OLD | NEW |
---|---|
1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ | 1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ |
2 /* | 2 /* |
3 * SSL3 Protocol | 3 * SSL3 Protocol |
4 * | 4 * |
5 * This Source Code Form is subject to the terms of the Mozilla Public | 5 * This Source Code Form is subject to the terms of the Mozilla Public |
6 * License, v. 2.0. If a copy of the MPL was not distributed with this | 6 * License, v. 2.0. If a copy of the MPL was not distributed with this |
7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
8 | 8 |
9 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */ | 9 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */ |
10 | 10 |
(...skipping 67 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
78 static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags); | 78 static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags); |
79 static int ssl3_OIDToTLSHashAlgorithm(SECOidTag oid); | 79 static int ssl3_OIDToTLSHashAlgorithm(SECOidTag oid); |
80 | 80 |
81 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, | 81 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, |
82 int maxOutputLen, const unsigned char *input, | 82 int maxOutputLen, const unsigned char *input, |
83 int inputLen); | 83 int inputLen); |
84 #ifndef NO_PKCS11_BYPASS | 84 #ifndef NO_PKCS11_BYPASS |
85 static SECStatus ssl3_AESGCMBypass(ssl3KeyMaterial *keys, PRBool doDecrypt, | 85 static SECStatus ssl3_AESGCMBypass(ssl3KeyMaterial *keys, PRBool doDecrypt, |
86 unsigned char *out, int *outlen, int maxout, | 86 unsigned char *out, int *outlen, int maxout, |
87 const unsigned char *in, int inlen, | 87 const unsigned char *in, int inlen, |
88 » » » » SSL3ContentType type, | 88 » » » » const unsigned char *additionalData, |
89 » » » » SSL3ProtocolVersion version, | 89 » » » » int additionalDataLen); |
90 » » » » SSL3SequenceNumber seq_num); | |
91 #endif | 90 #endif |
92 | 91 |
93 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */ | 92 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */ |
94 #define MIN_SEND_BUF_LENGTH 4000 | 93 #define MIN_SEND_BUF_LENGTH 4000 |
95 | 94 |
96 /* This list of SSL3 cipher suites is sorted in descending order of | 95 /* This list of SSL3 cipher suites is sorted in descending order of |
97 * precedence (desirability). It only includes cipher suites we implement. | 96 * precedence (desirability). It only includes cipher suites we implement. |
98 * This table is modified by SSL3_SetPolicy(). The ordering of cipher suites | 97 * This table is modified by SSL3_SetPolicy(). The ordering of cipher suites |
99 * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c) | 98 * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c) |
100 */ | 99 */ |
(...skipping 288 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
389 cipher_camellia_256, mac_sha, kea_dhe_rsa}, | 388 cipher_camellia_256, mac_sha, kea_dhe_rsa}, |
390 | 389 |
391 {TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, | 390 {TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, |
392 cipher_des, mac_sha,kea_rsa_export_1024}, | 391 cipher_des, mac_sha,kea_rsa_export_1024}, |
393 {TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, | 392 {TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, |
394 cipher_rc4_56, mac_sha,kea_rsa_export_1024}, | 393 cipher_rc4_56, mac_sha,kea_rsa_export_1024}, |
395 | 394 |
396 {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips}, | 395 {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips}, |
397 {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips}, | 396 {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips}, |
398 | 397 |
399 {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_dhe_ rsa}, | 398 {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_ rsa}, |
400 {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_rsa}, | 399 {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa}, |
401 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_ec dhe_rsa}, | 400 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ec dhe_rsa}, |
402 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_ ecdhe_ecdsa}, | 401 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ ecdhe_ecdsa}, |
403 | 402 |
404 #ifdef NSS_ENABLE_ECC | 403 #ifdef NSS_ENABLE_ECC |
405 {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa}, | 404 {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa}, |
406 {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa}, | 405 {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa}, |
407 {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa} , | 406 {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa} , |
408 {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecds a}, | 407 {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecds a}, |
409 {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecds a}, | 408 {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecds a}, |
410 | 409 |
411 {TLS_ECDHE_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_ecdsa }, | 410 {TLS_ECDHE_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_ecdsa }, |
412 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_ecdsa }, | 411 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_ecdsa }, |
(...skipping 48 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
461 { calg_3des , CKM_DES3_CBC }, | 460 { calg_3des , CKM_DES3_CBC }, |
462 { calg_idea , CKM_IDEA_CBC }, | 461 { calg_idea , CKM_IDEA_CBC }, |
463 { calg_fortezza , CKM_SKIPJACK_CBC64 }, | 462 { calg_fortezza , CKM_SKIPJACK_CBC64 }, |
464 { calg_aes , CKM_AES_CBC }, | 463 { calg_aes , CKM_AES_CBC }, |
465 { calg_camellia , CKM_CAMELLIA_CBC }, | 464 { calg_camellia , CKM_CAMELLIA_CBC }, |
466 { calg_seed , CKM_SEED_CBC }, | 465 { calg_seed , CKM_SEED_CBC }, |
467 { calg_aes_gcm , CKM_AES_GCM }, | 466 { calg_aes_gcm , CKM_AES_GCM }, |
468 /* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */ | 467 /* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */ |
469 }; | 468 }; |
470 | 469 |
471 #define mmech_null (CK_MECHANISM_TYPE)0x80000000L | 470 #define mmech_invalid (CK_MECHANISM_TYPE)0x80000000L |
wtc
2013/08/19 23:31:57
0x80000000 is the CKM_VENDOR_DEFINED. I think we a
| |
472 #define mmech_md5 CKM_SSL3_MD5_MAC | 471 #define mmech_md5 CKM_SSL3_MD5_MAC |
473 #define mmech_sha CKM_SSL3_SHA1_MAC | 472 #define mmech_sha CKM_SSL3_SHA1_MAC |
474 #define mmech_md5_hmac CKM_MD5_HMAC | 473 #define mmech_md5_hmac CKM_MD5_HMAC |
475 #define mmech_sha_hmac CKM_SHA_1_HMAC | 474 #define mmech_sha_hmac CKM_SHA_1_HMAC |
476 #define mmech_sha256_hmac CKM_SHA256_HMAC | 475 #define mmech_sha256_hmac CKM_SHA256_HMAC |
476 #define mmech_sha384_hmac CKM_SHA384_HMAC | |
477 #define mmech_sha512_hmac CKM_SHA512_HMAC | |
477 | 478 |
478 static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */ | 479 static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */ |
479 /* pad_size is only used for SSL 3.0 MAC. See RFC 6101 Sec. 5.2.3.1. */ | 480 /* pad_size is only used for SSL 3.0 MAC. See RFC 6101 Sec. 5.2.3.1. */ |
480 /* mac mmech pad_size mac_size */ | 481 /* mac mmech pad_size mac_size */ |
481 { mac_null, mmech_null, 0, 0 }, | 482 { mac_null, mmech_invalid, 0, 0 }, |
482 { mac_md5, mmech_md5, 48, MD5_LENGTH }, | 483 { mac_md5, mmech_md5, 48, MD5_LENGTH }, |
483 { mac_sha, mmech_sha, 40, SHA1_LENGTH}, | 484 { mac_sha, mmech_sha, 40, SHA1_LENGTH}, |
484 {hmac_md5, mmech_md5_hmac, 0, MD5_LENGTH }, | 485 {hmac_md5, mmech_md5_hmac, 0, MD5_LENGTH }, |
485 {hmac_sha, mmech_sha_hmac, 0, SHA1_LENGTH}, | 486 {hmac_sha, mmech_sha_hmac, 0, SHA1_LENGTH}, |
486 {hmac_sha256, mmech_sha256_hmac, 0, SHA256_LENGTH}, | 487 {hmac_sha256, mmech_sha256_hmac, 0, SHA256_LENGTH}, |
488 { mac_aead, mmech_invalid, 0, 0 }, | |
487 }; | 489 }; |
488 | 490 |
489 /* indexed by SSL3BulkCipher */ | 491 /* indexed by SSL3BulkCipher */ |
490 const char * const ssl3_cipherName[] = { | 492 const char * const ssl3_cipherName[] = { |
491 "NULL", | 493 "NULL", |
492 "RC4", | 494 "RC4", |
493 "RC4-40", | 495 "RC4-40", |
494 "RC4-56", | 496 "RC4-56", |
495 "RC2-CBC", | 497 "RC2-CBC", |
496 "RC2-CBC-40", | 498 "RC2-CBC-40", |
(...skipping 1262 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1759 case CKM_RC2_MAC: | 1761 case CKM_RC2_MAC: |
1760 case CKM_RC2_MAC_GENERAL: | 1762 case CKM_RC2_MAC_GENERAL: |
1761 case CKM_RC2_CBC_PAD: | 1763 case CKM_RC2_CBC_PAD: |
1762 *(CK_RC2_PARAMS *)param->data = ulEffectiveBits; | 1764 *(CK_RC2_PARAMS *)param->data = ulEffectiveBits; |
1763 default: break; | 1765 default: break; |
1764 } | 1766 } |
1765 } | 1767 } |
1766 return param; | 1768 return param; |
1767 } | 1769 } |
1768 | 1770 |
1769 /* ssl3_BuildRecordPseudoHeader writes the TLS pseudo-header (the data which | 1771 /* ssl3_BuildRecordPseudoHeader writes the SSL/TLS pseudo-header (the data |
1770 * is included in the MAC) to |out| and returns its length. */ | 1772 * which is included in the MAC or AEAD additional data) to |out| and returns |
1773 * its length. See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the | |
1774 * definition of the AEAD additional data. | |
1775 * | |
1776 * TLS pseudo-header includes the record's version field, SSL's doesn't. Which | |
1777 * pseudo-header defintiion to use should be decided based on the version of | |
1778 * the protocol that was negotiated when the spec became current, NOT based on | |
Ryan Sleevi
2013/08/20 01:38:50
s/spec/cipher spec/?
My concern is the ambiguity
wtc
2013/08/20 19:13:11
Done.
| |
1779 * the version value in the record itself, and the decision is passed to this | |
1780 * function as the |includesVersion| argument. But, the |version| argument | |
1781 * should be the record's version value. | |
1782 */ | |
1771 static unsigned int | 1783 static unsigned int |
1772 ssl3_BuildRecordPseudoHeader(unsigned char *out, | 1784 ssl3_BuildRecordPseudoHeader(unsigned char *out, |
1773 SSL3SequenceNumber seq_num, | 1785 SSL3SequenceNumber seq_num, |
1774 SSL3ContentType type, | 1786 SSL3ContentType type, |
1775 PRBool includesVersion, | 1787 PRBool includesVersion, |
1776 SSL3ProtocolVersion version, | 1788 SSL3ProtocolVersion version, |
1777 PRBool isDTLS, | 1789 PRBool isDTLS, |
1778 int length) | 1790 int length) |
1779 { | 1791 { |
1780 out[0] = (unsigned char)(seq_num.high >> 24); | 1792 out[0] = (unsigned char)(seq_num.high >> 24); |
(...skipping 93 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1874 } | 1886 } |
1875 | 1887 |
1876 static SECStatus | 1888 static SECStatus |
1877 ssl3_AESGCM(ssl3KeyMaterial *keys, | 1889 ssl3_AESGCM(ssl3KeyMaterial *keys, |
1878 PRBool doDecrypt, | 1890 PRBool doDecrypt, |
1879 unsigned char *out, | 1891 unsigned char *out, |
1880 int *outlen, | 1892 int *outlen, |
1881 int maxout, | 1893 int maxout, |
1882 const unsigned char *in, | 1894 const unsigned char *in, |
1883 int inlen, | 1895 int inlen, |
1884 » SSL3ContentType type, | 1896 » const unsigned char *additionalData, |
1885 » SSL3ProtocolVersion version, | 1897 » int additionalDataLen) |
1886 » SSL3SequenceNumber seq_num) | |
1887 { | 1898 { |
1888 SECItem param; | 1899 SECItem param; |
1889 SECStatus rv = SECFailure; | 1900 SECStatus rv = SECFailure; |
1890 unsigned char nonce[12]; | 1901 unsigned char nonce[12]; |
1891 unsigned char additionalData[13]; | |
1892 unsigned int additionalDataLen; | |
1893 unsigned int uOutLen; | 1902 unsigned int uOutLen; |
1894 CK_GCM_PARAMS gcmParams; | 1903 CK_GCM_PARAMS gcmParams; |
1895 | 1904 |
1896 static const int tagSize = 16; | 1905 static const int tagSize = 16; |
1897 static const int explicitNonceLen = 8; | 1906 static const int explicitNonceLen = 8; |
1898 | 1907 |
1899 /* See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the | |
1900 * definition of the AEAD additional data. */ | |
1901 additionalDataLen = ssl3_BuildRecordPseudoHeader( | |
1902 additionalData, seq_num, type, PR_TRUE /* includes version */, | |
1903 version, PR_FALSE /* not DTLS */, | |
1904 inlen - (doDecrypt ? explicitNonceLen + tagSize : 0)); | |
1905 PORT_Assert(additionalDataLen <= sizeof(additionalData)); | |
1906 | |
1907 /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the | 1908 /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the |
1908 * nonce is formed. */ | 1909 * nonce is formed. */ |
1909 memcpy(nonce, keys->write_iv, 4); | 1910 memcpy(nonce, keys->write_iv, 4); |
1910 if (doDecrypt) { | 1911 if (doDecrypt) { |
1911 memcpy(nonce + 4, in, explicitNonceLen); | 1912 memcpy(nonce + 4, in, explicitNonceLen); |
1912 in += explicitNonceLen; | 1913 in += explicitNonceLen; |
1913 inlen -= explicitNonceLen; | 1914 inlen -= explicitNonceLen; |
1914 *outlen = 0; | 1915 *outlen = 0; |
1915 } else { | 1916 } else { |
1916 if (maxout < explicitNonceLen) { | 1917 if (maxout < explicitNonceLen) { |
1917 PORT_SetError(SEC_ERROR_INPUT_LEN); | 1918 PORT_SetError(SEC_ERROR_INPUT_LEN); |
1918 return SECFailure; | 1919 return SECFailure; |
1919 } | 1920 } |
1920 /* Use the 64-bit sequence number as the explicit nonce. */ | 1921 /* Use the 64-bit sequence number as the explicit nonce. */ |
1921 memcpy(nonce + 4, additionalData, explicitNonceLen); | 1922 memcpy(nonce + 4, additionalData, explicitNonceLen); |
1922 memcpy(out, additionalData, explicitNonceLen); | 1923 memcpy(out, additionalData, explicitNonceLen); |
1923 out += explicitNonceLen; | 1924 out += explicitNonceLen; |
1924 maxout -= explicitNonceLen; | 1925 maxout -= explicitNonceLen; |
1925 *outlen = explicitNonceLen; | 1926 *outlen = explicitNonceLen; |
1926 } | 1927 } |
1927 | 1928 |
1928 param.type = siBuffer; | 1929 param.type = siBuffer; |
1929 param.data = (unsigned char *) &gcmParams; | 1930 param.data = (unsigned char *) &gcmParams; |
1930 param.len = sizeof(gcmParams); | 1931 param.len = sizeof(gcmParams); |
1931 gcmParams.pIv = nonce; | 1932 gcmParams.pIv = nonce; |
1932 gcmParams.ulIvLen = sizeof(nonce); | 1933 gcmParams.ulIvLen = sizeof(nonce); |
1933 gcmParams.pAAD = additionalData; | 1934 gcmParams.pAAD = (unsigned char *)additionalData; /* const cast */ |
1934 gcmParams.ulAADLen = additionalDataLen; | 1935 gcmParams.ulAADLen = additionalDataLen; |
1935 gcmParams.ulTagBits = tagSize * 8; | 1936 gcmParams.ulTagBits = tagSize * 8; |
1936 | 1937 |
1937 if (doDecrypt) { | 1938 if (doDecrypt) { |
1938 rv = pk11_decrypt(keys->write_key, CKM_AES_GCM, ¶m, out, &uOutLen, | 1939 rv = pk11_decrypt(keys->write_key, CKM_AES_GCM, ¶m, out, &uOutLen, |
1939 maxout, in, inlen); | 1940 maxout, in, inlen); |
1940 } else { | 1941 } else { |
1941 rv = pk11_encrypt(keys->write_key, CKM_AES_GCM, ¶m, out, &uOutLen, | 1942 rv = pk11_encrypt(keys->write_key, CKM_AES_GCM, ¶m, out, &uOutLen, |
1942 maxout, in, inlen); | 1943 maxout, in, inlen); |
1943 } | 1944 } |
1944 *outlen += (int) uOutLen; | 1945 *outlen += (int) uOutLen; |
1945 | 1946 |
1946 return rv; | 1947 return rv; |
1947 } | 1948 } |
1948 | 1949 |
1949 #ifndef NO_PKCS11_BYPASS | 1950 #ifndef NO_PKCS11_BYPASS |
1950 static SECStatus | 1951 static SECStatus |
1951 ssl3_AESGCMBypass(ssl3KeyMaterial *keys, | 1952 ssl3_AESGCMBypass(ssl3KeyMaterial *keys, |
1952 PRBool doDecrypt, | 1953 PRBool doDecrypt, |
1953 unsigned char *out, | 1954 unsigned char *out, |
1954 int *outlen, | 1955 int *outlen, |
1955 int maxout, | 1956 int maxout, |
1956 const unsigned char *in, | 1957 const unsigned char *in, |
1957 int inlen, | 1958 int inlen, |
1958 » » SSL3ContentType type, | 1959 » » const unsigned char *additionalData, |
1959 » » SSL3ProtocolVersion version, | 1960 » » int additionalDataLen) |
1960 » » SSL3SequenceNumber seq_num) | |
1961 { | 1961 { |
1962 SECStatus rv = SECFailure; | 1962 SECStatus rv = SECFailure; |
1963 unsigned char nonce[12]; | 1963 unsigned char nonce[12]; |
1964 unsigned char additionalData[13]; | |
1965 unsigned int additionalDataLen; | |
1966 unsigned int uOutLen; | 1964 unsigned int uOutLen; |
1967 AESContext *cx; | 1965 AESContext *cx; |
1968 CK_GCM_PARAMS gcmParams; | 1966 CK_GCM_PARAMS gcmParams; |
1969 | 1967 |
1970 static const int tagSize = 16; | 1968 static const int tagSize = 16; |
1971 static const int explicitNonceLen = 8; | 1969 static const int explicitNonceLen = 8; |
1972 | 1970 |
1973 /* See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the | |
1974 * definition of the AEAD additional data. */ | |
1975 additionalDataLen = ssl3_BuildRecordPseudoHeader( | |
1976 additionalData, seq_num, type, PR_TRUE /* includes version */, | |
1977 version, PR_FALSE /* not DTLS */, | |
1978 inlen - (doDecrypt ? explicitNonceLen + tagSize : 0)); | |
1979 PORT_Assert(additionalDataLen <= sizeof(additionalData)); | |
1980 | |
1981 /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the | 1971 /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the |
1982 * nonce is formed. */ | 1972 * nonce is formed. */ |
1983 PORT_Assert(keys->write_iv_item.len == 4); | 1973 PORT_Assert(keys->write_iv_item.len == 4); |
1984 if (keys->write_iv_item.len != 4) { | 1974 if (keys->write_iv_item.len != 4) { |
1985 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | 1975 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
1986 return SECFailure; | 1976 return SECFailure; |
1987 } | 1977 } |
1988 memcpy(nonce, keys->write_iv_item.data, 4); | 1978 memcpy(nonce, keys->write_iv_item.data, 4); |
1989 if (doDecrypt) { | 1979 if (doDecrypt) { |
1990 memcpy(nonce + 4, in, explicitNonceLen); | 1980 memcpy(nonce + 4, in, explicitNonceLen); |
1991 in += explicitNonceLen; | 1981 in += explicitNonceLen; |
1992 inlen -= explicitNonceLen; | 1982 inlen -= explicitNonceLen; |
1993 *outlen = 0; | 1983 *outlen = 0; |
1994 } else { | 1984 } else { |
1995 if (maxout < explicitNonceLen) { | 1985 if (maxout < explicitNonceLen) { |
1996 PORT_SetError(SEC_ERROR_INPUT_LEN); | 1986 PORT_SetError(SEC_ERROR_INPUT_LEN); |
1997 return SECFailure; | 1987 return SECFailure; |
1998 } | 1988 } |
1999 /* Use the 64-bit sequence number as the explicit nonce. */ | 1989 /* Use the 64-bit sequence number as the explicit nonce. */ |
2000 memcpy(nonce + 4, additionalData, explicitNonceLen); | 1990 memcpy(nonce + 4, additionalData, explicitNonceLen); |
2001 memcpy(out, additionalData, explicitNonceLen); | 1991 memcpy(out, additionalData, explicitNonceLen); |
2002 out += explicitNonceLen; | 1992 out += explicitNonceLen; |
2003 maxout -= explicitNonceLen; | 1993 maxout -= explicitNonceLen; |
2004 *outlen = explicitNonceLen; | 1994 *outlen = explicitNonceLen; |
2005 } | 1995 } |
2006 | 1996 |
2007 gcmParams.pIv = nonce; | 1997 gcmParams.pIv = nonce; |
2008 gcmParams.ulIvLen = sizeof(nonce); | 1998 gcmParams.ulIvLen = sizeof(nonce); |
2009 gcmParams.pAAD = additionalData; | 1999 gcmParams.pAAD = (unsigned char *)additionalData; /* const cast */ |
2010 gcmParams.ulAADLen = additionalDataLen; | 2000 gcmParams.ulAADLen = additionalDataLen; |
2011 gcmParams.ulTagBits = tagSize * 8; | 2001 gcmParams.ulTagBits = tagSize * 8; |
2012 | 2002 |
2013 cx = (AESContext *)keys->cipher_context; | 2003 cx = (AESContext *)keys->cipher_context; |
2014 rv = AES_InitContext(cx, keys->write_key_item.data, | 2004 rv = AES_InitContext(cx, keys->write_key_item.data, |
2015 keys->write_key_item.len, | 2005 keys->write_key_item.len, |
2016 (unsigned char *)&gcmParams, NSS_AES_GCM, !doDecrypt, | 2006 (unsigned char *)&gcmParams, NSS_AES_GCM, !doDecrypt, |
2017 AES_BLOCK_SIZE); | 2007 AES_BLOCK_SIZE); |
2018 if (rv != SECSuccess) { | 2008 if (rv != SECSuccess) { |
2019 return rv; | 2009 return rv; |
(...skipping 280 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
2300 0x5c, 0x5c, 0x5c, 0x5c | 2290 0x5c, 0x5c, 0x5c, 0x5c |
2301 }; | 2291 }; |
2302 | 2292 |
2303 /* Called from: ssl3_SendRecord() | 2293 /* Called from: ssl3_SendRecord() |
2304 ** Caller must already hold the SpecReadLock. (wish we could assert that!) | 2294 ** Caller must already hold the SpecReadLock. (wish we could assert that!) |
2305 */ | 2295 */ |
2306 static SECStatus | 2296 static SECStatus |
2307 ssl3_ComputeRecordMAC( | 2297 ssl3_ComputeRecordMAC( |
2308 ssl3CipherSpec * spec, | 2298 ssl3CipherSpec * spec, |
2309 PRBool useServerMacKey, | 2299 PRBool useServerMacKey, |
2310 PRBool isDTLS, | 2300 const unsigned char *header, |
2311 SSL3ContentType type, | 2301 unsigned int headerLen, |
2312 SSL3ProtocolVersion version, | |
2313 SSL3SequenceNumber seq_num, | |
2314 const SSL3Opaque * input, | 2302 const SSL3Opaque * input, |
2315 int inputLength, | 2303 int inputLength, |
2316 unsigned char * outbuf, | 2304 unsigned char * outbuf, |
2317 unsigned int * outLength) | 2305 unsigned int * outLength) |
2318 { | 2306 { |
2319 const ssl3MACDef * mac_def; | 2307 const ssl3MACDef * mac_def; |
2320 SECStatus rv; | 2308 SECStatus rv; |
2321 PRBool isTLS; | |
2322 unsigned int tempLen; | |
2323 unsigned char temp[MAX_MAC_LENGTH]; | |
2324 | 2309 |
2325 /* TLS MAC includes the record's version field, SSL's doesn't. | 2310 PRINT_BUF(95, (NULL, "frag hash1: header", header, headerLen)); |
2326 ** We decide which MAC defintiion to use based on the version of | |
2327 ** the protocol that was negotiated when the spec became current, | |
2328 ** NOT based on the version value in the record itself. | |
2329 ** But, we use the record's version value in the computation. | |
2330 */ | |
2331 isTLS = spec->version > SSL_LIBRARY_VERSION_3_0; | |
2332 tempLen = ssl3_BuildRecordPseudoHeader(temp, seq_num, type, isTLS, | |
2333 » » » » » version, isDTLS, inputLength); | |
2334 PORT_Assert(tempLen <= sizeof(temp)); | |
2335 | |
2336 PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen)); | |
2337 PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength)); | 2311 PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength)); |
2338 | 2312 |
2339 mac_def = spec->mac_def; | 2313 mac_def = spec->mac_def; |
2340 if (mac_def->mac == mac_null) { | 2314 if (mac_def->mac == mac_null) { |
2341 *outLength = 0; | 2315 *outLength = 0; |
2342 return SECSuccess; | 2316 return SECSuccess; |
2343 } | 2317 } |
2344 #ifndef NO_PKCS11_BYPASS | 2318 #ifndef NO_PKCS11_BYPASS |
2345 if (spec->bypassCiphers) { | 2319 if (spec->bypassCiphers) { |
2346 /* bypass version */ | 2320 /* bypass version */ |
(...skipping 24 matching lines...) Expand all Loading... | |
2371 break; | 2345 break; |
2372 default: | 2346 default: |
2373 break; | 2347 break; |
2374 } | 2348 } |
2375 if (!hashObj) { | 2349 if (!hashObj) { |
2376 PORT_Assert(0); | 2350 PORT_Assert(0); |
2377 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | 2351 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
2378 return SECFailure; | 2352 return SECFailure; |
2379 } | 2353 } |
2380 | 2354 |
2381 » if (!isTLS) { | 2355 » if (spec->version <= SSL_LIBRARY_VERSION_3_0) { |
2356 » unsigned int tempLen; | |
2357 » unsigned char temp[MAX_MAC_LENGTH]; | |
2358 | |
2382 /* compute "inner" part of SSL3 MAC */ | 2359 /* compute "inner" part of SSL3 MAC */ |
2383 hashObj->begin(write_mac_context); | 2360 hashObj->begin(write_mac_context); |
2384 if (useServerMacKey) | 2361 if (useServerMacKey) |
2385 hashObj->update(write_mac_context, | 2362 hashObj->update(write_mac_context, |
2386 spec->server.write_mac_key_item.data, | 2363 spec->server.write_mac_key_item.data, |
2387 spec->server.write_mac_key_item.len); | 2364 spec->server.write_mac_key_item.len); |
2388 else | 2365 else |
2389 hashObj->update(write_mac_context, | 2366 hashObj->update(write_mac_context, |
2390 spec->client.write_mac_key_item.data, | 2367 spec->client.write_mac_key_item.data, |
2391 spec->client.write_mac_key_item.len); | 2368 spec->client.write_mac_key_item.len); |
2392 hashObj->update(write_mac_context, mac_pad_1, pad_bytes); | 2369 hashObj->update(write_mac_context, mac_pad_1, pad_bytes); |
2393 » hashObj->update(write_mac_context, temp, tempLen); | 2370 » hashObj->update(write_mac_context, header, headerLen); |
2394 hashObj->update(write_mac_context, input, inputLength); | 2371 hashObj->update(write_mac_context, input, inputLength); |
2395 hashObj->end(write_mac_context, temp, &tempLen, sizeof temp); | 2372 hashObj->end(write_mac_context, temp, &tempLen, sizeof temp); |
2396 | 2373 |
2397 /* compute "outer" part of SSL3 MAC */ | 2374 /* compute "outer" part of SSL3 MAC */ |
2398 hashObj->begin(write_mac_context); | 2375 hashObj->begin(write_mac_context); |
2399 if (useServerMacKey) | 2376 if (useServerMacKey) |
2400 hashObj->update(write_mac_context, | 2377 hashObj->update(write_mac_context, |
2401 spec->server.write_mac_key_item.data, | 2378 spec->server.write_mac_key_item.data, |
2402 spec->server.write_mac_key_item.len); | 2379 spec->server.write_mac_key_item.len); |
2403 else | 2380 else |
(...skipping 10 matching lines...) Expand all Loading... | |
2414 rv = HMAC_Init(cx, hashObj, | 2391 rv = HMAC_Init(cx, hashObj, |
2415 spec->server.write_mac_key_item.data, | 2392 spec->server.write_mac_key_item.data, |
2416 spec->server.write_mac_key_item.len, PR_FALSE); | 2393 spec->server.write_mac_key_item.len, PR_FALSE); |
2417 } else { | 2394 } else { |
2418 rv = HMAC_Init(cx, hashObj, | 2395 rv = HMAC_Init(cx, hashObj, |
2419 spec->client.write_mac_key_item.data, | 2396 spec->client.write_mac_key_item.data, |
2420 spec->client.write_mac_key_item.len, PR_FALSE); | 2397 spec->client.write_mac_key_item.len, PR_FALSE); |
2421 } | 2398 } |
2422 if (rv == SECSuccess) { | 2399 if (rv == SECSuccess) { |
2423 HMAC_Begin(cx); | 2400 HMAC_Begin(cx); |
2424 » » HMAC_Update(cx, temp, tempLen); | 2401 » » HMAC_Update(cx, header, headerLen); |
2425 HMAC_Update(cx, input, inputLength); | 2402 HMAC_Update(cx, input, inputLength); |
2426 rv = HMAC_Finish(cx, outbuf, outLength, spec->mac_size); | 2403 rv = HMAC_Finish(cx, outbuf, outLength, spec->mac_size); |
2427 HMAC_Destroy(cx, PR_FALSE); | 2404 HMAC_Destroy(cx, PR_FALSE); |
2428 } | 2405 } |
2429 #undef cx | 2406 #undef cx |
2430 } | 2407 } |
2431 } else | 2408 } else |
2432 #endif | 2409 #endif |
2433 { | 2410 { |
2434 PK11Context *mac_context = | 2411 PK11Context *mac_context = |
2435 (useServerMacKey ? spec->server.write_mac_context | 2412 (useServerMacKey ? spec->server.write_mac_context |
2436 : spec->client.write_mac_context); | 2413 : spec->client.write_mac_context); |
2437 rv = PK11_DigestBegin(mac_context); | 2414 rv = PK11_DigestBegin(mac_context); |
2438 » rv |= PK11_DigestOp(mac_context, temp, tempLen); | 2415 » rv |= PK11_DigestOp(mac_context, header, headerLen); |
2439 rv |= PK11_DigestOp(mac_context, input, inputLength); | 2416 rv |= PK11_DigestOp(mac_context, input, inputLength); |
2440 rv |= PK11_DigestFinal(mac_context, outbuf, outLength, spec->mac_size); | 2417 rv |= PK11_DigestFinal(mac_context, outbuf, outLength, spec->mac_size); |
2441 } | 2418 } |
2442 | 2419 |
2443 PORT_Assert(rv != SECSuccess || *outLength == (unsigned)spec->mac_size); | 2420 PORT_Assert(rv != SECSuccess || *outLength == (unsigned)spec->mac_size); |
2444 | 2421 |
2445 PRINT_BUF(95, (NULL, "frag hash2: result", outbuf, *outLength)); | 2422 PRINT_BUF(95, (NULL, "frag hash2: result", outbuf, *outLength)); |
2446 | 2423 |
2447 if (rv != SECSuccess) { | 2424 if (rv != SECSuccess) { |
2448 rv = SECFailure; | 2425 rv = SECFailure; |
(...skipping 19 matching lines...) Expand all Loading... | |
2468 /* Called from: ssl3_HandleRecord() | 2445 /* Called from: ssl3_HandleRecord() |
2469 * Caller must already hold the SpecReadLock. (wish we could assert that!) | 2446 * Caller must already hold the SpecReadLock. (wish we could assert that!) |
2470 * | 2447 * |
2471 * On entry: | 2448 * On entry: |
2472 * originalLen >= inputLen >= MAC size | 2449 * originalLen >= inputLen >= MAC size |
2473 */ | 2450 */ |
2474 static SECStatus | 2451 static SECStatus |
2475 ssl3_ComputeRecordMACConstantTime( | 2452 ssl3_ComputeRecordMACConstantTime( |
2476 ssl3CipherSpec * spec, | 2453 ssl3CipherSpec * spec, |
2477 PRBool useServerMacKey, | 2454 PRBool useServerMacKey, |
2478 PRBool isDTLS, | 2455 const unsigned char *header, |
2479 SSL3ContentType type, | 2456 unsigned int headerLen, |
2480 SSL3ProtocolVersion version, | |
2481 SSL3SequenceNumber seq_num, | |
2482 const SSL3Opaque * input, | 2457 const SSL3Opaque * input, |
2483 int inputLen, | 2458 int inputLen, |
2484 int originalLen, | 2459 int originalLen, |
2485 unsigned char * outbuf, | 2460 unsigned char * outbuf, |
2486 unsigned int * outLen) | 2461 unsigned int * outLen) |
2487 { | 2462 { |
2488 CK_MECHANISM_TYPE macType; | 2463 CK_MECHANISM_TYPE macType; |
2489 CK_NSS_MAC_CONSTANT_TIME_PARAMS params; | 2464 CK_NSS_MAC_CONSTANT_TIME_PARAMS params; |
2490 PK11Context * mac_context; | 2465 PK11Context * mac_context; |
2491 SECItem param; | 2466 SECItem param; |
2492 SECStatus rv; | 2467 SECStatus rv; |
2493 unsigned char header[13]; | |
2494 PK11SymKey * key; | 2468 PK11SymKey * key; |
2495 int recordLength; | |
2496 | 2469 |
2497 PORT_Assert(inputLen >= spec->mac_size); | 2470 PORT_Assert(inputLen >= spec->mac_size); |
2498 PORT_Assert(originalLen >= inputLen); | 2471 PORT_Assert(originalLen >= inputLen); |
2499 | 2472 |
2500 if (spec->bypassCiphers) { | 2473 if (spec->bypassCiphers) { |
2501 /* This function doesn't support PKCS#11 bypass. We fallback on the | 2474 /* This function doesn't support PKCS#11 bypass. We fallback on the |
2502 * non-constant time version. */ | 2475 * non-constant time version. */ |
2503 goto fallback; | 2476 goto fallback; |
2504 } | 2477 } |
2505 | 2478 |
2506 if (spec->mac_def->mac == mac_null) { | 2479 if (spec->mac_def->mac == mac_null) { |
2507 *outLen = 0; | 2480 *outLen = 0; |
2508 return SECSuccess; | 2481 return SECSuccess; |
2509 } | 2482 } |
2510 | 2483 |
2511 header[0] = (unsigned char)(seq_num.high >> 24); | |
2512 header[1] = (unsigned char)(seq_num.high >> 16); | |
2513 header[2] = (unsigned char)(seq_num.high >> 8); | |
2514 header[3] = (unsigned char)(seq_num.high >> 0); | |
2515 header[4] = (unsigned char)(seq_num.low >> 24); | |
2516 header[5] = (unsigned char)(seq_num.low >> 16); | |
2517 header[6] = (unsigned char)(seq_num.low >> 8); | |
2518 header[7] = (unsigned char)(seq_num.low >> 0); | |
2519 header[8] = type; | |
2520 | |
2521 macType = CKM_NSS_HMAC_CONSTANT_TIME; | 2484 macType = CKM_NSS_HMAC_CONSTANT_TIME; |
2522 recordLength = inputLen - spec->mac_size; | |
2523 if (spec->version <= SSL_LIBRARY_VERSION_3_0) { | 2485 if (spec->version <= SSL_LIBRARY_VERSION_3_0) { |
2524 macType = CKM_NSS_SSL3_MAC_CONSTANT_TIME; | 2486 macType = CKM_NSS_SSL3_MAC_CONSTANT_TIME; |
2525 header[9] = recordLength >> 8; | |
2526 header[10] = recordLength; | |
2527 params.ulHeaderLen = 11; | |
2528 } else { | |
2529 if (isDTLS) { | |
2530 SSL3ProtocolVersion dtls_version; | |
2531 | |
2532 dtls_version = dtls_TLSVersionToDTLSVersion(version); | |
2533 header[9] = dtls_version >> 8; | |
2534 header[10] = dtls_version; | |
2535 } else { | |
2536 header[9] = version >> 8; | |
2537 header[10] = version; | |
2538 } | |
2539 header[11] = recordLength >> 8; | |
2540 header[12] = recordLength; | |
2541 params.ulHeaderLen = 13; | |
2542 } | 2487 } |
2543 | 2488 |
2544 params.macAlg = spec->mac_def->mmech; | 2489 params.macAlg = spec->mac_def->mmech; |
2545 params.ulBodyTotalLen = originalLen; | 2490 params.ulBodyTotalLen = originalLen; |
2546 params.pHeader = header; | 2491 params.pHeader = (unsigned char *) header; /* const cast */ |
2492 params.ulHeaderLen = headerLen; | |
2547 | 2493 |
2548 param.data = (unsigned char*) ¶ms; | 2494 param.data = (unsigned char*) ¶ms; |
2549 param.len = sizeof(params); | 2495 param.len = sizeof(params); |
2550 param.type = 0; | 2496 param.type = 0; |
2551 | 2497 |
2552 key = spec->server.write_mac_key; | 2498 key = spec->server.write_mac_key; |
2553 if (!useServerMacKey) { | 2499 if (!useServerMacKey) { |
2554 key = spec->client.write_mac_key; | 2500 key = spec->client.write_mac_key; |
2555 } | 2501 } |
2556 mac_context = PK11_CreateContextBySymKey(macType, CKA_SIGN, key, ¶m); | 2502 mac_context = PK11_CreateContextBySymKey(macType, CKA_SIGN, key, ¶m); |
(...skipping 12 matching lines...) Expand all Loading... | |
2569 if (rv != SECSuccess) { | 2515 if (rv != SECSuccess) { |
2570 rv = SECFailure; | 2516 rv = SECFailure; |
2571 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); | 2517 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); |
2572 } | 2518 } |
2573 return rv; | 2519 return rv; |
2574 | 2520 |
2575 fallback: | 2521 fallback: |
2576 /* ssl3_ComputeRecordMAC expects the MAC to have been removed from the | 2522 /* ssl3_ComputeRecordMAC expects the MAC to have been removed from the |
2577 * length already. */ | 2523 * length already. */ |
2578 inputLen -= spec->mac_size; | 2524 inputLen -= spec->mac_size; |
2579 return ssl3_ComputeRecordMAC(spec, useServerMacKey, isDTLS, type, | 2525 return ssl3_ComputeRecordMAC(spec, useServerMacKey, header, headerLen, |
2580 » » » » version, seq_num, input, inputLen, | 2526 » » » » input, inputLen, outbuf, outLen); |
2581 » » » » outbuf, outLen); | |
2582 } | 2527 } |
2583 | 2528 |
2584 static PRBool | 2529 static PRBool |
2585 ssl3_ClientAuthTokenPresent(sslSessionID *sid) { | 2530 ssl3_ClientAuthTokenPresent(sslSessionID *sid) { |
2586 PK11SlotInfo *slot = NULL; | 2531 PK11SlotInfo *slot = NULL; |
2587 PRBool isPresent = PR_TRUE; | 2532 PRBool isPresent = PR_TRUE; |
2588 | 2533 |
2589 /* we only care if we are doing client auth */ | 2534 /* we only care if we are doing client auth */ |
2590 /* If NSS_PLATFORM_CLIENT_AUTH is defined and a platformClientKey is being | 2535 /* If NSS_PLATFORM_CLIENT_AUTH is defined and a platformClientKey is being |
2591 * used, u.ssl3.clAuthValid will be false and this function will always | 2536 * used, u.ssl3.clAuthValid will be false and this function will always |
(...skipping 31 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
2623 sslBuffer * wrBuf) | 2568 sslBuffer * wrBuf) |
2624 { | 2569 { |
2625 const ssl3BulkCipherDef * cipher_def; | 2570 const ssl3BulkCipherDef * cipher_def; |
2626 SECStatus rv; | 2571 SECStatus rv; |
2627 PRUint32 macLen = 0; | 2572 PRUint32 macLen = 0; |
2628 PRUint32 fragLen; | 2573 PRUint32 fragLen; |
2629 PRUint32 p1Len, p2Len, oddLen = 0; | 2574 PRUint32 p1Len, p2Len, oddLen = 0; |
2630 PRUint16 headerLen; | 2575 PRUint16 headerLen; |
2631 int ivLen = 0; | 2576 int ivLen = 0; |
2632 int cipherBytes = 0; | 2577 int cipherBytes = 0; |
2578 unsigned char pseudoHeader[13]; | |
2579 unsigned int pseudoHeaderLen; | |
2633 | 2580 |
2634 cipher_def = cwSpec->cipher_def; | 2581 cipher_def = cwSpec->cipher_def; |
2635 headerLen = isDTLS ? DTLS_RECORD_HEADER_LENGTH : SSL3_RECORD_HEADER_LENGTH; | 2582 headerLen = isDTLS ? DTLS_RECORD_HEADER_LENGTH : SSL3_RECORD_HEADER_LENGTH; |
2636 | 2583 |
2637 if (cipher_def->type == type_block && | 2584 if (cipher_def->type == type_block && |
2638 cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { | 2585 cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { |
2639 /* Prepend the per-record explicit IV using technique 2b from | 2586 /* Prepend the per-record explicit IV using technique 2b from |
2640 * RFC 4346 section 6.2.3.2: The IV is a cryptographically | 2587 * RFC 4346 section 6.2.3.2: The IV is a cryptographically |
2641 * strong random number XORed with the CBC residue from the previous | 2588 * strong random number XORed with the CBC residue from the previous |
2642 * record. | 2589 * record. |
(...skipping 25 matching lines...) Expand all Loading... | |
2668 rv = cwSpec->compressor( | 2615 rv = cwSpec->compressor( |
2669 cwSpec->compressContext, | 2616 cwSpec->compressContext, |
2670 wrBuf->buf + headerLen + ivLen, &outlen, | 2617 wrBuf->buf + headerLen + ivLen, &outlen, |
2671 wrBuf->space - headerLen - ivLen, pIn, contentLen); | 2618 wrBuf->space - headerLen - ivLen, pIn, contentLen); |
2672 if (rv != SECSuccess) | 2619 if (rv != SECSuccess) |
2673 return rv; | 2620 return rv; |
2674 pIn = wrBuf->buf + headerLen + ivLen; | 2621 pIn = wrBuf->buf + headerLen + ivLen; |
2675 contentLen = outlen; | 2622 contentLen = outlen; |
2676 } | 2623 } |
2677 | 2624 |
2625 pseudoHeaderLen = ssl3_BuildRecordPseudoHeader( | |
2626 pseudoHeader, cwSpec->write_seq_num, type, | |
2627 cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_0, cwSpec->version, | |
2628 isDTLS, contentLen); | |
2629 PORT_Assert(pseudoHeaderLen <= sizeof(pseudoHeader)); | |
2678 if (cipher_def->type == type_aead) { | 2630 if (cipher_def->type == type_aead) { |
2679 const int nonceLen = cipher_def->explicit_nonce_size; | 2631 const int nonceLen = cipher_def->explicit_nonce_size; |
2680 const int tagLen = cipher_def->tag_size; | 2632 const int tagLen = cipher_def->tag_size; |
2681 | 2633 |
2682 if (headerLen + nonceLen + contentLen + tagLen > wrBuf->space) { | 2634 if (headerLen + nonceLen + contentLen + tagLen > wrBuf->space) { |
2683 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | 2635 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
2684 return SECFailure; | 2636 return SECFailure; |
2685 } | 2637 } |
2686 | 2638 |
2687 cipherBytes = contentLen; | 2639 cipherBytes = contentLen; |
2688 rv = cwSpec->aead( | 2640 rv = cwSpec->aead( |
2689 isServer ? &cwSpec->server : &cwSpec->client, | 2641 isServer ? &cwSpec->server : &cwSpec->client, |
2690 PR_FALSE, /* do encrypt */ | 2642 PR_FALSE, /* do encrypt */ |
2691 wrBuf->buf + headerLen, /* output */ | 2643 wrBuf->buf + headerLen, /* output */ |
2692 &cipherBytes, /* out len */ | 2644 &cipherBytes, /* out len */ |
2693 wrBuf->space - headerLen, /* max out */ | 2645 wrBuf->space - headerLen, /* max out */ |
2694 pIn, contentLen, /* input */ | 2646 pIn, contentLen, /* input */ |
2695 » » type, cwSpec->version, cwSpec->write_seq_num); | 2647 » » pseudoHeader, pseudoHeaderLen); |
2696 if (rv != SECSuccess) { | 2648 if (rv != SECSuccess) { |
2697 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); | 2649 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); |
2698 return SECFailure; | 2650 return SECFailure; |
2699 } | 2651 } |
2700 } else { | 2652 } else { |
2701 /* | 2653 /* |
2702 * Add the MAC | 2654 * Add the MAC |
2703 */ | 2655 */ |
2704 » rv = ssl3_ComputeRecordMAC( cwSpec, isServer, isDTLS, | 2656 » rv = ssl3_ComputeRecordMAC(cwSpec, isServer, |
2705 » type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen, | 2657 » pseudoHeader, pseudoHeaderLen, pIn, contentLen, |
2706 wrBuf->buf + headerLen + ivLen + contentLen, &macLen); | 2658 wrBuf->buf + headerLen + ivLen + contentLen, &macLen); |
2707 if (rv != SECSuccess) { | 2659 if (rv != SECSuccess) { |
2708 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); | 2660 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); |
2709 return SECFailure; | 2661 return SECFailure; |
2710 } | 2662 } |
2711 p1Len = contentLen; | 2663 p1Len = contentLen; |
2712 p2Len = macLen; | 2664 p2Len = macLen; |
2713 fragLen = contentLen + macLen; /* needs to be encrypted */ | 2665 fragLen = contentLen + macLen; /* needs to be encrypted */ |
2714 PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024); | 2666 PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024); |
2715 | 2667 |
(...skipping 8684 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
11400 SSL3Opaque hash[MAX_MAC_LENGTH]; | 11352 SSL3Opaque hash[MAX_MAC_LENGTH]; |
11401 SSL3Opaque givenHashBuf[MAX_MAC_LENGTH]; | 11353 SSL3Opaque givenHashBuf[MAX_MAC_LENGTH]; |
11402 SSL3Opaque *givenHash; | 11354 SSL3Opaque *givenHash; |
11403 sslBuffer *plaintext; | 11355 sslBuffer *plaintext; |
11404 sslBuffer temp_buf; | 11356 sslBuffer temp_buf; |
11405 PRUint64 dtls_seq_num; | 11357 PRUint64 dtls_seq_num; |
11406 unsigned int ivLen = 0; | 11358 unsigned int ivLen = 0; |
11407 unsigned int originalLen = 0; | 11359 unsigned int originalLen = 0; |
11408 unsigned int good; | 11360 unsigned int good; |
11409 unsigned int minLength; | 11361 unsigned int minLength; |
11362 unsigned char header[13]; | |
11363 unsigned int headerLen; | |
11410 | 11364 |
11411 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 11365 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
11412 | 11366 |
11413 if (!ss->ssl3.initialized) { | 11367 if (!ss->ssl3.initialized) { |
11414 ssl_GetSSL3HandshakeLock(ss); | 11368 ssl_GetSSL3HandshakeLock(ss); |
11415 rv = ssl3_InitState(ss); | 11369 rv = ssl3_InitState(ss); |
11416 ssl_ReleaseSSL3HandshakeLock(ss); | 11370 ssl_ReleaseSSL3HandshakeLock(ss); |
11417 if (rv != SECSuccess) { | 11371 if (rv != SECSuccess) { |
11418 return rv; /* ssl3_InitState has set the error code. */ | 11372 return rv; /* ssl3_InitState has set the error code. */ |
11419 } | 11373 } |
(...skipping 133 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
11553 | 11507 |
11554 if (isTLS && cText->buf->len - ivLen > (MAX_FRAGMENT_LENGTH + 2048)) { | 11508 if (isTLS && cText->buf->len - ivLen > (MAX_FRAGMENT_LENGTH + 2048)) { |
11555 ssl_ReleaseSpecReadLock(ss); | 11509 ssl_ReleaseSpecReadLock(ss); |
11556 SSL3_SendAlert(ss, alert_fatal, record_overflow); | 11510 SSL3_SendAlert(ss, alert_fatal, record_overflow); |
11557 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); | 11511 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); |
11558 return SECFailure; | 11512 return SECFailure; |
11559 } | 11513 } |
11560 | 11514 |
11561 rType = cText->type; | 11515 rType = cText->type; |
11562 if (cipher_def->type == type_aead) { | 11516 if (cipher_def->type == type_aead) { |
11517 /* XXX For many AEAD ciphers, the plaintext is shorter than the | |
11518 * ciphertext by a fixed byte count, but it is not true in general. | |
11519 * Each AEAD cipher should provide a function that returns the | |
11520 * plaintext length for a given ciphertext. */ | |
Ryan Sleevi
2013/08/20 01:38:50
How *would* this work for the AES-CBC+SHA case?
I
wtc
2013/08/20 19:13:11
You are right. I believe AEAD_AES_128_CBC_HMAC_SHA
| |
11521 unsigned int decryptedLen = | |
11522 cText->buf->len - cipher_def->explicit_nonce_size - | |
11523 cipher_def->tag_size; | |
11524 headerLen = ssl3_BuildRecordPseudoHeader( | |
11525 header, IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, | |
11526 rType, isTLS, cText->version, IS_DTLS(ss), decryptedLen); | |
11527 PORT_Assert(headerLen <= sizeof(header)); | |
11563 rv = crSpec->aead( | 11528 rv = crSpec->aead( |
11564 ss->sec.isServer ? &crSpec->client : &crSpec->server, | 11529 ss->sec.isServer ? &crSpec->client : &crSpec->server, |
11565 PR_TRUE, /* do decrypt */ | 11530 PR_TRUE, /* do decrypt */ |
11566 plaintext->buf, /* out */ | 11531 plaintext->buf, /* out */ |
11567 (int*) &plaintext->len, /* outlen */ | 11532 (int*) &plaintext->len, /* outlen */ |
11568 plaintext->space, /* maxout */ | 11533 plaintext->space, /* maxout */ |
11569 cText->buf->buf, /* in */ | 11534 cText->buf->buf, /* in */ |
11570 cText->buf->len, /* inlen */ | 11535 cText->buf->len, /* inlen */ |
11571 » » rType, /* record type */ | 11536 » » header, headerLen); |
11572 » » cText->version, | |
11573 » » IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num); | |
11574 if (rv != SECSuccess) { | 11537 if (rv != SECSuccess) { |
11575 good = 0; | 11538 good = 0; |
11576 } | 11539 } |
11577 } else { | 11540 } else { |
11578 if (cipher_def->type == type_block && | 11541 if (cipher_def->type == type_block && |
11579 ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) { | 11542 ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) { |
11580 goto decrypt_loser; | 11543 goto decrypt_loser; |
11581 } | 11544 } |
11582 | 11545 |
11583 /* decrypt from cText buf to plaintext. */ | 11546 /* decrypt from cText buf to plaintext. */ |
11584 rv = crSpec->decode( | 11547 rv = crSpec->decode( |
11585 crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len, | 11548 crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len, |
11586 plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen); | 11549 plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen); |
11587 if (rv != SECSuccess) { | 11550 if (rv != SECSuccess) { |
11588 goto decrypt_loser; | 11551 goto decrypt_loser; |
11589 } | 11552 } |
11590 | 11553 |
11591 PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len)); | 11554 PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len)); |
11592 | 11555 |
11593 originalLen = plaintext->len; | 11556 originalLen = plaintext->len; |
11594 | 11557 |
11595 /* If it's a block cipher, check and strip the padding. */ | 11558 /* If it's a block cipher, check and strip the padding. */ |
11596 if (cipher_def->type == type_block) { | 11559 if (cipher_def->type == type_block) { |
11597 const unsigned int blockSize = cipher_def->block_size; | 11560 const unsigned int blockSize = cipher_def->block_size; |
11598 const unsigned int macSize = crSpec->mac_size; | 11561 const unsigned int macSize = crSpec->mac_size; |
11599 | 11562 |
11600 » if (crSpec->version <= SSL_LIBRARY_VERSION_3_0) { | 11563 » if (!isTLS) { |
11601 good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding( | 11564 good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding( |
11602 plaintext, blockSize, macSize)); | 11565 plaintext, blockSize, macSize)); |
11603 } else { | 11566 } else { |
11604 good &= SECStatusToMask(ssl_RemoveTLSCBCPadding( | 11567 good &= SECStatusToMask(ssl_RemoveTLSCBCPadding( |
11605 plaintext, macSize)); | 11568 plaintext, macSize)); |
11606 } | 11569 } |
11607 } | 11570 } |
11608 | 11571 |
11609 /* compute the MAC */ | 11572 /* compute the MAC */ |
11573 headerLen = ssl3_BuildRecordPseudoHeader( | |
11574 header, IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, | |
11575 rType, isTLS, cText->version, IS_DTLS(ss), | |
11576 plaintext->len - crSpec->mac_size); | |
11577 PORT_Assert(headerLen <= sizeof(header)); | |
11610 if (cipher_def->type == type_block) { | 11578 if (cipher_def->type == type_block) { |
11611 rv = ssl3_ComputeRecordMACConstantTime( | 11579 rv = ssl3_ComputeRecordMACConstantTime( |
11612 » » crSpec, (PRBool)(!ss->sec.isServer), | 11580 » » crSpec, (PRBool)(!ss->sec.isServer), header, headerLen, |
11613 » » IS_DTLS(ss), rType, cText->version, | |
11614 » » IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, | |
11615 plaintext->buf, plaintext->len, originalLen, | 11581 plaintext->buf, plaintext->len, originalLen, |
11616 hash, &hashBytes); | 11582 hash, &hashBytes); |
11617 | 11583 |
11618 ssl_CBCExtractMAC(plaintext, originalLen, givenHashBuf, | 11584 ssl_CBCExtractMAC(plaintext, originalLen, givenHashBuf, |
11619 crSpec->mac_size); | 11585 crSpec->mac_size); |
11620 givenHash = givenHashBuf; | 11586 givenHash = givenHashBuf; |
11621 | 11587 |
11622 /* plaintext->len will always have enough space to remove the MAC | 11588 /* plaintext->len will always have enough space to remove the MAC |
11623 * because in ssl_Remove{SSLv3|TLS}CBCPadding we only adjust | 11589 * because in ssl_Remove{SSLv3|TLS}CBCPadding we only adjust |
11624 * plaintext->len if the result has enough space for the MAC and we | 11590 * plaintext->len if the result has enough space for the MAC and we |
11625 * tested the unadjusted size against minLength, above. */ | 11591 * tested the unadjusted size against minLength, above. */ |
11626 plaintext->len -= crSpec->mac_size; | 11592 plaintext->len -= crSpec->mac_size; |
11627 } else { | 11593 } else { |
11628 /* This is safe because we checked the minLength above. */ | 11594 /* This is safe because we checked the minLength above. */ |
11629 plaintext->len -= crSpec->mac_size; | 11595 plaintext->len -= crSpec->mac_size; |
11630 | 11596 |
11631 rv = ssl3_ComputeRecordMAC( | 11597 rv = ssl3_ComputeRecordMAC( |
11632 » » crSpec, (PRBool)(!ss->sec.isServer), | 11598 » » crSpec, (PRBool)(!ss->sec.isServer), header, headerLen, |
11633 » » IS_DTLS(ss), rType, cText->version, | 11599 » » plaintext->buf, plaintext->len, hash, &hashBytes); |
11634 » » IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, | |
11635 » » plaintext->buf, plaintext->len, | |
11636 » » hash, &hashBytes); | |
11637 | 11600 |
11638 /* We can read the MAC directly from the record because its location | 11601 /* We can read the MAC directly from the record because its location |
11639 * is public when a stream cipher is used. */ | 11602 * is public when a stream cipher is used. */ |
11640 givenHash = plaintext->buf + plaintext->len; | 11603 givenHash = plaintext->buf + plaintext->len; |
11641 } | 11604 } |
11642 | 11605 |
11643 good &= SECStatusToMask(rv); | 11606 good &= SECStatusToMask(rv); |
11644 | 11607 |
11645 if (hashBytes != (unsigned)crSpec->mac_size || | 11608 if (hashBytes != (unsigned)crSpec->mac_size || |
11646 NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) { | 11609 NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) { |
(...skipping 654 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
12301 PORT_Free(ss->ssl3.hs.recvdFragments.buf); | 12264 PORT_Free(ss->ssl3.hs.recvdFragments.buf); |
12302 } | 12265 } |
12303 } | 12266 } |
12304 | 12267 |
12305 ss->ssl3.initialized = PR_FALSE; | 12268 ss->ssl3.initialized = PR_FALSE; |
12306 | 12269 |
12307 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); | 12270 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); |
12308 } | 12271 } |
12309 | 12272 |
12310 /* End of ssl3con.c */ | 12273 /* End of ssl3con.c */ |
OLD | NEW |