OLD | NEW |
---|---|
1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ | 1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ |
2 /* | 2 /* |
3 * SSL3 Protocol | 3 * SSL3 Protocol |
4 * | 4 * |
5 * This Source Code Form is subject to the terms of the Mozilla Public | 5 * This Source Code Form is subject to the terms of the Mozilla Public |
6 * License, v. 2.0. If a copy of the MPL was not distributed with this | 6 * License, v. 2.0. If a copy of the MPL was not distributed with this |
7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
8 | 8 |
9 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */ | 9 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */ |
10 | 10 |
(...skipping 26 matching lines...) Expand all Loading... | |
37 #define CKM_NSS_TLS_PRF_GENERAL_SHA256 (CKM_NSS + 21) | 37 #define CKM_NSS_TLS_PRF_GENERAL_SHA256 (CKM_NSS + 21) |
38 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256 (CKM_NSS + 22) | 38 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256 (CKM_NSS + 22) |
39 #define CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256 (CKM_NSS + 23) | 39 #define CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256 (CKM_NSS + 23) |
40 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) | 40 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) |
41 #endif | 41 #endif |
42 | 42 |
43 #include <stdio.h> | 43 #include <stdio.h> |
44 #ifdef NSS_ENABLE_ZLIB | 44 #ifdef NSS_ENABLE_ZLIB |
45 #include "zlib.h" | 45 #include "zlib.h" |
46 #endif | 46 #endif |
47 #ifdef LINUX | |
48 #include <dlfcn.h> | |
49 #endif | |
47 | 50 |
48 #ifndef PK11_SETATTRS | 51 #ifndef PK11_SETATTRS |
49 #define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \ | 52 #define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \ |
50 (x)->pValue=(v); (x)->ulValueLen = (l); | 53 (x)->pValue=(v); (x)->ulValueLen = (l); |
51 #endif | 54 #endif |
52 | 55 |
53 static SECStatus ssl3_AuthCertificate(sslSocket *ss); | 56 static SECStatus ssl3_AuthCertificate(sslSocket *ss); |
54 static void ssl3_CleanupPeerCerts(sslSocket *ss); | 57 static void ssl3_CleanupPeerCerts(sslSocket *ss); |
55 static void ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid); | 58 static void ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid); |
56 static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec, | 59 static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec, |
(...skipping 25 matching lines...) Expand all Loading... | |
82 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */ | 85 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */ |
83 #define MIN_SEND_BUF_LENGTH 4000 | 86 #define MIN_SEND_BUF_LENGTH 4000 |
84 | 87 |
85 /* This list of SSL3 cipher suites is sorted in descending order of | 88 /* This list of SSL3 cipher suites is sorted in descending order of |
86 * precedence (desirability). It only includes cipher suites we implement. | 89 * precedence (desirability). It only includes cipher suites we implement. |
87 * This table is modified by SSL3_SetPolicy(). The ordering of cipher suites | 90 * This table is modified by SSL3_SetPolicy(). The ordering of cipher suites |
88 * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c) | 91 * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c) |
89 */ | 92 */ |
90 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { | 93 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { |
91 /* cipher_suite policy enabled is_present*/ | 94 /* cipher_suite policy enabled is_present*/ |
95 { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, | |
92 #ifdef NSS_ENABLE_ECC | 96 #ifdef NSS_ENABLE_ECC |
97 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, | |
98 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, | |
93 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, | 99 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
94 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, | 100 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
95 #endif /* NSS_ENABLE_ECC */ | 101 #endif /* NSS_ENABLE_ECC */ |
96 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, | 102 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
97 { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, | 103 { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
98 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, | 104 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
99 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, | 105 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
100 { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, | 106 { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
101 #ifdef NSS_ENABLE_ECC | 107 #ifdef NSS_ENABLE_ECC |
102 { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, | 108 { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
(...skipping 123 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
226 | 232 |
227 | 233 |
228 /* This global item is used only in servers. It is is initialized by | 234 /* This global item is used only in servers. It is is initialized by |
229 ** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest(). | 235 ** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest(). |
230 */ | 236 */ |
231 CERTDistNames *ssl3_server_ca_list = NULL; | 237 CERTDistNames *ssl3_server_ca_list = NULL; |
232 static SSL3Statistics ssl3stats; | 238 static SSL3Statistics ssl3stats; |
233 | 239 |
234 /* indexed by SSL3BulkCipher */ | 240 /* indexed by SSL3BulkCipher */ |
235 static const ssl3BulkCipherDef bulk_cipher_defs[] = { | 241 static const ssl3BulkCipherDef bulk_cipher_defs[] = { |
236 /* cipher calg keySz secretSz type ivSz BlkSz keygen */ | 242 /* |--------- Lengths --------| */ |
237 {cipher_null, calg_null, 0, 0, type_stream, 0, 0, kg_null}, | 243 /* cipher calg K S type I B T N */ |
238 {cipher_rc4, calg_rc4, 16, 16, type_stream, 0, 0, kg_strong}, | 244 /* e e V l a o */ |
239 {cipher_rc4_40, calg_rc4, 16, 5, type_stream, 0, 0, kg_export}, | 245 /* y c | o g n */ |
240 {cipher_rc4_56, calg_rc4, 16, 7, type_stream, 0, 0, kg_export}, | 246 /* | r | c | c */ |
241 {cipher_rc2, calg_rc2, 16, 16, type_block, 8, 8, kg_strong}, | 247 /* | e | k | e */ |
242 {cipher_rc2_40, calg_rc2, 16, 5, type_block, 8, 8, kg_export}, | 248 /* | t | | | | */ |
243 {cipher_des, calg_des, 8, 8, type_block, 8, 8, kg_strong}, | 249 {cipher_null, calg_null, 0, 0, type_stream, 0, 0, 0, 0}, |
244 {cipher_3des, calg_3des, 24, 24, type_block, 8, 8, kg_strong}, | 250 {cipher_rc4, calg_rc4, 16,16, type_stream, 0, 0, 0, 0}, |
245 {cipher_des40, calg_des, 8, 5, type_block, 8, 8, kg_export}, | 251 {cipher_rc4_40, calg_rc4, 16, 5, type_stream, 0, 0, 0, 0}, |
246 {cipher_idea, calg_idea, 16, 16, type_block, 8, 8, kg_strong}, | 252 {cipher_rc4_56, calg_rc4, 16, 7, type_stream, 0, 0, 0, 0}, |
247 {cipher_aes_128, calg_aes, 16, 16, type_block, 16,16, kg_strong}, | 253 {cipher_rc2, calg_rc2, 16,16, type_block, 8, 8, 0, 0}, |
248 {cipher_aes_256, calg_aes, 32, 32, type_block, 16,16, kg_strong}, | 254 {cipher_rc2_40, calg_rc2, 16, 5, type_block, 8, 8, 0, 0}, |
249 {cipher_camellia_128, calg_camellia,16, 16, type_block, 16,16, kg_strong}, | 255 {cipher_des, calg_des, 8, 8, type_block, 8, 8, 0, 0}, |
250 {cipher_camellia_256, calg_camellia,32, 32, type_block, 16,16, kg_strong}, | 256 {cipher_3des, calg_3des, 24,24, type_block, 8, 8, 0, 0}, |
251 {cipher_seed, calg_seed, 16, 16, type_block, 16,16, kg_strong}, | 257 {cipher_des40, calg_des, 8, 5, type_block, 8, 8, 0, 0}, |
252 {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, kg_null}, | 258 {cipher_idea, calg_idea, 16,16, type_block, 8, 8, 0, 0}, |
259 {cipher_aes_128, calg_aes, 16,16, type_block, 16,16, 0, 0}, | |
260 {cipher_aes_256, calg_aes, 32,32, type_block, 16,16, 0, 0}, | |
261 {cipher_camellia_128, calg_camellia, 16,16, type_block, 16,16, 0, 0}, | |
262 {cipher_camellia_256, calg_camellia, 32,32, type_block, 16,16, 0, 0}, | |
263 {cipher_seed, calg_seed, 16,16, type_block, 16,16, 0, 0}, | |
264 {cipher_aes_128_gcm, calg_aes_128_gcm, 16,16, type_aead, 4, 0,16, 8}, | |
265 {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, 0, 0}, | |
253 }; | 266 }; |
254 | 267 |
255 static const ssl3KEADef kea_defs[] = | 268 static const ssl3KEADef kea_defs[] = |
256 { /* indexed by SSL3KeyExchangeAlgorithm */ | 269 { /* indexed by SSL3KeyExchangeAlgorithm */ |
257 /* kea exchKeyType signKeyType is_limited limit tls_keygen */ | 270 /* kea exchKeyType signKeyType is_limited limit tls_keygen */ |
258 {kea_null, kt_null, sign_null, PR_FALSE, 0, PR_FALSE}, | 271 {kea_null, kt_null, sign_null, PR_FALSE, 0, PR_FALSE}, |
259 {kea_rsa, kt_rsa, sign_rsa, PR_FALSE, 0, PR_FALSE}, | 272 {kea_rsa, kt_rsa, sign_rsa, PR_FALSE, 0, PR_FALSE}, |
260 {kea_rsa_export, kt_rsa, sign_rsa, PR_TRUE, 512, PR_FALSE}, | 273 {kea_rsa_export, kt_rsa, sign_rsa, PR_TRUE, 512, PR_FALSE}, |
261 {kea_rsa_export_1024,kt_rsa, sign_rsa, PR_TRUE, 1024, PR_FALSE}, | 274 {kea_rsa_export_1024,kt_rsa, sign_rsa, PR_TRUE, 1024, PR_FALSE}, |
262 {kea_dh_dss, kt_dh, sign_dsa, PR_FALSE, 0, PR_FALSE}, | 275 {kea_dh_dss, kt_dh, sign_dsa, PR_FALSE, 0, PR_FALSE}, |
(...skipping 101 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
364 cipher_camellia_256, mac_sha, kea_dhe_rsa}, | 377 cipher_camellia_256, mac_sha, kea_dhe_rsa}, |
365 | 378 |
366 {TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, | 379 {TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, |
367 cipher_des, mac_sha,kea_rsa_export_1024}, | 380 cipher_des, mac_sha,kea_rsa_export_1024}, |
368 {TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, | 381 {TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, |
369 cipher_rc4_56, mac_sha,kea_rsa_export_1024}, | 382 cipher_rc4_56, mac_sha,kea_rsa_export_1024}, |
370 | 383 |
371 {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips}, | 384 {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips}, |
372 {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips}, | 385 {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips}, |
373 | 386 |
387 {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_rsa}, | |
388 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_ec dhe_rsa}, | |
389 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_ ecdhe_ecdsa}, | |
390 | |
374 #ifdef NSS_ENABLE_ECC | 391 #ifdef NSS_ENABLE_ECC |
375 {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa}, | 392 {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa}, |
376 {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa}, | 393 {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa}, |
377 {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa} , | 394 {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa} , |
378 {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecds a}, | 395 {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecds a}, |
379 {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecds a}, | 396 {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecds a}, |
380 | 397 |
381 {TLS_ECDHE_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_ecdsa }, | 398 {TLS_ECDHE_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_ecdsa }, |
382 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_ecdsa }, | 399 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_ecdsa }, |
383 {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecds a}, | 400 {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecds a}, |
(...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
427 { calg_null , (CK_MECHANISM_TYPE)0x80000000L }, | 444 { calg_null , (CK_MECHANISM_TYPE)0x80000000L }, |
428 { calg_rc4 , CKM_RC4 }, | 445 { calg_rc4 , CKM_RC4 }, |
429 { calg_rc2 , CKM_RC2_CBC }, | 446 { calg_rc2 , CKM_RC2_CBC }, |
430 { calg_des , CKM_DES_CBC }, | 447 { calg_des , CKM_DES_CBC }, |
431 { calg_3des , CKM_DES3_CBC }, | 448 { calg_3des , CKM_DES3_CBC }, |
432 { calg_idea , CKM_IDEA_CBC }, | 449 { calg_idea , CKM_IDEA_CBC }, |
433 { calg_fortezza , CKM_SKIPJACK_CBC64 }, | 450 { calg_fortezza , CKM_SKIPJACK_CBC64 }, |
434 { calg_aes , CKM_AES_CBC }, | 451 { calg_aes , CKM_AES_CBC }, |
435 { calg_camellia , CKM_CAMELLIA_CBC }, | 452 { calg_camellia , CKM_CAMELLIA_CBC }, |
436 { calg_seed , CKM_SEED_CBC }, | 453 { calg_seed , CKM_SEED_CBC }, |
454 { calg_aes_128_gcm, CKM_AES_GCM }, | |
437 /* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */ | 455 /* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */ |
438 }; | 456 }; |
439 | 457 |
440 #define mmech_null (CK_MECHANISM_TYPE)0x80000000L | 458 #define mmech_null (CK_MECHANISM_TYPE)0x80000000L |
441 #define mmech_md5 CKM_SSL3_MD5_MAC | 459 #define mmech_md5 CKM_SSL3_MD5_MAC |
442 #define mmech_sha CKM_SSL3_SHA1_MAC | 460 #define mmech_sha CKM_SSL3_SHA1_MAC |
443 #define mmech_md5_hmac CKM_MD5_HMAC | 461 #define mmech_md5_hmac CKM_MD5_HMAC |
444 #define mmech_sha_hmac CKM_SHA_1_HMAC | 462 #define mmech_sha_hmac CKM_SHA_1_HMAC |
445 #define mmech_sha256_hmac CKM_SHA256_HMAC | 463 #define mmech_sha256_hmac CKM_SHA256_HMAC |
446 | 464 |
(...skipping 18 matching lines...) Expand all Loading... | |
465 "RC2-CBC-40", | 483 "RC2-CBC-40", |
466 "DES-CBC", | 484 "DES-CBC", |
467 "3DES-EDE-CBC", | 485 "3DES-EDE-CBC", |
468 "DES-CBC-40", | 486 "DES-CBC-40", |
469 "IDEA-CBC", | 487 "IDEA-CBC", |
470 "AES-128", | 488 "AES-128", |
471 "AES-256", | 489 "AES-256", |
472 "Camellia-128", | 490 "Camellia-128", |
473 "Camellia-256", | 491 "Camellia-256", |
474 "SEED-CBC", | 492 "SEED-CBC", |
493 "AES-128-GCM", | |
475 "missing" | 494 "missing" |
476 }; | 495 }; |
477 | 496 |
478 #ifdef NSS_ENABLE_ECC | 497 #ifdef NSS_ENABLE_ECC |
479 /* The ECCWrappedKeyInfo structure defines how various pieces of | 498 /* The ECCWrappedKeyInfo structure defines how various pieces of |
480 * information are laid out within wrappedSymmetricWrappingkey | 499 * information are laid out within wrappedSymmetricWrappingkey |
481 * for ECDH key exchange. Since wrappedSymmetricWrappingkey is | 500 * for ECDH key exchange. Since wrappedSymmetricWrappingkey is |
482 * a 512-byte buffer (see sslimpl.h), the variable length field | 501 * a 512-byte buffer (see sslimpl.h), the variable length field |
483 * in ECCWrappedKeyInfo can be at most (512 - 8) = 504 bytes. | 502 * in ECCWrappedKeyInfo can be at most (512 - 8) = 504 bytes. |
484 * | 503 * |
(...skipping 106 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
591 * SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA: never implemented | 610 * SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA: never implemented |
592 * SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA: never implemented | 611 * SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA: never implemented |
593 * SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA: never implemented | 612 * SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA: never implemented |
594 * SSL_DH_ANON_EXPORT_WITH_RC4_40_MD5: never implemented | 613 * SSL_DH_ANON_EXPORT_WITH_RC4_40_MD5: never implemented |
595 * SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA: never implemented | 614 * SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA: never implemented |
596 */ | 615 */ |
597 return version <= SSL_LIBRARY_VERSION_TLS_1_0; | 616 return version <= SSL_LIBRARY_VERSION_TLS_1_0; |
598 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: | 617 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: |
599 case TLS_RSA_WITH_AES_256_CBC_SHA256: | 618 case TLS_RSA_WITH_AES_256_CBC_SHA256: |
600 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: | 619 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: |
620 case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: | |
601 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: | 621 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: |
622 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: | |
602 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: | 623 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: |
603 case TLS_RSA_WITH_AES_128_CBC_SHA256: | 624 case TLS_RSA_WITH_AES_128_CBC_SHA256: |
625 case TLS_RSA_WITH_AES_128_GCM_SHA256: | |
604 case TLS_RSA_WITH_NULL_SHA256: | 626 case TLS_RSA_WITH_NULL_SHA256: |
605 return version >= SSL_LIBRARY_VERSION_TLS_1_2; | 627 return version >= SSL_LIBRARY_VERSION_TLS_1_2; |
606 default: | 628 default: |
607 return PR_TRUE; | 629 return PR_TRUE; |
608 } | 630 } |
609 } | 631 } |
610 | 632 |
611 /* return pointer to ssl3CipherSuiteDef for suite, or NULL */ | 633 /* return pointer to ssl3CipherSuiteDef for suite, or NULL */ |
612 /* XXX This does a linear search. A binary search would be better. */ | 634 /* XXX This does a linear search. A binary search would be better. */ |
613 static const ssl3CipherSuiteDef * | 635 static const ssl3CipherSuiteDef * |
(...skipping 739 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1353 if (IS_DTLS(ss)) { | 1375 if (IS_DTLS(ss)) { |
1354 /* Double-check that we did not pick an RC4 suite */ | 1376 /* Double-check that we did not pick an RC4 suite */ |
1355 PORT_Assert((suite_def->bulk_cipher_alg != cipher_rc4) && | 1377 PORT_Assert((suite_def->bulk_cipher_alg != cipher_rc4) && |
1356 (suite_def->bulk_cipher_alg != cipher_rc4_40) && | 1378 (suite_def->bulk_cipher_alg != cipher_rc4_40) && |
1357 (suite_def->bulk_cipher_alg != cipher_rc4_56)); | 1379 (suite_def->bulk_cipher_alg != cipher_rc4_56)); |
1358 } | 1380 } |
1359 | 1381 |
1360 cipher = suite_def->bulk_cipher_alg; | 1382 cipher = suite_def->bulk_cipher_alg; |
1361 kea = suite_def->key_exchange_alg; | 1383 kea = suite_def->key_exchange_alg; |
1362 mac = suite_def->mac_alg; | 1384 mac = suite_def->mac_alg; |
1363 if (mac <= ssl_mac_sha && isTLS) | 1385 if (mac <= ssl_mac_sha && mac != mac_null && isTLS) |
1364 mac += 2; | 1386 mac += 2; |
1365 | 1387 |
1366 ss->ssl3.hs.suite_def = suite_def; | 1388 ss->ssl3.hs.suite_def = suite_def; |
1367 ss->ssl3.hs.kea_def = &kea_defs[kea]; | 1389 ss->ssl3.hs.kea_def = &kea_defs[kea]; |
1368 PORT_Assert(ss->ssl3.hs.kea_def->kea == kea); | 1390 PORT_Assert(ss->ssl3.hs.kea_def->kea == kea); |
1369 | 1391 |
1370 pwSpec->cipher_def = &bulk_cipher_defs[cipher]; | 1392 pwSpec->cipher_def = &bulk_cipher_defs[cipher]; |
1371 PORT_Assert(pwSpec->cipher_def->cipher == cipher); | 1393 PORT_Assert(pwSpec->cipher_def->cipher == cipher); |
1372 | 1394 |
1373 pwSpec->mac_def = &mac_defs[mac]; | 1395 pwSpec->mac_def = &mac_defs[mac]; |
(...skipping 173 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1547 ssl3CipherSpec * pwSpec; | 1569 ssl3CipherSpec * pwSpec; |
1548 const ssl3BulkCipherDef *cipher_def; | 1570 const ssl3BulkCipherDef *cipher_def; |
1549 void * serverContext = NULL; | 1571 void * serverContext = NULL; |
1550 void * clientContext = NULL; | 1572 void * clientContext = NULL; |
1551 BLapiInitContextFunc initFn = (BLapiInitContextFunc)NULL; | 1573 BLapiInitContextFunc initFn = (BLapiInitContextFunc)NULL; |
1552 int mode = 0; | 1574 int mode = 0; |
1553 unsigned int optArg1 = 0; | 1575 unsigned int optArg1 = 0; |
1554 unsigned int optArg2 = 0; | 1576 unsigned int optArg2 = 0; |
1555 PRBool server_encrypts = ss->sec.isServer; | 1577 PRBool server_encrypts = ss->sec.isServer; |
1556 SSLCipherAlgorithm calg; | 1578 SSLCipherAlgorithm calg; |
1557 SSLCompressionMethod compression_method; | |
1558 SECStatus rv; | 1579 SECStatus rv; |
1559 | 1580 |
1560 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 1581 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
1561 PORT_Assert(ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); | 1582 PORT_Assert(ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); |
1562 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); | 1583 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); |
1563 | 1584 |
1564 pwSpec = ss->ssl3.pwSpec; | 1585 pwSpec = ss->ssl3.pwSpec; |
1565 cipher_def = pwSpec->cipher_def; | 1586 cipher_def = pwSpec->cipher_def; |
1566 | 1587 |
1567 calg = cipher_def->calg; | 1588 calg = cipher_def->calg; |
1568 compression_method = pwSpec->compression_method; | |
1569 | 1589 |
1570 serverContext = pwSpec->server.cipher_context; | 1590 serverContext = pwSpec->server.cipher_context; |
1571 clientContext = pwSpec->client.cipher_context; | 1591 clientContext = pwSpec->client.cipher_context; |
1572 | 1592 |
1573 switch (calg) { | 1593 switch (calg) { |
1574 case ssl_calg_null: | 1594 case ssl_calg_null: |
1575 pwSpec->encode = Null_Cipher; | 1595 pwSpec->encode = Null_Cipher; |
1576 pwSpec->decode = Null_Cipher; | 1596 pwSpec->decode = Null_Cipher; |
1577 pwSpec->destroy = NULL; | 1597 pwSpec->destroy = NULL; |
1578 goto success; | 1598 goto success; |
(...skipping 135 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1714 case CKM_RC2_MAC: | 1734 case CKM_RC2_MAC: |
1715 case CKM_RC2_MAC_GENERAL: | 1735 case CKM_RC2_MAC_GENERAL: |
1716 case CKM_RC2_CBC_PAD: | 1736 case CKM_RC2_CBC_PAD: |
1717 *(CK_RC2_PARAMS *)param->data = ulEffectiveBits; | 1737 *(CK_RC2_PARAMS *)param->data = ulEffectiveBits; |
1718 default: break; | 1738 default: break; |
1719 } | 1739 } |
1720 } | 1740 } |
1721 return param; | 1741 return param; |
1722 } | 1742 } |
1723 | 1743 |
1744 /* ssl3_build_record_pseudo_header writes the TLS pseudo-header (the data which | |
1745 * is included in the MAC) to |out| and returns its length. */ | |
1746 static int | |
1747 ssl3_build_record_pseudo_header(unsigned char* out, | |
1748 SSL3ContentType type, | |
1749 SSL3ProtocolVersion version, | |
1750 PRBool isDTLS, | |
1751 SSL3SequenceNumber seq_num, | |
1752 int length) { | |
1753 out[0] = (unsigned char)(seq_num.high >> 24); | |
1754 out[1] = (unsigned char)(seq_num.high >> 16); | |
1755 out[2] = (unsigned char)(seq_num.high >> 8); | |
1756 out[3] = (unsigned char)(seq_num.high >> 0); | |
1757 out[4] = (unsigned char)(seq_num.low >> 24); | |
1758 out[5] = (unsigned char)(seq_num.low >> 16); | |
1759 out[6] = (unsigned char)(seq_num.low >> 8); | |
1760 out[7] = (unsigned char)(seq_num.low >> 0); | |
1761 out[8] = type; | |
1762 | |
1763 /* TLS MAC includes the record's version field, SSL's doesn't. We decide | |
1764 * which MAC defintiion to use based on the version of the protocol that | |
1765 * was negotiated when the spec became current, NOT based on the version | |
1766 * value in the record itself. But, we use the record'v version value in | |
1767 * the computation. */ | |
1768 if (version <= SSL_LIBRARY_VERSION_3_0) { | |
1769 out[9] = MSB(length); | |
1770 out[10] = LSB(length); | |
1771 return 11; | |
1772 } else { | |
1773 /* New TLS hash includes version. */ | |
1774 if (isDTLS) { | |
1775 SSL3ProtocolVersion dtls_version; | |
1776 | |
1777 dtls_version = dtls_TLSVersionToDTLSVersion(version); | |
1778 out[9] = MSB(dtls_version); | |
1779 out[10] = LSB(dtls_version); | |
1780 } else { | |
1781 out[9] = MSB(version); | |
1782 out[10] = LSB(version); | |
1783 } | |
1784 out[11] = MSB(length); | |
1785 out[12] = LSB(length); | |
1786 return 13; | |
1787 } | |
1788 } | |
1789 | |
1790 typedef SECStatus (*PK11CryptFcn)( | |
1791 PK11SymKey *symKey, CK_MECHANISM_TYPE mechanism, SECItem *param, | |
1792 unsigned char *out, unsigned int *outLen, unsigned int maxLen, | |
1793 const unsigned char *in, unsigned int inLen); | |
1794 | |
1795 static PK11CryptFcn pk11_encrypt = NULL; | |
1796 static PK11CryptFcn pk11_decrypt = NULL; | |
1797 | |
1798 static PRCallOnceType checkGCMSupportOnce; | |
1799 | |
1800 static PRStatus | |
1801 ssl3_CheckGCMSupport(void) | |
agl
2013/08/02 14:59:50
This function is called CheckGCMSupport, but it do
wtc
2013/08/03 01:02:15
Done. Renamed this function ssl3_ResolvePK11CryptF
| |
1802 { | |
1803 #ifdef LINUX | |
1804 void *handle = dlopen(NULL, RTLD_LAZY); | |
1805 if (!handle) { | |
1806 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | |
1807 return PR_FAILURE; | |
1808 } | |
1809 pk11_encrypt = (PK11CryptFcn)dlsym(handle, "PK11_Encrypt"); | |
1810 pk11_decrypt = (PK11CryptFcn)dlsym(handle, "PK11_Decrypt"); | |
1811 dlclose(handle); | |
1812 return PR_SUCCESS; | |
1813 #else | |
1814 pk11_encrypt = PK11_Encrypt; | |
1815 pk11_decrypt = PK11_Decrypt; | |
1816 return PR_SUCCESS; | |
1817 #endif | |
1818 } | |
1819 | |
1820 /* List of all GCM cipher suites */ | |
1821 static const ssl3CipherSuite gcmSuites[] = { | |
1822 TLS_RSA_WITH_AES_128_GCM_SHA256, | |
1823 #ifdef NSS_ENABLE_ECC | |
1824 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, | |
1825 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, | |
1826 #endif | |
1827 0 /* end of list marker */ | |
1828 }; | |
1829 | |
1830 /* On this socket, disable the GCM cipher suites */ | |
1831 SECStatus | |
1832 ssl3_DisableGCMSuites(sslSocket * ss) | |
1833 { | |
1834 const ssl3CipherSuite * suite; | |
agl
2013/08/02 14:59:50
It occurs that the cipher of the ciphersuites coul
wtc
2013/08/03 01:02:15
I re-implemented ssl3_DisableGCMSuites in patch se
| |
1835 | |
1836 for (suite = gcmSuites; *suite; ++suite) { | |
1837 SECStatus rv = ssl3_CipherPrefSet(ss, *suite, PR_FALSE); | |
1838 | |
1839 PORT_Assert(rv == SECSuccess); /* else is coding error */ | |
1840 } | |
1841 return SECSuccess; | |
1842 } | |
1843 | |
1844 static SECStatus | |
1845 ssl3_aes_gcm(ssl3KeyMaterial *keys, | |
1846 PRBool doDecrypt, | |
1847 unsigned char *out, | |
1848 int *outlen, | |
1849 int maxout, | |
1850 const unsigned char *in, | |
1851 int inlen, | |
1852 const unsigned char *explicitNonce, | |
1853 int explicitNonceLen, | |
1854 SSL3ContentType type, | |
1855 SSL3ProtocolVersion version, | |
1856 SSL3SequenceNumber seq_num) { | |
1857 SECItem param; | |
1858 SECStatus rv = SECFailure; | |
1859 unsigned char nonce[12]; | |
1860 unsigned char additionalData[13]; | |
1861 int additionalDataLen; | |
1862 unsigned int uOutLen; | |
1863 CK_GCM_PARAMS gcmParams; | |
1864 | |
1865 static const int tagSize = 16; | |
1866 | |
1867 PORT_Assert(explicitNonceLen == 8); | |
1868 | |
1869 /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the | |
1870 * nonce is formed. */ | |
1871 memcpy(nonce, keys->write_iv, 4); | |
1872 memcpy(nonce + 4, explicitNonce, 8); | |
1873 | |
1874 /* See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the | |
1875 * definition of the AEAD additional data. */ | |
1876 additionalDataLen = ssl3_build_record_pseudo_header( | |
1877 additionalData, type, version, PR_FALSE /* not DTLS */, seq_num, | |
1878 inlen - (doDecrypt ? tagSize : 0)); | |
1879 PORT_Assert(additionalDataLen <= sizeof(additionalData)); | |
1880 | |
1881 memset(¶m, 0, sizeof(param)); | |
1882 param.len = sizeof(CK_GCM_PARAMS); | |
1883 param.data = (unsigned char *) &gcmParams; | |
1884 memset(&gcmParams, 0, sizeof(CK_GCM_PARAMS)); | |
1885 gcmParams.pIv = nonce; | |
1886 gcmParams.ulIvLen = sizeof(nonce); | |
1887 gcmParams.pAAD = additionalData; | |
1888 gcmParams.ulAADLen = additionalDataLen; | |
1889 gcmParams.ulTagBits = tagSize * 8; | |
1890 | |
1891 if (doDecrypt) { | |
1892 rv = pk11_decrypt(keys->write_key, CKM_AES_GCM, ¶m, out, &uOutLen, | |
1893 maxout, in, inlen); | |
1894 } else { | |
1895 rv = pk11_encrypt(keys->write_key, CKM_AES_GCM, ¶m, out, &uOutLen, | |
1896 maxout, in, inlen); | |
1897 } | |
1898 *outlen = (int) uOutLen; | |
1899 | |
1900 return rv; | |
1901 } | |
1902 | |
1724 /* Initialize encryption and MAC contexts for pending spec. | 1903 /* Initialize encryption and MAC contexts for pending spec. |
1725 * Master Secret already is derived. | 1904 * Master Secret already is derived. |
1726 * Caller holds Spec write lock. | 1905 * Caller holds Spec write lock. |
1727 */ | 1906 */ |
1728 static SECStatus | 1907 static SECStatus |
1729 ssl3_InitPendingContextsPKCS11(sslSocket *ss) | 1908 ssl3_InitPendingContextsPKCS11(sslSocket *ss) |
1730 { | 1909 { |
1731 ssl3CipherSpec * pwSpec; | 1910 ssl3CipherSpec * pwSpec; |
1732 const ssl3BulkCipherDef *cipher_def; | 1911 const ssl3BulkCipherDef *cipher_def; |
1733 PK11Context * serverContext = NULL; | 1912 PK11Context * serverContext = NULL; |
1734 PK11Context * clientContext = NULL; | 1913 PK11Context * clientContext = NULL; |
1735 SECItem * param; | 1914 SECItem * param; |
1736 CK_MECHANISM_TYPE mechanism; | 1915 CK_MECHANISM_TYPE mechanism; |
1737 CK_MECHANISM_TYPE mac_mech; | 1916 CK_MECHANISM_TYPE mac_mech; |
1738 CK_ULONG macLength; | 1917 CK_ULONG macLength; |
1739 CK_ULONG effKeyBits; | 1918 CK_ULONG effKeyBits; |
1740 SECItem iv; | 1919 SECItem iv; |
1741 SECItem mac_param; | 1920 SECItem mac_param; |
1742 SSLCipherAlgorithm calg; | 1921 SSLCipherAlgorithm calg; |
1743 | 1922 |
1744 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 1923 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
1745 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); | 1924 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); |
1746 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); | 1925 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); |
1747 | 1926 |
1748 pwSpec = ss->ssl3.pwSpec; | 1927 pwSpec = ss->ssl3.pwSpec; |
1749 cipher_def = pwSpec->cipher_def; | 1928 cipher_def = pwSpec->cipher_def; |
1750 macLength = pwSpec->mac_size; | 1929 macLength = pwSpec->mac_size; |
1930 calg = cipher_def->calg; | |
1931 PORT_Assert(alg2Mech[calg].calg == calg); | |
1932 mechanism = alg2Mech[calg].cmech; | |
1933 | |
1934 pwSpec->client.write_mac_context = NULL; | |
1935 pwSpec->server.write_mac_context = NULL; | |
1936 | |
1937 if (calg == calg_aes_128_gcm) { | |
1938 pwSpec->encode = NULL; | |
1939 pwSpec->decode = NULL; | |
1940 pwSpec->destroy = NULL; | |
1941 pwSpec->encodeContext = NULL; | |
1942 pwSpec->decodeContext = NULL; | |
1943 pwSpec->aead = ssl3_aes_gcm; | |
1944 return SECSuccess; | |
1945 } | |
1751 | 1946 |
1752 /* | 1947 /* |
1753 ** Now setup the MAC contexts, | 1948 ** Now setup the MAC contexts, |
1754 ** crypto contexts are setup below. | 1949 ** crypto contexts are setup below. |
1755 */ | 1950 */ |
1756 | 1951 |
1757 pwSpec->client.write_mac_context = NULL; | |
1758 pwSpec->server.write_mac_context = NULL; | |
1759 mac_mech = pwSpec->mac_def->mmech; | 1952 mac_mech = pwSpec->mac_def->mmech; |
1760 mac_param.data = (unsigned char *)&macLength; | 1953 mac_param.data = (unsigned char *)&macLength; |
1761 mac_param.len = sizeof(macLength); | 1954 mac_param.len = sizeof(macLength); |
1762 mac_param.type = 0; | 1955 mac_param.type = 0; |
1763 | 1956 |
1764 pwSpec->client.write_mac_context = PK11_CreateContextBySymKey( | 1957 pwSpec->client.write_mac_context = PK11_CreateContextBySymKey( |
1765 mac_mech, CKA_SIGN, pwSpec->client.write_mac_key, &mac_param); | 1958 mac_mech, CKA_SIGN, pwSpec->client.write_mac_key, &mac_param); |
1766 if (pwSpec->client.write_mac_context == NULL) { | 1959 if (pwSpec->client.write_mac_context == NULL) { |
1767 ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE); | 1960 ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE); |
1768 goto fail; | 1961 goto fail; |
1769 } | 1962 } |
1770 pwSpec->server.write_mac_context = PK11_CreateContextBySymKey( | 1963 pwSpec->server.write_mac_context = PK11_CreateContextBySymKey( |
1771 mac_mech, CKA_SIGN, pwSpec->server.write_mac_key, &mac_param); | 1964 mac_mech, CKA_SIGN, pwSpec->server.write_mac_key, &mac_param); |
1772 if (pwSpec->server.write_mac_context == NULL) { | 1965 if (pwSpec->server.write_mac_context == NULL) { |
1773 ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE); | 1966 ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE); |
1774 goto fail; | 1967 goto fail; |
1775 } | 1968 } |
1776 | 1969 |
1777 /* | 1970 /* |
1778 ** Now setup the crypto contexts. | 1971 ** Now setup the crypto contexts. |
1779 */ | 1972 */ |
1780 | 1973 |
1781 calg = cipher_def->calg; | |
1782 PORT_Assert(alg2Mech[calg].calg == calg); | |
1783 | |
1784 if (calg == calg_null) { | 1974 if (calg == calg_null) { |
1785 pwSpec->encode = Null_Cipher; | 1975 pwSpec->encode = Null_Cipher; |
1786 pwSpec->decode = Null_Cipher; | 1976 pwSpec->decode = Null_Cipher; |
1787 pwSpec->destroy = NULL; | 1977 pwSpec->destroy = NULL; |
1788 return SECSuccess; | 1978 return SECSuccess; |
1789 } | 1979 } |
1790 mechanism = alg2Mech[calg].cmech; | |
1791 effKeyBits = cipher_def->key_size * BPB; | 1980 effKeyBits = cipher_def->key_size * BPB; |
1792 | 1981 |
1793 /* | 1982 /* |
1794 * build the server context | 1983 * build the server context |
1795 */ | 1984 */ |
1796 iv.data = pwSpec->server.write_iv; | 1985 iv.data = pwSpec->server.write_iv; |
1797 iv.len = cipher_def->iv_size; | 1986 iv.len = cipher_def->iv_size; |
1798 param = ssl3_ParamFromIV(mechanism, &iv, effKeyBits); | 1987 param = ssl3_ParamFromIV(mechanism, &iv, effKeyBits); |
1799 if (param == NULL) { | 1988 if (param == NULL) { |
1800 ssl_MapLowLevelError(SSL_ERROR_IV_PARAM_FAILURE); | 1989 ssl_MapLowLevelError(SSL_ERROR_IV_PARAM_FAILURE); |
(...skipping 191 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1992 SSL3ContentType type, | 2181 SSL3ContentType type, |
1993 SSL3ProtocolVersion version, | 2182 SSL3ProtocolVersion version, |
1994 SSL3SequenceNumber seq_num, | 2183 SSL3SequenceNumber seq_num, |
1995 const SSL3Opaque * input, | 2184 const SSL3Opaque * input, |
1996 int inputLength, | 2185 int inputLength, |
1997 unsigned char * outbuf, | 2186 unsigned char * outbuf, |
1998 unsigned int * outLength) | 2187 unsigned int * outLength) |
1999 { | 2188 { |
2000 const ssl3MACDef * mac_def; | 2189 const ssl3MACDef * mac_def; |
2001 SECStatus rv; | 2190 SECStatus rv; |
2002 #ifndef NO_PKCS11_BYPASS | |
2003 PRBool isTLS; | |
2004 #endif | |
2005 unsigned int tempLen; | 2191 unsigned int tempLen; |
2006 unsigned char temp[MAX_MAC_LENGTH]; | 2192 unsigned char temp[MAX_MAC_LENGTH]; |
2193 #ifndef NO_PKCS11_BYPASS | |
2194 PRBool isTLS = PR_FALSE; | |
2007 | 2195 |
2008 temp[0] = (unsigned char)(seq_num.high >> 24); | 2196 if (spec->version >= SSL_LIBRARY_VERSION_3_0) { |
2009 temp[1] = (unsigned char)(seq_num.high >> 16); | 2197 » isTLS = PR_TRUE; |
2010 temp[2] = (unsigned char)(seq_num.high >> 8); | 2198 } |
2011 temp[3] = (unsigned char)(seq_num.high >> 0); | 2199 #endif |
2012 temp[4] = (unsigned char)(seq_num.low >> 24); | |
2013 temp[5] = (unsigned char)(seq_num.low >> 16); | |
2014 temp[6] = (unsigned char)(seq_num.low >> 8); | |
2015 temp[7] = (unsigned char)(seq_num.low >> 0); | |
2016 temp[8] = type; | |
2017 | 2200 |
2018 /* TLS MAC includes the record's version field, SSL's doesn't. | 2201 tempLen = ssl3_build_record_pseudo_header(temp, type, version, isDTLS, |
2019 ** We decide which MAC defintiion to use based on the version of | 2202 » » » » » seq_num, inputLength); |
2020 ** the protocol that was negotiated when the spec became current, | 2203 PORT_Assert(tempLen <= sizeof(temp)); |
2021 ** NOT based on the version value in the record itself. | |
2022 ** But, we use the record'v version value in the computation. | |
2023 */ | |
2024 if (spec->version <= SSL_LIBRARY_VERSION_3_0) { | |
2025 » temp[9] = MSB(inputLength); | |
2026 » temp[10] = LSB(inputLength); | |
2027 » tempLen = 11; | |
2028 #ifndef NO_PKCS11_BYPASS | |
2029 » isTLS = PR_FALSE; | |
2030 #endif | |
2031 } else { | |
2032 » /* New TLS hash includes version. */ | |
2033 » if (isDTLS) { | |
2034 » SSL3ProtocolVersion dtls_version; | |
2035 | |
2036 » dtls_version = dtls_TLSVersionToDTLSVersion(version); | |
2037 » temp[9] = MSB(dtls_version); | |
2038 » temp[10] = LSB(dtls_version); | |
2039 } else { | |
2040 » temp[9] = MSB(version); | |
2041 » temp[10] = LSB(version); | |
2042 } | |
2043 » temp[11] = MSB(inputLength); | |
2044 » temp[12] = LSB(inputLength); | |
2045 » tempLen = 13; | |
2046 #ifndef NO_PKCS11_BYPASS | |
2047 » isTLS = PR_TRUE; | |
2048 #endif | |
2049 } | |
2050 | 2204 |
2051 PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen)); | 2205 PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen)); |
2052 PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength)); | 2206 PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength)); |
2053 | 2207 |
2054 mac_def = spec->mac_def; | 2208 mac_def = spec->mac_def; |
2055 if (mac_def->mac == mac_null) { | 2209 if (mac_def->mac == mac_null) { |
2056 *outLength = 0; | 2210 *outLength = 0; |
2057 return SECSuccess; | 2211 return SECSuccess; |
2058 } | 2212 } |
2059 #ifndef NO_PKCS11_BYPASS | 2213 #ifndef NO_PKCS11_BYPASS |
(...skipping 323 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
2383 rv = cwSpec->compressor( | 2537 rv = cwSpec->compressor( |
2384 cwSpec->compressContext, | 2538 cwSpec->compressContext, |
2385 wrBuf->buf + headerLen + ivLen, &outlen, | 2539 wrBuf->buf + headerLen + ivLen, &outlen, |
2386 wrBuf->space - headerLen - ivLen, pIn, contentLen); | 2540 wrBuf->space - headerLen - ivLen, pIn, contentLen); |
2387 if (rv != SECSuccess) | 2541 if (rv != SECSuccess) |
2388 return rv; | 2542 return rv; |
2389 pIn = wrBuf->buf + headerLen + ivLen; | 2543 pIn = wrBuf->buf + headerLen + ivLen; |
2390 contentLen = outlen; | 2544 contentLen = outlen; |
2391 } | 2545 } |
2392 | 2546 |
2393 /* | 2547 if (cipher_def->type == type_aead) { |
2394 * Add the MAC | 2548 » /* Prepend the explicit part of the nonce. See |
2395 */ | 2549 » * https://tools.ietf.org/html/rfc5246#section-6.2.3.3 */ |
2396 rv = ssl3_ComputeRecordMAC( cwSpec, isServer, isDTLS, | 2550 » const int nonceLen = cipher_def->explicit_nonce_size; |
2397 » type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen, | 2551 » const int tagLen = cipher_def->tag_size; |
2398 » wrBuf->buf + headerLen + ivLen + contentLen, &macLen); | |
2399 if (rv != SECSuccess) { | |
2400 » ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); | |
2401 » return SECFailure; | |
2402 } | |
2403 p1Len = contentLen; | |
2404 p2Len = macLen; | |
2405 fragLen = contentLen + macLen;» /* needs to be encrypted */ | |
2406 PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024); | |
2407 | 2552 |
2408 /* | 2553 » if (nonceLen > wrBuf->space - headerLen) { |
2409 * Pad the text (if we're doing a block cipher) | 2554 » PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
2410 * then Encrypt it | 2555 » return SECFailure; |
2411 */ | 2556 » } |
2412 if (cipher_def->type == type_block) { | 2557 » rv = PK11_GenerateRandom(wrBuf->buf + headerLen, nonceLen); |
2413 » unsigned char * pBuf; | 2558 » if (rv != SECSuccess) { |
2414 » int padding_length; | 2559 » ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE); |
2415 » int i; | 2560 » return rv; |
2561 » } | |
2562 » if (headerLen + nonceLen + contentLen + tagLen > wrBuf->space) { | |
2563 » PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | |
2564 » return SECFailure; | |
2565 » } | |
2416 | 2566 |
2417 » oddLen = contentLen % cipher_def->block_size; | 2567 » cipherBytes = contentLen; |
2418 » /* Assume blockSize is a power of two */ | 2568 » rv = cwSpec->aead( |
2419 » padding_length = cipher_def->block_size - 1 - | 2569 » » isServer ? &cwSpec->server : &cwSpec->client, |
2420 » » » ((fragLen) & (cipher_def->block_size - 1)); | 2570 » » PR_FALSE, /* do encrypt */ |
2421 » fragLen += padding_length + 1; | 2571 » » wrBuf->buf + headerLen + nonceLen, /* output */ |
2422 » PORT_Assert((fragLen % cipher_def->block_size) == 0); | 2572 » » &cipherBytes, /* out len */ |
2423 | 2573 » » wrBuf->space - headerLen - nonceLen, /* max out */ |
2424 » /* Pad according to TLS rules (also acceptable to SSL3). */ | 2574 » » pIn, contentLen, /* input */ |
2425 » pBuf = &wrBuf->buf[headerLen + ivLen + fragLen - 1]; | 2575 » » wrBuf->buf + headerLen, nonceLen, /* explicit nonce */ |
2426 » for (i = padding_length + 1; i > 0; --i) { | 2576 » » type, cwSpec->version, cwSpec->write_seq_num); |
2427 » *pBuf-- = padding_length; | 2577 » if (rv != SECSuccess) { |
2428 » } | |
2429 » /* now, if contentLen is not a multiple of block size, fix it */ | |
2430 » p2Len = fragLen - p1Len; | |
2431 } | |
2432 if (p1Len < 256) { | |
2433 » oddLen = p1Len; | |
2434 » p1Len = 0; | |
2435 } else { | |
2436 » p1Len -= oddLen; | |
2437 } | |
2438 if (oddLen) { | |
2439 » p2Len += oddLen; | |
2440 » PORT_Assert( (cipher_def->block_size < 2) || \ | |
2441 » » (p2Len % cipher_def->block_size) == 0); | |
2442 » memmove(wrBuf->buf + headerLen + ivLen + p1Len, pIn + p1Len, oddLen); | |
2443 } | |
2444 if (p1Len > 0) { | |
2445 » int cipherBytesPart1 = -1; | |
2446 » rv = cwSpec->encode( cwSpec->encodeContext, | |
2447 » wrBuf->buf + headerLen + ivLen, /* output */ | |
2448 » &cipherBytesPart1, /* actual outlen */ | |
2449 » p1Len, /* max outlen */ | |
2450 » pIn, p1Len); /* input, and inputlen */ | |
2451 » PORT_Assert(rv == SECSuccess && cipherBytesPart1 == (int) p1Len); | |
2452 » if (rv != SECSuccess || cipherBytesPart1 != (int) p1Len) { | |
2453 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); | 2578 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); |
2454 return SECFailure; | 2579 return SECFailure; |
2455 } | 2580 } |
2456 » cipherBytes += cipherBytesPart1; | 2581 » cipherBytes += nonceLen; |
2457 } | 2582 } else { |
2458 if (p2Len > 0) { | 2583 » /* |
2459 » int cipherBytesPart2 = -1; | 2584 » * Add the MAC |
2460 » rv = cwSpec->encode( cwSpec->encodeContext, | 2585 » */ |
2461 » wrBuf->buf + headerLen + ivLen + p1Len, | 2586 » rv = ssl3_ComputeRecordMAC( cwSpec, isServer, isDTLS, |
2462 » &cipherBytesPart2, /* output and actual outLen */ | 2587 » type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen, |
2463 » p2Len, /* max outlen */ | 2588 » wrBuf->buf + headerLen + ivLen + contentLen, &macLen); |
2464 » wrBuf->buf + headerLen + ivLen + p1Len, | 2589 » if (rv != SECSuccess) { |
2465 » p2Len); /* input and inputLen*/ | 2590 » ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); |
2466 » PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len); | |
2467 » if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) { | |
2468 » PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); | |
2469 return SECFailure; | 2591 return SECFailure; |
2470 } | 2592 } |
2471 » cipherBytes += cipherBytesPart2; | 2593 » p1Len = contentLen; |
2472 }» | 2594 » p2Len = macLen; |
2595 » fragLen = contentLen + macLen;» /* needs to be encrypted */ | |
2596 » PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024); | |
2597 | |
2598 » /* | |
2599 » * Pad the text (if we're doing a block cipher) | |
2600 » * then Encrypt it | |
2601 » */ | |
2602 » if (cipher_def->type == type_block) { | |
2603 » unsigned char * pBuf; | |
2604 » int padding_length; | |
2605 » int i; | |
2606 | |
2607 » oddLen = contentLen % cipher_def->block_size; | |
2608 » /* Assume blockSize is a power of two */ | |
2609 » padding_length = cipher_def->block_size - 1 - | |
2610 » » » ((fragLen) & (cipher_def->block_size - 1)); | |
2611 » fragLen += padding_length + 1; | |
2612 » PORT_Assert((fragLen % cipher_def->block_size) == 0); | |
2613 | |
2614 » /* Pad according to TLS rules (also acceptable to SSL3). */ | |
2615 » pBuf = &wrBuf->buf[headerLen + ivLen + fragLen - 1]; | |
2616 » for (i = padding_length + 1; i > 0; --i) { | |
2617 » » *pBuf-- = padding_length; | |
2618 » } | |
2619 » /* now, if contentLen is not a multiple of block size, fix it */ | |
2620 » p2Len = fragLen - p1Len; | |
2621 » } | |
2622 » if (p1Len < 256) { | |
2623 » oddLen = p1Len; | |
2624 » p1Len = 0; | |
2625 » } else { | |
2626 » p1Len -= oddLen; | |
2627 » } | |
2628 » if (oddLen) { | |
2629 » p2Len += oddLen; | |
2630 » PORT_Assert( (cipher_def->block_size < 2) || \ | |
2631 » » » (p2Len % cipher_def->block_size) == 0); | |
2632 » memmove(wrBuf->buf + headerLen + ivLen + p1Len, pIn + p1Len, oddLen) ; | |
2633 » } | |
2634 » if (p1Len > 0) { | |
2635 » int cipherBytesPart1 = -1; | |
2636 » rv = cwSpec->encode( cwSpec->encodeContext, | |
2637 » » wrBuf->buf + headerLen + ivLen, /* output */ | |
2638 » » &cipherBytesPart1, /* actual outlen */ | |
2639 » » p1Len, /* max outlen */ | |
2640 » » pIn, p1Len); /* input, and inputlen */ | |
2641 » PORT_Assert(rv == SECSuccess && cipherBytesPart1 == (int) p1Len); | |
2642 » if (rv != SECSuccess || cipherBytesPart1 != (int) p1Len) { | |
2643 » » PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); | |
2644 » » return SECFailure; | |
2645 » } | |
2646 » cipherBytes += cipherBytesPart1; | |
2647 » } | |
2648 » if (p2Len > 0) { | |
2649 » int cipherBytesPart2 = -1; | |
2650 » rv = cwSpec->encode( cwSpec->encodeContext, | |
2651 » » wrBuf->buf + headerLen + ivLen + p1Len, | |
2652 » » &cipherBytesPart2, /* output and actual outLen */ | |
2653 » » p2Len, /* max outlen */ | |
2654 » » wrBuf->buf + headerLen + ivLen + p1Len, | |
2655 » » p2Len); /* input and inputLen*/ | |
2656 » PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len); | |
2657 » if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) { | |
2658 » » PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); | |
2659 » » return SECFailure; | |
2660 » } | |
2661 » cipherBytes += cipherBytesPart2; | |
2662 » } | |
2663 } | |
2664 | |
2473 PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024); | 2665 PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024); |
2474 | 2666 |
2475 wrBuf->len = cipherBytes + headerLen; | 2667 wrBuf->len = cipherBytes + headerLen; |
2476 wrBuf->buf[0] = type; | 2668 wrBuf->buf[0] = type; |
2477 if (isDTLS) { | 2669 if (isDTLS) { |
2478 SSL3ProtocolVersion version; | 2670 SSL3ProtocolVersion version; |
2479 | 2671 |
2480 version = dtls_TLSVersionToDTLSVersion(cwSpec->version); | 2672 version = dtls_TLSVersionToDTLSVersion(cwSpec->version); |
2481 wrBuf->buf[1] = MSB(version); | 2673 wrBuf->buf[1] = MSB(version); |
2482 wrBuf->buf[2] = LSB(version); | 2674 wrBuf->buf[2] = LSB(version); |
(...skipping 522 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
3005 ssl_ReleaseSSL3HandshakeLock(ss); | 3197 ssl_ReleaseSSL3HandshakeLock(ss); |
3006 return rv; /* error set by ssl3_FlushHandshake or ssl3_SendRecord */ | 3198 return rv; /* error set by ssl3_FlushHandshake or ssl3_SendRecord */ |
3007 } | 3199 } |
3008 | 3200 |
3009 /* | 3201 /* |
3010 * Send illegal_parameter alert. Set generic error number. | 3202 * Send illegal_parameter alert. Set generic error number. |
3011 */ | 3203 */ |
3012 static SECStatus | 3204 static SECStatus |
3013 ssl3_IllegalParameter(sslSocket *ss) | 3205 ssl3_IllegalParameter(sslSocket *ss) |
3014 { | 3206 { |
3015 PRBool isTLS; | |
3016 | |
3017 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); | |
3018 (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter); | 3207 (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter); |
3019 PORT_SetError(ss->sec.isServer ? SSL_ERROR_BAD_CLIENT | 3208 PORT_SetError(ss->sec.isServer ? SSL_ERROR_BAD_CLIENT |
3020 : SSL_ERROR_BAD_SERVER ); | 3209 : SSL_ERROR_BAD_SERVER ); |
3021 return SECFailure; | 3210 return SECFailure; |
3022 } | 3211 } |
3023 | 3212 |
3024 /* | 3213 /* |
3025 * Send handshake_Failure alert. Set generic error number. | 3214 * Send handshake_Failure alert. Set generic error number. |
3026 */ | 3215 */ |
3027 static SECStatus | 3216 static SECStatus |
(...skipping 1795 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
4823 if (!total_exten_len || !isTLS) { | 5012 if (!total_exten_len || !isTLS) { |
4824 /* not sending the elliptic_curves and ec_point_formats extensions */ | 5013 /* not sending the elliptic_curves and ec_point_formats extensions */ |
4825 ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */ | 5014 ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */ |
4826 } | 5015 } |
4827 #endif | 5016 #endif |
4828 | 5017 |
4829 if (IS_DTLS(ss)) { | 5018 if (IS_DTLS(ss)) { |
4830 ssl3_DisableNonDTLSSuites(ss); | 5019 ssl3_DisableNonDTLSSuites(ss); |
4831 } | 5020 } |
4832 | 5021 |
5022 (void) PR_CallOnce(&checkGCMSupportOnce, ssl3_CheckGCMSupport); | |
5023 if (!pk11_encrypt) { | |
agl
2013/08/02 14:59:50
(Assuming that PK11_Encrypt and PK11_Decrypt appea
wtc
2013/08/03 01:02:15
Yes, PK11_Encrypt and PK11_Decrypt were added in t
| |
5024 ssl3_DisableGCMSuites(ss); | |
5025 } | |
5026 | |
4833 /* how many suites are permitted by policy and user preference? */ | 5027 /* how many suites are permitted by policy and user preference? */ |
4834 num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE); | 5028 num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE); |
4835 if (!num_suites) | 5029 if (!num_suites) |
4836 return SECFailure; /* count_cipher_suites has set error code. */ | 5030 return SECFailure; /* count_cipher_suites has set error code. */ |
4837 if (ss->ssl3.hs.sendingSCSV) { | 5031 if (ss->ssl3.hs.sendingSCSV) { |
4838 ++num_suites; /* make room for SCSV */ | 5032 ++num_suites; /* make room for SCSV */ |
4839 } | 5033 } |
4840 | 5034 |
4841 /* count compression methods */ | 5035 /* count compression methods */ |
4842 numCompressionMethods = 0; | 5036 numCompressionMethods = 0; |
(...skipping 5096 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
9939 return rv; | 10133 return rv; |
9940 } | 10134 } |
9941 | 10135 |
9942 /* called from ssl3_SendFinished | 10136 /* called from ssl3_SendFinished |
9943 * | 10137 * |
9944 * This function is simply a debugging aid and therefore does not return a | 10138 * This function is simply a debugging aid and therefore does not return a |
9945 * SECStatus. */ | 10139 * SECStatus. */ |
9946 static void | 10140 static void |
9947 ssl3_RecordKeyLog(sslSocket *ss) | 10141 ssl3_RecordKeyLog(sslSocket *ss) |
9948 { | 10142 { |
9949 sslSessionID *sid; | |
9950 SECStatus rv; | 10143 SECStatus rv; |
9951 SECItem *keyData; | 10144 SECItem *keyData; |
9952 char buf[14 /* "CLIENT_RANDOM " */ + | 10145 char buf[14 /* "CLIENT_RANDOM " */ + |
9953 SSL3_RANDOM_LENGTH*2 /* client_random */ + | 10146 SSL3_RANDOM_LENGTH*2 /* client_random */ + |
9954 1 /* " " */ + | 10147 1 /* " " */ + |
9955 48*2 /* master secret */ + | 10148 48*2 /* master secret */ + |
9956 1 /* new line */]; | 10149 1 /* new line */]; |
9957 unsigned int j; | 10150 unsigned int j; |
9958 | 10151 |
9959 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 10152 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
9960 | 10153 |
9961 sid = ss->sec.ci.sid; | |
9962 | |
9963 if (!ssl_keylog_iob) | 10154 if (!ssl_keylog_iob) |
9964 return; | 10155 return; |
9965 | 10156 |
9966 rv = PK11_ExtractKeyValue(ss->ssl3.cwSpec->master_secret); | 10157 rv = PK11_ExtractKeyValue(ss->ssl3.cwSpec->master_secret); |
9967 if (rv != SECSuccess) | 10158 if (rv != SECSuccess) |
9968 return; | 10159 return; |
9969 | 10160 |
9970 ssl_GetSpecReadLock(ss); | 10161 ssl_GetSpecReadLock(ss); |
9971 | 10162 |
9972 /* keyData does not need to be freed. */ | 10163 /* keyData does not need to be freed. */ |
(...skipping 1191 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
11164 | 11355 |
11165 good = ~0U; | 11356 good = ~0U; |
11166 minLength = crSpec->mac_size; | 11357 minLength = crSpec->mac_size; |
11167 if (cipher_def->type == type_block) { | 11358 if (cipher_def->type == type_block) { |
11168 /* CBC records have a padding length byte at the end. */ | 11359 /* CBC records have a padding length byte at the end. */ |
11169 minLength++; | 11360 minLength++; |
11170 if (crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { | 11361 if (crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { |
11171 /* With >= TLS 1.1, CBC records have an explicit IV. */ | 11362 /* With >= TLS 1.1, CBC records have an explicit IV. */ |
11172 minLength += cipher_def->iv_size; | 11363 minLength += cipher_def->iv_size; |
11173 } | 11364 } |
11365 } else if (cipher_def->type == type_aead) { | |
11366 minLength = cipher_def->explicit_nonce_size + cipher_def->tag_size; | |
11174 } | 11367 } |
11175 | 11368 |
11176 /* We can perform this test in variable time because the record's total | 11369 /* We can perform this test in variable time because the record's total |
11177 * length and the ciphersuite are both public knowledge. */ | 11370 * length and the ciphersuite are both public knowledge. */ |
11178 if (cText->buf->len < minLength) { | 11371 if (cText->buf->len < minLength) { |
11179 goto decrypt_loser; | 11372 » goto decrypt_loser; |
11180 } | 11373 } |
11181 | 11374 |
11182 if (cipher_def->type == type_block && | 11375 if (cipher_def->type == type_block && |
11183 crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { | 11376 crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { |
11184 /* Consume the per-record explicit IV. RFC 4346 Section 6.2.3.2 states | 11377 /* Consume the per-record explicit IV. RFC 4346 Section 6.2.3.2 states |
11185 * "The receiver decrypts the entire GenericBlockCipher structure and | 11378 * "The receiver decrypts the entire GenericBlockCipher structure and |
11186 * then discards the first cipher block corresponding to the IV | 11379 * then discards the first cipher block corresponding to the IV |
11187 * component." Instead, we decrypt the first cipher block and then | 11380 * component." Instead, we decrypt the first cipher block and then |
11188 * discard it before decrypting the rest. | 11381 * discard it before decrypting the rest. |
11189 */ | 11382 */ |
(...skipping 10 matching lines...) Expand all Loading... | |
11200 PRINT_BUF(80, (ss, "IV (ciphertext):", cText->buf->buf, ivLen)); | 11393 PRINT_BUF(80, (ss, "IV (ciphertext):", cText->buf->buf, ivLen)); |
11201 | 11394 |
11202 /* The decryption result is garbage, but since we just throw away | 11395 /* The decryption result is garbage, but since we just throw away |
11203 * the block it doesn't matter. The decryption of the next block | 11396 * the block it doesn't matter. The decryption of the next block |
11204 * depends only on the ciphertext of the IV block. | 11397 * depends only on the ciphertext of the IV block. |
11205 */ | 11398 */ |
11206 rv = crSpec->decode(crSpec->decodeContext, iv, &decoded, | 11399 rv = crSpec->decode(crSpec->decodeContext, iv, &decoded, |
11207 sizeof(iv), cText->buf->buf, ivLen); | 11400 sizeof(iv), cText->buf->buf, ivLen); |
11208 | 11401 |
11209 good &= SECStatusToMask(rv); | 11402 good &= SECStatusToMask(rv); |
11403 } else if (cipher_def->type == type_aead) { | |
11404 ivLen = cipher_def->explicit_nonce_size; | |
11210 } | 11405 } |
11211 | 11406 |
11212 /* If we will be decompressing the buffer we need to decrypt somewhere | 11407 /* If we will be decompressing the buffer we need to decrypt somewhere |
11213 * other than into databuf */ | 11408 * other than into databuf */ |
11214 if (crSpec->decompressor) { | 11409 if (crSpec->decompressor) { |
11215 temp_buf.buf = NULL; | 11410 temp_buf.buf = NULL; |
11216 temp_buf.space = 0; | 11411 temp_buf.space = 0; |
11217 plaintext = &temp_buf; | 11412 plaintext = &temp_buf; |
11218 } else { | 11413 } else { |
11219 plaintext = databuf; | 11414 plaintext = databuf; |
(...skipping 17 matching lines...) Expand all Loading... | |
11237 | 11432 |
11238 isTLS = (PRBool)(crSpec->version > SSL_LIBRARY_VERSION_3_0); | 11433 isTLS = (PRBool)(crSpec->version > SSL_LIBRARY_VERSION_3_0); |
11239 | 11434 |
11240 if (isTLS && cText->buf->len - ivLen > (MAX_FRAGMENT_LENGTH + 2048)) { | 11435 if (isTLS && cText->buf->len - ivLen > (MAX_FRAGMENT_LENGTH + 2048)) { |
11241 ssl_ReleaseSpecReadLock(ss); | 11436 ssl_ReleaseSpecReadLock(ss); |
11242 SSL3_SendAlert(ss, alert_fatal, record_overflow); | 11437 SSL3_SendAlert(ss, alert_fatal, record_overflow); |
11243 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); | 11438 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); |
11244 return SECFailure; | 11439 return SECFailure; |
11245 } | 11440 } |
11246 | 11441 |
11247 if (cipher_def->type == type_block && | 11442 rType = cText->type; |
11248 » ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) { | 11443 if (cipher_def->type == type_aead) { |
11249 » goto decrypt_loser; | 11444 » rv = crSpec->aead( |
11250 } | 11445 » » ss->sec.isServer ? &crSpec->client : &crSpec->server, |
11446 » » PR_TRUE, /* do decrypt */ | |
11447 » » plaintext->buf, /* out */ | |
11448 » » (int*) &plaintext->len, /* outlen */ | |
11449 » » plaintext->space, /* maxout */ | |
11450 » » cText->buf->buf + ivLen, /* in */ | |
11451 » » cText->buf->len - ivLen, /* inlen */ | |
11452 » » cText->buf->buf, /* explicitNonce */ | |
11453 » » cipher_def->explicit_nonce_size, /* explicitNonceLen */ | |
11454 » » rType, /* record type */ | |
11455 » » cText->version, | |
11456 » » crSpec->read_seq_num); | |
11457 » if (rv != SECSuccess) { | |
11458 » good = 0; | |
11459 » } | |
11460 } else { | |
11461 » if (cipher_def->type == type_block && | |
11462 » ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) { | |
11463 » goto decrypt_loser; | |
11464 » } | |
11251 | 11465 |
11252 /* decrypt from cText buf to plaintext. */ | 11466 » /* decrypt from cText buf to plaintext. */ |
11253 rv = crSpec->decode( | 11467 » rv = crSpec->decode( |
11254 » crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len, | 11468 » crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len, |
11255 » plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen); | 11469 » plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen); |
11256 if (rv != SECSuccess) { | 11470 » if (rv != SECSuccess) { |
11257 » goto decrypt_loser; | 11471 » goto decrypt_loser; |
11258 } | 11472 » } |
11259 | 11473 |
11260 PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len)); | 11474 » PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len)); |
11261 | 11475 |
11262 originalLen = plaintext->len; | 11476 » originalLen = plaintext->len; |
11263 | 11477 |
11264 /* If it's a block cipher, check and strip the padding. */ | 11478 » /* If it's a block cipher, check and strip the padding. */ |
11265 if (cipher_def->type == type_block) { | 11479 » if (cipher_def->type == type_block) { |
11266 » const unsigned int blockSize = cipher_def->block_size; | 11480 » const unsigned int blockSize = cipher_def->block_size; |
11267 » const unsigned int macSize = crSpec->mac_size; | 11481 » const unsigned int macSize = crSpec->mac_size; |
11268 | 11482 |
11269 » if (crSpec->version <= SSL_LIBRARY_VERSION_3_0) { | 11483 » if (crSpec->version <= SSL_LIBRARY_VERSION_3_0) { |
11270 » good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding( | 11484 » » good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding( |
11271 » » » plaintext, blockSize, macSize)); | 11485 » » » plaintext, blockSize, macSize)); |
11486 » } else { | |
11487 » » good &= SECStatusToMask(ssl_RemoveTLSCBCPadding( | |
11488 » » » plaintext, macSize)); | |
11489 » } | |
11490 » } | |
11491 | |
11492 » /* compute the MAC */ | |
11493 » if (cipher_def->type == type_block) { | |
11494 » rv = ssl3_ComputeRecordMACConstantTime( | |
11495 » » crSpec, (PRBool)(!ss->sec.isServer), | |
11496 » » IS_DTLS(ss), rType, cText->version, | |
11497 » » IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, | |
11498 » » plaintext->buf, plaintext->len, originalLen, | |
11499 » » hash, &hashBytes); | |
11500 | |
11501 » ssl_CBCExtractMAC(plaintext, originalLen, givenHashBuf, | |
11502 » » » crSpec->mac_size); | |
11503 » givenHash = givenHashBuf; | |
11504 | |
11505 » /* plaintext->len will always have enough space to remove the MAC | |
11506 » * because in ssl_Remove{SSLv3|TLS}CBCPadding we only adjust | |
11507 » * plaintext->len if the result has enough space for the MAC and we | |
11508 » * tested the unadjusted size against minLength, above. */ | |
11509 » plaintext->len -= crSpec->mac_size; | |
11272 } else { | 11510 } else { |
11273 » good &= SECStatusToMask(ssl_RemoveTLSCBCPadding( | 11511 » /* This is safe because we checked the minLength above. */ |
11274 » » » plaintext, macSize)); | 11512 » plaintext->len -= crSpec->mac_size; |
11513 | |
11514 » rv = ssl3_ComputeRecordMAC( | |
11515 » » crSpec, (PRBool)(!ss->sec.isServer), | |
11516 » » IS_DTLS(ss), rType, cText->version, | |
11517 » » IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, | |
11518 » » plaintext->buf, plaintext->len, | |
11519 » » hash, &hashBytes); | |
11520 | |
11521 » /* We can read the MAC directly from the record because its location is | |
11522 » * public when a stream cipher is used. */ | |
11523 » givenHash = plaintext->buf + plaintext->len; | |
11524 » } | |
11525 | |
11526 » good &= SECStatusToMask(rv); | |
11527 | |
11528 » if (hashBytes != (unsigned)crSpec->mac_size || | |
11529 » NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) { | |
11530 » /* We're allowed to leak whether or not the MAC check was correct */ | |
11531 » good = 0; | |
11275 } | 11532 } |
11276 } | 11533 } |
11277 | 11534 |
11278 /* compute the MAC */ | |
11279 rType = cText->type; | |
11280 if (cipher_def->type == type_block) { | |
11281 rv = ssl3_ComputeRecordMACConstantTime( | |
11282 crSpec, (PRBool)(!ss->sec.isServer), | |
11283 IS_DTLS(ss), rType, cText->version, | |
11284 IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, | |
11285 plaintext->buf, plaintext->len, originalLen, | |
11286 hash, &hashBytes); | |
11287 | |
11288 ssl_CBCExtractMAC(plaintext, originalLen, givenHashBuf, | |
11289 crSpec->mac_size); | |
11290 givenHash = givenHashBuf; | |
11291 | |
11292 /* plaintext->len will always have enough space to remove the MAC | |
11293 * because in ssl_Remove{SSLv3|TLS}CBCPadding we only adjust | |
11294 * plaintext->len if the result has enough space for the MAC and we | |
11295 * tested the unadjusted size against minLength, above. */ | |
11296 plaintext->len -= crSpec->mac_size; | |
11297 } else { | |
11298 /* This is safe because we checked the minLength above. */ | |
11299 plaintext->len -= crSpec->mac_size; | |
11300 | |
11301 rv = ssl3_ComputeRecordMAC( | |
11302 crSpec, (PRBool)(!ss->sec.isServer), | |
11303 IS_DTLS(ss), rType, cText->version, | |
11304 IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, | |
11305 plaintext->buf, plaintext->len, | |
11306 hash, &hashBytes); | |
11307 | |
11308 /* We can read the MAC directly from the record because its location is | |
11309 * public when a stream cipher is used. */ | |
11310 givenHash = plaintext->buf + plaintext->len; | |
11311 } | |
11312 | |
11313 good &= SECStatusToMask(rv); | |
11314 | |
11315 if (hashBytes != (unsigned)crSpec->mac_size || | |
11316 NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) { | |
11317 /* We're allowed to leak whether or not the MAC check was correct */ | |
11318 good = 0; | |
11319 } | |
11320 | |
11321 if (good == 0) { | 11535 if (good == 0) { |
11322 decrypt_loser: | 11536 decrypt_loser: |
11323 /* must not hold spec lock when calling SSL3_SendAlert. */ | 11537 /* must not hold spec lock when calling SSL3_SendAlert. */ |
11324 ssl_ReleaseSpecReadLock(ss); | 11538 ssl_ReleaseSpecReadLock(ss); |
11325 | 11539 |
11326 SSL_DBG(("%d: SSL3[%d]: decryption failed", SSL_GETPID(), ss->fd)); | 11540 SSL_DBG(("%d: SSL3[%d]: decryption failed", SSL_GETPID(), ss->fd)); |
11327 | 11541 |
11328 if (!IS_DTLS(ss)) { | 11542 if (!IS_DTLS(ss)) { |
11329 SSL3_SendAlert(ss, alert_fatal, bad_record_mac); | 11543 SSL3_SendAlert(ss, alert_fatal, bad_record_mac); |
11330 /* always log mac error, in case attacker can read server logs. */ | 11544 /* always log mac error, in case attacker can read server logs. */ |
(...skipping 639 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
11970 PORT_Free(ss->ssl3.hs.recvdFragments.buf); | 12184 PORT_Free(ss->ssl3.hs.recvdFragments.buf); |
11971 } | 12185 } |
11972 } | 12186 } |
11973 | 12187 |
11974 ss->ssl3.initialized = PR_FALSE; | 12188 ss->ssl3.initialized = PR_FALSE; |
11975 | 12189 |
11976 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); | 12190 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); |
11977 } | 12191 } |
11978 | 12192 |
11979 /* End of ssl3con.c */ | 12193 /* End of ssl3con.c */ |
OLD | NEW |