OLD | NEW |
1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ | 1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ |
2 /* | 2 /* |
3 * SSL3 Protocol | 3 * SSL3 Protocol |
4 * | 4 * |
5 * This Source Code Form is subject to the terms of the Mozilla Public | 5 * This Source Code Form is subject to the terms of the Mozilla Public |
6 * License, v. 2.0. If a copy of the MPL was not distributed with this | 6 * License, v. 2.0. If a copy of the MPL was not distributed with this |
7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
8 | 8 |
9 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */ | 9 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */ |
10 | 10 |
(...skipping 26 matching lines...) Expand all Loading... |
37 #define CKM_NSS_TLS_PRF_GENERAL_SHA256 (CKM_NSS + 21) | 37 #define CKM_NSS_TLS_PRF_GENERAL_SHA256 (CKM_NSS + 21) |
38 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256 (CKM_NSS + 22) | 38 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256 (CKM_NSS + 22) |
39 #define CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256 (CKM_NSS + 23) | 39 #define CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256 (CKM_NSS + 23) |
40 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) | 40 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) |
41 #endif | 41 #endif |
42 | 42 |
43 #include <stdio.h> | 43 #include <stdio.h> |
44 #ifdef NSS_ENABLE_ZLIB | 44 #ifdef NSS_ENABLE_ZLIB |
45 #include "zlib.h" | 45 #include "zlib.h" |
46 #endif | 46 #endif |
| 47 #ifdef LINUX |
| 48 #include <dlfcn.h> |
| 49 #endif |
47 | 50 |
48 #ifndef PK11_SETATTRS | 51 #ifndef PK11_SETATTRS |
49 #define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \ | 52 #define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \ |
50 (x)->pValue=(v); (x)->ulValueLen = (l); | 53 (x)->pValue=(v); (x)->ulValueLen = (l); |
51 #endif | 54 #endif |
52 | 55 |
53 static SECStatus ssl3_AuthCertificate(sslSocket *ss); | 56 static SECStatus ssl3_AuthCertificate(sslSocket *ss); |
54 static void ssl3_CleanupPeerCerts(sslSocket *ss); | 57 static void ssl3_CleanupPeerCerts(sslSocket *ss); |
55 static void ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid); | 58 static void ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid); |
56 static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec, | 59 static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec, |
(...skipping 14 matching lines...) Expand all Loading... |
71 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss); | 74 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss); |
72 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss, | 75 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss, |
73 const unsigned char *b, | 76 const unsigned char *b, |
74 unsigned int l); | 77 unsigned int l); |
75 static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags); | 78 static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags); |
76 static int ssl3_OIDToTLSHashAlgorithm(SECOidTag oid); | 79 static int ssl3_OIDToTLSHashAlgorithm(SECOidTag oid); |
77 | 80 |
78 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, | 81 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, |
79 int maxOutputLen, const unsigned char *input, | 82 int maxOutputLen, const unsigned char *input, |
80 int inputLen); | 83 int inputLen); |
| 84 #ifndef NO_PKCS11_BYPASS |
| 85 static SECStatus ssl3_AESGCMBypass(ssl3KeyMaterial *keys, PRBool doDecrypt, |
| 86 unsigned char *out, int *outlen, int maxout, |
| 87 const unsigned char *in, int inlen, |
| 88 SSL3ContentType type, |
| 89 SSL3ProtocolVersion version, |
| 90 SSL3SequenceNumber seq_num); |
| 91 #endif |
81 | 92 |
82 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */ | 93 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */ |
83 #define MIN_SEND_BUF_LENGTH 4000 | 94 #define MIN_SEND_BUF_LENGTH 4000 |
84 | 95 |
85 /* This list of SSL3 cipher suites is sorted in descending order of | 96 /* This list of SSL3 cipher suites is sorted in descending order of |
86 * precedence (desirability). It only includes cipher suites we implement. | 97 * precedence (desirability). It only includes cipher suites we implement. |
87 * This table is modified by SSL3_SetPolicy(). The ordering of cipher suites | 98 * This table is modified by SSL3_SetPolicy(). The ordering of cipher suites |
88 * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c) | 99 * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c) |
89 */ | 100 */ |
90 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { | 101 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { |
91 /* cipher_suite policy enabled is_present*/ | 102 /* cipher_suite policy enabled is_present*/ |
92 #ifdef NSS_ENABLE_ECC | 103 #ifdef NSS_ENABLE_ECC |
| 104 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 105 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 106 #endif /* NSS_ENABLE_ECC */ |
| 107 { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 108 { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 109 |
| 110 #ifdef NSS_ENABLE_ECC |
93 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, | 111 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
94 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, | 112 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
95 #endif /* NSS_ENABLE_ECC */ | 113 #endif /* NSS_ENABLE_ECC */ |
96 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, | 114 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
97 { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, | 115 { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
98 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, | 116 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
99 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, | 117 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
100 { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, | 118 { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
101 #ifdef NSS_ENABLE_ECC | 119 #ifdef NSS_ENABLE_ECC |
102 { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, | 120 { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
(...skipping 123 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
226 | 244 |
227 | 245 |
228 /* This global item is used only in servers. It is is initialized by | 246 /* This global item is used only in servers. It is is initialized by |
229 ** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest(). | 247 ** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest(). |
230 */ | 248 */ |
231 CERTDistNames *ssl3_server_ca_list = NULL; | 249 CERTDistNames *ssl3_server_ca_list = NULL; |
232 static SSL3Statistics ssl3stats; | 250 static SSL3Statistics ssl3stats; |
233 | 251 |
234 /* indexed by SSL3BulkCipher */ | 252 /* indexed by SSL3BulkCipher */ |
235 static const ssl3BulkCipherDef bulk_cipher_defs[] = { | 253 static const ssl3BulkCipherDef bulk_cipher_defs[] = { |
236 /* cipher calg keySz secretSz type ivSz BlkSz keygen */ | 254 /* |--------- Lengths --------| */ |
237 {cipher_null, calg_null, 0, 0, type_stream, 0, 0, kg_null}, | 255 /* cipher calg k s type i b t n */ |
238 {cipher_rc4, calg_rc4, 16, 16, type_stream, 0, 0, kg_strong}, | 256 /* e e v l a o */ |
239 {cipher_rc4_40, calg_rc4, 16, 5, type_stream, 0, 0, kg_export}, | 257 /* y c | o g n */ |
240 {cipher_rc4_56, calg_rc4, 16, 7, type_stream, 0, 0, kg_export}, | 258 /* | r | c | c */ |
241 {cipher_rc2, calg_rc2, 16, 16, type_block, 8, 8, kg_strong}, | 259 /* | e | k | e */ |
242 {cipher_rc2_40, calg_rc2, 16, 5, type_block, 8, 8, kg_export}, | 260 /* | t | | | | */ |
243 {cipher_des, calg_des, 8, 8, type_block, 8, 8, kg_strong}, | 261 {cipher_null, calg_null, 0, 0, type_stream, 0, 0, 0, 0}, |
244 {cipher_3des, calg_3des, 24, 24, type_block, 8, 8, kg_strong}, | 262 {cipher_rc4, calg_rc4, 16,16, type_stream, 0, 0, 0, 0}, |
245 {cipher_des40, calg_des, 8, 5, type_block, 8, 8, kg_export}, | 263 {cipher_rc4_40, calg_rc4, 16, 5, type_stream, 0, 0, 0, 0}, |
246 {cipher_idea, calg_idea, 16, 16, type_block, 8, 8, kg_strong}, | 264 {cipher_rc4_56, calg_rc4, 16, 7, type_stream, 0, 0, 0, 0}, |
247 {cipher_aes_128, calg_aes, 16, 16, type_block, 16,16, kg_strong}, | 265 {cipher_rc2, calg_rc2, 16,16, type_block, 8, 8, 0, 0}, |
248 {cipher_aes_256, calg_aes, 32, 32, type_block, 16,16, kg_strong}, | 266 {cipher_rc2_40, calg_rc2, 16, 5, type_block, 8, 8, 0, 0}, |
249 {cipher_camellia_128, calg_camellia,16, 16, type_block, 16,16, kg_strong}, | 267 {cipher_des, calg_des, 8, 8, type_block, 8, 8, 0, 0}, |
250 {cipher_camellia_256, calg_camellia,32, 32, type_block, 16,16, kg_strong}, | 268 {cipher_3des, calg_3des, 24,24, type_block, 8, 8, 0, 0}, |
251 {cipher_seed, calg_seed, 16, 16, type_block, 16,16, kg_strong}, | 269 {cipher_des40, calg_des, 8, 5, type_block, 8, 8, 0, 0}, |
252 {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, kg_null}, | 270 {cipher_idea, calg_idea, 16,16, type_block, 8, 8, 0, 0}, |
| 271 {cipher_aes_128, calg_aes, 16,16, type_block, 16,16, 0, 0}, |
| 272 {cipher_aes_256, calg_aes, 32,32, type_block, 16,16, 0, 0}, |
| 273 {cipher_camellia_128, calg_camellia, 16,16, type_block, 16,16, 0, 0}, |
| 274 {cipher_camellia_256, calg_camellia, 32,32, type_block, 16,16, 0, 0}, |
| 275 {cipher_seed, calg_seed, 16,16, type_block, 16,16, 0, 0}, |
| 276 {cipher_aes_128_gcm, calg_aes_gcm, 16,16, type_aead, 4, 0,16, 8}, |
| 277 {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, 0, 0}, |
253 }; | 278 }; |
254 | 279 |
255 static const ssl3KEADef kea_defs[] = | 280 static const ssl3KEADef kea_defs[] = |
256 { /* indexed by SSL3KeyExchangeAlgorithm */ | 281 { /* indexed by SSL3KeyExchangeAlgorithm */ |
257 /* kea exchKeyType signKeyType is_limited limit tls_keygen */ | 282 /* kea exchKeyType signKeyType is_limited limit tls_keygen */ |
258 {kea_null, kt_null, sign_null, PR_FALSE, 0, PR_FALSE}, | 283 {kea_null, kt_null, sign_null, PR_FALSE, 0, PR_FALSE}, |
259 {kea_rsa, kt_rsa, sign_rsa, PR_FALSE, 0, PR_FALSE}, | 284 {kea_rsa, kt_rsa, sign_rsa, PR_FALSE, 0, PR_FALSE}, |
260 {kea_rsa_export, kt_rsa, sign_rsa, PR_TRUE, 512, PR_FALSE}, | 285 {kea_rsa_export, kt_rsa, sign_rsa, PR_TRUE, 512, PR_FALSE}, |
261 {kea_rsa_export_1024,kt_rsa, sign_rsa, PR_TRUE, 1024, PR_FALSE}, | 286 {kea_rsa_export_1024,kt_rsa, sign_rsa, PR_TRUE, 1024, PR_FALSE}, |
262 {kea_dh_dss, kt_dh, sign_dsa, PR_FALSE, 0, PR_FALSE}, | 287 {kea_dh_dss, kt_dh, sign_dsa, PR_FALSE, 0, PR_FALSE}, |
(...skipping 101 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
364 cipher_camellia_256, mac_sha, kea_dhe_rsa}, | 389 cipher_camellia_256, mac_sha, kea_dhe_rsa}, |
365 | 390 |
366 {TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, | 391 {TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, |
367 cipher_des, mac_sha,kea_rsa_export_1024}, | 392 cipher_des, mac_sha,kea_rsa_export_1024}, |
368 {TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, | 393 {TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, |
369 cipher_rc4_56, mac_sha,kea_rsa_export_1024}, | 394 cipher_rc4_56, mac_sha,kea_rsa_export_1024}, |
370 | 395 |
371 {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips}, | 396 {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips}, |
372 {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips}, | 397 {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips}, |
373 | 398 |
| 399 {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_dhe_
rsa}, |
| 400 {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_rsa}, |
| 401 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_ec
dhe_rsa}, |
| 402 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_
ecdhe_ecdsa}, |
| 403 |
374 #ifdef NSS_ENABLE_ECC | 404 #ifdef NSS_ENABLE_ECC |
375 {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa}, | 405 {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa}, |
376 {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa}, | 406 {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa}, |
377 {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa}
, | 407 {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa}
, |
378 {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecds
a}, | 408 {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecds
a}, |
379 {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecds
a}, | 409 {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecds
a}, |
380 | 410 |
381 {TLS_ECDHE_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_ecdsa
}, | 411 {TLS_ECDHE_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_ecdsa
}, |
382 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_ecdsa
}, | 412 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_ecdsa
}, |
383 {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecds
a}, | 413 {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecds
a}, |
(...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
427 { calg_null , (CK_MECHANISM_TYPE)0x80000000L }, | 457 { calg_null , (CK_MECHANISM_TYPE)0x80000000L }, |
428 { calg_rc4 , CKM_RC4 }, | 458 { calg_rc4 , CKM_RC4 }, |
429 { calg_rc2 , CKM_RC2_CBC }, | 459 { calg_rc2 , CKM_RC2_CBC }, |
430 { calg_des , CKM_DES_CBC }, | 460 { calg_des , CKM_DES_CBC }, |
431 { calg_3des , CKM_DES3_CBC }, | 461 { calg_3des , CKM_DES3_CBC }, |
432 { calg_idea , CKM_IDEA_CBC }, | 462 { calg_idea , CKM_IDEA_CBC }, |
433 { calg_fortezza , CKM_SKIPJACK_CBC64 }, | 463 { calg_fortezza , CKM_SKIPJACK_CBC64 }, |
434 { calg_aes , CKM_AES_CBC }, | 464 { calg_aes , CKM_AES_CBC }, |
435 { calg_camellia , CKM_CAMELLIA_CBC }, | 465 { calg_camellia , CKM_CAMELLIA_CBC }, |
436 { calg_seed , CKM_SEED_CBC }, | 466 { calg_seed , CKM_SEED_CBC }, |
| 467 { calg_aes_gcm , CKM_AES_GCM }, |
437 /* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */ | 468 /* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */ |
438 }; | 469 }; |
439 | 470 |
440 #define mmech_null (CK_MECHANISM_TYPE)0x80000000L | 471 #define mmech_null (CK_MECHANISM_TYPE)0x80000000L |
441 #define mmech_md5 CKM_SSL3_MD5_MAC | 472 #define mmech_md5 CKM_SSL3_MD5_MAC |
442 #define mmech_sha CKM_SSL3_SHA1_MAC | 473 #define mmech_sha CKM_SSL3_SHA1_MAC |
443 #define mmech_md5_hmac CKM_MD5_HMAC | 474 #define mmech_md5_hmac CKM_MD5_HMAC |
444 #define mmech_sha_hmac CKM_SHA_1_HMAC | 475 #define mmech_sha_hmac CKM_SHA_1_HMAC |
445 #define mmech_sha256_hmac CKM_SHA256_HMAC | 476 #define mmech_sha256_hmac CKM_SHA256_HMAC |
446 | 477 |
(...skipping 18 matching lines...) Expand all Loading... |
465 "RC2-CBC-40", | 496 "RC2-CBC-40", |
466 "DES-CBC", | 497 "DES-CBC", |
467 "3DES-EDE-CBC", | 498 "3DES-EDE-CBC", |
468 "DES-CBC-40", | 499 "DES-CBC-40", |
469 "IDEA-CBC", | 500 "IDEA-CBC", |
470 "AES-128", | 501 "AES-128", |
471 "AES-256", | 502 "AES-256", |
472 "Camellia-128", | 503 "Camellia-128", |
473 "Camellia-256", | 504 "Camellia-256", |
474 "SEED-CBC", | 505 "SEED-CBC", |
| 506 "AES-128-GCM", |
475 "missing" | 507 "missing" |
476 }; | 508 }; |
477 | 509 |
478 #ifdef NSS_ENABLE_ECC | 510 #ifdef NSS_ENABLE_ECC |
479 /* The ECCWrappedKeyInfo structure defines how various pieces of | 511 /* The ECCWrappedKeyInfo structure defines how various pieces of |
480 * information are laid out within wrappedSymmetricWrappingkey | 512 * information are laid out within wrappedSymmetricWrappingkey |
481 * for ECDH key exchange. Since wrappedSymmetricWrappingkey is | 513 * for ECDH key exchange. Since wrappedSymmetricWrappingkey is |
482 * a 512-byte buffer (see sslimpl.h), the variable length field | 514 * a 512-byte buffer (see sslimpl.h), the variable length field |
483 * in ECCWrappedKeyInfo can be at most (512 - 8) = 504 bytes. | 515 * in ECCWrappedKeyInfo can be at most (512 - 8) = 504 bytes. |
484 * | 516 * |
(...skipping 106 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
591 * SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA: never implemented | 623 * SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA: never implemented |
592 * SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA: never implemented | 624 * SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA: never implemented |
593 * SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA: never implemented | 625 * SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA: never implemented |
594 * SSL_DH_ANON_EXPORT_WITH_RC4_40_MD5: never implemented | 626 * SSL_DH_ANON_EXPORT_WITH_RC4_40_MD5: never implemented |
595 * SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA: never implemented | 627 * SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA: never implemented |
596 */ | 628 */ |
597 return version <= SSL_LIBRARY_VERSION_TLS_1_0; | 629 return version <= SSL_LIBRARY_VERSION_TLS_1_0; |
598 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: | 630 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: |
599 case TLS_RSA_WITH_AES_256_CBC_SHA256: | 631 case TLS_RSA_WITH_AES_256_CBC_SHA256: |
600 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: | 632 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: |
| 633 case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: |
601 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: | 634 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: |
| 635 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: |
602 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: | 636 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: |
| 637 case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: |
603 case TLS_RSA_WITH_AES_128_CBC_SHA256: | 638 case TLS_RSA_WITH_AES_128_CBC_SHA256: |
| 639 case TLS_RSA_WITH_AES_128_GCM_SHA256: |
604 case TLS_RSA_WITH_NULL_SHA256: | 640 case TLS_RSA_WITH_NULL_SHA256: |
605 return version >= SSL_LIBRARY_VERSION_TLS_1_2; | 641 return version >= SSL_LIBRARY_VERSION_TLS_1_2; |
606 default: | 642 default: |
607 return PR_TRUE; | 643 return PR_TRUE; |
608 } | 644 } |
609 } | 645 } |
610 | 646 |
611 /* return pointer to ssl3CipherSuiteDef for suite, or NULL */ | 647 /* return pointer to ssl3CipherSuiteDef for suite, or NULL */ |
612 /* XXX This does a linear search. A binary search would be better. */ | 648 /* XXX This does a linear search. A binary search would be better. */ |
613 static const ssl3CipherSuiteDef * | 649 static const ssl3CipherSuiteDef * |
(...skipping 739 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1353 if (IS_DTLS(ss)) { | 1389 if (IS_DTLS(ss)) { |
1354 /* Double-check that we did not pick an RC4 suite */ | 1390 /* Double-check that we did not pick an RC4 suite */ |
1355 PORT_Assert((suite_def->bulk_cipher_alg != cipher_rc4) && | 1391 PORT_Assert((suite_def->bulk_cipher_alg != cipher_rc4) && |
1356 (suite_def->bulk_cipher_alg != cipher_rc4_40) && | 1392 (suite_def->bulk_cipher_alg != cipher_rc4_40) && |
1357 (suite_def->bulk_cipher_alg != cipher_rc4_56)); | 1393 (suite_def->bulk_cipher_alg != cipher_rc4_56)); |
1358 } | 1394 } |
1359 | 1395 |
1360 cipher = suite_def->bulk_cipher_alg; | 1396 cipher = suite_def->bulk_cipher_alg; |
1361 kea = suite_def->key_exchange_alg; | 1397 kea = suite_def->key_exchange_alg; |
1362 mac = suite_def->mac_alg; | 1398 mac = suite_def->mac_alg; |
1363 if (mac <= ssl_mac_sha && isTLS) | 1399 if (mac <= ssl_mac_sha && mac != ssl_mac_null && isTLS) |
1364 mac += 2; | 1400 mac += 2; |
1365 | 1401 |
1366 ss->ssl3.hs.suite_def = suite_def; | 1402 ss->ssl3.hs.suite_def = suite_def; |
1367 ss->ssl3.hs.kea_def = &kea_defs[kea]; | 1403 ss->ssl3.hs.kea_def = &kea_defs[kea]; |
1368 PORT_Assert(ss->ssl3.hs.kea_def->kea == kea); | 1404 PORT_Assert(ss->ssl3.hs.kea_def->kea == kea); |
1369 | 1405 |
1370 pwSpec->cipher_def = &bulk_cipher_defs[cipher]; | 1406 pwSpec->cipher_def = &bulk_cipher_defs[cipher]; |
1371 PORT_Assert(pwSpec->cipher_def->cipher == cipher); | 1407 PORT_Assert(pwSpec->cipher_def->cipher == cipher); |
1372 | 1408 |
1373 pwSpec->mac_def = &mac_defs[mac]; | 1409 pwSpec->mac_def = &mac_defs[mac]; |
(...skipping 173 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1547 ssl3CipherSpec * pwSpec; | 1583 ssl3CipherSpec * pwSpec; |
1548 const ssl3BulkCipherDef *cipher_def; | 1584 const ssl3BulkCipherDef *cipher_def; |
1549 void * serverContext = NULL; | 1585 void * serverContext = NULL; |
1550 void * clientContext = NULL; | 1586 void * clientContext = NULL; |
1551 BLapiInitContextFunc initFn = (BLapiInitContextFunc)NULL; | 1587 BLapiInitContextFunc initFn = (BLapiInitContextFunc)NULL; |
1552 int mode = 0; | 1588 int mode = 0; |
1553 unsigned int optArg1 = 0; | 1589 unsigned int optArg1 = 0; |
1554 unsigned int optArg2 = 0; | 1590 unsigned int optArg2 = 0; |
1555 PRBool server_encrypts = ss->sec.isServer; | 1591 PRBool server_encrypts = ss->sec.isServer; |
1556 SSLCipherAlgorithm calg; | 1592 SSLCipherAlgorithm calg; |
1557 SSLCompressionMethod compression_method; | |
1558 SECStatus rv; | 1593 SECStatus rv; |
1559 | 1594 |
1560 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 1595 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
1561 PORT_Assert(ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); | 1596 PORT_Assert(ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); |
1562 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); | 1597 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); |
1563 | 1598 |
1564 pwSpec = ss->ssl3.pwSpec; | 1599 pwSpec = ss->ssl3.pwSpec; |
1565 cipher_def = pwSpec->cipher_def; | 1600 cipher_def = pwSpec->cipher_def; |
1566 | 1601 |
1567 calg = cipher_def->calg; | 1602 calg = cipher_def->calg; |
1568 compression_method = pwSpec->compression_method; | 1603 |
| 1604 if (calg == calg_aes_gcm) { |
| 1605 » pwSpec->encode = NULL; |
| 1606 » pwSpec->decode = NULL; |
| 1607 » pwSpec->destroy = NULL; |
| 1608 » pwSpec->encodeContext = NULL; |
| 1609 » pwSpec->decodeContext = NULL; |
| 1610 » pwSpec->aead = ssl3_AESGCMBypass; |
| 1611 » ssl3_InitCompressionContext(pwSpec); |
| 1612 » return SECSuccess; |
| 1613 } |
1569 | 1614 |
1570 serverContext = pwSpec->server.cipher_context; | 1615 serverContext = pwSpec->server.cipher_context; |
1571 clientContext = pwSpec->client.cipher_context; | 1616 clientContext = pwSpec->client.cipher_context; |
1572 | 1617 |
1573 switch (calg) { | 1618 switch (calg) { |
1574 case ssl_calg_null: | 1619 case ssl_calg_null: |
1575 pwSpec->encode = Null_Cipher; | 1620 pwSpec->encode = Null_Cipher; |
1576 pwSpec->decode = Null_Cipher; | 1621 pwSpec->decode = Null_Cipher; |
1577 pwSpec->destroy = NULL; | 1622 pwSpec->destroy = NULL; |
1578 goto success; | 1623 goto success; |
(...skipping 135 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1714 case CKM_RC2_MAC: | 1759 case CKM_RC2_MAC: |
1715 case CKM_RC2_MAC_GENERAL: | 1760 case CKM_RC2_MAC_GENERAL: |
1716 case CKM_RC2_CBC_PAD: | 1761 case CKM_RC2_CBC_PAD: |
1717 *(CK_RC2_PARAMS *)param->data = ulEffectiveBits; | 1762 *(CK_RC2_PARAMS *)param->data = ulEffectiveBits; |
1718 default: break; | 1763 default: break; |
1719 } | 1764 } |
1720 } | 1765 } |
1721 return param; | 1766 return param; |
1722 } | 1767 } |
1723 | 1768 |
| 1769 /* ssl3_BuildRecordPseudoHeader writes the TLS pseudo-header (the data which |
| 1770 * is included in the MAC) to |out| and returns its length. */ |
| 1771 static unsigned int |
| 1772 ssl3_BuildRecordPseudoHeader(unsigned char *out, |
| 1773 SSL3SequenceNumber seq_num, |
| 1774 SSL3ContentType type, |
| 1775 PRBool includesVersion, |
| 1776 SSL3ProtocolVersion version, |
| 1777 PRBool isDTLS, |
| 1778 int length) |
| 1779 { |
| 1780 out[0] = (unsigned char)(seq_num.high >> 24); |
| 1781 out[1] = (unsigned char)(seq_num.high >> 16); |
| 1782 out[2] = (unsigned char)(seq_num.high >> 8); |
| 1783 out[3] = (unsigned char)(seq_num.high >> 0); |
| 1784 out[4] = (unsigned char)(seq_num.low >> 24); |
| 1785 out[5] = (unsigned char)(seq_num.low >> 16); |
| 1786 out[6] = (unsigned char)(seq_num.low >> 8); |
| 1787 out[7] = (unsigned char)(seq_num.low >> 0); |
| 1788 out[8] = type; |
| 1789 |
| 1790 /* SSL3 MAC doesn't include the record's version field. */ |
| 1791 if (!includesVersion) { |
| 1792 out[9] = MSB(length); |
| 1793 out[10] = LSB(length); |
| 1794 return 11; |
| 1795 } |
| 1796 |
| 1797 /* TLS MAC and AEAD additional data include version. */ |
| 1798 if (isDTLS) { |
| 1799 SSL3ProtocolVersion dtls_version; |
| 1800 |
| 1801 dtls_version = dtls_TLSVersionToDTLSVersion(version); |
| 1802 out[9] = MSB(dtls_version); |
| 1803 out[10] = LSB(dtls_version); |
| 1804 } else { |
| 1805 out[9] = MSB(version); |
| 1806 out[10] = LSB(version); |
| 1807 } |
| 1808 out[11] = MSB(length); |
| 1809 out[12] = LSB(length); |
| 1810 return 13; |
| 1811 } |
| 1812 |
| 1813 typedef SECStatus (*PK11CryptFcn)( |
| 1814 PK11SymKey *symKey, CK_MECHANISM_TYPE mechanism, SECItem *param, |
| 1815 unsigned char *out, unsigned int *outLen, unsigned int maxLen, |
| 1816 const unsigned char *in, unsigned int inLen); |
| 1817 |
| 1818 static PK11CryptFcn pk11_encrypt = NULL; |
| 1819 static PK11CryptFcn pk11_decrypt = NULL; |
| 1820 |
| 1821 static PRCallOnceType resolvePK11CryptOnce; |
| 1822 |
| 1823 static PRStatus |
| 1824 ssl3_ResolvePK11CryptFunctions(void) |
| 1825 { |
| 1826 #ifdef LINUX |
| 1827 /* On Linux we use the system NSS libraries. Look up the PK11_Encrypt and |
| 1828 * PK11_Decrypt functions at run time. */ |
| 1829 void *handle = dlopen(NULL, RTLD_LAZY); |
| 1830 if (!handle) { |
| 1831 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
| 1832 return PR_FAILURE; |
| 1833 } |
| 1834 pk11_encrypt = (PK11CryptFcn)dlsym(handle, "PK11_Encrypt"); |
| 1835 pk11_decrypt = (PK11CryptFcn)dlsym(handle, "PK11_Decrypt"); |
| 1836 dlclose(handle); |
| 1837 return PR_SUCCESS; |
| 1838 #else |
| 1839 /* On other platforms we use our own copy of NSS. PK11_Encrypt and |
| 1840 * PK11_Decrypt are known to be available. */ |
| 1841 pk11_encrypt = PK11_Encrypt; |
| 1842 pk11_decrypt = PK11_Decrypt; |
| 1843 return PR_SUCCESS; |
| 1844 #endif |
| 1845 } |
| 1846 |
| 1847 /* |
| 1848 * In NSS 3.15, PK11_Encrypt and PK11_Decrypt were added to provide access |
| 1849 * to the AES GCM implementation in the NSS softoken. So the presence of |
| 1850 * these two functions implies the NSS version supports AES GCM. |
| 1851 */ |
| 1852 static PRBool |
| 1853 ssl3_HasGCMSupport(void) |
| 1854 { |
| 1855 (void)PR_CallOnce(&resolvePK11CryptOnce, ssl3_ResolvePK11CryptFunctions); |
| 1856 return pk11_encrypt != NULL; |
| 1857 } |
| 1858 |
| 1859 /* On this socket, disable the GCM cipher suites */ |
| 1860 SECStatus |
| 1861 ssl3_DisableGCMSuites(sslSocket * ss) |
| 1862 { |
| 1863 unsigned int i; |
| 1864 |
| 1865 for (i = 0; i < PR_ARRAY_SIZE(cipher_suite_defs); i++) { |
| 1866 const ssl3CipherSuiteDef *cipher_def = &cipher_suite_defs[i]; |
| 1867 if (cipher_def->bulk_cipher_alg == cipher_aes_128_gcm) { |
| 1868 SECStatus rv = ssl3_CipherPrefSet(ss, cipher_def->cipher_suite, |
| 1869 PR_FALSE); |
| 1870 PORT_Assert(rv == SECSuccess); /* else is coding error */ |
| 1871 } |
| 1872 } |
| 1873 return SECSuccess; |
| 1874 } |
| 1875 |
| 1876 static SECStatus |
| 1877 ssl3_AESGCM(ssl3KeyMaterial *keys, |
| 1878 PRBool doDecrypt, |
| 1879 unsigned char *out, |
| 1880 int *outlen, |
| 1881 int maxout, |
| 1882 const unsigned char *in, |
| 1883 int inlen, |
| 1884 SSL3ContentType type, |
| 1885 SSL3ProtocolVersion version, |
| 1886 SSL3SequenceNumber seq_num) |
| 1887 { |
| 1888 SECItem param; |
| 1889 SECStatus rv = SECFailure; |
| 1890 unsigned char nonce[12]; |
| 1891 unsigned char additionalData[13]; |
| 1892 unsigned int additionalDataLen; |
| 1893 unsigned int uOutLen; |
| 1894 CK_GCM_PARAMS gcmParams; |
| 1895 |
| 1896 static const int tagSize = 16; |
| 1897 static const int explicitNonceLen = 8; |
| 1898 |
| 1899 /* See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the |
| 1900 * definition of the AEAD additional data. */ |
| 1901 additionalDataLen = ssl3_BuildRecordPseudoHeader( |
| 1902 additionalData, seq_num, type, PR_TRUE /* includes version */, |
| 1903 version, PR_FALSE /* not DTLS */, |
| 1904 inlen - (doDecrypt ? explicitNonceLen + tagSize : 0)); |
| 1905 PORT_Assert(additionalDataLen <= sizeof(additionalData)); |
| 1906 |
| 1907 /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the |
| 1908 * nonce is formed. */ |
| 1909 memcpy(nonce, keys->write_iv, 4); |
| 1910 if (doDecrypt) { |
| 1911 memcpy(nonce + 4, in, explicitNonceLen); |
| 1912 in += explicitNonceLen; |
| 1913 inlen -= explicitNonceLen; |
| 1914 *outlen = 0; |
| 1915 } else { |
| 1916 if (maxout < explicitNonceLen) { |
| 1917 PORT_SetError(SEC_ERROR_INPUT_LEN); |
| 1918 return SECFailure; |
| 1919 } |
| 1920 /* Use the 64-bit sequence number as the explicit nonce. */ |
| 1921 memcpy(nonce + 4, additionalData, explicitNonceLen); |
| 1922 memcpy(out, additionalData, explicitNonceLen); |
| 1923 out += explicitNonceLen; |
| 1924 maxout -= explicitNonceLen; |
| 1925 *outlen = explicitNonceLen; |
| 1926 } |
| 1927 |
| 1928 param.type = siBuffer; |
| 1929 param.data = (unsigned char *) &gcmParams; |
| 1930 param.len = sizeof(gcmParams); |
| 1931 gcmParams.pIv = nonce; |
| 1932 gcmParams.ulIvLen = sizeof(nonce); |
| 1933 gcmParams.pAAD = additionalData; |
| 1934 gcmParams.ulAADLen = additionalDataLen; |
| 1935 gcmParams.ulTagBits = tagSize * 8; |
| 1936 |
| 1937 if (doDecrypt) { |
| 1938 rv = pk11_decrypt(keys->write_key, CKM_AES_GCM, ¶m, out, &uOutLen, |
| 1939 maxout, in, inlen); |
| 1940 } else { |
| 1941 rv = pk11_encrypt(keys->write_key, CKM_AES_GCM, ¶m, out, &uOutLen, |
| 1942 maxout, in, inlen); |
| 1943 } |
| 1944 *outlen += (int) uOutLen; |
| 1945 |
| 1946 return rv; |
| 1947 } |
| 1948 |
| 1949 #ifndef NO_PKCS11_BYPASS |
| 1950 static SECStatus |
| 1951 ssl3_AESGCMBypass(ssl3KeyMaterial *keys, |
| 1952 PRBool doDecrypt, |
| 1953 unsigned char *out, |
| 1954 int *outlen, |
| 1955 int maxout, |
| 1956 const unsigned char *in, |
| 1957 int inlen, |
| 1958 SSL3ContentType type, |
| 1959 SSL3ProtocolVersion version, |
| 1960 SSL3SequenceNumber seq_num) |
| 1961 { |
| 1962 SECStatus rv = SECFailure; |
| 1963 unsigned char nonce[12]; |
| 1964 unsigned char additionalData[13]; |
| 1965 unsigned int additionalDataLen; |
| 1966 unsigned int uOutLen; |
| 1967 AESContext *cx; |
| 1968 CK_GCM_PARAMS gcmParams; |
| 1969 |
| 1970 static const int tagSize = 16; |
| 1971 static const int explicitNonceLen = 8; |
| 1972 |
| 1973 /* See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the |
| 1974 * definition of the AEAD additional data. */ |
| 1975 additionalDataLen = ssl3_BuildRecordPseudoHeader( |
| 1976 additionalData, seq_num, type, PR_TRUE /* includes version */, |
| 1977 version, PR_FALSE /* not DTLS */, |
| 1978 inlen - (doDecrypt ? explicitNonceLen + tagSize : 0)); |
| 1979 PORT_Assert(additionalDataLen <= sizeof(additionalData)); |
| 1980 |
| 1981 /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the |
| 1982 * nonce is formed. */ |
| 1983 PORT_Assert(keys->write_iv_item.len == 4); |
| 1984 if (keys->write_iv_item.len != 4) { |
| 1985 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
| 1986 return SECFailure; |
| 1987 } |
| 1988 memcpy(nonce, keys->write_iv_item.data, 4); |
| 1989 if (doDecrypt) { |
| 1990 memcpy(nonce + 4, in, explicitNonceLen); |
| 1991 in += explicitNonceLen; |
| 1992 inlen -= explicitNonceLen; |
| 1993 *outlen = 0; |
| 1994 } else { |
| 1995 if (maxout < explicitNonceLen) { |
| 1996 PORT_SetError(SEC_ERROR_INPUT_LEN); |
| 1997 return SECFailure; |
| 1998 } |
| 1999 /* Use the 64-bit sequence number as the explicit nonce. */ |
| 2000 memcpy(nonce + 4, additionalData, explicitNonceLen); |
| 2001 memcpy(out, additionalData, explicitNonceLen); |
| 2002 out += explicitNonceLen; |
| 2003 maxout -= explicitNonceLen; |
| 2004 *outlen = explicitNonceLen; |
| 2005 } |
| 2006 |
| 2007 gcmParams.pIv = nonce; |
| 2008 gcmParams.ulIvLen = sizeof(nonce); |
| 2009 gcmParams.pAAD = additionalData; |
| 2010 gcmParams.ulAADLen = additionalDataLen; |
| 2011 gcmParams.ulTagBits = tagSize * 8; |
| 2012 |
| 2013 cx = (AESContext *)keys->cipher_context; |
| 2014 rv = AES_InitContext(cx, keys->write_key_item.data, |
| 2015 keys->write_key_item.len, |
| 2016 (unsigned char *)&gcmParams, NSS_AES_GCM, !doDecrypt, |
| 2017 AES_BLOCK_SIZE); |
| 2018 if (rv != SECSuccess) { |
| 2019 return rv; |
| 2020 } |
| 2021 if (doDecrypt) { |
| 2022 rv = AES_Decrypt(cx, out, &uOutLen, maxout, in, inlen); |
| 2023 } else { |
| 2024 rv = AES_Encrypt(cx, out, &uOutLen, maxout, in, inlen); |
| 2025 } |
| 2026 AES_DestroyContext(cx, PR_FALSE); |
| 2027 *outlen += (int) uOutLen; |
| 2028 |
| 2029 return rv; |
| 2030 } |
| 2031 #endif |
| 2032 |
1724 /* Initialize encryption and MAC contexts for pending spec. | 2033 /* Initialize encryption and MAC contexts for pending spec. |
1725 * Master Secret already is derived. | 2034 * Master Secret already is derived. |
1726 * Caller holds Spec write lock. | 2035 * Caller holds Spec write lock. |
1727 */ | 2036 */ |
1728 static SECStatus | 2037 static SECStatus |
1729 ssl3_InitPendingContextsPKCS11(sslSocket *ss) | 2038 ssl3_InitPendingContextsPKCS11(sslSocket *ss) |
1730 { | 2039 { |
1731 ssl3CipherSpec * pwSpec; | 2040 ssl3CipherSpec * pwSpec; |
1732 const ssl3BulkCipherDef *cipher_def; | 2041 const ssl3BulkCipherDef *cipher_def; |
1733 PK11Context * serverContext = NULL; | 2042 PK11Context * serverContext = NULL; |
1734 PK11Context * clientContext = NULL; | 2043 PK11Context * clientContext = NULL; |
1735 SECItem * param; | 2044 SECItem * param; |
1736 CK_MECHANISM_TYPE mechanism; | 2045 CK_MECHANISM_TYPE mechanism; |
1737 CK_MECHANISM_TYPE mac_mech; | 2046 CK_MECHANISM_TYPE mac_mech; |
1738 CK_ULONG macLength; | 2047 CK_ULONG macLength; |
1739 CK_ULONG effKeyBits; | 2048 CK_ULONG effKeyBits; |
1740 SECItem iv; | 2049 SECItem iv; |
1741 SECItem mac_param; | 2050 SECItem mac_param; |
1742 SSLCipherAlgorithm calg; | 2051 SSLCipherAlgorithm calg; |
1743 | 2052 |
1744 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 2053 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
1745 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); | 2054 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); |
1746 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); | 2055 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); |
1747 | 2056 |
1748 pwSpec = ss->ssl3.pwSpec; | 2057 pwSpec = ss->ssl3.pwSpec; |
1749 cipher_def = pwSpec->cipher_def; | 2058 cipher_def = pwSpec->cipher_def; |
1750 macLength = pwSpec->mac_size; | 2059 macLength = pwSpec->mac_size; |
| 2060 calg = cipher_def->calg; |
| 2061 PORT_Assert(alg2Mech[calg].calg == calg); |
| 2062 |
| 2063 pwSpec->client.write_mac_context = NULL; |
| 2064 pwSpec->server.write_mac_context = NULL; |
| 2065 |
| 2066 if (calg == calg_aes_gcm) { |
| 2067 pwSpec->encode = NULL; |
| 2068 pwSpec->decode = NULL; |
| 2069 pwSpec->destroy = NULL; |
| 2070 pwSpec->encodeContext = NULL; |
| 2071 pwSpec->decodeContext = NULL; |
| 2072 pwSpec->aead = ssl3_AESGCM; |
| 2073 return SECSuccess; |
| 2074 } |
1751 | 2075 |
1752 /* | 2076 /* |
1753 ** Now setup the MAC contexts, | 2077 ** Now setup the MAC contexts, |
1754 ** crypto contexts are setup below. | 2078 ** crypto contexts are setup below. |
1755 */ | 2079 */ |
1756 | 2080 |
1757 pwSpec->client.write_mac_context = NULL; | |
1758 pwSpec->server.write_mac_context = NULL; | |
1759 mac_mech = pwSpec->mac_def->mmech; | 2081 mac_mech = pwSpec->mac_def->mmech; |
1760 mac_param.data = (unsigned char *)&macLength; | 2082 mac_param.data = (unsigned char *)&macLength; |
1761 mac_param.len = sizeof(macLength); | 2083 mac_param.len = sizeof(macLength); |
1762 mac_param.type = 0; | 2084 mac_param.type = 0; |
1763 | 2085 |
1764 pwSpec->client.write_mac_context = PK11_CreateContextBySymKey( | 2086 pwSpec->client.write_mac_context = PK11_CreateContextBySymKey( |
1765 mac_mech, CKA_SIGN, pwSpec->client.write_mac_key, &mac_param); | 2087 mac_mech, CKA_SIGN, pwSpec->client.write_mac_key, &mac_param); |
1766 if (pwSpec->client.write_mac_context == NULL) { | 2088 if (pwSpec->client.write_mac_context == NULL) { |
1767 ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE); | 2089 ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE); |
1768 goto fail; | 2090 goto fail; |
1769 } | 2091 } |
1770 pwSpec->server.write_mac_context = PK11_CreateContextBySymKey( | 2092 pwSpec->server.write_mac_context = PK11_CreateContextBySymKey( |
1771 mac_mech, CKA_SIGN, pwSpec->server.write_mac_key, &mac_param); | 2093 mac_mech, CKA_SIGN, pwSpec->server.write_mac_key, &mac_param); |
1772 if (pwSpec->server.write_mac_context == NULL) { | 2094 if (pwSpec->server.write_mac_context == NULL) { |
1773 ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE); | 2095 ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE); |
1774 goto fail; | 2096 goto fail; |
1775 } | 2097 } |
1776 | 2098 |
1777 /* | 2099 /* |
1778 ** Now setup the crypto contexts. | 2100 ** Now setup the crypto contexts. |
1779 */ | 2101 */ |
1780 | 2102 |
1781 calg = cipher_def->calg; | |
1782 PORT_Assert(alg2Mech[calg].calg == calg); | |
1783 | |
1784 if (calg == calg_null) { | 2103 if (calg == calg_null) { |
1785 pwSpec->encode = Null_Cipher; | 2104 pwSpec->encode = Null_Cipher; |
1786 pwSpec->decode = Null_Cipher; | 2105 pwSpec->decode = Null_Cipher; |
1787 pwSpec->destroy = NULL; | 2106 pwSpec->destroy = NULL; |
1788 return SECSuccess; | 2107 return SECSuccess; |
1789 } | 2108 } |
1790 mechanism = alg2Mech[calg].cmech; | 2109 mechanism = alg2Mech[calg].cmech; |
1791 effKeyBits = cipher_def->key_size * BPB; | 2110 effKeyBits = cipher_def->key_size * BPB; |
1792 | 2111 |
1793 /* | 2112 /* |
(...skipping 198 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1992 SSL3ContentType type, | 2311 SSL3ContentType type, |
1993 SSL3ProtocolVersion version, | 2312 SSL3ProtocolVersion version, |
1994 SSL3SequenceNumber seq_num, | 2313 SSL3SequenceNumber seq_num, |
1995 const SSL3Opaque * input, | 2314 const SSL3Opaque * input, |
1996 int inputLength, | 2315 int inputLength, |
1997 unsigned char * outbuf, | 2316 unsigned char * outbuf, |
1998 unsigned int * outLength) | 2317 unsigned int * outLength) |
1999 { | 2318 { |
2000 const ssl3MACDef * mac_def; | 2319 const ssl3MACDef * mac_def; |
2001 SECStatus rv; | 2320 SECStatus rv; |
2002 #ifndef NO_PKCS11_BYPASS | |
2003 PRBool isTLS; | 2321 PRBool isTLS; |
2004 #endif | |
2005 unsigned int tempLen; | 2322 unsigned int tempLen; |
2006 unsigned char temp[MAX_MAC_LENGTH]; | 2323 unsigned char temp[MAX_MAC_LENGTH]; |
2007 | 2324 |
2008 temp[0] = (unsigned char)(seq_num.high >> 24); | |
2009 temp[1] = (unsigned char)(seq_num.high >> 16); | |
2010 temp[2] = (unsigned char)(seq_num.high >> 8); | |
2011 temp[3] = (unsigned char)(seq_num.high >> 0); | |
2012 temp[4] = (unsigned char)(seq_num.low >> 24); | |
2013 temp[5] = (unsigned char)(seq_num.low >> 16); | |
2014 temp[6] = (unsigned char)(seq_num.low >> 8); | |
2015 temp[7] = (unsigned char)(seq_num.low >> 0); | |
2016 temp[8] = type; | |
2017 | |
2018 /* TLS MAC includes the record's version field, SSL's doesn't. | 2325 /* TLS MAC includes the record's version field, SSL's doesn't. |
2019 ** We decide which MAC defintiion to use based on the version of | 2326 ** We decide which MAC defintiion to use based on the version of |
2020 ** the protocol that was negotiated when the spec became current, | 2327 ** the protocol that was negotiated when the spec became current, |
2021 ** NOT based on the version value in the record itself. | 2328 ** NOT based on the version value in the record itself. |
2022 ** But, we use the record'v version value in the computation. | 2329 ** But, we use the record's version value in the computation. |
2023 */ | 2330 */ |
2024 if (spec->version <= SSL_LIBRARY_VERSION_3_0) { | 2331 isTLS = spec->version > SSL_LIBRARY_VERSION_3_0; |
2025 » temp[9] = MSB(inputLength); | 2332 tempLen = ssl3_BuildRecordPseudoHeader(temp, seq_num, type, isTLS, |
2026 » temp[10] = LSB(inputLength); | 2333 » » » » » version, isDTLS, inputLength); |
2027 » tempLen = 11; | 2334 PORT_Assert(tempLen <= sizeof(temp)); |
2028 #ifndef NO_PKCS11_BYPASS | |
2029 » isTLS = PR_FALSE; | |
2030 #endif | |
2031 } else { | |
2032 » /* New TLS hash includes version. */ | |
2033 » if (isDTLS) { | |
2034 » SSL3ProtocolVersion dtls_version; | |
2035 | |
2036 » dtls_version = dtls_TLSVersionToDTLSVersion(version); | |
2037 » temp[9] = MSB(dtls_version); | |
2038 » temp[10] = LSB(dtls_version); | |
2039 } else { | |
2040 » temp[9] = MSB(version); | |
2041 » temp[10] = LSB(version); | |
2042 } | |
2043 » temp[11] = MSB(inputLength); | |
2044 » temp[12] = LSB(inputLength); | |
2045 » tempLen = 13; | |
2046 #ifndef NO_PKCS11_BYPASS | |
2047 » isTLS = PR_TRUE; | |
2048 #endif | |
2049 } | |
2050 | 2335 |
2051 PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen)); | 2336 PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen)); |
2052 PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength)); | 2337 PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength)); |
2053 | 2338 |
2054 mac_def = spec->mac_def; | 2339 mac_def = spec->mac_def; |
2055 if (mac_def->mac == mac_null) { | 2340 if (mac_def->mac == mac_null) { |
2056 *outLength = 0; | 2341 *outLength = 0; |
2057 return SECSuccess; | 2342 return SECSuccess; |
2058 } | 2343 } |
2059 #ifndef NO_PKCS11_BYPASS | 2344 #ifndef NO_PKCS11_BYPASS |
(...skipping 323 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2383 rv = cwSpec->compressor( | 2668 rv = cwSpec->compressor( |
2384 cwSpec->compressContext, | 2669 cwSpec->compressContext, |
2385 wrBuf->buf + headerLen + ivLen, &outlen, | 2670 wrBuf->buf + headerLen + ivLen, &outlen, |
2386 wrBuf->space - headerLen - ivLen, pIn, contentLen); | 2671 wrBuf->space - headerLen - ivLen, pIn, contentLen); |
2387 if (rv != SECSuccess) | 2672 if (rv != SECSuccess) |
2388 return rv; | 2673 return rv; |
2389 pIn = wrBuf->buf + headerLen + ivLen; | 2674 pIn = wrBuf->buf + headerLen + ivLen; |
2390 contentLen = outlen; | 2675 contentLen = outlen; |
2391 } | 2676 } |
2392 | 2677 |
2393 /* | 2678 if (cipher_def->type == type_aead) { |
2394 * Add the MAC | 2679 » const int nonceLen = cipher_def->explicit_nonce_size; |
2395 */ | 2680 » const int tagLen = cipher_def->tag_size; |
2396 rv = ssl3_ComputeRecordMAC( cwSpec, isServer, isDTLS, | |
2397 » type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen, | |
2398 » wrBuf->buf + headerLen + ivLen + contentLen, &macLen); | |
2399 if (rv != SECSuccess) { | |
2400 » ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); | |
2401 » return SECFailure; | |
2402 } | |
2403 p1Len = contentLen; | |
2404 p2Len = macLen; | |
2405 fragLen = contentLen + macLen;» /* needs to be encrypted */ | |
2406 PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024); | |
2407 | 2681 |
2408 /* | 2682 » if (headerLen + nonceLen + contentLen + tagLen > wrBuf->space) { |
2409 * Pad the text (if we're doing a block cipher) | 2683 » PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
2410 * then Encrypt it | 2684 » return SECFailure; |
2411 */ | 2685 » } |
2412 if (cipher_def->type == type_block) { | |
2413 » unsigned char * pBuf; | |
2414 » int padding_length; | |
2415 » int i; | |
2416 | 2686 |
2417 » oddLen = contentLen % cipher_def->block_size; | 2687 » cipherBytes = contentLen; |
2418 » /* Assume blockSize is a power of two */ | 2688 » rv = cwSpec->aead( |
2419 » padding_length = cipher_def->block_size - 1 - | 2689 » » isServer ? &cwSpec->server : &cwSpec->client, |
2420 » » » ((fragLen) & (cipher_def->block_size - 1)); | 2690 » » PR_FALSE, /* do encrypt */ |
2421 » fragLen += padding_length + 1; | 2691 » » wrBuf->buf + headerLen, /* output */ |
2422 » PORT_Assert((fragLen % cipher_def->block_size) == 0); | 2692 » » &cipherBytes, /* out len */ |
2423 | 2693 » » wrBuf->space - headerLen, /* max out */ |
2424 » /* Pad according to TLS rules (also acceptable to SSL3). */ | 2694 » » pIn, contentLen, /* input */ |
2425 » pBuf = &wrBuf->buf[headerLen + ivLen + fragLen - 1]; | 2695 » » type, cwSpec->version, cwSpec->write_seq_num); |
2426 » for (i = padding_length + 1; i > 0; --i) { | 2696 » if (rv != SECSuccess) { |
2427 » *pBuf-- = padding_length; | |
2428 » } | |
2429 » /* now, if contentLen is not a multiple of block size, fix it */ | |
2430 » p2Len = fragLen - p1Len; | |
2431 } | |
2432 if (p1Len < 256) { | |
2433 » oddLen = p1Len; | |
2434 » p1Len = 0; | |
2435 } else { | |
2436 » p1Len -= oddLen; | |
2437 } | |
2438 if (oddLen) { | |
2439 » p2Len += oddLen; | |
2440 » PORT_Assert( (cipher_def->block_size < 2) || \ | |
2441 » » (p2Len % cipher_def->block_size) == 0); | |
2442 » memmove(wrBuf->buf + headerLen + ivLen + p1Len, pIn + p1Len, oddLen); | |
2443 } | |
2444 if (p1Len > 0) { | |
2445 » int cipherBytesPart1 = -1; | |
2446 » rv = cwSpec->encode( cwSpec->encodeContext, | |
2447 » wrBuf->buf + headerLen + ivLen, /* output */ | |
2448 » &cipherBytesPart1, /* actual outlen */ | |
2449 » p1Len, /* max outlen */ | |
2450 » pIn, p1Len); /* input, and inputlen */ | |
2451 » PORT_Assert(rv == SECSuccess && cipherBytesPart1 == (int) p1Len); | |
2452 » if (rv != SECSuccess || cipherBytesPart1 != (int) p1Len) { | |
2453 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); | 2697 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); |
2454 return SECFailure; | 2698 return SECFailure; |
2455 } | 2699 } |
2456 » cipherBytes += cipherBytesPart1; | 2700 } else { |
2457 } | 2701 » /* |
2458 if (p2Len > 0) { | 2702 » * Add the MAC |
2459 » int cipherBytesPart2 = -1; | 2703 » */ |
2460 » rv = cwSpec->encode( cwSpec->encodeContext, | 2704 » rv = ssl3_ComputeRecordMAC( cwSpec, isServer, isDTLS, |
2461 » wrBuf->buf + headerLen + ivLen + p1Len, | 2705 » type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen, |
2462 » &cipherBytesPart2, /* output and actual outLen */ | 2706 » wrBuf->buf + headerLen + ivLen + contentLen, &macLen); |
2463 » p2Len, /* max outlen */ | 2707 » if (rv != SECSuccess) { |
2464 » wrBuf->buf + headerLen + ivLen + p1Len, | 2708 » ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); |
2465 » p2Len); /* input and inputLen*/ | |
2466 » PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len); | |
2467 » if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) { | |
2468 » PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); | |
2469 return SECFailure; | 2709 return SECFailure; |
2470 } | 2710 } |
2471 » cipherBytes += cipherBytesPart2; | 2711 » p1Len = contentLen; |
2472 }» | 2712 » p2Len = macLen; |
| 2713 » fragLen = contentLen + macLen;» /* needs to be encrypted */ |
| 2714 » PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024); |
| 2715 |
| 2716 » /* |
| 2717 » * Pad the text (if we're doing a block cipher) |
| 2718 » * then Encrypt it |
| 2719 » */ |
| 2720 » if (cipher_def->type == type_block) { |
| 2721 » unsigned char * pBuf; |
| 2722 » int padding_length; |
| 2723 » int i; |
| 2724 |
| 2725 » oddLen = contentLen % cipher_def->block_size; |
| 2726 » /* Assume blockSize is a power of two */ |
| 2727 » padding_length = cipher_def->block_size - 1 - |
| 2728 » » » ((fragLen) & (cipher_def->block_size - 1)); |
| 2729 » fragLen += padding_length + 1; |
| 2730 » PORT_Assert((fragLen % cipher_def->block_size) == 0); |
| 2731 |
| 2732 » /* Pad according to TLS rules (also acceptable to SSL3). */ |
| 2733 » pBuf = &wrBuf->buf[headerLen + ivLen + fragLen - 1]; |
| 2734 » for (i = padding_length + 1; i > 0; --i) { |
| 2735 » » *pBuf-- = padding_length; |
| 2736 » } |
| 2737 » /* now, if contentLen is not a multiple of block size, fix it */ |
| 2738 » p2Len = fragLen - p1Len; |
| 2739 » } |
| 2740 » if (p1Len < 256) { |
| 2741 » oddLen = p1Len; |
| 2742 » p1Len = 0; |
| 2743 » } else { |
| 2744 » p1Len -= oddLen; |
| 2745 » } |
| 2746 » if (oddLen) { |
| 2747 » p2Len += oddLen; |
| 2748 » PORT_Assert( (cipher_def->block_size < 2) || \ |
| 2749 » » » (p2Len % cipher_def->block_size) == 0); |
| 2750 » memmove(wrBuf->buf + headerLen + ivLen + p1Len, pIn + p1Len, |
| 2751 » » oddLen); |
| 2752 » } |
| 2753 » if (p1Len > 0) { |
| 2754 » int cipherBytesPart1 = -1; |
| 2755 » rv = cwSpec->encode( cwSpec->encodeContext, |
| 2756 » » wrBuf->buf + headerLen + ivLen, /* output */ |
| 2757 » » &cipherBytesPart1, /* actual outlen */ |
| 2758 » » p1Len, /* max outlen */ |
| 2759 » » pIn, p1Len); /* input, and inputlen */ |
| 2760 » PORT_Assert(rv == SECSuccess && cipherBytesPart1 == (int) p1Len); |
| 2761 » if (rv != SECSuccess || cipherBytesPart1 != (int) p1Len) { |
| 2762 » » PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); |
| 2763 » » return SECFailure; |
| 2764 » } |
| 2765 » cipherBytes += cipherBytesPart1; |
| 2766 » } |
| 2767 » if (p2Len > 0) { |
| 2768 » int cipherBytesPart2 = -1; |
| 2769 » rv = cwSpec->encode( cwSpec->encodeContext, |
| 2770 » » wrBuf->buf + headerLen + ivLen + p1Len, |
| 2771 » » &cipherBytesPart2, /* output and actual outLen */ |
| 2772 » » p2Len, /* max outlen */ |
| 2773 » » wrBuf->buf + headerLen + ivLen + p1Len, |
| 2774 » » p2Len); /* input and inputLen*/ |
| 2775 » PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len); |
| 2776 » if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) { |
| 2777 » » PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); |
| 2778 » » return SECFailure; |
| 2779 » } |
| 2780 » cipherBytes += cipherBytesPart2; |
| 2781 » } |
| 2782 } |
| 2783 |
2473 PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024); | 2784 PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024); |
2474 | 2785 |
2475 wrBuf->len = cipherBytes + headerLen; | 2786 wrBuf->len = cipherBytes + headerLen; |
2476 wrBuf->buf[0] = type; | 2787 wrBuf->buf[0] = type; |
2477 if (isDTLS) { | 2788 if (isDTLS) { |
2478 SSL3ProtocolVersion version; | 2789 SSL3ProtocolVersion version; |
2479 | 2790 |
2480 version = dtls_TLSVersionToDTLSVersion(cwSpec->version); | 2791 version = dtls_TLSVersionToDTLSVersion(cwSpec->version); |
2481 wrBuf->buf[1] = MSB(version); | 2792 wrBuf->buf[1] = MSB(version); |
2482 wrBuf->buf[2] = LSB(version); | 2793 wrBuf->buf[2] = LSB(version); |
(...skipping 522 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
3005 ssl_ReleaseSSL3HandshakeLock(ss); | 3316 ssl_ReleaseSSL3HandshakeLock(ss); |
3006 return rv; /* error set by ssl3_FlushHandshake or ssl3_SendRecord */ | 3317 return rv; /* error set by ssl3_FlushHandshake or ssl3_SendRecord */ |
3007 } | 3318 } |
3008 | 3319 |
3009 /* | 3320 /* |
3010 * Send illegal_parameter alert. Set generic error number. | 3321 * Send illegal_parameter alert. Set generic error number. |
3011 */ | 3322 */ |
3012 static SECStatus | 3323 static SECStatus |
3013 ssl3_IllegalParameter(sslSocket *ss) | 3324 ssl3_IllegalParameter(sslSocket *ss) |
3014 { | 3325 { |
3015 PRBool isTLS; | |
3016 | |
3017 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); | |
3018 (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter); | 3326 (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter); |
3019 PORT_SetError(ss->sec.isServer ? SSL_ERROR_BAD_CLIENT | 3327 PORT_SetError(ss->sec.isServer ? SSL_ERROR_BAD_CLIENT |
3020 : SSL_ERROR_BAD_SERVER ); | 3328 : SSL_ERROR_BAD_SERVER ); |
3021 return SECFailure; | 3329 return SECFailure; |
3022 } | 3330 } |
3023 | 3331 |
3024 /* | 3332 /* |
3025 * Send handshake_Failure alert. Set generic error number. | 3333 * Send handshake_Failure alert. Set generic error number. |
3026 */ | 3334 */ |
3027 static SECStatus | 3335 static SECStatus |
(...skipping 503 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
3531 key_material_params.ulIVSizeInBits = cipher_def->iv_size * BPB; | 3839 key_material_params.ulIVSizeInBits = cipher_def->iv_size * BPB; |
3532 if (cipher_def->type == type_block && | 3840 if (cipher_def->type == type_block && |
3533 pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { | 3841 pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { |
3534 /* Block ciphers in >= TLS 1.1 use a per-record, explicit IV. */ | 3842 /* Block ciphers in >= TLS 1.1 use a per-record, explicit IV. */ |
3535 key_material_params.ulIVSizeInBits = 0; | 3843 key_material_params.ulIVSizeInBits = 0; |
3536 memset(pwSpec->client.write_iv, 0, cipher_def->iv_size); | 3844 memset(pwSpec->client.write_iv, 0, cipher_def->iv_size); |
3537 memset(pwSpec->server.write_iv, 0, cipher_def->iv_size); | 3845 memset(pwSpec->server.write_iv, 0, cipher_def->iv_size); |
3538 } | 3846 } |
3539 | 3847 |
3540 key_material_params.bIsExport = (CK_BBOOL)(kea_def->is_limited); | 3848 key_material_params.bIsExport = (CK_BBOOL)(kea_def->is_limited); |
3541 /* was: (CK_BBOOL)(cipher_def->keygen_mode != kg_strong); */ | |
3542 | 3849 |
3543 key_material_params.RandomInfo.pClientRandom = cr; | 3850 key_material_params.RandomInfo.pClientRandom = cr; |
3544 key_material_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH; | 3851 key_material_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH; |
3545 key_material_params.RandomInfo.pServerRandom = sr; | 3852 key_material_params.RandomInfo.pServerRandom = sr; |
3546 key_material_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH; | 3853 key_material_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH; |
3547 key_material_params.pReturnedKeyMaterial = &returnedKeys; | 3854 key_material_params.pReturnedKeyMaterial = &returnedKeys; |
3548 | 3855 |
3549 returnedKeys.pIVClient = pwSpec->client.write_iv; | 3856 returnedKeys.pIVClient = pwSpec->client.write_iv; |
3550 returnedKeys.pIVServer = pwSpec->server.write_iv; | 3857 returnedKeys.pIVServer = pwSpec->server.write_iv; |
3551 keySize = cipher_def->key_size; | 3858 keySize = cipher_def->key_size; |
(...skipping 1271 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
4823 if (!total_exten_len || !isTLS) { | 5130 if (!total_exten_len || !isTLS) { |
4824 /* not sending the elliptic_curves and ec_point_formats extensions */ | 5131 /* not sending the elliptic_curves and ec_point_formats extensions */ |
4825 ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */ | 5132 ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */ |
4826 } | 5133 } |
4827 #endif | 5134 #endif |
4828 | 5135 |
4829 if (IS_DTLS(ss)) { | 5136 if (IS_DTLS(ss)) { |
4830 ssl3_DisableNonDTLSSuites(ss); | 5137 ssl3_DisableNonDTLSSuites(ss); |
4831 } | 5138 } |
4832 | 5139 |
| 5140 if (!ssl3_HasGCMSupport()) { |
| 5141 ssl3_DisableGCMSuites(ss); |
| 5142 } |
| 5143 |
4833 /* how many suites are permitted by policy and user preference? */ | 5144 /* how many suites are permitted by policy and user preference? */ |
4834 num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE); | 5145 num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE); |
4835 if (!num_suites) | 5146 if (!num_suites) |
4836 return SECFailure; /* count_cipher_suites has set error code. */ | 5147 return SECFailure; /* count_cipher_suites has set error code. */ |
4837 if (ss->ssl3.hs.sendingSCSV) { | 5148 if (ss->ssl3.hs.sendingSCSV) { |
4838 ++num_suites; /* make room for SCSV */ | 5149 ++num_suites; /* make room for SCSV */ |
4839 } | 5150 } |
4840 | 5151 |
4841 /* count compression methods */ | 5152 /* count compression methods */ |
4842 numCompressionMethods = 0; | 5153 numCompressionMethods = 0; |
(...skipping 2685 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
7528 | 7839 |
7529 #ifdef NSS_ENABLE_ECC | 7840 #ifdef NSS_ENABLE_ECC |
7530 /* Disable any ECC cipher suites for which we have no cert. */ | 7841 /* Disable any ECC cipher suites for which we have no cert. */ |
7531 ssl3_FilterECCipherSuitesByServerCerts(ss); | 7842 ssl3_FilterECCipherSuitesByServerCerts(ss); |
7532 #endif | 7843 #endif |
7533 | 7844 |
7534 if (IS_DTLS(ss)) { | 7845 if (IS_DTLS(ss)) { |
7535 ssl3_DisableNonDTLSSuites(ss); | 7846 ssl3_DisableNonDTLSSuites(ss); |
7536 } | 7847 } |
7537 | 7848 |
| 7849 if (!ssl3_HasGCMSupport()) { |
| 7850 ssl3_DisableGCMSuites(ss); |
| 7851 } |
| 7852 |
7538 #ifdef PARANOID | 7853 #ifdef PARANOID |
7539 /* Look for a matching cipher suite. */ | 7854 /* Look for a matching cipher suite. */ |
7540 j = ssl3_config_match_init(ss); | 7855 j = ssl3_config_match_init(ss); |
7541 if (j <= 0) { /* no ciphers are working/supported by PK11 */ | 7856 if (j <= 0) { /* no ciphers are working/supported by PK11 */ |
7542 errCode = PORT_GetError(); /* error code is already set. */ | 7857 errCode = PORT_GetError(); /* error code is already set. */ |
7543 goto alert_loser; | 7858 goto alert_loser; |
7544 } | 7859 } |
7545 #endif | 7860 #endif |
7546 | 7861 |
7547 /* If we already have a session for this client, be sure to pick the | 7862 /* If we already have a session for this client, be sure to pick the |
(...skipping 2391 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
9939 return rv; | 10254 return rv; |
9940 } | 10255 } |
9941 | 10256 |
9942 /* called from ssl3_SendFinished | 10257 /* called from ssl3_SendFinished |
9943 * | 10258 * |
9944 * This function is simply a debugging aid and therefore does not return a | 10259 * This function is simply a debugging aid and therefore does not return a |
9945 * SECStatus. */ | 10260 * SECStatus. */ |
9946 static void | 10261 static void |
9947 ssl3_RecordKeyLog(sslSocket *ss) | 10262 ssl3_RecordKeyLog(sslSocket *ss) |
9948 { | 10263 { |
9949 sslSessionID *sid; | |
9950 SECStatus rv; | 10264 SECStatus rv; |
9951 SECItem *keyData; | 10265 SECItem *keyData; |
9952 char buf[14 /* "CLIENT_RANDOM " */ + | 10266 char buf[14 /* "CLIENT_RANDOM " */ + |
9953 SSL3_RANDOM_LENGTH*2 /* client_random */ + | 10267 SSL3_RANDOM_LENGTH*2 /* client_random */ + |
9954 1 /* " " */ + | 10268 1 /* " " */ + |
9955 48*2 /* master secret */ + | 10269 48*2 /* master secret */ + |
9956 1 /* new line */]; | 10270 1 /* new line */]; |
9957 unsigned int j; | 10271 unsigned int j; |
9958 | 10272 |
9959 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 10273 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
9960 | 10274 |
9961 sid = ss->sec.ci.sid; | |
9962 | |
9963 if (!ssl_keylog_iob) | 10275 if (!ssl_keylog_iob) |
9964 return; | 10276 return; |
9965 | 10277 |
9966 rv = PK11_ExtractKeyValue(ss->ssl3.cwSpec->master_secret); | 10278 rv = PK11_ExtractKeyValue(ss->ssl3.cwSpec->master_secret); |
9967 if (rv != SECSuccess) | 10279 if (rv != SECSuccess) |
9968 return; | 10280 return; |
9969 | 10281 |
9970 ssl_GetSpecReadLock(ss); | 10282 ssl_GetSpecReadLock(ss); |
9971 | 10283 |
9972 /* keyData does not need to be freed. */ | 10284 /* keyData does not need to be freed. */ |
(...skipping 1191 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
11164 | 11476 |
11165 good = ~0U; | 11477 good = ~0U; |
11166 minLength = crSpec->mac_size; | 11478 minLength = crSpec->mac_size; |
11167 if (cipher_def->type == type_block) { | 11479 if (cipher_def->type == type_block) { |
11168 /* CBC records have a padding length byte at the end. */ | 11480 /* CBC records have a padding length byte at the end. */ |
11169 minLength++; | 11481 minLength++; |
11170 if (crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { | 11482 if (crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { |
11171 /* With >= TLS 1.1, CBC records have an explicit IV. */ | 11483 /* With >= TLS 1.1, CBC records have an explicit IV. */ |
11172 minLength += cipher_def->iv_size; | 11484 minLength += cipher_def->iv_size; |
11173 } | 11485 } |
| 11486 } else if (cipher_def->type == type_aead) { |
| 11487 minLength = cipher_def->explicit_nonce_size + cipher_def->tag_size; |
11174 } | 11488 } |
11175 | 11489 |
11176 /* We can perform this test in variable time because the record's total | 11490 /* We can perform this test in variable time because the record's total |
11177 * length and the ciphersuite are both public knowledge. */ | 11491 * length and the ciphersuite are both public knowledge. */ |
11178 if (cText->buf->len < minLength) { | 11492 if (cText->buf->len < minLength) { |
11179 goto decrypt_loser; | 11493 » goto decrypt_loser; |
11180 } | 11494 } |
11181 | 11495 |
11182 if (cipher_def->type == type_block && | 11496 if (cipher_def->type == type_block && |
11183 crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { | 11497 crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { |
11184 /* Consume the per-record explicit IV. RFC 4346 Section 6.2.3.2 states | 11498 /* Consume the per-record explicit IV. RFC 4346 Section 6.2.3.2 states |
11185 * "The receiver decrypts the entire GenericBlockCipher structure and | 11499 * "The receiver decrypts the entire GenericBlockCipher structure and |
11186 * then discards the first cipher block corresponding to the IV | 11500 * then discards the first cipher block corresponding to the IV |
11187 * component." Instead, we decrypt the first cipher block and then | 11501 * component." Instead, we decrypt the first cipher block and then |
11188 * discard it before decrypting the rest. | 11502 * discard it before decrypting the rest. |
11189 */ | 11503 */ |
(...skipping 47 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
11237 | 11551 |
11238 isTLS = (PRBool)(crSpec->version > SSL_LIBRARY_VERSION_3_0); | 11552 isTLS = (PRBool)(crSpec->version > SSL_LIBRARY_VERSION_3_0); |
11239 | 11553 |
11240 if (isTLS && cText->buf->len - ivLen > (MAX_FRAGMENT_LENGTH + 2048)) { | 11554 if (isTLS && cText->buf->len - ivLen > (MAX_FRAGMENT_LENGTH + 2048)) { |
11241 ssl_ReleaseSpecReadLock(ss); | 11555 ssl_ReleaseSpecReadLock(ss); |
11242 SSL3_SendAlert(ss, alert_fatal, record_overflow); | 11556 SSL3_SendAlert(ss, alert_fatal, record_overflow); |
11243 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); | 11557 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); |
11244 return SECFailure; | 11558 return SECFailure; |
11245 } | 11559 } |
11246 | 11560 |
11247 if (cipher_def->type == type_block && | 11561 rType = cText->type; |
11248 » ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) { | 11562 if (cipher_def->type == type_aead) { |
11249 » goto decrypt_loser; | 11563 » rv = crSpec->aead( |
11250 } | 11564 » » ss->sec.isServer ? &crSpec->client : &crSpec->server, |
| 11565 » » PR_TRUE, /* do decrypt */ |
| 11566 » » plaintext->buf, /* out */ |
| 11567 » » (int*) &plaintext->len, /* outlen */ |
| 11568 » » plaintext->space, /* maxout */ |
| 11569 » » cText->buf->buf, /* in */ |
| 11570 » » cText->buf->len, /* inlen */ |
| 11571 » » rType, /* record type */ |
| 11572 » » cText->version, |
| 11573 » » IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num); |
| 11574 » if (rv != SECSuccess) { |
| 11575 » good = 0; |
| 11576 » } |
| 11577 } else { |
| 11578 » if (cipher_def->type == type_block && |
| 11579 » ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) { |
| 11580 » goto decrypt_loser; |
| 11581 » } |
11251 | 11582 |
11252 /* decrypt from cText buf to plaintext. */ | 11583 » /* decrypt from cText buf to plaintext. */ |
11253 rv = crSpec->decode( | 11584 » rv = crSpec->decode( |
11254 » crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len, | 11585 » crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len, |
11255 » plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen); | 11586 » plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen); |
11256 if (rv != SECSuccess) { | 11587 » if (rv != SECSuccess) { |
11257 » goto decrypt_loser; | 11588 » goto decrypt_loser; |
11258 } | 11589 » } |
11259 | 11590 |
11260 PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len)); | 11591 » PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len)); |
11261 | 11592 |
11262 originalLen = plaintext->len; | 11593 » originalLen = plaintext->len; |
11263 | 11594 |
11264 /* If it's a block cipher, check and strip the padding. */ | 11595 » /* If it's a block cipher, check and strip the padding. */ |
11265 if (cipher_def->type == type_block) { | 11596 » if (cipher_def->type == type_block) { |
11266 » const unsigned int blockSize = cipher_def->block_size; | 11597 » const unsigned int blockSize = cipher_def->block_size; |
11267 » const unsigned int macSize = crSpec->mac_size; | 11598 » const unsigned int macSize = crSpec->mac_size; |
11268 | 11599 |
11269 » if (crSpec->version <= SSL_LIBRARY_VERSION_3_0) { | 11600 » if (crSpec->version <= SSL_LIBRARY_VERSION_3_0) { |
11270 » good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding( | 11601 » » good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding( |
11271 » » » plaintext, blockSize, macSize)); | 11602 » » » plaintext, blockSize, macSize)); |
| 11603 » } else { |
| 11604 » » good &= SECStatusToMask(ssl_RemoveTLSCBCPadding( |
| 11605 » » » plaintext, macSize)); |
| 11606 » } |
| 11607 » } |
| 11608 |
| 11609 » /* compute the MAC */ |
| 11610 » if (cipher_def->type == type_block) { |
| 11611 » rv = ssl3_ComputeRecordMACConstantTime( |
| 11612 » » crSpec, (PRBool)(!ss->sec.isServer), |
| 11613 » » IS_DTLS(ss), rType, cText->version, |
| 11614 » » IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, |
| 11615 » » plaintext->buf, plaintext->len, originalLen, |
| 11616 » » hash, &hashBytes); |
| 11617 |
| 11618 » ssl_CBCExtractMAC(plaintext, originalLen, givenHashBuf, |
| 11619 » » » crSpec->mac_size); |
| 11620 » givenHash = givenHashBuf; |
| 11621 |
| 11622 » /* plaintext->len will always have enough space to remove the MAC |
| 11623 » * because in ssl_Remove{SSLv3|TLS}CBCPadding we only adjust |
| 11624 » * plaintext->len if the result has enough space for the MAC and we |
| 11625 » * tested the unadjusted size against minLength, above. */ |
| 11626 » plaintext->len -= crSpec->mac_size; |
11272 } else { | 11627 } else { |
11273 » good &= SECStatusToMask(ssl_RemoveTLSCBCPadding( | 11628 » /* This is safe because we checked the minLength above. */ |
11274 » » » plaintext, macSize)); | 11629 » plaintext->len -= crSpec->mac_size; |
| 11630 |
| 11631 » rv = ssl3_ComputeRecordMAC( |
| 11632 » » crSpec, (PRBool)(!ss->sec.isServer), |
| 11633 » » IS_DTLS(ss), rType, cText->version, |
| 11634 » » IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, |
| 11635 » » plaintext->buf, plaintext->len, |
| 11636 » » hash, &hashBytes); |
| 11637 |
| 11638 » /* We can read the MAC directly from the record because its location |
| 11639 » * is public when a stream cipher is used. */ |
| 11640 » givenHash = plaintext->buf + plaintext->len; |
| 11641 » } |
| 11642 |
| 11643 » good &= SECStatusToMask(rv); |
| 11644 |
| 11645 » if (hashBytes != (unsigned)crSpec->mac_size || |
| 11646 » NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) { |
| 11647 » /* We're allowed to leak whether or not the MAC check was correct */ |
| 11648 » good = 0; |
11275 } | 11649 } |
11276 } | 11650 } |
11277 | 11651 |
11278 /* compute the MAC */ | |
11279 rType = cText->type; | |
11280 if (cipher_def->type == type_block) { | |
11281 rv = ssl3_ComputeRecordMACConstantTime( | |
11282 crSpec, (PRBool)(!ss->sec.isServer), | |
11283 IS_DTLS(ss), rType, cText->version, | |
11284 IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, | |
11285 plaintext->buf, plaintext->len, originalLen, | |
11286 hash, &hashBytes); | |
11287 | |
11288 ssl_CBCExtractMAC(plaintext, originalLen, givenHashBuf, | |
11289 crSpec->mac_size); | |
11290 givenHash = givenHashBuf; | |
11291 | |
11292 /* plaintext->len will always have enough space to remove the MAC | |
11293 * because in ssl_Remove{SSLv3|TLS}CBCPadding we only adjust | |
11294 * plaintext->len if the result has enough space for the MAC and we | |
11295 * tested the unadjusted size against minLength, above. */ | |
11296 plaintext->len -= crSpec->mac_size; | |
11297 } else { | |
11298 /* This is safe because we checked the minLength above. */ | |
11299 plaintext->len -= crSpec->mac_size; | |
11300 | |
11301 rv = ssl3_ComputeRecordMAC( | |
11302 crSpec, (PRBool)(!ss->sec.isServer), | |
11303 IS_DTLS(ss), rType, cText->version, | |
11304 IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, | |
11305 plaintext->buf, plaintext->len, | |
11306 hash, &hashBytes); | |
11307 | |
11308 /* We can read the MAC directly from the record because its location is | |
11309 * public when a stream cipher is used. */ | |
11310 givenHash = plaintext->buf + plaintext->len; | |
11311 } | |
11312 | |
11313 good &= SECStatusToMask(rv); | |
11314 | |
11315 if (hashBytes != (unsigned)crSpec->mac_size || | |
11316 NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) { | |
11317 /* We're allowed to leak whether or not the MAC check was correct */ | |
11318 good = 0; | |
11319 } | |
11320 | |
11321 if (good == 0) { | 11652 if (good == 0) { |
11322 decrypt_loser: | 11653 decrypt_loser: |
11323 /* must not hold spec lock when calling SSL3_SendAlert. */ | 11654 /* must not hold spec lock when calling SSL3_SendAlert. */ |
11324 ssl_ReleaseSpecReadLock(ss); | 11655 ssl_ReleaseSpecReadLock(ss); |
11325 | 11656 |
11326 SSL_DBG(("%d: SSL3[%d]: decryption failed", SSL_GETPID(), ss->fd)); | 11657 SSL_DBG(("%d: SSL3[%d]: decryption failed", SSL_GETPID(), ss->fd)); |
11327 | 11658 |
11328 if (!IS_DTLS(ss)) { | 11659 if (!IS_DTLS(ss)) { |
11329 SSL3_SendAlert(ss, alert_fatal, bad_record_mac); | 11660 SSL3_SendAlert(ss, alert_fatal, bad_record_mac); |
11330 /* always log mac error, in case attacker can read server logs. */ | 11661 /* always log mac error, in case attacker can read server logs. */ |
(...skipping 639 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
11970 PORT_Free(ss->ssl3.hs.recvdFragments.buf); | 12301 PORT_Free(ss->ssl3.hs.recvdFragments.buf); |
11971 } | 12302 } |
11972 } | 12303 } |
11973 | 12304 |
11974 ss->ssl3.initialized = PR_FALSE; | 12305 ss->ssl3.initialized = PR_FALSE; |
11975 | 12306 |
11976 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); | 12307 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); |
11977 } | 12308 } |
11978 | 12309 |
11979 /* End of ssl3con.c */ | 12310 /* End of ssl3con.c */ |
OLD | NEW |