OLD | NEW |
---|---|
1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ | 1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ |
2 /* | 2 /* |
3 * SSL3 Protocol | 3 * SSL3 Protocol |
4 * | 4 * |
5 * This Source Code Form is subject to the terms of the Mozilla Public | 5 * This Source Code Form is subject to the terms of the Mozilla Public |
6 * License, v. 2.0. If a copy of the MPL was not distributed with this | 6 * License, v. 2.0. If a copy of the MPL was not distributed with this |
7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
8 | 8 |
9 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */ | 9 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */ |
10 | 10 |
(...skipping 67 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
78 static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags); | 78 static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags); |
79 static int ssl3_OIDToTLSHashAlgorithm(SECOidTag oid); | 79 static int ssl3_OIDToTLSHashAlgorithm(SECOidTag oid); |
80 | 80 |
81 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, | 81 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, |
82 int maxOutputLen, const unsigned char *input, | 82 int maxOutputLen, const unsigned char *input, |
83 int inputLen); | 83 int inputLen); |
84 #ifndef NO_PKCS11_BYPASS | 84 #ifndef NO_PKCS11_BYPASS |
85 static SECStatus ssl3_AESGCMBypass(ssl3KeyMaterial *keys, PRBool doDecrypt, | 85 static SECStatus ssl3_AESGCMBypass(ssl3KeyMaterial *keys, PRBool doDecrypt, |
86 unsigned char *out, int *outlen, int maxout, | 86 unsigned char *out, int *outlen, int maxout, |
87 const unsigned char *in, int inlen, | 87 const unsigned char *in, int inlen, |
88 » » » » SSL3ContentType type, | 88 » » » » const unsigned char *additionalData, |
89 » » » » SSL3ProtocolVersion version, | 89 » » » » int additionalDataLen); |
90 » » » » SSL3SequenceNumber seq_num); | |
91 #endif | 90 #endif |
92 | 91 |
93 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */ | 92 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */ |
94 #define MIN_SEND_BUF_LENGTH 4000 | 93 #define MIN_SEND_BUF_LENGTH 4000 |
95 | 94 |
96 /* This list of SSL3 cipher suites is sorted in descending order of | 95 /* This list of SSL3 cipher suites is sorted in descending order of |
97 * precedence (desirability). It only includes cipher suites we implement. | 96 * precedence (desirability). It only includes cipher suites we implement. |
98 * This table is modified by SSL3_SetPolicy(). The ordering of cipher suites | 97 * This table is modified by SSL3_SetPolicy(). The ordering of cipher suites |
99 * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c) | 98 * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c) |
100 */ | 99 */ |
(...skipping 288 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
389 cipher_camellia_256, mac_sha, kea_dhe_rsa}, | 388 cipher_camellia_256, mac_sha, kea_dhe_rsa}, |
390 | 389 |
391 {TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, | 390 {TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, |
392 cipher_des, mac_sha,kea_rsa_export_1024}, | 391 cipher_des, mac_sha,kea_rsa_export_1024}, |
393 {TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, | 392 {TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, |
394 cipher_rc4_56, mac_sha,kea_rsa_export_1024}, | 393 cipher_rc4_56, mac_sha,kea_rsa_export_1024}, |
395 | 394 |
396 {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips}, | 395 {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips}, |
397 {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips}, | 396 {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips}, |
398 | 397 |
399 {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_dhe_ rsa}, | 398 {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_ rsa}, |
400 {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_rsa}, | 399 {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa}, |
401 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_ec dhe_rsa}, | 400 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ec dhe_rsa}, |
402 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_ ecdhe_ecdsa}, | 401 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ ecdhe_ecdsa}, |
403 | 402 |
404 #ifdef NSS_ENABLE_ECC | 403 #ifdef NSS_ENABLE_ECC |
405 {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa}, | 404 {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa}, |
406 {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa}, | 405 {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa}, |
407 {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa} , | 406 {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa} , |
408 {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecds a}, | 407 {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecds a}, |
409 {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecds a}, | 408 {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecds a}, |
410 | 409 |
411 {TLS_ECDHE_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_ecdsa }, | 410 {TLS_ECDHE_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_ecdsa }, |
412 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_ecdsa }, | 411 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_ecdsa }, |
(...skipping 54 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
467 { calg_aes_gcm , CKM_AES_GCM }, | 466 { calg_aes_gcm , CKM_AES_GCM }, |
468 /* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */ | 467 /* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */ |
469 }; | 468 }; |
470 | 469 |
471 #define mmech_null (CK_MECHANISM_TYPE)0x80000000L | 470 #define mmech_null (CK_MECHANISM_TYPE)0x80000000L |
472 #define mmech_md5 CKM_SSL3_MD5_MAC | 471 #define mmech_md5 CKM_SSL3_MD5_MAC |
473 #define mmech_sha CKM_SSL3_SHA1_MAC | 472 #define mmech_sha CKM_SSL3_SHA1_MAC |
474 #define mmech_md5_hmac CKM_MD5_HMAC | 473 #define mmech_md5_hmac CKM_MD5_HMAC |
475 #define mmech_sha_hmac CKM_SHA_1_HMAC | 474 #define mmech_sha_hmac CKM_SHA_1_HMAC |
476 #define mmech_sha256_hmac CKM_SHA256_HMAC | 475 #define mmech_sha256_hmac CKM_SHA256_HMAC |
476 #define mmech_sha384_hmac CKM_SHA384_HMAC | |
477 #define mmech_sha512_hmac CKM_SHA512_HMAC | |
477 | 478 |
478 static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */ | 479 static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */ |
479 /* pad_size is only used for SSL 3.0 MAC. See RFC 6101 Sec. 5.2.3.1. */ | 480 /* pad_size is only used for SSL 3.0 MAC. See RFC 6101 Sec. 5.2.3.1. */ |
480 /* mac mmech pad_size mac_size */ | 481 /* mac mmech pad_size mac_size */ |
481 { mac_null, mmech_null, 0, 0 }, | 482 { mac_null, mmech_null, 0, 0 }, |
482 { mac_md5, mmech_md5, 48, MD5_LENGTH }, | 483 { mac_md5, mmech_md5, 48, MD5_LENGTH }, |
483 { mac_sha, mmech_sha, 40, SHA1_LENGTH}, | 484 { mac_sha, mmech_sha, 40, SHA1_LENGTH}, |
484 {hmac_md5, mmech_md5_hmac, 0, MD5_LENGTH }, | 485 {hmac_md5, mmech_md5_hmac, 0, MD5_LENGTH }, |
485 {hmac_sha, mmech_sha_hmac, 0, SHA1_LENGTH}, | 486 {hmac_sha, mmech_sha_hmac, 0, SHA1_LENGTH}, |
486 {hmac_sha256, mmech_sha256_hmac, 0, SHA256_LENGTH}, | 487 {hmac_sha256, mmech_sha256_hmac, 0, SHA256_LENGTH}, |
488 {hmac_sha384, mmech_sha384_hmac, 0, SHA384_LENGTH}, | |
489 {hmac_sha512, mmech_sha512_hmac, 0, SHA512_LENGTH}, | |
490 { mac_aead, mmech_null, 0, 0 }, | |
wtc
2013/08/17 00:21:15
This array element for mac_aead needs to exist but
| |
487 }; | 491 }; |
488 | 492 |
489 /* indexed by SSL3BulkCipher */ | 493 /* indexed by SSL3BulkCipher */ |
490 const char * const ssl3_cipherName[] = { | 494 const char * const ssl3_cipherName[] = { |
491 "NULL", | 495 "NULL", |
492 "RC4", | 496 "RC4", |
493 "RC4-40", | 497 "RC4-40", |
494 "RC4-56", | 498 "RC4-56", |
495 "RC2-CBC", | 499 "RC2-CBC", |
496 "RC2-CBC-40", | 500 "RC2-CBC-40", |
(...skipping 1262 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1759 case CKM_RC2_MAC: | 1763 case CKM_RC2_MAC: |
1760 case CKM_RC2_MAC_GENERAL: | 1764 case CKM_RC2_MAC_GENERAL: |
1761 case CKM_RC2_CBC_PAD: | 1765 case CKM_RC2_CBC_PAD: |
1762 *(CK_RC2_PARAMS *)param->data = ulEffectiveBits; | 1766 *(CK_RC2_PARAMS *)param->data = ulEffectiveBits; |
1763 default: break; | 1767 default: break; |
1764 } | 1768 } |
1765 } | 1769 } |
1766 return param; | 1770 return param; |
1767 } | 1771 } |
1768 | 1772 |
1769 /* ssl3_BuildRecordPseudoHeader writes the TLS pseudo-header (the data which | 1773 /* ssl3_BuildRecordPseudoHeader writes the SSL/TLS pseudo-header (the data |
1770 * is included in the MAC) to |out| and returns its length. */ | 1774 * which is included in the MAC or AEAD additional data) to |out| and returns |
1775 * its length. See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the | |
1776 * definition of the AEAD additional data. | |
1777 * | |
1778 * TLS pseudo-header includes the record's version field, SSL's doesn't. Which | |
1779 * pseudo-header defintiion to use should be decided based on the version of | |
1780 * the protocol that was negotiated when the spec became current, NOT based on | |
1781 * the version value in the record itself, and the decision is passed to this | |
1782 * function as the |includesVersion| argument. But, the |version| argument | |
1783 * should be the record's version value. | |
1784 */ | |
1771 static unsigned int | 1785 static unsigned int |
1772 ssl3_BuildRecordPseudoHeader(unsigned char *out, | 1786 ssl3_BuildRecordPseudoHeader(unsigned char *out, |
1773 SSL3SequenceNumber seq_num, | 1787 SSL3SequenceNumber seq_num, |
1774 SSL3ContentType type, | 1788 SSL3ContentType type, |
1775 PRBool includesVersion, | 1789 PRBool includesVersion, |
1776 SSL3ProtocolVersion version, | 1790 SSL3ProtocolVersion version, |
1777 PRBool isDTLS, | 1791 PRBool isDTLS, |
1778 int length) | 1792 int length) |
1779 { | 1793 { |
1780 out[0] = (unsigned char)(seq_num.high >> 24); | 1794 out[0] = (unsigned char)(seq_num.high >> 24); |
(...skipping 93 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1874 } | 1888 } |
1875 | 1889 |
1876 static SECStatus | 1890 static SECStatus |
1877 ssl3_AESGCM(ssl3KeyMaterial *keys, | 1891 ssl3_AESGCM(ssl3KeyMaterial *keys, |
1878 PRBool doDecrypt, | 1892 PRBool doDecrypt, |
1879 unsigned char *out, | 1893 unsigned char *out, |
1880 int *outlen, | 1894 int *outlen, |
1881 int maxout, | 1895 int maxout, |
1882 const unsigned char *in, | 1896 const unsigned char *in, |
1883 int inlen, | 1897 int inlen, |
1884 » SSL3ContentType type, | 1898 » const unsigned char *additionalData, |
1885 » SSL3ProtocolVersion version, | 1899 » int additionalDataLen) |
1886 » SSL3SequenceNumber seq_num) | |
1887 { | 1900 { |
1888 SECItem param; | 1901 SECItem param; |
1889 SECStatus rv = SECFailure; | 1902 SECStatus rv = SECFailure; |
1890 unsigned char nonce[12]; | 1903 unsigned char nonce[12]; |
1891 unsigned char additionalData[13]; | |
1892 unsigned int additionalDataLen; | |
1893 unsigned int uOutLen; | 1904 unsigned int uOutLen; |
1894 CK_GCM_PARAMS gcmParams; | 1905 CK_GCM_PARAMS gcmParams; |
1895 | 1906 |
1896 static const int tagSize = 16; | 1907 static const int tagSize = 16; |
1897 static const int explicitNonceLen = 8; | 1908 static const int explicitNonceLen = 8; |
1898 | 1909 |
1899 /* See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the | |
1900 * definition of the AEAD additional data. */ | |
1901 additionalDataLen = ssl3_BuildRecordPseudoHeader( | |
1902 additionalData, seq_num, type, PR_TRUE /* includes version */, | |
1903 version, PR_FALSE /* not DTLS */, | |
wtc
2013/08/17 00:21:15
Note that we had to pass PR_FALSE as the |isDTLS|
| |
1904 inlen - (doDecrypt ? explicitNonceLen + tagSize : 0)); | |
1905 PORT_Assert(additionalDataLen <= sizeof(additionalData)); | |
1906 | |
1907 /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the | 1910 /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the |
1908 * nonce is formed. */ | 1911 * nonce is formed. */ |
1909 memcpy(nonce, keys->write_iv, 4); | 1912 memcpy(nonce, keys->write_iv, 4); |
1910 if (doDecrypt) { | 1913 if (doDecrypt) { |
1911 memcpy(nonce + 4, in, explicitNonceLen); | 1914 memcpy(nonce + 4, in, explicitNonceLen); |
1912 in += explicitNonceLen; | 1915 in += explicitNonceLen; |
1913 inlen -= explicitNonceLen; | 1916 inlen -= explicitNonceLen; |
1914 *outlen = 0; | 1917 *outlen = 0; |
1915 } else { | 1918 } else { |
1916 if (maxout < explicitNonceLen) { | 1919 if (maxout < explicitNonceLen) { |
1917 PORT_SetError(SEC_ERROR_INPUT_LEN); | 1920 PORT_SetError(SEC_ERROR_INPUT_LEN); |
1918 return SECFailure; | 1921 return SECFailure; |
1919 } | 1922 } |
1920 /* Use the 64-bit sequence number as the explicit nonce. */ | 1923 /* Use the 64-bit sequence number as the explicit nonce. */ |
1921 memcpy(nonce + 4, additionalData, explicitNonceLen); | 1924 memcpy(nonce + 4, additionalData, explicitNonceLen); |
1922 memcpy(out, additionalData, explicitNonceLen); | 1925 memcpy(out, additionalData, explicitNonceLen); |
1923 out += explicitNonceLen; | 1926 out += explicitNonceLen; |
1924 maxout -= explicitNonceLen; | 1927 maxout -= explicitNonceLen; |
1925 *outlen = explicitNonceLen; | 1928 *outlen = explicitNonceLen; |
1926 } | 1929 } |
1927 | 1930 |
1928 param.type = siBuffer; | 1931 param.type = siBuffer; |
1929 param.data = (unsigned char *) &gcmParams; | 1932 param.data = (unsigned char *) &gcmParams; |
1930 param.len = sizeof(gcmParams); | 1933 param.len = sizeof(gcmParams); |
1931 gcmParams.pIv = nonce; | 1934 gcmParams.pIv = nonce; |
1932 gcmParams.ulIvLen = sizeof(nonce); | 1935 gcmParams.ulIvLen = sizeof(nonce); |
1933 gcmParams.pAAD = additionalData; | 1936 gcmParams.pAAD = (unsigned char *)additionalData; /* const cast */ |
1934 gcmParams.ulAADLen = additionalDataLen; | 1937 gcmParams.ulAADLen = additionalDataLen; |
1935 gcmParams.ulTagBits = tagSize * 8; | 1938 gcmParams.ulTagBits = tagSize * 8; |
1936 | 1939 |
1937 if (doDecrypt) { | 1940 if (doDecrypt) { |
1938 rv = pk11_decrypt(keys->write_key, CKM_AES_GCM, ¶m, out, &uOutLen, | 1941 rv = pk11_decrypt(keys->write_key, CKM_AES_GCM, ¶m, out, &uOutLen, |
1939 maxout, in, inlen); | 1942 maxout, in, inlen); |
1940 } else { | 1943 } else { |
1941 rv = pk11_encrypt(keys->write_key, CKM_AES_GCM, ¶m, out, &uOutLen, | 1944 rv = pk11_encrypt(keys->write_key, CKM_AES_GCM, ¶m, out, &uOutLen, |
1942 maxout, in, inlen); | 1945 maxout, in, inlen); |
1943 } | 1946 } |
1944 *outlen += (int) uOutLen; | 1947 *outlen += (int) uOutLen; |
1945 | 1948 |
1946 return rv; | 1949 return rv; |
1947 } | 1950 } |
1948 | 1951 |
1949 #ifndef NO_PKCS11_BYPASS | 1952 #ifndef NO_PKCS11_BYPASS |
1950 static SECStatus | 1953 static SECStatus |
1951 ssl3_AESGCMBypass(ssl3KeyMaterial *keys, | 1954 ssl3_AESGCMBypass(ssl3KeyMaterial *keys, |
1952 PRBool doDecrypt, | 1955 PRBool doDecrypt, |
1953 unsigned char *out, | 1956 unsigned char *out, |
1954 int *outlen, | 1957 int *outlen, |
1955 int maxout, | 1958 int maxout, |
1956 const unsigned char *in, | 1959 const unsigned char *in, |
1957 int inlen, | 1960 int inlen, |
1958 » » SSL3ContentType type, | 1961 » » const unsigned char *additionalData, |
1959 » » SSL3ProtocolVersion version, | 1962 » » int additionalDataLen) |
1960 » » SSL3SequenceNumber seq_num) | |
1961 { | 1963 { |
1962 SECStatus rv = SECFailure; | 1964 SECStatus rv = SECFailure; |
1963 unsigned char nonce[12]; | 1965 unsigned char nonce[12]; |
1964 unsigned char additionalData[13]; | |
1965 unsigned int additionalDataLen; | |
1966 unsigned int uOutLen; | 1966 unsigned int uOutLen; |
1967 AESContext *cx; | 1967 AESContext *cx; |
1968 CK_GCM_PARAMS gcmParams; | 1968 CK_GCM_PARAMS gcmParams; |
1969 | 1969 |
1970 static const int tagSize = 16; | 1970 static const int tagSize = 16; |
1971 static const int explicitNonceLen = 8; | 1971 static const int explicitNonceLen = 8; |
1972 | 1972 |
1973 /* See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the | |
1974 * definition of the AEAD additional data. */ | |
1975 additionalDataLen = ssl3_BuildRecordPseudoHeader( | |
1976 additionalData, seq_num, type, PR_TRUE /* includes version */, | |
1977 version, PR_FALSE /* not DTLS */, | |
1978 inlen - (doDecrypt ? explicitNonceLen + tagSize : 0)); | |
1979 PORT_Assert(additionalDataLen <= sizeof(additionalData)); | |
1980 | |
1981 /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the | 1973 /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the |
1982 * nonce is formed. */ | 1974 * nonce is formed. */ |
1983 PORT_Assert(keys->write_iv_item.len == 4); | 1975 PORT_Assert(keys->write_iv_item.len == 4); |
1984 if (keys->write_iv_item.len != 4) { | 1976 if (keys->write_iv_item.len != 4) { |
1985 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | 1977 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
1986 return SECFailure; | 1978 return SECFailure; |
1987 } | 1979 } |
1988 memcpy(nonce, keys->write_iv_item.data, 4); | 1980 memcpy(nonce, keys->write_iv_item.data, 4); |
1989 if (doDecrypt) { | 1981 if (doDecrypt) { |
1990 memcpy(nonce + 4, in, explicitNonceLen); | 1982 memcpy(nonce + 4, in, explicitNonceLen); |
1991 in += explicitNonceLen; | 1983 in += explicitNonceLen; |
1992 inlen -= explicitNonceLen; | 1984 inlen -= explicitNonceLen; |
1993 *outlen = 0; | 1985 *outlen = 0; |
1994 } else { | 1986 } else { |
1995 if (maxout < explicitNonceLen) { | 1987 if (maxout < explicitNonceLen) { |
1996 PORT_SetError(SEC_ERROR_INPUT_LEN); | 1988 PORT_SetError(SEC_ERROR_INPUT_LEN); |
1997 return SECFailure; | 1989 return SECFailure; |
1998 } | 1990 } |
1999 /* Use the 64-bit sequence number as the explicit nonce. */ | 1991 /* Use the 64-bit sequence number as the explicit nonce. */ |
2000 memcpy(nonce + 4, additionalData, explicitNonceLen); | 1992 memcpy(nonce + 4, additionalData, explicitNonceLen); |
2001 memcpy(out, additionalData, explicitNonceLen); | 1993 memcpy(out, additionalData, explicitNonceLen); |
2002 out += explicitNonceLen; | 1994 out += explicitNonceLen; |
2003 maxout -= explicitNonceLen; | 1995 maxout -= explicitNonceLen; |
2004 *outlen = explicitNonceLen; | 1996 *outlen = explicitNonceLen; |
2005 } | 1997 } |
2006 | 1998 |
2007 gcmParams.pIv = nonce; | 1999 gcmParams.pIv = nonce; |
2008 gcmParams.ulIvLen = sizeof(nonce); | 2000 gcmParams.ulIvLen = sizeof(nonce); |
2009 gcmParams.pAAD = additionalData; | 2001 gcmParams.pAAD = (unsigned char *)additionalData; /* const cast */ |
2010 gcmParams.ulAADLen = additionalDataLen; | 2002 gcmParams.ulAADLen = additionalDataLen; |
2011 gcmParams.ulTagBits = tagSize * 8; | 2003 gcmParams.ulTagBits = tagSize * 8; |
2012 | 2004 |
2013 cx = (AESContext *)keys->cipher_context; | 2005 cx = (AESContext *)keys->cipher_context; |
2014 rv = AES_InitContext(cx, keys->write_key_item.data, | 2006 rv = AES_InitContext(cx, keys->write_key_item.data, |
2015 keys->write_key_item.len, | 2007 keys->write_key_item.len, |
2016 (unsigned char *)&gcmParams, NSS_AES_GCM, !doDecrypt, | 2008 (unsigned char *)&gcmParams, NSS_AES_GCM, !doDecrypt, |
2017 AES_BLOCK_SIZE); | 2009 AES_BLOCK_SIZE); |
2018 if (rv != SECSuccess) { | 2010 if (rv != SECSuccess) { |
2019 return rv; | 2011 return rv; |
(...skipping 280 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
2300 0x5c, 0x5c, 0x5c, 0x5c | 2292 0x5c, 0x5c, 0x5c, 0x5c |
2301 }; | 2293 }; |
2302 | 2294 |
2303 /* Called from: ssl3_SendRecord() | 2295 /* Called from: ssl3_SendRecord() |
2304 ** Caller must already hold the SpecReadLock. (wish we could assert that!) | 2296 ** Caller must already hold the SpecReadLock. (wish we could assert that!) |
2305 */ | 2297 */ |
2306 static SECStatus | 2298 static SECStatus |
2307 ssl3_ComputeRecordMAC( | 2299 ssl3_ComputeRecordMAC( |
2308 ssl3CipherSpec * spec, | 2300 ssl3CipherSpec * spec, |
2309 PRBool useServerMacKey, | 2301 PRBool useServerMacKey, |
2310 PRBool isDTLS, | 2302 const unsigned char *header, |
2311 SSL3ContentType type, | 2303 unsigned int headerLen, |
2312 SSL3ProtocolVersion version, | |
2313 SSL3SequenceNumber seq_num, | |
2314 const SSL3Opaque * input, | 2304 const SSL3Opaque * input, |
2315 int inputLength, | 2305 int inputLength, |
2316 unsigned char * outbuf, | 2306 unsigned char * outbuf, |
2317 unsigned int * outLength) | 2307 unsigned int * outLength) |
2318 { | 2308 { |
2319 const ssl3MACDef * mac_def; | 2309 const ssl3MACDef * mac_def; |
2320 SECStatus rv; | 2310 SECStatus rv; |
2321 PRBool isTLS; | |
2322 unsigned int tempLen; | |
2323 unsigned char temp[MAX_MAC_LENGTH]; | |
wtc
2013/08/17 00:21:15
|isTLS| is only used once, so I just inline it.
I
| |
2324 | 2311 |
2325 /* TLS MAC includes the record's version field, SSL's doesn't. | 2312 PRINT_BUF(95, (NULL, "frag hash1: header", header, headerLen)); |
2326 ** We decide which MAC defintiion to use based on the version of | |
2327 ** the protocol that was negotiated when the spec became current, | |
2328 ** NOT based on the version value in the record itself. | |
2329 ** But, we use the record's version value in the computation. | |
2330 */ | |
2331 isTLS = spec->version > SSL_LIBRARY_VERSION_3_0; | |
2332 tempLen = ssl3_BuildRecordPseudoHeader(temp, seq_num, type, isTLS, | |
2333 » » » » » version, isDTLS, inputLength); | |
2334 PORT_Assert(tempLen <= sizeof(temp)); | |
2335 | |
2336 PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen)); | |
2337 PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength)); | 2313 PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength)); |
2338 | 2314 |
2339 mac_def = spec->mac_def; | 2315 mac_def = spec->mac_def; |
2340 if (mac_def->mac == mac_null) { | 2316 if (mac_def->mac == mac_null) { |
2341 *outLength = 0; | 2317 *outLength = 0; |
2342 return SECSuccess; | 2318 return SECSuccess; |
2343 } | 2319 } |
2344 #ifndef NO_PKCS11_BYPASS | 2320 #ifndef NO_PKCS11_BYPASS |
2345 if (spec->bypassCiphers) { | 2321 if (spec->bypassCiphers) { |
2346 /* bypass version */ | 2322 /* bypass version */ |
(...skipping 24 matching lines...) Expand all Loading... | |
2371 break; | 2347 break; |
2372 default: | 2348 default: |
2373 break; | 2349 break; |
2374 } | 2350 } |
2375 if (!hashObj) { | 2351 if (!hashObj) { |
2376 PORT_Assert(0); | 2352 PORT_Assert(0); |
2377 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | 2353 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
2378 return SECFailure; | 2354 return SECFailure; |
2379 } | 2355 } |
2380 | 2356 |
2381 » if (!isTLS) { | 2357 » if (spec->version <= SSL_LIBRARY_VERSION_3_0) { |
2358 » unsigned int tempLen; | |
2359 » unsigned char temp[MAX_MAC_LENGTH]; | |
2360 | |
2382 /* compute "inner" part of SSL3 MAC */ | 2361 /* compute "inner" part of SSL3 MAC */ |
2383 hashObj->begin(write_mac_context); | 2362 hashObj->begin(write_mac_context); |
2384 if (useServerMacKey) | 2363 if (useServerMacKey) |
2385 hashObj->update(write_mac_context, | 2364 hashObj->update(write_mac_context, |
2386 spec->server.write_mac_key_item.data, | 2365 spec->server.write_mac_key_item.data, |
2387 spec->server.write_mac_key_item.len); | 2366 spec->server.write_mac_key_item.len); |
2388 else | 2367 else |
2389 hashObj->update(write_mac_context, | 2368 hashObj->update(write_mac_context, |
2390 spec->client.write_mac_key_item.data, | 2369 spec->client.write_mac_key_item.data, |
2391 spec->client.write_mac_key_item.len); | 2370 spec->client.write_mac_key_item.len); |
2392 hashObj->update(write_mac_context, mac_pad_1, pad_bytes); | 2371 hashObj->update(write_mac_context, mac_pad_1, pad_bytes); |
2393 » hashObj->update(write_mac_context, temp, tempLen); | 2372 » hashObj->update(write_mac_context, header, headerLen); |
2394 hashObj->update(write_mac_context, input, inputLength); | 2373 hashObj->update(write_mac_context, input, inputLength); |
2395 hashObj->end(write_mac_context, temp, &tempLen, sizeof temp); | 2374 hashObj->end(write_mac_context, temp, &tempLen, sizeof temp); |
2396 | 2375 |
2397 /* compute "outer" part of SSL3 MAC */ | 2376 /* compute "outer" part of SSL3 MAC */ |
2398 hashObj->begin(write_mac_context); | 2377 hashObj->begin(write_mac_context); |
2399 if (useServerMacKey) | 2378 if (useServerMacKey) |
2400 hashObj->update(write_mac_context, | 2379 hashObj->update(write_mac_context, |
2401 spec->server.write_mac_key_item.data, | 2380 spec->server.write_mac_key_item.data, |
2402 spec->server.write_mac_key_item.len); | 2381 spec->server.write_mac_key_item.len); |
2403 else | 2382 else |
(...skipping 10 matching lines...) Expand all Loading... | |
2414 rv = HMAC_Init(cx, hashObj, | 2393 rv = HMAC_Init(cx, hashObj, |
2415 spec->server.write_mac_key_item.data, | 2394 spec->server.write_mac_key_item.data, |
2416 spec->server.write_mac_key_item.len, PR_FALSE); | 2395 spec->server.write_mac_key_item.len, PR_FALSE); |
2417 } else { | 2396 } else { |
2418 rv = HMAC_Init(cx, hashObj, | 2397 rv = HMAC_Init(cx, hashObj, |
2419 spec->client.write_mac_key_item.data, | 2398 spec->client.write_mac_key_item.data, |
2420 spec->client.write_mac_key_item.len, PR_FALSE); | 2399 spec->client.write_mac_key_item.len, PR_FALSE); |
2421 } | 2400 } |
2422 if (rv == SECSuccess) { | 2401 if (rv == SECSuccess) { |
2423 HMAC_Begin(cx); | 2402 HMAC_Begin(cx); |
2424 » » HMAC_Update(cx, temp, tempLen); | 2403 » » HMAC_Update(cx, header, headerLen); |
2425 HMAC_Update(cx, input, inputLength); | 2404 HMAC_Update(cx, input, inputLength); |
2426 rv = HMAC_Finish(cx, outbuf, outLength, spec->mac_size); | 2405 rv = HMAC_Finish(cx, outbuf, outLength, spec->mac_size); |
2427 HMAC_Destroy(cx, PR_FALSE); | 2406 HMAC_Destroy(cx, PR_FALSE); |
2428 } | 2407 } |
2429 #undef cx | 2408 #undef cx |
2430 } | 2409 } |
2431 } else | 2410 } else |
2432 #endif | 2411 #endif |
2433 { | 2412 { |
2434 PK11Context *mac_context = | 2413 PK11Context *mac_context = |
2435 (useServerMacKey ? spec->server.write_mac_context | 2414 (useServerMacKey ? spec->server.write_mac_context |
2436 : spec->client.write_mac_context); | 2415 : spec->client.write_mac_context); |
2437 rv = PK11_DigestBegin(mac_context); | 2416 rv = PK11_DigestBegin(mac_context); |
2438 » rv |= PK11_DigestOp(mac_context, temp, tempLen); | 2417 » rv |= PK11_DigestOp(mac_context, header, headerLen); |
2439 rv |= PK11_DigestOp(mac_context, input, inputLength); | 2418 rv |= PK11_DigestOp(mac_context, input, inputLength); |
2440 rv |= PK11_DigestFinal(mac_context, outbuf, outLength, spec->mac_size); | 2419 rv |= PK11_DigestFinal(mac_context, outbuf, outLength, spec->mac_size); |
2441 } | 2420 } |
2442 | 2421 |
2443 PORT_Assert(rv != SECSuccess || *outLength == (unsigned)spec->mac_size); | 2422 PORT_Assert(rv != SECSuccess || *outLength == (unsigned)spec->mac_size); |
2444 | 2423 |
2445 PRINT_BUF(95, (NULL, "frag hash2: result", outbuf, *outLength)); | 2424 PRINT_BUF(95, (NULL, "frag hash2: result", outbuf, *outLength)); |
2446 | 2425 |
2447 if (rv != SECSuccess) { | 2426 if (rv != SECSuccess) { |
2448 rv = SECFailure; | 2427 rv = SECFailure; |
(...skipping 19 matching lines...) Expand all Loading... | |
2468 /* Called from: ssl3_HandleRecord() | 2447 /* Called from: ssl3_HandleRecord() |
2469 * Caller must already hold the SpecReadLock. (wish we could assert that!) | 2448 * Caller must already hold the SpecReadLock. (wish we could assert that!) |
2470 * | 2449 * |
2471 * On entry: | 2450 * On entry: |
2472 * originalLen >= inputLen >= MAC size | 2451 * originalLen >= inputLen >= MAC size |
2473 */ | 2452 */ |
2474 static SECStatus | 2453 static SECStatus |
2475 ssl3_ComputeRecordMACConstantTime( | 2454 ssl3_ComputeRecordMACConstantTime( |
2476 ssl3CipherSpec * spec, | 2455 ssl3CipherSpec * spec, |
2477 PRBool useServerMacKey, | 2456 PRBool useServerMacKey, |
2478 PRBool isDTLS, | 2457 const unsigned char *header, |
2479 SSL3ContentType type, | 2458 unsigned int headerLen, |
2480 SSL3ProtocolVersion version, | |
2481 SSL3SequenceNumber seq_num, | |
2482 const SSL3Opaque * input, | 2459 const SSL3Opaque * input, |
2483 int inputLen, | 2460 int inputLen, |
2484 int originalLen, | 2461 int originalLen, |
2485 unsigned char * outbuf, | 2462 unsigned char * outbuf, |
2486 unsigned int * outLen) | 2463 unsigned int * outLen) |
2487 { | 2464 { |
2488 CK_MECHANISM_TYPE macType; | 2465 CK_MECHANISM_TYPE macType; |
2489 CK_NSS_MAC_CONSTANT_TIME_PARAMS params; | 2466 CK_NSS_MAC_CONSTANT_TIME_PARAMS params; |
2490 PK11Context * mac_context; | 2467 PK11Context * mac_context; |
2491 SECItem param; | 2468 SECItem param; |
2492 SECStatus rv; | 2469 SECStatus rv; |
2493 unsigned char header[13]; | |
2494 PK11SymKey * key; | 2470 PK11SymKey * key; |
2495 int recordLength; | |
2496 | 2471 |
2497 PORT_Assert(inputLen >= spec->mac_size); | 2472 PORT_Assert(inputLen >= spec->mac_size); |
2498 PORT_Assert(originalLen >= inputLen); | 2473 PORT_Assert(originalLen >= inputLen); |
2499 | 2474 |
2500 if (spec->bypassCiphers) { | 2475 if (spec->bypassCiphers) { |
2501 /* This function doesn't support PKCS#11 bypass. We fallback on the | 2476 /* This function doesn't support PKCS#11 bypass. We fallback on the |
2502 * non-constant time version. */ | 2477 * non-constant time version. */ |
2503 goto fallback; | 2478 goto fallback; |
2504 } | 2479 } |
2505 | 2480 |
2506 if (spec->mac_def->mac == mac_null) { | 2481 if (spec->mac_def->mac == mac_null) { |
2507 *outLen = 0; | 2482 *outLen = 0; |
2508 return SECSuccess; | 2483 return SECSuccess; |
2509 } | 2484 } |
2510 | 2485 |
2511 header[0] = (unsigned char)(seq_num.high >> 24); | |
2512 header[1] = (unsigned char)(seq_num.high >> 16); | |
2513 header[2] = (unsigned char)(seq_num.high >> 8); | |
2514 header[3] = (unsigned char)(seq_num.high >> 0); | |
2515 header[4] = (unsigned char)(seq_num.low >> 24); | |
2516 header[5] = (unsigned char)(seq_num.low >> 16); | |
2517 header[6] = (unsigned char)(seq_num.low >> 8); | |
2518 header[7] = (unsigned char)(seq_num.low >> 0); | |
2519 header[8] = type; | |
2520 | |
2521 macType = CKM_NSS_HMAC_CONSTANT_TIME; | 2486 macType = CKM_NSS_HMAC_CONSTANT_TIME; |
2522 recordLength = inputLen - spec->mac_size; | |
2523 if (spec->version <= SSL_LIBRARY_VERSION_3_0) { | 2487 if (spec->version <= SSL_LIBRARY_VERSION_3_0) { |
2524 macType = CKM_NSS_SSL3_MAC_CONSTANT_TIME; | 2488 macType = CKM_NSS_SSL3_MAC_CONSTANT_TIME; |
2525 header[9] = recordLength >> 8; | |
2526 header[10] = recordLength; | |
2527 params.ulHeaderLen = 11; | |
2528 } else { | |
2529 if (isDTLS) { | |
2530 SSL3ProtocolVersion dtls_version; | |
2531 | |
2532 dtls_version = dtls_TLSVersionToDTLSVersion(version); | |
2533 header[9] = dtls_version >> 8; | |
2534 header[10] = dtls_version; | |
2535 } else { | |
2536 header[9] = version >> 8; | |
2537 header[10] = version; | |
2538 } | |
2539 header[11] = recordLength >> 8; | |
2540 header[12] = recordLength; | |
2541 params.ulHeaderLen = 13; | |
2542 } | 2489 } |
2543 | 2490 |
2544 params.macAlg = spec->mac_def->mmech; | 2491 params.macAlg = spec->mac_def->mmech; |
2545 params.ulBodyTotalLen = originalLen; | 2492 params.ulBodyTotalLen = originalLen; |
2546 params.pHeader = header; | 2493 params.pHeader = (unsigned char *) header; /* const cast */ |
2494 params.ulHeaderLen = headerLen; | |
2547 | 2495 |
2548 param.data = (unsigned char*) ¶ms; | 2496 param.data = (unsigned char*) ¶ms; |
2549 param.len = sizeof(params); | 2497 param.len = sizeof(params); |
2550 param.type = 0; | 2498 param.type = 0; |
2551 | 2499 |
2552 key = spec->server.write_mac_key; | 2500 key = spec->server.write_mac_key; |
2553 if (!useServerMacKey) { | 2501 if (!useServerMacKey) { |
2554 key = spec->client.write_mac_key; | 2502 key = spec->client.write_mac_key; |
2555 } | 2503 } |
2556 mac_context = PK11_CreateContextBySymKey(macType, CKA_SIGN, key, ¶m); | 2504 mac_context = PK11_CreateContextBySymKey(macType, CKA_SIGN, key, ¶m); |
(...skipping 12 matching lines...) Expand all Loading... | |
2569 if (rv != SECSuccess) { | 2517 if (rv != SECSuccess) { |
2570 rv = SECFailure; | 2518 rv = SECFailure; |
2571 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); | 2519 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); |
2572 } | 2520 } |
2573 return rv; | 2521 return rv; |
2574 | 2522 |
2575 fallback: | 2523 fallback: |
2576 /* ssl3_ComputeRecordMAC expects the MAC to have been removed from the | 2524 /* ssl3_ComputeRecordMAC expects the MAC to have been removed from the |
2577 * length already. */ | 2525 * length already. */ |
2578 inputLen -= spec->mac_size; | 2526 inputLen -= spec->mac_size; |
2579 return ssl3_ComputeRecordMAC(spec, useServerMacKey, isDTLS, type, | 2527 return ssl3_ComputeRecordMAC(spec, useServerMacKey, header, headerLen, |
2580 » » » » version, seq_num, input, inputLen, | 2528 » » » » input, inputLen, outbuf, outLen); |
2581 » » » » outbuf, outLen); | |
2582 } | 2529 } |
2583 | 2530 |
2584 static PRBool | 2531 static PRBool |
2585 ssl3_ClientAuthTokenPresent(sslSessionID *sid) { | 2532 ssl3_ClientAuthTokenPresent(sslSessionID *sid) { |
2586 PK11SlotInfo *slot = NULL; | 2533 PK11SlotInfo *slot = NULL; |
2587 PRBool isPresent = PR_TRUE; | 2534 PRBool isPresent = PR_TRUE; |
2588 | 2535 |
2589 /* we only care if we are doing client auth */ | 2536 /* we only care if we are doing client auth */ |
2590 /* If NSS_PLATFORM_CLIENT_AUTH is defined and a platformClientKey is being | 2537 /* If NSS_PLATFORM_CLIENT_AUTH is defined and a platformClientKey is being |
2591 * used, u.ssl3.clAuthValid will be false and this function will always | 2538 * used, u.ssl3.clAuthValid will be false and this function will always |
(...skipping 31 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
2623 sslBuffer * wrBuf) | 2570 sslBuffer * wrBuf) |
2624 { | 2571 { |
2625 const ssl3BulkCipherDef * cipher_def; | 2572 const ssl3BulkCipherDef * cipher_def; |
2626 SECStatus rv; | 2573 SECStatus rv; |
2627 PRUint32 macLen = 0; | 2574 PRUint32 macLen = 0; |
2628 PRUint32 fragLen; | 2575 PRUint32 fragLen; |
2629 PRUint32 p1Len, p2Len, oddLen = 0; | 2576 PRUint32 p1Len, p2Len, oddLen = 0; |
2630 PRUint16 headerLen; | 2577 PRUint16 headerLen; |
2631 int ivLen = 0; | 2578 int ivLen = 0; |
2632 int cipherBytes = 0; | 2579 int cipherBytes = 0; |
2580 unsigned char pseudoHeader[13]; | |
2581 unsigned int pseudoHeaderLen; | |
2633 | 2582 |
2634 cipher_def = cwSpec->cipher_def; | 2583 cipher_def = cwSpec->cipher_def; |
2635 headerLen = isDTLS ? DTLS_RECORD_HEADER_LENGTH : SSL3_RECORD_HEADER_LENGTH; | 2584 headerLen = isDTLS ? DTLS_RECORD_HEADER_LENGTH : SSL3_RECORD_HEADER_LENGTH; |
2636 | 2585 |
2637 if (cipher_def->type == type_block && | 2586 if (cipher_def->type == type_block && |
2638 cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { | 2587 cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { |
2639 /* Prepend the per-record explicit IV using technique 2b from | 2588 /* Prepend the per-record explicit IV using technique 2b from |
2640 * RFC 4346 section 6.2.3.2: The IV is a cryptographically | 2589 * RFC 4346 section 6.2.3.2: The IV is a cryptographically |
2641 * strong random number XORed with the CBC residue from the previous | 2590 * strong random number XORed with the CBC residue from the previous |
2642 * record. | 2591 * record. |
(...skipping 25 matching lines...) Expand all Loading... | |
2668 rv = cwSpec->compressor( | 2617 rv = cwSpec->compressor( |
2669 cwSpec->compressContext, | 2618 cwSpec->compressContext, |
2670 wrBuf->buf + headerLen + ivLen, &outlen, | 2619 wrBuf->buf + headerLen + ivLen, &outlen, |
2671 wrBuf->space - headerLen - ivLen, pIn, contentLen); | 2620 wrBuf->space - headerLen - ivLen, pIn, contentLen); |
2672 if (rv != SECSuccess) | 2621 if (rv != SECSuccess) |
2673 return rv; | 2622 return rv; |
2674 pIn = wrBuf->buf + headerLen + ivLen; | 2623 pIn = wrBuf->buf + headerLen + ivLen; |
2675 contentLen = outlen; | 2624 contentLen = outlen; |
2676 } | 2625 } |
2677 | 2626 |
2627 pseudoHeaderLen = ssl3_BuildRecordPseudoHeader(pseudoHeader, | |
Ryan Sleevi
2013/08/17 02:00:23
This is really weird indentation of that first par
wtc
2013/08/19 23:31:56
Done.
| |
2628 cwSpec->write_seq_num, type, | |
2629 cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_0, cwSpec->version, | |
2630 isDTLS, contentLen); | |
2631 PORT_Assert(pseudoHeaderLen <= sizeof(pseudoHeader)); | |
2678 if (cipher_def->type == type_aead) { | 2632 if (cipher_def->type == type_aead) { |
2679 const int nonceLen = cipher_def->explicit_nonce_size; | 2633 const int nonceLen = cipher_def->explicit_nonce_size; |
2680 const int tagLen = cipher_def->tag_size; | 2634 const int tagLen = cipher_def->tag_size; |
2681 | 2635 |
2682 if (headerLen + nonceLen + contentLen + tagLen > wrBuf->space) { | 2636 if (headerLen + nonceLen + contentLen + tagLen > wrBuf->space) { |
2683 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | 2637 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
2684 return SECFailure; | 2638 return SECFailure; |
2685 } | 2639 } |
2686 | 2640 |
2687 cipherBytes = contentLen; | 2641 cipherBytes = contentLen; |
2688 rv = cwSpec->aead( | 2642 rv = cwSpec->aead( |
2689 isServer ? &cwSpec->server : &cwSpec->client, | 2643 isServer ? &cwSpec->server : &cwSpec->client, |
2690 PR_FALSE, /* do encrypt */ | 2644 PR_FALSE, /* do encrypt */ |
2691 wrBuf->buf + headerLen, /* output */ | 2645 wrBuf->buf + headerLen, /* output */ |
2692 &cipherBytes, /* out len */ | 2646 &cipherBytes, /* out len */ |
2693 wrBuf->space - headerLen, /* max out */ | 2647 wrBuf->space - headerLen, /* max out */ |
2694 pIn, contentLen, /* input */ | 2648 pIn, contentLen, /* input */ |
2695 » » type, cwSpec->version, cwSpec->write_seq_num); | 2649 » » pseudoHeader, pseudoHeaderLen); |
2696 if (rv != SECSuccess) { | 2650 if (rv != SECSuccess) { |
2697 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); | 2651 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); |
2698 return SECFailure; | 2652 return SECFailure; |
2699 } | 2653 } |
2700 } else { | 2654 } else { |
2701 /* | 2655 /* |
2702 * Add the MAC | 2656 * Add the MAC |
2703 */ | 2657 */ |
2704 » rv = ssl3_ComputeRecordMAC( cwSpec, isServer, isDTLS, | 2658 » rv = ssl3_ComputeRecordMAC(cwSpec, isServer, |
2705 » type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen, | 2659 » pseudoHeader, pseudoHeaderLen, pIn, contentLen, |
2706 wrBuf->buf + headerLen + ivLen + contentLen, &macLen); | 2660 wrBuf->buf + headerLen + ivLen + contentLen, &macLen); |
2707 if (rv != SECSuccess) { | 2661 if (rv != SECSuccess) { |
2708 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); | 2662 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); |
2709 return SECFailure; | 2663 return SECFailure; |
2710 } | 2664 } |
2711 p1Len = contentLen; | 2665 p1Len = contentLen; |
2712 p2Len = macLen; | 2666 p2Len = macLen; |
2713 fragLen = contentLen + macLen; /* needs to be encrypted */ | 2667 fragLen = contentLen + macLen; /* needs to be encrypted */ |
2714 PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024); | 2668 PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024); |
2715 | 2669 |
(...skipping 8684 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
11400 SSL3Opaque hash[MAX_MAC_LENGTH]; | 11354 SSL3Opaque hash[MAX_MAC_LENGTH]; |
11401 SSL3Opaque givenHashBuf[MAX_MAC_LENGTH]; | 11355 SSL3Opaque givenHashBuf[MAX_MAC_LENGTH]; |
11402 SSL3Opaque *givenHash; | 11356 SSL3Opaque *givenHash; |
11403 sslBuffer *plaintext; | 11357 sslBuffer *plaintext; |
11404 sslBuffer temp_buf; | 11358 sslBuffer temp_buf; |
11405 PRUint64 dtls_seq_num; | 11359 PRUint64 dtls_seq_num; |
11406 unsigned int ivLen = 0; | 11360 unsigned int ivLen = 0; |
11407 unsigned int originalLen = 0; | 11361 unsigned int originalLen = 0; |
11408 unsigned int good; | 11362 unsigned int good; |
11409 unsigned int minLength; | 11363 unsigned int minLength; |
11364 unsigned char header[13]; | |
11365 unsigned int headerLen; | |
11410 | 11366 |
11411 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 11367 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
11412 | 11368 |
11413 if (!ss->ssl3.initialized) { | 11369 if (!ss->ssl3.initialized) { |
11414 ssl_GetSSL3HandshakeLock(ss); | 11370 ssl_GetSSL3HandshakeLock(ss); |
11415 rv = ssl3_InitState(ss); | 11371 rv = ssl3_InitState(ss); |
11416 ssl_ReleaseSSL3HandshakeLock(ss); | 11372 ssl_ReleaseSSL3HandshakeLock(ss); |
11417 if (rv != SECSuccess) { | 11373 if (rv != SECSuccess) { |
11418 return rv; /* ssl3_InitState has set the error code. */ | 11374 return rv; /* ssl3_InitState has set the error code. */ |
11419 } | 11375 } |
(...skipping 133 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
11553 | 11509 |
11554 if (isTLS && cText->buf->len - ivLen > (MAX_FRAGMENT_LENGTH + 2048)) { | 11510 if (isTLS && cText->buf->len - ivLen > (MAX_FRAGMENT_LENGTH + 2048)) { |
11555 ssl_ReleaseSpecReadLock(ss); | 11511 ssl_ReleaseSpecReadLock(ss); |
11556 SSL3_SendAlert(ss, alert_fatal, record_overflow); | 11512 SSL3_SendAlert(ss, alert_fatal, record_overflow); |
11557 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); | 11513 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); |
11558 return SECFailure; | 11514 return SECFailure; |
11559 } | 11515 } |
11560 | 11516 |
11561 rType = cText->type; | 11517 rType = cText->type; |
11562 if (cipher_def->type == type_aead) { | 11518 if (cipher_def->type == type_aead) { |
11519 /* XXX Is this true for all AEAD ciphers? */ | |
Ryan Sleevi
2013/08/17 02:00:23
No.
This is covered in http://tools.ietf.org/html
wtc
2013/08/19 23:31:56
Done. Thank you for the research. I updated the co
| |
11520 unsigned int decryptedLen = | |
11521 cText->buf->len - cipher_def->explicit_nonce_size - | |
11522 cipher_def->tag_size; | |
11523 headerLen = ssl3_BuildRecordPseudoHeader(header, | |
11524 IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, rType, | |
11525 isTLS, cText->version, IS_DTLS(ss), decryptedLen); | |
11526 PORT_Assert(headerLen <= sizeof(header)); | |
11563 rv = crSpec->aead( | 11527 rv = crSpec->aead( |
11564 ss->sec.isServer ? &crSpec->client : &crSpec->server, | 11528 ss->sec.isServer ? &crSpec->client : &crSpec->server, |
11565 PR_TRUE, /* do decrypt */ | 11529 PR_TRUE, /* do decrypt */ |
11566 plaintext->buf, /* out */ | 11530 plaintext->buf, /* out */ |
11567 (int*) &plaintext->len, /* outlen */ | 11531 (int*) &plaintext->len, /* outlen */ |
11568 plaintext->space, /* maxout */ | 11532 plaintext->space, /* maxout */ |
11569 cText->buf->buf, /* in */ | 11533 cText->buf->buf, /* in */ |
11570 cText->buf->len, /* inlen */ | 11534 cText->buf->len, /* inlen */ |
11571 » » rType, /* record type */ | 11535 » » header, headerLen); |
11572 » » cText->version, | |
11573 » » IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num); | |
11574 if (rv != SECSuccess) { | 11536 if (rv != SECSuccess) { |
11575 good = 0; | 11537 good = 0; |
11576 } | 11538 } |
11577 } else { | 11539 } else { |
11578 if (cipher_def->type == type_block && | 11540 if (cipher_def->type == type_block && |
11579 ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) { | 11541 ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) { |
11580 goto decrypt_loser; | 11542 goto decrypt_loser; |
11581 } | 11543 } |
11582 | 11544 |
11583 /* decrypt from cText buf to plaintext. */ | 11545 /* decrypt from cText buf to plaintext. */ |
11584 rv = crSpec->decode( | 11546 rv = crSpec->decode( |
11585 crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len, | 11547 crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len, |
11586 plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen); | 11548 plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen); |
11587 if (rv != SECSuccess) { | 11549 if (rv != SECSuccess) { |
11588 goto decrypt_loser; | 11550 goto decrypt_loser; |
11589 } | 11551 } |
11590 | 11552 |
11591 PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len)); | 11553 PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len)); |
11592 | 11554 |
11593 originalLen = plaintext->len; | 11555 originalLen = plaintext->len; |
11594 | 11556 |
11595 /* If it's a block cipher, check and strip the padding. */ | 11557 /* If it's a block cipher, check and strip the padding. */ |
11596 if (cipher_def->type == type_block) { | 11558 if (cipher_def->type == type_block) { |
11597 const unsigned int blockSize = cipher_def->block_size; | 11559 const unsigned int blockSize = cipher_def->block_size; |
11598 const unsigned int macSize = crSpec->mac_size; | 11560 const unsigned int macSize = crSpec->mac_size; |
11599 | 11561 |
11600 » if (crSpec->version <= SSL_LIBRARY_VERSION_3_0) { | 11562 » if (!isTLS) { |
11601 good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding( | 11563 good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding( |
11602 plaintext, blockSize, macSize)); | 11564 plaintext, blockSize, macSize)); |
11603 } else { | 11565 } else { |
11604 good &= SECStatusToMask(ssl_RemoveTLSCBCPadding( | 11566 good &= SECStatusToMask(ssl_RemoveTLSCBCPadding( |
11605 plaintext, macSize)); | 11567 plaintext, macSize)); |
11606 } | 11568 } |
11607 } | 11569 } |
11608 | 11570 |
11609 /* compute the MAC */ | 11571 /* compute the MAC */ |
11572 headerLen = ssl3_BuildRecordPseudoHeader(header, | |
11573 IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, rType, | |
11574 isTLS, cText->version, IS_DTLS(ss), | |
11575 plaintext->len - crSpec->mac_size); | |
11576 PORT_Assert(headerLen <= sizeof(header)); | |
11610 if (cipher_def->type == type_block) { | 11577 if (cipher_def->type == type_block) { |
11611 rv = ssl3_ComputeRecordMACConstantTime( | 11578 rv = ssl3_ComputeRecordMACConstantTime( |
11612 » » crSpec, (PRBool)(!ss->sec.isServer), | 11579 » » crSpec, (PRBool)(!ss->sec.isServer), header, headerLen, |
11613 » » IS_DTLS(ss), rType, cText->version, | |
11614 » » IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, | |
11615 plaintext->buf, plaintext->len, originalLen, | 11580 plaintext->buf, plaintext->len, originalLen, |
11616 hash, &hashBytes); | 11581 hash, &hashBytes); |
11617 | 11582 |
11618 ssl_CBCExtractMAC(plaintext, originalLen, givenHashBuf, | 11583 ssl_CBCExtractMAC(plaintext, originalLen, givenHashBuf, |
11619 crSpec->mac_size); | 11584 crSpec->mac_size); |
11620 givenHash = givenHashBuf; | 11585 givenHash = givenHashBuf; |
11621 | 11586 |
11622 /* plaintext->len will always have enough space to remove the MAC | 11587 /* plaintext->len will always have enough space to remove the MAC |
11623 * because in ssl_Remove{SSLv3|TLS}CBCPadding we only adjust | 11588 * because in ssl_Remove{SSLv3|TLS}CBCPadding we only adjust |
11624 * plaintext->len if the result has enough space for the MAC and we | 11589 * plaintext->len if the result has enough space for the MAC and we |
11625 * tested the unadjusted size against minLength, above. */ | 11590 * tested the unadjusted size against minLength, above. */ |
11626 plaintext->len -= crSpec->mac_size; | 11591 plaintext->len -= crSpec->mac_size; |
11627 } else { | 11592 } else { |
11628 /* This is safe because we checked the minLength above. */ | 11593 /* This is safe because we checked the minLength above. */ |
11629 plaintext->len -= crSpec->mac_size; | 11594 plaintext->len -= crSpec->mac_size; |
11630 | 11595 |
11631 rv = ssl3_ComputeRecordMAC( | 11596 rv = ssl3_ComputeRecordMAC( |
11632 » » crSpec, (PRBool)(!ss->sec.isServer), | 11597 » » crSpec, (PRBool)(!ss->sec.isServer), header, headerLen, |
11633 » » IS_DTLS(ss), rType, cText->version, | 11598 » » plaintext->buf, plaintext->len, hash, &hashBytes); |
11634 » » IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, | |
11635 » » plaintext->buf, plaintext->len, | |
11636 » » hash, &hashBytes); | |
11637 | 11599 |
11638 /* We can read the MAC directly from the record because its location | 11600 /* We can read the MAC directly from the record because its location |
11639 * is public when a stream cipher is used. */ | 11601 * is public when a stream cipher is used. */ |
11640 givenHash = plaintext->buf + plaintext->len; | 11602 givenHash = plaintext->buf + plaintext->len; |
11641 } | 11603 } |
11642 | 11604 |
11643 good &= SECStatusToMask(rv); | 11605 good &= SECStatusToMask(rv); |
11644 | 11606 |
11645 if (hashBytes != (unsigned)crSpec->mac_size || | 11607 if (hashBytes != (unsigned)crSpec->mac_size || |
11646 NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) { | 11608 NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) { |
(...skipping 654 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
12301 PORT_Free(ss->ssl3.hs.recvdFragments.buf); | 12263 PORT_Free(ss->ssl3.hs.recvdFragments.buf); |
12302 } | 12264 } |
12303 } | 12265 } |
12304 | 12266 |
12305 ss->ssl3.initialized = PR_FALSE; | 12267 ss->ssl3.initialized = PR_FALSE; |
12306 | 12268 |
12307 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); | 12269 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); |
12308 } | 12270 } |
12309 | 12271 |
12310 /* End of ssl3con.c */ | 12272 /* End of ssl3con.c */ |
OLD | NEW |