1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ | 1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ |
2 /* | 2 /* |
3 * SSL3 Protocol | 3 * SSL3 Protocol |
4 * | 4 * |
5 * This Source Code Form is subject to the terms of the Mozilla Public | 5 * This Source Code Form is subject to the terms of the Mozilla Public |
6 * License, v. 2.0. If a copy of the MPL was not distributed with this | 6 * License, v. 2.0. If a copy of the MPL was not distributed with this |
7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
8 | 8 |
9 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */ | 9 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */ |
10 | 10 |
(...skipping 6571 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
6582 loser: | 6582 loser: |
6583 PORT_SetError( errCode ); | 6583 PORT_SetError( errCode ); |
6584 return SECFailure; | 6584 return SECFailure; |
6585 | 6585 |
6586 no_memory: /* no-memory error has already been set. */ | 6586 no_memory: /* no-memory error has already been set. */ |
6587 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); | 6587 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); |
6588 return SECFailure; | 6588 return SECFailure; |
6589 } | 6589 } |
6590 | 6590 |
6591 | 6591 |
| 6592 /* |
| 6593 * Returns true if the client authentication key is an RSA or DSA key that |
| 6594 * may be able to sign only SHA-1 hashes. |
| 6595 */ |
| 6596 static PRBool |
| 6597 ssl3_ClientKeyPrefersSHA1(sslSocket *ss) |
| 6598 { |
| 6599 SECKEYPublicKey *pubk; |
| 6600 PRBool prefer_sha1 = PR_FALSE; |
| 6601 |
| 6602 #if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(_WIN32) |
| 6603 /* If the key is in CAPI, assume conservatively that the CAPI service |
| 6604 * provider may be unable to sign SHA-256 hashes. |
| 6605 */ |
| 6606 if (ss->ssl3.platformClientKey->dwKeySpec != CERT_NCRYPT_KEY_SPEC) { |
| 6607 /* CAPI only supports RSA and DSA signatures, so we don't need to |
| 6608 * check the key type. */ |
| 6609 return PR_TRUE; |
| 6610 } |
| 6611 #endif /* NSS_PLATFORM_CLIENT_AUTH && _WIN32 */ |
| 6612 |
| 6613 /* If the key is a 1024-bit RSA or DSA key, assume conservatively that |
| 6614 * it may be unable to sign SHA-256 hashes. This is the case for older |
| 6615 * Estonian ID cards that have 1024-bit RSA keys. In FIPS 186-2 and |
| 6616 * older, DSA key size is at most 1024 bits and the hash function must |
| 6617 * be SHA-1. |
| 6618 */ |
| 6619 pubk = CERT_ExtractPublicKey(ss->ssl3.clientCertificate); |
| 6620 if (pubk == NULL) { |
| 6621 return PR_FALSE; |
| 6622 } |
| 6623 if (pubk->keyType == rsaKey || pubk->keyType == dsaKey) { |
| 6624 prefer_sha1 = SECKEY_PublicKeyStrength(pubk) <= 128; |
| 6625 } |
| 6626 SECKEY_DestroyPublicKey(pubk); |
| 6627 return prefer_sha1; |
| 6628 } |
| 6629 |
| 6630 /* Destroys the backup handshake hash context if we don't need it. */ |
| 6631 static void |
| 6632 ssl3_DestroyBackupHandshakeHashIfNotNeeded(sslSocket *ss, |
| 6633 const SECItem *algorithms) |
| 6634 { |
| 6635 PRBool need_backup_hash = PR_FALSE; |
| 6636 unsigned int i; |
| 6637 |
| 6638 PORT_Assert(ss->ssl3.hs.md5); |
| 6639 if (ssl3_ClientKeyPrefersSHA1(ss)) { |
| 6640 /* Use SHA-1 if the server supports it. */ |
| 6641 for (i = 0; i < algorithms->len; i += 2) { |
| 6642 if (algorithms->data[i] == tls_hash_sha1 && |
| 6643 (algorithms->data[i+1] == tls_sig_rsa || |
| 6644 algorithms->data[i+1] == tls_sig_dsa)) { |
| 6645 need_backup_hash = PR_TRUE; |
| 6646 break; |
| 6647 } |
| 6648 } |
| 6649 } |
| 6650 if (!need_backup_hash) { |
| 6651 PK11_DestroyContext(ss->ssl3.hs.md5, PR_TRUE); |
| 6652 ss->ssl3.hs.md5 = NULL; |
| 6653 } |
| 6654 } |
| 6655 |
6592 typedef struct dnameNode { | 6656 typedef struct dnameNode { |
6593 struct dnameNode *next; | 6657 struct dnameNode *next; |
6594 SECItem name; | 6658 SECItem name; |
6595 } dnameNode; | 6659 } dnameNode; |
6596 | 6660 |
6597 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete | 6661 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete |
6598 * ssl3 Certificate Request message. | 6662 * ssl3 Certificate Request message. |
6599 * Caller must hold Handshake and RecvBuf locks. | 6663 * Caller must hold Handshake and RecvBuf locks. |
6600 */ | 6664 */ |
6601 static SECStatus | 6665 static SECStatus |
(...skipping 172 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
6774 if (ss->ssl3.clientCertificate != NULL) { | 6838 if (ss->ssl3.clientCertificate != NULL) { |
6775 CERT_DestroyCertificate(ss->ssl3.clientCertificate); | 6839 CERT_DestroyCertificate(ss->ssl3.clientCertificate); |
6776 ss->ssl3.clientCertificate = NULL; | 6840 ss->ssl3.clientCertificate = NULL; |
6777 } | 6841 } |
6778 if (ss->ssl3.platformClientKey) { | 6842 if (ss->ssl3.platformClientKey) { |
6779 ssl_FreePlatformKey(ss->ssl3.platformClientKey); | 6843 ssl_FreePlatformKey(ss->ssl3.platformClientKey); |
6780 ss->ssl3.platformClientKey = (PlatformKey)NULL; | 6844 ss->ssl3.platformClientKey = (PlatformKey)NULL; |
6781 } | 6845 } |
6782 goto send_no_certificate; | 6846 goto send_no_certificate; |
6783 } | 6847 } |
6784 | 6848 » if (isTLS12) { |
6785 » if (isTLS12 && ss->ssl3.hs.md5) { | 6849 » » ssl3_DestroyBackupHandshakeHashIfNotNeeded(ss, &algorithms); |
6786 » » PRBool need_backup_hash = PR_FALSE; | |
6787 » » PRBool prefer_sha1 = PR_FALSE; | |
6788 #ifdef _WIN32 | |
6789 » » /* If the key is in CAPI, assume conservatively that the CAPI | |
6790 » » * service provider may be unable to sign SHA-256 hashes. | |
6791 » » */ | |
6792 » » if (ss->ssl3.platformClientKey->dwKeySpec != | |
6793 » » CERT_NCRYPT_KEY_SPEC) { | |
6794 » » /* CAPI only supports RSA and DSA signatures, so we don't | |
6795 » » * need to check the key type. */ | |
6796 » » prefer_sha1 = PR_TRUE; | |
6797 » » } | |
6798 #endif /* _WIN32 */ | |
6799 » » /* If the key is a 1024-bit RSA or DSA key, assume | |
6800 » » * conservatively that it may be unable to sign SHA-256 | |
6801 » » * hashes. This is the case for older Estonian ID cards that | |
6802 » » * have 1024-bit RSA keys. In FIPS 186-2 and older, DSA key | |
6803 » » * size is at most 1024 bits and the hash function must be | |
6804 » » * SHA-1. | |
6805 » » */ | |
6806 » » if (!prefer_sha1) { | |
6807 » » SECKEYPublicKey *pubk = | |
6808 » » » CERT_ExtractPublicKey(ss->ssl3.clientCertificate); | |
6809 » » if (pubk == NULL) { | |
6810 » » » errCode = SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE; | |
6811 » » » goto loser; | |
6812 » » } | |
6813 » » if (pubk->keyType == rsaKey || pubk->keyType == dsaKey) { | |
6814 » » » prefer_sha1 = SECKEY_PublicKeyStrength(pubk) <= 128; | |
6815 » » } | |
6816 » » SECKEY_DestroyPublicKey(pubk); | |
6817 » » } | |
6818 » » /* Use SHA-1 if the server supports it. */ | |
6819 » » if (prefer_sha1) { | |
6820 » » for (i = 0; i < algorithms.len; i += 2) { | |
6821 » » » if (algorithms.data[i] == tls_hash_sha1 && | |
6822 » » » (algorithms.data[i+1] == tls_sig_rsa || | |
6823 » » » algorithms.data[i+1] == tls_sig_dsa)) { | |
6824 » » » need_backup_hash = PR_TRUE; | |
6825 » » » break; | |
6826 » » » } | |
6827 » » } | |
6828 » » } | |
6829 » » if (!need_backup_hash) { | |
6830 » » PK11_DestroyContext(ss->ssl3.hs.md5, PR_TRUE); | |
6831 » » ss->ssl3.hs.md5 = NULL; | |
6832 » » } | |
6833 } | 6850 } |
6834 break; /* not an error */ | 6851 break; /* not an error */ |
6835 } | 6852 } |
6836 #endif /* NSS_PLATFORM_CLIENT_AUTH */ | 6853 #endif /* NSS_PLATFORM_CLIENT_AUTH */ |
6837 /* check what the callback function returned */ | 6854 /* check what the callback function returned */ |
6838 if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) { | 6855 if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) { |
6839 /* we are missing either the key or cert */ | 6856 /* we are missing either the key or cert */ |
6840 if (ss->ssl3.clientCertificate) { | 6857 if (ss->ssl3.clientCertificate) { |
6841 /* got a cert, but no key - free it */ | 6858 /* got a cert, but no key - free it */ |
6842 CERT_DestroyCertificate(ss->ssl3.clientCertificate); | 6859 CERT_DestroyCertificate(ss->ssl3.clientCertificate); |
(...skipping 16 matching lines...) Expand all Loading... |
6859 if (ss->ssl3.clientCertificate != NULL) { | 6876 if (ss->ssl3.clientCertificate != NULL) { |
6860 CERT_DestroyCertificate(ss->ssl3.clientCertificate); | 6877 CERT_DestroyCertificate(ss->ssl3.clientCertificate); |
6861 ss->ssl3.clientCertificate = NULL; | 6878 ss->ssl3.clientCertificate = NULL; |
6862 } | 6879 } |
6863 if (ss->ssl3.clientPrivateKey != NULL) { | 6880 if (ss->ssl3.clientPrivateKey != NULL) { |
6864 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); | 6881 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
6865 ss->ssl3.clientPrivateKey = NULL; | 6882 ss->ssl3.clientPrivateKey = NULL; |
6866 } | 6883 } |
6867 goto send_no_certificate; | 6884 goto send_no_certificate; |
6868 } | 6885 } |
| 6886 if (isTLS12) { |
| 6887 ssl3_DestroyBackupHandshakeHashIfNotNeeded(ss, &algorithms); |
| 6888 } |
6869 break; /* not an error */ | 6889 break; /* not an error */ |
6870 | 6890 |
6871 case SECFailure: | 6891 case SECFailure: |
6872 default: | 6892 default: |
6873 send_no_certificate: | 6893 send_no_certificate: |
6874 if (isTLS) { | 6894 if (isTLS) { |
6875 ss->ssl3.sendEmptyCert = PR_TRUE; | 6895 ss->ssl3.sendEmptyCert = PR_TRUE; |
6876 } else { | 6896 } else { |
6877 (void)SSL3_SendAlert(ss, alert_warning, no_certificate); | 6897 (void)SSL3_SendAlert(ss, alert_warning, no_certificate); |
6878 } | 6898 } |
(...skipping 5198 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
12077 PORT_Free(ss->ssl3.hs.recvdFragments.buf); | 12097 PORT_Free(ss->ssl3.hs.recvdFragments.buf); |
12078 } | 12098 } |
12079 } | 12099 } |
12080 | 12100 |
12081 ss->ssl3.initialized = PR_FALSE; | 12101 ss->ssl3.initialized = PR_FALSE; |
12082 | 12102 |
12083 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); | 12103 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); |
12084 } | 12104 } |
12085 | 12105 |
12086 /* End of ssl3con.c */ | 12106 /* End of ssl3con.c */ |
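Review bot: ssl3_ClientKeyPrefersSHA1 dereferences `ss->ssl3.platformClientKey` unconditionally in its NSS_PLATFORM_CLIENT_AUTH/_WIN32 branch (new line 6606), yet the helper is now also invoked from the generic client-auth path after `#endif /* NSS_PLATFORM_CLIENT_AUTH */` (new lines 6886-6888), where the old inline code never touched that pointer and it is presumably NULL whenever `getClientAuthData` rather than the platform callback supplied the key. A NULL dereference there would crash the client while processing a server-sent CertificateRequest, so the test should read `if (ss->ssl3.platformClientKey && ss->ssl3.platformClientKey->dwKeySpec != CERT_NCRYPT_KEY_SPEC) {`. Two quieter behaviour changes deserve at least a comment: the old code mapped a failed `CERT_ExtractPublicKey` to `SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE` and jumped to `loser`, whereas the helper now returns PR_FALSE and lets the handshake continue with the backup hash destroyed, and the former `isTLS12 && ss->ssl3.hs.md5` guard became `PORT_Assert(ss->ssl3.hs.md5)`, which is compiled out in release builds before `PK11_DestroyContext` is reached with a possibly NULL context. The enclosing switch in the certificate-request handler starts and ends outside the visible hunks.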