| OLD | NEW |
|---|
| 1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ | 1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ |
| 2 /* | 2 /* |
| 3 * SSL3 Protocol | 3 * SSL3 Protocol |
| 4 * | 4 * |
| 5 * This Source Code Form is subject to the terms of the Mozilla Public | 5 * This Source Code Form is subject to the terms of the Mozilla Public |
| 6 * License, v. 2.0. If a copy of the MPL was not distributed with this | 6 * License, v. 2.0. If a copy of the MPL was not distributed with this |
| 7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| 8 | 8 |
| 9 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */ | 9 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */ |
| 10 | 10 |
| (...skipping 3656 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 3667 if (ss->ssl3.hs.sha == NULL) { | 3667 if (ss->ssl3.hs.sha == NULL) { |
| 3668 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); | 3668 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
| 3669 return SECFailure; | 3669 return SECFailure; |
| 3670 } | 3670 } |
| 3671 ss->ssl3.hs.hashType = handshake_hash_single; | 3671 ss->ssl3.hs.hashType = handshake_hash_single; |
| 3672 | 3672 |
| 3673 if (PK11_DigestBegin(ss->ssl3.hs.sha) != SECSuccess) { | 3673 if (PK11_DigestBegin(ss->ssl3.hs.sha) != SECSuccess) { |
| 3674 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); | 3674 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); |
| 3675 return SECFailure; | 3675 return SECFailure; |
| 3676 } | 3676 } |
| 3677 |
| 3678 #ifdef _WIN32 |
| 3679 /* A backup SHA-1 hash for a potential client auth signature. */ |
| 3680 if (!ss->sec.isServer) { |
| 3681 ss->ssl3.hs.md5 = PK11_CreateDigestContext(SEC_OID_SHA1); |
| 3682 if (ss->ssl3.hs.md5 == NULL) { |
| 3683 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
| 3684 return SECFailure; |
| 3685 } |
| 3686 |
| 3687 if (PK11_DigestBegin(ss->ssl3.hs.md5) != SECSuccess) { |
| 3688 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
| 3689 return SECFailure; |
| 3690 } |
| 3691 } |
| 3692 #endif |
| 3677 } else { | 3693 } else { |
| 3678 /* Both ss->ssl3.hs.md5 and ss->ssl3.hs.sha should be NULL or | 3694 /* Both ss->ssl3.hs.md5 and ss->ssl3.hs.sha should be NULL or |
| 3679 * created successfully. */ | 3695 * created successfully. */ |
| 3680 ss->ssl3.hs.md5 = PK11_CreateDigestContext(SEC_OID_MD5); | 3696 ss->ssl3.hs.md5 = PK11_CreateDigestContext(SEC_OID_MD5); |
| 3681 if (ss->ssl3.hs.md5 == NULL) { | 3697 if (ss->ssl3.hs.md5 == NULL) { |
| 3682 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); | 3698 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); |
| 3683 return SECFailure; | 3699 return SECFailure; |
| 3684 } | 3700 } |
| 3685 ss->ssl3.hs.sha = PK11_CreateDigestContext(SEC_OID_SHA1); | 3701 ss->ssl3.hs.sha = PK11_CreateDigestContext(SEC_OID_SHA1); |
| 3686 if (ss->ssl3.hs.sha == NULL) { | 3702 if (ss->ssl3.hs.sha == NULL) { |
| (...skipping 90 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 3777 } | 3793 } |
| 3778 return rv; | 3794 return rv; |
| 3779 } | 3795 } |
| 3780 #endif | 3796 #endif |
| 3781 if (ss->ssl3.hs.hashType == handshake_hash_single) { | 3797 if (ss->ssl3.hs.hashType == handshake_hash_single) { |
| 3782 rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l); | 3798 rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l); |
| 3783 if (rv != SECSuccess) { | 3799 if (rv != SECSuccess) { |
| 3784 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); | 3800 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); |
| 3785 return rv; | 3801 return rv; |
| 3786 } | 3802 } |
| 3803 if (ss->ssl3.hs.md5) { |
| 3804 rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l); |
| 3805 if (rv != SECSuccess) { |
| 3806 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
| 3807 return rv; |
| 3808 } |
| 3809 } |
| 3787 } else { | 3810 } else { |
| 3788 rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l); | 3811 rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l); |
| 3789 if (rv != SECSuccess) { | 3812 if (rv != SECSuccess) { |
| 3790 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); | 3813 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); |
| 3791 return rv; | 3814 return rv; |
| 3792 } | 3815 } |
| 3793 rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l); | 3816 rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l); |
| 3794 if (rv != SECSuccess) { | 3817 if (rv != SECSuccess) { |
| 3795 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); | 3818 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
| 3796 return rv; | 3819 return rv; |
| (...skipping 728 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 4525 rv = SECFailure; | 4548 rv = SECFailure; |
| 4526 } | 4549 } |
| 4527 if (shaStateBuf != shaStackBuf) { | 4550 if (shaStateBuf != shaStackBuf) { |
| 4528 PORT_ZFree(shaStateBuf, shaStateLen); | 4551 PORT_ZFree(shaStateBuf, shaStateLen); |
| 4529 } | 4552 } |
| 4530 } | 4553 } |
| 4531 } | 4554 } |
| 4532 return rv; | 4555 return rv; |
| 4533 } | 4556 } |
| 4534 | 4557 |
| 4558 static SECStatus |
| 4559 ssl3_ComputeBackupHandshakeHashes(sslSocket * ss, |
| 4560 SSL3Hashes * hashes) /* output goes here. */ |
| 4561 { |
| 4562 SECStatus rv = SECSuccess; |
| 4563 |
| 4564 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
| 4565 PORT_Assert( ss->ssl3.hs.hashType == handshake_hash_single ); |
| 4566 |
| 4567 rv = PK11_DigestFinal(ss->ssl3.hs.md5, hashes->u.raw, &hashes->len, |
| 4568 sizeof(hashes->u.raw)); |
| 4569 if (rv != SECSuccess) { |
| 4570 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
| 4571 rv = SECFailure; |
| 4572 goto loser; |
| 4573 } |
| 4574 hashes->hashAlg = SEC_OID_SHA1; |
| 4575 |
| 4576 loser: |
| 4577 PK11_DestroyContext(ss->ssl3.hs.md5, PR_TRUE); |
| 4578 ss->ssl3.hs.md5 = NULL; |
| 4579 return rv; |
| 4580 } |
| 4581 |
| 4535 /* | 4582 /* |
| 4536 * SSL 2 based implementations pass in the initial outbound buffer | 4583 * SSL 2 based implementations pass in the initial outbound buffer |
| 4537 * so that the handshake hash can contain the included information. | 4584 * so that the handshake hash can contain the included information. |
| 4538 * | 4585 * |
| 4539 * Called from ssl2_BeginClientHandshake() in sslcon.c | 4586 * Called from ssl2_BeginClientHandshake() in sslcon.c |
| 4540 */ | 4587 */ |
| 4541 SECStatus | 4588 SECStatus |
| 4542 ssl3_StartHandshakeHash(sslSocket *ss, unsigned char * buf, int length) | 4589 ssl3_StartHandshakeHash(sslSocket *ss, unsigned char * buf, int length) |
| 4543 { | 4590 { |
| 4544 SECStatus rv; | 4591 SECStatus rv; |
| (...skipping 1229 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 5774 unsigned int len; | 5821 unsigned int len; |
| 5775 SSL3SignatureAndHashAlgorithm sigAndHash; | 5822 SSL3SignatureAndHashAlgorithm sigAndHash; |
| 5776 | 5823 |
| 5777 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); | 5824 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
| 5778 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 5825 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| 5779 | 5826 |
| 5780 SSL_TRC(3, ("%d: SSL3[%d]: send certificate_verify handshake", | 5827 SSL_TRC(3, ("%d: SSL3[%d]: send certificate_verify handshake", |
| 5781 SSL_GETPID(), ss->fd)); | 5828 SSL_GETPID(), ss->fd)); |
| 5782 | 5829 |
| 5783 ssl_GetSpecReadLock(ss); | 5830 ssl_GetSpecReadLock(ss); |
| 5784 rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0); | 5831 /* In TLS 1.2, ssl3_ComputeHandshakeHashes always uses the handshake hash |
| 5832 * function (SHA-256). If the server or the client does not support SHA-256 |
| 5833 * as a signature hash, we can either maintain a backup SHA-1 handshake |
| 5834 * hash or buffer all handshake messages. |
| 5835 */ |
| 5836 if (ss->ssl3.hs.hashType == handshake_hash_single && ss->ssl3.hs.md5) { |
| 5837 » rv = ssl3_ComputeBackupHandshakeHashes(ss, &hashes); |
| 5838 » PORT_Assert(ss->ssl3.hs.md5 == NULL); |
| 5839 } else { |
| 5840 » rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0); |
| 5841 } |
| 5785 ssl_ReleaseSpecReadLock(ss); | 5842 ssl_ReleaseSpecReadLock(ss); |
| 5786 if (rv != SECSuccess) { | 5843 if (rv != SECSuccess) { |
| 5787 goto done; /* err code was set by ssl3_ComputeHandshakeHashes */ | 5844 goto done; /* err code was set by ssl3_ComputeHandshakeHashes */ |
| 5788 } | 5845 } |
| 5789 | 5846 |
| 5790 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); | 5847 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); |
| 5791 isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); | 5848 isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); |
| 5792 if (ss->ssl3.platformClientKey) { | 5849 if (ss->ssl3.platformClientKey) { |
| 5793 #ifdef NSS_PLATFORM_CLIENT_AUTH | 5850 #ifdef NSS_PLATFORM_CLIENT_AUTH |
| 5794 keyType = CERT_GetCertKeyType( | 5851 keyType = CERT_GetCertKeyType( |
| (...skipping 33 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 5828 rv = ssl3_AppendHandshakeHeader(ss, certificate_verify, len); | 5885 rv = ssl3_AppendHandshakeHeader(ss, certificate_verify, len); |
| 5829 if (rv != SECSuccess) { | 5886 if (rv != SECSuccess) { |
| 5830 goto done; /* error code set by AppendHandshake */ | 5887 goto done; /* error code set by AppendHandshake */ |
| 5831 } | 5888 } |
| 5832 if (isTLS12) { | 5889 if (isTLS12) { |
| 5833 rv = ssl3_TLSSignatureAlgorithmForKeyType(keyType, | 5890 rv = ssl3_TLSSignatureAlgorithmForKeyType(keyType, |
| 5834 &sigAndHash.sigAlg); | 5891 &sigAndHash.sigAlg); |
| 5835 if (rv != SECSuccess) { | 5892 if (rv != SECSuccess) { |
| 5836 goto done; | 5893 goto done; |
| 5837 } | 5894 } |
| 5838 /* We always sign using the handshake hash function. It's possible that | |
| 5839 * a server could support SHA-256 as the handshake hash but not as a | |
| 5840 * signature hash. In that case we wouldn't be able to do client | |
| 5841 * certificates with it. The alternative is to buffer all handshake | |
| 5842 * messages. */ | |
| 5843 sigAndHash.hashAlg = hashes.hashAlg; | 5895 sigAndHash.hashAlg = hashes.hashAlg; |
| 5844 | 5896 |
| 5845 rv = ssl3_AppendSignatureAndHashAlgorithm(ss, &sigAndHash); | 5897 rv = ssl3_AppendSignatureAndHashAlgorithm(ss, &sigAndHash); |
| 5846 if (rv != SECSuccess) { | 5898 if (rv != SECSuccess) { |
| 5847 goto done; /* err set by AppendHandshake. */ | 5899 goto done; /* err set by AppendHandshake. */ |
| 5848 } | 5900 } |
| 5849 } | 5901 } |
| 5850 rv = ssl3_AppendHandshakeVariable(ss, buf.data, buf.len, 2); | 5902 rv = ssl3_AppendHandshakeVariable(ss, buf.data, buf.len, 2); |
| 5851 if (rv != SECSuccess) { | 5903 if (rv != SECSuccess) { |
| 5852 goto done; /* error code set by AppendHandshake */ | 5904 goto done; /* error code set by AppendHandshake */ |
| (...skipping 871 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 6724 if (ss->ssl3.clientCertificate != NULL) { | 6776 if (ss->ssl3.clientCertificate != NULL) { |
| 6725 CERT_DestroyCertificate(ss->ssl3.clientCertificate); | 6777 CERT_DestroyCertificate(ss->ssl3.clientCertificate); |
| 6726 ss->ssl3.clientCertificate = NULL; | 6778 ss->ssl3.clientCertificate = NULL; |
| 6727 } | 6779 } |
| 6728 if (ss->ssl3.platformClientKey) { | 6780 if (ss->ssl3.platformClientKey) { |
| 6729 ssl_FreePlatformKey(ss->ssl3.platformClientKey); | 6781 ssl_FreePlatformKey(ss->ssl3.platformClientKey); |
| 6730 ss->ssl3.platformClientKey = (PlatformKey)NULL; | 6782 ss->ssl3.platformClientKey = (PlatformKey)NULL; |
| 6731 } | 6783 } |
| 6732 goto send_no_certificate; | 6784 goto send_no_certificate; |
| 6733 } | 6785 } |
| 6786 |
| 6787 if (isTLS12 && ss->ssl3.hs.md5) { |
| 6788 PRBool need_backup_hash = PR_FALSE; |
| 6789 #ifdef _WIN32 |
| 6790 /* If the key is in CAPI, assume conservatively that the CAPI |
| 6791 * service provider may be unable to sign SHA-256 hashes. |
| 6792 * Use SHA-1 if the server supports it. */ |
| 6793 if (ss->ssl3.platformClientKey->dwKeySpec != |
| 6794 CERT_NCRYPT_KEY_SPEC) { |
| 6795 for (i = 0; i < algorithms.len; i += 2) { |
| 6796 /* CAPI only supports RSA and DSA signatures. */ |
| 6797 if (algorithms.data[i] == tls_hash_sha1 && |
| 6798 (algorithms.data[i+1] == tls_sig_rsa || |
| 6799 algorithms.data[i+1] == tls_sig_dsa)) { |
| 6800 need_backup_hash = PR_TRUE; |
| 6801 break; |
| 6802 } |
| 6803 } |
| 6804 } |
| 6805 #endif /* _WIN32 */ |
| 6806 if (!need_backup_hash) { |
| 6807 PK11_DestroyContext(ss->ssl3.hs.md5, PR_TRUE); |
| 6808 ss->ssl3.hs.md5 = NULL; |
| 6809 } |
| 6810 } |
| 6734 break; /* not an error */ | 6811 break; /* not an error */ |
| 6735 } | 6812 } |
| 6736 #endif /* NSS_PLATFORM_CLIENT_AUTH */ | 6813 #endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 6737 /* check what the callback function returned */ | 6814 /* check what the callback function returned */ |
| 6738 if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) { | 6815 if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) { |
| 6739 /* we are missing either the key or cert */ | 6816 /* we are missing either the key or cert */ |
| 6740 if (ss->ssl3.clientCertificate) { | 6817 if (ss->ssl3.clientCertificate) { |
| 6741 /* got a cert, but no key - free it */ | 6818 /* got a cert, but no key - free it */ |
| 6742 CERT_DestroyCertificate(ss->ssl3.clientCertificate); | 6819 CERT_DestroyCertificate(ss->ssl3.clientCertificate); |
| 6743 ss->ssl3.clientCertificate = NULL; | 6820 ss->ssl3.clientCertificate = NULL; |
| (...skipping 213 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 6957 PRBool sendClientCert; | 7034 PRBool sendClientCert; |
| 6958 | 7035 |
| 6959 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 7036 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
| 6960 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 7037 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
| 6961 | 7038 |
| 6962 sendClientCert = !ss->ssl3.sendEmptyCert && | 7039 sendClientCert = !ss->ssl3.sendEmptyCert && |
| 6963 ss->ssl3.clientCertChain != NULL && | 7040 ss->ssl3.clientCertChain != NULL && |
| 6964 (ss->ssl3.platformClientKey || | 7041 (ss->ssl3.platformClientKey || |
| 6965 ss->ssl3.clientPrivateKey != NULL); | 7042 ss->ssl3.clientPrivateKey != NULL); |
| 6966 | 7043 |
| 7044 if (!sendClientCert && |
| 7045 ss->ssl3.hs.hashType == handshake_hash_single && ss->ssl3.hs.md5) { |
| 7046 /* Don't need the backup handshake hash. */ |
| 7047 PK11_DestroyContext(ss->ssl3.hs.md5, PR_TRUE); |
| 7048 ss->ssl3.hs.md5 = NULL; |
| 7049 } |
| 7050 |
| 6967 /* We must wait for the server's certificate to be authenticated before | 7051 /* We must wait for the server's certificate to be authenticated before |
| 6968 * sending the client certificate in order to disclosing the client | 7052 * sending the client certificate in order to disclosing the client |
| 6969 * certificate to an attacker that does not have a valid cert for the | 7053 * certificate to an attacker that does not have a valid cert for the |
| 6970 * domain we are connecting to. | 7054 * domain we are connecting to. |
| 6971 * | 7055 * |
| 6972 * XXX: We should do the same for the NPN extension, but for that we | 7056 * XXX: We should do the same for the NPN extension, but for that we |
| 6973 * need an option to give the application the ability to leak the NPN | 7057 * need an option to give the application the ability to leak the NPN |
| 6974 * information to get better performance. | 7058 * information to get better performance. |
| 6975 * | 7059 * |
| 6976 * During the initial handshake on a connection, we never send/receive | 7060 * During the initial handshake on a connection, we never send/receive |
| (...skipping 4993 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 11970 PORT_Free(ss->ssl3.hs.recvdFragments.buf); | 12054 PORT_Free(ss->ssl3.hs.recvdFragments.buf); |
| 11971 } | 12055 } |
| 11972 } | 12056 } |
| 11973 | 12057 |
| 11974 ss->ssl3.initialized = PR_FALSE; | 12058 ss->ssl3.initialized = PR_FALSE; |
| 11975 | 12059 |
| 11976 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); | 12060 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); |
| 11977 } | 12061 } |
| 11978 | 12062 |
| 11979 /* End of ssl3con.c */ | 12063 /* End of ssl3con.c */ |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 23880004:
Merge 220595 "On Windows, prefer to generate SHA-1 signatures fo..." (Closed)
Base URL: svn://svn.chromium.org/chrome/branches/1599/src/