1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ 2 /* 3 * SSL3 Protocol 4 * 5 * This Source Code Form is subject to the terms of the Mozilla Public 6 * License, v. 2.0. If a copy of the MPL was not distributed with this 7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 8 9 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */ 10 11 #include "cert.h" 12 #include "ssl.h" 13 #include "cryptohi.h" /* for DSAU_ stuff */ 14 #include "keyhi.h" 15 #include "secder.h" 16 #include "secitem.h" 17 #include "sechash.h" 18 19 #include "sslimpl.h" 20 #include "sslproto.h" 21 #include "sslerr.h" 22 #include "prtime.h" 23 #include "prinrval.h" 24 #include "prerror.h" 25 #include "pratom.h" 26 #include "prthread.h" 27 28 #include "pk11func.h" 29 #include "secmod.h" 30 #ifndef NO_PKCS11_BYPASS 31 #include "blapi.h" 32 #endif 33 34 /* This is a bodge to allow this code to be compiled against older NSS headers 35 * that don't contain the TLS 1.2 changes. */ 36 #ifndef CKM_NSS_TLS_PRF_GENERAL_SHA256 37 #define CKM_NSS_TLS_PRF_GENERAL_SHA256 (CKM_NSS + 21) 38 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256 (CKM_NSS + 22) 39 #define CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256 (CKM_NSS + 23) 40 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) 41 #endif 42 43 /* This is a bodge to allow this code to be compiled against older NSS 44 * headers. */ 45 #ifndef CKM_NSS_CHACHA20_POLY1305 46 #define CKM_NSS_CHACHA20_POLY1305 (CKM_NSS + 26) 47 48 typedef struct CK_NSS_AEAD_PARAMS { 49 CK_BYTE_PTR pIv; /* This is the nonce. */ 50 CK_ULONG ulIvLen; 51 CK_BYTE_PTR pAAD; 52 CK_ULONG ulAADLen; 53 CK_ULONG ulTagLen; 54 } CK_NSS_AEAD_PARAMS; 55 56 #endif 57 58 #include <stdio.h> 59 #ifdef NSS_ENABLE_ZLIB 60 #include "zlib.h" 61 #endif 62 #ifdef LINUX 63 #include <dlfcn.h> 64 #endif 65 66 #ifndef PK11_SETATTRS 67 #define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \ 68 (x)->pValue=(v); (x)->ulValueLen = (l); 69 #endif 70 71 static SECStatus ssl3_AuthCertificate(sslSocket *ss); 72 static void ssl3_CleanupPeerCerts(sslSocket *ss); 73 static void ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid); 74 static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec, 75 PK11SlotInfo * serverKeySlot); 76 static SECStatus ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms); 77 static SECStatus ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss); 78 static SECStatus ssl3_HandshakeFailure( sslSocket *ss); 79 static SECStatus ssl3_InitState( sslSocket *ss); 80 static SECStatus ssl3_SendCertificate( sslSocket *ss); 81 static SECStatus ssl3_SendCertificateStatus( sslSocket *ss); 82 static SECStatus ssl3_SendEmptyCertificate( sslSocket *ss); 83 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss); 84 static SECStatus ssl3_SendNextProto( sslSocket *ss); 85 static SECStatus ssl3_SendEncryptedExtensions(sslSocket *ss); 86 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags); 87 static SECStatus ssl3_SendServerHello( sslSocket *ss); 88 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss); 89 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss); 90 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss, 91 const unsigned char *b, 92 unsigned int l); 93 static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags); 94 static int ssl3_OIDToTLSHashAlgorithm(SECOidTag oid); 95 96 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, 97 int maxOutputLen, const unsigned char *input, 98 int inputLen); 99 #ifndef NO_PKCS11_BYPASS 100 static SECStatus ssl3_AESGCMBypass(ssl3KeyMaterial *keys, PRBool doDecrypt, 101 unsigned char *out, int *outlen, int maxout, 102 const unsigned char *in, int inlen, 103 const unsigned char *additionalData, 104 int additionalDataLen); 105 #endif 106 107 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */ 108 #define MIN_SEND_BUF_LENGTH 4000 109 110 /* This list of SSL3 cipher suites is sorted in descending order of 111 * precedence (desirability). It only includes cipher suites we implement. 112 * This table is modified by SSL3_SetPolicy(). The ordering of cipher suites 113 * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c) 114 */ 115 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { 116 /* cipher_suite policy enabled is_present*/ 117 #ifdef NSS_ENABLE_ECC 118 { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 119 { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 120 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 121 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 122 #endif /* NSS_ENABLE_ECC */ 123 { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, 124 { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, 125 126 #ifdef NSS_ENABLE_ECC 127 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 128 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 129 #endif /* NSS_ENABLE_ECC */ 130 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 131 { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 132 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, 133 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, 134 { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, 135 #ifdef NSS_ENABLE_ECC 136 { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 137 { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 138 #endif /* NSS_ENABLE_ECC */ 139 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 140 { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, 141 { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, 142 143 #ifdef NSS_ENABLE_ECC 144 { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 145 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 146 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 147 { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 148 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 149 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 150 #endif /* NSS_ENABLE_ECC */ 151 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 152 { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 153 { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 154 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, 155 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, 156 { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, 157 #ifdef NSS_ENABLE_ECC 158 { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 159 { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 160 { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 161 { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 162 #endif /* NSS_ENABLE_ECC */ 163 { TLS_RSA_WITH_SEED_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 164 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 165 { SSL_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, 166 { SSL_RSA_WITH_RC4_128_MD5, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, 167 { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, 168 { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, 169 170 #ifdef NSS_ENABLE_ECC 171 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 172 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 173 #endif /* NSS_ENABLE_ECC */ 174 { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, 175 { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, 176 #ifdef NSS_ENABLE_ECC 177 { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 178 { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 179 #endif /* NSS_ENABLE_ECC */ 180 { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, 181 { SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, 182 183 184 { SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 185 { SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 186 { SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, 187 { SSL_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, 188 { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, 189 { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, 190 191 { SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, 192 { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, 193 194 #ifdef NSS_ENABLE_ECC 195 { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, 196 { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, 197 { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, 198 { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, 199 #endif /* NSS_ENABLE_ECC */ 200 { SSL_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 201 { TLS_RSA_WITH_NULL_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 202 { SSL_RSA_WITH_NULL_MD5, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 203 204 }; 205 206 /* This list of SSL3 compression methods is sorted in descending order of 207 * precedence (desirability). It only includes compression methods we 208 * implement. 209 */ 210 static const /*SSLCompressionMethod*/ PRUint8 compressions [] = { 211 #ifdef NSS_ENABLE_ZLIB 212 ssl_compression_deflate, 213 #endif 214 ssl_compression_null 215 }; 216 217 static const int compressionMethodsCount = 218 sizeof(compressions) / sizeof(compressions[0]); 219 220 /* compressionEnabled returns true iff the compression algorithm is enabled 221 * for the given SSL socket. */ 222 static PRBool 223 compressionEnabled(sslSocket *ss, SSLCompressionMethod compression) 224 { 225 switch (compression) { 226 case ssl_compression_null: 227 return PR_TRUE; /* Always enabled */ 228 #ifdef NSS_ENABLE_ZLIB 229 case ssl_compression_deflate: 230 return ss->opt.enableDeflate; 231 #endif 232 default: 233 return PR_FALSE; 234 } 235 } 236 237 static const /*SSL3ClientCertificateType */ PRUint8 certificate_types [] = { 238 ct_RSA_sign, 239 #ifdef NSS_ENABLE_ECC 240 ct_ECDSA_sign, 241 #endif /* NSS_ENABLE_ECC */ 242 ct_DSS_sign, 243 }; 244 245 /* This block is the contents of the supported_signature_algorithms field of 246 * our TLS 1.2 CertificateRequest message, in wire format. See 247 * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 248 * 249 * This block contains only sha256 entries because we only support TLS 1.2 250 * CertificateVerify messages that use the handshake hash. */ 251 static const PRUint8 supported_signature_algorithms[] = { 252 tls_hash_sha256, tls_sig_rsa, 253 #ifdef NSS_ENABLE_ECC 254 tls_hash_sha256, tls_sig_ecdsa, 255 #endif 256 tls_hash_sha256, tls_sig_dsa, 257 }; 258 259 #define EXPORT_RSA_KEY_LENGTH 64 /* bytes */ 260 261 262 /* This global item is used only in servers. It is is initialized by 263 ** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest(). 264 */ 265 CERTDistNames *ssl3_server_ca_list = NULL; 266 static SSL3Statistics ssl3stats; 267 268 /* indexed by SSL3BulkCipher */ 269 static const ssl3BulkCipherDef bulk_cipher_defs[] = { 270 /* |--------- Lengths --------| */ 271 /* cipher calg k s type i b t n */ 272 /* e e v l a o */ 273 /* y c | o g n */ 274 /* | r | c | c */ 275 /* | e | k | e */ 276 /* | t | | | | */ 277 {cipher_null, calg_null, 0, 0, type_stream, 0, 0, 0, 0}, 278 {cipher_rc4, calg_rc4, 16,16, type_stream, 0, 0, 0, 0}, 279 {cipher_rc4_40, calg_rc4, 16, 5, type_stream, 0, 0, 0, 0}, 280 {cipher_rc4_56, calg_rc4, 16, 7, type_stream, 0, 0, 0, 0}, 281 {cipher_rc2, calg_rc2, 16,16, type_block, 8, 8, 0, 0}, 282 {cipher_rc2_40, calg_rc2, 16, 5, type_block, 8, 8, 0, 0}, 283 {cipher_des, calg_des, 8, 8, type_block, 8, 8, 0, 0}, 284 {cipher_3des, calg_3des, 24,24, type_block, 8, 8, 0, 0}, 285 {cipher_des40, calg_des, 8, 5, type_block, 8, 8, 0, 0}, 286 {cipher_idea, calg_idea, 16,16, type_block, 8, 8, 0, 0}, 287 {cipher_aes_128, calg_aes, 16,16, type_block, 16,16, 0, 0}, 288 {cipher_aes_256, calg_aes, 32,32, type_block, 16,16, 0, 0}, 289 {cipher_camellia_128, calg_camellia, 16,16, type_block, 16,16, 0, 0}, 290 {cipher_camellia_256, calg_camellia, 32,32, type_block, 16,16, 0, 0}, 291 {cipher_seed, calg_seed, 16,16, type_block, 16,16, 0, 0}, 292 {cipher_aes_128_gcm, calg_aes_gcm, 16,16, type_aead, 4, 0,16, 8}, 293 {cipher_chacha20, calg_chacha20, 32,32, type_aead, 0, 0,16, 0}, 294 {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, 0, 0}, 295 }; 296 297 static const ssl3KEADef kea_defs[] = 298 { /* indexed by SSL3KeyExchangeAlgorithm */ 299 /* kea exchKeyType signKeyType is_limited limit tls_keygen */ 300 {kea_null, kt_null, sign_null, PR_FALSE, 0, PR_FALSE}, 301 {kea_rsa, kt_rsa, sign_rsa, PR_FALSE, 0, PR_FALSE}, 302 {kea_rsa_export, kt_rsa, sign_rsa, PR_TRUE, 512, PR_FALSE}, 303 {kea_rsa_export_1024,kt_rsa, sign_rsa, PR_TRUE, 1024, PR_FALSE}, 304 {kea_dh_dss, kt_dh, sign_dsa, PR_FALSE, 0, PR_FALSE}, 305 {kea_dh_dss_export, kt_dh, sign_dsa, PR_TRUE, 512, PR_FALSE}, 306 {kea_dh_rsa, kt_dh, sign_rsa, PR_FALSE, 0, PR_FALSE}, 307 {kea_dh_rsa_export, kt_dh, sign_rsa, PR_TRUE, 512, PR_FALSE}, 308 {kea_dhe_dss, kt_dh, sign_dsa, PR_FALSE, 0, PR_FALSE}, 309 {kea_dhe_dss_export, kt_dh, sign_dsa, PR_TRUE, 512, PR_FALSE}, 310 {kea_dhe_rsa, kt_dh, sign_rsa, PR_FALSE, 0, PR_FALSE}, 311 {kea_dhe_rsa_export, kt_dh, sign_rsa, PR_TRUE, 512, PR_FALSE}, 312 {kea_dh_anon, kt_dh, sign_null, PR_FALSE, 0, PR_FALSE}, 313 {kea_dh_anon_export, kt_dh, sign_null, PR_TRUE, 512, PR_FALSE}, 314 {kea_rsa_fips, kt_rsa, sign_rsa, PR_FALSE, 0, PR_TRUE }, 315 #ifdef NSS_ENABLE_ECC 316 {kea_ecdh_ecdsa, kt_ecdh, sign_ecdsa, PR_FALSE, 0, PR_FALSE}, 317 {kea_ecdhe_ecdsa, kt_ecdh, sign_ecdsa, PR_FALSE, 0, PR_FALSE}, 318 {kea_ecdh_rsa, kt_ecdh, sign_rsa, PR_FALSE, 0, PR_FALSE}, 319 {kea_ecdhe_rsa, kt_ecdh, sign_rsa, PR_FALSE, 0, PR_FALSE}, 320 {kea_ecdh_anon, kt_ecdh, sign_null, PR_FALSE, 0, PR_FALSE}, 321 #endif /* NSS_ENABLE_ECC */ 322 }; 323 324 /* must use ssl_LookupCipherSuiteDef to access */ 325 static const ssl3CipherSuiteDef cipher_suite_defs[] = 326 { 327 /* cipher_suite bulk_cipher_alg mac_alg key_exchange_alg */ 328 329 {SSL_NULL_WITH_NULL_NULL, cipher_null, mac_null, kea_null}, 330 {SSL_RSA_WITH_NULL_MD5, cipher_null, mac_md5, kea_rsa}, 331 {SSL_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_rsa}, 332 {TLS_RSA_WITH_NULL_SHA256, cipher_null, hmac_sha256, kea_rsa}, 333 {SSL_RSA_EXPORT_WITH_RC4_40_MD5,cipher_rc4_40, mac_md5, kea_rsa_export}, 334 {SSL_RSA_WITH_RC4_128_MD5, cipher_rc4, mac_md5, kea_rsa}, 335 {SSL_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_rsa}, 336 {SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, 337 cipher_rc2_40, mac_md5, kea_rsa_export}, 338 #if 0 /* not implemented */ 339 {SSL_RSA_WITH_IDEA_CBC_SHA, cipher_idea, mac_sha, kea_rsa}, 340 {SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, 341 cipher_des40, mac_sha, kea_rsa_export}, 342 #endif 343 {SSL_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa}, 344 {SSL_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa}, 345 {SSL_DHE_DSS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dhe_dss}, 346 {SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, 347 cipher_3des, mac_sha, kea_dhe_dss}, 348 {TLS_DHE_DSS_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_dhe_dss}, 349 #if 0 /* not implemented */ 350 {SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA, 351 cipher_des40, mac_sha, kea_dh_dss_export}, 352 {SSL_DH_DSS_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_dss}, 353 {SSL_DH_DSS_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_dss}, 354 {SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA, 355 cipher_des40, mac_sha, kea_dh_rsa_export}, 356 {SSL_DH_RSA_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_rsa}, 357 {SSL_DH_RSA_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_rsa}, 358 {SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, 359 cipher_des40, mac_sha, kea_dh_dss_export}, 360 {SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, 361 cipher_des40, mac_sha, kea_dh_rsa_export}, 362 #endif 363 {SSL_DHE_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dhe_rsa}, 364 {SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 365 cipher_3des, mac_sha, kea_dhe_rsa}, 366 #if 0 367 {SSL_DH_ANON_EXPORT_RC4_40_MD5, cipher_rc4_40, mac_md5, kea_dh_anon_export}, 368 {SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA, 369 cipher_des40, mac_sha, kea_dh_anon_export}, 370 {SSL_DH_ANON_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_anon}, 371 {SSL_DH_ANON_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_anon}, 372 #endif 373 374 375 /* New TLS cipher suites */ 376 {TLS_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_rsa}, 377 {TLS_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_rsa}, 378 {TLS_DHE_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe_dss}, 379 {TLS_DHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe_rsa}, 380 {TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_rsa}, 381 {TLS_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_rsa}, 382 {TLS_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_rsa}, 383 {TLS_DHE_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe_dss}, 384 {TLS_DHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe_rsa}, 385 {TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_rsa}, 386 #if 0 387 {TLS_DH_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_dss}, 388 {TLS_DH_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_rsa}, 389 {TLS_DH_ANON_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_anon}, 390 {TLS_DH_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_dss}, 391 {TLS_DH_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_rsa}, 392 {TLS_DH_ANON_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_anon}, 393 #endif 394 395 {TLS_RSA_WITH_SEED_CBC_SHA, cipher_seed, mac_sha, kea_rsa}, 396 397 {TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, cipher_camellia_128, mac_sha, kea_rsa}, 398 {TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, 399 cipher_camellia_128, mac_sha, kea_dhe_dss}, 400 {TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, 401 cipher_camellia_128, mac_sha, kea_dhe_rsa}, 402 {TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, cipher_camellia_256, mac_sha, kea_rsa}, 403 {TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, 404 cipher_camellia_256, mac_sha, kea_dhe_dss}, 405 {TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, 406 cipher_camellia_256, mac_sha, kea_dhe_rsa}, 407 408 {TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, 409 cipher_des, mac_sha,kea_rsa_export_1024}, 410 {TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, 411 cipher_rc4_56, mac_sha,kea_rsa_export_1024}, 412 413 {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips}, 414 {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips}, 415 416 {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_rsa}, 417 {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa}, 418 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa}, 419 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa}, 420 {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, cipher_chacha20, mac_aead, kea_ecdhe_rsa}, 421 {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, cipher_chacha20, mac_aead, kea_ecdhe_ecdsa}, 422 423 #ifdef NSS_ENABLE_ECC 424 {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa}, 425 {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa}, 426 {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa}, 427 {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecdsa}, 428 {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecdsa}, 429 430 {TLS_ECDHE_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_ecdsa}, 431 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_ecdsa}, 432 {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecdsa}, 433 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_ecdsa}, 434 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ecdhe_ecdsa}, 435 {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_ecdsa}, 436 437 {TLS_ECDH_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_rsa}, 438 {TLS_ECDH_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_rsa}, 439 {TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_rsa}, 440 {TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_rsa}, 441 {TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_rsa}, 442 443 {TLS_ECDHE_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_rsa}, 444 {TLS_ECDHE_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_rsa}, 445 {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_rsa}, 446 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_rsa}, 447 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ecdhe_rsa}, 448 {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_rsa}, 449 450 #if 0 451 {TLS_ECDH_anon_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_anon}, 452 {TLS_ECDH_anon_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_anon}, 453 {TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_anon}, 454 {TLS_ECDH_anon_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_anon}, 455 {TLS_ECDH_anon_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_anon}, 456 #endif 457 #endif /* NSS_ENABLE_ECC */ 458 }; 459 460 static const CK_MECHANISM_TYPE kea_alg_defs[] = { 461 0x80000000L, 462 CKM_RSA_PKCS, 463 CKM_DH_PKCS_DERIVE, 464 CKM_KEA_KEY_DERIVE, 465 CKM_ECDH1_DERIVE 466 }; 467 468 typedef struct SSLCipher2MechStr { 469 SSLCipherAlgorithm calg; 470 CK_MECHANISM_TYPE cmech; 471 } SSLCipher2Mech; 472 473 /* indexed by type SSLCipherAlgorithm */ 474 static const SSLCipher2Mech alg2Mech[] = { 475 /* calg, cmech */ 476 { calg_null , (CK_MECHANISM_TYPE)0x80000000L }, 477 { calg_rc4 , CKM_RC4 }, 478 { calg_rc2 , CKM_RC2_CBC }, 479 { calg_des , CKM_DES_CBC }, 480 { calg_3des , CKM_DES3_CBC }, 481 { calg_idea , CKM_IDEA_CBC }, 482 { calg_fortezza , CKM_SKIPJACK_CBC64 }, 483 { calg_aes , CKM_AES_CBC }, 484 { calg_camellia , CKM_CAMELLIA_CBC }, 485 { calg_seed , CKM_SEED_CBC }, 486 { calg_aes_gcm , CKM_AES_GCM }, 487 { calg_chacha20 , CKM_NSS_CHACHA20_POLY1305 }, 488 /* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */ 489 }; 490 491 #define mmech_invalid (CK_MECHANISM_TYPE)0x80000000L 492 #define mmech_md5 CKM_SSL3_MD5_MAC 493 #define mmech_sha CKM_SSL3_SHA1_MAC 494 #define mmech_md5_hmac CKM_MD5_HMAC 495 #define mmech_sha_hmac CKM_SHA_1_HMAC 496 #define mmech_sha256_hmac CKM_SHA256_HMAC 497 #define mmech_sha384_hmac CKM_SHA384_HMAC 498 #define mmech_sha512_hmac CKM_SHA512_HMAC 499 500 static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */ 501 /* pad_size is only used for SSL 3.0 MAC. See RFC 6101 Sec. 5.2.3.1. */ 502 /* mac mmech pad_size mac_size */ 503 { mac_null, mmech_invalid, 0, 0 }, 504 { mac_md5, mmech_md5, 48, MD5_LENGTH }, 505 { mac_sha, mmech_sha, 40, SHA1_LENGTH}, 506 {hmac_md5, mmech_md5_hmac, 0, MD5_LENGTH }, 507 {hmac_sha, mmech_sha_hmac, 0, SHA1_LENGTH}, 508 {hmac_sha256, mmech_sha256_hmac, 0, SHA256_LENGTH}, 509 { mac_aead, mmech_invalid, 0, 0 }, 510 }; 511 512 /* indexed by SSL3BulkCipher */ 513 const char * const ssl3_cipherName[] = { 514 "NULL", 515 "RC4", 516 "RC4-40", 517 "RC4-56", 518 "RC2-CBC", 519 "RC2-CBC-40", 520 "DES-CBC", 521 "3DES-EDE-CBC", 522 "DES-CBC-40", 523 "IDEA-CBC", 524 "AES-128", 525 "AES-256", 526 "Camellia-128", 527 "Camellia-256", 528 "SEED-CBC", 529 "AES-128-GCM", 530 "missing" 531 }; 532 533 #ifdef NSS_ENABLE_ECC 534 /* The ECCWrappedKeyInfo structure defines how various pieces of 535 * information are laid out within wrappedSymmetricWrappingkey 536 * for ECDH key exchange. Since wrappedSymmetricWrappingkey is 537 * a 512-byte buffer (see sslimpl.h), the variable length field 538 * in ECCWrappedKeyInfo can be at most (512 - 8) = 504 bytes. 539 * 540 * XXX For now, NSS only supports named elliptic curves of size 571 bits 541 * or smaller. The public value will fit within 145 bytes and EC params 542 * will fit within 12 bytes. We'll need to revisit this when NSS 543 * supports arbitrary curves. 544 */ 545 #define MAX_EC_WRAPPED_KEY_BUFLEN 504 546 547 typedef struct ECCWrappedKeyInfoStr { 548 PRUint16 size; /* EC public key size in bits */ 549 PRUint16 encodedParamLen; /* length (in bytes) of DER encoded EC params */ 550 PRUint16 pubValueLen; /* length (in bytes) of EC public value */ 551 PRUint16 wrappedKeyLen; /* length (in bytes) of the wrapped key */ 552 PRUint8 var[MAX_EC_WRAPPED_KEY_BUFLEN]; /* this buffer contains the */ 553 /* EC public-key params, the EC public value and the wrapped key */ 554 } ECCWrappedKeyInfo; 555 #endif /* NSS_ENABLE_ECC */ 556 557 #if defined(TRACE) 558 559 static char * 560 ssl3_DecodeHandshakeType(int msgType) 561 { 562 char * rv; 563 static char line[40]; 564 565 switch(msgType) { 566 case hello_request: rv = "hello_request (0)"; break; 567 case client_hello: rv = "client_hello (1)"; break; 568 case server_hello: rv = "server_hello (2)"; break; 569 case hello_verify_request: rv = "hello_verify_request (3)"; break; 570 case certificate: rv = "certificate (11)"; break; 571 case server_key_exchange: rv = "server_key_exchange (12)"; break; 572 case certificate_request: rv = "certificate_request (13)"; break; 573 case server_hello_done: rv = "server_hello_done (14)"; break; 574 case certificate_verify: rv = "certificate_verify (15)"; break; 575 case client_key_exchange: rv = "client_key_exchange (16)"; break; 576 case finished: rv = "finished (20)"; break; 577 default: 578 sprintf(line, "*UNKNOWN* handshake type! (%d)", msgType); 579 rv = line; 580 } 581 return rv; 582 } 583 584 static char * 585 ssl3_DecodeContentType(int msgType) 586 { 587 char * rv; 588 static char line[40]; 589 590 switch(msgType) { 591 case content_change_cipher_spec: 592 rv = "change_cipher_spec (20)"; break; 593 case content_alert: rv = "alert (21)"; break; 594 case content_handshake: rv = "handshake (22)"; break; 595 case content_application_data: 596 rv = "application_data (23)"; break; 597 default: 598 sprintf(line, "*UNKNOWN* record type! (%d)", msgType); 599 rv = line; 600 } 601 return rv; 602 } 603 604 #endif 605 606 SSL3Statistics * 607 SSL_GetStatistics(void) 608 { 609 return &ssl3stats; 610 } 611 612 typedef struct tooLongStr { 613 #if defined(IS_LITTLE_ENDIAN) 614 PRInt32 low; 615 PRInt32 high; 616 #else 617 PRInt32 high; 618 PRInt32 low; 619 #endif 620 } tooLong; 621 622 void SSL_AtomicIncrementLong(long * x) 623 { 624 if ((sizeof *x) == sizeof(PRInt32)) { 625 PR_ATOMIC_INCREMENT((PRInt32 *)x); 626 } else { 627 tooLong * tl = (tooLong *)x; 628 if (PR_ATOMIC_INCREMENT(&tl->low) == 0) 629 PR_ATOMIC_INCREMENT(&tl->high); 630 } 631 } 632 633 static PRBool 634 ssl3_CipherSuiteAllowedForVersionRange( 635 ssl3CipherSuite cipherSuite, 636 const SSLVersionRange *vrange) 637 { 638 switch (cipherSuite) { 639 /* See RFC 4346 A.5. Export cipher suites must not be used in TLS 1.1 or 640 * later. This set of cipher suites is similar to, but different from, the 641 * set of cipher suites considered exportable by SSL_IsExportCipherSuite. 642 */ 643 case SSL_RSA_EXPORT_WITH_RC4_40_MD5: 644 case SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5: 645 /* SSL_RSA_EXPORT_WITH_DES40_CBC_SHA: never implemented 646 * SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA: never implemented 647 * SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA: never implemented 648 * SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA: never implemented 649 * SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA: never implemented 650 * SSL_DH_ANON_EXPORT_WITH_RC4_40_MD5: never implemented 651 * SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA: never implemented 652 */ 653 return vrange->min <= SSL_LIBRARY_VERSION_TLS_1_0; 654 case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305: 655 case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305: 656 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: 657 case TLS_RSA_WITH_AES_256_CBC_SHA256: 658 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: 659 case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: 660 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: 661 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: 662 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: 663 case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: 664 case TLS_RSA_WITH_AES_128_CBC_SHA256: 665 case TLS_RSA_WITH_AES_128_GCM_SHA256: 666 case TLS_RSA_WITH_NULL_SHA256: 667 return vrange->max >= SSL_LIBRARY_VERSION_TLS_1_2; 668 default: 669 return PR_TRUE; 670 } 671 } 672 673 /* return pointer to ssl3CipherSuiteDef for suite, or NULL */ 674 /* XXX This does a linear search. A binary search would be better. */ 675 static const ssl3CipherSuiteDef * 676 ssl_LookupCipherSuiteDef(ssl3CipherSuite suite) 677 { 678 int cipher_suite_def_len = 679 sizeof(cipher_suite_defs) / sizeof(cipher_suite_defs[0]); 680 int i; 681 682 for (i = 0; i < cipher_suite_def_len; i++) { 683 if (cipher_suite_defs[i].cipher_suite == suite) 684 return &cipher_suite_defs[i]; 685 } 686 PORT_Assert(PR_FALSE); /* We should never get here. */ 687 PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE); 688 return NULL; 689 } 690 691 /* Find the cipher configuration struct associate with suite */ 692 /* XXX This does a linear search. A binary search would be better. */ 693 static ssl3CipherSuiteCfg * 694 ssl_LookupCipherSuiteCfg(ssl3CipherSuite suite, ssl3CipherSuiteCfg *suites) 695 { 696 int i; 697 698 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { 699 if (suites[i].cipher_suite == suite) 700 return &suites[i]; 701 } 702 /* return NULL and let the caller handle it. */ 703 PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE); 704 return NULL; 705 } 706 707 708 /* Initialize the suite->isPresent value for config_match 709 * Returns count of enabled ciphers supported by extant tokens, 710 * regardless of policy or user preference. 711 * If this returns zero, the user cannot do SSL v3. 712 */ 713 int 714 ssl3_config_match_init(sslSocket *ss) 715 { 716 ssl3CipherSuiteCfg * suite; 717 const ssl3CipherSuiteDef *cipher_def; 718 SSLCipherAlgorithm cipher_alg; 719 CK_MECHANISM_TYPE cipher_mech; 720 SSL3KEAType exchKeyType; 721 int i; 722 int numPresent = 0; 723 int numEnabled = 0; 724 PRBool isServer; 725 sslServerCerts *svrAuth; 726 727 PORT_Assert(ss); 728 if (!ss) { 729 PORT_SetError(SEC_ERROR_INVALID_ARGS); 730 return 0; 731 } 732 if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) { 733 return 0; 734 } 735 isServer = (PRBool)(ss->sec.isServer != 0); 736 737 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { 738 suite = &ss->cipherSuites[i]; 739 if (suite->enabled) { 740 ++numEnabled; 741 /* We need the cipher defs to see if we have a token that can handle 742 * this cipher. It isn't part of the static definition. 743 */ 744 cipher_def = ssl_LookupCipherSuiteDef(suite->cipher_suite); 745 if (!cipher_def) { 746 suite->isPresent = PR_FALSE; 747 continue; 748 } 749 cipher_alg = bulk_cipher_defs[cipher_def->bulk_cipher_alg].calg; 750 PORT_Assert( alg2Mech[cipher_alg].calg == cipher_alg); 751 cipher_mech = alg2Mech[cipher_alg].cmech; 752 exchKeyType = 753 kea_defs[cipher_def->key_exchange_alg].exchKeyType; 754 #ifndef NSS_ENABLE_ECC 755 svrAuth = ss->serverCerts + exchKeyType; 756 #else 757 /* XXX SSLKEAType isn't really a good choice for 758 * indexing certificates. It doesn't work for 759 * (EC)DHE-* ciphers. Here we use a hack to ensure 760 * that the server uses an RSA cert for (EC)DHE-RSA. 761 */ 762 switch (cipher_def->key_exchange_alg) { 763 case kea_ecdhe_rsa: 764 #if NSS_SERVER_DHE_IMPLEMENTED 765 /* XXX NSS does not yet implement the server side of _DHE_ 766 * cipher suites. Correcting the computation for svrAuth, 767 * as the case below does, causes NSS SSL servers to begin to 768 * negotiate cipher suites they do not implement. So, until 769 * server side _DHE_ is implemented, keep this disabled. 770 */ 771 case kea_dhe_rsa: 772 #endif 773 svrAuth = ss->serverCerts + kt_rsa; 774 break; 775 case kea_ecdh_ecdsa: 776 case kea_ecdh_rsa: 777 /* 778 * XXX We ought to have different indices for 779 * ECDSA- and RSA-signed EC certificates so 780 * we could support both key exchange mechanisms 781 * simultaneously. For now, both of them use 782 * whatever is in the certificate slot for kt_ecdh 783 */ 784 default: 785 svrAuth = ss->serverCerts + exchKeyType; 786 break; 787 } 788 #endif /* NSS_ENABLE_ECC */ 789 790 /* Mark the suites that are backed by real tokens, certs and keys */ 791 suite->isPresent = (PRBool) 792 (((exchKeyType == kt_null) || 793 ((!isServer || (svrAuth->serverKeyPair && 794 svrAuth->SERVERKEY && 795 svrAuth->serverCertChain)) && 796 PK11_TokenExists(kea_alg_defs[exchKeyType]))) && 797 ((cipher_alg == calg_null) || PK11_TokenExists(cipher_mech))); 798 if (suite->isPresent) 799 ++numPresent; 800 } 801 } 802 PORT_Assert(numPresent > 0 || numEnabled == 0); 803 if (numPresent <= 0) { 804 PORT_SetError(SSL_ERROR_NO_CIPHERS_SUPPORTED); 805 } 806 return numPresent; 807 } 808 809 810 /* return PR_TRUE if suite matches policy, enabled state and is applicable to 811 * the given version range. */ 812 /* It would be a REALLY BAD THING (tm) if we ever permitted the use 813 ** of a cipher that was NOT_ALLOWED. So, if this is ever called with 814 ** policy == SSL_NOT_ALLOWED, report no match. 815 */ 816 /* adjust suite enabled to the availability of a token that can do the 817 * cipher suite. */ 818 static PRBool 819 config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled, 820 const SSLVersionRange *vrange) 821 { 822 PORT_Assert(policy != SSL_NOT_ALLOWED && enabled != PR_FALSE); 823 if (policy == SSL_NOT_ALLOWED || !enabled) 824 return PR_FALSE; 825 return (PRBool)(suite->enabled && 826 suite->isPresent && 827 suite->policy != SSL_NOT_ALLOWED && 828 suite->policy <= policy && 829 ssl3_CipherSuiteAllowedForVersionRange( 830 suite->cipher_suite, vrange)); 831 } 832 833 /* return number of cipher suites that match policy, enabled state and are 834 * applicable for the configured protocol version range. */ 835 /* called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */ 836 static int 837 count_cipher_suites(sslSocket *ss, int policy, PRBool enabled) 838 { 839 int i, count = 0; 840 841 if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) { 842 return 0; 843 } 844 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { 845 if (config_match(&ss->cipherSuites[i], policy, enabled, &ss->vrange)) 846 count++; 847 } 848 if (count <= 0) { 849 PORT_SetError(SSL_ERROR_SSL_DISABLED); 850 } 851 return count; 852 } 853 854 /* 855 * Null compression, mac and encryption functions 856 */ 857 858 static SECStatus 859 Null_Cipher(void *ctx, unsigned char *output, int *outputLen, int maxOutputLen, 860 const unsigned char *input, int inputLen) 861 { 862 if (inputLen > maxOutputLen) { 863 *outputLen = 0; /* Match PK11_CipherOp in setting outputLen */ 864 PORT_SetError(SEC_ERROR_OUTPUT_LEN); 865 return SECFailure; 866 } 867 *outputLen = inputLen; 868 if (input != output) 869 PORT_Memcpy(output, input, inputLen); 870 return SECSuccess; 871 } 872 873 /* 874 * SSL3 Utility functions 875 */ 876 877 /* allowLargerPeerVersion controls whether the function will select the 878 * highest enabled SSL version or fail when peerVersion is greater than the 879 * highest enabled version. 880 * 881 * If allowLargerPeerVersion is true, peerVersion is the peer's highest 882 * enabled version rather than the peer's selected version. 883 */ 884 SECStatus 885 ssl3_NegotiateVersion(sslSocket *ss, SSL3ProtocolVersion peerVersion, 886 PRBool allowLargerPeerVersion) 887 { 888 if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) { 889 PORT_SetError(SSL_ERROR_SSL_DISABLED); 890 return SECFailure; 891 } 892 893 if (peerVersion < ss->vrange.min || 894 (peerVersion > ss->vrange.max && !allowLargerPeerVersion)) { 895 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP); 896 return SECFailure; 897 } 898 899 ss->version = PR_MIN(peerVersion, ss->vrange.max); 900 PORT_Assert(ssl3_VersionIsSupported(ss->protocolVariant, ss->version)); 901 902 return SECSuccess; 903 } 904 905 static SECStatus 906 ssl3_GetNewRandom(SSL3Random *random) 907 { 908 PRUint32 gmt = ssl_Time(); 909 SECStatus rv; 910 911 random->rand[0] = (unsigned char)(gmt >> 24); 912 random->rand[1] = (unsigned char)(gmt >> 16); 913 random->rand[2] = (unsigned char)(gmt >> 8); 914 random->rand[3] = (unsigned char)(gmt); 915 916 /* first 4 bytes are reserverd for time */ 917 rv = PK11_GenerateRandom(&random->rand[4], SSL3_RANDOM_LENGTH - 4); 918 if (rv != SECSuccess) { 919 ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE); 920 } 921 return rv; 922 } 923 924 /* Called by ssl3_SendServerKeyExchange and ssl3_SendCertificateVerify */ 925 SECStatus 926 ssl3_SignHashes(SSL3Hashes *hash, SECKEYPrivateKey *key, SECItem *buf, 927 PRBool isTLS) 928 { 929 SECStatus rv = SECFailure; 930 PRBool doDerEncode = PR_FALSE; 931 int signatureLen; 932 SECItem hashItem; 933 934 buf->data = NULL; 935 936 switch (key->keyType) { 937 case rsaKey: 938 hashItem.data = hash->u.raw; 939 hashItem.len = hash->len; 940 break; 941 case dsaKey: 942 doDerEncode = isTLS; 943 /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash. 944 * In that case, we use just the SHA1 part. */ 945 if (hash->hashAlg == SEC_OID_UNKNOWN) { 946 hashItem.data = hash->u.s.sha; 947 hashItem.len = sizeof(hash->u.s.sha); 948 } else { 949 hashItem.data = hash->u.raw; 950 hashItem.len = hash->len; 951 } 952 break; 953 #ifdef NSS_ENABLE_ECC 954 case ecKey: 955 doDerEncode = PR_TRUE; 956 /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash. 957 * In that case, we use just the SHA1 part. */ 958 if (hash->hashAlg == SEC_OID_UNKNOWN) { 959 hashItem.data = hash->u.s.sha; 960 hashItem.len = sizeof(hash->u.s.sha); 961 } else { 962 hashItem.data = hash->u.raw; 963 hashItem.len = hash->len; 964 } 965 break; 966 #endif /* NSS_ENABLE_ECC */ 967 default: 968 PORT_SetError(SEC_ERROR_INVALID_KEY); 969 goto done; 970 } 971 PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len)); 972 973 if (hash->hashAlg == SEC_OID_UNKNOWN) { 974 signatureLen = PK11_SignatureLen(key); 975 if (signatureLen <= 0) { 976 PORT_SetError(SEC_ERROR_INVALID_KEY); 977 goto done; 978 } 979 980 buf->len = (unsigned)signatureLen; 981 buf->data = (unsigned char *)PORT_Alloc(signatureLen); 982 if (!buf->data) 983 goto done; /* error code was set. */ 984 985 rv = PK11_Sign(key, buf, &hashItem); 986 } else { 987 rv = SGN_Digest(key, hash->hashAlg, buf, &hashItem); 988 } 989 if (rv != SECSuccess) { 990 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE); 991 } else if (doDerEncode) { 992 SECItem derSig = {siBuffer, NULL, 0}; 993 994 /* This also works for an ECDSA signature */ 995 rv = DSAU_EncodeDerSigWithLen(&derSig, buf, buf->len); 996 if (rv == SECSuccess) { 997 PORT_Free(buf->data); /* discard unencoded signature. */ 998 *buf = derSig; /* give caller encoded signature. */ 999 } else if (derSig.data) { 1000 PORT_Free(derSig.data); 1001 } 1002 } 1003 1004 PRINT_BUF(60, (NULL, "signed hashes", (unsigned char*)buf->data, buf->len)); 1005 done: 1006 if (rv != SECSuccess && buf->data) { 1007 PORT_Free(buf->data); 1008 buf->data = NULL; 1009 } 1010 return rv; 1011 } 1012 1013 /* Called from ssl3_HandleServerKeyExchange, ssl3_HandleCertificateVerify */ 1014 SECStatus 1015 ssl3_VerifySignedHashes(SSL3Hashes *hash, CERTCertificate *cert, 1016 SECItem *buf, PRBool isTLS, void *pwArg) 1017 { 1018 SECKEYPublicKey * key; 1019 SECItem * signature = NULL; 1020 SECStatus rv; 1021 SECItem hashItem; 1022 SECOidTag encAlg; 1023 SECOidTag hashAlg; 1024 1025 1026 PRINT_BUF(60, (NULL, "check signed hashes", 1027 buf->data, buf->len)); 1028 1029 key = CERT_ExtractPublicKey(cert); 1030 if (key == NULL) { 1031 ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); 1032 return SECFailure; 1033 } 1034 1035 hashAlg = hash->hashAlg; 1036 switch (key->keyType) { 1037 case rsaKey: 1038 encAlg = SEC_OID_PKCS1_RSA_ENCRYPTION; 1039 hashItem.data = hash->u.raw; 1040 hashItem.len = hash->len; 1041 break; 1042 case dsaKey: 1043 encAlg = SEC_OID_ANSIX9_DSA_SIGNATURE; 1044 /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash. 1045 * In that case, we use just the SHA1 part. */ 1046 if (hash->hashAlg == SEC_OID_UNKNOWN) { 1047 hashItem.data = hash->u.s.sha; 1048 hashItem.len = sizeof(hash->u.s.sha); 1049 } else { 1050 hashItem.data = hash->u.raw; 1051 hashItem.len = hash->len; 1052 } 1053 /* Allow DER encoded DSA signatures in SSL 3.0 */ 1054 if (isTLS || buf->len != SECKEY_SignatureLen(key)) { 1055 signature = DSAU_DecodeDerSig(buf); 1056 if (!signature) { 1057 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); 1058 return SECFailure; 1059 } 1060 buf = signature; 1061 } 1062 break; 1063 1064 #ifdef NSS_ENABLE_ECC 1065 case ecKey: 1066 encAlg = SEC_OID_ANSIX962_EC_PUBLIC_KEY; 1067 /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash. 1068 * In that case, we use just the SHA1 part. 1069 * ECDSA signatures always encode the integers r and s using ASN.1 1070 * (unlike DSA where ASN.1 encoding is used with TLS but not with 1071 * SSL3). So we can use VFY_VerifyDigestDirect for ECDSA. 1072 */ 1073 if (hash->hashAlg == SEC_OID_UNKNOWN) { 1074 hashAlg = SEC_OID_SHA1; 1075 hashItem.data = hash->u.s.sha; 1076 hashItem.len = sizeof(hash->u.s.sha); 1077 } else { 1078 hashItem.data = hash->u.raw; 1079 hashItem.len = hash->len; 1080 } 1081 break; 1082 #endif /* NSS_ENABLE_ECC */ 1083 1084 default: 1085 SECKEY_DestroyPublicKey(key); 1086 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); 1087 return SECFailure; 1088 } 1089 1090 PRINT_BUF(60, (NULL, "hash(es) to be verified", 1091 hashItem.data, hashItem.len)); 1092 1093 if (hashAlg == SEC_OID_UNKNOWN || key->keyType == dsaKey) { 1094 /* VFY_VerifyDigestDirect requires DSA signatures to be DER-encoded. 1095 * DSA signatures are DER-encoded in TLS but not in SSL3 and the code 1096 * above always removes the DER encoding of DSA signatures when 1097 * present. Thus DSA signatures are always verified with PK11_Verify. 1098 */ 1099 rv = PK11_Verify(key, buf, &hashItem, pwArg); 1100 } else { 1101 rv = VFY_VerifyDigestDirect(&hashItem, key, buf, encAlg, hashAlg, 1102 pwArg); 1103 } 1104 SECKEY_DestroyPublicKey(key); 1105 if (signature) { 1106 SECITEM_FreeItem(signature, PR_TRUE); 1107 } 1108 if (rv != SECSuccess) { 1109 ssl_MapLowLevelError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); 1110 } 1111 return rv; 1112 } 1113 1114 1115 /* Caller must set hiLevel error code. */ 1116 /* Called from ssl3_ComputeExportRSAKeyHash 1117 * ssl3_ComputeDHKeyHash 1118 * which are called from ssl3_HandleServerKeyExchange. 1119 * 1120 * hashAlg: either the OID for a hash algorithm or SEC_OID_UNKNOWN to specify 1121 * the pre-1.2, MD5/SHA1 combination hash. 1122 */ 1123 SECStatus 1124 ssl3_ComputeCommonKeyHash(SECOidTag hashAlg, 1125 PRUint8 * hashBuf, unsigned int bufLen, 1126 SSL3Hashes *hashes, PRBool bypassPKCS11) 1127 { 1128 SECStatus rv = SECSuccess; 1129 1130 #ifndef NO_PKCS11_BYPASS 1131 if (bypassPKCS11) { 1132 if (hashAlg == SEC_OID_UNKNOWN) { 1133 MD5_HashBuf (hashes->u.s.md5, hashBuf, bufLen); 1134 SHA1_HashBuf(hashes->u.s.sha, hashBuf, bufLen); 1135 hashes->len = MD5_LENGTH + SHA1_LENGTH; 1136 } else if (hashAlg == SEC_OID_SHA1) { 1137 SHA1_HashBuf(hashes->u.raw, hashBuf, bufLen); 1138 hashes->len = SHA1_LENGTH; 1139 } else if (hashAlg == SEC_OID_SHA256) { 1140 SHA256_HashBuf(hashes->u.raw, hashBuf, bufLen); 1141 hashes->len = SHA256_LENGTH; 1142 } else if (hashAlg == SEC_OID_SHA384) { 1143 SHA384_HashBuf(hashes->u.raw, hashBuf, bufLen); 1144 hashes->len = SHA384_LENGTH; 1145 } else if (hashAlg == SEC_OID_SHA512) { 1146 SHA512_HashBuf(hashes->u.raw, hashBuf, bufLen); 1147 hashes->len = SHA512_LENGTH; 1148 } else { 1149 PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM); 1150 return SECFailure; 1151 } 1152 } else 1153 #endif 1154 { 1155 if (hashAlg == SEC_OID_UNKNOWN) { 1156 rv = PK11_HashBuf(SEC_OID_MD5, hashes->u.s.md5, hashBuf, bufLen); 1157 if (rv != SECSuccess) { 1158 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); 1159 rv = SECFailure; 1160 goto done; 1161 } 1162 1163 rv = PK11_HashBuf(SEC_OID_SHA1, hashes->u.s.sha, hashBuf, bufLen); 1164 if (rv != SECSuccess) { 1165 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); 1166 rv = SECFailure; 1167 } 1168 hashes->len = MD5_LENGTH + SHA1_LENGTH; 1169 } else { 1170 hashes->len = HASH_ResultLenByOidTag(hashAlg); 1171 if (hashes->len > sizeof(hashes->u.raw)) { 1172 ssl_MapLowLevelError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM); 1173 rv = SECFailure; 1174 goto done; 1175 } 1176 rv = PK11_HashBuf(hashAlg, hashes->u.raw, hashBuf, bufLen); 1177 if (rv != SECSuccess) { 1178 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); 1179 rv = SECFailure; 1180 } 1181 } 1182 } 1183 hashes->hashAlg = hashAlg; 1184 1185 done: 1186 return rv; 1187 } 1188 1189 /* Caller must set hiLevel error code. 1190 ** Called from ssl3_SendServerKeyExchange and 1191 ** ssl3_HandleServerKeyExchange. 1192 */ 1193 static SECStatus 1194 ssl3_ComputeExportRSAKeyHash(SECOidTag hashAlg, 1195 SECItem modulus, SECItem publicExponent, 1196 SSL3Random *client_rand, SSL3Random *server_rand, 1197 SSL3Hashes *hashes, PRBool bypassPKCS11) 1198 { 1199 PRUint8 * hashBuf; 1200 PRUint8 * pBuf; 1201 SECStatus rv = SECSuccess; 1202 unsigned int bufLen; 1203 PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8]; 1204 1205 bufLen = 2*SSL3_RANDOM_LENGTH + 2 + modulus.len + 2 + publicExponent.len; 1206 if (bufLen <= sizeof buf) { 1207 hashBuf = buf; 1208 } else { 1209 hashBuf = PORT_Alloc(bufLen); 1210 if (!hashBuf) { 1211 return SECFailure; 1212 } 1213 } 1214 1215 memcpy(hashBuf, client_rand, SSL3_RANDOM_LENGTH); 1216 pBuf = hashBuf + SSL3_RANDOM_LENGTH; 1217 memcpy(pBuf, server_rand, SSL3_RANDOM_LENGTH); 1218 pBuf += SSL3_RANDOM_LENGTH; 1219 pBuf[0] = (PRUint8)(modulus.len >> 8); 1220 pBuf[1] = (PRUint8)(modulus.len); 1221 pBuf += 2; 1222 memcpy(pBuf, modulus.data, modulus.len); 1223 pBuf += modulus.len; 1224 pBuf[0] = (PRUint8)(publicExponent.len >> 8); 1225 pBuf[1] = (PRUint8)(publicExponent.len); 1226 pBuf += 2; 1227 memcpy(pBuf, publicExponent.data, publicExponent.len); 1228 pBuf += publicExponent.len; 1229 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen); 1230 1231 rv = ssl3_ComputeCommonKeyHash(hashAlg, hashBuf, bufLen, hashes, 1232 bypassPKCS11); 1233 1234 PRINT_BUF(95, (NULL, "RSAkey hash: ", hashBuf, bufLen)); 1235 if (hashAlg == SEC_OID_UNKNOWN) { 1236 PRINT_BUF(95, (NULL, "RSAkey hash: MD5 result", 1237 hashes->u.s.md5, MD5_LENGTH)); 1238 PRINT_BUF(95, (NULL, "RSAkey hash: SHA1 result", 1239 hashes->u.s.sha, SHA1_LENGTH)); 1240 } else { 1241 PRINT_BUF(95, (NULL, "RSAkey hash: result", 1242 hashes->u.raw, hashes->len)); 1243 } 1244 1245 if (hashBuf != buf && hashBuf != NULL) 1246 PORT_Free(hashBuf); 1247 return rv; 1248 } 1249 1250 /* Caller must set hiLevel error code. */ 1251 /* Called from ssl3_HandleServerKeyExchange. */ 1252 static SECStatus 1253 ssl3_ComputeDHKeyHash(SECOidTag hashAlg, 1254 SECItem dh_p, SECItem dh_g, SECItem dh_Ys, 1255 SSL3Random *client_rand, SSL3Random *server_rand, 1256 SSL3Hashes *hashes, PRBool bypassPKCS11) 1257 { 1258 PRUint8 * hashBuf; 1259 PRUint8 * pBuf; 1260 SECStatus rv = SECSuccess; 1261 unsigned int bufLen; 1262 PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8]; 1263 1264 bufLen = 2*SSL3_RANDOM_LENGTH + 2 + dh_p.len + 2 + dh_g.len + 2 + dh_Ys.len; 1265 if (bufLen <= sizeof buf) { 1266 hashBuf = buf; 1267 } else { 1268 hashBuf = PORT_Alloc(bufLen); 1269 if (!hashBuf) { 1270 return SECFailure; 1271 } 1272 } 1273 1274 memcpy(hashBuf, client_rand, SSL3_RANDOM_LENGTH); 1275 pBuf = hashBuf + SSL3_RANDOM_LENGTH; 1276 memcpy(pBuf, server_rand, SSL3_RANDOM_LENGTH); 1277 pBuf += SSL3_RANDOM_LENGTH; 1278 pBuf[0] = (PRUint8)(dh_p.len >> 8); 1279 pBuf[1] = (PRUint8)(dh_p.len); 1280 pBuf += 2; 1281 memcpy(pBuf, dh_p.data, dh_p.len); 1282 pBuf += dh_p.len; 1283 pBuf[0] = (PRUint8)(dh_g.len >> 8); 1284 pBuf[1] = (PRUint8)(dh_g.len); 1285 pBuf += 2; 1286 memcpy(pBuf, dh_g.data, dh_g.len); 1287 pBuf += dh_g.len; 1288 pBuf[0] = (PRUint8)(dh_Ys.len >> 8); 1289 pBuf[1] = (PRUint8)(dh_Ys.len); 1290 pBuf += 2; 1291 memcpy(pBuf, dh_Ys.data, dh_Ys.len); 1292 pBuf += dh_Ys.len; 1293 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen); 1294 1295 rv = ssl3_ComputeCommonKeyHash(hashAlg, hashBuf, bufLen, hashes, 1296 bypassPKCS11); 1297 1298 PRINT_BUF(95, (NULL, "DHkey hash: ", hashBuf, bufLen)); 1299 if (hashAlg == SEC_OID_UNKNOWN) { 1300 PRINT_BUF(95, (NULL, "DHkey hash: MD5 result", 1301 hashes->u.s.md5, MD5_LENGTH)); 1302 PRINT_BUF(95, (NULL, "DHkey hash: SHA1 result", 1303 hashes->u.s.sha, SHA1_LENGTH)); 1304 } else { 1305 PRINT_BUF(95, (NULL, "DHkey hash: result", 1306 hashes->u.raw, hashes->len)); 1307 } 1308 1309 if (hashBuf != buf && hashBuf != NULL) 1310 PORT_Free(hashBuf); 1311 return rv; 1312 } 1313 1314 static void 1315 ssl3_BumpSequenceNumber(SSL3SequenceNumber *num) 1316 { 1317 num->low++; 1318 if (num->low == 0) 1319 num->high++; 1320 } 1321 1322 /* Called twice, only from ssl3_DestroyCipherSpec (immediately below). */ 1323 static void 1324 ssl3_CleanupKeyMaterial(ssl3KeyMaterial *mat) 1325 { 1326 if (mat->write_key != NULL) { 1327 PK11_FreeSymKey(mat->write_key); 1328 mat->write_key = NULL; 1329 } 1330 if (mat->write_mac_key != NULL) { 1331 PK11_FreeSymKey(mat->write_mac_key); 1332 mat->write_mac_key = NULL; 1333 } 1334 if (mat->write_mac_context != NULL) { 1335 PK11_DestroyContext(mat->write_mac_context, PR_TRUE); 1336 mat->write_mac_context = NULL; 1337 } 1338 } 1339 1340 /* Called from ssl3_SendChangeCipherSpecs() and 1341 ** ssl3_HandleChangeCipherSpecs() 1342 ** ssl3_DestroySSL3Info 1343 ** Caller must hold SpecWriteLock. 1344 */ 1345 void 1346 ssl3_DestroyCipherSpec(ssl3CipherSpec *spec, PRBool freeSrvName) 1347 { 1348 PRBool freeit = (PRBool)(!spec->bypassCiphers); 1349 /* PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); Don't have ss! */ 1350 if (spec->destroy) { 1351 spec->destroy(spec->encodeContext, freeit); 1352 spec->destroy(spec->decodeContext, freeit); 1353 spec->encodeContext = NULL; /* paranoia */ 1354 spec->decodeContext = NULL; 1355 } 1356 if (spec->destroyCompressContext && spec->compressContext) { 1357 spec->destroyCompressContext(spec->compressContext, 1); 1358 spec->compressContext = NULL; 1359 } 1360 if (spec->destroyDecompressContext && spec->decompressContext) { 1361 spec->destroyDecompressContext(spec->decompressContext, 1); 1362 spec->decompressContext = NULL; 1363 } 1364 if (freeSrvName && spec->srvVirtName.data) { 1365 SECITEM_FreeItem(&spec->srvVirtName, PR_FALSE); 1366 } 1367 if (spec->master_secret != NULL) { 1368 PK11_FreeSymKey(spec->master_secret); 1369 spec->master_secret = NULL; 1370 } 1371 spec->msItem.data = NULL; 1372 spec->msItem.len = 0; 1373 ssl3_CleanupKeyMaterial(&spec->client); 1374 ssl3_CleanupKeyMaterial(&spec->server); 1375 spec->bypassCiphers = PR_FALSE; 1376 spec->destroy=NULL; 1377 spec->destroyCompressContext = NULL; 1378 spec->destroyDecompressContext = NULL; 1379 } 1380 1381 /* Fill in the pending cipher spec with info from the selected ciphersuite. 1382 ** This is as much initialization as we can do without having key material. 1383 ** Called from ssl3_HandleServerHello(), ssl3_SendServerHello() 1384 ** Caller must hold the ssl3 handshake lock. 1385 ** Acquires & releases SpecWriteLock. 1386 */ 1387 static SECStatus 1388 ssl3_SetupPendingCipherSpec(sslSocket *ss) 1389 { 1390 ssl3CipherSpec * pwSpec; 1391 ssl3CipherSpec * cwSpec; 1392 ssl3CipherSuite suite = ss->ssl3.hs.cipher_suite; 1393 SSL3MACAlgorithm mac; 1394 SSL3BulkCipher cipher; 1395 SSL3KeyExchangeAlgorithm kea; 1396 const ssl3CipherSuiteDef *suite_def; 1397 PRBool isTLS; 1398 1399 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 1400 1401 ssl_GetSpecWriteLock(ss); /*******************************/ 1402 1403 pwSpec = ss->ssl3.pwSpec; 1404 PORT_Assert(pwSpec == ss->ssl3.prSpec); 1405 1406 /* This hack provides maximal interoperability with SSL 3 servers. */ 1407 cwSpec = ss->ssl3.cwSpec; 1408 if (cwSpec->mac_def->mac == mac_null) { 1409 /* SSL records are not being MACed. */ 1410 cwSpec->version = ss->version; 1411 } 1412 1413 pwSpec->version = ss->version; 1414 isTLS = (PRBool)(pwSpec->version > SSL_LIBRARY_VERSION_3_0); 1415 1416 SSL_TRC(3, ("%d: SSL3[%d]: Set XXX Pending Cipher Suite to 0x%04x", 1417 SSL_GETPID(), ss->fd, suite)); 1418 1419 suite_def = ssl_LookupCipherSuiteDef(suite); 1420 if (suite_def == NULL) { 1421 ssl_ReleaseSpecWriteLock(ss); 1422 return SECFailure; /* error code set by ssl_LookupCipherSuiteDef */ 1423 } 1424 1425 if (IS_DTLS(ss)) { 1426 /* Double-check that we did not pick an RC4 suite */ 1427 PORT_Assert((suite_def->bulk_cipher_alg != cipher_rc4) && 1428 (suite_def->bulk_cipher_alg != cipher_rc4_40) && 1429 (suite_def->bulk_cipher_alg != cipher_rc4_56)); 1430 } 1431 1432 cipher = suite_def->bulk_cipher_alg; 1433 kea = suite_def->key_exchange_alg; 1434 mac = suite_def->mac_alg; 1435 if (mac <= ssl_mac_sha && mac != ssl_mac_null && isTLS) 1436 mac += 2; 1437 1438 ss->ssl3.hs.suite_def = suite_def; 1439 ss->ssl3.hs.kea_def = &kea_defs[kea]; 1440 PORT_Assert(ss->ssl3.hs.kea_def->kea == kea); 1441 1442 pwSpec->cipher_def = &bulk_cipher_defs[cipher]; 1443 PORT_Assert(pwSpec->cipher_def->cipher == cipher); 1444 1445 pwSpec->mac_def = &mac_defs[mac]; 1446 PORT_Assert(pwSpec->mac_def->mac == mac); 1447 1448 ss->sec.keyBits = pwSpec->cipher_def->key_size * BPB; 1449 ss->sec.secretKeyBits = pwSpec->cipher_def->secret_key_size * BPB; 1450 ss->sec.cipherType = cipher; 1451 1452 pwSpec->encodeContext = NULL; 1453 pwSpec->decodeContext = NULL; 1454 1455 pwSpec->mac_size = pwSpec->mac_def->mac_size; 1456 1457 pwSpec->compression_method = ss->ssl3.hs.compression; 1458 pwSpec->compressContext = NULL; 1459 pwSpec->decompressContext = NULL; 1460 1461 ssl_ReleaseSpecWriteLock(ss); /*******************************/ 1462 return SECSuccess; 1463 } 1464 1465 #ifdef NSS_ENABLE_ZLIB 1466 #define SSL3_DEFLATE_CONTEXT_SIZE sizeof(z_stream) 1467 1468 static SECStatus 1469 ssl3_MapZlibError(int zlib_error) 1470 { 1471 switch (zlib_error) { 1472 case Z_OK: 1473 return SECSuccess; 1474 default: 1475 return SECFailure; 1476 } 1477 } 1478 1479 static SECStatus 1480 ssl3_DeflateInit(void *void_context) 1481 { 1482 z_stream *context = void_context; 1483 context->zalloc = NULL; 1484 context->zfree = NULL; 1485 context->opaque = NULL; 1486 1487 return ssl3_MapZlibError(deflateInit(context, Z_DEFAULT_COMPRESSION)); 1488 } 1489 1490 static SECStatus 1491 ssl3_InflateInit(void *void_context) 1492 { 1493 z_stream *context = void_context; 1494 context->zalloc = NULL; 1495 context->zfree = NULL; 1496 context->opaque = NULL; 1497 context->next_in = NULL; 1498 context->avail_in = 0; 1499 1500 return ssl3_MapZlibError(inflateInit(context)); 1501 } 1502 1503 static SECStatus 1504 ssl3_DeflateCompress(void *void_context, unsigned char *out, int *out_len, 1505 int maxout, const unsigned char *in, int inlen) 1506 { 1507 z_stream *context = void_context; 1508 1509 if (!inlen) { 1510 *out_len = 0; 1511 return SECSuccess; 1512 } 1513 1514 context->next_in = (unsigned char*) in; 1515 context->avail_in = inlen; 1516 context->next_out = out; 1517 context->avail_out = maxout; 1518 if (deflate(context, Z_SYNC_FLUSH) != Z_OK) { 1519 return SECFailure; 1520 } 1521 if (context->avail_out == 0) { 1522 /* We ran out of space! */ 1523 SSL_TRC(3, ("%d: SSL3[%d] Ran out of buffer while compressing", 1524 SSL_GETPID())); 1525 return SECFailure; 1526 } 1527 1528 *out_len = maxout - context->avail_out; 1529 return SECSuccess; 1530 } 1531 1532 static SECStatus 1533 ssl3_DeflateDecompress(void *void_context, unsigned char *out, int *out_len, 1534 int maxout, const unsigned char *in, int inlen) 1535 { 1536 z_stream *context = void_context; 1537 1538 if (!inlen) { 1539 *out_len = 0; 1540 return SECSuccess; 1541 } 1542 1543 context->next_in = (unsigned char*) in; 1544 context->avail_in = inlen; 1545 context->next_out = out; 1546 context->avail_out = maxout; 1547 if (inflate(context, Z_SYNC_FLUSH) != Z_OK) { 1548 PORT_SetError(SSL_ERROR_DECOMPRESSION_FAILURE); 1549 return SECFailure; 1550 } 1551 1552 *out_len = maxout - context->avail_out; 1553 return SECSuccess; 1554 } 1555 1556 static SECStatus 1557 ssl3_DestroyCompressContext(void *void_context, PRBool unused) 1558 { 1559 deflateEnd(void_context); 1560 PORT_Free(void_context); 1561 return SECSuccess; 1562 } 1563 1564 static SECStatus 1565 ssl3_DestroyDecompressContext(void *void_context, PRBool unused) 1566 { 1567 inflateEnd(void_context); 1568 PORT_Free(void_context); 1569 return SECSuccess; 1570 } 1571 1572 #endif /* NSS_ENABLE_ZLIB */ 1573 1574 /* Initialize the compression functions and contexts for the given 1575 * CipherSpec. */ 1576 static SECStatus 1577 ssl3_InitCompressionContext(ssl3CipherSpec *pwSpec) 1578 { 1579 /* Setup the compression functions */ 1580 switch (pwSpec->compression_method) { 1581 case ssl_compression_null: 1582 pwSpec->compressor = NULL; 1583 pwSpec->decompressor = NULL; 1584 pwSpec->compressContext = NULL; 1585 pwSpec->decompressContext = NULL; 1586 pwSpec->destroyCompressContext = NULL; 1587 pwSpec->destroyDecompressContext = NULL; 1588 break; 1589 #ifdef NSS_ENABLE_ZLIB 1590 case ssl_compression_deflate: 1591 pwSpec->compressor = ssl3_DeflateCompress; 1592 pwSpec->decompressor = ssl3_DeflateDecompress; 1593 pwSpec->compressContext = PORT_Alloc(SSL3_DEFLATE_CONTEXT_SIZE); 1594 pwSpec->decompressContext = PORT_Alloc(SSL3_DEFLATE_CONTEXT_SIZE); 1595 pwSpec->destroyCompressContext = ssl3_DestroyCompressContext; 1596 pwSpec->destroyDecompressContext = ssl3_DestroyDecompressContext; 1597 ssl3_DeflateInit(pwSpec->compressContext); 1598 ssl3_InflateInit(pwSpec->decompressContext); 1599 break; 1600 #endif /* NSS_ENABLE_ZLIB */ 1601 default: 1602 PORT_Assert(0); 1603 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1604 return SECFailure; 1605 } 1606 1607 return SECSuccess; 1608 } 1609 1610 #ifndef NO_PKCS11_BYPASS 1611 /* Initialize encryption contexts for pending spec. 1612 * MAC contexts are set up when computing the mac, not here. 1613 * Master Secret already is derived in spec->msItem 1614 * Caller holds Spec write lock. 1615 */ 1616 static SECStatus 1617 ssl3_InitPendingContextsBypass(sslSocket *ss) 1618 { 1619 ssl3CipherSpec * pwSpec; 1620 const ssl3BulkCipherDef *cipher_def; 1621 void * serverContext = NULL; 1622 void * clientContext = NULL; 1623 BLapiInitContextFunc initFn = (BLapiInitContextFunc)NULL; 1624 int mode = 0; 1625 unsigned int optArg1 = 0; 1626 unsigned int optArg2 = 0; 1627 PRBool server_encrypts = ss->sec.isServer; 1628 SSLCipherAlgorithm calg; 1629 SECStatus rv; 1630 1631 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 1632 PORT_Assert(ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); 1633 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); 1634 1635 pwSpec = ss->ssl3.pwSpec; 1636 cipher_def = pwSpec->cipher_def; 1637 1638 calg = cipher_def->calg; 1639 1640 if (calg == calg_aes_gcm) { 1641 pwSpec->encode = NULL; 1642 pwSpec->decode = NULL; 1643 pwSpec->destroy = NULL; 1644 pwSpec->encodeContext = NULL; 1645 pwSpec->decodeContext = NULL; 1646 pwSpec->aead = ssl3_AESGCMBypass; 1647 ssl3_InitCompressionContext(pwSpec); 1648 return SECSuccess; 1649 } 1650 1651 serverContext = pwSpec->server.cipher_context; 1652 clientContext = pwSpec->client.cipher_context; 1653 1654 switch (calg) { 1655 case ssl_calg_null: 1656 pwSpec->encode = Null_Cipher; 1657 pwSpec->decode = Null_Cipher; 1658 pwSpec->destroy = NULL; 1659 goto success; 1660 1661 case ssl_calg_rc4: 1662 initFn = (BLapiInitContextFunc)RC4_InitContext; 1663 pwSpec->encode = (SSLCipher) RC4_Encrypt; 1664 pwSpec->decode = (SSLCipher) RC4_Decrypt; 1665 pwSpec->destroy = (SSLDestroy) RC4_DestroyContext; 1666 break; 1667 case ssl_calg_rc2: 1668 initFn = (BLapiInitContextFunc)RC2_InitContext; 1669 mode = NSS_RC2_CBC; 1670 optArg1 = cipher_def->key_size; 1671 pwSpec->encode = (SSLCipher) RC2_Encrypt; 1672 pwSpec->decode = (SSLCipher) RC2_Decrypt; 1673 pwSpec->destroy = (SSLDestroy) RC2_DestroyContext; 1674 break; 1675 case ssl_calg_des: 1676 initFn = (BLapiInitContextFunc)DES_InitContext; 1677 mode = NSS_DES_CBC; 1678 optArg1 = server_encrypts; 1679 pwSpec->encode = (SSLCipher) DES_Encrypt; 1680 pwSpec->decode = (SSLCipher) DES_Decrypt; 1681 pwSpec->destroy = (SSLDestroy) DES_DestroyContext; 1682 break; 1683 case ssl_calg_3des: 1684 initFn = (BLapiInitContextFunc)DES_InitContext; 1685 mode = NSS_DES_EDE3_CBC; 1686 optArg1 = server_encrypts; 1687 pwSpec->encode = (SSLCipher) DES_Encrypt; 1688 pwSpec->decode = (SSLCipher) DES_Decrypt; 1689 pwSpec->destroy = (SSLDestroy) DES_DestroyContext; 1690 break; 1691 case ssl_calg_aes: 1692 initFn = (BLapiInitContextFunc)AES_InitContext; 1693 mode = NSS_AES_CBC; 1694 optArg1 = server_encrypts; 1695 optArg2 = AES_BLOCK_SIZE; 1696 pwSpec->encode = (SSLCipher) AES_Encrypt; 1697 pwSpec->decode = (SSLCipher) AES_Decrypt; 1698 pwSpec->destroy = (SSLDestroy) AES_DestroyContext; 1699 break; 1700 1701 case ssl_calg_camellia: 1702 initFn = (BLapiInitContextFunc)Camellia_InitContext; 1703 mode = NSS_CAMELLIA_CBC; 1704 optArg1 = server_encrypts; 1705 optArg2 = CAMELLIA_BLOCK_SIZE; 1706 pwSpec->encode = (SSLCipher) Camellia_Encrypt; 1707 pwSpec->decode = (SSLCipher) Camellia_Decrypt; 1708 pwSpec->destroy = (SSLDestroy) Camellia_DestroyContext; 1709 break; 1710 1711 case ssl_calg_seed: 1712 initFn = (BLapiInitContextFunc)SEED_InitContext; 1713 mode = NSS_SEED_CBC; 1714 optArg1 = server_encrypts; 1715 optArg2 = SEED_BLOCK_SIZE; 1716 pwSpec->encode = (SSLCipher) SEED_Encrypt; 1717 pwSpec->decode = (SSLCipher) SEED_Decrypt; 1718 pwSpec->destroy = (SSLDestroy) SEED_DestroyContext; 1719 break; 1720 1721 case ssl_calg_idea: 1722 case ssl_calg_fortezza : 1723 default: 1724 PORT_Assert(0); 1725 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1726 goto bail_out; 1727 } 1728 rv = (*initFn)(serverContext, 1729 pwSpec->server.write_key_item.data, 1730 pwSpec->server.write_key_item.len, 1731 pwSpec->server.write_iv_item.data, 1732 mode, optArg1, optArg2); 1733 if (rv != SECSuccess) { 1734 PORT_Assert(0); 1735 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1736 goto bail_out; 1737 } 1738 1739 switch (calg) { 1740 case ssl_calg_des: 1741 case ssl_calg_3des: 1742 case ssl_calg_aes: 1743 case ssl_calg_camellia: 1744 case ssl_calg_seed: 1745 /* For block ciphers, if the server is encrypting, then the client 1746 * is decrypting, and vice versa. 1747 */ 1748 optArg1 = !optArg1; 1749 break; 1750 /* kill warnings. */ 1751 case ssl_calg_null: 1752 case ssl_calg_rc4: 1753 case ssl_calg_rc2: 1754 case ssl_calg_idea: 1755 case ssl_calg_fortezza: 1756 break; 1757 } 1758 1759 rv = (*initFn)(clientContext, 1760 pwSpec->client.write_key_item.data, 1761 pwSpec->client.write_key_item.len, 1762 pwSpec->client.write_iv_item.data, 1763 mode, optArg1, optArg2); 1764 if (rv != SECSuccess) { 1765 PORT_Assert(0); 1766 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1767 goto bail_out; 1768 } 1769 1770 pwSpec->encodeContext = (ss->sec.isServer) ? serverContext : clientContext; 1771 pwSpec->decodeContext = (ss->sec.isServer) ? clientContext : serverContext; 1772 1773 ssl3_InitCompressionContext(pwSpec); 1774 1775 success: 1776 return SECSuccess; 1777 1778 bail_out: 1779 return SECFailure; 1780 } 1781 #endif 1782 1783 /* This function should probably be moved to pk11wrap and be named 1784 * PK11_ParamFromIVAndEffectiveKeyBits 1785 */ 1786 static SECItem * 1787 ssl3_ParamFromIV(CK_MECHANISM_TYPE mtype, SECItem *iv, CK_ULONG ulEffectiveBits) 1788 { 1789 SECItem * param = PK11_ParamFromIV(mtype, iv); 1790 if (param && param->data && param->len >= sizeof(CK_RC2_PARAMS)) { 1791 switch (mtype) { 1792 case CKM_RC2_KEY_GEN: 1793 case CKM_RC2_ECB: 1794 case CKM_RC2_CBC: 1795 case CKM_RC2_MAC: 1796 case CKM_RC2_MAC_GENERAL: 1797 case CKM_RC2_CBC_PAD: 1798 *(CK_RC2_PARAMS *)param->data = ulEffectiveBits; 1799 default: break; 1800 } 1801 } 1802 return param; 1803 } 1804 1805 /* ssl3_BuildRecordPseudoHeader writes the SSL/TLS pseudo-header (the data 1806 * which is included in the MAC or AEAD additional data) to |out| and returns 1807 * its length. See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the 1808 * definition of the AEAD additional data. 1809 * 1810 * TLS pseudo-header includes the record's version field, SSL's doesn't. Which 1811 * pseudo-header defintiion to use should be decided based on the version of 1812 * the protocol that was negotiated when the cipher spec became current, NOT 1813 * based on the version value in the record itself, and the decision is passed 1814 * to this function as the |includesVersion| argument. But, the |version| 1815 * argument should be the record's version value. 1816 */ 1817 static unsigned int 1818 ssl3_BuildRecordPseudoHeader(unsigned char *out, 1819 SSL3SequenceNumber seq_num, 1820 SSL3ContentType type, 1821 PRBool includesVersion, 1822 SSL3ProtocolVersion version, 1823 PRBool isDTLS, 1824 int length) 1825 { 1826 out[0] = (unsigned char)(seq_num.high >> 24); 1827 out[1] = (unsigned char)(seq_num.high >> 16); 1828 out[2] = (unsigned char)(seq_num.high >> 8); 1829 out[3] = (unsigned char)(seq_num.high >> 0); 1830 out[4] = (unsigned char)(seq_num.low >> 24); 1831 out[5] = (unsigned char)(seq_num.low >> 16); 1832 out[6] = (unsigned char)(seq_num.low >> 8); 1833 out[7] = (unsigned char)(seq_num.low >> 0); 1834 out[8] = type; 1835 1836 /* SSL3 MAC doesn't include the record's version field. */ 1837 if (!includesVersion) { 1838 out[9] = MSB(length); 1839 out[10] = LSB(length); 1840 return 11; 1841 } 1842 1843 /* TLS MAC and AEAD additional data include version. */ 1844 if (isDTLS) { 1845 SSL3ProtocolVersion dtls_version; 1846 1847 dtls_version = dtls_TLSVersionToDTLSVersion(version); 1848 out[9] = MSB(dtls_version); 1849 out[10] = LSB(dtls_version); 1850 } else { 1851 out[9] = MSB(version); 1852 out[10] = LSB(version); 1853 } 1854 out[11] = MSB(length); 1855 out[12] = LSB(length); 1856 return 13; 1857 } 1858 1859 typedef SECStatus (*PK11CryptFcn)( 1860 PK11SymKey *symKey, CK_MECHANISM_TYPE mechanism, SECItem *param, 1861 unsigned char *out, unsigned int *outLen, unsigned int maxLen, 1862 const unsigned char *in, unsigned int inLen); 1863 1864 static PK11CryptFcn pk11_encrypt = NULL; 1865 static PK11CryptFcn pk11_decrypt = NULL; 1866 1867 static PRCallOnceType resolvePK11CryptOnce; 1868 1869 static PRStatus 1870 ssl3_ResolvePK11CryptFunctions(void) 1871 { 1872 #ifdef LINUX 1873 /* On Linux we use the system NSS libraries. Look up the PK11_Encrypt and 1874 * PK11_Decrypt functions at run time. */ 1875 void *handle = dlopen(NULL, RTLD_LAZY); 1876 if (!handle) { 1877 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1878 return PR_FAILURE; 1879 } 1880 pk11_encrypt = (PK11CryptFcn)dlsym(handle, "PK11_Encrypt"); 1881 pk11_decrypt = (PK11CryptFcn)dlsym(handle, "PK11_Decrypt"); 1882 dlclose(handle); 1883 return PR_SUCCESS; 1884 #else 1885 /* On other platforms we use our own copy of NSS. PK11_Encrypt and 1886 * PK11_Decrypt are known to be available. */ 1887 pk11_encrypt = PK11_Encrypt; 1888 pk11_decrypt = PK11_Decrypt; 1889 return PR_SUCCESS; 1890 #endif 1891 } 1892 1893 /* 1894 * In NSS 3.15, PK11_Encrypt and PK11_Decrypt were added to provide access 1895 * to the AES GCM implementation in the NSS softoken. So the presence of 1896 * these two functions implies the NSS version supports AES GCM. 1897 */ 1898 static PRBool 1899 ssl3_HasGCMSupport(void) 1900 { 1901 (void)PR_CallOnce(&resolvePK11CryptOnce, ssl3_ResolvePK11CryptFunctions); 1902 return pk11_encrypt != NULL; 1903 } 1904 1905 /* On this socket, disable the GCM cipher suites */ 1906 SECStatus 1907 ssl3_DisableGCMSuites(sslSocket * ss) 1908 { 1909 unsigned int i; 1910 1911 for (i = 0; i < PR_ARRAY_SIZE(cipher_suite_defs); i++) { 1912 const ssl3CipherSuiteDef *cipher_def = &cipher_suite_defs[i]; 1913 if (cipher_def->bulk_cipher_alg == cipher_aes_128_gcm) { 1914 SECStatus rv = ssl3_CipherPrefSet(ss, cipher_def->cipher_suite, 1915 PR_FALSE); 1916 PORT_Assert(rv == SECSuccess); /* else is coding error */ 1917 } 1918 } 1919 return SECSuccess; 1920 } 1921 1922 static SECStatus 1923 ssl3_AESGCM(ssl3KeyMaterial *keys, 1924 PRBool doDecrypt, 1925 unsigned char *out, 1926 int *outlen, 1927 int maxout, 1928 const unsigned char *in, 1929 int inlen, 1930 const unsigned char *additionalData, 1931 int additionalDataLen) 1932 { 1933 SECItem param; 1934 SECStatus rv = SECFailure; 1935 unsigned char nonce[12]; 1936 unsigned int uOutLen; 1937 CK_GCM_PARAMS gcmParams; 1938 1939 static const int tagSize = 16; 1940 static const int explicitNonceLen = 8; 1941 1942 /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the 1943 * nonce is formed. */ 1944 memcpy(nonce, keys->write_iv, 4); 1945 if (doDecrypt) { 1946 memcpy(nonce + 4, in, explicitNonceLen); 1947 in += explicitNonceLen; 1948 inlen -= explicitNonceLen; 1949 *outlen = 0; 1950 } else { 1951 if (maxout < explicitNonceLen) { 1952 PORT_SetError(SEC_ERROR_INPUT_LEN); 1953 return SECFailure; 1954 } 1955 /* Use the 64-bit sequence number as the explicit nonce. */ 1956 memcpy(nonce + 4, additionalData, explicitNonceLen); 1957 memcpy(out, additionalData, explicitNonceLen); 1958 out += explicitNonceLen; 1959 maxout -= explicitNonceLen; 1960 *outlen = explicitNonceLen; 1961 } 1962 1963 param.type = siBuffer; 1964 param.data = (unsigned char *) &gcmParams; 1965 param.len = sizeof(gcmParams); 1966 gcmParams.pIv = nonce; 1967 gcmParams.ulIvLen = sizeof(nonce); 1968 gcmParams.pAAD = (unsigned char *)additionalData; /* const cast */ 1969 gcmParams.ulAADLen = additionalDataLen; 1970 gcmParams.ulTagBits = tagSize * 8; 1971 1972 if (doDecrypt) { 1973 rv = pk11_decrypt(keys->write_key, CKM_AES_GCM, ¶m, out, &uOutLen, 1974 maxout, in, inlen); 1975 } else { 1976 rv = pk11_encrypt(keys->write_key, CKM_AES_GCM, ¶m, out, &uOutLen, 1977 maxout, in, inlen); 1978 } 1979 *outlen += (int) uOutLen; 1980 1981 return rv; 1982 } 1983 1984 #ifndef NO_PKCS11_BYPASS 1985 static SECStatus 1986 ssl3_AESGCMBypass(ssl3KeyMaterial *keys, 1987 PRBool doDecrypt, 1988 unsigned char *out, 1989 int *outlen, 1990 int maxout, 1991 const unsigned char *in, 1992 int inlen, 1993 const unsigned char *additionalData, 1994 int additionalDataLen) 1995 { 1996 SECStatus rv = SECFailure; 1997 unsigned char nonce[12]; 1998 unsigned int uOutLen; 1999 AESContext *cx; 2000 CK_GCM_PARAMS gcmParams; 2001 2002 static const int tagSize = 16; 2003 static const int explicitNonceLen = 8; 2004 2005 /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the 2006 * nonce is formed. */ 2007 PORT_Assert(keys->write_iv_item.len == 4); 2008 if (keys->write_iv_item.len != 4) { 2009 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 2010 return SECFailure; 2011 } 2012 memcpy(nonce, keys->write_iv_item.data, 4); 2013 if (doDecrypt) { 2014 memcpy(nonce + 4, in, explicitNonceLen); 2015 in += explicitNonceLen; 2016 inlen -= explicitNonceLen; 2017 *outlen = 0; 2018 } else { 2019 if (maxout < explicitNonceLen) { 2020 PORT_SetError(SEC_ERROR_INPUT_LEN); 2021 return SECFailure; 2022 } 2023 /* Use the 64-bit sequence number as the explicit nonce. */ 2024 memcpy(nonce + 4, additionalData, explicitNonceLen); 2025 memcpy(out, additionalData, explicitNonceLen); 2026 out += explicitNonceLen; 2027 maxout -= explicitNonceLen; 2028 *outlen = explicitNonceLen; 2029 } 2030 2031 gcmParams.pIv = nonce; 2032 gcmParams.ulIvLen = sizeof(nonce); 2033 gcmParams.pAAD = (unsigned char *)additionalData; /* const cast */ 2034 gcmParams.ulAADLen = additionalDataLen; 2035 gcmParams.ulTagBits = tagSize * 8; 2036 2037 cx = (AESContext *)keys->cipher_context; 2038 rv = AES_InitContext(cx, keys->write_key_item.data, 2039 keys->write_key_item.len, 2040 (unsigned char *)&gcmParams, NSS_AES_GCM, !doDecrypt, 2041 AES_BLOCK_SIZE); 2042 if (rv != SECSuccess) { 2043 return rv; 2044 } 2045 if (doDecrypt) { 2046 rv = AES_Decrypt(cx, out, &uOutLen, maxout, in, inlen); 2047 } else { 2048 rv = AES_Encrypt(cx, out, &uOutLen, maxout, in, inlen); 2049 } 2050 AES_DestroyContext(cx, PR_FALSE); 2051 *outlen += (int) uOutLen; 2052 2053 return rv; 2054 } 2055 #endif 2056 2057 static SECStatus 2058 ssl3_ChaCha20Poly1305( 2059 ssl3KeyMaterial *keys, 2060 PRBool doDecrypt, 2061 unsigned char *out, 2062 int *outlen, 2063 int maxout, 2064 const unsigned char *in, 2065 int inlen, 2066 const unsigned char *additionalData, 2067 int additionalDataLen) 2068 { 2069 SECItem param; 2070 SECStatus rv = SECFailure; 2071 unsigned int uOutLen; 2072 CK_NSS_AEAD_PARAMS aeadParams; 2073 static const int tagSize = 16; 2074 2075 param.type = siBuffer; 2076 param.len = sizeof(aeadParams); 2077 param.data = (unsigned char *) &aeadParams; 2078 memset(&aeadParams, 0, sizeof(aeadParams)); 2079 aeadParams.pIv = (unsigned char *) additionalData; 2080 aeadParams.ulIvLen = 8; 2081 aeadParams.pAAD = (unsigned char *) additionalData; 2082 aeadParams.ulAADLen = additionalDataLen; 2083 aeadParams.ulTagLen = tagSize; 2084 2085 if (doDecrypt) { 2086 rv = pk11_decrypt(keys->write_key, CKM_NSS_CHACHA20_POLY1305, ¶m, 2087 out, &uOutLen, maxout, in, inlen); 2088 } else { 2089 rv = pk11_encrypt(keys->write_key, CKM_NSS_CHACHA20_POLY1305, ¶m, 2090 out, &uOutLen, maxout, in, inlen); 2091 } 2092 *outlen = (int) uOutLen; 2093 2094 return rv; 2095 } 2096 2097 /* Initialize encryption and MAC contexts for pending spec. 2098 * Master Secret already is derived. 2099 * Caller holds Spec write lock. 2100 */ 2101 static SECStatus 2102 ssl3_InitPendingContextsPKCS11(sslSocket *ss) 2103 { 2104 ssl3CipherSpec * pwSpec; 2105 const ssl3BulkCipherDef *cipher_def; 2106 PK11Context * serverContext = NULL; 2107 PK11Context * clientContext = NULL; 2108 SECItem * param; 2109 CK_MECHANISM_TYPE mechanism; 2110 CK_MECHANISM_TYPE mac_mech; 2111 CK_ULONG macLength; 2112 CK_ULONG effKeyBits; 2113 SECItem iv; 2114 SECItem mac_param; 2115 SSLCipherAlgorithm calg; 2116 2117 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 2118 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); 2119 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); 2120 2121 pwSpec = ss->ssl3.pwSpec; 2122 cipher_def = pwSpec->cipher_def; 2123 macLength = pwSpec->mac_size; 2124 calg = cipher_def->calg; 2125 PORT_Assert(alg2Mech[calg].calg == calg); 2126 2127 pwSpec->client.write_mac_context = NULL; 2128 pwSpec->server.write_mac_context = NULL; 2129 2130 if (calg == calg_aes_gcm || calg == calg_chacha20) { 2131 pwSpec->encode = NULL; 2132 pwSpec->decode = NULL; 2133 pwSpec->destroy = NULL; 2134 pwSpec->encodeContext = NULL; 2135 pwSpec->decodeContext = NULL; 2136 if (calg == calg_aes_gcm) { 2137 pwSpec->aead = ssl3_AESGCM; 2138 } else { 2139 pwSpec->aead = ssl3_ChaCha20Poly1305; 2140 } 2141 return SECSuccess; 2142 } 2143 2144 /* 2145 ** Now setup the MAC contexts, 2146 ** crypto contexts are setup below. 2147 */ 2148 2149 mac_mech = pwSpec->mac_def->mmech; 2150 mac_param.data = (unsigned char *)&macLength; 2151 mac_param.len = sizeof(macLength); 2152 mac_param.type = 0; 2153 2154 pwSpec->client.write_mac_context = PK11_CreateContextBySymKey( 2155 mac_mech, CKA_SIGN, pwSpec->client.write_mac_key, &mac_param); 2156 if (pwSpec->client.write_mac_context == NULL) { 2157 ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE); 2158 goto fail; 2159 } 2160 pwSpec->server.write_mac_context = PK11_CreateContextBySymKey( 2161 mac_mech, CKA_SIGN, pwSpec->server.write_mac_key, &mac_param); 2162 if (pwSpec->server.write_mac_context == NULL) { 2163 ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE); 2164 goto fail; 2165 } 2166 2167 /* 2168 ** Now setup the crypto contexts. 2169 */ 2170 2171 if (calg == calg_null) { 2172 pwSpec->encode = Null_Cipher; 2173 pwSpec->decode = Null_Cipher; 2174 pwSpec->destroy = NULL; 2175 return SECSuccess; 2176 } 2177 mechanism = alg2Mech[calg].cmech; 2178 effKeyBits = cipher_def->key_size * BPB; 2179 2180 /* 2181 * build the server context 2182 */ 2183 iv.data = pwSpec->server.write_iv; 2184 iv.len = cipher_def->iv_size; 2185 param = ssl3_ParamFromIV(mechanism, &iv, effKeyBits); 2186 if (param == NULL) { 2187 ssl_MapLowLevelError(SSL_ERROR_IV_PARAM_FAILURE); 2188 goto fail; 2189 } 2190 serverContext = PK11_CreateContextBySymKey(mechanism, 2191 (ss->sec.isServer ? CKA_ENCRYPT : CKA_DECRYPT), 2192 pwSpec->server.write_key, param); 2193 iv.data = PK11_IVFromParam(mechanism, param, (int *)&iv.len); 2194 if (iv.data) 2195 PORT_Memcpy(pwSpec->server.write_iv, iv.data, iv.len); 2196 SECITEM_FreeItem(param, PR_TRUE); 2197 if (serverContext == NULL) { 2198 ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE); 2199 goto fail; 2200 } 2201 2202 /* 2203 * build the client context 2204 */ 2205 iv.data = pwSpec->client.write_iv; 2206 iv.len = cipher_def->iv_size; 2207 2208 param = ssl3_ParamFromIV(mechanism, &iv, effKeyBits); 2209 if (param == NULL) { 2210 ssl_MapLowLevelError(SSL_ERROR_IV_PARAM_FAILURE); 2211 goto fail; 2212 } 2213 clientContext = PK11_CreateContextBySymKey(mechanism, 2214 (ss->sec.isServer ? CKA_DECRYPT : CKA_ENCRYPT), 2215 pwSpec->client.write_key, param); 2216 iv.data = PK11_IVFromParam(mechanism, param, (int *)&iv.len); 2217 if (iv.data) 2218 PORT_Memcpy(pwSpec->client.write_iv, iv.data, iv.len); 2219 SECITEM_FreeItem(param,PR_TRUE); 2220 if (clientContext == NULL) { 2221 ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE); 2222 goto fail; 2223 } 2224 pwSpec->encode = (SSLCipher) PK11_CipherOp; 2225 pwSpec->decode = (SSLCipher) PK11_CipherOp; 2226 pwSpec->destroy = (SSLDestroy) PK11_DestroyContext; 2227 2228 pwSpec->encodeContext = (ss->sec.isServer) ? serverContext : clientContext; 2229 pwSpec->decodeContext = (ss->sec.isServer) ? clientContext : serverContext; 2230 2231 serverContext = NULL; 2232 clientContext = NULL; 2233 2234 ssl3_InitCompressionContext(pwSpec); 2235 2236 return SECSuccess; 2237 2238 fail: 2239 if (serverContext != NULL) PK11_DestroyContext(serverContext, PR_TRUE); 2240 if (clientContext != NULL) PK11_DestroyContext(clientContext, PR_TRUE); 2241 if (pwSpec->client.write_mac_context != NULL) { 2242 PK11_DestroyContext(pwSpec->client.write_mac_context,PR_TRUE); 2243 pwSpec->client.write_mac_context = NULL; 2244 } 2245 if (pwSpec->server.write_mac_context != NULL) { 2246 PK11_DestroyContext(pwSpec->server.write_mac_context,PR_TRUE); 2247 pwSpec->server.write_mac_context = NULL; 2248 } 2249 2250 return SECFailure; 2251 } 2252 2253 /* Complete the initialization of all keys, ciphers, MACs and their contexts 2254 * for the pending Cipher Spec. 2255 * Called from: ssl3_SendClientKeyExchange (for Full handshake) 2256 * ssl3_HandleRSAClientKeyExchange (for Full handshake) 2257 * ssl3_HandleServerHello (for session restart) 2258 * ssl3_HandleClientHello (for session restart) 2259 * Sets error code, but caller probably should override to disambiguate. 2260 * NULL pms means re-use old master_secret. 2261 * 2262 * This code is common to the bypass and PKCS11 execution paths. 2263 * For the bypass case, pms is NULL. 2264 */ 2265 SECStatus 2266 ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms) 2267 { 2268 ssl3CipherSpec * pwSpec; 2269 ssl3CipherSpec * cwSpec; 2270 SECStatus rv; 2271 2272 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 2273 2274 ssl_GetSpecWriteLock(ss); /**************************************/ 2275 2276 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); 2277 2278 pwSpec = ss->ssl3.pwSpec; 2279 cwSpec = ss->ssl3.cwSpec; 2280 2281 if (pms || (!pwSpec->msItem.len && !pwSpec->master_secret)) { 2282 rv = ssl3_DeriveMasterSecret(ss, pms); 2283 if (rv != SECSuccess) { 2284 goto done; /* err code set by ssl3_DeriveMasterSecret */ 2285 } 2286 } 2287 #ifndef NO_PKCS11_BYPASS 2288 if (ss->opt.bypassPKCS11 && pwSpec->msItem.len && pwSpec->msItem.data) { 2289 /* Double Bypass succeeded in extracting the master_secret */ 2290 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; 2291 PRBool isTLS = (PRBool)(kea_def->tls_keygen || 2292 (pwSpec->version > SSL_LIBRARY_VERSION_3_0)); 2293 pwSpec->bypassCiphers = PR_TRUE; 2294 rv = ssl3_KeyAndMacDeriveBypass( pwSpec, 2295 (const unsigned char *)&ss->ssl3.hs.client_random, 2296 (const unsigned char *)&ss->ssl3.hs.server_random, 2297 isTLS, 2298 (PRBool)(kea_def->is_limited)); 2299 if (rv == SECSuccess) { 2300 rv = ssl3_InitPendingContextsBypass(ss); 2301 } 2302 } else 2303 #endif 2304 if (pwSpec->master_secret) { 2305 rv = ssl3_DeriveConnectionKeysPKCS11(ss); 2306 if (rv == SECSuccess) { 2307 rv = ssl3_InitPendingContextsPKCS11(ss); 2308 } 2309 } else { 2310 PORT_Assert(pwSpec->master_secret); 2311 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 2312 rv = SECFailure; 2313 } 2314 if (rv != SECSuccess) { 2315 goto done; 2316 } 2317 2318 /* Generic behaviors -- common to all crypto methods */ 2319 if (!IS_DTLS(ss)) { 2320 pwSpec->read_seq_num.high = pwSpec->write_seq_num.high = 0; 2321 } else { 2322 if (cwSpec->epoch == PR_UINT16_MAX) { 2323 /* The problem here is that we have rehandshaked too many 2324 * times (you are not allowed to wrap the epoch). The 2325 * spec says you should be discarding the connection 2326 * and start over, so not much we can do here. */ 2327 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 2328 rv = SECFailure; 2329 goto done; 2330 } 2331 /* The sequence number has the high 16 bits as the epoch. */ 2332 pwSpec->epoch = cwSpec->epoch + 1; 2333 pwSpec->read_seq_num.high = pwSpec->write_seq_num.high = 2334 pwSpec->epoch << 16; 2335 2336 dtls_InitRecvdRecords(&pwSpec->recvdRecords); 2337 } 2338 pwSpec->read_seq_num.low = pwSpec->write_seq_num.low = 0; 2339 2340 done: 2341 ssl_ReleaseSpecWriteLock(ss); /******************************/ 2342 if (rv != SECSuccess) 2343 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); 2344 return rv; 2345 } 2346 2347 /* 2348 * 60 bytes is 3 times the maximum length MAC size that is supported. 2349 */ 2350 static const unsigned char mac_pad_1 [60] = { 2351 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 2352 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 2353 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 2354 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 2355 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 2356 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 2357 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 2358 0x36, 0x36, 0x36, 0x36 2359 }; 2360 static const unsigned char mac_pad_2 [60] = { 2361 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 2362 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 2363 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 2364 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 2365 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 2366 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 2367 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 2368 0x5c, 0x5c, 0x5c, 0x5c 2369 }; 2370 2371 /* Called from: ssl3_SendRecord() 2372 ** Caller must already hold the SpecReadLock. (wish we could assert that!) 2373 */ 2374 static SECStatus 2375 ssl3_ComputeRecordMAC( 2376 ssl3CipherSpec * spec, 2377 PRBool useServerMacKey, 2378 const unsigned char *header, 2379 unsigned int headerLen, 2380 const SSL3Opaque * input, 2381 int inputLength, 2382 unsigned char * outbuf, 2383 unsigned int * outLength) 2384 { 2385 const ssl3MACDef * mac_def; 2386 SECStatus rv; 2387 2388 PRINT_BUF(95, (NULL, "frag hash1: header", header, headerLen)); 2389 PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength)); 2390 2391 mac_def = spec->mac_def; 2392 if (mac_def->mac == mac_null) { 2393 *outLength = 0; 2394 return SECSuccess; 2395 } 2396 #ifndef NO_PKCS11_BYPASS 2397 if (spec->bypassCiphers) { 2398 /* bypass version */ 2399 const SECHashObject *hashObj = NULL; 2400 unsigned int pad_bytes = 0; 2401 PRUint64 write_mac_context[MAX_MAC_CONTEXT_LLONGS]; 2402 2403 switch (mac_def->mac) { 2404 case ssl_mac_null: 2405 *outLength = 0; 2406 return SECSuccess; 2407 case ssl_mac_md5: 2408 pad_bytes = 48; 2409 hashObj = HASH_GetRawHashObject(HASH_AlgMD5); 2410 break; 2411 case ssl_mac_sha: 2412 pad_bytes = 40; 2413 hashObj = HASH_GetRawHashObject(HASH_AlgSHA1); 2414 break; 2415 case ssl_hmac_md5: /* used with TLS */ 2416 hashObj = HASH_GetRawHashObject(HASH_AlgMD5); 2417 break; 2418 case ssl_hmac_sha: /* used with TLS */ 2419 hashObj = HASH_GetRawHashObject(HASH_AlgSHA1); 2420 break; 2421 case ssl_hmac_sha256: /* used with TLS */ 2422 hashObj = HASH_GetRawHashObject(HASH_AlgSHA256); 2423 break; 2424 default: 2425 break; 2426 } 2427 if (!hashObj) { 2428 PORT_Assert(0); 2429 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 2430 return SECFailure; 2431 } 2432 2433 if (spec->version <= SSL_LIBRARY_VERSION_3_0) { 2434 unsigned int tempLen; 2435 unsigned char temp[MAX_MAC_LENGTH]; 2436 2437 /* compute "inner" part of SSL3 MAC */ 2438 hashObj->begin(write_mac_context); 2439 if (useServerMacKey) 2440 hashObj->update(write_mac_context, 2441 spec->server.write_mac_key_item.data, 2442 spec->server.write_mac_key_item.len); 2443 else 2444 hashObj->update(write_mac_context, 2445 spec->client.write_mac_key_item.data, 2446 spec->client.write_mac_key_item.len); 2447 hashObj->update(write_mac_context, mac_pad_1, pad_bytes); 2448 hashObj->update(write_mac_context, header, headerLen); 2449 hashObj->update(write_mac_context, input, inputLength); 2450 hashObj->end(write_mac_context, temp, &tempLen, sizeof temp); 2451 2452 /* compute "outer" part of SSL3 MAC */ 2453 hashObj->begin(write_mac_context); 2454 if (useServerMacKey) 2455 hashObj->update(write_mac_context, 2456 spec->server.write_mac_key_item.data, 2457 spec->server.write_mac_key_item.len); 2458 else 2459 hashObj->update(write_mac_context, 2460 spec->client.write_mac_key_item.data, 2461 spec->client.write_mac_key_item.len); 2462 hashObj->update(write_mac_context, mac_pad_2, pad_bytes); 2463 hashObj->update(write_mac_context, temp, tempLen); 2464 hashObj->end(write_mac_context, outbuf, outLength, spec->mac_size); 2465 rv = SECSuccess; 2466 } else { /* is TLS */ 2467 #define cx ((HMACContext *)write_mac_context) 2468 if (useServerMacKey) { 2469 rv = HMAC_Init(cx, hashObj, 2470 spec->server.write_mac_key_item.data, 2471 spec->server.write_mac_key_item.len, PR_FALSE); 2472 } else { 2473 rv = HMAC_Init(cx, hashObj, 2474 spec->client.write_mac_key_item.data, 2475 spec->client.write_mac_key_item.len, PR_FALSE); 2476 } 2477 if (rv == SECSuccess) { 2478 HMAC_Begin(cx); 2479 HMAC_Update(cx, header, headerLen); 2480 HMAC_Update(cx, input, inputLength); 2481 rv = HMAC_Finish(cx, outbuf, outLength, spec->mac_size); 2482 HMAC_Destroy(cx, PR_FALSE); 2483 } 2484 #undef cx 2485 } 2486 } else 2487 #endif 2488 { 2489 PK11Context *mac_context = 2490 (useServerMacKey ? spec->server.write_mac_context 2491 : spec->client.write_mac_context); 2492 rv = PK11_DigestBegin(mac_context); 2493 rv |= PK11_DigestOp(mac_context, header, headerLen); 2494 rv |= PK11_DigestOp(mac_context, input, inputLength); 2495 rv |= PK11_DigestFinal(mac_context, outbuf, outLength, spec->mac_size); 2496 } 2497 2498 PORT_Assert(rv != SECSuccess || *outLength == (unsigned)spec->mac_size); 2499 2500 PRINT_BUF(95, (NULL, "frag hash2: result", outbuf, *outLength)); 2501 2502 if (rv != SECSuccess) { 2503 rv = SECFailure; 2504 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); 2505 } 2506 return rv; 2507 } 2508 2509 /* This is a bodge to allow this code to be compiled against older NSS headers 2510 * that don't contain the CBC constant-time changes. */ 2511 #ifndef CKM_NSS_HMAC_CONSTANT_TIME 2512 #define CKM_NSS_HMAC_CONSTANT_TIME (CKM_NSS + 19) 2513 #define CKM_NSS_SSL3_MAC_CONSTANT_TIME (CKM_NSS + 20) 2514 2515 typedef struct CK_NSS_MAC_CONSTANT_TIME_PARAMS { 2516 CK_MECHANISM_TYPE macAlg; /* in */ 2517 CK_ULONG ulBodyTotalLen; /* in */ 2518 CK_BYTE * pHeader; /* in */ 2519 CK_ULONG ulHeaderLen; /* in */ 2520 } CK_NSS_MAC_CONSTANT_TIME_PARAMS; 2521 #endif 2522 2523 /* Called from: ssl3_HandleRecord() 2524 * Caller must already hold the SpecReadLock. (wish we could assert that!) 2525 * 2526 * On entry: 2527 * originalLen >= inputLen >= MAC size 2528 */ 2529 static SECStatus 2530 ssl3_ComputeRecordMACConstantTime( 2531 ssl3CipherSpec * spec, 2532 PRBool useServerMacKey, 2533 const unsigned char *header, 2534 unsigned int headerLen, 2535 const SSL3Opaque * input, 2536 int inputLen, 2537 int originalLen, 2538 unsigned char * outbuf, 2539 unsigned int * outLen) 2540 { 2541 CK_MECHANISM_TYPE macType; 2542 CK_NSS_MAC_CONSTANT_TIME_PARAMS params; 2543 PK11Context * mac_context; 2544 SECItem param; 2545 SECStatus rv; 2546 PK11SymKey * key; 2547 2548 PORT_Assert(inputLen >= spec->mac_size); 2549 PORT_Assert(originalLen >= inputLen); 2550 2551 if (spec->bypassCiphers) { 2552 /* This function doesn't support PKCS#11 bypass. We fallback on the 2553 * non-constant time version. */ 2554 goto fallback; 2555 } 2556 2557 if (spec->mac_def->mac == mac_null) { 2558 *outLen = 0; 2559 return SECSuccess; 2560 } 2561 2562 macType = CKM_NSS_HMAC_CONSTANT_TIME; 2563 if (spec->version <= SSL_LIBRARY_VERSION_3_0) { 2564 macType = CKM_NSS_SSL3_MAC_CONSTANT_TIME; 2565 } 2566 2567 params.macAlg = spec->mac_def->mmech; 2568 params.ulBodyTotalLen = originalLen; 2569 params.pHeader = (unsigned char *) header; /* const cast */ 2570 params.ulHeaderLen = headerLen; 2571 2572 param.data = (unsigned char*) ¶ms; 2573 param.len = sizeof(params); 2574 param.type = 0; 2575 2576 key = spec->server.write_mac_key; 2577 if (!useServerMacKey) { 2578 key = spec->client.write_mac_key; 2579 } 2580 mac_context = PK11_CreateContextBySymKey(macType, CKA_SIGN, key, ¶m); 2581 if (mac_context == NULL) { 2582 /* Older versions of NSS may not support constant-time MAC. */ 2583 goto fallback; 2584 } 2585 2586 rv = PK11_DigestBegin(mac_context); 2587 rv |= PK11_DigestOp(mac_context, input, inputLen); 2588 rv |= PK11_DigestFinal(mac_context, outbuf, outLen, spec->mac_size); 2589 PK11_DestroyContext(mac_context, PR_TRUE); 2590 2591 PORT_Assert(rv != SECSuccess || *outLen == (unsigned)spec->mac_size); 2592 2593 if (rv != SECSuccess) { 2594 rv = SECFailure; 2595 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); 2596 } 2597 return rv; 2598 2599 fallback: 2600 /* ssl3_ComputeRecordMAC expects the MAC to have been removed from the 2601 * length already. */ 2602 inputLen -= spec->mac_size; 2603 return ssl3_ComputeRecordMAC(spec, useServerMacKey, header, headerLen, 2604 input, inputLen, outbuf, outLen); 2605 } 2606 2607 static PRBool 2608 ssl3_ClientAuthTokenPresent(sslSessionID *sid) { 2609 PK11SlotInfo *slot = NULL; 2610 PRBool isPresent = PR_TRUE; 2611 2612 /* we only care if we are doing client auth */ 2613 /* If NSS_PLATFORM_CLIENT_AUTH is defined and a platformClientKey is being 2614 * used, u.ssl3.clAuthValid will be false and this function will always 2615 * return PR_TRUE. */ 2616 if (!sid || !sid->u.ssl3.clAuthValid) { 2617 return PR_TRUE; 2618 } 2619 2620 /* get the slot */ 2621 slot = SECMOD_LookupSlot(sid->u.ssl3.clAuthModuleID, 2622 sid->u.ssl3.clAuthSlotID); 2623 if (slot == NULL || 2624 !PK11_IsPresent(slot) || 2625 sid->u.ssl3.clAuthSeries != PK11_GetSlotSeries(slot) || 2626 sid->u.ssl3.clAuthSlotID != PK11_GetSlotID(slot) || 2627 sid->u.ssl3.clAuthModuleID != PK11_GetModuleID(slot) || 2628 (PK11_NeedLogin(slot) && !PK11_IsLoggedIn(slot, NULL))) { 2629 isPresent = PR_FALSE; 2630 } 2631 if (slot) { 2632 PK11_FreeSlot(slot); 2633 } 2634 return isPresent; 2635 } 2636 2637 /* Caller must hold the spec read lock. */ 2638 SECStatus 2639 ssl3_CompressMACEncryptRecord(ssl3CipherSpec * cwSpec, 2640 PRBool isServer, 2641 PRBool isDTLS, 2642 PRBool capRecordVersion, 2643 SSL3ContentType type, 2644 const SSL3Opaque * pIn, 2645 PRUint32 contentLen, 2646 sslBuffer * wrBuf) 2647 { 2648 const ssl3BulkCipherDef * cipher_def; 2649 SECStatus rv; 2650 PRUint32 macLen = 0; 2651 PRUint32 fragLen; 2652 PRUint32 p1Len, p2Len, oddLen = 0; 2653 PRUint16 headerLen; 2654 int ivLen = 0; 2655 int cipherBytes = 0; 2656 unsigned char pseudoHeader[13]; 2657 unsigned int pseudoHeaderLen; 2658 2659 cipher_def = cwSpec->cipher_def; 2660 headerLen = isDTLS ? DTLS_RECORD_HEADER_LENGTH : SSL3_RECORD_HEADER_LENGTH; 2661 2662 if (cipher_def->type == type_block && 2663 cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { 2664 /* Prepend the per-record explicit IV using technique 2b from 2665 * RFC 4346 section 6.2.3.2: The IV is a cryptographically 2666 * strong random number XORed with the CBC residue from the previous 2667 * record. 2668 */ 2669 ivLen = cipher_def->iv_size; 2670 if (ivLen > wrBuf->space - headerLen) { 2671 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 2672 return SECFailure; 2673 } 2674 rv = PK11_GenerateRandom(wrBuf->buf + headerLen, ivLen); 2675 if (rv != SECSuccess) { 2676 ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE); 2677 return rv; 2678 } 2679 rv = cwSpec->encode( cwSpec->encodeContext, 2680 wrBuf->buf + headerLen, 2681 &cipherBytes, /* output and actual outLen */ 2682 ivLen, /* max outlen */ 2683 wrBuf->buf + headerLen, 2684 ivLen); /* input and inputLen*/ 2685 if (rv != SECSuccess || cipherBytes != ivLen) { 2686 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); 2687 return SECFailure; 2688 } 2689 } 2690 2691 if (cwSpec->compressor) { 2692 int outlen; 2693 rv = cwSpec->compressor( 2694 cwSpec->compressContext, 2695 wrBuf->buf + headerLen + ivLen, &outlen, 2696 wrBuf->space - headerLen - ivLen, pIn, contentLen); 2697 if (rv != SECSuccess) 2698 return rv; 2699 pIn = wrBuf->buf + headerLen + ivLen; 2700 contentLen = outlen; 2701 } 2702 2703 pseudoHeaderLen = ssl3_BuildRecordPseudoHeader( 2704 pseudoHeader, cwSpec->write_seq_num, type, 2705 cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_0, cwSpec->version, 2706 isDTLS, contentLen); 2707 PORT_Assert(pseudoHeaderLen <= sizeof(pseudoHeader)); 2708 if (cipher_def->type == type_aead) { 2709 const int nonceLen = cipher_def->explicit_nonce_size; 2710 const int tagLen = cipher_def->tag_size; 2711 2712 if (headerLen + nonceLen + contentLen + tagLen > wrBuf->space) { 2713 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 2714 return SECFailure; 2715 } 2716 2717 cipherBytes = contentLen; 2718 rv = cwSpec->aead( 2719 isServer ? &cwSpec->server : &cwSpec->client, 2720 PR_FALSE, /* do encrypt */ 2721 wrBuf->buf + headerLen, /* output */ 2722 &cipherBytes, /* out len */ 2723 wrBuf->space - headerLen, /* max out */ 2724 pIn, contentLen, /* input */ 2725 pseudoHeader, pseudoHeaderLen); 2726 if (rv != SECSuccess) { 2727 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); 2728 return SECFailure; 2729 } 2730 } else { 2731 /* 2732 * Add the MAC 2733 */ 2734 rv = ssl3_ComputeRecordMAC(cwSpec, isServer, 2735 pseudoHeader, pseudoHeaderLen, pIn, contentLen, 2736 wrBuf->buf + headerLen + ivLen + contentLen, &macLen); 2737 if (rv != SECSuccess) { 2738 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); 2739 return SECFailure; 2740 } 2741 p1Len = contentLen; 2742 p2Len = macLen; 2743 fragLen = contentLen + macLen; /* needs to be encrypted */ 2744 PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024); 2745 2746 /* 2747 * Pad the text (if we're doing a block cipher) 2748 * then Encrypt it 2749 */ 2750 if (cipher_def->type == type_block) { 2751 unsigned char * pBuf; 2752 int padding_length; 2753 int i; 2754 2755 oddLen = contentLen % cipher_def->block_size; 2756 /* Assume blockSize is a power of two */ 2757 padding_length = cipher_def->block_size - 1 - 2758 ((fragLen) & (cipher_def->block_size - 1)); 2759 fragLen += padding_length + 1; 2760 PORT_Assert((fragLen % cipher_def->block_size) == 0); 2761 2762 /* Pad according to TLS rules (also acceptable to SSL3). */ 2763 pBuf = &wrBuf->buf[headerLen + ivLen + fragLen - 1]; 2764 for (i = padding_length + 1; i > 0; --i) { 2765 *pBuf-- = padding_length; 2766 } 2767 /* now, if contentLen is not a multiple of block size, fix it */ 2768 p2Len = fragLen - p1Len; 2769 } 2770 if (p1Len < 256) { 2771 oddLen = p1Len; 2772 p1Len = 0; 2773 } else { 2774 p1Len -= oddLen; 2775 } 2776 if (oddLen) { 2777 p2Len += oddLen; 2778 PORT_Assert( (cipher_def->block_size < 2) || \ 2779 (p2Len % cipher_def->block_size) == 0); 2780 memmove(wrBuf->buf + headerLen + ivLen + p1Len, pIn + p1Len, 2781 oddLen); 2782 } 2783 if (p1Len > 0) { 2784 int cipherBytesPart1 = -1; 2785 rv = cwSpec->encode( cwSpec->encodeContext, 2786 wrBuf->buf + headerLen + ivLen, /* output */ 2787 &cipherBytesPart1, /* actual outlen */ 2788 p1Len, /* max outlen */ 2789 pIn, p1Len); /* input, and inputlen */ 2790 PORT_Assert(rv == SECSuccess && cipherBytesPart1 == (int) p1Len); 2791 if (rv != SECSuccess || cipherBytesPart1 != (int) p1Len) { 2792 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); 2793 return SECFailure; 2794 } 2795 cipherBytes += cipherBytesPart1; 2796 } 2797 if (p2Len > 0) { 2798 int cipherBytesPart2 = -1; 2799 rv = cwSpec->encode( cwSpec->encodeContext, 2800 wrBuf->buf + headerLen + ivLen + p1Len, 2801 &cipherBytesPart2, /* output and actual outLen */ 2802 p2Len, /* max outlen */ 2803 wrBuf->buf + headerLen + ivLen + p1Len, 2804 p2Len); /* input and inputLen*/ 2805 PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len); 2806 if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) { 2807 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); 2808 return SECFailure; 2809 } 2810 cipherBytes += cipherBytesPart2; 2811 } 2812 } 2813 2814 PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024); 2815 2816 wrBuf->len = cipherBytes + headerLen; 2817 wrBuf->buf[0] = type; 2818 if (isDTLS) { 2819 SSL3ProtocolVersion version; 2820 2821 version = dtls_TLSVersionToDTLSVersion(cwSpec->version); 2822 wrBuf->buf[1] = MSB(version); 2823 wrBuf->buf[2] = LSB(version); 2824 wrBuf->buf[3] = (unsigned char)(cwSpec->write_seq_num.high >> 24); 2825 wrBuf->buf[4] = (unsigned char)(cwSpec->write_seq_num.high >> 16); 2826 wrBuf->buf[5] = (unsigned char)(cwSpec->write_seq_num.high >> 8); 2827 wrBuf->buf[6] = (unsigned char)(cwSpec->write_seq_num.high >> 0); 2828 wrBuf->buf[7] = (unsigned char)(cwSpec->write_seq_num.low >> 24); 2829 wrBuf->buf[8] = (unsigned char)(cwSpec->write_seq_num.low >> 16); 2830 wrBuf->buf[9] = (unsigned char)(cwSpec->write_seq_num.low >> 8); 2831 wrBuf->buf[10] = (unsigned char)(cwSpec->write_seq_num.low >> 0); 2832 wrBuf->buf[11] = MSB(cipherBytes); 2833 wrBuf->buf[12] = LSB(cipherBytes); 2834 } else { 2835 SSL3ProtocolVersion version = cwSpec->version; 2836 2837 if (capRecordVersion) { 2838 version = PR_MIN(SSL_LIBRARY_VERSION_TLS_1_0, version); 2839 } 2840 wrBuf->buf[1] = MSB(version); 2841 wrBuf->buf[2] = LSB(version); 2842 wrBuf->buf[3] = MSB(cipherBytes); 2843 wrBuf->buf[4] = LSB(cipherBytes); 2844 } 2845 2846 ssl3_BumpSequenceNumber(&cwSpec->write_seq_num); 2847 2848 return SECSuccess; 2849 } 2850 2851 /* Process the plain text before sending it. 2852 * Returns the number of bytes of plaintext that were successfully sent 2853 * plus the number of bytes of plaintext that were copied into the 2854 * output (write) buffer. 2855 * Returns SECFailure on a hard IO error, memory error, or crypto error. 2856 * Does NOT return SECWouldBlock. 2857 * 2858 * Notes on the use of the private ssl flags: 2859 * (no private SSL flags) 2860 * Attempt to make and send SSL records for all plaintext 2861 * If non-blocking and a send gets WOULD_BLOCK, 2862 * or if the pending (ciphertext) buffer is not empty, 2863 * then buffer remaining bytes of ciphertext into pending buf, 2864 * and continue to do that for all succssive records until all 2865 * bytes are used. 2866 * ssl_SEND_FLAG_FORCE_INTO_BUFFER 2867 * As above, except this suppresses all write attempts, and forces 2868 * all ciphertext into the pending ciphertext buffer. 2869 * ssl_SEND_FLAG_USE_EPOCH (for DTLS) 2870 * Forces the use of the provided epoch 2871 * ssl_SEND_FLAG_CAP_RECORD_VERSION 2872 * Caps the record layer version number of TLS ClientHello to { 3, 1 } 2873 * (TLS 1.0). Some TLS 1.0 servers (which seem to use F5 BIG-IP) ignore 2874 * ClientHello.client_version and use the record layer version number 2875 * (TLSPlaintext.version) instead when negotiating protocol versions. In 2876 * addition, if the record layer version number of ClientHello is { 3, 2 } 2877 * (TLS 1.1) or higher, these servers reset the TCP connections. Lastly, 2878 * some F5 BIG-IP servers hang if a record containing a ClientHello has a 2879 * version greater than 0x0301 and a length greater than 255. Set this flag 2880 * to work around such servers. 2881 */ 2882 PRInt32 2883 ssl3_SendRecord( sslSocket * ss, 2884 DTLSEpoch epoch, /* DTLS only */ 2885 SSL3ContentType type, 2886 const SSL3Opaque * pIn, /* input buffer */ 2887 PRInt32 nIn, /* bytes of input */ 2888 PRInt32 flags) 2889 { 2890 sslBuffer * wrBuf = &ss->sec.writeBuf; 2891 SECStatus rv; 2892 PRInt32 totalSent = 0; 2893 PRBool capRecordVersion; 2894 2895 SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s nIn=%d", 2896 SSL_GETPID(), ss->fd, ssl3_DecodeContentType(type), 2897 nIn)); 2898 PRINT_BUF(50, (ss, "Send record (plain text)", pIn, nIn)); 2899 2900 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); 2901 2902 capRecordVersion = ((flags & ssl_SEND_FLAG_CAP_RECORD_VERSION) != 0); 2903 2904 if (capRecordVersion) { 2905 /* ssl_SEND_FLAG_CAP_RECORD_VERSION can only be used with the 2906 * TLS initial ClientHello. */ 2907 PORT_Assert(!IS_DTLS(ss)); 2908 PORT_Assert(!ss->firstHsDone); 2909 PORT_Assert(type == content_handshake); 2910 PORT_Assert(ss->ssl3.hs.ws == wait_server_hello); 2911 } 2912 2913 if (ss->ssl3.initialized == PR_FALSE) { 2914 /* This can happen on a server if the very first incoming record 2915 ** looks like a defective ssl3 record (e.g. too long), and we're 2916 ** trying to send an alert. 2917 */ 2918 PR_ASSERT(type == content_alert); 2919 rv = ssl3_InitState(ss); 2920 if (rv != SECSuccess) { 2921 return SECFailure; /* ssl3_InitState has set the error code. */ 2922 } 2923 } 2924 2925 /* check for Token Presence */ 2926 if (!ssl3_ClientAuthTokenPresent(ss->sec.ci.sid)) { 2927 PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL); 2928 return SECFailure; 2929 } 2930 2931 while (nIn > 0) { 2932 PRUint32 contentLen = PR_MIN(nIn, MAX_FRAGMENT_LENGTH); 2933 unsigned int spaceNeeded; 2934 unsigned int numRecords; 2935 2936 ssl_GetSpecReadLock(ss); /********************************/ 2937 2938 if (nIn > 1 && ss->opt.cbcRandomIV && 2939 ss->ssl3.cwSpec->version < SSL_LIBRARY_VERSION_TLS_1_1 && 2940 type == content_application_data && 2941 ss->ssl3.cwSpec->cipher_def->type == type_block /* CBC mode */) { 2942 /* We will split the first byte of the record into its own record, 2943 * as explained in the documentation for SSL_CBC_RANDOM_IV in ssl.h 2944 */ 2945 numRecords = 2; 2946 } else { 2947 numRecords = 1; 2948 } 2949 2950 spaceNeeded = contentLen + (numRecords * SSL3_BUFFER_FUDGE); 2951 if (ss->ssl3.cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1 && 2952 ss->ssl3.cwSpec->cipher_def->type == type_block) { 2953 spaceNeeded += ss->ssl3.cwSpec->cipher_def->iv_size; 2954 } 2955 if (spaceNeeded > wrBuf->space) { 2956 rv = sslBuffer_Grow(wrBuf, spaceNeeded); 2957 if (rv != SECSuccess) { 2958 SSL_DBG(("%d: SSL3[%d]: SendRecord, tried to get %d bytes", 2959 SSL_GETPID(), ss->fd, spaceNeeded)); 2960 goto spec_locked_loser; /* sslBuffer_Grow set error code. */ 2961 } 2962 } 2963 2964 if (numRecords == 2) { 2965 sslBuffer secondRecord; 2966 2967 rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec, 2968 ss->sec.isServer, IS_DTLS(ss), 2969 capRecordVersion, type, pIn, 2970 1, wrBuf); 2971 if (rv != SECSuccess) 2972 goto spec_locked_loser; 2973 2974 PRINT_BUF(50, (ss, "send (encrypted) record data [1/2]:", 2975 wrBuf->buf, wrBuf->len)); 2976 2977 secondRecord.buf = wrBuf->buf + wrBuf->len; 2978 secondRecord.len = 0; 2979 secondRecord.space = wrBuf->space - wrBuf->len; 2980 2981 rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec, 2982 ss->sec.isServer, IS_DTLS(ss), 2983 capRecordVersion, type, 2984 pIn + 1, contentLen - 1, 2985 &secondRecord); 2986 if (rv == SECSuccess) { 2987 PRINT_BUF(50, (ss, "send (encrypted) record data [2/2]:", 2988 secondRecord.buf, secondRecord.len)); 2989 wrBuf->len += secondRecord.len; 2990 } 2991 } else { 2992 if (!IS_DTLS(ss)) { 2993 rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec, 2994 ss->sec.isServer, 2995 IS_DTLS(ss), 2996 capRecordVersion, 2997 type, pIn, 2998 contentLen, wrBuf); 2999 } else { 3000 rv = dtls_CompressMACEncryptRecord(ss, epoch, 3001 !!(flags & ssl_SEND_FLAG_USE_EPOCH), 3002 type, pIn, 3003 contentLen, wrBuf); 3004 } 3005 3006 if (rv == SECSuccess) { 3007 PRINT_BUF(50, (ss, "send (encrypted) record data:", 3008 wrBuf->buf, wrBuf->len)); 3009 } 3010 } 3011 3012 spec_locked_loser: 3013 ssl_ReleaseSpecReadLock(ss); /************************************/ 3014 3015 if (rv != SECSuccess) 3016 return SECFailure; 3017 3018 pIn += contentLen; 3019 nIn -= contentLen; 3020 PORT_Assert( nIn >= 0 ); 3021 3022 /* If there's still some previously saved ciphertext, 3023 * or the caller doesn't want us to send the data yet, 3024 * then add all our new ciphertext to the amount previously saved. 3025 */ 3026 if ((ss->pendingBuf.len > 0) || 3027 (flags & ssl_SEND_FLAG_FORCE_INTO_BUFFER)) { 3028 3029 rv = ssl_SaveWriteData(ss, wrBuf->buf, wrBuf->len); 3030 if (rv != SECSuccess) { 3031 /* presumably a memory error, SEC_ERROR_NO_MEMORY */ 3032 return SECFailure; 3033 } 3034 wrBuf->len = 0; /* All cipher text is saved away. */ 3035 3036 if (!(flags & ssl_SEND_FLAG_FORCE_INTO_BUFFER)) { 3037 PRInt32 sent; 3038 ss->handshakeBegun = 1; 3039 sent = ssl_SendSavedWriteData(ss); 3040 if (sent < 0 && PR_GetError() != PR_WOULD_BLOCK_ERROR) { 3041 ssl_MapLowLevelError(SSL_ERROR_SOCKET_WRITE_FAILURE); 3042 return SECFailure; 3043 } 3044 if (ss->pendingBuf.len) { 3045 flags |= ssl_SEND_FLAG_FORCE_INTO_BUFFER; 3046 } 3047 } 3048 } else if (wrBuf->len > 0) { 3049 PRInt32 sent; 3050 ss->handshakeBegun = 1; 3051 sent = ssl_DefSend(ss, wrBuf->buf, wrBuf->len, 3052 flags & ~ssl_SEND_FLAG_MASK); 3053 if (sent < 0) { 3054 if (PR_GetError() != PR_WOULD_BLOCK_ERROR) { 3055 ssl_MapLowLevelError(SSL_ERROR_SOCKET_WRITE_FAILURE); 3056 return SECFailure; 3057 } 3058 /* we got PR_WOULD_BLOCK_ERROR, which means none was sent. */ 3059 sent = 0; 3060 } 3061 wrBuf->len -= sent; 3062 if (wrBuf->len) { 3063 if (IS_DTLS(ss)) { 3064 /* DTLS just says no in this case. No buffering */ 3065 PR_SetError(PR_WOULD_BLOCK_ERROR, 0); 3066 return SECFailure; 3067 } 3068 /* now take all the remaining unsent new ciphertext and 3069 * append it to the buffer of previously unsent ciphertext. 3070 */ 3071 rv = ssl_SaveWriteData(ss, wrBuf->buf + sent, wrBuf->len); 3072 if (rv != SECSuccess) { 3073 /* presumably a memory error, SEC_ERROR_NO_MEMORY */ 3074 return SECFailure; 3075 } 3076 } 3077 } 3078 totalSent += contentLen; 3079 } 3080 return totalSent; 3081 } 3082 3083 #define SSL3_PENDING_HIGH_WATER 1024 3084 3085 /* Attempt to send the content of "in" in an SSL application_data record. 3086 * Returns "len" or SECFailure, never SECWouldBlock, nor SECSuccess. 3087 */ 3088 int 3089 ssl3_SendApplicationData(sslSocket *ss, const unsigned char *in, 3090 PRInt32 len, PRInt32 flags) 3091 { 3092 PRInt32 totalSent = 0; 3093 PRInt32 discarded = 0; 3094 3095 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); 3096 /* These flags for internal use only */ 3097 PORT_Assert(!(flags & (ssl_SEND_FLAG_USE_EPOCH | 3098 ssl_SEND_FLAG_NO_RETRANSMIT))); 3099 if (len < 0 || !in) { 3100 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); 3101 return SECFailure; 3102 } 3103 3104 if (ss->pendingBuf.len > SSL3_PENDING_HIGH_WATER && 3105 !ssl_SocketIsBlocking(ss)) { 3106 PORT_Assert(!ssl_SocketIsBlocking(ss)); 3107 PORT_SetError(PR_WOULD_BLOCK_ERROR); 3108 return SECFailure; 3109 } 3110 3111 if (ss->appDataBuffered && len) { 3112 PORT_Assert (in[0] == (unsigned char)(ss->appDataBuffered)); 3113 if (in[0] != (unsigned char)(ss->appDataBuffered)) { 3114 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); 3115 return SECFailure; 3116 } 3117 in++; 3118 len--; 3119 discarded = 1; 3120 } 3121 while (len > totalSent) { 3122 PRInt32 sent, toSend; 3123 3124 if (totalSent > 0) { 3125 /* 3126 * The thread yield is intended to give the reader thread a 3127 * chance to get some cycles while the writer thread is in 3128 * the middle of a large application data write. (See 3129 * Bugzilla bug 127740, comment #1.) 3130 */ 3131 ssl_ReleaseXmitBufLock(ss); 3132 PR_Sleep(PR_INTERVAL_NO_WAIT); /* PR_Yield(); */ 3133 ssl_GetXmitBufLock(ss); 3134 } 3135 toSend = PR_MIN(len - totalSent, MAX_FRAGMENT_LENGTH); 3136 /* 3137 * Note that the 0 epoch is OK because flags will never require 3138 * its use, as guaranteed by the PORT_Assert above. 3139 */ 3140 sent = ssl3_SendRecord(ss, 0, content_application_data, 3141 in + totalSent, toSend, flags); 3142 if (sent < 0) { 3143 if (totalSent > 0 && PR_GetError() == PR_WOULD_BLOCK_ERROR) { 3144 PORT_Assert(ss->lastWriteBlocked); 3145 break; 3146 } 3147 return SECFailure; /* error code set by ssl3_SendRecord */ 3148 } 3149 totalSent += sent; 3150 if (ss->pendingBuf.len) { 3151 /* must be a non-blocking socket */ 3152 PORT_Assert(!ssl_SocketIsBlocking(ss)); 3153 PORT_Assert(ss->lastWriteBlocked); 3154 break; 3155 } 3156 } 3157 if (ss->pendingBuf.len) { 3158 /* Must be non-blocking. */ 3159 PORT_Assert(!ssl_SocketIsBlocking(ss)); 3160 if (totalSent > 0) { 3161 ss->appDataBuffered = 0x100 | in[totalSent - 1]; 3162 } 3163 3164 totalSent = totalSent + discarded - 1; 3165 if (totalSent <= 0) { 3166 PORT_SetError(PR_WOULD_BLOCK_ERROR); 3167 totalSent = SECFailure; 3168 } 3169 return totalSent; 3170 } 3171 ss->appDataBuffered = 0; 3172 return totalSent + discarded; 3173 } 3174 3175 /* Attempt to send buffered handshake messages. 3176 * This function returns SECSuccess or SECFailure, never SECWouldBlock. 3177 * Always set sendBuf.len to 0, even when returning SECFailure. 3178 * 3179 * Depending on whether we are doing DTLS or not, this either calls 3180 * 3181 * - ssl3_FlushHandshakeMessages if non-DTLS 3182 * - dtls_FlushHandshakeMessages if DTLS 3183 * 3184 * Called from SSL3_SendAlert(), ssl3_SendChangeCipherSpecs(), 3185 * ssl3_AppendHandshake(), ssl3_SendClientHello(), 3186 * ssl3_SendHelloRequest(), ssl3_SendServerHelloDone(), 3187 * ssl3_SendFinished(), 3188 */ 3189 static SECStatus 3190 ssl3_FlushHandshake(sslSocket *ss, PRInt32 flags) 3191 { 3192 if (IS_DTLS(ss)) { 3193 return dtls_FlushHandshakeMessages(ss, flags); 3194 } else { 3195 return ssl3_FlushHandshakeMessages(ss, flags); 3196 } 3197 } 3198 3199 /* Attempt to send the content of sendBuf buffer in an SSL handshake record. 3200 * This function returns SECSuccess or SECFailure, never SECWouldBlock. 3201 * Always set sendBuf.len to 0, even when returning SECFailure. 3202 * 3203 * Called from ssl3_FlushHandshake 3204 */ 3205 static SECStatus 3206 ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags) 3207 { 3208 static const PRInt32 allowedFlags = ssl_SEND_FLAG_FORCE_INTO_BUFFER | 3209 ssl_SEND_FLAG_CAP_RECORD_VERSION; 3210 PRInt32 rv = SECSuccess; 3211 3212 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 3213 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); 3214 3215 if (!ss->sec.ci.sendBuf.buf || !ss->sec.ci.sendBuf.len) 3216 return rv; 3217 3218 /* only these flags are allowed */ 3219 PORT_Assert(!(flags & ~allowedFlags)); 3220 if ((flags & ~allowedFlags) != 0) { 3221 PORT_SetError(SEC_ERROR_INVALID_ARGS); 3222 rv = SECFailure; 3223 } else { 3224 rv = ssl3_SendRecord(ss, 0, content_handshake, ss->sec.ci.sendBuf.buf, 3225 ss->sec.ci.sendBuf.len, flags); 3226 } 3227 if (rv < 0) { 3228 int err = PORT_GetError(); 3229 PORT_Assert(err != PR_WOULD_BLOCK_ERROR); 3230 if (err == PR_WOULD_BLOCK_ERROR) { 3231 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 3232 } 3233 } else if (rv < ss->sec.ci.sendBuf.len) { 3234 /* short write should never happen */ 3235 PORT_Assert(rv >= ss->sec.ci.sendBuf.len); 3236 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 3237 rv = SECFailure; 3238 } else { 3239 rv = SECSuccess; 3240 } 3241 3242 /* Whether we succeeded or failed, toss the old handshake data. */ 3243 ss->sec.ci.sendBuf.len = 0; 3244 return rv; 3245 } 3246 3247 /* 3248 * Called from ssl3_HandleAlert and from ssl3_HandleCertificate when 3249 * the remote client sends a negative response to our certificate request. 3250 * Returns SECFailure if the application has required client auth. 3251 * SECSuccess otherwise. 3252 */ 3253 static SECStatus 3254 ssl3_HandleNoCertificate(sslSocket *ss) 3255 { 3256 if (ss->sec.peerCert != NULL) { 3257 if (ss->sec.peerKey != NULL) { 3258 SECKEY_DestroyPublicKey(ss->sec.peerKey); 3259 ss->sec.peerKey = NULL; 3260 } 3261 CERT_DestroyCertificate(ss->sec.peerCert); 3262 ss->sec.peerCert = NULL; 3263 } 3264 ssl3_CleanupPeerCerts(ss); 3265 3266 /* If the server has required client-auth blindly but doesn't 3267 * actually look at the certificate it won't know that no 3268 * certificate was presented so we shutdown the socket to ensure 3269 * an error. We only do this if we haven't already completed the 3270 * first handshake because if we're redoing the handshake we 3271 * know the server is paying attention to the certificate. 3272 */ 3273 if ((ss->opt.requireCertificate == SSL_REQUIRE_ALWAYS) || 3274 (!ss->firstHsDone && 3275 (ss->opt.requireCertificate == SSL_REQUIRE_FIRST_HANDSHAKE))) { 3276 PRFileDesc * lower; 3277 3278 if (ss->sec.uncache) 3279 ss->sec.uncache(ss->sec.ci.sid); 3280 SSL3_SendAlert(ss, alert_fatal, bad_certificate); 3281 3282 lower = ss->fd->lower; 3283 #ifdef _WIN32 3284 lower->methods->shutdown(lower, PR_SHUTDOWN_SEND); 3285 #else 3286 lower->methods->shutdown(lower, PR_SHUTDOWN_BOTH); 3287 #endif 3288 PORT_SetError(SSL_ERROR_NO_CERTIFICATE); 3289 return SECFailure; 3290 } 3291 return SECSuccess; 3292 } 3293 3294 /************************************************************************ 3295 * Alerts 3296 */ 3297 3298 /* 3299 ** Acquires both handshake and XmitBuf locks. 3300 ** Called from: ssl3_IllegalParameter <- 3301 ** ssl3_HandshakeFailure <- 3302 ** ssl3_HandleAlert <- ssl3_HandleRecord. 3303 ** ssl3_HandleChangeCipherSpecs <- ssl3_HandleRecord 3304 ** ssl3_ConsumeHandshakeVariable <- 3305 ** ssl3_HandleHelloRequest <- 3306 ** ssl3_HandleServerHello <- 3307 ** ssl3_HandleServerKeyExchange <- 3308 ** ssl3_HandleCertificateRequest <- 3309 ** ssl3_HandleServerHelloDone <- 3310 ** ssl3_HandleClientHello <- 3311 ** ssl3_HandleV2ClientHello <- 3312 ** ssl3_HandleCertificateVerify <- 3313 ** ssl3_HandleClientKeyExchange <- 3314 ** ssl3_HandleCertificate <- 3315 ** ssl3_HandleFinished <- 3316 ** ssl3_HandleHandshakeMessage <- 3317 ** ssl3_HandleRecord <- 3318 ** 3319 */ 3320 SECStatus 3321 SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level, SSL3AlertDescription desc) 3322 { 3323 PRUint8 bytes[2]; 3324 SECStatus rv; 3325 3326 SSL_TRC(3, ("%d: SSL3[%d]: send alert record, level=%d desc=%d", 3327 SSL_GETPID(), ss->fd, level, desc)); 3328 3329 bytes[0] = level; 3330 bytes[1] = desc; 3331 3332 ssl_GetSSL3HandshakeLock(ss); 3333 if (level == alert_fatal) { 3334 if (!ss->opt.noCache && ss->sec.ci.sid && ss->sec.uncache) { 3335 ss->sec.uncache(ss->sec.ci.sid); 3336 } 3337 } 3338 ssl_GetXmitBufLock(ss); 3339 rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER); 3340 if (rv == SECSuccess) { 3341 PRInt32 sent; 3342 sent = ssl3_SendRecord(ss, 0, content_alert, bytes, 2, 3343 desc == no_certificate 3344 ? ssl_SEND_FLAG_FORCE_INTO_BUFFER : 0); 3345 rv = (sent >= 0) ? SECSuccess : (SECStatus)sent; 3346 } 3347 ssl_ReleaseXmitBufLock(ss); 3348 ssl_ReleaseSSL3HandshakeLock(ss); 3349 return rv; /* error set by ssl3_FlushHandshake or ssl3_SendRecord */ 3350 } 3351 3352 /* 3353 * Send illegal_parameter alert. Set generic error number. 3354 */ 3355 static SECStatus 3356 ssl3_IllegalParameter(sslSocket *ss) 3357 { 3358 (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter); 3359 PORT_SetError(ss->sec.isServer ? SSL_ERROR_BAD_CLIENT 3360 : SSL_ERROR_BAD_SERVER ); 3361 return SECFailure; 3362 } 3363 3364 /* 3365 * Send handshake_Failure alert. Set generic error number. 3366 */ 3367 static SECStatus 3368 ssl3_HandshakeFailure(sslSocket *ss) 3369 { 3370 (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure); 3371 PORT_SetError( ss->sec.isServer ? SSL_ERROR_BAD_CLIENT 3372 : SSL_ERROR_BAD_SERVER ); 3373 return SECFailure; 3374 } 3375 3376 static void 3377 ssl3_SendAlertForCertError(sslSocket * ss, PRErrorCode errCode) 3378 { 3379 SSL3AlertDescription desc = bad_certificate; 3380 PRBool isTLS = ss->version >= SSL_LIBRARY_VERSION_3_1_TLS; 3381 3382 switch (errCode) { 3383 case SEC_ERROR_LIBRARY_FAILURE: desc = unsupported_certificate; break; 3384 case SEC_ERROR_EXPIRED_CERTIFICATE: desc = certificate_expired; break; 3385 case SEC_ERROR_REVOKED_CERTIFICATE: desc = certificate_revoked; break; 3386 case SEC_ERROR_INADEQUATE_KEY_USAGE: 3387 case SEC_ERROR_INADEQUATE_CERT_TYPE: 3388 desc = certificate_unknown; break; 3389 case SEC_ERROR_UNTRUSTED_CERT: 3390 desc = isTLS ? access_denied : certificate_unknown; break; 3391 case SEC_ERROR_UNKNOWN_ISSUER: 3392 case SEC_ERROR_UNTRUSTED_ISSUER: 3393 desc = isTLS ? unknown_ca : certificate_unknown; break; 3394 case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE: 3395 desc = isTLS ? unknown_ca : certificate_expired; break; 3396 3397 case SEC_ERROR_CERT_NOT_IN_NAME_SPACE: 3398 case SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID: 3399 case SEC_ERROR_CA_CERT_INVALID: 3400 case SEC_ERROR_BAD_SIGNATURE: 3401 default: desc = bad_certificate; break; 3402 } 3403 SSL_DBG(("%d: SSL3[%d]: peer certificate is no good: error=%d", 3404 SSL_GETPID(), ss->fd, errCode)); 3405 3406 (void) SSL3_SendAlert(ss, alert_fatal, desc); 3407 } 3408 3409 3410 /* 3411 * Send decode_error alert. Set generic error number. 3412 */ 3413 SECStatus 3414 ssl3_DecodeError(sslSocket *ss) 3415 { 3416 (void)SSL3_SendAlert(ss, alert_fatal, 3417 ss->version > SSL_LIBRARY_VERSION_3_0 ? decode_error 3418 : illegal_parameter); 3419 PORT_SetError( ss->sec.isServer ? SSL_ERROR_BAD_CLIENT 3420 : SSL_ERROR_BAD_SERVER ); 3421 return SECFailure; 3422 } 3423 3424 /* Called from ssl3_HandleRecord. 3425 ** Caller must hold both RecvBuf and Handshake locks. 3426 */ 3427 static SECStatus 3428 ssl3_HandleAlert(sslSocket *ss, sslBuffer *buf) 3429 { 3430 SSL3AlertLevel level; 3431 SSL3AlertDescription desc; 3432 int error; 3433 3434 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 3435 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 3436 3437 SSL_TRC(3, ("%d: SSL3[%d]: handle alert record", SSL_GETPID(), ss->fd)); 3438 3439 if (buf->len != 2) { 3440 (void)ssl3_DecodeError(ss); 3441 PORT_SetError(SSL_ERROR_RX_MALFORMED_ALERT); 3442 return SECFailure; 3443 } 3444 level = (SSL3AlertLevel)buf->buf[0]; 3445 desc = (SSL3AlertDescription)buf->buf[1]; 3446 buf->len = 0; 3447 SSL_TRC(5, ("%d: SSL3[%d] received alert, level = %d, description = %d", 3448 SSL_GETPID(), ss->fd, level, desc)); 3449 3450 switch (desc) { 3451 case close_notify: ss->recvdCloseNotify = 1; 3452 error = SSL_ERROR_CLOSE_NOTIFY_ALERT; break; 3453 case unexpected_message: error = SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT; 3454 break; 3455 case bad_record_mac: error = SSL_ERROR_BAD_MAC_ALERT; break; 3456 case decryption_failed_RESERVED: 3457 error = SSL_ERROR_DECRYPTION_FAILED_ALERT; 3458 break; 3459 case record_overflow: error = SSL_ERROR_RECORD_OVERFLOW_ALERT; break; 3460 case decompression_failure: error = SSL_ERROR_DECOMPRESSION_FAILURE_ALERT; 3461 break; 3462 case handshake_failure: error = SSL_ERROR_HANDSHAKE_FAILURE_ALERT; 3463 break; 3464 case no_certificate: error = SSL_ERROR_NO_CERTIFICATE; break; 3465 case bad_certificate: error = SSL_ERROR_BAD_CERT_ALERT; break; 3466 case unsupported_certificate:error = SSL_ERROR_UNSUPPORTED_CERT_ALERT;break; 3467 case certificate_revoked: error = SSL_ERROR_REVOKED_CERT_ALERT; break; 3468 case certificate_expired: error = SSL_ERROR_EXPIRED_CERT_ALERT; break; 3469 case certificate_unknown: error = SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT; 3470 break; 3471 case illegal_parameter: error = SSL_ERROR_ILLEGAL_PARAMETER_ALERT;break; 3472 case inappropriate_fallback: 3473 error = SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT; 3474 break; 3475 3476 /* All alerts below are TLS only. */ 3477 case unknown_ca: error = SSL_ERROR_UNKNOWN_CA_ALERT; break; 3478 case access_denied: error = SSL_ERROR_ACCESS_DENIED_ALERT; break; 3479 case decode_error: error = SSL_ERROR_DECODE_ERROR_ALERT; break; 3480 case decrypt_error: error = SSL_ERROR_DECRYPT_ERROR_ALERT; break; 3481 case export_restriction: error = SSL_ERROR_EXPORT_RESTRICTION_ALERT; 3482 break; 3483 case protocol_version: error = SSL_ERROR_PROTOCOL_VERSION_ALERT; break; 3484 case insufficient_security: error = SSL_ERROR_INSUFFICIENT_SECURITY_ALERT; 3485 break; 3486 case internal_error: error = SSL_ERROR_INTERNAL_ERROR_ALERT; break; 3487 case user_canceled: error = SSL_ERROR_USER_CANCELED_ALERT; break; 3488 case no_renegotiation: error = SSL_ERROR_NO_RENEGOTIATION_ALERT; break; 3489 3490 /* Alerts for TLS client hello extensions */ 3491 case unsupported_extension: 3492 error = SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT; break; 3493 case certificate_unobtainable: 3494 error = SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT; break; 3495 case unrecognized_name: 3496 error = SSL_ERROR_UNRECOGNIZED_NAME_ALERT; break; 3497 case bad_certificate_status_response: 3498 error = SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT; break; 3499 case bad_certificate_hash_value: 3500 error = SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT; break; 3501 default: error = SSL_ERROR_RX_UNKNOWN_ALERT; break; 3502 } 3503 if (level == alert_fatal) { 3504 if (!ss->opt.noCache) { 3505 if (ss->sec.uncache) 3506 ss->sec.uncache(ss->sec.ci.sid); 3507 } 3508 if ((ss->ssl3.hs.ws == wait_server_hello) && 3509 (desc == handshake_failure)) { 3510 /* XXX This is a hack. We're assuming that any handshake failure 3511 * XXX on the client hello is a failure to match ciphers. 3512 */ 3513 error = SSL_ERROR_NO_CYPHER_OVERLAP; 3514 } 3515 PORT_SetError(error); 3516 return SECFailure; 3517 } 3518 if ((desc == no_certificate) && (ss->ssl3.hs.ws == wait_client_cert)) { 3519 /* I'm a server. I've requested a client cert. He hasn't got one. */ 3520 SECStatus rv; 3521 3522 PORT_Assert(ss->sec.isServer); 3523 ss->ssl3.hs.ws = wait_client_key; 3524 rv = ssl3_HandleNoCertificate(ss); 3525 return rv; 3526 } 3527 return SECSuccess; 3528 } 3529 3530 /* 3531 * Change Cipher Specs 3532 * Called from ssl3_HandleServerHelloDone, 3533 * ssl3_HandleClientHello, 3534 * and ssl3_HandleFinished 3535 * 3536 * Acquires and releases spec write lock, to protect switching the current 3537 * and pending write spec pointers. 3538 */ 3539 3540 static SECStatus 3541 ssl3_SendChangeCipherSpecs(sslSocket *ss) 3542 { 3543 PRUint8 change = change_cipher_spec_choice; 3544 ssl3CipherSpec * pwSpec; 3545 SECStatus rv; 3546 PRInt32 sent; 3547 3548 SSL_TRC(3, ("%d: SSL3[%d]: send change_cipher_spec record", 3549 SSL_GETPID(), ss->fd)); 3550 3551 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); 3552 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 3553 3554 rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER); 3555 if (rv != SECSuccess) { 3556 return rv; /* error code set by ssl3_FlushHandshake */ 3557 } 3558 if (!IS_DTLS(ss)) { 3559 sent = ssl3_SendRecord(ss, 0, content_change_cipher_spec, &change, 1, 3560 ssl_SEND_FLAG_FORCE_INTO_BUFFER); 3561 if (sent < 0) { 3562 return (SECStatus)sent; /* error code set by ssl3_SendRecord */ 3563 } 3564 } else { 3565 rv = dtls_QueueMessage(ss, content_change_cipher_spec, &change, 1); 3566 if (rv != SECSuccess) { 3567 return rv; 3568 } 3569 } 3570 3571 /* swap the pending and current write specs. */ 3572 ssl_GetSpecWriteLock(ss); /**************************************/ 3573 pwSpec = ss->ssl3.pwSpec; 3574 3575 ss->ssl3.pwSpec = ss->ssl3.cwSpec; 3576 ss->ssl3.cwSpec = pwSpec; 3577 3578 SSL_TRC(3, ("%d: SSL3[%d] Set Current Write Cipher Suite to Pending", 3579 SSL_GETPID(), ss->fd )); 3580 3581 /* We need to free up the contexts, keys and certs ! */ 3582 /* If we are really through with the old cipher spec 3583 * (Both the read and write sides have changed) destroy it. 3584 */ 3585 if (ss->ssl3.prSpec == ss->ssl3.pwSpec) { 3586 if (!IS_DTLS(ss)) { 3587 ssl3_DestroyCipherSpec(ss->ssl3.pwSpec, PR_FALSE/*freeSrvName*/); 3588 } else { 3589 /* With DTLS, we need to set a holddown timer in case the final 3590 * message got lost */ 3591 ss->ssl3.hs.rtTimeoutMs = DTLS_FINISHED_TIMER_MS; 3592 dtls_StartTimer(ss, dtls_FinishedTimerCb); 3593 } 3594 } 3595 ssl_ReleaseSpecWriteLock(ss); /**************************************/ 3596 3597 return SECSuccess; 3598 } 3599 3600 /* Called from ssl3_HandleRecord. 3601 ** Caller must hold both RecvBuf and Handshake locks. 3602 * 3603 * Acquires and releases spec write lock, to protect switching the current 3604 * and pending write spec pointers. 3605 */ 3606 static SECStatus 3607 ssl3_HandleChangeCipherSpecs(sslSocket *ss, sslBuffer *buf) 3608 { 3609 ssl3CipherSpec * prSpec; 3610 SSL3WaitState ws = ss->ssl3.hs.ws; 3611 SSL3ChangeCipherSpecChoice change; 3612 3613 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 3614 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 3615 3616 SSL_TRC(3, ("%d: SSL3[%d]: handle change_cipher_spec record", 3617 SSL_GETPID(), ss->fd)); 3618 3619 if (ws != wait_change_cipher) { 3620 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); 3621 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER); 3622 return SECFailure; 3623 } 3624 3625 if(buf->len != 1) { 3626 (void)ssl3_DecodeError(ss); 3627 PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); 3628 return SECFailure; 3629 } 3630 change = (SSL3ChangeCipherSpecChoice)buf->buf[0]; 3631 if (change != change_cipher_spec_choice) { 3632 /* illegal_parameter is correct here for both SSL3 and TLS. */ 3633 (void)ssl3_IllegalParameter(ss); 3634 PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); 3635 return SECFailure; 3636 } 3637 buf->len = 0; 3638 3639 /* Swap the pending and current read specs. */ 3640 ssl_GetSpecWriteLock(ss); /*************************************/ 3641 prSpec = ss->ssl3.prSpec; 3642 3643 ss->ssl3.prSpec = ss->ssl3.crSpec; 3644 ss->ssl3.crSpec = prSpec; 3645 ss->ssl3.hs.ws = wait_finished; 3646 3647 SSL_TRC(3, ("%d: SSL3[%d] Set Current Read Cipher Suite to Pending", 3648 SSL_GETPID(), ss->fd )); 3649 3650 /* If we are really through with the old cipher prSpec 3651 * (Both the read and write sides have changed) destroy it. 3652 */ 3653 if (ss->ssl3.prSpec == ss->ssl3.pwSpec) { 3654 ssl3_DestroyCipherSpec(ss->ssl3.prSpec, PR_FALSE/*freeSrvName*/); 3655 } 3656 ssl_ReleaseSpecWriteLock(ss); /*************************************/ 3657 return SECSuccess; 3658 } 3659 3660 /* This method uses PKCS11 to derive the MS from the PMS, where PMS 3661 ** is a PKCS11 symkey. This is used in all cases except the 3662 ** "triple bypass" with RSA key exchange. 3663 ** Called from ssl3_InitPendingCipherSpec. prSpec is pwSpec. 3664 */ 3665 static SECStatus 3666 ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms) 3667 { 3668 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec; 3669 const ssl3KEADef *kea_def= ss->ssl3.hs.kea_def; 3670 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random; 3671 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random; 3672 PRBool isTLS = (PRBool)(kea_def->tls_keygen || 3673 (pwSpec->version > SSL_LIBRARY_VERSION_3_0)); 3674 PRBool isTLS12= 3675 (PRBool)(isTLS && pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); 3676 /* 3677 * Whenever isDH is true, we need to use CKM_TLS_MASTER_KEY_DERIVE_DH 3678 * which, unlike CKM_TLS_MASTER_KEY_DERIVE, converts arbitrary size 3679 * data into a 48-byte value. 3680 */ 3681 PRBool isDH = (PRBool) ((ss->ssl3.hs.kea_def->exchKeyType == kt_dh) || 3682 (ss->ssl3.hs.kea_def->exchKeyType == kt_ecdh)); 3683 SECStatus rv = SECFailure; 3684 CK_MECHANISM_TYPE master_derive; 3685 CK_MECHANISM_TYPE key_derive; 3686 SECItem params; 3687 CK_FLAGS keyFlags; 3688 CK_VERSION pms_version; 3689 CK_SSL3_MASTER_KEY_DERIVE_PARAMS master_params; 3690 3691 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 3692 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); 3693 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); 3694 if (isTLS12) { 3695 if(isDH) master_derive = CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256; 3696 else master_derive = CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256; 3697 key_derive = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256; 3698 keyFlags = CKF_SIGN | CKF_VERIFY; 3699 } else if (isTLS) { 3700 if(isDH) master_derive = CKM_TLS_MASTER_KEY_DERIVE_DH; 3701 else master_derive = CKM_TLS_MASTER_KEY_DERIVE; 3702 key_derive = CKM_TLS_KEY_AND_MAC_DERIVE; 3703 keyFlags = CKF_SIGN | CKF_VERIFY; 3704 } else { 3705 if (isDH) master_derive = CKM_SSL3_MASTER_KEY_DERIVE_DH; 3706 else master_derive = CKM_SSL3_MASTER_KEY_DERIVE; 3707 key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE; 3708 keyFlags = 0; 3709 } 3710 3711 if (pms || !pwSpec->master_secret) { 3712 if (isDH) { 3713 master_params.pVersion = NULL; 3714 } else { 3715 master_params.pVersion = &pms_version; 3716 } 3717 master_params.RandomInfo.pClientRandom = cr; 3718 master_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH; 3719 master_params.RandomInfo.pServerRandom = sr; 3720 master_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH; 3721 3722 params.data = (unsigned char *) &master_params; 3723 params.len = sizeof master_params; 3724 } 3725 3726 if (pms != NULL) { 3727 #if defined(TRACE) 3728 if (ssl_trace >= 100) { 3729 SECStatus extractRV = PK11_ExtractKeyValue(pms); 3730 if (extractRV == SECSuccess) { 3731 SECItem * keyData = PK11_GetKeyData(pms); 3732 if (keyData && keyData->data && keyData->len) { 3733 ssl_PrintBuf(ss, "Pre-Master Secret", 3734 keyData->data, keyData->len); 3735 } 3736 } 3737 } 3738 #endif 3739 pwSpec->master_secret = PK11_DeriveWithFlags(pms, master_derive, 3740 ¶ms, key_derive, CKA_DERIVE, 0, keyFlags); 3741 if (!isDH && pwSpec->master_secret && ss->opt.detectRollBack) { 3742 SSL3ProtocolVersion client_version; 3743 client_version = pms_version.major << 8 | pms_version.minor; 3744 3745 if (IS_DTLS(ss)) { 3746 client_version = dtls_DTLSVersionToTLSVersion(client_version); 3747 } 3748 3749 if (client_version != ss->clientHelloVersion) { 3750 /* Destroy it. Version roll-back detected. */ 3751 PK11_FreeSymKey(pwSpec->master_secret); 3752 pwSpec->master_secret = NULL; 3753 } 3754 } 3755 if (pwSpec->master_secret == NULL) { 3756 /* Generate a faux master secret in the same slot as the old one. */ 3757 PK11SlotInfo * slot = PK11_GetSlotFromKey((PK11SymKey *)pms); 3758 PK11SymKey * fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot); 3759 3760 PK11_FreeSlot(slot); 3761 if (fpms != NULL) { 3762 pwSpec->master_secret = PK11_DeriveWithFlags(fpms, 3763 master_derive, ¶ms, key_derive, 3764 CKA_DERIVE, 0, keyFlags); 3765 PK11_FreeSymKey(fpms); 3766 } 3767 } 3768 } 3769 if (pwSpec->master_secret == NULL) { 3770 /* Generate a faux master secret from the internal slot. */ 3771 PK11SlotInfo * slot = PK11_GetInternalSlot(); 3772 PK11SymKey * fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot); 3773 3774 PK11_FreeSlot(slot); 3775 if (fpms != NULL) { 3776 pwSpec->master_secret = PK11_DeriveWithFlags(fpms, 3777 master_derive, ¶ms, key_derive, 3778 CKA_DERIVE, 0, keyFlags); 3779 if (pwSpec->master_secret == NULL) { 3780 pwSpec->master_secret = fpms; /* use the fpms as the master. */ 3781 fpms = NULL; 3782 } 3783 } 3784 if (fpms) { 3785 PK11_FreeSymKey(fpms); 3786 } 3787 } 3788 if (pwSpec->master_secret == NULL) { 3789 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); 3790 return rv; 3791 } 3792 #ifndef NO_PKCS11_BYPASS 3793 if (ss->opt.bypassPKCS11) { 3794 SECItem * keydata; 3795 /* In hope of doing a "double bypass", 3796 * need to extract the master secret's value from the key object 3797 * and store it raw in the sslSocket struct. 3798 */ 3799 rv = PK11_ExtractKeyValue(pwSpec->master_secret); 3800 if (rv != SECSuccess) { 3801 return rv; 3802 } 3803 /* This returns the address of the secItem inside the key struct, 3804 * not a copy or a reference. So, there's no need to free it. 3805 */ 3806 keydata = PK11_GetKeyData(pwSpec->master_secret); 3807 if (keydata && keydata->len <= sizeof pwSpec->raw_master_secret) { 3808 memcpy(pwSpec->raw_master_secret, keydata->data, keydata->len); 3809 pwSpec->msItem.data = pwSpec->raw_master_secret; 3810 pwSpec->msItem.len = keydata->len; 3811 } else { 3812 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 3813 return SECFailure; 3814 } 3815 } 3816 #endif 3817 return SECSuccess; 3818 } 3819 3820 3821 /* 3822 * Derive encryption and MAC Keys (and IVs) from master secret 3823 * Sets a useful error code when returning SECFailure. 3824 * 3825 * Called only from ssl3_InitPendingCipherSpec(), 3826 * which in turn is called from 3827 * sendRSAClientKeyExchange (for Full handshake) 3828 * sendDHClientKeyExchange (for Full handshake) 3829 * ssl3_HandleClientKeyExchange (for Full handshake) 3830 * ssl3_HandleServerHello (for session restart) 3831 * ssl3_HandleClientHello (for session restart) 3832 * Caller MUST hold the specWriteLock, and SSL3HandshakeLock. 3833 * ssl3_InitPendingCipherSpec does that. 3834 * 3835 */ 3836 static SECStatus 3837 ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss) 3838 { 3839 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec; 3840 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; 3841 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random; 3842 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random; 3843 PRBool isTLS = (PRBool)(kea_def->tls_keygen || 3844 (pwSpec->version > SSL_LIBRARY_VERSION_3_0)); 3845 PRBool isTLS12= 3846 (PRBool)(isTLS && pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); 3847 /* following variables used in PKCS11 path */ 3848 const ssl3BulkCipherDef *cipher_def = pwSpec->cipher_def; 3849 PK11SlotInfo * slot = NULL; 3850 PK11SymKey * symKey = NULL; 3851 void * pwArg = ss->pkcs11PinArg; 3852 int keySize; 3853 CK_SSL3_KEY_MAT_PARAMS key_material_params; 3854 CK_SSL3_KEY_MAT_OUT returnedKeys; 3855 CK_MECHANISM_TYPE key_derive; 3856 CK_MECHANISM_TYPE bulk_mechanism; 3857 SSLCipherAlgorithm calg; 3858 SECItem params; 3859 PRBool skipKeysAndIVs = (PRBool)(cipher_def->calg == calg_null); 3860 3861 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 3862 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); 3863 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); 3864 3865 if (!pwSpec->master_secret) { 3866 PORT_SetError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); 3867 return SECFailure; 3868 } 3869 /* 3870 * generate the key material 3871 */ 3872 key_material_params.ulMacSizeInBits = pwSpec->mac_size * BPB; 3873 key_material_params.ulKeySizeInBits = cipher_def->secret_key_size* BPB; 3874 key_material_params.ulIVSizeInBits = cipher_def->iv_size * BPB; 3875 if (cipher_def->type == type_block && 3876 pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { 3877 /* Block ciphers in >= TLS 1.1 use a per-record, explicit IV. */ 3878 key_material_params.ulIVSizeInBits = 0; 3879 memset(pwSpec->client.write_iv, 0, cipher_def->iv_size); 3880 memset(pwSpec->server.write_iv, 0, cipher_def->iv_size); 3881 } 3882 3883 key_material_params.bIsExport = (CK_BBOOL)(kea_def->is_limited); 3884 3885 key_material_params.RandomInfo.pClientRandom = cr; 3886 key_material_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH; 3887 key_material_params.RandomInfo.pServerRandom = sr; 3888 key_material_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH; 3889 key_material_params.pReturnedKeyMaterial = &returnedKeys; 3890 3891 returnedKeys.pIVClient = pwSpec->client.write_iv; 3892 returnedKeys.pIVServer = pwSpec->server.write_iv; 3893 keySize = cipher_def->key_size; 3894 3895 if (skipKeysAndIVs) { 3896 keySize = 0; 3897 key_material_params.ulKeySizeInBits = 0; 3898 key_material_params.ulIVSizeInBits = 0; 3899 returnedKeys.pIVClient = NULL; 3900 returnedKeys.pIVServer = NULL; 3901 } 3902 3903 calg = cipher_def->calg; 3904 PORT_Assert( alg2Mech[calg].calg == calg); 3905 bulk_mechanism = alg2Mech[calg].cmech; 3906 3907 params.data = (unsigned char *)&key_material_params; 3908 params.len = sizeof(key_material_params); 3909 3910 if (isTLS12) { 3911 key_derive = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256; 3912 } else if (isTLS) { 3913 key_derive = CKM_TLS_KEY_AND_MAC_DERIVE; 3914 } else { 3915 key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE; 3916 } 3917 3918 /* CKM_SSL3_KEY_AND_MAC_DERIVE is defined to set ENCRYPT, DECRYPT, and 3919 * DERIVE by DEFAULT */ 3920 symKey = PK11_Derive(pwSpec->master_secret, key_derive, ¶ms, 3921 bulk_mechanism, CKA_ENCRYPT, keySize); 3922 if (!symKey) { 3923 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); 3924 return SECFailure; 3925 } 3926 /* we really should use the actual mac'ing mechanism here, but we 3927 * don't because these types are used to map keytype anyway and both 3928 * mac's map to the same keytype. 3929 */ 3930 slot = PK11_GetSlotFromKey(symKey); 3931 3932 PK11_FreeSlot(slot); /* slot is held until the key is freed */ 3933 pwSpec->client.write_mac_key = 3934 PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive, 3935 CKM_SSL3_SHA1_MAC, returnedKeys.hClientMacSecret, PR_TRUE, pwArg); 3936 if (pwSpec->client.write_mac_key == NULL ) { 3937 goto loser; /* loser sets err */ 3938 } 3939 pwSpec->server.write_mac_key = 3940 PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive, 3941 CKM_SSL3_SHA1_MAC, returnedKeys.hServerMacSecret, PR_TRUE, pwArg); 3942 if (pwSpec->server.write_mac_key == NULL ) { 3943 goto loser; /* loser sets err */ 3944 } 3945 if (!skipKeysAndIVs) { 3946 pwSpec->client.write_key = 3947 PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive, 3948 bulk_mechanism, returnedKeys.hClientKey, PR_TRUE, pwArg); 3949 if (pwSpec->client.write_key == NULL ) { 3950 goto loser; /* loser sets err */ 3951 } 3952 pwSpec->server.write_key = 3953 PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive, 3954 bulk_mechanism, returnedKeys.hServerKey, PR_TRUE, pwArg); 3955 if (pwSpec->server.write_key == NULL ) { 3956 goto loser; /* loser sets err */ 3957 } 3958 } 3959 PK11_FreeSymKey(symKey); 3960 return SECSuccess; 3961 3962 3963 loser: 3964 if (symKey) PK11_FreeSymKey(symKey); 3965 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); 3966 return SECFailure; 3967 } 3968 3969 /* ssl3_InitHandshakeHashes creates handshake hash contexts and hashes in 3970 * buffered messages in ss->ssl3.hs.messages. */ 3971 static SECStatus 3972 ssl3_InitHandshakeHashes(sslSocket *ss) 3973 { 3974 SSL_TRC(30,("%d: SSL3[%d]: start handshake hashes", SSL_GETPID(), ss->fd)); 3975 3976 PORT_Assert(ss->ssl3.hs.hashType == handshake_hash_unknown); 3977 #ifndef NO_PKCS11_BYPASS 3978 if (ss->opt.bypassPKCS11) { 3979 PORT_Assert(!ss->ssl3.hs.sha_obj && !ss->ssl3.hs.sha_clone); 3980 if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) { 3981 /* If we ever support ciphersuites where the PRF hash isn't SHA-256 3982 * then this will need to be updated. */ 3983 ss->ssl3.hs.sha_obj = HASH_GetRawHashObject(HASH_AlgSHA256); 3984 if (!ss->ssl3.hs.sha_obj) { 3985 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); 3986 return SECFailure; 3987 } 3988 ss->ssl3.hs.sha_clone = (void (*)(void *, void *))SHA256_Clone; 3989 ss->ssl3.hs.hashType = handshake_hash_single; 3990 ss->ssl3.hs.sha_obj->begin(ss->ssl3.hs.sha_cx); 3991 } else { 3992 ss->ssl3.hs.hashType = handshake_hash_combo; 3993 MD5_Begin((MD5Context *)ss->ssl3.hs.md5_cx); 3994 SHA1_Begin((SHA1Context *)ss->ssl3.hs.sha_cx); 3995 } 3996 } else 3997 #endif 3998 { 3999 PORT_Assert(!ss->ssl3.hs.md5 && !ss->ssl3.hs.sha); 4000 /* 4001 * note: We should probably lookup an SSL3 slot for these 4002 * handshake hashes in hopes that we wind up with the same slots 4003 * that the master secret will wind up in ... 4004 */ 4005 if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) { 4006 /* If we ever support ciphersuites where the PRF hash isn't SHA-256 4007 * then this will need to be updated. */ 4008 ss->ssl3.hs.sha = PK11_CreateDigestContext(SEC_OID_SHA256); 4009 if (ss->ssl3.hs.sha == NULL) { 4010 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); 4011 return SECFailure; 4012 } 4013 ss->ssl3.hs.hashType = handshake_hash_single; 4014 4015 if (PK11_DigestBegin(ss->ssl3.hs.sha) != SECSuccess) { 4016 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); 4017 return SECFailure; 4018 } 4019 4020 /* A backup SHA-1 hash for a potential client auth signature. */ 4021 if (!ss->sec.isServer) { 4022 ss->ssl3.hs.md5 = PK11_CreateDigestContext(SEC_OID_SHA1); 4023 if (ss->ssl3.hs.md5 == NULL) { 4024 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); 4025 return SECFailure; 4026 } 4027 4028 if (PK11_DigestBegin(ss->ssl3.hs.md5) != SECSuccess) { 4029 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); 4030 return SECFailure; 4031 } 4032 } 4033 } else { 4034 /* Both ss->ssl3.hs.md5 and ss->ssl3.hs.sha should be NULL or 4035 * created successfully. */ 4036 ss->ssl3.hs.md5 = PK11_CreateDigestContext(SEC_OID_MD5); 4037 if (ss->ssl3.hs.md5 == NULL) { 4038 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); 4039 return SECFailure; 4040 } 4041 ss->ssl3.hs.sha = PK11_CreateDigestContext(SEC_OID_SHA1); 4042 if (ss->ssl3.hs.sha == NULL) { 4043 PK11_DestroyContext(ss->ssl3.hs.md5, PR_TRUE); 4044 ss->ssl3.hs.md5 = NULL; 4045 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); 4046 return SECFailure; 4047 } 4048 ss->ssl3.hs.hashType = handshake_hash_combo; 4049 4050 if (PK11_DigestBegin(ss->ssl3.hs.md5) != SECSuccess) { 4051 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); 4052 return SECFailure; 4053 } 4054 if (PK11_DigestBegin(ss->ssl3.hs.sha) != SECSuccess) { 4055 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); 4056 return SECFailure; 4057 } 4058 } 4059 } 4060 4061 if (ss->ssl3.hs.messages.len > 0) { 4062 if (ssl3_UpdateHandshakeHashes(ss, ss->ssl3.hs.messages.buf, 4063 ss->ssl3.hs.messages.len) != 4064 SECSuccess) { 4065 return SECFailure; 4066 } 4067 PORT_Free(ss->ssl3.hs.messages.buf); 4068 ss->ssl3.hs.messages.buf = NULL; 4069 ss->ssl3.hs.messages.len = 0; 4070 ss->ssl3.hs.messages.space = 0; 4071 } 4072 4073 return SECSuccess; 4074 } 4075 4076 static SECStatus 4077 ssl3_RestartHandshakeHashes(sslSocket *ss) 4078 { 4079 SECStatus rv = SECSuccess; 4080 4081 SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes", 4082 SSL_GETPID(), ss->fd )); 4083 ss->ssl3.hs.hashType = handshake_hash_unknown; 4084 ss->ssl3.hs.messages.len = 0; 4085 #ifndef NO_PKCS11_BYPASS 4086 ss->ssl3.hs.sha_obj = NULL; 4087 ss->ssl3.hs.sha_clone = NULL; 4088 #endif 4089 if (ss->ssl3.hs.md5) { 4090 PK11_DestroyContext(ss->ssl3.hs.md5,PR_TRUE); 4091 ss->ssl3.hs.md5 = NULL; 4092 } 4093 if (ss->ssl3.hs.sha) { 4094 PK11_DestroyContext(ss->ssl3.hs.sha,PR_TRUE); 4095 ss->ssl3.hs.sha = NULL; 4096 } 4097 return rv; 4098 } 4099 4100 /* 4101 * Handshake messages 4102 */ 4103 /* Called from ssl3_InitHandshakeHashes() 4104 ** ssl3_AppendHandshake() 4105 ** ssl3_StartHandshakeHash() 4106 ** ssl3_HandleV2ClientHello() 4107 ** ssl3_HandleHandshakeMessage() 4108 ** Caller must hold the ssl3Handshake lock. 4109 */ 4110 static SECStatus 4111 ssl3_UpdateHandshakeHashes(sslSocket *ss, const unsigned char *b, 4112 unsigned int l) 4113 { 4114 SECStatus rv = SECSuccess; 4115 4116 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 4117 4118 /* We need to buffer the handshake messages until we have established 4119 * which handshake hash function to use. */ 4120 if (ss->ssl3.hs.hashType == handshake_hash_unknown) { 4121 return sslBuffer_Append(&ss->ssl3.hs.messages, b, l); 4122 } 4123 4124 PRINT_BUF(90, (NULL, "handshake hash input:", b, l)); 4125 4126 #ifndef NO_PKCS11_BYPASS 4127 if (ss->opt.bypassPKCS11) { 4128 if (ss->ssl3.hs.hashType == handshake_hash_single) { 4129 ss->ssl3.hs.sha_obj->update(ss->ssl3.hs.sha_cx, b, l); 4130 } else { 4131 MD5_Update((MD5Context *)ss->ssl3.hs.md5_cx, b, l); 4132 SHA1_Update((SHA1Context *)ss->ssl3.hs.sha_cx, b, l); 4133 } 4134 return rv; 4135 } 4136 #endif 4137 if (ss->ssl3.hs.hashType == handshake_hash_single) { 4138 rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l); 4139 if (rv != SECSuccess) { 4140 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); 4141 return rv; 4142 } 4143 if (ss->ssl3.hs.md5) { 4144 rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l); 4145 if (rv != SECSuccess) { 4146 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); 4147 return rv; 4148 } 4149 } 4150 } else { 4151 rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l); 4152 if (rv != SECSuccess) { 4153 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); 4154 return rv; 4155 } 4156 rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l); 4157 if (rv != SECSuccess) { 4158 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); 4159 return rv; 4160 } 4161 } 4162 return rv; 4163 } 4164 4165 /************************************************************************** 4166 * Append Handshake functions. 4167 * All these functions set appropriate error codes. 4168 * Most rely on ssl3_AppendHandshake to set the error code. 4169 **************************************************************************/ 4170 SECStatus 4171 ssl3_AppendHandshake(sslSocket *ss, const void *void_src, PRInt32 bytes) 4172 { 4173 unsigned char * src = (unsigned char *)void_src; 4174 int room = ss->sec.ci.sendBuf.space - ss->sec.ci.sendBuf.len; 4175 SECStatus rv; 4176 4177 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); /* protects sendBuf. */ 4178 4179 if (!bytes) 4180 return SECSuccess; 4181 if (ss->sec.ci.sendBuf.space < MAX_SEND_BUF_LENGTH && room < bytes) { 4182 rv = sslBuffer_Grow(&ss->sec.ci.sendBuf, PR_MAX(MIN_SEND_BUF_LENGTH, 4183 PR_MIN(MAX_SEND_BUF_LENGTH, ss->sec.ci.sendBuf.len + bytes))); 4184 if (rv != SECSuccess) 4185 return rv; /* sslBuffer_Grow has set a memory error code. */ 4186 room = ss->sec.ci.sendBuf.space - ss->sec.ci.sendBuf.len; 4187 } 4188 4189 PRINT_BUF(60, (ss, "Append to Handshake", (unsigned char*)void_src, bytes)); 4190 rv = ssl3_UpdateHandshakeHashes(ss, src, bytes); 4191 if (rv != SECSuccess) 4192 return rv; /* error code set by ssl3_UpdateHandshakeHashes */ 4193 4194 while (bytes > room) { 4195 if (room > 0) 4196 PORT_Memcpy(ss->sec.ci.sendBuf.buf + ss->sec.ci.sendBuf.len, src, 4197 room); 4198 ss->sec.ci.sendBuf.len += room; 4199 rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER); 4200 if (rv != SECSuccess) { 4201 return rv; /* error code set by ssl3_FlushHandshake */ 4202 } 4203 bytes -= room; 4204 src += room; 4205 room = ss->sec.ci.sendBuf.space; 4206 PORT_Assert(ss->sec.ci.sendBuf.len == 0); 4207 } 4208 PORT_Memcpy(ss->sec.ci.sendBuf.buf + ss->sec.ci.sendBuf.len, src, bytes); 4209 ss->sec.ci.sendBuf.len += bytes; 4210 return SECSuccess; 4211 } 4212 4213 SECStatus 4214 ssl3_AppendHandshakeNumber(sslSocket *ss, PRInt32 num, PRInt32 lenSize) 4215 { 4216 SECStatus rv; 4217 PRUint8 b[4]; 4218 PRUint8 * p = b; 4219 4220 switch (lenSize) { 4221 case 4: 4222 *p++ = (num >> 24) & 0xff; 4223 case 3: 4224 *p++ = (num >> 16) & 0xff; 4225 case 2: 4226 *p++ = (num >> 8) & 0xff; 4227 case 1: 4228 *p = num & 0xff; 4229 } 4230 SSL_TRC(60, ("%d: number:", SSL_GETPID())); 4231 rv = ssl3_AppendHandshake(ss, &b[0], lenSize); 4232 return rv; /* error code set by AppendHandshake, if applicable. */ 4233 } 4234 4235 SECStatus 4236 ssl3_AppendHandshakeVariable( 4237 sslSocket *ss, const SSL3Opaque *src, PRInt32 bytes, PRInt32 lenSize) 4238 { 4239 SECStatus rv; 4240 4241 PORT_Assert((bytes < (1<<8) && lenSize == 1) || 4242 (bytes < (1L<<16) && lenSize == 2) || 4243 (bytes < (1L<<24) && lenSize == 3)); 4244 4245 SSL_TRC(60,("%d: append variable:", SSL_GETPID())); 4246 rv = ssl3_AppendHandshakeNumber(ss, bytes, lenSize); 4247 if (rv != SECSuccess) { 4248 return rv; /* error code set by AppendHandshake, if applicable. */ 4249 } 4250 SSL_TRC(60, ("data:")); 4251 rv = ssl3_AppendHandshake(ss, src, bytes); 4252 return rv; /* error code set by AppendHandshake, if applicable. */ 4253 } 4254 4255 SECStatus 4256 ssl3_AppendHandshakeHeader(sslSocket *ss, SSL3HandshakeType t, PRUint32 length) 4257 { 4258 SECStatus rv; 4259 4260 /* If we already have a message in place, we need to enqueue it. 4261 * This empties the buffer. This is a convenient place to call 4262 * dtls_StageHandshakeMessage to mark the message boundary. 4263 */ 4264 if (IS_DTLS(ss)) { 4265 rv = dtls_StageHandshakeMessage(ss); 4266 if (rv != SECSuccess) { 4267 return rv; 4268 } 4269 } 4270 4271 SSL_TRC(30,("%d: SSL3[%d]: append handshake header: type %s", 4272 SSL_GETPID(), ss->fd, ssl3_DecodeHandshakeType(t))); 4273 4274 rv = ssl3_AppendHandshakeNumber(ss, t, 1); 4275 if (rv != SECSuccess) { 4276 return rv; /* error code set by AppendHandshake, if applicable. */ 4277 } 4278 rv = ssl3_AppendHandshakeNumber(ss, length, 3); 4279 if (rv != SECSuccess) { 4280 return rv; /* error code set by AppendHandshake, if applicable. */ 4281 } 4282 4283 if (IS_DTLS(ss)) { 4284 /* Note that we make an unfragmented message here. We fragment in the 4285 * transmission code, if necessary */ 4286 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.sendMessageSeq, 2); 4287 if (rv != SECSuccess) { 4288 return rv; /* error code set by AppendHandshake, if applicable. */ 4289 } 4290 ss->ssl3.hs.sendMessageSeq++; 4291 4292 /* 0 is the fragment offset, because it's not fragmented yet */ 4293 rv = ssl3_AppendHandshakeNumber(ss, 0, 3); 4294 if (rv != SECSuccess) { 4295 return rv; /* error code set by AppendHandshake, if applicable. */ 4296 } 4297 4298 /* Fragment length -- set to the packet length because not fragmented */ 4299 rv = ssl3_AppendHandshakeNumber(ss, length, 3); 4300 if (rv != SECSuccess) { 4301 return rv; /* error code set by AppendHandshake, if applicable. */ 4302 } 4303 } 4304 4305 return rv; /* error code set by AppendHandshake, if applicable. */ 4306 } 4307 4308 /* ssl3_AppendSignatureAndHashAlgorithm appends the serialisation of 4309 * |sigAndHash| to the current handshake message. */ 4310 SECStatus 4311 ssl3_AppendSignatureAndHashAlgorithm( 4312 sslSocket *ss, const SSL3SignatureAndHashAlgorithm* sigAndHash) 4313 { 4314 unsigned char serialized[2]; 4315 4316 serialized[0] = ssl3_OIDToTLSHashAlgorithm(sigAndHash->hashAlg); 4317 if (serialized[0] == 0) { 4318 PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM); 4319 return SECFailure; 4320 } 4321 4322 serialized[1] = sigAndHash->sigAlg; 4323 4324 return ssl3_AppendHandshake(ss, serialized, sizeof(serialized)); 4325 } 4326 4327 /************************************************************************** 4328 * Consume Handshake functions. 4329 * 4330 * All data used in these functions is protected by two locks, 4331 * the RecvBufLock and the SSL3HandshakeLock 4332 **************************************************************************/ 4333 4334 /* Read up the next "bytes" number of bytes from the (decrypted) input 4335 * stream "b" (which is *length bytes long). Copy them into buffer "v". 4336 * Reduces *length by bytes. Advances *b by bytes. 4337 * 4338 * If this function returns SECFailure, it has already sent an alert, 4339 * and has set a generic error code. The caller should probably 4340 * override the generic error code by setting another. 4341 */ 4342 SECStatus 4343 ssl3_ConsumeHandshake(sslSocket *ss, void *v, PRInt32 bytes, SSL3Opaque **b, 4344 PRUint32 *length) 4345 { 4346 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 4347 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 4348 4349 if ((PRUint32)bytes > *length) { 4350 return ssl3_DecodeError(ss); 4351 } 4352 PORT_Memcpy(v, *b, bytes); 4353 PRINT_BUF(60, (ss, "consume bytes:", *b, bytes)); 4354 *b += bytes; 4355 *length -= bytes; 4356 return SECSuccess; 4357 } 4358 4359 /* Read up the next "bytes" number of bytes from the (decrypted) input 4360 * stream "b" (which is *length bytes long), and interpret them as an 4361 * integer in network byte order. Returns the received value. 4362 * Reduces *length by bytes. Advances *b by bytes. 4363 * 4364 * Returns SECFailure (-1) on failure. 4365 * This value is indistinguishable from the equivalent received value. 4366 * Only positive numbers are to be received this way. 4367 * Thus, the largest value that may be sent this way is 0x7fffffff. 4368 * On error, an alert has been sent, and a generic error code has been set. 4369 */ 4370 PRInt32 4371 ssl3_ConsumeHandshakeNumber(sslSocket *ss, PRInt32 bytes, SSL3Opaque **b, 4372 PRUint32 *length) 4373 { 4374 PRUint8 *buf = *b; 4375 int i; 4376 PRInt32 num = 0; 4377 4378 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 4379 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 4380 PORT_Assert( bytes <= sizeof num); 4381 4382 if ((PRUint32)bytes > *length) { 4383 return ssl3_DecodeError(ss); 4384 } 4385 PRINT_BUF(60, (ss, "consume bytes:", *b, bytes)); 4386 4387 for (i = 0; i < bytes; i++) 4388 num = (num << 8) + buf[i]; 4389 *b += bytes; 4390 *length -= bytes; 4391 return num; 4392 } 4393 4394 /* Read in two values from the incoming decrypted byte stream "b", which is 4395 * *length bytes long. The first value is a number whose size is "bytes" 4396 * bytes long. The second value is a byte-string whose size is the value 4397 * of the first number received. The latter byte-string, and its length, 4398 * is returned in the SECItem i. 4399 * 4400 * Returns SECFailure (-1) on failure. 4401 * On error, an alert has been sent, and a generic error code has been set. 4402 * 4403 * RADICAL CHANGE for NSS 3.11. All callers of this function make copies 4404 * of the data returned in the SECItem *i, so making a copy of it here 4405 * is simply wasteful. So, This function now just sets SECItem *i to 4406 * point to the values in the buffer **b. 4407 */ 4408 SECStatus 4409 ssl3_ConsumeHandshakeVariable(sslSocket *ss, SECItem *i, PRInt32 bytes, 4410 SSL3Opaque **b, PRUint32 *length) 4411 { 4412 PRInt32 count; 4413 4414 PORT_Assert(bytes <= 3); 4415 i->len = 0; 4416 i->data = NULL; 4417 count = ssl3_ConsumeHandshakeNumber(ss, bytes, b, length); 4418 if (count < 0) { /* Can't test for SECSuccess here. */ 4419 return SECFailure; 4420 } 4421 if (count > 0) { 4422 if ((PRUint32)count > *length) { 4423 return ssl3_DecodeError(ss); 4424 } 4425 i->data = *b; 4426 i->len = count; 4427 *b += count; 4428 *length -= count; 4429 } 4430 return SECSuccess; 4431 } 4432 4433 /* tlsHashOIDMap contains the mapping between TLS hash identifiers and the 4434 * SECOidTag used internally by NSS. */ 4435 static const struct { 4436 int tlsHash; 4437 SECOidTag oid; 4438 } tlsHashOIDMap[] = { 4439 { tls_hash_md5, SEC_OID_MD5 }, 4440 { tls_hash_sha1, SEC_OID_SHA1 }, 4441 { tls_hash_sha224, SEC_OID_SHA224 }, 4442 { tls_hash_sha256, SEC_OID_SHA256 }, 4443 { tls_hash_sha384, SEC_OID_SHA384 }, 4444 { tls_hash_sha512, SEC_OID_SHA512 } 4445 }; 4446 4447 /* ssl3_TLSHashAlgorithmToOID converts a TLS hash identifier into an OID value. 4448 * If the hash is not recognised, SEC_OID_UNKNOWN is returned. 4449 * 4450 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ 4451 SECOidTag 4452 ssl3_TLSHashAlgorithmToOID(int hashFunc) 4453 { 4454 unsigned int i; 4455 4456 for (i = 0; i < PR_ARRAY_SIZE(tlsHashOIDMap); i++) { 4457 if (hashFunc == tlsHashOIDMap[i].tlsHash) { 4458 return tlsHashOIDMap[i].oid; 4459 } 4460 } 4461 return SEC_OID_UNKNOWN; 4462 } 4463 4464 /* ssl3_OIDToTLSHashAlgorithm converts an OID to a TLS hash algorithm 4465 * identifier. If the hash is not recognised, zero is returned. 4466 * 4467 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ 4468 static int 4469 ssl3_OIDToTLSHashAlgorithm(SECOidTag oid) 4470 { 4471 unsigned int i; 4472 4473 for (i = 0; i < PR_ARRAY_SIZE(tlsHashOIDMap); i++) { 4474 if (oid == tlsHashOIDMap[i].oid) { 4475 return tlsHashOIDMap[i].tlsHash; 4476 } 4477 } 4478 return 0; 4479 } 4480 4481 /* ssl3_TLSSignatureAlgorithmForKeyType returns the TLS 1.2 signature algorithm 4482 * identifier for a given KeyType. */ 4483 static SECStatus 4484 ssl3_TLSSignatureAlgorithmForKeyType(KeyType keyType, 4485 TLSSignatureAlgorithm *out) 4486 { 4487 switch (keyType) { 4488 case rsaKey: 4489 *out = tls_sig_rsa; 4490 return SECSuccess; 4491 case dsaKey: 4492 *out = tls_sig_dsa; 4493 return SECSuccess; 4494 case ecKey: 4495 *out = tls_sig_ecdsa; 4496 return SECSuccess; 4497 default: 4498 PORT_SetError(SEC_ERROR_INVALID_KEY); 4499 return SECFailure; 4500 } 4501 } 4502 4503 /* ssl3_TLSSignatureAlgorithmForCertificate returns the TLS 1.2 signature 4504 * algorithm identifier for the given certificate. */ 4505 static SECStatus 4506 ssl3_TLSSignatureAlgorithmForCertificate(CERTCertificate *cert, 4507 TLSSignatureAlgorithm *out) 4508 { 4509 SECKEYPublicKey *key; 4510 KeyType keyType; 4511 4512 key = CERT_ExtractPublicKey(cert); 4513 if (key == NULL) { 4514 ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); 4515 return SECFailure; 4516 } 4517 4518 keyType = key->keyType; 4519 SECKEY_DestroyPublicKey(key); 4520 return ssl3_TLSSignatureAlgorithmForKeyType(keyType, out); 4521 } 4522 4523 /* ssl3_CheckSignatureAndHashAlgorithmConsistency checks that the signature 4524 * algorithm identifier in |sigAndHash| is consistent with the public key in 4525 * |cert|. If so, SECSuccess is returned. Otherwise, PORT_SetError is called 4526 * and SECFailure is returned. */ 4527 SECStatus 4528 ssl3_CheckSignatureAndHashAlgorithmConsistency( 4529 const SSL3SignatureAndHashAlgorithm *sigAndHash, CERTCertificate* cert) 4530 { 4531 SECStatus rv; 4532 TLSSignatureAlgorithm sigAlg; 4533 4534 rv = ssl3_TLSSignatureAlgorithmForCertificate(cert, &sigAlg); 4535 if (rv != SECSuccess) { 4536 return rv; 4537 } 4538 if (sigAlg != sigAndHash->sigAlg) { 4539 PORT_SetError(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM); 4540 return SECFailure; 4541 } 4542 return SECSuccess; 4543 } 4544 4545 /* ssl3_ConsumeSignatureAndHashAlgorithm reads a SignatureAndHashAlgorithm 4546 * structure from |b| and puts the resulting value into |out|. |b| and |length| 4547 * are updated accordingly. 4548 * 4549 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ 4550 SECStatus 4551 ssl3_ConsumeSignatureAndHashAlgorithm(sslSocket *ss, 4552 SSL3Opaque **b, 4553 PRUint32 *length, 4554 SSL3SignatureAndHashAlgorithm *out) 4555 { 4556 unsigned char bytes[2]; 4557 SECStatus rv; 4558 4559 rv = ssl3_ConsumeHandshake(ss, bytes, sizeof(bytes), b, length); 4560 if (rv != SECSuccess) { 4561 return rv; 4562 } 4563 4564 out->hashAlg = ssl3_TLSHashAlgorithmToOID(bytes[0]); 4565 if (out->hashAlg == SEC_OID_UNKNOWN) { 4566 PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM); 4567 return SECFailure; 4568 } 4569 4570 out->sigAlg = bytes[1]; 4571 return SECSuccess; 4572 } 4573 4574 /************************************************************************** 4575 * end of Consume Handshake functions. 4576 **************************************************************************/ 4577 4578 /* Extract the hashes of handshake messages to this point. 4579 * Called from ssl3_SendCertificateVerify 4580 * ssl3_SendFinished 4581 * ssl3_HandleHandshakeMessage 4582 * 4583 * Caller must hold the SSL3HandshakeLock. 4584 * Caller must hold a read or write lock on the Spec R/W lock. 4585 * (There is presently no way to assert on a Read lock.) 4586 */ 4587 static SECStatus 4588 ssl3_ComputeHandshakeHashes(sslSocket * ss, 4589 ssl3CipherSpec *spec, /* uses ->master_secret */ 4590 SSL3Hashes * hashes, /* output goes here. */ 4591 PRUint32 sender) 4592 { 4593 SECStatus rv = SECSuccess; 4594 PRBool isTLS = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0); 4595 unsigned int outLength; 4596 SSL3Opaque md5_inner[MAX_MAC_LENGTH]; 4597 SSL3Opaque sha_inner[MAX_MAC_LENGTH]; 4598 4599 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 4600 hashes->hashAlg = SEC_OID_UNKNOWN; 4601 4602 #ifndef NO_PKCS11_BYPASS 4603 if (ss->opt.bypassPKCS11 && 4604 ss->ssl3.hs.hashType == handshake_hash_single) { 4605 /* compute them without PKCS11 */ 4606 PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS]; 4607 4608 if (!spec->msItem.data) { 4609 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE); 4610 return SECFailure; 4611 } 4612 4613 ss->ssl3.hs.sha_clone(sha_cx, ss->ssl3.hs.sha_cx); 4614 ss->ssl3.hs.sha_obj->end(sha_cx, hashes->u.raw, &hashes->len, 4615 sizeof(hashes->u.raw)); 4616 4617 PRINT_BUF(60, (NULL, "SHA-256: result", hashes->u.raw, hashes->len)); 4618 4619 /* If we ever support ciphersuites where the PRF hash isn't SHA-256 4620 * then this will need to be updated. */ 4621 hashes->hashAlg = SEC_OID_SHA256; 4622 rv = SECSuccess; 4623 } else if (ss->opt.bypassPKCS11) { 4624 /* compute them without PKCS11 */ 4625 PRUint64 md5_cx[MAX_MAC_CONTEXT_LLONGS]; 4626 PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS]; 4627 4628 #define md5cx ((MD5Context *)md5_cx) 4629 #define shacx ((SHA1Context *)sha_cx) 4630 4631 if (!spec->msItem.data) { 4632 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE); 4633 return SECFailure; 4634 } 4635 4636 MD5_Clone (md5cx, (MD5Context *)ss->ssl3.hs.md5_cx); 4637 SHA1_Clone(shacx, (SHA1Context *)ss->ssl3.hs.sha_cx); 4638 4639 if (!isTLS) { 4640 /* compute hashes for SSL3. */ 4641 unsigned char s[4]; 4642 4643 s[0] = (unsigned char)(sender >> 24); 4644 s[1] = (unsigned char)(sender >> 16); 4645 s[2] = (unsigned char)(sender >> 8); 4646 s[3] = (unsigned char)sender; 4647 4648 if (sender != 0) { 4649 MD5_Update(md5cx, s, 4); 4650 PRINT_BUF(95, (NULL, "MD5 inner: sender", s, 4)); 4651 } 4652 4653 PRINT_BUF(95, (NULL, "MD5 inner: MAC Pad 1", mac_pad_1, 4654 mac_defs[mac_md5].pad_size)); 4655 4656 MD5_Update(md5cx, spec->msItem.data, spec->msItem.len); 4657 MD5_Update(md5cx, mac_pad_1, mac_defs[mac_md5].pad_size); 4658 MD5_End(md5cx, md5_inner, &outLength, MD5_LENGTH); 4659 4660 PRINT_BUF(95, (NULL, "MD5 inner: result", md5_inner, outLength)); 4661 4662 if (sender != 0) { 4663 SHA1_Update(shacx, s, 4); 4664 PRINT_BUF(95, (NULL, "SHA inner: sender", s, 4)); 4665 } 4666 4667 PRINT_BUF(95, (NULL, "SHA inner: MAC Pad 1", mac_pad_1, 4668 mac_defs[mac_sha].pad_size)); 4669 4670 SHA1_Update(shacx, spec->msItem.data, spec->msItem.len); 4671 SHA1_Update(shacx, mac_pad_1, mac_defs[mac_sha].pad_size); 4672 SHA1_End(shacx, sha_inner, &outLength, SHA1_LENGTH); 4673 4674 PRINT_BUF(95, (NULL, "SHA inner: result", sha_inner, outLength)); 4675 PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2, 4676 mac_defs[mac_md5].pad_size)); 4677 PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH)); 4678 4679 MD5_Begin(md5cx); 4680 MD5_Update(md5cx, spec->msItem.data, spec->msItem.len); 4681 MD5_Update(md5cx, mac_pad_2, mac_defs[mac_md5].pad_size); 4682 MD5_Update(md5cx, md5_inner, MD5_LENGTH); 4683 } 4684 MD5_End(md5cx, hashes->u.s.md5, &outLength, MD5_LENGTH); 4685 4686 PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->u.s.md5, MD5_LENGTH)); 4687 4688 if (!isTLS) { 4689 PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2, 4690 mac_defs[mac_sha].pad_size)); 4691 PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH)); 4692 4693 SHA1_Begin(shacx); 4694 SHA1_Update(shacx, spec->msItem.data, spec->msItem.len); 4695 SHA1_Update(shacx, mac_pad_2, mac_defs[mac_sha].pad_size); 4696 SHA1_Update(shacx, sha_inner, SHA1_LENGTH); 4697 } 4698 SHA1_End(shacx, hashes->u.s.sha, &outLength, SHA1_LENGTH); 4699 4700 PRINT_BUF(60, (NULL, "SHA outer: result", hashes->u.s.sha, SHA1_LENGTH)); 4701 4702 hashes->len = MD5_LENGTH + SHA1_LENGTH; 4703 rv = SECSuccess; 4704 #undef md5cx 4705 #undef shacx 4706 } else 4707 #endif 4708 if (ss->ssl3.hs.hashType == handshake_hash_single) { 4709 /* compute hashes with PKCS11 */ 4710 PK11Context *h; 4711 unsigned int stateLen; 4712 unsigned char stackBuf[1024]; 4713 unsigned char *stateBuf = NULL; 4714 4715 if (!spec->master_secret) { 4716 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE); 4717 return SECFailure; 4718 } 4719 4720 h = ss->ssl3.hs.sha; 4721 stateBuf = PK11_SaveContextAlloc(h, stackBuf, 4722 sizeof(stackBuf), &stateLen); 4723 if (stateBuf == NULL) { 4724 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); 4725 goto tls12_loser; 4726 } 4727 rv |= PK11_DigestFinal(h, hashes->u.raw, &hashes->len, 4728 sizeof(hashes->u.raw)); 4729 if (rv != SECSuccess) { 4730 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); 4731 rv = SECFailure; 4732 goto tls12_loser; 4733 } 4734 /* If we ever support ciphersuites where the PRF hash isn't SHA-256 4735 * then this will need to be updated. */ 4736 hashes->hashAlg = SEC_OID_SHA256; 4737 rv = SECSuccess; 4738 4739 tls12_loser: 4740 if (stateBuf) { 4741 if (PK11_RestoreContext(h, stateBuf, stateLen) != SECSuccess) { 4742 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); 4743 rv = SECFailure; 4744 } 4745 if (stateBuf != stackBuf) { 4746 PORT_ZFree(stateBuf, stateLen); 4747 } 4748 } 4749 } else { 4750 /* compute hashes with PKCS11 */ 4751 PK11Context * md5; 4752 PK11Context * sha = NULL; 4753 unsigned char *md5StateBuf = NULL; 4754 unsigned char *shaStateBuf = NULL; 4755 unsigned int md5StateLen, shaStateLen; 4756 unsigned char md5StackBuf[256]; 4757 unsigned char shaStackBuf[512]; 4758 4759 if (!spec->master_secret) { 4760 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE); 4761 return SECFailure; 4762 } 4763 4764 md5StateBuf = PK11_SaveContextAlloc(ss->ssl3.hs.md5, md5StackBuf, 4765 sizeof md5StackBuf, &md5StateLen); 4766 if (md5StateBuf == NULL) { 4767 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); 4768 goto loser; 4769 } 4770 md5 = ss->ssl3.hs.md5; 4771 4772 shaStateBuf = PK11_SaveContextAlloc(ss->ssl3.hs.sha, shaStackBuf, 4773 sizeof shaStackBuf, &shaStateLen); 4774 if (shaStateBuf == NULL) { 4775 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); 4776 goto loser; 4777 } 4778 sha = ss->ssl3.hs.sha; 4779 4780 if (!isTLS) { 4781 /* compute hashes for SSL3. */ 4782 unsigned char s[4]; 4783 4784 s[0] = (unsigned char)(sender >> 24); 4785 s[1] = (unsigned char)(sender >> 16); 4786 s[2] = (unsigned char)(sender >> 8); 4787 s[3] = (unsigned char)sender; 4788 4789 if (sender != 0) { 4790 rv |= PK11_DigestOp(md5, s, 4); 4791 PRINT_BUF(95, (NULL, "MD5 inner: sender", s, 4)); 4792 } 4793 4794 PRINT_BUF(95, (NULL, "MD5 inner: MAC Pad 1", mac_pad_1, 4795 mac_defs[mac_md5].pad_size)); 4796 4797 rv |= PK11_DigestKey(md5,spec->master_secret); 4798 rv |= PK11_DigestOp(md5, mac_pad_1, mac_defs[mac_md5].pad_size); 4799 rv |= PK11_DigestFinal(md5, md5_inner, &outLength, MD5_LENGTH); 4800 PORT_Assert(rv != SECSuccess || outLength == MD5_LENGTH); 4801 if (rv != SECSuccess) { 4802 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); 4803 rv = SECFailure; 4804 goto loser; 4805 } 4806 4807 PRINT_BUF(95, (NULL, "MD5 inner: result", md5_inner, outLength)); 4808 4809 if (sender != 0) { 4810 rv |= PK11_DigestOp(sha, s, 4); 4811 PRINT_BUF(95, (NULL, "SHA inner: sender", s, 4)); 4812 } 4813 4814 PRINT_BUF(95, (NULL, "SHA inner: MAC Pad 1", mac_pad_1, 4815 mac_defs[mac_sha].pad_size)); 4816 4817 rv |= PK11_DigestKey(sha, spec->master_secret); 4818 rv |= PK11_DigestOp(sha, mac_pad_1, mac_defs[mac_sha].pad_size); 4819 rv |= PK11_DigestFinal(sha, sha_inner, &outLength, SHA1_LENGTH); 4820 PORT_Assert(rv != SECSuccess || outLength == SHA1_LENGTH); 4821 if (rv != SECSuccess) { 4822 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); 4823 rv = SECFailure; 4824 goto loser; 4825 } 4826 4827 PRINT_BUF(95, (NULL, "SHA inner: result", sha_inner, outLength)); 4828 4829 PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2, 4830 mac_defs[mac_md5].pad_size)); 4831 PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH)); 4832 4833 rv |= PK11_DigestBegin(md5); 4834 rv |= PK11_DigestKey(md5, spec->master_secret); 4835 rv |= PK11_DigestOp(md5, mac_pad_2, mac_defs[mac_md5].pad_size); 4836 rv |= PK11_DigestOp(md5, md5_inner, MD5_LENGTH); 4837 } 4838 rv |= PK11_DigestFinal(md5, hashes->u.s.md5, &outLength, MD5_LENGTH); 4839 PORT_Assert(rv != SECSuccess || outLength == MD5_LENGTH); 4840 if (rv != SECSuccess) { 4841 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); 4842 rv = SECFailure; 4843 goto loser; 4844 } 4845 4846 PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->u.s.md5, MD5_LENGTH)); 4847 4848 if (!isTLS) { 4849 PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2, 4850 mac_defs[mac_sha].pad_size)); 4851 PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH)); 4852 4853 rv |= PK11_DigestBegin(sha); 4854 rv |= PK11_DigestKey(sha,spec->master_secret); 4855 rv |= PK11_DigestOp(sha, mac_pad_2, mac_defs[mac_sha].pad_size); 4856 rv |= PK11_DigestOp(sha, sha_inner, SHA1_LENGTH); 4857 } 4858 rv |= PK11_DigestFinal(sha, hashes->u.s.sha, &outLength, SHA1_LENGTH); 4859 PORT_Assert(rv != SECSuccess || outLength == SHA1_LENGTH); 4860 if (rv != SECSuccess) { 4861 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); 4862 rv = SECFailure; 4863 goto loser; 4864 } 4865 4866 PRINT_BUF(60, (NULL, "SHA outer: result", hashes->u.s.sha, SHA1_LENGTH)); 4867 4868 hashes->len = MD5_LENGTH + SHA1_LENGTH; 4869 rv = SECSuccess; 4870 4871 loser: 4872 if (md5StateBuf) { 4873 if (PK11_RestoreContext(ss->ssl3.hs.md5, md5StateBuf, md5StateLen) 4874 != SECSuccess) 4875 { 4876 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); 4877 rv = SECFailure; 4878 } 4879 if (md5StateBuf != md5StackBuf) { 4880 PORT_ZFree(md5StateBuf, md5StateLen); 4881 } 4882 } 4883 if (shaStateBuf) { 4884 if (PK11_RestoreContext(ss->ssl3.hs.sha, shaStateBuf, shaStateLen) 4885 != SECSuccess) 4886 { 4887 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); 4888 rv = SECFailure; 4889 } 4890 if (shaStateBuf != shaStackBuf) { 4891 PORT_ZFree(shaStateBuf, shaStateLen); 4892 } 4893 } 4894 } 4895 return rv; 4896 } 4897 4898 static SECStatus 4899 ssl3_ComputeBackupHandshakeHashes(sslSocket * ss, 4900 SSL3Hashes * hashes) /* output goes here. */ 4901 { 4902 SECStatus rv = SECSuccess; 4903 4904 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 4905 PORT_Assert( ss->ssl3.hs.hashType == handshake_hash_single ); 4906 4907 rv = PK11_DigestFinal(ss->ssl3.hs.md5, hashes->u.raw, &hashes->len, 4908 sizeof(hashes->u.raw)); 4909 if (rv != SECSuccess) { 4910 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); 4911 rv = SECFailure; 4912 goto loser; 4913 } 4914 hashes->hashAlg = SEC_OID_SHA1; 4915 4916 loser: 4917 PK11_DestroyContext(ss->ssl3.hs.md5, PR_TRUE); 4918 ss->ssl3.hs.md5 = NULL; 4919 return rv; 4920 } 4921 4922 /* 4923 * SSL 2 based implementations pass in the initial outbound buffer 4924 * so that the handshake hash can contain the included information. 4925 * 4926 * Called from ssl2_BeginClientHandshake() in sslcon.c 4927 */ 4928 SECStatus 4929 ssl3_StartHandshakeHash(sslSocket *ss, unsigned char * buf, int length) 4930 { 4931 SECStatus rv; 4932 4933 ssl_GetSSL3HandshakeLock(ss); /**************************************/ 4934 4935 rv = ssl3_InitState(ss); 4936 if (rv != SECSuccess) { 4937 goto done; /* ssl3_InitState has set the error code. */ 4938 } 4939 rv = ssl3_RestartHandshakeHashes(ss); 4940 if (rv != SECSuccess) { 4941 goto done; 4942 } 4943 4944 PORT_Memset(&ss->ssl3.hs.client_random, 0, SSL3_RANDOM_LENGTH); 4945 PORT_Memcpy( 4946 &ss->ssl3.hs.client_random.rand[SSL3_RANDOM_LENGTH - SSL_CHALLENGE_BYTES], 4947 &ss->sec.ci.clientChallenge, 4948 SSL_CHALLENGE_BYTES); 4949 4950 rv = ssl3_UpdateHandshakeHashes(ss, buf, length); 4951 /* if it failed, ssl3_UpdateHandshakeHashes has set the error code. */ 4952 4953 done: 4954 ssl_ReleaseSSL3HandshakeLock(ss); /**************************************/ 4955 return rv; 4956 } 4957 4958 /************************************************************************** 4959 * end of Handshake Hash functions. 4960 * Begin Send and Handle functions for handshakes. 4961 **************************************************************************/ 4962 4963 /* Called from ssl3_HandleHelloRequest(), 4964 * ssl3_RedoHandshake() 4965 * ssl2_BeginClientHandshake (when resuming ssl3 session) 4966 * dtls_HandleHelloVerifyRequest(with resending=PR_TRUE) 4967 */ 4968 SECStatus 4969 ssl3_SendClientHello(sslSocket *ss, PRBool resending) 4970 { 4971 sslSessionID * sid; 4972 ssl3CipherSpec * cwSpec; 4973 SECStatus rv; 4974 int i; 4975 int length; 4976 int num_suites; 4977 int actual_count = 0; 4978 PRBool isTLS = PR_FALSE; 4979 PRBool requestingResume = PR_FALSE, fallbackSCSV = PR_FALSE; 4980 PRInt32 total_exten_len = 0; 4981 unsigned paddingExtensionLen; 4982 unsigned numCompressionMethods; 4983 PRInt32 flags; 4984 4985 SSL_TRC(3, ("%d: SSL3[%d]: send client_hello handshake", SSL_GETPID(), 4986 ss->fd)); 4987 4988 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 4989 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); 4990 4991 rv = ssl3_InitState(ss); 4992 if (rv != SECSuccess) { 4993 return rv; /* ssl3_InitState has set the error code. */ 4994 } 4995 ss->ssl3.hs.sendingSCSV = PR_FALSE; /* Must be reset every handshake */ 4996 PORT_Assert(IS_DTLS(ss) || !resending); 4997 4998 /* We might be starting a session renegotiation in which case we should 4999 * clear previous state. 5000 */ 5001 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData)); 5002 5003 rv = ssl3_RestartHandshakeHashes(ss); 5004 if (rv != SECSuccess) { 5005 return rv; 5006 } 5007 5008 /* 5009 * During a renegotiation, ss->clientHelloVersion will be used again to 5010 * work around a Windows SChannel bug. Ensure that it is still enabled. 5011 */ 5012 if (ss->firstHsDone) { 5013 if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) { 5014 PORT_SetError(SSL_ERROR_SSL_DISABLED); 5015 return SECFailure; 5016 } 5017 5018 if (ss->clientHelloVersion < ss->vrange.min || 5019 ss->clientHelloVersion > ss->vrange.max) { 5020 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP); 5021 return SECFailure; 5022 } 5023 } 5024 5025 /* We ignore ss->sec.ci.sid here, and use ssl_Lookup because Lookup 5026 * handles expired entries and other details. 5027 * XXX If we've been called from ssl2_BeginClientHandshake, then 5028 * this lookup is duplicative and wasteful. 5029 */ 5030 sid = (ss->opt.noCache) ? NULL 5031 : ssl_LookupSID(&ss->sec.ci.peer, ss->sec.ci.port, ss->peerID, ss->url); 5032 5033 /* We can't resume based on a different token. If the sid exists, 5034 * make sure the token that holds the master secret still exists ... 5035 * If we previously did client-auth, make sure that the token that holds 5036 * the private key still exists, is logged in, hasn't been removed, etc. 5037 */ 5038 if (sid) { 5039 PRBool sidOK = PR_TRUE; 5040 if (sid->u.ssl3.keys.msIsWrapped) { 5041 /* Session key was wrapped, which means it was using PKCS11, */ 5042 PK11SlotInfo *slot = NULL; 5043 if (sid->u.ssl3.masterValid && !ss->opt.bypassPKCS11) { 5044 slot = SECMOD_LookupSlot(sid->u.ssl3.masterModuleID, 5045 sid->u.ssl3.masterSlotID); 5046 } 5047 if (slot == NULL) { 5048 sidOK = PR_FALSE; 5049 } else { 5050 PK11SymKey *wrapKey = NULL; 5051 if (!PK11_IsPresent(slot) || 5052 ((wrapKey = PK11_GetWrapKey(slot, 5053 sid->u.ssl3.masterWrapIndex, 5054 sid->u.ssl3.masterWrapMech, 5055 sid->u.ssl3.masterWrapSeries, 5056 ss->pkcs11PinArg)) == NULL) ) { 5057 sidOK = PR_FALSE; 5058 } 5059 if (wrapKey) PK11_FreeSymKey(wrapKey); 5060 PK11_FreeSlot(slot); 5061 slot = NULL; 5062 } 5063 } 5064 /* If we previously did client-auth, make sure that the token that 5065 ** holds the private key still exists, is logged in, hasn't been 5066 ** removed, etc. 5067 */ 5068 if (sidOK && !ssl3_ClientAuthTokenPresent(sid)) { 5069 sidOK = PR_FALSE; 5070 } 5071 5072 /* TLS 1.0 (RFC 2246) Appendix E says: 5073 * Whenever a client already knows the highest protocol known to 5074 * a server (for example, when resuming a session), it should 5075 * initiate the connection in that native protocol. 5076 * So we pass sid->version to ssl3_NegotiateVersion() here, except 5077 * when renegotiating. 5078 * 5079 * Windows SChannel compares the client_version inside the RSA 5080 * EncryptedPreMasterSecret of a renegotiation with the 5081 * client_version of the initial ClientHello rather than the 5082 * ClientHello in the renegotiation. To work around this bug, we 5083 * continue to use the client_version used in the initial 5084 * ClientHello when renegotiating. 5085 */ 5086 if (sidOK) { 5087 if (ss->firstHsDone) { 5088 /* 5089 * The client_version of the initial ClientHello is still 5090 * available in ss->clientHelloVersion. Ensure that 5091 * sid->version is bounded within 5092 * [ss->vrange.min, ss->clientHelloVersion], otherwise we 5093 * can't use sid. 5094 */ 5095 if (sid->version >= ss->vrange.min && 5096 sid->version <= ss->clientHelloVersion) { 5097 ss->version = ss->clientHelloVersion; 5098 } else { 5099 sidOK = PR_FALSE; 5100 } 5101 } else { 5102 if (ssl3_NegotiateVersion(ss, sid->version, 5103 PR_FALSE) != SECSuccess) { 5104 sidOK = PR_FALSE; 5105 } 5106 } 5107 } 5108 5109 if (!sidOK) { 5110 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_not_ok ); 5111 if (ss->sec.uncache) 5112 (*ss->sec.uncache)(sid); 5113 ssl_FreeSID(sid); 5114 sid = NULL; 5115 } 5116 } 5117 5118 if (sid) { 5119 requestingResume = PR_TRUE; 5120 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_hits ); 5121 5122 /* Are we attempting a stateless session resume? */ 5123 if (sid->version > SSL_LIBRARY_VERSION_3_0 && 5124 sid->u.ssl3.sessionTicket.ticket.data) 5125 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_stateless_resumes ); 5126 5127 PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl3.sessionID, 5128 sid->u.ssl3.sessionIDLength)); 5129 5130 ss->ssl3.policy = sid->u.ssl3.policy; 5131 } else { 5132 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_misses ); 5133 5134 /* 5135 * Windows SChannel compares the client_version inside the RSA 5136 * EncryptedPreMasterSecret of a renegotiation with the 5137 * client_version of the initial ClientHello rather than the 5138 * ClientHello in the renegotiation. To work around this bug, we 5139 * continue to use the client_version used in the initial 5140 * ClientHello when renegotiating. 5141 */ 5142 if (ss->firstHsDone) { 5143 ss->version = ss->clientHelloVersion; 5144 } else { 5145 rv = ssl3_NegotiateVersion(ss, SSL_LIBRARY_VERSION_MAX_SUPPORTED, 5146 PR_TRUE); 5147 if (rv != SECSuccess) 5148 return rv; /* error code was set */ 5149 } 5150 5151 sid = ssl3_NewSessionID(ss, PR_FALSE); 5152 if (!sid) { 5153 return SECFailure; /* memory error is set */ 5154 } 5155 } 5156 5157 isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0); 5158 ssl_GetSpecWriteLock(ss); 5159 cwSpec = ss->ssl3.cwSpec; 5160 if (cwSpec->mac_def->mac == mac_null) { 5161 /* SSL records are not being MACed. */ 5162 cwSpec->version = ss->version; 5163 } 5164 ssl_ReleaseSpecWriteLock(ss); 5165 5166 if (ss->sec.ci.sid != NULL) { 5167 ssl_FreeSID(ss->sec.ci.sid); /* decrement ref count, free if zero */ 5168 } 5169 ss->sec.ci.sid = sid; 5170 5171 ss->sec.send = ssl3_SendApplicationData; 5172 5173 /* shouldn't get here if SSL3 is disabled, but ... */ 5174 if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) { 5175 PR_NOT_REACHED("No versions of SSL 3.0 or later are enabled"); 5176 PORT_SetError(SSL_ERROR_SSL_DISABLED); 5177 return SECFailure; 5178 } 5179 5180 /* how many suites does our PKCS11 support (regardless of policy)? */ 5181 num_suites = ssl3_config_match_init(ss); 5182 if (!num_suites) 5183 return SECFailure; /* ssl3_config_match_init has set error code. */ 5184 5185 /* HACK for SCSV in SSL 3.0. On initial handshake, prepend SCSV, 5186 * only if TLS is disabled. 5187 */ 5188 if (!ss->firstHsDone && !isTLS) { 5189 /* Must set this before calling Hello Extension Senders, 5190 * to suppress sending of empty RI extension. 5191 */ 5192 ss->ssl3.hs.sendingSCSV = PR_TRUE; 5193 } 5194 5195 if (isTLS || (ss->firstHsDone && ss->peerRequestedProtection)) { 5196 PRUint32 maxBytes = 65535; /* 2^16 - 1 */ 5197 PRInt32 extLen; 5198 5199 extLen = ssl3_CallHelloExtensionSenders(ss, PR_FALSE, maxBytes, NULL); 5200 if (extLen < 0) { 5201 return SECFailure; 5202 } 5203 maxBytes -= extLen; 5204 total_exten_len += extLen; 5205 5206 if (total_exten_len > 0) 5207 total_exten_len += 2; 5208 } 5209 5210 #if defined(NSS_ENABLE_ECC) 5211 if (!total_exten_len || !isTLS) { 5212 /* not sending the elliptic_curves and ec_point_formats extensions */ 5213 ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */ 5214 } 5215 #endif 5216 5217 if (IS_DTLS(ss)) { 5218 ssl3_DisableNonDTLSSuites(ss); 5219 } 5220 5221 if (!ssl3_HasGCMSupport()) { 5222 ssl3_DisableGCMSuites(ss); 5223 } 5224 5225 /* how many suites are permitted by policy and user preference? */ 5226 num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE); 5227 if (!num_suites) 5228 return SECFailure; /* count_cipher_suites has set error code. */ 5229 5230 fallbackSCSV = ss->opt.enableFallbackSCSV && (!requestingResume || 5231 ss->version < sid->version); 5232 /* make room for SCSV */ 5233 if (ss->ssl3.hs.sendingSCSV) { 5234 ++num_suites; 5235 } 5236 if (fallbackSCSV) { 5237 ++num_suites; 5238 } 5239 5240 /* count compression methods */ 5241 numCompressionMethods = 0; 5242 for (i = 0; i < compressionMethodsCount; i++) { 5243 if (compressionEnabled(ss, compressions[i])) 5244 numCompressionMethods++; 5245 } 5246 5247 length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH + 5248 1 + ((sid == NULL) ? 0 : sid->u.ssl3.sessionIDLength) + 5249 2 + num_suites*sizeof(ssl3CipherSuite) + 5250 1 + numCompressionMethods + total_exten_len; 5251 if (IS_DTLS(ss)) { 5252 length += 1 + ss->ssl3.hs.cookieLen; 5253 } 5254 5255 /* A padding extension may be included to ensure that the record containing 5256 * the ClientHello doesn't have a length between 256 and 511 bytes 5257 * (inclusive). Initial, ClientHello records with such lengths trigger bugs 5258 * in F5 devices. 5259 * 5260 * This is not done for DTLS nor for renegotiation. */ 5261 if (!IS_DTLS(ss) && isTLS && !ss->firstHsDone) { 5262 paddingExtensionLen = ssl3_CalculatePaddingExtensionLength(length); 5263 total_exten_len += paddingExtensionLen; 5264 length += paddingExtensionLen; 5265 } else { 5266 paddingExtensionLen = 0; 5267 } 5268 5269 rv = ssl3_AppendHandshakeHeader(ss, client_hello, length); 5270 if (rv != SECSuccess) { 5271 return rv; /* err set by ssl3_AppendHandshake* */ 5272 } 5273 5274 if (ss->firstHsDone) { 5275 /* The client hello version must stay unchanged to work around 5276 * the Windows SChannel bug described above. */ 5277 PORT_Assert(ss->version == ss->clientHelloVersion); 5278 } 5279 ss->clientHelloVersion = ss->version; 5280 if (IS_DTLS(ss)) { 5281 PRUint16 version; 5282 5283 version = dtls_TLSVersionToDTLSVersion(ss->clientHelloVersion); 5284 rv = ssl3_AppendHandshakeNumber(ss, version, 2); 5285 } else { 5286 rv = ssl3_AppendHandshakeNumber(ss, ss->clientHelloVersion, 2); 5287 } 5288 if (rv != SECSuccess) { 5289 return rv; /* err set by ssl3_AppendHandshake* */ 5290 } 5291 5292 if (!resending) { /* Don't re-generate if we are in DTLS re-sending mode */ 5293 rv = ssl3_GetNewRandom(&ss->ssl3.hs.client_random); 5294 if (rv != SECSuccess) { 5295 return rv; /* err set by GetNewRandom. */ 5296 } 5297 } 5298 rv = ssl3_AppendHandshake(ss, &ss->ssl3.hs.client_random, 5299 SSL3_RANDOM_LENGTH); 5300 if (rv != SECSuccess) { 5301 return rv; /* err set by ssl3_AppendHandshake* */ 5302 } 5303 5304 if (sid) 5305 rv = ssl3_AppendHandshakeVariable( 5306 ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1); 5307 else 5308 rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1); 5309 if (rv != SECSuccess) { 5310 return rv; /* err set by ssl3_AppendHandshake* */ 5311 } 5312 5313 if (IS_DTLS(ss)) { 5314 rv = ssl3_AppendHandshakeVariable( 5315 ss, ss->ssl3.hs.cookie, ss->ssl3.hs.cookieLen, 1); 5316 if (rv != SECSuccess) { 5317 return rv; /* err set by ssl3_AppendHandshake* */ 5318 } 5319 } 5320 5321 rv = ssl3_AppendHandshakeNumber(ss, num_suites*sizeof(ssl3CipherSuite), 2); 5322 if (rv != SECSuccess) { 5323 return rv; /* err set by ssl3_AppendHandshake* */ 5324 } 5325 5326 if (ss->ssl3.hs.sendingSCSV) { 5327 /* Add the actual SCSV */ 5328 rv = ssl3_AppendHandshakeNumber(ss, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, 5329 sizeof(ssl3CipherSuite)); 5330 if (rv != SECSuccess) { 5331 return rv; /* err set by ssl3_AppendHandshake* */ 5332 } 5333 actual_count++; 5334 } 5335 if (fallbackSCSV) { 5336 rv = ssl3_AppendHandshakeNumber(ss, TLS_FALLBACK_SCSV, 5337 sizeof(ssl3CipherSuite)); 5338 if (rv != SECSuccess) { 5339 return rv; /* err set by ssl3_AppendHandshake* */ 5340 } 5341 actual_count++; 5342 } 5343 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { 5344 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; 5345 if (config_match(suite, ss->ssl3.policy, PR_TRUE, &ss->vrange)) { 5346 actual_count++; 5347 if (actual_count > num_suites) { 5348 /* set error card removal/insertion error */ 5349 PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL); 5350 return SECFailure; 5351 } 5352 rv = ssl3_AppendHandshakeNumber(ss, suite->cipher_suite, 5353 sizeof(ssl3CipherSuite)); 5354 if (rv != SECSuccess) { 5355 return rv; /* err set by ssl3_AppendHandshake* */ 5356 } 5357 } 5358 } 5359 5360 /* if cards were removed or inserted between count_cipher_suites and 5361 * generating our list, detect the error here rather than send it off to 5362 * the server.. */ 5363 if (actual_count != num_suites) { 5364 /* Card removal/insertion error */ 5365 PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL); 5366 return SECFailure; 5367 } 5368 5369 rv = ssl3_AppendHandshakeNumber(ss, numCompressionMethods, 1); 5370 if (rv != SECSuccess) { 5371 return rv; /* err set by ssl3_AppendHandshake* */ 5372 } 5373 for (i = 0; i < compressionMethodsCount; i++) { 5374 if (!compressionEnabled(ss, compressions[i])) 5375 continue; 5376 rv = ssl3_AppendHandshakeNumber(ss, compressions[i], 1); 5377 if (rv != SECSuccess) { 5378 return rv; /* err set by ssl3_AppendHandshake* */ 5379 } 5380 } 5381 5382 if (total_exten_len) { 5383 PRUint32 maxBytes = total_exten_len - 2; 5384 PRInt32 extLen; 5385 5386 rv = ssl3_AppendHandshakeNumber(ss, maxBytes, 2); 5387 if (rv != SECSuccess) { 5388 return rv; /* err set by AppendHandshake. */ 5389 } 5390 5391 extLen = ssl3_CallHelloExtensionSenders(ss, PR_TRUE, maxBytes, NULL); 5392 if (extLen < 0) { 5393 return SECFailure; 5394 } 5395 maxBytes -= extLen; 5396 5397 extLen = ssl3_AppendPaddingExtension(ss, paddingExtensionLen, maxBytes); 5398 if (extLen < 0) { 5399 return SECFailure; 5400 } 5401 maxBytes -= extLen; 5402 5403 PORT_Assert(!maxBytes); 5404 } 5405 if (ss->ssl3.hs.sendingSCSV) { 5406 /* Since we sent the SCSV, pretend we sent empty RI extension. */ 5407 TLSExtensionData *xtnData = &ss->xtnData; 5408 xtnData->advertised[xtnData->numAdvertised++] = 5409 ssl_renegotiation_info_xtn; 5410 } 5411 5412 flags = 0; 5413 if (!ss->firstHsDone && !IS_DTLS(ss)) { 5414 flags |= ssl_SEND_FLAG_CAP_RECORD_VERSION; 5415 } 5416 rv = ssl3_FlushHandshake(ss, flags); 5417 if (rv != SECSuccess) { 5418 return rv; /* error code set by ssl3_FlushHandshake */ 5419 } 5420 5421 ss->ssl3.hs.ws = wait_server_hello; 5422 return rv; 5423 } 5424 5425 5426 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete 5427 * ssl3 Hello Request. 5428 * Caller must hold Handshake and RecvBuf locks. 5429 */ 5430 static SECStatus 5431 ssl3_HandleHelloRequest(sslSocket *ss) 5432 { 5433 sslSessionID *sid = ss->sec.ci.sid; 5434 SECStatus rv; 5435 5436 SSL_TRC(3, ("%d: SSL3[%d]: handle hello_request handshake", 5437 SSL_GETPID(), ss->fd)); 5438 5439 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 5440 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 5441 5442 if (ss->ssl3.hs.ws == wait_server_hello) 5443 return SECSuccess; 5444 if (ss->ssl3.hs.ws != idle_handshake || ss->sec.isServer) { 5445 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); 5446 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST); 5447 return SECFailure; 5448 } 5449 if (ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) { 5450 ssl_GetXmitBufLock(ss); 5451 rv = SSL3_SendAlert(ss, alert_warning, no_renegotiation); 5452 ssl_ReleaseXmitBufLock(ss); 5453 PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED); 5454 return SECFailure; 5455 } 5456 5457 if (sid) { 5458 if (ss->sec.uncache) 5459 ss->sec.uncache(sid); 5460 ssl_FreeSID(sid); 5461 ss->sec.ci.sid = NULL; 5462 } 5463 5464 if (IS_DTLS(ss)) { 5465 dtls_RehandshakeCleanup(ss); 5466 } 5467 5468 ssl_GetXmitBufLock(ss); 5469 rv = ssl3_SendClientHello(ss, PR_FALSE); 5470 ssl_ReleaseXmitBufLock(ss); 5471 5472 return rv; 5473 } 5474 5475 #define UNKNOWN_WRAP_MECHANISM 0x7fffffff 5476 5477 static const CK_MECHANISM_TYPE wrapMechanismList[SSL_NUM_WRAP_MECHS] = { 5478 CKM_DES3_ECB, 5479 CKM_CAST5_ECB, 5480 CKM_DES_ECB, 5481 CKM_KEY_WRAP_LYNKS, 5482 CKM_IDEA_ECB, 5483 CKM_CAST3_ECB, 5484 CKM_CAST_ECB, 5485 CKM_RC5_ECB, 5486 CKM_RC2_ECB, 5487 CKM_CDMF_ECB, 5488 CKM_SKIPJACK_WRAP, 5489 CKM_SKIPJACK_CBC64, 5490 CKM_AES_ECB, 5491 CKM_CAMELLIA_ECB, 5492 CKM_SEED_ECB, 5493 UNKNOWN_WRAP_MECHANISM 5494 }; 5495 5496 static int 5497 ssl_FindIndexByWrapMechanism(CK_MECHANISM_TYPE mech) 5498 { 5499 const CK_MECHANISM_TYPE *pMech = wrapMechanismList; 5500 5501 while (mech != *pMech && *pMech != UNKNOWN_WRAP_MECHANISM) { 5502 ++pMech; 5503 } 5504 return (*pMech == UNKNOWN_WRAP_MECHANISM) ? -1 5505 : (pMech - wrapMechanismList); 5506 } 5507 5508 static PK11SymKey * 5509 ssl_UnwrapSymWrappingKey( 5510 SSLWrappedSymWrappingKey *pWswk, 5511 SECKEYPrivateKey * svrPrivKey, 5512 SSL3KEAType exchKeyType, 5513 CK_MECHANISM_TYPE masterWrapMech, 5514 void * pwArg) 5515 { 5516 PK11SymKey * unwrappedWrappingKey = NULL; 5517 SECItem wrappedKey; 5518 #ifdef NSS_ENABLE_ECC 5519 PK11SymKey * Ks; 5520 SECKEYPublicKey pubWrapKey; 5521 ECCWrappedKeyInfo *ecWrapped; 5522 #endif /* NSS_ENABLE_ECC */ 5523 5524 /* found the wrapping key on disk. */ 5525 PORT_Assert(pWswk->symWrapMechanism == masterWrapMech); 5526 PORT_Assert(pWswk->exchKeyType == exchKeyType); 5527 if (pWswk->symWrapMechanism != masterWrapMech || 5528 pWswk->exchKeyType != exchKeyType) { 5529 goto loser; 5530 } 5531 wrappedKey.type = siBuffer; 5532 wrappedKey.data = pWswk->wrappedSymmetricWrappingkey; 5533 wrappedKey.len = pWswk->wrappedSymKeyLen; 5534 PORT_Assert(wrappedKey.len <= sizeof pWswk->wrappedSymmetricWrappingkey); 5535 5536 switch (exchKeyType) { 5537 5538 case kt_rsa: 5539 unwrappedWrappingKey = 5540 PK11_PubUnwrapSymKey(svrPrivKey, &wrappedKey, 5541 masterWrapMech, CKA_UNWRAP, 0); 5542 break; 5543 5544 #ifdef NSS_ENABLE_ECC 5545 case kt_ecdh: 5546 /* 5547 * For kt_ecdh, we first create an EC public key based on 5548 * data stored with the wrappedSymmetricWrappingkey. Next, 5549 * we do an ECDH computation involving this public key and 5550 * the SSL server's (long-term) EC private key. The resulting 5551 * shared secret is treated the same way as Fortezza's Ks, i.e., 5552 * it is used to recover the symmetric wrapping key. 5553 * 5554 * The data in wrappedSymmetricWrappingkey is laid out as defined 5555 * in the ECCWrappedKeyInfo structure. 5556 */ 5557 ecWrapped = (ECCWrappedKeyInfo *) pWswk->wrappedSymmetricWrappingkey; 5558 5559 PORT_Assert(ecWrapped->encodedParamLen + ecWrapped->pubValueLen + 5560 ecWrapped->wrappedKeyLen <= MAX_EC_WRAPPED_KEY_BUFLEN); 5561 5562 if (ecWrapped->encodedParamLen + ecWrapped->pubValueLen + 5563 ecWrapped->wrappedKeyLen > MAX_EC_WRAPPED_KEY_BUFLEN) { 5564 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 5565 goto loser; 5566 } 5567 5568 pubWrapKey.keyType = ecKey; 5569 pubWrapKey.u.ec.size = ecWrapped->size; 5570 pubWrapKey.u.ec.DEREncodedParams.len = ecWrapped->encodedParamLen; 5571 pubWrapKey.u.ec.DEREncodedParams.data = ecWrapped->var; 5572 pubWrapKey.u.ec.publicValue.len = ecWrapped->pubValueLen; 5573 pubWrapKey.u.ec.publicValue.data = ecWrapped->var + 5574 ecWrapped->encodedParamLen; 5575 5576 wrappedKey.len = ecWrapped->wrappedKeyLen; 5577 wrappedKey.data = ecWrapped->var + ecWrapped->encodedParamLen + 5578 ecWrapped->pubValueLen; 5579 5580 /* Derive Ks using ECDH */ 5581 Ks = PK11_PubDeriveWithKDF(svrPrivKey, &pubWrapKey, PR_FALSE, NULL, 5582 NULL, CKM_ECDH1_DERIVE, masterWrapMech, 5583 CKA_DERIVE, 0, CKD_NULL, NULL, NULL); 5584 if (Ks == NULL) { 5585 goto loser; 5586 } 5587 5588 /* Use Ks to unwrap the wrapping key */ 5589 unwrappedWrappingKey = PK11_UnwrapSymKey(Ks, masterWrapMech, NULL, 5590 &wrappedKey, masterWrapMech, 5591 CKA_UNWRAP, 0); 5592 PK11_FreeSymKey(Ks); 5593 5594 break; 5595 #endif 5596 5597 default: 5598 /* Assert? */ 5599 SET_ERROR_CODE 5600 goto loser; 5601 } 5602 loser: 5603 return unwrappedWrappingKey; 5604 } 5605 5606 /* Each process sharing the server session ID cache has its own array of 5607 * SymKey pointers for the symmetric wrapping keys that are used to wrap 5608 * the master secrets. There is one key for each KEA type. These Symkeys 5609 * correspond to the wrapped SymKeys kept in the server session cache. 5610 */ 5611 5612 typedef struct { 5613 PK11SymKey * symWrapKey[kt_kea_size]; 5614 } ssl3SymWrapKey; 5615 5616 static PZLock * symWrapKeysLock = NULL; 5617 static ssl3SymWrapKey symWrapKeys[SSL_NUM_WRAP_MECHS]; 5618 5619 SECStatus ssl_FreeSymWrapKeysLock(void) 5620 { 5621 if (symWrapKeysLock) { 5622 PZ_DestroyLock(symWrapKeysLock); 5623 symWrapKeysLock = NULL; 5624 return SECSuccess; 5625 } 5626 PORT_SetError(SEC_ERROR_NOT_INITIALIZED); 5627 return SECFailure; 5628 } 5629 5630 SECStatus 5631 SSL3_ShutdownServerCache(void) 5632 { 5633 int i, j; 5634 5635 if (!symWrapKeysLock) 5636 return SECSuccess; /* lock was never initialized */ 5637 PZ_Lock(symWrapKeysLock); 5638 /* get rid of all symWrapKeys */ 5639 for (i = 0; i < SSL_NUM_WRAP_MECHS; ++i) { 5640 for (j = 0; j < kt_kea_size; ++j) { 5641 PK11SymKey ** pSymWrapKey; 5642 pSymWrapKey = &symWrapKeys[i].symWrapKey[j]; 5643 if (*pSymWrapKey) { 5644 PK11_FreeSymKey(*pSymWrapKey); 5645 *pSymWrapKey = NULL; 5646 } 5647 } 5648 } 5649 5650 PZ_Unlock(symWrapKeysLock); 5651 return SECSuccess; 5652 } 5653 5654 SECStatus ssl_InitSymWrapKeysLock(void) 5655 { 5656 symWrapKeysLock = PZ_NewLock(nssILockOther); 5657 return symWrapKeysLock ? SECSuccess : SECFailure; 5658 } 5659 5660 /* Try to get wrapping key for mechanism from in-memory array. 5661 * If that fails, look for one on disk. 5662 * If that fails, generate a new one, put the new one on disk, 5663 * Put the new key in the in-memory array. 5664 */ 5665 static PK11SymKey * 5666 getWrappingKey( sslSocket * ss, 5667 PK11SlotInfo * masterSecretSlot, 5668 SSL3KEAType exchKeyType, 5669 CK_MECHANISM_TYPE masterWrapMech, 5670 void * pwArg) 5671 { 5672 SECKEYPrivateKey * svrPrivKey; 5673 SECKEYPublicKey * svrPubKey = NULL; 5674 PK11SymKey * unwrappedWrappingKey = NULL; 5675 PK11SymKey ** pSymWrapKey; 5676 CK_MECHANISM_TYPE asymWrapMechanism = CKM_INVALID_MECHANISM; 5677 int length; 5678 int symWrapMechIndex; 5679 SECStatus rv; 5680 SECItem wrappedKey; 5681 SSLWrappedSymWrappingKey wswk; 5682 #ifdef NSS_ENABLE_ECC 5683 PK11SymKey * Ks = NULL; 5684 SECKEYPublicKey *pubWrapKey = NULL; 5685 SECKEYPrivateKey *privWrapKey = NULL; 5686 ECCWrappedKeyInfo *ecWrapped; 5687 #endif /* NSS_ENABLE_ECC */ 5688 5689 svrPrivKey = ss->serverCerts[exchKeyType].SERVERKEY; 5690 PORT_Assert(svrPrivKey != NULL); 5691 if (!svrPrivKey) { 5692 return NULL; /* why are we here?!? */ 5693 } 5694 5695 symWrapMechIndex = ssl_FindIndexByWrapMechanism(masterWrapMech); 5696 PORT_Assert(symWrapMechIndex >= 0); 5697 if (symWrapMechIndex < 0) 5698 return NULL; /* invalid masterWrapMech. */ 5699 5700 pSymWrapKey = &symWrapKeys[symWrapMechIndex].symWrapKey[exchKeyType]; 5701 5702 ssl_InitSessionCacheLocks(); 5703 5704 PZ_Lock(symWrapKeysLock); 5705 5706 unwrappedWrappingKey = *pSymWrapKey; 5707 if (unwrappedWrappingKey != NULL) { 5708 if (PK11_VerifyKeyOK(unwrappedWrappingKey)) { 5709 unwrappedWrappingKey = PK11_ReferenceSymKey(unwrappedWrappingKey); 5710 goto done; 5711 } 5712 /* slot series has changed, so this key is no good any more. */ 5713 PK11_FreeSymKey(unwrappedWrappingKey); 5714 *pSymWrapKey = unwrappedWrappingKey = NULL; 5715 } 5716 5717 /* Try to get wrapped SymWrapping key out of the (disk) cache. */ 5718 /* Following call fills in wswk on success. */ 5719 if (ssl_GetWrappingKey(symWrapMechIndex, exchKeyType, &wswk)) { 5720 /* found the wrapped sym wrapping key on disk. */ 5721 unwrappedWrappingKey = 5722 ssl_UnwrapSymWrappingKey(&wswk, svrPrivKey, exchKeyType, 5723 masterWrapMech, pwArg); 5724 if (unwrappedWrappingKey) { 5725 goto install; 5726 } 5727 } 5728 5729 if (!masterSecretSlot) /* caller doesn't want to create a new one. */ 5730 goto loser; 5731 5732 length = PK11_GetBestKeyLength(masterSecretSlot, masterWrapMech); 5733 /* Zero length means fixed key length algorithm, or error. 5734 * It's ambiguous. 5735 */ 5736 unwrappedWrappingKey = PK11_KeyGen(masterSecretSlot, masterWrapMech, NULL, 5737 length, pwArg); 5738 if (!unwrappedWrappingKey) { 5739 goto loser; 5740 } 5741 5742 /* Prepare the buffer to receive the wrappedWrappingKey, 5743 * the symmetric wrapping key wrapped using the server's pub key. 5744 */ 5745 PORT_Memset(&wswk, 0, sizeof wswk); /* eliminate UMRs. */ 5746 5747 if (ss->serverCerts[exchKeyType].serverKeyPair) { 5748 svrPubKey = ss->serverCerts[exchKeyType].serverKeyPair->pubKey; 5749 } 5750 if (svrPubKey == NULL) { 5751 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 5752 goto loser; 5753 } 5754 wrappedKey.type = siBuffer; 5755 wrappedKey.len = SECKEY_PublicKeyStrength(svrPubKey); 5756 wrappedKey.data = wswk.wrappedSymmetricWrappingkey; 5757 5758 PORT_Assert(wrappedKey.len <= sizeof wswk.wrappedSymmetricWrappingkey); 5759 if (wrappedKey.len > sizeof wswk.wrappedSymmetricWrappingkey) 5760 goto loser; 5761 5762 /* wrap symmetric wrapping key in server's public key. */ 5763 switch (exchKeyType) { 5764 case kt_rsa: 5765 asymWrapMechanism = CKM_RSA_PKCS; 5766 rv = PK11_PubWrapSymKey(asymWrapMechanism, svrPubKey, 5767 unwrappedWrappingKey, &wrappedKey); 5768 break; 5769 5770 #ifdef NSS_ENABLE_ECC 5771 case kt_ecdh: 5772 /* 5773 * We generate an ephemeral EC key pair. Perform an ECDH 5774 * computation involving this ephemeral EC public key and 5775 * the SSL server's (long-term) EC private key. The resulting 5776 * shared secret is treated in the same way as Fortezza's Ks, 5777 * i.e., it is used to wrap the wrapping key. To facilitate 5778 * unwrapping in ssl_UnwrapWrappingKey, we also store all 5779 * relevant info about the ephemeral EC public key in 5780 * wswk.wrappedSymmetricWrappingkey and lay it out as 5781 * described in the ECCWrappedKeyInfo structure. 5782 */ 5783 PORT_Assert(svrPubKey->keyType == ecKey); 5784 if (svrPubKey->keyType != ecKey) { 5785 /* something is wrong in sslsecur.c if this isn't an ecKey */ 5786 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 5787 rv = SECFailure; 5788 goto ec_cleanup; 5789 } 5790 5791 privWrapKey = SECKEY_CreateECPrivateKey( 5792 &svrPubKey->u.ec.DEREncodedParams, &pubWrapKey, NULL); 5793 if ((privWrapKey == NULL) || (pubWrapKey == NULL)) { 5794 rv = SECFailure; 5795 goto ec_cleanup; 5796 } 5797 5798 /* Set the key size in bits */ 5799 if (pubWrapKey->u.ec.size == 0) { 5800 pubWrapKey->u.ec.size = SECKEY_PublicKeyStrengthInBits(svrPubKey); 5801 } 5802 5803 PORT_Assert(pubWrapKey->u.ec.DEREncodedParams.len + 5804 pubWrapKey->u.ec.publicValue.len < MAX_EC_WRAPPED_KEY_BUFLEN); 5805 if (pubWrapKey->u.ec.DEREncodedParams.len + 5806 pubWrapKey->u.ec.publicValue.len >= MAX_EC_WRAPPED_KEY_BUFLEN) { 5807 PORT_SetError(SEC_ERROR_INVALID_KEY); 5808 rv = SECFailure; 5809 goto ec_cleanup; 5810 } 5811 5812 /* Derive Ks using ECDH */ 5813 Ks = PK11_PubDeriveWithKDF(svrPrivKey, pubWrapKey, PR_FALSE, NULL, 5814 NULL, CKM_ECDH1_DERIVE, masterWrapMech, 5815 CKA_DERIVE, 0, CKD_NULL, NULL, NULL); 5816 if (Ks == NULL) { 5817 rv = SECFailure; 5818 goto ec_cleanup; 5819 } 5820 5821 ecWrapped = (ECCWrappedKeyInfo *) (wswk.wrappedSymmetricWrappingkey); 5822 ecWrapped->size = pubWrapKey->u.ec.size; 5823 ecWrapped->encodedParamLen = pubWrapKey->u.ec.DEREncodedParams.len; 5824 PORT_Memcpy(ecWrapped->var, pubWrapKey->u.ec.DEREncodedParams.data, 5825 pubWrapKey->u.ec.DEREncodedParams.len); 5826 5827 ecWrapped->pubValueLen = pubWrapKey->u.ec.publicValue.len; 5828 PORT_Memcpy(ecWrapped->var + ecWrapped->encodedParamLen, 5829 pubWrapKey->u.ec.publicValue.data, 5830 pubWrapKey->u.ec.publicValue.len); 5831 5832 wrappedKey.len = MAX_EC_WRAPPED_KEY_BUFLEN - 5833 (ecWrapped->encodedParamLen + ecWrapped->pubValueLen); 5834 wrappedKey.data = ecWrapped->var + ecWrapped->encodedParamLen + 5835 ecWrapped->pubValueLen; 5836 5837 /* wrap symmetricWrapping key with the local Ks */ 5838 rv = PK11_WrapSymKey(masterWrapMech, NULL, Ks, 5839 unwrappedWrappingKey, &wrappedKey); 5840 5841 if (rv != SECSuccess) { 5842 goto ec_cleanup; 5843 } 5844 5845 /* Write down the length of wrapped key in the buffer 5846 * wswk.wrappedSymmetricWrappingkey at the appropriate offset 5847 */ 5848 ecWrapped->wrappedKeyLen = wrappedKey.len; 5849 5850 ec_cleanup: 5851 if (privWrapKey) SECKEY_DestroyPrivateKey(privWrapKey); 5852 if (pubWrapKey) SECKEY_DestroyPublicKey(pubWrapKey); 5853 if (Ks) PK11_FreeSymKey(Ks); 5854 asymWrapMechanism = masterWrapMech; 5855 break; 5856 #endif /* NSS_ENABLE_ECC */ 5857 5858 default: 5859 rv = SECFailure; 5860 break; 5861 } 5862 5863 if (rv != SECSuccess) { 5864 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); 5865 goto loser; 5866 } 5867 5868 PORT_Assert(asymWrapMechanism != CKM_INVALID_MECHANISM); 5869 5870 wswk.symWrapMechanism = masterWrapMech; 5871 wswk.symWrapMechIndex = symWrapMechIndex; 5872 wswk.asymWrapMechanism = asymWrapMechanism; 5873 wswk.exchKeyType = exchKeyType; 5874 wswk.wrappedSymKeyLen = wrappedKey.len; 5875 5876 /* put it on disk. */ 5877 /* If the wrapping key for this KEA type has already been set, 5878 * then abandon the value we just computed and 5879 * use the one we got from the disk. 5880 */ 5881 if (ssl_SetWrappingKey(&wswk)) { 5882 /* somebody beat us to it. The original contents of our wswk 5883 * has been replaced with the content on disk. Now, discard 5884 * the key we just created and unwrap this new one. 5885 */ 5886 PK11_FreeSymKey(unwrappedWrappingKey); 5887 5888 unwrappedWrappingKey = 5889 ssl_UnwrapSymWrappingKey(&wswk, svrPrivKey, exchKeyType, 5890 masterWrapMech, pwArg); 5891 } 5892 5893 install: 5894 if (unwrappedWrappingKey) { 5895 *pSymWrapKey = PK11_ReferenceSymKey(unwrappedWrappingKey); 5896 } 5897 5898 loser: 5899 done: 5900 PZ_Unlock(symWrapKeysLock); 5901 return unwrappedWrappingKey; 5902 } 5903 5904 /* hexEncode hex encodes |length| bytes from |in| and writes it as |length*2| 5905 * bytes to |out|. */ 5906 static void 5907 hexEncode(char *out, const unsigned char *in, unsigned int length) 5908 { 5909 static const char hextable[] = "0123456789abcdef"; 5910 unsigned int i; 5911 5912 for (i = 0; i < length; i++) { 5913 *(out++) = hextable[in[i] >> 4]; 5914 *(out++) = hextable[in[i] & 15]; 5915 } 5916 } 5917 5918 /* Called from ssl3_SendClientKeyExchange(). */ 5919 /* Presently, this always uses PKCS11. There is no bypass for this. */ 5920 static SECStatus 5921 sendRSAClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey) 5922 { 5923 PK11SymKey * pms = NULL; 5924 SECStatus rv = SECFailure; 5925 SECItem enc_pms = {siBuffer, NULL, 0}; 5926 PRBool isTLS; 5927 5928 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 5929 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 5930 5931 /* Generate the pre-master secret ... */ 5932 ssl_GetSpecWriteLock(ss); 5933 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); 5934 5935 pms = ssl3_GenerateRSAPMS(ss, ss->ssl3.pwSpec, NULL); 5936 ssl_ReleaseSpecWriteLock(ss); 5937 if (pms == NULL) { 5938 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); 5939 goto loser; 5940 } 5941 5942 /* Get the wrapped (encrypted) pre-master secret, enc_pms */ 5943 enc_pms.len = SECKEY_PublicKeyStrength(svrPubKey); 5944 enc_pms.data = (unsigned char*)PORT_Alloc(enc_pms.len); 5945 if (enc_pms.data == NULL) { 5946 goto loser; /* err set by PORT_Alloc */ 5947 } 5948 5949 /* wrap pre-master secret in server's public key. */ 5950 rv = PK11_PubWrapSymKey(CKM_RSA_PKCS, svrPubKey, pms, &enc_pms); 5951 if (rv != SECSuccess) { 5952 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); 5953 goto loser; 5954 } 5955 5956 if (ssl_keylog_iob) { 5957 SECStatus extractRV = PK11_ExtractKeyValue(pms); 5958 if (extractRV == SECSuccess) { 5959 SECItem * keyData = PK11_GetKeyData(pms); 5960 if (keyData && keyData->data && keyData->len) { 5961 #ifdef TRACE 5962 if (ssl_trace >= 100) { 5963 ssl_PrintBuf(ss, "Pre-Master Secret", 5964 keyData->data, keyData->len); 5965 } 5966 #endif 5967 if (ssl_keylog_iob && enc_pms.len >= 8 && keyData->len == 48) { 5968 /* https://developer.mozilla.org/en/NSS_Key_Log_Format */ 5969 5970 /* There could be multiple, concurrent writers to the 5971 * keylog, so we have to do everything in a single call to 5972 * fwrite. */ 5973 char buf[4 + 8*2 + 1 + 48*2 + 1]; 5974 5975 strcpy(buf, "RSA "); 5976 hexEncode(buf + 4, enc_pms.data, 8); 5977 buf[20] = ' '; 5978 hexEncode(buf + 21, keyData->data, 48); 5979 buf[sizeof(buf) - 1] = '\n'; 5980 5981 fwrite(buf, sizeof(buf), 1, ssl_keylog_iob); 5982 fflush(ssl_keylog_iob); 5983 } 5984 } 5985 } 5986 } 5987 5988 rv = ssl3_InitPendingCipherSpec(ss, pms); 5989 PK11_FreeSymKey(pms); pms = NULL; 5990 5991 if (rv != SECSuccess) { 5992 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); 5993 goto loser; 5994 } 5995 5996 rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange, 5997 isTLS ? enc_pms.len + 2 : enc_pms.len); 5998 if (rv != SECSuccess) { 5999 goto loser; /* err set by ssl3_AppendHandshake* */ 6000 } 6001 if (isTLS) { 6002 rv = ssl3_AppendHandshakeVariable(ss, enc_pms.data, enc_pms.len, 2); 6003 } else { 6004 rv = ssl3_AppendHandshake(ss, enc_pms.data, enc_pms.len); 6005 } 6006 if (rv != SECSuccess) { 6007 goto loser; /* err set by ssl3_AppendHandshake* */ 6008 } 6009 6010 rv = SECSuccess; 6011 6012 loser: 6013 if (enc_pms.data != NULL) { 6014 PORT_Free(enc_pms.data); 6015 } 6016 if (pms != NULL) { 6017 PK11_FreeSymKey(pms); 6018 } 6019 return rv; 6020 } 6021 6022 /* Called from ssl3_SendClientKeyExchange(). */ 6023 /* Presently, this always uses PKCS11. There is no bypass for this. */ 6024 static SECStatus 6025 sendDHClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey) 6026 { 6027 PK11SymKey * pms = NULL; 6028 SECStatus rv = SECFailure; 6029 PRBool isTLS; 6030 CK_MECHANISM_TYPE target; 6031 6032 SECKEYDHParams dhParam; /* DH parameters */ 6033 SECKEYPublicKey *pubKey = NULL; /* Ephemeral DH key */ 6034 SECKEYPrivateKey *privKey = NULL; /* Ephemeral DH key */ 6035 6036 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 6037 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 6038 6039 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); 6040 6041 /* Copy DH parameters from server key */ 6042 6043 if (svrPubKey->keyType != dhKey) { 6044 PORT_SetError(SEC_ERROR_BAD_KEY); 6045 goto loser; 6046 } 6047 dhParam.prime.data = svrPubKey->u.dh.prime.data; 6048 dhParam.prime.len = svrPubKey->u.dh.prime.len; 6049 dhParam.base.data = svrPubKey->u.dh.base.data; 6050 dhParam.base.len = svrPubKey->u.dh.base.len; 6051 6052 /* Generate ephemeral DH keypair */ 6053 privKey = SECKEY_CreateDHPrivateKey(&dhParam, &pubKey, NULL); 6054 if (!privKey || !pubKey) { 6055 ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL); 6056 rv = SECFailure; 6057 goto loser; 6058 } 6059 PRINT_BUF(50, (ss, "DH public value:", 6060 pubKey->u.dh.publicValue.data, 6061 pubKey->u.dh.publicValue.len)); 6062 6063 if (isTLS) target = CKM_TLS_MASTER_KEY_DERIVE_DH; 6064 else target = CKM_SSL3_MASTER_KEY_DERIVE_DH; 6065 6066 /* Determine the PMS */ 6067 6068 pms = PK11_PubDerive(privKey, svrPubKey, PR_FALSE, NULL, NULL, 6069 CKM_DH_PKCS_DERIVE, target, CKA_DERIVE, 0, NULL); 6070 6071 if (pms == NULL) { 6072 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); 6073 goto loser; 6074 } 6075 6076 SECKEY_DestroyPrivateKey(privKey); 6077 privKey = NULL; 6078 6079 rv = ssl3_InitPendingCipherSpec(ss, pms); 6080 PK11_FreeSymKey(pms); pms = NULL; 6081 6082 if (rv != SECSuccess) { 6083 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); 6084 goto loser; 6085 } 6086 6087 rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange, 6088 pubKey->u.dh.publicValue.len + 2); 6089 if (rv != SECSuccess) { 6090 goto loser; /* err set by ssl3_AppendHandshake* */ 6091 } 6092 rv = ssl3_AppendHandshakeVariable(ss, 6093 pubKey->u.dh.publicValue.data, 6094 pubKey->u.dh.publicValue.len, 2); 6095 SECKEY_DestroyPublicKey(pubKey); 6096 pubKey = NULL; 6097 6098 if (rv != SECSuccess) { 6099 goto loser; /* err set by ssl3_AppendHandshake* */ 6100 } 6101 6102 rv = SECSuccess; 6103 6104 6105 loser: 6106 6107 if(pms) PK11_FreeSymKey(pms); 6108 if(privKey) SECKEY_DestroyPrivateKey(privKey); 6109 if(pubKey) SECKEY_DestroyPublicKey(pubKey); 6110 return rv; 6111 } 6112 6113 6114 6115 6116 6117 /* Called from ssl3_HandleServerHelloDone(). */ 6118 static SECStatus 6119 ssl3_SendClientKeyExchange(sslSocket *ss) 6120 { 6121 SECKEYPublicKey * serverKey = NULL; 6122 SECStatus rv = SECFailure; 6123 PRBool isTLS; 6124 6125 SSL_TRC(3, ("%d: SSL3[%d]: send client_key_exchange handshake", 6126 SSL_GETPID(), ss->fd)); 6127 6128 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 6129 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 6130 6131 if (ss->sec.peerKey == NULL) { 6132 serverKey = CERT_ExtractPublicKey(ss->sec.peerCert); 6133 if (serverKey == NULL) { 6134 ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); 6135 return SECFailure; 6136 } 6137 } else { 6138 serverKey = ss->sec.peerKey; 6139 ss->sec.peerKey = NULL; /* we're done with it now */ 6140 } 6141 6142 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); 6143 /* enforce limits on kea key sizes. */ 6144 if (ss->ssl3.hs.kea_def->is_limited) { 6145 int keyLen = SECKEY_PublicKeyStrength(serverKey); /* bytes */ 6146 6147 if (keyLen * BPB > ss->ssl3.hs.kea_def->key_size_limit) { 6148 if (isTLS) 6149 (void)SSL3_SendAlert(ss, alert_fatal, export_restriction); 6150 else 6151 (void)ssl3_HandshakeFailure(ss); 6152 PORT_SetError(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED); 6153 goto loser; 6154 } 6155 } 6156 6157 ss->sec.keaType = ss->ssl3.hs.kea_def->exchKeyType; 6158 ss->sec.keaKeyBits = SECKEY_PublicKeyStrengthInBits(serverKey); 6159 6160 switch (ss->ssl3.hs.kea_def->exchKeyType) { 6161 case kt_rsa: 6162 rv = sendRSAClientKeyExchange(ss, serverKey); 6163 break; 6164 6165 case kt_dh: 6166 rv = sendDHClientKeyExchange(ss, serverKey); 6167 break; 6168 6169 #ifdef NSS_ENABLE_ECC 6170 case kt_ecdh: 6171 rv = ssl3_SendECDHClientKeyExchange(ss, serverKey); 6172 break; 6173 #endif /* NSS_ENABLE_ECC */ 6174 6175 default: 6176 /* got an unknown or unsupported Key Exchange Algorithm. */ 6177 SEND_ALERT 6178 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); 6179 break; 6180 } 6181 6182 SSL_TRC(3, ("%d: SSL3[%d]: DONE sending client_key_exchange", 6183 SSL_GETPID(), ss->fd)); 6184 6185 loser: 6186 if (serverKey) 6187 SECKEY_DestroyPublicKey(serverKey); 6188 return rv; /* err code already set. */ 6189 } 6190 6191 /* Called from ssl3_HandleServerHelloDone(). */ 6192 static SECStatus 6193 ssl3_SendCertificateVerify(sslSocket *ss) 6194 { 6195 SECStatus rv = SECFailure; 6196 PRBool isTLS; 6197 PRBool isTLS12; 6198 SECItem buf = {siBuffer, NULL, 0}; 6199 SSL3Hashes hashes; 6200 KeyType keyType; 6201 unsigned int len; 6202 SSL3SignatureAndHashAlgorithm sigAndHash; 6203 6204 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 6205 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 6206 6207 SSL_TRC(3, ("%d: SSL3[%d]: send certificate_verify handshake", 6208 SSL_GETPID(), ss->fd)); 6209 6210 ssl_GetSpecReadLock(ss); 6211 /* In TLS 1.2, ssl3_ComputeHandshakeHashes always uses the handshake hash 6212 * function (SHA-256). If the server or the client does not support SHA-256 6213 * as a signature hash, we can either maintain a backup SHA-1 handshake 6214 * hash or buffer all handshake messages. 6215 */ 6216 if (ss->ssl3.hs.hashType == handshake_hash_single && ss->ssl3.hs.md5) { 6217 rv = ssl3_ComputeBackupHandshakeHashes(ss, &hashes); 6218 PORT_Assert(ss->ssl3.hs.md5 == NULL); 6219 } else { 6220 rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0); 6221 } 6222 ssl_ReleaseSpecReadLock(ss); 6223 if (rv != SECSuccess) { 6224 goto done; /* err code was set by ssl3_ComputeHandshakeHashes */ 6225 } 6226 6227 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); 6228 isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); 6229 if (ss->ssl3.platformClientKey) { 6230 #ifdef NSS_PLATFORM_CLIENT_AUTH 6231 keyType = CERT_GetCertKeyType( 6232 &ss->ssl3.clientCertificate->subjectPublicKeyInfo); 6233 rv = ssl3_PlatformSignHashes( 6234 &hashes, ss->ssl3.platformClientKey, &buf, isTLS, keyType); 6235 ssl_FreePlatformKey(ss->ssl3.platformClientKey); 6236 ss->ssl3.platformClientKey = (PlatformKey)NULL; 6237 #endif /* NSS_PLATFORM_CLIENT_AUTH */ 6238 } else { 6239 keyType = ss->ssl3.clientPrivateKey->keyType; 6240 rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS); 6241 if (rv == SECSuccess) { 6242 PK11SlotInfo * slot; 6243 sslSessionID * sid = ss->sec.ci.sid; 6244 6245 /* Remember the info about the slot that did the signing. 6246 ** Later, when doing an SSL restart handshake, verify this. 6247 ** These calls are mere accessors, and can't fail. 6248 */ 6249 slot = PK11_GetSlotFromPrivateKey(ss->ssl3.clientPrivateKey); 6250 sid->u.ssl3.clAuthSeries = PK11_GetSlotSeries(slot); 6251 sid->u.ssl3.clAuthSlotID = PK11_GetSlotID(slot); 6252 sid->u.ssl3.clAuthModuleID = PK11_GetModuleID(slot); 6253 sid->u.ssl3.clAuthValid = PR_TRUE; 6254 PK11_FreeSlot(slot); 6255 } 6256 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); 6257 ss->ssl3.clientPrivateKey = NULL; 6258 } 6259 if (rv != SECSuccess) { 6260 goto done; /* err code was set by ssl3_SignHashes */ 6261 } 6262 6263 len = buf.len + 2 + (isTLS12 ? 2 : 0); 6264 6265 rv = ssl3_AppendHandshakeHeader(ss, certificate_verify, len); 6266 if (rv != SECSuccess) { 6267 goto done; /* error code set by AppendHandshake */ 6268 } 6269 if (isTLS12) { 6270 rv = ssl3_TLSSignatureAlgorithmForKeyType(keyType, 6271 &sigAndHash.sigAlg); 6272 if (rv != SECSuccess) { 6273 goto done; 6274 } 6275 sigAndHash.hashAlg = hashes.hashAlg; 6276 6277 rv = ssl3_AppendSignatureAndHashAlgorithm(ss, &sigAndHash); 6278 if (rv != SECSuccess) { 6279 goto done; /* err set by AppendHandshake. */ 6280 } 6281 } 6282 rv = ssl3_AppendHandshakeVariable(ss, buf.data, buf.len, 2); 6283 if (rv != SECSuccess) { 6284 goto done; /* error code set by AppendHandshake */ 6285 } 6286 6287 done: 6288 if (buf.data) 6289 PORT_Free(buf.data); 6290 return rv; 6291 } 6292 6293 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete 6294 * ssl3 ServerHello message. 6295 * Caller must hold Handshake and RecvBuf locks. 6296 */ 6297 static SECStatus 6298 ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) 6299 { 6300 sslSessionID *sid = ss->sec.ci.sid; 6301 PRInt32 temp; /* allow for consume number failure */ 6302 PRBool suite_found = PR_FALSE; 6303 int i; 6304 int errCode = SSL_ERROR_RX_MALFORMED_SERVER_HELLO; 6305 SECStatus rv; 6306 SECItem sidBytes = {siBuffer, NULL, 0}; 6307 PRBool sid_match; 6308 PRBool isTLS = PR_FALSE; 6309 SSL3AlertDescription desc = illegal_parameter; 6310 SSL3ProtocolVersion version; 6311 6312 SSL_TRC(3, ("%d: SSL3[%d]: handle server_hello handshake", 6313 SSL_GETPID(), ss->fd)); 6314 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 6315 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 6316 PORT_Assert( ss->ssl3.initialized ); 6317 6318 if (ss->ssl3.hs.ws != wait_server_hello) { 6319 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO; 6320 desc = unexpected_message; 6321 goto alert_loser; 6322 } 6323 6324 /* clean up anything left from previous handshake. */ 6325 if (ss->ssl3.clientCertChain != NULL) { 6326 CERT_DestroyCertificateList(ss->ssl3.clientCertChain); 6327 ss->ssl3.clientCertChain = NULL; 6328 } 6329 if (ss->ssl3.clientCertificate != NULL) { 6330 CERT_DestroyCertificate(ss->ssl3.clientCertificate); 6331 ss->ssl3.clientCertificate = NULL; 6332 } 6333 if (ss->ssl3.clientPrivateKey != NULL) { 6334 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); 6335 ss->ssl3.clientPrivateKey = NULL; 6336 } 6337 #ifdef NSS_PLATFORM_CLIENT_AUTH 6338 if (ss->ssl3.platformClientKey) { 6339 ssl_FreePlatformKey(ss->ssl3.platformClientKey); 6340 ss->ssl3.platformClientKey = (PlatformKey)NULL; 6341 } 6342 #endif /* NSS_PLATFORM_CLIENT_AUTH */ 6343 6344 if (ss->ssl3.channelID != NULL) { 6345 SECKEY_DestroyPrivateKey(ss->ssl3.channelID); 6346 ss->ssl3.channelID = NULL; 6347 } 6348 if (ss->ssl3.channelIDPub != NULL) { 6349 SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub); 6350 ss->ssl3.channelIDPub = NULL; 6351 } 6352 6353 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); 6354 if (temp < 0) { 6355 goto loser; /* alert has been sent */ 6356 } 6357 version = (SSL3ProtocolVersion)temp; 6358 6359 if (IS_DTLS(ss)) { 6360 /* RFC 4347 required that you verify that the server versions 6361 * match (Section 4.2.1) in the HelloVerifyRequest and the 6362 * ServerHello. 6363 * 6364 * RFC 6347 suggests (SHOULD) that servers always use 1.0 6365 * in HelloVerifyRequest and allows the versions not to match, 6366 * especially when 1.2 is being negotiated. 6367 * 6368 * Therefore we do not check for matching here. 6369 */ 6370 version = dtls_DTLSVersionToTLSVersion(version); 6371 if (version == 0) { /* Insane version number */ 6372 goto alert_loser; 6373 } 6374 } 6375 6376 rv = ssl3_NegotiateVersion(ss, version, PR_FALSE); 6377 if (rv != SECSuccess) { 6378 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version 6379 : handshake_failure; 6380 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; 6381 goto alert_loser; 6382 } 6383 isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0); 6384 6385 rv = ssl3_InitHandshakeHashes(ss); 6386 if (rv != SECSuccess) { 6387 desc = internal_error; 6388 errCode = PORT_GetError(); 6389 goto alert_loser; 6390 } 6391 6392 rv = ssl3_ConsumeHandshake( 6393 ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH, &b, &length); 6394 if (rv != SECSuccess) { 6395 goto loser; /* alert has been sent */ 6396 } 6397 6398 rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length); 6399 if (rv != SECSuccess) { 6400 goto loser; /* alert has been sent */ 6401 } 6402 if (sidBytes.len > SSL3_SESSIONID_BYTES) { 6403 if (isTLS) 6404 desc = decode_error; 6405 goto alert_loser; /* malformed. */ 6406 } 6407 6408 /* find selected cipher suite in our list. */ 6409 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); 6410 if (temp < 0) { 6411 goto loser; /* alert has been sent */ 6412 } 6413 ssl3_config_match_init(ss); 6414 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { 6415 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; 6416 if (temp == suite->cipher_suite) { 6417 SSLVersionRange vrange = {ss->version, ss->version}; 6418 if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) { 6419 /* config_match already checks whether the cipher suite is 6420 * acceptable for the version, but the check is repeated here 6421 * in order to give a more precise error code. */ 6422 if (!ssl3_CipherSuiteAllowedForVersionRange(temp, &vrange)) { 6423 desc = handshake_failure; 6424 errCode = SSL_ERROR_CIPHER_DISALLOWED_FOR_VERSION; 6425 goto alert_loser; 6426 } 6427 6428 break; /* failure */ 6429 } 6430 6431 suite_found = PR_TRUE; 6432 break; /* success */ 6433 } 6434 } 6435 if (!suite_found) { 6436 desc = handshake_failure; 6437 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; 6438 goto alert_loser; 6439 } 6440 ss->ssl3.hs.cipher_suite = (ssl3CipherSuite)temp; 6441 ss->ssl3.hs.suite_def = ssl_LookupCipherSuiteDef((ssl3CipherSuite)temp); 6442 PORT_Assert(ss->ssl3.hs.suite_def); 6443 if (!ss->ssl3.hs.suite_def) { 6444 PORT_SetError(errCode = SEC_ERROR_LIBRARY_FAILURE); 6445 goto loser; /* we don't send alerts for our screw-ups. */ 6446 } 6447 6448 /* find selected compression method in our list. */ 6449 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &b, &length); 6450 if (temp < 0) { 6451 goto loser; /* alert has been sent */ 6452 } 6453 suite_found = PR_FALSE; 6454 for (i = 0; i < compressionMethodsCount; i++) { 6455 if (temp == compressions[i]) { 6456 if (!compressionEnabled(ss, compressions[i])) { 6457 break; /* failure */ 6458 } 6459 suite_found = PR_TRUE; 6460 break; /* success */ 6461 } 6462 } 6463 if (!suite_found) { 6464 desc = handshake_failure; 6465 errCode = SSL_ERROR_NO_COMPRESSION_OVERLAP; 6466 goto alert_loser; 6467 } 6468 ss->ssl3.hs.compression = (SSLCompressionMethod)temp; 6469 6470 /* Note that if !isTLS and the extra stuff is not extensions, we 6471 * do NOT goto alert_loser. 6472 * There are some old SSL 3.0 implementations that do send stuff 6473 * after the end of the server hello, and we deliberately ignore 6474 * such stuff in the interest of maximal interoperability (being 6475 * "generous in what you accept"). 6476 * Update: Starting in NSS 3.12.6, we handle the renegotiation_info 6477 * extension in SSL 3.0. 6478 */ 6479 if (length != 0) { 6480 SECItem extensions; 6481 rv = ssl3_ConsumeHandshakeVariable(ss, &extensions, 2, &b, &length); 6482 if (rv != SECSuccess || length != 0) { 6483 if (isTLS) 6484 goto alert_loser; 6485 } else { 6486 rv = ssl3_HandleHelloExtensions(ss, &extensions.data, 6487 &extensions.len); 6488 if (rv != SECSuccess) 6489 goto alert_loser; 6490 } 6491 } 6492 if ((ss->opt.requireSafeNegotiation || 6493 (ss->firstHsDone && (ss->peerRequestedProtection || 6494 ss->opt.enableRenegotiation == SSL_RENEGOTIATE_REQUIRES_XTN))) && 6495 !ssl3_ExtensionNegotiated(ss, ssl_renegotiation_info_xtn)) { 6496 desc = handshake_failure; 6497 errCode = ss->firstHsDone ? SSL_ERROR_RENEGOTIATION_NOT_ALLOWED 6498 : SSL_ERROR_UNSAFE_NEGOTIATION; 6499 goto alert_loser; 6500 } 6501 6502 /* Any errors after this point are not "malformed" errors. */ 6503 desc = handshake_failure; 6504 6505 /* we need to call ssl3_SetupPendingCipherSpec here so we can check the 6506 * key exchange algorithm. */ 6507 rv = ssl3_SetupPendingCipherSpec(ss); 6508 if (rv != SECSuccess) { 6509 goto alert_loser; /* error code is set. */ 6510 } 6511 6512 /* We may or may not have sent a session id, we may get one back or 6513 * not and if so it may match the one we sent. 6514 * Attempt to restore the master secret to see if this is so... 6515 * Don't consider failure to find a matching SID an error. 6516 */ 6517 sid_match = (PRBool)(sidBytes.len > 0 && 6518 sidBytes.len == sid->u.ssl3.sessionIDLength && 6519 !PORT_Memcmp(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len)); 6520 6521 if (sid_match && 6522 sid->version == ss->version && 6523 sid->u.ssl3.cipherSuite == ss->ssl3.hs.cipher_suite) do { 6524 ssl3CipherSpec *pwSpec = ss->ssl3.pwSpec; 6525 6526 SECItem wrappedMS; /* wrapped master secret. */ 6527 6528 ss->sec.authAlgorithm = sid->authAlgorithm; 6529 ss->sec.authKeyBits = sid->authKeyBits; 6530 ss->sec.keaType = sid->keaType; 6531 ss->sec.keaKeyBits = sid->keaKeyBits; 6532 6533 /* 3 cases here: 6534 * a) key is wrapped (implies using PKCS11) 6535 * b) key is unwrapped, but we're still using PKCS11 6536 * c) key is unwrapped, and we're bypassing PKCS11. 6537 */ 6538 if (sid->u.ssl3.keys.msIsWrapped) { 6539 PK11SlotInfo *slot; 6540 PK11SymKey * wrapKey; /* wrapping key */ 6541 CK_FLAGS keyFlags = 0; 6542 6543 #ifndef NO_PKCS11_BYPASS 6544 if (ss->opt.bypassPKCS11) { 6545 /* we cannot restart a non-bypass session in a 6546 ** bypass socket. 6547 */ 6548 break; 6549 } 6550 #endif 6551 /* unwrap master secret with PKCS11 */ 6552 slot = SECMOD_LookupSlot(sid->u.ssl3.masterModuleID, 6553 sid->u.ssl3.masterSlotID); 6554 if (slot == NULL) { 6555 break; /* not considered an error. */ 6556 } 6557 if (!PK11_IsPresent(slot)) { 6558 PK11_FreeSlot(slot); 6559 break; /* not considered an error. */ 6560 } 6561 wrapKey = PK11_GetWrapKey(slot, sid->u.ssl3.masterWrapIndex, 6562 sid->u.ssl3.masterWrapMech, 6563 sid->u.ssl3.masterWrapSeries, 6564 ss->pkcs11PinArg); 6565 PK11_FreeSlot(slot); 6566 if (wrapKey == NULL) { 6567 break; /* not considered an error. */ 6568 } 6569 6570 if (ss->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */ 6571 keyFlags = CKF_SIGN | CKF_VERIFY; 6572 } 6573 6574 wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret; 6575 wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len; 6576 pwSpec->master_secret = 6577 PK11_UnwrapSymKeyWithFlags(wrapKey, sid->u.ssl3.masterWrapMech, 6578 NULL, &wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE, 6579 CKA_DERIVE, sizeof(SSL3MasterSecret), keyFlags); 6580 errCode = PORT_GetError(); 6581 PK11_FreeSymKey(wrapKey); 6582 if (pwSpec->master_secret == NULL) { 6583 break; /* errorCode set just after call to UnwrapSymKey. */ 6584 } 6585 #ifndef NO_PKCS11_BYPASS 6586 } else if (ss->opt.bypassPKCS11) { 6587 /* MS is not wrapped */ 6588 wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret; 6589 wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len; 6590 memcpy(pwSpec->raw_master_secret, wrappedMS.data, wrappedMS.len); 6591 pwSpec->msItem.data = pwSpec->raw_master_secret; 6592 pwSpec->msItem.len = wrappedMS.len; 6593 #endif 6594 } else { 6595 /* We CAN restart a bypass session in a non-bypass socket. */ 6596 /* need to import the raw master secret to session object */ 6597 PK11SlotInfo *slot = PK11_GetInternalSlot(); 6598 wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret; 6599 wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len; 6600 pwSpec->master_secret = 6601 PK11_ImportSymKey(slot, CKM_SSL3_MASTER_KEY_DERIVE, 6602 PK11_OriginUnwrap, CKA_ENCRYPT, 6603 &wrappedMS, NULL); 6604 PK11_FreeSlot(slot); 6605 if (pwSpec->master_secret == NULL) { 6606 break; 6607 } 6608 } 6609 6610 /* Got a Match */ 6611 SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_hits ); 6612 6613 /* If we sent a session ticket, then this is a stateless resume. */ 6614 if (sid->version > SSL_LIBRARY_VERSION_3_0 && 6615 sid->u.ssl3.sessionTicket.ticket.data != NULL) 6616 SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_stateless_resumes ); 6617 6618 if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn)) 6619 ss->ssl3.hs.ws = wait_new_session_ticket; 6620 else 6621 ss->ssl3.hs.ws = wait_change_cipher; 6622 6623 ss->ssl3.hs.isResuming = PR_TRUE; 6624 6625 /* copy the peer cert from the SID */ 6626 if (sid->peerCert != NULL) { 6627 ss->sec.peerCert = CERT_DupCertificate(sid->peerCert); 6628 ssl3_CopyPeerCertsFromSID(ss, sid); 6629 } 6630 6631 /* NULL value for PMS signifies re-use of the old MS */ 6632 rv = ssl3_InitPendingCipherSpec(ss, NULL); 6633 if (rv != SECSuccess) { 6634 goto alert_loser; /* err code was set */ 6635 } 6636 goto winner; 6637 } while (0); 6638 6639 if (sid_match) 6640 SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_not_ok ); 6641 else 6642 SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_misses ); 6643 6644 /* throw the old one away */ 6645 sid->u.ssl3.keys.resumable = PR_FALSE; 6646 if (ss->sec.uncache) 6647 (*ss->sec.uncache)(sid); 6648 ssl_FreeSID(sid); 6649 6650 /* get a new sid */ 6651 ss->sec.ci.sid = sid = ssl3_NewSessionID(ss, PR_FALSE); 6652 if (sid == NULL) { 6653 goto alert_loser; /* memory error is set. */ 6654 } 6655 6656 sid->version = ss->version; 6657 sid->u.ssl3.sessionIDLength = sidBytes.len; 6658 PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len); 6659 6660 /* Copy Signed Certificate Timestamps, if any. */ 6661 if (ss->xtnData.signedCertTimestamps.data) { 6662 rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.signedCertTimestamps, 6663 &ss->xtnData.signedCertTimestamps); 6664 if (rv != SECSuccess) 6665 goto loser; 6666 } 6667 6668 ss->ssl3.hs.isResuming = PR_FALSE; 6669 ss->ssl3.hs.ws = wait_server_cert; 6670 6671 winner: 6672 /* Clean up the temporary pointer to the handshake buffer. */ 6673 ss->xtnData.signedCertTimestamps.data = NULL; 6674 ss->xtnData.signedCertTimestamps.len = 0; 6675 6676 /* If we will need a ChannelID key then we make the callback now. This 6677 * allows the handshake to be restarted cleanly if the callback returns 6678 * SECWouldBlock. */ 6679 if (ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn)) { 6680 rv = ss->getChannelID(ss->getChannelIDArg, ss->fd, 6681 &ss->ssl3.channelIDPub, &ss->ssl3.channelID); 6682 if (rv == SECWouldBlock) { 6683 ssl3_SetAlwaysBlock(ss); 6684 return rv; 6685 } 6686 if (rv != SECSuccess || 6687 ss->ssl3.channelIDPub == NULL || 6688 ss->ssl3.channelID == NULL) { 6689 PORT_SetError(SSL_ERROR_GET_CHANNEL_ID_FAILED); 6690 desc = internal_error; 6691 goto alert_loser; 6692 } 6693 } 6694 6695 return SECSuccess; 6696 6697 alert_loser: 6698 (void)SSL3_SendAlert(ss, alert_fatal, desc); 6699 6700 loser: 6701 /* Clean up the temporary pointer to the handshake buffer. */ 6702 ss->xtnData.signedCertTimestamps.data = NULL; 6703 ss->xtnData.signedCertTimestamps.len = 0; 6704 errCode = ssl_MapLowLevelError(errCode); 6705 return SECFailure; 6706 } 6707 6708 /* ssl3_BigIntGreaterThanOne returns true iff |mpint|, taken as an unsigned, 6709 * big-endian integer is > 1 */ 6710 static PRBool 6711 ssl3_BigIntGreaterThanOne(const SECItem* mpint) { 6712 unsigned char firstNonZeroByte = 0; 6713 unsigned int i; 6714 6715 for (i = 0; i < mpint->len; i++) { 6716 if (mpint->data[i]) { 6717 firstNonZeroByte = mpint->data[i]; 6718 break; 6719 } 6720 } 6721 6722 if (firstNonZeroByte == 0) 6723 return PR_FALSE; 6724 if (firstNonZeroByte > 1) 6725 return PR_TRUE; 6726 6727 /* firstNonZeroByte == 1, therefore mpint > 1 iff the first non-zero byte 6728 * is followed by another byte. */ 6729 return (i < mpint->len - 1); 6730 } 6731 6732 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete 6733 * ssl3 ServerKeyExchange message. 6734 * Caller must hold Handshake and RecvBuf locks. 6735 */ 6736 static SECStatus 6737 ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length) 6738 { 6739 PLArenaPool * arena = NULL; 6740 SECKEYPublicKey *peerKey = NULL; 6741 PRBool isTLS, isTLS12; 6742 SECStatus rv; 6743 int errCode = SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH; 6744 SSL3AlertDescription desc = illegal_parameter; 6745 SSL3Hashes hashes; 6746 SECItem signature = {siBuffer, NULL, 0}; 6747 SSL3SignatureAndHashAlgorithm sigAndHash; 6748 6749 sigAndHash.hashAlg = SEC_OID_UNKNOWN; 6750 6751 SSL_TRC(3, ("%d: SSL3[%d]: handle server_key_exchange handshake", 6752 SSL_GETPID(), ss->fd)); 6753 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 6754 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 6755 6756 if (ss->ssl3.hs.ws != wait_server_key && 6757 ss->ssl3.hs.ws != wait_server_cert) { 6758 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH; 6759 desc = unexpected_message; 6760 goto alert_loser; 6761 } 6762 if (ss->sec.peerCert == NULL) { 6763 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH; 6764 desc = unexpected_message; 6765 goto alert_loser; 6766 } 6767 6768 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); 6769 isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); 6770 6771 switch (ss->ssl3.hs.kea_def->exchKeyType) { 6772 6773 case kt_rsa: { 6774 SECItem modulus = {siBuffer, NULL, 0}; 6775 SECItem exponent = {siBuffer, NULL, 0}; 6776 6777 rv = ssl3_ConsumeHandshakeVariable(ss, &modulus, 2, &b, &length); 6778 if (rv != SECSuccess) { 6779 goto loser; /* malformed. */ 6780 } 6781 rv = ssl3_ConsumeHandshakeVariable(ss, &exponent, 2, &b, &length); 6782 if (rv != SECSuccess) { 6783 goto loser; /* malformed. */ 6784 } 6785 if (isTLS12) { 6786 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length, 6787 &sigAndHash); 6788 if (rv != SECSuccess) { 6789 goto loser; /* malformed or unsupported. */ 6790 } 6791 rv = ssl3_CheckSignatureAndHashAlgorithmConsistency( 6792 &sigAndHash, ss->sec.peerCert); 6793 if (rv != SECSuccess) { 6794 goto loser; 6795 } 6796 } 6797 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length); 6798 if (rv != SECSuccess) { 6799 goto loser; /* malformed. */ 6800 } 6801 if (length != 0) { 6802 if (isTLS) 6803 desc = decode_error; 6804 goto alert_loser; /* malformed. */ 6805 } 6806 6807 /* failures after this point are not malformed handshakes. */ 6808 /* TLS: send decrypt_error if signature failed. */ 6809 desc = isTLS ? decrypt_error : handshake_failure; 6810 6811 /* 6812 * check to make sure the hash is signed by right guy 6813 */ 6814 rv = ssl3_ComputeExportRSAKeyHash(sigAndHash.hashAlg, modulus, exponent, 6815 &ss->ssl3.hs.client_random, 6816 &ss->ssl3.hs.server_random, 6817 &hashes, ss->opt.bypassPKCS11); 6818 if (rv != SECSuccess) { 6819 errCode = 6820 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); 6821 goto alert_loser; 6822 } 6823 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature, 6824 isTLS, ss->pkcs11PinArg); 6825 if (rv != SECSuccess) { 6826 errCode = 6827 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); 6828 goto alert_loser; 6829 } 6830 6831 /* 6832 * we really need to build a new key here because we can no longer 6833 * ignore calling SECKEY_DestroyPublicKey. Using the key may allocate 6834 * pkcs11 slots and ID's. 6835 */ 6836 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); 6837 if (arena == NULL) { 6838 goto no_memory; 6839 } 6840 6841 peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey); 6842 if (peerKey == NULL) { 6843 PORT_FreeArena(arena, PR_FALSE); 6844 goto no_memory; 6845 } 6846 6847 peerKey->arena = arena; 6848 peerKey->keyType = rsaKey; 6849 peerKey->pkcs11Slot = NULL; 6850 peerKey->pkcs11ID = CK_INVALID_HANDLE; 6851 if (SECITEM_CopyItem(arena, &peerKey->u.rsa.modulus, &modulus) || 6852 SECITEM_CopyItem(arena, &peerKey->u.rsa.publicExponent, &exponent)) 6853 { 6854 PORT_FreeArena(arena, PR_FALSE); 6855 goto no_memory; 6856 } 6857 ss->sec.peerKey = peerKey; 6858 ss->ssl3.hs.ws = wait_cert_request; 6859 return SECSuccess; 6860 } 6861 6862 case kt_dh: { 6863 SECItem dh_p = {siBuffer, NULL, 0}; 6864 SECItem dh_g = {siBuffer, NULL, 0}; 6865 SECItem dh_Ys = {siBuffer, NULL, 0}; 6866 6867 rv = ssl3_ConsumeHandshakeVariable(ss, &dh_p, 2, &b, &length); 6868 if (rv != SECSuccess) { 6869 goto loser; /* malformed. */ 6870 } 6871 if (dh_p.len < 512/8) { 6872 errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY; 6873 goto alert_loser; 6874 } 6875 rv = ssl3_ConsumeHandshakeVariable(ss, &dh_g, 2, &b, &length); 6876 if (rv != SECSuccess) { 6877 goto loser; /* malformed. */ 6878 } 6879 if (dh_g.len > dh_p.len || !ssl3_BigIntGreaterThanOne(&dh_g)) 6880 goto alert_loser; 6881 rv = ssl3_ConsumeHandshakeVariable(ss, &dh_Ys, 2, &b, &length); 6882 if (rv != SECSuccess) { 6883 goto loser; /* malformed. */ 6884 } 6885 if (dh_Ys.len > dh_p.len || !ssl3_BigIntGreaterThanOne(&dh_Ys)) 6886 goto alert_loser; 6887 if (isTLS12) { 6888 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length, 6889 &sigAndHash); 6890 if (rv != SECSuccess) { 6891 goto loser; /* malformed or unsupported. */ 6892 } 6893 rv = ssl3_CheckSignatureAndHashAlgorithmConsistency( 6894 &sigAndHash, ss->sec.peerCert); 6895 if (rv != SECSuccess) { 6896 goto loser; 6897 } 6898 } 6899 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length); 6900 if (rv != SECSuccess) { 6901 goto loser; /* malformed. */ 6902 } 6903 if (length != 0) { 6904 if (isTLS) 6905 desc = decode_error; 6906 goto alert_loser; /* malformed. */ 6907 } 6908 6909 PRINT_BUF(60, (NULL, "Server DH p", dh_p.data, dh_p.len)); 6910 PRINT_BUF(60, (NULL, "Server DH g", dh_g.data, dh_g.len)); 6911 PRINT_BUF(60, (NULL, "Server DH Ys", dh_Ys.data, dh_Ys.len)); 6912 6913 /* failures after this point are not malformed handshakes. */ 6914 /* TLS: send decrypt_error if signature failed. */ 6915 desc = isTLS ? decrypt_error : handshake_failure; 6916 6917 /* 6918 * check to make sure the hash is signed by right guy 6919 */ 6920 rv = ssl3_ComputeDHKeyHash(sigAndHash.hashAlg, dh_p, dh_g, dh_Ys, 6921 &ss->ssl3.hs.client_random, 6922 &ss->ssl3.hs.server_random, 6923 &hashes, ss->opt.bypassPKCS11); 6924 if (rv != SECSuccess) { 6925 errCode = 6926 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); 6927 goto alert_loser; 6928 } 6929 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature, 6930 isTLS, ss->pkcs11PinArg); 6931 if (rv != SECSuccess) { 6932 errCode = 6933 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); 6934 goto alert_loser; 6935 } 6936 6937 /* 6938 * we really need to build a new key here because we can no longer 6939 * ignore calling SECKEY_DestroyPublicKey. Using the key may allocate 6940 * pkcs11 slots and ID's. 6941 */ 6942 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); 6943 if (arena == NULL) { 6944 goto no_memory; 6945 } 6946 6947 ss->sec.peerKey = peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey); 6948 if (peerKey == NULL) { 6949 goto no_memory; 6950 } 6951 6952 peerKey->arena = arena; 6953 peerKey->keyType = dhKey; 6954 peerKey->pkcs11Slot = NULL; 6955 peerKey->pkcs11ID = CK_INVALID_HANDLE; 6956 6957 if (SECITEM_CopyItem(arena, &peerKey->u.dh.prime, &dh_p) || 6958 SECITEM_CopyItem(arena, &peerKey->u.dh.base, &dh_g) || 6959 SECITEM_CopyItem(arena, &peerKey->u.dh.publicValue, &dh_Ys)) 6960 { 6961 PORT_FreeArena(arena, PR_FALSE); 6962 goto no_memory; 6963 } 6964 ss->sec.peerKey = peerKey; 6965 ss->ssl3.hs.ws = wait_cert_request; 6966 return SECSuccess; 6967 } 6968 6969 #ifdef NSS_ENABLE_ECC 6970 case kt_ecdh: 6971 rv = ssl3_HandleECDHServerKeyExchange(ss, b, length); 6972 return rv; 6973 #endif /* NSS_ENABLE_ECC */ 6974 6975 default: 6976 desc = handshake_failure; 6977 errCode = SEC_ERROR_UNSUPPORTED_KEYALG; 6978 break; /* goto alert_loser; */ 6979 } 6980 6981 alert_loser: 6982 (void)SSL3_SendAlert(ss, alert_fatal, desc); 6983 loser: 6984 PORT_SetError( errCode ); 6985 return SECFailure; 6986 6987 no_memory: /* no-memory error has already been set. */ 6988 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); 6989 return SECFailure; 6990 } 6991 6992 6993 /* 6994 * Returns the TLS signature algorithm for the client authentication key and 6995 * whether it is an RSA or DSA key that may be able to sign only SHA-1 hashes. 6996 */ 6997 static SECStatus 6998 ssl3_ExtractClientKeyInfo(sslSocket *ss, 6999 TLSSignatureAlgorithm *sigAlg, 7000 PRBool *preferSha1) 7001 { 7002 SECStatus rv = SECSuccess; 7003 SECKEYPublicKey *pubk; 7004 7005 pubk = CERT_ExtractPublicKey(ss->ssl3.clientCertificate); 7006 if (pubk == NULL) { 7007 rv = SECFailure; 7008 goto done; 7009 } 7010 7011 rv = ssl3_TLSSignatureAlgorithmForKeyType(pubk->keyType, sigAlg); 7012 if (rv != SECSuccess) { 7013 goto done; 7014 } 7015 7016 #if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(_WIN32) 7017 /* If the key is in CAPI, assume conservatively that the CAPI service 7018 * provider may be unable to sign SHA-256 hashes. 7019 */ 7020 if (ss->ssl3.platformClientKey->dwKeySpec != CERT_NCRYPT_KEY_SPEC) { 7021 /* CAPI only supports RSA and DSA signatures, so we don't need to 7022 * check the key type. */ 7023 *preferSha1 = PR_TRUE; 7024 goto done; 7025 } 7026 #endif /* NSS_PLATFORM_CLIENT_AUTH && _WIN32 */ 7027 7028 /* If the key is a 1024-bit RSA or DSA key, assume conservatively that 7029 * it may be unable to sign SHA-256 hashes. This is the case for older 7030 * Estonian ID cards that have 1024-bit RSA keys. In FIPS 186-2 and 7031 * older, DSA key size is at most 1024 bits and the hash function must 7032 * be SHA-1. 7033 */ 7034 if (pubk->keyType == rsaKey || pubk->keyType == dsaKey) { 7035 *preferSha1 = SECKEY_PublicKeyStrength(pubk) <= 128; 7036 } else { 7037 *preferSha1 = PR_FALSE; 7038 } 7039 7040 done: 7041 if (pubk) 7042 SECKEY_DestroyPublicKey(pubk); 7043 return rv; 7044 } 7045 7046 /* Destroys the backup handshake hash context if we don't need it. Note that 7047 * this function selects the hash algorithm for client authentication 7048 * signatures; ssl3_SendCertificateVerify uses the presence of the backup hash 7049 * to determine whether to use SHA-1 or SHA-256. */ 7050 static void 7051 ssl3_DestroyBackupHandshakeHashIfNotNeeded(sslSocket *ss, 7052 const SECItem *algorithms) 7053 { 7054 SECStatus rv; 7055 TLSSignatureAlgorithm sigAlg; 7056 PRBool preferSha1; 7057 PRBool supportsSha1 = PR_FALSE; 7058 PRBool supportsSha256 = PR_FALSE; 7059 PRBool needBackupHash = PR_FALSE; 7060 unsigned int i; 7061 7062 PORT_Assert(ss->ssl3.hs.md5); 7063 7064 /* Determine the key's signature algorithm and whether it prefers SHA-1. */ 7065 rv = ssl3_ExtractClientKeyInfo(ss, &sigAlg, &preferSha1); 7066 if (rv != SECSuccess) { 7067 goto done; 7068 } 7069 7070 /* Determine the server's hash support for that signature algorithm. */ 7071 for (i = 0; i < algorithms->len; i += 2) { 7072 if (algorithms->data[i+1] == sigAlg) { 7073 if (algorithms->data[i] == tls_hash_sha1) { 7074 supportsSha1 = PR_TRUE; 7075 } else if (algorithms->data[i] == tls_hash_sha256) { 7076 supportsSha256 = PR_TRUE; 7077 } 7078 } 7079 } 7080 7081 /* If either the server does not support SHA-256 or the client key prefers 7082 * SHA-1, leave the backup hash. */ 7083 if (supportsSha1 && (preferSha1 || !supportsSha256)) { 7084 needBackupHash = PR_TRUE; 7085 } 7086 7087 done: 7088 if (!needBackupHash) { 7089 PK11_DestroyContext(ss->ssl3.hs.md5, PR_TRUE); 7090 ss->ssl3.hs.md5 = NULL; 7091 } 7092 } 7093 7094 typedef struct dnameNode { 7095 struct dnameNode *next; 7096 SECItem name; 7097 } dnameNode; 7098 7099 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete 7100 * ssl3 Certificate Request message. 7101 * Caller must hold Handshake and RecvBuf locks. 7102 */ 7103 static SECStatus 7104 ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length) 7105 { 7106 PLArenaPool * arena = NULL; 7107 dnameNode * node; 7108 PRInt32 remaining; 7109 PRBool isTLS = PR_FALSE; 7110 PRBool isTLS12 = PR_FALSE; 7111 int i; 7112 int errCode = SSL_ERROR_RX_MALFORMED_CERT_REQUEST; 7113 int nnames = 0; 7114 SECStatus rv; 7115 SSL3AlertDescription desc = illegal_parameter; 7116 SECItem cert_types = {siBuffer, NULL, 0}; 7117 SECItem algorithms = {siBuffer, NULL, 0}; 7118 CERTDistNames ca_list; 7119 #ifdef NSS_PLATFORM_CLIENT_AUTH 7120 CERTCertList * platform_cert_list = NULL; 7121 CERTCertListNode * certNode = NULL; 7122 #endif /* NSS_PLATFORM_CLIENT_AUTH */ 7123 7124 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake", 7125 SSL_GETPID(), ss->fd)); 7126 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 7127 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 7128 7129 if (ss->ssl3.hs.ws != wait_cert_request && 7130 ss->ssl3.hs.ws != wait_server_key) { 7131 desc = unexpected_message; 7132 errCode = SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST; 7133 goto alert_loser; 7134 } 7135 7136 PORT_Assert(ss->ssl3.clientCertChain == NULL); 7137 PORT_Assert(ss->ssl3.clientCertificate == NULL); 7138 PORT_Assert(ss->ssl3.clientPrivateKey == NULL); 7139 PORT_Assert(ss->ssl3.platformClientKey == (PlatformKey)NULL); 7140 7141 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); 7142 isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); 7143 rv = ssl3_ConsumeHandshakeVariable(ss, &cert_types, 1, &b, &length); 7144 if (rv != SECSuccess) 7145 goto loser; /* malformed, alert has been sent */ 7146 7147 PORT_Assert(!ss->requestedCertTypes); 7148 ss->requestedCertTypes = &cert_types; 7149 7150 if (isTLS12) { 7151 rv = ssl3_ConsumeHandshakeVariable(ss, &algorithms, 2, &b, &length); 7152 if (rv != SECSuccess) 7153 goto loser; /* malformed, alert has been sent */ 7154 /* An empty or odd-length value is invalid. 7155 * SignatureAndHashAlgorithm 7156 * supported_signature_algorithms<2..2^16-2>; 7157 */ 7158 if (algorithms.len == 0 || (algorithms.len & 1) != 0) 7159 goto alert_loser; 7160 } 7161 7162 arena = ca_list.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); 7163 if (arena == NULL) 7164 goto no_mem; 7165 7166 remaining = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); 7167 if (remaining < 0) 7168 goto loser; /* malformed, alert has been sent */ 7169 7170 if ((PRUint32)remaining > length) 7171 goto alert_loser; 7172 7173 ca_list.head = node = PORT_ArenaZNew(arena, dnameNode); 7174 if (node == NULL) 7175 goto no_mem; 7176 7177 while (remaining > 0) { 7178 PRInt32 len; 7179 7180 if (remaining < 2) 7181 goto alert_loser; /* malformed */ 7182 7183 node->name.len = len = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); 7184 if (len <= 0) 7185 goto loser; /* malformed, alert has been sent */ 7186 7187 remaining -= 2; 7188 if (remaining < len) 7189 goto alert_loser; /* malformed */ 7190 7191 node->name.data = b; 7192 b += len; 7193 length -= len; 7194 remaining -= len; 7195 nnames++; 7196 if (remaining <= 0) 7197 break; /* success */ 7198 7199 node->next = PORT_ArenaZNew(arena, dnameNode); 7200 node = node->next; 7201 if (node == NULL) 7202 goto no_mem; 7203 } 7204 7205 ca_list.nnames = nnames; 7206 ca_list.names = PORT_ArenaNewArray(arena, SECItem, nnames); 7207 if (nnames > 0 && ca_list.names == NULL) 7208 goto no_mem; 7209 7210 for(i = 0, node = (dnameNode*)ca_list.head; 7211 i < nnames; 7212 i++, node = node->next) { 7213 ca_list.names[i] = node->name; 7214 } 7215 7216 if (length != 0) 7217 goto alert_loser; /* malformed */ 7218 7219 desc = no_certificate; 7220 ss->ssl3.hs.ws = wait_hello_done; 7221 7222 #ifdef NSS_PLATFORM_CLIENT_AUTH 7223 if (ss->getPlatformClientAuthData != NULL) { 7224 /* XXX Should pass cert_types and algorithms in this call!! */ 7225 rv = (SECStatus)(*ss->getPlatformClientAuthData)( 7226 ss->getPlatformClientAuthDataArg, 7227 ss->fd, &ca_list, 7228 &platform_cert_list, 7229 (void**)&ss->ssl3.platformClientKey, 7230 &ss->ssl3.clientCertificate, 7231 &ss->ssl3.clientPrivateKey); 7232 } else 7233 #endif 7234 if (ss->getClientAuthData != NULL) { 7235 /* XXX Should pass cert_types and algorithms in this call!! */ 7236 rv = (SECStatus)(*ss->getClientAuthData)(ss->getClientAuthDataArg, 7237 ss->fd, &ca_list, 7238 &ss->ssl3.clientCertificate, 7239 &ss->ssl3.clientPrivateKey); 7240 } else { 7241 rv = SECFailure; /* force it to send a no_certificate alert */ 7242 } 7243 7244 switch (rv) { 7245 case SECWouldBlock: /* getClientAuthData has put up a dialog box. */ 7246 ssl3_SetAlwaysBlock(ss); 7247 break; /* not an error */ 7248 7249 case SECSuccess: 7250 #ifdef NSS_PLATFORM_CLIENT_AUTH 7251 if (!platform_cert_list || CERT_LIST_EMPTY(platform_cert_list) || 7252 !ss->ssl3.platformClientKey) { 7253 if (platform_cert_list) { 7254 CERT_DestroyCertList(platform_cert_list); 7255 platform_cert_list = NULL; 7256 } 7257 if (ss->ssl3.platformClientKey) { 7258 ssl_FreePlatformKey(ss->ssl3.platformClientKey); 7259 ss->ssl3.platformClientKey = (PlatformKey)NULL; 7260 } 7261 /* Fall through to NSS client auth check */ 7262 } else { 7263 certNode = CERT_LIST_HEAD(platform_cert_list); 7264 ss->ssl3.clientCertificate = CERT_DupCertificate(certNode->cert); 7265 7266 /* Setting ssl3.clientCertChain non-NULL will cause 7267 * ssl3_HandleServerHelloDone to call SendCertificate. 7268 * Note: clientCertChain should include the EE cert as 7269 * clientCertificate is ignored during the actual sending 7270 */ 7271 ss->ssl3.clientCertChain = 7272 hack_NewCertificateListFromCertList(platform_cert_list); 7273 CERT_DestroyCertList(platform_cert_list); 7274 platform_cert_list = NULL; 7275 if (ss->ssl3.clientCertChain == NULL) { 7276 if (ss->ssl3.clientCertificate != NULL) { 7277 CERT_DestroyCertificate(ss->ssl3.clientCertificate); 7278 ss->ssl3.clientCertificate = NULL; 7279 } 7280 if (ss->ssl3.platformClientKey) { 7281 ssl_FreePlatformKey(ss->ssl3.platformClientKey); 7282 ss->ssl3.platformClientKey = (PlatformKey)NULL; 7283 } 7284 goto send_no_certificate; 7285 } 7286 if (isTLS12) { 7287 ssl3_DestroyBackupHandshakeHashIfNotNeeded(ss, &algorithms); 7288 } 7289 break; /* not an error */ 7290 } 7291 #endif /* NSS_PLATFORM_CLIENT_AUTH */ 7292 /* check what the callback function returned */ 7293 if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) { 7294 /* we are missing either the key or cert */ 7295 if (ss->ssl3.clientCertificate) { 7296 /* got a cert, but no key - free it */ 7297 CERT_DestroyCertificate(ss->ssl3.clientCertificate); 7298 ss->ssl3.clientCertificate = NULL; 7299 } 7300 if (ss->ssl3.clientPrivateKey) { 7301 /* got a key, but no cert - free it */ 7302 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); 7303 ss->ssl3.clientPrivateKey = NULL; 7304 } 7305 goto send_no_certificate; 7306 } 7307 /* Setting ssl3.clientCertChain non-NULL will cause 7308 * ssl3_HandleServerHelloDone to call SendCertificate. 7309 */ 7310 ss->ssl3.clientCertChain = CERT_CertChainFromCert( 7311 ss->ssl3.clientCertificate, 7312 certUsageSSLClient, PR_FALSE); 7313 if (ss->ssl3.clientCertChain == NULL) { 7314 if (ss->ssl3.clientCertificate != NULL) { 7315 CERT_DestroyCertificate(ss->ssl3.clientCertificate); 7316 ss->ssl3.clientCertificate = NULL; 7317 } 7318 if (ss->ssl3.clientPrivateKey != NULL) { 7319 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); 7320 ss->ssl3.clientPrivateKey = NULL; 7321 } 7322 goto send_no_certificate; 7323 } 7324 if (isTLS12) { 7325 ssl3_DestroyBackupHandshakeHashIfNotNeeded(ss, &algorithms); 7326 } 7327 break; /* not an error */ 7328 7329 case SECFailure: 7330 default: 7331 send_no_certificate: 7332 if (isTLS) { 7333 ss->ssl3.sendEmptyCert = PR_TRUE; 7334 } else { 7335 (void)SSL3_SendAlert(ss, alert_warning, no_certificate); 7336 } 7337 rv = SECSuccess; 7338 break; 7339 } 7340 goto done; 7341 7342 no_mem: 7343 rv = SECFailure; 7344 PORT_SetError(SEC_ERROR_NO_MEMORY); 7345 goto done; 7346 7347 alert_loser: 7348 if (isTLS && desc == illegal_parameter) 7349 desc = decode_error; 7350 (void)SSL3_SendAlert(ss, alert_fatal, desc); 7351 loser: 7352 PORT_SetError(errCode); 7353 rv = SECFailure; 7354 done: 7355 ss->requestedCertTypes = NULL; 7356 if (arena != NULL) 7357 PORT_FreeArena(arena, PR_FALSE); 7358 #ifdef NSS_PLATFORM_CLIENT_AUTH 7359 if (platform_cert_list) 7360 CERT_DestroyCertList(platform_cert_list); 7361 #endif 7362 return rv; 7363 } 7364 7365 /* 7366 * attempt to restart the handshake after asynchronously handling 7367 * a request for the client's certificate. 7368 * 7369 * inputs: 7370 * cert Client cert chosen by application. 7371 * Note: ssl takes this reference, and does not bump the 7372 * reference count. The caller should drop its reference 7373 * without calling CERT_DestroyCert after calling this function. 7374 * 7375 * key Private key associated with cert. This function takes 7376 * ownership of the private key, so the caller should drop its 7377 * reference without destroying the private key after this 7378 * function returns. 7379 * 7380 * certChain DER-encoded certs, client cert and its signers. 7381 * Note: ssl takes this reference, and does not copy the chain. 7382 * The caller should drop its reference without destroying the 7383 * chain. SSL will free the chain when it is done with it. 7384 * 7385 * Return value: XXX 7386 * 7387 * XXX This code only works on the initial handshake on a connection, XXX 7388 * It does not work on a subsequent handshake (redo). 7389 * 7390 * Caller holds 1stHandshakeLock. 7391 */ 7392 SECStatus 7393 ssl3_RestartHandshakeAfterCertReq(sslSocket * ss, 7394 CERTCertificate * cert, 7395 SECKEYPrivateKey * key, 7396 CERTCertificateList *certChain) 7397 { 7398 SECStatus rv = SECSuccess; 7399 7400 /* XXX This code only works on the initial handshake on a connection, 7401 ** XXX It does not work on a subsequent handshake (redo). 7402 */ 7403 if (ss->handshake != 0) { 7404 ss->handshake = ssl_GatherRecord1stHandshake; 7405 ss->ssl3.clientCertificate = cert; 7406 ss->ssl3.clientPrivateKey = key; 7407 ss->ssl3.clientCertChain = certChain; 7408 if (!cert || !key || !certChain) { 7409 /* we are missing the key, cert, or cert chain */ 7410 if (ss->ssl3.clientCertificate) { 7411 CERT_DestroyCertificate(ss->ssl3.clientCertificate); 7412 ss->ssl3.clientCertificate = NULL; 7413 } 7414 if (ss->ssl3.clientPrivateKey) { 7415 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); 7416 ss->ssl3.clientPrivateKey = NULL; 7417 } 7418 if (ss->ssl3.clientCertChain != NULL) { 7419 CERT_DestroyCertificateList(ss->ssl3.clientCertChain); 7420 ss->ssl3.clientCertChain = NULL; 7421 } 7422 if (ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0) { 7423 ss->ssl3.sendEmptyCert = PR_TRUE; 7424 } else { 7425 (void)SSL3_SendAlert(ss, alert_warning, no_certificate); 7426 } 7427 } 7428 } else { 7429 if (cert) { 7430 CERT_DestroyCertificate(cert); 7431 } 7432 if (key) { 7433 SECKEY_DestroyPrivateKey(key); 7434 } 7435 if (certChain) { 7436 CERT_DestroyCertificateList(certChain); 7437 } 7438 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 7439 rv = SECFailure; 7440 } 7441 return rv; 7442 } 7443 7444 static SECStatus 7445 ssl3_CheckFalseStart(sslSocket *ss) 7446 { 7447 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 7448 PORT_Assert( !ss->ssl3.hs.authCertificatePending ); 7449 PORT_Assert( !ss->ssl3.hs.canFalseStart ); 7450 7451 if (!ss->canFalseStartCallback) { 7452 SSL_TRC(3, ("%d: SSL[%d]: no false start callback so no false start", 7453 SSL_GETPID(), ss->fd)); 7454 } else { 7455 PRBool maybeFalseStart; 7456 SECStatus rv; 7457 7458 /* An attacker can control the selected ciphersuite so we only wish to 7459 * do False Start in the case that the selected ciphersuite is 7460 * sufficiently strong that the attack can gain no advantage. 7461 * Therefore we always require an 80-bit cipher. */ 7462 ssl_GetSpecReadLock(ss); 7463 maybeFalseStart = ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10; 7464 ssl_ReleaseSpecReadLock(ss); 7465 7466 if (!maybeFalseStart) { 7467 SSL_TRC(3, ("%d: SSL[%d]: no false start due to weak cipher", 7468 SSL_GETPID(), ss->fd)); 7469 } else { 7470 rv = (ss->canFalseStartCallback)(ss->fd, 7471 ss->canFalseStartCallbackData, 7472 &ss->ssl3.hs.canFalseStart); 7473 if (rv == SECSuccess) { 7474 SSL_TRC(3, ("%d: SSL[%d]: false start callback returned %s", 7475 SSL_GETPID(), ss->fd, 7476 ss->ssl3.hs.canFalseStart ? "TRUE" : "FALSE")); 7477 } else { 7478 SSL_TRC(3, ("%d: SSL[%d]: false start callback failed (%s)", 7479 SSL_GETPID(), ss->fd, 7480 PR_ErrorToName(PR_GetError()))); 7481 } 7482 return rv; 7483 } 7484 } 7485 7486 ss->ssl3.hs.canFalseStart = PR_FALSE; 7487 return SECSuccess; 7488 } 7489 7490 PRBool 7491 ssl3_WaitingForStartOfServerSecondRound(sslSocket *ss) 7492 { 7493 PRBool result; 7494 7495 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 7496 7497 switch (ss->ssl3.hs.ws) { 7498 case wait_new_session_ticket: 7499 result = PR_TRUE; 7500 break; 7501 case wait_change_cipher: 7502 result = !ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn); 7503 break; 7504 default: 7505 result = PR_FALSE; 7506 break; 7507 } 7508 7509 return result; 7510 } 7511 7512 static SECStatus ssl3_SendClientSecondRound(sslSocket *ss); 7513 7514 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete 7515 * ssl3 Server Hello Done message. 7516 * Caller must hold Handshake and RecvBuf locks. 7517 */ 7518 static SECStatus 7519 ssl3_HandleServerHelloDone(sslSocket *ss) 7520 { 7521 SECStatus rv; 7522 SSL3WaitState ws = ss->ssl3.hs.ws; 7523 7524 SSL_TRC(3, ("%d: SSL3[%d]: handle server_hello_done handshake", 7525 SSL_GETPID(), ss->fd)); 7526 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 7527 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 7528 7529 if (ws != wait_hello_done && 7530 ws != wait_server_cert && 7531 ws != wait_server_key && 7532 ws != wait_cert_request) { 7533 SSL3_SendAlert(ss, alert_fatal, unexpected_message); 7534 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE); 7535 return SECFailure; 7536 } 7537 7538 rv = ssl3_SendClientSecondRound(ss); 7539 7540 return rv; 7541 } 7542 7543 /* Called from ssl3_HandleServerHelloDone and ssl3_AuthCertificateComplete. 7544 * 7545 * Caller must hold Handshake and RecvBuf locks. 7546 */ 7547 static SECStatus 7548 ssl3_SendClientSecondRound(sslSocket *ss) 7549 { 7550 SECStatus rv; 7551 PRBool sendClientCert; 7552 7553 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 7554 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 7555 7556 sendClientCert = !ss->ssl3.sendEmptyCert && 7557 ss->ssl3.clientCertChain != NULL && 7558 (ss->ssl3.platformClientKey || 7559 ss->ssl3.clientPrivateKey != NULL); 7560 7561 if (!sendClientCert && 7562 ss->ssl3.hs.hashType == handshake_hash_single && ss->ssl3.hs.md5) { 7563 /* Don't need the backup handshake hash. */ 7564 PK11_DestroyContext(ss->ssl3.hs.md5, PR_TRUE); 7565 ss->ssl3.hs.md5 = NULL; 7566 } 7567 7568 /* We must wait for the server's certificate to be authenticated before 7569 * sending the client certificate in order to disclosing the client 7570 * certificate to an attacker that does not have a valid cert for the 7571 * domain we are connecting to. 7572 * 7573 * XXX: We should do the same for the NPN extension, but for that we 7574 * need an option to give the application the ability to leak the NPN 7575 * information to get better performance. 7576 * 7577 * During the initial handshake on a connection, we never send/receive 7578 * application data until we have authenticated the server's certificate; 7579 * i.e. we have fully authenticated the handshake before using the cipher 7580 * specs agreed upon for that handshake. During a renegotiation, we may 7581 * continue sending and receiving application data during the handshake 7582 * interleaved with the handshake records. If we were to send the client's 7583 * second round for a renegotiation before the server's certificate was 7584 * authenticated, then the application data sent/received after this point 7585 * would be using cipher spec that hadn't been authenticated. By waiting 7586 * until the server's certificate has been authenticated during 7587 * renegotiations, we ensure that renegotiations have the same property 7588 * as initial handshakes; i.e. we have fully authenticated the handshake 7589 * before using the cipher specs agreed upon for that handshake for 7590 * application data. 7591 */ 7592 if (ss->ssl3.hs.restartTarget) { 7593 PR_NOT_REACHED("unexpected ss->ssl3.hs.restartTarget"); 7594 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 7595 return SECFailure; 7596 } 7597 if (ss->ssl3.hs.authCertificatePending && 7598 (sendClientCert || ss->ssl3.sendEmptyCert || ss->firstHsDone)) { 7599 SSL_TRC(3, ("%d: SSL3[%p]: deferring ssl3_SendClientSecondRound because" 7600 " certificate authentication is still pending.", 7601 SSL_GETPID(), ss->fd)); 7602 ss->ssl3.hs.restartTarget = ssl3_SendClientSecondRound; 7603 return SECWouldBlock; 7604 } 7605 7606 ssl_GetXmitBufLock(ss); /*******************************/ 7607 7608 if (ss->ssl3.sendEmptyCert) { 7609 ss->ssl3.sendEmptyCert = PR_FALSE; 7610 rv = ssl3_SendEmptyCertificate(ss); 7611 /* Don't send verify */ 7612 if (rv != SECSuccess) { 7613 goto loser; /* error code is set. */ 7614 } 7615 } else if (sendClientCert) { 7616 rv = ssl3_SendCertificate(ss); 7617 if (rv != SECSuccess) { 7618 goto loser; /* error code is set. */ 7619 } 7620 } 7621 7622 rv = ssl3_SendClientKeyExchange(ss); 7623 if (rv != SECSuccess) { 7624 goto loser; /* err is set. */ 7625 } 7626 7627 if (sendClientCert) { 7628 rv = ssl3_SendCertificateVerify(ss); 7629 if (rv != SECSuccess) { 7630 goto loser; /* err is set. */ 7631 } 7632 } 7633 7634 rv = ssl3_SendChangeCipherSpecs(ss); 7635 if (rv != SECSuccess) { 7636 goto loser; /* err code was set. */ 7637 } 7638 7639 /* This must be done after we've set ss->ssl3.cwSpec in 7640 * ssl3_SendChangeCipherSpecs because SSL_GetChannelInfo uses information 7641 * from cwSpec. This must be done before we call ssl3_CheckFalseStart 7642 * because the false start callback (if any) may need the information from 7643 * the functions that depend on this being set. 7644 */ 7645 ss->enoughFirstHsDone = PR_TRUE; 7646 7647 if (!ss->firstHsDone) { 7648 /* XXX: If the server's certificate hasn't been authenticated by this 7649 * point, then we may be leaking this NPN message to an attacker. 7650 */ 7651 rv = ssl3_SendNextProto(ss); 7652 if (rv != SECSuccess) { 7653 goto loser; /* err code was set. */ 7654 } 7655 } 7656 7657 rv = ssl3_SendEncryptedExtensions(ss); 7658 if (rv != SECSuccess) { 7659 goto loser; /* err code was set. */ 7660 } 7661 7662 if (!ss->firstHsDone) { 7663 if (ss->opt.enableFalseStart) { 7664 if (!ss->ssl3.hs.authCertificatePending) { 7665 /* When we fix bug 589047, we will need to know whether we are 7666 * false starting before we try to flush the client second 7667 * round to the network. With that in mind, we purposefully 7668 * call ssl3_CheckFalseStart before calling ssl3_SendFinished, 7669 * which includes a call to ssl3_FlushHandshake, so that 7670 * no application develops a reliance on such flushing being 7671 * done before its false start callback is called. 7672 */ 7673 ssl_ReleaseXmitBufLock(ss); 7674 rv = ssl3_CheckFalseStart(ss); 7675 ssl_GetXmitBufLock(ss); 7676 if (rv != SECSuccess) { 7677 goto loser; 7678 } 7679 } else { 7680 /* The certificate authentication and the server's Finished 7681 * message are racing each other. If the certificate 7682 * authentication wins, then we will try to false start in 7683 * ssl3_AuthCertificateComplete. 7684 */ 7685 SSL_TRC(3, ("%d: SSL3[%p]: deferring false start check because" 7686 " certificate authentication is still pending.", 7687 SSL_GETPID(), ss->fd)); 7688 } 7689 } 7690 } 7691 7692 rv = ssl3_SendFinished(ss, 0); 7693 if (rv != SECSuccess) { 7694 goto loser; /* err code was set. */ 7695 } 7696 7697 ssl_ReleaseXmitBufLock(ss); /*******************************/ 7698 7699 if (!ss->ssl3.hs.isResuming && 7700 ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn)) { 7701 /* If we are negotiating ChannelID on a full handshake then we record 7702 * the handshake hashes in |sid| at this point. They will be needed in 7703 * the event that we resume this session and use ChannelID on the 7704 * resumption handshake. */ 7705 SSL3Hashes hashes; 7706 SECItem *originalHandshakeHash = 7707 &ss->sec.ci.sid->u.ssl3.originalHandshakeHash; 7708 PORT_Assert(ss->sec.ci.sid->cached == never_cached); 7709 7710 ssl_GetSpecReadLock(ss); 7711 PORT_Assert(ss->version > SSL_LIBRARY_VERSION_3_0); 7712 rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.cwSpec, &hashes, 0); 7713 ssl_ReleaseSpecReadLock(ss); 7714 if (rv != SECSuccess) { 7715 return rv; 7716 } 7717 7718 PORT_Assert(originalHandshakeHash->len == 0); 7719 originalHandshakeHash->data = PORT_Alloc(hashes.len); 7720 if (!originalHandshakeHash->data) 7721 return SECFailure; 7722 originalHandshakeHash->len = hashes.len; 7723 memcpy(originalHandshakeHash->data, hashes.u.raw, hashes.len); 7724 } 7725 7726 if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn)) 7727 ss->ssl3.hs.ws = wait_new_session_ticket; 7728 else 7729 ss->ssl3.hs.ws = wait_change_cipher; 7730 7731 PORT_Assert(ssl3_WaitingForStartOfServerSecondRound(ss)); 7732 7733 return SECSuccess; 7734 7735 loser: 7736 ssl_ReleaseXmitBufLock(ss); 7737 return rv; 7738 } 7739 7740 /* 7741 * Routines used by servers 7742 */ 7743 static SECStatus 7744 ssl3_SendHelloRequest(sslSocket *ss) 7745 { 7746 SECStatus rv; 7747 7748 SSL_TRC(3, ("%d: SSL3[%d]: send hello_request handshake", SSL_GETPID(), 7749 ss->fd)); 7750 7751 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 7752 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); 7753 7754 rv = ssl3_AppendHandshakeHeader(ss, hello_request, 0); 7755 if (rv != SECSuccess) { 7756 return rv; /* err set by AppendHandshake */ 7757 } 7758 rv = ssl3_FlushHandshake(ss, 0); 7759 if (rv != SECSuccess) { 7760 return rv; /* error code set by ssl3_FlushHandshake */ 7761 } 7762 ss->ssl3.hs.ws = wait_client_hello; 7763 return SECSuccess; 7764 } 7765 7766 /* 7767 * Called from: 7768 * ssl3_HandleClientHello() 7769 */ 7770 static SECComparison 7771 ssl3_ServerNameCompare(const SECItem *name1, const SECItem *name2) 7772 { 7773 if (!name1 != !name2) { 7774 return SECLessThan; 7775 } 7776 if (!name1) { 7777 return SECEqual; 7778 } 7779 if (name1->type != name2->type) { 7780 return SECLessThan; 7781 } 7782 return SECITEM_CompareItem(name1, name2); 7783 } 7784 7785 /* Sets memory error when returning NULL. 7786 * Called from: 7787 * ssl3_SendClientHello() 7788 * ssl3_HandleServerHello() 7789 * ssl3_HandleClientHello() 7790 * ssl3_HandleV2ClientHello() 7791 */ 7792 sslSessionID * 7793 ssl3_NewSessionID(sslSocket *ss, PRBool is_server) 7794 { 7795 sslSessionID *sid; 7796 7797 sid = PORT_ZNew(sslSessionID); 7798 if (sid == NULL) 7799 return sid; 7800 7801 if (is_server) { 7802 const SECItem * srvName; 7803 SECStatus rv = SECSuccess; 7804 7805 ssl_GetSpecReadLock(ss); /********************************/ 7806 srvName = &ss->ssl3.prSpec->srvVirtName; 7807 if (srvName->len && srvName->data) { 7808 rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.srvName, srvName); 7809 } 7810 ssl_ReleaseSpecReadLock(ss); /************************************/ 7811 if (rv != SECSuccess) { 7812 PORT_Free(sid); 7813 return NULL; 7814 } 7815 } 7816 sid->peerID = (ss->peerID == NULL) ? NULL : PORT_Strdup(ss->peerID); 7817 sid->urlSvrName = (ss->url == NULL) ? NULL : PORT_Strdup(ss->url); 7818 sid->addr = ss->sec.ci.peer; 7819 sid->port = ss->sec.ci.port; 7820 sid->references = 1; 7821 sid->cached = never_cached; 7822 sid->version = ss->version; 7823 7824 sid->u.ssl3.keys.resumable = PR_TRUE; 7825 sid->u.ssl3.policy = SSL_ALLOWED; 7826 sid->u.ssl3.clientWriteKey = NULL; 7827 sid->u.ssl3.serverWriteKey = NULL; 7828 7829 if (is_server) { 7830 SECStatus rv; 7831 int pid = SSL_GETPID(); 7832 7833 sid->u.ssl3.sessionIDLength = SSL3_SESSIONID_BYTES; 7834 sid->u.ssl3.sessionID[0] = (pid >> 8) & 0xff; 7835 sid->u.ssl3.sessionID[1] = pid & 0xff; 7836 rv = PK11_GenerateRandom(sid->u.ssl3.sessionID + 2, 7837 SSL3_SESSIONID_BYTES -2); 7838 if (rv != SECSuccess) { 7839 ssl_FreeSID(sid); 7840 ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE); 7841 return NULL; 7842 } 7843 } 7844 return sid; 7845 } 7846 7847 /* Called from: ssl3_HandleClientHello, ssl3_HandleV2ClientHello */ 7848 static SECStatus 7849 ssl3_SendServerHelloSequence(sslSocket *ss) 7850 { 7851 const ssl3KEADef *kea_def; 7852 SECStatus rv; 7853 7854 SSL_TRC(3, ("%d: SSL3[%d]: begin send server_hello sequence", 7855 SSL_GETPID(), ss->fd)); 7856 7857 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 7858 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); 7859 7860 rv = ssl3_SendServerHello(ss); 7861 if (rv != SECSuccess) { 7862 return rv; /* err code is set. */ 7863 } 7864 rv = ssl3_SendCertificate(ss); 7865 if (rv != SECSuccess) { 7866 return rv; /* error code is set. */ 7867 } 7868 rv = ssl3_SendCertificateStatus(ss); 7869 if (rv != SECSuccess) { 7870 return rv; /* error code is set. */ 7871 } 7872 /* We have to do this after the call to ssl3_SendServerHello, 7873 * because kea_def is set up by ssl3_SendServerHello(). 7874 */ 7875 kea_def = ss->ssl3.hs.kea_def; 7876 ss->ssl3.hs.usedStepDownKey = PR_FALSE; 7877 7878 if (kea_def->is_limited && kea_def->exchKeyType == kt_rsa) { 7879 /* see if we can legally use the key in the cert. */ 7880 int keyLen; /* bytes */ 7881 7882 keyLen = PK11_GetPrivateModulusLen( 7883 ss->serverCerts[kea_def->exchKeyType].SERVERKEY); 7884 7885 if (keyLen > 0 && 7886 keyLen * BPB <= kea_def->key_size_limit ) { 7887 /* XXX AND cert is not signing only!! */ 7888 /* just fall through and use it. */ 7889 } else if (ss->stepDownKeyPair != NULL) { 7890 ss->ssl3.hs.usedStepDownKey = PR_TRUE; 7891 rv = ssl3_SendServerKeyExchange(ss); 7892 if (rv != SECSuccess) { 7893 return rv; /* err code was set. */ 7894 } 7895 } else { 7896 #ifndef HACKED_EXPORT_SERVER 7897 PORT_SetError(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED); 7898 return rv; 7899 #endif 7900 } 7901 #ifdef NSS_ENABLE_ECC 7902 } else if ((kea_def->kea == kea_ecdhe_rsa) || 7903 (kea_def->kea == kea_ecdhe_ecdsa)) { 7904 rv = ssl3_SendServerKeyExchange(ss); 7905 if (rv != SECSuccess) { 7906 return rv; /* err code was set. */ 7907 } 7908 #endif /* NSS_ENABLE_ECC */ 7909 } 7910 7911 if (ss->opt.requestCertificate) { 7912 rv = ssl3_SendCertificateRequest(ss); 7913 if (rv != SECSuccess) { 7914 return rv; /* err code is set. */ 7915 } 7916 } 7917 rv = ssl3_SendServerHelloDone(ss); 7918 if (rv != SECSuccess) { 7919 return rv; /* err code is set. */ 7920 } 7921 7922 ss->ssl3.hs.ws = (ss->opt.requestCertificate) ? wait_client_cert 7923 : wait_client_key; 7924 return SECSuccess; 7925 } 7926 7927 /* An empty TLS Renegotiation Info (RI) extension */ 7928 static const PRUint8 emptyRIext[5] = {0xff, 0x01, 0x00, 0x01, 0x00}; 7929 7930 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete 7931 * ssl3 Client Hello message. 7932 * Caller must hold Handshake and RecvBuf locks. 7933 */ 7934 static SECStatus 7935 ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) 7936 { 7937 sslSessionID * sid = NULL; 7938 PRInt32 tmp; 7939 unsigned int i; 7940 int j; 7941 SECStatus rv; 7942 int errCode = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO; 7943 SSL3AlertDescription desc = illegal_parameter; 7944 SSL3AlertLevel level = alert_fatal; 7945 SSL3ProtocolVersion version; 7946 SECItem sidBytes = {siBuffer, NULL, 0}; 7947 SECItem cookieBytes = {siBuffer, NULL, 0}; 7948 SECItem suites = {siBuffer, NULL, 0}; 7949 SECItem comps = {siBuffer, NULL, 0}; 7950 PRBool haveSpecWriteLock = PR_FALSE; 7951 PRBool haveXmitBufLock = PR_FALSE; 7952 7953 SSL_TRC(3, ("%d: SSL3[%d]: handle client_hello handshake", 7954 SSL_GETPID(), ss->fd)); 7955 7956 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 7957 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 7958 PORT_Assert( ss->ssl3.initialized ); 7959 7960 /* Get peer name of client */ 7961 rv = ssl_GetPeerInfo(ss); 7962 if (rv != SECSuccess) { 7963 return rv; /* error code is set. */ 7964 } 7965 7966 /* Clearing the handshake pointers so that ssl_Do1stHandshake won't 7967 * call ssl2_HandleMessage. 7968 * 7969 * The issue here is that TLS ordinarily starts out in 7970 * ssl2_HandleV3HandshakeRecord() because of the backward-compatibility 7971 * code paths. That function zeroes these next pointers. But with DTLS, 7972 * we don't even try to do the v2 ClientHello so we skip that function 7973 * and need to reset these values here. 7974 */ 7975 if (IS_DTLS(ss)) { 7976 ss->nextHandshake = 0; 7977 ss->securityHandshake = 0; 7978 } 7979 7980 /* We might be starting session renegotiation in which case we should 7981 * clear previous state. 7982 */ 7983 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData)); 7984 ss->statelessResume = PR_FALSE; 7985 7986 if ((ss->ssl3.hs.ws != wait_client_hello) && 7987 (ss->ssl3.hs.ws != idle_handshake)) { 7988 desc = unexpected_message; 7989 errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO; 7990 goto alert_loser; 7991 } 7992 if (ss->ssl3.hs.ws == idle_handshake && 7993 ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) { 7994 desc = no_renegotiation; 7995 level = alert_warning; 7996 errCode = SSL_ERROR_RENEGOTIATION_NOT_ALLOWED; 7997 goto alert_loser; 7998 } 7999 8000 if (IS_DTLS(ss)) { 8001 dtls_RehandshakeCleanup(ss); 8002 } 8003 8004 tmp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); 8005 if (tmp < 0) 8006 goto loser; /* malformed, alert already sent */ 8007 8008 /* Translate the version */ 8009 if (IS_DTLS(ss)) { 8010 ss->clientHelloVersion = version = 8011 dtls_DTLSVersionToTLSVersion((SSL3ProtocolVersion)tmp); 8012 } else { 8013 ss->clientHelloVersion = version = (SSL3ProtocolVersion)tmp; 8014 } 8015 8016 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE); 8017 if (rv != SECSuccess) { 8018 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version 8019 : handshake_failure; 8020 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; 8021 goto alert_loser; 8022 } 8023 8024 rv = ssl3_InitHandshakeHashes(ss); 8025 if (rv != SECSuccess) { 8026 desc = internal_error; 8027 errCode = PORT_GetError(); 8028 goto alert_loser; 8029 } 8030 8031 /* grab the client random data. */ 8032 rv = ssl3_ConsumeHandshake( 8033 ss, &ss->ssl3.hs.client_random, SSL3_RANDOM_LENGTH, &b, &length); 8034 if (rv != SECSuccess) { 8035 goto loser; /* malformed */ 8036 } 8037 8038 /* grab the client's SID, if present. */ 8039 rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length); 8040 if (rv != SECSuccess) { 8041 goto loser; /* malformed */ 8042 } 8043 8044 /* grab the client's cookie, if present. */ 8045 if (IS_DTLS(ss)) { 8046 rv = ssl3_ConsumeHandshakeVariable(ss, &cookieBytes, 1, &b, &length); 8047 if (rv != SECSuccess) { 8048 goto loser; /* malformed */ 8049 } 8050 } 8051 8052 /* grab the list of cipher suites. */ 8053 rv = ssl3_ConsumeHandshakeVariable(ss, &suites, 2, &b, &length); 8054 if (rv != SECSuccess) { 8055 goto loser; /* malformed */ 8056 } 8057 8058 /* If the ClientHello version is less than our maximum version, check for a 8059 * TLS_FALLBACK_SCSV and reject the connection if found. */ 8060 if (ss->vrange.max > ss->clientHelloVersion) { 8061 for (i = 0; i + 1 < suites.len; i += 2) { 8062 PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1]; 8063 if (suite_i != TLS_FALLBACK_SCSV) 8064 continue; 8065 desc = inappropriate_fallback; 8066 errCode = SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT; 8067 goto alert_loser; 8068 } 8069 } 8070 8071 /* grab the list of compression methods. */ 8072 rv = ssl3_ConsumeHandshakeVariable(ss, &comps, 1, &b, &length); 8073 if (rv != SECSuccess) { 8074 goto loser; /* malformed */ 8075 } 8076 8077 desc = handshake_failure; 8078 8079 /* Handle TLS hello extensions for SSL3 & TLS. We do not know if 8080 * we are restarting a previous session until extensions have been 8081 * parsed, since we might have received a SessionTicket extension. 8082 * Note: we allow extensions even when negotiating SSL3 for the sake 8083 * of interoperability (and backwards compatibility). 8084 */ 8085 8086 if (length) { 8087 /* Get length of hello extensions */ 8088 PRInt32 extension_length; 8089 extension_length = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); 8090 if (extension_length < 0) { 8091 goto loser; /* alert already sent */ 8092 } 8093 if (extension_length != length) { 8094 ssl3_DecodeError(ss); /* send alert */ 8095 goto loser; 8096 } 8097 rv = ssl3_HandleHelloExtensions(ss, &b, &length); 8098 if (rv != SECSuccess) { 8099 goto loser; /* malformed */ 8100 } 8101 } 8102 if (!ssl3_ExtensionNegotiated(ss, ssl_renegotiation_info_xtn)) { 8103 /* If we didn't receive an RI extension, look for the SCSV, 8104 * and if found, treat it just like an empty RI extension 8105 * by processing a local copy of an empty RI extension. 8106 */ 8107 for (i = 0; i + 1 < suites.len; i += 2) { 8108 PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1]; 8109 if (suite_i == TLS_EMPTY_RENEGOTIATION_INFO_SCSV) { 8110 SSL3Opaque * b2 = (SSL3Opaque *)emptyRIext; 8111 PRUint32 L2 = sizeof emptyRIext; 8112 (void)ssl3_HandleHelloExtensions(ss, &b2, &L2); 8113 break; 8114 } 8115 } 8116 } 8117 if (ss->firstHsDone && 8118 (ss->opt.enableRenegotiation == SSL_RENEGOTIATE_REQUIRES_XTN || 8119 ss->opt.enableRenegotiation == SSL_RENEGOTIATE_TRANSITIONAL) && 8120 !ssl3_ExtensionNegotiated(ss, ssl_renegotiation_info_xtn)) { 8121 desc = no_renegotiation; 8122 level = alert_warning; 8123 errCode = SSL_ERROR_RENEGOTIATION_NOT_ALLOWED; 8124 goto alert_loser; 8125 } 8126 if ((ss->opt.requireSafeNegotiation || 8127 (ss->firstHsDone && ss->peerRequestedProtection)) && 8128 !ssl3_ExtensionNegotiated(ss, ssl_renegotiation_info_xtn)) { 8129 desc = handshake_failure; 8130 errCode = SSL_ERROR_UNSAFE_NEGOTIATION; 8131 goto alert_loser; 8132 } 8133 8134 /* We do stateful resumes only if either of the following 8135 * conditions are satisfied: (1) the client does not support the 8136 * session ticket extension, or (2) the client support the session 8137 * ticket extension, but sent an empty ticket. 8138 */ 8139 if (!ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn) || 8140 ss->xtnData.emptySessionTicket) { 8141 if (sidBytes.len > 0 && !ss->opt.noCache) { 8142 SSL_TRC(7, ("%d: SSL3[%d]: server, lookup client session-id for 0x%08x%08x%08x%08x", 8143 SSL_GETPID(), ss->fd, ss->sec.ci.peer.pr_s6_addr32[0], 8144 ss->sec.ci.peer.pr_s6_addr32[1], 8145 ss->sec.ci.peer.pr_s6_addr32[2], 8146 ss->sec.ci.peer.pr_s6_addr32[3])); 8147 if (ssl_sid_lookup) { 8148 sid = (*ssl_sid_lookup)(&ss->sec.ci.peer, sidBytes.data, 8149 sidBytes.len, ss->dbHandle); 8150 } else { 8151 errCode = SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED; 8152 goto loser; 8153 } 8154 } 8155 } else if (ss->statelessResume) { 8156 /* Fill in the client's session ID if doing a stateless resume. 8157 * (When doing stateless resumes, server echos client's SessionID.) 8158 */ 8159 sid = ss->sec.ci.sid; 8160 PORT_Assert(sid != NULL); /* Should have already been filled in.*/ 8161 8162 if (sidBytes.len > 0 && sidBytes.len <= SSL3_SESSIONID_BYTES) { 8163 sid->u.ssl3.sessionIDLength = sidBytes.len; 8164 PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data, 8165 sidBytes.len); 8166 sid->u.ssl3.sessionIDLength = sidBytes.len; 8167 } else { 8168 sid->u.ssl3.sessionIDLength = 0; 8169 } 8170 ss->sec.ci.sid = NULL; 8171 } 8172 8173 /* We only send a session ticket extension if the client supports 8174 * the extension and we are unable to do either a stateful or 8175 * stateless resume. 8176 * 8177 * TODO: send a session ticket if performing a stateful 8178 * resumption. (As per RFC4507, a server may issue a session 8179 * ticket while doing a (stateless or stateful) session resume, 8180 * but OpenSSL-0.9.8g does not accept session tickets while 8181 * resuming.) 8182 */ 8183 if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn) && sid == NULL) { 8184 ssl3_RegisterServerHelloExtensionSender(ss, 8185 ssl_session_ticket_xtn, ssl3_SendSessionTicketXtn); 8186 } 8187 8188 if (sid != NULL) { 8189 /* We've found a session cache entry for this client. 8190 * Now, if we're going to require a client-auth cert, 8191 * and we don't already have this client's cert in the session cache, 8192 * and this is the first handshake on this connection (not a redo), 8193 * then drop this old cache entry and start a new session. 8194 */ 8195 if ((sid->peerCert == NULL) && ss->opt.requestCertificate && 8196 ((ss->opt.requireCertificate == SSL_REQUIRE_ALWAYS) || 8197 (ss->opt.requireCertificate == SSL_REQUIRE_NO_ERROR) || 8198 ((ss->opt.requireCertificate == SSL_REQUIRE_FIRST_HANDSHAKE) 8199 && !ss->firstHsDone))) { 8200 8201 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_not_ok ); 8202 if (ss->sec.uncache) 8203 ss->sec.uncache(sid); 8204 ssl_FreeSID(sid); 8205 sid = NULL; 8206 } 8207 } 8208 8209 #ifdef NSS_ENABLE_ECC 8210 /* Disable any ECC cipher suites for which we have no cert. */ 8211 ssl3_FilterECCipherSuitesByServerCerts(ss); 8212 #endif 8213 8214 if (IS_DTLS(ss)) { 8215 ssl3_DisableNonDTLSSuites(ss); 8216 } 8217 8218 if (!ssl3_HasGCMSupport()) { 8219 ssl3_DisableGCMSuites(ss); 8220 } 8221 8222 #ifdef PARANOID 8223 /* Look for a matching cipher suite. */ 8224 j = ssl3_config_match_init(ss); 8225 if (j <= 0) { /* no ciphers are working/supported by PK11 */ 8226 errCode = PORT_GetError(); /* error code is already set. */ 8227 goto alert_loser; 8228 } 8229 #endif 8230 8231 /* If we already have a session for this client, be sure to pick the 8232 ** same cipher suite and compression method we picked before. 8233 ** This is not a loop, despite appearances. 8234 */ 8235 if (sid) do { 8236 ssl3CipherSuiteCfg *suite; 8237 #ifdef PARANOID 8238 SSLVersionRange vrange = {ss->version, ss->version}; 8239 #endif 8240 8241 /* Check that the cached compression method is still enabled. */ 8242 if (!compressionEnabled(ss, sid->u.ssl3.compression)) 8243 break; 8244 8245 /* Check that the cached compression method is in the client's list */ 8246 for (i = 0; i < comps.len; i++) { 8247 if (comps.data[i] == sid->u.ssl3.compression) 8248 break; 8249 } 8250 if (i == comps.len) 8251 break; 8252 8253 suite = ss->cipherSuites; 8254 /* Find the entry for the cipher suite used in the cached session. */ 8255 for (j = ssl_V3_SUITES_IMPLEMENTED; j > 0; --j, ++suite) { 8256 if (suite->cipher_suite == sid->u.ssl3.cipherSuite) 8257 break; 8258 } 8259 PORT_Assert(j > 0); 8260 if (j <= 0) 8261 break; 8262 #ifdef PARANOID 8263 /* Double check that the cached cipher suite is still enabled, 8264 * implemented, and allowed by policy. Might have been disabled. 8265 * The product policy won't change during the process lifetime. 8266 * Implemented ("isPresent") shouldn't change for servers. 8267 */ 8268 if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) 8269 break; 8270 #else 8271 if (!suite->enabled) 8272 break; 8273 #endif 8274 /* Double check that the cached cipher suite is in the client's list */ 8275 for (i = 0; i + 1 < suites.len; i += 2) { 8276 PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1]; 8277 if (suite_i == suite->cipher_suite) { 8278 ss->ssl3.hs.cipher_suite = suite->cipher_suite; 8279 ss->ssl3.hs.suite_def = 8280 ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite); 8281 8282 /* Use the cached compression method. */ 8283 ss->ssl3.hs.compression = sid->u.ssl3.compression; 8284 goto compression_found; 8285 } 8286 } 8287 } while (0); 8288 8289 /* START A NEW SESSION */ 8290 8291 #ifndef PARANOID 8292 /* Look for a matching cipher suite. */ 8293 j = ssl3_config_match_init(ss); 8294 if (j <= 0) { /* no ciphers are working/supported by PK11 */ 8295 errCode = PORT_GetError(); /* error code is already set. */ 8296 goto alert_loser; 8297 } 8298 #endif 8299 8300 /* Select a cipher suite. 8301 ** 8302 ** NOTE: This suite selection algorithm should be the same as the one in 8303 ** ssl3_HandleV2ClientHello(). 8304 ** 8305 ** If TLS 1.0 is enabled, we could handle the case where the client 8306 ** offered TLS 1.1 but offered only export cipher suites by choosing TLS 8307 ** 1.0 and selecting one of those export cipher suites. However, a secure 8308 ** TLS 1.1 client should not have export cipher suites enabled at all, 8309 ** and a TLS 1.1 client should definitely not be offering *only* export 8310 ** cipher suites. Therefore, we refuse to negotiate export cipher suites 8311 ** with any client that indicates support for TLS 1.1 or higher when we 8312 ** (the server) have TLS 1.1 support enabled. 8313 */ 8314 for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) { 8315 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j]; 8316 SSLVersionRange vrange = {ss->version, ss->version}; 8317 if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) { 8318 continue; 8319 } 8320 for (i = 0; i + 1 < suites.len; i += 2) { 8321 PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1]; 8322 if (suite_i == suite->cipher_suite) { 8323 ss->ssl3.hs.cipher_suite = suite->cipher_suite; 8324 ss->ssl3.hs.suite_def = 8325 ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite); 8326 goto suite_found; 8327 } 8328 } 8329 } 8330 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; 8331 goto alert_loser; 8332 8333 suite_found: 8334 /* Look for a matching compression algorithm. */ 8335 for (i = 0; i < comps.len; i++) { 8336 if (!compressionEnabled(ss, comps.data[i])) 8337 continue; 8338 for (j = 0; j < compressionMethodsCount; j++) { 8339 if (comps.data[i] == compressions[j]) { 8340 ss->ssl3.hs.compression = 8341 (SSLCompressionMethod)compressions[j]; 8342 goto compression_found; 8343 } 8344 } 8345 } 8346 errCode = SSL_ERROR_NO_COMPRESSION_OVERLAP; 8347 /* null compression must be supported */ 8348 goto alert_loser; 8349 8350 compression_found: 8351 suites.data = NULL; 8352 comps.data = NULL; 8353 8354 ss->sec.send = ssl3_SendApplicationData; 8355 8356 /* If there are any failures while processing the old sid, 8357 * we don't consider them to be errors. Instead, We just behave 8358 * as if the client had sent us no sid to begin with, and make a new one. 8359 */ 8360 if (sid != NULL) do { 8361 ssl3CipherSpec *pwSpec; 8362 SECItem wrappedMS; /* wrapped key */ 8363 8364 if (sid->version != ss->version || 8365 sid->u.ssl3.cipherSuite != ss->ssl3.hs.cipher_suite || 8366 sid->u.ssl3.compression != ss->ssl3.hs.compression) { 8367 break; /* not an error */ 8368 } 8369 8370 if (ss->sec.ci.sid) { 8371 if (ss->sec.uncache) 8372 ss->sec.uncache(ss->sec.ci.sid); 8373 PORT_Assert(ss->sec.ci.sid != sid); /* should be impossible, but ... */ 8374 if (ss->sec.ci.sid != sid) { 8375 ssl_FreeSID(ss->sec.ci.sid); 8376 } 8377 ss->sec.ci.sid = NULL; 8378 } 8379 /* we need to resurrect the master secret.... */ 8380 8381 ssl_GetSpecWriteLock(ss); haveSpecWriteLock = PR_TRUE; 8382 pwSpec = ss->ssl3.pwSpec; 8383 if (sid->u.ssl3.keys.msIsWrapped) { 8384 PK11SymKey * wrapKey; /* wrapping key */ 8385 CK_FLAGS keyFlags = 0; 8386 #ifndef NO_PKCS11_BYPASS 8387 if (ss->opt.bypassPKCS11) { 8388 /* we cannot restart a non-bypass session in a 8389 ** bypass socket. 8390 */ 8391 break; 8392 } 8393 #endif 8394 8395 wrapKey = getWrappingKey(ss, NULL, sid->u.ssl3.exchKeyType, 8396 sid->u.ssl3.masterWrapMech, 8397 ss->pkcs11PinArg); 8398 if (!wrapKey) { 8399 /* we have a SID cache entry, but no wrapping key for it??? */ 8400 break; 8401 } 8402 8403 if (ss->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */ 8404 keyFlags = CKF_SIGN | CKF_VERIFY; 8405 } 8406 8407 wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret; 8408 wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len; 8409 8410 /* unwrap the master secret. */ 8411 pwSpec->master_secret = 8412 PK11_UnwrapSymKeyWithFlags(wrapKey, sid->u.ssl3.masterWrapMech, 8413 NULL, &wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE, 8414 CKA_DERIVE, sizeof(SSL3MasterSecret), keyFlags); 8415 PK11_FreeSymKey(wrapKey); 8416 if (pwSpec->master_secret == NULL) { 8417 break; /* not an error */ 8418 } 8419 #ifndef NO_PKCS11_BYPASS 8420 } else if (ss->opt.bypassPKCS11) { 8421 wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret; 8422 wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len; 8423 memcpy(pwSpec->raw_master_secret, wrappedMS.data, wrappedMS.len); 8424 pwSpec->msItem.data = pwSpec->raw_master_secret; 8425 pwSpec->msItem.len = wrappedMS.len; 8426 #endif 8427 } else { 8428 /* We CAN restart a bypass session in a non-bypass socket. */ 8429 /* need to import the raw master secret to session object */ 8430 PK11SlotInfo * slot; 8431 wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret; 8432 wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len; 8433 slot = PK11_GetInternalSlot(); 8434 pwSpec->master_secret = 8435 PK11_ImportSymKey(slot, CKM_SSL3_MASTER_KEY_DERIVE, 8436 PK11_OriginUnwrap, CKA_ENCRYPT, &wrappedMS, 8437 NULL); 8438 PK11_FreeSlot(slot); 8439 if (pwSpec->master_secret == NULL) { 8440 break; /* not an error */ 8441 } 8442 } 8443 ss->sec.ci.sid = sid; 8444 if (sid->peerCert != NULL) { 8445 ss->sec.peerCert = CERT_DupCertificate(sid->peerCert); 8446 ssl3_CopyPeerCertsFromSID(ss, sid); 8447 } 8448 8449 /* 8450 * Old SID passed all tests, so resume this old session. 8451 * 8452 * XXX make sure compression still matches 8453 */ 8454 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_hits ); 8455 if (ss->statelessResume) 8456 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_stateless_resumes ); 8457 ss->ssl3.hs.isResuming = PR_TRUE; 8458 8459 ss->sec.authAlgorithm = sid->authAlgorithm; 8460 ss->sec.authKeyBits = sid->authKeyBits; 8461 ss->sec.keaType = sid->keaType; 8462 ss->sec.keaKeyBits = sid->keaKeyBits; 8463 8464 /* server sids don't remember the server cert we previously sent, 8465 ** but they do remember the kea type we originally used, so we 8466 ** can locate it again, provided that the current ssl socket 8467 ** has had its server certs configured the same as the previous one. 8468 */ 8469 ss->sec.localCert = 8470 CERT_DupCertificate(ss->serverCerts[sid->keaType].serverCert); 8471 8472 /* Copy cached name in to pending spec */ 8473 if (sid != NULL && 8474 sid->version > SSL_LIBRARY_VERSION_3_0 && 8475 sid->u.ssl3.srvName.len && sid->u.ssl3.srvName.data) { 8476 /* Set server name from sid */ 8477 SECItem *sidName = &sid->u.ssl3.srvName; 8478 SECItem *pwsName = &ss->ssl3.pwSpec->srvVirtName; 8479 if (pwsName->data) { 8480 SECITEM_FreeItem(pwsName, PR_FALSE); 8481 } 8482 rv = SECITEM_CopyItem(NULL, pwsName, sidName); 8483 if (rv != SECSuccess) { 8484 errCode = PORT_GetError(); 8485 desc = internal_error; 8486 goto alert_loser; 8487 } 8488 } 8489 8490 /* Clean up sni name array */ 8491 if (ssl3_ExtensionNegotiated(ss, ssl_server_name_xtn) && 8492 ss->xtnData.sniNameArr) { 8493 PORT_Free(ss->xtnData.sniNameArr); 8494 ss->xtnData.sniNameArr = NULL; 8495 ss->xtnData.sniNameArrSize = 0; 8496 } 8497 8498 ssl_GetXmitBufLock(ss); haveXmitBufLock = PR_TRUE; 8499 8500 rv = ssl3_SendServerHello(ss); 8501 if (rv != SECSuccess) { 8502 errCode = PORT_GetError(); 8503 goto loser; 8504 } 8505 8506 if (haveSpecWriteLock) { 8507 ssl_ReleaseSpecWriteLock(ss); 8508 haveSpecWriteLock = PR_FALSE; 8509 } 8510 8511 /* NULL value for PMS signifies re-use of the old MS */ 8512 rv = ssl3_InitPendingCipherSpec(ss, NULL); 8513 if (rv != SECSuccess) { 8514 errCode = PORT_GetError(); 8515 goto loser; 8516 } 8517 8518 rv = ssl3_SendChangeCipherSpecs(ss); 8519 if (rv != SECSuccess) { 8520 errCode = PORT_GetError(); 8521 goto loser; 8522 } 8523 rv = ssl3_SendFinished(ss, 0); 8524 ss->ssl3.hs.ws = wait_change_cipher; 8525 if (rv != SECSuccess) { 8526 errCode = PORT_GetError(); 8527 goto loser; 8528 } 8529 8530 if (haveXmitBufLock) { 8531 ssl_ReleaseXmitBufLock(ss); 8532 haveXmitBufLock = PR_FALSE; 8533 } 8534 8535 return SECSuccess; 8536 } while (0); 8537 8538 if (haveSpecWriteLock) { 8539 ssl_ReleaseSpecWriteLock(ss); 8540 haveSpecWriteLock = PR_FALSE; 8541 } 8542 8543 if (sid) { /* we had a sid, but it's no longer valid, free it */ 8544 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_not_ok ); 8545 if (ss->sec.uncache) 8546 ss->sec.uncache(sid); 8547 ssl_FreeSID(sid); 8548 sid = NULL; 8549 } 8550 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_misses ); 8551 8552 if (ssl3_ExtensionNegotiated(ss, ssl_server_name_xtn)) { 8553 int ret = 0; 8554 if (ss->sniSocketConfig) do { /* not a loop */ 8555 ret = SSL_SNI_SEND_ALERT; 8556 /* If extension is negotiated, the len of names should > 0. */ 8557 if (ss->xtnData.sniNameArrSize) { 8558 /* Calling client callback to reconfigure the socket. */ 8559 ret = (SECStatus)(*ss->sniSocketConfig)(ss->fd, 8560 ss->xtnData.sniNameArr, 8561 ss->xtnData.sniNameArrSize, 8562 ss->sniSocketConfigArg); 8563 } 8564 if (ret <= SSL_SNI_SEND_ALERT) { 8565 /* Application does not know the name or was not able to 8566 * properly reconfigure the socket. */ 8567 errCode = SSL_ERROR_UNRECOGNIZED_NAME_ALERT; 8568 desc = unrecognized_name; 8569 break; 8570 } else if (ret == SSL_SNI_CURRENT_CONFIG_IS_USED) { 8571 SECStatus rv = SECSuccess; 8572 SECItem * cwsName, *pwsName; 8573 8574 ssl_GetSpecWriteLock(ss); /*******************************/ 8575 pwsName = &ss->ssl3.pwSpec->srvVirtName; 8576 cwsName = &ss->ssl3.cwSpec->srvVirtName; 8577 #ifndef SSL_SNI_ALLOW_NAME_CHANGE_2HS 8578 /* not allow name change on the 2d HS */ 8579 if (ss->firstHsDone) { 8580 if (ssl3_ServerNameCompare(pwsName, cwsName)) { 8581 ssl_ReleaseSpecWriteLock(ss); /******************/ 8582 errCode = SSL_ERROR_UNRECOGNIZED_NAME_ALERT; 8583 desc = handshake_failure; 8584 ret = SSL_SNI_SEND_ALERT; 8585 break; 8586 } 8587 } 8588 #endif 8589 if (pwsName->data) { 8590 SECITEM_FreeItem(pwsName, PR_FALSE); 8591 } 8592 if (cwsName->data) { 8593 rv = SECITEM_CopyItem(NULL, pwsName, cwsName); 8594 } 8595 ssl_ReleaseSpecWriteLock(ss); /**************************/ 8596 if (rv != SECSuccess) { 8597 errCode = SSL_ERROR_INTERNAL_ERROR_ALERT; 8598 desc = internal_error; 8599 ret = SSL_SNI_SEND_ALERT; 8600 break; 8601 } 8602 } else if (ret < ss->xtnData.sniNameArrSize) { 8603 /* Application has configured new socket info. Lets check it 8604 * and save the name. */ 8605 SECStatus rv; 8606 SECItem * name = &ss->xtnData.sniNameArr[ret]; 8607 int configedCiphers; 8608 SECItem * pwsName; 8609 8610 /* get rid of the old name and save the newly picked. */ 8611 /* This code is protected by ssl3HandshakeLock. */ 8612 ssl_GetSpecWriteLock(ss); /*******************************/ 8613 #ifndef SSL_SNI_ALLOW_NAME_CHANGE_2HS 8614 /* not allow name change on the 2d HS */ 8615 if (ss->firstHsDone) { 8616 SECItem *cwsName = &ss->ssl3.cwSpec->srvVirtName; 8617 if (ssl3_ServerNameCompare(name, cwsName)) { 8618 ssl_ReleaseSpecWriteLock(ss); /******************/ 8619 errCode = SSL_ERROR_UNRECOGNIZED_NAME_ALERT; 8620 desc = handshake_failure; 8621 ret = SSL_SNI_SEND_ALERT; 8622 break; 8623 } 8624 } 8625 #endif 8626 pwsName = &ss->ssl3.pwSpec->srvVirtName; 8627 if (pwsName->data) { 8628 SECITEM_FreeItem(pwsName, PR_FALSE); 8629 } 8630 rv = SECITEM_CopyItem(NULL, pwsName, name); 8631 ssl_ReleaseSpecWriteLock(ss); /***************************/ 8632 if (rv != SECSuccess) { 8633 errCode = SSL_ERROR_INTERNAL_ERROR_ALERT; 8634 desc = internal_error; 8635 ret = SSL_SNI_SEND_ALERT; 8636 break; 8637 } 8638 configedCiphers = ssl3_config_match_init(ss); 8639 if (configedCiphers <= 0) { 8640 /* no ciphers are working/supported */ 8641 errCode = PORT_GetError(); 8642 desc = handshake_failure; 8643 ret = SSL_SNI_SEND_ALERT; 8644 break; 8645 } 8646 /* Need to tell the client that application has picked 8647 * the name from the offered list and reconfigured the socket. 8648 */ 8649 ssl3_RegisterServerHelloExtensionSender(ss, ssl_server_name_xtn, 8650 ssl3_SendServerNameXtn); 8651 } else { 8652 /* Callback returned index outside of the boundary. */ 8653 PORT_Assert(ret < ss->xtnData.sniNameArrSize); 8654 errCode = SSL_ERROR_INTERNAL_ERROR_ALERT; 8655 desc = internal_error; 8656 ret = SSL_SNI_SEND_ALERT; 8657 break; 8658 } 8659 } while (0); 8660 /* Free sniNameArr. The data that each SECItem in the array 8661 * points into is the data from the input buffer "b". It will 8662 * not be available outside the scope of this or it's child 8663 * functions.*/ 8664 if (ss->xtnData.sniNameArr) { 8665 PORT_Free(ss->xtnData.sniNameArr); 8666 ss->xtnData.sniNameArr = NULL; 8667 ss->xtnData.sniNameArrSize = 0; 8668 } 8669 if (ret <= SSL_SNI_SEND_ALERT) { 8670 /* desc and errCode should be set. */ 8671 goto alert_loser; 8672 } 8673 } 8674 #ifndef SSL_SNI_ALLOW_NAME_CHANGE_2HS 8675 else if (ss->firstHsDone) { 8676 /* Check that we don't have the name is current spec 8677 * if this extension was not negotiated on the 2d hs. */ 8678 PRBool passed = PR_TRUE; 8679 ssl_GetSpecReadLock(ss); /*******************************/ 8680 if (ss->ssl3.cwSpec->srvVirtName.data) { 8681 passed = PR_FALSE; 8682 } 8683 ssl_ReleaseSpecReadLock(ss); /***************************/ 8684 if (!passed) { 8685 errCode = SSL_ERROR_UNRECOGNIZED_NAME_ALERT; 8686 desc = handshake_failure; 8687 goto alert_loser; 8688 } 8689 } 8690 #endif 8691 8692 sid = ssl3_NewSessionID(ss, PR_TRUE); 8693 if (sid == NULL) { 8694 errCode = PORT_GetError(); 8695 goto loser; /* memory error is set. */ 8696 } 8697 ss->sec.ci.sid = sid; 8698 8699 ss->ssl3.hs.isResuming = PR_FALSE; 8700 ssl_GetXmitBufLock(ss); 8701 rv = ssl3_SendServerHelloSequence(ss); 8702 ssl_ReleaseXmitBufLock(ss); 8703 if (rv != SECSuccess) { 8704 errCode = PORT_GetError(); 8705 goto loser; 8706 } 8707 8708 if (haveXmitBufLock) { 8709 ssl_ReleaseXmitBufLock(ss); 8710 haveXmitBufLock = PR_FALSE; 8711 } 8712 8713 return SECSuccess; 8714 8715 alert_loser: 8716 if (haveSpecWriteLock) { 8717 ssl_ReleaseSpecWriteLock(ss); 8718 haveSpecWriteLock = PR_FALSE; 8719 } 8720 (void)SSL3_SendAlert(ss, level, desc); 8721 /* FALLTHRU */ 8722 loser: 8723 if (haveSpecWriteLock) { 8724 ssl_ReleaseSpecWriteLock(ss); 8725 haveSpecWriteLock = PR_FALSE; 8726 } 8727 8728 if (haveXmitBufLock) { 8729 ssl_ReleaseXmitBufLock(ss); 8730 haveXmitBufLock = PR_FALSE; 8731 } 8732 8733 PORT_SetError(errCode); 8734 return SECFailure; 8735 } 8736 8737 /* 8738 * ssl3_HandleV2ClientHello is used when a V2 formatted hello comes 8739 * in asking to use the V3 handshake. 8740 * Called from ssl2_HandleClientHelloMessage() in sslcon.c 8741 */ 8742 SECStatus 8743 ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buffer, int length) 8744 { 8745 sslSessionID * sid = NULL; 8746 unsigned char * suites; 8747 unsigned char * random; 8748 SSL3ProtocolVersion version; 8749 SECStatus rv; 8750 int i; 8751 int j; 8752 int sid_length; 8753 int suite_length; 8754 int rand_length; 8755 int errCode = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO; 8756 SSL3AlertDescription desc = handshake_failure; 8757 8758 SSL_TRC(3, ("%d: SSL3[%d]: handle v2 client_hello", SSL_GETPID(), ss->fd)); 8759 8760 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 8761 8762 ssl_GetSSL3HandshakeLock(ss); 8763 8764 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData)); 8765 8766 rv = ssl3_InitState(ss); 8767 if (rv != SECSuccess) { 8768 ssl_ReleaseSSL3HandshakeLock(ss); 8769 return rv; /* ssl3_InitState has set the error code. */ 8770 } 8771 rv = ssl3_RestartHandshakeHashes(ss); 8772 if (rv != SECSuccess) { 8773 ssl_ReleaseSSL3HandshakeLock(ss); 8774 return rv; 8775 } 8776 8777 if (ss->ssl3.hs.ws != wait_client_hello) { 8778 desc = unexpected_message; 8779 errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO; 8780 goto loser; /* alert_loser */ 8781 } 8782 8783 version = (buffer[1] << 8) | buffer[2]; 8784 suite_length = (buffer[3] << 8) | buffer[4]; 8785 sid_length = (buffer[5] << 8) | buffer[6]; 8786 rand_length = (buffer[7] << 8) | buffer[8]; 8787 ss->clientHelloVersion = version; 8788 8789 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE); 8790 if (rv != SECSuccess) { 8791 /* send back which ever alert client will understand. */ 8792 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version : handshake_failure; 8793 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; 8794 goto alert_loser; 8795 } 8796 8797 rv = ssl3_InitHandshakeHashes(ss); 8798 if (rv != SECSuccess) { 8799 desc = internal_error; 8800 errCode = PORT_GetError(); 8801 goto alert_loser; 8802 } 8803 8804 /* if we get a non-zero SID, just ignore it. */ 8805 if (length != 8806 SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length + rand_length) { 8807 SSL_DBG(("%d: SSL3[%d]: bad v2 client hello message, len=%d should=%d", 8808 SSL_GETPID(), ss->fd, length, 8809 SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length + 8810 rand_length)); 8811 goto loser; /* malformed */ /* alert_loser */ 8812 } 8813 8814 suites = buffer + SSL_HL_CLIENT_HELLO_HBYTES; 8815 random = suites + suite_length + sid_length; 8816 8817 if (rand_length < SSL_MIN_CHALLENGE_BYTES || 8818 rand_length > SSL_MAX_CHALLENGE_BYTES) { 8819 goto loser; /* malformed */ /* alert_loser */ 8820 } 8821 8822 PORT_Assert(SSL_MAX_CHALLENGE_BYTES == SSL3_RANDOM_LENGTH); 8823 8824 PORT_Memset(&ss->ssl3.hs.client_random, 0, SSL3_RANDOM_LENGTH); 8825 PORT_Memcpy( 8826 &ss->ssl3.hs.client_random.rand[SSL3_RANDOM_LENGTH - rand_length], 8827 random, rand_length); 8828 8829 PRINT_BUF(60, (ss, "client random:", &ss->ssl3.hs.client_random.rand[0], 8830 SSL3_RANDOM_LENGTH)); 8831 #ifdef NSS_ENABLE_ECC 8832 /* Disable any ECC cipher suites for which we have no cert. */ 8833 ssl3_FilterECCipherSuitesByServerCerts(ss); 8834 #endif 8835 i = ssl3_config_match_init(ss); 8836 if (i <= 0) { 8837 errCode = PORT_GetError(); /* error code is already set. */ 8838 goto alert_loser; 8839 } 8840 8841 /* Select a cipher suite. 8842 ** 8843 ** NOTE: This suite selection algorithm should be the same as the one in 8844 ** ssl3_HandleClientHello(). 8845 ** 8846 ** See the comments about export cipher suites in ssl3_HandleClientHello(). 8847 */ 8848 for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) { 8849 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j]; 8850 SSLVersionRange vrange = {ss->version, ss->version}; 8851 if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) { 8852 continue; 8853 } 8854 for (i = 0; i+2 < suite_length; i += 3) { 8855 PRUint32 suite_i = (suites[i] << 16)|(suites[i+1] << 8)|suites[i+2]; 8856 if (suite_i == suite->cipher_suite) { 8857 ss->ssl3.hs.cipher_suite = suite->cipher_suite; 8858 ss->ssl3.hs.suite_def = 8859 ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite); 8860 goto suite_found; 8861 } 8862 } 8863 } 8864 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; 8865 goto alert_loser; 8866 8867 suite_found: 8868 8869 /* Look for the SCSV, and if found, treat it just like an empty RI 8870 * extension by processing a local copy of an empty RI extension. 8871 */ 8872 for (i = 0; i+2 < suite_length; i += 3) { 8873 PRUint32 suite_i = (suites[i] << 16) | (suites[i+1] << 8) | suites[i+2]; 8874 if (suite_i == TLS_EMPTY_RENEGOTIATION_INFO_SCSV) { 8875 SSL3Opaque * b2 = (SSL3Opaque *)emptyRIext; 8876 PRUint32 L2 = sizeof emptyRIext; 8877 (void)ssl3_HandleHelloExtensions(ss, &b2, &L2); 8878 break; 8879 } 8880 } 8881 8882 if (ss->opt.requireSafeNegotiation && 8883 !ssl3_ExtensionNegotiated(ss, ssl_renegotiation_info_xtn)) { 8884 desc = handshake_failure; 8885 errCode = SSL_ERROR_UNSAFE_NEGOTIATION; 8886 goto alert_loser; 8887 } 8888 8889 ss->ssl3.hs.compression = ssl_compression_null; 8890 ss->sec.send = ssl3_SendApplicationData; 8891 8892 /* we don't even search for a cache hit here. It's just a miss. */ 8893 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_misses ); 8894 sid = ssl3_NewSessionID(ss, PR_TRUE); 8895 if (sid == NULL) { 8896 errCode = PORT_GetError(); 8897 goto loser; /* memory error is set. */ 8898 } 8899 ss->sec.ci.sid = sid; 8900 /* do not worry about memory leak of sid since it now belongs to ci */ 8901 8902 /* We have to update the handshake hashes before we can send stuff */ 8903 rv = ssl3_UpdateHandshakeHashes(ss, buffer, length); 8904 if (rv != SECSuccess) { 8905 errCode = PORT_GetError(); 8906 goto loser; 8907 } 8908 8909 ssl_GetXmitBufLock(ss); 8910 rv = ssl3_SendServerHelloSequence(ss); 8911 ssl_ReleaseXmitBufLock(ss); 8912 if (rv != SECSuccess) { 8913 errCode = PORT_GetError(); 8914 goto loser; 8915 } 8916 8917 /* XXX_1 The call stack to here is: 8918 * ssl_Do1stHandshake -> ssl2_HandleClientHelloMessage -> here. 8919 * ssl2_HandleClientHelloMessage returns whatever we return here. 8920 * ssl_Do1stHandshake will continue looping if it gets back either 8921 * SECSuccess or SECWouldBlock. 8922 * SECSuccess is preferable here. See XXX_1 in sslgathr.c. 8923 */ 8924 ssl_ReleaseSSL3HandshakeLock(ss); 8925 return SECSuccess; 8926 8927 alert_loser: 8928 SSL3_SendAlert(ss, alert_fatal, desc); 8929 loser: 8930 ssl_ReleaseSSL3HandshakeLock(ss); 8931 PORT_SetError(errCode); 8932 return SECFailure; 8933 } 8934 8935 /* The negotiated version number has been already placed in ss->version. 8936 ** 8937 ** Called from: ssl3_HandleClientHello (resuming session), 8938 ** ssl3_SendServerHelloSequence <- ssl3_HandleClientHello (new session), 8939 ** ssl3_SendServerHelloSequence <- ssl3_HandleV2ClientHello (new session) 8940 */ 8941 static SECStatus 8942 ssl3_SendServerHello(sslSocket *ss) 8943 { 8944 sslSessionID *sid; 8945 SECStatus rv; 8946 PRUint32 maxBytes = 65535; 8947 PRUint32 length; 8948 PRInt32 extensions_len = 0; 8949 SSL3ProtocolVersion version; 8950 8951 SSL_TRC(3, ("%d: SSL3[%d]: send server_hello handshake", SSL_GETPID(), 8952 ss->fd)); 8953 8954 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 8955 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 8956 8957 if (!IS_DTLS(ss)) { 8958 PORT_Assert(MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_3_0)); 8959 8960 if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_3_0)) { 8961 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP); 8962 return SECFailure; 8963 } 8964 } else { 8965 PORT_Assert(MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_DTLS_1_0)); 8966 8967 if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_DTLS_1_0)) { 8968 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP); 8969 return SECFailure; 8970 } 8971 } 8972 8973 sid = ss->sec.ci.sid; 8974 8975 extensions_len = ssl3_CallHelloExtensionSenders(ss, PR_FALSE, maxBytes, 8976 &ss->xtnData.serverSenders[0]); 8977 if (extensions_len > 0) 8978 extensions_len += 2; /* Add sizeof total extension length */ 8979 8980 length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH + 1 + 8981 ((sid == NULL) ? 0: sid->u.ssl3.sessionIDLength) + 8982 sizeof(ssl3CipherSuite) + 1 + extensions_len; 8983 rv = ssl3_AppendHandshakeHeader(ss, server_hello, length); 8984 if (rv != SECSuccess) { 8985 return rv; /* err set by AppendHandshake. */ 8986 } 8987 8988 if (IS_DTLS(ss)) { 8989 version = dtls_TLSVersionToDTLSVersion(ss->version); 8990 } else { 8991 version = ss->version; 8992 } 8993 8994 rv = ssl3_AppendHandshakeNumber(ss, version, 2); 8995 if (rv != SECSuccess) { 8996 return rv; /* err set by AppendHandshake. */ 8997 } 8998 rv = ssl3_GetNewRandom(&ss->ssl3.hs.server_random); 8999 if (rv != SECSuccess) { 9000 ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE); 9001 return rv; 9002 } 9003 rv = ssl3_AppendHandshake( 9004 ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH); 9005 if (rv != SECSuccess) { 9006 return rv; /* err set by AppendHandshake. */ 9007 } 9008 9009 if (sid) 9010 rv = ssl3_AppendHandshakeVariable( 9011 ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1); 9012 else 9013 rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1); 9014 if (rv != SECSuccess) { 9015 return rv; /* err set by AppendHandshake. */ 9016 } 9017 9018 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.cipher_suite, 2); 9019 if (rv != SECSuccess) { 9020 return rv; /* err set by AppendHandshake. */ 9021 } 9022 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.compression, 1); 9023 if (rv != SECSuccess) { 9024 return rv; /* err set by AppendHandshake. */ 9025 } 9026 if (extensions_len) { 9027 PRInt32 sent_len; 9028 9029 extensions_len -= 2; 9030 rv = ssl3_AppendHandshakeNumber(ss, extensions_len, 2); 9031 if (rv != SECSuccess) 9032 return rv; /* err set by ssl3_SetupPendingCipherSpec */ 9033 sent_len = ssl3_CallHelloExtensionSenders(ss, PR_TRUE, extensions_len, 9034 &ss->xtnData.serverSenders[0]); 9035 PORT_Assert(sent_len == extensions_len); 9036 if (sent_len != extensions_len) { 9037 if (sent_len >= 0) 9038 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 9039 return SECFailure; 9040 } 9041 } 9042 rv = ssl3_SetupPendingCipherSpec(ss); 9043 if (rv != SECSuccess) { 9044 return rv; /* err set by ssl3_SetupPendingCipherSpec */ 9045 } 9046 9047 return SECSuccess; 9048 } 9049 9050 /* ssl3_PickSignatureHashAlgorithm selects a hash algorithm to use when signing 9051 * elements of the handshake. (The negotiated cipher suite determines the 9052 * signature algorithm.) Prior to TLS 1.2, the MD5/SHA1 combination is always 9053 * used. With TLS 1.2, a client may advertise its support for signature and 9054 * hash combinations. */ 9055 static SECStatus 9056 ssl3_PickSignatureHashAlgorithm(sslSocket *ss, 9057 SSL3SignatureAndHashAlgorithm* out) 9058 { 9059 TLSSignatureAlgorithm sigAlg; 9060 unsigned int i, j; 9061 /* hashPreference expresses our preferences for hash algorithms, most 9062 * preferable first. */ 9063 static const PRUint8 hashPreference[] = { 9064 tls_hash_sha256, 9065 tls_hash_sha384, 9066 tls_hash_sha512, 9067 tls_hash_sha1, 9068 }; 9069 9070 switch (ss->ssl3.hs.kea_def->kea) { 9071 case kea_rsa: 9072 case kea_rsa_export: 9073 case kea_rsa_export_1024: 9074 case kea_dh_rsa: 9075 case kea_dh_rsa_export: 9076 case kea_dhe_rsa: 9077 case kea_dhe_rsa_export: 9078 case kea_rsa_fips: 9079 case kea_ecdh_rsa: 9080 case kea_ecdhe_rsa: 9081 sigAlg = tls_sig_rsa; 9082 break; 9083 case kea_dh_dss: 9084 case kea_dh_dss_export: 9085 case kea_dhe_dss: 9086 case kea_dhe_dss_export: 9087 sigAlg = tls_sig_dsa; 9088 break; 9089 case kea_ecdh_ecdsa: 9090 case kea_ecdhe_ecdsa: 9091 sigAlg = tls_sig_ecdsa; 9092 break; 9093 default: 9094 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); 9095 return SECFailure; 9096 } 9097 out->sigAlg = sigAlg; 9098 9099 if (ss->version <= SSL_LIBRARY_VERSION_TLS_1_1) { 9100 /* SEC_OID_UNKNOWN means the MD5/SHA1 combo hash used in TLS 1.1 and 9101 * prior. */ 9102 out->hashAlg = SEC_OID_UNKNOWN; 9103 return SECSuccess; 9104 } 9105 9106 if (ss->ssl3.hs.numClientSigAndHash == 0) { 9107 /* If the client didn't provide any signature_algorithms extension then 9108 * we can assume that they support SHA-1: 9109 * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ 9110 out->hashAlg = SEC_OID_SHA1; 9111 return SECSuccess; 9112 } 9113 9114 for (i = 0; i < PR_ARRAY_SIZE(hashPreference); i++) { 9115 for (j = 0; j < ss->ssl3.hs.numClientSigAndHash; j++) { 9116 const SSL3SignatureAndHashAlgorithm* sh = 9117 &ss->ssl3.hs.clientSigAndHash[j]; 9118 if (sh->sigAlg == sigAlg && sh->hashAlg == hashPreference[i]) { 9119 out->hashAlg = sh->hashAlg; 9120 return SECSuccess; 9121 } 9122 } 9123 } 9124 9125 PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM); 9126 return SECFailure; 9127 } 9128 9129 9130 static SECStatus 9131 ssl3_SendServerKeyExchange(sslSocket *ss) 9132 { 9133 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; 9134 SECStatus rv = SECFailure; 9135 int length; 9136 PRBool isTLS; 9137 SECItem signed_hash = {siBuffer, NULL, 0}; 9138 SSL3Hashes hashes; 9139 SECKEYPublicKey * sdPub; /* public key for step-down */ 9140 SSL3SignatureAndHashAlgorithm sigAndHash; 9141 9142 SSL_TRC(3, ("%d: SSL3[%d]: send server_key_exchange handshake", 9143 SSL_GETPID(), ss->fd)); 9144 9145 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 9146 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 9147 9148 if (ssl3_PickSignatureHashAlgorithm(ss, &sigAndHash) != SECSuccess) { 9149 return SECFailure; 9150 } 9151 9152 switch (kea_def->exchKeyType) { 9153 case kt_rsa: 9154 /* Perform SSL Step-Down here. */ 9155 sdPub = ss->stepDownKeyPair->pubKey; 9156 PORT_Assert(sdPub != NULL); 9157 if (!sdPub) { 9158 PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); 9159 return SECFailure; 9160 } 9161 rv = ssl3_ComputeExportRSAKeyHash(sigAndHash.hashAlg, 9162 sdPub->u.rsa.modulus, 9163 sdPub->u.rsa.publicExponent, 9164 &ss->ssl3.hs.client_random, 9165 &ss->ssl3.hs.server_random, 9166 &hashes, ss->opt.bypassPKCS11); 9167 if (rv != SECSuccess) { 9168 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); 9169 return rv; 9170 } 9171 9172 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); 9173 rv = ssl3_SignHashes(&hashes, ss->serverCerts[kt_rsa].SERVERKEY, 9174 &signed_hash, isTLS); 9175 if (rv != SECSuccess) { 9176 goto loser; /* ssl3_SignHashes has set err. */ 9177 } 9178 if (signed_hash.data == NULL) { 9179 /* how can this happen and rv == SECSuccess ?? */ 9180 PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); 9181 goto loser; 9182 } 9183 length = 2 + sdPub->u.rsa.modulus.len + 9184 2 + sdPub->u.rsa.publicExponent.len + 9185 2 + signed_hash.len; 9186 9187 rv = ssl3_AppendHandshakeHeader(ss, server_key_exchange, length); 9188 if (rv != SECSuccess) { 9189 goto loser; /* err set by AppendHandshake. */ 9190 } 9191 9192 rv = ssl3_AppendHandshakeVariable(ss, sdPub->u.rsa.modulus.data, 9193 sdPub->u.rsa.modulus.len, 2); 9194 if (rv != SECSuccess) { 9195 goto loser; /* err set by AppendHandshake. */ 9196 } 9197 9198 rv = ssl3_AppendHandshakeVariable( 9199 ss, sdPub->u.rsa.publicExponent.data, 9200 sdPub->u.rsa.publicExponent.len, 2); 9201 if (rv != SECSuccess) { 9202 goto loser; /* err set by AppendHandshake. */ 9203 } 9204 9205 if (ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2) { 9206 rv = ssl3_AppendSignatureAndHashAlgorithm(ss, &sigAndHash); 9207 if (rv != SECSuccess) { 9208 goto loser; /* err set by AppendHandshake. */ 9209 } 9210 } 9211 9212 rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data, 9213 signed_hash.len, 2); 9214 if (rv != SECSuccess) { 9215 goto loser; /* err set by AppendHandshake. */ 9216 } 9217 PORT_Free(signed_hash.data); 9218 return SECSuccess; 9219 9220 #ifdef NSS_ENABLE_ECC 9221 case kt_ecdh: { 9222 rv = ssl3_SendECDHServerKeyExchange(ss, &sigAndHash); 9223 return rv; 9224 } 9225 #endif /* NSS_ENABLE_ECC */ 9226 9227 case kt_dh: 9228 case kt_null: 9229 default: 9230 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); 9231 break; 9232 } 9233 loser: 9234 if (signed_hash.data != NULL) 9235 PORT_Free(signed_hash.data); 9236 return SECFailure; 9237 } 9238 9239 9240 static SECStatus 9241 ssl3_SendCertificateRequest(sslSocket *ss) 9242 { 9243 PRBool isTLS12; 9244 SECItem * name; 9245 CERTDistNames *ca_list; 9246 const PRUint8 *certTypes; 9247 const PRUint8 *sigAlgs; 9248 SECItem * names = NULL; 9249 SECStatus rv; 9250 int length; 9251 int i; 9252 int calen = 0; 9253 int nnames = 0; 9254 int certTypesLength; 9255 int sigAlgsLength; 9256 9257 SSL_TRC(3, ("%d: SSL3[%d]: send certificate_request handshake", 9258 SSL_GETPID(), ss->fd)); 9259 9260 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 9261 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 9262 9263 isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); 9264 9265 /* ssl3.ca_list is initialized to NULL, and never changed. */ 9266 ca_list = ss->ssl3.ca_list; 9267 if (!ca_list) { 9268 ca_list = ssl3_server_ca_list; 9269 } 9270 9271 if (ca_list != NULL) { 9272 names = ca_list->names; 9273 nnames = ca_list->nnames; 9274 } 9275 9276 for (i = 0, name = names; i < nnames; i++, name++) { 9277 calen += 2 + name->len; 9278 } 9279 9280 certTypes = certificate_types; 9281 certTypesLength = sizeof certificate_types; 9282 sigAlgs = supported_signature_algorithms; 9283 sigAlgsLength = sizeof supported_signature_algorithms; 9284 9285 length = 1 + certTypesLength + 2 + calen; 9286 if (isTLS12) { 9287 length += 2 + sigAlgsLength; 9288 } 9289 9290 rv = ssl3_AppendHandshakeHeader(ss, certificate_request, length); 9291 if (rv != SECSuccess) { 9292 return rv; /* err set by AppendHandshake. */ 9293 } 9294 rv = ssl3_AppendHandshakeVariable(ss, certTypes, certTypesLength, 1); 9295 if (rv != SECSuccess) { 9296 return rv; /* err set by AppendHandshake. */ 9297 } 9298 if (isTLS12) { 9299 rv = ssl3_AppendHandshakeVariable(ss, sigAlgs, sigAlgsLength, 2); 9300 if (rv != SECSuccess) { 9301 return rv; /* err set by AppendHandshake. */ 9302 } 9303 } 9304 rv = ssl3_AppendHandshakeNumber(ss, calen, 2); 9305 if (rv != SECSuccess) { 9306 return rv; /* err set by AppendHandshake. */ 9307 } 9308 for (i = 0, name = names; i < nnames; i++, name++) { 9309 rv = ssl3_AppendHandshakeVariable(ss, name->data, name->len, 2); 9310 if (rv != SECSuccess) { 9311 return rv; /* err set by AppendHandshake. */ 9312 } 9313 } 9314 9315 return SECSuccess; 9316 } 9317 9318 static SECStatus 9319 ssl3_SendServerHelloDone(sslSocket *ss) 9320 { 9321 SECStatus rv; 9322 9323 SSL_TRC(3, ("%d: SSL3[%d]: send server_hello_done handshake", 9324 SSL_GETPID(), ss->fd)); 9325 9326 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 9327 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 9328 9329 rv = ssl3_AppendHandshakeHeader(ss, server_hello_done, 0); 9330 if (rv != SECSuccess) { 9331 return rv; /* err set by AppendHandshake. */ 9332 } 9333 rv = ssl3_FlushHandshake(ss, 0); 9334 if (rv != SECSuccess) { 9335 return rv; /* error code set by ssl3_FlushHandshake */ 9336 } 9337 return SECSuccess; 9338 } 9339 9340 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete 9341 * ssl3 Certificate Verify message 9342 * Caller must hold Handshake and RecvBuf locks. 9343 */ 9344 static SECStatus 9345 ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length, 9346 SSL3Hashes *hashes) 9347 { 9348 SECItem signed_hash = {siBuffer, NULL, 0}; 9349 SECStatus rv; 9350 int errCode = SSL_ERROR_RX_MALFORMED_CERT_VERIFY; 9351 SSL3AlertDescription desc = handshake_failure; 9352 PRBool isTLS, isTLS12; 9353 SSL3SignatureAndHashAlgorithm sigAndHash; 9354 9355 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_verify handshake", 9356 SSL_GETPID(), ss->fd)); 9357 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 9358 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 9359 9360 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); 9361 isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); 9362 9363 if (ss->ssl3.hs.ws != wait_cert_verify || ss->sec.peerCert == NULL) { 9364 desc = unexpected_message; 9365 errCode = SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY; 9366 goto alert_loser; 9367 } 9368 9369 if (isTLS12) { 9370 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length, 9371 &sigAndHash); 9372 if (rv != SECSuccess) { 9373 goto loser; /* malformed or unsupported. */ 9374 } 9375 rv = ssl3_CheckSignatureAndHashAlgorithmConsistency( 9376 &sigAndHash, ss->sec.peerCert); 9377 if (rv != SECSuccess) { 9378 errCode = PORT_GetError(); 9379 desc = decrypt_error; 9380 goto alert_loser; 9381 } 9382 9383 /* We only support CertificateVerify messages that use the handshake 9384 * hash. */ 9385 if (sigAndHash.hashAlg != hashes->hashAlg) { 9386 errCode = SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM; 9387 desc = decrypt_error; 9388 goto alert_loser; 9389 } 9390 } 9391 9392 rv = ssl3_ConsumeHandshakeVariable(ss, &signed_hash, 2, &b, &length); 9393 if (rv != SECSuccess) { 9394 goto loser; /* malformed. */ 9395 } 9396 9397 /* XXX verify that the key & kea match */ 9398 rv = ssl3_VerifySignedHashes(hashes, ss->sec.peerCert, &signed_hash, 9399 isTLS, ss->pkcs11PinArg); 9400 if (rv != SECSuccess) { 9401 errCode = PORT_GetError(); 9402 desc = isTLS ? decrypt_error : handshake_failure; 9403 goto alert_loser; 9404 } 9405 9406 signed_hash.data = NULL; 9407 9408 if (length != 0) { 9409 desc = isTLS ? decode_error : illegal_parameter; 9410 goto alert_loser; /* malformed */ 9411 } 9412 ss->ssl3.hs.ws = wait_change_cipher; 9413 return SECSuccess; 9414 9415 alert_loser: 9416 SSL3_SendAlert(ss, alert_fatal, desc); 9417 loser: 9418 PORT_SetError(errCode); 9419 return SECFailure; 9420 } 9421 9422 9423 /* find a slot that is able to generate a PMS and wrap it with RSA. 9424 * Then generate and return the PMS. 9425 * If the serverKeySlot parameter is non-null, this function will use 9426 * that slot to do the job, otherwise it will find a slot. 9427 * 9428 * Called from ssl3_DeriveConnectionKeysPKCS11() (above) 9429 * sendRSAClientKeyExchange() (above) 9430 * ssl3_HandleRSAClientKeyExchange() (below) 9431 * Caller must hold the SpecWriteLock, the SSL3HandshakeLock 9432 */ 9433 static PK11SymKey * 9434 ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec, 9435 PK11SlotInfo * serverKeySlot) 9436 { 9437 PK11SymKey * pms = NULL; 9438 PK11SlotInfo * slot = serverKeySlot; 9439 void * pwArg = ss->pkcs11PinArg; 9440 SECItem param; 9441 CK_VERSION version; 9442 CK_MECHANISM_TYPE mechanism_array[3]; 9443 9444 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 9445 9446 if (slot == NULL) { 9447 SSLCipherAlgorithm calg; 9448 /* The specReadLock would suffice here, but we cannot assert on 9449 ** read locks. Also, all the callers who call with a non-null 9450 ** slot already hold the SpecWriteLock. 9451 */ 9452 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); 9453 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); 9454 9455 calg = spec->cipher_def->calg; 9456 PORT_Assert(alg2Mech[calg].calg == calg); 9457 9458 /* First get an appropriate slot. */ 9459 mechanism_array[0] = CKM_SSL3_PRE_MASTER_KEY_GEN; 9460 mechanism_array[1] = CKM_RSA_PKCS; 9461 mechanism_array[2] = alg2Mech[calg].cmech; 9462 9463 slot = PK11_GetBestSlotMultiple(mechanism_array, 3, pwArg); 9464 if (slot == NULL) { 9465 /* can't find a slot with all three, find a slot with the minimum */ 9466 slot = PK11_GetBestSlotMultiple(mechanism_array, 2, pwArg); 9467 if (slot == NULL) { 9468 PORT_SetError(SSL_ERROR_TOKEN_SLOT_NOT_FOUND); 9469 return pms; /* which is NULL */ 9470 } 9471 } 9472 } 9473 9474 /* Generate the pre-master secret ... */ 9475 if (IS_DTLS(ss)) { 9476 SSL3ProtocolVersion temp; 9477 9478 temp = dtls_TLSVersionToDTLSVersion(ss->clientHelloVersion); 9479 version.major = MSB(temp); 9480 version.minor = LSB(temp); 9481 } else { 9482 version.major = MSB(ss->clientHelloVersion); 9483 version.minor = LSB(ss->clientHelloVersion); 9484 } 9485 9486 param.data = (unsigned char *)&version; 9487 param.len = sizeof version; 9488 9489 pms = PK11_KeyGen(slot, CKM_SSL3_PRE_MASTER_KEY_GEN, ¶m, 0, pwArg); 9490 if (!serverKeySlot) 9491 PK11_FreeSlot(slot); 9492 if (pms == NULL) { 9493 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); 9494 } 9495 return pms; 9496 } 9497 9498 /* Note: The Bleichenbacher attack on PKCS#1 necessitates that we NEVER 9499 * return any indication of failure of the Client Key Exchange message, 9500 * where that failure is caused by the content of the client's message. 9501 * This function must not return SECFailure for any reason that is directly 9502 * or indirectly caused by the content of the client's encrypted PMS. 9503 * We must not send an alert and also not drop the connection. 9504 * Instead, we generate a random PMS. This will cause a failure 9505 * in the processing the finished message, which is exactly where 9506 * the failure must occur. 9507 * 9508 * Called from ssl3_HandleClientKeyExchange 9509 */ 9510 static SECStatus 9511 ssl3_HandleRSAClientKeyExchange(sslSocket *ss, 9512 SSL3Opaque *b, 9513 PRUint32 length, 9514 SECKEYPrivateKey *serverKey) 9515 { 9516 PK11SymKey * pms; 9517 #ifndef NO_PKCS11_BYPASS 9518 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random; 9519 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random; 9520 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec; 9521 unsigned int outLen = 0; 9522 #endif 9523 PRBool isTLS = PR_FALSE; 9524 SECStatus rv; 9525 SECItem enc_pms; 9526 unsigned char rsaPmsBuf[SSL3_RSA_PMS_LENGTH]; 9527 SECItem pmsItem = {siBuffer, NULL, 0}; 9528 9529 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 9530 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 9531 PORT_Assert( ss->ssl3.prSpec == ss->ssl3.pwSpec ); 9532 9533 enc_pms.data = b; 9534 enc_pms.len = length; 9535 pmsItem.data = rsaPmsBuf; 9536 pmsItem.len = sizeof rsaPmsBuf; 9537 9538 if (ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */ 9539 PRInt32 kLen; 9540 kLen = ssl3_ConsumeHandshakeNumber(ss, 2, &enc_pms.data, &enc_pms.len); 9541 if (kLen < 0) { 9542 PORT_SetError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); 9543 return SECFailure; 9544 } 9545 if ((unsigned)kLen < enc_pms.len) { 9546 enc_pms.len = kLen; 9547 } 9548 isTLS = PR_TRUE; 9549 } else { 9550 isTLS = (PRBool)(ss->ssl3.hs.kea_def->tls_keygen != 0); 9551 } 9552 9553 #ifndef NO_PKCS11_BYPASS 9554 if (ss->opt.bypassPKCS11) { 9555 /* TRIPLE BYPASS, get PMS directly from RSA decryption. 9556 * Use PK11_PrivDecryptPKCS1 to decrypt the PMS to a buffer, 9557 * then, check for version rollback attack, then 9558 * do the equivalent of ssl3_DeriveMasterSecret, placing the MS in 9559 * pwSpec->msItem. Finally call ssl3_InitPendingCipherSpec with 9560 * ss and NULL, so that it will use the MS we've already derived here. 9561 */ 9562 9563 rv = PK11_PrivDecryptPKCS1(serverKey, rsaPmsBuf, &outLen, 9564 sizeof rsaPmsBuf, enc_pms.data, enc_pms.len); 9565 if (rv != SECSuccess) { 9566 /* triple bypass failed. Let's try for a double bypass. */ 9567 goto double_bypass; 9568 } else if (ss->opt.detectRollBack) { 9569 SSL3ProtocolVersion client_version = 9570 (rsaPmsBuf[0] << 8) | rsaPmsBuf[1]; 9571 9572 if (IS_DTLS(ss)) { 9573 client_version = dtls_DTLSVersionToTLSVersion(client_version); 9574 } 9575 9576 if (client_version != ss->clientHelloVersion) { 9577 /* Version roll-back detected. ensure failure. */ 9578 rv = PK11_GenerateRandom(rsaPmsBuf, sizeof rsaPmsBuf); 9579 } 9580 } 9581 /* have PMS, build MS without PKCS11 */ 9582 rv = ssl3_MasterKeyDeriveBypass(pwSpec, cr, sr, &pmsItem, isTLS, 9583 PR_TRUE); 9584 if (rv != SECSuccess) { 9585 pwSpec->msItem.data = pwSpec->raw_master_secret; 9586 pwSpec->msItem.len = SSL3_MASTER_SECRET_LENGTH; 9587 PK11_GenerateRandom(pwSpec->msItem.data, pwSpec->msItem.len); 9588 } 9589 rv = ssl3_InitPendingCipherSpec(ss, NULL); 9590 } else 9591 #endif 9592 { 9593 #ifndef NO_PKCS11_BYPASS 9594 double_bypass: 9595 #endif 9596 /* 9597 * unwrap pms out of the incoming buffer 9598 * Note: CKM_SSL3_MASTER_KEY_DERIVE is NOT the mechanism used to do 9599 * the unwrap. Rather, it is the mechanism with which the 9600 * unwrapped pms will be used. 9601 */ 9602 pms = PK11_PubUnwrapSymKey(serverKey, &enc_pms, 9603 CKM_SSL3_MASTER_KEY_DERIVE, CKA_DERIVE, 0); 9604 if (pms != NULL) { 9605 PRINT_BUF(60, (ss, "decrypted premaster secret:", 9606 PK11_GetKeyData(pms)->data, 9607 PK11_GetKeyData(pms)->len)); 9608 } else { 9609 /* unwrap failed. Generate a bogus PMS and carry on. */ 9610 PK11SlotInfo * slot = PK11_GetSlotFromPrivateKey(serverKey); 9611 9612 ssl_GetSpecWriteLock(ss); 9613 pms = ssl3_GenerateRSAPMS(ss, ss->ssl3.prSpec, slot); 9614 ssl_ReleaseSpecWriteLock(ss); 9615 PK11_FreeSlot(slot); 9616 } 9617 9618 if (pms == NULL) { 9619 /* last gasp. */ 9620 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); 9621 return SECFailure; 9622 } 9623 9624 /* This step will derive the MS from the PMS, among other things. */ 9625 rv = ssl3_InitPendingCipherSpec(ss, pms); 9626 PK11_FreeSymKey(pms); 9627 } 9628 9629 if (rv != SECSuccess) { 9630 SEND_ALERT 9631 return SECFailure; /* error code set by ssl3_InitPendingCipherSpec */ 9632 } 9633 return SECSuccess; 9634 } 9635 9636 9637 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete 9638 * ssl3 ClientKeyExchange message from the remote client 9639 * Caller must hold Handshake and RecvBuf locks. 9640 */ 9641 static SECStatus 9642 ssl3_HandleClientKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length) 9643 { 9644 SECKEYPrivateKey *serverKey = NULL; 9645 SECStatus rv; 9646 const ssl3KEADef *kea_def; 9647 ssl3KeyPair *serverKeyPair = NULL; 9648 #ifdef NSS_ENABLE_ECC 9649 SECKEYPublicKey *serverPubKey = NULL; 9650 #endif /* NSS_ENABLE_ECC */ 9651 9652 SSL_TRC(3, ("%d: SSL3[%d]: handle client_key_exchange handshake", 9653 SSL_GETPID(), ss->fd)); 9654 9655 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 9656 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 9657 9658 if (ss->ssl3.hs.ws != wait_client_key) { 9659 SSL3_SendAlert(ss, alert_fatal, unexpected_message); 9660 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH); 9661 return SECFailure; 9662 } 9663 9664 kea_def = ss->ssl3.hs.kea_def; 9665 9666 if (ss->ssl3.hs.usedStepDownKey) { 9667 PORT_Assert(kea_def->is_limited /* XXX OR cert is signing only */ 9668 && kea_def->exchKeyType == kt_rsa 9669 && ss->stepDownKeyPair != NULL); 9670 if (!kea_def->is_limited || 9671 kea_def->exchKeyType != kt_rsa || 9672 ss->stepDownKeyPair == NULL) { 9673 /* shouldn't happen, don't use step down if it does */ 9674 goto skip; 9675 } 9676 serverKeyPair = ss->stepDownKeyPair; 9677 ss->sec.keaKeyBits = EXPORT_RSA_KEY_LENGTH * BPB; 9678 } else 9679 skip: 9680 #ifdef NSS_ENABLE_ECC 9681 /* XXX Using SSLKEAType to index server certifiates 9682 * does not work for (EC)DHE ciphers. Until we have 9683 * an indexing mechanism general enough for all key 9684 * exchange algorithms, we'll need to deal with each 9685 * one seprately. 9686 */ 9687 if ((kea_def->kea == kea_ecdhe_rsa) || 9688 (kea_def->kea == kea_ecdhe_ecdsa)) { 9689 if (ss->ephemeralECDHKeyPair != NULL) { 9690 serverKeyPair = ss->ephemeralECDHKeyPair; 9691 if (serverKeyPair->pubKey) { 9692 ss->sec.keaKeyBits = 9693 SECKEY_PublicKeyStrengthInBits(serverKeyPair->pubKey); 9694 } 9695 } 9696 } else 9697 #endif 9698 { 9699 sslServerCerts * sc = ss->serverCerts + kea_def->exchKeyType; 9700 serverKeyPair = sc->serverKeyPair; 9701 ss->sec.keaKeyBits = sc->serverKeyBits; 9702 } 9703 9704 if (serverKeyPair) { 9705 serverKey = serverKeyPair->privKey; 9706 } 9707 9708 if (serverKey == NULL) { 9709 SEND_ALERT 9710 PORT_SetError(SSL_ERROR_NO_SERVER_KEY_FOR_ALG); 9711 return SECFailure; 9712 } 9713 9714 ss->sec.keaType = kea_def->exchKeyType; 9715 9716 switch (kea_def->exchKeyType) { 9717 case kt_rsa: 9718 rv = ssl3_HandleRSAClientKeyExchange(ss, b, length, serverKey); 9719 if (rv != SECSuccess) { 9720 SEND_ALERT 9721 return SECFailure; /* error code set */ 9722 } 9723 break; 9724 9725 9726 #ifdef NSS_ENABLE_ECC 9727 case kt_ecdh: 9728 /* XXX We really ought to be able to store multiple 9729 * EC certs (a requirement if we wish to support both 9730 * ECDH-RSA and ECDH-ECDSA key exchanges concurrently). 9731 * When we make that change, we'll need an index other 9732 * than kt_ecdh to pick the right EC certificate. 9733 */ 9734 if (serverKeyPair) { 9735 serverPubKey = serverKeyPair->pubKey; 9736 } 9737 if (serverPubKey == NULL) { 9738 /* XXX Is this the right error code? */ 9739 PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); 9740 return SECFailure; 9741 } 9742 rv = ssl3_HandleECDHClientKeyExchange(ss, b, length, 9743 serverPubKey, serverKey); 9744 if (rv != SECSuccess) { 9745 return SECFailure; /* error code set */ 9746 } 9747 break; 9748 #endif /* NSS_ENABLE_ECC */ 9749 9750 default: 9751 (void) ssl3_HandshakeFailure(ss); 9752 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); 9753 return SECFailure; 9754 } 9755 ss->ssl3.hs.ws = ss->sec.peerCert ? wait_cert_verify : wait_change_cipher; 9756 return SECSuccess; 9757 9758 } 9759 9760 /* This is TLS's equivalent of sending a no_certificate alert. */ 9761 static SECStatus 9762 ssl3_SendEmptyCertificate(sslSocket *ss) 9763 { 9764 SECStatus rv; 9765 9766 rv = ssl3_AppendHandshakeHeader(ss, certificate, 3); 9767 if (rv == SECSuccess) { 9768 rv = ssl3_AppendHandshakeNumber(ss, 0, 3); 9769 } 9770 return rv; /* error, if any, set by functions called above. */ 9771 } 9772 9773 SECStatus 9774 ssl3_HandleNewSessionTicket(sslSocket *ss, SSL3Opaque *b, PRUint32 length) 9775 { 9776 SECStatus rv; 9777 NewSessionTicket session_ticket; 9778 9779 SSL_TRC(3, ("%d: SSL3[%d]: handle session_ticket handshake", 9780 SSL_GETPID(), ss->fd)); 9781 9782 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 9783 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 9784 9785 if (ss->ssl3.hs.ws != wait_new_session_ticket) { 9786 SSL3_SendAlert(ss, alert_fatal, unexpected_message); 9787 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET); 9788 return SECFailure; 9789 } 9790 9791 session_ticket.received_timestamp = ssl_Time(); 9792 if (length < 4) { 9793 (void)SSL3_SendAlert(ss, alert_fatal, decode_error); 9794 PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET); 9795 return SECFailure; 9796 } 9797 session_ticket.ticket_lifetime_hint = 9798 (PRUint32)ssl3_ConsumeHandshakeNumber(ss, 4, &b, &length); 9799 9800 rv = ssl3_ConsumeHandshakeVariable(ss, &session_ticket.ticket, 2, 9801 &b, &length); 9802 if (length != 0 || rv != SECSuccess) { 9803 (void)SSL3_SendAlert(ss, alert_fatal, decode_error); 9804 PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET); 9805 return SECFailure; /* malformed */ 9806 } 9807 9808 rv = ssl3_SetSIDSessionTicket(ss->sec.ci.sid, &session_ticket); 9809 if (rv != SECSuccess) { 9810 (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure); 9811 PORT_SetError(SSL_ERROR_INTERNAL_ERROR_ALERT); 9812 return SECFailure; 9813 } 9814 ss->ssl3.hs.ws = wait_change_cipher; 9815 return SECSuccess; 9816 } 9817 9818 #ifdef NISCC_TEST 9819 static PRInt32 connNum = 0; 9820 9821 static SECStatus 9822 get_fake_cert(SECItem *pCertItem, int *pIndex) 9823 { 9824 PRFileDesc *cf; 9825 char * testdir; 9826 char * startat; 9827 char * stopat; 9828 const char *extension; 9829 int fileNum; 9830 PRInt32 numBytes = 0; 9831 PRStatus prStatus; 9832 PRFileInfo info; 9833 char cfn[100]; 9834 9835 pCertItem->data = 0; 9836 if ((testdir = PR_GetEnv("NISCC_TEST")) == NULL) { 9837 return SECSuccess; 9838 } 9839 *pIndex = (NULL != strstr(testdir, "root")); 9840 extension = (strstr(testdir, "simple") ? "" : ".der"); 9841 fileNum = PR_ATOMIC_INCREMENT(&connNum) - 1; 9842 if ((startat = PR_GetEnv("START_AT")) != NULL) { 9843 fileNum += atoi(startat); 9844 } 9845 if ((stopat = PR_GetEnv("STOP_AT")) != NULL && 9846 fileNum >= atoi(stopat)) { 9847 *pIndex = -1; 9848 return SECSuccess; 9849 } 9850 sprintf(cfn, "%s/%08d%s", testdir, fileNum, extension); 9851 cf = PR_Open(cfn, PR_RDONLY, 0); 9852 if (!cf) { 9853 goto loser; 9854 } 9855 prStatus = PR_GetOpenFileInfo(cf, &info); 9856 if (prStatus != PR_SUCCESS) { 9857 PR_Close(cf); 9858 goto loser; 9859 } 9860 pCertItem = SECITEM_AllocItem(NULL, pCertItem, info.size); 9861 if (pCertItem) { 9862 numBytes = PR_Read(cf, pCertItem->data, info.size); 9863 } 9864 PR_Close(cf); 9865 if (numBytes != info.size) { 9866 SECITEM_FreeItem(pCertItem, PR_FALSE); 9867 PORT_SetError(SEC_ERROR_IO); 9868 goto loser; 9869 } 9870 fprintf(stderr, "using %s\n", cfn); 9871 return SECSuccess; 9872 9873 loser: 9874 fprintf(stderr, "failed to use %s\n", cfn); 9875 *pIndex = -1; 9876 return SECFailure; 9877 } 9878 #endif 9879 9880 /* 9881 * Used by both client and server. 9882 * Called from HandleServerHelloDone and from SendServerHelloSequence. 9883 */ 9884 static SECStatus 9885 ssl3_SendCertificate(sslSocket *ss) 9886 { 9887 SECStatus rv; 9888 CERTCertificateList *certChain; 9889 int len = 0; 9890 int i; 9891 SSL3KEAType certIndex; 9892 #ifdef NISCC_TEST 9893 SECItem fakeCert; 9894 int ndex = -1; 9895 #endif 9896 9897 SSL_TRC(3, ("%d: SSL3[%d]: send certificate handshake", 9898 SSL_GETPID(), ss->fd)); 9899 9900 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 9901 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 9902 9903 if (ss->sec.localCert) 9904 CERT_DestroyCertificate(ss->sec.localCert); 9905 if (ss->sec.isServer) { 9906 sslServerCerts * sc = NULL; 9907 9908 /* XXX SSLKEAType isn't really a good choice for 9909 * indexing certificates (it breaks when we deal 9910 * with (EC)DHE-* cipher suites. This hack ensures 9911 * the RSA cert is picked for (EC)DHE-RSA. 9912 * Revisit this when we add server side support 9913 * for ECDHE-ECDSA or client-side authentication 9914 * using EC certificates. 9915 */ 9916 if ((ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) || 9917 (ss->ssl3.hs.kea_def->kea == kea_dhe_rsa)) { 9918 certIndex = kt_rsa; 9919 } else { 9920 certIndex = ss->ssl3.hs.kea_def->exchKeyType; 9921 } 9922 sc = ss->serverCerts + certIndex; 9923 certChain = sc->serverCertChain; 9924 ss->sec.authKeyBits = sc->serverKeyBits; 9925 ss->sec.authAlgorithm = ss->ssl3.hs.kea_def->signKeyType; 9926 ss->sec.localCert = CERT_DupCertificate(sc->serverCert); 9927 } else { 9928 certChain = ss->ssl3.clientCertChain; 9929 ss->sec.localCert = CERT_DupCertificate(ss->ssl3.clientCertificate); 9930 } 9931 9932 #ifdef NISCC_TEST 9933 rv = get_fake_cert(&fakeCert, &ndex); 9934 #endif 9935 9936 if (certChain) { 9937 for (i = 0; i < certChain->len; i++) { 9938 #ifdef NISCC_TEST 9939 if (fakeCert.len > 0 && i == ndex) { 9940 len += fakeCert.len + 3; 9941 } else { 9942 len += certChain->certs[i].len + 3; 9943 } 9944 #else 9945 len += certChain->certs[i].len + 3; 9946 #endif 9947 } 9948 } 9949 9950 rv = ssl3_AppendHandshakeHeader(ss, certificate, len + 3); 9951 if (rv != SECSuccess) { 9952 return rv; /* err set by AppendHandshake. */ 9953 } 9954 rv = ssl3_AppendHandshakeNumber(ss, len, 3); 9955 if (rv != SECSuccess) { 9956 return rv; /* err set by AppendHandshake. */ 9957 } 9958 if (certChain) { 9959 for (i = 0; i < certChain->len; i++) { 9960 #ifdef NISCC_TEST 9961 if (fakeCert.len > 0 && i == ndex) { 9962 rv = ssl3_AppendHandshakeVariable(ss, fakeCert.data, 9963 fakeCert.len, 3); 9964 SECITEM_FreeItem(&fakeCert, PR_FALSE); 9965 } else { 9966 rv = ssl3_AppendHandshakeVariable(ss, certChain->certs[i].data, 9967 certChain->certs[i].len, 3); 9968 } 9969 #else 9970 rv = ssl3_AppendHandshakeVariable(ss, certChain->certs[i].data, 9971 certChain->certs[i].len, 3); 9972 #endif 9973 if (rv != SECSuccess) { 9974 return rv; /* err set by AppendHandshake. */ 9975 } 9976 } 9977 } 9978 9979 return SECSuccess; 9980 } 9981 9982 /* 9983 * Used by server only. 9984 * single-stapling, send only a single cert status 9985 */ 9986 static SECStatus 9987 ssl3_SendCertificateStatus(sslSocket *ss) 9988 { 9989 SECStatus rv; 9990 int len = 0; 9991 SECItemArray *statusToSend = NULL; 9992 SSL3KEAType certIndex; 9993 9994 SSL_TRC(3, ("%d: SSL3[%d]: send certificate status handshake", 9995 SSL_GETPID(), ss->fd)); 9996 9997 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 9998 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 9999 PORT_Assert( ss->sec.isServer); 10000 10001 if (!ssl3_ExtensionNegotiated(ss, ssl_cert_status_xtn)) 10002 return SECSuccess; 10003 10004 /* Use certStatus based on the cert being used. */ 10005 if ((ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) || 10006 (ss->ssl3.hs.kea_def->kea == kea_dhe_rsa)) { 10007 certIndex = kt_rsa; 10008 } else { 10009 certIndex = ss->ssl3.hs.kea_def->exchKeyType; 10010 } 10011 if (ss->certStatusArray[certIndex] && ss->certStatusArray[certIndex]->len) { 10012 statusToSend = ss->certStatusArray[certIndex]; 10013 } 10014 if (!statusToSend) 10015 return SECSuccess; 10016 10017 /* Use the array's first item only (single stapling) */ 10018 len = 1 + statusToSend->items[0].len + 3; 10019 10020 rv = ssl3_AppendHandshakeHeader(ss, certificate_status, len); 10021 if (rv != SECSuccess) { 10022 return rv; /* err set by AppendHandshake. */ 10023 } 10024 rv = ssl3_AppendHandshakeNumber(ss, 1 /*ocsp*/, 1); 10025 if (rv != SECSuccess) 10026 return rv; /* err set by AppendHandshake. */ 10027 10028 rv = ssl3_AppendHandshakeVariable(ss, 10029 statusToSend->items[0].data, 10030 statusToSend->items[0].len, 10031 3); 10032 if (rv != SECSuccess) 10033 return rv; /* err set by AppendHandshake. */ 10034 10035 return SECSuccess; 10036 } 10037 10038 /* This is used to delete the CA certificates in the peer certificate chain 10039 * from the cert database after they've been validated. 10040 */ 10041 static void 10042 ssl3_CleanupPeerCerts(sslSocket *ss) 10043 { 10044 PLArenaPool * arena = ss->ssl3.peerCertArena; 10045 ssl3CertNode *certs = (ssl3CertNode *)ss->ssl3.peerCertChain; 10046 10047 for (; certs; certs = certs->next) { 10048 CERT_DestroyCertificate(certs->cert); 10049 } 10050 if (arena) PORT_FreeArena(arena, PR_FALSE); 10051 ss->ssl3.peerCertArena = NULL; 10052 ss->ssl3.peerCertChain = NULL; 10053 } 10054 10055 static void 10056 ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid) 10057 { 10058 PLArenaPool *arena; 10059 ssl3CertNode *lastCert = NULL; 10060 ssl3CertNode *certs = NULL; 10061 int i; 10062 10063 if (!sid->peerCertChain[0]) 10064 return; 10065 PORT_Assert(!ss->ssl3.peerCertArena); 10066 PORT_Assert(!ss->ssl3.peerCertChain); 10067 ss->ssl3.peerCertArena = arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); 10068 for (i = 0; i < MAX_PEER_CERT_CHAIN_SIZE && sid->peerCertChain[i]; i++) { 10069 ssl3CertNode *c = PORT_ArenaNew(arena, ssl3CertNode); 10070 c->cert = CERT_DupCertificate(sid->peerCertChain[i]); 10071 c->next = NULL; 10072 if (lastCert) { 10073 lastCert->next = c; 10074 } else { 10075 certs = c; 10076 } 10077 lastCert = c; 10078 } 10079 ss->ssl3.peerCertChain = certs; 10080 } 10081 10082 static void 10083 ssl3_CopyPeerCertsToSID(ssl3CertNode *certs, sslSessionID *sid) 10084 { 10085 int i = 0; 10086 ssl3CertNode *c = certs; 10087 for (; i < MAX_PEER_CERT_CHAIN_SIZE && c; i++, c = c->next) { 10088 PORT_Assert(!sid->peerCertChain[i]); 10089 sid->peerCertChain[i] = CERT_DupCertificate(c->cert); 10090 } 10091 } 10092 10093 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete 10094 * ssl3 CertificateStatus message. 10095 * Caller must hold Handshake and RecvBuf locks. 10096 * This is always called before ssl3_HandleCertificate, even if the Certificate 10097 * message is sent first. 10098 */ 10099 static SECStatus 10100 ssl3_HandleCertificateStatus(sslSocket *ss, SSL3Opaque *b, PRUint32 length) 10101 { 10102 PRInt32 status, len; 10103 10104 if (ss->ssl3.hs.ws != wait_certificate_status) { 10105 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); 10106 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_STATUS); 10107 return SECFailure; 10108 } 10109 10110 PORT_Assert(!ss->sec.isServer); 10111 10112 /* Consume the CertificateStatusType enum */ 10113 status = ssl3_ConsumeHandshakeNumber(ss, 1, &b, &length); 10114 if (status != 1 /* ocsp */) { 10115 goto format_loser; 10116 } 10117 10118 len = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length); 10119 if (len != length) { 10120 goto format_loser; 10121 } 10122 10123 #define MAX_CERTSTATUS_LEN 0x1ffff /* 128k - 1 */ 10124 if (length > MAX_CERTSTATUS_LEN) 10125 goto format_loser; 10126 #undef MAX_CERTSTATUS_LEN 10127 10128 /* Array size 1, because we currently implement single-stapling only */ 10129 SECITEM_AllocArray(NULL, &ss->sec.ci.sid->peerCertStatus, 1); 10130 if (!ss->sec.ci.sid->peerCertStatus.items) 10131 return SECFailure; 10132 10133 ss->sec.ci.sid->peerCertStatus.items[0].data = PORT_Alloc(length); 10134 10135 if (!ss->sec.ci.sid->peerCertStatus.items[0].data) { 10136 SECITEM_FreeArray(&ss->sec.ci.sid->peerCertStatus, PR_FALSE); 10137 return SECFailure; 10138 } 10139 10140 PORT_Memcpy(ss->sec.ci.sid->peerCertStatus.items[0].data, b, length); 10141 ss->sec.ci.sid->peerCertStatus.items[0].len = length; 10142 ss->sec.ci.sid->peerCertStatus.items[0].type = siBuffer; 10143 10144 return ssl3_AuthCertificate(ss); 10145 10146 format_loser: 10147 return ssl3_DecodeError(ss); 10148 } 10149 10150 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete 10151 * ssl3 Certificate message. 10152 * Caller must hold Handshake and RecvBuf locks. 10153 */ 10154 static SECStatus 10155 ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) 10156 { 10157 ssl3CertNode * c; 10158 ssl3CertNode * lastCert = NULL; 10159 PRInt32 remaining = 0; 10160 PRInt32 size; 10161 SECStatus rv; 10162 PRBool isServer = (PRBool)(!!ss->sec.isServer); 10163 PRBool isTLS; 10164 SSL3AlertDescription desc; 10165 int errCode = SSL_ERROR_RX_MALFORMED_CERTIFICATE; 10166 SECItem certItem; 10167 10168 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate handshake", 10169 SSL_GETPID(), ss->fd)); 10170 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 10171 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 10172 10173 if ((ss->ssl3.hs.ws != wait_server_cert) && 10174 (ss->ssl3.hs.ws != wait_client_cert)) { 10175 desc = unexpected_message; 10176 errCode = SSL_ERROR_RX_UNEXPECTED_CERTIFICATE; 10177 goto alert_loser; 10178 } 10179 10180 if (ss->sec.peerCert != NULL) { 10181 if (ss->sec.peerKey) { 10182 SECKEY_DestroyPublicKey(ss->sec.peerKey); 10183 ss->sec.peerKey = NULL; 10184 } 10185 CERT_DestroyCertificate(ss->sec.peerCert); 10186 ss->sec.peerCert = NULL; 10187 } 10188 10189 ssl3_CleanupPeerCerts(ss); 10190 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); 10191 10192 /* It is reported that some TLS client sends a Certificate message 10193 ** with a zero-length message body. We'll treat that case like a 10194 ** normal no_certificates message to maximize interoperability. 10195 */ 10196 if (length) { 10197 remaining = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length); 10198 if (remaining < 0) 10199 goto loser; /* fatal alert already sent by ConsumeHandshake. */ 10200 if ((PRUint32)remaining > length) 10201 goto decode_loser; 10202 } 10203 10204 if (!remaining) { 10205 if (!(isTLS && isServer)) { 10206 desc = bad_certificate; 10207 goto alert_loser; 10208 } 10209 /* This is TLS's version of a no_certificate alert. */ 10210 /* I'm a server. I've requested a client cert. He hasn't got one. */ 10211 rv = ssl3_HandleNoCertificate(ss); 10212 if (rv != SECSuccess) { 10213 errCode = PORT_GetError(); 10214 goto loser; 10215 } 10216 ss->ssl3.hs.ws = wait_client_key; 10217 return SECSuccess; 10218 } 10219 10220 ss->ssl3.peerCertArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); 10221 if (ss->ssl3.peerCertArena == NULL) { 10222 goto loser; /* don't send alerts on memory errors */ 10223 } 10224 10225 /* First get the peer cert. */ 10226 remaining -= 3; 10227 if (remaining < 0) 10228 goto decode_loser; 10229 10230 size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length); 10231 if (size <= 0) 10232 goto loser; /* fatal alert already sent by ConsumeHandshake. */ 10233 10234 if (remaining < size) 10235 goto decode_loser; 10236 10237 certItem.data = b; 10238 certItem.len = size; 10239 b += size; 10240 length -= size; 10241 remaining -= size; 10242 10243 ss->sec.peerCert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL, 10244 PR_FALSE, PR_TRUE); 10245 if (ss->sec.peerCert == NULL) { 10246 /* We should report an alert if the cert was bad, but not if the 10247 * problem was just some local problem, like memory error. 10248 */ 10249 goto ambiguous_err; 10250 } 10251 10252 /* Now get all of the CA certs. */ 10253 while (remaining > 0) { 10254 remaining -= 3; 10255 if (remaining < 0) 10256 goto decode_loser; 10257 10258 size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length); 10259 if (size <= 0) 10260 goto loser; /* fatal alert already sent by ConsumeHandshake. */ 10261 10262 if (remaining < size) 10263 goto decode_loser; 10264 10265 certItem.data = b; 10266 certItem.len = size; 10267 b += size; 10268 length -= size; 10269 remaining -= size; 10270 10271 c = PORT_ArenaNew(ss->ssl3.peerCertArena, ssl3CertNode); 10272 if (c == NULL) { 10273 goto loser; /* don't send alerts on memory errors */ 10274 } 10275 10276 c->cert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL, 10277 PR_FALSE, PR_TRUE); 10278 if (c->cert == NULL) { 10279 goto ambiguous_err; 10280 } 10281 10282 c->next = NULL; 10283 if (lastCert) { 10284 lastCert->next = c; 10285 } else { 10286 ss->ssl3.peerCertChain = c; 10287 } 10288 lastCert = c; 10289 } 10290 10291 if (remaining != 0) 10292 goto decode_loser; 10293 10294 SECKEY_UpdateCertPQG(ss->sec.peerCert); 10295 10296 if (!isServer && ssl3_ExtensionNegotiated(ss, ssl_cert_status_xtn)) { 10297 ss->ssl3.hs.ws = wait_certificate_status; 10298 rv = SECSuccess; 10299 } else { 10300 rv = ssl3_AuthCertificate(ss); /* sets ss->ssl3.hs.ws */ 10301 } 10302 10303 return rv; 10304 10305 ambiguous_err: 10306 errCode = PORT_GetError(); 10307 switch (errCode) { 10308 case PR_OUT_OF_MEMORY_ERROR: 10309 case SEC_ERROR_BAD_DATABASE: 10310 case SEC_ERROR_NO_MEMORY: 10311 if (isTLS) { 10312 desc = internal_error; 10313 goto alert_loser; 10314 } 10315 goto loser; 10316 } 10317 ssl3_SendAlertForCertError(ss, errCode); 10318 goto loser; 10319 10320 decode_loser: 10321 desc = isTLS ? decode_error : bad_certificate; 10322 10323 alert_loser: 10324 (void)SSL3_SendAlert(ss, alert_fatal, desc); 10325 10326 loser: 10327 (void)ssl_MapLowLevelError(errCode); 10328 return SECFailure; 10329 } 10330 10331 static SECStatus 10332 ssl3_AuthCertificate(sslSocket *ss) 10333 { 10334 SECStatus rv; 10335 PRBool isServer = (PRBool)(!!ss->sec.isServer); 10336 int errCode; 10337 10338 ss->ssl3.hs.authCertificatePending = PR_FALSE; 10339 10340 /* 10341 * Ask caller-supplied callback function to validate cert chain. 10342 */ 10343 rv = (SECStatus)(*ss->authCertificate)(ss->authCertificateArg, ss->fd, 10344 PR_TRUE, isServer); 10345 if (rv) { 10346 errCode = PORT_GetError(); 10347 if (rv != SECWouldBlock) { 10348 if (ss->handleBadCert) { 10349 rv = (*ss->handleBadCert)(ss->badCertArg, ss->fd); 10350 } 10351 } 10352 10353 if (rv == SECWouldBlock) { 10354 if (ss->sec.isServer) { 10355 errCode = SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SERVERS; 10356 rv = SECFailure; 10357 goto loser; 10358 } 10359 10360 ss->ssl3.hs.authCertificatePending = PR_TRUE; 10361 rv = SECSuccess; 10362 } 10363 10364 if (rv != SECSuccess) { 10365 ssl3_SendAlertForCertError(ss, errCode); 10366 goto loser; 10367 } 10368 } 10369 10370 ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert); 10371 ssl3_CopyPeerCertsToSID(ss->ssl3.peerCertChain, ss->sec.ci.sid); 10372 10373 if (!ss->sec.isServer) { 10374 CERTCertificate *cert = ss->sec.peerCert; 10375 10376 /* set the server authentication and key exchange types and sizes 10377 ** from the value in the cert. If the key exchange key is different, 10378 ** it will get fixed when we handle the server key exchange message. 10379 */ 10380 SECKEYPublicKey * pubKey = CERT_ExtractPublicKey(cert); 10381 ss->sec.authAlgorithm = ss->ssl3.hs.kea_def->signKeyType; 10382 ss->sec.keaType = ss->ssl3.hs.kea_def->exchKeyType; 10383 if (pubKey) { 10384 ss->sec.keaKeyBits = ss->sec.authKeyBits = 10385 SECKEY_PublicKeyStrengthInBits(pubKey); 10386 #ifdef NSS_ENABLE_ECC 10387 if (ss->sec.keaType == kt_ecdh) { 10388 /* Get authKeyBits from signing key. 10389 * XXX The code below uses a quick approximation of 10390 * key size based on cert->signatureWrap.signature.data 10391 * (which contains the DER encoded signature). The field 10392 * cert->signatureWrap.signature.len contains the 10393 * length of the encoded signature in bits. 10394 */ 10395 if (ss->ssl3.hs.kea_def->kea == kea_ecdh_ecdsa) { 10396 ss->sec.authKeyBits = 10397 cert->signatureWrap.signature.data[3]*8; 10398 if (cert->signatureWrap.signature.data[4] == 0x00) 10399 ss->sec.authKeyBits -= 8; 10400 /* 10401 * XXX: if cert is not signed by ecdsa we should 10402 * destroy pubKey and goto bad_cert 10403 */ 10404 } else if (ss->ssl3.hs.kea_def->kea == kea_ecdh_rsa) { 10405 ss->sec.authKeyBits = cert->signatureWrap.signature.len; 10406 /* 10407 * XXX: if cert is not signed by rsa we should 10408 * destroy pubKey and goto bad_cert 10409 */ 10410 } 10411 } 10412 #endif /* NSS_ENABLE_ECC */ 10413 SECKEY_DestroyPublicKey(pubKey); 10414 pubKey = NULL; 10415 } 10416 10417 ss->ssl3.hs.ws = wait_cert_request; /* disallow server_key_exchange */ 10418 if (ss->ssl3.hs.kea_def->is_limited || 10419 /* XXX OR server cert is signing only. */ 10420 #ifdef NSS_ENABLE_ECC 10421 ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa || 10422 ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa || 10423 #endif /* NSS_ENABLE_ECC */ 10424 ss->ssl3.hs.kea_def->exchKeyType == kt_dh) { 10425 ss->ssl3.hs.ws = wait_server_key; /* allow server_key_exchange */ 10426 } 10427 } else { 10428 ss->ssl3.hs.ws = wait_client_key; 10429 } 10430 10431 PORT_Assert(rv == SECSuccess); 10432 if (rv != SECSuccess) { 10433 errCode = SEC_ERROR_LIBRARY_FAILURE; 10434 rv = SECFailure; 10435 goto loser; 10436 } 10437 10438 return rv; 10439 10440 loser: 10441 (void)ssl_MapLowLevelError(errCode); 10442 return SECFailure; 10443 } 10444 10445 static SECStatus ssl3_FinishHandshake(sslSocket *ss); 10446 10447 static SECStatus 10448 ssl3_AlwaysFail(sslSocket * ss) 10449 { 10450 PORT_SetError(PR_INVALID_STATE_ERROR); 10451 return SECFailure; 10452 } 10453 10454 /* Caller must hold 1stHandshakeLock. 10455 */ 10456 SECStatus 10457 ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode error) 10458 { 10459 SECStatus rv; 10460 10461 PORT_Assert(ss->opt.noLocks || ssl_Have1stHandshakeLock(ss)); 10462 10463 if (ss->sec.isServer) { 10464 PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SERVERS); 10465 return SECFailure; 10466 } 10467 10468 ssl_GetRecvBufLock(ss); 10469 ssl_GetSSL3HandshakeLock(ss); 10470 10471 if (!ss->ssl3.hs.authCertificatePending) { 10472 PORT_SetError(PR_INVALID_STATE_ERROR); 10473 rv = SECFailure; 10474 goto done; 10475 } 10476 10477 ss->ssl3.hs.authCertificatePending = PR_FALSE; 10478 10479 if (error != 0) { 10480 ss->ssl3.hs.restartTarget = ssl3_AlwaysFail; 10481 ssl3_SendAlertForCertError(ss, error); 10482 rv = SECSuccess; 10483 } else if (ss->ssl3.hs.restartTarget != NULL) { 10484 sslRestartTarget target = ss->ssl3.hs.restartTarget; 10485 ss->ssl3.hs.restartTarget = NULL; 10486 10487 if (target == ssl3_FinishHandshake) { 10488 SSL_TRC(3,("%d: SSL3[%p]: certificate authentication lost the race" 10489 " with peer's finished message", SSL_GETPID(), ss->fd)); 10490 } 10491 10492 rv = target(ss); 10493 /* Even if we blocked here, we have accomplished enough to claim 10494 * success. Any remaining work will be taken care of by subsequent 10495 * calls to SSL_ForceHandshake/PR_Send/PR_Read/etc. 10496 */ 10497 if (rv == SECWouldBlock) { 10498 rv = SECSuccess; 10499 } 10500 } else { 10501 SSL_TRC(3, ("%d: SSL3[%p]: certificate authentication won the race with" 10502 " peer's finished message", SSL_GETPID(), ss->fd)); 10503 10504 PORT_Assert(!ss->firstHsDone); 10505 PORT_Assert(!ss->sec.isServer); 10506 PORT_Assert(!ss->ssl3.hs.isResuming); 10507 PORT_Assert(ss->ssl3.hs.ws != idle_handshake); 10508 10509 if (ss->opt.enableFalseStart && 10510 !ss->firstHsDone && 10511 !ss->sec.isServer && 10512 !ss->ssl3.hs.isResuming && 10513 ssl3_WaitingForStartOfServerSecondRound(ss)) { 10514 /* ssl3_SendClientSecondRound deferred the false start check because 10515 * certificate authentication was pending, so we do it now if we still 10516 * haven't received any of the server's second round yet. 10517 */ 10518 rv = ssl3_CheckFalseStart(ss); 10519 } else { 10520 rv = SECSuccess; 10521 } 10522 } 10523 10524 done: 10525 ssl_ReleaseSSL3HandshakeLock(ss); 10526 ssl_ReleaseRecvBufLock(ss); 10527 10528 return rv; 10529 } 10530 10531 static SECStatus 10532 ssl3_ComputeTLSFinished(ssl3CipherSpec *spec, 10533 PRBool isServer, 10534 const SSL3Hashes * hashes, 10535 TLSFinished * tlsFinished) 10536 { 10537 const char * label; 10538 unsigned int len; 10539 SECStatus rv; 10540 10541 label = isServer ? "server finished" : "client finished"; 10542 len = 15; 10543 10544 rv = ssl3_TLSPRFWithMasterSecret(spec, label, len, hashes->u.raw, 10545 hashes->len, tlsFinished->verify_data, 10546 sizeof tlsFinished->verify_data); 10547 10548 return rv; 10549 } 10550 10551 /* The calling function must acquire and release the appropriate 10552 * lock (e.g., ssl_GetSpecReadLock / ssl_ReleaseSpecReadLock for 10553 * ss->ssl3.crSpec). 10554 */ 10555 SECStatus 10556 ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec, const char *label, 10557 unsigned int labelLen, const unsigned char *val, unsigned int valLen, 10558 unsigned char *out, unsigned int outLen) 10559 { 10560 SECStatus rv = SECSuccess; 10561 10562 if (spec->master_secret && !spec->bypassCiphers) { 10563 SECItem param = {siBuffer, NULL, 0}; 10564 CK_MECHANISM_TYPE mech = CKM_TLS_PRF_GENERAL; 10565 PK11Context *prf_context; 10566 unsigned int retLen; 10567 10568 if (spec->version >= SSL_LIBRARY_VERSION_TLS_1_2) { 10569 mech = CKM_NSS_TLS_PRF_GENERAL_SHA256; 10570 } 10571 prf_context = PK11_CreateContextBySymKey(mech, CKA_SIGN, 10572 spec->master_secret, ¶m); 10573 if (!prf_context) 10574 return SECFailure; 10575 10576 rv = PK11_DigestBegin(prf_context); 10577 rv |= PK11_DigestOp(prf_context, (unsigned char *) label, labelLen); 10578 rv |= PK11_DigestOp(prf_context, val, valLen); 10579 rv |= PK11_DigestFinal(prf_context, out, &retLen, outLen); 10580 PORT_Assert(rv != SECSuccess || retLen == outLen); 10581 10582 PK11_DestroyContext(prf_context, PR_TRUE); 10583 } else { 10584 /* bypass PKCS11 */ 10585 #ifdef NO_PKCS11_BYPASS 10586 PORT_Assert(spec->master_secret); 10587 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 10588 rv = SECFailure; 10589 #else 10590 SECItem inData = { siBuffer, }; 10591 SECItem outData = { siBuffer, }; 10592 PRBool isFIPS = PR_FALSE; 10593 10594 inData.data = (unsigned char *) val; 10595 inData.len = valLen; 10596 outData.data = out; 10597 outData.len = outLen; 10598 if (spec->version >= SSL_LIBRARY_VERSION_TLS_1_2) { 10599 rv = TLS_P_hash(HASH_AlgSHA256, &spec->msItem, label, &inData, 10600 &outData, isFIPS); 10601 } else { 10602 rv = TLS_PRF(&spec->msItem, label, &inData, &outData, isFIPS); 10603 } 10604 PORT_Assert(rv != SECSuccess || outData.len == outLen); 10605 #endif 10606 } 10607 return rv; 10608 } 10609 10610 /* called from ssl3_HandleServerHelloDone 10611 */ 10612 static SECStatus 10613 ssl3_SendNextProto(sslSocket *ss) 10614 { 10615 SECStatus rv; 10616 int padding_len; 10617 static const unsigned char padding[32] = {0}; 10618 10619 if (ss->ssl3.nextProto.len == 0 || 10620 ss->ssl3.nextProtoState == SSL_NEXT_PROTO_SELECTED) { 10621 return SECSuccess; 10622 } 10623 10624 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 10625 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 10626 10627 padding_len = 32 - ((ss->ssl3.nextProto.len + 2) % 32); 10628 10629 rv = ssl3_AppendHandshakeHeader(ss, next_proto, ss->ssl3.nextProto.len + 10630 2 + padding_len); 10631 if (rv != SECSuccess) { 10632 return rv; /* error code set by AppendHandshakeHeader */ 10633 } 10634 rv = ssl3_AppendHandshakeVariable(ss, ss->ssl3.nextProto.data, 10635 ss->ssl3.nextProto.len, 1); 10636 if (rv != SECSuccess) { 10637 return rv; /* error code set by AppendHandshake */ 10638 } 10639 rv = ssl3_AppendHandshakeVariable(ss, padding, padding_len, 1); 10640 if (rv != SECSuccess) { 10641 return rv; /* error code set by AppendHandshake */ 10642 } 10643 return rv; 10644 } 10645 10646 /* called from ssl3_SendFinished 10647 * 10648 * This function is simply a debugging aid and therefore does not return a 10649 * SECStatus. */ 10650 static void 10651 ssl3_RecordKeyLog(sslSocket *ss) 10652 { 10653 SECStatus rv; 10654 SECItem *keyData; 10655 char buf[14 /* "CLIENT_RANDOM " */ + 10656 SSL3_RANDOM_LENGTH*2 /* client_random */ + 10657 1 /* " " */ + 10658 48*2 /* master secret */ + 10659 1 /* new line */]; 10660 unsigned int j; 10661 10662 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 10663 10664 if (!ssl_keylog_iob) 10665 return; 10666 10667 rv = PK11_ExtractKeyValue(ss->ssl3.cwSpec->master_secret); 10668 if (rv != SECSuccess) 10669 return; 10670 10671 ssl_GetSpecReadLock(ss); 10672 10673 /* keyData does not need to be freed. */ 10674 keyData = PK11_GetKeyData(ss->ssl3.cwSpec->master_secret); 10675 if (!keyData || !keyData->data || keyData->len != 48) { 10676 ssl_ReleaseSpecReadLock(ss); 10677 return; 10678 } 10679 10680 /* https://developer.mozilla.org/en/NSS_Key_Log_Format */ 10681 10682 /* There could be multiple, concurrent writers to the 10683 * keylog, so we have to do everything in a single call to 10684 * fwrite. */ 10685 10686 memcpy(buf, "CLIENT_RANDOM ", 14); 10687 j = 14; 10688 hexEncode(buf + j, ss->ssl3.hs.client_random.rand, SSL3_RANDOM_LENGTH); 10689 j += SSL3_RANDOM_LENGTH*2; 10690 buf[j++] = ' '; 10691 hexEncode(buf + j, keyData->data, 48); 10692 j += 48*2; 10693 buf[j++] = '\n'; 10694 10695 PORT_Assert(j == sizeof(buf)); 10696 10697 ssl_ReleaseSpecReadLock(ss); 10698 10699 if (fwrite(buf, sizeof(buf), 1, ssl_keylog_iob) != 1) 10700 return; 10701 fflush(ssl_keylog_iob); 10702 return; 10703 } 10704 10705 /* called from ssl3_SendClientSecondRound 10706 * ssl3_HandleFinished 10707 */ 10708 static SECStatus 10709 ssl3_SendEncryptedExtensions(sslSocket *ss) 10710 { 10711 static const char CHANNEL_ID_MAGIC[] = "TLS Channel ID signature"; 10712 static const char CHANNEL_ID_RESUMPTION_MAGIC[] = "Resumption"; 10713 /* This is the ASN.1 prefix for a P-256 public key. Specifically it's: 10714 * SEQUENCE 10715 * SEQUENCE 10716 * OID id-ecPublicKey 10717 * OID prime256v1 10718 * BIT STRING, length 66, 0 trailing bits: 0x04 10719 * 10720 * The 0x04 in the BIT STRING is the prefix for an uncompressed, X9.62 10721 * public key. Following that are the two field elements as 32-byte, 10722 * big-endian numbers, as required by the Channel ID. */ 10723 static const unsigned char P256_SPKI_PREFIX[] = { 10724 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 10725 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 10726 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 10727 0x42, 0x00, 0x04 10728 }; 10729 /* ChannelIDs are always 128 bytes long: 64 bytes of P-256 public key and 64 10730 * bytes of ECDSA signature. */ 10731 static const int CHANNEL_ID_PUBLIC_KEY_LENGTH = 64; 10732 static const int CHANNEL_ID_LENGTH = 128; 10733 10734 SECStatus rv = SECFailure; 10735 SECItem *spki = NULL; 10736 SSL3Hashes hashes; 10737 const unsigned char *pub_bytes; 10738 unsigned char signed_data[sizeof(CHANNEL_ID_MAGIC) + 10739 sizeof(CHANNEL_ID_RESUMPTION_MAGIC) + 10740 sizeof(SSL3Hashes)*2]; 10741 size_t signed_data_len; 10742 unsigned char digest[SHA256_LENGTH]; 10743 SECItem digest_item; 10744 unsigned char signature[64]; 10745 SECItem signature_item; 10746 10747 PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 10748 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 10749 10750 if (ss->ssl3.channelID == NULL) 10751 return SECSuccess; 10752 10753 PORT_Assert(ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn)); 10754 10755 if (SECKEY_GetPrivateKeyType(ss->ssl3.channelID) != ecKey || 10756 PK11_SignatureLen(ss->ssl3.channelID) != sizeof(signature)) { 10757 PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY); 10758 rv = SECFailure; 10759 goto loser; 10760 } 10761 10762 ssl_GetSpecReadLock(ss); 10763 rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.cwSpec, &hashes, 0); 10764 ssl_ReleaseSpecReadLock(ss); 10765 10766 if (rv != SECSuccess) 10767 goto loser; 10768 10769 rv = ssl3_AppendHandshakeHeader(ss, encrypted_extensions, 10770 2 + 2 + CHANNEL_ID_LENGTH); 10771 if (rv != SECSuccess) 10772 goto loser; /* error code set by AppendHandshakeHeader */ 10773 rv = ssl3_AppendHandshakeNumber(ss, ssl_channel_id_xtn, 2); 10774 if (rv != SECSuccess) 10775 goto loser; /* error code set by AppendHandshake */ 10776 rv = ssl3_AppendHandshakeNumber(ss, CHANNEL_ID_LENGTH, 2); 10777 if (rv != SECSuccess) 10778 goto loser; /* error code set by AppendHandshake */ 10779 10780 spki = SECKEY_EncodeDERSubjectPublicKeyInfo(ss->ssl3.channelIDPub); 10781 10782 if (spki->len != sizeof(P256_SPKI_PREFIX) + CHANNEL_ID_PUBLIC_KEY_LENGTH || 10783 memcmp(spki->data, P256_SPKI_PREFIX, sizeof(P256_SPKI_PREFIX)) != 0) { 10784 PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY); 10785 rv = SECFailure; 10786 goto loser; 10787 } 10788 10789 pub_bytes = spki->data + sizeof(P256_SPKI_PREFIX); 10790 10791 signed_data_len = 0; 10792 memcpy(signed_data + signed_data_len, CHANNEL_ID_MAGIC, 10793 sizeof(CHANNEL_ID_MAGIC)); 10794 signed_data_len += sizeof(CHANNEL_ID_MAGIC); 10795 if (ss->ssl3.hs.isResuming) { 10796 SECItem *originalHandshakeHash = 10797 &ss->sec.ci.sid->u.ssl3.originalHandshakeHash; 10798 PORT_Assert(originalHandshakeHash->len > 0); 10799 10800 memcpy(signed_data + signed_data_len, CHANNEL_ID_RESUMPTION_MAGIC, 10801 sizeof(CHANNEL_ID_RESUMPTION_MAGIC)); 10802 signed_data_len += sizeof(CHANNEL_ID_RESUMPTION_MAGIC); 10803 memcpy(signed_data + signed_data_len, originalHandshakeHash->data, 10804 originalHandshakeHash->len); 10805 signed_data_len += originalHandshakeHash->len; 10806 } 10807 memcpy(signed_data + signed_data_len, hashes.u.raw, hashes.len); 10808 signed_data_len += hashes.len; 10809 10810 rv = PK11_HashBuf(SEC_OID_SHA256, digest, signed_data, signed_data_len); 10811 if (rv != SECSuccess) 10812 goto loser; 10813 10814 digest_item.data = digest; 10815 digest_item.len = sizeof(digest); 10816 10817 signature_item.data = signature; 10818 signature_item.len = sizeof(signature); 10819 10820 rv = PK11_Sign(ss->ssl3.channelID, &signature_item, &digest_item); 10821 if (rv != SECSuccess) 10822 goto loser; 10823 10824 rv = ssl3_AppendHandshake(ss, pub_bytes, CHANNEL_ID_PUBLIC_KEY_LENGTH); 10825 if (rv != SECSuccess) 10826 goto loser; 10827 rv = ssl3_AppendHandshake(ss, signature, sizeof(signature)); 10828 10829 loser: 10830 if (spki) 10831 SECITEM_FreeItem(spki, PR_TRUE); 10832 if (ss->ssl3.channelID) { 10833 SECKEY_DestroyPrivateKey(ss->ssl3.channelID); 10834 ss->ssl3.channelID = NULL; 10835 } 10836 if (ss->ssl3.channelIDPub) { 10837 SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub); 10838 ss->ssl3.channelIDPub = NULL; 10839 } 10840 10841 return rv; 10842 } 10843 10844 /* ssl3_RestartHandshakeAfterChannelIDReq is called to restart a handshake 10845 * after a ChannelID callback returned SECWouldBlock. At this point we have 10846 * processed the server's ServerHello but not yet any further messages. We will 10847 * always get a message from the server after a ServerHello so either they are 10848 * waiting in the buffer or we'll get network I/O. */ 10849 SECStatus 10850 ssl3_RestartHandshakeAfterChannelIDReq(sslSocket *ss, 10851 SECKEYPublicKey *channelIDPub, 10852 SECKEYPrivateKey *channelID) 10853 { 10854 if (ss->handshake == 0) { 10855 SECKEY_DestroyPublicKey(channelIDPub); 10856 SECKEY_DestroyPrivateKey(channelID); 10857 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 10858 return SECFailure; 10859 } 10860 10861 if (channelIDPub == NULL || 10862 channelID == NULL) { 10863 if (channelIDPub) 10864 SECKEY_DestroyPublicKey(channelIDPub); 10865 if (channelID) 10866 SECKEY_DestroyPrivateKey(channelID); 10867 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); 10868 return SECFailure; 10869 } 10870 10871 if (ss->ssl3.channelID) 10872 SECKEY_DestroyPrivateKey(ss->ssl3.channelID); 10873 if (ss->ssl3.channelIDPub) 10874 SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub); 10875 10876 ss->handshake = ssl_GatherRecord1stHandshake; 10877 ss->ssl3.channelID = channelID; 10878 ss->ssl3.channelIDPub = channelIDPub; 10879 10880 return SECSuccess; 10881 } 10882 10883 /* called from ssl3_HandleServerHelloDone 10884 * ssl3_HandleClientHello 10885 * ssl3_HandleFinished 10886 */ 10887 static SECStatus 10888 ssl3_SendFinished(sslSocket *ss, PRInt32 flags) 10889 { 10890 ssl3CipherSpec *cwSpec; 10891 PRBool isTLS; 10892 PRBool isServer = ss->sec.isServer; 10893 SECStatus rv; 10894 SSL3Sender sender = isServer ? sender_server : sender_client; 10895 SSL3Hashes hashes; 10896 TLSFinished tlsFinished; 10897 10898 SSL_TRC(3, ("%d: SSL3[%d]: send finished handshake", SSL_GETPID(), ss->fd)); 10899 10900 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 10901 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 10902 10903 ssl_GetSpecReadLock(ss); 10904 cwSpec = ss->ssl3.cwSpec; 10905 isTLS = (PRBool)(cwSpec->version > SSL_LIBRARY_VERSION_3_0); 10906 rv = ssl3_ComputeHandshakeHashes(ss, cwSpec, &hashes, sender); 10907 if (isTLS && rv == SECSuccess) { 10908 rv = ssl3_ComputeTLSFinished(cwSpec, isServer, &hashes, &tlsFinished); 10909 } 10910 ssl_ReleaseSpecReadLock(ss); 10911 if (rv != SECSuccess) { 10912 goto fail; /* err code was set by ssl3_ComputeHandshakeHashes */ 10913 } 10914 10915 if (isTLS) { 10916 if (isServer) 10917 ss->ssl3.hs.finishedMsgs.tFinished[1] = tlsFinished; 10918 else 10919 ss->ssl3.hs.finishedMsgs.tFinished[0] = tlsFinished; 10920 ss->ssl3.hs.finishedBytes = sizeof tlsFinished; 10921 rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof tlsFinished); 10922 if (rv != SECSuccess) 10923 goto fail; /* err set by AppendHandshake. */ 10924 rv = ssl3_AppendHandshake(ss, &tlsFinished, sizeof tlsFinished); 10925 if (rv != SECSuccess) 10926 goto fail; /* err set by AppendHandshake. */ 10927 } else { 10928 if (isServer) 10929 ss->ssl3.hs.finishedMsgs.sFinished[1] = hashes.u.s; 10930 else 10931 ss->ssl3.hs.finishedMsgs.sFinished[0] = hashes.u.s; 10932 PORT_Assert(hashes.len == sizeof hashes.u.s); 10933 ss->ssl3.hs.finishedBytes = sizeof hashes.u.s; 10934 rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof hashes.u.s); 10935 if (rv != SECSuccess) 10936 goto fail; /* err set by AppendHandshake. */ 10937 rv = ssl3_AppendHandshake(ss, &hashes.u.s, sizeof hashes.u.s); 10938 if (rv != SECSuccess) 10939 goto fail; /* err set by AppendHandshake. */ 10940 } 10941 rv = ssl3_FlushHandshake(ss, flags); 10942 if (rv != SECSuccess) { 10943 goto fail; /* error code set by ssl3_FlushHandshake */ 10944 } 10945 10946 ssl3_RecordKeyLog(ss); 10947 10948 return SECSuccess; 10949 10950 fail: 10951 return rv; 10952 } 10953 10954 /* wrap the master secret, and put it into the SID. 10955 * Caller holds the Spec read lock. 10956 */ 10957 SECStatus 10958 ssl3_CacheWrappedMasterSecret(sslSocket *ss, sslSessionID *sid, 10959 ssl3CipherSpec *spec, SSL3KEAType effectiveExchKeyType) 10960 { 10961 PK11SymKey * wrappingKey = NULL; 10962 PK11SlotInfo * symKeySlot; 10963 void * pwArg = ss->pkcs11PinArg; 10964 SECStatus rv = SECFailure; 10965 PRBool isServer = ss->sec.isServer; 10966 CK_MECHANISM_TYPE mechanism = CKM_INVALID_MECHANISM; 10967 symKeySlot = PK11_GetSlotFromKey(spec->master_secret); 10968 if (!isServer) { 10969 int wrapKeyIndex; 10970 int incarnation; 10971 10972 /* these next few functions are mere accessors and don't fail. */ 10973 sid->u.ssl3.masterWrapIndex = wrapKeyIndex = 10974 PK11_GetCurrentWrapIndex(symKeySlot); 10975 PORT_Assert(wrapKeyIndex == 0); /* array has only one entry! */ 10976 10977 sid->u.ssl3.masterWrapSeries = incarnation = 10978 PK11_GetSlotSeries(symKeySlot); 10979 sid->u.ssl3.masterSlotID = PK11_GetSlotID(symKeySlot); 10980 sid->u.ssl3.masterModuleID = PK11_GetModuleID(symKeySlot); 10981 sid->u.ssl3.masterValid = PR_TRUE; 10982 /* Get the default wrapping key, for wrapping the master secret before 10983 * placing it in the SID cache entry. */ 10984 wrappingKey = PK11_GetWrapKey(symKeySlot, wrapKeyIndex, 10985 CKM_INVALID_MECHANISM, incarnation, 10986 pwArg); 10987 if (wrappingKey) { 10988 mechanism = PK11_GetMechanism(wrappingKey); /* can't fail. */ 10989 } else { 10990 int keyLength; 10991 /* if the wrappingKey doesn't exist, attempt to create it. 10992 * Note: we intentionally ignore errors here. If we cannot 10993 * generate a wrapping key, it is not fatal to this SSL connection, 10994 * but we will not be able to restart this session. 10995 */ 10996 mechanism = PK11_GetBestWrapMechanism(symKeySlot); 10997 keyLength = PK11_GetBestKeyLength(symKeySlot, mechanism); 10998 /* Zero length means fixed key length algorithm, or error. 10999 * It's ambiguous. 11000 */ 11001 wrappingKey = PK11_KeyGen(symKeySlot, mechanism, NULL, 11002 keyLength, pwArg); 11003 if (wrappingKey) { 11004 PK11_SetWrapKey(symKeySlot, wrapKeyIndex, wrappingKey); 11005 } 11006 } 11007 } else { 11008 /* server socket using session cache. */ 11009 mechanism = PK11_GetBestWrapMechanism(symKeySlot); 11010 if (mechanism != CKM_INVALID_MECHANISM) { 11011 wrappingKey = 11012 getWrappingKey(ss, symKeySlot, effectiveExchKeyType, 11013 mechanism, pwArg); 11014 if (wrappingKey) { 11015 mechanism = PK11_GetMechanism(wrappingKey); /* can't fail. */ 11016 } 11017 } 11018 } 11019 11020 sid->u.ssl3.masterWrapMech = mechanism; 11021 PK11_FreeSlot(symKeySlot); 11022 11023 if (wrappingKey) { 11024 SECItem wmsItem; 11025 11026 wmsItem.data = sid->u.ssl3.keys.wrapped_master_secret; 11027 wmsItem.len = sizeof sid->u.ssl3.keys.wrapped_master_secret; 11028 rv = PK11_WrapSymKey(mechanism, NULL, wrappingKey, 11029 spec->master_secret, &wmsItem); 11030 /* rv is examined below. */ 11031 sid->u.ssl3.keys.wrapped_master_secret_len = wmsItem.len; 11032 PK11_FreeSymKey(wrappingKey); 11033 } 11034 return rv; 11035 } 11036 11037 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete 11038 * ssl3 Finished message from the peer. 11039 * Caller must hold Handshake and RecvBuf locks. 11040 */ 11041 static SECStatus 11042 ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length, 11043 const SSL3Hashes *hashes) 11044 { 11045 sslSessionID * sid = ss->sec.ci.sid; 11046 SECStatus rv = SECSuccess; 11047 PRBool isServer = ss->sec.isServer; 11048 PRBool isTLS; 11049 SSL3KEAType effectiveExchKeyType; 11050 11051 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 11052 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 11053 11054 SSL_TRC(3, ("%d: SSL3[%d]: handle finished handshake", 11055 SSL_GETPID(), ss->fd)); 11056 11057 if (ss->ssl3.hs.ws != wait_finished) { 11058 SSL3_SendAlert(ss, alert_fatal, unexpected_message); 11059 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_FINISHED); 11060 return SECFailure; 11061 } 11062 11063 isTLS = (PRBool)(ss->ssl3.crSpec->version > SSL_LIBRARY_VERSION_3_0); 11064 if (isTLS) { 11065 TLSFinished tlsFinished; 11066 11067 if (length != sizeof tlsFinished) { 11068 (void)SSL3_SendAlert(ss, alert_fatal, decode_error); 11069 PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED); 11070 return SECFailure; 11071 } 11072 rv = ssl3_ComputeTLSFinished(ss->ssl3.crSpec, !isServer, 11073 hashes, &tlsFinished); 11074 if (!isServer) 11075 ss->ssl3.hs.finishedMsgs.tFinished[1] = tlsFinished; 11076 else 11077 ss->ssl3.hs.finishedMsgs.tFinished[0] = tlsFinished; 11078 ss->ssl3.hs.finishedBytes = sizeof tlsFinished; 11079 if (rv != SECSuccess || 11080 0 != NSS_SecureMemcmp(&tlsFinished, b, length)) { 11081 (void)SSL3_SendAlert(ss, alert_fatal, decrypt_error); 11082 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); 11083 return SECFailure; 11084 } 11085 } else { 11086 if (length != sizeof(SSL3Finished)) { 11087 (void)ssl3_IllegalParameter(ss); 11088 PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED); 11089 return SECFailure; 11090 } 11091 11092 if (!isServer) 11093 ss->ssl3.hs.finishedMsgs.sFinished[1] = hashes->u.s; 11094 else 11095 ss->ssl3.hs.finishedMsgs.sFinished[0] = hashes->u.s; 11096 PORT_Assert(hashes->len == sizeof hashes->u.s); 11097 ss->ssl3.hs.finishedBytes = sizeof hashes->u.s; 11098 if (0 != NSS_SecureMemcmp(&hashes->u.s, b, length)) { 11099 (void)ssl3_HandshakeFailure(ss); 11100 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); 11101 return SECFailure; 11102 } 11103 } 11104 11105 ssl_GetXmitBufLock(ss); /*************************************/ 11106 11107 if ((isServer && !ss->ssl3.hs.isResuming) || 11108 (!isServer && ss->ssl3.hs.isResuming)) { 11109 PRInt32 flags = 0; 11110 11111 /* Send a NewSessionTicket message if the client sent us 11112 * either an empty session ticket, or one that did not verify. 11113 * (Note that if either of these conditions was met, then the 11114 * server has sent a SessionTicket extension in the 11115 * ServerHello message.) 11116 */ 11117 if (isServer && !ss->ssl3.hs.isResuming && 11118 ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn)) { 11119 rv = ssl3_SendNewSessionTicket(ss); 11120 if (rv != SECSuccess) { 11121 goto xmit_loser; 11122 } 11123 } 11124 11125 rv = ssl3_SendChangeCipherSpecs(ss); 11126 if (rv != SECSuccess) { 11127 goto xmit_loser; /* err is set. */ 11128 } 11129 /* If this thread is in SSL_SecureSend (trying to write some data) 11130 ** then set the ssl_SEND_FLAG_FORCE_INTO_BUFFER flag, so that the 11131 ** last two handshake messages (change cipher spec and finished) 11132 ** will be sent in the same send/write call as the application data. 11133 */ 11134 if (ss->writerThread == PR_GetCurrentThread()) { 11135 flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER; 11136 } 11137 11138 if (!isServer) { 11139 if (!ss->firstHsDone) { 11140 rv = ssl3_SendNextProto(ss); 11141 if (rv != SECSuccess) { 11142 goto xmit_loser; /* err code was set. */ 11143 } 11144 } 11145 rv = ssl3_SendEncryptedExtensions(ss); 11146 if (rv != SECSuccess) 11147 goto xmit_loser; /* err code was set. */ 11148 } 11149 11150 if (IS_DTLS(ss)) { 11151 flags |= ssl_SEND_FLAG_NO_RETRANSMIT; 11152 } 11153 11154 rv = ssl3_SendFinished(ss, flags); 11155 if (rv != SECSuccess) { 11156 goto xmit_loser; /* err is set. */ 11157 } 11158 } 11159 11160 xmit_loser: 11161 ssl_ReleaseXmitBufLock(ss); /*************************************/ 11162 if (rv != SECSuccess) { 11163 return rv; 11164 } 11165 11166 if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) { 11167 effectiveExchKeyType = kt_rsa; 11168 } else { 11169 effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType; 11170 } 11171 11172 if (sid->cached == never_cached && !ss->opt.noCache && ss->sec.cache) { 11173 /* fill in the sid */ 11174 sid->u.ssl3.cipherSuite = ss->ssl3.hs.cipher_suite; 11175 sid->u.ssl3.compression = ss->ssl3.hs.compression; 11176 sid->u.ssl3.policy = ss->ssl3.policy; 11177 #ifdef NSS_ENABLE_ECC 11178 sid->u.ssl3.negotiatedECCurves = ss->ssl3.hs.negotiatedECCurves; 11179 #endif 11180 sid->u.ssl3.exchKeyType = effectiveExchKeyType; 11181 sid->version = ss->version; 11182 sid->authAlgorithm = ss->sec.authAlgorithm; 11183 sid->authKeyBits = ss->sec.authKeyBits; 11184 sid->keaType = ss->sec.keaType; 11185 sid->keaKeyBits = ss->sec.keaKeyBits; 11186 sid->lastAccessTime = sid->creationTime = ssl_Time(); 11187 sid->expirationTime = sid->creationTime + ssl3_sid_timeout; 11188 sid->localCert = CERT_DupCertificate(ss->sec.localCert); 11189 11190 ssl_GetSpecReadLock(ss); /*************************************/ 11191 11192 /* Copy the master secret (wrapped or unwrapped) into the sid */ 11193 if (ss->ssl3.crSpec->msItem.len && ss->ssl3.crSpec->msItem.data) { 11194 sid->u.ssl3.keys.wrapped_master_secret_len = 11195 ss->ssl3.crSpec->msItem.len; 11196 memcpy(sid->u.ssl3.keys.wrapped_master_secret, 11197 ss->ssl3.crSpec->msItem.data, ss->ssl3.crSpec->msItem.len); 11198 sid->u.ssl3.masterValid = PR_TRUE; 11199 sid->u.ssl3.keys.msIsWrapped = PR_FALSE; 11200 rv = SECSuccess; 11201 } else { 11202 rv = ssl3_CacheWrappedMasterSecret(ss, ss->sec.ci.sid, 11203 ss->ssl3.crSpec, 11204 effectiveExchKeyType); 11205 sid->u.ssl3.keys.msIsWrapped = PR_TRUE; 11206 } 11207 ssl_ReleaseSpecReadLock(ss); /*************************************/ 11208 11209 /* If the wrap failed, we don't cache the sid. 11210 * The connection continues normally however. 11211 */ 11212 ss->ssl3.hs.cacheSID = rv == SECSuccess; 11213 } 11214 11215 if (ss->ssl3.hs.authCertificatePending) { 11216 if (ss->ssl3.hs.restartTarget) { 11217 PR_NOT_REACHED("ssl3_HandleFinished: unexpected restartTarget"); 11218 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 11219 return SECFailure; 11220 } 11221 11222 ss->ssl3.hs.restartTarget = ssl3_FinishHandshake; 11223 return SECWouldBlock; 11224 } 11225 11226 rv = ssl3_FinishHandshake(ss); 11227 return rv; 11228 } 11229 11230 /* The return type is SECStatus instead of void because this function needs 11231 * to have type sslRestartTarget. 11232 */ 11233 SECStatus 11234 ssl3_FinishHandshake(sslSocket * ss) 11235 { 11236 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 11237 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 11238 PORT_Assert( ss->ssl3.hs.restartTarget == NULL ); 11239 11240 /* The first handshake is now completed. */ 11241 ss->handshake = NULL; 11242 11243 if (ss->ssl3.hs.cacheSID && ss->sec.isServer) { 11244 (*ss->sec.cache)(ss->sec.ci.sid); 11245 ss->ssl3.hs.cacheSID = PR_FALSE; 11246 } 11247 11248 ss->ssl3.hs.canFalseStart = PR_FALSE; /* False Start phase is complete */ 11249 ss->ssl3.hs.ws = idle_handshake; 11250 11251 ssl_FinishHandshake(ss); 11252 11253 return SECSuccess; 11254 } 11255 11256 /* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3 11257 * hanshake message. 11258 * Caller must hold Handshake and RecvBuf locks. 11259 */ 11260 SECStatus 11261 ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length) 11262 { 11263 SECStatus rv = SECSuccess; 11264 SSL3HandshakeType type = ss->ssl3.hs.msg_type; 11265 SSL3Hashes hashes; /* computed hashes are put here. */ 11266 PRUint8 hdr[4]; 11267 PRUint8 dtlsData[8]; 11268 11269 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 11270 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 11271 /* 11272 * We have to compute the hashes before we update them with the 11273 * current message. 11274 */ 11275 ssl_GetSpecReadLock(ss); /************************************/ 11276 if((type == finished) || (type == certificate_verify)) { 11277 SSL3Sender sender = (SSL3Sender)0; 11278 ssl3CipherSpec *rSpec = ss->ssl3.prSpec; 11279 11280 if (type == finished) { 11281 sender = ss->sec.isServer ? sender_client : sender_server; 11282 rSpec = ss->ssl3.crSpec; 11283 } 11284 rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender); 11285 } 11286 ssl_ReleaseSpecReadLock(ss); /************************************/ 11287 if (rv != SECSuccess) { 11288 return rv; /* error code was set by ssl3_ComputeHandshakeHashes*/ 11289 } 11290 SSL_TRC(30,("%d: SSL3[%d]: handle handshake message: %s", SSL_GETPID(), 11291 ss->fd, ssl3_DecodeHandshakeType(ss->ssl3.hs.msg_type))); 11292 11293 hdr[0] = (PRUint8)ss->ssl3.hs.msg_type; 11294 hdr[1] = (PRUint8)(length >> 16); 11295 hdr[2] = (PRUint8)(length >> 8); 11296 hdr[3] = (PRUint8)(length ); 11297 11298 /* Start new handshake hashes when we start a new handshake */ 11299 if (ss->ssl3.hs.msg_type == client_hello) { 11300 rv = ssl3_RestartHandshakeHashes(ss); 11301 if (rv != SECSuccess) { 11302 return rv; 11303 } 11304 } 11305 /* We should not include hello_request and hello_verify_request messages 11306 * in the handshake hashes */ 11307 if ((ss->ssl3.hs.msg_type != hello_request) && 11308 (ss->ssl3.hs.msg_type != hello_verify_request)) { 11309 rv = ssl3_UpdateHandshakeHashes(ss, (unsigned char*) hdr, 4); 11310 if (rv != SECSuccess) return rv; /* err code already set. */ 11311 11312 /* Extra data to simulate a complete DTLS handshake fragment */ 11313 if (IS_DTLS(ss)) { 11314 /* Sequence number */ 11315 dtlsData[0] = MSB(ss->ssl3.hs.recvMessageSeq); 11316 dtlsData[1] = LSB(ss->ssl3.hs.recvMessageSeq); 11317 11318 /* Fragment offset */ 11319 dtlsData[2] = 0; 11320 dtlsData[3] = 0; 11321 dtlsData[4] = 0; 11322 11323 /* Fragment length */ 11324 dtlsData[5] = (PRUint8)(length >> 16); 11325 dtlsData[6] = (PRUint8)(length >> 8); 11326 dtlsData[7] = (PRUint8)(length ); 11327 11328 rv = ssl3_UpdateHandshakeHashes(ss, (unsigned char*) dtlsData, 11329 sizeof(dtlsData)); 11330 if (rv != SECSuccess) return rv; /* err code already set. */ 11331 } 11332 11333 /* The message body */ 11334 rv = ssl3_UpdateHandshakeHashes(ss, b, length); 11335 if (rv != SECSuccess) return rv; /* err code already set. */ 11336 } 11337 11338 PORT_SetError(0); /* each message starts with no error. */ 11339 11340 if (ss->ssl3.hs.ws == wait_certificate_status && 11341 ss->ssl3.hs.msg_type != certificate_status) { 11342 /* If we negotiated the certificate_status extension then we deferred 11343 * certificate validation until we get the CertificateStatus messsage. 11344 * But the CertificateStatus message is optional. If the server did 11345 * not send it then we need to validate the certificate now. If the 11346 * server does send the CertificateStatus message then we will 11347 * authenticate the certificate in ssl3_HandleCertificateStatus. 11348 */ 11349 rv = ssl3_AuthCertificate(ss); /* sets ss->ssl3.hs.ws */ 11350 PORT_Assert(rv != SECWouldBlock); 11351 if (rv != SECSuccess) { 11352 return rv; 11353 } 11354 } 11355 11356 switch (ss->ssl3.hs.msg_type) { 11357 case hello_request: 11358 if (length != 0) { 11359 (void)ssl3_DecodeError(ss); 11360 PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_REQUEST); 11361 return SECFailure; 11362 } 11363 if (ss->sec.isServer) { 11364 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); 11365 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST); 11366 return SECFailure; 11367 } 11368 rv = ssl3_HandleHelloRequest(ss); 11369 break; 11370 case client_hello: 11371 if (!ss->sec.isServer) { 11372 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); 11373 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO); 11374 return SECFailure; 11375 } 11376 rv = ssl3_HandleClientHello(ss, b, length); 11377 break; 11378 case server_hello: 11379 if (ss->sec.isServer) { 11380 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); 11381 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO); 11382 return SECFailure; 11383 } 11384 rv = ssl3_HandleServerHello(ss, b, length); 11385 break; 11386 case hello_verify_request: 11387 if (!IS_DTLS(ss) || ss->sec.isServer) { 11388 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); 11389 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY_REQUEST); 11390 return SECFailure; 11391 } 11392 rv = dtls_HandleHelloVerifyRequest(ss, b, length); 11393 break; 11394 case certificate: 11395 rv = ssl3_HandleCertificate(ss, b, length); 11396 break; 11397 case certificate_status: 11398 rv = ssl3_HandleCertificateStatus(ss, b, length); 11399 break; 11400 case server_key_exchange: 11401 if (ss->sec.isServer) { 11402 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); 11403 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH); 11404 return SECFailure; 11405 } 11406 rv = ssl3_HandleServerKeyExchange(ss, b, length); 11407 break; 11408 case certificate_request: 11409 if (ss->sec.isServer) { 11410 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); 11411 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST); 11412 return SECFailure; 11413 } 11414 rv = ssl3_HandleCertificateRequest(ss, b, length); 11415 break; 11416 case server_hello_done: 11417 if (length != 0) { 11418 (void)ssl3_DecodeError(ss); 11419 PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_DONE); 11420 return SECFailure; 11421 } 11422 if (ss->sec.isServer) { 11423 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); 11424 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE); 11425 return SECFailure; 11426 } 11427 rv = ssl3_HandleServerHelloDone(ss); 11428 break; 11429 case certificate_verify: 11430 if (!ss->sec.isServer) { 11431 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); 11432 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY); 11433 return SECFailure; 11434 } 11435 rv = ssl3_HandleCertificateVerify(ss, b, length, &hashes); 11436 break; 11437 case client_key_exchange: 11438 if (!ss->sec.isServer) { 11439 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); 11440 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH); 11441 return SECFailure; 11442 } 11443 rv = ssl3_HandleClientKeyExchange(ss, b, length); 11444 break; 11445 case new_session_ticket: 11446 if (ss->sec.isServer) { 11447 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); 11448 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET); 11449 return SECFailure; 11450 } 11451 rv = ssl3_HandleNewSessionTicket(ss, b, length); 11452 break; 11453 case finished: 11454 rv = ssl3_HandleFinished(ss, b, length, &hashes); 11455 break; 11456 default: 11457 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); 11458 PORT_SetError(SSL_ERROR_RX_UNKNOWN_HANDSHAKE); 11459 rv = SECFailure; 11460 } 11461 11462 if (IS_DTLS(ss) && (rv != SECFailure)) { 11463 /* Increment the expected sequence number */ 11464 ss->ssl3.hs.recvMessageSeq++; 11465 } 11466 11467 return rv; 11468 } 11469 11470 /* Called only from ssl3_HandleRecord, for each (deciphered) ssl3 record. 11471 * origBuf is the decrypted ssl record content. 11472 * Caller must hold the handshake and RecvBuf locks. 11473 */ 11474 static SECStatus 11475 ssl3_HandleHandshake(sslSocket *ss, sslBuffer *origBuf) 11476 { 11477 /* 11478 * There may be a partial handshake message already in the handshake 11479 * state. The incoming buffer may contain another portion, or a 11480 * complete message or several messages followed by another portion. 11481 * 11482 * Each message is made contiguous before being passed to the actual 11483 * message parser. 11484 */ 11485 sslBuffer *buf = &ss->ssl3.hs.msgState; /* do not lose the original buffer pointer */ 11486 SECStatus rv; 11487 11488 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 11489 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 11490 11491 if (buf->buf == NULL) { 11492 *buf = *origBuf; 11493 } 11494 while (buf->len > 0) { 11495 if (ss->ssl3.hs.header_bytes < 4) { 11496 PRUint8 t; 11497 t = *(buf->buf++); 11498 buf->len--; 11499 if (ss->ssl3.hs.header_bytes++ == 0) 11500 ss->ssl3.hs.msg_type = (SSL3HandshakeType)t; 11501 else 11502 ss->ssl3.hs.msg_len = (ss->ssl3.hs.msg_len << 8) + t; 11503 if (ss->ssl3.hs.header_bytes < 4) 11504 continue; 11505 11506 #define MAX_HANDSHAKE_MSG_LEN 0x1ffff /* 128k - 1 */ 11507 if (ss->ssl3.hs.msg_len > MAX_HANDSHAKE_MSG_LEN) { 11508 (void)ssl3_DecodeError(ss); 11509 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); 11510 return SECFailure; 11511 } 11512 #undef MAX_HANDSHAKE_MSG_LEN 11513 11514 /* If msg_len is zero, be sure we fall through, 11515 ** even if buf->len is zero. 11516 */ 11517 if (ss->ssl3.hs.msg_len > 0) 11518 continue; 11519 } 11520 11521 /* 11522 * Header has been gathered and there is at least one byte of new 11523 * data available for this message. If it can be done right out 11524 * of the original buffer, then use it from there. 11525 */ 11526 if (ss->ssl3.hs.msg_body.len == 0 && buf->len >= ss->ssl3.hs.msg_len) { 11527 /* handle it from input buffer */ 11528 rv = ssl3_HandleHandshakeMessage(ss, buf->buf, ss->ssl3.hs.msg_len); 11529 if (rv == SECFailure) { 11530 /* This test wants to fall through on either 11531 * SECSuccess or SECWouldBlock. 11532 * ssl3_HandleHandshakeMessage MUST set the error code. 11533 */ 11534 return rv; 11535 } 11536 buf->buf += ss->ssl3.hs.msg_len; 11537 buf->len -= ss->ssl3.hs.msg_len; 11538 ss->ssl3.hs.msg_len = 0; 11539 ss->ssl3.hs.header_bytes = 0; 11540 if (rv != SECSuccess) { /* return if SECWouldBlock. */ 11541 return rv; 11542 } 11543 } else { 11544 /* must be copied to msg_body and dealt with from there */ 11545 unsigned int bytes; 11546 11547 PORT_Assert(ss->ssl3.hs.msg_body.len < ss->ssl3.hs.msg_len); 11548 bytes = PR_MIN(buf->len, ss->ssl3.hs.msg_len - ss->ssl3.hs.msg_body.len); 11549 11550 /* Grow the buffer if needed */ 11551 rv = sslBuffer_Grow(&ss->ssl3.hs.msg_body, ss->ssl3.hs.msg_len); 11552 if (rv != SECSuccess) { 11553 /* sslBuffer_Grow has set a memory error code. */ 11554 return SECFailure; 11555 } 11556 11557 PORT_Memcpy(ss->ssl3.hs.msg_body.buf + ss->ssl3.hs.msg_body.len, 11558 buf->buf, bytes); 11559 ss->ssl3.hs.msg_body.len += bytes; 11560 buf->buf += bytes; 11561 buf->len -= bytes; 11562 11563 PORT_Assert(ss->ssl3.hs.msg_body.len <= ss->ssl3.hs.msg_len); 11564 11565 /* if we have a whole message, do it */ 11566 if (ss->ssl3.hs.msg_body.len == ss->ssl3.hs.msg_len) { 11567 rv = ssl3_HandleHandshakeMessage( 11568 ss, ss->ssl3.hs.msg_body.buf, ss->ssl3.hs.msg_len); 11569 if (rv == SECFailure) { 11570 /* This test wants to fall through on either 11571 * SECSuccess or SECWouldBlock. 11572 * ssl3_HandleHandshakeMessage MUST set error code. 11573 */ 11574 return rv; 11575 } 11576 ss->ssl3.hs.msg_body.len = 0; 11577 ss->ssl3.hs.msg_len = 0; 11578 ss->ssl3.hs.header_bytes = 0; 11579 if (rv != SECSuccess) { /* return if SECWouldBlock. */ 11580 return rv; 11581 } 11582 } else { 11583 PORT_Assert(buf->len == 0); 11584 break; 11585 } 11586 } 11587 } /* end loop */ 11588 11589 origBuf->len = 0; /* So ssl3_GatherAppDataRecord will keep looping. */ 11590 buf->buf = NULL; /* not a leak. */ 11591 return SECSuccess; 11592 } 11593 11594 /* These macros return the given value with the MSB copied to all the other 11595 * bits. They use the fact that arithmetic shift shifts-in the sign bit. 11596 * However, this is not ensured by the C standard so you may need to replace 11597 * them with something else for odd compilers. */ 11598 #define DUPLICATE_MSB_TO_ALL(x) ( (unsigned)( (int)(x) >> (sizeof(int)*8-1) ) ) 11599 #define DUPLICATE_MSB_TO_ALL_8(x) ((unsigned char)(DUPLICATE_MSB_TO_ALL(x))) 11600 11601 /* SECStatusToMask returns, in constant time, a mask value of all ones if 11602 * rv == SECSuccess. Otherwise it returns zero. */ 11603 static unsigned int 11604 SECStatusToMask(SECStatus rv) 11605 { 11606 unsigned int good; 11607 /* rv ^ SECSuccess is zero iff rv == SECSuccess. Subtracting one results 11608 * in the MSB being set to one iff it was zero before. */ 11609 good = rv ^ SECSuccess; 11610 good--; 11611 return DUPLICATE_MSB_TO_ALL(good); 11612 } 11613 11614 /* ssl_ConstantTimeGE returns 0xff if a>=b and 0x00 otherwise. */ 11615 static unsigned char 11616 ssl_ConstantTimeGE(unsigned int a, unsigned int b) 11617 { 11618 a -= b; 11619 return DUPLICATE_MSB_TO_ALL(~a); 11620 } 11621 11622 /* ssl_ConstantTimeEQ8 returns 0xff if a==b and 0x00 otherwise. */ 11623 static unsigned char 11624 ssl_ConstantTimeEQ8(unsigned char a, unsigned char b) 11625 { 11626 unsigned int c = a ^ b; 11627 c--; 11628 return DUPLICATE_MSB_TO_ALL_8(c); 11629 } 11630 11631 static SECStatus 11632 ssl_RemoveSSLv3CBCPadding(sslBuffer *plaintext, 11633 unsigned int blockSize, 11634 unsigned int macSize) 11635 { 11636 unsigned int paddingLength, good, t; 11637 const unsigned int overhead = 1 /* padding length byte */ + macSize; 11638 11639 /* These lengths are all public so we can test them in non-constant 11640 * time. */ 11641 if (overhead > plaintext->len) { 11642 return SECFailure; 11643 } 11644 11645 paddingLength = plaintext->buf[plaintext->len-1]; 11646 /* SSLv3 padding bytes are random and cannot be checked. */ 11647 t = plaintext->len; 11648 t -= paddingLength+overhead; 11649 /* If len >= paddingLength+overhead then the MSB of t is zero. */ 11650 good = DUPLICATE_MSB_TO_ALL(~t); 11651 /* SSLv3 requires that the padding is minimal. */ 11652 t = blockSize - (paddingLength+1); 11653 good &= DUPLICATE_MSB_TO_ALL(~t); 11654 plaintext->len -= good & (paddingLength+1); 11655 return (good & SECSuccess) | (~good & SECFailure); 11656 } 11657 11658 static SECStatus 11659 ssl_RemoveTLSCBCPadding(sslBuffer *plaintext, unsigned int macSize) 11660 { 11661 unsigned int paddingLength, good, t, toCheck, i; 11662 const unsigned int overhead = 1 /* padding length byte */ + macSize; 11663 11664 /* These lengths are all public so we can test them in non-constant 11665 * time. */ 11666 if (overhead > plaintext->len) { 11667 return SECFailure; 11668 } 11669 11670 paddingLength = plaintext->buf[plaintext->len-1]; 11671 t = plaintext->len; 11672 t -= paddingLength+overhead; 11673 /* If len >= paddingLength+overhead then the MSB of t is zero. */ 11674 good = DUPLICATE_MSB_TO_ALL(~t); 11675 11676 /* The padding consists of a length byte at the end of the record and then 11677 * that many bytes of padding, all with the same value as the length byte. 11678 * Thus, with the length byte included, there are paddingLength+1 bytes of 11679 * padding. 11680 * 11681 * We can't check just |paddingLength+1| bytes because that leaks 11682 * decrypted information. Therefore we always have to check the maximum 11683 * amount of padding possible. (Again, the length of the record is 11684 * public information so we can use it.) */ 11685 toCheck = 255; /* maximum amount of padding. */ 11686 if (toCheck > plaintext->len-1) { 11687 toCheck = plaintext->len-1; 11688 } 11689 11690 for (i = 0; i < toCheck; i++) { 11691 unsigned int t = paddingLength - i; 11692 /* If i <= paddingLength then the MSB of t is zero and mask is 11693 * 0xff. Otherwise, mask is 0. */ 11694 unsigned char mask = DUPLICATE_MSB_TO_ALL(~t); 11695 unsigned char b = plaintext->buf[plaintext->len-1-i]; 11696 /* The final |paddingLength+1| bytes should all have the value 11697 * |paddingLength|. Therefore the XOR should be zero. */ 11698 good &= ~(mask&(paddingLength ^ b)); 11699 } 11700 11701 /* If any of the final |paddingLength+1| bytes had the wrong value, 11702 * one or more of the lower eight bits of |good| will be cleared. We 11703 * AND the bottom 8 bits together and duplicate the result to all the 11704 * bits. */ 11705 good &= good >> 4; 11706 good &= good >> 2; 11707 good &= good >> 1; 11708 good <<= sizeof(good)*8-1; 11709 good = DUPLICATE_MSB_TO_ALL(good); 11710 11711 plaintext->len -= good & (paddingLength+1); 11712 return (good & SECSuccess) | (~good & SECFailure); 11713 } 11714 11715 /* On entry: 11716 * originalLength >= macSize 11717 * macSize <= MAX_MAC_LENGTH 11718 * plaintext->len >= macSize 11719 */ 11720 static void 11721 ssl_CBCExtractMAC(sslBuffer *plaintext, 11722 unsigned int originalLength, 11723 SSL3Opaque* out, 11724 unsigned int macSize) 11725 { 11726 unsigned char rotatedMac[MAX_MAC_LENGTH]; 11727 /* macEnd is the index of |plaintext->buf| just after the end of the 11728 * MAC. */ 11729 unsigned macEnd = plaintext->len; 11730 unsigned macStart = macEnd - macSize; 11731 /* scanStart contains the number of bytes that we can ignore because 11732 * the MAC's position can only vary by 255 bytes. */ 11733 unsigned scanStart = 0; 11734 unsigned i, j, divSpoiler; 11735 unsigned char rotateOffset; 11736 11737 if (originalLength > macSize + 255 + 1) 11738 scanStart = originalLength - (macSize + 255 + 1); 11739 11740 /* divSpoiler contains a multiple of macSize that is used to cause the 11741 * modulo operation to be constant time. Without this, the time varies 11742 * based on the amount of padding when running on Intel chips at least. 11743 * 11744 * The aim of right-shifting macSize is so that the compiler doesn't 11745 * figure out that it can remove divSpoiler as that would require it 11746 * to prove that macSize is always even, which I hope is beyond it. */ 11747 divSpoiler = macSize >> 1; 11748 divSpoiler <<= (sizeof(divSpoiler)-1)*8; 11749 rotateOffset = (divSpoiler + macStart - scanStart) % macSize; 11750 11751 memset(rotatedMac, 0, macSize); 11752 for (i = scanStart; i < originalLength;) { 11753 for (j = 0; j < macSize && i < originalLength; i++, j++) { 11754 unsigned char macStarted = ssl_ConstantTimeGE(i, macStart); 11755 unsigned char macEnded = ssl_ConstantTimeGE(i, macEnd); 11756 unsigned char b = 0; 11757 b = plaintext->buf[i]; 11758 rotatedMac[j] |= b & macStarted & ~macEnded; 11759 } 11760 } 11761 11762 /* Now rotate the MAC. If we knew that the MAC fit into a CPU cache line 11763 * we could line-align |rotatedMac| and rotate in place. */ 11764 memset(out, 0, macSize); 11765 for (i = 0; i < macSize; i++) { 11766 unsigned char offset = 11767 (divSpoiler + macSize - rotateOffset + i) % macSize; 11768 for (j = 0; j < macSize; j++) { 11769 out[j] |= rotatedMac[i] & ssl_ConstantTimeEQ8(j, offset); 11770 } 11771 } 11772 } 11773 11774 /* if cText is non-null, then decipher, check MAC, and decompress the 11775 * SSL record from cText->buf (typically gs->inbuf) 11776 * into databuf (typically gs->buf), and any previous contents of databuf 11777 * is lost. Then handle databuf according to its SSL record type, 11778 * unless it's an application record. 11779 * 11780 * If cText is NULL, then the ciphertext has previously been deciphered and 11781 * checked, and is already sitting in databuf. It is processed as an SSL 11782 * Handshake message. 11783 * 11784 * DOES NOT process the decrypted/decompressed application data. 11785 * On return, databuf contains the decrypted/decompressed record. 11786 * 11787 * Called from ssl3_GatherCompleteHandshake 11788 * ssl3_RestartHandshakeAfterCertReq 11789 * 11790 * Caller must hold the RecvBufLock. 11791 * 11792 * This function aquires and releases the SSL3Handshake Lock, holding the 11793 * lock around any calls to functions that handle records other than 11794 * Application Data records. 11795 */ 11796 SECStatus 11797 ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf) 11798 { 11799 const ssl3BulkCipherDef *cipher_def; 11800 ssl3CipherSpec * crSpec; 11801 SECStatus rv; 11802 unsigned int hashBytes = MAX_MAC_LENGTH + 1; 11803 PRBool isTLS; 11804 SSL3ContentType rType; 11805 SSL3Opaque hash[MAX_MAC_LENGTH]; 11806 SSL3Opaque givenHashBuf[MAX_MAC_LENGTH]; 11807 SSL3Opaque *givenHash; 11808 sslBuffer *plaintext; 11809 sslBuffer temp_buf; 11810 PRUint64 dtls_seq_num; 11811 unsigned int ivLen = 0; 11812 unsigned int originalLen = 0; 11813 unsigned int good; 11814 unsigned int minLength; 11815 unsigned char header[13]; 11816 unsigned int headerLen; 11817 11818 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 11819 11820 if (!ss->ssl3.initialized) { 11821 ssl_GetSSL3HandshakeLock(ss); 11822 rv = ssl3_InitState(ss); 11823 ssl_ReleaseSSL3HandshakeLock(ss); 11824 if (rv != SECSuccess) { 11825 return rv; /* ssl3_InitState has set the error code. */ 11826 } 11827 } 11828 11829 /* check for Token Presence */ 11830 if (!ssl3_ClientAuthTokenPresent(ss->sec.ci.sid)) { 11831 PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL); 11832 return SECFailure; 11833 } 11834 11835 /* cText is NULL when we're called from ssl3_RestartHandshakeAfterXXX(). 11836 * This implies that databuf holds a previously deciphered SSL Handshake 11837 * message. 11838 */ 11839 if (cText == NULL) { 11840 SSL_DBG(("%d: SSL3[%d]: HandleRecord, resuming handshake", 11841 SSL_GETPID(), ss->fd)); 11842 rType = content_handshake; 11843 goto process_it; 11844 } 11845 11846 ssl_GetSpecReadLock(ss); /******************************************/ 11847 11848 crSpec = ss->ssl3.crSpec; 11849 cipher_def = crSpec->cipher_def; 11850 11851 /* 11852 * DTLS relevance checks: 11853 * Note that this code currently ignores all out-of-epoch packets, 11854 * which means we lose some in the case of rehandshake + 11855 * loss/reordering. Since DTLS is explicitly unreliable, this 11856 * seems like a good tradeoff for implementation effort and is 11857 * consistent with the guidance of RFC 6347 Sections 4.1 and 4.2.4.1 11858 */ 11859 if (IS_DTLS(ss)) { 11860 DTLSEpoch epoch = (cText->seq_num.high >> 16) & 0xffff; 11861 11862 if (crSpec->epoch != epoch) { 11863 ssl_ReleaseSpecReadLock(ss); 11864 SSL_DBG(("%d: SSL3[%d]: HandleRecord, received packet " 11865 "from irrelevant epoch %d", SSL_GETPID(), ss->fd, epoch)); 11866 /* Silently drop the packet */ 11867 databuf->len = 0; /* Needed to ensure data not left around */ 11868 return SECSuccess; 11869 } 11870 11871 dtls_seq_num = (((PRUint64)(cText->seq_num.high & 0xffff)) << 32) | 11872 ((PRUint64)cText->seq_num.low); 11873 11874 if (dtls_RecordGetRecvd(&crSpec->recvdRecords, dtls_seq_num) != 0) { 11875 ssl_ReleaseSpecReadLock(ss); 11876 SSL_DBG(("%d: SSL3[%d]: HandleRecord, rejecting " 11877 "potentially replayed packet", SSL_GETPID(), ss->fd)); 11878 /* Silently drop the packet */ 11879 databuf->len = 0; /* Needed to ensure data not left around */ 11880 return SECSuccess; 11881 } 11882 } 11883 11884 good = ~0U; 11885 minLength = crSpec->mac_size; 11886 if (cipher_def->type == type_block) { 11887 /* CBC records have a padding length byte at the end. */ 11888 minLength++; 11889 if (crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { 11890 /* With >= TLS 1.1, CBC records have an explicit IV. */ 11891 minLength += cipher_def->iv_size; 11892 } 11893 } else if (cipher_def->type == type_aead) { 11894 minLength = cipher_def->explicit_nonce_size + cipher_def->tag_size; 11895 } 11896 11897 /* We can perform this test in variable time because the record's total 11898 * length and the ciphersuite are both public knowledge. */ 11899 if (cText->buf->len < minLength) { 11900 goto decrypt_loser; 11901 } 11902 11903 if (cipher_def->type == type_block && 11904 crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { 11905 /* Consume the per-record explicit IV. RFC 4346 Section 6.2.3.2 states 11906 * "The receiver decrypts the entire GenericBlockCipher structure and 11907 * then discards the first cipher block corresponding to the IV 11908 * component." Instead, we decrypt the first cipher block and then 11909 * discard it before decrypting the rest. 11910 */ 11911 SSL3Opaque iv[MAX_IV_LENGTH]; 11912 int decoded; 11913 11914 ivLen = cipher_def->iv_size; 11915 if (ivLen < 8 || ivLen > sizeof(iv)) { 11916 ssl_ReleaseSpecReadLock(ss); 11917 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 11918 return SECFailure; 11919 } 11920 11921 PRINT_BUF(80, (ss, "IV (ciphertext):", cText->buf->buf, ivLen)); 11922 11923 /* The decryption result is garbage, but since we just throw away 11924 * the block it doesn't matter. The decryption of the next block 11925 * depends only on the ciphertext of the IV block. 11926 */ 11927 rv = crSpec->decode(crSpec->decodeContext, iv, &decoded, 11928 sizeof(iv), cText->buf->buf, ivLen); 11929 11930 good &= SECStatusToMask(rv); 11931 } 11932 11933 /* If we will be decompressing the buffer we need to decrypt somewhere 11934 * other than into databuf */ 11935 if (crSpec->decompressor) { 11936 temp_buf.buf = NULL; 11937 temp_buf.space = 0; 11938 plaintext = &temp_buf; 11939 } else { 11940 plaintext = databuf; 11941 } 11942 11943 plaintext->len = 0; /* filled in by decode call below. */ 11944 if (plaintext->space < MAX_FRAGMENT_LENGTH) { 11945 rv = sslBuffer_Grow(plaintext, MAX_FRAGMENT_LENGTH + 2048); 11946 if (rv != SECSuccess) { 11947 ssl_ReleaseSpecReadLock(ss); 11948 SSL_DBG(("%d: SSL3[%d]: HandleRecord, tried to get %d bytes", 11949 SSL_GETPID(), ss->fd, MAX_FRAGMENT_LENGTH + 2048)); 11950 /* sslBuffer_Grow has set a memory error code. */ 11951 /* Perhaps we should send an alert. (but we have no memory!) */ 11952 return SECFailure; 11953 } 11954 } 11955 11956 PRINT_BUF(80, (ss, "ciphertext:", cText->buf->buf + ivLen, 11957 cText->buf->len - ivLen)); 11958 11959 isTLS = (PRBool)(crSpec->version > SSL_LIBRARY_VERSION_3_0); 11960 11961 if (isTLS && cText->buf->len - ivLen > (MAX_FRAGMENT_LENGTH + 2048)) { 11962 ssl_ReleaseSpecReadLock(ss); 11963 SSL3_SendAlert(ss, alert_fatal, record_overflow); 11964 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); 11965 return SECFailure; 11966 } 11967 11968 rType = cText->type; 11969 if (cipher_def->type == type_aead) { 11970 /* XXX For many AEAD ciphers, the plaintext is shorter than the 11971 * ciphertext by a fixed byte count, but it is not true in general. 11972 * Each AEAD cipher should provide a function that returns the 11973 * plaintext length for a given ciphertext. */ 11974 unsigned int decryptedLen = 11975 cText->buf->len - cipher_def->explicit_nonce_size - 11976 cipher_def->tag_size; 11977 headerLen = ssl3_BuildRecordPseudoHeader( 11978 header, IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, 11979 rType, isTLS, cText->version, IS_DTLS(ss), decryptedLen); 11980 PORT_Assert(headerLen <= sizeof(header)); 11981 rv = crSpec->aead( 11982 ss->sec.isServer ? &crSpec->client : &crSpec->server, 11983 PR_TRUE, /* do decrypt */ 11984 plaintext->buf, /* out */ 11985 (int*) &plaintext->len, /* outlen */ 11986 plaintext->space, /* maxout */ 11987 cText->buf->buf, /* in */ 11988 cText->buf->len, /* inlen */ 11989 header, headerLen); 11990 if (rv != SECSuccess) { 11991 good = 0; 11992 } 11993 } else { 11994 if (cipher_def->type == type_block && 11995 ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) { 11996 goto decrypt_loser; 11997 } 11998 11999 /* decrypt from cText buf to plaintext. */ 12000 rv = crSpec->decode( 12001 crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len, 12002 plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen); 12003 if (rv != SECSuccess) { 12004 goto decrypt_loser; 12005 } 12006 12007 PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len)); 12008 12009 originalLen = plaintext->len; 12010 12011 /* If it's a block cipher, check and strip the padding. */ 12012 if (cipher_def->type == type_block) { 12013 const unsigned int blockSize = cipher_def->block_size; 12014 const unsigned int macSize = crSpec->mac_size; 12015 12016 if (!isTLS) { 12017 good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding( 12018 plaintext, blockSize, macSize)); 12019 } else { 12020 good &= SECStatusToMask(ssl_RemoveTLSCBCPadding( 12021 plaintext, macSize)); 12022 } 12023 } 12024 12025 /* compute the MAC */ 12026 headerLen = ssl3_BuildRecordPseudoHeader( 12027 header, IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, 12028 rType, isTLS, cText->version, IS_DTLS(ss), 12029 plaintext->len - crSpec->mac_size); 12030 PORT_Assert(headerLen <= sizeof(header)); 12031 if (cipher_def->type == type_block) { 12032 rv = ssl3_ComputeRecordMACConstantTime( 12033 crSpec, (PRBool)(!ss->sec.isServer), header, headerLen, 12034 plaintext->buf, plaintext->len, originalLen, 12035 hash, &hashBytes); 12036 12037 ssl_CBCExtractMAC(plaintext, originalLen, givenHashBuf, 12038 crSpec->mac_size); 12039 givenHash = givenHashBuf; 12040 12041 /* plaintext->len will always have enough space to remove the MAC 12042 * because in ssl_Remove{SSLv3|TLS}CBCPadding we only adjust 12043 * plaintext->len if the result has enough space for the MAC and we 12044 * tested the unadjusted size against minLength, above. */ 12045 plaintext->len -= crSpec->mac_size; 12046 } else { 12047 /* This is safe because we checked the minLength above. */ 12048 plaintext->len -= crSpec->mac_size; 12049 12050 rv = ssl3_ComputeRecordMAC( 12051 crSpec, (PRBool)(!ss->sec.isServer), header, headerLen, 12052 plaintext->buf, plaintext->len, hash, &hashBytes); 12053 12054 /* We can read the MAC directly from the record because its location 12055 * is public when a stream cipher is used. */ 12056 givenHash = plaintext->buf + plaintext->len; 12057 } 12058 12059 good &= SECStatusToMask(rv); 12060 12061 if (hashBytes != (unsigned)crSpec->mac_size || 12062 NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) { 12063 /* We're allowed to leak whether or not the MAC check was correct */ 12064 good = 0; 12065 } 12066 } 12067 12068 if (good == 0) { 12069 decrypt_loser: 12070 /* must not hold spec lock when calling SSL3_SendAlert. */ 12071 ssl_ReleaseSpecReadLock(ss); 12072 12073 SSL_DBG(("%d: SSL3[%d]: decryption failed", SSL_GETPID(), ss->fd)); 12074 12075 if (!IS_DTLS(ss)) { 12076 SSL3_SendAlert(ss, alert_fatal, bad_record_mac); 12077 /* always log mac error, in case attacker can read server logs. */ 12078 PORT_SetError(SSL_ERROR_BAD_MAC_READ); 12079 return SECFailure; 12080 } else { 12081 /* Silently drop the packet */ 12082 databuf->len = 0; /* Needed to ensure data not left around */ 12083 return SECSuccess; 12084 } 12085 } 12086 12087 if (!IS_DTLS(ss)) { 12088 ssl3_BumpSequenceNumber(&crSpec->read_seq_num); 12089 } else { 12090 dtls_RecordSetRecvd(&crSpec->recvdRecords, dtls_seq_num); 12091 } 12092 12093 ssl_ReleaseSpecReadLock(ss); /*****************************************/ 12094 12095 /* 12096 * The decrypted data is now in plaintext. 12097 */ 12098 12099 /* possibly decompress the record. If we aren't using compression then 12100 * plaintext == databuf and so the uncompressed data is already in 12101 * databuf. */ 12102 if (crSpec->decompressor) { 12103 if (databuf->space < plaintext->len + SSL3_COMPRESSION_MAX_EXPANSION) { 12104 rv = sslBuffer_Grow( 12105 databuf, plaintext->len + SSL3_COMPRESSION_MAX_EXPANSION); 12106 if (rv != SECSuccess) { 12107 SSL_DBG(("%d: SSL3[%d]: HandleRecord, tried to get %d bytes", 12108 SSL_GETPID(), ss->fd, 12109 plaintext->len + SSL3_COMPRESSION_MAX_EXPANSION)); 12110 /* sslBuffer_Grow has set a memory error code. */ 12111 /* Perhaps we should send an alert. (but we have no memory!) */ 12112 PORT_Free(plaintext->buf); 12113 return SECFailure; 12114 } 12115 } 12116 12117 rv = crSpec->decompressor(crSpec->decompressContext, 12118 databuf->buf, 12119 (int*) &databuf->len, 12120 databuf->space, 12121 plaintext->buf, 12122 plaintext->len); 12123 12124 if (rv != SECSuccess) { 12125 int err = ssl_MapLowLevelError(SSL_ERROR_DECOMPRESSION_FAILURE); 12126 SSL3_SendAlert(ss, alert_fatal, 12127 isTLS ? decompression_failure : bad_record_mac); 12128 12129 /* There appears to be a bug with (at least) Apache + OpenSSL where 12130 * resumed SSLv3 connections don't actually use compression. See 12131 * comments 93-95 of 12132 * https://bugzilla.mozilla.org/show_bug.cgi?id=275744 12133 * 12134 * So, if we get a decompression error, and the record appears to 12135 * be already uncompressed, then we return a more specific error 12136 * code to hopefully save somebody some debugging time in the 12137 * future. 12138 */ 12139 if (plaintext->len >= 4) { 12140 unsigned int len = ((unsigned int) plaintext->buf[1] << 16) | 12141 ((unsigned int) plaintext->buf[2] << 8) | 12142 (unsigned int) plaintext->buf[3]; 12143 if (len == plaintext->len - 4) { 12144 /* This appears to be uncompressed already */ 12145 err = SSL_ERROR_RX_UNEXPECTED_UNCOMPRESSED_RECORD; 12146 } 12147 } 12148 12149 PORT_Free(plaintext->buf); 12150 PORT_SetError(err); 12151 return SECFailure; 12152 } 12153 12154 PORT_Free(plaintext->buf); 12155 } 12156 12157 /* 12158 ** Having completed the decompression, check the length again. 12159 */ 12160 if (isTLS && databuf->len > (MAX_FRAGMENT_LENGTH + 1024)) { 12161 SSL3_SendAlert(ss, alert_fatal, record_overflow); 12162 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); 12163 return SECFailure; 12164 } 12165 12166 /* Application data records are processed by the caller of this 12167 ** function, not by this function. 12168 */ 12169 if (rType == content_application_data) { 12170 if (ss->firstHsDone) 12171 return SECSuccess; 12172 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); 12173 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA); 12174 return SECFailure; 12175 } 12176 12177 /* It's a record that must be handled by ssl itself, not the application. 12178 */ 12179 process_it: 12180 /* XXX Get the xmit lock here. Odds are very high that we'll be xmiting 12181 * data ang getting the xmit lock here prevents deadlocks. 12182 */ 12183 ssl_GetSSL3HandshakeLock(ss); 12184 12185 /* All the functions called in this switch MUST set error code if 12186 ** they return SECFailure or SECWouldBlock. 12187 */ 12188 switch (rType) { 12189 case content_change_cipher_spec: 12190 rv = ssl3_HandleChangeCipherSpecs(ss, databuf); 12191 break; 12192 case content_alert: 12193 rv = ssl3_HandleAlert(ss, databuf); 12194 break; 12195 case content_handshake: 12196 if (!IS_DTLS(ss)) { 12197 rv = ssl3_HandleHandshake(ss, databuf); 12198 } else { 12199 rv = dtls_HandleHandshake(ss, databuf); 12200 } 12201 break; 12202 /* 12203 case content_application_data is handled before this switch 12204 */ 12205 default: 12206 SSL_DBG(("%d: SSL3[%d]: bogus content type=%d", 12207 SSL_GETPID(), ss->fd, cText->type)); 12208 /* XXX Send an alert ??? */ 12209 PORT_SetError(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE); 12210 rv = SECFailure; 12211 break; 12212 } 12213 12214 ssl_ReleaseSSL3HandshakeLock(ss); 12215 return rv; 12216 } 12217 12218 /* 12219 * Initialization functions 12220 */ 12221 12222 /* Called from ssl3_InitState, immediately below. */ 12223 /* Caller must hold the SpecWriteLock. */ 12224 static void 12225 ssl3_InitCipherSpec(sslSocket *ss, ssl3CipherSpec *spec) 12226 { 12227 spec->cipher_def = &bulk_cipher_defs[cipher_null]; 12228 PORT_Assert(spec->cipher_def->cipher == cipher_null); 12229 spec->mac_def = &mac_defs[mac_null]; 12230 PORT_Assert(spec->mac_def->mac == mac_null); 12231 spec->encode = Null_Cipher; 12232 spec->decode = Null_Cipher; 12233 spec->destroy = NULL; 12234 spec->compressor = NULL; 12235 spec->decompressor = NULL; 12236 spec->destroyCompressContext = NULL; 12237 spec->destroyDecompressContext = NULL; 12238 spec->mac_size = 0; 12239 spec->master_secret = NULL; 12240 spec->bypassCiphers = PR_FALSE; 12241 12242 spec->msItem.data = NULL; 12243 spec->msItem.len = 0; 12244 12245 spec->client.write_key = NULL; 12246 spec->client.write_mac_key = NULL; 12247 spec->client.write_mac_context = NULL; 12248 12249 spec->server.write_key = NULL; 12250 spec->server.write_mac_key = NULL; 12251 spec->server.write_mac_context = NULL; 12252 12253 spec->write_seq_num.high = 0; 12254 spec->write_seq_num.low = 0; 12255 12256 spec->read_seq_num.high = 0; 12257 spec->read_seq_num.low = 0; 12258 12259 spec->epoch = 0; 12260 dtls_InitRecvdRecords(&spec->recvdRecords); 12261 12262 spec->version = ss->vrange.max; 12263 } 12264 12265 /* Called from: ssl3_SendRecord 12266 ** ssl3_StartHandshakeHash() <- ssl2_BeginClientHandshake() 12267 ** ssl3_SendClientHello() 12268 ** ssl3_HandleV2ClientHello() 12269 ** ssl3_HandleRecord() 12270 ** 12271 ** This function should perhaps acquire and release the SpecWriteLock. 12272 ** 12273 ** 12274 */ 12275 static SECStatus 12276 ssl3_InitState(sslSocket *ss) 12277 { 12278 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 12279 12280 if (ss->ssl3.initialized) 12281 return SECSuccess; /* Function should be idempotent */ 12282 12283 ss->ssl3.policy = SSL_ALLOWED; 12284 12285 ssl_GetSpecWriteLock(ss); 12286 ss->ssl3.crSpec = ss->ssl3.cwSpec = &ss->ssl3.specs[0]; 12287 ss->ssl3.prSpec = ss->ssl3.pwSpec = &ss->ssl3.specs[1]; 12288 ss->ssl3.hs.sendingSCSV = PR_FALSE; 12289 ssl3_InitCipherSpec(ss, ss->ssl3.crSpec); 12290 ssl3_InitCipherSpec(ss, ss->ssl3.prSpec); 12291 12292 ss->ssl3.hs.ws = (ss->sec.isServer) ? wait_client_hello : wait_server_hello; 12293 #ifdef NSS_ENABLE_ECC 12294 ss->ssl3.hs.negotiatedECCurves = ssl3_GetSupportedECCurveMask(ss); 12295 #endif 12296 ssl_ReleaseSpecWriteLock(ss); 12297 12298 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData)); 12299 12300 if (IS_DTLS(ss)) { 12301 ss->ssl3.hs.sendMessageSeq = 0; 12302 ss->ssl3.hs.recvMessageSeq = 0; 12303 ss->ssl3.hs.rtTimeoutMs = INITIAL_DTLS_TIMEOUT_MS; 12304 ss->ssl3.hs.rtRetries = 0; 12305 ss->ssl3.hs.recvdHighWater = -1; 12306 PR_INIT_CLIST(&ss->ssl3.hs.lastMessageFlight); 12307 dtls_SetMTU(ss, 0); /* Set the MTU to the highest plateau */ 12308 } 12309 12310 PORT_Assert(!ss->ssl3.hs.messages.buf && !ss->ssl3.hs.messages.space); 12311 ss->ssl3.hs.messages.buf = NULL; 12312 ss->ssl3.hs.messages.space = 0; 12313 12314 ss->ssl3.initialized = PR_TRUE; 12315 return SECSuccess; 12316 } 12317 12318 /* Returns a reference counted object that contains a key pair. 12319 * Or NULL on failure. Initial ref count is 1. 12320 * Uses the keys in the pair as input. 12321 */ 12322 ssl3KeyPair * 12323 ssl3_NewKeyPair( SECKEYPrivateKey * privKey, SECKEYPublicKey * pubKey) 12324 { 12325 ssl3KeyPair * pair; 12326 12327 if (!privKey || !pubKey) { 12328 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); 12329 return NULL; 12330 } 12331 pair = PORT_ZNew(ssl3KeyPair); 12332 if (!pair) 12333 return NULL; /* error code is set. */ 12334 pair->refCount = 1; 12335 pair->privKey = privKey; 12336 pair->pubKey = pubKey; 12337 return pair; /* success */ 12338 } 12339 12340 ssl3KeyPair * 12341 ssl3_GetKeyPairRef(ssl3KeyPair * keyPair) 12342 { 12343 PR_ATOMIC_INCREMENT(&keyPair->refCount); 12344 return keyPair; 12345 } 12346 12347 void 12348 ssl3_FreeKeyPair(ssl3KeyPair * keyPair) 12349 { 12350 PRInt32 newCount = PR_ATOMIC_DECREMENT(&keyPair->refCount); 12351 if (!newCount) { 12352 if (keyPair->privKey) 12353 SECKEY_DestroyPrivateKey(keyPair->privKey); 12354 if (keyPair->pubKey) 12355 SECKEY_DestroyPublicKey( keyPair->pubKey); 12356 PORT_Free(keyPair); 12357 } 12358 } 12359 12360 12361 12362 /* 12363 * Creates the public and private RSA keys for SSL Step down. 12364 * Called from SSL_ConfigSecureServer in sslsecur.c 12365 */ 12366 SECStatus 12367 ssl3_CreateRSAStepDownKeys(sslSocket *ss) 12368 { 12369 SECStatus rv = SECSuccess; 12370 SECKEYPrivateKey * privKey; /* RSA step down key */ 12371 SECKEYPublicKey * pubKey; /* RSA step down key */ 12372 12373 if (ss->stepDownKeyPair) 12374 ssl3_FreeKeyPair(ss->stepDownKeyPair); 12375 ss->stepDownKeyPair = NULL; 12376 #ifndef HACKED_EXPORT_SERVER 12377 /* Sigh, should have a get key strength call for private keys */ 12378 if (PK11_GetPrivateModulusLen(ss->serverCerts[kt_rsa].SERVERKEY) > 12379 EXPORT_RSA_KEY_LENGTH) { 12380 /* need to ask for the key size in bits */ 12381 privKey = SECKEY_CreateRSAPrivateKey(EXPORT_RSA_KEY_LENGTH * BPB, 12382 &pubKey, NULL); 12383 if (!privKey || !pubKey || 12384 !(ss->stepDownKeyPair = ssl3_NewKeyPair(privKey, pubKey))) { 12385 ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL); 12386 rv = SECFailure; 12387 } 12388 } 12389 #endif 12390 return rv; 12391 } 12392 12393 12394 /* record the export policy for this cipher suite */ 12395 SECStatus 12396 ssl3_SetPolicy(ssl3CipherSuite which, int policy) 12397 { 12398 ssl3CipherSuiteCfg *suite; 12399 12400 suite = ssl_LookupCipherSuiteCfg(which, cipherSuites); 12401 if (suite == NULL) { 12402 return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */ 12403 } 12404 suite->policy = policy; 12405 12406 return SECSuccess; 12407 } 12408 12409 SECStatus 12410 ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *oPolicy) 12411 { 12412 ssl3CipherSuiteCfg *suite; 12413 PRInt32 policy; 12414 SECStatus rv; 12415 12416 suite = ssl_LookupCipherSuiteCfg(which, cipherSuites); 12417 if (suite) { 12418 policy = suite->policy; 12419 rv = SECSuccess; 12420 } else { 12421 policy = SSL_NOT_ALLOWED; 12422 rv = SECFailure; /* err code was set by Lookup. */ 12423 } 12424 *oPolicy = policy; 12425 return rv; 12426 } 12427 12428 /* record the user preference for this suite */ 12429 SECStatus 12430 ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool enabled) 12431 { 12432 ssl3CipherSuiteCfg *suite; 12433 12434 suite = ssl_LookupCipherSuiteCfg(which, cipherSuites); 12435 if (suite == NULL) { 12436 return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */ 12437 } 12438 suite->enabled = enabled; 12439 return SECSuccess; 12440 } 12441 12442 /* return the user preference for this suite */ 12443 SECStatus 12444 ssl3_CipherPrefGetDefault(ssl3CipherSuite which, PRBool *enabled) 12445 { 12446 ssl3CipherSuiteCfg *suite; 12447 PRBool pref; 12448 SECStatus rv; 12449 12450 suite = ssl_LookupCipherSuiteCfg(which, cipherSuites); 12451 if (suite) { 12452 pref = suite->enabled; 12453 rv = SECSuccess; 12454 } else { 12455 pref = SSL_NOT_ALLOWED; 12456 rv = SECFailure; /* err code was set by Lookup. */ 12457 } 12458 *enabled = pref; 12459 return rv; 12460 } 12461 12462 SECStatus 12463 ssl3_CipherPrefSet(sslSocket *ss, ssl3CipherSuite which, PRBool enabled) 12464 { 12465 ssl3CipherSuiteCfg *suite; 12466 12467 suite = ssl_LookupCipherSuiteCfg(which, ss->cipherSuites); 12468 if (suite == NULL) { 12469 return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */ 12470 } 12471 suite->enabled = enabled; 12472 return SECSuccess; 12473 } 12474 12475 SECStatus 12476 ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool *enabled) 12477 { 12478 ssl3CipherSuiteCfg *suite; 12479 PRBool pref; 12480 SECStatus rv; 12481 12482 suite = ssl_LookupCipherSuiteCfg(which, ss->cipherSuites); 12483 if (suite) { 12484 pref = suite->enabled; 12485 rv = SECSuccess; 12486 } else { 12487 pref = SSL_NOT_ALLOWED; 12488 rv = SECFailure; /* err code was set by Lookup. */ 12489 } 12490 *enabled = pref; 12491 return rv; 12492 } 12493 12494 SECStatus 12495 ssl3_CipherOrderSet(sslSocket *ss, const ssl3CipherSuite *ciphers, unsigned int len) 12496 { 12497 /* |i| iterates over |ciphers| while |done| and |j| iterate over 12498 * |ss->cipherSuites|. */ 12499 unsigned int i, done; 12500 12501 for (i = done = 0; i < len; i++) { 12502 PRUint16 id = ciphers[i]; 12503 unsigned int existingIndex, j; 12504 PRBool found = PR_FALSE; 12505 12506 for (j = done; j < ssl_V3_SUITES_IMPLEMENTED; j++) { 12507 if (ss->cipherSuites[j].cipher_suite == id) { 12508 existingIndex = j; 12509 found = PR_TRUE; 12510 break; 12511 } 12512 } 12513 12514 if (!found) { 12515 continue; 12516 } 12517 12518 if (existingIndex != done) { 12519 const ssl3CipherSuiteCfg temp = ss->cipherSuites[done]; 12520 ss->cipherSuites[done] = ss->cipherSuites[existingIndex]; 12521 ss->cipherSuites[existingIndex] = temp; 12522 } 12523 done++; 12524 } 12525 12526 /* Disable all cipher suites that weren't included. */ 12527 for (; done < ssl_V3_SUITES_IMPLEMENTED; done++) { 12528 ss->cipherSuites[done].enabled = 0; 12529 } 12530 12531 return SECSuccess; 12532 } 12533 12534 /* copy global default policy into socket. */ 12535 void 12536 ssl3_InitSocketPolicy(sslSocket *ss) 12537 { 12538 PORT_Memcpy(ss->cipherSuites, cipherSuites, sizeof cipherSuites); 12539 } 12540 12541 SECStatus 12542 ssl3_GetTLSUniqueChannelBinding(sslSocket *ss, 12543 unsigned char *out, 12544 unsigned int *outLen, 12545 unsigned int outLenMax) { 12546 PRBool isTLS; 12547 int index = 0; 12548 unsigned int len; 12549 SECStatus rv = SECFailure; 12550 12551 *outLen = 0; 12552 12553 ssl_GetSSL3HandshakeLock(ss); 12554 12555 ssl_GetSpecReadLock(ss); 12556 isTLS = (PRBool)(ss->ssl3.cwSpec->version > SSL_LIBRARY_VERSION_3_0); 12557 ssl_ReleaseSpecReadLock(ss); 12558 12559 /* The tls-unique channel binding is the first Finished structure in the 12560 * handshake. In the case of a resumption, that's the server's Finished. 12561 * Otherwise, it's the client's Finished. */ 12562 len = ss->ssl3.hs.finishedBytes; 12563 12564 /* Sending or receiving a Finished message will set finishedBytes to a 12565 * non-zero value. */ 12566 if (len == 0) { 12567 PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED); 12568 goto loser; 12569 } 12570 12571 /* If we are in the middle of a renegotiation then the channel binding 12572 * value is poorly defined and depends on the direction that it will be 12573 * used on. Therefore we simply return an error in this case. */ 12574 if (ss->firstHsDone && ss->ssl3.hs.ws != idle_handshake) { 12575 PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED); 12576 goto loser; 12577 } 12578 12579 /* If resuming, then we want the second Finished value in the array, which 12580 * is the server's */ 12581 if (ss->ssl3.hs.isResuming) 12582 index = 1; 12583 12584 *outLen = len; 12585 if (outLenMax < len) { 12586 PORT_SetError(SEC_ERROR_OUTPUT_LEN); 12587 goto loser; 12588 } 12589 12590 if (isTLS) { 12591 memcpy(out, &ss->ssl3.hs.finishedMsgs.tFinished[index], len); 12592 } else { 12593 memcpy(out, &ss->ssl3.hs.finishedMsgs.sFinished[index], len); 12594 } 12595 12596 rv = SECSuccess; 12597 12598 loser: 12599 ssl_ReleaseSSL3HandshakeLock(ss); 12600 return rv; 12601 } 12602 12603 /* ssl3_config_match_init must have already been called by 12604 * the caller of this function. 12605 */ 12606 SECStatus 12607 ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, unsigned char *cs, int *size) 12608 { 12609 int i, count = 0; 12610 12611 PORT_Assert(ss != 0); 12612 if (!ss) { 12613 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); 12614 return SECFailure; 12615 } 12616 if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) { 12617 *size = 0; 12618 return SECSuccess; 12619 } 12620 if (cs == NULL) { 12621 *size = count_cipher_suites(ss, SSL_ALLOWED, PR_TRUE); 12622 return SECSuccess; 12623 } 12624 12625 /* ssl3_config_match_init was called by the caller of this function. */ 12626 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { 12627 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; 12628 if (config_match(suite, SSL_ALLOWED, PR_TRUE, &ss->vrange)) { 12629 if (cs != NULL) { 12630 *cs++ = 0x00; 12631 *cs++ = (suite->cipher_suite >> 8) & 0xFF; 12632 *cs++ = suite->cipher_suite & 0xFF; 12633 } 12634 count++; 12635 } 12636 } 12637 *size = count; 12638 return SECSuccess; 12639 } 12640 12641 /* 12642 ** If ssl3 socket has completed the first handshake, and is in idle state, 12643 ** then start a new handshake. 12644 ** If flushCache is true, the SID cache will be flushed first, forcing a 12645 ** "Full" handshake (not a session restart handshake), to be done. 12646 ** 12647 ** called from SSL_RedoHandshake(), which already holds the handshake locks. 12648 */ 12649 SECStatus 12650 ssl3_RedoHandshake(sslSocket *ss, PRBool flushCache) 12651 { 12652 sslSessionID * sid = ss->sec.ci.sid; 12653 SECStatus rv; 12654 12655 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 12656 12657 if (!ss->firstHsDone || 12658 ((ss->version >= SSL_LIBRARY_VERSION_3_0) && 12659 ss->ssl3.initialized && 12660 (ss->ssl3.hs.ws != idle_handshake))) { 12661 PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED); 12662 return SECFailure; 12663 } 12664 12665 if (IS_DTLS(ss)) { 12666 dtls_RehandshakeCleanup(ss); 12667 } 12668 12669 if (ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) { 12670 PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED); 12671 return SECFailure; 12672 } 12673 if (sid && flushCache) { 12674 if (ss->sec.uncache) 12675 ss->sec.uncache(sid); /* remove it from whichever cache it's in. */ 12676 ssl_FreeSID(sid); /* dec ref count and free if zero. */ 12677 ss->sec.ci.sid = NULL; 12678 } 12679 12680 ssl_GetXmitBufLock(ss); /**************************************/ 12681 12682 /* start off a new handshake. */ 12683 rv = (ss->sec.isServer) ? ssl3_SendHelloRequest(ss) 12684 : ssl3_SendClientHello(ss, PR_FALSE); 12685 12686 ssl_ReleaseXmitBufLock(ss); /**************************************/ 12687 return rv; 12688 } 12689 12690 /* Called from ssl_DestroySocketContents() in sslsock.c */ 12691 void 12692 ssl3_DestroySSL3Info(sslSocket *ss) 12693 { 12694 12695 if (ss->ssl3.clientCertificate != NULL) 12696 CERT_DestroyCertificate(ss->ssl3.clientCertificate); 12697 12698 if (ss->ssl3.clientPrivateKey != NULL) 12699 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); 12700 #ifdef NSS_PLATFORM_CLIENT_AUTH 12701 if (ss->ssl3.platformClientKey) 12702 ssl_FreePlatformKey(ss->ssl3.platformClientKey); 12703 #endif /* NSS_PLATFORM_CLIENT_AUTH */ 12704 12705 if (ss->ssl3.channelID) 12706 SECKEY_DestroyPrivateKey(ss->ssl3.channelID); 12707 if (ss->ssl3.channelIDPub) 12708 SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub); 12709 12710 if (ss->ssl3.peerCertArena != NULL) 12711 ssl3_CleanupPeerCerts(ss); 12712 12713 if (ss->ssl3.clientCertChain != NULL) { 12714 CERT_DestroyCertificateList(ss->ssl3.clientCertChain); 12715 ss->ssl3.clientCertChain = NULL; 12716 } 12717 12718 /* clean up handshake */ 12719 #ifndef NO_PKCS11_BYPASS 12720 if (ss->opt.bypassPKCS11) { 12721 if (ss->ssl3.hs.hashType == handshake_hash_combo) { 12722 SHA1_DestroyContext((SHA1Context *)ss->ssl3.hs.sha_cx, PR_FALSE); 12723 MD5_DestroyContext((MD5Context *)ss->ssl3.hs.md5_cx, PR_FALSE); 12724 } else if (ss->ssl3.hs.hashType == handshake_hash_single) { 12725 ss->ssl3.hs.sha_obj->destroy(ss->ssl3.hs.sha_cx, PR_FALSE); 12726 } 12727 } 12728 #endif 12729 if (ss->ssl3.hs.md5) { 12730 PK11_DestroyContext(ss->ssl3.hs.md5,PR_TRUE); 12731 } 12732 if (ss->ssl3.hs.sha) { 12733 PK11_DestroyContext(ss->ssl3.hs.sha,PR_TRUE); 12734 } 12735 if (ss->ssl3.hs.clientSigAndHash) { 12736 PORT_Free(ss->ssl3.hs.clientSigAndHash); 12737 } 12738 if (ss->ssl3.hs.messages.buf) { 12739 PORT_Free(ss->ssl3.hs.messages.buf); 12740 ss->ssl3.hs.messages.buf = NULL; 12741 ss->ssl3.hs.messages.len = 0; 12742 ss->ssl3.hs.messages.space = 0; 12743 } 12744 12745 /* free the SSL3Buffer (msg_body) */ 12746 PORT_Free(ss->ssl3.hs.msg_body.buf); 12747 12748 /* free up the CipherSpecs */ 12749 ssl3_DestroyCipherSpec(&ss->ssl3.specs[0], PR_TRUE/*freeSrvName*/); 12750 ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/); 12751 12752 /* Destroy the DTLS data */ 12753 if (IS_DTLS(ss)) { 12754 dtls_FreeHandshakeMessages(&ss->ssl3.hs.lastMessageFlight); 12755 if (ss->ssl3.hs.recvdFragments.buf) { 12756 PORT_Free(ss->ssl3.hs.recvdFragments.buf); 12757 } 12758 } 12759 12760 ss->ssl3.initialized = PR_FALSE; 12761 12762 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); 12763 } 12764 12765 /* End of ssl3con.c */ 12766
