_ENCRYPT, keySize); |
| 3970 if (!symKey) { | 4116 if (!symKey) { |
| 3971 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); | 4117 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); |
| 3972 return SECFailure; | 4118 return SECFailure; |
| 3973 } | 4119 } |
| 3974 /* we really should use the actual mac'ing mechanism here, but we | 4120 /* we really should use the actual mac'ing mechanism here, but we |
| 3975 * don't because these types are used to map keytype anyway and both | 4121 * don't because these types are used to map keytype anyway and both |
| (...skipping 290 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 4266 return SECSuccess; | 4412 return SECSuccess; |
| 4267 } | 4413 } |
| 4268 | 4414 |
| 4269 SECStatus | 4415 SECStatus |
| 4270 ssl3_AppendHandshakeNumber(sslSocket *ss, PRInt32 num, PRInt32 lenSize) | 4416 ssl3_AppendHandshakeNumber(sslSocket *ss, PRInt32 num, PRInt32 lenSize) |
| 4271 { | 4417 { |
| 4272 SECStatus rv; | 4418 SECStatus rv; |
| 4273 PRUint8 b[4]; | 4419 PRUint8 b[4]; |
| 4274 PRUint8 * p = b; | 4420 PRUint8 * p = b; |
| 4275 | 4421 |
| 4422 PORT_Assert(lenSize <= 4 && lenSize > 0); |
| 4423 if (lenSize < 4 && num >= (1L << (lenSize * 8))) { |
| 4424 PORT_SetError(SSL_ERROR_TX_RECORD_TOO_LONG); |
| 4425 return SECFailure; |
| 4426 } |
| 4427 |
| 4276 switch (lenSize) { | 4428 switch (lenSize) { |
| 4277 case 4: | 4429 case 4: |
| 4278 *p++ = (num >> 24) & 0xff; | 4430 *p++ = (num >> 24) & 0xff; |
| 4279 case 3: | 4431 case 3: |
| 4280 *p++ = (num >> 16) & 0xff; | 4432 *p++ = (num >> 16) & 0xff; |
| 4281 case 2: | 4433 case 2: |
| 4282 *p++ = (num >> 8) & 0xff; | 4434 *p++ = (num >> 8) & 0xff; |
| 4283 case 1: | 4435 case 1: |
| 4284 *p = num & 0xff; | 4436 *p = num & 0xff; |
| 4285 } | 4437 } |
| (...skipping 72 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 4358 } | 4510 } |
| 4359 } | 4511 } |
| 4360 | 4512 |
| 4361 return rv; /* error code set by AppendHandshake, if applicable. */ | 4513 return rv; /* error code set by AppendHandshake, if applicable. */ |
| 4362 } | 4514 } |
| 4363 | 4515 |
| 4364 /* ssl3_AppendSignatureAndHashAlgorithm appends the serialisation of | 4516 /* ssl3_AppendSignatureAndHashAlgorithm appends the serialisation of |
| 4365 * |sigAndHash| to the current handshake message. */ | 4517 * |sigAndHash| to the current handshake message. */ |
| 4366 SECStatus | 4518 SECStatus |
| 4367 ssl3_AppendSignatureAndHashAlgorithm( | 4519 ssl3_AppendSignatureAndHashAlgorithm( |
| 4368 » sslSocket *ss, const SSL3SignatureAndHashAlgorithm* sigAndHash) | 4520 sslSocket *ss, const SSLSignatureAndHashAlg* sigAndHash) |
| 4369 { | 4521 { |
| 4370 unsigned char serialized[2]; | 4522 PRUint8 serialized[2]; |
| 4371 | 4523 |
| 4372 serialized[0] = ssl3_OIDToTLSHashAlgorithm(sigAndHash->hashAlg); | 4524 serialized[0] = (PRUint8)sigAndHash->hashAlg; |
| 4373 if (serialized[0] == 0) { | 4525 serialized[1] = (PRUint8)sigAndHash->sigAlg; |
| 4374 » PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM); | |
| 4375 » return SECFailure; | |
| 4376 } | |
| 4377 | |
| 4378 serialized[1] = sigAndHash->sigAlg; | |
| 4379 | 4526 |
| 4380 return ssl3_AppendHandshake(ss, serialized, sizeof(serialized)); | 4527 return ssl3_AppendHandshake(ss, serialized, sizeof(serialized)); |
| 4381 } | 4528 } |
| 4382 | 4529 |
| 4383 /************************************************************************** | 4530 /************************************************************************** |
| 4384 * Consume Handshake functions. | 4531 * Consume Handshake functions. |
| 4385 * | 4532 * |
| 4386 * All data used in these functions is protected by two locks, | 4533 * All data used in these functions is protected by two locks, |
| 4387 * the RecvBufLock and the SSL3HandshakeLock | 4534 * the RecvBufLock and the SSL3HandshakeLock |
| 4388 **************************************************************************/ | 4535 **************************************************************************/ |
| (...skipping 74 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 4463 */ | 4610 */ |
| 4464 SECStatus | 4611 SECStatus |
| 4465 ssl3_ConsumeHandshakeVariable(sslSocket *ss, SECItem *i, PRInt32 bytes, | 4612 ssl3_ConsumeHandshakeVariable(sslSocket *ss, SECItem *i, PRInt32 bytes, |
| 4466 SSL3Opaque **b, PRUint32 *length) | 4613 SSL3Opaque **b, PRUint32 *length) |
| 4467 { | 4614 { |
| 4468 PRInt32 count; | 4615 PRInt32 count; |
| 4469 | 4616 |
| 4470 PORT_Assert(bytes <= 3); | 4617 PORT_Assert(bytes <= 3); |
| 4471 i->len = 0; | 4618 i->len = 0; |
| 4472 i->data = NULL; | 4619 i->data = NULL; |
| 4620 i->type = siBuffer; |
| 4473 count = ssl3_ConsumeHandshakeNumber(ss, bytes, b, length); | 4621 count = ssl3_ConsumeHandshakeNumber(ss, bytes, b, length); |
| 4474 if (count < 0) { /* Can't test for SECSuccess here. */ | 4622 if (count < 0) { /* Can't test for SECSuccess here. */ |
| 4475 return SECFailure; | 4623 return SECFailure; |
| 4476 } | 4624 } |
| 4477 if (count > 0) { | 4625 if (count > 0) { |
| 4478 if ((PRUint32)count > *length) { | 4626 if ((PRUint32)count > *length) { |
| 4479 return ssl3_DecodeError(ss); | 4627 return ssl3_DecodeError(ss); |
| 4480 } | 4628 } |
| 4481 i->data = *b; | 4629 i->data = *b; |
| 4482 i->len = count; | 4630 i->len = count; |
| 4483 *b += count; | 4631 *b += count; |
| 4484 *length -= count; | 4632 *length -= count; |
| 4485 } | 4633 } |
| 4486 return SECSuccess; | 4634 return SECSuccess; |
| 4487 } | 4635 } |
| 4488 | 4636 |
| 4489 /* tlsHashOIDMap contains the mapping between TLS hash identifiers and the | 4637 /* tlsHashOIDMap contains the mapping between TLS hash identifiers and the |
| 4490 * SECOidTag used internally by NSS. */ | 4638 * SECOidTag used internally by NSS. */ |
| 4491 static const struct { | 4639 static const struct { |
| 4492 int tlsHash; | 4640 SSLHashType tlsHash; |
| 4493 SECOidTag oid; | 4641 SECOidTag oid; |
| 4494 } tlsHashOIDMap[] = { | 4642 } tlsHashOIDMap[] = { |
| 4495 { tls_hash_md5, SEC_OID_MD5 }, | 4643 { ssl_hash_sha1, SEC_OID_SHA1 }, |
| 4496 { tls_hash_sha1, SEC_OID_SHA1 }, | 4644 { ssl_hash_sha256, SEC_OID_SHA256 }, |
| 4497 { tls_hash_sha224, SEC_OID_SHA224 }, | 4645 { ssl_hash_sha384, SEC_OID_SHA384 }, |
| 4498 { tls_hash_sha256, SEC_OID_SHA256 }, | 4646 { ssl_hash_sha512, SEC_OID_SHA512 } |
| 4499 { tls_hash_sha384, SEC_OID_SHA384 }, | |
| 4500 { tls_hash_sha512, SEC_OID_SHA512 } | |
| 4501 }; | 4647 }; |
| 4502 | 4648 |
| 4503 /* ssl3_TLSHashAlgorithmToOID converts a TLS hash identifier into an OID value. | 4649 /* ssl3_TLSHashAlgorithmToOID converts a TLS hash identifier into an OID value. |
| 4504 * If the hash is not recognised, SEC_OID_UNKNOWN is returned. | 4650 * If the hash is not recognised, SEC_OID_UNKNOWN is returned. |
| 4505 * | 4651 * |
| 4506 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ | 4652 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ |
| 4507 SECOidTag | 4653 SECOidTag |
| 4508 ssl3_TLSHashAlgorithmToOID(int hashFunc) | 4654 ssl3_TLSHashAlgorithmToOID(SSLHashType hashFunc) |
| 4509 { | 4655 { |
| 4510 unsigned int i; | 4656 unsigned int i; |
| 4511 | 4657 |
| 4512 for (i = 0; i < PR_ARRAY_SIZE(tlsHashOIDMap); i++) { | 4658 for (i = 0; i < PR_ARRAY_SIZE(tlsHashOIDMap); i++) { |
| 4513 if (hashFunc == tlsHashOIDMap[i].tlsHash) { | 4659 if (hashFunc == tlsHashOIDMap[i].tlsHash) { |
| 4514 return tlsHashOIDMap[i].oid; | 4660 return tlsHashOIDMap[i].oid; |
| 4515 } | 4661 } |
| 4516 } | 4662 } |
| 4517 return SEC_OID_UNKNOWN; | 4663 return SEC_OID_UNKNOWN; |
| 4518 } | 4664 } |
| 4519 | 4665 |
| 4520 /* ssl3_OIDToTLSHashAlgorithm converts an OID to a TLS hash algorithm | |
| 4521 * identifier. If the hash is not recognised, zero is returned. | |
| 4522 * | |
| 4523 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ | |
| 4524 static int | |
| 4525 ssl3_OIDToTLSHashAlgorithm(SECOidTag oid) | |
| 4526 { | |
| 4527 unsigned int i; | |
| 4528 | |
| 4529 for (i = 0; i < PR_ARRAY_SIZE(tlsHashOIDMap); i++) { | |
| 4530 if (oid == tlsHashOIDMap[i].oid) { | |
| 4531 return tlsHashOIDMap[i].tlsHash; | |
| 4532 } | |
| 4533 } | |
| 4534 return 0; | |
| 4535 } | |
| 4536 | |
| 4537 /* ssl3_TLSSignatureAlgorithmForKeyType returns the TLS 1.2 signature algorithm | 4666 /* ssl3_TLSSignatureAlgorithmForKeyType returns the TLS 1.2 signature algorithm |
| 4538 * identifier for a given KeyType. */ | 4667 * identifier for a given KeyType. */ |
| 4539 static SECStatus | 4668 static SECStatus |
| 4540 ssl3_TLSSignatureAlgorithmForKeyType(KeyType keyType, | 4669 ssl3_TLSSignatureAlgorithmForKeyType(KeyType keyType, SSLSignType *out) |
| 4541 » » » » TLSSignatureAlgorithm *out) | |
| 4542 { | 4670 { |
| 4543 switch (keyType) { | 4671 switch (keyType) { |
| 4544 case rsaKey: | 4672 case rsaKey: |
| 4545 » *out = tls_sig_rsa; | 4673 *out = ssl_sign_rsa; |
| 4546 » return SECSuccess; | 4674 return SECSuccess; |
| 4547 case dsaKey: | 4675 case dsaKey: |
| 4548 » *out = tls_sig_dsa; | 4676 *out = ssl_sign_dsa; |
| 4549 » return SECSuccess; | 4677 return SECSuccess; |
| 4550 case ecKey: | 4678 case ecKey: |
| 4551 » *out = tls_sig_ecdsa; | 4679 *out = ssl_sign_ecdsa; |
| 4552 » return SECSuccess; | 4680 return SECSuccess; |
| 4553 default: | 4681 default: |
| 4554 » PORT_SetError(SEC_ERROR_INVALID_KEY); | 4682 PORT_SetError(SEC_ERROR_INVALID_KEY); |
| 4555 » return SECFailure; | 4683 return SECFailure; |
| 4556 } | 4684 } |
| 4557 } | 4685 } |
| 4558 | 4686 |
| 4559 /* ssl3_TLSSignatureAlgorithmForCertificate returns the TLS 1.2 signature | 4687 /* ssl3_TLSSignatureAlgorithmForCertificate returns the TLS 1.2 signature |
| 4560 * algorithm identifier for the given certificate. */ | 4688 * algorithm identifier for the given certificate. */ |
| 4561 static SECStatus | 4689 static SECStatus |
| 4562 ssl3_TLSSignatureAlgorithmForCertificate(CERTCertificate *cert, | 4690 ssl3_TLSSignatureAlgorithmForCertificate(CERTCertificate *cert, |
| 4563 » » » » » TLSSignatureAlgorithm *out) | 4691 SSLSignType *out) |
| 4564 { | 4692 { |
| 4565 SECKEYPublicKey *key; | 4693 SECKEYPublicKey *key; |
| 4566 KeyType keyType; | 4694 KeyType keyType; |
| 4567 | 4695 |
| 4568 key = CERT_ExtractPublicKey(cert); | 4696 key = CERT_ExtractPublicKey(cert); |
| 4569 if (key == NULL) { | 4697 if (key == NULL) { |
| 4570 » ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); | 4698 ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); |
| 4571 » return SECFailure; | 4699 return SECFailure; |
| 4572 } | 4700 } |
| 4573 | 4701 |
| 4574 keyType = key->keyType; | 4702 keyType = key->keyType; |
| 4575 SECKEY_DestroyPublicKey(key); | 4703 SECKEY_DestroyPublicKey(key); |
| 4576 return ssl3_TLSSignatureAlgorithmForKeyType(keyType, out); | 4704 return ssl3_TLSSignatureAlgorithmForKeyType(keyType, out); |
| 4577 } | 4705 } |
| 4578 | 4706 |
| 4579 /* ssl3_CheckSignatureAndHashAlgorithmConsistency checks that the signature | 4707 /* ssl3_CheckSignatureAndHashAlgorithmConsistency checks that the signature |
| 4580 * algorithm identifier in |sigAndHash| is consistent with the public key in | 4708 * algorithm identifier in |sigAndHash| is consistent with the public key in |
| 4581 * |cert|. If so, SECSuccess is returned. Otherwise, PORT_SetError is called | 4709 * |cert|. It also checks the hash algorithm against the configured signature |
| 4582 * and SECFailure is returned. */ | 4710 * algorithms. If all the tests pass, SECSuccess is returned. Otherwise, |
| 4711 * PORT_SetError is called and SECFailure is returned. */ |
| 4583 SECStatus | 4712 SECStatus |
| 4584 ssl3_CheckSignatureAndHashAlgorithmConsistency( | 4713 ssl3_CheckSignatureAndHashAlgorithmConsistency( |
| 4585 » const SSL3SignatureAndHashAlgorithm *sigAndHash, CERTCertificate* cert) | 4714 sslSocket *ss, const SSLSignatureAndHashAlg *sigAndHash, |
| 4715 CERTCertificate* cert) |
| 4586 { | 4716 { |
| 4587 SECStatus rv; | 4717 SECStatus rv; |
| 4588 TLSSignatureAlgorithm sigAlg; | 4718 SSLSignType sigAlg; |
| 4719 unsigned int i; |
| 4589 | 4720 |
| 4590 rv = ssl3_TLSSignatureAlgorithmForCertificate(cert, &sigAlg); | 4721 rv = ssl3_TLSSignatureAlgorithmForCertificate(cert, &sigAlg); |
| 4591 if (rv != SECSuccess) { | 4722 if (rv != SECSuccess) { |
| 4592 » return rv; | 4723 return rv; |
| 4593 } | 4724 } |
| 4594 if (sigAlg != sigAndHash->sigAlg) { | 4725 if (sigAlg != sigAndHash->sigAlg) { |
| 4595 » PORT_SetError(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM); | 4726 PORT_SetError(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM); |
| 4596 » return SECFailure; | 4727 return SECFailure; |
| 4597 } | 4728 } |
| 4598 return SECSuccess; | 4729 |
| 4730 for (i = 0; i < ss->ssl3.signatureAlgorithmCount; ++i) { |
| 4731 const SSLSignatureAndHashAlg *alg = &ss->ssl3.signatureAlgorithms[i]; |
| 4732 if (sigAndHash->sigAlg == alg->sigAlg && |
| 4733 sigAndHash->hashAlg == alg->hashAlg) { |
| 4734 return SECSuccess; |
| 4735 } |
| 4736 } |
| 4737 PORT_SetError(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM); |
| 4738 return SECFailure; |
| 4739 } |
| 4740 |
| 4741 PRBool |
| 4742 ssl3_IsSupportedSignatureAlgorithm(const SSLSignatureAndHashAlg *alg) |
| 4743 { |
| 4744 static const SSLHashType supportedHashes[] = { |
| 4745 ssl_hash_sha1, |
| 4746 ssl_hash_sha256, |
| 4747 ssl_hash_sha384, |
| 4748 ssl_hash_sha512 |
| 4749 }; |
| 4750 |
| 4751 static const SSLSignType supportedSigAlgs[] = { |
| 4752 ssl_sign_rsa, |
| 4753 #ifndef NSS_DISABLE_ECC |
| 4754 ssl_sign_ecdsa, |
| 4755 #endif |
| 4756 ssl_sign_dsa |
| 4757 }; |
| 4758 |
| 4759 unsigned int i; |
| 4760 PRBool hashOK = PR_FALSE; |
| 4761 PRBool signOK = PR_FALSE; |
| 4762 |
| 4763 for (i = 0; i < PR_ARRAY_SIZE(supportedHashes); ++i) { |
| 4764 if (alg->hashAlg == supportedHashes[i]) { |
| 4765 hashOK = PR_TRUE; |
| 4766 break; |
| 4767 } |
| 4768 } |
| 4769 |
| 4770 for (i = 0; i < PR_ARRAY_SIZE(supportedSigAlgs); ++i) { |
| 4771 if (alg->sigAlg == supportedSigAlgs[i]) { |
| 4772 signOK = PR_TRUE; |
| 4773 break; |
| 4774 } |
| 4775 } |
| 4776 |
| 4777 return hashOK && signOK; |
| 4599 } | 4778 } |
| 4600 | 4779 |
| 4601 /* ssl3_ConsumeSignatureAndHashAlgorithm reads a SignatureAndHashAlgorithm | 4780 /* ssl3_ConsumeSignatureAndHashAlgorithm reads a SignatureAndHashAlgorithm |
| 4602 * structure from |b| and puts the resulting value into |out|. |b| and |length| | 4781 * structure from |b| and puts the resulting value into |out|. |b| and |length| |
| 4603 * are updated accordingly. | 4782 * are updated accordingly. |
| 4604 * | 4783 * |
| 4605 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ | 4784 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ |
| 4606 SECStatus | 4785 SECStatus |
| 4607 ssl3_ConsumeSignatureAndHashAlgorithm(sslSocket *ss, | 4786 ssl3_ConsumeSignatureAndHashAlgorithm(sslSocket *ss, |
| 4608 » » » » SSL3Opaque **b, | 4787 SSL3Opaque **b, |
| 4609 » » » » PRUint32 *length, | 4788 PRUint32 *length, |
| 4610 » » » » SSL3SignatureAndHashAlgorithm *out) | 4789 SSLSignatureAndHashAlg *out) |
| 4611 { | 4790 { |
| 4612 unsigned char bytes[2]; | 4791 PRUint8 bytes[2]; |
| 4613 SECStatus rv; | 4792 SECStatus rv; |
| 4614 | 4793 |
| 4615 rv = ssl3_ConsumeHandshake(ss, bytes, sizeof(bytes), b, length); | 4794 rv = ssl3_ConsumeHandshake(ss, bytes, sizeof(bytes), b, length); |
| 4616 if (rv != SECSuccess) { | 4795 if (rv != SECSuccess) { |
| 4617 » return rv; | 4796 return rv; |
| 4618 } | 4797 } |
| 4619 | 4798 |
| 4620 out->hashAlg = ssl3_TLSHashAlgorithmToOID(bytes[0]); | 4799 out->hashAlg = (SSLHashType)bytes[0]; |
| 4621 if (out->hashAlg == SEC_OID_UNKNOWN) { | 4800 out->sigAlg = (SSLSignType)bytes[1]; |
| 4622 » PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM); | 4801 if (!ssl3_IsSupportedSignatureAlgorithm(out)) { |
| 4623 » return SECFailure; | 4802 PORT_SetError(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM); |
| 4803 return SECFailure; |
| 4624 } | 4804 } |
| 4625 | |
| 4626 out->sigAlg = bytes[1]; | |
| 4627 return SECSuccess; | 4805 return SECSuccess; |
| 4628 } | 4806 } |
| 4629 | 4807 |
| 4630 /************************************************************************** | 4808 /************************************************************************** |
| 4631 * end of Consume Handshake functions. | 4809 * end of Consume Handshake functions. |
| 4632 **************************************************************************/ | 4810 **************************************************************************/ |
| 4633 | 4811 |
| 4634 /* Extract the hashes of handshake messages to this point. | 4812 /* Extract the hashes of handshake messages to this point. |
| 4635 * Called from ssl3_SendCertificateVerify | 4813 * Called from ssl3_SendCertificateVerify |
| 4636 * ssl3_SendFinished | 4814 * ssl3_SendFinished |
| 4637 * ssl3_HandleHandshakeMessage | 4815 * ssl3_HandleHandshakeMessage |
| 4638 * | 4816 * |
| 4639 * Caller must hold the SSL3HandshakeLock. | 4817 * Caller must hold the SSL3HandshakeLock. |
| 4640 * Caller must hold a read or write lock on the Spec R/W lock. | 4818 * Caller must hold a read or write lock on the Spec R/W lock. |
| 4641 * (There is presently no way to assert on a Read lock.) | 4819 * (There is presently no way to assert on a Read lock.) |
| 4642 */ | 4820 */ |
| 4643 static SECStatus | 4821 static SECStatus |
| 4644 ssl3_ComputeHandshakeHashes(sslSocket * ss, | 4822 ssl3_ComputeHandshakeHashes(sslSocket * ss, |
| 4645 ssl3CipherSpec *spec, /* uses ->master_secret */ | 4823 ssl3CipherSpec *spec, /* uses ->master_secret */ |
| 4646 SSL3Hashes * hashes, /* output goes here. */ | 4824 SSL3Hashes * hashes, /* output goes here. */ |
| 4647 PRUint32 sender) | 4825 PRUint32 sender) |
| 4648 { | 4826 { |
| 4649 SECStatus rv = SECSuccess; | 4827 SECStatus rv = SECSuccess; |
| 4650 PRBool isTLS = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0); | 4828 PRBool isTLS = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0); |
| 4651 unsigned int outLength; | 4829 unsigned int outLength; |
| 4652 SSL3Opaque md5_inner[MAX_MAC_LENGTH]; | 4830 SSL3Opaque md5_inner[MAX_MAC_LENGTH]; |
| 4653 SSL3Opaque sha_inner[MAX_MAC_LENGTH]; | 4831 SSL3Opaque sha_inner[MAX_MAC_LENGTH]; |
| 4654 | 4832 |
| 4655 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 4833 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
| 4656 hashes->hashAlg = SEC_OID_UNKNOWN; | 4834 if (ss->ssl3.hs.hashType == handshake_hash_unknown) { |
| 4835 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
| 4836 return SECFailure; |
| 4837 } |
| 4838 |
| 4839 hashes->hashAlg = ssl_hash_none; |
| 4657 | 4840 |
| 4658 #ifndef NO_PKCS11_BYPASS | 4841 #ifndef NO_PKCS11_BYPASS |
| 4659 if (ss->opt.bypassPKCS11 && | 4842 if (ss->opt.bypassPKCS11 && |
| 4660 ss->ssl3.hs.hashType == handshake_hash_single) { | 4843 ss->ssl3.hs.hashType == handshake_hash_single) { |
| 4661 /* compute them without PKCS11 */ | 4844 /* compute them without PKCS11 */ |
| 4662 PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS]; | 4845 PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS]; |
| 4663 | 4846 |
| 4664 if (!spec->msItem.data) { | |
| 4665 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE); | |
| 4666 return SECFailure; | |
| 4667 } | |
| 4668 | |
| 4669 ss->ssl3.hs.sha_clone(sha_cx, ss->ssl3.hs.sha_cx); | 4847 ss->ssl3.hs.sha_clone(sha_cx, ss->ssl3.hs.sha_cx); |
| 4670 ss->ssl3.hs.sha_obj->end(sha_cx, hashes->u.raw, &hashes->len, | 4848 ss->ssl3.hs.sha_obj->end(sha_cx, hashes->u.raw, &hashes->len, |
| 4671 sizeof(hashes->u.raw)); | 4849 sizeof(hashes->u.raw)); |
| 4672 | 4850 |
| 4673 PRINT_BUF(60, (NULL, "SHA-256: result", hashes->u.raw, hashes->len)); | 4851 PRINT_BUF(60, (NULL, "SHA-256: result", hashes->u.raw, hashes->len)); |
| 4674 | 4852 |
| 4675 /* If we ever support ciphersuites where the PRF hash isn't SHA-256 | 4853 /* If we ever support ciphersuites where the PRF hash isn't SHA-256 |
| 4676 * then this will need to be updated. */ | 4854 * then this will need to be updated. */ |
| 4677 » hashes->hashAlg = SEC_OID_SHA256; | 4855 » hashes->hashAlg = ssl_hash_sha256; |
| 4678 rv = SECSuccess; | 4856 rv = SECSuccess; |
| 4679 } else if (ss->opt.bypassPKCS11) { | 4857 } else if (ss->opt.bypassPKCS11) { |
| 4680 /* compute them without PKCS11 */ | 4858 /* compute them without PKCS11 */ |
| 4681 PRUint64 md5_cx[MAX_MAC_CONTEXT_LLONGS]; | 4859 PRUint64 md5_cx[MAX_MAC_CONTEXT_LLONGS]; |
| 4682 PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS]; | 4860 PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS]; |
| 4683 | 4861 |
| 4684 #define md5cx ((MD5Context *)md5_cx) | 4862 #define md5cx ((MD5Context *)md5_cx) |
| 4685 #define shacx ((SHA1Context *)sha_cx) | 4863 #define shacx ((SHA1Context *)sha_cx) |
| 4686 | 4864 |
| 4687 if (!spec->msItem.data) { | |
| 4688 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE); | |
| 4689 return SECFailure; | |
| 4690 } | |
| 4691 | |
| 4692 MD5_Clone (md5cx, (MD5Context *)ss->ssl3.hs.md5_cx); | 4865 MD5_Clone (md5cx, (MD5Context *)ss->ssl3.hs.md5_cx); |
| 4693 SHA1_Clone(shacx, (SHA1Context *)ss->ssl3.hs.sha_cx); | 4866 SHA1_Clone(shacx, (SHA1Context *)ss->ssl3.hs.sha_cx); |
| 4694 | 4867 |
| 4695 if (!isTLS) { | 4868 if (!isTLS) { |
| 4696 /* compute hashes for SSL3. */ | 4869 /* compute hashes for SSL3. */ |
| 4697 unsigned char s[4]; | 4870 unsigned char s[4]; |
| 4698 | 4871 |
| 4872 if (!spec->msItem.data) { |
| 4873 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE); |
| 4874 return SECFailure; |
| 4875 } |
| 4876 |
| 4699 s[0] = (unsigned char)(sender >> 24); | 4877 s[0] = (unsigned char)(sender >> 24); |
| 4700 s[1] = (unsigned char)(sender >> 16); | 4878 s[1] = (unsigned char)(sender >> 16); |
| 4701 s[2] = (unsigned char)(sender >> 8); | 4879 s[2] = (unsigned char)(sender >> 8); |
| 4702 s[3] = (unsigned char)sender; | 4880 s[3] = (unsigned char)sender; |
| 4703 | 4881 |
| 4704 if (sender != 0) { | 4882 if (sender != 0) { |
| 4705 MD5_Update(md5cx, s, 4); | 4883 MD5_Update(md5cx, s, 4); |
| 4706 PRINT_BUF(95, (NULL, "MD5 inner: sender", s, 4)); | 4884 PRINT_BUF(95, (NULL, "MD5 inner: sender", s, 4)); |
| 4707 } | 4885 } |
| 4708 | 4886 |
| (...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 4761 #undef shacx | 4939 #undef shacx |
| 4762 } else | 4940 } else |
| 4763 #endif | 4941 #endif |
| 4764 if (ss->ssl3.hs.hashType == handshake_hash_single) { | 4942 if (ss->ssl3.hs.hashType == handshake_hash_single) { |
| 4765 /* compute hashes with PKCS11 */ | 4943 /* compute hashes with PKCS11 */ |
| 4766 PK11Context *h; | 4944 PK11Context *h; |
| 4767 unsigned int stateLen; | 4945 unsigned int stateLen; |
| 4768 unsigned char stackBuf[1024]; | 4946 unsigned char stackBuf[1024]; |
| 4769 unsigned char *stateBuf = NULL; | 4947 unsigned char *stateBuf = NULL; |
| 4770 | 4948 |
| 4771 if (!spec->master_secret) { | |
| 4772 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE); | |
| 4773 return SECFailure; | |
| 4774 } | |
| 4775 | |
| 4776 h = ss->ssl3.hs.sha; | 4949 h = ss->ssl3.hs.sha; |
| 4777 stateBuf = PK11_SaveContextAlloc(h, stackBuf, | 4950 stateBuf = PK11_SaveContextAlloc(h, stackBuf, |
| 4778 sizeof(stackBuf), &stateLen); | 4951 sizeof(stackBuf), &stateLen); |
| 4779 if (stateBuf == NULL) { | 4952 if (stateBuf == NULL) { |
| 4780 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); | 4953 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); |
| 4781 goto tls12_loser; | 4954 goto tls12_loser; |
| 4782 } | 4955 } |
| 4783 rv |= PK11_DigestFinal(h, hashes->u.raw, &hashes->len, | 4956 rv |= PK11_DigestFinal(h, hashes->u.raw, &hashes->len, |
| 4784 sizeof(hashes->u.raw)); | 4957 sizeof(hashes->u.raw)); |
| 4785 if (rv != SECSuccess) { | 4958 if (rv != SECSuccess) { |
| 4786 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); | 4959 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); |
| 4787 rv = SECFailure; | 4960 rv = SECFailure; |
| 4788 goto tls12_loser; | 4961 goto tls12_loser; |
| 4789 } | 4962 } |
| 4790 /* If we ever support ciphersuites where the PRF hash isn't SHA-256 | 4963 /* If we ever support ciphersuites where the PRF hash isn't SHA-256 |
| 4791 * then this will need to be updated. */ | 4964 * then this will need to be updated. */ |
| 4792 » hashes->hashAlg = SEC_OID_SHA256; | 4965 » hashes->hashAlg = ssl_hash_sha256; |
| 4793 rv = SECSuccess; | 4966 rv = SECSuccess; |
| 4794 | 4967 |
| 4795 tls12_loser: | 4968 tls12_loser: |
| 4796 if (stateBuf) { | 4969 if (stateBuf) { |
| 4797 if (PK11_RestoreContext(h, stateBuf, stateLen) != SECSuccess) { | 4970 if (PK11_RestoreContext(h, stateBuf, stateLen) != SECSuccess) { |
| 4798 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); | 4971 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); |
| 4799 rv = SECFailure; | 4972 rv = SECFailure; |
| 4800 } | 4973 } |
| 4801 if (stateBuf != stackBuf) { | 4974 if (stateBuf != stackBuf) { |
| 4802 PORT_ZFree(stateBuf, stateLen); | 4975 PORT_ZFree(stateBuf, stateLen); |
| 4803 } | 4976 } |
| 4804 } | 4977 } |
| 4805 } else { | 4978 } else { |
| 4806 /* compute hashes with PKCS11 */ | 4979 /* compute hashes with PKCS11 */ |
| 4807 PK11Context * md5; | 4980 PK11Context * md5; |
| 4808 PK11Context * sha = NULL; | 4981 PK11Context * sha = NULL; |
| 4809 unsigned char *md5StateBuf = NULL; | 4982 unsigned char *md5StateBuf = NULL; |
| 4810 unsigned char *shaStateBuf = NULL; | 4983 unsigned char *shaStateBuf = NULL; |
| 4811 unsigned int md5StateLen, shaStateLen; | 4984 unsigned int md5StateLen, shaStateLen; |
| 4812 unsigned char md5StackBuf[256]; | 4985 unsigned char md5StackBuf[256]; |
| 4813 unsigned char shaStackBuf[512]; | 4986 unsigned char shaStackBuf[512]; |
| 4814 | 4987 |
| 4815 if (!spec->master_secret) { | |
| 4816 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE); | |
| 4817 return SECFailure; | |
| 4818 } | |
| 4819 | |
| 4820 md5StateBuf = PK11_SaveContextAlloc(ss->ssl3.hs.md5, md5StackBuf, | 4988 md5StateBuf = PK11_SaveContextAlloc(ss->ssl3.hs.md5, md5StackBuf, |
| 4821 sizeof md5StackBuf, &md5StateLen); | 4989 sizeof md5StackBuf, &md5StateLen); |
| 4822 if (md5StateBuf == NULL) { | 4990 if (md5StateBuf == NULL) { |
| 4823 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); | 4991 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); |
| 4824 goto loser; | 4992 goto loser; |
| 4825 } | 4993 } |
| 4826 md5 = ss->ssl3.hs.md5; | 4994 md5 = ss->ssl3.hs.md5; |
| 4827 | 4995 |
| 4828 shaStateBuf = PK11_SaveContextAlloc(ss->ssl3.hs.sha, shaStackBuf, | 4996 shaStateBuf = PK11_SaveContextAlloc(ss->ssl3.hs.sha, shaStackBuf, |
| 4829 sizeof shaStackBuf, &shaStateLen); | 4997 sizeof shaStackBuf, &shaStateLen); |
| 4830 if (shaStateBuf == NULL) { | 4998 if (shaStateBuf == NULL) { |
| 4831 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); | 4999 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
| 4832 goto loser; | 5000 goto loser; |
| 4833 } | 5001 } |
| 4834 sha = ss->ssl3.hs.sha; | 5002 sha = ss->ssl3.hs.sha; |
| 4835 | 5003 |
| 4836 if (!isTLS) { | 5004 if (!isTLS) { |
| 4837 /* compute hashes for SSL3. */ | 5005 /* compute hashes for SSL3. */ |
| 4838 unsigned char s[4]; | 5006 unsigned char s[4]; |
| 4839 | 5007 |
| 5008 if (!spec->master_secret) { |
| 5009 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE); |
| 5010 return SECFailure; |
| 5011 } |
| 5012 |
| 4840 s[0] = (unsigned char)(sender >> 24); | 5013 s[0] = (unsigned char)(sender >> 24); |
| 4841 s[1] = (unsigned char)(sender >> 16); | 5014 s[1] = (unsigned char)(sender >> 16); |
| 4842 s[2] = (unsigned char)(sender >> 8); | 5015 s[2] = (unsigned char)(sender >> 8); |
| 4843 s[3] = (unsigned char)sender; | 5016 s[3] = (unsigned char)sender; |
| 4844 | 5017 |
| 4845 if (sender != 0) { | 5018 if (sender != 0) { |
| 4846 rv |= PK11_DigestOp(md5, s, 4); | 5019 rv |= PK11_DigestOp(md5, s, 4); |
| 4847 PRINT_BUF(95, (NULL, "MD5 inner: sender", s, 4)); | 5020 PRINT_BUF(95, (NULL, "MD5 inner: sender", s, 4)); |
| 4848 } | 5021 } |
| 4849 | 5022 |
| (...skipping 111 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 4961 PORT_Assert( !ss->sec.isServer ); | 5134 PORT_Assert( !ss->sec.isServer ); |
| 4962 PORT_Assert( ss->ssl3.hs.hashType == handshake_hash_single ); | 5135 PORT_Assert( ss->ssl3.hs.hashType == handshake_hash_single ); |
| 4963 | 5136 |
| 4964 rv = PK11_DigestFinal(ss->ssl3.hs.backupHash, hashes->u.raw, &hashes->len, | 5137 rv = PK11_DigestFinal(ss->ssl3.hs.backupHash, hashes->u.raw, &hashes->len, |
| 4965 sizeof(hashes->u.raw)); | 5138 sizeof(hashes->u.raw)); |
| 4966 if (rv != SECSuccess) { | 5139 if (rv != SECSuccess) { |
| 4967 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); | 5140 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
| 4968 rv = SECFailure; | 5141 rv = SECFailure; |
| 4969 goto loser; | 5142 goto loser; |
| 4970 } | 5143 } |
| 4971 hashes->hashAlg = SEC_OID_SHA1; | 5144 hashes->hashAlg = ssl_hash_sha1; |
| 4972 | 5145 |
| 4973 loser: | 5146 loser: |
| 4974 PK11_DestroyContext(ss->ssl3.hs.backupHash, PR_TRUE); | 5147 PK11_DestroyContext(ss->ssl3.hs.backupHash, PR_TRUE); |
| 4975 ss->ssl3.hs.backupHash = NULL; | 5148 ss->ssl3.hs.backupHash = NULL; |
| 4976 return rv; | 5149 return rv; |
| 4977 } | 5150 } |
| 4978 | 5151 |
| 4979 /* | 5152 /* |
| 4980 * SSL 2 based implementations pass in the initial outbound buffer | 5153 * SSL 2 based implementations pass in the initial outbound buffer |
| 4981 * so that the handshake hash can contain the included information. | 5154 * so that the handshake hash can contain the included information. |
| (...skipping 60 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 5042 SSL_TRC(3, ("%d: SSL3[%d]: send client_hello handshake", SSL_GETPID(), | 5215 SSL_TRC(3, ("%d: SSL3[%d]: send client_hello handshake", SSL_GETPID(), |
| 5043 ss->fd)); | 5216 ss->fd)); |
| 5044 | 5217 |
| 5045 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 5218 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
| 5046 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); | 5219 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); |
| 5047 | 5220 |
| 5048 rv = ssl3_InitState(ss); | 5221 rv = ssl3_InitState(ss); |
| 5049 if (rv != SECSuccess) { | 5222 if (rv != SECSuccess) { |
| 5050 return rv; /* ssl3_InitState has set the error code. */ | 5223 return rv; /* ssl3_InitState has set the error code. */ |
| 5051 } | 5224 } |
| 5052 ss->ssl3.hs.sendingSCSV = PR_FALSE; /* Must be reset every handshake */ | 5225 /* These must be reset every handshake. */ |
| 5226 ss->ssl3.hs.sendingSCSV = PR_FALSE; |
| 5227 ss->ssl3.hs.preliminaryInfo = 0; |
| 5053 PORT_Assert(IS_DTLS(ss) || !resending); | 5228 PORT_Assert(IS_DTLS(ss) || !resending); |
| 5054 | 5229 |
| 5055 SECITEM_FreeItem(&ss->ssl3.hs.newSessionTicket.ticket, PR_FALSE); | 5230 SECITEM_FreeItem(&ss->ssl3.hs.newSessionTicket.ticket, PR_FALSE); |
| 5056 ss->ssl3.hs.receivedNewSessionTicket = PR_FALSE; | 5231 ss->ssl3.hs.receivedNewSessionTicket = PR_FALSE; |
| 5057 | 5232 |
| 5058 /* We might be starting a session renegotiation in which case we should | 5233 /* We might be starting a session renegotiation in which case we should |
| 5059 * clear previous state. | 5234 * clear previous state. |
| 5060 */ | 5235 */ |
| 5061 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData)); | 5236 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData)); |
| 5062 | 5237 |
| (...skipping 355 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 5418 rv = ssl3_AppendHandshakeNumber(ss, TLS_FALLBACK_SCSV, | 5593 rv = ssl3_AppendHandshakeNumber(ss, TLS_FALLBACK_SCSV, |
| 5419 sizeof(ssl3CipherSuite)); | 5594 sizeof(ssl3CipherSuite)); |
| 5420 if (rv != SECSuccess) { | 5595 if (rv != SECSuccess) { |
| 5421 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); } | 5596 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); } |
| 5422 return rv; /* err set by ssl3_AppendHandshake* */ | 5597 return rv; /* err set by ssl3_AppendHandshake* */ |
| 5423 } | 5598 } |
| 5424 actual_count++; | 5599 actual_count++; |
| 5425 } | 5600 } |
| 5426 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { | 5601 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { |
| 5427 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; | 5602 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; |
| 5428 » if (config_match(suite, ss->ssl3.policy, PR_TRUE, &ss->vrange)) { | 5603 » if (config_match(suite, ss->ssl3.policy, PR_TRUE, &ss->vrange, ss)) { |
| 5429 actual_count++; | 5604 actual_count++; |
| 5430 if (actual_count > num_suites) { | 5605 if (actual_count > num_suites) { |
| 5431 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock);
} | 5606 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock);
} |
| 5432 /* set error card removal/insertion error */ | 5607 /* set error card removal/insertion error */ |
| 5433 PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL); | 5608 PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL); |
| 5434 return SECFailure; | 5609 return SECFailure; |
| 5435 } | 5610 } |
| 5436 rv = ssl3_AppendHandshakeNumber(ss, suite->cipher_suite, | 5611 rv = ssl3_AppendHandshakeNumber(ss, suite->cipher_suite, |
| 5437 sizeof(ssl3CipherSuite)); | 5612 sizeof(ssl3CipherSuite)); |
| 5438 if (rv != SECSuccess) { | 5613 if (rv != SECSuccess) { |
| (...skipping 637 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 6076 hexEncode(buf + 21, keyData->data, 48); | 6251 hexEncode(buf + 21, keyData->data, 48); |
| 6077 buf[sizeof(buf) - 1] = '\n'; | 6252 buf[sizeof(buf) - 1] = '\n'; |
| 6078 | 6253 |
| 6079 fwrite(buf, sizeof(buf), 1, ssl_keylog_iob); | 6254 fwrite(buf, sizeof(buf), 1, ssl_keylog_iob); |
| 6080 fflush(ssl_keylog_iob); | 6255 fflush(ssl_keylog_iob); |
| 6081 } | 6256 } |
| 6082 } | 6257 } |
| 6083 } | 6258 } |
| 6084 } | 6259 } |
| 6085 | 6260 |
| 6086 rv = ssl3_InitPendingCipherSpec(ss, pms); | |
| 6087 PK11_FreeSymKey(pms); pms = NULL; | |
| 6088 | |
| 6089 if (rv != SECSuccess) { | |
| 6090 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); | |
| 6091 goto loser; | |
| 6092 } | |
| 6093 | |
| 6094 rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange, | 6261 rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange, |
| 6095 isTLS ? enc_pms.len + 2 : enc_pms.len); | 6262 isTLS ? enc_pms.len + 2 : enc_pms.len); |
| 6096 if (rv != SECSuccess) { | 6263 if (rv != SECSuccess) { |
| 6097 goto loser; /* err set by ssl3_AppendHandshake* */ | 6264 goto loser; /* err set by ssl3_AppendHandshake* */ |
| 6098 } | 6265 } |
| 6099 if (isTLS) { | 6266 if (isTLS) { |
| 6100 rv = ssl3_AppendHandshakeVariable(ss, enc_pms.data, enc_pms.len, 2); | 6267 rv = ssl3_AppendHandshakeVariable(ss, enc_pms.data, enc_pms.len, 2); |
| 6101 } else { | 6268 } else { |
| 6102 rv = ssl3_AppendHandshake(ss, enc_pms.data, enc_pms.len); | 6269 rv = ssl3_AppendHandshake(ss, enc_pms.data, enc_pms.len); |
| 6103 } | 6270 } |
| 6104 if (rv != SECSuccess) { | 6271 if (rv != SECSuccess) { |
| 6105 goto loser; /* err set by ssl3_AppendHandshake* */ | 6272 goto loser; /* err set by ssl3_AppendHandshake* */ |
| 6106 } | 6273 } |
| 6107 | 6274 |
| 6275 rv = ssl3_InitPendingCipherSpec(ss, pms); |
| 6276 PK11_FreeSymKey(pms); |
| 6277 pms = NULL; |
| 6278 |
| 6279 if (rv != SECSuccess) { |
| 6280 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); |
| 6281 goto loser; |
| 6282 } |
| 6283 |
| 6108 rv = SECSuccess; | 6284 rv = SECSuccess; |
| 6109 | 6285 |
| 6110 loser: | 6286 loser: |
| 6111 if (enc_pms.data != NULL) { | 6287 if (enc_pms.data != NULL) { |
| 6112 PORT_Free(enc_pms.data); | 6288 PORT_Free(enc_pms.data); |
| 6113 } | 6289 } |
| 6114 if (pms != NULL) { | 6290 if (pms != NULL) { |
| 6115 PK11_FreeSymKey(pms); | 6291 PK11_FreeSymKey(pms); |
| 6116 } | 6292 } |
| 6117 return rv; | 6293 return rv; |
| (...skipping 49 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 6167 CKM_DH_PKCS_DERIVE, target, CKA_DERIVE, 0, NULL); | 6343 CKM_DH_PKCS_DERIVE, target, CKA_DERIVE, 0, NULL); |
| 6168 | 6344 |
| 6169 if (pms == NULL) { | 6345 if (pms == NULL) { |
| 6170 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); | 6346 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); |
| 6171 goto loser; | 6347 goto loser; |
| 6172 } | 6348 } |
| 6173 | 6349 |
| 6174 SECKEY_DestroyPrivateKey(privKey); | 6350 SECKEY_DestroyPrivateKey(privKey); |
| 6175 privKey = NULL; | 6351 privKey = NULL; |
| 6176 | 6352 |
| 6177 rv = ssl3_InitPendingCipherSpec(ss, pms); | |
| 6178 PK11_FreeSymKey(pms); pms = NULL; | |
| 6179 | |
| 6180 if (rv != SECSuccess) { | |
| 6181 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); | |
| 6182 goto loser; | |
| 6183 } | |
| 6184 | |
| 6185 rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange, | 6353 rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange, |
| 6186 pubKey->u.dh.publicValue.len + 2); | 6354 pubKey->u.dh.publicValue.len + 2); |
| 6187 if (rv != SECSuccess) { | 6355 if (rv != SECSuccess) { |
| 6188 goto loser; /* err set by ssl3_AppendHandshake* */ | 6356 goto loser; /* err set by ssl3_AppendHandshake* */ |
| 6189 } | 6357 } |
| 6190 rv = ssl3_AppendHandshakeVariable(ss, | 6358 rv = ssl3_AppendHandshakeVariable(ss, |
| 6191 pubKey->u.dh.publicValue.data, | 6359 pubKey->u.dh.publicValue.data, |
| 6192 pubKey->u.dh.publicValue.len, 2); | 6360 pubKey->u.dh.publicValue.len, 2); |
| 6193 SECKEY_DestroyPublicKey(pubKey); | 6361 SECKEY_DestroyPublicKey(pubKey); |
| 6194 pubKey = NULL; | 6362 pubKey = NULL; |
| 6195 | 6363 |
| 6196 if (rv != SECSuccess) { | 6364 if (rv != SECSuccess) { |
| 6197 goto loser; /* err set by ssl3_AppendHandshake* */ | 6365 goto loser; /* err set by ssl3_AppendHandshake* */ |
| 6198 } | 6366 } |
| 6199 | 6367 |
| 6368 rv = ssl3_InitPendingCipherSpec(ss, pms); |
| 6369 PK11_FreeSymKey(pms); |
| 6370 pms = NULL; |
| 6371 |
| 6372 if (rv != SECSuccess) { |
| 6373 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); |
| 6374 goto loser; |
| 6375 } |
| 6376 |
| 6200 rv = SECSuccess; | 6377 rv = SECSuccess; |
| 6201 | 6378 |
| 6202 | |
| 6203 loser: | 6379 loser: |
| 6204 | 6380 |
| 6205 if(pms) PK11_FreeSymKey(pms); | 6381 if(pms) PK11_FreeSymKey(pms); |
| 6206 if(privKey) SECKEY_DestroyPrivateKey(privKey); | 6382 if(privKey) SECKEY_DestroyPrivateKey(privKey); |
| 6207 if(pubKey) SECKEY_DestroyPublicKey(pubKey); | 6383 if(pubKey) SECKEY_DestroyPublicKey(pubKey); |
| 6208 return rv; | 6384 return rv; |
| 6209 } | 6385 } |
| 6210 | 6386 |
| 6211 | 6387 |
| 6212 | 6388 |
| (...skipping 20 matching lines...) Expand all Loading... |
| 6233 return SECFailure; | 6409 return SECFailure; |
| 6234 } | 6410 } |
| 6235 } else { | 6411 } else { |
| 6236 serverKey = ss->sec.peerKey; | 6412 serverKey = ss->sec.peerKey; |
| 6237 ss->sec.peerKey = NULL; /* we're done with it now */ | 6413 ss->sec.peerKey = NULL; /* we're done with it now */ |
| 6238 } | 6414 } |
| 6239 | 6415 |
| 6240 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); | 6416 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); |
| 6241 /* enforce limits on kea key sizes. */ | 6417 /* enforce limits on kea key sizes. */ |
| 6242 if (ss->ssl3.hs.kea_def->is_limited) { | 6418 if (ss->ssl3.hs.kea_def->is_limited) { |
| 6243 » int keyLen = SECKEY_PublicKeyStrength(serverKey);» /* bytes */ | 6419 unsigned int keyLen = SECKEY_PublicKeyStrengthInBits(serverKey); |
| 6244 | 6420 |
| 6245 » if (keyLen * BPB > ss->ssl3.hs.kea_def->key_size_limit) { | 6421 if (keyLen > ss->ssl3.hs.kea_def->key_size_limit) { |
| 6246 if (isTLS) | 6422 if (isTLS) |
| 6247 (void)SSL3_SendAlert(ss, alert_fatal, export_restriction); | 6423 (void)SSL3_SendAlert(ss, alert_fatal, export_restriction); |
| 6248 else | 6424 else |
| 6249 (void)ssl3_HandshakeFailure(ss); | 6425 (void)ssl3_HandshakeFailure(ss); |
| 6250 PORT_SetError(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED); | 6426 PORT_SetError(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED); |
| 6251 goto loser; | 6427 goto loser; |
| 6252 } | 6428 } |
| 6253 } | 6429 } |
| 6254 | 6430 |
| 6255 ss->sec.keaType = ss->ssl3.hs.kea_def->exchKeyType; | 6431 ss->sec.keaType = ss->ssl3.hs.kea_def->exchKeyType; |
| (...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 6290 static SECStatus | 6466 static SECStatus |
| 6291 ssl3_SendCertificateVerify(sslSocket *ss) | 6467 ssl3_SendCertificateVerify(sslSocket *ss) |
| 6292 { | 6468 { |
| 6293 SECStatus rv = SECFailure; | 6469 SECStatus rv = SECFailure; |
| 6294 PRBool isTLS; | 6470 PRBool isTLS; |
| 6295 PRBool isTLS12; | 6471 PRBool isTLS12; |
| 6296 SECItem buf = {siBuffer, NULL, 0}; | 6472 SECItem buf = {siBuffer, NULL, 0}; |
| 6297 SSL3Hashes hashes; | 6473 SSL3Hashes hashes; |
| 6298 KeyType keyType; | 6474 KeyType keyType; |
| 6299 unsigned int len; | 6475 unsigned int len; |
| 6300 SSL3SignatureAndHashAlgorithm sigAndHash; | 6476 SSLSignatureAndHashAlg sigAndHash; |
| 6301 | 6477 |
| 6302 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); | 6478 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
| 6303 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 6479 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| 6304 | 6480 |
| 6305 SSL_TRC(3, ("%d: SSL3[%d]: send certificate_verify handshake", | 6481 SSL_TRC(3, ("%d: SSL3[%d]: send certificate_verify handshake", |
| 6306 SSL_GETPID(), ss->fd)); | 6482 SSL_GETPID(), ss->fd)); |
| 6307 | 6483 |
| 6308 ssl_GetSpecReadLock(ss); | 6484 ssl_GetSpecReadLock(ss); |
| 6309 if (ss->ssl3.hs.hashType == handshake_hash_single && | 6485 if (ss->ssl3.hs.hashType == handshake_hash_single && |
| 6310 ss->ssl3.hs.backupHash) { | 6486 ss->ssl3.hs.backupHash) { |
| (...skipping 44 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 6355 } | 6531 } |
| 6356 | 6532 |
| 6357 len = buf.len + 2 + (isTLS12 ? 2 : 0); | 6533 len = buf.len + 2 + (isTLS12 ? 2 : 0); |
| 6358 | 6534 |
| 6359 rv = ssl3_AppendHandshakeHeader(ss, certificate_verify, len); | 6535 rv = ssl3_AppendHandshakeHeader(ss, certificate_verify, len); |
| 6360 if (rv != SECSuccess) { | 6536 if (rv != SECSuccess) { |
| 6361 goto done; /* error code set by AppendHandshake */ | 6537 goto done; /* error code set by AppendHandshake */ |
| 6362 } | 6538 } |
| 6363 if (isTLS12) { | 6539 if (isTLS12) { |
| 6364 rv = ssl3_TLSSignatureAlgorithmForKeyType(keyType, | 6540 rv = ssl3_TLSSignatureAlgorithmForKeyType(keyType, |
| 6365 » » » » » » &sigAndHash.sigAlg); | 6541 &sigAndHash.sigAlg); |
| 6366 if (rv != SECSuccess) { | 6542 if (rv != SECSuccess) { |
| 6367 goto done; | 6543 goto done; |
| 6368 } | 6544 } |
| 6369 » sigAndHash.hashAlg = hashes.hashAlg; | 6545 sigAndHash.hashAlg = hashes.hashAlg; |
| 6370 | 6546 |
| 6371 rv = ssl3_AppendSignatureAndHashAlgorithm(ss, &sigAndHash); | 6547 rv = ssl3_AppendSignatureAndHashAlgorithm(ss, &sigAndHash); |
| 6372 if (rv != SECSuccess) { | 6548 if (rv != SECSuccess) { |
| 6373 goto done; /* err set by AppendHandshake. */ | 6549 goto done; /* err set by AppendHandshake. */ |
| 6374 } | 6550 } |
| 6375 } | 6551 } |
| 6376 rv = ssl3_AppendHandshakeVariable(ss, buf.data, buf.len, 2); | 6552 rv = ssl3_AppendHandshakeVariable(ss, buf.data, buf.len, 2); |
| 6377 if (rv != SECSuccess) { | 6553 if (rv != SECSuccess) { |
| 6378 goto done; /* error code set by AppendHandshake */ | 6554 goto done; /* error code set by AppendHandshake */ |
| 6379 } | 6555 } |
| (...skipping 87 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 6467 } | 6643 } |
| 6468 } | 6644 } |
| 6469 | 6645 |
| 6470 rv = ssl3_NegotiateVersion(ss, version, PR_FALSE); | 6646 rv = ssl3_NegotiateVersion(ss, version, PR_FALSE); |
| 6471 if (rv != SECSuccess) { | 6647 if (rv != SECSuccess) { |
| 6472 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version | 6648 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version |
| 6473 : handshake_failure; | 6649 : handshake_failure; |
| 6474 errCode = SSL_ERROR_UNSUPPORTED_VERSION; | 6650 errCode = SSL_ERROR_UNSUPPORTED_VERSION; |
| 6475 goto alert_loser; | 6651 goto alert_loser; |
| 6476 } | 6652 } |
| 6653 ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_version; |
| 6477 isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0); | 6654 isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0); |
| 6478 | 6655 |
| 6479 rv = ssl3_InitHandshakeHashes(ss); | 6656 rv = ssl3_InitHandshakeHashes(ss); |
| 6480 if (rv != SECSuccess) { | 6657 if (rv != SECSuccess) { |
| 6481 desc = internal_error; | 6658 desc = internal_error; |
| 6482 errCode = PORT_GetError(); | 6659 errCode = PORT_GetError(); |
| 6483 goto alert_loser; | 6660 goto alert_loser; |
| 6484 } | 6661 } |
| 6485 | 6662 |
| 6486 rv = ssl3_ConsumeHandshake( | 6663 rv = ssl3_ConsumeHandshake( |
| (...skipping 15 matching lines...) Expand all Loading... |
| 6502 /* find selected cipher suite in our list. */ | 6679 /* find selected cipher suite in our list. */ |
| 6503 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); | 6680 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); |
| 6504 if (temp < 0) { | 6681 if (temp < 0) { |
| 6505 goto loser; /* alert has been sent */ | 6682 goto loser; /* alert has been sent */ |
| 6506 } | 6683 } |
| 6507 ssl3_config_match_init(ss); | 6684 ssl3_config_match_init(ss); |
| 6508 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { | 6685 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { |
| 6509 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; | 6686 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; |
| 6510 if (temp == suite->cipher_suite) { | 6687 if (temp == suite->cipher_suite) { |
| 6511 SSLVersionRange vrange = {ss->version, ss->version}; | 6688 SSLVersionRange vrange = {ss->version, ss->version}; |
| 6512 » if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) { | 6689 » if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange, ss)) { |
| 6513 /* config_match already checks whether the cipher suite is | 6690 /* config_match already checks whether the cipher suite is |
| 6514 * acceptable for the version, but the check is repeated here | 6691 * acceptable for the version, but the check is repeated here |
| 6515 * in order to give a more precise error code. */ | 6692 * in order to give a more precise error code. */ |
| 6516 if (!ssl3_CipherSuiteAllowedForVersionRange(temp, &vrange)) { | 6693 if (!ssl3_CipherSuiteAllowedForVersionRange(temp, &vrange)) { |
| 6517 desc = handshake_failure; | 6694 desc = handshake_failure; |
| 6518 errCode = SSL_ERROR_CIPHER_DISALLOWED_FOR_VERSION; | 6695 errCode = SSL_ERROR_CIPHER_DISALLOWED_FOR_VERSION; |
| 6519 goto alert_loser; | 6696 goto alert_loser; |
| 6520 } | 6697 } |
| 6521 | 6698 |
| 6522 break; /* failure */ | 6699 break; /* failure */ |
| 6523 } | 6700 } |
| 6524 | 6701 |
| 6525 suite_found = PR_TRUE; | 6702 suite_found = PR_TRUE; |
| 6526 break; /* success */ | 6703 break; /* success */ |
| 6527 } | 6704 } |
| 6528 } | 6705 } |
| 6529 if (!suite_found) { | 6706 if (!suite_found) { |
| 6530 desc = handshake_failure; | 6707 desc = handshake_failure; |
| 6531 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; | 6708 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; |
| 6532 goto alert_loser; | 6709 goto alert_loser; |
| 6533 } | 6710 } |
| 6534 ss->ssl3.hs.cipher_suite = (ssl3CipherSuite)temp; | 6711 ss->ssl3.hs.cipher_suite = (ssl3CipherSuite)temp; |
| 6535 ss->ssl3.hs.suite_def = ssl_LookupCipherSuiteDef((ssl3CipherSuite)temp); | 6712 ss->ssl3.hs.suite_def = ssl_LookupCipherSuiteDef((ssl3CipherSuite)temp); |
| 6713 ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_cipher_suite; |
| 6536 PORT_Assert(ss->ssl3.hs.suite_def); | 6714 PORT_Assert(ss->ssl3.hs.suite_def); |
| 6537 if (!ss->ssl3.hs.suite_def) { | 6715 if (!ss->ssl3.hs.suite_def) { |
| 6538 PORT_SetError(errCode = SEC_ERROR_LIBRARY_FAILURE); | 6716 PORT_SetError(errCode = SEC_ERROR_LIBRARY_FAILURE); |
| 6539 goto loser; /* we don't send alerts for our screw-ups. */ | 6717 goto loser; /* we don't send alerts for our screw-ups. */ |
| 6540 } | 6718 } |
| 6541 | 6719 |
| 6542 /* find selected compression method in our list. */ | 6720 /* find selected compression method in our list. */ |
| 6543 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &b, &length); | 6721 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &b, &length); |
| 6544 if (temp < 0) { | 6722 if (temp < 0) { |
| 6545 goto loser; /* alert has been sent */ | 6723 goto loser; /* alert has been sent */ |
| (...skipping 66 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 6612 sidBytes.len == sid->u.ssl3.sessionIDLength && | 6790 sidBytes.len == sid->u.ssl3.sessionIDLength && |
| 6613 !PORT_Memcmp(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len)); | 6791 !PORT_Memcmp(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len)); |
| 6614 | 6792 |
| 6615 if (sid_match && | 6793 if (sid_match && |
| 6616 sid->version == ss->version && | 6794 sid->version == ss->version && |
| 6617 sid->u.ssl3.cipherSuite == ss->ssl3.hs.cipher_suite) do { | 6795 sid->u.ssl3.cipherSuite == ss->ssl3.hs.cipher_suite) do { |
| 6618 ssl3CipherSpec *pwSpec = ss->ssl3.pwSpec; | 6796 ssl3CipherSpec *pwSpec = ss->ssl3.pwSpec; |
| 6619 | 6797 |
| 6620 SECItem wrappedMS; /* wrapped master secret. */ | 6798 SECItem wrappedMS; /* wrapped master secret. */ |
| 6621 | 6799 |
| 6800 /* [draft-ietf-tls-session-hash-06; Section 5.3] |
| 6801 * |
| 6802 * o If the original session did not use the "extended_master_secret" |
| 6803 * extension but the new ServerHello contains the extension, the |
| 6804 * client MUST abort the handshake. |
| 6805 */ |
| 6806 if (!sid->u.ssl3.keys.extendedMasterSecretUsed && |
| 6807 ssl3_ExtensionNegotiated(ss, ssl_extended_master_secret_xtn)) { |
| 6808 errCode = SSL_ERROR_UNEXPECTED_EXTENDED_MASTER_SECRET; |
| 6809 goto alert_loser; |
| 6810 } |
| 6811 |
| 6812 /* |
| 6813 * o If the original session used an extended master secret but the n
ew |
| 6814 * ServerHello does not contain the "extended_master_secret" |
| 6815 * extension, the client SHOULD abort the handshake. |
| 6816 * |
| 6817 * TODO(ekr@rtfm.com): Add option to refuse to resume when EMS is not |
| 6818 * used at all (bug 1176526). |
| 6819 */ |
| 6820 if (sid->u.ssl3.keys.extendedMasterSecretUsed && |
| 6821 !ssl3_ExtensionNegotiated(ss, ssl_extended_master_secret_xtn)) { |
| 6822 errCode = SSL_ERROR_MISSING_EXTENDED_MASTER_SECRET; |
| 6823 goto alert_loser; |
| 6824 } |
| 6825 |
| 6622 ss->sec.authAlgorithm = sid->authAlgorithm; | 6826 ss->sec.authAlgorithm = sid->authAlgorithm; |
| 6623 ss->sec.authKeyBits = sid->authKeyBits; | 6827 ss->sec.authKeyBits = sid->authKeyBits; |
| 6624 ss->sec.keaType = sid->keaType; | 6828 ss->sec.keaType = sid->keaType; |
| 6625 ss->sec.keaKeyBits = sid->keaKeyBits; | 6829 ss->sec.keaKeyBits = sid->keaKeyBits; |
| 6626 | 6830 |
| 6627 /* 3 cases here: | 6831 /* 3 cases here: |
| 6628 * a) key is wrapped (implies using PKCS11) | 6832 * a) key is wrapped (implies using PKCS11) |
| 6629 * b) key is unwrapped, but we're still using PKCS11 | 6833 * b) key is unwrapped, but we're still using PKCS11 |
| 6630 * c) key is unwrapped, and we're bypassing PKCS11. | 6834 * c) key is unwrapped, and we're bypassing PKCS11. |
| 6631 */ | 6835 */ |
| (...skipping 82 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 6714 ss->ssl3.hs.ws = wait_change_cipher; | 6918 ss->ssl3.hs.ws = wait_change_cipher; |
| 6715 | 6919 |
| 6716 ss->ssl3.hs.isResuming = PR_TRUE; | 6920 ss->ssl3.hs.isResuming = PR_TRUE; |
| 6717 | 6921 |
| 6718 /* copy the peer cert from the SID */ | 6922 /* copy the peer cert from the SID */ |
| 6719 if (sid->peerCert != NULL) { | 6923 if (sid->peerCert != NULL) { |
| 6720 ss->sec.peerCert = CERT_DupCertificate(sid->peerCert); | 6924 ss->sec.peerCert = CERT_DupCertificate(sid->peerCert); |
| 6721 ssl3_CopyPeerCertsFromSID(ss, sid); | 6925 ssl3_CopyPeerCertsFromSID(ss, sid); |
| 6722 } | 6926 } |
| 6723 | 6927 |
| 6724 » /* NULL value for PMS signifies re-use of the old MS */ | 6928 » /* NULL value for PMS because we are reusing the old MS */ |
| 6725 rv = ssl3_InitPendingCipherSpec(ss, NULL); | 6929 rv = ssl3_InitPendingCipherSpec(ss, NULL); |
| 6726 if (rv != SECSuccess) { | 6930 if (rv != SECSuccess) { |
| 6727 goto alert_loser; /* err code was set */ | 6931 goto alert_loser; /* err code was set */ |
| 6728 } | 6932 } |
| 6729 goto winner; | 6933 goto winner; |
| 6730 } while (0); | 6934 } while (0); |
| 6731 | 6935 |
| 6732 if (sid_match) | 6936 if (sid_match) |
| 6733 SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_not_ok ); | 6937 SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_not_ok ); |
| 6734 else | 6938 else |
| 6735 SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_misses ); | 6939 SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_misses ); |
| 6736 | 6940 |
| 6737 /* throw the old one away */ | 6941 /* throw the old one away */ |
| 6738 sid->u.ssl3.keys.resumable = PR_FALSE; | 6942 sid->u.ssl3.keys.resumable = PR_FALSE; |
| 6739 if (ss->sec.uncache) | 6943 if (ss->sec.uncache) |
| 6740 (*ss->sec.uncache)(sid); | 6944 (*ss->sec.uncache)(sid); |
| 6741 ssl_FreeSID(sid); | 6945 ssl_FreeSID(sid); |
| 6742 | 6946 |
| 6743 /* get a new sid */ | 6947 /* get a new sid */ |
| 6744 ss->sec.ci.sid = sid = ssl3_NewSessionID(ss, PR_FALSE); | 6948 ss->sec.ci.sid = sid = ssl3_NewSessionID(ss, PR_FALSE); |
| 6745 if (sid == NULL) { | 6949 if (sid == NULL) { |
| 6746 goto alert_loser; /* memory error is set. */ | 6950 goto alert_loser; /* memory error is set. */ |
| 6747 } | 6951 } |
| 6748 | 6952 |
| 6749 sid->version = ss->version; | 6953 sid->version = ss->version; |
| 6750 sid->u.ssl3.sessionIDLength = sidBytes.len; | 6954 sid->u.ssl3.sessionIDLength = sidBytes.len; |
| 6751 PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len); | 6955 PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len); |
| 6752 | 6956 |
| 6957 sid->u.ssl3.keys.extendedMasterSecretUsed = |
| 6958 ssl3_ExtensionNegotiated(ss, ssl_extended_master_secret_xtn); |
| 6959 |
| 6753 /* Copy Signed Certificate Timestamps, if any. */ | 6960 /* Copy Signed Certificate Timestamps, if any. */ |
| 6754 if (ss->xtnData.signedCertTimestamps.data) { | 6961 if (ss->xtnData.signedCertTimestamps.data) { |
| 6755 rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.signedCertTimestamps, | 6962 rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.signedCertTimestamps, |
| 6756 &ss->xtnData.signedCertTimestamps); | 6963 &ss->xtnData.signedCertTimestamps); |
| 6757 if (rv != SECSuccess) | 6964 if (rv != SECSuccess) |
| 6758 goto loser; | 6965 goto loser; |
| 6759 } | 6966 } |
| 6760 | 6967 |
| 6761 ss->ssl3.hs.isResuming = PR_FALSE; | 6968 ss->ssl3.hs.isResuming = PR_FALSE; |
| 6762 if (ss->ssl3.hs.kea_def->signKeyType != sign_null) { | 6969 if (ss->ssl3.hs.kea_def->signKeyType != sign_null) { |
| 6763 /* All current cipher suites other than those with sign_null (i.e., | 6970 /* All current cipher suites other than those with sign_null (i.e., |
| 6764 * DH_anon_* suites) require a certificate, so use that signal. */ | 6971 * (EC)DH_anon_* suites) require a certificate, so use that signal. */ |
| 6765 ss->ssl3.hs.ws = wait_server_cert; | 6972 ss->ssl3.hs.ws = wait_server_cert; |
| 6766 } else if (ss->ssl3.hs.kea_def->ephemeral) { | 6973 } else { |
| 6767 /* Only ephemeral cipher suites use ServerKeyExchange. */ | 6974 /* All the remaining cipher suites must be (EC)DH_anon_* and so |
| 6975 * must be ephemeral. Note, if we ever add PSK this might |
| 6976 * change. */ |
| 6977 PORT_Assert(ss->ssl3.hs.kea_def->ephemeral); |
| 6768 ss->ssl3.hs.ws = wait_server_key; | 6978 ss->ssl3.hs.ws = wait_server_key; |
| 6769 } else { | |
| 6770 ss->ssl3.hs.ws = wait_cert_request; | |
| 6771 } | 6979 } |
| 6772 | 6980 |
| 6773 winner: | 6981 winner: |
| 6774 /* Clean up the temporary pointer to the handshake buffer. */ | 6982 /* Clean up the temporary pointer to the handshake buffer. */ |
| 6775 ss->xtnData.signedCertTimestamps.data = NULL; | 6983 ss->xtnData.signedCertTimestamps.data = NULL; |
| 6776 ss->xtnData.signedCertTimestamps.len = 0; | 6984 ss->xtnData.signedCertTimestamps.len = 0; |
| 6777 | 6985 |
| 6778 /* If we will need a ChannelID key then we make the callback now. This | 6986 /* If we will need a ChannelID key then we make the callback now. This |
| 6779 * allows the handshake to be restarted cleanly if the callback returns | 6987 * allows the handshake to be restarted cleanly if the callback returns |
| 6780 * SECWouldBlock. */ | 6988 * SECWouldBlock. */ |
| (...skipping 19 matching lines...) Expand all Loading... |
| 6800 (void)SSL3_SendAlert(ss, alert_fatal, desc); | 7008 (void)SSL3_SendAlert(ss, alert_fatal, desc); |
| 6801 | 7009 |
| 6802 loser: | 7010 loser: |
| 6803 /* Clean up the temporary pointer to the handshake buffer. */ | 7011 /* Clean up the temporary pointer to the handshake buffer. */ |
| 6804 ss->xtnData.signedCertTimestamps.data = NULL; | 7012 ss->xtnData.signedCertTimestamps.data = NULL; |
| 6805 ss->xtnData.signedCertTimestamps.len = 0; | 7013 ss->xtnData.signedCertTimestamps.len = 0; |
| 6806 errCode = ssl_MapLowLevelError(errCode); | 7014 errCode = ssl_MapLowLevelError(errCode); |
| 6807 return SECFailure; | 7015 return SECFailure; |
| 6808 } | 7016 } |
| 6809 | 7017 |
| 6810 /* ssl3_BigIntGreaterThanOne returns true iff |mpint|, taken as an unsigned, | |
| 6811 * big-endian integer is > 1 */ | |
| 6812 static PRBool | |
| 6813 ssl3_BigIntGreaterThanOne(const SECItem* mpint) { | |
| 6814 unsigned char firstNonZeroByte = 0; | |
| 6815 unsigned int i; | |
| 6816 | |
| 6817 for (i = 0; i < mpint->len; i++) { | |
| 6818 if (mpint->data[i]) { | |
| 6819 firstNonZeroByte = mpint->data[i]; | |
| 6820 break; | |
| 6821 } | |
| 6822 } | |
| 6823 | |
| 6824 if (firstNonZeroByte == 0) | |
| 6825 return PR_FALSE; | |
| 6826 if (firstNonZeroByte > 1) | |
| 6827 return PR_TRUE; | |
| 6828 | |
| 6829 /* firstNonZeroByte == 1, therefore mpint > 1 iff the first non-zero byte | |
| 6830 * is followed by another byte. */ | |
| 6831 return (i < mpint->len - 1); | |
| 6832 } | |
| 6833 | 7018 |
| 6834 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete | 7019 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete |
| 6835 * ssl3 ServerKeyExchange message. | 7020 * ssl3 ServerKeyExchange message. |
| 6836 * Caller must hold Handshake and RecvBuf locks. | 7021 * Caller must hold Handshake and RecvBuf locks. |
| 6837 */ | 7022 */ |
| 6838 static SECStatus | 7023 static SECStatus |
| 6839 ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length) | 7024 ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
| 6840 { | 7025 { |
| 6841 PLArenaPool * arena = NULL; | 7026 PLArenaPool * arena = NULL; |
| 6842 SECKEYPublicKey *peerKey = NULL; | 7027 SECKEYPublicKey *peerKey = NULL; |
| 6843 PRBool isTLS, isTLS12; | 7028 PRBool isTLS, isTLS12; |
| 6844 SECStatus rv; | 7029 SECStatus rv; |
| 6845 int errCode = SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH; | 7030 int errCode = SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH; |
| 6846 SSL3AlertDescription desc = illegal_parameter; | 7031 SSL3AlertDescription desc = illegal_parameter; |
| 6847 SSL3Hashes hashes; | 7032 SSL3Hashes hashes; |
| 6848 SECItem signature = {siBuffer, NULL, 0}; | 7033 SECItem signature = {siBuffer, NULL, 0}; |
| 6849 SSL3SignatureAndHashAlgorithm sigAndHash; | 7034 SSLSignatureAndHashAlg sigAndHash; |
| 6850 | 7035 |
| 6851 sigAndHash.hashAlg = SEC_OID_UNKNOWN; | 7036 sigAndHash.hashAlg = ssl_hash_none; |
| 6852 | 7037 |
| 6853 SSL_TRC(3, ("%d: SSL3[%d]: handle server_key_exchange handshake", | 7038 SSL_TRC(3, ("%d: SSL3[%d]: handle server_key_exchange handshake", |
| 6854 SSL_GETPID(), ss->fd)); | 7039 SSL_GETPID(), ss->fd)); |
| 6855 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 7040 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
| 6856 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 7041 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
| 6857 | 7042 |
| 6858 if (ss->ssl3.hs.ws != wait_server_key) { | 7043 if (ss->ssl3.hs.ws != wait_server_key) { |
| 6859 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH; | 7044 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH; |
| 6860 desc = unexpected_message; | 7045 desc = unexpected_message; |
| 6861 goto alert_loser; | 7046 goto alert_loser; |
| 6862 } | 7047 } |
| 6863 | 7048 |
| 6864 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); | 7049 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); |
| 6865 isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); | 7050 isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); |
| 6866 | 7051 |
| 6867 switch (ss->ssl3.hs.kea_def->exchKeyType) { | 7052 switch (ss->ssl3.hs.kea_def->exchKeyType) { |
| 6868 | 7053 |
| 6869 case kt_rsa: { | 7054 case kt_rsa: { |
| 6870 SECItem modulus = {siBuffer, NULL, 0}; | 7055 SECItem modulus = {siBuffer, NULL, 0}; |
| 6871 SECItem exponent = {siBuffer, NULL, 0}; | 7056 SECItem exponent = {siBuffer, NULL, 0}; |
| 6872 | 7057 |
| 6873 rv = ssl3_ConsumeHandshakeVariable(ss, &modulus, 2, &b, &length); | 7058 rv = ssl3_ConsumeHandshakeVariable(ss, &modulus, 2, &b, &length); |
| 6874 if (rv != SECSuccess) { | 7059 if (rv != SECSuccess) { |
| 6875 goto loser; /* malformed. */ | 7060 goto loser; /* malformed. */ |
| 6876 } | 7061 } |
| 7062 /* This exchange method is only used by export cipher suites. |
| 7063 * Those are broken and so this code will eventually be removed. */ |
| 7064 if (SECKEY_BigIntegerBitLength(&modulus) < 512) { |
| 7065 desc = isTLS ? insufficient_security : illegal_parameter; |
| 7066 goto alert_loser; |
| 7067 } |
| 6877 rv = ssl3_ConsumeHandshakeVariable(ss, &exponent, 2, &b, &length); | 7068 rv = ssl3_ConsumeHandshakeVariable(ss, &exponent, 2, &b, &length); |
| 6878 if (rv != SECSuccess) { | 7069 if (rv != SECSuccess) { |
| 6879 goto loser; /* malformed. */ | 7070 goto loser; /* malformed. */ |
| 6880 } | 7071 } |
| 6881 if (isTLS12) { | 7072 if (isTLS12) { |
| 6882 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length, | 7073 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length, |
| 6883 &sigAndHash); | 7074 &sigAndHash); |
| 6884 if (rv != SECSuccess) { | 7075 if (rv != SECSuccess) { |
| 6885 goto loser; /* malformed or unsupported. */ | 7076 goto loser; /* malformed or unsupported. */ |
| 6886 } | 7077 } |
| 6887 » rv = ssl3_CheckSignatureAndHashAlgorithmConsistency( | 7078 » rv = ssl3_CheckSignatureAndHashAlgorithmConsistency(ss, |
| 6888 &sigAndHash, ss->sec.peerCert); | 7079 &sigAndHash, ss->sec.peerCert); |
| 6889 if (rv != SECSuccess) { | 7080 if (rv != SECSuccess) { |
| 6890 goto loser; | 7081 goto loser; |
| 6891 } | 7082 } |
| 6892 } | 7083 } |
| 6893 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length); | 7084 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length); |
| 6894 if (rv != SECSuccess) { | 7085 if (rv != SECSuccess) { |
| 6895 goto loser; /* malformed. */ | 7086 goto loser; /* malformed. */ |
| 6896 } | 7087 } |
| 6897 if (length != 0) { | 7088 if (length != 0) { |
| 6898 if (isTLS) | 7089 if (isTLS) |
| 6899 desc = decode_error; | 7090 desc = decode_error; |
| 6900 goto alert_loser; /* malformed. */ | 7091 goto alert_loser; /* malformed. */ |
| 6901 } | 7092 } |
| 6902 | 7093 |
| 6903 /* failures after this point are not malformed handshakes. */ | 7094 /* failures after this point are not malformed handshakes. */ |
| 6904 /* TLS: send decrypt_error if signature failed. */ | 7095 /* TLS: send decrypt_error if signature failed. */ |
| 6905 desc = isTLS ? decrypt_error : handshake_failure; | 7096 desc = isTLS ? decrypt_error : handshake_failure; |
| 6906 | 7097 |
| 6907 /* | 7098 /* |
| 6908 * check to make sure the hash is signed by right guy | 7099 * check to make sure the hash is signed by right guy |
| 6909 */ | 7100 */ |
| 6910 » rv = ssl3_ComputeExportRSAKeyHash(sigAndHash.hashAlg, modulus, exponent, | 7101 rv = ssl3_ComputeExportRSAKeyHash(sigAndHash.hashAlg, modulus, exponent, |
| 6911 » » » » » &ss->ssl3.hs.client_random, | 7102 &ss->ssl3.hs.client_random, |
| 6912 » » » » » &ss->ssl3.hs.server_random, | 7103 &ss->ssl3.hs.server_random, |
| 6913 » » » » » &hashes, ss->opt.bypassPKCS11); | 7104 &hashes, ss->opt.bypassPKCS11); |
| 6914 if (rv != SECSuccess) { | 7105 if (rv != SECSuccess) { |
| 6915 errCode = | 7106 errCode = |
| 6916 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); | 7107 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); |
| 6917 goto alert_loser; | 7108 goto alert_loser; |
| 6918 } | 7109 } |
| 6919 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature, | 7110 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature, |
| 6920 isTLS, ss->pkcs11PinArg); | 7111 isTLS, ss->pkcs11PinArg); |
| 6921 if (rv != SECSuccess) { | 7112 if (rv != SECSuccess) { |
| 6922 errCode = | 7113 errCode = |
| 6923 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); | 7114 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); |
| 6924 goto alert_loser; | 7115 goto alert_loser; |
| 6925 } | 7116 } |
| 6926 | 7117 |
| 6927 /* | 7118 /* |
| 6928 * we really need to build a new key here because we can no longer | 7119 * we really need to build a new key here because we can no longer |
| 6929 * ignore calling SECKEY_DestroyPublicKey. Using the key may allocate | 7120 * ignore calling SECKEY_DestroyPublicKey. Using the key may allocate |
| 6930 * pkcs11 slots and ID's. | 7121 * pkcs11 slots and ID's. |
| 6931 */ | 7122 */ |
| 6932 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | 7123 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); |
| 6933 if (arena == NULL) { | 7124 if (arena == NULL) { |
| 6934 goto no_memory; | 7125 goto no_memory; |
| 6935 } | 7126 } |
| 6936 | 7127 |
| 6937 peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey); | 7128 peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey); |
| 6938 if (peerKey == NULL) { | 7129 if (peerKey == NULL) { |
| 6939 PORT_FreeArena(arena, PR_FALSE); | |
| 6940 goto no_memory; | 7130 goto no_memory; |
| 6941 } | 7131 } |
| 6942 | 7132 |
| 6943 peerKey->arena = arena; | 7133 peerKey->arena = arena; |
| 6944 peerKey->keyType = rsaKey; | 7134 peerKey->keyType = rsaKey; |
| 6945 peerKey->pkcs11Slot = NULL; | 7135 peerKey->pkcs11Slot = NULL; |
| 6946 peerKey->pkcs11ID = CK_INVALID_HANDLE; | 7136 peerKey->pkcs11ID = CK_INVALID_HANDLE; |
| 6947 if (SECITEM_CopyItem(arena, &peerKey->u.rsa.modulus, &modulus) || | 7137 if (SECITEM_CopyItem(arena, &peerKey->u.rsa.modulus, &modulus) || |
| 6948 SECITEM_CopyItem(arena, &peerKey->u.rsa.publicExponent, &exponent)) | 7138 SECITEM_CopyItem(arena, &peerKey->u.rsa.publicExponent, &exponent)) |
| 6949 { | 7139 { |
| 6950 PORT_FreeArena(arena, PR_FALSE); | |
| 6951 goto no_memory; | 7140 goto no_memory; |
| 6952 } | 7141 } |
| 6953 ss->sec.peerKey = peerKey; | 7142 ss->sec.peerKey = peerKey; |
| 6954 ss->ssl3.hs.ws = wait_cert_request; | 7143 ss->ssl3.hs.ws = wait_cert_request; |
| 6955 return SECSuccess; | 7144 return SECSuccess; |
| 6956 } | 7145 } |
| 6957 | 7146 |
| 6958 case kt_dh: { | 7147 case kt_dh: { |
| 6959 SECItem dh_p = {siBuffer, NULL, 0}; | 7148 SECItem dh_p = {siBuffer, NULL, 0}; |
| 6960 SECItem dh_g = {siBuffer, NULL, 0}; | 7149 SECItem dh_g = {siBuffer, NULL, 0}; |
| 6961 SECItem dh_Ys = {siBuffer, NULL, 0}; | 7150 SECItem dh_Ys = {siBuffer, NULL, 0}; |
| 7151 unsigned dh_p_bits; |
| 7152 unsigned dh_g_bits; |
| 7153 unsigned dh_Ys_bits; |
| 7154 PRInt32 minDH; |
| 6962 | 7155 |
| 6963 rv = ssl3_ConsumeHandshakeVariable(ss, &dh_p, 2, &b, &length); | 7156 rv = ssl3_ConsumeHandshakeVariable(ss, &dh_p, 2, &b, &length); |
| 6964 if (rv != SECSuccess) { | 7157 if (rv != SECSuccess) { |
| 6965 goto loser; /* malformed. */ | 7158 goto loser; /* malformed. */ |
| 6966 } | 7159 } |
| 6967 » if (dh_p.len < 1024/8 || | 7160 |
| 6968 » (dh_p.len == 1024/8 && (dh_p.data[0] & 0x80) == 0)) { | 7161 » rv = NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minDH); |
| 7162 » if (rv != SECSuccess) { |
| 7163 minDH = SSL_DH_MIN_P_BITS; |
| 7164 » } |
| 7165 dh_p_bits = SECKEY_BigIntegerBitLength(&dh_p); |
| 7166 if (dh_p_bits < minDH) { |
| 6969 errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY; | 7167 errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY; |
| 6970 goto alert_loser; | 7168 goto alert_loser; |
| 6971 } | 7169 } |
| 6972 rv = ssl3_ConsumeHandshakeVariable(ss, &dh_g, 2, &b, &length); | 7170 rv = ssl3_ConsumeHandshakeVariable(ss, &dh_g, 2, &b, &length); |
| 6973 if (rv != SECSuccess) { | 7171 if (rv != SECSuccess) { |
| 6974 goto loser; /* malformed. */ | 7172 goto loser; /* malformed. */ |
| 6975 } | 7173 } |
| 6976 » if (dh_g.len > dh_p.len || !ssl3_BigIntGreaterThanOne(&dh_g)) | 7174 /* Abort if dh_g is 0, 1, or obviously too big. */ |
| 7175 dh_g_bits = SECKEY_BigIntegerBitLength(&dh_g); |
| 7176 if (dh_g_bits > dh_p_bits || dh_g_bits <= 1) |
| 6977 goto alert_loser; | 7177 goto alert_loser; |
| 6978 rv = ssl3_ConsumeHandshakeVariable(ss, &dh_Ys, 2, &b, &length); | 7178 rv = ssl3_ConsumeHandshakeVariable(ss, &dh_Ys, 2, &b, &length); |
| 6979 if (rv != SECSuccess) { | 7179 if (rv != SECSuccess) { |
| 6980 goto loser; /* malformed. */ | 7180 goto loser; /* malformed. */ |
| 6981 } | 7181 } |
| 6982 » if (dh_Ys.len > dh_p.len || !ssl3_BigIntGreaterThanOne(&dh_Ys)) | 7182 dh_Ys_bits = SECKEY_BigIntegerBitLength(&dh_Ys); |
| 7183 if (dh_Ys_bits > dh_p_bits || dh_Ys_bits <= 1) |
| 6983 goto alert_loser; | 7184 goto alert_loser; |
| 6984 if (isTLS12) { | 7185 if (isTLS12) { |
| 6985 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length, | 7186 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length, |
| 6986 &sigAndHash); | 7187 &sigAndHash); |
| 6987 if (rv != SECSuccess) { | 7188 if (rv != SECSuccess) { |
| 6988 goto loser; /* malformed or unsupported. */ | 7189 goto loser; /* malformed or unsupported. */ |
| 6989 } | 7190 } |
| 6990 » rv = ssl3_CheckSignatureAndHashAlgorithmConsistency( | 7191 » rv = ssl3_CheckSignatureAndHashAlgorithmConsistency(ss, |
| 6991 &sigAndHash, ss->sec.peerCert); | 7192 &sigAndHash, ss->sec.peerCert); |
| 6992 if (rv != SECSuccess) { | 7193 if (rv != SECSuccess) { |
| 6993 goto loser; | 7194 goto loser; |
| 6994 } | 7195 } |
| 6995 } | 7196 } |
| 6996 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length); | 7197 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length); |
| 6997 if (rv != SECSuccess) { | 7198 if (rv != SECSuccess) { |
| 6998 goto loser; /* malformed. */ | 7199 goto loser; /* malformed. */ |
| 6999 } | 7200 } |
| 7000 if (length != 0) { | 7201 if (length != 0) { |
| 7001 if (isTLS) | 7202 if (isTLS) |
| 7002 desc = decode_error; | 7203 desc = decode_error; |
| 7003 goto alert_loser; /* malformed. */ | 7204 goto alert_loser; /* malformed. */ |
| 7004 } | 7205 } |
| 7005 | 7206 |
| 7006 PRINT_BUF(60, (NULL, "Server DH p", dh_p.data, dh_p.len)); | 7207 PRINT_BUF(60, (NULL, "Server DH p", dh_p.data, dh_p.len)); |
| 7007 PRINT_BUF(60, (NULL, "Server DH g", dh_g.data, dh_g.len)); | 7208 PRINT_BUF(60, (NULL, "Server DH g", dh_g.data, dh_g.len)); |
| 7008 PRINT_BUF(60, (NULL, "Server DH Ys", dh_Ys.data, dh_Ys.len)); | 7209 PRINT_BUF(60, (NULL, "Server DH Ys", dh_Ys.data, dh_Ys.len)); |
| 7009 | 7210 |
| 7010 /* failures after this point are not malformed handshakes. */ | 7211 /* failures after this point are not malformed handshakes. */ |
| 7011 /* TLS: send decrypt_error if signature failed. */ | 7212 /* TLS: send decrypt_error if signature failed. */ |
| 7012 desc = isTLS ? decrypt_error : handshake_failure; | 7213 desc = isTLS ? decrypt_error : handshake_failure; |
| 7013 | 7214 |
| 7014 /* | 7215 /* |
| 7015 * check to make sure the hash is signed by right guy | 7216 * check to make sure the hash is signed by right guy |
| 7016 */ | 7217 */ |
| 7017 » rv = ssl3_ComputeDHKeyHash(sigAndHash.hashAlg, dh_p, dh_g, dh_Ys, | 7218 rv = ssl3_ComputeDHKeyHash(sigAndHash.hashAlg, dh_p, dh_g, dh_Ys, |
| 7018 » » » » » &ss->ssl3.hs.client_random, | 7219 &ss->ssl3.hs.client_random, |
| 7019 » » » » » &ss->ssl3.hs.server_random, | 7220 &ss->ssl3.hs.server_random, |
| 7020 » » » » » &hashes, ss->opt.bypassPKCS11); | 7221 &hashes, ss->opt.bypassPKCS11); |
| 7021 if (rv != SECSuccess) { | 7222 if (rv != SECSuccess) { |
| 7022 errCode = | 7223 errCode = |
| 7023 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); | 7224 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); |
| 7024 goto alert_loser; | 7225 goto alert_loser; |
| 7025 } | 7226 } |
| 7026 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature, | 7227 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature, |
| 7027 isTLS, ss->pkcs11PinArg); | 7228 isTLS, ss->pkcs11PinArg); |
| 7028 if (rv != SECSuccess) { | 7229 if (rv != SECSuccess) { |
| 7029 errCode = | 7230 errCode = |
| 7030 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); | 7231 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); |
| 7031 goto alert_loser; | 7232 goto alert_loser; |
| 7032 } | 7233 } |
| 7033 | 7234 |
| 7034 /* | 7235 /* |
| 7035 * we really need to build a new key here because we can no longer | 7236 * we really need to build a new key here because we can no longer |
| 7036 * ignore calling SECKEY_DestroyPublicKey. Using the key may allocate | 7237 * ignore calling SECKEY_DestroyPublicKey. Using the key may allocate |
| 7037 * pkcs11 slots and ID's. | 7238 * pkcs11 slots and ID's. |
| 7038 */ | 7239 */ |
| 7039 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | 7240 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); |
| 7040 if (arena == NULL) { | 7241 if (arena == NULL) { |
| 7041 goto no_memory; | 7242 goto no_memory; |
| 7042 } | 7243 } |
| 7043 | 7244 |
| 7044 » ss->sec.peerKey = peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey); | 7245 » peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey); |
| 7045 if (peerKey == NULL) { | 7246 if (peerKey == NULL) { |
| 7046 goto no_memory; | 7247 goto no_memory; |
| 7047 } | 7248 } |
| 7048 | 7249 |
| 7049 peerKey->arena = arena; | 7250 peerKey->arena = arena; |
| 7050 peerKey->keyType = dhKey; | 7251 peerKey->keyType = dhKey; |
| 7051 peerKey->pkcs11Slot = NULL; | 7252 peerKey->pkcs11Slot = NULL; |
| 7052 peerKey->pkcs11ID = CK_INVALID_HANDLE; | 7253 peerKey->pkcs11ID = CK_INVALID_HANDLE; |
| 7053 | 7254 |
| 7054 if (SECITEM_CopyItem(arena, &peerKey->u.dh.prime, &dh_p) || | 7255 if (SECITEM_CopyItem(arena, &peerKey->u.dh.prime, &dh_p) || |
| 7055 SECITEM_CopyItem(arena, &peerKey->u.dh.base, &dh_g) || | 7256 SECITEM_CopyItem(arena, &peerKey->u.dh.base, &dh_g) || |
| 7056 SECITEM_CopyItem(arena, &peerKey->u.dh.publicValue, &dh_Ys)) | 7257 SECITEM_CopyItem(arena, &peerKey->u.dh.publicValue, &dh_Ys)) |
| 7057 { | 7258 { |
| 7058 PORT_FreeArena(arena, PR_FALSE); | |
| 7059 goto no_memory; | 7259 goto no_memory; |
| 7060 } | 7260 } |
| 7061 ss->sec.peerKey = peerKey; | 7261 ss->sec.peerKey = peerKey; |
| 7062 ss->ssl3.hs.ws = wait_cert_request; | 7262 ss->ssl3.hs.ws = wait_cert_request; |
| 7063 return SECSuccess; | 7263 return SECSuccess; |
| 7064 } | 7264 } |
| 7065 | 7265 |
| 7066 #ifndef NSS_DISABLE_ECC | 7266 #ifndef NSS_DISABLE_ECC |
| 7067 case kt_ecdh: | 7267 case kt_ecdh: |
| 7068 rv = ssl3_HandleECDHServerKeyExchange(ss, b, length); | 7268 rv = ssl3_HandleECDHServerKeyExchange(ss, b, length); |
| 7069 return rv; | 7269 return rv; |
| 7070 #endif /* NSS_DISABLE_ECC */ | 7270 #endif /* NSS_DISABLE_ECC */ |
| 7071 | 7271 |
| 7072 default: | 7272 default: |
| 7073 desc = handshake_failure; | 7273 desc = handshake_failure; |
| 7074 errCode = SEC_ERROR_UNSUPPORTED_KEYALG; | 7274 errCode = SEC_ERROR_UNSUPPORTED_KEYALG; |
| 7075 break; /* goto alert_loser; */ | 7275 break; /* goto alert_loser; */ |
| 7076 } | 7276 } |
| 7077 | 7277 |
| 7078 alert_loser: | 7278 alert_loser: |
| 7079 (void)SSL3_SendAlert(ss, alert_fatal, desc); | 7279 (void)SSL3_SendAlert(ss, alert_fatal, desc); |
| 7080 loser: | 7280 loser: |
| 7281 if (arena) { |
| 7282 PORT_FreeArena(arena, PR_FALSE); |
| 7283 } |
| 7081 PORT_SetError( errCode ); | 7284 PORT_SetError( errCode ); |
| 7082 return SECFailure; | 7285 return SECFailure; |
| 7083 | 7286 |
| 7084 no_memory: /* no-memory error has already been set. */ | 7287 no_memory: /* no-memory error has already been set. */ |
| 7288 if (arena) { |
| 7289 PORT_FreeArena(arena, PR_FALSE); |
| 7290 } |
| 7085 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); | 7291 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); |
| 7086 return SECFailure; | 7292 return SECFailure; |
| 7087 } | 7293 } |
| 7088 | 7294 |
| 7089 /* | 7295 /* |
| 7090 * Returns the TLS signature algorithm for the client authentication key and | 7296 * Returns the TLS signature algorithm for the client authentication key and |
| 7091 * whether it is an RSA or DSA key that may be able to sign only SHA-1 hashes. | 7297 * whether it is an RSA or DSA key that may be able to sign only SHA-1 hashes. |
| 7092 */ | 7298 */ |
| 7093 static SECStatus | 7299 static SECStatus |
| 7094 ssl3_ExtractClientKeyInfo(sslSocket *ss, | 7300 ssl3_ExtractClientKeyInfo(sslSocket *ss, |
| 7095 » » » TLSSignatureAlgorithm *sigAlg, | 7301 » » » SSLSignType *sigAlg, |
| 7096 PRBool *preferSha1) | 7302 PRBool *preferSha1) |
| 7097 { | 7303 { |
| 7098 SECStatus rv = SECSuccess; | 7304 SECStatus rv = SECSuccess; |
| 7099 SECKEYPublicKey *pubk; | 7305 SECKEYPublicKey *pubk; |
| 7100 | 7306 |
| 7101 pubk = CERT_ExtractPublicKey(ss->ssl3.clientCertificate); | 7307 pubk = CERT_ExtractPublicKey(ss->ssl3.clientCertificate); |
| 7102 if (pubk == NULL) { | 7308 if (pubk == NULL) { |
| 7103 rv = SECFailure; | 7309 rv = SECFailure; |
| 7104 goto done; | 7310 goto done; |
| 7105 } | 7311 } |
| (...skipping 35 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 7141 | 7347 |
| 7142 /* Destroys the backup handshake hash context if we don't need it. Note that | 7348 /* Destroys the backup handshake hash context if we don't need it. Note that |
| 7143 * this function selects the hash algorithm for client authentication | 7349 * this function selects the hash algorithm for client authentication |
| 7144 * signatures; ssl3_SendCertificateVerify uses the presence of the backup hash | 7350 * signatures; ssl3_SendCertificateVerify uses the presence of the backup hash |
| 7145 * to determine whether to use SHA-1 or SHA-256. */ | 7351 * to determine whether to use SHA-1 or SHA-256. */ |
| 7146 static void | 7352 static void |
| 7147 ssl3_DestroyBackupHandshakeHashIfNotNeeded(sslSocket *ss, | 7353 ssl3_DestroyBackupHandshakeHashIfNotNeeded(sslSocket *ss, |
| 7148 const SECItem *algorithms) | 7354 const SECItem *algorithms) |
| 7149 { | 7355 { |
| 7150 SECStatus rv; | 7356 SECStatus rv; |
| 7151 TLSSignatureAlgorithm sigAlg; | 7357 SSLSignType sigAlg; |
| 7152 PRBool preferSha1; | 7358 PRBool preferSha1; |
| 7153 PRBool supportsSha1 = PR_FALSE; | 7359 PRBool supportsSha1 = PR_FALSE; |
| 7154 PRBool supportsSha256 = PR_FALSE; | 7360 PRBool supportsSha256 = PR_FALSE; |
| 7155 PRBool needBackupHash = PR_FALSE; | 7361 PRBool needBackupHash = PR_FALSE; |
| 7156 unsigned int i; | 7362 unsigned int i; |
| 7157 | 7363 |
| 7158 #ifndef NO_PKCS11_BYPASS | 7364 #ifndef NO_PKCS11_BYPASS |
| 7159 /* Backup handshake hash is not supported in PKCS #11 bypass mode. */ | 7365 /* Backup handshake hash is not supported in PKCS #11 bypass mode. */ |
| 7160 if (ss->opt.bypassPKCS11) { | 7366 if (ss->opt.bypassPKCS11) { |
| 7161 PORT_Assert(!ss->ssl3.hs.backupHash); | 7367 PORT_Assert(!ss->ssl3.hs.backupHash); |
| 7162 return; | 7368 return; |
| 7163 } | 7369 } |
| 7164 #endif | 7370 #endif |
| 7165 PORT_Assert(ss->ssl3.hs.backupHash); | 7371 PORT_Assert(ss->ssl3.hs.backupHash); |
| 7166 | 7372 |
| 7167 /* Determine the key's signature algorithm and whether it prefers SHA-1. */ | 7373 /* Determine the key's signature algorithm and whether it prefers SHA-1. */ |
| 7168 rv = ssl3_ExtractClientKeyInfo(ss, &sigAlg, &preferSha1); | 7374 rv = ssl3_ExtractClientKeyInfo(ss, &sigAlg, &preferSha1); |
| 7169 if (rv != SECSuccess) { | 7375 if (rv != SECSuccess) { |
| 7170 goto done; | 7376 goto done; |
| 7171 } | 7377 } |
| 7172 | 7378 |
| 7173 /* Determine the server's hash support for that signature algorithm. */ | 7379 /* Determine the server's hash support for that signature algorithm. */ |
| 7174 for (i = 0; i < algorithms->len; i += 2) { | 7380 for (i = 0; i < algorithms->len; i += 2) { |
| 7175 if (algorithms->data[i+1] == sigAlg) { | 7381 if (algorithms->data[i+1] == sigAlg) { |
| 7176 » if (algorithms->data[i] == tls_hash_sha1) { | 7382 » if (algorithms->data[i] == ssl_hash_sha1) { |
| 7177 supportsSha1 = PR_TRUE; | 7383 supportsSha1 = PR_TRUE; |
| 7178 » } else if (algorithms->data[i] == tls_hash_sha256) { | 7384 » } else if (algorithms->data[i] == ssl_hash_sha256) { |
| 7179 supportsSha256 = PR_TRUE; | 7385 supportsSha256 = PR_TRUE; |
| 7180 } | 7386 } |
| 7181 } | 7387 } |
| 7182 } | 7388 } |
| 7183 | 7389 |
| 7184 /* If either the server does not support SHA-256 or the client key prefers | 7390 /* If either the server does not support SHA-256 or the client key prefers |
| 7185 * SHA-1, leave the backup hash. */ | 7391 * SHA-1, leave the backup hash. */ |
| 7186 if (supportsSha1 && (preferSha1 || !supportsSha256)) { | 7392 if (supportsSha1 && (preferSha1 || !supportsSha256)) { |
| 7187 needBackupHash = PR_TRUE; | 7393 needBackupHash = PR_TRUE; |
| 7188 } | 7394 } |
| (...skipping 138 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 7327 rv = (SECStatus)(*ss->getPlatformClientAuthData)( | 7533 rv = (SECStatus)(*ss->getPlatformClientAuthData)( |
| 7328 ss->getPlatformClientAuthDataArg, | 7534 ss->getPlatformClientAuthDataArg, |
| 7329 ss->fd, &ca_list, | 7535 ss->fd, &ca_list, |
| 7330 &platform_cert_list, | 7536 &platform_cert_list, |
| 7331 (void**)&ss->ssl3.platformClientKey, | 7537 (void**)&ss->ssl3.platformClientKey, |
| 7332 &ss->ssl3.clientCertificate, | 7538 &ss->ssl3.clientCertificate, |
| 7333 &ss->ssl3.clientPrivateKey); | 7539 &ss->ssl3.clientPrivateKey); |
| 7334 } else | 7540 } else |
| 7335 #endif | 7541 #endif |
| 7336 if (ss->getClientAuthData != NULL) { | 7542 if (ss->getClientAuthData != NULL) { |
| 7543 PORT_Assert((ss->ssl3.hs.preliminaryInfo & ssl_preinfo_all) == |
| 7544 ssl_preinfo_all); |
| 7337 /* XXX Should pass cert_types and algorithms in this call!! */ | 7545 /* XXX Should pass cert_types and algorithms in this call!! */ |
| 7338 rv = (SECStatus)(*ss->getClientAuthData)(ss->getClientAuthDataArg, | 7546 rv = (SECStatus)(*ss->getClientAuthData)(ss->getClientAuthDataArg, |
| 7339 ss->fd, &ca_list, | 7547 ss->fd, &ca_list, |
| 7340 &ss->ssl3.clientCertificate, | 7548 &ss->ssl3.clientCertificate, |
| 7341 &ss->ssl3.clientPrivateKey); | 7549 &ss->ssl3.clientPrivateKey); |
| 7342 } else { | 7550 } else { |
| 7343 rv = SECFailure; /* force it to send a no_certificate alert */ | 7551 rv = SECFailure; /* force it to send a no_certificate alert */ |
| 7344 } | 7552 } |
| 7345 | 7553 |
| 7346 switch (rv) { | 7554 switch (rv) { |
| (...skipping 211 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 7558 * sufficiently strong that the attack can gain no advantage. | 7766 * sufficiently strong that the attack can gain no advantage. |
| 7559 * Therefore we always require an 80-bit cipher. */ | 7767 * Therefore we always require an 80-bit cipher. */ |
| 7560 ssl_GetSpecReadLock(ss); | 7768 ssl_GetSpecReadLock(ss); |
| 7561 maybeFalseStart = ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10; | 7769 maybeFalseStart = ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10; |
| 7562 ssl_ReleaseSpecReadLock(ss); | 7770 ssl_ReleaseSpecReadLock(ss); |
| 7563 | 7771 |
| 7564 if (!maybeFalseStart) { | 7772 if (!maybeFalseStart) { |
| 7565 SSL_TRC(3, ("%d: SSL[%d]: no false start due to weak cipher", | 7773 SSL_TRC(3, ("%d: SSL[%d]: no false start due to weak cipher", |
| 7566 SSL_GETPID(), ss->fd)); | 7774 SSL_GETPID(), ss->fd)); |
| 7567 } else { | 7775 } else { |
| 7776 PORT_Assert((ss->ssl3.hs.preliminaryInfo & ssl_preinfo_all) == |
| 7777 ssl_preinfo_all); |
| 7568 rv = (ss->canFalseStartCallback)(ss->fd, | 7778 rv = (ss->canFalseStartCallback)(ss->fd, |
| 7569 ss->canFalseStartCallbackData, | 7779 ss->canFalseStartCallbackData, |
| 7570 &ss->ssl3.hs.canFalseStart); | 7780 &ss->ssl3.hs.canFalseStart); |
| 7571 if (rv == SECSuccess) { | 7781 if (rv == SECSuccess) { |
| 7572 SSL_TRC(3, ("%d: SSL[%d]: false start callback returned %s", | 7782 SSL_TRC(3, ("%d: SSL[%d]: false start callback returned %s", |
| 7573 SSL_GETPID(), ss->fd, | 7783 SSL_GETPID(), ss->fd, |
| 7574 ss->ssl3.hs.canFalseStart ? "TRUE" : "FALSE")); | 7784 ss->ssl3.hs.canFalseStart ? "TRUE" : "FALSE")); |
| 7575 } else { | 7785 } else { |
| 7576 SSL_TRC(3, ("%d: SSL[%d]: false start callback failed (%s)", | 7786 SSL_TRC(3, ("%d: SSL[%d]: false start callback failed (%s)", |
| 7577 SSL_GETPID(), ss->fd, | 7787 SSL_GETPID(), ss->fd, |
| (...skipping 338 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 7916 sid->addr = ss->sec.ci.peer; | 8126 sid->addr = ss->sec.ci.peer; |
| 7917 sid->port = ss->sec.ci.port; | 8127 sid->port = ss->sec.ci.port; |
| 7918 sid->references = 1; | 8128 sid->references = 1; |
| 7919 sid->cached = never_cached; | 8129 sid->cached = never_cached; |
| 7920 sid->version = ss->version; | 8130 sid->version = ss->version; |
| 7921 | 8131 |
| 7922 sid->u.ssl3.keys.resumable = PR_TRUE; | 8132 sid->u.ssl3.keys.resumable = PR_TRUE; |
| 7923 sid->u.ssl3.policy = SSL_ALLOWED; | 8133 sid->u.ssl3.policy = SSL_ALLOWED; |
| 7924 sid->u.ssl3.clientWriteKey = NULL; | 8134 sid->u.ssl3.clientWriteKey = NULL; |
| 7925 sid->u.ssl3.serverWriteKey = NULL; | 8135 sid->u.ssl3.serverWriteKey = NULL; |
| 8136 sid->u.ssl3.keys.extendedMasterSecretUsed = PR_FALSE; |
| 7926 | 8137 |
| 7927 if (is_server) { | 8138 if (is_server) { |
| 7928 SECStatus rv; | 8139 SECStatus rv; |
| 7929 int pid = SSL_GETPID(); | 8140 int pid = SSL_GETPID(); |
| 7930 | 8141 |
| 7931 sid->u.ssl3.sessionIDLength = SSL3_SESSIONID_BYTES; | 8142 sid->u.ssl3.sessionIDLength = SSL3_SESSIONID_BYTES; |
| 7932 sid->u.ssl3.sessionID[0] = (pid >> 8) & 0xff; | 8143 sid->u.ssl3.sessionID[0] = (pid >> 8) & 0xff; |
| 7933 sid->u.ssl3.sessionID[1] = pid & 0xff; | 8144 sid->u.ssl3.sessionID[1] = pid & 0xff; |
| 7934 rv = PK11_GenerateRandom(sid->u.ssl3.sessionID + 2, | 8145 rv = PK11_GenerateRandom(sid->u.ssl3.sessionID + 2, |
| 7935 SSL3_SESSIONID_BYTES -2); | 8146 SSL3_SESSIONID_BYTES -2); |
| (...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 7968 return rv; /* error code is set. */ | 8179 return rv; /* error code is set. */ |
| 7969 } | 8180 } |
| 7970 /* We have to do this after the call to ssl3_SendServerHello, | 8181 /* We have to do this after the call to ssl3_SendServerHello, |
| 7971 * because kea_def is set up by ssl3_SendServerHello(). | 8182 * because kea_def is set up by ssl3_SendServerHello(). |
| 7972 */ | 8183 */ |
| 7973 kea_def = ss->ssl3.hs.kea_def; | 8184 kea_def = ss->ssl3.hs.kea_def; |
| 7974 ss->ssl3.hs.usedStepDownKey = PR_FALSE; | 8185 ss->ssl3.hs.usedStepDownKey = PR_FALSE; |
| 7975 | 8186 |
| 7976 if (kea_def->is_limited && kea_def->exchKeyType == kt_rsa) { | 8187 if (kea_def->is_limited && kea_def->exchKeyType == kt_rsa) { |
| 7977 /* see if we can legally use the key in the cert. */ | 8188 /* see if we can legally use the key in the cert. */ |
| 7978 » int keyLen; /* bytes */ | 8189 » unsigned int keyLen; /* bytes */ |
| 7979 | 8190 |
| 7980 keyLen = PK11_GetPrivateModulusLen( | 8191 keyLen = PK11_GetPrivateModulusLen( |
| 7981 ss->serverCerts[kea_def->exchKeyType].SERVERKEY); | 8192 ss->serverCerts[kea_def->exchKeyType].SERVERKEY); |
| 7982 | 8193 |
| 7983 if (keyLen > 0 && | 8194 if (keyLen > 0 && |
| 7984 keyLen * BPB <= kea_def->key_size_limit ) { | 8195 keyLen * BPB <= kea_def->key_size_limit ) { |
| 7985 /* XXX AND cert is not signing only!! */ | 8196 /* XXX AND cert is not signing only!! */ |
| 7986 /* just fall through and use it. */ | 8197 /* just fall through and use it. */ |
| 7987 } else if (ss->stepDownKeyPair != NULL) { | 8198 } else if (ss->stepDownKeyPair != NULL) { |
| 7988 ss->ssl3.hs.usedStepDownKey = PR_TRUE; | 8199 ss->ssl3.hs.usedStepDownKey = PR_TRUE; |
| (...skipping 26 matching lines...) Expand all Loading... |
| 8015 } | 8226 } |
| 8016 | 8227 |
| 8017 ss->ssl3.hs.ws = (ss->opt.requestCertificate) ? wait_client_cert | 8228 ss->ssl3.hs.ws = (ss->opt.requestCertificate) ? wait_client_cert |
| 8018 : wait_client_key; | 8229 : wait_client_key; |
| 8019 return SECSuccess; | 8230 return SECSuccess; |
| 8020 } | 8231 } |
| 8021 | 8232 |
| 8022 /* An empty TLS Renegotiation Info (RI) extension */ | 8233 /* An empty TLS Renegotiation Info (RI) extension */ |
| 8023 static const PRUint8 emptyRIext[5] = {0xff, 0x01, 0x00, 0x01, 0x00}; | 8234 static const PRUint8 emptyRIext[5] = {0xff, 0x01, 0x00, 0x01, 0x00}; |
| 8024 | 8235 |
| 8236 static PRBool |
| 8237 ssl3_KEAAllowsSessionTicket(SSL3KeyExchangeAlgorithm kea) |
| 8238 { |
| 8239 switch (kea) { |
| 8240 case kea_dhe_dss: |
| 8241 case kea_dhe_dss_export: |
| 8242 case kea_dh_dss_export: |
| 8243 case kea_dh_dss: |
| 8244 /* TODO: Fix session tickets for DSS. The server code rejects the |
| 8245 * session ticket received from the client. Bug 1174677 */ |
| 8246 return PR_FALSE; |
| 8247 default: |
| 8248 return PR_TRUE; |
| 8249 }; |
| 8250 } |
| 8251 |
| 8025 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete | 8252 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete |
| 8026 * ssl3 Client Hello message. | 8253 * ssl3 Client Hello message. |
| 8027 * Caller must hold Handshake and RecvBuf locks. | 8254 * Caller must hold Handshake and RecvBuf locks. |
| 8028 */ | 8255 */ |
| 8029 static SECStatus | 8256 static SECStatus |
| 8030 ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) | 8257 ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
| 8031 { | 8258 { |
| 8032 sslSessionID * sid = NULL; | 8259 sslSessionID * sid = NULL; |
| 8033 PRInt32 tmp; | 8260 PRInt32 tmp; |
| 8034 unsigned int i; | 8261 unsigned int i; |
| 8035 int j; | 8262 int j; |
| 8036 SECStatus rv; | 8263 SECStatus rv; |
| 8037 int errCode = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO; | 8264 int errCode = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO; |
| 8038 SSL3AlertDescription desc = illegal_parameter; | 8265 SSL3AlertDescription desc = illegal_parameter; |
| 8039 SSL3AlertLevel level = alert_fatal; | 8266 SSL3AlertLevel level = alert_fatal; |
| 8040 SSL3ProtocolVersion version; | 8267 SSL3ProtocolVersion version; |
| 8041 SECItem sidBytes = {siBuffer, NULL, 0}; | 8268 SECItem sidBytes = {siBuffer, NULL, 0}; |
| 8042 SECItem cookieBytes = {siBuffer, NULL, 0}; | 8269 SECItem cookieBytes = {siBuffer, NULL, 0}; |
| 8043 SECItem suites = {siBuffer, NULL, 0}; | 8270 SECItem suites = {siBuffer, NULL, 0}; |
| 8044 SECItem comps = {siBuffer, NULL, 0}; | 8271 SECItem comps = {siBuffer, NULL, 0}; |
| 8045 PRBool haveSpecWriteLock = PR_FALSE; | 8272 PRBool haveSpecWriteLock = PR_FALSE; |
| 8046 PRBool haveXmitBufLock = PR_FALSE; | 8273 PRBool haveXmitBufLock = PR_FALSE; |
| 8274 PRBool canOfferSessionTicket = PR_FALSE; |
| 8047 | 8275 |
| 8048 SSL_TRC(3, ("%d: SSL3[%d]: handle client_hello handshake", | 8276 SSL_TRC(3, ("%d: SSL3[%d]: handle client_hello handshake", |
| 8049 SSL_GETPID(), ss->fd)); | 8277 SSL_GETPID(), ss->fd)); |
| 8050 | 8278 |
| 8051 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 8279 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
| 8052 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 8280 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| 8053 PORT_Assert( ss->ssl3.initialized ); | 8281 PORT_Assert( ss->ssl3.initialized ); |
| 8282 ss->ssl3.hs.preliminaryInfo = 0; |
| 8054 | 8283 |
| 8055 if (!ss->sec.isServer || | 8284 if (!ss->sec.isServer || |
| 8056 (ss->ssl3.hs.ws != wait_client_hello && | 8285 (ss->ssl3.hs.ws != wait_client_hello && |
| 8057 ss->ssl3.hs.ws != idle_handshake)) { | 8286 ss->ssl3.hs.ws != idle_handshake)) { |
| 8058 desc = unexpected_message; | 8287 desc = unexpected_message; |
| 8059 errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO; | 8288 errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO; |
| 8060 goto alert_loser; | 8289 goto alert_loser; |
| 8061 } | 8290 } |
| 8062 if (ss->ssl3.hs.ws == idle_handshake && | 8291 if (ss->ssl3.hs.ws == idle_handshake && |
| 8063 ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) { | 8292 ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) { |
| (...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 8109 ss->clientHelloVersion = version = (SSL3ProtocolVersion)tmp; | 8338 ss->clientHelloVersion = version = (SSL3ProtocolVersion)tmp; |
| 8110 } | 8339 } |
| 8111 | 8340 |
| 8112 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE); | 8341 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE); |
| 8113 if (rv != SECSuccess) { | 8342 if (rv != SECSuccess) { |
| 8114 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version | 8343 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version |
| 8115 : handshake_failure; | 8344 : handshake_failure; |
| 8116 errCode = SSL_ERROR_UNSUPPORTED_VERSION; | 8345 errCode = SSL_ERROR_UNSUPPORTED_VERSION; |
| 8117 goto alert_loser; | 8346 goto alert_loser; |
| 8118 } | 8347 } |
| 8348 ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_version; |
| 8119 | 8349 |
| 8120 rv = ssl3_InitHandshakeHashes(ss); | 8350 rv = ssl3_InitHandshakeHashes(ss); |
| 8121 if (rv != SECSuccess) { | 8351 if (rv != SECSuccess) { |
| 8122 desc = internal_error; | 8352 desc = internal_error; |
| 8123 errCode = PORT_GetError(); | 8353 errCode = PORT_GetError(); |
| 8124 goto alert_loser; | 8354 goto alert_loser; |
| 8125 } | 8355 } |
| 8126 | 8356 |
| 8127 /* grab the client random data. */ | 8357 /* grab the client random data. */ |
| 8128 rv = ssl3_ConsumeHandshake( | 8358 rv = ssl3_ConsumeHandshake( |
| (...skipping 147 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 8276 * the extension and we are unable to do either a stateful or | 8506 * the extension and we are unable to do either a stateful or |
| 8277 * stateless resume. | 8507 * stateless resume. |
| 8278 * | 8508 * |
| 8279 * TODO: send a session ticket if performing a stateful | 8509 * TODO: send a session ticket if performing a stateful |
| 8280 * resumption. (As per RFC4507, a server may issue a session | 8510 * resumption. (As per RFC4507, a server may issue a session |
| 8281 * ticket while doing a (stateless or stateful) session resume, | 8511 * ticket while doing a (stateless or stateful) session resume, |
| 8282 * but OpenSSL-0.9.8g does not accept session tickets while | 8512 * but OpenSSL-0.9.8g does not accept session tickets while |
| 8283 * resuming.) | 8513 * resuming.) |
| 8284 */ | 8514 */ |
| 8285 if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn) && sid == NULL) { | 8515 if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn) && sid == NULL) { |
| 8286 » ssl3_RegisterServerHelloExtensionSender(ss, | 8516 » canOfferSessionTicket = PR_TRUE; |
| 8287 » ssl_session_ticket_xtn, ssl3_SendSessionTicketXtn); | |
| 8288 } | 8517 } |
| 8289 | 8518 |
| 8290 if (sid != NULL) { | 8519 if (sid != NULL) { |
| 8291 /* We've found a session cache entry for this client. | 8520 /* We've found a session cache entry for this client. |
| 8292 * Now, if we're going to require a client-auth cert, | 8521 * Now, if we're going to require a client-auth cert, |
| 8293 * and we don't already have this client's cert in the session cache, | 8522 * and we don't already have this client's cert in the session cache, |
| 8294 * and this is the first handshake on this connection (not a redo), | 8523 * and this is the first handshake on this connection (not a redo), |
| 8295 * then drop this old cache entry and start a new session. | 8524 * then drop this old cache entry and start a new session. |
| 8296 */ | 8525 */ |
| 8297 if ((sid->peerCert == NULL) && ss->opt.requestCertificate && | 8526 if ((sid->peerCert == NULL) && ss->opt.requestCertificate && |
| (...skipping 62 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 8360 } | 8589 } |
| 8361 PORT_Assert(j > 0); | 8590 PORT_Assert(j > 0); |
| 8362 if (j <= 0) | 8591 if (j <= 0) |
| 8363 break; | 8592 break; |
| 8364 #ifdef PARANOID | 8593 #ifdef PARANOID |
| 8365 /* Double check that the cached cipher suite is still enabled, | 8594 /* Double check that the cached cipher suite is still enabled, |
| 8366 * implemented, and allowed by policy. Might have been disabled. | 8595 * implemented, and allowed by policy. Might have been disabled. |
| 8367 * The product policy won't change during the process lifetime. | 8596 * The product policy won't change during the process lifetime. |
| 8368 * Implemented ("isPresent") shouldn't change for servers. | 8597 * Implemented ("isPresent") shouldn't change for servers. |
| 8369 */ | 8598 */ |
| 8370 » if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) | 8599 » if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange, ss)) |
| 8371 break; | 8600 break; |
| 8372 #else | 8601 #else |
| 8373 if (!suite->enabled) | 8602 if (!suite->enabled) |
| 8374 break; | 8603 break; |
| 8375 #endif | 8604 #endif |
| 8376 /* Double check that the cached cipher suite is in the client's list */ | 8605 /* Double check that the cached cipher suite is in the client's list */ |
| 8377 for (i = 0; i + 1 < suites.len; i += 2) { | 8606 for (i = 0; i + 1 < suites.len; i += 2) { |
| 8378 PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1]; | 8607 PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1]; |
| 8379 if (suite_i == suite->cipher_suite) { | 8608 if (suite_i == suite->cipher_suite) { |
| 8380 ss->ssl3.hs.cipher_suite = suite->cipher_suite; | 8609 ss->ssl3.hs.cipher_suite = suite->cipher_suite; |
| 8381 ss->ssl3.hs.suite_def = | 8610 ss->ssl3.hs.suite_def = |
| 8382 ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite); | 8611 ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite); |
| 8612 ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_cipher_suite; |
| 8383 | 8613 |
| 8384 /* Use the cached compression method. */ | 8614 /* Use the cached compression method. */ |
| 8385 ss->ssl3.hs.compression = sid->u.ssl3.compression; | 8615 ss->ssl3.hs.compression = sid->u.ssl3.compression; |
| 8386 goto compression_found; | 8616 goto compression_found; |
| 8387 } | 8617 } |
| 8388 } | 8618 } |
| 8389 } while (0); | 8619 } while (0); |
| 8390 | 8620 |
| 8391 /* START A NEW SESSION */ | 8621 /* START A NEW SESSION */ |
| 8392 | 8622 |
| (...skipping 16 matching lines...) Expand all Loading... |
| 8409 ** 1.0 and selecting one of those export cipher suites. However, a secure | 8639 ** 1.0 and selecting one of those export cipher suites. However, a secure |
| 8410 ** TLS 1.1 client should not have export cipher suites enabled at all, | 8640 ** TLS 1.1 client should not have export cipher suites enabled at all, |
| 8411 ** and a TLS 1.1 client should definitely not be offering *only* export | 8641 ** and a TLS 1.1 client should definitely not be offering *only* export |
| 8412 ** cipher suites. Therefore, we refuse to negotiate export cipher suites | 8642 ** cipher suites. Therefore, we refuse to negotiate export cipher suites |
| 8413 ** with any client that indicates support for TLS 1.1 or higher when we | 8643 ** with any client that indicates support for TLS 1.1 or higher when we |
| 8414 ** (the server) have TLS 1.1 support enabled. | 8644 ** (the server) have TLS 1.1 support enabled. |
| 8415 */ | 8645 */ |
| 8416 for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) { | 8646 for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) { |
| 8417 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j]; | 8647 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j]; |
| 8418 SSLVersionRange vrange = {ss->version, ss->version}; | 8648 SSLVersionRange vrange = {ss->version, ss->version}; |
| 8419 » if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) { | 8649 » if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange, ss)) { |
| 8420 continue; | 8650 continue; |
| 8421 } | 8651 } |
| 8422 for (i = 0; i + 1 < suites.len; i += 2) { | 8652 for (i = 0; i + 1 < suites.len; i += 2) { |
| 8423 PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1]; | 8653 PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1]; |
| 8424 if (suite_i == suite->cipher_suite) { | 8654 if (suite_i == suite->cipher_suite) { |
| 8425 ss->ssl3.hs.cipher_suite = suite->cipher_suite; | 8655 ss->ssl3.hs.cipher_suite = suite->cipher_suite; |
| 8426 ss->ssl3.hs.suite_def = | 8656 ss->ssl3.hs.suite_def = |
| 8427 ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite); | 8657 ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite); |
| 8658 ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_cipher_suite; |
| 8428 goto suite_found; | 8659 goto suite_found; |
| 8429 } | 8660 } |
| 8430 } | 8661 } |
| 8431 } | 8662 } |
| 8432 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; | 8663 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; |
| 8433 goto alert_loser; | 8664 goto alert_loser; |
| 8434 | 8665 |
| 8435 suite_found: | 8666 suite_found: |
| 8667 if (canOfferSessionTicket) |
| 8668 canOfferSessionTicket = ssl3_KEAAllowsSessionTicket( |
| 8669 ss->ssl3.hs.suite_def->key_exchange_alg); |
| 8670 |
| 8671 if (canOfferSessionTicket) { |
| 8672 ssl3_RegisterServerHelloExtensionSender(ss, |
| 8673 ssl_session_ticket_xtn, ssl3_SendSessionTicketXtn); |
| 8674 } |
| 8675 |
| 8436 /* Select a compression algorithm. */ | 8676 /* Select a compression algorithm. */ |
| 8437 for (i = 0; i < comps.len; i++) { | 8677 for (i = 0; i < comps.len; i++) { |
| 8438 if (!compressionEnabled(ss, comps.data[i])) | 8678 if (!compressionEnabled(ss, comps.data[i])) |
| 8439 continue; | 8679 continue; |
| 8440 for (j = 0; j < compressionMethodsCount; j++) { | 8680 for (j = 0; j < compressionMethodsCount; j++) { |
| 8441 if (comps.data[i] == compressions[j]) { | 8681 if (comps.data[i] == compressions[j]) { |
| 8442 ss->ssl3.hs.compression = | 8682 ss->ssl3.hs.compression = |
| 8443 (SSLCompressionMethod)compressions[j]; | 8683 (SSLCompressionMethod)compressions[j]; |
| 8444 goto compression_found; | 8684 goto compression_found; |
| 8445 } | 8685 } |
| 8446 } | 8686 } |
| 8447 } | 8687 } |
| 8448 errCode = SSL_ERROR_NO_COMPRESSION_OVERLAP; | 8688 errCode = SSL_ERROR_NO_COMPRESSION_OVERLAP; |
| 8449 /* null compression must be supported */ | 8689 /* null compression must be supported */ |
| 8450 goto alert_loser; | 8690 goto alert_loser; |
| 8451 | 8691 |
| 8452 compression_found: | 8692 compression_found: |
| 8453 suites.data = NULL; | 8693 suites.data = NULL; |
| 8454 comps.data = NULL; | 8694 comps.data = NULL; |
| 8455 | 8695 |
| 8456 ss->sec.send = ssl3_SendApplicationData; | 8696 ss->sec.send = ssl3_SendApplicationData; |
| 8457 | 8697 |
| 8458 /* If there are any failures while processing the old sid, | 8698 /* If there are any failures while processing the old sid, |
| 8459 * we don't consider them to be errors. Instead, We just behave | 8699 * we don't consider them to be errors. Instead, We just behave |
| 8460 * as if the client had sent us no sid to begin with, and make a new one. | 8700 * as if the client had sent us no sid to begin with, and make a new one. |
| 8701 * The exception here is attempts to resume extended_master_secret |
| 8702 * sessions without the extension, which causes an alert. |
| 8461 */ | 8703 */ |
| 8462 if (sid != NULL) do { | 8704 if (sid != NULL) do { |
| 8463 ssl3CipherSpec *pwSpec; | 8705 ssl3CipherSpec *pwSpec; |
| 8464 SECItem wrappedMS; /* wrapped key */ | 8706 SECItem wrappedMS; /* wrapped key */ |
| 8465 | 8707 |
| 8466 if (sid->version != ss->version || | 8708 if (sid->version != ss->version || |
| 8467 sid->u.ssl3.cipherSuite != ss->ssl3.hs.cipher_suite || | 8709 sid->u.ssl3.cipherSuite != ss->ssl3.hs.cipher_suite || |
| 8468 sid->u.ssl3.compression != ss->ssl3.hs.compression) { | 8710 sid->u.ssl3.compression != ss->ssl3.hs.compression) { |
| 8469 break; /* not an error */ | 8711 break; /* not an error */ |
| 8470 } | 8712 } |
| 8471 | 8713 |
| 8714 /* [draft-ietf-tls-session-hash-06; Section 5.3] |
| 8715 * o If the original session did not use the "extended_master_secret" |
| 8716 * extension but the new ClientHello contains the extension, then the |
| 8717 * server MUST NOT perform the abbreviated handshake. Instead, it |
| 8718 * SHOULD continue with a full handshake (as described in |
| 8719 * Section 5.2) to negotiate a new session. |
| 8720 * |
| 8721 * o If the original session used the "extended_master_secret" |
| 8722 * extension but the new ClientHello does not contain the extension, |
| 8723 * the server MUST abort the abbreviated handshake. |
| 8724 */ |
| 8725 if (ssl3_ExtensionNegotiated(ss, ssl_extended_master_secret_xtn)) { |
| 8726 if (!sid->u.ssl3.keys.extendedMasterSecretUsed) { |
| 8727 break; /* not an error */ |
| 8728 } |
| 8729 } else { |
| 8730 if (sid->u.ssl3.keys.extendedMasterSecretUsed) { |
| 8731 /* Note: we do not destroy the session */ |
| 8732 desc = handshake_failure; |
| 8733 errCode = SSL_ERROR_MISSING_EXTENDED_MASTER_SECRET; |
| 8734 goto alert_loser; |
| 8735 } |
| 8736 } |
| 8737 |
| 8472 if (ss->sec.ci.sid) { | 8738 if (ss->sec.ci.sid) { |
| 8473 if (ss->sec.uncache) | 8739 if (ss->sec.uncache) |
| 8474 ss->sec.uncache(ss->sec.ci.sid); | 8740 ss->sec.uncache(ss->sec.ci.sid); |
| 8475 PORT_Assert(ss->sec.ci.sid != sid); /* should be impossible, but ..
. */ | 8741 PORT_Assert(ss->sec.ci.sid != sid); /* should be impossible, but ..
. */ |
| 8476 if (ss->sec.ci.sid != sid) { | 8742 if (ss->sec.ci.sid != sid) { |
| 8477 ssl_FreeSID(ss->sec.ci.sid); | 8743 ssl_FreeSID(ss->sec.ci.sid); |
| 8478 } | 8744 } |
| 8479 ss->sec.ci.sid = NULL; | 8745 ss->sec.ci.sid = NULL; |
| 8480 } | 8746 } |
| 8481 /* we need to resurrect the master secret.... */ | 8747 /* we need to resurrect the master secret.... */ |
| (...skipping 121 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 8603 if (rv != SECSuccess) { | 8869 if (rv != SECSuccess) { |
| 8604 errCode = PORT_GetError(); | 8870 errCode = PORT_GetError(); |
| 8605 goto loser; | 8871 goto loser; |
| 8606 } | 8872 } |
| 8607 | 8873 |
| 8608 if (haveSpecWriteLock) { | 8874 if (haveSpecWriteLock) { |
| 8609 ssl_ReleaseSpecWriteLock(ss); | 8875 ssl_ReleaseSpecWriteLock(ss); |
| 8610 haveSpecWriteLock = PR_FALSE; | 8876 haveSpecWriteLock = PR_FALSE; |
| 8611 } | 8877 } |
| 8612 | 8878 |
| 8613 » /* NULL value for PMS signifies re-use of the old MS */ | 8879 » /* NULL value for PMS because we are re-using the old MS */ |
| 8614 rv = ssl3_InitPendingCipherSpec(ss, NULL); | 8880 rv = ssl3_InitPendingCipherSpec(ss, NULL); |
| 8615 if (rv != SECSuccess) { | 8881 if (rv != SECSuccess) { |
| 8616 errCode = PORT_GetError(); | 8882 errCode = PORT_GetError(); |
| 8617 goto loser; | 8883 goto loser; |
| 8618 } | 8884 } |
| 8619 | 8885 |
| 8620 rv = ssl3_SendChangeCipherSpecs(ss); | 8886 rv = ssl3_SendChangeCipherSpecs(ss); |
| 8621 if (rv != SECSuccess) { | 8887 if (rv != SECSuccess) { |
| 8622 errCode = PORT_GetError(); | 8888 errCode = PORT_GetError(); |
| 8623 goto loser; | 8889 goto loser; |
| (...skipping 23 matching lines...) Expand all Loading... |
| 8647 if (ss->sec.uncache) | 8913 if (ss->sec.uncache) |
| 8648 ss->sec.uncache(sid); | 8914 ss->sec.uncache(sid); |
| 8649 ssl_FreeSID(sid); | 8915 ssl_FreeSID(sid); |
| 8650 sid = NULL; | 8916 sid = NULL; |
| 8651 } | 8917 } |
| 8652 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_misses ); | 8918 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_misses ); |
| 8653 | 8919 |
| 8654 if (ssl3_ExtensionNegotiated(ss, ssl_server_name_xtn)) { | 8920 if (ssl3_ExtensionNegotiated(ss, ssl_server_name_xtn)) { |
| 8655 int ret = 0; | 8921 int ret = 0; |
| 8656 if (ss->sniSocketConfig) do { /* not a loop */ | 8922 if (ss->sniSocketConfig) do { /* not a loop */ |
| 8923 PORT_Assert((ss->ssl3.hs.preliminaryInfo & ssl_preinfo_all) == |
| 8924 ssl_preinfo_all); |
| 8925 |
| 8657 ret = SSL_SNI_SEND_ALERT; | 8926 ret = SSL_SNI_SEND_ALERT; |
| 8658 /* If extension is negotiated, the len of names should > 0. */ | 8927 /* If extension is negotiated, the len of names should > 0. */ |
| 8659 if (ss->xtnData.sniNameArrSize) { | 8928 if (ss->xtnData.sniNameArrSize) { |
| 8660 /* Calling client callback to reconfigure the socket. */ | 8929 /* Calling client callback to reconfigure the socket. */ |
| 8661 ret = (SECStatus)(*ss->sniSocketConfig)(ss->fd, | 8930 ret = (SECStatus)(*ss->sniSocketConfig)(ss->fd, |
| 8662 ss->xtnData.sniNameArr, | 8931 ss->xtnData.sniNameArr, |
| 8663 ss->xtnData.sniNameArrSize, | 8932 ss->xtnData.sniNameArrSize, |
| 8664 ss->sniSocketConfigArg); | 8933 ss->sniSocketConfigArg); |
| 8665 } | 8934 } |
| 8666 if (ret <= SSL_SNI_SEND_ALERT) { | 8935 if (ret <= SSL_SNI_SEND_ALERT) { |
| (...skipping 27 matching lines...) Expand all Loading... |
| 8694 if (cwsName->data) { | 8963 if (cwsName->data) { |
| 8695 rv = SECITEM_CopyItem(NULL, pwsName, cwsName); | 8964 rv = SECITEM_CopyItem(NULL, pwsName, cwsName); |
| 8696 } | 8965 } |
| 8697 ssl_ReleaseSpecWriteLock(ss); /**************************/ | 8966 ssl_ReleaseSpecWriteLock(ss); /**************************/ |
| 8698 if (rv != SECSuccess) { | 8967 if (rv != SECSuccess) { |
| 8699 errCode = SSL_ERROR_INTERNAL_ERROR_ALERT; | 8968 errCode = SSL_ERROR_INTERNAL_ERROR_ALERT; |
| 8700 desc = internal_error; | 8969 desc = internal_error; |
| 8701 ret = SSL_SNI_SEND_ALERT; | 8970 ret = SSL_SNI_SEND_ALERT; |
| 8702 break; | 8971 break; |
| 8703 } | 8972 } |
| 8704 } else if (ret < ss->xtnData.sniNameArrSize) { | 8973 } else if ((unsigned int)ret < ss->xtnData.sniNameArrSize) { |
| 8705 /* Application has configured new socket info. Lets check it | 8974 /* Application has configured new socket info. Lets check it |
| 8706 * and save the name. */ | 8975 * and save the name. */ |
| 8707 SECStatus rv; | 8976 SECStatus rv; |
| 8708 SECItem * name = &ss->xtnData.sniNameArr[ret]; | 8977 SECItem * name = &ss->xtnData.sniNameArr[ret]; |
| 8709 int configedCiphers; | 8978 int configedCiphers; |
| 8710 SECItem * pwsName; | 8979 SECItem * pwsName; |
| 8711 | 8980 |
| 8712 /* get rid of the old name and save the newly picked. */ | 8981 /* get rid of the old name and save the newly picked. */ |
| 8713 /* This code is protected by ssl3HandshakeLock. */ | 8982 /* This code is protected by ssl3HandshakeLock. */ |
| 8714 ssl_GetSpecWriteLock(ss); /*******************************/ | 8983 ssl_GetSpecWriteLock(ss); /*******************************/ |
| (...skipping 30 matching lines...) Expand all Loading... |
| 8745 ret = SSL_SNI_SEND_ALERT; | 9014 ret = SSL_SNI_SEND_ALERT; |
| 8746 break; | 9015 break; |
| 8747 } | 9016 } |
| 8748 /* Need to tell the client that application has picked | 9017 /* Need to tell the client that application has picked |
| 8749 * the name from the offered list and reconfigured the socket. | 9018 * the name from the offered list and reconfigured the socket. |
| 8750 */ | 9019 */ |
| 8751 ssl3_RegisterServerHelloExtensionSender(ss, ssl_server_name_xtn, | 9020 ssl3_RegisterServerHelloExtensionSender(ss, ssl_server_name_xtn, |
| 8752 ssl3_SendServerNameXtn); | 9021 ssl3_SendServerNameXtn); |
| 8753 } else { | 9022 } else { |
| 8754 /* Callback returned index outside of the boundary. */ | 9023 /* Callback returned index outside of the boundary. */ |
| 8755 PORT_Assert(ret < ss->xtnData.sniNameArrSize); | 9024 PORT_Assert((unsigned int)ret < ss->xtnData.sniNameArrSize); |
| 8756 errCode = SSL_ERROR_INTERNAL_ERROR_ALERT; | 9025 errCode = SSL_ERROR_INTERNAL_ERROR_ALERT; |
| 8757 desc = internal_error; | 9026 desc = internal_error; |
| 8758 ret = SSL_SNI_SEND_ALERT; | 9027 ret = SSL_SNI_SEND_ALERT; |
| 8759 break; | 9028 break; |
| 8760 } | 9029 } |
| 8761 } while (0); | 9030 } while (0); |
| 8762 /* Free sniNameArr. The data that each SECItem in the array | 9031 /* Free sniNameArr. The data that each SECItem in the array |
| 8763 * points into is the data from the input buffer "b". It will | 9032 * points into is the data from the input buffer "b". It will |
| 8764 * not be available outside the scope of this or it's child | 9033 * not be available outside the scope of this or it's child |
| 8765 * functions.*/ | 9034 * functions.*/ |
| (...skipping 25 matching lines...) Expand all Loading... |
| 8791 } | 9060 } |
| 8792 #endif | 9061 #endif |
| 8793 | 9062 |
| 8794 sid = ssl3_NewSessionID(ss, PR_TRUE); | 9063 sid = ssl3_NewSessionID(ss, PR_TRUE); |
| 8795 if (sid == NULL) { | 9064 if (sid == NULL) { |
| 8796 errCode = PORT_GetError(); | 9065 errCode = PORT_GetError(); |
| 8797 goto loser; /* memory error is set. */ | 9066 goto loser; /* memory error is set. */ |
| 8798 } | 9067 } |
| 8799 ss->sec.ci.sid = sid; | 9068 ss->sec.ci.sid = sid; |
| 8800 | 9069 |
| 9070 sid->u.ssl3.keys.extendedMasterSecretUsed = |
| 9071 ssl3_ExtensionNegotiated(ss, ssl_extended_master_secret_xtn); |
| 8801 ss->ssl3.hs.isResuming = PR_FALSE; | 9072 ss->ssl3.hs.isResuming = PR_FALSE; |
| 8802 ssl_GetXmitBufLock(ss); | 9073 ssl_GetXmitBufLock(ss); |
| 8803 rv = ssl3_SendServerHelloSequence(ss); | 9074 rv = ssl3_SendServerHelloSequence(ss); |
| 8804 ssl_ReleaseXmitBufLock(ss); | 9075 ssl_ReleaseXmitBufLock(ss); |
| 8805 if (rv != SECSuccess) { | 9076 if (rv != SECSuccess) { |
| 8806 » errCode = PORT_GetError(); | 9077 errCode = PORT_GetError(); |
| 8807 » goto loser; | 9078 desc = handshake_failure; |
| 9079 goto alert_loser; |
| 8808 } | 9080 } |
| 8809 | 9081 |
| 8810 if (haveXmitBufLock) { | 9082 if (haveXmitBufLock) { |
| 8811 ssl_ReleaseXmitBufLock(ss); | 9083 ssl_ReleaseXmitBufLock(ss); |
| 8812 haveXmitBufLock = PR_FALSE; | 9084 haveXmitBufLock = PR_FALSE; |
| 8813 } | 9085 } |
| 8814 | 9086 |
| 8815 return SECSuccess; | 9087 return SECSuccess; |
| 8816 | 9088 |
| 8817 alert_loser: | 9089 alert_loser: |
| (...skipping 71 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 8889 ss->clientHelloVersion = version; | 9161 ss->clientHelloVersion = version; |
| 8890 | 9162 |
| 8891 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE); | 9163 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE); |
| 8892 if (rv != SECSuccess) { | 9164 if (rv != SECSuccess) { |
| 8893 /* send back which ever alert client will understand. */ | 9165 /* send back which ever alert client will understand. */ |
| 8894 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version | 9166 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version |
| 8895 : handshake_failure; | 9167 : handshake_failure; |
| 8896 errCode = SSL_ERROR_UNSUPPORTED_VERSION; | 9168 errCode = SSL_ERROR_UNSUPPORTED_VERSION; |
| 8897 goto alert_loser; | 9169 goto alert_loser; |
| 8898 } | 9170 } |
| 9171 ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_version; |
| 8899 | 9172 |
| 8900 rv = ssl3_InitHandshakeHashes(ss); | 9173 rv = ssl3_InitHandshakeHashes(ss); |
| 8901 if (rv != SECSuccess) { | 9174 if (rv != SECSuccess) { |
| 8902 desc = internal_error; | 9175 desc = internal_error; |
| 8903 errCode = PORT_GetError(); | 9176 errCode = PORT_GetError(); |
| 8904 goto alert_loser; | 9177 goto alert_loser; |
| 8905 } | 9178 } |
| 8906 | 9179 |
| 8907 /* if we get a non-zero SID, just ignore it. */ | 9180 /* if we get a non-zero SID, just ignore it. */ |
| 8908 if (length != | 9181 if (length != |
| (...skipping 35 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 8944 /* Select a cipher suite. | 9217 /* Select a cipher suite. |
| 8945 ** | 9218 ** |
| 8946 ** NOTE: This suite selection algorithm should be the same as the one in | 9219 ** NOTE: This suite selection algorithm should be the same as the one in |
| 8947 ** ssl3_HandleClientHello(). | 9220 ** ssl3_HandleClientHello(). |
| 8948 ** | 9221 ** |
| 8949 ** See the comments about export cipher suites in ssl3_HandleClientHello(). | 9222 ** See the comments about export cipher suites in ssl3_HandleClientHello(). |
| 8950 */ | 9223 */ |
| 8951 for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) { | 9224 for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) { |
| 8952 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j]; | 9225 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j]; |
| 8953 SSLVersionRange vrange = {ss->version, ss->version}; | 9226 SSLVersionRange vrange = {ss->version, ss->version}; |
| 8954 » if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) { | 9227 » if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange, ss)) { |
| 8955 continue; | 9228 continue; |
| 8956 } | 9229 } |
| 8957 for (i = 0; i+2 < suite_length; i += 3) { | 9230 for (i = 0; i+2 < suite_length; i += 3) { |
| 8958 PRUint32 suite_i = (suites[i] << 16)|(suites[i+1] << 8)|suites[i+2]; | 9231 PRUint32 suite_i = (suites[i] << 16)|(suites[i+1] << 8)|suites[i+2]; |
| 8959 if (suite_i == suite->cipher_suite) { | 9232 if (suite_i == suite->cipher_suite) { |
| 8960 ss->ssl3.hs.cipher_suite = suite->cipher_suite; | 9233 ss->ssl3.hs.cipher_suite = suite->cipher_suite; |
| 8961 ss->ssl3.hs.suite_def = | 9234 ss->ssl3.hs.suite_def = |
| 8962 ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite); | 9235 ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite); |
| 9236 ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_cipher_suite; |
| 8963 goto suite_found; | 9237 goto suite_found; |
| 8964 } | 9238 } |
| 8965 } | 9239 } |
| 8966 } | 9240 } |
| 8967 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; | 9241 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; |
| 8968 goto alert_loser; | 9242 goto alert_loser; |
| 8969 | 9243 |
| 8970 suite_found: | 9244 suite_found: |
| 8971 | 9245 |
| 8972 /* Look for the SCSV, and if found, treat it just like an empty RI | 9246 /* Look for the SCSV, and if found, treat it just like an empty RI |
| (...skipping 170 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 9143 } | 9417 } |
| 9144 } | 9418 } |
| 9145 rv = ssl3_SetupPendingCipherSpec(ss); | 9419 rv = ssl3_SetupPendingCipherSpec(ss); |
| 9146 if (rv != SECSuccess) { | 9420 if (rv != SECSuccess) { |
| 9147 return rv; /* err set by ssl3_SetupPendingCipherSpec */ | 9421 return rv; /* err set by ssl3_SetupPendingCipherSpec */ |
| 9148 } | 9422 } |
| 9149 | 9423 |
| 9150 return SECSuccess; | 9424 return SECSuccess; |
| 9151 } | 9425 } |
| 9152 | 9426 |
| 9427 static SECStatus |
| 9428 ssl3_PickSignatureHashAlgorithm(sslSocket *ss, |
| 9429 SSLSignatureAndHashAlg* out); |
| 9430 |
| 9431 static SECStatus |
| 9432 ssl3_SendDHServerKeyExchange(sslSocket *ss) |
| 9433 { |
| 9434 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; |
| 9435 SECStatus rv = SECFailure; |
| 9436 int length; |
| 9437 PRBool isTLS; |
| 9438 SECItem signed_hash = {siBuffer, NULL, 0}; |
| 9439 SSL3Hashes hashes; |
| 9440 SSLSignatureAndHashAlg sigAndHash; |
| 9441 SECKEYDHParams dhParam; |
| 9442 |
| 9443 ssl3KeyPair *keyPair = NULL; |
| 9444 SECKEYPublicKey *pubKey = NULL; /* Ephemeral DH key */ |
| 9445 SECKEYPrivateKey *privKey = NULL; /* Ephemeral DH key */ |
| 9446 int certIndex = -1; |
| 9447 |
| 9448 if (kea_def->kea != kea_dhe_dss && kea_def->kea != kea_dhe_rsa) { |
| 9449 /* TODO: Support DH_anon. It might be sufficient to drop the signature. |
| 9450 See bug 1170510. */ |
| 9451 PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); |
| 9452 return SECFailure; |
| 9453 } |
| 9454 |
| 9455 dhParam.prime.data = ss->dheParams->prime.data; |
| 9456 dhParam.prime.len = ss->dheParams->prime.len; |
| 9457 dhParam.base.data = ss->dheParams->base.data; |
| 9458 dhParam.base.len = ss->dheParams->base.len; |
| 9459 |
| 9460 PRINT_BUF(60, (NULL, "Server DH p", dhParam.prime.data, |
| 9461 dhParam.prime.len)); |
| 9462 PRINT_BUF(60, (NULL, "Server DH g", dhParam.base.data, |
| 9463 dhParam.base.len)); |
| 9464 |
| 9465 /* Generate ephemeral DH keypair */ |
| 9466 privKey = SECKEY_CreateDHPrivateKey(&dhParam, &pubKey, NULL); |
| 9467 if (!privKey || !pubKey) { |
| 9468 ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL); |
| 9469 rv = SECFailure; |
| 9470 goto loser; |
| 9471 } |
| 9472 |
| 9473 keyPair = ssl3_NewKeyPair(privKey, pubKey); |
| 9474 if (!keyPair) { |
| 9475 ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL); |
| 9476 goto loser; |
| 9477 } |
| 9478 |
| 9479 PRINT_BUF(50, (ss, "DH public value:", |
| 9480 pubKey->u.dh.publicValue.data, |
| 9481 pubKey->u.dh.publicValue.len)); |
| 9482 |
| 9483 if (ssl3_PickSignatureHashAlgorithm(ss, &sigAndHash) != SECSuccess) { |
| 9484 ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL); |
| 9485 goto loser; |
| 9486 } |
| 9487 |
| 9488 rv = ssl3_ComputeDHKeyHash(sigAndHash.hashAlg, |
| 9489 pubKey->u.dh.prime, |
| 9490 pubKey->u.dh.base, |
| 9491 pubKey->u.dh.publicValue, |
| 9492 &ss->ssl3.hs.client_random, |
| 9493 &ss->ssl3.hs.server_random, |
| 9494 &hashes, ss->opt.bypassPKCS11); |
| 9495 if (rv != SECSuccess) { |
| 9496 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); |
| 9497 goto loser; |
| 9498 } |
| 9499 |
| 9500 /* It has been suggested to test kea_def->signKeyType instead, and to use |
| 9501 * ssl_auth_* instead. Investigate what to do. See bug 102794. */ |
| 9502 if (kea_def->kea == kea_dhe_rsa) |
| 9503 certIndex = ssl_kea_rsa; |
| 9504 else |
| 9505 certIndex = ssl_kea_dh; |
| 9506 |
| 9507 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); |
| 9508 rv = ssl3_SignHashes(&hashes, ss->serverCerts[certIndex].SERVERKEY, |
| 9509 &signed_hash, isTLS); |
| 9510 if (rv != SECSuccess) { |
| 9511 goto loser; /* ssl3_SignHashes has set err. */ |
| 9512 } |
| 9513 if (signed_hash.data == NULL) { |
| 9514 PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); |
| 9515 goto loser; |
| 9516 } |
| 9517 length = 2 + pubKey->u.dh.prime.len + |
| 9518 2 + pubKey->u.dh.base.len + |
| 9519 2 + pubKey->u.dh.publicValue.len + |
| 9520 2 + signed_hash.len; |
| 9521 |
| 9522 if (ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2) { |
| 9523 length += 2; |
| 9524 } |
| 9525 |
| 9526 rv = ssl3_AppendHandshakeHeader(ss, server_key_exchange, length); |
| 9527 if (rv != SECSuccess) { |
| 9528 goto loser; /* err set by AppendHandshake. */ |
| 9529 } |
| 9530 |
| 9531 rv = ssl3_AppendHandshakeVariable(ss, pubKey->u.dh.prime.data, |
| 9532 pubKey->u.dh.prime.len, 2); |
| 9533 if (rv != SECSuccess) { |
| 9534 goto loser; /* err set by AppendHandshake. */ |
| 9535 } |
| 9536 |
| 9537 rv = ssl3_AppendHandshakeVariable(ss, pubKey->u.dh.base.data, |
| 9538 pubKey->u.dh.base.len, 2); |
| 9539 if (rv != SECSuccess) { |
| 9540 goto loser; /* err set by AppendHandshake. */ |
| 9541 } |
| 9542 |
| 9543 rv = ssl3_AppendHandshakeVariable(ss, pubKey->u.dh.publicValue.data, |
| 9544 pubKey->u.dh.publicValue.len, 2); |
| 9545 if (rv != SECSuccess) { |
| 9546 goto loser; /* err set by AppendHandshake. */ |
| 9547 } |
| 9548 |
| 9549 if (ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2) { |
| 9550 rv = ssl3_AppendSignatureAndHashAlgorithm(ss, &sigAndHash); |
| 9551 if (rv != SECSuccess) { |
| 9552 goto loser; /* err set by AppendHandshake. */ |
| 9553 } |
| 9554 } |
| 9555 |
| 9556 rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data, |
| 9557 signed_hash.len, 2); |
| 9558 if (rv != SECSuccess) { |
| 9559 goto loser; /* err set by AppendHandshake. */ |
| 9560 } |
| 9561 PORT_Free(signed_hash.data); |
| 9562 ss->dheKeyPair = keyPair; |
| 9563 return SECSuccess; |
| 9564 |
| 9565 loser: |
| 9566 if (signed_hash.data) |
| 9567 PORT_Free(signed_hash.data); |
| 9568 if (privKey) |
| 9569 SECKEY_DestroyPrivateKey(privKey); |
| 9570 if (pubKey) |
| 9571 SECKEY_DestroyPublicKey(pubKey); |
| 9572 return SECFailure; |
| 9573 } |
| 9574 |
| 9153 /* ssl3_PickSignatureHashAlgorithm selects a hash algorithm to use when signing | 9575 /* ssl3_PickSignatureHashAlgorithm selects a hash algorithm to use when signing |
| 9154 * elements of the handshake. (The negotiated cipher suite determines the | 9576 * elements of the handshake. (The negotiated cipher suite determines the |
| 9155 * signature algorithm.) Prior to TLS 1.2, the MD5/SHA1 combination is always | 9577 * signature algorithm.) Prior to TLS 1.2, the MD5/SHA1 combination is always |
| 9156 * used. With TLS 1.2, a client may advertise its support for signature and | 9578 * used. With TLS 1.2, a client may advertise its support for signature and |
| 9157 * hash combinations. */ | 9579 * hash combinations. */ |
| 9158 static SECStatus | 9580 static SECStatus |
| 9159 ssl3_PickSignatureHashAlgorithm(sslSocket *ss, | 9581 ssl3_PickSignatureHashAlgorithm(sslSocket *ss, |
| 9160 » » » » SSL3SignatureAndHashAlgorithm* out) | 9582 SSLSignatureAndHashAlg* out) |
| 9161 { | 9583 { |
| 9162 TLSSignatureAlgorithm sigAlg; | 9584 SSLSignType sigAlg; |
| 9585 PRUint32 policy; |
| 9163 unsigned int i, j; | 9586 unsigned int i, j; |
| 9164 /* hashPreference expresses our preferences for hash algorithms, most | |
| 9165 * preferable first. */ | |
| 9166 static const SECOidTag hashPreference[] = { | |
| 9167 SEC_OID_SHA256, | |
| 9168 SEC_OID_SHA384, | |
| 9169 SEC_OID_SHA512, | |
| 9170 SEC_OID_SHA1, | |
| 9171 }; | |
| 9172 | 9587 |
| 9173 switch (ss->ssl3.hs.kea_def->kea) { | 9588 switch (ss->ssl3.hs.kea_def->kea) { |
| 9174 case kea_rsa: | 9589 case kea_rsa: |
| 9175 case kea_rsa_export: | 9590 case kea_rsa_export: |
| 9176 case kea_rsa_export_1024: | 9591 case kea_rsa_export_1024: |
| 9177 case kea_dh_rsa: | 9592 case kea_dh_rsa: |
| 9178 case kea_dh_rsa_export: | 9593 case kea_dh_rsa_export: |
| 9179 case kea_dhe_rsa: | 9594 case kea_dhe_rsa: |
| 9180 case kea_dhe_rsa_export: | 9595 case kea_dhe_rsa_export: |
| 9181 case kea_rsa_fips: | 9596 case kea_rsa_fips: |
| 9182 case kea_ecdh_rsa: | 9597 case kea_ecdh_rsa: |
| 9183 case kea_ecdhe_rsa: | 9598 case kea_ecdhe_rsa: |
| 9184 » sigAlg = tls_sig_rsa; | 9599 sigAlg = ssl_sign_rsa; |
| 9185 » break; | 9600 break; |
| 9186 case kea_dh_dss: | 9601 case kea_dh_dss: |
| 9187 case kea_dh_dss_export: | 9602 case kea_dh_dss_export: |
| 9188 case kea_dhe_dss: | 9603 case kea_dhe_dss: |
| 9189 case kea_dhe_dss_export: | 9604 case kea_dhe_dss_export: |
| 9190 » sigAlg = tls_sig_dsa; | 9605 sigAlg = ssl_sign_dsa; |
| 9191 » break; | 9606 break; |
| 9192 case kea_ecdh_ecdsa: | 9607 case kea_ecdh_ecdsa: |
| 9193 case kea_ecdhe_ecdsa: | 9608 case kea_ecdhe_ecdsa: |
| 9194 » sigAlg = tls_sig_ecdsa; | 9609 sigAlg = ssl_sign_ecdsa; |
| 9195 » break; | 9610 break; |
| 9196 default: | 9611 default: |
| 9197 » PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); | 9612 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); |
| 9198 » return SECFailure; | 9613 return SECFailure; |
| 9199 } | 9614 } |
| 9200 out->sigAlg = sigAlg; | 9615 out->sigAlg = sigAlg; |
| 9201 | 9616 |
| 9202 if (ss->version <= SSL_LIBRARY_VERSION_TLS_1_1) { | 9617 if (ss->version <= SSL_LIBRARY_VERSION_TLS_1_1) { |
| 9203 » /* SEC_OID_UNKNOWN means the MD5/SHA1 combo hash used in TLS 1.1 and | 9618 /* SEC_OID_UNKNOWN means the MD5/SHA1 combo hash used in TLS 1.1 and |
| 9204 » * prior. */ | 9619 * prior. */ |
| 9205 » out->hashAlg = SEC_OID_UNKNOWN; | 9620 out->hashAlg = ssl_hash_none; |
| 9206 » return SECSuccess; | 9621 return SECSuccess; |
| 9207 } | 9622 } |
| 9208 | 9623 |
| 9209 if (ss->ssl3.hs.numClientSigAndHash == 0) { | 9624 if (ss->ssl3.hs.numClientSigAndHash == 0) { |
| 9210 » /* If the client didn't provide any signature_algorithms extension then | 9625 /* If the client didn't provide any signature_algorithms extension then |
| 9211 » * we can assume that they support SHA-1: | 9626 * we can assume that they support SHA-1: |
| 9212 » * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ | 9627 * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ |
| 9213 » out->hashAlg = SEC_OID_SHA1; | 9628 out->hashAlg = ssl_hash_sha1; |
| 9214 » return SECSuccess; | 9629 return SECSuccess; |
| 9215 } | 9630 } |
| 9216 | 9631 |
| 9217 for (i = 0; i < PR_ARRAY_SIZE(hashPreference); i++) { | 9632 /* Here we look for the first server preference that the client has |
| 9218 » for (j = 0; j < ss->ssl3.hs.numClientSigAndHash; j++) { | 9633 * indicated support for in their signature_algorithms extension. */ |
| 9219 » const SSL3SignatureAndHashAlgorithm* sh = | 9634 for (i = 0; i < ss->ssl3.signatureAlgorithmCount; ++i) { |
| 9220 » » &ss->ssl3.hs.clientSigAndHash[j]; | 9635 const SSLSignatureAndHashAlg *serverPref = |
| 9221 » if (sh->sigAlg == sigAlg && sh->hashAlg == hashPreference[i]) { | 9636 &ss->ssl3.signatureAlgorithms[i]; |
| 9222 » » out->hashAlg = sh->hashAlg; | 9637 » SECOidTag hashOID; |
| 9223 » » return SECSuccess; | 9638 if (serverPref->sigAlg != sigAlg) { |
| 9224 » } | 9639 continue; |
| 9640 } |
| 9641 hashOID = ssl3_TLSHashAlgorithmToOID(serverPref->hashAlg); |
| 9642 » if ((NSS_GetAlgorithmPolicy(hashOID, &policy) != SECSuccess) |
| 9643 » || !(policy & NSS_USE_ALG_IN_SSL_KX)) { |
| 9644 » /* we ignore hashes we don't support */ |
| 9645 » continue; |
| 9225 } | 9646 } |
| 9647 for (j = 0; j < ss->ssl3.hs.numClientSigAndHash; j++) { |
| 9648 const SSLSignatureAndHashAlg *clientPref = |
| 9649 &ss->ssl3.hs.clientSigAndHash[j]; |
| 9650 if (clientPref->hashAlg == serverPref->hashAlg && |
| 9651 clientPref->sigAlg == sigAlg) { |
| 9652 out->hashAlg = serverPref->hashAlg; |
| 9653 return SECSuccess; |
| 9654 } |
| 9655 } |
| 9226 } | 9656 } |
| 9227 | 9657 |
| 9228 PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM); | 9658 PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM); |
| 9229 return SECFailure; | 9659 return SECFailure; |
| 9230 } | 9660 } |
| 9231 | 9661 |
| 9232 | 9662 |
| 9233 static SECStatus | 9663 static SECStatus |
| 9234 ssl3_SendServerKeyExchange(sslSocket *ss) | 9664 ssl3_SendServerKeyExchange(sslSocket *ss) |
| 9235 { | 9665 { |
| 9236 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; | 9666 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; |
| 9237 SECStatus rv = SECFailure; | 9667 SECStatus rv = SECFailure; |
| 9238 int length; | 9668 int length; |
| 9239 PRBool isTLS; | 9669 PRBool isTLS; |
| 9240 SECItem signed_hash = {siBuffer, NULL, 0}; | 9670 SECItem signed_hash = {siBuffer, NULL, 0}; |
| 9241 SSL3Hashes hashes; | 9671 SSL3Hashes hashes; |
| 9242 SECKEYPublicKey * sdPub; /* public key for step-down */ | 9672 SECKEYPublicKey * sdPub; /* public key for step-down */ |
| 9243 SSL3SignatureAndHashAlgorithm sigAndHash; | 9673 SSLSignatureAndHashAlg sigAndHash; |
| 9244 | 9674 |
| 9245 SSL_TRC(3, ("%d: SSL3[%d]: send server_key_exchange handshake", | 9675 SSL_TRC(3, ("%d: SSL3[%d]: send server_key_exchange handshake", |
| 9246 SSL_GETPID(), ss->fd)); | 9676 SSL_GETPID(), ss->fd)); |
| 9247 | 9677 |
| 9248 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); | 9678 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
| 9249 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 9679 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| 9250 | 9680 |
| 9251 if (ssl3_PickSignatureHashAlgorithm(ss, &sigAndHash) != SECSuccess) { | 9681 if (ssl3_PickSignatureHashAlgorithm(ss, &sigAndHash) != SECSuccess) { |
| 9252 return SECFailure; | 9682 return SECFailure; |
| 9253 } | 9683 } |
| (...skipping 26 matching lines...) Expand all Loading... |
| 9280 } | 9710 } |
| 9281 if (signed_hash.data == NULL) { | 9711 if (signed_hash.data == NULL) { |
| 9282 /* how can this happen and rv == SECSuccess ?? */ | 9712 /* how can this happen and rv == SECSuccess ?? */ |
| 9283 PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); | 9713 PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); |
| 9284 goto loser; | 9714 goto loser; |
| 9285 } | 9715 } |
| 9286 length = 2 + sdPub->u.rsa.modulus.len + | 9716 length = 2 + sdPub->u.rsa.modulus.len + |
| 9287 2 + sdPub->u.rsa.publicExponent.len + | 9717 2 + sdPub->u.rsa.publicExponent.len + |
| 9288 2 + signed_hash.len; | 9718 2 + signed_hash.len; |
| 9289 | 9719 |
| 9720 if (ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2) { |
| 9721 length += 2; |
| 9722 } |
| 9723 |
| 9290 rv = ssl3_AppendHandshakeHeader(ss, server_key_exchange, length); | 9724 rv = ssl3_AppendHandshakeHeader(ss, server_key_exchange, length); |
| 9291 if (rv != SECSuccess) { | 9725 if (rv != SECSuccess) { |
| 9292 goto loser; /* err set by AppendHandshake. */ | 9726 goto loser; /* err set by AppendHandshake. */ |
| 9293 } | 9727 } |
| 9294 | 9728 |
| 9295 rv = ssl3_AppendHandshakeVariable(ss, sdPub->u.rsa.modulus.data, | 9729 rv = ssl3_AppendHandshakeVariable(ss, sdPub->u.rsa.modulus.data, |
| 9296 sdPub->u.rsa.modulus.len, 2); | 9730 sdPub->u.rsa.modulus.len, 2); |
| 9297 if (rv != SECSuccess) { | 9731 if (rv != SECSuccess) { |
| 9298 goto loser; /* err set by AppendHandshake. */ | 9732 goto loser; /* err set by AppendHandshake. */ |
| 9299 } | 9733 } |
| (...skipping 13 matching lines...) Expand all Loading... |
| 9313 } | 9747 } |
| 9314 | 9748 |
| 9315 rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data, | 9749 rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data, |
| 9316 signed_hash.len, 2); | 9750 signed_hash.len, 2); |
| 9317 if (rv != SECSuccess) { | 9751 if (rv != SECSuccess) { |
| 9318 goto loser; /* err set by AppendHandshake. */ | 9752 goto loser; /* err set by AppendHandshake. */ |
| 9319 } | 9753 } |
| 9320 PORT_Free(signed_hash.data); | 9754 PORT_Free(signed_hash.data); |
| 9321 return SECSuccess; | 9755 return SECSuccess; |
| 9322 | 9756 |
| 9757 case ssl_kea_dh: { |
| 9758 rv = ssl3_SendDHServerKeyExchange(ss); |
| 9759 return rv; |
| 9760 } |
| 9761 |
| 9323 #ifndef NSS_DISABLE_ECC | 9762 #ifndef NSS_DISABLE_ECC |
| 9324 case kt_ecdh: { | 9763 case kt_ecdh: { |
| 9325 rv = ssl3_SendECDHServerKeyExchange(ss, &sigAndHash); | 9764 rv = ssl3_SendECDHServerKeyExchange(ss, &sigAndHash); |
| 9326 return rv; | 9765 return rv; |
| 9327 } | 9766 } |
| 9328 #endif /* NSS_DISABLE_ECC */ | 9767 #endif /* NSS_DISABLE_ECC */ |
| 9329 | 9768 |
| 9330 case kt_dh: | |
| 9331 case kt_null: | 9769 case kt_null: |
| 9332 default: | 9770 default: |
| 9333 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); | 9771 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); |
| 9334 break; | 9772 break; |
| 9335 } | 9773 } |
| 9336 loser: | 9774 loser: |
| 9337 if (signed_hash.data != NULL) | 9775 if (signed_hash.data != NULL) |
| 9338 PORT_Free(signed_hash.data); | 9776 PORT_Free(signed_hash.data); |
| 9339 return SECFailure; | 9777 return SECFailure; |
| 9340 } | 9778 } |
| 9341 | 9779 |
| 9780 static SECStatus |
| 9781 ssl3_EncodeCertificateRequestSigAlgs(sslSocket *ss, PRUint8 *buf, |
| 9782 unsigned maxLen, PRUint32 *len) |
| 9783 { |
| 9784 unsigned int i; |
| 9785 |
| 9786 PORT_Assert(maxLen >= ss->ssl3.signatureAlgorithmCount * 2); |
| 9787 if (maxLen < ss->ssl3.signatureAlgorithmCount * 2) { |
| 9788 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
| 9789 return SECFailure; |
| 9790 } |
| 9791 |
| 9792 *len = 0; |
| 9793 for (i = 0; i < ss->ssl3.signatureAlgorithmCount; ++i) { |
| 9794 const SSLSignatureAndHashAlg *alg = &ss->ssl3.signatureAlgorithms[i]; |
| 9795 /* Note that we don't support a handshake hash with anything other than |
| 9796 * SHA-256, so asking for a signature from clients for something else |
| 9797 * would be inviting disaster. */ |
| 9798 if (alg->hashAlg == ssl_hash_sha256) { |
| 9799 buf[(*len)++] = (PRUint8)alg->hashAlg; |
| 9800 buf[(*len)++] = (PRUint8)alg->sigAlg; |
| 9801 } |
| 9802 } |
| 9803 |
| 9804 if (*len == 0) { |
| 9805 PORT_SetError(SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM); |
| 9806 return SECFailure; |
| 9807 } |
| 9808 return SECSuccess; |
| 9809 } |
| 9342 | 9810 |
| 9343 static SECStatus | 9811 static SECStatus |
| 9344 ssl3_SendCertificateRequest(sslSocket *ss) | 9812 ssl3_SendCertificateRequest(sslSocket *ss) |
| 9345 { | 9813 { |
| 9346 PRBool isTLS12; | 9814 PRBool isTLS12; |
| 9347 SECItem * name; | 9815 SECItem * name; |
| 9348 CERTDistNames *ca_list; | 9816 CERTDistNames *ca_list; |
| 9349 const PRUint8 *certTypes; | 9817 const PRUint8 *certTypes; |
| 9350 const PRUint8 *sigAlgs; | |
| 9351 SECItem * names = NULL; | 9818 SECItem * names = NULL; |
| 9352 SECStatus rv; | 9819 SECStatus rv; |
| 9353 int length; | 9820 int length; |
| 9354 int i; | 9821 int i; |
| 9355 int calen = 0; | 9822 int calen = 0; |
| 9356 int nnames = 0; | 9823 int nnames = 0; |
| 9357 int certTypesLength; | 9824 int certTypesLength; |
| 9358 int sigAlgsLength; | 9825 PRUint8 sigAlgs[MAX_SIGNATURE_ALGORITHMS * 2]; |
| 9826 unsigned int sigAlgsLength = 0; |
| 9359 | 9827 |
| 9360 SSL_TRC(3, ("%d: SSL3[%d]: send certificate_request handshake", | 9828 SSL_TRC(3, ("%d: SSL3[%d]: send certificate_request handshake", |
| 9361 SSL_GETPID(), ss->fd)); | 9829 SSL_GETPID(), ss->fd)); |
| 9362 | 9830 |
| 9363 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); | 9831 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
| 9364 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 9832 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| 9365 | 9833 |
| 9366 isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); | 9834 isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); |
| 9367 | 9835 |
| 9368 /* ssl3.ca_list is initialized to NULL, and never changed. */ | 9836 /* ssl3.ca_list is initialized to NULL, and never changed. */ |
| 9369 ca_list = ss->ssl3.ca_list; | 9837 ca_list = ss->ssl3.ca_list; |
| 9370 if (!ca_list) { | 9838 if (!ca_list) { |
| 9371 ca_list = ssl3_server_ca_list; | 9839 ca_list = ssl3_server_ca_list; |
| 9372 } | 9840 } |
| 9373 | 9841 |
| 9374 if (ca_list != NULL) { | 9842 if (ca_list != NULL) { |
| 9375 names = ca_list->names; | 9843 names = ca_list->names; |
| 9376 nnames = ca_list->nnames; | 9844 nnames = ca_list->nnames; |
| 9377 } | 9845 } |
| 9378 | 9846 |
| 9379 for (i = 0, name = names; i < nnames; i++, name++) { | 9847 for (i = 0, name = names; i < nnames; i++, name++) { |
| 9380 calen += 2 + name->len; | 9848 calen += 2 + name->len; |
| 9381 } | 9849 } |
| 9382 | 9850 |
| 9383 certTypes = certificate_types; | 9851 certTypes = certificate_types; |
| 9384 certTypesLength = sizeof certificate_types; | 9852 certTypesLength = sizeof certificate_types; |
| 9385 sigAlgs = supported_signature_algorithms; | |
| 9386 sigAlgsLength = sizeof supported_signature_algorithms; | |
| 9387 | 9853 |
| 9388 length = 1 + certTypesLength + 2 + calen; | 9854 length = 1 + certTypesLength + 2 + calen; |
| 9389 if (isTLS12) { | 9855 if (isTLS12) { |
| 9390 » length += 2 + sigAlgsLength; | 9856 rv = ssl3_EncodeCertificateRequestSigAlgs(ss, sigAlgs, sizeof(sigAlgs), |
| 9857 &sigAlgsLength); |
| 9858 if (rv != SECSuccess) { |
| 9859 return rv; |
| 9860 } |
| 9861 length += 2 + sigAlgsLength; |
| 9391 } | 9862 } |
| 9392 | 9863 |
| 9393 rv = ssl3_AppendHandshakeHeader(ss, certificate_request, length); | 9864 rv = ssl3_AppendHandshakeHeader(ss, certificate_request, length); |
| 9394 if (rv != SECSuccess) { | 9865 if (rv != SECSuccess) { |
| 9395 return rv; /* err set by AppendHandshake. */ | 9866 return rv; /* err set by AppendHandshake. */ |
| 9396 } | 9867 } |
| 9397 rv = ssl3_AppendHandshakeVariable(ss, certTypes, certTypesLength, 1); | 9868 rv = ssl3_AppendHandshakeVariable(ss, certTypes, certTypesLength, 1); |
| 9398 if (rv != SECSuccess) { | 9869 if (rv != SECSuccess) { |
| 9399 return rv; /* err set by AppendHandshake. */ | 9870 return rv; /* err set by AppendHandshake. */ |
| 9400 } | 9871 } |
| (...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 9446 */ | 9917 */ |
| 9447 static SECStatus | 9918 static SECStatus |
| 9448 ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length, | 9919 ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length, |
| 9449 SSL3Hashes *hashes) | 9920 SSL3Hashes *hashes) |
| 9450 { | 9921 { |
| 9451 SECItem signed_hash = {siBuffer, NULL, 0}; | 9922 SECItem signed_hash = {siBuffer, NULL, 0}; |
| 9452 SECStatus rv; | 9923 SECStatus rv; |
| 9453 int errCode = SSL_ERROR_RX_MALFORMED_CERT_VERIFY; | 9924 int errCode = SSL_ERROR_RX_MALFORMED_CERT_VERIFY; |
| 9454 SSL3AlertDescription desc = handshake_failure; | 9925 SSL3AlertDescription desc = handshake_failure; |
| 9455 PRBool isTLS, isTLS12; | 9926 PRBool isTLS, isTLS12; |
| 9456 SSL3SignatureAndHashAlgorithm sigAndHash; | 9927 SSLSignatureAndHashAlg sigAndHash; |
| 9457 | 9928 |
| 9458 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_verify handshake", | 9929 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_verify handshake", |
| 9459 SSL_GETPID(), ss->fd)); | 9930 SSL_GETPID(), ss->fd)); |
| 9460 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 9931 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
| 9461 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 9932 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
| 9462 | 9933 |
| 9463 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); | 9934 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); |
| 9464 isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); | 9935 isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); |
| 9465 | 9936 |
| 9466 if (ss->ssl3.hs.ws != wait_cert_verify) { | 9937 if (ss->ssl3.hs.ws != wait_cert_verify) { |
| 9467 desc = unexpected_message; | 9938 desc = unexpected_message; |
| 9468 errCode = SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY; | 9939 errCode = SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY; |
| 9469 goto alert_loser; | 9940 goto alert_loser; |
| 9470 } | 9941 } |
| 9471 | 9942 |
| 9943 if (!hashes) { |
| 9944 PORT_Assert(0); |
| 9945 desc = internal_error; |
| 9946 errCode = SEC_ERROR_LIBRARY_FAILURE; |
| 9947 goto alert_loser; |
| 9948 } |
| 9949 |
| 9472 if (isTLS12) { | 9950 if (isTLS12) { |
| 9473 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length, | 9951 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length, |
| 9474 &sigAndHash); | 9952 &sigAndHash); |
| 9475 if (rv != SECSuccess) { | 9953 if (rv != SECSuccess) { |
| 9476 goto loser; /* malformed or unsupported. */ | 9954 goto loser; /* malformed or unsupported. */ |
| 9477 } | 9955 } |
| 9478 rv = ssl3_CheckSignatureAndHashAlgorithmConsistency( | 9956 rv = ssl3_CheckSignatureAndHashAlgorithmConsistency( |
| 9479 » » &sigAndHash, ss->sec.peerCert); | 9957 ss, &sigAndHash, ss->sec.peerCert); |
| 9480 if (rv != SECSuccess) { | 9958 if (rv != SECSuccess) { |
| 9481 errCode = PORT_GetError(); | 9959 errCode = PORT_GetError(); |
| 9482 desc = decrypt_error; | 9960 desc = decrypt_error; |
| 9483 goto alert_loser; | 9961 goto alert_loser; |
| 9484 } | 9962 } |
| 9485 | 9963 |
| 9486 /* We only support CertificateVerify messages that use the handshake | 9964 /* We only support CertificateVerify messages that use the handshake |
| 9487 * hash. */ | 9965 * hash. */ |
| 9488 » if (sigAndHash.hashAlg != hashes->hashAlg) { | 9966 if (sigAndHash.hashAlg != hashes->hashAlg) { |
| 9489 errCode = SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM; | 9967 errCode = SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM; |
| 9490 desc = decrypt_error; | 9968 desc = decrypt_error; |
| 9491 goto alert_loser; | 9969 goto alert_loser; |
| 9492 } | 9970 } |
| 9493 } | 9971 } |
| 9494 | 9972 |
| 9495 rv = ssl3_ConsumeHandshakeVariable(ss, &signed_hash, 2, &b, &length); | 9973 rv = ssl3_ConsumeHandshakeVariable(ss, &signed_hash, 2, &b, &length); |
| 9496 if (rv != SECSuccess) { | 9974 if (rv != SECSuccess) { |
| 9497 goto loser; /* malformed. */ | 9975 goto loser; /* malformed. */ |
| 9498 } | 9976 } |
| (...skipping 110 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 9609 * the failure must occur. | 10087 * the failure must occur. |
| 9610 * | 10088 * |
| 9611 * Called from ssl3_HandleClientKeyExchange | 10089 * Called from ssl3_HandleClientKeyExchange |
| 9612 */ | 10090 */ |
| 9613 static SECStatus | 10091 static SECStatus |
| 9614 ssl3_HandleRSAClientKeyExchange(sslSocket *ss, | 10092 ssl3_HandleRSAClientKeyExchange(sslSocket *ss, |
| 9615 SSL3Opaque *b, | 10093 SSL3Opaque *b, |
| 9616 PRUint32 length, | 10094 PRUint32 length, |
| 9617 SECKEYPrivateKey *serverKey) | 10095 SECKEYPrivateKey *serverKey) |
| 9618 { | 10096 { |
| 9619 PK11SymKey * pms; | |
| 9620 #ifndef NO_PKCS11_BYPASS | 10097 #ifndef NO_PKCS11_BYPASS |
| 9621 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random; | 10098 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random; |
| 9622 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random; | 10099 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random; |
| 9623 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec; | 10100 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec; |
| 9624 unsigned int outLen = 0; | 10101 unsigned int outLen = 0; |
| 10102 PRBool isTLS = PR_FALSE; |
| 10103 SECItem pmsItem = {siBuffer, NULL, 0}; |
| 10104 unsigned char rsaPmsBuf[SSL3_RSA_PMS_LENGTH]; |
| 9625 #endif | 10105 #endif |
| 9626 PRBool isTLS = PR_FALSE; | |
| 9627 SECStatus rv; | 10106 SECStatus rv; |
| 9628 SECItem enc_pms; | 10107 SECItem enc_pms; |
| 9629 unsigned char rsaPmsBuf[SSL3_RSA_PMS_LENGTH]; | |
| 9630 SECItem pmsItem = {siBuffer, NULL, 0}; | |
| 9631 | 10108 |
| 9632 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 10109 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
| 9633 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 10110 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
| 9634 PORT_Assert( ss->ssl3.prSpec == ss->ssl3.pwSpec ); | 10111 PORT_Assert( ss->ssl3.prSpec == ss->ssl3.pwSpec ); |
| 9635 | 10112 |
| 9636 enc_pms.data = b; | 10113 enc_pms.data = b; |
| 9637 enc_pms.len = length; | 10114 enc_pms.len = length; |
| 10115 #ifndef NO_PKCS11_BYPASS |
| 9638 pmsItem.data = rsaPmsBuf; | 10116 pmsItem.data = rsaPmsBuf; |
| 9639 pmsItem.len = sizeof rsaPmsBuf; | 10117 pmsItem.len = sizeof rsaPmsBuf; |
| 10118 #endif |
| 9640 | 10119 |
| 9641 if (ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */ | 10120 if (ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */ |
| 9642 PRInt32 kLen; | 10121 PRInt32 kLen; |
| 9643 kLen = ssl3_ConsumeHandshakeNumber(ss, 2, &enc_pms.data, &enc_pms.len); | 10122 kLen = ssl3_ConsumeHandshakeNumber(ss, 2, &enc_pms.data, &enc_pms.len); |
| 9644 if (kLen < 0) { | 10123 if (kLen < 0) { |
| 9645 PORT_SetError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); | 10124 PORT_SetError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); |
| 9646 return SECFailure; | 10125 return SECFailure; |
| 9647 } | 10126 } |
| 9648 if ((unsigned)kLen < enc_pms.len) { | 10127 if ((unsigned)kLen < enc_pms.len) { |
| 9649 enc_pms.len = kLen; | 10128 enc_pms.len = kLen; |
| 9650 } | 10129 } |
| 10130 #ifndef NO_PKCS11_BYPASS |
| 9651 isTLS = PR_TRUE; | 10131 isTLS = PR_TRUE; |
| 10132 #endif |
| 9652 } else { | 10133 } else { |
| 10134 #ifndef NO_PKCS11_BYPASS |
| 9653 isTLS = (PRBool)(ss->ssl3.hs.kea_def->tls_keygen != 0); | 10135 isTLS = (PRBool)(ss->ssl3.hs.kea_def->tls_keygen != 0); |
| 10136 #endif |
| 9654 } | 10137 } |
| 9655 | 10138 |
| 9656 #ifndef NO_PKCS11_BYPASS | 10139 #ifndef NO_PKCS11_BYPASS |
| 9657 if (ss->opt.bypassPKCS11) { | 10140 if (ss->opt.bypassPKCS11) { |
| 10141 /* We have not implemented a tls_ExtendedMasterKeyDeriveBypass |
| 10142 * and will not negotiate this extension in bypass mode. This |
| 10143 * assert just double-checks that. |
| 10144 */ |
| 10145 PORT_Assert( |
| 10146 !ssl3_ExtensionNegotiated(ss, ssl_extended_master_secret_xtn)); |
| 10147 |
| 9658 /* TRIPLE BYPASS, get PMS directly from RSA decryption. | 10148 /* TRIPLE BYPASS, get PMS directly from RSA decryption. |
| 9659 * Use PK11_PrivDecryptPKCS1 to decrypt the PMS to a buffer, | 10149 * Use PK11_PrivDecryptPKCS1 to decrypt the PMS to a buffer, |
| 9660 * then, check for version rollback attack, then | 10150 * then, check for version rollback attack, then |
| 9661 * do the equivalent of ssl3_DeriveMasterSecret, placing the MS in | 10151 * do the equivalent of ssl3_DeriveMasterSecret, placing the MS in |
| 9662 * pwSpec->msItem. Finally call ssl3_InitPendingCipherSpec with | 10152 * pwSpec->msItem. Finally call ssl3_InitPendingCipherSpec with |
| 9663 * ss and NULL, so that it will use the MS we've already derived here. | 10153 * ss and NULL, so that it will use the MS we've already derived here. |
| 9664 */ | 10154 */ |
| 9665 | 10155 |
| 9666 rv = PK11_PrivDecryptPKCS1(serverKey, rsaPmsBuf, &outLen, | 10156 rv = PK11_PrivDecryptPKCS1(serverKey, rsaPmsBuf, &outLen, |
| 9667 sizeof rsaPmsBuf, enc_pms.data, enc_pms.len); | 10157 sizeof rsaPmsBuf, enc_pms.data, enc_pms.len); |
| 9668 if (rv != SECSuccess) { | 10158 if (rv != SECSuccess) { |
| 9669 /* triple bypass failed. Let's try for a double bypass. */ | 10159 /* triple bypass failed. Let's try for a double bypass. */ |
| 9670 goto double_bypass; | 10160 goto double_bypass; |
| 9671 } else if (ss->opt.detectRollBack) { | 10161 } else if (ss->opt.detectRollBack) { |
| 9672 SSL3ProtocolVersion client_version = | 10162 SSL3ProtocolVersion client_version = |
| 9673 (rsaPmsBuf[0] << 8) | rsaPmsBuf[1]; | 10163 (rsaPmsBuf[0] << 8) | rsaPmsBuf[1]; |
| 9674 | 10164 |
| 9675 if (IS_DTLS(ss)) { | 10165 if (IS_DTLS(ss)) { |
| 9676 client_version = dtls_DTLSVersionToTLSVersion(client_version); | 10166 client_version = dtls_DTLSVersionToTLSVersion(client_version); |
| 9677 } | 10167 } |
| 9678 | 10168 |
| 9679 if (client_version != ss->clientHelloVersion) { | 10169 if (client_version != ss->clientHelloVersion) { |
| 9680 /* Version roll-back detected. ensure failure. */ | 10170 /* Version roll-back detected. ensure failure. */ |
| 9681 rv = PK11_GenerateRandom(rsaPmsBuf, sizeof rsaPmsBuf); | 10171 rv = PK11_GenerateRandom(rsaPmsBuf, sizeof rsaPmsBuf); |
| 9682 } | 10172 } |
| 9683 } | 10173 } |
| 9684 /* have PMS, build MS without PKCS11 */ | 10174 /* have PMS, build MS without PKCS11 */ |
| 9685 » rv = ssl3_MasterKeyDeriveBypass(pwSpec, cr, sr, &pmsItem, isTLS, | 10175 » rv = ssl3_MasterSecretDeriveBypass(pwSpec, cr, sr, &pmsItem, isTLS, |
| 9686 » » » » » PR_TRUE); | 10176 PR_TRUE); |
| 9687 if (rv != SECSuccess) { | 10177 if (rv != SECSuccess) { |
| 9688 pwSpec->msItem.data = pwSpec->raw_master_secret; | 10178 pwSpec->msItem.data = pwSpec->raw_master_secret; |
| 9689 pwSpec->msItem.len = SSL3_MASTER_SECRET_LENGTH; | 10179 pwSpec->msItem.len = SSL3_MASTER_SECRET_LENGTH; |
| 9690 PK11_GenerateRandom(pwSpec->msItem.data, pwSpec->msItem.len); | 10180 PK11_GenerateRandom(pwSpec->msItem.data, pwSpec->msItem.len); |
| 9691 } | 10181 } |
| 9692 rv = ssl3_InitPendingCipherSpec(ss, NULL); | 10182 rv = ssl3_InitPendingCipherSpec(ss, NULL); |
| 9693 } else | 10183 } else |
| 9694 #endif | 10184 #endif |
| 9695 { | 10185 { |
| 10186 PK11SymKey *tmpPms[2] = {NULL, NULL}; |
| 10187 PK11SlotInfo *slot; |
| 10188 int useFauxPms = 0; |
| 10189 #define currentPms tmpPms[!useFauxPms] |
| 10190 #define unusedPms tmpPms[useFauxPms] |
| 10191 #define realPms tmpPms[1] |
| 10192 #define fauxPms tmpPms[0] |
| 10193 |
| 9696 #ifndef NO_PKCS11_BYPASS | 10194 #ifndef NO_PKCS11_BYPASS |
| 9697 double_bypass: | 10195 double_bypass: |
| 9698 #endif | 10196 #endif |
| 9699 /* | |
| 9700 * unwrap pms out of the incoming buffer | |
| 9701 * Note: CKM_SSL3_MASTER_KEY_DERIVE is NOT the mechanism used to do | |
| 9702 * the unwrap. Rather, it is the mechanism with which the | |
| 9703 * unwrapped pms will be used. | |
| 9704 */ | |
| 9705 pms = PK11_PubUnwrapSymKey(serverKey, &enc_pms, | |
| 9706 CKM_SSL3_MASTER_KEY_DERIVE, CKA_DERIVE, 0); | |
| 9707 if (pms != NULL) { | |
| 9708 PRINT_BUF(60, (ss, "decrypted premaster secret:", | |
| 9709 PK11_GetKeyData(pms)->data, | |
| 9710 PK11_GetKeyData(pms)->len)); | |
| 9711 } else { | |
| 9712 /* unwrap failed. Generate a bogus PMS and carry on. */ | |
| 9713 PK11SlotInfo * slot = PK11_GetSlotFromPrivateKey(serverKey); | |
| 9714 | 10197 |
| 9715 » ssl_GetSpecWriteLock(ss); | 10198 /* |
| 9716 » pms = ssl3_GenerateRSAPMS(ss, ss->ssl3.prSpec, slot); | 10199 * Get as close to algorithm 2 from RFC 5246; Section 7.4.7.1 |
| 9717 » ssl_ReleaseSpecWriteLock(ss); | 10200 * as we can within the constraints of the PKCS#11 interface. |
| 9718 » PK11_FreeSlot(slot); | 10201 * |
| 9719 » } | 10202 * 1. Unconditionally generate a bogus PMS (what RFC 5246 |
| 10203 * calls R). |
| 10204 * 2. Attempt the RSA decryption to recover the PMS (what |
| 10205 * RFC 5246 calls M). |
| 10206 * 3. Set PMS = (M == NULL) ? R : M |
| 10207 * 4. Use ssl3_ComputeMasterSecret(PMS) to attempt to derive |
| 10208 * the MS from PMS. This includes performing the version |
| 10209 * check and length check. |
| 10210 * 5. If either the initial RSA decryption failed or |
| 10211 * ssl3_ComputeMasterSecret(PMS) failed, then discard |
| 10212 * M and set PMS = R. Else, discard R and set PMS = M. |
| 10213 * |
| 10214 * We do two derivations here because we can't rely on having |
| 10215 * a function that only performs the PMS version and length |
| 10216 * check. The only redundant cost is that this runs the PRF, |
| 10217 * which isn't necessary here. |
| 10218 */ |
| 9720 | 10219 |
| 9721 » if (pms == NULL) { | 10220 /* Generate the bogus PMS (R) */ |
| 9722 » /* last gasp. */ | 10221 slot = PK11_GetSlotFromPrivateKey(serverKey); |
| 10222 if (!slot) { |
| 10223 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
| 10224 return SECFailure; |
| 10225 } |
| 10226 |
| 10227 if (!PK11_DoesMechanism(slot, CKM_SSL3_MASTER_KEY_DERIVE)) { |
| 10228 PK11_FreeSlot(slot); |
| 10229 slot = PK11_GetBestSlot(CKM_SSL3_MASTER_KEY_DERIVE, NULL); |
| 10230 if (!slot) { |
| 10231 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
| 10232 return SECFailure; |
| 10233 } |
| 10234 } |
| 10235 |
| 10236 ssl_GetSpecWriteLock(ss); |
| 10237 fauxPms = ssl3_GenerateRSAPMS(ss, ss->ssl3.prSpec, slot); |
| 10238 ssl_ReleaseSpecWriteLock(ss); |
| 10239 PK11_FreeSlot(slot); |
| 10240 |
| 10241 if (fauxPms == NULL) { |
| 9723 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); | 10242 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); |
| 9724 return SECFailure; | 10243 return SECFailure; |
| 9725 } | 10244 } |
| 9726 | 10245 |
| 10246 /* |
| 10247 * unwrap pms out of the incoming buffer |
| 10248 * Note: CKM_SSL3_MASTER_KEY_DERIVE is NOT the mechanism used to do |
| 10249 * the unwrap. Rather, it is the mechanism with which the |
| 10250 * unwrapped pms will be used. |
| 10251 */ |
| 10252 realPms = PK11_PubUnwrapSymKey(serverKey, &enc_pms, |
| 10253 CKM_SSL3_MASTER_KEY_DERIVE, CKA_DERIVE
, 0); |
| 10254 /* Temporarily use the PMS if unwrapping the real PMS fails. */ |
| 10255 useFauxPms |= (realPms == NULL); |
| 10256 |
| 10257 /* Attempt to derive the MS from the PMS. This is the only way to |
| 10258 * check the version field in the RSA PMS. If this fails, we |
| 10259 * then use the faux PMS in place of the PMS. Note that this |
| 10260 * operation should never fail if we are using the faux PMS |
| 10261 * since it is correctly formatted. */ |
| 10262 rv = ssl3_ComputeMasterSecret(ss, currentPms, NULL); |
| 10263 |
| 10264 /* If we succeeded, then select the true PMS and discard the |
| 10265 * FPMS. Else, select the FPMS and select the true PMS */ |
| 10266 useFauxPms |= (rv != SECSuccess); |
| 10267 |
| 10268 if (unusedPms) { |
| 10269 PK11_FreeSymKey(unusedPms); |
| 10270 } |
| 10271 |
| 9727 /* This step will derive the MS from the PMS, among other things. */ | 10272 /* This step will derive the MS from the PMS, among other things. */ |
| 9728 » rv = ssl3_InitPendingCipherSpec(ss, pms); | 10273 rv = ssl3_InitPendingCipherSpec(ss, currentPms); |
| 9729 » PK11_FreeSymKey(pms); | 10274 PK11_FreeSymKey(currentPms); |
| 9730 } | 10275 } |
| 9731 | 10276 |
| 9732 if (rv != SECSuccess) { | 10277 if (rv != SECSuccess) { |
| 9733 SEND_ALERT | 10278 SEND_ALERT |
| 9734 return SECFailure; /* error code set by ssl3_InitPendingCipherSpec */ | 10279 return SECFailure; /* error code set by ssl3_InitPendingCipherSpec */ |
| 9735 } | 10280 } |
| 10281 |
| 10282 #undef currentPms |
| 10283 #undef unusedPms |
| 10284 #undef realPms |
| 10285 #undef fauxPms |
| 10286 |
| 9736 return SECSuccess; | 10287 return SECSuccess; |
| 9737 } | 10288 } |
| 9738 | 10289 |
| 10290 static SECStatus |
| 10291 ssl3_HandleDHClientKeyExchange(sslSocket *ss, |
| 10292 SSL3Opaque *b, |
| 10293 PRUint32 length, |
| 10294 SECKEYPublicKey *srvrPubKey, |
| 10295 SECKEYPrivateKey *serverKey) |
| 10296 { |
| 10297 PK11SymKey *pms; |
| 10298 SECStatus rv; |
| 10299 SECKEYPublicKey clntPubKey; |
| 10300 CK_MECHANISM_TYPE target; |
| 10301 PRBool isTLS; |
| 10302 |
| 10303 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
| 10304 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
| 10305 PORT_Assert( srvrPubKey ); |
| 10306 |
| 10307 clntPubKey.keyType = dhKey; |
| 10308 clntPubKey.u.dh.prime.len = srvrPubKey->u.dh.prime.len; |
| 10309 clntPubKey.u.dh.prime.data = srvrPubKey->u.dh.prime.data; |
| 10310 clntPubKey.u.dh.base.len = srvrPubKey->u.dh.base.len; |
| 10311 clntPubKey.u.dh.base.data = srvrPubKey->u.dh.base.data; |
| 10312 |
| 10313 rv = ssl3_ConsumeHandshakeVariable(ss, &clntPubKey.u.dh.publicValue, |
| 10314 2, &b, &length); |
| 10315 if (rv != SECSuccess) { |
| 10316 goto loser; |
| 10317 } |
| 10318 |
| 10319 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); |
| 10320 |
| 10321 if (isTLS) target = CKM_TLS_MASTER_KEY_DERIVE_DH; |
| 10322 else target = CKM_SSL3_MASTER_KEY_DERIVE_DH; |
| 10323 |
| 10324 /* Determine the PMS */ |
| 10325 pms = PK11_PubDerive(serverKey, &clntPubKey, PR_FALSE, NULL, NULL, |
| 10326 CKM_DH_PKCS_DERIVE, target, CKA_DERIVE, 0, NULL); |
| 10327 if (pms == NULL) { |
| 10328 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); |
| 10329 goto loser; |
| 10330 } |
| 10331 |
| 10332 rv = ssl3_InitPendingCipherSpec(ss, pms); |
| 10333 PK11_FreeSymKey(pms); pms = NULL; |
| 10334 |
| 10335 loser: |
| 10336 if (ss->dheKeyPair) { |
| 10337 ssl3_FreeKeyPair(ss->dheKeyPair); |
| 10338 ss->dheKeyPair = NULL; |
| 10339 } |
| 10340 return rv; |
| 10341 } |
| 10342 |
| 9739 | 10343 |
| 9740 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete | 10344 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete |
| 9741 * ssl3 ClientKeyExchange message from the remote client | 10345 * ssl3 ClientKeyExchange message from the remote client |
| 9742 * Caller must hold Handshake and RecvBuf locks. | 10346 * Caller must hold Handshake and RecvBuf locks. |
| 9743 */ | 10347 */ |
| 9744 static SECStatus | 10348 static SECStatus |
| 9745 ssl3_HandleClientKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length) | 10349 ssl3_HandleClientKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
| 9746 { | 10350 { |
| 9747 SECKEYPrivateKey *serverKey = NULL; | 10351 SECKEYPrivateKey *serverKey = NULL; |
| 9748 SECStatus rv; | 10352 SECStatus rv; |
| 9749 const ssl3KEADef *kea_def; | 10353 const ssl3KEADef *kea_def; |
| 9750 ssl3KeyPair *serverKeyPair = NULL; | 10354 ssl3KeyPair *serverKeyPair = NULL; |
| 9751 #ifndef NSS_DISABLE_ECC | |
| 9752 SECKEYPublicKey *serverPubKey = NULL; | 10355 SECKEYPublicKey *serverPubKey = NULL; |
| 9753 #endif /* NSS_DISABLE_ECC */ | |
| 9754 | 10356 |
| 9755 SSL_TRC(3, ("%d: SSL3[%d]: handle client_key_exchange handshake", | 10357 SSL_TRC(3, ("%d: SSL3[%d]: handle client_key_exchange handshake", |
| 9756 SSL_GETPID(), ss->fd)); | 10358 SSL_GETPID(), ss->fd)); |
| 9757 | 10359 |
| 9758 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 10360 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
| 9759 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 10361 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
| 9760 | 10362 |
| 9761 if (ss->ssl3.hs.ws != wait_client_key) { | 10363 if (ss->ssl3.hs.ws != wait_client_key) { |
| 9762 SSL3_SendAlert(ss, alert_fatal, unexpected_message); | 10364 SSL3_SendAlert(ss, alert_fatal, unexpected_message); |
| 9763 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH); | 10365 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH); |
| 9764 return SECFailure; | 10366 return SECFailure; |
| 9765 } | 10367 } |
| 9766 | 10368 |
| 9767 kea_def = ss->ssl3.hs.kea_def; | 10369 kea_def = ss->ssl3.hs.kea_def; |
| 9768 | 10370 |
| 9769 if (ss->ssl3.hs.usedStepDownKey) { | 10371 if (ss->ssl3.hs.usedStepDownKey) { |
| 9770 PORT_Assert(kea_def->is_limited /* XXX OR cert is signing only */ | 10372 PORT_Assert(kea_def->is_limited /* XXX OR cert is signing only */ |
| 9771 && kea_def->exchKeyType == kt_rsa | 10373 && kea_def->exchKeyType == kt_rsa |
| 9772 && ss->stepDownKeyPair != NULL); | 10374 && ss->stepDownKeyPair != NULL); |
| 9773 if (!kea_def->is_limited || | 10375 if (!kea_def->is_limited || |
| 9774 kea_def->exchKeyType != kt_rsa || | 10376 kea_def->exchKeyType != kt_rsa || |
| 9775 ss->stepDownKeyPair == NULL) { | 10377 ss->stepDownKeyPair == NULL) { |
| 9776 /* shouldn't happen, don't use step down if it does */ | 10378 /* shouldn't happen, don't use step down if it does */ |
| 9777 goto skip; | 10379 goto skip; |
| 9778 } | 10380 } |
| 9779 serverKeyPair = ss->stepDownKeyPair; | 10381 serverKeyPair = ss->stepDownKeyPair; |
| 9780 ss->sec.keaKeyBits = EXPORT_RSA_KEY_LENGTH * BPB; | 10382 ss->sec.keaKeyBits = EXPORT_RSA_KEY_LENGTH * BPB; |
| 9781 } else | 10383 } else |
| 9782 skip: | 10384 skip: |
| 10385 if (kea_def->kea == kea_dhe_dss || |
| 10386 kea_def->kea == kea_dhe_rsa) { |
| 10387 if (ss->dheKeyPair) { |
| 10388 serverKeyPair = ss->dheKeyPair; |
| 10389 if (serverKeyPair->pubKey) { |
| 10390 ss->sec.keaKeyBits = |
| 10391 SECKEY_PublicKeyStrengthInBits(serverKeyPair->pubKey); |
| 10392 } |
| 10393 } |
| 10394 } else |
| 9783 #ifndef NSS_DISABLE_ECC | 10395 #ifndef NSS_DISABLE_ECC |
| 9784 /* XXX Using SSLKEAType to index server certifiates | 10396 /* XXX Using SSLKEAType to index server certifiates |
| 9785 * does not work for (EC)DHE ciphers. Until we have | 10397 * does not work for (EC)DHE ciphers. Until we have |
| 9786 * an indexing mechanism general enough for all key | 10398 * an indexing mechanism general enough for all key |
| 9787 * exchange algorithms, we'll need to deal with each | 10399 * exchange algorithms, we'll need to deal with each |
| 9788 * one seprately. | 10400 * one seprately. |
| 9789 */ | 10401 */ |
| 9790 if ((kea_def->kea == kea_ecdhe_rsa) || | 10402 if ((kea_def->kea == kea_ecdhe_rsa) || |
| 9791 (kea_def->kea == kea_ecdhe_ecdsa)) { | 10403 (kea_def->kea == kea_ecdhe_ecdsa)) { |
| 9792 if (ss->ephemeralECDHKeyPair != NULL) { | 10404 if (ss->ephemeralECDHKeyPair != NULL) { |
| (...skipping 25 matching lines...) Expand all Loading... |
| 9818 | 10430 |
| 9819 switch (kea_def->exchKeyType) { | 10431 switch (kea_def->exchKeyType) { |
| 9820 case kt_rsa: | 10432 case kt_rsa: |
| 9821 rv = ssl3_HandleRSAClientKeyExchange(ss, b, length, serverKey); | 10433 rv = ssl3_HandleRSAClientKeyExchange(ss, b, length, serverKey); |
| 9822 if (rv != SECSuccess) { | 10434 if (rv != SECSuccess) { |
| 9823 SEND_ALERT | 10435 SEND_ALERT |
| 9824 return SECFailure; /* error code set */ | 10436 return SECFailure; /* error code set */ |
| 9825 } | 10437 } |
| 9826 break; | 10438 break; |
| 9827 | 10439 |
| 10440 case ssl_kea_dh: |
| 10441 if (ss->dheKeyPair && ss->dheKeyPair->pubKey) { |
| 10442 serverPubKey = ss->dheKeyPair->pubKey; |
| 10443 } |
| 10444 if (!serverPubKey) { |
| 10445 PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); |
| 10446 return SECFailure; |
| 10447 } |
| 10448 rv = ssl3_HandleDHClientKeyExchange(ss, b, length, |
| 10449 serverPubKey, serverKey); |
| 10450 if (rv != SECSuccess) { |
| 10451 SSL3_SendAlert(ss, alert_fatal, handshake_failure); |
| 10452 return SECFailure; /* error code set */ |
| 10453 } |
| 10454 break; |
| 9828 | 10455 |
| 9829 #ifndef NSS_DISABLE_ECC | 10456 #ifndef NSS_DISABLE_ECC |
| 9830 case kt_ecdh: | 10457 case kt_ecdh: |
| 9831 /* XXX We really ought to be able to store multiple | 10458 /* XXX We really ought to be able to store multiple |
| 9832 * EC certs (a requirement if we wish to support both | 10459 * EC certs (a requirement if we wish to support both |
| 9833 * ECDH-RSA and ECDH-ECDSA key exchanges concurrently). | 10460 * ECDH-RSA and ECDH-ECDSA key exchanges concurrently). |
| 9834 * When we make that change, we'll need an index other | 10461 * When we make that change, we'll need an index other |
| 9835 * than kt_ecdh to pick the right EC certificate. | 10462 * than kt_ecdh to pick the right EC certificate. |
| 9836 */ | 10463 */ |
| 9837 if (serverKeyPair) { | 10464 if (serverKeyPair) { |
| (...skipping 609 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 10447 | 11074 |
| 10448 static SECStatus | 11075 static SECStatus |
| 10449 ssl3_AuthCertificate(sslSocket *ss) | 11076 ssl3_AuthCertificate(sslSocket *ss) |
| 10450 { | 11077 { |
| 10451 SECStatus rv; | 11078 SECStatus rv; |
| 10452 PRBool isServer = (PRBool)(!!ss->sec.isServer); | 11079 PRBool isServer = (PRBool)(!!ss->sec.isServer); |
| 10453 int errCode; | 11080 int errCode; |
| 10454 | 11081 |
| 10455 ss->ssl3.hs.authCertificatePending = PR_FALSE; | 11082 ss->ssl3.hs.authCertificatePending = PR_FALSE; |
| 10456 | 11083 |
| 11084 PORT_Assert((ss->ssl3.hs.preliminaryInfo & ssl_preinfo_all) == |
| 11085 ssl_preinfo_all); |
| 10457 /* | 11086 /* |
| 10458 * Ask caller-supplied callback function to validate cert chain. | 11087 * Ask caller-supplied callback function to validate cert chain. |
| 10459 */ | 11088 */ |
| 10460 rv = (SECStatus)(*ss->authCertificate)(ss->authCertificateArg, ss->fd, | 11089 rv = (SECStatus)(*ss->authCertificate)(ss->authCertificateArg, ss->fd, |
| 10461 PR_TRUE, isServer); | 11090 PR_TRUE, isServer); |
| 10462 if (rv) { | 11091 if (rv) { |
| 10463 errCode = PORT_GetError(); | 11092 errCode = PORT_GetError(); |
| 10464 if (rv != SECWouldBlock) { | 11093 if (rv != SECWouldBlock) { |
| 10465 if (ss->handleBadCert) { | 11094 if (ss->handleBadCert) { |
| 10466 rv = (*ss->handleBadCert)(ss->badCertArg, ss->fd); | 11095 rv = (*ss->handleBadCert)(ss->badCertArg, ss->fd); |
| (...skipping 24 matching lines...) Expand all Loading... |
| 10491 CERTCertificate *cert = ss->sec.peerCert; | 11120 CERTCertificate *cert = ss->sec.peerCert; |
| 10492 | 11121 |
| 10493 /* set the server authentication and key exchange types and sizes | 11122 /* set the server authentication and key exchange types and sizes |
| 10494 ** from the value in the cert. If the key exchange key is different, | 11123 ** from the value in the cert. If the key exchange key is different, |
| 10495 ** it will get fixed when we handle the server key exchange message. | 11124 ** it will get fixed when we handle the server key exchange message. |
| 10496 */ | 11125 */ |
| 10497 SECKEYPublicKey * pubKey = CERT_ExtractPublicKey(cert); | 11126 SECKEYPublicKey * pubKey = CERT_ExtractPublicKey(cert); |
| 10498 ss->sec.authAlgorithm = ss->ssl3.hs.kea_def->signKeyType; | 11127 ss->sec.authAlgorithm = ss->ssl3.hs.kea_def->signKeyType; |
| 10499 ss->sec.keaType = ss->ssl3.hs.kea_def->exchKeyType; | 11128 ss->sec.keaType = ss->ssl3.hs.kea_def->exchKeyType; |
| 10500 if (pubKey) { | 11129 if (pubKey) { |
| 11130 KeyType pubKeyType; |
| 11131 PRInt32 minKey; |
| 10501 ss->sec.keaKeyBits = ss->sec.authKeyBits = | 11132 ss->sec.keaKeyBits = ss->sec.authKeyBits = |
| 10502 SECKEY_PublicKeyStrengthInBits(pubKey); | 11133 SECKEY_PublicKeyStrengthInBits(pubKey); |
| 10503 #ifndef NSS_DISABLE_ECC | 11134 pubKeyType = SECKEY_GetPublicKeyType(pubKey); |
| 10504 » if (ss->sec.keaType == kt_ecdh) { | 11135 » minKey = ss->sec.authKeyBits; |
| 10505 » » /* Get authKeyBits from signing key. | 11136 » switch (pubKeyType) { |
| 10506 » » * XXX The code below uses a quick approximation of | 11137 » case rsaKey: |
| 10507 » » * key size based on cert->signatureWrap.signature.data | 11138 » case rsaPssKey: |
| 10508 » » * (which contains the DER encoded signature). The field | 11139 » case rsaOaepKey: |
| 10509 » » * cert->signatureWrap.signature.len contains the | 11140 » » rv = NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &minKey); |
| 10510 » » * length of the encoded signature in bits. | 11141 » » if (rv != SECSuccess) { |
| 10511 » » */ | 11142 » » minKey = SSL_RSA_MIN_MODULUS_BITS; |
| 10512 » » if (ss->ssl3.hs.kea_def->kea == kea_ecdh_ecdsa) { | |
| 10513 » » ss->sec.authKeyBits = | |
| 10514 » » » cert->signatureWrap.signature.data[3]*8; | |
| 10515 » » if (cert->signatureWrap.signature.data[4] == 0x00) | |
| 10516 » » » ss->sec.authKeyBits -= 8; | |
| 10517 » » /* | |
| 10518 » » * XXX: if cert is not signed by ecdsa we should | |
| 10519 » » * destroy pubKey and goto bad_cert | |
| 10520 » » */ | |
| 10521 » » } else if (ss->ssl3.hs.kea_def->kea == kea_ecdh_rsa) { | |
| 10522 » » ss->sec.authKeyBits = cert->signatureWrap.signature.len; | |
| 10523 » » /* | |
| 10524 » » * XXX: if cert is not signed by rsa we should | |
| 10525 » » * destroy pubKey and goto bad_cert | |
| 10526 » » */ | |
| 10527 } | 11143 } |
| 11144 break; |
| 11145 case dsaKey: |
| 11146 rv = NSS_OptionGet(NSS_DSA_MIN_KEY_SIZE, &minKey); |
| 11147 if (rv != SECSuccess) { |
| 11148 minKey = SSL_DSA_MIN_P_BITS; |
| 11149 } |
| 11150 break; |
| 11151 case dhKey: |
| 11152 rv = NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minKey); |
| 11153 if (rv != SECSuccess) { |
| 11154 minKey = SSL_DH_MIN_P_BITS; |
| 11155 } |
| 11156 break; |
| 11157 default: |
| 11158 break; |
| 10528 } | 11159 } |
| 10529 #endif /* NSS_DISABLE_ECC */ | 11160 |
| 11161 /* Too small: not good enough. Send a fatal alert. */ |
| 11162 /* We aren't checking EC here on the understanding that we only |
| 11163 * support curves we like, a decision that might need revisiting. */ |
| 11164 if ( ss->sec.authKeyBits < minKey) { |
| 11165 PORT_SetError(SSL_ERROR_WEAK_SERVER_CERT_KEY); |
| 11166 (void)SSL3_SendAlert(ss, alert_fatal, |
| 11167 ss->version >= SSL_LIBRARY_VERSION_TLS_1_0 |
| 11168 ? insufficient_security |
| 11169 : illegal_parameter); |
| 11170 SECKEY_DestroyPublicKey(pubKey); |
| 11171 return SECFailure; |
| 11172 } |
| 10530 SECKEY_DestroyPublicKey(pubKey); | 11173 SECKEY_DestroyPublicKey(pubKey); |
| 10531 pubKey = NULL; | 11174 pubKey = NULL; |
| 10532 } | 11175 } |
| 10533 | 11176 |
| 10534 if (ss->ssl3.hs.kea_def->ephemeral) { | 11177 /* Ephemeral suites require ServerKeyExchange. Export cipher suites |
| 11178 * with RSA key exchange also require ServerKeyExchange if the |
| 11179 * authentication key exceeds the key size limit. */ |
| 11180 if (ss->ssl3.hs.kea_def->ephemeral || |
| 11181 (ss->ssl3.hs.kea_def->is_limited && |
| 11182 ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_rsa && |
| 11183 ss->sec.authKeyBits > ss->ssl3.hs.kea_def->key_size_limit)) { |
| 10535 ss->ssl3.hs.ws = wait_server_key; /* require server_key_exchange */ | 11184 ss->ssl3.hs.ws = wait_server_key; /* require server_key_exchange */ |
| 10536 } else { | 11185 } else { |
| 10537 ss->ssl3.hs.ws = wait_cert_request; /* disallow server_key_exchange
*/ | 11186 ss->ssl3.hs.ws = wait_cert_request; /* disallow server_key_exchange
*/ |
| 10538 } | 11187 } |
| 10539 } else { | 11188 } else { |
| 10540 ss->ssl3.hs.ws = wait_client_key; | 11189 ss->ssl3.hs.ws = wait_client_key; |
| 10541 } | 11190 } |
| 10542 | 11191 |
| 10543 PORT_Assert(rv == SECSuccess); | 11192 PORT_Assert(rv == SECSuccess); |
| 10544 if (rv != SECSuccess) { | 11193 if (rv != SECSuccess) { |
| (...skipping 91 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 10636 | 11285 |
| 10637 return rv; | 11286 return rv; |
| 10638 } | 11287 } |
| 10639 | 11288 |
| 10640 static SECStatus | 11289 static SECStatus |
| 10641 ssl3_ComputeTLSFinished(ssl3CipherSpec *spec, | 11290 ssl3_ComputeTLSFinished(ssl3CipherSpec *spec, |
| 10642 PRBool isServer, | 11291 PRBool isServer, |
| 10643 const SSL3Hashes * hashes, | 11292 const SSL3Hashes * hashes, |
| 10644 TLSFinished * tlsFinished) | 11293 TLSFinished * tlsFinished) |
| 10645 { | 11294 { |
| 10646 const char * label; | 11295 SECStatus rv; |
| 10647 unsigned int len; | 11296 CK_TLS_MAC_PARAMS tls_mac_params; |
| 10648 SECStatus rv; | 11297 SECItem param = {siBuffer, NULL, 0}; |
| 11298 PK11Context *prf_context; |
| 11299 unsigned int retLen; |
| 10649 | 11300 |
| 10650 label = isServer ? "server finished" : "client finished"; | 11301 if (!spec->master_secret || spec->bypassCiphers) { |
| 10651 len = 15; | 11302 » const char *label = isServer ? "server finished" : "client finished"; |
| 11303 » unsigned int len = 15; |
| 10652 | 11304 |
| 10653 rv = ssl3_TLSPRFWithMasterSecret(spec, label, len, hashes->u.raw, | 11305 » return ssl3_TLSPRFWithMasterSecret(spec, label, len, hashes->u.raw, |
| 10654 » hashes->len, tlsFinished->verify_data, | 11306 » hashes->len, tlsFinished->verify_data, |
| 10655 » sizeof tlsFinished->verify_data); | 11307 » sizeof tlsFinished->verify_data); |
| 11308 } |
| 11309 |
| 11310 if (spec->version < SSL_LIBRARY_VERSION_TLS_1_2) { |
| 11311 » tls_mac_params.prfMechanism = CKM_TLS_PRF; |
| 11312 } else { |
| 11313 » tls_mac_params.prfMechanism = CKM_SHA256; |
| 11314 } |
| 11315 tls_mac_params.ulMacLength = 12; |
| 11316 tls_mac_params.ulServerOrClient = isServer ? 1 : 2; |
| 11317 param.data = (unsigned char *)&tls_mac_params; |
| 11318 param.len = sizeof(tls_mac_params); |
| 11319 prf_context = PK11_CreateContextBySymKey(CKM_TLS_MAC, CKA_SIGN, |
| 11320 » » » » » spec->master_secret, ¶m); |
| 11321 if (!prf_context) |
| 11322 » return SECFailure; |
| 11323 |
| 11324 rv = PK11_DigestBegin(prf_context); |
| 11325 rv |= PK11_DigestOp(prf_context, hashes->u.raw, hashes->len); |
| 11326 rv |= PK11_DigestFinal(prf_context, tlsFinished->verify_data, &retLen, |
| 11327 » » » sizeof tlsFinished->verify_data); |
| 11328 PORT_Assert(rv != SECSuccess || retLen == sizeof tlsFinished->verify_data); |
| 11329 |
| 11330 PK11_DestroyContext(prf_context, PR_TRUE); |
| 10656 | 11331 |
| 10657 return rv; | 11332 return rv; |
| 10658 } | 11333 } |
| 10659 | 11334 |
| 10660 /* The calling function must acquire and release the appropriate | 11335 /* The calling function must acquire and release the appropriate |
| 10661 * lock (e.g., ssl_GetSpecReadLock / ssl_ReleaseSpecReadLock for | 11336 * lock (e.g., ssl_GetSpecReadLock / ssl_ReleaseSpecReadLock for |
| 10662 * ss->ssl3.crSpec). | 11337 * ss->ssl3.crSpec). |
| 10663 */ | 11338 */ |
| 10664 SECStatus | 11339 SECStatus |
| 10665 ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec, const char *label, | 11340 ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec, const char *label, |
| (...skipping 497 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 11163 | 11838 |
| 11164 SSL_TRC(3, ("%d: SSL3[%d]: handle finished handshake", | 11839 SSL_TRC(3, ("%d: SSL3[%d]: handle finished handshake", |
| 11165 SSL_GETPID(), ss->fd)); | 11840 SSL_GETPID(), ss->fd)); |
| 11166 | 11841 |
| 11167 if (ss->ssl3.hs.ws != wait_finished) { | 11842 if (ss->ssl3.hs.ws != wait_finished) { |
| 11168 SSL3_SendAlert(ss, alert_fatal, unexpected_message); | 11843 SSL3_SendAlert(ss, alert_fatal, unexpected_message); |
| 11169 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_FINISHED); | 11844 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_FINISHED); |
| 11170 return SECFailure; | 11845 return SECFailure; |
| 11171 } | 11846 } |
| 11172 | 11847 |
| 11848 if (!hashes) { |
| 11849 PORT_Assert(0); |
| 11850 SSL3_SendAlert(ss, alert_fatal, internal_error); |
| 11851 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
| 11852 return SECFailure; |
| 11853 } |
| 11854 |
| 11173 isTLS = (PRBool)(ss->ssl3.crSpec->version > SSL_LIBRARY_VERSION_3_0); | 11855 isTLS = (PRBool)(ss->ssl3.crSpec->version > SSL_LIBRARY_VERSION_3_0); |
| 11174 if (isTLS) { | 11856 if (isTLS) { |
| 11175 TLSFinished tlsFinished; | 11857 TLSFinished tlsFinished; |
| 11176 | 11858 |
| 11177 if (length != sizeof tlsFinished) { | 11859 if (length != sizeof tlsFinished) { |
| 11178 (void)SSL3_SendAlert(ss, alert_fatal, decode_error); | 11860 (void)SSL3_SendAlert(ss, alert_fatal, decode_error); |
| 11179 PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED); | 11861 PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED); |
| 11180 return SECFailure; | 11862 return SECFailure; |
| 11181 } | 11863 } |
| 11182 rv = ssl3_ComputeTLSFinished(ss->ssl3.crSpec, !isServer, | 11864 rv = ssl3_ComputeTLSFinished(ss->ssl3.crSpec, !isServer, |
| (...skipping 35 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 11218 (!isServer && ss->ssl3.hs.isResuming)) { | 11900 (!isServer && ss->ssl3.hs.isResuming)) { |
| 11219 PRInt32 flags = 0; | 11901 PRInt32 flags = 0; |
| 11220 | 11902 |
| 11221 /* Send a NewSessionTicket message if the client sent us | 11903 /* Send a NewSessionTicket message if the client sent us |
| 11222 * either an empty session ticket, or one that did not verify. | 11904 * either an empty session ticket, or one that did not verify. |
| 11223 * (Note that if either of these conditions was met, then the | 11905 * (Note that if either of these conditions was met, then the |
| 11224 * server has sent a SessionTicket extension in the | 11906 * server has sent a SessionTicket extension in the |
| 11225 * ServerHello message.) | 11907 * ServerHello message.) |
| 11226 */ | 11908 */ |
| 11227 if (isServer && !ss->ssl3.hs.isResuming && | 11909 if (isServer && !ss->ssl3.hs.isResuming && |
| 11228 » ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn)) { | 11910 » ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn) && |
| 11911 » ssl3_KEAAllowsSessionTicket(ss->ssl3.hs.suite_def->key_exchange_alg)
) { |
| 11229 /* RFC 5077 Section 3.3: "In the case of a full handshake, the | 11912 /* RFC 5077 Section 3.3: "In the case of a full handshake, the |
| 11230 * server MUST verify the client's Finished message before sending | 11913 * server MUST verify the client's Finished message before sending |
| 11231 * the ticket." Presumably, this also means that the client's | 11914 * the ticket." Presumably, this also means that the client's |
| 11232 * certificate, if any, must be verified beforehand too. | 11915 * certificate, if any, must be verified beforehand too. |
| 11233 */ | 11916 */ |
| 11234 rv = ssl3_SendNewSessionTicket(ss); | 11917 rv = ssl3_SendNewSessionTicket(ss); |
| 11235 if (rv != SECSuccess) { | 11918 if (rv != SECSuccess) { |
| 11236 goto xmit_loser; | 11919 goto xmit_loser; |
| 11237 } | 11920 } |
| 11238 } | 11921 } |
| (...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 11271 goto xmit_loser; /* err is set. */ | 11954 goto xmit_loser; /* err is set. */ |
| 11272 } | 11955 } |
| 11273 } | 11956 } |
| 11274 | 11957 |
| 11275 xmit_loser: | 11958 xmit_loser: |
| 11276 ssl_ReleaseXmitBufLock(ss); /*************************************/ | 11959 ssl_ReleaseXmitBufLock(ss); /*************************************/ |
| 11277 if (rv != SECSuccess) { | 11960 if (rv != SECSuccess) { |
| 11278 return rv; | 11961 return rv; |
| 11279 } | 11962 } |
| 11280 | 11963 |
| 11281 if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) { | 11964 if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa || |
| 11965 ss->ssl3.hs.kea_def->kea == kea_dhe_rsa) { |
| 11282 effectiveExchKeyType = kt_rsa; | 11966 effectiveExchKeyType = kt_rsa; |
| 11283 } else { | 11967 } else { |
| 11284 effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType; | 11968 effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType; |
| 11285 } | 11969 } |
| 11286 | 11970 |
| 11287 if (sid->cached == never_cached && !ss->opt.noCache && ss->sec.cache) { | 11971 if (sid->cached == never_cached && !ss->opt.noCache && ss->sec.cache) { |
| 11288 /* fill in the sid */ | 11972 /* fill in the sid */ |
| 11289 sid->u.ssl3.cipherSuite = ss->ssl3.hs.cipher_suite; | 11973 sid->u.ssl3.cipherSuite = ss->ssl3.hs.cipher_suite; |
| 11290 sid->u.ssl3.compression = ss->ssl3.hs.compression; | 11974 sid->u.ssl3.compression = ss->ssl3.hs.compression; |
| 11291 sid->u.ssl3.policy = ss->ssl3.policy; | 11975 sid->u.ssl3.policy = ss->ssl3.policy; |
| (...skipping 99 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 11391 /* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3 | 12075 /* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3 |
| 11392 * hanshake message. | 12076 * hanshake message. |
| 11393 * Caller must hold Handshake and RecvBuf locks. | 12077 * Caller must hold Handshake and RecvBuf locks. |
| 11394 */ | 12078 */ |
| 11395 SECStatus | 12079 SECStatus |
| 11396 ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length) | 12080 ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
| 11397 { | 12081 { |
| 11398 SECStatus rv = SECSuccess; | 12082 SECStatus rv = SECSuccess; |
| 11399 SSL3HandshakeType type = ss->ssl3.hs.msg_type; | 12083 SSL3HandshakeType type = ss->ssl3.hs.msg_type; |
| 11400 SSL3Hashes hashes; /* computed hashes are put here. */ | 12084 SSL3Hashes hashes; /* computed hashes are put here. */ |
| 12085 SSL3Hashes *hashesPtr = NULL; /* Set when hashes are computed */ |
| 11401 PRUint8 hdr[4]; | 12086 PRUint8 hdr[4]; |
| 11402 PRUint8 dtlsData[8]; | 12087 PRUint8 dtlsData[8]; |
| 11403 | 12088 |
| 11404 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 12089 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
| 11405 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 12090 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
| 11406 /* | 12091 /* |
| 11407 * We have to compute the hashes before we update them with the | 12092 * We have to compute the hashes before we update them with the |
| 11408 * current message. | 12093 * current message. |
| 11409 */ | 12094 */ |
| 11410 ssl_GetSpecReadLock(ss); /************************************/ | 12095 ssl_GetSpecReadLock(ss); /************************************/ |
| 11411 if((type == finished) || (type == certificate_verify)) { | 12096 if(((type == finished) && (ss->ssl3.hs.ws == wait_finished)) || |
| 12097 ((type == certificate_verify) && (ss->ssl3.hs.ws == wait_cert_verify))) { |
| 11412 SSL3Sender sender = (SSL3Sender)0; | 12098 SSL3Sender sender = (SSL3Sender)0; |
| 11413 ssl3CipherSpec *rSpec = ss->ssl3.prSpec; | 12099 ssl3CipherSpec *rSpec = ss->ssl3.prSpec; |
| 11414 | 12100 |
| 11415 if (type == finished) { | 12101 if (type == finished) { |
| 11416 sender = ss->sec.isServer ? sender_client : sender_server; | 12102 sender = ss->sec.isServer ? sender_client : sender_server; |
| 11417 rSpec = ss->ssl3.crSpec; | 12103 rSpec = ss->ssl3.crSpec; |
| 11418 } | 12104 } |
| 11419 rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender); | 12105 rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender); |
| 12106 if (rv == SECSuccess) { |
| 12107 hashesPtr = &hashes; |
| 12108 } |
| 11420 } | 12109 } |
| 11421 ssl_ReleaseSpecReadLock(ss); /************************************/ | 12110 ssl_ReleaseSpecReadLock(ss); /************************************/ |
| 11422 if (rv != SECSuccess) { | 12111 if (rv != SECSuccess) { |
| 11423 return rv; /* error code was set by ssl3_ComputeHandshakeHashes*/ | 12112 return rv; /* error code was set by ssl3_ComputeHandshakeHashes*/ |
| 11424 } | 12113 } |
| 11425 SSL_TRC(30,("%d: SSL3[%d]: handle handshake message: %s", SSL_GETPID(), | 12114 SSL_TRC(30,("%d: SSL3[%d]: handle handshake message: %s", SSL_GETPID(), |
| 11426 ss->fd, ssl3_DecodeHandshakeType(ss->ssl3.hs.msg_type))); | 12115 ss->fd, ssl3_DecodeHandshakeType(ss->ssl3.hs.msg_type))); |
| 11427 | 12116 |
| 11428 hdr[0] = (PRUint8)ss->ssl3.hs.msg_type; | 12117 hdr[0] = (PRUint8)ss->ssl3.hs.msg_type; |
| 11429 hdr[1] = (PRUint8)(length >> 16); | 12118 hdr[1] = (PRUint8)(length >> 16); |
| (...skipping 130 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 11560 return SECFailure; | 12249 return SECFailure; |
| 11561 } | 12250 } |
| 11562 rv = ssl3_HandleServerHelloDone(ss); | 12251 rv = ssl3_HandleServerHelloDone(ss); |
| 11563 break; | 12252 break; |
| 11564 case certificate_verify: | 12253 case certificate_verify: |
| 11565 if (!ss->sec.isServer) { | 12254 if (!ss->sec.isServer) { |
| 11566 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); | 12255 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); |
| 11567 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY); | 12256 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY); |
| 11568 return SECFailure; | 12257 return SECFailure; |
| 11569 } | 12258 } |
| 11570 » rv = ssl3_HandleCertificateVerify(ss, b, length, &hashes); | 12259 » rv = ssl3_HandleCertificateVerify(ss, b, length, hashesPtr); |
| 11571 break; | 12260 break; |
| 11572 case client_key_exchange: | 12261 case client_key_exchange: |
| 11573 if (!ss->sec.isServer) { | 12262 if (!ss->sec.isServer) { |
| 11574 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); | 12263 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); |
| 11575 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH); | 12264 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH); |
| 11576 return SECFailure; | 12265 return SECFailure; |
| 11577 } | 12266 } |
| 11578 rv = ssl3_HandleClientKeyExchange(ss, b, length); | 12267 rv = ssl3_HandleClientKeyExchange(ss, b, length); |
| 11579 break; | 12268 break; |
| 11580 case new_session_ticket: | 12269 case new_session_ticket: |
| 11581 if (ss->sec.isServer) { | 12270 if (ss->sec.isServer) { |
| 11582 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); | 12271 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); |
| 11583 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET); | 12272 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET); |
| 11584 return SECFailure; | 12273 return SECFailure; |
| 11585 } | 12274 } |
| 11586 rv = ssl3_HandleNewSessionTicket(ss, b, length); | 12275 rv = ssl3_HandleNewSessionTicket(ss, b, length); |
| 11587 break; | 12276 break; |
| 11588 case finished: | 12277 case finished: |
| 11589 rv = ssl3_HandleFinished(ss, b, length, &hashes); | 12278 rv = ssl3_HandleFinished(ss, b, length, hashesPtr); |
| 11590 break; | 12279 break; |
| 11591 default: | 12280 default: |
| 11592 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); | 12281 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); |
| 11593 PORT_SetError(SSL_ERROR_RX_UNKNOWN_HANDSHAKE); | 12282 PORT_SetError(SSL_ERROR_RX_UNKNOWN_HANDSHAKE); |
| 11594 rv = SECFailure; | 12283 rv = SECFailure; |
| 11595 } | 12284 } |
| 11596 | 12285 |
| 11597 if (IS_DTLS(ss) && (rv != SECFailure)) { | 12286 if (IS_DTLS(ss) && (rv != SECFailure)) { |
| 11598 /* Increment the expected sequence number */ | 12287 /* Increment the expected sequence number */ |
| 11599 ss->ssl3.hs.recvMessageSeq++; | 12288 ss->ssl3.hs.recvMessageSeq++; |
| (...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 11634 if (ss->ssl3.hs.header_bytes++ == 0) | 12323 if (ss->ssl3.hs.header_bytes++ == 0) |
| 11635 ss->ssl3.hs.msg_type = (SSL3HandshakeType)t; | 12324 ss->ssl3.hs.msg_type = (SSL3HandshakeType)t; |
| 11636 else | 12325 else |
| 11637 ss->ssl3.hs.msg_len = (ss->ssl3.hs.msg_len << 8) + t; | 12326 ss->ssl3.hs.msg_len = (ss->ssl3.hs.msg_len << 8) + t; |
| 11638 if (ss->ssl3.hs.header_bytes < 4) | 12327 if (ss->ssl3.hs.header_bytes < 4) |
| 11639 continue; | 12328 continue; |
| 11640 | 12329 |
| 11641 #define MAX_HANDSHAKE_MSG_LEN 0x1ffff /* 128k - 1 */ | 12330 #define MAX_HANDSHAKE_MSG_LEN 0x1ffff /* 128k - 1 */ |
| 11642 if (ss->ssl3.hs.msg_len > MAX_HANDSHAKE_MSG_LEN) { | 12331 if (ss->ssl3.hs.msg_len > MAX_HANDSHAKE_MSG_LEN) { |
| 11643 (void)ssl3_DecodeError(ss); | 12332 (void)ssl3_DecodeError(ss); |
| 11644 » » PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); | 12333 » » PORT_SetError(SSL_ERROR_RX_MALFORMED_HANDSHAKE); |
| 11645 return SECFailure; | 12334 return SECFailure; |
| 11646 } | 12335 } |
| 11647 #undef MAX_HANDSHAKE_MSG_LEN | 12336 #undef MAX_HANDSHAKE_MSG_LEN |
| 11648 | 12337 |
| 11649 /* If msg_len is zero, be sure we fall through, | 12338 /* If msg_len is zero, be sure we fall through, |
| 11650 ** even if buf->len is zero. | 12339 ** even if buf->len is zero. |
| 11651 */ | 12340 */ |
| 11652 if (ss->ssl3.hs.msg_len > 0) | 12341 if (ss->ssl3.hs.msg_len > 0) |
| 11653 continue; | 12342 continue; |
| 11654 } | 12343 } |
| (...skipping 280 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 11935 ssl3CipherSpec * crSpec; | 12624 ssl3CipherSpec * crSpec; |
| 11936 SECStatus rv; | 12625 SECStatus rv; |
| 11937 unsigned int hashBytes = MAX_MAC_LENGTH + 1; | 12626 unsigned int hashBytes = MAX_MAC_LENGTH + 1; |
| 11938 PRBool isTLS; | 12627 PRBool isTLS; |
| 11939 SSL3ContentType rType; | 12628 SSL3ContentType rType; |
| 11940 SSL3Opaque hash[MAX_MAC_LENGTH]; | 12629 SSL3Opaque hash[MAX_MAC_LENGTH]; |
| 11941 SSL3Opaque givenHashBuf[MAX_MAC_LENGTH]; | 12630 SSL3Opaque givenHashBuf[MAX_MAC_LENGTH]; |
| 11942 SSL3Opaque *givenHash; | 12631 SSL3Opaque *givenHash; |
| 11943 sslBuffer *plaintext; | 12632 sslBuffer *plaintext; |
| 11944 sslBuffer temp_buf; | 12633 sslBuffer temp_buf; |
| 11945 PRUint64 dtls_seq_num; | 12634 PRUint64 dtls_seq_num = 0; |
| 11946 unsigned int ivLen = 0; | 12635 unsigned int ivLen = 0; |
| 11947 unsigned int originalLen = 0; | 12636 unsigned int originalLen = 0; |
| 11948 unsigned int good; | 12637 unsigned int good; |
| 11949 unsigned int minLength; | 12638 unsigned int minLength; |
| 11950 unsigned char header[13]; | 12639 unsigned char header[13]; |
| 11951 unsigned int headerLen; | 12640 unsigned int headerLen; |
| 11952 | 12641 |
| 11953 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 12642 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
| 11954 | 12643 |
| 11955 if (!ss->ssl3.initialized) { | 12644 if (!ss->ssl3.initialized) { |
| (...skipping 460 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 12416 return SECSuccess; /* Function should be idempotent */ | 13105 return SECSuccess; /* Function should be idempotent */ |
| 12417 | 13106 |
| 12418 ss->ssl3.policy = SSL_ALLOWED; | 13107 ss->ssl3.policy = SSL_ALLOWED; |
| 12419 | 13108 |
| 12420 ssl_GetSpecWriteLock(ss); | 13109 ssl_GetSpecWriteLock(ss); |
| 12421 ss->ssl3.crSpec = ss->ssl3.cwSpec = &ss->ssl3.specs[0]; | 13110 ss->ssl3.crSpec = ss->ssl3.cwSpec = &ss->ssl3.specs[0]; |
| 12422 ss->ssl3.prSpec = ss->ssl3.pwSpec = &ss->ssl3.specs[1]; | 13111 ss->ssl3.prSpec = ss->ssl3.pwSpec = &ss->ssl3.specs[1]; |
| 12423 ss->ssl3.hs.sendingSCSV = PR_FALSE; | 13112 ss->ssl3.hs.sendingSCSV = PR_FALSE; |
| 12424 ssl3_InitCipherSpec(ss, ss->ssl3.crSpec); | 13113 ssl3_InitCipherSpec(ss, ss->ssl3.crSpec); |
| 12425 ssl3_InitCipherSpec(ss, ss->ssl3.prSpec); | 13114 ssl3_InitCipherSpec(ss, ss->ssl3.prSpec); |
| 13115 ss->ssl3.hs.preliminaryInfo = 0; |
| 12426 | 13116 |
| 12427 ss->ssl3.hs.ws = (ss->sec.isServer) ? wait_client_hello : wait_server_hello; | 13117 ss->ssl3.hs.ws = (ss->sec.isServer) ? wait_client_hello : wait_server_hello; |
| 12428 #ifndef NSS_DISABLE_ECC | 13118 #ifndef NSS_DISABLE_ECC |
| 12429 ss->ssl3.hs.negotiatedECCurves = ssl3_GetSupportedECCurveMask(ss); | 13119 ss->ssl3.hs.negotiatedECCurves = ssl3_GetSupportedECCurveMask(ss); |
| 12430 #endif | 13120 #endif |
| 12431 ssl_ReleaseSpecWriteLock(ss); | 13121 ssl_ReleaseSpecWriteLock(ss); |
| 12432 | 13122 |
| 12433 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData)); | 13123 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData)); |
| 12434 | 13124 |
| 12435 if (IS_DTLS(ss)) { | 13125 if (IS_DTLS(ss)) { |
| (...skipping 53 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 12489 PRInt32 newCount = PR_ATOMIC_DECREMENT(&keyPair->refCount); | 13179 PRInt32 newCount = PR_ATOMIC_DECREMENT(&keyPair->refCount); |
| 12490 if (!newCount) { | 13180 if (!newCount) { |
| 12491 if (keyPair->privKey) | 13181 if (keyPair->privKey) |
| 12492 SECKEY_DestroyPrivateKey(keyPair->privKey); | 13182 SECKEY_DestroyPrivateKey(keyPair->privKey); |
| 12493 if (keyPair->pubKey) | 13183 if (keyPair->pubKey) |
| 12494 SECKEY_DestroyPublicKey( keyPair->pubKey); | 13184 SECKEY_DestroyPublicKey( keyPair->pubKey); |
| 12495 PORT_Free(keyPair); | 13185 PORT_Free(keyPair); |
| 12496 } | 13186 } |
| 12497 } | 13187 } |
| 12498 | 13188 |
| 12499 | |
| 12500 | |
| 12501 /* | 13189 /* |
| 12502 * Creates the public and private RSA keys for SSL Step down. | 13190 * Creates the public and private RSA keys for SSL Step down. |
| 12503 * Called from SSL_ConfigSecureServer in sslsecur.c | 13191 * Called from SSL_ConfigSecureServer in sslsecur.c |
| 12504 */ | 13192 */ |
| 12505 SECStatus | 13193 SECStatus |
| 12506 ssl3_CreateRSAStepDownKeys(sslSocket *ss) | 13194 ssl3_CreateRSAStepDownKeys(sslSocket *ss) |
| 12507 { | 13195 { |
| 12508 SECStatus rv = SECSuccess; | 13196 SECStatus rv = SECSuccess; |
| 12509 SECKEYPrivateKey * privKey; /* RSA step down key */ | 13197 SECKEYPrivateKey * privKey; /* RSA step down key */ |
| 12510 SECKEYPublicKey * pubKey; /* RSA step down key */ | 13198 SECKEYPublicKey * pubKey; /* RSA step down key */ |
| (...skipping 11 matching lines...) Expand all Loading... |
| 12522 if (!privKey || !pubKey || | 13210 if (!privKey || !pubKey || |
| 12523 !(ss->stepDownKeyPair = ssl3_NewKeyPair(privKey, pubKey))) { | 13211 !(ss->stepDownKeyPair = ssl3_NewKeyPair(privKey, pubKey))) { |
| 12524 ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL); | 13212 ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL); |
| 12525 rv = SECFailure; | 13213 rv = SECFailure; |
| 12526 } | 13214 } |
| 12527 } | 13215 } |
| 12528 #endif | 13216 #endif |
| 12529 return rv; | 13217 return rv; |
| 12530 } | 13218 } |
| 12531 | 13219 |
| 12532 | |
| 12533 /* record the export policy for this cipher suite */ | 13220 /* record the export policy for this cipher suite */ |
| 12534 SECStatus | 13221 SECStatus |
| 12535 ssl3_SetPolicy(ssl3CipherSuite which, int policy) | 13222 ssl3_SetPolicy(ssl3CipherSuite which, int policy) |
| 12536 { | 13223 { |
| 12537 ssl3CipherSuiteCfg *suite; | 13224 ssl3CipherSuiteCfg *suite; |
| 12538 | 13225 |
| 12539 suite = ssl_LookupCipherSuiteCfg(which, cipherSuites); | 13226 suite = ssl_LookupCipherSuiteCfg(which, cipherSuites); |
| 12540 if (suite == NULL) { | 13227 if (suite == NULL) { |
| 12541 return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */ | 13228 return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */ |
| 12542 } | 13229 } |
| (...skipping 81 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 12624 rv = SECSuccess; | 13311 rv = SECSuccess; |
| 12625 } else { | 13312 } else { |
| 12626 pref = SSL_NOT_ALLOWED; | 13313 pref = SSL_NOT_ALLOWED; |
| 12627 rv = SECFailure; /* err code was set by Lookup. */ | 13314 rv = SECFailure; /* err code was set by Lookup. */ |
| 12628 } | 13315 } |
| 12629 *enabled = pref; | 13316 *enabled = pref; |
| 12630 return rv; | 13317 return rv; |
| 12631 } | 13318 } |
| 12632 | 13319 |
| 12633 SECStatus | 13320 SECStatus |
| 13321 SSL_SignaturePrefSet(PRFileDesc *fd, const SSLSignatureAndHashAlg *algorithms, |
| 13322 unsigned int count) |
| 13323 { |
| 13324 sslSocket *ss; |
| 13325 unsigned int i; |
| 13326 |
| 13327 ss = ssl_FindSocket(fd); |
| 13328 if (!ss) { |
| 13329 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SignaturePrefSet", |
| 13330 SSL_GETPID(), fd)); |
| 13331 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 13332 return SECFailure; |
| 13333 } |
| 13334 |
| 13335 if (!count || count > MAX_SIGNATURE_ALGORITHMS) { |
| 13336 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 13337 return SECFailure; |
| 13338 } |
| 13339 |
| 13340 ss->ssl3.signatureAlgorithmCount = 0; |
| 13341 for (i = 0; i < count; ++i) { |
| 13342 if (!ssl3_IsSupportedSignatureAlgorithm(&algorithms[i])) { |
| 13343 SSL_DBG(("%d: SSL[%d]: invalid signature algorithm set %d/%d", |
| 13344 SSL_GETPID(), fd, algorithms[i].sigAlg, |
| 13345 algorithms[i].hashAlg)); |
| 13346 continue; |
| 13347 } |
| 13348 |
| 13349 ss->ssl3.signatureAlgorithms[ss->ssl3.signatureAlgorithmCount++] = |
| 13350 algorithms[i]; |
| 13351 } |
| 13352 |
| 13353 if (ss->ssl3.signatureAlgorithmCount == 0) { |
| 13354 PORT_SetError(SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM); |
| 13355 return SECFailure; |
| 13356 } |
| 13357 return SECSuccess; |
| 13358 } |
| 13359 |
| 13360 SECStatus |
| 13361 SSL_SignaturePrefGet(PRFileDesc *fd, SSLSignatureAndHashAlg *algorithms, |
| 13362 unsigned int *count, unsigned int maxCount) |
| 13363 { |
| 13364 sslSocket *ss; |
| 13365 unsigned int requiredSpace; |
| 13366 |
| 13367 ss = ssl_FindSocket(fd); |
| 13368 if (!ss) { |
| 13369 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SignaturePrefGet", |
| 13370 SSL_GETPID(), fd)); |
| 13371 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 13372 return SECFailure; |
| 13373 } |
| 13374 |
| 13375 if (!algorithms || !count || |
| 13376 maxCount < ss->ssl3.signatureAlgorithmCount) { |
| 13377 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 13378 return SECFailure; |
| 13379 } |
| 13380 |
| 13381 requiredSpace = |
| 13382 ss->ssl3.signatureAlgorithmCount * sizeof(SSLSignatureAndHashAlg); |
| 13383 PORT_Memcpy(algorithms, ss->ssl3.signatureAlgorithms, requiredSpace); |
| 13384 *count = ss->ssl3.signatureAlgorithmCount; |
| 13385 return SECSuccess; |
| 13386 } |
| 13387 |
| 13388 unsigned int |
| 13389 SSL_SignatureMaxCount() { |
| 13390 return MAX_SIGNATURE_ALGORITHMS; |
| 13391 } |
| 13392 |
| 13393 SECStatus |
| 12634 ssl3_CipherOrderSet(sslSocket *ss, const ssl3CipherSuite *ciphers, unsigned int
len) | 13394 ssl3_CipherOrderSet(sslSocket *ss, const ssl3CipherSuite *ciphers, unsigned int
len) |
| 12635 { | 13395 { |
| 12636 /* |i| iterates over |ciphers| while |done| and |j| iterate over | 13396 /* |i| iterates over |ciphers| while |done| and |j| iterate over |
| 12637 * |ss->cipherSuites|. */ | 13397 * |ss->cipherSuites|. */ |
| 12638 unsigned int i, done; | 13398 unsigned int i, done; |
| 12639 | 13399 |
| 12640 for (i = done = 0; i < len; i++) { | 13400 for (i = done = 0; i < len; i++) { |
| 12641 PRUint16 id = ciphers[i]; | 13401 PRUint16 id = ciphers[i]; |
| 12642 unsigned int existingIndex, j; | 13402 unsigned int existingIndex, j; |
| 12643 PRBool found = PR_FALSE; | 13403 PRBool found = PR_FALSE; |
| (...skipping 24 matching lines...) Expand all Loading... |
| 12668 } | 13428 } |
| 12669 | 13429 |
| 12670 return SECSuccess; | 13430 return SECSuccess; |
| 12671 } | 13431 } |
| 12672 | 13432 |
| 12673 /* copy global default policy into socket. */ | 13433 /* copy global default policy into socket. */ |
| 12674 void | 13434 void |
| 12675 ssl3_InitSocketPolicy(sslSocket *ss) | 13435 ssl3_InitSocketPolicy(sslSocket *ss) |
| 12676 { | 13436 { |
| 12677 PORT_Memcpy(ss->cipherSuites, cipherSuites, sizeof cipherSuites); | 13437 PORT_Memcpy(ss->cipherSuites, cipherSuites, sizeof cipherSuites); |
| 13438 PORT_Memcpy(ss->ssl3.signatureAlgorithms, defaultSignatureAlgorithms, |
| 13439 sizeof(defaultSignatureAlgorithms)); |
| 13440 ss->ssl3.signatureAlgorithmCount = PR_ARRAY_SIZE(defaultSignatureAlgorithms)
; |
| 12678 } | 13441 } |
| 12679 | 13442 |
| 12680 SECStatus | 13443 SECStatus |
| 12681 ssl3_GetTLSUniqueChannelBinding(sslSocket *ss, | 13444 ssl3_GetTLSUniqueChannelBinding(sslSocket *ss, |
| 12682 unsigned char *out, | 13445 unsigned char *out, |
| 12683 unsigned int *outLen, | 13446 unsigned int *outLen, |
| 12684 unsigned int outLenMax) { | 13447 unsigned int outLenMax) { |
| 12685 PRBool isTLS; | 13448 PRBool isTLS; |
| 12686 int index = 0; | 13449 int index = 0; |
| 12687 unsigned int len; | 13450 unsigned int len; |
| (...skipping 69 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 12757 return SECSuccess; | 13520 return SECSuccess; |
| 12758 } | 13521 } |
| 12759 if (cs == NULL) { | 13522 if (cs == NULL) { |
| 12760 *size = count_cipher_suites(ss, SSL_ALLOWED, PR_TRUE); | 13523 *size = count_cipher_suites(ss, SSL_ALLOWED, PR_TRUE); |
| 12761 return SECSuccess; | 13524 return SECSuccess; |
| 12762 } | 13525 } |
| 12763 | 13526 |
| 12764 /* ssl3_config_match_init was called by the caller of this function. */ | 13527 /* ssl3_config_match_init was called by the caller of this function. */ |
| 12765 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { | 13528 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { |
| 12766 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; | 13529 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; |
| 12767 » if (config_match(suite, SSL_ALLOWED, PR_TRUE, &ss->vrange)) { | 13530 » if (config_match(suite, SSL_ALLOWED, PR_TRUE, &ss->vrange, ss)) { |
| 12768 if (cs != NULL) { | 13531 if (cs != NULL) { |
| 12769 *cs++ = 0x00; | 13532 *cs++ = 0x00; |
| 12770 *cs++ = (suite->cipher_suite >> 8) & 0xFF; | 13533 *cs++ = (suite->cipher_suite >> 8) & 0xFF; |
| 12771 *cs++ = suite->cipher_suite & 0xFF; | 13534 *cs++ = suite->cipher_suite & 0xFF; |
| 12772 } | 13535 } |
| 12773 count++; | 13536 count++; |
| 12774 } | 13537 } |
| 12775 } | 13538 } |
| 12776 *size = count; | 13539 *size = count; |
| 12777 return SECSuccess; | 13540 return SECSuccess; |
| (...skipping 113 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 12891 ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/); | 13654 ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/); |
| 12892 | 13655 |
| 12893 /* Destroy the DTLS data */ | 13656 /* Destroy the DTLS data */ |
| 12894 if (IS_DTLS(ss)) { | 13657 if (IS_DTLS(ss)) { |
| 12895 dtls_FreeHandshakeMessages(&ss->ssl3.hs.lastMessageFlight); | 13658 dtls_FreeHandshakeMessages(&ss->ssl3.hs.lastMessageFlight); |
| 12896 if (ss->ssl3.hs.recvdFragments.buf) { | 13659 if (ss->ssl3.hs.recvdFragments.buf) { |
| 12897 PORT_Free(ss->ssl3.hs.recvdFragments.buf); | 13660 PORT_Free(ss->ssl3.hs.recvdFragments.buf); |
| 12898 } | 13661 } |
| 12899 } | 13662 } |
| 12900 | 13663 |
| 13664 if (ss->ssl3.dheGroups) { |
| 13665 PORT_Free(ss->ssl3.dheGroups); |
| 13666 } |
| 13667 |
| 12901 ss->ssl3.initialized = PR_FALSE; | 13668 ss->ssl3.initialized = PR_FALSE; |
| 12902 | 13669 |
| 12903 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); | 13670 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); |
| 12904 } | 13671 } |
| 12905 | 13672 |
| 12906 /* End of ssl3con.c */ | 13673 /* End of ssl3con.c */ |
| OLD | NEW |