On Windows, prepare to generate SHA-1 signatures for TLS 1.2 client authentication.

net/third_party/nss/ssl/ssl3con.c

 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
 /*
  * SSL3 Protocol
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */
 
@@ skipping 3915 matching lines @@
             if (ss->ssl3.hs.sha == NULL) {
                 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
                 return SECFailure;
             }
             ss->ssl3.hs.hashType = handshake_hash_single;
 
             if (PK11_DigestBegin(ss->ssl3.hs.sha) != SECSuccess) {
                 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
                 return SECFailure;
             }
+
+#ifdef _WIN32
+            /* A backup SHA-1 hash for a potential client auth signature. */
+            if (!ss->sec.isServer) {
+                ss->ssl3.hs.md5 = PK11_CreateDigestContext(SEC_OID_SHA1);
+                if (ss->ssl3.hs.md5 == NULL) {
+                    ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
+                    return SECFailure;
+                }
+
+                if (PK11_DigestBegin(ss->ssl3.hs.md5) != SECSuccess) {
+                    ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
+                    return SECFailure;
+                }
+            }
+#endif
         } else {
             /* Both ss->ssl3.hs.md5 and ss->ssl3.hs.sha should be NULL or
              * created successfully. */
             ss->ssl3.hs.md5 = PK11_CreateDigestContext(SEC_OID_MD5);
             if (ss->ssl3.hs.md5 == NULL) {
                 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
                 return SECFailure;
             }
             ss->ssl3.hs.sha = PK11_CreateDigestContext(SEC_OID_SHA1);
             if (ss->ssl3.hs.sha == NULL) {
@@ skipping 90 matching lines @@
         }
         return rv;
     }
 #endif
     if (ss->ssl3.hs.hashType == handshake_hash_single) {
         rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l);
         if (rv != SECSuccess) {
             ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
             return rv;
         }
+        if (ss->ssl3.hs.md5) {
+            rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l);
+            if (rv != SECSuccess) {
+                ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
+                return rv;
+            }
+        }
     } else {
         rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l);
         if (rv != SECSuccess) {
             ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
             return rv;
         }
         rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l);
         if (rv != SECSuccess) {
             ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
             return rv;
@@ skipping 728 matching lines @@
                 rv = SECFailure;
             }
             if (shaStateBuf != shaStackBuf) {
                 PORT_ZFree(shaStateBuf, shaStateLen);
             }
         }
     }
     return rv;
 }
 
+static SECStatus
+ssl3_ComputeBackupHandshakeHashes(sslSocket * ss,
+                                  SSL3Hashes * hashes) /* output goes here. */
+{
+    SECStatus rv = SECSuccess;
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ss->ssl3.hs.hashType == handshake_hash_single );
+
+    rv = PK11_DigestFinal(ss->ssl3.hs.md5, hashes->u.raw, &hashes->len,
+                          sizeof(hashes->u.raw));
+    if (rv != SECSuccess) {
+        ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
+        rv = SECFailure;
+        goto loser;
+    }
+    hashes->hashAlg = SEC_OID_SHA1;
+
+loser:
+    PK11_DestroyContext(ss->ssl3.hs.md5, PR_TRUE);
+    ss->ssl3.hs.md5 = NULL;
+    return rv;
+}
+
 /*
  * SSL 2 based implementations pass in the initial outbound buffer
  * so that the handshake hash can contain the included information.
  *
  * Called from ssl2_BeginClientHandshake() in sslcon.c
  */
 SECStatus
 ssl3_StartHandshakeHash(sslSocket *ss, unsigned char * buf, int length)
 {
     SECStatus rv;
@@ skipping 1233 matching lines @@
     unsigned int  len;
     SSL3SignatureAndHashAlgorithm sigAndHash;
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
 
     SSL_TRC(3, ("%d: SSL3[%d]: send certificate_verify handshake",
                 SSL_GETPID(), ss->fd));
 
     ssl_GetSpecReadLock(ss);
-    rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0);
+    /* In TLS 1.2, ssl3_ComputeHandshakeHashes always uses the handshake hash
+     * function (SHA-256). If the server or the client does not support SHA-256
+     * as a signature hash, we can either maintain a backup SHA-1 handshake
+     * hash or buffer all handshake messages.
+     */
+    if (ss->ssl3.hs.hashType == handshake_hash_single && ss->ssl3.hs.md5) {
+        rv = ssl3_ComputeBackupHandshakeHashes(ss, &hashes);

[agl, 2013/08/28 22:16:03]

(doesn't matter): here you are using tabs rather than 8 spaces at the beginning
of the line (which I believe is NSS style), but codereview isn't showing that in
other parts of the file.

+        PORT_Assert(ss->ssl3.hs.md5 == NULL);
+    } else {
+        rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0);
+    }
     ssl_ReleaseSpecReadLock(ss);
     if (rv != SECSuccess) {
         goto done;      /* err code was set by ssl3_ComputeHandshakeHashes */
     }
 
     isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
     isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
     if (ss->ssl3.platformClientKey) {
 #ifdef NSS_PLATFORM_CLIENT_AUTH
         keyType = CERT_GetCertKeyType(
@@ skipping 33 matching lines @@
     rv = ssl3_AppendHandshakeHeader(ss, certificate_verify, len);
     if (rv != SECSuccess) {
         goto done;      /* error code set by AppendHandshake */
     }
     if (isTLS12) {
         rv = ssl3_TLSSignatureAlgorithmForKeyType(keyType,
                                                   &sigAndHash.sigAlg);
         if (rv != SECSuccess) {
             goto done;
         }
-        /* We always sign using the handshake hash function. It's possible that
-         * a server could support SHA-256 as the handshake hash but not as a
-         * signature hash. In that case we wouldn't be able to do client
-         * certificates with it. The alternative is to buffer all handshake
-         * messages. */
         sigAndHash.hashAlg = hashes.hashAlg;
 
         rv = ssl3_AppendSignatureAndHashAlgorithm(ss, &sigAndHash);
         if (rv != SECSuccess) {
             goto done;  /* err set by AppendHandshake. */
         }
     }
     rv = ssl3_AppendHandshakeVariable(ss, buf.data, buf.len, 2);
     if (rv != SECSuccess) {
         goto done;      /* error code set by AppendHandshake */
@@ skipping 871 matching lines @@
                 if (ss->ssl3.clientCertificate != NULL) {
                     CERT_DestroyCertificate(ss->ssl3.clientCertificate);
                     ss->ssl3.clientCertificate = NULL;
                 }
                 if (ss->ssl3.platformClientKey) {
                     ssl_FreePlatformKey(ss->ssl3.platformClientKey);
                     ss->ssl3.platformClientKey = (PlatformKey)NULL;
                 }
                 goto send_no_certificate;
             }
+
+            if (isTLS12 && ss->ssl3.hs.md5) {
+                PRBool need_backup_hash = PR_FALSE;
+#ifdef _WIN32
+                /* If the key is in CAPI, check if the CAPI service provider
+                 * supports SHA-256. Use SHA-1 if it doesn't. */
+                if (ss->ssl3.platformClientKey->dwKeySpec !=
+                    CERT_NCRYPT_KEY_SPEC) {
+                    HCRYPTPROV prov = ss->ssl3.platformClientKey->hCryptProv;
+                    PROV_ENUMALGS alg_info;
+                    DWORD size = sizeof(alg_info);
+                    DWORD flags = CRYPT_FIRST;
+                    need_backup_hash = PR_TRUE;
+                    while (CryptGetProvParam(prov, PP_ENUMALGS,

[wtc, 2013/08/28 22:05:45]

It may be cheaper to check SHA-256 support by trying to create
a SHA-256 hash object in the CAPI service provider...

+                        (BYTE *)&alg_info, &size, flags)) {
+                        if (alg_info.aiAlgid == CALG_SHA_256) {
+                            need_backup_hash = PR_FALSE;
+                            break;
+                        }
+                        size = sizeof(alg_info);
+                        flags = CRYPT_NEXT;
+                    }
+                }
+#endif  /* _WIN32 */
+                if (!need_backup_hash) {
+                    PK11_DestroyContext(ss->ssl3.hs.md5, PR_TRUE);
+                    ss->ssl3.hs.md5 = NULL;
+                }
+            }
             break;  /* not an error */
         }
 #endif   /* NSS_PLATFORM_CLIENT_AUTH */
         /* check what the callback function returned */
         if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) {
             /* we are missing either the key or cert */
             if (ss->ssl3.clientCertificate) {
                 /* got a cert, but no key - free it */
                 CERT_DestroyCertificate(ss->ssl3.clientCertificate);
                 ss->ssl3.clientCertificate = NULL;
@@ skipping 213 matching lines @@
     PRBool sendClientCert;
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
 
     sendClientCert = !ss->ssl3.sendEmptyCert &&
                      ss->ssl3.clientCertChain  != NULL &&
                      (ss->ssl3.platformClientKey ||
                      ss->ssl3.clientPrivateKey != NULL);
 
+    if (!sendClientCert &&
+        ss->ssl3.hs.hashType == handshake_hash_single && ss->ssl3.hs.md5) {
+        /* Don't need the backup handshake hash. */
+        PK11_DestroyContext(ss->ssl3.hs.md5, PR_TRUE);
+        ss->ssl3.hs.md5 = NULL;
+    }
+
     /* We must wait for the server's certificate to be authenticated before
      * sending the client certificate in order to disclosing the client
      * certificate to an attacker that does not have a valid cert for the
      * domain we are connecting to.
      *
      * XXX: We should do the same for the NPN extension, but for that we
      * need an option to give the application the ability to leak the NPN
      * information to get better performance.
      *
      * During the initial handshake on a connection, we never send/receive
@@ skipping 5024 matching lines @@
             PORT_Free(ss->ssl3.hs.recvdFragments.buf);
         }
     }
 
     ss->ssl3.initialized = PR_FALSE;
 
     SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
 }
 
 /* End of ssl3con.c */