| OLD | NEW |
|---|
| 1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ | 1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ |
| 2 /* | 2 /* |
| 3 * SSL3 Protocol | 3 * SSL3 Protocol |
| 4 * | 4 * |
| 5 * This Source Code Form is subject to the terms of the Mozilla Public | 5 * This Source Code Form is subject to the terms of the Mozilla Public |
| 6 * License, v. 2.0. If a copy of the MPL was not distributed with this | 6 * License, v. 2.0. If a copy of the MPL was not distributed with this |
| 7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| 8 | 8 |
| 9 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */ | 9 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */ |
| 10 | 10 |
| (...skipping 26 matching lines...) Expand all Loading... |
| 37 #define CKM_NSS_TLS_PRF_GENERAL_SHA256 (CKM_NSS + 21) | 37 #define CKM_NSS_TLS_PRF_GENERAL_SHA256 (CKM_NSS + 21) |
| 38 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256 (CKM_NSS + 22) | 38 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256 (CKM_NSS + 22) |
| 39 #define CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256 (CKM_NSS + 23) | 39 #define CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256 (CKM_NSS + 23) |
| 40 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) | 40 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) |
| 41 #endif | 41 #endif |
| 42 | 42 |
| 43 #include <stdio.h> | 43 #include <stdio.h> |
| 44 #ifdef NSS_ENABLE_ZLIB | 44 #ifdef NSS_ENABLE_ZLIB |
| 45 #include "zlib.h" | 45 #include "zlib.h" |
| 46 #endif | 46 #endif |
| 47 #ifdef LINUX |
| 48 #include <dlfcn.h> |
| 49 #endif |
| 47 | 50 |
| 48 #ifndef PK11_SETATTRS | 51 #ifndef PK11_SETATTRS |
| 49 #define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \ | 52 #define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \ |
| 50 (x)->pValue=(v); (x)->ulValueLen = (l); | 53 (x)->pValue=(v); (x)->ulValueLen = (l); |
| 51 #endif | 54 #endif |
| 52 | 55 |
| 53 static SECStatus ssl3_AuthCertificate(sslSocket *ss); | 56 static SECStatus ssl3_AuthCertificate(sslSocket *ss); |
| 54 static void ssl3_CleanupPeerCerts(sslSocket *ss); | 57 static void ssl3_CleanupPeerCerts(sslSocket *ss); |
| 55 static void ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid); | 58 static void ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid); |
| 56 static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec, | 59 static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec, |
| (...skipping 14 matching lines...) Expand all Loading... |
| 71 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss); | 74 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss); |
| 72 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss, | 75 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss, |
| 73 const unsigned char *b, | 76 const unsigned char *b, |
| 74 unsigned int l); | 77 unsigned int l); |
| 75 static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags); | 78 static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags); |
| 76 static int ssl3_OIDToTLSHashAlgorithm(SECOidTag oid); | 79 static int ssl3_OIDToTLSHashAlgorithm(SECOidTag oid); |
| 77 | 80 |
| 78 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, | 81 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, |
| 79 int maxOutputLen, const unsigned char *input, | 82 int maxOutputLen, const unsigned char *input, |
| 80 int inputLen); | 83 int inputLen); |
| 84 #ifndef NO_PKCS11_BYPASS |
| 85 static SECStatus ssl3_AESGCMBypass(ssl3KeyMaterial *keys, PRBool doDecrypt, |
| 86 unsigned char *out, int *outlen, int maxout, |
| 87 const unsigned char *in, int inlen, |
| 88 SSL3ContentType type, |
| 89 SSL3ProtocolVersion version, |
| 90 SSL3SequenceNumber seq_num); |
| 91 #endif |
| 81 | 92 |
| 82 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */ | 93 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */ |
| 83 #define MIN_SEND_BUF_LENGTH 4000 | 94 #define MIN_SEND_BUF_LENGTH 4000 |
| 84 | 95 |
| 85 /* This list of SSL3 cipher suites is sorted in descending order of | 96 /* This list of SSL3 cipher suites is sorted in descending order of |
| 86 * precedence (desirability). It only includes cipher suites we implement. | 97 * precedence (desirability). It only includes cipher suites we implement. |
| 87 * This table is modified by SSL3_SetPolicy(). The ordering of cipher suites | 98 * This table is modified by SSL3_SetPolicy(). The ordering of cipher suites |
| 88 * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c) | 99 * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c) |
| 89 */ | 100 */ |
| 90 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { | 101 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { |
| 91 /* cipher_suite policy enabled is_present*/ | 102 /* cipher_suite policy enabled is_present*/ |
| 92 #ifdef NSS_ENABLE_ECC | 103 #ifdef NSS_ENABLE_ECC |
| 104 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 105 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 106 #endif /* NSS_ENABLE_ECC */ |
| 107 { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 108 { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 109 |
| 110 #ifdef NSS_ENABLE_ECC |
| 93 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, | 111 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 94 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, | 112 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 95 #endif /* NSS_ENABLE_ECC */ | 113 #endif /* NSS_ENABLE_ECC */ |
| 96 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, | 114 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 97 { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, | 115 { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 98 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, | 116 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 99 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, | 117 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 100 { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, | 118 { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 101 #ifdef NSS_ENABLE_ECC | 119 #ifdef NSS_ENABLE_ECC |
| 102 { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, | 120 { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| (...skipping 123 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 226 | 244 |
| 227 | 245 |
| 228 /* This global item is used only in servers. It is is initialized by | 246 /* This global item is used only in servers. It is is initialized by |
| 229 ** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest(). | 247 ** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest(). |
| 230 */ | 248 */ |
| 231 CERTDistNames *ssl3_server_ca_list = NULL; | 249 CERTDistNames *ssl3_server_ca_list = NULL; |
| 232 static SSL3Statistics ssl3stats; | 250 static SSL3Statistics ssl3stats; |
| 233 | 251 |
| 234 /* indexed by SSL3BulkCipher */ | 252 /* indexed by SSL3BulkCipher */ |
| 235 static const ssl3BulkCipherDef bulk_cipher_defs[] = { | 253 static const ssl3BulkCipherDef bulk_cipher_defs[] = { |
| 236 /* cipher calg keySz secretSz type ivSz BlkSz keygen */ | 254 /* |--------- Lengths --------| */ |
| 237 {cipher_null, calg_null, 0, 0, type_stream, 0, 0, kg_null}, | 255 /* cipher calg k s type i b t n */ |
| 238 {cipher_rc4, calg_rc4, 16, 16, type_stream, 0, 0, kg_strong}, | 256 /* e e v l a o */ |
| 239 {cipher_rc4_40, calg_rc4, 16, 5, type_stream, 0, 0, kg_export}, | 257 /* y c | o g n */ |
| 240 {cipher_rc4_56, calg_rc4, 16, 7, type_stream, 0, 0, kg_export}, | 258 /* | r | c | c */ |
| 241 {cipher_rc2, calg_rc2, 16, 16, type_block, 8, 8, kg_strong}, | 259 /* | e | k | e */ |
| 242 {cipher_rc2_40, calg_rc2, 16, 5, type_block, 8, 8, kg_export}, | 260 /* | t | | | | */ |
| 243 {cipher_des, calg_des, 8, 8, type_block, 8, 8, kg_strong}, | 261 {cipher_null, calg_null, 0, 0, type_stream, 0, 0, 0, 0}, |
| 244 {cipher_3des, calg_3des, 24, 24, type_block, 8, 8, kg_strong}, | 262 {cipher_rc4, calg_rc4, 16,16, type_stream, 0, 0, 0, 0}, |
| 245 {cipher_des40, calg_des, 8, 5, type_block, 8, 8, kg_export}, | 263 {cipher_rc4_40, calg_rc4, 16, 5, type_stream, 0, 0, 0, 0}, |
| 246 {cipher_idea, calg_idea, 16, 16, type_block, 8, 8, kg_strong}, | 264 {cipher_rc4_56, calg_rc4, 16, 7, type_stream, 0, 0, 0, 0}, |
| 247 {cipher_aes_128, calg_aes, 16, 16, type_block, 16,16, kg_strong}, | 265 {cipher_rc2, calg_rc2, 16,16, type_block, 8, 8, 0, 0}, |
| 248 {cipher_aes_256, calg_aes, 32, 32, type_block, 16,16, kg_strong}, | 266 {cipher_rc2_40, calg_rc2, 16, 5, type_block, 8, 8, 0, 0}, |
| 249 {cipher_camellia_128, calg_camellia,16, 16, type_block, 16,16, kg_strong}, | 267 {cipher_des, calg_des, 8, 8, type_block, 8, 8, 0, 0}, |
| 250 {cipher_camellia_256, calg_camellia,32, 32, type_block, 16,16, kg_strong}, | 268 {cipher_3des, calg_3des, 24,24, type_block, 8, 8, 0, 0}, |
| 251 {cipher_seed, calg_seed, 16, 16, type_block, 16,16, kg_strong}, | 269 {cipher_des40, calg_des, 8, 5, type_block, 8, 8, 0, 0}, |
| 252 {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, kg_null}, | 270 {cipher_idea, calg_idea, 16,16, type_block, 8, 8, 0, 0}, |
| 271 {cipher_aes_128, calg_aes, 16,16, type_block, 16,16, 0, 0}, |
| 272 {cipher_aes_256, calg_aes, 32,32, type_block, 16,16, 0, 0}, |
| 273 {cipher_camellia_128, calg_camellia, 16,16, type_block, 16,16, 0, 0}, |
| 274 {cipher_camellia_256, calg_camellia, 32,32, type_block, 16,16, 0, 0}, |
| 275 {cipher_seed, calg_seed, 16,16, type_block, 16,16, 0, 0}, |
| 276 {cipher_aes_128_gcm, calg_aes_gcm, 16,16, type_aead, 4, 0,16, 8}, |
| 277 {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, 0, 0}, |
| 253 }; | 278 }; |
| 254 | 279 |
| 255 static const ssl3KEADef kea_defs[] = | 280 static const ssl3KEADef kea_defs[] = |
| 256 { /* indexed by SSL3KeyExchangeAlgorithm */ | 281 { /* indexed by SSL3KeyExchangeAlgorithm */ |
| 257 /* kea exchKeyType signKeyType is_limited limit tls_keygen */ | 282 /* kea exchKeyType signKeyType is_limited limit tls_keygen */ |
| 258 {kea_null, kt_null, sign_null, PR_FALSE, 0, PR_FALSE}, | 283 {kea_null, kt_null, sign_null, PR_FALSE, 0, PR_FALSE}, |
| 259 {kea_rsa, kt_rsa, sign_rsa, PR_FALSE, 0, PR_FALSE}, | 284 {kea_rsa, kt_rsa, sign_rsa, PR_FALSE, 0, PR_FALSE}, |
| 260 {kea_rsa_export, kt_rsa, sign_rsa, PR_TRUE, 512, PR_FALSE}, | 285 {kea_rsa_export, kt_rsa, sign_rsa, PR_TRUE, 512, PR_FALSE}, |
| 261 {kea_rsa_export_1024,kt_rsa, sign_rsa, PR_TRUE, 1024, PR_FALSE}, | 286 {kea_rsa_export_1024,kt_rsa, sign_rsa, PR_TRUE, 1024, PR_FALSE}, |
| 262 {kea_dh_dss, kt_dh, sign_dsa, PR_FALSE, 0, PR_FALSE}, | 287 {kea_dh_dss, kt_dh, sign_dsa, PR_FALSE, 0, PR_FALSE}, |
| (...skipping 101 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 364 cipher_camellia_256, mac_sha, kea_dhe_rsa}, | 389 cipher_camellia_256, mac_sha, kea_dhe_rsa}, |
| 365 | 390 |
| 366 {TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, | 391 {TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, |
| 367 cipher_des, mac_sha,kea_rsa_export_1024}, | 392 cipher_des, mac_sha,kea_rsa_export_1024}, |
| 368 {TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, | 393 {TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, |
| 369 cipher_rc4_56, mac_sha,kea_rsa_export_1024}, | 394 cipher_rc4_56, mac_sha,kea_rsa_export_1024}, |
| 370 | 395 |
| 371 {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips}, | 396 {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips}, |
| 372 {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips}, | 397 {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips}, |
| 373 | 398 |
| 399 {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_dhe_
rsa}, |
| 400 {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_rsa}, |
| 401 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_ec
dhe_rsa}, |
| 402 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_
ecdhe_ecdsa}, |
| 403 |
| 374 #ifdef NSS_ENABLE_ECC | 404 #ifdef NSS_ENABLE_ECC |
| 375 {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa}, | 405 {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa}, |
| 376 {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa}, | 406 {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa}, |
| 377 {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa}
, | 407 {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa}
, |
| 378 {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecds
a}, | 408 {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecds
a}, |
| 379 {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecds
a}, | 409 {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecds
a}, |
| 380 | 410 |
| 381 {TLS_ECDHE_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_ecdsa
}, | 411 {TLS_ECDHE_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_ecdsa
}, |
| 382 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_ecdsa
}, | 412 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_ecdsa
}, |
| 383 {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecds
a}, | 413 {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecds
a}, |
| (...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 427 { calg_null , (CK_MECHANISM_TYPE)0x80000000L }, | 457 { calg_null , (CK_MECHANISM_TYPE)0x80000000L }, |
| 428 { calg_rc4 , CKM_RC4 }, | 458 { calg_rc4 , CKM_RC4 }, |
| 429 { calg_rc2 , CKM_RC2_CBC }, | 459 { calg_rc2 , CKM_RC2_CBC }, |
| 430 { calg_des , CKM_DES_CBC }, | 460 { calg_des , CKM_DES_CBC }, |
| 431 { calg_3des , CKM_DES3_CBC }, | 461 { calg_3des , CKM_DES3_CBC }, |
| 432 { calg_idea , CKM_IDEA_CBC }, | 462 { calg_idea , CKM_IDEA_CBC }, |
| 433 { calg_fortezza , CKM_SKIPJACK_CBC64 }, | 463 { calg_fortezza , CKM_SKIPJACK_CBC64 }, |
| 434 { calg_aes , CKM_AES_CBC }, | 464 { calg_aes , CKM_AES_CBC }, |
| 435 { calg_camellia , CKM_CAMELLIA_CBC }, | 465 { calg_camellia , CKM_CAMELLIA_CBC }, |
| 436 { calg_seed , CKM_SEED_CBC }, | 466 { calg_seed , CKM_SEED_CBC }, |
| 467 { calg_aes_gcm , CKM_AES_GCM }, |
| 437 /* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */ | 468 /* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */ |
| 438 }; | 469 }; |
| 439 | 470 |
| 440 #define mmech_null (CK_MECHANISM_TYPE)0x80000000L | 471 #define mmech_null (CK_MECHANISM_TYPE)0x80000000L |
| 441 #define mmech_md5 CKM_SSL3_MD5_MAC | 472 #define mmech_md5 CKM_SSL3_MD5_MAC |
| 442 #define mmech_sha CKM_SSL3_SHA1_MAC | 473 #define mmech_sha CKM_SSL3_SHA1_MAC |
| 443 #define mmech_md5_hmac CKM_MD5_HMAC | 474 #define mmech_md5_hmac CKM_MD5_HMAC |
| 444 #define mmech_sha_hmac CKM_SHA_1_HMAC | 475 #define mmech_sha_hmac CKM_SHA_1_HMAC |
| 445 #define mmech_sha256_hmac CKM_SHA256_HMAC | 476 #define mmech_sha256_hmac CKM_SHA256_HMAC |
| 446 | 477 |
| (...skipping 18 matching lines...) Expand all Loading... |
| 465 "RC2-CBC-40", | 496 "RC2-CBC-40", |
| 466 "DES-CBC", | 497 "DES-CBC", |
| 467 "3DES-EDE-CBC", | 498 "3DES-EDE-CBC", |
| 468 "DES-CBC-40", | 499 "DES-CBC-40", |
| 469 "IDEA-CBC", | 500 "IDEA-CBC", |
| 470 "AES-128", | 501 "AES-128", |
| 471 "AES-256", | 502 "AES-256", |
| 472 "Camellia-128", | 503 "Camellia-128", |
| 473 "Camellia-256", | 504 "Camellia-256", |
| 474 "SEED-CBC", | 505 "SEED-CBC", |
| 506 "AES-128-GCM", |
| 475 "missing" | 507 "missing" |
| 476 }; | 508 }; |
| 477 | 509 |
| 478 #ifdef NSS_ENABLE_ECC | 510 #ifdef NSS_ENABLE_ECC |
| 479 /* The ECCWrappedKeyInfo structure defines how various pieces of | 511 /* The ECCWrappedKeyInfo structure defines how various pieces of |
| 480 * information are laid out within wrappedSymmetricWrappingkey | 512 * information are laid out within wrappedSymmetricWrappingkey |
| 481 * for ECDH key exchange. Since wrappedSymmetricWrappingkey is | 513 * for ECDH key exchange. Since wrappedSymmetricWrappingkey is |
| 482 * a 512-byte buffer (see sslimpl.h), the variable length field | 514 * a 512-byte buffer (see sslimpl.h), the variable length field |
| 483 * in ECCWrappedKeyInfo can be at most (512 - 8) = 504 bytes. | 515 * in ECCWrappedKeyInfo can be at most (512 - 8) = 504 bytes. |
| 484 * | 516 * |
| (...skipping 106 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 591 * SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA: never implemented | 623 * SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA: never implemented |
| 592 * SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA: never implemented | 624 * SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA: never implemented |
| 593 * SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA: never implemented | 625 * SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA: never implemented |
| 594 * SSL_DH_ANON_EXPORT_WITH_RC4_40_MD5: never implemented | 626 * SSL_DH_ANON_EXPORT_WITH_RC4_40_MD5: never implemented |
| 595 * SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA: never implemented | 627 * SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA: never implemented |
| 596 */ | 628 */ |
| 597 return version <= SSL_LIBRARY_VERSION_TLS_1_0; | 629 return version <= SSL_LIBRARY_VERSION_TLS_1_0; |
| 598 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: | 630 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: |
| 599 case TLS_RSA_WITH_AES_256_CBC_SHA256: | 631 case TLS_RSA_WITH_AES_256_CBC_SHA256: |
| 600 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: | 632 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: |
| 633 case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: |
| 601 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: | 634 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: |
| 635 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: |
| 602 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: | 636 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: |
| 637 case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: |
| 603 case TLS_RSA_WITH_AES_128_CBC_SHA256: | 638 case TLS_RSA_WITH_AES_128_CBC_SHA256: |
| 639 case TLS_RSA_WITH_AES_128_GCM_SHA256: |
| 604 case TLS_RSA_WITH_NULL_SHA256: | 640 case TLS_RSA_WITH_NULL_SHA256: |
| 605 return version >= SSL_LIBRARY_VERSION_TLS_1_2; | 641 return version >= SSL_LIBRARY_VERSION_TLS_1_2; |
| 606 default: | 642 default: |
| 607 return PR_TRUE; | 643 return PR_TRUE; |
| 608 } | 644 } |
| 609 } | 645 } |
| 610 | 646 |
| 611 /* return pointer to ssl3CipherSuiteDef for suite, or NULL */ | 647 /* return pointer to ssl3CipherSuiteDef for suite, or NULL */ |
| 612 /* XXX This does a linear search. A binary search would be better. */ | 648 /* XXX This does a linear search. A binary search would be better. */ |
| 613 static const ssl3CipherSuiteDef * | 649 static const ssl3CipherSuiteDef * |
| (...skipping 739 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1353 if (IS_DTLS(ss)) { | 1389 if (IS_DTLS(ss)) { |
| 1354 /* Double-check that we did not pick an RC4 suite */ | 1390 /* Double-check that we did not pick an RC4 suite */ |
| 1355 PORT_Assert((suite_def->bulk_cipher_alg != cipher_rc4) && | 1391 PORT_Assert((suite_def->bulk_cipher_alg != cipher_rc4) && |
| 1356 (suite_def->bulk_cipher_alg != cipher_rc4_40) && | 1392 (suite_def->bulk_cipher_alg != cipher_rc4_40) && |
| 1357 (suite_def->bulk_cipher_alg != cipher_rc4_56)); | 1393 (suite_def->bulk_cipher_alg != cipher_rc4_56)); |
| 1358 } | 1394 } |
| 1359 | 1395 |
| 1360 cipher = suite_def->bulk_cipher_alg; | 1396 cipher = suite_def->bulk_cipher_alg; |
| 1361 kea = suite_def->key_exchange_alg; | 1397 kea = suite_def->key_exchange_alg; |
| 1362 mac = suite_def->mac_alg; | 1398 mac = suite_def->mac_alg; |
| 1363 if (mac <= ssl_mac_sha && isTLS) | 1399 if (mac <= ssl_mac_sha && mac != ssl_mac_null && isTLS) |
| 1364 mac += 2; | 1400 mac += 2; |
| 1365 | 1401 |
| 1366 ss->ssl3.hs.suite_def = suite_def; | 1402 ss->ssl3.hs.suite_def = suite_def; |
| 1367 ss->ssl3.hs.kea_def = &kea_defs[kea]; | 1403 ss->ssl3.hs.kea_def = &kea_defs[kea]; |
| 1368 PORT_Assert(ss->ssl3.hs.kea_def->kea == kea); | 1404 PORT_Assert(ss->ssl3.hs.kea_def->kea == kea); |
| 1369 | 1405 |
| 1370 pwSpec->cipher_def = &bulk_cipher_defs[cipher]; | 1406 pwSpec->cipher_def = &bulk_cipher_defs[cipher]; |
| 1371 PORT_Assert(pwSpec->cipher_def->cipher == cipher); | 1407 PORT_Assert(pwSpec->cipher_def->cipher == cipher); |
| 1372 | 1408 |
| 1373 pwSpec->mac_def = &mac_defs[mac]; | 1409 pwSpec->mac_def = &mac_defs[mac]; |
| (...skipping 173 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1547 ssl3CipherSpec * pwSpec; | 1583 ssl3CipherSpec * pwSpec; |
| 1548 const ssl3BulkCipherDef *cipher_def; | 1584 const ssl3BulkCipherDef *cipher_def; |
| 1549 void * serverContext = NULL; | 1585 void * serverContext = NULL; |
| 1550 void * clientContext = NULL; | 1586 void * clientContext = NULL; |
| 1551 BLapiInitContextFunc initFn = (BLapiInitContextFunc)NULL; | 1587 BLapiInitContextFunc initFn = (BLapiInitContextFunc)NULL; |
| 1552 int mode = 0; | 1588 int mode = 0; |
| 1553 unsigned int optArg1 = 0; | 1589 unsigned int optArg1 = 0; |
| 1554 unsigned int optArg2 = 0; | 1590 unsigned int optArg2 = 0; |
| 1555 PRBool server_encrypts = ss->sec.isServer; | 1591 PRBool server_encrypts = ss->sec.isServer; |
| 1556 SSLCipherAlgorithm calg; | 1592 SSLCipherAlgorithm calg; |
| 1557 SSLCompressionMethod compression_method; | |
| 1558 SECStatus rv; | 1593 SECStatus rv; |
| 1559 | 1594 |
| 1560 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 1595 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| 1561 PORT_Assert(ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); | 1596 PORT_Assert(ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); |
| 1562 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); | 1597 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); |
| 1563 | 1598 |
| 1564 pwSpec = ss->ssl3.pwSpec; | 1599 pwSpec = ss->ssl3.pwSpec; |
| 1565 cipher_def = pwSpec->cipher_def; | 1600 cipher_def = pwSpec->cipher_def; |
| 1566 | 1601 |
| 1567 calg = cipher_def->calg; | 1602 calg = cipher_def->calg; |
| 1568 compression_method = pwSpec->compression_method; | 1603 |
| 1604 if (calg == calg_aes_gcm) { |
| 1605 » pwSpec->encode = NULL; |
| 1606 » pwSpec->decode = NULL; |
| 1607 » pwSpec->destroy = NULL; |
| 1608 » pwSpec->encodeContext = NULL; |
| 1609 » pwSpec->decodeContext = NULL; |
| 1610 » pwSpec->aead = ssl3_AESGCMBypass; |
| 1611 » ssl3_InitCompressionContext(pwSpec); |
| 1612 » return SECSuccess; |
| 1613 } |
| 1569 | 1614 |
| 1570 serverContext = pwSpec->server.cipher_context; | 1615 serverContext = pwSpec->server.cipher_context; |
| 1571 clientContext = pwSpec->client.cipher_context; | 1616 clientContext = pwSpec->client.cipher_context; |
| 1572 | 1617 |
| 1573 switch (calg) { | 1618 switch (calg) { |
| 1574 case ssl_calg_null: | 1619 case ssl_calg_null: |
| 1575 pwSpec->encode = Null_Cipher; | 1620 pwSpec->encode = Null_Cipher; |
| 1576 pwSpec->decode = Null_Cipher; | 1621 pwSpec->decode = Null_Cipher; |
| 1577 pwSpec->destroy = NULL; | 1622 pwSpec->destroy = NULL; |
| 1578 goto success; | 1623 goto success; |
| (...skipping 135 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1714 case CKM_RC2_MAC: | 1759 case CKM_RC2_MAC: |
| 1715 case CKM_RC2_MAC_GENERAL: | 1760 case CKM_RC2_MAC_GENERAL: |
| 1716 case CKM_RC2_CBC_PAD: | 1761 case CKM_RC2_CBC_PAD: |
| 1717 *(CK_RC2_PARAMS *)param->data = ulEffectiveBits; | 1762 *(CK_RC2_PARAMS *)param->data = ulEffectiveBits; |
| 1718 default: break; | 1763 default: break; |
| 1719 } | 1764 } |
| 1720 } | 1765 } |
| 1721 return param; | 1766 return param; |
| 1722 } | 1767 } |
| 1723 | 1768 |
| 1769 /* ssl3_BuildRecordPseudoHeader writes the TLS pseudo-header (the data which |
| 1770 * is included in the MAC) to |out| and returns its length. */ |
| 1771 static unsigned int |
| 1772 ssl3_BuildRecordPseudoHeader(unsigned char *out, |
| 1773 SSL3SequenceNumber seq_num, |
| 1774 SSL3ContentType type, |
| 1775 PRBool includesVersion, |
| 1776 SSL3ProtocolVersion version, |
| 1777 PRBool isDTLS, |
| 1778 int length) |
| 1779 { |
| 1780 out[0] = (unsigned char)(seq_num.high >> 24); |
| 1781 out[1] = (unsigned char)(seq_num.high >> 16); |
| 1782 out[2] = (unsigned char)(seq_num.high >> 8); |
| 1783 out[3] = (unsigned char)(seq_num.high >> 0); |
| 1784 out[4] = (unsigned char)(seq_num.low >> 24); |
| 1785 out[5] = (unsigned char)(seq_num.low >> 16); |
| 1786 out[6] = (unsigned char)(seq_num.low >> 8); |
| 1787 out[7] = (unsigned char)(seq_num.low >> 0); |
| 1788 out[8] = type; |
| 1789 |
| 1790 /* SSL3 MAC doesn't include the record's version field. */ |
| 1791 if (!includesVersion) { |
| 1792 out[9] = MSB(length); |
| 1793 out[10] = LSB(length); |
| 1794 return 11; |
| 1795 } |
| 1796 |
| 1797 /* TLS MAC and AEAD additional data include version. */ |
| 1798 if (isDTLS) { |
| 1799 SSL3ProtocolVersion dtls_version; |
| 1800 |
| 1801 dtls_version = dtls_TLSVersionToDTLSVersion(version); |
| 1802 out[9] = MSB(dtls_version); |
| 1803 out[10] = LSB(dtls_version); |
| 1804 } else { |
| 1805 out[9] = MSB(version); |
| 1806 out[10] = LSB(version); |
| 1807 } |
| 1808 out[11] = MSB(length); |
| 1809 out[12] = LSB(length); |
| 1810 return 13; |
| 1811 } |
| 1812 |
| 1813 typedef SECStatus (*PK11CryptFcn)( |
| 1814 PK11SymKey *symKey, CK_MECHANISM_TYPE mechanism, SECItem *param, |
| 1815 unsigned char *out, unsigned int *outLen, unsigned int maxLen, |
| 1816 const unsigned char *in, unsigned int inLen); |
| 1817 |
| 1818 static PK11CryptFcn pk11_encrypt = NULL; |
| 1819 static PK11CryptFcn pk11_decrypt = NULL; |
| 1820 |
| 1821 static PRCallOnceType resolvePK11CryptOnce; |
| 1822 |
| 1823 static PRStatus |
| 1824 ssl3_ResolvePK11CryptFunctions(void) |
| 1825 { |
| 1826 #ifdef LINUX |
| 1827 /* On Linux we use the system NSS libraries. Look up the PK11_Encrypt and |
| 1828 * PK11_Decrypt functions at run time. */ |
| 1829 void *handle = dlopen(NULL, RTLD_LAZY); |
| 1830 if (!handle) { |
| 1831 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
| 1832 return PR_FAILURE; |
| 1833 } |
| 1834 pk11_encrypt = (PK11CryptFcn)dlsym(handle, "PK11_Encrypt"); |
| 1835 pk11_decrypt = (PK11CryptFcn)dlsym(handle, "PK11_Decrypt"); |
| 1836 dlclose(handle); |
| 1837 return PR_SUCCESS; |
| 1838 #else |
| 1839 /* On other platforms we use our own copy of NSS. PK11_Encrypt and |
| 1840 * PK11_Decrypt are known to be available. */ |
| 1841 pk11_encrypt = PK11_Encrypt; |
| 1842 pk11_decrypt = PK11_Decrypt; |
| 1843 return PR_SUCCESS; |
| 1844 #endif |
| 1845 } |
| 1846 |
| 1847 /* |
| 1848 * In NSS 3.15, PK11_Encrypt and PK11_Decrypt were added to provide access |
| 1849 * to the AES GCM implementation in the NSS softoken. So the presence of |
| 1850 * these two functions implies the NSS version supports AES GCM. |
| 1851 */ |
| 1852 static PRBool |
| 1853 ssl3_HasGCMSupport(void) |
| 1854 { |
| 1855 (void)PR_CallOnce(&resolvePK11CryptOnce, ssl3_ResolvePK11CryptFunctions); |
| 1856 return pk11_encrypt != NULL; |
| 1857 } |
| 1858 |
| 1859 /* On this socket, disable the GCM cipher suites */ |
| 1860 SECStatus |
| 1861 ssl3_DisableGCMSuites(sslSocket * ss) |
| 1862 { |
| 1863 unsigned int i; |
| 1864 |
| 1865 for (i = 0; i < PR_ARRAY_SIZE(cipher_suite_defs); i++) { |
| 1866 const ssl3CipherSuiteDef *cipher_def = &cipher_suite_defs[i]; |
| 1867 if (cipher_def->bulk_cipher_alg == cipher_aes_128_gcm) { |
| 1868 SECStatus rv = ssl3_CipherPrefSet(ss, cipher_def->cipher_suite, |
| 1869 PR_FALSE); |
| 1870 PORT_Assert(rv == SECSuccess); /* else is coding error */ |
| 1871 } |
| 1872 } |
| 1873 return SECSuccess; |
| 1874 } |
| 1875 |
| 1876 static SECStatus |
| 1877 ssl3_AESGCM(ssl3KeyMaterial *keys, |
| 1878 PRBool doDecrypt, |
| 1879 unsigned char *out, |
| 1880 int *outlen, |
| 1881 int maxout, |
| 1882 const unsigned char *in, |
| 1883 int inlen, |
| 1884 SSL3ContentType type, |
| 1885 SSL3ProtocolVersion version, |
| 1886 SSL3SequenceNumber seq_num) |
| 1887 { |
| 1888 SECItem param; |
| 1889 SECStatus rv = SECFailure; |
| 1890 unsigned char nonce[12]; |
| 1891 unsigned char additionalData[13]; |
| 1892 unsigned int additionalDataLen; |
| 1893 unsigned int uOutLen; |
| 1894 CK_GCM_PARAMS gcmParams; |
| 1895 |
| 1896 static const int tagSize = 16; |
| 1897 static const int explicitNonceLen = 8; |
| 1898 |
| 1899 /* See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the |
| 1900 * definition of the AEAD additional data. */ |
| 1901 additionalDataLen = ssl3_BuildRecordPseudoHeader( |
| 1902 additionalData, seq_num, type, PR_TRUE /* includes version */, |
| 1903 version, PR_FALSE /* not DTLS */, |
| 1904 inlen - (doDecrypt ? explicitNonceLen + tagSize : 0)); |
| 1905 PORT_Assert(additionalDataLen <= sizeof(additionalData)); |
| 1906 |
| 1907 /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the |
| 1908 * nonce is formed. */ |
| 1909 memcpy(nonce, keys->write_iv, 4); |
| 1910 if (doDecrypt) { |
| 1911 memcpy(nonce + 4, in, explicitNonceLen); |
| 1912 in += explicitNonceLen; |
| 1913 inlen -= explicitNonceLen; |
| 1914 *outlen = 0; |
| 1915 } else { |
| 1916 if (maxout < explicitNonceLen) { |
| 1917 PORT_SetError(SEC_ERROR_INPUT_LEN); |
| 1918 return SECFailure; |
| 1919 } |
| 1920 /* Use the 64-bit sequence number as the explicit nonce. */ |
| 1921 memcpy(nonce + 4, additionalData, explicitNonceLen); |
| 1922 memcpy(out, additionalData, explicitNonceLen); |
| 1923 out += explicitNonceLen; |
| 1924 maxout -= explicitNonceLen; |
| 1925 *outlen = explicitNonceLen; |
| 1926 } |
| 1927 |
| 1928 param.type = siBuffer; |
| 1929 param.data = (unsigned char *) &gcmParams; |
| 1930 param.len = sizeof(gcmParams); |
| 1931 gcmParams.pIv = nonce; |
| 1932 gcmParams.ulIvLen = sizeof(nonce); |
| 1933 gcmParams.pAAD = additionalData; |
| 1934 gcmParams.ulAADLen = additionalDataLen; |
| 1935 gcmParams.ulTagBits = tagSize * 8; |
| 1936 |
| 1937 if (doDecrypt) { |
| 1938 rv = pk11_decrypt(keys->write_key, CKM_AES_GCM, ¶m, out, &uOutLen, |
| 1939 maxout, in, inlen); |
| 1940 } else { |
| 1941 rv = pk11_encrypt(keys->write_key, CKM_AES_GCM, ¶m, out, &uOutLen, |
| 1942 maxout, in, inlen); |
| 1943 } |
| 1944 *outlen += (int) uOutLen; |
| 1945 |
| 1946 return rv; |
| 1947 } |
| 1948 |
| 1949 #ifndef NO_PKCS11_BYPASS |
| 1950 static SECStatus |
| 1951 ssl3_AESGCMBypass(ssl3KeyMaterial *keys, |
| 1952 PRBool doDecrypt, |
| 1953 unsigned char *out, |
| 1954 int *outlen, |
| 1955 int maxout, |
| 1956 const unsigned char *in, |
| 1957 int inlen, |
| 1958 SSL3ContentType type, |
| 1959 SSL3ProtocolVersion version, |
| 1960 SSL3SequenceNumber seq_num) |
| 1961 { |
| 1962 SECStatus rv = SECFailure; |
| 1963 unsigned char nonce[12]; |
| 1964 unsigned char additionalData[13]; |
| 1965 unsigned int additionalDataLen; |
| 1966 unsigned int uOutLen; |
| 1967 AESContext *cx; |
| 1968 CK_GCM_PARAMS gcmParams; |
| 1969 |
| 1970 static const int tagSize = 16; |
| 1971 static const int explicitNonceLen = 8; |
| 1972 |
| 1973 /* See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the |
| 1974 * definition of the AEAD additional data. */ |
| 1975 additionalDataLen = ssl3_BuildRecordPseudoHeader( |
| 1976 additionalData, seq_num, type, PR_TRUE /* includes version */, |
| 1977 version, PR_FALSE /* not DTLS */, |
| 1978 inlen - (doDecrypt ? explicitNonceLen + tagSize : 0)); |
| 1979 PORT_Assert(additionalDataLen <= sizeof(additionalData)); |
| 1980 |
| 1981 /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the |
| 1982 * nonce is formed. */ |
| 1983 PORT_Assert(keys->write_iv_item.len == 4); |
| 1984 if (keys->write_iv_item.len != 4) { |
| 1985 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
| 1986 return SECFailure; |
| 1987 } |
| 1988 memcpy(nonce, keys->write_iv_item.data, 4); |
| 1989 if (doDecrypt) { |
| 1990 memcpy(nonce + 4, in, explicitNonceLen); |
| 1991 in += explicitNonceLen; |
| 1992 inlen -= explicitNonceLen; |
| 1993 *outlen = 0; |
| 1994 } else { |
| 1995 if (maxout < explicitNonceLen) { |
| 1996 PORT_SetError(SEC_ERROR_INPUT_LEN); |
| 1997 return SECFailure; |
| 1998 } |
| 1999 /* Use the 64-bit sequence number as the explicit nonce. */ |
| 2000 memcpy(nonce + 4, additionalData, explicitNonceLen); |
| 2001 memcpy(out, additionalData, explicitNonceLen); |
| 2002 out += explicitNonceLen; |
| 2003 maxout -= explicitNonceLen; |
| 2004 *outlen = explicitNonceLen; |
| 2005 } |
| 2006 |
| 2007 gcmParams.pIv = nonce; |
| 2008 gcmParams.ulIvLen = sizeof(nonce); |
| 2009 gcmParams.pAAD = additionalData; |
| 2010 gcmParams.ulAADLen = additionalDataLen; |
| 2011 gcmParams.ulTagBits = tagSize * 8; |
| 2012 |
| 2013 cx = (AESContext *)keys->cipher_context; |
| 2014 rv = AES_InitContext(cx, keys->write_key_item.data, |
| 2015 keys->write_key_item.len, |
| 2016 (unsigned char *)&gcmParams, NSS_AES_GCM, !doDecrypt, |
| 2017 AES_BLOCK_SIZE); |
| 2018 if (rv != SECSuccess) { |
| 2019 return rv; |
| 2020 } |
| 2021 if (doDecrypt) { |
| 2022 rv = AES_Decrypt(cx, out, &uOutLen, maxout, in, inlen); |
| 2023 } else { |
| 2024 rv = AES_Encrypt(cx, out, &uOutLen, maxout, in, inlen); |
| 2025 } |
| 2026 AES_DestroyContext(cx, PR_FALSE); |
| 2027 *outlen += (int) uOutLen; |
| 2028 |
| 2029 return rv; |
| 2030 } |
| 2031 #endif |
| 2032 |
| 1724 /* Initialize encryption and MAC contexts for pending spec. | 2033 /* Initialize encryption and MAC contexts for pending spec. |
| 1725 * Master Secret already is derived. | 2034 * Master Secret already is derived. |
| 1726 * Caller holds Spec write lock. | 2035 * Caller holds Spec write lock. |
| 1727 */ | 2036 */ |
| 1728 static SECStatus | 2037 static SECStatus |
| 1729 ssl3_InitPendingContextsPKCS11(sslSocket *ss) | 2038 ssl3_InitPendingContextsPKCS11(sslSocket *ss) |
| 1730 { | 2039 { |
| 1731 ssl3CipherSpec * pwSpec; | 2040 ssl3CipherSpec * pwSpec; |
| 1732 const ssl3BulkCipherDef *cipher_def; | 2041 const ssl3BulkCipherDef *cipher_def; |
| 1733 PK11Context * serverContext = NULL; | 2042 PK11Context * serverContext = NULL; |
| 1734 PK11Context * clientContext = NULL; | 2043 PK11Context * clientContext = NULL; |
| 1735 SECItem * param; | 2044 SECItem * param; |
| 1736 CK_MECHANISM_TYPE mechanism; | 2045 CK_MECHANISM_TYPE mechanism; |
| 1737 CK_MECHANISM_TYPE mac_mech; | 2046 CK_MECHANISM_TYPE mac_mech; |
| 1738 CK_ULONG macLength; | 2047 CK_ULONG macLength; |
| 1739 CK_ULONG effKeyBits; | 2048 CK_ULONG effKeyBits; |
| 1740 SECItem iv; | 2049 SECItem iv; |
| 1741 SECItem mac_param; | 2050 SECItem mac_param; |
| 1742 SSLCipherAlgorithm calg; | 2051 SSLCipherAlgorithm calg; |
| 1743 | 2052 |
| 1744 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 2053 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| 1745 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); | 2054 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); |
| 1746 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); | 2055 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); |
| 1747 | 2056 |
| 1748 pwSpec = ss->ssl3.pwSpec; | 2057 pwSpec = ss->ssl3.pwSpec; |
| 1749 cipher_def = pwSpec->cipher_def; | 2058 cipher_def = pwSpec->cipher_def; |
| 1750 macLength = pwSpec->mac_size; | 2059 macLength = pwSpec->mac_size; |
| 2060 calg = cipher_def->calg; |
| 2061 PORT_Assert(alg2Mech[calg].calg == calg); |
| 2062 |
| 2063 pwSpec->client.write_mac_context = NULL; |
| 2064 pwSpec->server.write_mac_context = NULL; |
| 2065 |
| 2066 if (calg == calg_aes_gcm) { |
| 2067 pwSpec->encode = NULL; |
| 2068 pwSpec->decode = NULL; |
| 2069 pwSpec->destroy = NULL; |
| 2070 pwSpec->encodeContext = NULL; |
| 2071 pwSpec->decodeContext = NULL; |
| 2072 pwSpec->aead = ssl3_AESGCM; |
| 2073 return SECSuccess; |
| 2074 } |
| 1751 | 2075 |
| 1752 /* | 2076 /* |
| 1753 ** Now setup the MAC contexts, | 2077 ** Now setup the MAC contexts, |
| 1754 ** crypto contexts are setup below. | 2078 ** crypto contexts are setup below. |
| 1755 */ | 2079 */ |
| 1756 | 2080 |
| 1757 pwSpec->client.write_mac_context = NULL; | |
| 1758 pwSpec->server.write_mac_context = NULL; | |
| 1759 mac_mech = pwSpec->mac_def->mmech; | 2081 mac_mech = pwSpec->mac_def->mmech; |
| 1760 mac_param.data = (unsigned char *)&macLength; | 2082 mac_param.data = (unsigned char *)&macLength; |
| 1761 mac_param.len = sizeof(macLength); | 2083 mac_param.len = sizeof(macLength); |
| 1762 mac_param.type = 0; | 2084 mac_param.type = 0; |
| 1763 | 2085 |
| 1764 pwSpec->client.write_mac_context = PK11_CreateContextBySymKey( | 2086 pwSpec->client.write_mac_context = PK11_CreateContextBySymKey( |
| 1765 mac_mech, CKA_SIGN, pwSpec->client.write_mac_key, &mac_param); | 2087 mac_mech, CKA_SIGN, pwSpec->client.write_mac_key, &mac_param); |
| 1766 if (pwSpec->client.write_mac_context == NULL) { | 2088 if (pwSpec->client.write_mac_context == NULL) { |
| 1767 ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE); | 2089 ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE); |
| 1768 goto fail; | 2090 goto fail; |
| 1769 } | 2091 } |
| 1770 pwSpec->server.write_mac_context = PK11_CreateContextBySymKey( | 2092 pwSpec->server.write_mac_context = PK11_CreateContextBySymKey( |
| 1771 mac_mech, CKA_SIGN, pwSpec->server.write_mac_key, &mac_param); | 2093 mac_mech, CKA_SIGN, pwSpec->server.write_mac_key, &mac_param); |
| 1772 if (pwSpec->server.write_mac_context == NULL) { | 2094 if (pwSpec->server.write_mac_context == NULL) { |
| 1773 ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE); | 2095 ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE); |
| 1774 goto fail; | 2096 goto fail; |
| 1775 } | 2097 } |
| 1776 | 2098 |
| 1777 /* | 2099 /* |
| 1778 ** Now setup the crypto contexts. | 2100 ** Now setup the crypto contexts. |
| 1779 */ | 2101 */ |
| 1780 | 2102 |
| 1781 calg = cipher_def->calg; | |
| 1782 PORT_Assert(alg2Mech[calg].calg == calg); | |
| 1783 | |
| 1784 if (calg == calg_null) { | 2103 if (calg == calg_null) { |
| 1785 pwSpec->encode = Null_Cipher; | 2104 pwSpec->encode = Null_Cipher; |
| 1786 pwSpec->decode = Null_Cipher; | 2105 pwSpec->decode = Null_Cipher; |
| 1787 pwSpec->destroy = NULL; | 2106 pwSpec->destroy = NULL; |
| 1788 return SECSuccess; | 2107 return SECSuccess; |
| 1789 } | 2108 } |
| 1790 mechanism = alg2Mech[calg].cmech; | 2109 mechanism = alg2Mech[calg].cmech; |
| 1791 effKeyBits = cipher_def->key_size * BPB; | 2110 effKeyBits = cipher_def->key_size * BPB; |
| 1792 | 2111 |
| 1793 /* | 2112 /* |
| (...skipping 198 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1992 SSL3ContentType type, | 2311 SSL3ContentType type, |
| 1993 SSL3ProtocolVersion version, | 2312 SSL3ProtocolVersion version, |
| 1994 SSL3SequenceNumber seq_num, | 2313 SSL3SequenceNumber seq_num, |
| 1995 const SSL3Opaque * input, | 2314 const SSL3Opaque * input, |
| 1996 int inputLength, | 2315 int inputLength, |
| 1997 unsigned char * outbuf, | 2316 unsigned char * outbuf, |
| 1998 unsigned int * outLength) | 2317 unsigned int * outLength) |
| 1999 { | 2318 { |
| 2000 const ssl3MACDef * mac_def; | 2319 const ssl3MACDef * mac_def; |
| 2001 SECStatus rv; | 2320 SECStatus rv; |
| 2002 #ifndef NO_PKCS11_BYPASS | |
| 2003 PRBool isTLS; | 2321 PRBool isTLS; |
| 2004 #endif | |
| 2005 unsigned int tempLen; | 2322 unsigned int tempLen; |
| 2006 unsigned char temp[MAX_MAC_LENGTH]; | 2323 unsigned char temp[MAX_MAC_LENGTH]; |
| 2007 | 2324 |
| 2008 temp[0] = (unsigned char)(seq_num.high >> 24); | |
| 2009 temp[1] = (unsigned char)(seq_num.high >> 16); | |
| 2010 temp[2] = (unsigned char)(seq_num.high >> 8); | |
| 2011 temp[3] = (unsigned char)(seq_num.high >> 0); | |
| 2012 temp[4] = (unsigned char)(seq_num.low >> 24); | |
| 2013 temp[5] = (unsigned char)(seq_num.low >> 16); | |
| 2014 temp[6] = (unsigned char)(seq_num.low >> 8); | |
| 2015 temp[7] = (unsigned char)(seq_num.low >> 0); | |
| 2016 temp[8] = type; | |
| 2017 | |
| 2018 /* TLS MAC includes the record's version field, SSL's doesn't. | 2325 /* TLS MAC includes the record's version field, SSL's doesn't. |
| 2019 ** We decide which MAC defintiion to use based on the version of | 2326 ** We decide which MAC defintiion to use based on the version of |
| 2020 ** the protocol that was negotiated when the spec became current, | 2327 ** the protocol that was negotiated when the spec became current, |
| 2021 ** NOT based on the version value in the record itself. | 2328 ** NOT based on the version value in the record itself. |
| 2022 ** But, we use the record'v version value in the computation. | 2329 ** But, we use the record's version value in the computation. |
| 2023 */ | 2330 */ |
| 2024 if (spec->version <= SSL_LIBRARY_VERSION_3_0) { | 2331 isTLS = spec->version > SSL_LIBRARY_VERSION_3_0; |
| 2025 » temp[9] = MSB(inputLength); | 2332 tempLen = ssl3_BuildRecordPseudoHeader(temp, seq_num, type, isTLS, |
| 2026 » temp[10] = LSB(inputLength); | 2333 » » » » » version, isDTLS, inputLength); |
| 2027 » tempLen = 11; | 2334 PORT_Assert(tempLen <= sizeof(temp)); |
| 2028 #ifndef NO_PKCS11_BYPASS | |
| 2029 » isTLS = PR_FALSE; | |
| 2030 #endif | |
| 2031 } else { | |
| 2032 » /* New TLS hash includes version. */ | |
| 2033 » if (isDTLS) { | |
| 2034 » SSL3ProtocolVersion dtls_version; | |
| 2035 | |
| 2036 » dtls_version = dtls_TLSVersionToDTLSVersion(version); | |
| 2037 » temp[9] = MSB(dtls_version); | |
| 2038 » temp[10] = LSB(dtls_version); | |
| 2039 } else { | |
| 2040 » temp[9] = MSB(version); | |
| 2041 » temp[10] = LSB(version); | |
| 2042 } | |
| 2043 » temp[11] = MSB(inputLength); | |
| 2044 » temp[12] = LSB(inputLength); | |
| 2045 » tempLen = 13; | |
| 2046 #ifndef NO_PKCS11_BYPASS | |
| 2047 » isTLS = PR_TRUE; | |
| 2048 #endif | |
| 2049 } | |
| 2050 | 2335 |
| 2051 PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen)); | 2336 PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen)); |
| 2052 PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength)); | 2337 PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength)); |
| 2053 | 2338 |
| 2054 mac_def = spec->mac_def; | 2339 mac_def = spec->mac_def; |
| 2055 if (mac_def->mac == mac_null) { | 2340 if (mac_def->mac == mac_null) { |
| 2056 *outLength = 0; | 2341 *outLength = 0; |
| 2057 return SECSuccess; | 2342 return SECSuccess; |
| 2058 } | 2343 } |
| 2059 #ifndef NO_PKCS11_BYPASS | 2344 #ifndef NO_PKCS11_BYPASS |
| (...skipping 323 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2383 rv = cwSpec->compressor( | 2668 rv = cwSpec->compressor( |
| 2384 cwSpec->compressContext, | 2669 cwSpec->compressContext, |
| 2385 wrBuf->buf + headerLen + ivLen, &outlen, | 2670 wrBuf->buf + headerLen + ivLen, &outlen, |
| 2386 wrBuf->space - headerLen - ivLen, pIn, contentLen); | 2671 wrBuf->space - headerLen - ivLen, pIn, contentLen); |
| 2387 if (rv != SECSuccess) | 2672 if (rv != SECSuccess) |
| 2388 return rv; | 2673 return rv; |
| 2389 pIn = wrBuf->buf + headerLen + ivLen; | 2674 pIn = wrBuf->buf + headerLen + ivLen; |
| 2390 contentLen = outlen; | 2675 contentLen = outlen; |
| 2391 } | 2676 } |
| 2392 | 2677 |
| 2393 /* | 2678 if (cipher_def->type == type_aead) { |
| 2394 * Add the MAC | 2679 » const int nonceLen = cipher_def->explicit_nonce_size; |
| 2395 */ | 2680 » const int tagLen = cipher_def->tag_size; |
| 2396 rv = ssl3_ComputeRecordMAC( cwSpec, isServer, isDTLS, | |
| 2397 » type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen, | |
| 2398 » wrBuf->buf + headerLen + ivLen + contentLen, &macLen); | |
| 2399 if (rv != SECSuccess) { | |
| 2400 » ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); | |
| 2401 » return SECFailure; | |
| 2402 } | |
| 2403 p1Len = contentLen; | |
| 2404 p2Len = macLen; | |
| 2405 fragLen = contentLen + macLen;» /* needs to be encrypted */ | |
| 2406 PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024); | |
| 2407 | 2681 |
| 2408 /* | 2682 » if (headerLen + nonceLen + contentLen + tagLen > wrBuf->space) { |
| 2409 * Pad the text (if we're doing a block cipher) | 2683 » PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
| 2410 * then Encrypt it | 2684 » return SECFailure; |
| 2411 */ | 2685 » } |
| 2412 if (cipher_def->type == type_block) { | |
| 2413 » unsigned char * pBuf; | |
| 2414 » int padding_length; | |
| 2415 » int i; | |
| 2416 | 2686 |
| 2417 » oddLen = contentLen % cipher_def->block_size; | 2687 » cipherBytes = contentLen; |
| 2418 » /* Assume blockSize is a power of two */ | 2688 » rv = cwSpec->aead( |
| 2419 » padding_length = cipher_def->block_size - 1 - | 2689 » » isServer ? &cwSpec->server : &cwSpec->client, |
| 2420 » » » ((fragLen) & (cipher_def->block_size - 1)); | 2690 » » PR_FALSE, /* do encrypt */ |
| 2421 » fragLen += padding_length + 1; | 2691 » » wrBuf->buf + headerLen, /* output */ |
| 2422 » PORT_Assert((fragLen % cipher_def->block_size) == 0); | 2692 » » &cipherBytes, /* out len */ |
| 2423 | 2693 » » wrBuf->space - headerLen, /* max out */ |
| 2424 » /* Pad according to TLS rules (also acceptable to SSL3). */ | 2694 » » pIn, contentLen, /* input */ |
| 2425 » pBuf = &wrBuf->buf[headerLen + ivLen + fragLen - 1]; | 2695 » » type, cwSpec->version, cwSpec->write_seq_num); |
| 2426 » for (i = padding_length + 1; i > 0; --i) { | 2696 » if (rv != SECSuccess) { |
| 2427 » *pBuf-- = padding_length; | |
| 2428 » } | |
| 2429 » /* now, if contentLen is not a multiple of block size, fix it */ | |
| 2430 » p2Len = fragLen - p1Len; | |
| 2431 } | |
| 2432 if (p1Len < 256) { | |
| 2433 » oddLen = p1Len; | |
| 2434 » p1Len = 0; | |
| 2435 } else { | |
| 2436 » p1Len -= oddLen; | |
| 2437 } | |
| 2438 if (oddLen) { | |
| 2439 » p2Len += oddLen; | |
| 2440 » PORT_Assert( (cipher_def->block_size < 2) || \ | |
| 2441 » » (p2Len % cipher_def->block_size) == 0); | |
| 2442 » memmove(wrBuf->buf + headerLen + ivLen + p1Len, pIn + p1Len, oddLen); | |
| 2443 } | |
| 2444 if (p1Len > 0) { | |
| 2445 » int cipherBytesPart1 = -1; | |
| 2446 » rv = cwSpec->encode( cwSpec->encodeContext, | |
| 2447 » wrBuf->buf + headerLen + ivLen, /* output */ | |
| 2448 » &cipherBytesPart1, /* actual outlen */ | |
| 2449 » p1Len, /* max outlen */ | |
| 2450 » pIn, p1Len); /* input, and inputlen */ | |
| 2451 » PORT_Assert(rv == SECSuccess && cipherBytesPart1 == (int) p1Len); | |
| 2452 » if (rv != SECSuccess || cipherBytesPart1 != (int) p1Len) { | |
| 2453 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); | 2697 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); |
| 2454 return SECFailure; | 2698 return SECFailure; |
| 2455 } | 2699 } |
| 2456 » cipherBytes += cipherBytesPart1; | 2700 } else { |
| 2457 } | 2701 » /* |
| 2458 if (p2Len > 0) { | 2702 » * Add the MAC |
| 2459 » int cipherBytesPart2 = -1; | 2703 » */ |
| 2460 » rv = cwSpec->encode( cwSpec->encodeContext, | 2704 » rv = ssl3_ComputeRecordMAC( cwSpec, isServer, isDTLS, |
| 2461 » wrBuf->buf + headerLen + ivLen + p1Len, | 2705 » type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen, |
| 2462 » &cipherBytesPart2, /* output and actual outLen */ | 2706 » wrBuf->buf + headerLen + ivLen + contentLen, &macLen); |
| 2463 » p2Len, /* max outlen */ | 2707 » if (rv != SECSuccess) { |
| 2464 » wrBuf->buf + headerLen + ivLen + p1Len, | 2708 » ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); |
| 2465 » p2Len); /* input and inputLen*/ | |
| 2466 » PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len); | |
| 2467 » if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) { | |
| 2468 » PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); | |
| 2469 return SECFailure; | 2709 return SECFailure; |
| 2470 } | 2710 } |
| 2471 » cipherBytes += cipherBytesPart2; | 2711 » p1Len = contentLen; |
| 2472 }» | 2712 » p2Len = macLen; |
| 2713 » fragLen = contentLen + macLen;» /* needs to be encrypted */ |
| 2714 » PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024); |
| 2715 |
| 2716 » /* |
| 2717 » * Pad the text (if we're doing a block cipher) |
| 2718 » * then Encrypt it |
| 2719 » */ |
| 2720 » if (cipher_def->type == type_block) { |
| 2721 » unsigned char * pBuf; |
| 2722 » int padding_length; |
| 2723 » int i; |
| 2724 |
| 2725 » oddLen = contentLen % cipher_def->block_size; |
| 2726 » /* Assume blockSize is a power of two */ |
| 2727 » padding_length = cipher_def->block_size - 1 - |
| 2728 » » » ((fragLen) & (cipher_def->block_size - 1)); |
| 2729 » fragLen += padding_length + 1; |
| 2730 » PORT_Assert((fragLen % cipher_def->block_size) == 0); |
| 2731 |
| 2732 » /* Pad according to TLS rules (also acceptable to SSL3). */ |
| 2733 » pBuf = &wrBuf->buf[headerLen + ivLen + fragLen - 1]; |
| 2734 » for (i = padding_length + 1; i > 0; --i) { |
| 2735 » » *pBuf-- = padding_length; |
| 2736 » } |
| 2737 » /* now, if contentLen is not a multiple of block size, fix it */ |
| 2738 » p2Len = fragLen - p1Len; |
| 2739 » } |
| 2740 » if (p1Len < 256) { |
| 2741 » oddLen = p1Len; |
| 2742 » p1Len = 0; |
| 2743 » } else { |
| 2744 » p1Len -= oddLen; |
| 2745 » } |
| 2746 » if (oddLen) { |
| 2747 » p2Len += oddLen; |
| 2748 » PORT_Assert( (cipher_def->block_size < 2) || \ |
| 2749 » » » (p2Len % cipher_def->block_size) == 0); |
| 2750 » memmove(wrBuf->buf + headerLen + ivLen + p1Len, pIn + p1Len, |
| 2751 » » oddLen); |
| 2752 » } |
| 2753 » if (p1Len > 0) { |
| 2754 » int cipherBytesPart1 = -1; |
| 2755 » rv = cwSpec->encode( cwSpec->encodeContext, |
| 2756 » » wrBuf->buf + headerLen + ivLen, /* output */ |
| 2757 » » &cipherBytesPart1, /* actual outlen */ |
| 2758 » » p1Len, /* max outlen */ |
| 2759 » » pIn, p1Len); /* input, and inputlen */ |
| 2760 » PORT_Assert(rv == SECSuccess && cipherBytesPart1 == (int) p1Len); |
| 2761 » if (rv != SECSuccess || cipherBytesPart1 != (int) p1Len) { |
| 2762 » » PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); |
| 2763 » » return SECFailure; |
| 2764 » } |
| 2765 » cipherBytes += cipherBytesPart1; |
| 2766 » } |
| 2767 » if (p2Len > 0) { |
| 2768 » int cipherBytesPart2 = -1; |
| 2769 » rv = cwSpec->encode( cwSpec->encodeContext, |
| 2770 » » wrBuf->buf + headerLen + ivLen + p1Len, |
| 2771 » » &cipherBytesPart2, /* output and actual outLen */ |
| 2772 » » p2Len, /* max outlen */ |
| 2773 » » wrBuf->buf + headerLen + ivLen + p1Len, |
| 2774 » » p2Len); /* input and inputLen*/ |
| 2775 » PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len); |
| 2776 » if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) { |
| 2777 » » PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); |
| 2778 » » return SECFailure; |
| 2779 » } |
| 2780 » cipherBytes += cipherBytesPart2; |
| 2781 » } |
| 2782 } |
| 2783 |
| 2473 PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024); | 2784 PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024); |
| 2474 | 2785 |
| 2475 wrBuf->len = cipherBytes + headerLen; | 2786 wrBuf->len = cipherBytes + headerLen; |
| 2476 wrBuf->buf[0] = type; | 2787 wrBuf->buf[0] = type; |
| 2477 if (isDTLS) { | 2788 if (isDTLS) { |
| 2478 SSL3ProtocolVersion version; | 2789 SSL3ProtocolVersion version; |
| 2479 | 2790 |
| 2480 version = dtls_TLSVersionToDTLSVersion(cwSpec->version); | 2791 version = dtls_TLSVersionToDTLSVersion(cwSpec->version); |
| 2481 wrBuf->buf[1] = MSB(version); | 2792 wrBuf->buf[1] = MSB(version); |
| 2482 wrBuf->buf[2] = LSB(version); | 2793 wrBuf->buf[2] = LSB(version); |
| (...skipping 522 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 3005 ssl_ReleaseSSL3HandshakeLock(ss); | 3316 ssl_ReleaseSSL3HandshakeLock(ss); |
| 3006 return rv; /* error set by ssl3_FlushHandshake or ssl3_SendRecord */ | 3317 return rv; /* error set by ssl3_FlushHandshake or ssl3_SendRecord */ |
| 3007 } | 3318 } |
| 3008 | 3319 |
| 3009 /* | 3320 /* |
| 3010 * Send illegal_parameter alert. Set generic error number. | 3321 * Send illegal_parameter alert. Set generic error number. |
| 3011 */ | 3322 */ |
| 3012 static SECStatus | 3323 static SECStatus |
| 3013 ssl3_IllegalParameter(sslSocket *ss) | 3324 ssl3_IllegalParameter(sslSocket *ss) |
| 3014 { | 3325 { |
| 3015 PRBool isTLS; | |
| 3016 | |
| 3017 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); | |
| 3018 (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter); | 3326 (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter); |
| 3019 PORT_SetError(ss->sec.isServer ? SSL_ERROR_BAD_CLIENT | 3327 PORT_SetError(ss->sec.isServer ? SSL_ERROR_BAD_CLIENT |
| 3020 : SSL_ERROR_BAD_SERVER ); | 3328 : SSL_ERROR_BAD_SERVER ); |
| 3021 return SECFailure; | 3329 return SECFailure; |
| 3022 } | 3330 } |
| 3023 | 3331 |
| 3024 /* | 3332 /* |
| 3025 * Send handshake_Failure alert. Set generic error number. | 3333 * Send handshake_Failure alert. Set generic error number. |
| 3026 */ | 3334 */ |
| 3027 static SECStatus | 3335 static SECStatus |
| (...skipping 503 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 3531 key_material_params.ulIVSizeInBits = cipher_def->iv_size * BPB; | 3839 key_material_params.ulIVSizeInBits = cipher_def->iv_size * BPB; |
| 3532 if (cipher_def->type == type_block && | 3840 if (cipher_def->type == type_block && |
| 3533 pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { | 3841 pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { |
| 3534 /* Block ciphers in >= TLS 1.1 use a per-record, explicit IV. */ | 3842 /* Block ciphers in >= TLS 1.1 use a per-record, explicit IV. */ |
| 3535 key_material_params.ulIVSizeInBits = 0; | 3843 key_material_params.ulIVSizeInBits = 0; |
| 3536 memset(pwSpec->client.write_iv, 0, cipher_def->iv_size); | 3844 memset(pwSpec->client.write_iv, 0, cipher_def->iv_size); |
| 3537 memset(pwSpec->server.write_iv, 0, cipher_def->iv_size); | 3845 memset(pwSpec->server.write_iv, 0, cipher_def->iv_size); |
| 3538 } | 3846 } |
| 3539 | 3847 |
| 3540 key_material_params.bIsExport = (CK_BBOOL)(kea_def->is_limited); | 3848 key_material_params.bIsExport = (CK_BBOOL)(kea_def->is_limited); |
| 3541 /* was: (CK_BBOOL)(cipher_def->keygen_mode != kg_strong); */ | |
| 3542 | 3849 |
| 3543 key_material_params.RandomInfo.pClientRandom = cr; | 3850 key_material_params.RandomInfo.pClientRandom = cr; |
| 3544 key_material_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH; | 3851 key_material_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH; |
| 3545 key_material_params.RandomInfo.pServerRandom = sr; | 3852 key_material_params.RandomInfo.pServerRandom = sr; |
| 3546 key_material_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH; | 3853 key_material_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH; |
| 3547 key_material_params.pReturnedKeyMaterial = &returnedKeys; | 3854 key_material_params.pReturnedKeyMaterial = &returnedKeys; |
| 3548 | 3855 |
| 3549 returnedKeys.pIVClient = pwSpec->client.write_iv; | 3856 returnedKeys.pIVClient = pwSpec->client.write_iv; |
| 3550 returnedKeys.pIVServer = pwSpec->server.write_iv; | 3857 returnedKeys.pIVServer = pwSpec->server.write_iv; |
| 3551 keySize = cipher_def->key_size; | 3858 keySize = cipher_def->key_size; |
| (...skipping 1271 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 4823 if (!total_exten_len || !isTLS) { | 5130 if (!total_exten_len || !isTLS) { |
| 4824 /* not sending the elliptic_curves and ec_point_formats extensions */ | 5131 /* not sending the elliptic_curves and ec_point_formats extensions */ |
| 4825 ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */ | 5132 ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */ |
| 4826 } | 5133 } |
| 4827 #endif | 5134 #endif |
| 4828 | 5135 |
| 4829 if (IS_DTLS(ss)) { | 5136 if (IS_DTLS(ss)) { |
| 4830 ssl3_DisableNonDTLSSuites(ss); | 5137 ssl3_DisableNonDTLSSuites(ss); |
| 4831 } | 5138 } |
| 4832 | 5139 |
| 5140 if (!ssl3_HasGCMSupport()) { |
| 5141 ssl3_DisableGCMSuites(ss); |
| 5142 } |
| 5143 |
| 4833 /* how many suites are permitted by policy and user preference? */ | 5144 /* how many suites are permitted by policy and user preference? */ |
| 4834 num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE); | 5145 num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE); |
| 4835 if (!num_suites) | 5146 if (!num_suites) |
| 4836 return SECFailure; /* count_cipher_suites has set error code. */ | 5147 return SECFailure; /* count_cipher_suites has set error code. */ |
| 4837 if (ss->ssl3.hs.sendingSCSV) { | 5148 if (ss->ssl3.hs.sendingSCSV) { |
| 4838 ++num_suites; /* make room for SCSV */ | 5149 ++num_suites; /* make room for SCSV */ |
| 4839 } | 5150 } |
| 4840 | 5151 |
| 4841 /* count compression methods */ | 5152 /* count compression methods */ |
| 4842 numCompressionMethods = 0; | 5153 numCompressionMethods = 0; |
| (...skipping 2685 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 7528 | 7839 |
| 7529 #ifdef NSS_ENABLE_ECC | 7840 #ifdef NSS_ENABLE_ECC |
| 7530 /* Disable any ECC cipher suites for which we have no cert. */ | 7841 /* Disable any ECC cipher suites for which we have no cert. */ |
| 7531 ssl3_FilterECCipherSuitesByServerCerts(ss); | 7842 ssl3_FilterECCipherSuitesByServerCerts(ss); |
| 7532 #endif | 7843 #endif |
| 7533 | 7844 |
| 7534 if (IS_DTLS(ss)) { | 7845 if (IS_DTLS(ss)) { |
| 7535 ssl3_DisableNonDTLSSuites(ss); | 7846 ssl3_DisableNonDTLSSuites(ss); |
| 7536 } | 7847 } |
| 7537 | 7848 |
| 7849 if (!ssl3_HasGCMSupport()) { |
| 7850 ssl3_DisableGCMSuites(ss); |
| 7851 } |
| 7852 |
| 7538 #ifdef PARANOID | 7853 #ifdef PARANOID |
| 7539 /* Look for a matching cipher suite. */ | 7854 /* Look for a matching cipher suite. */ |
| 7540 j = ssl3_config_match_init(ss); | 7855 j = ssl3_config_match_init(ss); |
| 7541 if (j <= 0) { /* no ciphers are working/supported by PK11 */ | 7856 if (j <= 0) { /* no ciphers are working/supported by PK11 */ |
| 7542 errCode = PORT_GetError(); /* error code is already set. */ | 7857 errCode = PORT_GetError(); /* error code is already set. */ |
| 7543 goto alert_loser; | 7858 goto alert_loser; |
| 7544 } | 7859 } |
| 7545 #endif | 7860 #endif |
| 7546 | 7861 |
| 7547 /* If we already have a session for this client, be sure to pick the | 7862 /* If we already have a session for this client, be sure to pick the |
| (...skipping 2391 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 9939 return rv; | 10254 return rv; |
| 9940 } | 10255 } |
| 9941 | 10256 |
| 9942 /* called from ssl3_SendFinished | 10257 /* called from ssl3_SendFinished |
| 9943 * | 10258 * |
| 9944 * This function is simply a debugging aid and therefore does not return a | 10259 * This function is simply a debugging aid and therefore does not return a |
| 9945 * SECStatus. */ | 10260 * SECStatus. */ |
| 9946 static void | 10261 static void |
| 9947 ssl3_RecordKeyLog(sslSocket *ss) | 10262 ssl3_RecordKeyLog(sslSocket *ss) |
| 9948 { | 10263 { |
| 9949 sslSessionID *sid; | |
| 9950 SECStatus rv; | 10264 SECStatus rv; |
| 9951 SECItem *keyData; | 10265 SECItem *keyData; |
| 9952 char buf[14 /* "CLIENT_RANDOM " */ + | 10266 char buf[14 /* "CLIENT_RANDOM " */ + |
| 9953 SSL3_RANDOM_LENGTH*2 /* client_random */ + | 10267 SSL3_RANDOM_LENGTH*2 /* client_random */ + |
| 9954 1 /* " " */ + | 10268 1 /* " " */ + |
| 9955 48*2 /* master secret */ + | 10269 48*2 /* master secret */ + |
| 9956 1 /* new line */]; | 10270 1 /* new line */]; |
| 9957 unsigned int j; | 10271 unsigned int j; |
| 9958 | 10272 |
| 9959 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 10273 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| 9960 | 10274 |
| 9961 sid = ss->sec.ci.sid; | |
| 9962 | |
| 9963 if (!ssl_keylog_iob) | 10275 if (!ssl_keylog_iob) |
| 9964 return; | 10276 return; |
| 9965 | 10277 |
| 9966 rv = PK11_ExtractKeyValue(ss->ssl3.cwSpec->master_secret); | 10278 rv = PK11_ExtractKeyValue(ss->ssl3.cwSpec->master_secret); |
| 9967 if (rv != SECSuccess) | 10279 if (rv != SECSuccess) |
| 9968 return; | 10280 return; |
| 9969 | 10281 |
| 9970 ssl_GetSpecReadLock(ss); | 10282 ssl_GetSpecReadLock(ss); |
| 9971 | 10283 |
| 9972 /* keyData does not need to be freed. */ | 10284 /* keyData does not need to be freed. */ |
| (...skipping 1191 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 11164 | 11476 |
| 11165 good = ~0U; | 11477 good = ~0U; |
| 11166 minLength = crSpec->mac_size; | 11478 minLength = crSpec->mac_size; |
| 11167 if (cipher_def->type == type_block) { | 11479 if (cipher_def->type == type_block) { |
| 11168 /* CBC records have a padding length byte at the end. */ | 11480 /* CBC records have a padding length byte at the end. */ |
| 11169 minLength++; | 11481 minLength++; |
| 11170 if (crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { | 11482 if (crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { |
| 11171 /* With >= TLS 1.1, CBC records have an explicit IV. */ | 11483 /* With >= TLS 1.1, CBC records have an explicit IV. */ |
| 11172 minLength += cipher_def->iv_size; | 11484 minLength += cipher_def->iv_size; |
| 11173 } | 11485 } |
| 11486 } else if (cipher_def->type == type_aead) { |
| 11487 minLength = cipher_def->explicit_nonce_size + cipher_def->tag_size; |
| 11174 } | 11488 } |
| 11175 | 11489 |
| 11176 /* We can perform this test in variable time because the record's total | 11490 /* We can perform this test in variable time because the record's total |
| 11177 * length and the ciphersuite are both public knowledge. */ | 11491 * length and the ciphersuite are both public knowledge. */ |
| 11178 if (cText->buf->len < minLength) { | 11492 if (cText->buf->len < minLength) { |
| 11179 goto decrypt_loser; | 11493 » goto decrypt_loser; |
| 11180 } | 11494 } |
| 11181 | 11495 |
| 11182 if (cipher_def->type == type_block && | 11496 if (cipher_def->type == type_block && |
| 11183 crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { | 11497 crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { |
| 11184 /* Consume the per-record explicit IV. RFC 4346 Section 6.2.3.2 states | 11498 /* Consume the per-record explicit IV. RFC 4346 Section 6.2.3.2 states |
| 11185 * "The receiver decrypts the entire GenericBlockCipher structure and | 11499 * "The receiver decrypts the entire GenericBlockCipher structure and |
| 11186 * then discards the first cipher block corresponding to the IV | 11500 * then discards the first cipher block corresponding to the IV |
| 11187 * component." Instead, we decrypt the first cipher block and then | 11501 * component." Instead, we decrypt the first cipher block and then |
| 11188 * discard it before decrypting the rest. | 11502 * discard it before decrypting the rest. |
| 11189 */ | 11503 */ |
| (...skipping 47 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 11237 | 11551 |
| 11238 isTLS = (PRBool)(crSpec->version > SSL_LIBRARY_VERSION_3_0); | 11552 isTLS = (PRBool)(crSpec->version > SSL_LIBRARY_VERSION_3_0); |
| 11239 | 11553 |
| 11240 if (isTLS && cText->buf->len - ivLen > (MAX_FRAGMENT_LENGTH + 2048)) { | 11554 if (isTLS && cText->buf->len - ivLen > (MAX_FRAGMENT_LENGTH + 2048)) { |
| 11241 ssl_ReleaseSpecReadLock(ss); | 11555 ssl_ReleaseSpecReadLock(ss); |
| 11242 SSL3_SendAlert(ss, alert_fatal, record_overflow); | 11556 SSL3_SendAlert(ss, alert_fatal, record_overflow); |
| 11243 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); | 11557 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); |
| 11244 return SECFailure; | 11558 return SECFailure; |
| 11245 } | 11559 } |
| 11246 | 11560 |
| 11247 if (cipher_def->type == type_block && | 11561 rType = cText->type; |
| 11248 » ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) { | 11562 if (cipher_def->type == type_aead) { |
| 11249 » goto decrypt_loser; | 11563 » rv = crSpec->aead( |
| 11250 } | 11564 » » ss->sec.isServer ? &crSpec->client : &crSpec->server, |
| 11565 » » PR_TRUE, /* do decrypt */ |
| 11566 » » plaintext->buf, /* out */ |
| 11567 » » (int*) &plaintext->len, /* outlen */ |
| 11568 » » plaintext->space, /* maxout */ |
| 11569 » » cText->buf->buf, /* in */ |
| 11570 » » cText->buf->len, /* inlen */ |
| 11571 » » rType, /* record type */ |
| 11572 » » cText->version, |
| 11573 » » IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num); |
| 11574 » if (rv != SECSuccess) { |
| 11575 » good = 0; |
| 11576 » } |
| 11577 } else { |
| 11578 » if (cipher_def->type == type_block && |
| 11579 » ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) { |
| 11580 » goto decrypt_loser; |
| 11581 » } |
| 11251 | 11582 |
| 11252 /* decrypt from cText buf to plaintext. */ | 11583 » /* decrypt from cText buf to plaintext. */ |
| 11253 rv = crSpec->decode( | 11584 » rv = crSpec->decode( |
| 11254 » crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len, | 11585 » crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len, |
| 11255 » plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen); | 11586 » plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen); |
| 11256 if (rv != SECSuccess) { | 11587 » if (rv != SECSuccess) { |
| 11257 » goto decrypt_loser; | 11588 » goto decrypt_loser; |
| 11258 } | 11589 » } |
| 11259 | 11590 |
| 11260 PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len)); | 11591 » PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len)); |
| 11261 | 11592 |
| 11262 originalLen = plaintext->len; | 11593 » originalLen = plaintext->len; |
| 11263 | 11594 |
| 11264 /* If it's a block cipher, check and strip the padding. */ | 11595 » /* If it's a block cipher, check and strip the padding. */ |
| 11265 if (cipher_def->type == type_block) { | 11596 » if (cipher_def->type == type_block) { |
| 11266 » const unsigned int blockSize = cipher_def->block_size; | 11597 » const unsigned int blockSize = cipher_def->block_size; |
| 11267 » const unsigned int macSize = crSpec->mac_size; | 11598 » const unsigned int macSize = crSpec->mac_size; |
| 11268 | 11599 |
| 11269 » if (crSpec->version <= SSL_LIBRARY_VERSION_3_0) { | 11600 » if (crSpec->version <= SSL_LIBRARY_VERSION_3_0) { |
| 11270 » good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding( | 11601 » » good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding( |
| 11271 » » » plaintext, blockSize, macSize)); | 11602 » » » plaintext, blockSize, macSize)); |
| 11603 » } else { |
| 11604 » » good &= SECStatusToMask(ssl_RemoveTLSCBCPadding( |
| 11605 » » » plaintext, macSize)); |
| 11606 » } |
| 11607 » } |
| 11608 |
| 11609 » /* compute the MAC */ |
| 11610 » if (cipher_def->type == type_block) { |
| 11611 » rv = ssl3_ComputeRecordMACConstantTime( |
| 11612 » » crSpec, (PRBool)(!ss->sec.isServer), |
| 11613 » » IS_DTLS(ss), rType, cText->version, |
| 11614 » » IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, |
| 11615 » » plaintext->buf, plaintext->len, originalLen, |
| 11616 » » hash, &hashBytes); |
| 11617 |
| 11618 » ssl_CBCExtractMAC(plaintext, originalLen, givenHashBuf, |
| 11619 » » » crSpec->mac_size); |
| 11620 » givenHash = givenHashBuf; |
| 11621 |
| 11622 » /* plaintext->len will always have enough space to remove the MAC |
| 11623 » * because in ssl_Remove{SSLv3|TLS}CBCPadding we only adjust |
| 11624 » * plaintext->len if the result has enough space for the MAC and we |
| 11625 » * tested the unadjusted size against minLength, above. */ |
| 11626 » plaintext->len -= crSpec->mac_size; |
| 11272 } else { | 11627 } else { |
| 11273 » good &= SECStatusToMask(ssl_RemoveTLSCBCPadding( | 11628 » /* This is safe because we checked the minLength above. */ |
| 11274 » » » plaintext, macSize)); | 11629 » plaintext->len -= crSpec->mac_size; |
| 11630 |
| 11631 » rv = ssl3_ComputeRecordMAC( |
| 11632 » » crSpec, (PRBool)(!ss->sec.isServer), |
| 11633 » » IS_DTLS(ss), rType, cText->version, |
| 11634 » » IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, |
| 11635 » » plaintext->buf, plaintext->len, |
| 11636 » » hash, &hashBytes); |
| 11637 |
| 11638 » /* We can read the MAC directly from the record because its location |
| 11639 » * is public when a stream cipher is used. */ |
| 11640 » givenHash = plaintext->buf + plaintext->len; |
| 11641 » } |
| 11642 |
| 11643 » good &= SECStatusToMask(rv); |
| 11644 |
| 11645 » if (hashBytes != (unsigned)crSpec->mac_size || |
| 11646 » NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) { |
| 11647 » /* We're allowed to leak whether or not the MAC check was correct */ |
| 11648 » good = 0; |
| 11275 } | 11649 } |
| 11276 } | 11650 } |
| 11277 | 11651 |
| 11278 /* compute the MAC */ | |
| 11279 rType = cText->type; | |
| 11280 if (cipher_def->type == type_block) { | |
| 11281 rv = ssl3_ComputeRecordMACConstantTime( | |
| 11282 crSpec, (PRBool)(!ss->sec.isServer), | |
| 11283 IS_DTLS(ss), rType, cText->version, | |
| 11284 IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, | |
| 11285 plaintext->buf, plaintext->len, originalLen, | |
| 11286 hash, &hashBytes); | |
| 11287 | |
| 11288 ssl_CBCExtractMAC(plaintext, originalLen, givenHashBuf, | |
| 11289 crSpec->mac_size); | |
| 11290 givenHash = givenHashBuf; | |
| 11291 | |
| 11292 /* plaintext->len will always have enough space to remove the MAC | |
| 11293 * because in ssl_Remove{SSLv3|TLS}CBCPadding we only adjust | |
| 11294 * plaintext->len if the result has enough space for the MAC and we | |
| 11295 * tested the unadjusted size against minLength, above. */ | |
| 11296 plaintext->len -= crSpec->mac_size; | |
| 11297 } else { | |
| 11298 /* This is safe because we checked the minLength above. */ | |
| 11299 plaintext->len -= crSpec->mac_size; | |
| 11300 | |
| 11301 rv = ssl3_ComputeRecordMAC( | |
| 11302 crSpec, (PRBool)(!ss->sec.isServer), | |
| 11303 IS_DTLS(ss), rType, cText->version, | |
| 11304 IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, | |
| 11305 plaintext->buf, plaintext->len, | |
| 11306 hash, &hashBytes); | |
| 11307 | |
| 11308 /* We can read the MAC directly from the record because its location is | |
| 11309 * public when a stream cipher is used. */ | |
| 11310 givenHash = plaintext->buf + plaintext->len; | |
| 11311 } | |
| 11312 | |
| 11313 good &= SECStatusToMask(rv); | |
| 11314 | |
| 11315 if (hashBytes != (unsigned)crSpec->mac_size || | |
| 11316 NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) { | |
| 11317 /* We're allowed to leak whether or not the MAC check was correct */ | |
| 11318 good = 0; | |
| 11319 } | |
| 11320 | |
| 11321 if (good == 0) { | 11652 if (good == 0) { |
| 11322 decrypt_loser: | 11653 decrypt_loser: |
| 11323 /* must not hold spec lock when calling SSL3_SendAlert. */ | 11654 /* must not hold spec lock when calling SSL3_SendAlert. */ |
| 11324 ssl_ReleaseSpecReadLock(ss); | 11655 ssl_ReleaseSpecReadLock(ss); |
| 11325 | 11656 |
| 11326 SSL_DBG(("%d: SSL3[%d]: decryption failed", SSL_GETPID(), ss->fd)); | 11657 SSL_DBG(("%d: SSL3[%d]: decryption failed", SSL_GETPID(), ss->fd)); |
| 11327 | 11658 |
| 11328 if (!IS_DTLS(ss)) { | 11659 if (!IS_DTLS(ss)) { |
| 11329 SSL3_SendAlert(ss, alert_fatal, bad_record_mac); | 11660 SSL3_SendAlert(ss, alert_fatal, bad_record_mac); |
| 11330 /* always log mac error, in case attacker can read server logs. */ | 11661 /* always log mac error, in case attacker can read server logs. */ |
| (...skipping 639 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 11970 PORT_Free(ss->ssl3.hs.recvdFragments.buf); | 12301 PORT_Free(ss->ssl3.hs.recvdFragments.buf); |
| 11971 } | 12302 } |
| 11972 } | 12303 } |
| 11973 | 12304 |
| 11974 ss->ssl3.initialized = PR_FALSE; | 12305 ss->ssl3.initialized = PR_FALSE; |
| 11975 | 12306 |
| 11976 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); | 12307 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); |
| 11977 } | 12308 } |
| 11978 | 12309 |
| 11979 /* End of ssl3con.c */ | 12310 /* End of ssl3con.c */ |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 21696002:
Implement the AES GCM cipher suites for TLS. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/