OLD | NEW |
(Empty) | |
| 1 Index: net/third_party/nss/ssl/derive.c |
| 2 =================================================================== |
| 3 --- net/third_party/nss/ssl/derive.c (revision 206496) |
| 4 +++ net/third_party/nss/ssl/derive.c (working copy) |
| 5 @@ -82,9 +82,11 @@ |
| 6 unsigned int effKeySize; /* effective size of cipher keys
*/ |
| 7 unsigned int macSize; /* size of MAC secret */ |
| 8 unsigned int IVSize; /* size of IV */ |
| 9 + PRBool explicitIV = PR_FALSE; |
| 10 SECStatus rv = SECFailure; |
| 11 SECStatus status = SECSuccess; |
| 12 PRBool isFIPS = PR_FALSE; |
| 13 + PRBool isTLS12 = pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2; |
| 14 |
| 15 SECItem srcr; |
| 16 SECItem crsr; |
| 17 @@ -116,7 +118,13 @@ |
| 18 if (keySize == 0) { |
| 19 effKeySize = IVSize = 0; /* only MACing */ |
| 20 } |
| 21 - block_needed = 2 * (macSize + effKeySize + ((!isExport) * IVSize)); |
| 22 + if (cipher_def->type == type_block && |
| 23 + pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { |
| 24 + /* Block ciphers in >= TLS 1.1 use a per-record, explicit IV. */ |
| 25 + explicitIV = PR_TRUE; |
| 26 + } |
| 27 + block_needed = |
| 28 + 2 * (macSize + effKeySize + ((!isExport && !explicitIV) * IVSize)); |
| 29 |
| 30 /* |
| 31 * clear out our returned keys so we can recover on failure |
| 32 @@ -151,8 +159,13 @@ |
| 33 keyblk.data = key_block; |
| 34 keyblk.len = block_needed; |
| 35 |
| 36 - status = TLS_PRF(&pwSpec->msItem, "key expansion", &srcr, &keyblk, |
| 37 - isFIPS); |
| 38 + if (isTLS12) { |
| 39 + status = TLS_P_hash(HASH_AlgSHA256, &pwSpec->msItem, |
| 40 + "key expansion", &srcr, &keyblk, isFIPS); |
| 41 + } else { |
| 42 + status = TLS_PRF(&pwSpec->msItem, "key expansion", &srcr, &keyblk, |
| 43 + isFIPS); |
| 44 + } |
| 45 if (status != SECSuccess) { |
| 46 goto key_and_mac_derive_fail; |
| 47 } |
| 48 @@ -240,22 +253,34 @@ |
| 49 i += keySize; |
| 50 |
| 51 if (IVSize > 0) { |
| 52 - /* |
| 53 - ** client_write_IV[CipherSpec.IV_size] |
| 54 - */ |
| 55 - buildSSLKey(&key_block[i], IVSize, &pwSpec->client.write_iv_item, \ |
| 56 - "Domestic Client Write IV"); |
| 57 - i += IVSize; |
| 58 + if (explicitIV) { |
| 59 + static unsigned char zero_block[32]; |
| 60 + PORT_Assert(IVSize <= sizeof zero_block); |
| 61 + buildSSLKey(&zero_block[0], IVSize, \ |
| 62 + &pwSpec->client.write_iv_item, \ |
| 63 + "Domestic Client Write IV"); |
| 64 + buildSSLKey(&zero_block[0], IVSize, \ |
| 65 + &pwSpec->server.write_iv_item, \ |
| 66 + "Domestic Server Write IV"); |
| 67 + } else { |
| 68 + /* |
| 69 + ** client_write_IV[CipherSpec.IV_size] |
| 70 + */ |
| 71 + buildSSLKey(&key_block[i], IVSize, \ |
| 72 + &pwSpec->client.write_iv_item, \ |
| 73 + "Domestic Client Write IV"); |
| 74 + i += IVSize; |
| 75 |
| 76 - /* |
| 77 - ** server_write_IV[CipherSpec.IV_size] |
| 78 - */ |
| 79 - buildSSLKey(&key_block[i], IVSize, &pwSpec->server.write_iv_item, \ |
| 80 - "Domestic Server Write IV"); |
| 81 - i += IVSize; |
| 82 + /* |
| 83 + ** server_write_IV[CipherSpec.IV_size] |
| 84 + */ |
| 85 + buildSSLKey(&key_block[i], IVSize, \ |
| 86 + &pwSpec->server.write_iv_item, \ |
| 87 + "Domestic Server Write IV"); |
| 88 + i += IVSize; |
| 89 + } |
| 90 } |
| 91 PORT_Assert(i <= block_bytes); |
| 92 - |
| 93 } else if (!isTLS) { |
| 94 /* |
| 95 ** Generate SSL3 Export write keys and IVs. |
| 96 @@ -418,6 +443,7 @@ |
| 97 unsigned char * key_block = pwSpec->key_block; |
| 98 SECStatus rv = SECSuccess; |
| 99 PRBool isFIPS = PR_FALSE; |
| 100 + PRBool isTLS12 = pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2; |
| 101 |
| 102 SECItem crsr; |
| 103 |
| 104 @@ -453,7 +479,12 @@ |
| 105 master.data = key_block; |
| 106 master.len = SSL3_MASTER_SECRET_LENGTH; |
| 107 |
| 108 - rv = TLS_PRF(pms, "master secret", &crsr, &master, isFIPS); |
| 109 + if (isTLS12) { |
| 110 + rv = TLS_P_hash(HASH_AlgSHA256, pms, "master secret", &crsr, |
| 111 + &master, isFIPS); |
| 112 + } else { |
| 113 + rv = TLS_PRF(pms, "master secret", &crsr, &master, isFIPS); |
| 114 + } |
| 115 if (rv != SECSuccess) { |
| 116 PORT_SetError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); |
| 117 } |
| 118 Index: net/third_party/nss/ssl/sslsock.c |
| 119 =================================================================== |
| 120 --- net/third_party/nss/ssl/sslsock.c (revision 206496) |
| 121 +++ net/third_party/nss/ssl/sslsock.c (working copy) |
| 122 @@ -796,10 +796,7 @@ |
| 123 rv = SECFailure; |
| 124 } else { |
| 125 if (PR_FALSE != on) { |
| 126 - /* PKCS#11 bypass is not supported with TLS 1.2. */ |
| 127 - if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2) { |
| 128 - ss->opt.bypassPKCS11 = PR_FALSE; |
| 129 - } else if (PR_SUCCESS == SSL_BypassSetup() ) { |
| 130 + if (PR_SUCCESS == SSL_BypassSetup() ) { |
| 131 #ifdef NO_PKCS11_BYPASS |
| 132 ss->opt.bypassPKCS11 = PR_FALSE; |
| 133 #else |
| 134 @@ -1964,10 +1961,6 @@ |
| 135 } |
| 136 ss->vrange.max = SSL_LIBRARY_VERSION_TLS_1_1; |
| 137 } |
| 138 - /* PKCS#11 bypass is not supported with TLS 1.2. */ |
| 139 - if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2) { |
| 140 - ss->opt.bypassPKCS11 = PR_FALSE; |
| 141 - } |
| 142 |
| 143 ssl_ReleaseSSL3HandshakeLock(ss); |
| 144 ssl_Release1stHandshakeLock(ss); |
| 145 Index: net/third_party/nss/ssl/ssl3con.c |
| 146 =================================================================== |
| 147 --- net/third_party/nss/ssl/ssl3con.c (revision 206496) |
| 148 +++ net/third_party/nss/ssl/ssl3con.c (working copy) |
| 149 @@ -69,7 +69,6 @@ |
| 150 static SECStatus ssl3_SendServerHello( sslSocket *ss); |
| 151 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss); |
| 152 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss); |
| 153 -static SECStatus ssl3_NewHandshakeHashes( sslSocket *ss); |
| 154 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss, |
| 155 const unsigned char *b, |
| 156 unsigned int l); |
| 157 @@ -1072,6 +1071,9 @@ |
| 158 } else if (hashAlg == SEC_OID_SHA384) { |
| 159 SHA384_HashBuf(hashes->u.raw, hashBuf, bufLen); |
| 160 hashes->len = SHA384_LENGTH; |
| 161 + } else if (hashAlg == SEC_OID_SHA512) { |
| 162 + SHA512_HashBuf(hashes->u.raw, hashBuf, bufLen); |
| 163 + hashes->len = SHA512_LENGTH; |
| 164 } else { |
| 165 PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM); |
| 166 return SECFailure; |
| 167 @@ -1535,7 +1537,8 @@ |
| 168 } |
| 169 |
| 170 #ifndef NO_PKCS11_BYPASS |
| 171 -/* Initialize encryption and MAC contexts for pending spec. |
| 172 +/* Initialize encryption contexts for pending spec. |
| 173 + * MAC contexts are set up when computing the mac, not here. |
| 174 * Master Secret already is derived in spec->msItem |
| 175 * Caller holds Spec write lock. |
| 176 */ |
| 177 @@ -1551,7 +1554,6 @@ |
| 178 unsigned int optArg1 = 0; |
| 179 unsigned int optArg2 = 0; |
| 180 PRBool server_encrypts = ss->sec.isServer; |
| 181 - CK_ULONG macLength; |
| 182 SSLCipherAlgorithm calg; |
| 183 SSLCompressionMethod compression_method; |
| 184 SECStatus rv; |
| 185 @@ -1562,12 +1564,7 @@ |
| 186 |
| 187 pwSpec = ss->ssl3.pwSpec; |
| 188 cipher_def = pwSpec->cipher_def; |
| 189 - macLength = pwSpec->mac_size; |
| 190 |
| 191 - /* MAC setup is done when computing the mac, not here. |
| 192 - * Now setup the crypto contexts. |
| 193 - */ |
| 194 - |
| 195 calg = cipher_def->calg; |
| 196 compression_method = pwSpec->compression_method; |
| 197 |
| 198 @@ -3459,18 +3456,6 @@ |
| 199 */ |
| 200 rv = PK11_ExtractKeyValue(pwSpec->master_secret); |
| 201 if (rv != SECSuccess) { |
| 202 -#if defined(NSS_SURVIVE_DOUBLE_BYPASS_FAILURE) |
| 203 - /* The double bypass failed. |
| 204 - * Attempt to revert to an all PKCS#11, non-bypass method. |
| 205 - * Do we need any unacquired locks here? |
| 206 - */ |
| 207 - ss->opt.bypassPKCS11 = 0; |
| 208 - rv = ssl3_NewHandshakeHashes(ss); |
| 209 - if (rv == SECSuccess) { |
| 210 - rv = ssl3_UpdateHandshakeHashes(ss, ss->ssl3.hs.messages.buf, |
| 211 - ss->ssl3.hs.messages.len); |
| 212 - } |
| 213 -#endif |
| 214 return rv; |
| 215 } |
| 216 /* This returns the address of the secItem inside the key struct, |
| 217 @@ -3640,34 +3625,90 @@ |
| 218 return SECFailure; |
| 219 } |
| 220 |
| 221 -/* ssl3_InitTLS12HandshakeHash creates a handshake hash context for TLS 1.2, |
| 222 - * if needed, and hashes in any buffered messages in ss->ssl3.hs.messages. */ |
| 223 +/* ssl3_InitHandshakeHashes creates handshake hash contexts and hashes in |
| 224 + * buffered messages in ss->ssl3.hs.messages. */ |
| 225 static SECStatus |
| 226 -ssl3_InitTLS12HandshakeHash(sslSocket *ss) |
| 227 +ssl3_InitHandshakeHashes(sslSocket *ss) |
| 228 { |
| 229 - if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2 && |
| 230 - ss->ssl3.hs.tls12_handshake_hash == NULL) { |
| 231 - /* If we ever support ciphersuites where the PRF hash isn't SHA-256 |
| 232 - * then this will need to be updated. */ |
| 233 - ss->ssl3.hs.tls12_handshake_hash = |
| 234 - PK11_CreateDigestContext(SEC_OID_SHA256); |
| 235 - if (!ss->ssl3.hs.tls12_handshake_hash || |
| 236 - PK11_DigestBegin(ss->ssl3.hs.tls12_handshake_hash) != SECSuccess) { |
| 237 - ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); |
| 238 - return SECFailure; |
| 239 + SSL_TRC(30,("%d: SSL3[%d]: start handshake hashes", SSL_GETPID(), ss->fd)); |
| 240 + |
| 241 + PORT_Assert(ss->ssl3.hs.hashType == handshake_hash_unknown); |
| 242 +#ifndef NO_PKCS11_BYPASS |
| 243 + if (ss->opt.bypassPKCS11) { |
| 244 + PORT_Assert(!ss->ssl3.hs.sha_obj && !ss->ssl3.hs.sha_clone); |
| 245 + if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) { |
| 246 + /* If we ever support ciphersuites where the PRF hash isn't SHA-256 |
| 247 + * then this will need to be updated. */ |
| 248 + ss->ssl3.hs.sha_obj = HASH_GetRawHashObject(HASH_AlgSHA256); |
| 249 + if (!ss->ssl3.hs.sha_obj) { |
| 250 + ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); |
| 251 + return SECFailure; |
| 252 + } |
| 253 + ss->ssl3.hs.sha_clone = (void (*)(void *, void *))SHA256_Clone; |
| 254 + ss->ssl3.hs.hashType = handshake_hash_single; |
| 255 + ss->ssl3.hs.sha_obj->begin(ss->ssl3.hs.sha_cx); |
| 256 + } else { |
| 257 + ss->ssl3.hs.hashType = handshake_hash_combo; |
| 258 + MD5_Begin((MD5Context *)ss->ssl3.hs.md5_cx); |
| 259 + SHA1_Begin((SHA1Context *)ss->ssl3.hs.sha_cx); |
| 260 } |
| 261 - } |
| 262 + } else |
| 263 +#endif |
| 264 + { |
| 265 + PORT_Assert(!ss->ssl3.hs.md5 && !ss->ssl3.hs.sha); |
| 266 + /* |
| 267 + * note: We should probably lookup an SSL3 slot for these |
| 268 + * handshake hashes in hopes that we wind up with the same slots |
| 269 + * that the master secret will wind up in ... |
| 270 + */ |
| 271 + if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) { |
| 272 + /* If we ever support ciphersuites where the PRF hash isn't SHA-256 |
| 273 + * then this will need to be updated. */ |
| 274 + ss->ssl3.hs.sha = PK11_CreateDigestContext(SEC_OID_SHA256); |
| 275 + if (ss->ssl3.hs.sha == NULL) { |
| 276 + ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
| 277 + return SECFailure; |
| 278 + } |
| 279 + ss->ssl3.hs.hashType = handshake_hash_single; |
| 280 |
| 281 - if (ss->ssl3.hs.tls12_handshake_hash && ss->ssl3.hs.messages.len > 0) { |
| 282 - if (PK11_DigestOp(ss->ssl3.hs.tls12_handshake_hash, |
| 283 - ss->ssl3.hs.messages.buf, |
| 284 - ss->ssl3.hs.messages.len) != SECSuccess) { |
| 285 - ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); |
| 286 - return SECFailure; |
| 287 + if (PK11_DigestBegin(ss->ssl3.hs.sha) != SECSuccess) { |
| 288 + ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); |
| 289 + return SECFailure; |
| 290 + } |
| 291 + } else { |
| 292 + /* Both ss->ssl3.hs.md5 and ss->ssl3.hs.sha should be NULL or |
| 293 + * created successfully. */ |
| 294 + ss->ssl3.hs.md5 = PK11_CreateDigestContext(SEC_OID_MD5); |
| 295 + if (ss->ssl3.hs.md5 == NULL) { |
| 296 + ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); |
| 297 + return SECFailure; |
| 298 + } |
| 299 + ss->ssl3.hs.sha = PK11_CreateDigestContext(SEC_OID_SHA1); |
| 300 + if (ss->ssl3.hs.sha == NULL) { |
| 301 + PK11_DestroyContext(ss->ssl3.hs.md5, PR_TRUE); |
| 302 + ss->ssl3.hs.md5 = NULL; |
| 303 + ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
| 304 + return SECFailure; |
| 305 + } |
| 306 + ss->ssl3.hs.hashType = handshake_hash_combo; |
| 307 + |
| 308 + if (PK11_DigestBegin(ss->ssl3.hs.md5) != SECSuccess) { |
| 309 + ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); |
| 310 + return SECFailure; |
| 311 + } |
| 312 + if (PK11_DigestBegin(ss->ssl3.hs.sha) != SECSuccess) { |
| 313 + ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
| 314 + return SECFailure; |
| 315 + } |
| 316 } |
| 317 } |
| 318 |
| 319 - if (ss->ssl3.hs.messages.buf && !ss->opt.bypassPKCS11) { |
| 320 + if (ss->ssl3.hs.messages.len > 0) { |
| 321 + if (ssl3_UpdateHandshakeHashes(ss, ss->ssl3.hs.messages.buf, |
| 322 + ss->ssl3.hs.messages.len) != |
| 323 + SECSuccess) { |
| 324 + return SECFailure; |
| 325 + } |
| 326 PORT_Free(ss->ssl3.hs.messages.buf); |
| 327 ss->ssl3.hs.messages.buf = NULL; |
| 328 ss->ssl3.hs.messages.len = 0; |
| 329 @@ -3682,83 +3723,30 @@ |
| 330 { |
| 331 SECStatus rv = SECSuccess; |
| 332 |
| 333 + SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes", |
| 334 + SSL_GETPID(), ss->fd )); |
| 335 + ss->ssl3.hs.hashType = handshake_hash_unknown; |
| 336 ss->ssl3.hs.messages.len = 0; |
| 337 #ifndef NO_PKCS11_BYPASS |
| 338 - if (ss->opt.bypassPKCS11) { |
| 339 - MD5_Begin((MD5Context *)ss->ssl3.hs.md5_cx); |
| 340 - SHA1_Begin((SHA1Context *)ss->ssl3.hs.sha_cx); |
| 341 - } else |
| 342 + ss->ssl3.hs.sha_obj = NULL; |
| 343 + ss->ssl3.hs.sha_clone = NULL; |
| 344 #endif |
| 345 - { |
| 346 - if (ss->ssl3.hs.tls12_handshake_hash) { |
| 347 - rv = PK11_DigestBegin(ss->ssl3.hs.tls12_handshake_hash); |
| 348 - if (rv != SECSuccess) { |
| 349 - ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); |
| 350 - return rv; |
| 351 - } |
| 352 - } |
| 353 - rv = PK11_DigestBegin(ss->ssl3.hs.md5); |
| 354 - if (rv != SECSuccess) { |
| 355 - ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); |
| 356 - return rv; |
| 357 - } |
| 358 - rv = PK11_DigestBegin(ss->ssl3.hs.sha); |
| 359 - if (rv != SECSuccess) { |
| 360 - ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
| 361 - return rv; |
| 362 - } |
| 363 - } |
| 364 - return rv; |
| 365 -} |
| 366 - |
| 367 -static SECStatus |
| 368 -ssl3_NewHandshakeHashes(sslSocket *ss) |
| 369 -{ |
| 370 - PK11Context *md5 = NULL; |
| 371 - PK11Context *sha = NULL; |
| 372 - |
| 373 - /* |
| 374 - * note: We should probably lookup an SSL3 slot for these |
| 375 - * handshake hashes in hopes that we wind up with the same slots |
| 376 - * that the master secret will wind up in ... |
| 377 - */ |
| 378 - SSL_TRC(30,("%d: SSL3[%d]: start handshake hashes", SSL_GETPID(), ss->fd)); |
| 379 - PORT_Assert(!ss->ssl3.hs.messages.buf && !ss->ssl3.hs.messages.space); |
| 380 - ss->ssl3.hs.messages.buf = NULL; |
| 381 - ss->ssl3.hs.messages.space = 0; |
| 382 - |
| 383 - ss->ssl3.hs.md5 = md5 = PK11_CreateDigestContext(SEC_OID_MD5); |
| 384 - ss->ssl3.hs.sha = sha = PK11_CreateDigestContext(SEC_OID_SHA1); |
| 385 - ss->ssl3.hs.tls12_handshake_hash = NULL; |
| 386 - if (md5 == NULL) { |
| 387 - ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); |
| 388 - goto loser; |
| 389 - } |
| 390 - if (sha == NULL) { |
| 391 - ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
| 392 - goto loser; |
| 393 - } |
| 394 - if (SECSuccess == ssl3_RestartHandshakeHashes(ss)) { |
| 395 - return SECSuccess; |
| 396 - } |
| 397 - |
| 398 -loser: |
| 399 - if (md5 != NULL) { |
| 400 - PK11_DestroyContext(md5, PR_TRUE); |
| 401 + if (ss->ssl3.hs.md5) { |
| 402 + PK11_DestroyContext(ss->ssl3.hs.md5,PR_TRUE); |
| 403 ss->ssl3.hs.md5 = NULL; |
| 404 } |
| 405 - if (sha != NULL) { |
| 406 - PK11_DestroyContext(sha, PR_TRUE); |
| 407 + if (ss->ssl3.hs.sha) { |
| 408 + PK11_DestroyContext(ss->ssl3.hs.sha,PR_TRUE); |
| 409 ss->ssl3.hs.sha = NULL; |
| 410 } |
| 411 - return SECFailure; |
| 412 - |
| 413 + return rv; |
| 414 } |
| 415 |
| 416 /* |
| 417 * Handshake messages |
| 418 */ |
| 419 -/* Called from ssl3_AppendHandshake() |
| 420 +/* Called from ssl3_InitHandshakeHashes() |
| 421 +** ssl3_AppendHandshake() |
| 422 ** ssl3_StartHandshakeHash() |
| 423 ** ssl3_HandleV2ClientHello() |
| 424 ** ssl3_HandleHandshakeMessage() |
| 425 @@ -3772,31 +3760,27 @@ |
| 426 |
| 427 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
| 428 |
| 429 - PRINT_BUF(90, (NULL, "MD5 & SHA handshake hash input:", b, l)); |
| 430 - |
| 431 - if ((ss->version == 0 || ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) && |
| 432 - !ss->opt.bypassPKCS11 && |
| 433 - ss->ssl3.hs.tls12_handshake_hash == NULL) { |
| 434 - /* For TLS 1.2 connections we need to buffer the handshake messages |
| 435 - * until we have established which PRF hash function to use. */ |
| 436 - rv = sslBuffer_Append(&ss->ssl3.hs.messages, b, l); |
| 437 - if (rv != SECSuccess) { |
| 438 - return rv; |
| 439 - } |
| 440 + /* We need to buffer the handshake messages until we have established |
| 441 + * which handshake hash function to use. */ |
| 442 + if (ss->ssl3.hs.hashType == handshake_hash_unknown) { |
| 443 + return sslBuffer_Append(&ss->ssl3.hs.messages, b, l); |
| 444 } |
| 445 |
| 446 + PRINT_BUF(90, (NULL, "handshake hash input:", b, l)); |
| 447 + |
| 448 #ifndef NO_PKCS11_BYPASS |
| 449 if (ss->opt.bypassPKCS11) { |
| 450 - MD5_Update((MD5Context *)ss->ssl3.hs.md5_cx, b, l); |
| 451 - SHA1_Update((SHA1Context *)ss->ssl3.hs.sha_cx, b, l); |
| 452 -#if defined(NSS_SURVIVE_DOUBLE_BYPASS_FAILURE) |
| 453 - rv = sslBuffer_Append(&ss->ssl3.hs.messages, b, l); |
| 454 -#endif |
| 455 + if (ss->ssl3.hs.hashType == handshake_hash_single) { |
| 456 + ss->ssl3.hs.sha_obj->update(ss->ssl3.hs.sha_cx, b, l); |
| 457 + } else { |
| 458 + MD5_Update((MD5Context *)ss->ssl3.hs.md5_cx, b, l); |
| 459 + SHA1_Update((SHA1Context *)ss->ssl3.hs.sha_cx, b, l); |
| 460 + } |
| 461 return rv; |
| 462 } |
| 463 #endif |
| 464 - if (ss->ssl3.hs.tls12_handshake_hash) { |
| 465 - rv = PK11_DigestOp(ss->ssl3.hs.tls12_handshake_hash, b, l); |
| 466 + if (ss->ssl3.hs.hashType == handshake_hash_single) { |
| 467 + rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l); |
| 468 if (rv != SECSuccess) { |
| 469 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); |
| 470 return rv; |
| 471 @@ -3924,10 +3908,6 @@ |
| 472 |
| 473 SSL_TRC(30,("%d: SSL3[%d]: append handshake header: type %s", |
| 474 SSL_GETPID(), ss->fd, ssl3_DecodeHandshakeType(t))); |
| 475 - PRINT_BUF(60, (ss, "MD5 handshake hash:", |
| 476 - (unsigned char*)ss->ssl3.hs.md5_cx, MD5_LENGTH)); |
| 477 - PRINT_BUF(95, (ss, "SHA handshake hash:", |
| 478 - (unsigned char*)ss->ssl3.hs.sha_cx, SHA1_LENGTH)); |
| 479 |
| 480 rv = ssl3_AppendHandshakeNumber(ss, t, 1); |
| 481 if (rv != SECSuccess) { |
| 482 @@ -4275,8 +4255,28 @@ |
| 483 hashes->hashAlg = SEC_OID_UNKNOWN; |
| 484 |
| 485 #ifndef NO_PKCS11_BYPASS |
| 486 - if (ss->opt.bypassPKCS11) { |
| 487 + if (ss->opt.bypassPKCS11 && |
| 488 + ss->ssl3.hs.hashType == handshake_hash_single) { |
| 489 /* compute them without PKCS11 */ |
| 490 + PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS]; |
| 491 + |
| 492 + if (!spec->msItem.data) { |
| 493 + PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE); |
| 494 + return SECFailure; |
| 495 + } |
| 496 + |
| 497 + ss->ssl3.hs.sha_clone(sha_cx, ss->ssl3.hs.sha_cx); |
| 498 + ss->ssl3.hs.sha_obj->end(sha_cx, hashes->u.raw, &hashes->len, |
| 499 + sizeof(hashes->u.raw)); |
| 500 + |
| 501 + PRINT_BUF(60, (NULL, "SHA-256: result", hashes->u.raw, hashes->len)); |
| 502 + |
| 503 + /* If we ever support ciphersuites where the PRF hash isn't SHA-256 |
| 504 + * then this will need to be updated. */ |
| 505 + hashes->hashAlg = SEC_OID_SHA256; |
| 506 + rv = SECSuccess; |
| 507 + } else if (ss->opt.bypassPKCS11) { |
| 508 + /* compute them without PKCS11 */ |
| 509 PRUint64 md5_cx[MAX_MAC_CONTEXT_LLONGS]; |
| 510 PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS]; |
| 511 |
| 512 @@ -4360,7 +4360,8 @@ |
| 513 #undef shacx |
| 514 } else |
| 515 #endif |
| 516 - if (ss->ssl3.hs.tls12_handshake_hash) { |
| 517 + if (ss->ssl3.hs.hashType == handshake_hash_single) { |
| 518 + /* compute hashes with PKCS11 */ |
| 519 PK11Context *h; |
| 520 unsigned int stateLen; |
| 521 unsigned char stackBuf[1024]; |
| 522 @@ -4371,7 +4372,7 @@ |
| 523 return SECFailure; |
| 524 } |
| 525 |
| 526 - h = ss->ssl3.hs.tls12_handshake_hash; |
| 527 + h = ss->ssl3.hs.sha; |
| 528 stateBuf = PK11_SaveContextAlloc(h, stackBuf, |
| 529 sizeof(stackBuf), &stateLen); |
| 530 if (stateBuf == NULL) { |
| 531 @@ -4392,8 +4393,7 @@ |
| 532 |
| 533 tls12_loser: |
| 534 if (stateBuf) { |
| 535 - if (PK11_RestoreContext(ss->ssl3.hs.tls12_handshake_hash, stateBuf, |
| 536 - stateLen) != SECSuccess) { |
| 537 + if (PK11_RestoreContext(h, stateBuf, stateLen) != SECSuccess) { |
| 538 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); |
| 539 rv = SECFailure; |
| 540 } |
| 541 @@ -4402,7 +4402,7 @@ |
| 542 } |
| 543 } |
| 544 } else { |
| 545 - /* compute hases with PKCS11 */ |
| 546 + /* compute hashes with PKCS11 */ |
| 547 PK11Context * md5; |
| 548 PK11Context * sha = NULL; |
| 549 unsigned char *md5StateBuf = NULL; |
| 550 @@ -4567,6 +4567,10 @@ |
| 551 if (rv != SECSuccess) { |
| 552 goto done; /* ssl3_InitState has set the error code. */ |
| 553 } |
| 554 + rv = ssl3_RestartHandshakeHashes(ss); |
| 555 + if (rv != SECSuccess) { |
| 556 + goto done; |
| 557 + } |
| 558 |
| 559 PORT_Memset(&ss->ssl3.hs.client_random, 0, SSL3_RANDOM_LENGTH); |
| 560 PORT_Memcpy( |
| 561 @@ -4626,8 +4630,6 @@ |
| 562 */ |
| 563 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData)); |
| 564 |
| 565 - SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes", |
| 566 - SSL_GETPID(), ss->fd )); |
| 567 rv = ssl3_RestartHandshakeHashes(ss); |
| 568 if (rv != SECSuccess) { |
| 569 return rv; |
| 570 @@ -5897,12 +5899,8 @@ |
| 571 SSL_GETPID(), ss->fd)); |
| 572 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
| 573 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
| 574 + PORT_Assert( ss->ssl3.initialized ); |
| 575 |
| 576 - rv = ssl3_InitState(ss); |
| 577 - if (rv != SECSuccess) { |
| 578 - errCode = PORT_GetError(); /* ssl3_InitState has set the error code. */ |
| 579 - goto alert_loser; |
| 580 - } |
| 581 if (ss->ssl3.hs.ws != wait_server_hello) { |
| 582 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO; |
| 583 desc = unexpected_message; |
| 584 @@ -5970,7 +5968,7 @@ |
| 585 } |
| 586 isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0); |
| 587 |
| 588 - rv = ssl3_InitTLS12HandshakeHash(ss); |
| 589 + rv = ssl3_InitHandshakeHashes(ss); |
| 590 if (rv != SECSuccess) { |
| 591 desc = internal_error; |
| 592 errCode = PORT_GetError(); |
| 593 @@ -7308,6 +7306,7 @@ |
| 594 |
| 595 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
| 596 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| 597 + PORT_Assert( ss->ssl3.initialized ); |
| 598 |
| 599 /* Get peer name of client */ |
| 600 rv = ssl_GetPeerInfo(ss); |
| 601 @@ -7335,11 +7334,6 @@ |
| 602 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData)); |
| 603 ss->statelessResume = PR_FALSE; |
| 604 |
| 605 - rv = ssl3_InitState(ss); |
| 606 - if (rv != SECSuccess) { |
| 607 - return rv; /* ssl3_InitState has set the error code. */ |
| 608 - } |
| 609 - |
| 610 if ((ss->ssl3.hs.ws != wait_client_hello) && |
| 611 (ss->ssl3.hs.ws != idle_handshake)) { |
| 612 desc = unexpected_message; |
| 613 @@ -7378,7 +7372,7 @@ |
| 614 goto alert_loser; |
| 615 } |
| 616 |
| 617 - rv = ssl3_InitTLS12HandshakeHash(ss); |
| 618 + rv = ssl3_InitHandshakeHashes(ss); |
| 619 if (rv != SECSuccess) { |
| 620 desc = internal_error; |
| 621 errCode = PORT_GetError(); |
| 622 @@ -8106,6 +8100,11 @@ |
| 623 ssl_ReleaseSSL3HandshakeLock(ss); |
| 624 return rv; /* ssl3_InitState has set the error code. */ |
| 625 } |
| 626 + rv = ssl3_RestartHandshakeHashes(ss); |
| 627 + if (rv != SECSuccess) { |
| 628 + ssl_ReleaseSSL3HandshakeLock(ss); |
| 629 + return rv; |
| 630 + } |
| 631 |
| 632 if (ss->ssl3.hs.ws != wait_client_hello) { |
| 633 desc = unexpected_message; |
| 634 @@ -8127,7 +8126,7 @@ |
| 635 goto alert_loser; |
| 636 } |
| 637 |
| 638 - rv = ssl3_InitTLS12HandshakeHash(ss); |
| 639 + rv = ssl3_InitHandshakeHashes(ss); |
| 640 if (rv != SECSuccess) { |
| 641 desc = internal_error; |
| 642 errCode = PORT_GetError(); |
| 643 @@ -8858,6 +8857,7 @@ |
| 644 |
| 645 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
| 646 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
| 647 + PORT_Assert( ss->ssl3.prSpec == ss->ssl3.pwSpec ); |
| 648 |
| 649 enc_pms.data = b; |
| 650 enc_pms.len = length; |
| 651 @@ -9886,7 +9886,12 @@ |
| 652 inData.len = valLen; |
| 653 outData.data = out; |
| 654 outData.len = outLen; |
| 655 - rv = TLS_PRF(&spec->msItem, label, &inData, &outData, isFIPS); |
| 656 + if (spec->version >= SSL_LIBRARY_VERSION_TLS_1_2) { |
| 657 + rv = TLS_P_hash(HASH_AlgSHA256, &spec->msItem, label, &inData, |
| 658 + &outData, isFIPS); |
| 659 + } else { |
| 660 + rv = TLS_PRF(&spec->msItem, label, &inData, &outData, isFIPS); |
| 661 + } |
| 662 PORT_Assert(rv != SECSuccess || outData.len == outLen); |
| 663 #endif |
| 664 } |
| 665 @@ -10560,10 +10565,6 @@ |
| 666 } |
| 667 SSL_TRC(30,("%d: SSL3[%d]: handle handshake message: %s", SSL_GETPID(), |
| 668 ss->fd, ssl3_DecodeHandshakeType(ss->ssl3.hs.msg_type))); |
| 669 - PRINT_BUF(60, (ss, "MD5 handshake hash:", |
| 670 - (unsigned char*)ss->ssl3.hs.md5_cx, MD5_LENGTH)); |
| 671 - PRINT_BUF(95, (ss, "SHA handshake hash:", |
| 672 - (unsigned char*)ss->ssl3.hs.sha_cx, SHA1_LENGTH)); |
| 673 |
| 674 hdr[0] = (PRUint8)ss->ssl3.hs.msg_type; |
| 675 hdr[1] = (PRUint8)(length >> 16); |
| 676 @@ -10572,8 +10573,6 @@ |
| 677 |
| 678 /* Start new handshake hashes when we start a new handshake */ |
| 679 if (ss->ssl3.hs.msg_type == client_hello) { |
| 680 - SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes", |
| 681 - SSL_GETPID(), ss->fd )); |
| 682 rv = ssl3_RestartHandshakeHashes(ss); |
| 683 if (rv != SECSuccess) { |
| 684 return rv; |
| 685 @@ -11526,8 +11525,6 @@ |
| 686 /* Called from: ssl3_SendRecord |
| 687 ** ssl3_StartHandshakeHash() <- ssl2_BeginClientHandshake() |
| 688 ** ssl3_SendClientHello() |
| 689 -** ssl3_HandleServerHello() |
| 690 -** ssl3_HandleClientHello() |
| 691 ** ssl3_HandleV2ClientHello() |
| 692 ** ssl3_HandleRecord() |
| 693 ** |
| 694 @@ -11538,7 +11535,6 @@ |
| 695 static SECStatus |
| 696 ssl3_InitState(sslSocket *ss) |
| 697 { |
| 698 - SECStatus rv; |
| 699 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| 700 |
| 701 if (ss->ssl3.initialized) |
| 702 @@ -11571,12 +11567,12 @@ |
| 703 dtls_SetMTU(ss, 0); /* Set the MTU to the highest plateau */ |
| 704 } |
| 705 |
| 706 - rv = ssl3_NewHandshakeHashes(ss); |
| 707 - if (rv == SECSuccess) { |
| 708 - ss->ssl3.initialized = PR_TRUE; |
| 709 - } |
| 710 + PORT_Assert(!ss->ssl3.hs.messages.buf && !ss->ssl3.hs.messages.space); |
| 711 + ss->ssl3.hs.messages.buf = NULL; |
| 712 + ss->ssl3.hs.messages.space = 0; |
| 713 |
| 714 - return rv; |
| 715 + ss->ssl3.initialized = PR_TRUE; |
| 716 + return SECSuccess; |
| 717 } |
| 718 |
| 719 /* Returns a reference counted object that contains a key pair. |
| 720 @@ -11942,8 +11938,12 @@ |
| 721 /* clean up handshake */ |
| 722 #ifndef NO_PKCS11_BYPASS |
| 723 if (ss->opt.bypassPKCS11) { |
| 724 - SHA1_DestroyContext((SHA1Context *)ss->ssl3.hs.sha_cx, PR_FALSE); |
| 725 - MD5_DestroyContext((MD5Context *)ss->ssl3.hs.md5_cx, PR_FALSE); |
| 726 + if (ss->ssl3.hs.hashType == handshake_hash_combo) { |
| 727 + SHA1_DestroyContext((SHA1Context *)ss->ssl3.hs.sha_cx, PR_FALSE); |
| 728 + MD5_DestroyContext((MD5Context *)ss->ssl3.hs.md5_cx, PR_FALSE); |
| 729 + } else if (ss->ssl3.hs.hashType == handshake_hash_single) { |
| 730 + ss->ssl3.hs.sha_obj->destroy(ss->ssl3.hs.sha_cx, PR_FALSE); |
| 731 + } |
| 732 } |
| 733 #endif |
| 734 if (ss->ssl3.hs.md5) { |
| 735 @@ -11952,9 +11952,6 @@ |
| 736 if (ss->ssl3.hs.sha) { |
| 737 PK11_DestroyContext(ss->ssl3.hs.sha,PR_TRUE); |
| 738 } |
| 739 - if (ss->ssl3.hs.tls12_handshake_hash) { |
| 740 - PK11_DestroyContext(ss->ssl3.hs.tls12_handshake_hash,PR_TRUE); |
| 741 - } |
| 742 if (ss->ssl3.hs.clientSigAndHash) { |
| 743 PORT_Free(ss->ssl3.hs.clientSigAndHash); |
| 744 } |
| 745 Index: net/third_party/nss/ssl/sslimpl.h |
| 746 =================================================================== |
| 747 --- net/third_party/nss/ssl/sslimpl.h (revision 206496) |
| 748 +++ net/third_party/nss/ssl/sslimpl.h (working copy) |
| 749 @@ -506,7 +506,9 @@ |
| 750 |
| 751 typedef void (*DTLSTimerCb)(sslSocket *); |
| 752 |
| 753 -#define MAX_MAC_CONTEXT_BYTES 400 |
| 754 +#define MAX_MAC_CONTEXT_BYTES 400 /* 400 is large enough for MD5, SHA-1, and |
| 755 + * SHA-256. For SHA-384 support, increase |
| 756 + * it to 712. */ |
| 757 #define MAX_MAC_CONTEXT_LLONGS (MAX_MAC_CONTEXT_BYTES / 8) |
| 758 |
| 759 #define MAX_CIPHER_CONTEXT_BYTES 2080 |
| 760 @@ -788,6 +790,12 @@ |
| 761 PRUint16 len; /* The data length */ |
| 762 } DTLSQueuedMessage; |
| 763 |
| 764 +typedef enum { |
| 765 + handshake_hash_unknown = 0, |
| 766 + handshake_hash_combo = 1, /* The MD5/SHA-1 combination */ |
| 767 + handshake_hash_single = 2 /* A single hash */ |
| 768 +} SSL3HandshakeHashType; |
| 769 + |
| 770 /* |
| 771 ** This is the "hs" member of the "ssl3" struct. |
| 772 ** This entire struct is protected by ssl3HandshakeLock |
| 773 @@ -796,11 +804,31 @@ |
| 774 SSL3Random server_random; |
| 775 SSL3Random client_random; |
| 776 SSL3WaitState ws; |
| 777 + |
| 778 + /* This group of members is used for handshake running hashes. */ |
| 779 + SSL3HandshakeHashType hashType; |
| 780 + sslBuffer messages; /* Accumulated handshake messages */ |
| 781 +#ifndef NO_PKCS11_BYPASS |
| 782 + /* Bypass mode: |
| 783 + * SSL 3.0 - TLS 1.1 use both |md5_cx| and |sha_cx|. |md5_cx| is used for |
| 784 + * MD5 and |sha_cx| for SHA-1. |
| 785 + * TLS 1.2 and later use only |sha_cx|, for SHA-256. NOTE: When we support |
| 786 + * SHA-384, increase MAX_MAC_CONTEXT_BYTES to 712. */ |
| 787 PRUint64 md5_cx[MAX_MAC_CONTEXT_LLONGS]; |
| 788 PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS]; |
| 789 - PK11Context * md5; /* handshake running hashes */ |
| 790 + const SECHashObject * sha_obj; |
| 791 + /* The function prototype of sha_obj->clone() does not match the prototype |
| 792 + * of the freebl <HASH>_Clone functions, so we need a dedicated function |
| 793 + * pointer for the <HASH>_Clone function. */ |
| 794 + void (*sha_clone)(void *dest, void *src); |
| 795 +#endif |
| 796 + /* PKCS #11 mode: |
| 797 + * SSL 3.0 - TLS 1.1 use both |md5| and |sha|. |md5| is used for MD5 and |
| 798 + * |sha| for SHA-1. |
| 799 + * TLS 1.2 and later use only |sha|, for SHA-256. */ |
| 800 + PK11Context * md5; |
| 801 PK11Context * sha; |
| 802 - PK11Context * tls12_handshake_hash; |
| 803 + |
| 804 const ssl3KEADef * kea_def; |
| 805 ssl3CipherSuite cipher_suite; |
| 806 const ssl3CipherSuiteDef *suite_def; |
| 807 @@ -818,7 +846,6 @@ |
| 808 PRBool sendingSCSV; /* instead of empty RI */ |
| 809 sslBuffer msgState; /* current state for handshake messages*
/ |
| 810 /* protected by recvBufLock */ |
| 811 - sslBuffer messages; /* Accumulated handshake messages */ |
| 812 PRUint16 finishedBytes; /* size of single finished below */ |
| 813 union { |
| 814 TLSFinished tFinished[2]; /* client, then server */ |
OLD | NEW |