Uprev NSS (in libssl) to NSS 3.21

net/third_party/nss/ssl/sslsock.c

 /*
  * vtables (and methods that call through them) for the 4 types of
  * SSLSockets supported.  Only one type is still supported.
  * Various other functions.
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 #include "seccomon.h"
 #include "cert.h"
 #include "keyhi.h"
 #include "ssl.h"
 #include "sslimpl.h"
 #include "sslproto.h"
 #include "nspr.h"
 #include "private/pprio.h"
 #ifndef NO_PKCS11_BYPASS
 #include "blapi.h"
 #endif
 #include "pk11pub.h"
 #include "nss.h"
+#include "pk11pqg.h"
 
 /* This is a bodge to allow this code to be compiled against older NSS headers
  * that don't contain the TLS 1.2 changes. */
 #ifndef CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256
 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24)
 #endif
 
 #define SET_ERROR_CODE   /* reminder */
 
 static const sslSocketOps ssl_default_ops = {   /* No SSL. */
@@ skipping 51 matching lines @@
     PR_FALSE,   /* enableDeflate      */
     2,          /* enableRenegotiation (default: requires extension) */
     PR_FALSE,   /* requireSafeNegotiation */
     PR_FALSE,   /* enableFalseStart   */
     PR_TRUE,    /* cbcRandomIV        */
     PR_FALSE,   /* enableOCSPStapling */
     PR_TRUE,    /* enableNPN          */
     PR_FALSE,   /* enableALPN         */
     PR_TRUE,    /* reuseServerECDHEKey */
     PR_FALSE,   /* enableFallbackSCSV */
+    PR_TRUE,    /* enableServerDhe */
+    PR_FALSE,    /* enableExtendedMS    */
     PR_FALSE,   /* enableSignedCertTimestamps */
 };
 
 /*
  * default range of enabled SSL/TLS protocols
  */
 static SSLVersionRange versions_defaults_stream = {
     SSL_LIBRARY_VERSION_TLS_1_0,
     SSL_LIBRARY_VERSION_TLS_1_2
 };
@@ skipping 122 matching lines @@
         ss->dbHandle = os->dbHandle;
 
         /* copy ssl2&3 policy & prefs, even if it's not selected (yet) */
         ss->allowedByPolicy     = os->allowedByPolicy;
         ss->maybeAllowedByPolicy= os->maybeAllowedByPolicy;
         ss->chosenPreference    = os->chosenPreference;
         PORT_Memcpy(ss->cipherSuites, os->cipherSuites, sizeof os->cipherSuites);
         PORT_Memcpy(ss->ssl3.dtlsSRTPCiphers, os->ssl3.dtlsSRTPCiphers,
                     sizeof(PRUint16) * os->ssl3.dtlsSRTPCipherCount);
         ss->ssl3.dtlsSRTPCipherCount = os->ssl3.dtlsSRTPCipherCount;
+        PORT_Memcpy(ss->ssl3.signatureAlgorithms, os->ssl3.signatureAlgorithms,
+                    sizeof(ss->ssl3.signatureAlgorithms[0]) *
+                    os->ssl3.signatureAlgorithmCount);
+        ss->ssl3.signatureAlgorithmCount = os->ssl3.signatureAlgorithmCount;
+
+        ss->ssl3.dheWeakGroupEnabled = os->ssl3.dheWeakGroupEnabled;
+        ss->ssl3.numDHEGroups = os->ssl3.numDHEGroups;
+        if (os->ssl3.dheGroups) {
+            ss->ssl3.dheGroups = PORT_NewArray(SSLDHEGroupType,
+                                               os->ssl3.numDHEGroups);
+            if (!ss->ssl3.dheGroups) {
+                goto loser;
+            }
+            PORT_Memcpy(ss->ssl3.dheGroups, os->ssl3.dheGroups,
+                        sizeof(SSLDHEGroupType) * os->ssl3.numDHEGroups);
+        } else {
+            ss->ssl3.dheGroups = NULL;
+        }
 
         if (os->cipherSpecs) {
             ss->cipherSpecs  = (unsigned char*)PORT_Alloc(os->sizeCipherSpecs);
             if (ss->cipherSpecs)
                 PORT_Memcpy(ss->cipherSpecs, os->cipherSpecs,
                             os->sizeCipherSpecs);
             ss->sizeCipherSpecs    = os->sizeCipherSpecs;
             ss->preferredCipher    = os->preferredCipher;
         } else {
             ss->cipherSpecs        = NULL;  /* produced lazily */
@@ skipping 23 matching lines @@
                 if (oc->serverKeyPair && !sc->serverKeyPair)
                     goto loser;
                 sc->serverKeyBits = oc->serverKeyBits;
                 ss->certStatusArray[i] = !os->certStatusArray[i] ? NULL :
                                 SECITEM_DupArray(NULL, os->certStatusArray[i]);
             }
             ss->stepDownKeyPair = !os->stepDownKeyPair ? NULL :
                                   ssl3_GetKeyPairRef(os->stepDownKeyPair);
             ss->ephemeralECDHKeyPair = !os->ephemeralECDHKeyPair ? NULL :
                                   ssl3_GetKeyPairRef(os->ephemeralECDHKeyPair);
+            ss->dheKeyPair = !os->dheKeyPair ? NULL :
+                             ssl3_GetKeyPairRef(os->dheKeyPair);
+            ss->dheParams = os->dheParams;
+
 /*
  * XXX the preceding CERT_ and SECKEY_ functions can fail and return NULL.
  * XXX We should detect this, and not just march on with NULL pointers.
  */
             ss->authCertificate       = os->authCertificate;
             ss->authCertificateArg    = os->authCertificateArg;
             ss->getClientAuthData     = os->getClientAuthData;
             ss->getClientAuthDataArg  = os->getClientAuthDataArg;
 #ifdef NSS_PLATFORM_CLIENT_AUTH
             ss->getPlatformClientAuthData    = os->getPlatformClientAuthData;
@@ skipping 103 matching lines @@
         }
     }
     if (ss->stepDownKeyPair) {
         ssl3_FreeKeyPair(ss->stepDownKeyPair);
         ss->stepDownKeyPair = NULL;
     }
     if (ss->ephemeralECDHKeyPair) {
         ssl3_FreeKeyPair(ss->ephemeralECDHKeyPair);
         ss->ephemeralECDHKeyPair = NULL;
     }
+    if (ss->dheKeyPair) {
+        ssl3_FreeKeyPair(ss->dheKeyPair);
+        ss->dheKeyPair = NULL;
+    }
     SECITEM_FreeItem(&ss->opt.nextProtoNego, PR_FALSE);
-    PORT_Assert(!ss->xtnData.sniNameArr);
     if (ss->xtnData.sniNameArr) {
         PORT_Free(ss->xtnData.sniNameArr);
         ss->xtnData.sniNameArr = NULL;
     }
 }
 
 /*
  * free an sslSocket struct, and all the stuff that hangs off of it
  */
 void
@@ skipping 388 matching lines @@
         break;
 
       case SSL_REUSE_SERVER_ECDHE_KEY:
         ss->opt.reuseServerECDHEKey = on;
         break;
 
       case SSL_ENABLE_FALLBACK_SCSV:
         ss->opt.enableFallbackSCSV = on;
         break;
 
+      case SSL_ENABLE_SERVER_DHE:
+        ss->opt.enableServerDhe = on;
+        break;
+
+      case SSL_ENABLE_EXTENDED_MASTER_SECRET:
+        ss->opt.enableExtendedMS = on;
+        break;
+
       case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
         ss->opt.enableSignedCertTimestamps = on;
         break;
 
       default:
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         rv = SECFailure;
     }
 
     /* We can't use the macros for releasing the locks here,
@@ skipping 59 matching lines @@
     case SSL_REQUIRE_SAFE_NEGOTIATION:
                                   on = ss->opt.requireSafeNegotiation; break;
     case SSL_ENABLE_FALSE_START:  on = ss->opt.enableFalseStart;   break;
     case SSL_CBC_RANDOM_IV:       on = ss->opt.cbcRandomIV;        break;
     case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break;
     case SSL_ENABLE_NPN:          on = ss->opt.enableNPN;          break;
     case SSL_ENABLE_ALPN:         on = ss->opt.enableALPN;         break;
     case SSL_REUSE_SERVER_ECDHE_KEY:
                                   on = ss->opt.reuseServerECDHEKey; break;
     case SSL_ENABLE_FALLBACK_SCSV: on = ss->opt.enableFallbackSCSV; break;
+    case SSL_ENABLE_SERVER_DHE:   on = ss->opt.enableServerDhe; break;
+    case SSL_ENABLE_EXTENDED_MASTER_SECRET:
+                                  on = ss->opt.enableExtendedMS; break;
     case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
         on = ss->opt.enableSignedCertTimestamps;
         break;
 
     default:
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         rv = SECFailure;
     }
 
     ssl_ReleaseSSL3HandshakeLock(ss);
@@ skipping 52 matching lines @@
        on = ssl_defaults.enableOCSPStapling;
        break;
     case SSL_ENABLE_NPN:          on = ssl_defaults.enableNPN;          break;
     case SSL_ENABLE_ALPN:         on = ssl_defaults.enableALPN;         break;
     case SSL_REUSE_SERVER_ECDHE_KEY:
        on = ssl_defaults.reuseServerECDHEKey;
        break;
     case SSL_ENABLE_FALLBACK_SCSV:
        on = ssl_defaults.enableFallbackSCSV;
        break;
+    case SSL_ENABLE_SERVER_DHE:
+       on = ssl_defaults.enableServerDhe;
+       break;
+    case SSL_ENABLE_EXTENDED_MASTER_SECRET:
+       on = ssl_defaults.enableExtendedMS;
+       break;
     case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
        on = ssl_defaults.enableSignedCertTimestamps;
        break;
 
     default:
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         rv = SECFailure;
     }
 
     *pOn = on;
@@ skipping 166 matching lines @@
         break;
 
       case SSL_REUSE_SERVER_ECDHE_KEY:
         ssl_defaults.reuseServerECDHEKey = on;
         break;
 
       case SSL_ENABLE_FALLBACK_SCSV:
         ssl_defaults.enableFallbackSCSV = on;
         break;
 
+      case SSL_ENABLE_SERVER_DHE:
+        ssl_defaults.enableServerDhe = on;
+        break;
+
+      case SSL_ENABLE_EXTENDED_MASTER_SECRET:
+        ssl_defaults.enableExtendedMS = on;
+        break;
+
       case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
         ssl_defaults.enableSignedCertTimestamps = on;
         break;
 
       default:
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     return SECSuccess;
 }
@@ skipping 216 matching lines @@
     return NSS_SetDomesticPolicy();
 }
 
 SECStatus
 NSS_SetFrancePolicy(void)
 {
     return NSS_SetDomesticPolicy();
 }
 
 SECStatus
+SSL_DHEGroupPrefSet(PRFileDesc *fd,
+                    SSLDHEGroupType *groups,
+                    PRUint16 num_groups)
+{
+    sslSocket *ss;
+
+    if ((num_groups && !groups) || (!num_groups && groups)) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+        SSL_DBG(("%d: SSL[%d]: bad socket in SSL_DHEGroupPrefSet", SSL_GETPID(), fd));
+        return SECFailure;
+    }
+
+    if (ss->ssl3.dheGroups) {
+        PORT_Free(ss->ssl3.dheGroups);
+        ss->ssl3.dheGroups = NULL;
+        ss->ssl3.numDHEGroups = 0;
+    }
+
+    if (groups) {
+        ss->ssl3.dheGroups = PORT_NewArray(SSLDHEGroupType, num_groups);
+        if (!ss->ssl3.dheGroups) {
+            PORT_SetError(SEC_ERROR_NO_MEMORY);
+            return SECFailure;
+        }
+        PORT_Memcpy(ss->ssl3.dheGroups, groups,
+                    sizeof(SSLDHEGroupType) * num_groups);
+    }
+    return SECSuccess;
+}
+
+
+PRCallOnceType gWeakDHParamsRegisterOnce;
+int gWeakDHParamsRegisterError;
+
+PRCallOnceType gWeakDHParamsOnce;
+int gWeakDHParamsError;
+/* As our code allocates type PQGParams, we'll keep it around,
+ * even though we only make use of it's parameters through gWeakDHParam. */
+static PQGParams *gWeakParamsPQG;
+static ssl3DHParams *gWeakDHParams;
+
+static PRStatus
+ssl3_CreateWeakDHParams(void)
+{
+    PQGVerify *vfy;
+    SECStatus rv, passed;
+
+    PORT_Assert(!gWeakDHParams && !gWeakParamsPQG);
+
+    rv = PK11_PQG_ParamGenV2(1024, 160, 64 /*maximum seed that will work*/,
+                             &gWeakParamsPQG, &vfy);
+    if (rv != SECSuccess) {
+        gWeakDHParamsError = PORT_GetError();
+        return PR_FAILURE;
+    }
+
+    rv = PK11_PQG_VerifyParams(gWeakParamsPQG, vfy, &passed);
+    if (rv != SECSuccess || passed != SECSuccess) {
+        SSL_DBG(("%d: PK11_PQG_VerifyParams failed in ssl3_CreateWeakDHParams",
+                SSL_GETPID()));
+        gWeakDHParamsError = PORT_GetError();
+        return PR_FAILURE;
+    }
+
+    gWeakDHParams = PORT_ArenaNew(gWeakParamsPQG->arena, ssl3DHParams);
+    if (!gWeakDHParams) {
+        gWeakDHParamsError = PORT_GetError();
+        return PR_FAILURE;
+    }
+
+    gWeakDHParams->prime.data = gWeakParamsPQG->prime.data;
+    gWeakDHParams->prime.len = gWeakParamsPQG->prime.len;
+    gWeakDHParams->base.data = gWeakParamsPQG->base.data;
+    gWeakDHParams->base.len = gWeakParamsPQG->base.len;
+
+    PK11_PQG_DestroyVerify(vfy);
+    return PR_SUCCESS;
+}
+
+static SECStatus
+ssl3_WeakDHParamsShutdown(void *appData, void *nssData)
+{
+    if (gWeakParamsPQG) {
+        PK11_PQG_DestroyParams(gWeakParamsPQG);
+        gWeakParamsPQG = NULL;
+        gWeakDHParams = NULL;
+    }
+    return SECSuccess;
+}
+
+static PRStatus
+ssl3_WeakDHParamsRegisterShutdown(void)
+{
+    SECStatus rv;
+    rv = NSS_RegisterShutdown(ssl3_WeakDHParamsShutdown, NULL);
+    if (rv != SECSuccess) {
+        gWeakDHParamsRegisterError = PORT_GetError();
+    }
+    return (PRStatus)rv;
+}
+
+/* global init strategy inspired by ssl3_CreateECDHEphemeralKeys */
+SECStatus
+SSL_EnableWeakDHEPrimeGroup(PRFileDesc *fd, PRBool enabled)
+{
+    sslSocket *ss;
+    PRStatus status;
+
+    if (enabled) {
+        status = PR_CallOnce(&gWeakDHParamsRegisterOnce,
+                             ssl3_WeakDHParamsRegisterShutdown);
+        if (status != PR_SUCCESS) {
+            PORT_SetError(gWeakDHParamsRegisterError);
+            return SECFailure;
+        }
+
+        status = PR_CallOnce(&gWeakDHParamsOnce, ssl3_CreateWeakDHParams);
+        if (status != PR_SUCCESS) {
+            PORT_SetError(gWeakDHParamsError);
+            return SECFailure;
+        }
+    }
+
+    if (!fd)
+        return SECSuccess;
+
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+        SSL_DBG(("%d: SSL[%d]: bad socket in SSL_DHEGroupPrefSet", SSL_GETPID(), fd));
+        return SECFailure;
+    }
+
+    ss->ssl3.dheWeakGroupEnabled = enabled;
+    return SECSuccess;
+}
+
+SECStatus
 SSL_GetChannelBinding(PRFileDesc *fd,
                       SSLChannelBindingType binding_type,
                       unsigned char *out,
                       unsigned int *outLen,
                       unsigned int outLenMax) {
     sslSocket *ss = ssl_FindSocket(fd);
 
     if (!ss) {
         SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetChannelBinding",
                  SSL_GETPID(), fd));
         return SECFailure;
     }
 
     if (binding_type != SSL_CHANNEL_BINDING_TLS_UNIQUE) {
         PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
         return SECFailure;
     }
 
     return ssl3_GetTLSUniqueChannelBinding(ss, out, outLen, outLenMax);
 }
 
+#include "dhe-param.c"
+
+static const SSLDHEGroupType ssl_default_dhe_groups[] = {
+    ssl_ff_dhe_2048_group
+};
+
+/* Keep this array synchronized with the index definitions in SSLDHEGroupType */
+static const ssl3DHParams *all_ssl3DHParams[] = {
+    NULL, /* ssl_dhe_group_none */
+    &ff_dhe_2048,
+    &ff_dhe_3072,
+    &ff_dhe_4096,
+    &ff_dhe_6144,
+    &ff_dhe_8192,
+};
+
+static SSLDHEGroupType
+selectDHEGroup(sslSocket *ss, const SSLDHEGroupType *groups, PRUint16 num_groups)
+{
+    if (!groups || !num_groups)
+        return ssl_dhe_group_none;
+
+    /* We don't have automatic group parameter selection yet
+     * (potentially) based on socket parameters, e.g. key sizes.
+     * For now, we return the first available group from the allowed list. */
+    return groups[0];
+}
+
+/* Ensure DH parameters have been selected */
+SECStatus
+ssl3_SelectDHParams(sslSocket *ss)
+{
+    SSLDHEGroupType selectedGroup = ssl_dhe_group_none;
+
+    if (ss->ssl3.dheWeakGroupEnabled) {
+        ss->dheParams = gWeakDHParams;
+    } else {
+        if (ss->ssl3.dheGroups) {
+            selectedGroup = selectDHEGroup(ss, ss->ssl3.dheGroups,
+                               ss->ssl3.numDHEGroups);
+        } else {
+            size_t number_of_default_groups = PR_ARRAY_SIZE(ssl_default_dhe_groups);
+            selectedGroup = selectDHEGroup(ss, ssl_default_dhe_groups,
+                               number_of_default_groups);
+        }
+
+        if (selectedGroup == ssl_dhe_group_none ||
+            selectedGroup >= ssl_dhe_group_max) {
+            return SECFailure;
+        }
+
+        ss->dheParams = all_ssl3DHParams[selectedGroup];
+    }
+
+    return SECSuccess;
+}
 
 /* LOCKS ??? XXX */
 static PRFileDesc *
 ssl_ImportFD(PRFileDesc *model, PRFileDesc *fd, SSLProtocolVariant variant)
 {
     sslSocket * ns = NULL;
     PRStatus    rv;
     PRNetAddr   addr;
     SECStatus   status = ssl_Init();
 
@@ skipping 277 matching lines @@
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return NULL;
     }
 
     ss->opt  = sm->opt;
     ss->vrange = sm->vrange;
     PORT_Memcpy(ss->cipherSuites, sm->cipherSuites, sizeof sm->cipherSuites);
     PORT_Memcpy(ss->ssl3.dtlsSRTPCiphers, sm->ssl3.dtlsSRTPCiphers,
                 sizeof(PRUint16) * sm->ssl3.dtlsSRTPCipherCount);
     ss->ssl3.dtlsSRTPCipherCount = sm->ssl3.dtlsSRTPCipherCount;
+    PORT_Memcpy(ss->ssl3.signatureAlgorithms, sm->ssl3.signatureAlgorithms,
+                sizeof(ss->ssl3.signatureAlgorithms[0]) *
+                sm->ssl3.signatureAlgorithmCount);
+    ss->ssl3.signatureAlgorithmCount = sm->ssl3.signatureAlgorithmCount;
 
     if (!ss->opt.useSecurity) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return NULL;
     }
     /* This int should be SSLKEAType, but CC on Irix complains,
      * during the for loop.
      */
     for (i=kt_null; i < kt_kea_size; i++) {
         mc = &(sm->serverCerts[i]);
@@ skipping 1403 matching lines @@
         for (i=kt_null; i < kt_kea_size; i++) {
             sslServerCerts * sc = ss->serverCerts + i;
             sc->serverCert      = NULL;
             sc->serverCertChain = NULL;
             sc->serverKeyPair   = NULL;
             sc->serverKeyBits   = 0;
             ss->certStatusArray[i] = NULL;
         }
         ss->requestedCertTypes = NULL;
         ss->stepDownKeyPair    = NULL;
+
+        ss->dheParams = NULL;
+        ss->dheKeyPair = NULL;
+
         ss->dbHandle           = CERT_GetDefaultCertDB();
 
         /* Provide default implementation of hooks */
         ss->authCertificate    = SSL_AuthCertificate;
         ss->authCertificateArg = (void *)ss->dbHandle;
         ss->sniSocketConfig    = NULL;
         ss->sniSocketConfigArg = NULL;
         ss->getClientAuthData  = NULL;
 #ifdef NSS_PLATFORM_CLIENT_AUTH
         ss->getPlatformClientAuthData = NULL;
@@ skipping 23 matching lines @@
         if (status != SECSuccess) {
 loser:
             ssl_DestroySocketContents(ss);
             ssl_DestroyLocks(ss);
             PORT_Free(ss);
             ss = NULL;
         }
     }
     return ss;
 }