OLD | NEW |
1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ | 1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ |
2 /* | 2 /* |
3 * SSL3 Protocol | 3 * SSL3 Protocol |
4 * | 4 * |
5 * This Source Code Form is subject to the terms of the Mozilla Public | 5 * This Source Code Form is subject to the terms of the Mozilla Public |
6 * License, v. 2.0. If a copy of the MPL was not distributed with this | 6 * License, v. 2.0. If a copy of the MPL was not distributed with this |
7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
8 | 8 |
9 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */ | 9 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */ |
10 | 10 |
(...skipping 3656 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
3667 if (ss->ssl3.hs.sha == NULL) { | 3667 if (ss->ssl3.hs.sha == NULL) { |
3668 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); | 3668 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
3669 return SECFailure; | 3669 return SECFailure; |
3670 } | 3670 } |
3671 ss->ssl3.hs.hashType = handshake_hash_single; | 3671 ss->ssl3.hs.hashType = handshake_hash_single; |
3672 | 3672 |
3673 if (PK11_DigestBegin(ss->ssl3.hs.sha) != SECSuccess) { | 3673 if (PK11_DigestBegin(ss->ssl3.hs.sha) != SECSuccess) { |
3674 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); | 3674 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); |
3675 return SECFailure; | 3675 return SECFailure; |
3676 } | 3676 } |
| 3677 |
| 3678 #ifdef _WIN32 |
| 3679 /* A backup SHA-1 hash for a potential client auth signature. */ |
| 3680 if (!ss->sec.isServer) { |
| 3681 ss->ssl3.hs.md5 = PK11_CreateDigestContext(SEC_OID_SHA1); |
| 3682 if (ss->ssl3.hs.md5 == NULL) { |
| 3683 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
| 3684 return SECFailure; |
| 3685 } |
| 3686 |
| 3687 if (PK11_DigestBegin(ss->ssl3.hs.md5) != SECSuccess) { |
| 3688 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
| 3689 return SECFailure; |
| 3690 } |
| 3691 } |
| 3692 #endif |
3677 } else { | 3693 } else { |
3678 /* Both ss->ssl3.hs.md5 and ss->ssl3.hs.sha should be NULL or | 3694 /* Both ss->ssl3.hs.md5 and ss->ssl3.hs.sha should be NULL or |
3679 * created successfully. */ | 3695 * created successfully. */ |
3680 ss->ssl3.hs.md5 = PK11_CreateDigestContext(SEC_OID_MD5); | 3696 ss->ssl3.hs.md5 = PK11_CreateDigestContext(SEC_OID_MD5); |
3681 if (ss->ssl3.hs.md5 == NULL) { | 3697 if (ss->ssl3.hs.md5 == NULL) { |
3682 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); | 3698 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); |
3683 return SECFailure; | 3699 return SECFailure; |
3684 } | 3700 } |
3685 ss->ssl3.hs.sha = PK11_CreateDigestContext(SEC_OID_SHA1); | 3701 ss->ssl3.hs.sha = PK11_CreateDigestContext(SEC_OID_SHA1); |
3686 if (ss->ssl3.hs.sha == NULL) { | 3702 if (ss->ssl3.hs.sha == NULL) { |
(...skipping 90 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
3777 } | 3793 } |
3778 return rv; | 3794 return rv; |
3779 } | 3795 } |
3780 #endif | 3796 #endif |
3781 if (ss->ssl3.hs.hashType == handshake_hash_single) { | 3797 if (ss->ssl3.hs.hashType == handshake_hash_single) { |
3782 rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l); | 3798 rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l); |
3783 if (rv != SECSuccess) { | 3799 if (rv != SECSuccess) { |
3784 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); | 3800 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); |
3785 return rv; | 3801 return rv; |
3786 } | 3802 } |
| 3803 if (ss->ssl3.hs.md5) { |
| 3804 rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l); |
| 3805 if (rv != SECSuccess) { |
| 3806 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
| 3807 return rv; |
| 3808 } |
| 3809 } |
3787 } else { | 3810 } else { |
3788 rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l); | 3811 rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l); |
3789 if (rv != SECSuccess) { | 3812 if (rv != SECSuccess) { |
3790 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); | 3813 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); |
3791 return rv; | 3814 return rv; |
3792 } | 3815 } |
3793 rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l); | 3816 rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l); |
3794 if (rv != SECSuccess) { | 3817 if (rv != SECSuccess) { |
3795 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); | 3818 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
3796 return rv; | 3819 return rv; |
(...skipping 728 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
4525 rv = SECFailure; | 4548 rv = SECFailure; |
4526 } | 4549 } |
4527 if (shaStateBuf != shaStackBuf) { | 4550 if (shaStateBuf != shaStackBuf) { |
4528 PORT_ZFree(shaStateBuf, shaStateLen); | 4551 PORT_ZFree(shaStateBuf, shaStateLen); |
4529 } | 4552 } |
4530 } | 4553 } |
4531 } | 4554 } |
4532 return rv; | 4555 return rv; |
4533 } | 4556 } |
4534 | 4557 |
| 4558 static SECStatus |
| 4559 ssl3_ComputeBackupHandshakeHashes(sslSocket * ss, |
| 4560 SSL3Hashes * hashes) /* output goes here. */ |
| 4561 { |
| 4562 SECStatus rv = SECSuccess; |
| 4563 |
| 4564 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
| 4565 PORT_Assert( ss->ssl3.hs.hashType == handshake_hash_single ); |
| 4566 |
| 4567 rv = PK11_DigestFinal(ss->ssl3.hs.md5, hashes->u.raw, &hashes->len, |
| 4568 sizeof(hashes->u.raw)); |
| 4569 if (rv != SECSuccess) { |
| 4570 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
| 4571 rv = SECFailure; |
| 4572 goto loser; |
| 4573 } |
| 4574 hashes->hashAlg = SEC_OID_SHA1; |
| 4575 |
| 4576 loser: |
| 4577 PK11_DestroyContext(ss->ssl3.hs.md5, PR_TRUE); |
| 4578 ss->ssl3.hs.md5 = NULL; |
| 4579 return rv; |
| 4580 } |
| 4581 |
4535 /* | 4582 /* |
4536 * SSL 2 based implementations pass in the initial outbound buffer | 4583 * SSL 2 based implementations pass in the initial outbound buffer |
4537 * so that the handshake hash can contain the included information. | 4584 * so that the handshake hash can contain the included information. |
4538 * | 4585 * |
4539 * Called from ssl2_BeginClientHandshake() in sslcon.c | 4586 * Called from ssl2_BeginClientHandshake() in sslcon.c |
4540 */ | 4587 */ |
4541 SECStatus | 4588 SECStatus |
4542 ssl3_StartHandshakeHash(sslSocket *ss, unsigned char * buf, int length) | 4589 ssl3_StartHandshakeHash(sslSocket *ss, unsigned char * buf, int length) |
4543 { | 4590 { |
4544 SECStatus rv; | 4591 SECStatus rv; |
(...skipping 1229 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
5774 unsigned int len; | 5821 unsigned int len; |
5775 SSL3SignatureAndHashAlgorithm sigAndHash; | 5822 SSL3SignatureAndHashAlgorithm sigAndHash; |
5776 | 5823 |
5777 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); | 5824 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
5778 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 5825 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
5779 | 5826 |
5780 SSL_TRC(3, ("%d: SSL3[%d]: send certificate_verify handshake", | 5827 SSL_TRC(3, ("%d: SSL3[%d]: send certificate_verify handshake", |
5781 SSL_GETPID(), ss->fd)); | 5828 SSL_GETPID(), ss->fd)); |
5782 | 5829 |
5783 ssl_GetSpecReadLock(ss); | 5830 ssl_GetSpecReadLock(ss); |
5784 rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0); | 5831 /* In TLS 1.2, ssl3_ComputeHandshakeHashes always uses the handshake hash |
| 5832 * function (SHA-256). If the server or the client does not support SHA-256 |
| 5833 * as a signature hash, we can either maintain a backup SHA-1 handshake |
| 5834 * hash or buffer all handshake messages. |
| 5835 */ |
| 5836 if (ss->ssl3.hs.hashType == handshake_hash_single && ss->ssl3.hs.md5) { |
| 5837 » rv = ssl3_ComputeBackupHandshakeHashes(ss, &hashes); |
| 5838 » PORT_Assert(ss->ssl3.hs.md5 == NULL); |
| 5839 } else { |
| 5840 » rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0); |
| 5841 } |
5785 ssl_ReleaseSpecReadLock(ss); | 5842 ssl_ReleaseSpecReadLock(ss); |
5786 if (rv != SECSuccess) { | 5843 if (rv != SECSuccess) { |
5787 goto done; /* err code was set by ssl3_ComputeHandshakeHashes */ | 5844 goto done; /* err code was set by ssl3_ComputeHandshakeHashes */ |
5788 } | 5845 } |
5789 | 5846 |
5790 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); | 5847 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); |
5791 isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); | 5848 isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); |
5792 if (ss->ssl3.platformClientKey) { | 5849 if (ss->ssl3.platformClientKey) { |
5793 #ifdef NSS_PLATFORM_CLIENT_AUTH | 5850 #ifdef NSS_PLATFORM_CLIENT_AUTH |
5794 keyType = CERT_GetCertKeyType( | 5851 keyType = CERT_GetCertKeyType( |
(...skipping 33 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
5828 rv = ssl3_AppendHandshakeHeader(ss, certificate_verify, len); | 5885 rv = ssl3_AppendHandshakeHeader(ss, certificate_verify, len); |
5829 if (rv != SECSuccess) { | 5886 if (rv != SECSuccess) { |
5830 goto done; /* error code set by AppendHandshake */ | 5887 goto done; /* error code set by AppendHandshake */ |
5831 } | 5888 } |
5832 if (isTLS12) { | 5889 if (isTLS12) { |
5833 rv = ssl3_TLSSignatureAlgorithmForKeyType(keyType, | 5890 rv = ssl3_TLSSignatureAlgorithmForKeyType(keyType, |
5834 &sigAndHash.sigAlg); | 5891 &sigAndHash.sigAlg); |
5835 if (rv != SECSuccess) { | 5892 if (rv != SECSuccess) { |
5836 goto done; | 5893 goto done; |
5837 } | 5894 } |
5838 /* We always sign using the handshake hash function. It's possible that | |
5839 * a server could support SHA-256 as the handshake hash but not as a | |
5840 * signature hash. In that case we wouldn't be able to do client | |
5841 * certificates with it. The alternative is to buffer all handshake | |
5842 * messages. */ | |
5843 sigAndHash.hashAlg = hashes.hashAlg; | 5895 sigAndHash.hashAlg = hashes.hashAlg; |
5844 | 5896 |
5845 rv = ssl3_AppendSignatureAndHashAlgorithm(ss, &sigAndHash); | 5897 rv = ssl3_AppendSignatureAndHashAlgorithm(ss, &sigAndHash); |
5846 if (rv != SECSuccess) { | 5898 if (rv != SECSuccess) { |
5847 goto done; /* err set by AppendHandshake. */ | 5899 goto done; /* err set by AppendHandshake. */ |
5848 } | 5900 } |
5849 } | 5901 } |
5850 rv = ssl3_AppendHandshakeVariable(ss, buf.data, buf.len, 2); | 5902 rv = ssl3_AppendHandshakeVariable(ss, buf.data, buf.len, 2); |
5851 if (rv != SECSuccess) { | 5903 if (rv != SECSuccess) { |
5852 goto done; /* error code set by AppendHandshake */ | 5904 goto done; /* error code set by AppendHandshake */ |
(...skipping 871 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
6724 if (ss->ssl3.clientCertificate != NULL) { | 6776 if (ss->ssl3.clientCertificate != NULL) { |
6725 CERT_DestroyCertificate(ss->ssl3.clientCertificate); | 6777 CERT_DestroyCertificate(ss->ssl3.clientCertificate); |
6726 ss->ssl3.clientCertificate = NULL; | 6778 ss->ssl3.clientCertificate = NULL; |
6727 } | 6779 } |
6728 if (ss->ssl3.platformClientKey) { | 6780 if (ss->ssl3.platformClientKey) { |
6729 ssl_FreePlatformKey(ss->ssl3.platformClientKey); | 6781 ssl_FreePlatformKey(ss->ssl3.platformClientKey); |
6730 ss->ssl3.platformClientKey = (PlatformKey)NULL; | 6782 ss->ssl3.platformClientKey = (PlatformKey)NULL; |
6731 } | 6783 } |
6732 goto send_no_certificate; | 6784 goto send_no_certificate; |
6733 } | 6785 } |
| 6786 |
| 6787 if (isTLS12 && ss->ssl3.hs.md5) { |
| 6788 PRBool need_backup_hash = PR_FALSE; |
| 6789 #ifdef _WIN32 |
| 6790 /* If the key is in CAPI, assume conservatively that the CAPI |
| 6791 * service provider may be unable to sign SHA-256 hashes. |
| 6792 * Use SHA-1 if the server supports it. */ |
| 6793 if (ss->ssl3.platformClientKey->dwKeySpec != |
| 6794 CERT_NCRYPT_KEY_SPEC) { |
| 6795 for (i = 0; i < algorithms.len; i += 2) { |
| 6796 /* CAPI only supports RSA and DSA signatures. */ |
| 6797 if (algorithms.data[i] == tls_hash_sha1 && |
| 6798 (algorithms.data[i+1] == tls_sig_rsa || |
| 6799 algorithms.data[i+1] == tls_sig_dsa)) { |
| 6800 need_backup_hash = PR_TRUE; |
| 6801 break; |
| 6802 } |
| 6803 } |
| 6804 } |
| 6805 #endif /* _WIN32 */ |
| 6806 if (!need_backup_hash) { |
| 6807 PK11_DestroyContext(ss->ssl3.hs.md5, PR_TRUE); |
| 6808 ss->ssl3.hs.md5 = NULL; |
| 6809 } |
| 6810 } |
6734 break; /* not an error */ | 6811 break; /* not an error */ |
6735 } | 6812 } |
6736 #endif /* NSS_PLATFORM_CLIENT_AUTH */ | 6813 #endif /* NSS_PLATFORM_CLIENT_AUTH */ |
6737 /* check what the callback function returned */ | 6814 /* check what the callback function returned */ |
6738 if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) { | 6815 if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) { |
6739 /* we are missing either the key or cert */ | 6816 /* we are missing either the key or cert */ |
6740 if (ss->ssl3.clientCertificate) { | 6817 if (ss->ssl3.clientCertificate) { |
6741 /* got a cert, but no key - free it */ | 6818 /* got a cert, but no key - free it */ |
6742 CERT_DestroyCertificate(ss->ssl3.clientCertificate); | 6819 CERT_DestroyCertificate(ss->ssl3.clientCertificate); |
6743 ss->ssl3.clientCertificate = NULL; | 6820 ss->ssl3.clientCertificate = NULL; |
(...skipping 213 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
6957 PRBool sendClientCert; | 7034 PRBool sendClientCert; |
6958 | 7035 |
6959 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 7036 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
6960 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 7037 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
6961 | 7038 |
6962 sendClientCert = !ss->ssl3.sendEmptyCert && | 7039 sendClientCert = !ss->ssl3.sendEmptyCert && |
6963 ss->ssl3.clientCertChain != NULL && | 7040 ss->ssl3.clientCertChain != NULL && |
6964 (ss->ssl3.platformClientKey || | 7041 (ss->ssl3.platformClientKey || |
6965 ss->ssl3.clientPrivateKey != NULL); | 7042 ss->ssl3.clientPrivateKey != NULL); |
6966 | 7043 |
| 7044 if (!sendClientCert && |
| 7045 ss->ssl3.hs.hashType == handshake_hash_single && ss->ssl3.hs.md5) { |
| 7046 /* Don't need the backup handshake hash. */ |
| 7047 PK11_DestroyContext(ss->ssl3.hs.md5, PR_TRUE); |
| 7048 ss->ssl3.hs.md5 = NULL; |
| 7049 } |
| 7050 |
6967 /* We must wait for the server's certificate to be authenticated before | 7051 /* We must wait for the server's certificate to be authenticated before |
6968 * sending the client certificate in order to disclosing the client | 7052 * sending the client certificate in order to disclosing the client |
6969 * certificate to an attacker that does not have a valid cert for the | 7053 * certificate to an attacker that does not have a valid cert for the |
6970 * domain we are connecting to. | 7054 * domain we are connecting to. |
6971 * | 7055 * |
6972 * XXX: We should do the same for the NPN extension, but for that we | 7056 * XXX: We should do the same for the NPN extension, but for that we |
6973 * need an option to give the application the ability to leak the NPN | 7057 * need an option to give the application the ability to leak the NPN |
6974 * information to get better performance. | 7058 * information to get better performance. |
6975 * | 7059 * |
6976 * During the initial handshake on a connection, we never send/receive | 7060 * During the initial handshake on a connection, we never send/receive |
(...skipping 4993 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
11970 PORT_Free(ss->ssl3.hs.recvdFragments.buf); | 12054 PORT_Free(ss->ssl3.hs.recvdFragments.buf); |
11971 } | 12055 } |
11972 } | 12056 } |
11973 | 12057 |
11974 ss->ssl3.initialized = PR_FALSE; | 12058 ss->ssl3.initialized = PR_FALSE; |
11975 | 12059 |
11976 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); | 12060 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); |
11977 } | 12061 } |
11978 | 12062 |
11979 /* End of ssl3con.c */ | 12063 /* End of ssl3con.c */ |
OLD | NEW |