Home | History | Annotate | Download | only in ssl 
      1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
      2 /*
      3  * SSL3 Protocol
      4  *
      5  * This Source Code Form is subject to the terms of the Mozilla Public
      6  * License, v. 2.0. If a copy of the MPL was not distributed with this
      7  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
      8 
      9 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */
     10 
     11 #include "cert.h"
     12 #include "ssl.h"
     13 #include "cryptohi.h"	/* for DSAU_ stuff */
     14 #include "keyhi.h"
     15 #include "secder.h"
     16 #include "secitem.h"
     17 #include "sechash.h"
     18 
     19 #include "sslimpl.h"
     20 #include "sslproto.h"
     21 #include "sslerr.h"
     22 #include "prtime.h"
     23 #include "prinrval.h"
     24 #include "prerror.h"
     25 #include "pratom.h"
     26 #include "prthread.h"
     27 
     28 #include "pk11func.h"
     29 #include "secmod.h"
     30 #ifndef NO_PKCS11_BYPASS
     31 #include "blapi.h"
     32 #endif
     33 
     34 /* This is a bodge to allow this code to be compiled against older NSS headers
     35  * that don't contain the TLS 1.2 changes. */
     36 #ifndef CKM_NSS_TLS_PRF_GENERAL_SHA256
     37 #define CKM_NSS_TLS_PRF_GENERAL_SHA256          (CKM_NSS + 21)
     38 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256    (CKM_NSS + 22)
     39 #define CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256   (CKM_NSS + 23)
     40 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24)
     41 #endif
     42 
     43 #include <stdio.h>
     44 #ifdef NSS_ENABLE_ZLIB
     45 #include "zlib.h"
     46 #endif
     47 
     48 #ifndef PK11_SETATTRS
     49 #define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \
     50 		(x)->pValue=(v); (x)->ulValueLen = (l);
     51 #endif
     52 
     53 static SECStatus ssl3_AuthCertificate(sslSocket *ss);
     54 static void      ssl3_CleanupPeerCerts(sslSocket *ss);
     55 static void      ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid);
     56 static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
     57                                        PK11SlotInfo * serverKeySlot);
     58 static SECStatus ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms);
     59 static SECStatus ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss);
     60 static SECStatus ssl3_HandshakeFailure(      sslSocket *ss);
     61 static SECStatus ssl3_InitState(             sslSocket *ss);
     62 static SECStatus ssl3_SendCertificate(       sslSocket *ss);
     63 static SECStatus ssl3_SendCertificateStatus( sslSocket *ss);
     64 static SECStatus ssl3_SendEmptyCertificate(  sslSocket *ss);
     65 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss);
     66 static SECStatus ssl3_SendNextProto(         sslSocket *ss);
     67 static SECStatus ssl3_SendEncryptedExtensions(sslSocket *ss);
     68 static SECStatus ssl3_SendFinished(          sslSocket *ss, PRInt32 flags);
     69 static SECStatus ssl3_SendServerHello(       sslSocket *ss);
     70 static SECStatus ssl3_SendServerHelloDone(   sslSocket *ss);
     71 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss);
     72 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss,
     73                                              const unsigned char *b,
     74                                              unsigned int l);
     75 static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags);
     76 static int       ssl3_OIDToTLSHashAlgorithm(SECOidTag oid);
     77 
     78 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen,
     79 			     int maxOutputLen, const unsigned char *input,
     80 			     int inputLen);
     81 
     82 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */
     83 #define MIN_SEND_BUF_LENGTH  4000
     84 
     85 /* This list of SSL3 cipher suites is sorted in descending order of
     86  * precedence (desirability).  It only includes cipher suites we implement.
     87  * This table is modified by SSL3_SetPolicy(). The ordering of cipher suites
     88  * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c)
     89  */
     90 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
     91    /*      cipher_suite                         policy      enabled is_present*/
     92 #ifdef NSS_ENABLE_ECC
     93  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
     94  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,     SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
     95 #endif /* NSS_ENABLE_ECC */
     96  { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
     97  { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
     98  { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 	   SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
     99  { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,    SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
    100  { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 	   SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
    101 #ifdef NSS_ENABLE_ECC
    102  { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,      SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
    103  { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,    SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
    104 #endif /* NSS_ENABLE_ECC */
    105  { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,  	   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
    106  { TLS_RSA_WITH_AES_256_CBC_SHA,     	   SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
    107  { TLS_RSA_WITH_AES_256_CBC_SHA256,	   SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
    108 
    109 #ifdef NSS_ENABLE_ECC
    110  { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,       SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
    111  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
    112  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
    113  { TLS_ECDHE_RSA_WITH_RC4_128_SHA,         SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
    114  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,     SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
    115  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
    116 #endif /* NSS_ENABLE_ECC */
    117  { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
    118  { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
    119  { TLS_DHE_DSS_WITH_RC4_128_SHA,           SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
    120  { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,       SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
    121  { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,    SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
    122  { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 	   SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
    123 #ifdef NSS_ENABLE_ECC
    124  { TLS_ECDH_RSA_WITH_RC4_128_SHA,          SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
    125  { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,      SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
    126  { TLS_ECDH_ECDSA_WITH_RC4_128_SHA,        SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
    127  { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,    SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
    128 #endif /* NSS_ENABLE_ECC */
    129  { TLS_RSA_WITH_SEED_CBC_SHA,              SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
    130  { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,  	   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
    131  { SSL_RSA_WITH_RC4_128_SHA,               SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
    132  { SSL_RSA_WITH_RC4_128_MD5,               SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
    133  { TLS_RSA_WITH_AES_128_CBC_SHA,     	   SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
    134  { TLS_RSA_WITH_AES_128_CBC_SHA256,	   SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
    135 
    136 #ifdef NSS_ENABLE_ECC
    137  { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
    138  { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,    SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
    139 #endif /* NSS_ENABLE_ECC */
    140  { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,      SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
    141  { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,      SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
    142 #ifdef NSS_ENABLE_ECC
    143  { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
    144  { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
    145 #endif /* NSS_ENABLE_ECC */
    146  { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,     SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
    147  { SSL_RSA_WITH_3DES_EDE_CBC_SHA,          SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
    148 
    149 
    150  { SSL_DHE_RSA_WITH_DES_CBC_SHA,           SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
    151  { SSL_DHE_DSS_WITH_DES_CBC_SHA,           SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
    152  { SSL_RSA_FIPS_WITH_DES_CBC_SHA,          SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
    153  { SSL_RSA_WITH_DES_CBC_SHA,               SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
    154  { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,     SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
    155  { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,    SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
    156 
    157  { SSL_RSA_EXPORT_WITH_RC4_40_MD5,         SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
    158  { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,     SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
    159 
    160 #ifdef NSS_ENABLE_ECC
    161  { TLS_ECDHE_ECDSA_WITH_NULL_SHA,          SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
    162  { TLS_ECDHE_RSA_WITH_NULL_SHA,            SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
    163  { TLS_ECDH_RSA_WITH_NULL_SHA,             SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
    164  { TLS_ECDH_ECDSA_WITH_NULL_SHA,           SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
    165 #endif /* NSS_ENABLE_ECC */
    166  { SSL_RSA_WITH_NULL_SHA,                  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
    167  { TLS_RSA_WITH_NULL_SHA256,               SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
    168  { SSL_RSA_WITH_NULL_MD5,                  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
    169 
    170 };
    171 
    172 /* This list of SSL3 compression methods is sorted in descending order of
    173  * precedence (desirability).  It only includes compression methods we
    174  * implement.
    175  */
    176 static const /*SSLCompressionMethod*/ PRUint8 compressions [] = {
    177 #ifdef NSS_ENABLE_ZLIB
    178     ssl_compression_deflate,
    179 #endif
    180     ssl_compression_null
    181 };
    182 
    183 static const int compressionMethodsCount =
    184     sizeof(compressions) / sizeof(compressions[0]);
    185 
    186 /* compressionEnabled returns true iff the compression algorithm is enabled
    187  * for the given SSL socket. */
    188 static PRBool
    189 compressionEnabled(sslSocket *ss, SSLCompressionMethod compression)
    190 {
    191     switch (compression) {
    192     case ssl_compression_null:
    193 	return PR_TRUE;  /* Always enabled */
    194 #ifdef NSS_ENABLE_ZLIB
    195     case ssl_compression_deflate:
    196 	return ss->opt.enableDeflate;
    197 #endif
    198     default:
    199 	return PR_FALSE;
    200     }
    201 }
    202 
    203 static const /*SSL3ClientCertificateType */ PRUint8 certificate_types [] = {
    204     ct_RSA_sign,
    205 #ifdef NSS_ENABLE_ECC
    206     ct_ECDSA_sign,
    207 #endif /* NSS_ENABLE_ECC */
    208     ct_DSS_sign,
    209 };
    210 
    211 /* This block is the contents of the supported_signature_algorithms field of
    212  * our TLS 1.2 CertificateRequest message, in wire format. See
    213  * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
    214  *
    215  * This block contains only sha256 entries because we only support TLS 1.2
    216  * CertificateVerify messages that use the handshake hash. */
    217 static const PRUint8 supported_signature_algorithms[] = {
    218     tls_hash_sha256, tls_sig_rsa,
    219 #ifdef NSS_ENABLE_ECC
    220     tls_hash_sha256, tls_sig_ecdsa,
    221 #endif
    222     tls_hash_sha256, tls_sig_dsa,
    223 };
    224 
    225 #define EXPORT_RSA_KEY_LENGTH 64	/* bytes */
    226 
    227 
    228 /* This global item is used only in servers.  It is is initialized by
    229 ** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest().
    230 */
    231 CERTDistNames *ssl3_server_ca_list = NULL;
    232 static SSL3Statistics ssl3stats;
    233 
    234 /* indexed by SSL3BulkCipher */
    235 static const ssl3BulkCipherDef bulk_cipher_defs[] = {
    236     /* cipher          calg        keySz secretSz  type  ivSz BlkSz keygen */
    237     {cipher_null,      calg_null,      0,  0, type_stream,  0, 0, kg_null},
    238     {cipher_rc4,       calg_rc4,      16, 16, type_stream,  0, 0, kg_strong},
    239     {cipher_rc4_40,    calg_rc4,      16,  5, type_stream,  0, 0, kg_export},
    240     {cipher_rc4_56,    calg_rc4,      16,  7, type_stream,  0, 0, kg_export},
    241     {cipher_rc2,       calg_rc2,      16, 16, type_block,   8, 8, kg_strong},
    242     {cipher_rc2_40,    calg_rc2,      16,  5, type_block,   8, 8, kg_export},
    243     {cipher_des,       calg_des,       8,  8, type_block,   8, 8, kg_strong},
    244     {cipher_3des,      calg_3des,     24, 24, type_block,   8, 8, kg_strong},
    245     {cipher_des40,     calg_des,       8,  5, type_block,   8, 8, kg_export},
    246     {cipher_idea,      calg_idea,     16, 16, type_block,   8, 8, kg_strong},
    247     {cipher_aes_128,   calg_aes,      16, 16, type_block,  16,16, kg_strong},
    248     {cipher_aes_256,   calg_aes,      32, 32, type_block,  16,16, kg_strong},
    249     {cipher_camellia_128, calg_camellia,16, 16, type_block,  16,16, kg_strong},
    250     {cipher_camellia_256, calg_camellia,32, 32, type_block,  16,16, kg_strong},
    251     {cipher_seed,      calg_seed,     16, 16, type_block,  16,16, kg_strong},
    252     {cipher_missing,   calg_null,      0,  0, type_stream,  0, 0, kg_null},
    253 };
    254 
    255 static const ssl3KEADef kea_defs[] =
    256 { /* indexed by SSL3KeyExchangeAlgorithm */
    257     /* kea              exchKeyType signKeyType is_limited limit  tls_keygen */
    258     {kea_null,           kt_null,     sign_null, PR_FALSE,   0, PR_FALSE},
    259     {kea_rsa,            kt_rsa,      sign_rsa,  PR_FALSE,   0, PR_FALSE},
    260     {kea_rsa_export,     kt_rsa,      sign_rsa,  PR_TRUE,  512, PR_FALSE},
    261     {kea_rsa_export_1024,kt_rsa,      sign_rsa,  PR_TRUE, 1024, PR_FALSE},
    262     {kea_dh_dss,         kt_dh,       sign_dsa,  PR_FALSE,   0, PR_FALSE},
    263     {kea_dh_dss_export,  kt_dh,       sign_dsa,  PR_TRUE,  512, PR_FALSE},
    264     {kea_dh_rsa,         kt_dh,       sign_rsa,  PR_FALSE,   0, PR_FALSE},
    265     {kea_dh_rsa_export,  kt_dh,       sign_rsa,  PR_TRUE,  512, PR_FALSE},
    266     {kea_dhe_dss,        kt_dh,       sign_dsa,  PR_FALSE,   0, PR_FALSE},
    267     {kea_dhe_dss_export, kt_dh,       sign_dsa,  PR_TRUE,  512, PR_FALSE},
    268     {kea_dhe_rsa,        kt_dh,       sign_rsa,  PR_FALSE,   0, PR_FALSE},
    269     {kea_dhe_rsa_export, kt_dh,       sign_rsa,  PR_TRUE,  512, PR_FALSE},
    270     {kea_dh_anon,        kt_dh,       sign_null, PR_FALSE,   0, PR_FALSE},
    271     {kea_dh_anon_export, kt_dh,       sign_null, PR_TRUE,  512, PR_FALSE},
    272     {kea_rsa_fips,       kt_rsa,      sign_rsa,  PR_FALSE,   0, PR_TRUE },
    273 #ifdef NSS_ENABLE_ECC
    274     {kea_ecdh_ecdsa,     kt_ecdh,     sign_ecdsa,  PR_FALSE, 0, PR_FALSE},
    275     {kea_ecdhe_ecdsa,    kt_ecdh,     sign_ecdsa,  PR_FALSE,   0, PR_FALSE},
    276     {kea_ecdh_rsa,       kt_ecdh,     sign_rsa,  PR_FALSE,   0, PR_FALSE},
    277     {kea_ecdhe_rsa,      kt_ecdh,     sign_rsa,  PR_FALSE,   0, PR_FALSE},
    278     {kea_ecdh_anon,      kt_ecdh,     sign_null,  PR_FALSE,   0, PR_FALSE},
    279 #endif /* NSS_ENABLE_ECC */
    280 };
    281 
    282 /* must use ssl_LookupCipherSuiteDef to access */
    283 static const ssl3CipherSuiteDef cipher_suite_defs[] =
    284 {
    285 /*  cipher_suite                    bulk_cipher_alg mac_alg key_exchange_alg */
    286 
    287     {SSL_NULL_WITH_NULL_NULL,       cipher_null,   mac_null, kea_null},
    288     {SSL_RSA_WITH_NULL_MD5,         cipher_null,   mac_md5, kea_rsa},
    289     {SSL_RSA_WITH_NULL_SHA,         cipher_null,   mac_sha, kea_rsa},
    290     {TLS_RSA_WITH_NULL_SHA256,      cipher_null,   hmac_sha256, kea_rsa},
    291     {SSL_RSA_EXPORT_WITH_RC4_40_MD5,cipher_rc4_40, mac_md5, kea_rsa_export},
    292     {SSL_RSA_WITH_RC4_128_MD5,      cipher_rc4,    mac_md5, kea_rsa},
    293     {SSL_RSA_WITH_RC4_128_SHA,      cipher_rc4,    mac_sha, kea_rsa},
    294     {SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
    295                                     cipher_rc2_40, mac_md5, kea_rsa_export},
    296 #if 0 /* not implemented */
    297     {SSL_RSA_WITH_IDEA_CBC_SHA,     cipher_idea,   mac_sha, kea_rsa},
    298     {SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
    299                                     cipher_des40,  mac_sha, kea_rsa_export},
    300 #endif
    301     {SSL_RSA_WITH_DES_CBC_SHA,      cipher_des,    mac_sha, kea_rsa},
    302     {SSL_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des,   mac_sha, kea_rsa},
    303     {SSL_DHE_DSS_WITH_DES_CBC_SHA,  cipher_des,    mac_sha, kea_dhe_dss},
    304     {SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
    305                                     cipher_3des,   mac_sha, kea_dhe_dss},
    306     {TLS_DHE_DSS_WITH_RC4_128_SHA,  cipher_rc4,    mac_sha, kea_dhe_dss},
    307 #if 0 /* not implemented */
    308     {SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
    309                                     cipher_des40,  mac_sha, kea_dh_dss_export},
    310     {SSL_DH_DSS_DES_CBC_SHA,        cipher_des,    mac_sha, kea_dh_dss},
    311     {SSL_DH_DSS_3DES_CBC_SHA,       cipher_3des,   mac_sha, kea_dh_dss},
    312     {SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
    313                                     cipher_des40,  mac_sha, kea_dh_rsa_export},
    314     {SSL_DH_RSA_DES_CBC_SHA,        cipher_des,    mac_sha, kea_dh_rsa},
    315     {SSL_DH_RSA_3DES_CBC_SHA,       cipher_3des,   mac_sha, kea_dh_rsa},
    316     {SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
    317                                     cipher_des40,  mac_sha, kea_dh_dss_export},
    318     {SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
    319                                     cipher_des40,  mac_sha, kea_dh_rsa_export},
    320 #endif
    321     {SSL_DHE_RSA_WITH_DES_CBC_SHA,  cipher_des,    mac_sha, kea_dhe_rsa},
    322     {SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
    323                                     cipher_3des,   mac_sha, kea_dhe_rsa},
    324 #if 0
    325     {SSL_DH_ANON_EXPORT_RC4_40_MD5, cipher_rc4_40, mac_md5, kea_dh_anon_export},
    326     {SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA,
    327                                     cipher_des40,  mac_sha, kea_dh_anon_export},
    328     {SSL_DH_ANON_DES_CBC_SHA,       cipher_des,    mac_sha, kea_dh_anon},
    329     {SSL_DH_ANON_3DES_CBC_SHA,      cipher_3des,   mac_sha, kea_dh_anon},
    330 #endif
    331 
    332 
    333 /* New TLS cipher suites */
    334     {TLS_RSA_WITH_AES_128_CBC_SHA,     	cipher_aes_128, mac_sha, kea_rsa},
    335     {TLS_RSA_WITH_AES_128_CBC_SHA256,	cipher_aes_128, hmac_sha256, kea_rsa},
    336     {TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 	cipher_aes_128, mac_sha, kea_dhe_dss},
    337     {TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 	cipher_aes_128, mac_sha, kea_dhe_rsa},
    338     {TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_rsa},
    339     {TLS_RSA_WITH_AES_256_CBC_SHA,     	cipher_aes_256, mac_sha, kea_rsa},
    340     {TLS_RSA_WITH_AES_256_CBC_SHA256,	cipher_aes_256, hmac_sha256, kea_rsa},
    341     {TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 	cipher_aes_256, mac_sha, kea_dhe_dss},
    342     {TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 	cipher_aes_256, mac_sha, kea_dhe_rsa},
    343     {TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_rsa},
    344 #if 0
    345     {TLS_DH_DSS_WITH_AES_128_CBC_SHA,  	cipher_aes_128, mac_sha, kea_dh_dss},
    346     {TLS_DH_RSA_WITH_AES_128_CBC_SHA,  	cipher_aes_128, mac_sha, kea_dh_rsa},
    347     {TLS_DH_ANON_WITH_AES_128_CBC_SHA, 	cipher_aes_128, mac_sha, kea_dh_anon},
    348     {TLS_DH_DSS_WITH_AES_256_CBC_SHA,  	cipher_aes_256, mac_sha, kea_dh_dss},
    349     {TLS_DH_RSA_WITH_AES_256_CBC_SHA,  	cipher_aes_256, mac_sha, kea_dh_rsa},
    350     {TLS_DH_ANON_WITH_AES_256_CBC_SHA, 	cipher_aes_256, mac_sha, kea_dh_anon},
    351 #endif
    352 
    353     {TLS_RSA_WITH_SEED_CBC_SHA,	    cipher_seed,   mac_sha, kea_rsa},
    354 
    355     {TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, cipher_camellia_128, mac_sha, kea_rsa},
    356     {TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
    357      cipher_camellia_128, mac_sha, kea_dhe_dss},
    358     {TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
    359      cipher_camellia_128, mac_sha, kea_dhe_rsa},
    360     {TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,	cipher_camellia_256, mac_sha, kea_rsa},
    361     {TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
    362      cipher_camellia_256, mac_sha, kea_dhe_dss},
    363     {TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
    364      cipher_camellia_256, mac_sha, kea_dhe_rsa},
    365 
    366     {TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
    367                                     cipher_des,    mac_sha,kea_rsa_export_1024},
    368     {TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
    369                                     cipher_rc4_56, mac_sha,kea_rsa_export_1024},
    370 
    371     {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips},
    372     {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des,    mac_sha, kea_rsa_fips},
    373 
    374 #ifdef NSS_ENABLE_ECC
    375     {TLS_ECDH_ECDSA_WITH_NULL_SHA,        cipher_null, mac_sha, kea_ecdh_ecdsa},
    376     {TLS_ECDH_ECDSA_WITH_RC4_128_SHA,      cipher_rc4, mac_sha, kea_ecdh_ecdsa},
    377     {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa},
    378     {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecdsa},
    379     {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecdsa},
    380 
    381     {TLS_ECDHE_ECDSA_WITH_NULL_SHA,        cipher_null, mac_sha, kea_ecdhe_ecdsa},
    382     {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,      cipher_rc4, mac_sha, kea_ecdhe_ecdsa},
    383     {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecdsa},
    384     {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_ecdsa},
    385     {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ecdhe_ecdsa},
    386     {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_ecdsa},
    387 
    388     {TLS_ECDH_RSA_WITH_NULL_SHA,         cipher_null,    mac_sha, kea_ecdh_rsa},
    389     {TLS_ECDH_RSA_WITH_RC4_128_SHA,      cipher_rc4,     mac_sha, kea_ecdh_rsa},
    390     {TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des,    mac_sha, kea_ecdh_rsa},
    391     {TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,  cipher_aes_128, mac_sha, kea_ecdh_rsa},
    392     {TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,  cipher_aes_256, mac_sha, kea_ecdh_rsa},
    393 
    394     {TLS_ECDHE_RSA_WITH_NULL_SHA,         cipher_null,    mac_sha, kea_ecdhe_rsa},
    395     {TLS_ECDHE_RSA_WITH_RC4_128_SHA,      cipher_rc4,     mac_sha, kea_ecdhe_rsa},
    396     {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des,    mac_sha, kea_ecdhe_rsa},
    397     {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,  cipher_aes_128, mac_sha, kea_ecdhe_rsa},
    398     {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ecdhe_rsa},
    399     {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,  cipher_aes_256, mac_sha, kea_ecdhe_rsa},
    400 
    401 #if 0
    402     {TLS_ECDH_anon_WITH_NULL_SHA,         cipher_null,    mac_sha, kea_ecdh_anon},
    403     {TLS_ECDH_anon_WITH_RC4_128_SHA,      cipher_rc4,     mac_sha, kea_ecdh_anon},
    404     {TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, cipher_3des,    mac_sha, kea_ecdh_anon},
    405     {TLS_ECDH_anon_WITH_AES_128_CBC_SHA,  cipher_aes_128, mac_sha, kea_ecdh_anon},
    406     {TLS_ECDH_anon_WITH_AES_256_CBC_SHA,  cipher_aes_256, mac_sha, kea_ecdh_anon},
    407 #endif
    408 #endif /* NSS_ENABLE_ECC */
    409 };
    410 
    411 static const CK_MECHANISM_TYPE kea_alg_defs[] = {
    412     0x80000000L,
    413     CKM_RSA_PKCS,
    414     CKM_DH_PKCS_DERIVE,
    415     CKM_KEA_KEY_DERIVE,
    416     CKM_ECDH1_DERIVE
    417 };
    418 
    419 typedef struct SSLCipher2MechStr {
    420     SSLCipherAlgorithm  calg;
    421     CK_MECHANISM_TYPE   cmech;
    422 } SSLCipher2Mech;
    423 
    424 /* indexed by type SSLCipherAlgorithm */
    425 static const SSLCipher2Mech alg2Mech[] = {
    426     /* calg,          cmech  */
    427     { calg_null     , (CK_MECHANISM_TYPE)0x80000000L	},
    428     { calg_rc4      , CKM_RC4				},
    429     { calg_rc2      , CKM_RC2_CBC			},
    430     { calg_des      , CKM_DES_CBC			},
    431     { calg_3des     , CKM_DES3_CBC			},
    432     { calg_idea     , CKM_IDEA_CBC			},
    433     { calg_fortezza , CKM_SKIPJACK_CBC64                },
    434     { calg_aes      , CKM_AES_CBC			},
    435     { calg_camellia , CKM_CAMELLIA_CBC			},
    436     { calg_seed     , CKM_SEED_CBC			},
    437 /*  { calg_init     , (CK_MECHANISM_TYPE)0x7fffffffL    }  */
    438 };
    439 
    440 #define mmech_null     (CK_MECHANISM_TYPE)0x80000000L
    441 #define mmech_md5      CKM_SSL3_MD5_MAC
    442 #define mmech_sha      CKM_SSL3_SHA1_MAC
    443 #define mmech_md5_hmac CKM_MD5_HMAC
    444 #define mmech_sha_hmac CKM_SHA_1_HMAC
    445 #define mmech_sha256_hmac CKM_SHA256_HMAC
    446 
    447 static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */
    448     /* pad_size is only used for SSL 3.0 MAC. See RFC 6101 Sec. 5.2.3.1. */
    449     /* mac      mmech       pad_size  mac_size                       */
    450     { mac_null, mmech_null,       0,  0          },
    451     { mac_md5,  mmech_md5,       48,  MD5_LENGTH },
    452     { mac_sha,  mmech_sha,       40,  SHA1_LENGTH},
    453     {hmac_md5,  mmech_md5_hmac,   0,  MD5_LENGTH },
    454     {hmac_sha,  mmech_sha_hmac,   0,  SHA1_LENGTH},
    455     {hmac_sha256, mmech_sha256_hmac, 0, SHA256_LENGTH},
    456 };
    457 
    458 /* indexed by SSL3BulkCipher */
    459 const char * const ssl3_cipherName[] = {
    460     "NULL",
    461     "RC4",
    462     "RC4-40",
    463     "RC4-56",
    464     "RC2-CBC",
    465     "RC2-CBC-40",
    466     "DES-CBC",
    467     "3DES-EDE-CBC",
    468     "DES-CBC-40",
    469     "IDEA-CBC",
    470     "AES-128",
    471     "AES-256",
    472     "Camellia-128",
    473     "Camellia-256",
    474     "SEED-CBC",
    475     "missing"
    476 };
    477 
    478 #ifdef NSS_ENABLE_ECC
    479 /* The ECCWrappedKeyInfo structure defines how various pieces of
    480  * information are laid out within wrappedSymmetricWrappingkey
    481  * for ECDH key exchange. Since wrappedSymmetricWrappingkey is
    482  * a 512-byte buffer (see sslimpl.h), the variable length field
    483  * in ECCWrappedKeyInfo can be at most (512 - 8) = 504 bytes.
    484  *
    485  * XXX For now, NSS only supports named elliptic curves of size 571 bits
    486  * or smaller. The public value will fit within 145 bytes and EC params
    487  * will fit within 12 bytes. We'll need to revisit this when NSS
    488  * supports arbitrary curves.
    489  */
    490 #define MAX_EC_WRAPPED_KEY_BUFLEN  504
    491 
    492 typedef struct ECCWrappedKeyInfoStr {
    493     PRUint16 size;            /* EC public key size in bits */
    494     PRUint16 encodedParamLen; /* length (in bytes) of DER encoded EC params */
    495     PRUint16 pubValueLen;     /* length (in bytes) of EC public value */
    496     PRUint16 wrappedKeyLen;   /* length (in bytes) of the wrapped key */
    497     PRUint8 var[MAX_EC_WRAPPED_KEY_BUFLEN]; /* this buffer contains the */
    498     /* EC public-key params, the EC public value and the wrapped key  */
    499 } ECCWrappedKeyInfo;
    500 #endif /* NSS_ENABLE_ECC */
    501 
    502 #if defined(TRACE)
    503 
    504 static char *
    505 ssl3_DecodeHandshakeType(int msgType)
    506 {
    507     char * rv;
    508     static char line[40];
    509 
    510     switch(msgType) {
    511     case hello_request:	        rv = "hello_request (0)";               break;
    512     case client_hello:	        rv = "client_hello  (1)";               break;
    513     case server_hello:	        rv = "server_hello  (2)";               break;
    514     case hello_verify_request:  rv = "hello_verify_request (3)";        break;
    515     case certificate:	        rv = "certificate  (11)";               break;
    516     case server_key_exchange:	rv = "server_key_exchange (12)";        break;
    517     case certificate_request:	rv = "certificate_request (13)";        break;
    518     case server_hello_done:	rv = "server_hello_done   (14)";        break;
    519     case certificate_verify:	rv = "certificate_verify  (15)";        break;
    520     case client_key_exchange:	rv = "client_key_exchange (16)";        break;
    521     case finished:	        rv = "finished     (20)";               break;
    522     default:
    523         sprintf(line, "*UNKNOWN* handshake type! (%d)", msgType);
    524 	rv = line;
    525     }
    526     return rv;
    527 }
    528 
    529 static char *
    530 ssl3_DecodeContentType(int msgType)
    531 {
    532     char * rv;
    533     static char line[40];
    534 
    535     switch(msgType) {
    536     case content_change_cipher_spec:
    537                                 rv = "change_cipher_spec (20)";         break;
    538     case content_alert:	        rv = "alert      (21)";                 break;
    539     case content_handshake:	rv = "handshake  (22)";                 break;
    540     case content_application_data:
    541                                 rv = "application_data (23)";           break;
    542     default:
    543         sprintf(line, "*UNKNOWN* record type! (%d)", msgType);
    544 	rv = line;
    545     }
    546     return rv;
    547 }
    548 
    549 #endif
    550 
    551 SSL3Statistics *
    552 SSL_GetStatistics(void)
    553 {
    554     return &ssl3stats;
    555 }
    556 
    557 typedef struct tooLongStr {
    558 #if defined(IS_LITTLE_ENDIAN)
    559     PRInt32 low;
    560     PRInt32 high;
    561 #else
    562     PRInt32 high;
    563     PRInt32 low;
    564 #endif
    565 } tooLong;
    566 
    567 void SSL_AtomicIncrementLong(long * x)
    568 {
    569     if ((sizeof *x) == sizeof(PRInt32)) {
    570         PR_ATOMIC_INCREMENT((PRInt32 *)x);
    571     } else {
    572     	tooLong * tl = (tooLong *)x;
    573 	if (PR_ATOMIC_INCREMENT(&tl->low) == 0)
    574 	    PR_ATOMIC_INCREMENT(&tl->high);
    575     }
    576 }
    577 
    578 static PRBool
    579 ssl3_CipherSuiteAllowedForVersion(ssl3CipherSuite cipherSuite,
    580 				  SSL3ProtocolVersion version)
    581 {
    582     switch (cipherSuite) {
    583     /* See RFC 4346 A.5. Export cipher suites must not be used in TLS 1.1 or
    584      * later. This set of cipher suites is similar to, but different from, the
    585      * set of cipher suites considered exportable by SSL_IsExportCipherSuite.
    586      */
    587     case SSL_RSA_EXPORT_WITH_RC4_40_MD5:
    588     case SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5:
    589     /*   SSL_RSA_EXPORT_WITH_DES40_CBC_SHA:      never implemented
    590      *   SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA:   never implemented
    591      *   SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA:   never implemented
    592      *   SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA:  never implemented
    593      *   SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA:  never implemented
    594      *   SSL_DH_ANON_EXPORT_WITH_RC4_40_MD5:     never implemented
    595      *   SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA:  never implemented
    596      */
    597 	return version <= SSL_LIBRARY_VERSION_TLS_1_0;
    598     case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
    599     case TLS_RSA_WITH_AES_256_CBC_SHA256:
    600     case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
    601     case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
    602     case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
    603     case TLS_RSA_WITH_AES_128_CBC_SHA256:
    604     case TLS_RSA_WITH_NULL_SHA256:
    605 	return version >= SSL_LIBRARY_VERSION_TLS_1_2;
    606     default:
    607 	return PR_TRUE;
    608     }
    609 }
    610 
    611 /* return pointer to ssl3CipherSuiteDef for suite, or NULL */
    612 /* XXX This does a linear search.  A binary search would be better. */
    613 static const ssl3CipherSuiteDef *
    614 ssl_LookupCipherSuiteDef(ssl3CipherSuite suite)
    615 {
    616     int cipher_suite_def_len =
    617 	sizeof(cipher_suite_defs) / sizeof(cipher_suite_defs[0]);
    618     int i;
    619 
    620     for (i = 0; i < cipher_suite_def_len; i++) {
    621 	if (cipher_suite_defs[i].cipher_suite == suite)
    622 	    return &cipher_suite_defs[i];
    623     }
    624     PORT_Assert(PR_FALSE);  /* We should never get here. */
    625     PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
    626     return NULL;
    627 }
    628 
    629 /* Find the cipher configuration struct associate with suite */
    630 /* XXX This does a linear search.  A binary search would be better. */
    631 static ssl3CipherSuiteCfg *
    632 ssl_LookupCipherSuiteCfg(ssl3CipherSuite suite, ssl3CipherSuiteCfg *suites)
    633 {
    634     int i;
    635 
    636     for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
    637 	if (suites[i].cipher_suite == suite)
    638 	    return &suites[i];
    639     }
    640     /* return NULL and let the caller handle it.  */
    641     PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
    642     return NULL;
    643 }
    644 
    645 
    646 /* Initialize the suite->isPresent value for config_match
    647  * Returns count of enabled ciphers supported by extant tokens,
    648  * regardless of policy or user preference.
    649  * If this returns zero, the user cannot do SSL v3.
    650  */
    651 int
    652 ssl3_config_match_init(sslSocket *ss)
    653 {
    654     ssl3CipherSuiteCfg *      suite;
    655     const ssl3CipherSuiteDef *cipher_def;
    656     SSLCipherAlgorithm        cipher_alg;
    657     CK_MECHANISM_TYPE         cipher_mech;
    658     SSL3KEAType               exchKeyType;
    659     int                       i;
    660     int                       numPresent		= 0;
    661     int                       numEnabled		= 0;
    662     PRBool                    isServer;
    663     sslServerCerts           *svrAuth;
    664 
    665     PORT_Assert(ss);
    666     if (!ss) {
    667     	PORT_SetError(SEC_ERROR_INVALID_ARGS);
    668 	return 0;
    669     }
    670     if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
    671     	return 0;
    672     }
    673     isServer = (PRBool)(ss->sec.isServer != 0);
    674 
    675     for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
    676 	suite = &ss->cipherSuites[i];
    677 	if (suite->enabled) {
    678 	    ++numEnabled;
    679 	    /* We need the cipher defs to see if we have a token that can handle
    680 	     * this cipher.  It isn't part of the static definition.
    681 	     */
    682 	    cipher_def = ssl_LookupCipherSuiteDef(suite->cipher_suite);
    683 	    if (!cipher_def) {
    684 	    	suite->isPresent = PR_FALSE;
    685 		continue;
    686 	    }
    687 	    cipher_alg = bulk_cipher_defs[cipher_def->bulk_cipher_alg].calg;
    688 	    PORT_Assert(  alg2Mech[cipher_alg].calg == cipher_alg);
    689 	    cipher_mech = alg2Mech[cipher_alg].cmech;
    690 	    exchKeyType =
    691 	    	    kea_defs[cipher_def->key_exchange_alg].exchKeyType;
    692 #ifndef NSS_ENABLE_ECC
    693 	    svrAuth = ss->serverCerts + exchKeyType;
    694 #else
    695 	    /* XXX SSLKEAType isn't really a good choice for
    696 	     * indexing certificates. It doesn't work for
    697 	     * (EC)DHE-* ciphers. Here we use a hack to ensure
    698 	     * that the server uses an RSA cert for (EC)DHE-RSA.
    699 	     */
    700 	    switch (cipher_def->key_exchange_alg) {
    701 	    case kea_ecdhe_rsa:
    702 #if NSS_SERVER_DHE_IMPLEMENTED
    703 	    /* XXX NSS does not yet implement the server side of _DHE_
    704 	     * cipher suites.  Correcting the computation for svrAuth,
    705 	     * as the case below does, causes NSS SSL servers to begin to
    706 	     * negotiate cipher suites they do not implement.  So, until
    707 	     * server side _DHE_ is implemented, keep this disabled.
    708 	     */
    709 	    case kea_dhe_rsa:
    710 #endif
    711 		svrAuth = ss->serverCerts + kt_rsa;
    712 		break;
    713 	    case kea_ecdh_ecdsa:
    714 	    case kea_ecdh_rsa:
    715 	        /*
    716 		 * XXX We ought to have different indices for
    717 		 * ECDSA- and RSA-signed EC certificates so
    718 		 * we could support both key exchange mechanisms
    719 		 * simultaneously. For now, both of them use
    720 		 * whatever is in the certificate slot for kt_ecdh
    721 		 */
    722 	    default:
    723 		svrAuth = ss->serverCerts + exchKeyType;
    724 		break;
    725 	    }
    726 #endif /* NSS_ENABLE_ECC */
    727 
    728 	    /* Mark the suites that are backed by real tokens, certs and keys */
    729 	    suite->isPresent = (PRBool)
    730 		(((exchKeyType == kt_null) ||
    731 		   ((!isServer || (svrAuth->serverKeyPair &&
    732 		                   svrAuth->SERVERKEY &&
    733 				   svrAuth->serverCertChain)) &&
    734 		    PK11_TokenExists(kea_alg_defs[exchKeyType]))) &&
    735 		((cipher_alg == calg_null) || PK11_TokenExists(cipher_mech)));
    736 	    if (suite->isPresent)
    737 	    	++numPresent;
    738 	}
    739     }
    740     PORT_Assert(numPresent > 0 || numEnabled == 0);
    741     if (numPresent <= 0) {
    742 	PORT_SetError(SSL_ERROR_NO_CIPHERS_SUPPORTED);
    743     }
    744     return numPresent;
    745 }
    746 
    747 
    748 /* return PR_TRUE if suite matches policy and enabled state */
    749 /* It would be a REALLY BAD THING (tm) if we ever permitted the use
    750 ** of a cipher that was NOT_ALLOWED.  So, if this is ever called with
    751 ** policy == SSL_NOT_ALLOWED, report no match.
    752 */
    753 /* adjust suite enabled to the availability of a token that can do the
    754  * cipher suite. */
    755 static PRBool
    756 config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled)
    757 {
    758     PORT_Assert(policy != SSL_NOT_ALLOWED && enabled != PR_FALSE);
    759     if (policy == SSL_NOT_ALLOWED || !enabled)
    760     	return PR_FALSE;
    761     return (PRBool)(suite->enabled &&
    762                     suite->isPresent &&
    763 	            suite->policy != SSL_NOT_ALLOWED &&
    764 		    suite->policy <= policy);
    765 }
    766 
    767 /* return number of cipher suites that match policy and enabled state */
    768 /* called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */
    769 static int
    770 count_cipher_suites(sslSocket *ss, int policy, PRBool enabled)
    771 {
    772     int i, count = 0;
    773 
    774     if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
    775     	return 0;
    776     }
    777     for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
    778 	if (config_match(&ss->cipherSuites[i], policy, enabled))
    779 	    count++;
    780     }
    781     if (count <= 0) {
    782 	PORT_SetError(SSL_ERROR_SSL_DISABLED);
    783     }
    784     return count;
    785 }
    786 
    787 /*
    788  * Null compression, mac and encryption functions
    789  */
    790 
    791 static SECStatus
    792 Null_Cipher(void *ctx, unsigned char *output, int *outputLen, int maxOutputLen,
    793 	    const unsigned char *input, int inputLen)
    794 {
    795     *outputLen = inputLen;
    796     if (input != output)
    797 	PORT_Memcpy(output, input, inputLen);
    798     return SECSuccess;
    799 }
    800 
    801 /*
    802  * SSL3 Utility functions
    803  */
    804 
    805 /* allowLargerPeerVersion controls whether the function will select the
    806  * highest enabled SSL version or fail when peerVersion is greater than the
    807  * highest enabled version.
    808  *
    809  * If allowLargerPeerVersion is true, peerVersion is the peer's highest
    810  * enabled version rather than the peer's selected version.
    811  */
    812 SECStatus
    813 ssl3_NegotiateVersion(sslSocket *ss, SSL3ProtocolVersion peerVersion,
    814 		      PRBool allowLargerPeerVersion)
    815 {
    816     if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
    817 	PORT_SetError(SSL_ERROR_SSL_DISABLED);
    818 	return SECFailure;
    819     }
    820 
    821     if (peerVersion < ss->vrange.min ||
    822 	(peerVersion > ss->vrange.max && !allowLargerPeerVersion)) {
    823 	PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
    824 	return SECFailure;
    825     }
    826 
    827     ss->version = PR_MIN(peerVersion, ss->vrange.max);
    828     PORT_Assert(ssl3_VersionIsSupported(ss->protocolVariant, ss->version));
    829 
    830     return SECSuccess;
    831 }
    832 
    833 static SECStatus
    834 ssl3_GetNewRandom(SSL3Random *random)
    835 {
    836     PRUint32 gmt = ssl_Time();
    837     SECStatus rv;
    838 
    839     random->rand[0] = (unsigned char)(gmt >> 24);
    840     random->rand[1] = (unsigned char)(gmt >> 16);
    841     random->rand[2] = (unsigned char)(gmt >>  8);
    842     random->rand[3] = (unsigned char)(gmt);
    843 
    844     /* first 4 bytes are reserverd for time */
    845     rv = PK11_GenerateRandom(&random->rand[4], SSL3_RANDOM_LENGTH - 4);
    846     if (rv != SECSuccess) {
    847 	ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
    848     }
    849     return rv;
    850 }
    851 
    852 /* Called by ssl3_SendServerKeyExchange and ssl3_SendCertificateVerify */
    853 SECStatus
    854 ssl3_SignHashes(SSL3Hashes *hash, SECKEYPrivateKey *key, SECItem *buf,
    855                 PRBool isTLS)
    856 {
    857     SECStatus rv		= SECFailure;
    858     PRBool    doDerEncode       = PR_FALSE;
    859     int       signatureLen;
    860     SECItem   hashItem;
    861 
    862     buf->data    = NULL;
    863 
    864     switch (key->keyType) {
    865     case rsaKey:
    866 	hashItem.data = hash->u.raw;
    867 	hashItem.len = hash->len;
    868 	break;
    869     case dsaKey:
    870 	doDerEncode = isTLS;
    871 	/* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash.
    872 	 * In that case, we use just the SHA1 part. */
    873 	if (hash->hashAlg == SEC_OID_UNKNOWN) {
    874 	    hashItem.data = hash->u.s.sha;
    875 	    hashItem.len = sizeof(hash->u.s.sha);
    876 	} else {
    877 	    hashItem.data = hash->u.raw;
    878 	    hashItem.len = hash->len;
    879 	}
    880 	break;
    881 #ifdef NSS_ENABLE_ECC
    882     case ecKey:
    883 	doDerEncode = PR_TRUE;
    884 	/* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash.
    885 	 * In that case, we use just the SHA1 part. */
    886 	if (hash->hashAlg == SEC_OID_UNKNOWN) {
    887 	    hashItem.data = hash->u.s.sha;
    888 	    hashItem.len = sizeof(hash->u.s.sha);
    889 	} else {
    890 	    hashItem.data = hash->u.raw;
    891 	    hashItem.len = hash->len;
    892 	}
    893 	break;
    894 #endif /* NSS_ENABLE_ECC */
    895     default:
    896 	PORT_SetError(SEC_ERROR_INVALID_KEY);
    897 	goto done;
    898     }
    899     PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len));
    900 
    901     if (hash->hashAlg == SEC_OID_UNKNOWN) {
    902 	signatureLen = PK11_SignatureLen(key);
    903 	if (signatureLen <= 0) {
    904 	    PORT_SetError(SEC_ERROR_INVALID_KEY);
    905 	    goto done;
    906 	}
    907 
    908 	buf->len  = (unsigned)signatureLen;
    909 	buf->data = (unsigned char *)PORT_Alloc(signatureLen);
    910 	if (!buf->data)
    911 	    goto done;  /* error code was set. */
    912 
    913 	rv = PK11_Sign(key, buf, &hashItem);
    914     } else {
    915 	rv = SGN_Digest(key, hash->hashAlg, buf, &hashItem);
    916     }
    917     if (rv != SECSuccess) {
    918 	ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE);
    919     } else if (doDerEncode) {
    920 	SECItem   derSig	= {siBuffer, NULL, 0};
    921 
    922 	/* This also works for an ECDSA signature */
    923 	rv = DSAU_EncodeDerSigWithLen(&derSig, buf, buf->len);
    924 	if (rv == SECSuccess) {
    925 	    PORT_Free(buf->data);	/* discard unencoded signature. */
    926 	    *buf = derSig;		/* give caller encoded signature. */
    927 	} else if (derSig.data) {
    928 	    PORT_Free(derSig.data);
    929 	}
    930     }
    931 
    932     PRINT_BUF(60, (NULL, "signed hashes", (unsigned char*)buf->data, buf->len));
    933 done:
    934     if (rv != SECSuccess && buf->data) {
    935 	PORT_Free(buf->data);
    936 	buf->data = NULL;
    937     }
    938     return rv;
    939 }
    940 
    941 /* Called from ssl3_HandleServerKeyExchange, ssl3_HandleCertificateVerify */
    942 SECStatus
    943 ssl3_VerifySignedHashes(SSL3Hashes *hash, CERTCertificate *cert,
    944                         SECItem *buf, PRBool isTLS, void *pwArg)
    945 {
    946     SECKEYPublicKey * key;
    947     SECItem *         signature	= NULL;
    948     SECStatus         rv;
    949     SECItem           hashItem;
    950     SECOidTag         encAlg;
    951     SECOidTag         hashAlg;
    952 
    953 
    954     PRINT_BUF(60, (NULL, "check signed hashes",
    955                   buf->data, buf->len));
    956 
    957     key = CERT_ExtractPublicKey(cert);
    958     if (key == NULL) {
    959 	ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
    960     	return SECFailure;
    961     }
    962 
    963     hashAlg = hash->hashAlg;
    964     switch (key->keyType) {
    965     case rsaKey:
    966 	encAlg = SEC_OID_PKCS1_RSA_ENCRYPTION;
    967 	hashItem.data = hash->u.raw;
    968 	hashItem.len = hash->len;
    969 	break;
    970     case dsaKey:
    971 	encAlg = SEC_OID_ANSIX9_DSA_SIGNATURE;
    972 	/* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash.
    973 	 * In that case, we use just the SHA1 part. */
    974 	if (hash->hashAlg == SEC_OID_UNKNOWN) {
    975 	    hashItem.data = hash->u.s.sha;
    976 	    hashItem.len = sizeof(hash->u.s.sha);
    977 	} else {
    978 	    hashItem.data = hash->u.raw;
    979 	    hashItem.len = hash->len;
    980 	}
    981 	/* Allow DER encoded DSA signatures in SSL 3.0 */
    982 	if (isTLS || buf->len != SECKEY_SignatureLen(key)) {
    983 	    signature = DSAU_DecodeDerSig(buf);
    984 	    if (!signature) {
    985 	    	PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
    986 		return SECFailure;
    987 	    }
    988 	    buf = signature;
    989 	}
    990 	break;
    991 
    992 #ifdef NSS_ENABLE_ECC
    993     case ecKey:
    994 	encAlg = SEC_OID_ANSIX962_EC_PUBLIC_KEY;
    995 	/* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash.
    996 	 * In that case, we use just the SHA1 part.
    997 	 * ECDSA signatures always encode the integers r and s using ASN.1
    998 	 * (unlike DSA where ASN.1 encoding is used with TLS but not with
    999 	 * SSL3). So we can use VFY_VerifyDigestDirect for ECDSA.
   1000 	 */
   1001 	if (hash->hashAlg == SEC_OID_UNKNOWN) {
   1002 	    hashAlg = SEC_OID_SHA1;
   1003 	    hashItem.data = hash->u.s.sha;
   1004 	    hashItem.len = sizeof(hash->u.s.sha);
   1005 	} else {
   1006 	    hashItem.data = hash->u.raw;
   1007 	    hashItem.len = hash->len;
   1008 	}
   1009 	break;
   1010 #endif /* NSS_ENABLE_ECC */
   1011 
   1012     default:
   1013     	SECKEY_DestroyPublicKey(key);
   1014 	PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
   1015 	return SECFailure;
   1016     }
   1017 
   1018     PRINT_BUF(60, (NULL, "hash(es) to be verified",
   1019                   hashItem.data, hashItem.len));
   1020 
   1021     if (hashAlg == SEC_OID_UNKNOWN || key->keyType == dsaKey) {
   1022 	/* VFY_VerifyDigestDirect requires DSA signatures to be DER-encoded.
   1023 	 * DSA signatures are DER-encoded in TLS but not in SSL3 and the code
   1024 	 * above always removes the DER encoding of DSA signatures when
   1025 	 * present. Thus DSA signatures are always verified with PK11_Verify.
   1026 	 */
   1027 	rv = PK11_Verify(key, buf, &hashItem, pwArg);
   1028     } else {
   1029 	rv = VFY_VerifyDigestDirect(&hashItem, key, buf, encAlg, hashAlg,
   1030 				    pwArg);
   1031     }
   1032     SECKEY_DestroyPublicKey(key);
   1033     if (signature) {
   1034     	SECITEM_FreeItem(signature, PR_TRUE);
   1035     }
   1036     if (rv != SECSuccess) {
   1037 	ssl_MapLowLevelError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
   1038     }
   1039     return rv;
   1040 }
   1041 
   1042 
   1043 /* Caller must set hiLevel error code. */
   1044 /* Called from ssl3_ComputeExportRSAKeyHash
   1045  *             ssl3_ComputeDHKeyHash
   1046  * which are called from ssl3_HandleServerKeyExchange.
   1047  *
   1048  * hashAlg: either the OID for a hash algorithm or SEC_OID_UNKNOWN to specify
   1049  * the pre-1.2, MD5/SHA1 combination hash.
   1050  */
   1051 SECStatus
   1052 ssl3_ComputeCommonKeyHash(SECOidTag hashAlg,
   1053 			  PRUint8 * hashBuf, unsigned int bufLen,
   1054 			  SSL3Hashes *hashes, PRBool bypassPKCS11)
   1055 {
   1056     SECStatus     rv 		= SECSuccess;
   1057 
   1058 #ifndef NO_PKCS11_BYPASS
   1059     if (bypassPKCS11) {
   1060 	if (hashAlg == SEC_OID_UNKNOWN) {
   1061 	    MD5_HashBuf (hashes->u.s.md5, hashBuf, bufLen);
   1062 	    SHA1_HashBuf(hashes->u.s.sha, hashBuf, bufLen);
   1063 	    hashes->len = MD5_LENGTH + SHA1_LENGTH;
   1064 	} else if (hashAlg == SEC_OID_SHA1) {
   1065 	    SHA1_HashBuf(hashes->u.raw, hashBuf, bufLen);
   1066 	    hashes->len = SHA1_LENGTH;
   1067 	} else if (hashAlg == SEC_OID_SHA256) {
   1068 	    SHA256_HashBuf(hashes->u.raw, hashBuf, bufLen);
   1069 	    hashes->len = SHA256_LENGTH;
   1070 	} else if (hashAlg == SEC_OID_SHA384) {
   1071 	    SHA384_HashBuf(hashes->u.raw, hashBuf, bufLen);
   1072 	    hashes->len = SHA384_LENGTH;
   1073 	} else if (hashAlg == SEC_OID_SHA512) {
   1074 	    SHA512_HashBuf(hashes->u.raw, hashBuf, bufLen);
   1075 	    hashes->len = SHA512_LENGTH;
   1076 	} else {
   1077 	    PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
   1078 	    return SECFailure;
   1079 	}
   1080     } else
   1081 #endif
   1082     {
   1083 	if (hashAlg == SEC_OID_UNKNOWN) {
   1084 	    rv = PK11_HashBuf(SEC_OID_MD5, hashes->u.s.md5, hashBuf, bufLen);
   1085 	    if (rv != SECSuccess) {
   1086 		ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
   1087 		rv = SECFailure;
   1088 		goto done;
   1089 	    }
   1090 
   1091 	    rv = PK11_HashBuf(SEC_OID_SHA1, hashes->u.s.sha, hashBuf, bufLen);
   1092 	    if (rv != SECSuccess) {
   1093 		ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
   1094 		rv = SECFailure;
   1095 	    }
   1096 	    hashes->len = MD5_LENGTH + SHA1_LENGTH;
   1097 	} else {
   1098 	    hashes->len = HASH_ResultLenByOidTag(hashAlg);
   1099 	    if (hashes->len > sizeof(hashes->u.raw)) {
   1100 		ssl_MapLowLevelError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
   1101 		rv = SECFailure;
   1102 		goto done;
   1103 	    }
   1104 	    rv = PK11_HashBuf(hashAlg, hashes->u.raw, hashBuf, bufLen);
   1105 	    if (rv != SECSuccess) {
   1106 		ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
   1107 		rv = SECFailure;
   1108 	    }
   1109 	}
   1110     }
   1111     hashes->hashAlg = hashAlg;
   1112 
   1113 done:
   1114     return rv;
   1115 }
   1116 
   1117 /* Caller must set hiLevel error code.
   1118 ** Called from ssl3_SendServerKeyExchange and
   1119 **             ssl3_HandleServerKeyExchange.
   1120 */
   1121 static SECStatus
   1122 ssl3_ComputeExportRSAKeyHash(SECOidTag hashAlg,
   1123 			     SECItem modulus, SECItem publicExponent,
   1124 			     SSL3Random *client_rand, SSL3Random *server_rand,
   1125 			     SSL3Hashes *hashes, PRBool bypassPKCS11)
   1126 {
   1127     PRUint8     * hashBuf;
   1128     PRUint8     * pBuf;
   1129     SECStatus     rv 		= SECSuccess;
   1130     unsigned int  bufLen;
   1131     PRUint8       buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8];
   1132 
   1133     bufLen = 2*SSL3_RANDOM_LENGTH + 2 + modulus.len + 2 + publicExponent.len;
   1134     if (bufLen <= sizeof buf) {
   1135     	hashBuf = buf;
   1136     } else {
   1137     	hashBuf = PORT_Alloc(bufLen);
   1138 	if (!hashBuf) {
   1139 	    return SECFailure;
   1140 	}
   1141     }
   1142 
   1143     memcpy(hashBuf, client_rand, SSL3_RANDOM_LENGTH);
   1144     	pBuf = hashBuf + SSL3_RANDOM_LENGTH;
   1145     memcpy(pBuf, server_rand, SSL3_RANDOM_LENGTH);
   1146     	pBuf += SSL3_RANDOM_LENGTH;
   1147     pBuf[0]  = (PRUint8)(modulus.len >> 8);
   1148     pBuf[1]  = (PRUint8)(modulus.len);
   1149     	pBuf += 2;
   1150     memcpy(pBuf, modulus.data, modulus.len);
   1151     	pBuf += modulus.len;
   1152     pBuf[0] = (PRUint8)(publicExponent.len >> 8);
   1153     pBuf[1] = (PRUint8)(publicExponent.len);
   1154     	pBuf += 2;
   1155     memcpy(pBuf, publicExponent.data, publicExponent.len);
   1156     	pBuf += publicExponent.len;
   1157     PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen);
   1158 
   1159     rv = ssl3_ComputeCommonKeyHash(hashAlg, hashBuf, bufLen, hashes,
   1160 				   bypassPKCS11);
   1161 
   1162     PRINT_BUF(95, (NULL, "RSAkey hash: ", hashBuf, bufLen));
   1163     if (hashAlg == SEC_OID_UNKNOWN) {
   1164 	PRINT_BUF(95, (NULL, "RSAkey hash: MD5 result",
   1165 		  hashes->u.s.md5, MD5_LENGTH));
   1166 	PRINT_BUF(95, (NULL, "RSAkey hash: SHA1 result",
   1167 		  hashes->u.s.sha, SHA1_LENGTH));
   1168     } else {
   1169 	PRINT_BUF(95, (NULL, "RSAkey hash: result",
   1170 		  hashes->u.raw, hashes->len));
   1171     }
   1172 
   1173     if (hashBuf != buf && hashBuf != NULL)
   1174     	PORT_Free(hashBuf);
   1175     return rv;
   1176 }
   1177 
   1178 /* Caller must set hiLevel error code. */
   1179 /* Called from ssl3_HandleServerKeyExchange. */
   1180 static SECStatus
   1181 ssl3_ComputeDHKeyHash(SECOidTag hashAlg,
   1182 		      SECItem dh_p, SECItem dh_g, SECItem dh_Ys,
   1183 		      SSL3Random *client_rand, SSL3Random *server_rand,
   1184 		      SSL3Hashes *hashes, PRBool bypassPKCS11)
   1185 {
   1186     PRUint8     * hashBuf;
   1187     PRUint8     * pBuf;
   1188     SECStatus     rv 		= SECSuccess;
   1189     unsigned int  bufLen;
   1190     PRUint8       buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8];
   1191 
   1192     bufLen = 2*SSL3_RANDOM_LENGTH + 2 + dh_p.len + 2 + dh_g.len + 2 + dh_Ys.len;
   1193     if (bufLen <= sizeof buf) {
   1194     	hashBuf = buf;
   1195     } else {
   1196     	hashBuf = PORT_Alloc(bufLen);
   1197 	if (!hashBuf) {
   1198 	    return SECFailure;
   1199 	}
   1200     }
   1201 
   1202     memcpy(hashBuf, client_rand, SSL3_RANDOM_LENGTH);
   1203     	pBuf = hashBuf + SSL3_RANDOM_LENGTH;
   1204     memcpy(pBuf, server_rand, SSL3_RANDOM_LENGTH);
   1205     	pBuf += SSL3_RANDOM_LENGTH;
   1206     pBuf[0]  = (PRUint8)(dh_p.len >> 8);
   1207     pBuf[1]  = (PRUint8)(dh_p.len);
   1208     	pBuf += 2;
   1209     memcpy(pBuf, dh_p.data, dh_p.len);
   1210     	pBuf += dh_p.len;
   1211     pBuf[0] = (PRUint8)(dh_g.len >> 8);
   1212     pBuf[1] = (PRUint8)(dh_g.len);
   1213     	pBuf += 2;
   1214     memcpy(pBuf, dh_g.data, dh_g.len);
   1215     	pBuf += dh_g.len;
   1216     pBuf[0] = (PRUint8)(dh_Ys.len >> 8);
   1217     pBuf[1] = (PRUint8)(dh_Ys.len);
   1218     	pBuf += 2;
   1219     memcpy(pBuf, dh_Ys.data, dh_Ys.len);
   1220     	pBuf += dh_Ys.len;
   1221     PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen);
   1222 
   1223     rv = ssl3_ComputeCommonKeyHash(hashAlg, hashBuf, bufLen, hashes,
   1224 				   bypassPKCS11);
   1225 
   1226     PRINT_BUF(95, (NULL, "DHkey hash: ", hashBuf, bufLen));
   1227     if (hashAlg == SEC_OID_UNKNOWN) {
   1228 	PRINT_BUF(95, (NULL, "DHkey hash: MD5 result",
   1229 		  hashes->u.s.md5, MD5_LENGTH));
   1230 	PRINT_BUF(95, (NULL, "DHkey hash: SHA1 result",
   1231 		  hashes->u.s.sha, SHA1_LENGTH));
   1232     } else {
   1233 	PRINT_BUF(95, (NULL, "DHkey hash: result",
   1234 		  hashes->u.raw, hashes->len));
   1235     }
   1236 
   1237     if (hashBuf != buf && hashBuf != NULL)
   1238     	PORT_Free(hashBuf);
   1239     return rv;
   1240 }
   1241 
   1242 static void
   1243 ssl3_BumpSequenceNumber(SSL3SequenceNumber *num)
   1244 {
   1245     num->low++;
   1246     if (num->low == 0)
   1247 	num->high++;
   1248 }
   1249 
   1250 /* Called twice, only from ssl3_DestroyCipherSpec (immediately below). */
   1251 static void
   1252 ssl3_CleanupKeyMaterial(ssl3KeyMaterial *mat)
   1253 {
   1254     if (mat->write_key != NULL) {
   1255 	PK11_FreeSymKey(mat->write_key);
   1256 	mat->write_key = NULL;
   1257     }
   1258     if (mat->write_mac_key != NULL) {
   1259 	PK11_FreeSymKey(mat->write_mac_key);
   1260 	mat->write_mac_key = NULL;
   1261     }
   1262     if (mat->write_mac_context != NULL) {
   1263 	PK11_DestroyContext(mat->write_mac_context, PR_TRUE);
   1264 	mat->write_mac_context = NULL;
   1265     }
   1266 }
   1267 
   1268 /* Called from ssl3_SendChangeCipherSpecs() and
   1269 **	       ssl3_HandleChangeCipherSpecs()
   1270 **             ssl3_DestroySSL3Info
   1271 ** Caller must hold SpecWriteLock.
   1272 */
   1273 void
   1274 ssl3_DestroyCipherSpec(ssl3CipherSpec *spec, PRBool freeSrvName)
   1275 {
   1276     PRBool freeit = (PRBool)(!spec->bypassCiphers);
   1277 /*  PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); Don't have ss! */
   1278     if (spec->destroy) {
   1279 	spec->destroy(spec->encodeContext, freeit);
   1280 	spec->destroy(spec->decodeContext, freeit);
   1281 	spec->encodeContext = NULL; /* paranoia */
   1282 	spec->decodeContext = NULL;
   1283     }
   1284     if (spec->destroyCompressContext && spec->compressContext) {
   1285 	spec->destroyCompressContext(spec->compressContext, 1);
   1286 	spec->compressContext = NULL;
   1287     }
   1288     if (spec->destroyDecompressContext && spec->decompressContext) {
   1289 	spec->destroyDecompressContext(spec->decompressContext, 1);
   1290 	spec->decompressContext = NULL;
   1291     }
   1292     if (freeSrvName && spec->srvVirtName.data) {
   1293         SECITEM_FreeItem(&spec->srvVirtName, PR_FALSE);
   1294     }
   1295     if (spec->master_secret != NULL) {
   1296 	PK11_FreeSymKey(spec->master_secret);
   1297 	spec->master_secret = NULL;
   1298     }
   1299     spec->msItem.data = NULL;
   1300     spec->msItem.len  = 0;
   1301     ssl3_CleanupKeyMaterial(&spec->client);
   1302     ssl3_CleanupKeyMaterial(&spec->server);
   1303     spec->bypassCiphers = PR_FALSE;
   1304     spec->destroy=NULL;
   1305     spec->destroyCompressContext = NULL;
   1306     spec->destroyDecompressContext = NULL;
   1307 }
   1308 
   1309 /* Fill in the pending cipher spec with info from the selected ciphersuite.
   1310 ** This is as much initialization as we can do without having key material.
   1311 ** Called from ssl3_HandleServerHello(), ssl3_SendServerHello()
   1312 ** Caller must hold the ssl3 handshake lock.
   1313 ** Acquires & releases SpecWriteLock.
   1314 */
   1315 static SECStatus
   1316 ssl3_SetupPendingCipherSpec(sslSocket *ss)
   1317 {
   1318     ssl3CipherSpec *          pwSpec;
   1319     ssl3CipherSpec *          cwSpec;
   1320     ssl3CipherSuite           suite     = ss->ssl3.hs.cipher_suite;
   1321     SSL3MACAlgorithm          mac;
   1322     SSL3BulkCipher            cipher;
   1323     SSL3KeyExchangeAlgorithm  kea;
   1324     const ssl3CipherSuiteDef *suite_def;
   1325     PRBool                    isTLS;
   1326 
   1327     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
   1328 
   1329     ssl_GetSpecWriteLock(ss);  /*******************************/
   1330 
   1331     pwSpec = ss->ssl3.pwSpec;
   1332     PORT_Assert(pwSpec == ss->ssl3.prSpec);
   1333 
   1334     /* This hack provides maximal interoperability with SSL 3 servers. */
   1335     cwSpec = ss->ssl3.cwSpec;
   1336     if (cwSpec->mac_def->mac == mac_null) {
   1337 	/* SSL records are not being MACed. */
   1338 	cwSpec->version = ss->version;
   1339     }
   1340 
   1341     pwSpec->version  = ss->version;
   1342     isTLS  = (PRBool)(pwSpec->version > SSL_LIBRARY_VERSION_3_0);
   1343 
   1344     SSL_TRC(3, ("%d: SSL3[%d]: Set XXX Pending Cipher Suite to 0x%04x",
   1345 		SSL_GETPID(), ss->fd, suite));
   1346 
   1347     suite_def = ssl_LookupCipherSuiteDef(suite);
   1348     if (suite_def == NULL) {
   1349 	ssl_ReleaseSpecWriteLock(ss);
   1350 	return SECFailure;	/* error code set by ssl_LookupCipherSuiteDef */
   1351     }
   1352 
   1353     if (IS_DTLS(ss)) {
   1354 	/* Double-check that we did not pick an RC4 suite */
   1355 	PORT_Assert((suite_def->bulk_cipher_alg != cipher_rc4) &&
   1356 		    (suite_def->bulk_cipher_alg != cipher_rc4_40) &&
   1357 		    (suite_def->bulk_cipher_alg != cipher_rc4_56));
   1358     }
   1359 
   1360     cipher = suite_def->bulk_cipher_alg;
   1361     kea    = suite_def->key_exchange_alg;
   1362     mac    = suite_def->mac_alg;
   1363     if (mac <= ssl_mac_sha && isTLS)
   1364 	mac += 2;
   1365 
   1366     ss->ssl3.hs.suite_def = suite_def;
   1367     ss->ssl3.hs.kea_def   = &kea_defs[kea];
   1368     PORT_Assert(ss->ssl3.hs.kea_def->kea == kea);
   1369 
   1370     pwSpec->cipher_def   = &bulk_cipher_defs[cipher];
   1371     PORT_Assert(pwSpec->cipher_def->cipher == cipher);
   1372 
   1373     pwSpec->mac_def = &mac_defs[mac];
   1374     PORT_Assert(pwSpec->mac_def->mac == mac);
   1375 
   1376     ss->sec.keyBits       = pwSpec->cipher_def->key_size        * BPB;
   1377     ss->sec.secretKeyBits = pwSpec->cipher_def->secret_key_size * BPB;
   1378     ss->sec.cipherType    = cipher;
   1379 
   1380     pwSpec->encodeContext = NULL;
   1381     pwSpec->decodeContext = NULL;
   1382 
   1383     pwSpec->mac_size = pwSpec->mac_def->mac_size;
   1384 
   1385     pwSpec->compression_method = ss->ssl3.hs.compression;
   1386     pwSpec->compressContext = NULL;
   1387     pwSpec->decompressContext = NULL;
   1388 
   1389     ssl_ReleaseSpecWriteLock(ss);  /*******************************/
   1390     return SECSuccess;
   1391 }
   1392 
   1393 #ifdef NSS_ENABLE_ZLIB
   1394 #define SSL3_DEFLATE_CONTEXT_SIZE sizeof(z_stream)
   1395 
   1396 static SECStatus
   1397 ssl3_MapZlibError(int zlib_error)
   1398 {
   1399     switch (zlib_error) {
   1400     case Z_OK:
   1401         return SECSuccess;
   1402     default:
   1403         return SECFailure;
   1404     }
   1405 }
   1406 
   1407 static SECStatus
   1408 ssl3_DeflateInit(void *void_context)
   1409 {
   1410     z_stream *context = void_context;
   1411     context->zalloc = NULL;
   1412     context->zfree = NULL;
   1413     context->opaque = NULL;
   1414 
   1415     return ssl3_MapZlibError(deflateInit(context, Z_DEFAULT_COMPRESSION));
   1416 }
   1417 
   1418 static SECStatus
   1419 ssl3_InflateInit(void *void_context)
   1420 {
   1421     z_stream *context = void_context;
   1422     context->zalloc = NULL;
   1423     context->zfree = NULL;
   1424     context->opaque = NULL;
   1425     context->next_in = NULL;
   1426     context->avail_in = 0;
   1427 
   1428     return ssl3_MapZlibError(inflateInit(context));
   1429 }
   1430 
   1431 static SECStatus
   1432 ssl3_DeflateCompress(void *void_context, unsigned char *out, int *out_len,
   1433                      int maxout, const unsigned char *in, int inlen)
   1434 {
   1435     z_stream *context = void_context;
   1436 
   1437     if (!inlen) {
   1438         *out_len = 0;
   1439         return SECSuccess;
   1440     }
   1441 
   1442     context->next_in = (unsigned char*) in;
   1443     context->avail_in = inlen;
   1444     context->next_out = out;
   1445     context->avail_out = maxout;
   1446     if (deflate(context, Z_SYNC_FLUSH) != Z_OK) {
   1447         return SECFailure;
   1448     }
   1449     if (context->avail_out == 0) {
   1450         /* We ran out of space! */
   1451         SSL_TRC(3, ("%d: SSL3[%d] Ran out of buffer while compressing",
   1452                     SSL_GETPID()));
   1453         return SECFailure;
   1454     }
   1455 
   1456     *out_len = maxout - context->avail_out;
   1457     return SECSuccess;
   1458 }
   1459 
   1460 static SECStatus
   1461 ssl3_DeflateDecompress(void *void_context, unsigned char *out, int *out_len,
   1462                        int maxout, const unsigned char *in, int inlen)
   1463 {
   1464     z_stream *context = void_context;
   1465 
   1466     if (!inlen) {
   1467         *out_len = 0;
   1468         return SECSuccess;
   1469     }
   1470 
   1471     context->next_in = (unsigned char*) in;
   1472     context->avail_in = inlen;
   1473     context->next_out = out;
   1474     context->avail_out = maxout;
   1475     if (inflate(context, Z_SYNC_FLUSH) != Z_OK) {
   1476         PORT_SetError(SSL_ERROR_DECOMPRESSION_FAILURE);
   1477         return SECFailure;
   1478     }
   1479 
   1480     *out_len = maxout - context->avail_out;
   1481     return SECSuccess;
   1482 }
   1483 
   1484 static SECStatus
   1485 ssl3_DestroyCompressContext(void *void_context, PRBool unused)
   1486 {
   1487     deflateEnd(void_context);
   1488     PORT_Free(void_context);
   1489     return SECSuccess;
   1490 }
   1491 
   1492 static SECStatus
   1493 ssl3_DestroyDecompressContext(void *void_context, PRBool unused)
   1494 {
   1495     inflateEnd(void_context);
   1496     PORT_Free(void_context);
   1497     return SECSuccess;
   1498 }
   1499 
   1500 #endif /* NSS_ENABLE_ZLIB */
   1501 
   1502 /* Initialize the compression functions and contexts for the given
   1503  * CipherSpec.  */
   1504 static SECStatus
   1505 ssl3_InitCompressionContext(ssl3CipherSpec *pwSpec)
   1506 {
   1507     /* Setup the compression functions */
   1508     switch (pwSpec->compression_method) {
   1509     case ssl_compression_null:
   1510 	pwSpec->compressor = NULL;
   1511 	pwSpec->decompressor = NULL;
   1512 	pwSpec->compressContext = NULL;
   1513 	pwSpec->decompressContext = NULL;
   1514 	pwSpec->destroyCompressContext = NULL;
   1515 	pwSpec->destroyDecompressContext = NULL;
   1516 	break;
   1517 #ifdef NSS_ENABLE_ZLIB
   1518     case ssl_compression_deflate:
   1519 	pwSpec->compressor = ssl3_DeflateCompress;
   1520 	pwSpec->decompressor = ssl3_DeflateDecompress;
   1521 	pwSpec->compressContext = PORT_Alloc(SSL3_DEFLATE_CONTEXT_SIZE);
   1522 	pwSpec->decompressContext = PORT_Alloc(SSL3_DEFLATE_CONTEXT_SIZE);
   1523 	pwSpec->destroyCompressContext = ssl3_DestroyCompressContext;
   1524 	pwSpec->destroyDecompressContext = ssl3_DestroyDecompressContext;
   1525 	ssl3_DeflateInit(pwSpec->compressContext);
   1526 	ssl3_InflateInit(pwSpec->decompressContext);
   1527 	break;
   1528 #endif /* NSS_ENABLE_ZLIB */
   1529     default:
   1530 	PORT_Assert(0);
   1531 	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
   1532 	return SECFailure;
   1533     }
   1534 
   1535     return SECSuccess;
   1536 }
   1537 
   1538 #ifndef NO_PKCS11_BYPASS
   1539 /* Initialize encryption contexts for pending spec.
   1540  * MAC contexts are set up when computing the mac, not here.
   1541  * Master Secret already is derived in spec->msItem
   1542  * Caller holds Spec write lock.
   1543  */
   1544 static SECStatus
   1545 ssl3_InitPendingContextsBypass(sslSocket *ss)
   1546 {
   1547       ssl3CipherSpec  *  pwSpec;
   1548       const ssl3BulkCipherDef *cipher_def;
   1549       void *             serverContext = NULL;
   1550       void *             clientContext = NULL;
   1551       BLapiInitContextFunc initFn = (BLapiInitContextFunc)NULL;
   1552       int                mode     = 0;
   1553       unsigned int       optArg1  = 0;
   1554       unsigned int       optArg2  = 0;
   1555       PRBool             server_encrypts = ss->sec.isServer;
   1556       SSLCipherAlgorithm calg;
   1557       SSLCompressionMethod compression_method;
   1558       SECStatus          rv;
   1559 
   1560     PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
   1561     PORT_Assert(ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
   1562     PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
   1563 
   1564     pwSpec        = ss->ssl3.pwSpec;
   1565     cipher_def    = pwSpec->cipher_def;
   1566 
   1567     calg = cipher_def->calg;
   1568     compression_method = pwSpec->compression_method;
   1569 
   1570     serverContext = pwSpec->server.cipher_context;
   1571     clientContext = pwSpec->client.cipher_context;
   1572 
   1573     switch (calg) {
   1574     case ssl_calg_null:
   1575 	pwSpec->encode  = Null_Cipher;
   1576 	pwSpec->decode  = Null_Cipher;
   1577         pwSpec->destroy = NULL;
   1578 	goto success;
   1579 
   1580     case ssl_calg_rc4:
   1581       	initFn = (BLapiInitContextFunc)RC4_InitContext;
   1582 	pwSpec->encode  = (SSLCipher) RC4_Encrypt;
   1583 	pwSpec->decode  = (SSLCipher) RC4_Decrypt;
   1584 	pwSpec->destroy = (SSLDestroy) RC4_DestroyContext;
   1585 	break;
   1586     case ssl_calg_rc2:
   1587       	initFn = (BLapiInitContextFunc)RC2_InitContext;
   1588 	mode = NSS_RC2_CBC;
   1589 	optArg1 = cipher_def->key_size;
   1590 	pwSpec->encode  = (SSLCipher) RC2_Encrypt;
   1591 	pwSpec->decode  = (SSLCipher) RC2_Decrypt;
   1592 	pwSpec->destroy = (SSLDestroy) RC2_DestroyContext;
   1593 	break;
   1594     case ssl_calg_des:
   1595       	initFn = (BLapiInitContextFunc)DES_InitContext;
   1596 	mode = NSS_DES_CBC;
   1597 	optArg1 = server_encrypts;
   1598 	pwSpec->encode  = (SSLCipher) DES_Encrypt;
   1599 	pwSpec->decode  = (SSLCipher) DES_Decrypt;
   1600 	pwSpec->destroy = (SSLDestroy) DES_DestroyContext;
   1601 	break;
   1602     case ssl_calg_3des:
   1603       	initFn = (BLapiInitContextFunc)DES_InitContext;
   1604 	mode = NSS_DES_EDE3_CBC;
   1605 	optArg1 = server_encrypts;
   1606 	pwSpec->encode  = (SSLCipher) DES_Encrypt;
   1607 	pwSpec->decode  = (SSLCipher) DES_Decrypt;
   1608 	pwSpec->destroy = (SSLDestroy) DES_DestroyContext;
   1609 	break;
   1610     case ssl_calg_aes:
   1611       	initFn = (BLapiInitContextFunc)AES_InitContext;
   1612 	mode = NSS_AES_CBC;
   1613 	optArg1 = server_encrypts;
   1614 	optArg2 = AES_BLOCK_SIZE;
   1615 	pwSpec->encode  = (SSLCipher) AES_Encrypt;
   1616 	pwSpec->decode  = (SSLCipher) AES_Decrypt;
   1617 	pwSpec->destroy = (SSLDestroy) AES_DestroyContext;
   1618 	break;
   1619 
   1620     case ssl_calg_camellia:
   1621       	initFn = (BLapiInitContextFunc)Camellia_InitContext;
   1622 	mode = NSS_CAMELLIA_CBC;
   1623 	optArg1 = server_encrypts;
   1624 	optArg2 = CAMELLIA_BLOCK_SIZE;
   1625 	pwSpec->encode  = (SSLCipher) Camellia_Encrypt;
   1626 	pwSpec->decode  = (SSLCipher) Camellia_Decrypt;
   1627 	pwSpec->destroy = (SSLDestroy) Camellia_DestroyContext;
   1628 	break;
   1629 
   1630     case ssl_calg_seed:
   1631       	initFn = (BLapiInitContextFunc)SEED_InitContext;
   1632 	mode = NSS_SEED_CBC;
   1633 	optArg1 = server_encrypts;
   1634 	optArg2 = SEED_BLOCK_SIZE;
   1635 	pwSpec->encode  = (SSLCipher) SEED_Encrypt;
   1636 	pwSpec->decode  = (SSLCipher) SEED_Decrypt;
   1637 	pwSpec->destroy = (SSLDestroy) SEED_DestroyContext;
   1638 	break;
   1639 
   1640     case ssl_calg_idea:
   1641     case ssl_calg_fortezza :
   1642     default:
   1643 	PORT_Assert(0);
   1644 	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
   1645 	goto bail_out;
   1646     }
   1647     rv = (*initFn)(serverContext,
   1648 		   pwSpec->server.write_key_item.data,
   1649 		   pwSpec->server.write_key_item.len,
   1650 		   pwSpec->server.write_iv_item.data,
   1651 		   mode, optArg1, optArg2);
   1652     if (rv != SECSuccess) {
   1653 	PORT_Assert(0);
   1654 	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
   1655 	goto bail_out;
   1656     }
   1657 
   1658     switch (calg) {
   1659     case ssl_calg_des:
   1660     case ssl_calg_3des:
   1661     case ssl_calg_aes:
   1662     case ssl_calg_camellia:
   1663     case ssl_calg_seed:
   1664 	/* For block ciphers, if the server is encrypting, then the client
   1665 	* is decrypting, and vice versa.
   1666 	*/
   1667         optArg1 = !optArg1;
   1668         break;
   1669     /* kill warnings. */
   1670     case ssl_calg_null:
   1671     case ssl_calg_rc4:
   1672     case ssl_calg_rc2:
   1673     case ssl_calg_idea:
   1674     case ssl_calg_fortezza:
   1675         break;
   1676     }
   1677 
   1678     rv = (*initFn)(clientContext,
   1679 		   pwSpec->client.write_key_item.data,
   1680 		   pwSpec->client.write_key_item.len,
   1681 		   pwSpec->client.write_iv_item.data,
   1682 		   mode, optArg1, optArg2);
   1683     if (rv != SECSuccess) {
   1684 	PORT_Assert(0);
   1685 	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
   1686 	goto bail_out;
   1687     }
   1688 
   1689     pwSpec->encodeContext = (ss->sec.isServer) ? serverContext : clientContext;
   1690     pwSpec->decodeContext = (ss->sec.isServer) ? clientContext : serverContext;
   1691 
   1692     ssl3_InitCompressionContext(pwSpec);
   1693 
   1694 success:
   1695     return SECSuccess;
   1696 
   1697 bail_out:
   1698     return SECFailure;
   1699 }
   1700 #endif
   1701 
   1702 /* This function should probably be moved to pk11wrap and be named
   1703  * PK11_ParamFromIVAndEffectiveKeyBits
   1704  */
   1705 static SECItem *
   1706 ssl3_ParamFromIV(CK_MECHANISM_TYPE mtype, SECItem *iv, CK_ULONG ulEffectiveBits)
   1707 {
   1708     SECItem * param = PK11_ParamFromIV(mtype, iv);
   1709     if (param && param->data  && param->len >= sizeof(CK_RC2_PARAMS)) {
   1710 	switch (mtype) {
   1711 	case CKM_RC2_KEY_GEN:
   1712 	case CKM_RC2_ECB:
   1713 	case CKM_RC2_CBC:
   1714 	case CKM_RC2_MAC:
   1715 	case CKM_RC2_MAC_GENERAL:
   1716 	case CKM_RC2_CBC_PAD:
   1717 	    *(CK_RC2_PARAMS *)param->data = ulEffectiveBits;
   1718 	default: break;
   1719 	}
   1720     }
   1721     return param;
   1722 }
   1723 
   1724 /* Initialize encryption and MAC contexts for pending spec.
   1725  * Master Secret already is derived.
   1726  * Caller holds Spec write lock.
   1727  */
   1728 static SECStatus
   1729 ssl3_InitPendingContextsPKCS11(sslSocket *ss)
   1730 {
   1731       ssl3CipherSpec  *  pwSpec;
   1732       const ssl3BulkCipherDef *cipher_def;
   1733       PK11Context *      serverContext = NULL;
   1734       PK11Context *      clientContext = NULL;
   1735       SECItem *          param;
   1736       CK_MECHANISM_TYPE  mechanism;
   1737       CK_MECHANISM_TYPE  mac_mech;
   1738       CK_ULONG           macLength;
   1739       CK_ULONG           effKeyBits;
   1740       SECItem            iv;
   1741       SECItem            mac_param;
   1742       SSLCipherAlgorithm calg;
   1743 
   1744     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
   1745     PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
   1746     PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
   1747 
   1748     pwSpec        = ss->ssl3.pwSpec;
   1749     cipher_def    = pwSpec->cipher_def;
   1750     macLength     = pwSpec->mac_size;
   1751 
   1752     /*
   1753     ** Now setup the MAC contexts,
   1754     **   crypto contexts are setup below.
   1755     */
   1756 
   1757     pwSpec->client.write_mac_context = NULL;
   1758     pwSpec->server.write_mac_context = NULL;
   1759     mac_mech       = pwSpec->mac_def->mmech;
   1760     mac_param.data = (unsigned char *)&macLength;
   1761     mac_param.len  = sizeof(macLength);
   1762     mac_param.type = 0;
   1763 
   1764     pwSpec->client.write_mac_context = PK11_CreateContextBySymKey(
   1765 	    mac_mech, CKA_SIGN, pwSpec->client.write_mac_key, &mac_param);
   1766     if (pwSpec->client.write_mac_context == NULL)  {
   1767 	ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
   1768 	goto fail;
   1769     }
   1770     pwSpec->server.write_mac_context = PK11_CreateContextBySymKey(
   1771 	    mac_mech, CKA_SIGN, pwSpec->server.write_mac_key, &mac_param);
   1772     if (pwSpec->server.write_mac_context == NULL) {
   1773 	ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
   1774 	goto fail;
   1775     }
   1776 
   1777     /*
   1778     ** Now setup the crypto contexts.
   1779     */
   1780 
   1781     calg = cipher_def->calg;
   1782     PORT_Assert(alg2Mech[calg].calg == calg);
   1783 
   1784     if (calg == calg_null) {
   1785 	pwSpec->encode  = Null_Cipher;
   1786 	pwSpec->decode  = Null_Cipher;
   1787 	pwSpec->destroy = NULL;
   1788 	return SECSuccess;
   1789     }
   1790     mechanism = alg2Mech[calg].cmech;
   1791     effKeyBits = cipher_def->key_size * BPB;
   1792 
   1793     /*
   1794      * build the server context
   1795      */
   1796     iv.data = pwSpec->server.write_iv;
   1797     iv.len  = cipher_def->iv_size;
   1798     param = ssl3_ParamFromIV(mechanism, &iv, effKeyBits);
   1799     if (param == NULL) {
   1800 	ssl_MapLowLevelError(SSL_ERROR_IV_PARAM_FAILURE);
   1801     	goto fail;
   1802     }
   1803     serverContext = PK11_CreateContextBySymKey(mechanism,
   1804 				(ss->sec.isServer ? CKA_ENCRYPT : CKA_DECRYPT),
   1805 				pwSpec->server.write_key, param);
   1806     iv.data = PK11_IVFromParam(mechanism, param, (int *)&iv.len);
   1807     if (iv.data)
   1808     	PORT_Memcpy(pwSpec->server.write_iv, iv.data, iv.len);
   1809     SECITEM_FreeItem(param, PR_TRUE);
   1810     if (serverContext == NULL) {
   1811 	ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
   1812     	goto fail;
   1813     }
   1814 
   1815     /*
   1816      * build the client context
   1817      */
   1818     iv.data = pwSpec->client.write_iv;
   1819     iv.len  = cipher_def->iv_size;
   1820 
   1821     param = ssl3_ParamFromIV(mechanism, &iv, effKeyBits);
   1822     if (param == NULL) {
   1823 	ssl_MapLowLevelError(SSL_ERROR_IV_PARAM_FAILURE);
   1824     	goto fail;
   1825     }
   1826     clientContext = PK11_CreateContextBySymKey(mechanism,
   1827 				(ss->sec.isServer ? CKA_DECRYPT : CKA_ENCRYPT),
   1828 				pwSpec->client.write_key, param);
   1829     iv.data = PK11_IVFromParam(mechanism, param, (int *)&iv.len);
   1830     if (iv.data)
   1831     	PORT_Memcpy(pwSpec->client.write_iv, iv.data, iv.len);
   1832     SECITEM_FreeItem(param,PR_TRUE);
   1833     if (clientContext == NULL) {
   1834 	ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
   1835     	goto fail;
   1836     }
   1837     pwSpec->encode  = (SSLCipher) PK11_CipherOp;
   1838     pwSpec->decode  = (SSLCipher) PK11_CipherOp;
   1839     pwSpec->destroy = (SSLDestroy) PK11_DestroyContext;
   1840 
   1841     pwSpec->encodeContext = (ss->sec.isServer) ? serverContext : clientContext;
   1842     pwSpec->decodeContext = (ss->sec.isServer) ? clientContext : serverContext;
   1843 
   1844     serverContext = NULL;
   1845     clientContext = NULL;
   1846 
   1847     ssl3_InitCompressionContext(pwSpec);
   1848 
   1849     return SECSuccess;
   1850 
   1851 fail:
   1852     if (serverContext != NULL) PK11_DestroyContext(serverContext, PR_TRUE);
   1853     if (clientContext != NULL) PK11_DestroyContext(clientContext, PR_TRUE);
   1854     if (pwSpec->client.write_mac_context != NULL) {
   1855     	PK11_DestroyContext(pwSpec->client.write_mac_context,PR_TRUE);
   1856 	pwSpec->client.write_mac_context = NULL;
   1857     }
   1858     if (pwSpec->server.write_mac_context != NULL) {
   1859     	PK11_DestroyContext(pwSpec->server.write_mac_context,PR_TRUE);
   1860 	pwSpec->server.write_mac_context = NULL;
   1861     }
   1862 
   1863     return SECFailure;
   1864 }
   1865 
   1866 /* Complete the initialization of all keys, ciphers, MACs and their contexts
   1867  * for the pending Cipher Spec.
   1868  * Called from: ssl3_SendClientKeyExchange 	(for Full handshake)
   1869  *              ssl3_HandleRSAClientKeyExchange	(for Full handshake)
   1870  *              ssl3_HandleServerHello		(for session restart)
   1871  *              ssl3_HandleClientHello		(for session restart)
   1872  * Sets error code, but caller probably should override to disambiguate.
   1873  * NULL pms means re-use old master_secret.
   1874  *
   1875  * This code is common to the bypass and PKCS11 execution paths.
   1876  * For the bypass case,  pms is NULL.
   1877  */
   1878 SECStatus
   1879 ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms)
   1880 {
   1881     ssl3CipherSpec  *  pwSpec;
   1882     ssl3CipherSpec  *  cwSpec;
   1883     SECStatus          rv;
   1884 
   1885     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
   1886 
   1887     ssl_GetSpecWriteLock(ss);	/**************************************/
   1888 
   1889     PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
   1890 
   1891     pwSpec        = ss->ssl3.pwSpec;
   1892     cwSpec        = ss->ssl3.cwSpec;
   1893 
   1894     if (pms || (!pwSpec->msItem.len && !pwSpec->master_secret)) {
   1895 	rv = ssl3_DeriveMasterSecret(ss, pms);
   1896 	if (rv != SECSuccess) {
   1897 	    goto done;  /* err code set by ssl3_DeriveMasterSecret */
   1898 	}
   1899     }
   1900 #ifndef NO_PKCS11_BYPASS
   1901     if (ss->opt.bypassPKCS11 && pwSpec->msItem.len && pwSpec->msItem.data) {
   1902 	/* Double Bypass succeeded in extracting the master_secret */
   1903 	const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def;
   1904 	PRBool             isTLS   = (PRBool)(kea_def->tls_keygen ||
   1905                                 (pwSpec->version > SSL_LIBRARY_VERSION_3_0));
   1906 	pwSpec->bypassCiphers = PR_TRUE;
   1907 	rv = ssl3_KeyAndMacDeriveBypass( pwSpec,
   1908 			     (const unsigned char *)&ss->ssl3.hs.client_random,
   1909 			     (const unsigned char *)&ss->ssl3.hs.server_random,
   1910 			     isTLS,
   1911 			     (PRBool)(kea_def->is_limited));
   1912 	if (rv == SECSuccess) {
   1913 	    rv = ssl3_InitPendingContextsBypass(ss);
   1914 	}
   1915     } else
   1916 #endif
   1917     if (pwSpec->master_secret) {
   1918 	rv = ssl3_DeriveConnectionKeysPKCS11(ss);
   1919 	if (rv == SECSuccess) {
   1920 	    rv = ssl3_InitPendingContextsPKCS11(ss);
   1921 	}
   1922     } else {
   1923 	PORT_Assert(pwSpec->master_secret);
   1924 	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
   1925 	rv = SECFailure;
   1926     }
   1927     if (rv != SECSuccess) {
   1928 	goto done;
   1929     }
   1930 
   1931     /* Generic behaviors -- common to all crypto methods */
   1932     if (!IS_DTLS(ss)) {
   1933 	pwSpec->read_seq_num.high = pwSpec->write_seq_num.high = 0;
   1934     } else {
   1935 	if (cwSpec->epoch == PR_UINT16_MAX) {
   1936 	    /* The problem here is that we have rehandshaked too many
   1937 	     * times (you are not allowed to wrap the epoch). The
   1938 	     * spec says you should be discarding the connection
   1939 	     * and start over, so not much we can do here. */
   1940 	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
   1941 	    rv = SECFailure;
   1942 	    goto done;
   1943 	}
   1944 	/* The sequence number has the high 16 bits as the epoch. */
   1945 	pwSpec->epoch = cwSpec->epoch + 1;
   1946 	pwSpec->read_seq_num.high = pwSpec->write_seq_num.high =
   1947 	    pwSpec->epoch << 16;
   1948 
   1949 	dtls_InitRecvdRecords(&pwSpec->recvdRecords);
   1950     }
   1951     pwSpec->read_seq_num.low = pwSpec->write_seq_num.low = 0;
   1952 
   1953 done:
   1954     ssl_ReleaseSpecWriteLock(ss);	/******************************/
   1955     if (rv != SECSuccess)
   1956 	ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
   1957     return rv;
   1958 }
   1959 
   1960 /*
   1961  * 60 bytes is 3 times the maximum length MAC size that is supported.
   1962  */
   1963 static const unsigned char mac_pad_1 [60] = {
   1964     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
   1965     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
   1966     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
   1967     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
   1968     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
   1969     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
   1970     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
   1971     0x36, 0x36, 0x36, 0x36
   1972 };
   1973 static const unsigned char mac_pad_2 [60] = {
   1974     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
   1975     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
   1976     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
   1977     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
   1978     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
   1979     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
   1980     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
   1981     0x5c, 0x5c, 0x5c, 0x5c
   1982 };
   1983 
   1984 /* Called from: ssl3_SendRecord()
   1985 ** Caller must already hold the SpecReadLock. (wish we could assert that!)
   1986 */
   1987 static SECStatus
   1988 ssl3_ComputeRecordMAC(
   1989     ssl3CipherSpec *   spec,
   1990     PRBool             useServerMacKey,
   1991     PRBool             isDTLS,
   1992     SSL3ContentType    type,
   1993     SSL3ProtocolVersion version,
   1994     SSL3SequenceNumber seq_num,
   1995     const SSL3Opaque * input,
   1996     int                inputLength,
   1997     unsigned char *    outbuf,
   1998     unsigned int *     outLength)
   1999 {
   2000     const ssl3MACDef * mac_def;
   2001     SECStatus          rv;
   2002 #ifndef NO_PKCS11_BYPASS
   2003     PRBool             isTLS;
   2004 #endif
   2005     unsigned int       tempLen;
   2006     unsigned char      temp[MAX_MAC_LENGTH];
   2007 
   2008     temp[0] = (unsigned char)(seq_num.high >> 24);
   2009     temp[1] = (unsigned char)(seq_num.high >> 16);
   2010     temp[2] = (unsigned char)(seq_num.high >>  8);
   2011     temp[3] = (unsigned char)(seq_num.high >>  0);
   2012     temp[4] = (unsigned char)(seq_num.low  >> 24);
   2013     temp[5] = (unsigned char)(seq_num.low  >> 16);
   2014     temp[6] = (unsigned char)(seq_num.low  >>  8);
   2015     temp[7] = (unsigned char)(seq_num.low  >>  0);
   2016     temp[8] = type;
   2017 
   2018     /* TLS MAC includes the record's version field, SSL's doesn't.
   2019     ** We decide which MAC defintiion to use based on the version of
   2020     ** the protocol that was negotiated when the spec became current,
   2021     ** NOT based on the version value in the record itself.
   2022     ** But, we use the record'v version value in the computation.
   2023     */
   2024     if (spec->version <= SSL_LIBRARY_VERSION_3_0) {
   2025 	temp[9]  = MSB(inputLength);
   2026 	temp[10] = LSB(inputLength);
   2027 	tempLen  = 11;
   2028 #ifndef NO_PKCS11_BYPASS
   2029 	isTLS    = PR_FALSE;
   2030 #endif
   2031     } else {
   2032     	/* New TLS hash includes version. */
   2033 	if (isDTLS) {
   2034 	    SSL3ProtocolVersion dtls_version;
   2035 
   2036 	    dtls_version = dtls_TLSVersionToDTLSVersion(version);
   2037 	    temp[9]  = MSB(dtls_version);
   2038 	    temp[10] = LSB(dtls_version);
   2039         } else {
   2040 	    temp[9]  = MSB(version);
   2041 	    temp[10] = LSB(version);
   2042         }
   2043 	temp[11] = MSB(inputLength);
   2044 	temp[12] = LSB(inputLength);
   2045 	tempLen  = 13;
   2046 #ifndef NO_PKCS11_BYPASS
   2047 	isTLS    = PR_TRUE;
   2048 #endif
   2049     }
   2050 
   2051     PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen));
   2052     PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength));
   2053 
   2054     mac_def = spec->mac_def;
   2055     if (mac_def->mac == mac_null) {
   2056 	*outLength = 0;
   2057 	return SECSuccess;
   2058     }
   2059 #ifndef NO_PKCS11_BYPASS
   2060     if (spec->bypassCiphers) {
   2061 	/* bypass version */
   2062 	const SECHashObject *hashObj = NULL;
   2063 	unsigned int       pad_bytes = 0;
   2064 	PRUint64           write_mac_context[MAX_MAC_CONTEXT_LLONGS];
   2065 
   2066 	switch (mac_def->mac) {
   2067 	case ssl_mac_null:
   2068 	    *outLength = 0;
   2069 	    return SECSuccess;
   2070 	case ssl_mac_md5:
   2071 	    pad_bytes = 48;
   2072 	    hashObj = HASH_GetRawHashObject(HASH_AlgMD5);
   2073 	    break;
   2074 	case ssl_mac_sha:
   2075 	    pad_bytes = 40;
   2076 	    hashObj = HASH_GetRawHashObject(HASH_AlgSHA1);
   2077 	    break;
   2078 	case ssl_hmac_md5: /* used with TLS */
   2079 	    hashObj = HASH_GetRawHashObject(HASH_AlgMD5);
   2080 	    break;
   2081 	case ssl_hmac_sha: /* used with TLS */
   2082 	    hashObj = HASH_GetRawHashObject(HASH_AlgSHA1);
   2083 	    break;
   2084 	case ssl_hmac_sha256: /* used with TLS */
   2085 	    hashObj = HASH_GetRawHashObject(HASH_AlgSHA256);
   2086 	    break;
   2087 	default:
   2088 	    break;
   2089 	}
   2090 	if (!hashObj) {
   2091 	    PORT_Assert(0);
   2092 	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
   2093 	    return SECFailure;
   2094 	}
   2095 
   2096 	if (!isTLS) {
   2097 	    /* compute "inner" part of SSL3 MAC */
   2098 	    hashObj->begin(write_mac_context);
   2099 	    if (useServerMacKey)
   2100 		hashObj->update(write_mac_context,
   2101 				spec->server.write_mac_key_item.data,
   2102 				spec->server.write_mac_key_item.len);
   2103 	    else
   2104 		hashObj->update(write_mac_context,
   2105 				spec->client.write_mac_key_item.data,
   2106 				spec->client.write_mac_key_item.len);
   2107 	    hashObj->update(write_mac_context, mac_pad_1, pad_bytes);
   2108 	    hashObj->update(write_mac_context, temp,  tempLen);
   2109 	    hashObj->update(write_mac_context, input, inputLength);
   2110 	    hashObj->end(write_mac_context,    temp, &tempLen, sizeof temp);
   2111 
   2112 	    /* compute "outer" part of SSL3 MAC */
   2113 	    hashObj->begin(write_mac_context);
   2114 	    if (useServerMacKey)
   2115 		hashObj->update(write_mac_context,
   2116 				spec->server.write_mac_key_item.data,
   2117 				spec->server.write_mac_key_item.len);
   2118 	    else
   2119 		hashObj->update(write_mac_context,
   2120 				spec->client.write_mac_key_item.data,
   2121 				spec->client.write_mac_key_item.len);
   2122 	    hashObj->update(write_mac_context, mac_pad_2, pad_bytes);
   2123 	    hashObj->update(write_mac_context, temp, tempLen);
   2124 	    hashObj->end(write_mac_context, outbuf, outLength, spec->mac_size);
   2125 	    rv = SECSuccess;
   2126 	} else { /* is TLS */
   2127 #define cx ((HMACContext *)write_mac_context)
   2128 	    if (useServerMacKey) {
   2129 		rv = HMAC_Init(cx, hashObj,
   2130 			       spec->server.write_mac_key_item.data,
   2131 			       spec->server.write_mac_key_item.len, PR_FALSE);
   2132 	    } else {
   2133 		rv = HMAC_Init(cx, hashObj,
   2134 			       spec->client.write_mac_key_item.data,
   2135 			       spec->client.write_mac_key_item.len, PR_FALSE);
   2136 	    }
   2137 	    if (rv == SECSuccess) {
   2138 		HMAC_Begin(cx);
   2139 		HMAC_Update(cx, temp, tempLen);
   2140 		HMAC_Update(cx, input, inputLength);
   2141 		rv = HMAC_Finish(cx, outbuf, outLength, spec->mac_size);
   2142 		HMAC_Destroy(cx, PR_FALSE);
   2143 	    }
   2144 #undef cx
   2145 	}
   2146     } else
   2147 #endif
   2148     {
   2149 	PK11Context *mac_context =
   2150 	    (useServerMacKey ? spec->server.write_mac_context
   2151 	                     : spec->client.write_mac_context);
   2152 	rv  = PK11_DigestBegin(mac_context);
   2153 	rv |= PK11_DigestOp(mac_context, temp, tempLen);
   2154 	rv |= PK11_DigestOp(mac_context, input, inputLength);
   2155 	rv |= PK11_DigestFinal(mac_context, outbuf, outLength, spec->mac_size);
   2156     }
   2157 
   2158     PORT_Assert(rv != SECSuccess || *outLength == (unsigned)spec->mac_size);
   2159 
   2160     PRINT_BUF(95, (NULL, "frag hash2: result", outbuf, *outLength));
   2161 
   2162     if (rv != SECSuccess) {
   2163     	rv = SECFailure;
   2164 	ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
   2165     }
   2166     return rv;
   2167 }
   2168 
   2169 /* This is a bodge to allow this code to be compiled against older NSS headers
   2170  * that don't contain the CBC constant-time changes. */
   2171 #ifndef CKM_NSS_HMAC_CONSTANT_TIME
   2172 #define CKM_NSS_HMAC_CONSTANT_TIME (CKM_NSS + 19)
   2173 #define CKM_NSS_SSL3_MAC_CONSTANT_TIME (CKM_NSS + 20)
   2174 
   2175 typedef struct CK_NSS_MAC_CONSTANT_TIME_PARAMS {
   2176     CK_MECHANISM_TYPE macAlg;   /* in */
   2177     CK_ULONG ulBodyTotalLen;    /* in */
   2178     CK_BYTE * pHeader;          /* in */
   2179     CK_ULONG ulHeaderLen;       /* in */
   2180 } CK_NSS_MAC_CONSTANT_TIME_PARAMS;
   2181 #endif
   2182 
   2183 /* Called from: ssl3_HandleRecord()
   2184  * Caller must already hold the SpecReadLock. (wish we could assert that!)
   2185  *
   2186  * On entry:
   2187  *   originalLen >= inputLen >= MAC size
   2188 */
   2189 static SECStatus
   2190 ssl3_ComputeRecordMACConstantTime(
   2191     ssl3CipherSpec *   spec,
   2192     PRBool             useServerMacKey,
   2193     PRBool             isDTLS,
   2194     SSL3ContentType    type,
   2195     SSL3ProtocolVersion version,
   2196     SSL3SequenceNumber seq_num,
   2197     const SSL3Opaque * input,
   2198     int                inputLen,
   2199     int                originalLen,
   2200     unsigned char *    outbuf,
   2201     unsigned int *     outLen)
   2202 {
   2203     CK_MECHANISM_TYPE            macType;
   2204     CK_NSS_MAC_CONSTANT_TIME_PARAMS params;
   2205     PK11Context *                mac_context;
   2206     SECItem                      param;
   2207     SECStatus                    rv;
   2208     unsigned char                header[13];
   2209     PK11SymKey *                 key;
   2210     int                          recordLength;
   2211 
   2212     PORT_Assert(inputLen >= spec->mac_size);
   2213     PORT_Assert(originalLen >= inputLen);
   2214 
   2215     if (spec->bypassCiphers) {
   2216 	/* This function doesn't support PKCS#11 bypass. We fallback on the
   2217 	 * non-constant time version. */
   2218 	goto fallback;
   2219     }
   2220 
   2221     if (spec->mac_def->mac == mac_null) {
   2222 	*outLen = 0;
   2223 	return SECSuccess;
   2224     }
   2225 
   2226     header[0] = (unsigned char)(seq_num.high >> 24);
   2227     header[1] = (unsigned char)(seq_num.high >> 16);
   2228     header[2] = (unsigned char)(seq_num.high >>  8);
   2229     header[3] = (unsigned char)(seq_num.high >>  0);
   2230     header[4] = (unsigned char)(seq_num.low  >> 24);
   2231     header[5] = (unsigned char)(seq_num.low  >> 16);
   2232     header[6] = (unsigned char)(seq_num.low  >>  8);
   2233     header[7] = (unsigned char)(seq_num.low  >>  0);
   2234     header[8] = type;
   2235 
   2236     macType = CKM_NSS_HMAC_CONSTANT_TIME;
   2237     recordLength = inputLen - spec->mac_size;
   2238     if (spec->version <= SSL_LIBRARY_VERSION_3_0) {
   2239 	macType = CKM_NSS_SSL3_MAC_CONSTANT_TIME;
   2240 	header[9] = recordLength >> 8;
   2241 	header[10] = recordLength;
   2242 	params.ulHeaderLen = 11;
   2243     } else {
   2244 	if (isDTLS) {
   2245 	    SSL3ProtocolVersion dtls_version;
   2246 
   2247 	    dtls_version = dtls_TLSVersionToDTLSVersion(version);
   2248 	    header[9] = dtls_version >> 8;
   2249 	    header[10] = dtls_version;
   2250 	} else {
   2251 	    header[9] = version >> 8;
   2252 	    header[10] = version;
   2253 	}
   2254 	header[11] = recordLength >> 8;
   2255 	header[12] = recordLength;
   2256 	params.ulHeaderLen = 13;
   2257     }
   2258 
   2259     params.macAlg = spec->mac_def->mmech;
   2260     params.ulBodyTotalLen = originalLen;
   2261     params.pHeader = header;
   2262 
   2263     param.data = (unsigned char*) &params;
   2264     param.len = sizeof(params);
   2265     param.type = 0;
   2266 
   2267     key = spec->server.write_mac_key;
   2268     if (!useServerMacKey) {
   2269 	key = spec->client.write_mac_key;
   2270     }
   2271     mac_context = PK11_CreateContextBySymKey(macType, CKA_SIGN, key, &param);
   2272     if (mac_context == NULL) {
   2273 	/* Older versions of NSS may not support constant-time MAC. */
   2274 	goto fallback;
   2275     }
   2276 
   2277     rv  = PK11_DigestBegin(mac_context);
   2278     rv |= PK11_DigestOp(mac_context, input, inputLen);
   2279     rv |= PK11_DigestFinal(mac_context, outbuf, outLen, spec->mac_size);
   2280     PK11_DestroyContext(mac_context, PR_TRUE);
   2281 
   2282     PORT_Assert(rv != SECSuccess || *outLen == (unsigned)spec->mac_size);
   2283 
   2284     if (rv != SECSuccess) {
   2285 	rv = SECFailure;
   2286 	ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
   2287     }
   2288     return rv;
   2289 
   2290 fallback:
   2291     /* ssl3_ComputeRecordMAC expects the MAC to have been removed from the
   2292      * length already. */
   2293     inputLen -= spec->mac_size;
   2294     return ssl3_ComputeRecordMAC(spec, useServerMacKey, isDTLS, type,
   2295 				 version, seq_num, input, inputLen,
   2296 				 outbuf, outLen);
   2297 }
   2298 
   2299 static PRBool
   2300 ssl3_ClientAuthTokenPresent(sslSessionID *sid) {
   2301     PK11SlotInfo *slot = NULL;
   2302     PRBool isPresent = PR_TRUE;
   2303 
   2304     /* we only care if we are doing client auth */
   2305     /* If NSS_PLATFORM_CLIENT_AUTH is defined and a platformClientKey is being
   2306      * used, u.ssl3.clAuthValid will be false and this function will always
   2307      * return PR_TRUE. */
   2308     if (!sid || !sid->u.ssl3.clAuthValid) {
   2309 	return PR_TRUE;
   2310     }
   2311 
   2312     /* get the slot */
   2313     slot = SECMOD_LookupSlot(sid->u.ssl3.clAuthModuleID,
   2314 	                     sid->u.ssl3.clAuthSlotID);
   2315     if (slot == NULL ||
   2316 	!PK11_IsPresent(slot) ||
   2317 	sid->u.ssl3.clAuthSeries     != PK11_GetSlotSeries(slot) ||
   2318 	sid->u.ssl3.clAuthSlotID     != PK11_GetSlotID(slot)     ||
   2319 	sid->u.ssl3.clAuthModuleID   != PK11_GetModuleID(slot)   ||
   2320 	(PK11_NeedLogin(slot) && !PK11_IsLoggedIn(slot, NULL))) {
   2321 	isPresent = PR_FALSE;
   2322     }
   2323     if (slot) {
   2324 	PK11_FreeSlot(slot);
   2325     }
   2326     return isPresent;
   2327 }
   2328 
   2329 /* Caller must hold the spec read lock. */
   2330 SECStatus
   2331 ssl3_CompressMACEncryptRecord(ssl3CipherSpec *   cwSpec,
   2332 		              PRBool             isServer,
   2333 			      PRBool             isDTLS,
   2334 			      PRBool             capRecordVersion,
   2335                               SSL3ContentType    type,
   2336 		              const SSL3Opaque * pIn,
   2337 		              PRUint32           contentLen,
   2338 		              sslBuffer *        wrBuf)
   2339 {
   2340     const ssl3BulkCipherDef * cipher_def;
   2341     SECStatus                 rv;
   2342     PRUint32                  macLen = 0;
   2343     PRUint32                  fragLen;
   2344     PRUint32  p1Len, p2Len, oddLen = 0;
   2345     PRUint16                  headerLen;
   2346     int                       ivLen = 0;
   2347     int                       cipherBytes = 0;
   2348 
   2349     cipher_def = cwSpec->cipher_def;
   2350     headerLen = isDTLS ? DTLS_RECORD_HEADER_LENGTH : SSL3_RECORD_HEADER_LENGTH;
   2351 
   2352     if (cipher_def->type == type_block &&
   2353 	cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) {
   2354 	/* Prepend the per-record explicit IV using technique 2b from
   2355 	 * RFC 4346 section 6.2.3.2: The IV is a cryptographically
   2356 	 * strong random number XORed with the CBC residue from the previous
   2357 	 * record.
   2358 	 */
   2359 	ivLen = cipher_def->iv_size;
   2360 	if (ivLen > wrBuf->space - headerLen) {
   2361 	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
   2362 	    return SECFailure;
   2363 	}
   2364 	rv = PK11_GenerateRandom(wrBuf->buf + headerLen, ivLen);
   2365 	if (rv != SECSuccess) {
   2366 	    ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
   2367 	    return rv;
   2368 	}
   2369 	rv = cwSpec->encode( cwSpec->encodeContext,
   2370 	    wrBuf->buf + headerLen,
   2371 	    &cipherBytes,                       /* output and actual outLen */
   2372 	    ivLen,                              /* max outlen */
   2373 	    wrBuf->buf + headerLen,
   2374 	    ivLen);                             /* input and inputLen*/
   2375 	if (rv != SECSuccess || cipherBytes != ivLen) {
   2376 	    PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
   2377 	    return SECFailure;
   2378 	}
   2379     }
   2380 
   2381     if (cwSpec->compressor) {
   2382 	int outlen;
   2383 	rv = cwSpec->compressor(
   2384 	    cwSpec->compressContext,
   2385 	    wrBuf->buf + headerLen + ivLen, &outlen,
   2386 	    wrBuf->space - headerLen - ivLen, pIn, contentLen);
   2387 	if (rv != SECSuccess)
   2388 	    return rv;
   2389 	pIn = wrBuf->buf + headerLen + ivLen;
   2390 	contentLen = outlen;
   2391     }
   2392 
   2393     /*
   2394      * Add the MAC
   2395      */
   2396     rv = ssl3_ComputeRecordMAC( cwSpec, isServer, isDTLS,
   2397 	type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen,
   2398 	wrBuf->buf + headerLen + ivLen + contentLen, &macLen);
   2399     if (rv != SECSuccess) {
   2400 	ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
   2401 	return SECFailure;
   2402     }
   2403     p1Len   = contentLen;
   2404     p2Len   = macLen;
   2405     fragLen = contentLen + macLen;	/* needs to be encrypted */
   2406     PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024);
   2407 
   2408     /*
   2409      * Pad the text (if we're doing a block cipher)
   2410      * then Encrypt it
   2411      */
   2412     if (cipher_def->type == type_block) {
   2413 	unsigned char * pBuf;
   2414 	int             padding_length;
   2415 	int             i;
   2416 
   2417 	oddLen = contentLen % cipher_def->block_size;
   2418 	/* Assume blockSize is a power of two */
   2419 	padding_length = cipher_def->block_size - 1 -
   2420 			((fragLen) & (cipher_def->block_size - 1));
   2421 	fragLen += padding_length + 1;
   2422 	PORT_Assert((fragLen % cipher_def->block_size) == 0);
   2423 
   2424 	/* Pad according to TLS rules (also acceptable to SSL3). */
   2425 	pBuf = &wrBuf->buf[headerLen + ivLen + fragLen - 1];
   2426 	for (i = padding_length + 1; i > 0; --i) {
   2427 	    *pBuf-- = padding_length;
   2428 	}
   2429 	/* now, if contentLen is not a multiple of block size, fix it */
   2430 	p2Len = fragLen - p1Len;
   2431     }
   2432     if (p1Len < 256) {
   2433 	oddLen = p1Len;
   2434 	p1Len = 0;
   2435     } else {
   2436 	p1Len -= oddLen;
   2437     }
   2438     if (oddLen) {
   2439 	p2Len += oddLen;
   2440 	PORT_Assert( (cipher_def->block_size < 2) || \
   2441 		     (p2Len % cipher_def->block_size) == 0);
   2442 	memmove(wrBuf->buf + headerLen + ivLen + p1Len, pIn + p1Len, oddLen);
   2443     }
   2444     if (p1Len > 0) {
   2445 	int cipherBytesPart1 = -1;
   2446 	rv = cwSpec->encode( cwSpec->encodeContext,
   2447 	    wrBuf->buf + headerLen + ivLen,         /* output */
   2448 	    &cipherBytesPart1,                      /* actual outlen */
   2449 	    p1Len,                                  /* max outlen */
   2450 	    pIn, p1Len);                      /* input, and inputlen */
   2451 	PORT_Assert(rv == SECSuccess && cipherBytesPart1 == (int) p1Len);
   2452 	if (rv != SECSuccess || cipherBytesPart1 != (int) p1Len) {
   2453 	    PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
   2454 	    return SECFailure;
   2455 	}
   2456 	cipherBytes += cipherBytesPart1;
   2457     }
   2458     if (p2Len > 0) {
   2459 	int cipherBytesPart2 = -1;
   2460 	rv = cwSpec->encode( cwSpec->encodeContext,
   2461 	    wrBuf->buf + headerLen + ivLen + p1Len,
   2462 	    &cipherBytesPart2,          /* output and actual outLen */
   2463 	    p2Len,                             /* max outlen */
   2464 	    wrBuf->buf + headerLen + ivLen + p1Len,
   2465 	    p2Len);                            /* input and inputLen*/
   2466 	PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len);
   2467 	if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) {
   2468 	    PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
   2469 	    return SECFailure;
   2470 	}
   2471 	cipherBytes += cipherBytesPart2;
   2472     }
   2473     PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024);
   2474 
   2475     wrBuf->len    = cipherBytes + headerLen;
   2476     wrBuf->buf[0] = type;
   2477     if (isDTLS) {
   2478 	SSL3ProtocolVersion version;
   2479 
   2480 	version = dtls_TLSVersionToDTLSVersion(cwSpec->version);
   2481 	wrBuf->buf[1] = MSB(version);
   2482 	wrBuf->buf[2] = LSB(version);
   2483 	wrBuf->buf[3] = (unsigned char)(cwSpec->write_seq_num.high >> 24);
   2484 	wrBuf->buf[4] = (unsigned char)(cwSpec->write_seq_num.high >> 16);
   2485 	wrBuf->buf[5] = (unsigned char)(cwSpec->write_seq_num.high >>  8);
   2486 	wrBuf->buf[6] = (unsigned char)(cwSpec->write_seq_num.high >>  0);
   2487 	wrBuf->buf[7] = (unsigned char)(cwSpec->write_seq_num.low  >> 24);
   2488 	wrBuf->buf[8] = (unsigned char)(cwSpec->write_seq_num.low  >> 16);
   2489 	wrBuf->buf[9] = (unsigned char)(cwSpec->write_seq_num.low  >>  8);
   2490 	wrBuf->buf[10] = (unsigned char)(cwSpec->write_seq_num.low >>  0);
   2491 	wrBuf->buf[11] = MSB(cipherBytes);
   2492 	wrBuf->buf[12] = LSB(cipherBytes);
   2493     } else {
   2494 	SSL3ProtocolVersion version = cwSpec->version;
   2495 
   2496 	if (capRecordVersion) {
   2497 	    version = PR_MIN(SSL_LIBRARY_VERSION_TLS_1_0, version);
   2498 	}
   2499 	wrBuf->buf[1] = MSB(version);
   2500 	wrBuf->buf[2] = LSB(version);
   2501 	wrBuf->buf[3] = MSB(cipherBytes);
   2502 	wrBuf->buf[4] = LSB(cipherBytes);
   2503     }
   2504 
   2505     ssl3_BumpSequenceNumber(&cwSpec->write_seq_num);
   2506 
   2507     return SECSuccess;
   2508 }
   2509 
   2510 /* Process the plain text before sending it.
   2511  * Returns the number of bytes of plaintext that were successfully sent
   2512  * 	plus the number of bytes of plaintext that were copied into the
   2513  *	output (write) buffer.
   2514  * Returns SECFailure on a hard IO error, memory error, or crypto error.
   2515  * Does NOT return SECWouldBlock.
   2516  *
   2517  * Notes on the use of the private ssl flags:
   2518  * (no private SSL flags)
   2519  *    Attempt to make and send SSL records for all plaintext
   2520  *    If non-blocking and a send gets WOULD_BLOCK,
   2521  *    or if the pending (ciphertext) buffer is not empty,
   2522  *    then buffer remaining bytes of ciphertext into pending buf,
   2523  *    and continue to do that for all succssive records until all
   2524  *    bytes are used.
   2525  * ssl_SEND_FLAG_FORCE_INTO_BUFFER
   2526  *    As above, except this suppresses all write attempts, and forces
   2527  *    all ciphertext into the pending ciphertext buffer.
   2528  * ssl_SEND_FLAG_USE_EPOCH (for DTLS)
   2529  *    Forces the use of the provided epoch
   2530  * ssl_SEND_FLAG_CAP_RECORD_VERSION
   2531  *    Caps the record layer version number of TLS ClientHello to { 3, 1 }
   2532  *    (TLS 1.0). Some TLS 1.0 servers (which seem to use F5 BIG-IP) ignore
   2533  *    ClientHello.client_version and use the record layer version number
   2534  *    (TLSPlaintext.version) instead when negotiating protocol versions. In
   2535  *    addition, if the record layer version number of ClientHello is { 3, 2 }
   2536  *    (TLS 1.1) or higher, these servers reset the TCP connections. Set this
   2537  *    flag to work around such servers.
   2538  */
   2539 PRInt32
   2540 ssl3_SendRecord(   sslSocket *        ss,
   2541                    DTLSEpoch          epoch, /* DTLS only */
   2542                    SSL3ContentType    type,
   2543 		   const SSL3Opaque * pIn,   /* input buffer */
   2544 		   PRInt32            nIn,   /* bytes of input */
   2545 		   PRInt32            flags)
   2546 {
   2547     sslBuffer      *          wrBuf 	  = &ss->sec.writeBuf;
   2548     SECStatus                 rv;
   2549     PRInt32                   totalSent   = 0;
   2550     PRBool                    capRecordVersion;
   2551 
   2552     SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s nIn=%d",
   2553 		SSL_GETPID(), ss->fd, ssl3_DecodeContentType(type),
   2554 		nIn));
   2555     PRINT_BUF(3, (ss, "Send record (plain text)", pIn, nIn));
   2556 
   2557     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
   2558 
   2559     capRecordVersion = ((flags & ssl_SEND_FLAG_CAP_RECORD_VERSION) != 0);
   2560 
   2561     if (capRecordVersion) {
   2562 	/* ssl_SEND_FLAG_CAP_RECORD_VERSION can only be used with the
   2563 	 * TLS initial ClientHello. */
   2564 	PORT_Assert(!IS_DTLS(ss));
   2565 	PORT_Assert(!ss->firstHsDone);
   2566 	PORT_Assert(type == content_handshake);
   2567 	PORT_Assert(ss->ssl3.hs.ws == wait_server_hello);
   2568     }
   2569 
   2570     if (ss->ssl3.initialized == PR_FALSE) {
   2571 	/* This can happen on a server if the very first incoming record
   2572 	** looks like a defective ssl3 record (e.g. too long), and we're
   2573 	** trying to send an alert.
   2574 	*/
   2575 	PR_ASSERT(type == content_alert);
   2576 	rv = ssl3_InitState(ss);
   2577 	if (rv != SECSuccess) {
   2578 	    return SECFailure;	/* ssl3_InitState has set the error code. */
   2579     	}
   2580     }
   2581 
   2582     /* check for Token Presence */
   2583     if (!ssl3_ClientAuthTokenPresent(ss->sec.ci.sid)) {
   2584 	PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
   2585 	return SECFailure;
   2586     }
   2587 
   2588     while (nIn > 0) {
   2589 	PRUint32  contentLen = PR_MIN(nIn, MAX_FRAGMENT_LENGTH);
   2590 	unsigned int spaceNeeded;
   2591 	unsigned int numRecords;
   2592 
   2593 	ssl_GetSpecReadLock(ss);    /********************************/
   2594 
   2595 	if (nIn > 1 && ss->opt.cbcRandomIV &&
   2596 	    ss->ssl3.cwSpec->version < SSL_LIBRARY_VERSION_TLS_1_1 &&
   2597 	    type == content_application_data &&
   2598 	    ss->ssl3.cwSpec->cipher_def->type == type_block /* CBC mode */) {
   2599 	    /* We will split the first byte of the record into its own record,
   2600 	     * as explained in the documentation for SSL_CBC_RANDOM_IV in ssl.h
   2601 	     */
   2602 	    numRecords = 2;
   2603 	} else {
   2604 	    numRecords = 1;
   2605 	}
   2606 
   2607 	spaceNeeded = contentLen + (numRecords * SSL3_BUFFER_FUDGE);
   2608 	if (ss->ssl3.cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1 &&
   2609 	    ss->ssl3.cwSpec->cipher_def->type == type_block) {
   2610 	    spaceNeeded += ss->ssl3.cwSpec->cipher_def->iv_size;
   2611 	}
   2612 	if (spaceNeeded > wrBuf->space) {
   2613 	    rv = sslBuffer_Grow(wrBuf, spaceNeeded);
   2614 	    if (rv != SECSuccess) {
   2615 		SSL_DBG(("%d: SSL3[%d]: SendRecord, tried to get %d bytes",
   2616 			 SSL_GETPID(), ss->fd, spaceNeeded));
   2617 		goto spec_locked_loser; /* sslBuffer_Grow set error code. */
   2618 	    }
   2619 	}
   2620 
   2621 	if (numRecords == 2) {
   2622 	    sslBuffer secondRecord;
   2623 
   2624 	    rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec,
   2625 					       ss->sec.isServer, IS_DTLS(ss),
   2626 					       capRecordVersion, type, pIn,
   2627 					       1, wrBuf);
   2628 	    if (rv != SECSuccess)
   2629 	        goto spec_locked_loser;
   2630 
   2631 	    PRINT_BUF(50, (ss, "send (encrypted) record data [1/2]:",
   2632 	                   wrBuf->buf, wrBuf->len));
   2633 
   2634 	    secondRecord.buf = wrBuf->buf + wrBuf->len;
   2635 	    secondRecord.len = 0;
   2636 	    secondRecord.space = wrBuf->space - wrBuf->len;
   2637 
   2638 	    rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec,
   2639 	                                       ss->sec.isServer, IS_DTLS(ss),
   2640 					       capRecordVersion, type,
   2641 					       pIn + 1, contentLen - 1,
   2642 	                                       &secondRecord);
   2643 	    if (rv == SECSuccess) {
   2644 	        PRINT_BUF(50, (ss, "send (encrypted) record data [2/2]:",
   2645 	                       secondRecord.buf, secondRecord.len));
   2646 	        wrBuf->len += secondRecord.len;
   2647 	    }
   2648 	} else {
   2649 	    if (!IS_DTLS(ss)) {
   2650 		rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec,
   2651 						   ss->sec.isServer,
   2652 						   IS_DTLS(ss),
   2653 						   capRecordVersion,
   2654 						   type, pIn,
   2655 						   contentLen, wrBuf);
   2656 	    } else {
   2657 		rv = dtls_CompressMACEncryptRecord(ss, epoch,
   2658 						   !!(flags & ssl_SEND_FLAG_USE_EPOCH),
   2659 						   type, pIn,
   2660 						   contentLen, wrBuf);
   2661 	    }
   2662 
   2663 	    if (rv == SECSuccess) {
   2664 	        PRINT_BUF(50, (ss, "send (encrypted) record data:",
   2665 	                       wrBuf->buf, wrBuf->len));
   2666 	    }
   2667 	}
   2668 
   2669 spec_locked_loser:
   2670 	ssl_ReleaseSpecReadLock(ss); /************************************/
   2671 
   2672 	if (rv != SECSuccess)
   2673 	    return SECFailure;
   2674 
   2675 	pIn += contentLen;
   2676 	nIn -= contentLen;
   2677 	PORT_Assert( nIn >= 0 );
   2678 
   2679 	/* If there's still some previously saved ciphertext,
   2680 	 * or the caller doesn't want us to send the data yet,
   2681 	 * then add all our new ciphertext to the amount previously saved.
   2682 	 */
   2683 	if ((ss->pendingBuf.len > 0) ||
   2684 	    (flags & ssl_SEND_FLAG_FORCE_INTO_BUFFER)) {
   2685 
   2686 	    rv = ssl_SaveWriteData(ss, wrBuf->buf, wrBuf->len);
   2687 	    if (rv != SECSuccess) {
   2688 		/* presumably a memory error, SEC_ERROR_NO_MEMORY */
   2689 		return SECFailure;
   2690 	    }
   2691 	    wrBuf->len = 0;	/* All cipher text is saved away. */
   2692 
   2693 	    if (!(flags & ssl_SEND_FLAG_FORCE_INTO_BUFFER)) {
   2694 		PRInt32   sent;
   2695 		ss->handshakeBegun = 1;
   2696 		sent = ssl_SendSavedWriteData(ss);
   2697 		if (sent < 0 && PR_GetError() != PR_WOULD_BLOCK_ERROR) {
   2698 		    ssl_MapLowLevelError(SSL_ERROR_SOCKET_WRITE_FAILURE);
   2699 		    return SECFailure;
   2700 		}
   2701 		if (ss->pendingBuf.len) {
   2702 		    flags |= ssl_SEND_FLAG_FORCE_INTO_BUFFER;
   2703 		}
   2704 	    }
   2705 	} else if (wrBuf->len > 0) {
   2706 	    PRInt32   sent;
   2707 	    ss->handshakeBegun = 1;
   2708 	    sent = ssl_DefSend(ss, wrBuf->buf, wrBuf->len,
   2709 			       flags & ~ssl_SEND_FLAG_MASK);
   2710 	    if (sent < 0) {
   2711 		if (PR_GetError() != PR_WOULD_BLOCK_ERROR) {
   2712 		    ssl_MapLowLevelError(SSL_ERROR_SOCKET_WRITE_FAILURE);
   2713 		    return SECFailure;
   2714 		}
   2715 		/* we got PR_WOULD_BLOCK_ERROR, which means none was sent. */
   2716 		sent = 0;
   2717 	    }
   2718 	    wrBuf->len -= sent;
   2719 	    if (wrBuf->len) {
   2720 		if (IS_DTLS(ss)) {
   2721 		    /* DTLS just says no in this case. No buffering */
   2722 		    PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
   2723 		    return SECFailure;
   2724 		}
   2725 		/* now take all the remaining unsent new ciphertext and
   2726 		 * append it to the buffer of previously unsent ciphertext.
   2727 		 */
   2728 		rv = ssl_SaveWriteData(ss, wrBuf->buf + sent, wrBuf->len);
   2729 		if (rv != SECSuccess) {
   2730 		    /* presumably a memory error, SEC_ERROR_NO_MEMORY */
   2731 		    return SECFailure;
   2732 		}
   2733 	    }
   2734 	}
   2735 	totalSent += contentLen;
   2736     }
   2737     return totalSent;
   2738 }
   2739 
   2740 #define SSL3_PENDING_HIGH_WATER 1024
   2741 
   2742 /* Attempt to send the content of "in" in an SSL application_data record.
   2743  * Returns "len" or SECFailure,   never SECWouldBlock, nor SECSuccess.
   2744  */
   2745 int
   2746 ssl3_SendApplicationData(sslSocket *ss, const unsigned char *in,
   2747 			 PRInt32 len, PRInt32 flags)
   2748 {
   2749     PRInt32   totalSent	= 0;
   2750     PRInt32   discarded = 0;
   2751 
   2752     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
   2753     /* These flags for internal use only */
   2754     PORT_Assert(!(flags & (ssl_SEND_FLAG_USE_EPOCH |
   2755 			   ssl_SEND_FLAG_NO_RETRANSMIT)));
   2756     if (len < 0 || !in) {
   2757 	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
   2758 	return SECFailure;
   2759     }
   2760 
   2761     if (ss->pendingBuf.len > SSL3_PENDING_HIGH_WATER &&
   2762         !ssl_SocketIsBlocking(ss)) {
   2763 	PORT_Assert(!ssl_SocketIsBlocking(ss));
   2764 	PORT_SetError(PR_WOULD_BLOCK_ERROR);
   2765 	return SECFailure;
   2766     }
   2767 
   2768     if (ss->appDataBuffered && len) {
   2769 	PORT_Assert (in[0] == (unsigned char)(ss->appDataBuffered));
   2770 	if (in[0] != (unsigned char)(ss->appDataBuffered)) {
   2771 	    PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
   2772 	    return SECFailure;
   2773 	}
   2774     	in++;
   2775 	len--;
   2776 	discarded = 1;
   2777     }
   2778     while (len > totalSent) {
   2779 	PRInt32   sent, toSend;
   2780 
   2781 	if (totalSent > 0) {
   2782 	    /*
   2783 	     * The thread yield is intended to give the reader thread a
   2784 	     * chance to get some cycles while the writer thread is in
   2785 	     * the middle of a large application data write.  (See
   2786 	     * Bugzilla bug 127740, comment #1.)
   2787 	     */
   2788 	    ssl_ReleaseXmitBufLock(ss);
   2789 	    PR_Sleep(PR_INTERVAL_NO_WAIT);	/* PR_Yield(); */
   2790 	    ssl_GetXmitBufLock(ss);
   2791 	}
   2792 	toSend = PR_MIN(len - totalSent, MAX_FRAGMENT_LENGTH);
   2793 	/*
   2794 	 * Note that the 0 epoch is OK because flags will never require
   2795 	 * its use, as guaranteed by the PORT_Assert above.
   2796 	 */
   2797 	sent = ssl3_SendRecord(ss, 0, content_application_data,
   2798 	                       in + totalSent, toSend, flags);
   2799 	if (sent < 0) {
   2800 	    if (totalSent > 0 && PR_GetError() == PR_WOULD_BLOCK_ERROR) {
   2801 		PORT_Assert(ss->lastWriteBlocked);
   2802 	    	break;
   2803 	    }
   2804 	    return SECFailure; /* error code set by ssl3_SendRecord */
   2805 	}
   2806 	totalSent += sent;
   2807 	if (ss->pendingBuf.len) {
   2808 	    /* must be a non-blocking socket */
   2809 	    PORT_Assert(!ssl_SocketIsBlocking(ss));
   2810 	    PORT_Assert(ss->lastWriteBlocked);
   2811 	    break;
   2812 	}
   2813     }
   2814     if (ss->pendingBuf.len) {
   2815 	/* Must be non-blocking. */
   2816 	PORT_Assert(!ssl_SocketIsBlocking(ss));
   2817 	if (totalSent > 0) {
   2818 	    ss->appDataBuffered = 0x100 | in[totalSent - 1];
   2819 	}
   2820 
   2821 	totalSent = totalSent + discarded - 1;
   2822 	if (totalSent <= 0) {
   2823 	    PORT_SetError(PR_WOULD_BLOCK_ERROR);
   2824 	    totalSent = SECFailure;
   2825 	}
   2826 	return totalSent;
   2827     }
   2828     ss->appDataBuffered = 0;
   2829     return totalSent + discarded;
   2830 }
   2831 
   2832 /* Attempt to send buffered handshake messages.
   2833  * This function returns SECSuccess or SECFailure, never SECWouldBlock.
   2834  * Always set sendBuf.len to 0, even when returning SECFailure.
   2835  *
   2836  * Depending on whether we are doing DTLS or not, this either calls
   2837  *
   2838  * - ssl3_FlushHandshakeMessages if non-DTLS
   2839  * - dtls_FlushHandshakeMessages if DTLS
   2840  *
   2841  * Called from SSL3_SendAlert(), ssl3_SendChangeCipherSpecs(),
   2842  *             ssl3_AppendHandshake(), ssl3_SendClientHello(),
   2843  *             ssl3_SendHelloRequest(), ssl3_SendServerHelloDone(),
   2844  *             ssl3_SendFinished(),
   2845  */
   2846 static SECStatus
   2847 ssl3_FlushHandshake(sslSocket *ss, PRInt32 flags)
   2848 {
   2849     if (IS_DTLS(ss)) {
   2850         return dtls_FlushHandshakeMessages(ss, flags);
   2851     } else {
   2852         return ssl3_FlushHandshakeMessages(ss, flags);
   2853     }
   2854 }
   2855 
   2856 /* Attempt to send the content of sendBuf buffer in an SSL handshake record.
   2857  * This function returns SECSuccess or SECFailure, never SECWouldBlock.
   2858  * Always set sendBuf.len to 0, even when returning SECFailure.
   2859  *
   2860  * Called from ssl3_FlushHandshake
   2861  */
   2862 static SECStatus
   2863 ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags)
   2864 {
   2865     static const PRInt32 allowedFlags = ssl_SEND_FLAG_FORCE_INTO_BUFFER |
   2866                                         ssl_SEND_FLAG_CAP_RECORD_VERSION;
   2867     PRInt32 rv = SECSuccess;
   2868 
   2869     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
   2870     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
   2871 
   2872     if (!ss->sec.ci.sendBuf.buf || !ss->sec.ci.sendBuf.len)
   2873 	return rv;
   2874 
   2875     /* only these flags are allowed */
   2876     PORT_Assert(!(flags & ~allowedFlags));
   2877     if ((flags & ~allowedFlags) != 0) {
   2878 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
   2879 	rv = SECFailure;
   2880     } else {
   2881 	rv = ssl3_SendRecord(ss, 0, content_handshake, ss->sec.ci.sendBuf.buf,
   2882 			     ss->sec.ci.sendBuf.len, flags);
   2883     }
   2884     if (rv < 0) {
   2885     	int err = PORT_GetError();
   2886 	PORT_Assert(err != PR_WOULD_BLOCK_ERROR);
   2887 	if (err == PR_WOULD_BLOCK_ERROR) {
   2888 	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
   2889 	}
   2890     } else if (rv < ss->sec.ci.sendBuf.len) {
   2891     	/* short write should never happen */
   2892 	PORT_Assert(rv >= ss->sec.ci.sendBuf.len);
   2893 	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
   2894 	rv = SECFailure;
   2895     } else {
   2896 	rv = SECSuccess;
   2897     }
   2898 
   2899     /* Whether we succeeded or failed, toss the old handshake data. */
   2900     ss->sec.ci.sendBuf.len = 0;
   2901     return rv;
   2902 }
   2903 
   2904 /*
   2905  * Called from ssl3_HandleAlert and from ssl3_HandleCertificate when
   2906  * the remote client sends a negative response to our certificate request.
   2907  * Returns SECFailure if the application has required client auth.
   2908  *         SECSuccess otherwise.
   2909  */
   2910 static SECStatus
   2911 ssl3_HandleNoCertificate(sslSocket *ss)
   2912 {
   2913     if (ss->sec.peerCert != NULL) {
   2914 	if (ss->sec.peerKey != NULL) {
   2915 	    SECKEY_DestroyPublicKey(ss->sec.peerKey);
   2916 	    ss->sec.peerKey = NULL;
   2917 	}
   2918 	CERT_DestroyCertificate(ss->sec.peerCert);
   2919 	ss->sec.peerCert = NULL;
   2920     }
   2921     ssl3_CleanupPeerCerts(ss);
   2922 
   2923     /* If the server has required client-auth blindly but doesn't
   2924      * actually look at the certificate it won't know that no
   2925      * certificate was presented so we shutdown the socket to ensure
   2926      * an error.  We only do this if we haven't already completed the
   2927      * first handshake because if we're redoing the handshake we
   2928      * know the server is paying attention to the certificate.
   2929      */
   2930     if ((ss->opt.requireCertificate == SSL_REQUIRE_ALWAYS) ||
   2931 	(!ss->firstHsDone &&
   2932 	 (ss->opt.requireCertificate == SSL_REQUIRE_FIRST_HANDSHAKE))) {
   2933 	PRFileDesc * lower;
   2934 
   2935 	if (ss->sec.uncache)
   2936             ss->sec.uncache(ss->sec.ci.sid);
   2937 	SSL3_SendAlert(ss, alert_fatal, bad_certificate);
   2938 
   2939 	lower = ss->fd->lower;
   2940 #ifdef _WIN32
   2941 	lower->methods->shutdown(lower, PR_SHUTDOWN_SEND);
   2942 #else
   2943 	lower->methods->shutdown(lower, PR_SHUTDOWN_BOTH);
   2944 #endif
   2945 	PORT_SetError(SSL_ERROR_NO_CERTIFICATE);
   2946 	return SECFailure;
   2947     }
   2948     return SECSuccess;
   2949 }
   2950 
   2951 /************************************************************************
   2952  * Alerts
   2953  */
   2954 
   2955 /*
   2956 ** Acquires both handshake and XmitBuf locks.
   2957 ** Called from: ssl3_IllegalParameter	<-
   2958 **              ssl3_HandshakeFailure	<-
   2959 **              ssl3_HandleAlert	<- ssl3_HandleRecord.
   2960 **              ssl3_HandleChangeCipherSpecs <- ssl3_HandleRecord
   2961 **              ssl3_ConsumeHandshakeVariable <-
   2962 **              ssl3_HandleHelloRequest	<-
   2963 **              ssl3_HandleServerHello	<-
   2964 **              ssl3_HandleServerKeyExchange <-
   2965 **              ssl3_HandleCertificateRequest <-
   2966 **              ssl3_HandleServerHelloDone <-
   2967 **              ssl3_HandleClientHello	<-
   2968 **              ssl3_HandleV2ClientHello <-
   2969 **              ssl3_HandleCertificateVerify <-
   2970 **              ssl3_HandleClientKeyExchange <-
   2971 **              ssl3_HandleCertificate	<-
   2972 **              ssl3_HandleFinished	<-
   2973 **              ssl3_HandleHandshakeMessage <-
   2974 **              ssl3_HandleRecord	<-
   2975 **
   2976 */
   2977 SECStatus
   2978 SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level, SSL3AlertDescription desc)
   2979 {
   2980     PRUint8 	bytes[2];
   2981     SECStatus	rv;
   2982 
   2983     SSL_TRC(3, ("%d: SSL3[%d]: send alert record, level=%d desc=%d",
   2984 		SSL_GETPID(), ss->fd, level, desc));
   2985 
   2986     bytes[0] = level;
   2987     bytes[1] = desc;
   2988 
   2989     ssl_GetSSL3HandshakeLock(ss);
   2990     if (level == alert_fatal) {
   2991 	if (!ss->opt.noCache && ss->sec.ci.sid && ss->sec.uncache) {
   2992 	    ss->sec.uncache(ss->sec.ci.sid);
   2993 	}
   2994     }
   2995     ssl_GetXmitBufLock(ss);
   2996     rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
   2997     if (rv == SECSuccess) {
   2998 	PRInt32 sent;
   2999 	sent = ssl3_SendRecord(ss, 0, content_alert, bytes, 2,
   3000 			       desc == no_certificate
   3001 			       ? ssl_SEND_FLAG_FORCE_INTO_BUFFER : 0);
   3002 	rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
   3003     }
   3004     ssl_ReleaseXmitBufLock(ss);
   3005     ssl_ReleaseSSL3HandshakeLock(ss);
   3006     return rv;	/* error set by ssl3_FlushHandshake or ssl3_SendRecord */
   3007 }
   3008 
   3009 /*
   3010  * Send illegal_parameter alert.  Set generic error number.
   3011  */
   3012 static SECStatus
   3013 ssl3_IllegalParameter(sslSocket *ss)
   3014 {
   3015     PRBool isTLS;
   3016 
   3017     isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
   3018     (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
   3019     PORT_SetError(ss->sec.isServer ? SSL_ERROR_BAD_CLIENT
   3020                                    : SSL_ERROR_BAD_SERVER );
   3021     return SECFailure;
   3022 }
   3023 
   3024 /*
   3025  * Send handshake_Failure alert.  Set generic error number.
   3026  */
   3027 static SECStatus
   3028 ssl3_HandshakeFailure(sslSocket *ss)
   3029 {
   3030     (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure);
   3031     PORT_SetError( ss->sec.isServer ? SSL_ERROR_BAD_CLIENT
   3032                                     : SSL_ERROR_BAD_SERVER );
   3033     return SECFailure;
   3034 }
   3035 
   3036 static void
   3037 ssl3_SendAlertForCertError(sslSocket * ss, PRErrorCode errCode)
   3038 {
   3039     SSL3AlertDescription desc	= bad_certificate;
   3040     PRBool isTLS = ss->version >= SSL_LIBRARY_VERSION_3_1_TLS;
   3041 
   3042     switch (errCode) {
   3043     case SEC_ERROR_LIBRARY_FAILURE:     desc = unsupported_certificate; break;
   3044     case SEC_ERROR_EXPIRED_CERTIFICATE: desc = certificate_expired;     break;
   3045     case SEC_ERROR_REVOKED_CERTIFICATE: desc = certificate_revoked;     break;
   3046     case SEC_ERROR_INADEQUATE_KEY_USAGE:
   3047     case SEC_ERROR_INADEQUATE_CERT_TYPE:
   3048 		                        desc = certificate_unknown;     break;
   3049     case SEC_ERROR_UNTRUSTED_CERT:
   3050 		    desc = isTLS ? access_denied : certificate_unknown; break;
   3051     case SEC_ERROR_UNKNOWN_ISSUER:
   3052     case SEC_ERROR_UNTRUSTED_ISSUER:
   3053 		    desc = isTLS ? unknown_ca : certificate_unknown; break;
   3054     case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
   3055 		    desc = isTLS ? unknown_ca : certificate_expired; break;
   3056 
   3057     case SEC_ERROR_CERT_NOT_IN_NAME_SPACE:
   3058     case SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID:
   3059     case SEC_ERROR_CA_CERT_INVALID:
   3060     case SEC_ERROR_BAD_SIGNATURE:
   3061     default:                            desc = bad_certificate;     break;
   3062     }
   3063     SSL_DBG(("%d: SSL3[%d]: peer certificate is no good: error=%d",
   3064 	     SSL_GETPID(), ss->fd, errCode));
   3065 
   3066     (void) SSL3_SendAlert(ss, alert_fatal, desc);
   3067 }
   3068 
   3069 
   3070 /*
   3071  * Send decode_error alert.  Set generic error number.
   3072  */
   3073 SECStatus
   3074 ssl3_DecodeError(sslSocket *ss)
   3075 {
   3076     (void)SSL3_SendAlert(ss, alert_fatal,
   3077 		  ss->version > SSL_LIBRARY_VERSION_3_0 ? decode_error
   3078 							: illegal_parameter);
   3079     PORT_SetError( ss->sec.isServer ? SSL_ERROR_BAD_CLIENT
   3080                                     : SSL_ERROR_BAD_SERVER );
   3081     return SECFailure;
   3082 }
   3083 
   3084 /* Called from ssl3_HandleRecord.
   3085 ** Caller must hold both RecvBuf and Handshake locks.
   3086 */
   3087 static SECStatus
   3088 ssl3_HandleAlert(sslSocket *ss, sslBuffer *buf)
   3089 {
   3090     SSL3AlertLevel       level;
   3091     SSL3AlertDescription desc;
   3092     int                  error;
   3093 
   3094     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
   3095     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
   3096 
   3097     SSL_TRC(3, ("%d: SSL3[%d]: handle alert record", SSL_GETPID(), ss->fd));
   3098 
   3099     if (buf->len != 2) {
   3100 	(void)ssl3_DecodeError(ss);
   3101 	PORT_SetError(SSL_ERROR_RX_MALFORMED_ALERT);
   3102 	return SECFailure;
   3103     }
   3104     level = (SSL3AlertLevel)buf->buf[0];
   3105     desc  = (SSL3AlertDescription)buf->buf[1];
   3106     buf->len = 0;
   3107     SSL_TRC(5, ("%d: SSL3[%d] received alert, level = %d, description = %d",
   3108         SSL_GETPID(), ss->fd, level, desc));
   3109 
   3110     switch (desc) {
   3111     case close_notify:		ss->recvdCloseNotify = 1;
   3112 		        	error = SSL_ERROR_CLOSE_NOTIFY_ALERT;     break;
   3113     case unexpected_message: 	error = SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT;
   3114 									  break;
   3115     case bad_record_mac: 	error = SSL_ERROR_BAD_MAC_ALERT; 	  break;
   3116     case decryption_failed_RESERVED:
   3117                                 error = SSL_ERROR_DECRYPTION_FAILED_ALERT;
   3118     									  break;
   3119     case record_overflow: 	error = SSL_ERROR_RECORD_OVERFLOW_ALERT;  break;
   3120     case decompression_failure: error = SSL_ERROR_DECOMPRESSION_FAILURE_ALERT;
   3121 									  break;
   3122     case handshake_failure: 	error = SSL_ERROR_HANDSHAKE_FAILURE_ALERT;
   3123 			        					  break;
   3124     case no_certificate: 	error = SSL_ERROR_NO_CERTIFICATE;	  break;
   3125     case bad_certificate: 	error = SSL_ERROR_BAD_CERT_ALERT; 	  break;
   3126     case unsupported_certificate:error = SSL_ERROR_UNSUPPORTED_CERT_ALERT;break;
   3127     case certificate_revoked: 	error = SSL_ERROR_REVOKED_CERT_ALERT; 	  break;
   3128     case certificate_expired: 	error = SSL_ERROR_EXPIRED_CERT_ALERT; 	  break;
   3129     case certificate_unknown: 	error = SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT;
   3130 			        					  break;
   3131     case illegal_parameter: 	error = SSL_ERROR_ILLEGAL_PARAMETER_ALERT;break;
   3132 
   3133     /* All alerts below are TLS only. */
   3134     case unknown_ca: 		error = SSL_ERROR_UNKNOWN_CA_ALERT;       break;
   3135     case access_denied: 	error = SSL_ERROR_ACCESS_DENIED_ALERT;    break;
   3136     case decode_error: 		error = SSL_ERROR_DECODE_ERROR_ALERT;     break;
   3137     case decrypt_error: 	error = SSL_ERROR_DECRYPT_ERROR_ALERT;    break;
   3138     case export_restriction: 	error = SSL_ERROR_EXPORT_RESTRICTION_ALERT;
   3139     									  break;
   3140     case protocol_version: 	error = SSL_ERROR_PROTOCOL_VERSION_ALERT; break;
   3141     case insufficient_security: error = SSL_ERROR_INSUFFICIENT_SECURITY_ALERT;
   3142     									  break;
   3143     case internal_error: 	error = SSL_ERROR_INTERNAL_ERROR_ALERT;   break;
   3144     case user_canceled: 	error = SSL_ERROR_USER_CANCELED_ALERT;    break;
   3145     case no_renegotiation: 	error = SSL_ERROR_NO_RENEGOTIATION_ALERT; break;
   3146 
   3147     /* Alerts for TLS client hello extensions */
   3148     case unsupported_extension:
   3149 			error = SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT;    break;
   3150     case certificate_unobtainable:
   3151 			error = SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT; break;
   3152     case unrecognized_name:
   3153 			error = SSL_ERROR_UNRECOGNIZED_NAME_ALERT;        break;
   3154     case bad_certificate_status_response:
   3155 			error = SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT; break;
   3156     case bad_certificate_hash_value:
   3157 			error = SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT;      break;
   3158     default: 		error = SSL_ERROR_RX_UNKNOWN_ALERT;               break;
   3159     }
   3160     if (level == alert_fatal) {
   3161 	if (!ss->opt.noCache) {
   3162 	    if (ss->sec.uncache)
   3163                 ss->sec.uncache(ss->sec.ci.sid);
   3164 	}
   3165 	if ((ss->ssl3.hs.ws == wait_server_hello) &&
   3166 	    (desc == handshake_failure)) {
   3167 	    /* XXX This is a hack.  We're assuming that any handshake failure
   3168 	     * XXX on the client hello is a failure to match ciphers.
   3169 	     */
   3170 	    error = SSL_ERROR_NO_CYPHER_OVERLAP;
   3171 	}
   3172 	PORT_SetError(error);
   3173 	return SECFailure;
   3174     }
   3175     if ((desc == no_certificate) && (ss->ssl3.hs.ws == wait_client_cert)) {
   3176     	/* I'm a server. I've requested a client cert. He hasn't got one. */
   3177 	SECStatus rv;
   3178 
   3179 	PORT_Assert(ss->sec.isServer);
   3180 	ss->ssl3.hs.ws = wait_client_key;
   3181 	rv = ssl3_HandleNoCertificate(ss);
   3182 	return rv;
   3183     }
   3184     return SECSuccess;
   3185 }
   3186 
   3187 /*
   3188  * Change Cipher Specs
   3189  * Called from ssl3_HandleServerHelloDone,
   3190  *             ssl3_HandleClientHello,
   3191  * and         ssl3_HandleFinished
   3192  *
   3193  * Acquires and releases spec write lock, to protect switching the current
   3194  * and pending write spec pointers.
   3195  */
   3196 
   3197 static SECStatus
   3198 ssl3_SendChangeCipherSpecs(sslSocket *ss)
   3199 {
   3200     PRUint8           change = change_cipher_spec_choice;
   3201     ssl3CipherSpec *  pwSpec;
   3202     SECStatus         rv;
   3203     PRInt32           sent;
   3204 
   3205     SSL_TRC(3, ("%d: SSL3[%d]: send change_cipher_spec record",
   3206 		SSL_GETPID(), ss->fd));
   3207 
   3208     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
   3209     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
   3210 
   3211     rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
   3212     if (rv != SECSuccess) {
   3213 	return rv;	/* error code set by ssl3_FlushHandshake */
   3214     }
   3215     if (!IS_DTLS(ss)) {
   3216 	sent = ssl3_SendRecord(ss, 0, content_change_cipher_spec, &change, 1,
   3217 			       ssl_SEND_FLAG_FORCE_INTO_BUFFER);
   3218 	if (sent < 0) {
   3219 	    return (SECStatus)sent;	/* error code set by ssl3_SendRecord */
   3220 	}
   3221     } else {
   3222 	rv = dtls_QueueMessage(ss, content_change_cipher_spec, &change, 1);
   3223 	if (rv != SECSuccess) {
   3224 	    return rv;
   3225 	}
   3226     }
   3227 
   3228     /* swap the pending and current write specs. */
   3229     ssl_GetSpecWriteLock(ss);	/**************************************/
   3230     pwSpec                     = ss->ssl3.pwSpec;
   3231 
   3232     ss->ssl3.pwSpec = ss->ssl3.cwSpec;
   3233     ss->ssl3.cwSpec = pwSpec;
   3234 
   3235     SSL_TRC(3, ("%d: SSL3[%d] Set Current Write Cipher Suite to Pending",
   3236 		SSL_GETPID(), ss->fd ));
   3237 
   3238     /* We need to free up the contexts, keys and certs ! */
   3239     /* If we are really through with the old cipher spec
   3240      * (Both the read and write sides have changed) destroy it.
   3241      */
   3242     if (ss->ssl3.prSpec == ss->ssl3.pwSpec) {
   3243 	if (!IS_DTLS(ss)) {
   3244 	    ssl3_DestroyCipherSpec(ss->ssl3.pwSpec, PR_FALSE/*freeSrvName*/);
   3245 	} else {
   3246 	    /* With DTLS, we need to set a holddown timer in case the final
   3247 	     * message got lost */
   3248 	    ss->ssl3.hs.rtTimeoutMs = DTLS_FINISHED_TIMER_MS;
   3249 	    dtls_StartTimer(ss, dtls_FinishedTimerCb);
   3250 	}
   3251     }
   3252     ssl_ReleaseSpecWriteLock(ss); /**************************************/
   3253 
   3254     return SECSuccess;
   3255 }
   3256 
   3257 /* Called from ssl3_HandleRecord.
   3258 ** Caller must hold both RecvBuf and Handshake locks.
   3259  *
   3260  * Acquires and releases spec write lock, to protect switching the current
   3261  * and pending write spec pointers.
   3262 */
   3263 static SECStatus
   3264 ssl3_HandleChangeCipherSpecs(sslSocket *ss, sslBuffer *buf)
   3265 {
   3266     ssl3CipherSpec *           prSpec;
   3267     SSL3WaitState              ws      = ss->ssl3.hs.ws;
   3268     SSL3ChangeCipherSpecChoice change;
   3269 
   3270     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
   3271     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
   3272 
   3273     SSL_TRC(3, ("%d: SSL3[%d]: handle change_cipher_spec record",
   3274 		SSL_GETPID(), ss->fd));
   3275 
   3276     if (ws != wait_change_cipher) {
   3277 	(void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
   3278 	PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER);
   3279 	return SECFailure;
   3280     }
   3281 
   3282     if(buf->len != 1) {
   3283 	(void)ssl3_DecodeError(ss);
   3284 	PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
   3285 	return SECFailure;
   3286     }
   3287     change = (SSL3ChangeCipherSpecChoice)buf->buf[0];
   3288     if (change != change_cipher_spec_choice) {
   3289 	/* illegal_parameter is correct here for both SSL3 and TLS. */
   3290 	(void)ssl3_IllegalParameter(ss);
   3291 	PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
   3292 	return SECFailure;
   3293     }
   3294     buf->len = 0;
   3295 
   3296     /* Swap the pending and current read specs. */
   3297     ssl_GetSpecWriteLock(ss);   /*************************************/
   3298     prSpec                    = ss->ssl3.prSpec;
   3299 
   3300     ss->ssl3.prSpec  = ss->ssl3.crSpec;
   3301     ss->ssl3.crSpec  = prSpec;
   3302     ss->ssl3.hs.ws   = wait_finished;
   3303 
   3304     SSL_TRC(3, ("%d: SSL3[%d] Set Current Read Cipher Suite to Pending",
   3305 		SSL_GETPID(), ss->fd ));
   3306 
   3307     /* If we are really through with the old cipher prSpec
   3308      * (Both the read and write sides have changed) destroy it.
   3309      */
   3310     if (ss->ssl3.prSpec == ss->ssl3.pwSpec) {
   3311     	ssl3_DestroyCipherSpec(ss->ssl3.prSpec, PR_FALSE/*freeSrvName*/);
   3312     }
   3313     ssl_ReleaseSpecWriteLock(ss);   /*************************************/
   3314     return SECSuccess;
   3315 }
   3316 
   3317 /* This method uses PKCS11 to derive the MS from the PMS, where PMS
   3318 ** is a PKCS11 symkey. This is used in all cases except the
   3319 ** "triple bypass" with RSA key exchange.
   3320 ** Called from ssl3_InitPendingCipherSpec.   prSpec is pwSpec.
   3321 */
   3322 static SECStatus
   3323 ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms)
   3324 {
   3325     ssl3CipherSpec *  pwSpec = ss->ssl3.pwSpec;
   3326     const ssl3KEADef *kea_def= ss->ssl3.hs.kea_def;
   3327     unsigned char *   cr     = (unsigned char *)&ss->ssl3.hs.client_random;
   3328     unsigned char *   sr     = (unsigned char *)&ss->ssl3.hs.server_random;
   3329     PRBool            isTLS  = (PRBool)(kea_def->tls_keygen ||
   3330                                 (pwSpec->version > SSL_LIBRARY_VERSION_3_0));
   3331     PRBool            isTLS12=
   3332 	    (PRBool)(isTLS && pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
   3333     /*
   3334      * Whenever isDH is true, we need to use CKM_TLS_MASTER_KEY_DERIVE_DH
   3335      * which, unlike CKM_TLS_MASTER_KEY_DERIVE, converts arbitrary size
   3336      * data into a 48-byte value.
   3337      */
   3338     PRBool    isDH = (PRBool) ((ss->ssl3.hs.kea_def->exchKeyType == kt_dh) ||
   3339 	                       (ss->ssl3.hs.kea_def->exchKeyType == kt_ecdh));
   3340     SECStatus         rv = SECFailure;
   3341     CK_MECHANISM_TYPE master_derive;
   3342     CK_MECHANISM_TYPE key_derive;
   3343     SECItem           params;
   3344     CK_FLAGS          keyFlags;
   3345     CK_VERSION        pms_version;
   3346     CK_SSL3_MASTER_KEY_DERIVE_PARAMS master_params;
   3347 
   3348     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
   3349     PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
   3350     PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
   3351     if (isTLS12) {
   3352 	if(isDH) master_derive = CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256;
   3353 	else master_derive = CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256;
   3354 	key_derive    = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256;
   3355 	keyFlags      = CKF_SIGN | CKF_VERIFY;
   3356     } else if (isTLS) {
   3357 	if(isDH) master_derive = CKM_TLS_MASTER_KEY_DERIVE_DH;
   3358 	else master_derive = CKM_TLS_MASTER_KEY_DERIVE;
   3359 	key_derive    = CKM_TLS_KEY_AND_MAC_DERIVE;
   3360 	keyFlags      = CKF_SIGN | CKF_VERIFY;
   3361     } else {
   3362 	if (isDH) master_derive = CKM_SSL3_MASTER_KEY_DERIVE_DH;
   3363 	else master_derive = CKM_SSL3_MASTER_KEY_DERIVE;
   3364 	key_derive    = CKM_SSL3_KEY_AND_MAC_DERIVE;
   3365 	keyFlags      = 0;
   3366     }
   3367 
   3368     if (pms || !pwSpec->master_secret) {
   3369 	if (isDH) {
   3370 	    master_params.pVersion                     = NULL;
   3371 	} else {
   3372 	    master_params.pVersion                     = &pms_version;
   3373 	}
   3374 	master_params.RandomInfo.pClientRandom     = cr;
   3375 	master_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH;
   3376 	master_params.RandomInfo.pServerRandom     = sr;
   3377 	master_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH;
   3378 
   3379 	params.data = (unsigned char *) &master_params;
   3380 	params.len  = sizeof master_params;
   3381     }
   3382 
   3383     if (pms != NULL) {
   3384 #if defined(TRACE)
   3385 	if (ssl_trace >= 100) {
   3386 	    SECStatus extractRV = PK11_ExtractKeyValue(pms);
   3387 	    if (extractRV == SECSuccess) {
   3388 		SECItem * keyData = PK11_GetKeyData(pms);
   3389 		if (keyData && keyData->data && keyData->len) {
   3390 		    ssl_PrintBuf(ss, "Pre-Master Secret",
   3391 				 keyData->data, keyData->len);
   3392 		}
   3393 	    }
   3394 	}
   3395 #endif
   3396 	pwSpec->master_secret = PK11_DeriveWithFlags(pms, master_derive,
   3397 				&params, key_derive, CKA_DERIVE, 0, keyFlags);
   3398 	if (!isDH && pwSpec->master_secret && ss->opt.detectRollBack) {
   3399 	    SSL3ProtocolVersion client_version;
   3400 	    client_version = pms_version.major << 8 | pms_version.minor;
   3401 
   3402 	    if (IS_DTLS(ss)) {
   3403 		client_version = dtls_DTLSVersionToTLSVersion(client_version);
   3404 	    }
   3405 
   3406 	    if (client_version != ss->clientHelloVersion) {
   3407 		/* Destroy it.  Version roll-back detected. */
   3408 		PK11_FreeSymKey(pwSpec->master_secret);
   3409 	    	pwSpec->master_secret = NULL;
   3410 	    }
   3411 	}
   3412 	if (pwSpec->master_secret == NULL) {
   3413 	    /* Generate a faux master secret in the same slot as the old one. */
   3414 	    PK11SlotInfo * slot = PK11_GetSlotFromKey((PK11SymKey *)pms);
   3415 	    PK11SymKey *   fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot);
   3416 
   3417 	    PK11_FreeSlot(slot);
   3418 	    if (fpms != NULL) {
   3419 		pwSpec->master_secret = PK11_DeriveWithFlags(fpms,
   3420 					master_derive, &params, key_derive,
   3421 					CKA_DERIVE, 0, keyFlags);
   3422 		PK11_FreeSymKey(fpms);
   3423 	    }
   3424 	}
   3425     }
   3426     if (pwSpec->master_secret == NULL) {
   3427 	/* Generate a faux master secret from the internal slot. */
   3428 	PK11SlotInfo *  slot = PK11_GetInternalSlot();
   3429 	PK11SymKey *    fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot);
   3430 
   3431 	PK11_FreeSlot(slot);
   3432 	if (fpms != NULL) {
   3433 	    pwSpec->master_secret = PK11_DeriveWithFlags(fpms,
   3434 					master_derive, &params, key_derive,
   3435 					CKA_DERIVE, 0, keyFlags);
   3436 	    if (pwSpec->master_secret == NULL) {
   3437 	    	pwSpec->master_secret = fpms; /* use the fpms as the master. */
   3438 		fpms = NULL;
   3439 	    }
   3440 	}
   3441 	if (fpms) {
   3442 	    PK11_FreeSymKey(fpms);
   3443     	}
   3444     }
   3445     if (pwSpec->master_secret == NULL) {
   3446 	ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
   3447 	return rv;
   3448     }
   3449 #ifndef NO_PKCS11_BYPASS
   3450     if (ss->opt.bypassPKCS11) {
   3451 	SECItem * keydata;
   3452 	/* In hope of doing a "double bypass",
   3453 	 * need to extract the master secret's value from the key object
   3454 	 * and store it raw in the sslSocket struct.
   3455 	 */
   3456 	rv = PK11_ExtractKeyValue(pwSpec->master_secret);
   3457 	if (rv != SECSuccess) {
   3458 	    return rv;
   3459 	}
   3460 	/* This returns the address of the secItem inside the key struct,
   3461 	 * not a copy or a reference.  So, there's no need to free it.
   3462 	 */
   3463 	keydata = PK11_GetKeyData(pwSpec->master_secret);
   3464 	if (keydata && keydata->len <= sizeof pwSpec->raw_master_secret) {
   3465 	    memcpy(pwSpec->raw_master_secret, keydata->data, keydata->len);
   3466 	    pwSpec->msItem.data = pwSpec->raw_master_secret;
   3467 	    pwSpec->msItem.len  = keydata->len;
   3468 	} else {
   3469 	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
   3470 	    return SECFailure;
   3471 	}
   3472     }
   3473 #endif
   3474     return SECSuccess;
   3475 }
   3476 
   3477 
   3478 /*
   3479  * Derive encryption and MAC Keys (and IVs) from master secret
   3480  * Sets a useful error code when returning SECFailure.
   3481  *
   3482  * Called only from ssl3_InitPendingCipherSpec(),
   3483  * which in turn is called from
   3484  *              sendRSAClientKeyExchange        (for Full handshake)
   3485  *              sendDHClientKeyExchange         (for Full handshake)
   3486  *              ssl3_HandleClientKeyExchange    (for Full handshake)
   3487  *              ssl3_HandleServerHello          (for session restart)
   3488  *              ssl3_HandleClientHello          (for session restart)
   3489  * Caller MUST hold the specWriteLock, and SSL3HandshakeLock.
   3490  * ssl3_InitPendingCipherSpec does that.
   3491  *
   3492  */
   3493 static SECStatus
   3494 ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss)
   3495 {
   3496     ssl3CipherSpec *         pwSpec     = ss->ssl3.pwSpec;
   3497     const ssl3KEADef *       kea_def    = ss->ssl3.hs.kea_def;
   3498     unsigned char *   cr     = (unsigned char *)&ss->ssl3.hs.client_random;
   3499     unsigned char *   sr     = (unsigned char *)&ss->ssl3.hs.server_random;
   3500     PRBool            isTLS  = (PRBool)(kea_def->tls_keygen ||
   3501                                 (pwSpec->version > SSL_LIBRARY_VERSION_3_0));
   3502     PRBool            isTLS12=
   3503 	    (PRBool)(isTLS && pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
   3504     /* following variables used in PKCS11 path */
   3505     const ssl3BulkCipherDef *cipher_def = pwSpec->cipher_def;
   3506     PK11SlotInfo *         slot   = NULL;
   3507     PK11SymKey *           symKey = NULL;
   3508     void *                 pwArg  = ss->pkcs11PinArg;
   3509     int                    keySize;
   3510     CK_SSL3_KEY_MAT_PARAMS key_material_params;
   3511     CK_SSL3_KEY_MAT_OUT    returnedKeys;
   3512     CK_MECHANISM_TYPE      key_derive;
   3513     CK_MECHANISM_TYPE      bulk_mechanism;
   3514     SSLCipherAlgorithm     calg;
   3515     SECItem                params;
   3516     PRBool         skipKeysAndIVs = (PRBool)(cipher_def->calg == calg_null);
   3517 
   3518     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
   3519     PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
   3520     PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
   3521 
   3522     if (!pwSpec->master_secret) {
   3523 	PORT_SetError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
   3524 	return SECFailure;
   3525     }
   3526     /*
   3527      * generate the key material
   3528      */
   3529     key_material_params.ulMacSizeInBits = pwSpec->mac_size           * BPB;
   3530     key_material_params.ulKeySizeInBits = cipher_def->secret_key_size* BPB;
   3531     key_material_params.ulIVSizeInBits  = cipher_def->iv_size        * BPB;
   3532     if (cipher_def->type == type_block &&
   3533 	pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) {
   3534 	/* Block ciphers in >= TLS 1.1 use a per-record, explicit IV. */
   3535 	key_material_params.ulIVSizeInBits = 0;
   3536 	memset(pwSpec->client.write_iv, 0, cipher_def->iv_size);
   3537 	memset(pwSpec->server.write_iv, 0, cipher_def->iv_size);
   3538     }
   3539 
   3540     key_material_params.bIsExport = (CK_BBOOL)(kea_def->is_limited);
   3541     /* was:	(CK_BBOOL)(cipher_def->keygen_mode != kg_strong); */
   3542 
   3543     key_material_params.RandomInfo.pClientRandom     = cr;
   3544     key_material_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH;
   3545     key_material_params.RandomInfo.pServerRandom     = sr;
   3546     key_material_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH;
   3547     key_material_params.pReturnedKeyMaterial         = &returnedKeys;
   3548 
   3549     returnedKeys.pIVClient = pwSpec->client.write_iv;
   3550     returnedKeys.pIVServer = pwSpec->server.write_iv;
   3551     keySize                = cipher_def->key_size;
   3552 
   3553     if (skipKeysAndIVs) {
   3554 	keySize                             = 0;
   3555         key_material_params.ulKeySizeInBits = 0;
   3556         key_material_params.ulIVSizeInBits  = 0;
   3557     	returnedKeys.pIVClient              = NULL;
   3558     	returnedKeys.pIVServer              = NULL;
   3559     }
   3560 
   3561     calg = cipher_def->calg;
   3562     PORT_Assert(     alg2Mech[calg].calg == calg);
   3563     bulk_mechanism = alg2Mech[calg].cmech;
   3564 
   3565     params.data    = (unsigned char *)&key_material_params;
   3566     params.len     = sizeof(key_material_params);
   3567 
   3568     if (isTLS12) {
   3569 	key_derive    = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256;
   3570     } else if (isTLS) {
   3571 	key_derive    = CKM_TLS_KEY_AND_MAC_DERIVE;
   3572     } else {
   3573 	key_derive    = CKM_SSL3_KEY_AND_MAC_DERIVE;
   3574     }
   3575 
   3576     /* CKM_SSL3_KEY_AND_MAC_DERIVE is defined to set ENCRYPT, DECRYPT, and
   3577      * DERIVE by DEFAULT */
   3578     symKey = PK11_Derive(pwSpec->master_secret, key_derive, &params,
   3579                          bulk_mechanism, CKA_ENCRYPT, keySize);
   3580     if (!symKey) {
   3581 	ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
   3582 	return SECFailure;
   3583     }
   3584     /* we really should use the actual mac'ing mechanism here, but we
   3585      * don't because these types are used to map keytype anyway and both
   3586      * mac's map to the same keytype.
   3587      */
   3588     slot  = PK11_GetSlotFromKey(symKey);
   3589 
   3590     PK11_FreeSlot(slot); /* slot is held until the key is freed */
   3591     pwSpec->client.write_mac_key =
   3592     	PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
   3593 	    CKM_SSL3_SHA1_MAC, returnedKeys.hClientMacSecret, PR_TRUE, pwArg);
   3594     if (pwSpec->client.write_mac_key == NULL ) {
   3595 	goto loser;	/* loser sets err */
   3596     }
   3597     pwSpec->server.write_mac_key =
   3598     	PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
   3599 	    CKM_SSL3_SHA1_MAC, returnedKeys.hServerMacSecret, PR_TRUE, pwArg);
   3600     if (pwSpec->server.write_mac_key == NULL ) {
   3601 	goto loser;	/* loser sets err */
   3602     }
   3603     if (!skipKeysAndIVs) {
   3604 	pwSpec->client.write_key =
   3605 		PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
   3606 		     bulk_mechanism, returnedKeys.hClientKey, PR_TRUE, pwArg);
   3607 	if (pwSpec->client.write_key == NULL ) {
   3608 	    goto loser;	/* loser sets err */
   3609 	}
   3610 	pwSpec->server.write_key =
   3611 		PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
   3612 		     bulk_mechanism, returnedKeys.hServerKey, PR_TRUE, pwArg);
   3613 	if (pwSpec->server.write_key == NULL ) {
   3614 	    goto loser;	/* loser sets err */
   3615 	}
   3616     }
   3617     PK11_FreeSymKey(symKey);
   3618     return SECSuccess;
   3619 
   3620 
   3621 loser:
   3622     if (symKey) PK11_FreeSymKey(symKey);
   3623     ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
   3624     return SECFailure;
   3625 }
   3626 
   3627 /* ssl3_InitHandshakeHashes creates handshake hash contexts and hashes in
   3628  * buffered messages in ss->ssl3.hs.messages. */
   3629 static SECStatus
   3630 ssl3_InitHandshakeHashes(sslSocket *ss)
   3631 {
   3632     SSL_TRC(30,("%d: SSL3[%d]: start handshake hashes", SSL_GETPID(), ss->fd));
   3633 
   3634     PORT_Assert(ss->ssl3.hs.hashType == handshake_hash_unknown);
   3635 #ifndef NO_PKCS11_BYPASS
   3636     if (ss->opt.bypassPKCS11) {
   3637 	PORT_Assert(!ss->ssl3.hs.sha_obj && !ss->ssl3.hs.sha_clone);
   3638 	if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
   3639 	    /* If we ever support ciphersuites where the PRF hash isn't SHA-256
   3640 	     * then this will need to be updated. */
   3641 	    ss->ssl3.hs.sha_obj = HASH_GetRawHashObject(HASH_AlgSHA256);
   3642 	    if (!ss->ssl3.hs.sha_obj) {
   3643 		ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
   3644 		return SECFailure;
   3645 	    }
   3646 	    ss->ssl3.hs.sha_clone = (void (*)(void *, void *))SHA256_Clone;
   3647 	    ss->ssl3.hs.hashType = handshake_hash_single;
   3648 	    ss->ssl3.hs.sha_obj->begin(ss->ssl3.hs.sha_cx);
   3649 	} else {
   3650 	    ss->ssl3.hs.hashType = handshake_hash_combo;
   3651 	    MD5_Begin((MD5Context *)ss->ssl3.hs.md5_cx);
   3652 	    SHA1_Begin((SHA1Context *)ss->ssl3.hs.sha_cx);
   3653 	}
   3654     } else
   3655 #endif
   3656     {
   3657 	PORT_Assert(!ss->ssl3.hs.md5 && !ss->ssl3.hs.sha);
   3658 	/*
   3659 	 * note: We should probably lookup an SSL3 slot for these
   3660 	 * handshake hashes in hopes that we wind up with the same slots
   3661 	 * that the master secret will wind up in ...
   3662 	 */
   3663 	if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
   3664 	    /* If we ever support ciphersuites where the PRF hash isn't SHA-256
   3665 	     * then this will need to be updated. */
   3666 	    ss->ssl3.hs.sha = PK11_CreateDigestContext(SEC_OID_SHA256);
   3667 	    if (ss->ssl3.hs.sha == NULL) {
   3668 		ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
   3669 		return SECFailure;
   3670 	    }
   3671 	    ss->ssl3.hs.hashType = handshake_hash_single;
   3672 
   3673 	    if (PK11_DigestBegin(ss->ssl3.hs.sha) != SECSuccess) {
   3674 		ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
   3675 		return SECFailure;
   3676 	    }
   3677 
   3678 	    /* A backup SHA-1 hash for a potential client auth signature. */
   3679 	    if (!ss->sec.isServer) {
   3680 		ss->ssl3.hs.md5 = PK11_CreateDigestContext(SEC_OID_SHA1);
   3681 		if (ss->ssl3.hs.md5 == NULL) {
   3682 		    ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
   3683 		    return SECFailure;
   3684 		}
   3685 
   3686 		if (PK11_DigestBegin(ss->ssl3.hs.md5) != SECSuccess) {
   3687 		    ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
   3688 		    return SECFailure;
   3689 		}
   3690 	    }
   3691 	} else {
   3692 	    /* Both ss->ssl3.hs.md5 and ss->ssl3.hs.sha should be NULL or
   3693 	     * created successfully. */
   3694 	    ss->ssl3.hs.md5 = PK11_CreateDigestContext(SEC_OID_MD5);
   3695 	    if (ss->ssl3.hs.md5 == NULL) {
   3696 		ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
   3697 		return SECFailure;
   3698 	    }
   3699 	    ss->ssl3.hs.sha = PK11_CreateDigestContext(SEC_OID_SHA1);
   3700 	    if (ss->ssl3.hs.sha == NULL) {
   3701 		PK11_DestroyContext(ss->ssl3.hs.md5, PR_TRUE);
   3702 		ss->ssl3.hs.md5 = NULL;
   3703 		ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
   3704 		return SECFailure;
   3705 	    }
   3706 	    ss->ssl3.hs.hashType = handshake_hash_combo;
   3707 
   3708 	    if (PK11_DigestBegin(ss->ssl3.hs.md5) != SECSuccess) {
   3709 		ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
   3710 		return SECFailure;
   3711 	    }
   3712 	    if (PK11_DigestBegin(ss->ssl3.hs.sha) != SECSuccess) {
   3713 		ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
   3714 		return SECFailure;
   3715 	    }
   3716 	}
   3717     }
   3718 
   3719     if (ss->ssl3.hs.messages.len > 0) {
   3720 	if (ssl3_UpdateHandshakeHashes(ss, ss->ssl3.hs.messages.buf,
   3721 				       ss->ssl3.hs.messages.len) !=
   3722 	    SECSuccess) {
   3723 	    return SECFailure;
   3724 	}
   3725 	PORT_Free(ss->ssl3.hs.messages.buf);
   3726 	ss->ssl3.hs.messages.buf = NULL;
   3727 	ss->ssl3.hs.messages.len = 0;
   3728 	ss->ssl3.hs.messages.space = 0;
   3729     }
   3730 
   3731     return SECSuccess;
   3732 }
   3733 
   3734 static SECStatus
   3735 ssl3_RestartHandshakeHashes(sslSocket *ss)
   3736 {
   3737     SECStatus rv = SECSuccess;
   3738 
   3739     SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes",
   3740 	    SSL_GETPID(), ss->fd ));
   3741     ss->ssl3.hs.hashType = handshake_hash_unknown;
   3742     ss->ssl3.hs.messages.len = 0;
   3743 #ifndef NO_PKCS11_BYPASS
   3744     ss->ssl3.hs.sha_obj = NULL;
   3745     ss->ssl3.hs.sha_clone = NULL;
   3746 #endif
   3747     if (ss->ssl3.hs.md5) {
   3748 	PK11_DestroyContext(ss->ssl3.hs.md5,PR_TRUE);
   3749 	ss->ssl3.hs.md5 = NULL;
   3750     }
   3751     if (ss->ssl3.hs.sha) {
   3752 	PK11_DestroyContext(ss->ssl3.hs.sha,PR_TRUE);
   3753 	ss->ssl3.hs.sha = NULL;
   3754     }
   3755     return rv;
   3756 }
   3757 
   3758 /*
   3759  * Handshake messages
   3760  */
   3761 /* Called from	ssl3_InitHandshakeHashes()
   3762 **		ssl3_AppendHandshake()
   3763 **		ssl3_StartHandshakeHash()
   3764 **		ssl3_HandleV2ClientHello()
   3765 **		ssl3_HandleHandshakeMessage()
   3766 ** Caller must hold the ssl3Handshake lock.
   3767 */
   3768 static SECStatus
   3769 ssl3_UpdateHandshakeHashes(sslSocket *ss, const unsigned char *b,
   3770 			   unsigned int l)
   3771 {
   3772     SECStatus  rv = SECSuccess;
   3773 
   3774     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
   3775 
   3776     /* We need to buffer the handshake messages until we have established
   3777      * which handshake hash function to use. */
   3778     if (ss->ssl3.hs.hashType == handshake_hash_unknown) {
   3779 	return sslBuffer_Append(&ss->ssl3.hs.messages, b, l);
   3780     }
   3781 
   3782     PRINT_BUF(90, (NULL, "handshake hash input:", b, l));
   3783 
   3784 #ifndef NO_PKCS11_BYPASS
   3785     if (ss->opt.bypassPKCS11) {
   3786 	if (ss->ssl3.hs.hashType == handshake_hash_single) {
   3787 	    ss->ssl3.hs.sha_obj->update(ss->ssl3.hs.sha_cx, b, l);
   3788 	} else {
   3789 	    MD5_Update((MD5Context *)ss->ssl3.hs.md5_cx, b, l);
   3790 	    SHA1_Update((SHA1Context *)ss->ssl3.hs.sha_cx, b, l);
   3791 	}
   3792 	return rv;
   3793     }
   3794 #endif
   3795     if (ss->ssl3.hs.hashType == handshake_hash_single) {
   3796 	rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l);
   3797 	if (rv != SECSuccess) {
   3798 	    ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
   3799 	    return rv;
   3800 	}
   3801 	if (ss->ssl3.hs.md5) {
   3802 	    rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l);
   3803 	    if (rv != SECSuccess) {
   3804 		ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
   3805 		return rv;
   3806 	    }
   3807 	}
   3808     } else {
   3809 	rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l);
   3810 	if (rv != SECSuccess) {
   3811 	    ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
   3812 	    return rv;
   3813 	}
   3814 	rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l);
   3815 	if (rv != SECSuccess) {
   3816 	    ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
   3817 	    return rv;
   3818 	}
   3819     }
   3820     return rv;
   3821 }
   3822 
   3823 /**************************************************************************
   3824  * Append Handshake functions.
   3825  * All these functions set appropriate error codes.
   3826  * Most rely on ssl3_AppendHandshake to set the error code.
   3827  **************************************************************************/
   3828 SECStatus
   3829 ssl3_AppendHandshake(sslSocket *ss, const void *void_src, PRInt32 bytes)
   3830 {
   3831     unsigned char *  src  = (unsigned char *)void_src;
   3832     int              room = ss->sec.ci.sendBuf.space - ss->sec.ci.sendBuf.len;
   3833     SECStatus        rv;
   3834 
   3835     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); /* protects sendBuf. */
   3836 
   3837     if (!bytes)
   3838     	return SECSuccess;
   3839     if (ss->sec.ci.sendBuf.space < MAX_SEND_BUF_LENGTH && room < bytes) {
   3840 	rv = sslBuffer_Grow(&ss->sec.ci.sendBuf, PR_MAX(MIN_SEND_BUF_LENGTH,
   3841 		 PR_MIN(MAX_SEND_BUF_LENGTH, ss->sec.ci.sendBuf.len + bytes)));
   3842 	if (rv != SECSuccess)
   3843 	    return rv;	/* sslBuffer_Grow has set a memory error code. */
   3844 	room = ss->sec.ci.sendBuf.space - ss->sec.ci.sendBuf.len;
   3845     }
   3846 
   3847     PRINT_BUF(60, (ss, "Append to Handshake", (unsigned char*)void_src, bytes));
   3848     rv = ssl3_UpdateHandshakeHashes(ss, src, bytes);
   3849     if (rv != SECSuccess)
   3850 	return rv;	/* error code set by ssl3_UpdateHandshakeHashes */
   3851 
   3852     while (bytes > room) {
   3853 	if (room > 0)
   3854 	    PORT_Memcpy(ss->sec.ci.sendBuf.buf + ss->sec.ci.sendBuf.len, src,
   3855 	                room);
   3856 	ss->sec.ci.sendBuf.len += room;
   3857 	rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
   3858 	if (rv != SECSuccess) {
   3859 	    return rv;	/* error code set by ssl3_FlushHandshake */
   3860 	}
   3861 	bytes -= room;
   3862 	src += room;
   3863 	room = ss->sec.ci.sendBuf.space;
   3864 	PORT_Assert(ss->sec.ci.sendBuf.len == 0);
   3865     }
   3866     PORT_Memcpy(ss->sec.ci.sendBuf.buf + ss->sec.ci.sendBuf.len, src, bytes);
   3867     ss->sec.ci.sendBuf.len += bytes;
   3868     return SECSuccess;
   3869 }
   3870 
   3871 SECStatus
   3872 ssl3_AppendHandshakeNumber(sslSocket *ss, PRInt32 num, PRInt32 lenSize)
   3873 {
   3874     SECStatus rv;
   3875     PRUint8   b[4];
   3876     PRUint8 * p = b;
   3877 
   3878     switch (lenSize) {
   3879       case 4:
   3880 	*p++ = (num >> 24) & 0xff;
   3881       case 3:
   3882 	*p++ = (num >> 16) & 0xff;
   3883       case 2:
   3884 	*p++ = (num >> 8) & 0xff;
   3885       case 1:
   3886 	*p = num & 0xff;
   3887     }
   3888     SSL_TRC(60, ("%d: number:", SSL_GETPID()));
   3889     rv = ssl3_AppendHandshake(ss, &b[0], lenSize);
   3890     return rv;	/* error code set by AppendHandshake, if applicable. */
   3891 }
   3892 
   3893 SECStatus
   3894 ssl3_AppendHandshakeVariable(
   3895     sslSocket *ss, const SSL3Opaque *src, PRInt32 bytes, PRInt32 lenSize)
   3896 {
   3897     SECStatus rv;
   3898 
   3899     PORT_Assert((bytes < (1<<8) && lenSize == 1) ||
   3900 	      (bytes < (1L<<16) && lenSize == 2) ||
   3901 	      (bytes < (1L<<24) && lenSize == 3));
   3902 
   3903     SSL_TRC(60,("%d: append variable:", SSL_GETPID()));
   3904     rv = ssl3_AppendHandshakeNumber(ss, bytes, lenSize);
   3905     if (rv != SECSuccess) {
   3906 	return rv;	/* error code set by AppendHandshake, if applicable. */
   3907     }
   3908     SSL_TRC(60, ("data:"));
   3909     rv = ssl3_AppendHandshake(ss, src, bytes);
   3910     return rv;	/* error code set by AppendHandshake, if applicable. */
   3911 }
   3912 
   3913 SECStatus
   3914 ssl3_AppendHandshakeHeader(sslSocket *ss, SSL3HandshakeType t, PRUint32 length)
   3915 {
   3916     SECStatus rv;
   3917 
   3918     /* If we already have a message in place, we need to enqueue it.
   3919      * This empties the buffer. This is a convenient place to call
   3920      * dtls_StageHandshakeMessage to mark the message boundary.
   3921      */
   3922     if (IS_DTLS(ss)) {
   3923 	rv = dtls_StageHandshakeMessage(ss);
   3924 	if (rv != SECSuccess) {
   3925 	    return rv;
   3926 	}
   3927     }
   3928 
   3929     SSL_TRC(30,("%d: SSL3[%d]: append handshake header: type %s",
   3930     	SSL_GETPID(), ss->fd, ssl3_DecodeHandshakeType(t)));
   3931 
   3932     rv = ssl3_AppendHandshakeNumber(ss, t, 1);
   3933     if (rv != SECSuccess) {
   3934     	return rv;	/* error code set by AppendHandshake, if applicable. */
   3935     }
   3936     rv = ssl3_AppendHandshakeNumber(ss, length, 3);
   3937     if (rv != SECSuccess) {
   3938     	return rv;	/* error code set by AppendHandshake, if applicable. */
   3939     }
   3940 
   3941     if (IS_DTLS(ss)) {
   3942 	/* Note that we make an unfragmented message here. We fragment in the
   3943 	 * transmission code, if necessary */
   3944 	rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.sendMessageSeq, 2);
   3945 	if (rv != SECSuccess) {
   3946 	    return rv;	/* error code set by AppendHandshake, if applicable. */
   3947 	}
   3948 	ss->ssl3.hs.sendMessageSeq++;
   3949 
   3950 	/* 0 is the fragment offset, because it's not fragmented yet */
   3951 	rv = ssl3_AppendHandshakeNumber(ss, 0, 3);
   3952 	if (rv != SECSuccess) {
   3953 	    return rv;	/* error code set by AppendHandshake, if applicable. */
   3954 	}
   3955 
   3956 	/* Fragment length -- set to the packet length because not fragmented */
   3957 	rv = ssl3_AppendHandshakeNumber(ss, length, 3);
   3958 	if (rv != SECSuccess) {
   3959 	    return rv;	/* error code set by AppendHandshake, if applicable. */
   3960 	}
   3961     }
   3962 
   3963     return rv;		/* error code set by AppendHandshake, if applicable. */
   3964 }
   3965 
   3966 /* ssl3_AppendSignatureAndHashAlgorithm appends the serialisation of
   3967  * |sigAndHash| to the current handshake message. */
   3968 SECStatus
   3969 ssl3_AppendSignatureAndHashAlgorithm(
   3970 	sslSocket *ss, const SSL3SignatureAndHashAlgorithm* sigAndHash)
   3971 {
   3972     unsigned char serialized[2];
   3973 
   3974     serialized[0] = ssl3_OIDToTLSHashAlgorithm(sigAndHash->hashAlg);
   3975     if (serialized[0] == 0) {
   3976 	PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
   3977 	return SECFailure;
   3978     }
   3979 
   3980     serialized[1] = sigAndHash->sigAlg;
   3981 
   3982     return ssl3_AppendHandshake(ss, serialized, sizeof(serialized));
   3983 }
   3984 
   3985 /**************************************************************************
   3986  * Consume Handshake functions.
   3987  *
   3988  * All data used in these functions is protected by two locks,
   3989  * the RecvBufLock and the SSL3HandshakeLock
   3990  **************************************************************************/
   3991 
   3992 /* Read up the next "bytes" number of bytes from the (decrypted) input
   3993  * stream "b" (which is *length bytes long). Copy them into buffer "v".
   3994  * Reduces *length by bytes.  Advances *b by bytes.
   3995  *
   3996  * If this function returns SECFailure, it has already sent an alert,
   3997  * and has set a generic error code.  The caller should probably
   3998  * override the generic error code by setting another.
   3999  */
   4000 SECStatus
   4001 ssl3_ConsumeHandshake(sslSocket *ss, void *v, PRInt32 bytes, SSL3Opaque **b,
   4002 		      PRUint32 *length)
   4003 {
   4004     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
   4005     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
   4006 
   4007     if ((PRUint32)bytes > *length) {
   4008 	return ssl3_DecodeError(ss);
   4009     }
   4010     PORT_Memcpy(v, *b, bytes);
   4011     PRINT_BUF(60, (ss, "consume bytes:", *b, bytes));
   4012     *b      += bytes;
   4013     *length -= bytes;
   4014     return SECSuccess;
   4015 }
   4016 
   4017 /* Read up the next "bytes" number of bytes from the (decrypted) input
   4018  * stream "b" (which is *length bytes long), and interpret them as an
   4019  * integer in network byte order.  Returns the received value.
   4020  * Reduces *length by bytes.  Advances *b by bytes.
   4021  *
   4022  * Returns SECFailure (-1) on failure.
   4023  * This value is indistinguishable from the equivalent received value.
   4024  * Only positive numbers are to be received this way.
   4025  * Thus, the largest value that may be sent this way is 0x7fffffff.
   4026  * On error, an alert has been sent, and a generic error code has been set.
   4027  */
   4028 PRInt32
   4029 ssl3_ConsumeHandshakeNumber(sslSocket *ss, PRInt32 bytes, SSL3Opaque **b,
   4030 			    PRUint32 *length)
   4031 {
   4032     PRUint8  *buf = *b;
   4033     int       i;
   4034     PRInt32   num = 0;
   4035 
   4036     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
   4037     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
   4038     PORT_Assert( bytes <= sizeof num);
   4039 
   4040     if ((PRUint32)bytes > *length) {
   4041 	return ssl3_DecodeError(ss);
   4042     }
   4043     PRINT_BUF(60, (ss, "consume bytes:", *b, bytes));
   4044 
   4045     for (i = 0; i < bytes; i++)
   4046 	num = (num << 8) + buf[i];
   4047     *b      += bytes;
   4048     *length -= bytes;
   4049     return num;
   4050 }
   4051 
   4052 /* Read in two values from the incoming decrypted byte stream "b", which is
   4053  * *length bytes long.  The first value is a number whose size is "bytes"
   4054  * bytes long.  The second value is a byte-string whose size is the value
   4055  * of the first number received.  The latter byte-string, and its length,
   4056  * is returned in the SECItem i.
   4057  *
   4058  * Returns SECFailure (-1) on failure.
   4059  * On error, an alert has been sent, and a generic error code has been set.
   4060  *
   4061  * RADICAL CHANGE for NSS 3.11.  All callers of this function make copies
   4062  * of the data returned in the SECItem *i, so making a copy of it here
   4063  * is simply wasteful.  So, This function now just sets SECItem *i to
   4064  * point to the values in the buffer **b.
   4065  */
   4066 SECStatus
   4067 ssl3_ConsumeHandshakeVariable(sslSocket *ss, SECItem *i, PRInt32 bytes,
   4068 			      SSL3Opaque **b, PRUint32 *length)
   4069 {
   4070     PRInt32   count;
   4071 
   4072     PORT_Assert(bytes <= 3);
   4073     i->len  = 0;
   4074     i->data = NULL;
   4075     count = ssl3_ConsumeHandshakeNumber(ss, bytes, b, length);
   4076     if (count < 0) { 		/* Can't test for SECSuccess here. */
   4077     	return SECFailure;
   4078     }
   4079     if (count > 0) {
   4080 	if ((PRUint32)count > *length) {
   4081 	    return ssl3_DecodeError(ss);
   4082 	}
   4083 	i->data = *b;
   4084 	i->len  = count;
   4085 	*b      += count;
   4086 	*length -= count;
   4087     }
   4088     return SECSuccess;
   4089 }
   4090 
   4091 /* tlsHashOIDMap contains the mapping between TLS hash identifiers and the
   4092  * SECOidTag used internally by NSS. */
   4093 static const struct {
   4094     int tlsHash;
   4095     SECOidTag oid;
   4096 } tlsHashOIDMap[] = {
   4097     { tls_hash_md5, SEC_OID_MD5 },
   4098     { tls_hash_sha1, SEC_OID_SHA1 },
   4099     { tls_hash_sha224, SEC_OID_SHA224 },
   4100     { tls_hash_sha256, SEC_OID_SHA256 },
   4101     { tls_hash_sha384, SEC_OID_SHA384 },
   4102     { tls_hash_sha512, SEC_OID_SHA512 }
   4103 };
   4104 
   4105 /* ssl3_TLSHashAlgorithmToOID converts a TLS hash identifier into an OID value.
   4106  * If the hash is not recognised, SEC_OID_UNKNOWN is returned.
   4107  *
   4108  * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
   4109 SECOidTag
   4110 ssl3_TLSHashAlgorithmToOID(int hashFunc)
   4111 {
   4112     unsigned int i;
   4113 
   4114     for (i = 0; i < PR_ARRAY_SIZE(tlsHashOIDMap); i++) {
   4115 	if (hashFunc == tlsHashOIDMap[i].tlsHash) {
   4116 	    return tlsHashOIDMap[i].oid;
   4117 	}
   4118     }
   4119     return SEC_OID_UNKNOWN;
   4120 }
   4121 
   4122 /* ssl3_OIDToTLSHashAlgorithm converts an OID to a TLS hash algorithm
   4123  * identifier. If the hash is not recognised, zero is returned.
   4124  *
   4125  * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
   4126 static int
   4127 ssl3_OIDToTLSHashAlgorithm(SECOidTag oid)
   4128 {
   4129     unsigned int i;
   4130 
   4131     for (i = 0; i < PR_ARRAY_SIZE(tlsHashOIDMap); i++) {
   4132 	if (oid == tlsHashOIDMap[i].oid) {
   4133 	    return tlsHashOIDMap[i].tlsHash;
   4134 	}
   4135     }
   4136     return 0;
   4137 }
   4138 
   4139 /* ssl3_TLSSignatureAlgorithmForKeyType returns the TLS 1.2 signature algorithm
   4140  * identifier for a given KeyType. */
   4141 static SECStatus
   4142 ssl3_TLSSignatureAlgorithmForKeyType(KeyType keyType,
   4143 				     TLSSignatureAlgorithm *out)
   4144 {
   4145     switch (keyType) {
   4146     case rsaKey:
   4147 	*out = tls_sig_rsa;
   4148 	return SECSuccess;
   4149     case dsaKey:
   4150 	*out = tls_sig_dsa;
   4151 	return SECSuccess;
   4152     case ecKey:
   4153 	*out = tls_sig_ecdsa;
   4154 	return SECSuccess;
   4155     default:
   4156 	PORT_SetError(SEC_ERROR_INVALID_KEY);
   4157 	return SECFailure;
   4158     }
   4159 }
   4160 
   4161 /* ssl3_TLSSignatureAlgorithmForCertificate returns the TLS 1.2 signature
   4162  * algorithm identifier for the given certificate. */
   4163 static SECStatus
   4164 ssl3_TLSSignatureAlgorithmForCertificate(CERTCertificate *cert,
   4165 					 TLSSignatureAlgorithm *out)
   4166 {
   4167     SECKEYPublicKey *key;
   4168     KeyType keyType;
   4169 
   4170     key = CERT_ExtractPublicKey(cert);
   4171     if (key == NULL) {
   4172 	ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
   4173     	return SECFailure;
   4174     }
   4175 
   4176     keyType = key->keyType;
   4177     SECKEY_DestroyPublicKey(key);
   4178     return ssl3_TLSSignatureAlgorithmForKeyType(keyType, out);
   4179 }
   4180 
   4181 /* ssl3_CheckSignatureAndHashAlgorithmConsistency checks that the signature
   4182  * algorithm identifier in |sigAndHash| is consistent with the public key in
   4183  * |cert|. If so, SECSuccess is returned. Otherwise, PORT_SetError is called
   4184  * and SECFailure is returned. */
   4185 SECStatus
   4186 ssl3_CheckSignatureAndHashAlgorithmConsistency(
   4187 	const SSL3SignatureAndHashAlgorithm *sigAndHash, CERTCertificate* cert)
   4188 {
   4189     SECStatus rv;
   4190     TLSSignatureAlgorithm sigAlg;
   4191 
   4192     rv = ssl3_TLSSignatureAlgorithmForCertificate(cert, &sigAlg);
   4193     if (rv != SECSuccess) {
   4194 	return rv;
   4195     }
   4196     if (sigAlg != sigAndHash->sigAlg) {
   4197 	PORT_SetError(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM);
   4198 	return SECFailure;
   4199     }
   4200     return SECSuccess;
   4201 }
   4202 
   4203 /* ssl3_ConsumeSignatureAndHashAlgorithm reads a SignatureAndHashAlgorithm
   4204  * structure from |b| and puts the resulting value into |out|. |b| and |length|
   4205  * are updated accordingly.
   4206  *
   4207  * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
   4208 SECStatus
   4209 ssl3_ConsumeSignatureAndHashAlgorithm(sslSocket *ss,
   4210 				      SSL3Opaque **b,
   4211 				      PRUint32 *length,
   4212 				      SSL3SignatureAndHashAlgorithm *out)
   4213 {
   4214     unsigned char bytes[2];
   4215     SECStatus rv;
   4216 
   4217     rv = ssl3_ConsumeHandshake(ss, bytes, sizeof(bytes), b, length);
   4218     if (rv != SECSuccess) {
   4219 	return rv;
   4220     }
   4221 
   4222     out->hashAlg = ssl3_TLSHashAlgorithmToOID(bytes[0]);
   4223     if (out->hashAlg == SEC_OID_UNKNOWN) {
   4224 	PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
   4225 	return SECFailure;
   4226     }
   4227 
   4228     out->sigAlg = bytes[1];
   4229     return SECSuccess;
   4230 }
   4231 
   4232 /**************************************************************************
   4233  * end of Consume Handshake functions.
   4234  **************************************************************************/
   4235 
   4236 /* Extract the hashes of handshake messages to this point.
   4237  * Called from ssl3_SendCertificateVerify
   4238  *             ssl3_SendFinished
   4239  *             ssl3_HandleHandshakeMessage
   4240  *
   4241  * Caller must hold the SSL3HandshakeLock.
   4242  * Caller must hold a read or write lock on the Spec R/W lock.
   4243  *	(There is presently no way to assert on a Read lock.)
   4244  */
   4245 static SECStatus
   4246 ssl3_ComputeHandshakeHashes(sslSocket *     ss,
   4247                             ssl3CipherSpec *spec,   /* uses ->master_secret */
   4248 			    SSL3Hashes *    hashes, /* output goes here. */
   4249 			    PRUint32        sender)
   4250 {
   4251     SECStatus     rv        = SECSuccess;
   4252     PRBool        isTLS     = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0);
   4253     unsigned int  outLength;
   4254     SSL3Opaque    md5_inner[MAX_MAC_LENGTH];
   4255     SSL3Opaque    sha_inner[MAX_MAC_LENGTH];
   4256 
   4257     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
   4258     hashes->hashAlg = SEC_OID_UNKNOWN;
   4259 
   4260 #ifndef NO_PKCS11_BYPASS
   4261     if (ss->opt.bypassPKCS11 &&
   4262 	ss->ssl3.hs.hashType == handshake_hash_single) {
   4263 	/* compute them without PKCS11 */
   4264 	PRUint64      sha_cx[MAX_MAC_CONTEXT_LLONGS];
   4265 
   4266 	if (!spec->msItem.data) {
   4267 	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
   4268 	    return SECFailure;
   4269 	}
   4270 
   4271 	ss->ssl3.hs.sha_clone(sha_cx, ss->ssl3.hs.sha_cx);
   4272 	ss->ssl3.hs.sha_obj->end(sha_cx, hashes->u.raw, &hashes->len,
   4273 				 sizeof(hashes->u.raw));
   4274 
   4275 	PRINT_BUF(60, (NULL, "SHA-256: result", hashes->u.raw, hashes->len));
   4276 
   4277 	/* If we ever support ciphersuites where the PRF hash isn't SHA-256
   4278 	 * then this will need to be updated. */
   4279 	hashes->hashAlg = SEC_OID_SHA256;
   4280 	rv = SECSuccess;
   4281     } else if (ss->opt.bypassPKCS11) {
   4282 	/* compute them without PKCS11 */
   4283 	PRUint64      md5_cx[MAX_MAC_CONTEXT_LLONGS];
   4284 	PRUint64      sha_cx[MAX_MAC_CONTEXT_LLONGS];
   4285 
   4286 #define md5cx ((MD5Context *)md5_cx)
   4287 #define shacx ((SHA1Context *)sha_cx)
   4288 
   4289 	if (!spec->msItem.data) {
   4290 	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
   4291 	    return SECFailure;
   4292 	}
   4293 
   4294 	MD5_Clone (md5cx,  (MD5Context *)ss->ssl3.hs.md5_cx);
   4295 	SHA1_Clone(shacx, (SHA1Context *)ss->ssl3.hs.sha_cx);
   4296 
   4297 	if (!isTLS) {
   4298 	    /* compute hashes for SSL3. */
   4299 	    unsigned char s[4];
   4300 
   4301 	    s[0] = (unsigned char)(sender >> 24);
   4302 	    s[1] = (unsigned char)(sender >> 16);
   4303 	    s[2] = (unsigned char)(sender >> 8);
   4304 	    s[3] = (unsigned char)sender;
   4305 
   4306 	    if (sender != 0) {
   4307 		MD5_Update(md5cx, s, 4);
   4308 		PRINT_BUF(95, (NULL, "MD5 inner: sender", s, 4));
   4309 	    }
   4310 
   4311 	    PRINT_BUF(95, (NULL, "MD5 inner: MAC Pad 1", mac_pad_1,
   4312 			    mac_defs[mac_md5].pad_size));
   4313 
   4314 	    MD5_Update(md5cx, spec->msItem.data, spec->msItem.len);
   4315 	    MD5_Update(md5cx, mac_pad_1, mac_defs[mac_md5].pad_size);
   4316 	    MD5_End(md5cx, md5_inner, &outLength, MD5_LENGTH);
   4317 
   4318 	    PRINT_BUF(95, (NULL, "MD5 inner: result", md5_inner, outLength));
   4319 
   4320 	    if (sender != 0) {
   4321 		SHA1_Update(shacx, s, 4);
   4322 		PRINT_BUF(95, (NULL, "SHA inner: sender", s, 4));
   4323 	    }
   4324 
   4325 	    PRINT_BUF(95, (NULL, "SHA inner: MAC Pad 1", mac_pad_1,
   4326 			    mac_defs[mac_sha].pad_size));
   4327 
   4328 	    SHA1_Update(shacx, spec->msItem.data, spec->msItem.len);
   4329 	    SHA1_Update(shacx, mac_pad_1, mac_defs[mac_sha].pad_size);
   4330 	    SHA1_End(shacx, sha_inner, &outLength, SHA1_LENGTH);
   4331 
   4332 	    PRINT_BUF(95, (NULL, "SHA inner: result", sha_inner, outLength));
   4333 	    PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2,
   4334 			    mac_defs[mac_md5].pad_size));
   4335 	    PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH));
   4336 
   4337 	    MD5_Begin(md5cx);
   4338 	    MD5_Update(md5cx, spec->msItem.data, spec->msItem.len);
   4339 	    MD5_Update(md5cx, mac_pad_2, mac_defs[mac_md5].pad_size);
   4340 	    MD5_Update(md5cx, md5_inner, MD5_LENGTH);
   4341 	}
   4342 	MD5_End(md5cx, hashes->u.s.md5, &outLength, MD5_LENGTH);
   4343 
   4344 	PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->u.s.md5, MD5_LENGTH));
   4345 
   4346 	if (!isTLS) {
   4347 	    PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2,
   4348 			    mac_defs[mac_sha].pad_size));
   4349 	    PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH));
   4350 
   4351 	    SHA1_Begin(shacx);
   4352 	    SHA1_Update(shacx, spec->msItem.data, spec->msItem.len);
   4353 	    SHA1_Update(shacx, mac_pad_2, mac_defs[mac_sha].pad_size);
   4354 	    SHA1_Update(shacx, sha_inner, SHA1_LENGTH);
   4355 	}
   4356 	SHA1_End(shacx, hashes->u.s.sha, &outLength, SHA1_LENGTH);
   4357 
   4358 	PRINT_BUF(60, (NULL, "SHA outer: result", hashes->u.s.sha, SHA1_LENGTH));
   4359 
   4360 	hashes->len = MD5_LENGTH + SHA1_LENGTH;
   4361 	rv = SECSuccess;
   4362 #undef md5cx
   4363 #undef shacx
   4364     } else
   4365 #endif
   4366     if (ss->ssl3.hs.hashType == handshake_hash_single) {
   4367 	/* compute hashes with PKCS11 */
   4368 	PK11Context *h;
   4369 	unsigned int  stateLen;
   4370 	unsigned char stackBuf[1024];
   4371 	unsigned char *stateBuf = NULL;
   4372 
   4373 	if (!spec->master_secret) {
   4374 	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
   4375 	    return SECFailure;
   4376 	}
   4377 
   4378 	h = ss->ssl3.hs.sha;
   4379 	stateBuf = PK11_SaveContextAlloc(h, stackBuf,
   4380 					 sizeof(stackBuf), &stateLen);
   4381 	if (stateBuf == NULL) {
   4382 	    ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
   4383 	    goto tls12_loser;
   4384 	}
   4385 	rv |= PK11_DigestFinal(h, hashes->u.raw, &hashes->len,
   4386 			       sizeof(hashes->u.raw));
   4387 	if (rv != SECSuccess) {
   4388 	    ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
   4389 	    rv = SECFailure;
   4390 	    goto tls12_loser;
   4391 	}
   4392 	/* If we ever support ciphersuites where the PRF hash isn't SHA-256
   4393 	 * then this will need to be updated. */
   4394 	hashes->hashAlg = SEC_OID_SHA256;
   4395 	rv = SECSuccess;
   4396 
   4397 tls12_loser:
   4398 	if (stateBuf) {
   4399 	    if (PK11_RestoreContext(h, stateBuf, stateLen) != SECSuccess) {
   4400 		ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
   4401 		rv = SECFailure;
   4402 	    }
   4403 	    if (stateBuf != stackBuf) {
   4404 		PORT_ZFree(stateBuf, stateLen);
   4405 	    }
   4406 	}
   4407     } else {
   4408 	/* compute hashes with PKCS11 */
   4409 	PK11Context * md5;
   4410 	PK11Context * sha       = NULL;
   4411 	unsigned char *md5StateBuf = NULL;
   4412 	unsigned char *shaStateBuf = NULL;
   4413 	unsigned int  md5StateLen, shaStateLen;
   4414 	unsigned char md5StackBuf[256];
   4415 	unsigned char shaStackBuf[512];
   4416 
   4417 	if (!spec->master_secret) {
   4418 	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
   4419 	    return SECFailure;
   4420 	}
   4421 
   4422 	md5StateBuf = PK11_SaveContextAlloc(ss->ssl3.hs.md5, md5StackBuf,
   4423 					    sizeof md5StackBuf, &md5StateLen);
   4424 	if (md5StateBuf == NULL) {
   4425 	    ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
   4426 	    goto loser;
   4427 	}
   4428 	md5 = ss->ssl3.hs.md5;
   4429 
   4430 	shaStateBuf = PK11_SaveContextAlloc(ss->ssl3.hs.sha, shaStackBuf,
   4431 					    sizeof shaStackBuf, &shaStateLen);
   4432 	if (shaStateBuf == NULL) {
   4433 	    ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
   4434 	    goto loser;
   4435 	}
   4436 	sha = ss->ssl3.hs.sha;
   4437 
   4438 	if (!isTLS) {
   4439 	    /* compute hashes for SSL3. */
   4440 	    unsigned char s[4];
   4441 
   4442 	    s[0] = (unsigned char)(sender >> 24);
   4443 	    s[1] = (unsigned char)(sender >> 16);
   4444 	    s[2] = (unsigned char)(sender >> 8);
   4445 	    s[3] = (unsigned char)sender;
   4446 
   4447 	    if (sender != 0) {
   4448 		rv |= PK11_DigestOp(md5, s, 4);
   4449 		PRINT_BUF(95, (NULL, "MD5 inner: sender", s, 4));
   4450 	    }
   4451 
   4452 	    PRINT_BUF(95, (NULL, "MD5 inner: MAC Pad 1", mac_pad_1,
   4453 			  mac_defs[mac_md5].pad_size));
   4454 
   4455 	    rv |= PK11_DigestKey(md5,spec->master_secret);
   4456 	    rv |= PK11_DigestOp(md5, mac_pad_1, mac_defs[mac_md5].pad_size);
   4457 	    rv |= PK11_DigestFinal(md5, md5_inner, &outLength, MD5_LENGTH);
   4458 	    PORT_Assert(rv != SECSuccess || outLength == MD5_LENGTH);
   4459 	    if (rv != SECSuccess) {
   4460 		ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
   4461 		rv = SECFailure;
   4462 		goto loser;
   4463 	    }
   4464 
   4465 	    PRINT_BUF(95, (NULL, "MD5 inner: result", md5_inner, outLength));
   4466 
   4467 	    if (sender != 0) {
   4468 		rv |= PK11_DigestOp(sha, s, 4);
   4469 		PRINT_BUF(95, (NULL, "SHA inner: sender", s, 4));
   4470 	    }
   4471 
   4472 	    PRINT_BUF(95, (NULL, "SHA inner: MAC Pad 1", mac_pad_1,
   4473 			  mac_defs[mac_sha].pad_size));
   4474 
   4475 	    rv |= PK11_DigestKey(sha, spec->master_secret);
   4476 	    rv |= PK11_DigestOp(sha, mac_pad_1, mac_defs[mac_sha].pad_size);
   4477 	    rv |= PK11_DigestFinal(sha, sha_inner, &outLength, SHA1_LENGTH);
   4478 	    PORT_Assert(rv != SECSuccess || outLength == SHA1_LENGTH);
   4479 	    if (rv != SECSuccess) {
   4480 		ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
   4481 		rv = SECFailure;
   4482 		goto loser;
   4483 	    }
   4484 
   4485 	    PRINT_BUF(95, (NULL, "SHA inner: result", sha_inner, outLength));
   4486 
   4487 	    PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2,
   4488 			  mac_defs[mac_md5].pad_size));
   4489 	    PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH));
   4490 
   4491 	    rv |= PK11_DigestBegin(md5);
   4492 	    rv |= PK11_DigestKey(md5, spec->master_secret);
   4493 	    rv |= PK11_DigestOp(md5, mac_pad_2, mac_defs[mac_md5].pad_size);
   4494 	    rv |= PK11_DigestOp(md5, md5_inner, MD5_LENGTH);
   4495 	}
   4496 	rv |= PK11_DigestFinal(md5, hashes->u.s.md5, &outLength, MD5_LENGTH);
   4497 	PORT_Assert(rv != SECSuccess || outLength == MD5_LENGTH);
   4498 	if (rv != SECSuccess) {
   4499 	    ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
   4500 	    rv = SECFailure;
   4501 	    goto loser;
   4502 	}
   4503 
   4504 	PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->u.s.md5, MD5_LENGTH));
   4505 
   4506 	if (!isTLS) {
   4507 	    PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2,
   4508 			  mac_defs[mac_sha].pad_size));
   4509 	    PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH));
   4510 
   4511 	    rv |= PK11_DigestBegin(sha);
   4512 	    rv |= PK11_DigestKey(sha,spec->master_secret);
   4513 	    rv |= PK11_DigestOp(sha, mac_pad_2, mac_defs[mac_sha].pad_size);
   4514 	    rv |= PK11_DigestOp(sha, sha_inner, SHA1_LENGTH);
   4515 	}
   4516 	rv |= PK11_DigestFinal(sha, hashes->u.s.sha, &outLength, SHA1_LENGTH);
   4517 	PORT_Assert(rv != SECSuccess || outLength == SHA1_LENGTH);
   4518 	if (rv != SECSuccess) {
   4519 	    ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
   4520 	    rv = SECFailure;
   4521 	    goto loser;
   4522 	}
   4523 
   4524 	PRINT_BUF(60, (NULL, "SHA outer: result", hashes->u.s.sha, SHA1_LENGTH));
   4525 
   4526 	hashes->len = MD5_LENGTH + SHA1_LENGTH;
   4527 	rv = SECSuccess;
   4528 
   4529     loser:
   4530 	if (md5StateBuf) {
   4531 	    if (PK11_RestoreContext(ss->ssl3.hs.md5, md5StateBuf, md5StateLen)
   4532 		 != SECSuccess)
   4533 	    {
   4534 		ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
   4535 		rv = SECFailure;
   4536 	    }
   4537 	    if (md5StateBuf != md5StackBuf) {
   4538 		PORT_ZFree(md5StateBuf, md5StateLen);
   4539 	    }
   4540 	}
   4541 	if (shaStateBuf) {
   4542 	    if (PK11_RestoreContext(ss->ssl3.hs.sha, shaStateBuf, shaStateLen)
   4543 		 != SECSuccess)
   4544 	    {
   4545 		ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
   4546 		rv = SECFailure;
   4547 	    }
   4548 	    if (shaStateBuf != shaStackBuf) {
   4549 		PORT_ZFree(shaStateBuf, shaStateLen);
   4550 	    }
   4551 	}
   4552     }
   4553     return rv;
   4554 }
   4555 
   4556 static SECStatus
   4557 ssl3_ComputeBackupHandshakeHashes(sslSocket * ss,
   4558 				  SSL3Hashes * hashes) /* output goes here. */
   4559 {
   4560     SECStatus rv = SECSuccess;
   4561 
   4562     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
   4563     PORT_Assert( ss->ssl3.hs.hashType == handshake_hash_single );
   4564 
   4565     rv = PK11_DigestFinal(ss->ssl3.hs.md5, hashes->u.raw, &hashes->len,
   4566 			  sizeof(hashes->u.raw));
   4567     if (rv != SECSuccess) {
   4568 	ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
   4569 	rv = SECFailure;
   4570 	goto loser;
   4571     }
   4572     hashes->hashAlg = SEC_OID_SHA1;
   4573 
   4574 loser:
   4575     PK11_DestroyContext(ss->ssl3.hs.md5, PR_TRUE);
   4576     ss->ssl3.hs.md5 = NULL;
   4577     return rv;
   4578 }
   4579 
   4580 /*
   4581  * SSL 2 based implementations pass in the initial outbound buffer
   4582  * so that the handshake hash can contain the included information.
   4583  *
   4584  * Called from ssl2_BeginClientHandshake() in sslcon.c
   4585  */
   4586 SECStatus
   4587 ssl3_StartHandshakeHash(sslSocket *ss, unsigned char * buf, int length)
   4588 {
   4589     SECStatus rv;
   4590 
   4591     ssl_GetSSL3HandshakeLock(ss);  /**************************************/
   4592 
   4593     rv = ssl3_InitState(ss);
   4594     if (rv != SECSuccess) {
   4595 	goto done;		/* ssl3_InitState has set the error code. */
   4596     }
   4597     rv = ssl3_RestartHandshakeHashes(ss);
   4598     if (rv != SECSuccess) {
   4599 	goto done;
   4600     }
   4601 
   4602     PORT_Memset(&ss->ssl3.hs.client_random, 0, SSL3_RANDOM_LENGTH);
   4603     PORT_Memcpy(
   4604 	&ss->ssl3.hs.client_random.rand[SSL3_RANDOM_LENGTH - SSL_CHALLENGE_BYTES],
   4605 	&ss->sec.ci.clientChallenge,
   4606 	SSL_CHALLENGE_BYTES);
   4607 
   4608     rv = ssl3_UpdateHandshakeHashes(ss, buf, length);
   4609     /* if it failed, ssl3_UpdateHandshakeHashes has set the error code. */
   4610 
   4611 done:
   4612     ssl_ReleaseSSL3HandshakeLock(ss);  /**************************************/
   4613     return rv;
   4614 }
   4615 
   4616 /**************************************************************************
   4617  * end of Handshake Hash functions.
   4618  * Begin Send and Handle functions for handshakes.
   4619  **************************************************************************/
   4620 
   4621 /* Called from ssl3_HandleHelloRequest(),
   4622  *             ssl3_RedoHandshake()
   4623  *             ssl2_BeginClientHandshake (when resuming ssl3 session)
   4624  *             dtls_HandleHelloVerifyRequest(with resending=PR_TRUE)
   4625  */
   4626 SECStatus
   4627 ssl3_SendClientHello(sslSocket *ss, PRBool resending)
   4628 {
   4629     sslSessionID *   sid;
   4630     ssl3CipherSpec * cwSpec;
   4631     SECStatus        rv;
   4632     int              i;
   4633     int              length;
   4634     int              num_suites;
   4635     int              actual_count = 0;
   4636     PRBool           isTLS = PR_FALSE;
   4637     PRBool           requestingResume = PR_FALSE;
   4638     PRInt32          total_exten_len = 0;
   4639     unsigned         numCompressionMethods;
   4640     PRInt32          flags;
   4641 
   4642     SSL_TRC(3, ("%d: SSL3[%d]: send client_hello handshake", SSL_GETPID(),
   4643 		ss->fd));
   4644 
   4645     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
   4646     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
   4647 
   4648     rv = ssl3_InitState(ss);
   4649     if (rv != SECSuccess) {
   4650 	return rv;		/* ssl3_InitState has set the error code. */
   4651     }
   4652     ss->ssl3.hs.sendingSCSV = PR_FALSE; /* Must be reset every handshake */
   4653     PORT_Assert(IS_DTLS(ss) || !resending);
   4654 
   4655     /* We might be starting a session renegotiation in which case we should
   4656      * clear previous state.
   4657      */
   4658     PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
   4659 
   4660     rv = ssl3_RestartHandshakeHashes(ss);
   4661     if (rv != SECSuccess) {
   4662 	return rv;
   4663     }
   4664 
   4665     /*
   4666      * During a renegotiation, ss->clientHelloVersion will be used again to
   4667      * work around a Windows SChannel bug. Ensure that it is still enabled.
   4668      */
   4669     if (ss->firstHsDone) {
   4670 	if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
   4671 	    PORT_SetError(SSL_ERROR_SSL_DISABLED);
   4672 	    return SECFailure;
   4673 	}
   4674 
   4675 	if (ss->clientHelloVersion < ss->vrange.min ||
   4676 	    ss->clientHelloVersion > ss->vrange.max) {
   4677 	    PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
   4678 	    return SECFailure;
   4679 	}
   4680     }
   4681 
   4682     /* We ignore ss->sec.ci.sid here, and use ssl_Lookup because Lookup
   4683      * handles expired entries and other details.
   4684      * XXX If we've been called from ssl2_BeginClientHandshake, then
   4685      * this lookup is duplicative and wasteful.
   4686      */
   4687     sid = (ss->opt.noCache) ? NULL
   4688 	    : ssl_LookupSID(&ss->sec.ci.peer, ss->sec.ci.port, ss->peerID, ss->url);
   4689 
   4690     /* We can't resume based on a different token. If the sid exists,
   4691      * make sure the token that holds the master secret still exists ...
   4692      * If we previously did client-auth, make sure that the token that holds
   4693      * the private key still exists, is logged in, hasn't been removed, etc.
   4694      */
   4695     if (sid) {
   4696 	PRBool sidOK = PR_TRUE;
   4697 	if (sid->u.ssl3.keys.msIsWrapped) {
   4698 	    /* Session key was wrapped, which means it was using PKCS11, */
   4699 	    PK11SlotInfo *slot = NULL;
   4700 	    if (sid->u.ssl3.masterValid && !ss->opt.bypassPKCS11) {
   4701 		slot = SECMOD_LookupSlot(sid->u.ssl3.masterModuleID,
   4702 					 sid->u.ssl3.masterSlotID);
   4703 	    }
   4704 	    if (slot == NULL) {
   4705 	       sidOK = PR_FALSE;
   4706 	    } else {
   4707 		PK11SymKey *wrapKey = NULL;
   4708 		if (!PK11_IsPresent(slot) ||
   4709 		    ((wrapKey = PK11_GetWrapKey(slot,
   4710 						sid->u.ssl3.masterWrapIndex,
   4711 						sid->u.ssl3.masterWrapMech,
   4712 						sid->u.ssl3.masterWrapSeries,
   4713 						ss->pkcs11PinArg)) == NULL) ) {
   4714 		    sidOK = PR_FALSE;
   4715 		}
   4716 		if (wrapKey) PK11_FreeSymKey(wrapKey);
   4717 		PK11_FreeSlot(slot);
   4718 		slot = NULL;
   4719 	    }
   4720 	}
   4721 	/* If we previously did client-auth, make sure that the token that
   4722 	** holds the private key still exists, is logged in, hasn't been
   4723 	** removed, etc.
   4724 	*/
   4725 	if (sidOK && !ssl3_ClientAuthTokenPresent(sid)) {
   4726 	    sidOK = PR_FALSE;
   4727 	}
   4728 
   4729 	/* TLS 1.0 (RFC 2246) Appendix E says:
   4730 	 *   Whenever a client already knows the highest protocol known to
   4731 	 *   a server (for example, when resuming a session), it should
   4732 	 *   initiate the connection in that native protocol.
   4733 	 * So we pass sid->version to ssl3_NegotiateVersion() here, except
   4734 	 * when renegotiating.
   4735 	 *
   4736 	 * Windows SChannel compares the client_version inside the RSA
   4737 	 * EncryptedPreMasterSecret of a renegotiation with the
   4738 	 * client_version of the initial ClientHello rather than the
   4739 	 * ClientHello in the renegotiation. To work around this bug, we
   4740 	 * continue to use the client_version used in the initial
   4741 	 * ClientHello when renegotiating.
   4742 	 */
   4743 	if (sidOK) {
   4744 	    if (ss->firstHsDone) {
   4745 		/*
   4746 		 * The client_version of the initial ClientHello is still
   4747 		 * available in ss->clientHelloVersion. Ensure that
   4748 		 * sid->version is bounded within
   4749 		 * [ss->vrange.min, ss->clientHelloVersion], otherwise we
   4750 		 * can't use sid.
   4751 		 */
   4752 		if (sid->version >= ss->vrange.min &&
   4753 		    sid->version <= ss->clientHelloVersion) {
   4754 		    ss->version = ss->clientHelloVersion;
   4755 		} else {
   4756 		    sidOK = PR_FALSE;
   4757 		}
   4758 	    } else {
   4759 		if (ssl3_NegotiateVersion(ss, sid->version,
   4760 					  PR_FALSE) != SECSuccess) {
   4761 		    sidOK = PR_FALSE;
   4762 		}
   4763 	    }
   4764 	}
   4765 
   4766 	if (!sidOK) {
   4767 	    SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_not_ok );
   4768 	    if (ss->sec.uncache)
   4769                 (*ss->sec.uncache)(sid);
   4770 	    ssl_FreeSID(sid);
   4771 	    sid = NULL;
   4772 	}
   4773     }
   4774 
   4775     if (sid) {
   4776 	requestingResume = PR_TRUE;
   4777 	SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_hits );
   4778 
   4779 	/* Are we attempting a stateless session resume? */
   4780 	if (sid->version > SSL_LIBRARY_VERSION_3_0 &&
   4781 	    sid->u.ssl3.sessionTicket.ticket.data)
   4782 	    SSL_AtomicIncrementLong(& ssl3stats.sch_sid_stateless_resumes );
   4783 
   4784 	PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl3.sessionID,
   4785 		      sid->u.ssl3.sessionIDLength));
   4786 
   4787 	ss->ssl3.policy = sid->u.ssl3.policy;
   4788     } else {
   4789 	SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_misses );
   4790 
   4791 	/*
   4792 	 * Windows SChannel compares the client_version inside the RSA
   4793 	 * EncryptedPreMasterSecret of a renegotiation with the
   4794 	 * client_version of the initial ClientHello rather than the
   4795 	 * ClientHello in the renegotiation. To work around this bug, we
   4796 	 * continue to use the client_version used in the initial
   4797 	 * ClientHello when renegotiating.
   4798 	 */
   4799 	if (ss->firstHsDone) {
   4800 	    ss->version = ss->clientHelloVersion;
   4801 	} else {
   4802 	    rv = ssl3_NegotiateVersion(ss, SSL_LIBRARY_VERSION_MAX_SUPPORTED,
   4803 				       PR_TRUE);
   4804 	    if (rv != SECSuccess)
   4805 		return rv;	/* error code was set */
   4806 	}
   4807 
   4808 	sid = ssl3_NewSessionID(ss, PR_FALSE);
   4809 	if (!sid) {
   4810 	    return SECFailure;	/* memory error is set */
   4811         }
   4812     }
   4813 
   4814     isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0);
   4815     ssl_GetSpecWriteLock(ss);
   4816     cwSpec = ss->ssl3.cwSpec;
   4817     if (cwSpec->mac_def->mac == mac_null) {
   4818 	/* SSL records are not being MACed. */
   4819 	cwSpec->version = ss->version;
   4820     }
   4821     ssl_ReleaseSpecWriteLock(ss);
   4822 
   4823     if (ss->sec.ci.sid != NULL) {
   4824 	ssl_FreeSID(ss->sec.ci.sid);	/* decrement ref count, free if zero */
   4825     }
   4826     ss->sec.ci.sid = sid;
   4827 
   4828     ss->sec.send = ssl3_SendApplicationData;
   4829 
   4830     /* shouldn't get here if SSL3 is disabled, but ... */
   4831     if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
   4832 	PR_NOT_REACHED("No versions of SSL 3.0 or later are enabled");
   4833 	PORT_SetError(SSL_ERROR_SSL_DISABLED);
   4834     	return SECFailure;
   4835     }
   4836 
   4837     /* how many suites does our PKCS11 support (regardless of policy)? */
   4838     num_suites = ssl3_config_match_init(ss);
   4839     if (!num_suites)
   4840     	return SECFailure;	/* ssl3_config_match_init has set error code. */
   4841 
   4842     /* HACK for SCSV in SSL 3.0.  On initial handshake, prepend SCSV,
   4843      * only if TLS is disabled.
   4844      */
   4845     if (!ss->firstHsDone && !isTLS) {
   4846 	/* Must set this before calling Hello Extension Senders,
   4847 	 * to suppress sending of empty RI extension.
   4848 	 */
   4849 	ss->ssl3.hs.sendingSCSV = PR_TRUE;
   4850     }
   4851 
   4852     if (isTLS || (ss->firstHsDone && ss->peerRequestedProtection)) {
   4853 	PRUint32 maxBytes = 65535; /* 2^16 - 1 */
   4854 	PRInt32  extLen;
   4855 
   4856 	extLen = ssl3_CallHelloExtensionSenders(ss, PR_FALSE, maxBytes, NULL);
   4857 	if (extLen < 0) {
   4858 	    return SECFailure;
   4859 	}
   4860 	maxBytes        -= extLen;
   4861 	total_exten_len += extLen;
   4862 
   4863 	if (total_exten_len > 0)
   4864 	    total_exten_len += 2;
   4865     }
   4866 
   4867 #if defined(NSS_ENABLE_ECC)
   4868     if (!total_exten_len || !isTLS) {
   4869 	/* not sending the elliptic_curves and ec_point_formats extensions */
   4870     	ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */
   4871     }
   4872 #endif
   4873 
   4874     if (IS_DTLS(ss)) {
   4875 	ssl3_DisableNonDTLSSuites(ss);
   4876     }
   4877 
   4878     /* how many suites are permitted by policy and user preference? */
   4879     num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE);
   4880     if (!num_suites)
   4881     	return SECFailure;	/* count_cipher_suites has set error code. */
   4882     if (ss->ssl3.hs.sendingSCSV) {
   4883 	++num_suites;   /* make room for SCSV */
   4884     }
   4885 
   4886     /* count compression methods */
   4887     numCompressionMethods = 0;
   4888     for (i = 0; i < compressionMethodsCount; i++) {
   4889 	if (compressionEnabled(ss, compressions[i]))
   4890 	    numCompressionMethods++;
   4891     }
   4892 
   4893     length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH +
   4894 	1 + ((sid == NULL) ? 0 : sid->u.ssl3.sessionIDLength) +
   4895 	2 + num_suites*sizeof(ssl3CipherSuite) +
   4896 	1 + numCompressionMethods + total_exten_len;
   4897     if (IS_DTLS(ss)) {
   4898 	length += 1 + ss->ssl3.hs.cookieLen;
   4899     }
   4900 
   4901     rv = ssl3_AppendHandshakeHeader(ss, client_hello, length);
   4902     if (rv != SECSuccess) {
   4903 	return rv;	/* err set by ssl3_AppendHandshake* */
   4904     }
   4905 
   4906     if (ss->firstHsDone) {
   4907 	/* The client hello version must stay unchanged to work around
   4908 	 * the Windows SChannel bug described above. */
   4909 	PORT_Assert(ss->version == ss->clientHelloVersion);
   4910     }
   4911     ss->clientHelloVersion = ss->version;
   4912     if (IS_DTLS(ss)) {
   4913 	PRUint16 version;
   4914 
   4915 	version = dtls_TLSVersionToDTLSVersion(ss->clientHelloVersion);
   4916 	rv = ssl3_AppendHandshakeNumber(ss, version, 2);
   4917     } else {
   4918 	rv = ssl3_AppendHandshakeNumber(ss, ss->clientHelloVersion, 2);
   4919     }
   4920     if (rv != SECSuccess) {
   4921 	return rv;	/* err set by ssl3_AppendHandshake* */
   4922     }
   4923 
   4924     if (!resending) { /* Don't re-generate if we are in DTLS re-sending mode */
   4925 	rv = ssl3_GetNewRandom(&ss->ssl3.hs.client_random);
   4926 	if (rv != SECSuccess) {
   4927 	    return rv;	/* err set by GetNewRandom. */
   4928 	}
   4929     }
   4930     rv = ssl3_AppendHandshake(ss, &ss->ssl3.hs.client_random,
   4931                               SSL3_RANDOM_LENGTH);
   4932     if (rv != SECSuccess) {
   4933 	return rv;	/* err set by ssl3_AppendHandshake* */
   4934     }
   4935 
   4936     if (sid)
   4937 	rv = ssl3_AppendHandshakeVariable(
   4938 	    ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1);
   4939     else
   4940 	rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
   4941     if (rv != SECSuccess) {
   4942 	return rv;	/* err set by ssl3_AppendHandshake* */
   4943     }
   4944 
   4945     if (IS_DTLS(ss)) {
   4946 	rv = ssl3_AppendHandshakeVariable(
   4947 	    ss, ss->ssl3.hs.cookie, ss->ssl3.hs.cookieLen, 1);
   4948 	if (rv != SECSuccess) {
   4949 	    return rv;	/* err set by ssl3_AppendHandshake* */
   4950 	}
   4951     }
   4952 
   4953     rv = ssl3_AppendHandshakeNumber(ss, num_suites*sizeof(ssl3CipherSuite), 2);
   4954     if (rv != SECSuccess) {
   4955 	return rv;	/* err set by ssl3_AppendHandshake* */
   4956     }
   4957 
   4958     if (ss->ssl3.hs.sendingSCSV) {
   4959 	/* Add the actual SCSV */
   4960 	rv = ssl3_AppendHandshakeNumber(ss, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
   4961 					sizeof(ssl3CipherSuite));
   4962 	if (rv != SECSuccess) {
   4963 	    return rv;	/* err set by ssl3_AppendHandshake* */
   4964 	}
   4965 	actual_count++;
   4966     }
   4967     for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
   4968 	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
   4969 	if (config_match(suite, ss->ssl3.policy, PR_TRUE)) {
   4970 	    actual_count++;
   4971 	    if (actual_count > num_suites) {
   4972 		/* set error card removal/insertion error */
   4973 		PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
   4974 		return SECFailure;
   4975 	    }
   4976 	    rv = ssl3_AppendHandshakeNumber(ss, suite->cipher_suite,
   4977 					    sizeof(ssl3CipherSuite));
   4978 	    if (rv != SECSuccess) {
   4979 		return rv;	/* err set by ssl3_AppendHandshake* */
   4980 	    }
   4981 	}
   4982     }
   4983 
   4984     /* if cards were removed or inserted between count_cipher_suites and
   4985      * generating our list, detect the error here rather than send it off to
   4986      * the server.. */
   4987     if (actual_count != num_suites) {
   4988 	/* Card removal/insertion error */
   4989 	PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
   4990 	return SECFailure;
   4991     }
   4992 
   4993     rv = ssl3_AppendHandshakeNumber(ss, numCompressionMethods, 1);
   4994     if (rv != SECSuccess) {
   4995 	return rv;	/* err set by ssl3_AppendHandshake* */
   4996     }
   4997     for (i = 0; i < compressionMethodsCount; i++) {
   4998 	if (!compressionEnabled(ss, compressions[i]))
   4999 	    continue;
   5000 	rv = ssl3_AppendHandshakeNumber(ss, compressions[i], 1);
   5001 	if (rv != SECSuccess) {
   5002 	    return rv;	/* err set by ssl3_AppendHandshake* */
   5003 	}
   5004     }
   5005 
   5006     if (total_exten_len) {
   5007 	PRUint32 maxBytes = total_exten_len - 2;
   5008 	PRInt32  extLen;
   5009 
   5010 	rv = ssl3_AppendHandshakeNumber(ss, maxBytes, 2);
   5011 	if (rv != SECSuccess) {
   5012 	    return rv;	/* err set by AppendHandshake. */
   5013 	}
   5014 
   5015 	extLen = ssl3_CallHelloExtensionSenders(ss, PR_TRUE, maxBytes, NULL);
   5016 	if (extLen < 0) {
   5017 	    return SECFailure;
   5018 	}
   5019 	maxBytes -= extLen;
   5020 	PORT_Assert(!maxBytes);
   5021     }
   5022     if (ss->ssl3.hs.sendingSCSV) {
   5023 	/* Since we sent the SCSV, pretend we sent empty RI extension. */
   5024 	TLSExtensionData *xtnData = &ss->xtnData;
   5025 	xtnData->advertised[xtnData->numAdvertised++] =
   5026 	    ssl_renegotiation_info_xtn;
   5027     }
   5028 
   5029     flags = 0;
   5030     if (!ss->firstHsDone && !requestingResume && !IS_DTLS(ss)) {
   5031 	flags |= ssl_SEND_FLAG_CAP_RECORD_VERSION;
   5032     }
   5033     rv = ssl3_FlushHandshake(ss, flags);
   5034     if (rv != SECSuccess) {
   5035 	return rv;	/* error code set by ssl3_FlushHandshake */
   5036     }
   5037 
   5038     ss->ssl3.hs.ws = wait_server_hello;
   5039     return rv;
   5040 }
   5041 
   5042 
   5043 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
   5044  * ssl3 Hello Request.
   5045  * Caller must hold Handshake and RecvBuf locks.
   5046  */
   5047 static SECStatus
   5048 ssl3_HandleHelloRequest(sslSocket *ss)
   5049 {
   5050     sslSessionID *sid = ss->sec.ci.sid;
   5051     SECStatus     rv;
   5052 
   5053     SSL_TRC(3, ("%d: SSL3[%d]: handle hello_request handshake",
   5054 		SSL_GETPID(), ss->fd));
   5055 
   5056     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
   5057     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
   5058 
   5059     if (ss->ssl3.hs.ws == wait_server_hello)
   5060 	return SECSuccess;
   5061     if (ss->ssl3.hs.ws != idle_handshake || ss->sec.isServer) {
   5062 	(void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
   5063 	PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST);
   5064 	return SECFailure;
   5065     }
   5066     if (ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) {
   5067 	ssl_GetXmitBufLock(ss);
   5068 	rv = SSL3_SendAlert(ss, alert_warning, no_renegotiation);
   5069 	ssl_ReleaseXmitBufLock(ss);
   5070 	PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED);
   5071 	return SECFailure;
   5072     }
   5073 
   5074     if (sid) {
   5075 	if (ss->sec.uncache)
   5076             ss->sec.uncache(sid);
   5077 	ssl_FreeSID(sid);
   5078 	ss->sec.ci.sid = NULL;
   5079     }
   5080 
   5081     if (IS_DTLS(ss)) {
   5082 	dtls_RehandshakeCleanup(ss);
   5083     }
   5084 
   5085     ssl_GetXmitBufLock(ss);
   5086     rv = ssl3_SendClientHello(ss, PR_FALSE);
   5087     ssl_ReleaseXmitBufLock(ss);
   5088 
   5089     return rv;
   5090 }
   5091 
   5092 #define UNKNOWN_WRAP_MECHANISM 0x7fffffff
   5093 
   5094 static const CK_MECHANISM_TYPE wrapMechanismList[SSL_NUM_WRAP_MECHS] = {
   5095     CKM_DES3_ECB,
   5096     CKM_CAST5_ECB,
   5097     CKM_DES_ECB,
   5098     CKM_KEY_WRAP_LYNKS,
   5099     CKM_IDEA_ECB,
   5100     CKM_CAST3_ECB,
   5101     CKM_CAST_ECB,
   5102     CKM_RC5_ECB,
   5103     CKM_RC2_ECB,
   5104     CKM_CDMF_ECB,
   5105     CKM_SKIPJACK_WRAP,
   5106     CKM_SKIPJACK_CBC64,
   5107     CKM_AES_ECB,
   5108     CKM_CAMELLIA_ECB,
   5109     CKM_SEED_ECB,
   5110     UNKNOWN_WRAP_MECHANISM
   5111 };
   5112 
   5113 static int
   5114 ssl_FindIndexByWrapMechanism(CK_MECHANISM_TYPE mech)
   5115 {
   5116     const CK_MECHANISM_TYPE *pMech = wrapMechanismList;
   5117 
   5118     while (mech != *pMech && *pMech != UNKNOWN_WRAP_MECHANISM) {
   5119     	++pMech;
   5120     }
   5121     return (*pMech == UNKNOWN_WRAP_MECHANISM) ? -1
   5122                                               : (pMech - wrapMechanismList);
   5123 }
   5124 
   5125 static PK11SymKey *
   5126 ssl_UnwrapSymWrappingKey(
   5127 	SSLWrappedSymWrappingKey *pWswk,
   5128 	SECKEYPrivateKey *        svrPrivKey,
   5129 	SSL3KEAType               exchKeyType,
   5130 	CK_MECHANISM_TYPE         masterWrapMech,
   5131 	void *                    pwArg)
   5132 {
   5133     PK11SymKey *             unwrappedWrappingKey  = NULL;
   5134     SECItem                  wrappedKey;
   5135 #ifdef NSS_ENABLE_ECC
   5136     PK11SymKey *             Ks;
   5137     SECKEYPublicKey          pubWrapKey;
   5138     ECCWrappedKeyInfo        *ecWrapped;
   5139 #endif /* NSS_ENABLE_ECC */
   5140 
   5141     /* found the wrapping key on disk. */
   5142     PORT_Assert(pWswk->symWrapMechanism == masterWrapMech);
   5143     PORT_Assert(pWswk->exchKeyType      == exchKeyType);
   5144     if (pWswk->symWrapMechanism != masterWrapMech ||
   5145 	pWswk->exchKeyType      != exchKeyType) {
   5146 	goto loser;
   5147     }
   5148     wrappedKey.type = siBuffer;
   5149     wrappedKey.data = pWswk->wrappedSymmetricWrappingkey;
   5150     wrappedKey.len  = pWswk->wrappedSymKeyLen;
   5151     PORT_Assert(wrappedKey.len <= sizeof pWswk->wrappedSymmetricWrappingkey);
   5152 
   5153     switch (exchKeyType) {
   5154 
   5155     case kt_rsa:
   5156 	unwrappedWrappingKey =
   5157 	    PK11_PubUnwrapSymKey(svrPrivKey, &wrappedKey,
   5158 				 masterWrapMech, CKA_UNWRAP, 0);
   5159 	break;
   5160 
   5161 #ifdef NSS_ENABLE_ECC
   5162     case kt_ecdh:
   5163         /*
   5164          * For kt_ecdh, we first create an EC public key based on
   5165          * data stored with the wrappedSymmetricWrappingkey. Next,
   5166          * we do an ECDH computation involving this public key and
   5167          * the SSL server's (long-term) EC private key. The resulting
   5168          * shared secret is treated the same way as Fortezza's Ks, i.e.,
   5169          * it is used to recover the symmetric wrapping key.
   5170          *
   5171          * The data in wrappedSymmetricWrappingkey is laid out as defined
   5172          * in the ECCWrappedKeyInfo structure.
   5173          */
   5174         ecWrapped = (ECCWrappedKeyInfo *) pWswk->wrappedSymmetricWrappingkey;
   5175 
   5176         PORT_Assert(ecWrapped->encodedParamLen + ecWrapped->pubValueLen +
   5177             ecWrapped->wrappedKeyLen <= MAX_EC_WRAPPED_KEY_BUFLEN);
   5178 
   5179         if (ecWrapped->encodedParamLen + ecWrapped->pubValueLen +
   5180             ecWrapped->wrappedKeyLen > MAX_EC_WRAPPED_KEY_BUFLEN) {
   5181             PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
   5182             goto loser;
   5183         }
   5184 
   5185         pubWrapKey.keyType = ecKey;
   5186         pubWrapKey.u.ec.size = ecWrapped->size;
   5187         pubWrapKey.u.ec.DEREncodedParams.len = ecWrapped->encodedParamLen;
   5188         pubWrapKey.u.ec.DEREncodedParams.data = ecWrapped->var;
   5189         pubWrapKey.u.ec.publicValue.len = ecWrapped->pubValueLen;
   5190         pubWrapKey.u.ec.publicValue.data = ecWrapped->var +
   5191             ecWrapped->encodedParamLen;
   5192 
   5193         wrappedKey.len  = ecWrapped->wrappedKeyLen;
   5194         wrappedKey.data = ecWrapped->var + ecWrapped->encodedParamLen +
   5195             ecWrapped->pubValueLen;
   5196 
   5197         /* Derive Ks using ECDH */
   5198         Ks = PK11_PubDeriveWithKDF(svrPrivKey, &pubWrapKey, PR_FALSE, NULL,
   5199 				   NULL, CKM_ECDH1_DERIVE, masterWrapMech,
   5200 				   CKA_DERIVE, 0, CKD_NULL, NULL, NULL);
   5201         if (Ks == NULL) {
   5202             goto loser;
   5203         }
   5204 
   5205         /*  Use Ks to unwrap the wrapping key */
   5206         unwrappedWrappingKey = PK11_UnwrapSymKey(Ks, masterWrapMech, NULL,
   5207 						 &wrappedKey, masterWrapMech,
   5208 						 CKA_UNWRAP, 0);
   5209         PK11_FreeSymKey(Ks);
   5210 
   5211         break;
   5212 #endif
   5213 
   5214     default:
   5215 	/* Assert? */
   5216 	SET_ERROR_CODE
   5217 	goto loser;
   5218     }
   5219 loser:
   5220     return unwrappedWrappingKey;
   5221 }
   5222 
   5223 /* Each process sharing the server session ID cache has its own array of
   5224  * SymKey pointers for the symmetric wrapping keys that are used to wrap
   5225  * the master secrets.  There is one key for each KEA type.  These Symkeys
   5226  * correspond to the wrapped SymKeys kept in the server session cache.
   5227  */
   5228 
   5229 typedef struct {
   5230     PK11SymKey *      symWrapKey[kt_kea_size];
   5231 } ssl3SymWrapKey;
   5232 
   5233 static PZLock *          symWrapKeysLock = NULL;
   5234 static ssl3SymWrapKey    symWrapKeys[SSL_NUM_WRAP_MECHS];
   5235 
   5236 SECStatus ssl_FreeSymWrapKeysLock(void)
   5237 {
   5238     if (symWrapKeysLock) {
   5239         PZ_DestroyLock(symWrapKeysLock);
   5240         symWrapKeysLock = NULL;
   5241         return SECSuccess;
   5242     }
   5243     PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
   5244     return SECFailure;
   5245 }
   5246 
   5247 SECStatus
   5248 SSL3_ShutdownServerCache(void)
   5249 {
   5250     int             i, j;
   5251 
   5252     if (!symWrapKeysLock)
   5253     	return SECSuccess;	/* lock was never initialized */
   5254     PZ_Lock(symWrapKeysLock);
   5255     /* get rid of all symWrapKeys */
   5256     for (i = 0; i < SSL_NUM_WRAP_MECHS; ++i) {
   5257     	for (j = 0; j < kt_kea_size; ++j) {
   5258 	    PK11SymKey **   pSymWrapKey;
   5259 	    pSymWrapKey = &symWrapKeys[i].symWrapKey[j];
   5260 	    if (*pSymWrapKey) {
   5261 		PK11_FreeSymKey(*pSymWrapKey);
   5262 	    	*pSymWrapKey = NULL;
   5263 	    }
   5264 	}
   5265     }
   5266 
   5267     PZ_Unlock(symWrapKeysLock);
   5268     ssl_FreeSessionCacheLocks();
   5269     return SECSuccess;
   5270 }
   5271 
   5272 SECStatus ssl_InitSymWrapKeysLock(void)
   5273 {
   5274     symWrapKeysLock = PZ_NewLock(nssILockOther);
   5275     return symWrapKeysLock ? SECSuccess : SECFailure;
   5276 }
   5277 
   5278 /* Try to get wrapping key for mechanism from in-memory array.
   5279  * If that fails, look for one on disk.
   5280  * If that fails, generate a new one, put the new one on disk,
   5281  * Put the new key in the in-memory array.
   5282  */
   5283 static PK11SymKey *
   5284 getWrappingKey( sslSocket *       ss,
   5285 		PK11SlotInfo *    masterSecretSlot,
   5286 		SSL3KEAType       exchKeyType,
   5287                 CK_MECHANISM_TYPE masterWrapMech,
   5288 	        void *            pwArg)
   5289 {
   5290     SECKEYPrivateKey *       svrPrivKey;
   5291     SECKEYPublicKey *        svrPubKey             = NULL;
   5292     PK11SymKey *             unwrappedWrappingKey  = NULL;
   5293     PK11SymKey **            pSymWrapKey;
   5294     CK_MECHANISM_TYPE        asymWrapMechanism = CKM_INVALID_MECHANISM;
   5295     int                      length;
   5296     int                      symWrapMechIndex;
   5297     SECStatus                rv;
   5298     SECItem                  wrappedKey;
   5299     SSLWrappedSymWrappingKey wswk;
   5300 #ifdef NSS_ENABLE_ECC
   5301     PK11SymKey *      Ks = NULL;
   5302     SECKEYPublicKey   *pubWrapKey = NULL;
   5303     SECKEYPrivateKey  *privWrapKey = NULL;
   5304     ECCWrappedKeyInfo *ecWrapped;
   5305 #endif /* NSS_ENABLE_ECC */
   5306 
   5307     svrPrivKey  = ss->serverCerts[exchKeyType].SERVERKEY;
   5308     PORT_Assert(svrPrivKey != NULL);
   5309     if (!svrPrivKey) {
   5310     	return NULL;	/* why are we here?!? */
   5311     }
   5312 
   5313     symWrapMechIndex = ssl_FindIndexByWrapMechanism(masterWrapMech);
   5314     PORT_Assert(symWrapMechIndex >= 0);
   5315     if (symWrapMechIndex < 0)
   5316     	return NULL;	/* invalid masterWrapMech. */
   5317 
   5318     pSymWrapKey = &symWrapKeys[symWrapMechIndex].symWrapKey[exchKeyType];
   5319 
   5320     ssl_InitSessionCacheLocks(PR_TRUE);
   5321 
   5322     PZ_Lock(symWrapKeysLock);
   5323 
   5324     unwrappedWrappingKey = *pSymWrapKey;
   5325     if (unwrappedWrappingKey != NULL) {
   5326 	if (PK11_VerifyKeyOK(unwrappedWrappingKey)) {
   5327 	    unwrappedWrappingKey = PK11_ReferenceSymKey(unwrappedWrappingKey);
   5328 	    goto done;
   5329 	}
   5330 	/* slot series has changed, so this key is no good any more. */
   5331 	PK11_FreeSymKey(unwrappedWrappingKey);
   5332 	*pSymWrapKey = unwrappedWrappingKey = NULL;
   5333     }
   5334 
   5335     /* Try to get wrapped SymWrapping key out of the (disk) cache. */
   5336     /* Following call fills in wswk on success. */
   5337     if (ssl_GetWrappingKey(symWrapMechIndex, exchKeyType, &wswk)) {
   5338     	/* found the wrapped sym wrapping key on disk. */
   5339 	unwrappedWrappingKey =
   5340 	    ssl_UnwrapSymWrappingKey(&wswk, svrPrivKey, exchKeyType,
   5341                                      masterWrapMech, pwArg);
   5342 	if (unwrappedWrappingKey) {
   5343 	    goto install;
   5344 	}
   5345     }
   5346 
   5347     if (!masterSecretSlot) 	/* caller doesn't want to create a new one. */
   5348     	goto loser;
   5349 
   5350     length = PK11_GetBestKeyLength(masterSecretSlot, masterWrapMech);
   5351     /* Zero length means fixed key length algorithm, or error.
   5352      * It's ambiguous.
   5353      */
   5354     unwrappedWrappingKey = PK11_KeyGen(masterSecretSlot, masterWrapMech, NULL,
   5355                                        length, pwArg);
   5356     if (!unwrappedWrappingKey) {
   5357     	goto loser;
   5358     }
   5359 
   5360     /* Prepare the buffer to receive the wrappedWrappingKey,
   5361      * the symmetric wrapping key wrapped using the server's pub key.
   5362      */
   5363     PORT_Memset(&wswk, 0, sizeof wswk);	/* eliminate UMRs. */
   5364 
   5365     if (ss->serverCerts[exchKeyType].serverKeyPair) {
   5366 	svrPubKey = ss->serverCerts[exchKeyType].serverKeyPair->pubKey;
   5367     }
   5368     if (svrPubKey == NULL) {
   5369 	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
   5370 	goto loser;
   5371     }
   5372     wrappedKey.type = siBuffer;
   5373     wrappedKey.len  = SECKEY_PublicKeyStrength(svrPubKey);
   5374     wrappedKey.data = wswk.wrappedSymmetricWrappingkey;
   5375 
   5376     PORT_Assert(wrappedKey.len <= sizeof wswk.wrappedSymmetricWrappingkey);
   5377     if (wrappedKey.len > sizeof wswk.wrappedSymmetricWrappingkey)
   5378     	goto loser;
   5379 
   5380     /* wrap symmetric wrapping key in server's public key. */
   5381     switch (exchKeyType) {
   5382     case kt_rsa:
   5383 	asymWrapMechanism = CKM_RSA_PKCS;
   5384 	rv = PK11_PubWrapSymKey(asymWrapMechanism, svrPubKey,
   5385 	                        unwrappedWrappingKey, &wrappedKey);
   5386 	break;
   5387 
   5388 #ifdef NSS_ENABLE_ECC
   5389     case kt_ecdh:
   5390 	/*
   5391 	 * We generate an ephemeral EC key pair. Perform an ECDH
   5392 	 * computation involving this ephemeral EC public key and
   5393 	 * the SSL server's (long-term) EC private key. The resulting
   5394 	 * shared secret is treated in the same way as Fortezza's Ks,
   5395 	 * i.e., it is used to wrap the wrapping key. To facilitate
   5396 	 * unwrapping in ssl_UnwrapWrappingKey, we also store all
   5397 	 * relevant info about the ephemeral EC public key in
   5398 	 * wswk.wrappedSymmetricWrappingkey and lay it out as
   5399 	 * described in the ECCWrappedKeyInfo structure.
   5400 	 */
   5401 	PORT_Assert(svrPubKey->keyType == ecKey);
   5402 	if (svrPubKey->keyType != ecKey) {
   5403 	    /* something is wrong in sslsecur.c if this isn't an ecKey */
   5404 	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
   5405 	    rv = SECFailure;
   5406 	    goto ec_cleanup;
   5407 	}
   5408 
   5409 	privWrapKey = SECKEY_CreateECPrivateKey(
   5410 	    &svrPubKey->u.ec.DEREncodedParams, &pubWrapKey, NULL);
   5411 	if ((privWrapKey == NULL) || (pubWrapKey == NULL)) {
   5412 	    rv = SECFailure;
   5413 	    goto ec_cleanup;
   5414 	}
   5415 
   5416 	/* Set the key size in bits */
   5417 	if (pubWrapKey->u.ec.size == 0) {
   5418 	    pubWrapKey->u.ec.size = SECKEY_PublicKeyStrengthInBits(svrPubKey);
   5419 	}
   5420 
   5421 	PORT_Assert(pubWrapKey->u.ec.DEREncodedParams.len +
   5422 	    pubWrapKey->u.ec.publicValue.len < MAX_EC_WRAPPED_KEY_BUFLEN);
   5423 	if (pubWrapKey->u.ec.DEREncodedParams.len +
   5424 	    pubWrapKey->u.ec.publicValue.len >= MAX_EC_WRAPPED_KEY_BUFLEN) {
   5425 	    PORT_SetError(SEC_ERROR_INVALID_KEY);
   5426 	    rv = SECFailure;
   5427 	    goto ec_cleanup;
   5428 	}
   5429 
   5430 	/* Derive Ks using ECDH */
   5431 	Ks = PK11_PubDeriveWithKDF(svrPrivKey, pubWrapKey, PR_FALSE, NULL,
   5432 				   NULL, CKM_ECDH1_DERIVE, masterWrapMech,
   5433 				   CKA_DERIVE, 0, CKD_NULL, NULL, NULL);
   5434 	if (Ks == NULL) {
   5435 	    rv = SECFailure;
   5436 	    goto ec_cleanup;
   5437 	}
   5438 
   5439 	ecWrapped = (ECCWrappedKeyInfo *) (wswk.wrappedSymmetricWrappingkey);
   5440 	ecWrapped->size = pubWrapKey->u.ec.size;
   5441 	ecWrapped->encodedParamLen = pubWrapKey->u.ec.DEREncodedParams.len;
   5442 	PORT_Memcpy(ecWrapped->var, pubWrapKey->u.ec.DEREncodedParams.data,
   5443 	    pubWrapKey->u.ec.DEREncodedParams.len);
   5444 
   5445 	ecWrapped->pubValueLen = pubWrapKey->u.ec.publicValue.len;
   5446 	PORT_Memcpy(ecWrapped->var + ecWrapped->encodedParamLen,
   5447 		    pubWrapKey->u.ec.publicValue.data,
   5448 		    pubWrapKey->u.ec.publicValue.len);
   5449 
   5450 	wrappedKey.len = MAX_EC_WRAPPED_KEY_BUFLEN -
   5451 	    (ecWrapped->encodedParamLen + ecWrapped->pubValueLen);
   5452 	wrappedKey.data = ecWrapped->var + ecWrapped->encodedParamLen +
   5453 	    ecWrapped->pubValueLen;
   5454 
   5455 	/* wrap symmetricWrapping key with the local Ks */
   5456 	rv = PK11_WrapSymKey(masterWrapMech, NULL, Ks,
   5457 			     unwrappedWrappingKey, &wrappedKey);
   5458 
   5459 	if (rv != SECSuccess) {
   5460 	    goto ec_cleanup;
   5461 	}
   5462 
   5463 	/* Write down the length of wrapped key in the buffer
   5464 	 * wswk.wrappedSymmetricWrappingkey at the appropriate offset
   5465 	 */
   5466 	ecWrapped->wrappedKeyLen = wrappedKey.len;
   5467 
   5468 ec_cleanup:
   5469 	if (privWrapKey) SECKEY_DestroyPrivateKey(privWrapKey);
   5470 	if (pubWrapKey) SECKEY_DestroyPublicKey(pubWrapKey);
   5471 	if (Ks) PK11_FreeSymKey(Ks);
   5472 	asymWrapMechanism = masterWrapMech;
   5473 	break;
   5474 #endif /* NSS_ENABLE_ECC */
   5475 
   5476     default:
   5477 	rv = SECFailure;
   5478 	break;
   5479     }
   5480 
   5481     if (rv != SECSuccess) {
   5482 	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
   5483 	goto loser;
   5484     }
   5485 
   5486     PORT_Assert(asymWrapMechanism != CKM_INVALID_MECHANISM);
   5487 
   5488     wswk.symWrapMechanism  = masterWrapMech;
   5489     wswk.symWrapMechIndex  = symWrapMechIndex;
   5490     wswk.asymWrapMechanism = asymWrapMechanism;
   5491     wswk.exchKeyType       = exchKeyType;
   5492     wswk.wrappedSymKeyLen  = wrappedKey.len;
   5493 
   5494     /* put it on disk. */
   5495     /* If the wrapping key for this KEA type has already been set,
   5496      * then abandon the value we just computed and
   5497      * use the one we got from the disk.
   5498      */
   5499     if (ssl_SetWrappingKey(&wswk)) {
   5500     	/* somebody beat us to it.  The original contents of our wswk
   5501 	 * has been replaced with the content on disk.  Now, discard
   5502 	 * the key we just created and unwrap this new one.
   5503 	 */
   5504     	PK11_FreeSymKey(unwrappedWrappingKey);
   5505 
   5506 	unwrappedWrappingKey =
   5507 	    ssl_UnwrapSymWrappingKey(&wswk, svrPrivKey, exchKeyType,
   5508                                      masterWrapMech, pwArg);
   5509     }
   5510 
   5511 install:
   5512     if (unwrappedWrappingKey) {
   5513 	*pSymWrapKey = PK11_ReferenceSymKey(unwrappedWrappingKey);
   5514     }
   5515 
   5516 loser:
   5517 done:
   5518     PZ_Unlock(symWrapKeysLock);
   5519     return unwrappedWrappingKey;
   5520 }
   5521 
   5522 /* hexEncode hex encodes |length| bytes from |in| and writes it as |length*2|
   5523  * bytes to |out|. */
   5524 static void
   5525 hexEncode(char *out, const unsigned char *in, unsigned int length)
   5526 {
   5527     static const char hextable[] = "0123456789abcdef";
   5528     unsigned int i;
   5529 
   5530     for (i = 0; i < length; i++) {
   5531 	*(out++) = hextable[in[i] >> 4];
   5532 	*(out++) = hextable[in[i] & 15];
   5533     }
   5534 }
   5535 
   5536 /* Called from ssl3_SendClientKeyExchange(). */
   5537 /* Presently, this always uses PKCS11.  There is no bypass for this. */
   5538 static SECStatus
   5539 sendRSAClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
   5540 {
   5541     PK11SymKey *	pms 		= NULL;
   5542     SECStatus           rv    		= SECFailure;
   5543     SECItem 		enc_pms 	= {siBuffer, NULL, 0};
   5544     PRBool              isTLS;
   5545 
   5546     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
   5547     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
   5548 
   5549     /* Generate the pre-master secret ...  */
   5550     ssl_GetSpecWriteLock(ss);
   5551     isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
   5552 
   5553     pms = ssl3_GenerateRSAPMS(ss, ss->ssl3.pwSpec, NULL);
   5554     ssl_ReleaseSpecWriteLock(ss);
   5555     if (pms == NULL) {
   5556 	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
   5557 	goto loser;
   5558     }
   5559 
   5560     /* Get the wrapped (encrypted) pre-master secret, enc_pms */
   5561     enc_pms.len  = SECKEY_PublicKeyStrength(svrPubKey);
   5562     enc_pms.data = (unsigned char*)PORT_Alloc(enc_pms.len);
   5563     if (enc_pms.data == NULL) {
   5564 	goto loser;	/* err set by PORT_Alloc */
   5565     }
   5566 
   5567     /* wrap pre-master secret in server's public key. */
   5568     rv = PK11_PubWrapSymKey(CKM_RSA_PKCS, svrPubKey, pms, &enc_pms);
   5569     if (rv != SECSuccess) {
   5570 	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
   5571 	goto loser;
   5572     }
   5573 
   5574     if (ssl_keylog_iob) {
   5575 	SECStatus extractRV = PK11_ExtractKeyValue(pms);
   5576 	if (extractRV == SECSuccess) {
   5577 	    SECItem * keyData = PK11_GetKeyData(pms);
   5578 	    if (keyData && keyData->data && keyData->len) {
   5579 #ifdef TRACE
   5580 		if (ssl_trace >= 100) {
   5581 		    ssl_PrintBuf(ss, "Pre-Master Secret",
   5582 				 keyData->data, keyData->len);
   5583 		}
   5584 #endif
   5585 		if (ssl_keylog_iob && enc_pms.len >= 8 && keyData->len == 48) {
   5586 		    /* https://developer.mozilla.org/en/NSS_Key_Log_Format */
   5587 
   5588 		    /* There could be multiple, concurrent writers to the
   5589 		     * keylog, so we have to do everything in a single call to
   5590 		     * fwrite. */
   5591 		    char buf[4 + 8*2 + 1 + 48*2 + 1];
   5592 
   5593 		    strcpy(buf, "RSA ");
   5594 		    hexEncode(buf + 4, enc_pms.data, 8);
   5595 		    buf[20] = ' ';
   5596 		    hexEncode(buf + 21, keyData->data, 48);
   5597 		    buf[sizeof(buf) - 1] = '\n';
   5598 
   5599 		    fwrite(buf, sizeof(buf), 1, ssl_keylog_iob);
   5600 		    fflush(ssl_keylog_iob);
   5601 		}
   5602 	    }
   5603 	}
   5604     }
   5605 
   5606     rv = ssl3_InitPendingCipherSpec(ss,  pms);
   5607     PK11_FreeSymKey(pms); pms = NULL;
   5608 
   5609     if (rv != SECSuccess) {
   5610 	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
   5611 	goto loser;
   5612     }
   5613 
   5614     rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange,
   5615 				    isTLS ? enc_pms.len + 2 : enc_pms.len);
   5616     if (rv != SECSuccess) {
   5617 	goto loser;	/* err set by ssl3_AppendHandshake* */
   5618     }
   5619     if (isTLS) {
   5620     	rv = ssl3_AppendHandshakeVariable(ss, enc_pms.data, enc_pms.len, 2);
   5621     } else {
   5622 	rv = ssl3_AppendHandshake(ss, enc_pms.data, enc_pms.len);
   5623     }
   5624     if (rv != SECSuccess) {
   5625 	goto loser;	/* err set by ssl3_AppendHandshake* */
   5626     }
   5627 
   5628     rv = SECSuccess;
   5629 
   5630 loser:
   5631     if (enc_pms.data != NULL) {
   5632 	PORT_Free(enc_pms.data);
   5633     }
   5634     if (pms != NULL) {
   5635     	PK11_FreeSymKey(pms);
   5636     }
   5637     return rv;
   5638 }
   5639 
   5640 /* Called from ssl3_SendClientKeyExchange(). */
   5641 /* Presently, this always uses PKCS11.  There is no bypass for this. */
   5642 static SECStatus
   5643 sendDHClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
   5644 {
   5645     PK11SymKey *	pms 		= NULL;
   5646     SECStatus           rv    		= SECFailure;
   5647     PRBool              isTLS;
   5648     CK_MECHANISM_TYPE	target;
   5649 
   5650     SECKEYDHParams	dhParam;		/* DH parameters */
   5651     SECKEYPublicKey	*pubKey = NULL;		/* Ephemeral DH key */
   5652     SECKEYPrivateKey	*privKey = NULL;	/* Ephemeral DH key */
   5653 
   5654     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
   5655     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
   5656 
   5657     isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
   5658 
   5659     /* Copy DH parameters from server key */
   5660 
   5661     if (svrPubKey->keyType != dhKey) {
   5662 	PORT_SetError(SEC_ERROR_BAD_KEY);
   5663 	goto loser;
   5664     }
   5665     dhParam.prime.data = svrPubKey->u.dh.prime.data;
   5666     dhParam.prime.len = svrPubKey->u.dh.prime.len;
   5667     dhParam.base.data = svrPubKey->u.dh.base.data;
   5668     dhParam.base.len = svrPubKey->u.dh.base.len;
   5669 
   5670     /* Generate ephemeral DH keypair */
   5671     privKey = SECKEY_CreateDHPrivateKey(&dhParam, &pubKey, NULL);
   5672     if (!privKey || !pubKey) {
   5673 	    ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
   5674 	    rv = SECFailure;
   5675 	    goto loser;
   5676     }
   5677     PRINT_BUF(50, (ss, "DH public value:",
   5678 					pubKey->u.dh.publicValue.data,
   5679 					pubKey->u.dh.publicValue.len));
   5680 
   5681     if (isTLS) target = CKM_TLS_MASTER_KEY_DERIVE_DH;
   5682     else target = CKM_SSL3_MASTER_KEY_DERIVE_DH;
   5683 
   5684     /* Determine the PMS */
   5685 
   5686     pms = PK11_PubDerive(privKey, svrPubKey, PR_FALSE, NULL, NULL,
   5687 			    CKM_DH_PKCS_DERIVE, target, CKA_DERIVE, 0, NULL);
   5688 
   5689     if (pms == NULL) {
   5690 	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
   5691 	goto loser;
   5692     }
   5693 
   5694     SECKEY_DestroyPrivateKey(privKey);
   5695     privKey = NULL;
   5696 
   5697     rv = ssl3_InitPendingCipherSpec(ss,  pms);
   5698     PK11_FreeSymKey(pms); pms = NULL;
   5699 
   5700     if (rv != SECSuccess) {
   5701 	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
   5702 	goto loser;
   5703     }
   5704 
   5705     rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange,
   5706 					pubKey->u.dh.publicValue.len + 2);
   5707     if (rv != SECSuccess) {
   5708 	goto loser;	/* err set by ssl3_AppendHandshake* */
   5709     }
   5710     rv = ssl3_AppendHandshakeVariable(ss,
   5711 					pubKey->u.dh.publicValue.data,
   5712 					pubKey->u.dh.publicValue.len, 2);
   5713     SECKEY_DestroyPublicKey(pubKey);
   5714     pubKey = NULL;
   5715 
   5716     if (rv != SECSuccess) {
   5717 	goto loser;	/* err set by ssl3_AppendHandshake* */
   5718     }
   5719 
   5720     rv = SECSuccess;
   5721 
   5722 
   5723 loser:
   5724 
   5725     if(pms) PK11_FreeSymKey(pms);
   5726     if(privKey) SECKEY_DestroyPrivateKey(privKey);
   5727     if(pubKey) SECKEY_DestroyPublicKey(pubKey);
   5728     return rv;
   5729 }
   5730 
   5731 
   5732 
   5733 
   5734 
   5735 /* Called from ssl3_HandleServerHelloDone(). */
   5736 static SECStatus
   5737 ssl3_SendClientKeyExchange(sslSocket *ss)
   5738 {
   5739     SECKEYPublicKey *	serverKey 	= NULL;
   5740     SECStatus 		rv 		= SECFailure;
   5741     PRBool              isTLS;
   5742 
   5743     SSL_TRC(3, ("%d: SSL3[%d]: send client_key_exchange handshake",
   5744 		SSL_GETPID(), ss->fd));
   5745 
   5746     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
   5747     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
   5748 
   5749     if (ss->sec.peerKey == NULL) {
   5750 	serverKey = CERT_ExtractPublicKey(ss->sec.peerCert);
   5751 	if (serverKey == NULL) {
   5752 	    ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
   5753 	    return SECFailure;
   5754 	}
   5755     } else {
   5756 	serverKey = ss->sec.peerKey;
   5757 	ss->sec.peerKey = NULL; /* we're done with it now */
   5758     }
   5759 
   5760     isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
   5761     /* enforce limits on kea key sizes. */
   5762     if (ss->ssl3.hs.kea_def->is_limited) {
   5763 	int keyLen = SECKEY_PublicKeyStrength(serverKey);	/* bytes */
   5764 
   5765 	if (keyLen * BPB > ss->ssl3.hs.kea_def->key_size_limit) {
   5766 	    if (isTLS)
   5767 		(void)SSL3_SendAlert(ss, alert_fatal, export_restriction);
   5768 	    else
   5769 		(void)ssl3_HandshakeFailure(ss);
   5770 	    PORT_SetError(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED);
   5771 	    goto loser;
   5772 	}
   5773     }
   5774 
   5775     ss->sec.keaType    = ss->ssl3.hs.kea_def->exchKeyType;
   5776     ss->sec.keaKeyBits = SECKEY_PublicKeyStrengthInBits(serverKey);
   5777 
   5778     switch (ss->ssl3.hs.kea_def->exchKeyType) {
   5779     case kt_rsa:
   5780 	rv = sendRSAClientKeyExchange(ss, serverKey);
   5781 	break;
   5782 
   5783     case kt_dh:
   5784 	rv = sendDHClientKeyExchange(ss, serverKey);
   5785 	break;
   5786 
   5787 #ifdef NSS_ENABLE_ECC
   5788     case kt_ecdh:
   5789 	rv = ssl3_SendECDHClientKeyExchange(ss, serverKey);
   5790 	break;
   5791 #endif /* NSS_ENABLE_ECC */
   5792 
   5793     default:
   5794 	/* got an unknown or unsupported Key Exchange Algorithm.  */
   5795 	SEND_ALERT
   5796 	PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
   5797 	break;
   5798     }
   5799 
   5800     SSL_TRC(3, ("%d: SSL3[%d]: DONE sending client_key_exchange",
   5801 		SSL_GETPID(), ss->fd));
   5802 
   5803 loser:
   5804     if (serverKey)
   5805     	SECKEY_DestroyPublicKey(serverKey);
   5806     return rv;	/* err code already set. */
   5807 }
   5808 
   5809 /* Called from ssl3_HandleServerHelloDone(). */
   5810 static SECStatus
   5811 ssl3_SendCertificateVerify(sslSocket *ss)
   5812 {
   5813     SECStatus     rv		= SECFailure;
   5814     PRBool        isTLS;
   5815     PRBool        isTLS12;
   5816     SECItem       buf           = {siBuffer, NULL, 0};
   5817     SSL3Hashes    hashes;
   5818     KeyType       keyType;
   5819     unsigned int  len;
   5820     SSL3SignatureAndHashAlgorithm sigAndHash;
   5821 
   5822     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
   5823     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
   5824 
   5825     SSL_TRC(3, ("%d: SSL3[%d]: send certificate_verify handshake",
   5826 		SSL_GETPID(), ss->fd));
   5827 
   5828     ssl_GetSpecReadLock(ss);
   5829     /* In TLS 1.2, ssl3_ComputeHandshakeHashes always uses the handshake hash
   5830      * function (SHA-256). If the server or the client does not support SHA-256
   5831      * as a signature hash, we can either maintain a backup SHA-1 handshake
   5832      * hash or buffer all handshake messages.
   5833      */
   5834     if (ss->ssl3.hs.hashType == handshake_hash_single && ss->ssl3.hs.md5) {
   5835 	rv = ssl3_ComputeBackupHandshakeHashes(ss, &hashes);
   5836 	PORT_Assert(ss->ssl3.hs.md5 == NULL);
   5837     } else {
   5838 	rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0);
   5839     }
   5840     ssl_ReleaseSpecReadLock(ss);
   5841     if (rv != SECSuccess) {
   5842 	goto done;	/* err code was set by ssl3_ComputeHandshakeHashes */
   5843     }
   5844 
   5845     isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
   5846     isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
   5847     if (ss->ssl3.platformClientKey) {
   5848 #ifdef NSS_PLATFORM_CLIENT_AUTH
   5849 	keyType = CERT_GetCertKeyType(
   5850 	    &ss->ssl3.clientCertificate->subjectPublicKeyInfo);
   5851 	rv = ssl3_PlatformSignHashes(
   5852 	    &hashes, ss->ssl3.platformClientKey, &buf, isTLS, keyType);
   5853 	ssl_FreePlatformKey(ss->ssl3.platformClientKey);
   5854 	ss->ssl3.platformClientKey = (PlatformKey)NULL;
   5855 #endif /* NSS_PLATFORM_CLIENT_AUTH */
   5856     } else {
   5857 	keyType = ss->ssl3.clientPrivateKey->keyType;
   5858 	rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS);
   5859 	if (rv == SECSuccess) {
   5860 	    PK11SlotInfo * slot;
   5861 	    sslSessionID * sid   = ss->sec.ci.sid;
   5862 
   5863 	    /* Remember the info about the slot that did the signing.
   5864 	    ** Later, when doing an SSL restart handshake, verify this.
   5865 	    ** These calls are mere accessors, and can't fail.
   5866 	    */
   5867 	    slot = PK11_GetSlotFromPrivateKey(ss->ssl3.clientPrivateKey);
   5868 	    sid->u.ssl3.clAuthSeries     = PK11_GetSlotSeries(slot);
   5869 	    sid->u.ssl3.clAuthSlotID     = PK11_GetSlotID(slot);
   5870 	    sid->u.ssl3.clAuthModuleID   = PK11_GetModuleID(slot);
   5871 	    sid->u.ssl3.clAuthValid      = PR_TRUE;
   5872 	    PK11_FreeSlot(slot);
   5873 	}
   5874 	SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
   5875 	ss->ssl3.clientPrivateKey = NULL;
   5876     }
   5877     if (rv != SECSuccess) {
   5878 	goto done;	/* err code was set by ssl3_SignHashes */
   5879     }
   5880 
   5881     len = buf.len + 2 + (isTLS12 ? 2 : 0);
   5882 
   5883     rv = ssl3_AppendHandshakeHeader(ss, certificate_verify, len);
   5884     if (rv != SECSuccess) {
   5885 	goto done;	/* error code set by AppendHandshake */
   5886     }
   5887     if (isTLS12) {
   5888 	rv = ssl3_TLSSignatureAlgorithmForKeyType(keyType,
   5889 						  &sigAndHash.sigAlg);
   5890 	if (rv != SECSuccess) {
   5891 	    goto done;
   5892 	}
   5893 	sigAndHash.hashAlg = hashes.hashAlg;
   5894 
   5895 	rv = ssl3_AppendSignatureAndHashAlgorithm(ss, &sigAndHash);
   5896 	if (rv != SECSuccess) {
   5897 	    goto done; 	/* err set by AppendHandshake. */
   5898 	}
   5899     }
   5900     rv = ssl3_AppendHandshakeVariable(ss, buf.data, buf.len, 2);
   5901     if (rv != SECSuccess) {
   5902 	goto done;	/* error code set by AppendHandshake */
   5903     }
   5904 
   5905 done:
   5906     if (buf.data)
   5907 	PORT_Free(buf.data);
   5908     return rv;
   5909 }
   5910 
   5911 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
   5912  * ssl3 ServerHello message.
   5913  * Caller must hold Handshake and RecvBuf locks.
   5914  */
   5915 static SECStatus
   5916 ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
   5917 {
   5918     sslSessionID *sid		= ss->sec.ci.sid;
   5919     PRInt32       temp;		/* allow for consume number failure */
   5920     PRBool        suite_found   = PR_FALSE;
   5921     int           i;
   5922     int           errCode	= SSL_ERROR_RX_MALFORMED_SERVER_HELLO;
   5923     SECStatus     rv;
   5924     SECItem       sidBytes 	= {siBuffer, NULL, 0};
   5925     PRBool        sid_match;
   5926     PRBool        isTLS		= PR_FALSE;
   5927     SSL3AlertDescription desc   = illegal_parameter;
   5928     SSL3ProtocolVersion version;
   5929 
   5930     SSL_TRC(3, ("%d: SSL3[%d]: handle server_hello handshake",
   5931     	SSL_GETPID(), ss->fd));
   5932     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
   5933     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
   5934     PORT_Assert( ss->ssl3.initialized );
   5935 
   5936     if (ss->ssl3.hs.ws != wait_server_hello) {
   5937         errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO;
   5938 	desc    = unexpected_message;
   5939 	goto alert_loser;
   5940     }
   5941 
   5942     /* clean up anything left from previous handshake. */
   5943     if (ss->ssl3.clientCertChain != NULL) {
   5944        CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
   5945        ss->ssl3.clientCertChain = NULL;
   5946     }
   5947     if (ss->ssl3.clientCertificate != NULL) {
   5948        CERT_DestroyCertificate(ss->ssl3.clientCertificate);
   5949        ss->ssl3.clientCertificate = NULL;
   5950     }
   5951     if (ss->ssl3.clientPrivateKey != NULL) {
   5952        SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
   5953        ss->ssl3.clientPrivateKey = NULL;
   5954     }
   5955 #ifdef NSS_PLATFORM_CLIENT_AUTH
   5956     if (ss->ssl3.platformClientKey) {
   5957        ssl_FreePlatformKey(ss->ssl3.platformClientKey);
   5958        ss->ssl3.platformClientKey = (PlatformKey)NULL;
   5959     }
   5960 #endif  /* NSS_PLATFORM_CLIENT_AUTH */
   5961 
   5962     if (ss->ssl3.channelID != NULL) {
   5963 	SECKEY_DestroyPrivateKey(ss->ssl3.channelID);
   5964 	ss->ssl3.channelID = NULL;
   5965     }
   5966     if (ss->ssl3.channelIDPub != NULL) {
   5967 	SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
   5968 	ss->ssl3.channelIDPub = NULL;
   5969     }
   5970 
   5971     temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
   5972     if (temp < 0) {
   5973     	goto loser; 	/* alert has been sent */
   5974     }
   5975     version = (SSL3ProtocolVersion)temp;
   5976 
   5977     if (IS_DTLS(ss)) {
   5978 	/* RFC 4347 required that you verify that the server versions
   5979 	 * match (Section 4.2.1) in the HelloVerifyRequest and the
   5980 	 * ServerHello.
   5981 	 *
   5982 	 * RFC 6347 suggests (SHOULD) that servers always use 1.0
   5983 	 * in HelloVerifyRequest and allows the versions not to match,
   5984 	 * especially when 1.2 is being negotiated.
   5985 	 *
   5986 	 * Therefore we do not check for matching here.
   5987 	 */
   5988 	version = dtls_DTLSVersionToTLSVersion(version);
   5989 	if (version == 0) {  /* Insane version number */
   5990             goto alert_loser;
   5991 	}
   5992     }
   5993 
   5994     rv = ssl3_NegotiateVersion(ss, version, PR_FALSE);
   5995     if (rv != SECSuccess) {
   5996     	desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version
   5997 						   : handshake_failure;
   5998 	errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
   5999 	goto alert_loser;
   6000     }
   6001     isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0);
   6002 
   6003     rv = ssl3_InitHandshakeHashes(ss);
   6004     if (rv != SECSuccess) {
   6005 	desc = internal_error;
   6006 	errCode = PORT_GetError();
   6007 	goto alert_loser;
   6008     }
   6009 
   6010     rv = ssl3_ConsumeHandshake(
   6011 	ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH, &b, &length);
   6012     if (rv != SECSuccess) {
   6013     	goto loser; 	/* alert has been sent */
   6014     }
   6015 
   6016     rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length);
   6017     if (rv != SECSuccess) {
   6018     	goto loser; 	/* alert has been sent */
   6019     }
   6020     if (sidBytes.len > SSL3_SESSIONID_BYTES) {
   6021 	if (isTLS)
   6022 	    desc = decode_error;
   6023 	goto alert_loser;	/* malformed. */
   6024     }
   6025 
   6026     /* find selected cipher suite in our list. */
   6027     temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
   6028     if (temp < 0) {
   6029     	goto loser; 	/* alert has been sent */
   6030     }
   6031     ssl3_config_match_init(ss);
   6032     for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
   6033 	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
   6034 	if (temp == suite->cipher_suite) {
   6035 	    if (!config_match(suite, ss->ssl3.policy, PR_TRUE)) {
   6036 		break;	/* failure */
   6037 	    }
   6038 	    if (!ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite,
   6039 						   ss->version)) {
   6040 		desc    = handshake_failure;
   6041 		errCode = SSL_ERROR_CIPHER_DISALLOWED_FOR_VERSION;
   6042 		goto alert_loser;
   6043 	    }
   6044 
   6045 	    suite_found = PR_TRUE;
   6046 	    break;	/* success */
   6047 	}
   6048     }
   6049     if (!suite_found) {
   6050     	desc    = handshake_failure;
   6051 	errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
   6052 	goto alert_loser;
   6053     }
   6054     ss->ssl3.hs.cipher_suite = (ssl3CipherSuite)temp;
   6055     ss->ssl3.hs.suite_def    = ssl_LookupCipherSuiteDef((ssl3CipherSuite)temp);
   6056     PORT_Assert(ss->ssl3.hs.suite_def);
   6057     if (!ss->ssl3.hs.suite_def) {
   6058     	PORT_SetError(errCode = SEC_ERROR_LIBRARY_FAILURE);
   6059 	goto loser;	/* we don't send alerts for our screw-ups. */
   6060     }
   6061 
   6062     /* find selected compression method in our list. */
   6063     temp = ssl3_ConsumeHandshakeNumber(ss, 1, &b, &length);
   6064     if (temp < 0) {
   6065     	goto loser; 	/* alert has been sent */
   6066     }
   6067     suite_found = PR_FALSE;
   6068     for (i = 0; i < compressionMethodsCount; i++) {
   6069 	if (temp == compressions[i]) {
   6070 	    if (!compressionEnabled(ss, compressions[i])) {
   6071 		break;	/* failure */
   6072 	    }
   6073 	    suite_found = PR_TRUE;
   6074 	    break;	/* success */
   6075     	}
   6076     }
   6077     if (!suite_found) {
   6078     	desc    = handshake_failure;
   6079 	errCode = SSL_ERROR_NO_COMPRESSION_OVERLAP;
   6080 	goto alert_loser;
   6081     }
   6082     ss->ssl3.hs.compression = (SSLCompressionMethod)temp;
   6083 
   6084     /* Note that if !isTLS and the extra stuff is not extensions, we
   6085      * do NOT goto alert_loser.
   6086      * There are some old SSL 3.0 implementations that do send stuff
   6087      * after the end of the server hello, and we deliberately ignore
   6088      * such stuff in the interest of maximal interoperability (being
   6089      * "generous in what you accept").
   6090      * Update: Starting in NSS 3.12.6, we handle the renegotiation_info
   6091      * extension in SSL 3.0.
   6092      */
   6093     if (length != 0) {
   6094 	SECItem extensions;
   6095 	rv = ssl3_ConsumeHandshakeVariable(ss, &extensions, 2, &b, &length);
   6096 	if (rv != SECSuccess || length != 0) {
   6097 	    if (isTLS)
   6098 		goto alert_loser;
   6099 	} else {
   6100 	    rv = ssl3_HandleHelloExtensions(ss, &extensions.data,
   6101 					    &extensions.len);
   6102 	    if (rv != SECSuccess)
   6103 		goto alert_loser;
   6104 	}
   6105     }
   6106     if ((ss->opt.requireSafeNegotiation ||
   6107          (ss->firstHsDone && (ss->peerRequestedProtection ||
   6108 	 ss->opt.enableRenegotiation == SSL_RENEGOTIATE_REQUIRES_XTN))) &&
   6109 	!ssl3_ExtensionNegotiated(ss, ssl_renegotiation_info_xtn)) {
   6110 	desc = handshake_failure;
   6111 	errCode = ss->firstHsDone ? SSL_ERROR_RENEGOTIATION_NOT_ALLOWED
   6112 	                          : SSL_ERROR_UNSAFE_NEGOTIATION;
   6113 	goto alert_loser;
   6114     }
   6115 
   6116     /* Any errors after this point are not "malformed" errors. */
   6117     desc    = handshake_failure;
   6118 
   6119     /* we need to call ssl3_SetupPendingCipherSpec here so we can check the
   6120      * key exchange algorithm. */
   6121     rv = ssl3_SetupPendingCipherSpec(ss);
   6122     if (rv != SECSuccess) {
   6123 	goto alert_loser;	/* error code is set. */
   6124     }
   6125 
   6126     /* We may or may not have sent a session id, we may get one back or
   6127      * not and if so it may match the one we sent.
   6128      * Attempt to restore the master secret to see if this is so...
   6129      * Don't consider failure to find a matching SID an error.
   6130      */
   6131     sid_match = (PRBool)(sidBytes.len > 0 &&
   6132 	sidBytes.len == sid->u.ssl3.sessionIDLength &&
   6133 	!PORT_Memcmp(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len));
   6134 
   6135     if (sid_match &&
   6136 	sid->version == ss->version &&
   6137 	sid->u.ssl3.cipherSuite == ss->ssl3.hs.cipher_suite) do {
   6138 	ssl3CipherSpec *pwSpec = ss->ssl3.pwSpec;
   6139 
   6140 	SECItem       wrappedMS;   /* wrapped master secret. */
   6141 
   6142 	ss->sec.authAlgorithm = sid->authAlgorithm;
   6143 	ss->sec.authKeyBits   = sid->authKeyBits;
   6144 	ss->sec.keaType       = sid->keaType;
   6145 	ss->sec.keaKeyBits    = sid->keaKeyBits;
   6146 
   6147 	/* 3 cases here:
   6148 	 * a) key is wrapped (implies using PKCS11)
   6149 	 * b) key is unwrapped, but we're still using PKCS11
   6150 	 * c) key is unwrapped, and we're bypassing PKCS11.
   6151 	 */
   6152 	if (sid->u.ssl3.keys.msIsWrapped) {
   6153 	    PK11SlotInfo *slot;
   6154 	    PK11SymKey *  wrapKey;     /* wrapping key */
   6155 	    CK_FLAGS      keyFlags      = 0;
   6156 
   6157 #ifndef NO_PKCS11_BYPASS
   6158 	    if (ss->opt.bypassPKCS11) {
   6159 		/* we cannot restart a non-bypass session in a
   6160 		** bypass socket.
   6161 		*/
   6162 		break;
   6163 	    }
   6164 #endif
   6165 	    /* unwrap master secret with PKCS11 */
   6166 	    slot = SECMOD_LookupSlot(sid->u.ssl3.masterModuleID,
   6167 				     sid->u.ssl3.masterSlotID);
   6168 	    if (slot == NULL) {
   6169 		break;		/* not considered an error. */
   6170 	    }
   6171 	    if (!PK11_IsPresent(slot)) {
   6172 		PK11_FreeSlot(slot);
   6173 		break;		/* not considered an error. */
   6174 	    }
   6175 	    wrapKey = PK11_GetWrapKey(slot, sid->u.ssl3.masterWrapIndex,
   6176 				      sid->u.ssl3.masterWrapMech,
   6177 				      sid->u.ssl3.masterWrapSeries,
   6178 				      ss->pkcs11PinArg);
   6179 	    PK11_FreeSlot(slot);
   6180 	    if (wrapKey == NULL) {
   6181 		break;		/* not considered an error. */
   6182 	    }
   6183 
   6184 	    if (ss->version > SSL_LIBRARY_VERSION_3_0) {	/* isTLS */
   6185 		keyFlags = CKF_SIGN | CKF_VERIFY;
   6186 	    }
   6187 
   6188 	    wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
   6189 	    wrappedMS.len  = sid->u.ssl3.keys.wrapped_master_secret_len;
   6190 	    pwSpec->master_secret =
   6191 		PK11_UnwrapSymKeyWithFlags(wrapKey, sid->u.ssl3.masterWrapMech,
   6192 			    NULL, &wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE,
   6193 			    CKA_DERIVE, sizeof(SSL3MasterSecret), keyFlags);
   6194 	    errCode = PORT_GetError();
   6195 	    PK11_FreeSymKey(wrapKey);
   6196 	    if (pwSpec->master_secret == NULL) {
   6197 		break;	/* errorCode set just after call to UnwrapSymKey. */
   6198 	    }
   6199 #ifndef NO_PKCS11_BYPASS
   6200 	} else if (ss->opt.bypassPKCS11) {
   6201 	    /* MS is not wrapped */
   6202 	    wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
   6203 	    wrappedMS.len  = sid->u.ssl3.keys.wrapped_master_secret_len;
   6204 	    memcpy(pwSpec->raw_master_secret, wrappedMS.data, wrappedMS.len);
   6205 	    pwSpec->msItem.data = pwSpec->raw_master_secret;
   6206 	    pwSpec->msItem.len  = wrappedMS.len;
   6207 #endif
   6208 	} else {
   6209 	    /* We CAN restart a bypass session in a non-bypass socket. */
   6210 	    /* need to import the raw master secret to session object */
   6211 	    PK11SlotInfo *slot = PK11_GetInternalSlot();
   6212 	    wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
   6213 	    wrappedMS.len  = sid->u.ssl3.keys.wrapped_master_secret_len;
   6214 	    pwSpec->master_secret =
   6215 		PK11_ImportSymKey(slot, CKM_SSL3_MASTER_KEY_DERIVE,
   6216 				  PK11_OriginUnwrap, CKA_ENCRYPT,
   6217 				  &wrappedMS, NULL);
   6218 	    PK11_FreeSlot(slot);
   6219 	    if (pwSpec->master_secret == NULL) {
   6220 		break;
   6221 	    }
   6222 	}
   6223 
   6224 	/* Got a Match */
   6225 	SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_hits );
   6226 
   6227 	/* If we sent a session ticket, then this is a stateless resume. */
   6228 	if (sid->version > SSL_LIBRARY_VERSION_3_0 &&
   6229 	    sid->u.ssl3.sessionTicket.ticket.data != NULL)
   6230 	    SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_stateless_resumes );
   6231 
   6232 	if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn))
   6233 	    ss->ssl3.hs.ws = wait_new_session_ticket;
   6234 	else
   6235 	    ss->ssl3.hs.ws = wait_change_cipher;
   6236 
   6237 	ss->ssl3.hs.isResuming = PR_TRUE;
   6238 
   6239 	/* copy the peer cert from the SID */
   6240 	if (sid->peerCert != NULL) {
   6241 	    ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
   6242 	    ssl3_CopyPeerCertsFromSID(ss, sid);
   6243 	}
   6244 
   6245 	/* NULL value for PMS signifies re-use of the old MS */
   6246 	rv = ssl3_InitPendingCipherSpec(ss,  NULL);
   6247 	if (rv != SECSuccess) {
   6248 	    goto alert_loser;	/* err code was set */
   6249 	}
   6250 	goto winner;
   6251     } while (0);
   6252 
   6253     if (sid_match)
   6254 	SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_not_ok );
   6255     else
   6256 	SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_misses );
   6257 
   6258     /* throw the old one away */
   6259     sid->u.ssl3.keys.resumable = PR_FALSE;
   6260     if (ss->sec.uncache)
   6261         (*ss->sec.uncache)(sid);
   6262     ssl_FreeSID(sid);
   6263 
   6264     /* get a new sid */
   6265     ss->sec.ci.sid = sid = ssl3_NewSessionID(ss, PR_FALSE);
   6266     if (sid == NULL) {
   6267 	goto alert_loser;	/* memory error is set. */
   6268     }
   6269 
   6270     sid->version = ss->version;
   6271     sid->u.ssl3.sessionIDLength = sidBytes.len;
   6272     PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len);
   6273 
   6274     ss->ssl3.hs.isResuming = PR_FALSE;
   6275     ss->ssl3.hs.ws         = wait_server_cert;
   6276 
   6277 winner:
   6278     /* If we will need a ChannelID key then we make the callback now. This
   6279      * allows the handshake to be restarted cleanly if the callback returns
   6280      * SECWouldBlock. */
   6281     if (ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn)) {
   6282 	rv = ss->getChannelID(ss->getChannelIDArg, ss->fd,
   6283 			      &ss->ssl3.channelIDPub, &ss->ssl3.channelID);
   6284 	if (rv == SECWouldBlock) {
   6285 	    ssl3_SetAlwaysBlock(ss);
   6286 	    return rv;
   6287 	}
   6288 	if (rv != SECSuccess ||
   6289 	    ss->ssl3.channelIDPub == NULL ||
   6290 	    ss->ssl3.channelID == NULL) {
   6291 	    PORT_SetError(SSL_ERROR_GET_CHANNEL_ID_FAILED);
   6292 	    desc = internal_error;
   6293 	    goto alert_loser;
   6294 	}
   6295     }
   6296 
   6297     return SECSuccess;
   6298 
   6299 alert_loser:
   6300     (void)SSL3_SendAlert(ss, alert_fatal, desc);
   6301 
   6302 loser:
   6303     errCode = ssl_MapLowLevelError(errCode);
   6304     return SECFailure;
   6305 }
   6306 
   6307 /* ssl3_BigIntGreaterThanOne returns true iff |mpint|, taken as an unsigned,
   6308  * big-endian integer is > 1 */
   6309 static PRBool
   6310 ssl3_BigIntGreaterThanOne(const SECItem* mpint) {
   6311     unsigned char firstNonZeroByte = 0;
   6312     unsigned int i;
   6313 
   6314     for (i = 0; i < mpint->len; i++) {
   6315 	if (mpint->data[i]) {
   6316 	    firstNonZeroByte = mpint->data[i];
   6317 	    break;
   6318 	}
   6319     }
   6320 
   6321     if (firstNonZeroByte == 0)
   6322 	return PR_FALSE;
   6323     if (firstNonZeroByte > 1)
   6324 	return PR_TRUE;
   6325 
   6326     /* firstNonZeroByte == 1, therefore mpint > 1 iff the first non-zero byte
   6327      * is followed by another byte. */
   6328     return (i < mpint->len - 1);
   6329 }
   6330 
   6331 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
   6332  * ssl3 ServerKeyExchange message.
   6333  * Caller must hold Handshake and RecvBuf locks.
   6334  */
   6335 static SECStatus
   6336 ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
   6337 {
   6338     PLArenaPool *    arena     = NULL;
   6339     SECKEYPublicKey *peerKey   = NULL;
   6340     PRBool           isTLS, isTLS12;
   6341     SECStatus        rv;
   6342     int              errCode   = SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH;
   6343     SSL3AlertDescription desc  = illegal_parameter;
   6344     SSL3Hashes       hashes;
   6345     SECItem          signature = {siBuffer, NULL, 0};
   6346     SSL3SignatureAndHashAlgorithm sigAndHash;
   6347 
   6348     sigAndHash.hashAlg = SEC_OID_UNKNOWN;
   6349 
   6350     SSL_TRC(3, ("%d: SSL3[%d]: handle server_key_exchange handshake",
   6351 		SSL_GETPID(), ss->fd));
   6352     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
   6353     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
   6354 
   6355     if (ss->ssl3.hs.ws != wait_server_key &&
   6356 	ss->ssl3.hs.ws != wait_server_cert) {
   6357 	errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH;
   6358 	desc    = unexpected_message;
   6359 	goto alert_loser;
   6360     }
   6361     if (ss->sec.peerCert == NULL) {
   6362 	errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH;
   6363 	desc    = unexpected_message;
   6364 	goto alert_loser;
   6365     }
   6366 
   6367     isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
   6368     isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
   6369 
   6370     switch (ss->ssl3.hs.kea_def->exchKeyType) {
   6371 
   6372     case kt_rsa: {
   6373 	SECItem          modulus   = {siBuffer, NULL, 0};
   6374 	SECItem          exponent  = {siBuffer, NULL, 0};
   6375 
   6376     	rv = ssl3_ConsumeHandshakeVariable(ss, &modulus, 2, &b, &length);
   6377     	if (rv != SECSuccess) {
   6378 	    goto loser;		/* malformed. */
   6379 	}
   6380     	rv = ssl3_ConsumeHandshakeVariable(ss, &exponent, 2, &b, &length);
   6381     	if (rv != SECSuccess) {
   6382 	    goto loser;		/* malformed. */
   6383 	}
   6384 	if (isTLS12) {
   6385 	    rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length,
   6386 						       &sigAndHash);
   6387 	    if (rv != SECSuccess) {
   6388 		goto loser;	/* malformed or unsupported. */
   6389 	    }
   6390 	    rv = ssl3_CheckSignatureAndHashAlgorithmConsistency(
   6391 		    &sigAndHash, ss->sec.peerCert);
   6392 	    if (rv != SECSuccess) {
   6393 		goto loser;
   6394 	    }
   6395 	}
   6396     	rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length);
   6397     	if (rv != SECSuccess) {
   6398 	    goto loser;		/* malformed. */
   6399 	}
   6400     	if (length != 0) {
   6401 	    if (isTLS)
   6402 		desc = decode_error;
   6403 	    goto alert_loser;		/* malformed. */
   6404 	}
   6405 
   6406 	/* failures after this point are not malformed handshakes. */
   6407 	/* TLS: send decrypt_error if signature failed. */
   6408     	desc = isTLS ? decrypt_error : handshake_failure;
   6409 
   6410     	/*
   6411      	 *  check to make sure the hash is signed by right guy
   6412      	 */
   6413 	rv = ssl3_ComputeExportRSAKeyHash(sigAndHash.hashAlg, modulus, exponent,
   6414 					  &ss->ssl3.hs.client_random,
   6415 					  &ss->ssl3.hs.server_random,
   6416 					  &hashes, ss->opt.bypassPKCS11);
   6417         if (rv != SECSuccess) {
   6418 	    errCode =
   6419 	    	ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
   6420 	    goto alert_loser;
   6421 	}
   6422         rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature,
   6423 				    isTLS, ss->pkcs11PinArg);
   6424 	if (rv != SECSuccess)  {
   6425 	    errCode =
   6426 	    	ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
   6427 	    goto alert_loser;
   6428 	}
   6429 
   6430 	/*
   6431 	 * we really need to build a new key here because we can no longer
   6432 	 * ignore calling SECKEY_DestroyPublicKey. Using the key may allocate
   6433 	 * pkcs11 slots and ID's.
   6434 	 */
   6435     	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
   6436 	if (arena == NULL) {
   6437 	    goto no_memory;
   6438 	}
   6439 
   6440     	peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey);
   6441     	if (peerKey == NULL) {
   6442             PORT_FreeArena(arena, PR_FALSE);
   6443 	    goto no_memory;
   6444 	}
   6445 
   6446 	peerKey->arena              = arena;
   6447 	peerKey->keyType            = rsaKey;
   6448 	peerKey->pkcs11Slot         = NULL;
   6449 	peerKey->pkcs11ID           = CK_INVALID_HANDLE;
   6450 	if (SECITEM_CopyItem(arena, &peerKey->u.rsa.modulus,        &modulus) ||
   6451 	    SECITEM_CopyItem(arena, &peerKey->u.rsa.publicExponent, &exponent))
   6452 	{
   6453             PORT_FreeArena(arena, PR_FALSE);
   6454 	    goto no_memory;
   6455         }
   6456     	ss->sec.peerKey = peerKey;
   6457     	ss->ssl3.hs.ws = wait_cert_request;
   6458     	return SECSuccess;
   6459     }
   6460 
   6461     case kt_dh: {
   6462 	SECItem          dh_p      = {siBuffer, NULL, 0};
   6463 	SECItem          dh_g      = {siBuffer, NULL, 0};
   6464 	SECItem          dh_Ys     = {siBuffer, NULL, 0};
   6465 
   6466     	rv = ssl3_ConsumeHandshakeVariable(ss, &dh_p, 2, &b, &length);
   6467     	if (rv != SECSuccess) {
   6468 	    goto loser;		/* malformed. */
   6469 	}
   6470 	if (dh_p.len < 512/8) {
   6471 	    errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY;
   6472 	    goto alert_loser;
   6473 	}
   6474     	rv = ssl3_ConsumeHandshakeVariable(ss, &dh_g, 2, &b, &length);
   6475     	if (rv != SECSuccess) {
   6476 	    goto loser;		/* malformed. */
   6477 	}
   6478 	if (dh_g.len > dh_p.len || !ssl3_BigIntGreaterThanOne(&dh_g))
   6479 	    goto alert_loser;
   6480     	rv = ssl3_ConsumeHandshakeVariable(ss, &dh_Ys, 2, &b, &length);
   6481     	if (rv != SECSuccess) {
   6482 	    goto loser;		/* malformed. */
   6483 	}
   6484 	if (dh_Ys.len > dh_p.len || !ssl3_BigIntGreaterThanOne(&dh_Ys))
   6485 	    goto alert_loser;
   6486 	if (isTLS12) {
   6487 	    rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length,
   6488 						       &sigAndHash);
   6489 	    if (rv != SECSuccess) {
   6490 		goto loser;	/* malformed or unsupported. */
   6491 	    }
   6492 	    rv = ssl3_CheckSignatureAndHashAlgorithmConsistency(
   6493 		    &sigAndHash, ss->sec.peerCert);
   6494 	    if (rv != SECSuccess) {
   6495 		goto loser;
   6496 	    }
   6497 	}
   6498     	rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length);
   6499     	if (rv != SECSuccess) {
   6500 	    goto loser;		/* malformed. */
   6501 	}
   6502     	if (length != 0) {
   6503 	    if (isTLS)
   6504 		desc = decode_error;
   6505 	    goto alert_loser;		/* malformed. */
   6506 	}
   6507 
   6508 	PRINT_BUF(60, (NULL, "Server DH p", dh_p.data, dh_p.len));
   6509 	PRINT_BUF(60, (NULL, "Server DH g", dh_g.data, dh_g.len));
   6510 	PRINT_BUF(60, (NULL, "Server DH Ys", dh_Ys.data, dh_Ys.len));
   6511 
   6512 	/* failures after this point are not malformed handshakes. */
   6513 	/* TLS: send decrypt_error if signature failed. */
   6514     	desc = isTLS ? decrypt_error : handshake_failure;
   6515 
   6516     	/*
   6517      	 *  check to make sure the hash is signed by right guy
   6518      	 */
   6519 	rv = ssl3_ComputeDHKeyHash(sigAndHash.hashAlg, dh_p, dh_g, dh_Ys,
   6520 					  &ss->ssl3.hs.client_random,
   6521 					  &ss->ssl3.hs.server_random,
   6522 					  &hashes, ss->opt.bypassPKCS11);
   6523         if (rv != SECSuccess) {
   6524 	    errCode =
   6525 	    	ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
   6526 	    goto alert_loser;
   6527 	}
   6528         rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature,
   6529 				    isTLS, ss->pkcs11PinArg);
   6530 	if (rv != SECSuccess)  {
   6531 	    errCode =
   6532 	    	ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
   6533 	    goto alert_loser;
   6534 	}
   6535 
   6536 	/*
   6537 	 * we really need to build a new key here because we can no longer
   6538 	 * ignore calling SECKEY_DestroyPublicKey. Using the key may allocate
   6539 	 * pkcs11 slots and ID's.
   6540 	 */
   6541     	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
   6542 	if (arena == NULL) {
   6543 	    goto no_memory;
   6544 	}
   6545 
   6546     	ss->sec.peerKey = peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey);
   6547     	if (peerKey == NULL) {
   6548 	    goto no_memory;
   6549 	}
   6550 
   6551 	peerKey->arena              = arena;
   6552 	peerKey->keyType            = dhKey;
   6553 	peerKey->pkcs11Slot         = NULL;
   6554 	peerKey->pkcs11ID           = CK_INVALID_HANDLE;
   6555 
   6556 	if (SECITEM_CopyItem(arena, &peerKey->u.dh.prime,        &dh_p) ||
   6557 	    SECITEM_CopyItem(arena, &peerKey->u.dh.base,         &dh_g) ||
   6558 	    SECITEM_CopyItem(arena, &peerKey->u.dh.publicValue,  &dh_Ys))
   6559 	{
   6560             PORT_FreeArena(arena, PR_FALSE);
   6561 	    goto no_memory;
   6562         }
   6563     	ss->sec.peerKey = peerKey;
   6564     	ss->ssl3.hs.ws = wait_cert_request;
   6565     	return SECSuccess;
   6566     }
   6567 
   6568 #ifdef NSS_ENABLE_ECC
   6569     case kt_ecdh:
   6570 	rv = ssl3_HandleECDHServerKeyExchange(ss, b, length);
   6571 	return rv;
   6572 #endif /* NSS_ENABLE_ECC */
   6573 
   6574     default:
   6575     	desc    = handshake_failure;
   6576 	errCode = SEC_ERROR_UNSUPPORTED_KEYALG;
   6577 	break;		/* goto alert_loser; */
   6578     }
   6579 
   6580 alert_loser:
   6581     (void)SSL3_SendAlert(ss, alert_fatal, desc);
   6582 loser:
   6583     PORT_SetError( errCode );
   6584     return SECFailure;
   6585 
   6586 no_memory:	/* no-memory error has already been set. */
   6587     ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
   6588     return SECFailure;
   6589 }
   6590 
   6591 
   6592 /*
   6593  * Returns true if the client authentication key is an RSA or DSA key that
   6594  * may be able to sign only SHA-1 hashes.
   6595  */
   6596 static PRBool
   6597 ssl3_ClientKeyPrefersSHA1(sslSocket *ss)
   6598 {
   6599     SECKEYPublicKey *pubk;
   6600     PRBool prefer_sha1 = PR_FALSE;
   6601 
   6602 #if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(_WIN32)
   6603     /* If the key is in CAPI, assume conservatively that the CAPI service
   6604      * provider may be unable to sign SHA-256 hashes.
   6605      */
   6606     if (ss->ssl3.platformClientKey->dwKeySpec != CERT_NCRYPT_KEY_SPEC) {
   6607 	/* CAPI only supports RSA and DSA signatures, so we don't need to
   6608 	 * check the key type. */
   6609 	return PR_TRUE;
   6610     }
   6611 #endif  /* NSS_PLATFORM_CLIENT_AUTH && _WIN32 */
   6612 
   6613     /* If the key is a 1024-bit RSA or DSA key, assume conservatively that
   6614      * it may be unable to sign SHA-256 hashes. This is the case for older
   6615      * Estonian ID cards that have 1024-bit RSA keys. In FIPS 186-2 and
   6616      * older, DSA key size is at most 1024 bits and the hash function must
   6617      * be SHA-1.
   6618      */
   6619     pubk = CERT_ExtractPublicKey(ss->ssl3.clientCertificate);
   6620     if (pubk == NULL) {
   6621 	return PR_FALSE;
   6622     }
   6623     if (pubk->keyType == rsaKey || pubk->keyType == dsaKey) {
   6624 	prefer_sha1 = SECKEY_PublicKeyStrength(pubk) <= 128;
   6625     }
   6626     SECKEY_DestroyPublicKey(pubk);
   6627     return prefer_sha1;
   6628 }
   6629 
   6630 /* Destroys the backup handshake hash context if we don't need it. */
   6631 static void
   6632 ssl3_DestroyBackupHandshakeHashIfNotNeeded(sslSocket *ss,
   6633 					   const SECItem *algorithms)
   6634 {
   6635     PRBool need_backup_hash = PR_FALSE;
   6636     unsigned int i;
   6637 
   6638     PORT_Assert(ss->ssl3.hs.md5);
   6639     if (ssl3_ClientKeyPrefersSHA1(ss)) {
   6640 	/* Use SHA-1 if the server supports it. */
   6641 	for (i = 0; i < algorithms->len; i += 2) {
   6642 	    if (algorithms->data[i] == tls_hash_sha1 &&
   6643 		(algorithms->data[i+1] == tls_sig_rsa ||
   6644 		 algorithms->data[i+1] == tls_sig_dsa)) {
   6645 		need_backup_hash = PR_TRUE;
   6646 		break;
   6647 	    }
   6648 	}
   6649     }
   6650     if (!need_backup_hash) {
   6651 	PK11_DestroyContext(ss->ssl3.hs.md5, PR_TRUE);
   6652 	ss->ssl3.hs.md5 = NULL;
   6653     }
   6654 }
   6655 
   6656 typedef struct dnameNode {
   6657     struct dnameNode *next;
   6658     SECItem           name;
   6659 } dnameNode;
   6660 
   6661 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
   6662  * ssl3 Certificate Request message.
   6663  * Caller must hold Handshake and RecvBuf locks.
   6664  */
   6665 static SECStatus
   6666 ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
   6667 {
   6668     PLArenaPool *        arena       = NULL;
   6669     dnameNode *          node;
   6670     PRInt32              remaining;
   6671     PRBool               isTLS       = PR_FALSE;
   6672     PRBool               isTLS12     = PR_FALSE;
   6673     int                  i;
   6674     int                  errCode     = SSL_ERROR_RX_MALFORMED_CERT_REQUEST;
   6675     int                  nnames      = 0;
   6676     SECStatus            rv;
   6677     SSL3AlertDescription desc        = illegal_parameter;
   6678     SECItem              cert_types  = {siBuffer, NULL, 0};
   6679     SECItem              algorithms  = {siBuffer, NULL, 0};
   6680     CERTDistNames        ca_list;
   6681 #ifdef NSS_PLATFORM_CLIENT_AUTH
   6682     CERTCertList *       platform_cert_list = NULL;
   6683     CERTCertListNode *   certNode = NULL;
   6684 #endif  /* NSS_PLATFORM_CLIENT_AUTH */
   6685 
   6686     SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake",
   6687 		SSL_GETPID(), ss->fd));
   6688     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
   6689     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
   6690 
   6691     if (ss->ssl3.hs.ws != wait_cert_request &&
   6692     	ss->ssl3.hs.ws != wait_server_key) {
   6693 	desc    = unexpected_message;
   6694 	errCode = SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST;
   6695 	goto alert_loser;
   6696     }
   6697 
   6698     PORT_Assert(ss->ssl3.clientCertChain == NULL);
   6699     PORT_Assert(ss->ssl3.clientCertificate == NULL);
   6700     PORT_Assert(ss->ssl3.clientPrivateKey == NULL);
   6701     PORT_Assert(ss->ssl3.platformClientKey == (PlatformKey)NULL);
   6702 
   6703     isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
   6704     isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
   6705     rv = ssl3_ConsumeHandshakeVariable(ss, &cert_types, 1, &b, &length);
   6706     if (rv != SECSuccess)
   6707     	goto loser;		/* malformed, alert has been sent */
   6708 
   6709     PORT_Assert(!ss->requestedCertTypes);
   6710     ss->requestedCertTypes = &cert_types;
   6711 
   6712     if (isTLS12) {
   6713 	rv = ssl3_ConsumeHandshakeVariable(ss, &algorithms, 2, &b, &length);
   6714 	if (rv != SECSuccess)
   6715 	    goto loser;		/* malformed, alert has been sent */
   6716 	/* An empty or odd-length value is invalid.
   6717 	 *    SignatureAndHashAlgorithm
   6718 	 *      supported_signature_algorithms<2..2^16-2>;
   6719 	 */
   6720 	if (algorithms.len == 0 || (algorithms.len & 1) != 0)
   6721 	    goto alert_loser;
   6722     }
   6723 
   6724     arena = ca_list.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
   6725     if (arena == NULL)
   6726     	goto no_mem;
   6727 
   6728     remaining = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
   6729     if (remaining < 0)
   6730     	goto loser;	 	/* malformed, alert has been sent */
   6731 
   6732     if ((PRUint32)remaining > length)
   6733 	goto alert_loser;
   6734 
   6735     ca_list.head = node = PORT_ArenaZNew(arena, dnameNode);
   6736     if (node == NULL)
   6737     	goto no_mem;
   6738 
   6739     while (remaining > 0) {
   6740 	PRInt32 len;
   6741 
   6742 	if (remaining < 2)
   6743 	    goto alert_loser;	/* malformed */
   6744 
   6745 	node->name.len = len = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
   6746 	if (len <= 0)
   6747 	    goto loser;		/* malformed, alert has been sent */
   6748 
   6749 	remaining -= 2;
   6750 	if (remaining < len)
   6751 	    goto alert_loser;	/* malformed */
   6752 
   6753 	node->name.data = b;
   6754 	b         += len;
   6755 	length    -= len;
   6756 	remaining -= len;
   6757 	nnames++;
   6758 	if (remaining <= 0)
   6759 	    break;		/* success */
   6760 
   6761 	node->next = PORT_ArenaZNew(arena, dnameNode);
   6762 	node = node->next;
   6763 	if (node == NULL)
   6764 	    goto no_mem;
   6765     }
   6766 
   6767     ca_list.nnames = nnames;
   6768     ca_list.names  = PORT_ArenaNewArray(arena, SECItem, nnames);
   6769     if (nnames > 0 && ca_list.names == NULL)
   6770         goto no_mem;
   6771 
   6772     for(i = 0, node = (dnameNode*)ca_list.head;
   6773 	i < nnames;
   6774 	i++, node = node->next) {
   6775 	ca_list.names[i] = node->name;
   6776     }
   6777 
   6778     if (length != 0)
   6779         goto alert_loser;   	/* malformed */
   6780 
   6781     desc = no_certificate;
   6782     ss->ssl3.hs.ws = wait_hello_done;
   6783 
   6784 #ifdef NSS_PLATFORM_CLIENT_AUTH
   6785     if (ss->getPlatformClientAuthData != NULL) {
   6786 	/* XXX Should pass cert_types and algorithms in this call!! */
   6787         rv = (SECStatus)(*ss->getPlatformClientAuthData)(
   6788                                         ss->getPlatformClientAuthDataArg,
   6789                                         ss->fd, &ca_list,
   6790                                         &platform_cert_list,
   6791                                         (void**)&ss->ssl3.platformClientKey,
   6792                                         &ss->ssl3.clientCertificate,
   6793                                         &ss->ssl3.clientPrivateKey);
   6794     } else
   6795 #endif
   6796     if (ss->getClientAuthData != NULL) {
   6797 	/* XXX Should pass cert_types and algorithms in this call!! */
   6798 	rv = (SECStatus)(*ss->getClientAuthData)(ss->getClientAuthDataArg,
   6799 						 ss->fd, &ca_list,
   6800 						 &ss->ssl3.clientCertificate,
   6801 						 &ss->ssl3.clientPrivateKey);
   6802     } else {
   6803 	rv = SECFailure; /* force it to send a no_certificate alert */
   6804     }
   6805 
   6806     switch (rv) {
   6807     case SECWouldBlock:	/* getClientAuthData has put up a dialog box. */
   6808 	ssl3_SetAlwaysBlock(ss);
   6809 	break;	/* not an error */
   6810 
   6811     case SECSuccess:
   6812 #ifdef NSS_PLATFORM_CLIENT_AUTH
   6813         if (!platform_cert_list || CERT_LIST_EMPTY(platform_cert_list) ||
   6814             !ss->ssl3.platformClientKey) {
   6815             if (platform_cert_list) {
   6816                 CERT_DestroyCertList(platform_cert_list);
   6817                 platform_cert_list = NULL;
   6818             }
   6819             if (ss->ssl3.platformClientKey) {
   6820                 ssl_FreePlatformKey(ss->ssl3.platformClientKey);
   6821                 ss->ssl3.platformClientKey = (PlatformKey)NULL;
   6822             }
   6823 	    /* Fall through to NSS client auth check */
   6824         } else {
   6825 	    certNode = CERT_LIST_HEAD(platform_cert_list);
   6826 	    ss->ssl3.clientCertificate = CERT_DupCertificate(certNode->cert);
   6827 
   6828 	    /* Setting ssl3.clientCertChain non-NULL will cause
   6829 	     * ssl3_HandleServerHelloDone to call SendCertificate.
   6830 	     * Note: clientCertChain should include the EE cert as
   6831 	     * clientCertificate is ignored during the actual sending
   6832 	     */
   6833 	    ss->ssl3.clientCertChain =
   6834 		    hack_NewCertificateListFromCertList(platform_cert_list);
   6835 	    CERT_DestroyCertList(platform_cert_list);
   6836 	    platform_cert_list = NULL;
   6837 	    if (ss->ssl3.clientCertChain == NULL) {
   6838 		if (ss->ssl3.clientCertificate != NULL) {
   6839 		    CERT_DestroyCertificate(ss->ssl3.clientCertificate);
   6840 		    ss->ssl3.clientCertificate = NULL;
   6841 		}
   6842 		if (ss->ssl3.platformClientKey) {
   6843 		    ssl_FreePlatformKey(ss->ssl3.platformClientKey);
   6844 		    ss->ssl3.platformClientKey = (PlatformKey)NULL;
   6845 		}
   6846 		goto send_no_certificate;
   6847 	    }
   6848 	    if (isTLS12) {
   6849 		ssl3_DestroyBackupHandshakeHashIfNotNeeded(ss, &algorithms);
   6850 	    }
   6851 	    break;  /* not an error */
   6852 	}
   6853 #endif   /* NSS_PLATFORM_CLIENT_AUTH */
   6854         /* check what the callback function returned */
   6855         if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) {
   6856             /* we are missing either the key or cert */
   6857             if (ss->ssl3.clientCertificate) {
   6858                 /* got a cert, but no key - free it */
   6859                 CERT_DestroyCertificate(ss->ssl3.clientCertificate);
   6860                 ss->ssl3.clientCertificate = NULL;
   6861             }
   6862             if (ss->ssl3.clientPrivateKey) {
   6863                 /* got a key, but no cert - free it */
   6864                 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
   6865                 ss->ssl3.clientPrivateKey = NULL;
   6866             }
   6867             goto send_no_certificate;
   6868         }
   6869 	/* Setting ssl3.clientCertChain non-NULL will cause
   6870 	 * ssl3_HandleServerHelloDone to call SendCertificate.
   6871 	 */
   6872 	ss->ssl3.clientCertChain = CERT_CertChainFromCert(
   6873 					ss->ssl3.clientCertificate,
   6874 					certUsageSSLClient, PR_FALSE);
   6875 	if (ss->ssl3.clientCertChain == NULL) {
   6876 	    if (ss->ssl3.clientCertificate != NULL) {
   6877 		CERT_DestroyCertificate(ss->ssl3.clientCertificate);
   6878 		ss->ssl3.clientCertificate = NULL;
   6879 	    }
   6880 	    if (ss->ssl3.clientPrivateKey != NULL) {
   6881 		SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
   6882 		ss->ssl3.clientPrivateKey = NULL;
   6883 	    }
   6884 	    goto send_no_certificate;
   6885 	}
   6886 	if (isTLS12) {
   6887 	    ssl3_DestroyBackupHandshakeHashIfNotNeeded(ss, &algorithms);
   6888 	}
   6889 	break;	/* not an error */
   6890 
   6891     case SECFailure:
   6892     default:
   6893 send_no_certificate:
   6894 	if (isTLS) {
   6895 	    ss->ssl3.sendEmptyCert = PR_TRUE;
   6896 	} else {
   6897 	    (void)SSL3_SendAlert(ss, alert_warning, no_certificate);
   6898 	}
   6899 	rv = SECSuccess;
   6900 	break;
   6901     }
   6902     goto done;
   6903 
   6904 no_mem:
   6905     rv = SECFailure;
   6906     PORT_SetError(SEC_ERROR_NO_MEMORY);
   6907     goto done;
   6908 
   6909 alert_loser:
   6910     if (isTLS && desc == illegal_parameter)
   6911     	desc = decode_error;
   6912     (void)SSL3_SendAlert(ss, alert_fatal, desc);
   6913 loser:
   6914     PORT_SetError(errCode);
   6915     rv = SECFailure;
   6916 done:
   6917     ss->requestedCertTypes = NULL;
   6918     if (arena != NULL)
   6919     	PORT_FreeArena(arena, PR_FALSE);
   6920 #ifdef NSS_PLATFORM_CLIENT_AUTH
   6921     if (platform_cert_list)
   6922         CERT_DestroyCertList(platform_cert_list);
   6923 #endif
   6924     return rv;
   6925 }
   6926 
   6927 /*
   6928  * attempt to restart the handshake after asynchronously handling
   6929  * a request for the client's certificate.
   6930  *
   6931  * inputs:
   6932  *	cert	Client cert chosen by application.
   6933  *		Note: ssl takes this reference, and does not bump the
   6934  *		reference count.  The caller should drop its reference
   6935  *		without calling CERT_DestroyCert after calling this function.
   6936  *
   6937  *	key	Private key associated with cert.  This function takes
   6938  *		ownership of the private key, so the caller should drop its
   6939  *		reference without destroying the private key after this
   6940  *		function returns.
   6941  *
   6942  *	certChain  DER-encoded certs, client cert and its signers.
   6943  *		Note: ssl takes this reference, and does not copy the chain.
   6944  *		The caller should drop its reference without destroying the
   6945  *		chain.  SSL will free the chain when it is done with it.
   6946  *
   6947  * Return value: XXX
   6948  *
   6949  * XXX This code only works on the initial handshake on a connection, XXX
   6950  *     It does not work on a subsequent handshake (redo).
   6951  *
   6952  * Caller holds 1stHandshakeLock.
   6953  */
   6954 SECStatus
   6955 ssl3_RestartHandshakeAfterCertReq(sslSocket *         ss,
   6956 				CERTCertificate *    cert,
   6957 				SECKEYPrivateKey *   key,
   6958 				CERTCertificateList *certChain)
   6959 {
   6960     SECStatus        rv          = SECSuccess;
   6961 
   6962     /* XXX This code only works on the initial handshake on a connection,
   6963     ** XXX It does not work on a subsequent handshake (redo).
   6964     */
   6965     if (ss->handshake != 0) {
   6966 	ss->handshake              = ssl_GatherRecord1stHandshake;
   6967 	ss->ssl3.clientCertificate = cert;
   6968 	ss->ssl3.clientPrivateKey  = key;
   6969 	ss->ssl3.clientCertChain   = certChain;
   6970         if (!cert || !key || !certChain) {
   6971             /* we are missing the key, cert, or cert chain */
   6972             if (ss->ssl3.clientCertificate) {
   6973                 CERT_DestroyCertificate(ss->ssl3.clientCertificate);
   6974                 ss->ssl3.clientCertificate = NULL;
   6975             }
   6976             if (ss->ssl3.clientPrivateKey) {
   6977                 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
   6978                 ss->ssl3.clientPrivateKey = NULL;
   6979             }
   6980             if (ss->ssl3.clientCertChain != NULL) {
   6981                 CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
   6982                 ss->ssl3.clientCertChain = NULL;
   6983             }
   6984             if (ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0) {
   6985                 ss->ssl3.sendEmptyCert = PR_TRUE;
   6986             } else {
   6987                 (void)SSL3_SendAlert(ss, alert_warning, no_certificate);
   6988             }
   6989 	}
   6990     } else {
   6991 	if (cert) {
   6992 	    CERT_DestroyCertificate(cert);
   6993 	}
   6994 	if (key) {
   6995 	    SECKEY_DestroyPrivateKey(key);
   6996 	}
   6997 	if (certChain) {
   6998 	    CERT_DestroyCertificateList(certChain);
   6999 	}
   7000 	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
   7001 	rv = SECFailure;
   7002     }
   7003     return rv;
   7004 }
   7005 
   7006 PRBool
   7007 ssl3_CanFalseStart(sslSocket *ss) {
   7008     PRBool rv;
   7009 
   7010     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
   7011 
   7012     /* XXX: does not take into account whether we are waiting for
   7013      * SSL_AuthCertificateComplete or SSL_RestartHandshakeAfterCertReq. If/when
   7014      * that is done, this function could return different results each time it
   7015      * would be called.
   7016      */
   7017 
   7018     ssl_GetSpecReadLock(ss);
   7019     rv = ss->opt.enableFalseStart &&
   7020 	 !ss->sec.isServer &&
   7021 	 !ss->ssl3.hs.isResuming &&
   7022 	 ss->ssl3.cwSpec &&
   7023 
   7024 	 /* An attacker can control the selected ciphersuite so we only wish to
   7025 	  * do False Start in the case that the selected ciphersuite is
   7026 	  * sufficiently strong that the attack can gain no advantage.
   7027 	  * Therefore we require an 80-bit cipher and a forward-secret key
   7028 	  * exchange. */
   7029 	 ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10 &&
   7030 	(ss->ssl3.hs.kea_def->kea == kea_dhe_dss ||
   7031 	 ss->ssl3.hs.kea_def->kea == kea_dhe_rsa ||
   7032 	 ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa ||
   7033 	 ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa);
   7034     ssl_ReleaseSpecReadLock(ss);
   7035     return rv;
   7036 }
   7037 
   7038 static SECStatus ssl3_SendClientSecondRound(sslSocket *ss);
   7039 
   7040 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
   7041  * ssl3 Server Hello Done message.
   7042  * Caller must hold Handshake and RecvBuf locks.
   7043  */
   7044 static SECStatus
   7045 ssl3_HandleServerHelloDone(sslSocket *ss)
   7046 {
   7047     SECStatus     rv;
   7048     SSL3WaitState ws          = ss->ssl3.hs.ws;
   7049 
   7050     SSL_TRC(3, ("%d: SSL3[%d]: handle server_hello_done handshake",
   7051 		SSL_GETPID(), ss->fd));
   7052     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
   7053     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
   7054 
   7055     if (ws != wait_hello_done  &&
   7056         ws != wait_server_cert &&
   7057 	ws != wait_server_key  &&
   7058 	ws != wait_cert_request) {
   7059 	SSL3_SendAlert(ss, alert_fatal, unexpected_message);
   7060 	PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
   7061 	return SECFailure;
   7062     }
   7063 
   7064     rv = ssl3_SendClientSecondRound(ss);
   7065 
   7066     return rv;
   7067 }
   7068 
   7069 /* Called from ssl3_HandleServerHelloDone and ssl3_AuthCertificateComplete.
   7070  *
   7071  * Caller must hold Handshake and RecvBuf locks.
   7072  */
   7073 static SECStatus
   7074 ssl3_SendClientSecondRound(sslSocket *ss)
   7075 {
   7076     SECStatus rv;
   7077     PRBool sendClientCert;
   7078 
   7079     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
   7080     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
   7081 
   7082     sendClientCert = !ss->ssl3.sendEmptyCert &&
   7083 		     ss->ssl3.clientCertChain  != NULL &&
   7084 		     (ss->ssl3.platformClientKey ||
   7085 		     ss->ssl3.clientPrivateKey != NULL);
   7086 
   7087     if (!sendClientCert &&
   7088 	ss->ssl3.hs.hashType == handshake_hash_single && ss->ssl3.hs.md5) {
   7089 	/* Don't need the backup handshake hash. */
   7090 	PK11_DestroyContext(ss->ssl3.hs.md5, PR_TRUE);
   7091 	ss->ssl3.hs.md5 = NULL;
   7092     }
   7093 
   7094     /* We must wait for the server's certificate to be authenticated before
   7095      * sending the client certificate in order to disclosing the client
   7096      * certificate to an attacker that does not have a valid cert for the
   7097      * domain we are connecting to.
   7098      *
   7099      * XXX: We should do the same for the NPN extension, but for that we
   7100      * need an option to give the application the ability to leak the NPN
   7101      * information to get better performance.
   7102      *
   7103      * During the initial handshake on a connection, we never send/receive
   7104      * application data until we have authenticated the server's certificate;
   7105      * i.e. we have fully authenticated the handshake before using the cipher
   7106      * specs agreed upon for that handshake. During a renegotiation, we may
   7107      * continue sending and receiving application data during the handshake
   7108      * interleaved with the handshake records. If we were to send the client's
   7109      * second round for a renegotiation before the server's certificate was
   7110      * authenticated, then the application data sent/received after this point
   7111      * would be using cipher spec that hadn't been authenticated. By waiting
   7112      * until the server's certificate has been authenticated during
   7113      * renegotiations, we ensure that renegotiations have the same property
   7114      * as initial handshakes; i.e. we have fully authenticated the handshake
   7115      * before using the cipher specs agreed upon for that handshake for
   7116      * application data.
   7117      */
   7118     if (ss->ssl3.hs.restartTarget) {
   7119 	PR_NOT_REACHED("unexpected ss->ssl3.hs.restartTarget");
   7120 	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
   7121 	return SECFailure;
   7122     }
   7123     if (ss->ssl3.hs.authCertificatePending &&
   7124 	(sendClientCert || ss->ssl3.sendEmptyCert || ss->firstHsDone)) {
   7125 	ss->ssl3.hs.restartTarget = ssl3_SendClientSecondRound;
   7126 	return SECWouldBlock;
   7127     }
   7128 
   7129     ssl_GetXmitBufLock(ss);		/*******************************/
   7130 
   7131     if (ss->ssl3.sendEmptyCert) {
   7132 	ss->ssl3.sendEmptyCert = PR_FALSE;
   7133 	rv = ssl3_SendEmptyCertificate(ss);
   7134 	/* Don't send verify */
   7135 	if (rv != SECSuccess) {
   7136 	    goto loser;	/* error code is set. */
   7137     	}
   7138     } else if (sendClientCert) {
   7139 	rv = ssl3_SendCertificate(ss);
   7140 	if (rv != SECSuccess) {
   7141 	    goto loser;	/* error code is set. */
   7142     	}
   7143     }
   7144 
   7145     rv = ssl3_SendClientKeyExchange(ss);
   7146     if (rv != SECSuccess) {
   7147     	goto loser;	/* err is set. */
   7148     }
   7149 
   7150     if (sendClientCert) {
   7151 	rv = ssl3_SendCertificateVerify(ss);
   7152 	if (rv != SECSuccess) {
   7153 	    goto loser;	/* err is set. */
   7154         }
   7155     }
   7156 
   7157     rv = ssl3_SendChangeCipherSpecs(ss);
   7158     if (rv != SECSuccess) {
   7159 	goto loser;	/* err code was set. */
   7160     }
   7161 
   7162     /* XXX: If the server's certificate hasn't been authenticated by this
   7163      * point, then we may be leaking this NPN message to an attacker.
   7164      */
   7165     if (!ss->firstHsDone) {
   7166 	rv = ssl3_SendNextProto(ss);
   7167 	if (rv != SECSuccess) {
   7168 	    goto loser;	/* err code was set. */
   7169 	}
   7170     }
   7171     rv = ssl3_SendEncryptedExtensions(ss);
   7172     if (rv != SECSuccess) {
   7173 	goto loser; /* err code was set. */
   7174     }
   7175 
   7176     rv = ssl3_SendFinished(ss, 0);
   7177     if (rv != SECSuccess) {
   7178 	goto loser;	/* err code was set. */
   7179     }
   7180 
   7181     ssl_ReleaseXmitBufLock(ss);		/*******************************/
   7182 
   7183     if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn))
   7184 	ss->ssl3.hs.ws = wait_new_session_ticket;
   7185     else
   7186 	ss->ssl3.hs.ws = wait_change_cipher;
   7187 
   7188     /* Do the handshake callback for sslv3 here, if we can false start. */
   7189     if (ss->handshakeCallback != NULL && ssl3_CanFalseStart(ss)) {
   7190 	(ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
   7191     }
   7192 
   7193     return SECSuccess;
   7194 
   7195 loser:
   7196     ssl_ReleaseXmitBufLock(ss);
   7197     return rv;
   7198 }
   7199 
   7200 /*
   7201  * Routines used by servers
   7202  */
   7203 static SECStatus
   7204 ssl3_SendHelloRequest(sslSocket *ss)
   7205 {
   7206     SECStatus rv;
   7207 
   7208     SSL_TRC(3, ("%d: SSL3[%d]: send hello_request handshake", SSL_GETPID(),
   7209 		ss->fd));
   7210 
   7211     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
   7212     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
   7213 
   7214     rv = ssl3_AppendHandshakeHeader(ss, hello_request, 0);
   7215     if (rv != SECSuccess) {
   7216 	return rv;	/* err set by AppendHandshake */
   7217     }
   7218     rv = ssl3_FlushHandshake(ss, 0);
   7219     if (rv != SECSuccess) {
   7220 	return rv;	/* error code set by ssl3_FlushHandshake */
   7221     }
   7222     ss->ssl3.hs.ws = wait_client_hello;
   7223     return SECSuccess;
   7224 }
   7225 
   7226 /*
   7227  * Called from:
   7228  *	ssl3_HandleClientHello()
   7229  */
   7230 static SECComparison
   7231 ssl3_ServerNameCompare(const SECItem *name1, const SECItem *name2)
   7232 {
   7233     if (!name1 != !name2) {
   7234         return SECLessThan;
   7235     }
   7236     if (!name1) {
   7237         return SECEqual;
   7238     }
   7239     if (name1->type != name2->type) {
   7240         return SECLessThan;
   7241     }
   7242     return SECITEM_CompareItem(name1, name2);
   7243 }
   7244 
   7245 /* Sets memory error when returning NULL.
   7246  * Called from:
   7247  *	ssl3_SendClientHello()
   7248  *	ssl3_HandleServerHello()
   7249  *	ssl3_HandleClientHello()
   7250  *	ssl3_HandleV2ClientHello()
   7251  */
   7252 sslSessionID *
   7253 ssl3_NewSessionID(sslSocket *ss, PRBool is_server)
   7254 {
   7255     sslSessionID *sid;
   7256 
   7257     sid = PORT_ZNew(sslSessionID);
   7258     if (sid == NULL)
   7259     	return sid;
   7260 
   7261     if (is_server) {
   7262         const SECItem *  srvName;
   7263         SECStatus        rv = SECSuccess;
   7264 
   7265         ssl_GetSpecReadLock(ss);	/********************************/
   7266         srvName = &ss->ssl3.prSpec->srvVirtName;
   7267         if (srvName->len && srvName->data) {
   7268             rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.srvName, srvName);
   7269         }
   7270         ssl_ReleaseSpecReadLock(ss); /************************************/
   7271         if (rv != SECSuccess) {
   7272             PORT_Free(sid);
   7273             return NULL;
   7274         }
   7275     }
   7276     sid->peerID		= (ss->peerID == NULL) ? NULL : PORT_Strdup(ss->peerID);
   7277     sid->urlSvrName	= (ss->url    == NULL) ? NULL : PORT_Strdup(ss->url);
   7278     sid->addr           = ss->sec.ci.peer;
   7279     sid->port           = ss->sec.ci.port;
   7280     sid->references     = 1;
   7281     sid->cached         = never_cached;
   7282     sid->version        = ss->version;
   7283 
   7284     sid->u.ssl3.keys.resumable = PR_TRUE;
   7285     sid->u.ssl3.policy         = SSL_ALLOWED;
   7286     sid->u.ssl3.clientWriteKey = NULL;
   7287     sid->u.ssl3.serverWriteKey = NULL;
   7288 
   7289     if (is_server) {
   7290 	SECStatus rv;
   7291 	int       pid = SSL_GETPID();
   7292 
   7293 	sid->u.ssl3.sessionIDLength = SSL3_SESSIONID_BYTES;
   7294 	sid->u.ssl3.sessionID[0]    = (pid >> 8) & 0xff;
   7295 	sid->u.ssl3.sessionID[1]    =  pid       & 0xff;
   7296 	rv = PK11_GenerateRandom(sid->u.ssl3.sessionID + 2,
   7297 	                         SSL3_SESSIONID_BYTES -2);
   7298 	if (rv != SECSuccess) {
   7299 	    ssl_FreeSID(sid);
   7300 	    ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
   7301 	    return NULL;
   7302     	}
   7303     }
   7304     return sid;
   7305 }
   7306 
   7307 /* Called from:  ssl3_HandleClientHello, ssl3_HandleV2ClientHello */
   7308 static SECStatus
   7309 ssl3_SendServerHelloSequence(sslSocket *ss)
   7310 {
   7311     const ssl3KEADef *kea_def;
   7312     SECStatus         rv;
   7313 
   7314     SSL_TRC(3, ("%d: SSL3[%d]: begin send server_hello sequence",
   7315 		SSL_GETPID(), ss->fd));
   7316 
   7317     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
   7318     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
   7319 
   7320     rv = ssl3_SendServerHello(ss);
   7321     if (rv != SECSuccess) {
   7322 	return rv;	/* err code is set. */
   7323     }
   7324     rv = ssl3_SendCertificate(ss);
   7325     if (rv != SECSuccess) {
   7326 	return rv;	/* error code is set. */
   7327     }
   7328     rv = ssl3_SendCertificateStatus(ss);
   7329     if (rv != SECSuccess) {
   7330 	return rv;	/* error code is set. */
   7331     }
   7332     /* We have to do this after the call to ssl3_SendServerHello,
   7333      * because kea_def is set up by ssl3_SendServerHello().
   7334      */
   7335     kea_def = ss->ssl3.hs.kea_def;
   7336     ss->ssl3.hs.usedStepDownKey = PR_FALSE;
   7337 
   7338     if (kea_def->is_limited && kea_def->exchKeyType == kt_rsa) {
   7339 	/* see if we can legally use the key in the cert. */
   7340 	int keyLen;  /* bytes */
   7341 
   7342 	keyLen = PK11_GetPrivateModulusLen(
   7343 			    ss->serverCerts[kea_def->exchKeyType].SERVERKEY);
   7344 
   7345 	if (keyLen > 0 &&
   7346 	    keyLen * BPB <= kea_def->key_size_limit ) {
   7347 	    /* XXX AND cert is not signing only!! */
   7348 	    /* just fall through and use it. */
   7349 	} else if (ss->stepDownKeyPair != NULL) {
   7350 	    ss->ssl3.hs.usedStepDownKey = PR_TRUE;
   7351 	    rv = ssl3_SendServerKeyExchange(ss);
   7352 	    if (rv != SECSuccess) {
   7353 		return rv;	/* err code was set. */
   7354 	    }
   7355 	} else {
   7356 #ifndef HACKED_EXPORT_SERVER
   7357 	    PORT_SetError(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED);
   7358 	    return rv;
   7359 #endif
   7360 	}
   7361 #ifdef NSS_ENABLE_ECC
   7362     } else if ((kea_def->kea == kea_ecdhe_rsa) ||
   7363 	       (kea_def->kea == kea_ecdhe_ecdsa)) {
   7364 	rv = ssl3_SendServerKeyExchange(ss);
   7365 	if (rv != SECSuccess) {
   7366 	    return rv;	/* err code was set. */
   7367 	}
   7368 #endif /* NSS_ENABLE_ECC */
   7369     }
   7370 
   7371     if (ss->opt.requestCertificate) {
   7372 	rv = ssl3_SendCertificateRequest(ss);
   7373 	if (rv != SECSuccess) {
   7374 	    return rv;		/* err code is set. */
   7375 	}
   7376     }
   7377     rv = ssl3_SendServerHelloDone(ss);
   7378     if (rv != SECSuccess) {
   7379 	return rv;		/* err code is set. */
   7380     }
   7381 
   7382     ss->ssl3.hs.ws = (ss->opt.requestCertificate) ? wait_client_cert
   7383                                                : wait_client_key;
   7384     return SECSuccess;
   7385 }
   7386 
   7387 /* An empty TLS Renegotiation Info (RI) extension */
   7388 static const PRUint8 emptyRIext[5] = {0xff, 0x01, 0x00, 0x01, 0x00};
   7389 
   7390 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
   7391  * ssl3 Client Hello message.
   7392  * Caller must hold Handshake and RecvBuf locks.
   7393  */
   7394 static SECStatus
   7395 ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
   7396 {
   7397     sslSessionID *      sid      = NULL;
   7398     PRInt32		tmp;
   7399     unsigned int        i;
   7400     int                 j;
   7401     SECStatus           rv;
   7402     int                 errCode  = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO;
   7403     SSL3AlertDescription desc    = illegal_parameter;
   7404     SSL3AlertLevel      level    = alert_fatal;
   7405     SSL3ProtocolVersion version;
   7406     SECItem             sidBytes = {siBuffer, NULL, 0};
   7407     SECItem             cookieBytes = {siBuffer, NULL, 0};
   7408     SECItem             suites   = {siBuffer, NULL, 0};
   7409     SECItem             comps    = {siBuffer, NULL, 0};
   7410     PRBool              haveSpecWriteLock = PR_FALSE;
   7411     PRBool              haveXmitBufLock   = PR_FALSE;
   7412 
   7413     SSL_TRC(3, ("%d: SSL3[%d]: handle client_hello handshake",
   7414     	SSL_GETPID(), ss->fd));
   7415 
   7416     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
   7417     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
   7418     PORT_Assert( ss->ssl3.initialized );
   7419 
   7420     /* Get peer name of client */
   7421     rv = ssl_GetPeerInfo(ss);
   7422     if (rv != SECSuccess) {
   7423 	return rv;		/* error code is set. */
   7424     }
   7425 
   7426     /* Clearing the handshake pointers so that ssl_Do1stHandshake won't
   7427      * call ssl2_HandleMessage.
   7428      *
   7429      * The issue here is that TLS ordinarily starts out in
   7430      * ssl2_HandleV3HandshakeRecord() because of the backward-compatibility
   7431      * code paths. That function zeroes these next pointers. But with DTLS,
   7432      * we don't even try to do the v2 ClientHello so we skip that function
   7433      * and need to reset these values here.
   7434      */
   7435     if (IS_DTLS(ss)) {
   7436 	ss->nextHandshake     = 0;
   7437 	ss->securityHandshake = 0;
   7438     }
   7439 
   7440     /* We might be starting session renegotiation in which case we should
   7441      * clear previous state.
   7442      */
   7443     PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
   7444     ss->statelessResume = PR_FALSE;
   7445 
   7446     if ((ss->ssl3.hs.ws != wait_client_hello) &&
   7447 	(ss->ssl3.hs.ws != idle_handshake)) {
   7448 	desc    = unexpected_message;
   7449 	errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO;
   7450 	goto alert_loser;
   7451     }
   7452     if (ss->ssl3.hs.ws == idle_handshake  &&
   7453         ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) {
   7454 	desc    = no_renegotiation;
   7455 	level   = alert_warning;
   7456 	errCode = SSL_ERROR_RENEGOTIATION_NOT_ALLOWED;
   7457 	goto alert_loser;
   7458     }
   7459 
   7460     if (IS_DTLS(ss)) {
   7461 	dtls_RehandshakeCleanup(ss);
   7462     }
   7463 
   7464     tmp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
   7465     if (tmp < 0)
   7466 	goto loser;		/* malformed, alert already sent */
   7467 
   7468     /* Translate the version */
   7469     if (IS_DTLS(ss)) {
   7470 	ss->clientHelloVersion = version =
   7471 	    dtls_DTLSVersionToTLSVersion((SSL3ProtocolVersion)tmp);
   7472     } else {
   7473 	ss->clientHelloVersion = version = (SSL3ProtocolVersion)tmp;
   7474     }
   7475 
   7476     rv = ssl3_NegotiateVersion(ss, version, PR_TRUE);
   7477     if (rv != SECSuccess) {
   7478     	desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version
   7479 	                                           : handshake_failure;
   7480 	errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
   7481 	goto alert_loser;
   7482     }
   7483 
   7484     rv = ssl3_InitHandshakeHashes(ss);
   7485     if (rv != SECSuccess) {
   7486 	desc = internal_error;
   7487 	errCode = PORT_GetError();
   7488 	goto alert_loser;
   7489     }
   7490 
   7491     /* grab the client random data. */
   7492     rv = ssl3_ConsumeHandshake(
   7493 	ss, &ss->ssl3.hs.client_random, SSL3_RANDOM_LENGTH, &b, &length);
   7494     if (rv != SECSuccess) {
   7495 	goto loser;		/* malformed */
   7496     }
   7497 
   7498     /* grab the client's SID, if present. */
   7499     rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length);
   7500     if (rv != SECSuccess) {
   7501 	goto loser;		/* malformed */
   7502     }
   7503 
   7504     /* grab the client's cookie, if present. */
   7505     if (IS_DTLS(ss)) {
   7506 	rv = ssl3_ConsumeHandshakeVariable(ss, &cookieBytes, 1, &b, &length);
   7507 	if (rv != SECSuccess) {
   7508 	    goto loser;		/* malformed */
   7509 	}
   7510     }
   7511 
   7512     /* grab the list of cipher suites. */
   7513     rv = ssl3_ConsumeHandshakeVariable(ss, &suites, 2, &b, &length);
   7514     if (rv != SECSuccess) {
   7515 	goto loser;		/* malformed */
   7516     }
   7517 
   7518     /* grab the list of compression methods. */
   7519     rv = ssl3_ConsumeHandshakeVariable(ss, &comps, 1, &b, &length);
   7520     if (rv != SECSuccess) {
   7521 	goto loser;		/* malformed */
   7522     }
   7523 
   7524     desc = handshake_failure;
   7525 
   7526     /* Handle TLS hello extensions for SSL3 & TLS. We do not know if
   7527      * we are restarting a previous session until extensions have been
   7528      * parsed, since we might have received a SessionTicket extension.
   7529      * Note: we allow extensions even when negotiating SSL3 for the sake
   7530      * of interoperability (and backwards compatibility).
   7531      */
   7532 
   7533     if (length) {
   7534 	/* Get length of hello extensions */
   7535 	PRInt32 extension_length;
   7536 	extension_length = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
   7537 	if (extension_length < 0) {
   7538 	    goto loser;				/* alert already sent */
   7539 	}
   7540 	if (extension_length != length) {
   7541 	    ssl3_DecodeError(ss);		/* send alert */
   7542 	    goto loser;
   7543 	}
   7544 	rv = ssl3_HandleHelloExtensions(ss, &b, &length);
   7545 	if (rv != SECSuccess) {
   7546 	    goto loser;		/* malformed */
   7547 	}
   7548     }
   7549     if (!ssl3_ExtensionNegotiated(ss, ssl_renegotiation_info_xtn)) {
   7550     	/* If we didn't receive an RI extension, look for the SCSV,
   7551 	 * and if found, treat it just like an empty RI extension
   7552 	 * by processing a local copy of an empty RI extension.
   7553 	 */
   7554 	for (i = 0; i + 1 < suites.len; i += 2) {
   7555 	    PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1];
   7556 	    if (suite_i == TLS_EMPTY_RENEGOTIATION_INFO_SCSV) {
   7557 		SSL3Opaque * b2 = (SSL3Opaque *)emptyRIext;
   7558 		PRUint32     L2 = sizeof emptyRIext;
   7559 		(void)ssl3_HandleHelloExtensions(ss, &b2, &L2);
   7560 	    	break;
   7561 	    }
   7562 	}
   7563     }
   7564     if (ss->firstHsDone &&
   7565         (ss->opt.enableRenegotiation == SSL_RENEGOTIATE_REQUIRES_XTN ||
   7566         ss->opt.enableRenegotiation == SSL_RENEGOTIATE_TRANSITIONAL) &&
   7567 	!ssl3_ExtensionNegotiated(ss, ssl_renegotiation_info_xtn)) {
   7568 	desc    = no_renegotiation;
   7569 	level   = alert_warning;
   7570 	errCode = SSL_ERROR_RENEGOTIATION_NOT_ALLOWED;
   7571 	goto alert_loser;
   7572     }
   7573     if ((ss->opt.requireSafeNegotiation ||
   7574          (ss->firstHsDone && ss->peerRequestedProtection)) &&
   7575 	!ssl3_ExtensionNegotiated(ss, ssl_renegotiation_info_xtn)) {
   7576 	desc = handshake_failure;
   7577 	errCode = SSL_ERROR_UNSAFE_NEGOTIATION;
   7578     	goto alert_loser;
   7579     }
   7580 
   7581     /* We do stateful resumes only if either of the following
   7582      * conditions are satisfied: (1) the client does not support the
   7583      * session ticket extension, or (2) the client support the session
   7584      * ticket extension, but sent an empty ticket.
   7585      */
   7586     if (!ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn) ||
   7587 	ss->xtnData.emptySessionTicket) {
   7588 	if (sidBytes.len > 0 && !ss->opt.noCache) {
   7589 	    SSL_TRC(7, ("%d: SSL3[%d]: server, lookup client session-id for 0x%08x%08x%08x%08x",
   7590 			SSL_GETPID(), ss->fd, ss->sec.ci.peer.pr_s6_addr32[0],
   7591 			ss->sec.ci.peer.pr_s6_addr32[1],
   7592 			ss->sec.ci.peer.pr_s6_addr32[2],
   7593 			ss->sec.ci.peer.pr_s6_addr32[3]));
   7594 	    if (ssl_sid_lookup) {
   7595 		sid = (*ssl_sid_lookup)(&ss->sec.ci.peer, sidBytes.data,
   7596 					sidBytes.len, ss->dbHandle);
   7597 	    } else {
   7598 		errCode = SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED;
   7599 		goto loser;
   7600 	    }
   7601 	}
   7602     } else if (ss->statelessResume) {
   7603 	/* Fill in the client's session ID if doing a stateless resume.
   7604 	 * (When doing stateless resumes, server echos client's SessionID.)
   7605 	 */
   7606 	sid = ss->sec.ci.sid;
   7607 	PORT_Assert(sid != NULL);  /* Should have already been filled in.*/
   7608 
   7609 	if (sidBytes.len > 0 && sidBytes.len <= SSL3_SESSIONID_BYTES) {
   7610 	    sid->u.ssl3.sessionIDLength = sidBytes.len;
   7611 	    PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data,
   7612 		sidBytes.len);
   7613 	    sid->u.ssl3.sessionIDLength = sidBytes.len;
   7614 	} else {
   7615 	    sid->u.ssl3.sessionIDLength = 0;
   7616 	}
   7617 	ss->sec.ci.sid = NULL;
   7618     }
   7619 
   7620     /* We only send a session ticket extension if the client supports
   7621      * the extension and we are unable to do either a stateful or
   7622      * stateless resume.
   7623      *
   7624      * TODO: send a session ticket if performing a stateful
   7625      * resumption.  (As per RFC4507, a server may issue a session
   7626      * ticket while doing a (stateless or stateful) session resume,
   7627      * but OpenSSL-0.9.8g does not accept session tickets while
   7628      * resuming.)
   7629      */
   7630     if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn) && sid == NULL) {
   7631 	ssl3_RegisterServerHelloExtensionSender(ss,
   7632 	    ssl_session_ticket_xtn, ssl3_SendSessionTicketXtn);
   7633     }
   7634 
   7635     if (sid != NULL) {
   7636 	/* We've found a session cache entry for this client.
   7637 	 * Now, if we're going to require a client-auth cert,
   7638 	 * and we don't already have this client's cert in the session cache,
   7639 	 * and this is the first handshake on this connection (not a redo),
   7640 	 * then drop this old cache entry and start a new session.
   7641 	 */
   7642 	if ((sid->peerCert == NULL) && ss->opt.requestCertificate &&
   7643 	    ((ss->opt.requireCertificate == SSL_REQUIRE_ALWAYS) ||
   7644 	     (ss->opt.requireCertificate == SSL_REQUIRE_NO_ERROR) ||
   7645 	     ((ss->opt.requireCertificate == SSL_REQUIRE_FIRST_HANDSHAKE)
   7646 	      && !ss->firstHsDone))) {
   7647 
   7648 	    SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_not_ok );
   7649 	    if (ss->sec.uncache)
   7650                 ss->sec.uncache(sid);
   7651 	    ssl_FreeSID(sid);
   7652 	    sid = NULL;
   7653 	}
   7654     }
   7655 
   7656 #ifdef NSS_ENABLE_ECC
   7657     /* Disable any ECC cipher suites for which we have no cert. */
   7658     ssl3_FilterECCipherSuitesByServerCerts(ss);
   7659 #endif
   7660 
   7661     if (IS_DTLS(ss)) {
   7662 	ssl3_DisableNonDTLSSuites(ss);
   7663     }
   7664 
   7665 #ifdef PARANOID
   7666     /* Look for a matching cipher suite. */
   7667     j = ssl3_config_match_init(ss);
   7668     if (j <= 0) {		/* no ciphers are working/supported by PK11 */
   7669     	errCode = PORT_GetError();	/* error code is already set. */
   7670 	goto alert_loser;
   7671     }
   7672 #endif
   7673 
   7674     /* If we already have a session for this client, be sure to pick the
   7675     ** same cipher suite and compression method we picked before.
   7676     ** This is not a loop, despite appearances.
   7677     */
   7678     if (sid) do {
   7679 	ssl3CipherSuiteCfg *suite;
   7680 
   7681 	/* Check that the cached compression method is still enabled. */
   7682 	if (!compressionEnabled(ss, sid->u.ssl3.compression))
   7683 	    break;
   7684 
   7685 	/* Check that the cached compression method is in the client's list */
   7686 	for (i = 0; i < comps.len; i++) {
   7687 	    if (comps.data[i] == sid->u.ssl3.compression)
   7688 		break;
   7689 	}
   7690 	if (i == comps.len)
   7691 	    break;
   7692 
   7693 	suite = ss->cipherSuites;
   7694 	/* Find the entry for the cipher suite used in the cached session. */
   7695 	for (j = ssl_V3_SUITES_IMPLEMENTED; j > 0; --j, ++suite) {
   7696 	    if (suite->cipher_suite == sid->u.ssl3.cipherSuite)
   7697 		break;
   7698 	}
   7699 	PORT_Assert(j > 0);
   7700 	if (j <= 0)
   7701 	    break;
   7702 #ifdef PARANOID
   7703 	/* Double check that the cached cipher suite is still enabled,
   7704 	 * implemented, and allowed by policy.  Might have been disabled.
   7705 	 * The product policy won't change during the process lifetime.
   7706 	 * Implemented ("isPresent") shouldn't change for servers.
   7707 	 */
   7708 	if (!config_match(suite, ss->ssl3.policy, PR_TRUE))
   7709 	    break;
   7710 #else
   7711 	if (!suite->enabled)
   7712 	    break;
   7713 #endif
   7714 	/* Double check that the cached cipher suite is in the client's list */
   7715 	for (i = 0; i + 1 < suites.len; i += 2) {
   7716 	    PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1];
   7717 	    if (suite_i == suite->cipher_suite) {
   7718 		ss->ssl3.hs.cipher_suite = suite->cipher_suite;
   7719 		ss->ssl3.hs.suite_def =
   7720 		    ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite);
   7721 
   7722 		/* Use the cached compression method. */
   7723 		ss->ssl3.hs.compression = sid->u.ssl3.compression;
   7724 		goto compression_found;
   7725 	    }
   7726 	}
   7727     } while (0);
   7728 
   7729     /* START A NEW SESSION */
   7730 
   7731 #ifndef PARANOID
   7732     /* Look for a matching cipher suite. */
   7733     j = ssl3_config_match_init(ss);
   7734     if (j <= 0) {		/* no ciphers are working/supported by PK11 */
   7735     	errCode = PORT_GetError();	/* error code is already set. */
   7736 	goto alert_loser;
   7737     }
   7738 #endif
   7739 
   7740     /* Select a cipher suite.
   7741     **
   7742     ** NOTE: This suite selection algorithm should be the same as the one in
   7743     ** ssl3_HandleV2ClientHello().
   7744     **
   7745     ** If TLS 1.0 is enabled, we could handle the case where the client
   7746     ** offered TLS 1.1 but offered only export cipher suites by choosing TLS
   7747     ** 1.0 and selecting one of those export cipher suites. However, a secure
   7748     ** TLS 1.1 client should not have export cipher suites enabled at all,
   7749     ** and a TLS 1.1 client should definitely not be offering *only* export
   7750     ** cipher suites. Therefore, we refuse to negotiate export cipher suites
   7751     ** with any client that indicates support for TLS 1.1 or higher when we
   7752     ** (the server) have TLS 1.1 support enabled.
   7753     */
   7754     for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
   7755 	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
   7756 	if (!config_match(suite, ss->ssl3.policy, PR_TRUE) ||
   7757 	    !ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite,
   7758 					       ss->version)) {
   7759 	    continue;
   7760 	}
   7761 	for (i = 0; i + 1 < suites.len; i += 2) {
   7762 	    PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1];
   7763 	    if (suite_i == suite->cipher_suite) {
   7764 		ss->ssl3.hs.cipher_suite = suite->cipher_suite;
   7765 		ss->ssl3.hs.suite_def =
   7766 		    ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite);
   7767 		goto suite_found;
   7768 	    }
   7769 	}
   7770     }
   7771     errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
   7772     goto alert_loser;
   7773 
   7774 suite_found:
   7775     /* Look for a matching compression algorithm. */
   7776     for (i = 0; i < comps.len; i++) {
   7777 	if (!compressionEnabled(ss, comps.data[i]))
   7778 	    continue;
   7779 	for (j = 0; j < compressionMethodsCount; j++) {
   7780 	    if (comps.data[i] == compressions[j]) {
   7781 		ss->ssl3.hs.compression =
   7782 					(SSLCompressionMethod)compressions[j];
   7783 		goto compression_found;
   7784 	    }
   7785 	}
   7786     }
   7787     errCode = SSL_ERROR_NO_COMPRESSION_OVERLAP;
   7788     				/* null compression must be supported */
   7789     goto alert_loser;
   7790 
   7791 compression_found:
   7792     suites.data = NULL;
   7793     comps.data = NULL;
   7794 
   7795     ss->sec.send = ssl3_SendApplicationData;
   7796 
   7797     /* If there are any failures while processing the old sid,
   7798      * we don't consider them to be errors.  Instead, We just behave
   7799      * as if the client had sent us no sid to begin with, and make a new one.
   7800      */
   7801     if (sid != NULL) do {
   7802 	ssl3CipherSpec *pwSpec;
   7803 	SECItem         wrappedMS;  	/* wrapped key */
   7804 
   7805 	if (sid->version != ss->version  ||
   7806 	    sid->u.ssl3.cipherSuite != ss->ssl3.hs.cipher_suite ||
   7807 	    sid->u.ssl3.compression != ss->ssl3.hs.compression) {
   7808 	    break;	/* not an error */
   7809 	}
   7810 
   7811 	if (ss->sec.ci.sid) {
   7812 	    if (ss->sec.uncache)
   7813                 ss->sec.uncache(ss->sec.ci.sid);
   7814 	    PORT_Assert(ss->sec.ci.sid != sid);  /* should be impossible, but ... */
   7815 	    if (ss->sec.ci.sid != sid) {
   7816 		ssl_FreeSID(ss->sec.ci.sid);
   7817 	    }
   7818 	    ss->sec.ci.sid = NULL;
   7819 	}
   7820 	/* we need to resurrect the master secret.... */
   7821 
   7822 	ssl_GetSpecWriteLock(ss);  haveSpecWriteLock = PR_TRUE;
   7823 	pwSpec = ss->ssl3.pwSpec;
   7824 	if (sid->u.ssl3.keys.msIsWrapped) {
   7825 	    PK11SymKey *    wrapKey; 	/* wrapping key */
   7826 	    CK_FLAGS        keyFlags      = 0;
   7827 #ifndef NO_PKCS11_BYPASS
   7828 	    if (ss->opt.bypassPKCS11) {
   7829 		/* we cannot restart a non-bypass session in a
   7830 		** bypass socket.
   7831 		*/
   7832 		break;
   7833 	    }
   7834 #endif
   7835 
   7836 	    wrapKey = getWrappingKey(ss, NULL, sid->u.ssl3.exchKeyType,
   7837 				     sid->u.ssl3.masterWrapMech,
   7838 				     ss->pkcs11PinArg);
   7839 	    if (!wrapKey) {
   7840 		/* we have a SID cache entry, but no wrapping key for it??? */
   7841 		break;
   7842 	    }
   7843 
   7844 	    if (ss->version > SSL_LIBRARY_VERSION_3_0) {	/* isTLS */
   7845 		keyFlags = CKF_SIGN | CKF_VERIFY;
   7846 	    }
   7847 
   7848 	    wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
   7849 	    wrappedMS.len  = sid->u.ssl3.keys.wrapped_master_secret_len;
   7850 
   7851 	    /* unwrap the master secret. */
   7852 	    pwSpec->master_secret =
   7853 		PK11_UnwrapSymKeyWithFlags(wrapKey, sid->u.ssl3.masterWrapMech,
   7854 			    NULL, &wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE,
   7855 			    CKA_DERIVE, sizeof(SSL3MasterSecret), keyFlags);
   7856 	    PK11_FreeSymKey(wrapKey);
   7857 	    if (pwSpec->master_secret == NULL) {
   7858 		break;	/* not an error */
   7859 	    }
   7860 #ifndef NO_PKCS11_BYPASS
   7861 	} else if (ss->opt.bypassPKCS11) {
   7862 	    wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
   7863 	    wrappedMS.len  = sid->u.ssl3.keys.wrapped_master_secret_len;
   7864 	    memcpy(pwSpec->raw_master_secret, wrappedMS.data, wrappedMS.len);
   7865 	    pwSpec->msItem.data = pwSpec->raw_master_secret;
   7866 	    pwSpec->msItem.len  = wrappedMS.len;
   7867 #endif
   7868 	} else {
   7869 	    /* We CAN restart a bypass session in a non-bypass socket. */
   7870 	    /* need to import the raw master secret to session object */
   7871 	    PK11SlotInfo * slot;
   7872 	    wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
   7873 	    wrappedMS.len  = sid->u.ssl3.keys.wrapped_master_secret_len;
   7874 	    slot = PK11_GetInternalSlot();
   7875 	    pwSpec->master_secret =
   7876 		PK11_ImportSymKey(slot, CKM_SSL3_MASTER_KEY_DERIVE,
   7877 				  PK11_OriginUnwrap, CKA_ENCRYPT, &wrappedMS,
   7878 				  NULL);
   7879 	    PK11_FreeSlot(slot);
   7880 	    if (pwSpec->master_secret == NULL) {
   7881 		break;	/* not an error */
   7882 	    }
   7883 	}
   7884 	ss->sec.ci.sid = sid;
   7885 	if (sid->peerCert != NULL) {
   7886 	    ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
   7887 	    ssl3_CopyPeerCertsFromSID(ss, sid);
   7888 	}
   7889 
   7890 	/*
   7891 	 * Old SID passed all tests, so resume this old session.
   7892 	 *
   7893 	 * XXX make sure compression still matches
   7894 	 */
   7895 	SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_hits );
   7896 	if (ss->statelessResume)
   7897 	    SSL_AtomicIncrementLong(& ssl3stats.hch_sid_stateless_resumes );
   7898 	ss->ssl3.hs.isResuming = PR_TRUE;
   7899 
   7900         ss->sec.authAlgorithm = sid->authAlgorithm;
   7901 	ss->sec.authKeyBits   = sid->authKeyBits;
   7902 	ss->sec.keaType       = sid->keaType;
   7903 	ss->sec.keaKeyBits    = sid->keaKeyBits;
   7904 
   7905 	/* server sids don't remember the server cert we previously sent,
   7906 	** but they do remember the kea type we originally used, so we
   7907 	** can locate it again, provided that the current ssl socket
   7908 	** has had its server certs configured the same as the previous one.
   7909 	*/
   7910 	ss->sec.localCert     =
   7911 		CERT_DupCertificate(ss->serverCerts[sid->keaType].serverCert);
   7912 
   7913         /* Copy cached name in to pending spec */
   7914         if (sid != NULL &&
   7915             sid->version > SSL_LIBRARY_VERSION_3_0 &&
   7916             sid->u.ssl3.srvName.len && sid->u.ssl3.srvName.data) {
   7917             /* Set server name from sid */
   7918             SECItem *sidName = &sid->u.ssl3.srvName;
   7919             SECItem *pwsName = &ss->ssl3.pwSpec->srvVirtName;
   7920             if (pwsName->data) {
   7921                 SECITEM_FreeItem(pwsName, PR_FALSE);
   7922             }
   7923             rv = SECITEM_CopyItem(NULL, pwsName, sidName);
   7924             if (rv != SECSuccess) {
   7925                 errCode = PORT_GetError();
   7926                 desc = internal_error;
   7927                 goto alert_loser;
   7928             }
   7929         }
   7930 
   7931         /* Clean up sni name array */
   7932         if (ssl3_ExtensionNegotiated(ss, ssl_server_name_xtn) &&
   7933             ss->xtnData.sniNameArr) {
   7934             PORT_Free(ss->xtnData.sniNameArr);
   7935             ss->xtnData.sniNameArr = NULL;
   7936             ss->xtnData.sniNameArrSize = 0;
   7937         }
   7938 
   7939 	ssl_GetXmitBufLock(ss); haveXmitBufLock = PR_TRUE;
   7940 
   7941 	rv = ssl3_SendServerHello(ss);
   7942 	if (rv != SECSuccess) {
   7943 	    errCode = PORT_GetError();
   7944 	    goto loser;
   7945 	}
   7946 
   7947 	if (haveSpecWriteLock) {
   7948 	    ssl_ReleaseSpecWriteLock(ss);
   7949 	    haveSpecWriteLock = PR_FALSE;
   7950 	}
   7951 
   7952 	/* NULL value for PMS signifies re-use of the old MS */
   7953 	rv = ssl3_InitPendingCipherSpec(ss,  NULL);
   7954 	if (rv != SECSuccess) {
   7955 	    errCode = PORT_GetError();
   7956 	    goto loser;
   7957 	}
   7958 
   7959 	rv = ssl3_SendChangeCipherSpecs(ss);
   7960 	if (rv != SECSuccess) {
   7961 	    errCode = PORT_GetError();
   7962 	    goto loser;
   7963 	}
   7964 	rv = ssl3_SendFinished(ss, 0);
   7965 	ss->ssl3.hs.ws = wait_change_cipher;
   7966 	if (rv != SECSuccess) {
   7967 	    errCode = PORT_GetError();
   7968 	    goto loser;
   7969 	}
   7970 
   7971 	if (haveXmitBufLock) {
   7972 	    ssl_ReleaseXmitBufLock(ss);
   7973 	    haveXmitBufLock = PR_FALSE;
   7974 	}
   7975 
   7976         return SECSuccess;
   7977     } while (0);
   7978 
   7979     if (haveSpecWriteLock) {
   7980 	ssl_ReleaseSpecWriteLock(ss);
   7981 	haveSpecWriteLock = PR_FALSE;
   7982     }
   7983 
   7984     if (sid) { 	/* we had a sid, but it's no longer valid, free it */
   7985 	SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_not_ok );
   7986 	if (ss->sec.uncache)
   7987             ss->sec.uncache(sid);
   7988 	ssl_FreeSID(sid);
   7989 	sid = NULL;
   7990     }
   7991     SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_misses );
   7992 
   7993     if (ssl3_ExtensionNegotiated(ss, ssl_server_name_xtn)) {
   7994         int ret = 0;
   7995         if (ss->sniSocketConfig) do { /* not a loop */
   7996             ret = SSL_SNI_SEND_ALERT;
   7997             /* If extension is negotiated, the len of names should > 0. */
   7998             if (ss->xtnData.sniNameArrSize) {
   7999                 /* Calling client callback to reconfigure the socket. */
   8000                 ret = (SECStatus)(*ss->sniSocketConfig)(ss->fd,
   8001                                          ss->xtnData.sniNameArr,
   8002                                       ss->xtnData.sniNameArrSize,
   8003                                           ss->sniSocketConfigArg);
   8004             }
   8005             if (ret <= SSL_SNI_SEND_ALERT) {
   8006                 /* Application does not know the name or was not able to
   8007                  * properly reconfigure the socket. */
   8008                 errCode = SSL_ERROR_UNRECOGNIZED_NAME_ALERT;
   8009                 desc = unrecognized_name;
   8010                 break;
   8011             } else if (ret == SSL_SNI_CURRENT_CONFIG_IS_USED) {
   8012                 SECStatus       rv = SECSuccess;
   8013                 SECItem *       cwsName, *pwsName;
   8014 
   8015                 ssl_GetSpecWriteLock(ss);  /*******************************/
   8016                 pwsName = &ss->ssl3.pwSpec->srvVirtName;
   8017                 cwsName = &ss->ssl3.cwSpec->srvVirtName;
   8018 #ifndef SSL_SNI_ALLOW_NAME_CHANGE_2HS
   8019                 /* not allow name change on the 2d HS */
   8020                 if (ss->firstHsDone) {
   8021                     if (ssl3_ServerNameCompare(pwsName, cwsName)) {
   8022                         ssl_ReleaseSpecWriteLock(ss);  /******************/
   8023                         errCode = SSL_ERROR_UNRECOGNIZED_NAME_ALERT;
   8024                         desc = handshake_failure;
   8025                         ret = SSL_SNI_SEND_ALERT;
   8026                         break;
   8027                     }
   8028                 }
   8029 #endif
   8030                 if (pwsName->data) {
   8031                     SECITEM_FreeItem(pwsName, PR_FALSE);
   8032                 }
   8033                 if (cwsName->data) {
   8034                     rv = SECITEM_CopyItem(NULL, pwsName, cwsName);
   8035                 }
   8036                 ssl_ReleaseSpecWriteLock(ss);  /**************************/
   8037                 if (rv != SECSuccess) {
   8038                     errCode = SSL_ERROR_INTERNAL_ERROR_ALERT;
   8039                     desc = internal_error;
   8040                     ret = SSL_SNI_SEND_ALERT;
   8041                     break;
   8042                 }
   8043             } else if (ret < ss->xtnData.sniNameArrSize) {
   8044                 /* Application has configured new socket info. Lets check it
   8045                  * and save the name. */
   8046                 SECStatus       rv;
   8047                 SECItem *       name = &ss->xtnData.sniNameArr[ret];
   8048                 int             configedCiphers;
   8049                 SECItem *       pwsName;
   8050 
   8051                 /* get rid of the old name and save the newly picked. */
   8052                 /* This code is protected by ssl3HandshakeLock. */
   8053                 ssl_GetSpecWriteLock(ss);  /*******************************/
   8054 #ifndef SSL_SNI_ALLOW_NAME_CHANGE_2HS
   8055                 /* not allow name change on the 2d HS */
   8056                 if (ss->firstHsDone) {
   8057                     SECItem *cwsName = &ss->ssl3.cwSpec->srvVirtName;
   8058                     if (ssl3_ServerNameCompare(name, cwsName)) {
   8059                         ssl_ReleaseSpecWriteLock(ss);  /******************/
   8060                         errCode = SSL_ERROR_UNRECOGNIZED_NAME_ALERT;
   8061                         desc = handshake_failure;
   8062                         ret = SSL_SNI_SEND_ALERT;
   8063                         break;
   8064                     }
   8065                 }
   8066 #endif
   8067                 pwsName = &ss->ssl3.pwSpec->srvVirtName;
   8068                 if (pwsName->data) {
   8069                     SECITEM_FreeItem(pwsName, PR_FALSE);
   8070                 }
   8071                 rv = SECITEM_CopyItem(NULL, pwsName, name);
   8072                 ssl_ReleaseSpecWriteLock(ss);  /***************************/
   8073                 if (rv != SECSuccess) {
   8074                     errCode = SSL_ERROR_INTERNAL_ERROR_ALERT;
   8075                     desc = internal_error;
   8076                     ret = SSL_SNI_SEND_ALERT;
   8077                     break;
   8078                 }
   8079                 configedCiphers = ssl3_config_match_init(ss);
   8080                 if (configedCiphers <= 0) {
   8081                     /* no ciphers are working/supported */
   8082                     errCode = PORT_GetError();
   8083                     desc = handshake_failure;
   8084                     ret = SSL_SNI_SEND_ALERT;
   8085                     break;
   8086                 }
   8087                 /* Need to tell the client that application has picked
   8088                  * the name from the offered list and reconfigured the socket.
   8089                  */
   8090                 ssl3_RegisterServerHelloExtensionSender(ss, ssl_server_name_xtn,
   8091                                                         ssl3_SendServerNameXtn);
   8092             } else {
   8093                 /* Callback returned index outside of the boundary. */
   8094                 PORT_Assert(ret < ss->xtnData.sniNameArrSize);
   8095                 errCode = SSL_ERROR_INTERNAL_ERROR_ALERT;
   8096                 desc = internal_error;
   8097                 ret = SSL_SNI_SEND_ALERT;
   8098                 break;
   8099             }
   8100         } while (0);
   8101         /* Free sniNameArr. The data that each SECItem in the array
   8102          * points into is the data from the input buffer "b". It will
   8103          * not be available outside the scope of this or it's child
   8104          * functions.*/
   8105         if (ss->xtnData.sniNameArr) {
   8106             PORT_Free(ss->xtnData.sniNameArr);
   8107             ss->xtnData.sniNameArr = NULL;
   8108             ss->xtnData.sniNameArrSize = 0;
   8109         }
   8110         if (ret <= SSL_SNI_SEND_ALERT) {
   8111             /* desc and errCode should be set. */
   8112             goto alert_loser;
   8113         }
   8114     }
   8115 #ifndef SSL_SNI_ALLOW_NAME_CHANGE_2HS
   8116     else if (ss->firstHsDone) {
   8117         /* Check that we don't have the name is current spec
   8118          * if this extension was not negotiated on the 2d hs. */
   8119         PRBool passed = PR_TRUE;
   8120         ssl_GetSpecReadLock(ss);  /*******************************/
   8121         if (ss->ssl3.cwSpec->srvVirtName.data) {
   8122             passed = PR_FALSE;
   8123         }
   8124         ssl_ReleaseSpecReadLock(ss);  /***************************/
   8125         if (!passed) {
   8126             errCode = SSL_ERROR_UNRECOGNIZED_NAME_ALERT;
   8127             desc = handshake_failure;
   8128             goto alert_loser;
   8129         }
   8130     }
   8131 #endif
   8132 
   8133     sid = ssl3_NewSessionID(ss, PR_TRUE);
   8134     if (sid == NULL) {
   8135 	errCode = PORT_GetError();
   8136 	goto loser;	/* memory error is set. */
   8137     }
   8138     ss->sec.ci.sid = sid;
   8139 
   8140     ss->ssl3.hs.isResuming = PR_FALSE;
   8141     ssl_GetXmitBufLock(ss);
   8142     rv = ssl3_SendServerHelloSequence(ss);
   8143     ssl_ReleaseXmitBufLock(ss);
   8144     if (rv != SECSuccess) {
   8145 	errCode = PORT_GetError();
   8146 	goto loser;
   8147     }
   8148 
   8149     if (haveXmitBufLock) {
   8150 	ssl_ReleaseXmitBufLock(ss);
   8151 	haveXmitBufLock = PR_FALSE;
   8152     }
   8153 
   8154     return SECSuccess;
   8155 
   8156 alert_loser:
   8157     if (haveSpecWriteLock) {
   8158 	ssl_ReleaseSpecWriteLock(ss);
   8159 	haveSpecWriteLock = PR_FALSE;
   8160     }
   8161     (void)SSL3_SendAlert(ss, level, desc);
   8162     /* FALLTHRU */
   8163 loser:
   8164     if (haveSpecWriteLock) {
   8165 	ssl_ReleaseSpecWriteLock(ss);
   8166 	haveSpecWriteLock = PR_FALSE;
   8167     }
   8168 
   8169     if (haveXmitBufLock) {
   8170 	ssl_ReleaseXmitBufLock(ss);
   8171 	haveXmitBufLock = PR_FALSE;
   8172     }
   8173 
   8174     PORT_SetError(errCode);
   8175     return SECFailure;
   8176 }
   8177 
   8178 /*
   8179  * ssl3_HandleV2ClientHello is used when a V2 formatted hello comes
   8180  * in asking to use the V3 handshake.
   8181  * Called from ssl2_HandleClientHelloMessage() in sslcon.c
   8182  */
   8183 SECStatus
   8184 ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buffer, int length)
   8185 {
   8186     sslSessionID *      sid 		= NULL;
   8187     unsigned char *     suites;
   8188     unsigned char *     random;
   8189     SSL3ProtocolVersion version;
   8190     SECStatus           rv;
   8191     int                 i;
   8192     int                 j;
   8193     int                 sid_length;
   8194     int                 suite_length;
   8195     int                 rand_length;
   8196     int                 errCode  = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO;
   8197     SSL3AlertDescription desc    = handshake_failure;
   8198 
   8199     SSL_TRC(3, ("%d: SSL3[%d]: handle v2 client_hello", SSL_GETPID(), ss->fd));
   8200 
   8201     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
   8202 
   8203     ssl_GetSSL3HandshakeLock(ss);
   8204 
   8205     PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
   8206 
   8207     rv = ssl3_InitState(ss);
   8208     if (rv != SECSuccess) {
   8209 	ssl_ReleaseSSL3HandshakeLock(ss);
   8210 	return rv;		/* ssl3_InitState has set the error code. */
   8211     }
   8212     rv = ssl3_RestartHandshakeHashes(ss);
   8213     if (rv != SECSuccess) {
   8214 	ssl_ReleaseSSL3HandshakeLock(ss);
   8215 	return rv;
   8216     }
   8217 
   8218     if (ss->ssl3.hs.ws != wait_client_hello) {
   8219 	desc    = unexpected_message;
   8220 	errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO;
   8221 	goto loser;	/* alert_loser */
   8222     }
   8223 
   8224     version      = (buffer[1] << 8) | buffer[2];
   8225     suite_length = (buffer[3] << 8) | buffer[4];
   8226     sid_length   = (buffer[5] << 8) | buffer[6];
   8227     rand_length  = (buffer[7] << 8) | buffer[8];
   8228     ss->clientHelloVersion = version;
   8229 
   8230     rv = ssl3_NegotiateVersion(ss, version, PR_TRUE);
   8231     if (rv != SECSuccess) {
   8232 	/* send back which ever alert client will understand. */
   8233     	desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version : handshake_failure;
   8234 	errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
   8235 	goto alert_loser;
   8236     }
   8237 
   8238     rv = ssl3_InitHandshakeHashes(ss);
   8239     if (rv != SECSuccess) {
   8240 	desc = internal_error;
   8241 	errCode = PORT_GetError();
   8242 	goto alert_loser;
   8243     }
   8244 
   8245     /* if we get a non-zero SID, just ignore it. */
   8246     if (length !=
   8247         SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length + rand_length) {
   8248 	SSL_DBG(("%d: SSL3[%d]: bad v2 client hello message, len=%d should=%d",
   8249 		 SSL_GETPID(), ss->fd, length,
   8250 		 SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length +
   8251 		 rand_length));
   8252 	goto loser;	/* malformed */	/* alert_loser */
   8253     }
   8254 
   8255     suites = buffer + SSL_HL_CLIENT_HELLO_HBYTES;
   8256     random = suites + suite_length + sid_length;
   8257 
   8258     if (rand_length < SSL_MIN_CHALLENGE_BYTES ||
   8259 	rand_length > SSL_MAX_CHALLENGE_BYTES) {
   8260 	goto loser;	/* malformed */	/* alert_loser */
   8261     }
   8262 
   8263     PORT_Assert(SSL_MAX_CHALLENGE_BYTES == SSL3_RANDOM_LENGTH);
   8264 
   8265     PORT_Memset(&ss->ssl3.hs.client_random, 0, SSL3_RANDOM_LENGTH);
   8266     PORT_Memcpy(
   8267 	&ss->ssl3.hs.client_random.rand[SSL3_RANDOM_LENGTH - rand_length],
   8268 	random, rand_length);
   8269 
   8270     PRINT_BUF(60, (ss, "client random:", &ss->ssl3.hs.client_random.rand[0],
   8271 		   SSL3_RANDOM_LENGTH));
   8272 #ifdef NSS_ENABLE_ECC
   8273     /* Disable any ECC cipher suites for which we have no cert. */
   8274     ssl3_FilterECCipherSuitesByServerCerts(ss);
   8275 #endif
   8276     i = ssl3_config_match_init(ss);
   8277     if (i <= 0) {
   8278     	errCode = PORT_GetError();	/* error code is already set. */
   8279 	goto alert_loser;
   8280     }
   8281 
   8282     /* Select a cipher suite.
   8283     **
   8284     ** NOTE: This suite selection algorithm should be the same as the one in
   8285     ** ssl3_HandleClientHello().
   8286     **
   8287     ** See the comments about export cipher suites in ssl3_HandleClientHello().
   8288     */
   8289     for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
   8290 	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
   8291 	if (!config_match(suite, ss->ssl3.policy, PR_TRUE) ||
   8292 	    !ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite,
   8293 					       ss->version)) {
   8294 	    continue;
   8295 	}
   8296 	for (i = 0; i+2 < suite_length; i += 3) {
   8297 	    PRUint32 suite_i = (suites[i] << 16)|(suites[i+1] << 8)|suites[i+2];
   8298 	    if (suite_i == suite->cipher_suite) {
   8299 		ss->ssl3.hs.cipher_suite = suite->cipher_suite;
   8300 		ss->ssl3.hs.suite_def =
   8301 		    ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite);
   8302 		goto suite_found;
   8303 	    }
   8304 	}
   8305     }
   8306     errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
   8307     goto alert_loser;
   8308 
   8309 suite_found:
   8310 
   8311     /* Look for the SCSV, and if found, treat it just like an empty RI
   8312      * extension by processing a local copy of an empty RI extension.
   8313      */
   8314     for (i = 0; i+2 < suite_length; i += 3) {
   8315 	PRUint32 suite_i = (suites[i] << 16) | (suites[i+1] << 8) | suites[i+2];
   8316 	if (suite_i == TLS_EMPTY_RENEGOTIATION_INFO_SCSV) {
   8317 	    SSL3Opaque * b2 = (SSL3Opaque *)emptyRIext;
   8318 	    PRUint32     L2 = sizeof emptyRIext;
   8319 	    (void)ssl3_HandleHelloExtensions(ss, &b2, &L2);
   8320 	    break;
   8321 	}
   8322     }
   8323 
   8324     if (ss->opt.requireSafeNegotiation &&
   8325 	!ssl3_ExtensionNegotiated(ss, ssl_renegotiation_info_xtn)) {
   8326 	desc = handshake_failure;
   8327 	errCode = SSL_ERROR_UNSAFE_NEGOTIATION;
   8328     	goto alert_loser;
   8329     }
   8330 
   8331     ss->ssl3.hs.compression = ssl_compression_null;
   8332     ss->sec.send            = ssl3_SendApplicationData;
   8333 
   8334     /* we don't even search for a cache hit here.  It's just a miss. */
   8335     SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_misses );
   8336     sid = ssl3_NewSessionID(ss, PR_TRUE);
   8337     if (sid == NULL) {
   8338     	errCode = PORT_GetError();
   8339 	goto loser;	/* memory error is set. */
   8340     }
   8341     ss->sec.ci.sid = sid;
   8342     /* do not worry about memory leak of sid since it now belongs to ci */
   8343 
   8344     /* We have to update the handshake hashes before we can send stuff */
   8345     rv = ssl3_UpdateHandshakeHashes(ss, buffer, length);
   8346     if (rv != SECSuccess) {
   8347     	errCode = PORT_GetError();
   8348 	goto loser;
   8349     }
   8350 
   8351     ssl_GetXmitBufLock(ss);
   8352     rv = ssl3_SendServerHelloSequence(ss);
   8353     ssl_ReleaseXmitBufLock(ss);
   8354     if (rv != SECSuccess) {
   8355     	errCode = PORT_GetError();
   8356 	goto loser;
   8357     }
   8358 
   8359     /* XXX_1 	The call stack to here is:
   8360      * ssl_Do1stHandshake -> ssl2_HandleClientHelloMessage -> here.
   8361      * ssl2_HandleClientHelloMessage returns whatever we return here.
   8362      * ssl_Do1stHandshake will continue looping if it gets back either
   8363      *		SECSuccess or SECWouldBlock.
   8364      * SECSuccess is preferable here.  See XXX_1 in sslgathr.c.
   8365      */
   8366     ssl_ReleaseSSL3HandshakeLock(ss);
   8367     return SECSuccess;
   8368 
   8369 alert_loser:
   8370     SSL3_SendAlert(ss, alert_fatal, desc);
   8371 loser:
   8372     ssl_ReleaseSSL3HandshakeLock(ss);
   8373     PORT_SetError(errCode);
   8374     return SECFailure;
   8375 }
   8376 
   8377 /* The negotiated version number has been already placed in ss->version.
   8378 **
   8379 ** Called from:  ssl3_HandleClientHello                     (resuming session),
   8380 ** 	ssl3_SendServerHelloSequence <- ssl3_HandleClientHello   (new session),
   8381 ** 	ssl3_SendServerHelloSequence <- ssl3_HandleV2ClientHello (new session)
   8382 */
   8383 static SECStatus
   8384 ssl3_SendServerHello(sslSocket *ss)
   8385 {
   8386     sslSessionID *sid;
   8387     SECStatus     rv;
   8388     PRUint32      maxBytes = 65535;
   8389     PRUint32      length;
   8390     PRInt32       extensions_len = 0;
   8391     SSL3ProtocolVersion version;
   8392 
   8393     SSL_TRC(3, ("%d: SSL3[%d]: send server_hello handshake", SSL_GETPID(),
   8394 		ss->fd));
   8395 
   8396     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
   8397     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
   8398 
   8399     if (!IS_DTLS(ss)) {
   8400 	PORT_Assert(MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_3_0));
   8401 
   8402 	if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_3_0)) {
   8403 	    PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
   8404 	    return SECFailure;
   8405 	}
   8406     } else {
   8407 	PORT_Assert(MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_DTLS_1_0));
   8408 
   8409 	if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_DTLS_1_0)) {
   8410 	    PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
   8411 	    return SECFailure;
   8412 	}
   8413     }
   8414 
   8415     sid = ss->sec.ci.sid;
   8416 
   8417     extensions_len = ssl3_CallHelloExtensionSenders(ss, PR_FALSE, maxBytes,
   8418 					       &ss->xtnData.serverSenders[0]);
   8419     if (extensions_len > 0)
   8420     	extensions_len += 2; /* Add sizeof total extension length */
   8421 
   8422     length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH + 1 +
   8423              ((sid == NULL) ? 0: sid->u.ssl3.sessionIDLength) +
   8424 	     sizeof(ssl3CipherSuite) + 1 + extensions_len;
   8425     rv = ssl3_AppendHandshakeHeader(ss, server_hello, length);
   8426     if (rv != SECSuccess) {
   8427 	return rv;	/* err set by AppendHandshake. */
   8428     }
   8429 
   8430     if (IS_DTLS(ss)) {
   8431 	version = dtls_TLSVersionToDTLSVersion(ss->version);
   8432     } else {
   8433 	version = ss->version;
   8434     }
   8435 
   8436     rv = ssl3_AppendHandshakeNumber(ss, version, 2);
   8437     if (rv != SECSuccess) {
   8438 	return rv;	/* err set by AppendHandshake. */
   8439     }
   8440     rv = ssl3_GetNewRandom(&ss->ssl3.hs.server_random);
   8441     if (rv != SECSuccess) {
   8442 	ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
   8443 	return rv;
   8444     }
   8445     rv = ssl3_AppendHandshake(
   8446 	ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH);
   8447     if (rv != SECSuccess) {
   8448 	return rv;	/* err set by AppendHandshake. */
   8449     }
   8450 
   8451     if (sid)
   8452 	rv = ssl3_AppendHandshakeVariable(
   8453 	    ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1);
   8454     else
   8455 	rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
   8456     if (rv != SECSuccess) {
   8457 	return rv;	/* err set by AppendHandshake. */
   8458     }
   8459 
   8460     rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.cipher_suite, 2);
   8461     if (rv != SECSuccess) {
   8462 	return rv;	/* err set by AppendHandshake. */
   8463     }
   8464     rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.compression, 1);
   8465     if (rv != SECSuccess) {
   8466 	return rv;	/* err set by AppendHandshake. */
   8467     }
   8468     if (extensions_len) {
   8469 	PRInt32 sent_len;
   8470 
   8471     	extensions_len -= 2;
   8472 	rv = ssl3_AppendHandshakeNumber(ss, extensions_len, 2);
   8473 	if (rv != SECSuccess)
   8474 	    return rv;	/* err set by ssl3_SetupPendingCipherSpec */
   8475 	sent_len = ssl3_CallHelloExtensionSenders(ss, PR_TRUE, extensions_len,
   8476 					   &ss->xtnData.serverSenders[0]);
   8477         PORT_Assert(sent_len == extensions_len);
   8478 	if (sent_len != extensions_len) {
   8479 	    if (sent_len >= 0)
   8480 	    	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
   8481 	    return SECFailure;
   8482 	}
   8483     }
   8484     rv = ssl3_SetupPendingCipherSpec(ss);
   8485     if (rv != SECSuccess) {
   8486 	return rv;	/* err set by ssl3_SetupPendingCipherSpec */
   8487     }
   8488 
   8489     return SECSuccess;
   8490 }
   8491 
   8492 /* ssl3_PickSignatureHashAlgorithm selects a hash algorithm to use when signing
   8493  * elements of the handshake. (The negotiated cipher suite determines the
   8494  * signature algorithm.) Prior to TLS 1.2, the MD5/SHA1 combination is always
   8495  * used. With TLS 1.2, a client may advertise its support for signature and
   8496  * hash combinations. */
   8497 static SECStatus
   8498 ssl3_PickSignatureHashAlgorithm(sslSocket *ss,
   8499 				SSL3SignatureAndHashAlgorithm* out)
   8500 {
   8501     TLSSignatureAlgorithm sigAlg;
   8502     unsigned int i, j;
   8503     /* hashPreference expresses our preferences for hash algorithms, most
   8504      * preferable first. */
   8505     static const PRUint8 hashPreference[] = {
   8506 	tls_hash_sha256,
   8507 	tls_hash_sha384,
   8508 	tls_hash_sha512,
   8509 	tls_hash_sha1,
   8510     };
   8511 
   8512     switch (ss->ssl3.hs.kea_def->kea) {
   8513     case kea_rsa:
   8514     case kea_rsa_export:
   8515     case kea_rsa_export_1024:
   8516     case kea_dh_rsa:
   8517     case kea_dh_rsa_export:
   8518     case kea_dhe_rsa:
   8519     case kea_dhe_rsa_export:
   8520     case kea_rsa_fips:
   8521     case kea_ecdh_rsa:
   8522     case kea_ecdhe_rsa:
   8523 	sigAlg = tls_sig_rsa;
   8524 	break;
   8525     case kea_dh_dss:
   8526     case kea_dh_dss_export:
   8527     case kea_dhe_dss:
   8528     case kea_dhe_dss_export:
   8529 	sigAlg = tls_sig_dsa;
   8530 	break;
   8531     case kea_ecdh_ecdsa:
   8532     case kea_ecdhe_ecdsa:
   8533 	sigAlg = tls_sig_ecdsa;
   8534 	break;
   8535     default:
   8536 	PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
   8537 	return SECFailure;
   8538     }
   8539     out->sigAlg = sigAlg;
   8540 
   8541     if (ss->version <= SSL_LIBRARY_VERSION_TLS_1_1) {
   8542 	/* SEC_OID_UNKNOWN means the MD5/SHA1 combo hash used in TLS 1.1 and
   8543 	 * prior. */
   8544 	out->hashAlg = SEC_OID_UNKNOWN;
   8545 	return SECSuccess;
   8546     }
   8547 
   8548     if (ss->ssl3.hs.numClientSigAndHash == 0) {
   8549 	/* If the client didn't provide any signature_algorithms extension then
   8550 	 * we can assume that they support SHA-1:
   8551 	 * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
   8552 	out->hashAlg = SEC_OID_SHA1;
   8553 	return SECSuccess;
   8554     }
   8555 
   8556     for (i = 0; i < PR_ARRAY_SIZE(hashPreference); i++) {
   8557 	for (j = 0; j < ss->ssl3.hs.numClientSigAndHash; j++) {
   8558 	    const SSL3SignatureAndHashAlgorithm* sh =
   8559 		&ss->ssl3.hs.clientSigAndHash[j];
   8560 	    if (sh->sigAlg == sigAlg && sh->hashAlg == hashPreference[i]) {
   8561 		out->hashAlg = sh->hashAlg;
   8562 		return SECSuccess;
   8563 	    }
   8564 	}
   8565     }
   8566 
   8567     PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
   8568     return SECFailure;
   8569 }
   8570 
   8571 
   8572 static SECStatus
   8573 ssl3_SendServerKeyExchange(sslSocket *ss)
   8574 {
   8575     const ssl3KEADef * kea_def     = ss->ssl3.hs.kea_def;
   8576     SECStatus          rv          = SECFailure;
   8577     int                length;
   8578     PRBool             isTLS;
   8579     SECItem            signed_hash = {siBuffer, NULL, 0};
   8580     SSL3Hashes         hashes;
   8581     SECKEYPublicKey *  sdPub;	/* public key for step-down */
   8582     SSL3SignatureAndHashAlgorithm sigAndHash;
   8583 
   8584     SSL_TRC(3, ("%d: SSL3[%d]: send server_key_exchange handshake",
   8585 		SSL_GETPID(), ss->fd));
   8586 
   8587     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
   8588     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
   8589 
   8590     if (ssl3_PickSignatureHashAlgorithm(ss, &sigAndHash) != SECSuccess) {
   8591 	return SECFailure;
   8592     }
   8593 
   8594     switch (kea_def->exchKeyType) {
   8595     case kt_rsa:
   8596 	/* Perform SSL Step-Down here. */
   8597 	sdPub = ss->stepDownKeyPair->pubKey;
   8598 	PORT_Assert(sdPub != NULL);
   8599 	if (!sdPub) {
   8600 	    PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
   8601 	    return SECFailure;
   8602 	}
   8603 	rv = ssl3_ComputeExportRSAKeyHash(sigAndHash.hashAlg,
   8604 					  sdPub->u.rsa.modulus,
   8605 					  sdPub->u.rsa.publicExponent,
   8606 	                                  &ss->ssl3.hs.client_random,
   8607 	                                  &ss->ssl3.hs.server_random,
   8608 					  &hashes, ss->opt.bypassPKCS11);
   8609         if (rv != SECSuccess) {
   8610 	    ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
   8611 	    return rv;
   8612 	}
   8613 
   8614 	isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
   8615 	rv = ssl3_SignHashes(&hashes, ss->serverCerts[kt_rsa].SERVERKEY,
   8616 	                     &signed_hash, isTLS);
   8617         if (rv != SECSuccess) {
   8618 	    goto loser;		/* ssl3_SignHashes has set err. */
   8619 	}
   8620 	if (signed_hash.data == NULL) {
   8621 	    /* how can this happen and rv == SECSuccess ?? */
   8622 	    PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
   8623 	    goto loser;
   8624 	}
   8625 	length = 2 + sdPub->u.rsa.modulus.len +
   8626 	         2 + sdPub->u.rsa.publicExponent.len +
   8627 	         2 + signed_hash.len;
   8628 
   8629 	rv = ssl3_AppendHandshakeHeader(ss, server_key_exchange, length);
   8630 	if (rv != SECSuccess) {
   8631 	    goto loser; 	/* err set by AppendHandshake. */
   8632 	}
   8633 
   8634 	rv = ssl3_AppendHandshakeVariable(ss, sdPub->u.rsa.modulus.data,
   8635 					  sdPub->u.rsa.modulus.len, 2);
   8636 	if (rv != SECSuccess) {
   8637 	    goto loser; 	/* err set by AppendHandshake. */
   8638 	}
   8639 
   8640 	rv = ssl3_AppendHandshakeVariable(
   8641 				ss, sdPub->u.rsa.publicExponent.data,
   8642 				sdPub->u.rsa.publicExponent.len, 2);
   8643 	if (rv != SECSuccess) {
   8644 	    goto loser; 	/* err set by AppendHandshake. */
   8645 	}
   8646 
   8647 	if (ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
   8648 	    rv = ssl3_AppendSignatureAndHashAlgorithm(ss, &sigAndHash);
   8649 	    if (rv != SECSuccess) {
   8650 		goto loser; 	/* err set by AppendHandshake. */
   8651 	    }
   8652 	}
   8653 
   8654 	rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data,
   8655 	                                  signed_hash.len, 2);
   8656 	if (rv != SECSuccess) {
   8657 	    goto loser; 	/* err set by AppendHandshake. */
   8658 	}
   8659 	PORT_Free(signed_hash.data);
   8660 	return SECSuccess;
   8661 
   8662 #ifdef NSS_ENABLE_ECC
   8663     case kt_ecdh: {
   8664 	rv = ssl3_SendECDHServerKeyExchange(ss, &sigAndHash);
   8665 	return rv;
   8666     }
   8667 #endif /* NSS_ENABLE_ECC */
   8668 
   8669     case kt_dh:
   8670     case kt_null:
   8671     default:
   8672 	PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
   8673 	break;
   8674     }
   8675 loser:
   8676     if (signed_hash.data != NULL)
   8677     	PORT_Free(signed_hash.data);
   8678     return SECFailure;
   8679 }
   8680 
   8681 
   8682 static SECStatus
   8683 ssl3_SendCertificateRequest(sslSocket *ss)
   8684 {
   8685     PRBool         isTLS12;
   8686     SECItem *      name;
   8687     CERTDistNames *ca_list;
   8688     const PRUint8 *certTypes;
   8689     const PRUint8 *sigAlgs;
   8690     SECItem *      names	= NULL;
   8691     SECStatus      rv;
   8692     int            length;
   8693     int            i;
   8694     int            calen	= 0;
   8695     int            nnames	= 0;
   8696     int            certTypesLength;
   8697     int            sigAlgsLength;
   8698 
   8699     SSL_TRC(3, ("%d: SSL3[%d]: send certificate_request handshake",
   8700 		SSL_GETPID(), ss->fd));
   8701 
   8702     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
   8703     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
   8704 
   8705     isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
   8706 
   8707     /* ssl3.ca_list is initialized to NULL, and never changed. */
   8708     ca_list = ss->ssl3.ca_list;
   8709     if (!ca_list) {
   8710 	ca_list = ssl3_server_ca_list;
   8711     }
   8712 
   8713     if (ca_list != NULL) {
   8714 	names = ca_list->names;
   8715 	nnames = ca_list->nnames;
   8716     }
   8717 
   8718     for (i = 0, name = names; i < nnames; i++, name++) {
   8719 	calen += 2 + name->len;
   8720     }
   8721 
   8722     certTypes       = certificate_types;
   8723     certTypesLength = sizeof certificate_types;
   8724     sigAlgs         = supported_signature_algorithms;
   8725     sigAlgsLength   = sizeof supported_signature_algorithms;
   8726 
   8727     length = 1 + certTypesLength + 2 + calen;
   8728     if (isTLS12) {
   8729 	length += 2 + sigAlgsLength;
   8730     }
   8731 
   8732     rv = ssl3_AppendHandshakeHeader(ss, certificate_request, length);
   8733     if (rv != SECSuccess) {
   8734 	return rv; 		/* err set by AppendHandshake. */
   8735     }
   8736     rv = ssl3_AppendHandshakeVariable(ss, certTypes, certTypesLength, 1);
   8737     if (rv != SECSuccess) {
   8738 	return rv; 		/* err set by AppendHandshake. */
   8739     }
   8740     if (isTLS12) {
   8741 	rv = ssl3_AppendHandshakeVariable(ss, sigAlgs, sigAlgsLength, 2);
   8742 	if (rv != SECSuccess) {
   8743 	    return rv; 		/* err set by AppendHandshake. */
   8744 	}
   8745     }
   8746     rv = ssl3_AppendHandshakeNumber(ss, calen, 2);
   8747     if (rv != SECSuccess) {
   8748 	return rv; 		/* err set by AppendHandshake. */
   8749     }
   8750     for (i = 0, name = names; i < nnames; i++, name++) {
   8751 	rv = ssl3_AppendHandshakeVariable(ss, name->data, name->len, 2);
   8752 	if (rv != SECSuccess) {
   8753 	    return rv; 		/* err set by AppendHandshake. */
   8754 	}
   8755     }
   8756 
   8757     return SECSuccess;
   8758 }
   8759 
   8760 static SECStatus
   8761 ssl3_SendServerHelloDone(sslSocket *ss)
   8762 {
   8763     SECStatus rv;
   8764 
   8765     SSL_TRC(3, ("%d: SSL3[%d]: send server_hello_done handshake",
   8766 		SSL_GETPID(), ss->fd));
   8767 
   8768     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
   8769     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
   8770 
   8771     rv = ssl3_AppendHandshakeHeader(ss, server_hello_done, 0);
   8772     if (rv != SECSuccess) {
   8773 	return rv; 		/* err set by AppendHandshake. */
   8774     }
   8775     rv = ssl3_FlushHandshake(ss, 0);
   8776     if (rv != SECSuccess) {
   8777 	return rv;	/* error code set by ssl3_FlushHandshake */
   8778     }
   8779     return SECSuccess;
   8780 }
   8781 
   8782 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
   8783  * ssl3 Certificate Verify message
   8784  * Caller must hold Handshake and RecvBuf locks.
   8785  */
   8786 static SECStatus
   8787 ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
   8788 			     SSL3Hashes *hashes)
   8789 {
   8790     SECItem              signed_hash = {siBuffer, NULL, 0};
   8791     SECStatus            rv;
   8792     int                  errCode     = SSL_ERROR_RX_MALFORMED_CERT_VERIFY;
   8793     SSL3AlertDescription desc        = handshake_failure;
   8794     PRBool               isTLS, isTLS12;
   8795     SSL3SignatureAndHashAlgorithm sigAndHash;
   8796 
   8797     SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_verify handshake",
   8798 		SSL_GETPID(), ss->fd));
   8799     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
   8800     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
   8801 
   8802     isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
   8803     isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
   8804 
   8805     if (ss->ssl3.hs.ws != wait_cert_verify || ss->sec.peerCert == NULL) {
   8806 	desc    = unexpected_message;
   8807 	errCode = SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY;
   8808 	goto alert_loser;
   8809     }
   8810 
   8811     if (isTLS12) {
   8812 	rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length,
   8813 						   &sigAndHash);
   8814 	if (rv != SECSuccess) {
   8815 	    goto loser;	/* malformed or unsupported. */
   8816 	}
   8817 	rv = ssl3_CheckSignatureAndHashAlgorithmConsistency(
   8818 		&sigAndHash, ss->sec.peerCert);
   8819 	if (rv != SECSuccess) {
   8820 	    errCode = PORT_GetError();
   8821 	    desc = decrypt_error;
   8822 	    goto alert_loser;
   8823 	}
   8824 
   8825 	/* We only support CertificateVerify messages that use the handshake
   8826 	 * hash. */
   8827 	if (sigAndHash.hashAlg != hashes->hashAlg) {
   8828 	    errCode = SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM;
   8829 	    desc = decrypt_error;
   8830 	    goto alert_loser;
   8831 	}
   8832     }
   8833 
   8834     rv = ssl3_ConsumeHandshakeVariable(ss, &signed_hash, 2, &b, &length);
   8835     if (rv != SECSuccess) {
   8836 	goto loser;		/* malformed. */
   8837     }
   8838 
   8839     /* XXX verify that the key & kea match */
   8840     rv = ssl3_VerifySignedHashes(hashes, ss->sec.peerCert, &signed_hash,
   8841 				 isTLS, ss->pkcs11PinArg);
   8842     if (rv != SECSuccess) {
   8843     	errCode = PORT_GetError();
   8844 	desc = isTLS ? decrypt_error : handshake_failure;
   8845 	goto alert_loser;
   8846     }
   8847 
   8848     signed_hash.data = NULL;
   8849 
   8850     if (length != 0) {
   8851 	desc    = isTLS ? decode_error : illegal_parameter;
   8852 	goto alert_loser;	/* malformed */
   8853     }
   8854     ss->ssl3.hs.ws = wait_change_cipher;
   8855     return SECSuccess;
   8856 
   8857 alert_loser:
   8858     SSL3_SendAlert(ss, alert_fatal, desc);
   8859 loser:
   8860     PORT_SetError(errCode);
   8861     return SECFailure;
   8862 }
   8863 
   8864 
   8865 /* find a slot that is able to generate a PMS and wrap it with RSA.
   8866  * Then generate and return the PMS.
   8867  * If the serverKeySlot parameter is non-null, this function will use
   8868  * that slot to do the job, otherwise it will find a slot.
   8869  *
   8870  * Called from  ssl3_DeriveConnectionKeysPKCS11()  (above)
   8871  *		sendRSAClientKeyExchange()         (above)
   8872  *		ssl3_HandleRSAClientKeyExchange()  (below)
   8873  * Caller must hold the SpecWriteLock, the SSL3HandshakeLock
   8874  */
   8875 static PK11SymKey *
   8876 ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
   8877                     PK11SlotInfo * serverKeySlot)
   8878 {
   8879     PK11SymKey *      pms		= NULL;
   8880     PK11SlotInfo *    slot		= serverKeySlot;
   8881     void *	      pwArg 		= ss->pkcs11PinArg;
   8882     SECItem           param;
   8883     CK_VERSION 	      version;
   8884     CK_MECHANISM_TYPE mechanism_array[3];
   8885 
   8886     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
   8887 
   8888     if (slot == NULL) {
   8889 	SSLCipherAlgorithm calg;
   8890 	/* The specReadLock would suffice here, but we cannot assert on
   8891 	** read locks.  Also, all the callers who call with a non-null
   8892 	** slot already hold the SpecWriteLock.
   8893 	*/
   8894 	PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
   8895 	PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
   8896 
   8897         calg = spec->cipher_def->calg;
   8898 	PORT_Assert(alg2Mech[calg].calg == calg);
   8899 
   8900 	/* First get an appropriate slot.  */
   8901 	mechanism_array[0] = CKM_SSL3_PRE_MASTER_KEY_GEN;
   8902 	mechanism_array[1] = CKM_RSA_PKCS;
   8903 	mechanism_array[2] = alg2Mech[calg].cmech;
   8904 
   8905 	slot = PK11_GetBestSlotMultiple(mechanism_array, 3, pwArg);
   8906 	if (slot == NULL) {
   8907 	   /* can't find a slot with all three, find a slot with the minimum */
   8908 	    slot = PK11_GetBestSlotMultiple(mechanism_array, 2, pwArg);
   8909 	    if (slot == NULL) {
   8910 		PORT_SetError(SSL_ERROR_TOKEN_SLOT_NOT_FOUND);
   8911 		return pms;	/* which is NULL */
   8912 	    }
   8913 	}
   8914     }
   8915 
   8916     /* Generate the pre-master secret ...  */
   8917     if (IS_DTLS(ss)) {
   8918 	SSL3ProtocolVersion temp;
   8919 
   8920 	temp = dtls_TLSVersionToDTLSVersion(ss->clientHelloVersion);
   8921 	version.major = MSB(temp);
   8922 	version.minor = LSB(temp);
   8923     } else {
   8924 	version.major = MSB(ss->clientHelloVersion);
   8925 	version.minor = LSB(ss->clientHelloVersion);
   8926     }
   8927 
   8928     param.data = (unsigned char *)&version;
   8929     param.len  = sizeof version;
   8930 
   8931     pms = PK11_KeyGen(slot, CKM_SSL3_PRE_MASTER_KEY_GEN, &param, 0, pwArg);
   8932     if (!serverKeySlot)
   8933 	PK11_FreeSlot(slot);
   8934     if (pms == NULL) {
   8935 	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
   8936     }
   8937     return pms;
   8938 }
   8939 
   8940 /* Note: The Bleichenbacher attack on PKCS#1 necessitates that we NEVER
   8941  * return any indication of failure of the Client Key Exchange message,
   8942  * where that failure is caused by the content of the client's message.
   8943  * This function must not return SECFailure for any reason that is directly
   8944  * or indirectly caused by the content of the client's encrypted PMS.
   8945  * We must not send an alert and also not drop the connection.
   8946  * Instead, we generate a random PMS.  This will cause a failure
   8947  * in the processing the finished message, which is exactly where
   8948  * the failure must occur.
   8949  *
   8950  * Called from ssl3_HandleClientKeyExchange
   8951  */
   8952 static SECStatus
   8953 ssl3_HandleRSAClientKeyExchange(sslSocket *ss,
   8954                                 SSL3Opaque *b,
   8955 				PRUint32 length,
   8956 				SECKEYPrivateKey *serverKey)
   8957 {
   8958     PK11SymKey *      pms;
   8959 #ifndef NO_PKCS11_BYPASS
   8960     unsigned char *   cr     = (unsigned char *)&ss->ssl3.hs.client_random;
   8961     unsigned char *   sr     = (unsigned char *)&ss->ssl3.hs.server_random;
   8962     ssl3CipherSpec *  pwSpec = ss->ssl3.pwSpec;
   8963     unsigned int      outLen = 0;
   8964 #endif
   8965     PRBool            isTLS  = PR_FALSE;
   8966     SECStatus         rv;
   8967     SECItem           enc_pms;
   8968     unsigned char     rsaPmsBuf[SSL3_RSA_PMS_LENGTH];
   8969     SECItem           pmsItem = {siBuffer, NULL, 0};
   8970 
   8971     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
   8972     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
   8973     PORT_Assert( ss->ssl3.prSpec == ss->ssl3.pwSpec );
   8974 
   8975     enc_pms.data = b;
   8976     enc_pms.len  = length;
   8977     pmsItem.data = rsaPmsBuf;
   8978     pmsItem.len  = sizeof rsaPmsBuf;
   8979 
   8980     if (ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */
   8981 	PRInt32 kLen;
   8982 	kLen = ssl3_ConsumeHandshakeNumber(ss, 2, &enc_pms.data, &enc_pms.len);
   8983 	if (kLen < 0) {
   8984 	    PORT_SetError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
   8985 	    return SECFailure;
   8986 	}
   8987 	if ((unsigned)kLen < enc_pms.len) {
   8988 	    enc_pms.len = kLen;
   8989 	}
   8990 	isTLS = PR_TRUE;
   8991     } else {
   8992 	isTLS = (PRBool)(ss->ssl3.hs.kea_def->tls_keygen != 0);
   8993     }
   8994 
   8995 #ifndef NO_PKCS11_BYPASS
   8996     if (ss->opt.bypassPKCS11) {
   8997 	/* TRIPLE BYPASS, get PMS directly from RSA decryption.
   8998 	 * Use PK11_PrivDecryptPKCS1 to decrypt the PMS to a buffer,
   8999 	 * then, check for version rollback attack, then
   9000 	 * do the equivalent of ssl3_DeriveMasterSecret, placing the MS in
   9001 	 * pwSpec->msItem.  Finally call ssl3_InitPendingCipherSpec with
   9002 	 * ss and NULL, so that it will use the MS we've already derived here.
   9003 	 */
   9004 
   9005 	rv = PK11_PrivDecryptPKCS1(serverKey, rsaPmsBuf, &outLen,
   9006 				   sizeof rsaPmsBuf, enc_pms.data, enc_pms.len);
   9007 	if (rv != SECSuccess) {
   9008 	    /* triple bypass failed.  Let's try for a double bypass. */
   9009 	    goto double_bypass;
   9010 	} else if (ss->opt.detectRollBack) {
   9011 	    SSL3ProtocolVersion client_version =
   9012 					 (rsaPmsBuf[0] << 8) | rsaPmsBuf[1];
   9013 
   9014 	    if (IS_DTLS(ss)) {
   9015 		client_version = dtls_DTLSVersionToTLSVersion(client_version);
   9016 	    }
   9017 
   9018 	    if (client_version != ss->clientHelloVersion) {
   9019 		/* Version roll-back detected. ensure failure.  */
   9020 		rv = PK11_GenerateRandom(rsaPmsBuf, sizeof rsaPmsBuf);
   9021 	    }
   9022 	}
   9023 	/* have PMS, build MS without PKCS11 */
   9024 	rv = ssl3_MasterKeyDeriveBypass(pwSpec, cr, sr, &pmsItem, isTLS,
   9025 					PR_TRUE);
   9026 	if (rv != SECSuccess) {
   9027 	    pwSpec->msItem.data = pwSpec->raw_master_secret;
   9028 	    pwSpec->msItem.len  = SSL3_MASTER_SECRET_LENGTH;
   9029 	    PK11_GenerateRandom(pwSpec->msItem.data, pwSpec->msItem.len);
   9030 	}
   9031 	rv = ssl3_InitPendingCipherSpec(ss,  NULL);
   9032     } else
   9033 #endif
   9034     {
   9035 #ifndef NO_PKCS11_BYPASS
   9036 double_bypass:
   9037 #endif
   9038 	/*
   9039 	 * unwrap pms out of the incoming buffer
   9040 	 * Note: CKM_SSL3_MASTER_KEY_DERIVE is NOT the mechanism used to do
   9041 	 *	the unwrap.  Rather, it is the mechanism with which the
   9042 	 *      unwrapped pms will be used.
   9043 	 */
   9044 	pms = PK11_PubUnwrapSymKey(serverKey, &enc_pms,
   9045 				   CKM_SSL3_MASTER_KEY_DERIVE, CKA_DERIVE, 0);
   9046 	if (pms != NULL) {
   9047 	    PRINT_BUF(60, (ss, "decrypted premaster secret:",
   9048 			   PK11_GetKeyData(pms)->data,
   9049 			   PK11_GetKeyData(pms)->len));
   9050 	} else {
   9051 	    /* unwrap failed. Generate a bogus PMS and carry on. */
   9052 	    PK11SlotInfo *  slot   = PK11_GetSlotFromPrivateKey(serverKey);
   9053 
   9054 	    ssl_GetSpecWriteLock(ss);
   9055 	    pms = ssl3_GenerateRSAPMS(ss, ss->ssl3.prSpec, slot);
   9056 	    ssl_ReleaseSpecWriteLock(ss);
   9057 	    PK11_FreeSlot(slot);
   9058 	}
   9059 
   9060 	if (pms == NULL) {
   9061 	    /* last gasp.  */
   9062 	    ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
   9063 	    return SECFailure;
   9064 	}
   9065 
   9066 	/* This step will derive the MS from the PMS, among other things. */
   9067 	rv = ssl3_InitPendingCipherSpec(ss,  pms);
   9068 	PK11_FreeSymKey(pms);
   9069     }
   9070 
   9071     if (rv != SECSuccess) {
   9072 	SEND_ALERT
   9073 	return SECFailure; /* error code set by ssl3_InitPendingCipherSpec */
   9074     }
   9075     return SECSuccess;
   9076 }
   9077 
   9078 
   9079 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
   9080  * ssl3 ClientKeyExchange message from the remote client
   9081  * Caller must hold Handshake and RecvBuf locks.
   9082  */
   9083 static SECStatus
   9084 ssl3_HandleClientKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
   9085 {
   9086     SECKEYPrivateKey *serverKey         = NULL;
   9087     SECStatus         rv;
   9088     const ssl3KEADef *kea_def;
   9089     ssl3KeyPair     *serverKeyPair      = NULL;
   9090 #ifdef NSS_ENABLE_ECC
   9091     SECKEYPublicKey *serverPubKey       = NULL;
   9092 #endif /* NSS_ENABLE_ECC */
   9093 
   9094     SSL_TRC(3, ("%d: SSL3[%d]: handle client_key_exchange handshake",
   9095 		SSL_GETPID(), ss->fd));
   9096 
   9097     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
   9098     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
   9099 
   9100     if (ss->ssl3.hs.ws != wait_client_key) {
   9101 	SSL3_SendAlert(ss, alert_fatal, unexpected_message);
   9102     	PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH);
   9103 	return SECFailure;
   9104     }
   9105 
   9106     kea_def   = ss->ssl3.hs.kea_def;
   9107 
   9108     if (ss->ssl3.hs.usedStepDownKey) {
   9109 	 PORT_Assert(kea_def->is_limited /* XXX OR cert is signing only */
   9110 		 && kea_def->exchKeyType == kt_rsa
   9111 		 && ss->stepDownKeyPair != NULL);
   9112 	 if (!kea_def->is_limited  ||
   9113 	      kea_def->exchKeyType != kt_rsa ||
   9114 	      ss->stepDownKeyPair == NULL) {
   9115 	 	/* shouldn't happen, don't use step down if it does */
   9116 		goto skip;
   9117 	 }
   9118     	serverKeyPair = ss->stepDownKeyPair;
   9119 	ss->sec.keaKeyBits = EXPORT_RSA_KEY_LENGTH * BPB;
   9120     } else
   9121 skip:
   9122 #ifdef NSS_ENABLE_ECC
   9123     /* XXX Using SSLKEAType to index server certifiates
   9124      * does not work for (EC)DHE ciphers. Until we have
   9125      * an indexing mechanism general enough for all key
   9126      * exchange algorithms, we'll need to deal with each
   9127      * one seprately.
   9128      */
   9129     if ((kea_def->kea == kea_ecdhe_rsa) ||
   9130                (kea_def->kea == kea_ecdhe_ecdsa)) {
   9131 	if (ss->ephemeralECDHKeyPair != NULL) {
   9132 	   serverKeyPair = ss->ephemeralECDHKeyPair;
   9133 	   if (serverKeyPair->pubKey) {
   9134 		ss->sec.keaKeyBits =
   9135 		    SECKEY_PublicKeyStrengthInBits(serverKeyPair->pubKey);
   9136 	   }
   9137 	}
   9138     } else
   9139 #endif
   9140     {
   9141 	sslServerCerts * sc = ss->serverCerts + kea_def->exchKeyType;
   9142 	serverKeyPair = sc->serverKeyPair;
   9143 	ss->sec.keaKeyBits = sc->serverKeyBits;
   9144     }
   9145 
   9146     if (serverKeyPair) {
   9147 	serverKey = serverKeyPair->privKey;
   9148     }
   9149 
   9150     if (serverKey == NULL) {
   9151     	SEND_ALERT
   9152 	PORT_SetError(SSL_ERROR_NO_SERVER_KEY_FOR_ALG);
   9153 	return SECFailure;
   9154     }
   9155 
   9156     ss->sec.keaType    = kea_def->exchKeyType;
   9157 
   9158     switch (kea_def->exchKeyType) {
   9159     case kt_rsa:
   9160 	rv = ssl3_HandleRSAClientKeyExchange(ss, b, length, serverKey);
   9161 	if (rv != SECSuccess) {
   9162 	    SEND_ALERT
   9163 	    return SECFailure;	/* error code set */
   9164 	}
   9165 	break;
   9166 
   9167 
   9168 #ifdef NSS_ENABLE_ECC
   9169     case kt_ecdh:
   9170 	/* XXX We really ought to be able to store multiple
   9171 	 * EC certs (a requirement if we wish to support both
   9172 	 * ECDH-RSA and ECDH-ECDSA key exchanges concurrently).
   9173 	 * When we make that change, we'll need an index other
   9174 	 * than kt_ecdh to pick the right EC certificate.
   9175 	 */
   9176 	if (serverKeyPair) {
   9177 	    serverPubKey = serverKeyPair->pubKey;
   9178         }
   9179 	if (serverPubKey == NULL) {
   9180 	    /* XXX Is this the right error code? */
   9181 	    PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
   9182 	    return SECFailure;
   9183 	}
   9184 	rv = ssl3_HandleECDHClientKeyExchange(ss, b, length,
   9185 					      serverPubKey, serverKey);
   9186 	if (rv != SECSuccess) {
   9187 	    return SECFailure;	/* error code set */
   9188 	}
   9189 	break;
   9190 #endif /* NSS_ENABLE_ECC */
   9191 
   9192     default:
   9193 	(void) ssl3_HandshakeFailure(ss);
   9194 	PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
   9195 	return SECFailure;
   9196     }
   9197     ss->ssl3.hs.ws = ss->sec.peerCert ? wait_cert_verify : wait_change_cipher;
   9198     return SECSuccess;
   9199 
   9200 }
   9201 
   9202 /* This is TLS's equivalent of sending a no_certificate alert. */
   9203 static SECStatus
   9204 ssl3_SendEmptyCertificate(sslSocket *ss)
   9205 {
   9206     SECStatus            rv;
   9207 
   9208     rv = ssl3_AppendHandshakeHeader(ss, certificate, 3);
   9209     if (rv == SECSuccess) {
   9210 	rv = ssl3_AppendHandshakeNumber(ss, 0, 3);
   9211     }
   9212     return rv;	/* error, if any, set by functions called above. */
   9213 }
   9214 
   9215 SECStatus
   9216 ssl3_HandleNewSessionTicket(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
   9217 {
   9218     SECStatus         rv;
   9219     NewSessionTicket  session_ticket;
   9220 
   9221     SSL_TRC(3, ("%d: SSL3[%d]: handle session_ticket handshake",
   9222 		SSL_GETPID(), ss->fd));
   9223 
   9224     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
   9225     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
   9226 
   9227     if (ss->ssl3.hs.ws != wait_new_session_ticket) {
   9228 	SSL3_SendAlert(ss, alert_fatal, unexpected_message);
   9229 	PORT_SetError(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET);
   9230 	return SECFailure;
   9231     }
   9232 
   9233     session_ticket.received_timestamp = ssl_Time();
   9234     if (length < 4) {
   9235 	(void)SSL3_SendAlert(ss, alert_fatal, decode_error);
   9236 	PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET);
   9237 	return SECFailure;
   9238     }
   9239     session_ticket.ticket_lifetime_hint =
   9240 	(PRUint32)ssl3_ConsumeHandshakeNumber(ss, 4, &b, &length);
   9241 
   9242     rv = ssl3_ConsumeHandshakeVariable(ss, &session_ticket.ticket, 2,
   9243 	&b, &length);
   9244     if (length != 0 || rv != SECSuccess) {
   9245 	(void)SSL3_SendAlert(ss, alert_fatal, decode_error);
   9246 	PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET);
   9247 	return SECFailure;  /* malformed */
   9248     }
   9249 
   9250     rv = ssl3_SetSIDSessionTicket(ss->sec.ci.sid, &session_ticket);
   9251     if (rv != SECSuccess) {
   9252 	(void)SSL3_SendAlert(ss, alert_fatal, handshake_failure);
   9253 	PORT_SetError(SSL_ERROR_INTERNAL_ERROR_ALERT);
   9254 	return SECFailure;
   9255     }
   9256     ss->ssl3.hs.ws = wait_change_cipher;
   9257     return SECSuccess;
   9258 }
   9259 
   9260 #ifdef NISCC_TEST
   9261 static PRInt32 connNum = 0;
   9262 
   9263 static SECStatus
   9264 get_fake_cert(SECItem *pCertItem, int *pIndex)
   9265 {
   9266     PRFileDesc *cf;
   9267     char *      testdir;
   9268     char *      startat;
   9269     char *      stopat;
   9270     const char *extension;
   9271     int         fileNum;
   9272     PRInt32     numBytes   = 0;
   9273     PRStatus    prStatus;
   9274     PRFileInfo  info;
   9275     char        cfn[100];
   9276 
   9277     pCertItem->data = 0;
   9278     if ((testdir = PR_GetEnv("NISCC_TEST")) == NULL) {
   9279 	return SECSuccess;
   9280     }
   9281     *pIndex   = (NULL != strstr(testdir, "root"));
   9282     extension = (strstr(testdir, "simple") ? "" : ".der");
   9283     fileNum     = PR_ATOMIC_INCREMENT(&connNum) - 1;
   9284     if ((startat = PR_GetEnv("START_AT")) != NULL) {
   9285 	fileNum += atoi(startat);
   9286     }
   9287     if ((stopat = PR_GetEnv("STOP_AT")) != NULL &&
   9288 	fileNum >= atoi(stopat)) {
   9289 	*pIndex = -1;
   9290 	return SECSuccess;
   9291     }
   9292     sprintf(cfn, "%s/%08d%s", testdir, fileNum, extension);
   9293     cf = PR_Open(cfn, PR_RDONLY, 0);
   9294     if (!cf) {
   9295 	goto loser;
   9296     }
   9297     prStatus = PR_GetOpenFileInfo(cf, &info);
   9298     if (prStatus != PR_SUCCESS) {
   9299 	PR_Close(cf);
   9300 	goto loser;
   9301     }
   9302     pCertItem = SECITEM_AllocItem(NULL, pCertItem, info.size);
   9303     if (pCertItem) {
   9304 	numBytes = PR_Read(cf, pCertItem->data, info.size);
   9305     }
   9306     PR_Close(cf);
   9307     if (numBytes != info.size) {
   9308 	SECITEM_FreeItem(pCertItem, PR_FALSE);
   9309 	PORT_SetError(SEC_ERROR_IO);
   9310 	goto loser;
   9311     }
   9312     fprintf(stderr, "using %s\n", cfn);
   9313     return SECSuccess;
   9314 
   9315 loser:
   9316     fprintf(stderr, "failed to use %s\n", cfn);
   9317     *pIndex = -1;
   9318     return SECFailure;
   9319 }
   9320 #endif
   9321 
   9322 /*
   9323  * Used by both client and server.
   9324  * Called from HandleServerHelloDone and from SendServerHelloSequence.
   9325  */
   9326 static SECStatus
   9327 ssl3_SendCertificate(sslSocket *ss)
   9328 {
   9329     SECStatus            rv;
   9330     CERTCertificateList *certChain;
   9331     int                  len 		= 0;
   9332     int                  i;
   9333     SSL3KEAType          certIndex;
   9334 #ifdef NISCC_TEST
   9335     SECItem              fakeCert;
   9336     int                  ndex           = -1;
   9337 #endif
   9338 
   9339     SSL_TRC(3, ("%d: SSL3[%d]: send certificate handshake",
   9340 		SSL_GETPID(), ss->fd));
   9341 
   9342     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
   9343     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
   9344 
   9345     if (ss->sec.localCert)
   9346     	CERT_DestroyCertificate(ss->sec.localCert);
   9347     if (ss->sec.isServer) {
   9348 	sslServerCerts * sc = NULL;
   9349 
   9350 	/* XXX SSLKEAType isn't really a good choice for
   9351 	 * indexing certificates (it breaks when we deal
   9352 	 * with (EC)DHE-* cipher suites. This hack ensures
   9353 	 * the RSA cert is picked for (EC)DHE-RSA.
   9354 	 * Revisit this when we add server side support
   9355 	 * for ECDHE-ECDSA or client-side authentication
   9356 	 * using EC certificates.
   9357 	 */
   9358 	if ((ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) ||
   9359 	    (ss->ssl3.hs.kea_def->kea == kea_dhe_rsa)) {
   9360 	    certIndex = kt_rsa;
   9361 	} else {
   9362 	    certIndex = ss->ssl3.hs.kea_def->exchKeyType;
   9363 	}
   9364 	sc                    = ss->serverCerts + certIndex;
   9365 	certChain             = sc->serverCertChain;
   9366 	ss->sec.authKeyBits   = sc->serverKeyBits;
   9367 	ss->sec.authAlgorithm = ss->ssl3.hs.kea_def->signKeyType;
   9368 	ss->sec.localCert     = CERT_DupCertificate(sc->serverCert);
   9369     } else {
   9370 	certChain          = ss->ssl3.clientCertChain;
   9371 	ss->sec.localCert = CERT_DupCertificate(ss->ssl3.clientCertificate);
   9372     }
   9373 
   9374 #ifdef NISCC_TEST
   9375     rv = get_fake_cert(&fakeCert, &ndex);
   9376 #endif
   9377 
   9378     if (certChain) {
   9379 	for (i = 0; i < certChain->len; i++) {
   9380 #ifdef NISCC_TEST
   9381 	    if (fakeCert.len > 0 && i == ndex) {
   9382 		len += fakeCert.len + 3;
   9383 	    } else {
   9384 		len += certChain->certs[i].len + 3;
   9385 	    }
   9386 #else
   9387 	    len += certChain->certs[i].len + 3;
   9388 #endif
   9389 	}
   9390     }
   9391 
   9392     rv = ssl3_AppendHandshakeHeader(ss, certificate, len + 3);
   9393     if (rv != SECSuccess) {
   9394 	return rv; 		/* err set by AppendHandshake. */
   9395     }
   9396     rv = ssl3_AppendHandshakeNumber(ss, len, 3);
   9397     if (rv != SECSuccess) {
   9398 	return rv; 		/* err set by AppendHandshake. */
   9399     }
   9400     if (certChain) {
   9401         for (i = 0; i < certChain->len; i++) {
   9402 #ifdef NISCC_TEST
   9403             if (fakeCert.len > 0 && i == ndex) {
   9404                 rv = ssl3_AppendHandshakeVariable(ss, fakeCert.data,
   9405                                                   fakeCert.len, 3);
   9406                 SECITEM_FreeItem(&fakeCert, PR_FALSE);
   9407             } else {
   9408                 rv = ssl3_AppendHandshakeVariable(ss, certChain->certs[i].data,
   9409                                                   certChain->certs[i].len, 3);
   9410             }
   9411 #else
   9412             rv = ssl3_AppendHandshakeVariable(ss, certChain->certs[i].data,
   9413                                               certChain->certs[i].len, 3);
   9414 #endif
   9415             if (rv != SECSuccess) {
   9416                 return rv; 		/* err set by AppendHandshake. */
   9417             }
   9418         }
   9419     }
   9420 
   9421     return SECSuccess;
   9422 }
   9423 
   9424 /*
   9425  * Used by server only.
   9426  * single-stapling, send only a single cert status
   9427  */
   9428 static SECStatus
   9429 ssl3_SendCertificateStatus(sslSocket *ss)
   9430 {
   9431     SECStatus rv;
   9432     int len = 0;
   9433     SECItemArray *statusToSend = NULL;
   9434     SSL3KEAType certIndex;
   9435 
   9436     SSL_TRC(3, ("%d: SSL3[%d]: send certificate status handshake",
   9437 		SSL_GETPID(), ss->fd));
   9438 
   9439     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
   9440     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
   9441     PORT_Assert( ss->sec.isServer);
   9442 
   9443     if (!ssl3_ExtensionNegotiated(ss, ssl_cert_status_xtn))
   9444 	return SECSuccess;
   9445 
   9446     /* Use certStatus based on the cert being used. */
   9447     if ((ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) ||
   9448 	(ss->ssl3.hs.kea_def->kea == kea_dhe_rsa)) {
   9449 	certIndex = kt_rsa;
   9450     } else {
   9451 	certIndex = ss->ssl3.hs.kea_def->exchKeyType;
   9452     }
   9453     if (ss->certStatusArray[certIndex] && ss->certStatusArray[certIndex]->len) {
   9454 	statusToSend = ss->certStatusArray[certIndex];
   9455     }
   9456     if (!statusToSend)
   9457 	return SECSuccess;
   9458 
   9459     /* Use the array's first item only (single stapling) */
   9460     len = 1 + statusToSend->items[0].len + 3;
   9461 
   9462     rv = ssl3_AppendHandshakeHeader(ss, certificate_status, len);
   9463     if (rv != SECSuccess) {
   9464 	return rv; 		/* err set by AppendHandshake. */
   9465     }
   9466     rv = ssl3_AppendHandshakeNumber(ss, 1 /*ocsp*/, 1);
   9467     if (rv != SECSuccess)
   9468 	return rv; 		/* err set by AppendHandshake. */
   9469 
   9470     rv = ssl3_AppendHandshakeVariable(ss,
   9471 				      statusToSend->items[0].data,
   9472 				      statusToSend->items[0].len,
   9473 				      3);
   9474     if (rv != SECSuccess)
   9475 	return rv; 		/* err set by AppendHandshake. */
   9476 
   9477     return SECSuccess;
   9478 }
   9479 
   9480 /* This is used to delete the CA certificates in the peer certificate chain
   9481  * from the cert database after they've been validated.
   9482  */
   9483 static void
   9484 ssl3_CleanupPeerCerts(sslSocket *ss)
   9485 {
   9486     PLArenaPool * arena = ss->ssl3.peerCertArena;
   9487     ssl3CertNode *certs = (ssl3CertNode *)ss->ssl3.peerCertChain;
   9488 
   9489     for (; certs; certs = certs->next) {
   9490 	CERT_DestroyCertificate(certs->cert);
   9491     }
   9492     if (arena) PORT_FreeArena(arena, PR_FALSE);
   9493     ss->ssl3.peerCertArena = NULL;
   9494     ss->ssl3.peerCertChain = NULL;
   9495 }
   9496 
   9497 static void
   9498 ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid)
   9499 {
   9500     PLArenaPool *arena;
   9501     ssl3CertNode *lastCert = NULL;
   9502     ssl3CertNode *certs = NULL;
   9503     int i;
   9504 
   9505     if (!sid->peerCertChain[0])
   9506 	return;
   9507     PORT_Assert(!ss->ssl3.peerCertArena);
   9508     PORT_Assert(!ss->ssl3.peerCertChain);
   9509     ss->ssl3.peerCertArena = arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
   9510     for (i = 0; i < MAX_PEER_CERT_CHAIN_SIZE && sid->peerCertChain[i]; i++) {
   9511 	ssl3CertNode *c = PORT_ArenaNew(arena, ssl3CertNode);
   9512 	c->cert = CERT_DupCertificate(sid->peerCertChain[i]);
   9513 	c->next = NULL;
   9514 	if (lastCert) {
   9515 	    lastCert->next = c;
   9516 	} else {
   9517 	    certs = c;
   9518 	}
   9519 	lastCert = c;
   9520     }
   9521     ss->ssl3.peerCertChain = certs;
   9522 }
   9523 
   9524 static void
   9525 ssl3_CopyPeerCertsToSID(ssl3CertNode *certs, sslSessionID *sid)
   9526 {
   9527     int i = 0;
   9528     ssl3CertNode *c = certs;
   9529     for (; i < MAX_PEER_CERT_CHAIN_SIZE && c; i++, c = c->next) {
   9530 	PORT_Assert(!sid->peerCertChain[i]);
   9531 	sid->peerCertChain[i] = CERT_DupCertificate(c->cert);
   9532     }
   9533 }
   9534 
   9535 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
   9536  * ssl3 CertificateStatus message.
   9537  * Caller must hold Handshake and RecvBuf locks.
   9538  * This is always called before ssl3_HandleCertificate, even if the Certificate
   9539  * message is sent first.
   9540  */
   9541 static SECStatus
   9542 ssl3_HandleCertificateStatus(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
   9543 {
   9544     PRInt32 status, len;
   9545 
   9546     if (ss->ssl3.hs.ws != wait_certificate_status) {
   9547         (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
   9548         PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_STATUS);
   9549         return SECFailure;
   9550     }
   9551 
   9552     PORT_Assert(!ss->sec.isServer);
   9553 
   9554     /* Consume the CertificateStatusType enum */
   9555     status = ssl3_ConsumeHandshakeNumber(ss, 1, &b, &length);
   9556     if (status != 1 /* ocsp */) {
   9557        goto format_loser;
   9558     }
   9559 
   9560     len = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
   9561     if (len != length) {
   9562        goto format_loser;
   9563     }
   9564 
   9565 #define MAX_CERTSTATUS_LEN 0x1ffff   /* 128k - 1 */
   9566     if (length > MAX_CERTSTATUS_LEN)
   9567        goto format_loser;
   9568 #undef MAX_CERTSTATUS_LEN
   9569 
   9570     /* Array size 1, because we currently implement single-stapling only */
   9571     SECITEM_AllocArray(NULL, &ss->sec.ci.sid->peerCertStatus, 1);
   9572     if (!ss->sec.ci.sid->peerCertStatus.items)
   9573        return SECFailure;
   9574 
   9575     ss->sec.ci.sid->peerCertStatus.items[0].data = PORT_Alloc(length);
   9576 
   9577     if (!ss->sec.ci.sid->peerCertStatus.items[0].data) {
   9578         SECITEM_FreeArray(&ss->sec.ci.sid->peerCertStatus, PR_FALSE);
   9579         return SECFailure;
   9580     }
   9581 
   9582     PORT_Memcpy(ss->sec.ci.sid->peerCertStatus.items[0].data, b, length);
   9583     ss->sec.ci.sid->peerCertStatus.items[0].len = length;
   9584     ss->sec.ci.sid->peerCertStatus.items[0].type = siBuffer;
   9585 
   9586     return ssl3_AuthCertificate(ss);
   9587 
   9588 format_loser:
   9589     return ssl3_DecodeError(ss);
   9590 }
   9591 
   9592 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
   9593  * ssl3 Certificate message.
   9594  * Caller must hold Handshake and RecvBuf locks.
   9595  */
   9596 static SECStatus
   9597 ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
   9598 {
   9599     ssl3CertNode *   c;
   9600     ssl3CertNode *   lastCert 	= NULL;
   9601     PRInt32          remaining  = 0;
   9602     PRInt32          size;
   9603     SECStatus        rv;
   9604     PRBool           isServer	= (PRBool)(!!ss->sec.isServer);
   9605     PRBool           isTLS;
   9606     SSL3AlertDescription desc;
   9607     int              errCode    = SSL_ERROR_RX_MALFORMED_CERTIFICATE;
   9608     SECItem          certItem;
   9609 
   9610     SSL_TRC(3, ("%d: SSL3[%d]: handle certificate handshake",
   9611 		SSL_GETPID(), ss->fd));
   9612     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
   9613     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
   9614 
   9615     if ((ss->ssl3.hs.ws != wait_server_cert) &&
   9616 	(ss->ssl3.hs.ws != wait_client_cert)) {
   9617 	desc    = unexpected_message;
   9618 	errCode = SSL_ERROR_RX_UNEXPECTED_CERTIFICATE;
   9619 	goto alert_loser;
   9620     }
   9621 
   9622     if (ss->sec.peerCert != NULL) {
   9623 	if (ss->sec.peerKey) {
   9624 	    SECKEY_DestroyPublicKey(ss->sec.peerKey);
   9625 	    ss->sec.peerKey = NULL;
   9626 	}
   9627 	CERT_DestroyCertificate(ss->sec.peerCert);
   9628 	ss->sec.peerCert = NULL;
   9629     }
   9630 
   9631     ssl3_CleanupPeerCerts(ss);
   9632     isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
   9633 
   9634     /* It is reported that some TLS client sends a Certificate message
   9635     ** with a zero-length message body.  We'll treat that case like a
   9636     ** normal no_certificates message to maximize interoperability.
   9637     */
   9638     if (length) {
   9639 	remaining = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
   9640 	if (remaining < 0)
   9641 	    goto loser;	/* fatal alert already sent by ConsumeHandshake. */
   9642 	if ((PRUint32)remaining > length)
   9643 	    goto decode_loser;
   9644     }
   9645 
   9646     if (!remaining) {
   9647 	if (!(isTLS && isServer)) {
   9648 	    desc = bad_certificate;
   9649 	    goto alert_loser;
   9650 	}
   9651     	/* This is TLS's version of a no_certificate alert. */
   9652     	/* I'm a server. I've requested a client cert. He hasn't got one. */
   9653 	rv = ssl3_HandleNoCertificate(ss);
   9654 	if (rv != SECSuccess) {
   9655 	    errCode = PORT_GetError();
   9656 	    goto loser;
   9657 	}
   9658        ss->ssl3.hs.ws = wait_client_key;
   9659        return SECSuccess;
   9660     }
   9661 
   9662     ss->ssl3.peerCertArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
   9663     if (ss->ssl3.peerCertArena == NULL) {
   9664 	goto loser;	/* don't send alerts on memory errors */
   9665     }
   9666 
   9667     /* First get the peer cert. */
   9668     remaining -= 3;
   9669     if (remaining < 0)
   9670 	goto decode_loser;
   9671 
   9672     size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
   9673     if (size <= 0)
   9674 	goto loser;	/* fatal alert already sent by ConsumeHandshake. */
   9675 
   9676     if (remaining < size)
   9677 	goto decode_loser;
   9678 
   9679     certItem.data = b;
   9680     certItem.len = size;
   9681     b      += size;
   9682     length -= size;
   9683     remaining -= size;
   9684 
   9685     ss->sec.peerCert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
   9686                                             PR_FALSE, PR_TRUE);
   9687     if (ss->sec.peerCert == NULL) {
   9688 	/* We should report an alert if the cert was bad, but not if the
   9689 	 * problem was just some local problem, like memory error.
   9690 	 */
   9691 	goto ambiguous_err;
   9692     }
   9693 
   9694     /* Now get all of the CA certs. */
   9695     while (remaining > 0) {
   9696 	remaining -= 3;
   9697 	if (remaining < 0)
   9698 	    goto decode_loser;
   9699 
   9700 	size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
   9701 	if (size <= 0)
   9702 	    goto loser;	/* fatal alert already sent by ConsumeHandshake. */
   9703 
   9704 	if (remaining < size)
   9705 	    goto decode_loser;
   9706 
   9707 	certItem.data = b;
   9708 	certItem.len = size;
   9709 	b      += size;
   9710 	length -= size;
   9711 	remaining -= size;
   9712 
   9713 	c = PORT_ArenaNew(ss->ssl3.peerCertArena, ssl3CertNode);
   9714 	if (c == NULL) {
   9715 	    goto loser;	/* don't send alerts on memory errors */
   9716 	}
   9717 
   9718 	c->cert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
   9719 	                                  PR_FALSE, PR_TRUE);
   9720 	if (c->cert == NULL) {
   9721 	    goto ambiguous_err;
   9722 	}
   9723 
   9724 	c->next = NULL;
   9725 	if (lastCert) {
   9726 	    lastCert->next = c;
   9727 	} else {
   9728 	    ss->ssl3.peerCertChain = c;
   9729 	}
   9730 	lastCert = c;
   9731     }
   9732 
   9733     if (remaining != 0)
   9734         goto decode_loser;
   9735 
   9736     SECKEY_UpdateCertPQG(ss->sec.peerCert);
   9737 
   9738     if (!isServer && ssl3_ExtensionNegotiated(ss, ssl_cert_status_xtn)) {
   9739        ss->ssl3.hs.ws = wait_certificate_status;
   9740        rv = SECSuccess;
   9741     } else {
   9742        rv = ssl3_AuthCertificate(ss); /* sets ss->ssl3.hs.ws */
   9743     }
   9744 
   9745     return rv;
   9746 
   9747 ambiguous_err:
   9748     errCode = PORT_GetError();
   9749     switch (errCode) {
   9750     case PR_OUT_OF_MEMORY_ERROR:
   9751     case SEC_ERROR_BAD_DATABASE:
   9752     case SEC_ERROR_NO_MEMORY:
   9753        if (isTLS) {
   9754            desc = internal_error;
   9755            goto alert_loser;
   9756        }
   9757        goto loser;
   9758     }
   9759     ssl3_SendAlertForCertError(ss, errCode);
   9760     goto loser;
   9761 
   9762 decode_loser:
   9763     desc = isTLS ? decode_error : bad_certificate;
   9764 
   9765 alert_loser:
   9766     (void)SSL3_SendAlert(ss, alert_fatal, desc);
   9767 
   9768 loser:
   9769     (void)ssl_MapLowLevelError(errCode);
   9770     return SECFailure;
   9771 }
   9772 
   9773 static SECStatus
   9774 ssl3_AuthCertificate(sslSocket *ss)
   9775 {
   9776     SECStatus        rv;
   9777     PRBool           isServer   = (PRBool)(!!ss->sec.isServer);
   9778     int              errCode;
   9779 
   9780     ss->ssl3.hs.authCertificatePending = PR_FALSE;
   9781 
   9782     /*
   9783      * Ask caller-supplied callback function to validate cert chain.
   9784      */
   9785     rv = (SECStatus)(*ss->authCertificate)(ss->authCertificateArg, ss->fd,
   9786 					   PR_TRUE, isServer);
   9787     if (rv) {
   9788 	errCode = PORT_GetError();
   9789 	if (rv != SECWouldBlock) {
   9790 	    if (ss->handleBadCert) {
   9791 		rv = (*ss->handleBadCert)(ss->badCertArg, ss->fd);
   9792 	    }
   9793 	}
   9794 
   9795 	if (rv == SECWouldBlock) {
   9796 	    if (ss->sec.isServer) {
   9797 		errCode = SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SERVERS;
   9798 		rv = SECFailure;
   9799 		goto loser;
   9800 	    }
   9801 
   9802 	    ss->ssl3.hs.authCertificatePending = PR_TRUE;
   9803 	    rv = SECSuccess;
   9804 
   9805 	    /* XXX: Async cert validation and False Start don't work together
   9806 	     * safely yet; if we leave False Start enabled, we may end up false
   9807 	     * starting (sending application data) before we
   9808 	     * SSL_AuthCertificateComplete has been called.
   9809 	     */
   9810 	    ss->opt.enableFalseStart = PR_FALSE;
   9811 	}
   9812 
   9813 	if (rv != SECSuccess) {
   9814 	    ssl3_SendAlertForCertError(ss, errCode);
   9815 	    goto loser;
   9816 	}
   9817     }
   9818 
   9819     ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
   9820     ssl3_CopyPeerCertsToSID(ss->ssl3.peerCertChain, ss->sec.ci.sid);
   9821 
   9822     if (!ss->sec.isServer) {
   9823         CERTCertificate *cert = ss->sec.peerCert;
   9824 
   9825 	/* set the server authentication and key exchange types and sizes
   9826 	** from the value in the cert.  If the key exchange key is different,
   9827 	** it will get fixed when we handle the server key exchange message.
   9828 	*/
   9829 	SECKEYPublicKey * pubKey  = CERT_ExtractPublicKey(cert);
   9830 	ss->sec.authAlgorithm = ss->ssl3.hs.kea_def->signKeyType;
   9831 	ss->sec.keaType       = ss->ssl3.hs.kea_def->exchKeyType;
   9832 	if (pubKey) {
   9833 	    ss->sec.keaKeyBits = ss->sec.authKeyBits =
   9834 		SECKEY_PublicKeyStrengthInBits(pubKey);
   9835 #ifdef NSS_ENABLE_ECC
   9836 	    if (ss->sec.keaType == kt_ecdh) {
   9837 		/* Get authKeyBits from signing key.
   9838 		 * XXX The code below uses a quick approximation of
   9839 		 * key size based on cert->signatureWrap.signature.data
   9840 		 * (which contains the DER encoded signature). The field
   9841 		 * cert->signatureWrap.signature.len contains the
   9842 		 * length of the encoded signature in bits.
   9843 		 */
   9844 		if (ss->ssl3.hs.kea_def->kea == kea_ecdh_ecdsa) {
   9845 		    ss->sec.authKeyBits =
   9846 			cert->signatureWrap.signature.data[3]*8;
   9847 		    if (cert->signatureWrap.signature.data[4] == 0x00)
   9848 			    ss->sec.authKeyBits -= 8;
   9849 		    /*
   9850 		     * XXX: if cert is not signed by ecdsa we should
   9851 		     * destroy pubKey and goto bad_cert
   9852 		     */
   9853 		} else if (ss->ssl3.hs.kea_def->kea == kea_ecdh_rsa) {
   9854 		    ss->sec.authKeyBits = cert->signatureWrap.signature.len;
   9855 		    /*
   9856 		     * XXX: if cert is not signed by rsa we should
   9857 		     * destroy pubKey and goto bad_cert
   9858 		     */
   9859 		}
   9860 	    }
   9861 #endif /* NSS_ENABLE_ECC */
   9862 	    SECKEY_DestroyPublicKey(pubKey);
   9863 	    pubKey = NULL;
   9864     	}
   9865 
   9866 	ss->ssl3.hs.ws = wait_cert_request; /* disallow server_key_exchange */
   9867 	if (ss->ssl3.hs.kea_def->is_limited ||
   9868 	    /* XXX OR server cert is signing only. */
   9869 #ifdef NSS_ENABLE_ECC
   9870 	    ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa ||
   9871 	    ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa ||
   9872 #endif /* NSS_ENABLE_ECC */
   9873 	    ss->ssl3.hs.kea_def->exchKeyType == kt_dh) {
   9874 	    ss->ssl3.hs.ws = wait_server_key; /* allow server_key_exchange */
   9875 	}
   9876     } else {
   9877 	ss->ssl3.hs.ws = wait_client_key;
   9878     }
   9879 
   9880     PORT_Assert(rv == SECSuccess);
   9881     if (rv != SECSuccess) {
   9882 	errCode = SEC_ERROR_LIBRARY_FAILURE;
   9883 	rv = SECFailure;
   9884 	goto loser;
   9885     }
   9886 
   9887     return rv;
   9888 
   9889 loser:
   9890     (void)ssl_MapLowLevelError(errCode);
   9891     return SECFailure;
   9892 }
   9893 
   9894 static SECStatus ssl3_FinishHandshake(sslSocket *ss);
   9895 
   9896 static SECStatus
   9897 ssl3_AlwaysFail(sslSocket * ss)
   9898 {
   9899     PORT_SetError(PR_INVALID_STATE_ERROR);
   9900     return SECFailure;
   9901 }
   9902 
   9903 /* Caller must hold 1stHandshakeLock.
   9904 */
   9905 SECStatus
   9906 ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode error)
   9907 {
   9908     SECStatus rv;
   9909 
   9910     PORT_Assert(ss->opt.noLocks || ssl_Have1stHandshakeLock(ss));
   9911 
   9912     if (ss->sec.isServer) {
   9913 	PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SERVERS);
   9914 	return SECFailure;
   9915     }
   9916 
   9917     ssl_GetRecvBufLock(ss);
   9918     ssl_GetSSL3HandshakeLock(ss);
   9919 
   9920     if (!ss->ssl3.hs.authCertificatePending) {
   9921 	PORT_SetError(PR_INVALID_STATE_ERROR);
   9922 	rv = SECFailure;
   9923 	goto done;
   9924     }
   9925 
   9926     ss->ssl3.hs.authCertificatePending = PR_FALSE;
   9927 
   9928     if (error != 0) {
   9929 	ss->ssl3.hs.restartTarget = ssl3_AlwaysFail;
   9930 	ssl3_SendAlertForCertError(ss, error);
   9931 	rv = SECSuccess;
   9932     } else if (ss->ssl3.hs.restartTarget != NULL) {
   9933 	sslRestartTarget target = ss->ssl3.hs.restartTarget;
   9934 	ss->ssl3.hs.restartTarget = NULL;
   9935 	rv = target(ss);
   9936 	/* Even if we blocked here, we have accomplished enough to claim
   9937 	 * success. Any remaining work will be taken care of by subsequent
   9938 	 * calls to SSL_ForceHandshake/PR_Send/PR_Read/etc.
   9939 	 */
   9940 	if (rv == SECWouldBlock) {
   9941 	    rv = SECSuccess;
   9942 	}
   9943     } else {
   9944 	rv = SECSuccess;
   9945     }
   9946 
   9947 done:
   9948     ssl_ReleaseSSL3HandshakeLock(ss);
   9949     ssl_ReleaseRecvBufLock(ss);
   9950 
   9951     return rv;
   9952 }
   9953 
   9954 static SECStatus
   9955 ssl3_ComputeTLSFinished(ssl3CipherSpec *spec,
   9956 			PRBool          isServer,
   9957                 const   SSL3Hashes   *  hashes,
   9958                         TLSFinished  *  tlsFinished)
   9959 {
   9960     const char * label;
   9961     unsigned int len;
   9962     SECStatus    rv;
   9963 
   9964     label = isServer ? "server finished" : "client finished";
   9965     len   = 15;
   9966 
   9967     rv = ssl3_TLSPRFWithMasterSecret(spec, label, len, hashes->u.raw,
   9968 	hashes->len, tlsFinished->verify_data,
   9969 	sizeof tlsFinished->verify_data);
   9970 
   9971     return rv;
   9972 }
   9973 
   9974 /* The calling function must acquire and release the appropriate
   9975  * lock (e.g., ssl_GetSpecReadLock / ssl_ReleaseSpecReadLock for
   9976  * ss->ssl3.crSpec).
   9977  */
   9978 SECStatus
   9979 ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec, const char *label,
   9980     unsigned int labelLen, const unsigned char *val, unsigned int valLen,
   9981     unsigned char *out, unsigned int outLen)
   9982 {
   9983     SECStatus rv = SECSuccess;
   9984 
   9985     if (spec->master_secret && !spec->bypassCiphers) {
   9986 	SECItem param = {siBuffer, NULL, 0};
   9987 	CK_MECHANISM_TYPE mech = CKM_TLS_PRF_GENERAL;
   9988 	PK11Context *prf_context;
   9989 	unsigned int retLen;
   9990 
   9991 	if (spec->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
   9992 	    mech = CKM_NSS_TLS_PRF_GENERAL_SHA256;
   9993 	}
   9994 	prf_context = PK11_CreateContextBySymKey(mech, CKA_SIGN,
   9995 						 spec->master_secret, &param);
   9996 	if (!prf_context)
   9997 	    return SECFailure;
   9998 
   9999 	rv  = PK11_DigestBegin(prf_context);
   10000 	rv |= PK11_DigestOp(prf_context, (unsigned char *) label, labelLen);
   10001 	rv |= PK11_DigestOp(prf_context, val, valLen);
   10002 	rv |= PK11_DigestFinal(prf_context, out, &retLen, outLen);
   10003 	PORT_Assert(rv != SECSuccess || retLen == outLen);
   10004 
   10005 	PK11_DestroyContext(prf_context, PR_TRUE);
   10006     } else {
   10007 	/* bypass PKCS11 */
   10008 #ifdef NO_PKCS11_BYPASS
   10009 	PORT_Assert(spec->master_secret);
   10010 	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
   10011 	rv = SECFailure;
   10012 #else
   10013 	SECItem inData  = { siBuffer, };
   10014 	SECItem outData = { siBuffer, };
   10015 	PRBool isFIPS   = PR_FALSE;
   10016 
   10017 	inData.data  = (unsigned char *) val;
   10018 	inData.len   = valLen;
   10019 	outData.data = out;
   10020 	outData.len  = outLen;
   10021 	if (spec->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
   10022 	    rv = TLS_P_hash(HASH_AlgSHA256, &spec->msItem, label, &inData,
   10023 			    &outData, isFIPS);
   10024 	} else {
   10025 	    rv = TLS_PRF(&spec->msItem, label, &inData, &outData, isFIPS);
   10026 	}
   10027 	PORT_Assert(rv != SECSuccess || outData.len == outLen);
   10028 #endif
   10029     }
   10030     return rv;
   10031 }
   10032 
   10033 /* called from ssl3_HandleServerHelloDone
   10034  */
   10035 static SECStatus
   10036 ssl3_SendNextProto(sslSocket *ss)
   10037 {
   10038     SECStatus rv;
   10039     int padding_len;
   10040     static const unsigned char padding[32] = {0};
   10041 
   10042     if (ss->ssl3.nextProto.len == 0 ||
   10043         ss->ssl3.nextProtoState == SSL_NEXT_PROTO_SELECTED) {
   10044 	return SECSuccess;
   10045     }
   10046 
   10047     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
   10048     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
   10049 
   10050     padding_len = 32 - ((ss->ssl3.nextProto.len + 2) % 32);
   10051 
   10052     rv = ssl3_AppendHandshakeHeader(ss, next_proto, ss->ssl3.nextProto.len +
   10053 						    2 + padding_len);
   10054     if (rv != SECSuccess) {
   10055 	return rv;	/* error code set by AppendHandshakeHeader */
   10056     }
   10057     rv = ssl3_AppendHandshakeVariable(ss, ss->ssl3.nextProto.data,
   10058 				      ss->ssl3.nextProto.len, 1);
   10059     if (rv != SECSuccess) {
   10060 	return rv;	/* error code set by AppendHandshake */
   10061     }
   10062     rv = ssl3_AppendHandshakeVariable(ss, padding, padding_len, 1);
   10063     if (rv != SECSuccess) {
   10064 	return rv;	/* error code set by AppendHandshake */
   10065     }
   10066     return rv;
   10067 }
   10068 
   10069 /* called from ssl3_SendFinished
   10070  *
   10071  * This function is simply a debugging aid and therefore does not return a
   10072  * SECStatus. */
   10073 static void
   10074 ssl3_RecordKeyLog(sslSocket *ss)
   10075 {
   10076     sslSessionID *sid;
   10077     SECStatus rv;
   10078     SECItem *keyData;
   10079     char buf[14 /* "CLIENT_RANDOM " */ +
   10080 	     SSL3_RANDOM_LENGTH*2 /* client_random */ +
   10081 	     1 /* " " */ +
   10082 	     48*2 /* master secret */ +
   10083              1 /* new line */];
   10084     unsigned int j;
   10085 
   10086     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
   10087 
   10088     sid = ss->sec.ci.sid;
   10089 
   10090     if (!ssl_keylog_iob)
   10091 	return;
   10092 
   10093     rv = PK11_ExtractKeyValue(ss->ssl3.cwSpec->master_secret);
   10094     if (rv != SECSuccess)
   10095 	return;
   10096 
   10097     ssl_GetSpecReadLock(ss);
   10098 
   10099     /* keyData does not need to be freed. */
   10100     keyData = PK11_GetKeyData(ss->ssl3.cwSpec->master_secret);
   10101     if (!keyData || !keyData->data || keyData->len != 48) {
   10102 	ssl_ReleaseSpecReadLock(ss);
   10103 	return;
   10104     }
   10105 
   10106     /* https://developer.mozilla.org/en/NSS_Key_Log_Format */
   10107 
   10108     /* There could be multiple, concurrent writers to the
   10109      * keylog, so we have to do everything in a single call to
   10110      * fwrite. */
   10111 
   10112     memcpy(buf, "CLIENT_RANDOM ", 14);
   10113     j = 14;
   10114     hexEncode(buf + j, ss->ssl3.hs.client_random.rand, SSL3_RANDOM_LENGTH);
   10115     j += SSL3_RANDOM_LENGTH*2;
   10116     buf[j++] = ' ';
   10117     hexEncode(buf + j, keyData->data, 48);
   10118     j += 48*2;
   10119     buf[j++] = '\n';
   10120 
   10121     PORT_Assert(j == sizeof(buf));
   10122 
   10123     ssl_ReleaseSpecReadLock(ss);
   10124 
   10125     if (fwrite(buf, sizeof(buf), 1, ssl_keylog_iob) != 1)
   10126         return;
   10127     fflush(ssl_keylog_iob);
   10128     return;
   10129 }
   10130 
   10131 /* called from ssl3_SendClientSecondRound
   10132  *	     ssl3_HandleFinished
   10133  */
   10134 static SECStatus
   10135 ssl3_SendEncryptedExtensions(sslSocket *ss)
   10136 {
   10137     static const char CHANNEL_ID_MAGIC[] = "TLS Channel ID signature";
   10138     /* This is the ASN.1 prefix for a P-256 public key. Specifically it's:
   10139      * SEQUENCE
   10140      *   SEQUENCE
   10141      *     OID id-ecPublicKey
   10142      *     OID prime256v1
   10143      *   BIT STRING, length 66, 0 trailing bits: 0x04
   10144      *
   10145      * The 0x04 in the BIT STRING is the prefix for an uncompressed, X9.62
   10146      * public key. Following that are the two field elements as 32-byte,
   10147      * big-endian numbers, as required by the Channel ID. */
   10148     static const unsigned char P256_SPKI_PREFIX[] = {
   10149 	0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86,
   10150 	0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a,
   10151 	0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
   10152 	0x42, 0x00, 0x04
   10153     };
   10154     /* ChannelIDs are always 128 bytes long: 64 bytes of P-256 public key and 64
   10155      * bytes of ECDSA signature. */
   10156     static const int CHANNEL_ID_PUBLIC_KEY_LENGTH = 64;
   10157     static const int CHANNEL_ID_LENGTH = 128;
   10158 
   10159     SECStatus rv = SECFailure;
   10160     SECItem *spki = NULL;
   10161     SSL3Hashes hashes;
   10162     const unsigned char *pub_bytes;
   10163     unsigned char signed_data[sizeof(CHANNEL_ID_MAGIC) + sizeof(SSL3Hashes)];
   10164     unsigned char digest[SHA256_LENGTH];
   10165     SECItem digest_item;
   10166     unsigned char signature[64];
   10167     SECItem signature_item;
   10168 
   10169     PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
   10170     PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
   10171 
   10172     if (ss->ssl3.channelID == NULL)
   10173 	return SECSuccess;
   10174 
   10175     PORT_Assert(ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn));
   10176 
   10177     if (SECKEY_GetPrivateKeyType(ss->ssl3.channelID) != ecKey ||
   10178 	PK11_SignatureLen(ss->ssl3.channelID) != sizeof(signature)) {
   10179 	PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY);
   10180 	rv = SECFailure;
   10181 	goto loser;
   10182     }
   10183 
   10184     ssl_GetSpecReadLock(ss);
   10185     rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.cwSpec, &hashes, 0);
   10186     ssl_ReleaseSpecReadLock(ss);
   10187 
   10188     if (rv != SECSuccess)
   10189 	goto loser;
   10190 
   10191     rv = ssl3_AppendHandshakeHeader(ss, encrypted_extensions,
   10192 				    2 + 2 + CHANNEL_ID_LENGTH);
   10193     if (rv != SECSuccess)
   10194 	goto loser;	/* error code set by AppendHandshakeHeader */
   10195     rv = ssl3_AppendHandshakeNumber(ss, ssl_channel_id_xtn, 2);
   10196     if (rv != SECSuccess)
   10197 	goto loser;	/* error code set by AppendHandshake */
   10198     rv = ssl3_AppendHandshakeNumber(ss, CHANNEL_ID_LENGTH, 2);
   10199     if (rv != SECSuccess)
   10200 	goto loser;	/* error code set by AppendHandshake */
   10201 
   10202     spki = SECKEY_EncodeDERSubjectPublicKeyInfo(ss->ssl3.channelIDPub);
   10203 
   10204     if (spki->len != sizeof(P256_SPKI_PREFIX) + CHANNEL_ID_PUBLIC_KEY_LENGTH ||
   10205 	memcmp(spki->data, P256_SPKI_PREFIX, sizeof(P256_SPKI_PREFIX) != 0)) {
   10206 	PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY);
   10207 	rv = SECFailure;
   10208 	goto loser;
   10209     }
   10210 
   10211     pub_bytes = spki->data + sizeof(P256_SPKI_PREFIX);
   10212 
   10213     memcpy(signed_data, CHANNEL_ID_MAGIC, sizeof(CHANNEL_ID_MAGIC));
   10214     memcpy(signed_data + sizeof(CHANNEL_ID_MAGIC), hashes.u.raw, hashes.len);
   10215 
   10216     rv = PK11_HashBuf(SEC_OID_SHA256, digest, signed_data,
   10217 		      sizeof(CHANNEL_ID_MAGIC) + hashes.len);
   10218     if (rv != SECSuccess)
   10219 	goto loser;
   10220 
   10221     digest_item.data = digest;
   10222     digest_item.len = sizeof(digest);
   10223 
   10224     signature_item.data = signature;
   10225     signature_item.len = sizeof(signature);
   10226 
   10227     rv = PK11_Sign(ss->ssl3.channelID, &signature_item, &digest_item);
   10228     if (rv != SECSuccess)
   10229 	goto loser;
   10230 
   10231     rv = ssl3_AppendHandshake(ss, pub_bytes, CHANNEL_ID_PUBLIC_KEY_LENGTH);
   10232     if (rv != SECSuccess)
   10233 	goto loser;
   10234     rv = ssl3_AppendHandshake(ss, signature, sizeof(signature));
   10235 
   10236 loser:
   10237     if (spki)
   10238 	SECITEM_FreeItem(spki, PR_TRUE);
   10239     if (ss->ssl3.channelID) {
   10240 	SECKEY_DestroyPrivateKey(ss->ssl3.channelID);
   10241 	ss->ssl3.channelID = NULL;
   10242     }
   10243     if (ss->ssl3.channelIDPub) {
   10244 	SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
   10245 	ss->ssl3.channelIDPub = NULL;
   10246     }
   10247 
   10248     return rv;
   10249 }
   10250 
   10251 /* ssl3_RestartHandshakeAfterChannelIDReq is called to restart a handshake
   10252  * after a ChannelID callback returned SECWouldBlock. At this point we have
   10253  * processed the server's ServerHello but not yet any further messages. We will
   10254  * always get a message from the server after a ServerHello so either they are
   10255  * waiting in the buffer or we'll get network I/O. */
   10256 SECStatus
   10257 ssl3_RestartHandshakeAfterChannelIDReq(sslSocket *ss,
   10258 				       SECKEYPublicKey *channelIDPub,
   10259 				       SECKEYPrivateKey *channelID)
   10260 {
   10261     if (ss->handshake == 0) {
   10262 	SECKEY_DestroyPublicKey(channelIDPub);
   10263 	SECKEY_DestroyPrivateKey(channelID);
   10264 	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
   10265 	return SECFailure;
   10266     }
   10267 
   10268     if (channelIDPub == NULL ||
   10269 	channelID == NULL) {
   10270 	if (channelIDPub)
   10271 	    SECKEY_DestroyPublicKey(channelIDPub);
   10272 	if (channelID)
   10273 	    SECKEY_DestroyPrivateKey(channelID);
   10274 	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
   10275 	return SECFailure;
   10276     }
   10277 
   10278     if (ss->ssl3.channelID)
   10279 	SECKEY_DestroyPrivateKey(ss->ssl3.channelID);
   10280     if (ss->ssl3.channelIDPub)
   10281 	SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
   10282 
   10283     ss->handshake = ssl_GatherRecord1stHandshake;
   10284     ss->ssl3.channelID = channelID;
   10285     ss->ssl3.channelIDPub = channelIDPub;
   10286 
   10287     return SECSuccess;
   10288 }
   10289 
   10290 /* called from ssl3_HandleServerHelloDone
   10291  *             ssl3_HandleClientHello
   10292  *             ssl3_HandleFinished
   10293  */
   10294 static SECStatus
   10295 ssl3_SendFinished(sslSocket *ss, PRInt32 flags)
   10296 {
   10297     ssl3CipherSpec *cwSpec;
   10298     PRBool          isTLS;
   10299     PRBool          isServer = ss->sec.isServer;
   10300     SECStatus       rv;
   10301     SSL3Sender      sender = isServer ? sender_server : sender_client;
   10302     SSL3Hashes      hashes;
   10303     TLSFinished     tlsFinished;
   10304 
   10305     SSL_TRC(3, ("%d: SSL3[%d]: send finished handshake", SSL_GETPID(), ss->fd));
   10306 
   10307     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
   10308     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
   10309 
   10310     ssl_GetSpecReadLock(ss);
   10311     cwSpec = ss->ssl3.cwSpec;
   10312     isTLS = (PRBool)(cwSpec->version > SSL_LIBRARY_VERSION_3_0);
   10313     rv = ssl3_ComputeHandshakeHashes(ss, cwSpec, &hashes, sender);
   10314     if (isTLS && rv == SECSuccess) {
   10315 	rv = ssl3_ComputeTLSFinished(cwSpec, isServer, &hashes, &tlsFinished);
   10316     }
   10317     ssl_ReleaseSpecReadLock(ss);
   10318     if (rv != SECSuccess) {
   10319 	goto fail;	/* err code was set by ssl3_ComputeHandshakeHashes */
   10320     }
   10321 
   10322     if (isTLS) {
   10323 	if (isServer)
   10324 	    ss->ssl3.hs.finishedMsgs.tFinished[1] = tlsFinished;
   10325 	else
   10326 	    ss->ssl3.hs.finishedMsgs.tFinished[0] = tlsFinished;
   10327 	ss->ssl3.hs.finishedBytes = sizeof tlsFinished;
   10328 	rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof tlsFinished);
   10329 	if (rv != SECSuccess)
   10330 	    goto fail; 		/* err set by AppendHandshake. */
   10331 	rv = ssl3_AppendHandshake(ss, &tlsFinished, sizeof tlsFinished);
   10332 	if (rv != SECSuccess)
   10333 	    goto fail; 		/* err set by AppendHandshake. */
   10334     } else {
   10335 	if (isServer)
   10336 	    ss->ssl3.hs.finishedMsgs.sFinished[1] = hashes.u.s;
   10337 	else
   10338 	    ss->ssl3.hs.finishedMsgs.sFinished[0] = hashes.u.s;
   10339 	PORT_Assert(hashes.len == sizeof hashes.u.s);
   10340 	ss->ssl3.hs.finishedBytes = sizeof hashes.u.s;
   10341 	rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof hashes.u.s);
   10342 	if (rv != SECSuccess)
   10343 	    goto fail; 		/* err set by AppendHandshake. */
   10344 	rv = ssl3_AppendHandshake(ss, &hashes.u.s, sizeof hashes.u.s);
   10345 	if (rv != SECSuccess)
   10346 	    goto fail; 		/* err set by AppendHandshake. */
   10347     }
   10348     rv = ssl3_FlushHandshake(ss, flags);
   10349     if (rv != SECSuccess) {
   10350 	goto fail;	/* error code set by ssl3_FlushHandshake */
   10351     }
   10352 
   10353     ssl3_RecordKeyLog(ss);
   10354 
   10355     return SECSuccess;
   10356 
   10357 fail:
   10358     return rv;
   10359 }
   10360 
   10361 /* wrap the master secret, and put it into the SID.
   10362  * Caller holds the Spec read lock.
   10363  */
   10364 SECStatus
   10365 ssl3_CacheWrappedMasterSecret(sslSocket *ss, sslSessionID *sid,
   10366     ssl3CipherSpec *spec, SSL3KEAType effectiveExchKeyType)
   10367 {
   10368     PK11SymKey *      wrappingKey  = NULL;
   10369     PK11SlotInfo *    symKeySlot;
   10370     void *            pwArg        = ss->pkcs11PinArg;
   10371     SECStatus         rv           = SECFailure;
   10372     PRBool            isServer     = ss->sec.isServer;
   10373     CK_MECHANISM_TYPE mechanism    = CKM_INVALID_MECHANISM;
   10374     symKeySlot = PK11_GetSlotFromKey(spec->master_secret);
   10375     if (!isServer) {
   10376 	int  wrapKeyIndex;
   10377 	int  incarnation;
   10378 
   10379 	/* these next few functions are mere accessors and don't fail. */
   10380 	sid->u.ssl3.masterWrapIndex  = wrapKeyIndex =
   10381 				       PK11_GetCurrentWrapIndex(symKeySlot);
   10382 	PORT_Assert(wrapKeyIndex == 0);	/* array has only one entry! */
   10383 
   10384 	sid->u.ssl3.masterWrapSeries = incarnation =
   10385 				       PK11_GetSlotSeries(symKeySlot);
   10386 	sid->u.ssl3.masterSlotID   = PK11_GetSlotID(symKeySlot);
   10387 	sid->u.ssl3.masterModuleID = PK11_GetModuleID(symKeySlot);
   10388 	sid->u.ssl3.masterValid    = PR_TRUE;
   10389 	/* Get the default wrapping key, for wrapping the master secret before
   10390 	 * placing it in the SID cache entry. */
   10391 	wrappingKey = PK11_GetWrapKey(symKeySlot, wrapKeyIndex,
   10392 				      CKM_INVALID_MECHANISM, incarnation,
   10393 				      pwArg);
   10394 	if (wrappingKey) {
   10395 	    mechanism = PK11_GetMechanism(wrappingKey); /* can't fail. */
   10396 	} else {
   10397 	    int keyLength;
   10398 	    /* if the wrappingKey doesn't exist, attempt to create it.
   10399 	     * Note: we intentionally ignore errors here.  If we cannot
   10400 	     * generate a wrapping key, it is not fatal to this SSL connection,
   10401 	     * but we will not be able to restart this session.
   10402 	     */
   10403 	    mechanism = PK11_GetBestWrapMechanism(symKeySlot);
   10404 	    keyLength = PK11_GetBestKeyLength(symKeySlot, mechanism);
   10405 	    /* Zero length means fixed key length algorithm, or error.
   10406 	     * It's ambiguous.
   10407 	     */
   10408 	    wrappingKey = PK11_KeyGen(symKeySlot, mechanism, NULL,
   10409 				      keyLength, pwArg);
   10410 	    if (wrappingKey) {
   10411 		PK11_SetWrapKey(symKeySlot, wrapKeyIndex, wrappingKey);
   10412 	    }
   10413 	}
   10414     } else {
   10415 	/* server socket using session cache. */
   10416 	mechanism = PK11_GetBestWrapMechanism(symKeySlot);
   10417 	if (mechanism != CKM_INVALID_MECHANISM) {
   10418 	    wrappingKey =
   10419 		getWrappingKey(ss, symKeySlot, effectiveExchKeyType,
   10420 			       mechanism, pwArg);
   10421 	    if (wrappingKey) {
   10422 		mechanism = PK11_GetMechanism(wrappingKey); /* can't fail. */
   10423 	    }
   10424 	}
   10425     }
   10426 
   10427     sid->u.ssl3.masterWrapMech = mechanism;
   10428     PK11_FreeSlot(symKeySlot);
   10429 
   10430     if (wrappingKey) {
   10431 	SECItem wmsItem;
   10432 
   10433 	wmsItem.data = sid->u.ssl3.keys.wrapped_master_secret;
   10434 	wmsItem.len  = sizeof sid->u.ssl3.keys.wrapped_master_secret;
   10435 	rv = PK11_WrapSymKey(mechanism, NULL, wrappingKey,
   10436 			     spec->master_secret, &wmsItem);
   10437 	/* rv is examined below. */
   10438 	sid->u.ssl3.keys.wrapped_master_secret_len = wmsItem.len;
   10439 	PK11_FreeSymKey(wrappingKey);
   10440     }
   10441     return rv;
   10442 }
   10443 
   10444 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
   10445  * ssl3 Finished message from the peer.
   10446  * Caller must hold Handshake and RecvBuf locks.
   10447  */
   10448 static SECStatus
   10449 ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
   10450 		    const SSL3Hashes *hashes)
   10451 {
   10452     sslSessionID *    sid	   = ss->sec.ci.sid;
   10453     SECStatus         rv           = SECSuccess;
   10454     PRBool            isServer     = ss->sec.isServer;
   10455     PRBool            isTLS;
   10456     SSL3KEAType       effectiveExchKeyType;
   10457 
   10458     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
   10459     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
   10460 
   10461     SSL_TRC(3, ("%d: SSL3[%d]: handle finished handshake",
   10462     	SSL_GETPID(), ss->fd));
   10463 
   10464     if (ss->ssl3.hs.ws != wait_finished) {
   10465 	SSL3_SendAlert(ss, alert_fatal, unexpected_message);
   10466     	PORT_SetError(SSL_ERROR_RX_UNEXPECTED_FINISHED);
   10467 	return SECFailure;
   10468     }
   10469 
   10470     isTLS = (PRBool)(ss->ssl3.crSpec->version > SSL_LIBRARY_VERSION_3_0);
   10471     if (isTLS) {
   10472 	TLSFinished tlsFinished;
   10473 
   10474 	if (length != sizeof tlsFinished) {
   10475 	    (void)SSL3_SendAlert(ss, alert_fatal, decode_error);
   10476 	    PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED);
   10477 	    return SECFailure;
   10478 	}
   10479 	rv = ssl3_ComputeTLSFinished(ss->ssl3.crSpec, !isServer,
   10480 	                             hashes, &tlsFinished);
   10481 	if (!isServer)
   10482 	    ss->ssl3.hs.finishedMsgs.tFinished[1] = tlsFinished;
   10483 	else
   10484 	    ss->ssl3.hs.finishedMsgs.tFinished[0] = tlsFinished;
   10485 	ss->ssl3.hs.finishedBytes = sizeof tlsFinished;
   10486 	if (rv != SECSuccess ||
   10487 	    0 != NSS_SecureMemcmp(&tlsFinished, b, length)) {
   10488 	    (void)SSL3_SendAlert(ss, alert_fatal, decrypt_error);
   10489 	    PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
   10490 	    return SECFailure;
   10491 	}
   10492     } else {
   10493 	if (length != sizeof(SSL3Finished)) {
   10494 	    (void)ssl3_IllegalParameter(ss);
   10495 	    PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED);
   10496 	    return SECFailure;
   10497 	}
   10498 
   10499 	if (!isServer)
   10500 	    ss->ssl3.hs.finishedMsgs.sFinished[1] = hashes->u.s;
   10501 	else
   10502 	    ss->ssl3.hs.finishedMsgs.sFinished[0] = hashes->u.s;
   10503 	PORT_Assert(hashes->len == sizeof hashes->u.s);
   10504 	ss->ssl3.hs.finishedBytes = sizeof hashes->u.s;
   10505 	if (0 != NSS_SecureMemcmp(&hashes->u.s, b, length)) {
   10506 	    (void)ssl3_HandshakeFailure(ss);
   10507 	    PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
   10508 	    return SECFailure;
   10509 	}
   10510     }
   10511 
   10512     ssl_GetXmitBufLock(ss);	/*************************************/
   10513 
   10514     if ((isServer && !ss->ssl3.hs.isResuming) ||
   10515 	(!isServer && ss->ssl3.hs.isResuming)) {
   10516 	PRInt32 flags = 0;
   10517 
   10518 	/* Send a NewSessionTicket message if the client sent us
   10519 	 * either an empty session ticket, or one that did not verify.
   10520 	 * (Note that if either of these conditions was met, then the
   10521 	 * server has sent a SessionTicket extension in the
   10522 	 * ServerHello message.)
   10523 	 */
   10524 	if (isServer && !ss->ssl3.hs.isResuming &&
   10525 	    ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn)) {
   10526 	    rv = ssl3_SendNewSessionTicket(ss);
   10527 	    if (rv != SECSuccess) {
   10528 		goto xmit_loser;
   10529 	    }
   10530 	}
   10531 
   10532 	rv = ssl3_SendChangeCipherSpecs(ss);
   10533 	if (rv != SECSuccess) {
   10534 	    goto xmit_loser;	/* err is set. */
   10535 	}
   10536 	/* If this thread is in SSL_SecureSend (trying to write some data)
   10537 	** then set the ssl_SEND_FLAG_FORCE_INTO_BUFFER flag, so that the
   10538 	** last two handshake messages (change cipher spec and finished)
   10539 	** will be sent in the same send/write call as the application data.
   10540 	*/
   10541 	if (ss->writerThread == PR_GetCurrentThread()) {
   10542 	    flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER;
   10543 	}
   10544 
   10545 	if (!isServer) {
   10546 	    if (!ss->firstHsDone) {
   10547 		rv = ssl3_SendNextProto(ss);
   10548 		if (rv != SECSuccess) {
   10549 		    goto xmit_loser; /* err code was set. */
   10550 		}
   10551 	    }
   10552 	    rv = ssl3_SendEncryptedExtensions(ss);
   10553 	    if (rv != SECSuccess)
   10554 		goto xmit_loser; /* err code was set. */
   10555 	}
   10556 
   10557 	if (IS_DTLS(ss)) {
   10558 	    flags |= ssl_SEND_FLAG_NO_RETRANSMIT;
   10559 	}
   10560 
   10561 	rv = ssl3_SendFinished(ss, flags);
   10562 	if (rv != SECSuccess) {
   10563 	    goto xmit_loser;	/* err is set. */
   10564 	}
   10565     }
   10566 
   10567 xmit_loser:
   10568     ssl_ReleaseXmitBufLock(ss);	/*************************************/
   10569     if (rv != SECSuccess) {
   10570         return rv;
   10571     }
   10572 
   10573     ss->gs.writeOffset = 0;
   10574     ss->gs.readOffset  = 0;
   10575 
   10576     if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) {
   10577 	effectiveExchKeyType = kt_rsa;
   10578     } else {
   10579 	effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType;
   10580     }
   10581 
   10582     if (sid->cached == never_cached && !ss->opt.noCache && ss->sec.cache) {
   10583 	/* fill in the sid */
   10584 	sid->u.ssl3.cipherSuite = ss->ssl3.hs.cipher_suite;
   10585 	sid->u.ssl3.compression = ss->ssl3.hs.compression;
   10586 	sid->u.ssl3.policy      = ss->ssl3.policy;
   10587 #ifdef NSS_ENABLE_ECC
   10588 	sid->u.ssl3.negotiatedECCurves = ss->ssl3.hs.negotiatedECCurves;
   10589 #endif
   10590 	sid->u.ssl3.exchKeyType = effectiveExchKeyType;
   10591 	sid->version            = ss->version;
   10592 	sid->authAlgorithm      = ss->sec.authAlgorithm;
   10593 	sid->authKeyBits        = ss->sec.authKeyBits;
   10594 	sid->keaType            = ss->sec.keaType;
   10595 	sid->keaKeyBits         = ss->sec.keaKeyBits;
   10596 	sid->lastAccessTime     = sid->creationTime = ssl_Time();
   10597 	sid->expirationTime     = sid->creationTime + ssl3_sid_timeout;
   10598 	sid->localCert          = CERT_DupCertificate(ss->sec.localCert);
   10599 
   10600 	ssl_GetSpecReadLock(ss);	/*************************************/
   10601 
   10602 	/* Copy the master secret (wrapped or unwrapped) into the sid */
   10603 	if (ss->ssl3.crSpec->msItem.len && ss->ssl3.crSpec->msItem.data) {
   10604 	    sid->u.ssl3.keys.wrapped_master_secret_len =
   10605 			    ss->ssl3.crSpec->msItem.len;
   10606 	    memcpy(sid->u.ssl3.keys.wrapped_master_secret,
   10607 		   ss->ssl3.crSpec->msItem.data, ss->ssl3.crSpec->msItem.len);
   10608 	    sid->u.ssl3.masterValid    = PR_TRUE;
   10609 	    sid->u.ssl3.keys.msIsWrapped = PR_FALSE;
   10610 	    rv = SECSuccess;
   10611 	} else {
   10612 	    rv = ssl3_CacheWrappedMasterSecret(ss, ss->sec.ci.sid,
   10613 					       ss->ssl3.crSpec,
   10614 					       effectiveExchKeyType);
   10615 	    sid->u.ssl3.keys.msIsWrapped = PR_TRUE;
   10616 	}
   10617 	ssl_ReleaseSpecReadLock(ss);  /*************************************/
   10618 
   10619 	/* If the wrap failed, we don't cache the sid.
   10620 	 * The connection continues normally however.
   10621 	 */
   10622 	ss->ssl3.hs.cacheSID = rv == SECSuccess;
   10623     }
   10624 
   10625     if (ss->ssl3.hs.authCertificatePending) {
   10626 	if (ss->ssl3.hs.restartTarget) {
   10627 	    PR_NOT_REACHED("ssl3_HandleFinished: unexpected restartTarget");
   10628 	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
   10629 	    return SECFailure;
   10630 	}
   10631 
   10632 	ss->ssl3.hs.restartTarget = ssl3_FinishHandshake;
   10633 	return SECWouldBlock;
   10634     }
   10635 
   10636     rv = ssl3_FinishHandshake(ss);
   10637     return rv;
   10638 }
   10639 
   10640 SECStatus
   10641 ssl3_FinishHandshake(sslSocket * ss)
   10642 {
   10643     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
   10644     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
   10645     PORT_Assert( ss->ssl3.hs.restartTarget == NULL );
   10646 
   10647     /* The first handshake is now completed. */
   10648     ss->handshake           = NULL;
   10649     ss->firstHsDone         = PR_TRUE;
   10650 
   10651     if (ss->ssl3.hs.cacheSID) {
   10652 	(*ss->sec.cache)(ss->sec.ci.sid);
   10653 	ss->ssl3.hs.cacheSID = PR_FALSE;
   10654     }
   10655 
   10656     ss->ssl3.hs.ws = idle_handshake;
   10657 
   10658     /* Do the handshake callback for sslv3 here, if we cannot false start. */
   10659     if (ss->handshakeCallback != NULL && !ssl3_CanFalseStart(ss)) {
   10660 	(ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
   10661     }
   10662 
   10663     return SECSuccess;
   10664 }
   10665 
   10666 /* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3
   10667  * hanshake message.
   10668  * Caller must hold Handshake and RecvBuf locks.
   10669  */
   10670 SECStatus
   10671 ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
   10672 {
   10673     SECStatus         rv 	= SECSuccess;
   10674     SSL3HandshakeType type 	= ss->ssl3.hs.msg_type;
   10675     SSL3Hashes        hashes;	/* computed hashes are put here. */
   10676     PRUint8           hdr[4];
   10677     PRUint8           dtlsData[8];
   10678 
   10679     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
   10680     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
   10681     /*
   10682      * We have to compute the hashes before we update them with the
   10683      * current message.
   10684      */
   10685     ssl_GetSpecReadLock(ss);	/************************************/
   10686     if((type == finished) || (type == certificate_verify)) {
   10687 	SSL3Sender      sender = (SSL3Sender)0;
   10688 	ssl3CipherSpec *rSpec  = ss->ssl3.prSpec;
   10689 
   10690 	if (type == finished) {
   10691 	    sender = ss->sec.isServer ? sender_client : sender_server;
   10692 	    rSpec  = ss->ssl3.crSpec;
   10693 	}
   10694 	rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender);
   10695     }
   10696     ssl_ReleaseSpecReadLock(ss); /************************************/
   10697     if (rv != SECSuccess) {
   10698 	return rv;	/* error code was set by ssl3_ComputeHandshakeHashes*/
   10699     }
   10700     SSL_TRC(30,("%d: SSL3[%d]: handle handshake message: %s", SSL_GETPID(),
   10701 		ss->fd, ssl3_DecodeHandshakeType(ss->ssl3.hs.msg_type)));
   10702 
   10703     hdr[0] = (PRUint8)ss->ssl3.hs.msg_type;
   10704     hdr[1] = (PRUint8)(length >> 16);
   10705     hdr[2] = (PRUint8)(length >>  8);
   10706     hdr[3] = (PRUint8)(length      );
   10707 
   10708     /* Start new handshake hashes when we start a new handshake */
   10709     if (ss->ssl3.hs.msg_type == client_hello) {
   10710 	rv = ssl3_RestartHandshakeHashes(ss);
   10711 	if (rv != SECSuccess) {
   10712 	    return rv;
   10713 	}
   10714     }
   10715     /* We should not include hello_request and hello_verify_request messages
   10716      * in the handshake hashes */
   10717     if ((ss->ssl3.hs.msg_type != hello_request) &&
   10718 	(ss->ssl3.hs.msg_type != hello_verify_request)) {
   10719 	rv = ssl3_UpdateHandshakeHashes(ss, (unsigned char*) hdr, 4);
   10720 	if (rv != SECSuccess) return rv;	/* err code already set. */
   10721 
   10722 	/* Extra data to simulate a complete DTLS handshake fragment */
   10723 	if (IS_DTLS(ss)) {
   10724 	    /* Sequence number */
   10725 	    dtlsData[0] = MSB(ss->ssl3.hs.recvMessageSeq);
   10726 	    dtlsData[1] = LSB(ss->ssl3.hs.recvMessageSeq);
   10727 
   10728 	    /* Fragment offset */
   10729 	    dtlsData[2] = 0;
   10730 	    dtlsData[3] = 0;
   10731 	    dtlsData[4] = 0;
   10732 
   10733 	    /* Fragment length */
   10734 	    dtlsData[5] = (PRUint8)(length >> 16);
   10735 	    dtlsData[6] = (PRUint8)(length >>  8);
   10736 	    dtlsData[7] = (PRUint8)(length      );
   10737 
   10738 	    rv = ssl3_UpdateHandshakeHashes(ss, (unsigned char*) dtlsData,
   10739 					    sizeof(dtlsData));
   10740 	    if (rv != SECSuccess) return rv;	/* err code already set. */
   10741 	}
   10742 
   10743 	/* The message body */
   10744 	rv = ssl3_UpdateHandshakeHashes(ss, b, length);
   10745 	if (rv != SECSuccess) return rv;	/* err code already set. */
   10746     }
   10747 
   10748     PORT_SetError(0);	/* each message starts with no error. */
   10749 
   10750     if (ss->ssl3.hs.ws == wait_certificate_status &&
   10751         ss->ssl3.hs.msg_type != certificate_status) {
   10752         /* If we negotiated the certificate_status extension then we deferred
   10753          * certificate validation until we get the CertificateStatus messsage.
   10754          * But the CertificateStatus message is optional. If the server did
   10755          * not send it then we need to validate the certificate now. If the
   10756          * server does send the CertificateStatus message then we will
   10757          * authenticate the certificate in ssl3_HandleCertificateStatus.
   10758          */
   10759         rv = ssl3_AuthCertificate(ss); /* sets ss->ssl3.hs.ws */
   10760         PORT_Assert(rv != SECWouldBlock);
   10761         if (rv != SECSuccess) {
   10762             return rv;
   10763         }
   10764     }
   10765 
   10766     switch (ss->ssl3.hs.msg_type) {
   10767     case hello_request:
   10768 	if (length != 0) {
   10769 	    (void)ssl3_DecodeError(ss);
   10770 	    PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_REQUEST);
   10771 	    return SECFailure;
   10772 	}
   10773 	if (ss->sec.isServer) {
   10774 	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
   10775 	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST);
   10776 	    return SECFailure;
   10777 	}
   10778 	rv = ssl3_HandleHelloRequest(ss);
   10779 	break;
   10780     case client_hello:
   10781 	if (!ss->sec.isServer) {
   10782 	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
   10783 	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO);
   10784 	    return SECFailure;
   10785 	}
   10786 	rv = ssl3_HandleClientHello(ss, b, length);
   10787 	break;
   10788     case server_hello:
   10789 	if (ss->sec.isServer) {
   10790 	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
   10791 	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO);
   10792 	    return SECFailure;
   10793 	}
   10794 	rv = ssl3_HandleServerHello(ss, b, length);
   10795 	break;
   10796     case hello_verify_request:
   10797 	if (!IS_DTLS(ss) || ss->sec.isServer) {
   10798 	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
   10799 	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY_REQUEST);
   10800 	    return SECFailure;
   10801 	}
   10802 	rv = dtls_HandleHelloVerifyRequest(ss, b, length);
   10803 	break;
   10804     case certificate:
   10805 	rv = ssl3_HandleCertificate(ss, b, length);
   10806 	break;
   10807     case certificate_status:
   10808 	rv = ssl3_HandleCertificateStatus(ss, b, length);
   10809 	break;
   10810     case server_key_exchange:
   10811 	if (ss->sec.isServer) {
   10812 	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
   10813 	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH);
   10814 	    return SECFailure;
   10815 	}
   10816 	rv = ssl3_HandleServerKeyExchange(ss, b, length);
   10817 	break;
   10818     case certificate_request:
   10819 	if (ss->sec.isServer) {
   10820 	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
   10821 	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST);
   10822 	    return SECFailure;
   10823 	}
   10824 	rv = ssl3_HandleCertificateRequest(ss, b, length);
   10825 	break;
   10826     case server_hello_done:
   10827 	if (length != 0) {
   10828 	    (void)ssl3_DecodeError(ss);
   10829 	    PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_DONE);
   10830 	    return SECFailure;
   10831 	}
   10832 	if (ss->sec.isServer) {
   10833 	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
   10834 	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
   10835 	    return SECFailure;
   10836 	}
   10837 	rv = ssl3_HandleServerHelloDone(ss);
   10838 	break;
   10839     case certificate_verify:
   10840 	if (!ss->sec.isServer) {
   10841 	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
   10842 	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY);
   10843 	    return SECFailure;
   10844 	}
   10845 	rv = ssl3_HandleCertificateVerify(ss, b, length, &hashes);
   10846 	break;
   10847     case client_key_exchange:
   10848 	if (!ss->sec.isServer) {
   10849 	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
   10850 	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH);
   10851 	    return SECFailure;
   10852 	}
   10853 	rv = ssl3_HandleClientKeyExchange(ss, b, length);
   10854 	break;
   10855     case new_session_ticket:
   10856 	if (ss->sec.isServer) {
   10857 	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
   10858 	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET);
   10859 	    return SECFailure;
   10860 	}
   10861 	rv = ssl3_HandleNewSessionTicket(ss, b, length);
   10862 	break;
   10863     case finished:
   10864         rv = ssl3_HandleFinished(ss, b, length, &hashes);
   10865 	break;
   10866     default:
   10867 	(void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
   10868 	PORT_SetError(SSL_ERROR_RX_UNKNOWN_HANDSHAKE);
   10869 	rv = SECFailure;
   10870     }
   10871 
   10872     if (IS_DTLS(ss) && (rv != SECFailure)) {
   10873 	/* Increment the expected sequence number */
   10874 	ss->ssl3.hs.recvMessageSeq++;
   10875     }
   10876 
   10877     return rv;
   10878 }
   10879 
   10880 /* Called only from ssl3_HandleRecord, for each (deciphered) ssl3 record.
   10881  * origBuf is the decrypted ssl record content.
   10882  * Caller must hold the handshake and RecvBuf locks.
   10883  */
   10884 static SECStatus
   10885 ssl3_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)
   10886 {
   10887     /*
   10888      * There may be a partial handshake message already in the handshake
   10889      * state. The incoming buffer may contain another portion, or a
   10890      * complete message or several messages followed by another portion.
   10891      *
   10892      * Each message is made contiguous before being passed to the actual
   10893      * message parser.
   10894      */
   10895     sslBuffer *buf = &ss->ssl3.hs.msgState; /* do not lose the original buffer pointer */
   10896     SECStatus rv;
   10897 
   10898     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
   10899     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
   10900 
   10901     if (buf->buf == NULL) {
   10902 	*buf = *origBuf;
   10903     }
   10904     while (buf->len > 0) {
   10905 	if (ss->ssl3.hs.header_bytes < 4) {
   10906 	    PRUint8 t;
   10907 	    t = *(buf->buf++);
   10908 	    buf->len--;
   10909 	    if (ss->ssl3.hs.header_bytes++ == 0)
   10910 		ss->ssl3.hs.msg_type = (SSL3HandshakeType)t;
   10911 	    else
   10912 		ss->ssl3.hs.msg_len = (ss->ssl3.hs.msg_len << 8) + t;
   10913 	    if (ss->ssl3.hs.header_bytes < 4)
   10914 	    	continue;
   10915 
   10916 #define MAX_HANDSHAKE_MSG_LEN 0x1ffff	/* 128k - 1 */
   10917 	    if (ss->ssl3.hs.msg_len > MAX_HANDSHAKE_MSG_LEN) {
   10918 		(void)ssl3_DecodeError(ss);
   10919 		PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
   10920 		return SECFailure;
   10921 	    }
   10922 #undef MAX_HANDSHAKE_MSG_LEN
   10923 
   10924 	    /* If msg_len is zero, be sure we fall through,
   10925 	    ** even if buf->len is zero.
   10926 	    */
   10927 	    if (ss->ssl3.hs.msg_len > 0)
   10928 	    	continue;
   10929 	}
   10930 
   10931 	/*
   10932 	 * Header has been gathered and there is at least one byte of new
   10933 	 * data available for this message. If it can be done right out
   10934 	 * of the original buffer, then use it from there.
   10935 	 */
   10936 	if (ss->ssl3.hs.msg_body.len == 0 && buf->len >= ss->ssl3.hs.msg_len) {
   10937 	    /* handle it from input buffer */
   10938 	    rv = ssl3_HandleHandshakeMessage(ss, buf->buf, ss->ssl3.hs.msg_len);
   10939 	    if (rv == SECFailure) {
   10940 		/* This test wants to fall through on either
   10941 		 * SECSuccess or SECWouldBlock.
   10942 		 * ssl3_HandleHandshakeMessage MUST set the error code.
   10943 		 */
   10944 		return rv;
   10945 	    }
   10946 	    buf->buf += ss->ssl3.hs.msg_len;
   10947 	    buf->len -= ss->ssl3.hs.msg_len;
   10948 	    ss->ssl3.hs.msg_len = 0;
   10949 	    ss->ssl3.hs.header_bytes = 0;
   10950 	    if (rv != SECSuccess) { /* return if SECWouldBlock. */
   10951 		return rv;
   10952 	    }
   10953 	} else {
   10954 	    /* must be copied to msg_body and dealt with from there */
   10955 	    unsigned int bytes;
   10956 
   10957 	    PORT_Assert(ss->ssl3.hs.msg_body.len < ss->ssl3.hs.msg_len);
   10958 	    bytes = PR_MIN(buf->len, ss->ssl3.hs.msg_len - ss->ssl3.hs.msg_body.len);
   10959 
   10960 	    /* Grow the buffer if needed */
   10961 	    rv = sslBuffer_Grow(&ss->ssl3.hs.msg_body, ss->ssl3.hs.msg_len);
   10962 	    if (rv != SECSuccess) {
   10963 		/* sslBuffer_Grow has set a memory error code. */
   10964 		return SECFailure;
   10965 	    }
   10966 
   10967 	    PORT_Memcpy(ss->ssl3.hs.msg_body.buf + ss->ssl3.hs.msg_body.len,
   10968 		        buf->buf, bytes);
   10969 	    ss->ssl3.hs.msg_body.len += bytes;
   10970 	    buf->buf += bytes;
   10971 	    buf->len -= bytes;
   10972 
   10973 	    PORT_Assert(ss->ssl3.hs.msg_body.len <= ss->ssl3.hs.msg_len);
   10974 
   10975 	    /* if we have a whole message, do it */
   10976 	    if (ss->ssl3.hs.msg_body.len == ss->ssl3.hs.msg_len) {
   10977 		rv = ssl3_HandleHandshakeMessage(
   10978 		    ss, ss->ssl3.hs.msg_body.buf, ss->ssl3.hs.msg_len);
   10979 		if (rv == SECFailure) {
   10980 		    /* This test wants to fall through on either
   10981 		     * SECSuccess or SECWouldBlock.
   10982 		     * ssl3_HandleHandshakeMessage MUST set error code.
   10983 		     */
   10984 		    return rv;
   10985 		}
   10986 		ss->ssl3.hs.msg_body.len = 0;
   10987 		ss->ssl3.hs.msg_len = 0;
   10988 		ss->ssl3.hs.header_bytes = 0;
   10989 		if (rv != SECSuccess) { /* return if SECWouldBlock. */
   10990 		    return rv;
   10991 		}
   10992 	    } else {
   10993 		PORT_Assert(buf->len == 0);
   10994 		break;
   10995 	    }
   10996 	}
   10997     }	/* end loop */
   10998 
   10999     origBuf->len = 0;	/* So ssl3_GatherAppDataRecord will keep looping. */
   11000     buf->buf = NULL;	/* not a leak. */
   11001     return SECSuccess;
   11002 }
   11003 
   11004 /* These macros return the given value with the MSB copied to all the other
   11005  * bits. They use the fact that arithmetic shift shifts-in the sign bit.
   11006  * However, this is not ensured by the C standard so you may need to replace
   11007  * them with something else for odd compilers. */
   11008 #define DUPLICATE_MSB_TO_ALL(x) ( (unsigned)( (int)(x) >> (sizeof(int)*8-1) ) )
   11009 #define DUPLICATE_MSB_TO_ALL_8(x) ((unsigned char)(DUPLICATE_MSB_TO_ALL(x)))
   11010 
   11011 /* SECStatusToMask returns, in constant time, a mask value of all ones if
   11012  * rv == SECSuccess.  Otherwise it returns zero. */
   11013 static unsigned int
   11014 SECStatusToMask(SECStatus rv)
   11015 {
   11016     unsigned int good;
   11017     /* rv ^ SECSuccess is zero iff rv == SECSuccess. Subtracting one results
   11018      * in the MSB being set to one iff it was zero before. */
   11019     good = rv ^ SECSuccess;
   11020     good--;
   11021     return DUPLICATE_MSB_TO_ALL(good);
   11022 }
   11023 
   11024 /* ssl_ConstantTimeGE returns 0xff if a>=b and 0x00 otherwise. */
   11025 static unsigned char
   11026 ssl_ConstantTimeGE(unsigned int a, unsigned int b)
   11027 {
   11028     a -= b;
   11029     return DUPLICATE_MSB_TO_ALL(~a);
   11030 }
   11031 
   11032 /* ssl_ConstantTimeEQ8 returns 0xff if a==b and 0x00 otherwise. */
   11033 static unsigned char
   11034 ssl_ConstantTimeEQ8(unsigned char a, unsigned char b)
   11035 {
   11036     unsigned int c = a ^ b;
   11037     c--;
   11038     return DUPLICATE_MSB_TO_ALL_8(c);
   11039 }
   11040 
   11041 static SECStatus
   11042 ssl_RemoveSSLv3CBCPadding(sslBuffer *plaintext,
   11043 			  unsigned int blockSize,
   11044 			  unsigned int macSize)
   11045 {
   11046     unsigned int paddingLength, good, t;
   11047     const unsigned int overhead = 1 /* padding length byte */ + macSize;
   11048 
   11049     /* These lengths are all public so we can test them in non-constant
   11050      * time. */
   11051     if (overhead > plaintext->len) {
   11052 	return SECFailure;
   11053     }
   11054 
   11055     paddingLength = plaintext->buf[plaintext->len-1];
   11056     /* SSLv3 padding bytes are random and cannot be checked. */
   11057     t = plaintext->len;
   11058     t -= paddingLength+overhead;
   11059     /* If len >= paddingLength+overhead then the MSB of t is zero. */
   11060     good = DUPLICATE_MSB_TO_ALL(~t);
   11061     /* SSLv3 requires that the padding is minimal. */
   11062     t = blockSize - (paddingLength+1);
   11063     good &= DUPLICATE_MSB_TO_ALL(~t);
   11064     plaintext->len -= good & (paddingLength+1);
   11065     return (good & SECSuccess) | (~good & SECFailure);
   11066 }
   11067 
   11068 static SECStatus
   11069 ssl_RemoveTLSCBCPadding(sslBuffer *plaintext, unsigned int macSize)
   11070 {
   11071     unsigned int paddingLength, good, t, toCheck, i;
   11072     const unsigned int overhead = 1 /* padding length byte */ + macSize;
   11073 
   11074     /* These lengths are all public so we can test them in non-constant
   11075      * time. */
   11076     if (overhead > plaintext->len) {
   11077 	return SECFailure;
   11078     }
   11079 
   11080     paddingLength = plaintext->buf[plaintext->len-1];
   11081     t = plaintext->len;
   11082     t -= paddingLength+overhead;
   11083     /* If len >= paddingLength+overhead then the MSB of t is zero. */
   11084     good = DUPLICATE_MSB_TO_ALL(~t);
   11085 
   11086     /* The padding consists of a length byte at the end of the record and then
   11087      * that many bytes of padding, all with the same value as the length byte.
   11088      * Thus, with the length byte included, there are paddingLength+1 bytes of
   11089      * padding.
   11090      *
   11091      * We can't check just |paddingLength+1| bytes because that leaks
   11092      * decrypted information. Therefore we always have to check the maximum
   11093      * amount of padding possible. (Again, the length of the record is
   11094      * public information so we can use it.) */
   11095     toCheck = 255; /* maximum amount of padding. */
   11096     if (toCheck > plaintext->len-1) {
   11097 	toCheck = plaintext->len-1;
   11098     }
   11099 
   11100     for (i = 0; i < toCheck; i++) {
   11101 	unsigned int t = paddingLength - i;
   11102 	/* If i <= paddingLength then the MSB of t is zero and mask is
   11103 	 * 0xff.  Otherwise, mask is 0. */
   11104 	unsigned char mask = DUPLICATE_MSB_TO_ALL(~t);
   11105 	unsigned char b = plaintext->buf[plaintext->len-1-i];
   11106 	/* The final |paddingLength+1| bytes should all have the value
   11107 	 * |paddingLength|. Therefore the XOR should be zero. */
   11108 	good &= ~(mask&(paddingLength ^ b));
   11109     }
   11110 
   11111     /* If any of the final |paddingLength+1| bytes had the wrong value,
   11112      * one or more of the lower eight bits of |good| will be cleared. We
   11113      * AND the bottom 8 bits together and duplicate the result to all the
   11114      * bits. */
   11115     good &= good >> 4;
   11116     good &= good >> 2;
   11117     good &= good >> 1;
   11118     good <<= sizeof(good)*8-1;
   11119     good = DUPLICATE_MSB_TO_ALL(good);
   11120 
   11121     plaintext->len -= good & (paddingLength+1);
   11122     return (good & SECSuccess) | (~good & SECFailure);
   11123 }
   11124 
   11125 /* On entry:
   11126  *   originalLength >= macSize
   11127  *   macSize <= MAX_MAC_LENGTH
   11128  *   plaintext->len >= macSize
   11129  */
   11130 static void
   11131 ssl_CBCExtractMAC(sslBuffer *plaintext,
   11132 		  unsigned int originalLength,
   11133 		  SSL3Opaque* out,
   11134 		  unsigned int macSize)
   11135 {
   11136     unsigned char rotatedMac[MAX_MAC_LENGTH];
   11137     /* macEnd is the index of |plaintext->buf| just after the end of the
   11138      * MAC. */
   11139     unsigned macEnd = plaintext->len;
   11140     unsigned macStart = macEnd - macSize;
   11141     /* scanStart contains the number of bytes that we can ignore because
   11142      * the MAC's position can only vary by 255 bytes. */
   11143     unsigned scanStart = 0;
   11144     unsigned i, j, divSpoiler;
   11145     unsigned char rotateOffset;
   11146 
   11147     if (originalLength > macSize + 255 + 1)
   11148 	scanStart = originalLength - (macSize + 255 + 1);
   11149 
   11150     /* divSpoiler contains a multiple of macSize that is used to cause the
   11151      * modulo operation to be constant time. Without this, the time varies
   11152      * based on the amount of padding when running on Intel chips at least.
   11153      *
   11154      * The aim of right-shifting macSize is so that the compiler doesn't
   11155      * figure out that it can remove divSpoiler as that would require it
   11156      * to prove that macSize is always even, which I hope is beyond it. */
   11157     divSpoiler = macSize >> 1;
   11158     divSpoiler <<= (sizeof(divSpoiler)-1)*8;
   11159     rotateOffset = (divSpoiler + macStart - scanStart) % macSize;
   11160 
   11161     memset(rotatedMac, 0, macSize);
   11162     for (i = scanStart; i < originalLength;) {
   11163 	for (j = 0; j < macSize && i < originalLength; i++, j++) {
   11164 	    unsigned char macStarted = ssl_ConstantTimeGE(i, macStart);
   11165 	    unsigned char macEnded = ssl_ConstantTimeGE(i, macEnd);
   11166 	    unsigned char b = 0;
   11167 	    b = plaintext->buf[i];
   11168 	    rotatedMac[j] |= b & macStarted & ~macEnded;
   11169 	}
   11170     }
   11171 
   11172     /* Now rotate the MAC. If we knew that the MAC fit into a CPU cache line
   11173      * we could line-align |rotatedMac| and rotate in place. */
   11174     memset(out, 0, macSize);
   11175     for (i = 0; i < macSize; i++) {
   11176 	unsigned char offset =
   11177 	    (divSpoiler + macSize - rotateOffset + i) % macSize;
   11178 	for (j = 0; j < macSize; j++) {
   11179 	    out[j] |= rotatedMac[i] & ssl_ConstantTimeEQ8(j, offset);
   11180 	}
   11181     }
   11182 }
   11183 
   11184 /* if cText is non-null, then decipher, check MAC, and decompress the
   11185  * SSL record from cText->buf (typically gs->inbuf)
   11186  * into databuf (typically gs->buf), and any previous contents of databuf
   11187  * is lost.  Then handle databuf according to its SSL record type,
   11188  * unless it's an application record.
   11189  *
   11190  * If cText is NULL, then the ciphertext has previously been deciphered and
   11191  * checked, and is already sitting in databuf.  It is processed as an SSL
   11192  * Handshake message.
   11193  *
   11194  * DOES NOT process the decrypted/decompressed application data.
   11195  * On return, databuf contains the decrypted/decompressed record.
   11196  *
   11197  * Called from ssl3_GatherCompleteHandshake
   11198  *             ssl3_RestartHandshakeAfterCertReq
   11199  *
   11200  * Caller must hold the RecvBufLock.
   11201  *
   11202  * This function aquires and releases the SSL3Handshake Lock, holding the
   11203  * lock around any calls to functions that handle records other than
   11204  * Application Data records.
   11205  */
   11206 SECStatus
   11207 ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf)
   11208 {
   11209     const ssl3BulkCipherDef *cipher_def;
   11210     ssl3CipherSpec *     crSpec;
   11211     SECStatus            rv;
   11212     unsigned int         hashBytes = MAX_MAC_LENGTH + 1;
   11213     PRBool               isTLS;
   11214     SSL3ContentType      rType;
   11215     SSL3Opaque           hash[MAX_MAC_LENGTH];
   11216     SSL3Opaque           givenHashBuf[MAX_MAC_LENGTH];
   11217     SSL3Opaque          *givenHash;
   11218     sslBuffer           *plaintext;
   11219     sslBuffer            temp_buf;
   11220     PRUint64             dtls_seq_num;
   11221     unsigned int         ivLen = 0;
   11222     unsigned int         originalLen = 0;
   11223     unsigned int         good;
   11224     unsigned int         minLength;
   11225 
   11226     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
   11227 
   11228     if (!ss->ssl3.initialized) {
   11229 	ssl_GetSSL3HandshakeLock(ss);
   11230 	rv = ssl3_InitState(ss);
   11231 	ssl_ReleaseSSL3HandshakeLock(ss);
   11232 	if (rv != SECSuccess) {
   11233 	    return rv;		/* ssl3_InitState has set the error code. */
   11234     	}
   11235     }
   11236 
   11237     /* check for Token Presence */
   11238     if (!ssl3_ClientAuthTokenPresent(ss->sec.ci.sid)) {
   11239 	PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
   11240 	return SECFailure;
   11241     }
   11242 
   11243     /* cText is NULL when we're called from ssl3_RestartHandshakeAfterXXX().
   11244      * This implies that databuf holds a previously deciphered SSL Handshake
   11245      * message.
   11246      */
   11247     if (cText == NULL) {
   11248 	SSL_DBG(("%d: SSL3[%d]: HandleRecord, resuming handshake",
   11249 		 SSL_GETPID(), ss->fd));
   11250 	rType = content_handshake;
   11251 	goto process_it;
   11252     }
   11253 
   11254     ssl_GetSpecReadLock(ss); /******************************************/
   11255 
   11256     crSpec = ss->ssl3.crSpec;
   11257     cipher_def = crSpec->cipher_def;
   11258 
   11259     /*
   11260      * DTLS relevance checks:
   11261      * Note that this code currently ignores all out-of-epoch packets,
   11262      * which means we lose some in the case of rehandshake +
   11263      * loss/reordering. Since DTLS is explicitly unreliable, this
   11264      * seems like a good tradeoff for implementation effort and is
   11265      * consistent with the guidance of RFC 6347 Sections 4.1 and 4.2.4.1
   11266      */
   11267     if (IS_DTLS(ss)) {
   11268 	DTLSEpoch epoch = (cText->seq_num.high >> 16) & 0xffff;
   11269 
   11270 	if (crSpec->epoch != epoch) {
   11271 	    ssl_ReleaseSpecReadLock(ss);
   11272 	    SSL_DBG(("%d: SSL3[%d]: HandleRecord, received packet "
   11273 		     "from irrelevant epoch %d", SSL_GETPID(), ss->fd, epoch));
   11274 	    /* Silently drop the packet */
   11275             databuf->len = 0; /* Needed to ensure data not left around */
   11276 	    return SECSuccess;
   11277 	}
   11278 
   11279 	dtls_seq_num = (((PRUint64)(cText->seq_num.high & 0xffff)) << 32) |
   11280 			((PRUint64)cText->seq_num.low);
   11281 
   11282 	if (dtls_RecordGetRecvd(&crSpec->recvdRecords, dtls_seq_num) != 0) {
   11283 	    ssl_ReleaseSpecReadLock(ss);
   11284 	    SSL_DBG(("%d: SSL3[%d]: HandleRecord, rejecting "
   11285 		     "potentially replayed packet", SSL_GETPID(), ss->fd));
   11286 	    /* Silently drop the packet */
   11287             databuf->len = 0; /* Needed to ensure data not left around */
   11288 	    return SECSuccess;
   11289 	}
   11290     }
   11291 
   11292     good = ~0U;
   11293     minLength = crSpec->mac_size;
   11294     if (cipher_def->type == type_block) {
   11295 	/* CBC records have a padding length byte at the end. */
   11296 	minLength++;
   11297 	if (crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) {
   11298 	    /* With >= TLS 1.1, CBC records have an explicit IV. */
   11299 	    minLength += cipher_def->iv_size;
   11300 	}
   11301     }
   11302 
   11303     /* We can perform this test in variable time because the record's total
   11304      * length and the ciphersuite are both public knowledge. */
   11305     if (cText->buf->len < minLength) {
   11306         goto decrypt_loser;
   11307     }
   11308 
   11309     if (cipher_def->type == type_block &&
   11310 	crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) {
   11311 	/* Consume the per-record explicit IV. RFC 4346 Section 6.2.3.2 states
   11312 	 * "The receiver decrypts the entire GenericBlockCipher structure and
   11313 	 * then discards the first cipher block corresponding to the IV
   11314 	 * component." Instead, we decrypt the first cipher block and then
   11315 	 * discard it before decrypting the rest.
   11316 	 */
   11317 	SSL3Opaque iv[MAX_IV_LENGTH];
   11318 	int decoded;
   11319 
   11320 	ivLen = cipher_def->iv_size;
   11321 	if (ivLen < 8 || ivLen > sizeof(iv)) {
   11322 	    ssl_ReleaseSpecReadLock(ss);
   11323 	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
   11324 	    return SECFailure;
   11325 	}
   11326 
   11327 	PRINT_BUF(80, (ss, "IV (ciphertext):", cText->buf->buf, ivLen));
   11328 
   11329 	/* The decryption result is garbage, but since we just throw away
   11330 	 * the block it doesn't matter.  The decryption of the next block
   11331 	 * depends only on the ciphertext of the IV block.
   11332 	 */
   11333 	rv = crSpec->decode(crSpec->decodeContext, iv, &decoded,
   11334 			    sizeof(iv), cText->buf->buf, ivLen);
   11335 
   11336 	good &= SECStatusToMask(rv);
   11337     }
   11338 
   11339     /* If we will be decompressing the buffer we need to decrypt somewhere
   11340      * other than into databuf */
   11341     if (crSpec->decompressor) {
   11342 	temp_buf.buf = NULL;
   11343 	temp_buf.space = 0;
   11344 	plaintext = &temp_buf;
   11345     } else {
   11346 	plaintext = databuf;
   11347     }
   11348 
   11349     plaintext->len = 0; /* filled in by decode call below. */
   11350     if (plaintext->space < MAX_FRAGMENT_LENGTH) {
   11351 	rv = sslBuffer_Grow(plaintext, MAX_FRAGMENT_LENGTH + 2048);
   11352 	if (rv != SECSuccess) {
   11353 	    ssl_ReleaseSpecReadLock(ss);
   11354 	    SSL_DBG(("%d: SSL3[%d]: HandleRecord, tried to get %d bytes",
   11355 		     SSL_GETPID(), ss->fd, MAX_FRAGMENT_LENGTH + 2048));
   11356 	    /* sslBuffer_Grow has set a memory error code. */
   11357 	    /* Perhaps we should send an alert. (but we have no memory!) */
   11358 	    return SECFailure;
   11359 	}
   11360     }
   11361 
   11362     PRINT_BUF(80, (ss, "ciphertext:", cText->buf->buf + ivLen,
   11363 				      cText->buf->len - ivLen));
   11364 
   11365     isTLS = (PRBool)(crSpec->version > SSL_LIBRARY_VERSION_3_0);
   11366 
   11367     if (isTLS && cText->buf->len - ivLen > (MAX_FRAGMENT_LENGTH + 2048)) {
   11368 	ssl_ReleaseSpecReadLock(ss);
   11369 	SSL3_SendAlert(ss, alert_fatal, record_overflow);
   11370 	PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
   11371 	return SECFailure;
   11372     }
   11373 
   11374     if (cipher_def->type == type_block &&
   11375 	((cText->buf->len - ivLen) % cipher_def->block_size) != 0) {
   11376 	goto decrypt_loser;
   11377     }
   11378 
   11379     /* decrypt from cText buf to plaintext. */
   11380     rv = crSpec->decode(
   11381 	crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len,
   11382 	plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen);
   11383     if (rv != SECSuccess) {
   11384 	goto decrypt_loser;
   11385     }
   11386 
   11387     PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len));
   11388 
   11389     originalLen = plaintext->len;
   11390 
   11391     /* If it's a block cipher, check and strip the padding. */
   11392     if (cipher_def->type == type_block) {
   11393 	const unsigned int blockSize = cipher_def->block_size;
   11394 	const unsigned int macSize = crSpec->mac_size;
   11395 
   11396 	if (crSpec->version <= SSL_LIBRARY_VERSION_3_0) {
   11397 	    good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding(
   11398 			plaintext, blockSize, macSize));
   11399 	} else {
   11400 	    good &= SECStatusToMask(ssl_RemoveTLSCBCPadding(
   11401 			plaintext, macSize));
   11402 	}
   11403     }
   11404 
   11405     /* compute the MAC */
   11406     rType = cText->type;
   11407     if (cipher_def->type == type_block) {
   11408 	rv = ssl3_ComputeRecordMACConstantTime(
   11409 	    crSpec, (PRBool)(!ss->sec.isServer),
   11410 	    IS_DTLS(ss), rType, cText->version,
   11411 	    IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
   11412 	    plaintext->buf, plaintext->len, originalLen,
   11413 	    hash, &hashBytes);
   11414 
   11415 	ssl_CBCExtractMAC(plaintext, originalLen, givenHashBuf,
   11416 			  crSpec->mac_size);
   11417 	givenHash = givenHashBuf;
   11418 
   11419 	/* plaintext->len will always have enough space to remove the MAC
   11420 	 * because in ssl_Remove{SSLv3|TLS}CBCPadding we only adjust
   11421 	 * plaintext->len if the result has enough space for the MAC and we
   11422 	 * tested the unadjusted size against minLength, above. */
   11423 	plaintext->len -= crSpec->mac_size;
   11424     } else {
   11425 	/* This is safe because we checked the minLength above. */
   11426 	plaintext->len -= crSpec->mac_size;
   11427 
   11428 	rv = ssl3_ComputeRecordMAC(
   11429 	    crSpec, (PRBool)(!ss->sec.isServer),
   11430 	    IS_DTLS(ss), rType, cText->version,
   11431 	    IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
   11432 	    plaintext->buf, plaintext->len,
   11433 	    hash, &hashBytes);
   11434 
   11435 	/* We can read the MAC directly from the record because its location is
   11436 	 * public when a stream cipher is used. */
   11437 	givenHash = plaintext->buf + plaintext->len;
   11438     }
   11439 
   11440     good &= SECStatusToMask(rv);
   11441 
   11442     if (hashBytes != (unsigned)crSpec->mac_size ||
   11443 	NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) {
   11444 	/* We're allowed to leak whether or not the MAC check was correct */
   11445 	good = 0;
   11446     }
   11447 
   11448     if (good == 0) {
   11449 decrypt_loser:
   11450 	/* must not hold spec lock when calling SSL3_SendAlert. */
   11451 	ssl_ReleaseSpecReadLock(ss);
   11452 
   11453 	SSL_DBG(("%d: SSL3[%d]: decryption failed", SSL_GETPID(), ss->fd));
   11454 
   11455 	if (!IS_DTLS(ss)) {
   11456 	    SSL3_SendAlert(ss, alert_fatal, bad_record_mac);
   11457 	    /* always log mac error, in case attacker can read server logs. */
   11458 	    PORT_SetError(SSL_ERROR_BAD_MAC_READ);
   11459 	    return SECFailure;
   11460 	} else {
   11461 	    /* Silently drop the packet */
   11462             databuf->len = 0; /* Needed to ensure data not left around */
   11463 	    return SECSuccess;
   11464 	}
   11465     }
   11466 
   11467     if (!IS_DTLS(ss)) {
   11468 	ssl3_BumpSequenceNumber(&crSpec->read_seq_num);
   11469     } else {
   11470 	dtls_RecordSetRecvd(&crSpec->recvdRecords, dtls_seq_num);
   11471     }
   11472 
   11473     ssl_ReleaseSpecReadLock(ss); /*****************************************/
   11474 
   11475     /*
   11476      * The decrypted data is now in plaintext.
   11477      */
   11478 
   11479     /* possibly decompress the record. If we aren't using compression then
   11480      * plaintext == databuf and so the uncompressed data is already in
   11481      * databuf. */
   11482     if (crSpec->decompressor) {
   11483 	if (databuf->space < plaintext->len + SSL3_COMPRESSION_MAX_EXPANSION) {
   11484 	    rv = sslBuffer_Grow(
   11485 	        databuf, plaintext->len + SSL3_COMPRESSION_MAX_EXPANSION);
   11486 	    if (rv != SECSuccess) {
   11487 		SSL_DBG(("%d: SSL3[%d]: HandleRecord, tried to get %d bytes",
   11488 			 SSL_GETPID(), ss->fd,
   11489 			 plaintext->len + SSL3_COMPRESSION_MAX_EXPANSION));
   11490 		/* sslBuffer_Grow has set a memory error code. */
   11491 		/* Perhaps we should send an alert. (but we have no memory!) */
   11492 		PORT_Free(plaintext->buf);
   11493 		return SECFailure;
   11494 	    }
   11495 	}
   11496 
   11497 	rv = crSpec->decompressor(crSpec->decompressContext,
   11498 				  databuf->buf,
   11499 				  (int*) &databuf->len,
   11500 				  databuf->space,
   11501 				  plaintext->buf,
   11502 				  plaintext->len);
   11503 
   11504 	if (rv != SECSuccess) {
   11505 	    int err = ssl_MapLowLevelError(SSL_ERROR_DECOMPRESSION_FAILURE);
   11506 	    SSL3_SendAlert(ss, alert_fatal,
   11507 			   isTLS ? decompression_failure : bad_record_mac);
   11508 
   11509 	    /* There appears to be a bug with (at least) Apache + OpenSSL where
   11510 	     * resumed SSLv3 connections don't actually use compression. See
   11511 	     * comments 93-95 of
   11512 	     * https://bugzilla.mozilla.org/show_bug.cgi?id=275744
   11513 	     *
   11514 	     * So, if we get a decompression error, and the record appears to
   11515 	     * be already uncompressed, then we return a more specific error
   11516 	     * code to hopefully save somebody some debugging time in the
   11517 	     * future.
   11518 	     */
   11519 	    if (plaintext->len >= 4) {
   11520 		unsigned int len = ((unsigned int) plaintext->buf[1] << 16) |
   11521 		                   ((unsigned int) plaintext->buf[2] << 8) |
   11522 		                   (unsigned int) plaintext->buf[3];
   11523 		if (len == plaintext->len - 4) {
   11524 		    /* This appears to be uncompressed already */
   11525 		    err = SSL_ERROR_RX_UNEXPECTED_UNCOMPRESSED_RECORD;
   11526 		}
   11527 	    }
   11528 
   11529 	    PORT_Free(plaintext->buf);
   11530 	    PORT_SetError(err);
   11531 	    return SECFailure;
   11532 	}
   11533 
   11534 	PORT_Free(plaintext->buf);
   11535     }
   11536 
   11537     /*
   11538     ** Having completed the decompression, check the length again.
   11539     */
   11540     if (isTLS && databuf->len > (MAX_FRAGMENT_LENGTH + 1024)) {
   11541 	SSL3_SendAlert(ss, alert_fatal, record_overflow);
   11542 	PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
   11543 	return SECFailure;
   11544     }
   11545 
   11546     /* Application data records are processed by the caller of this
   11547     ** function, not by this function.
   11548     */
   11549     if (rType == content_application_data) {
   11550 	if (ss->firstHsDone)
   11551 	    return SECSuccess;
   11552 	(void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
   11553 	PORT_SetError(SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA);
   11554 	return SECFailure;
   11555     }
   11556 
   11557     /* It's a record that must be handled by ssl itself, not the application.
   11558     */
   11559 process_it:
   11560     /* XXX  Get the xmit lock here.  Odds are very high that we'll be xmiting
   11561      * data ang getting the xmit lock here prevents deadlocks.
   11562      */
   11563     ssl_GetSSL3HandshakeLock(ss);
   11564 
   11565     /* All the functions called in this switch MUST set error code if
   11566     ** they return SECFailure or SECWouldBlock.
   11567     */
   11568     switch (rType) {
   11569     case content_change_cipher_spec:
   11570 	rv = ssl3_HandleChangeCipherSpecs(ss, databuf);
   11571 	break;
   11572     case content_alert:
   11573 	rv = ssl3_HandleAlert(ss, databuf);
   11574 	break;
   11575     case content_handshake:
   11576 	if (!IS_DTLS(ss)) {
   11577 	    rv = ssl3_HandleHandshake(ss, databuf);
   11578 	} else {
   11579 	    rv = dtls_HandleHandshake(ss, databuf);
   11580 	}
   11581 	break;
   11582     /*
   11583     case content_application_data is handled before this switch
   11584     */
   11585     default:
   11586 	SSL_DBG(("%d: SSL3[%d]: bogus content type=%d",
   11587 		 SSL_GETPID(), ss->fd, cText->type));
   11588 	/* XXX Send an alert ???  */
   11589 	PORT_SetError(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE);
   11590 	rv = SECFailure;
   11591 	break;
   11592     }
   11593 
   11594     ssl_ReleaseSSL3HandshakeLock(ss);
   11595     return rv;
   11596 
   11597 }
   11598 
   11599 /*
   11600  * Initialization functions
   11601  */
   11602 
   11603 /* Called from ssl3_InitState, immediately below. */
   11604 /* Caller must hold the SpecWriteLock. */
   11605 static void
   11606 ssl3_InitCipherSpec(sslSocket *ss, ssl3CipherSpec *spec)
   11607 {
   11608     spec->cipher_def               = &bulk_cipher_defs[cipher_null];
   11609     PORT_Assert(spec->cipher_def->cipher == cipher_null);
   11610     spec->mac_def                  = &mac_defs[mac_null];
   11611     PORT_Assert(spec->mac_def->mac == mac_null);
   11612     spec->encode                   = Null_Cipher;
   11613     spec->decode                   = Null_Cipher;
   11614     spec->destroy                  = NULL;
   11615     spec->compressor               = NULL;
   11616     spec->decompressor             = NULL;
   11617     spec->destroyCompressContext   = NULL;
   11618     spec->destroyDecompressContext = NULL;
   11619     spec->mac_size                 = 0;
   11620     spec->master_secret            = NULL;
   11621     spec->bypassCiphers            = PR_FALSE;
   11622 
   11623     spec->msItem.data              = NULL;
   11624     spec->msItem.len               = 0;
   11625 
   11626     spec->client.write_key         = NULL;
   11627     spec->client.write_mac_key     = NULL;
   11628     spec->client.write_mac_context = NULL;
   11629 
   11630     spec->server.write_key         = NULL;
   11631     spec->server.write_mac_key     = NULL;
   11632     spec->server.write_mac_context = NULL;
   11633 
   11634     spec->write_seq_num.high       = 0;
   11635     spec->write_seq_num.low        = 0;
   11636 
   11637     spec->read_seq_num.high        = 0;
   11638     spec->read_seq_num.low         = 0;
   11639 
   11640     spec->epoch                    = 0;
   11641     dtls_InitRecvdRecords(&spec->recvdRecords);
   11642 
   11643     spec->version                  = ss->vrange.max;
   11644 }
   11645 
   11646 /* Called from:	ssl3_SendRecord
   11647 **		ssl3_StartHandshakeHash() <- ssl2_BeginClientHandshake()
   11648 **		ssl3_SendClientHello()
   11649 **		ssl3_HandleV2ClientHello()
   11650 **		ssl3_HandleRecord()
   11651 **
   11652 ** This function should perhaps acquire and release the SpecWriteLock.
   11653 **
   11654 **
   11655 */
   11656 static SECStatus
   11657 ssl3_InitState(sslSocket *ss)
   11658 {
   11659     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
   11660 
   11661     if (ss->ssl3.initialized)
   11662     	return SECSuccess;	/* Function should be idempotent */
   11663 
   11664     ss->ssl3.policy = SSL_ALLOWED;
   11665 
   11666     ssl_GetSpecWriteLock(ss);
   11667     ss->ssl3.crSpec = ss->ssl3.cwSpec = &ss->ssl3.specs[0];
   11668     ss->ssl3.prSpec = ss->ssl3.pwSpec = &ss->ssl3.specs[1];
   11669     ss->ssl3.hs.sendingSCSV = PR_FALSE;
   11670     ssl3_InitCipherSpec(ss, ss->ssl3.crSpec);
   11671     ssl3_InitCipherSpec(ss, ss->ssl3.prSpec);
   11672 
   11673     ss->ssl3.hs.ws = (ss->sec.isServer) ? wait_client_hello : wait_server_hello;
   11674 #ifdef NSS_ENABLE_ECC
   11675     ss->ssl3.hs.negotiatedECCurves = ssl3_GetSupportedECCurveMask(ss);
   11676 #endif
   11677     ssl_ReleaseSpecWriteLock(ss);
   11678 
   11679     PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
   11680 
   11681     if (IS_DTLS(ss)) {
   11682 	ss->ssl3.hs.sendMessageSeq = 0;
   11683 	ss->ssl3.hs.recvMessageSeq = 0;
   11684 	ss->ssl3.hs.rtTimeoutMs = INITIAL_DTLS_TIMEOUT_MS;
   11685 	ss->ssl3.hs.rtRetries = 0;
   11686 	ss->ssl3.hs.recvdHighWater = -1;
   11687 	PR_INIT_CLIST(&ss->ssl3.hs.lastMessageFlight);
   11688 	dtls_SetMTU(ss, 0); /* Set the MTU to the highest plateau */
   11689     }
   11690 
   11691     PORT_Assert(!ss->ssl3.hs.messages.buf && !ss->ssl3.hs.messages.space);
   11692     ss->ssl3.hs.messages.buf = NULL;
   11693     ss->ssl3.hs.messages.space = 0;
   11694 
   11695     ss->ssl3.initialized = PR_TRUE;
   11696     return SECSuccess;
   11697 }
   11698 
   11699 /* Returns a reference counted object that contains a key pair.
   11700  * Or NULL on failure.  Initial ref count is 1.
   11701  * Uses the keys in the pair as input.
   11702  */
   11703 ssl3KeyPair *
   11704 ssl3_NewKeyPair( SECKEYPrivateKey * privKey, SECKEYPublicKey * pubKey)
   11705 {
   11706     ssl3KeyPair * pair;
   11707 
   11708     if (!privKey || !pubKey) {
   11709 	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
   11710     	return NULL;
   11711     }
   11712     pair = PORT_ZNew(ssl3KeyPair);
   11713     if (!pair)
   11714     	return NULL;			/* error code is set. */
   11715     pair->refCount = 1;
   11716     pair->privKey  = privKey;
   11717     pair->pubKey   = pubKey;
   11718     return pair;			/* success */
   11719 }
   11720 
   11721 ssl3KeyPair *
   11722 ssl3_GetKeyPairRef(ssl3KeyPair * keyPair)
   11723 {
   11724     PR_ATOMIC_INCREMENT(&keyPair->refCount);
   11725     return keyPair;
   11726 }
   11727 
   11728 void
   11729 ssl3_FreeKeyPair(ssl3KeyPair * keyPair)
   11730 {
   11731     PRInt32 newCount =  PR_ATOMIC_DECREMENT(&keyPair->refCount);
   11732     if (!newCount) {
   11733 	if (keyPair->privKey)
   11734 	    SECKEY_DestroyPrivateKey(keyPair->privKey);
   11735 	if (keyPair->pubKey)
   11736 	    SECKEY_DestroyPublicKey( keyPair->pubKey);
   11737     	PORT_Free(keyPair);
   11738     }
   11739 }
   11740 
   11741 
   11742 
   11743 /*
   11744  * Creates the public and private RSA keys for SSL Step down.
   11745  * Called from SSL_ConfigSecureServer in sslsecur.c
   11746  */
   11747 SECStatus
   11748 ssl3_CreateRSAStepDownKeys(sslSocket *ss)
   11749 {
   11750     SECStatus             rv  	 = SECSuccess;
   11751     SECKEYPrivateKey *    privKey;		/* RSA step down key */
   11752     SECKEYPublicKey *     pubKey;		/* RSA step down key */
   11753 
   11754     if (ss->stepDownKeyPair)
   11755 	ssl3_FreeKeyPair(ss->stepDownKeyPair);
   11756     ss->stepDownKeyPair = NULL;
   11757 #ifndef HACKED_EXPORT_SERVER
   11758     /* Sigh, should have a get key strength call for private keys */
   11759     if (PK11_GetPrivateModulusLen(ss->serverCerts[kt_rsa].SERVERKEY) >
   11760                                                      EXPORT_RSA_KEY_LENGTH) {
   11761 	/* need to ask for the key size in bits */
   11762 	privKey = SECKEY_CreateRSAPrivateKey(EXPORT_RSA_KEY_LENGTH * BPB,
   11763 					     &pubKey, NULL);
   11764     	if (!privKey || !pubKey ||
   11765 	    !(ss->stepDownKeyPair = ssl3_NewKeyPair(privKey, pubKey))) {
   11766 	    ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
   11767 	    rv = SECFailure;
   11768 	}
   11769     }
   11770 #endif
   11771     return rv;
   11772 }
   11773 
   11774 
   11775 /* record the export policy for this cipher suite */
   11776 SECStatus
   11777 ssl3_SetPolicy(ssl3CipherSuite which, int policy)
   11778 {
   11779     ssl3CipherSuiteCfg *suite;
   11780 
   11781     suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
   11782     if (suite == NULL) {
   11783 	return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */
   11784     }
   11785     suite->policy = policy;
   11786 
   11787     return SECSuccess;
   11788 }
   11789 
   11790 SECStatus
   11791 ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *oPolicy)
   11792 {
   11793     ssl3CipherSuiteCfg *suite;
   11794     PRInt32             policy;
   11795     SECStatus           rv;
   11796 
   11797     suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
   11798     if (suite) {
   11799     	policy = suite->policy;
   11800 	rv     = SECSuccess;
   11801     } else {
   11802     	policy = SSL_NOT_ALLOWED;
   11803 	rv     = SECFailure;	/* err code was set by Lookup. */
   11804     }
   11805     *oPolicy = policy;
   11806     return rv;
   11807 }
   11808 
   11809 /* record the user preference for this suite */
   11810 SECStatus
   11811 ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool enabled)
   11812 {
   11813     ssl3CipherSuiteCfg *suite;
   11814 
   11815     suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
   11816     if (suite == NULL) {
   11817 	return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */
   11818     }
   11819     suite->enabled = enabled;
   11820     return SECSuccess;
   11821 }
   11822 
   11823 /* return the user preference for this suite */
   11824 SECStatus
   11825 ssl3_CipherPrefGetDefault(ssl3CipherSuite which, PRBool *enabled)
   11826 {
   11827     ssl3CipherSuiteCfg *suite;
   11828     PRBool              pref;
   11829     SECStatus           rv;
   11830 
   11831     suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
   11832     if (suite) {
   11833     	pref   = suite->enabled;
   11834 	rv     = SECSuccess;
   11835     } else {
   11836     	pref   = SSL_NOT_ALLOWED;
   11837 	rv     = SECFailure;	/* err code was set by Lookup. */
   11838     }
   11839     *enabled = pref;
   11840     return rv;
   11841 }
   11842 
   11843 SECStatus
   11844 ssl3_CipherPrefSet(sslSocket *ss, ssl3CipherSuite which, PRBool enabled)
   11845 {
   11846     ssl3CipherSuiteCfg *suite;
   11847 
   11848     suite = ssl_LookupCipherSuiteCfg(which, ss->cipherSuites);
   11849     if (suite == NULL) {
   11850 	return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */
   11851     }
   11852     suite->enabled = enabled;
   11853     return SECSuccess;
   11854 }
   11855 
   11856 SECStatus
   11857 ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool *enabled)
   11858 {
   11859     ssl3CipherSuiteCfg *suite;
   11860     PRBool              pref;
   11861     SECStatus           rv;
   11862 
   11863     suite = ssl_LookupCipherSuiteCfg(which, ss->cipherSuites);
   11864     if (suite) {
   11865     	pref   = suite->enabled;
   11866 	rv     = SECSuccess;
   11867     } else {
   11868     	pref   = SSL_NOT_ALLOWED;
   11869 	rv     = SECFailure;	/* err code was set by Lookup. */
   11870     }
   11871     *enabled = pref;
   11872     return rv;
   11873 }
   11874 
   11875 /* copy global default policy into socket. */
   11876 void
   11877 ssl3_InitSocketPolicy(sslSocket *ss)
   11878 {
   11879     PORT_Memcpy(ss->cipherSuites, cipherSuites, sizeof cipherSuites);
   11880 }
   11881 
   11882 SECStatus
   11883 ssl3_GetTLSUniqueChannelBinding(sslSocket *ss,
   11884 				unsigned char *out,
   11885 				unsigned int *outLen,
   11886 				unsigned int outLenMax) {
   11887     PRBool       isTLS;
   11888     int          index = 0;
   11889     unsigned int len;
   11890     SECStatus    rv = SECFailure;
   11891 
   11892     *outLen = 0;
   11893 
   11894     ssl_GetSSL3HandshakeLock(ss);
   11895 
   11896     ssl_GetSpecReadLock(ss);
   11897     isTLS = (PRBool)(ss->ssl3.cwSpec->version > SSL_LIBRARY_VERSION_3_0);
   11898     ssl_ReleaseSpecReadLock(ss);
   11899 
   11900     /* The tls-unique channel binding is the first Finished structure in the
   11901      * handshake. In the case of a resumption, that's the server's Finished.
   11902      * Otherwise, it's the client's Finished. */
   11903     len = ss->ssl3.hs.finishedBytes;
   11904 
   11905     /* Sending or receiving a Finished message will set finishedBytes to a
   11906      * non-zero value. */
   11907     if (len == 0) {
   11908 	PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED);
   11909 	goto loser;
   11910     }
   11911 
   11912     /* If we are in the middle of a renegotiation then the channel binding
   11913      * value is poorly defined and depends on the direction that it will be
   11914      * used on. Therefore we simply return an error in this case. */
   11915     if (ss->firstHsDone && ss->ssl3.hs.ws != idle_handshake) {
   11916 	PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED);
   11917 	goto loser;
   11918     }
   11919 
   11920     /* If resuming, then we want the second Finished value in the array, which
   11921      * is the server's */
   11922     if (ss->ssl3.hs.isResuming)
   11923 	index = 1;
   11924 
   11925     *outLen = len;
   11926     if (outLenMax < len) {
   11927 	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
   11928 	goto loser;
   11929     }
   11930 
   11931     if (isTLS) {
   11932 	memcpy(out, &ss->ssl3.hs.finishedMsgs.tFinished[index], len);
   11933     } else {
   11934 	memcpy(out, &ss->ssl3.hs.finishedMsgs.sFinished[index], len);
   11935     }
   11936 
   11937     rv = SECSuccess;
   11938 
   11939 loser:
   11940     ssl_ReleaseSSL3HandshakeLock(ss);
   11941     return rv;
   11942 }
   11943 
   11944 /* ssl3_config_match_init must have already been called by
   11945  * the caller of this function.
   11946  */
   11947 SECStatus
   11948 ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, unsigned char *cs, int *size)
   11949 {
   11950     int i, count = 0;
   11951 
   11952     PORT_Assert(ss != 0);
   11953     if (!ss) {
   11954 	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
   11955 	return SECFailure;
   11956     }
   11957     if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
   11958     	*size = 0;
   11959 	return SECSuccess;
   11960     }
   11961     if (cs == NULL) {
   11962 	*size = count_cipher_suites(ss, SSL_ALLOWED, PR_TRUE);
   11963 	return SECSuccess;
   11964     }
   11965 
   11966     /* ssl3_config_match_init was called by the caller of this function. */
   11967     for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
   11968 	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
   11969 	if (config_match(suite, SSL_ALLOWED, PR_TRUE)) {
   11970 	    if (cs != NULL) {
   11971 		*cs++ = 0x00;
   11972 		*cs++ = (suite->cipher_suite >> 8) & 0xFF;
   11973 		*cs++ =  suite->cipher_suite       & 0xFF;
   11974 	    }
   11975 	    count++;
   11976 	}
   11977     }
   11978     *size = count;
   11979     return SECSuccess;
   11980 }
   11981 
   11982 /*
   11983 ** If ssl3 socket has completed the first handshake, and is in idle state,
   11984 ** then start a new handshake.
   11985 ** If flushCache is true, the SID cache will be flushed first, forcing a
   11986 ** "Full" handshake (not a session restart handshake), to be done.
   11987 **
   11988 ** called from SSL_RedoHandshake(), which already holds the handshake locks.
   11989 */
   11990 SECStatus
   11991 ssl3_RedoHandshake(sslSocket *ss, PRBool flushCache)
   11992 {
   11993     sslSessionID *   sid = ss->sec.ci.sid;
   11994     SECStatus        rv;
   11995 
   11996     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
   11997 
   11998     if (!ss->firstHsDone ||
   11999         ((ss->version >= SSL_LIBRARY_VERSION_3_0) &&
   12000 	 ss->ssl3.initialized &&
   12001 	 (ss->ssl3.hs.ws != idle_handshake))) {
   12002 	PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED);
   12003 	return SECFailure;
   12004     }
   12005 
   12006     if (IS_DTLS(ss)) {
   12007 	dtls_RehandshakeCleanup(ss);
   12008     }
   12009 
   12010     if (ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) {
   12011 	PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED);
   12012 	return SECFailure;
   12013     }
   12014     if (sid && flushCache) {
   12015         if (ss->sec.uncache)
   12016             ss->sec.uncache(sid); /* remove it from whichever cache it's in. */
   12017 	ssl_FreeSID(sid);	/* dec ref count and free if zero. */
   12018 	ss->sec.ci.sid = NULL;
   12019     }
   12020 
   12021     ssl_GetXmitBufLock(ss);	/**************************************/
   12022 
   12023     /* start off a new handshake. */
   12024     rv = (ss->sec.isServer) ? ssl3_SendHelloRequest(ss)
   12025                             : ssl3_SendClientHello(ss, PR_FALSE);
   12026 
   12027     ssl_ReleaseXmitBufLock(ss);	/**************************************/
   12028     return rv;
   12029 }
   12030 
   12031 /* Called from ssl_DestroySocketContents() in sslsock.c */
   12032 void
   12033 ssl3_DestroySSL3Info(sslSocket *ss)
   12034 {
   12035 
   12036     if (ss->ssl3.clientCertificate != NULL)
   12037 	CERT_DestroyCertificate(ss->ssl3.clientCertificate);
   12038 
   12039     if (ss->ssl3.clientPrivateKey != NULL)
   12040 	SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
   12041 #ifdef NSS_PLATFORM_CLIENT_AUTH
   12042     if (ss->ssl3.platformClientKey)
   12043 	ssl_FreePlatformKey(ss->ssl3.platformClientKey);
   12044 #endif /* NSS_PLATFORM_CLIENT_AUTH */
   12045 
   12046     if (ss->ssl3.channelID)
   12047 	SECKEY_DestroyPrivateKey(ss->ssl3.channelID);
   12048     if (ss->ssl3.channelIDPub)
   12049 	SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
   12050 
   12051     if (ss->ssl3.peerCertArena != NULL)
   12052 	ssl3_CleanupPeerCerts(ss);
   12053 
   12054     if (ss->ssl3.clientCertChain != NULL) {
   12055        CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
   12056        ss->ssl3.clientCertChain = NULL;
   12057     }
   12058 
   12059     /* clean up handshake */
   12060 #ifndef NO_PKCS11_BYPASS
   12061     if (ss->opt.bypassPKCS11) {
   12062 	if (ss->ssl3.hs.hashType == handshake_hash_combo) {
   12063 	    SHA1_DestroyContext((SHA1Context *)ss->ssl3.hs.sha_cx, PR_FALSE);
   12064 	    MD5_DestroyContext((MD5Context *)ss->ssl3.hs.md5_cx, PR_FALSE);
   12065 	} else if (ss->ssl3.hs.hashType == handshake_hash_single) {
   12066 	    ss->ssl3.hs.sha_obj->destroy(ss->ssl3.hs.sha_cx, PR_FALSE);
   12067 	}
   12068     }
   12069 #endif
   12070     if (ss->ssl3.hs.md5) {
   12071 	PK11_DestroyContext(ss->ssl3.hs.md5,PR_TRUE);
   12072     }
   12073     if (ss->ssl3.hs.sha) {
   12074 	PK11_DestroyContext(ss->ssl3.hs.sha,PR_TRUE);
   12075     }
   12076     if (ss->ssl3.hs.clientSigAndHash) {
   12077 	PORT_Free(ss->ssl3.hs.clientSigAndHash);
   12078     }
   12079     if (ss->ssl3.hs.messages.buf) {
   12080     	PORT_Free(ss->ssl3.hs.messages.buf);
   12081 	ss->ssl3.hs.messages.buf = NULL;
   12082 	ss->ssl3.hs.messages.len = 0;
   12083 	ss->ssl3.hs.messages.space = 0;
   12084     }
   12085 
   12086     /* free the SSL3Buffer (msg_body) */
   12087     PORT_Free(ss->ssl3.hs.msg_body.buf);
   12088 
   12089     /* free up the CipherSpecs */
   12090     ssl3_DestroyCipherSpec(&ss->ssl3.specs[0], PR_TRUE/*freeSrvName*/);
   12091     ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/);
   12092 
   12093     /* Destroy the DTLS data */
   12094     if (IS_DTLS(ss)) {
   12095 	dtls_FreeHandshakeMessages(&ss->ssl3.hs.lastMessageFlight);
   12096 	if (ss->ssl3.hs.recvdFragments.buf) {
   12097 	    PORT_Free(ss->ssl3.hs.recvdFragments.buf);
   12098 	}
   12099     }
   12100 
   12101     ss->ssl3.initialized = PR_FALSE;
   12102 
   12103     SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
   12104 }
   12105 
   12106 /* End of ssl3con.c */
   12107