Chromium Code Reviews Chromium Code Reviews
Issue 23545010:
On Windows, prepare to generate SHA-1 signatures for TLS 1.2 client authentication. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/| Index: net/third_party/nss/ssl/ssl3con.c |
| =================================================================== |
| --- net/third_party/nss/ssl/ssl3con.c (revision 219612) |
| +++ net/third_party/nss/ssl/ssl3con.c (working copy) |
| @@ -3933,6 +3933,22 @@ |
| ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); |
| return SECFailure; |
| } |
| + |
| +#ifdef _WIN32 |
| + /* A backup SHA-1 hash for a potential client auth signature. */ |
| + if (!ss->sec.isServer) { |
| + ss->ssl3.hs.md5 = PK11_CreateDigestContext(SEC_OID_SHA1); |
| + if (ss->ssl3.hs.md5 == NULL) { |
| + ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
| + return SECFailure; |
| + } |
| + |
| + if (PK11_DigestBegin(ss->ssl3.hs.md5) != SECSuccess) { |
| + ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
| + return SECFailure; |
| + } |
| + } |
| +#endif |
| } else { |
| /* Both ss->ssl3.hs.md5 and ss->ssl3.hs.sha should be NULL or |
| * created successfully. */ |
| @@ -4043,6 +4059,13 @@ |
| ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); |
| return rv; |
| } |
| + if (ss->ssl3.hs.md5) { |
| + rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l); |
| + if (rv != SECSuccess) { |
| + ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
| + return rv; |
| + } |
| + } |
| } else { |
| rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l); |
| if (rv != SECSuccess) { |
| @@ -4791,6 +4814,30 @@ |
| return rv; |
| } |
| +static SECStatus |
| +ssl3_ComputeBackupHandshakeHashes(sslSocket * ss, |
| + SSL3Hashes * hashes) /* output goes here. */ |
| +{ |
| + SECStatus rv = SECSuccess; |
| + |
| + PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
| + PORT_Assert( ss->ssl3.hs.hashType == handshake_hash_single ); |
| + |
| + rv = PK11_DigestFinal(ss->ssl3.hs.md5, hashes->u.raw, &hashes->len, |
| + sizeof(hashes->u.raw)); |
| + if (rv != SECSuccess) { |
| + ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
| + rv = SECFailure; |
| + goto loser; |
| + } |
| + hashes->hashAlg = SEC_OID_SHA1; |
| + |
| +loser: |
| + PK11_DestroyContext(ss->ssl3.hs.md5, PR_TRUE); |
| + ss->ssl3.hs.md5 = NULL; |
| + return rv; |
| +} |
| + |
| /* |
| * SSL 2 based implementations pass in the initial outbound buffer |
| * so that the handshake hash can contain the included information. |
| @@ -6044,7 +6091,17 @@ |
| SSL_GETPID(), ss->fd)); |
| ssl_GetSpecReadLock(ss); |
| - rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0); |
| + /* In TLS 1.2, ssl3_ComputeHandshakeHashes always uses the handshake hash |
| + * function (SHA-256). If the server or the client does not support SHA-256 |
| + * as a signature hash, we can either maintain a backup SHA-1 handshake |
| + * hash or buffer all handshake messages. |
| + */ |
| + if (ss->ssl3.hs.hashType == handshake_hash_single && ss->ssl3.hs.md5) { |
| + rv = ssl3_ComputeBackupHandshakeHashes(ss, &hashes); |
|
agl
2013/08/28 22:16:03
(doesn't matter): here you are using tabs rather t
|
| + PORT_Assert(ss->ssl3.hs.md5 == NULL); |
| + } else { |
| + rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0); |
| + } |
| ssl_ReleaseSpecReadLock(ss); |
| if (rv != SECSuccess) { |
| goto done; /* err code was set by ssl3_ComputeHandshakeHashes */ |
| @@ -6098,11 +6155,6 @@ |
| if (rv != SECSuccess) { |
| goto done; |
| } |
| - /* We always sign using the handshake hash function. It's possible that |
| - * a server could support SHA-256 as the handshake hash but not as a |
| - * signature hash. In that case we wouldn't be able to do client |
| - * certificates with it. The alternative is to buffer all handshake |
| - * messages. */ |
| sigAndHash.hashAlg = hashes.hashAlg; |
| rv = ssl3_AppendSignatureAndHashAlgorithm(ss, &sigAndHash); |
| @@ -6994,6 +7046,35 @@ |
| } |
| goto send_no_certificate; |
| } |
| + |
| + if (isTLS12 && ss->ssl3.hs.md5) { |
| + PRBool need_backup_hash = PR_FALSE; |
| +#ifdef _WIN32 |
| + /* If the key is in CAPI, check if the CAPI service provider |
| + * supports SHA-256. Use SHA-1 if it doesn't. */ |
| + if (ss->ssl3.platformClientKey->dwKeySpec != |
| + CERT_NCRYPT_KEY_SPEC) { |
| + HCRYPTPROV prov = ss->ssl3.platformClientKey->hCryptProv; |
| + PROV_ENUMALGS alg_info; |
| + DWORD size = sizeof(alg_info); |
| + DWORD flags = CRYPT_FIRST; |
| + need_backup_hash = PR_TRUE; |
| + while (CryptGetProvParam(prov, PP_ENUMALGS, |
|
wtc
2013/08/28 22:05:45
It may be cheaper to check SHA-256 support by tryi
|
| + (BYTE *)&alg_info, &size, flags)) { |
| + if (alg_info.aiAlgid == CALG_SHA_256) { |
| + need_backup_hash = PR_FALSE; |
| + break; |
| + } |
| + size = sizeof(alg_info); |
| + flags = CRYPT_NEXT; |
| + } |
| + } |
| +#endif /* _WIN32 */ |
| + if (!need_backup_hash) { |
| + PK11_DestroyContext(ss->ssl3.hs.md5, PR_TRUE); |
| + ss->ssl3.hs.md5 = NULL; |
| + } |
| + } |
| break; /* not an error */ |
| } |
| #endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| @@ -7227,6 +7308,13 @@ |
| (ss->ssl3.platformClientKey || |
| ss->ssl3.clientPrivateKey != NULL); |
| + if (!sendClientCert && |
| + ss->ssl3.hs.hashType == handshake_hash_single && ss->ssl3.hs.md5) { |
| + /* Don't need the backup handshake hash. */ |
| + PK11_DestroyContext(ss->ssl3.hs.md5, PR_TRUE); |
| + ss->ssl3.hs.md5 = NULL; |
| + } |
| + |
| /* We must wait for the server's certificate to be authenticated before |
| * sending the client certificate in order to disclosing the client |
| * certificate to an attacker that does not have a valid cert for the |
