1 /* 2 * SSL3 Protocol 3 * 4 * ***** BEGIN LICENSE BLOCK ***** 5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 6 * 7 * The contents of this file are subject to the Mozilla Public License Version 8 * 1.1 (the "License"); you may not use this file except in compliance with 9 * the License. You may obtain a copy of the License at 10 * http://www.mozilla.org/MPL/ 11 * 12 * Software distributed under the License is distributed on an "AS IS" basis, 13 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License 14 * for the specific language governing rights and limitations under the 15 * License. 16 * 17 * The Original Code is the Netscape security libraries. 18 * 19 * The Initial Developer of the Original Code is 20 * Netscape Communications Corporation. 21 * Portions created by the Initial Developer are Copyright (C) 1994-2000 22 * the Initial Developer. All Rights Reserved. 23 * 24 * Contributor(s): 25 * Dr Stephen Henson <stephen.henson (at) gemplus.com> 26 * Dr Vipul Gupta <vipul.gupta (at) sun.com> and 27 * Douglas Stebila <douglas (at) stebila.ca>, Sun Microsystems Laboratories 28 * 29 * Alternatively, the contents of this file may be used under the terms of 30 * either the GNU General Public License Version 2 or later (the "GPL"), or 31 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), 32 * in which case the provisions of the GPL or the LGPL are applicable instead 33 * of those above. If you wish to allow use of your version of this file only 34 * under the terms of either the GPL or the LGPL, and not to allow others to 35 * use your version of this file under the terms of the MPL, indicate your 36 * decision by deleting the provisions above and replace them with the notice 37 * and other provisions required by the GPL or the LGPL. If you do not delete 38 * the provisions above, a recipient may use your version of this file under 39 * the terms of any one of the MPL, the GPL or the LGPL. 40 * 41 * ***** END LICENSE BLOCK ***** */ 42 /* $Id: ssl3con.c,v 1.126 2009/12/01 17:59:46 wtc%google.com Exp $ */ 43 44 #include "cert.h" 45 #include "ssl.h" 46 #include "cryptohi.h" /* for DSAU_ stuff */ 47 #include "keyhi.h" 48 #include "secder.h" 49 #include "secitem.h" 50 51 #include "sslimpl.h" 52 #include "sslproto.h" 53 #include "sslerr.h" 54 #include "prtime.h" 55 #include "prinrval.h" 56 #include "prerror.h" 57 #include "pratom.h" 58 #include "prthread.h" 59 60 #include "pk11func.h" 61 #include "secmod.h" 62 #include "blapi.h" 63 64 #include <stdio.h> 65 #ifdef NSS_ENABLE_ZLIB 66 #include "zlib.h" 67 #endif 68 69 #ifndef PK11_SETATTRS 70 #define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \ 71 (x)->pValue=(v); (x)->ulValueLen = (l); 72 #endif 73 74 static void ssl3_CleanupPeerCerts(sslSocket *ss); 75 static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec, 76 PK11SlotInfo * serverKeySlot); 77 static SECStatus ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms); 78 static SECStatus ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss); 79 static SECStatus ssl3_HandshakeFailure( sslSocket *ss); 80 static SECStatus ssl3_InitState( sslSocket *ss); 81 static SECStatus ssl3_SendCertificate( sslSocket *ss); 82 static SECStatus ssl3_SendEmptyCertificate( sslSocket *ss); 83 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss); 84 static SECStatus ssl3_SendNextProto( sslSocket *ss); 85 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags); 86 static SECStatus ssl3_SendServerHello( sslSocket *ss); 87 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss); 88 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss); 89 static SECStatus ssl3_NewHandshakeHashes( sslSocket *ss); 90 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss, unsigned char *b, 91 unsigned int l); 92 93 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, 94 int maxOutputLen, const unsigned char *input, 95 int inputLen); 96 97 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */ 98 #define MIN_SEND_BUF_LENGTH 4000 99 100 #define MAX_CIPHER_SUITES 20 101 102 /* This list of SSL3 cipher suites is sorted in descending order of 103 * precedence (desirability). It only includes cipher suites we implement. 104 * This table is modified by SSL3_SetPolicy(). The ordering of cipher suites 105 * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c) 106 */ 107 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { 108 /* cipher_suite policy enabled is_present*/ 109 #ifdef NSS_ENABLE_ECC 110 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 111 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 112 #endif /* NSS_ENABLE_ECC */ 113 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 114 { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 115 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 116 { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 117 #ifdef NSS_ENABLE_ECC 118 { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 119 { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 120 #endif /* NSS_ENABLE_ECC */ 121 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 122 { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 123 124 #ifdef NSS_ENABLE_ECC 125 { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 126 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 127 { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 128 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 129 #endif /* NSS_ENABLE_ECC */ 130 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 131 { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 132 { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 133 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 134 { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 135 #ifdef NSS_ENABLE_ECC 136 { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 137 { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 138 { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 139 { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 140 #endif /* NSS_ENABLE_ECC */ 141 { TLS_RSA_WITH_SEED_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 142 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 143 { SSL_RSA_WITH_RC4_128_MD5, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, 144 { SSL_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 145 { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 146 147 #ifdef NSS_ENABLE_ECC 148 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 149 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 150 #endif /* NSS_ENABLE_ECC */ 151 { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 152 { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 153 #ifdef NSS_ENABLE_ECC 154 { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 155 { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 156 #endif /* NSS_ENABLE_ECC */ 157 { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, 158 { SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, 159 160 161 { SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 162 { SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 163 { SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, 164 { SSL_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, 165 { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, 166 { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, 167 168 { SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, 169 { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, 170 171 #ifdef NSS_ENABLE_ECC 172 { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, 173 { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, 174 { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, 175 { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, 176 #endif /* NSS_ENABLE_ECC */ 177 { SSL_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 178 { SSL_RSA_WITH_NULL_MD5, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 179 180 }; 181 182 /* This list of SSL3 compression methods is sorted in descending order of 183 * precedence (desirability). It only includes compression methods we 184 * implement. 185 */ 186 static const /*SSLCompressionMethod*/ uint8 compressions [] = { 187 #ifdef NSS_ENABLE_ZLIB 188 ssl_compression_deflate, 189 #endif 190 ssl_compression_null 191 }; 192 193 static const int compressionMethodsCount = 194 sizeof(compressions) / sizeof(compressions[0]); 195 196 /* compressionEnabled returns true iff the compression algorithm is enabled 197 * for the given SSL socket. */ 198 static PRBool 199 compressionEnabled(sslSocket *ss, SSLCompressionMethod compression) 200 { 201 switch (compression) { 202 case ssl_compression_null: 203 return PR_TRUE; /* Always enabled */ 204 #ifdef NSS_ENABLE_ZLIB 205 case ssl_compression_deflate: 206 return ss->opt.enableDeflate; 207 #endif 208 default: 209 return PR_FALSE; 210 } 211 } 212 213 static const /*SSL3ClientCertificateType */ uint8 certificate_types [] = { 214 ct_RSA_sign, 215 ct_DSS_sign, 216 #ifdef NSS_ENABLE_ECC 217 ct_ECDSA_sign, 218 #endif /* NSS_ENABLE_ECC */ 219 }; 220 221 #ifdef NSS_ENABLE_ZLIB 222 /* 223 * The DEFLATE algorithm can result in an expansion of 0.1% + 12 bytes. For a 224 * maximum TLS record payload of 2**14 bytes, that's 29 bytes. 225 */ 226 #define SSL3_COMPRESSION_MAX_EXPANSION 29 227 #else /* !NSS_ENABLE_ZLIB */ 228 #define SSL3_COMPRESSION_MAX_EXPANSION 0 229 #endif 230 231 /* 232 * make sure there is room in the write buffer for padding and 233 * other compression and cryptographic expansions. 234 */ 235 #define SSL3_BUFFER_FUDGE 100 + SSL3_COMPRESSION_MAX_EXPANSION 236 237 #define EXPORT_RSA_KEY_LENGTH 64 /* bytes */ 238 239 240 /* This is a hack to make sure we don't do double handshakes for US policy */ 241 PRBool ssl3_global_policy_some_restricted = PR_FALSE; 242 243 /* This global item is used only in servers. It is is initialized by 244 ** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest(). 245 */ 246 CERTDistNames *ssl3_server_ca_list = NULL; 247 static SSL3Statistics ssl3stats; 248 249 /* indexed by SSL3BulkCipher */ 250 static const ssl3BulkCipherDef bulk_cipher_defs[] = { 251 /* cipher calg keySz secretSz type ivSz BlkSz keygen */ 252 {cipher_null, calg_null, 0, 0, type_stream, 0, 0, kg_null}, 253 {cipher_rc4, calg_rc4, 16, 16, type_stream, 0, 0, kg_strong}, 254 {cipher_rc4_40, calg_rc4, 16, 5, type_stream, 0, 0, kg_export}, 255 {cipher_rc4_56, calg_rc4, 16, 7, type_stream, 0, 0, kg_export}, 256 {cipher_rc2, calg_rc2, 16, 16, type_block, 8, 8, kg_strong}, 257 {cipher_rc2_40, calg_rc2, 16, 5, type_block, 8, 8, kg_export}, 258 {cipher_des, calg_des, 8, 8, type_block, 8, 8, kg_strong}, 259 {cipher_3des, calg_3des, 24, 24, type_block, 8, 8, kg_strong}, 260 {cipher_des40, calg_des, 8, 5, type_block, 8, 8, kg_export}, 261 {cipher_idea, calg_idea, 16, 16, type_block, 8, 8, kg_strong}, 262 {cipher_aes_128, calg_aes, 16, 16, type_block, 16,16, kg_strong}, 263 {cipher_aes_256, calg_aes, 32, 32, type_block, 16,16, kg_strong}, 264 {cipher_camellia_128, calg_camellia,16, 16, type_block, 16,16, kg_strong}, 265 {cipher_camellia_256, calg_camellia,32, 32, type_block, 16,16, kg_strong}, 266 {cipher_seed, calg_seed, 16, 16, type_block, 16,16, kg_strong}, 267 {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, kg_null}, 268 }; 269 270 static const ssl3KEADef kea_defs[] = 271 { /* indexed by SSL3KeyExchangeAlgorithm */ 272 /* kea exchKeyType signKeyType is_limited limit tls_keygen */ 273 {kea_null, kt_null, sign_null, PR_FALSE, 0, PR_FALSE}, 274 {kea_rsa, kt_rsa, sign_rsa, PR_FALSE, 0, PR_FALSE}, 275 {kea_rsa_export, kt_rsa, sign_rsa, PR_TRUE, 512, PR_FALSE}, 276 {kea_rsa_export_1024,kt_rsa, sign_rsa, PR_TRUE, 1024, PR_FALSE}, 277 {kea_dh_dss, kt_dh, sign_dsa, PR_FALSE, 0, PR_FALSE}, 278 {kea_dh_dss_export, kt_dh, sign_dsa, PR_TRUE, 512, PR_FALSE}, 279 {kea_dh_rsa, kt_dh, sign_rsa, PR_FALSE, 0, PR_FALSE}, 280 {kea_dh_rsa_export, kt_dh, sign_rsa, PR_TRUE, 512, PR_FALSE}, 281 {kea_dhe_dss, kt_dh, sign_dsa, PR_FALSE, 0, PR_FALSE}, 282 {kea_dhe_dss_export, kt_dh, sign_dsa, PR_TRUE, 512, PR_FALSE}, 283 {kea_dhe_rsa, kt_dh, sign_rsa, PR_FALSE, 0, PR_FALSE}, 284 {kea_dhe_rsa_export, kt_dh, sign_rsa, PR_TRUE, 512, PR_FALSE}, 285 {kea_dh_anon, kt_dh, sign_null, PR_FALSE, 0, PR_FALSE}, 286 {kea_dh_anon_export, kt_dh, sign_null, PR_TRUE, 512, PR_FALSE}, 287 {kea_rsa_fips, kt_rsa, sign_rsa, PR_FALSE, 0, PR_TRUE }, 288 #ifdef NSS_ENABLE_ECC 289 {kea_ecdh_ecdsa, kt_ecdh, sign_ecdsa, PR_FALSE, 0, PR_FALSE}, 290 {kea_ecdhe_ecdsa, kt_ecdh, sign_ecdsa, PR_FALSE, 0, PR_FALSE}, 291 {kea_ecdh_rsa, kt_ecdh, sign_rsa, PR_FALSE, 0, PR_FALSE}, 292 {kea_ecdhe_rsa, kt_ecdh, sign_rsa, PR_FALSE, 0, PR_FALSE}, 293 {kea_ecdh_anon, kt_ecdh, sign_null, PR_FALSE, 0, PR_FALSE}, 294 #endif /* NSS_ENABLE_ECC */ 295 }; 296 297 /* must use ssl_LookupCipherSuiteDef to access */ 298 static const ssl3CipherSuiteDef cipher_suite_defs[] = 299 { 300 /* cipher_suite bulk_cipher_alg mac_alg key_exchange_alg */ 301 302 {SSL_NULL_WITH_NULL_NULL, cipher_null, mac_null, kea_null}, 303 {SSL_RSA_WITH_NULL_MD5, cipher_null, mac_md5, kea_rsa}, 304 {SSL_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_rsa}, 305 {SSL_RSA_EXPORT_WITH_RC4_40_MD5,cipher_rc4_40, mac_md5, kea_rsa_export}, 306 {SSL_RSA_WITH_RC4_128_MD5, cipher_rc4, mac_md5, kea_rsa}, 307 {SSL_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_rsa}, 308 {SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, 309 cipher_rc2_40, mac_md5, kea_rsa_export}, 310 #if 0 /* not implemented */ 311 {SSL_RSA_WITH_IDEA_CBC_SHA, cipher_idea, mac_sha, kea_rsa}, 312 {SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, 313 cipher_des40, mac_sha, kea_rsa_export}, 314 #endif 315 {SSL_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa}, 316 {SSL_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa}, 317 {SSL_DHE_DSS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dhe_dss}, 318 {SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, 319 cipher_3des, mac_sha, kea_dhe_dss}, 320 {TLS_DHE_DSS_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_dhe_dss}, 321 #if 0 /* not implemented */ 322 {SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA, 323 cipher_des40, mac_sha, kea_dh_dss_export}, 324 {SSL_DH_DSS_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_dss}, 325 {SSL_DH_DSS_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_dss}, 326 {SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA, 327 cipher_des40, mac_sha, kea_dh_rsa_export}, 328 {SSL_DH_RSA_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_rsa}, 329 {SSL_DH_RSA_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_rsa}, 330 {SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, 331 cipher_des40, mac_sha, kea_dh_dss_export}, 332 {SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, 333 cipher_des40, mac_sha, kea_dh_rsa_export}, 334 #endif 335 {SSL_DHE_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dhe_rsa}, 336 {SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 337 cipher_3des, mac_sha, kea_dhe_rsa}, 338 #if 0 339 {SSL_DH_ANON_EXPORT_RC4_40_MD5, cipher_rc4_40, mac_md5, kea_dh_anon_export}, 340 {SSL_DH_ANON_EXPORT_RC4_40_MD5, cipher_rc4, mac_md5, kea_dh_anon_export}, 341 {SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA, 342 cipher_des40, mac_sha, kea_dh_anon_export}, 343 {SSL_DH_ANON_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_anon}, 344 {SSL_DH_ANON_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_anon}, 345 #endif 346 347 348 /* New TLS cipher suites */ 349 {TLS_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_rsa}, 350 {TLS_DHE_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe_dss}, 351 {TLS_DHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe_rsa}, 352 {TLS_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_rsa}, 353 {TLS_DHE_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe_dss}, 354 {TLS_DHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe_rsa}, 355 #if 0 356 {TLS_DH_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_dss}, 357 {TLS_DH_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_rsa}, 358 {TLS_DH_ANON_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_anon}, 359 {TLS_DH_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_dss}, 360 {TLS_DH_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_rsa}, 361 {TLS_DH_ANON_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_anon}, 362 #endif 363 364 {TLS_RSA_WITH_SEED_CBC_SHA, cipher_seed, mac_sha, kea_rsa}, 365 366 {TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, cipher_camellia_128, mac_sha, kea_rsa}, 367 {TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, 368 cipher_camellia_128, mac_sha, kea_dhe_dss}, 369 {TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, 370 cipher_camellia_128, mac_sha, kea_dhe_rsa}, 371 {TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, cipher_camellia_256, mac_sha, kea_rsa}, 372 {TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, 373 cipher_camellia_256, mac_sha, kea_dhe_dss}, 374 {TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, 375 cipher_camellia_256, mac_sha, kea_dhe_rsa}, 376 377 {TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, 378 cipher_des, mac_sha,kea_rsa_export_1024}, 379 {TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, 380 cipher_rc4_56, mac_sha,kea_rsa_export_1024}, 381 382 {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips}, 383 {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips}, 384 385 #ifdef NSS_ENABLE_ECC 386 {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa}, 387 {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa}, 388 {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa}, 389 {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecdsa}, 390 {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecdsa}, 391 392 {TLS_ECDHE_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_ecdsa}, 393 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_ecdsa}, 394 {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecdsa}, 395 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_ecdsa}, 396 {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_ecdsa}, 397 398 {TLS_ECDH_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_rsa}, 399 {TLS_ECDH_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_rsa}, 400 {TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_rsa}, 401 {TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_rsa}, 402 {TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_rsa}, 403 404 {TLS_ECDHE_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_rsa}, 405 {TLS_ECDHE_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_rsa}, 406 {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_rsa}, 407 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_rsa}, 408 {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_rsa}, 409 410 #if 0 411 {TLS_ECDH_anon_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_anon}, 412 {TLS_ECDH_anon_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_anon}, 413 {TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_anon}, 414 {TLS_ECDH_anon_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_anon}, 415 {TLS_ECDH_anon_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_anon}, 416 #endif 417 #endif /* NSS_ENABLE_ECC */ 418 }; 419 420 static const CK_MECHANISM_TYPE kea_alg_defs[] = { 421 0x80000000L, 422 CKM_RSA_PKCS, 423 CKM_DH_PKCS_DERIVE, 424 CKM_KEA_KEY_DERIVE, 425 CKM_ECDH1_DERIVE 426 }; 427 428 typedef struct SSLCipher2MechStr { 429 SSLCipherAlgorithm calg; 430 CK_MECHANISM_TYPE cmech; 431 } SSLCipher2Mech; 432 433 /* indexed by type SSLCipherAlgorithm */ 434 static const SSLCipher2Mech alg2Mech[] = { 435 /* calg, cmech */ 436 { calg_null , (CK_MECHANISM_TYPE)0x80000000L }, 437 { calg_rc4 , CKM_RC4 }, 438 { calg_rc2 , CKM_RC2_CBC }, 439 { calg_des , CKM_DES_CBC }, 440 { calg_3des , CKM_DES3_CBC }, 441 { calg_idea , CKM_IDEA_CBC }, 442 { calg_fortezza , CKM_SKIPJACK_CBC64 }, 443 { calg_aes , CKM_AES_CBC }, 444 { calg_camellia , CKM_CAMELLIA_CBC }, 445 { calg_seed , CKM_SEED_CBC }, 446 /* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */ 447 }; 448 449 #define mmech_null (CK_MECHANISM_TYPE)0x80000000L 450 #define mmech_md5 CKM_SSL3_MD5_MAC 451 #define mmech_sha CKM_SSL3_SHA1_MAC 452 #define mmech_md5_hmac CKM_MD5_HMAC 453 #define mmech_sha_hmac CKM_SHA_1_HMAC 454 455 static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */ 456 /* mac mmech pad_size mac_size */ 457 { mac_null, mmech_null, 0, 0 }, 458 { mac_md5, mmech_md5, 48, MD5_LENGTH }, 459 { mac_sha, mmech_sha, 40, SHA1_LENGTH}, 460 {hmac_md5, mmech_md5_hmac, 48, MD5_LENGTH }, 461 {hmac_sha, mmech_sha_hmac, 40, SHA1_LENGTH}, 462 }; 463 464 /* indexed by SSL3BulkCipher */ 465 const char * const ssl3_cipherName[] = { 466 "NULL", 467 "RC4", 468 "RC4-40", 469 "RC4-56", 470 "RC2-CBC", 471 "RC2-CBC-40", 472 "DES-CBC", 473 "3DES-EDE-CBC", 474 "DES-CBC-40", 475 "IDEA-CBC", 476 "AES-128", 477 "AES-256", 478 "Camellia-128", 479 "Camellia-256", 480 "SEED-CBC", 481 "missing" 482 }; 483 484 #ifdef NSS_ENABLE_ECC 485 /* The ECCWrappedKeyInfo structure defines how various pieces of 486 * information are laid out within wrappedSymmetricWrappingkey 487 * for ECDH key exchange. Since wrappedSymmetricWrappingkey is 488 * a 512-byte buffer (see sslimpl.h), the variable length field 489 * in ECCWrappedKeyInfo can be at most (512 - 8) = 504 bytes. 490 * 491 * XXX For now, NSS only supports named elliptic curves of size 571 bits 492 * or smaller. The public value will fit within 145 bytes and EC params 493 * will fit within 12 bytes. We'll need to revisit this when NSS 494 * supports arbitrary curves. 495 */ 496 #define MAX_EC_WRAPPED_KEY_BUFLEN 504 497 498 typedef struct ECCWrappedKeyInfoStr { 499 PRUint16 size; /* EC public key size in bits */ 500 PRUint16 encodedParamLen; /* length (in bytes) of DER encoded EC params */ 501 PRUint16 pubValueLen; /* length (in bytes) of EC public value */ 502 PRUint16 wrappedKeyLen; /* length (in bytes) of the wrapped key */ 503 PRUint8 var[MAX_EC_WRAPPED_KEY_BUFLEN]; /* this buffer contains the */ 504 /* EC public-key params, the EC public value and the wrapped key */ 505 } ECCWrappedKeyInfo; 506 #endif /* NSS_ENABLE_ECC */ 507 508 #if defined(TRACE) 509 510 static char * 511 ssl3_DecodeHandshakeType(int msgType) 512 { 513 char * rv; 514 static char line[40]; 515 516 switch(msgType) { 517 case hello_request: rv = "hello_request (0)"; break; 518 case client_hello: rv = "client_hello (1)"; break; 519 case server_hello: rv = "server_hello (2)"; break; 520 case certificate: rv = "certificate (11)"; break; 521 case server_key_exchange: rv = "server_key_exchange (12)"; break; 522 case certificate_request: rv = "certificate_request (13)"; break; 523 case server_hello_done: rv = "server_hello_done (14)"; break; 524 case certificate_verify: rv = "certificate_verify (15)"; break; 525 case client_key_exchange: rv = "client_key_exchange (16)"; break; 526 case finished: rv = "finished (20)"; break; 527 default: 528 sprintf(line, "*UNKNOWN* handshake type! (%d)", msgType); 529 rv = line; 530 } 531 return rv; 532 } 533 534 static char * 535 ssl3_DecodeContentType(int msgType) 536 { 537 char * rv; 538 static char line[40]; 539 540 switch(msgType) { 541 case content_change_cipher_spec: 542 rv = "change_cipher_spec (20)"; break; 543 case content_alert: rv = "alert (21)"; break; 544 case content_handshake: rv = "handshake (22)"; break; 545 case content_application_data: 546 rv = "application_data (23)"; break; 547 default: 548 sprintf(line, "*UNKNOWN* record type! (%d)", msgType); 549 rv = line; 550 } 551 return rv; 552 } 553 554 #endif 555 556 SSL3Statistics * 557 SSL_GetStatistics(void) 558 { 559 return &ssl3stats; 560 } 561 562 typedef struct tooLongStr { 563 #if defined(IS_LITTLE_ENDIAN) 564 PRInt32 low; 565 PRInt32 high; 566 #else 567 PRInt32 high; 568 PRInt32 low; 569 #endif 570 } tooLong; 571 572 void SSL_AtomicIncrementLong(long * x) 573 { 574 if ((sizeof *x) == sizeof(PRInt32)) { 575 PR_AtomicIncrement((PRInt32 *)x); 576 } else { 577 tooLong * tl = (tooLong *)x; 578 if (PR_AtomicIncrement(&tl->low) == 0) 579 PR_AtomicIncrement(&tl->high); 580 } 581 } 582 583 /* return pointer to ssl3CipherSuiteDef for suite, or NULL */ 584 /* XXX This does a linear search. A binary search would be better. */ 585 static const ssl3CipherSuiteDef * 586 ssl_LookupCipherSuiteDef(ssl3CipherSuite suite) 587 { 588 int cipher_suite_def_len = 589 sizeof(cipher_suite_defs) / sizeof(cipher_suite_defs[0]); 590 int i; 591 592 for (i = 0; i < cipher_suite_def_len; i++) { 593 if (cipher_suite_defs[i].cipher_suite == suite) 594 return &cipher_suite_defs[i]; 595 } 596 PORT_Assert(PR_FALSE); /* We should never get here. */ 597 PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE); 598 return NULL; 599 } 600 601 /* Find the cipher configuration struct associate with suite */ 602 /* XXX This does a linear search. A binary search would be better. */ 603 static ssl3CipherSuiteCfg * 604 ssl_LookupCipherSuiteCfg(ssl3CipherSuite suite, ssl3CipherSuiteCfg *suites) 605 { 606 int i; 607 608 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { 609 if (suites[i].cipher_suite == suite) 610 return &suites[i]; 611 } 612 /* return NULL and let the caller handle it. */ 613 PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE); 614 return NULL; 615 } 616 617 618 /* Initialize the suite->isPresent value for config_match 619 * Returns count of enabled ciphers supported by extant tokens, 620 * regardless of policy or user preference. 621 * If this returns zero, the user cannot do SSL v3. 622 */ 623 int 624 ssl3_config_match_init(sslSocket *ss) 625 { 626 ssl3CipherSuiteCfg * suite; 627 const ssl3CipherSuiteDef *cipher_def; 628 SSLCipherAlgorithm cipher_alg; 629 CK_MECHANISM_TYPE cipher_mech; 630 SSL3KEAType exchKeyType; 631 int i; 632 int numPresent = 0; 633 int numEnabled = 0; 634 PRBool isServer; 635 sslServerCerts *svrAuth; 636 637 PORT_Assert(ss); 638 if (!ss) { 639 PORT_SetError(SEC_ERROR_INVALID_ARGS); 640 return 0; 641 } 642 if (!ss->opt.enableSSL3 && !ss->opt.enableTLS) { 643 return 0; 644 } 645 isServer = (PRBool)(ss->sec.isServer != 0); 646 647 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { 648 suite = &ss->cipherSuites[i]; 649 if (suite->enabled) { 650 ++numEnabled; 651 /* We need the cipher defs to see if we have a token that can handle 652 * this cipher. It isn't part of the static definition. 653 */ 654 cipher_def = ssl_LookupCipherSuiteDef(suite->cipher_suite); 655 if (!cipher_def) { 656 suite->isPresent = PR_FALSE; 657 continue; 658 } 659 cipher_alg=bulk_cipher_defs[cipher_def->bulk_cipher_alg ].calg; 660 PORT_Assert( alg2Mech[cipher_alg].calg == cipher_alg); 661 cipher_mech = alg2Mech[cipher_alg].cmech; 662 exchKeyType = 663 kea_defs[cipher_def->key_exchange_alg].exchKeyType; 664 #ifndef NSS_ENABLE_ECC 665 svrAuth = ss->serverCerts + exchKeyType; 666 #else 667 /* XXX SSLKEAType isn't really a good choice for 668 * indexing certificates. It doesn't work for 669 * (EC)DHE-* ciphers. Here we use a hack to ensure 670 * that the server uses an RSA cert for (EC)DHE-RSA. 671 */ 672 switch (cipher_def->key_exchange_alg) { 673 case kea_ecdhe_rsa: 674 #if NSS_SERVER_DHE_IMPLEMENTED 675 /* XXX NSS does not yet implement the server side of _DHE_ 676 * cipher suites. Correcting the computation for svrAuth, 677 * as the case below does, causes NSS SSL servers to begin to 678 * negotiate cipher suites they do not implement. So, until 679 * server side _DHE_ is implemented, keep this disabled. 680 */ 681 case kea_dhe_rsa: 682 #endif 683 svrAuth = ss->serverCerts + kt_rsa; 684 break; 685 case kea_ecdh_ecdsa: 686 case kea_ecdh_rsa: 687 /* 688 * XXX We ought to have different indices for 689 * ECDSA- and RSA-signed EC certificates so 690 * we could support both key exchange mechanisms 691 * simultaneously. For now, both of them use 692 * whatever is in the certificate slot for kt_ecdh 693 */ 694 default: 695 svrAuth = ss->serverCerts + exchKeyType; 696 break; 697 } 698 #endif /* NSS_ENABLE_ECC */ 699 700 /* Mark the suites that are backed by real tokens, certs and keys */ 701 suite->isPresent = (PRBool) 702 (((exchKeyType == kt_null) || 703 ((!isServer || (svrAuth->serverKeyPair && 704 svrAuth->SERVERKEY && 705 svrAuth->serverCertChain)) && 706 PK11_TokenExists(kea_alg_defs[exchKeyType]))) && 707 ((cipher_alg == calg_null) || PK11_TokenExists(cipher_mech))); 708 if (suite->isPresent) 709 ++numPresent; 710 } 711 } 712 PORT_Assert(numPresent > 0 || numEnabled == 0); 713 if (numPresent <= 0) { 714 PORT_SetError(SSL_ERROR_NO_CIPHERS_SUPPORTED); 715 } 716 return numPresent; 717 } 718 719 720 /* return PR_TRUE if suite matches policy and enabled state */ 721 /* It would be a REALLY BAD THING (tm) if we ever permitted the use 722 ** of a cipher that was NOT_ALLOWED. So, if this is ever called with 723 ** policy == SSL_NOT_ALLOWED, report no match. 724 */ 725 /* adjust suite enabled to the availability of a token that can do the 726 * cipher suite. */ 727 static PRBool 728 config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled) 729 { 730 PORT_Assert(policy != SSL_NOT_ALLOWED && enabled != PR_FALSE); 731 if (policy == SSL_NOT_ALLOWED || !enabled) 732 return PR_FALSE; 733 return (PRBool)(suite->enabled && 734 suite->isPresent && 735 suite->policy != SSL_NOT_ALLOWED && 736 suite->policy <= policy); 737 } 738 739 /* return number of cipher suites that match policy and enabled state */ 740 /* called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */ 741 static int 742 count_cipher_suites(sslSocket *ss, int policy, PRBool enabled) 743 { 744 int i, count = 0; 745 746 if (!ss->opt.enableSSL3 && !ss->opt.enableTLS) { 747 return 0; 748 } 749 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { 750 if (config_match(&ss->cipherSuites[i], policy, enabled)) 751 count++; 752 } 753 if (count <= 0) { 754 PORT_SetError(SSL_ERROR_SSL_DISABLED); 755 } 756 return count; 757 } 758 759 static PRBool 760 anyRestrictedEnabled(sslSocket *ss) 761 { 762 int i; 763 764 if (!ss->opt.enableSSL3 && !ss->opt.enableTLS) { 765 return PR_FALSE; 766 } 767 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { 768 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; 769 if (suite->policy == SSL_RESTRICTED && 770 suite->enabled && 771 suite->isPresent) 772 return PR_TRUE; 773 } 774 return PR_FALSE; 775 } 776 777 /* 778 * Null compression, mac and encryption functions 779 */ 780 781 static SECStatus 782 Null_Cipher(void *ctx, unsigned char *output, int *outputLen, int maxOutputLen, 783 const unsigned char *input, int inputLen) 784 { 785 *outputLen = inputLen; 786 if (input != output) 787 PORT_Memcpy(output, input, inputLen); 788 return SECSuccess; 789 } 790 791 /* 792 * SSL3 Utility functions 793 */ 794 795 SECStatus 796 ssl3_NegotiateVersion(sslSocket *ss, SSL3ProtocolVersion peerVersion) 797 { 798 SSL3ProtocolVersion version; 799 SSL3ProtocolVersion maxVersion; 800 801 if (ss->opt.enableTLS) { 802 maxVersion = SSL_LIBRARY_VERSION_3_1_TLS; 803 } else if (ss->opt.enableSSL3) { 804 maxVersion = SSL_LIBRARY_VERSION_3_0; 805 } else { 806 /* what are we doing here? */ 807 PORT_Assert(ss->opt.enableSSL3 || ss->opt.enableTLS); 808 PORT_SetError(SSL_ERROR_SSL_DISABLED); 809 return SECFailure; 810 } 811 812 ss->version = version = PR_MIN(maxVersion, peerVersion); 813 814 if ((version == SSL_LIBRARY_VERSION_3_1_TLS && ss->opt.enableTLS) || 815 (version == SSL_LIBRARY_VERSION_3_0 && ss->opt.enableSSL3)) { 816 return SECSuccess; 817 } 818 819 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP); 820 return SECFailure; 821 822 } 823 824 static SECStatus 825 ssl3_GetNewRandom(SSL3Random *random) 826 { 827 PRUint32 gmt = ssl_Time(); 828 SECStatus rv; 829 830 random->rand[0] = (unsigned char)(gmt >> 24); 831 random->rand[1] = (unsigned char)(gmt >> 16); 832 random->rand[2] = (unsigned char)(gmt >> 8); 833 random->rand[3] = (unsigned char)(gmt); 834 835 /* first 4 bytes are reserverd for time */ 836 rv = PK11_GenerateRandom(&random->rand[4], SSL3_RANDOM_LENGTH - 4); 837 if (rv != SECSuccess) { 838 ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE); 839 } 840 return rv; 841 } 842 843 /* Called by ssl3_SendServerKeyExchange and ssl3_SendCertificateVerify */ 844 SECStatus 845 ssl3_SignHashes(SSL3Hashes *hash, SECKEYPrivateKey *key, SECItem *buf, 846 PRBool isTLS) 847 { 848 SECStatus rv = SECFailure; 849 PRBool doDerEncode = PR_FALSE; 850 int signatureLen; 851 SECItem hashItem; 852 853 buf->data = NULL; 854 signatureLen = PK11_SignatureLen(key); 855 if (signatureLen <= 0) { 856 PORT_SetError(SEC_ERROR_INVALID_KEY); 857 goto done; 858 } 859 860 buf->len = (unsigned)signatureLen; 861 buf->data = (unsigned char *)PORT_Alloc(signatureLen); 862 if (!buf->data) 863 goto done; /* error code was set. */ 864 865 switch (key->keyType) { 866 case rsaKey: 867 hashItem.data = hash->md5; 868 hashItem.len = sizeof(SSL3Hashes); 869 break; 870 case dsaKey: 871 doDerEncode = isTLS; 872 hashItem.data = hash->sha; 873 hashItem.len = sizeof(hash->sha); 874 break; 875 #ifdef NSS_ENABLE_ECC 876 case ecKey: 877 doDerEncode = PR_TRUE; 878 hashItem.data = hash->sha; 879 hashItem.len = sizeof(hash->sha); 880 break; 881 #endif /* NSS_ENABLE_ECC */ 882 default: 883 PORT_SetError(SEC_ERROR_INVALID_KEY); 884 goto done; 885 } 886 PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len)); 887 888 rv = PK11_Sign(key, buf, &hashItem); 889 if (rv != SECSuccess) { 890 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE); 891 } else if (doDerEncode) { 892 SECItem derSig = {siBuffer, NULL, 0}; 893 894 /* This also works for an ECDSA signature */ 895 rv = DSAU_EncodeDerSigWithLen(&derSig, buf, buf->len); 896 if (rv == SECSuccess) { 897 PORT_Free(buf->data); /* discard unencoded signature. */ 898 *buf = derSig; /* give caller encoded signature. */ 899 } else if (derSig.data) { 900 PORT_Free(derSig.data); 901 } 902 } 903 904 PRINT_BUF(60, (NULL, "signed hashes", (unsigned char*)buf->data, buf->len)); 905 done: 906 if (rv != SECSuccess && buf->data) { 907 PORT_Free(buf->data); 908 buf->data = NULL; 909 } 910 return rv; 911 } 912 913 /* Called from ssl3_HandleServerKeyExchange, ssl3_HandleCertificateVerify */ 914 SECStatus 915 ssl3_VerifySignedHashes(SSL3Hashes *hash, CERTCertificate *cert, 916 SECItem *buf, PRBool isTLS, void *pwArg) 917 { 918 SECKEYPublicKey * key; 919 SECItem * signature = NULL; 920 SECStatus rv; 921 SECItem hashItem; 922 #ifdef NSS_ENABLE_ECC 923 unsigned int len; 924 #endif /* NSS_ENABLE_ECC */ 925 926 927 PRINT_BUF(60, (NULL, "check signed hashes", 928 buf->data, buf->len)); 929 930 key = CERT_ExtractPublicKey(cert); 931 if (key == NULL) { 932 /* CERT_ExtractPublicKey doesn't set error code */ 933 PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); 934 return SECFailure; 935 } 936 937 switch (key->keyType) { 938 case rsaKey: 939 hashItem.data = hash->md5; 940 hashItem.len = sizeof(SSL3Hashes); 941 break; 942 case dsaKey: 943 hashItem.data = hash->sha; 944 hashItem.len = sizeof(hash->sha); 945 /* Allow DER encoded DSA signatures in SSL 3.0 */ 946 if (isTLS || buf->len != DSA_SIGNATURE_LEN) { 947 signature = DSAU_DecodeDerSig(buf); 948 if (!signature) { 949 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); 950 return SECFailure; 951 } 952 buf = signature; 953 } 954 break; 955 956 #ifdef NSS_ENABLE_ECC 957 case ecKey: 958 hashItem.data = hash->sha; 959 hashItem.len = sizeof(hash->sha); 960 /* 961 * ECDSA signatures always encode the integers r and s 962 * using ASN (unlike DSA where ASN encoding is used 963 * with TLS but not with SSL3) 964 */ 965 len = SECKEY_SignatureLen(key); 966 if (len == 0) { 967 SECKEY_DestroyPublicKey(key); 968 PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); 969 return SECFailure; 970 } 971 signature = DSAU_DecodeDerSigToLen(buf, len); 972 if (!signature) { 973 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); 974 return SECFailure; 975 } 976 buf = signature; 977 break; 978 #endif /* NSS_ENABLE_ECC */ 979 980 default: 981 SECKEY_DestroyPublicKey(key); 982 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); 983 return SECFailure; 984 } 985 986 PRINT_BUF(60, (NULL, "hash(es) to be verified", 987 hashItem.data, hashItem.len)); 988 989 rv = PK11_Verify(key, buf, &hashItem, pwArg); 990 SECKEY_DestroyPublicKey(key); 991 if (signature) { 992 SECITEM_FreeItem(signature, PR_TRUE); 993 } 994 if (rv != SECSuccess) { 995 ssl_MapLowLevelError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); 996 } 997 return rv; 998 } 999 1000 1001 /* Caller must set hiLevel error code. */ 1002 /* Called from ssl3_ComputeExportRSAKeyHash 1003 * ssl3_ComputeDHKeyHash 1004 * which are called from ssl3_HandleServerKeyExchange. 1005 */ 1006 SECStatus 1007 ssl3_ComputeCommonKeyHash(PRUint8 * hashBuf, unsigned int bufLen, 1008 SSL3Hashes *hashes, PRBool bypassPKCS11) 1009 { 1010 SECStatus rv = SECSuccess; 1011 1012 if (bypassPKCS11) { 1013 MD5_HashBuf (hashes->md5, hashBuf, bufLen); 1014 SHA1_HashBuf(hashes->sha, hashBuf, bufLen); 1015 } else { 1016 rv = PK11_HashBuf(SEC_OID_MD5, hashes->md5, hashBuf, bufLen); 1017 if (rv != SECSuccess) { 1018 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); 1019 rv = SECFailure; 1020 goto done; 1021 } 1022 1023 rv = PK11_HashBuf(SEC_OID_SHA1, hashes->sha, hashBuf, bufLen); 1024 if (rv != SECSuccess) { 1025 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); 1026 rv = SECFailure; 1027 } 1028 } 1029 done: 1030 return rv; 1031 } 1032 1033 /* Caller must set hiLevel error code. 1034 ** Called from ssl3_SendServerKeyExchange and 1035 ** ssl3_HandleServerKeyExchange. 1036 */ 1037 static SECStatus 1038 ssl3_ComputeExportRSAKeyHash(SECItem modulus, SECItem publicExponent, 1039 SSL3Random *client_rand, SSL3Random *server_rand, 1040 SSL3Hashes *hashes, PRBool bypassPKCS11) 1041 { 1042 PRUint8 * hashBuf; 1043 PRUint8 * pBuf; 1044 SECStatus rv = SECSuccess; 1045 unsigned int bufLen; 1046 PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8]; 1047 1048 bufLen = 2*SSL3_RANDOM_LENGTH + 2 + modulus.len + 2 + publicExponent.len; 1049 if (bufLen <= sizeof buf) { 1050 hashBuf = buf; 1051 } else { 1052 hashBuf = PORT_Alloc(bufLen); 1053 if (!hashBuf) { 1054 return SECFailure; 1055 } 1056 } 1057 1058 memcpy(hashBuf, client_rand, SSL3_RANDOM_LENGTH); 1059 pBuf = hashBuf + SSL3_RANDOM_LENGTH; 1060 memcpy(pBuf, server_rand, SSL3_RANDOM_LENGTH); 1061 pBuf += SSL3_RANDOM_LENGTH; 1062 pBuf[0] = (PRUint8)(modulus.len >> 8); 1063 pBuf[1] = (PRUint8)(modulus.len); 1064 pBuf += 2; 1065 memcpy(pBuf, modulus.data, modulus.len); 1066 pBuf += modulus.len; 1067 pBuf[0] = (PRUint8)(publicExponent.len >> 8); 1068 pBuf[1] = (PRUint8)(publicExponent.len); 1069 pBuf += 2; 1070 memcpy(pBuf, publicExponent.data, publicExponent.len); 1071 pBuf += publicExponent.len; 1072 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen); 1073 1074 rv = ssl3_ComputeCommonKeyHash(hashBuf, bufLen, hashes, bypassPKCS11); 1075 1076 PRINT_BUF(95, (NULL, "RSAkey hash: ", hashBuf, bufLen)); 1077 PRINT_BUF(95, (NULL, "RSAkey hash: MD5 result", hashes->md5, MD5_LENGTH)); 1078 PRINT_BUF(95, (NULL, "RSAkey hash: SHA1 result", hashes->sha, SHA1_LENGTH)); 1079 1080 if (hashBuf != buf && hashBuf != NULL) 1081 PORT_Free(hashBuf); 1082 return rv; 1083 } 1084 1085 /* Caller must set hiLevel error code. */ 1086 /* Called from ssl3_HandleServerKeyExchange. */ 1087 static SECStatus 1088 ssl3_ComputeDHKeyHash(SECItem dh_p, SECItem dh_g, SECItem dh_Ys, 1089 SSL3Random *client_rand, SSL3Random *server_rand, 1090 SSL3Hashes *hashes, PRBool bypassPKCS11) 1091 { 1092 PRUint8 * hashBuf; 1093 PRUint8 * pBuf; 1094 SECStatus rv = SECSuccess; 1095 unsigned int bufLen; 1096 PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8]; 1097 1098 bufLen = 2*SSL3_RANDOM_LENGTH + 2 + dh_p.len + 2 + dh_g.len + 2 + dh_Ys.len; 1099 if (bufLen <= sizeof buf) { 1100 hashBuf = buf; 1101 } else { 1102 hashBuf = PORT_Alloc(bufLen); 1103 if (!hashBuf) { 1104 return SECFailure; 1105 } 1106 } 1107 1108 memcpy(hashBuf, client_rand, SSL3_RANDOM_LENGTH); 1109 pBuf = hashBuf + SSL3_RANDOM_LENGTH; 1110 memcpy(pBuf, server_rand, SSL3_RANDOM_LENGTH); 1111 pBuf += SSL3_RANDOM_LENGTH; 1112 pBuf[0] = (PRUint8)(dh_p.len >> 8); 1113 pBuf[1] = (PRUint8)(dh_p.len); 1114 pBuf += 2; 1115 memcpy(pBuf, dh_p.data, dh_p.len); 1116 pBuf += dh_p.len; 1117 pBuf[0] = (PRUint8)(dh_g.len >> 8); 1118 pBuf[1] = (PRUint8)(dh_g.len); 1119 pBuf += 2; 1120 memcpy(pBuf, dh_g.data, dh_g.len); 1121 pBuf += dh_g.len; 1122 pBuf[0] = (PRUint8)(dh_Ys.len >> 8); 1123 pBuf[1] = (PRUint8)(dh_Ys.len); 1124 pBuf += 2; 1125 memcpy(pBuf, dh_Ys.data, dh_Ys.len); 1126 pBuf += dh_Ys.len; 1127 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen); 1128 1129 rv = ssl3_ComputeCommonKeyHash(hashBuf, bufLen, hashes, bypassPKCS11); 1130 1131 PRINT_BUF(95, (NULL, "DHkey hash: ", hashBuf, bufLen)); 1132 PRINT_BUF(95, (NULL, "DHkey hash: MD5 result", hashes->md5, MD5_LENGTH)); 1133 PRINT_BUF(95, (NULL, "DHkey hash: SHA1 result", hashes->sha, SHA1_LENGTH)); 1134 1135 if (hashBuf != buf && hashBuf != NULL) 1136 PORT_Free(hashBuf); 1137 return rv; 1138 } 1139 1140 static void 1141 ssl3_BumpSequenceNumber(SSL3SequenceNumber *num) 1142 { 1143 num->low++; 1144 if (num->low == 0) 1145 num->high++; 1146 } 1147 1148 /* Called twice, only from ssl3_DestroyCipherSpec (immediately below). */ 1149 static void 1150 ssl3_CleanupKeyMaterial(ssl3KeyMaterial *mat) 1151 { 1152 if (mat->write_key != NULL) { 1153 PK11_FreeSymKey(mat->write_key); 1154 mat->write_key = NULL; 1155 } 1156 if (mat->write_mac_key != NULL) { 1157 PK11_FreeSymKey(mat->write_mac_key); 1158 mat->write_mac_key = NULL; 1159 } 1160 if (mat->write_mac_context != NULL) { 1161 PK11_DestroyContext(mat->write_mac_context, PR_TRUE); 1162 mat->write_mac_context = NULL; 1163 } 1164 } 1165 1166 /* Called from ssl3_SendChangeCipherSpecs() and 1167 ** ssl3_HandleChangeCipherSpecs() 1168 ** ssl3_DestroySSL3Info 1169 ** Caller must hold SpecWriteLock. 1170 */ 1171 static void 1172 ssl3_DestroyCipherSpec(ssl3CipherSpec *spec) 1173 { 1174 PRBool freeit = (PRBool)(!spec->bypassCiphers); 1175 /* PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); Don't have ss! */ 1176 if (spec->destroy) { 1177 spec->destroy(spec->encodeContext, freeit); 1178 spec->destroy(spec->decodeContext, freeit); 1179 spec->encodeContext = NULL; /* paranoia */ 1180 spec->decodeContext = NULL; 1181 } 1182 if (spec->destroyCompressContext && spec->compressContext) { 1183 spec->destroyCompressContext(spec->compressContext, 1); 1184 spec->compressContext = NULL; 1185 } 1186 if (spec->destroyDecompressContext && spec->decompressContext) { 1187 spec->destroyDecompressContext(spec->decompressContext, 1); 1188 spec->decompressContext = NULL; 1189 } 1190 if (spec->master_secret != NULL) { 1191 PK11_FreeSymKey(spec->master_secret); 1192 spec->master_secret = NULL; 1193 } 1194 spec->msItem.data = NULL; 1195 spec->msItem.len = 0; 1196 ssl3_CleanupKeyMaterial(&spec->client); 1197 ssl3_CleanupKeyMaterial(&spec->server); 1198 spec->bypassCiphers = PR_FALSE; 1199 spec->destroy=NULL; 1200 spec->destroyCompressContext = NULL; 1201 spec->destroyDecompressContext = NULL; 1202 } 1203 1204 /* Fill in the pending cipher spec with info from the selected ciphersuite. 1205 ** This is as much initialization as we can do without having key material. 1206 ** Called from ssl3_HandleServerHello(), ssl3_SendServerHello() 1207 ** Caller must hold the ssl3 handshake lock. 1208 ** Acquires & releases SpecWriteLock. 1209 */ 1210 static SECStatus 1211 ssl3_SetupPendingCipherSpec(sslSocket *ss) 1212 { 1213 ssl3CipherSpec * pwSpec; 1214 ssl3CipherSpec * cwSpec; 1215 ssl3CipherSuite suite = ss->ssl3.hs.cipher_suite; 1216 SSL3MACAlgorithm mac; 1217 SSL3BulkCipher cipher; 1218 SSL3KeyExchangeAlgorithm kea; 1219 const ssl3CipherSuiteDef *suite_def; 1220 PRBool isTLS; 1221 1222 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 1223 1224 ssl_GetSpecWriteLock(ss); /*******************************/ 1225 1226 pwSpec = ss->ssl3.pwSpec; 1227 PORT_Assert(pwSpec == ss->ssl3.prSpec); 1228 1229 /* This hack provides maximal interoperability with SSL 3 servers. */ 1230 cwSpec = ss->ssl3.cwSpec; 1231 if (cwSpec->mac_def->mac == mac_null) { 1232 /* SSL records are not being MACed. */ 1233 cwSpec->version = ss->version; 1234 } 1235 1236 pwSpec->version = ss->version; 1237 isTLS = (PRBool)(pwSpec->version > SSL_LIBRARY_VERSION_3_0); 1238 1239 SSL_TRC(3, ("%d: SSL3[%d]: Set XXX Pending Cipher Suite to 0x%04x", 1240 SSL_GETPID(), ss->fd, suite)); 1241 1242 suite_def = ssl_LookupCipherSuiteDef(suite); 1243 if (suite_def == NULL) { 1244 ssl_ReleaseSpecWriteLock(ss); 1245 return SECFailure; /* error code set by ssl_LookupCipherSuiteDef */ 1246 } 1247 1248 1249 cipher = suite_def->bulk_cipher_alg; 1250 kea = suite_def->key_exchange_alg; 1251 mac = suite_def->mac_alg; 1252 if (isTLS) 1253 mac += 2; 1254 1255 ss->ssl3.hs.suite_def = suite_def; 1256 ss->ssl3.hs.kea_def = &kea_defs[kea]; 1257 PORT_Assert(ss->ssl3.hs.kea_def->kea == kea); 1258 1259 pwSpec->cipher_def = &bulk_cipher_defs[cipher]; 1260 PORT_Assert(pwSpec->cipher_def->cipher == cipher); 1261 1262 pwSpec->mac_def = &mac_defs[mac]; 1263 PORT_Assert(pwSpec->mac_def->mac == mac); 1264 1265 ss->sec.keyBits = pwSpec->cipher_def->key_size * BPB; 1266 ss->sec.secretKeyBits = pwSpec->cipher_def->secret_key_size * BPB; 1267 ss->sec.cipherType = cipher; 1268 1269 pwSpec->encodeContext = NULL; 1270 pwSpec->decodeContext = NULL; 1271 1272 pwSpec->mac_size = pwSpec->mac_def->mac_size; 1273 1274 pwSpec->compression_method = ss->ssl3.hs.compression; 1275 pwSpec->compressContext = NULL; 1276 pwSpec->decompressContext = NULL; 1277 1278 ssl_ReleaseSpecWriteLock(ss); /*******************************/ 1279 return SECSuccess; 1280 } 1281 1282 #ifdef NSS_ENABLE_ZLIB 1283 #define SSL3_DEFLATE_CONTEXT_SIZE sizeof(z_stream) 1284 1285 static SECStatus 1286 ssl3_MapZlibError(int zlib_error) 1287 { 1288 switch (zlib_error) { 1289 case Z_OK: 1290 return SECSuccess; 1291 default: 1292 return SECFailure; 1293 } 1294 } 1295 1296 static SECStatus 1297 ssl3_DeflateInit(void *void_context) 1298 { 1299 z_stream *context = void_context; 1300 context->zalloc = NULL; 1301 context->zfree = NULL; 1302 context->opaque = NULL; 1303 1304 return ssl3_MapZlibError(deflateInit(context, Z_DEFAULT_COMPRESSION)); 1305 } 1306 1307 static SECStatus 1308 ssl3_InflateInit(void *void_context) 1309 { 1310 z_stream *context = void_context; 1311 context->zalloc = NULL; 1312 context->zfree = NULL; 1313 context->opaque = NULL; 1314 context->next_in = NULL; 1315 context->avail_in = 0; 1316 1317 return ssl3_MapZlibError(inflateInit(context)); 1318 } 1319 1320 static SECStatus 1321 ssl3_DeflateCompress(void *void_context, unsigned char *out, int *out_len, 1322 int maxout, const unsigned char *in, int inlen) 1323 { 1324 z_stream *context = void_context; 1325 1326 if (!inlen) { 1327 *out_len = 0; 1328 return SECSuccess; 1329 } 1330 1331 context->next_in = (unsigned char*) in; 1332 context->avail_in = inlen; 1333 context->next_out = out; 1334 context->avail_out = maxout; 1335 if (deflate(context, Z_SYNC_FLUSH) != Z_OK) { 1336 return SECFailure; 1337 } 1338 if (context->avail_out == 0) { 1339 /* We ran out of space! */ 1340 SSL_TRC(3, ("%d: SSL3[%d] Ran out of buffer while compressing", 1341 SSL_GETPID())); 1342 return SECFailure; 1343 } 1344 1345 *out_len = maxout - context->avail_out; 1346 return SECSuccess; 1347 } 1348 1349 static SECStatus 1350 ssl3_DeflateDecompress(void *void_context, unsigned char *out, int *out_len, 1351 int maxout, const unsigned char *in, int inlen) 1352 { 1353 z_stream *context = void_context; 1354 1355 if (!inlen) { 1356 *out_len = 0; 1357 return SECSuccess; 1358 } 1359 1360 context->next_in = (unsigned char*) in; 1361 context->avail_in = inlen; 1362 context->next_out = out; 1363 context->avail_out = maxout; 1364 if (inflate(context, Z_SYNC_FLUSH) != Z_OK) { 1365 PORT_SetError(SSL_ERROR_DECOMPRESSION_FAILURE); 1366 return SECFailure; 1367 } 1368 1369 *out_len = maxout - context->avail_out; 1370 return SECSuccess; 1371 } 1372 1373 static SECStatus 1374 ssl3_DestroyCompressContext(void *void_context, PRBool unused) 1375 { 1376 deflateEnd(void_context); 1377 PORT_Free(void_context); 1378 return SECSuccess; 1379 } 1380 1381 static SECStatus 1382 ssl3_DestroyDecompressContext(void *void_context, PRBool unused) 1383 { 1384 inflateEnd(void_context); 1385 PORT_Free(void_context); 1386 return SECSuccess; 1387 } 1388 1389 #endif /* NSS_ENABLE_ZLIB */ 1390 1391 /* Initialize the compression functions and contexts for the given 1392 * CipherSpec. */ 1393 static SECStatus 1394 ssl3_InitCompressionContext(ssl3CipherSpec *pwSpec) 1395 { 1396 /* Setup the compression functions */ 1397 switch (pwSpec->compression_method) { 1398 case ssl_compression_null: 1399 pwSpec->compressor = NULL; 1400 pwSpec->decompressor = NULL; 1401 pwSpec->compressContext = NULL; 1402 pwSpec->decompressContext = NULL; 1403 pwSpec->destroyCompressContext = NULL; 1404 pwSpec->destroyDecompressContext = NULL; 1405 break; 1406 #ifdef NSS_ENABLE_ZLIB 1407 case ssl_compression_deflate: 1408 pwSpec->compressor = ssl3_DeflateCompress; 1409 pwSpec->decompressor = ssl3_DeflateDecompress; 1410 pwSpec->compressContext = PORT_Alloc(SSL3_DEFLATE_CONTEXT_SIZE); 1411 pwSpec->decompressContext = PORT_Alloc(SSL3_DEFLATE_CONTEXT_SIZE); 1412 pwSpec->destroyCompressContext = ssl3_DestroyCompressContext; 1413 pwSpec->destroyDecompressContext = ssl3_DestroyDecompressContext; 1414 ssl3_DeflateInit(pwSpec->compressContext); 1415 ssl3_InflateInit(pwSpec->decompressContext); 1416 break; 1417 #endif /* NSS_ENABLE_ZLIB */ 1418 default: 1419 PORT_Assert(0); 1420 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1421 return SECFailure; 1422 } 1423 1424 return SECSuccess; 1425 } 1426 1427 /* Initialize encryption and MAC contexts for pending spec. 1428 * Master Secret already is derived in spec->msItem 1429 * Caller holds Spec write lock. 1430 */ 1431 static SECStatus 1432 ssl3_InitPendingContextsBypass(sslSocket *ss) 1433 { 1434 ssl3CipherSpec * pwSpec; 1435 const ssl3BulkCipherDef *cipher_def; 1436 void * serverContext = NULL; 1437 void * clientContext = NULL; 1438 BLapiInitContextFunc initFn = (BLapiInitContextFunc)NULL; 1439 int mode = 0; 1440 unsigned int optArg1 = 0; 1441 unsigned int optArg2 = 0; 1442 PRBool server_encrypts = ss->sec.isServer; 1443 CK_ULONG macLength; 1444 SSLCipherAlgorithm calg; 1445 SSLCompressionMethod compression_method; 1446 SECStatus rv; 1447 1448 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 1449 1450 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); 1451 1452 pwSpec = ss->ssl3.pwSpec; 1453 cipher_def = pwSpec->cipher_def; 1454 macLength = pwSpec->mac_size; 1455 1456 /* MAC setup is done when computing the mac, not here. 1457 * Now setup the crypto contexts. 1458 */ 1459 1460 calg = cipher_def->calg; 1461 compression_method = pwSpec->compression_method; 1462 1463 serverContext = pwSpec->server.cipher_context; 1464 clientContext = pwSpec->client.cipher_context; 1465 1466 switch (calg) { 1467 case ssl_calg_null: 1468 pwSpec->encode = Null_Cipher; 1469 pwSpec->decode = Null_Cipher; 1470 pwSpec->destroy = NULL; 1471 goto success; 1472 1473 case ssl_calg_rc4: 1474 initFn = (BLapiInitContextFunc)RC4_InitContext; 1475 pwSpec->encode = (SSLCipher) RC4_Encrypt; 1476 pwSpec->decode = (SSLCipher) RC4_Decrypt; 1477 pwSpec->destroy = (SSLDestroy) RC4_DestroyContext; 1478 break; 1479 case ssl_calg_rc2: 1480 initFn = (BLapiInitContextFunc)RC2_InitContext; 1481 mode = NSS_RC2_CBC; 1482 optArg1 = cipher_def->key_size; 1483 pwSpec->encode = (SSLCipher) RC2_Encrypt; 1484 pwSpec->decode = (SSLCipher) RC2_Decrypt; 1485 pwSpec->destroy = (SSLDestroy) RC2_DestroyContext; 1486 break; 1487 case ssl_calg_des: 1488 initFn = (BLapiInitContextFunc)DES_InitContext; 1489 mode = NSS_DES_CBC; 1490 optArg1 = server_encrypts; 1491 pwSpec->encode = (SSLCipher) DES_Encrypt; 1492 pwSpec->decode = (SSLCipher) DES_Decrypt; 1493 pwSpec->destroy = (SSLDestroy) DES_DestroyContext; 1494 break; 1495 case ssl_calg_3des: 1496 initFn = (BLapiInitContextFunc)DES_InitContext; 1497 mode = NSS_DES_EDE3_CBC; 1498 optArg1 = server_encrypts; 1499 pwSpec->encode = (SSLCipher) DES_Encrypt; 1500 pwSpec->decode = (SSLCipher) DES_Decrypt; 1501 pwSpec->destroy = (SSLDestroy) DES_DestroyContext; 1502 break; 1503 case ssl_calg_aes: 1504 initFn = (BLapiInitContextFunc)AES_InitContext; 1505 mode = NSS_AES_CBC; 1506 optArg1 = server_encrypts; 1507 optArg2 = AES_BLOCK_SIZE; 1508 pwSpec->encode = (SSLCipher) AES_Encrypt; 1509 pwSpec->decode = (SSLCipher) AES_Decrypt; 1510 pwSpec->destroy = (SSLDestroy) AES_DestroyContext; 1511 break; 1512 1513 case ssl_calg_camellia: 1514 initFn = (BLapiInitContextFunc)Camellia_InitContext; 1515 mode = NSS_CAMELLIA_CBC; 1516 optArg1 = server_encrypts; 1517 optArg2 = CAMELLIA_BLOCK_SIZE; 1518 pwSpec->encode = (SSLCipher) Camellia_Encrypt; 1519 pwSpec->decode = (SSLCipher) Camellia_Decrypt; 1520 pwSpec->destroy = (SSLDestroy) Camellia_DestroyContext; 1521 break; 1522 1523 case ssl_calg_seed: 1524 initFn = (BLapiInitContextFunc)SEED_InitContext; 1525 mode = NSS_SEED_CBC; 1526 optArg1 = server_encrypts; 1527 optArg2 = SEED_BLOCK_SIZE; 1528 pwSpec->encode = (SSLCipher) SEED_Encrypt; 1529 pwSpec->decode = (SSLCipher) SEED_Decrypt; 1530 pwSpec->destroy = (SSLDestroy) SEED_DestroyContext; 1531 break; 1532 1533 case ssl_calg_idea: 1534 case ssl_calg_fortezza : 1535 default: 1536 PORT_Assert(0); 1537 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1538 goto bail_out; 1539 } 1540 rv = (*initFn)(serverContext, 1541 pwSpec->server.write_key_item.data, 1542 pwSpec->server.write_key_item.len, 1543 pwSpec->server.write_iv_item.data, 1544 mode, optArg1, optArg2); 1545 if (rv != SECSuccess) { 1546 PORT_Assert(0); 1547 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1548 goto bail_out; 1549 } 1550 1551 switch (calg) { 1552 case ssl_calg_des: 1553 case ssl_calg_3des: 1554 case ssl_calg_aes: 1555 case ssl_calg_camellia: 1556 case ssl_calg_seed: 1557 /* For block ciphers, if the server is encrypting, then the client 1558 * is decrypting, and vice versa. 1559 */ 1560 optArg1 = !optArg1; 1561 } 1562 1563 rv = (*initFn)(clientContext, 1564 pwSpec->client.write_key_item.data, 1565 pwSpec->client.write_key_item.len, 1566 pwSpec->client.write_iv_item.data, 1567 mode, optArg1, optArg2); 1568 if (rv != SECSuccess) { 1569 PORT_Assert(0); 1570 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1571 goto bail_out; 1572 } 1573 1574 pwSpec->encodeContext = (ss->sec.isServer) ? serverContext : clientContext; 1575 pwSpec->decodeContext = (ss->sec.isServer) ? clientContext : serverContext; 1576 1577 ssl3_InitCompressionContext(pwSpec); 1578 1579 success: 1580 return SECSuccess; 1581 1582 bail_out: 1583 return SECFailure; 1584 } 1585 1586 /* This function should probably be moved to pk11wrap and be named 1587 * PK11_ParamFromIVAndEffectiveKeyBits 1588 */ 1589 static SECItem * 1590 ssl3_ParamFromIV(CK_MECHANISM_TYPE mtype, SECItem *iv, CK_ULONG ulEffectiveBits) 1591 { 1592 SECItem * param = PK11_ParamFromIV(mtype, iv); 1593 if (param && param->data && param->len >= sizeof(CK_RC2_PARAMS)) { 1594 switch (mtype) { 1595 case CKM_RC2_KEY_GEN: 1596 case CKM_RC2_ECB: 1597 case CKM_RC2_CBC: 1598 case CKM_RC2_MAC: 1599 case CKM_RC2_MAC_GENERAL: 1600 case CKM_RC2_CBC_PAD: 1601 *(CK_RC2_PARAMS *)param->data = ulEffectiveBits; 1602 default: break; 1603 } 1604 } 1605 return param; 1606 } 1607 1608 /* Initialize encryption and MAC contexts for pending spec. 1609 * Master Secret already is derived. 1610 * Caller holds Spec write lock. 1611 */ 1612 static SECStatus 1613 ssl3_InitPendingContextsPKCS11(sslSocket *ss) 1614 { 1615 ssl3CipherSpec * pwSpec; 1616 const ssl3BulkCipherDef *cipher_def; 1617 PK11Context * serverContext = NULL; 1618 PK11Context * clientContext = NULL; 1619 SECItem * param; 1620 CK_MECHANISM_TYPE mechanism; 1621 CK_MECHANISM_TYPE mac_mech; 1622 CK_ULONG macLength; 1623 CK_ULONG effKeyBits; 1624 SECItem iv; 1625 SECItem mac_param; 1626 SSLCipherAlgorithm calg; 1627 1628 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 1629 1630 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); 1631 1632 pwSpec = ss->ssl3.pwSpec; 1633 cipher_def = pwSpec->cipher_def; 1634 macLength = pwSpec->mac_size; 1635 1636 /* 1637 ** Now setup the MAC contexts, 1638 ** crypto contexts are setup below. 1639 */ 1640 1641 pwSpec->client.write_mac_context = NULL; 1642 pwSpec->server.write_mac_context = NULL; 1643 mac_mech = pwSpec->mac_def->mmech; 1644 mac_param.data = (unsigned char *)&macLength; 1645 mac_param.len = sizeof(macLength); 1646 mac_param.type = 0; 1647 1648 pwSpec->client.write_mac_context = PK11_CreateContextBySymKey( 1649 mac_mech, CKA_SIGN, pwSpec->client.write_mac_key, &mac_param); 1650 if (pwSpec->client.write_mac_context == NULL) { 1651 ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE); 1652 goto fail; 1653 } 1654 pwSpec->server.write_mac_context = PK11_CreateContextBySymKey( 1655 mac_mech, CKA_SIGN, pwSpec->server.write_mac_key, &mac_param); 1656 if (pwSpec->server.write_mac_context == NULL) { 1657 ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE); 1658 goto fail; 1659 } 1660 1661 /* 1662 ** Now setup the crypto contexts. 1663 */ 1664 1665 calg = cipher_def->calg; 1666 PORT_Assert(alg2Mech[calg].calg == calg); 1667 1668 if (calg == calg_null) { 1669 pwSpec->encode = Null_Cipher; 1670 pwSpec->decode = Null_Cipher; 1671 pwSpec->destroy = NULL; 1672 return SECSuccess; 1673 } 1674 mechanism = alg2Mech[calg].cmech; 1675 effKeyBits = cipher_def->key_size * BPB; 1676 1677 /* 1678 * build the server context 1679 */ 1680 iv.data = pwSpec->server.write_iv; 1681 iv.len = cipher_def->iv_size; 1682 param = ssl3_ParamFromIV(mechanism, &iv, effKeyBits); 1683 if (param == NULL) { 1684 ssl_MapLowLevelError(SSL_ERROR_IV_PARAM_FAILURE); 1685 goto fail; 1686 } 1687 serverContext = PK11_CreateContextBySymKey(mechanism, 1688 (ss->sec.isServer ? CKA_ENCRYPT : CKA_DECRYPT), 1689 pwSpec->server.write_key, param); 1690 iv.data = PK11_IVFromParam(mechanism, param, (int *)&iv.len); 1691 if (iv.data) 1692 PORT_Memcpy(pwSpec->server.write_iv, iv.data, iv.len); 1693 SECITEM_FreeItem(param, PR_TRUE); 1694 if (serverContext == NULL) { 1695 ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE); 1696 goto fail; 1697 } 1698 1699 /* 1700 * build the client context 1701 */ 1702 iv.data = pwSpec->client.write_iv; 1703 iv.len = cipher_def->iv_size; 1704 1705 param = ssl3_ParamFromIV(mechanism, &iv, effKeyBits); 1706 if (param == NULL) { 1707 ssl_MapLowLevelError(SSL_ERROR_IV_PARAM_FAILURE); 1708 goto fail; 1709 } 1710 clientContext = PK11_CreateContextBySymKey(mechanism, 1711 (ss->sec.isServer ? CKA_DECRYPT : CKA_ENCRYPT), 1712 pwSpec->client.write_key, param); 1713 iv.data = PK11_IVFromParam(mechanism, param, (int *)&iv.len); 1714 if (iv.data) 1715 PORT_Memcpy(pwSpec->client.write_iv, iv.data, iv.len); 1716 SECITEM_FreeItem(param,PR_TRUE); 1717 if (clientContext == NULL) { 1718 ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE); 1719 goto fail; 1720 } 1721 pwSpec->encode = (SSLCipher) PK11_CipherOp; 1722 pwSpec->decode = (SSLCipher) PK11_CipherOp; 1723 pwSpec->destroy = (SSLDestroy) PK11_DestroyContext; 1724 1725 pwSpec->encodeContext = (ss->sec.isServer) ? serverContext : clientContext; 1726 pwSpec->decodeContext = (ss->sec.isServer) ? clientContext : serverContext; 1727 1728 serverContext = NULL; 1729 clientContext = NULL; 1730 1731 ssl3_InitCompressionContext(pwSpec); 1732 1733 return SECSuccess; 1734 1735 fail: 1736 if (serverContext != NULL) PK11_DestroyContext(serverContext, PR_TRUE); 1737 if (clientContext != NULL) PK11_DestroyContext(clientContext, PR_TRUE); 1738 if (pwSpec->client.write_mac_context != NULL) { 1739 PK11_DestroyContext(pwSpec->client.write_mac_context,PR_TRUE); 1740 pwSpec->client.write_mac_context = NULL; 1741 } 1742 if (pwSpec->server.write_mac_context != NULL) { 1743 PK11_DestroyContext(pwSpec->server.write_mac_context,PR_TRUE); 1744 pwSpec->server.write_mac_context = NULL; 1745 } 1746 1747 return SECFailure; 1748 } 1749 1750 /* Complete the initialization of all keys, ciphers, MACs and their contexts 1751 * for the pending Cipher Spec. 1752 * Called from: ssl3_SendClientKeyExchange (for Full handshake) 1753 * ssl3_HandleRSAClientKeyExchange (for Full handshake) 1754 * ssl3_HandleServerHello (for session restart) 1755 * ssl3_HandleClientHello (for session restart) 1756 * Sets error code, but caller probably should override to disambiguate. 1757 * NULL pms means re-use old master_secret. 1758 * 1759 * This code is common to the bypass and PKCS11 execution paths. 1760 * For the bypass case, pms is NULL. 1761 */ 1762 SECStatus 1763 ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms) 1764 { 1765 ssl3CipherSpec * pwSpec; 1766 SECStatus rv; 1767 1768 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 1769 1770 ssl_GetSpecWriteLock(ss); /**************************************/ 1771 1772 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); 1773 1774 pwSpec = ss->ssl3.pwSpec; 1775 1776 if (pms || (!pwSpec->msItem.len && !pwSpec->master_secret)) { 1777 rv = ssl3_DeriveMasterSecret(ss, pms); 1778 if (rv != SECSuccess) { 1779 goto done; /* err code set by ssl3_DeriveMasterSecret */ 1780 } 1781 } 1782 if (ss->opt.bypassPKCS11 && pwSpec->msItem.len && pwSpec->msItem.data) { 1783 /* Double Bypass succeeded in extracting the master_secret */ 1784 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; 1785 PRBool isTLS = (PRBool)(kea_def->tls_keygen || 1786 (pwSpec->version > SSL_LIBRARY_VERSION_3_0)); 1787 pwSpec->bypassCiphers = PR_TRUE; 1788 rv = ssl3_KeyAndMacDeriveBypass( pwSpec, 1789 (const unsigned char *)&ss->ssl3.hs.client_random, 1790 (const unsigned char *)&ss->ssl3.hs.server_random, 1791 isTLS, 1792 (PRBool)(kea_def->is_limited)); 1793 if (rv == SECSuccess) { 1794 rv = ssl3_InitPendingContextsBypass(ss); 1795 } 1796 } else if (pwSpec->master_secret) { 1797 rv = ssl3_DeriveConnectionKeysPKCS11(ss); 1798 if (rv == SECSuccess) { 1799 rv = ssl3_InitPendingContextsPKCS11(ss); 1800 } 1801 } else { 1802 PORT_Assert(pwSpec->master_secret); 1803 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1804 rv = SECFailure; 1805 } 1806 1807 done: 1808 ssl_ReleaseSpecWriteLock(ss); /******************************/ 1809 if (rv != SECSuccess) 1810 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); 1811 return rv; 1812 } 1813 1814 /* 1815 * 60 bytes is 3 times the maximum length MAC size that is supported. 1816 */ 1817 static const unsigned char mac_pad_1 [60] = { 1818 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 1819 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 1820 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 1821 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 1822 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 1823 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 1824 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 1825 0x36, 0x36, 0x36, 0x36 1826 }; 1827 static const unsigned char mac_pad_2 [60] = { 1828 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 1829 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 1830 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 1831 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 1832 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 1833 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 1834 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 1835 0x5c, 0x5c, 0x5c, 0x5c 1836 }; 1837 1838 /* Called from: ssl3_SendRecord() 1839 ** ssl3_HandleRecord() 1840 ** Caller must already hold the SpecReadLock. (wish we could assert that!) 1841 */ 1842 static SECStatus 1843 ssl3_ComputeRecordMAC( 1844 ssl3CipherSpec * spec, 1845 PRBool useServerMacKey, 1846 SSL3ContentType type, 1847 SSL3ProtocolVersion version, 1848 SSL3SequenceNumber seq_num, 1849 const SSL3Opaque * input, 1850 int inputLength, 1851 unsigned char * outbuf, 1852 unsigned int * outLength) 1853 { 1854 const ssl3MACDef * mac_def; 1855 SECStatus rv; 1856 PRBool isTLS; 1857 unsigned int tempLen; 1858 unsigned char temp[MAX_MAC_LENGTH]; 1859 1860 temp[0] = (unsigned char)(seq_num.high >> 24); 1861 temp[1] = (unsigned char)(seq_num.high >> 16); 1862 temp[2] = (unsigned char)(seq_num.high >> 8); 1863 temp[3] = (unsigned char)(seq_num.high >> 0); 1864 temp[4] = (unsigned char)(seq_num.low >> 24); 1865 temp[5] = (unsigned char)(seq_num.low >> 16); 1866 temp[6] = (unsigned char)(seq_num.low >> 8); 1867 temp[7] = (unsigned char)(seq_num.low >> 0); 1868 temp[8] = type; 1869 1870 /* TLS MAC includes the record's version field, SSL's doesn't. 1871 ** We decide which MAC defintiion to use based on the version of 1872 ** the protocol that was negotiated when the spec became current, 1873 ** NOT based on the version value in the record itself. 1874 ** But, we use the record'v version value in the computation. 1875 */ 1876 if (spec->version <= SSL_LIBRARY_VERSION_3_0) { 1877 temp[9] = MSB(inputLength); 1878 temp[10] = LSB(inputLength); 1879 tempLen = 11; 1880 isTLS = PR_FALSE; 1881 } else { 1882 /* New TLS hash includes version. */ 1883 temp[9] = MSB(version); 1884 temp[10] = LSB(version); 1885 temp[11] = MSB(inputLength); 1886 temp[12] = LSB(inputLength); 1887 tempLen = 13; 1888 isTLS = PR_TRUE; 1889 } 1890 1891 PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen)); 1892 PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength)); 1893 1894 mac_def = spec->mac_def; 1895 if (mac_def->mac == mac_null) { 1896 *outLength = 0; 1897 return SECSuccess; 1898 } 1899 if (! spec->bypassCiphers) { 1900 PK11Context *mac_context = 1901 (useServerMacKey ? spec->server.write_mac_context 1902 : spec->client.write_mac_context); 1903 rv = PK11_DigestBegin(mac_context); 1904 rv |= PK11_DigestOp(mac_context, temp, tempLen); 1905 rv |= PK11_DigestOp(mac_context, input, inputLength); 1906 rv |= PK11_DigestFinal(mac_context, outbuf, outLength, spec->mac_size); 1907 } else { 1908 /* bypass version */ 1909 const SECHashObject *hashObj = NULL; 1910 unsigned int pad_bytes = 0; 1911 PRUint64 write_mac_context[MAX_MAC_CONTEXT_LLONGS]; 1912 1913 switch (mac_def->mac) { 1914 case ssl_mac_null: 1915 *outLength = 0; 1916 return SECSuccess; 1917 case ssl_mac_md5: 1918 pad_bytes = 48; 1919 hashObj = HASH_GetRawHashObject(HASH_AlgMD5); 1920 break; 1921 case ssl_mac_sha: 1922 pad_bytes = 40; 1923 hashObj = HASH_GetRawHashObject(HASH_AlgSHA1); 1924 break; 1925 case ssl_hmac_md5: /* used with TLS */ 1926 hashObj = HASH_GetRawHashObject(HASH_AlgMD5); 1927 break; 1928 case ssl_hmac_sha: /* used with TLS */ 1929 hashObj = HASH_GetRawHashObject(HASH_AlgSHA1); 1930 break; 1931 default: 1932 break; 1933 } 1934 if (!hashObj) { 1935 PORT_Assert(0); 1936 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1937 return SECFailure; 1938 } 1939 1940 if (!isTLS) { 1941 /* compute "inner" part of SSL3 MAC */ 1942 hashObj->begin(write_mac_context); 1943 if (useServerMacKey) 1944 hashObj->update(write_mac_context, 1945 spec->server.write_mac_key_item.data, 1946 spec->server.write_mac_key_item.len); 1947 else 1948 hashObj->update(write_mac_context, 1949 spec->client.write_mac_key_item.data, 1950 spec->client.write_mac_key_item.len); 1951 hashObj->update(write_mac_context, mac_pad_1, pad_bytes); 1952 hashObj->update(write_mac_context, temp, tempLen); 1953 hashObj->update(write_mac_context, input, inputLength); 1954 hashObj->end(write_mac_context, temp, &tempLen, sizeof temp); 1955 1956 /* compute "outer" part of SSL3 MAC */ 1957 hashObj->begin(write_mac_context); 1958 if (useServerMacKey) 1959 hashObj->update(write_mac_context, 1960 spec->server.write_mac_key_item.data, 1961 spec->server.write_mac_key_item.len); 1962 else 1963 hashObj->update(write_mac_context, 1964 spec->client.write_mac_key_item.data, 1965 spec->client.write_mac_key_item.len); 1966 hashObj->update(write_mac_context, mac_pad_2, pad_bytes); 1967 hashObj->update(write_mac_context, temp, tempLen); 1968 hashObj->end(write_mac_context, outbuf, outLength, spec->mac_size); 1969 rv = SECSuccess; 1970 } else { /* is TLS */ 1971 #define cx ((HMACContext *)write_mac_context) 1972 if (useServerMacKey) { 1973 rv = HMAC_Init(cx, hashObj, 1974 spec->server.write_mac_key_item.data, 1975 spec->server.write_mac_key_item.len, PR_FALSE); 1976 } else { 1977 rv = HMAC_Init(cx, hashObj, 1978 spec->client.write_mac_key_item.data, 1979 spec->client.write_mac_key_item.len, PR_FALSE); 1980 } 1981 if (rv == SECSuccess) { 1982 HMAC_Begin(cx); 1983 HMAC_Update(cx, temp, tempLen); 1984 HMAC_Update(cx, input, inputLength); 1985 rv = HMAC_Finish(cx, outbuf, outLength, spec->mac_size); 1986 HMAC_Destroy(cx, PR_FALSE); 1987 } 1988 #undef cx 1989 } 1990 } 1991 1992 PORT_Assert(rv != SECSuccess || *outLength == (unsigned)spec->mac_size); 1993 1994 PRINT_BUF(95, (NULL, "frag hash2: result", outbuf, *outLength)); 1995 1996 if (rv != SECSuccess) { 1997 rv = SECFailure; 1998 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); 1999 } 2000 return rv; 2001 } 2002 2003 static PRBool 2004 ssl3_ClientAuthTokenPresent(sslSessionID *sid) { 2005 PK11SlotInfo *slot = NULL; 2006 PRBool isPresent = PR_TRUE; 2007 2008 /* we only care if we are doing client auth */ 2009 if (!sid || !sid->u.ssl3.clAuthValid) { 2010 return PR_TRUE; 2011 } 2012 2013 /* get the slot */ 2014 slot = SECMOD_LookupSlot(sid->u.ssl3.clAuthModuleID, 2015 sid->u.ssl3.clAuthSlotID); 2016 if (slot == NULL || 2017 !PK11_IsPresent(slot) || 2018 sid->u.ssl3.clAuthSeries != PK11_GetSlotSeries(slot) || 2019 sid->u.ssl3.clAuthSlotID != PK11_GetSlotID(slot) || 2020 sid->u.ssl3.clAuthModuleID != PK11_GetModuleID(slot) || 2021 (PK11_NeedLogin(slot) && !PK11_IsLoggedIn(slot, NULL))) { 2022 isPresent = PR_FALSE; 2023 } 2024 if (slot) { 2025 PK11_FreeSlot(slot); 2026 } 2027 return isPresent; 2028 } 2029 2030 static SECStatus 2031 ssl3_CompressMACEncryptRecord(sslSocket * ss, 2032 SSL3ContentType type, 2033 const SSL3Opaque * pIn, 2034 PRUint32 contentLen) 2035 { 2036 ssl3CipherSpec * cwSpec; 2037 const ssl3BulkCipherDef * cipher_def; 2038 sslBuffer * wrBuf = &ss->sec.writeBuf; 2039 SECStatus rv; 2040 PRUint32 macLen = 0; 2041 PRUint32 fragLen; 2042 PRUint32 p1Len, p2Len, oddLen = 0; 2043 PRInt32 cipherBytes = 0; 2044 2045 ssl_GetSpecReadLock(ss); /********************************/ 2046 2047 cwSpec = ss->ssl3.cwSpec; 2048 cipher_def = cwSpec->cipher_def; 2049 2050 if (cwSpec->compressor) { 2051 int outlen; 2052 rv = cwSpec->compressor( 2053 cwSpec->compressContext, wrBuf->buf + SSL3_RECORD_HEADER_LENGTH, 2054 &outlen, wrBuf->space - SSL3_RECORD_HEADER_LENGTH, pIn, contentLen); 2055 if (rv != SECSuccess) 2056 return rv; 2057 pIn = wrBuf->buf + SSL3_RECORD_HEADER_LENGTH; 2058 contentLen = outlen; 2059 } 2060 2061 /* 2062 * Add the MAC 2063 */ 2064 rv = ssl3_ComputeRecordMAC( cwSpec, (PRBool)(ss->sec.isServer), 2065 type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen, 2066 wrBuf->buf + contentLen + SSL3_RECORD_HEADER_LENGTH, &macLen); 2067 if (rv != SECSuccess) { 2068 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); 2069 goto spec_locked_loser; 2070 } 2071 p1Len = contentLen; 2072 p2Len = macLen; 2073 fragLen = contentLen + macLen; /* needs to be encrypted */ 2074 PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024); 2075 2076 /* 2077 * Pad the text (if we're doing a block cipher) 2078 * then Encrypt it 2079 */ 2080 if (cipher_def->type == type_block) { 2081 unsigned char * pBuf; 2082 int padding_length; 2083 int i; 2084 2085 oddLen = contentLen % cipher_def->block_size; 2086 /* Assume blockSize is a power of two */ 2087 padding_length = cipher_def->block_size - 1 - 2088 ((fragLen) & (cipher_def->block_size - 1)); 2089 fragLen += padding_length + 1; 2090 PORT_Assert((fragLen % cipher_def->block_size) == 0); 2091 2092 /* Pad according to TLS rules (also acceptable to SSL3). */ 2093 pBuf = &wrBuf->buf[fragLen + SSL3_RECORD_HEADER_LENGTH - 1]; 2094 for (i = padding_length + 1; i > 0; --i) { 2095 *pBuf-- = padding_length; 2096 } 2097 /* now, if contentLen is not a multiple of block size, fix it */ 2098 p2Len = fragLen - p1Len; 2099 } 2100 if (p1Len < 256) { 2101 oddLen = p1Len; 2102 p1Len = 0; 2103 } else { 2104 p1Len -= oddLen; 2105 } 2106 if (oddLen) { 2107 p2Len += oddLen; 2108 PORT_Assert( (cipher_def->block_size < 2) || \ 2109 (p2Len % cipher_def->block_size) == 0); 2110 memmove(wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + p1Len, 2111 pIn + p1Len, oddLen); 2112 } 2113 if (p1Len > 0) { 2114 rv = cwSpec->encode( cwSpec->encodeContext, 2115 wrBuf->buf + SSL3_RECORD_HEADER_LENGTH, /* output */ 2116 &cipherBytes, /* actual outlen */ 2117 p1Len, /* max outlen */ 2118 pIn, p1Len); /* input, and inputlen */ 2119 PORT_Assert(rv == SECSuccess && cipherBytes == p1Len); 2120 if (rv != SECSuccess || cipherBytes != p1Len) { 2121 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); 2122 goto spec_locked_loser; 2123 } 2124 } 2125 if (p2Len > 0) { 2126 PRInt32 cipherBytesPart2 = -1; 2127 rv = cwSpec->encode( cwSpec->encodeContext, 2128 wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + p1Len, 2129 &cipherBytesPart2, /* output and actual outLen */ 2130 p2Len, /* max outlen */ 2131 wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + p1Len, 2132 p2Len); /* input and inputLen*/ 2133 PORT_Assert(rv == SECSuccess && cipherBytesPart2 == p2Len); 2134 if (rv != SECSuccess || cipherBytesPart2 != p2Len) { 2135 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); 2136 goto spec_locked_loser; 2137 } 2138 cipherBytes += cipherBytesPart2; 2139 } 2140 PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024); 2141 2142 ssl3_BumpSequenceNumber(&cwSpec->write_seq_num); 2143 2144 wrBuf->len = cipherBytes + SSL3_RECORD_HEADER_LENGTH; 2145 wrBuf->buf[0] = type; 2146 wrBuf->buf[1] = MSB(cwSpec->version); 2147 wrBuf->buf[2] = LSB(cwSpec->version); 2148 wrBuf->buf[3] = MSB(cipherBytes); 2149 wrBuf->buf[4] = LSB(cipherBytes); 2150 2151 ssl_ReleaseSpecReadLock(ss); /************************************/ 2152 2153 return SECSuccess; 2154 2155 spec_locked_loser: 2156 ssl_ReleaseSpecReadLock(ss); 2157 return SECFailure; 2158 } 2159 2160 /* Process the plain text before sending it. 2161 * Returns the number of bytes of plaintext that were successfully sent 2162 * plus the number of bytes of plaintext that were copied into the 2163 * output (write) buffer. 2164 * Returns SECFailure on a hard IO error, memory error, or crypto error. 2165 * Does NOT return SECWouldBlock. 2166 * 2167 * Notes on the use of the private ssl flags: 2168 * (no private SSL flags) 2169 * Attempt to make and send SSL records for all plaintext 2170 * If non-blocking and a send gets WOULD_BLOCK, 2171 * or if the pending (ciphertext) buffer is not empty, 2172 * then buffer remaining bytes of ciphertext into pending buf, 2173 * and continue to do that for all succssive records until all 2174 * bytes are used. 2175 * ssl_SEND_FLAG_FORCE_INTO_BUFFER 2176 * As above, except this suppresses all write attempts, and forces 2177 * all ciphertext into the pending ciphertext buffer. 2178 * 2179 */ 2180 static PRInt32 2181 ssl3_SendRecord( sslSocket * ss, 2182 SSL3ContentType type, 2183 const SSL3Opaque * pIn, /* input buffer */ 2184 PRInt32 nIn, /* bytes of input */ 2185 PRInt32 flags) 2186 { 2187 sslBuffer * wrBuf = &ss->sec.writeBuf; 2188 SECStatus rv; 2189 PRInt32 totalSent = 0; 2190 2191 SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s nIn=%d", 2192 SSL_GETPID(), ss->fd, ssl3_DecodeContentType(type), 2193 nIn)); 2194 PRINT_BUF(3, (ss, "Send record (plain text)", pIn, nIn)); 2195 2196 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); 2197 2198 if (ss->ssl3.initialized == PR_FALSE) { 2199 /* This can happen on a server if the very first incoming record 2200 ** looks like a defective ssl3 record (e.g. too long), and we're 2201 ** trying to send an alert. 2202 */ 2203 PR_ASSERT(type == content_alert); 2204 rv = ssl3_InitState(ss); 2205 if (rv != SECSuccess) { 2206 return SECFailure; /* ssl3_InitState has set the error code. */ 2207 } 2208 } 2209 2210 /* check for Token Presence */ 2211 if (!ssl3_ClientAuthTokenPresent(ss->sec.ci.sid)) { 2212 PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL); 2213 return SECFailure; 2214 } 2215 2216 while (nIn > 0) { 2217 PRUint32 contentLen = PR_MIN(nIn, MAX_FRAGMENT_LENGTH); 2218 2219 if (wrBuf->space < contentLen + SSL3_BUFFER_FUDGE) { 2220 PRInt32 newSpace = PR_MAX(wrBuf->space * 2, contentLen); 2221 newSpace = PR_MIN(newSpace, MAX_FRAGMENT_LENGTH); 2222 newSpace += SSL3_BUFFER_FUDGE; 2223 rv = sslBuffer_Grow(wrBuf, newSpace); 2224 if (rv != SECSuccess) { 2225 SSL_DBG(("%d: SSL3[%d]: SendRecord, tried to get %d bytes", 2226 SSL_GETPID(), ss->fd, newSpace)); 2227 return SECFailure; /* sslBuffer_Grow set a memory error code. */ 2228 } 2229 } 2230 2231 rv = ssl3_CompressMACEncryptRecord( ss, type, pIn, contentLen); 2232 if (rv != SECSuccess) 2233 return SECFailure; 2234 2235 pIn += contentLen; 2236 nIn -= contentLen; 2237 PORT_Assert( nIn >= 0 ); 2238 2239 PRINT_BUF(50, (ss, "send (encrypted) record data:", wrBuf->buf, wrBuf->len)); 2240 2241 /* If there's still some previously saved ciphertext, 2242 * or the caller doesn't want us to send the data yet, 2243 * then add all our new ciphertext to the amount previously saved. 2244 */ 2245 if ((ss->pendingBuf.len > 0) || 2246 (flags & ssl_SEND_FLAG_FORCE_INTO_BUFFER)) { 2247 2248 rv = ssl_SaveWriteData(ss, wrBuf->buf, wrBuf->len); 2249 if (rv != SECSuccess) { 2250 /* presumably a memory error, SEC_ERROR_NO_MEMORY */ 2251 return SECFailure; 2252 } 2253 wrBuf->len = 0; /* All cipher text is saved away. */ 2254 2255 if (!(flags & ssl_SEND_FLAG_FORCE_INTO_BUFFER)) { 2256 PRInt32 sent; 2257 ss->handshakeBegun = 1; 2258 sent = ssl_SendSavedWriteData(ss); 2259 if (sent < 0 && PR_GetError() != PR_WOULD_BLOCK_ERROR) { 2260 ssl_MapLowLevelError(SSL_ERROR_SOCKET_WRITE_FAILURE); 2261 return SECFailure; 2262 } 2263 if (ss->pendingBuf.len) { 2264 flags |= ssl_SEND_FLAG_FORCE_INTO_BUFFER; 2265 } 2266 } 2267 } else if (wrBuf->len > 0) { 2268 PRInt32 sent; 2269 ss->handshakeBegun = 1; 2270 sent = ssl_DefSend(ss, wrBuf->buf, wrBuf->len, 2271 flags & ~ssl_SEND_FLAG_MASK); 2272 if (sent < 0) { 2273 if (PR_GetError() != PR_WOULD_BLOCK_ERROR) { 2274 ssl_MapLowLevelError(SSL_ERROR_SOCKET_WRITE_FAILURE); 2275 return SECFailure; 2276 } 2277 /* we got PR_WOULD_BLOCK_ERROR, which means none was sent. */ 2278 sent = 0; 2279 } 2280 wrBuf->len -= sent; 2281 if (wrBuf->len) { 2282 /* now take all the remaining unsent new ciphertext and 2283 * append it to the buffer of previously unsent ciphertext. 2284 */ 2285 rv = ssl_SaveWriteData(ss, wrBuf->buf + sent, wrBuf->len); 2286 if (rv != SECSuccess) { 2287 /* presumably a memory error, SEC_ERROR_NO_MEMORY */ 2288 return SECFailure; 2289 } 2290 } 2291 } 2292 totalSent += contentLen; 2293 } 2294 return totalSent; 2295 } 2296 2297 #define SSL3_PENDING_HIGH_WATER 1024 2298 2299 /* Attempt to send the content of "in" in an SSL application_data record. 2300 * Returns "len" or SECFailure, never SECWouldBlock, nor SECSuccess. 2301 */ 2302 int 2303 ssl3_SendApplicationData(sslSocket *ss, const unsigned char *in, 2304 PRInt32 len, PRInt32 flags) 2305 { 2306 PRInt32 totalSent = 0; 2307 PRInt32 discarded = 0; 2308 2309 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); 2310 if (len < 0 || !in) { 2311 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); 2312 return SECFailure; 2313 } 2314 2315 if (ss->pendingBuf.len > SSL3_PENDING_HIGH_WATER && 2316 !ssl_SocketIsBlocking(ss)) { 2317 PORT_Assert(!ssl_SocketIsBlocking(ss)); 2318 PORT_SetError(PR_WOULD_BLOCK_ERROR); 2319 return SECFailure; 2320 } 2321 2322 if (ss->appDataBuffered && len) { 2323 PORT_Assert (in[0] == (unsigned char)(ss->appDataBuffered)); 2324 if (in[0] != (unsigned char)(ss->appDataBuffered)) { 2325 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); 2326 return SECFailure; 2327 } 2328 in++; 2329 len--; 2330 discarded = 1; 2331 } 2332 while (len > totalSent) { 2333 PRInt32 sent, toSend; 2334 2335 if (totalSent > 0) { 2336 /* 2337 * The thread yield is intended to give the reader thread a 2338 * chance to get some cycles while the writer thread is in 2339 * the middle of a large application data write. (See 2340 * Bugzilla bug 127740, comment #1.) 2341 */ 2342 ssl_ReleaseXmitBufLock(ss); 2343 PR_Sleep(PR_INTERVAL_NO_WAIT); /* PR_Yield(); */ 2344 ssl_GetXmitBufLock(ss); 2345 } 2346 toSend = PR_MIN(len - totalSent, MAX_FRAGMENT_LENGTH); 2347 sent = ssl3_SendRecord(ss, content_application_data, 2348 in + totalSent, toSend, flags); 2349 if (sent < 0) { 2350 if (totalSent > 0 && PR_GetError() == PR_WOULD_BLOCK_ERROR) { 2351 PORT_Assert(ss->lastWriteBlocked); 2352 break; 2353 } 2354 return SECFailure; /* error code set by ssl3_SendRecord */ 2355 } 2356 totalSent += sent; 2357 if (ss->pendingBuf.len) { 2358 /* must be a non-blocking socket */ 2359 PORT_Assert(!ssl_SocketIsBlocking(ss)); 2360 PORT_Assert(ss->lastWriteBlocked); 2361 break; 2362 } 2363 } 2364 if (ss->pendingBuf.len) { 2365 /* Must be non-blocking. */ 2366 PORT_Assert(!ssl_SocketIsBlocking(ss)); 2367 if (totalSent > 0) { 2368 ss->appDataBuffered = 0x100 | in[totalSent - 1]; 2369 } 2370 2371 totalSent = totalSent + discarded - 1; 2372 if (totalSent <= 0) { 2373 PORT_SetError(PR_WOULD_BLOCK_ERROR); 2374 totalSent = SECFailure; 2375 } 2376 return totalSent; 2377 } 2378 ss->appDataBuffered = 0; 2379 return totalSent + discarded; 2380 } 2381 2382 /* Attempt to send the content of sendBuf buffer in an SSL handshake record. 2383 * This function returns SECSuccess or SECFailure, never SECWouldBlock. 2384 * Always set sendBuf.len to 0, even when returning SECFailure. 2385 * 2386 * Called from SSL3_SendAlert(), ssl3_SendChangeCipherSpecs(), 2387 * ssl3_AppendHandshake(), ssl3_SendClientHello(), 2388 * ssl3_SendHelloRequest(), ssl3_SendServerHelloDone(), 2389 * ssl3_SendFinished(), 2390 */ 2391 static SECStatus 2392 ssl3_FlushHandshake(sslSocket *ss, PRInt32 flags) 2393 { 2394 PRInt32 rv = SECSuccess; 2395 2396 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 2397 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); 2398 2399 if (!ss->sec.ci.sendBuf.buf || !ss->sec.ci.sendBuf.len) 2400 return rv; 2401 2402 /* only this flag is allowed */ 2403 PORT_Assert(!(flags & ~ssl_SEND_FLAG_FORCE_INTO_BUFFER)); 2404 if ((flags & ~ssl_SEND_FLAG_FORCE_INTO_BUFFER) != 0) { 2405 PORT_SetError(SEC_ERROR_INVALID_ARGS); 2406 rv = SECFailure; 2407 } else { 2408 rv = ssl3_SendRecord(ss, content_handshake, ss->sec.ci.sendBuf.buf, 2409 ss->sec.ci.sendBuf.len, flags); 2410 } 2411 if (rv < 0) { 2412 int err = PORT_GetError(); 2413 PORT_Assert(err != PR_WOULD_BLOCK_ERROR); 2414 if (err == PR_WOULD_BLOCK_ERROR) { 2415 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 2416 } 2417 } else if (rv < ss->sec.ci.sendBuf.len) { 2418 /* short write should never happen */ 2419 PORT_Assert(rv >= ss->sec.ci.sendBuf.len); 2420 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 2421 rv = SECFailure; 2422 } else { 2423 rv = SECSuccess; 2424 } 2425 2426 /* Whether we succeeded or failed, toss the old handshake data. */ 2427 ss->sec.ci.sendBuf.len = 0; 2428 return rv; 2429 } 2430 2431 /* 2432 * Called from ssl3_HandleAlert and from ssl3_HandleCertificate when 2433 * the remote client sends a negative response to our certificate request. 2434 * Returns SECFailure if the application has required client auth. 2435 * SECSuccess otherwise. 2436 */ 2437 static SECStatus 2438 ssl3_HandleNoCertificate(sslSocket *ss) 2439 { 2440 if (ss->sec.peerCert != NULL) { 2441 if (ss->sec.peerKey != NULL) { 2442 SECKEY_DestroyPublicKey(ss->sec.peerKey); 2443 ss->sec.peerKey = NULL; 2444 } 2445 CERT_DestroyCertificate(ss->sec.peerCert); 2446 ss->sec.peerCert = NULL; 2447 } 2448 ssl3_CleanupPeerCerts(ss); 2449 2450 /* If the server has required client-auth blindly but doesn't 2451 * actually look at the certificate it won't know that no 2452 * certificate was presented so we shutdown the socket to ensure 2453 * an error. We only do this if we haven't already completed the 2454 * first handshake because if we're redoing the handshake we 2455 * know the server is paying attention to the certificate. 2456 */ 2457 if ((ss->opt.requireCertificate == SSL_REQUIRE_ALWAYS) || 2458 (!ss->firstHsDone && 2459 (ss->opt.requireCertificate == SSL_REQUIRE_FIRST_HANDSHAKE))) { 2460 PRFileDesc * lower; 2461 2462 ss->sec.uncache(ss->sec.ci.sid); 2463 SSL3_SendAlert(ss, alert_fatal, bad_certificate); 2464 2465 lower = ss->fd->lower; 2466 #ifdef _WIN32 2467 lower->methods->shutdown(lower, PR_SHUTDOWN_SEND); 2468 #else 2469 lower->methods->shutdown(lower, PR_SHUTDOWN_BOTH); 2470 #endif 2471 PORT_SetError(SSL_ERROR_NO_CERTIFICATE); 2472 return SECFailure; 2473 } 2474 return SECSuccess; 2475 } 2476 2477 /************************************************************************ 2478 * Alerts 2479 */ 2480 2481 /* 2482 ** Acquires both handshake and XmitBuf locks. 2483 ** Called from: ssl3_IllegalParameter <- 2484 ** ssl3_HandshakeFailure <- 2485 ** ssl3_HandleAlert <- ssl3_HandleRecord. 2486 ** ssl3_HandleChangeCipherSpecs <- ssl3_HandleRecord 2487 ** ssl3_ConsumeHandshakeVariable <- 2488 ** ssl3_HandleHelloRequest <- 2489 ** ssl3_HandleServerHello <- 2490 ** ssl3_HandleServerKeyExchange <- 2491 ** ssl3_HandleCertificateRequest <- 2492 ** ssl3_HandleServerHelloDone <- 2493 ** ssl3_HandleClientHello <- 2494 ** ssl3_HandleV2ClientHello <- 2495 ** ssl3_HandleCertificateVerify <- 2496 ** ssl3_HandleClientKeyExchange <- 2497 ** ssl3_HandleCertificate <- 2498 ** ssl3_HandleFinished <- 2499 ** ssl3_HandleHandshakeMessage <- 2500 ** ssl3_HandleRecord <- 2501 ** 2502 */ 2503 SECStatus 2504 SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level, SSL3AlertDescription desc) 2505 { 2506 uint8 bytes[2]; 2507 SECStatus rv; 2508 2509 SSL_TRC(3, ("%d: SSL3[%d]: send alert record, level=%d desc=%d", 2510 SSL_GETPID(), ss->fd, level, desc)); 2511 2512 bytes[0] = level; 2513 bytes[1] = desc; 2514 2515 ssl_GetSSL3HandshakeLock(ss); 2516 if (level == alert_fatal) { 2517 if (ss->sec.ci.sid) { 2518 ss->sec.uncache(ss->sec.ci.sid); 2519 } 2520 } 2521 ssl_GetXmitBufLock(ss); 2522 rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER); 2523 if (rv == SECSuccess) { 2524 PRInt32 sent; 2525 sent = ssl3_SendRecord(ss, content_alert, bytes, 2, 2526 desc == no_certificate 2527 ? ssl_SEND_FLAG_FORCE_INTO_BUFFER : 0); 2528 rv = (sent >= 0) ? SECSuccess : (SECStatus)sent; 2529 } 2530 ssl_ReleaseXmitBufLock(ss); 2531 ssl_ReleaseSSL3HandshakeLock(ss); 2532 return rv; /* error set by ssl3_FlushHandshake or ssl3_SendRecord */ 2533 } 2534 2535 /* 2536 * Send illegal_parameter alert. Set generic error number. 2537 */ 2538 static SECStatus 2539 ssl3_IllegalParameter(sslSocket *ss) 2540 { 2541 PRBool isTLS; 2542 2543 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); 2544 (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter); 2545 PORT_SetError(ss->sec.isServer ? SSL_ERROR_BAD_CLIENT 2546 : SSL_ERROR_BAD_SERVER ); 2547 return SECFailure; 2548 } 2549 2550 /* 2551 * Send handshake_Failure alert. Set generic error number. 2552 */ 2553 static SECStatus 2554 ssl3_HandshakeFailure(sslSocket *ss) 2555 { 2556 (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure); 2557 PORT_SetError( ss->sec.isServer ? SSL_ERROR_BAD_CLIENT 2558 : SSL_ERROR_BAD_SERVER ); 2559 return SECFailure; 2560 } 2561 2562 /* 2563 * Send handshake_Failure alert. Set generic error number. 2564 */ 2565 static SECStatus 2566 ssl3_DecodeError(sslSocket *ss) 2567 { 2568 (void)SSL3_SendAlert(ss, alert_fatal, 2569 ss->version > SSL_LIBRARY_VERSION_3_0 ? decode_error 2570 : illegal_parameter); 2571 PORT_SetError( ss->sec.isServer ? SSL_ERROR_BAD_CLIENT 2572 : SSL_ERROR_BAD_SERVER ); 2573 return SECFailure; 2574 } 2575 2576 /* Called from ssl3_HandleRecord. 2577 ** Caller must hold both RecvBuf and Handshake locks. 2578 */ 2579 static SECStatus 2580 ssl3_HandleAlert(sslSocket *ss, sslBuffer *buf) 2581 { 2582 SSL3AlertLevel level; 2583 SSL3AlertDescription desc; 2584 int error; 2585 2586 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 2587 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 2588 2589 SSL_TRC(3, ("%d: SSL3[%d]: handle alert record", SSL_GETPID(), ss->fd)); 2590 2591 if (buf->len != 2) { 2592 (void)ssl3_DecodeError(ss); 2593 PORT_SetError(SSL_ERROR_RX_MALFORMED_ALERT); 2594 return SECFailure; 2595 } 2596 level = (SSL3AlertLevel)buf->buf[0]; 2597 desc = (SSL3AlertDescription)buf->buf[1]; 2598 buf->len = 0; 2599 SSL_TRC(5, ("%d: SSL3[%d] received alert, level = %d, description = %d", 2600 SSL_GETPID(), ss->fd, level, desc)); 2601 2602 switch (desc) { 2603 case close_notify: ss->recvdCloseNotify = 1; 2604 error = SSL_ERROR_CLOSE_NOTIFY_ALERT; break; 2605 case unexpected_message: error = SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT; 2606 break; 2607 case bad_record_mac: error = SSL_ERROR_BAD_MAC_ALERT; break; 2608 case decryption_failed: error = SSL_ERROR_DECRYPTION_FAILED_ALERT; 2609 break; 2610 case record_overflow: error = SSL_ERROR_RECORD_OVERFLOW_ALERT; break; 2611 case decompression_failure: error = SSL_ERROR_DECOMPRESSION_FAILURE_ALERT; 2612 break; 2613 case handshake_failure: error = SSL_ERROR_HANDSHAKE_FAILURE_ALERT; 2614 break; 2615 case no_certificate: error = SSL_ERROR_NO_CERTIFICATE; break; 2616 case bad_certificate: error = SSL_ERROR_BAD_CERT_ALERT; break; 2617 case unsupported_certificate:error = SSL_ERROR_UNSUPPORTED_CERT_ALERT;break; 2618 case certificate_revoked: error = SSL_ERROR_REVOKED_CERT_ALERT; break; 2619 case certificate_expired: error = SSL_ERROR_EXPIRED_CERT_ALERT; break; 2620 case certificate_unknown: error = SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT; 2621 break; 2622 case illegal_parameter: error = SSL_ERROR_ILLEGAL_PARAMETER_ALERT;break; 2623 2624 /* All alerts below are TLS only. */ 2625 case unknown_ca: error = SSL_ERROR_UNKNOWN_CA_ALERT; break; 2626 case access_denied: error = SSL_ERROR_ACCESS_DENIED_ALERT; break; 2627 case decode_error: error = SSL_ERROR_DECODE_ERROR_ALERT; break; 2628 case decrypt_error: error = SSL_ERROR_DECRYPT_ERROR_ALERT; break; 2629 case export_restriction: error = SSL_ERROR_EXPORT_RESTRICTION_ALERT; 2630 break; 2631 case protocol_version: error = SSL_ERROR_PROTOCOL_VERSION_ALERT; break; 2632 case insufficient_security: error = SSL_ERROR_INSUFFICIENT_SECURITY_ALERT; 2633 break; 2634 case internal_error: error = SSL_ERROR_INTERNAL_ERROR_ALERT; break; 2635 case user_canceled: error = SSL_ERROR_USER_CANCELED_ALERT; break; 2636 case no_renegotiation: error = SSL_ERROR_NO_RENEGOTIATION_ALERT; break; 2637 2638 /* Alerts for TLS client hello extensions */ 2639 case unsupported_extension: 2640 error = SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT; break; 2641 case certificate_unobtainable: 2642 error = SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT; break; 2643 case unrecognized_name: 2644 error = SSL_ERROR_UNRECOGNIZED_NAME_ALERT; break; 2645 case bad_certificate_status_response: 2646 error = SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT; break; 2647 case bad_certificate_hash_value: 2648 error = SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT; break; 2649 default: error = SSL_ERROR_RX_UNKNOWN_ALERT; break; 2650 } 2651 if (level == alert_fatal) { 2652 ss->sec.uncache(ss->sec.ci.sid); 2653 if ((ss->ssl3.hs.ws == wait_server_hello) && 2654 (desc == handshake_failure)) { 2655 /* XXX This is a hack. We're assuming that any handshake failure 2656 * XXX on the client hello is a failure to match ciphers. 2657 */ 2658 error = SSL_ERROR_NO_CYPHER_OVERLAP; 2659 } 2660 PORT_SetError(error); 2661 return SECFailure; 2662 } 2663 if ((desc == no_certificate) && (ss->ssl3.hs.ws == wait_client_cert)) { 2664 /* I'm a server. I've requested a client cert. He hasn't got one. */ 2665 SECStatus rv; 2666 2667 PORT_Assert(ss->sec.isServer); 2668 ss->ssl3.hs.ws = wait_client_key; 2669 rv = ssl3_HandleNoCertificate(ss); 2670 return rv; 2671 } 2672 return SECSuccess; 2673 } 2674 2675 /* 2676 * Change Cipher Specs 2677 * Called from ssl3_HandleServerHelloDone, 2678 * ssl3_HandleClientHello, 2679 * and ssl3_HandleFinished 2680 * 2681 * Acquires and releases spec write lock, to protect switching the current 2682 * and pending write spec pointers. 2683 */ 2684 2685 static SECStatus 2686 ssl3_SendChangeCipherSpecs(sslSocket *ss) 2687 { 2688 uint8 change = change_cipher_spec_choice; 2689 ssl3CipherSpec * pwSpec; 2690 SECStatus rv; 2691 PRInt32 sent; 2692 2693 SSL_TRC(3, ("%d: SSL3[%d]: send change_cipher_spec record", 2694 SSL_GETPID(), ss->fd)); 2695 2696 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); 2697 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 2698 2699 rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER); 2700 if (rv != SECSuccess) { 2701 return rv; /* error code set by ssl3_FlushHandshake */ 2702 } 2703 sent = ssl3_SendRecord(ss, content_change_cipher_spec, &change, 1, 2704 ssl_SEND_FLAG_FORCE_INTO_BUFFER); 2705 if (sent < 0) { 2706 return (SECStatus)sent; /* error code set by ssl3_SendRecord */ 2707 } 2708 2709 /* swap the pending and current write specs. */ 2710 ssl_GetSpecWriteLock(ss); /**************************************/ 2711 pwSpec = ss->ssl3.pwSpec; 2712 pwSpec->write_seq_num.high = 0; 2713 pwSpec->write_seq_num.low = 0; 2714 2715 ss->ssl3.pwSpec = ss->ssl3.cwSpec; 2716 ss->ssl3.cwSpec = pwSpec; 2717 2718 SSL_TRC(3, ("%d: SSL3[%d] Set Current Write Cipher Suite to Pending", 2719 SSL_GETPID(), ss->fd )); 2720 2721 /* We need to free up the contexts, keys and certs ! */ 2722 /* If we are really through with the old cipher spec 2723 * (Both the read and write sides have changed) destroy it. 2724 */ 2725 if (ss->ssl3.prSpec == ss->ssl3.pwSpec) { 2726 ssl3_DestroyCipherSpec(ss->ssl3.pwSpec); 2727 } 2728 ssl_ReleaseSpecWriteLock(ss); /**************************************/ 2729 2730 return SECSuccess; 2731 } 2732 2733 /* Called from ssl3_HandleRecord. 2734 ** Caller must hold both RecvBuf and Handshake locks. 2735 * 2736 * Acquires and releases spec write lock, to protect switching the current 2737 * and pending write spec pointers. 2738 */ 2739 static SECStatus 2740 ssl3_HandleChangeCipherSpecs(sslSocket *ss, sslBuffer *buf) 2741 { 2742 ssl3CipherSpec * prSpec; 2743 SSL3WaitState ws = ss->ssl3.hs.ws; 2744 SSL3ChangeCipherSpecChoice change; 2745 2746 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 2747 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 2748 2749 SSL_TRC(3, ("%d: SSL3[%d]: handle change_cipher_spec record", 2750 SSL_GETPID(), ss->fd)); 2751 2752 if (ws != wait_change_cipher) { 2753 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); 2754 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER); 2755 return SECFailure; 2756 } 2757 2758 if(buf->len != 1) { 2759 (void)ssl3_DecodeError(ss); 2760 PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); 2761 return SECFailure; 2762 } 2763 change = (SSL3ChangeCipherSpecChoice)buf->buf[0]; 2764 if (change != change_cipher_spec_choice) { 2765 /* illegal_parameter is correct here for both SSL3 and TLS. */ 2766 (void)ssl3_IllegalParameter(ss); 2767 PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); 2768 return SECFailure; 2769 } 2770 buf->len = 0; 2771 2772 /* Swap the pending and current read specs. */ 2773 ssl_GetSpecWriteLock(ss); /*************************************/ 2774 prSpec = ss->ssl3.prSpec; 2775 prSpec->read_seq_num.high = prSpec->read_seq_num.low = 0; 2776 2777 ss->ssl3.prSpec = ss->ssl3.crSpec; 2778 ss->ssl3.crSpec = prSpec; 2779 ss->ssl3.hs.ws = wait_finished; 2780 2781 SSL_TRC(3, ("%d: SSL3[%d] Set Current Read Cipher Suite to Pending", 2782 SSL_GETPID(), ss->fd )); 2783 2784 /* If we are really through with the old cipher prSpec 2785 * (Both the read and write sides have changed) destroy it. 2786 */ 2787 if (ss->ssl3.prSpec == ss->ssl3.pwSpec) { 2788 ssl3_DestroyCipherSpec(ss->ssl3.prSpec); 2789 } 2790 ssl_ReleaseSpecWriteLock(ss); /*************************************/ 2791 return SECSuccess; 2792 } 2793 2794 /* This method uses PKCS11 to derive the MS from the PMS, where PMS 2795 ** is a PKCS11 symkey. This is used in all cases except the 2796 ** "triple bypass" with RSA key exchange. 2797 ** Called from ssl3_InitPendingCipherSpec. prSpec is pwSpec. 2798 */ 2799 static SECStatus 2800 ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms) 2801 { 2802 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec; 2803 const ssl3KEADef *kea_def= ss->ssl3.hs.kea_def; 2804 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random; 2805 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random; 2806 PRBool isTLS = (PRBool)(kea_def->tls_keygen || 2807 (pwSpec->version > SSL_LIBRARY_VERSION_3_0)); 2808 /* 2809 * Whenever isDH is true, we need to use CKM_TLS_MASTER_KEY_DERIVE_DH 2810 * which, unlike CKM_TLS_MASTER_KEY_DERIVE, converts arbitrary size 2811 * data into a 48-byte value. 2812 */ 2813 PRBool isDH = (PRBool) ((ss->ssl3.hs.kea_def->exchKeyType == kt_dh) || 2814 (ss->ssl3.hs.kea_def->exchKeyType == kt_ecdh)); 2815 SECStatus rv = SECFailure; 2816 CK_MECHANISM_TYPE master_derive; 2817 CK_MECHANISM_TYPE key_derive; 2818 SECItem params; 2819 CK_FLAGS keyFlags; 2820 CK_VERSION pms_version; 2821 CK_SSL3_MASTER_KEY_DERIVE_PARAMS master_params; 2822 2823 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 2824 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); 2825 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); 2826 if (isTLS) { 2827 if(isDH) master_derive = CKM_TLS_MASTER_KEY_DERIVE_DH; 2828 else master_derive = CKM_TLS_MASTER_KEY_DERIVE; 2829 key_derive = CKM_TLS_KEY_AND_MAC_DERIVE; 2830 keyFlags = CKF_SIGN | CKF_VERIFY; 2831 } else { 2832 if (isDH) master_derive = CKM_SSL3_MASTER_KEY_DERIVE_DH; 2833 else master_derive = CKM_SSL3_MASTER_KEY_DERIVE; 2834 key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE; 2835 keyFlags = 0; 2836 } 2837 2838 if (pms || !pwSpec->master_secret) { 2839 master_params.pVersion = &pms_version; 2840 master_params.RandomInfo.pClientRandom = cr; 2841 master_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH; 2842 master_params.RandomInfo.pServerRandom = sr; 2843 master_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH; 2844 2845 params.data = (unsigned char *) &master_params; 2846 params.len = sizeof master_params; 2847 } 2848 2849 if (pms != NULL) { 2850 #if defined(TRACE) 2851 if (ssl_trace >= 100) { 2852 SECStatus extractRV = PK11_ExtractKeyValue(pms); 2853 if (extractRV == SECSuccess) { 2854 SECItem * keyData = PK11_GetKeyData(pms); 2855 if (keyData && keyData->data && keyData->len) { 2856 ssl_PrintBuf(ss, "Pre-Master Secret", 2857 keyData->data, keyData->len); 2858 } 2859 } 2860 } 2861 #endif 2862 pwSpec->master_secret = PK11_DeriveWithFlags(pms, master_derive, 2863 ¶ms, key_derive, CKA_DERIVE, 0, keyFlags); 2864 if (!isDH && pwSpec->master_secret && ss->opt.detectRollBack) { 2865 SSL3ProtocolVersion client_version; 2866 client_version = pms_version.major << 8 | pms_version.minor; 2867 if (client_version != ss->clientHelloVersion) { 2868 /* Destroy it. Version roll-back detected. */ 2869 PK11_FreeSymKey(pwSpec->master_secret); 2870 pwSpec->master_secret = NULL; 2871 } 2872 } 2873 if (pwSpec->master_secret == NULL) { 2874 /* Generate a faux master secret in the same slot as the old one. */ 2875 PK11SlotInfo * slot = PK11_GetSlotFromKey((PK11SymKey *)pms); 2876 PK11SymKey * fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot); 2877 2878 PK11_FreeSlot(slot); 2879 if (fpms != NULL) { 2880 pwSpec->master_secret = PK11_DeriveWithFlags(fpms, 2881 master_derive, ¶ms, key_derive, 2882 CKA_DERIVE, 0, keyFlags); 2883 PK11_FreeSymKey(fpms); 2884 } 2885 } 2886 } 2887 if (pwSpec->master_secret == NULL) { 2888 /* Generate a faux master secret from the internal slot. */ 2889 PK11SlotInfo * slot = PK11_GetInternalSlot(); 2890 PK11SymKey * fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot); 2891 2892 PK11_FreeSlot(slot); 2893 if (fpms != NULL) { 2894 pwSpec->master_secret = PK11_DeriveWithFlags(fpms, 2895 master_derive, ¶ms, key_derive, 2896 CKA_DERIVE, 0, keyFlags); 2897 if (pwSpec->master_secret == NULL) { 2898 pwSpec->master_secret = fpms; /* use the fpms as the master. */ 2899 fpms = NULL; 2900 } 2901 } 2902 if (fpms) { 2903 PK11_FreeSymKey(fpms); 2904 } 2905 } 2906 if (pwSpec->master_secret == NULL) { 2907 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); 2908 return rv; 2909 } 2910 if (ss->opt.bypassPKCS11) { 2911 SECItem * keydata; 2912 /* In hope of doing a "double bypass", 2913 * need to extract the master secret's value from the key object 2914 * and store it raw in the sslSocket struct. 2915 */ 2916 rv = PK11_ExtractKeyValue(pwSpec->master_secret); 2917 if (rv != SECSuccess) { 2918 #if defined(NSS_SURVIVE_DOUBLE_BYPASS_FAILURE) 2919 /* The double bypass failed. 2920 * Attempt to revert to an all PKCS#11, non-bypass method. 2921 * Do we need any unacquired locks here? 2922 */ 2923 ss->opt.bypassPKCS11 = 0; 2924 rv = ssl3_NewHandshakeHashes(ss); 2925 if (rv == SECSuccess) { 2926 rv = ssl3_UpdateHandshakeHashes(ss, ss->ssl3.hs.messages.buf, 2927 ss->ssl3.hs.messages.len); 2928 } 2929 #endif 2930 return rv; 2931 } 2932 /* This returns the address of the secItem inside the key struct, 2933 * not a copy or a reference. So, there's no need to free it. 2934 */ 2935 keydata = PK11_GetKeyData(pwSpec->master_secret); 2936 if (keydata && keydata->len <= sizeof pwSpec->raw_master_secret) { 2937 memcpy(pwSpec->raw_master_secret, keydata->data, keydata->len); 2938 pwSpec->msItem.data = pwSpec->raw_master_secret; 2939 pwSpec->msItem.len = keydata->len; 2940 } else { 2941 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 2942 return SECFailure; 2943 } 2944 } 2945 return SECSuccess; 2946 } 2947 2948 2949 /* 2950 * Derive encryption and MAC Keys (and IVs) from master secret 2951 * Sets a useful error code when returning SECFailure. 2952 * 2953 * Called only from ssl3_InitPendingCipherSpec(), 2954 * which in turn is called from 2955 * sendRSAClientKeyExchange (for Full handshake) 2956 * sendDHClientKeyExchange (for Full handshake) 2957 * ssl3_HandleClientKeyExchange (for Full handshake) 2958 * ssl3_HandleServerHello (for session restart) 2959 * ssl3_HandleClientHello (for session restart) 2960 * Caller MUST hold the specWriteLock, and SSL3HandshakeLock. 2961 * ssl3_InitPendingCipherSpec does that. 2962 * 2963 */ 2964 static SECStatus 2965 ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss) 2966 { 2967 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec; 2968 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; 2969 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random; 2970 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random; 2971 PRBool isTLS = (PRBool)(kea_def->tls_keygen || 2972 (pwSpec->version > SSL_LIBRARY_VERSION_3_0)); 2973 /* following variables used in PKCS11 path */ 2974 const ssl3BulkCipherDef *cipher_def = pwSpec->cipher_def; 2975 PK11SlotInfo * slot = NULL; 2976 PK11SymKey * symKey = NULL; 2977 void * pwArg = ss->pkcs11PinArg; 2978 int keySize; 2979 CK_SSL3_KEY_MAT_PARAMS key_material_params; 2980 CK_SSL3_KEY_MAT_OUT returnedKeys; 2981 CK_MECHANISM_TYPE key_derive; 2982 CK_MECHANISM_TYPE bulk_mechanism; 2983 SSLCipherAlgorithm calg; 2984 SECItem params; 2985 PRBool skipKeysAndIVs = (PRBool)(cipher_def->calg == calg_null); 2986 2987 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 2988 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); 2989 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); 2990 2991 if (!pwSpec->master_secret) { 2992 PORT_SetError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); 2993 return SECFailure; 2994 } 2995 /* 2996 * generate the key material 2997 */ 2998 key_material_params.ulMacSizeInBits = pwSpec->mac_size * BPB; 2999 key_material_params.ulKeySizeInBits = cipher_def->secret_key_size* BPB; 3000 key_material_params.ulIVSizeInBits = cipher_def->iv_size * BPB; 3001 3002 key_material_params.bIsExport = (CK_BBOOL)(kea_def->is_limited); 3003 /* was: (CK_BBOOL)(cipher_def->keygen_mode != kg_strong); */ 3004 3005 key_material_params.RandomInfo.pClientRandom = cr; 3006 key_material_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH; 3007 key_material_params.RandomInfo.pServerRandom = sr; 3008 key_material_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH; 3009 key_material_params.pReturnedKeyMaterial = &returnedKeys; 3010 3011 returnedKeys.pIVClient = pwSpec->client.write_iv; 3012 returnedKeys.pIVServer = pwSpec->server.write_iv; 3013 keySize = cipher_def->key_size; 3014 3015 if (skipKeysAndIVs) { 3016 keySize = 0; 3017 key_material_params.ulKeySizeInBits = 0; 3018 key_material_params.ulIVSizeInBits = 0; 3019 returnedKeys.pIVClient = NULL; 3020 returnedKeys.pIVServer = NULL; 3021 } 3022 3023 calg = cipher_def->calg; 3024 PORT_Assert( alg2Mech[calg].calg == calg); 3025 bulk_mechanism = alg2Mech[calg].cmech; 3026 3027 params.data = (unsigned char *)&key_material_params; 3028 params.len = sizeof(key_material_params); 3029 3030 if (isTLS) { 3031 key_derive = CKM_TLS_KEY_AND_MAC_DERIVE; 3032 } else { 3033 key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE; 3034 } 3035 3036 /* CKM_SSL3_KEY_AND_MAC_DERIVE is defined to set ENCRYPT, DECRYPT, and 3037 * DERIVE by DEFAULT */ 3038 symKey = PK11_Derive(pwSpec->master_secret, key_derive, ¶ms, 3039 bulk_mechanism, CKA_ENCRYPT, keySize); 3040 if (!symKey) { 3041 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); 3042 return SECFailure; 3043 } 3044 /* we really should use the actual mac'ing mechanism here, but we 3045 * don't because these types are used to map keytype anyway and both 3046 * mac's map to the same keytype. 3047 */ 3048 slot = PK11_GetSlotFromKey(symKey); 3049 3050 PK11_FreeSlot(slot); /* slot is held until the key is freed */ 3051 pwSpec->client.write_mac_key = 3052 PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive, 3053 CKM_SSL3_SHA1_MAC, returnedKeys.hClientMacSecret, PR_TRUE, pwArg); 3054 if (pwSpec->client.write_mac_key == NULL ) { 3055 goto loser; /* loser sets err */ 3056 } 3057 pwSpec->server.write_mac_key = 3058 PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive, 3059 CKM_SSL3_SHA1_MAC, returnedKeys.hServerMacSecret, PR_TRUE, pwArg); 3060 if (pwSpec->server.write_mac_key == NULL ) { 3061 goto loser; /* loser sets err */ 3062 } 3063 if (!skipKeysAndIVs) { 3064 pwSpec->client.write_key = 3065 PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive, 3066 bulk_mechanism, returnedKeys.hClientKey, PR_TRUE, pwArg); 3067 if (pwSpec->client.write_key == NULL ) { 3068 goto loser; /* loser sets err */ 3069 } 3070 pwSpec->server.write_key = 3071 PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive, 3072 bulk_mechanism, returnedKeys.hServerKey, PR_TRUE, pwArg); 3073 if (pwSpec->server.write_key == NULL ) { 3074 goto loser; /* loser sets err */ 3075 } 3076 } 3077 PK11_FreeSymKey(symKey); 3078 return SECSuccess; 3079 3080 3081 loser: 3082 if (symKey) PK11_FreeSymKey(symKey); 3083 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); 3084 return SECFailure; 3085 } 3086 3087 static SECStatus 3088 ssl3_RestartHandshakeHashes(sslSocket *ss) 3089 { 3090 SECStatus rv = SECSuccess; 3091 3092 if (ss->opt.bypassPKCS11) { 3093 ss->ssl3.hs.messages.len = 0; 3094 MD5_Begin((MD5Context *)ss->ssl3.hs.md5_cx); 3095 SHA1_Begin((SHA1Context *)ss->ssl3.hs.sha_cx); 3096 } else { 3097 rv = PK11_DigestBegin(ss->ssl3.hs.md5); 3098 if (rv != SECSuccess) { 3099 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); 3100 return rv; 3101 } 3102 rv = PK11_DigestBegin(ss->ssl3.hs.sha); 3103 if (rv != SECSuccess) { 3104 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); 3105 return rv; 3106 } 3107 } 3108 return rv; 3109 } 3110 3111 static SECStatus 3112 ssl3_NewHandshakeHashes(sslSocket *ss) 3113 { 3114 PK11Context *md5 = NULL; 3115 PK11Context *sha = NULL; 3116 3117 /* 3118 * note: We should probably lookup an SSL3 slot for these 3119 * handshake hashes in hopes that we wind up with the same slots 3120 * that the master secret will wind up in ... 3121 */ 3122 SSL_TRC(30,("%d: SSL3[%d]: start handshake hashes", SSL_GETPID(), ss->fd)); 3123 if (ss->opt.bypassPKCS11) { 3124 PORT_Assert(!ss->ssl3.hs.messages.buf && !ss->ssl3.hs.messages.space); 3125 ss->ssl3.hs.messages.buf = NULL; 3126 ss->ssl3.hs.messages.space = 0; 3127 } else { 3128 ss->ssl3.hs.md5 = md5 = PK11_CreateDigestContext(SEC_OID_MD5); 3129 ss->ssl3.hs.sha = sha = PK11_CreateDigestContext(SEC_OID_SHA1); 3130 if (md5 == NULL) { 3131 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); 3132 goto loser; 3133 } 3134 if (sha == NULL) { 3135 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); 3136 goto loser; 3137 } 3138 } 3139 if (SECSuccess == ssl3_RestartHandshakeHashes(ss)) { 3140 return SECSuccess; 3141 } 3142 3143 loser: 3144 if (md5 != NULL) { 3145 PK11_DestroyContext(md5, PR_TRUE); 3146 ss->ssl3.hs.md5 = NULL; 3147 } 3148 if (sha != NULL) { 3149 PK11_DestroyContext(sha, PR_TRUE); 3150 ss->ssl3.hs.sha = NULL; 3151 } 3152 return SECFailure; 3153 3154 } 3155 3156 /* 3157 * Handshake messages 3158 */ 3159 /* Called from ssl3_AppendHandshake() 3160 ** ssl3_StartHandshakeHash() 3161 ** ssl3_HandleV2ClientHello() 3162 ** ssl3_HandleHandshakeMessage() 3163 ** Caller must hold the ssl3Handshake lock. 3164 */ 3165 static SECStatus 3166 ssl3_UpdateHandshakeHashes(sslSocket *ss, unsigned char *b, unsigned int l) 3167 { 3168 SECStatus rv = SECSuccess; 3169 3170 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 3171 3172 PRINT_BUF(90, (NULL, "MD5 & SHA handshake hash input:", b, l)); 3173 3174 if (ss->opt.bypassPKCS11) { 3175 MD5_Update((MD5Context *)ss->ssl3.hs.md5_cx, b, l); 3176 SHA1_Update((SHA1Context *)ss->ssl3.hs.sha_cx, b, l); 3177 #if defined(NSS_SURVIVE_DOUBLE_BYPASS_FAILURE) 3178 rv = sslBuffer_Append(&ss->ssl3.hs.messages, b, l); 3179 #endif 3180 return rv; 3181 } 3182 rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l); 3183 if (rv != SECSuccess) { 3184 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); 3185 return rv; 3186 } 3187 rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l); 3188 if (rv != SECSuccess) { 3189 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); 3190 return rv; 3191 } 3192 return rv; 3193 } 3194 3195 /************************************************************************** 3196 * Append Handshake functions. 3197 * All these functions set appropriate error codes. 3198 * Most rely on ssl3_AppendHandshake to set the error code. 3199 **************************************************************************/ 3200 SECStatus 3201 ssl3_AppendHandshake(sslSocket *ss, const void *void_src, PRInt32 bytes) 3202 { 3203 unsigned char * src = (unsigned char *)void_src; 3204 int room = ss->sec.ci.sendBuf.space - ss->sec.ci.sendBuf.len; 3205 SECStatus rv; 3206 3207 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); /* protects sendBuf. */ 3208 3209 if (ss->sec.ci.sendBuf.space < MAX_SEND_BUF_LENGTH && room < bytes) { 3210 rv = sslBuffer_Grow(&ss->sec.ci.sendBuf, PR_MAX(MIN_SEND_BUF_LENGTH, 3211 PR_MIN(MAX_SEND_BUF_LENGTH, ss->sec.ci.sendBuf.len + bytes))); 3212 if (rv != SECSuccess) 3213 return rv; /* sslBuffer_Grow has set a memory error code. */ 3214 room = ss->sec.ci.sendBuf.space - ss->sec.ci.sendBuf.len; 3215 } 3216 3217 PRINT_BUF(60, (ss, "Append to Handshake", (unsigned char*)void_src, bytes)); 3218 rv = ssl3_UpdateHandshakeHashes(ss, src, bytes); 3219 if (rv != SECSuccess) 3220 return rv; /* error code set by ssl3_UpdateHandshakeHashes */ 3221 3222 while (bytes > room) { 3223 if (room > 0) 3224 PORT_Memcpy(ss->sec.ci.sendBuf.buf + ss->sec.ci.sendBuf.len, src, 3225 room); 3226 ss->sec.ci.sendBuf.len += room; 3227 rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER); 3228 if (rv != SECSuccess) { 3229 return rv; /* error code set by ssl3_FlushHandshake */ 3230 } 3231 bytes -= room; 3232 src += room; 3233 room = ss->sec.ci.sendBuf.space; 3234 PORT_Assert(ss->sec.ci.sendBuf.len == 0); 3235 } 3236 PORT_Memcpy(ss->sec.ci.sendBuf.buf + ss->sec.ci.sendBuf.len, src, bytes); 3237 ss->sec.ci.sendBuf.len += bytes; 3238 return SECSuccess; 3239 } 3240 3241 SECStatus 3242 ssl3_AppendHandshakeNumber(sslSocket *ss, PRInt32 num, PRInt32 lenSize) 3243 { 3244 SECStatus rv; 3245 uint8 b[4]; 3246 uint8 * p = b; 3247 3248 switch (lenSize) { 3249 case 4: 3250 *p++ = (num >> 24) & 0xff; 3251 case 3: 3252 *p++ = (num >> 16) & 0xff; 3253 case 2: 3254 *p++ = (num >> 8) & 0xff; 3255 case 1: 3256 *p = num & 0xff; 3257 } 3258 SSL_TRC(60, ("%d: number:", SSL_GETPID())); 3259 rv = ssl3_AppendHandshake(ss, &b[0], lenSize); 3260 return rv; /* error code set by AppendHandshake, if applicable. */ 3261 } 3262 3263 SECStatus 3264 ssl3_AppendHandshakeVariable( 3265 sslSocket *ss, const SSL3Opaque *src, PRInt32 bytes, PRInt32 lenSize) 3266 { 3267 SECStatus rv; 3268 3269 PORT_Assert((bytes < (1<<8) && lenSize == 1) || 3270 (bytes < (1L<<16) && lenSize == 2) || 3271 (bytes < (1L<<24) && lenSize == 3)); 3272 3273 SSL_TRC(60,("%d: append variable:", SSL_GETPID())); 3274 rv = ssl3_AppendHandshakeNumber(ss, bytes, lenSize); 3275 if (rv != SECSuccess) { 3276 return rv; /* error code set by AppendHandshake, if applicable. */ 3277 } 3278 SSL_TRC(60, ("data:")); 3279 rv = ssl3_AppendHandshake(ss, src, bytes); 3280 return rv; /* error code set by AppendHandshake, if applicable. */ 3281 } 3282 3283 SECStatus 3284 ssl3_AppendHandshakeHeader(sslSocket *ss, SSL3HandshakeType t, PRUint32 length) 3285 { 3286 SECStatus rv; 3287 3288 SSL_TRC(30,("%d: SSL3[%d]: append handshake header: type %s", 3289 SSL_GETPID(), ss->fd, ssl3_DecodeHandshakeType(t))); 3290 PRINT_BUF(60, (ss, "MD5 handshake hash:", 3291 (unsigned char*)ss->ssl3.hs.md5_cx, MD5_LENGTH)); 3292 PRINT_BUF(95, (ss, "SHA handshake hash:", 3293 (unsigned char*)ss->ssl3.hs.sha_cx, SHA1_LENGTH)); 3294 3295 rv = ssl3_AppendHandshakeNumber(ss, t, 1); 3296 if (rv != SECSuccess) { 3297 return rv; /* error code set by AppendHandshake, if applicable. */ 3298 } 3299 rv = ssl3_AppendHandshakeNumber(ss, length, 3); 3300 return rv; /* error code set by AppendHandshake, if applicable. */ 3301 } 3302 3303 /************************************************************************** 3304 * Consume Handshake functions. 3305 * 3306 * All data used in these functions is protected by two locks, 3307 * the RecvBufLock and the SSL3HandshakeLock 3308 **************************************************************************/ 3309 3310 /* Read up the next "bytes" number of bytes from the (decrypted) input 3311 * stream "b" (which is *length bytes long). Copy them into buffer "v". 3312 * Reduces *length by bytes. Advances *b by bytes. 3313 * 3314 * If this function returns SECFailure, it has already sent an alert, 3315 * and has set a generic error code. The caller should probably 3316 * override the generic error code by setting another. 3317 */ 3318 SECStatus 3319 ssl3_ConsumeHandshake(sslSocket *ss, void *v, PRInt32 bytes, SSL3Opaque **b, 3320 PRUint32 *length) 3321 { 3322 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 3323 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 3324 3325 if ((PRUint32)bytes > *length) { 3326 return ssl3_DecodeError(ss); 3327 } 3328 PORT_Memcpy(v, *b, bytes); 3329 PRINT_BUF(60, (ss, "consume bytes:", *b, bytes)); 3330 *b += bytes; 3331 *length -= bytes; 3332 return SECSuccess; 3333 } 3334 3335 /* Read up the next "bytes" number of bytes from the (decrypted) input 3336 * stream "b" (which is *length bytes long), and interpret them as an 3337 * integer in network byte order. Returns the received value. 3338 * Reduces *length by bytes. Advances *b by bytes. 3339 * 3340 * Returns SECFailure (-1) on failure. 3341 * This value is indistinguishable from the equivalent received value. 3342 * Only positive numbers are to be received this way. 3343 * Thus, the largest value that may be sent this way is 0x7fffffff. 3344 * On error, an alert has been sent, and a generic error code has been set. 3345 */ 3346 PRInt32 3347 ssl3_ConsumeHandshakeNumber(sslSocket *ss, PRInt32 bytes, SSL3Opaque **b, 3348 PRUint32 *length) 3349 { 3350 uint8 *buf = *b; 3351 int i; 3352 PRInt32 num = 0; 3353 3354 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 3355 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 3356 PORT_Assert( bytes <= sizeof num); 3357 3358 if ((PRUint32)bytes > *length) { 3359 return ssl3_DecodeError(ss); 3360 } 3361 PRINT_BUF(60, (ss, "consume bytes:", *b, bytes)); 3362 3363 for (i = 0; i < bytes; i++) 3364 num = (num << 8) + buf[i]; 3365 *b += bytes; 3366 *length -= bytes; 3367 return num; 3368 } 3369 3370 /* Read in two values from the incoming decrypted byte stream "b", which is 3371 * *length bytes long. The first value is a number whose size is "bytes" 3372 * bytes long. The second value is a byte-string whose size is the value 3373 * of the first number received. The latter byte-string, and its length, 3374 * is returned in the SECItem i. 3375 * 3376 * Returns SECFailure (-1) on failure. 3377 * On error, an alert has been sent, and a generic error code has been set. 3378 * 3379 * RADICAL CHANGE for NSS 3.11. All callers of this function make copies 3380 * of the data returned in the SECItem *i, so making a copy of it here 3381 * is simply wasteful. So, This function now just sets SECItem *i to 3382 * point to the values in the buffer **b. 3383 */ 3384 SECStatus 3385 ssl3_ConsumeHandshakeVariable(sslSocket *ss, SECItem *i, PRInt32 bytes, 3386 SSL3Opaque **b, PRUint32 *length) 3387 { 3388 PRInt32 count; 3389 3390 PORT_Assert(bytes <= 3); 3391 i->len = 0; 3392 i->data = NULL; 3393 count = ssl3_ConsumeHandshakeNumber(ss, bytes, b, length); 3394 if (count < 0) { /* Can't test for SECSuccess here. */ 3395 return SECFailure; 3396 } 3397 if (count > 0) { 3398 if ((PRUint32)count > *length) { 3399 return ssl3_DecodeError(ss); 3400 } 3401 i->data = *b; 3402 i->len = count; 3403 *b += count; 3404 *length -= count; 3405 } 3406 return SECSuccess; 3407 } 3408 3409 /************************************************************************** 3410 * end of Consume Handshake functions. 3411 **************************************************************************/ 3412 3413 /* Extract the hashes of handshake messages to this point. 3414 * Called from ssl3_SendCertificateVerify 3415 * ssl3_SendFinished 3416 * ssl3_HandleHandshakeMessage 3417 * 3418 * Caller must hold the SSL3HandshakeLock. 3419 * Caller must hold a read or write lock on the Spec R/W lock. 3420 * (There is presently no way to assert on a Read lock.) 3421 */ 3422 static SECStatus 3423 ssl3_ComputeHandshakeHashes(sslSocket * ss, 3424 ssl3CipherSpec *spec, /* uses ->master_secret */ 3425 SSL3Hashes * hashes, /* output goes here. */ 3426 PRUint32 sender) 3427 { 3428 SECStatus rv = SECSuccess; 3429 PRBool isTLS = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0); 3430 unsigned int outLength; 3431 SSL3Opaque md5_inner[MAX_MAC_LENGTH]; 3432 SSL3Opaque sha_inner[MAX_MAC_LENGTH]; 3433 3434 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 3435 3436 if (ss->opt.bypassPKCS11) { 3437 /* compute them without PKCS11 */ 3438 PRUint64 md5_cx[MAX_MAC_CONTEXT_LLONGS]; 3439 PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS]; 3440 3441 #define md5cx ((MD5Context *)md5_cx) 3442 #define shacx ((SHA1Context *)sha_cx) 3443 3444 if (!spec->msItem.data) { 3445 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE); 3446 return SECFailure; 3447 } 3448 3449 MD5_Clone (md5cx, (MD5Context *)ss->ssl3.hs.md5_cx); 3450 SHA1_Clone(shacx, (SHA1Context *)ss->ssl3.hs.sha_cx); 3451 3452 if (!isTLS) { 3453 /* compute hashes for SSL3. */ 3454 unsigned char s[4]; 3455 3456 s[0] = (unsigned char)(sender >> 24); 3457 s[1] = (unsigned char)(sender >> 16); 3458 s[2] = (unsigned char)(sender >> 8); 3459 s[3] = (unsigned char)sender; 3460 3461 if (sender != 0) { 3462 MD5_Update(md5cx, s, 4); 3463 PRINT_BUF(95, (NULL, "MD5 inner: sender", s, 4)); 3464 } 3465 3466 PRINT_BUF(95, (NULL, "MD5 inner: MAC Pad 1", mac_pad_1, 3467 mac_defs[mac_md5].pad_size)); 3468 3469 MD5_Update(md5cx, spec->msItem.data, spec->msItem.len); 3470 MD5_Update(md5cx, mac_pad_1, mac_defs[mac_md5].pad_size); 3471 MD5_End(md5cx, md5_inner, &outLength, MD5_LENGTH); 3472 3473 PRINT_BUF(95, (NULL, "MD5 inner: result", md5_inner, outLength)); 3474 3475 if (sender != 0) { 3476 SHA1_Update(shacx, s, 4); 3477 PRINT_BUF(95, (NULL, "SHA inner: sender", s, 4)); 3478 } 3479 3480 PRINT_BUF(95, (NULL, "SHA inner: MAC Pad 1", mac_pad_1, 3481 mac_defs[mac_sha].pad_size)); 3482 3483 SHA1_Update(shacx, spec->msItem.data, spec->msItem.len); 3484 SHA1_Update(shacx, mac_pad_1, mac_defs[mac_sha].pad_size); 3485 SHA1_End(shacx, sha_inner, &outLength, SHA1_LENGTH); 3486 3487 PRINT_BUF(95, (NULL, "SHA inner: result", sha_inner, outLength)); 3488 PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2, 3489 mac_defs[mac_md5].pad_size)); 3490 PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH)); 3491 3492 MD5_Begin(md5cx); 3493 MD5_Update(md5cx, spec->msItem.data, spec->msItem.len); 3494 MD5_Update(md5cx, mac_pad_2, mac_defs[mac_md5].pad_size); 3495 MD5_Update(md5cx, md5_inner, MD5_LENGTH); 3496 } 3497 MD5_End(md5cx, hashes->md5, &outLength, MD5_LENGTH); 3498 3499 PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->md5, MD5_LENGTH)); 3500 3501 if (!isTLS) { 3502 PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2, 3503 mac_defs[mac_sha].pad_size)); 3504 PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH)); 3505 3506 SHA1_Begin(shacx); 3507 SHA1_Update(shacx, spec->msItem.data, spec->msItem.len); 3508 SHA1_Update(shacx, mac_pad_2, mac_defs[mac_sha].pad_size); 3509 SHA1_Update(shacx, sha_inner, SHA1_LENGTH); 3510 } 3511 SHA1_End(shacx, hashes->sha, &outLength, SHA1_LENGTH); 3512 3513 PRINT_BUF(60, (NULL, "SHA outer: result", hashes->sha, SHA1_LENGTH)); 3514 3515 rv = SECSuccess; 3516 #undef md5cx 3517 #undef shacx 3518 } else { 3519 /* compute hases with PKCS11 */ 3520 PK11Context * md5; 3521 PK11Context * sha = NULL; 3522 unsigned char *md5StateBuf = NULL; 3523 unsigned char *shaStateBuf = NULL; 3524 unsigned int md5StateLen, shaStateLen; 3525 unsigned char md5StackBuf[256]; 3526 unsigned char shaStackBuf[512]; 3527 3528 if (!spec->master_secret) { 3529 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE); 3530 return SECFailure; 3531 } 3532 3533 md5StateBuf = PK11_SaveContextAlloc(ss->ssl3.hs.md5, md5StackBuf, 3534 sizeof md5StackBuf, &md5StateLen); 3535 if (md5StateBuf == NULL) { 3536 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); 3537 goto loser; 3538 } 3539 md5 = ss->ssl3.hs.md5; 3540 3541 shaStateBuf = PK11_SaveContextAlloc(ss->ssl3.hs.sha, shaStackBuf, 3542 sizeof shaStackBuf, &shaStateLen); 3543 if (shaStateBuf == NULL) { 3544 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); 3545 goto loser; 3546 } 3547 sha = ss->ssl3.hs.sha; 3548 3549 if (!isTLS) { 3550 /* compute hashes for SSL3. */ 3551 unsigned char s[4]; 3552 3553 s[0] = (unsigned char)(sender >> 24); 3554 s[1] = (unsigned char)(sender >> 16); 3555 s[2] = (unsigned char)(sender >> 8); 3556 s[3] = (unsigned char)sender; 3557 3558 if (sender != 0) { 3559 rv |= PK11_DigestOp(md5, s, 4); 3560 PRINT_BUF(95, (NULL, "MD5 inner: sender", s, 4)); 3561 } 3562 3563 PRINT_BUF(95, (NULL, "MD5 inner: MAC Pad 1", mac_pad_1, 3564 mac_defs[mac_md5].pad_size)); 3565 3566 rv |= PK11_DigestKey(md5,spec->master_secret); 3567 rv |= PK11_DigestOp(md5, mac_pad_1, mac_defs[mac_md5].pad_size); 3568 rv |= PK11_DigestFinal(md5, md5_inner, &outLength, MD5_LENGTH); 3569 PORT_Assert(rv != SECSuccess || outLength == MD5_LENGTH); 3570 if (rv != SECSuccess) { 3571 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); 3572 rv = SECFailure; 3573 goto loser; 3574 } 3575 3576 PRINT_BUF(95, (NULL, "MD5 inner: result", md5_inner, outLength)); 3577 3578 if (sender != 0) { 3579 rv |= PK11_DigestOp(sha, s, 4); 3580 PRINT_BUF(95, (NULL, "SHA inner: sender", s, 4)); 3581 } 3582 3583 PRINT_BUF(95, (NULL, "SHA inner: MAC Pad 1", mac_pad_1, 3584 mac_defs[mac_sha].pad_size)); 3585 3586 rv |= PK11_DigestKey(sha, spec->master_secret); 3587 rv |= PK11_DigestOp(sha, mac_pad_1, mac_defs[mac_sha].pad_size); 3588 rv |= PK11_DigestFinal(sha, sha_inner, &outLength, SHA1_LENGTH); 3589 PORT_Assert(rv != SECSuccess || outLength == SHA1_LENGTH); 3590 if (rv != SECSuccess) { 3591 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); 3592 rv = SECFailure; 3593 goto loser; 3594 } 3595 3596 PRINT_BUF(95, (NULL, "SHA inner: result", sha_inner, outLength)); 3597 3598 PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2, 3599 mac_defs[mac_md5].pad_size)); 3600 PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH)); 3601 3602 rv |= PK11_DigestBegin(md5); 3603 rv |= PK11_DigestKey(md5, spec->master_secret); 3604 rv |= PK11_DigestOp(md5, mac_pad_2, mac_defs[mac_md5].pad_size); 3605 rv |= PK11_DigestOp(md5, md5_inner, MD5_LENGTH); 3606 } 3607 rv |= PK11_DigestFinal(md5, hashes->md5, &outLength, MD5_LENGTH); 3608 PORT_Assert(rv != SECSuccess || outLength == MD5_LENGTH); 3609 if (rv != SECSuccess) { 3610 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); 3611 rv = SECFailure; 3612 goto loser; 3613 } 3614 3615 PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->md5, MD5_LENGTH)); 3616 3617 if (!isTLS) { 3618 PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2, 3619 mac_defs[mac_sha].pad_size)); 3620 PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH)); 3621 3622 rv |= PK11_DigestBegin(sha); 3623 rv |= PK11_DigestKey(sha,spec->master_secret); 3624 rv |= PK11_DigestOp(sha, mac_pad_2, mac_defs[mac_sha].pad_size); 3625 rv |= PK11_DigestOp(sha, sha_inner, SHA1_LENGTH); 3626 } 3627 rv |= PK11_DigestFinal(sha, hashes->sha, &outLength, SHA1_LENGTH); 3628 PORT_Assert(rv != SECSuccess || outLength == SHA1_LENGTH); 3629 if (rv != SECSuccess) { 3630 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); 3631 rv = SECFailure; 3632 goto loser; 3633 } 3634 3635 PRINT_BUF(60, (NULL, "SHA outer: result", hashes->sha, SHA1_LENGTH)); 3636 3637 rv = SECSuccess; 3638 3639 loser: 3640 if (md5StateBuf) { 3641 if (PK11_RestoreContext(ss->ssl3.hs.md5, md5StateBuf, md5StateLen) 3642 != SECSuccess) 3643 { 3644 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); 3645 rv = SECFailure; 3646 } 3647 if (md5StateBuf != md5StackBuf) { 3648 PORT_ZFree(md5StateBuf, md5StateLen); 3649 } 3650 } 3651 if (shaStateBuf) { 3652 if (PK11_RestoreContext(ss->ssl3.hs.sha, shaStateBuf, shaStateLen) 3653 != SECSuccess) 3654 { 3655 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); 3656 rv = SECFailure; 3657 } 3658 if (shaStateBuf != shaStackBuf) { 3659 PORT_ZFree(shaStateBuf, shaStateLen); 3660 } 3661 } 3662 } 3663 return rv; 3664 } 3665 3666 /* 3667 * SSL 2 based implementations pass in the initial outbound buffer 3668 * so that the handshake hash can contain the included information. 3669 * 3670 * Called from ssl2_BeginClientHandshake() in sslcon.c 3671 */ 3672 SECStatus 3673 ssl3_StartHandshakeHash(sslSocket *ss, unsigned char * buf, int length) 3674 { 3675 SECStatus rv; 3676 3677 ssl_GetSSL3HandshakeLock(ss); /**************************************/ 3678 3679 rv = ssl3_InitState(ss); 3680 if (rv != SECSuccess) { 3681 goto done; /* ssl3_InitState has set the error code. */ 3682 } 3683 3684 PORT_Memset(&ss->ssl3.hs.client_random, 0, SSL3_RANDOM_LENGTH); 3685 PORT_Memcpy( 3686 &ss->ssl3.hs.client_random.rand[SSL3_RANDOM_LENGTH - SSL_CHALLENGE_BYTES], 3687 &ss->sec.ci.clientChallenge, 3688 SSL_CHALLENGE_BYTES); 3689 3690 rv = ssl3_UpdateHandshakeHashes(ss, buf, length); 3691 /* if it failed, ssl3_UpdateHandshakeHashes has set the error code. */ 3692 3693 done: 3694 ssl_ReleaseSSL3HandshakeLock(ss); /**************************************/ 3695 return rv; 3696 } 3697 3698 /************************************************************************** 3699 * end of Handshake Hash functions. 3700 * Begin Send and Handle functions for handshakes. 3701 **************************************************************************/ 3702 3703 /* Called from ssl3_HandleHelloRequest(), 3704 * ssl3_HandleFinished() (for step-up) 3705 * ssl3_RedoHandshake() 3706 * ssl2_BeginClientHandshake (when resuming ssl3 session) 3707 */ 3708 SECStatus 3709 ssl3_SendClientHello(sslSocket *ss) 3710 { 3711 sslSessionID * sid; 3712 ssl3CipherSpec * cwSpec; 3713 SECStatus rv; 3714 int i; 3715 int length; 3716 int num_suites; 3717 int actual_count = 0; 3718 PRInt32 total_exten_len = 0; 3719 unsigned numCompressionMethods; 3720 3721 SSL_TRC(3, ("%d: SSL3[%d]: send client_hello handshake", SSL_GETPID(), 3722 ss->fd)); 3723 3724 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 3725 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); 3726 3727 rv = ssl3_InitState(ss); 3728 if (rv != SECSuccess) { 3729 return rv; /* ssl3_InitState has set the error code. */ 3730 } 3731 3732 /* We might be starting a session renegotiation in which case we should 3733 * clear previous state. 3734 */ 3735 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData)); 3736 3737 SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes", 3738 SSL_GETPID(), ss->fd )); 3739 rv = ssl3_RestartHandshakeHashes(ss); 3740 if (rv != SECSuccess) { 3741 return rv; 3742 } 3743 3744 /* We ignore ss->sec.ci.sid here, and use ssl_Lookup because Lookup 3745 * handles expired entries and other details. 3746 * XXX If we've been called from ssl2_BeginClientHandshake, then 3747 * this lookup is duplicative and wasteful. 3748 */ 3749 sid = (ss->opt.noCache) ? NULL 3750 : ssl_LookupSID(&ss->sec.ci.peer, ss->sec.ci.port, ss->peerID, ss->url); 3751 3752 /* We can't resume based on a different token. If the sid exists, 3753 * make sure the token that holds the master secret still exists ... 3754 * If we previously did client-auth, make sure that the token that holds 3755 * the private key still exists, is logged in, hasn't been removed, etc. 3756 */ 3757 if (sid) { 3758 PRBool sidOK = PR_TRUE; 3759 if (sid->u.ssl3.keys.msIsWrapped) { 3760 /* Session key was wrapped, which means it was using PKCS11, */ 3761 PK11SlotInfo *slot = NULL; 3762 if (sid->u.ssl3.masterValid && !ss->opt.bypassPKCS11) { 3763 slot = SECMOD_LookupSlot(sid->u.ssl3.masterModuleID, 3764 sid->u.ssl3.masterSlotID); 3765 } 3766 if (slot == NULL) { 3767 sidOK = PR_FALSE; 3768 } else { 3769 PK11SymKey *wrapKey = NULL; 3770 if (!PK11_IsPresent(slot) || 3771 ((wrapKey = PK11_GetWrapKey(slot, 3772 sid->u.ssl3.masterWrapIndex, 3773 sid->u.ssl3.masterWrapMech, 3774 sid->u.ssl3.masterWrapSeries, 3775 ss->pkcs11PinArg)) == NULL) ) { 3776 sidOK = PR_FALSE; 3777 } 3778 if (wrapKey) PK11_FreeSymKey(wrapKey); 3779 PK11_FreeSlot(slot); 3780 slot = NULL; 3781 } 3782 } 3783 /* If we previously did client-auth, make sure that the token that 3784 ** holds the private key still exists, is logged in, hasn't been 3785 ** removed, etc. 3786 */ 3787 if (sidOK && !ssl3_ClientAuthTokenPresent(sid)) { 3788 sidOK = PR_FALSE; 3789 } 3790 3791 if (!sidOK) { 3792 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_not_ok ); 3793 (*ss->sec.uncache)(sid); 3794 ssl_FreeSID(sid); 3795 sid = NULL; 3796 } 3797 } 3798 3799 if (sid) { 3800 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_hits ); 3801 3802 /* Are we attempting a stateless session resume? */ 3803 if (sid->version > SSL_LIBRARY_VERSION_3_0 && 3804 sid->u.ssl3.sessionTicket.ticket.data) 3805 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_stateless_resumes ); 3806 3807 rv = ssl3_NegotiateVersion(ss, sid->version); 3808 if (rv != SECSuccess) 3809 return rv; /* error code was set */ 3810 3811 PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl3.sessionID, 3812 sid->u.ssl3.sessionIDLength)); 3813 3814 ss->ssl3.policy = sid->u.ssl3.policy; 3815 } else { 3816 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_misses ); 3817 3818 rv = ssl3_NegotiateVersion(ss, SSL_LIBRARY_VERSION_3_1_TLS); 3819 if (rv != SECSuccess) 3820 return rv; /* error code was set */ 3821 3822 sid = ssl3_NewSessionID(ss, PR_FALSE); 3823 if (!sid) { 3824 return SECFailure; /* memory error is set */ 3825 } 3826 } 3827 3828 ssl_GetSpecWriteLock(ss); 3829 cwSpec = ss->ssl3.cwSpec; 3830 if (cwSpec->mac_def->mac == mac_null) { 3831 /* SSL records are not being MACed. */ 3832 cwSpec->version = ss->version; 3833 } 3834 ssl_ReleaseSpecWriteLock(ss); 3835 3836 if (ss->sec.ci.sid != NULL) { 3837 ssl_FreeSID(ss->sec.ci.sid); /* decrement ref count, free if zero */ 3838 } 3839 ss->sec.ci.sid = sid; 3840 3841 ss->sec.send = ssl3_SendApplicationData; 3842 3843 /* shouldn't get here if SSL3 is disabled, but ... */ 3844 PORT_Assert(ss->opt.enableSSL3 || ss->opt.enableTLS); 3845 if (!ss->opt.enableSSL3 && !ss->opt.enableTLS) { 3846 PORT_SetError(SSL_ERROR_SSL_DISABLED); 3847 return SECFailure; 3848 } 3849 3850 /* how many suites does our PKCS11 support (regardless of policy)? */ 3851 num_suites = ssl3_config_match_init(ss); 3852 if (!num_suites) 3853 return SECFailure; /* ssl3_config_match_init has set error code. */ 3854 3855 if (ss->opt.enableTLS && ss->version > SSL_LIBRARY_VERSION_3_0) { 3856 PRUint32 maxBytes = 65535; /* 2^16 - 1 */ 3857 PRInt32 extLen; 3858 3859 extLen = ssl3_CallHelloExtensionSenders(ss, PR_FALSE, maxBytes, NULL); 3860 if (extLen < 0) { 3861 return SECFailure; 3862 } 3863 maxBytes -= extLen; 3864 total_exten_len += extLen; 3865 3866 if (total_exten_len > 0) 3867 total_exten_len += 2; 3868 } 3869 #if defined(NSS_ENABLE_ECC) && !defined(NSS_ECC_MORE_THAN_SUITE_B) 3870 else { /* SSL3 only */ 3871 ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */ 3872 } 3873 #endif 3874 3875 /* how many suites are permitted by policy and user preference? */ 3876 num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE); 3877 if (!num_suites) 3878 return SECFailure; /* count_cipher_suites has set error code. */ 3879 3880 /* count compression methods */ 3881 numCompressionMethods = 0; 3882 for (i = 0; i < compressionMethodsCount; i++) { 3883 if (compressionEnabled(ss, compressions[i])) 3884 numCompressionMethods++; 3885 } 3886 3887 length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH + 3888 1 + ((sid == NULL) ? 0 : sid->u.ssl3.sessionIDLength) + 3889 2 + num_suites*sizeof(ssl3CipherSuite) + 3890 1 + numCompressionMethods + total_exten_len; 3891 3892 rv = ssl3_AppendHandshakeHeader(ss, client_hello, length); 3893 if (rv != SECSuccess) { 3894 return rv; /* err set by ssl3_AppendHandshake* */ 3895 } 3896 3897 ss->clientHelloVersion = ss->version; 3898 rv = ssl3_AppendHandshakeNumber(ss, ss->clientHelloVersion, 2); 3899 if (rv != SECSuccess) { 3900 return rv; /* err set by ssl3_AppendHandshake* */ 3901 } 3902 rv = ssl3_GetNewRandom(&ss->ssl3.hs.client_random); 3903 if (rv != SECSuccess) { 3904 return rv; /* err set by GetNewRandom. */ 3905 } 3906 rv = ssl3_AppendHandshake(ss, &ss->ssl3.hs.client_random, 3907 SSL3_RANDOM_LENGTH); 3908 if (rv != SECSuccess) { 3909 return rv; /* err set by ssl3_AppendHandshake* */ 3910 } 3911 3912 if (sid) 3913 rv = ssl3_AppendHandshakeVariable( 3914 ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1); 3915 else 3916 rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1); 3917 if (rv != SECSuccess) { 3918 return rv; /* err set by ssl3_AppendHandshake* */ 3919 } 3920 3921 rv = ssl3_AppendHandshakeNumber(ss, num_suites*sizeof(ssl3CipherSuite), 2); 3922 if (rv != SECSuccess) { 3923 return rv; /* err set by ssl3_AppendHandshake* */ 3924 } 3925 3926 3927 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { 3928 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; 3929 if (config_match(suite, ss->ssl3.policy, PR_TRUE)) { 3930 actual_count++; 3931 if (actual_count > num_suites) { 3932 /* set error card removal/insertion error */ 3933 PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL); 3934 return SECFailure; 3935 } 3936 rv = ssl3_AppendHandshakeNumber(ss, suite->cipher_suite, 3937 sizeof(ssl3CipherSuite)); 3938 if (rv != SECSuccess) { 3939 return rv; /* err set by ssl3_AppendHandshake* */ 3940 } 3941 } 3942 } 3943 3944 /* if cards were removed or inserted between count_cipher_suites and 3945 * generating our list, detect the error here rather than send it off to 3946 * the server.. */ 3947 if (actual_count != num_suites) { 3948 /* Card removal/insertion error */ 3949 PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL); 3950 return SECFailure; 3951 } 3952 3953 rv = ssl3_AppendHandshakeNumber(ss, numCompressionMethods, 1); 3954 if (rv != SECSuccess) { 3955 return rv; /* err set by ssl3_AppendHandshake* */ 3956 } 3957 for (i = 0; i < compressionMethodsCount; i++) { 3958 if (!compressionEnabled(ss, compressions[i])) 3959 continue; 3960 rv = ssl3_AppendHandshakeNumber(ss, compressions[i], 1); 3961 if (rv != SECSuccess) { 3962 return rv; /* err set by ssl3_AppendHandshake* */ 3963 } 3964 } 3965 3966 if (total_exten_len) { 3967 PRUint32 maxBytes = total_exten_len - 2; 3968 PRInt32 extLen; 3969 3970 rv = ssl3_AppendHandshakeNumber(ss, maxBytes, 2); 3971 if (rv != SECSuccess) { 3972 return rv; /* err set by AppendHandshake. */ 3973 } 3974 3975 extLen = ssl3_CallHelloExtensionSenders(ss, PR_TRUE, maxBytes, NULL); 3976 if (extLen < 0) { 3977 return SECFailure; 3978 } 3979 maxBytes -= extLen; 3980 PORT_Assert(!maxBytes); 3981 } 3982 3983 3984 rv = ssl3_FlushHandshake(ss, 0); 3985 if (rv != SECSuccess) { 3986 return rv; /* error code set by ssl3_FlushHandshake */ 3987 } 3988 3989 ss->ssl3.hs.ws = wait_server_hello; 3990 return rv; 3991 } 3992 3993 3994 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete 3995 * ssl3 Hello Request. 3996 * Caller must hold Handshake and RecvBuf locks. 3997 */ 3998 static SECStatus 3999 ssl3_HandleHelloRequest(sslSocket *ss) 4000 { 4001 sslSessionID *sid = ss->sec.ci.sid; 4002 SECStatus rv; 4003 4004 SSL_TRC(3, ("%d: SSL3[%d]: handle hello_request handshake", 4005 SSL_GETPID(), ss->fd)); 4006 4007 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 4008 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 4009 4010 if (ss->ssl3.hs.ws == wait_server_hello) 4011 return SECSuccess; 4012 if (ss->ssl3.hs.ws != idle_handshake || ss->sec.isServer) { 4013 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); 4014 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST); 4015 return SECFailure; 4016 } 4017 if (ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) { 4018 ssl_GetXmitBufLock(ss); 4019 rv = SSL3_SendAlert(ss, alert_warning, no_renegotiation); 4020 ssl_ReleaseXmitBufLock(ss); 4021 PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED); 4022 return SECFailure; 4023 } 4024 4025 if (sid) { 4026 ss->sec.uncache(sid); 4027 ssl_FreeSID(sid); 4028 ss->sec.ci.sid = NULL; 4029 } 4030 4031 ssl_GetXmitBufLock(ss); 4032 rv = ssl3_SendClientHello(ss); 4033 ssl_ReleaseXmitBufLock(ss); 4034 4035 return rv; 4036 } 4037 4038 #define UNKNOWN_WRAP_MECHANISM 0x7fffffff 4039 4040 static const CK_MECHANISM_TYPE wrapMechanismList[SSL_NUM_WRAP_MECHS] = { 4041 CKM_DES3_ECB, 4042 CKM_CAST5_ECB, 4043 CKM_DES_ECB, 4044 CKM_KEY_WRAP_LYNKS, 4045 CKM_IDEA_ECB, 4046 CKM_CAST3_ECB, 4047 CKM_CAST_ECB, 4048 CKM_RC5_ECB, 4049 CKM_RC2_ECB, 4050 CKM_CDMF_ECB, 4051 CKM_SKIPJACK_WRAP, 4052 CKM_SKIPJACK_CBC64, 4053 CKM_AES_ECB, 4054 CKM_CAMELLIA_ECB, 4055 CKM_SEED_ECB, 4056 UNKNOWN_WRAP_MECHANISM 4057 }; 4058 4059 static int 4060 ssl_FindIndexByWrapMechanism(CK_MECHANISM_TYPE mech) 4061 { 4062 const CK_MECHANISM_TYPE *pMech = wrapMechanismList; 4063 4064 while (mech != *pMech && *pMech != UNKNOWN_WRAP_MECHANISM) { 4065 ++pMech; 4066 } 4067 return (*pMech == UNKNOWN_WRAP_MECHANISM) ? -1 4068 : (pMech - wrapMechanismList); 4069 } 4070 4071 static PK11SymKey * 4072 ssl_UnwrapSymWrappingKey( 4073 SSLWrappedSymWrappingKey *pWswk, 4074 SECKEYPrivateKey * svrPrivKey, 4075 SSL3KEAType exchKeyType, 4076 CK_MECHANISM_TYPE masterWrapMech, 4077 void * pwArg) 4078 { 4079 PK11SymKey * unwrappedWrappingKey = NULL; 4080 SECItem wrappedKey; 4081 #ifdef NSS_ENABLE_ECC 4082 PK11SymKey * Ks; 4083 SECKEYPublicKey pubWrapKey; 4084 ECCWrappedKeyInfo *ecWrapped; 4085 #endif /* NSS_ENABLE_ECC */ 4086 4087 /* found the wrapping key on disk. */ 4088 PORT_Assert(pWswk->symWrapMechanism == masterWrapMech); 4089 PORT_Assert(pWswk->exchKeyType == exchKeyType); 4090 if (pWswk->symWrapMechanism != masterWrapMech || 4091 pWswk->exchKeyType != exchKeyType) { 4092 goto loser; 4093 } 4094 wrappedKey.type = siBuffer; 4095 wrappedKey.data = pWswk->wrappedSymmetricWrappingkey; 4096 wrappedKey.len = pWswk->wrappedSymKeyLen; 4097 PORT_Assert(wrappedKey.len <= sizeof pWswk->wrappedSymmetricWrappingkey); 4098 4099 switch (exchKeyType) { 4100 4101 case kt_rsa: 4102 unwrappedWrappingKey = 4103 PK11_PubUnwrapSymKey(svrPrivKey, &wrappedKey, 4104 masterWrapMech, CKA_UNWRAP, 0); 4105 break; 4106 4107 #ifdef NSS_ENABLE_ECC 4108 case kt_ecdh: 4109 /* 4110 * For kt_ecdh, we first create an EC public key based on 4111 * data stored with the wrappedSymmetricWrappingkey. Next, 4112 * we do an ECDH computation involving this public key and 4113 * the SSL server's (long-term) EC private key. The resulting 4114 * shared secret is treated the same way as Fortezza's Ks, i.e., 4115 * it is used to recover the symmetric wrapping key. 4116 * 4117 * The data in wrappedSymmetricWrappingkey is laid out as defined 4118 * in the ECCWrappedKeyInfo structure. 4119 */ 4120 ecWrapped = (ECCWrappedKeyInfo *) pWswk->wrappedSymmetricWrappingkey; 4121 4122 PORT_Assert(ecWrapped->encodedParamLen + ecWrapped->pubValueLen + 4123 ecWrapped->wrappedKeyLen <= MAX_EC_WRAPPED_KEY_BUFLEN); 4124 4125 if (ecWrapped->encodedParamLen + ecWrapped->pubValueLen + 4126 ecWrapped->wrappedKeyLen > MAX_EC_WRAPPED_KEY_BUFLEN) { 4127 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 4128 goto loser; 4129 } 4130 4131 pubWrapKey.keyType = ecKey; 4132 pubWrapKey.u.ec.size = ecWrapped->size; 4133 pubWrapKey.u.ec.DEREncodedParams.len = ecWrapped->encodedParamLen; 4134 pubWrapKey.u.ec.DEREncodedParams.data = ecWrapped->var; 4135 pubWrapKey.u.ec.publicValue.len = ecWrapped->pubValueLen; 4136 pubWrapKey.u.ec.publicValue.data = ecWrapped->var + 4137 ecWrapped->encodedParamLen; 4138 4139 wrappedKey.len = ecWrapped->wrappedKeyLen; 4140 wrappedKey.data = ecWrapped->var + ecWrapped->encodedParamLen + 4141 ecWrapped->pubValueLen; 4142 4143 /* Derive Ks using ECDH */ 4144 Ks = PK11_PubDeriveWithKDF(svrPrivKey, &pubWrapKey, PR_FALSE, NULL, 4145 NULL, CKM_ECDH1_DERIVE, masterWrapMech, 4146 CKA_DERIVE, 0, CKD_NULL, NULL, NULL); 4147 if (Ks == NULL) { 4148 goto loser; 4149 } 4150 4151 /* Use Ks to unwrap the wrapping key */ 4152 unwrappedWrappingKey = PK11_UnwrapSymKey(Ks, masterWrapMech, NULL, 4153 &wrappedKey, masterWrapMech, 4154 CKA_UNWRAP, 0); 4155 PK11_FreeSymKey(Ks); 4156 4157 break; 4158 #endif 4159 4160 default: 4161 /* Assert? */ 4162 SET_ERROR_CODE 4163 goto loser; 4164 } 4165 loser: 4166 return unwrappedWrappingKey; 4167 } 4168 4169 /* Each process sharing the server session ID cache has its own array of 4170 * SymKey pointers for the symmetric wrapping keys that are used to wrap 4171 * the master secrets. There is one key for each KEA type. These Symkeys 4172 * correspond to the wrapped SymKeys kept in the server session cache. 4173 */ 4174 4175 typedef struct { 4176 PK11SymKey * symWrapKey[kt_kea_size]; 4177 } ssl3SymWrapKey; 4178 4179 static PZLock * symWrapKeysLock = NULL; 4180 static ssl3SymWrapKey symWrapKeys[SSL_NUM_WRAP_MECHS]; 4181 4182 SECStatus ssl_FreeSymWrapKeysLock(void) 4183 { 4184 if (symWrapKeysLock) { 4185 PZ_DestroyLock(symWrapKeysLock); 4186 symWrapKeysLock = NULL; 4187 return SECSuccess; 4188 } 4189 PORT_SetError(SEC_ERROR_NOT_INITIALIZED); 4190 return SECFailure; 4191 } 4192 4193 SECStatus 4194 SSL3_ShutdownServerCache(void) 4195 { 4196 int i, j; 4197 4198 if (!symWrapKeysLock) 4199 return SECSuccess; /* lock was never initialized */ 4200 PZ_Lock(symWrapKeysLock); 4201 /* get rid of all symWrapKeys */ 4202 for (i = 0; i < SSL_NUM_WRAP_MECHS; ++i) { 4203 for (j = 0; j < kt_kea_size; ++j) { 4204 PK11SymKey ** pSymWrapKey; 4205 pSymWrapKey = &symWrapKeys[i].symWrapKey[j]; 4206 if (*pSymWrapKey) { 4207 PK11_FreeSymKey(*pSymWrapKey); 4208 *pSymWrapKey = NULL; 4209 } 4210 } 4211 } 4212 4213 PZ_Unlock(symWrapKeysLock); 4214 ssl_FreeSessionCacheLocks(); 4215 return SECSuccess; 4216 } 4217 4218 SECStatus ssl_InitSymWrapKeysLock(void) 4219 { 4220 symWrapKeysLock = PZ_NewLock(nssILockOther); 4221 return symWrapKeysLock ? SECSuccess : SECFailure; 4222 } 4223 4224 /* Try to get wrapping key for mechanism from in-memory array. 4225 * If that fails, look for one on disk. 4226 * If that fails, generate a new one, put the new one on disk, 4227 * Put the new key in the in-memory array. 4228 */ 4229 static PK11SymKey * 4230 getWrappingKey( sslSocket * ss, 4231 PK11SlotInfo * masterSecretSlot, 4232 SSL3KEAType exchKeyType, 4233 CK_MECHANISM_TYPE masterWrapMech, 4234 void * pwArg) 4235 { 4236 SECKEYPrivateKey * svrPrivKey; 4237 SECKEYPublicKey * svrPubKey = NULL; 4238 PK11SymKey * unwrappedWrappingKey = NULL; 4239 PK11SymKey ** pSymWrapKey; 4240 CK_MECHANISM_TYPE asymWrapMechanism = CKM_INVALID_MECHANISM; 4241 int length; 4242 int symWrapMechIndex; 4243 SECStatus rv; 4244 SECItem wrappedKey; 4245 SSLWrappedSymWrappingKey wswk; 4246 4247 svrPrivKey = ss->serverCerts[exchKeyType].SERVERKEY; 4248 PORT_Assert(svrPrivKey != NULL); 4249 if (!svrPrivKey) { 4250 return NULL; /* why are we here?!? */ 4251 } 4252 4253 symWrapMechIndex = ssl_FindIndexByWrapMechanism(masterWrapMech); 4254 PORT_Assert(symWrapMechIndex >= 0); 4255 if (symWrapMechIndex < 0) 4256 return NULL; /* invalid masterWrapMech. */ 4257 4258 pSymWrapKey = &symWrapKeys[symWrapMechIndex].symWrapKey[exchKeyType]; 4259 4260 ssl_InitSessionCacheLocks(PR_TRUE); 4261 4262 PZ_Lock(symWrapKeysLock); 4263 4264 unwrappedWrappingKey = *pSymWrapKey; 4265 if (unwrappedWrappingKey != NULL) { 4266 if (PK11_VerifyKeyOK(unwrappedWrappingKey)) { 4267 unwrappedWrappingKey = PK11_ReferenceSymKey(unwrappedWrappingKey); 4268 goto done; 4269 } 4270 /* slot series has changed, so this key is no good any more. */ 4271 PK11_FreeSymKey(unwrappedWrappingKey); 4272 *pSymWrapKey = unwrappedWrappingKey = NULL; 4273 } 4274 4275 /* Try to get wrapped SymWrapping key out of the (disk) cache. */ 4276 /* Following call fills in wswk on success. */ 4277 if (ssl_GetWrappingKey(symWrapMechIndex, exchKeyType, &wswk)) { 4278 /* found the wrapped sym wrapping key on disk. */ 4279 unwrappedWrappingKey = 4280 ssl_UnwrapSymWrappingKey(&wswk, svrPrivKey, exchKeyType, 4281 masterWrapMech, pwArg); 4282 if (unwrappedWrappingKey) { 4283 goto install; 4284 } 4285 } 4286 4287 if (!masterSecretSlot) /* caller doesn't want to create a new one. */ 4288 goto loser; 4289 4290 length = PK11_GetBestKeyLength(masterSecretSlot, masterWrapMech); 4291 /* Zero length means fixed key length algorithm, or error. 4292 * It's ambiguous. 4293 */ 4294 unwrappedWrappingKey = PK11_KeyGen(masterSecretSlot, masterWrapMech, NULL, 4295 length, pwArg); 4296 if (!unwrappedWrappingKey) { 4297 goto loser; 4298 } 4299 4300 /* Prepare the buffer to receive the wrappedWrappingKey, 4301 * the symmetric wrapping key wrapped using the server's pub key. 4302 */ 4303 PORT_Memset(&wswk, 0, sizeof wswk); /* eliminate UMRs. */ 4304 4305 if (ss->serverCerts[exchKeyType].serverKeyPair) { 4306 svrPubKey = ss->serverCerts[exchKeyType].serverKeyPair->pubKey; 4307 } 4308 if (svrPubKey == NULL) { 4309 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 4310 goto loser; 4311 } 4312 wrappedKey.type = siBuffer; 4313 wrappedKey.len = SECKEY_PublicKeyStrength(svrPubKey); 4314 wrappedKey.data = wswk.wrappedSymmetricWrappingkey; 4315 4316 PORT_Assert(wrappedKey.len <= sizeof wswk.wrappedSymmetricWrappingkey); 4317 if (wrappedKey.len > sizeof wswk.wrappedSymmetricWrappingkey) 4318 goto loser; 4319 4320 /* wrap symmetric wrapping key in server's public key. */ 4321 switch (exchKeyType) { 4322 #ifdef NSS_ENABLE_ECC 4323 PK11SymKey * Ks = NULL; 4324 SECKEYPublicKey *pubWrapKey = NULL; 4325 SECKEYPrivateKey *privWrapKey = NULL; 4326 ECCWrappedKeyInfo *ecWrapped; 4327 #endif /* NSS_ENABLE_ECC */ 4328 4329 case kt_rsa: 4330 asymWrapMechanism = CKM_RSA_PKCS; 4331 rv = PK11_PubWrapSymKey(asymWrapMechanism, svrPubKey, 4332 unwrappedWrappingKey, &wrappedKey); 4333 break; 4334 4335 #ifdef NSS_ENABLE_ECC 4336 case kt_ecdh: 4337 /* 4338 * We generate an ephemeral EC key pair. Perform an ECDH 4339 * computation involving this ephemeral EC public key and 4340 * the SSL server's (long-term) EC private key. The resulting 4341 * shared secret is treated in the same way as Fortezza's Ks, 4342 * i.e., it is used to wrap the wrapping key. To facilitate 4343 * unwrapping in ssl_UnwrapWrappingKey, we also store all 4344 * relevant info about the ephemeral EC public key in 4345 * wswk.wrappedSymmetricWrappingkey and lay it out as 4346 * described in the ECCWrappedKeyInfo structure. 4347 */ 4348 PORT_Assert(svrPubKey->keyType == ecKey); 4349 if (svrPubKey->keyType != ecKey) { 4350 /* something is wrong in sslsecur.c if this isn't an ecKey */ 4351 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 4352 rv = SECFailure; 4353 goto ec_cleanup; 4354 } 4355 4356 privWrapKey = SECKEY_CreateECPrivateKey( 4357 &svrPubKey->u.ec.DEREncodedParams, &pubWrapKey, NULL); 4358 if ((privWrapKey == NULL) || (pubWrapKey == NULL)) { 4359 rv = SECFailure; 4360 goto ec_cleanup; 4361 } 4362 4363 /* Set the key size in bits */ 4364 if (pubWrapKey->u.ec.size == 0) { 4365 pubWrapKey->u.ec.size = SECKEY_PublicKeyStrengthInBits(svrPubKey); 4366 } 4367 4368 PORT_Assert(pubWrapKey->u.ec.DEREncodedParams.len + 4369 pubWrapKey->u.ec.publicValue.len < MAX_EC_WRAPPED_KEY_BUFLEN); 4370 if (pubWrapKey->u.ec.DEREncodedParams.len + 4371 pubWrapKey->u.ec.publicValue.len >= MAX_EC_WRAPPED_KEY_BUFLEN) { 4372 PORT_SetError(SEC_ERROR_INVALID_KEY); 4373 rv = SECFailure; 4374 goto ec_cleanup; 4375 } 4376 4377 /* Derive Ks using ECDH */ 4378 Ks = PK11_PubDeriveWithKDF(svrPrivKey, pubWrapKey, PR_FALSE, NULL, 4379 NULL, CKM_ECDH1_DERIVE, masterWrapMech, 4380 CKA_DERIVE, 0, CKD_NULL, NULL, NULL); 4381 if (Ks == NULL) { 4382 rv = SECFailure; 4383 goto ec_cleanup; 4384 } 4385 4386 ecWrapped = (ECCWrappedKeyInfo *) (wswk.wrappedSymmetricWrappingkey); 4387 ecWrapped->size = pubWrapKey->u.ec.size; 4388 ecWrapped->encodedParamLen = pubWrapKey->u.ec.DEREncodedParams.len; 4389 PORT_Memcpy(ecWrapped->var, pubWrapKey->u.ec.DEREncodedParams.data, 4390 pubWrapKey->u.ec.DEREncodedParams.len); 4391 4392 ecWrapped->pubValueLen = pubWrapKey->u.ec.publicValue.len; 4393 PORT_Memcpy(ecWrapped->var + ecWrapped->encodedParamLen, 4394 pubWrapKey->u.ec.publicValue.data, 4395 pubWrapKey->u.ec.publicValue.len); 4396 4397 wrappedKey.len = MAX_EC_WRAPPED_KEY_BUFLEN - 4398 (ecWrapped->encodedParamLen + ecWrapped->pubValueLen); 4399 wrappedKey.data = ecWrapped->var + ecWrapped->encodedParamLen + 4400 ecWrapped->pubValueLen; 4401 4402 /* wrap symmetricWrapping key with the local Ks */ 4403 rv = PK11_WrapSymKey(masterWrapMech, NULL, Ks, 4404 unwrappedWrappingKey, &wrappedKey); 4405 4406 if (rv != SECSuccess) { 4407 goto ec_cleanup; 4408 } 4409 4410 /* Write down the length of wrapped key in the buffer 4411 * wswk.wrappedSymmetricWrappingkey at the appropriate offset 4412 */ 4413 ecWrapped->wrappedKeyLen = wrappedKey.len; 4414 4415 ec_cleanup: 4416 if (privWrapKey) SECKEY_DestroyPrivateKey(privWrapKey); 4417 if (pubWrapKey) SECKEY_DestroyPublicKey(pubWrapKey); 4418 if (Ks) PK11_FreeSymKey(Ks); 4419 asymWrapMechanism = masterWrapMech; 4420 break; 4421 #endif /* NSS_ENABLE_ECC */ 4422 4423 default: 4424 rv = SECFailure; 4425 break; 4426 } 4427 4428 if (rv != SECSuccess) { 4429 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); 4430 goto loser; 4431 } 4432 4433 PORT_Assert(asymWrapMechanism != CKM_INVALID_MECHANISM); 4434 4435 wswk.symWrapMechanism = masterWrapMech; 4436 wswk.symWrapMechIndex = symWrapMechIndex; 4437 wswk.asymWrapMechanism = asymWrapMechanism; 4438 wswk.exchKeyType = exchKeyType; 4439 wswk.wrappedSymKeyLen = wrappedKey.len; 4440 4441 /* put it on disk. */ 4442 /* If the wrapping key for this KEA type has already been set, 4443 * then abandon the value we just computed and 4444 * use the one we got from the disk. 4445 */ 4446 if (ssl_SetWrappingKey(&wswk)) { 4447 /* somebody beat us to it. The original contents of our wswk 4448 * has been replaced with the content on disk. Now, discard 4449 * the key we just created and unwrap this new one. 4450 */ 4451 PK11_FreeSymKey(unwrappedWrappingKey); 4452 4453 unwrappedWrappingKey = 4454 ssl_UnwrapSymWrappingKey(&wswk, svrPrivKey, exchKeyType, 4455 masterWrapMech, pwArg); 4456 } 4457 4458 install: 4459 if (unwrappedWrappingKey) { 4460 *pSymWrapKey = PK11_ReferenceSymKey(unwrappedWrappingKey); 4461 } 4462 4463 loser: 4464 done: 4465 PZ_Unlock(symWrapKeysLock); 4466 return unwrappedWrappingKey; 4467 } 4468 4469 4470 /* Called from ssl3_SendClientKeyExchange(). */ 4471 /* Presently, this always uses PKCS11. There is no bypass for this. */ 4472 static SECStatus 4473 sendRSAClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey) 4474 { 4475 PK11SymKey * pms = NULL; 4476 SECStatus rv = SECFailure; 4477 SECItem enc_pms = {siBuffer, NULL, 0}; 4478 PRBool isTLS; 4479 4480 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 4481 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 4482 4483 /* Generate the pre-master secret ... */ 4484 ssl_GetSpecWriteLock(ss); 4485 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); 4486 4487 pms = ssl3_GenerateRSAPMS(ss, ss->ssl3.pwSpec, NULL); 4488 ssl_ReleaseSpecWriteLock(ss); 4489 if (pms == NULL) { 4490 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); 4491 goto loser; 4492 } 4493 4494 #if defined(TRACE) 4495 if (ssl_trace >= 100) { 4496 SECStatus extractRV = PK11_ExtractKeyValue(pms); 4497 if (extractRV == SECSuccess) { 4498 SECItem * keyData = PK11_GetKeyData(pms); 4499 if (keyData && keyData->data && keyData->len) { 4500 ssl_PrintBuf(ss, "Pre-Master Secret", 4501 keyData->data, keyData->len); 4502 } 4503 } 4504 } 4505 #endif 4506 4507 /* Get the wrapped (encrypted) pre-master secret, enc_pms */ 4508 enc_pms.len = SECKEY_PublicKeyStrength(svrPubKey); 4509 enc_pms.data = (unsigned char*)PORT_Alloc(enc_pms.len); 4510 if (enc_pms.data == NULL) { 4511 goto loser; /* err set by PORT_Alloc */ 4512 } 4513 4514 /* wrap pre-master secret in server's public key. */ 4515 rv = PK11_PubWrapSymKey(CKM_RSA_PKCS, svrPubKey, pms, &enc_pms); 4516 if (rv != SECSuccess) { 4517 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); 4518 goto loser; 4519 } 4520 4521 rv = ssl3_InitPendingCipherSpec(ss, pms); 4522 PK11_FreeSymKey(pms); pms = NULL; 4523 4524 if (rv != SECSuccess) { 4525 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); 4526 goto loser; 4527 } 4528 4529 rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange, 4530 isTLS ? enc_pms.len + 2 : enc_pms.len); 4531 if (rv != SECSuccess) { 4532 goto loser; /* err set by ssl3_AppendHandshake* */ 4533 } 4534 if (isTLS) { 4535 rv = ssl3_AppendHandshakeVariable(ss, enc_pms.data, enc_pms.len, 2); 4536 } else { 4537 rv = ssl3_AppendHandshake(ss, enc_pms.data, enc_pms.len); 4538 } 4539 if (rv != SECSuccess) { 4540 goto loser; /* err set by ssl3_AppendHandshake* */ 4541 } 4542 4543 rv = SECSuccess; 4544 4545 loser: 4546 if (enc_pms.data != NULL) { 4547 PORT_Free(enc_pms.data); 4548 } 4549 if (pms != NULL) { 4550 PK11_FreeSymKey(pms); 4551 } 4552 return rv; 4553 } 4554 4555 /* Called from ssl3_SendClientKeyExchange(). */ 4556 /* Presently, this always uses PKCS11. There is no bypass for this. */ 4557 static SECStatus 4558 sendDHClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey) 4559 { 4560 PK11SymKey * pms = NULL; 4561 SECStatus rv = SECFailure; 4562 PRBool isTLS; 4563 CK_MECHANISM_TYPE target; 4564 4565 SECKEYDHParams dhParam; /* DH parameters */ 4566 SECKEYPublicKey *pubKey = NULL; /* Ephemeral DH key */ 4567 SECKEYPrivateKey *privKey = NULL; /* Ephemeral DH key */ 4568 4569 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 4570 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 4571 4572 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); 4573 4574 /* Copy DH parameters from server key */ 4575 4576 if (svrPubKey->keyType != dhKey) { 4577 PORT_SetError(SEC_ERROR_BAD_KEY); 4578 goto loser; 4579 } 4580 dhParam.prime.data = svrPubKey->u.dh.prime.data; 4581 dhParam.prime.len = svrPubKey->u.dh.prime.len; 4582 dhParam.base.data = svrPubKey->u.dh.base.data; 4583 dhParam.base.len = svrPubKey->u.dh.base.len; 4584 4585 /* Generate ephemeral DH keypair */ 4586 privKey = SECKEY_CreateDHPrivateKey(&dhParam, &pubKey, NULL); 4587 if (!privKey || !pubKey) { 4588 ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL); 4589 rv = SECFailure; 4590 goto loser; 4591 } 4592 PRINT_BUF(50, (ss, "DH public value:", 4593 pubKey->u.dh.publicValue.data, 4594 pubKey->u.dh.publicValue.len)); 4595 4596 if (isTLS) target = CKM_TLS_MASTER_KEY_DERIVE_DH; 4597 else target = CKM_SSL3_MASTER_KEY_DERIVE_DH; 4598 4599 /* Determine the PMS */ 4600 4601 pms = PK11_PubDerive(privKey, svrPubKey, PR_FALSE, NULL, NULL, 4602 CKM_DH_PKCS_DERIVE, target, CKA_DERIVE, 0, NULL); 4603 4604 if (pms == NULL) { 4605 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); 4606 goto loser; 4607 } 4608 4609 SECKEY_DestroyPrivateKey(privKey); 4610 privKey = NULL; 4611 4612 rv = ssl3_InitPendingCipherSpec(ss, pms); 4613 PK11_FreeSymKey(pms); pms = NULL; 4614 4615 if (rv != SECSuccess) { 4616 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); 4617 goto loser; 4618 } 4619 4620 rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange, 4621 pubKey->u.dh.publicValue.len + 2); 4622 if (rv != SECSuccess) { 4623 goto loser; /* err set by ssl3_AppendHandshake* */ 4624 } 4625 rv = ssl3_AppendHandshakeVariable(ss, 4626 pubKey->u.dh.publicValue.data, 4627 pubKey->u.dh.publicValue.len, 2); 4628 SECKEY_DestroyPublicKey(pubKey); 4629 pubKey = NULL; 4630 4631 if (rv != SECSuccess) { 4632 goto loser; /* err set by ssl3_AppendHandshake* */ 4633 } 4634 4635 rv = SECSuccess; 4636 4637 4638 loser: 4639 4640 if(pms) PK11_FreeSymKey(pms); 4641 if(privKey) SECKEY_DestroyPrivateKey(privKey); 4642 if(pubKey) SECKEY_DestroyPublicKey(pubKey); 4643 return rv; 4644 } 4645 4646 4647 4648 4649 4650 /* Called from ssl3_HandleServerHelloDone(). */ 4651 static SECStatus 4652 ssl3_SendClientKeyExchange(sslSocket *ss) 4653 { 4654 SECKEYPublicKey * serverKey = NULL; 4655 SECStatus rv = SECFailure; 4656 PRBool isTLS; 4657 4658 SSL_TRC(3, ("%d: SSL3[%d]: send client_key_exchange handshake", 4659 SSL_GETPID(), ss->fd)); 4660 4661 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 4662 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 4663 4664 if (ss->sec.peerKey == NULL) { 4665 serverKey = CERT_ExtractPublicKey(ss->sec.peerCert); 4666 if (serverKey == NULL) { 4667 PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); 4668 return SECFailure; 4669 } 4670 } else { 4671 serverKey = ss->sec.peerKey; 4672 ss->sec.peerKey = NULL; /* we're done with it now */ 4673 } 4674 4675 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); 4676 /* enforce limits on kea key sizes. */ 4677 if (ss->ssl3.hs.kea_def->is_limited) { 4678 int keyLen = SECKEY_PublicKeyStrength(serverKey); /* bytes */ 4679 4680 if (keyLen * BPB > ss->ssl3.hs.kea_def->key_size_limit) { 4681 if (isTLS) 4682 (void)SSL3_SendAlert(ss, alert_fatal, export_restriction); 4683 else 4684 (void)ssl3_HandshakeFailure(ss); 4685 PORT_SetError(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED); 4686 goto loser; 4687 } 4688 } 4689 4690 ss->sec.keaType = ss->ssl3.hs.kea_def->exchKeyType; 4691 ss->sec.keaKeyBits = SECKEY_PublicKeyStrengthInBits(serverKey); 4692 4693 switch (ss->ssl3.hs.kea_def->exchKeyType) { 4694 case kt_rsa: 4695 rv = sendRSAClientKeyExchange(ss, serverKey); 4696 break; 4697 4698 case kt_dh: 4699 rv = sendDHClientKeyExchange(ss, serverKey); 4700 break; 4701 4702 #ifdef NSS_ENABLE_ECC 4703 case kt_ecdh: 4704 rv = ssl3_SendECDHClientKeyExchange(ss, serverKey); 4705 break; 4706 #endif /* NSS_ENABLE_ECC */ 4707 4708 default: 4709 /* got an unknown or unsupported Key Exchange Algorithm. */ 4710 SEND_ALERT 4711 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); 4712 break; 4713 } 4714 4715 SSL_TRC(3, ("%d: SSL3[%d]: DONE sending client_key_exchange", 4716 SSL_GETPID(), ss->fd)); 4717 4718 loser: 4719 if (serverKey) 4720 SECKEY_DestroyPublicKey(serverKey); 4721 return rv; /* err code already set. */ 4722 } 4723 4724 /* Called from ssl3_HandleServerHelloDone(). */ 4725 static SECStatus 4726 ssl3_SendCertificateVerify(sslSocket *ss) 4727 { 4728 SECStatus rv = SECFailure; 4729 PRBool isTLS; 4730 SECItem buf = {siBuffer, NULL, 0}; 4731 SSL3Hashes hashes; 4732 4733 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 4734 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 4735 4736 SSL_TRC(3, ("%d: SSL3[%d]: send certificate_verify handshake", 4737 SSL_GETPID(), ss->fd)); 4738 4739 ssl_GetSpecReadLock(ss); 4740 rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0); 4741 ssl_ReleaseSpecReadLock(ss); 4742 if (rv != SECSuccess) { 4743 goto done; /* err code was set by ssl3_ComputeHandshakeHashes */ 4744 } 4745 4746 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); 4747 rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS); 4748 if (rv == SECSuccess) { 4749 PK11SlotInfo * slot; 4750 sslSessionID * sid = ss->sec.ci.sid; 4751 4752 /* Remember the info about the slot that did the signing. 4753 ** Later, when doing an SSL restart handshake, verify this. 4754 ** These calls are mere accessors, and can't fail. 4755 */ 4756 slot = PK11_GetSlotFromPrivateKey(ss->ssl3.clientPrivateKey); 4757 sid->u.ssl3.clAuthSeries = PK11_GetSlotSeries(slot); 4758 sid->u.ssl3.clAuthSlotID = PK11_GetSlotID(slot); 4759 sid->u.ssl3.clAuthModuleID = PK11_GetModuleID(slot); 4760 sid->u.ssl3.clAuthValid = PR_TRUE; 4761 PK11_FreeSlot(slot); 4762 } 4763 /* If we're doing RSA key exchange, we're all done with the private key 4764 * here. Diffie-Hellman key exchanges need the client's 4765 * private key for the key exchange. 4766 */ 4767 if (ss->ssl3.hs.kea_def->exchKeyType == kt_rsa) { 4768 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); 4769 ss->ssl3.clientPrivateKey = NULL; 4770 } 4771 if (rv != SECSuccess) { 4772 goto done; /* err code was set by ssl3_SignHashes */ 4773 } 4774 4775 rv = ssl3_AppendHandshakeHeader(ss, certificate_verify, buf.len + 2); 4776 if (rv != SECSuccess) { 4777 goto done; /* error code set by AppendHandshake */ 4778 } 4779 rv = ssl3_AppendHandshakeVariable(ss, buf.data, buf.len, 2); 4780 if (rv != SECSuccess) { 4781 goto done; /* error code set by AppendHandshake */ 4782 } 4783 4784 done: 4785 if (buf.data) 4786 PORT_Free(buf.data); 4787 return rv; 4788 } 4789 4790 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete 4791 * ssl3 ServerHello message. 4792 * Caller must hold Handshake and RecvBuf locks. 4793 */ 4794 static SECStatus 4795 ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) 4796 { 4797 sslSessionID *sid = ss->sec.ci.sid; 4798 PRInt32 temp; /* allow for consume number failure */ 4799 PRBool suite_found = PR_FALSE; 4800 int i; 4801 int errCode = SSL_ERROR_RX_MALFORMED_SERVER_HELLO; 4802 SECStatus rv; 4803 SECItem sidBytes = {siBuffer, NULL, 0}; 4804 PRBool sid_match; 4805 PRBool isTLS = PR_FALSE; 4806 SSL3AlertDescription desc = illegal_parameter; 4807 SSL3ProtocolVersion version; 4808 4809 SSL_TRC(3, ("%d: SSL3[%d]: handle server_hello handshake", 4810 SSL_GETPID(), ss->fd)); 4811 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 4812 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 4813 4814 rv = ssl3_InitState(ss); 4815 if (rv != SECSuccess) { 4816 errCode = PORT_GetError(); /* ssl3_InitState has set the error code. */ 4817 goto alert_loser; 4818 } 4819 if (ss->ssl3.hs.ws != wait_server_hello) { 4820 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO; 4821 desc = unexpected_message; 4822 goto alert_loser; 4823 } 4824 4825 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); 4826 if (temp < 0) { 4827 goto loser; /* alert has been sent */ 4828 } 4829 version = (SSL3ProtocolVersion)temp; 4830 4831 /* this is appropriate since the negotiation is complete, and we only 4832 ** know SSL 3.x. 4833 */ 4834 if (MSB(version) != MSB(SSL_LIBRARY_VERSION_3_0)) { 4835 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version 4836 : handshake_failure; 4837 goto alert_loser; 4838 } 4839 4840 rv = ssl3_NegotiateVersion(ss, version); 4841 if (rv != SECSuccess) { 4842 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version 4843 : handshake_failure; 4844 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; 4845 goto alert_loser; 4846 } 4847 isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0); 4848 4849 rv = ssl3_ConsumeHandshake( 4850 ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH, &b, &length); 4851 if (rv != SECSuccess) { 4852 goto loser; /* alert has been sent */ 4853 } 4854 4855 rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length); 4856 if (rv != SECSuccess) { 4857 goto loser; /* alert has been sent */ 4858 } 4859 if (sidBytes.len > SSL3_SESSIONID_BYTES) { 4860 if (isTLS) 4861 desc = decode_error; 4862 goto alert_loser; /* malformed. */ 4863 } 4864 4865 /* find selected cipher suite in our list. */ 4866 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); 4867 if (temp < 0) { 4868 goto loser; /* alert has been sent */ 4869 } 4870 ssl3_config_match_init(ss); 4871 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { 4872 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; 4873 if ((temp == suite->cipher_suite) && 4874 (config_match(suite, ss->ssl3.policy, PR_TRUE))) { 4875 suite_found = PR_TRUE; 4876 break; /* success */ 4877 } 4878 } 4879 if (!suite_found) { 4880 desc = handshake_failure; 4881 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; 4882 goto alert_loser; 4883 } 4884 ss->ssl3.hs.cipher_suite = (ssl3CipherSuite)temp; 4885 ss->ssl3.hs.suite_def = ssl_LookupCipherSuiteDef((ssl3CipherSuite)temp); 4886 PORT_Assert(ss->ssl3.hs.suite_def); 4887 if (!ss->ssl3.hs.suite_def) { 4888 PORT_SetError(errCode = SEC_ERROR_LIBRARY_FAILURE); 4889 goto loser; /* we don't send alerts for our screw-ups. */ 4890 } 4891 4892 /* find selected compression method in our list. */ 4893 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &b, &length); 4894 if (temp < 0) { 4895 goto loser; /* alert has been sent */ 4896 } 4897 suite_found = PR_FALSE; 4898 for (i = 0; i < compressionMethodsCount; i++) { 4899 if (temp == compressions[i] && 4900 compressionEnabled(ss, compressions[i])) { 4901 suite_found = PR_TRUE; 4902 break; /* success */ 4903 } 4904 } 4905 if (!suite_found) { 4906 desc = handshake_failure; 4907 errCode = SSL_ERROR_NO_COMPRESSION_OVERLAP; 4908 goto alert_loser; 4909 } 4910 ss->ssl3.hs.compression = (SSLCompressionMethod)temp; 4911 4912 /* Note that if !isTLS && length != 0, we do NOT goto alert_loser. 4913 * There are some old SSL 3.0 implementations that do send stuff 4914 * after the end of the server hello, and we deliberately ignore 4915 * such stuff in the interest of maximal interoperability (being 4916 * "generous in what you accept"). 4917 */ 4918 if (isTLS && length != 0) { 4919 SECItem extensions; 4920 rv = ssl3_ConsumeHandshakeVariable(ss, &extensions, 2, &b, &length); 4921 if (rv != SECSuccess || length != 0) 4922 goto alert_loser; 4923 rv = ssl3_HandleHelloExtensions(ss, &extensions.data, &extensions.len); 4924 if (rv != SECSuccess) 4925 goto alert_loser; 4926 } 4927 4928 /* Any errors after this point are not "malformed" errors. */ 4929 desc = handshake_failure; 4930 4931 /* we need to call ssl3_SetupPendingCipherSpec here so we can check the 4932 * key exchange algorithm. */ 4933 rv = ssl3_SetupPendingCipherSpec(ss); 4934 if (rv != SECSuccess) { 4935 goto alert_loser; /* error code is set. */ 4936 } 4937 4938 /* We may or may not have sent a session id, we may get one back or 4939 * not and if so it may match the one we sent. 4940 * Attempt to restore the master secret to see if this is so... 4941 * Don't consider failure to find a matching SID an error. 4942 */ 4943 sid_match = (PRBool)(sidBytes.len > 0 && 4944 sidBytes.len == sid->u.ssl3.sessionIDLength && 4945 !PORT_Memcmp(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len)); 4946 4947 if (sid_match && 4948 sid->version == ss->version && 4949 sid->u.ssl3.cipherSuite == ss->ssl3.hs.cipher_suite) do { 4950 ssl3CipherSpec *pwSpec = ss->ssl3.pwSpec; 4951 4952 SECItem wrappedMS; /* wrapped master secret. */ 4953 4954 ss->sec.authAlgorithm = sid->authAlgorithm; 4955 ss->sec.authKeyBits = sid->authKeyBits; 4956 ss->sec.keaType = sid->keaType; 4957 ss->sec.keaKeyBits = sid->keaKeyBits; 4958 4959 /* 3 cases here: 4960 * a) key is wrapped (implies using PKCS11) 4961 * b) key is unwrapped, but we're still using PKCS11 4962 * c) key is unwrapped, and we're bypassing PKCS11. 4963 */ 4964 if (sid->u.ssl3.keys.msIsWrapped) { 4965 PK11SlotInfo *slot; 4966 PK11SymKey * wrapKey; /* wrapping key */ 4967 CK_FLAGS keyFlags = 0; 4968 4969 if (ss->opt.bypassPKCS11) { 4970 /* we cannot restart a non-bypass session in a 4971 ** bypass socket. 4972 */ 4973 break; 4974 } 4975 /* unwrap master secret with PKCS11 */ 4976 slot = SECMOD_LookupSlot(sid->u.ssl3.masterModuleID, 4977 sid->u.ssl3.masterSlotID); 4978 if (slot == NULL) { 4979 break; /* not considered an error. */ 4980 } 4981 if (!PK11_IsPresent(slot)) { 4982 PK11_FreeSlot(slot); 4983 break; /* not considered an error. */ 4984 } 4985 wrapKey = PK11_GetWrapKey(slot, sid->u.ssl3.masterWrapIndex, 4986 sid->u.ssl3.masterWrapMech, 4987 sid->u.ssl3.masterWrapSeries, 4988 ss->pkcs11PinArg); 4989 PK11_FreeSlot(slot); 4990 if (wrapKey == NULL) { 4991 break; /* not considered an error. */ 4992 } 4993 4994 if (ss->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */ 4995 keyFlags = CKF_SIGN | CKF_VERIFY; 4996 } 4997 4998 wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret; 4999 wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len; 5000 pwSpec->master_secret = 5001 PK11_UnwrapSymKeyWithFlags(wrapKey, sid->u.ssl3.masterWrapMech, 5002 NULL, &wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE, 5003 CKA_DERIVE, sizeof(SSL3MasterSecret), keyFlags); 5004 errCode = PORT_GetError(); 5005 PK11_FreeSymKey(wrapKey); 5006 if (pwSpec->master_secret == NULL) { 5007 break; /* errorCode set just after call to UnwrapSymKey. */ 5008 } 5009 } else if (ss->opt.bypassPKCS11) { 5010 /* MS is not wrapped */ 5011 wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret; 5012 wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len; 5013 memcpy(pwSpec->raw_master_secret, wrappedMS.data, wrappedMS.len); 5014 pwSpec->msItem.data = pwSpec->raw_master_secret; 5015 pwSpec->msItem.len = wrappedMS.len; 5016 } else { 5017 /* We CAN restart a bypass session in a non-bypass socket. */ 5018 /* need to import the raw master secret to session object */ 5019 PK11SlotInfo *slot = PK11_GetInternalSlot(); 5020 wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret; 5021 wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len; 5022 pwSpec->master_secret = 5023 PK11_ImportSymKey(slot, CKM_SSL3_MASTER_KEY_DERIVE, 5024 PK11_OriginUnwrap, CKA_ENCRYPT, 5025 &wrappedMS, NULL); 5026 PK11_FreeSlot(slot); 5027 if (pwSpec->master_secret == NULL) { 5028 break; 5029 } 5030 } 5031 5032 /* Got a Match */ 5033 SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_hits ); 5034 5035 /* If we sent a session ticket, then this is a stateless resume. */ 5036 if (sid->version > SSL_LIBRARY_VERSION_3_0 && 5037 sid->u.ssl3.sessionTicket.ticket.data != NULL) 5038 SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_stateless_resumes ); 5039 5040 if (ssl3_ExtensionNegotiated(ss, session_ticket_xtn)) 5041 ss->ssl3.hs.ws = wait_new_session_ticket; 5042 else 5043 ss->ssl3.hs.ws = wait_change_cipher; 5044 5045 ss->ssl3.hs.isResuming = PR_TRUE; 5046 5047 /* copy the peer cert from the SID */ 5048 if (sid->peerCert != NULL) { 5049 ss->sec.peerCert = CERT_DupCertificate(sid->peerCert); 5050 } 5051 5052 5053 /* NULL value for PMS signifies re-use of the old MS */ 5054 rv = ssl3_InitPendingCipherSpec(ss, NULL); 5055 if (rv != SECSuccess) { 5056 goto alert_loser; /* err code was set */ 5057 } 5058 return SECSuccess; 5059 } while (0); 5060 5061 if (sid_match) 5062 SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_not_ok ); 5063 else 5064 SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_misses ); 5065 5066 /* throw the old one away */ 5067 sid->u.ssl3.keys.resumable = PR_FALSE; 5068 (*ss->sec.uncache)(sid); 5069 ssl_FreeSID(sid); 5070 5071 /* get a new sid */ 5072 ss->sec.ci.sid = sid = ssl3_NewSessionID(ss, PR_FALSE); 5073 if (sid == NULL) { 5074 goto alert_loser; /* memory error is set. */ 5075 } 5076 5077 sid->version = ss->version; 5078 sid->u.ssl3.sessionIDLength = sidBytes.len; 5079 PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len); 5080 5081 ss->ssl3.hs.isResuming = PR_FALSE; 5082 ss->ssl3.hs.ws = wait_server_cert; 5083 return SECSuccess; 5084 5085 alert_loser: 5086 (void)SSL3_SendAlert(ss, alert_fatal, desc); 5087 5088 loser: 5089 errCode = ssl_MapLowLevelError(errCode); 5090 return SECFailure; 5091 } 5092 5093 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete 5094 * ssl3 ServerKeyExchange message. 5095 * Caller must hold Handshake and RecvBuf locks. 5096 */ 5097 static SECStatus 5098 ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length) 5099 { 5100 PRArenaPool * arena = NULL; 5101 SECKEYPublicKey *peerKey = NULL; 5102 PRBool isTLS; 5103 SECStatus rv; 5104 int errCode = SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH; 5105 SSL3AlertDescription desc = illegal_parameter; 5106 SSL3Hashes hashes; 5107 SECItem signature = {siBuffer, NULL, 0}; 5108 5109 SSL_TRC(3, ("%d: SSL3[%d]: handle server_key_exchange handshake", 5110 SSL_GETPID(), ss->fd)); 5111 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 5112 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 5113 5114 if (ss->ssl3.hs.ws != wait_server_key && 5115 ss->ssl3.hs.ws != wait_server_cert) { 5116 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH; 5117 desc = unexpected_message; 5118 goto alert_loser; 5119 } 5120 if (ss->sec.peerCert == NULL) { 5121 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH; 5122 desc = unexpected_message; 5123 goto alert_loser; 5124 } 5125 5126 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); 5127 5128 switch (ss->ssl3.hs.kea_def->exchKeyType) { 5129 5130 case kt_rsa: { 5131 SECItem modulus = {siBuffer, NULL, 0}; 5132 SECItem exponent = {siBuffer, NULL, 0}; 5133 5134 rv = ssl3_ConsumeHandshakeVariable(ss, &modulus, 2, &b, &length); 5135 if (rv != SECSuccess) { 5136 goto loser; /* malformed. */ 5137 } 5138 rv = ssl3_ConsumeHandshakeVariable(ss, &exponent, 2, &b, &length); 5139 if (rv != SECSuccess) { 5140 goto loser; /* malformed. */ 5141 } 5142 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length); 5143 if (rv != SECSuccess) { 5144 goto loser; /* malformed. */ 5145 } 5146 if (length != 0) { 5147 if (isTLS) 5148 desc = decode_error; 5149 goto alert_loser; /* malformed. */ 5150 } 5151 5152 /* failures after this point are not malformed handshakes. */ 5153 /* TLS: send decrypt_error if signature failed. */ 5154 desc = isTLS ? decrypt_error : handshake_failure; 5155 5156 /* 5157 * check to make sure the hash is signed by right guy 5158 */ 5159 rv = ssl3_ComputeExportRSAKeyHash(modulus, exponent, 5160 &ss->ssl3.hs.client_random, 5161 &ss->ssl3.hs.server_random, 5162 &hashes, ss->opt.bypassPKCS11); 5163 if (rv != SECSuccess) { 5164 errCode = 5165 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); 5166 goto alert_loser; 5167 } 5168 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature, 5169 isTLS, ss->pkcs11PinArg); 5170 if (rv != SECSuccess) { 5171 errCode = 5172 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); 5173 goto alert_loser; 5174 } 5175 5176 /* 5177 * we really need to build a new key here because we can no longer 5178 * ignore calling SECKEY_DestroyPublicKey. Using the key may allocate 5179 * pkcs11 slots and ID's. 5180 */ 5181 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); 5182 if (arena == NULL) { 5183 goto no_memory; 5184 } 5185 5186 peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey); 5187 if (peerKey == NULL) { 5188 PORT_FreeArena(arena, PR_FALSE); 5189 goto no_memory; 5190 } 5191 5192 peerKey->arena = arena; 5193 peerKey->keyType = rsaKey; 5194 peerKey->pkcs11Slot = NULL; 5195 peerKey->pkcs11ID = CK_INVALID_HANDLE; 5196 if (SECITEM_CopyItem(arena, &peerKey->u.rsa.modulus, &modulus) || 5197 SECITEM_CopyItem(arena, &peerKey->u.rsa.publicExponent, &exponent)) 5198 { 5199 PORT_FreeArena(arena, PR_FALSE); 5200 goto no_memory; 5201 } 5202 ss->sec.peerKey = peerKey; 5203 ss->ssl3.hs.ws = wait_cert_request; 5204 return SECSuccess; 5205 } 5206 5207 case kt_dh: { 5208 SECItem dh_p = {siBuffer, NULL, 0}; 5209 SECItem dh_g = {siBuffer, NULL, 0}; 5210 SECItem dh_Ys = {siBuffer, NULL, 0}; 5211 5212 rv = ssl3_ConsumeHandshakeVariable(ss, &dh_p, 2, &b, &length); 5213 if (rv != SECSuccess) { 5214 goto loser; /* malformed. */ 5215 } 5216 rv = ssl3_ConsumeHandshakeVariable(ss, &dh_g, 2, &b, &length); 5217 if (rv != SECSuccess) { 5218 goto loser; /* malformed. */ 5219 } 5220 rv = ssl3_ConsumeHandshakeVariable(ss, &dh_Ys, 2, &b, &length); 5221 if (rv != SECSuccess) { 5222 goto loser; /* malformed. */ 5223 } 5224 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length); 5225 if (rv != SECSuccess) { 5226 goto loser; /* malformed. */ 5227 } 5228 if (length != 0) { 5229 if (isTLS) 5230 desc = decode_error; 5231 goto alert_loser; /* malformed. */ 5232 } 5233 5234 PRINT_BUF(60, (NULL, "Server DH p", dh_p.data, dh_p.len)); 5235 PRINT_BUF(60, (NULL, "Server DH g", dh_g.data, dh_g.len)); 5236 PRINT_BUF(60, (NULL, "Server DH Ys", dh_Ys.data, dh_Ys.len)); 5237 5238 /* failures after this point are not malformed handshakes. */ 5239 /* TLS: send decrypt_error if signature failed. */ 5240 desc = isTLS ? decrypt_error : handshake_failure; 5241 5242 /* 5243 * check to make sure the hash is signed by right guy 5244 */ 5245 rv = ssl3_ComputeDHKeyHash(dh_p, dh_g, dh_Ys, 5246 &ss->ssl3.hs.client_random, 5247 &ss->ssl3.hs.server_random, 5248 &hashes, ss->opt.bypassPKCS11); 5249 if (rv != SECSuccess) { 5250 errCode = 5251 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); 5252 goto alert_loser; 5253 } 5254 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature, 5255 isTLS, ss->pkcs11PinArg); 5256 if (rv != SECSuccess) { 5257 errCode = 5258 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); 5259 goto alert_loser; 5260 } 5261 5262 /* 5263 * we really need to build a new key here because we can no longer 5264 * ignore calling SECKEY_DestroyPublicKey. Using the key may allocate 5265 * pkcs11 slots and ID's. 5266 */ 5267 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); 5268 if (arena == NULL) { 5269 goto no_memory; 5270 } 5271 5272 ss->sec.peerKey = peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey); 5273 if (peerKey == NULL) { 5274 goto no_memory; 5275 } 5276 5277 peerKey->arena = arena; 5278 peerKey->keyType = dhKey; 5279 peerKey->pkcs11Slot = NULL; 5280 peerKey->pkcs11ID = CK_INVALID_HANDLE; 5281 5282 if (SECITEM_CopyItem(arena, &peerKey->u.dh.prime, &dh_p) || 5283 SECITEM_CopyItem(arena, &peerKey->u.dh.base, &dh_g) || 5284 SECITEM_CopyItem(arena, &peerKey->u.dh.publicValue, &dh_Ys)) 5285 { 5286 PORT_FreeArena(arena, PR_FALSE); 5287 goto no_memory; 5288 } 5289 ss->sec.peerKey = peerKey; 5290 ss->ssl3.hs.ws = wait_cert_request; 5291 return SECSuccess; 5292 } 5293 5294 #ifdef NSS_ENABLE_ECC 5295 case kt_ecdh: 5296 rv = ssl3_HandleECDHServerKeyExchange(ss, b, length); 5297 return rv; 5298 #endif /* NSS_ENABLE_ECC */ 5299 5300 default: 5301 desc = handshake_failure; 5302 errCode = SEC_ERROR_UNSUPPORTED_KEYALG; 5303 break; /* goto alert_loser; */ 5304 } 5305 5306 alert_loser: 5307 (void)SSL3_SendAlert(ss, alert_fatal, desc); 5308 loser: 5309 PORT_SetError( errCode ); 5310 return SECFailure; 5311 5312 no_memory: /* no-memory error has already been set. */ 5313 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); 5314 return SECFailure; 5315 } 5316 5317 5318 typedef struct dnameNode { 5319 struct dnameNode *next; 5320 SECItem name; 5321 } dnameNode; 5322 5323 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete 5324 * ssl3 Certificate Request message. 5325 * Caller must hold Handshake and RecvBuf locks. 5326 */ 5327 static SECStatus 5328 ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length) 5329 { 5330 PRArenaPool * arena = NULL; 5331 dnameNode * node; 5332 PRInt32 remaining; 5333 PRBool isTLS = PR_FALSE; 5334 int i; 5335 int errCode = SSL_ERROR_RX_MALFORMED_CERT_REQUEST; 5336 int nnames = 0; 5337 SECStatus rv; 5338 SSL3AlertDescription desc = illegal_parameter; 5339 SECItem cert_types = {siBuffer, NULL, 0}; 5340 CERTDistNames ca_list; 5341 5342 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake", 5343 SSL_GETPID(), ss->fd)); 5344 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 5345 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 5346 5347 if (ss->ssl3.hs.ws != wait_cert_request && 5348 ss->ssl3.hs.ws != wait_server_key) { 5349 desc = unexpected_message; 5350 errCode = SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST; 5351 goto alert_loser; 5352 } 5353 5354 /* clean up anything left from previous handshake. */ 5355 if (ss->ssl3.clientCertChain != NULL) { 5356 CERT_DestroyCertificateList(ss->ssl3.clientCertChain); 5357 ss->ssl3.clientCertChain = NULL; 5358 } 5359 if (ss->ssl3.clientCertificate != NULL) { 5360 CERT_DestroyCertificate(ss->ssl3.clientCertificate); 5361 ss->ssl3.clientCertificate = NULL; 5362 } 5363 if (ss->ssl3.clientPrivateKey != NULL) { 5364 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); 5365 ss->ssl3.clientPrivateKey = NULL; 5366 } 5367 5368 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); 5369 rv = ssl3_ConsumeHandshakeVariable(ss, &cert_types, 1, &b, &length); 5370 if (rv != SECSuccess) 5371 goto loser; /* malformed, alert has been sent */ 5372 5373 arena = ca_list.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); 5374 if (arena == NULL) 5375 goto no_mem; 5376 5377 remaining = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); 5378 if (remaining < 0) 5379 goto loser; /* malformed, alert has been sent */ 5380 5381 if ((PRUint32)remaining > length) 5382 goto alert_loser; 5383 5384 ca_list.head = node = PORT_ArenaZNew(arena, dnameNode); 5385 if (node == NULL) 5386 goto no_mem; 5387 5388 while (remaining > 0) { 5389 PRInt32 len; 5390 5391 if (remaining < 2) 5392 goto alert_loser; /* malformed */ 5393 5394 node->name.len = len = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); 5395 if (len <= 0) 5396 goto loser; /* malformed, alert has been sent */ 5397 5398 remaining -= 2; 5399 if (remaining < len) 5400 goto alert_loser; /* malformed */ 5401 5402 node->name.data = b; 5403 b += len; 5404 length -= len; 5405 remaining -= len; 5406 nnames++; 5407 if (remaining <= 0) 5408 break; /* success */ 5409 5410 node->next = PORT_ArenaZNew(arena, dnameNode); 5411 node = node->next; 5412 if (node == NULL) 5413 goto no_mem; 5414 } 5415 5416 ca_list.nnames = nnames; 5417 ca_list.names = PORT_ArenaNewArray(arena, SECItem, nnames); 5418 if (nnames > 0 && ca_list.names == NULL) 5419 goto no_mem; 5420 5421 for(i = 0, node = (dnameNode*)ca_list.head; 5422 i < nnames; 5423 i++, node = node->next) { 5424 ca_list.names[i] = node->name; 5425 } 5426 5427 if (length != 0) 5428 goto alert_loser; /* malformed */ 5429 5430 desc = no_certificate; 5431 ss->ssl3.hs.ws = wait_hello_done; 5432 5433 if (ss->getClientAuthData == NULL) { 5434 rv = SECFailure; /* force it to send a no_certificate alert */ 5435 } else { 5436 /* XXX Should pass cert_types in this call!! */ 5437 rv = (SECStatus)(*ss->getClientAuthData)(ss->getClientAuthDataArg, 5438 ss->fd, &ca_list, 5439 &ss->ssl3.clientCertificate, 5440 &ss->ssl3.clientPrivateKey); 5441 } 5442 switch (rv) { 5443 case SECWouldBlock: /* getClientAuthData has put up a dialog box. */ 5444 ssl_SetAlwaysBlock(ss); 5445 break; /* not an error */ 5446 5447 case SECSuccess: 5448 /* check what the callback function returned */ 5449 if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) { 5450 /* we are missing either the key or cert */ 5451 if (ss->ssl3.clientCertificate) { 5452 /* got a cert, but no key - free it */ 5453 CERT_DestroyCertificate(ss->ssl3.clientCertificate); 5454 ss->ssl3.clientCertificate = NULL; 5455 } 5456 if (ss->ssl3.clientPrivateKey) { 5457 /* got a key, but no cert - free it */ 5458 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); 5459 ss->ssl3.clientPrivateKey = NULL; 5460 } 5461 goto send_no_certificate; 5462 } 5463 /* Setting ssl3.clientCertChain non-NULL will cause 5464 * ssl3_HandleServerHelloDone to call SendCertificate. 5465 */ 5466 ss->ssl3.clientCertChain = CERT_CertChainFromCert( 5467 ss->ssl3.clientCertificate, 5468 certUsageSSLClient, PR_FALSE); 5469 if (ss->ssl3.clientCertChain == NULL) { 5470 if (ss->ssl3.clientCertificate != NULL) { 5471 CERT_DestroyCertificate(ss->ssl3.clientCertificate); 5472 ss->ssl3.clientCertificate = NULL; 5473 } 5474 if (ss->ssl3.clientPrivateKey != NULL) { 5475 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); 5476 ss->ssl3.clientPrivateKey = NULL; 5477 } 5478 goto send_no_certificate; 5479 } 5480 break; /* not an error */ 5481 5482 case SECFailure: 5483 default: 5484 send_no_certificate: 5485 if (isTLS) { 5486 ss->ssl3.sendEmptyCert = PR_TRUE; 5487 } else { 5488 (void)SSL3_SendAlert(ss, alert_warning, no_certificate); 5489 } 5490 rv = SECSuccess; 5491 break; 5492 } 5493 goto done; 5494 5495 no_mem: 5496 rv = SECFailure; 5497 PORT_SetError(SEC_ERROR_NO_MEMORY); 5498 goto done; 5499 5500 alert_loser: 5501 if (isTLS && desc == illegal_parameter) 5502 desc = decode_error; 5503 (void)SSL3_SendAlert(ss, alert_fatal, desc); 5504 loser: 5505 PORT_SetError(errCode); 5506 rv = SECFailure; 5507 done: 5508 if (arena != NULL) 5509 PORT_FreeArena(arena, PR_FALSE); 5510 return rv; 5511 } 5512 5513 /* 5514 * attempt to restart the handshake after asynchronously handling 5515 * a request for the client's certificate. 5516 * 5517 * inputs: 5518 * cert Client cert chosen by application. 5519 * Note: ssl takes this reference, and does not bump the 5520 * reference count. The caller should drop its reference 5521 * without calling CERT_DestroyCert after calling this function. 5522 * 5523 * key Private key associated with cert. This function makes a 5524 * copy of the private key, so the caller remains responsible 5525 * for destroying its copy after this function returns. 5526 * 5527 * certChain DER-encoded certs, client cert and its signers. 5528 * Note: ssl takes this reference, and does not copy the chain. 5529 * The caller should drop its reference without destroying the 5530 * chain. SSL will free the chain when it is done with it. 5531 * 5532 * Return value: XXX 5533 * 5534 * XXX This code only works on the initial handshake on a connection, XXX 5535 * It does not work on a subsequent handshake (redo). 5536 * 5537 * Caller holds 1stHandshakeLock. 5538 */ 5539 SECStatus 5540 ssl3_RestartHandshakeAfterCertReq(sslSocket * ss, 5541 CERTCertificate * cert, 5542 SECKEYPrivateKey * key, 5543 CERTCertificateList *certChain) 5544 { 5545 SECStatus rv = SECSuccess; 5546 5547 if (MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_3_0)) { 5548 /* XXX This code only works on the initial handshake on a connection, 5549 ** XXX It does not work on a subsequent handshake (redo). 5550 */ 5551 if (ss->handshake != 0) { 5552 ss->handshake = ssl_GatherRecord1stHandshake; 5553 ss->ssl3.clientCertificate = cert; 5554 ss->ssl3.clientCertChain = certChain; 5555 if (key == NULL) { 5556 (void)SSL3_SendAlert(ss, alert_warning, no_certificate); 5557 ss->ssl3.clientPrivateKey = NULL; 5558 } else { 5559 ss->ssl3.clientPrivateKey = SECKEY_CopyPrivateKey(key); 5560 } 5561 ssl_GetRecvBufLock(ss); 5562 if (ss->ssl3.hs.msgState.buf != NULL) { 5563 rv = ssl3_HandleRecord(ss, NULL, &ss->gs.buf); 5564 } 5565 ssl_ReleaseRecvBufLock(ss); 5566 } 5567 } 5568 return rv; 5569 } 5570 5571 5572 5573 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete 5574 * ssl3 Server Hello Done message. 5575 * Caller must hold Handshake and RecvBuf locks. 5576 */ 5577 static SECStatus 5578 ssl3_HandleServerHelloDone(sslSocket *ss) 5579 { 5580 SECStatus rv; 5581 SSL3WaitState ws = ss->ssl3.hs.ws; 5582 PRBool send_verify = PR_FALSE; 5583 5584 SSL_TRC(3, ("%d: SSL3[%d]: handle server_hello_done handshake", 5585 SSL_GETPID(), ss->fd)); 5586 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 5587 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 5588 5589 if (ws != wait_hello_done && 5590 ws != wait_server_cert && 5591 ws != wait_server_key && 5592 ws != wait_cert_request) { 5593 SSL3_SendAlert(ss, alert_fatal, unexpected_message); 5594 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE); 5595 return SECFailure; 5596 } 5597 5598 ssl_GetXmitBufLock(ss); /*******************************/ 5599 5600 if (ss->ssl3.sendEmptyCert) { 5601 ss->ssl3.sendEmptyCert = PR_FALSE; 5602 rv = ssl3_SendEmptyCertificate(ss); 5603 /* Don't send verify */ 5604 if (rv != SECSuccess) { 5605 goto loser; /* error code is set. */ 5606 } 5607 } else 5608 if (ss->ssl3.clientCertChain != NULL && 5609 ss->ssl3.clientPrivateKey != NULL) { 5610 send_verify = PR_TRUE; 5611 rv = ssl3_SendCertificate(ss); 5612 if (rv != SECSuccess) { 5613 goto loser; /* error code is set. */ 5614 } 5615 } 5616 5617 rv = ssl3_SendClientKeyExchange(ss); 5618 if (rv != SECSuccess) { 5619 goto loser; /* err is set. */ 5620 } 5621 5622 if (send_verify) { 5623 rv = ssl3_SendCertificateVerify(ss); 5624 if (rv != SECSuccess) { 5625 goto loser; /* err is set. */ 5626 } 5627 } 5628 rv = ssl3_SendChangeCipherSpecs(ss); 5629 if (rv != SECSuccess) { 5630 goto loser; /* err code was set. */ 5631 } 5632 5633 rv = ssl3_SendNextProto(ss); 5634 if (rv != SECSuccess) { 5635 goto loser; /* err code was set. */ 5636 } 5637 5638 rv = ssl3_SendFinished(ss, 0); 5639 if (rv != SECSuccess) { 5640 goto loser; /* err code was set. */ 5641 } 5642 5643 ssl_ReleaseXmitBufLock(ss); /*******************************/ 5644 5645 if (ssl3_ExtensionNegotiated(ss, session_ticket_xtn)) 5646 ss->ssl3.hs.ws = wait_new_session_ticket; 5647 else 5648 ss->ssl3.hs.ws = wait_change_cipher; 5649 return SECSuccess; 5650 5651 loser: 5652 ssl_ReleaseXmitBufLock(ss); 5653 return rv; 5654 } 5655 5656 /* 5657 * Routines used by servers 5658 */ 5659 static SECStatus 5660 ssl3_SendHelloRequest(sslSocket *ss) 5661 { 5662 SECStatus rv; 5663 5664 SSL_TRC(3, ("%d: SSL3[%d]: send hello_request handshake", SSL_GETPID(), 5665 ss->fd)); 5666 5667 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 5668 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); 5669 5670 rv = ssl3_AppendHandshakeHeader(ss, hello_request, 0); 5671 if (rv != SECSuccess) { 5672 return rv; /* err set by AppendHandshake */ 5673 } 5674 rv = ssl3_FlushHandshake(ss, 0); 5675 if (rv != SECSuccess) { 5676 return rv; /* error code set by ssl3_FlushHandshake */ 5677 } 5678 ss->ssl3.hs.ws = wait_client_hello; 5679 return SECSuccess; 5680 } 5681 5682 /* Sets memory error when returning NULL. 5683 * Called from: 5684 * ssl3_SendClientHello() 5685 * ssl3_HandleServerHello() 5686 * ssl3_HandleClientHello() 5687 * ssl3_HandleV2ClientHello() 5688 */ 5689 sslSessionID * 5690 ssl3_NewSessionID(sslSocket *ss, PRBool is_server) 5691 { 5692 sslSessionID *sid; 5693 5694 sid = PORT_ZNew(sslSessionID); 5695 if (sid == NULL) 5696 return sid; 5697 5698 sid->peerID = (ss->peerID == NULL) ? NULL : PORT_Strdup(ss->peerID); 5699 sid->urlSvrName = (ss->url == NULL) ? NULL : PORT_Strdup(ss->url); 5700 sid->addr = ss->sec.ci.peer; 5701 sid->port = ss->sec.ci.port; 5702 sid->references = 1; 5703 sid->cached = never_cached; 5704 sid->version = ss->version; 5705 5706 sid->u.ssl3.keys.resumable = PR_TRUE; 5707 sid->u.ssl3.policy = SSL_ALLOWED; 5708 sid->u.ssl3.clientWriteKey = NULL; 5709 sid->u.ssl3.serverWriteKey = NULL; 5710 5711 if (is_server) { 5712 SECStatus rv; 5713 int pid = SSL_GETPID(); 5714 5715 sid->u.ssl3.sessionIDLength = SSL3_SESSIONID_BYTES; 5716 sid->u.ssl3.sessionID[0] = (pid >> 8) & 0xff; 5717 sid->u.ssl3.sessionID[1] = pid & 0xff; 5718 rv = PK11_GenerateRandom(sid->u.ssl3.sessionID + 2, 5719 SSL3_SESSIONID_BYTES -2); 5720 if (rv != SECSuccess) { 5721 ssl_FreeSID(sid); 5722 ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE); 5723 return NULL; 5724 } 5725 } 5726 return sid; 5727 } 5728 5729 /* Called from: ssl3_HandleClientHello, ssl3_HandleV2ClientHello */ 5730 static SECStatus 5731 ssl3_SendServerHelloSequence(sslSocket *ss) 5732 { 5733 const ssl3KEADef *kea_def; 5734 SECStatus rv; 5735 5736 SSL_TRC(3, ("%d: SSL3[%d]: begin send server_hello sequence", 5737 SSL_GETPID(), ss->fd)); 5738 5739 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 5740 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); 5741 5742 rv = ssl3_SendServerHello(ss); 5743 if (rv != SECSuccess) { 5744 return rv; /* err code is set. */ 5745 } 5746 rv = ssl3_SendCertificate(ss); 5747 if (rv != SECSuccess) { 5748 return rv; /* error code is set. */ 5749 } 5750 /* We have to do this after the call to ssl3_SendServerHello, 5751 * because kea_def is set up by ssl3_SendServerHello(). 5752 */ 5753 kea_def = ss->ssl3.hs.kea_def; 5754 ss->ssl3.hs.usedStepDownKey = PR_FALSE; 5755 5756 if (kea_def->is_limited && kea_def->exchKeyType == kt_rsa) { 5757 /* see if we can legally use the key in the cert. */ 5758 int keyLen; /* bytes */ 5759 5760 keyLen = PK11_GetPrivateModulusLen( 5761 ss->serverCerts[kea_def->exchKeyType].SERVERKEY); 5762 5763 if (keyLen > 0 && 5764 keyLen * BPB <= kea_def->key_size_limit ) { 5765 /* XXX AND cert is not signing only!! */ 5766 /* just fall through and use it. */ 5767 } else if (ss->stepDownKeyPair != NULL) { 5768 ss->ssl3.hs.usedStepDownKey = PR_TRUE; 5769 rv = ssl3_SendServerKeyExchange(ss); 5770 if (rv != SECSuccess) { 5771 return rv; /* err code was set. */ 5772 } 5773 } else { 5774 #ifndef HACKED_EXPORT_SERVER 5775 PORT_SetError(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED); 5776 return rv; 5777 #endif 5778 } 5779 #ifdef NSS_ENABLE_ECC 5780 } else if ((kea_def->kea == kea_ecdhe_rsa) || 5781 (kea_def->kea == kea_ecdhe_ecdsa)) { 5782 rv = ssl3_SendServerKeyExchange(ss); 5783 if (rv != SECSuccess) { 5784 return rv; /* err code was set. */ 5785 } 5786 #endif /* NSS_ENABLE_ECC */ 5787 } 5788 5789 if (ss->opt.requestCertificate) { 5790 rv = ssl3_SendCertificateRequest(ss); 5791 if (rv != SECSuccess) { 5792 return rv; /* err code is set. */ 5793 } 5794 } 5795 rv = ssl3_SendServerHelloDone(ss); 5796 if (rv != SECSuccess) { 5797 return rv; /* err code is set. */ 5798 } 5799 5800 ss->ssl3.hs.ws = (ss->opt.requestCertificate) ? wait_client_cert 5801 : wait_client_key; 5802 return SECSuccess; 5803 } 5804 5805 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete 5806 * ssl3 Client Hello message. 5807 * Caller must hold Handshake and RecvBuf locks. 5808 */ 5809 static SECStatus 5810 ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) 5811 { 5812 sslSessionID * sid = NULL; 5813 PRInt32 tmp; 5814 unsigned int i; 5815 int j; 5816 SECStatus rv; 5817 int errCode = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO; 5818 SSL3AlertDescription desc = illegal_parameter; 5819 SSL3AlertLevel level = alert_fatal; 5820 SSL3ProtocolVersion version; 5821 SECItem sidBytes = {siBuffer, NULL, 0}; 5822 SECItem suites = {siBuffer, NULL, 0}; 5823 SECItem comps = {siBuffer, NULL, 0}; 5824 PRBool haveSpecWriteLock = PR_FALSE; 5825 PRBool haveXmitBufLock = PR_FALSE; 5826 5827 SSL_TRC(3, ("%d: SSL3[%d]: handle client_hello handshake", 5828 SSL_GETPID(), ss->fd)); 5829 5830 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 5831 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 5832 5833 /* Get peer name of client */ 5834 rv = ssl_GetPeerInfo(ss); 5835 if (rv != SECSuccess) { 5836 return rv; /* error code is set. */ 5837 } 5838 5839 /* We might be starting session renegotiation in which case we should 5840 * clear previous state. 5841 */ 5842 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData)); 5843 ss->statelessResume = PR_FALSE; 5844 5845 rv = ssl3_InitState(ss); 5846 if (rv != SECSuccess) { 5847 return rv; /* ssl3_InitState has set the error code. */ 5848 } 5849 5850 if ((ss->ssl3.hs.ws != wait_client_hello) && 5851 (ss->ssl3.hs.ws != idle_handshake)) { 5852 desc = unexpected_message; 5853 errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO; 5854 goto alert_loser; 5855 } 5856 if (ss->ssl3.hs.ws == idle_handshake && 5857 ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) { 5858 desc = no_renegotiation; 5859 level = alert_warning; 5860 errCode = SSL_ERROR_RENEGOTIATION_NOT_ALLOWED; 5861 goto alert_loser; 5862 } 5863 5864 tmp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); 5865 if (tmp < 0) 5866 goto loser; /* malformed, alert already sent */ 5867 ss->clientHelloVersion = version = (SSL3ProtocolVersion)tmp; 5868 rv = ssl3_NegotiateVersion(ss, version); 5869 if (rv != SECSuccess) { 5870 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version 5871 : handshake_failure; 5872 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; 5873 goto alert_loser; 5874 } 5875 5876 /* grab the client random data. */ 5877 rv = ssl3_ConsumeHandshake( 5878 ss, &ss->ssl3.hs.client_random, SSL3_RANDOM_LENGTH, &b, &length); 5879 if (rv != SECSuccess) { 5880 goto loser; /* malformed */ 5881 } 5882 5883 /* grab the client's SID, if present. */ 5884 rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length); 5885 if (rv != SECSuccess) { 5886 goto loser; /* malformed */ 5887 } 5888 5889 /* grab the list of cipher suites. */ 5890 rv = ssl3_ConsumeHandshakeVariable(ss, &suites, 2, &b, &length); 5891 if (rv != SECSuccess) { 5892 goto loser; /* malformed */ 5893 } 5894 5895 /* grab the list of compression methods. */ 5896 rv = ssl3_ConsumeHandshakeVariable(ss, &comps, 1, &b, &length); 5897 if (rv != SECSuccess) { 5898 goto loser; /* malformed */ 5899 } 5900 5901 desc = handshake_failure; 5902 5903 /* Handle TLS hello extensions for SSL3 & TLS. We do not know if 5904 * we are restarting a previous session until extensions have been 5905 * parsed, since we might have received a SessionTicket extension. 5906 * Note: we allow extensions even when negotiating SSL3 for the sake 5907 * of interoperability (and backwards compatibility). 5908 */ 5909 5910 if (length) { 5911 /* Get length of hello extensions */ 5912 PRInt32 extension_length; 5913 extension_length = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); 5914 if (extension_length < 0) { 5915 goto loser; /* alert already sent */ 5916 } 5917 if (extension_length != length) { 5918 ssl3_DecodeError(ss); /* send alert */ 5919 goto loser; 5920 } 5921 rv = ssl3_HandleHelloExtensions(ss, &b, &length); 5922 if (rv != SECSuccess) { 5923 goto loser; /* malformed */ 5924 } 5925 } 5926 5927 /* We do stateful resumes only if either of the following 5928 * conditions are satisfied: (1) the client does not support the 5929 * session ticket extension, or (2) the client support the session 5930 * ticket extension, but sent an empty ticket. 5931 */ 5932 if (!ssl3_ExtensionNegotiated(ss, session_ticket_xtn) || 5933 ss->xtnData.emptySessionTicket) { 5934 if (sidBytes.len > 0 && !ss->opt.noCache) { 5935 SSL_TRC(7, ("%d: SSL3[%d]: server, lookup client session-id for 0x%08x%08x%08x%08x", 5936 SSL_GETPID(), ss->fd, ss->sec.ci.peer.pr_s6_addr32[0], 5937 ss->sec.ci.peer.pr_s6_addr32[1], 5938 ss->sec.ci.peer.pr_s6_addr32[2], 5939 ss->sec.ci.peer.pr_s6_addr32[3])); 5940 if (ssl_sid_lookup) { 5941 sid = (*ssl_sid_lookup)(&ss->sec.ci.peer, sidBytes.data, 5942 sidBytes.len, ss->dbHandle); 5943 } else { 5944 errCode = SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED; 5945 goto loser; 5946 } 5947 } 5948 } else if (ss->statelessResume) { 5949 /* Fill in the client's session ID if doing a stateless resume. 5950 * (When doing stateless resumes, server echos client's SessionID.) 5951 */ 5952 sid = ss->sec.ci.sid; 5953 PORT_Assert(sid != NULL); /* Should have already been filled in.*/ 5954 5955 if (sidBytes.len > 0 && sidBytes.len <= SSL3_SESSIONID_BYTES) { 5956 sid->u.ssl3.sessionIDLength = sidBytes.len; 5957 PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data, 5958 sidBytes.len); 5959 sid->u.ssl3.sessionIDLength = sidBytes.len; 5960 } else { 5961 sid->u.ssl3.sessionIDLength = 0; 5962 } 5963 ss->sec.ci.sid = NULL; 5964 } 5965 5966 /* We only send a session ticket extension if the client supports 5967 * the extension and we are unable to do either a stateful or 5968 * stateless resume. 5969 * 5970 * TODO: send a session ticket if performing a stateful 5971 * resumption. (As per RFC4507, a server may issue a session 5972 * ticket while doing a (stateless or stateful) session resume, 5973 * but OpenSSL-0.9.8g does not accept session tickets while 5974 * resuming.) 5975 */ 5976 if (ssl3_ExtensionNegotiated(ss, session_ticket_xtn) && sid == NULL) { 5977 ssl3_RegisterServerHelloExtensionSender(ss, 5978 session_ticket_xtn, ssl3_SendSessionTicketXtn); 5979 } 5980 5981 if (sid != NULL) { 5982 /* We've found a session cache entry for this client. 5983 * Now, if we're going to require a client-auth cert, 5984 * and we don't already have this client's cert in the session cache, 5985 * and this is the first handshake on this connection (not a redo), 5986 * then drop this old cache entry and start a new session. 5987 */ 5988 if ((sid->peerCert == NULL) && ss->opt.requestCertificate && 5989 ((ss->opt.requireCertificate == SSL_REQUIRE_ALWAYS) || 5990 (ss->opt.requireCertificate == SSL_REQUIRE_NO_ERROR) || 5991 ((ss->opt.requireCertificate == SSL_REQUIRE_FIRST_HANDSHAKE) 5992 && !ss->firstHsDone))) { 5993 5994 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_not_ok ); 5995 ss->sec.uncache(sid); 5996 ssl_FreeSID(sid); 5997 sid = NULL; 5998 } 5999 } 6000 6001 #ifdef NSS_ENABLE_ECC 6002 /* Disable any ECC cipher suites for which we have no cert. */ 6003 ssl3_FilterECCipherSuitesByServerCerts(ss); 6004 #endif 6005 6006 #ifdef PARANOID 6007 /* Look for a matching cipher suite. */ 6008 j = ssl3_config_match_init(ss); 6009 if (j <= 0) { /* no ciphers are working/supported by PK11 */ 6010 errCode = PORT_GetError(); /* error code is already set. */ 6011 goto alert_loser; 6012 } 6013 #endif 6014 6015 /* If we already have a session for this client, be sure to pick the 6016 ** same cipher suite and compression method we picked before. 6017 ** This is not a loop, despite appearances. 6018 */ 6019 if (sid) do { 6020 ssl3CipherSuiteCfg *suite; 6021 6022 /* Check that the cached compression method is still enabled. */ 6023 if (!compressionEnabled(ss, sid->u.ssl3.compression)) 6024 break; 6025 6026 /* Check that the cached compression method is in the client's list */ 6027 for (i = 0; i < comps.len; i++) { 6028 if (comps.data[i] == sid->u.ssl3.compression) 6029 break; 6030 } 6031 if (i == comps.len) 6032 break; 6033 6034 suite = ss->cipherSuites; 6035 /* Find the entry for the cipher suite used in the cached session. */ 6036 for (j = ssl_V3_SUITES_IMPLEMENTED; j > 0; --j, ++suite) { 6037 if (suite->cipher_suite == sid->u.ssl3.cipherSuite) 6038 break; 6039 } 6040 PORT_Assert(j > 0); 6041 if (j <= 0) 6042 break; 6043 #ifdef PARANOID 6044 /* Double check that the cached cipher suite is still enabled, 6045 * implemented, and allowed by policy. Might have been disabled. 6046 * The product policy won't change during the process lifetime. 6047 * Implemented ("isPresent") shouldn't change for servers. 6048 */ 6049 if (!config_match(suite, ss->ssl3.policy, PR_TRUE)) 6050 break; 6051 #else 6052 if (!suite->enabled) 6053 break; 6054 #endif 6055 /* Double check that the cached cipher suite is in the client's list */ 6056 for (i = 0; i < suites.len; i += 2) { 6057 if ((suites.data[i] == MSB(suite->cipher_suite)) && 6058 (suites.data[i + 1] == LSB(suite->cipher_suite))) { 6059 6060 ss->ssl3.hs.cipher_suite = suite->cipher_suite; 6061 ss->ssl3.hs.suite_def = 6062 ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite); 6063 6064 /* Use the cached compression method. */ 6065 ss->ssl3.hs.compression = sid->u.ssl3.compression; 6066 goto compression_found; 6067 } 6068 } 6069 } while (0); 6070 6071 /* START A NEW SESSION */ 6072 6073 #ifndef PARANOID 6074 /* Look for a matching cipher suite. */ 6075 j = ssl3_config_match_init(ss); 6076 if (j <= 0) { /* no ciphers are working/supported by PK11 */ 6077 errCode = PORT_GetError(); /* error code is already set. */ 6078 goto alert_loser; 6079 } 6080 #endif 6081 6082 /* Select a cipher suite. 6083 ** NOTE: This suite selection algorithm should be the same as the one in 6084 ** ssl3_HandleV2ClientHello(). 6085 */ 6086 for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) { 6087 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j]; 6088 if (!config_match(suite, ss->ssl3.policy, PR_TRUE)) 6089 continue; 6090 for (i = 0; i < suites.len; i += 2) { 6091 if ((suites.data[i] == MSB(suite->cipher_suite)) && 6092 (suites.data[i + 1] == LSB(suite->cipher_suite))) { 6093 6094 ss->ssl3.hs.cipher_suite = suite->cipher_suite; 6095 ss->ssl3.hs.suite_def = 6096 ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite); 6097 goto suite_found; 6098 } 6099 } 6100 } 6101 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; 6102 goto alert_loser; 6103 6104 suite_found: 6105 /* Look for a matching compression algorithm. */ 6106 for (i = 0; i < comps.len; i++) { 6107 for (j = 0; j < compressionMethodsCount; j++) { 6108 if (comps.data[i] == compressions[j] && 6109 compressionEnabled(ss, compressions[j])) { 6110 ss->ssl3.hs.compression = 6111 (SSLCompressionMethod)compressions[j]; 6112 goto compression_found; 6113 } 6114 } 6115 } 6116 errCode = SSL_ERROR_NO_COMPRESSION_OVERLAP; 6117 /* null compression must be supported */ 6118 goto alert_loser; 6119 6120 compression_found: 6121 suites.data = NULL; 6122 comps.data = NULL; 6123 6124 ss->sec.send = ssl3_SendApplicationData; 6125 6126 /* If there are any failures while processing the old sid, 6127 * we don't consider them to be errors. Instead, We just behave 6128 * as if the client had sent us no sid to begin with, and make a new one. 6129 */ 6130 if (sid != NULL) do { 6131 ssl3CipherSpec *pwSpec; 6132 SECItem wrappedMS; /* wrapped key */ 6133 6134 if (sid->version != ss->version || 6135 sid->u.ssl3.cipherSuite != ss->ssl3.hs.cipher_suite) { 6136 break; /* not an error */ 6137 } 6138 6139 if (ss->sec.ci.sid) { 6140 ss->sec.uncache(ss->sec.ci.sid); 6141 PORT_Assert(ss->sec.ci.sid != sid); /* should be impossible, but ... */ 6142 if (ss->sec.ci.sid != sid) { 6143 ssl_FreeSID(ss->sec.ci.sid); 6144 } 6145 ss->sec.ci.sid = NULL; 6146 } 6147 /* we need to resurrect the master secret.... */ 6148 6149 ssl_GetSpecWriteLock(ss); haveSpecWriteLock = PR_TRUE; 6150 pwSpec = ss->ssl3.pwSpec; 6151 if (sid->u.ssl3.keys.msIsWrapped) { 6152 PK11SymKey * wrapKey; /* wrapping key */ 6153 CK_FLAGS keyFlags = 0; 6154 if (ss->opt.bypassPKCS11) { 6155 /* we cannot restart a non-bypass session in a 6156 ** bypass socket. 6157 */ 6158 break; 6159 } 6160 6161 wrapKey = getWrappingKey(ss, NULL, sid->u.ssl3.exchKeyType, 6162 sid->u.ssl3.masterWrapMech, 6163 ss->pkcs11PinArg); 6164 if (!wrapKey) { 6165 /* we have a SID cache entry, but no wrapping key for it??? */ 6166 break; 6167 } 6168 6169 if (ss->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */ 6170 keyFlags = CKF_SIGN | CKF_VERIFY; 6171 } 6172 6173 wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret; 6174 wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len; 6175 6176 /* unwrap the master secret. */ 6177 pwSpec->master_secret = 6178 PK11_UnwrapSymKeyWithFlags(wrapKey, sid->u.ssl3.masterWrapMech, 6179 NULL, &wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE, 6180 CKA_DERIVE, sizeof(SSL3MasterSecret), keyFlags); 6181 PK11_FreeSymKey(wrapKey); 6182 if (pwSpec->master_secret == NULL) { 6183 break; /* not an error */ 6184 } 6185 } else if (ss->opt.bypassPKCS11) { 6186 wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret; 6187 wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len; 6188 memcpy(pwSpec->raw_master_secret, wrappedMS.data, wrappedMS.len); 6189 pwSpec->msItem.data = pwSpec->raw_master_secret; 6190 pwSpec->msItem.len = wrappedMS.len; 6191 } else { 6192 /* We CAN restart a bypass session in a non-bypass socket. */ 6193 /* need to import the raw master secret to session object */ 6194 PK11SlotInfo * slot; 6195 wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret; 6196 wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len; 6197 slot = PK11_GetInternalSlot(); 6198 pwSpec->master_secret = 6199 PK11_ImportSymKey(slot, CKM_SSL3_MASTER_KEY_DERIVE, 6200 PK11_OriginUnwrap, CKA_ENCRYPT, &wrappedMS, 6201 NULL); 6202 PK11_FreeSlot(slot); 6203 if (pwSpec->master_secret == NULL) { 6204 break; /* not an error */ 6205 } 6206 } 6207 ss->sec.ci.sid = sid; 6208 if (sid->peerCert != NULL) { 6209 ss->sec.peerCert = CERT_DupCertificate(sid->peerCert); 6210 } 6211 6212 /* 6213 * Old SID passed all tests, so resume this old session. 6214 * 6215 * XXX make sure compression still matches 6216 */ 6217 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_hits ); 6218 if (ss->statelessResume) 6219 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_stateless_resumes ); 6220 ss->ssl3.hs.isResuming = PR_TRUE; 6221 6222 ss->sec.authAlgorithm = sid->authAlgorithm; 6223 ss->sec.authKeyBits = sid->authKeyBits; 6224 ss->sec.keaType = sid->keaType; 6225 ss->sec.keaKeyBits = sid->keaKeyBits; 6226 6227 /* server sids don't remember the server cert we previously sent, 6228 ** but they do remember the kea type we originally used, so we 6229 ** can locate it again, provided that the current ssl socket 6230 ** has had its server certs configured the same as the previous one. 6231 */ 6232 ss->sec.localCert = 6233 CERT_DupCertificate(ss->serverCerts[sid->keaType].serverCert); 6234 6235 ssl_GetXmitBufLock(ss); haveXmitBufLock = PR_TRUE; 6236 6237 rv = ssl3_SendServerHello(ss); 6238 if (rv != SECSuccess) { 6239 errCode = PORT_GetError(); 6240 goto loser; 6241 } 6242 6243 if (haveSpecWriteLock) { 6244 ssl_ReleaseSpecWriteLock(ss); 6245 haveSpecWriteLock = PR_FALSE; 6246 } 6247 6248 /* NULL value for PMS signifies re-use of the old MS */ 6249 rv = ssl3_InitPendingCipherSpec(ss, NULL); 6250 if (rv != SECSuccess) { 6251 errCode = PORT_GetError(); 6252 goto loser; 6253 } 6254 6255 rv = ssl3_SendChangeCipherSpecs(ss); 6256 if (rv != SECSuccess) { 6257 errCode = PORT_GetError(); 6258 goto loser; 6259 } 6260 rv = ssl3_SendFinished(ss, 0); 6261 ss->ssl3.hs.ws = wait_change_cipher; 6262 if (rv != SECSuccess) { 6263 errCode = PORT_GetError(); 6264 goto loser; 6265 } 6266 6267 if (haveXmitBufLock) { 6268 ssl_ReleaseXmitBufLock(ss); 6269 haveXmitBufLock = PR_FALSE; 6270 } 6271 6272 return SECSuccess; 6273 } while (0); 6274 6275 if (haveSpecWriteLock) { 6276 ssl_ReleaseSpecWriteLock(ss); 6277 haveSpecWriteLock = PR_FALSE; 6278 } 6279 6280 if (sid) { /* we had a sid, but it's no longer valid, free it */ 6281 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_not_ok ); 6282 ss->sec.uncache(sid); 6283 ssl_FreeSID(sid); 6284 sid = NULL; 6285 } 6286 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_misses ); 6287 6288 sid = ssl3_NewSessionID(ss, PR_TRUE); 6289 if (sid == NULL) { 6290 errCode = PORT_GetError(); 6291 goto loser; /* memory error is set. */ 6292 } 6293 ss->sec.ci.sid = sid; 6294 6295 ss->ssl3.hs.isResuming = PR_FALSE; 6296 ssl_GetXmitBufLock(ss); 6297 rv = ssl3_SendServerHelloSequence(ss); 6298 ssl_ReleaseXmitBufLock(ss); 6299 if (rv != SECSuccess) { 6300 errCode = PORT_GetError(); 6301 goto loser; 6302 } 6303 6304 if (haveXmitBufLock) { 6305 ssl_ReleaseXmitBufLock(ss); 6306 haveXmitBufLock = PR_FALSE; 6307 } 6308 6309 return SECSuccess; 6310 6311 alert_loser: 6312 if (haveSpecWriteLock) { 6313 ssl_ReleaseSpecWriteLock(ss); 6314 haveSpecWriteLock = PR_FALSE; 6315 } 6316 (void)SSL3_SendAlert(ss, level, desc); 6317 /* FALLTHRU */ 6318 loser: 6319 if (haveSpecWriteLock) { 6320 ssl_ReleaseSpecWriteLock(ss); 6321 haveSpecWriteLock = PR_FALSE; 6322 } 6323 6324 if (haveXmitBufLock) { 6325 ssl_ReleaseXmitBufLock(ss); 6326 haveXmitBufLock = PR_FALSE; 6327 } 6328 6329 PORT_SetError(errCode); 6330 return SECFailure; 6331 } 6332 6333 /* 6334 * ssl3_HandleV2ClientHello is used when a V2 formatted hello comes 6335 * in asking to use the V3 handshake. 6336 * Called from ssl2_HandleClientHelloMessage() in sslcon.c 6337 */ 6338 SECStatus 6339 ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buffer, int length) 6340 { 6341 sslSessionID * sid = NULL; 6342 unsigned char * suites; 6343 unsigned char * random; 6344 SSL3ProtocolVersion version; 6345 SECStatus rv; 6346 int i; 6347 int j; 6348 int sid_length; 6349 int suite_length; 6350 int rand_length; 6351 int errCode = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO; 6352 SSL3AlertDescription desc = handshake_failure; 6353 6354 SSL_TRC(3, ("%d: SSL3[%d]: handle v2 client_hello", SSL_GETPID(), ss->fd)); 6355 6356 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 6357 6358 ssl_GetSSL3HandshakeLock(ss); 6359 6360 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData)); 6361 6362 rv = ssl3_InitState(ss); 6363 if (rv != SECSuccess) { 6364 ssl_ReleaseSSL3HandshakeLock(ss); 6365 return rv; /* ssl3_InitState has set the error code. */ 6366 } 6367 6368 if (ss->ssl3.hs.ws != wait_client_hello) { 6369 desc = unexpected_message; 6370 errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO; 6371 goto loser; /* alert_loser */ 6372 } 6373 6374 version = (buffer[1] << 8) | buffer[2]; 6375 suite_length = (buffer[3] << 8) | buffer[4]; 6376 sid_length = (buffer[5] << 8) | buffer[6]; 6377 rand_length = (buffer[7] << 8) | buffer[8]; 6378 ss->clientHelloVersion = version; 6379 6380 rv = ssl3_NegotiateVersion(ss, version); 6381 if (rv != SECSuccess) { 6382 /* send back which ever alert client will understand. */ 6383 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version : handshake_failure; 6384 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; 6385 goto alert_loser; 6386 } 6387 6388 /* if we get a non-zero SID, just ignore it. */ 6389 if (length != 6390 SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length + rand_length) { 6391 SSL_DBG(("%d: SSL3[%d]: bad v2 client hello message, len=%d should=%d", 6392 SSL_GETPID(), ss->fd, length, 6393 SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length + 6394 rand_length)); 6395 goto loser; /* malformed */ /* alert_loser */ 6396 } 6397 6398 suites = buffer + SSL_HL_CLIENT_HELLO_HBYTES; 6399 random = suites + suite_length + sid_length; 6400 6401 if (rand_length < SSL_MIN_CHALLENGE_BYTES || 6402 rand_length > SSL_MAX_CHALLENGE_BYTES) { 6403 goto loser; /* malformed */ /* alert_loser */ 6404 } 6405 6406 PORT_Assert(SSL_MAX_CHALLENGE_BYTES == SSL3_RANDOM_LENGTH); 6407 6408 PORT_Memset(&ss->ssl3.hs.client_random, 0, SSL3_RANDOM_LENGTH); 6409 PORT_Memcpy( 6410 &ss->ssl3.hs.client_random.rand[SSL3_RANDOM_LENGTH - rand_length], 6411 random, rand_length); 6412 6413 PRINT_BUF(60, (ss, "client random:", &ss->ssl3.hs.client_random.rand[0], 6414 SSL3_RANDOM_LENGTH)); 6415 #ifdef NSS_ENABLE_ECC 6416 /* Disable any ECC cipher suites for which we have no cert. */ 6417 ssl3_FilterECCipherSuitesByServerCerts(ss); 6418 #endif 6419 i = ssl3_config_match_init(ss); 6420 if (i <= 0) { 6421 errCode = PORT_GetError(); /* error code is already set. */ 6422 goto alert_loser; 6423 } 6424 6425 /* Select a cipher suite. 6426 ** NOTE: This suite selection algorithm should be the same as the one in 6427 ** ssl3_HandleClientHello(). 6428 */ 6429 for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) { 6430 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j]; 6431 if (!config_match(suite, ss->ssl3.policy, PR_TRUE)) 6432 continue; 6433 for (i = 0; i < suite_length; i += 3) { 6434 if ((suites[i] == 0) && 6435 (suites[i+1] == MSB(suite->cipher_suite)) && 6436 (suites[i+2] == LSB(suite->cipher_suite))) { 6437 6438 ss->ssl3.hs.cipher_suite = suite->cipher_suite; 6439 ss->ssl3.hs.suite_def = 6440 ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite); 6441 goto suite_found; 6442 } 6443 } 6444 } 6445 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; 6446 goto alert_loser; 6447 6448 suite_found: 6449 6450 ss->ssl3.hs.compression = ssl_compression_null; 6451 ss->sec.send = ssl3_SendApplicationData; 6452 6453 /* we don't even search for a cache hit here. It's just a miss. */ 6454 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_misses ); 6455 sid = ssl3_NewSessionID(ss, PR_TRUE); 6456 if (sid == NULL) { 6457 errCode = PORT_GetError(); 6458 goto loser; /* memory error is set. */ 6459 } 6460 ss->sec.ci.sid = sid; 6461 /* do not worry about memory leak of sid since it now belongs to ci */ 6462 6463 /* We have to update the handshake hashes before we can send stuff */ 6464 rv = ssl3_UpdateHandshakeHashes(ss, buffer, length); 6465 if (rv != SECSuccess) { 6466 errCode = PORT_GetError(); 6467 goto loser; 6468 } 6469 6470 ssl_GetXmitBufLock(ss); 6471 rv = ssl3_SendServerHelloSequence(ss); 6472 ssl_ReleaseXmitBufLock(ss); 6473 if (rv != SECSuccess) { 6474 errCode = PORT_GetError(); 6475 goto loser; 6476 } 6477 6478 /* XXX_1 The call stack to here is: 6479 * ssl_Do1stHandshake -> ssl2_HandleClientHelloMessage -> here. 6480 * ssl2_HandleClientHelloMessage returns whatever we return here. 6481 * ssl_Do1stHandshake will continue looping if it gets back either 6482 * SECSuccess or SECWouldBlock. 6483 * SECSuccess is preferable here. See XXX_1 in sslgathr.c. 6484 */ 6485 ssl_ReleaseSSL3HandshakeLock(ss); 6486 return SECSuccess; 6487 6488 alert_loser: 6489 SSL3_SendAlert(ss, alert_fatal, desc); 6490 loser: 6491 ssl_ReleaseSSL3HandshakeLock(ss); 6492 PORT_SetError(errCode); 6493 return SECFailure; 6494 } 6495 6496 /* The negotiated version number has been already placed in ss->version. 6497 ** 6498 ** Called from: ssl3_HandleClientHello (resuming session), 6499 ** ssl3_SendServerHelloSequence <- ssl3_HandleClientHello (new session), 6500 ** ssl3_SendServerHelloSequence <- ssl3_HandleV2ClientHello (new session) 6501 */ 6502 static SECStatus 6503 ssl3_SendServerHello(sslSocket *ss) 6504 { 6505 sslSessionID *sid; 6506 SECStatus rv; 6507 PRUint32 maxBytes = 65535; 6508 PRUint32 length; 6509 PRInt32 extensions_len = 0; 6510 6511 SSL_TRC(3, ("%d: SSL3[%d]: send server_hello handshake", SSL_GETPID(), 6512 ss->fd)); 6513 6514 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 6515 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 6516 PORT_Assert( MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_3_0)); 6517 6518 if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_3_0)) { 6519 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP); 6520 return SECFailure; 6521 } 6522 6523 sid = ss->sec.ci.sid; 6524 6525 extensions_len = ssl3_CallHelloExtensionSenders(ss, PR_FALSE, maxBytes, 6526 &ss->xtnData.serverSenders[0]); 6527 if (extensions_len > 0) 6528 extensions_len += 2; /* Add sizeof total extension length */ 6529 6530 length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH + 1 + 6531 ((sid == NULL) ? 0: sid->u.ssl3.sessionIDLength) + 6532 sizeof(ssl3CipherSuite) + 1 + extensions_len; 6533 rv = ssl3_AppendHandshakeHeader(ss, server_hello, length); 6534 if (rv != SECSuccess) { 6535 return rv; /* err set by AppendHandshake. */ 6536 } 6537 6538 rv = ssl3_AppendHandshakeNumber(ss, ss->version, 2); 6539 if (rv != SECSuccess) { 6540 return rv; /* err set by AppendHandshake. */ 6541 } 6542 rv = ssl3_GetNewRandom(&ss->ssl3.hs.server_random); 6543 if (rv != SECSuccess) { 6544 ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE); 6545 return rv; 6546 } 6547 rv = ssl3_AppendHandshake( 6548 ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH); 6549 if (rv != SECSuccess) { 6550 return rv; /* err set by AppendHandshake. */ 6551 } 6552 6553 if (sid) 6554 rv = ssl3_AppendHandshakeVariable( 6555 ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1); 6556 else 6557 rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1); 6558 if (rv != SECSuccess) { 6559 return rv; /* err set by AppendHandshake. */ 6560 } 6561 6562 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.cipher_suite, 2); 6563 if (rv != SECSuccess) { 6564 return rv; /* err set by AppendHandshake. */ 6565 } 6566 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.compression, 1); 6567 if (rv != SECSuccess) { 6568 return rv; /* err set by AppendHandshake. */ 6569 } 6570 if (extensions_len) { 6571 PRInt32 sent_len; 6572 6573 extensions_len -= 2; 6574 rv = ssl3_AppendHandshakeNumber(ss, extensions_len, 2); 6575 if (rv != SECSuccess) 6576 return rv; /* err set by ssl3_SetupPendingCipherSpec */ 6577 sent_len = ssl3_CallHelloExtensionSenders(ss, PR_TRUE, extensions_len, 6578 &ss->xtnData.serverSenders[0]); 6579 PORT_Assert(sent_len == extensions_len); 6580 if (sent_len != extensions_len) { 6581 if (sent_len >= 0) 6582 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 6583 return SECFailure; 6584 } 6585 } 6586 rv = ssl3_SetupPendingCipherSpec(ss); 6587 if (rv != SECSuccess) { 6588 return rv; /* err set by ssl3_SetupPendingCipherSpec */ 6589 } 6590 6591 return SECSuccess; 6592 } 6593 6594 6595 static SECStatus 6596 ssl3_SendServerKeyExchange(sslSocket *ss) 6597 { 6598 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; 6599 SECStatus rv = SECFailure; 6600 int length; 6601 PRBool isTLS; 6602 SECItem signed_hash = {siBuffer, NULL, 0}; 6603 SSL3Hashes hashes; 6604 SECKEYPublicKey * sdPub; /* public key for step-down */ 6605 6606 SSL_TRC(3, ("%d: SSL3[%d]: send server_key_exchange handshake", 6607 SSL_GETPID(), ss->fd)); 6608 6609 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 6610 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 6611 6612 switch (kea_def->exchKeyType) { 6613 case kt_rsa: 6614 /* Perform SSL Step-Down here. */ 6615 sdPub = ss->stepDownKeyPair->pubKey; 6616 PORT_Assert(sdPub != NULL); 6617 if (!sdPub) { 6618 PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); 6619 return SECFailure; 6620 } 6621 rv = ssl3_ComputeExportRSAKeyHash(sdPub->u.rsa.modulus, 6622 sdPub->u.rsa.publicExponent, 6623 &ss->ssl3.hs.client_random, 6624 &ss->ssl3.hs.server_random, 6625 &hashes, ss->opt.bypassPKCS11); 6626 if (rv != SECSuccess) { 6627 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); 6628 return rv; 6629 } 6630 6631 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); 6632 rv = ssl3_SignHashes(&hashes, ss->serverCerts[kt_rsa].SERVERKEY, 6633 &signed_hash, isTLS); 6634 if (rv != SECSuccess) { 6635 goto loser; /* ssl3_SignHashes has set err. */ 6636 } 6637 if (signed_hash.data == NULL) { 6638 /* how can this happen and rv == SECSuccess ?? */ 6639 PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); 6640 goto loser; 6641 } 6642 length = 2 + sdPub->u.rsa.modulus.len + 6643 2 + sdPub->u.rsa.publicExponent.len + 6644 2 + signed_hash.len; 6645 6646 rv = ssl3_AppendHandshakeHeader(ss, server_key_exchange, length); 6647 if (rv != SECSuccess) { 6648 goto loser; /* err set by AppendHandshake. */ 6649 } 6650 6651 rv = ssl3_AppendHandshakeVariable(ss, sdPub->u.rsa.modulus.data, 6652 sdPub->u.rsa.modulus.len, 2); 6653 if (rv != SECSuccess) { 6654 goto loser; /* err set by AppendHandshake. */ 6655 } 6656 6657 rv = ssl3_AppendHandshakeVariable( 6658 ss, sdPub->u.rsa.publicExponent.data, 6659 sdPub->u.rsa.publicExponent.len, 2); 6660 if (rv != SECSuccess) { 6661 goto loser; /* err set by AppendHandshake. */ 6662 } 6663 6664 rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data, 6665 signed_hash.len, 2); 6666 if (rv != SECSuccess) { 6667 goto loser; /* err set by AppendHandshake. */ 6668 } 6669 PORT_Free(signed_hash.data); 6670 return SECSuccess; 6671 6672 #ifdef NSS_ENABLE_ECC 6673 case kt_ecdh: { 6674 rv = ssl3_SendECDHServerKeyExchange(ss); 6675 return rv; 6676 } 6677 #endif /* NSS_ENABLE_ECC */ 6678 6679 case kt_dh: 6680 case kt_null: 6681 default: 6682 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); 6683 break; 6684 } 6685 loser: 6686 if (signed_hash.data != NULL) 6687 PORT_Free(signed_hash.data); 6688 return SECFailure; 6689 } 6690 6691 6692 static SECStatus 6693 ssl3_SendCertificateRequest(sslSocket *ss) 6694 { 6695 SECItem * name; 6696 CERTDistNames *ca_list; 6697 const uint8 * certTypes; 6698 SECItem * names = NULL; 6699 SECStatus rv; 6700 int length; 6701 int i; 6702 int calen = 0; 6703 int nnames = 0; 6704 int certTypesLength; 6705 6706 SSL_TRC(3, ("%d: SSL3[%d]: send certificate_request handshake", 6707 SSL_GETPID(), ss->fd)); 6708 6709 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 6710 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 6711 6712 /* ssl3.ca_list is initialized to NULL, and never changed. */ 6713 ca_list = ss->ssl3.ca_list; 6714 if (!ca_list) { 6715 ca_list = ssl3_server_ca_list; 6716 } 6717 6718 if (ca_list != NULL) { 6719 names = ca_list->names; 6720 nnames = ca_list->nnames; 6721 } 6722 6723 if (!nnames) { 6724 PORT_SetError(SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA); 6725 return SECFailure; 6726 } 6727 6728 for (i = 0, name = names; i < nnames; i++, name++) { 6729 calen += 2 + name->len; 6730 } 6731 6732 certTypes = certificate_types; 6733 certTypesLength = sizeof certificate_types; 6734 6735 length = 1 + certTypesLength + 2 + calen; 6736 6737 rv = ssl3_AppendHandshakeHeader(ss, certificate_request, length); 6738 if (rv != SECSuccess) { 6739 return rv; /* err set by AppendHandshake. */ 6740 } 6741 rv = ssl3_AppendHandshakeVariable(ss, certTypes, certTypesLength, 1); 6742 if (rv != SECSuccess) { 6743 return rv; /* err set by AppendHandshake. */ 6744 } 6745 rv = ssl3_AppendHandshakeNumber(ss, calen, 2); 6746 if (rv != SECSuccess) { 6747 return rv; /* err set by AppendHandshake. */ 6748 } 6749 for (i = 0, name = names; i < nnames; i++, name++) { 6750 rv = ssl3_AppendHandshakeVariable(ss, name->data, name->len, 2); 6751 if (rv != SECSuccess) { 6752 return rv; /* err set by AppendHandshake. */ 6753 } 6754 } 6755 6756 return SECSuccess; 6757 } 6758 6759 static SECStatus 6760 ssl3_SendServerHelloDone(sslSocket *ss) 6761 { 6762 SECStatus rv; 6763 6764 SSL_TRC(3, ("%d: SSL3[%d]: send server_hello_done handshake", 6765 SSL_GETPID(), ss->fd)); 6766 6767 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 6768 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 6769 6770 rv = ssl3_AppendHandshakeHeader(ss, server_hello_done, 0); 6771 if (rv != SECSuccess) { 6772 return rv; /* err set by AppendHandshake. */ 6773 } 6774 rv = ssl3_FlushHandshake(ss, 0); 6775 if (rv != SECSuccess) { 6776 return rv; /* error code set by ssl3_FlushHandshake */ 6777 } 6778 return SECSuccess; 6779 } 6780 6781 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete 6782 * ssl3 Certificate Verify message 6783 * Caller must hold Handshake and RecvBuf locks. 6784 */ 6785 static SECStatus 6786 ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length, 6787 SSL3Hashes *hashes) 6788 { 6789 SECItem signed_hash = {siBuffer, NULL, 0}; 6790 SECStatus rv; 6791 int errCode = SSL_ERROR_RX_MALFORMED_CERT_VERIFY; 6792 SSL3AlertDescription desc = handshake_failure; 6793 PRBool isTLS; 6794 6795 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_verify handshake", 6796 SSL_GETPID(), ss->fd)); 6797 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 6798 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 6799 6800 if (ss->ssl3.hs.ws != wait_cert_verify || ss->sec.peerCert == NULL) { 6801 desc = unexpected_message; 6802 errCode = SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY; 6803 goto alert_loser; 6804 } 6805 6806 rv = ssl3_ConsumeHandshakeVariable(ss, &signed_hash, 2, &b, &length); 6807 if (rv != SECSuccess) { 6808 goto loser; /* malformed. */ 6809 } 6810 6811 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); 6812 6813 /* XXX verify that the key & kea match */ 6814 rv = ssl3_VerifySignedHashes(hashes, ss->sec.peerCert, &signed_hash, 6815 isTLS, ss->pkcs11PinArg); 6816 if (rv != SECSuccess) { 6817 errCode = PORT_GetError(); 6818 desc = isTLS ? decrypt_error : handshake_failure; 6819 goto alert_loser; 6820 } 6821 6822 signed_hash.data = NULL; 6823 6824 if (length != 0) { 6825 desc = isTLS ? decode_error : illegal_parameter; 6826 goto alert_loser; /* malformed */ 6827 } 6828 ss->ssl3.hs.ws = wait_change_cipher; 6829 return SECSuccess; 6830 6831 alert_loser: 6832 SSL3_SendAlert(ss, alert_fatal, desc); 6833 loser: 6834 PORT_SetError(errCode); 6835 return SECFailure; 6836 } 6837 6838 6839 /* find a slot that is able to generate a PMS and wrap it with RSA. 6840 * Then generate and return the PMS. 6841 * If the serverKeySlot parameter is non-null, this function will use 6842 * that slot to do the job, otherwise it will find a slot. 6843 * 6844 * Called from ssl3_DeriveConnectionKeysPKCS11() (above) 6845 * sendRSAClientKeyExchange() (above) 6846 * ssl3_HandleRSAClientKeyExchange() (below) 6847 * Caller must hold the SpecWriteLock, the SSL3HandshakeLock 6848 */ 6849 static PK11SymKey * 6850 ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec, 6851 PK11SlotInfo * serverKeySlot) 6852 { 6853 PK11SymKey * pms = NULL; 6854 PK11SlotInfo * slot = serverKeySlot; 6855 void * pwArg = ss->pkcs11PinArg; 6856 SECItem param; 6857 CK_VERSION version; 6858 CK_MECHANISM_TYPE mechanism_array[3]; 6859 6860 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 6861 6862 if (slot == NULL) { 6863 SSLCipherAlgorithm calg; 6864 /* The specReadLock would suffice here, but we cannot assert on 6865 ** read locks. Also, all the callers who call with a non-null 6866 ** slot already hold the SpecWriteLock. 6867 */ 6868 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); 6869 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); 6870 6871 calg = spec->cipher_def->calg; 6872 PORT_Assert(alg2Mech[calg].calg == calg); 6873 6874 /* First get an appropriate slot. */ 6875 mechanism_array[0] = CKM_SSL3_PRE_MASTER_KEY_GEN; 6876 mechanism_array[1] = CKM_RSA_PKCS; 6877 mechanism_array[2] = alg2Mech[calg].cmech; 6878 6879 slot = PK11_GetBestSlotMultiple(mechanism_array, 3, pwArg); 6880 if (slot == NULL) { 6881 /* can't find a slot with all three, find a slot with the minimum */ 6882 slot = PK11_GetBestSlotMultiple(mechanism_array, 2, pwArg); 6883 if (slot == NULL) { 6884 PORT_SetError(SSL_ERROR_TOKEN_SLOT_NOT_FOUND); 6885 return pms; /* which is NULL */ 6886 } 6887 } 6888 } 6889 6890 /* Generate the pre-master secret ... */ 6891 version.major = MSB(ss->clientHelloVersion); 6892 version.minor = LSB(ss->clientHelloVersion); 6893 6894 param.data = (unsigned char *)&version; 6895 param.len = sizeof version; 6896 6897 pms = PK11_KeyGen(slot, CKM_SSL3_PRE_MASTER_KEY_GEN, ¶m, 0, pwArg); 6898 if (!serverKeySlot) 6899 PK11_FreeSlot(slot); 6900 if (pms == NULL) { 6901 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); 6902 } 6903 return pms; 6904 } 6905 6906 /* Note: The Bleichenbacher attack on PKCS#1 necessitates that we NEVER 6907 * return any indication of failure of the Client Key Exchange message, 6908 * where that failure is caused by the content of the client's message. 6909 * This function must not return SECFailure for any reason that is directly 6910 * or indirectly caused by the content of the client's encrypted PMS. 6911 * We must not send an alert and also not drop the connection. 6912 * Instead, we generate a random PMS. This will cause a failure 6913 * in the processing the finished message, which is exactly where 6914 * the failure must occur. 6915 * 6916 * Called from ssl3_HandleClientKeyExchange 6917 */ 6918 static SECStatus 6919 ssl3_HandleRSAClientKeyExchange(sslSocket *ss, 6920 SSL3Opaque *b, 6921 PRUint32 length, 6922 SECKEYPrivateKey *serverKey) 6923 { 6924 PK11SymKey * pms; 6925 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random; 6926 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random; 6927 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec; 6928 unsigned int outLen = 0; 6929 PRBool isTLS = PR_FALSE; 6930 SECStatus rv; 6931 SECItem enc_pms; 6932 unsigned char rsaPmsBuf[SSL3_RSA_PMS_LENGTH]; 6933 SECItem pmsItem = {siBuffer, NULL, 0}; 6934 6935 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 6936 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 6937 6938 enc_pms.data = b; 6939 enc_pms.len = length; 6940 pmsItem.data = rsaPmsBuf; 6941 pmsItem.len = sizeof rsaPmsBuf; 6942 6943 if (ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */ 6944 PRInt32 kLen; 6945 kLen = ssl3_ConsumeHandshakeNumber(ss, 2, &enc_pms.data, &enc_pms.len); 6946 if (kLen < 0) { 6947 PORT_SetError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); 6948 return SECFailure; 6949 } 6950 if ((unsigned)kLen < enc_pms.len) { 6951 enc_pms.len = kLen; 6952 } 6953 isTLS = PR_TRUE; 6954 } else { 6955 isTLS = (PRBool)(ss->ssl3.hs.kea_def->tls_keygen != 0); 6956 } 6957 6958 if (ss->opt.bypassPKCS11) { 6959 /* TRIPLE BYPASS, get PMS directly from RSA decryption. 6960 * Use PK11_PrivDecryptPKCS1 to decrypt the PMS to a buffer, 6961 * then, check for version rollback attack, then 6962 * do the equivalent of ssl3_DeriveMasterSecret, placing the MS in 6963 * pwSpec->msItem. Finally call ssl3_InitPendingCipherSpec with 6964 * ss and NULL, so that it will use the MS we've already derived here. 6965 */ 6966 6967 rv = PK11_PrivDecryptPKCS1(serverKey, rsaPmsBuf, &outLen, 6968 sizeof rsaPmsBuf, enc_pms.data, enc_pms.len); 6969 if (rv != SECSuccess) { 6970 /* triple bypass failed. Let's try for a double bypass. */ 6971 goto double_bypass; 6972 } else if (ss->opt.detectRollBack) { 6973 SSL3ProtocolVersion client_version = 6974 (rsaPmsBuf[0] << 8) | rsaPmsBuf[1]; 6975 if (client_version != ss->clientHelloVersion) { 6976 /* Version roll-back detected. ensure failure. */ 6977 rv = PK11_GenerateRandom(rsaPmsBuf, sizeof rsaPmsBuf); 6978 } 6979 } 6980 /* have PMS, build MS without PKCS11 */ 6981 rv = ssl3_MasterKeyDeriveBypass(pwSpec, cr, sr, &pmsItem, isTLS, 6982 PR_TRUE); 6983 if (rv != SECSuccess) { 6984 pwSpec->msItem.data = pwSpec->raw_master_secret; 6985 pwSpec->msItem.len = SSL3_MASTER_SECRET_LENGTH; 6986 PK11_GenerateRandom(pwSpec->msItem.data, pwSpec->msItem.len); 6987 } 6988 rv = ssl3_InitPendingCipherSpec(ss, NULL); 6989 } else { 6990 double_bypass: 6991 /* 6992 * unwrap pms out of the incoming buffer 6993 * Note: CKM_SSL3_MASTER_KEY_DERIVE is NOT the mechanism used to do 6994 * the unwrap. Rather, it is the mechanism with which the 6995 * unwrapped pms will be used. 6996 */ 6997 pms = PK11_PubUnwrapSymKey(serverKey, &enc_pms, 6998 CKM_SSL3_MASTER_KEY_DERIVE, CKA_DERIVE, 0); 6999 if (pms != NULL) { 7000 PRINT_BUF(60, (ss, "decrypted premaster secret:", 7001 PK11_GetKeyData(pms)->data, 7002 PK11_GetKeyData(pms)->len)); 7003 } else { 7004 /* unwrap failed. Generate a bogus PMS and carry on. */ 7005 PK11SlotInfo * slot = PK11_GetSlotFromPrivateKey(serverKey); 7006 7007 ssl_GetSpecWriteLock(ss); 7008 pms = ssl3_GenerateRSAPMS(ss, ss->ssl3.prSpec, slot); 7009 ssl_ReleaseSpecWriteLock(ss); 7010 PK11_FreeSlot(slot); 7011 } 7012 7013 if (pms == NULL) { 7014 /* last gasp. */ 7015 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); 7016 return SECFailure; 7017 } 7018 7019 /* This step will derive the MS from the PMS, among other things. */ 7020 rv = ssl3_InitPendingCipherSpec(ss, pms); 7021 PK11_FreeSymKey(pms); 7022 } 7023 7024 if (rv != SECSuccess) { 7025 SEND_ALERT 7026 return SECFailure; /* error code set by ssl3_InitPendingCipherSpec */ 7027 } 7028 return SECSuccess; 7029 } 7030 7031 7032 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete 7033 * ssl3 ClientKeyExchange message from the remote client 7034 * Caller must hold Handshake and RecvBuf locks. 7035 */ 7036 static SECStatus 7037 ssl3_HandleClientKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length) 7038 { 7039 SECKEYPrivateKey *serverKey = NULL; 7040 SECStatus rv; 7041 const ssl3KEADef * kea_def; 7042 ssl3KeyPair *serverKeyPair = NULL; 7043 #ifdef NSS_ENABLE_ECC 7044 SECKEYPublicKey *serverPubKey = NULL; 7045 #endif /* NSS_ENABLE_ECC */ 7046 7047 SSL_TRC(3, ("%d: SSL3[%d]: handle client_key_exchange handshake", 7048 SSL_GETPID(), ss->fd)); 7049 7050 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 7051 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 7052 7053 if (ss->ssl3.hs.ws != wait_client_key) { 7054 SSL3_SendAlert(ss, alert_fatal, unexpected_message); 7055 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH); 7056 return SECFailure; 7057 } 7058 7059 kea_def = ss->ssl3.hs.kea_def; 7060 7061 if (ss->ssl3.hs.usedStepDownKey) { 7062 PORT_Assert(kea_def->is_limited /* XXX OR cert is signing only */ 7063 && kea_def->exchKeyType == kt_rsa 7064 && ss->stepDownKeyPair != NULL); 7065 if (!kea_def->is_limited || 7066 kea_def->exchKeyType != kt_rsa || 7067 ss->stepDownKeyPair == NULL) { 7068 /* shouldn't happen, don't use step down if it does */ 7069 goto skip; 7070 } 7071 serverKeyPair = ss->stepDownKeyPair; 7072 ss->sec.keaKeyBits = EXPORT_RSA_KEY_LENGTH * BPB; 7073 } else 7074 skip: 7075 #ifdef NSS_ENABLE_ECC 7076 /* XXX Using SSLKEAType to index server certifiates 7077 * does not work for (EC)DHE ciphers. Until we have 7078 * an indexing mechanism general enough for all key 7079 * exchange algorithms, we'll need to deal with each 7080 * one seprately. 7081 */ 7082 if ((kea_def->kea == kea_ecdhe_rsa) || 7083 (kea_def->kea == kea_ecdhe_ecdsa)) { 7084 if (ss->ephemeralECDHKeyPair != NULL) { 7085 serverKeyPair = ss->ephemeralECDHKeyPair; 7086 if (serverKeyPair->pubKey) { 7087 ss->sec.keaKeyBits = 7088 SECKEY_PublicKeyStrengthInBits(serverKeyPair->pubKey); 7089 } 7090 } 7091 } else 7092 #endif 7093 { 7094 sslServerCerts * sc = ss->serverCerts + kea_def->exchKeyType; 7095 serverKeyPair = sc->serverKeyPair; 7096 ss->sec.keaKeyBits = sc->serverKeyBits; 7097 } 7098 7099 if (serverKeyPair) { 7100 serverKey = serverKeyPair->privKey; 7101 } 7102 7103 if (serverKey == NULL) { 7104 SEND_ALERT 7105 PORT_SetError(SSL_ERROR_NO_SERVER_KEY_FOR_ALG); 7106 return SECFailure; 7107 } 7108 7109 ss->sec.keaType = kea_def->exchKeyType; 7110 7111 switch (kea_def->exchKeyType) { 7112 case kt_rsa: 7113 rv = ssl3_HandleRSAClientKeyExchange(ss, b, length, serverKey); 7114 if (rv != SECSuccess) { 7115 SEND_ALERT 7116 return SECFailure; /* error code set */ 7117 } 7118 break; 7119 7120 7121 #ifdef NSS_ENABLE_ECC 7122 case kt_ecdh: 7123 /* XXX We really ought to be able to store multiple 7124 * EC certs (a requirement if we wish to support both 7125 * ECDH-RSA and ECDH-ECDSA key exchanges concurrently). 7126 * When we make that change, we'll need an index other 7127 * than kt_ecdh to pick the right EC certificate. 7128 */ 7129 if (serverKeyPair) { 7130 serverPubKey = serverKeyPair->pubKey; 7131 } 7132 if (serverPubKey == NULL) { 7133 /* XXX Is this the right error code? */ 7134 PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); 7135 return SECFailure; 7136 } 7137 rv = ssl3_HandleECDHClientKeyExchange(ss, b, length, 7138 serverPubKey, serverKey); 7139 if (rv != SECSuccess) { 7140 return SECFailure; /* error code set */ 7141 } 7142 break; 7143 #endif /* NSS_ENABLE_ECC */ 7144 7145 default: 7146 (void) ssl3_HandshakeFailure(ss); 7147 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); 7148 return SECFailure; 7149 } 7150 ss->ssl3.hs.ws = ss->sec.peerCert ? wait_cert_verify : wait_change_cipher; 7151 return SECSuccess; 7152 7153 } 7154 7155 /* This is TLS's equivalent of sending a no_certificate alert. */ 7156 static SECStatus 7157 ssl3_SendEmptyCertificate(sslSocket *ss) 7158 { 7159 SECStatus rv; 7160 7161 rv = ssl3_AppendHandshakeHeader(ss, certificate, 3); 7162 if (rv == SECSuccess) { 7163 rv = ssl3_AppendHandshakeNumber(ss, 0, 3); 7164 } 7165 return rv; /* error, if any, set by functions called above. */ 7166 } 7167 7168 SECStatus 7169 ssl3_HandleNewSessionTicket(sslSocket *ss, SSL3Opaque *b, PRUint32 length) 7170 { 7171 SECStatus rv; 7172 NewSessionTicket session_ticket; 7173 7174 SSL_TRC(3, ("%d: SSL3[%d]: handle session_ticket handshake", 7175 SSL_GETPID(), ss->fd)); 7176 7177 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 7178 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 7179 7180 if (ss->ssl3.hs.ws != wait_new_session_ticket) { 7181 SSL3_SendAlert(ss, alert_fatal, unexpected_message); 7182 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET); 7183 return SECFailure; 7184 } 7185 7186 session_ticket.received_timestamp = ssl_Time(); 7187 if (length < 4) { 7188 (void)SSL3_SendAlert(ss, alert_fatal, decode_error); 7189 PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET); 7190 return SECFailure; 7191 } 7192 session_ticket.ticket_lifetime_hint = 7193 (PRUint32)ssl3_ConsumeHandshakeNumber(ss, 4, &b, &length); 7194 7195 rv = ssl3_ConsumeHandshakeVariable(ss, &session_ticket.ticket, 2, 7196 &b, &length); 7197 if (length != 0 || rv != SECSuccess) { 7198 (void)SSL3_SendAlert(ss, alert_fatal, decode_error); 7199 PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET); 7200 return SECFailure; /* malformed */ 7201 } 7202 7203 rv = ssl3_SetSIDSessionTicket(ss->sec.ci.sid, &session_ticket); 7204 if (rv != SECSuccess) { 7205 (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure); 7206 PORT_SetError(SSL_ERROR_INTERNAL_ERROR_ALERT); 7207 return SECFailure; 7208 } 7209 ss->ssl3.hs.ws = wait_change_cipher; 7210 return SECSuccess; 7211 } 7212 7213 #ifdef NISCC_TEST 7214 static PRInt32 connNum = 0; 7215 7216 static SECStatus 7217 get_fake_cert(SECItem *pCertItem, int *pIndex) 7218 { 7219 PRFileDesc *cf; 7220 char * testdir; 7221 char * startat; 7222 char * stopat; 7223 const char *extension; 7224 int fileNum; 7225 PRInt32 numBytes = 0; 7226 PRStatus prStatus; 7227 PRFileInfo info; 7228 char cfn[100]; 7229 7230 pCertItem->data = 0; 7231 if ((testdir = PR_GetEnv("NISCC_TEST")) == NULL) { 7232 return SECSuccess; 7233 } 7234 *pIndex = (NULL != strstr(testdir, "root")); 7235 extension = (strstr(testdir, "simple") ? "" : ".der"); 7236 fileNum = PR_AtomicIncrement(&connNum) - 1; 7237 if ((startat = PR_GetEnv("START_AT")) != NULL) { 7238 fileNum += atoi(startat); 7239 } 7240 if ((stopat = PR_GetEnv("STOP_AT")) != NULL && 7241 fileNum >= atoi(stopat)) { 7242 *pIndex = -1; 7243 return SECSuccess; 7244 } 7245 sprintf(cfn, "%s/%08d%s", testdir, fileNum, extension); 7246 cf = PR_Open(cfn, PR_RDONLY, 0); 7247 if (!cf) { 7248 goto loser; 7249 } 7250 prStatus = PR_GetOpenFileInfo(cf, &info); 7251 if (prStatus != PR_SUCCESS) { 7252 PR_Close(cf); 7253 goto loser; 7254 } 7255 pCertItem = SECITEM_AllocItem(NULL, pCertItem, info.size); 7256 if (pCertItem) { 7257 numBytes = PR_Read(cf, pCertItem->data, info.size); 7258 } 7259 PR_Close(cf); 7260 if (numBytes != info.size) { 7261 SECITEM_FreeItem(pCertItem, PR_FALSE); 7262 PORT_SetError(SEC_ERROR_IO); 7263 goto loser; 7264 } 7265 fprintf(stderr, "using %s\n", cfn); 7266 return SECSuccess; 7267 7268 loser: 7269 fprintf(stderr, "failed to use %s\n", cfn); 7270 *pIndex = -1; 7271 return SECFailure; 7272 } 7273 #endif 7274 7275 /* 7276 * Used by both client and server. 7277 * Called from HandleServerHelloDone and from SendServerHelloSequence. 7278 */ 7279 static SECStatus 7280 ssl3_SendCertificate(sslSocket *ss) 7281 { 7282 SECStatus rv; 7283 CERTCertificateList *certChain; 7284 int len = 0; 7285 int i; 7286 SSL3KEAType certIndex; 7287 #ifdef NISCC_TEST 7288 SECItem fakeCert; 7289 int ndex = -1; 7290 #endif 7291 7292 SSL_TRC(3, ("%d: SSL3[%d]: send certificate handshake", 7293 SSL_GETPID(), ss->fd)); 7294 7295 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 7296 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 7297 7298 if (ss->sec.localCert) 7299 CERT_DestroyCertificate(ss->sec.localCert); 7300 if (ss->sec.isServer) { 7301 sslServerCerts * sc = NULL; 7302 7303 /* XXX SSLKEAType isn't really a good choice for 7304 * indexing certificates (it breaks when we deal 7305 * with (EC)DHE-* cipher suites. This hack ensures 7306 * the RSA cert is picked for (EC)DHE-RSA. 7307 * Revisit this when we add server side support 7308 * for ECDHE-ECDSA or client-side authentication 7309 * using EC certificates. 7310 */ 7311 if ((ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) || 7312 (ss->ssl3.hs.kea_def->kea == kea_dhe_rsa)) { 7313 certIndex = kt_rsa; 7314 } else { 7315 certIndex = ss->ssl3.hs.kea_def->exchKeyType; 7316 } 7317 sc = ss->serverCerts + certIndex; 7318 certChain = sc->serverCertChain; 7319 ss->sec.authKeyBits = sc->serverKeyBits; 7320 ss->sec.authAlgorithm = ss->ssl3.hs.kea_def->signKeyType; 7321 ss->sec.localCert = CERT_DupCertificate(sc->serverCert); 7322 } else { 7323 certChain = ss->ssl3.clientCertChain; 7324 ss->sec.localCert = CERT_DupCertificate(ss->ssl3.clientCertificate); 7325 } 7326 7327 #ifdef NISCC_TEST 7328 rv = get_fake_cert(&fakeCert, &ndex); 7329 #endif 7330 7331 if (certChain) { 7332 for (i = 0; i < certChain->len; i++) { 7333 #ifdef NISCC_TEST 7334 if (fakeCert.len > 0 && i == ndex) { 7335 len += fakeCert.len + 3; 7336 } else { 7337 len += certChain->certs[i].len + 3; 7338 } 7339 #else 7340 len += certChain->certs[i].len + 3; 7341 #endif 7342 } 7343 } 7344 7345 rv = ssl3_AppendHandshakeHeader(ss, certificate, len + 3); 7346 if (rv != SECSuccess) { 7347 return rv; /* err set by AppendHandshake. */ 7348 } 7349 rv = ssl3_AppendHandshakeNumber(ss, len, 3); 7350 if (rv != SECSuccess) { 7351 return rv; /* err set by AppendHandshake. */ 7352 } 7353 if (certChain) { 7354 for (i = 0; i < certChain->len; i++) { 7355 #ifdef NISCC_TEST 7356 if (fakeCert.len > 0 && i == ndex) { 7357 rv = ssl3_AppendHandshakeVariable(ss, fakeCert.data, 7358 fakeCert.len, 3); 7359 SECITEM_FreeItem(&fakeCert, PR_FALSE); 7360 } else { 7361 rv = ssl3_AppendHandshakeVariable(ss, certChain->certs[i].data, 7362 certChain->certs[i].len, 3); 7363 } 7364 #else 7365 rv = ssl3_AppendHandshakeVariable(ss, certChain->certs[i].data, 7366 certChain->certs[i].len, 3); 7367 #endif 7368 if (rv != SECSuccess) { 7369 return rv; /* err set by AppendHandshake. */ 7370 } 7371 } 7372 } 7373 7374 return SECSuccess; 7375 } 7376 7377 /* This is used to delete the CA certificates in the peer certificate chain 7378 * from the cert database after they've been validated. 7379 */ 7380 static void 7381 ssl3_CleanupPeerCerts(sslSocket *ss) 7382 { 7383 PRArenaPool * arena = ss->ssl3.peerCertArena; 7384 ssl3CertNode *certs = (ssl3CertNode *)ss->ssl3.peerCertChain; 7385 7386 for (; certs; certs = certs->next) { 7387 CERT_DestroyCertificate(certs->cert); 7388 } 7389 if (arena) PORT_FreeArena(arena, PR_FALSE); 7390 ss->ssl3.peerCertArena = NULL; 7391 ss->ssl3.peerCertChain = NULL; 7392 } 7393 7394 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete 7395 * ssl3 Certificate message. 7396 * Caller must hold Handshake and RecvBuf locks. 7397 */ 7398 static SECStatus 7399 ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) 7400 { 7401 ssl3CertNode * c; 7402 ssl3CertNode * certs = NULL; 7403 PRArenaPool * arena = NULL; 7404 CERTCertificate *cert; 7405 PRInt32 remaining = 0; 7406 PRInt32 size; 7407 SECStatus rv; 7408 PRBool isServer = (PRBool)(!!ss->sec.isServer); 7409 PRBool trusted = PR_FALSE; 7410 PRBool isTLS; 7411 SSL3AlertDescription desc = bad_certificate; 7412 int errCode = SSL_ERROR_RX_MALFORMED_CERTIFICATE; 7413 SECItem certItem; 7414 7415 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate handshake", 7416 SSL_GETPID(), ss->fd)); 7417 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 7418 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 7419 7420 if ((ss->ssl3.hs.ws != wait_server_cert) && 7421 (ss->ssl3.hs.ws != wait_client_cert)) { 7422 desc = unexpected_message; 7423 errCode = SSL_ERROR_RX_UNEXPECTED_CERTIFICATE; 7424 goto alert_loser; 7425 } 7426 7427 if (ss->sec.peerCert != NULL) { 7428 if (ss->sec.peerKey) { 7429 SECKEY_DestroyPublicKey(ss->sec.peerKey); 7430 ss->sec.peerKey = NULL; 7431 } 7432 CERT_DestroyCertificate(ss->sec.peerCert); 7433 ss->sec.peerCert = NULL; 7434 } 7435 7436 ssl3_CleanupPeerCerts(ss); 7437 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); 7438 7439 /* It is reported that some TLS client sends a Certificate message 7440 ** with a zero-length message body. We'll treat that case like a 7441 ** normal no_certificates message to maximize interoperability. 7442 */ 7443 if (length) { 7444 remaining = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length); 7445 if (remaining < 0) 7446 goto loser; /* fatal alert already sent by ConsumeHandshake. */ 7447 if ((PRUint32)remaining > length) 7448 goto decode_loser; 7449 } 7450 7451 if (!remaining) { 7452 if (!(isTLS && isServer)) 7453 goto alert_loser; 7454 /* This is TLS's version of a no_certificate alert. */ 7455 /* I'm a server. I've requested a client cert. He hasn't got one. */ 7456 rv = ssl3_HandleNoCertificate(ss); 7457 if (rv != SECSuccess) { 7458 errCode = PORT_GetError(); 7459 goto loser; 7460 } 7461 goto cert_block; 7462 } 7463 7464 ss->ssl3.peerCertArena = arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); 7465 if ( arena == NULL ) { 7466 goto loser; /* don't send alerts on memory errors */ 7467 } 7468 7469 /* First get the peer cert. */ 7470 remaining -= 3; 7471 if (remaining < 0) 7472 goto decode_loser; 7473 7474 size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length); 7475 if (size <= 0) 7476 goto loser; /* fatal alert already sent by ConsumeHandshake. */ 7477 7478 if (remaining < size) 7479 goto decode_loser; 7480 7481 certItem.data = b; 7482 certItem.len = size; 7483 b += size; 7484 length -= size; 7485 remaining -= size; 7486 7487 ss->sec.peerCert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL, 7488 PR_FALSE, PR_TRUE); 7489 if (ss->sec.peerCert == NULL) { 7490 /* We should report an alert if the cert was bad, but not if the 7491 * problem was just some local problem, like memory error. 7492 */ 7493 goto ambiguous_err; 7494 } 7495 7496 /* Now get all of the CA certs. */ 7497 while (remaining > 0) { 7498 remaining -= 3; 7499 if (remaining < 0) 7500 goto decode_loser; 7501 7502 size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length); 7503 if (size <= 0) 7504 goto loser; /* fatal alert already sent by ConsumeHandshake. */ 7505 7506 if (remaining < size) 7507 goto decode_loser; 7508 7509 certItem.data = b; 7510 certItem.len = size; 7511 b += size; 7512 length -= size; 7513 remaining -= size; 7514 7515 c = PORT_ArenaNew(arena, ssl3CertNode); 7516 if (c == NULL) { 7517 goto loser; /* don't send alerts on memory errors */ 7518 } 7519 7520 c->cert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL, 7521 PR_FALSE, PR_TRUE); 7522 if (c->cert == NULL) { 7523 goto ambiguous_err; 7524 } 7525 7526 if (c->cert->trust) 7527 trusted = PR_TRUE; 7528 7529 c->next = certs; 7530 certs = c; 7531 } 7532 7533 if (remaining != 0) 7534 goto decode_loser; 7535 7536 SECKEY_UpdateCertPQG(ss->sec.peerCert); 7537 7538 /* 7539 * Ask caller-supplied callback function to validate cert chain. 7540 */ 7541 rv = (SECStatus)(*ss->authCertificate)(ss->authCertificateArg, ss->fd, 7542 PR_TRUE, isServer); 7543 if (rv) { 7544 errCode = PORT_GetError(); 7545 if (!ss->handleBadCert) { 7546 goto bad_cert; 7547 } 7548 rv = (SECStatus)(*ss->handleBadCert)(ss->badCertArg, ss->fd); 7549 if ( rv ) { 7550 if ( rv == SECWouldBlock ) { 7551 /* someone will handle this connection asynchronously*/ 7552 SSL_DBG(("%d: SSL3[%d]: go to async cert handler", 7553 SSL_GETPID(), ss->fd)); 7554 ss->ssl3.peerCertChain = certs; 7555 certs = NULL; 7556 ssl_SetAlwaysBlock(ss); 7557 goto cert_block; 7558 } 7559 /* cert is bad */ 7560 goto bad_cert; 7561 } 7562 /* cert is good */ 7563 } 7564 7565 /* start SSL Step Up, if appropriate */ 7566 cert = ss->sec.peerCert; 7567 if (!isServer && 7568 ssl3_global_policy_some_restricted && 7569 ss->ssl3.policy == SSL_ALLOWED && 7570 anyRestrictedEnabled(ss) && 7571 SECSuccess == CERT_VerifyCertNow(cert->dbhandle, cert, 7572 PR_FALSE, /* checkSig */ 7573 certUsageSSLServerWithStepUp, 7574 /*XXX*/ ss->authCertificateArg) ) { 7575 ss->ssl3.policy = SSL_RESTRICTED; 7576 ss->ssl3.hs.rehandshake = PR_TRUE; 7577 } 7578 7579 ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert); 7580 7581 if (!ss->sec.isServer) { 7582 /* set the server authentication and key exchange types and sizes 7583 ** from the value in the cert. If the key exchange key is different, 7584 ** it will get fixed when we handle the server key exchange message. 7585 */ 7586 SECKEYPublicKey * pubKey = CERT_ExtractPublicKey(cert); 7587 ss->sec.authAlgorithm = ss->ssl3.hs.kea_def->signKeyType; 7588 ss->sec.keaType = ss->ssl3.hs.kea_def->exchKeyType; 7589 if (pubKey) { 7590 ss->sec.keaKeyBits = ss->sec.authKeyBits = 7591 SECKEY_PublicKeyStrengthInBits(pubKey); 7592 #ifdef NSS_ENABLE_ECC 7593 if (ss->sec.keaType == kt_ecdh) { 7594 /* Get authKeyBits from signing key. 7595 * XXX The code below uses a quick approximation of 7596 * key size based on cert->signatureWrap.signature.data 7597 * (which contains the DER encoded signature). The field 7598 * cert->signatureWrap.signature.len contains the 7599 * length of the encoded signature in bits. 7600 */ 7601 if (ss->ssl3.hs.kea_def->kea == kea_ecdh_ecdsa) { 7602 ss->sec.authKeyBits = 7603 cert->signatureWrap.signature.data[3]*8; 7604 if (cert->signatureWrap.signature.data[4] == 0x00) 7605 ss->sec.authKeyBits -= 8; 7606 /* 7607 * XXX: if cert is not signed by ecdsa we should 7608 * destroy pubKey and goto bad_cert 7609 */ 7610 } else if (ss->ssl3.hs.kea_def->kea == kea_ecdh_rsa) { 7611 ss->sec.authKeyBits = cert->signatureWrap.signature.len; 7612 /* 7613 * XXX: if cert is not signed by rsa we should 7614 * destroy pubKey and goto bad_cert 7615 */ 7616 } 7617 } 7618 #endif /* NSS_ENABLE_ECC */ 7619 SECKEY_DestroyPublicKey(pubKey); 7620 pubKey = NULL; 7621 } 7622 } 7623 7624 ss->ssl3.peerCertChain = certs; certs = NULL; arena = NULL; 7625 7626 cert_block: 7627 if (ss->sec.isServer) { 7628 ss->ssl3.hs.ws = wait_client_key; 7629 } else { 7630 ss->ssl3.hs.ws = wait_cert_request; /* disallow server_key_exchange */ 7631 if (ss->ssl3.hs.kea_def->is_limited || 7632 /* XXX OR server cert is signing only. */ 7633 #ifdef NSS_ENABLE_ECC 7634 ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa || 7635 ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa || 7636 #endif /* NSS_ENABLE_ECC */ 7637 ss->ssl3.hs.kea_def->exchKeyType == kt_dh) { 7638 ss->ssl3.hs.ws = wait_server_key; /* allow server_key_exchange */ 7639 } 7640 } 7641 7642 /* rv must normally be equal to SECSuccess here. If we called 7643 * handleBadCert, it can also be SECWouldBlock. 7644 */ 7645 return rv; 7646 7647 ambiguous_err: 7648 errCode = PORT_GetError(); 7649 switch (errCode) { 7650 case PR_OUT_OF_MEMORY_ERROR: 7651 case SEC_ERROR_BAD_DATABASE: 7652 case SEC_ERROR_NO_MEMORY: 7653 if (isTLS) { 7654 desc = internal_error; 7655 goto alert_loser; 7656 } 7657 goto loser; 7658 } 7659 /* fall through to bad_cert. */ 7660 7661 bad_cert: /* caller has set errCode. */ 7662 switch (errCode) { 7663 case SEC_ERROR_LIBRARY_FAILURE: desc = unsupported_certificate; break; 7664 case SEC_ERROR_EXPIRED_CERTIFICATE: desc = certificate_expired; break; 7665 case SEC_ERROR_REVOKED_CERTIFICATE: desc = certificate_revoked; break; 7666 case SEC_ERROR_INADEQUATE_KEY_USAGE: 7667 case SEC_ERROR_INADEQUATE_CERT_TYPE: 7668 desc = certificate_unknown; break; 7669 case SEC_ERROR_UNTRUSTED_CERT: 7670 desc = isTLS ? access_denied : certificate_unknown; break; 7671 case SEC_ERROR_UNKNOWN_ISSUER: 7672 case SEC_ERROR_UNTRUSTED_ISSUER: 7673 desc = isTLS ? unknown_ca : certificate_unknown; break; 7674 case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE: 7675 desc = isTLS ? unknown_ca : certificate_expired; break; 7676 7677 case SEC_ERROR_CERT_NOT_IN_NAME_SPACE: 7678 case SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID: 7679 case SEC_ERROR_CA_CERT_INVALID: 7680 case SEC_ERROR_BAD_SIGNATURE: 7681 default: desc = bad_certificate; break; 7682 } 7683 SSL_DBG(("%d: SSL3[%d]: peer certificate is no good: error=%d", 7684 SSL_GETPID(), ss->fd, errCode)); 7685 7686 goto alert_loser; 7687 7688 decode_loser: 7689 desc = isTLS ? decode_error : bad_certificate; 7690 7691 alert_loser: 7692 (void)SSL3_SendAlert(ss, alert_fatal, desc); 7693 7694 loser: 7695 ss->ssl3.peerCertChain = certs; certs = NULL; arena = NULL; 7696 ssl3_CleanupPeerCerts(ss); 7697 7698 if (ss->sec.peerCert != NULL) { 7699 CERT_DestroyCertificate(ss->sec.peerCert); 7700 ss->sec.peerCert = NULL; 7701 } 7702 (void)ssl_MapLowLevelError(errCode); 7703 return SECFailure; 7704 } 7705 7706 7707 /* restart an SSL connection that we stopped to run certificate dialogs 7708 ** XXX Need to document here how an application marks a cert to show that 7709 ** the application has accepted it (overridden CERT_VerifyCert). 7710 * 7711 * XXX This code only works on the initial handshake on a connection, XXX 7712 * It does not work on a subsequent handshake (redo). 7713 * 7714 * Return value: XXX 7715 * 7716 * Caller holds 1stHandshakeLock. 7717 */ 7718 int 7719 ssl3_RestartHandshakeAfterServerCert(sslSocket *ss) 7720 { 7721 CERTCertificate * cert; 7722 int rv = SECSuccess; 7723 7724 if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_3_0)) { 7725 SET_ERROR_CODE 7726 return SECFailure; 7727 } 7728 if (!ss->ssl3.initialized) { 7729 SET_ERROR_CODE 7730 return SECFailure; 7731 } 7732 7733 cert = ss->sec.peerCert; 7734 7735 /* Permit step up if user decided to accept the cert */ 7736 if (!ss->sec.isServer && 7737 ssl3_global_policy_some_restricted && 7738 ss->ssl3.policy == SSL_ALLOWED && 7739 anyRestrictedEnabled(ss) && 7740 (SECSuccess == CERT_VerifyCertNow(cert->dbhandle, cert, 7741 PR_FALSE, /* checksig */ 7742 certUsageSSLServerWithStepUp, 7743 /*XXX*/ ss->authCertificateArg) )) { 7744 ss->ssl3.policy = SSL_RESTRICTED; 7745 ss->ssl3.hs.rehandshake = PR_TRUE; 7746 } 7747 7748 if (ss->handshake != NULL) { 7749 ss->handshake = ssl_GatherRecord1stHandshake; 7750 ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert); 7751 7752 ssl_GetRecvBufLock(ss); 7753 if (ss->ssl3.hs.msgState.buf != NULL) { 7754 rv = ssl3_HandleRecord(ss, NULL, &ss->gs.buf); 7755 } 7756 ssl_ReleaseRecvBufLock(ss); 7757 } 7758 7759 return rv; 7760 } 7761 7762 static SECStatus 7763 ssl3_ComputeTLSFinished(ssl3CipherSpec *spec, 7764 PRBool isServer, 7765 const SSL3Finished * hashes, 7766 TLSFinished * tlsFinished) 7767 { 7768 const char * label; 7769 unsigned int len; 7770 SECStatus rv; 7771 7772 label = isServer ? "server finished" : "client finished"; 7773 len = 15; 7774 7775 if (spec->master_secret && !spec->bypassCiphers) { 7776 SECItem param = {siBuffer, NULL, 0}; 7777 PK11Context *prf_context = 7778 PK11_CreateContextBySymKey(CKM_TLS_PRF_GENERAL, CKA_SIGN, 7779 spec->master_secret, ¶m); 7780 if (!prf_context) 7781 return SECFailure; 7782 7783 rv = PK11_DigestBegin(prf_context); 7784 rv |= PK11_DigestOp(prf_context, (const unsigned char *) label, len); 7785 rv |= PK11_DigestOp(prf_context, hashes->md5, sizeof *hashes); 7786 rv |= PK11_DigestFinal(prf_context, tlsFinished->verify_data, 7787 &len, sizeof tlsFinished->verify_data); 7788 PORT_Assert(rv != SECSuccess || len == sizeof *tlsFinished); 7789 7790 PK11_DestroyContext(prf_context, PR_TRUE); 7791 } else { 7792 /* bypass PKCS11 */ 7793 SECItem inData = { siBuffer, }; 7794 SECItem outData = { siBuffer, }; 7795 PRBool isFIPS = PR_FALSE; 7796 7797 inData.data = (unsigned char *)hashes->md5; 7798 inData.len = sizeof hashes[0]; 7799 outData.data = tlsFinished->verify_data; 7800 outData.len = sizeof tlsFinished->verify_data; 7801 rv = TLS_PRF(&spec->msItem, label, &inData, &outData, isFIPS); 7802 PORT_Assert(rv != SECSuccess || \ 7803 outData.len == sizeof tlsFinished->verify_data); 7804 } 7805 return rv; 7806 } 7807 7808 /* called from ssl3_HandleServerHelloDone 7809 */ 7810 static SECStatus 7811 ssl3_SendNextProto(sslSocket *ss) 7812 { 7813 SECStatus rv; 7814 int padding_len; 7815 static const unsigned char padding[32] = {0}; 7816 7817 if (ss->ssl3.nextProtoState == SSL_NEXT_PROTO_NO_SUPPORT) 7818 return SECSuccess; 7819 7820 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 7821 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 7822 7823 padding_len = 32 - ((ss->ssl3.nextProto.len + 2) % 32); 7824 7825 rv = ssl3_AppendHandshakeHeader(ss, next_proto, ss->ssl3.nextProto.len + 7826 2 + padding_len); 7827 if (rv != SECSuccess) { 7828 return rv; /* error code set by AppendHandshakeHeader */ 7829 } 7830 rv = ssl3_AppendHandshakeVariable(ss, ss->ssl3.nextProto.data, 7831 ss->ssl3.nextProto.len, 1); 7832 if (rv != SECSuccess) { 7833 return rv; /* error code set by AppendHandshake */ 7834 } 7835 rv = ssl3_AppendHandshakeVariable(ss, padding, padding_len, 1); 7836 if (rv != SECSuccess) { 7837 return rv; /* error code set by AppendHandshake */ 7838 } 7839 return rv; 7840 } 7841 7842 /* called from ssl3_HandleServerHelloDone 7843 * ssl3_HandleClientHello 7844 * ssl3_HandleFinished 7845 */ 7846 static SECStatus 7847 ssl3_SendFinished(sslSocket *ss, PRInt32 flags) 7848 { 7849 ssl3CipherSpec *cwSpec; 7850 PRBool isTLS; 7851 PRBool isServer = ss->sec.isServer; 7852 SECStatus rv; 7853 SSL3Sender sender = isServer ? sender_server : sender_client; 7854 SSL3Finished hashes; 7855 TLSFinished tlsFinished; 7856 7857 SSL_TRC(3, ("%d: SSL3[%d]: send finished handshake", SSL_GETPID(), ss->fd)); 7858 7859 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 7860 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 7861 7862 ssl_GetSpecReadLock(ss); 7863 cwSpec = ss->ssl3.cwSpec; 7864 isTLS = (PRBool)(cwSpec->version > SSL_LIBRARY_VERSION_3_0); 7865 rv = ssl3_ComputeHandshakeHashes(ss, cwSpec, &hashes, sender); 7866 if (isTLS && rv == SECSuccess) { 7867 rv = ssl3_ComputeTLSFinished(cwSpec, isServer, &hashes, &tlsFinished); 7868 } 7869 ssl_ReleaseSpecReadLock(ss); 7870 if (rv != SECSuccess) { 7871 goto fail; /* err code was set by ssl3_ComputeHandshakeHashes */ 7872 } 7873 7874 if (isTLS) { 7875 rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof tlsFinished); 7876 if (rv != SECSuccess) 7877 goto fail; /* err set by AppendHandshake. */ 7878 rv = ssl3_AppendHandshake(ss, &tlsFinished, sizeof tlsFinished); 7879 if (rv != SECSuccess) 7880 goto fail; /* err set by AppendHandshake. */ 7881 } else { 7882 rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof hashes); 7883 if (rv != SECSuccess) 7884 goto fail; /* err set by AppendHandshake. */ 7885 rv = ssl3_AppendHandshake(ss, &hashes, sizeof hashes); 7886 if (rv != SECSuccess) 7887 goto fail; /* err set by AppendHandshake. */ 7888 } 7889 rv = ssl3_FlushHandshake(ss, flags); 7890 if (rv != SECSuccess) { 7891 goto fail; /* error code set by ssl3_FlushHandshake */ 7892 } 7893 return SECSuccess; 7894 7895 fail: 7896 return rv; 7897 } 7898 7899 /* wrap the master secret, and put it into the SID. 7900 * Caller holds the Spec read lock. 7901 */ 7902 SECStatus 7903 ssl3_CacheWrappedMasterSecret(sslSocket *ss, sslSessionID *sid, 7904 ssl3CipherSpec *spec, SSL3KEAType effectiveExchKeyType) 7905 { 7906 PK11SymKey * wrappingKey = NULL; 7907 PK11SlotInfo * symKeySlot; 7908 void * pwArg = ss->pkcs11PinArg; 7909 SECStatus rv = SECFailure; 7910 PRBool isServer = ss->sec.isServer; 7911 CK_MECHANISM_TYPE mechanism = CKM_INVALID_MECHANISM; 7912 symKeySlot = PK11_GetSlotFromKey(spec->master_secret); 7913 if (!isServer) { 7914 int wrapKeyIndex; 7915 int incarnation; 7916 7917 /* these next few functions are mere accessors and don't fail. */ 7918 sid->u.ssl3.masterWrapIndex = wrapKeyIndex = 7919 PK11_GetCurrentWrapIndex(symKeySlot); 7920 PORT_Assert(wrapKeyIndex == 0); /* array has only one entry! */ 7921 7922 sid->u.ssl3.masterWrapSeries = incarnation = 7923 PK11_GetSlotSeries(symKeySlot); 7924 sid->u.ssl3.masterSlotID = PK11_GetSlotID(symKeySlot); 7925 sid->u.ssl3.masterModuleID = PK11_GetModuleID(symKeySlot); 7926 sid->u.ssl3.masterValid = PR_TRUE; 7927 /* Get the default wrapping key, for wrapping the master secret before 7928 * placing it in the SID cache entry. */ 7929 wrappingKey = PK11_GetWrapKey(symKeySlot, wrapKeyIndex, 7930 CKM_INVALID_MECHANISM, incarnation, 7931 pwArg); 7932 if (wrappingKey) { 7933 mechanism = PK11_GetMechanism(wrappingKey); /* can't fail. */ 7934 } else { 7935 int keyLength; 7936 /* if the wrappingKey doesn't exist, attempt to create it. 7937 * Note: we intentionally ignore errors here. If we cannot 7938 * generate a wrapping key, it is not fatal to this SSL connection, 7939 * but we will not be able to restart this session. 7940 */ 7941 mechanism = PK11_GetBestWrapMechanism(symKeySlot); 7942 keyLength = PK11_GetBestKeyLength(symKeySlot, mechanism); 7943 /* Zero length means fixed key length algorithm, or error. 7944 * It's ambiguous. 7945 */ 7946 wrappingKey = PK11_KeyGen(symKeySlot, mechanism, NULL, 7947 keyLength, pwArg); 7948 if (wrappingKey) { 7949 PK11_SetWrapKey(symKeySlot, wrapKeyIndex, wrappingKey); 7950 } 7951 } 7952 } else { 7953 /* server socket using session cache. */ 7954 mechanism = PK11_GetBestWrapMechanism(symKeySlot); 7955 if (mechanism != CKM_INVALID_MECHANISM) { 7956 wrappingKey = 7957 getWrappingKey(ss, symKeySlot, effectiveExchKeyType, 7958 mechanism, pwArg); 7959 if (wrappingKey) { 7960 mechanism = PK11_GetMechanism(wrappingKey); /* can't fail. */ 7961 } 7962 } 7963 } 7964 7965 sid->u.ssl3.masterWrapMech = mechanism; 7966 PK11_FreeSlot(symKeySlot); 7967 7968 if (wrappingKey) { 7969 SECItem wmsItem; 7970 7971 wmsItem.data = sid->u.ssl3.keys.wrapped_master_secret; 7972 wmsItem.len = sizeof sid->u.ssl3.keys.wrapped_master_secret; 7973 rv = PK11_WrapSymKey(mechanism, NULL, wrappingKey, 7974 spec->master_secret, &wmsItem); 7975 /* rv is examined below. */ 7976 sid->u.ssl3.keys.wrapped_master_secret_len = wmsItem.len; 7977 PK11_FreeSymKey(wrappingKey); 7978 } 7979 return rv; 7980 } 7981 7982 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete 7983 * ssl3 Finished message from the peer. 7984 * Caller must hold Handshake and RecvBuf locks. 7985 */ 7986 static SECStatus 7987 ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length, 7988 const SSL3Hashes *hashes) 7989 { 7990 sslSessionID * sid = ss->sec.ci.sid; 7991 SECStatus rv = SECSuccess; 7992 PRBool isServer = ss->sec.isServer; 7993 PRBool isTLS; 7994 PRBool doStepUp; 7995 SSL3KEAType effectiveExchKeyType; 7996 7997 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 7998 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 7999 8000 SSL_TRC(3, ("%d: SSL3[%d]: handle finished handshake", 8001 SSL_GETPID(), ss->fd)); 8002 8003 if (ss->ssl3.hs.ws != wait_finished) { 8004 SSL3_SendAlert(ss, alert_fatal, unexpected_message); 8005 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_FINISHED); 8006 return SECFailure; 8007 } 8008 8009 isTLS = (PRBool)(ss->ssl3.crSpec->version > SSL_LIBRARY_VERSION_3_0); 8010 if (isTLS) { 8011 TLSFinished tlsFinished; 8012 8013 if (length != sizeof tlsFinished) { 8014 (void)SSL3_SendAlert(ss, alert_fatal, decode_error); 8015 PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED); 8016 return SECFailure; 8017 } 8018 rv = ssl3_ComputeTLSFinished(ss->ssl3.crSpec, !isServer, 8019 hashes, &tlsFinished); 8020 if (rv != SECSuccess || 8021 0 != NSS_SecureMemcmp(&tlsFinished, b, length)) { 8022 (void)SSL3_SendAlert(ss, alert_fatal, decrypt_error); 8023 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); 8024 return SECFailure; 8025 } 8026 } else { 8027 if (length != sizeof(SSL3Hashes)) { 8028 (void)ssl3_IllegalParameter(ss); 8029 PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED); 8030 return SECFailure; 8031 } 8032 8033 if (0 != NSS_SecureMemcmp(hashes, b, length)) { 8034 (void)ssl3_HandshakeFailure(ss); 8035 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); 8036 return SECFailure; 8037 } 8038 } 8039 8040 doStepUp = (PRBool)(!isServer && ss->ssl3.hs.rehandshake); 8041 8042 ssl_GetXmitBufLock(ss); /*************************************/ 8043 8044 if ((isServer && !ss->ssl3.hs.isResuming) || 8045 (!isServer && ss->ssl3.hs.isResuming)) { 8046 PRInt32 flags = 0; 8047 8048 /* Send a NewSessionTicket message if the client sent us 8049 * either an empty session ticket, or one that did not verify. 8050 * (Note that if either of these conditions was met, then the 8051 * server has sent a SessionTicket extension in the 8052 * ServerHello message.) 8053 */ 8054 if (isServer && !ss->ssl3.hs.isResuming && 8055 ssl3_ExtensionNegotiated(ss, session_ticket_xtn)) { 8056 rv = ssl3_SendNewSessionTicket(ss); 8057 if (rv != SECSuccess) { 8058 goto xmit_loser; 8059 } 8060 } 8061 8062 rv = ssl3_SendChangeCipherSpecs(ss); 8063 if (rv != SECSuccess) { 8064 goto xmit_loser; /* err is set. */ 8065 } 8066 /* If this thread is in SSL_SecureSend (trying to write some data) 8067 ** or if it is going to step up, 8068 ** then set the ssl_SEND_FLAG_FORCE_INTO_BUFFER flag, so that the 8069 ** last two handshake messages (change cipher spec and finished) 8070 ** will be sent in the same send/write call as the application data. 8071 */ 8072 if (doStepUp || ss->writerThread == PR_GetCurrentThread()) { 8073 flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER; 8074 } 8075 rv = ssl3_SendFinished(ss, flags); 8076 if (rv != SECSuccess) { 8077 goto xmit_loser; /* err is set. */ 8078 } 8079 } 8080 8081 /* Optimization: don't cache this connection if we're going to step up. */ 8082 if (doStepUp) { 8083 ssl_FreeSID(sid); 8084 ss->sec.ci.sid = sid = NULL; 8085 ss->ssl3.hs.rehandshake = PR_FALSE; 8086 rv = ssl3_SendClientHello(ss); 8087 xmit_loser: 8088 ssl_ReleaseXmitBufLock(ss); 8089 return rv; /* err code is set if appropriate. */ 8090 } 8091 8092 ssl_ReleaseXmitBufLock(ss); /*************************************/ 8093 8094 /* The first handshake is now completed. */ 8095 ss->handshake = NULL; 8096 ss->firstHsDone = PR_TRUE; 8097 ss->gs.writeOffset = 0; 8098 ss->gs.readOffset = 0; 8099 8100 if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) { 8101 effectiveExchKeyType = kt_rsa; 8102 } else { 8103 effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType; 8104 } 8105 8106 if (sid->cached == never_cached && !ss->opt.noCache && ss->sec.cache) { 8107 /* fill in the sid */ 8108 sid->u.ssl3.cipherSuite = ss->ssl3.hs.cipher_suite; 8109 sid->u.ssl3.compression = ss->ssl3.hs.compression; 8110 sid->u.ssl3.policy = ss->ssl3.policy; 8111 #ifdef NSS_ENABLE_ECC 8112 sid->u.ssl3.negotiatedECCurves = ss->ssl3.hs.negotiatedECCurves; 8113 #endif 8114 sid->u.ssl3.exchKeyType = effectiveExchKeyType; 8115 sid->version = ss->version; 8116 sid->authAlgorithm = ss->sec.authAlgorithm; 8117 sid->authKeyBits = ss->sec.authKeyBits; 8118 sid->keaType = ss->sec.keaType; 8119 sid->keaKeyBits = ss->sec.keaKeyBits; 8120 sid->lastAccessTime = sid->creationTime = ssl_Time(); 8121 sid->expirationTime = sid->creationTime + ssl3_sid_timeout; 8122 sid->localCert = CERT_DupCertificate(ss->sec.localCert); 8123 8124 ssl_GetSpecReadLock(ss); /*************************************/ 8125 8126 /* Copy the master secret (wrapped or unwrapped) into the sid */ 8127 if (ss->ssl3.crSpec->msItem.len && ss->ssl3.crSpec->msItem.data) { 8128 sid->u.ssl3.keys.wrapped_master_secret_len = 8129 ss->ssl3.crSpec->msItem.len; 8130 memcpy(sid->u.ssl3.keys.wrapped_master_secret, 8131 ss->ssl3.crSpec->msItem.data, ss->ssl3.crSpec->msItem.len); 8132 sid->u.ssl3.masterValid = PR_TRUE; 8133 sid->u.ssl3.keys.msIsWrapped = PR_FALSE; 8134 rv = SECSuccess; 8135 } else { 8136 rv = ssl3_CacheWrappedMasterSecret(ss, ss->sec.ci.sid, 8137 ss->ssl3.crSpec, 8138 effectiveExchKeyType); 8139 sid->u.ssl3.keys.msIsWrapped = PR_TRUE; 8140 } 8141 ssl_ReleaseSpecReadLock(ss); /*************************************/ 8142 8143 /* If the wrap failed, we don't cache the sid. 8144 * The connection continues normally however. 8145 */ 8146 if (rv == SECSuccess) { 8147 (*ss->sec.cache)(sid); 8148 } 8149 } 8150 ss->ssl3.hs.ws = idle_handshake; 8151 8152 /* Do the handshake callback for sslv3 here. */ 8153 if (ss->handshakeCallback != NULL) { 8154 (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData); 8155 } 8156 8157 return SECSuccess; 8158 } 8159 8160 /* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3 8161 * hanshake message. 8162 * Caller must hold Handshake and RecvBuf locks. 8163 */ 8164 static SECStatus 8165 ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length) 8166 { 8167 SECStatus rv = SECSuccess; 8168 SSL3HandshakeType type = ss->ssl3.hs.msg_type; 8169 SSL3Hashes hashes; /* computed hashes are put here. */ 8170 PRUint8 hdr[4]; 8171 8172 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 8173 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 8174 /* 8175 * We have to compute the hashes before we update them with the 8176 * current message. 8177 */ 8178 ssl_GetSpecReadLock(ss); /************************************/ 8179 if((type == finished) || (type == certificate_verify)) { 8180 SSL3Sender sender = (SSL3Sender)0; 8181 ssl3CipherSpec *rSpec = ss->ssl3.prSpec; 8182 8183 if (type == finished) { 8184 sender = ss->sec.isServer ? sender_client : sender_server; 8185 rSpec = ss->ssl3.crSpec; 8186 } 8187 rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender); 8188 } 8189 ssl_ReleaseSpecReadLock(ss); /************************************/ 8190 if (rv != SECSuccess) { 8191 return rv; /* error code was set by ssl3_ComputeHandshakeHashes*/ 8192 } 8193 SSL_TRC(30,("%d: SSL3[%d]: handle handshake message: %s", SSL_GETPID(), 8194 ss->fd, ssl3_DecodeHandshakeType(ss->ssl3.hs.msg_type))); 8195 PRINT_BUF(60, (ss, "MD5 handshake hash:", 8196 (unsigned char*)ss->ssl3.hs.md5_cx, MD5_LENGTH)); 8197 PRINT_BUF(95, (ss, "SHA handshake hash:", 8198 (unsigned char*)ss->ssl3.hs.sha_cx, SHA1_LENGTH)); 8199 8200 hdr[0] = (PRUint8)ss->ssl3.hs.msg_type; 8201 hdr[1] = (PRUint8)(length >> 16); 8202 hdr[2] = (PRUint8)(length >> 8); 8203 hdr[3] = (PRUint8)(length ); 8204 8205 /* Start new handshake hashes when we start a new handshake */ 8206 if (ss->ssl3.hs.msg_type == client_hello) { 8207 SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes", 8208 SSL_GETPID(), ss->fd )); 8209 rv = ssl3_RestartHandshakeHashes(ss); 8210 if (rv != SECSuccess) { 8211 return rv; 8212 } 8213 } 8214 /* We should not include hello_request messages in the handshake hashes */ 8215 if (ss->ssl3.hs.msg_type != hello_request) { 8216 rv = ssl3_UpdateHandshakeHashes(ss, (unsigned char*) hdr, 4); 8217 if (rv != SECSuccess) return rv; /* err code already set. */ 8218 rv = ssl3_UpdateHandshakeHashes(ss, b, length); 8219 if (rv != SECSuccess) return rv; /* err code already set. */ 8220 } 8221 8222 PORT_SetError(0); /* each message starts with no error. */ 8223 switch (ss->ssl3.hs.msg_type) { 8224 case hello_request: 8225 if (length != 0) { 8226 (void)ssl3_DecodeError(ss); 8227 PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_REQUEST); 8228 return SECFailure; 8229 } 8230 if (ss->sec.isServer) { 8231 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); 8232 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST); 8233 return SECFailure; 8234 } 8235 rv = ssl3_HandleHelloRequest(ss); 8236 break; 8237 case client_hello: 8238 if (!ss->sec.isServer) { 8239 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); 8240 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO); 8241 return SECFailure; 8242 } 8243 rv = ssl3_HandleClientHello(ss, b, length); 8244 break; 8245 case server_hello: 8246 if (ss->sec.isServer) { 8247 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); 8248 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO); 8249 return SECFailure; 8250 } 8251 rv = ssl3_HandleServerHello(ss, b, length); 8252 break; 8253 case certificate: 8254 rv = ssl3_HandleCertificate(ss, b, length); 8255 break; 8256 case server_key_exchange: 8257 if (ss->sec.isServer) { 8258 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); 8259 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH); 8260 return SECFailure; 8261 } 8262 rv = ssl3_HandleServerKeyExchange(ss, b, length); 8263 break; 8264 case certificate_request: 8265 if (ss->sec.isServer) { 8266 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); 8267 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST); 8268 return SECFailure; 8269 } 8270 rv = ssl3_HandleCertificateRequest(ss, b, length); 8271 break; 8272 case server_hello_done: 8273 if (length != 0) { 8274 (void)ssl3_DecodeError(ss); 8275 PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_DONE); 8276 return SECFailure; 8277 } 8278 if (ss->sec.isServer) { 8279 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); 8280 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE); 8281 return SECFailure; 8282 } 8283 rv = ssl3_HandleServerHelloDone(ss); 8284 break; 8285 case certificate_verify: 8286 if (!ss->sec.isServer) { 8287 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); 8288 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY); 8289 return SECFailure; 8290 } 8291 rv = ssl3_HandleCertificateVerify(ss, b, length, &hashes); 8292 break; 8293 case client_key_exchange: 8294 if (!ss->sec.isServer) { 8295 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); 8296 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH); 8297 return SECFailure; 8298 } 8299 rv = ssl3_HandleClientKeyExchange(ss, b, length); 8300 break; 8301 case new_session_ticket: 8302 if (ss->sec.isServer) { 8303 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); 8304 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET); 8305 return SECFailure; 8306 } 8307 rv = ssl3_HandleNewSessionTicket(ss, b, length); 8308 break; 8309 case finished: 8310 rv = ssl3_HandleFinished(ss, b, length, &hashes); 8311 break; 8312 default: 8313 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); 8314 PORT_SetError(SSL_ERROR_RX_UNKNOWN_HANDSHAKE); 8315 rv = SECFailure; 8316 } 8317 return rv; 8318 } 8319 8320 /* Called only from ssl3_HandleRecord, for each (deciphered) ssl3 record. 8321 * origBuf is the decrypted ssl record content. 8322 * Caller must hold the handshake and RecvBuf locks. 8323 */ 8324 static SECStatus 8325 ssl3_HandleHandshake(sslSocket *ss, sslBuffer *origBuf) 8326 { 8327 /* 8328 * There may be a partial handshake message already in the handshake 8329 * state. The incoming buffer may contain another portion, or a 8330 * complete message or several messages followed by another portion. 8331 * 8332 * Each message is made contiguous before being passed to the actual 8333 * message parser. 8334 */ 8335 sslBuffer *buf = &ss->ssl3.hs.msgState; /* do not lose the original buffer pointer */ 8336 SECStatus rv; 8337 8338 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 8339 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 8340 8341 if (buf->buf == NULL) { 8342 *buf = *origBuf; 8343 } 8344 while (buf->len > 0) { 8345 if (ss->ssl3.hs.header_bytes < 4) { 8346 uint8 t; 8347 t = *(buf->buf++); 8348 buf->len--; 8349 if (ss->ssl3.hs.header_bytes++ == 0) 8350 ss->ssl3.hs.msg_type = (SSL3HandshakeType)t; 8351 else 8352 ss->ssl3.hs.msg_len = (ss->ssl3.hs.msg_len << 8) + t; 8353 if (ss->ssl3.hs.header_bytes < 4) 8354 continue; 8355 8356 #define MAX_HANDSHAKE_MSG_LEN 0x1ffff /* 128k - 1 */ 8357 if (ss->ssl3.hs.msg_len > MAX_HANDSHAKE_MSG_LEN) { 8358 (void)ssl3_DecodeError(ss); 8359 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); 8360 return SECFailure; 8361 } 8362 #undef MAX_HANDSHAKE_MSG_LEN 8363 8364 /* If msg_len is zero, be sure we fall through, 8365 ** even if buf->len is zero. 8366 */ 8367 if (ss->ssl3.hs.msg_len > 0) 8368 continue; 8369 } 8370 8371 /* 8372 * Header has been gathered and there is at least one byte of new 8373 * data available for this message. If it can be done right out 8374 * of the original buffer, then use it from there. 8375 */ 8376 if (ss->ssl3.hs.msg_body.len == 0 && buf->len >= ss->ssl3.hs.msg_len) { 8377 /* handle it from input buffer */ 8378 rv = ssl3_HandleHandshakeMessage(ss, buf->buf, ss->ssl3.hs.msg_len); 8379 if (rv == SECFailure) { 8380 /* This test wants to fall through on either 8381 * SECSuccess or SECWouldBlock. 8382 * ssl3_HandleHandshakeMessage MUST set the error code. 8383 */ 8384 return rv; 8385 } 8386 buf->buf += ss->ssl3.hs.msg_len; 8387 buf->len -= ss->ssl3.hs.msg_len; 8388 ss->ssl3.hs.msg_len = 0; 8389 ss->ssl3.hs.header_bytes = 0; 8390 if (rv != SECSuccess) { /* return if SECWouldBlock. */ 8391 return rv; 8392 } 8393 } else { 8394 /* must be copied to msg_body and dealt with from there */ 8395 unsigned int bytes; 8396 8397 PORT_Assert(ss->ssl3.hs.msg_body.len <= ss->ssl3.hs.msg_len); 8398 bytes = PR_MIN(buf->len, ss->ssl3.hs.msg_len - ss->ssl3.hs.msg_body.len); 8399 8400 /* Grow the buffer if needed */ 8401 rv = sslBuffer_Grow(&ss->ssl3.hs.msg_body, ss->ssl3.hs.msg_len); 8402 if (rv != SECSuccess) { 8403 /* sslBuffer_Grow has set a memory error code. */ 8404 return SECFailure; 8405 } 8406 8407 PORT_Memcpy(ss->ssl3.hs.msg_body.buf + ss->ssl3.hs.msg_body.len, 8408 buf->buf, bytes); 8409 ss->ssl3.hs.msg_body.len += bytes; 8410 buf->buf += bytes; 8411 buf->len -= bytes; 8412 8413 PORT_Assert(ss->ssl3.hs.msg_body.len <= ss->ssl3.hs.msg_len); 8414 8415 /* if we have a whole message, do it */ 8416 if (ss->ssl3.hs.msg_body.len == ss->ssl3.hs.msg_len) { 8417 rv = ssl3_HandleHandshakeMessage( 8418 ss, ss->ssl3.hs.msg_body.buf, ss->ssl3.hs.msg_len); 8419 /* 8420 * XXX This appears to be wrong. This error handling 8421 * should clean up after a SECWouldBlock return, like the 8422 * error handling used 40 lines before/above this one, 8423 */ 8424 if (rv != SECSuccess) { 8425 /* ssl3_HandleHandshakeMessage MUST set error code. */ 8426 return rv; 8427 } 8428 ss->ssl3.hs.msg_body.len = 0; 8429 ss->ssl3.hs.msg_len = 0; 8430 ss->ssl3.hs.header_bytes = 0; 8431 } else { 8432 PORT_Assert(buf->len == 0); 8433 break; 8434 } 8435 } 8436 } /* end loop */ 8437 8438 origBuf->len = 0; /* So ssl3_GatherAppDataRecord will keep looping. */ 8439 buf->buf = NULL; /* not a leak. */ 8440 return SECSuccess; 8441 } 8442 8443 /* if cText is non-null, then decipher, check MAC, and decompress the 8444 * SSL record from cText->buf (typically gs->inbuf) 8445 * into databuf (typically gs->buf), and any previous contents of databuf 8446 * is lost. Then handle databuf according to its SSL record type, 8447 * unless it's an application record. 8448 * 8449 * If cText is NULL, then the ciphertext has previously been deciphered and 8450 * checked, and is already sitting in databuf. It is processed as an SSL 8451 * Handshake message. 8452 * 8453 * DOES NOT process the decrypted/decompressed application data. 8454 * On return, databuf contains the decrypted/decompressed record. 8455 * 8456 * Called from ssl3_GatherCompleteHandshake 8457 * ssl3_RestartHandshakeAfterCertReq 8458 * ssl3_RestartHandshakeAfterServerCert 8459 * 8460 * Caller must hold the RecvBufLock. 8461 * 8462 * This function aquires and releases the SSL3Handshake Lock, holding the 8463 * lock around any calls to functions that handle records other than 8464 * Application Data records. 8465 */ 8466 SECStatus 8467 ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf) 8468 { 8469 const ssl3BulkCipherDef *cipher_def; 8470 ssl3CipherSpec * crSpec; 8471 SECStatus rv; 8472 unsigned int hashBytes = MAX_MAC_LENGTH + 1; 8473 unsigned int padding_length; 8474 PRBool isTLS; 8475 PRBool padIsBad = PR_FALSE; 8476 SSL3ContentType rType; 8477 SSL3Opaque hash[MAX_MAC_LENGTH]; 8478 sslBuffer *plaintext; 8479 sslBuffer temp_buf; 8480 8481 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 8482 8483 if (!ss->ssl3.initialized) { 8484 ssl_GetSSL3HandshakeLock(ss); 8485 rv = ssl3_InitState(ss); 8486 ssl_ReleaseSSL3HandshakeLock(ss); 8487 if (rv != SECSuccess) { 8488 return rv; /* ssl3_InitState has set the error code. */ 8489 } 8490 } 8491 8492 /* check for Token Presence */ 8493 if (!ssl3_ClientAuthTokenPresent(ss->sec.ci.sid)) { 8494 PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL); 8495 return SECFailure; 8496 } 8497 8498 /* cText is NULL when we're called from ssl3_RestartHandshakeAfterXXX(). 8499 * This implies that databuf holds a previously deciphered SSL Handshake 8500 * message. 8501 */ 8502 if (cText == NULL) { 8503 SSL_DBG(("%d: SSL3[%d]: HandleRecord, resuming handshake", 8504 SSL_GETPID(), ss->fd)); 8505 rType = content_handshake; 8506 goto process_it; 8507 } 8508 8509 ssl_GetSpecReadLock(ss); /******************************************/ 8510 8511 crSpec = ss->ssl3.crSpec; 8512 8513 /* If we will be decompressing the buffer we need to decrypt somewhere 8514 * other than into databuf */ 8515 if (crSpec->decompressor) { 8516 temp_buf.buf = NULL; 8517 temp_buf.space = 0; 8518 plaintext = &temp_buf; 8519 } else { 8520 plaintext = databuf; 8521 } 8522 8523 plaintext->len = 0; /* filled in by decode call below. */ 8524 if (plaintext->space < MAX_FRAGMENT_LENGTH) { 8525 rv = sslBuffer_Grow(plaintext, MAX_FRAGMENT_LENGTH + 2048); 8526 if (rv != SECSuccess) { 8527 ssl_ReleaseSpecReadLock(ss); 8528 SSL_DBG(("%d: SSL3[%d]: HandleRecord, tried to get %d bytes", 8529 SSL_GETPID(), ss->fd, MAX_FRAGMENT_LENGTH + 2048)); 8530 /* sslBuffer_Grow has set a memory error code. */ 8531 /* Perhaps we should send an alert. (but we have no memory!) */ 8532 return SECFailure; 8533 } 8534 } 8535 8536 PRINT_BUF(80, (ss, "ciphertext:", cText->buf->buf, cText->buf->len)); 8537 8538 cipher_def = crSpec->cipher_def; 8539 isTLS = (PRBool)(crSpec->version > SSL_LIBRARY_VERSION_3_0); 8540 8541 if (isTLS && cText->buf->len > (MAX_FRAGMENT_LENGTH + 2048)) { 8542 ssl_ReleaseSpecReadLock(ss); 8543 SSL3_SendAlert(ss, alert_fatal, record_overflow); 8544 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); 8545 return SECFailure; 8546 } 8547 8548 /* decrypt from cText buf to plaintext. */ 8549 rv = crSpec->decode( 8550 crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len, 8551 plaintext->space, cText->buf->buf, cText->buf->len); 8552 8553 PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len)); 8554 if (rv != SECSuccess) { 8555 int err = ssl_MapLowLevelError(SSL_ERROR_DECRYPTION_FAILURE); 8556 ssl_ReleaseSpecReadLock(ss); 8557 SSL3_SendAlert(ss, alert_fatal, 8558 isTLS ? decryption_failed : bad_record_mac); 8559 PORT_SetError(err); 8560 return SECFailure; 8561 } 8562 8563 /* If it's a block cipher, check and strip the padding. */ 8564 if (cipher_def->type == type_block) { 8565 padding_length = *(plaintext->buf + plaintext->len - 1); 8566 /* TLS permits padding to exceed the block size, up to 255 bytes. */ 8567 if (padding_length + 1 + crSpec->mac_size > plaintext->len) 8568 padIsBad = PR_TRUE; 8569 /* if TLS, check value of first padding byte. */ 8570 else if (padding_length && isTLS && 8571 padding_length != *(plaintext->buf + 8572 plaintext->len - (padding_length + 1))) 8573 padIsBad = PR_TRUE; 8574 else 8575 plaintext->len -= padding_length + 1; 8576 } 8577 8578 /* Remove the MAC. */ 8579 if (plaintext->len >= crSpec->mac_size) 8580 plaintext->len -= crSpec->mac_size; 8581 else 8582 padIsBad = PR_TRUE; /* really macIsBad */ 8583 8584 /* compute the MAC */ 8585 rType = cText->type; 8586 rv = ssl3_ComputeRecordMAC( crSpec, (PRBool)(!ss->sec.isServer), 8587 rType, cText->version, crSpec->read_seq_num, 8588 plaintext->buf, plaintext->len, hash, &hashBytes); 8589 if (rv != SECSuccess) { 8590 int err = ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); 8591 ssl_ReleaseSpecReadLock(ss); 8592 SSL3_SendAlert(ss, alert_fatal, bad_record_mac); 8593 PORT_SetError(err); 8594 return rv; 8595 } 8596 8597 /* Check the MAC */ 8598 if (hashBytes != (unsigned)crSpec->mac_size || padIsBad || 8599 NSS_SecureMemcmp(plaintext->buf + plaintext->len, hash, 8600 crSpec->mac_size) != 0) { 8601 /* must not hold spec lock when calling SSL3_SendAlert. */ 8602 ssl_ReleaseSpecReadLock(ss); 8603 SSL3_SendAlert(ss, alert_fatal, bad_record_mac); 8604 /* always log mac error, in case attacker can read server logs. */ 8605 PORT_SetError(SSL_ERROR_BAD_MAC_READ); 8606 8607 SSL_DBG(("%d: SSL3[%d]: mac check failed", SSL_GETPID(), ss->fd)); 8608 8609 return SECFailure; 8610 } 8611 8612 8613 8614 ssl3_BumpSequenceNumber(&crSpec->read_seq_num); 8615 8616 ssl_ReleaseSpecReadLock(ss); /*****************************************/ 8617 8618 /* 8619 * The decrypted data is now in plaintext. 8620 */ 8621 8622 /* possibly decompress the record. If we aren't using compression then 8623 * plaintext == databuf and so the uncompressed data is already in 8624 * databuf. */ 8625 if (crSpec->decompressor) { 8626 if (databuf->space < plaintext->len + SSL3_COMPRESSION_MAX_EXPANSION) { 8627 rv = sslBuffer_Grow( 8628 databuf, plaintext->len + SSL3_COMPRESSION_MAX_EXPANSION); 8629 if (rv != SECSuccess) { 8630 SSL_DBG(("%d: SSL3[%d]: HandleRecord, tried to get %d bytes", 8631 SSL_GETPID(), ss->fd, 8632 plaintext->len + SSL3_COMPRESSION_MAX_EXPANSION)); 8633 /* sslBuffer_Grow has set a memory error code. */ 8634 /* Perhaps we should send an alert. (but we have no memory!) */ 8635 PORT_Free(plaintext->buf); 8636 return SECFailure; 8637 } 8638 } 8639 8640 rv = crSpec->decompressor(crSpec->decompressContext, 8641 databuf->buf, 8642 (int*) &databuf->len, 8643 databuf->space, 8644 plaintext->buf, 8645 plaintext->len); 8646 if (rv != SECSuccess) { 8647 int err = ssl_MapLowLevelError(SSL_ERROR_DECOMPRESSION_FAILURE); 8648 PORT_Free(plaintext->buf); 8649 SSL3_SendAlert(ss, alert_fatal, 8650 isTLS ? decompression_failure : bad_record_mac); 8651 PORT_SetError(err); 8652 return SECFailure; 8653 } 8654 8655 PORT_Free(plaintext->buf); 8656 } 8657 8658 /* 8659 ** Having completed the decompression, check the length again. 8660 */ 8661 if (isTLS && databuf->len > (MAX_FRAGMENT_LENGTH + 1024)) { 8662 SSL3_SendAlert(ss, alert_fatal, record_overflow); 8663 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); 8664 return SECFailure; 8665 } 8666 8667 /* Application data records are processed by the caller of this 8668 ** function, not by this function. 8669 */ 8670 if (rType == content_application_data) { 8671 return SECSuccess; 8672 } 8673 8674 /* It's a record that must be handled by ssl itself, not the application. 8675 */ 8676 process_it: 8677 /* XXX Get the xmit lock here. Odds are very high that we'll be xmiting 8678 * data ang getting the xmit lock here prevents deadlocks. 8679 */ 8680 ssl_GetSSL3HandshakeLock(ss); 8681 8682 /* All the functions called in this switch MUST set error code if 8683 ** they return SECFailure or SECWouldBlock. 8684 */ 8685 switch (rType) { 8686 case content_change_cipher_spec: 8687 rv = ssl3_HandleChangeCipherSpecs(ss, databuf); 8688 break; 8689 case content_alert: 8690 rv = ssl3_HandleAlert(ss, databuf); 8691 break; 8692 case content_handshake: 8693 rv = ssl3_HandleHandshake(ss, databuf); 8694 break; 8695 /* 8696 case content_application_data is handled before this switch 8697 */ 8698 default: 8699 SSL_DBG(("%d: SSL3[%d]: bogus content type=%d", 8700 SSL_GETPID(), ss->fd, cText->type)); 8701 /* XXX Send an alert ??? */ 8702 PORT_SetError(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE); 8703 rv = SECFailure; 8704 break; 8705 } 8706 8707 ssl_ReleaseSSL3HandshakeLock(ss); 8708 return rv; 8709 8710 } 8711 8712 /* 8713 * Initialization functions 8714 */ 8715 8716 /* Called from ssl3_InitState, immediately below. */ 8717 /* Caller must hold the SpecWriteLock. */ 8718 static void 8719 ssl3_InitCipherSpec(sslSocket *ss, ssl3CipherSpec *spec) 8720 { 8721 spec->cipher_def = &bulk_cipher_defs[cipher_null]; 8722 PORT_Assert(spec->cipher_def->cipher == cipher_null); 8723 spec->mac_def = &mac_defs[mac_null]; 8724 PORT_Assert(spec->mac_def->mac == mac_null); 8725 spec->encode = Null_Cipher; 8726 spec->decode = Null_Cipher; 8727 spec->destroy = NULL; 8728 spec->compressor = NULL; 8729 spec->decompressor = NULL; 8730 spec->destroyCompressContext = NULL; 8731 spec->destroyDecompressContext = NULL; 8732 spec->mac_size = 0; 8733 spec->master_secret = NULL; 8734 spec->bypassCiphers = PR_FALSE; 8735 8736 spec->msItem.data = NULL; 8737 spec->msItem.len = 0; 8738 8739 spec->client.write_key = NULL; 8740 spec->client.write_mac_key = NULL; 8741 spec->client.write_mac_context = NULL; 8742 8743 spec->server.write_key = NULL; 8744 spec->server.write_mac_key = NULL; 8745 spec->server.write_mac_context = NULL; 8746 8747 spec->write_seq_num.high = 0; 8748 spec->write_seq_num.low = 0; 8749 8750 spec->read_seq_num.high = 0; 8751 spec->read_seq_num.low = 0; 8752 8753 spec->version = ss->opt.enableTLS 8754 ? SSL_LIBRARY_VERSION_3_1_TLS 8755 : SSL_LIBRARY_VERSION_3_0; 8756 } 8757 8758 /* Called from: ssl3_SendRecord 8759 ** ssl3_StartHandshakeHash() <- ssl2_BeginClientHandshake() 8760 ** ssl3_SendClientHello() 8761 ** ssl3_HandleServerHello() 8762 ** ssl3_HandleClientHello() 8763 ** ssl3_HandleV2ClientHello() 8764 ** ssl3_HandleRecord() 8765 ** 8766 ** This function should perhaps acquire and release the SpecWriteLock. 8767 ** 8768 ** 8769 */ 8770 static SECStatus 8771 ssl3_InitState(sslSocket *ss) 8772 { 8773 SECStatus rv; 8774 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 8775 8776 if (ss->ssl3.initialized) 8777 return SECSuccess; /* Function should be idempotent */ 8778 8779 ss->ssl3.policy = SSL_ALLOWED; 8780 8781 ssl_GetSpecWriteLock(ss); 8782 ss->ssl3.crSpec = ss->ssl3.cwSpec = &ss->ssl3.specs[0]; 8783 ss->ssl3.prSpec = ss->ssl3.pwSpec = &ss->ssl3.specs[1]; 8784 ss->ssl3.hs.rehandshake = PR_FALSE; 8785 ssl3_InitCipherSpec(ss, ss->ssl3.crSpec); 8786 ssl3_InitCipherSpec(ss, ss->ssl3.prSpec); 8787 8788 ss->ssl3.hs.ws = (ss->sec.isServer) ? wait_client_hello : wait_server_hello; 8789 #ifdef NSS_ENABLE_ECC 8790 ss->ssl3.hs.negotiatedECCurves = SSL3_SUPPORTED_CURVES_MASK; 8791 #endif 8792 ssl_ReleaseSpecWriteLock(ss); 8793 8794 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData)); 8795 8796 rv = ssl3_NewHandshakeHashes(ss); 8797 if (rv == SECSuccess) { 8798 ss->ssl3.initialized = PR_TRUE; 8799 } 8800 8801 return rv; 8802 } 8803 8804 /* Returns a reference counted object that contains a key pair. 8805 * Or NULL on failure. Initial ref count is 1. 8806 * Uses the keys in the pair as input. 8807 */ 8808 ssl3KeyPair * 8809 ssl3_NewKeyPair( SECKEYPrivateKey * privKey, SECKEYPublicKey * pubKey) 8810 { 8811 ssl3KeyPair * pair; 8812 8813 if (!privKey || !pubKey) { 8814 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); 8815 return NULL; 8816 } 8817 pair = PORT_ZNew(ssl3KeyPair); 8818 if (!pair) 8819 return NULL; /* error code is set. */ 8820 pair->refCount = 1; 8821 pair->privKey = privKey; 8822 pair->pubKey = pubKey; 8823 return pair; /* success */ 8824 } 8825 8826 ssl3KeyPair * 8827 ssl3_GetKeyPairRef(ssl3KeyPair * keyPair) 8828 { 8829 PR_AtomicIncrement(&keyPair->refCount); 8830 return keyPair; 8831 } 8832 8833 void 8834 ssl3_FreeKeyPair(ssl3KeyPair * keyPair) 8835 { 8836 PRInt32 newCount = PR_AtomicDecrement(&keyPair->refCount); 8837 if (!newCount) { 8838 if (keyPair->privKey) 8839 SECKEY_DestroyPrivateKey(keyPair->privKey); 8840 if (keyPair->pubKey) 8841 SECKEY_DestroyPublicKey( keyPair->pubKey); 8842 PORT_Free(keyPair); 8843 } 8844 } 8845 8846 8847 8848 /* 8849 * Creates the public and private RSA keys for SSL Step down. 8850 * Called from SSL_ConfigSecureServer in sslsecur.c 8851 */ 8852 SECStatus 8853 ssl3_CreateRSAStepDownKeys(sslSocket *ss) 8854 { 8855 SECStatus rv = SECSuccess; 8856 SECKEYPrivateKey * privKey; /* RSA step down key */ 8857 SECKEYPublicKey * pubKey; /* RSA step down key */ 8858 8859 if (ss->stepDownKeyPair) 8860 ssl3_FreeKeyPair(ss->stepDownKeyPair); 8861 ss->stepDownKeyPair = NULL; 8862 #ifndef HACKED_EXPORT_SERVER 8863 /* Sigh, should have a get key strength call for private keys */ 8864 if (PK11_GetPrivateModulusLen(ss->serverCerts[kt_rsa].SERVERKEY) > 8865 EXPORT_RSA_KEY_LENGTH) { 8866 /* need to ask for the key size in bits */ 8867 privKey = SECKEY_CreateRSAPrivateKey(EXPORT_RSA_KEY_LENGTH * BPB, 8868 &pubKey, NULL); 8869 if (!privKey || !pubKey || 8870 !(ss->stepDownKeyPair = ssl3_NewKeyPair(privKey, pubKey))) { 8871 ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL); 8872 rv = SECFailure; 8873 } 8874 } 8875 #endif 8876 return rv; 8877 } 8878 8879 8880 /* record the export policy for this cipher suite */ 8881 SECStatus 8882 ssl3_SetPolicy(ssl3CipherSuite which, int policy) 8883 { 8884 ssl3CipherSuiteCfg *suite; 8885 8886 suite = ssl_LookupCipherSuiteCfg(which, cipherSuites); 8887 if (suite == NULL) { 8888 return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */ 8889 } 8890 suite->policy = policy; 8891 8892 if (policy == SSL_RESTRICTED) { 8893 ssl3_global_policy_some_restricted = PR_TRUE; 8894 } 8895 8896 return SECSuccess; 8897 } 8898 8899 SECStatus 8900 ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *oPolicy) 8901 { 8902 ssl3CipherSuiteCfg *suite; 8903 PRInt32 policy; 8904 SECStatus rv; 8905 8906 suite = ssl_LookupCipherSuiteCfg(which, cipherSuites); 8907 if (suite) { 8908 policy = suite->policy; 8909 rv = SECSuccess; 8910 } else { 8911 policy = SSL_NOT_ALLOWED; 8912 rv = SECFailure; /* err code was set by Lookup. */ 8913 } 8914 *oPolicy = policy; 8915 return rv; 8916 } 8917 8918 /* record the user preference for this suite */ 8919 SECStatus 8920 ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool enabled) 8921 { 8922 ssl3CipherSuiteCfg *suite; 8923 8924 suite = ssl_LookupCipherSuiteCfg(which, cipherSuites); 8925 if (suite == NULL) { 8926 return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */ 8927 } 8928 suite->enabled = enabled; 8929 return SECSuccess; 8930 } 8931 8932 /* return the user preference for this suite */ 8933 SECStatus 8934 ssl3_CipherPrefGetDefault(ssl3CipherSuite which, PRBool *enabled) 8935 { 8936 ssl3CipherSuiteCfg *suite; 8937 PRBool pref; 8938 SECStatus rv; 8939 8940 suite = ssl_LookupCipherSuiteCfg(which, cipherSuites); 8941 if (suite) { 8942 pref = suite->enabled; 8943 rv = SECSuccess; 8944 } else { 8945 pref = SSL_NOT_ALLOWED; 8946 rv = SECFailure; /* err code was set by Lookup. */ 8947 } 8948 *enabled = pref; 8949 return rv; 8950 } 8951 8952 SECStatus 8953 ssl3_CipherPrefSet(sslSocket *ss, ssl3CipherSuite which, PRBool enabled) 8954 { 8955 ssl3CipherSuiteCfg *suite; 8956 8957 suite = ssl_LookupCipherSuiteCfg(which, ss->cipherSuites); 8958 if (suite == NULL) { 8959 return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */ 8960 } 8961 suite->enabled = enabled; 8962 return SECSuccess; 8963 } 8964 8965 SECStatus 8966 ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool *enabled) 8967 { 8968 ssl3CipherSuiteCfg *suite; 8969 PRBool pref; 8970 SECStatus rv; 8971 8972 suite = ssl_LookupCipherSuiteCfg(which, ss->cipherSuites); 8973 if (suite) { 8974 pref = suite->enabled; 8975 rv = SECSuccess; 8976 } else { 8977 pref = SSL_NOT_ALLOWED; 8978 rv = SECFailure; /* err code was set by Lookup. */ 8979 } 8980 *enabled = pref; 8981 return rv; 8982 } 8983 8984 /* copy global default policy into socket. */ 8985 void 8986 ssl3_InitSocketPolicy(sslSocket *ss) 8987 { 8988 PORT_Memcpy(ss->cipherSuites, cipherSuites, sizeof cipherSuites); 8989 } 8990 8991 /* ssl3_config_match_init must have already been called by 8992 * the caller of this function. 8993 */ 8994 SECStatus 8995 ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, unsigned char *cs, int *size) 8996 { 8997 int i, count = 0; 8998 8999 PORT_Assert(ss != 0); 9000 if (!ss) { 9001 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); 9002 return SECFailure; 9003 } 9004 if (!ss->opt.enableSSL3 && !ss->opt.enableTLS) { 9005 *size = 0; 9006 return SECSuccess; 9007 } 9008 if (cs == NULL) { 9009 *size = count_cipher_suites(ss, SSL_ALLOWED, PR_TRUE); 9010 return SECSuccess; 9011 } 9012 9013 /* ssl3_config_match_init was called by the caller of this function. */ 9014 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { 9015 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; 9016 if (config_match(suite, SSL_ALLOWED, PR_TRUE)) { 9017 if (cs != NULL) { 9018 *cs++ = 0x00; 9019 *cs++ = (suite->cipher_suite >> 8) & 0xFF; 9020 *cs++ = suite->cipher_suite & 0xFF; 9021 } 9022 count++; 9023 } 9024 } 9025 *size = count; 9026 return SECSuccess; 9027 } 9028 9029 /* 9030 ** If ssl3 socket has completed the first handshake, and is in idle state, 9031 ** then start a new handshake. 9032 ** If flushCache is true, the SID cache will be flushed first, forcing a 9033 ** "Full" handshake (not a session restart handshake), to be done. 9034 ** 9035 ** called from SSL_RedoHandshake(), which already holds the handshake locks. 9036 */ 9037 SECStatus 9038 ssl3_RedoHandshake(sslSocket *ss, PRBool flushCache) 9039 { 9040 sslSessionID * sid = ss->sec.ci.sid; 9041 SECStatus rv; 9042 9043 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 9044 9045 if (!ss->firstHsDone || 9046 ((ss->version >= SSL_LIBRARY_VERSION_3_0) && 9047 ss->ssl3.initialized && 9048 (ss->ssl3.hs.ws != idle_handshake))) { 9049 PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED); 9050 return SECFailure; 9051 } 9052 if (ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) { 9053 PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED); 9054 return SECFailure; 9055 } 9056 if (sid && flushCache) { 9057 ss->sec.uncache(sid); /* remove it from whichever cache it's in. */ 9058 ssl_FreeSID(sid); /* dec ref count and free if zero. */ 9059 ss->sec.ci.sid = NULL; 9060 } 9061 9062 ssl_GetXmitBufLock(ss); /**************************************/ 9063 9064 /* start off a new handshake. */ 9065 rv = (ss->sec.isServer) ? ssl3_SendHelloRequest(ss) 9066 : ssl3_SendClientHello(ss); 9067 9068 ssl_ReleaseXmitBufLock(ss); /**************************************/ 9069 return rv; 9070 } 9071 9072 /* Called from ssl_DestroySocketContents() in sslsock.c */ 9073 void 9074 ssl3_DestroySSL3Info(sslSocket *ss) 9075 { 9076 9077 if (ss->ssl3.clientCertificate != NULL) 9078 CERT_DestroyCertificate(ss->ssl3.clientCertificate); 9079 9080 if (ss->ssl3.clientPrivateKey != NULL) 9081 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); 9082 9083 if (ss->ssl3.peerCertArena != NULL) 9084 ssl3_CleanupPeerCerts(ss); 9085 9086 if (ss->ssl3.clientCertChain != NULL) { 9087 CERT_DestroyCertificateList(ss->ssl3.clientCertChain); 9088 ss->ssl3.clientCertChain = NULL; 9089 } 9090 9091 /* clean up handshake */ 9092 if (ss->opt.bypassPKCS11) { 9093 SHA1_DestroyContext((SHA1Context *)ss->ssl3.hs.sha_cx, PR_FALSE); 9094 MD5_DestroyContext((MD5Context *)ss->ssl3.hs.md5_cx, PR_FALSE); 9095 } 9096 if (ss->ssl3.hs.md5) { 9097 PK11_DestroyContext(ss->ssl3.hs.md5,PR_TRUE); 9098 } 9099 if (ss->ssl3.hs.sha) { 9100 PK11_DestroyContext(ss->ssl3.hs.sha,PR_TRUE); 9101 } 9102 if (ss->ssl3.hs.messages.buf) { 9103 PORT_Free(ss->ssl3.hs.messages.buf); 9104 ss->ssl3.hs.messages.buf = NULL; 9105 ss->ssl3.hs.messages.len = 0; 9106 ss->ssl3.hs.messages.space = 0; 9107 } 9108 9109 /* free the SSL3Buffer (msg_body) */ 9110 PORT_Free(ss->ssl3.hs.msg_body.buf); 9111 9112 /* free up the CipherSpecs */ 9113 ssl3_DestroyCipherSpec(&ss->ssl3.specs[0]); 9114 ssl3_DestroyCipherSpec(&ss->ssl3.specs[1]); 9115 9116 ss->ssl3.initialized = PR_FALSE; 9117 9118 if (ss->ssl3.nextProto.data) { 9119 PORT_Free(ss->ssl3.nextProto.data); 9120 ss->ssl3.nextProto.data = NULL; 9121 } 9122 } 9123 9124 /* End of ssl3con.c */ 9125
