Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(231)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/third_party/nss/ssl/ssl3con.c

Issue 992733002: Remove //net (except for Android test stuff) and sdch (Closed) Base URL: git@github.com:domokit/mojo.git@master
Patch Set: Created 5 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/third_party/nss/ssl/ssl.rc ('k') | net/third_party/nss/ssl/ssl3ecc.c » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
2 /*
3 * SSL3 Protocol
4 *
5 * This Source Code Form is subject to the terms of the Mozilla Public
6 * License, v. 2.0. If a copy of the MPL was not distributed with this
7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
8
9 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */
10
11 #include "cert.h"
12 #include "ssl.h"
13 #include "cryptohi.h" /* for DSAU_ stuff */
14 #include "keyhi.h"
15 #include "secder.h"
16 #include "secitem.h"
17 #include "sechash.h"
18
19 #include "sslimpl.h"
20 #include "sslproto.h"
21 #include "sslerr.h"
22 #include "prtime.h"
23 #include "prinrval.h"
24 #include "prerror.h"
25 #include "pratom.h"
26 #include "prthread.h"
27
28 #include "pk11func.h"
29 #include "secmod.h"
30 #ifndef NO_PKCS11_BYPASS
31 #include "blapi.h"
32 #endif
33
34 /* This is a bodge to allow this code to be compiled against older NSS headers
35 * that don't contain the TLS 1.2 changes. */
36 #ifndef CKM_NSS_TLS_PRF_GENERAL_SHA256
37 #define CKM_NSS_TLS_PRF_GENERAL_SHA256 (CKM_NSS + 21)
38 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256 (CKM_NSS + 22)
39 #define CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256 (CKM_NSS + 23)
40 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24)
41 #endif
42
43 /* This is a bodge to allow this code to be compiled against older NSS
44 * headers. */
45 #ifndef CKM_NSS_CHACHA20_POLY1305
46 #define CKM_NSS_CHACHA20_POLY1305 (CKM_NSS + 26)
47
48 typedef struct CK_NSS_AEAD_PARAMS {
49 CK_BYTE_PTR pIv; /* This is the nonce. */
50 CK_ULONG ulIvLen;
51 CK_BYTE_PTR pAAD;
52 CK_ULONG ulAADLen;
53 CK_ULONG ulTagLen;
54 } CK_NSS_AEAD_PARAMS;
55
56 #endif
57
58 #include <stdio.h>
59 #ifdef NSS_ENABLE_ZLIB
60 #include "zlib.h"
61 #endif
62 #ifdef LINUX
63 #include <dlfcn.h>
64 #endif
65
66 #ifndef PK11_SETATTRS
67 #define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \
68 (x)->pValue=(v); (x)->ulValueLen = (l);
69 #endif
70
71 static SECStatus ssl3_AuthCertificate(sslSocket *ss);
72 static void ssl3_CleanupPeerCerts(sslSocket *ss);
73 static void ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid);
74 static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
75 PK11SlotInfo * serverKeySlot);
76 static SECStatus ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms);
77 static SECStatus ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss);
78 static SECStatus ssl3_HandshakeFailure( sslSocket *ss);
79 static SECStatus ssl3_InitState( sslSocket *ss);
80 static SECStatus ssl3_SendCertificate( sslSocket *ss);
81 static SECStatus ssl3_SendCertificateStatus( sslSocket *ss);
82 static SECStatus ssl3_SendEmptyCertificate( sslSocket *ss);
83 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss);
84 static SECStatus ssl3_SendNextProto( sslSocket *ss);
85 static SECStatus ssl3_SendEncryptedExtensions(sslSocket *ss);
86 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags);
87 static SECStatus ssl3_SendServerHello( sslSocket *ss);
88 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss);
89 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss);
90 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss,
91 const unsigned char *b,
92 unsigned int l);
93 static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags);
94 static int ssl3_OIDToTLSHashAlgorithm(SECOidTag oid);
95
96 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen,
97 int maxOutputLen, const unsigned char *input,
98 int inputLen);
99 #ifndef NO_PKCS11_BYPASS
100 static SECStatus ssl3_AESGCMBypass(ssl3KeyMaterial *keys, PRBool doDecrypt,
101 unsigned char *out, int *outlen, int maxout,
102 const unsigned char *in, int inlen,
103 const unsigned char *additionalData,
104 int additionalDataLen);
105 #endif
106
107 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */
108 #define MIN_SEND_BUF_LENGTH 4000
109
110 /* This list of SSL3 cipher suites is sorted in descending order of
111 * precedence (desirability). It only includes cipher suites we implement.
112 * This table is modified by SSL3_SetPolicy(). The ordering of cipher suites
113 * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c)
114 *
115 * Important: See bug 946147 before enabling, reordering, or adding any cipher
116 * suites to this list.
117 */
118 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
119 /* cipher_suite policy enabled isPresent */
120
121 #ifdef NSS_ENABLE_ECC
122 { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, SSL_ALLOWED, PR_FALSE, PR_FALSE},
123 { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, SSL_ALLOWED, PR_FALSE, PR_FALSE},
124 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
125 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
126 /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
127 * bug 946147.
128 */
129 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
130 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
131 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
132 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
133 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
134 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
135 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
136 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
137 { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
138 { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
139 #endif /* NSS_ENABLE_ECC */
140
141 { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
142 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
143 { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
144 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
145 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
146 { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
147 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
148 { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
149 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
150 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
151 { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
152 { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
153 { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
154 { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
155
156 #ifdef NSS_ENABLE_ECC
157 { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
158 { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
159 { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
160 { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
161 { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
162 { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
163 { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
164 { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
165 #endif /* NSS_ENABLE_ECC */
166
167 /* RSA */
168 { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
169 { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
170 { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
171 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
172 { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
173 { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
174 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
175 { TLS_RSA_WITH_SEED_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
176 { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
177 { SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
178 { SSL_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
179 { SSL_RSA_WITH_RC4_128_MD5, SSL_ALLOWED, PR_TRUE, PR_FALSE},
180
181 /* 56-bit DES "domestic" cipher suites */
182 { SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
183 { SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
184 { SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
185 { SSL_RSA_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
186
187 /* export ciphersuites with 1024-bit public key exchange keys */
188 { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
189 { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
190
191 /* export ciphersuites with 512-bit public key exchange keys */
192 { SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE},
193 { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE},
194
195 /* ciphersuites with no encryption */
196 #ifdef NSS_ENABLE_ECC
197 { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
198 { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
199 { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
200 { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
201 #endif /* NSS_ENABLE_ECC */
202 { SSL_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
203 { TLS_RSA_WITH_NULL_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
204 { SSL_RSA_WITH_NULL_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE},
205 };
206
207 /* Verify that SSL_ImplementedCiphers and cipherSuites are in consistent order.
208 */
209 #ifdef DEBUG
210 void ssl3_CheckCipherSuiteOrderConsistency()
211 {
212 unsigned int i;
213
214 /* Note that SSL_ImplementedCiphers has more elements than cipherSuites
215 * because it SSL_ImplementedCiphers includes SSL 2.0 cipher suites.
216 */
217 PORT_Assert(SSL_NumImplementedCiphers >= PR_ARRAY_SIZE(cipherSuites));
218
219 for (i = 0; i < PR_ARRAY_SIZE(cipherSuites); ++i) {
220 PORT_Assert(SSL_ImplementedCiphers[i] == cipherSuites[i].cipher_suite);
221 }
222 }
223 #endif
224
225 /* This list of SSL3 compression methods is sorted in descending order of
226 * precedence (desirability). It only includes compression methods we
227 * implement.
228 */
229 static const /*SSLCompressionMethod*/ PRUint8 compressions [] = {
230 #ifdef NSS_ENABLE_ZLIB
231 ssl_compression_deflate,
232 #endif
233 ssl_compression_null
234 };
235
236 static const int compressionMethodsCount =
237 sizeof(compressions) / sizeof(compressions[0]);
238
239 /* compressionEnabled returns true iff the compression algorithm is enabled
240 * for the given SSL socket. */
241 static PRBool
242 compressionEnabled(sslSocket *ss, SSLCompressionMethod compression)
243 {
244 switch (compression) {
245 case ssl_compression_null:
246 return PR_TRUE; /* Always enabled */
247 #ifdef NSS_ENABLE_ZLIB
248 case ssl_compression_deflate:
249 return ss->opt.enableDeflate;
250 #endif
251 default:
252 return PR_FALSE;
253 }
254 }
255
256 static const /*SSL3ClientCertificateType */ PRUint8 certificate_types [] = {
257 ct_RSA_sign,
258 #ifdef NSS_ENABLE_ECC
259 ct_ECDSA_sign,
260 #endif /* NSS_ENABLE_ECC */
261 ct_DSS_sign,
262 };
263
264 /* This block is the contents of the supported_signature_algorithms field of
265 * our TLS 1.2 CertificateRequest message, in wire format. See
266 * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
267 *
268 * This block contains only sha256 entries because we only support TLS 1.2
269 * CertificateVerify messages that use the handshake hash. */
270 static const PRUint8 supported_signature_algorithms[] = {
271 tls_hash_sha256, tls_sig_rsa,
272 #ifdef NSS_ENABLE_ECC
273 tls_hash_sha256, tls_sig_ecdsa,
274 #endif
275 tls_hash_sha256, tls_sig_dsa,
276 };
277
278 #define EXPORT_RSA_KEY_LENGTH 64 /* bytes */
279
280
281 /* This global item is used only in servers. It is is initialized by
282 ** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest().
283 */
284 CERTDistNames *ssl3_server_ca_list = NULL;
285 static SSL3Statistics ssl3stats;
286
287 /* indexed by SSL3BulkCipher */
288 static const ssl3BulkCipherDef bulk_cipher_defs[] = {
289 /* |--------- Lengths --------| */
290 /* cipher calg k s type i b t n */
291 /* e e v l a o */
292 /* y c | o g n */
293 /* | r | c | c */
294 /* | e | k | e */
295 /* | t | | | | */
296 {cipher_null, calg_null, 0, 0, type_stream, 0, 0, 0, 0},
297 {cipher_rc4, calg_rc4, 16,16, type_stream, 0, 0, 0, 0},
298 {cipher_rc4_40, calg_rc4, 16, 5, type_stream, 0, 0, 0, 0},
299 {cipher_rc4_56, calg_rc4, 16, 7, type_stream, 0, 0, 0, 0},
300 {cipher_rc2, calg_rc2, 16,16, type_block, 8, 8, 0, 0},
301 {cipher_rc2_40, calg_rc2, 16, 5, type_block, 8, 8, 0, 0},
302 {cipher_des, calg_des, 8, 8, type_block, 8, 8, 0, 0},
303 {cipher_3des, calg_3des, 24,24, type_block, 8, 8, 0, 0},
304 {cipher_des40, calg_des, 8, 5, type_block, 8, 8, 0, 0},
305 {cipher_idea, calg_idea, 16,16, type_block, 8, 8, 0, 0},
306 {cipher_aes_128, calg_aes, 16,16, type_block, 16,16, 0, 0},
307 {cipher_aes_256, calg_aes, 32,32, type_block, 16,16, 0, 0},
308 {cipher_camellia_128, calg_camellia, 16,16, type_block, 16,16, 0, 0},
309 {cipher_camellia_256, calg_camellia, 32,32, type_block, 16,16, 0, 0},
310 {cipher_seed, calg_seed, 16,16, type_block, 16,16, 0, 0},
311 {cipher_aes_128_gcm, calg_aes_gcm, 16,16, type_aead, 4, 0,16, 8},
312 {cipher_chacha20, calg_chacha20, 32,32, type_aead, 0, 0,16, 0},
313 {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, 0, 0},
314 };
315
316 static const ssl3KEADef kea_defs[] =
317 { /* indexed by SSL3KeyExchangeAlgorithm */
318 /* kea exchKeyType signKeyType is_limited limit tls_keygen */
319 {kea_null, kt_null, sign_null, PR_FALSE, 0, PR_FALSE},
320 {kea_rsa, kt_rsa, sign_rsa, PR_FALSE, 0, PR_FALSE},
321 {kea_rsa_export, kt_rsa, sign_rsa, PR_TRUE, 512, PR_FALSE},
322 {kea_rsa_export_1024,kt_rsa, sign_rsa, PR_TRUE, 1024, PR_FALSE},
323 {kea_dh_dss, kt_dh, sign_dsa, PR_FALSE, 0, PR_FALSE},
324 {kea_dh_dss_export, kt_dh, sign_dsa, PR_TRUE, 512, PR_FALSE},
325 {kea_dh_rsa, kt_dh, sign_rsa, PR_FALSE, 0, PR_FALSE},
326 {kea_dh_rsa_export, kt_dh, sign_rsa, PR_TRUE, 512, PR_FALSE},
327 {kea_dhe_dss, kt_dh, sign_dsa, PR_FALSE, 0, PR_FALSE},
328 {kea_dhe_dss_export, kt_dh, sign_dsa, PR_TRUE, 512, PR_FALSE},
329 {kea_dhe_rsa, kt_dh, sign_rsa, PR_FALSE, 0, PR_FALSE},
330 {kea_dhe_rsa_export, kt_dh, sign_rsa, PR_TRUE, 512, PR_FALSE},
331 {kea_dh_anon, kt_dh, sign_null, PR_FALSE, 0, PR_FALSE},
332 {kea_dh_anon_export, kt_dh, sign_null, PR_TRUE, 512, PR_FALSE},
333 {kea_rsa_fips, kt_rsa, sign_rsa, PR_FALSE, 0, PR_TRUE },
334 #ifdef NSS_ENABLE_ECC
335 {kea_ecdh_ecdsa, kt_ecdh, sign_ecdsa, PR_FALSE, 0, PR_FALSE},
336 {kea_ecdhe_ecdsa, kt_ecdh, sign_ecdsa, PR_FALSE, 0, PR_FALSE},
337 {kea_ecdh_rsa, kt_ecdh, sign_rsa, PR_FALSE, 0, PR_FALSE},
338 {kea_ecdhe_rsa, kt_ecdh, sign_rsa, PR_FALSE, 0, PR_FALSE},
339 {kea_ecdh_anon, kt_ecdh, sign_null, PR_FALSE, 0, PR_FALSE},
340 #endif /* NSS_ENABLE_ECC */
341 };
342
343 /* must use ssl_LookupCipherSuiteDef to access */
344 static const ssl3CipherSuiteDef cipher_suite_defs[] =
345 {
346 /* cipher_suite bulk_cipher_alg mac_alg key_exchange_alg */
347
348 {SSL_NULL_WITH_NULL_NULL, cipher_null, mac_null, kea_null},
349 {SSL_RSA_WITH_NULL_MD5, cipher_null, mac_md5, kea_rsa},
350 {SSL_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_rsa},
351 {TLS_RSA_WITH_NULL_SHA256, cipher_null, hmac_sha256, kea_rsa},
352 {SSL_RSA_EXPORT_WITH_RC4_40_MD5,cipher_rc4_40, mac_md5, kea_rsa_export},
353 {SSL_RSA_WITH_RC4_128_MD5, cipher_rc4, mac_md5, kea_rsa},
354 {SSL_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_rsa},
355 {SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
356 cipher_rc2_40, mac_md5, kea_rsa_export},
357 #if 0 /* not implemented */
358 {SSL_RSA_WITH_IDEA_CBC_SHA, cipher_idea, mac_sha, kea_rsa},
359 {SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
360 cipher_des40, mac_sha, kea_rsa_export},
361 #endif
362 {SSL_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa},
363 {SSL_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa},
364 {SSL_DHE_DSS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dhe_dss},
365 {SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
366 cipher_3des, mac_sha, kea_dhe_dss},
367 {TLS_DHE_DSS_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_dhe_dss},
368 #if 0 /* not implemented */
369 {SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
370 cipher_des40, mac_sha, kea_dh_dss_export},
371 {SSL_DH_DSS_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_dss},
372 {SSL_DH_DSS_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_dss},
373 {SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
374 cipher_des40, mac_sha, kea_dh_rsa_export},
375 {SSL_DH_RSA_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_rsa},
376 {SSL_DH_RSA_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_rsa},
377 {SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
378 cipher_des40, mac_sha, kea_dh_dss_export},
379 {SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
380 cipher_des40, mac_sha, kea_dh_rsa_export},
381 #endif
382 {SSL_DHE_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dhe_rsa},
383 {SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
384 cipher_3des, mac_sha, kea_dhe_rsa},
385 #if 0
386 {SSL_DH_ANON_EXPORT_RC4_40_MD5, cipher_rc4_40, mac_md5, kea_dh_anon_export},
387 {SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA,
388 cipher_des40, mac_sha, kea_dh_anon_export},
389 {SSL_DH_ANON_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_anon},
390 {SSL_DH_ANON_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_anon},
391 #endif
392
393
394 /* New TLS cipher suites */
395 {TLS_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_rsa},
396 {TLS_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_rsa},
397 {TLS_DHE_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe_dss},
398 {TLS_DHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe_rsa},
399 {TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_r sa},
400 {TLS_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_rsa},
401 {TLS_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_rsa},
402 {TLS_DHE_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe_dss},
403 {TLS_DHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe_rsa},
404 {TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_r sa},
405 #if 0
406 {TLS_DH_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_dss},
407 {TLS_DH_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_rsa},
408 {TLS_DH_ANON_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_anon},
409 {TLS_DH_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_dss},
410 {TLS_DH_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_rsa},
411 {TLS_DH_ANON_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_anon},
412 #endif
413
414 {TLS_RSA_WITH_SEED_CBC_SHA, cipher_seed, mac_sha, kea_rsa},
415
416 {TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, cipher_camellia_128, mac_sha, kea_rsa},
417 {TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
418 cipher_camellia_128, mac_sha, kea_dhe_dss},
419 {TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
420 cipher_camellia_128, mac_sha, kea_dhe_rsa},
421 {TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, cipher_camellia_256, mac_sha, kea_rsa},
422 {TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
423 cipher_camellia_256, mac_sha, kea_dhe_dss},
424 {TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
425 cipher_camellia_256, mac_sha, kea_dhe_rsa},
426
427 {TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
428 cipher_des, mac_sha,kea_rsa_export_1024},
429 {TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
430 cipher_rc4_56, mac_sha,kea_rsa_export_1024},
431
432 {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips},
433 {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips},
434
435 {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_ rsa},
436 {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa},
437 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ec dhe_rsa},
438 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ ecdhe_ecdsa},
439 {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, cipher_chacha20, mac_aead, kea_ecdhe_ rsa},
440 {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, cipher_chacha20, mac_aead, kea_ecdh e_ecdsa},
441
442 #ifdef NSS_ENABLE_ECC
443 {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa},
444 {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa},
445 {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa} ,
446 {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecds a},
447 {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecds a},
448
449 {TLS_ECDHE_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_ecdsa },
450 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_ecdsa },
451 {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecds a},
452 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_ec dsa},
453 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_e cdhe_ecdsa},
454 {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_ec dsa},
455
456 {TLS_ECDH_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_rsa},
457 {TLS_ECDH_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_rsa},
458 {TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_rsa},
459 {TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_rsa},
460 {TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_rsa},
461
462 {TLS_ECDHE_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_rsa },
463 {TLS_ECDHE_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_rsa },
464 {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_rsa },
465 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_rsa },
466 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ecd he_rsa},
467 {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_rsa },
468
469 #if 0
470 {TLS_ECDH_anon_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_anon },
471 {TLS_ECDH_anon_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_anon },
472 {TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_anon },
473 {TLS_ECDH_anon_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_anon },
474 {TLS_ECDH_anon_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_anon },
475 #endif
476 #endif /* NSS_ENABLE_ECC */
477 };
478
479 static const CK_MECHANISM_TYPE kea_alg_defs[] = {
480 0x80000000L,
481 CKM_RSA_PKCS,
482 CKM_DH_PKCS_DERIVE,
483 CKM_KEA_KEY_DERIVE,
484 CKM_ECDH1_DERIVE
485 };
486
487 typedef struct SSLCipher2MechStr {
488 SSLCipherAlgorithm calg;
489 CK_MECHANISM_TYPE cmech;
490 } SSLCipher2Mech;
491
492 /* indexed by type SSLCipherAlgorithm */
493 static const SSLCipher2Mech alg2Mech[] = {
494 /* calg, cmech */
495 { calg_null , (CK_MECHANISM_TYPE)0x80000000L },
496 { calg_rc4 , CKM_RC4 },
497 { calg_rc2 , CKM_RC2_CBC },
498 { calg_des , CKM_DES_CBC },
499 { calg_3des , CKM_DES3_CBC },
500 { calg_idea , CKM_IDEA_CBC },
501 { calg_fortezza , CKM_SKIPJACK_CBC64 },
502 { calg_aes , CKM_AES_CBC },
503 { calg_camellia , CKM_CAMELLIA_CBC },
504 { calg_seed , CKM_SEED_CBC },
505 { calg_aes_gcm , CKM_AES_GCM },
506 { calg_chacha20 , CKM_NSS_CHACHA20_POLY1305 },
507 /* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */
508 };
509
510 #define mmech_invalid (CK_MECHANISM_TYPE)0x80000000L
511 #define mmech_md5 CKM_SSL3_MD5_MAC
512 #define mmech_sha CKM_SSL3_SHA1_MAC
513 #define mmech_md5_hmac CKM_MD5_HMAC
514 #define mmech_sha_hmac CKM_SHA_1_HMAC
515 #define mmech_sha256_hmac CKM_SHA256_HMAC
516
517 static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */
518 /* pad_size is only used for SSL 3.0 MAC. See RFC 6101 Sec. 5.2.3.1. */
519 /* mac mmech pad_size mac_size */
520 { mac_null, mmech_invalid, 0, 0 },
521 { mac_md5, mmech_md5, 48, MD5_LENGTH },
522 { mac_sha, mmech_sha, 40, SHA1_LENGTH},
523 {hmac_md5, mmech_md5_hmac, 0, MD5_LENGTH },
524 {hmac_sha, mmech_sha_hmac, 0, SHA1_LENGTH},
525 {hmac_sha256, mmech_sha256_hmac, 0, SHA256_LENGTH},
526 { mac_aead, mmech_invalid, 0, 0 },
527 };
528
529 /* indexed by SSL3BulkCipher */
530 const char * const ssl3_cipherName[] = {
531 "NULL",
532 "RC4",
533 "RC4-40",
534 "RC4-56",
535 "RC2-CBC",
536 "RC2-CBC-40",
537 "DES-CBC",
538 "3DES-EDE-CBC",
539 "DES-CBC-40",
540 "IDEA-CBC",
541 "AES-128",
542 "AES-256",
543 "Camellia-128",
544 "Camellia-256",
545 "SEED-CBC",
546 "AES-128-GCM",
547 "missing"
548 };
549
550 #ifdef NSS_ENABLE_ECC
551 /* The ECCWrappedKeyInfo structure defines how various pieces of
552 * information are laid out within wrappedSymmetricWrappingkey
553 * for ECDH key exchange. Since wrappedSymmetricWrappingkey is
554 * a 512-byte buffer (see sslimpl.h), the variable length field
555 * in ECCWrappedKeyInfo can be at most (512 - 8) = 504 bytes.
556 *
557 * XXX For now, NSS only supports named elliptic curves of size 571 bits
558 * or smaller. The public value will fit within 145 bytes and EC params
559 * will fit within 12 bytes. We'll need to revisit this when NSS
560 * supports arbitrary curves.
561 */
562 #define MAX_EC_WRAPPED_KEY_BUFLEN 504
563
564 typedef struct ECCWrappedKeyInfoStr {
565 PRUint16 size; /* EC public key size in bits */
566 PRUint16 encodedParamLen; /* length (in bytes) of DER encoded EC params */
567 PRUint16 pubValueLen; /* length (in bytes) of EC public value */
568 PRUint16 wrappedKeyLen; /* length (in bytes) of the wrapped key */
569 PRUint8 var[MAX_EC_WRAPPED_KEY_BUFLEN]; /* this buffer contains the */
570 /* EC public-key params, the EC public value and the wrapped key */
571 } ECCWrappedKeyInfo;
572 #endif /* NSS_ENABLE_ECC */
573
574 #if defined(TRACE)
575
576 static char *
577 ssl3_DecodeHandshakeType(int msgType)
578 {
579 char * rv;
580 static char line[40];
581
582 switch(msgType) {
583 case hello_request: rv = "hello_request (0)"; break;
584 case client_hello: rv = "client_hello (1)"; break;
585 case server_hello: rv = "server_hello (2)"; break;
586 case hello_verify_request: rv = "hello_verify_request (3)"; break;
587 case certificate: rv = "certificate (11)"; break;
588 case server_key_exchange: rv = "server_key_exchange (12)"; break;
589 case certificate_request: rv = "certificate_request (13)"; break;
590 case server_hello_done: rv = "server_hello_done (14)"; break;
591 case certificate_verify: rv = "certificate_verify (15)"; break;
592 case client_key_exchange: rv = "client_key_exchange (16)"; break;
593 case finished: rv = "finished (20)"; break;
594 default:
595 sprintf(line, "*UNKNOWN* handshake type! (%d)", msgType);
596 rv = line;
597 }
598 return rv;
599 }
600
601 static char *
602 ssl3_DecodeContentType(int msgType)
603 {
604 char * rv;
605 static char line[40];
606
607 switch(msgType) {
608 case content_change_cipher_spec:
609 rv = "change_cipher_spec (20)"; break;
610 case content_alert: rv = "alert (21)"; break;
611 case content_handshake: rv = "handshake (22)"; break;
612 case content_application_data:
613 rv = "application_data (23)"; break;
614 default:
615 sprintf(line, "*UNKNOWN* record type! (%d)", msgType);
616 rv = line;
617 }
618 return rv;
619 }
620
621 #endif
622
623 SSL3Statistics *
624 SSL_GetStatistics(void)
625 {
626 return &ssl3stats;
627 }
628
629 typedef struct tooLongStr {
630 #if defined(IS_LITTLE_ENDIAN)
631 PRInt32 low;
632 PRInt32 high;
633 #else
634 PRInt32 high;
635 PRInt32 low;
636 #endif
637 } tooLong;
638
639 void SSL_AtomicIncrementLong(long * x)
640 {
641 if ((sizeof *x) == sizeof(PRInt32)) {
642 PR_ATOMIC_INCREMENT((PRInt32 *)x);
643 } else {
644 tooLong * tl = (tooLong *)x;
645 if (PR_ATOMIC_INCREMENT(&tl->low) == 0)
646 PR_ATOMIC_INCREMENT(&tl->high);
647 }
648 }
649
650 static PRBool
651 ssl3_CipherSuiteAllowedForVersionRange(
652 ssl3CipherSuite cipherSuite,
653 const SSLVersionRange *vrange)
654 {
655 switch (cipherSuite) {
656 /* See RFC 4346 A.5. Export cipher suites must not be used in TLS 1.1 or
657 * later. This set of cipher suites is similar to, but different from, the
658 * set of cipher suites considered exportable by SSL_IsExportCipherSuite.
659 */
660 case SSL_RSA_EXPORT_WITH_RC4_40_MD5:
661 case SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5:
662 /* SSL_RSA_EXPORT_WITH_DES40_CBC_SHA: never implemented
663 * SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA: never implemented
664 * SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA: never implemented
665 * SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA: never implemented
666 * SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA: never implemented
667 * SSL_DH_ANON_EXPORT_WITH_RC4_40_MD5: never implemented
668 * SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA: never implemented
669 */
670 return vrange->min <= SSL_LIBRARY_VERSION_TLS_1_0;
671 case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305:
672 case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305:
673 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
674 case TLS_RSA_WITH_AES_256_CBC_SHA256:
675 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
676 case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
677 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
678 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
679 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
680 case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
681 case TLS_RSA_WITH_AES_128_CBC_SHA256:
682 case TLS_RSA_WITH_AES_128_GCM_SHA256:
683 case TLS_RSA_WITH_NULL_SHA256:
684 return vrange->max >= SSL_LIBRARY_VERSION_TLS_1_2;
685 default:
686 return PR_TRUE;
687 }
688 }
689
690 /* return pointer to ssl3CipherSuiteDef for suite, or NULL */
691 /* XXX This does a linear search. A binary search would be better. */
692 static const ssl3CipherSuiteDef *
693 ssl_LookupCipherSuiteDef(ssl3CipherSuite suite)
694 {
695 int cipher_suite_def_len =
696 sizeof(cipher_suite_defs) / sizeof(cipher_suite_defs[0]);
697 int i;
698
699 for (i = 0; i < cipher_suite_def_len; i++) {
700 if (cipher_suite_defs[i].cipher_suite == suite)
701 return &cipher_suite_defs[i];
702 }
703 PORT_Assert(PR_FALSE); /* We should never get here. */
704 PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
705 return NULL;
706 }
707
708 /* Find the cipher configuration struct associate with suite */
709 /* XXX This does a linear search. A binary search would be better. */
710 static ssl3CipherSuiteCfg *
711 ssl_LookupCipherSuiteCfg(ssl3CipherSuite suite, ssl3CipherSuiteCfg *suites)
712 {
713 int i;
714
715 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
716 if (suites[i].cipher_suite == suite)
717 return &suites[i];
718 }
719 /* return NULL and let the caller handle it. */
720 PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
721 return NULL;
722 }
723
724
725 /* Initialize the suite->isPresent value for config_match
726 * Returns count of enabled ciphers supported by extant tokens,
727 * regardless of policy or user preference.
728 * If this returns zero, the user cannot do SSL v3.
729 */
730 int
731 ssl3_config_match_init(sslSocket *ss)
732 {
733 ssl3CipherSuiteCfg * suite;
734 const ssl3CipherSuiteDef *cipher_def;
735 SSLCipherAlgorithm cipher_alg;
736 CK_MECHANISM_TYPE cipher_mech;
737 SSL3KEAType exchKeyType;
738 int i;
739 int numPresent = 0;
740 int numEnabled = 0;
741 PRBool isServer;
742 sslServerCerts *svrAuth;
743
744 PORT_Assert(ss);
745 if (!ss) {
746 PORT_SetError(SEC_ERROR_INVALID_ARGS);
747 return 0;
748 }
749 if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
750 return 0;
751 }
752 isServer = (PRBool)(ss->sec.isServer != 0);
753
754 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
755 suite = &ss->cipherSuites[i];
756 if (suite->enabled) {
757 ++numEnabled;
758 /* We need the cipher defs to see if we have a token that can handle
759 * this cipher. It isn't part of the static definition.
760 */
761 cipher_def = ssl_LookupCipherSuiteDef(suite->cipher_suite);
762 if (!cipher_def) {
763 suite->isPresent = PR_FALSE;
764 continue;
765 }
766 cipher_alg = bulk_cipher_defs[cipher_def->bulk_cipher_alg].calg;
767 PORT_Assert( alg2Mech[cipher_alg].calg == cipher_alg);
768 cipher_mech = alg2Mech[cipher_alg].cmech;
769 exchKeyType =
770 kea_defs[cipher_def->key_exchange_alg].exchKeyType;
771 #ifndef NSS_ENABLE_ECC
772 svrAuth = ss->serverCerts + exchKeyType;
773 #else
774 /* XXX SSLKEAType isn't really a good choice for
775 * indexing certificates. It doesn't work for
776 * (EC)DHE-* ciphers. Here we use a hack to ensure
777 * that the server uses an RSA cert for (EC)DHE-RSA.
778 */
779 switch (cipher_def->key_exchange_alg) {
780 case kea_ecdhe_rsa:
781 #if NSS_SERVER_DHE_IMPLEMENTED
782 /* XXX NSS does not yet implement the server side of _DHE_
783 * cipher suites. Correcting the computation for svrAuth,
784 * as the case below does, causes NSS SSL servers to begin to
785 * negotiate cipher suites they do not implement. So, until
786 * server side _DHE_ is implemented, keep this disabled.
787 */
788 case kea_dhe_rsa:
789 #endif
790 svrAuth = ss->serverCerts + kt_rsa;
791 break;
792 case kea_ecdh_ecdsa:
793 case kea_ecdh_rsa:
794 /*
795 * XXX We ought to have different indices for
796 * ECDSA- and RSA-signed EC certificates so
797 * we could support both key exchange mechanisms
798 * simultaneously. For now, both of them use
799 * whatever is in the certificate slot for kt_ecdh
800 */
801 default:
802 svrAuth = ss->serverCerts + exchKeyType;
803 break;
804 }
805 #endif /* NSS_ENABLE_ECC */
806
807 /* Mark the suites that are backed by real tokens, certs and keys */
808 suite->isPresent = (PRBool)
809 (((exchKeyType == kt_null) ||
810 ((!isServer || (svrAuth->serverKeyPair &&
811 svrAuth->SERVERKEY &&
812 svrAuth->serverCertChain)) &&
813 PK11_TokenExists(kea_alg_defs[exchKeyType]))) &&
814 ((cipher_alg == calg_null) || PK11_TokenExists(cipher_mech)));
815 if (suite->isPresent)
816 ++numPresent;
817 }
818 }
819 PORT_Assert(numPresent > 0 || numEnabled == 0);
820 if (numPresent <= 0) {
821 PORT_SetError(SSL_ERROR_NO_CIPHERS_SUPPORTED);
822 }
823 return numPresent;
824 }
825
826
827 /* return PR_TRUE if suite matches policy, enabled state and is applicable to
828 * the given version range. */
829 /* It would be a REALLY BAD THING (tm) if we ever permitted the use
830 ** of a cipher that was NOT_ALLOWED. So, if this is ever called with
831 ** policy == SSL_NOT_ALLOWED, report no match.
832 */
833 /* adjust suite enabled to the availability of a token that can do the
834 * cipher suite. */
835 static PRBool
836 config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled,
837 const SSLVersionRange *vrange)
838 {
839 PORT_Assert(policy != SSL_NOT_ALLOWED && enabled != PR_FALSE);
840 if (policy == SSL_NOT_ALLOWED || !enabled)
841 return PR_FALSE;
842 return (PRBool)(suite->enabled &&
843 suite->isPresent &&
844 suite->policy != SSL_NOT_ALLOWED &&
845 suite->policy <= policy &&
846 ssl3_CipherSuiteAllowedForVersionRange(
847 suite->cipher_suite, vrange));
848 }
849
850 /* return number of cipher suites that match policy, enabled state and are
851 * applicable for the configured protocol version range. */
852 /* called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */
853 static int
854 count_cipher_suites(sslSocket *ss, int policy, PRBool enabled)
855 {
856 int i, count = 0;
857
858 if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
859 return 0;
860 }
861 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
862 if (config_match(&ss->cipherSuites[i], policy, enabled, &ss->vrange))
863 count++;
864 }
865 if (count <= 0) {
866 PORT_SetError(SSL_ERROR_SSL_DISABLED);
867 }
868 return count;
869 }
870
871 /*
872 * Null compression, mac and encryption functions
873 */
874
875 static SECStatus
876 Null_Cipher(void *ctx, unsigned char *output, int *outputLen, int maxOutputLen,
877 const unsigned char *input, int inputLen)
878 {
879 if (inputLen > maxOutputLen) {
880 *outputLen = 0; /* Match PK11_CipherOp in setting outputLen */
881 PORT_SetError(SEC_ERROR_OUTPUT_LEN);
882 return SECFailure;
883 }
884 *outputLen = inputLen;
885 if (input != output)
886 PORT_Memcpy(output, input, inputLen);
887 return SECSuccess;
888 }
889
890 /*
891 * SSL3 Utility functions
892 */
893
894 /* allowLargerPeerVersion controls whether the function will select the
895 * highest enabled SSL version or fail when peerVersion is greater than the
896 * highest enabled version.
897 *
898 * If allowLargerPeerVersion is true, peerVersion is the peer's highest
899 * enabled version rather than the peer's selected version.
900 */
901 SECStatus
902 ssl3_NegotiateVersion(sslSocket *ss, SSL3ProtocolVersion peerVersion,
903 PRBool allowLargerPeerVersion)
904 {
905 if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
906 PORT_SetError(SSL_ERROR_SSL_DISABLED);
907 return SECFailure;
908 }
909
910 if (peerVersion < ss->vrange.min ||
911 (peerVersion > ss->vrange.max && !allowLargerPeerVersion)) {
912 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
913 return SECFailure;
914 }
915
916 ss->version = PR_MIN(peerVersion, ss->vrange.max);
917 PORT_Assert(ssl3_VersionIsSupported(ss->protocolVariant, ss->version));
918
919 return SECSuccess;
920 }
921
922 static SECStatus
923 ssl3_GetNewRandom(SSL3Random *random)
924 {
925 SECStatus rv;
926
927 /* first 4 bytes are reserverd for time */
928 rv = PK11_GenerateRandom(random->rand, SSL3_RANDOM_LENGTH);
929 if (rv != SECSuccess) {
930 ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
931 }
932 return rv;
933 }
934
935 /* Called by ssl3_SendServerKeyExchange and ssl3_SendCertificateVerify */
936 SECStatus
937 ssl3_SignHashes(SSL3Hashes *hash, SECKEYPrivateKey *key, SECItem *buf,
938 PRBool isTLS)
939 {
940 SECStatus rv = SECFailure;
941 PRBool doDerEncode = PR_FALSE;
942 int signatureLen;
943 SECItem hashItem;
944
945 buf->data = NULL;
946
947 switch (key->keyType) {
948 case rsaKey:
949 hashItem.data = hash->u.raw;
950 hashItem.len = hash->len;
951 break;
952 case dsaKey:
953 doDerEncode = isTLS;
954 /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash.
955 * In that case, we use just the SHA1 part. */
956 if (hash->hashAlg == SEC_OID_UNKNOWN) {
957 hashItem.data = hash->u.s.sha;
958 hashItem.len = sizeof(hash->u.s.sha);
959 } else {
960 hashItem.data = hash->u.raw;
961 hashItem.len = hash->len;
962 }
963 break;
964 #ifdef NSS_ENABLE_ECC
965 case ecKey:
966 doDerEncode = PR_TRUE;
967 /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash.
968 * In that case, we use just the SHA1 part. */
969 if (hash->hashAlg == SEC_OID_UNKNOWN) {
970 hashItem.data = hash->u.s.sha;
971 hashItem.len = sizeof(hash->u.s.sha);
972 } else {
973 hashItem.data = hash->u.raw;
974 hashItem.len = hash->len;
975 }
976 break;
977 #endif /* NSS_ENABLE_ECC */
978 default:
979 PORT_SetError(SEC_ERROR_INVALID_KEY);
980 goto done;
981 }
982 PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len));
983
984 if (hash->hashAlg == SEC_OID_UNKNOWN) {
985 signatureLen = PK11_SignatureLen(key);
986 if (signatureLen <= 0) {
987 PORT_SetError(SEC_ERROR_INVALID_KEY);
988 goto done;
989 }
990
991 buf->len = (unsigned)signatureLen;
992 buf->data = (unsigned char *)PORT_Alloc(signatureLen);
993 if (!buf->data)
994 goto done; /* error code was set. */
995
996 rv = PK11_Sign(key, buf, &hashItem);
997 } else {
998 rv = SGN_Digest(key, hash->hashAlg, buf, &hashItem);
999 }
1000 if (rv != SECSuccess) {
1001 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE);
1002 } else if (doDerEncode) {
1003 SECItem derSig = {siBuffer, NULL, 0};
1004
1005 /* This also works for an ECDSA signature */
1006 rv = DSAU_EncodeDerSigWithLen(&derSig, buf, buf->len);
1007 if (rv == SECSuccess) {
1008 PORT_Free(buf->data); /* discard unencoded signature. */
1009 *buf = derSig; /* give caller encoded signature. */
1010 } else if (derSig.data) {
1011 PORT_Free(derSig.data);
1012 }
1013 }
1014
1015 PRINT_BUF(60, (NULL, "signed hashes", (unsigned char*)buf->data, buf->len));
1016 done:
1017 if (rv != SECSuccess && buf->data) {
1018 PORT_Free(buf->data);
1019 buf->data = NULL;
1020 }
1021 return rv;
1022 }
1023
1024 /* Called from ssl3_HandleServerKeyExchange, ssl3_HandleCertificateVerify */
1025 SECStatus
1026 ssl3_VerifySignedHashes(SSL3Hashes *hash, CERTCertificate *cert,
1027 SECItem *buf, PRBool isTLS, void *pwArg)
1028 {
1029 SECKEYPublicKey * key;
1030 SECItem * signature = NULL;
1031 SECStatus rv;
1032 SECItem hashItem;
1033 SECOidTag encAlg;
1034 SECOidTag hashAlg;
1035
1036
1037 PRINT_BUF(60, (NULL, "check signed hashes",
1038 buf->data, buf->len));
1039
1040 key = CERT_ExtractPublicKey(cert);
1041 if (key == NULL) {
1042 ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
1043 return SECFailure;
1044 }
1045
1046 hashAlg = hash->hashAlg;
1047 switch (key->keyType) {
1048 case rsaKey:
1049 encAlg = SEC_OID_PKCS1_RSA_ENCRYPTION;
1050 hashItem.data = hash->u.raw;
1051 hashItem.len = hash->len;
1052 break;
1053 case dsaKey:
1054 encAlg = SEC_OID_ANSIX9_DSA_SIGNATURE;
1055 /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash.
1056 * In that case, we use just the SHA1 part. */
1057 if (hash->hashAlg == SEC_OID_UNKNOWN) {
1058 hashItem.data = hash->u.s.sha;
1059 hashItem.len = sizeof(hash->u.s.sha);
1060 } else {
1061 hashItem.data = hash->u.raw;
1062 hashItem.len = hash->len;
1063 }
1064 /* Allow DER encoded DSA signatures in SSL 3.0 */
1065 if (isTLS || buf->len != SECKEY_SignatureLen(key)) {
1066 signature = DSAU_DecodeDerSigToLen(buf, SECKEY_SignatureLen(key));
1067 if (!signature) {
1068 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
1069 return SECFailure;
1070 }
1071 buf = signature;
1072 }
1073 break;
1074
1075 #ifdef NSS_ENABLE_ECC
1076 case ecKey:
1077 encAlg = SEC_OID_ANSIX962_EC_PUBLIC_KEY;
1078 /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash.
1079 * In that case, we use just the SHA1 part.
1080 * ECDSA signatures always encode the integers r and s using ASN.1
1081 * (unlike DSA where ASN.1 encoding is used with TLS but not with
1082 * SSL3). So we can use VFY_VerifyDigestDirect for ECDSA.
1083 */
1084 if (hash->hashAlg == SEC_OID_UNKNOWN) {
1085 hashAlg = SEC_OID_SHA1;
1086 hashItem.data = hash->u.s.sha;
1087 hashItem.len = sizeof(hash->u.s.sha);
1088 } else {
1089 hashItem.data = hash->u.raw;
1090 hashItem.len = hash->len;
1091 }
1092 break;
1093 #endif /* NSS_ENABLE_ECC */
1094
1095 default:
1096 SECKEY_DestroyPublicKey(key);
1097 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
1098 return SECFailure;
1099 }
1100
1101 PRINT_BUF(60, (NULL, "hash(es) to be verified",
1102 hashItem.data, hashItem.len));
1103
1104 if (hashAlg == SEC_OID_UNKNOWN || key->keyType == dsaKey) {
1105 /* VFY_VerifyDigestDirect requires DSA signatures to be DER-encoded.
1106 * DSA signatures are DER-encoded in TLS but not in SSL3 and the code
1107 * above always removes the DER encoding of DSA signatures when
1108 * present. Thus DSA signatures are always verified with PK11_Verify.
1109 */
1110 rv = PK11_Verify(key, buf, &hashItem, pwArg);
1111 } else {
1112 rv = VFY_VerifyDigestDirect(&hashItem, key, buf, encAlg, hashAlg,
1113 pwArg);
1114 }
1115 SECKEY_DestroyPublicKey(key);
1116 if (signature) {
1117 SECITEM_FreeItem(signature, PR_TRUE);
1118 }
1119 if (rv != SECSuccess) {
1120 ssl_MapLowLevelError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
1121 }
1122 return rv;
1123 }
1124
1125
1126 /* Caller must set hiLevel error code. */
1127 /* Called from ssl3_ComputeExportRSAKeyHash
1128 * ssl3_ComputeDHKeyHash
1129 * which are called from ssl3_HandleServerKeyExchange.
1130 *
1131 * hashAlg: either the OID for a hash algorithm or SEC_OID_UNKNOWN to specify
1132 * the pre-1.2, MD5/SHA1 combination hash.
1133 */
1134 SECStatus
1135 ssl3_ComputeCommonKeyHash(SECOidTag hashAlg,
1136 PRUint8 * hashBuf, unsigned int bufLen,
1137 SSL3Hashes *hashes, PRBool bypassPKCS11)
1138 {
1139 SECStatus rv = SECSuccess;
1140
1141 #ifndef NO_PKCS11_BYPASS
1142 if (bypassPKCS11) {
1143 if (hashAlg == SEC_OID_UNKNOWN) {
1144 MD5_HashBuf (hashes->u.s.md5, hashBuf, bufLen);
1145 SHA1_HashBuf(hashes->u.s.sha, hashBuf, bufLen);
1146 hashes->len = MD5_LENGTH + SHA1_LENGTH;
1147 } else if (hashAlg == SEC_OID_SHA1) {
1148 SHA1_HashBuf(hashes->u.raw, hashBuf, bufLen);
1149 hashes->len = SHA1_LENGTH;
1150 } else if (hashAlg == SEC_OID_SHA256) {
1151 SHA256_HashBuf(hashes->u.raw, hashBuf, bufLen);
1152 hashes->len = SHA256_LENGTH;
1153 } else if (hashAlg == SEC_OID_SHA384) {
1154 SHA384_HashBuf(hashes->u.raw, hashBuf, bufLen);
1155 hashes->len = SHA384_LENGTH;
1156 } else if (hashAlg == SEC_OID_SHA512) {
1157 SHA512_HashBuf(hashes->u.raw, hashBuf, bufLen);
1158 hashes->len = SHA512_LENGTH;
1159 } else {
1160 PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
1161 return SECFailure;
1162 }
1163 } else
1164 #endif
1165 {
1166 if (hashAlg == SEC_OID_UNKNOWN) {
1167 rv = PK11_HashBuf(SEC_OID_MD5, hashes->u.s.md5, hashBuf, bufLen);
1168 if (rv != SECSuccess) {
1169 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
1170 rv = SECFailure;
1171 goto done;
1172 }
1173
1174 rv = PK11_HashBuf(SEC_OID_SHA1, hashes->u.s.sha, hashBuf, bufLen);
1175 if (rv != SECSuccess) {
1176 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
1177 rv = SECFailure;
1178 }
1179 hashes->len = MD5_LENGTH + SHA1_LENGTH;
1180 } else {
1181 hashes->len = HASH_ResultLenByOidTag(hashAlg);
1182 if (hashes->len > sizeof(hashes->u.raw)) {
1183 ssl_MapLowLevelError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
1184 rv = SECFailure;
1185 goto done;
1186 }
1187 rv = PK11_HashBuf(hashAlg, hashes->u.raw, hashBuf, bufLen);
1188 if (rv != SECSuccess) {
1189 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
1190 rv = SECFailure;
1191 }
1192 }
1193 }
1194 hashes->hashAlg = hashAlg;
1195
1196 done:
1197 return rv;
1198 }
1199
1200 /* Caller must set hiLevel error code.
1201 ** Called from ssl3_SendServerKeyExchange and
1202 ** ssl3_HandleServerKeyExchange.
1203 */
1204 static SECStatus
1205 ssl3_ComputeExportRSAKeyHash(SECOidTag hashAlg,
1206 SECItem modulus, SECItem publicExponent,
1207 SSL3Random *client_rand, SSL3Random *server_rand,
1208 SSL3Hashes *hashes, PRBool bypassPKCS11)
1209 {
1210 PRUint8 * hashBuf;
1211 PRUint8 * pBuf;
1212 SECStatus rv = SECSuccess;
1213 unsigned int bufLen;
1214 PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8];
1215
1216 bufLen = 2*SSL3_RANDOM_LENGTH + 2 + modulus.len + 2 + publicExponent.len;
1217 if (bufLen <= sizeof buf) {
1218 hashBuf = buf;
1219 } else {
1220 hashBuf = PORT_Alloc(bufLen);
1221 if (!hashBuf) {
1222 return SECFailure;
1223 }
1224 }
1225
1226 memcpy(hashBuf, client_rand, SSL3_RANDOM_LENGTH);
1227 pBuf = hashBuf + SSL3_RANDOM_LENGTH;
1228 memcpy(pBuf, server_rand, SSL3_RANDOM_LENGTH);
1229 pBuf += SSL3_RANDOM_LENGTH;
1230 pBuf[0] = (PRUint8)(modulus.len >> 8);
1231 pBuf[1] = (PRUint8)(modulus.len);
1232 pBuf += 2;
1233 memcpy(pBuf, modulus.data, modulus.len);
1234 pBuf += modulus.len;
1235 pBuf[0] = (PRUint8)(publicExponent.len >> 8);
1236 pBuf[1] = (PRUint8)(publicExponent.len);
1237 pBuf += 2;
1238 memcpy(pBuf, publicExponent.data, publicExponent.len);
1239 pBuf += publicExponent.len;
1240 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen);
1241
1242 rv = ssl3_ComputeCommonKeyHash(hashAlg, hashBuf, bufLen, hashes,
1243 bypassPKCS11);
1244
1245 PRINT_BUF(95, (NULL, "RSAkey hash: ", hashBuf, bufLen));
1246 if (hashAlg == SEC_OID_UNKNOWN) {
1247 PRINT_BUF(95, (NULL, "RSAkey hash: MD5 result",
1248 hashes->u.s.md5, MD5_LENGTH));
1249 PRINT_BUF(95, (NULL, "RSAkey hash: SHA1 result",
1250 hashes->u.s.sha, SHA1_LENGTH));
1251 } else {
1252 PRINT_BUF(95, (NULL, "RSAkey hash: result",
1253 hashes->u.raw, hashes->len));
1254 }
1255
1256 if (hashBuf != buf && hashBuf != NULL)
1257 PORT_Free(hashBuf);
1258 return rv;
1259 }
1260
1261 /* Caller must set hiLevel error code. */
1262 /* Called from ssl3_HandleServerKeyExchange. */
1263 static SECStatus
1264 ssl3_ComputeDHKeyHash(SECOidTag hashAlg,
1265 SECItem dh_p, SECItem dh_g, SECItem dh_Ys,
1266 SSL3Random *client_rand, SSL3Random *server_rand,
1267 SSL3Hashes *hashes, PRBool bypassPKCS11)
1268 {
1269 PRUint8 * hashBuf;
1270 PRUint8 * pBuf;
1271 SECStatus rv = SECSuccess;
1272 unsigned int bufLen;
1273 PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8];
1274
1275 bufLen = 2*SSL3_RANDOM_LENGTH + 2 + dh_p.len + 2 + dh_g.len + 2 + dh_Ys.len;
1276 if (bufLen <= sizeof buf) {
1277 hashBuf = buf;
1278 } else {
1279 hashBuf = PORT_Alloc(bufLen);
1280 if (!hashBuf) {
1281 return SECFailure;
1282 }
1283 }
1284
1285 memcpy(hashBuf, client_rand, SSL3_RANDOM_LENGTH);
1286 pBuf = hashBuf + SSL3_RANDOM_LENGTH;
1287 memcpy(pBuf, server_rand, SSL3_RANDOM_LENGTH);
1288 pBuf += SSL3_RANDOM_LENGTH;
1289 pBuf[0] = (PRUint8)(dh_p.len >> 8);
1290 pBuf[1] = (PRUint8)(dh_p.len);
1291 pBuf += 2;
1292 memcpy(pBuf, dh_p.data, dh_p.len);
1293 pBuf += dh_p.len;
1294 pBuf[0] = (PRUint8)(dh_g.len >> 8);
1295 pBuf[1] = (PRUint8)(dh_g.len);
1296 pBuf += 2;
1297 memcpy(pBuf, dh_g.data, dh_g.len);
1298 pBuf += dh_g.len;
1299 pBuf[0] = (PRUint8)(dh_Ys.len >> 8);
1300 pBuf[1] = (PRUint8)(dh_Ys.len);
1301 pBuf += 2;
1302 memcpy(pBuf, dh_Ys.data, dh_Ys.len);
1303 pBuf += dh_Ys.len;
1304 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen);
1305
1306 rv = ssl3_ComputeCommonKeyHash(hashAlg, hashBuf, bufLen, hashes,
1307 bypassPKCS11);
1308
1309 PRINT_BUF(95, (NULL, "DHkey hash: ", hashBuf, bufLen));
1310 if (hashAlg == SEC_OID_UNKNOWN) {
1311 PRINT_BUF(95, (NULL, "DHkey hash: MD5 result",
1312 hashes->u.s.md5, MD5_LENGTH));
1313 PRINT_BUF(95, (NULL, "DHkey hash: SHA1 result",
1314 hashes->u.s.sha, SHA1_LENGTH));
1315 } else {
1316 PRINT_BUF(95, (NULL, "DHkey hash: result",
1317 hashes->u.raw, hashes->len));
1318 }
1319
1320 if (hashBuf != buf && hashBuf != NULL)
1321 PORT_Free(hashBuf);
1322 return rv;
1323 }
1324
1325 static void
1326 ssl3_BumpSequenceNumber(SSL3SequenceNumber *num)
1327 {
1328 num->low++;
1329 if (num->low == 0)
1330 num->high++;
1331 }
1332
1333 /* Called twice, only from ssl3_DestroyCipherSpec (immediately below). */
1334 static void
1335 ssl3_CleanupKeyMaterial(ssl3KeyMaterial *mat)
1336 {
1337 if (mat->write_key != NULL) {
1338 PK11_FreeSymKey(mat->write_key);
1339 mat->write_key = NULL;
1340 }
1341 if (mat->write_mac_key != NULL) {
1342 PK11_FreeSymKey(mat->write_mac_key);
1343 mat->write_mac_key = NULL;
1344 }
1345 if (mat->write_mac_context != NULL) {
1346 PK11_DestroyContext(mat->write_mac_context, PR_TRUE);
1347 mat->write_mac_context = NULL;
1348 }
1349 }
1350
1351 /* Called from ssl3_SendChangeCipherSpecs() and
1352 ** ssl3_HandleChangeCipherSpecs()
1353 ** ssl3_DestroySSL3Info
1354 ** Caller must hold SpecWriteLock.
1355 */
1356 void
1357 ssl3_DestroyCipherSpec(ssl3CipherSpec *spec, PRBool freeSrvName)
1358 {
1359 PRBool freeit = (PRBool)(!spec->bypassCiphers);
1360 /* PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); Don't have ss! * /
1361 if (spec->destroy) {
1362 spec->destroy(spec->encodeContext, freeit);
1363 spec->destroy(spec->decodeContext, freeit);
1364 spec->encodeContext = NULL; /* paranoia */
1365 spec->decodeContext = NULL;
1366 }
1367 if (spec->destroyCompressContext && spec->compressContext) {
1368 spec->destroyCompressContext(spec->compressContext, 1);
1369 spec->compressContext = NULL;
1370 }
1371 if (spec->destroyDecompressContext && spec->decompressContext) {
1372 spec->destroyDecompressContext(spec->decompressContext, 1);
1373 spec->decompressContext = NULL;
1374 }
1375 if (freeSrvName && spec->srvVirtName.data) {
1376 SECITEM_FreeItem(&spec->srvVirtName, PR_FALSE);
1377 }
1378 if (spec->master_secret != NULL) {
1379 PK11_FreeSymKey(spec->master_secret);
1380 spec->master_secret = NULL;
1381 }
1382 spec->msItem.data = NULL;
1383 spec->msItem.len = 0;
1384 ssl3_CleanupKeyMaterial(&spec->client);
1385 ssl3_CleanupKeyMaterial(&spec->server);
1386 spec->bypassCiphers = PR_FALSE;
1387 spec->destroy=NULL;
1388 spec->destroyCompressContext = NULL;
1389 spec->destroyDecompressContext = NULL;
1390 }
1391
1392 /* Fill in the pending cipher spec with info from the selected ciphersuite.
1393 ** This is as much initialization as we can do without having key material.
1394 ** Called from ssl3_HandleServerHello(), ssl3_SendServerHello()
1395 ** Caller must hold the ssl3 handshake lock.
1396 ** Acquires & releases SpecWriteLock.
1397 */
1398 static SECStatus
1399 ssl3_SetupPendingCipherSpec(sslSocket *ss)
1400 {
1401 ssl3CipherSpec * pwSpec;
1402 ssl3CipherSpec * cwSpec;
1403 ssl3CipherSuite suite = ss->ssl3.hs.cipher_suite;
1404 SSL3MACAlgorithm mac;
1405 SSL3BulkCipher cipher;
1406 SSL3KeyExchangeAlgorithm kea;
1407 const ssl3CipherSuiteDef *suite_def;
1408 PRBool isTLS;
1409
1410 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
1411
1412 ssl_GetSpecWriteLock(ss); /*******************************/
1413
1414 pwSpec = ss->ssl3.pwSpec;
1415 PORT_Assert(pwSpec == ss->ssl3.prSpec);
1416
1417 /* This hack provides maximal interoperability with SSL 3 servers. */
1418 cwSpec = ss->ssl3.cwSpec;
1419 if (cwSpec->mac_def->mac == mac_null) {
1420 /* SSL records are not being MACed. */
1421 cwSpec->version = ss->version;
1422 }
1423
1424 pwSpec->version = ss->version;
1425 isTLS = (PRBool)(pwSpec->version > SSL_LIBRARY_VERSION_3_0);
1426
1427 SSL_TRC(3, ("%d: SSL3[%d]: Set XXX Pending Cipher Suite to 0x%04x",
1428 SSL_GETPID(), ss->fd, suite));
1429
1430 suite_def = ssl_LookupCipherSuiteDef(suite);
1431 if (suite_def == NULL) {
1432 ssl_ReleaseSpecWriteLock(ss);
1433 return SECFailure; /* error code set by ssl_LookupCipherSuiteDef */
1434 }
1435
1436 if (IS_DTLS(ss)) {
1437 /* Double-check that we did not pick an RC4 suite */
1438 PORT_Assert((suite_def->bulk_cipher_alg != cipher_rc4) &&
1439 (suite_def->bulk_cipher_alg != cipher_rc4_40) &&
1440 (suite_def->bulk_cipher_alg != cipher_rc4_56));
1441 }
1442
1443 cipher = suite_def->bulk_cipher_alg;
1444 kea = suite_def->key_exchange_alg;
1445 mac = suite_def->mac_alg;
1446 if (mac <= ssl_mac_sha && mac != ssl_mac_null && isTLS)
1447 mac += 2;
1448
1449 ss->ssl3.hs.suite_def = suite_def;
1450 ss->ssl3.hs.kea_def = &kea_defs[kea];
1451 PORT_Assert(ss->ssl3.hs.kea_def->kea == kea);
1452
1453 pwSpec->cipher_def = &bulk_cipher_defs[cipher];
1454 PORT_Assert(pwSpec->cipher_def->cipher == cipher);
1455
1456 pwSpec->mac_def = &mac_defs[mac];
1457 PORT_Assert(pwSpec->mac_def->mac == mac);
1458
1459 ss->sec.keyBits = pwSpec->cipher_def->key_size * BPB;
1460 ss->sec.secretKeyBits = pwSpec->cipher_def->secret_key_size * BPB;
1461 ss->sec.cipherType = cipher;
1462
1463 pwSpec->encodeContext = NULL;
1464 pwSpec->decodeContext = NULL;
1465
1466 pwSpec->mac_size = pwSpec->mac_def->mac_size;
1467
1468 pwSpec->compression_method = ss->ssl3.hs.compression;
1469 pwSpec->compressContext = NULL;
1470 pwSpec->decompressContext = NULL;
1471
1472 ssl_ReleaseSpecWriteLock(ss); /*******************************/
1473 return SECSuccess;
1474 }
1475
1476 #ifdef NSS_ENABLE_ZLIB
1477 #define SSL3_DEFLATE_CONTEXT_SIZE sizeof(z_stream)
1478
1479 static SECStatus
1480 ssl3_MapZlibError(int zlib_error)
1481 {
1482 switch (zlib_error) {
1483 case Z_OK:
1484 return SECSuccess;
1485 default:
1486 return SECFailure;
1487 }
1488 }
1489
1490 static SECStatus
1491 ssl3_DeflateInit(void *void_context)
1492 {
1493 z_stream *context = void_context;
1494 context->zalloc = NULL;
1495 context->zfree = NULL;
1496 context->opaque = NULL;
1497
1498 return ssl3_MapZlibError(deflateInit(context, Z_DEFAULT_COMPRESSION));
1499 }
1500
1501 static SECStatus
1502 ssl3_InflateInit(void *void_context)
1503 {
1504 z_stream *context = void_context;
1505 context->zalloc = NULL;
1506 context->zfree = NULL;
1507 context->opaque = NULL;
1508 context->next_in = NULL;
1509 context->avail_in = 0;
1510
1511 return ssl3_MapZlibError(inflateInit(context));
1512 }
1513
1514 static SECStatus
1515 ssl3_DeflateCompress(void *void_context, unsigned char *out, int *out_len,
1516 int maxout, const unsigned char *in, int inlen)
1517 {
1518 z_stream *context = void_context;
1519
1520 if (!inlen) {
1521 *out_len = 0;
1522 return SECSuccess;
1523 }
1524
1525 context->next_in = (unsigned char*) in;
1526 context->avail_in = inlen;
1527 context->next_out = out;
1528 context->avail_out = maxout;
1529 if (deflate(context, Z_SYNC_FLUSH) != Z_OK) {
1530 return SECFailure;
1531 }
1532 if (context->avail_out == 0) {
1533 /* We ran out of space! */
1534 SSL_TRC(3, ("%d: SSL3[%d] Ran out of buffer while compressing",
1535 SSL_GETPID()));
1536 return SECFailure;
1537 }
1538
1539 *out_len = maxout - context->avail_out;
1540 return SECSuccess;
1541 }
1542
1543 static SECStatus
1544 ssl3_DeflateDecompress(void *void_context, unsigned char *out, int *out_len,
1545 int maxout, const unsigned char *in, int inlen)
1546 {
1547 z_stream *context = void_context;
1548
1549 if (!inlen) {
1550 *out_len = 0;
1551 return SECSuccess;
1552 }
1553
1554 context->next_in = (unsigned char*) in;
1555 context->avail_in = inlen;
1556 context->next_out = out;
1557 context->avail_out = maxout;
1558 if (inflate(context, Z_SYNC_FLUSH) != Z_OK) {
1559 PORT_SetError(SSL_ERROR_DECOMPRESSION_FAILURE);
1560 return SECFailure;
1561 }
1562
1563 *out_len = maxout - context->avail_out;
1564 return SECSuccess;
1565 }
1566
1567 static SECStatus
1568 ssl3_DestroyCompressContext(void *void_context, PRBool unused)
1569 {
1570 deflateEnd(void_context);
1571 PORT_Free(void_context);
1572 return SECSuccess;
1573 }
1574
1575 static SECStatus
1576 ssl3_DestroyDecompressContext(void *void_context, PRBool unused)
1577 {
1578 inflateEnd(void_context);
1579 PORT_Free(void_context);
1580 return SECSuccess;
1581 }
1582
1583 #endif /* NSS_ENABLE_ZLIB */
1584
1585 /* Initialize the compression functions and contexts for the given
1586 * CipherSpec. */
1587 static SECStatus
1588 ssl3_InitCompressionContext(ssl3CipherSpec *pwSpec)
1589 {
1590 /* Setup the compression functions */
1591 switch (pwSpec->compression_method) {
1592 case ssl_compression_null:
1593 pwSpec->compressor = NULL;
1594 pwSpec->decompressor = NULL;
1595 pwSpec->compressContext = NULL;
1596 pwSpec->decompressContext = NULL;
1597 pwSpec->destroyCompressContext = NULL;
1598 pwSpec->destroyDecompressContext = NULL;
1599 break;
1600 #ifdef NSS_ENABLE_ZLIB
1601 case ssl_compression_deflate:
1602 pwSpec->compressor = ssl3_DeflateCompress;
1603 pwSpec->decompressor = ssl3_DeflateDecompress;
1604 pwSpec->compressContext = PORT_Alloc(SSL3_DEFLATE_CONTEXT_SIZE);
1605 pwSpec->decompressContext = PORT_Alloc(SSL3_DEFLATE_CONTEXT_SIZE);
1606 pwSpec->destroyCompressContext = ssl3_DestroyCompressContext;
1607 pwSpec->destroyDecompressContext = ssl3_DestroyDecompressContext;
1608 ssl3_DeflateInit(pwSpec->compressContext);
1609 ssl3_InflateInit(pwSpec->decompressContext);
1610 break;
1611 #endif /* NSS_ENABLE_ZLIB */
1612 default:
1613 PORT_Assert(0);
1614 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1615 return SECFailure;
1616 }
1617
1618 return SECSuccess;
1619 }
1620
1621 #ifndef NO_PKCS11_BYPASS
1622 /* Initialize encryption contexts for pending spec.
1623 * MAC contexts are set up when computing the mac, not here.
1624 * Master Secret already is derived in spec->msItem
1625 * Caller holds Spec write lock.
1626 */
1627 static SECStatus
1628 ssl3_InitPendingContextsBypass(sslSocket *ss)
1629 {
1630 ssl3CipherSpec * pwSpec;
1631 const ssl3BulkCipherDef *cipher_def;
1632 void * serverContext = NULL;
1633 void * clientContext = NULL;
1634 BLapiInitContextFunc initFn = (BLapiInitContextFunc)NULL;
1635 int mode = 0;
1636 unsigned int optArg1 = 0;
1637 unsigned int optArg2 = 0;
1638 PRBool server_encrypts = ss->sec.isServer;
1639 SSLCipherAlgorithm calg;
1640 SECStatus rv;
1641
1642 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
1643 PORT_Assert(ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
1644 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
1645
1646 pwSpec = ss->ssl3.pwSpec;
1647 cipher_def = pwSpec->cipher_def;
1648
1649 calg = cipher_def->calg;
1650
1651 if (calg == ssl_calg_aes_gcm) {
1652 pwSpec->encode = NULL;
1653 pwSpec->decode = NULL;
1654 pwSpec->destroy = NULL;
1655 pwSpec->encodeContext = NULL;
1656 pwSpec->decodeContext = NULL;
1657 pwSpec->aead = ssl3_AESGCMBypass;
1658 ssl3_InitCompressionContext(pwSpec);
1659 return SECSuccess;
1660 }
1661
1662 serverContext = pwSpec->server.cipher_context;
1663 clientContext = pwSpec->client.cipher_context;
1664
1665 switch (calg) {
1666 case ssl_calg_null:
1667 pwSpec->encode = Null_Cipher;
1668 pwSpec->decode = Null_Cipher;
1669 pwSpec->destroy = NULL;
1670 goto success;
1671
1672 case ssl_calg_rc4:
1673 initFn = (BLapiInitContextFunc)RC4_InitContext;
1674 pwSpec->encode = (SSLCipher) RC4_Encrypt;
1675 pwSpec->decode = (SSLCipher) RC4_Decrypt;
1676 pwSpec->destroy = (SSLDestroy) RC4_DestroyContext;
1677 break;
1678 case ssl_calg_rc2:
1679 initFn = (BLapiInitContextFunc)RC2_InitContext;
1680 mode = NSS_RC2_CBC;
1681 optArg1 = cipher_def->key_size;
1682 pwSpec->encode = (SSLCipher) RC2_Encrypt;
1683 pwSpec->decode = (SSLCipher) RC2_Decrypt;
1684 pwSpec->destroy = (SSLDestroy) RC2_DestroyContext;
1685 break;
1686 case ssl_calg_des:
1687 initFn = (BLapiInitContextFunc)DES_InitContext;
1688 mode = NSS_DES_CBC;
1689 optArg1 = server_encrypts;
1690 pwSpec->encode = (SSLCipher) DES_Encrypt;
1691 pwSpec->decode = (SSLCipher) DES_Decrypt;
1692 pwSpec->destroy = (SSLDestroy) DES_DestroyContext;
1693 break;
1694 case ssl_calg_3des:
1695 initFn = (BLapiInitContextFunc)DES_InitContext;
1696 mode = NSS_DES_EDE3_CBC;
1697 optArg1 = server_encrypts;
1698 pwSpec->encode = (SSLCipher) DES_Encrypt;
1699 pwSpec->decode = (SSLCipher) DES_Decrypt;
1700 pwSpec->destroy = (SSLDestroy) DES_DestroyContext;
1701 break;
1702 case ssl_calg_aes:
1703 initFn = (BLapiInitContextFunc)AES_InitContext;
1704 mode = NSS_AES_CBC;
1705 optArg1 = server_encrypts;
1706 optArg2 = AES_BLOCK_SIZE;
1707 pwSpec->encode = (SSLCipher) AES_Encrypt;
1708 pwSpec->decode = (SSLCipher) AES_Decrypt;
1709 pwSpec->destroy = (SSLDestroy) AES_DestroyContext;
1710 break;
1711
1712 case ssl_calg_camellia:
1713 initFn = (BLapiInitContextFunc)Camellia_InitContext;
1714 mode = NSS_CAMELLIA_CBC;
1715 optArg1 = server_encrypts;
1716 optArg2 = CAMELLIA_BLOCK_SIZE;
1717 pwSpec->encode = (SSLCipher) Camellia_Encrypt;
1718 pwSpec->decode = (SSLCipher) Camellia_Decrypt;
1719 pwSpec->destroy = (SSLDestroy) Camellia_DestroyContext;
1720 break;
1721
1722 case ssl_calg_seed:
1723 initFn = (BLapiInitContextFunc)SEED_InitContext;
1724 mode = NSS_SEED_CBC;
1725 optArg1 = server_encrypts;
1726 optArg2 = SEED_BLOCK_SIZE;
1727 pwSpec->encode = (SSLCipher) SEED_Encrypt;
1728 pwSpec->decode = (SSLCipher) SEED_Decrypt;
1729 pwSpec->destroy = (SSLDestroy) SEED_DestroyContext;
1730 break;
1731
1732 case ssl_calg_idea:
1733 case ssl_calg_fortezza :
1734 default:
1735 PORT_Assert(0);
1736 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1737 goto bail_out;
1738 }
1739 rv = (*initFn)(serverContext,
1740 pwSpec->server.write_key_item.data,
1741 pwSpec->server.write_key_item.len,
1742 pwSpec->server.write_iv_item.data,
1743 mode, optArg1, optArg2);
1744 if (rv != SECSuccess) {
1745 PORT_Assert(0);
1746 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1747 goto bail_out;
1748 }
1749
1750 switch (calg) {
1751 case ssl_calg_des:
1752 case ssl_calg_3des:
1753 case ssl_calg_aes:
1754 case ssl_calg_camellia:
1755 case ssl_calg_seed:
1756 /* For block ciphers, if the server is encrypting, then the client
1757 * is decrypting, and vice versa.
1758 */
1759 optArg1 = !optArg1;
1760 break;
1761 /* kill warnings. */
1762 case ssl_calg_null:
1763 case ssl_calg_rc4:
1764 case ssl_calg_rc2:
1765 case ssl_calg_idea:
1766 case ssl_calg_fortezza:
1767 case ssl_calg_aes_gcm:
1768 break;
1769 }
1770
1771 rv = (*initFn)(clientContext,
1772 pwSpec->client.write_key_item.data,
1773 pwSpec->client.write_key_item.len,
1774 pwSpec->client.write_iv_item.data,
1775 mode, optArg1, optArg2);
1776 if (rv != SECSuccess) {
1777 PORT_Assert(0);
1778 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1779 goto bail_out;
1780 }
1781
1782 pwSpec->encodeContext = (ss->sec.isServer) ? serverContext : clientContext;
1783 pwSpec->decodeContext = (ss->sec.isServer) ? clientContext : serverContext;
1784
1785 ssl3_InitCompressionContext(pwSpec);
1786
1787 success:
1788 return SECSuccess;
1789
1790 bail_out:
1791 return SECFailure;
1792 }
1793 #endif
1794
1795 /* This function should probably be moved to pk11wrap and be named
1796 * PK11_ParamFromIVAndEffectiveKeyBits
1797 */
1798 static SECItem *
1799 ssl3_ParamFromIV(CK_MECHANISM_TYPE mtype, SECItem *iv, CK_ULONG ulEffectiveBits)
1800 {
1801 SECItem * param = PK11_ParamFromIV(mtype, iv);
1802 if (param && param->data && param->len >= sizeof(CK_RC2_PARAMS)) {
1803 switch (mtype) {
1804 case CKM_RC2_KEY_GEN:
1805 case CKM_RC2_ECB:
1806 case CKM_RC2_CBC:
1807 case CKM_RC2_MAC:
1808 case CKM_RC2_MAC_GENERAL:
1809 case CKM_RC2_CBC_PAD:
1810 *(CK_RC2_PARAMS *)param->data = ulEffectiveBits;
1811 default: break;
1812 }
1813 }
1814 return param;
1815 }
1816
1817 /* ssl3_BuildRecordPseudoHeader writes the SSL/TLS pseudo-header (the data
1818 * which is included in the MAC or AEAD additional data) to |out| and returns
1819 * its length. See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the
1820 * definition of the AEAD additional data.
1821 *
1822 * TLS pseudo-header includes the record's version field, SSL's doesn't. Which
1823 * pseudo-header defintiion to use should be decided based on the version of
1824 * the protocol that was negotiated when the cipher spec became current, NOT
1825 * based on the version value in the record itself, and the decision is passed
1826 * to this function as the |includesVersion| argument. But, the |version|
1827 * argument should be the record's version value.
1828 */
1829 static unsigned int
1830 ssl3_BuildRecordPseudoHeader(unsigned char *out,
1831 SSL3SequenceNumber seq_num,
1832 SSL3ContentType type,
1833 PRBool includesVersion,
1834 SSL3ProtocolVersion version,
1835 PRBool isDTLS,
1836 int length)
1837 {
1838 out[0] = (unsigned char)(seq_num.high >> 24);
1839 out[1] = (unsigned char)(seq_num.high >> 16);
1840 out[2] = (unsigned char)(seq_num.high >> 8);
1841 out[3] = (unsigned char)(seq_num.high >> 0);
1842 out[4] = (unsigned char)(seq_num.low >> 24);
1843 out[5] = (unsigned char)(seq_num.low >> 16);
1844 out[6] = (unsigned char)(seq_num.low >> 8);
1845 out[7] = (unsigned char)(seq_num.low >> 0);
1846 out[8] = type;
1847
1848 /* SSL3 MAC doesn't include the record's version field. */
1849 if (!includesVersion) {
1850 out[9] = MSB(length);
1851 out[10] = LSB(length);
1852 return 11;
1853 }
1854
1855 /* TLS MAC and AEAD additional data include version. */
1856 if (isDTLS) {
1857 SSL3ProtocolVersion dtls_version;
1858
1859 dtls_version = dtls_TLSVersionToDTLSVersion(version);
1860 out[9] = MSB(dtls_version);
1861 out[10] = LSB(dtls_version);
1862 } else {
1863 out[9] = MSB(version);
1864 out[10] = LSB(version);
1865 }
1866 out[11] = MSB(length);
1867 out[12] = LSB(length);
1868 return 13;
1869 }
1870
1871 typedef SECStatus (*PK11CryptFcn)(
1872 PK11SymKey *symKey, CK_MECHANISM_TYPE mechanism, SECItem *param,
1873 unsigned char *out, unsigned int *outLen, unsigned int maxLen,
1874 const unsigned char *in, unsigned int inLen);
1875
1876 static PK11CryptFcn pk11_encrypt = NULL;
1877 static PK11CryptFcn pk11_decrypt = NULL;
1878
1879 static PRCallOnceType resolvePK11CryptOnce;
1880
1881 static PRStatus
1882 ssl3_ResolvePK11CryptFunctions(void)
1883 {
1884 #ifdef LINUX
1885 /* On Linux we use the system NSS libraries. Look up the PK11_Encrypt and
1886 * PK11_Decrypt functions at run time. */
1887 void *handle = dlopen(NULL, RTLD_LAZY);
1888 if (!handle) {
1889 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1890 return PR_FAILURE;
1891 }
1892 pk11_encrypt = (PK11CryptFcn)dlsym(handle, "PK11_Encrypt");
1893 pk11_decrypt = (PK11CryptFcn)dlsym(handle, "PK11_Decrypt");
1894 dlclose(handle);
1895 return PR_SUCCESS;
1896 #else
1897 /* On other platforms we use our own copy of NSS. PK11_Encrypt and
1898 * PK11_Decrypt are known to be available. */
1899 pk11_encrypt = PK11_Encrypt;
1900 pk11_decrypt = PK11_Decrypt;
1901 return PR_SUCCESS;
1902 #endif
1903 }
1904
1905 /*
1906 * In NSS 3.15, PK11_Encrypt and PK11_Decrypt were added to provide access
1907 * to the AES GCM implementation in the NSS softoken. So the presence of
1908 * these two functions implies the NSS version supports AES GCM.
1909 */
1910 static PRBool
1911 ssl3_HasGCMSupport(void)
1912 {
1913 (void)PR_CallOnce(&resolvePK11CryptOnce, ssl3_ResolvePK11CryptFunctions);
1914 return pk11_encrypt != NULL;
1915 }
1916
1917 /* On this socket, disable the GCM cipher suites */
1918 SECStatus
1919 ssl3_DisableGCMSuites(sslSocket * ss)
1920 {
1921 unsigned int i;
1922
1923 for (i = 0; i < PR_ARRAY_SIZE(cipher_suite_defs); i++) {
1924 const ssl3CipherSuiteDef *cipher_def = &cipher_suite_defs[i];
1925 if (cipher_def->bulk_cipher_alg == cipher_aes_128_gcm) {
1926 SECStatus rv = ssl3_CipherPrefSet(ss, cipher_def->cipher_suite,
1927 PR_FALSE);
1928 PORT_Assert(rv == SECSuccess); /* else is coding error */
1929 }
1930 }
1931 return SECSuccess;
1932 }
1933
1934 static SECStatus
1935 ssl3_AESGCM(ssl3KeyMaterial *keys,
1936 PRBool doDecrypt,
1937 unsigned char *out,
1938 int *outlen,
1939 int maxout,
1940 const unsigned char *in,
1941 int inlen,
1942 const unsigned char *additionalData,
1943 int additionalDataLen)
1944 {
1945 SECItem param;
1946 SECStatus rv = SECFailure;
1947 unsigned char nonce[12];
1948 unsigned int uOutLen;
1949 CK_GCM_PARAMS gcmParams;
1950
1951 static const int tagSize = 16;
1952 static const int explicitNonceLen = 8;
1953
1954 /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the
1955 * nonce is formed. */
1956 memcpy(nonce, keys->write_iv, 4);
1957 if (doDecrypt) {
1958 memcpy(nonce + 4, in, explicitNonceLen);
1959 in += explicitNonceLen;
1960 inlen -= explicitNonceLen;
1961 *outlen = 0;
1962 } else {
1963 if (maxout < explicitNonceLen) {
1964 PORT_SetError(SEC_ERROR_INPUT_LEN);
1965 return SECFailure;
1966 }
1967 /* Use the 64-bit sequence number as the explicit nonce. */
1968 memcpy(nonce + 4, additionalData, explicitNonceLen);
1969 memcpy(out, additionalData, explicitNonceLen);
1970 out += explicitNonceLen;
1971 maxout -= explicitNonceLen;
1972 *outlen = explicitNonceLen;
1973 }
1974
1975 param.type = siBuffer;
1976 param.data = (unsigned char *) &gcmParams;
1977 param.len = sizeof(gcmParams);
1978 gcmParams.pIv = nonce;
1979 gcmParams.ulIvLen = sizeof(nonce);
1980 gcmParams.pAAD = (unsigned char *)additionalData; /* const cast */
1981 gcmParams.ulAADLen = additionalDataLen;
1982 gcmParams.ulTagBits = tagSize * 8;
1983
1984 if (doDecrypt) {
1985 rv = pk11_decrypt(keys->write_key, CKM_AES_GCM, &param, out, &uOutLen,
1986 maxout, in, inlen);
1987 } else {
1988 rv = pk11_encrypt(keys->write_key, CKM_AES_GCM, &param, out, &uOutLen,
1989 maxout, in, inlen);
1990 }
1991 *outlen += (int) uOutLen;
1992
1993 return rv;
1994 }
1995
1996 #ifndef NO_PKCS11_BYPASS
1997 static SECStatus
1998 ssl3_AESGCMBypass(ssl3KeyMaterial *keys,
1999 PRBool doDecrypt,
2000 unsigned char *out,
2001 int *outlen,
2002 int maxout,
2003 const unsigned char *in,
2004 int inlen,
2005 const unsigned char *additionalData,
2006 int additionalDataLen)
2007 {
2008 SECStatus rv = SECFailure;
2009 unsigned char nonce[12];
2010 unsigned int uOutLen;
2011 AESContext *cx;
2012 CK_GCM_PARAMS gcmParams;
2013
2014 static const int tagSize = 16;
2015 static const int explicitNonceLen = 8;
2016
2017 /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the
2018 * nonce is formed. */
2019 PORT_Assert(keys->write_iv_item.len == 4);
2020 if (keys->write_iv_item.len != 4) {
2021 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
2022 return SECFailure;
2023 }
2024 memcpy(nonce, keys->write_iv_item.data, 4);
2025 if (doDecrypt) {
2026 memcpy(nonce + 4, in, explicitNonceLen);
2027 in += explicitNonceLen;
2028 inlen -= explicitNonceLen;
2029 *outlen = 0;
2030 } else {
2031 if (maxout < explicitNonceLen) {
2032 PORT_SetError(SEC_ERROR_INPUT_LEN);
2033 return SECFailure;
2034 }
2035 /* Use the 64-bit sequence number as the explicit nonce. */
2036 memcpy(nonce + 4, additionalData, explicitNonceLen);
2037 memcpy(out, additionalData, explicitNonceLen);
2038 out += explicitNonceLen;
2039 maxout -= explicitNonceLen;
2040 *outlen = explicitNonceLen;
2041 }
2042
2043 gcmParams.pIv = nonce;
2044 gcmParams.ulIvLen = sizeof(nonce);
2045 gcmParams.pAAD = (unsigned char *)additionalData; /* const cast */
2046 gcmParams.ulAADLen = additionalDataLen;
2047 gcmParams.ulTagBits = tagSize * 8;
2048
2049 cx = (AESContext *)keys->cipher_context;
2050 rv = AES_InitContext(cx, keys->write_key_item.data,
2051 keys->write_key_item.len,
2052 (unsigned char *)&gcmParams, NSS_AES_GCM, !doDecrypt,
2053 AES_BLOCK_SIZE);
2054 if (rv != SECSuccess) {
2055 return rv;
2056 }
2057 if (doDecrypt) {
2058 rv = AES_Decrypt(cx, out, &uOutLen, maxout, in, inlen);
2059 } else {
2060 rv = AES_Encrypt(cx, out, &uOutLen, maxout, in, inlen);
2061 }
2062 AES_DestroyContext(cx, PR_FALSE);
2063 *outlen += (int) uOutLen;
2064
2065 return rv;
2066 }
2067 #endif
2068
2069 static SECStatus
2070 ssl3_ChaCha20Poly1305(
2071 ssl3KeyMaterial *keys,
2072 PRBool doDecrypt,
2073 unsigned char *out,
2074 int *outlen,
2075 int maxout,
2076 const unsigned char *in,
2077 int inlen,
2078 const unsigned char *additionalData,
2079 int additionalDataLen)
2080 {
2081 SECItem param;
2082 SECStatus rv = SECFailure;
2083 unsigned int uOutLen;
2084 CK_NSS_AEAD_PARAMS aeadParams;
2085 static const int tagSize = 16;
2086
2087 param.type = siBuffer;
2088 param.len = sizeof(aeadParams);
2089 param.data = (unsigned char *) &aeadParams;
2090 memset(&aeadParams, 0, sizeof(aeadParams));
2091 aeadParams.pIv = (unsigned char *) additionalData;
2092 aeadParams.ulIvLen = 8;
2093 aeadParams.pAAD = (unsigned char *) additionalData;
2094 aeadParams.ulAADLen = additionalDataLen;
2095 aeadParams.ulTagLen = tagSize;
2096
2097 if (doDecrypt) {
2098 rv = pk11_decrypt(keys->write_key, CKM_NSS_CHACHA20_POLY1305, &param,
2099 out, &uOutLen, maxout, in, inlen);
2100 } else {
2101 rv = pk11_encrypt(keys->write_key, CKM_NSS_CHACHA20_POLY1305, &param,
2102 out, &uOutLen, maxout, in, inlen);
2103 }
2104 *outlen = (int) uOutLen;
2105
2106 return rv;
2107 }
2108
2109 /* Initialize encryption and MAC contexts for pending spec.
2110 * Master Secret already is derived.
2111 * Caller holds Spec write lock.
2112 */
2113 static SECStatus
2114 ssl3_InitPendingContextsPKCS11(sslSocket *ss)
2115 {
2116 ssl3CipherSpec * pwSpec;
2117 const ssl3BulkCipherDef *cipher_def;
2118 PK11Context * serverContext = NULL;
2119 PK11Context * clientContext = NULL;
2120 SECItem * param;
2121 CK_MECHANISM_TYPE mechanism;
2122 CK_MECHANISM_TYPE mac_mech;
2123 CK_ULONG macLength;
2124 CK_ULONG effKeyBits;
2125 SECItem iv;
2126 SECItem mac_param;
2127 SSLCipherAlgorithm calg;
2128
2129 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
2130 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
2131 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
2132
2133 pwSpec = ss->ssl3.pwSpec;
2134 cipher_def = pwSpec->cipher_def;
2135 macLength = pwSpec->mac_size;
2136 calg = cipher_def->calg;
2137 PORT_Assert(alg2Mech[calg].calg == calg);
2138
2139 pwSpec->client.write_mac_context = NULL;
2140 pwSpec->server.write_mac_context = NULL;
2141
2142 if (calg == calg_aes_gcm || calg == calg_chacha20) {
2143 pwSpec->encode = NULL;
2144 pwSpec->decode = NULL;
2145 pwSpec->destroy = NULL;
2146 pwSpec->encodeContext = NULL;
2147 pwSpec->decodeContext = NULL;
2148 if (calg == calg_aes_gcm) {
2149 pwSpec->aead = ssl3_AESGCM;
2150 } else {
2151 pwSpec->aead = ssl3_ChaCha20Poly1305;
2152 }
2153 return SECSuccess;
2154 }
2155
2156 /*
2157 ** Now setup the MAC contexts,
2158 ** crypto contexts are setup below.
2159 */
2160
2161 mac_mech = pwSpec->mac_def->mmech;
2162 mac_param.data = (unsigned char *)&macLength;
2163 mac_param.len = sizeof(macLength);
2164 mac_param.type = 0;
2165
2166 pwSpec->client.write_mac_context = PK11_CreateContextBySymKey(
2167 mac_mech, CKA_SIGN, pwSpec->client.write_mac_key, &mac_param);
2168 if (pwSpec->client.write_mac_context == NULL) {
2169 ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
2170 goto fail;
2171 }
2172 pwSpec->server.write_mac_context = PK11_CreateContextBySymKey(
2173 mac_mech, CKA_SIGN, pwSpec->server.write_mac_key, &mac_param);
2174 if (pwSpec->server.write_mac_context == NULL) {
2175 ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
2176 goto fail;
2177 }
2178
2179 /*
2180 ** Now setup the crypto contexts.
2181 */
2182
2183 if (calg == calg_null) {
2184 pwSpec->encode = Null_Cipher;
2185 pwSpec->decode = Null_Cipher;
2186 pwSpec->destroy = NULL;
2187 return SECSuccess;
2188 }
2189 mechanism = alg2Mech[calg].cmech;
2190 effKeyBits = cipher_def->key_size * BPB;
2191
2192 /*
2193 * build the server context
2194 */
2195 iv.data = pwSpec->server.write_iv;
2196 iv.len = cipher_def->iv_size;
2197 param = ssl3_ParamFromIV(mechanism, &iv, effKeyBits);
2198 if (param == NULL) {
2199 ssl_MapLowLevelError(SSL_ERROR_IV_PARAM_FAILURE);
2200 goto fail;
2201 }
2202 serverContext = PK11_CreateContextBySymKey(mechanism,
2203 (ss->sec.isServer ? CKA_ENCRYPT : CKA_DECRYPT),
2204 pwSpec->server.write_key, param);
2205 iv.data = PK11_IVFromParam(mechanism, param, (int *)&iv.len);
2206 if (iv.data)
2207 PORT_Memcpy(pwSpec->server.write_iv, iv.data, iv.len);
2208 SECITEM_FreeItem(param, PR_TRUE);
2209 if (serverContext == NULL) {
2210 ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
2211 goto fail;
2212 }
2213
2214 /*
2215 * build the client context
2216 */
2217 iv.data = pwSpec->client.write_iv;
2218 iv.len = cipher_def->iv_size;
2219
2220 param = ssl3_ParamFromIV(mechanism, &iv, effKeyBits);
2221 if (param == NULL) {
2222 ssl_MapLowLevelError(SSL_ERROR_IV_PARAM_FAILURE);
2223 goto fail;
2224 }
2225 clientContext = PK11_CreateContextBySymKey(mechanism,
2226 (ss->sec.isServer ? CKA_DECRYPT : CKA_ENCRYPT),
2227 pwSpec->client.write_key, param);
2228 iv.data = PK11_IVFromParam(mechanism, param, (int *)&iv.len);
2229 if (iv.data)
2230 PORT_Memcpy(pwSpec->client.write_iv, iv.data, iv.len);
2231 SECITEM_FreeItem(param,PR_TRUE);
2232 if (clientContext == NULL) {
2233 ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
2234 goto fail;
2235 }
2236 pwSpec->encode = (SSLCipher) PK11_CipherOp;
2237 pwSpec->decode = (SSLCipher) PK11_CipherOp;
2238 pwSpec->destroy = (SSLDestroy) PK11_DestroyContext;
2239
2240 pwSpec->encodeContext = (ss->sec.isServer) ? serverContext : clientContext;
2241 pwSpec->decodeContext = (ss->sec.isServer) ? clientContext : serverContext;
2242
2243 serverContext = NULL;
2244 clientContext = NULL;
2245
2246 ssl3_InitCompressionContext(pwSpec);
2247
2248 return SECSuccess;
2249
2250 fail:
2251 if (serverContext != NULL) PK11_DestroyContext(serverContext, PR_TRUE);
2252 if (clientContext != NULL) PK11_DestroyContext(clientContext, PR_TRUE);
2253 if (pwSpec->client.write_mac_context != NULL) {
2254 PK11_DestroyContext(pwSpec->client.write_mac_context,PR_TRUE);
2255 pwSpec->client.write_mac_context = NULL;
2256 }
2257 if (pwSpec->server.write_mac_context != NULL) {
2258 PK11_DestroyContext(pwSpec->server.write_mac_context,PR_TRUE);
2259 pwSpec->server.write_mac_context = NULL;
2260 }
2261
2262 return SECFailure;
2263 }
2264
2265 /* Complete the initialization of all keys, ciphers, MACs and their contexts
2266 * for the pending Cipher Spec.
2267 * Called from: ssl3_SendClientKeyExchange (for Full handshake)
2268 * ssl3_HandleRSAClientKeyExchange (for Full handshake)
2269 * ssl3_HandleServerHello (for session restart)
2270 * ssl3_HandleClientHello (for session restart)
2271 * Sets error code, but caller probably should override to disambiguate.
2272 * NULL pms means re-use old master_secret.
2273 *
2274 * This code is common to the bypass and PKCS11 execution paths.
2275 * For the bypass case, pms is NULL.
2276 */
2277 SECStatus
2278 ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms)
2279 {
2280 ssl3CipherSpec * pwSpec;
2281 ssl3CipherSpec * cwSpec;
2282 SECStatus rv;
2283
2284 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
2285
2286 ssl_GetSpecWriteLock(ss); /**************************************/
2287
2288 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
2289
2290 pwSpec = ss->ssl3.pwSpec;
2291 cwSpec = ss->ssl3.cwSpec;
2292
2293 if (pms || (!pwSpec->msItem.len && !pwSpec->master_secret)) {
2294 rv = ssl3_DeriveMasterSecret(ss, pms);
2295 if (rv != SECSuccess) {
2296 goto done; /* err code set by ssl3_DeriveMasterSecret */
2297 }
2298 }
2299 #ifndef NO_PKCS11_BYPASS
2300 if (ss->opt.bypassPKCS11 && pwSpec->msItem.len && pwSpec->msItem.data) {
2301 /* Double Bypass succeeded in extracting the master_secret */
2302 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def;
2303 PRBool isTLS = (PRBool)(kea_def->tls_keygen ||
2304 (pwSpec->version > SSL_LIBRARY_VERSION_3_0));
2305 pwSpec->bypassCiphers = PR_TRUE;
2306 rv = ssl3_KeyAndMacDeriveBypass( pwSpec,
2307 (const unsigned char *)&ss->ssl3.hs.client_random,
2308 (const unsigned char *)&ss->ssl3.hs.server_random,
2309 isTLS,
2310 (PRBool)(kea_def->is_limited));
2311 if (rv == SECSuccess) {
2312 rv = ssl3_InitPendingContextsBypass(ss);
2313 }
2314 } else
2315 #endif
2316 if (pwSpec->master_secret) {
2317 rv = ssl3_DeriveConnectionKeysPKCS11(ss);
2318 if (rv == SECSuccess) {
2319 rv = ssl3_InitPendingContextsPKCS11(ss);
2320 }
2321 } else {
2322 PORT_Assert(pwSpec->master_secret);
2323 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
2324 rv = SECFailure;
2325 }
2326 if (rv != SECSuccess) {
2327 goto done;
2328 }
2329
2330 /* Generic behaviors -- common to all crypto methods */
2331 if (!IS_DTLS(ss)) {
2332 pwSpec->read_seq_num.high = pwSpec->write_seq_num.high = 0;
2333 } else {
2334 if (cwSpec->epoch == PR_UINT16_MAX) {
2335 /* The problem here is that we have rehandshaked too many
2336 * times (you are not allowed to wrap the epoch). The
2337 * spec says you should be discarding the connection
2338 * and start over, so not much we can do here. */
2339 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
2340 rv = SECFailure;
2341 goto done;
2342 }
2343 /* The sequence number has the high 16 bits as the epoch. */
2344 pwSpec->epoch = cwSpec->epoch + 1;
2345 pwSpec->read_seq_num.high = pwSpec->write_seq_num.high =
2346 pwSpec->epoch << 16;
2347
2348 dtls_InitRecvdRecords(&pwSpec->recvdRecords);
2349 }
2350 pwSpec->read_seq_num.low = pwSpec->write_seq_num.low = 0;
2351
2352 done:
2353 ssl_ReleaseSpecWriteLock(ss); /******************************/
2354 if (rv != SECSuccess)
2355 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
2356 return rv;
2357 }
2358
2359 /*
2360 * 60 bytes is 3 times the maximum length MAC size that is supported.
2361 */
2362 static const unsigned char mac_pad_1 [60] = {
2363 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
2364 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
2365 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
2366 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
2367 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
2368 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
2369 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
2370 0x36, 0x36, 0x36, 0x36
2371 };
2372 static const unsigned char mac_pad_2 [60] = {
2373 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
2374 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
2375 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
2376 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
2377 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
2378 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
2379 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
2380 0x5c, 0x5c, 0x5c, 0x5c
2381 };
2382
2383 /* Called from: ssl3_SendRecord()
2384 ** Caller must already hold the SpecReadLock. (wish we could assert that!)
2385 */
2386 static SECStatus
2387 ssl3_ComputeRecordMAC(
2388 ssl3CipherSpec * spec,
2389 PRBool useServerMacKey,
2390 const unsigned char *header,
2391 unsigned int headerLen,
2392 const SSL3Opaque * input,
2393 int inputLength,
2394 unsigned char * outbuf,
2395 unsigned int * outLength)
2396 {
2397 const ssl3MACDef * mac_def;
2398 SECStatus rv;
2399
2400 PRINT_BUF(95, (NULL, "frag hash1: header", header, headerLen));
2401 PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength));
2402
2403 mac_def = spec->mac_def;
2404 if (mac_def->mac == mac_null) {
2405 *outLength = 0;
2406 return SECSuccess;
2407 }
2408 #ifndef NO_PKCS11_BYPASS
2409 if (spec->bypassCiphers) {
2410 /* bypass version */
2411 const SECHashObject *hashObj = NULL;
2412 unsigned int pad_bytes = 0;
2413 PRUint64 write_mac_context[MAX_MAC_CONTEXT_LLONGS];
2414
2415 switch (mac_def->mac) {
2416 case ssl_mac_null:
2417 *outLength = 0;
2418 return SECSuccess;
2419 case ssl_mac_md5:
2420 pad_bytes = 48;
2421 hashObj = HASH_GetRawHashObject(HASH_AlgMD5);
2422 break;
2423 case ssl_mac_sha:
2424 pad_bytes = 40;
2425 hashObj = HASH_GetRawHashObject(HASH_AlgSHA1);
2426 break;
2427 case ssl_hmac_md5: /* used with TLS */
2428 hashObj = HASH_GetRawHashObject(HASH_AlgMD5);
2429 break;
2430 case ssl_hmac_sha: /* used with TLS */
2431 hashObj = HASH_GetRawHashObject(HASH_AlgSHA1);
2432 break;
2433 case ssl_hmac_sha256: /* used with TLS */
2434 hashObj = HASH_GetRawHashObject(HASH_AlgSHA256);
2435 break;
2436 default:
2437 break;
2438 }
2439 if (!hashObj) {
2440 PORT_Assert(0);
2441 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
2442 return SECFailure;
2443 }
2444
2445 if (spec->version <= SSL_LIBRARY_VERSION_3_0) {
2446 unsigned int tempLen;
2447 unsigned char temp[MAX_MAC_LENGTH];
2448
2449 /* compute "inner" part of SSL3 MAC */
2450 hashObj->begin(write_mac_context);
2451 if (useServerMacKey)
2452 hashObj->update(write_mac_context,
2453 spec->server.write_mac_key_item.data,
2454 spec->server.write_mac_key_item.len);
2455 else
2456 hashObj->update(write_mac_context,
2457 spec->client.write_mac_key_item.data,
2458 spec->client.write_mac_key_item.len);
2459 hashObj->update(write_mac_context, mac_pad_1, pad_bytes);
2460 hashObj->update(write_mac_context, header, headerLen);
2461 hashObj->update(write_mac_context, input, inputLength);
2462 hashObj->end(write_mac_context, temp, &tempLen, sizeof temp);
2463
2464 /* compute "outer" part of SSL3 MAC */
2465 hashObj->begin(write_mac_context);
2466 if (useServerMacKey)
2467 hashObj->update(write_mac_context,
2468 spec->server.write_mac_key_item.data,
2469 spec->server.write_mac_key_item.len);
2470 else
2471 hashObj->update(write_mac_context,
2472 spec->client.write_mac_key_item.data,
2473 spec->client.write_mac_key_item.len);
2474 hashObj->update(write_mac_context, mac_pad_2, pad_bytes);
2475 hashObj->update(write_mac_context, temp, tempLen);
2476 hashObj->end(write_mac_context, outbuf, outLength, spec->mac_size);
2477 rv = SECSuccess;
2478 } else { /* is TLS */
2479 #define cx ((HMACContext *)write_mac_context)
2480 if (useServerMacKey) {
2481 rv = HMAC_Init(cx, hashObj,
2482 spec->server.write_mac_key_item.data,
2483 spec->server.write_mac_key_item.len, PR_FALSE);
2484 } else {
2485 rv = HMAC_Init(cx, hashObj,
2486 spec->client.write_mac_key_item.data,
2487 spec->client.write_mac_key_item.len, PR_FALSE);
2488 }
2489 if (rv == SECSuccess) {
2490 HMAC_Begin(cx);
2491 HMAC_Update(cx, header, headerLen);
2492 HMAC_Update(cx, input, inputLength);
2493 rv = HMAC_Finish(cx, outbuf, outLength, spec->mac_size);
2494 HMAC_Destroy(cx, PR_FALSE);
2495 }
2496 #undef cx
2497 }
2498 } else
2499 #endif
2500 {
2501 PK11Context *mac_context =
2502 (useServerMacKey ? spec->server.write_mac_context
2503 : spec->client.write_mac_context);
2504 rv = PK11_DigestBegin(mac_context);
2505 rv |= PK11_DigestOp(mac_context, header, headerLen);
2506 rv |= PK11_DigestOp(mac_context, input, inputLength);
2507 rv |= PK11_DigestFinal(mac_context, outbuf, outLength, spec->mac_size);
2508 }
2509
2510 PORT_Assert(rv != SECSuccess || *outLength == (unsigned)spec->mac_size);
2511
2512 PRINT_BUF(95, (NULL, "frag hash2: result", outbuf, *outLength));
2513
2514 if (rv != SECSuccess) {
2515 rv = SECFailure;
2516 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
2517 }
2518 return rv;
2519 }
2520
2521 /* Called from: ssl3_HandleRecord()
2522 * Caller must already hold the SpecReadLock. (wish we could assert that!)
2523 *
2524 * On entry:
2525 * originalLen >= inputLen >= MAC size
2526 */
2527 static SECStatus
2528 ssl3_ComputeRecordMACConstantTime(
2529 ssl3CipherSpec * spec,
2530 PRBool useServerMacKey,
2531 const unsigned char *header,
2532 unsigned int headerLen,
2533 const SSL3Opaque * input,
2534 int inputLen,
2535 int originalLen,
2536 unsigned char * outbuf,
2537 unsigned int * outLen)
2538 {
2539 CK_MECHANISM_TYPE macType;
2540 CK_NSS_MAC_CONSTANT_TIME_PARAMS params;
2541 SECItem param, inputItem, outputItem;
2542 SECStatus rv;
2543 PK11SymKey * key;
2544
2545 PORT_Assert(inputLen >= spec->mac_size);
2546 PORT_Assert(originalLen >= inputLen);
2547
2548 if (spec->bypassCiphers) {
2549 /* This function doesn't support PKCS#11 bypass. We fallback on the
2550 * non-constant time version. */
2551 goto fallback;
2552 }
2553
2554 if (spec->mac_def->mac == mac_null) {
2555 *outLen = 0;
2556 return SECSuccess;
2557 }
2558
2559 macType = CKM_NSS_HMAC_CONSTANT_TIME;
2560 if (spec->version <= SSL_LIBRARY_VERSION_3_0) {
2561 macType = CKM_NSS_SSL3_MAC_CONSTANT_TIME;
2562 }
2563
2564 params.macAlg = spec->mac_def->mmech;
2565 params.ulBodyTotalLen = originalLen;
2566 params.pHeader = (unsigned char *) header; /* const cast */
2567 params.ulHeaderLen = headerLen;
2568
2569 param.data = (unsigned char*) &params;
2570 param.len = sizeof(params);
2571 param.type = 0;
2572
2573 inputItem.data = (unsigned char *) input;
2574 inputItem.len = inputLen;
2575 inputItem.type = 0;
2576
2577 outputItem.data = outbuf;
2578 outputItem.len = *outLen;
2579 outputItem.type = 0;
2580
2581 key = spec->server.write_mac_key;
2582 if (!useServerMacKey) {
2583 key = spec->client.write_mac_key;
2584 }
2585
2586 rv = PK11_SignWithSymKey(key, macType, &param, &outputItem, &inputItem);
2587 if (rv != SECSuccess) {
2588 if (PORT_GetError() == SEC_ERROR_INVALID_ALGORITHM) {
2589 goto fallback;
2590 }
2591
2592 *outLen = 0;
2593 rv = SECFailure;
2594 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
2595 return rv;
2596 }
2597
2598 PORT_Assert(outputItem.len == (unsigned)spec->mac_size);
2599 *outLen = outputItem.len;
2600
2601 return rv;
2602
2603 fallback:
2604 /* ssl3_ComputeRecordMAC expects the MAC to have been removed from the
2605 * length already. */
2606 inputLen -= spec->mac_size;
2607 return ssl3_ComputeRecordMAC(spec, useServerMacKey, header, headerLen,
2608 input, inputLen, outbuf, outLen);
2609 }
2610
2611 static PRBool
2612 ssl3_ClientAuthTokenPresent(sslSessionID *sid) {
2613 PK11SlotInfo *slot = NULL;
2614 PRBool isPresent = PR_TRUE;
2615
2616 /* we only care if we are doing client auth */
2617 /* If NSS_PLATFORM_CLIENT_AUTH is defined and a platformClientKey is being
2618 * used, u.ssl3.clAuthValid will be false and this function will always
2619 * return PR_TRUE. */
2620 if (!sid || !sid->u.ssl3.clAuthValid) {
2621 return PR_TRUE;
2622 }
2623
2624 /* get the slot */
2625 slot = SECMOD_LookupSlot(sid->u.ssl3.clAuthModuleID,
2626 sid->u.ssl3.clAuthSlotID);
2627 if (slot == NULL ||
2628 !PK11_IsPresent(slot) ||
2629 sid->u.ssl3.clAuthSeries != PK11_GetSlotSeries(slot) ||
2630 sid->u.ssl3.clAuthSlotID != PK11_GetSlotID(slot) ||
2631 sid->u.ssl3.clAuthModuleID != PK11_GetModuleID(slot) ||
2632 (PK11_NeedLogin(slot) && !PK11_IsLoggedIn(slot, NULL))) {
2633 isPresent = PR_FALSE;
2634 }
2635 if (slot) {
2636 PK11_FreeSlot(slot);
2637 }
2638 return isPresent;
2639 }
2640
2641 /* Caller must hold the spec read lock. */
2642 SECStatus
2643 ssl3_CompressMACEncryptRecord(ssl3CipherSpec * cwSpec,
2644 PRBool isServer,
2645 PRBool isDTLS,
2646 PRBool capRecordVersion,
2647 SSL3ContentType type,
2648 const SSL3Opaque * pIn,
2649 PRUint32 contentLen,
2650 sslBuffer * wrBuf)
2651 {
2652 const ssl3BulkCipherDef * cipher_def;
2653 SECStatus rv;
2654 PRUint32 macLen = 0;
2655 PRUint32 fragLen;
2656 PRUint32 p1Len, p2Len, oddLen = 0;
2657 PRUint16 headerLen;
2658 int ivLen = 0;
2659 int cipherBytes = 0;
2660 unsigned char pseudoHeader[13];
2661 unsigned int pseudoHeaderLen;
2662
2663 cipher_def = cwSpec->cipher_def;
2664 headerLen = isDTLS ? DTLS_RECORD_HEADER_LENGTH : SSL3_RECORD_HEADER_LENGTH;
2665
2666 if (cipher_def->type == type_block &&
2667 cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) {
2668 /* Prepend the per-record explicit IV using technique 2b from
2669 * RFC 4346 section 6.2.3.2: The IV is a cryptographically
2670 * strong random number XORed with the CBC residue from the previous
2671 * record.
2672 */
2673 ivLen = cipher_def->iv_size;
2674 if (ivLen > wrBuf->space - headerLen) {
2675 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
2676 return SECFailure;
2677 }
2678 rv = PK11_GenerateRandom(wrBuf->buf + headerLen, ivLen);
2679 if (rv != SECSuccess) {
2680 ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
2681 return rv;
2682 }
2683 rv = cwSpec->encode( cwSpec->encodeContext,
2684 wrBuf->buf + headerLen,
2685 &cipherBytes, /* output and actual outLen */
2686 ivLen, /* max outlen */
2687 wrBuf->buf + headerLen,
2688 ivLen); /* input and inputLen*/
2689 if (rv != SECSuccess || cipherBytes != ivLen) {
2690 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
2691 return SECFailure;
2692 }
2693 }
2694
2695 if (cwSpec->compressor) {
2696 int outlen;
2697 rv = cwSpec->compressor(
2698 cwSpec->compressContext,
2699 wrBuf->buf + headerLen + ivLen, &outlen,
2700 wrBuf->space - headerLen - ivLen, pIn, contentLen);
2701 if (rv != SECSuccess)
2702 return rv;
2703 pIn = wrBuf->buf + headerLen + ivLen;
2704 contentLen = outlen;
2705 }
2706
2707 pseudoHeaderLen = ssl3_BuildRecordPseudoHeader(
2708 pseudoHeader, cwSpec->write_seq_num, type,
2709 cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_0, cwSpec->version,
2710 isDTLS, contentLen);
2711 PORT_Assert(pseudoHeaderLen <= sizeof(pseudoHeader));
2712 if (cipher_def->type == type_aead) {
2713 const int nonceLen = cipher_def->explicit_nonce_size;
2714 const int tagLen = cipher_def->tag_size;
2715
2716 if (headerLen + nonceLen + contentLen + tagLen > wrBuf->space) {
2717 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
2718 return SECFailure;
2719 }
2720
2721 cipherBytes = contentLen;
2722 rv = cwSpec->aead(
2723 isServer ? &cwSpec->server : &cwSpec->client,
2724 PR_FALSE, /* do encrypt */
2725 wrBuf->buf + headerLen, /* output */
2726 &cipherBytes, /* out len */
2727 wrBuf->space - headerLen, /* max out */
2728 pIn, contentLen, /* input */
2729 pseudoHeader, pseudoHeaderLen);
2730 if (rv != SECSuccess) {
2731 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
2732 return SECFailure;
2733 }
2734 } else {
2735 /*
2736 * Add the MAC
2737 */
2738 rv = ssl3_ComputeRecordMAC(cwSpec, isServer,
2739 pseudoHeader, pseudoHeaderLen, pIn, contentLen,
2740 wrBuf->buf + headerLen + ivLen + contentLen, &macLen);
2741 if (rv != SECSuccess) {
2742 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
2743 return SECFailure;
2744 }
2745 p1Len = contentLen;
2746 p2Len = macLen;
2747 fragLen = contentLen + macLen; /* needs to be encrypted */
2748 PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024);
2749
2750 /*
2751 * Pad the text (if we're doing a block cipher)
2752 * then Encrypt it
2753 */
2754 if (cipher_def->type == type_block) {
2755 unsigned char * pBuf;
2756 int padding_length;
2757 int i;
2758
2759 oddLen = contentLen % cipher_def->block_size;
2760 /* Assume blockSize is a power of two */
2761 padding_length = cipher_def->block_size - 1 -
2762 ((fragLen) & (cipher_def->block_size - 1));
2763 fragLen += padding_length + 1;
2764 PORT_Assert((fragLen % cipher_def->block_size) == 0);
2765
2766 /* Pad according to TLS rules (also acceptable to SSL3). */
2767 pBuf = &wrBuf->buf[headerLen + ivLen + fragLen - 1];
2768 for (i = padding_length + 1; i > 0; --i) {
2769 *pBuf-- = padding_length;
2770 }
2771 /* now, if contentLen is not a multiple of block size, fix it */
2772 p2Len = fragLen - p1Len;
2773 }
2774 if (p1Len < 256) {
2775 oddLen = p1Len;
2776 p1Len = 0;
2777 } else {
2778 p1Len -= oddLen;
2779 }
2780 if (oddLen) {
2781 p2Len += oddLen;
2782 PORT_Assert( (cipher_def->block_size < 2) || \
2783 (p2Len % cipher_def->block_size) == 0);
2784 memmove(wrBuf->buf + headerLen + ivLen + p1Len, pIn + p1Len,
2785 oddLen);
2786 }
2787 if (p1Len > 0) {
2788 int cipherBytesPart1 = -1;
2789 rv = cwSpec->encode( cwSpec->encodeContext,
2790 wrBuf->buf + headerLen + ivLen, /* output */
2791 &cipherBytesPart1, /* actual outlen */
2792 p1Len, /* max outlen */
2793 pIn, p1Len); /* input, and inputlen */
2794 PORT_Assert(rv == SECSuccess && cipherBytesPart1 == (int) p1Len);
2795 if (rv != SECSuccess || cipherBytesPart1 != (int) p1Len) {
2796 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
2797 return SECFailure;
2798 }
2799 cipherBytes += cipherBytesPart1;
2800 }
2801 if (p2Len > 0) {
2802 int cipherBytesPart2 = -1;
2803 rv = cwSpec->encode( cwSpec->encodeContext,
2804 wrBuf->buf + headerLen + ivLen + p1Len,
2805 &cipherBytesPart2, /* output and actual outLen */
2806 p2Len, /* max outlen */
2807 wrBuf->buf + headerLen + ivLen + p1Len,
2808 p2Len); /* input and inputLen*/
2809 PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len);
2810 if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) {
2811 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
2812 return SECFailure;
2813 }
2814 cipherBytes += cipherBytesPart2;
2815 }
2816 }
2817
2818 PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024);
2819
2820 wrBuf->len = cipherBytes + headerLen;
2821 wrBuf->buf[0] = type;
2822 if (isDTLS) {
2823 SSL3ProtocolVersion version;
2824
2825 version = dtls_TLSVersionToDTLSVersion(cwSpec->version);
2826 wrBuf->buf[1] = MSB(version);
2827 wrBuf->buf[2] = LSB(version);
2828 wrBuf->buf[3] = (unsigned char)(cwSpec->write_seq_num.high >> 24);
2829 wrBuf->buf[4] = (unsigned char)(cwSpec->write_seq_num.high >> 16);
2830 wrBuf->buf[5] = (unsigned char)(cwSpec->write_seq_num.high >> 8);
2831 wrBuf->buf[6] = (unsigned char)(cwSpec->write_seq_num.high >> 0);
2832 wrBuf->buf[7] = (unsigned char)(cwSpec->write_seq_num.low >> 24);
2833 wrBuf->buf[8] = (unsigned char)(cwSpec->write_seq_num.low >> 16);
2834 wrBuf->buf[9] = (unsigned char)(cwSpec->write_seq_num.low >> 8);
2835 wrBuf->buf[10] = (unsigned char)(cwSpec->write_seq_num.low >> 0);
2836 wrBuf->buf[11] = MSB(cipherBytes);
2837 wrBuf->buf[12] = LSB(cipherBytes);
2838 } else {
2839 SSL3ProtocolVersion version = cwSpec->version;
2840
2841 if (capRecordVersion) {
2842 version = PR_MIN(SSL_LIBRARY_VERSION_TLS_1_0, version);
2843 }
2844 wrBuf->buf[1] = MSB(version);
2845 wrBuf->buf[2] = LSB(version);
2846 wrBuf->buf[3] = MSB(cipherBytes);
2847 wrBuf->buf[4] = LSB(cipherBytes);
2848 }
2849
2850 ssl3_BumpSequenceNumber(&cwSpec->write_seq_num);
2851
2852 return SECSuccess;
2853 }
2854
2855 /* Process the plain text before sending it.
2856 * Returns the number of bytes of plaintext that were successfully sent
2857 * plus the number of bytes of plaintext that were copied into the
2858 * output (write) buffer.
2859 * Returns SECFailure on a hard IO error, memory error, or crypto error.
2860 * Does NOT return SECWouldBlock.
2861 *
2862 * Notes on the use of the private ssl flags:
2863 * (no private SSL flags)
2864 * Attempt to make and send SSL records for all plaintext
2865 * If non-blocking and a send gets WOULD_BLOCK,
2866 * or if the pending (ciphertext) buffer is not empty,
2867 * then buffer remaining bytes of ciphertext into pending buf,
2868 * and continue to do that for all succssive records until all
2869 * bytes are used.
2870 * ssl_SEND_FLAG_FORCE_INTO_BUFFER
2871 * As above, except this suppresses all write attempts, and forces
2872 * all ciphertext into the pending ciphertext buffer.
2873 * ssl_SEND_FLAG_USE_EPOCH (for DTLS)
2874 * Forces the use of the provided epoch
2875 * ssl_SEND_FLAG_CAP_RECORD_VERSION
2876 * Caps the record layer version number of TLS ClientHello to { 3, 1 }
2877 * (TLS 1.0). Some TLS 1.0 servers (which seem to use F5 BIG-IP) ignore
2878 * ClientHello.client_version and use the record layer version number
2879 * (TLSPlaintext.version) instead when negotiating protocol versions. In
2880 * addition, if the record layer version number of ClientHello is { 3, 2 }
2881 * (TLS 1.1) or higher, these servers reset the TCP connections. Lastly,
2882 * some F5 BIG-IP servers hang if a record containing a ClientHello has a
2883 * version greater than { 3, 1 } and a length greater than 255. Set this
2884 * flag to work around such servers.
2885 */
2886 PRInt32
2887 ssl3_SendRecord( sslSocket * ss,
2888 DTLSEpoch epoch, /* DTLS only */
2889 SSL3ContentType type,
2890 const SSL3Opaque * pIn, /* input buffer */
2891 PRInt32 nIn, /* bytes of input */
2892 PRInt32 flags)
2893 {
2894 sslBuffer * wrBuf = &ss->sec.writeBuf;
2895 SECStatus rv;
2896 PRInt32 totalSent = 0;
2897 PRBool capRecordVersion;
2898
2899 SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s nIn=%d",
2900 SSL_GETPID(), ss->fd, ssl3_DecodeContentType(type),
2901 nIn));
2902 PRINT_BUF(50, (ss, "Send record (plain text)", pIn, nIn));
2903
2904 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
2905
2906 capRecordVersion = ((flags & ssl_SEND_FLAG_CAP_RECORD_VERSION) != 0);
2907
2908 if (capRecordVersion) {
2909 /* ssl_SEND_FLAG_CAP_RECORD_VERSION can only be used with the
2910 * TLS initial ClientHello. */
2911 PORT_Assert(!IS_DTLS(ss));
2912 PORT_Assert(!ss->firstHsDone);
2913 PORT_Assert(type == content_handshake);
2914 PORT_Assert(ss->ssl3.hs.ws == wait_server_hello);
2915 }
2916
2917 if (ss->ssl3.initialized == PR_FALSE) {
2918 /* This can happen on a server if the very first incoming record
2919 ** looks like a defective ssl3 record (e.g. too long), and we're
2920 ** trying to send an alert.
2921 */
2922 PR_ASSERT(type == content_alert);
2923 rv = ssl3_InitState(ss);
2924 if (rv != SECSuccess) {
2925 return SECFailure; /* ssl3_InitState has set the error code. */
2926 }
2927 }
2928
2929 /* check for Token Presence */
2930 if (!ssl3_ClientAuthTokenPresent(ss->sec.ci.sid)) {
2931 PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
2932 return SECFailure;
2933 }
2934
2935 while (nIn > 0) {
2936 PRUint32 contentLen = PR_MIN(nIn, MAX_FRAGMENT_LENGTH);
2937 unsigned int spaceNeeded;
2938 unsigned int numRecords;
2939
2940 ssl_GetSpecReadLock(ss); /********************************/
2941
2942 if (nIn > 1 && ss->opt.cbcRandomIV &&
2943 ss->ssl3.cwSpec->version < SSL_LIBRARY_VERSION_TLS_1_1 &&
2944 type == content_application_data &&
2945 ss->ssl3.cwSpec->cipher_def->type == type_block /* CBC mode */) {
2946 /* We will split the first byte of the record into its own record,
2947 * as explained in the documentation for SSL_CBC_RANDOM_IV in ssl.h
2948 */
2949 numRecords = 2;
2950 } else {
2951 numRecords = 1;
2952 }
2953
2954 spaceNeeded = contentLen + (numRecords * SSL3_BUFFER_FUDGE);
2955 if (ss->ssl3.cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1 &&
2956 ss->ssl3.cwSpec->cipher_def->type == type_block) {
2957 spaceNeeded += ss->ssl3.cwSpec->cipher_def->iv_size;
2958 }
2959 if (spaceNeeded > wrBuf->space) {
2960 rv = sslBuffer_Grow(wrBuf, spaceNeeded);
2961 if (rv != SECSuccess) {
2962 SSL_DBG(("%d: SSL3[%d]: SendRecord, tried to get %d bytes",
2963 SSL_GETPID(), ss->fd, spaceNeeded));
2964 goto spec_locked_loser; /* sslBuffer_Grow set error code. */
2965 }
2966 }
2967
2968 if (numRecords == 2) {
2969 sslBuffer secondRecord;
2970
2971 rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec,
2972 ss->sec.isServer, IS_DTLS(ss),
2973 capRecordVersion, type, pIn,
2974 1, wrBuf);
2975 if (rv != SECSuccess)
2976 goto spec_locked_loser;
2977
2978 PRINT_BUF(50, (ss, "send (encrypted) record data [1/2]:",
2979 wrBuf->buf, wrBuf->len));
2980
2981 secondRecord.buf = wrBuf->buf + wrBuf->len;
2982 secondRecord.len = 0;
2983 secondRecord.space = wrBuf->space - wrBuf->len;
2984
2985 rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec,
2986 ss->sec.isServer, IS_DTLS(ss),
2987 capRecordVersion, type,
2988 pIn + 1, contentLen - 1,
2989 &secondRecord);
2990 if (rv == SECSuccess) {
2991 PRINT_BUF(50, (ss, "send (encrypted) record data [2/2]:",
2992 secondRecord.buf, secondRecord.len));
2993 wrBuf->len += secondRecord.len;
2994 }
2995 } else {
2996 if (!IS_DTLS(ss)) {
2997 rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec,
2998 ss->sec.isServer,
2999 IS_DTLS(ss),
3000 capRecordVersion,
3001 type, pIn,
3002 contentLen, wrBuf);
3003 } else {
3004 rv = dtls_CompressMACEncryptRecord(ss, epoch,
3005 !!(flags & ssl_SEND_FLAG_USE_ EPOCH),
3006 type, pIn,
3007 contentLen, wrBuf);
3008 }
3009
3010 if (rv == SECSuccess) {
3011 PRINT_BUF(50, (ss, "send (encrypted) record data:",
3012 wrBuf->buf, wrBuf->len));
3013 }
3014 }
3015
3016 spec_locked_loser:
3017 ssl_ReleaseSpecReadLock(ss); /************************************/
3018
3019 if (rv != SECSuccess)
3020 return SECFailure;
3021
3022 pIn += contentLen;
3023 nIn -= contentLen;
3024 PORT_Assert( nIn >= 0 );
3025
3026 /* If there's still some previously saved ciphertext,
3027 * or the caller doesn't want us to send the data yet,
3028 * then add all our new ciphertext to the amount previously saved.
3029 */
3030 if ((ss->pendingBuf.len > 0) ||
3031 (flags & ssl_SEND_FLAG_FORCE_INTO_BUFFER)) {
3032
3033 rv = ssl_SaveWriteData(ss, wrBuf->buf, wrBuf->len);
3034 if (rv != SECSuccess) {
3035 /* presumably a memory error, SEC_ERROR_NO_MEMORY */
3036 return SECFailure;
3037 }
3038 wrBuf->len = 0; /* All cipher text is saved away. */
3039
3040 if (!(flags & ssl_SEND_FLAG_FORCE_INTO_BUFFER)) {
3041 PRInt32 sent;
3042 ss->handshakeBegun = 1;
3043 sent = ssl_SendSavedWriteData(ss);
3044 if (sent < 0 && PR_GetError() != PR_WOULD_BLOCK_ERROR) {
3045 ssl_MapLowLevelError(SSL_ERROR_SOCKET_WRITE_FAILURE);
3046 return SECFailure;
3047 }
3048 if (ss->pendingBuf.len) {
3049 flags |= ssl_SEND_FLAG_FORCE_INTO_BUFFER;
3050 }
3051 }
3052 } else if (wrBuf->len > 0) {
3053 PRInt32 sent;
3054 ss->handshakeBegun = 1;
3055 sent = ssl_DefSend(ss, wrBuf->buf, wrBuf->len,
3056 flags & ~ssl_SEND_FLAG_MASK);
3057 if (sent < 0) {
3058 if (PR_GetError() != PR_WOULD_BLOCK_ERROR) {
3059 ssl_MapLowLevelError(SSL_ERROR_SOCKET_WRITE_FAILURE);
3060 return SECFailure;
3061 }
3062 /* we got PR_WOULD_BLOCK_ERROR, which means none was sent. */
3063 sent = 0;
3064 }
3065 wrBuf->len -= sent;
3066 if (wrBuf->len) {
3067 if (IS_DTLS(ss)) {
3068 /* DTLS just says no in this case. No buffering */
3069 PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
3070 return SECFailure;
3071 }
3072 /* now take all the remaining unsent new ciphertext and
3073 * append it to the buffer of previously unsent ciphertext.
3074 */
3075 rv = ssl_SaveWriteData(ss, wrBuf->buf + sent, wrBuf->len);
3076 if (rv != SECSuccess) {
3077 /* presumably a memory error, SEC_ERROR_NO_MEMORY */
3078 return SECFailure;
3079 }
3080 }
3081 }
3082 totalSent += contentLen;
3083 }
3084 return totalSent;
3085 }
3086
3087 #define SSL3_PENDING_HIGH_WATER 1024
3088
3089 /* Attempt to send the content of "in" in an SSL application_data record.
3090 * Returns "len" or SECFailure, never SECWouldBlock, nor SECSuccess.
3091 */
3092 int
3093 ssl3_SendApplicationData(sslSocket *ss, const unsigned char *in,
3094 PRInt32 len, PRInt32 flags)
3095 {
3096 PRInt32 totalSent = 0;
3097 PRInt32 discarded = 0;
3098
3099 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
3100 /* These flags for internal use only */
3101 PORT_Assert(!(flags & (ssl_SEND_FLAG_USE_EPOCH |
3102 ssl_SEND_FLAG_NO_RETRANSMIT)));
3103 if (len < 0 || !in) {
3104 PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
3105 return SECFailure;
3106 }
3107
3108 if (ss->pendingBuf.len > SSL3_PENDING_HIGH_WATER &&
3109 !ssl_SocketIsBlocking(ss)) {
3110 PORT_Assert(!ssl_SocketIsBlocking(ss));
3111 PORT_SetError(PR_WOULD_BLOCK_ERROR);
3112 return SECFailure;
3113 }
3114
3115 if (ss->appDataBuffered && len) {
3116 PORT_Assert (in[0] == (unsigned char)(ss->appDataBuffered));
3117 if (in[0] != (unsigned char)(ss->appDataBuffered)) {
3118 PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
3119 return SECFailure;
3120 }
3121 in++;
3122 len--;
3123 discarded = 1;
3124 }
3125 while (len > totalSent) {
3126 PRInt32 sent, toSend;
3127
3128 if (totalSent > 0) {
3129 /*
3130 * The thread yield is intended to give the reader thread a
3131 * chance to get some cycles while the writer thread is in
3132 * the middle of a large application data write. (See
3133 * Bugzilla bug 127740, comment #1.)
3134 */
3135 ssl_ReleaseXmitBufLock(ss);
3136 PR_Sleep(PR_INTERVAL_NO_WAIT); /* PR_Yield(); */
3137 ssl_GetXmitBufLock(ss);
3138 }
3139 toSend = PR_MIN(len - totalSent, MAX_FRAGMENT_LENGTH);
3140 /*
3141 * Note that the 0 epoch is OK because flags will never require
3142 * its use, as guaranteed by the PORT_Assert above.
3143 */
3144 sent = ssl3_SendRecord(ss, 0, content_application_data,
3145 in + totalSent, toSend, flags);
3146 if (sent < 0) {
3147 if (totalSent > 0 && PR_GetError() == PR_WOULD_BLOCK_ERROR) {
3148 PORT_Assert(ss->lastWriteBlocked);
3149 break;
3150 }
3151 return SECFailure; /* error code set by ssl3_SendRecord */
3152 }
3153 totalSent += sent;
3154 if (ss->pendingBuf.len) {
3155 /* must be a non-blocking socket */
3156 PORT_Assert(!ssl_SocketIsBlocking(ss));
3157 PORT_Assert(ss->lastWriteBlocked);
3158 break;
3159 }
3160 }
3161 if (ss->pendingBuf.len) {
3162 /* Must be non-blocking. */
3163 PORT_Assert(!ssl_SocketIsBlocking(ss));
3164 if (totalSent > 0) {
3165 ss->appDataBuffered = 0x100 | in[totalSent - 1];
3166 }
3167
3168 totalSent = totalSent + discarded - 1;
3169 if (totalSent <= 0) {
3170 PORT_SetError(PR_WOULD_BLOCK_ERROR);
3171 totalSent = SECFailure;
3172 }
3173 return totalSent;
3174 }
3175 ss->appDataBuffered = 0;
3176 return totalSent + discarded;
3177 }
3178
3179 /* Attempt to send buffered handshake messages.
3180 * This function returns SECSuccess or SECFailure, never SECWouldBlock.
3181 * Always set sendBuf.len to 0, even when returning SECFailure.
3182 *
3183 * Depending on whether we are doing DTLS or not, this either calls
3184 *
3185 * - ssl3_FlushHandshakeMessages if non-DTLS
3186 * - dtls_FlushHandshakeMessages if DTLS
3187 *
3188 * Called from SSL3_SendAlert(), ssl3_SendChangeCipherSpecs(),
3189 * ssl3_AppendHandshake(), ssl3_SendClientHello(),
3190 * ssl3_SendHelloRequest(), ssl3_SendServerHelloDone(),
3191 * ssl3_SendFinished(),
3192 */
3193 static SECStatus
3194 ssl3_FlushHandshake(sslSocket *ss, PRInt32 flags)
3195 {
3196 if (IS_DTLS(ss)) {
3197 return dtls_FlushHandshakeMessages(ss, flags);
3198 } else {
3199 return ssl3_FlushHandshakeMessages(ss, flags);
3200 }
3201 }
3202
3203 /* Attempt to send the content of sendBuf buffer in an SSL handshake record.
3204 * This function returns SECSuccess or SECFailure, never SECWouldBlock.
3205 * Always set sendBuf.len to 0, even when returning SECFailure.
3206 *
3207 * Called from ssl3_FlushHandshake
3208 */
3209 static SECStatus
3210 ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags)
3211 {
3212 static const PRInt32 allowedFlags = ssl_SEND_FLAG_FORCE_INTO_BUFFER |
3213 ssl_SEND_FLAG_CAP_RECORD_VERSION;
3214 PRInt32 rv = SECSuccess;
3215
3216 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
3217 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
3218
3219 if (!ss->sec.ci.sendBuf.buf || !ss->sec.ci.sendBuf.len)
3220 return rv;
3221
3222 /* only these flags are allowed */
3223 PORT_Assert(!(flags & ~allowedFlags));
3224 if ((flags & ~allowedFlags) != 0) {
3225 PORT_SetError(SEC_ERROR_INVALID_ARGS);
3226 rv = SECFailure;
3227 } else {
3228 rv = ssl3_SendRecord(ss, 0, content_handshake, ss->sec.ci.sendBuf.buf,
3229 ss->sec.ci.sendBuf.len, flags);
3230 }
3231 if (rv < 0) {
3232 int err = PORT_GetError();
3233 PORT_Assert(err != PR_WOULD_BLOCK_ERROR);
3234 if (err == PR_WOULD_BLOCK_ERROR) {
3235 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
3236 }
3237 } else if (rv < ss->sec.ci.sendBuf.len) {
3238 /* short write should never happen */
3239 PORT_Assert(rv >= ss->sec.ci.sendBuf.len);
3240 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
3241 rv = SECFailure;
3242 } else {
3243 rv = SECSuccess;
3244 }
3245
3246 /* Whether we succeeded or failed, toss the old handshake data. */
3247 ss->sec.ci.sendBuf.len = 0;
3248 return rv;
3249 }
3250
3251 /*
3252 * Called from ssl3_HandleAlert and from ssl3_HandleCertificate when
3253 * the remote client sends a negative response to our certificate request.
3254 * Returns SECFailure if the application has required client auth.
3255 * SECSuccess otherwise.
3256 */
3257 static SECStatus
3258 ssl3_HandleNoCertificate(sslSocket *ss)
3259 {
3260 if (ss->sec.peerCert != NULL) {
3261 if (ss->sec.peerKey != NULL) {
3262 SECKEY_DestroyPublicKey(ss->sec.peerKey);
3263 ss->sec.peerKey = NULL;
3264 }
3265 CERT_DestroyCertificate(ss->sec.peerCert);
3266 ss->sec.peerCert = NULL;
3267 }
3268 ssl3_CleanupPeerCerts(ss);
3269
3270 /* If the server has required client-auth blindly but doesn't
3271 * actually look at the certificate it won't know that no
3272 * certificate was presented so we shutdown the socket to ensure
3273 * an error. We only do this if we haven't already completed the
3274 * first handshake because if we're redoing the handshake we
3275 * know the server is paying attention to the certificate.
3276 */
3277 if ((ss->opt.requireCertificate == SSL_REQUIRE_ALWAYS) ||
3278 (!ss->firstHsDone &&
3279 (ss->opt.requireCertificate == SSL_REQUIRE_FIRST_HANDSHAKE))) {
3280 PRFileDesc * lower;
3281
3282 if (ss->sec.uncache)
3283 ss->sec.uncache(ss->sec.ci.sid);
3284 SSL3_SendAlert(ss, alert_fatal, bad_certificate);
3285
3286 lower = ss->fd->lower;
3287 #ifdef _WIN32
3288 lower->methods->shutdown(lower, PR_SHUTDOWN_SEND);
3289 #else
3290 lower->methods->shutdown(lower, PR_SHUTDOWN_BOTH);
3291 #endif
3292 PORT_SetError(SSL_ERROR_NO_CERTIFICATE);
3293 return SECFailure;
3294 }
3295 return SECSuccess;
3296 }
3297
3298 /************************************************************************
3299 * Alerts
3300 */
3301
3302 /*
3303 ** Acquires both handshake and XmitBuf locks.
3304 ** Called from: ssl3_IllegalParameter <-
3305 ** ssl3_HandshakeFailure <-
3306 ** ssl3_HandleAlert <- ssl3_HandleRecord.
3307 ** ssl3_HandleChangeCipherSpecs <- ssl3_HandleRecord
3308 ** ssl3_ConsumeHandshakeVariable <-
3309 ** ssl3_HandleHelloRequest <-
3310 ** ssl3_HandleServerHello <-
3311 ** ssl3_HandleServerKeyExchange <-
3312 ** ssl3_HandleCertificateRequest <-
3313 ** ssl3_HandleServerHelloDone <-
3314 ** ssl3_HandleClientHello <-
3315 ** ssl3_HandleV2ClientHello <-
3316 ** ssl3_HandleCertificateVerify <-
3317 ** ssl3_HandleClientKeyExchange <-
3318 ** ssl3_HandleCertificate <-
3319 ** ssl3_HandleFinished <-
3320 ** ssl3_HandleHandshakeMessage <-
3321 ** ssl3_HandleRecord <-
3322 **
3323 */
3324 SECStatus
3325 SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level, SSL3AlertDescription desc)
3326 {
3327 PRUint8 bytes[2];
3328 SECStatus rv;
3329
3330 SSL_TRC(3, ("%d: SSL3[%d]: send alert record, level=%d desc=%d",
3331 SSL_GETPID(), ss->fd, level, desc));
3332
3333 bytes[0] = level;
3334 bytes[1] = desc;
3335
3336 ssl_GetSSL3HandshakeLock(ss);
3337 if (level == alert_fatal) {
3338 if (!ss->opt.noCache && ss->sec.ci.sid && ss->sec.uncache) {
3339 ss->sec.uncache(ss->sec.ci.sid);
3340 }
3341 }
3342 ssl_GetXmitBufLock(ss);
3343 rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
3344 if (rv == SECSuccess) {
3345 PRInt32 sent;
3346 sent = ssl3_SendRecord(ss, 0, content_alert, bytes, 2,
3347 desc == no_certificate
3348 ? ssl_SEND_FLAG_FORCE_INTO_BUFFER : 0);
3349 rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
3350 }
3351 ssl_ReleaseXmitBufLock(ss);
3352 ssl_ReleaseSSL3HandshakeLock(ss);
3353 return rv; /* error set by ssl3_FlushHandshake or ssl3_SendRecord */
3354 }
3355
3356 /*
3357 * Send illegal_parameter alert. Set generic error number.
3358 */
3359 static SECStatus
3360 ssl3_IllegalParameter(sslSocket *ss)
3361 {
3362 (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
3363 PORT_SetError(ss->sec.isServer ? SSL_ERROR_BAD_CLIENT
3364 : SSL_ERROR_BAD_SERVER );
3365 return SECFailure;
3366 }
3367
3368 /*
3369 * Send handshake_Failure alert. Set generic error number.
3370 */
3371 static SECStatus
3372 ssl3_HandshakeFailure(sslSocket *ss)
3373 {
3374 (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure);
3375 PORT_SetError( ss->sec.isServer ? SSL_ERROR_BAD_CLIENT
3376 : SSL_ERROR_BAD_SERVER );
3377 return SECFailure;
3378 }
3379
3380 static void
3381 ssl3_SendAlertForCertError(sslSocket * ss, PRErrorCode errCode)
3382 {
3383 SSL3AlertDescription desc = bad_certificate;
3384 PRBool isTLS = ss->version >= SSL_LIBRARY_VERSION_3_1_TLS;
3385
3386 switch (errCode) {
3387 case SEC_ERROR_LIBRARY_FAILURE: desc = unsupported_certificate; break;
3388 case SEC_ERROR_EXPIRED_CERTIFICATE: desc = certificate_expired; break;
3389 case SEC_ERROR_REVOKED_CERTIFICATE: desc = certificate_revoked; break;
3390 case SEC_ERROR_INADEQUATE_KEY_USAGE:
3391 case SEC_ERROR_INADEQUATE_CERT_TYPE:
3392 desc = certificate_unknown; break;
3393 case SEC_ERROR_UNTRUSTED_CERT:
3394 desc = isTLS ? access_denied : certificate_unknown; break;
3395 case SEC_ERROR_UNKNOWN_ISSUER:
3396 case SEC_ERROR_UNTRUSTED_ISSUER:
3397 desc = isTLS ? unknown_ca : certificate_unknown; break;
3398 case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
3399 desc = isTLS ? unknown_ca : certificate_expired; break;
3400
3401 case SEC_ERROR_CERT_NOT_IN_NAME_SPACE:
3402 case SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID:
3403 case SEC_ERROR_CA_CERT_INVALID:
3404 case SEC_ERROR_BAD_SIGNATURE:
3405 default: desc = bad_certificate; break;
3406 }
3407 SSL_DBG(("%d: SSL3[%d]: peer certificate is no good: error=%d",
3408 SSL_GETPID(), ss->fd, errCode));
3409
3410 (void) SSL3_SendAlert(ss, alert_fatal, desc);
3411 }
3412
3413
3414 /*
3415 * Send decode_error alert. Set generic error number.
3416 */
3417 SECStatus
3418 ssl3_DecodeError(sslSocket *ss)
3419 {
3420 (void)SSL3_SendAlert(ss, alert_fatal,
3421 ss->version > SSL_LIBRARY_VERSION_3_0 ? decode_error
3422 : illegal_parameter);
3423 PORT_SetError( ss->sec.isServer ? SSL_ERROR_BAD_CLIENT
3424 : SSL_ERROR_BAD_SERVER );
3425 return SECFailure;
3426 }
3427
3428 /* Called from ssl3_HandleRecord.
3429 ** Caller must hold both RecvBuf and Handshake locks.
3430 */
3431 static SECStatus
3432 ssl3_HandleAlert(sslSocket *ss, sslBuffer *buf)
3433 {
3434 SSL3AlertLevel level;
3435 SSL3AlertDescription desc;
3436 int error;
3437
3438 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
3439 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
3440
3441 SSL_TRC(3, ("%d: SSL3[%d]: handle alert record", SSL_GETPID(), ss->fd));
3442
3443 if (buf->len != 2) {
3444 (void)ssl3_DecodeError(ss);
3445 PORT_SetError(SSL_ERROR_RX_MALFORMED_ALERT);
3446 return SECFailure;
3447 }
3448 level = (SSL3AlertLevel)buf->buf[0];
3449 desc = (SSL3AlertDescription)buf->buf[1];
3450 buf->len = 0;
3451 SSL_TRC(5, ("%d: SSL3[%d] received alert, level = %d, description = %d",
3452 SSL_GETPID(), ss->fd, level, desc));
3453
3454 switch (desc) {
3455 case close_notify: ss->recvdCloseNotify = 1;
3456 error = SSL_ERROR_CLOSE_NOTIFY_ALERT; break;
3457 case unexpected_message: error = SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT;
3458 break;
3459 case bad_record_mac: error = SSL_ERROR_BAD_MAC_ALERT; break;
3460 case decryption_failed_RESERVED:
3461 error = SSL_ERROR_DECRYPTION_FAILED_ALERT;
3462 break;
3463 case record_overflow: error = SSL_ERROR_RECORD_OVERFLOW_ALERT; break;
3464 case decompression_failure: error = SSL_ERROR_DECOMPRESSION_FAILURE_ALERT;
3465 break;
3466 case handshake_failure: error = SSL_ERROR_HANDSHAKE_FAILURE_ALERT;
3467 break;
3468 case no_certificate: error = SSL_ERROR_NO_CERTIFICATE; break;
3469 case bad_certificate: error = SSL_ERROR_BAD_CERT_ALERT; break;
3470 case unsupported_certificate:error = SSL_ERROR_UNSUPPORTED_CERT_ALERT;break;
3471 case certificate_revoked: error = SSL_ERROR_REVOKED_CERT_ALERT; break;
3472 case certificate_expired: error = SSL_ERROR_EXPIRED_CERT_ALERT; break;
3473 case certificate_unknown: error = SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT;
3474 break;
3475 case illegal_parameter: error = SSL_ERROR_ILLEGAL_PARAMETER_ALERT;break;
3476 case inappropriate_fallback:
3477 error = SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT;
3478 break;
3479
3480 /* All alerts below are TLS only. */
3481 case unknown_ca: error = SSL_ERROR_UNKNOWN_CA_ALERT; break;
3482 case access_denied: error = SSL_ERROR_ACCESS_DENIED_ALERT; break;
3483 case decode_error: error = SSL_ERROR_DECODE_ERROR_ALERT; break;
3484 case decrypt_error: error = SSL_ERROR_DECRYPT_ERROR_ALERT; break;
3485 case export_restriction: error = SSL_ERROR_EXPORT_RESTRICTION_ALERT;
3486 break;
3487 case protocol_version: error = SSL_ERROR_PROTOCOL_VERSION_ALERT; break;
3488 case insufficient_security: error = SSL_ERROR_INSUFFICIENT_SECURITY_ALERT;
3489 break;
3490 case internal_error: error = SSL_ERROR_INTERNAL_ERROR_ALERT; break;
3491 case user_canceled: error = SSL_ERROR_USER_CANCELED_ALERT; break;
3492 case no_renegotiation: error = SSL_ERROR_NO_RENEGOTIATION_ALERT; break;
3493
3494 /* Alerts for TLS client hello extensions */
3495 case unsupported_extension:
3496 error = SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT; break;
3497 case certificate_unobtainable:
3498 error = SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT; break;
3499 case unrecognized_name:
3500 error = SSL_ERROR_UNRECOGNIZED_NAME_ALERT; break;
3501 case bad_certificate_status_response:
3502 error = SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT; break;
3503 case bad_certificate_hash_value:
3504 error = SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT; break;
3505 default: error = SSL_ERROR_RX_UNKNOWN_ALERT; break;
3506 }
3507 if (level == alert_fatal) {
3508 if (!ss->opt.noCache) {
3509 if (ss->sec.uncache)
3510 ss->sec.uncache(ss->sec.ci.sid);
3511 }
3512 if ((ss->ssl3.hs.ws == wait_server_hello) &&
3513 (desc == handshake_failure)) {
3514 /* XXX This is a hack. We're assuming that any handshake failure
3515 * XXX on the client hello is a failure to match ciphers.
3516 */
3517 error = SSL_ERROR_NO_CYPHER_OVERLAP;
3518 }
3519 PORT_SetError(error);
3520 return SECFailure;
3521 }
3522 if ((desc == no_certificate) && (ss->ssl3.hs.ws == wait_client_cert)) {
3523 /* I'm a server. I've requested a client cert. He hasn't got one. */
3524 SECStatus rv;
3525
3526 PORT_Assert(ss->sec.isServer);
3527 ss->ssl3.hs.ws = wait_client_key;
3528 rv = ssl3_HandleNoCertificate(ss);
3529 return rv;
3530 }
3531 return SECSuccess;
3532 }
3533
3534 /*
3535 * Change Cipher Specs
3536 * Called from ssl3_HandleServerHelloDone,
3537 * ssl3_HandleClientHello,
3538 * and ssl3_HandleFinished
3539 *
3540 * Acquires and releases spec write lock, to protect switching the current
3541 * and pending write spec pointers.
3542 */
3543
3544 static SECStatus
3545 ssl3_SendChangeCipherSpecs(sslSocket *ss)
3546 {
3547 PRUint8 change = change_cipher_spec_choice;
3548 ssl3CipherSpec * pwSpec;
3549 SECStatus rv;
3550 PRInt32 sent;
3551
3552 SSL_TRC(3, ("%d: SSL3[%d]: send change_cipher_spec record",
3553 SSL_GETPID(), ss->fd));
3554
3555 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
3556 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
3557
3558 rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
3559 if (rv != SECSuccess) {
3560 return rv; /* error code set by ssl3_FlushHandshake */
3561 }
3562 if (!IS_DTLS(ss)) {
3563 sent = ssl3_SendRecord(ss, 0, content_change_cipher_spec, &change, 1,
3564 ssl_SEND_FLAG_FORCE_INTO_BUFFER);
3565 if (sent < 0) {
3566 return (SECStatus)sent; /* error code set by ssl3_SendRecord */
3567 }
3568 } else {
3569 rv = dtls_QueueMessage(ss, content_change_cipher_spec, &change, 1);
3570 if (rv != SECSuccess) {
3571 return rv;
3572 }
3573 }
3574
3575 /* swap the pending and current write specs. */
3576 ssl_GetSpecWriteLock(ss); /**************************************/
3577 pwSpec = ss->ssl3.pwSpec;
3578
3579 ss->ssl3.pwSpec = ss->ssl3.cwSpec;
3580 ss->ssl3.cwSpec = pwSpec;
3581
3582 SSL_TRC(3, ("%d: SSL3[%d] Set Current Write Cipher Suite to Pending",
3583 SSL_GETPID(), ss->fd ));
3584
3585 /* We need to free up the contexts, keys and certs ! */
3586 /* If we are really through with the old cipher spec
3587 * (Both the read and write sides have changed) destroy it.
3588 */
3589 if (ss->ssl3.prSpec == ss->ssl3.pwSpec) {
3590 if (!IS_DTLS(ss)) {
3591 ssl3_DestroyCipherSpec(ss->ssl3.pwSpec, PR_FALSE/*freeSrvName*/);
3592 } else {
3593 /* With DTLS, we need to set a holddown timer in case the final
3594 * message got lost */
3595 ss->ssl3.hs.rtTimeoutMs = DTLS_FINISHED_TIMER_MS;
3596 dtls_StartTimer(ss, dtls_FinishedTimerCb);
3597 }
3598 }
3599 ssl_ReleaseSpecWriteLock(ss); /**************************************/
3600
3601 return SECSuccess;
3602 }
3603
3604 /* Called from ssl3_HandleRecord.
3605 ** Caller must hold both RecvBuf and Handshake locks.
3606 *
3607 * Acquires and releases spec write lock, to protect switching the current
3608 * and pending write spec pointers.
3609 */
3610 static SECStatus
3611 ssl3_HandleChangeCipherSpecs(sslSocket *ss, sslBuffer *buf)
3612 {
3613 ssl3CipherSpec * prSpec;
3614 SSL3WaitState ws = ss->ssl3.hs.ws;
3615 SSL3ChangeCipherSpecChoice change;
3616
3617 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
3618 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
3619
3620 SSL_TRC(3, ("%d: SSL3[%d]: handle change_cipher_spec record",
3621 SSL_GETPID(), ss->fd));
3622
3623 if (ws != wait_change_cipher) {
3624 if (IS_DTLS(ss)) {
3625 /* Ignore this because it's out of order. */
3626 SSL_TRC(3, ("%d: SSL3[%d]: discard out of order "
3627 "DTLS change_cipher_spec",
3628 SSL_GETPID(), ss->fd));
3629 buf->len = 0;
3630 return SECSuccess;
3631 }
3632 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
3633 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER);
3634 return SECFailure;
3635 }
3636
3637 if(buf->len != 1) {
3638 (void)ssl3_DecodeError(ss);
3639 PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
3640 return SECFailure;
3641 }
3642 change = (SSL3ChangeCipherSpecChoice)buf->buf[0];
3643 if (change != change_cipher_spec_choice) {
3644 /* illegal_parameter is correct here for both SSL3 and TLS. */
3645 (void)ssl3_IllegalParameter(ss);
3646 PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
3647 return SECFailure;
3648 }
3649 buf->len = 0;
3650
3651 /* Swap the pending and current read specs. */
3652 ssl_GetSpecWriteLock(ss); /*************************************/
3653 prSpec = ss->ssl3.prSpec;
3654
3655 ss->ssl3.prSpec = ss->ssl3.crSpec;
3656 ss->ssl3.crSpec = prSpec;
3657 ss->ssl3.hs.ws = wait_finished;
3658
3659 SSL_TRC(3, ("%d: SSL3[%d] Set Current Read Cipher Suite to Pending",
3660 SSL_GETPID(), ss->fd ));
3661
3662 /* If we are really through with the old cipher prSpec
3663 * (Both the read and write sides have changed) destroy it.
3664 */
3665 if (ss->ssl3.prSpec == ss->ssl3.pwSpec) {
3666 ssl3_DestroyCipherSpec(ss->ssl3.prSpec, PR_FALSE/*freeSrvName*/);
3667 }
3668 ssl_ReleaseSpecWriteLock(ss); /*************************************/
3669 return SECSuccess;
3670 }
3671
3672 /* This method uses PKCS11 to derive the MS from the PMS, where PMS
3673 ** is a PKCS11 symkey. This is used in all cases except the
3674 ** "triple bypass" with RSA key exchange.
3675 ** Called from ssl3_InitPendingCipherSpec. prSpec is pwSpec.
3676 */
3677 static SECStatus
3678 ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms)
3679 {
3680 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec;
3681 const ssl3KEADef *kea_def= ss->ssl3.hs.kea_def;
3682 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random;
3683 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random;
3684 PRBool isTLS = (PRBool)(kea_def->tls_keygen ||
3685 (pwSpec->version > SSL_LIBRARY_VERSION_3_0));
3686 PRBool isTLS12=
3687 (PRBool)(isTLS && pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
3688 /*
3689 * Whenever isDH is true, we need to use CKM_TLS_MASTER_KEY_DERIVE_DH
3690 * which, unlike CKM_TLS_MASTER_KEY_DERIVE, converts arbitrary size
3691 * data into a 48-byte value.
3692 */
3693 PRBool isDH = (PRBool) ((ss->ssl3.hs.kea_def->exchKeyType == kt_dh) ||
3694 (ss->ssl3.hs.kea_def->exchKeyType == kt_ecdh));
3695 SECStatus rv = SECFailure;
3696 CK_MECHANISM_TYPE master_derive;
3697 CK_MECHANISM_TYPE key_derive;
3698 SECItem params;
3699 CK_FLAGS keyFlags;
3700 CK_VERSION pms_version;
3701 CK_SSL3_MASTER_KEY_DERIVE_PARAMS master_params;
3702
3703 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
3704 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
3705 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
3706 if (isTLS12) {
3707 if(isDH) master_derive = CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256;
3708 else master_derive = CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256;
3709 key_derive = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256;
3710 keyFlags = CKF_SIGN | CKF_VERIFY;
3711 } else if (isTLS) {
3712 if(isDH) master_derive = CKM_TLS_MASTER_KEY_DERIVE_DH;
3713 else master_derive = CKM_TLS_MASTER_KEY_DERIVE;
3714 key_derive = CKM_TLS_KEY_AND_MAC_DERIVE;
3715 keyFlags = CKF_SIGN | CKF_VERIFY;
3716 } else {
3717 if (isDH) master_derive = CKM_SSL3_MASTER_KEY_DERIVE_DH;
3718 else master_derive = CKM_SSL3_MASTER_KEY_DERIVE;
3719 key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE;
3720 keyFlags = 0;
3721 }
3722
3723 if (pms || !pwSpec->master_secret) {
3724 if (isDH) {
3725 master_params.pVersion = NULL;
3726 } else {
3727 master_params.pVersion = &pms_version;
3728 }
3729 master_params.RandomInfo.pClientRandom = cr;
3730 master_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH;
3731 master_params.RandomInfo.pServerRandom = sr;
3732 master_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH;
3733
3734 params.data = (unsigned char *) &master_params;
3735 params.len = sizeof master_params;
3736 }
3737
3738 if (pms != NULL) {
3739 #if defined(TRACE)
3740 if (ssl_trace >= 100) {
3741 SECStatus extractRV = PK11_ExtractKeyValue(pms);
3742 if (extractRV == SECSuccess) {
3743 SECItem * keyData = PK11_GetKeyData(pms);
3744 if (keyData && keyData->data && keyData->len) {
3745 ssl_PrintBuf(ss, "Pre-Master Secret",
3746 keyData->data, keyData->len);
3747 }
3748 }
3749 }
3750 #endif
3751 pwSpec->master_secret = PK11_DeriveWithFlags(pms, master_derive,
3752 &params, key_derive, CKA_DERIVE, 0, keyFlags);
3753 if (!isDH && pwSpec->master_secret && ss->opt.detectRollBack) {
3754 SSL3ProtocolVersion client_version;
3755 client_version = pms_version.major << 8 | pms_version.minor;
3756
3757 if (IS_DTLS(ss)) {
3758 client_version = dtls_DTLSVersionToTLSVersion(client_version);
3759 }
3760
3761 if (client_version != ss->clientHelloVersion) {
3762 /* Destroy it. Version roll-back detected. */
3763 PK11_FreeSymKey(pwSpec->master_secret);
3764 pwSpec->master_secret = NULL;
3765 }
3766 }
3767 if (pwSpec->master_secret == NULL) {
3768 /* Generate a faux master secret in the same slot as the old one. */
3769 PK11SlotInfo * slot = PK11_GetSlotFromKey((PK11SymKey *)pms);
3770 PK11SymKey * fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot);
3771
3772 PK11_FreeSlot(slot);
3773 if (fpms != NULL) {
3774 pwSpec->master_secret = PK11_DeriveWithFlags(fpms,
3775 master_derive, &params, key_derive,
3776 CKA_DERIVE, 0, keyFlags);
3777 PK11_FreeSymKey(fpms);
3778 }
3779 }
3780 }
3781 if (pwSpec->master_secret == NULL) {
3782 /* Generate a faux master secret from the internal slot. */
3783 PK11SlotInfo * slot = PK11_GetInternalSlot();
3784 PK11SymKey * fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot);
3785
3786 PK11_FreeSlot(slot);
3787 if (fpms != NULL) {
3788 pwSpec->master_secret = PK11_DeriveWithFlags(fpms,
3789 master_derive, &params, key_derive,
3790 CKA_DERIVE, 0, keyFlags);
3791 if (pwSpec->master_secret == NULL) {
3792 pwSpec->master_secret = fpms; /* use the fpms as the master. */
3793 fpms = NULL;
3794 }
3795 }
3796 if (fpms) {
3797 PK11_FreeSymKey(fpms);
3798 }
3799 }
3800 if (pwSpec->master_secret == NULL) {
3801 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
3802 return rv;
3803 }
3804 #ifndef NO_PKCS11_BYPASS
3805 if (ss->opt.bypassPKCS11) {
3806 SECItem * keydata;
3807 /* In hope of doing a "double bypass",
3808 * need to extract the master secret's value from the key object
3809 * and store it raw in the sslSocket struct.
3810 */
3811 rv = PK11_ExtractKeyValue(pwSpec->master_secret);
3812 if (rv != SECSuccess) {
3813 return rv;
3814 }
3815 /* This returns the address of the secItem inside the key struct,
3816 * not a copy or a reference. So, there's no need to free it.
3817 */
3818 keydata = PK11_GetKeyData(pwSpec->master_secret);
3819 if (keydata && keydata->len <= sizeof pwSpec->raw_master_secret) {
3820 memcpy(pwSpec->raw_master_secret, keydata->data, keydata->len);
3821 pwSpec->msItem.data = pwSpec->raw_master_secret;
3822 pwSpec->msItem.len = keydata->len;
3823 } else {
3824 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
3825 return SECFailure;
3826 }
3827 }
3828 #endif
3829 return SECSuccess;
3830 }
3831
3832
3833 /*
3834 * Derive encryption and MAC Keys (and IVs) from master secret
3835 * Sets a useful error code when returning SECFailure.
3836 *
3837 * Called only from ssl3_InitPendingCipherSpec(),
3838 * which in turn is called from
3839 * sendRSAClientKeyExchange (for Full handshake)
3840 * sendDHClientKeyExchange (for Full handshake)
3841 * ssl3_HandleClientKeyExchange (for Full handshake)
3842 * ssl3_HandleServerHello (for session restart)
3843 * ssl3_HandleClientHello (for session restart)
3844 * Caller MUST hold the specWriteLock, and SSL3HandshakeLock.
3845 * ssl3_InitPendingCipherSpec does that.
3846 *
3847 */
3848 static SECStatus
3849 ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss)
3850 {
3851 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec;
3852 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def;
3853 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random;
3854 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random;
3855 PRBool isTLS = (PRBool)(kea_def->tls_keygen ||
3856 (pwSpec->version > SSL_LIBRARY_VERSION_3_0));
3857 PRBool isTLS12=
3858 (PRBool)(isTLS && pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
3859 /* following variables used in PKCS11 path */
3860 const ssl3BulkCipherDef *cipher_def = pwSpec->cipher_def;
3861 PK11SlotInfo * slot = NULL;
3862 PK11SymKey * symKey = NULL;
3863 void * pwArg = ss->pkcs11PinArg;
3864 int keySize;
3865 CK_SSL3_KEY_MAT_PARAMS key_material_params;
3866 CK_SSL3_KEY_MAT_OUT returnedKeys;
3867 CK_MECHANISM_TYPE key_derive;
3868 CK_MECHANISM_TYPE bulk_mechanism;
3869 SSLCipherAlgorithm calg;
3870 SECItem params;
3871 PRBool skipKeysAndIVs = (PRBool)(cipher_def->calg == calg_null);
3872
3873 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
3874 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
3875 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
3876
3877 if (!pwSpec->master_secret) {
3878 PORT_SetError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
3879 return SECFailure;
3880 }
3881 /*
3882 * generate the key material
3883 */
3884 key_material_params.ulMacSizeInBits = pwSpec->mac_size * BPB;
3885 key_material_params.ulKeySizeInBits = cipher_def->secret_key_size* BPB;
3886 key_material_params.ulIVSizeInBits = cipher_def->iv_size * BPB;
3887 if (cipher_def->type == type_block &&
3888 pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) {
3889 /* Block ciphers in >= TLS 1.1 use a per-record, explicit IV. */
3890 key_material_params.ulIVSizeInBits = 0;
3891 memset(pwSpec->client.write_iv, 0, cipher_def->iv_size);
3892 memset(pwSpec->server.write_iv, 0, cipher_def->iv_size);
3893 }
3894
3895 key_material_params.bIsExport = (CK_BBOOL)(kea_def->is_limited);
3896
3897 key_material_params.RandomInfo.pClientRandom = cr;
3898 key_material_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH;
3899 key_material_params.RandomInfo.pServerRandom = sr;
3900 key_material_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH;
3901 key_material_params.pReturnedKeyMaterial = &returnedKeys;
3902
3903 returnedKeys.pIVClient = pwSpec->client.write_iv;
3904 returnedKeys.pIVServer = pwSpec->server.write_iv;
3905 keySize = cipher_def->key_size;
3906
3907 if (skipKeysAndIVs) {
3908 keySize = 0;
3909 key_material_params.ulKeySizeInBits = 0;
3910 key_material_params.ulIVSizeInBits = 0;
3911 returnedKeys.pIVClient = NULL;
3912 returnedKeys.pIVServer = NULL;
3913 }
3914
3915 calg = cipher_def->calg;
3916 PORT_Assert( alg2Mech[calg].calg == calg);
3917 bulk_mechanism = alg2Mech[calg].cmech;
3918
3919 params.data = (unsigned char *)&key_material_params;
3920 params.len = sizeof(key_material_params);
3921
3922 if (isTLS12) {
3923 key_derive = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256;
3924 } else if (isTLS) {
3925 key_derive = CKM_TLS_KEY_AND_MAC_DERIVE;
3926 } else {
3927 key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE;
3928 }
3929
3930 /* CKM_SSL3_KEY_AND_MAC_DERIVE is defined to set ENCRYPT, DECRYPT, and
3931 * DERIVE by DEFAULT */
3932 symKey = PK11_Derive(pwSpec->master_secret, key_derive, &params,
3933 bulk_mechanism, CKA_ENCRYPT, keySize);
3934 if (!symKey) {
3935 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
3936 return SECFailure;
3937 }
3938 /* we really should use the actual mac'ing mechanism here, but we
3939 * don't because these types are used to map keytype anyway and both
3940 * mac's map to the same keytype.
3941 */
3942 slot = PK11_GetSlotFromKey(symKey);
3943
3944 PK11_FreeSlot(slot); /* slot is held until the key is freed */
3945 pwSpec->client.write_mac_key =
3946 PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
3947 CKM_SSL3_SHA1_MAC, returnedKeys.hClientMacSecret, PR_TRUE, pwArg);
3948 if (pwSpec->client.write_mac_key == NULL ) {
3949 goto loser; /* loser sets err */
3950 }
3951 pwSpec->server.write_mac_key =
3952 PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
3953 CKM_SSL3_SHA1_MAC, returnedKeys.hServerMacSecret, PR_TRUE, pwArg);
3954 if (pwSpec->server.write_mac_key == NULL ) {
3955 goto loser; /* loser sets err */
3956 }
3957 if (!skipKeysAndIVs) {
3958 pwSpec->client.write_key =
3959 PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
3960 bulk_mechanism, returnedKeys.hClientKey, PR_TRUE, pwArg);
3961 if (pwSpec->client.write_key == NULL ) {
3962 goto loser; /* loser sets err */
3963 }
3964 pwSpec->server.write_key =
3965 PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
3966 bulk_mechanism, returnedKeys.hServerKey, PR_TRUE, pwArg);
3967 if (pwSpec->server.write_key == NULL ) {
3968 goto loser; /* loser sets err */
3969 }
3970 }
3971 PK11_FreeSymKey(symKey);
3972 return SECSuccess;
3973
3974
3975 loser:
3976 if (symKey) PK11_FreeSymKey(symKey);
3977 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
3978 return SECFailure;
3979 }
3980
3981 /* ssl3_InitHandshakeHashes creates handshake hash contexts and hashes in
3982 * buffered messages in ss->ssl3.hs.messages. */
3983 static SECStatus
3984 ssl3_InitHandshakeHashes(sslSocket *ss)
3985 {
3986 SSL_TRC(30,("%d: SSL3[%d]: start handshake hashes", SSL_GETPID(), ss->fd));
3987
3988 PORT_Assert(ss->ssl3.hs.hashType == handshake_hash_unknown);
3989 #ifndef NO_PKCS11_BYPASS
3990 if (ss->opt.bypassPKCS11) {
3991 PORT_Assert(!ss->ssl3.hs.sha_obj && !ss->ssl3.hs.sha_clone);
3992 if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
3993 /* If we ever support ciphersuites where the PRF hash isn't SHA-256
3994 * then this will need to be updated. */
3995 ss->ssl3.hs.sha_obj = HASH_GetRawHashObject(HASH_AlgSHA256);
3996 if (!ss->ssl3.hs.sha_obj) {
3997 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
3998 return SECFailure;
3999 }
4000 ss->ssl3.hs.sha_clone = (void (*)(void *, void *))SHA256_Clone;
4001 ss->ssl3.hs.hashType = handshake_hash_single;
4002 ss->ssl3.hs.sha_obj->begin(ss->ssl3.hs.sha_cx);
4003 } else {
4004 ss->ssl3.hs.hashType = handshake_hash_combo;
4005 MD5_Begin((MD5Context *)ss->ssl3.hs.md5_cx);
4006 SHA1_Begin((SHA1Context *)ss->ssl3.hs.sha_cx);
4007 }
4008 } else
4009 #endif
4010 {
4011 PORT_Assert(!ss->ssl3.hs.md5 && !ss->ssl3.hs.sha);
4012 /*
4013 * note: We should probably lookup an SSL3 slot for these
4014 * handshake hashes in hopes that we wind up with the same slots
4015 * that the master secret will wind up in ...
4016 */
4017 if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
4018 /* If we ever support ciphersuites where the PRF hash isn't SHA-256
4019 * then this will need to be updated. */
4020 ss->ssl3.hs.sha = PK11_CreateDigestContext(SEC_OID_SHA256);
4021 if (ss->ssl3.hs.sha == NULL) {
4022 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
4023 return SECFailure;
4024 }
4025 ss->ssl3.hs.hashType = handshake_hash_single;
4026
4027 if (PK11_DigestBegin(ss->ssl3.hs.sha) != SECSuccess) {
4028 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
4029 return SECFailure;
4030 }
4031
4032 /* Create a backup SHA-1 hash for a potential client auth
4033 * signature.
4034 *
4035 * In TLS 1.2, ssl3_ComputeHandshakeHashes always uses the
4036 * handshake hash function (SHA-256). If the server or the client
4037 * does not support SHA-256 as a signature hash, we can either
4038 * maintain a backup SHA-1 handshake hash or buffer all handshake
4039 * messages.
4040 */
4041 if (!ss->sec.isServer) {
4042 ss->ssl3.hs.backupHash = PK11_CreateDigestContext(SEC_OID_SHA1);
4043 if (ss->ssl3.hs.backupHash == NULL) {
4044 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
4045 return SECFailure;
4046 }
4047
4048 if (PK11_DigestBegin(ss->ssl3.hs.backupHash) != SECSuccess) {
4049 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
4050 return SECFailure;
4051 }
4052 }
4053 } else {
4054 /* Both ss->ssl3.hs.md5 and ss->ssl3.hs.sha should be NULL or
4055 * created successfully. */
4056 ss->ssl3.hs.md5 = PK11_CreateDigestContext(SEC_OID_MD5);
4057 if (ss->ssl3.hs.md5 == NULL) {
4058 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
4059 return SECFailure;
4060 }
4061 ss->ssl3.hs.sha = PK11_CreateDigestContext(SEC_OID_SHA1);
4062 if (ss->ssl3.hs.sha == NULL) {
4063 PK11_DestroyContext(ss->ssl3.hs.md5, PR_TRUE);
4064 ss->ssl3.hs.md5 = NULL;
4065 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
4066 return SECFailure;
4067 }
4068 ss->ssl3.hs.hashType = handshake_hash_combo;
4069
4070 if (PK11_DigestBegin(ss->ssl3.hs.md5) != SECSuccess) {
4071 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
4072 return SECFailure;
4073 }
4074 if (PK11_DigestBegin(ss->ssl3.hs.sha) != SECSuccess) {
4075 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
4076 return SECFailure;
4077 }
4078 }
4079 }
4080
4081 if (ss->ssl3.hs.messages.len > 0) {
4082 if (ssl3_UpdateHandshakeHashes(ss, ss->ssl3.hs.messages.buf,
4083 ss->ssl3.hs.messages.len) !=
4084 SECSuccess) {
4085 return SECFailure;
4086 }
4087 PORT_Free(ss->ssl3.hs.messages.buf);
4088 ss->ssl3.hs.messages.buf = NULL;
4089 ss->ssl3.hs.messages.len = 0;
4090 ss->ssl3.hs.messages.space = 0;
4091 }
4092
4093 return SECSuccess;
4094 }
4095
4096 static SECStatus
4097 ssl3_RestartHandshakeHashes(sslSocket *ss)
4098 {
4099 SECStatus rv = SECSuccess;
4100
4101 SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes",
4102 SSL_GETPID(), ss->fd ));
4103 ss->ssl3.hs.hashType = handshake_hash_unknown;
4104 ss->ssl3.hs.messages.len = 0;
4105 #ifndef NO_PKCS11_BYPASS
4106 ss->ssl3.hs.sha_obj = NULL;
4107 ss->ssl3.hs.sha_clone = NULL;
4108 #endif
4109 if (ss->ssl3.hs.md5) {
4110 PK11_DestroyContext(ss->ssl3.hs.md5,PR_TRUE);
4111 ss->ssl3.hs.md5 = NULL;
4112 }
4113 if (ss->ssl3.hs.sha) {
4114 PK11_DestroyContext(ss->ssl3.hs.sha,PR_TRUE);
4115 ss->ssl3.hs.sha = NULL;
4116 }
4117 return rv;
4118 }
4119
4120 /*
4121 * Handshake messages
4122 */
4123 /* Called from ssl3_InitHandshakeHashes()
4124 ** ssl3_AppendHandshake()
4125 ** ssl3_StartHandshakeHash()
4126 ** ssl3_HandleV2ClientHello()
4127 ** ssl3_HandleHandshakeMessage()
4128 ** Caller must hold the ssl3Handshake lock.
4129 */
4130 static SECStatus
4131 ssl3_UpdateHandshakeHashes(sslSocket *ss, const unsigned char *b,
4132 unsigned int l)
4133 {
4134 SECStatus rv = SECSuccess;
4135
4136 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
4137
4138 /* We need to buffer the handshake messages until we have established
4139 * which handshake hash function to use. */
4140 if (ss->ssl3.hs.hashType == handshake_hash_unknown) {
4141 return sslBuffer_Append(&ss->ssl3.hs.messages, b, l);
4142 }
4143
4144 PRINT_BUF(90, (NULL, "handshake hash input:", b, l));
4145
4146 #ifndef NO_PKCS11_BYPASS
4147 if (ss->opt.bypassPKCS11) {
4148 if (ss->ssl3.hs.hashType == handshake_hash_single) {
4149 ss->ssl3.hs.sha_obj->update(ss->ssl3.hs.sha_cx, b, l);
4150 } else {
4151 MD5_Update((MD5Context *)ss->ssl3.hs.md5_cx, b, l);
4152 SHA1_Update((SHA1Context *)ss->ssl3.hs.sha_cx, b, l);
4153 }
4154 return rv;
4155 }
4156 #endif
4157 if (ss->ssl3.hs.hashType == handshake_hash_single) {
4158 rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l);
4159 if (rv != SECSuccess) {
4160 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
4161 return rv;
4162 }
4163 if (ss->ssl3.hs.backupHash) {
4164 rv = PK11_DigestOp(ss->ssl3.hs.backupHash, b, l);
4165 if (rv != SECSuccess) {
4166 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
4167 return rv;
4168 }
4169 }
4170 } else {
4171 rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l);
4172 if (rv != SECSuccess) {
4173 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
4174 return rv;
4175 }
4176 rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l);
4177 if (rv != SECSuccess) {
4178 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
4179 return rv;
4180 }
4181 }
4182 return rv;
4183 }
4184
4185 /**************************************************************************
4186 * Append Handshake functions.
4187 * All these functions set appropriate error codes.
4188 * Most rely on ssl3_AppendHandshake to set the error code.
4189 **************************************************************************/
4190 SECStatus
4191 ssl3_AppendHandshake(sslSocket *ss, const void *void_src, PRInt32 bytes)
4192 {
4193 unsigned char * src = (unsigned char *)void_src;
4194 int room = ss->sec.ci.sendBuf.space - ss->sec.ci.sendBuf.len;
4195 SECStatus rv;
4196
4197 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); /* protects sendBuf. */
4198
4199 if (!bytes)
4200 return SECSuccess;
4201 if (ss->sec.ci.sendBuf.space < MAX_SEND_BUF_LENGTH && room < bytes) {
4202 rv = sslBuffer_Grow(&ss->sec.ci.sendBuf, PR_MAX(MIN_SEND_BUF_LENGTH,
4203 PR_MIN(MAX_SEND_BUF_LENGTH, ss->sec.ci.sendBuf.len + bytes)));
4204 if (rv != SECSuccess)
4205 return rv; /* sslBuffer_Grow has set a memory error code. */
4206 room = ss->sec.ci.sendBuf.space - ss->sec.ci.sendBuf.len;
4207 }
4208
4209 PRINT_BUF(60, (ss, "Append to Handshake", (unsigned char*)void_src, bytes));
4210 rv = ssl3_UpdateHandshakeHashes(ss, src, bytes);
4211 if (rv != SECSuccess)
4212 return rv; /* error code set by ssl3_UpdateHandshakeHashes */
4213
4214 while (bytes > room) {
4215 if (room > 0)
4216 PORT_Memcpy(ss->sec.ci.sendBuf.buf + ss->sec.ci.sendBuf.len, src,
4217 room);
4218 ss->sec.ci.sendBuf.len += room;
4219 rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
4220 if (rv != SECSuccess) {
4221 return rv; /* error code set by ssl3_FlushHandshake */
4222 }
4223 bytes -= room;
4224 src += room;
4225 room = ss->sec.ci.sendBuf.space;
4226 PORT_Assert(ss->sec.ci.sendBuf.len == 0);
4227 }
4228 PORT_Memcpy(ss->sec.ci.sendBuf.buf + ss->sec.ci.sendBuf.len, src, bytes);
4229 ss->sec.ci.sendBuf.len += bytes;
4230 return SECSuccess;
4231 }
4232
4233 SECStatus
4234 ssl3_AppendHandshakeNumber(sslSocket *ss, PRInt32 num, PRInt32 lenSize)
4235 {
4236 SECStatus rv;
4237 PRUint8 b[4];
4238 PRUint8 * p = b;
4239
4240 switch (lenSize) {
4241 case 4:
4242 *p++ = (num >> 24) & 0xff;
4243 case 3:
4244 *p++ = (num >> 16) & 0xff;
4245 case 2:
4246 *p++ = (num >> 8) & 0xff;
4247 case 1:
4248 *p = num & 0xff;
4249 }
4250 SSL_TRC(60, ("%d: number:", SSL_GETPID()));
4251 rv = ssl3_AppendHandshake(ss, &b[0], lenSize);
4252 return rv; /* error code set by AppendHandshake, if applicable. */
4253 }
4254
4255 SECStatus
4256 ssl3_AppendHandshakeVariable(
4257 sslSocket *ss, const SSL3Opaque *src, PRInt32 bytes, PRInt32 lenSize)
4258 {
4259 SECStatus rv;
4260
4261 PORT_Assert((bytes < (1<<8) && lenSize == 1) ||
4262 (bytes < (1L<<16) && lenSize == 2) ||
4263 (bytes < (1L<<24) && lenSize == 3));
4264
4265 SSL_TRC(60,("%d: append variable:", SSL_GETPID()));
4266 rv = ssl3_AppendHandshakeNumber(ss, bytes, lenSize);
4267 if (rv != SECSuccess) {
4268 return rv; /* error code set by AppendHandshake, if applicable. */
4269 }
4270 SSL_TRC(60, ("data:"));
4271 rv = ssl3_AppendHandshake(ss, src, bytes);
4272 return rv; /* error code set by AppendHandshake, if applicable. */
4273 }
4274
4275 SECStatus
4276 ssl3_AppendHandshakeHeader(sslSocket *ss, SSL3HandshakeType t, PRUint32 length)
4277 {
4278 SECStatus rv;
4279
4280 /* If we already have a message in place, we need to enqueue it.
4281 * This empties the buffer. This is a convenient place to call
4282 * dtls_StageHandshakeMessage to mark the message boundary.
4283 */
4284 if (IS_DTLS(ss)) {
4285 rv = dtls_StageHandshakeMessage(ss);
4286 if (rv != SECSuccess) {
4287 return rv;
4288 }
4289 }
4290
4291 SSL_TRC(30,("%d: SSL3[%d]: append handshake header: type %s",
4292 SSL_GETPID(), ss->fd, ssl3_DecodeHandshakeType(t)));
4293
4294 rv = ssl3_AppendHandshakeNumber(ss, t, 1);
4295 if (rv != SECSuccess) {
4296 return rv; /* error code set by AppendHandshake, if applicable. */
4297 }
4298 rv = ssl3_AppendHandshakeNumber(ss, length, 3);
4299 if (rv != SECSuccess) {
4300 return rv; /* error code set by AppendHandshake, if applicable. */
4301 }
4302
4303 if (IS_DTLS(ss)) {
4304 /* Note that we make an unfragmented message here. We fragment in the
4305 * transmission code, if necessary */
4306 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.sendMessageSeq, 2);
4307 if (rv != SECSuccess) {
4308 return rv; /* error code set by AppendHandshake, if applicable. */
4309 }
4310 ss->ssl3.hs.sendMessageSeq++;
4311
4312 /* 0 is the fragment offset, because it's not fragmented yet */
4313 rv = ssl3_AppendHandshakeNumber(ss, 0, 3);
4314 if (rv != SECSuccess) {
4315 return rv; /* error code set by AppendHandshake, if applicable. */
4316 }
4317
4318 /* Fragment length -- set to the packet length because not fragmented */
4319 rv = ssl3_AppendHandshakeNumber(ss, length, 3);
4320 if (rv != SECSuccess) {
4321 return rv; /* error code set by AppendHandshake, if applicable. */
4322 }
4323 }
4324
4325 return rv; /* error code set by AppendHandshake, if applicable. */
4326 }
4327
4328 /* ssl3_AppendSignatureAndHashAlgorithm appends the serialisation of
4329 * |sigAndHash| to the current handshake message. */
4330 SECStatus
4331 ssl3_AppendSignatureAndHashAlgorithm(
4332 sslSocket *ss, const SSL3SignatureAndHashAlgorithm* sigAndHash)
4333 {
4334 unsigned char serialized[2];
4335
4336 serialized[0] = ssl3_OIDToTLSHashAlgorithm(sigAndHash->hashAlg);
4337 if (serialized[0] == 0) {
4338 PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
4339 return SECFailure;
4340 }
4341
4342 serialized[1] = sigAndHash->sigAlg;
4343
4344 return ssl3_AppendHandshake(ss, serialized, sizeof(serialized));
4345 }
4346
4347 /**************************************************************************
4348 * Consume Handshake functions.
4349 *
4350 * All data used in these functions is protected by two locks,
4351 * the RecvBufLock and the SSL3HandshakeLock
4352 **************************************************************************/
4353
4354 /* Read up the next "bytes" number of bytes from the (decrypted) input
4355 * stream "b" (which is *length bytes long). Copy them into buffer "v".
4356 * Reduces *length by bytes. Advances *b by bytes.
4357 *
4358 * If this function returns SECFailure, it has already sent an alert,
4359 * and has set a generic error code. The caller should probably
4360 * override the generic error code by setting another.
4361 */
4362 SECStatus
4363 ssl3_ConsumeHandshake(sslSocket *ss, void *v, PRInt32 bytes, SSL3Opaque **b,
4364 PRUint32 *length)
4365 {
4366 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
4367 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
4368
4369 if ((PRUint32)bytes > *length) {
4370 return ssl3_DecodeError(ss);
4371 }
4372 PORT_Memcpy(v, *b, bytes);
4373 PRINT_BUF(60, (ss, "consume bytes:", *b, bytes));
4374 *b += bytes;
4375 *length -= bytes;
4376 return SECSuccess;
4377 }
4378
4379 /* Read up the next "bytes" number of bytes from the (decrypted) input
4380 * stream "b" (which is *length bytes long), and interpret them as an
4381 * integer in network byte order. Returns the received value.
4382 * Reduces *length by bytes. Advances *b by bytes.
4383 *
4384 * Returns SECFailure (-1) on failure.
4385 * This value is indistinguishable from the equivalent received value.
4386 * Only positive numbers are to be received this way.
4387 * Thus, the largest value that may be sent this way is 0x7fffffff.
4388 * On error, an alert has been sent, and a generic error code has been set.
4389 */
4390 PRInt32
4391 ssl3_ConsumeHandshakeNumber(sslSocket *ss, PRInt32 bytes, SSL3Opaque **b,
4392 PRUint32 *length)
4393 {
4394 PRUint8 *buf = *b;
4395 int i;
4396 PRInt32 num = 0;
4397
4398 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
4399 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
4400 PORT_Assert( bytes <= sizeof num);
4401
4402 if ((PRUint32)bytes > *length) {
4403 return ssl3_DecodeError(ss);
4404 }
4405 PRINT_BUF(60, (ss, "consume bytes:", *b, bytes));
4406
4407 for (i = 0; i < bytes; i++)
4408 num = (num << 8) + buf[i];
4409 *b += bytes;
4410 *length -= bytes;
4411 return num;
4412 }
4413
4414 /* Read in two values from the incoming decrypted byte stream "b", which is
4415 * *length bytes long. The first value is a number whose size is "bytes"
4416 * bytes long. The second value is a byte-string whose size is the value
4417 * of the first number received. The latter byte-string, and its length,
4418 * is returned in the SECItem i.
4419 *
4420 * Returns SECFailure (-1) on failure.
4421 * On error, an alert has been sent, and a generic error code has been set.
4422 *
4423 * RADICAL CHANGE for NSS 3.11. All callers of this function make copies
4424 * of the data returned in the SECItem *i, so making a copy of it here
4425 * is simply wasteful. So, This function now just sets SECItem *i to
4426 * point to the values in the buffer **b.
4427 */
4428 SECStatus
4429 ssl3_ConsumeHandshakeVariable(sslSocket *ss, SECItem *i, PRInt32 bytes,
4430 SSL3Opaque **b, PRUint32 *length)
4431 {
4432 PRInt32 count;
4433
4434 PORT_Assert(bytes <= 3);
4435 i->len = 0;
4436 i->data = NULL;
4437 count = ssl3_ConsumeHandshakeNumber(ss, bytes, b, length);
4438 if (count < 0) { /* Can't test for SECSuccess here. */
4439 return SECFailure;
4440 }
4441 if (count > 0) {
4442 if ((PRUint32)count > *length) {
4443 return ssl3_DecodeError(ss);
4444 }
4445 i->data = *b;
4446 i->len = count;
4447 *b += count;
4448 *length -= count;
4449 }
4450 return SECSuccess;
4451 }
4452
4453 /* tlsHashOIDMap contains the mapping between TLS hash identifiers and the
4454 * SECOidTag used internally by NSS. */
4455 static const struct {
4456 int tlsHash;
4457 SECOidTag oid;
4458 } tlsHashOIDMap[] = {
4459 { tls_hash_md5, SEC_OID_MD5 },
4460 { tls_hash_sha1, SEC_OID_SHA1 },
4461 { tls_hash_sha224, SEC_OID_SHA224 },
4462 { tls_hash_sha256, SEC_OID_SHA256 },
4463 { tls_hash_sha384, SEC_OID_SHA384 },
4464 { tls_hash_sha512, SEC_OID_SHA512 }
4465 };
4466
4467 /* ssl3_TLSHashAlgorithmToOID converts a TLS hash identifier into an OID value.
4468 * If the hash is not recognised, SEC_OID_UNKNOWN is returned.
4469 *
4470 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
4471 SECOidTag
4472 ssl3_TLSHashAlgorithmToOID(int hashFunc)
4473 {
4474 unsigned int i;
4475
4476 for (i = 0; i < PR_ARRAY_SIZE(tlsHashOIDMap); i++) {
4477 if (hashFunc == tlsHashOIDMap[i].tlsHash) {
4478 return tlsHashOIDMap[i].oid;
4479 }
4480 }
4481 return SEC_OID_UNKNOWN;
4482 }
4483
4484 /* ssl3_OIDToTLSHashAlgorithm converts an OID to a TLS hash algorithm
4485 * identifier. If the hash is not recognised, zero is returned.
4486 *
4487 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
4488 static int
4489 ssl3_OIDToTLSHashAlgorithm(SECOidTag oid)
4490 {
4491 unsigned int i;
4492
4493 for (i = 0; i < PR_ARRAY_SIZE(tlsHashOIDMap); i++) {
4494 if (oid == tlsHashOIDMap[i].oid) {
4495 return tlsHashOIDMap[i].tlsHash;
4496 }
4497 }
4498 return 0;
4499 }
4500
4501 /* ssl3_TLSSignatureAlgorithmForKeyType returns the TLS 1.2 signature algorithm
4502 * identifier for a given KeyType. */
4503 static SECStatus
4504 ssl3_TLSSignatureAlgorithmForKeyType(KeyType keyType,
4505 TLSSignatureAlgorithm *out)
4506 {
4507 switch (keyType) {
4508 case rsaKey:
4509 *out = tls_sig_rsa;
4510 return SECSuccess;
4511 case dsaKey:
4512 *out = tls_sig_dsa;
4513 return SECSuccess;
4514 case ecKey:
4515 *out = tls_sig_ecdsa;
4516 return SECSuccess;
4517 default:
4518 PORT_SetError(SEC_ERROR_INVALID_KEY);
4519 return SECFailure;
4520 }
4521 }
4522
4523 /* ssl3_TLSSignatureAlgorithmForCertificate returns the TLS 1.2 signature
4524 * algorithm identifier for the given certificate. */
4525 static SECStatus
4526 ssl3_TLSSignatureAlgorithmForCertificate(CERTCertificate *cert,
4527 TLSSignatureAlgorithm *out)
4528 {
4529 SECKEYPublicKey *key;
4530 KeyType keyType;
4531
4532 key = CERT_ExtractPublicKey(cert);
4533 if (key == NULL) {
4534 ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
4535 return SECFailure;
4536 }
4537
4538 keyType = key->keyType;
4539 SECKEY_DestroyPublicKey(key);
4540 return ssl3_TLSSignatureAlgorithmForKeyType(keyType, out);
4541 }
4542
4543 /* ssl3_CheckSignatureAndHashAlgorithmConsistency checks that the signature
4544 * algorithm identifier in |sigAndHash| is consistent with the public key in
4545 * |cert|. If so, SECSuccess is returned. Otherwise, PORT_SetError is called
4546 * and SECFailure is returned. */
4547 SECStatus
4548 ssl3_CheckSignatureAndHashAlgorithmConsistency(
4549 const SSL3SignatureAndHashAlgorithm *sigAndHash, CERTCertificate* cert)
4550 {
4551 SECStatus rv;
4552 TLSSignatureAlgorithm sigAlg;
4553
4554 rv = ssl3_TLSSignatureAlgorithmForCertificate(cert, &sigAlg);
4555 if (rv != SECSuccess) {
4556 return rv;
4557 }
4558 if (sigAlg != sigAndHash->sigAlg) {
4559 PORT_SetError(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM);
4560 return SECFailure;
4561 }
4562 return SECSuccess;
4563 }
4564
4565 /* ssl3_ConsumeSignatureAndHashAlgorithm reads a SignatureAndHashAlgorithm
4566 * structure from |b| and puts the resulting value into |out|. |b| and |length|
4567 * are updated accordingly.
4568 *
4569 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
4570 SECStatus
4571 ssl3_ConsumeSignatureAndHashAlgorithm(sslSocket *ss,
4572 SSL3Opaque **b,
4573 PRUint32 *length,
4574 SSL3SignatureAndHashAlgorithm *out)
4575 {
4576 unsigned char bytes[2];
4577 SECStatus rv;
4578
4579 rv = ssl3_ConsumeHandshake(ss, bytes, sizeof(bytes), b, length);
4580 if (rv != SECSuccess) {
4581 return rv;
4582 }
4583
4584 out->hashAlg = ssl3_TLSHashAlgorithmToOID(bytes[0]);
4585 if (out->hashAlg == SEC_OID_UNKNOWN) {
4586 PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
4587 return SECFailure;
4588 }
4589
4590 out->sigAlg = bytes[1];
4591 return SECSuccess;
4592 }
4593
4594 /**************************************************************************
4595 * end of Consume Handshake functions.
4596 **************************************************************************/
4597
4598 /* Extract the hashes of handshake messages to this point.
4599 * Called from ssl3_SendCertificateVerify
4600 * ssl3_SendFinished
4601 * ssl3_HandleHandshakeMessage
4602 *
4603 * Caller must hold the SSL3HandshakeLock.
4604 * Caller must hold a read or write lock on the Spec R/W lock.
4605 * (There is presently no way to assert on a Read lock.)
4606 */
4607 static SECStatus
4608 ssl3_ComputeHandshakeHashes(sslSocket * ss,
4609 ssl3CipherSpec *spec, /* uses ->master_secret */
4610 SSL3Hashes * hashes, /* output goes here. */
4611 PRUint32 sender)
4612 {
4613 SECStatus rv = SECSuccess;
4614 PRBool isTLS = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0);
4615 unsigned int outLength;
4616 SSL3Opaque md5_inner[MAX_MAC_LENGTH];
4617 SSL3Opaque sha_inner[MAX_MAC_LENGTH];
4618
4619 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
4620 hashes->hashAlg = SEC_OID_UNKNOWN;
4621
4622 #ifndef NO_PKCS11_BYPASS
4623 if (ss->opt.bypassPKCS11 &&
4624 ss->ssl3.hs.hashType == handshake_hash_single) {
4625 /* compute them without PKCS11 */
4626 PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS];
4627
4628 if (!spec->msItem.data) {
4629 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
4630 return SECFailure;
4631 }
4632
4633 ss->ssl3.hs.sha_clone(sha_cx, ss->ssl3.hs.sha_cx);
4634 ss->ssl3.hs.sha_obj->end(sha_cx, hashes->u.raw, &hashes->len,
4635 sizeof(hashes->u.raw));
4636
4637 PRINT_BUF(60, (NULL, "SHA-256: result", hashes->u.raw, hashes->len));
4638
4639 /* If we ever support ciphersuites where the PRF hash isn't SHA-256
4640 * then this will need to be updated. */
4641 hashes->hashAlg = SEC_OID_SHA256;
4642 rv = SECSuccess;
4643 } else if (ss->opt.bypassPKCS11) {
4644 /* compute them without PKCS11 */
4645 PRUint64 md5_cx[MAX_MAC_CONTEXT_LLONGS];
4646 PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS];
4647
4648 #define md5cx ((MD5Context *)md5_cx)
4649 #define shacx ((SHA1Context *)sha_cx)
4650
4651 if (!spec->msItem.data) {
4652 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
4653 return SECFailure;
4654 }
4655
4656 MD5_Clone (md5cx, (MD5Context *)ss->ssl3.hs.md5_cx);
4657 SHA1_Clone(shacx, (SHA1Context *)ss->ssl3.hs.sha_cx);
4658
4659 if (!isTLS) {
4660 /* compute hashes for SSL3. */
4661 unsigned char s[4];
4662
4663 s[0] = (unsigned char)(sender >> 24);
4664 s[1] = (unsigned char)(sender >> 16);
4665 s[2] = (unsigned char)(sender >> 8);
4666 s[3] = (unsigned char)sender;
4667
4668 if (sender != 0) {
4669 MD5_Update(md5cx, s, 4);
4670 PRINT_BUF(95, (NULL, "MD5 inner: sender", s, 4));
4671 }
4672
4673 PRINT_BUF(95, (NULL, "MD5 inner: MAC Pad 1", mac_pad_1,
4674 mac_defs[mac_md5].pad_size));
4675
4676 MD5_Update(md5cx, spec->msItem.data, spec->msItem.len);
4677 MD5_Update(md5cx, mac_pad_1, mac_defs[mac_md5].pad_size);
4678 MD5_End(md5cx, md5_inner, &outLength, MD5_LENGTH);
4679
4680 PRINT_BUF(95, (NULL, "MD5 inner: result", md5_inner, outLength));
4681
4682 if (sender != 0) {
4683 SHA1_Update(shacx, s, 4);
4684 PRINT_BUF(95, (NULL, "SHA inner: sender", s, 4));
4685 }
4686
4687 PRINT_BUF(95, (NULL, "SHA inner: MAC Pad 1", mac_pad_1,
4688 mac_defs[mac_sha].pad_size));
4689
4690 SHA1_Update(shacx, spec->msItem.data, spec->msItem.len);
4691 SHA1_Update(shacx, mac_pad_1, mac_defs[mac_sha].pad_size);
4692 SHA1_End(shacx, sha_inner, &outLength, SHA1_LENGTH);
4693
4694 PRINT_BUF(95, (NULL, "SHA inner: result", sha_inner, outLength));
4695 PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2,
4696 mac_defs[mac_md5].pad_size));
4697 PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH)) ;
4698
4699 MD5_Begin(md5cx);
4700 MD5_Update(md5cx, spec->msItem.data, spec->msItem.len);
4701 MD5_Update(md5cx, mac_pad_2, mac_defs[mac_md5].pad_size);
4702 MD5_Update(md5cx, md5_inner, MD5_LENGTH);
4703 }
4704 MD5_End(md5cx, hashes->u.s.md5, &outLength, MD5_LENGTH);
4705
4706 PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->u.s.md5, MD5_LENGTH));
4707
4708 if (!isTLS) {
4709 PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2,
4710 mac_defs[mac_sha].pad_size));
4711 PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH) );
4712
4713 SHA1_Begin(shacx);
4714 SHA1_Update(shacx, spec->msItem.data, spec->msItem.len);
4715 SHA1_Update(shacx, mac_pad_2, mac_defs[mac_sha].pad_size);
4716 SHA1_Update(shacx, sha_inner, SHA1_LENGTH);
4717 }
4718 SHA1_End(shacx, hashes->u.s.sha, &outLength, SHA1_LENGTH);
4719
4720 PRINT_BUF(60, (NULL, "SHA outer: result", hashes->u.s.sha, SHA1_LENGTH)) ;
4721
4722 hashes->len = MD5_LENGTH + SHA1_LENGTH;
4723 rv = SECSuccess;
4724 #undef md5cx
4725 #undef shacx
4726 } else
4727 #endif
4728 if (ss->ssl3.hs.hashType == handshake_hash_single) {
4729 /* compute hashes with PKCS11 */
4730 PK11Context *h;
4731 unsigned int stateLen;
4732 unsigned char stackBuf[1024];
4733 unsigned char *stateBuf = NULL;
4734
4735 if (!spec->master_secret) {
4736 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
4737 return SECFailure;
4738 }
4739
4740 h = ss->ssl3.hs.sha;
4741 stateBuf = PK11_SaveContextAlloc(h, stackBuf,
4742 sizeof(stackBuf), &stateLen);
4743 if (stateBuf == NULL) {
4744 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
4745 goto tls12_loser;
4746 }
4747 rv |= PK11_DigestFinal(h, hashes->u.raw, &hashes->len,
4748 sizeof(hashes->u.raw));
4749 if (rv != SECSuccess) {
4750 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
4751 rv = SECFailure;
4752 goto tls12_loser;
4753 }
4754 /* If we ever support ciphersuites where the PRF hash isn't SHA-256
4755 * then this will need to be updated. */
4756 hashes->hashAlg = SEC_OID_SHA256;
4757 rv = SECSuccess;
4758
4759 tls12_loser:
4760 if (stateBuf) {
4761 if (PK11_RestoreContext(h, stateBuf, stateLen) != SECSuccess) {
4762 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
4763 rv = SECFailure;
4764 }
4765 if (stateBuf != stackBuf) {
4766 PORT_ZFree(stateBuf, stateLen);
4767 }
4768 }
4769 } else {
4770 /* compute hashes with PKCS11 */
4771 PK11Context * md5;
4772 PK11Context * sha = NULL;
4773 unsigned char *md5StateBuf = NULL;
4774 unsigned char *shaStateBuf = NULL;
4775 unsigned int md5StateLen, shaStateLen;
4776 unsigned char md5StackBuf[256];
4777 unsigned char shaStackBuf[512];
4778
4779 if (!spec->master_secret) {
4780 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
4781 return SECFailure;
4782 }
4783
4784 md5StateBuf = PK11_SaveContextAlloc(ss->ssl3.hs.md5, md5StackBuf,
4785 sizeof md5StackBuf, &md5StateLen);
4786 if (md5StateBuf == NULL) {
4787 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
4788 goto loser;
4789 }
4790 md5 = ss->ssl3.hs.md5;
4791
4792 shaStateBuf = PK11_SaveContextAlloc(ss->ssl3.hs.sha, shaStackBuf,
4793 sizeof shaStackBuf, &shaStateLen);
4794 if (shaStateBuf == NULL) {
4795 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
4796 goto loser;
4797 }
4798 sha = ss->ssl3.hs.sha;
4799
4800 if (!isTLS) {
4801 /* compute hashes for SSL3. */
4802 unsigned char s[4];
4803
4804 s[0] = (unsigned char)(sender >> 24);
4805 s[1] = (unsigned char)(sender >> 16);
4806 s[2] = (unsigned char)(sender >> 8);
4807 s[3] = (unsigned char)sender;
4808
4809 if (sender != 0) {
4810 rv |= PK11_DigestOp(md5, s, 4);
4811 PRINT_BUF(95, (NULL, "MD5 inner: sender", s, 4));
4812 }
4813
4814 PRINT_BUF(95, (NULL, "MD5 inner: MAC Pad 1", mac_pad_1,
4815 mac_defs[mac_md5].pad_size));
4816
4817 rv |= PK11_DigestKey(md5,spec->master_secret);
4818 rv |= PK11_DigestOp(md5, mac_pad_1, mac_defs[mac_md5].pad_size);
4819 rv |= PK11_DigestFinal(md5, md5_inner, &outLength, MD5_LENGTH);
4820 PORT_Assert(rv != SECSuccess || outLength == MD5_LENGTH);
4821 if (rv != SECSuccess) {
4822 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
4823 rv = SECFailure;
4824 goto loser;
4825 }
4826
4827 PRINT_BUF(95, (NULL, "MD5 inner: result", md5_inner, outLength));
4828
4829 if (sender != 0) {
4830 rv |= PK11_DigestOp(sha, s, 4);
4831 PRINT_BUF(95, (NULL, "SHA inner: sender", s, 4));
4832 }
4833
4834 PRINT_BUF(95, (NULL, "SHA inner: MAC Pad 1", mac_pad_1,
4835 mac_defs[mac_sha].pad_size));
4836
4837 rv |= PK11_DigestKey(sha, spec->master_secret);
4838 rv |= PK11_DigestOp(sha, mac_pad_1, mac_defs[mac_sha].pad_size);
4839 rv |= PK11_DigestFinal(sha, sha_inner, &outLength, SHA1_LENGTH);
4840 PORT_Assert(rv != SECSuccess || outLength == SHA1_LENGTH);
4841 if (rv != SECSuccess) {
4842 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
4843 rv = SECFailure;
4844 goto loser;
4845 }
4846
4847 PRINT_BUF(95, (NULL, "SHA inner: result", sha_inner, outLength));
4848
4849 PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2,
4850 mac_defs[mac_md5].pad_size));
4851 PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH)) ;
4852
4853 rv |= PK11_DigestBegin(md5);
4854 rv |= PK11_DigestKey(md5, spec->master_secret);
4855 rv |= PK11_DigestOp(md5, mac_pad_2, mac_defs[mac_md5].pad_size);
4856 rv |= PK11_DigestOp(md5, md5_inner, MD5_LENGTH);
4857 }
4858 rv |= PK11_DigestFinal(md5, hashes->u.s.md5, &outLength, MD5_LENGTH);
4859 PORT_Assert(rv != SECSuccess || outLength == MD5_LENGTH);
4860 if (rv != SECSuccess) {
4861 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
4862 rv = SECFailure;
4863 goto loser;
4864 }
4865
4866 PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->u.s.md5, MD5_LENGTH));
4867
4868 if (!isTLS) {
4869 PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2,
4870 mac_defs[mac_sha].pad_size));
4871 PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH) );
4872
4873 rv |= PK11_DigestBegin(sha);
4874 rv |= PK11_DigestKey(sha,spec->master_secret);
4875 rv |= PK11_DigestOp(sha, mac_pad_2, mac_defs[mac_sha].pad_size);
4876 rv |= PK11_DigestOp(sha, sha_inner, SHA1_LENGTH);
4877 }
4878 rv |= PK11_DigestFinal(sha, hashes->u.s.sha, &outLength, SHA1_LENGTH);
4879 PORT_Assert(rv != SECSuccess || outLength == SHA1_LENGTH);
4880 if (rv != SECSuccess) {
4881 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
4882 rv = SECFailure;
4883 goto loser;
4884 }
4885
4886 PRINT_BUF(60, (NULL, "SHA outer: result", hashes->u.s.sha, SHA1_LENGTH)) ;
4887
4888 hashes->len = MD5_LENGTH + SHA1_LENGTH;
4889 rv = SECSuccess;
4890
4891 loser:
4892 if (md5StateBuf) {
4893 if (PK11_RestoreContext(ss->ssl3.hs.md5, md5StateBuf, md5StateLen)
4894 != SECSuccess)
4895 {
4896 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
4897 rv = SECFailure;
4898 }
4899 if (md5StateBuf != md5StackBuf) {
4900 PORT_ZFree(md5StateBuf, md5StateLen);
4901 }
4902 }
4903 if (shaStateBuf) {
4904 if (PK11_RestoreContext(ss->ssl3.hs.sha, shaStateBuf, shaStateLen)
4905 != SECSuccess)
4906 {
4907 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
4908 rv = SECFailure;
4909 }
4910 if (shaStateBuf != shaStackBuf) {
4911 PORT_ZFree(shaStateBuf, shaStateLen);
4912 }
4913 }
4914 }
4915 return rv;
4916 }
4917
4918 static SECStatus
4919 ssl3_ComputeBackupHandshakeHashes(sslSocket * ss,
4920 SSL3Hashes * hashes) /* output goes here. */
4921 {
4922 SECStatus rv = SECSuccess;
4923
4924 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
4925 PORT_Assert( !ss->sec.isServer );
4926 PORT_Assert( ss->ssl3.hs.hashType == handshake_hash_single );
4927
4928 rv = PK11_DigestFinal(ss->ssl3.hs.backupHash, hashes->u.raw, &hashes->len,
4929 sizeof(hashes->u.raw));
4930 if (rv != SECSuccess) {
4931 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
4932 rv = SECFailure;
4933 goto loser;
4934 }
4935 hashes->hashAlg = SEC_OID_SHA1;
4936
4937 loser:
4938 PK11_DestroyContext(ss->ssl3.hs.backupHash, PR_TRUE);
4939 ss->ssl3.hs.backupHash = NULL;
4940 return rv;
4941 }
4942
4943 /*
4944 * SSL 2 based implementations pass in the initial outbound buffer
4945 * so that the handshake hash can contain the included information.
4946 *
4947 * Called from ssl2_BeginClientHandshake() in sslcon.c
4948 */
4949 SECStatus
4950 ssl3_StartHandshakeHash(sslSocket *ss, unsigned char * buf, int length)
4951 {
4952 SECStatus rv;
4953
4954 ssl_GetSSL3HandshakeLock(ss); /**************************************/
4955
4956 rv = ssl3_InitState(ss);
4957 if (rv != SECSuccess) {
4958 goto done; /* ssl3_InitState has set the error code. */
4959 }
4960 rv = ssl3_RestartHandshakeHashes(ss);
4961 if (rv != SECSuccess) {
4962 goto done;
4963 }
4964
4965 PORT_Memset(&ss->ssl3.hs.client_random, 0, SSL3_RANDOM_LENGTH);
4966 PORT_Memcpy(
4967 &ss->ssl3.hs.client_random.rand[SSL3_RANDOM_LENGTH - SSL_CHALLENGE_BYTES ],
4968 &ss->sec.ci.clientChallenge,
4969 SSL_CHALLENGE_BYTES);
4970
4971 rv = ssl3_UpdateHandshakeHashes(ss, buf, length);
4972 /* if it failed, ssl3_UpdateHandshakeHashes has set the error code. */
4973
4974 done:
4975 ssl_ReleaseSSL3HandshakeLock(ss); /**************************************/
4976 return rv;
4977 }
4978
4979 /**************************************************************************
4980 * end of Handshake Hash functions.
4981 * Begin Send and Handle functions for handshakes.
4982 **************************************************************************/
4983
4984 /* Called from ssl3_HandleHelloRequest(),
4985 * ssl3_RedoHandshake()
4986 * ssl2_BeginClientHandshake (when resuming ssl3 session)
4987 * dtls_HandleHelloVerifyRequest(with resending=PR_TRUE)
4988 */
4989 SECStatus
4990 ssl3_SendClientHello(sslSocket *ss, PRBool resending)
4991 {
4992 sslSessionID * sid;
4993 ssl3CipherSpec * cwSpec;
4994 SECStatus rv;
4995 int i;
4996 int length;
4997 int num_suites;
4998 int actual_count = 0;
4999 PRBool isTLS = PR_FALSE;
5000 PRBool requestingResume = PR_FALSE, fallbackSCSV = PR_FALSE;
5001 PRInt32 total_exten_len = 0;
5002 unsigned paddingExtensionLen;
5003 unsigned numCompressionMethods;
5004 PRInt32 flags;
5005
5006 SSL_TRC(3, ("%d: SSL3[%d]: send client_hello handshake", SSL_GETPID(),
5007 ss->fd));
5008
5009 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
5010 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
5011
5012 rv = ssl3_InitState(ss);
5013 if (rv != SECSuccess) {
5014 return rv; /* ssl3_InitState has set the error code. */
5015 }
5016 ss->ssl3.hs.sendingSCSV = PR_FALSE; /* Must be reset every handshake */
5017 PORT_Assert(IS_DTLS(ss) || !resending);
5018
5019 SECITEM_FreeItem(&ss->ssl3.hs.newSessionTicket.ticket, PR_FALSE);
5020 ss->ssl3.hs.receivedNewSessionTicket = PR_FALSE;
5021
5022 /* We might be starting a session renegotiation in which case we should
5023 * clear previous state.
5024 */
5025 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
5026
5027 rv = ssl3_RestartHandshakeHashes(ss);
5028 if (rv != SECSuccess) {
5029 return rv;
5030 }
5031
5032 /*
5033 * During a renegotiation, ss->clientHelloVersion will be used again to
5034 * work around a Windows SChannel bug. Ensure that it is still enabled.
5035 */
5036 if (ss->firstHsDone) {
5037 if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
5038 PORT_SetError(SSL_ERROR_SSL_DISABLED);
5039 return SECFailure;
5040 }
5041
5042 if (ss->clientHelloVersion < ss->vrange.min ||
5043 ss->clientHelloVersion > ss->vrange.max) {
5044 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
5045 return SECFailure;
5046 }
5047 }
5048
5049 /* We ignore ss->sec.ci.sid here, and use ssl_Lookup because Lookup
5050 * handles expired entries and other details.
5051 * XXX If we've been called from ssl2_BeginClientHandshake, then
5052 * this lookup is duplicative and wasteful.
5053 */
5054 sid = (ss->opt.noCache) ? NULL
5055 : ssl_LookupSID(&ss->sec.ci.peer, ss->sec.ci.port, ss->peerID, ss->u rl);
5056
5057 /* We can't resume based on a different token. If the sid exists,
5058 * make sure the token that holds the master secret still exists ...
5059 * If we previously did client-auth, make sure that the token that holds
5060 * the private key still exists, is logged in, hasn't been removed, etc.
5061 */
5062 if (sid) {
5063 PRBool sidOK = PR_TRUE;
5064 if (sid->u.ssl3.keys.msIsWrapped) {
5065 /* Session key was wrapped, which means it was using PKCS11, */
5066 PK11SlotInfo *slot = NULL;
5067 if (sid->u.ssl3.masterValid && !ss->opt.bypassPKCS11) {
5068 slot = SECMOD_LookupSlot(sid->u.ssl3.masterModuleID,
5069 sid->u.ssl3.masterSlotID);
5070 }
5071 if (slot == NULL) {
5072 sidOK = PR_FALSE;
5073 } else {
5074 PK11SymKey *wrapKey = NULL;
5075 if (!PK11_IsPresent(slot) ||
5076 ((wrapKey = PK11_GetWrapKey(slot,
5077 sid->u.ssl3.masterWrapIndex,
5078 sid->u.ssl3.masterWrapMech,
5079 sid->u.ssl3.masterWrapSeries,
5080 ss->pkcs11PinArg)) == NULL) ) {
5081 sidOK = PR_FALSE;
5082 }
5083 if (wrapKey) PK11_FreeSymKey(wrapKey);
5084 PK11_FreeSlot(slot);
5085 slot = NULL;
5086 }
5087 }
5088 /* If we previously did client-auth, make sure that the token that
5089 ** holds the private key still exists, is logged in, hasn't been
5090 ** removed, etc.
5091 */
5092 if (sidOK && !ssl3_ClientAuthTokenPresent(sid)) {
5093 sidOK = PR_FALSE;
5094 }
5095
5096 /* TLS 1.0 (RFC 2246) Appendix E says:
5097 * Whenever a client already knows the highest protocol known to
5098 * a server (for example, when resuming a session), it should
5099 * initiate the connection in that native protocol.
5100 * So we pass sid->version to ssl3_NegotiateVersion() here, except
5101 * when renegotiating.
5102 *
5103 * Windows SChannel compares the client_version inside the RSA
5104 * EncryptedPreMasterSecret of a renegotiation with the
5105 * client_version of the initial ClientHello rather than the
5106 * ClientHello in the renegotiation. To work around this bug, we
5107 * continue to use the client_version used in the initial
5108 * ClientHello when renegotiating.
5109 */
5110 if (sidOK) {
5111 if (ss->firstHsDone) {
5112 /*
5113 * The client_version of the initial ClientHello is still
5114 * available in ss->clientHelloVersion. Ensure that
5115 * sid->version is bounded within
5116 * [ss->vrange.min, ss->clientHelloVersion], otherwise we
5117 * can't use sid.
5118 */
5119 if (sid->version >= ss->vrange.min &&
5120 sid->version <= ss->clientHelloVersion) {
5121 ss->version = ss->clientHelloVersion;
5122 } else {
5123 sidOK = PR_FALSE;
5124 }
5125 } else {
5126 if (ssl3_NegotiateVersion(ss, sid->version,
5127 PR_FALSE) != SECSuccess) {
5128 sidOK = PR_FALSE;
5129 }
5130 }
5131 }
5132
5133 if (!sidOK) {
5134 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_not_ok );
5135 if (ss->sec.uncache)
5136 (*ss->sec.uncache)(sid);
5137 ssl_FreeSID(sid);
5138 sid = NULL;
5139 }
5140 }
5141
5142 if (sid) {
5143 requestingResume = PR_TRUE;
5144 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_hits );
5145
5146 PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl3.sessionID,
5147 sid->u.ssl3.sessionIDLength));
5148
5149 ss->ssl3.policy = sid->u.ssl3.policy;
5150 } else {
5151 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_misses );
5152
5153 /*
5154 * Windows SChannel compares the client_version inside the RSA
5155 * EncryptedPreMasterSecret of a renegotiation with the
5156 * client_version of the initial ClientHello rather than the
5157 * ClientHello in the renegotiation. To work around this bug, we
5158 * continue to use the client_version used in the initial
5159 * ClientHello when renegotiating.
5160 */
5161 if (ss->firstHsDone) {
5162 ss->version = ss->clientHelloVersion;
5163 } else {
5164 rv = ssl3_NegotiateVersion(ss, SSL_LIBRARY_VERSION_MAX_SUPPORTED,
5165 PR_TRUE);
5166 if (rv != SECSuccess)
5167 return rv; /* error code was set */
5168 }
5169
5170 sid = ssl3_NewSessionID(ss, PR_FALSE);
5171 if (!sid) {
5172 return SECFailure; /* memory error is set */
5173 }
5174 }
5175
5176 isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0);
5177 ssl_GetSpecWriteLock(ss);
5178 cwSpec = ss->ssl3.cwSpec;
5179 if (cwSpec->mac_def->mac == mac_null) {
5180 /* SSL records are not being MACed. */
5181 cwSpec->version = ss->version;
5182 }
5183 ssl_ReleaseSpecWriteLock(ss);
5184
5185 if (ss->sec.ci.sid != NULL) {
5186 ssl_FreeSID(ss->sec.ci.sid); /* decrement ref count, free if zero */
5187 }
5188 ss->sec.ci.sid = sid;
5189
5190 ss->sec.send = ssl3_SendApplicationData;
5191
5192 /* shouldn't get here if SSL3 is disabled, but ... */
5193 if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
5194 PR_NOT_REACHED("No versions of SSL 3.0 or later are enabled");
5195 PORT_SetError(SSL_ERROR_SSL_DISABLED);
5196 return SECFailure;
5197 }
5198
5199 /* how many suites does our PKCS11 support (regardless of policy)? */
5200 num_suites = ssl3_config_match_init(ss);
5201 if (!num_suites)
5202 return SECFailure; /* ssl3_config_match_init has set error code. */
5203
5204 /* HACK for SCSV in SSL 3.0. On initial handshake, prepend SCSV,
5205 * only if TLS is disabled.
5206 */
5207 if (!ss->firstHsDone && !isTLS) {
5208 /* Must set this before calling Hello Extension Senders,
5209 * to suppress sending of empty RI extension.
5210 */
5211 ss->ssl3.hs.sendingSCSV = PR_TRUE;
5212 }
5213
5214 /* When we attempt session resumption (only), we must lock the sid to
5215 * prevent races with other resumption connections that receive a
5216 * NewSessionTicket that will cause the ticket in the sid to be replaced.
5217 * Once we've copied the session ticket into our ClientHello message, it
5218 * is OK for the ticket to change, so we just need to make sure we hold
5219 * the lock across the calls to ssl3_CallHelloExtensionSenders.
5220 */
5221 if (sid->u.ssl3.lock) {
5222 NSSRWLock_LockRead(sid->u.ssl3.lock);
5223 }
5224
5225 if (isTLS || (ss->firstHsDone && ss->peerRequestedProtection)) {
5226 PRUint32 maxBytes = 65535; /* 2^16 - 1 */
5227 PRInt32 extLen;
5228
5229 extLen = ssl3_CallHelloExtensionSenders(ss, PR_FALSE, maxBytes, NULL);
5230 if (extLen < 0) {
5231 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5232 return SECFailure;
5233 }
5234 maxBytes -= extLen;
5235 total_exten_len += extLen;
5236
5237 if (total_exten_len > 0)
5238 total_exten_len += 2;
5239 }
5240
5241 #if defined(NSS_ENABLE_ECC)
5242 if (!total_exten_len || !isTLS) {
5243 /* not sending the elliptic_curves and ec_point_formats extensions */
5244 ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */
5245 }
5246 #endif
5247
5248 if (IS_DTLS(ss)) {
5249 ssl3_DisableNonDTLSSuites(ss);
5250 }
5251
5252 if (!ssl3_HasGCMSupport()) {
5253 ssl3_DisableGCMSuites(ss);
5254 }
5255
5256 /* how many suites are permitted by policy and user preference? */
5257 num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE);
5258 if (!num_suites) {
5259 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5260 return SECFailure; /* count_cipher_suites has set error code. */
5261 }
5262
5263 fallbackSCSV = ss->opt.enableFallbackSCSV && (!requestingResume ||
5264 ss->version < sid->version);
5265 /* make room for SCSV */
5266 if (ss->ssl3.hs.sendingSCSV) {
5267 ++num_suites;
5268 }
5269 if (fallbackSCSV) {
5270 ++num_suites;
5271 }
5272
5273 /* count compression methods */
5274 numCompressionMethods = 0;
5275 for (i = 0; i < compressionMethodsCount; i++) {
5276 if (compressionEnabled(ss, compressions[i]))
5277 numCompressionMethods++;
5278 }
5279
5280 length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH +
5281 1 + ((sid == NULL) ? 0 : sid->u.ssl3.sessionIDLength) +
5282 2 + num_suites*sizeof(ssl3CipherSuite) +
5283 1 + numCompressionMethods + total_exten_len;
5284 if (IS_DTLS(ss)) {
5285 length += 1 + ss->ssl3.hs.cookieLen;
5286 }
5287
5288 /* A padding extension may be included to ensure that the record containing
5289 * the ClientHello doesn't have a length between 256 and 511 bytes
5290 * (inclusive). Initial, ClientHello records with such lengths trigger bugs
5291 * in F5 devices.
5292 *
5293 * This is not done for DTLS nor for renegotiation. */
5294 if (!IS_DTLS(ss) && isTLS && !ss->firstHsDone) {
5295 paddingExtensionLen = ssl3_CalculatePaddingExtensionLength(length);
5296 total_exten_len += paddingExtensionLen;
5297 length += paddingExtensionLen;
5298 } else {
5299 paddingExtensionLen = 0;
5300 }
5301
5302 rv = ssl3_AppendHandshakeHeader(ss, client_hello, length);
5303 if (rv != SECSuccess) {
5304 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5305 return rv; /* err set by ssl3_AppendHandshake* */
5306 }
5307
5308 if (ss->firstHsDone) {
5309 /* The client hello version must stay unchanged to work around
5310 * the Windows SChannel bug described above. */
5311 PORT_Assert(ss->version == ss->clientHelloVersion);
5312 }
5313 ss->clientHelloVersion = ss->version;
5314 if (IS_DTLS(ss)) {
5315 PRUint16 version;
5316
5317 version = dtls_TLSVersionToDTLSVersion(ss->clientHelloVersion);
5318 rv = ssl3_AppendHandshakeNumber(ss, version, 2);
5319 } else {
5320 rv = ssl3_AppendHandshakeNumber(ss, ss->clientHelloVersion, 2);
5321 }
5322 if (rv != SECSuccess) {
5323 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5324 return rv; /* err set by ssl3_AppendHandshake* */
5325 }
5326
5327 if (!resending) { /* Don't re-generate if we are in DTLS re-sending mode */
5328 rv = ssl3_GetNewRandom(&ss->ssl3.hs.client_random);
5329 if (rv != SECSuccess) {
5330 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5331 return rv; /* err set by GetNewRandom. */
5332 }
5333 }
5334 rv = ssl3_AppendHandshake(ss, &ss->ssl3.hs.client_random,
5335 SSL3_RANDOM_LENGTH);
5336 if (rv != SECSuccess) {
5337 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5338 return rv; /* err set by ssl3_AppendHandshake* */
5339 }
5340
5341 if (sid)
5342 rv = ssl3_AppendHandshakeVariable(
5343 ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1);
5344 else
5345 rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
5346 if (rv != SECSuccess) {
5347 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5348 return rv; /* err set by ssl3_AppendHandshake* */
5349 }
5350
5351 if (IS_DTLS(ss)) {
5352 rv = ssl3_AppendHandshakeVariable(
5353 ss, ss->ssl3.hs.cookie, ss->ssl3.hs.cookieLen, 1);
5354 if (rv != SECSuccess) {
5355 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5356 return rv; /* err set by ssl3_AppendHandshake* */
5357 }
5358 }
5359
5360 rv = ssl3_AppendHandshakeNumber(ss, num_suites*sizeof(ssl3CipherSuite), 2);
5361 if (rv != SECSuccess) {
5362 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5363 return rv; /* err set by ssl3_AppendHandshake* */
5364 }
5365
5366 if (ss->ssl3.hs.sendingSCSV) {
5367 /* Add the actual SCSV */
5368 rv = ssl3_AppendHandshakeNumber(ss, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
5369 sizeof(ssl3CipherSuite));
5370 if (rv != SECSuccess) {
5371 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5372 return rv; /* err set by ssl3_AppendHandshake* */
5373 }
5374 actual_count++;
5375 }
5376
5377 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
5378 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
5379 if (config_match(suite, ss->ssl3.policy, PR_TRUE, &ss->vrange)) {
5380 actual_count++;
5381 if (actual_count > num_suites) {
5382 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5383 /* set error card removal/insertion error */
5384 PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
5385 return SECFailure;
5386 }
5387 rv = ssl3_AppendHandshakeNumber(ss, suite->cipher_suite,
5388 sizeof(ssl3CipherSuite));
5389 if (rv != SECSuccess) {
5390 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5391 return rv; /* err set by ssl3_AppendHandshake* */
5392 }
5393 }
5394 }
5395
5396 if (fallbackSCSV) {
5397 rv = ssl3_AppendHandshakeNumber(ss, TLS_FALLBACK_SCSV,
5398 sizeof(ssl3CipherSuite));
5399 if (rv != SECSuccess) {
5400 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5401 return rv; /* err set by ssl3_AppendHandshake* */
5402 }
5403 actual_count++;
5404 }
5405
5406 /* if cards were removed or inserted between count_cipher_suites and
5407 * generating our list, detect the error here rather than send it off to
5408 * the server.. */
5409 if (actual_count != num_suites) {
5410 /* Card removal/insertion error */
5411 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5412 PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
5413 return SECFailure;
5414 }
5415
5416 rv = ssl3_AppendHandshakeNumber(ss, numCompressionMethods, 1);
5417 if (rv != SECSuccess) {
5418 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5419 return rv; /* err set by ssl3_AppendHandshake* */
5420 }
5421 for (i = 0; i < compressionMethodsCount; i++) {
5422 if (!compressionEnabled(ss, compressions[i]))
5423 continue;
5424 rv = ssl3_AppendHandshakeNumber(ss, compressions[i], 1);
5425 if (rv != SECSuccess) {
5426 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5427 return rv; /* err set by ssl3_AppendHandshake* */
5428 }
5429 }
5430
5431 if (total_exten_len) {
5432 PRUint32 maxBytes = total_exten_len - 2;
5433 PRInt32 extLen;
5434
5435 rv = ssl3_AppendHandshakeNumber(ss, maxBytes, 2);
5436 if (rv != SECSuccess) {
5437 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5438 return rv; /* err set by AppendHandshake. */
5439 }
5440
5441 extLen = ssl3_CallHelloExtensionSenders(ss, PR_TRUE, maxBytes, NULL);
5442 if (extLen < 0) {
5443 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5444 return SECFailure;
5445 }
5446 maxBytes -= extLen;
5447
5448 extLen = ssl3_AppendPaddingExtension(ss, paddingExtensionLen, maxBytes);
5449 if (extLen < 0) {
5450 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5451 return SECFailure;
5452 }
5453 maxBytes -= extLen;
5454
5455 PORT_Assert(!maxBytes);
5456 }
5457
5458 if (sid->u.ssl3.lock) {
5459 NSSRWLock_UnlockRead(sid->u.ssl3.lock);
5460 }
5461
5462 if (ss->xtnData.sentSessionTicketInClientHello) {
5463 SSL_AtomicIncrementLong(&ssl3stats.sch_sid_stateless_resumes);
5464 }
5465
5466 if (ss->ssl3.hs.sendingSCSV) {
5467 /* Since we sent the SCSV, pretend we sent empty RI extension. */
5468 TLSExtensionData *xtnData = &ss->xtnData;
5469 xtnData->advertised[xtnData->numAdvertised++] =
5470 ssl_renegotiation_info_xtn;
5471 }
5472
5473 flags = 0;
5474 if (!ss->firstHsDone && !IS_DTLS(ss)) {
5475 flags |= ssl_SEND_FLAG_CAP_RECORD_VERSION;
5476 }
5477 rv = ssl3_FlushHandshake(ss, flags);
5478 if (rv != SECSuccess) {
5479 return rv; /* error code set by ssl3_FlushHandshake */
5480 }
5481
5482 ss->ssl3.hs.ws = wait_server_hello;
5483 return rv;
5484 }
5485
5486
5487 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
5488 * ssl3 Hello Request.
5489 * Caller must hold Handshake and RecvBuf locks.
5490 */
5491 static SECStatus
5492 ssl3_HandleHelloRequest(sslSocket *ss)
5493 {
5494 sslSessionID *sid = ss->sec.ci.sid;
5495 SECStatus rv;
5496
5497 SSL_TRC(3, ("%d: SSL3[%d]: handle hello_request handshake",
5498 SSL_GETPID(), ss->fd));
5499
5500 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
5501 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
5502
5503 if (ss->ssl3.hs.ws == wait_server_hello)
5504 return SECSuccess;
5505 if (ss->ssl3.hs.ws != idle_handshake || ss->sec.isServer) {
5506 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
5507 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST);
5508 return SECFailure;
5509 }
5510 if (ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) {
5511 ssl_GetXmitBufLock(ss);
5512 rv = SSL3_SendAlert(ss, alert_warning, no_renegotiation);
5513 ssl_ReleaseXmitBufLock(ss);
5514 PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED);
5515 return SECFailure;
5516 }
5517
5518 if (sid) {
5519 if (ss->sec.uncache)
5520 ss->sec.uncache(sid);
5521 ssl_FreeSID(sid);
5522 ss->sec.ci.sid = NULL;
5523 }
5524
5525 if (IS_DTLS(ss)) {
5526 dtls_RehandshakeCleanup(ss);
5527 }
5528
5529 ssl_GetXmitBufLock(ss);
5530 rv = ssl3_SendClientHello(ss, PR_FALSE);
5531 ssl_ReleaseXmitBufLock(ss);
5532
5533 return rv;
5534 }
5535
5536 #define UNKNOWN_WRAP_MECHANISM 0x7fffffff
5537
5538 static const CK_MECHANISM_TYPE wrapMechanismList[SSL_NUM_WRAP_MECHS] = {
5539 CKM_DES3_ECB,
5540 CKM_CAST5_ECB,
5541 CKM_DES_ECB,
5542 CKM_KEY_WRAP_LYNKS,
5543 CKM_IDEA_ECB,
5544 CKM_CAST3_ECB,
5545 CKM_CAST_ECB,
5546 CKM_RC5_ECB,
5547 CKM_RC2_ECB,
5548 CKM_CDMF_ECB,
5549 CKM_SKIPJACK_WRAP,
5550 CKM_SKIPJACK_CBC64,
5551 CKM_AES_ECB,
5552 CKM_CAMELLIA_ECB,
5553 CKM_SEED_ECB,
5554 UNKNOWN_WRAP_MECHANISM
5555 };
5556
5557 static int
5558 ssl_FindIndexByWrapMechanism(CK_MECHANISM_TYPE mech)
5559 {
5560 const CK_MECHANISM_TYPE *pMech = wrapMechanismList;
5561
5562 while (mech != *pMech && *pMech != UNKNOWN_WRAP_MECHANISM) {
5563 ++pMech;
5564 }
5565 return (*pMech == UNKNOWN_WRAP_MECHANISM) ? -1
5566 : (pMech - wrapMechanismList);
5567 }
5568
5569 static PK11SymKey *
5570 ssl_UnwrapSymWrappingKey(
5571 SSLWrappedSymWrappingKey *pWswk,
5572 SECKEYPrivateKey * svrPrivKey,
5573 SSL3KEAType exchKeyType,
5574 CK_MECHANISM_TYPE masterWrapMech,
5575 void * pwArg)
5576 {
5577 PK11SymKey * unwrappedWrappingKey = NULL;
5578 SECItem wrappedKey;
5579 #ifdef NSS_ENABLE_ECC
5580 PK11SymKey * Ks;
5581 SECKEYPublicKey pubWrapKey;
5582 ECCWrappedKeyInfo *ecWrapped;
5583 #endif /* NSS_ENABLE_ECC */
5584
5585 /* found the wrapping key on disk. */
5586 PORT_Assert(pWswk->symWrapMechanism == masterWrapMech);
5587 PORT_Assert(pWswk->exchKeyType == exchKeyType);
5588 if (pWswk->symWrapMechanism != masterWrapMech ||
5589 pWswk->exchKeyType != exchKeyType) {
5590 goto loser;
5591 }
5592 wrappedKey.type = siBuffer;
5593 wrappedKey.data = pWswk->wrappedSymmetricWrappingkey;
5594 wrappedKey.len = pWswk->wrappedSymKeyLen;
5595 PORT_Assert(wrappedKey.len <= sizeof pWswk->wrappedSymmetricWrappingkey);
5596
5597 switch (exchKeyType) {
5598
5599 case kt_rsa:
5600 unwrappedWrappingKey =
5601 PK11_PubUnwrapSymKey(svrPrivKey, &wrappedKey,
5602 masterWrapMech, CKA_UNWRAP, 0);
5603 break;
5604
5605 #ifdef NSS_ENABLE_ECC
5606 case kt_ecdh:
5607 /*
5608 * For kt_ecdh, we first create an EC public key based on
5609 * data stored with the wrappedSymmetricWrappingkey. Next,
5610 * we do an ECDH computation involving this public key and
5611 * the SSL server's (long-term) EC private key. The resulting
5612 * shared secret is treated the same way as Fortezza's Ks, i.e.,
5613 * it is used to recover the symmetric wrapping key.
5614 *
5615 * The data in wrappedSymmetricWrappingkey is laid out as defined
5616 * in the ECCWrappedKeyInfo structure.
5617 */
5618 ecWrapped = (ECCWrappedKeyInfo *) pWswk->wrappedSymmetricWrappingkey;
5619
5620 PORT_Assert(ecWrapped->encodedParamLen + ecWrapped->pubValueLen +
5621 ecWrapped->wrappedKeyLen <= MAX_EC_WRAPPED_KEY_BUFLEN);
5622
5623 if (ecWrapped->encodedParamLen + ecWrapped->pubValueLen +
5624 ecWrapped->wrappedKeyLen > MAX_EC_WRAPPED_KEY_BUFLEN) {
5625 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
5626 goto loser;
5627 }
5628
5629 pubWrapKey.keyType = ecKey;
5630 pubWrapKey.u.ec.size = ecWrapped->size;
5631 pubWrapKey.u.ec.DEREncodedParams.len = ecWrapped->encodedParamLen;
5632 pubWrapKey.u.ec.DEREncodedParams.data = ecWrapped->var;
5633 pubWrapKey.u.ec.publicValue.len = ecWrapped->pubValueLen;
5634 pubWrapKey.u.ec.publicValue.data = ecWrapped->var +
5635 ecWrapped->encodedParamLen;
5636
5637 wrappedKey.len = ecWrapped->wrappedKeyLen;
5638 wrappedKey.data = ecWrapped->var + ecWrapped->encodedParamLen +
5639 ecWrapped->pubValueLen;
5640
5641 /* Derive Ks using ECDH */
5642 Ks = PK11_PubDeriveWithKDF(svrPrivKey, &pubWrapKey, PR_FALSE, NULL,
5643 NULL, CKM_ECDH1_DERIVE, masterWrapMech,
5644 CKA_DERIVE, 0, CKD_NULL, NULL, NULL);
5645 if (Ks == NULL) {
5646 goto loser;
5647 }
5648
5649 /* Use Ks to unwrap the wrapping key */
5650 unwrappedWrappingKey = PK11_UnwrapSymKey(Ks, masterWrapMech, NULL,
5651 &wrappedKey, masterWrapMech,
5652 CKA_UNWRAP, 0);
5653 PK11_FreeSymKey(Ks);
5654
5655 break;
5656 #endif
5657
5658 default:
5659 /* Assert? */
5660 SET_ERROR_CODE
5661 goto loser;
5662 }
5663 loser:
5664 return unwrappedWrappingKey;
5665 }
5666
5667 /* Each process sharing the server session ID cache has its own array of
5668 * SymKey pointers for the symmetric wrapping keys that are used to wrap
5669 * the master secrets. There is one key for each KEA type. These Symkeys
5670 * correspond to the wrapped SymKeys kept in the server session cache.
5671 */
5672
5673 typedef struct {
5674 PK11SymKey * symWrapKey[kt_kea_size];
5675 } ssl3SymWrapKey;
5676
5677 static PZLock * symWrapKeysLock = NULL;
5678 static ssl3SymWrapKey symWrapKeys[SSL_NUM_WRAP_MECHS];
5679
5680 SECStatus ssl_FreeSymWrapKeysLock(void)
5681 {
5682 if (symWrapKeysLock) {
5683 PZ_DestroyLock(symWrapKeysLock);
5684 symWrapKeysLock = NULL;
5685 return SECSuccess;
5686 }
5687 PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
5688 return SECFailure;
5689 }
5690
5691 SECStatus
5692 SSL3_ShutdownServerCache(void)
5693 {
5694 int i, j;
5695
5696 if (!symWrapKeysLock)
5697 return SECSuccess; /* lock was never initialized */
5698 PZ_Lock(symWrapKeysLock);
5699 /* get rid of all symWrapKeys */
5700 for (i = 0; i < SSL_NUM_WRAP_MECHS; ++i) {
5701 for (j = 0; j < kt_kea_size; ++j) {
5702 PK11SymKey ** pSymWrapKey;
5703 pSymWrapKey = &symWrapKeys[i].symWrapKey[j];
5704 if (*pSymWrapKey) {
5705 PK11_FreeSymKey(*pSymWrapKey);
5706 *pSymWrapKey = NULL;
5707 }
5708 }
5709 }
5710
5711 PZ_Unlock(symWrapKeysLock);
5712 return SECSuccess;
5713 }
5714
5715 SECStatus ssl_InitSymWrapKeysLock(void)
5716 {
5717 symWrapKeysLock = PZ_NewLock(nssILockOther);
5718 return symWrapKeysLock ? SECSuccess : SECFailure;
5719 }
5720
5721 /* Try to get wrapping key for mechanism from in-memory array.
5722 * If that fails, look for one on disk.
5723 * If that fails, generate a new one, put the new one on disk,
5724 * Put the new key in the in-memory array.
5725 */
5726 static PK11SymKey *
5727 getWrappingKey( sslSocket * ss,
5728 PK11SlotInfo * masterSecretSlot,
5729 SSL3KEAType exchKeyType,
5730 CK_MECHANISM_TYPE masterWrapMech,
5731 void * pwArg)
5732 {
5733 SECKEYPrivateKey * svrPrivKey;
5734 SECKEYPublicKey * svrPubKey = NULL;
5735 PK11SymKey * unwrappedWrappingKey = NULL;
5736 PK11SymKey ** pSymWrapKey;
5737 CK_MECHANISM_TYPE asymWrapMechanism = CKM_INVALID_MECHANISM;
5738 int length;
5739 int symWrapMechIndex;
5740 SECStatus rv;
5741 SECItem wrappedKey;
5742 SSLWrappedSymWrappingKey wswk;
5743 #ifdef NSS_ENABLE_ECC
5744 PK11SymKey * Ks = NULL;
5745 SECKEYPublicKey *pubWrapKey = NULL;
5746 SECKEYPrivateKey *privWrapKey = NULL;
5747 ECCWrappedKeyInfo *ecWrapped;
5748 #endif /* NSS_ENABLE_ECC */
5749
5750 svrPrivKey = ss->serverCerts[exchKeyType].SERVERKEY;
5751 PORT_Assert(svrPrivKey != NULL);
5752 if (!svrPrivKey) {
5753 return NULL; /* why are we here?!? */
5754 }
5755
5756 symWrapMechIndex = ssl_FindIndexByWrapMechanism(masterWrapMech);
5757 PORT_Assert(symWrapMechIndex >= 0);
5758 if (symWrapMechIndex < 0)
5759 return NULL; /* invalid masterWrapMech. */
5760
5761 pSymWrapKey = &symWrapKeys[symWrapMechIndex].symWrapKey[exchKeyType];
5762
5763 ssl_InitSessionCacheLocks();
5764
5765 PZ_Lock(symWrapKeysLock);
5766
5767 unwrappedWrappingKey = *pSymWrapKey;
5768 if (unwrappedWrappingKey != NULL) {
5769 if (PK11_VerifyKeyOK(unwrappedWrappingKey)) {
5770 unwrappedWrappingKey = PK11_ReferenceSymKey(unwrappedWrappingKey);
5771 goto done;
5772 }
5773 /* slot series has changed, so this key is no good any more. */
5774 PK11_FreeSymKey(unwrappedWrappingKey);
5775 *pSymWrapKey = unwrappedWrappingKey = NULL;
5776 }
5777
5778 /* Try to get wrapped SymWrapping key out of the (disk) cache. */
5779 /* Following call fills in wswk on success. */
5780 if (ssl_GetWrappingKey(symWrapMechIndex, exchKeyType, &wswk)) {
5781 /* found the wrapped sym wrapping key on disk. */
5782 unwrappedWrappingKey =
5783 ssl_UnwrapSymWrappingKey(&wswk, svrPrivKey, exchKeyType,
5784 masterWrapMech, pwArg);
5785 if (unwrappedWrappingKey) {
5786 goto install;
5787 }
5788 }
5789
5790 if (!masterSecretSlot) /* caller doesn't want to create a new one. */
5791 goto loser;
5792
5793 length = PK11_GetBestKeyLength(masterSecretSlot, masterWrapMech);
5794 /* Zero length means fixed key length algorithm, or error.
5795 * It's ambiguous.
5796 */
5797 unwrappedWrappingKey = PK11_KeyGen(masterSecretSlot, masterWrapMech, NULL,
5798 length, pwArg);
5799 if (!unwrappedWrappingKey) {
5800 goto loser;
5801 }
5802
5803 /* Prepare the buffer to receive the wrappedWrappingKey,
5804 * the symmetric wrapping key wrapped using the server's pub key.
5805 */
5806 PORT_Memset(&wswk, 0, sizeof wswk); /* eliminate UMRs. */
5807
5808 if (ss->serverCerts[exchKeyType].serverKeyPair) {
5809 svrPubKey = ss->serverCerts[exchKeyType].serverKeyPair->pubKey;
5810 }
5811 if (svrPubKey == NULL) {
5812 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
5813 goto loser;
5814 }
5815 wrappedKey.type = siBuffer;
5816 wrappedKey.len = SECKEY_PublicKeyStrength(svrPubKey);
5817 wrappedKey.data = wswk.wrappedSymmetricWrappingkey;
5818
5819 PORT_Assert(wrappedKey.len <= sizeof wswk.wrappedSymmetricWrappingkey);
5820 if (wrappedKey.len > sizeof wswk.wrappedSymmetricWrappingkey)
5821 goto loser;
5822
5823 /* wrap symmetric wrapping key in server's public key. */
5824 switch (exchKeyType) {
5825 case kt_rsa:
5826 asymWrapMechanism = CKM_RSA_PKCS;
5827 rv = PK11_PubWrapSymKey(asymWrapMechanism, svrPubKey,
5828 unwrappedWrappingKey, &wrappedKey);
5829 break;
5830
5831 #ifdef NSS_ENABLE_ECC
5832 case kt_ecdh:
5833 /*
5834 * We generate an ephemeral EC key pair. Perform an ECDH
5835 * computation involving this ephemeral EC public key and
5836 * the SSL server's (long-term) EC private key. The resulting
5837 * shared secret is treated in the same way as Fortezza's Ks,
5838 * i.e., it is used to wrap the wrapping key. To facilitate
5839 * unwrapping in ssl_UnwrapWrappingKey, we also store all
5840 * relevant info about the ephemeral EC public key in
5841 * wswk.wrappedSymmetricWrappingkey and lay it out as
5842 * described in the ECCWrappedKeyInfo structure.
5843 */
5844 PORT_Assert(svrPubKey->keyType == ecKey);
5845 if (svrPubKey->keyType != ecKey) {
5846 /* something is wrong in sslsecur.c if this isn't an ecKey */
5847 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
5848 rv = SECFailure;
5849 goto ec_cleanup;
5850 }
5851
5852 privWrapKey = SECKEY_CreateECPrivateKey(
5853 &svrPubKey->u.ec.DEREncodedParams, &pubWrapKey, NULL);
5854 if ((privWrapKey == NULL) || (pubWrapKey == NULL)) {
5855 rv = SECFailure;
5856 goto ec_cleanup;
5857 }
5858
5859 /* Set the key size in bits */
5860 if (pubWrapKey->u.ec.size == 0) {
5861 pubWrapKey->u.ec.size = SECKEY_PublicKeyStrengthInBits(svrPubKey);
5862 }
5863
5864 PORT_Assert(pubWrapKey->u.ec.DEREncodedParams.len +
5865 pubWrapKey->u.ec.publicValue.len < MAX_EC_WRAPPED_KEY_BUFLEN);
5866 if (pubWrapKey->u.ec.DEREncodedParams.len +
5867 pubWrapKey->u.ec.publicValue.len >= MAX_EC_WRAPPED_KEY_BUFLEN) {
5868 PORT_SetError(SEC_ERROR_INVALID_KEY);
5869 rv = SECFailure;
5870 goto ec_cleanup;
5871 }
5872
5873 /* Derive Ks using ECDH */
5874 Ks = PK11_PubDeriveWithKDF(svrPrivKey, pubWrapKey, PR_FALSE, NULL,
5875 NULL, CKM_ECDH1_DERIVE, masterWrapMech,
5876 CKA_DERIVE, 0, CKD_NULL, NULL, NULL);
5877 if (Ks == NULL) {
5878 rv = SECFailure;
5879 goto ec_cleanup;
5880 }
5881
5882 ecWrapped = (ECCWrappedKeyInfo *) (wswk.wrappedSymmetricWrappingkey);
5883 ecWrapped->size = pubWrapKey->u.ec.size;
5884 ecWrapped->encodedParamLen = pubWrapKey->u.ec.DEREncodedParams.len;
5885 PORT_Memcpy(ecWrapped->var, pubWrapKey->u.ec.DEREncodedParams.data,
5886 pubWrapKey->u.ec.DEREncodedParams.len);
5887
5888 ecWrapped->pubValueLen = pubWrapKey->u.ec.publicValue.len;
5889 PORT_Memcpy(ecWrapped->var + ecWrapped->encodedParamLen,
5890 pubWrapKey->u.ec.publicValue.data,
5891 pubWrapKey->u.ec.publicValue.len);
5892
5893 wrappedKey.len = MAX_EC_WRAPPED_KEY_BUFLEN -
5894 (ecWrapped->encodedParamLen + ecWrapped->pubValueLen);
5895 wrappedKey.data = ecWrapped->var + ecWrapped->encodedParamLen +
5896 ecWrapped->pubValueLen;
5897
5898 /* wrap symmetricWrapping key with the local Ks */
5899 rv = PK11_WrapSymKey(masterWrapMech, NULL, Ks,
5900 unwrappedWrappingKey, &wrappedKey);
5901
5902 if (rv != SECSuccess) {
5903 goto ec_cleanup;
5904 }
5905
5906 /* Write down the length of wrapped key in the buffer
5907 * wswk.wrappedSymmetricWrappingkey at the appropriate offset
5908 */
5909 ecWrapped->wrappedKeyLen = wrappedKey.len;
5910
5911 ec_cleanup:
5912 if (privWrapKey) SECKEY_DestroyPrivateKey(privWrapKey);
5913 if (pubWrapKey) SECKEY_DestroyPublicKey(pubWrapKey);
5914 if (Ks) PK11_FreeSymKey(Ks);
5915 asymWrapMechanism = masterWrapMech;
5916 break;
5917 #endif /* NSS_ENABLE_ECC */
5918
5919 default:
5920 rv = SECFailure;
5921 break;
5922 }
5923
5924 if (rv != SECSuccess) {
5925 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
5926 goto loser;
5927 }
5928
5929 PORT_Assert(asymWrapMechanism != CKM_INVALID_MECHANISM);
5930
5931 wswk.symWrapMechanism = masterWrapMech;
5932 wswk.symWrapMechIndex = symWrapMechIndex;
5933 wswk.asymWrapMechanism = asymWrapMechanism;
5934 wswk.exchKeyType = exchKeyType;
5935 wswk.wrappedSymKeyLen = wrappedKey.len;
5936
5937 /* put it on disk. */
5938 /* If the wrapping key for this KEA type has already been set,
5939 * then abandon the value we just computed and
5940 * use the one we got from the disk.
5941 */
5942 if (ssl_SetWrappingKey(&wswk)) {
5943 /* somebody beat us to it. The original contents of our wswk
5944 * has been replaced with the content on disk. Now, discard
5945 * the key we just created and unwrap this new one.
5946 */
5947 PK11_FreeSymKey(unwrappedWrappingKey);
5948
5949 unwrappedWrappingKey =
5950 ssl_UnwrapSymWrappingKey(&wswk, svrPrivKey, exchKeyType,
5951 masterWrapMech, pwArg);
5952 }
5953
5954 install:
5955 if (unwrappedWrappingKey) {
5956 *pSymWrapKey = PK11_ReferenceSymKey(unwrappedWrappingKey);
5957 }
5958
5959 loser:
5960 done:
5961 PZ_Unlock(symWrapKeysLock);
5962 return unwrappedWrappingKey;
5963 }
5964
5965 /* hexEncode hex encodes |length| bytes from |in| and writes it as |length*2|
5966 * bytes to |out|. */
5967 static void
5968 hexEncode(char *out, const unsigned char *in, unsigned int length)
5969 {
5970 static const char hextable[] = "0123456789abcdef";
5971 unsigned int i;
5972
5973 for (i = 0; i < length; i++) {
5974 *(out++) = hextable[in[i] >> 4];
5975 *(out++) = hextable[in[i] & 15];
5976 }
5977 }
5978
5979 /* Called from ssl3_SendClientKeyExchange(). */
5980 /* Presently, this always uses PKCS11. There is no bypass for this. */
5981 static SECStatus
5982 sendRSAClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
5983 {
5984 PK11SymKey * pms = NULL;
5985 SECStatus rv = SECFailure;
5986 SECItem enc_pms = {siBuffer, NULL, 0};
5987 PRBool isTLS;
5988
5989 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
5990 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
5991
5992 /* Generate the pre-master secret ... */
5993 ssl_GetSpecWriteLock(ss);
5994 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
5995
5996 pms = ssl3_GenerateRSAPMS(ss, ss->ssl3.pwSpec, NULL);
5997 ssl_ReleaseSpecWriteLock(ss);
5998 if (pms == NULL) {
5999 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
6000 goto loser;
6001 }
6002
6003 /* Get the wrapped (encrypted) pre-master secret, enc_pms */
6004 enc_pms.len = SECKEY_PublicKeyStrength(svrPubKey);
6005 enc_pms.data = (unsigned char*)PORT_Alloc(enc_pms.len);
6006 if (enc_pms.data == NULL) {
6007 goto loser; /* err set by PORT_Alloc */
6008 }
6009
6010 /* wrap pre-master secret in server's public key. */
6011 rv = PK11_PubWrapSymKey(CKM_RSA_PKCS, svrPubKey, pms, &enc_pms);
6012 if (rv != SECSuccess) {
6013 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
6014 goto loser;
6015 }
6016
6017 if (ssl_keylog_iob) {
6018 SECStatus extractRV = PK11_ExtractKeyValue(pms);
6019 if (extractRV == SECSuccess) {
6020 SECItem * keyData = PK11_GetKeyData(pms);
6021 if (keyData && keyData->data && keyData->len) {
6022 #ifdef TRACE
6023 if (ssl_trace >= 100) {
6024 ssl_PrintBuf(ss, "Pre-Master Secret",
6025 keyData->data, keyData->len);
6026 }
6027 #endif
6028 if (ssl_keylog_iob && enc_pms.len >= 8 && keyData->len == 48) {
6029 /* https://developer.mozilla.org/en/NSS_Key_Log_Format */
6030
6031 /* There could be multiple, concurrent writers to the
6032 * keylog, so we have to do everything in a single call to
6033 * fwrite. */
6034 char buf[4 + 8*2 + 1 + 48*2 + 1];
6035
6036 strcpy(buf, "RSA ");
6037 hexEncode(buf + 4, enc_pms.data, 8);
6038 buf[20] = ' ';
6039 hexEncode(buf + 21, keyData->data, 48);
6040 buf[sizeof(buf) - 1] = '\n';
6041
6042 fwrite(buf, sizeof(buf), 1, ssl_keylog_iob);
6043 fflush(ssl_keylog_iob);
6044 }
6045 }
6046 }
6047 }
6048
6049 rv = ssl3_InitPendingCipherSpec(ss, pms);
6050 PK11_FreeSymKey(pms); pms = NULL;
6051
6052 if (rv != SECSuccess) {
6053 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
6054 goto loser;
6055 }
6056
6057 rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange,
6058 isTLS ? enc_pms.len + 2 : enc_pms.len);
6059 if (rv != SECSuccess) {
6060 goto loser; /* err set by ssl3_AppendHandshake* */
6061 }
6062 if (isTLS) {
6063 rv = ssl3_AppendHandshakeVariable(ss, enc_pms.data, enc_pms.len, 2);
6064 } else {
6065 rv = ssl3_AppendHandshake(ss, enc_pms.data, enc_pms.len);
6066 }
6067 if (rv != SECSuccess) {
6068 goto loser; /* err set by ssl3_AppendHandshake* */
6069 }
6070
6071 rv = SECSuccess;
6072
6073 loser:
6074 if (enc_pms.data != NULL) {
6075 PORT_Free(enc_pms.data);
6076 }
6077 if (pms != NULL) {
6078 PK11_FreeSymKey(pms);
6079 }
6080 return rv;
6081 }
6082
6083 /* Called from ssl3_SendClientKeyExchange(). */
6084 /* Presently, this always uses PKCS11. There is no bypass for this. */
6085 static SECStatus
6086 sendDHClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
6087 {
6088 PK11SymKey * pms = NULL;
6089 SECStatus rv = SECFailure;
6090 PRBool isTLS;
6091 CK_MECHANISM_TYPE target;
6092
6093 SECKEYDHParams dhParam; /* DH parameters */
6094 SECKEYPublicKey *pubKey = NULL; /* Ephemeral DH key */
6095 SECKEYPrivateKey *privKey = NULL; /* Ephemeral DH key */
6096
6097 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
6098 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
6099
6100 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
6101
6102 /* Copy DH parameters from server key */
6103
6104 if (svrPubKey->keyType != dhKey) {
6105 PORT_SetError(SEC_ERROR_BAD_KEY);
6106 goto loser;
6107 }
6108 dhParam.prime.data = svrPubKey->u.dh.prime.data;
6109 dhParam.prime.len = svrPubKey->u.dh.prime.len;
6110 dhParam.base.data = svrPubKey->u.dh.base.data;
6111 dhParam.base.len = svrPubKey->u.dh.base.len;
6112
6113 /* Generate ephemeral DH keypair */
6114 privKey = SECKEY_CreateDHPrivateKey(&dhParam, &pubKey, NULL);
6115 if (!privKey || !pubKey) {
6116 ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
6117 rv = SECFailure;
6118 goto loser;
6119 }
6120 PRINT_BUF(50, (ss, "DH public value:",
6121 pubKey->u.dh.publicValue.data,
6122 pubKey->u.dh.publicValue.len));
6123
6124 if (isTLS) target = CKM_TLS_MASTER_KEY_DERIVE_DH;
6125 else target = CKM_SSL3_MASTER_KEY_DERIVE_DH;
6126
6127 /* Determine the PMS */
6128
6129 pms = PK11_PubDerive(privKey, svrPubKey, PR_FALSE, NULL, NULL,
6130 CKM_DH_PKCS_DERIVE, target, CKA_DERIVE, 0, NULL);
6131
6132 if (pms == NULL) {
6133 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
6134 goto loser;
6135 }
6136
6137 SECKEY_DestroyPrivateKey(privKey);
6138 privKey = NULL;
6139
6140 rv = ssl3_InitPendingCipherSpec(ss, pms);
6141 PK11_FreeSymKey(pms); pms = NULL;
6142
6143 if (rv != SECSuccess) {
6144 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
6145 goto loser;
6146 }
6147
6148 rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange,
6149 pubKey->u.dh.publicValue.len + 2);
6150 if (rv != SECSuccess) {
6151 goto loser; /* err set by ssl3_AppendHandshake* */
6152 }
6153 rv = ssl3_AppendHandshakeVariable(ss,
6154 pubKey->u.dh.publicValue.data,
6155 pubKey->u.dh.publicValue.len, 2);
6156 SECKEY_DestroyPublicKey(pubKey);
6157 pubKey = NULL;
6158
6159 if (rv != SECSuccess) {
6160 goto loser; /* err set by ssl3_AppendHandshake* */
6161 }
6162
6163 rv = SECSuccess;
6164
6165
6166 loser:
6167
6168 if(pms) PK11_FreeSymKey(pms);
6169 if(privKey) SECKEY_DestroyPrivateKey(privKey);
6170 if(pubKey) SECKEY_DestroyPublicKey(pubKey);
6171 return rv;
6172 }
6173
6174
6175
6176
6177
6178 /* Called from ssl3_HandleServerHelloDone(). */
6179 static SECStatus
6180 ssl3_SendClientKeyExchange(sslSocket *ss)
6181 {
6182 SECKEYPublicKey * serverKey = NULL;
6183 SECStatus rv = SECFailure;
6184 PRBool isTLS;
6185
6186 SSL_TRC(3, ("%d: SSL3[%d]: send client_key_exchange handshake",
6187 SSL_GETPID(), ss->fd));
6188
6189 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
6190 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
6191
6192 if (ss->sec.peerKey == NULL) {
6193 serverKey = CERT_ExtractPublicKey(ss->sec.peerCert);
6194 if (serverKey == NULL) {
6195 ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
6196 return SECFailure;
6197 }
6198 } else {
6199 serverKey = ss->sec.peerKey;
6200 ss->sec.peerKey = NULL; /* we're done with it now */
6201 }
6202
6203 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
6204 /* enforce limits on kea key sizes. */
6205 if (ss->ssl3.hs.kea_def->is_limited) {
6206 int keyLen = SECKEY_PublicKeyStrength(serverKey); /* bytes */
6207
6208 if (keyLen * BPB > ss->ssl3.hs.kea_def->key_size_limit) {
6209 if (isTLS)
6210 (void)SSL3_SendAlert(ss, alert_fatal, export_restriction);
6211 else
6212 (void)ssl3_HandshakeFailure(ss);
6213 PORT_SetError(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED);
6214 goto loser;
6215 }
6216 }
6217
6218 ss->sec.keaType = ss->ssl3.hs.kea_def->exchKeyType;
6219 ss->sec.keaKeyBits = SECKEY_PublicKeyStrengthInBits(serverKey);
6220
6221 switch (ss->ssl3.hs.kea_def->exchKeyType) {
6222 case kt_rsa:
6223 rv = sendRSAClientKeyExchange(ss, serverKey);
6224 break;
6225
6226 case kt_dh:
6227 rv = sendDHClientKeyExchange(ss, serverKey);
6228 break;
6229
6230 #ifdef NSS_ENABLE_ECC
6231 case kt_ecdh:
6232 rv = ssl3_SendECDHClientKeyExchange(ss, serverKey);
6233 break;
6234 #endif /* NSS_ENABLE_ECC */
6235
6236 default:
6237 /* got an unknown or unsupported Key Exchange Algorithm. */
6238 SEND_ALERT
6239 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
6240 break;
6241 }
6242
6243 SSL_TRC(3, ("%d: SSL3[%d]: DONE sending client_key_exchange",
6244 SSL_GETPID(), ss->fd));
6245
6246 loser:
6247 if (serverKey)
6248 SECKEY_DestroyPublicKey(serverKey);
6249 return rv; /* err code already set. */
6250 }
6251
6252 /* Called from ssl3_HandleServerHelloDone(). */
6253 static SECStatus
6254 ssl3_SendCertificateVerify(sslSocket *ss)
6255 {
6256 SECStatus rv = SECFailure;
6257 PRBool isTLS;
6258 PRBool isTLS12;
6259 SECItem buf = {siBuffer, NULL, 0};
6260 SSL3Hashes hashes;
6261 KeyType keyType;
6262 unsigned int len;
6263 SSL3SignatureAndHashAlgorithm sigAndHash;
6264
6265 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
6266 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
6267
6268 SSL_TRC(3, ("%d: SSL3[%d]: send certificate_verify handshake",
6269 SSL_GETPID(), ss->fd));
6270
6271 ssl_GetSpecReadLock(ss);
6272 if (ss->ssl3.hs.hashType == handshake_hash_single &&
6273 ss->ssl3.hs.backupHash) {
6274 rv = ssl3_ComputeBackupHandshakeHashes(ss, &hashes);
6275 PORT_Assert(!ss->ssl3.hs.backupHash);
6276 } else {
6277 rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0);
6278 }
6279 ssl_ReleaseSpecReadLock(ss);
6280 if (rv != SECSuccess) {
6281 goto done; /* err code was set by ssl3_ComputeHandshakeHashes */
6282 }
6283
6284 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
6285 isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
6286 if (ss->ssl3.platformClientKey) {
6287 #ifdef NSS_PLATFORM_CLIENT_AUTH
6288 keyType = CERT_GetCertKeyType(
6289 &ss->ssl3.clientCertificate->subjectPublicKeyInfo);
6290 rv = ssl3_PlatformSignHashes(
6291 &hashes, ss->ssl3.platformClientKey, &buf, isTLS, keyType);
6292 ssl_FreePlatformKey(ss->ssl3.platformClientKey);
6293 ss->ssl3.platformClientKey = (PlatformKey)NULL;
6294 #endif /* NSS_PLATFORM_CLIENT_AUTH */
6295 } else {
6296 keyType = ss->ssl3.clientPrivateKey->keyType;
6297 rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS);
6298 if (rv == SECSuccess) {
6299 PK11SlotInfo * slot;
6300 sslSessionID * sid = ss->sec.ci.sid;
6301
6302 /* Remember the info about the slot that did the signing.
6303 ** Later, when doing an SSL restart handshake, verify this.
6304 ** These calls are mere accessors, and can't fail.
6305 */
6306 slot = PK11_GetSlotFromPrivateKey(ss->ssl3.clientPrivateKey);
6307 sid->u.ssl3.clAuthSeries = PK11_GetSlotSeries(slot);
6308 sid->u.ssl3.clAuthSlotID = PK11_GetSlotID(slot);
6309 sid->u.ssl3.clAuthModuleID = PK11_GetModuleID(slot);
6310 sid->u.ssl3.clAuthValid = PR_TRUE;
6311 PK11_FreeSlot(slot);
6312 }
6313 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
6314 ss->ssl3.clientPrivateKey = NULL;
6315 }
6316 if (rv != SECSuccess) {
6317 goto done; /* err code was set by ssl3_SignHashes */
6318 }
6319
6320 len = buf.len + 2 + (isTLS12 ? 2 : 0);
6321
6322 rv = ssl3_AppendHandshakeHeader(ss, certificate_verify, len);
6323 if (rv != SECSuccess) {
6324 goto done; /* error code set by AppendHandshake */
6325 }
6326 if (isTLS12) {
6327 rv = ssl3_TLSSignatureAlgorithmForKeyType(keyType,
6328 &sigAndHash.sigAlg);
6329 if (rv != SECSuccess) {
6330 goto done;
6331 }
6332 sigAndHash.hashAlg = hashes.hashAlg;
6333
6334 rv = ssl3_AppendSignatureAndHashAlgorithm(ss, &sigAndHash);
6335 if (rv != SECSuccess) {
6336 goto done; /* err set by AppendHandshake. */
6337 }
6338 }
6339 rv = ssl3_AppendHandshakeVariable(ss, buf.data, buf.len, 2);
6340 if (rv != SECSuccess) {
6341 goto done; /* error code set by AppendHandshake */
6342 }
6343
6344 done:
6345 if (buf.data)
6346 PORT_Free(buf.data);
6347 return rv;
6348 }
6349
6350 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
6351 * ssl3 ServerHello message.
6352 * Caller must hold Handshake and RecvBuf locks.
6353 */
6354 static SECStatus
6355 ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
6356 {
6357 sslSessionID *sid = ss->sec.ci.sid;
6358 PRInt32 temp; /* allow for consume number failure */
6359 PRBool suite_found = PR_FALSE;
6360 int i;
6361 int errCode = SSL_ERROR_RX_MALFORMED_SERVER_HELLO;
6362 SECStatus rv;
6363 SECItem sidBytes = {siBuffer, NULL, 0};
6364 PRBool sid_match;
6365 PRBool isTLS = PR_FALSE;
6366 SSL3AlertDescription desc = illegal_parameter;
6367 SSL3ProtocolVersion version;
6368
6369 SSL_TRC(3, ("%d: SSL3[%d]: handle server_hello handshake",
6370 SSL_GETPID(), ss->fd));
6371 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
6372 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
6373 PORT_Assert( ss->ssl3.initialized );
6374
6375 if (ss->ssl3.hs.ws != wait_server_hello) {
6376 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO;
6377 desc = unexpected_message;
6378 goto alert_loser;
6379 }
6380
6381 /* clean up anything left from previous handshake. */
6382 if (ss->ssl3.clientCertChain != NULL) {
6383 CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
6384 ss->ssl3.clientCertChain = NULL;
6385 }
6386 if (ss->ssl3.clientCertificate != NULL) {
6387 CERT_DestroyCertificate(ss->ssl3.clientCertificate);
6388 ss->ssl3.clientCertificate = NULL;
6389 }
6390 if (ss->ssl3.clientPrivateKey != NULL) {
6391 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
6392 ss->ssl3.clientPrivateKey = NULL;
6393 }
6394 #ifdef NSS_PLATFORM_CLIENT_AUTH
6395 if (ss->ssl3.platformClientKey) {
6396 ssl_FreePlatformKey(ss->ssl3.platformClientKey);
6397 ss->ssl3.platformClientKey = (PlatformKey)NULL;
6398 }
6399 #endif /* NSS_PLATFORM_CLIENT_AUTH */
6400
6401 if (ss->ssl3.channelID != NULL) {
6402 SECKEY_DestroyPrivateKey(ss->ssl3.channelID);
6403 ss->ssl3.channelID = NULL;
6404 }
6405 if (ss->ssl3.channelIDPub != NULL) {
6406 SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
6407 ss->ssl3.channelIDPub = NULL;
6408 }
6409
6410 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
6411 if (temp < 0) {
6412 goto loser; /* alert has been sent */
6413 }
6414 version = (SSL3ProtocolVersion)temp;
6415
6416 if (IS_DTLS(ss)) {
6417 /* RFC 4347 required that you verify that the server versions
6418 * match (Section 4.2.1) in the HelloVerifyRequest and the
6419 * ServerHello.
6420 *
6421 * RFC 6347 suggests (SHOULD) that servers always use 1.0
6422 * in HelloVerifyRequest and allows the versions not to match,
6423 * especially when 1.2 is being negotiated.
6424 *
6425 * Therefore we do not check for matching here.
6426 */
6427 version = dtls_DTLSVersionToTLSVersion(version);
6428 if (version == 0) { /* Insane version number */
6429 goto alert_loser;
6430 }
6431 }
6432
6433 rv = ssl3_NegotiateVersion(ss, version, PR_FALSE);
6434 if (rv != SECSuccess) {
6435 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version
6436 : handshake_failure;
6437 errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
6438 goto alert_loser;
6439 }
6440 isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0);
6441
6442 rv = ssl3_InitHandshakeHashes(ss);
6443 if (rv != SECSuccess) {
6444 desc = internal_error;
6445 errCode = PORT_GetError();
6446 goto alert_loser;
6447 }
6448
6449 rv = ssl3_ConsumeHandshake(
6450 ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH, &b, &length);
6451 if (rv != SECSuccess) {
6452 goto loser; /* alert has been sent */
6453 }
6454
6455 rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length);
6456 if (rv != SECSuccess) {
6457 goto loser; /* alert has been sent */
6458 }
6459 if (sidBytes.len > SSL3_SESSIONID_BYTES) {
6460 if (isTLS)
6461 desc = decode_error;
6462 goto alert_loser; /* malformed. */
6463 }
6464
6465 /* find selected cipher suite in our list. */
6466 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
6467 if (temp < 0) {
6468 goto loser; /* alert has been sent */
6469 }
6470 ssl3_config_match_init(ss);
6471 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
6472 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
6473 if (temp == suite->cipher_suite) {
6474 SSLVersionRange vrange = {ss->version, ss->version};
6475 if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) {
6476 /* config_match already checks whether the cipher suite is
6477 * acceptable for the version, but the check is repeated here
6478 * in order to give a more precise error code. */
6479 if (!ssl3_CipherSuiteAllowedForVersionRange(temp, &vrange)) {
6480 desc = handshake_failure;
6481 errCode = SSL_ERROR_CIPHER_DISALLOWED_FOR_VERSION;
6482 goto alert_loser;
6483 }
6484
6485 break; /* failure */
6486 }
6487
6488 suite_found = PR_TRUE;
6489 break; /* success */
6490 }
6491 }
6492 if (!suite_found) {
6493 desc = handshake_failure;
6494 errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
6495 goto alert_loser;
6496 }
6497 ss->ssl3.hs.cipher_suite = (ssl3CipherSuite)temp;
6498 ss->ssl3.hs.suite_def = ssl_LookupCipherSuiteDef((ssl3CipherSuite)temp);
6499 PORT_Assert(ss->ssl3.hs.suite_def);
6500 if (!ss->ssl3.hs.suite_def) {
6501 PORT_SetError(errCode = SEC_ERROR_LIBRARY_FAILURE);
6502 goto loser; /* we don't send alerts for our screw-ups. */
6503 }
6504
6505 /* find selected compression method in our list. */
6506 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &b, &length);
6507 if (temp < 0) {
6508 goto loser; /* alert has been sent */
6509 }
6510 suite_found = PR_FALSE;
6511 for (i = 0; i < compressionMethodsCount; i++) {
6512 if (temp == compressions[i]) {
6513 if (!compressionEnabled(ss, compressions[i])) {
6514 break; /* failure */
6515 }
6516 suite_found = PR_TRUE;
6517 break; /* success */
6518 }
6519 }
6520 if (!suite_found) {
6521 desc = handshake_failure;
6522 errCode = SSL_ERROR_NO_COMPRESSION_OVERLAP;
6523 goto alert_loser;
6524 }
6525 ss->ssl3.hs.compression = (SSLCompressionMethod)temp;
6526
6527 /* Note that if !isTLS and the extra stuff is not extensions, we
6528 * do NOT goto alert_loser.
6529 * There are some old SSL 3.0 implementations that do send stuff
6530 * after the end of the server hello, and we deliberately ignore
6531 * such stuff in the interest of maximal interoperability (being
6532 * "generous in what you accept").
6533 * Update: Starting in NSS 3.12.6, we handle the renegotiation_info
6534 * extension in SSL 3.0.
6535 */
6536 if (length != 0) {
6537 SECItem extensions;
6538 rv = ssl3_ConsumeHandshakeVariable(ss, &extensions, 2, &b, &length);
6539 if (rv != SECSuccess || length != 0) {
6540 if (isTLS)
6541 goto alert_loser;
6542 } else {
6543 rv = ssl3_HandleHelloExtensions(ss, &extensions.data,
6544 &extensions.len);
6545 if (rv != SECSuccess)
6546 goto alert_loser;
6547 }
6548 }
6549 if ((ss->opt.requireSafeNegotiation ||
6550 (ss->firstHsDone && (ss->peerRequestedProtection ||
6551 ss->opt.enableRenegotiation == SSL_RENEGOTIATE_REQUIRES_XTN))) &&
6552 !ssl3_ExtensionNegotiated(ss, ssl_renegotiation_info_xtn)) {
6553 desc = handshake_failure;
6554 errCode = ss->firstHsDone ? SSL_ERROR_RENEGOTIATION_NOT_ALLOWED
6555 : SSL_ERROR_UNSAFE_NEGOTIATION;
6556 goto alert_loser;
6557 }
6558
6559 /* Any errors after this point are not "malformed" errors. */
6560 desc = handshake_failure;
6561
6562 /* we need to call ssl3_SetupPendingCipherSpec here so we can check the
6563 * key exchange algorithm. */
6564 rv = ssl3_SetupPendingCipherSpec(ss);
6565 if (rv != SECSuccess) {
6566 goto alert_loser; /* error code is set. */
6567 }
6568
6569 /* We may or may not have sent a session id, we may get one back or
6570 * not and if so it may match the one we sent.
6571 * Attempt to restore the master secret to see if this is so...
6572 * Don't consider failure to find a matching SID an error.
6573 */
6574 sid_match = (PRBool)(sidBytes.len > 0 &&
6575 sidBytes.len == sid->u.ssl3.sessionIDLength &&
6576 !PORT_Memcmp(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len));
6577
6578 if (sid_match &&
6579 sid->version == ss->version &&
6580 sid->u.ssl3.cipherSuite == ss->ssl3.hs.cipher_suite) do {
6581 ssl3CipherSpec *pwSpec = ss->ssl3.pwSpec;
6582
6583 SECItem wrappedMS; /* wrapped master secret. */
6584
6585 ss->sec.authAlgorithm = sid->authAlgorithm;
6586 ss->sec.authKeyBits = sid->authKeyBits;
6587 ss->sec.keaType = sid->keaType;
6588 ss->sec.keaKeyBits = sid->keaKeyBits;
6589
6590 /* 3 cases here:
6591 * a) key is wrapped (implies using PKCS11)
6592 * b) key is unwrapped, but we're still using PKCS11
6593 * c) key is unwrapped, and we're bypassing PKCS11.
6594 */
6595 if (sid->u.ssl3.keys.msIsWrapped) {
6596 PK11SlotInfo *slot;
6597 PK11SymKey * wrapKey; /* wrapping key */
6598 CK_FLAGS keyFlags = 0;
6599
6600 #ifndef NO_PKCS11_BYPASS
6601 if (ss->opt.bypassPKCS11) {
6602 /* we cannot restart a non-bypass session in a
6603 ** bypass socket.
6604 */
6605 break;
6606 }
6607 #endif
6608 /* unwrap master secret with PKCS11 */
6609 slot = SECMOD_LookupSlot(sid->u.ssl3.masterModuleID,
6610 sid->u.ssl3.masterSlotID);
6611 if (slot == NULL) {
6612 break; /* not considered an error. */
6613 }
6614 if (!PK11_IsPresent(slot)) {
6615 PK11_FreeSlot(slot);
6616 break; /* not considered an error. */
6617 }
6618 wrapKey = PK11_GetWrapKey(slot, sid->u.ssl3.masterWrapIndex,
6619 sid->u.ssl3.masterWrapMech,
6620 sid->u.ssl3.masterWrapSeries,
6621 ss->pkcs11PinArg);
6622 PK11_FreeSlot(slot);
6623 if (wrapKey == NULL) {
6624 break; /* not considered an error. */
6625 }
6626
6627 if (ss->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */
6628 keyFlags = CKF_SIGN | CKF_VERIFY;
6629 }
6630
6631 wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
6632 wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len;
6633 pwSpec->master_secret =
6634 PK11_UnwrapSymKeyWithFlags(wrapKey, sid->u.ssl3.masterWrapMech,
6635 NULL, &wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE,
6636 CKA_DERIVE, sizeof(SSL3MasterSecret), keyFlags);
6637 errCode = PORT_GetError();
6638 PK11_FreeSymKey(wrapKey);
6639 if (pwSpec->master_secret == NULL) {
6640 break; /* errorCode set just after call to UnwrapSymKey. */
6641 }
6642 #ifndef NO_PKCS11_BYPASS
6643 } else if (ss->opt.bypassPKCS11) {
6644 /* MS is not wrapped */
6645 wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
6646 wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len;
6647 memcpy(pwSpec->raw_master_secret, wrappedMS.data, wrappedMS.len);
6648 pwSpec->msItem.data = pwSpec->raw_master_secret;
6649 pwSpec->msItem.len = wrappedMS.len;
6650 #endif
6651 } else {
6652 /* We CAN restart a bypass session in a non-bypass socket. */
6653 /* need to import the raw master secret to session object */
6654 PK11SlotInfo *slot = PK11_GetInternalSlot();
6655 wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
6656 wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len;
6657 pwSpec->master_secret =
6658 PK11_ImportSymKey(slot, CKM_SSL3_MASTER_KEY_DERIVE,
6659 PK11_OriginUnwrap, CKA_ENCRYPT,
6660 &wrappedMS, NULL);
6661 PK11_FreeSlot(slot);
6662 if (pwSpec->master_secret == NULL) {
6663 break;
6664 }
6665 }
6666
6667 /* Got a Match */
6668 SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_hits );
6669
6670 /* If we sent a session ticket, then this is a stateless resume. */
6671 if (ss->xtnData.sentSessionTicketInClientHello)
6672 SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_stateless_resumes );
6673
6674 if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn))
6675 ss->ssl3.hs.ws = wait_new_session_ticket;
6676 else
6677 ss->ssl3.hs.ws = wait_change_cipher;
6678
6679 ss->ssl3.hs.isResuming = PR_TRUE;
6680
6681 /* copy the peer cert from the SID */
6682 if (sid->peerCert != NULL) {
6683 ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
6684 ssl3_CopyPeerCertsFromSID(ss, sid);
6685 }
6686
6687 /* NULL value for PMS signifies re-use of the old MS */
6688 rv = ssl3_InitPendingCipherSpec(ss, NULL);
6689 if (rv != SECSuccess) {
6690 goto alert_loser; /* err code was set */
6691 }
6692 goto winner;
6693 } while (0);
6694
6695 if (sid_match)
6696 SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_not_ok );
6697 else
6698 SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_misses );
6699
6700 /* throw the old one away */
6701 sid->u.ssl3.keys.resumable = PR_FALSE;
6702 if (ss->sec.uncache)
6703 (*ss->sec.uncache)(sid);
6704 ssl_FreeSID(sid);
6705
6706 /* get a new sid */
6707 ss->sec.ci.sid = sid = ssl3_NewSessionID(ss, PR_FALSE);
6708 if (sid == NULL) {
6709 goto alert_loser; /* memory error is set. */
6710 }
6711
6712 sid->version = ss->version;
6713 sid->u.ssl3.sessionIDLength = sidBytes.len;
6714 PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len);
6715
6716 /* Copy Signed Certificate Timestamps, if any. */
6717 if (ss->xtnData.signedCertTimestamps.data) {
6718 rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.signedCertTimestamps,
6719 &ss->xtnData.signedCertTimestamps);
6720 if (rv != SECSuccess)
6721 goto loser;
6722 }
6723
6724 ss->ssl3.hs.isResuming = PR_FALSE;
6725 ss->ssl3.hs.ws = wait_server_cert;
6726
6727 winner:
6728 /* Clean up the temporary pointer to the handshake buffer. */
6729 ss->xtnData.signedCertTimestamps.data = NULL;
6730 ss->xtnData.signedCertTimestamps.len = 0;
6731
6732 /* If we will need a ChannelID key then we make the callback now. This
6733 * allows the handshake to be restarted cleanly if the callback returns
6734 * SECWouldBlock. */
6735 if (ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn)) {
6736 rv = ss->getChannelID(ss->getChannelIDArg, ss->fd,
6737 &ss->ssl3.channelIDPub, &ss->ssl3.channelID);
6738 if (rv == SECWouldBlock) {
6739 ssl3_SetAlwaysBlock(ss);
6740 return rv;
6741 }
6742 if (rv != SECSuccess ||
6743 ss->ssl3.channelIDPub == NULL ||
6744 ss->ssl3.channelID == NULL) {
6745 PORT_SetError(SSL_ERROR_GET_CHANNEL_ID_FAILED);
6746 desc = internal_error;
6747 goto alert_loser;
6748 }
6749 }
6750
6751 return SECSuccess;
6752
6753 alert_loser:
6754 (void)SSL3_SendAlert(ss, alert_fatal, desc);
6755
6756 loser:
6757 /* Clean up the temporary pointer to the handshake buffer. */
6758 ss->xtnData.signedCertTimestamps.data = NULL;
6759 ss->xtnData.signedCertTimestamps.len = 0;
6760 errCode = ssl_MapLowLevelError(errCode);
6761 return SECFailure;
6762 }
6763
6764 /* ssl3_BigIntGreaterThanOne returns true iff |mpint|, taken as an unsigned,
6765 * big-endian integer is > 1 */
6766 static PRBool
6767 ssl3_BigIntGreaterThanOne(const SECItem* mpint) {
6768 unsigned char firstNonZeroByte = 0;
6769 unsigned int i;
6770
6771 for (i = 0; i < mpint->len; i++) {
6772 if (mpint->data[i]) {
6773 firstNonZeroByte = mpint->data[i];
6774 break;
6775 }
6776 }
6777
6778 if (firstNonZeroByte == 0)
6779 return PR_FALSE;
6780 if (firstNonZeroByte > 1)
6781 return PR_TRUE;
6782
6783 /* firstNonZeroByte == 1, therefore mpint > 1 iff the first non-zero byte
6784 * is followed by another byte. */
6785 return (i < mpint->len - 1);
6786 }
6787
6788 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
6789 * ssl3 ServerKeyExchange message.
6790 * Caller must hold Handshake and RecvBuf locks.
6791 */
6792 static SECStatus
6793 ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
6794 {
6795 PLArenaPool * arena = NULL;
6796 SECKEYPublicKey *peerKey = NULL;
6797 PRBool isTLS, isTLS12;
6798 SECStatus rv;
6799 int errCode = SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH;
6800 SSL3AlertDescription desc = illegal_parameter;
6801 SSL3Hashes hashes;
6802 SECItem signature = {siBuffer, NULL, 0};
6803 SSL3SignatureAndHashAlgorithm sigAndHash;
6804
6805 sigAndHash.hashAlg = SEC_OID_UNKNOWN;
6806
6807 SSL_TRC(3, ("%d: SSL3[%d]: handle server_key_exchange handshake",
6808 SSL_GETPID(), ss->fd));
6809 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
6810 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
6811
6812 if (ss->ssl3.hs.ws != wait_server_key &&
6813 ss->ssl3.hs.ws != wait_server_cert) {
6814 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH;
6815 desc = unexpected_message;
6816 goto alert_loser;
6817 }
6818 if (ss->sec.peerCert == NULL) {
6819 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH;
6820 desc = unexpected_message;
6821 goto alert_loser;
6822 }
6823
6824 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
6825 isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
6826
6827 switch (ss->ssl3.hs.kea_def->exchKeyType) {
6828
6829 case kt_rsa: {
6830 SECItem modulus = {siBuffer, NULL, 0};
6831 SECItem exponent = {siBuffer, NULL, 0};
6832
6833 rv = ssl3_ConsumeHandshakeVariable(ss, &modulus, 2, &b, &length);
6834 if (rv != SECSuccess) {
6835 goto loser; /* malformed. */
6836 }
6837 rv = ssl3_ConsumeHandshakeVariable(ss, &exponent, 2, &b, &length);
6838 if (rv != SECSuccess) {
6839 goto loser; /* malformed. */
6840 }
6841 if (isTLS12) {
6842 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length,
6843 &sigAndHash);
6844 if (rv != SECSuccess) {
6845 goto loser; /* malformed or unsupported. */
6846 }
6847 rv = ssl3_CheckSignatureAndHashAlgorithmConsistency(
6848 &sigAndHash, ss->sec.peerCert);
6849 if (rv != SECSuccess) {
6850 goto loser;
6851 }
6852 }
6853 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length);
6854 if (rv != SECSuccess) {
6855 goto loser; /* malformed. */
6856 }
6857 if (length != 0) {
6858 if (isTLS)
6859 desc = decode_error;
6860 goto alert_loser; /* malformed. */
6861 }
6862
6863 /* failures after this point are not malformed handshakes. */
6864 /* TLS: send decrypt_error if signature failed. */
6865 desc = isTLS ? decrypt_error : handshake_failure;
6866
6867 /*
6868 * check to make sure the hash is signed by right guy
6869 */
6870 rv = ssl3_ComputeExportRSAKeyHash(sigAndHash.hashAlg, modulus, exponent,
6871 &ss->ssl3.hs.client_random,
6872 &ss->ssl3.hs.server_random,
6873 &hashes, ss->opt.bypassPKCS11);
6874 if (rv != SECSuccess) {
6875 errCode =
6876 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
6877 goto alert_loser;
6878 }
6879 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature,
6880 isTLS, ss->pkcs11PinArg);
6881 if (rv != SECSuccess) {
6882 errCode =
6883 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
6884 goto alert_loser;
6885 }
6886
6887 /*
6888 * we really need to build a new key here because we can no longer
6889 * ignore calling SECKEY_DestroyPublicKey. Using the key may allocate
6890 * pkcs11 slots and ID's.
6891 */
6892 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
6893 if (arena == NULL) {
6894 goto no_memory;
6895 }
6896
6897 peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey);
6898 if (peerKey == NULL) {
6899 PORT_FreeArena(arena, PR_FALSE);
6900 goto no_memory;
6901 }
6902
6903 peerKey->arena = arena;
6904 peerKey->keyType = rsaKey;
6905 peerKey->pkcs11Slot = NULL;
6906 peerKey->pkcs11ID = CK_INVALID_HANDLE;
6907 if (SECITEM_CopyItem(arena, &peerKey->u.rsa.modulus, &modulus) ||
6908 SECITEM_CopyItem(arena, &peerKey->u.rsa.publicExponent, &exponent))
6909 {
6910 PORT_FreeArena(arena, PR_FALSE);
6911 goto no_memory;
6912 }
6913 ss->sec.peerKey = peerKey;
6914 ss->ssl3.hs.ws = wait_cert_request;
6915 return SECSuccess;
6916 }
6917
6918 case kt_dh: {
6919 SECItem dh_p = {siBuffer, NULL, 0};
6920 SECItem dh_g = {siBuffer, NULL, 0};
6921 SECItem dh_Ys = {siBuffer, NULL, 0};
6922
6923 rv = ssl3_ConsumeHandshakeVariable(ss, &dh_p, 2, &b, &length);
6924 if (rv != SECSuccess) {
6925 goto loser; /* malformed. */
6926 }
6927 if (dh_p.len < 512/8) {
6928 errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY;
6929 goto alert_loser;
6930 }
6931 rv = ssl3_ConsumeHandshakeVariable(ss, &dh_g, 2, &b, &length);
6932 if (rv != SECSuccess) {
6933 goto loser; /* malformed. */
6934 }
6935 if (dh_g.len > dh_p.len || !ssl3_BigIntGreaterThanOne(&dh_g))
6936 goto alert_loser;
6937 rv = ssl3_ConsumeHandshakeVariable(ss, &dh_Ys, 2, &b, &length);
6938 if (rv != SECSuccess) {
6939 goto loser; /* malformed. */
6940 }
6941 if (dh_Ys.len > dh_p.len || !ssl3_BigIntGreaterThanOne(&dh_Ys))
6942 goto alert_loser;
6943 if (isTLS12) {
6944 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length,
6945 &sigAndHash);
6946 if (rv != SECSuccess) {
6947 goto loser; /* malformed or unsupported. */
6948 }
6949 rv = ssl3_CheckSignatureAndHashAlgorithmConsistency(
6950 &sigAndHash, ss->sec.peerCert);
6951 if (rv != SECSuccess) {
6952 goto loser;
6953 }
6954 }
6955 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length);
6956 if (rv != SECSuccess) {
6957 goto loser; /* malformed. */
6958 }
6959 if (length != 0) {
6960 if (isTLS)
6961 desc = decode_error;
6962 goto alert_loser; /* malformed. */
6963 }
6964
6965 PRINT_BUF(60, (NULL, "Server DH p", dh_p.data, dh_p.len));
6966 PRINT_BUF(60, (NULL, "Server DH g", dh_g.data, dh_g.len));
6967 PRINT_BUF(60, (NULL, "Server DH Ys", dh_Ys.data, dh_Ys.len));
6968
6969 /* failures after this point are not malformed handshakes. */
6970 /* TLS: send decrypt_error if signature failed. */
6971 desc = isTLS ? decrypt_error : handshake_failure;
6972
6973 /*
6974 * check to make sure the hash is signed by right guy
6975 */
6976 rv = ssl3_ComputeDHKeyHash(sigAndHash.hashAlg, dh_p, dh_g, dh_Ys,
6977 &ss->ssl3.hs.client_random,
6978 &ss->ssl3.hs.server_random,
6979 &hashes, ss->opt.bypassPKCS11);
6980 if (rv != SECSuccess) {
6981 errCode =
6982 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
6983 goto alert_loser;
6984 }
6985 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature,
6986 isTLS, ss->pkcs11PinArg);
6987 if (rv != SECSuccess) {
6988 errCode =
6989 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
6990 goto alert_loser;
6991 }
6992
6993 /*
6994 * we really need to build a new key here because we can no longer
6995 * ignore calling SECKEY_DestroyPublicKey. Using the key may allocate
6996 * pkcs11 slots and ID's.
6997 */
6998 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
6999 if (arena == NULL) {
7000 goto no_memory;
7001 }
7002
7003 ss->sec.peerKey = peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey);
7004 if (peerKey == NULL) {
7005 goto no_memory;
7006 }
7007
7008 peerKey->arena = arena;
7009 peerKey->keyType = dhKey;
7010 peerKey->pkcs11Slot = NULL;
7011 peerKey->pkcs11ID = CK_INVALID_HANDLE;
7012
7013 if (SECITEM_CopyItem(arena, &peerKey->u.dh.prime, &dh_p) ||
7014 SECITEM_CopyItem(arena, &peerKey->u.dh.base, &dh_g) ||
7015 SECITEM_CopyItem(arena, &peerKey->u.dh.publicValue, &dh_Ys))
7016 {
7017 PORT_FreeArena(arena, PR_FALSE);
7018 goto no_memory;
7019 }
7020 ss->sec.peerKey = peerKey;
7021 ss->ssl3.hs.ws = wait_cert_request;
7022 return SECSuccess;
7023 }
7024
7025 #ifdef NSS_ENABLE_ECC
7026 case kt_ecdh:
7027 rv = ssl3_HandleECDHServerKeyExchange(ss, b, length);
7028 return rv;
7029 #endif /* NSS_ENABLE_ECC */
7030
7031 default:
7032 desc = handshake_failure;
7033 errCode = SEC_ERROR_UNSUPPORTED_KEYALG;
7034 break; /* goto alert_loser; */
7035 }
7036
7037 alert_loser:
7038 (void)SSL3_SendAlert(ss, alert_fatal, desc);
7039 loser:
7040 PORT_SetError( errCode );
7041 return SECFailure;
7042
7043 no_memory: /* no-memory error has already been set. */
7044 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
7045 return SECFailure;
7046 }
7047
7048
7049 /*
7050 * Returns the TLS signature algorithm for the client authentication key and
7051 * whether it is an RSA or DSA key that may be able to sign only SHA-1 hashes.
7052 */
7053 static SECStatus
7054 ssl3_ExtractClientKeyInfo(sslSocket *ss,
7055 TLSSignatureAlgorithm *sigAlg,
7056 PRBool *preferSha1)
7057 {
7058 SECStatus rv = SECSuccess;
7059 SECKEYPublicKey *pubk;
7060
7061 pubk = CERT_ExtractPublicKey(ss->ssl3.clientCertificate);
7062 if (pubk == NULL) {
7063 rv = SECFailure;
7064 goto done;
7065 }
7066
7067 rv = ssl3_TLSSignatureAlgorithmForKeyType(pubk->keyType, sigAlg);
7068 if (rv != SECSuccess) {
7069 goto done;
7070 }
7071
7072 #if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(_WIN32)
7073 /* If the key is in CAPI, assume conservatively that the CAPI service
7074 * provider may be unable to sign SHA-256 hashes.
7075 */
7076 if (ss->ssl3.platformClientKey->dwKeySpec != CERT_NCRYPT_KEY_SPEC) {
7077 /* CAPI only supports RSA and DSA signatures, so we don't need to
7078 * check the key type. */
7079 *preferSha1 = PR_TRUE;
7080 goto done;
7081 }
7082 #endif /* NSS_PLATFORM_CLIENT_AUTH && _WIN32 */
7083
7084 /* If the key is a 1024-bit RSA or DSA key, assume conservatively that
7085 * it may be unable to sign SHA-256 hashes. This is the case for older
7086 * Estonian ID cards that have 1024-bit RSA keys. In FIPS 186-2 and
7087 * older, DSA key size is at most 1024 bits and the hash function must
7088 * be SHA-1.
7089 */
7090 if (pubk->keyType == rsaKey || pubk->keyType == dsaKey) {
7091 *preferSha1 = SECKEY_PublicKeyStrength(pubk) <= 128;
7092 } else {
7093 *preferSha1 = PR_FALSE;
7094 }
7095
7096 done:
7097 if (pubk)
7098 SECKEY_DestroyPublicKey(pubk);
7099 return rv;
7100 }
7101
7102 /* Destroys the backup handshake hash context if we don't need it. Note that
7103 * this function selects the hash algorithm for client authentication
7104 * signatures; ssl3_SendCertificateVerify uses the presence of the backup hash
7105 * to determine whether to use SHA-1 or SHA-256. */
7106 static void
7107 ssl3_DestroyBackupHandshakeHashIfNotNeeded(sslSocket *ss,
7108 const SECItem *algorithms)
7109 {
7110 SECStatus rv;
7111 TLSSignatureAlgorithm sigAlg;
7112 PRBool preferSha1;
7113 PRBool supportsSha1 = PR_FALSE;
7114 PRBool supportsSha256 = PR_FALSE;
7115 PRBool needBackupHash = PR_FALSE;
7116 unsigned int i;
7117
7118 #ifndef NO_PKCS11_BYPASS
7119 /* Backup handshake hash is not supported in PKCS #11 bypass mode. */
7120 if (ss->opt.bypassPKCS11) {
7121 PORT_Assert(!ss->ssl3.hs.backupHash);
7122 return;
7123 }
7124 #endif
7125 PORT_Assert(ss->ssl3.hs.backupHash);
7126
7127 /* Determine the key's signature algorithm and whether it prefers SHA-1. */
7128 rv = ssl3_ExtractClientKeyInfo(ss, &sigAlg, &preferSha1);
7129 if (rv != SECSuccess) {
7130 goto done;
7131 }
7132
7133 /* Determine the server's hash support for that signature algorithm. */
7134 for (i = 0; i < algorithms->len; i += 2) {
7135 if (algorithms->data[i+1] == sigAlg) {
7136 if (algorithms->data[i] == tls_hash_sha1) {
7137 supportsSha1 = PR_TRUE;
7138 } else if (algorithms->data[i] == tls_hash_sha256) {
7139 supportsSha256 = PR_TRUE;
7140 }
7141 }
7142 }
7143
7144 /* If either the server does not support SHA-256 or the client key prefers
7145 * SHA-1, leave the backup hash. */
7146 if (supportsSha1 && (preferSha1 || !supportsSha256)) {
7147 needBackupHash = PR_TRUE;
7148 }
7149
7150 done:
7151 if (!needBackupHash) {
7152 PK11_DestroyContext(ss->ssl3.hs.backupHash, PR_TRUE);
7153 ss->ssl3.hs.backupHash = NULL;
7154 }
7155 }
7156
7157 typedef struct dnameNode {
7158 struct dnameNode *next;
7159 SECItem name;
7160 } dnameNode;
7161
7162 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
7163 * ssl3 Certificate Request message.
7164 * Caller must hold Handshake and RecvBuf locks.
7165 */
7166 static SECStatus
7167 ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
7168 {
7169 PLArenaPool * arena = NULL;
7170 dnameNode * node;
7171 PRInt32 remaining;
7172 PRBool isTLS = PR_FALSE;
7173 PRBool isTLS12 = PR_FALSE;
7174 int i;
7175 int errCode = SSL_ERROR_RX_MALFORMED_CERT_REQUEST;
7176 int nnames = 0;
7177 SECStatus rv;
7178 SSL3AlertDescription desc = illegal_parameter;
7179 SECItem cert_types = {siBuffer, NULL, 0};
7180 SECItem algorithms = {siBuffer, NULL, 0};
7181 CERTDistNames ca_list;
7182 #ifdef NSS_PLATFORM_CLIENT_AUTH
7183 CERTCertList * platform_cert_list = NULL;
7184 CERTCertListNode * certNode = NULL;
7185 #endif /* NSS_PLATFORM_CLIENT_AUTH */
7186
7187 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake",
7188 SSL_GETPID(), ss->fd));
7189 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
7190 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
7191
7192 if (ss->ssl3.hs.ws != wait_cert_request &&
7193 ss->ssl3.hs.ws != wait_server_key) {
7194 desc = unexpected_message;
7195 errCode = SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST;
7196 goto alert_loser;
7197 }
7198
7199 PORT_Assert(ss->ssl3.clientCertChain == NULL);
7200 PORT_Assert(ss->ssl3.clientCertificate == NULL);
7201 PORT_Assert(ss->ssl3.clientPrivateKey == NULL);
7202 PORT_Assert(ss->ssl3.platformClientKey == (PlatformKey)NULL);
7203
7204 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
7205 isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
7206 rv = ssl3_ConsumeHandshakeVariable(ss, &cert_types, 1, &b, &length);
7207 if (rv != SECSuccess)
7208 goto loser; /* malformed, alert has been sent */
7209
7210 PORT_Assert(!ss->requestedCertTypes);
7211 ss->requestedCertTypes = &cert_types;
7212
7213 if (isTLS12) {
7214 rv = ssl3_ConsumeHandshakeVariable(ss, &algorithms, 2, &b, &length);
7215 if (rv != SECSuccess)
7216 goto loser; /* malformed, alert has been sent */
7217 /* An empty or odd-length value is invalid.
7218 * SignatureAndHashAlgorithm
7219 * supported_signature_algorithms<2..2^16-2>;
7220 */
7221 if (algorithms.len == 0 || (algorithms.len & 1) != 0)
7222 goto alert_loser;
7223 }
7224
7225 arena = ca_list.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
7226 if (arena == NULL)
7227 goto no_mem;
7228
7229 remaining = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
7230 if (remaining < 0)
7231 goto loser; /* malformed, alert has been sent */
7232
7233 if ((PRUint32)remaining > length)
7234 goto alert_loser;
7235
7236 ca_list.head = node = PORT_ArenaZNew(arena, dnameNode);
7237 if (node == NULL)
7238 goto no_mem;
7239
7240 while (remaining > 0) {
7241 PRInt32 len;
7242
7243 if (remaining < 2)
7244 goto alert_loser; /* malformed */
7245
7246 node->name.len = len = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
7247 if (len <= 0)
7248 goto loser; /* malformed, alert has been sent */
7249
7250 remaining -= 2;
7251 if (remaining < len)
7252 goto alert_loser; /* malformed */
7253
7254 node->name.data = b;
7255 b += len;
7256 length -= len;
7257 remaining -= len;
7258 nnames++;
7259 if (remaining <= 0)
7260 break; /* success */
7261
7262 node->next = PORT_ArenaZNew(arena, dnameNode);
7263 node = node->next;
7264 if (node == NULL)
7265 goto no_mem;
7266 }
7267
7268 ca_list.nnames = nnames;
7269 ca_list.names = PORT_ArenaNewArray(arena, SECItem, nnames);
7270 if (nnames > 0 && ca_list.names == NULL)
7271 goto no_mem;
7272
7273 for(i = 0, node = (dnameNode*)ca_list.head;
7274 i < nnames;
7275 i++, node = node->next) {
7276 ca_list.names[i] = node->name;
7277 }
7278
7279 if (length != 0)
7280 goto alert_loser; /* malformed */
7281
7282 desc = no_certificate;
7283 ss->ssl3.hs.ws = wait_hello_done;
7284
7285 #ifdef NSS_PLATFORM_CLIENT_AUTH
7286 if (ss->getPlatformClientAuthData != NULL) {
7287 /* XXX Should pass cert_types and algorithms in this call!! */
7288 rv = (SECStatus)(*ss->getPlatformClientAuthData)(
7289 ss->getPlatformClientAuthDataArg,
7290 ss->fd, &ca_list,
7291 &platform_cert_list,
7292 (void**)&ss->ssl3.platformClientKey,
7293 &ss->ssl3.clientCertificate,
7294 &ss->ssl3.clientPrivateKey);
7295 } else
7296 #endif
7297 if (ss->getClientAuthData != NULL) {
7298 /* XXX Should pass cert_types and algorithms in this call!! */
7299 rv = (SECStatus)(*ss->getClientAuthData)(ss->getClientAuthDataArg,
7300 ss->fd, &ca_list,
7301 &ss->ssl3.clientCertificate,
7302 &ss->ssl3.clientPrivateKey);
7303 } else {
7304 rv = SECFailure; /* force it to send a no_certificate alert */
7305 }
7306
7307 switch (rv) {
7308 case SECWouldBlock: /* getClientAuthData has put up a dialog box. */
7309 ssl3_SetAlwaysBlock(ss);
7310 break; /* not an error */
7311
7312 case SECSuccess:
7313 #ifdef NSS_PLATFORM_CLIENT_AUTH
7314 if (!platform_cert_list || CERT_LIST_EMPTY(platform_cert_list) ||
7315 !ss->ssl3.platformClientKey) {
7316 if (platform_cert_list) {
7317 CERT_DestroyCertList(platform_cert_list);
7318 platform_cert_list = NULL;
7319 }
7320 if (ss->ssl3.platformClientKey) {
7321 ssl_FreePlatformKey(ss->ssl3.platformClientKey);
7322 ss->ssl3.platformClientKey = (PlatformKey)NULL;
7323 }
7324 /* Fall through to NSS client auth check */
7325 } else {
7326 certNode = CERT_LIST_HEAD(platform_cert_list);
7327 ss->ssl3.clientCertificate = CERT_DupCertificate(certNode->cert);
7328
7329 /* Setting ssl3.clientCertChain non-NULL will cause
7330 * ssl3_HandleServerHelloDone to call SendCertificate.
7331 * Note: clientCertChain should include the EE cert as
7332 * clientCertificate is ignored during the actual sending
7333 */
7334 ss->ssl3.clientCertChain =
7335 hack_NewCertificateListFromCertList(platform_cert_list);
7336 CERT_DestroyCertList(platform_cert_list);
7337 platform_cert_list = NULL;
7338 if (ss->ssl3.clientCertChain == NULL) {
7339 if (ss->ssl3.clientCertificate != NULL) {
7340 CERT_DestroyCertificate(ss->ssl3.clientCertificate);
7341 ss->ssl3.clientCertificate = NULL;
7342 }
7343 if (ss->ssl3.platformClientKey) {
7344 ssl_FreePlatformKey(ss->ssl3.platformClientKey);
7345 ss->ssl3.platformClientKey = (PlatformKey)NULL;
7346 }
7347 goto send_no_certificate;
7348 }
7349 if (ss->ssl3.hs.hashType == handshake_hash_single) {
7350 ssl3_DestroyBackupHandshakeHashIfNotNeeded(ss, &algorithms);
7351 }
7352 break; /* not an error */
7353 }
7354 #endif /* NSS_PLATFORM_CLIENT_AUTH */
7355 /* check what the callback function returned */
7356 if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) {
7357 /* we are missing either the key or cert */
7358 if (ss->ssl3.clientCertificate) {
7359 /* got a cert, but no key - free it */
7360 CERT_DestroyCertificate(ss->ssl3.clientCertificate);
7361 ss->ssl3.clientCertificate = NULL;
7362 }
7363 if (ss->ssl3.clientPrivateKey) {
7364 /* got a key, but no cert - free it */
7365 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
7366 ss->ssl3.clientPrivateKey = NULL;
7367 }
7368 goto send_no_certificate;
7369 }
7370 /* Setting ssl3.clientCertChain non-NULL will cause
7371 * ssl3_HandleServerHelloDone to call SendCertificate.
7372 */
7373 ss->ssl3.clientCertChain = CERT_CertChainFromCert(
7374 ss->ssl3.clientCertificate,
7375 certUsageSSLClient, PR_FALSE);
7376 if (ss->ssl3.clientCertChain == NULL) {
7377 CERT_DestroyCertificate(ss->ssl3.clientCertificate);
7378 ss->ssl3.clientCertificate = NULL;
7379 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
7380 ss->ssl3.clientPrivateKey = NULL;
7381 goto send_no_certificate;
7382 }
7383 if (ss->ssl3.hs.hashType == handshake_hash_single) {
7384 ssl3_DestroyBackupHandshakeHashIfNotNeeded(ss, &algorithms);
7385 }
7386 break; /* not an error */
7387
7388 case SECFailure:
7389 default:
7390 send_no_certificate:
7391 if (isTLS) {
7392 ss->ssl3.sendEmptyCert = PR_TRUE;
7393 } else {
7394 (void)SSL3_SendAlert(ss, alert_warning, no_certificate);
7395 }
7396 rv = SECSuccess;
7397 break;
7398 }
7399 goto done;
7400
7401 no_mem:
7402 rv = SECFailure;
7403 PORT_SetError(SEC_ERROR_NO_MEMORY);
7404 goto done;
7405
7406 alert_loser:
7407 if (isTLS && desc == illegal_parameter)
7408 desc = decode_error;
7409 (void)SSL3_SendAlert(ss, alert_fatal, desc);
7410 loser:
7411 PORT_SetError(errCode);
7412 rv = SECFailure;
7413 done:
7414 ss->requestedCertTypes = NULL;
7415 if (arena != NULL)
7416 PORT_FreeArena(arena, PR_FALSE);
7417 #ifdef NSS_PLATFORM_CLIENT_AUTH
7418 if (platform_cert_list)
7419 CERT_DestroyCertList(platform_cert_list);
7420 #endif
7421 return rv;
7422 }
7423
7424 /*
7425 * attempt to restart the handshake after asynchronously handling
7426 * a request for the client's certificate.
7427 *
7428 * inputs:
7429 * cert Client cert chosen by application.
7430 * Note: ssl takes this reference, and does not bump the
7431 * reference count. The caller should drop its reference
7432 * without calling CERT_DestroyCert after calling this function.
7433 *
7434 * key Private key associated with cert. This function takes
7435 * ownership of the private key, so the caller should drop its
7436 * reference without destroying the private key after this
7437 * function returns.
7438 *
7439 * certChain DER-encoded certs, client cert and its signers.
7440 * Note: ssl takes this reference, and does not copy the chain.
7441 * The caller should drop its reference without destroying the
7442 * chain. SSL will free the chain when it is done with it.
7443 *
7444 * Return value: XXX
7445 *
7446 * XXX This code only works on the initial handshake on a connection, XXX
7447 * It does not work on a subsequent handshake (redo).
7448 *
7449 * Caller holds 1stHandshakeLock.
7450 */
7451 SECStatus
7452 ssl3_RestartHandshakeAfterCertReq(sslSocket * ss,
7453 CERTCertificate * cert,
7454 SECKEYPrivateKey * key,
7455 CERTCertificateList *certChain)
7456 {
7457 SECStatus rv = SECSuccess;
7458
7459 /* XXX This code only works on the initial handshake on a connection,
7460 ** XXX It does not work on a subsequent handshake (redo).
7461 */
7462 if (ss->handshake != 0) {
7463 ss->handshake = ssl_GatherRecord1stHandshake;
7464 ss->ssl3.clientCertificate = cert;
7465 ss->ssl3.clientPrivateKey = key;
7466 ss->ssl3.clientCertChain = certChain;
7467 if (!cert || !key || !certChain) {
7468 /* we are missing the key, cert, or cert chain */
7469 if (ss->ssl3.clientCertificate) {
7470 CERT_DestroyCertificate(ss->ssl3.clientCertificate);
7471 ss->ssl3.clientCertificate = NULL;
7472 }
7473 if (ss->ssl3.clientPrivateKey) {
7474 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
7475 ss->ssl3.clientPrivateKey = NULL;
7476 }
7477 if (ss->ssl3.clientCertChain != NULL) {
7478 CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
7479 ss->ssl3.clientCertChain = NULL;
7480 }
7481 if (ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0) {
7482 ss->ssl3.sendEmptyCert = PR_TRUE;
7483 } else {
7484 (void)SSL3_SendAlert(ss, alert_warning, no_certificate);
7485 }
7486 }
7487 } else {
7488 if (cert) {
7489 CERT_DestroyCertificate(cert);
7490 }
7491 if (key) {
7492 SECKEY_DestroyPrivateKey(key);
7493 }
7494 if (certChain) {
7495 CERT_DestroyCertificateList(certChain);
7496 }
7497 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
7498 rv = SECFailure;
7499 }
7500 return rv;
7501 }
7502
7503 static SECStatus
7504 ssl3_CheckFalseStart(sslSocket *ss)
7505 {
7506 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
7507 PORT_Assert( !ss->ssl3.hs.authCertificatePending );
7508 PORT_Assert( !ss->ssl3.hs.canFalseStart );
7509
7510 if (!ss->canFalseStartCallback) {
7511 SSL_TRC(3, ("%d: SSL[%d]: no false start callback so no false start",
7512 SSL_GETPID(), ss->fd));
7513 } else {
7514 PRBool maybeFalseStart;
7515 SECStatus rv;
7516
7517 /* An attacker can control the selected ciphersuite so we only wish to
7518 * do False Start in the case that the selected ciphersuite is
7519 * sufficiently strong that the attack can gain no advantage.
7520 * Therefore we always require an 80-bit cipher. */
7521 ssl_GetSpecReadLock(ss);
7522 maybeFalseStart = ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10;
7523 ssl_ReleaseSpecReadLock(ss);
7524
7525 if (!maybeFalseStart) {
7526 SSL_TRC(3, ("%d: SSL[%d]: no false start due to weak cipher",
7527 SSL_GETPID(), ss->fd));
7528 } else {
7529 rv = (ss->canFalseStartCallback)(ss->fd,
7530 ss->canFalseStartCallbackData,
7531 &ss->ssl3.hs.canFalseStart);
7532 if (rv == SECSuccess) {
7533 SSL_TRC(3, ("%d: SSL[%d]: false start callback returned %s",
7534 SSL_GETPID(), ss->fd,
7535 ss->ssl3.hs.canFalseStart ? "TRUE" : "FALSE"));
7536 } else {
7537 SSL_TRC(3, ("%d: SSL[%d]: false start callback failed (%s)",
7538 SSL_GETPID(), ss->fd,
7539 PR_ErrorToName(PR_GetError())));
7540 }
7541 return rv;
7542 }
7543 }
7544
7545 ss->ssl3.hs.canFalseStart = PR_FALSE;
7546 return SECSuccess;
7547 }
7548
7549 PRBool
7550 ssl3_WaitingForStartOfServerSecondRound(sslSocket *ss)
7551 {
7552 PRBool result;
7553
7554 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
7555
7556 switch (ss->ssl3.hs.ws) {
7557 case wait_new_session_ticket:
7558 result = PR_TRUE;
7559 break;
7560 case wait_change_cipher:
7561 result = !ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn);
7562 break;
7563 default:
7564 result = PR_FALSE;
7565 break;
7566 }
7567
7568 return result;
7569 }
7570
7571 static SECStatus ssl3_SendClientSecondRound(sslSocket *ss);
7572
7573 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
7574 * ssl3 Server Hello Done message.
7575 * Caller must hold Handshake and RecvBuf locks.
7576 */
7577 static SECStatus
7578 ssl3_HandleServerHelloDone(sslSocket *ss)
7579 {
7580 SECStatus rv;
7581 SSL3WaitState ws = ss->ssl3.hs.ws;
7582
7583 SSL_TRC(3, ("%d: SSL3[%d]: handle server_hello_done handshake",
7584 SSL_GETPID(), ss->fd));
7585 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
7586 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
7587
7588 if (ws != wait_hello_done &&
7589 ws != wait_server_cert &&
7590 ws != wait_server_key &&
7591 ws != wait_cert_request) {
7592 SSL3_SendAlert(ss, alert_fatal, unexpected_message);
7593 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
7594 return SECFailure;
7595 }
7596
7597 rv = ssl3_SendClientSecondRound(ss);
7598
7599 return rv;
7600 }
7601
7602 /* Called from ssl3_HandleServerHelloDone and ssl3_AuthCertificateComplete.
7603 *
7604 * Caller must hold Handshake and RecvBuf locks.
7605 */
7606 static SECStatus
7607 ssl3_SendClientSecondRound(sslSocket *ss)
7608 {
7609 SECStatus rv;
7610 PRBool sendClientCert;
7611
7612 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
7613 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
7614
7615 sendClientCert = !ss->ssl3.sendEmptyCert &&
7616 ss->ssl3.clientCertChain != NULL &&
7617 (ss->ssl3.platformClientKey ||
7618 ss->ssl3.clientPrivateKey != NULL);
7619
7620 if (!sendClientCert &&
7621 ss->ssl3.hs.hashType == handshake_hash_single &&
7622 ss->ssl3.hs.backupHash) {
7623 /* Don't need the backup handshake hash. */
7624 PK11_DestroyContext(ss->ssl3.hs.backupHash, PR_TRUE);
7625 ss->ssl3.hs.backupHash = NULL;
7626 }
7627
7628 /* We must wait for the server's certificate to be authenticated before
7629 * sending the client certificate in order to disclosing the client
7630 * certificate to an attacker that does not have a valid cert for the
7631 * domain we are connecting to.
7632 *
7633 * XXX: We should do the same for the NPN extension, but for that we
7634 * need an option to give the application the ability to leak the NPN
7635 * information to get better performance.
7636 *
7637 * During the initial handshake on a connection, we never send/receive
7638 * application data until we have authenticated the server's certificate;
7639 * i.e. we have fully authenticated the handshake before using the cipher
7640 * specs agreed upon for that handshake. During a renegotiation, we may
7641 * continue sending and receiving application data during the handshake
7642 * interleaved with the handshake records. If we were to send the client's
7643 * second round for a renegotiation before the server's certificate was
7644 * authenticated, then the application data sent/received after this point
7645 * would be using cipher spec that hadn't been authenticated. By waiting
7646 * until the server's certificate has been authenticated during
7647 * renegotiations, we ensure that renegotiations have the same property
7648 * as initial handshakes; i.e. we have fully authenticated the handshake
7649 * before using the cipher specs agreed upon for that handshake for
7650 * application data.
7651 */
7652 if (ss->ssl3.hs.restartTarget) {
7653 PR_NOT_REACHED("unexpected ss->ssl3.hs.restartTarget");
7654 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
7655 return SECFailure;
7656 }
7657 if (ss->ssl3.hs.authCertificatePending &&
7658 (sendClientCert || ss->ssl3.sendEmptyCert || ss->firstHsDone)) {
7659 SSL_TRC(3, ("%d: SSL3[%p]: deferring ssl3_SendClientSecondRound because"
7660 " certificate authentication is still pending.",
7661 SSL_GETPID(), ss->fd));
7662 ss->ssl3.hs.restartTarget = ssl3_SendClientSecondRound;
7663 return SECWouldBlock;
7664 }
7665
7666 ssl_GetXmitBufLock(ss); /*******************************/
7667
7668 if (ss->ssl3.sendEmptyCert) {
7669 ss->ssl3.sendEmptyCert = PR_FALSE;
7670 rv = ssl3_SendEmptyCertificate(ss);
7671 /* Don't send verify */
7672 if (rv != SECSuccess) {
7673 goto loser; /* error code is set. */
7674 }
7675 } else if (sendClientCert) {
7676 rv = ssl3_SendCertificate(ss);
7677 if (rv != SECSuccess) {
7678 goto loser; /* error code is set. */
7679 }
7680 }
7681
7682 rv = ssl3_SendClientKeyExchange(ss);
7683 if (rv != SECSuccess) {
7684 goto loser; /* err is set. */
7685 }
7686
7687 if (sendClientCert) {
7688 rv = ssl3_SendCertificateVerify(ss);
7689 if (rv != SECSuccess) {
7690 goto loser; /* err is set. */
7691 }
7692 }
7693
7694 rv = ssl3_SendChangeCipherSpecs(ss);
7695 if (rv != SECSuccess) {
7696 goto loser; /* err code was set. */
7697 }
7698
7699 /* This must be done after we've set ss->ssl3.cwSpec in
7700 * ssl3_SendChangeCipherSpecs because SSL_GetChannelInfo uses information
7701 * from cwSpec. This must be done before we call ssl3_CheckFalseStart
7702 * because the false start callback (if any) may need the information from
7703 * the functions that depend on this being set.
7704 */
7705 ss->enoughFirstHsDone = PR_TRUE;
7706
7707 if (!ss->firstHsDone) {
7708 /* XXX: If the server's certificate hasn't been authenticated by this
7709 * point, then we may be leaking this NPN message to an attacker.
7710 */
7711 rv = ssl3_SendNextProto(ss);
7712 if (rv != SECSuccess) {
7713 goto loser; /* err code was set. */
7714 }
7715 }
7716
7717 rv = ssl3_SendEncryptedExtensions(ss);
7718 if (rv != SECSuccess) {
7719 goto loser; /* err code was set. */
7720 }
7721
7722 if (!ss->firstHsDone) {
7723 if (ss->opt.enableFalseStart) {
7724 if (!ss->ssl3.hs.authCertificatePending) {
7725 /* When we fix bug 589047, we will need to know whether we are
7726 * false starting before we try to flush the client second
7727 * round to the network. With that in mind, we purposefully
7728 * call ssl3_CheckFalseStart before calling ssl3_SendFinished,
7729 * which includes a call to ssl3_FlushHandshake, so that
7730 * no application develops a reliance on such flushing being
7731 * done before its false start callback is called.
7732 */
7733 ssl_ReleaseXmitBufLock(ss);
7734 rv = ssl3_CheckFalseStart(ss);
7735 ssl_GetXmitBufLock(ss);
7736 if (rv != SECSuccess) {
7737 goto loser;
7738 }
7739 } else {
7740 /* The certificate authentication and the server's Finished
7741 * message are racing each other. If the certificate
7742 * authentication wins, then we will try to false start in
7743 * ssl3_AuthCertificateComplete.
7744 */
7745 SSL_TRC(3, ("%d: SSL3[%p]: deferring false start check because"
7746 " certificate authentication is still pending.",
7747 SSL_GETPID(), ss->fd));
7748 }
7749 }
7750 }
7751
7752 rv = ssl3_SendFinished(ss, 0);
7753 if (rv != SECSuccess) {
7754 goto loser; /* err code was set. */
7755 }
7756
7757 ssl_ReleaseXmitBufLock(ss); /*******************************/
7758
7759 if (!ss->ssl3.hs.isResuming &&
7760 ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn)) {
7761 /* If we are negotiating ChannelID on a full handshake then we record
7762 * the handshake hashes in |sid| at this point. They will be needed in
7763 * the event that we resume this session and use ChannelID on the
7764 * resumption handshake. */
7765 SSL3Hashes hashes;
7766 SECItem *originalHandshakeHash =
7767 &ss->sec.ci.sid->u.ssl3.originalHandshakeHash;
7768 PORT_Assert(ss->sec.ci.sid->cached == never_cached);
7769
7770 ssl_GetSpecReadLock(ss);
7771 PORT_Assert(ss->version > SSL_LIBRARY_VERSION_3_0);
7772 rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.cwSpec, &hashes, 0);
7773 ssl_ReleaseSpecReadLock(ss);
7774 if (rv != SECSuccess) {
7775 return rv;
7776 }
7777
7778 PORT_Assert(originalHandshakeHash->len == 0);
7779 originalHandshakeHash->data = PORT_Alloc(hashes.len);
7780 if (!originalHandshakeHash->data)
7781 return SECFailure;
7782 originalHandshakeHash->len = hashes.len;
7783 memcpy(originalHandshakeHash->data, hashes.u.raw, hashes.len);
7784 }
7785
7786 if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn))
7787 ss->ssl3.hs.ws = wait_new_session_ticket;
7788 else
7789 ss->ssl3.hs.ws = wait_change_cipher;
7790
7791 PORT_Assert(ssl3_WaitingForStartOfServerSecondRound(ss));
7792
7793 return SECSuccess;
7794
7795 loser:
7796 ssl_ReleaseXmitBufLock(ss);
7797 return rv;
7798 }
7799
7800 /*
7801 * Routines used by servers
7802 */
7803 static SECStatus
7804 ssl3_SendHelloRequest(sslSocket *ss)
7805 {
7806 SECStatus rv;
7807
7808 SSL_TRC(3, ("%d: SSL3[%d]: send hello_request handshake", SSL_GETPID(),
7809 ss->fd));
7810
7811 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
7812 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
7813
7814 rv = ssl3_AppendHandshakeHeader(ss, hello_request, 0);
7815 if (rv != SECSuccess) {
7816 return rv; /* err set by AppendHandshake */
7817 }
7818 rv = ssl3_FlushHandshake(ss, 0);
7819 if (rv != SECSuccess) {
7820 return rv; /* error code set by ssl3_FlushHandshake */
7821 }
7822 ss->ssl3.hs.ws = wait_client_hello;
7823 return SECSuccess;
7824 }
7825
7826 /*
7827 * Called from:
7828 * ssl3_HandleClientHello()
7829 */
7830 static SECComparison
7831 ssl3_ServerNameCompare(const SECItem *name1, const SECItem *name2)
7832 {
7833 if (!name1 != !name2) {
7834 return SECLessThan;
7835 }
7836 if (!name1) {
7837 return SECEqual;
7838 }
7839 if (name1->type != name2->type) {
7840 return SECLessThan;
7841 }
7842 return SECITEM_CompareItem(name1, name2);
7843 }
7844
7845 /* Sets memory error when returning NULL.
7846 * Called from:
7847 * ssl3_SendClientHello()
7848 * ssl3_HandleServerHello()
7849 * ssl3_HandleClientHello()
7850 * ssl3_HandleV2ClientHello()
7851 */
7852 sslSessionID *
7853 ssl3_NewSessionID(sslSocket *ss, PRBool is_server)
7854 {
7855 sslSessionID *sid;
7856
7857 sid = PORT_ZNew(sslSessionID);
7858 if (sid == NULL)
7859 return sid;
7860
7861 if (is_server) {
7862 const SECItem * srvName;
7863 SECStatus rv = SECSuccess;
7864
7865 ssl_GetSpecReadLock(ss); /********************************/
7866 srvName = &ss->ssl3.prSpec->srvVirtName;
7867 if (srvName->len && srvName->data) {
7868 rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.srvName, srvName);
7869 }
7870 ssl_ReleaseSpecReadLock(ss); /************************************/
7871 if (rv != SECSuccess) {
7872 PORT_Free(sid);
7873 return NULL;
7874 }
7875 }
7876 sid->peerID = (ss->peerID == NULL) ? NULL : PORT_Strdup(ss->peerID);
7877 sid->urlSvrName = (ss->url == NULL) ? NULL : PORT_Strdup(ss->url);
7878 sid->addr = ss->sec.ci.peer;
7879 sid->port = ss->sec.ci.port;
7880 sid->references = 1;
7881 sid->cached = never_cached;
7882 sid->version = ss->version;
7883
7884 sid->u.ssl3.keys.resumable = PR_TRUE;
7885 sid->u.ssl3.policy = SSL_ALLOWED;
7886 sid->u.ssl3.clientWriteKey = NULL;
7887 sid->u.ssl3.serverWriteKey = NULL;
7888
7889 if (is_server) {
7890 SECStatus rv;
7891 int pid = SSL_GETPID();
7892
7893 sid->u.ssl3.sessionIDLength = SSL3_SESSIONID_BYTES;
7894 sid->u.ssl3.sessionID[0] = (pid >> 8) & 0xff;
7895 sid->u.ssl3.sessionID[1] = pid & 0xff;
7896 rv = PK11_GenerateRandom(sid->u.ssl3.sessionID + 2,
7897 SSL3_SESSIONID_BYTES -2);
7898 if (rv != SECSuccess) {
7899 ssl_FreeSID(sid);
7900 ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
7901 return NULL;
7902 }
7903 }
7904 return sid;
7905 }
7906
7907 /* Called from: ssl3_HandleClientHello, ssl3_HandleV2ClientHello */
7908 static SECStatus
7909 ssl3_SendServerHelloSequence(sslSocket *ss)
7910 {
7911 const ssl3KEADef *kea_def;
7912 SECStatus rv;
7913
7914 SSL_TRC(3, ("%d: SSL3[%d]: begin send server_hello sequence",
7915 SSL_GETPID(), ss->fd));
7916
7917 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
7918 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
7919
7920 rv = ssl3_SendServerHello(ss);
7921 if (rv != SECSuccess) {
7922 return rv; /* err code is set. */
7923 }
7924 rv = ssl3_SendCertificate(ss);
7925 if (rv != SECSuccess) {
7926 return rv; /* error code is set. */
7927 }
7928 rv = ssl3_SendCertificateStatus(ss);
7929 if (rv != SECSuccess) {
7930 return rv; /* error code is set. */
7931 }
7932 /* We have to do this after the call to ssl3_SendServerHello,
7933 * because kea_def is set up by ssl3_SendServerHello().
7934 */
7935 kea_def = ss->ssl3.hs.kea_def;
7936 ss->ssl3.hs.usedStepDownKey = PR_FALSE;
7937
7938 if (kea_def->is_limited && kea_def->exchKeyType == kt_rsa) {
7939 /* see if we can legally use the key in the cert. */
7940 int keyLen; /* bytes */
7941
7942 keyLen = PK11_GetPrivateModulusLen(
7943 ss->serverCerts[kea_def->exchKeyType].SERVERKEY);
7944
7945 if (keyLen > 0 &&
7946 keyLen * BPB <= kea_def->key_size_limit ) {
7947 /* XXX AND cert is not signing only!! */
7948 /* just fall through and use it. */
7949 } else if (ss->stepDownKeyPair != NULL) {
7950 ss->ssl3.hs.usedStepDownKey = PR_TRUE;
7951 rv = ssl3_SendServerKeyExchange(ss);
7952 if (rv != SECSuccess) {
7953 return rv; /* err code was set. */
7954 }
7955 } else {
7956 #ifndef HACKED_EXPORT_SERVER
7957 PORT_SetError(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED);
7958 return rv;
7959 #endif
7960 }
7961 #ifdef NSS_ENABLE_ECC
7962 } else if ((kea_def->kea == kea_ecdhe_rsa) ||
7963 (kea_def->kea == kea_ecdhe_ecdsa)) {
7964 rv = ssl3_SendServerKeyExchange(ss);
7965 if (rv != SECSuccess) {
7966 return rv; /* err code was set. */
7967 }
7968 #endif /* NSS_ENABLE_ECC */
7969 }
7970
7971 if (ss->opt.requestCertificate) {
7972 rv = ssl3_SendCertificateRequest(ss);
7973 if (rv != SECSuccess) {
7974 return rv; /* err code is set. */
7975 }
7976 }
7977 rv = ssl3_SendServerHelloDone(ss);
7978 if (rv != SECSuccess) {
7979 return rv; /* err code is set. */
7980 }
7981
7982 ss->ssl3.hs.ws = (ss->opt.requestCertificate) ? wait_client_cert
7983 : wait_client_key;
7984 return SECSuccess;
7985 }
7986
7987 /* An empty TLS Renegotiation Info (RI) extension */
7988 static const PRUint8 emptyRIext[5] = {0xff, 0x01, 0x00, 0x01, 0x00};
7989
7990 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
7991 * ssl3 Client Hello message.
7992 * Caller must hold Handshake and RecvBuf locks.
7993 */
7994 static SECStatus
7995 ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
7996 {
7997 sslSessionID * sid = NULL;
7998 PRInt32 tmp;
7999 unsigned int i;
8000 int j;
8001 SECStatus rv;
8002 int errCode = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO;
8003 SSL3AlertDescription desc = illegal_parameter;
8004 SSL3AlertLevel level = alert_fatal;
8005 SSL3ProtocolVersion version;
8006 SECItem sidBytes = {siBuffer, NULL, 0};
8007 SECItem cookieBytes = {siBuffer, NULL, 0};
8008 SECItem suites = {siBuffer, NULL, 0};
8009 SECItem comps = {siBuffer, NULL, 0};
8010 PRBool haveSpecWriteLock = PR_FALSE;
8011 PRBool haveXmitBufLock = PR_FALSE;
8012
8013 SSL_TRC(3, ("%d: SSL3[%d]: handle client_hello handshake",
8014 SSL_GETPID(), ss->fd));
8015
8016 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
8017 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
8018 PORT_Assert( ss->ssl3.initialized );
8019
8020 /* Get peer name of client */
8021 rv = ssl_GetPeerInfo(ss);
8022 if (rv != SECSuccess) {
8023 return rv; /* error code is set. */
8024 }
8025
8026 /* Clearing the handshake pointers so that ssl_Do1stHandshake won't
8027 * call ssl2_HandleMessage.
8028 *
8029 * The issue here is that TLS ordinarily starts out in
8030 * ssl2_HandleV3HandshakeRecord() because of the backward-compatibility
8031 * code paths. That function zeroes these next pointers. But with DTLS,
8032 * we don't even try to do the v2 ClientHello so we skip that function
8033 * and need to reset these values here.
8034 */
8035 if (IS_DTLS(ss)) {
8036 ss->nextHandshake = 0;
8037 ss->securityHandshake = 0;
8038 }
8039
8040 /* We might be starting session renegotiation in which case we should
8041 * clear previous state.
8042 */
8043 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
8044 ss->statelessResume = PR_FALSE;
8045
8046 if ((ss->ssl3.hs.ws != wait_client_hello) &&
8047 (ss->ssl3.hs.ws != idle_handshake)) {
8048 desc = unexpected_message;
8049 errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO;
8050 goto alert_loser;
8051 }
8052 if (ss->ssl3.hs.ws == idle_handshake &&
8053 ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) {
8054 desc = no_renegotiation;
8055 level = alert_warning;
8056 errCode = SSL_ERROR_RENEGOTIATION_NOT_ALLOWED;
8057 goto alert_loser;
8058 }
8059
8060 if (IS_DTLS(ss)) {
8061 dtls_RehandshakeCleanup(ss);
8062 }
8063
8064 tmp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
8065 if (tmp < 0)
8066 goto loser; /* malformed, alert already sent */
8067
8068 /* Translate the version */
8069 if (IS_DTLS(ss)) {
8070 ss->clientHelloVersion = version =
8071 dtls_DTLSVersionToTLSVersion((SSL3ProtocolVersion)tmp);
8072 } else {
8073 ss->clientHelloVersion = version = (SSL3ProtocolVersion)tmp;
8074 }
8075
8076 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE);
8077 if (rv != SECSuccess) {
8078 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version
8079 : handshake_failure;
8080 errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
8081 goto alert_loser;
8082 }
8083
8084 rv = ssl3_InitHandshakeHashes(ss);
8085 if (rv != SECSuccess) {
8086 desc = internal_error;
8087 errCode = PORT_GetError();
8088 goto alert_loser;
8089 }
8090
8091 /* grab the client random data. */
8092 rv = ssl3_ConsumeHandshake(
8093 ss, &ss->ssl3.hs.client_random, SSL3_RANDOM_LENGTH, &b, &length);
8094 if (rv != SECSuccess) {
8095 goto loser; /* malformed */
8096 }
8097
8098 /* grab the client's SID, if present. */
8099 rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length);
8100 if (rv != SECSuccess) {
8101 goto loser; /* malformed */
8102 }
8103
8104 /* grab the client's cookie, if present. */
8105 if (IS_DTLS(ss)) {
8106 rv = ssl3_ConsumeHandshakeVariable(ss, &cookieBytes, 1, &b, &length);
8107 if (rv != SECSuccess) {
8108 goto loser; /* malformed */
8109 }
8110 }
8111
8112 /* grab the list of cipher suites. */
8113 rv = ssl3_ConsumeHandshakeVariable(ss, &suites, 2, &b, &length);
8114 if (rv != SECSuccess) {
8115 goto loser; /* malformed */
8116 }
8117
8118 /* If the ClientHello version is less than our maximum version, check for a
8119 * TLS_FALLBACK_SCSV and reject the connection if found. */
8120 if (ss->vrange.max > ss->clientHelloVersion) {
8121 for (i = 0; i + 1 < suites.len; i += 2) {
8122 PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1];
8123 if (suite_i != TLS_FALLBACK_SCSV)
8124 continue;
8125 desc = inappropriate_fallback;
8126 errCode = SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT;
8127 goto alert_loser;
8128 }
8129 }
8130
8131 /* grab the list of compression methods. */
8132 rv = ssl3_ConsumeHandshakeVariable(ss, &comps, 1, &b, &length);
8133 if (rv != SECSuccess) {
8134 goto loser; /* malformed */
8135 }
8136
8137 desc = handshake_failure;
8138
8139 /* Handle TLS hello extensions for SSL3 & TLS. We do not know if
8140 * we are restarting a previous session until extensions have been
8141 * parsed, since we might have received a SessionTicket extension.
8142 * Note: we allow extensions even when negotiating SSL3 for the sake
8143 * of interoperability (and backwards compatibility).
8144 */
8145
8146 if (length) {
8147 /* Get length of hello extensions */
8148 PRInt32 extension_length;
8149 extension_length = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
8150 if (extension_length < 0) {
8151 goto loser; /* alert already sent */
8152 }
8153 if (extension_length != length) {
8154 ssl3_DecodeError(ss); /* send alert */
8155 goto loser;
8156 }
8157 rv = ssl3_HandleHelloExtensions(ss, &b, &length);
8158 if (rv != SECSuccess) {
8159 goto loser; /* malformed */
8160 }
8161 }
8162 if (!ssl3_ExtensionNegotiated(ss, ssl_renegotiation_info_xtn)) {
8163 /* If we didn't receive an RI extension, look for the SCSV,
8164 * and if found, treat it just like an empty RI extension
8165 * by processing a local copy of an empty RI extension.
8166 */
8167 for (i = 0; i + 1 < suites.len; i += 2) {
8168 PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1];
8169 if (suite_i == TLS_EMPTY_RENEGOTIATION_INFO_SCSV) {
8170 SSL3Opaque * b2 = (SSL3Opaque *)emptyRIext;
8171 PRUint32 L2 = sizeof emptyRIext;
8172 (void)ssl3_HandleHelloExtensions(ss, &b2, &L2);
8173 break;
8174 }
8175 }
8176 }
8177 if (ss->firstHsDone &&
8178 (ss->opt.enableRenegotiation == SSL_RENEGOTIATE_REQUIRES_XTN ||
8179 ss->opt.enableRenegotiation == SSL_RENEGOTIATE_TRANSITIONAL) &&
8180 !ssl3_ExtensionNegotiated(ss, ssl_renegotiation_info_xtn)) {
8181 desc = no_renegotiation;
8182 level = alert_warning;
8183 errCode = SSL_ERROR_RENEGOTIATION_NOT_ALLOWED;
8184 goto alert_loser;
8185 }
8186 if ((ss->opt.requireSafeNegotiation ||
8187 (ss->firstHsDone && ss->peerRequestedProtection)) &&
8188 !ssl3_ExtensionNegotiated(ss, ssl_renegotiation_info_xtn)) {
8189 desc = handshake_failure;
8190 errCode = SSL_ERROR_UNSAFE_NEGOTIATION;
8191 goto alert_loser;
8192 }
8193
8194 /* We do stateful resumes only if either of the following
8195 * conditions are satisfied: (1) the client does not support the
8196 * session ticket extension, or (2) the client support the session
8197 * ticket extension, but sent an empty ticket.
8198 */
8199 if (!ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn) ||
8200 ss->xtnData.emptySessionTicket) {
8201 if (sidBytes.len > 0 && !ss->opt.noCache) {
8202 SSL_TRC(7, ("%d: SSL3[%d]: server, lookup client session-id for 0x%0 8x%08x%08x%08x",
8203 SSL_GETPID(), ss->fd, ss->sec.ci.peer.pr_s6_addr32[0],
8204 ss->sec.ci.peer.pr_s6_addr32[1],
8205 ss->sec.ci.peer.pr_s6_addr32[2],
8206 ss->sec.ci.peer.pr_s6_addr32[3]));
8207 if (ssl_sid_lookup) {
8208 sid = (*ssl_sid_lookup)(&ss->sec.ci.peer, sidBytes.data,
8209 sidBytes.len, ss->dbHandle);
8210 } else {
8211 errCode = SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED;
8212 goto loser;
8213 }
8214 }
8215 } else if (ss->statelessResume) {
8216 /* Fill in the client's session ID if doing a stateless resume.
8217 * (When doing stateless resumes, server echos client's SessionID.)
8218 */
8219 sid = ss->sec.ci.sid;
8220 PORT_Assert(sid != NULL); /* Should have already been filled in.*/
8221
8222 if (sidBytes.len > 0 && sidBytes.len <= SSL3_SESSIONID_BYTES) {
8223 sid->u.ssl3.sessionIDLength = sidBytes.len;
8224 PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data,
8225 sidBytes.len);
8226 sid->u.ssl3.sessionIDLength = sidBytes.len;
8227 } else {
8228 sid->u.ssl3.sessionIDLength = 0;
8229 }
8230 ss->sec.ci.sid = NULL;
8231 }
8232
8233 /* We only send a session ticket extension if the client supports
8234 * the extension and we are unable to do either a stateful or
8235 * stateless resume.
8236 *
8237 * TODO: send a session ticket if performing a stateful
8238 * resumption. (As per RFC4507, a server may issue a session
8239 * ticket while doing a (stateless or stateful) session resume,
8240 * but OpenSSL-0.9.8g does not accept session tickets while
8241 * resuming.)
8242 */
8243 if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn) && sid == NULL) {
8244 ssl3_RegisterServerHelloExtensionSender(ss,
8245 ssl_session_ticket_xtn, ssl3_SendSessionTicketXtn);
8246 }
8247
8248 if (sid != NULL) {
8249 /* We've found a session cache entry for this client.
8250 * Now, if we're going to require a client-auth cert,
8251 * and we don't already have this client's cert in the session cache,
8252 * and this is the first handshake on this connection (not a redo),
8253 * then drop this old cache entry and start a new session.
8254 */
8255 if ((sid->peerCert == NULL) && ss->opt.requestCertificate &&
8256 ((ss->opt.requireCertificate == SSL_REQUIRE_ALWAYS) ||
8257 (ss->opt.requireCertificate == SSL_REQUIRE_NO_ERROR) ||
8258 ((ss->opt.requireCertificate == SSL_REQUIRE_FIRST_HANDSHAKE)
8259 && !ss->firstHsDone))) {
8260
8261 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_not_ok );
8262 if (ss->sec.uncache)
8263 ss->sec.uncache(sid);
8264 ssl_FreeSID(sid);
8265 sid = NULL;
8266 }
8267 }
8268
8269 #ifdef NSS_ENABLE_ECC
8270 /* Disable any ECC cipher suites for which we have no cert. */
8271 ssl3_FilterECCipherSuitesByServerCerts(ss);
8272 #endif
8273
8274 if (IS_DTLS(ss)) {
8275 ssl3_DisableNonDTLSSuites(ss);
8276 }
8277
8278 if (!ssl3_HasGCMSupport()) {
8279 ssl3_DisableGCMSuites(ss);
8280 }
8281
8282 #ifdef PARANOID
8283 /* Look for a matching cipher suite. */
8284 j = ssl3_config_match_init(ss);
8285 if (j <= 0) { /* no ciphers are working/supported by PK11 */
8286 errCode = PORT_GetError(); /* error code is already set. */
8287 goto alert_loser;
8288 }
8289 #endif
8290
8291 /* If we already have a session for this client, be sure to pick the
8292 ** same cipher suite and compression method we picked before.
8293 ** This is not a loop, despite appearances.
8294 */
8295 if (sid) do {
8296 ssl3CipherSuiteCfg *suite;
8297 #ifdef PARANOID
8298 SSLVersionRange vrange = {ss->version, ss->version};
8299 #endif
8300
8301 /* Check that the cached compression method is still enabled. */
8302 if (!compressionEnabled(ss, sid->u.ssl3.compression))
8303 break;
8304
8305 /* Check that the cached compression method is in the client's list */
8306 for (i = 0; i < comps.len; i++) {
8307 if (comps.data[i] == sid->u.ssl3.compression)
8308 break;
8309 }
8310 if (i == comps.len)
8311 break;
8312
8313 suite = ss->cipherSuites;
8314 /* Find the entry for the cipher suite used in the cached session. */
8315 for (j = ssl_V3_SUITES_IMPLEMENTED; j > 0; --j, ++suite) {
8316 if (suite->cipher_suite == sid->u.ssl3.cipherSuite)
8317 break;
8318 }
8319 PORT_Assert(j > 0);
8320 if (j <= 0)
8321 break;
8322 #ifdef PARANOID
8323 /* Double check that the cached cipher suite is still enabled,
8324 * implemented, and allowed by policy. Might have been disabled.
8325 * The product policy won't change during the process lifetime.
8326 * Implemented ("isPresent") shouldn't change for servers.
8327 */
8328 if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange))
8329 break;
8330 #else
8331 if (!suite->enabled)
8332 break;
8333 #endif
8334 /* Double check that the cached cipher suite is in the client's list */
8335 for (i = 0; i + 1 < suites.len; i += 2) {
8336 PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1];
8337 if (suite_i == suite->cipher_suite) {
8338 ss->ssl3.hs.cipher_suite = suite->cipher_suite;
8339 ss->ssl3.hs.suite_def =
8340 ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite);
8341
8342 /* Use the cached compression method. */
8343 ss->ssl3.hs.compression = sid->u.ssl3.compression;
8344 goto compression_found;
8345 }
8346 }
8347 } while (0);
8348
8349 /* START A NEW SESSION */
8350
8351 #ifndef PARANOID
8352 /* Look for a matching cipher suite. */
8353 j = ssl3_config_match_init(ss);
8354 if (j <= 0) { /* no ciphers are working/supported by PK11 */
8355 errCode = PORT_GetError(); /* error code is already set. */
8356 goto alert_loser;
8357 }
8358 #endif
8359
8360 /* Select a cipher suite.
8361 **
8362 ** NOTE: This suite selection algorithm should be the same as the one in
8363 ** ssl3_HandleV2ClientHello().
8364 **
8365 ** If TLS 1.0 is enabled, we could handle the case where the client
8366 ** offered TLS 1.1 but offered only export cipher suites by choosing TLS
8367 ** 1.0 and selecting one of those export cipher suites. However, a secure
8368 ** TLS 1.1 client should not have export cipher suites enabled at all,
8369 ** and a TLS 1.1 client should definitely not be offering *only* export
8370 ** cipher suites. Therefore, we refuse to negotiate export cipher suites
8371 ** with any client that indicates support for TLS 1.1 or higher when we
8372 ** (the server) have TLS 1.1 support enabled.
8373 */
8374 for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
8375 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
8376 SSLVersionRange vrange = {ss->version, ss->version};
8377 if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) {
8378 continue;
8379 }
8380 for (i = 0; i + 1 < suites.len; i += 2) {
8381 PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1];
8382 if (suite_i == suite->cipher_suite) {
8383 ss->ssl3.hs.cipher_suite = suite->cipher_suite;
8384 ss->ssl3.hs.suite_def =
8385 ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite);
8386 goto suite_found;
8387 }
8388 }
8389 }
8390 errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
8391 goto alert_loser;
8392
8393 suite_found:
8394 /* Select a compression algorithm. */
8395 for (i = 0; i < comps.len; i++) {
8396 if (!compressionEnabled(ss, comps.data[i]))
8397 continue;
8398 for (j = 0; j < compressionMethodsCount; j++) {
8399 if (comps.data[i] == compressions[j]) {
8400 ss->ssl3.hs.compression =
8401 (SSLCompressionMethod)compressions[j];
8402 goto compression_found;
8403 }
8404 }
8405 }
8406 errCode = SSL_ERROR_NO_COMPRESSION_OVERLAP;
8407 /* null compression must be supported */
8408 goto alert_loser;
8409
8410 compression_found:
8411 suites.data = NULL;
8412 comps.data = NULL;
8413
8414 ss->sec.send = ssl3_SendApplicationData;
8415
8416 /* If there are any failures while processing the old sid,
8417 * we don't consider them to be errors. Instead, We just behave
8418 * as if the client had sent us no sid to begin with, and make a new one.
8419 */
8420 if (sid != NULL) do {
8421 ssl3CipherSpec *pwSpec;
8422 SECItem wrappedMS; /* wrapped key */
8423
8424 if (sid->version != ss->version ||
8425 sid->u.ssl3.cipherSuite != ss->ssl3.hs.cipher_suite ||
8426 sid->u.ssl3.compression != ss->ssl3.hs.compression) {
8427 break; /* not an error */
8428 }
8429
8430 if (ss->sec.ci.sid) {
8431 if (ss->sec.uncache)
8432 ss->sec.uncache(ss->sec.ci.sid);
8433 PORT_Assert(ss->sec.ci.sid != sid); /* should be impossible, but .. . */
8434 if (ss->sec.ci.sid != sid) {
8435 ssl_FreeSID(ss->sec.ci.sid);
8436 }
8437 ss->sec.ci.sid = NULL;
8438 }
8439 /* we need to resurrect the master secret.... */
8440
8441 ssl_GetSpecWriteLock(ss); haveSpecWriteLock = PR_TRUE;
8442 pwSpec = ss->ssl3.pwSpec;
8443 if (sid->u.ssl3.keys.msIsWrapped) {
8444 PK11SymKey * wrapKey; /* wrapping key */
8445 CK_FLAGS keyFlags = 0;
8446 #ifndef NO_PKCS11_BYPASS
8447 if (ss->opt.bypassPKCS11) {
8448 /* we cannot restart a non-bypass session in a
8449 ** bypass socket.
8450 */
8451 break;
8452 }
8453 #endif
8454
8455 wrapKey = getWrappingKey(ss, NULL, sid->u.ssl3.exchKeyType,
8456 sid->u.ssl3.masterWrapMech,
8457 ss->pkcs11PinArg);
8458 if (!wrapKey) {
8459 /* we have a SID cache entry, but no wrapping key for it??? */
8460 break;
8461 }
8462
8463 if (ss->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */
8464 keyFlags = CKF_SIGN | CKF_VERIFY;
8465 }
8466
8467 wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
8468 wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len;
8469
8470 /* unwrap the master secret. */
8471 pwSpec->master_secret =
8472 PK11_UnwrapSymKeyWithFlags(wrapKey, sid->u.ssl3.masterWrapMech,
8473 NULL, &wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE,
8474 CKA_DERIVE, sizeof(SSL3MasterSecret), keyFlags);
8475 PK11_FreeSymKey(wrapKey);
8476 if (pwSpec->master_secret == NULL) {
8477 break; /* not an error */
8478 }
8479 #ifndef NO_PKCS11_BYPASS
8480 } else if (ss->opt.bypassPKCS11) {
8481 wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
8482 wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len;
8483 memcpy(pwSpec->raw_master_secret, wrappedMS.data, wrappedMS.len);
8484 pwSpec->msItem.data = pwSpec->raw_master_secret;
8485 pwSpec->msItem.len = wrappedMS.len;
8486 #endif
8487 } else {
8488 /* We CAN restart a bypass session in a non-bypass socket. */
8489 /* need to import the raw master secret to session object */
8490 PK11SlotInfo * slot;
8491 wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
8492 wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len;
8493 slot = PK11_GetInternalSlot();
8494 pwSpec->master_secret =
8495 PK11_ImportSymKey(slot, CKM_SSL3_MASTER_KEY_DERIVE,
8496 PK11_OriginUnwrap, CKA_ENCRYPT, &wrappedMS,
8497 NULL);
8498 PK11_FreeSlot(slot);
8499 if (pwSpec->master_secret == NULL) {
8500 break; /* not an error */
8501 }
8502 }
8503 ss->sec.ci.sid = sid;
8504 if (sid->peerCert != NULL) {
8505 ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
8506 ssl3_CopyPeerCertsFromSID(ss, sid);
8507 }
8508
8509 /*
8510 * Old SID passed all tests, so resume this old session.
8511 *
8512 * XXX make sure compression still matches
8513 */
8514 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_hits );
8515 if (ss->statelessResume)
8516 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_stateless_resumes );
8517 ss->ssl3.hs.isResuming = PR_TRUE;
8518
8519 ss->sec.authAlgorithm = sid->authAlgorithm;
8520 ss->sec.authKeyBits = sid->authKeyBits;
8521 ss->sec.keaType = sid->keaType;
8522 ss->sec.keaKeyBits = sid->keaKeyBits;
8523
8524 /* server sids don't remember the server cert we previously sent,
8525 ** but they do remember the kea type we originally used, so we
8526 ** can locate it again, provided that the current ssl socket
8527 ** has had its server certs configured the same as the previous one.
8528 */
8529 ss->sec.localCert =
8530 CERT_DupCertificate(ss->serverCerts[sid->keaType].serverCert);
8531
8532 /* Copy cached name in to pending spec */
8533 if (sid != NULL &&
8534 sid->version > SSL_LIBRARY_VERSION_3_0 &&
8535 sid->u.ssl3.srvName.len && sid->u.ssl3.srvName.data) {
8536 /* Set server name from sid */
8537 SECItem *sidName = &sid->u.ssl3.srvName;
8538 SECItem *pwsName = &ss->ssl3.pwSpec->srvVirtName;
8539 if (pwsName->data) {
8540 SECITEM_FreeItem(pwsName, PR_FALSE);
8541 }
8542 rv = SECITEM_CopyItem(NULL, pwsName, sidName);
8543 if (rv != SECSuccess) {
8544 errCode = PORT_GetError();
8545 desc = internal_error;
8546 goto alert_loser;
8547 }
8548 }
8549
8550 /* Clean up sni name array */
8551 if (ssl3_ExtensionNegotiated(ss, ssl_server_name_xtn) &&
8552 ss->xtnData.sniNameArr) {
8553 PORT_Free(ss->xtnData.sniNameArr);
8554 ss->xtnData.sniNameArr = NULL;
8555 ss->xtnData.sniNameArrSize = 0;
8556 }
8557
8558 ssl_GetXmitBufLock(ss); haveXmitBufLock = PR_TRUE;
8559
8560 rv = ssl3_SendServerHello(ss);
8561 if (rv != SECSuccess) {
8562 errCode = PORT_GetError();
8563 goto loser;
8564 }
8565
8566 if (haveSpecWriteLock) {
8567 ssl_ReleaseSpecWriteLock(ss);
8568 haveSpecWriteLock = PR_FALSE;
8569 }
8570
8571 /* NULL value for PMS signifies re-use of the old MS */
8572 rv = ssl3_InitPendingCipherSpec(ss, NULL);
8573 if (rv != SECSuccess) {
8574 errCode = PORT_GetError();
8575 goto loser;
8576 }
8577
8578 rv = ssl3_SendChangeCipherSpecs(ss);
8579 if (rv != SECSuccess) {
8580 errCode = PORT_GetError();
8581 goto loser;
8582 }
8583 rv = ssl3_SendFinished(ss, 0);
8584 ss->ssl3.hs.ws = wait_change_cipher;
8585 if (rv != SECSuccess) {
8586 errCode = PORT_GetError();
8587 goto loser;
8588 }
8589
8590 if (haveXmitBufLock) {
8591 ssl_ReleaseXmitBufLock(ss);
8592 haveXmitBufLock = PR_FALSE;
8593 }
8594
8595 return SECSuccess;
8596 } while (0);
8597
8598 if (haveSpecWriteLock) {
8599 ssl_ReleaseSpecWriteLock(ss);
8600 haveSpecWriteLock = PR_FALSE;
8601 }
8602
8603 if (sid) { /* we had a sid, but it's no longer valid, free it */
8604 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_not_ok );
8605 if (ss->sec.uncache)
8606 ss->sec.uncache(sid);
8607 ssl_FreeSID(sid);
8608 sid = NULL;
8609 }
8610 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_misses );
8611
8612 if (ssl3_ExtensionNegotiated(ss, ssl_server_name_xtn)) {
8613 int ret = 0;
8614 if (ss->sniSocketConfig) do { /* not a loop */
8615 ret = SSL_SNI_SEND_ALERT;
8616 /* If extension is negotiated, the len of names should > 0. */
8617 if (ss->xtnData.sniNameArrSize) {
8618 /* Calling client callback to reconfigure the socket. */
8619 ret = (SECStatus)(*ss->sniSocketConfig)(ss->fd,
8620 ss->xtnData.sniNameArr,
8621 ss->xtnData.sniNameArrSize,
8622 ss->sniSocketConfigArg);
8623 }
8624 if (ret <= SSL_SNI_SEND_ALERT) {
8625 /* Application does not know the name or was not able to
8626 * properly reconfigure the socket. */
8627 errCode = SSL_ERROR_UNRECOGNIZED_NAME_ALERT;
8628 desc = unrecognized_name;
8629 break;
8630 } else if (ret == SSL_SNI_CURRENT_CONFIG_IS_USED) {
8631 SECStatus rv = SECSuccess;
8632 SECItem * cwsName, *pwsName;
8633
8634 ssl_GetSpecWriteLock(ss); /*******************************/
8635 pwsName = &ss->ssl3.pwSpec->srvVirtName;
8636 cwsName = &ss->ssl3.cwSpec->srvVirtName;
8637 #ifndef SSL_SNI_ALLOW_NAME_CHANGE_2HS
8638 /* not allow name change on the 2d HS */
8639 if (ss->firstHsDone) {
8640 if (ssl3_ServerNameCompare(pwsName, cwsName)) {
8641 ssl_ReleaseSpecWriteLock(ss); /******************/
8642 errCode = SSL_ERROR_UNRECOGNIZED_NAME_ALERT;
8643 desc = handshake_failure;
8644 ret = SSL_SNI_SEND_ALERT;
8645 break;
8646 }
8647 }
8648 #endif
8649 if (pwsName->data) {
8650 SECITEM_FreeItem(pwsName, PR_FALSE);
8651 }
8652 if (cwsName->data) {
8653 rv = SECITEM_CopyItem(NULL, pwsName, cwsName);
8654 }
8655 ssl_ReleaseSpecWriteLock(ss); /**************************/
8656 if (rv != SECSuccess) {
8657 errCode = SSL_ERROR_INTERNAL_ERROR_ALERT;
8658 desc = internal_error;
8659 ret = SSL_SNI_SEND_ALERT;
8660 break;
8661 }
8662 } else if (ret < ss->xtnData.sniNameArrSize) {
8663 /* Application has configured new socket info. Lets check it
8664 * and save the name. */
8665 SECStatus rv;
8666 SECItem * name = &ss->xtnData.sniNameArr[ret];
8667 int configedCiphers;
8668 SECItem * pwsName;
8669
8670 /* get rid of the old name and save the newly picked. */
8671 /* This code is protected by ssl3HandshakeLock. */
8672 ssl_GetSpecWriteLock(ss); /*******************************/
8673 #ifndef SSL_SNI_ALLOW_NAME_CHANGE_2HS
8674 /* not allow name change on the 2d HS */
8675 if (ss->firstHsDone) {
8676 SECItem *cwsName = &ss->ssl3.cwSpec->srvVirtName;
8677 if (ssl3_ServerNameCompare(name, cwsName)) {
8678 ssl_ReleaseSpecWriteLock(ss); /******************/
8679 errCode = SSL_ERROR_UNRECOGNIZED_NAME_ALERT;
8680 desc = handshake_failure;
8681 ret = SSL_SNI_SEND_ALERT;
8682 break;
8683 }
8684 }
8685 #endif
8686 pwsName = &ss->ssl3.pwSpec->srvVirtName;
8687 if (pwsName->data) {
8688 SECITEM_FreeItem(pwsName, PR_FALSE);
8689 }
8690 rv = SECITEM_CopyItem(NULL, pwsName, name);
8691 ssl_ReleaseSpecWriteLock(ss); /***************************/
8692 if (rv != SECSuccess) {
8693 errCode = SSL_ERROR_INTERNAL_ERROR_ALERT;
8694 desc = internal_error;
8695 ret = SSL_SNI_SEND_ALERT;
8696 break;
8697 }
8698 configedCiphers = ssl3_config_match_init(ss);
8699 if (configedCiphers <= 0) {
8700 /* no ciphers are working/supported */
8701 errCode = PORT_GetError();
8702 desc = handshake_failure;
8703 ret = SSL_SNI_SEND_ALERT;
8704 break;
8705 }
8706 /* Need to tell the client that application has picked
8707 * the name from the offered list and reconfigured the socket.
8708 */
8709 ssl3_RegisterServerHelloExtensionSender(ss, ssl_server_name_xtn,
8710 ssl3_SendServerNameXtn);
8711 } else {
8712 /* Callback returned index outside of the boundary. */
8713 PORT_Assert(ret < ss->xtnData.sniNameArrSize);
8714 errCode = SSL_ERROR_INTERNAL_ERROR_ALERT;
8715 desc = internal_error;
8716 ret = SSL_SNI_SEND_ALERT;
8717 break;
8718 }
8719 } while (0);
8720 /* Free sniNameArr. The data that each SECItem in the array
8721 * points into is the data from the input buffer "b". It will
8722 * not be available outside the scope of this or it's child
8723 * functions.*/
8724 if (ss->xtnData.sniNameArr) {
8725 PORT_Free(ss->xtnData.sniNameArr);
8726 ss->xtnData.sniNameArr = NULL;
8727 ss->xtnData.sniNameArrSize = 0;
8728 }
8729 if (ret <= SSL_SNI_SEND_ALERT) {
8730 /* desc and errCode should be set. */
8731 goto alert_loser;
8732 }
8733 }
8734 #ifndef SSL_SNI_ALLOW_NAME_CHANGE_2HS
8735 else if (ss->firstHsDone) {
8736 /* Check that we don't have the name is current spec
8737 * if this extension was not negotiated on the 2d hs. */
8738 PRBool passed = PR_TRUE;
8739 ssl_GetSpecReadLock(ss); /*******************************/
8740 if (ss->ssl3.cwSpec->srvVirtName.data) {
8741 passed = PR_FALSE;
8742 }
8743 ssl_ReleaseSpecReadLock(ss); /***************************/
8744 if (!passed) {
8745 errCode = SSL_ERROR_UNRECOGNIZED_NAME_ALERT;
8746 desc = handshake_failure;
8747 goto alert_loser;
8748 }
8749 }
8750 #endif
8751
8752 sid = ssl3_NewSessionID(ss, PR_TRUE);
8753 if (sid == NULL) {
8754 errCode = PORT_GetError();
8755 goto loser; /* memory error is set. */
8756 }
8757 ss->sec.ci.sid = sid;
8758
8759 ss->ssl3.hs.isResuming = PR_FALSE;
8760 ssl_GetXmitBufLock(ss);
8761 rv = ssl3_SendServerHelloSequence(ss);
8762 ssl_ReleaseXmitBufLock(ss);
8763 if (rv != SECSuccess) {
8764 errCode = PORT_GetError();
8765 goto loser;
8766 }
8767
8768 if (haveXmitBufLock) {
8769 ssl_ReleaseXmitBufLock(ss);
8770 haveXmitBufLock = PR_FALSE;
8771 }
8772
8773 return SECSuccess;
8774
8775 alert_loser:
8776 if (haveSpecWriteLock) {
8777 ssl_ReleaseSpecWriteLock(ss);
8778 haveSpecWriteLock = PR_FALSE;
8779 }
8780 (void)SSL3_SendAlert(ss, level, desc);
8781 /* FALLTHRU */
8782 loser:
8783 if (haveSpecWriteLock) {
8784 ssl_ReleaseSpecWriteLock(ss);
8785 haveSpecWriteLock = PR_FALSE;
8786 }
8787
8788 if (haveXmitBufLock) {
8789 ssl_ReleaseXmitBufLock(ss);
8790 haveXmitBufLock = PR_FALSE;
8791 }
8792
8793 PORT_SetError(errCode);
8794 return SECFailure;
8795 }
8796
8797 /*
8798 * ssl3_HandleV2ClientHello is used when a V2 formatted hello comes
8799 * in asking to use the V3 handshake.
8800 * Called from ssl2_HandleClientHelloMessage() in sslcon.c
8801 */
8802 SECStatus
8803 ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buffer, int length)
8804 {
8805 sslSessionID * sid = NULL;
8806 unsigned char * suites;
8807 unsigned char * random;
8808 SSL3ProtocolVersion version;
8809 SECStatus rv;
8810 int i;
8811 int j;
8812 int sid_length;
8813 int suite_length;
8814 int rand_length;
8815 int errCode = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO;
8816 SSL3AlertDescription desc = handshake_failure;
8817
8818 SSL_TRC(3, ("%d: SSL3[%d]: handle v2 client_hello", SSL_GETPID(), ss->fd));
8819
8820 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
8821
8822 ssl_GetSSL3HandshakeLock(ss);
8823
8824 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
8825
8826 rv = ssl3_InitState(ss);
8827 if (rv != SECSuccess) {
8828 ssl_ReleaseSSL3HandshakeLock(ss);
8829 return rv; /* ssl3_InitState has set the error code. */
8830 }
8831 rv = ssl3_RestartHandshakeHashes(ss);
8832 if (rv != SECSuccess) {
8833 ssl_ReleaseSSL3HandshakeLock(ss);
8834 return rv;
8835 }
8836
8837 if (ss->ssl3.hs.ws != wait_client_hello) {
8838 desc = unexpected_message;
8839 errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO;
8840 goto loser; /* alert_loser */
8841 }
8842
8843 version = (buffer[1] << 8) | buffer[2];
8844 suite_length = (buffer[3] << 8) | buffer[4];
8845 sid_length = (buffer[5] << 8) | buffer[6];
8846 rand_length = (buffer[7] << 8) | buffer[8];
8847 ss->clientHelloVersion = version;
8848
8849 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE);
8850 if (rv != SECSuccess) {
8851 /* send back which ever alert client will understand. */
8852 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version : handshak e_failure;
8853 errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
8854 goto alert_loser;
8855 }
8856
8857 rv = ssl3_InitHandshakeHashes(ss);
8858 if (rv != SECSuccess) {
8859 desc = internal_error;
8860 errCode = PORT_GetError();
8861 goto alert_loser;
8862 }
8863
8864 /* if we get a non-zero SID, just ignore it. */
8865 if (length !=
8866 SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length + rand_length) {
8867 SSL_DBG(("%d: SSL3[%d]: bad v2 client hello message, len=%d should=%d",
8868 SSL_GETPID(), ss->fd, length,
8869 SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length +
8870 rand_length));
8871 goto loser; /* malformed */ /* alert_loser */
8872 }
8873
8874 suites = buffer + SSL_HL_CLIENT_HELLO_HBYTES;
8875 random = suites + suite_length + sid_length;
8876
8877 if (rand_length < SSL_MIN_CHALLENGE_BYTES ||
8878 rand_length > SSL_MAX_CHALLENGE_BYTES) {
8879 goto loser; /* malformed */ /* alert_loser */
8880 }
8881
8882 PORT_Assert(SSL_MAX_CHALLENGE_BYTES == SSL3_RANDOM_LENGTH);
8883
8884 PORT_Memset(&ss->ssl3.hs.client_random, 0, SSL3_RANDOM_LENGTH);
8885 PORT_Memcpy(
8886 &ss->ssl3.hs.client_random.rand[SSL3_RANDOM_LENGTH - rand_length],
8887 random, rand_length);
8888
8889 PRINT_BUF(60, (ss, "client random:", &ss->ssl3.hs.client_random.rand[0],
8890 SSL3_RANDOM_LENGTH));
8891 #ifdef NSS_ENABLE_ECC
8892 /* Disable any ECC cipher suites for which we have no cert. */
8893 ssl3_FilterECCipherSuitesByServerCerts(ss);
8894 #endif
8895 i = ssl3_config_match_init(ss);
8896 if (i <= 0) {
8897 errCode = PORT_GetError(); /* error code is already set. */
8898 goto alert_loser;
8899 }
8900
8901 /* Select a cipher suite.
8902 **
8903 ** NOTE: This suite selection algorithm should be the same as the one in
8904 ** ssl3_HandleClientHello().
8905 **
8906 ** See the comments about export cipher suites in ssl3_HandleClientHello().
8907 */
8908 for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
8909 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
8910 SSLVersionRange vrange = {ss->version, ss->version};
8911 if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) {
8912 continue;
8913 }
8914 for (i = 0; i+2 < suite_length; i += 3) {
8915 PRUint32 suite_i = (suites[i] << 16)|(suites[i+1] << 8)|suites[i+2];
8916 if (suite_i == suite->cipher_suite) {
8917 ss->ssl3.hs.cipher_suite = suite->cipher_suite;
8918 ss->ssl3.hs.suite_def =
8919 ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite);
8920 goto suite_found;
8921 }
8922 }
8923 }
8924 errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
8925 goto alert_loser;
8926
8927 suite_found:
8928
8929 /* Look for the SCSV, and if found, treat it just like an empty RI
8930 * extension by processing a local copy of an empty RI extension.
8931 */
8932 for (i = 0; i+2 < suite_length; i += 3) {
8933 PRUint32 suite_i = (suites[i] << 16) | (suites[i+1] << 8) | suites[i+2];
8934 if (suite_i == TLS_EMPTY_RENEGOTIATION_INFO_SCSV) {
8935 SSL3Opaque * b2 = (SSL3Opaque *)emptyRIext;
8936 PRUint32 L2 = sizeof emptyRIext;
8937 (void)ssl3_HandleHelloExtensions(ss, &b2, &L2);
8938 break;
8939 }
8940 }
8941
8942 if (ss->opt.requireSafeNegotiation &&
8943 !ssl3_ExtensionNegotiated(ss, ssl_renegotiation_info_xtn)) {
8944 desc = handshake_failure;
8945 errCode = SSL_ERROR_UNSAFE_NEGOTIATION;
8946 goto alert_loser;
8947 }
8948
8949 ss->ssl3.hs.compression = ssl_compression_null;
8950 ss->sec.send = ssl3_SendApplicationData;
8951
8952 /* we don't even search for a cache hit here. It's just a miss. */
8953 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_misses );
8954 sid = ssl3_NewSessionID(ss, PR_TRUE);
8955 if (sid == NULL) {
8956 errCode = PORT_GetError();
8957 goto loser; /* memory error is set. */
8958 }
8959 ss->sec.ci.sid = sid;
8960 /* do not worry about memory leak of sid since it now belongs to ci */
8961
8962 /* We have to update the handshake hashes before we can send stuff */
8963 rv = ssl3_UpdateHandshakeHashes(ss, buffer, length);
8964 if (rv != SECSuccess) {
8965 errCode = PORT_GetError();
8966 goto loser;
8967 }
8968
8969 ssl_GetXmitBufLock(ss);
8970 rv = ssl3_SendServerHelloSequence(ss);
8971 ssl_ReleaseXmitBufLock(ss);
8972 if (rv != SECSuccess) {
8973 errCode = PORT_GetError();
8974 goto loser;
8975 }
8976
8977 /* XXX_1 The call stack to here is:
8978 * ssl_Do1stHandshake -> ssl2_HandleClientHelloMessage -> here.
8979 * ssl2_HandleClientHelloMessage returns whatever we return here.
8980 * ssl_Do1stHandshake will continue looping if it gets back either
8981 * SECSuccess or SECWouldBlock.
8982 * SECSuccess is preferable here. See XXX_1 in sslgathr.c.
8983 */
8984 ssl_ReleaseSSL3HandshakeLock(ss);
8985 return SECSuccess;
8986
8987 alert_loser:
8988 SSL3_SendAlert(ss, alert_fatal, desc);
8989 loser:
8990 ssl_ReleaseSSL3HandshakeLock(ss);
8991 PORT_SetError(errCode);
8992 return SECFailure;
8993 }
8994
8995 /* The negotiated version number has been already placed in ss->version.
8996 **
8997 ** Called from: ssl3_HandleClientHello (resuming session),
8998 ** ssl3_SendServerHelloSequence <- ssl3_HandleClientHello (new session),
8999 ** ssl3_SendServerHelloSequence <- ssl3_HandleV2ClientHello (new session)
9000 */
9001 static SECStatus
9002 ssl3_SendServerHello(sslSocket *ss)
9003 {
9004 sslSessionID *sid;
9005 SECStatus rv;
9006 PRUint32 maxBytes = 65535;
9007 PRUint32 length;
9008 PRInt32 extensions_len = 0;
9009 SSL3ProtocolVersion version;
9010
9011 SSL_TRC(3, ("%d: SSL3[%d]: send server_hello handshake", SSL_GETPID(),
9012 ss->fd));
9013
9014 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
9015 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
9016
9017 if (!IS_DTLS(ss)) {
9018 PORT_Assert(MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_3_0));
9019
9020 if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_3_0)) {
9021 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
9022 return SECFailure;
9023 }
9024 } else {
9025 PORT_Assert(MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_DTLS_1_0));
9026
9027 if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_DTLS_1_0)) {
9028 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
9029 return SECFailure;
9030 }
9031 }
9032
9033 sid = ss->sec.ci.sid;
9034
9035 extensions_len = ssl3_CallHelloExtensionSenders(ss, PR_FALSE, maxBytes,
9036 &ss->xtnData.serverSenders[0]);
9037 if (extensions_len > 0)
9038 extensions_len += 2; /* Add sizeof total extension length */
9039
9040 length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH + 1 +
9041 ((sid == NULL) ? 0: sid->u.ssl3.sessionIDLength) +
9042 sizeof(ssl3CipherSuite) + 1 + extensions_len;
9043 rv = ssl3_AppendHandshakeHeader(ss, server_hello, length);
9044 if (rv != SECSuccess) {
9045 return rv; /* err set by AppendHandshake. */
9046 }
9047
9048 if (IS_DTLS(ss)) {
9049 version = dtls_TLSVersionToDTLSVersion(ss->version);
9050 } else {
9051 version = ss->version;
9052 }
9053
9054 rv = ssl3_AppendHandshakeNumber(ss, version, 2);
9055 if (rv != SECSuccess) {
9056 return rv; /* err set by AppendHandshake. */
9057 }
9058 rv = ssl3_GetNewRandom(&ss->ssl3.hs.server_random);
9059 if (rv != SECSuccess) {
9060 ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
9061 return rv;
9062 }
9063 rv = ssl3_AppendHandshake(
9064 ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH);
9065 if (rv != SECSuccess) {
9066 return rv; /* err set by AppendHandshake. */
9067 }
9068
9069 if (sid)
9070 rv = ssl3_AppendHandshakeVariable(
9071 ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1);
9072 else
9073 rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
9074 if (rv != SECSuccess) {
9075 return rv; /* err set by AppendHandshake. */
9076 }
9077
9078 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.cipher_suite, 2);
9079 if (rv != SECSuccess) {
9080 return rv; /* err set by AppendHandshake. */
9081 }
9082 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.compression, 1);
9083 if (rv != SECSuccess) {
9084 return rv; /* err set by AppendHandshake. */
9085 }
9086 if (extensions_len) {
9087 PRInt32 sent_len;
9088
9089 extensions_len -= 2;
9090 rv = ssl3_AppendHandshakeNumber(ss, extensions_len, 2);
9091 if (rv != SECSuccess)
9092 return rv; /* err set by ssl3_SetupPendingCipherSpec */
9093 sent_len = ssl3_CallHelloExtensionSenders(ss, PR_TRUE, extensions_len,
9094 &ss->xtnData.serverSenders[0]);
9095 PORT_Assert(sent_len == extensions_len);
9096 if (sent_len != extensions_len) {
9097 if (sent_len >= 0)
9098 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
9099 return SECFailure;
9100 }
9101 }
9102 rv = ssl3_SetupPendingCipherSpec(ss);
9103 if (rv != SECSuccess) {
9104 return rv; /* err set by ssl3_SetupPendingCipherSpec */
9105 }
9106
9107 return SECSuccess;
9108 }
9109
9110 /* ssl3_PickSignatureHashAlgorithm selects a hash algorithm to use when signing
9111 * elements of the handshake. (The negotiated cipher suite determines the
9112 * signature algorithm.) Prior to TLS 1.2, the MD5/SHA1 combination is always
9113 * used. With TLS 1.2, a client may advertise its support for signature and
9114 * hash combinations. */
9115 static SECStatus
9116 ssl3_PickSignatureHashAlgorithm(sslSocket *ss,
9117 SSL3SignatureAndHashAlgorithm* out)
9118 {
9119 TLSSignatureAlgorithm sigAlg;
9120 unsigned int i, j;
9121 /* hashPreference expresses our preferences for hash algorithms, most
9122 * preferable first. */
9123 static const PRUint8 hashPreference[] = {
9124 tls_hash_sha256,
9125 tls_hash_sha384,
9126 tls_hash_sha512,
9127 tls_hash_sha1,
9128 };
9129
9130 switch (ss->ssl3.hs.kea_def->kea) {
9131 case kea_rsa:
9132 case kea_rsa_export:
9133 case kea_rsa_export_1024:
9134 case kea_dh_rsa:
9135 case kea_dh_rsa_export:
9136 case kea_dhe_rsa:
9137 case kea_dhe_rsa_export:
9138 case kea_rsa_fips:
9139 case kea_ecdh_rsa:
9140 case kea_ecdhe_rsa:
9141 sigAlg = tls_sig_rsa;
9142 break;
9143 case kea_dh_dss:
9144 case kea_dh_dss_export:
9145 case kea_dhe_dss:
9146 case kea_dhe_dss_export:
9147 sigAlg = tls_sig_dsa;
9148 break;
9149 case kea_ecdh_ecdsa:
9150 case kea_ecdhe_ecdsa:
9151 sigAlg = tls_sig_ecdsa;
9152 break;
9153 default:
9154 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
9155 return SECFailure;
9156 }
9157 out->sigAlg = sigAlg;
9158
9159 if (ss->version <= SSL_LIBRARY_VERSION_TLS_1_1) {
9160 /* SEC_OID_UNKNOWN means the MD5/SHA1 combo hash used in TLS 1.1 and
9161 * prior. */
9162 out->hashAlg = SEC_OID_UNKNOWN;
9163 return SECSuccess;
9164 }
9165
9166 if (ss->ssl3.hs.numClientSigAndHash == 0) {
9167 /* If the client didn't provide any signature_algorithms extension then
9168 * we can assume that they support SHA-1:
9169 * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
9170 out->hashAlg = SEC_OID_SHA1;
9171 return SECSuccess;
9172 }
9173
9174 for (i = 0; i < PR_ARRAY_SIZE(hashPreference); i++) {
9175 for (j = 0; j < ss->ssl3.hs.numClientSigAndHash; j++) {
9176 const SSL3SignatureAndHashAlgorithm* sh =
9177 &ss->ssl3.hs.clientSigAndHash[j];
9178 if (sh->sigAlg == sigAlg && sh->hashAlg == hashPreference[i]) {
9179 out->hashAlg = sh->hashAlg;
9180 return SECSuccess;
9181 }
9182 }
9183 }
9184
9185 PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
9186 return SECFailure;
9187 }
9188
9189
9190 static SECStatus
9191 ssl3_SendServerKeyExchange(sslSocket *ss)
9192 {
9193 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def;
9194 SECStatus rv = SECFailure;
9195 int length;
9196 PRBool isTLS;
9197 SECItem signed_hash = {siBuffer, NULL, 0};
9198 SSL3Hashes hashes;
9199 SECKEYPublicKey * sdPub; /* public key for step-down */
9200 SSL3SignatureAndHashAlgorithm sigAndHash;
9201
9202 SSL_TRC(3, ("%d: SSL3[%d]: send server_key_exchange handshake",
9203 SSL_GETPID(), ss->fd));
9204
9205 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
9206 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
9207
9208 if (ssl3_PickSignatureHashAlgorithm(ss, &sigAndHash) != SECSuccess) {
9209 return SECFailure;
9210 }
9211
9212 switch (kea_def->exchKeyType) {
9213 case kt_rsa:
9214 /* Perform SSL Step-Down here. */
9215 sdPub = ss->stepDownKeyPair->pubKey;
9216 PORT_Assert(sdPub != NULL);
9217 if (!sdPub) {
9218 PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
9219 return SECFailure;
9220 }
9221 rv = ssl3_ComputeExportRSAKeyHash(sigAndHash.hashAlg,
9222 sdPub->u.rsa.modulus,
9223 sdPub->u.rsa.publicExponent,
9224 &ss->ssl3.hs.client_random,
9225 &ss->ssl3.hs.server_random,
9226 &hashes, ss->opt.bypassPKCS11);
9227 if (rv != SECSuccess) {
9228 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
9229 return rv;
9230 }
9231
9232 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
9233 rv = ssl3_SignHashes(&hashes, ss->serverCerts[kt_rsa].SERVERKEY,
9234 &signed_hash, isTLS);
9235 if (rv != SECSuccess) {
9236 goto loser; /* ssl3_SignHashes has set err. */
9237 }
9238 if (signed_hash.data == NULL) {
9239 /* how can this happen and rv == SECSuccess ?? */
9240 PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
9241 goto loser;
9242 }
9243 length = 2 + sdPub->u.rsa.modulus.len +
9244 2 + sdPub->u.rsa.publicExponent.len +
9245 2 + signed_hash.len;
9246
9247 rv = ssl3_AppendHandshakeHeader(ss, server_key_exchange, length);
9248 if (rv != SECSuccess) {
9249 goto loser; /* err set by AppendHandshake. */
9250 }
9251
9252 rv = ssl3_AppendHandshakeVariable(ss, sdPub->u.rsa.modulus.data,
9253 sdPub->u.rsa.modulus.len, 2);
9254 if (rv != SECSuccess) {
9255 goto loser; /* err set by AppendHandshake. */
9256 }
9257
9258 rv = ssl3_AppendHandshakeVariable(
9259 ss, sdPub->u.rsa.publicExponent.data,
9260 sdPub->u.rsa.publicExponent.len, 2);
9261 if (rv != SECSuccess) {
9262 goto loser; /* err set by AppendHandshake. */
9263 }
9264
9265 if (ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
9266 rv = ssl3_AppendSignatureAndHashAlgorithm(ss, &sigAndHash);
9267 if (rv != SECSuccess) {
9268 goto loser; /* err set by AppendHandshake. */
9269 }
9270 }
9271
9272 rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data,
9273 signed_hash.len, 2);
9274 if (rv != SECSuccess) {
9275 goto loser; /* err set by AppendHandshake. */
9276 }
9277 PORT_Free(signed_hash.data);
9278 return SECSuccess;
9279
9280 #ifdef NSS_ENABLE_ECC
9281 case kt_ecdh: {
9282 rv = ssl3_SendECDHServerKeyExchange(ss, &sigAndHash);
9283 return rv;
9284 }
9285 #endif /* NSS_ENABLE_ECC */
9286
9287 case kt_dh:
9288 case kt_null:
9289 default:
9290 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
9291 break;
9292 }
9293 loser:
9294 if (signed_hash.data != NULL)
9295 PORT_Free(signed_hash.data);
9296 return SECFailure;
9297 }
9298
9299
9300 static SECStatus
9301 ssl3_SendCertificateRequest(sslSocket *ss)
9302 {
9303 PRBool isTLS12;
9304 SECItem * name;
9305 CERTDistNames *ca_list;
9306 const PRUint8 *certTypes;
9307 const PRUint8 *sigAlgs;
9308 SECItem * names = NULL;
9309 SECStatus rv;
9310 int length;
9311 int i;
9312 int calen = 0;
9313 int nnames = 0;
9314 int certTypesLength;
9315 int sigAlgsLength;
9316
9317 SSL_TRC(3, ("%d: SSL3[%d]: send certificate_request handshake",
9318 SSL_GETPID(), ss->fd));
9319
9320 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
9321 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
9322
9323 isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
9324
9325 /* ssl3.ca_list is initialized to NULL, and never changed. */
9326 ca_list = ss->ssl3.ca_list;
9327 if (!ca_list) {
9328 ca_list = ssl3_server_ca_list;
9329 }
9330
9331 if (ca_list != NULL) {
9332 names = ca_list->names;
9333 nnames = ca_list->nnames;
9334 }
9335
9336 for (i = 0, name = names; i < nnames; i++, name++) {
9337 calen += 2 + name->len;
9338 }
9339
9340 certTypes = certificate_types;
9341 certTypesLength = sizeof certificate_types;
9342 sigAlgs = supported_signature_algorithms;
9343 sigAlgsLength = sizeof supported_signature_algorithms;
9344
9345 length = 1 + certTypesLength + 2 + calen;
9346 if (isTLS12) {
9347 length += 2 + sigAlgsLength;
9348 }
9349
9350 rv = ssl3_AppendHandshakeHeader(ss, certificate_request, length);
9351 if (rv != SECSuccess) {
9352 return rv; /* err set by AppendHandshake. */
9353 }
9354 rv = ssl3_AppendHandshakeVariable(ss, certTypes, certTypesLength, 1);
9355 if (rv != SECSuccess) {
9356 return rv; /* err set by AppendHandshake. */
9357 }
9358 if (isTLS12) {
9359 rv = ssl3_AppendHandshakeVariable(ss, sigAlgs, sigAlgsLength, 2);
9360 if (rv != SECSuccess) {
9361 return rv; /* err set by AppendHandshake. */
9362 }
9363 }
9364 rv = ssl3_AppendHandshakeNumber(ss, calen, 2);
9365 if (rv != SECSuccess) {
9366 return rv; /* err set by AppendHandshake. */
9367 }
9368 for (i = 0, name = names; i < nnames; i++, name++) {
9369 rv = ssl3_AppendHandshakeVariable(ss, name->data, name->len, 2);
9370 if (rv != SECSuccess) {
9371 return rv; /* err set by AppendHandshake. */
9372 }
9373 }
9374
9375 return SECSuccess;
9376 }
9377
9378 static SECStatus
9379 ssl3_SendServerHelloDone(sslSocket *ss)
9380 {
9381 SECStatus rv;
9382
9383 SSL_TRC(3, ("%d: SSL3[%d]: send server_hello_done handshake",
9384 SSL_GETPID(), ss->fd));
9385
9386 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
9387 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
9388
9389 rv = ssl3_AppendHandshakeHeader(ss, server_hello_done, 0);
9390 if (rv != SECSuccess) {
9391 return rv; /* err set by AppendHandshake. */
9392 }
9393 rv = ssl3_FlushHandshake(ss, 0);
9394 if (rv != SECSuccess) {
9395 return rv; /* error code set by ssl3_FlushHandshake */
9396 }
9397 return SECSuccess;
9398 }
9399
9400 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
9401 * ssl3 Certificate Verify message
9402 * Caller must hold Handshake and RecvBuf locks.
9403 */
9404 static SECStatus
9405 ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
9406 SSL3Hashes *hashes)
9407 {
9408 SECItem signed_hash = {siBuffer, NULL, 0};
9409 SECStatus rv;
9410 int errCode = SSL_ERROR_RX_MALFORMED_CERT_VERIFY;
9411 SSL3AlertDescription desc = handshake_failure;
9412 PRBool isTLS, isTLS12;
9413 SSL3SignatureAndHashAlgorithm sigAndHash;
9414
9415 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_verify handshake",
9416 SSL_GETPID(), ss->fd));
9417 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
9418 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
9419
9420 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
9421 isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
9422
9423 if (ss->ssl3.hs.ws != wait_cert_verify || ss->sec.peerCert == NULL) {
9424 desc = unexpected_message;
9425 errCode = SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY;
9426 goto alert_loser;
9427 }
9428
9429 if (isTLS12) {
9430 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length,
9431 &sigAndHash);
9432 if (rv != SECSuccess) {
9433 goto loser; /* malformed or unsupported. */
9434 }
9435 rv = ssl3_CheckSignatureAndHashAlgorithmConsistency(
9436 &sigAndHash, ss->sec.peerCert);
9437 if (rv != SECSuccess) {
9438 errCode = PORT_GetError();
9439 desc = decrypt_error;
9440 goto alert_loser;
9441 }
9442
9443 /* We only support CertificateVerify messages that use the handshake
9444 * hash. */
9445 if (sigAndHash.hashAlg != hashes->hashAlg) {
9446 errCode = SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM;
9447 desc = decrypt_error;
9448 goto alert_loser;
9449 }
9450 }
9451
9452 rv = ssl3_ConsumeHandshakeVariable(ss, &signed_hash, 2, &b, &length);
9453 if (rv != SECSuccess) {
9454 goto loser; /* malformed. */
9455 }
9456
9457 /* XXX verify that the key & kea match */
9458 rv = ssl3_VerifySignedHashes(hashes, ss->sec.peerCert, &signed_hash,
9459 isTLS, ss->pkcs11PinArg);
9460 if (rv != SECSuccess) {
9461 errCode = PORT_GetError();
9462 desc = isTLS ? decrypt_error : handshake_failure;
9463 goto alert_loser;
9464 }
9465
9466 signed_hash.data = NULL;
9467
9468 if (length != 0) {
9469 desc = isTLS ? decode_error : illegal_parameter;
9470 goto alert_loser; /* malformed */
9471 }
9472 ss->ssl3.hs.ws = wait_change_cipher;
9473 return SECSuccess;
9474
9475 alert_loser:
9476 SSL3_SendAlert(ss, alert_fatal, desc);
9477 loser:
9478 PORT_SetError(errCode);
9479 return SECFailure;
9480 }
9481
9482
9483 /* find a slot that is able to generate a PMS and wrap it with RSA.
9484 * Then generate and return the PMS.
9485 * If the serverKeySlot parameter is non-null, this function will use
9486 * that slot to do the job, otherwise it will find a slot.
9487 *
9488 * Called from ssl3_DeriveConnectionKeysPKCS11() (above)
9489 * sendRSAClientKeyExchange() (above)
9490 * ssl3_HandleRSAClientKeyExchange() (below)
9491 * Caller must hold the SpecWriteLock, the SSL3HandshakeLock
9492 */
9493 static PK11SymKey *
9494 ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
9495 PK11SlotInfo * serverKeySlot)
9496 {
9497 PK11SymKey * pms = NULL;
9498 PK11SlotInfo * slot = serverKeySlot;
9499 void * pwArg = ss->pkcs11PinArg;
9500 SECItem param;
9501 CK_VERSION version;
9502 CK_MECHANISM_TYPE mechanism_array[3];
9503
9504 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
9505
9506 if (slot == NULL) {
9507 SSLCipherAlgorithm calg;
9508 /* The specReadLock would suffice here, but we cannot assert on
9509 ** read locks. Also, all the callers who call with a non-null
9510 ** slot already hold the SpecWriteLock.
9511 */
9512 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
9513 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
9514
9515 calg = spec->cipher_def->calg;
9516 PORT_Assert(alg2Mech[calg].calg == calg);
9517
9518 /* First get an appropriate slot. */
9519 mechanism_array[0] = CKM_SSL3_PRE_MASTER_KEY_GEN;
9520 mechanism_array[1] = CKM_RSA_PKCS;
9521 mechanism_array[2] = alg2Mech[calg].cmech;
9522
9523 slot = PK11_GetBestSlotMultiple(mechanism_array, 3, pwArg);
9524 if (slot == NULL) {
9525 /* can't find a slot with all three, find a slot with the minimum */
9526 slot = PK11_GetBestSlotMultiple(mechanism_array, 2, pwArg);
9527 if (slot == NULL) {
9528 PORT_SetError(SSL_ERROR_TOKEN_SLOT_NOT_FOUND);
9529 return pms; /* which is NULL */
9530 }
9531 }
9532 }
9533
9534 /* Generate the pre-master secret ... */
9535 if (IS_DTLS(ss)) {
9536 SSL3ProtocolVersion temp;
9537
9538 temp = dtls_TLSVersionToDTLSVersion(ss->clientHelloVersion);
9539 version.major = MSB(temp);
9540 version.minor = LSB(temp);
9541 } else {
9542 version.major = MSB(ss->clientHelloVersion);
9543 version.minor = LSB(ss->clientHelloVersion);
9544 }
9545
9546 param.data = (unsigned char *)&version;
9547 param.len = sizeof version;
9548
9549 pms = PK11_KeyGen(slot, CKM_SSL3_PRE_MASTER_KEY_GEN, &param, 0, pwArg);
9550 if (!serverKeySlot)
9551 PK11_FreeSlot(slot);
9552 if (pms == NULL) {
9553 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
9554 }
9555 return pms;
9556 }
9557
9558 /* Note: The Bleichenbacher attack on PKCS#1 necessitates that we NEVER
9559 * return any indication of failure of the Client Key Exchange message,
9560 * where that failure is caused by the content of the client's message.
9561 * This function must not return SECFailure for any reason that is directly
9562 * or indirectly caused by the content of the client's encrypted PMS.
9563 * We must not send an alert and also not drop the connection.
9564 * Instead, we generate a random PMS. This will cause a failure
9565 * in the processing the finished message, which is exactly where
9566 * the failure must occur.
9567 *
9568 * Called from ssl3_HandleClientKeyExchange
9569 */
9570 static SECStatus
9571 ssl3_HandleRSAClientKeyExchange(sslSocket *ss,
9572 SSL3Opaque *b,
9573 PRUint32 length,
9574 SECKEYPrivateKey *serverKey)
9575 {
9576 PK11SymKey * pms;
9577 #ifndef NO_PKCS11_BYPASS
9578 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random;
9579 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random;
9580 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec;
9581 unsigned int outLen = 0;
9582 #endif
9583 PRBool isTLS = PR_FALSE;
9584 SECStatus rv;
9585 SECItem enc_pms;
9586 unsigned char rsaPmsBuf[SSL3_RSA_PMS_LENGTH];
9587 SECItem pmsItem = {siBuffer, NULL, 0};
9588
9589 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
9590 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
9591 PORT_Assert( ss->ssl3.prSpec == ss->ssl3.pwSpec );
9592
9593 enc_pms.data = b;
9594 enc_pms.len = length;
9595 pmsItem.data = rsaPmsBuf;
9596 pmsItem.len = sizeof rsaPmsBuf;
9597
9598 if (ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */
9599 PRInt32 kLen;
9600 kLen = ssl3_ConsumeHandshakeNumber(ss, 2, &enc_pms.data, &enc_pms.len);
9601 if (kLen < 0) {
9602 PORT_SetError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
9603 return SECFailure;
9604 }
9605 if ((unsigned)kLen < enc_pms.len) {
9606 enc_pms.len = kLen;
9607 }
9608 isTLS = PR_TRUE;
9609 } else {
9610 isTLS = (PRBool)(ss->ssl3.hs.kea_def->tls_keygen != 0);
9611 }
9612
9613 #ifndef NO_PKCS11_BYPASS
9614 if (ss->opt.bypassPKCS11) {
9615 /* TRIPLE BYPASS, get PMS directly from RSA decryption.
9616 * Use PK11_PrivDecryptPKCS1 to decrypt the PMS to a buffer,
9617 * then, check for version rollback attack, then
9618 * do the equivalent of ssl3_DeriveMasterSecret, placing the MS in
9619 * pwSpec->msItem. Finally call ssl3_InitPendingCipherSpec with
9620 * ss and NULL, so that it will use the MS we've already derived here.
9621 */
9622
9623 rv = PK11_PrivDecryptPKCS1(serverKey, rsaPmsBuf, &outLen,
9624 sizeof rsaPmsBuf, enc_pms.data, enc_pms.len);
9625 if (rv != SECSuccess) {
9626 /* triple bypass failed. Let's try for a double bypass. */
9627 goto double_bypass;
9628 } else if (ss->opt.detectRollBack) {
9629 SSL3ProtocolVersion client_version =
9630 (rsaPmsBuf[0] << 8) | rsaPmsBuf[1];
9631
9632 if (IS_DTLS(ss)) {
9633 client_version = dtls_DTLSVersionToTLSVersion(client_version);
9634 }
9635
9636 if (client_version != ss->clientHelloVersion) {
9637 /* Version roll-back detected. ensure failure. */
9638 rv = PK11_GenerateRandom(rsaPmsBuf, sizeof rsaPmsBuf);
9639 }
9640 }
9641 /* have PMS, build MS without PKCS11 */
9642 rv = ssl3_MasterKeyDeriveBypass(pwSpec, cr, sr, &pmsItem, isTLS,
9643 PR_TRUE);
9644 if (rv != SECSuccess) {
9645 pwSpec->msItem.data = pwSpec->raw_master_secret;
9646 pwSpec->msItem.len = SSL3_MASTER_SECRET_LENGTH;
9647 PK11_GenerateRandom(pwSpec->msItem.data, pwSpec->msItem.len);
9648 }
9649 rv = ssl3_InitPendingCipherSpec(ss, NULL);
9650 } else
9651 #endif
9652 {
9653 #ifndef NO_PKCS11_BYPASS
9654 double_bypass:
9655 #endif
9656 /*
9657 * unwrap pms out of the incoming buffer
9658 * Note: CKM_SSL3_MASTER_KEY_DERIVE is NOT the mechanism used to do
9659 * the unwrap. Rather, it is the mechanism with which the
9660 * unwrapped pms will be used.
9661 */
9662 pms = PK11_PubUnwrapSymKey(serverKey, &enc_pms,
9663 CKM_SSL3_MASTER_KEY_DERIVE, CKA_DERIVE, 0);
9664 if (pms != NULL) {
9665 PRINT_BUF(60, (ss, "decrypted premaster secret:",
9666 PK11_GetKeyData(pms)->data,
9667 PK11_GetKeyData(pms)->len));
9668 } else {
9669 /* unwrap failed. Generate a bogus PMS and carry on. */
9670 PK11SlotInfo * slot = PK11_GetSlotFromPrivateKey(serverKey);
9671
9672 ssl_GetSpecWriteLock(ss);
9673 pms = ssl3_GenerateRSAPMS(ss, ss->ssl3.prSpec, slot);
9674 ssl_ReleaseSpecWriteLock(ss);
9675 PK11_FreeSlot(slot);
9676 }
9677
9678 if (pms == NULL) {
9679 /* last gasp. */
9680 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
9681 return SECFailure;
9682 }
9683
9684 /* This step will derive the MS from the PMS, among other things. */
9685 rv = ssl3_InitPendingCipherSpec(ss, pms);
9686 PK11_FreeSymKey(pms);
9687 }
9688
9689 if (rv != SECSuccess) {
9690 SEND_ALERT
9691 return SECFailure; /* error code set by ssl3_InitPendingCipherSpec */
9692 }
9693 return SECSuccess;
9694 }
9695
9696
9697 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
9698 * ssl3 ClientKeyExchange message from the remote client
9699 * Caller must hold Handshake and RecvBuf locks.
9700 */
9701 static SECStatus
9702 ssl3_HandleClientKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
9703 {
9704 SECKEYPrivateKey *serverKey = NULL;
9705 SECStatus rv;
9706 const ssl3KEADef *kea_def;
9707 ssl3KeyPair *serverKeyPair = NULL;
9708 #ifdef NSS_ENABLE_ECC
9709 SECKEYPublicKey *serverPubKey = NULL;
9710 #endif /* NSS_ENABLE_ECC */
9711
9712 SSL_TRC(3, ("%d: SSL3[%d]: handle client_key_exchange handshake",
9713 SSL_GETPID(), ss->fd));
9714
9715 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
9716 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
9717
9718 if (ss->ssl3.hs.ws != wait_client_key) {
9719 SSL3_SendAlert(ss, alert_fatal, unexpected_message);
9720 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH);
9721 return SECFailure;
9722 }
9723
9724 kea_def = ss->ssl3.hs.kea_def;
9725
9726 if (ss->ssl3.hs.usedStepDownKey) {
9727 PORT_Assert(kea_def->is_limited /* XXX OR cert is signing only */
9728 && kea_def->exchKeyType == kt_rsa
9729 && ss->stepDownKeyPair != NULL);
9730 if (!kea_def->is_limited ||
9731 kea_def->exchKeyType != kt_rsa ||
9732 ss->stepDownKeyPair == NULL) {
9733 /* shouldn't happen, don't use step down if it does */
9734 goto skip;
9735 }
9736 serverKeyPair = ss->stepDownKeyPair;
9737 ss->sec.keaKeyBits = EXPORT_RSA_KEY_LENGTH * BPB;
9738 } else
9739 skip:
9740 #ifdef NSS_ENABLE_ECC
9741 /* XXX Using SSLKEAType to index server certifiates
9742 * does not work for (EC)DHE ciphers. Until we have
9743 * an indexing mechanism general enough for all key
9744 * exchange algorithms, we'll need to deal with each
9745 * one seprately.
9746 */
9747 if ((kea_def->kea == kea_ecdhe_rsa) ||
9748 (kea_def->kea == kea_ecdhe_ecdsa)) {
9749 if (ss->ephemeralECDHKeyPair != NULL) {
9750 serverKeyPair = ss->ephemeralECDHKeyPair;
9751 if (serverKeyPair->pubKey) {
9752 ss->sec.keaKeyBits =
9753 SECKEY_PublicKeyStrengthInBits(serverKeyPair->pubKey);
9754 }
9755 }
9756 } else
9757 #endif
9758 {
9759 sslServerCerts * sc = ss->serverCerts + kea_def->exchKeyType;
9760 serverKeyPair = sc->serverKeyPair;
9761 ss->sec.keaKeyBits = sc->serverKeyBits;
9762 }
9763
9764 if (serverKeyPair) {
9765 serverKey = serverKeyPair->privKey;
9766 }
9767
9768 if (serverKey == NULL) {
9769 SEND_ALERT
9770 PORT_SetError(SSL_ERROR_NO_SERVER_KEY_FOR_ALG);
9771 return SECFailure;
9772 }
9773
9774 ss->sec.keaType = kea_def->exchKeyType;
9775
9776 switch (kea_def->exchKeyType) {
9777 case kt_rsa:
9778 rv = ssl3_HandleRSAClientKeyExchange(ss, b, length, serverKey);
9779 if (rv != SECSuccess) {
9780 SEND_ALERT
9781 return SECFailure; /* error code set */
9782 }
9783 break;
9784
9785
9786 #ifdef NSS_ENABLE_ECC
9787 case kt_ecdh:
9788 /* XXX We really ought to be able to store multiple
9789 * EC certs (a requirement if we wish to support both
9790 * ECDH-RSA and ECDH-ECDSA key exchanges concurrently).
9791 * When we make that change, we'll need an index other
9792 * than kt_ecdh to pick the right EC certificate.
9793 */
9794 if (serverKeyPair) {
9795 serverPubKey = serverKeyPair->pubKey;
9796 }
9797 if (serverPubKey == NULL) {
9798 /* XXX Is this the right error code? */
9799 PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
9800 return SECFailure;
9801 }
9802 rv = ssl3_HandleECDHClientKeyExchange(ss, b, length,
9803 serverPubKey, serverKey);
9804 if (rv != SECSuccess) {
9805 return SECFailure; /* error code set */
9806 }
9807 break;
9808 #endif /* NSS_ENABLE_ECC */
9809
9810 default:
9811 (void) ssl3_HandshakeFailure(ss);
9812 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
9813 return SECFailure;
9814 }
9815 ss->ssl3.hs.ws = ss->sec.peerCert ? wait_cert_verify : wait_change_cipher;
9816 return SECSuccess;
9817
9818 }
9819
9820 /* This is TLS's equivalent of sending a no_certificate alert. */
9821 static SECStatus
9822 ssl3_SendEmptyCertificate(sslSocket *ss)
9823 {
9824 SECStatus rv;
9825
9826 rv = ssl3_AppendHandshakeHeader(ss, certificate, 3);
9827 if (rv == SECSuccess) {
9828 rv = ssl3_AppendHandshakeNumber(ss, 0, 3);
9829 }
9830 return rv; /* error, if any, set by functions called above. */
9831 }
9832
9833 SECStatus
9834 ssl3_HandleNewSessionTicket(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
9835 {
9836 SECStatus rv;
9837 SECItem ticketData;
9838
9839 SSL_TRC(3, ("%d: SSL3[%d]: handle session_ticket handshake",
9840 SSL_GETPID(), ss->fd));
9841
9842 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
9843 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
9844
9845 PORT_Assert(!ss->ssl3.hs.newSessionTicket.ticket.data);
9846 PORT_Assert(!ss->ssl3.hs.receivedNewSessionTicket);
9847
9848 if (ss->ssl3.hs.ws != wait_new_session_ticket) {
9849 SSL3_SendAlert(ss, alert_fatal, unexpected_message);
9850 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET);
9851 return SECFailure;
9852 }
9853
9854 /* RFC5077 Section 3.3: "The client MUST NOT treat the ticket as valid
9855 * until it has verified the server's Finished message." See the comment in
9856 * ssl3_FinishHandshake for more details.
9857 */
9858 ss->ssl3.hs.newSessionTicket.received_timestamp = ssl_Time();
9859 if (length < 4) {
9860 (void)SSL3_SendAlert(ss, alert_fatal, decode_error);
9861 PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET);
9862 return SECFailure;
9863 }
9864 ss->ssl3.hs.newSessionTicket.ticket_lifetime_hint =
9865 (PRUint32)ssl3_ConsumeHandshakeNumber(ss, 4, &b, &length);
9866
9867 rv = ssl3_ConsumeHandshakeVariable(ss, &ticketData, 2, &b, &length);
9868 if (length != 0 || rv != SECSuccess) {
9869 (void)SSL3_SendAlert(ss, alert_fatal, decode_error);
9870 PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET);
9871 return SECFailure; /* malformed */
9872 }
9873 rv = SECITEM_CopyItem(NULL, &ss->ssl3.hs.newSessionTicket.ticket,
9874 &ticketData);
9875 if (rv != SECSuccess) {
9876 return rv;
9877 }
9878 ss->ssl3.hs.receivedNewSessionTicket = PR_TRUE;
9879
9880 ss->ssl3.hs.ws = wait_change_cipher;
9881 return SECSuccess;
9882 }
9883
9884 #ifdef NISCC_TEST
9885 static PRInt32 connNum = 0;
9886
9887 static SECStatus
9888 get_fake_cert(SECItem *pCertItem, int *pIndex)
9889 {
9890 PRFileDesc *cf;
9891 char * testdir;
9892 char * startat;
9893 char * stopat;
9894 const char *extension;
9895 int fileNum;
9896 PRInt32 numBytes = 0;
9897 PRStatus prStatus;
9898 PRFileInfo info;
9899 char cfn[100];
9900
9901 pCertItem->data = 0;
9902 if ((testdir = PR_GetEnv("NISCC_TEST")) == NULL) {
9903 return SECSuccess;
9904 }
9905 *pIndex = (NULL != strstr(testdir, "root"));
9906 extension = (strstr(testdir, "simple") ? "" : ".der");
9907 fileNum = PR_ATOMIC_INCREMENT(&connNum) - 1;
9908 if ((startat = PR_GetEnv("START_AT")) != NULL) {
9909 fileNum += atoi(startat);
9910 }
9911 if ((stopat = PR_GetEnv("STOP_AT")) != NULL &&
9912 fileNum >= atoi(stopat)) {
9913 *pIndex = -1;
9914 return SECSuccess;
9915 }
9916 sprintf(cfn, "%s/%08d%s", testdir, fileNum, extension);
9917 cf = PR_Open(cfn, PR_RDONLY, 0);
9918 if (!cf) {
9919 goto loser;
9920 }
9921 prStatus = PR_GetOpenFileInfo(cf, &info);
9922 if (prStatus != PR_SUCCESS) {
9923 PR_Close(cf);
9924 goto loser;
9925 }
9926 pCertItem = SECITEM_AllocItem(NULL, pCertItem, info.size);
9927 if (pCertItem) {
9928 numBytes = PR_Read(cf, pCertItem->data, info.size);
9929 }
9930 PR_Close(cf);
9931 if (numBytes != info.size) {
9932 SECITEM_FreeItem(pCertItem, PR_FALSE);
9933 PORT_SetError(SEC_ERROR_IO);
9934 goto loser;
9935 }
9936 fprintf(stderr, "using %s\n", cfn);
9937 return SECSuccess;
9938
9939 loser:
9940 fprintf(stderr, "failed to use %s\n", cfn);
9941 *pIndex = -1;
9942 return SECFailure;
9943 }
9944 #endif
9945
9946 /*
9947 * Used by both client and server.
9948 * Called from HandleServerHelloDone and from SendServerHelloSequence.
9949 */
9950 static SECStatus
9951 ssl3_SendCertificate(sslSocket *ss)
9952 {
9953 SECStatus rv;
9954 CERTCertificateList *certChain;
9955 int len = 0;
9956 int i;
9957 SSL3KEAType certIndex;
9958 #ifdef NISCC_TEST
9959 SECItem fakeCert;
9960 int ndex = -1;
9961 #endif
9962
9963 SSL_TRC(3, ("%d: SSL3[%d]: send certificate handshake",
9964 SSL_GETPID(), ss->fd));
9965
9966 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
9967 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
9968
9969 if (ss->sec.localCert)
9970 CERT_DestroyCertificate(ss->sec.localCert);
9971 if (ss->sec.isServer) {
9972 sslServerCerts * sc = NULL;
9973
9974 /* XXX SSLKEAType isn't really a good choice for
9975 * indexing certificates (it breaks when we deal
9976 * with (EC)DHE-* cipher suites. This hack ensures
9977 * the RSA cert is picked for (EC)DHE-RSA.
9978 * Revisit this when we add server side support
9979 * for ECDHE-ECDSA or client-side authentication
9980 * using EC certificates.
9981 */
9982 if ((ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) ||
9983 (ss->ssl3.hs.kea_def->kea == kea_dhe_rsa)) {
9984 certIndex = kt_rsa;
9985 } else {
9986 certIndex = ss->ssl3.hs.kea_def->exchKeyType;
9987 }
9988 sc = ss->serverCerts + certIndex;
9989 certChain = sc->serverCertChain;
9990 ss->sec.authKeyBits = sc->serverKeyBits;
9991 ss->sec.authAlgorithm = ss->ssl3.hs.kea_def->signKeyType;
9992 ss->sec.localCert = CERT_DupCertificate(sc->serverCert);
9993 } else {
9994 certChain = ss->ssl3.clientCertChain;
9995 ss->sec.localCert = CERT_DupCertificate(ss->ssl3.clientCertificate);
9996 }
9997
9998 #ifdef NISCC_TEST
9999 rv = get_fake_cert(&fakeCert, &ndex);
10000 #endif
10001
10002 if (certChain) {
10003 for (i = 0; i < certChain->len; i++) {
10004 #ifdef NISCC_TEST
10005 if (fakeCert.len > 0 && i == ndex) {
10006 len += fakeCert.len + 3;
10007 } else {
10008 len += certChain->certs[i].len + 3;
10009 }
10010 #else
10011 len += certChain->certs[i].len + 3;
10012 #endif
10013 }
10014 }
10015
10016 rv = ssl3_AppendHandshakeHeader(ss, certificate, len + 3);
10017 if (rv != SECSuccess) {
10018 return rv; /* err set by AppendHandshake. */
10019 }
10020 rv = ssl3_AppendHandshakeNumber(ss, len, 3);
10021 if (rv != SECSuccess) {
10022 return rv; /* err set by AppendHandshake. */
10023 }
10024 if (certChain) {
10025 for (i = 0; i < certChain->len; i++) {
10026 #ifdef NISCC_TEST
10027 if (fakeCert.len > 0 && i == ndex) {
10028 rv = ssl3_AppendHandshakeVariable(ss, fakeCert.data,
10029 fakeCert.len, 3);
10030 SECITEM_FreeItem(&fakeCert, PR_FALSE);
10031 } else {
10032 rv = ssl3_AppendHandshakeVariable(ss, certChain->certs[i].data,
10033 certChain->certs[i].len, 3);
10034 }
10035 #else
10036 rv = ssl3_AppendHandshakeVariable(ss, certChain->certs[i].data,
10037 certChain->certs[i].len, 3);
10038 #endif
10039 if (rv != SECSuccess) {
10040 return rv; /* err set by AppendHandshake. */
10041 }
10042 }
10043 }
10044
10045 return SECSuccess;
10046 }
10047
10048 /*
10049 * Used by server only.
10050 * single-stapling, send only a single cert status
10051 */
10052 static SECStatus
10053 ssl3_SendCertificateStatus(sslSocket *ss)
10054 {
10055 SECStatus rv;
10056 int len = 0;
10057 SECItemArray *statusToSend = NULL;
10058 SSL3KEAType certIndex;
10059
10060 SSL_TRC(3, ("%d: SSL3[%d]: send certificate status handshake",
10061 SSL_GETPID(), ss->fd));
10062
10063 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
10064 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
10065 PORT_Assert( ss->sec.isServer);
10066
10067 if (!ssl3_ExtensionNegotiated(ss, ssl_cert_status_xtn))
10068 return SECSuccess;
10069
10070 /* Use certStatus based on the cert being used. */
10071 if ((ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) ||
10072 (ss->ssl3.hs.kea_def->kea == kea_dhe_rsa)) {
10073 certIndex = kt_rsa;
10074 } else {
10075 certIndex = ss->ssl3.hs.kea_def->exchKeyType;
10076 }
10077 if (ss->certStatusArray[certIndex] && ss->certStatusArray[certIndex]->len) {
10078 statusToSend = ss->certStatusArray[certIndex];
10079 }
10080 if (!statusToSend)
10081 return SECSuccess;
10082
10083 /* Use the array's first item only (single stapling) */
10084 len = 1 + statusToSend->items[0].len + 3;
10085
10086 rv = ssl3_AppendHandshakeHeader(ss, certificate_status, len);
10087 if (rv != SECSuccess) {
10088 return rv; /* err set by AppendHandshake. */
10089 }
10090 rv = ssl3_AppendHandshakeNumber(ss, 1 /*ocsp*/, 1);
10091 if (rv != SECSuccess)
10092 return rv; /* err set by AppendHandshake. */
10093
10094 rv = ssl3_AppendHandshakeVariable(ss,
10095 statusToSend->items[0].data,
10096 statusToSend->items[0].len,
10097 3);
10098 if (rv != SECSuccess)
10099 return rv; /* err set by AppendHandshake. */
10100
10101 return SECSuccess;
10102 }
10103
10104 /* This is used to delete the CA certificates in the peer certificate chain
10105 * from the cert database after they've been validated.
10106 */
10107 static void
10108 ssl3_CleanupPeerCerts(sslSocket *ss)
10109 {
10110 PLArenaPool * arena = ss->ssl3.peerCertArena;
10111 ssl3CertNode *certs = (ssl3CertNode *)ss->ssl3.peerCertChain;
10112
10113 for (; certs; certs = certs->next) {
10114 CERT_DestroyCertificate(certs->cert);
10115 }
10116 if (arena) PORT_FreeArena(arena, PR_FALSE);
10117 ss->ssl3.peerCertArena = NULL;
10118 ss->ssl3.peerCertChain = NULL;
10119 }
10120
10121 static void
10122 ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid)
10123 {
10124 PLArenaPool *arena;
10125 ssl3CertNode *lastCert = NULL;
10126 ssl3CertNode *certs = NULL;
10127 int i;
10128
10129 if (!sid->peerCertChain[0])
10130 return;
10131 PORT_Assert(!ss->ssl3.peerCertArena);
10132 PORT_Assert(!ss->ssl3.peerCertChain);
10133 ss->ssl3.peerCertArena = arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
10134 for (i = 0; i < MAX_PEER_CERT_CHAIN_SIZE && sid->peerCertChain[i]; i++) {
10135 ssl3CertNode *c = PORT_ArenaNew(arena, ssl3CertNode);
10136 c->cert = CERT_DupCertificate(sid->peerCertChain[i]);
10137 c->next = NULL;
10138 if (lastCert) {
10139 lastCert->next = c;
10140 } else {
10141 certs = c;
10142 }
10143 lastCert = c;
10144 }
10145 ss->ssl3.peerCertChain = certs;
10146 }
10147
10148 static void
10149 ssl3_CopyPeerCertsToSID(ssl3CertNode *certs, sslSessionID *sid)
10150 {
10151 int i = 0;
10152 ssl3CertNode *c = certs;
10153 for (; i < MAX_PEER_CERT_CHAIN_SIZE && c; i++, c = c->next) {
10154 PORT_Assert(!sid->peerCertChain[i]);
10155 sid->peerCertChain[i] = CERT_DupCertificate(c->cert);
10156 }
10157 }
10158
10159 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
10160 * ssl3 CertificateStatus message.
10161 * Caller must hold Handshake and RecvBuf locks.
10162 * This is always called before ssl3_HandleCertificate, even if the Certificate
10163 * message is sent first.
10164 */
10165 static SECStatus
10166 ssl3_HandleCertificateStatus(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
10167 {
10168 PRInt32 status, len;
10169
10170 if (ss->ssl3.hs.ws != wait_certificate_status) {
10171 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
10172 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_STATUS);
10173 return SECFailure;
10174 }
10175
10176 PORT_Assert(!ss->sec.isServer);
10177
10178 /* Consume the CertificateStatusType enum */
10179 status = ssl3_ConsumeHandshakeNumber(ss, 1, &b, &length);
10180 if (status != 1 /* ocsp */) {
10181 goto format_loser;
10182 }
10183
10184 len = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
10185 if (len != length) {
10186 goto format_loser;
10187 }
10188
10189 #define MAX_CERTSTATUS_LEN 0x1ffff /* 128k - 1 */
10190 if (length > MAX_CERTSTATUS_LEN)
10191 goto format_loser;
10192 #undef MAX_CERTSTATUS_LEN
10193
10194 /* Array size 1, because we currently implement single-stapling only */
10195 SECITEM_AllocArray(NULL, &ss->sec.ci.sid->peerCertStatus, 1);
10196 if (!ss->sec.ci.sid->peerCertStatus.items)
10197 return SECFailure;
10198
10199 ss->sec.ci.sid->peerCertStatus.items[0].data = PORT_Alloc(length);
10200
10201 if (!ss->sec.ci.sid->peerCertStatus.items[0].data) {
10202 SECITEM_FreeArray(&ss->sec.ci.sid->peerCertStatus, PR_FALSE);
10203 return SECFailure;
10204 }
10205
10206 PORT_Memcpy(ss->sec.ci.sid->peerCertStatus.items[0].data, b, length);
10207 ss->sec.ci.sid->peerCertStatus.items[0].len = length;
10208 ss->sec.ci.sid->peerCertStatus.items[0].type = siBuffer;
10209
10210 return ssl3_AuthCertificate(ss);
10211
10212 format_loser:
10213 return ssl3_DecodeError(ss);
10214 }
10215
10216 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
10217 * ssl3 Certificate message.
10218 * Caller must hold Handshake and RecvBuf locks.
10219 */
10220 static SECStatus
10221 ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
10222 {
10223 ssl3CertNode * c;
10224 ssl3CertNode * lastCert = NULL;
10225 PRInt32 remaining = 0;
10226 PRInt32 size;
10227 SECStatus rv;
10228 PRBool isServer = (PRBool)(!!ss->sec.isServer);
10229 PRBool isTLS;
10230 SSL3AlertDescription desc;
10231 int errCode = SSL_ERROR_RX_MALFORMED_CERTIFICATE;
10232 SECItem certItem;
10233
10234 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate handshake",
10235 SSL_GETPID(), ss->fd));
10236 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
10237 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
10238
10239 if ((ss->ssl3.hs.ws != wait_server_cert) &&
10240 (ss->ssl3.hs.ws != wait_client_cert)) {
10241 desc = unexpected_message;
10242 errCode = SSL_ERROR_RX_UNEXPECTED_CERTIFICATE;
10243 goto alert_loser;
10244 }
10245
10246 if (ss->sec.peerCert != NULL) {
10247 if (ss->sec.peerKey) {
10248 SECKEY_DestroyPublicKey(ss->sec.peerKey);
10249 ss->sec.peerKey = NULL;
10250 }
10251 CERT_DestroyCertificate(ss->sec.peerCert);
10252 ss->sec.peerCert = NULL;
10253 }
10254
10255 ssl3_CleanupPeerCerts(ss);
10256 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
10257
10258 /* It is reported that some TLS client sends a Certificate message
10259 ** with a zero-length message body. We'll treat that case like a
10260 ** normal no_certificates message to maximize interoperability.
10261 */
10262 if (length) {
10263 remaining = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
10264 if (remaining < 0)
10265 goto loser; /* fatal alert already sent by ConsumeHandshake. */
10266 if ((PRUint32)remaining > length)
10267 goto decode_loser;
10268 }
10269
10270 if (!remaining) {
10271 if (!(isTLS && isServer)) {
10272 desc = bad_certificate;
10273 goto alert_loser;
10274 }
10275 /* This is TLS's version of a no_certificate alert. */
10276 /* I'm a server. I've requested a client cert. He hasn't got one. */
10277 rv = ssl3_HandleNoCertificate(ss);
10278 if (rv != SECSuccess) {
10279 errCode = PORT_GetError();
10280 goto loser;
10281 }
10282 ss->ssl3.hs.ws = wait_client_key;
10283 return SECSuccess;
10284 }
10285
10286 ss->ssl3.peerCertArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
10287 if (ss->ssl3.peerCertArena == NULL) {
10288 goto loser; /* don't send alerts on memory errors */
10289 }
10290
10291 /* First get the peer cert. */
10292 remaining -= 3;
10293 if (remaining < 0)
10294 goto decode_loser;
10295
10296 size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
10297 if (size <= 0)
10298 goto loser; /* fatal alert already sent by ConsumeHandshake. */
10299
10300 if (remaining < size)
10301 goto decode_loser;
10302
10303 certItem.data = b;
10304 certItem.len = size;
10305 b += size;
10306 length -= size;
10307 remaining -= size;
10308
10309 ss->sec.peerCert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
10310 PR_FALSE, PR_TRUE);
10311 if (ss->sec.peerCert == NULL) {
10312 /* We should report an alert if the cert was bad, but not if the
10313 * problem was just some local problem, like memory error.
10314 */
10315 goto ambiguous_err;
10316 }
10317
10318 /* Now get all of the CA certs. */
10319 while (remaining > 0) {
10320 remaining -= 3;
10321 if (remaining < 0)
10322 goto decode_loser;
10323
10324 size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
10325 if (size <= 0)
10326 goto loser; /* fatal alert already sent by ConsumeHandshake. */
10327
10328 if (remaining < size)
10329 goto decode_loser;
10330
10331 certItem.data = b;
10332 certItem.len = size;
10333 b += size;
10334 length -= size;
10335 remaining -= size;
10336
10337 c = PORT_ArenaNew(ss->ssl3.peerCertArena, ssl3CertNode);
10338 if (c == NULL) {
10339 goto loser; /* don't send alerts on memory errors */
10340 }
10341
10342 c->cert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
10343 PR_FALSE, PR_TRUE);
10344 if (c->cert == NULL) {
10345 goto ambiguous_err;
10346 }
10347
10348 c->next = NULL;
10349 if (lastCert) {
10350 lastCert->next = c;
10351 } else {
10352 ss->ssl3.peerCertChain = c;
10353 }
10354 lastCert = c;
10355 }
10356
10357 if (remaining != 0)
10358 goto decode_loser;
10359
10360 SECKEY_UpdateCertPQG(ss->sec.peerCert);
10361
10362 if (!isServer && ssl3_ExtensionNegotiated(ss, ssl_cert_status_xtn)) {
10363 ss->ssl3.hs.ws = wait_certificate_status;
10364 rv = SECSuccess;
10365 } else {
10366 rv = ssl3_AuthCertificate(ss); /* sets ss->ssl3.hs.ws */
10367 }
10368
10369 return rv;
10370
10371 ambiguous_err:
10372 errCode = PORT_GetError();
10373 switch (errCode) {
10374 case PR_OUT_OF_MEMORY_ERROR:
10375 case SEC_ERROR_BAD_DATABASE:
10376 case SEC_ERROR_NO_MEMORY:
10377 if (isTLS) {
10378 desc = internal_error;
10379 goto alert_loser;
10380 }
10381 goto loser;
10382 }
10383 ssl3_SendAlertForCertError(ss, errCode);
10384 goto loser;
10385
10386 decode_loser:
10387 desc = isTLS ? decode_error : bad_certificate;
10388
10389 alert_loser:
10390 (void)SSL3_SendAlert(ss, alert_fatal, desc);
10391
10392 loser:
10393 (void)ssl_MapLowLevelError(errCode);
10394 return SECFailure;
10395 }
10396
10397 static SECStatus
10398 ssl3_AuthCertificate(sslSocket *ss)
10399 {
10400 SECStatus rv;
10401 PRBool isServer = (PRBool)(!!ss->sec.isServer);
10402 int errCode;
10403
10404 ss->ssl3.hs.authCertificatePending = PR_FALSE;
10405
10406 /*
10407 * Ask caller-supplied callback function to validate cert chain.
10408 */
10409 rv = (SECStatus)(*ss->authCertificate)(ss->authCertificateArg, ss->fd,
10410 PR_TRUE, isServer);
10411 if (rv) {
10412 errCode = PORT_GetError();
10413 if (rv != SECWouldBlock) {
10414 if (ss->handleBadCert) {
10415 rv = (*ss->handleBadCert)(ss->badCertArg, ss->fd);
10416 }
10417 }
10418
10419 if (rv == SECWouldBlock) {
10420 if (ss->sec.isServer) {
10421 errCode = SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SERVERS;
10422 rv = SECFailure;
10423 goto loser;
10424 }
10425
10426 ss->ssl3.hs.authCertificatePending = PR_TRUE;
10427 rv = SECSuccess;
10428 }
10429
10430 if (rv != SECSuccess) {
10431 ssl3_SendAlertForCertError(ss, errCode);
10432 goto loser;
10433 }
10434 }
10435
10436 ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
10437 ssl3_CopyPeerCertsToSID(ss->ssl3.peerCertChain, ss->sec.ci.sid);
10438
10439 if (!ss->sec.isServer) {
10440 CERTCertificate *cert = ss->sec.peerCert;
10441
10442 /* set the server authentication and key exchange types and sizes
10443 ** from the value in the cert. If the key exchange key is different,
10444 ** it will get fixed when we handle the server key exchange message.
10445 */
10446 SECKEYPublicKey * pubKey = CERT_ExtractPublicKey(cert);
10447 ss->sec.authAlgorithm = ss->ssl3.hs.kea_def->signKeyType;
10448 ss->sec.keaType = ss->ssl3.hs.kea_def->exchKeyType;
10449 if (pubKey) {
10450 ss->sec.keaKeyBits = ss->sec.authKeyBits =
10451 SECKEY_PublicKeyStrengthInBits(pubKey);
10452 #ifdef NSS_ENABLE_ECC
10453 if (ss->sec.keaType == kt_ecdh) {
10454 /* Get authKeyBits from signing key.
10455 * XXX The code below uses a quick approximation of
10456 * key size based on cert->signatureWrap.signature.data
10457 * (which contains the DER encoded signature). The field
10458 * cert->signatureWrap.signature.len contains the
10459 * length of the encoded signature in bits.
10460 */
10461 if (ss->ssl3.hs.kea_def->kea == kea_ecdh_ecdsa) {
10462 ss->sec.authKeyBits =
10463 cert->signatureWrap.signature.data[3]*8;
10464 if (cert->signatureWrap.signature.data[4] == 0x00)
10465 ss->sec.authKeyBits -= 8;
10466 /*
10467 * XXX: if cert is not signed by ecdsa we should
10468 * destroy pubKey and goto bad_cert
10469 */
10470 } else if (ss->ssl3.hs.kea_def->kea == kea_ecdh_rsa) {
10471 ss->sec.authKeyBits = cert->signatureWrap.signature.len;
10472 /*
10473 * XXX: if cert is not signed by rsa we should
10474 * destroy pubKey and goto bad_cert
10475 */
10476 }
10477 }
10478 #endif /* NSS_ENABLE_ECC */
10479 SECKEY_DestroyPublicKey(pubKey);
10480 pubKey = NULL;
10481 }
10482
10483 ss->ssl3.hs.ws = wait_cert_request; /* disallow server_key_exchange */
10484 if (ss->ssl3.hs.kea_def->is_limited ||
10485 /* XXX OR server cert is signing only. */
10486 #ifdef NSS_ENABLE_ECC
10487 ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa ||
10488 ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa ||
10489 #endif /* NSS_ENABLE_ECC */
10490 ss->ssl3.hs.kea_def->exchKeyType == kt_dh) {
10491 ss->ssl3.hs.ws = wait_server_key; /* allow server_key_exchange */
10492 }
10493 } else {
10494 ss->ssl3.hs.ws = wait_client_key;
10495 }
10496
10497 PORT_Assert(rv == SECSuccess);
10498 if (rv != SECSuccess) {
10499 errCode = SEC_ERROR_LIBRARY_FAILURE;
10500 rv = SECFailure;
10501 goto loser;
10502 }
10503
10504 return rv;
10505
10506 loser:
10507 (void)ssl_MapLowLevelError(errCode);
10508 return SECFailure;
10509 }
10510
10511 static SECStatus ssl3_FinishHandshake(sslSocket *ss);
10512
10513 static SECStatus
10514 ssl3_AlwaysFail(sslSocket * ss)
10515 {
10516 PORT_SetError(PR_INVALID_STATE_ERROR);
10517 return SECFailure;
10518 }
10519
10520 /* Caller must hold 1stHandshakeLock.
10521 */
10522 SECStatus
10523 ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode error)
10524 {
10525 SECStatus rv;
10526
10527 PORT_Assert(ss->opt.noLocks || ssl_Have1stHandshakeLock(ss));
10528
10529 if (ss->sec.isServer) {
10530 PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SERVERS);
10531 return SECFailure;
10532 }
10533
10534 ssl_GetRecvBufLock(ss);
10535 ssl_GetSSL3HandshakeLock(ss);
10536
10537 if (!ss->ssl3.hs.authCertificatePending) {
10538 PORT_SetError(PR_INVALID_STATE_ERROR);
10539 rv = SECFailure;
10540 goto done;
10541 }
10542
10543 ss->ssl3.hs.authCertificatePending = PR_FALSE;
10544
10545 if (error != 0) {
10546 ss->ssl3.hs.restartTarget = ssl3_AlwaysFail;
10547 ssl3_SendAlertForCertError(ss, error);
10548 rv = SECSuccess;
10549 } else if (ss->ssl3.hs.restartTarget != NULL) {
10550 sslRestartTarget target = ss->ssl3.hs.restartTarget;
10551 ss->ssl3.hs.restartTarget = NULL;
10552
10553 if (target == ssl3_FinishHandshake) {
10554 SSL_TRC(3,("%d: SSL3[%p]: certificate authentication lost the race"
10555 " with peer's finished message", SSL_GETPID(), ss->fd));
10556 }
10557
10558 rv = target(ss);
10559 /* Even if we blocked here, we have accomplished enough to claim
10560 * success. Any remaining work will be taken care of by subsequent
10561 * calls to SSL_ForceHandshake/PR_Send/PR_Read/etc.
10562 */
10563 if (rv == SECWouldBlock) {
10564 rv = SECSuccess;
10565 }
10566 } else {
10567 SSL_TRC(3, ("%d: SSL3[%p]: certificate authentication won the race with"
10568 " peer's finished message", SSL_GETPID(), ss->fd));
10569
10570 PORT_Assert(!ss->ssl3.hs.isResuming);
10571 PORT_Assert(ss->ssl3.hs.ws != idle_handshake);
10572
10573 if (ss->opt.enableFalseStart &&
10574 !ss->firstHsDone &&
10575 !ss->ssl3.hs.isResuming &&
10576 ssl3_WaitingForStartOfServerSecondRound(ss)) {
10577 /* ssl3_SendClientSecondRound deferred the false start check because
10578 * certificate authentication was pending, so we do it now if we sti ll
10579 * haven't received any of the server's second round yet.
10580 */
10581 rv = ssl3_CheckFalseStart(ss);
10582 } else {
10583 rv = SECSuccess;
10584 }
10585 }
10586
10587 done:
10588 ssl_ReleaseSSL3HandshakeLock(ss);
10589 ssl_ReleaseRecvBufLock(ss);
10590
10591 return rv;
10592 }
10593
10594 static SECStatus
10595 ssl3_ComputeTLSFinished(ssl3CipherSpec *spec,
10596 PRBool isServer,
10597 const SSL3Hashes * hashes,
10598 TLSFinished * tlsFinished)
10599 {
10600 const char * label;
10601 unsigned int len;
10602 SECStatus rv;
10603
10604 label = isServer ? "server finished" : "client finished";
10605 len = 15;
10606
10607 rv = ssl3_TLSPRFWithMasterSecret(spec, label, len, hashes->u.raw,
10608 hashes->len, tlsFinished->verify_data,
10609 sizeof tlsFinished->verify_data);
10610
10611 return rv;
10612 }
10613
10614 /* The calling function must acquire and release the appropriate
10615 * lock (e.g., ssl_GetSpecReadLock / ssl_ReleaseSpecReadLock for
10616 * ss->ssl3.crSpec).
10617 */
10618 SECStatus
10619 ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec, const char *label,
10620 unsigned int labelLen, const unsigned char *val, unsigned int valLen,
10621 unsigned char *out, unsigned int outLen)
10622 {
10623 SECStatus rv = SECSuccess;
10624
10625 if (spec->master_secret && !spec->bypassCiphers) {
10626 SECItem param = {siBuffer, NULL, 0};
10627 CK_MECHANISM_TYPE mech = CKM_TLS_PRF_GENERAL;
10628 PK11Context *prf_context;
10629 unsigned int retLen;
10630
10631 if (spec->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
10632 mech = CKM_NSS_TLS_PRF_GENERAL_SHA256;
10633 }
10634 prf_context = PK11_CreateContextBySymKey(mech, CKA_SIGN,
10635 spec->master_secret, &param);
10636 if (!prf_context)
10637 return SECFailure;
10638
10639 rv = PK11_DigestBegin(prf_context);
10640 rv |= PK11_DigestOp(prf_context, (unsigned char *) label, labelLen);
10641 rv |= PK11_DigestOp(prf_context, val, valLen);
10642 rv |= PK11_DigestFinal(prf_context, out, &retLen, outLen);
10643 PORT_Assert(rv != SECSuccess || retLen == outLen);
10644
10645 PK11_DestroyContext(prf_context, PR_TRUE);
10646 } else {
10647 /* bypass PKCS11 */
10648 #ifdef NO_PKCS11_BYPASS
10649 PORT_Assert(spec->master_secret);
10650 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
10651 rv = SECFailure;
10652 #else
10653 SECItem inData = { siBuffer, };
10654 SECItem outData = { siBuffer, };
10655 PRBool isFIPS = PR_FALSE;
10656
10657 inData.data = (unsigned char *) val;
10658 inData.len = valLen;
10659 outData.data = out;
10660 outData.len = outLen;
10661 if (spec->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
10662 rv = TLS_P_hash(HASH_AlgSHA256, &spec->msItem, label, &inData,
10663 &outData, isFIPS);
10664 } else {
10665 rv = TLS_PRF(&spec->msItem, label, &inData, &outData, isFIPS);
10666 }
10667 PORT_Assert(rv != SECSuccess || outData.len == outLen);
10668 #endif
10669 }
10670 return rv;
10671 }
10672
10673 /* called from ssl3_SendClientSecondRound
10674 * ssl3_HandleFinished
10675 */
10676 static SECStatus
10677 ssl3_SendNextProto(sslSocket *ss)
10678 {
10679 SECStatus rv;
10680 int padding_len;
10681 static const unsigned char padding[32] = {0};
10682
10683 if (ss->ssl3.nextProto.len == 0 ||
10684 ss->ssl3.nextProtoState == SSL_NEXT_PROTO_SELECTED) {
10685 return SECSuccess;
10686 }
10687
10688 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
10689 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
10690
10691 padding_len = 32 - ((ss->ssl3.nextProto.len + 2) % 32);
10692
10693 rv = ssl3_AppendHandshakeHeader(ss, next_proto, ss->ssl3.nextProto.len +
10694 2 + padding_len);
10695 if (rv != SECSuccess) {
10696 return rv; /* error code set by AppendHandshakeHeader */
10697 }
10698 rv = ssl3_AppendHandshakeVariable(ss, ss->ssl3.nextProto.data,
10699 ss->ssl3.nextProto.len, 1);
10700 if (rv != SECSuccess) {
10701 return rv; /* error code set by AppendHandshake */
10702 }
10703 rv = ssl3_AppendHandshakeVariable(ss, padding, padding_len, 1);
10704 if (rv != SECSuccess) {
10705 return rv; /* error code set by AppendHandshake */
10706 }
10707 return rv;
10708 }
10709
10710 /* called from ssl3_SendFinished
10711 *
10712 * This function is simply a debugging aid and therefore does not return a
10713 * SECStatus. */
10714 static void
10715 ssl3_RecordKeyLog(sslSocket *ss)
10716 {
10717 SECStatus rv;
10718 SECItem *keyData;
10719 char buf[14 /* "CLIENT_RANDOM " */ +
10720 SSL3_RANDOM_LENGTH*2 /* client_random */ +
10721 1 /* " " */ +
10722 48*2 /* master secret */ +
10723 1 /* new line */];
10724 unsigned int j;
10725
10726 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
10727
10728 if (!ssl_keylog_iob)
10729 return;
10730
10731 rv = PK11_ExtractKeyValue(ss->ssl3.cwSpec->master_secret);
10732 if (rv != SECSuccess)
10733 return;
10734
10735 ssl_GetSpecReadLock(ss);
10736
10737 /* keyData does not need to be freed. */
10738 keyData = PK11_GetKeyData(ss->ssl3.cwSpec->master_secret);
10739 if (!keyData || !keyData->data || keyData->len != 48) {
10740 ssl_ReleaseSpecReadLock(ss);
10741 return;
10742 }
10743
10744 /* https://developer.mozilla.org/en/NSS_Key_Log_Format */
10745
10746 /* There could be multiple, concurrent writers to the
10747 * keylog, so we have to do everything in a single call to
10748 * fwrite. */
10749
10750 memcpy(buf, "CLIENT_RANDOM ", 14);
10751 j = 14;
10752 hexEncode(buf + j, ss->ssl3.hs.client_random.rand, SSL3_RANDOM_LENGTH);
10753 j += SSL3_RANDOM_LENGTH*2;
10754 buf[j++] = ' ';
10755 hexEncode(buf + j, keyData->data, 48);
10756 j += 48*2;
10757 buf[j++] = '\n';
10758
10759 PORT_Assert(j == sizeof(buf));
10760
10761 ssl_ReleaseSpecReadLock(ss);
10762
10763 if (fwrite(buf, sizeof(buf), 1, ssl_keylog_iob) != 1)
10764 return;
10765 fflush(ssl_keylog_iob);
10766 return;
10767 }
10768
10769 /* called from ssl3_SendClientSecondRound
10770 * ssl3_HandleFinished
10771 */
10772 static SECStatus
10773 ssl3_SendEncryptedExtensions(sslSocket *ss)
10774 {
10775 static const char CHANNEL_ID_MAGIC[] = "TLS Channel ID signature";
10776 static const char CHANNEL_ID_RESUMPTION_MAGIC[] = "Resumption";
10777 /* This is the ASN.1 prefix for a P-256 public key. Specifically it's:
10778 * SEQUENCE
10779 * SEQUENCE
10780 * OID id-ecPublicKey
10781 * OID prime256v1
10782 * BIT STRING, length 66, 0 trailing bits: 0x04
10783 *
10784 * The 0x04 in the BIT STRING is the prefix for an uncompressed, X9.62
10785 * public key. Following that are the two field elements as 32-byte,
10786 * big-endian numbers, as required by the Channel ID. */
10787 static const unsigned char P256_SPKI_PREFIX[] = {
10788 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86,
10789 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a,
10790 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
10791 0x42, 0x00, 0x04
10792 };
10793 /* ChannelIDs are always 128 bytes long: 64 bytes of P-256 public key and 64
10794 * bytes of ECDSA signature. */
10795 static const int CHANNEL_ID_PUBLIC_KEY_LENGTH = 64;
10796 static const int CHANNEL_ID_LENGTH = 128;
10797
10798 SECStatus rv = SECFailure;
10799 SECItem *spki = NULL;
10800 SSL3Hashes hashes;
10801 const unsigned char *pub_bytes;
10802 unsigned char signed_data[sizeof(CHANNEL_ID_MAGIC) +
10803 sizeof(CHANNEL_ID_RESUMPTION_MAGIC) +
10804 sizeof(SSL3Hashes)*2];
10805 size_t signed_data_len;
10806 unsigned char digest[SHA256_LENGTH];
10807 SECItem digest_item;
10808 unsigned char signature[64];
10809 SECItem signature_item;
10810
10811 PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
10812 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
10813
10814 if (ss->ssl3.channelID == NULL)
10815 return SECSuccess;
10816
10817 PORT_Assert(ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn));
10818
10819 if (SECKEY_GetPrivateKeyType(ss->ssl3.channelID) != ecKey ||
10820 PK11_SignatureLen(ss->ssl3.channelID) != sizeof(signature)) {
10821 PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY);
10822 rv = SECFailure;
10823 goto loser;
10824 }
10825
10826 ssl_GetSpecReadLock(ss);
10827 rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.cwSpec, &hashes, 0);
10828 ssl_ReleaseSpecReadLock(ss);
10829
10830 if (rv != SECSuccess)
10831 goto loser;
10832
10833 rv = ssl3_AppendHandshakeHeader(ss, encrypted_extensions,
10834 2 + 2 + CHANNEL_ID_LENGTH);
10835 if (rv != SECSuccess)
10836 goto loser; /* error code set by AppendHandshakeHeader */
10837 rv = ssl3_AppendHandshakeNumber(ss, ssl_channel_id_xtn, 2);
10838 if (rv != SECSuccess)
10839 goto loser; /* error code set by AppendHandshake */
10840 rv = ssl3_AppendHandshakeNumber(ss, CHANNEL_ID_LENGTH, 2);
10841 if (rv != SECSuccess)
10842 goto loser; /* error code set by AppendHandshake */
10843
10844 spki = SECKEY_EncodeDERSubjectPublicKeyInfo(ss->ssl3.channelIDPub);
10845
10846 if (spki->len != sizeof(P256_SPKI_PREFIX) + CHANNEL_ID_PUBLIC_KEY_LENGTH ||
10847 memcmp(spki->data, P256_SPKI_PREFIX, sizeof(P256_SPKI_PREFIX)) != 0) {
10848 PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY);
10849 rv = SECFailure;
10850 goto loser;
10851 }
10852
10853 pub_bytes = spki->data + sizeof(P256_SPKI_PREFIX);
10854
10855 signed_data_len = 0;
10856 memcpy(signed_data + signed_data_len, CHANNEL_ID_MAGIC,
10857 sizeof(CHANNEL_ID_MAGIC));
10858 signed_data_len += sizeof(CHANNEL_ID_MAGIC);
10859 if (ss->ssl3.hs.isResuming) {
10860 SECItem *originalHandshakeHash =
10861 &ss->sec.ci.sid->u.ssl3.originalHandshakeHash;
10862 PORT_Assert(originalHandshakeHash->len > 0);
10863
10864 memcpy(signed_data + signed_data_len, CHANNEL_ID_RESUMPTION_MAGIC,
10865 sizeof(CHANNEL_ID_RESUMPTION_MAGIC));
10866 signed_data_len += sizeof(CHANNEL_ID_RESUMPTION_MAGIC);
10867 memcpy(signed_data + signed_data_len, originalHandshakeHash->data,
10868 originalHandshakeHash->len);
10869 signed_data_len += originalHandshakeHash->len;
10870 }
10871 memcpy(signed_data + signed_data_len, hashes.u.raw, hashes.len);
10872 signed_data_len += hashes.len;
10873
10874 rv = PK11_HashBuf(SEC_OID_SHA256, digest, signed_data, signed_data_len);
10875 if (rv != SECSuccess)
10876 goto loser;
10877
10878 digest_item.data = digest;
10879 digest_item.len = sizeof(digest);
10880
10881 signature_item.data = signature;
10882 signature_item.len = sizeof(signature);
10883
10884 rv = PK11_Sign(ss->ssl3.channelID, &signature_item, &digest_item);
10885 if (rv != SECSuccess)
10886 goto loser;
10887
10888 rv = ssl3_AppendHandshake(ss, pub_bytes, CHANNEL_ID_PUBLIC_KEY_LENGTH);
10889 if (rv != SECSuccess)
10890 goto loser;
10891 rv = ssl3_AppendHandshake(ss, signature, sizeof(signature));
10892
10893 loser:
10894 if (spki)
10895 SECITEM_FreeItem(spki, PR_TRUE);
10896 if (ss->ssl3.channelID) {
10897 SECKEY_DestroyPrivateKey(ss->ssl3.channelID);
10898 ss->ssl3.channelID = NULL;
10899 }
10900 if (ss->ssl3.channelIDPub) {
10901 SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
10902 ss->ssl3.channelIDPub = NULL;
10903 }
10904
10905 return rv;
10906 }
10907
10908 /* ssl3_RestartHandshakeAfterChannelIDReq is called to restart a handshake
10909 * after a ChannelID callback returned SECWouldBlock. At this point we have
10910 * processed the server's ServerHello but not yet any further messages. We will
10911 * always get a message from the server after a ServerHello so either they are
10912 * waiting in the buffer or we'll get network I/O. */
10913 SECStatus
10914 ssl3_RestartHandshakeAfterChannelIDReq(sslSocket *ss,
10915 SECKEYPublicKey *channelIDPub,
10916 SECKEYPrivateKey *channelID)
10917 {
10918 if (ss->handshake == 0) {
10919 SECKEY_DestroyPublicKey(channelIDPub);
10920 SECKEY_DestroyPrivateKey(channelID);
10921 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
10922 return SECFailure;
10923 }
10924
10925 if (channelIDPub == NULL ||
10926 channelID == NULL) {
10927 if (channelIDPub)
10928 SECKEY_DestroyPublicKey(channelIDPub);
10929 if (channelID)
10930 SECKEY_DestroyPrivateKey(channelID);
10931 PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
10932 return SECFailure;
10933 }
10934
10935 if (ss->ssl3.channelID)
10936 SECKEY_DestroyPrivateKey(ss->ssl3.channelID);
10937 if (ss->ssl3.channelIDPub)
10938 SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
10939
10940 ss->handshake = ssl_GatherRecord1stHandshake;
10941 ss->ssl3.channelID = channelID;
10942 ss->ssl3.channelIDPub = channelIDPub;
10943
10944 return SECSuccess;
10945 }
10946
10947 /* called from ssl3_SendClientSecondRound
10948 * ssl3_HandleClientHello
10949 * ssl3_HandleFinished
10950 */
10951 static SECStatus
10952 ssl3_SendFinished(sslSocket *ss, PRInt32 flags)
10953 {
10954 ssl3CipherSpec *cwSpec;
10955 PRBool isTLS;
10956 PRBool isServer = ss->sec.isServer;
10957 SECStatus rv;
10958 SSL3Sender sender = isServer ? sender_server : sender_client;
10959 SSL3Hashes hashes;
10960 TLSFinished tlsFinished;
10961
10962 SSL_TRC(3, ("%d: SSL3[%d]: send finished handshake", SSL_GETPID(), ss->fd));
10963
10964 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
10965 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
10966
10967 ssl_GetSpecReadLock(ss);
10968 cwSpec = ss->ssl3.cwSpec;
10969 isTLS = (PRBool)(cwSpec->version > SSL_LIBRARY_VERSION_3_0);
10970 rv = ssl3_ComputeHandshakeHashes(ss, cwSpec, &hashes, sender);
10971 if (isTLS && rv == SECSuccess) {
10972 rv = ssl3_ComputeTLSFinished(cwSpec, isServer, &hashes, &tlsFinished);
10973 }
10974 ssl_ReleaseSpecReadLock(ss);
10975 if (rv != SECSuccess) {
10976 goto fail; /* err code was set by ssl3_ComputeHandshakeHashes */
10977 }
10978
10979 if (isTLS) {
10980 if (isServer)
10981 ss->ssl3.hs.finishedMsgs.tFinished[1] = tlsFinished;
10982 else
10983 ss->ssl3.hs.finishedMsgs.tFinished[0] = tlsFinished;
10984 ss->ssl3.hs.finishedBytes = sizeof tlsFinished;
10985 rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof tlsFinished);
10986 if (rv != SECSuccess)
10987 goto fail; /* err set by AppendHandshake. */
10988 rv = ssl3_AppendHandshake(ss, &tlsFinished, sizeof tlsFinished);
10989 if (rv != SECSuccess)
10990 goto fail; /* err set by AppendHandshake. */
10991 } else {
10992 if (isServer)
10993 ss->ssl3.hs.finishedMsgs.sFinished[1] = hashes.u.s;
10994 else
10995 ss->ssl3.hs.finishedMsgs.sFinished[0] = hashes.u.s;
10996 PORT_Assert(hashes.len == sizeof hashes.u.s);
10997 ss->ssl3.hs.finishedBytes = sizeof hashes.u.s;
10998 rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof hashes.u.s);
10999 if (rv != SECSuccess)
11000 goto fail; /* err set by AppendHandshake. */
11001 rv = ssl3_AppendHandshake(ss, &hashes.u.s, sizeof hashes.u.s);
11002 if (rv != SECSuccess)
11003 goto fail; /* err set by AppendHandshake. */
11004 }
11005 rv = ssl3_FlushHandshake(ss, flags);
11006 if (rv != SECSuccess) {
11007 goto fail; /* error code set by ssl3_FlushHandshake */
11008 }
11009
11010 ssl3_RecordKeyLog(ss);
11011
11012 return SECSuccess;
11013
11014 fail:
11015 return rv;
11016 }
11017
11018 /* wrap the master secret, and put it into the SID.
11019 * Caller holds the Spec read lock.
11020 */
11021 SECStatus
11022 ssl3_CacheWrappedMasterSecret(sslSocket *ss, sslSessionID *sid,
11023 ssl3CipherSpec *spec, SSL3KEAType effectiveExchKeyType)
11024 {
11025 PK11SymKey * wrappingKey = NULL;
11026 PK11SlotInfo * symKeySlot;
11027 void * pwArg = ss->pkcs11PinArg;
11028 SECStatus rv = SECFailure;
11029 PRBool isServer = ss->sec.isServer;
11030 CK_MECHANISM_TYPE mechanism = CKM_INVALID_MECHANISM;
11031 symKeySlot = PK11_GetSlotFromKey(spec->master_secret);
11032 if (!isServer) {
11033 int wrapKeyIndex;
11034 int incarnation;
11035
11036 /* these next few functions are mere accessors and don't fail. */
11037 sid->u.ssl3.masterWrapIndex = wrapKeyIndex =
11038 PK11_GetCurrentWrapIndex(symKeySlot);
11039 PORT_Assert(wrapKeyIndex == 0); /* array has only one entry! */
11040
11041 sid->u.ssl3.masterWrapSeries = incarnation =
11042 PK11_GetSlotSeries(symKeySlot);
11043 sid->u.ssl3.masterSlotID = PK11_GetSlotID(symKeySlot);
11044 sid->u.ssl3.masterModuleID = PK11_GetModuleID(symKeySlot);
11045 sid->u.ssl3.masterValid = PR_TRUE;
11046 /* Get the default wrapping key, for wrapping the master secret before
11047 * placing it in the SID cache entry. */
11048 wrappingKey = PK11_GetWrapKey(symKeySlot, wrapKeyIndex,
11049 CKM_INVALID_MECHANISM, incarnation,
11050 pwArg);
11051 if (wrappingKey) {
11052 mechanism = PK11_GetMechanism(wrappingKey); /* can't fail. */
11053 } else {
11054 int keyLength;
11055 /* if the wrappingKey doesn't exist, attempt to create it.
11056 * Note: we intentionally ignore errors here. If we cannot
11057 * generate a wrapping key, it is not fatal to this SSL connection,
11058 * but we will not be able to restart this session.
11059 */
11060 mechanism = PK11_GetBestWrapMechanism(symKeySlot);
11061 keyLength = PK11_GetBestKeyLength(symKeySlot, mechanism);
11062 /* Zero length means fixed key length algorithm, or error.
11063 * It's ambiguous.
11064 */
11065 wrappingKey = PK11_KeyGen(symKeySlot, mechanism, NULL,
11066 keyLength, pwArg);
11067 if (wrappingKey) {
11068 PK11_SetWrapKey(symKeySlot, wrapKeyIndex, wrappingKey);
11069 }
11070 }
11071 } else {
11072 /* server socket using session cache. */
11073 mechanism = PK11_GetBestWrapMechanism(symKeySlot);
11074 if (mechanism != CKM_INVALID_MECHANISM) {
11075 wrappingKey =
11076 getWrappingKey(ss, symKeySlot, effectiveExchKeyType,
11077 mechanism, pwArg);
11078 if (wrappingKey) {
11079 mechanism = PK11_GetMechanism(wrappingKey); /* can't fail. */
11080 }
11081 }
11082 }
11083
11084 sid->u.ssl3.masterWrapMech = mechanism;
11085 PK11_FreeSlot(symKeySlot);
11086
11087 if (wrappingKey) {
11088 SECItem wmsItem;
11089
11090 wmsItem.data = sid->u.ssl3.keys.wrapped_master_secret;
11091 wmsItem.len = sizeof sid->u.ssl3.keys.wrapped_master_secret;
11092 rv = PK11_WrapSymKey(mechanism, NULL, wrappingKey,
11093 spec->master_secret, &wmsItem);
11094 /* rv is examined below. */
11095 sid->u.ssl3.keys.wrapped_master_secret_len = wmsItem.len;
11096 PK11_FreeSymKey(wrappingKey);
11097 }
11098 return rv;
11099 }
11100
11101 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
11102 * ssl3 Finished message from the peer.
11103 * Caller must hold Handshake and RecvBuf locks.
11104 */
11105 static SECStatus
11106 ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
11107 const SSL3Hashes *hashes)
11108 {
11109 sslSessionID * sid = ss->sec.ci.sid;
11110 SECStatus rv = SECSuccess;
11111 PRBool isServer = ss->sec.isServer;
11112 PRBool isTLS;
11113 SSL3KEAType effectiveExchKeyType;
11114
11115 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
11116 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
11117
11118 SSL_TRC(3, ("%d: SSL3[%d]: handle finished handshake",
11119 SSL_GETPID(), ss->fd));
11120
11121 if (ss->ssl3.hs.ws != wait_finished) {
11122 SSL3_SendAlert(ss, alert_fatal, unexpected_message);
11123 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_FINISHED);
11124 return SECFailure;
11125 }
11126
11127 isTLS = (PRBool)(ss->ssl3.crSpec->version > SSL_LIBRARY_VERSION_3_0);
11128 if (isTLS) {
11129 TLSFinished tlsFinished;
11130
11131 if (length != sizeof tlsFinished) {
11132 (void)SSL3_SendAlert(ss, alert_fatal, decode_error);
11133 PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED);
11134 return SECFailure;
11135 }
11136 rv = ssl3_ComputeTLSFinished(ss->ssl3.crSpec, !isServer,
11137 hashes, &tlsFinished);
11138 if (!isServer)
11139 ss->ssl3.hs.finishedMsgs.tFinished[1] = tlsFinished;
11140 else
11141 ss->ssl3.hs.finishedMsgs.tFinished[0] = tlsFinished;
11142 ss->ssl3.hs.finishedBytes = sizeof tlsFinished;
11143 if (rv != SECSuccess ||
11144 0 != NSS_SecureMemcmp(&tlsFinished, b, length)) {
11145 (void)SSL3_SendAlert(ss, alert_fatal, decrypt_error);
11146 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
11147 return SECFailure;
11148 }
11149 } else {
11150 if (length != sizeof(SSL3Finished)) {
11151 (void)ssl3_IllegalParameter(ss);
11152 PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED);
11153 return SECFailure;
11154 }
11155
11156 if (!isServer)
11157 ss->ssl3.hs.finishedMsgs.sFinished[1] = hashes->u.s;
11158 else
11159 ss->ssl3.hs.finishedMsgs.sFinished[0] = hashes->u.s;
11160 PORT_Assert(hashes->len == sizeof hashes->u.s);
11161 ss->ssl3.hs.finishedBytes = sizeof hashes->u.s;
11162 if (0 != NSS_SecureMemcmp(&hashes->u.s, b, length)) {
11163 (void)ssl3_HandshakeFailure(ss);
11164 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
11165 return SECFailure;
11166 }
11167 }
11168
11169 ssl_GetXmitBufLock(ss); /*************************************/
11170
11171 if ((isServer && !ss->ssl3.hs.isResuming) ||
11172 (!isServer && ss->ssl3.hs.isResuming)) {
11173 PRInt32 flags = 0;
11174
11175 /* Send a NewSessionTicket message if the client sent us
11176 * either an empty session ticket, or one that did not verify.
11177 * (Note that if either of these conditions was met, then the
11178 * server has sent a SessionTicket extension in the
11179 * ServerHello message.)
11180 */
11181 if (isServer && !ss->ssl3.hs.isResuming &&
11182 ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn)) {
11183 /* RFC 5077 Section 3.3: "In the case of a full handshake, the
11184 * server MUST verify the client's Finished message before sending
11185 * the ticket." Presumably, this also means that the client's
11186 * certificate, if any, must be verified beforehand too.
11187 */
11188 rv = ssl3_SendNewSessionTicket(ss);
11189 if (rv != SECSuccess) {
11190 goto xmit_loser;
11191 }
11192 }
11193
11194 rv = ssl3_SendChangeCipherSpecs(ss);
11195 if (rv != SECSuccess) {
11196 goto xmit_loser; /* err is set. */
11197 }
11198 /* If this thread is in SSL_SecureSend (trying to write some data)
11199 ** then set the ssl_SEND_FLAG_FORCE_INTO_BUFFER flag, so that the
11200 ** last two handshake messages (change cipher spec and finished)
11201 ** will be sent in the same send/write call as the application data.
11202 */
11203 if (ss->writerThread == PR_GetCurrentThread()) {
11204 flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER;
11205 }
11206
11207 if (!isServer) {
11208 if (!ss->firstHsDone) {
11209 rv = ssl3_SendNextProto(ss);
11210 if (rv != SECSuccess) {
11211 goto xmit_loser; /* err code was set. */
11212 }
11213 }
11214 rv = ssl3_SendEncryptedExtensions(ss);
11215 if (rv != SECSuccess)
11216 goto xmit_loser; /* err code was set. */
11217 }
11218
11219 if (IS_DTLS(ss)) {
11220 flags |= ssl_SEND_FLAG_NO_RETRANSMIT;
11221 }
11222
11223 rv = ssl3_SendFinished(ss, flags);
11224 if (rv != SECSuccess) {
11225 goto xmit_loser; /* err is set. */
11226 }
11227 }
11228
11229 xmit_loser:
11230 ssl_ReleaseXmitBufLock(ss); /*************************************/
11231 if (rv != SECSuccess) {
11232 return rv;
11233 }
11234
11235 if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) {
11236 effectiveExchKeyType = kt_rsa;
11237 } else {
11238 effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType;
11239 }
11240
11241 if (sid->cached == never_cached && !ss->opt.noCache && ss->sec.cache) {
11242 /* fill in the sid */
11243 sid->u.ssl3.cipherSuite = ss->ssl3.hs.cipher_suite;
11244 sid->u.ssl3.compression = ss->ssl3.hs.compression;
11245 sid->u.ssl3.policy = ss->ssl3.policy;
11246 #ifdef NSS_ENABLE_ECC
11247 sid->u.ssl3.negotiatedECCurves = ss->ssl3.hs.negotiatedECCurves;
11248 #endif
11249 sid->u.ssl3.exchKeyType = effectiveExchKeyType;
11250 sid->version = ss->version;
11251 sid->authAlgorithm = ss->sec.authAlgorithm;
11252 sid->authKeyBits = ss->sec.authKeyBits;
11253 sid->keaType = ss->sec.keaType;
11254 sid->keaKeyBits = ss->sec.keaKeyBits;
11255 sid->lastAccessTime = sid->creationTime = ssl_Time();
11256 sid->expirationTime = sid->creationTime + ssl3_sid_timeout;
11257 sid->localCert = CERT_DupCertificate(ss->sec.localCert);
11258
11259 ssl_GetSpecReadLock(ss); /*************************************/
11260
11261 /* Copy the master secret (wrapped or unwrapped) into the sid */
11262 if (ss->ssl3.crSpec->msItem.len && ss->ssl3.crSpec->msItem.data) {
11263 sid->u.ssl3.keys.wrapped_master_secret_len =
11264 ss->ssl3.crSpec->msItem.len;
11265 memcpy(sid->u.ssl3.keys.wrapped_master_secret,
11266 ss->ssl3.crSpec->msItem.data, ss->ssl3.crSpec->msItem.len);
11267 sid->u.ssl3.masterValid = PR_TRUE;
11268 sid->u.ssl3.keys.msIsWrapped = PR_FALSE;
11269 rv = SECSuccess;
11270 } else {
11271 rv = ssl3_CacheWrappedMasterSecret(ss, ss->sec.ci.sid,
11272 ss->ssl3.crSpec,
11273 effectiveExchKeyType);
11274 sid->u.ssl3.keys.msIsWrapped = PR_TRUE;
11275 }
11276 ssl_ReleaseSpecReadLock(ss); /*************************************/
11277
11278 /* If the wrap failed, we don't cache the sid.
11279 * The connection continues normally however.
11280 */
11281 ss->ssl3.hs.cacheSID = rv == SECSuccess;
11282 }
11283
11284 if (ss->ssl3.hs.authCertificatePending) {
11285 if (ss->ssl3.hs.restartTarget) {
11286 PR_NOT_REACHED("ssl3_HandleFinished: unexpected restartTarget");
11287 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
11288 return SECFailure;
11289 }
11290
11291 ss->ssl3.hs.restartTarget = ssl3_FinishHandshake;
11292 return SECWouldBlock;
11293 }
11294
11295 rv = ssl3_FinishHandshake(ss);
11296 return rv;
11297 }
11298
11299 /* The return type is SECStatus instead of void because this function needs
11300 * to have type sslRestartTarget.
11301 */
11302 SECStatus
11303 ssl3_FinishHandshake(sslSocket * ss)
11304 {
11305 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
11306 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
11307 PORT_Assert( ss->ssl3.hs.restartTarget == NULL );
11308
11309 /* The first handshake is now completed. */
11310 ss->handshake = NULL;
11311
11312 /* RFC 5077 Section 3.3: "The client MUST NOT treat the ticket as valid
11313 * until it has verified the server's Finished message." When the server
11314 * sends a NewSessionTicket in a resumption handshake, we must wait until
11315 * the handshake is finished (we have verified the server's Finished
11316 * AND the server's certificate) before we update the ticket in the sid.
11317 *
11318 * This must be done before we call (*ss->sec.cache)(ss->sec.ci.sid)
11319 * because CacheSID requires the session ticket to already be set, and also
11320 * because of the lazy lock creation scheme used by CacheSID and
11321 * ssl3_SetSIDSessionTicket.
11322 */
11323 if (ss->ssl3.hs.receivedNewSessionTicket) {
11324 PORT_Assert(!ss->sec.isServer);
11325 ssl3_SetSIDSessionTicket(ss->sec.ci.sid, &ss->ssl3.hs.newSessionTicket);
11326 /* The sid took over the ticket data */
11327 PORT_Assert(!ss->ssl3.hs.newSessionTicket.ticket.data);
11328 ss->ssl3.hs.receivedNewSessionTicket = PR_FALSE;
11329 }
11330
11331 if (ss->ssl3.hs.cacheSID && ss->sec.isServer) {
11332 PORT_Assert(ss->sec.ci.sid->cached == never_cached);
11333 (*ss->sec.cache)(ss->sec.ci.sid);
11334 ss->ssl3.hs.cacheSID = PR_FALSE;
11335 }
11336
11337 ss->ssl3.hs.canFalseStart = PR_FALSE; /* False Start phase is complete */
11338 ss->ssl3.hs.ws = idle_handshake;
11339
11340 ssl_FinishHandshake(ss);
11341
11342 return SECSuccess;
11343 }
11344
11345 /* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3
11346 * hanshake message.
11347 * Caller must hold Handshake and RecvBuf locks.
11348 */
11349 SECStatus
11350 ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
11351 {
11352 SECStatus rv = SECSuccess;
11353 SSL3HandshakeType type = ss->ssl3.hs.msg_type;
11354 SSL3Hashes hashes; /* computed hashes are put here. */
11355 PRUint8 hdr[4];
11356 PRUint8 dtlsData[8];
11357
11358 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
11359 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
11360 /*
11361 * We have to compute the hashes before we update them with the
11362 * current message.
11363 */
11364 ssl_GetSpecReadLock(ss); /************************************/
11365 if((type == finished) || (type == certificate_verify)) {
11366 SSL3Sender sender = (SSL3Sender)0;
11367 ssl3CipherSpec *rSpec = ss->ssl3.prSpec;
11368
11369 if (type == finished) {
11370 sender = ss->sec.isServer ? sender_client : sender_server;
11371 rSpec = ss->ssl3.crSpec;
11372 }
11373 rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender);
11374 }
11375 ssl_ReleaseSpecReadLock(ss); /************************************/
11376 if (rv != SECSuccess) {
11377 return rv; /* error code was set by ssl3_ComputeHandshakeHashes*/
11378 }
11379 SSL_TRC(30,("%d: SSL3[%d]: handle handshake message: %s", SSL_GETPID(),
11380 ss->fd, ssl3_DecodeHandshakeType(ss->ssl3.hs.msg_type)));
11381
11382 hdr[0] = (PRUint8)ss->ssl3.hs.msg_type;
11383 hdr[1] = (PRUint8)(length >> 16);
11384 hdr[2] = (PRUint8)(length >> 8);
11385 hdr[3] = (PRUint8)(length );
11386
11387 /* Start new handshake hashes when we start a new handshake */
11388 if (ss->ssl3.hs.msg_type == client_hello) {
11389 rv = ssl3_RestartHandshakeHashes(ss);
11390 if (rv != SECSuccess) {
11391 return rv;
11392 }
11393 }
11394 /* We should not include hello_request and hello_verify_request messages
11395 * in the handshake hashes */
11396 if ((ss->ssl3.hs.msg_type != hello_request) &&
11397 (ss->ssl3.hs.msg_type != hello_verify_request)) {
11398 rv = ssl3_UpdateHandshakeHashes(ss, (unsigned char*) hdr, 4);
11399 if (rv != SECSuccess) return rv; /* err code already set. */
11400
11401 /* Extra data to simulate a complete DTLS handshake fragment */
11402 if (IS_DTLS(ss)) {
11403 /* Sequence number */
11404 dtlsData[0] = MSB(ss->ssl3.hs.recvMessageSeq);
11405 dtlsData[1] = LSB(ss->ssl3.hs.recvMessageSeq);
11406
11407 /* Fragment offset */
11408 dtlsData[2] = 0;
11409 dtlsData[3] = 0;
11410 dtlsData[4] = 0;
11411
11412 /* Fragment length */
11413 dtlsData[5] = (PRUint8)(length >> 16);
11414 dtlsData[6] = (PRUint8)(length >> 8);
11415 dtlsData[7] = (PRUint8)(length );
11416
11417 rv = ssl3_UpdateHandshakeHashes(ss, (unsigned char*) dtlsData,
11418 sizeof(dtlsData));
11419 if (rv != SECSuccess) return rv; /* err code already set. */
11420 }
11421
11422 /* The message body */
11423 rv = ssl3_UpdateHandshakeHashes(ss, b, length);
11424 if (rv != SECSuccess) return rv; /* err code already set. */
11425 }
11426
11427 PORT_SetError(0); /* each message starts with no error. */
11428
11429 if (ss->ssl3.hs.ws == wait_certificate_status &&
11430 ss->ssl3.hs.msg_type != certificate_status) {
11431 /* If we negotiated the certificate_status extension then we deferred
11432 * certificate validation until we get the CertificateStatus messsage.
11433 * But the CertificateStatus message is optional. If the server did
11434 * not send it then we need to validate the certificate now. If the
11435 * server does send the CertificateStatus message then we will
11436 * authenticate the certificate in ssl3_HandleCertificateStatus.
11437 */
11438 rv = ssl3_AuthCertificate(ss); /* sets ss->ssl3.hs.ws */
11439 PORT_Assert(rv != SECWouldBlock);
11440 if (rv != SECSuccess) {
11441 return rv;
11442 }
11443 }
11444
11445 switch (ss->ssl3.hs.msg_type) {
11446 case hello_request:
11447 if (length != 0) {
11448 (void)ssl3_DecodeError(ss);
11449 PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_REQUEST);
11450 return SECFailure;
11451 }
11452 if (ss->sec.isServer) {
11453 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
11454 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST);
11455 return SECFailure;
11456 }
11457 rv = ssl3_HandleHelloRequest(ss);
11458 break;
11459 case client_hello:
11460 if (!ss->sec.isServer) {
11461 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
11462 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO);
11463 return SECFailure;
11464 }
11465 rv = ssl3_HandleClientHello(ss, b, length);
11466 break;
11467 case server_hello:
11468 if (ss->sec.isServer) {
11469 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
11470 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO);
11471 return SECFailure;
11472 }
11473 rv = ssl3_HandleServerHello(ss, b, length);
11474 break;
11475 case hello_verify_request:
11476 if (!IS_DTLS(ss) || ss->sec.isServer) {
11477 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
11478 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY_REQUEST);
11479 return SECFailure;
11480 }
11481 rv = dtls_HandleHelloVerifyRequest(ss, b, length);
11482 break;
11483 case certificate:
11484 rv = ssl3_HandleCertificate(ss, b, length);
11485 break;
11486 case certificate_status:
11487 rv = ssl3_HandleCertificateStatus(ss, b, length);
11488 break;
11489 case server_key_exchange:
11490 if (ss->sec.isServer) {
11491 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
11492 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH);
11493 return SECFailure;
11494 }
11495 rv = ssl3_HandleServerKeyExchange(ss, b, length);
11496 break;
11497 case certificate_request:
11498 if (ss->sec.isServer) {
11499 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
11500 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST);
11501 return SECFailure;
11502 }
11503 rv = ssl3_HandleCertificateRequest(ss, b, length);
11504 break;
11505 case server_hello_done:
11506 if (length != 0) {
11507 (void)ssl3_DecodeError(ss);
11508 PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_DONE);
11509 return SECFailure;
11510 }
11511 if (ss->sec.isServer) {
11512 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
11513 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
11514 return SECFailure;
11515 }
11516 rv = ssl3_HandleServerHelloDone(ss);
11517 break;
11518 case certificate_verify:
11519 if (!ss->sec.isServer) {
11520 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
11521 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY);
11522 return SECFailure;
11523 }
11524 rv = ssl3_HandleCertificateVerify(ss, b, length, &hashes);
11525 break;
11526 case client_key_exchange:
11527 if (!ss->sec.isServer) {
11528 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
11529 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH);
11530 return SECFailure;
11531 }
11532 rv = ssl3_HandleClientKeyExchange(ss, b, length);
11533 break;
11534 case new_session_ticket:
11535 if (ss->sec.isServer) {
11536 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
11537 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET);
11538 return SECFailure;
11539 }
11540 rv = ssl3_HandleNewSessionTicket(ss, b, length);
11541 break;
11542 case finished:
11543 rv = ssl3_HandleFinished(ss, b, length, &hashes);
11544 break;
11545 default:
11546 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
11547 PORT_SetError(SSL_ERROR_RX_UNKNOWN_HANDSHAKE);
11548 rv = SECFailure;
11549 }
11550
11551 if (IS_DTLS(ss) && (rv != SECFailure)) {
11552 /* Increment the expected sequence number */
11553 ss->ssl3.hs.recvMessageSeq++;
11554 }
11555
11556 return rv;
11557 }
11558
11559 /* Called only from ssl3_HandleRecord, for each (deciphered) ssl3 record.
11560 * origBuf is the decrypted ssl record content.
11561 * Caller must hold the handshake and RecvBuf locks.
11562 */
11563 static SECStatus
11564 ssl3_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)
11565 {
11566 /*
11567 * There may be a partial handshake message already in the handshake
11568 * state. The incoming buffer may contain another portion, or a
11569 * complete message or several messages followed by another portion.
11570 *
11571 * Each message is made contiguous before being passed to the actual
11572 * message parser.
11573 */
11574 sslBuffer *buf = &ss->ssl3.hs.msgState; /* do not lose the original buffer p ointer */
11575 SECStatus rv;
11576
11577 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
11578 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
11579
11580 if (buf->buf == NULL) {
11581 *buf = *origBuf;
11582 }
11583 while (buf->len > 0) {
11584 if (ss->ssl3.hs.header_bytes < 4) {
11585 PRUint8 t;
11586 t = *(buf->buf++);
11587 buf->len--;
11588 if (ss->ssl3.hs.header_bytes++ == 0)
11589 ss->ssl3.hs.msg_type = (SSL3HandshakeType)t;
11590 else
11591 ss->ssl3.hs.msg_len = (ss->ssl3.hs.msg_len << 8) + t;
11592 if (ss->ssl3.hs.header_bytes < 4)
11593 continue;
11594
11595 #define MAX_HANDSHAKE_MSG_LEN 0x1ffff /* 128k - 1 */
11596 if (ss->ssl3.hs.msg_len > MAX_HANDSHAKE_MSG_LEN) {
11597 (void)ssl3_DecodeError(ss);
11598 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
11599 return SECFailure;
11600 }
11601 #undef MAX_HANDSHAKE_MSG_LEN
11602
11603 /* If msg_len is zero, be sure we fall through,
11604 ** even if buf->len is zero.
11605 */
11606 if (ss->ssl3.hs.msg_len > 0)
11607 continue;
11608 }
11609
11610 /*
11611 * Header has been gathered and there is at least one byte of new
11612 * data available for this message. If it can be done right out
11613 * of the original buffer, then use it from there.
11614 */
11615 if (ss->ssl3.hs.msg_body.len == 0 && buf->len >= ss->ssl3.hs.msg_len) {
11616 /* handle it from input buffer */
11617 rv = ssl3_HandleHandshakeMessage(ss, buf->buf, ss->ssl3.hs.msg_len);
11618 if (rv == SECFailure) {
11619 /* This test wants to fall through on either
11620 * SECSuccess or SECWouldBlock.
11621 * ssl3_HandleHandshakeMessage MUST set the error code.
11622 */
11623 return rv;
11624 }
11625 buf->buf += ss->ssl3.hs.msg_len;
11626 buf->len -= ss->ssl3.hs.msg_len;
11627 ss->ssl3.hs.msg_len = 0;
11628 ss->ssl3.hs.header_bytes = 0;
11629 if (rv != SECSuccess) { /* return if SECWouldBlock. */
11630 return rv;
11631 }
11632 } else {
11633 /* must be copied to msg_body and dealt with from there */
11634 unsigned int bytes;
11635
11636 PORT_Assert(ss->ssl3.hs.msg_body.len < ss->ssl3.hs.msg_len);
11637 bytes = PR_MIN(buf->len, ss->ssl3.hs.msg_len - ss->ssl3.hs.msg_body. len);
11638
11639 /* Grow the buffer if needed */
11640 rv = sslBuffer_Grow(&ss->ssl3.hs.msg_body, ss->ssl3.hs.msg_len);
11641 if (rv != SECSuccess) {
11642 /* sslBuffer_Grow has set a memory error code. */
11643 return SECFailure;
11644 }
11645
11646 PORT_Memcpy(ss->ssl3.hs.msg_body.buf + ss->ssl3.hs.msg_body.len,
11647 buf->buf, bytes);
11648 ss->ssl3.hs.msg_body.len += bytes;
11649 buf->buf += bytes;
11650 buf->len -= bytes;
11651
11652 PORT_Assert(ss->ssl3.hs.msg_body.len <= ss->ssl3.hs.msg_len);
11653
11654 /* if we have a whole message, do it */
11655 if (ss->ssl3.hs.msg_body.len == ss->ssl3.hs.msg_len) {
11656 rv = ssl3_HandleHandshakeMessage(
11657 ss, ss->ssl3.hs.msg_body.buf, ss->ssl3.hs.msg_len);
11658 if (rv == SECFailure) {
11659 /* This test wants to fall through on either
11660 * SECSuccess or SECWouldBlock.
11661 * ssl3_HandleHandshakeMessage MUST set error code.
11662 */
11663 return rv;
11664 }
11665 ss->ssl3.hs.msg_body.len = 0;
11666 ss->ssl3.hs.msg_len = 0;
11667 ss->ssl3.hs.header_bytes = 0;
11668 if (rv != SECSuccess) { /* return if SECWouldBlock. */
11669 return rv;
11670 }
11671 } else {
11672 PORT_Assert(buf->len == 0);
11673 break;
11674 }
11675 }
11676 } /* end loop */
11677
11678 origBuf->len = 0; /* So ssl3_GatherAppDataRecord will keep looping. */
11679 buf->buf = NULL; /* not a leak. */
11680 return SECSuccess;
11681 }
11682
11683 /* These macros return the given value with the MSB copied to all the other
11684 * bits. They use the fact that arithmetic shift shifts-in the sign bit.
11685 * However, this is not ensured by the C standard so you may need to replace
11686 * them with something else for odd compilers. */
11687 #define DUPLICATE_MSB_TO_ALL(x) ( (unsigned)( (int)(x) >> (sizeof(int)*8-1) ) )
11688 #define DUPLICATE_MSB_TO_ALL_8(x) ((unsigned char)(DUPLICATE_MSB_TO_ALL(x)))
11689
11690 /* SECStatusToMask returns, in constant time, a mask value of all ones if
11691 * rv == SECSuccess. Otherwise it returns zero. */
11692 static unsigned int
11693 SECStatusToMask(SECStatus rv)
11694 {
11695 unsigned int good;
11696 /* rv ^ SECSuccess is zero iff rv == SECSuccess. Subtracting one results
11697 * in the MSB being set to one iff it was zero before. */
11698 good = rv ^ SECSuccess;
11699 good--;
11700 return DUPLICATE_MSB_TO_ALL(good);
11701 }
11702
11703 /* ssl_ConstantTimeGE returns 0xff if a>=b and 0x00 otherwise. */
11704 static unsigned char
11705 ssl_ConstantTimeGE(unsigned int a, unsigned int b)
11706 {
11707 a -= b;
11708 return DUPLICATE_MSB_TO_ALL(~a);
11709 }
11710
11711 /* ssl_ConstantTimeEQ8 returns 0xff if a==b and 0x00 otherwise. */
11712 static unsigned char
11713 ssl_ConstantTimeEQ8(unsigned char a, unsigned char b)
11714 {
11715 unsigned int c = a ^ b;
11716 c--;
11717 return DUPLICATE_MSB_TO_ALL_8(c);
11718 }
11719
11720 static SECStatus
11721 ssl_RemoveSSLv3CBCPadding(sslBuffer *plaintext,
11722 unsigned int blockSize,
11723 unsigned int macSize)
11724 {
11725 unsigned int paddingLength, good, t;
11726 const unsigned int overhead = 1 /* padding length byte */ + macSize;
11727
11728 /* These lengths are all public so we can test them in non-constant
11729 * time. */
11730 if (overhead > plaintext->len) {
11731 return SECFailure;
11732 }
11733
11734 paddingLength = plaintext->buf[plaintext->len-1];
11735 /* SSLv3 padding bytes are random and cannot be checked. */
11736 t = plaintext->len;
11737 t -= paddingLength+overhead;
11738 /* If len >= paddingLength+overhead then the MSB of t is zero. */
11739 good = DUPLICATE_MSB_TO_ALL(~t);
11740 /* SSLv3 requires that the padding is minimal. */
11741 t = blockSize - (paddingLength+1);
11742 good &= DUPLICATE_MSB_TO_ALL(~t);
11743 plaintext->len -= good & (paddingLength+1);
11744 return (good & SECSuccess) | (~good & SECFailure);
11745 }
11746
11747 static SECStatus
11748 ssl_RemoveTLSCBCPadding(sslBuffer *plaintext, unsigned int macSize)
11749 {
11750 unsigned int paddingLength, good, t, toCheck, i;
11751 const unsigned int overhead = 1 /* padding length byte */ + macSize;
11752
11753 /* These lengths are all public so we can test them in non-constant
11754 * time. */
11755 if (overhead > plaintext->len) {
11756 return SECFailure;
11757 }
11758
11759 paddingLength = plaintext->buf[plaintext->len-1];
11760 t = plaintext->len;
11761 t -= paddingLength+overhead;
11762 /* If len >= paddingLength+overhead then the MSB of t is zero. */
11763 good = DUPLICATE_MSB_TO_ALL(~t);
11764
11765 /* The padding consists of a length byte at the end of the record and then
11766 * that many bytes of padding, all with the same value as the length byte.
11767 * Thus, with the length byte included, there are paddingLength+1 bytes of
11768 * padding.
11769 *
11770 * We can't check just |paddingLength+1| bytes because that leaks
11771 * decrypted information. Therefore we always have to check the maximum
11772 * amount of padding possible. (Again, the length of the record is
11773 * public information so we can use it.) */
11774 toCheck = 255; /* maximum amount of padding. */
11775 if (toCheck > plaintext->len-1) {
11776 toCheck = plaintext->len-1;
11777 }
11778
11779 for (i = 0; i < toCheck; i++) {
11780 unsigned int t = paddingLength - i;
11781 /* If i <= paddingLength then the MSB of t is zero and mask is
11782 * 0xff. Otherwise, mask is 0. */
11783 unsigned char mask = DUPLICATE_MSB_TO_ALL(~t);
11784 unsigned char b = plaintext->buf[plaintext->len-1-i];
11785 /* The final |paddingLength+1| bytes should all have the value
11786 * |paddingLength|. Therefore the XOR should be zero. */
11787 good &= ~(mask&(paddingLength ^ b));
11788 }
11789
11790 /* If any of the final |paddingLength+1| bytes had the wrong value,
11791 * one or more of the lower eight bits of |good| will be cleared. We
11792 * AND the bottom 8 bits together and duplicate the result to all the
11793 * bits. */
11794 good &= good >> 4;
11795 good &= good >> 2;
11796 good &= good >> 1;
11797 good <<= sizeof(good)*8-1;
11798 good = DUPLICATE_MSB_TO_ALL(good);
11799
11800 plaintext->len -= good & (paddingLength+1);
11801 return (good & SECSuccess) | (~good & SECFailure);
11802 }
11803
11804 /* On entry:
11805 * originalLength >= macSize
11806 * macSize <= MAX_MAC_LENGTH
11807 * plaintext->len >= macSize
11808 */
11809 static void
11810 ssl_CBCExtractMAC(sslBuffer *plaintext,
11811 unsigned int originalLength,
11812 SSL3Opaque* out,
11813 unsigned int macSize)
11814 {
11815 unsigned char rotatedMac[MAX_MAC_LENGTH];
11816 /* macEnd is the index of |plaintext->buf| just after the end of the
11817 * MAC. */
11818 unsigned macEnd = plaintext->len;
11819 unsigned macStart = macEnd - macSize;
11820 /* scanStart contains the number of bytes that we can ignore because
11821 * the MAC's position can only vary by 255 bytes. */
11822 unsigned scanStart = 0;
11823 unsigned i, j, divSpoiler;
11824 unsigned char rotateOffset;
11825
11826 if (originalLength > macSize + 255 + 1)
11827 scanStart = originalLength - (macSize + 255 + 1);
11828
11829 /* divSpoiler contains a multiple of macSize that is used to cause the
11830 * modulo operation to be constant time. Without this, the time varies
11831 * based on the amount of padding when running on Intel chips at least.
11832 *
11833 * The aim of right-shifting macSize is so that the compiler doesn't
11834 * figure out that it can remove divSpoiler as that would require it
11835 * to prove that macSize is always even, which I hope is beyond it. */
11836 divSpoiler = macSize >> 1;
11837 divSpoiler <<= (sizeof(divSpoiler)-1)*8;
11838 rotateOffset = (divSpoiler + macStart - scanStart) % macSize;
11839
11840 memset(rotatedMac, 0, macSize);
11841 for (i = scanStart; i < originalLength;) {
11842 for (j = 0; j < macSize && i < originalLength; i++, j++) {
11843 unsigned char macStarted = ssl_ConstantTimeGE(i, macStart);
11844 unsigned char macEnded = ssl_ConstantTimeGE(i, macEnd);
11845 unsigned char b = 0;
11846 b = plaintext->buf[i];
11847 rotatedMac[j] |= b & macStarted & ~macEnded;
11848 }
11849 }
11850
11851 /* Now rotate the MAC. If we knew that the MAC fit into a CPU cache line
11852 * we could line-align |rotatedMac| and rotate in place. */
11853 memset(out, 0, macSize);
11854 for (i = 0; i < macSize; i++) {
11855 unsigned char offset =
11856 (divSpoiler + macSize - rotateOffset + i) % macSize;
11857 for (j = 0; j < macSize; j++) {
11858 out[j] |= rotatedMac[i] & ssl_ConstantTimeEQ8(j, offset);
11859 }
11860 }
11861 }
11862
11863 /* if cText is non-null, then decipher, check MAC, and decompress the
11864 * SSL record from cText->buf (typically gs->inbuf)
11865 * into databuf (typically gs->buf), and any previous contents of databuf
11866 * is lost. Then handle databuf according to its SSL record type,
11867 * unless it's an application record.
11868 *
11869 * If cText is NULL, then the ciphertext has previously been deciphered and
11870 * checked, and is already sitting in databuf. It is processed as an SSL
11871 * Handshake message.
11872 *
11873 * DOES NOT process the decrypted/decompressed application data.
11874 * On return, databuf contains the decrypted/decompressed record.
11875 *
11876 * Called from ssl3_GatherCompleteHandshake
11877 * ssl3_RestartHandshakeAfterCertReq
11878 *
11879 * Caller must hold the RecvBufLock.
11880 *
11881 * This function aquires and releases the SSL3Handshake Lock, holding the
11882 * lock around any calls to functions that handle records other than
11883 * Application Data records.
11884 */
11885 SECStatus
11886 ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf)
11887 {
11888 const ssl3BulkCipherDef *cipher_def;
11889 ssl3CipherSpec * crSpec;
11890 SECStatus rv;
11891 unsigned int hashBytes = MAX_MAC_LENGTH + 1;
11892 PRBool isTLS;
11893 SSL3ContentType rType;
11894 SSL3Opaque hash[MAX_MAC_LENGTH];
11895 SSL3Opaque givenHashBuf[MAX_MAC_LENGTH];
11896 SSL3Opaque *givenHash;
11897 sslBuffer *plaintext;
11898 sslBuffer temp_buf;
11899 PRUint64 dtls_seq_num;
11900 unsigned int ivLen = 0;
11901 unsigned int originalLen = 0;
11902 unsigned int good;
11903 unsigned int minLength;
11904 unsigned char header[13];
11905 unsigned int headerLen;
11906
11907 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
11908
11909 if (!ss->ssl3.initialized) {
11910 ssl_GetSSL3HandshakeLock(ss);
11911 rv = ssl3_InitState(ss);
11912 ssl_ReleaseSSL3HandshakeLock(ss);
11913 if (rv != SECSuccess) {
11914 return rv; /* ssl3_InitState has set the error code. */
11915 }
11916 }
11917
11918 /* check for Token Presence */
11919 if (!ssl3_ClientAuthTokenPresent(ss->sec.ci.sid)) {
11920 PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
11921 return SECFailure;
11922 }
11923
11924 /* cText is NULL when we're called from ssl3_RestartHandshakeAfterXXX().
11925 * This implies that databuf holds a previously deciphered SSL Handshake
11926 * message.
11927 */
11928 if (cText == NULL) {
11929 SSL_DBG(("%d: SSL3[%d]: HandleRecord, resuming handshake",
11930 SSL_GETPID(), ss->fd));
11931 rType = content_handshake;
11932 goto process_it;
11933 }
11934
11935 ssl_GetSpecReadLock(ss); /******************************************/
11936
11937 crSpec = ss->ssl3.crSpec;
11938 cipher_def = crSpec->cipher_def;
11939
11940 /*
11941 * DTLS relevance checks:
11942 * Note that this code currently ignores all out-of-epoch packets,
11943 * which means we lose some in the case of rehandshake +
11944 * loss/reordering. Since DTLS is explicitly unreliable, this
11945 * seems like a good tradeoff for implementation effort and is
11946 * consistent with the guidance of RFC 6347 Sections 4.1 and 4.2.4.1
11947 */
11948 if (IS_DTLS(ss)) {
11949 DTLSEpoch epoch = (cText->seq_num.high >> 16) & 0xffff;
11950
11951 if (crSpec->epoch != epoch) {
11952 ssl_ReleaseSpecReadLock(ss);
11953 SSL_DBG(("%d: SSL3[%d]: HandleRecord, received packet "
11954 "from irrelevant epoch %d", SSL_GETPID(), ss->fd, epoch));
11955 /* Silently drop the packet */
11956 databuf->len = 0; /* Needed to ensure data not left around */
11957 return SECSuccess;
11958 }
11959
11960 dtls_seq_num = (((PRUint64)(cText->seq_num.high & 0xffff)) << 32) |
11961 ((PRUint64)cText->seq_num.low);
11962
11963 if (dtls_RecordGetRecvd(&crSpec->recvdRecords, dtls_seq_num) != 0) {
11964 ssl_ReleaseSpecReadLock(ss);
11965 SSL_DBG(("%d: SSL3[%d]: HandleRecord, rejecting "
11966 "potentially replayed packet", SSL_GETPID(), ss->fd));
11967 /* Silently drop the packet */
11968 databuf->len = 0; /* Needed to ensure data not left around */
11969 return SECSuccess;
11970 }
11971 }
11972
11973 good = ~0U;
11974 minLength = crSpec->mac_size;
11975 if (cipher_def->type == type_block) {
11976 /* CBC records have a padding length byte at the end. */
11977 minLength++;
11978 if (crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) {
11979 /* With >= TLS 1.1, CBC records have an explicit IV. */
11980 minLength += cipher_def->iv_size;
11981 }
11982 } else if (cipher_def->type == type_aead) {
11983 minLength = cipher_def->explicit_nonce_size + cipher_def->tag_size;
11984 }
11985
11986 /* We can perform this test in variable time because the record's total
11987 * length and the ciphersuite are both public knowledge. */
11988 if (cText->buf->len < minLength) {
11989 goto decrypt_loser;
11990 }
11991
11992 if (cipher_def->type == type_block &&
11993 crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) {
11994 /* Consume the per-record explicit IV. RFC 4346 Section 6.2.3.2 states
11995 * "The receiver decrypts the entire GenericBlockCipher structure and
11996 * then discards the first cipher block corresponding to the IV
11997 * component." Instead, we decrypt the first cipher block and then
11998 * discard it before decrypting the rest.
11999 */
12000 SSL3Opaque iv[MAX_IV_LENGTH];
12001 int decoded;
12002
12003 ivLen = cipher_def->iv_size;
12004 if (ivLen < 8 || ivLen > sizeof(iv)) {
12005 ssl_ReleaseSpecReadLock(ss);
12006 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
12007 return SECFailure;
12008 }
12009
12010 PRINT_BUF(80, (ss, "IV (ciphertext):", cText->buf->buf, ivLen));
12011
12012 /* The decryption result is garbage, but since we just throw away
12013 * the block it doesn't matter. The decryption of the next block
12014 * depends only on the ciphertext of the IV block.
12015 */
12016 rv = crSpec->decode(crSpec->decodeContext, iv, &decoded,
12017 sizeof(iv), cText->buf->buf, ivLen);
12018
12019 good &= SECStatusToMask(rv);
12020 }
12021
12022 /* If we will be decompressing the buffer we need to decrypt somewhere
12023 * other than into databuf */
12024 if (crSpec->decompressor) {
12025 temp_buf.buf = NULL;
12026 temp_buf.space = 0;
12027 plaintext = &temp_buf;
12028 } else {
12029 plaintext = databuf;
12030 }
12031
12032 plaintext->len = 0; /* filled in by decode call below. */
12033 if (plaintext->space < MAX_FRAGMENT_LENGTH) {
12034 rv = sslBuffer_Grow(plaintext, MAX_FRAGMENT_LENGTH + 2048);
12035 if (rv != SECSuccess) {
12036 ssl_ReleaseSpecReadLock(ss);
12037 SSL_DBG(("%d: SSL3[%d]: HandleRecord, tried to get %d bytes",
12038 SSL_GETPID(), ss->fd, MAX_FRAGMENT_LENGTH + 2048));
12039 /* sslBuffer_Grow has set a memory error code. */
12040 /* Perhaps we should send an alert. (but we have no memory!) */
12041 return SECFailure;
12042 }
12043 }
12044
12045 PRINT_BUF(80, (ss, "ciphertext:", cText->buf->buf + ivLen,
12046 cText->buf->len - ivLen));
12047
12048 isTLS = (PRBool)(crSpec->version > SSL_LIBRARY_VERSION_3_0);
12049
12050 if (isTLS && cText->buf->len - ivLen > (MAX_FRAGMENT_LENGTH + 2048)) {
12051 ssl_ReleaseSpecReadLock(ss);
12052 SSL3_SendAlert(ss, alert_fatal, record_overflow);
12053 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
12054 return SECFailure;
12055 }
12056
12057 rType = cText->type;
12058 if (cipher_def->type == type_aead) {
12059 /* XXX For many AEAD ciphers, the plaintext is shorter than the
12060 * ciphertext by a fixed byte count, but it is not true in general.
12061 * Each AEAD cipher should provide a function that returns the
12062 * plaintext length for a given ciphertext. */
12063 unsigned int decryptedLen =
12064 cText->buf->len - cipher_def->explicit_nonce_size -
12065 cipher_def->tag_size;
12066 headerLen = ssl3_BuildRecordPseudoHeader(
12067 header, IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
12068 rType, isTLS, cText->version, IS_DTLS(ss), decryptedLen);
12069 PORT_Assert(headerLen <= sizeof(header));
12070 rv = crSpec->aead(
12071 ss->sec.isServer ? &crSpec->client : &crSpec->server,
12072 PR_TRUE, /* do decrypt */
12073 plaintext->buf, /* out */
12074 (int*) &plaintext->len, /* outlen */
12075 plaintext->space, /* maxout */
12076 cText->buf->buf, /* in */
12077 cText->buf->len, /* inlen */
12078 header, headerLen);
12079 if (rv != SECSuccess) {
12080 good = 0;
12081 }
12082 } else {
12083 if (cipher_def->type == type_block &&
12084 ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) {
12085 goto decrypt_loser;
12086 }
12087
12088 /* decrypt from cText buf to plaintext. */
12089 rv = crSpec->decode(
12090 crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len,
12091 plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen);
12092 if (rv != SECSuccess) {
12093 goto decrypt_loser;
12094 }
12095
12096 PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len));
12097
12098 originalLen = plaintext->len;
12099
12100 /* If it's a block cipher, check and strip the padding. */
12101 if (cipher_def->type == type_block) {
12102 const unsigned int blockSize = cipher_def->block_size;
12103 const unsigned int macSize = crSpec->mac_size;
12104
12105 if (!isTLS) {
12106 good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding(
12107 plaintext, blockSize, macSize));
12108 } else {
12109 good &= SECStatusToMask(ssl_RemoveTLSCBCPadding(
12110 plaintext, macSize));
12111 }
12112 }
12113
12114 /* compute the MAC */
12115 headerLen = ssl3_BuildRecordPseudoHeader(
12116 header, IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
12117 rType, isTLS, cText->version, IS_DTLS(ss),
12118 plaintext->len - crSpec->mac_size);
12119 PORT_Assert(headerLen <= sizeof(header));
12120 if (cipher_def->type == type_block) {
12121 rv = ssl3_ComputeRecordMACConstantTime(
12122 crSpec, (PRBool)(!ss->sec.isServer), header, headerLen,
12123 plaintext->buf, plaintext->len, originalLen,
12124 hash, &hashBytes);
12125
12126 ssl_CBCExtractMAC(plaintext, originalLen, givenHashBuf,
12127 crSpec->mac_size);
12128 givenHash = givenHashBuf;
12129
12130 /* plaintext->len will always have enough space to remove the MAC
12131 * because in ssl_Remove{SSLv3|TLS}CBCPadding we only adjust
12132 * plaintext->len if the result has enough space for the MAC and we
12133 * tested the unadjusted size against minLength, above. */
12134 plaintext->len -= crSpec->mac_size;
12135 } else {
12136 /* This is safe because we checked the minLength above. */
12137 plaintext->len -= crSpec->mac_size;
12138
12139 rv = ssl3_ComputeRecordMAC(
12140 crSpec, (PRBool)(!ss->sec.isServer), header, headerLen,
12141 plaintext->buf, plaintext->len, hash, &hashBytes);
12142
12143 /* We can read the MAC directly from the record because its location
12144 * is public when a stream cipher is used. */
12145 givenHash = plaintext->buf + plaintext->len;
12146 }
12147
12148 good &= SECStatusToMask(rv);
12149
12150 if (hashBytes != (unsigned)crSpec->mac_size ||
12151 NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) {
12152 /* We're allowed to leak whether or not the MAC check was correct */
12153 good = 0;
12154 }
12155 }
12156
12157 if (good == 0) {
12158 decrypt_loser:
12159 /* must not hold spec lock when calling SSL3_SendAlert. */
12160 ssl_ReleaseSpecReadLock(ss);
12161
12162 SSL_DBG(("%d: SSL3[%d]: decryption failed", SSL_GETPID(), ss->fd));
12163
12164 if (!IS_DTLS(ss)) {
12165 SSL3_SendAlert(ss, alert_fatal, bad_record_mac);
12166 /* always log mac error, in case attacker can read server logs. */
12167 PORT_SetError(SSL_ERROR_BAD_MAC_READ);
12168 return SECFailure;
12169 } else {
12170 /* Silently drop the packet */
12171 databuf->len = 0; /* Needed to ensure data not left around */
12172 return SECSuccess;
12173 }
12174 }
12175
12176 if (!IS_DTLS(ss)) {
12177 ssl3_BumpSequenceNumber(&crSpec->read_seq_num);
12178 } else {
12179 dtls_RecordSetRecvd(&crSpec->recvdRecords, dtls_seq_num);
12180 }
12181
12182 ssl_ReleaseSpecReadLock(ss); /*****************************************/
12183
12184 /*
12185 * The decrypted data is now in plaintext.
12186 */
12187
12188 /* possibly decompress the record. If we aren't using compression then
12189 * plaintext == databuf and so the uncompressed data is already in
12190 * databuf. */
12191 if (crSpec->decompressor) {
12192 if (databuf->space < plaintext->len + SSL3_COMPRESSION_MAX_EXPANSION) {
12193 rv = sslBuffer_Grow(
12194 databuf, plaintext->len + SSL3_COMPRESSION_MAX_EXPANSION);
12195 if (rv != SECSuccess) {
12196 SSL_DBG(("%d: SSL3[%d]: HandleRecord, tried to get %d bytes",
12197 SSL_GETPID(), ss->fd,
12198 plaintext->len + SSL3_COMPRESSION_MAX_EXPANSION));
12199 /* sslBuffer_Grow has set a memory error code. */
12200 /* Perhaps we should send an alert. (but we have no memory!) */
12201 PORT_Free(plaintext->buf);
12202 return SECFailure;
12203 }
12204 }
12205
12206 rv = crSpec->decompressor(crSpec->decompressContext,
12207 databuf->buf,
12208 (int*) &databuf->len,
12209 databuf->space,
12210 plaintext->buf,
12211 plaintext->len);
12212
12213 if (rv != SECSuccess) {
12214 int err = ssl_MapLowLevelError(SSL_ERROR_DECOMPRESSION_FAILURE);
12215 SSL3_SendAlert(ss, alert_fatal,
12216 isTLS ? decompression_failure : bad_record_mac);
12217
12218 /* There appears to be a bug with (at least) Apache + OpenSSL where
12219 * resumed SSLv3 connections don't actually use compression. See
12220 * comments 93-95 of
12221 * https://bugzilla.mozilla.org/show_bug.cgi?id=275744
12222 *
12223 * So, if we get a decompression error, and the record appears to
12224 * be already uncompressed, then we return a more specific error
12225 * code to hopefully save somebody some debugging time in the
12226 * future.
12227 */
12228 if (plaintext->len >= 4) {
12229 unsigned int len = ((unsigned int) plaintext->buf[1] << 16) |
12230 ((unsigned int) plaintext->buf[2] << 8) |
12231 (unsigned int) plaintext->buf[3];
12232 if (len == plaintext->len - 4) {
12233 /* This appears to be uncompressed already */
12234 err = SSL_ERROR_RX_UNEXPECTED_UNCOMPRESSED_RECORD;
12235 }
12236 }
12237
12238 PORT_Free(plaintext->buf);
12239 PORT_SetError(err);
12240 return SECFailure;
12241 }
12242
12243 PORT_Free(plaintext->buf);
12244 }
12245
12246 /*
12247 ** Having completed the decompression, check the length again.
12248 */
12249 if (isTLS && databuf->len > (MAX_FRAGMENT_LENGTH + 1024)) {
12250 SSL3_SendAlert(ss, alert_fatal, record_overflow);
12251 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
12252 return SECFailure;
12253 }
12254
12255 /* Application data records are processed by the caller of this
12256 ** function, not by this function.
12257 */
12258 if (rType == content_application_data) {
12259 if (ss->firstHsDone)
12260 return SECSuccess;
12261 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
12262 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA);
12263 return SECFailure;
12264 }
12265
12266 /* It's a record that must be handled by ssl itself, not the application.
12267 */
12268 process_it:
12269 /* XXX Get the xmit lock here. Odds are very high that we'll be xmiting
12270 * data ang getting the xmit lock here prevents deadlocks.
12271 */
12272 ssl_GetSSL3HandshakeLock(ss);
12273
12274 /* All the functions called in this switch MUST set error code if
12275 ** they return SECFailure or SECWouldBlock.
12276 */
12277 switch (rType) {
12278 case content_change_cipher_spec:
12279 rv = ssl3_HandleChangeCipherSpecs(ss, databuf);
12280 break;
12281 case content_alert:
12282 rv = ssl3_HandleAlert(ss, databuf);
12283 break;
12284 case content_handshake:
12285 if (!IS_DTLS(ss)) {
12286 rv = ssl3_HandleHandshake(ss, databuf);
12287 } else {
12288 rv = dtls_HandleHandshake(ss, databuf);
12289 }
12290 break;
12291 /*
12292 case content_application_data is handled before this switch
12293 */
12294 default:
12295 SSL_DBG(("%d: SSL3[%d]: bogus content type=%d",
12296 SSL_GETPID(), ss->fd, cText->type));
12297 /* XXX Send an alert ??? */
12298 PORT_SetError(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE);
12299 rv = SECFailure;
12300 break;
12301 }
12302
12303 ssl_ReleaseSSL3HandshakeLock(ss);
12304 return rv;
12305 }
12306
12307 /*
12308 * Initialization functions
12309 */
12310
12311 /* Called from ssl3_InitState, immediately below. */
12312 /* Caller must hold the SpecWriteLock. */
12313 static void
12314 ssl3_InitCipherSpec(sslSocket *ss, ssl3CipherSpec *spec)
12315 {
12316 spec->cipher_def = &bulk_cipher_defs[cipher_null];
12317 PORT_Assert(spec->cipher_def->cipher == cipher_null);
12318 spec->mac_def = &mac_defs[mac_null];
12319 PORT_Assert(spec->mac_def->mac == mac_null);
12320 spec->encode = Null_Cipher;
12321 spec->decode = Null_Cipher;
12322 spec->destroy = NULL;
12323 spec->compressor = NULL;
12324 spec->decompressor = NULL;
12325 spec->destroyCompressContext = NULL;
12326 spec->destroyDecompressContext = NULL;
12327 spec->mac_size = 0;
12328 spec->master_secret = NULL;
12329 spec->bypassCiphers = PR_FALSE;
12330
12331 spec->msItem.data = NULL;
12332 spec->msItem.len = 0;
12333
12334 spec->client.write_key = NULL;
12335 spec->client.write_mac_key = NULL;
12336 spec->client.write_mac_context = NULL;
12337
12338 spec->server.write_key = NULL;
12339 spec->server.write_mac_key = NULL;
12340 spec->server.write_mac_context = NULL;
12341
12342 spec->write_seq_num.high = 0;
12343 spec->write_seq_num.low = 0;
12344
12345 spec->read_seq_num.high = 0;
12346 spec->read_seq_num.low = 0;
12347
12348 spec->epoch = 0;
12349 dtls_InitRecvdRecords(&spec->recvdRecords);
12350
12351 spec->version = ss->vrange.max;
12352 }
12353
12354 /* Called from: ssl3_SendRecord
12355 ** ssl3_StartHandshakeHash() <- ssl2_BeginClientHandshake()
12356 ** ssl3_SendClientHello()
12357 ** ssl3_HandleV2ClientHello()
12358 ** ssl3_HandleRecord()
12359 **
12360 ** This function should perhaps acquire and release the SpecWriteLock.
12361 **
12362 **
12363 */
12364 static SECStatus
12365 ssl3_InitState(sslSocket *ss)
12366 {
12367 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
12368
12369 if (ss->ssl3.initialized)
12370 return SECSuccess; /* Function should be idempotent */
12371
12372 ss->ssl3.policy = SSL_ALLOWED;
12373
12374 ssl_GetSpecWriteLock(ss);
12375 ss->ssl3.crSpec = ss->ssl3.cwSpec = &ss->ssl3.specs[0];
12376 ss->ssl3.prSpec = ss->ssl3.pwSpec = &ss->ssl3.specs[1];
12377 ss->ssl3.hs.sendingSCSV = PR_FALSE;
12378 ssl3_InitCipherSpec(ss, ss->ssl3.crSpec);
12379 ssl3_InitCipherSpec(ss, ss->ssl3.prSpec);
12380
12381 ss->ssl3.hs.ws = (ss->sec.isServer) ? wait_client_hello : wait_server_hello;
12382 #ifdef NSS_ENABLE_ECC
12383 ss->ssl3.hs.negotiatedECCurves = ssl3_GetSupportedECCurveMask(ss);
12384 #endif
12385 ssl_ReleaseSpecWriteLock(ss);
12386
12387 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
12388
12389 if (IS_DTLS(ss)) {
12390 ss->ssl3.hs.sendMessageSeq = 0;
12391 ss->ssl3.hs.recvMessageSeq = 0;
12392 ss->ssl3.hs.rtTimeoutMs = INITIAL_DTLS_TIMEOUT_MS;
12393 ss->ssl3.hs.rtRetries = 0;
12394 ss->ssl3.hs.recvdHighWater = -1;
12395 PR_INIT_CLIST(&ss->ssl3.hs.lastMessageFlight);
12396 dtls_SetMTU(ss, 0); /* Set the MTU to the highest plateau */
12397 }
12398
12399 PORT_Assert(!ss->ssl3.hs.messages.buf && !ss->ssl3.hs.messages.space);
12400 ss->ssl3.hs.messages.buf = NULL;
12401 ss->ssl3.hs.messages.space = 0;
12402
12403 ss->ssl3.hs.receivedNewSessionTicket = PR_FALSE;
12404 PORT_Memset(&ss->ssl3.hs.newSessionTicket, 0,
12405 sizeof(ss->ssl3.hs.newSessionTicket));
12406
12407 ss->ssl3.initialized = PR_TRUE;
12408 return SECSuccess;
12409 }
12410
12411 /* Returns a reference counted object that contains a key pair.
12412 * Or NULL on failure. Initial ref count is 1.
12413 * Uses the keys in the pair as input.
12414 */
12415 ssl3KeyPair *
12416 ssl3_NewKeyPair( SECKEYPrivateKey * privKey, SECKEYPublicKey * pubKey)
12417 {
12418 ssl3KeyPair * pair;
12419
12420 if (!privKey || !pubKey) {
12421 PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
12422 return NULL;
12423 }
12424 pair = PORT_ZNew(ssl3KeyPair);
12425 if (!pair)
12426 return NULL; /* error code is set. */
12427 pair->refCount = 1;
12428 pair->privKey = privKey;
12429 pair->pubKey = pubKey;
12430 return pair; /* success */
12431 }
12432
12433 ssl3KeyPair *
12434 ssl3_GetKeyPairRef(ssl3KeyPair * keyPair)
12435 {
12436 PR_ATOMIC_INCREMENT(&keyPair->refCount);
12437 return keyPair;
12438 }
12439
12440 void
12441 ssl3_FreeKeyPair(ssl3KeyPair * keyPair)
12442 {
12443 PRInt32 newCount = PR_ATOMIC_DECREMENT(&keyPair->refCount);
12444 if (!newCount) {
12445 if (keyPair->privKey)
12446 SECKEY_DestroyPrivateKey(keyPair->privKey);
12447 if (keyPair->pubKey)
12448 SECKEY_DestroyPublicKey( keyPair->pubKey);
12449 PORT_Free(keyPair);
12450 }
12451 }
12452
12453
12454
12455 /*
12456 * Creates the public and private RSA keys for SSL Step down.
12457 * Called from SSL_ConfigSecureServer in sslsecur.c
12458 */
12459 SECStatus
12460 ssl3_CreateRSAStepDownKeys(sslSocket *ss)
12461 {
12462 SECStatus rv = SECSuccess;
12463 SECKEYPrivateKey * privKey; /* RSA step down key */
12464 SECKEYPublicKey * pubKey; /* RSA step down key */
12465
12466 if (ss->stepDownKeyPair)
12467 ssl3_FreeKeyPair(ss->stepDownKeyPair);
12468 ss->stepDownKeyPair = NULL;
12469 #ifndef HACKED_EXPORT_SERVER
12470 /* Sigh, should have a get key strength call for private keys */
12471 if (PK11_GetPrivateModulusLen(ss->serverCerts[kt_rsa].SERVERKEY) >
12472 EXPORT_RSA_KEY_LENGTH) {
12473 /* need to ask for the key size in bits */
12474 privKey = SECKEY_CreateRSAPrivateKey(EXPORT_RSA_KEY_LENGTH * BPB,
12475 &pubKey, NULL);
12476 if (!privKey || !pubKey ||
12477 !(ss->stepDownKeyPair = ssl3_NewKeyPair(privKey, pubKey))) {
12478 ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
12479 rv = SECFailure;
12480 }
12481 }
12482 #endif
12483 return rv;
12484 }
12485
12486
12487 /* record the export policy for this cipher suite */
12488 SECStatus
12489 ssl3_SetPolicy(ssl3CipherSuite which, int policy)
12490 {
12491 ssl3CipherSuiteCfg *suite;
12492
12493 suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
12494 if (suite == NULL) {
12495 return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */
12496 }
12497 suite->policy = policy;
12498
12499 return SECSuccess;
12500 }
12501
12502 SECStatus
12503 ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *oPolicy)
12504 {
12505 ssl3CipherSuiteCfg *suite;
12506 PRInt32 policy;
12507 SECStatus rv;
12508
12509 suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
12510 if (suite) {
12511 policy = suite->policy;
12512 rv = SECSuccess;
12513 } else {
12514 policy = SSL_NOT_ALLOWED;
12515 rv = SECFailure; /* err code was set by Lookup. */
12516 }
12517 *oPolicy = policy;
12518 return rv;
12519 }
12520
12521 /* record the user preference for this suite */
12522 SECStatus
12523 ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool enabled)
12524 {
12525 ssl3CipherSuiteCfg *suite;
12526
12527 suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
12528 if (suite == NULL) {
12529 return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */
12530 }
12531 suite->enabled = enabled;
12532 return SECSuccess;
12533 }
12534
12535 /* return the user preference for this suite */
12536 SECStatus
12537 ssl3_CipherPrefGetDefault(ssl3CipherSuite which, PRBool *enabled)
12538 {
12539 ssl3CipherSuiteCfg *suite;
12540 PRBool pref;
12541 SECStatus rv;
12542
12543 suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
12544 if (suite) {
12545 pref = suite->enabled;
12546 rv = SECSuccess;
12547 } else {
12548 pref = SSL_NOT_ALLOWED;
12549 rv = SECFailure; /* err code was set by Lookup. */
12550 }
12551 *enabled = pref;
12552 return rv;
12553 }
12554
12555 SECStatus
12556 ssl3_CipherPrefSet(sslSocket *ss, ssl3CipherSuite which, PRBool enabled)
12557 {
12558 ssl3CipherSuiteCfg *suite;
12559
12560 suite = ssl_LookupCipherSuiteCfg(which, ss->cipherSuites);
12561 if (suite == NULL) {
12562 return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */
12563 }
12564 suite->enabled = enabled;
12565 return SECSuccess;
12566 }
12567
12568 SECStatus
12569 ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool *enabled)
12570 {
12571 ssl3CipherSuiteCfg *suite;
12572 PRBool pref;
12573 SECStatus rv;
12574
12575 suite = ssl_LookupCipherSuiteCfg(which, ss->cipherSuites);
12576 if (suite) {
12577 pref = suite->enabled;
12578 rv = SECSuccess;
12579 } else {
12580 pref = SSL_NOT_ALLOWED;
12581 rv = SECFailure; /* err code was set by Lookup. */
12582 }
12583 *enabled = pref;
12584 return rv;
12585 }
12586
12587 SECStatus
12588 ssl3_CipherOrderSet(sslSocket *ss, const ssl3CipherSuite *ciphers, unsigned int len)
12589 {
12590 /* |i| iterates over |ciphers| while |done| and |j| iterate over
12591 * |ss->cipherSuites|. */
12592 unsigned int i, done;
12593
12594 for (i = done = 0; i < len; i++) {
12595 PRUint16 id = ciphers[i];
12596 unsigned int existingIndex, j;
12597 PRBool found = PR_FALSE;
12598
12599 for (j = done; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
12600 if (ss->cipherSuites[j].cipher_suite == id) {
12601 existingIndex = j;
12602 found = PR_TRUE;
12603 break;
12604 }
12605 }
12606
12607 if (!found) {
12608 continue;
12609 }
12610
12611 if (existingIndex != done) {
12612 const ssl3CipherSuiteCfg temp = ss->cipherSuites[done];
12613 ss->cipherSuites[done] = ss->cipherSuites[existingIndex];
12614 ss->cipherSuites[existingIndex] = temp;
12615 }
12616 done++;
12617 }
12618
12619 /* Disable all cipher suites that weren't included. */
12620 for (; done < ssl_V3_SUITES_IMPLEMENTED; done++) {
12621 ss->cipherSuites[done].enabled = 0;
12622 }
12623
12624 return SECSuccess;
12625 }
12626
12627 /* copy global default policy into socket. */
12628 void
12629 ssl3_InitSocketPolicy(sslSocket *ss)
12630 {
12631 PORT_Memcpy(ss->cipherSuites, cipherSuites, sizeof cipherSuites);
12632 }
12633
12634 SECStatus
12635 ssl3_GetTLSUniqueChannelBinding(sslSocket *ss,
12636 unsigned char *out,
12637 unsigned int *outLen,
12638 unsigned int outLenMax) {
12639 PRBool isTLS;
12640 int index = 0;
12641 unsigned int len;
12642 SECStatus rv = SECFailure;
12643
12644 *outLen = 0;
12645
12646 ssl_GetSSL3HandshakeLock(ss);
12647
12648 ssl_GetSpecReadLock(ss);
12649 isTLS = (PRBool)(ss->ssl3.cwSpec->version > SSL_LIBRARY_VERSION_3_0);
12650 ssl_ReleaseSpecReadLock(ss);
12651
12652 /* The tls-unique channel binding is the first Finished structure in the
12653 * handshake. In the case of a resumption, that's the server's Finished.
12654 * Otherwise, it's the client's Finished. */
12655 len = ss->ssl3.hs.finishedBytes;
12656
12657 /* Sending or receiving a Finished message will set finishedBytes to a
12658 * non-zero value. */
12659 if (len == 0) {
12660 PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED);
12661 goto loser;
12662 }
12663
12664 /* If we are in the middle of a renegotiation then the channel binding
12665 * value is poorly defined and depends on the direction that it will be
12666 * used on. Therefore we simply return an error in this case. */
12667 if (ss->firstHsDone && ss->ssl3.hs.ws != idle_handshake) {
12668 PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED);
12669 goto loser;
12670 }
12671
12672 /* If resuming, then we want the second Finished value in the array, which
12673 * is the server's */
12674 if (ss->ssl3.hs.isResuming)
12675 index = 1;
12676
12677 *outLen = len;
12678 if (outLenMax < len) {
12679 PORT_SetError(SEC_ERROR_OUTPUT_LEN);
12680 goto loser;
12681 }
12682
12683 if (isTLS) {
12684 memcpy(out, &ss->ssl3.hs.finishedMsgs.tFinished[index], len);
12685 } else {
12686 memcpy(out, &ss->ssl3.hs.finishedMsgs.sFinished[index], len);
12687 }
12688
12689 rv = SECSuccess;
12690
12691 loser:
12692 ssl_ReleaseSSL3HandshakeLock(ss);
12693 return rv;
12694 }
12695
12696 /* ssl3_config_match_init must have already been called by
12697 * the caller of this function.
12698 */
12699 SECStatus
12700 ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, unsigned char *cs, int *size)
12701 {
12702 int i, count = 0;
12703
12704 PORT_Assert(ss != 0);
12705 if (!ss) {
12706 PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
12707 return SECFailure;
12708 }
12709 if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
12710 *size = 0;
12711 return SECSuccess;
12712 }
12713 if (cs == NULL) {
12714 *size = count_cipher_suites(ss, SSL_ALLOWED, PR_TRUE);
12715 return SECSuccess;
12716 }
12717
12718 /* ssl3_config_match_init was called by the caller of this function. */
12719 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
12720 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
12721 if (config_match(suite, SSL_ALLOWED, PR_TRUE, &ss->vrange)) {
12722 if (cs != NULL) {
12723 *cs++ = 0x00;
12724 *cs++ = (suite->cipher_suite >> 8) & 0xFF;
12725 *cs++ = suite->cipher_suite & 0xFF;
12726 }
12727 count++;
12728 }
12729 }
12730 *size = count;
12731 return SECSuccess;
12732 }
12733
12734 /*
12735 ** If ssl3 socket has completed the first handshake, and is in idle state,
12736 ** then start a new handshake.
12737 ** If flushCache is true, the SID cache will be flushed first, forcing a
12738 ** "Full" handshake (not a session restart handshake), to be done.
12739 **
12740 ** called from SSL_RedoHandshake(), which already holds the handshake locks.
12741 */
12742 SECStatus
12743 ssl3_RedoHandshake(sslSocket *ss, PRBool flushCache)
12744 {
12745 sslSessionID * sid = ss->sec.ci.sid;
12746 SECStatus rv;
12747
12748 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
12749
12750 if (!ss->firstHsDone ||
12751 ((ss->version >= SSL_LIBRARY_VERSION_3_0) &&
12752 ss->ssl3.initialized &&
12753 (ss->ssl3.hs.ws != idle_handshake))) {
12754 PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED);
12755 return SECFailure;
12756 }
12757
12758 if (IS_DTLS(ss)) {
12759 dtls_RehandshakeCleanup(ss);
12760 }
12761
12762 if (ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) {
12763 PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED);
12764 return SECFailure;
12765 }
12766 if (sid && flushCache) {
12767 if (ss->sec.uncache)
12768 ss->sec.uncache(sid); /* remove it from whichever cache it's in. */
12769 ssl_FreeSID(sid); /* dec ref count and free if zero. */
12770 ss->sec.ci.sid = NULL;
12771 }
12772
12773 ssl_GetXmitBufLock(ss); /**************************************/
12774
12775 /* start off a new handshake. */
12776 rv = (ss->sec.isServer) ? ssl3_SendHelloRequest(ss)
12777 : ssl3_SendClientHello(ss, PR_FALSE);
12778
12779 ssl_ReleaseXmitBufLock(ss); /**************************************/
12780 return rv;
12781 }
12782
12783 /* Called from ssl_DestroySocketContents() in sslsock.c */
12784 void
12785 ssl3_DestroySSL3Info(sslSocket *ss)
12786 {
12787
12788 if (ss->ssl3.clientCertificate != NULL)
12789 CERT_DestroyCertificate(ss->ssl3.clientCertificate);
12790
12791 if (ss->ssl3.clientPrivateKey != NULL)
12792 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
12793 #ifdef NSS_PLATFORM_CLIENT_AUTH
12794 if (ss->ssl3.platformClientKey)
12795 ssl_FreePlatformKey(ss->ssl3.platformClientKey);
12796 #endif /* NSS_PLATFORM_CLIENT_AUTH */
12797
12798 if (ss->ssl3.channelID)
12799 SECKEY_DestroyPrivateKey(ss->ssl3.channelID);
12800 if (ss->ssl3.channelIDPub)
12801 SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
12802
12803 if (ss->ssl3.peerCertArena != NULL)
12804 ssl3_CleanupPeerCerts(ss);
12805
12806 if (ss->ssl3.clientCertChain != NULL) {
12807 CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
12808 ss->ssl3.clientCertChain = NULL;
12809 }
12810
12811 /* clean up handshake */
12812 #ifndef NO_PKCS11_BYPASS
12813 if (ss->opt.bypassPKCS11) {
12814 if (ss->ssl3.hs.hashType == handshake_hash_combo) {
12815 SHA1_DestroyContext((SHA1Context *)ss->ssl3.hs.sha_cx, PR_FALSE);
12816 MD5_DestroyContext((MD5Context *)ss->ssl3.hs.md5_cx, PR_FALSE);
12817 } else if (ss->ssl3.hs.hashType == handshake_hash_single) {
12818 ss->ssl3.hs.sha_obj->destroy(ss->ssl3.hs.sha_cx, PR_FALSE);
12819 }
12820 }
12821 #endif
12822 if (ss->ssl3.hs.md5) {
12823 PK11_DestroyContext(ss->ssl3.hs.md5,PR_TRUE);
12824 }
12825 if (ss->ssl3.hs.sha) {
12826 PK11_DestroyContext(ss->ssl3.hs.sha,PR_TRUE);
12827 }
12828 if (ss->ssl3.hs.clientSigAndHash) {
12829 PORT_Free(ss->ssl3.hs.clientSigAndHash);
12830 }
12831 if (ss->ssl3.hs.messages.buf) {
12832 PORT_Free(ss->ssl3.hs.messages.buf);
12833 ss->ssl3.hs.messages.buf = NULL;
12834 ss->ssl3.hs.messages.len = 0;
12835 ss->ssl3.hs.messages.space = 0;
12836 }
12837
12838 /* free the SSL3Buffer (msg_body) */
12839 PORT_Free(ss->ssl3.hs.msg_body.buf);
12840
12841 SECITEM_FreeItem(&ss->ssl3.hs.newSessionTicket.ticket, PR_FALSE);
12842
12843 /* free up the CipherSpecs */
12844 ssl3_DestroyCipherSpec(&ss->ssl3.specs[0], PR_TRUE/*freeSrvName*/);
12845 ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/);
12846
12847 /* Destroy the DTLS data */
12848 if (IS_DTLS(ss)) {
12849 dtls_FreeHandshakeMessages(&ss->ssl3.hs.lastMessageFlight);
12850 if (ss->ssl3.hs.recvdFragments.buf) {
12851 PORT_Free(ss->ssl3.hs.recvdFragments.buf);
12852 }
12853 }
12854
12855 ss->ssl3.initialized = PR_FALSE;
12856
12857 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
12858 }
12859
12860 /* End of ssl3con.c */
OLDNEW
« no previous file with comments | « net/third_party/nss/ssl/ssl.rc ('k') | net/third_party/nss/ssl/ssl3ecc.c » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698