Use the TLS 1.2 mechanisms for PKCS #11.

net/third_party/nss/ssl/ssl3con.c

 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
 /*
  * SSL3 Protocol
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */
 
@@ skipping 17 matching lines @@
 #include "pk11func.h"
 #include "secmod.h"
 #ifndef NO_PKCS11_BYPASS
 #include "blapi.h"
 #endif
 
 /* This is a bodge to allow this code to be compiled against older NSS headers
  * that don't contain the TLS 1.2 changes. */
 #ifndef CKM_NSS_TLS_PRF_GENERAL_SHA256
 #define CKM_NSS_TLS_PRF_GENERAL_SHA256          (CKM_NSS + 21)
-#define CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256    (CKM_NSS + 22)
-#define CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256   (CKM_NSS + 23)
-#define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24)
+#define CKM_TLS12_MASTER_KEY_DERIVE         0x000003E0
+#define CKM_TLS12_KEY_AND_MAC_DERIVE        0x000003E1
+#define CKM_TLS12_MASTER_KEY_DERIVE_DH      0x000003E2
 #endif
 
 #include <stdio.h>
 #ifdef NSS_ENABLE_ZLIB
 #include "zlib.h"
 #endif
 #ifdef LINUX
 #include <dlfcn.h>
 #endif
 
@@ skipping 3545 matching lines @@
      * data into a 48-byte value. 
      */
     PRBool    isDH = (PRBool) ((ss->ssl3.hs.kea_def->exchKeyType == kt_dh) ||
                                (ss->ssl3.hs.kea_def->exchKeyType == kt_ecdh));
     SECStatus         rv = SECFailure;
     CK_MECHANISM_TYPE master_derive;
     CK_MECHANISM_TYPE key_derive;
     SECItem           params;
     CK_FLAGS          keyFlags;
     CK_VERSION        pms_version;
-    CK_SSL3_MASTER_KEY_DERIVE_PARAMS master_params;
+    /* master_params may be used as a CK_SSL3_MASTER_KEY_DERIVE_PARAMS */
+    CK_TLS12_MASTER_KEY_DERIVE_PARAMS master_params;
+    unsigned int      master_params_len;
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
     PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
     PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
     if (isTLS12) {
-        if(isDH) master_derive = CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256;
-        else master_derive = CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256;
-        key_derive    = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256;
+        if(isDH) master_derive = CKM_TLS12_MASTER_KEY_DERIVE_DH;
+        else master_derive = CKM_TLS12_MASTER_KEY_DERIVE;
+        key_derive    = CKM_TLS12_KEY_AND_MAC_DERIVE;
         keyFlags      = CKF_SIGN | CKF_VERIFY;
     } else if (isTLS) {
         if(isDH) master_derive = CKM_TLS_MASTER_KEY_DERIVE_DH;
         else master_derive = CKM_TLS_MASTER_KEY_DERIVE;
         key_derive    = CKM_TLS_KEY_AND_MAC_DERIVE;
         keyFlags      = CKF_SIGN | CKF_VERIFY;
     } else {
         if (isDH) master_derive = CKM_SSL3_MASTER_KEY_DERIVE_DH;
         else master_derive = CKM_SSL3_MASTER_KEY_DERIVE;
         key_derive    = CKM_SSL3_KEY_AND_MAC_DERIVE;
         keyFlags      = 0;
     }
 
     if (pms || !pwSpec->master_secret) {
         if (isDH) {
             master_params.pVersion                     = NULL;
         } else {
             master_params.pVersion                     = &pms_version;
         }
         master_params.RandomInfo.pClientRandom     = cr;
         master_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH;
         master_params.RandomInfo.pServerRandom     = sr;
         master_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH;
+        if (isTLS12) {
+            master_params.prfHashMechanism = CKM_SHA256;
+            master_params_len = sizeof(CK_TLS12_MASTER_KEY_DERIVE_PARAMS);
+        } else {
+            master_params_len = sizeof(CK_SSL3_MASTER_KEY_DERIVE_PARAMS);
+        }
 
         params.data = (unsigned char *) &master_params;
-        params.len  = sizeof master_params;
+        params.len  = master_params_len;
     }
 
     if (pms != NULL) {
 #if defined(TRACE)
         if (ssl_trace >= 100) {
             SECStatus extractRV = PK11_ExtractKeyValue(pms);
             if (extractRV == SECSuccess) {
                 SECItem * keyData = PK11_GetKeyData(pms);
                 if (keyData && keyData->data && keyData->len) {
                     ssl_PrintBuf(ss, "Pre-Master Secret", 
@@ skipping 109 matching lines @@
     PRBool            isTLS  = (PRBool)(kea_def->tls_keygen ||
                                 (pwSpec->version > SSL_LIBRARY_VERSION_3_0));
     PRBool            isTLS12=
             (PRBool)(isTLS && pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
     /* following variables used in PKCS11 path */
     const ssl3BulkCipherDef *cipher_def = pwSpec->cipher_def;
     PK11SlotInfo *         slot   = NULL;
     PK11SymKey *           symKey = NULL;
     void *                 pwArg  = ss->pkcs11PinArg;
     int                    keySize;
-    CK_SSL3_KEY_MAT_PARAMS key_material_params;
+    CK_TLS12_KEY_MAT_PARAMS key_material_params; /* may be used as a
+                                                  * CK_SSL3_KEY_MAT_PARAMS */
+    unsigned int           key_material_params_len;
     CK_SSL3_KEY_MAT_OUT    returnedKeys;
     CK_MECHANISM_TYPE      key_derive;
     CK_MECHANISM_TYPE      bulk_mechanism;
     SSLCipherAlgorithm     calg;
     SECItem                params;
     PRBool         skipKeysAndIVs = (PRBool)(cipher_def->calg == calg_null);
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
     PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
     PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
@@ skipping 33 matching lines @@
         key_material_params.ulKeySizeInBits = 0;
         key_material_params.ulIVSizeInBits  = 0;
         returnedKeys.pIVClient              = NULL;
         returnedKeys.pIVServer              = NULL;
     }
 
     calg = cipher_def->calg;
     PORT_Assert(     alg2Mech[calg].calg == calg);
     bulk_mechanism = alg2Mech[calg].cmech;
 
-    params.data    = (unsigned char *)&key_material_params;
-    params.len     = sizeof(key_material_params);
-
     if (isTLS12) {
-        key_derive    = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256;
+        key_derive    = CKM_TLS12_KEY_AND_MAC_DERIVE;
+        key_material_params.prfHashMechanism = CKM_SHA256;
+        key_material_params_len = sizeof(CK_TLS12_KEY_MAT_PARAMS);
     } else if (isTLS) {
         key_derive    = CKM_TLS_KEY_AND_MAC_DERIVE;
+        key_material_params_len = sizeof(CK_SSL3_KEY_MAT_PARAMS);
     } else {
         key_derive    = CKM_SSL3_KEY_AND_MAC_DERIVE;
+        key_material_params_len = sizeof(CK_SSL3_KEY_MAT_PARAMS);
     }
 
+    params.data = (unsigned char *)&key_material_params;
+    params.len  = key_material_params_len;
+
     /* CKM_SSL3_KEY_AND_MAC_DERIVE is defined to set ENCRYPT, DECRYPT, and
      * DERIVE by DEFAULT */
     symKey = PK11_Derive(pwSpec->master_secret, key_derive, &params,
                          bulk_mechanism, CKA_ENCRYPT, keySize);
     if (!symKey) {
         ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
         return SECFailure;
     }
     /* we really should use the actual mac'ing mechanism here, but we
      * don't because these types are used to map keytype anyway and both
@@ skipping 6245 matching lines @@
 
     return rv;
 }
 
 static SECStatus
 ssl3_ComputeTLSFinished(ssl3CipherSpec *spec,
                         PRBool          isServer,
                 const   SSL3Hashes   *  hashes,
                         TLSFinished  *  tlsFinished)
 {
-    const char * label;
-    unsigned int len;
-    SECStatus    rv;
+    SECStatus rv;
+    CK_TLS12_MAC_PARAMS tls12_mac_params;
+    SECItem param = {siBuffer, NULL, 0};
+    PK11Context *prf_context;
+    unsigned int retLen;
 
-    label = isServer ? "server finished" : "client finished";
-    len   = 15;
+    if (spec->version < SSL_LIBRARY_VERSION_TLS_1_2) {
+        tls12_mac_params.prfHashMechanism = CKM_TLS_PRF;
+    } else {
+        tls12_mac_params.prfHashMechanism = CKM_SHA256;
+    }
+    tls12_mac_params.ulMacLength = 12;
+    tls12_mac_params.ulServerOrClient = isServer ? 1 : 2;
+    param.data = (unsigned char *)&tls12_mac_params;
+    param.len = sizeof(tls12_mac_params);
+    prf_context = PK11_CreateContextBySymKey(CKM_TLS12_MAC, CKA_SIGN,
+                                             spec->master_secret, &param);
+    if (!prf_context)
+        return SECFailure;
 
-    rv = ssl3_TLSPRFWithMasterSecret(spec, label, len, hashes->u.raw,
-        hashes->len, tlsFinished->verify_data,
-        sizeof tlsFinished->verify_data);
+    rv  = PK11_DigestBegin(prf_context);
+    rv |= PK11_DigestOp(prf_context, hashes->u.raw, hashes->len);
+    rv |= PK11_DigestFinal(prf_context, tlsFinished->verify_data, &retLen,
+                           sizeof tlsFinished->verify_data);
+    PORT_Assert(rv != SECSuccess || retLen == sizeof tlsFinished->verify_data);
+
+    PK11_DestroyContext(prf_context, PR_TRUE);
 
     return rv;
 }
 
 /* The calling function must acquire and release the appropriate
  * lock (e.g., ssl_GetSpecReadLock / ssl_ReleaseSpecReadLock for
  * ss->ssl3.crSpec).
  */
 SECStatus
 ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec, const char *label,
@@ skipping 2144 matching lines @@
             PORT_Free(ss->ssl3.hs.recvdFragments.buf);
         }
     }
 
     ss->ssl3.initialized = PR_FALSE;
 
     SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
 }
 
 /* End of ssl3con.c */