Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(557)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/third_party/nss/ssl/ssl3con.c

Issue 23299002: Make the AES-GCM cipher suites work in DTLS, by moving the (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Created 7 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« net/third_party/nss/ssl/dtlscon.c ('K') | « net/third_party/nss/ssl/dtlscon.c ('k') | net/third_party/nss/ssl/sslimpl.h » ('j') | net/third_party/nss/ssl/sslimpl.h » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ 1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
2 /* 2 /*
3 * SSL3 Protocol 3 * SSL3 Protocol
4 * 4 *
5 * This Source Code Form is subject to the terms of the Mozilla Public 5 * This Source Code Form is subject to the terms of the Mozilla Public
6 * License, v. 2.0. If a copy of the MPL was not distributed with this 6 * License, v. 2.0. If a copy of the MPL was not distributed with this
7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
8 8
9 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */ 9 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */
10 10
(...skipping 67 matching lines...) Expand 10 before | Expand all | Expand 10 after
78 static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags); 78 static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags);
79 static int ssl3_OIDToTLSHashAlgorithm(SECOidTag oid); 79 static int ssl3_OIDToTLSHashAlgorithm(SECOidTag oid);
80 80
81 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, 81 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen,
82 int maxOutputLen, const unsigned char *input, 82 int maxOutputLen, const unsigned char *input,
83 int inputLen); 83 int inputLen);
84 #ifndef NO_PKCS11_BYPASS 84 #ifndef NO_PKCS11_BYPASS
85 static SECStatus ssl3_AESGCMBypass(ssl3KeyMaterial *keys, PRBool doDecrypt, 85 static SECStatus ssl3_AESGCMBypass(ssl3KeyMaterial *keys, PRBool doDecrypt,
86 unsigned char *out, int *outlen, int maxout, 86 unsigned char *out, int *outlen, int maxout,
87 const unsigned char *in, int inlen, 87 const unsigned char *in, int inlen,
88 » » » » SSL3ContentType type, 88 » » » » const unsigned char *additionalData,
89 » » » » SSL3ProtocolVersion version, 89 » » » » int additionalDataLen);
90 » » » » SSL3SequenceNumber seq_num);
91 #endif 90 #endif
92 91
93 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */ 92 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */
94 #define MIN_SEND_BUF_LENGTH 4000 93 #define MIN_SEND_BUF_LENGTH 4000
95 94
96 /* This list of SSL3 cipher suites is sorted in descending order of 95 /* This list of SSL3 cipher suites is sorted in descending order of
97 * precedence (desirability). It only includes cipher suites we implement. 96 * precedence (desirability). It only includes cipher suites we implement.
98 * This table is modified by SSL3_SetPolicy(). The ordering of cipher suites 97 * This table is modified by SSL3_SetPolicy(). The ordering of cipher suites
99 * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c) 98 * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c)
100 */ 99 */
(...skipping 288 matching lines...) Expand 10 before | Expand all | Expand 10 after
389 cipher_camellia_256, mac_sha, kea_dhe_rsa}, 388 cipher_camellia_256, mac_sha, kea_dhe_rsa},
390 389
391 {TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, 390 {TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
392 cipher_des, mac_sha,kea_rsa_export_1024}, 391 cipher_des, mac_sha,kea_rsa_export_1024},
393 {TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, 392 {TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
394 cipher_rc4_56, mac_sha,kea_rsa_export_1024}, 393 cipher_rc4_56, mac_sha,kea_rsa_export_1024},
395 394
396 {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips}, 395 {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips},
397 {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips}, 396 {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips},
398 397
399 {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_dhe_ rsa}, 398 {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_ rsa},
400 {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_rsa}, 399 {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa},
401 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_ec dhe_rsa}, 400 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ec dhe_rsa},
402 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_ ecdhe_ecdsa}, 401 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ ecdhe_ecdsa},
403 402
404 #ifdef NSS_ENABLE_ECC 403 #ifdef NSS_ENABLE_ECC
405 {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa}, 404 {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa},
406 {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa}, 405 {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa},
407 {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa} , 406 {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa} ,
408 {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecds a}, 407 {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecds a},
409 {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecds a}, 408 {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecds a},
410 409
411 {TLS_ECDHE_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_ecdsa }, 410 {TLS_ECDHE_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_ecdsa },
412 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_ecdsa }, 411 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_ecdsa },
(...skipping 54 matching lines...) Expand 10 before | Expand all | Expand 10 after
467 { calg_aes_gcm , CKM_AES_GCM }, 466 { calg_aes_gcm , CKM_AES_GCM },
468 /* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */ 467 /* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */
469 }; 468 };
470 469
471 #define mmech_null (CK_MECHANISM_TYPE)0x80000000L 470 #define mmech_null (CK_MECHANISM_TYPE)0x80000000L
472 #define mmech_md5 CKM_SSL3_MD5_MAC 471 #define mmech_md5 CKM_SSL3_MD5_MAC
473 #define mmech_sha CKM_SSL3_SHA1_MAC 472 #define mmech_sha CKM_SSL3_SHA1_MAC
474 #define mmech_md5_hmac CKM_MD5_HMAC 473 #define mmech_md5_hmac CKM_MD5_HMAC
475 #define mmech_sha_hmac CKM_SHA_1_HMAC 474 #define mmech_sha_hmac CKM_SHA_1_HMAC
476 #define mmech_sha256_hmac CKM_SHA256_HMAC 475 #define mmech_sha256_hmac CKM_SHA256_HMAC
476 #define mmech_sha384_hmac CKM_SHA384_HMAC
477 #define mmech_sha512_hmac CKM_SHA512_HMAC
477 478
478 static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */ 479 static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */
479 /* pad_size is only used for SSL 3.0 MAC. See RFC 6101 Sec. 5.2.3.1. */ 480 /* pad_size is only used for SSL 3.0 MAC. See RFC 6101 Sec. 5.2.3.1. */
480 /* mac mmech pad_size mac_size */ 481 /* mac mmech pad_size mac_size */
481 { mac_null, mmech_null, 0, 0 }, 482 { mac_null, mmech_null, 0, 0 },
482 { mac_md5, mmech_md5, 48, MD5_LENGTH }, 483 { mac_md5, mmech_md5, 48, MD5_LENGTH },
483 { mac_sha, mmech_sha, 40, SHA1_LENGTH}, 484 { mac_sha, mmech_sha, 40, SHA1_LENGTH},
484 {hmac_md5, mmech_md5_hmac, 0, MD5_LENGTH }, 485 {hmac_md5, mmech_md5_hmac, 0, MD5_LENGTH },
485 {hmac_sha, mmech_sha_hmac, 0, SHA1_LENGTH}, 486 {hmac_sha, mmech_sha_hmac, 0, SHA1_LENGTH},
486 {hmac_sha256, mmech_sha256_hmac, 0, SHA256_LENGTH}, 487 {hmac_sha256, mmech_sha256_hmac, 0, SHA256_LENGTH},
488 {hmac_sha384, mmech_sha384_hmac, 0, SHA384_LENGTH},
489 {hmac_sha512, mmech_sha512_hmac, 0, SHA512_LENGTH},
490 { mac_aead, mmech_null, 0, 0 },
wtc 2013/08/17 00:21:15 This array element for mac_aead needs to exist but
487 }; 491 };
488 492
489 /* indexed by SSL3BulkCipher */ 493 /* indexed by SSL3BulkCipher */
490 const char * const ssl3_cipherName[] = { 494 const char * const ssl3_cipherName[] = {
491 "NULL", 495 "NULL",
492 "RC4", 496 "RC4",
493 "RC4-40", 497 "RC4-40",
494 "RC4-56", 498 "RC4-56",
495 "RC2-CBC", 499 "RC2-CBC",
496 "RC2-CBC-40", 500 "RC2-CBC-40",
(...skipping 1262 matching lines...) Expand 10 before | Expand all | Expand 10 after
1759 case CKM_RC2_MAC: 1763 case CKM_RC2_MAC:
1760 case CKM_RC2_MAC_GENERAL: 1764 case CKM_RC2_MAC_GENERAL:
1761 case CKM_RC2_CBC_PAD: 1765 case CKM_RC2_CBC_PAD:
1762 *(CK_RC2_PARAMS *)param->data = ulEffectiveBits; 1766 *(CK_RC2_PARAMS *)param->data = ulEffectiveBits;
1763 default: break; 1767 default: break;
1764 } 1768 }
1765 } 1769 }
1766 return param; 1770 return param;
1767 } 1771 }
1768 1772
1769 /* ssl3_BuildRecordPseudoHeader writes the TLS pseudo-header (the data which 1773 /* ssl3_BuildRecordPseudoHeader writes the SSL/TLS pseudo-header (the data
1770 * is included in the MAC) to |out| and returns its length. */ 1774 * which is included in the MAC or AEAD additional data) to |out| and returns
1775 * its length. See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the
1776 * definition of the AEAD additional data.
1777 *
1778 * TLS pseudo-header includes the record's version field, SSL's doesn't. Which
1779 * pseudo-header defintiion to use should be decided based on the version of
1780 * the protocol that was negotiated when the spec became current, NOT based on
1781 * the version value in the record itself, and the decision is passed to this
1782 * function as the |includesVersion| argument. But, the |version| argument
1783 * should be the record's version value.
1784 */
1771 static unsigned int 1785 static unsigned int
1772 ssl3_BuildRecordPseudoHeader(unsigned char *out, 1786 ssl3_BuildRecordPseudoHeader(unsigned char *out,
1773 SSL3SequenceNumber seq_num, 1787 SSL3SequenceNumber seq_num,
1774 SSL3ContentType type, 1788 SSL3ContentType type,
1775 PRBool includesVersion, 1789 PRBool includesVersion,
1776 SSL3ProtocolVersion version, 1790 SSL3ProtocolVersion version,
1777 PRBool isDTLS, 1791 PRBool isDTLS,
1778 int length) 1792 int length)
1779 { 1793 {
1780 out[0] = (unsigned char)(seq_num.high >> 24); 1794 out[0] = (unsigned char)(seq_num.high >> 24);
(...skipping 93 matching lines...) Expand 10 before | Expand all | Expand 10 after
1874 } 1888 }
1875 1889
1876 static SECStatus 1890 static SECStatus
1877 ssl3_AESGCM(ssl3KeyMaterial *keys, 1891 ssl3_AESGCM(ssl3KeyMaterial *keys,
1878 PRBool doDecrypt, 1892 PRBool doDecrypt,
1879 unsigned char *out, 1893 unsigned char *out,
1880 int *outlen, 1894 int *outlen,
1881 int maxout, 1895 int maxout,
1882 const unsigned char *in, 1896 const unsigned char *in,
1883 int inlen, 1897 int inlen,
1884 » SSL3ContentType type, 1898 » const unsigned char *additionalData,
1885 » SSL3ProtocolVersion version, 1899 » int additionalDataLen)
1886 » SSL3SequenceNumber seq_num)
1887 { 1900 {
1888 SECItem param; 1901 SECItem param;
1889 SECStatus rv = SECFailure; 1902 SECStatus rv = SECFailure;
1890 unsigned char nonce[12]; 1903 unsigned char nonce[12];
1891 unsigned char additionalData[13];
1892 unsigned int additionalDataLen;
1893 unsigned int uOutLen; 1904 unsigned int uOutLen;
1894 CK_GCM_PARAMS gcmParams; 1905 CK_GCM_PARAMS gcmParams;
1895 1906
1896 static const int tagSize = 16; 1907 static const int tagSize = 16;
1897 static const int explicitNonceLen = 8; 1908 static const int explicitNonceLen = 8;
1898 1909
1899 /* See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the
1900 * definition of the AEAD additional data. */
1901 additionalDataLen = ssl3_BuildRecordPseudoHeader(
1902 additionalData, seq_num, type, PR_TRUE /* includes version */,
1903 version, PR_FALSE /* not DTLS */,
wtc 2013/08/17 00:21:15 Note that we had to pass PR_FALSE as the |isDTLS|
1904 inlen - (doDecrypt ? explicitNonceLen + tagSize : 0));
1905 PORT_Assert(additionalDataLen <= sizeof(additionalData));
1906
1907 /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the 1910 /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the
1908 * nonce is formed. */ 1911 * nonce is formed. */
1909 memcpy(nonce, keys->write_iv, 4); 1912 memcpy(nonce, keys->write_iv, 4);
1910 if (doDecrypt) { 1913 if (doDecrypt) {
1911 memcpy(nonce + 4, in, explicitNonceLen); 1914 memcpy(nonce + 4, in, explicitNonceLen);
1912 in += explicitNonceLen; 1915 in += explicitNonceLen;
1913 inlen -= explicitNonceLen; 1916 inlen -= explicitNonceLen;
1914 *outlen = 0; 1917 *outlen = 0;
1915 } else { 1918 } else {
1916 if (maxout < explicitNonceLen) { 1919 if (maxout < explicitNonceLen) {
1917 PORT_SetError(SEC_ERROR_INPUT_LEN); 1920 PORT_SetError(SEC_ERROR_INPUT_LEN);
1918 return SECFailure; 1921 return SECFailure;
1919 } 1922 }
1920 /* Use the 64-bit sequence number as the explicit nonce. */ 1923 /* Use the 64-bit sequence number as the explicit nonce. */
1921 memcpy(nonce + 4, additionalData, explicitNonceLen); 1924 memcpy(nonce + 4, additionalData, explicitNonceLen);
1922 memcpy(out, additionalData, explicitNonceLen); 1925 memcpy(out, additionalData, explicitNonceLen);
1923 out += explicitNonceLen; 1926 out += explicitNonceLen;
1924 maxout -= explicitNonceLen; 1927 maxout -= explicitNonceLen;
1925 *outlen = explicitNonceLen; 1928 *outlen = explicitNonceLen;
1926 } 1929 }
1927 1930
1928 param.type = siBuffer; 1931 param.type = siBuffer;
1929 param.data = (unsigned char *) &gcmParams; 1932 param.data = (unsigned char *) &gcmParams;
1930 param.len = sizeof(gcmParams); 1933 param.len = sizeof(gcmParams);
1931 gcmParams.pIv = nonce; 1934 gcmParams.pIv = nonce;
1932 gcmParams.ulIvLen = sizeof(nonce); 1935 gcmParams.ulIvLen = sizeof(nonce);
1933 gcmParams.pAAD = additionalData; 1936 gcmParams.pAAD = (unsigned char *)additionalData; /* const cast */
1934 gcmParams.ulAADLen = additionalDataLen; 1937 gcmParams.ulAADLen = additionalDataLen;
1935 gcmParams.ulTagBits = tagSize * 8; 1938 gcmParams.ulTagBits = tagSize * 8;
1936 1939
1937 if (doDecrypt) { 1940 if (doDecrypt) {
1938 rv = pk11_decrypt(keys->write_key, CKM_AES_GCM, &param, out, &uOutLen, 1941 rv = pk11_decrypt(keys->write_key, CKM_AES_GCM, &param, out, &uOutLen,
1939 maxout, in, inlen); 1942 maxout, in, inlen);
1940 } else { 1943 } else {
1941 rv = pk11_encrypt(keys->write_key, CKM_AES_GCM, &param, out, &uOutLen, 1944 rv = pk11_encrypt(keys->write_key, CKM_AES_GCM, &param, out, &uOutLen,
1942 maxout, in, inlen); 1945 maxout, in, inlen);
1943 } 1946 }
1944 *outlen += (int) uOutLen; 1947 *outlen += (int) uOutLen;
1945 1948
1946 return rv; 1949 return rv;
1947 } 1950 }
1948 1951
1949 #ifndef NO_PKCS11_BYPASS 1952 #ifndef NO_PKCS11_BYPASS
1950 static SECStatus 1953 static SECStatus
1951 ssl3_AESGCMBypass(ssl3KeyMaterial *keys, 1954 ssl3_AESGCMBypass(ssl3KeyMaterial *keys,
1952 PRBool doDecrypt, 1955 PRBool doDecrypt,
1953 unsigned char *out, 1956 unsigned char *out,
1954 int *outlen, 1957 int *outlen,
1955 int maxout, 1958 int maxout,
1956 const unsigned char *in, 1959 const unsigned char *in,
1957 int inlen, 1960 int inlen,
1958 » » SSL3ContentType type, 1961 » » const unsigned char *additionalData,
1959 » » SSL3ProtocolVersion version, 1962 » » int additionalDataLen)
1960 » » SSL3SequenceNumber seq_num)
1961 { 1963 {
1962 SECStatus rv = SECFailure; 1964 SECStatus rv = SECFailure;
1963 unsigned char nonce[12]; 1965 unsigned char nonce[12];
1964 unsigned char additionalData[13];
1965 unsigned int additionalDataLen;
1966 unsigned int uOutLen; 1966 unsigned int uOutLen;
1967 AESContext *cx; 1967 AESContext *cx;
1968 CK_GCM_PARAMS gcmParams; 1968 CK_GCM_PARAMS gcmParams;
1969 1969
1970 static const int tagSize = 16; 1970 static const int tagSize = 16;
1971 static const int explicitNonceLen = 8; 1971 static const int explicitNonceLen = 8;
1972 1972
1973 /* See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the
1974 * definition of the AEAD additional data. */
1975 additionalDataLen = ssl3_BuildRecordPseudoHeader(
1976 additionalData, seq_num, type, PR_TRUE /* includes version */,
1977 version, PR_FALSE /* not DTLS */,
1978 inlen - (doDecrypt ? explicitNonceLen + tagSize : 0));
1979 PORT_Assert(additionalDataLen <= sizeof(additionalData));
1980
1981 /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the 1973 /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the
1982 * nonce is formed. */ 1974 * nonce is formed. */
1983 PORT_Assert(keys->write_iv_item.len == 4); 1975 PORT_Assert(keys->write_iv_item.len == 4);
1984 if (keys->write_iv_item.len != 4) { 1976 if (keys->write_iv_item.len != 4) {
1985 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1977 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1986 return SECFailure; 1978 return SECFailure;
1987 } 1979 }
1988 memcpy(nonce, keys->write_iv_item.data, 4); 1980 memcpy(nonce, keys->write_iv_item.data, 4);
1989 if (doDecrypt) { 1981 if (doDecrypt) {
1990 memcpy(nonce + 4, in, explicitNonceLen); 1982 memcpy(nonce + 4, in, explicitNonceLen);
1991 in += explicitNonceLen; 1983 in += explicitNonceLen;
1992 inlen -= explicitNonceLen; 1984 inlen -= explicitNonceLen;
1993 *outlen = 0; 1985 *outlen = 0;
1994 } else { 1986 } else {
1995 if (maxout < explicitNonceLen) { 1987 if (maxout < explicitNonceLen) {
1996 PORT_SetError(SEC_ERROR_INPUT_LEN); 1988 PORT_SetError(SEC_ERROR_INPUT_LEN);
1997 return SECFailure; 1989 return SECFailure;
1998 } 1990 }
1999 /* Use the 64-bit sequence number as the explicit nonce. */ 1991 /* Use the 64-bit sequence number as the explicit nonce. */
2000 memcpy(nonce + 4, additionalData, explicitNonceLen); 1992 memcpy(nonce + 4, additionalData, explicitNonceLen);
2001 memcpy(out, additionalData, explicitNonceLen); 1993 memcpy(out, additionalData, explicitNonceLen);
2002 out += explicitNonceLen; 1994 out += explicitNonceLen;
2003 maxout -= explicitNonceLen; 1995 maxout -= explicitNonceLen;
2004 *outlen = explicitNonceLen; 1996 *outlen = explicitNonceLen;
2005 } 1997 }
2006 1998
2007 gcmParams.pIv = nonce; 1999 gcmParams.pIv = nonce;
2008 gcmParams.ulIvLen = sizeof(nonce); 2000 gcmParams.ulIvLen = sizeof(nonce);
2009 gcmParams.pAAD = additionalData; 2001 gcmParams.pAAD = (unsigned char *)additionalData; /* const cast */
2010 gcmParams.ulAADLen = additionalDataLen; 2002 gcmParams.ulAADLen = additionalDataLen;
2011 gcmParams.ulTagBits = tagSize * 8; 2003 gcmParams.ulTagBits = tagSize * 8;
2012 2004
2013 cx = (AESContext *)keys->cipher_context; 2005 cx = (AESContext *)keys->cipher_context;
2014 rv = AES_InitContext(cx, keys->write_key_item.data, 2006 rv = AES_InitContext(cx, keys->write_key_item.data,
2015 keys->write_key_item.len, 2007 keys->write_key_item.len,
2016 (unsigned char *)&gcmParams, NSS_AES_GCM, !doDecrypt, 2008 (unsigned char *)&gcmParams, NSS_AES_GCM, !doDecrypt,
2017 AES_BLOCK_SIZE); 2009 AES_BLOCK_SIZE);
2018 if (rv != SECSuccess) { 2010 if (rv != SECSuccess) {
2019 return rv; 2011 return rv;
(...skipping 280 matching lines...) Expand 10 before | Expand all | Expand 10 after
2300 0x5c, 0x5c, 0x5c, 0x5c 2292 0x5c, 0x5c, 0x5c, 0x5c
2301 }; 2293 };
2302 2294
2303 /* Called from: ssl3_SendRecord() 2295 /* Called from: ssl3_SendRecord()
2304 ** Caller must already hold the SpecReadLock. (wish we could assert that!) 2296 ** Caller must already hold the SpecReadLock. (wish we could assert that!)
2305 */ 2297 */
2306 static SECStatus 2298 static SECStatus
2307 ssl3_ComputeRecordMAC( 2299 ssl3_ComputeRecordMAC(
2308 ssl3CipherSpec * spec, 2300 ssl3CipherSpec * spec,
2309 PRBool useServerMacKey, 2301 PRBool useServerMacKey,
2310 PRBool isDTLS, 2302 const unsigned char *header,
2311 SSL3ContentType type, 2303 unsigned int headerLen,
2312 SSL3ProtocolVersion version,
2313 SSL3SequenceNumber seq_num,
2314 const SSL3Opaque * input, 2304 const SSL3Opaque * input,
2315 int inputLength, 2305 int inputLength,
2316 unsigned char * outbuf, 2306 unsigned char * outbuf,
2317 unsigned int * outLength) 2307 unsigned int * outLength)
2318 { 2308 {
2319 const ssl3MACDef * mac_def; 2309 const ssl3MACDef * mac_def;
2320 SECStatus rv; 2310 SECStatus rv;
2321 PRBool isTLS;
2322 unsigned int tempLen;
2323 unsigned char temp[MAX_MAC_LENGTH];
wtc 2013/08/17 00:21:15 |isTLS| is only used once, so I just inline it. I
2324 2311
2325 /* TLS MAC includes the record's version field, SSL's doesn't. 2312 PRINT_BUF(95, (NULL, "frag hash1: header", header, headerLen));
2326 ** We decide which MAC defintiion to use based on the version of
2327 ** the protocol that was negotiated when the spec became current,
2328 ** NOT based on the version value in the record itself.
2329 ** But, we use the record's version value in the computation.
2330 */
2331 isTLS = spec->version > SSL_LIBRARY_VERSION_3_0;
2332 tempLen = ssl3_BuildRecordPseudoHeader(temp, seq_num, type, isTLS,
2333 » » » » » version, isDTLS, inputLength);
2334 PORT_Assert(tempLen <= sizeof(temp));
2335
2336 PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen));
2337 PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength)); 2313 PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength));
2338 2314
2339 mac_def = spec->mac_def; 2315 mac_def = spec->mac_def;
2340 if (mac_def->mac == mac_null) { 2316 if (mac_def->mac == mac_null) {
2341 *outLength = 0; 2317 *outLength = 0;
2342 return SECSuccess; 2318 return SECSuccess;
2343 } 2319 }
2344 #ifndef NO_PKCS11_BYPASS 2320 #ifndef NO_PKCS11_BYPASS
2345 if (spec->bypassCiphers) { 2321 if (spec->bypassCiphers) {
2346 /* bypass version */ 2322 /* bypass version */
(...skipping 24 matching lines...) Expand all
2371 break; 2347 break;
2372 default: 2348 default:
2373 break; 2349 break;
2374 } 2350 }
2375 if (!hashObj) { 2351 if (!hashObj) {
2376 PORT_Assert(0); 2352 PORT_Assert(0);
2377 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 2353 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
2378 return SECFailure; 2354 return SECFailure;
2379 } 2355 }
2380 2356
2381 » if (!isTLS) { 2357 » if (spec->version <= SSL_LIBRARY_VERSION_3_0) {
2358 » unsigned int tempLen;
2359 » unsigned char temp[MAX_MAC_LENGTH];
2360
2382 /* compute "inner" part of SSL3 MAC */ 2361 /* compute "inner" part of SSL3 MAC */
2383 hashObj->begin(write_mac_context); 2362 hashObj->begin(write_mac_context);
2384 if (useServerMacKey) 2363 if (useServerMacKey)
2385 hashObj->update(write_mac_context, 2364 hashObj->update(write_mac_context,
2386 spec->server.write_mac_key_item.data, 2365 spec->server.write_mac_key_item.data,
2387 spec->server.write_mac_key_item.len); 2366 spec->server.write_mac_key_item.len);
2388 else 2367 else
2389 hashObj->update(write_mac_context, 2368 hashObj->update(write_mac_context,
2390 spec->client.write_mac_key_item.data, 2369 spec->client.write_mac_key_item.data,
2391 spec->client.write_mac_key_item.len); 2370 spec->client.write_mac_key_item.len);
2392 hashObj->update(write_mac_context, mac_pad_1, pad_bytes); 2371 hashObj->update(write_mac_context, mac_pad_1, pad_bytes);
2393 » hashObj->update(write_mac_context, temp, tempLen); 2372 » hashObj->update(write_mac_context, header, headerLen);
2394 hashObj->update(write_mac_context, input, inputLength); 2373 hashObj->update(write_mac_context, input, inputLength);
2395 hashObj->end(write_mac_context, temp, &tempLen, sizeof temp); 2374 hashObj->end(write_mac_context, temp, &tempLen, sizeof temp);
2396 2375
2397 /* compute "outer" part of SSL3 MAC */ 2376 /* compute "outer" part of SSL3 MAC */
2398 hashObj->begin(write_mac_context); 2377 hashObj->begin(write_mac_context);
2399 if (useServerMacKey) 2378 if (useServerMacKey)
2400 hashObj->update(write_mac_context, 2379 hashObj->update(write_mac_context,
2401 spec->server.write_mac_key_item.data, 2380 spec->server.write_mac_key_item.data,
2402 spec->server.write_mac_key_item.len); 2381 spec->server.write_mac_key_item.len);
2403 else 2382 else
(...skipping 10 matching lines...) Expand all
2414 rv = HMAC_Init(cx, hashObj, 2393 rv = HMAC_Init(cx, hashObj,
2415 spec->server.write_mac_key_item.data, 2394 spec->server.write_mac_key_item.data,
2416 spec->server.write_mac_key_item.len, PR_FALSE); 2395 spec->server.write_mac_key_item.len, PR_FALSE);
2417 } else { 2396 } else {
2418 rv = HMAC_Init(cx, hashObj, 2397 rv = HMAC_Init(cx, hashObj,
2419 spec->client.write_mac_key_item.data, 2398 spec->client.write_mac_key_item.data,
2420 spec->client.write_mac_key_item.len, PR_FALSE); 2399 spec->client.write_mac_key_item.len, PR_FALSE);
2421 } 2400 }
2422 if (rv == SECSuccess) { 2401 if (rv == SECSuccess) {
2423 HMAC_Begin(cx); 2402 HMAC_Begin(cx);
2424 » » HMAC_Update(cx, temp, tempLen); 2403 » » HMAC_Update(cx, header, headerLen);
2425 HMAC_Update(cx, input, inputLength); 2404 HMAC_Update(cx, input, inputLength);
2426 rv = HMAC_Finish(cx, outbuf, outLength, spec->mac_size); 2405 rv = HMAC_Finish(cx, outbuf, outLength, spec->mac_size);
2427 HMAC_Destroy(cx, PR_FALSE); 2406 HMAC_Destroy(cx, PR_FALSE);
2428 } 2407 }
2429 #undef cx 2408 #undef cx
2430 } 2409 }
2431 } else 2410 } else
2432 #endif 2411 #endif
2433 { 2412 {
2434 PK11Context *mac_context = 2413 PK11Context *mac_context =
2435 (useServerMacKey ? spec->server.write_mac_context 2414 (useServerMacKey ? spec->server.write_mac_context
2436 : spec->client.write_mac_context); 2415 : spec->client.write_mac_context);
2437 rv = PK11_DigestBegin(mac_context); 2416 rv = PK11_DigestBegin(mac_context);
2438 » rv |= PK11_DigestOp(mac_context, temp, tempLen); 2417 » rv |= PK11_DigestOp(mac_context, header, headerLen);
2439 rv |= PK11_DigestOp(mac_context, input, inputLength); 2418 rv |= PK11_DigestOp(mac_context, input, inputLength);
2440 rv |= PK11_DigestFinal(mac_context, outbuf, outLength, spec->mac_size); 2419 rv |= PK11_DigestFinal(mac_context, outbuf, outLength, spec->mac_size);
2441 } 2420 }
2442 2421
2443 PORT_Assert(rv != SECSuccess || *outLength == (unsigned)spec->mac_size); 2422 PORT_Assert(rv != SECSuccess || *outLength == (unsigned)spec->mac_size);
2444 2423
2445 PRINT_BUF(95, (NULL, "frag hash2: result", outbuf, *outLength)); 2424 PRINT_BUF(95, (NULL, "frag hash2: result", outbuf, *outLength));
2446 2425
2447 if (rv != SECSuccess) { 2426 if (rv != SECSuccess) {
2448 rv = SECFailure; 2427 rv = SECFailure;
(...skipping 19 matching lines...) Expand all
2468 /* Called from: ssl3_HandleRecord() 2447 /* Called from: ssl3_HandleRecord()
2469 * Caller must already hold the SpecReadLock. (wish we could assert that!) 2448 * Caller must already hold the SpecReadLock. (wish we could assert that!)
2470 * 2449 *
2471 * On entry: 2450 * On entry:
2472 * originalLen >= inputLen >= MAC size 2451 * originalLen >= inputLen >= MAC size
2473 */ 2452 */
2474 static SECStatus 2453 static SECStatus
2475 ssl3_ComputeRecordMACConstantTime( 2454 ssl3_ComputeRecordMACConstantTime(
2476 ssl3CipherSpec * spec, 2455 ssl3CipherSpec * spec,
2477 PRBool useServerMacKey, 2456 PRBool useServerMacKey,
2478 PRBool isDTLS, 2457 const unsigned char *header,
2479 SSL3ContentType type, 2458 unsigned int headerLen,
2480 SSL3ProtocolVersion version,
2481 SSL3SequenceNumber seq_num,
2482 const SSL3Opaque * input, 2459 const SSL3Opaque * input,
2483 int inputLen, 2460 int inputLen,
2484 int originalLen, 2461 int originalLen,
2485 unsigned char * outbuf, 2462 unsigned char * outbuf,
2486 unsigned int * outLen) 2463 unsigned int * outLen)
2487 { 2464 {
2488 CK_MECHANISM_TYPE macType; 2465 CK_MECHANISM_TYPE macType;
2489 CK_NSS_MAC_CONSTANT_TIME_PARAMS params; 2466 CK_NSS_MAC_CONSTANT_TIME_PARAMS params;
2490 PK11Context * mac_context; 2467 PK11Context * mac_context;
2491 SECItem param; 2468 SECItem param;
2492 SECStatus rv; 2469 SECStatus rv;
2493 unsigned char header[13];
2494 PK11SymKey * key; 2470 PK11SymKey * key;
2495 int recordLength;
2496 2471
2497 PORT_Assert(inputLen >= spec->mac_size); 2472 PORT_Assert(inputLen >= spec->mac_size);
2498 PORT_Assert(originalLen >= inputLen); 2473 PORT_Assert(originalLen >= inputLen);
2499 2474
2500 if (spec->bypassCiphers) { 2475 if (spec->bypassCiphers) {
2501 /* This function doesn't support PKCS#11 bypass. We fallback on the 2476 /* This function doesn't support PKCS#11 bypass. We fallback on the
2502 * non-constant time version. */ 2477 * non-constant time version. */
2503 goto fallback; 2478 goto fallback;
2504 } 2479 }
2505 2480
2506 if (spec->mac_def->mac == mac_null) { 2481 if (spec->mac_def->mac == mac_null) {
2507 *outLen = 0; 2482 *outLen = 0;
2508 return SECSuccess; 2483 return SECSuccess;
2509 } 2484 }
2510 2485
2511 header[0] = (unsigned char)(seq_num.high >> 24);
2512 header[1] = (unsigned char)(seq_num.high >> 16);
2513 header[2] = (unsigned char)(seq_num.high >> 8);
2514 header[3] = (unsigned char)(seq_num.high >> 0);
2515 header[4] = (unsigned char)(seq_num.low >> 24);
2516 header[5] = (unsigned char)(seq_num.low >> 16);
2517 header[6] = (unsigned char)(seq_num.low >> 8);
2518 header[7] = (unsigned char)(seq_num.low >> 0);
2519 header[8] = type;
2520
2521 macType = CKM_NSS_HMAC_CONSTANT_TIME; 2486 macType = CKM_NSS_HMAC_CONSTANT_TIME;
2522 recordLength = inputLen - spec->mac_size;
2523 if (spec->version <= SSL_LIBRARY_VERSION_3_0) { 2487 if (spec->version <= SSL_LIBRARY_VERSION_3_0) {
2524 macType = CKM_NSS_SSL3_MAC_CONSTANT_TIME; 2488 macType = CKM_NSS_SSL3_MAC_CONSTANT_TIME;
2525 header[9] = recordLength >> 8;
2526 header[10] = recordLength;
2527 params.ulHeaderLen = 11;
2528 } else {
2529 if (isDTLS) {
2530 SSL3ProtocolVersion dtls_version;
2531
2532 dtls_version = dtls_TLSVersionToDTLSVersion(version);
2533 header[9] = dtls_version >> 8;
2534 header[10] = dtls_version;
2535 } else {
2536 header[9] = version >> 8;
2537 header[10] = version;
2538 }
2539 header[11] = recordLength >> 8;
2540 header[12] = recordLength;
2541 params.ulHeaderLen = 13;
2542 } 2489 }
2543 2490
2544 params.macAlg = spec->mac_def->mmech; 2491 params.macAlg = spec->mac_def->mmech;
2545 params.ulBodyTotalLen = originalLen; 2492 params.ulBodyTotalLen = originalLen;
2546 params.pHeader = header; 2493 params.pHeader = (unsigned char *) header; /* const cast */
2494 params.ulHeaderLen = headerLen;
2547 2495
2548 param.data = (unsigned char*) &params; 2496 param.data = (unsigned char*) &params;
2549 param.len = sizeof(params); 2497 param.len = sizeof(params);
2550 param.type = 0; 2498 param.type = 0;
2551 2499
2552 key = spec->server.write_mac_key; 2500 key = spec->server.write_mac_key;
2553 if (!useServerMacKey) { 2501 if (!useServerMacKey) {
2554 key = spec->client.write_mac_key; 2502 key = spec->client.write_mac_key;
2555 } 2503 }
2556 mac_context = PK11_CreateContextBySymKey(macType, CKA_SIGN, key, &param); 2504 mac_context = PK11_CreateContextBySymKey(macType, CKA_SIGN, key, &param);
(...skipping 12 matching lines...) Expand all
2569 if (rv != SECSuccess) { 2517 if (rv != SECSuccess) {
2570 rv = SECFailure; 2518 rv = SECFailure;
2571 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); 2519 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
2572 } 2520 }
2573 return rv; 2521 return rv;
2574 2522
2575 fallback: 2523 fallback:
2576 /* ssl3_ComputeRecordMAC expects the MAC to have been removed from the 2524 /* ssl3_ComputeRecordMAC expects the MAC to have been removed from the
2577 * length already. */ 2525 * length already. */
2578 inputLen -= spec->mac_size; 2526 inputLen -= spec->mac_size;
2579 return ssl3_ComputeRecordMAC(spec, useServerMacKey, isDTLS, type, 2527 return ssl3_ComputeRecordMAC(spec, useServerMacKey, header, headerLen,
2580 » » » » version, seq_num, input, inputLen, 2528 » » » » input, inputLen, outbuf, outLen);
2581 » » » » outbuf, outLen);
2582 } 2529 }
2583 2530
2584 static PRBool 2531 static PRBool
2585 ssl3_ClientAuthTokenPresent(sslSessionID *sid) { 2532 ssl3_ClientAuthTokenPresent(sslSessionID *sid) {
2586 PK11SlotInfo *slot = NULL; 2533 PK11SlotInfo *slot = NULL;
2587 PRBool isPresent = PR_TRUE; 2534 PRBool isPresent = PR_TRUE;
2588 2535
2589 /* we only care if we are doing client auth */ 2536 /* we only care if we are doing client auth */
2590 /* If NSS_PLATFORM_CLIENT_AUTH is defined and a platformClientKey is being 2537 /* If NSS_PLATFORM_CLIENT_AUTH is defined and a platformClientKey is being
2591 * used, u.ssl3.clAuthValid will be false and this function will always 2538 * used, u.ssl3.clAuthValid will be false and this function will always
(...skipping 31 matching lines...) Expand 10 before | Expand all | Expand 10 after
2623 sslBuffer * wrBuf) 2570 sslBuffer * wrBuf)
2624 { 2571 {
2625 const ssl3BulkCipherDef * cipher_def; 2572 const ssl3BulkCipherDef * cipher_def;
2626 SECStatus rv; 2573 SECStatus rv;
2627 PRUint32 macLen = 0; 2574 PRUint32 macLen = 0;
2628 PRUint32 fragLen; 2575 PRUint32 fragLen;
2629 PRUint32 p1Len, p2Len, oddLen = 0; 2576 PRUint32 p1Len, p2Len, oddLen = 0;
2630 PRUint16 headerLen; 2577 PRUint16 headerLen;
2631 int ivLen = 0; 2578 int ivLen = 0;
2632 int cipherBytes = 0; 2579 int cipherBytes = 0;
2580 unsigned char pseudoHeader[13];
2581 unsigned int pseudoHeaderLen;
2633 2582
2634 cipher_def = cwSpec->cipher_def; 2583 cipher_def = cwSpec->cipher_def;
2635 headerLen = isDTLS ? DTLS_RECORD_HEADER_LENGTH : SSL3_RECORD_HEADER_LENGTH; 2584 headerLen = isDTLS ? DTLS_RECORD_HEADER_LENGTH : SSL3_RECORD_HEADER_LENGTH;
2636 2585
2637 if (cipher_def->type == type_block && 2586 if (cipher_def->type == type_block &&
2638 cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { 2587 cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) {
2639 /* Prepend the per-record explicit IV using technique 2b from 2588 /* Prepend the per-record explicit IV using technique 2b from
2640 * RFC 4346 section 6.2.3.2: The IV is a cryptographically 2589 * RFC 4346 section 6.2.3.2: The IV is a cryptographically
2641 * strong random number XORed with the CBC residue from the previous 2590 * strong random number XORed with the CBC residue from the previous
2642 * record. 2591 * record.
(...skipping 25 matching lines...) Expand all
2668 rv = cwSpec->compressor( 2617 rv = cwSpec->compressor(
2669 cwSpec->compressContext, 2618 cwSpec->compressContext,
2670 wrBuf->buf + headerLen + ivLen, &outlen, 2619 wrBuf->buf + headerLen + ivLen, &outlen,
2671 wrBuf->space - headerLen - ivLen, pIn, contentLen); 2620 wrBuf->space - headerLen - ivLen, pIn, contentLen);
2672 if (rv != SECSuccess) 2621 if (rv != SECSuccess)
2673 return rv; 2622 return rv;
2674 pIn = wrBuf->buf + headerLen + ivLen; 2623 pIn = wrBuf->buf + headerLen + ivLen;
2675 contentLen = outlen; 2624 contentLen = outlen;
2676 } 2625 }
2677 2626
2627 pseudoHeaderLen = ssl3_BuildRecordPseudoHeader(pseudoHeader,
Ryan Sleevi 2013/08/17 02:00:23 This is really weird indentation of that first par
wtc 2013/08/19 23:31:56 Done.
2628 cwSpec->write_seq_num, type,
2629 cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_0, cwSpec->version,
2630 isDTLS, contentLen);
2631 PORT_Assert(pseudoHeaderLen <= sizeof(pseudoHeader));
2678 if (cipher_def->type == type_aead) { 2632 if (cipher_def->type == type_aead) {
2679 const int nonceLen = cipher_def->explicit_nonce_size; 2633 const int nonceLen = cipher_def->explicit_nonce_size;
2680 const int tagLen = cipher_def->tag_size; 2634 const int tagLen = cipher_def->tag_size;
2681 2635
2682 if (headerLen + nonceLen + contentLen + tagLen > wrBuf->space) { 2636 if (headerLen + nonceLen + contentLen + tagLen > wrBuf->space) {
2683 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 2637 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
2684 return SECFailure; 2638 return SECFailure;
2685 } 2639 }
2686 2640
2687 cipherBytes = contentLen; 2641 cipherBytes = contentLen;
2688 rv = cwSpec->aead( 2642 rv = cwSpec->aead(
2689 isServer ? &cwSpec->server : &cwSpec->client, 2643 isServer ? &cwSpec->server : &cwSpec->client,
2690 PR_FALSE, /* do encrypt */ 2644 PR_FALSE, /* do encrypt */
2691 wrBuf->buf + headerLen, /* output */ 2645 wrBuf->buf + headerLen, /* output */
2692 &cipherBytes, /* out len */ 2646 &cipherBytes, /* out len */
2693 wrBuf->space - headerLen, /* max out */ 2647 wrBuf->space - headerLen, /* max out */
2694 pIn, contentLen, /* input */ 2648 pIn, contentLen, /* input */
2695 » » type, cwSpec->version, cwSpec->write_seq_num); 2649 » » pseudoHeader, pseudoHeaderLen);
2696 if (rv != SECSuccess) { 2650 if (rv != SECSuccess) {
2697 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); 2651 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
2698 return SECFailure; 2652 return SECFailure;
2699 } 2653 }
2700 } else { 2654 } else {
2701 /* 2655 /*
2702 * Add the MAC 2656 * Add the MAC
2703 */ 2657 */
2704 » rv = ssl3_ComputeRecordMAC( cwSpec, isServer, isDTLS, 2658 » rv = ssl3_ComputeRecordMAC(cwSpec, isServer,
2705 » type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen, 2659 » pseudoHeader, pseudoHeaderLen, pIn, contentLen,
2706 wrBuf->buf + headerLen + ivLen + contentLen, &macLen); 2660 wrBuf->buf + headerLen + ivLen + contentLen, &macLen);
2707 if (rv != SECSuccess) { 2661 if (rv != SECSuccess) {
2708 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); 2662 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
2709 return SECFailure; 2663 return SECFailure;
2710 } 2664 }
2711 p1Len = contentLen; 2665 p1Len = contentLen;
2712 p2Len = macLen; 2666 p2Len = macLen;
2713 fragLen = contentLen + macLen; /* needs to be encrypted */ 2667 fragLen = contentLen + macLen; /* needs to be encrypted */
2714 PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024); 2668 PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024);
2715 2669
(...skipping 8684 matching lines...) Expand 10 before | Expand all | Expand 10 after
11400 SSL3Opaque hash[MAX_MAC_LENGTH]; 11354 SSL3Opaque hash[MAX_MAC_LENGTH];
11401 SSL3Opaque givenHashBuf[MAX_MAC_LENGTH]; 11355 SSL3Opaque givenHashBuf[MAX_MAC_LENGTH];
11402 SSL3Opaque *givenHash; 11356 SSL3Opaque *givenHash;
11403 sslBuffer *plaintext; 11357 sslBuffer *plaintext;
11404 sslBuffer temp_buf; 11358 sslBuffer temp_buf;
11405 PRUint64 dtls_seq_num; 11359 PRUint64 dtls_seq_num;
11406 unsigned int ivLen = 0; 11360 unsigned int ivLen = 0;
11407 unsigned int originalLen = 0; 11361 unsigned int originalLen = 0;
11408 unsigned int good; 11362 unsigned int good;
11409 unsigned int minLength; 11363 unsigned int minLength;
11364 unsigned char header[13];
11365 unsigned int headerLen;
11410 11366
11411 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 11367 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
11412 11368
11413 if (!ss->ssl3.initialized) { 11369 if (!ss->ssl3.initialized) {
11414 ssl_GetSSL3HandshakeLock(ss); 11370 ssl_GetSSL3HandshakeLock(ss);
11415 rv = ssl3_InitState(ss); 11371 rv = ssl3_InitState(ss);
11416 ssl_ReleaseSSL3HandshakeLock(ss); 11372 ssl_ReleaseSSL3HandshakeLock(ss);
11417 if (rv != SECSuccess) { 11373 if (rv != SECSuccess) {
11418 return rv; /* ssl3_InitState has set the error code. */ 11374 return rv; /* ssl3_InitState has set the error code. */
11419 } 11375 }
(...skipping 133 matching lines...) Expand 10 before | Expand all | Expand 10 after
11553 11509
11554 if (isTLS && cText->buf->len - ivLen > (MAX_FRAGMENT_LENGTH + 2048)) { 11510 if (isTLS && cText->buf->len - ivLen > (MAX_FRAGMENT_LENGTH + 2048)) {
11555 ssl_ReleaseSpecReadLock(ss); 11511 ssl_ReleaseSpecReadLock(ss);
11556 SSL3_SendAlert(ss, alert_fatal, record_overflow); 11512 SSL3_SendAlert(ss, alert_fatal, record_overflow);
11557 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); 11513 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
11558 return SECFailure; 11514 return SECFailure;
11559 } 11515 }
11560 11516
11561 rType = cText->type; 11517 rType = cText->type;
11562 if (cipher_def->type == type_aead) { 11518 if (cipher_def->type == type_aead) {
11519 /* XXX Is this true for all AEAD ciphers? */
Ryan Sleevi 2013/08/17 02:00:23 No. This is covered in http://tools.ietf.org/html
wtc 2013/08/19 23:31:56 Done. Thank you for the research. I updated the co
11520 unsigned int decryptedLen =
11521 cText->buf->len - cipher_def->explicit_nonce_size -
11522 cipher_def->tag_size;
11523 headerLen = ssl3_BuildRecordPseudoHeader(header,
11524 IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, rType,
11525 isTLS, cText->version, IS_DTLS(ss), decryptedLen);
11526 PORT_Assert(headerLen <= sizeof(header));
11563 rv = crSpec->aead( 11527 rv = crSpec->aead(
11564 ss->sec.isServer ? &crSpec->client : &crSpec->server, 11528 ss->sec.isServer ? &crSpec->client : &crSpec->server,
11565 PR_TRUE, /* do decrypt */ 11529 PR_TRUE, /* do decrypt */
11566 plaintext->buf, /* out */ 11530 plaintext->buf, /* out */
11567 (int*) &plaintext->len, /* outlen */ 11531 (int*) &plaintext->len, /* outlen */
11568 plaintext->space, /* maxout */ 11532 plaintext->space, /* maxout */
11569 cText->buf->buf, /* in */ 11533 cText->buf->buf, /* in */
11570 cText->buf->len, /* inlen */ 11534 cText->buf->len, /* inlen */
11571 » » rType, /* record type */ 11535 » » header, headerLen);
11572 » » cText->version,
11573 » » IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num);
11574 if (rv != SECSuccess) { 11536 if (rv != SECSuccess) {
11575 good = 0; 11537 good = 0;
11576 } 11538 }
11577 } else { 11539 } else {
11578 if (cipher_def->type == type_block && 11540 if (cipher_def->type == type_block &&
11579 ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) { 11541 ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) {
11580 goto decrypt_loser; 11542 goto decrypt_loser;
11581 } 11543 }
11582 11544
11583 /* decrypt from cText buf to plaintext. */ 11545 /* decrypt from cText buf to plaintext. */
11584 rv = crSpec->decode( 11546 rv = crSpec->decode(
11585 crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len, 11547 crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len,
11586 plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen); 11548 plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen);
11587 if (rv != SECSuccess) { 11549 if (rv != SECSuccess) {
11588 goto decrypt_loser; 11550 goto decrypt_loser;
11589 } 11551 }
11590 11552
11591 PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len)); 11553 PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len));
11592 11554
11593 originalLen = plaintext->len; 11555 originalLen = plaintext->len;
11594 11556
11595 /* If it's a block cipher, check and strip the padding. */ 11557 /* If it's a block cipher, check and strip the padding. */
11596 if (cipher_def->type == type_block) { 11558 if (cipher_def->type == type_block) {
11597 const unsigned int blockSize = cipher_def->block_size; 11559 const unsigned int blockSize = cipher_def->block_size;
11598 const unsigned int macSize = crSpec->mac_size; 11560 const unsigned int macSize = crSpec->mac_size;
11599 11561
11600 » if (crSpec->version <= SSL_LIBRARY_VERSION_3_0) { 11562 » if (!isTLS) {
11601 good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding( 11563 good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding(
11602 plaintext, blockSize, macSize)); 11564 plaintext, blockSize, macSize));
11603 } else { 11565 } else {
11604 good &= SECStatusToMask(ssl_RemoveTLSCBCPadding( 11566 good &= SECStatusToMask(ssl_RemoveTLSCBCPadding(
11605 plaintext, macSize)); 11567 plaintext, macSize));
11606 } 11568 }
11607 } 11569 }
11608 11570
11609 /* compute the MAC */ 11571 /* compute the MAC */
11572 headerLen = ssl3_BuildRecordPseudoHeader(header,
11573 IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, rType,
11574 isTLS, cText->version, IS_DTLS(ss),
11575 plaintext->len - crSpec->mac_size);
11576 PORT_Assert(headerLen <= sizeof(header));
11610 if (cipher_def->type == type_block) { 11577 if (cipher_def->type == type_block) {
11611 rv = ssl3_ComputeRecordMACConstantTime( 11578 rv = ssl3_ComputeRecordMACConstantTime(
11612 » » crSpec, (PRBool)(!ss->sec.isServer), 11579 » » crSpec, (PRBool)(!ss->sec.isServer), header, headerLen,
11613 » » IS_DTLS(ss), rType, cText->version,
11614 » » IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
11615 plaintext->buf, plaintext->len, originalLen, 11580 plaintext->buf, plaintext->len, originalLen,
11616 hash, &hashBytes); 11581 hash, &hashBytes);
11617 11582
11618 ssl_CBCExtractMAC(plaintext, originalLen, givenHashBuf, 11583 ssl_CBCExtractMAC(plaintext, originalLen, givenHashBuf,
11619 crSpec->mac_size); 11584 crSpec->mac_size);
11620 givenHash = givenHashBuf; 11585 givenHash = givenHashBuf;
11621 11586
11622 /* plaintext->len will always have enough space to remove the MAC 11587 /* plaintext->len will always have enough space to remove the MAC
11623 * because in ssl_Remove{SSLv3|TLS}CBCPadding we only adjust 11588 * because in ssl_Remove{SSLv3|TLS}CBCPadding we only adjust
11624 * plaintext->len if the result has enough space for the MAC and we 11589 * plaintext->len if the result has enough space for the MAC and we
11625 * tested the unadjusted size against minLength, above. */ 11590 * tested the unadjusted size against minLength, above. */
11626 plaintext->len -= crSpec->mac_size; 11591 plaintext->len -= crSpec->mac_size;
11627 } else { 11592 } else {
11628 /* This is safe because we checked the minLength above. */ 11593 /* This is safe because we checked the minLength above. */
11629 plaintext->len -= crSpec->mac_size; 11594 plaintext->len -= crSpec->mac_size;
11630 11595
11631 rv = ssl3_ComputeRecordMAC( 11596 rv = ssl3_ComputeRecordMAC(
11632 » » crSpec, (PRBool)(!ss->sec.isServer), 11597 » » crSpec, (PRBool)(!ss->sec.isServer), header, headerLen,
11633 » » IS_DTLS(ss), rType, cText->version, 11598 » » plaintext->buf, plaintext->len, hash, &hashBytes);
11634 » » IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
11635 » » plaintext->buf, plaintext->len,
11636 » » hash, &hashBytes);
11637 11599
11638 /* We can read the MAC directly from the record because its location 11600 /* We can read the MAC directly from the record because its location
11639 * is public when a stream cipher is used. */ 11601 * is public when a stream cipher is used. */
11640 givenHash = plaintext->buf + plaintext->len; 11602 givenHash = plaintext->buf + plaintext->len;
11641 } 11603 }
11642 11604
11643 good &= SECStatusToMask(rv); 11605 good &= SECStatusToMask(rv);
11644 11606
11645 if (hashBytes != (unsigned)crSpec->mac_size || 11607 if (hashBytes != (unsigned)crSpec->mac_size ||
11646 NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) { 11608 NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) {
(...skipping 654 matching lines...) Expand 10 before | Expand all | Expand 10 after
12301 PORT_Free(ss->ssl3.hs.recvdFragments.buf); 12263 PORT_Free(ss->ssl3.hs.recvdFragments.buf);
12302 } 12264 }
12303 } 12265 }
12304 12266
12305 ss->ssl3.initialized = PR_FALSE; 12267 ss->ssl3.initialized = PR_FALSE;
12306 12268
12307 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); 12269 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
12308 } 12270 }
12309 12271
12310 /* End of ssl3con.c */ 12272 /* End of ssl3con.c */
OLDNEW
« net/third_party/nss/ssl/dtlscon.c ('K') | « net/third_party/nss/ssl/dtlscon.c ('k') | net/third_party/nss/ssl/sslimpl.h » ('j') | net/third_party/nss/ssl/sslimpl.h » ('J')

Powered by Google App Engine
This is Rietveld 408576698