Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(252)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/third_party/nss/ssl/ssl3con.c

Issue 23299002: Make the AES-GCM cipher suites work in DTLS, by moving the (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Fix comments and update patch files Created 7 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « net/third_party/nss/ssl/dtlscon.c ('k') | net/third_party/nss/ssl/sslimpl.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ 1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
2 /* 2 /*
3 * SSL3 Protocol 3 * SSL3 Protocol
4 * 4 *
5 * This Source Code Form is subject to the terms of the Mozilla Public 5 * This Source Code Form is subject to the terms of the Mozilla Public
6 * License, v. 2.0. If a copy of the MPL was not distributed with this 6 * License, v. 2.0. If a copy of the MPL was not distributed with this
7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
8 8
9 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */ 9 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */
10 10
(...skipping 67 matching lines...) Expand 10 before | Expand all | Expand 10 after
78 static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags); 78 static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags);
79 static int ssl3_OIDToTLSHashAlgorithm(SECOidTag oid); 79 static int ssl3_OIDToTLSHashAlgorithm(SECOidTag oid);
80 80
81 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, 81 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen,
82 int maxOutputLen, const unsigned char *input, 82 int maxOutputLen, const unsigned char *input,
83 int inputLen); 83 int inputLen);
84 #ifndef NO_PKCS11_BYPASS 84 #ifndef NO_PKCS11_BYPASS
85 static SECStatus ssl3_AESGCMBypass(ssl3KeyMaterial *keys, PRBool doDecrypt, 85 static SECStatus ssl3_AESGCMBypass(ssl3KeyMaterial *keys, PRBool doDecrypt,
86 unsigned char *out, int *outlen, int maxout, 86 unsigned char *out, int *outlen, int maxout,
87 const unsigned char *in, int inlen, 87 const unsigned char *in, int inlen,
88 » » » » SSL3ContentType type, 88 » » » » const unsigned char *additionalData,
89 » » » » SSL3ProtocolVersion version, 89 » » » » int additionalDataLen);
90 » » » » SSL3SequenceNumber seq_num);
91 #endif 90 #endif
92 91
93 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */ 92 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */
94 #define MIN_SEND_BUF_LENGTH 4000 93 #define MIN_SEND_BUF_LENGTH 4000
95 94
96 /* This list of SSL3 cipher suites is sorted in descending order of 95 /* This list of SSL3 cipher suites is sorted in descending order of
97 * precedence (desirability). It only includes cipher suites we implement. 96 * precedence (desirability). It only includes cipher suites we implement.
98 * This table is modified by SSL3_SetPolicy(). The ordering of cipher suites 97 * This table is modified by SSL3_SetPolicy(). The ordering of cipher suites
99 * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c) 98 * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c)
100 */ 99 */
(...skipping 288 matching lines...) Expand 10 before | Expand all | Expand 10 after
389 cipher_camellia_256, mac_sha, kea_dhe_rsa}, 388 cipher_camellia_256, mac_sha, kea_dhe_rsa},
390 389
391 {TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, 390 {TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
392 cipher_des, mac_sha,kea_rsa_export_1024}, 391 cipher_des, mac_sha,kea_rsa_export_1024},
393 {TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, 392 {TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
394 cipher_rc4_56, mac_sha,kea_rsa_export_1024}, 393 cipher_rc4_56, mac_sha,kea_rsa_export_1024},
395 394
396 {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips}, 395 {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips},
397 {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips}, 396 {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips},
398 397
399 {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_dhe_ rsa}, 398 {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_ rsa},
400 {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_rsa}, 399 {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa},
401 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_ec dhe_rsa}, 400 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ec dhe_rsa},
402 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_ ecdhe_ecdsa}, 401 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ ecdhe_ecdsa},
403 402
404 #ifdef NSS_ENABLE_ECC 403 #ifdef NSS_ENABLE_ECC
405 {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa}, 404 {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa},
406 {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa}, 405 {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa},
407 {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa} , 406 {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa} ,
408 {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecds a}, 407 {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecds a},
409 {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecds a}, 408 {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecds a},
410 409
411 {TLS_ECDHE_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_ecdsa }, 410 {TLS_ECDHE_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_ecdsa },
412 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_ecdsa }, 411 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_ecdsa },
(...skipping 48 matching lines...) Expand 10 before | Expand all | Expand 10 after
461 { calg_3des , CKM_DES3_CBC }, 460 { calg_3des , CKM_DES3_CBC },
462 { calg_idea , CKM_IDEA_CBC }, 461 { calg_idea , CKM_IDEA_CBC },
463 { calg_fortezza , CKM_SKIPJACK_CBC64 }, 462 { calg_fortezza , CKM_SKIPJACK_CBC64 },
464 { calg_aes , CKM_AES_CBC }, 463 { calg_aes , CKM_AES_CBC },
465 { calg_camellia , CKM_CAMELLIA_CBC }, 464 { calg_camellia , CKM_CAMELLIA_CBC },
466 { calg_seed , CKM_SEED_CBC }, 465 { calg_seed , CKM_SEED_CBC },
467 { calg_aes_gcm , CKM_AES_GCM }, 466 { calg_aes_gcm , CKM_AES_GCM },
468 /* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */ 467 /* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */
469 }; 468 };
470 469
471 #define mmech_null (CK_MECHANISM_TYPE)0x80000000L 470 #define mmech_invalid (CK_MECHANISM_TYPE)0x80000000L
472 #define mmech_md5 CKM_SSL3_MD5_MAC 471 #define mmech_md5 CKM_SSL3_MD5_MAC
473 #define mmech_sha CKM_SSL3_SHA1_MAC 472 #define mmech_sha CKM_SSL3_SHA1_MAC
474 #define mmech_md5_hmac CKM_MD5_HMAC 473 #define mmech_md5_hmac CKM_MD5_HMAC
475 #define mmech_sha_hmac CKM_SHA_1_HMAC 474 #define mmech_sha_hmac CKM_SHA_1_HMAC
476 #define mmech_sha256_hmac CKM_SHA256_HMAC 475 #define mmech_sha256_hmac CKM_SHA256_HMAC
476 #define mmech_sha384_hmac CKM_SHA384_HMAC
477 #define mmech_sha512_hmac CKM_SHA512_HMAC
477 478
478 static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */ 479 static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */
479 /* pad_size is only used for SSL 3.0 MAC. See RFC 6101 Sec. 5.2.3.1. */ 480 /* pad_size is only used for SSL 3.0 MAC. See RFC 6101 Sec. 5.2.3.1. */
480 /* mac mmech pad_size mac_size */ 481 /* mac mmech pad_size mac_size */
481 { mac_null, mmech_null, 0, 0 }, 482 { mac_null, mmech_invalid, 0, 0 },
482 { mac_md5, mmech_md5, 48, MD5_LENGTH }, 483 { mac_md5, mmech_md5, 48, MD5_LENGTH },
483 { mac_sha, mmech_sha, 40, SHA1_LENGTH}, 484 { mac_sha, mmech_sha, 40, SHA1_LENGTH},
484 {hmac_md5, mmech_md5_hmac, 0, MD5_LENGTH }, 485 {hmac_md5, mmech_md5_hmac, 0, MD5_LENGTH },
485 {hmac_sha, mmech_sha_hmac, 0, SHA1_LENGTH}, 486 {hmac_sha, mmech_sha_hmac, 0, SHA1_LENGTH},
486 {hmac_sha256, mmech_sha256_hmac, 0, SHA256_LENGTH}, 487 {hmac_sha256, mmech_sha256_hmac, 0, SHA256_LENGTH},
488 { mac_aead, mmech_invalid, 0, 0 },
487 }; 489 };
488 490
489 /* indexed by SSL3BulkCipher */ 491 /* indexed by SSL3BulkCipher */
490 const char * const ssl3_cipherName[] = { 492 const char * const ssl3_cipherName[] = {
491 "NULL", 493 "NULL",
492 "RC4", 494 "RC4",
493 "RC4-40", 495 "RC4-40",
494 "RC4-56", 496 "RC4-56",
495 "RC2-CBC", 497 "RC2-CBC",
496 "RC2-CBC-40", 498 "RC2-CBC-40",
(...skipping 1262 matching lines...) Expand 10 before | Expand all | Expand 10 after
1759 case CKM_RC2_MAC: 1761 case CKM_RC2_MAC:
1760 case CKM_RC2_MAC_GENERAL: 1762 case CKM_RC2_MAC_GENERAL:
1761 case CKM_RC2_CBC_PAD: 1763 case CKM_RC2_CBC_PAD:
1762 *(CK_RC2_PARAMS *)param->data = ulEffectiveBits; 1764 *(CK_RC2_PARAMS *)param->data = ulEffectiveBits;
1763 default: break; 1765 default: break;
1764 } 1766 }
1765 } 1767 }
1766 return param; 1768 return param;
1767 } 1769 }
1768 1770
1769 /* ssl3_BuildRecordPseudoHeader writes the TLS pseudo-header (the data which 1771 /* ssl3_BuildRecordPseudoHeader writes the SSL/TLS pseudo-header (the data
1770 * is included in the MAC) to |out| and returns its length. */ 1772 * which is included in the MAC or AEAD additional data) to |out| and returns
1773 * its length. See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the
1774 * definition of the AEAD additional data.
1775 *
1776 * TLS pseudo-header includes the record's version field, SSL's doesn't. Which
1777 * pseudo-header defintiion to use should be decided based on the version of
1778 * the protocol that was negotiated when the cipher spec became current, NOT
1779 * based on the version value in the record itself, and the decision is passed
1780 * to this function as the |includesVersion| argument. But, the |version|
1781 * argument should be the record's version value.
1782 */
1771 static unsigned int 1783 static unsigned int
1772 ssl3_BuildRecordPseudoHeader(unsigned char *out, 1784 ssl3_BuildRecordPseudoHeader(unsigned char *out,
1773 SSL3SequenceNumber seq_num, 1785 SSL3SequenceNumber seq_num,
1774 SSL3ContentType type, 1786 SSL3ContentType type,
1775 PRBool includesVersion, 1787 PRBool includesVersion,
1776 SSL3ProtocolVersion version, 1788 SSL3ProtocolVersion version,
1777 PRBool isDTLS, 1789 PRBool isDTLS,
1778 int length) 1790 int length)
1779 { 1791 {
1780 out[0] = (unsigned char)(seq_num.high >> 24); 1792 out[0] = (unsigned char)(seq_num.high >> 24);
(...skipping 93 matching lines...) Expand 10 before | Expand all | Expand 10 after
1874 } 1886 }
1875 1887
1876 static SECStatus 1888 static SECStatus
1877 ssl3_AESGCM(ssl3KeyMaterial *keys, 1889 ssl3_AESGCM(ssl3KeyMaterial *keys,
1878 PRBool doDecrypt, 1890 PRBool doDecrypt,
1879 unsigned char *out, 1891 unsigned char *out,
1880 int *outlen, 1892 int *outlen,
1881 int maxout, 1893 int maxout,
1882 const unsigned char *in, 1894 const unsigned char *in,
1883 int inlen, 1895 int inlen,
1884 » SSL3ContentType type, 1896 » const unsigned char *additionalData,
1885 » SSL3ProtocolVersion version, 1897 » int additionalDataLen)
1886 » SSL3SequenceNumber seq_num)
1887 { 1898 {
1888 SECItem param; 1899 SECItem param;
1889 SECStatus rv = SECFailure; 1900 SECStatus rv = SECFailure;
1890 unsigned char nonce[12]; 1901 unsigned char nonce[12];
1891 unsigned char additionalData[13];
1892 unsigned int additionalDataLen;
1893 unsigned int uOutLen; 1902 unsigned int uOutLen;
1894 CK_GCM_PARAMS gcmParams; 1903 CK_GCM_PARAMS gcmParams;
1895 1904
1896 static const int tagSize = 16; 1905 static const int tagSize = 16;
1897 static const int explicitNonceLen = 8; 1906 static const int explicitNonceLen = 8;
1898 1907
1899 /* See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the
1900 * definition of the AEAD additional data. */
1901 additionalDataLen = ssl3_BuildRecordPseudoHeader(
1902 additionalData, seq_num, type, PR_TRUE /* includes version */,
1903 version, PR_FALSE /* not DTLS */,
1904 inlen - (doDecrypt ? explicitNonceLen + tagSize : 0));
1905 PORT_Assert(additionalDataLen <= sizeof(additionalData));
1906
1907 /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the 1908 /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the
1908 * nonce is formed. */ 1909 * nonce is formed. */
1909 memcpy(nonce, keys->write_iv, 4); 1910 memcpy(nonce, keys->write_iv, 4);
1910 if (doDecrypt) { 1911 if (doDecrypt) {
1911 memcpy(nonce + 4, in, explicitNonceLen); 1912 memcpy(nonce + 4, in, explicitNonceLen);
1912 in += explicitNonceLen; 1913 in += explicitNonceLen;
1913 inlen -= explicitNonceLen; 1914 inlen -= explicitNonceLen;
1914 *outlen = 0; 1915 *outlen = 0;
1915 } else { 1916 } else {
1916 if (maxout < explicitNonceLen) { 1917 if (maxout < explicitNonceLen) {
1917 PORT_SetError(SEC_ERROR_INPUT_LEN); 1918 PORT_SetError(SEC_ERROR_INPUT_LEN);
1918 return SECFailure; 1919 return SECFailure;
1919 } 1920 }
1920 /* Use the 64-bit sequence number as the explicit nonce. */ 1921 /* Use the 64-bit sequence number as the explicit nonce. */
1921 memcpy(nonce + 4, additionalData, explicitNonceLen); 1922 memcpy(nonce + 4, additionalData, explicitNonceLen);
1922 memcpy(out, additionalData, explicitNonceLen); 1923 memcpy(out, additionalData, explicitNonceLen);
1923 out += explicitNonceLen; 1924 out += explicitNonceLen;
1924 maxout -= explicitNonceLen; 1925 maxout -= explicitNonceLen;
1925 *outlen = explicitNonceLen; 1926 *outlen = explicitNonceLen;
1926 } 1927 }
1927 1928
1928 param.type = siBuffer; 1929 param.type = siBuffer;
1929 param.data = (unsigned char *) &gcmParams; 1930 param.data = (unsigned char *) &gcmParams;
1930 param.len = sizeof(gcmParams); 1931 param.len = sizeof(gcmParams);
1931 gcmParams.pIv = nonce; 1932 gcmParams.pIv = nonce;
1932 gcmParams.ulIvLen = sizeof(nonce); 1933 gcmParams.ulIvLen = sizeof(nonce);
1933 gcmParams.pAAD = additionalData; 1934 gcmParams.pAAD = (unsigned char *)additionalData; /* const cast */
1934 gcmParams.ulAADLen = additionalDataLen; 1935 gcmParams.ulAADLen = additionalDataLen;
1935 gcmParams.ulTagBits = tagSize * 8; 1936 gcmParams.ulTagBits = tagSize * 8;
1936 1937
1937 if (doDecrypt) { 1938 if (doDecrypt) {
1938 rv = pk11_decrypt(keys->write_key, CKM_AES_GCM, &param, out, &uOutLen, 1939 rv = pk11_decrypt(keys->write_key, CKM_AES_GCM, &param, out, &uOutLen,
1939 maxout, in, inlen); 1940 maxout, in, inlen);
1940 } else { 1941 } else {
1941 rv = pk11_encrypt(keys->write_key, CKM_AES_GCM, &param, out, &uOutLen, 1942 rv = pk11_encrypt(keys->write_key, CKM_AES_GCM, &param, out, &uOutLen,
1942 maxout, in, inlen); 1943 maxout, in, inlen);
1943 } 1944 }
1944 *outlen += (int) uOutLen; 1945 *outlen += (int) uOutLen;
1945 1946
1946 return rv; 1947 return rv;
1947 } 1948 }
1948 1949
1949 #ifndef NO_PKCS11_BYPASS 1950 #ifndef NO_PKCS11_BYPASS
1950 static SECStatus 1951 static SECStatus
1951 ssl3_AESGCMBypass(ssl3KeyMaterial *keys, 1952 ssl3_AESGCMBypass(ssl3KeyMaterial *keys,
1952 PRBool doDecrypt, 1953 PRBool doDecrypt,
1953 unsigned char *out, 1954 unsigned char *out,
1954 int *outlen, 1955 int *outlen,
1955 int maxout, 1956 int maxout,
1956 const unsigned char *in, 1957 const unsigned char *in,
1957 int inlen, 1958 int inlen,
1958 » » SSL3ContentType type, 1959 » » const unsigned char *additionalData,
1959 » » SSL3ProtocolVersion version, 1960 » » int additionalDataLen)
1960 » » SSL3SequenceNumber seq_num)
1961 { 1961 {
1962 SECStatus rv = SECFailure; 1962 SECStatus rv = SECFailure;
1963 unsigned char nonce[12]; 1963 unsigned char nonce[12];
1964 unsigned char additionalData[13];
1965 unsigned int additionalDataLen;
1966 unsigned int uOutLen; 1964 unsigned int uOutLen;
1967 AESContext *cx; 1965 AESContext *cx;
1968 CK_GCM_PARAMS gcmParams; 1966 CK_GCM_PARAMS gcmParams;
1969 1967
1970 static const int tagSize = 16; 1968 static const int tagSize = 16;
1971 static const int explicitNonceLen = 8; 1969 static const int explicitNonceLen = 8;
1972 1970
1973 /* See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the
1974 * definition of the AEAD additional data. */
1975 additionalDataLen = ssl3_BuildRecordPseudoHeader(
1976 additionalData, seq_num, type, PR_TRUE /* includes version */,
1977 version, PR_FALSE /* not DTLS */,
1978 inlen - (doDecrypt ? explicitNonceLen + tagSize : 0));
1979 PORT_Assert(additionalDataLen <= sizeof(additionalData));
1980
1981 /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the 1971 /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the
1982 * nonce is formed. */ 1972 * nonce is formed. */
1983 PORT_Assert(keys->write_iv_item.len == 4); 1973 PORT_Assert(keys->write_iv_item.len == 4);
1984 if (keys->write_iv_item.len != 4) { 1974 if (keys->write_iv_item.len != 4) {
1985 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1975 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1986 return SECFailure; 1976 return SECFailure;
1987 } 1977 }
1988 memcpy(nonce, keys->write_iv_item.data, 4); 1978 memcpy(nonce, keys->write_iv_item.data, 4);
1989 if (doDecrypt) { 1979 if (doDecrypt) {
1990 memcpy(nonce + 4, in, explicitNonceLen); 1980 memcpy(nonce + 4, in, explicitNonceLen);
1991 in += explicitNonceLen; 1981 in += explicitNonceLen;
1992 inlen -= explicitNonceLen; 1982 inlen -= explicitNonceLen;
1993 *outlen = 0; 1983 *outlen = 0;
1994 } else { 1984 } else {
1995 if (maxout < explicitNonceLen) { 1985 if (maxout < explicitNonceLen) {
1996 PORT_SetError(SEC_ERROR_INPUT_LEN); 1986 PORT_SetError(SEC_ERROR_INPUT_LEN);
1997 return SECFailure; 1987 return SECFailure;
1998 } 1988 }
1999 /* Use the 64-bit sequence number as the explicit nonce. */ 1989 /* Use the 64-bit sequence number as the explicit nonce. */
2000 memcpy(nonce + 4, additionalData, explicitNonceLen); 1990 memcpy(nonce + 4, additionalData, explicitNonceLen);
2001 memcpy(out, additionalData, explicitNonceLen); 1991 memcpy(out, additionalData, explicitNonceLen);
2002 out += explicitNonceLen; 1992 out += explicitNonceLen;
2003 maxout -= explicitNonceLen; 1993 maxout -= explicitNonceLen;
2004 *outlen = explicitNonceLen; 1994 *outlen = explicitNonceLen;
2005 } 1995 }
2006 1996
2007 gcmParams.pIv = nonce; 1997 gcmParams.pIv = nonce;
2008 gcmParams.ulIvLen = sizeof(nonce); 1998 gcmParams.ulIvLen = sizeof(nonce);
2009 gcmParams.pAAD = additionalData; 1999 gcmParams.pAAD = (unsigned char *)additionalData; /* const cast */
2010 gcmParams.ulAADLen = additionalDataLen; 2000 gcmParams.ulAADLen = additionalDataLen;
2011 gcmParams.ulTagBits = tagSize * 8; 2001 gcmParams.ulTagBits = tagSize * 8;
2012 2002
2013 cx = (AESContext *)keys->cipher_context; 2003 cx = (AESContext *)keys->cipher_context;
2014 rv = AES_InitContext(cx, keys->write_key_item.data, 2004 rv = AES_InitContext(cx, keys->write_key_item.data,
2015 keys->write_key_item.len, 2005 keys->write_key_item.len,
2016 (unsigned char *)&gcmParams, NSS_AES_GCM, !doDecrypt, 2006 (unsigned char *)&gcmParams, NSS_AES_GCM, !doDecrypt,
2017 AES_BLOCK_SIZE); 2007 AES_BLOCK_SIZE);
2018 if (rv != SECSuccess) { 2008 if (rv != SECSuccess) {
2019 return rv; 2009 return rv;
(...skipping 280 matching lines...) Expand 10 before | Expand all | Expand 10 after
2300 0x5c, 0x5c, 0x5c, 0x5c 2290 0x5c, 0x5c, 0x5c, 0x5c
2301 }; 2291 };
2302 2292
2303 /* Called from: ssl3_SendRecord() 2293 /* Called from: ssl3_SendRecord()
2304 ** Caller must already hold the SpecReadLock. (wish we could assert that!) 2294 ** Caller must already hold the SpecReadLock. (wish we could assert that!)
2305 */ 2295 */
2306 static SECStatus 2296 static SECStatus
2307 ssl3_ComputeRecordMAC( 2297 ssl3_ComputeRecordMAC(
2308 ssl3CipherSpec * spec, 2298 ssl3CipherSpec * spec,
2309 PRBool useServerMacKey, 2299 PRBool useServerMacKey,
2310 PRBool isDTLS, 2300 const unsigned char *header,
2311 SSL3ContentType type, 2301 unsigned int headerLen,
2312 SSL3ProtocolVersion version,
2313 SSL3SequenceNumber seq_num,
2314 const SSL3Opaque * input, 2302 const SSL3Opaque * input,
2315 int inputLength, 2303 int inputLength,
2316 unsigned char * outbuf, 2304 unsigned char * outbuf,
2317 unsigned int * outLength) 2305 unsigned int * outLength)
2318 { 2306 {
2319 const ssl3MACDef * mac_def; 2307 const ssl3MACDef * mac_def;
2320 SECStatus rv; 2308 SECStatus rv;
2321 PRBool isTLS;
2322 unsigned int tempLen;
2323 unsigned char temp[MAX_MAC_LENGTH];
2324 2309
2325 /* TLS MAC includes the record's version field, SSL's doesn't. 2310 PRINT_BUF(95, (NULL, "frag hash1: header", header, headerLen));
2326 ** We decide which MAC defintiion to use based on the version of
2327 ** the protocol that was negotiated when the spec became current,
2328 ** NOT based on the version value in the record itself.
2329 ** But, we use the record's version value in the computation.
2330 */
2331 isTLS = spec->version > SSL_LIBRARY_VERSION_3_0;
2332 tempLen = ssl3_BuildRecordPseudoHeader(temp, seq_num, type, isTLS,
2333 » » » » » version, isDTLS, inputLength);
2334 PORT_Assert(tempLen <= sizeof(temp));
2335
2336 PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen));
2337 PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength)); 2311 PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength));
2338 2312
2339 mac_def = spec->mac_def; 2313 mac_def = spec->mac_def;
2340 if (mac_def->mac == mac_null) { 2314 if (mac_def->mac == mac_null) {
2341 *outLength = 0; 2315 *outLength = 0;
2342 return SECSuccess; 2316 return SECSuccess;
2343 } 2317 }
2344 #ifndef NO_PKCS11_BYPASS 2318 #ifndef NO_PKCS11_BYPASS
2345 if (spec->bypassCiphers) { 2319 if (spec->bypassCiphers) {
2346 /* bypass version */ 2320 /* bypass version */
(...skipping 24 matching lines...) Expand all
2371 break; 2345 break;
2372 default: 2346 default:
2373 break; 2347 break;
2374 } 2348 }
2375 if (!hashObj) { 2349 if (!hashObj) {
2376 PORT_Assert(0); 2350 PORT_Assert(0);
2377 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 2351 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
2378 return SECFailure; 2352 return SECFailure;
2379 } 2353 }
2380 2354
2381 » if (!isTLS) { 2355 » if (spec->version <= SSL_LIBRARY_VERSION_3_0) {
2356 » unsigned int tempLen;
2357 » unsigned char temp[MAX_MAC_LENGTH];
2358
2382 /* compute "inner" part of SSL3 MAC */ 2359 /* compute "inner" part of SSL3 MAC */
2383 hashObj->begin(write_mac_context); 2360 hashObj->begin(write_mac_context);
2384 if (useServerMacKey) 2361 if (useServerMacKey)
2385 hashObj->update(write_mac_context, 2362 hashObj->update(write_mac_context,
2386 spec->server.write_mac_key_item.data, 2363 spec->server.write_mac_key_item.data,
2387 spec->server.write_mac_key_item.len); 2364 spec->server.write_mac_key_item.len);
2388 else 2365 else
2389 hashObj->update(write_mac_context, 2366 hashObj->update(write_mac_context,
2390 spec->client.write_mac_key_item.data, 2367 spec->client.write_mac_key_item.data,
2391 spec->client.write_mac_key_item.len); 2368 spec->client.write_mac_key_item.len);
2392 hashObj->update(write_mac_context, mac_pad_1, pad_bytes); 2369 hashObj->update(write_mac_context, mac_pad_1, pad_bytes);
2393 » hashObj->update(write_mac_context, temp, tempLen); 2370 » hashObj->update(write_mac_context, header, headerLen);
2394 hashObj->update(write_mac_context, input, inputLength); 2371 hashObj->update(write_mac_context, input, inputLength);
2395 hashObj->end(write_mac_context, temp, &tempLen, sizeof temp); 2372 hashObj->end(write_mac_context, temp, &tempLen, sizeof temp);
2396 2373
2397 /* compute "outer" part of SSL3 MAC */ 2374 /* compute "outer" part of SSL3 MAC */
2398 hashObj->begin(write_mac_context); 2375 hashObj->begin(write_mac_context);
2399 if (useServerMacKey) 2376 if (useServerMacKey)
2400 hashObj->update(write_mac_context, 2377 hashObj->update(write_mac_context,
2401 spec->server.write_mac_key_item.data, 2378 spec->server.write_mac_key_item.data,
2402 spec->server.write_mac_key_item.len); 2379 spec->server.write_mac_key_item.len);
2403 else 2380 else
(...skipping 10 matching lines...) Expand all
2414 rv = HMAC_Init(cx, hashObj, 2391 rv = HMAC_Init(cx, hashObj,
2415 spec->server.write_mac_key_item.data, 2392 spec->server.write_mac_key_item.data,
2416 spec->server.write_mac_key_item.len, PR_FALSE); 2393 spec->server.write_mac_key_item.len, PR_FALSE);
2417 } else { 2394 } else {
2418 rv = HMAC_Init(cx, hashObj, 2395 rv = HMAC_Init(cx, hashObj,
2419 spec->client.write_mac_key_item.data, 2396 spec->client.write_mac_key_item.data,
2420 spec->client.write_mac_key_item.len, PR_FALSE); 2397 spec->client.write_mac_key_item.len, PR_FALSE);
2421 } 2398 }
2422 if (rv == SECSuccess) { 2399 if (rv == SECSuccess) {
2423 HMAC_Begin(cx); 2400 HMAC_Begin(cx);
2424 » » HMAC_Update(cx, temp, tempLen); 2401 » » HMAC_Update(cx, header, headerLen);
2425 HMAC_Update(cx, input, inputLength); 2402 HMAC_Update(cx, input, inputLength);
2426 rv = HMAC_Finish(cx, outbuf, outLength, spec->mac_size); 2403 rv = HMAC_Finish(cx, outbuf, outLength, spec->mac_size);
2427 HMAC_Destroy(cx, PR_FALSE); 2404 HMAC_Destroy(cx, PR_FALSE);
2428 } 2405 }
2429 #undef cx 2406 #undef cx
2430 } 2407 }
2431 } else 2408 } else
2432 #endif 2409 #endif
2433 { 2410 {
2434 PK11Context *mac_context = 2411 PK11Context *mac_context =
2435 (useServerMacKey ? spec->server.write_mac_context 2412 (useServerMacKey ? spec->server.write_mac_context
2436 : spec->client.write_mac_context); 2413 : spec->client.write_mac_context);
2437 rv = PK11_DigestBegin(mac_context); 2414 rv = PK11_DigestBegin(mac_context);
2438 » rv |= PK11_DigestOp(mac_context, temp, tempLen); 2415 » rv |= PK11_DigestOp(mac_context, header, headerLen);
2439 rv |= PK11_DigestOp(mac_context, input, inputLength); 2416 rv |= PK11_DigestOp(mac_context, input, inputLength);
2440 rv |= PK11_DigestFinal(mac_context, outbuf, outLength, spec->mac_size); 2417 rv |= PK11_DigestFinal(mac_context, outbuf, outLength, spec->mac_size);
2441 } 2418 }
2442 2419
2443 PORT_Assert(rv != SECSuccess || *outLength == (unsigned)spec->mac_size); 2420 PORT_Assert(rv != SECSuccess || *outLength == (unsigned)spec->mac_size);
2444 2421
2445 PRINT_BUF(95, (NULL, "frag hash2: result", outbuf, *outLength)); 2422 PRINT_BUF(95, (NULL, "frag hash2: result", outbuf, *outLength));
2446 2423
2447 if (rv != SECSuccess) { 2424 if (rv != SECSuccess) {
2448 rv = SECFailure; 2425 rv = SECFailure;
(...skipping 19 matching lines...) Expand all
2468 /* Called from: ssl3_HandleRecord() 2445 /* Called from: ssl3_HandleRecord()
2469 * Caller must already hold the SpecReadLock. (wish we could assert that!) 2446 * Caller must already hold the SpecReadLock. (wish we could assert that!)
2470 * 2447 *
2471 * On entry: 2448 * On entry:
2472 * originalLen >= inputLen >= MAC size 2449 * originalLen >= inputLen >= MAC size
2473 */ 2450 */
2474 static SECStatus 2451 static SECStatus
2475 ssl3_ComputeRecordMACConstantTime( 2452 ssl3_ComputeRecordMACConstantTime(
2476 ssl3CipherSpec * spec, 2453 ssl3CipherSpec * spec,
2477 PRBool useServerMacKey, 2454 PRBool useServerMacKey,
2478 PRBool isDTLS, 2455 const unsigned char *header,
2479 SSL3ContentType type, 2456 unsigned int headerLen,
2480 SSL3ProtocolVersion version,
2481 SSL3SequenceNumber seq_num,
2482 const SSL3Opaque * input, 2457 const SSL3Opaque * input,
2483 int inputLen, 2458 int inputLen,
2484 int originalLen, 2459 int originalLen,
2485 unsigned char * outbuf, 2460 unsigned char * outbuf,
2486 unsigned int * outLen) 2461 unsigned int * outLen)
2487 { 2462 {
2488 CK_MECHANISM_TYPE macType; 2463 CK_MECHANISM_TYPE macType;
2489 CK_NSS_MAC_CONSTANT_TIME_PARAMS params; 2464 CK_NSS_MAC_CONSTANT_TIME_PARAMS params;
2490 PK11Context * mac_context; 2465 PK11Context * mac_context;
2491 SECItem param; 2466 SECItem param;
2492 SECStatus rv; 2467 SECStatus rv;
2493 unsigned char header[13];
2494 PK11SymKey * key; 2468 PK11SymKey * key;
2495 int recordLength;
2496 2469
2497 PORT_Assert(inputLen >= spec->mac_size); 2470 PORT_Assert(inputLen >= spec->mac_size);
2498 PORT_Assert(originalLen >= inputLen); 2471 PORT_Assert(originalLen >= inputLen);
2499 2472
2500 if (spec->bypassCiphers) { 2473 if (spec->bypassCiphers) {
2501 /* This function doesn't support PKCS#11 bypass. We fallback on the 2474 /* This function doesn't support PKCS#11 bypass. We fallback on the
2502 * non-constant time version. */ 2475 * non-constant time version. */
2503 goto fallback; 2476 goto fallback;
2504 } 2477 }
2505 2478
2506 if (spec->mac_def->mac == mac_null) { 2479 if (spec->mac_def->mac == mac_null) {
2507 *outLen = 0; 2480 *outLen = 0;
2508 return SECSuccess; 2481 return SECSuccess;
2509 } 2482 }
2510 2483
2511 header[0] = (unsigned char)(seq_num.high >> 24);
2512 header[1] = (unsigned char)(seq_num.high >> 16);
2513 header[2] = (unsigned char)(seq_num.high >> 8);
2514 header[3] = (unsigned char)(seq_num.high >> 0);
2515 header[4] = (unsigned char)(seq_num.low >> 24);
2516 header[5] = (unsigned char)(seq_num.low >> 16);
2517 header[6] = (unsigned char)(seq_num.low >> 8);
2518 header[7] = (unsigned char)(seq_num.low >> 0);
2519 header[8] = type;
2520
2521 macType = CKM_NSS_HMAC_CONSTANT_TIME; 2484 macType = CKM_NSS_HMAC_CONSTANT_TIME;
2522 recordLength = inputLen - spec->mac_size;
2523 if (spec->version <= SSL_LIBRARY_VERSION_3_0) { 2485 if (spec->version <= SSL_LIBRARY_VERSION_3_0) {
2524 macType = CKM_NSS_SSL3_MAC_CONSTANT_TIME; 2486 macType = CKM_NSS_SSL3_MAC_CONSTANT_TIME;
2525 header[9] = recordLength >> 8;
2526 header[10] = recordLength;
2527 params.ulHeaderLen = 11;
2528 } else {
2529 if (isDTLS) {
2530 SSL3ProtocolVersion dtls_version;
2531
2532 dtls_version = dtls_TLSVersionToDTLSVersion(version);
2533 header[9] = dtls_version >> 8;
2534 header[10] = dtls_version;
2535 } else {
2536 header[9] = version >> 8;
2537 header[10] = version;
2538 }
2539 header[11] = recordLength >> 8;
2540 header[12] = recordLength;
2541 params.ulHeaderLen = 13;
2542 } 2487 }
2543 2488
2544 params.macAlg = spec->mac_def->mmech; 2489 params.macAlg = spec->mac_def->mmech;
2545 params.ulBodyTotalLen = originalLen; 2490 params.ulBodyTotalLen = originalLen;
2546 params.pHeader = header; 2491 params.pHeader = (unsigned char *) header; /* const cast */
2492 params.ulHeaderLen = headerLen;
2547 2493
2548 param.data = (unsigned char*) &params; 2494 param.data = (unsigned char*) &params;
2549 param.len = sizeof(params); 2495 param.len = sizeof(params);
2550 param.type = 0; 2496 param.type = 0;
2551 2497
2552 key = spec->server.write_mac_key; 2498 key = spec->server.write_mac_key;
2553 if (!useServerMacKey) { 2499 if (!useServerMacKey) {
2554 key = spec->client.write_mac_key; 2500 key = spec->client.write_mac_key;
2555 } 2501 }
2556 mac_context = PK11_CreateContextBySymKey(macType, CKA_SIGN, key, &param); 2502 mac_context = PK11_CreateContextBySymKey(macType, CKA_SIGN, key, &param);
(...skipping 12 matching lines...) Expand all
2569 if (rv != SECSuccess) { 2515 if (rv != SECSuccess) {
2570 rv = SECFailure; 2516 rv = SECFailure;
2571 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); 2517 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
2572 } 2518 }
2573 return rv; 2519 return rv;
2574 2520
2575 fallback: 2521 fallback:
2576 /* ssl3_ComputeRecordMAC expects the MAC to have been removed from the 2522 /* ssl3_ComputeRecordMAC expects the MAC to have been removed from the
2577 * length already. */ 2523 * length already. */
2578 inputLen -= spec->mac_size; 2524 inputLen -= spec->mac_size;
2579 return ssl3_ComputeRecordMAC(spec, useServerMacKey, isDTLS, type, 2525 return ssl3_ComputeRecordMAC(spec, useServerMacKey, header, headerLen,
2580 » » » » version, seq_num, input, inputLen, 2526 » » » » input, inputLen, outbuf, outLen);
2581 » » » » outbuf, outLen);
2582 } 2527 }
2583 2528
2584 static PRBool 2529 static PRBool
2585 ssl3_ClientAuthTokenPresent(sslSessionID *sid) { 2530 ssl3_ClientAuthTokenPresent(sslSessionID *sid) {
2586 PK11SlotInfo *slot = NULL; 2531 PK11SlotInfo *slot = NULL;
2587 PRBool isPresent = PR_TRUE; 2532 PRBool isPresent = PR_TRUE;
2588 2533
2589 /* we only care if we are doing client auth */ 2534 /* we only care if we are doing client auth */
2590 /* If NSS_PLATFORM_CLIENT_AUTH is defined and a platformClientKey is being 2535 /* If NSS_PLATFORM_CLIENT_AUTH is defined and a platformClientKey is being
2591 * used, u.ssl3.clAuthValid will be false and this function will always 2536 * used, u.ssl3.clAuthValid will be false and this function will always
(...skipping 31 matching lines...) Expand 10 before | Expand all | Expand 10 after
2623 sslBuffer * wrBuf) 2568 sslBuffer * wrBuf)
2624 { 2569 {
2625 const ssl3BulkCipherDef * cipher_def; 2570 const ssl3BulkCipherDef * cipher_def;
2626 SECStatus rv; 2571 SECStatus rv;
2627 PRUint32 macLen = 0; 2572 PRUint32 macLen = 0;
2628 PRUint32 fragLen; 2573 PRUint32 fragLen;
2629 PRUint32 p1Len, p2Len, oddLen = 0; 2574 PRUint32 p1Len, p2Len, oddLen = 0;
2630 PRUint16 headerLen; 2575 PRUint16 headerLen;
2631 int ivLen = 0; 2576 int ivLen = 0;
2632 int cipherBytes = 0; 2577 int cipherBytes = 0;
2578 unsigned char pseudoHeader[13];
2579 unsigned int pseudoHeaderLen;
2633 2580
2634 cipher_def = cwSpec->cipher_def; 2581 cipher_def = cwSpec->cipher_def;
2635 headerLen = isDTLS ? DTLS_RECORD_HEADER_LENGTH : SSL3_RECORD_HEADER_LENGTH; 2582 headerLen = isDTLS ? DTLS_RECORD_HEADER_LENGTH : SSL3_RECORD_HEADER_LENGTH;
2636 2583
2637 if (cipher_def->type == type_block && 2584 if (cipher_def->type == type_block &&
2638 cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { 2585 cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) {
2639 /* Prepend the per-record explicit IV using technique 2b from 2586 /* Prepend the per-record explicit IV using technique 2b from
2640 * RFC 4346 section 6.2.3.2: The IV is a cryptographically 2587 * RFC 4346 section 6.2.3.2: The IV is a cryptographically
2641 * strong random number XORed with the CBC residue from the previous 2588 * strong random number XORed with the CBC residue from the previous
2642 * record. 2589 * record.
(...skipping 25 matching lines...) Expand all
2668 rv = cwSpec->compressor( 2615 rv = cwSpec->compressor(
2669 cwSpec->compressContext, 2616 cwSpec->compressContext,
2670 wrBuf->buf + headerLen + ivLen, &outlen, 2617 wrBuf->buf + headerLen + ivLen, &outlen,
2671 wrBuf->space - headerLen - ivLen, pIn, contentLen); 2618 wrBuf->space - headerLen - ivLen, pIn, contentLen);
2672 if (rv != SECSuccess) 2619 if (rv != SECSuccess)
2673 return rv; 2620 return rv;
2674 pIn = wrBuf->buf + headerLen + ivLen; 2621 pIn = wrBuf->buf + headerLen + ivLen;
2675 contentLen = outlen; 2622 contentLen = outlen;
2676 } 2623 }
2677 2624
2625 pseudoHeaderLen = ssl3_BuildRecordPseudoHeader(
2626 pseudoHeader, cwSpec->write_seq_num, type,
2627 cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_0, cwSpec->version,
2628 isDTLS, contentLen);
2629 PORT_Assert(pseudoHeaderLen <= sizeof(pseudoHeader));
2678 if (cipher_def->type == type_aead) { 2630 if (cipher_def->type == type_aead) {
2679 const int nonceLen = cipher_def->explicit_nonce_size; 2631 const int nonceLen = cipher_def->explicit_nonce_size;
2680 const int tagLen = cipher_def->tag_size; 2632 const int tagLen = cipher_def->tag_size;
2681 2633
2682 if (headerLen + nonceLen + contentLen + tagLen > wrBuf->space) { 2634 if (headerLen + nonceLen + contentLen + tagLen > wrBuf->space) {
2683 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 2635 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
2684 return SECFailure; 2636 return SECFailure;
2685 } 2637 }
2686 2638
2687 cipherBytes = contentLen; 2639 cipherBytes = contentLen;
2688 rv = cwSpec->aead( 2640 rv = cwSpec->aead(
2689 isServer ? &cwSpec->server : &cwSpec->client, 2641 isServer ? &cwSpec->server : &cwSpec->client,
2690 PR_FALSE, /* do encrypt */ 2642 PR_FALSE, /* do encrypt */
2691 wrBuf->buf + headerLen, /* output */ 2643 wrBuf->buf + headerLen, /* output */
2692 &cipherBytes, /* out len */ 2644 &cipherBytes, /* out len */
2693 wrBuf->space - headerLen, /* max out */ 2645 wrBuf->space - headerLen, /* max out */
2694 pIn, contentLen, /* input */ 2646 pIn, contentLen, /* input */
2695 » » type, cwSpec->version, cwSpec->write_seq_num); 2647 » » pseudoHeader, pseudoHeaderLen);
2696 if (rv != SECSuccess) { 2648 if (rv != SECSuccess) {
2697 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); 2649 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
2698 return SECFailure; 2650 return SECFailure;
2699 } 2651 }
2700 } else { 2652 } else {
2701 /* 2653 /*
2702 * Add the MAC 2654 * Add the MAC
2703 */ 2655 */
2704 » rv = ssl3_ComputeRecordMAC( cwSpec, isServer, isDTLS, 2656 » rv = ssl3_ComputeRecordMAC(cwSpec, isServer,
2705 » type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen, 2657 » pseudoHeader, pseudoHeaderLen, pIn, contentLen,
2706 wrBuf->buf + headerLen + ivLen + contentLen, &macLen); 2658 wrBuf->buf + headerLen + ivLen + contentLen, &macLen);
2707 if (rv != SECSuccess) { 2659 if (rv != SECSuccess) {
2708 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); 2660 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
2709 return SECFailure; 2661 return SECFailure;
2710 } 2662 }
2711 p1Len = contentLen; 2663 p1Len = contentLen;
2712 p2Len = macLen; 2664 p2Len = macLen;
2713 fragLen = contentLen + macLen; /* needs to be encrypted */ 2665 fragLen = contentLen + macLen; /* needs to be encrypted */
2714 PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024); 2666 PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024);
2715 2667
(...skipping 8684 matching lines...) Expand 10 before | Expand all | Expand 10 after
11400 SSL3Opaque hash[MAX_MAC_LENGTH]; 11352 SSL3Opaque hash[MAX_MAC_LENGTH];
11401 SSL3Opaque givenHashBuf[MAX_MAC_LENGTH]; 11353 SSL3Opaque givenHashBuf[MAX_MAC_LENGTH];
11402 SSL3Opaque *givenHash; 11354 SSL3Opaque *givenHash;
11403 sslBuffer *plaintext; 11355 sslBuffer *plaintext;
11404 sslBuffer temp_buf; 11356 sslBuffer temp_buf;
11405 PRUint64 dtls_seq_num; 11357 PRUint64 dtls_seq_num;
11406 unsigned int ivLen = 0; 11358 unsigned int ivLen = 0;
11407 unsigned int originalLen = 0; 11359 unsigned int originalLen = 0;
11408 unsigned int good; 11360 unsigned int good;
11409 unsigned int minLength; 11361 unsigned int minLength;
11362 unsigned char header[13];
11363 unsigned int headerLen;
11410 11364
11411 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 11365 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
11412 11366
11413 if (!ss->ssl3.initialized) { 11367 if (!ss->ssl3.initialized) {
11414 ssl_GetSSL3HandshakeLock(ss); 11368 ssl_GetSSL3HandshakeLock(ss);
11415 rv = ssl3_InitState(ss); 11369 rv = ssl3_InitState(ss);
11416 ssl_ReleaseSSL3HandshakeLock(ss); 11370 ssl_ReleaseSSL3HandshakeLock(ss);
11417 if (rv != SECSuccess) { 11371 if (rv != SECSuccess) {
11418 return rv; /* ssl3_InitState has set the error code. */ 11372 return rv; /* ssl3_InitState has set the error code. */
11419 } 11373 }
(...skipping 133 matching lines...) Expand 10 before | Expand all | Expand 10 after
11553 11507
11554 if (isTLS && cText->buf->len - ivLen > (MAX_FRAGMENT_LENGTH + 2048)) { 11508 if (isTLS && cText->buf->len - ivLen > (MAX_FRAGMENT_LENGTH + 2048)) {
11555 ssl_ReleaseSpecReadLock(ss); 11509 ssl_ReleaseSpecReadLock(ss);
11556 SSL3_SendAlert(ss, alert_fatal, record_overflow); 11510 SSL3_SendAlert(ss, alert_fatal, record_overflow);
11557 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); 11511 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
11558 return SECFailure; 11512 return SECFailure;
11559 } 11513 }
11560 11514
11561 rType = cText->type; 11515 rType = cText->type;
11562 if (cipher_def->type == type_aead) { 11516 if (cipher_def->type == type_aead) {
11517 /* XXX For many AEAD ciphers, the plaintext is shorter than the
11518 * ciphertext by a fixed byte count, but it is not true in general.
11519 * Each AEAD cipher should provide a function that returns the
11520 * plaintext length for a given ciphertext. */
11521 unsigned int decryptedLen =
11522 cText->buf->len - cipher_def->explicit_nonce_size -
11523 cipher_def->tag_size;
11524 headerLen = ssl3_BuildRecordPseudoHeader(
11525 header, IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
11526 rType, isTLS, cText->version, IS_DTLS(ss), decryptedLen);
11527 PORT_Assert(headerLen <= sizeof(header));
11563 rv = crSpec->aead( 11528 rv = crSpec->aead(
11564 ss->sec.isServer ? &crSpec->client : &crSpec->server, 11529 ss->sec.isServer ? &crSpec->client : &crSpec->server,
11565 PR_TRUE, /* do decrypt */ 11530 PR_TRUE, /* do decrypt */
11566 plaintext->buf, /* out */ 11531 plaintext->buf, /* out */
11567 (int*) &plaintext->len, /* outlen */ 11532 (int*) &plaintext->len, /* outlen */
11568 plaintext->space, /* maxout */ 11533 plaintext->space, /* maxout */
11569 cText->buf->buf, /* in */ 11534 cText->buf->buf, /* in */
11570 cText->buf->len, /* inlen */ 11535 cText->buf->len, /* inlen */
11571 » » rType, /* record type */ 11536 » » header, headerLen);
11572 » » cText->version,
11573 » » IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num);
11574 if (rv != SECSuccess) { 11537 if (rv != SECSuccess) {
11575 good = 0; 11538 good = 0;
11576 } 11539 }
11577 } else { 11540 } else {
11578 if (cipher_def->type == type_block && 11541 if (cipher_def->type == type_block &&
11579 ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) { 11542 ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) {
11580 goto decrypt_loser; 11543 goto decrypt_loser;
11581 } 11544 }
11582 11545
11583 /* decrypt from cText buf to plaintext. */ 11546 /* decrypt from cText buf to plaintext. */
11584 rv = crSpec->decode( 11547 rv = crSpec->decode(
11585 crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len, 11548 crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len,
11586 plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen); 11549 plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen);
11587 if (rv != SECSuccess) { 11550 if (rv != SECSuccess) {
11588 goto decrypt_loser; 11551 goto decrypt_loser;
11589 } 11552 }
11590 11553
11591 PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len)); 11554 PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len));
11592 11555
11593 originalLen = plaintext->len; 11556 originalLen = plaintext->len;
11594 11557
11595 /* If it's a block cipher, check and strip the padding. */ 11558 /* If it's a block cipher, check and strip the padding. */
11596 if (cipher_def->type == type_block) { 11559 if (cipher_def->type == type_block) {
11597 const unsigned int blockSize = cipher_def->block_size; 11560 const unsigned int blockSize = cipher_def->block_size;
11598 const unsigned int macSize = crSpec->mac_size; 11561 const unsigned int macSize = crSpec->mac_size;
11599 11562
11600 » if (crSpec->version <= SSL_LIBRARY_VERSION_3_0) { 11563 » if (!isTLS) {
11601 good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding( 11564 good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding(
11602 plaintext, blockSize, macSize)); 11565 plaintext, blockSize, macSize));
11603 } else { 11566 } else {
11604 good &= SECStatusToMask(ssl_RemoveTLSCBCPadding( 11567 good &= SECStatusToMask(ssl_RemoveTLSCBCPadding(
11605 plaintext, macSize)); 11568 plaintext, macSize));
11606 } 11569 }
11607 } 11570 }
11608 11571
11609 /* compute the MAC */ 11572 /* compute the MAC */
11573 headerLen = ssl3_BuildRecordPseudoHeader(
11574 header, IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
11575 rType, isTLS, cText->version, IS_DTLS(ss),
11576 plaintext->len - crSpec->mac_size);
11577 PORT_Assert(headerLen <= sizeof(header));
11610 if (cipher_def->type == type_block) { 11578 if (cipher_def->type == type_block) {
11611 rv = ssl3_ComputeRecordMACConstantTime( 11579 rv = ssl3_ComputeRecordMACConstantTime(
11612 » » crSpec, (PRBool)(!ss->sec.isServer), 11580 » » crSpec, (PRBool)(!ss->sec.isServer), header, headerLen,
11613 » » IS_DTLS(ss), rType, cText->version,
11614 » » IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
11615 plaintext->buf, plaintext->len, originalLen, 11581 plaintext->buf, plaintext->len, originalLen,
11616 hash, &hashBytes); 11582 hash, &hashBytes);
11617 11583
11618 ssl_CBCExtractMAC(plaintext, originalLen, givenHashBuf, 11584 ssl_CBCExtractMAC(plaintext, originalLen, givenHashBuf,
11619 crSpec->mac_size); 11585 crSpec->mac_size);
11620 givenHash = givenHashBuf; 11586 givenHash = givenHashBuf;
11621 11587
11622 /* plaintext->len will always have enough space to remove the MAC 11588 /* plaintext->len will always have enough space to remove the MAC
11623 * because in ssl_Remove{SSLv3|TLS}CBCPadding we only adjust 11589 * because in ssl_Remove{SSLv3|TLS}CBCPadding we only adjust
11624 * plaintext->len if the result has enough space for the MAC and we 11590 * plaintext->len if the result has enough space for the MAC and we
11625 * tested the unadjusted size against minLength, above. */ 11591 * tested the unadjusted size against minLength, above. */
11626 plaintext->len -= crSpec->mac_size; 11592 plaintext->len -= crSpec->mac_size;
11627 } else { 11593 } else {
11628 /* This is safe because we checked the minLength above. */ 11594 /* This is safe because we checked the minLength above. */
11629 plaintext->len -= crSpec->mac_size; 11595 plaintext->len -= crSpec->mac_size;
11630 11596
11631 rv = ssl3_ComputeRecordMAC( 11597 rv = ssl3_ComputeRecordMAC(
11632 » » crSpec, (PRBool)(!ss->sec.isServer), 11598 » » crSpec, (PRBool)(!ss->sec.isServer), header, headerLen,
11633 » » IS_DTLS(ss), rType, cText->version, 11599 » » plaintext->buf, plaintext->len, hash, &hashBytes);
11634 » » IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
11635 » » plaintext->buf, plaintext->len,
11636 » » hash, &hashBytes);
11637 11600
11638 /* We can read the MAC directly from the record because its location 11601 /* We can read the MAC directly from the record because its location
11639 * is public when a stream cipher is used. */ 11602 * is public when a stream cipher is used. */
11640 givenHash = plaintext->buf + plaintext->len; 11603 givenHash = plaintext->buf + plaintext->len;
11641 } 11604 }
11642 11605
11643 good &= SECStatusToMask(rv); 11606 good &= SECStatusToMask(rv);
11644 11607
11645 if (hashBytes != (unsigned)crSpec->mac_size || 11608 if (hashBytes != (unsigned)crSpec->mac_size ||
11646 NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) { 11609 NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) {
(...skipping 654 matching lines...) Expand 10 before | Expand all | Expand 10 after
12301 PORT_Free(ss->ssl3.hs.recvdFragments.buf); 12264 PORT_Free(ss->ssl3.hs.recvdFragments.buf);
12302 } 12265 }
12303 } 12266 }
12304 12267
12305 ss->ssl3.initialized = PR_FALSE; 12268 ss->ssl3.initialized = PR_FALSE;
12306 12269
12307 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); 12270 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
12308 } 12271 }
12309 12272
12310 /* End of ssl3con.c */ 12273 /* End of ssl3con.c */
OLDNEW
« no previous file with comments | « net/third_party/nss/ssl/dtlscon.c ('k') | net/third_party/nss/ssl/sslimpl.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698