Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(546)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/third_party/nss/patches/tls12handshakehashes.patch

Issue 17109007: Miscellaneous cleanup of TLS 1.2 code. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Make error handling in ssl3_InitHandshakeHashes more uniform. Include the patch file. Created 7 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « net/third_party/nss/patches/applypatches.sh ('k') | net/third_party/nss/ssl/derive.c » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 Index: net/third_party/nss/ssl/derive.c
2 ===================================================================
3 --- net/third_party/nss/ssl/derive.c (revision 206496)
4 +++ net/third_party/nss/ssl/derive.c (working copy)
5 @@ -82,9 +82,11 @@
6 unsigned int effKeySize; /* effective size of cipher keys */
7 unsigned int macSize; /* size of MAC secret */
8 unsigned int IVSize; /* size of IV */
9 + PRBool explicitIV = PR_FALSE;
10 SECStatus rv = SECFailure;
11 SECStatus status = SECSuccess;
12 PRBool isFIPS = PR_FALSE;
13 + PRBool isTLS12 = pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2;
14
15 SECItem srcr;
16 SECItem crsr;
17 @@ -116,7 +118,13 @@
18 if (keySize == 0) {
19 effKeySize = IVSize = 0; /* only MACing */
20 }
21 - block_needed = 2 * (macSize + effKeySize + ((!isExport) * IVSize));
22 + if (cipher_def->type == type_block &&
23 + pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) {
24 + /* Block ciphers in >= TLS 1.1 use a per-record, explicit IV. */
25 + explicitIV = PR_TRUE;
26 + }
27 + block_needed =
28 + 2 * (macSize + effKeySize + ((!isExport && !explicitIV) * IVSize));
29
30 /*
31 * clear out our returned keys so we can recover on failure
32 @@ -151,8 +159,13 @@
33 keyblk.data = key_block;
34 keyblk.len = block_needed;
35
36 - status = TLS_PRF(&pwSpec->msItem, "key expansion", &srcr, &keyblk,
37 - isFIPS);
38 + if (isTLS12) {
39 + status = TLS_P_hash(HASH_AlgSHA256, &pwSpec->msItem,
40 + "key expansion", &srcr, &keyblk, isFIPS);
41 + } else {
42 + status = TLS_PRF(&pwSpec->msItem, "key expansion", &srcr, &keyblk,
43 + isFIPS);
44 + }
45 if (status != SECSuccess) {
46 goto key_and_mac_derive_fail;
47 }
48 @@ -240,22 +253,34 @@
49 i += keySize;
50
51 if (IVSize > 0) {
52 - /*
53 - ** client_write_IV[CipherSpec.IV_size]
54 - */
55 - buildSSLKey(&key_block[i], IVSize, &pwSpec->client.write_iv_item, \
56 - "Domestic Client Write IV");
57 - i += IVSize;
58 + if (explicitIV) {
59 + static unsigned char zero_block[32];
60 + PORT_Assert(IVSize <= sizeof zero_block);
61 + buildSSLKey(&zero_block[0], IVSize, \
62 + &pwSpec->client.write_iv_item, \
63 + "Domestic Client Write IV");
64 + buildSSLKey(&zero_block[0], IVSize, \
65 + &pwSpec->server.write_iv_item, \
66 + "Domestic Server Write IV");
67 + } else {
68 + /*
69 + ** client_write_IV[CipherSpec.IV_size]
70 + */
71 + buildSSLKey(&key_block[i], IVSize, \
72 + &pwSpec->client.write_iv_item, \
73 + "Domestic Client Write IV");
74 + i += IVSize;
75
76 - /*
77 - ** server_write_IV[CipherSpec.IV_size]
78 - */
79 - buildSSLKey(&key_block[i], IVSize, &pwSpec->server.write_iv_item, \
80 - "Domestic Server Write IV");
81 - i += IVSize;
82 + /*
83 + ** server_write_IV[CipherSpec.IV_size]
84 + */
85 + buildSSLKey(&key_block[i], IVSize, \
86 + &pwSpec->server.write_iv_item, \
87 + "Domestic Server Write IV");
88 + i += IVSize;
89 + }
90 }
91 PORT_Assert(i <= block_bytes);
92 -
93 } else if (!isTLS) {
94 /*
95 ** Generate SSL3 Export write keys and IVs.
96 @@ -418,6 +443,7 @@
97 unsigned char * key_block = pwSpec->key_block;
98 SECStatus rv = SECSuccess;
99 PRBool isFIPS = PR_FALSE;
100 + PRBool isTLS12 = pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2;
101
102 SECItem crsr;
103
104 @@ -453,7 +479,12 @@
105 master.data = key_block;
106 master.len = SSL3_MASTER_SECRET_LENGTH;
107
108 - rv = TLS_PRF(pms, "master secret", &crsr, &master, isFIPS);
109 + if (isTLS12) {
110 + rv = TLS_P_hash(HASH_AlgSHA256, pms, "master secret", &crsr,
111 + &master, isFIPS);
112 + } else {
113 + rv = TLS_PRF(pms, "master secret", &crsr, &master, isFIPS);
114 + }
115 if (rv != SECSuccess) {
116 PORT_SetError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
117 }
118 Index: net/third_party/nss/ssl/sslsock.c
119 ===================================================================
120 --- net/third_party/nss/ssl/sslsock.c (revision 206496)
121 +++ net/third_party/nss/ssl/sslsock.c (working copy)
122 @@ -796,10 +796,7 @@
123 rv = SECFailure;
124 } else {
125 if (PR_FALSE != on) {
126 - /* PKCS#11 bypass is not supported with TLS 1.2. */
127 - if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2) {
128 - ss->opt.bypassPKCS11 = PR_FALSE;
129 - } else if (PR_SUCCESS == SSL_BypassSetup() ) {
130 + if (PR_SUCCESS == SSL_BypassSetup() ) {
131 #ifdef NO_PKCS11_BYPASS
132 ss->opt.bypassPKCS11 = PR_FALSE;
133 #else
134 @@ -1964,10 +1961,6 @@
135 }
136 ss->vrange.max = SSL_LIBRARY_VERSION_TLS_1_1;
137 }
138 - /* PKCS#11 bypass is not supported with TLS 1.2. */
139 - if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2) {
140 - ss->opt.bypassPKCS11 = PR_FALSE;
141 - }
142
143 ssl_ReleaseSSL3HandshakeLock(ss);
144 ssl_Release1stHandshakeLock(ss);
145 Index: net/third_party/nss/ssl/ssl3con.c
146 ===================================================================
147 --- net/third_party/nss/ssl/ssl3con.c (revision 206496)
148 +++ net/third_party/nss/ssl/ssl3con.c (working copy)
149 @@ -69,7 +69,6 @@
150 static SECStatus ssl3_SendServerHello( sslSocket *ss);
151 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss);
152 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss);
153 -static SECStatus ssl3_NewHandshakeHashes( sslSocket *ss);
154 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss,
155 const unsigned char *b,
156 unsigned int l);
157 @@ -1072,6 +1071,9 @@
158 } else if (hashAlg == SEC_OID_SHA384) {
159 SHA384_HashBuf(hashes->u.raw, hashBuf, bufLen);
160 hashes->len = SHA384_LENGTH;
161 + } else if (hashAlg == SEC_OID_SHA512) {
162 + SHA512_HashBuf(hashes->u.raw, hashBuf, bufLen);
163 + hashes->len = SHA512_LENGTH;
164 } else {
165 PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
166 return SECFailure;
167 @@ -1535,7 +1537,8 @@
168 }
169
170 #ifndef NO_PKCS11_BYPASS
171 -/* Initialize encryption and MAC contexts for pending spec.
172 +/* Initialize encryption contexts for pending spec.
173 + * MAC contexts are set up when computing the mac, not here.
174 * Master Secret already is derived in spec->msItem
175 * Caller holds Spec write lock.
176 */
177 @@ -1551,7 +1554,6 @@
178 unsigned int optArg1 = 0;
179 unsigned int optArg2 = 0;
180 PRBool server_encrypts = ss->sec.isServer;
181 - CK_ULONG macLength;
182 SSLCipherAlgorithm calg;
183 SSLCompressionMethod compression_method;
184 SECStatus rv;
185 @@ -1562,12 +1564,7 @@
186
187 pwSpec = ss->ssl3.pwSpec;
188 cipher_def = pwSpec->cipher_def;
189 - macLength = pwSpec->mac_size;
190
191 - /* MAC setup is done when computing the mac, not here.
192 - * Now setup the crypto contexts.
193 - */
194 -
195 calg = cipher_def->calg;
196 compression_method = pwSpec->compression_method;
197
198 @@ -3459,18 +3456,6 @@
199 */
200 rv = PK11_ExtractKeyValue(pwSpec->master_secret);
201 if (rv != SECSuccess) {
202 -#if defined(NSS_SURVIVE_DOUBLE_BYPASS_FAILURE)
203 - /* The double bypass failed.
204 - * Attempt to revert to an all PKCS#11, non-bypass method.
205 - * Do we need any unacquired locks here?
206 - */
207 - ss->opt.bypassPKCS11 = 0;
208 - rv = ssl3_NewHandshakeHashes(ss);
209 - if (rv == SECSuccess) {
210 - rv = ssl3_UpdateHandshakeHashes(ss, ss->ssl3.hs.messages.buf,
211 - ss->ssl3.hs.messages.len);
212 - }
213 -#endif
214 return rv;
215 }
216 /* This returns the address of the secItem inside the key struct,
217 @@ -3640,34 +3625,90 @@
218 return SECFailure;
219 }
220
221 -/* ssl3_InitTLS12HandshakeHash creates a handshake hash context for TLS 1.2,
222 - * if needed, and hashes in any buffered messages in ss->ssl3.hs.messages. */
223 +/* ssl3_InitHandshakeHashes creates handshake hash contexts and hashes in
224 + * buffered messages in ss->ssl3.hs.messages. */
225 static SECStatus
226 -ssl3_InitTLS12HandshakeHash(sslSocket *ss)
227 +ssl3_InitHandshakeHashes(sslSocket *ss)
228 {
229 - if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2 &&
230 - ss->ssl3.hs.tls12_handshake_hash == NULL) {
231 - /* If we ever support ciphersuites where the PRF hash isn't SHA-256
232 - * then this will need to be updated. */
233 - ss->ssl3.hs.tls12_handshake_hash =
234 - PK11_CreateDigestContext(SEC_OID_SHA256);
235 - if (!ss->ssl3.hs.tls12_handshake_hash ||
236 - PK11_DigestBegin(ss->ssl3.hs.tls12_handshake_hash) != SECSuccess) {
237 - ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
238 - return SECFailure;
239 + SSL_TRC(30,("%d: SSL3[%d]: start handshake hashes", SSL_GETPID(), ss->fd));
240 +
241 + PORT_Assert(ss->ssl3.hs.hashType == handshake_hash_unknown);
242 +#ifndef NO_PKCS11_BYPASS
243 + if (ss->opt.bypassPKCS11) {
244 + PORT_Assert(!ss->ssl3.hs.sha_obj && !ss->ssl3.hs.sha_clone);
245 + if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
246 + /* If we ever support ciphersuites where the PRF hash isn't SHA-256
247 + * then this will need to be updated. */
248 + ss->ssl3.hs.sha_obj = HASH_GetRawHashObject(HASH_AlgSHA256);
249 + if (!ss->ssl3.hs.sha_obj) {
250 + ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
251 + return SECFailure;
252 + }
253 + ss->ssl3.hs.sha_clone = (void (*)(void *, void *))SHA256_Clone;
254 + ss->ssl3.hs.hashType = handshake_hash_single;
255 + ss->ssl3.hs.sha_obj->begin(ss->ssl3.hs.sha_cx);
256 + } else {
257 + ss->ssl3.hs.hashType = handshake_hash_combo;
258 + MD5_Begin((MD5Context *)ss->ssl3.hs.md5_cx);
259 + SHA1_Begin((SHA1Context *)ss->ssl3.hs.sha_cx);
260 }
261 - }
262 + } else
263 +#endif
264 + {
265 + PORT_Assert(!ss->ssl3.hs.md5 && !ss->ssl3.hs.sha);
266 + /*
267 + * note: We should probably lookup an SSL3 slot for these
268 + * handshake hashes in hopes that we wind up with the same slots
269 + * that the master secret will wind up in ...
270 + */
271 + if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
272 + /* If we ever support ciphersuites where the PRF hash isn't SHA-256
273 + * then this will need to be updated. */
274 + ss->ssl3.hs.sha = PK11_CreateDigestContext(SEC_OID_SHA256);
275 + if (ss->ssl3.hs.sha == NULL) {
276 + ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
277 + return SECFailure;
278 + }
279 + ss->ssl3.hs.hashType = handshake_hash_single;
280
281 - if (ss->ssl3.hs.tls12_handshake_hash && ss->ssl3.hs.messages.len > 0) {
282 - if (PK11_DigestOp(ss->ssl3.hs.tls12_handshake_hash,
283 - ss->ssl3.hs.messages.buf,
284 - ss->ssl3.hs.messages.len) != SECSuccess) {
285 - ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
286 - return SECFailure;
287 + if (PK11_DigestBegin(ss->ssl3.hs.sha) != SECSuccess) {
288 + ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
289 + return SECFailure;
290 + }
291 + } else {
292 + /* Both ss->ssl3.hs.md5 and ss->ssl3.hs.sha should be NULL or
293 + * created successfully. */
294 + ss->ssl3.hs.md5 = PK11_CreateDigestContext(SEC_OID_MD5);
295 + if (ss->ssl3.hs.md5 == NULL) {
296 + ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
297 + return SECFailure;
298 + }
299 + ss->ssl3.hs.sha = PK11_CreateDigestContext(SEC_OID_SHA1);
300 + if (ss->ssl3.hs.sha == NULL) {
301 + PK11_DestroyContext(ss->ssl3.hs.md5, PR_TRUE);
302 + ss->ssl3.hs.md5 = NULL;
303 + ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
304 + return SECFailure;
305 + }
306 + ss->ssl3.hs.hashType = handshake_hash_combo;
307 +
308 + if (PK11_DigestBegin(ss->ssl3.hs.md5) != SECSuccess) {
309 + ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
310 + return SECFailure;
311 + }
312 + if (PK11_DigestBegin(ss->ssl3.hs.sha) != SECSuccess) {
313 + ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
314 + return SECFailure;
315 + }
316 }
317 }
318
319 - if (ss->ssl3.hs.messages.buf && !ss->opt.bypassPKCS11) {
320 + if (ss->ssl3.hs.messages.len > 0) {
321 + if (ssl3_UpdateHandshakeHashes(ss, ss->ssl3.hs.messages.buf,
322 + ss->ssl3.hs.messages.len) !=
323 + SECSuccess) {
324 + return SECFailure;
325 + }
326 PORT_Free(ss->ssl3.hs.messages.buf);
327 ss->ssl3.hs.messages.buf = NULL;
328 ss->ssl3.hs.messages.len = 0;
329 @@ -3682,83 +3723,30 @@
330 {
331 SECStatus rv = SECSuccess;
332
333 + SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes",
334 + SSL_GETPID(), ss->fd ));
335 + ss->ssl3.hs.hashType = handshake_hash_unknown;
336 ss->ssl3.hs.messages.len = 0;
337 #ifndef NO_PKCS11_BYPASS
338 - if (ss->opt.bypassPKCS11) {
339 - MD5_Begin((MD5Context *)ss->ssl3.hs.md5_cx);
340 - SHA1_Begin((SHA1Context *)ss->ssl3.hs.sha_cx);
341 - } else
342 + ss->ssl3.hs.sha_obj = NULL;
343 + ss->ssl3.hs.sha_clone = NULL;
344 #endif
345 - {
346 - if (ss->ssl3.hs.tls12_handshake_hash) {
347 - rv = PK11_DigestBegin(ss->ssl3.hs.tls12_handshake_hash);
348 - if (rv != SECSuccess) {
349 - ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
350 - return rv;
351 - }
352 - }
353 - rv = PK11_DigestBegin(ss->ssl3.hs.md5);
354 - if (rv != SECSuccess) {
355 - ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
356 - return rv;
357 - }
358 - rv = PK11_DigestBegin(ss->ssl3.hs.sha);
359 - if (rv != SECSuccess) {
360 - ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
361 - return rv;
362 - }
363 - }
364 - return rv;
365 -}
366 -
367 -static SECStatus
368 -ssl3_NewHandshakeHashes(sslSocket *ss)
369 -{
370 - PK11Context *md5 = NULL;
371 - PK11Context *sha = NULL;
372 -
373 - /*
374 - * note: We should probably lookup an SSL3 slot for these
375 - * handshake hashes in hopes that we wind up with the same slots
376 - * that the master secret will wind up in ...
377 - */
378 - SSL_TRC(30,("%d: SSL3[%d]: start handshake hashes", SSL_GETPID(), ss->fd));
379 - PORT_Assert(!ss->ssl3.hs.messages.buf && !ss->ssl3.hs.messages.space);
380 - ss->ssl3.hs.messages.buf = NULL;
381 - ss->ssl3.hs.messages.space = 0;
382 -
383 - ss->ssl3.hs.md5 = md5 = PK11_CreateDigestContext(SEC_OID_MD5);
384 - ss->ssl3.hs.sha = sha = PK11_CreateDigestContext(SEC_OID_SHA1);
385 - ss->ssl3.hs.tls12_handshake_hash = NULL;
386 - if (md5 == NULL) {
387 - ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
388 - goto loser;
389 - }
390 - if (sha == NULL) {
391 - ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
392 - goto loser;
393 - }
394 - if (SECSuccess == ssl3_RestartHandshakeHashes(ss)) {
395 - return SECSuccess;
396 - }
397 -
398 -loser:
399 - if (md5 != NULL) {
400 - PK11_DestroyContext(md5, PR_TRUE);
401 + if (ss->ssl3.hs.md5) {
402 + PK11_DestroyContext(ss->ssl3.hs.md5,PR_TRUE);
403 ss->ssl3.hs.md5 = NULL;
404 }
405 - if (sha != NULL) {
406 - PK11_DestroyContext(sha, PR_TRUE);
407 + if (ss->ssl3.hs.sha) {
408 + PK11_DestroyContext(ss->ssl3.hs.sha,PR_TRUE);
409 ss->ssl3.hs.sha = NULL;
410 }
411 - return SECFailure;
412 -
413 + return rv;
414 }
415
416 /*
417 * Handshake messages
418 */
419 -/* Called from ssl3_AppendHandshake()
420 +/* Called from ssl3_InitHandshakeHashes()
421 +** ssl3_AppendHandshake()
422 ** ssl3_StartHandshakeHash()
423 ** ssl3_HandleV2ClientHello()
424 ** ssl3_HandleHandshakeMessage()
425 @@ -3772,31 +3760,27 @@
426
427 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
428
429 - PRINT_BUF(90, (NULL, "MD5 & SHA handshake hash input:", b, l));
430 -
431 - if ((ss->version == 0 || ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) &&
432 - !ss->opt.bypassPKCS11 &&
433 - ss->ssl3.hs.tls12_handshake_hash == NULL) {
434 - /* For TLS 1.2 connections we need to buffer the handshake messages
435 - * until we have established which PRF hash function to use. */
436 - rv = sslBuffer_Append(&ss->ssl3.hs.messages, b, l);
437 - if (rv != SECSuccess) {
438 - return rv;
439 - }
440 + /* We need to buffer the handshake messages until we have established
441 + * which handshake hash function to use. */
442 + if (ss->ssl3.hs.hashType == handshake_hash_unknown) {
443 + return sslBuffer_Append(&ss->ssl3.hs.messages, b, l);
444 }
445
446 + PRINT_BUF(90, (NULL, "handshake hash input:", b, l));
447 +
448 #ifndef NO_PKCS11_BYPASS
449 if (ss->opt.bypassPKCS11) {
450 - MD5_Update((MD5Context *)ss->ssl3.hs.md5_cx, b, l);
451 - SHA1_Update((SHA1Context *)ss->ssl3.hs.sha_cx, b, l);
452 -#if defined(NSS_SURVIVE_DOUBLE_BYPASS_FAILURE)
453 - rv = sslBuffer_Append(&ss->ssl3.hs.messages, b, l);
454 -#endif
455 + if (ss->ssl3.hs.hashType == handshake_hash_single) {
456 + ss->ssl3.hs.sha_obj->update(ss->ssl3.hs.sha_cx, b, l);
457 + } else {
458 + MD5_Update((MD5Context *)ss->ssl3.hs.md5_cx, b, l);
459 + SHA1_Update((SHA1Context *)ss->ssl3.hs.sha_cx, b, l);
460 + }
461 return rv;
462 }
463 #endif
464 - if (ss->ssl3.hs.tls12_handshake_hash) {
465 - rv = PK11_DigestOp(ss->ssl3.hs.tls12_handshake_hash, b, l);
466 + if (ss->ssl3.hs.hashType == handshake_hash_single) {
467 + rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l);
468 if (rv != SECSuccess) {
469 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
470 return rv;
471 @@ -3924,10 +3908,6 @@
472
473 SSL_TRC(30,("%d: SSL3[%d]: append handshake header: type %s",
474 SSL_GETPID(), ss->fd, ssl3_DecodeHandshakeType(t)));
475 - PRINT_BUF(60, (ss, "MD5 handshake hash:",
476 - (unsigned char*)ss->ssl3.hs.md5_cx, MD5_LENGTH));
477 - PRINT_BUF(95, (ss, "SHA handshake hash:",
478 - (unsigned char*)ss->ssl3.hs.sha_cx, SHA1_LENGTH));
479
480 rv = ssl3_AppendHandshakeNumber(ss, t, 1);
481 if (rv != SECSuccess) {
482 @@ -4275,8 +4255,28 @@
483 hashes->hashAlg = SEC_OID_UNKNOWN;
484
485 #ifndef NO_PKCS11_BYPASS
486 - if (ss->opt.bypassPKCS11) {
487 + if (ss->opt.bypassPKCS11 &&
488 + ss->ssl3.hs.hashType == handshake_hash_single) {
489 /* compute them without PKCS11 */
490 + PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS];
491 +
492 + if (!spec->msItem.data) {
493 + PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
494 + return SECFailure;
495 + }
496 +
497 + ss->ssl3.hs.sha_clone(sha_cx, ss->ssl3.hs.sha_cx);
498 + ss->ssl3.hs.sha_obj->end(sha_cx, hashes->u.raw, &hashes->len,
499 + sizeof(hashes->u.raw));
500 +
501 + PRINT_BUF(60, (NULL, "SHA-256: result", hashes->u.raw, hashes->len));
502 +
503 + /* If we ever support ciphersuites where the PRF hash isn't SHA-256
504 + * then this will need to be updated. */
505 + hashes->hashAlg = SEC_OID_SHA256;
506 + rv = SECSuccess;
507 + } else if (ss->opt.bypassPKCS11) {
508 + /* compute them without PKCS11 */
509 PRUint64 md5_cx[MAX_MAC_CONTEXT_LLONGS];
510 PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS];
511
512 @@ -4360,7 +4360,8 @@
513 #undef shacx
514 } else
515 #endif
516 - if (ss->ssl3.hs.tls12_handshake_hash) {
517 + if (ss->ssl3.hs.hashType == handshake_hash_single) {
518 + /* compute hashes with PKCS11 */
519 PK11Context *h;
520 unsigned int stateLen;
521 unsigned char stackBuf[1024];
522 @@ -4371,7 +4372,7 @@
523 return SECFailure;
524 }
525
526 - h = ss->ssl3.hs.tls12_handshake_hash;
527 + h = ss->ssl3.hs.sha;
528 stateBuf = PK11_SaveContextAlloc(h, stackBuf,
529 sizeof(stackBuf), &stateLen);
530 if (stateBuf == NULL) {
531 @@ -4392,8 +4393,7 @@
532
533 tls12_loser:
534 if (stateBuf) {
535 - if (PK11_RestoreContext(ss->ssl3.hs.tls12_handshake_hash, stateBuf,
536 - stateLen) != SECSuccess) {
537 + if (PK11_RestoreContext(h, stateBuf, stateLen) != SECSuccess) {
538 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
539 rv = SECFailure;
540 }
541 @@ -4402,7 +4402,7 @@
542 }
543 }
544 } else {
545 - /* compute hases with PKCS11 */
546 + /* compute hashes with PKCS11 */
547 PK11Context * md5;
548 PK11Context * sha = NULL;
549 unsigned char *md5StateBuf = NULL;
550 @@ -4567,6 +4567,10 @@
551 if (rv != SECSuccess) {
552 goto done; /* ssl3_InitState has set the error code. */
553 }
554 + rv = ssl3_RestartHandshakeHashes(ss);
555 + if (rv != SECSuccess) {
556 + goto done;
557 + }
558
559 PORT_Memset(&ss->ssl3.hs.client_random, 0, SSL3_RANDOM_LENGTH);
560 PORT_Memcpy(
561 @@ -4626,8 +4630,6 @@
562 */
563 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
564
565 - SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes",
566 - SSL_GETPID(), ss->fd ));
567 rv = ssl3_RestartHandshakeHashes(ss);
568 if (rv != SECSuccess) {
569 return rv;
570 @@ -5897,12 +5899,8 @@
571 SSL_GETPID(), ss->fd));
572 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
573 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
574 + PORT_Assert( ss->ssl3.initialized );
575
576 - rv = ssl3_InitState(ss);
577 - if (rv != SECSuccess) {
578 - errCode = PORT_GetError(); /* ssl3_InitState has set the error code. */
579 - goto alert_loser;
580 - }
581 if (ss->ssl3.hs.ws != wait_server_hello) {
582 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO;
583 desc = unexpected_message;
584 @@ -5970,7 +5968,7 @@
585 }
586 isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0);
587
588 - rv = ssl3_InitTLS12HandshakeHash(ss);
589 + rv = ssl3_InitHandshakeHashes(ss);
590 if (rv != SECSuccess) {
591 desc = internal_error;
592 errCode = PORT_GetError();
593 @@ -7308,6 +7306,7 @@
594
595 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
596 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
597 + PORT_Assert( ss->ssl3.initialized );
598
599 /* Get peer name of client */
600 rv = ssl_GetPeerInfo(ss);
601 @@ -7335,11 +7334,6 @@
602 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
603 ss->statelessResume = PR_FALSE;
604
605 - rv = ssl3_InitState(ss);
606 - if (rv != SECSuccess) {
607 - return rv; /* ssl3_InitState has set the error code. */
608 - }
609 -
610 if ((ss->ssl3.hs.ws != wait_client_hello) &&
611 (ss->ssl3.hs.ws != idle_handshake)) {
612 desc = unexpected_message;
613 @@ -7378,7 +7372,7 @@
614 goto alert_loser;
615 }
616
617 - rv = ssl3_InitTLS12HandshakeHash(ss);
618 + rv = ssl3_InitHandshakeHashes(ss);
619 if (rv != SECSuccess) {
620 desc = internal_error;
621 errCode = PORT_GetError();
622 @@ -8106,6 +8100,11 @@
623 ssl_ReleaseSSL3HandshakeLock(ss);
624 return rv; /* ssl3_InitState has set the error code. */
625 }
626 + rv = ssl3_RestartHandshakeHashes(ss);
627 + if (rv != SECSuccess) {
628 + ssl_ReleaseSSL3HandshakeLock(ss);
629 + return rv;
630 + }
631
632 if (ss->ssl3.hs.ws != wait_client_hello) {
633 desc = unexpected_message;
634 @@ -8127,7 +8126,7 @@
635 goto alert_loser;
636 }
637
638 - rv = ssl3_InitTLS12HandshakeHash(ss);
639 + rv = ssl3_InitHandshakeHashes(ss);
640 if (rv != SECSuccess) {
641 desc = internal_error;
642 errCode = PORT_GetError();
643 @@ -8858,6 +8857,7 @@
644
645 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
646 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
647 + PORT_Assert( ss->ssl3.prSpec == ss->ssl3.pwSpec );
648
649 enc_pms.data = b;
650 enc_pms.len = length;
651 @@ -9886,7 +9886,12 @@
652 inData.len = valLen;
653 outData.data = out;
654 outData.len = outLen;
655 - rv = TLS_PRF(&spec->msItem, label, &inData, &outData, isFIPS);
656 + if (spec->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
657 + rv = TLS_P_hash(HASH_AlgSHA256, &spec->msItem, label, &inData,
658 + &outData, isFIPS);
659 + } else {
660 + rv = TLS_PRF(&spec->msItem, label, &inData, &outData, isFIPS);
661 + }
662 PORT_Assert(rv != SECSuccess || outData.len == outLen);
663 #endif
664 }
665 @@ -10560,10 +10565,6 @@
666 }
667 SSL_TRC(30,("%d: SSL3[%d]: handle handshake message: %s", SSL_GETPID(),
668 ss->fd, ssl3_DecodeHandshakeType(ss->ssl3.hs.msg_type)));
669 - PRINT_BUF(60, (ss, "MD5 handshake hash:",
670 - (unsigned char*)ss->ssl3.hs.md5_cx, MD5_LENGTH));
671 - PRINT_BUF(95, (ss, "SHA handshake hash:",
672 - (unsigned char*)ss->ssl3.hs.sha_cx, SHA1_LENGTH));
673
674 hdr[0] = (PRUint8)ss->ssl3.hs.msg_type;
675 hdr[1] = (PRUint8)(length >> 16);
676 @@ -10572,8 +10573,6 @@
677
678 /* Start new handshake hashes when we start a new handshake */
679 if (ss->ssl3.hs.msg_type == client_hello) {
680 - SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes",
681 - SSL_GETPID(), ss->fd ));
682 rv = ssl3_RestartHandshakeHashes(ss);
683 if (rv != SECSuccess) {
684 return rv;
685 @@ -11526,8 +11525,6 @@
686 /* Called from: ssl3_SendRecord
687 ** ssl3_StartHandshakeHash() <- ssl2_BeginClientHandshake()
688 ** ssl3_SendClientHello()
689 -** ssl3_HandleServerHello()
690 -** ssl3_HandleClientHello()
691 ** ssl3_HandleV2ClientHello()
692 ** ssl3_HandleRecord()
693 **
694 @@ -11538,7 +11535,6 @@
695 static SECStatus
696 ssl3_InitState(sslSocket *ss)
697 {
698 - SECStatus rv;
699 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
700
701 if (ss->ssl3.initialized)
702 @@ -11571,12 +11567,12 @@
703 dtls_SetMTU(ss, 0); /* Set the MTU to the highest plateau */
704 }
705
706 - rv = ssl3_NewHandshakeHashes(ss);
707 - if (rv == SECSuccess) {
708 - ss->ssl3.initialized = PR_TRUE;
709 - }
710 + PORT_Assert(!ss->ssl3.hs.messages.buf && !ss->ssl3.hs.messages.space);
711 + ss->ssl3.hs.messages.buf = NULL;
712 + ss->ssl3.hs.messages.space = 0;
713
714 - return rv;
715 + ss->ssl3.initialized = PR_TRUE;
716 + return SECSuccess;
717 }
718
719 /* Returns a reference counted object that contains a key pair.
720 @@ -11942,8 +11938,12 @@
721 /* clean up handshake */
722 #ifndef NO_PKCS11_BYPASS
723 if (ss->opt.bypassPKCS11) {
724 - SHA1_DestroyContext((SHA1Context *)ss->ssl3.hs.sha_cx, PR_FALSE);
725 - MD5_DestroyContext((MD5Context *)ss->ssl3.hs.md5_cx, PR_FALSE);
726 + if (ss->ssl3.hs.hashType == handshake_hash_combo) {
727 + SHA1_DestroyContext((SHA1Context *)ss->ssl3.hs.sha_cx, PR_FALSE);
728 + MD5_DestroyContext((MD5Context *)ss->ssl3.hs.md5_cx, PR_FALSE);
729 + } else if (ss->ssl3.hs.hashType == handshake_hash_single) {
730 + ss->ssl3.hs.sha_obj->destroy(ss->ssl3.hs.sha_cx, PR_FALSE);
731 + }
732 }
733 #endif
734 if (ss->ssl3.hs.md5) {
735 @@ -11952,9 +11952,6 @@
736 if (ss->ssl3.hs.sha) {
737 PK11_DestroyContext(ss->ssl3.hs.sha,PR_TRUE);
738 }
739 - if (ss->ssl3.hs.tls12_handshake_hash) {
740 - PK11_DestroyContext(ss->ssl3.hs.tls12_handshake_hash,PR_TRUE);
741 - }
742 if (ss->ssl3.hs.clientSigAndHash) {
743 PORT_Free(ss->ssl3.hs.clientSigAndHash);
744 }
745 Index: net/third_party/nss/ssl/sslimpl.h
746 ===================================================================
747 --- net/third_party/nss/ssl/sslimpl.h (revision 206496)
748 +++ net/third_party/nss/ssl/sslimpl.h (working copy)
749 @@ -506,7 +506,9 @@
750
751 typedef void (*DTLSTimerCb)(sslSocket *);
752
753 -#define MAX_MAC_CONTEXT_BYTES 400
754 +#define MAX_MAC_CONTEXT_BYTES 400 /* 400 is large enough for MD5, SHA-1, and
755 + * SHA-256. For SHA-384 support, increase
756 + * it to 712. */
757 #define MAX_MAC_CONTEXT_LLONGS (MAX_MAC_CONTEXT_BYTES / 8)
758
759 #define MAX_CIPHER_CONTEXT_BYTES 2080
760 @@ -788,6 +790,12 @@
761 PRUint16 len; /* The data length */
762 } DTLSQueuedMessage;
763
764 +typedef enum {
765 + handshake_hash_unknown = 0,
766 + handshake_hash_combo = 1, /* The MD5/SHA-1 combination */
767 + handshake_hash_single = 2 /* A single hash */
768 +} SSL3HandshakeHashType;
769 +
770 /*
771 ** This is the "hs" member of the "ssl3" struct.
772 ** This entire struct is protected by ssl3HandshakeLock
773 @@ -796,11 +804,31 @@
774 SSL3Random server_random;
775 SSL3Random client_random;
776 SSL3WaitState ws;
777 +
778 + /* This group of members is used for handshake running hashes. */
779 + SSL3HandshakeHashType hashType;
780 + sslBuffer messages; /* Accumulated handshake messages */
781 +#ifndef NO_PKCS11_BYPASS
782 + /* Bypass mode:
783 + * SSL 3.0 - TLS 1.1 use both |md5_cx| and |sha_cx|. |md5_cx| is used for
784 + * MD5 and |sha_cx| for SHA-1.
785 + * TLS 1.2 and later use only |sha_cx|, for SHA-256. NOTE: When we support
786 + * SHA-384, increase MAX_MAC_CONTEXT_BYTES to 712. */
787 PRUint64 md5_cx[MAX_MAC_CONTEXT_LLONGS];
788 PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS];
789 - PK11Context * md5; /* handshake running hashes */
790 + const SECHashObject * sha_obj;
791 + /* The function prototype of sha_obj->clone() does not match the prototype
792 + * of the freebl <HASH>_Clone functions, so we need a dedicated function
793 + * pointer for the <HASH>_Clone function. */
794 + void (*sha_clone)(void *dest, void *src);
795 +#endif
796 + /* PKCS #11 mode:
797 + * SSL 3.0 - TLS 1.1 use both |md5| and |sha|. |md5| is used for MD5 and
798 + * |sha| for SHA-1.
799 + * TLS 1.2 and later use only |sha|, for SHA-256. */
800 + PK11Context * md5;
801 PK11Context * sha;
802 - PK11Context * tls12_handshake_hash;
803 +
804 const ssl3KEADef * kea_def;
805 ssl3CipherSuite cipher_suite;
806 const ssl3CipherSuiteDef *suite_def;
807 @@ -818,7 +846,6 @@
808 PRBool sendingSCSV; /* instead of empty RI */
809 sslBuffer msgState; /* current state for handshake messages* /
810 /* protected by recvBufLock */
811 - sslBuffer messages; /* Accumulated handshake messages */
812 PRUint16 finishedBytes; /* size of single finished below */
813 union {
814 TLSFinished tFinished[2]; /* client, then server */
OLDNEW
« no previous file with comments | « net/third_party/nss/patches/applypatches.sh ('k') | net/third_party/nss/ssl/derive.c » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698