OLD | NEW |
1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ | 1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ |
2 /* | 2 /* |
3 * SSL3 Protocol | 3 * SSL3 Protocol |
4 * | 4 * |
5 * This Source Code Form is subject to the terms of the Mozilla Public | 5 * This Source Code Form is subject to the terms of the Mozilla Public |
6 * License, v. 2.0. If a copy of the MPL was not distributed with this | 6 * License, v. 2.0. If a copy of the MPL was not distributed with this |
7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
8 | 8 |
9 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */ | 9 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */ |
10 | 10 |
(...skipping 1366 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1377 } | 1377 } |
1378 if (spec->master_secret != NULL) { | 1378 if (spec->master_secret != NULL) { |
1379 PK11_FreeSymKey(spec->master_secret); | 1379 PK11_FreeSymKey(spec->master_secret); |
1380 spec->master_secret = NULL; | 1380 spec->master_secret = NULL; |
1381 } | 1381 } |
1382 spec->msItem.data = NULL; | 1382 spec->msItem.data = NULL; |
1383 spec->msItem.len = 0; | 1383 spec->msItem.len = 0; |
1384 ssl3_CleanupKeyMaterial(&spec->client); | 1384 ssl3_CleanupKeyMaterial(&spec->client); |
1385 ssl3_CleanupKeyMaterial(&spec->server); | 1385 ssl3_CleanupKeyMaterial(&spec->server); |
1386 spec->bypassCiphers = PR_FALSE; | 1386 spec->bypassCiphers = PR_FALSE; |
| 1387 spec->encryptThenMAC = PR_FALSE; |
1387 spec->destroy=NULL; | 1388 spec->destroy=NULL; |
1388 spec->destroyCompressContext = NULL; | 1389 spec->destroyCompressContext = NULL; |
1389 spec->destroyDecompressContext = NULL; | 1390 spec->destroyDecompressContext = NULL; |
1390 } | 1391 } |
1391 | 1392 |
1392 /* Fill in the pending cipher spec with info from the selected ciphersuite. | 1393 /* Fill in the pending cipher spec with info from the selected ciphersuite. |
1393 ** This is as much initialization as we can do without having key material. | 1394 ** This is as much initialization as we can do without having key material. |
1394 ** Called from ssl3_HandleServerHello(), ssl3_SendServerHello() | 1395 ** Called from ssl3_HandleServerHello(), ssl3_SendServerHello() |
1395 ** Caller must hold the ssl3 handshake lock. | 1396 ** Caller must hold the ssl3 handshake lock. |
1396 ** Acquires & releases SpecWriteLock. | 1397 ** Acquires & releases SpecWriteLock. |
(...skipping 65 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1462 | 1463 |
1463 pwSpec->encodeContext = NULL; | 1464 pwSpec->encodeContext = NULL; |
1464 pwSpec->decodeContext = NULL; | 1465 pwSpec->decodeContext = NULL; |
1465 | 1466 |
1466 pwSpec->mac_size = pwSpec->mac_def->mac_size; | 1467 pwSpec->mac_size = pwSpec->mac_def->mac_size; |
1467 | 1468 |
1468 pwSpec->compression_method = ss->ssl3.hs.compression; | 1469 pwSpec->compression_method = ss->ssl3.hs.compression; |
1469 pwSpec->compressContext = NULL; | 1470 pwSpec->compressContext = NULL; |
1470 pwSpec->decompressContext = NULL; | 1471 pwSpec->decompressContext = NULL; |
1471 | 1472 |
| 1473 pwSpec->encryptThenMAC = |
| 1474 ssl3_ExtensionNegotiated(ss, ssl_encrypt_then_mac_xtn); |
| 1475 |
1472 ssl_ReleaseSpecWriteLock(ss); /*******************************/ | 1476 ssl_ReleaseSpecWriteLock(ss); /*******************************/ |
1473 return SECSuccess; | 1477 return SECSuccess; |
1474 } | 1478 } |
1475 | 1479 |
1476 #ifdef NSS_ENABLE_ZLIB | 1480 #ifdef NSS_ENABLE_ZLIB |
1477 #define SSL3_DEFLATE_CONTEXT_SIZE sizeof(z_stream) | 1481 #define SSL3_DEFLATE_CONTEXT_SIZE sizeof(z_stream) |
1478 | 1482 |
1479 static SECStatus | 1483 static SECStatus |
1480 ssl3_MapZlibError(int zlib_error) | 1484 ssl3_MapZlibError(int zlib_error) |
1481 { | 1485 { |
(...skipping 1243 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2725 wrBuf->buf + headerLen, /* output */ | 2729 wrBuf->buf + headerLen, /* output */ |
2726 &cipherBytes, /* out len */ | 2730 &cipherBytes, /* out len */ |
2727 wrBuf->space - headerLen, /* max out */ | 2731 wrBuf->space - headerLen, /* max out */ |
2728 pIn, contentLen, /* input */ | 2732 pIn, contentLen, /* input */ |
2729 pseudoHeader, pseudoHeaderLen); | 2733 pseudoHeader, pseudoHeaderLen); |
2730 if (rv != SECSuccess) { | 2734 if (rv != SECSuccess) { |
2731 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); | 2735 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); |
2732 return SECFailure; | 2736 return SECFailure; |
2733 } | 2737 } |
2734 } else { | 2738 } else { |
2735 » /* | 2739 if (!cwSpec->encryptThenMAC) { |
2736 » * Add the MAC | 2740 » /* |
2737 » */ | 2741 » * Add the MAC |
2738 » rv = ssl3_ComputeRecordMAC(cwSpec, isServer, | 2742 » */ |
2739 » pseudoHeader, pseudoHeaderLen, pIn, contentLen, | 2743 » rv = ssl3_ComputeRecordMAC(cwSpec, isServer, |
2740 » wrBuf->buf + headerLen + ivLen + contentLen, &macLen); | 2744 » » pseudoHeader, pseudoHeaderLen, pIn, contentLen, |
2741 » if (rv != SECSuccess) { | 2745 » » wrBuf->buf + headerLen + ivLen + contentLen, &macLen); |
2742 » ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); | 2746 » if (rv != SECSuccess) { |
2743 » return SECFailure; | 2747 » » ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); |
| 2748 » » return SECFailure; |
| 2749 » } |
| 2750 » p1Len = contentLen; |
| 2751 » p2Len = macLen; |
| 2752 » fragLen = contentLen + macLen;» /* needs to be encrypted */ |
| 2753 » PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024); |
| 2754 } else { |
| 2755 » p1Len = contentLen; |
| 2756 » p2Len = 0; |
| 2757 » fragLen = contentLen;» /* needs to be encrypted */ |
2744 } | 2758 } |
2745 p1Len = contentLen; | |
2746 p2Len = macLen; | |
2747 fragLen = contentLen + macLen; /* needs to be encrypted */ | |
2748 PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024); | |
2749 | 2759 |
2750 /* | 2760 /* |
2751 * Pad the text (if we're doing a block cipher) | 2761 * Pad the text (if we're doing a block cipher) |
2752 * then Encrypt it | 2762 * then Encrypt it |
2753 */ | 2763 */ |
2754 if (cipher_def->type == type_block) { | 2764 if (cipher_def->type == type_block) { |
2755 unsigned char * pBuf; | 2765 unsigned char * pBuf; |
2756 int padding_length; | 2766 int padding_length; |
2757 int i; | 2767 int i; |
2758 | 2768 |
(...skipping 47 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2806 p2Len, /* max outlen */ | 2816 p2Len, /* max outlen */ |
2807 wrBuf->buf + headerLen + ivLen + p1Len, | 2817 wrBuf->buf + headerLen + ivLen + p1Len, |
2808 p2Len); /* input and inputLen*/ | 2818 p2Len); /* input and inputLen*/ |
2809 PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len); | 2819 PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len); |
2810 if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) { | 2820 if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) { |
2811 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); | 2821 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); |
2812 return SECFailure; | 2822 return SECFailure; |
2813 } | 2823 } |
2814 cipherBytes += cipherBytesPart2; | 2824 cipherBytes += cipherBytesPart2; |
2815 } | 2825 } |
| 2826 |
| 2827 if (cwSpec->encryptThenMAC) { |
| 2828 /* |
| 2829 * Add the MAC |
| 2830 */ |
| 2831 pseudoHeaderLen = ssl3_BuildRecordPseudoHeader( |
| 2832 pseudoHeader, cwSpec->write_seq_num, type, |
| 2833 cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_0, cwSpec->version, |
| 2834 isDTLS, cipherBytes /* + crSpec->mac_size */); |
| 2835 PORT_Assert(pseudoHeaderLen <= sizeof(pseudoHeader)); |
| 2836 |
| 2837 rv = ssl3_ComputeRecordMAC(cwSpec, isServer, |
| 2838 pseudoHeader, pseudoHeaderLen, |
| 2839 wrBuf->buf + headerLen, cipherBytes, |
| 2840 wrBuf->buf + headerLen + cipherBytes, &macLen); |
| 2841 if (rv != SECSuccess) { |
| 2842 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); |
| 2843 return SECFailure; |
| 2844 } |
| 2845 PORT_Assert(macLen == cwSpec->mac_size); |
| 2846 cipherBytes += macLen; |
| 2847 PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024); |
| 2848 } |
2816 } | 2849 } |
2817 | 2850 |
2818 PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024); | 2851 PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024); |
2819 | 2852 |
2820 wrBuf->len = cipherBytes + headerLen; | 2853 wrBuf->len = cipherBytes + headerLen; |
2821 wrBuf->buf[0] = type; | 2854 wrBuf->buf[0] = type; |
2822 if (isDTLS) { | 2855 if (isDTLS) { |
2823 SSL3ProtocolVersion version; | 2856 SSL3ProtocolVersion version; |
2824 | 2857 |
2825 version = dtls_TLSVersionToDTLSVersion(cwSpec->version); | 2858 version = dtls_TLSVersionToDTLSVersion(cwSpec->version); |
(...skipping 6246 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
9072 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.compression, 1); | 9105 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.compression, 1); |
9073 if (rv != SECSuccess) { | 9106 if (rv != SECSuccess) { |
9074 return rv; /* err set by AppendHandshake. */ | 9107 return rv; /* err set by AppendHandshake. */ |
9075 } | 9108 } |
9076 if (extensions_len) { | 9109 if (extensions_len) { |
9077 PRInt32 sent_len; | 9110 PRInt32 sent_len; |
9078 | 9111 |
9079 extensions_len -= 2; | 9112 extensions_len -= 2; |
9080 rv = ssl3_AppendHandshakeNumber(ss, extensions_len, 2); | 9113 rv = ssl3_AppendHandshakeNumber(ss, extensions_len, 2); |
9081 if (rv != SECSuccess) | 9114 if (rv != SECSuccess) |
9082 » return rv;» /* err set by ssl3_SetupPendingCipherSpec */ | 9115 » return rv;» /* err set by AppendHandshake. */ |
9083 sent_len = ssl3_CallHelloExtensionSenders(ss, PR_TRUE, extensions_len, | 9116 sent_len = ssl3_CallHelloExtensionSenders(ss, PR_TRUE, extensions_len, |
9084 &ss->xtnData.serverSenders[0]); | 9117 &ss->xtnData.serverSenders[0]); |
9085 PORT_Assert(sent_len == extensions_len); | 9118 PORT_Assert(sent_len == extensions_len); |
9086 if (sent_len != extensions_len) { | 9119 if (sent_len != extensions_len) { |
9087 if (sent_len >= 0) | 9120 if (sent_len >= 0) |
9088 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | 9121 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
9089 return SECFailure; | 9122 return SECFailure; |
9090 } | 9123 } |
9091 } | 9124 } |
9092 rv = ssl3_SetupPendingCipherSpec(ss); | 9125 rv = ssl3_SetupPendingCipherSpec(ss); |
(...skipping 2821 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
11914 /* cText is NULL when we're called from ssl3_RestartHandshakeAfterXXX(). | 11947 /* cText is NULL when we're called from ssl3_RestartHandshakeAfterXXX(). |
11915 * This implies that databuf holds a previously deciphered SSL Handshake | 11948 * This implies that databuf holds a previously deciphered SSL Handshake |
11916 * message. | 11949 * message. |
11917 */ | 11950 */ |
11918 if (cText == NULL) { | 11951 if (cText == NULL) { |
11919 SSL_DBG(("%d: SSL3[%d]: HandleRecord, resuming handshake", | 11952 SSL_DBG(("%d: SSL3[%d]: HandleRecord, resuming handshake", |
11920 SSL_GETPID(), ss->fd)); | 11953 SSL_GETPID(), ss->fd)); |
11921 rType = content_handshake; | 11954 rType = content_handshake; |
11922 goto process_it; | 11955 goto process_it; |
11923 } | 11956 } |
| 11957 rType = cText->type; |
11924 | 11958 |
11925 ssl_GetSpecReadLock(ss); /******************************************/ | 11959 ssl_GetSpecReadLock(ss); /******************************************/ |
11926 | 11960 |
11927 crSpec = ss->ssl3.crSpec; | 11961 crSpec = ss->ssl3.crSpec; |
11928 cipher_def = crSpec->cipher_def; | 11962 cipher_def = crSpec->cipher_def; |
11929 | 11963 |
11930 /* | 11964 /* |
11931 * DTLS relevance checks: | 11965 * DTLS relevance checks: |
11932 * Note that this code currently ignores all out-of-epoch packets, | 11966 * Note that this code currently ignores all out-of-epoch packets, |
11933 * which means we lose some in the case of rehandshake + | 11967 * which means we lose some in the case of rehandshake + |
(...skipping 38 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
11972 } else if (cipher_def->type == type_aead) { | 12006 } else if (cipher_def->type == type_aead) { |
11973 minLength = cipher_def->explicit_nonce_size + cipher_def->tag_size; | 12007 minLength = cipher_def->explicit_nonce_size + cipher_def->tag_size; |
11974 } | 12008 } |
11975 | 12009 |
11976 /* We can perform this test in variable time because the record's total | 12010 /* We can perform this test in variable time because the record's total |
11977 * length and the ciphersuite are both public knowledge. */ | 12011 * length and the ciphersuite are both public knowledge. */ |
11978 if (cText->buf->len < minLength) { | 12012 if (cText->buf->len < minLength) { |
11979 goto decrypt_loser; | 12013 goto decrypt_loser; |
11980 } | 12014 } |
11981 | 12015 |
| 12016 if (crSpec->encryptThenMAC) { |
| 12017 /* compute the MAC */ |
| 12018 headerLen = ssl3_BuildRecordPseudoHeader( |
| 12019 header, IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, |
| 12020 rType, isTLS, cText->version, IS_DTLS(ss), |
| 12021 cText->buf->len - crSpec->mac_size); |
| 12022 PORT_Assert(headerLen <= sizeof(header)); |
| 12023 /* This is safe because we checked the minLength above. */ |
| 12024 cText->buf->len -= crSpec->mac_size; |
| 12025 |
| 12026 rv = ssl3_ComputeRecordMAC( |
| 12027 crSpec, (PRBool)(!ss->sec.isServer), header, headerLen, |
| 12028 cText->buf->buf, cText->buf->len, hash, &hashBytes); |
| 12029 |
| 12030 /* We can read the MAC directly from the record because its location |
| 12031 * is public when a stream cipher is used. */ |
| 12032 givenHash = cText->buf->buf + cText->buf->len; |
| 12033 |
| 12034 if (hashBytes != (unsigned)crSpec->mac_size || |
| 12035 NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) { |
| 12036 /* We're allowed to leak whether or not the MAC check was correct */ |
| 12037 goto decrypt_loser; |
| 12038 } |
| 12039 } |
| 12040 |
11982 if (cipher_def->type == type_block && | 12041 if (cipher_def->type == type_block && |
11983 crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { | 12042 crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { |
11984 /* Consume the per-record explicit IV. RFC 4346 Section 6.2.3.2 states | 12043 /* Consume the per-record explicit IV. RFC 4346 Section 6.2.3.2 states |
11985 * "The receiver decrypts the entire GenericBlockCipher structure and | 12044 * "The receiver decrypts the entire GenericBlockCipher structure and |
11986 * then discards the first cipher block corresponding to the IV | 12045 * then discards the first cipher block corresponding to the IV |
11987 * component." Instead, we decrypt the first cipher block and then | 12046 * component." Instead, we decrypt the first cipher block and then |
11988 * discard it before decrypting the rest. | 12047 * discard it before decrypting the rest. |
11989 */ | 12048 */ |
11990 SSL3Opaque iv[MAX_IV_LENGTH]; | 12049 SSL3Opaque iv[MAX_IV_LENGTH]; |
11991 int decoded; | 12050 int decoded; |
(...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
12037 | 12096 |
12038 isTLS = (PRBool)(crSpec->version > SSL_LIBRARY_VERSION_3_0); | 12097 isTLS = (PRBool)(crSpec->version > SSL_LIBRARY_VERSION_3_0); |
12039 | 12098 |
12040 if (isTLS && cText->buf->len - ivLen > (MAX_FRAGMENT_LENGTH + 2048)) { | 12099 if (isTLS && cText->buf->len - ivLen > (MAX_FRAGMENT_LENGTH + 2048)) { |
12041 ssl_ReleaseSpecReadLock(ss); | 12100 ssl_ReleaseSpecReadLock(ss); |
12042 SSL3_SendAlert(ss, alert_fatal, record_overflow); | 12101 SSL3_SendAlert(ss, alert_fatal, record_overflow); |
12043 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); | 12102 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); |
12044 return SECFailure; | 12103 return SECFailure; |
12045 } | 12104 } |
12046 | 12105 |
12047 rType = cText->type; | |
12048 if (cipher_def->type == type_aead) { | 12106 if (cipher_def->type == type_aead) { |
12049 /* XXX For many AEAD ciphers, the plaintext is shorter than the | 12107 /* XXX For many AEAD ciphers, the plaintext is shorter than the |
12050 * ciphertext by a fixed byte count, but it is not true in general. | 12108 * ciphertext by a fixed byte count, but it is not true in general. |
12051 * Each AEAD cipher should provide a function that returns the | 12109 * Each AEAD cipher should provide a function that returns the |
12052 * plaintext length for a given ciphertext. */ | 12110 * plaintext length for a given ciphertext. */ |
12053 unsigned int decryptedLen = | 12111 unsigned int decryptedLen = |
12054 cText->buf->len - cipher_def->explicit_nonce_size - | 12112 cText->buf->len - cipher_def->explicit_nonce_size - |
12055 cipher_def->tag_size; | 12113 cipher_def->tag_size; |
12056 headerLen = ssl3_BuildRecordPseudoHeader( | 12114 headerLen = ssl3_BuildRecordPseudoHeader( |
12057 header, IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, | 12115 header, IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, |
(...skipping 25 matching lines...) Expand all Loading... |
12083 goto decrypt_loser; | 12141 goto decrypt_loser; |
12084 } | 12142 } |
12085 | 12143 |
12086 PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len)); | 12144 PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len)); |
12087 | 12145 |
12088 originalLen = plaintext->len; | 12146 originalLen = plaintext->len; |
12089 | 12147 |
12090 /* If it's a block cipher, check and strip the padding. */ | 12148 /* If it's a block cipher, check and strip the padding. */ |
12091 if (cipher_def->type == type_block) { | 12149 if (cipher_def->type == type_block) { |
12092 const unsigned int blockSize = cipher_def->block_size; | 12150 const unsigned int blockSize = cipher_def->block_size; |
12093 » const unsigned int macSize = crSpec->mac_size; | 12151 » const unsigned int macSize = |
| 12152 » » crSpec->encryptThenMAC ? 0 : crSpec->mac_size; |
12094 | 12153 |
12095 if (!isTLS) { | 12154 if (!isTLS) { |
12096 good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding( | 12155 good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding( |
12097 plaintext, blockSize, macSize)); | 12156 plaintext, blockSize, macSize)); |
12098 } else { | 12157 } else { |
12099 good &= SECStatusToMask(ssl_RemoveTLSCBCPadding( | 12158 good &= SECStatusToMask(ssl_RemoveTLSCBCPadding( |
12100 plaintext, macSize)); | 12159 plaintext, macSize)); |
12101 } | 12160 } |
12102 } | 12161 } |
12103 | 12162 |
| 12163 if (!crSpec->encryptThenMAC) { |
12104 /* compute the MAC */ | 12164 /* compute the MAC */ |
12105 headerLen = ssl3_BuildRecordPseudoHeader( | 12165 headerLen = ssl3_BuildRecordPseudoHeader( |
12106 header, IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, | 12166 header, IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, |
12107 rType, isTLS, cText->version, IS_DTLS(ss), | 12167 rType, isTLS, cText->version, IS_DTLS(ss), |
12108 plaintext->len - crSpec->mac_size); | 12168 plaintext->len - crSpec->mac_size); |
12109 PORT_Assert(headerLen <= sizeof(header)); | 12169 PORT_Assert(headerLen <= sizeof(header)); |
12110 if (cipher_def->type == type_block) { | 12170 if (cipher_def->type == type_block) { |
12111 rv = ssl3_ComputeRecordMACConstantTime( | 12171 rv = ssl3_ComputeRecordMACConstantTime( |
12112 crSpec, (PRBool)(!ss->sec.isServer), header, headerLen, | 12172 crSpec, (PRBool)(!ss->sec.isServer), header, headerLen, |
12113 plaintext->buf, plaintext->len, originalLen, | 12173 plaintext->buf, plaintext->len, originalLen, |
(...skipping 21 matching lines...) Expand all Loading... |
12135 givenHash = plaintext->buf + plaintext->len; | 12195 givenHash = plaintext->buf + plaintext->len; |
12136 } | 12196 } |
12137 | 12197 |
12138 good &= SECStatusToMask(rv); | 12198 good &= SECStatusToMask(rv); |
12139 | 12199 |
12140 if (hashBytes != (unsigned)crSpec->mac_size || | 12200 if (hashBytes != (unsigned)crSpec->mac_size || |
12141 NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) { | 12201 NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) { |
12142 /* We're allowed to leak whether or not the MAC check was correct */ | 12202 /* We're allowed to leak whether or not the MAC check was correct */ |
12143 good = 0; | 12203 good = 0; |
12144 } | 12204 } |
| 12205 } |
12145 } | 12206 } |
12146 | 12207 |
12147 if (good == 0) { | 12208 if (good == 0) { |
12148 decrypt_loser: | 12209 decrypt_loser: |
12149 /* must not hold spec lock when calling SSL3_SendAlert. */ | 12210 /* must not hold spec lock when calling SSL3_SendAlert. */ |
12150 ssl_ReleaseSpecReadLock(ss); | 12211 ssl_ReleaseSpecReadLock(ss); |
12151 | 12212 |
12152 SSL_DBG(("%d: SSL3[%d]: decryption failed", SSL_GETPID(), ss->fd)); | 12213 SSL_DBG(("%d: SSL3[%d]: decryption failed", SSL_GETPID(), ss->fd)); |
12153 | 12214 |
12154 if (!IS_DTLS(ss)) { | 12215 if (!IS_DTLS(ss)) { |
(...skipping 155 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
12310 spec->encode = Null_Cipher; | 12371 spec->encode = Null_Cipher; |
12311 spec->decode = Null_Cipher; | 12372 spec->decode = Null_Cipher; |
12312 spec->destroy = NULL; | 12373 spec->destroy = NULL; |
12313 spec->compressor = NULL; | 12374 spec->compressor = NULL; |
12314 spec->decompressor = NULL; | 12375 spec->decompressor = NULL; |
12315 spec->destroyCompressContext = NULL; | 12376 spec->destroyCompressContext = NULL; |
12316 spec->destroyDecompressContext = NULL; | 12377 spec->destroyDecompressContext = NULL; |
12317 spec->mac_size = 0; | 12378 spec->mac_size = 0; |
12318 spec->master_secret = NULL; | 12379 spec->master_secret = NULL; |
12319 spec->bypassCiphers = PR_FALSE; | 12380 spec->bypassCiphers = PR_FALSE; |
| 12381 spec->encryptThenMAC = PR_FALSE; |
12320 | 12382 |
12321 spec->msItem.data = NULL; | 12383 spec->msItem.data = NULL; |
12322 spec->msItem.len = 0; | 12384 spec->msItem.len = 0; |
12323 | 12385 |
12324 spec->client.write_key = NULL; | 12386 spec->client.write_key = NULL; |
12325 spec->client.write_mac_key = NULL; | 12387 spec->client.write_mac_key = NULL; |
12326 spec->client.write_mac_context = NULL; | 12388 spec->client.write_mac_context = NULL; |
12327 | 12389 |
12328 spec->server.write_key = NULL; | 12390 spec->server.write_key = NULL; |
12329 spec->server.write_mac_key = NULL; | 12391 spec->server.write_mac_key = NULL; |
(...skipping 511 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
12841 PORT_Free(ss->ssl3.hs.recvdFragments.buf); | 12903 PORT_Free(ss->ssl3.hs.recvdFragments.buf); |
12842 } | 12904 } |
12843 } | 12905 } |
12844 | 12906 |
12845 ss->ssl3.initialized = PR_FALSE; | 12907 ss->ssl3.initialized = PR_FALSE; |
12846 | 12908 |
12847 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); | 12909 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); |
12848 } | 12910 } |
12849 | 12911 |
12850 /* End of ssl3con.c */ | 12912 /* End of ssl3con.c */ |
OLD | NEW |