OLD | NEW |
1 /* | 1 /* |
2 * Various SSL functions. | 2 * Various SSL functions. |
3 * | 3 * |
4 * This Source Code Form is subject to the terms of the Mozilla Public | 4 * This Source Code Form is subject to the terms of the Mozilla Public |
5 * License, v. 2.0. If a copy of the MPL was not distributed with this | 5 * License, v. 2.0. If a copy of the MPL was not distributed with this |
6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
7 #include "cert.h" | 7 #include "cert.h" |
8 #include "secitem.h" | 8 #include "secitem.h" |
9 #include "keyhi.h" | 9 #include "keyhi.h" |
10 #include "ssl.h" | 10 #include "ssl.h" |
(...skipping 120 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
131 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 131 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
132 | 132 |
133 SSL_TRC(3, ("%d: SSL[%d]: handshake is completed", SSL_GETPID(), ss->fd)); | 133 SSL_TRC(3, ("%d: SSL[%d]: handshake is completed", SSL_GETPID(), ss->fd)); |
134 | 134 |
135 ss->firstHsDone = PR_TRUE; | 135 ss->firstHsDone = PR_TRUE; |
136 ss->enoughFirstHsDone = PR_TRUE; | 136 ss->enoughFirstHsDone = PR_TRUE; |
137 ss->gs.writeOffset = 0; | 137 ss->gs.writeOffset = 0; |
138 ss->gs.readOffset = 0; | 138 ss->gs.readOffset = 0; |
139 | 139 |
140 if (ss->handshakeCallback) { | 140 if (ss->handshakeCallback) { |
| 141 PORT_Assert(ss->version < SSL_LIBRARY_VERSION_3_0 || |
| 142 (ss->ssl3.hs.preliminaryInfo & ssl_preinfo_all) == |
| 143 ssl_preinfo_all); |
141 (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData); | 144 (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData); |
142 } | 145 } |
143 } | 146 } |
144 | 147 |
145 /* | 148 /* |
146 * Handshake function that blocks. Used to force a | 149 * Handshake function that blocks. Used to force a |
147 * retry on a connection on the next read/write. | 150 * retry on a connection on the next read/write. |
148 */ | 151 */ |
149 static SECStatus | 152 static SECStatus |
150 ssl3_AlwaysBlock(sslSocket *ss) | 153 ssl3_AlwaysBlock(sslSocket *ss) |
(...skipping 496 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
647 ** length record) then this will force it to be correct. | 650 ** length record) then this will force it to be correct. |
648 */ | 651 */ |
649 PORT_SetError(PR_WOULD_BLOCK_ERROR); | 652 PORT_SetError(PR_WOULD_BLOCK_ERROR); |
650 rv = SECFailure; | 653 rv = SECFailure; |
651 goto done; | 654 goto done; |
652 } | 655 } |
653 SSL_TRC(30, ("%d: SSL[%d]: partial data ready, available=%d", | 656 SSL_TRC(30, ("%d: SSL[%d]: partial data ready, available=%d", |
654 SSL_GETPID(), ss->fd, available)); | 657 SSL_GETPID(), ss->fd, available)); |
655 } | 658 } |
656 | 659 |
| 660 if (IS_DTLS(ss) && (len < available)) { |
| 661 /* DTLS does not allow you to do partial reads */ |
| 662 SSL_TRC(30, ("%d: SSL[%d]: DTLS short read. len=%d available=%d", |
| 663 SSL_GETPID(), ss->fd, len, available)); |
| 664 ss->gs.readOffset += available; |
| 665 PORT_SetError(SSL_ERROR_RX_SHORT_DTLS_READ); |
| 666 rv = SECFailure; |
| 667 goto done; |
| 668 } |
| 669 |
657 /* Dole out clear data to reader */ | 670 /* Dole out clear data to reader */ |
658 amount = PR_MIN(len, available); | 671 amount = PR_MIN(len, available); |
659 PORT_Memcpy(out, ss->gs.buf.buf + ss->gs.readOffset, amount); | 672 PORT_Memcpy(out, ss->gs.buf.buf + ss->gs.readOffset, amount); |
660 if (!(flags & PR_MSG_PEEK)) { | 673 if (!(flags & PR_MSG_PEEK)) { |
661 ss->gs.readOffset += amount; | 674 ss->gs.readOffset += amount; |
662 } | 675 } |
663 PORT_Assert(ss->gs.readOffset <= ss->gs.writeOffset); | 676 PORT_Assert(ss->gs.readOffset <= ss->gs.writeOffset); |
664 rv = amount; | 677 rv = amount; |
665 | 678 |
666 SSL_TRC(30, ("%d: SSL[%d]: amount=%d available=%d", | 679 SSL_TRC(30, ("%d: SSL[%d]: amount=%d available=%d", |
(...skipping 19 matching lines...) Expand all Loading... |
686 | 699 |
687 if (!cert) goto loser; | 700 if (!cert) goto loser; |
688 | 701 |
689 tag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm)); | 702 tag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm)); |
690 | 703 |
691 switch (tag) { | 704 switch (tag) { |
692 case SEC_OID_X500_RSA_ENCRYPTION: | 705 case SEC_OID_X500_RSA_ENCRYPTION: |
693 case SEC_OID_PKCS1_RSA_ENCRYPTION: | 706 case SEC_OID_PKCS1_RSA_ENCRYPTION: |
694 keaType = kt_rsa; | 707 keaType = kt_rsa; |
695 break; | 708 break; |
| 709 case SEC_OID_ANSIX9_DSA_SIGNATURE: /* hah, signature, not a key? */ |
696 case SEC_OID_X942_DIFFIE_HELMAN_KEY: | 710 case SEC_OID_X942_DIFFIE_HELMAN_KEY: |
697 keaType = kt_dh; | 711 keaType = kt_dh; |
698 break; | 712 break; |
699 #ifndef NSS_DISABLE_ECC | 713 #ifndef NSS_DISABLE_ECC |
700 case SEC_OID_ANSIX962_EC_PUBLIC_KEY: | 714 case SEC_OID_ANSIX962_EC_PUBLIC_KEY: |
701 keaType = kt_ecdh; | 715 keaType = kt_ecdh; |
702 break; | 716 break; |
703 #endif /* NSS_DISABLE_ECC */ | 717 #endif /* NSS_DISABLE_ECC */ |
704 default: | 718 default: |
705 keaType = kt_null; | 719 keaType = kt_null; |
(...skipping 76 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
782 if (keyPair) { | 796 if (keyPair) { |
783 SECKEY_CacheStaticFlags(keyPair->privKey); | 797 SECKEY_CacheStaticFlags(keyPair->privKey); |
784 sc->serverKeyPair = ssl3_GetKeyPairRef(keyPair); | 798 sc->serverKeyPair = ssl3_GetKeyPairRef(keyPair); |
785 } | 799 } |
786 if (kea == kt_rsa && cert && sc->serverKeyBits > 512 && | 800 if (kea == kt_rsa && cert && sc->serverKeyBits > 512 && |
787 !ss->opt.noStepDown && !ss->stepDownKeyPair) { | 801 !ss->opt.noStepDown && !ss->stepDownKeyPair) { |
788 if (ssl3_CreateRSAStepDownKeys(ss) != SECSuccess) { | 802 if (ssl3_CreateRSAStepDownKeys(ss) != SECSuccess) { |
789 goto loser; | 803 goto loser; |
790 } | 804 } |
791 } | 805 } |
| 806 if (kea == ssl_kea_dh || kea == ssl_kea_rsa) { |
| 807 if (ssl3_SelectDHParams(ss) != SECSuccess) { |
| 808 goto loser; |
| 809 } |
| 810 } |
792 return SECSuccess; | 811 return SECSuccess; |
793 | 812 |
794 loser: | 813 loser: |
795 if (localCertChain) { | 814 if (localCertChain) { |
796 CERT_DestroyCertificateList(localCertChain); | 815 CERT_DestroyCertificateList(localCertChain); |
797 } | 816 } |
798 if (sc->serverCert != NULL) { | 817 if (sc->serverCert != NULL) { |
799 CERT_DestroyCertificate(sc->serverCert); | 818 CERT_DestroyCertificate(sc->serverCert); |
800 sc->serverCert = NULL; | 819 sc->serverCert = NULL; |
801 } | 820 } |
(...skipping 368 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1170 | 1189 |
1171 return rv; | 1190 return rv; |
1172 } | 1191 } |
1173 | 1192 |
1174 /************************************************************************/ | 1193 /************************************************************************/ |
1175 | 1194 |
1176 | 1195 |
1177 int | 1196 int |
1178 ssl_SecureRecv(sslSocket *ss, unsigned char *buf, int len, int flags) | 1197 ssl_SecureRecv(sslSocket *ss, unsigned char *buf, int len, int flags) |
1179 { | 1198 { |
1180 sslSecurityInfo *sec; | |
1181 int rv = 0; | 1199 int rv = 0; |
1182 | 1200 |
1183 sec = &ss->sec; | |
1184 | |
1185 if (ss->shutdownHow & ssl_SHUTDOWN_RCV) { | 1201 if (ss->shutdownHow & ssl_SHUTDOWN_RCV) { |
1186 PORT_SetError(PR_SOCKET_SHUTDOWN_ERROR); | 1202 PORT_SetError(PR_SOCKET_SHUTDOWN_ERROR); |
1187 return PR_FAILURE; | 1203 return PR_FAILURE; |
1188 } | 1204 } |
1189 if (flags & ~PR_MSG_PEEK) { | 1205 if (flags & ~PR_MSG_PEEK) { |
1190 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); | 1206 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); |
1191 return PR_FAILURE; | 1207 return PR_FAILURE; |
1192 } | 1208 } |
1193 | 1209 |
1194 if (!ssl_SocketIsBlocking(ss) && !ss->opt.fdx) { | 1210 if (!ssl_SocketIsBlocking(ss) && !ss->opt.fdx) { |
(...skipping 517 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1712 if (!ss) { | 1728 if (!ss) { |
1713 SSL_DBG(("%d: SSL[%d]: bad socket in SNISocketConfigHook", | 1729 SSL_DBG(("%d: SSL[%d]: bad socket in SNISocketConfigHook", |
1714 SSL_GETPID(), fd)); | 1730 SSL_GETPID(), fd)); |
1715 return SECFailure; | 1731 return SECFailure; |
1716 } | 1732 } |
1717 | 1733 |
1718 ss->sniSocketConfig = func; | 1734 ss->sniSocketConfig = func; |
1719 ss->sniSocketConfigArg = arg; | 1735 ss->sniSocketConfigArg = arg; |
1720 return SECSuccess; | 1736 return SECSuccess; |
1721 } | 1737 } |
OLD | NEW |