1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
5 * This Source Code Form is subject to the terms of the Mozilla Public
6 * License, v. 2.0. If a copy of the MPL was not distributed with this
7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
9 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */
13 #include "cryptohi.h" /* for DSAU_ stuff */
30 #ifndef NO_PKCS11_BYPASS
34 /* This is a bodge to allow this code to be compiled against older NSS headers
35 * that don't contain the TLS 1.2 changes. */
36 #ifndef CKM_NSS_TLS_PRF_GENERAL_SHA256
37 #define CKM_NSS_TLS_PRF_GENERAL_SHA256 (CKM_NSS + 21)
38 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256 (CKM_NSS + 22)
39 #define CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256 (CKM_NSS + 23)
40 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24)
43 /* This is a bodge to allow this code to be compiled against older NSS
45 #ifndef CKM_NSS_CHACHA20_POLY1305
46 #define CKM_NSS_CHACHA20_POLY1305 (CKM_NSS + 26)
48 typedef struct CK_NSS_AEAD_PARAMS {
49 CK_BYTE_PTR pIv; /* This is the nonce. */
59 #ifdef NSS_ENABLE_ZLIB
67 #define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \
68 (x)->pValue=(v); (x)->ulValueLen = (l);
71 static SECStatus ssl3_AuthCertificate(sslSocket *ss);
72 static void ssl3_CleanupPeerCerts(sslSocket *ss);
73 static void ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid);
74 static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
75 PK11SlotInfo * serverKeySlot);
76 static SECStatus ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms);
77 static SECStatus ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss);
78 static SECStatus ssl3_HandshakeFailure( sslSocket *ss);
79 static SECStatus ssl3_InitState( sslSocket *ss);
80 static SECStatus ssl3_SendCertificate( sslSocket *ss);
81 static SECStatus ssl3_SendCertificateStatus( sslSocket *ss);
82 static SECStatus ssl3_SendEmptyCertificate( sslSocket *ss);
83 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss);
84 static SECStatus ssl3_SendNextProto( sslSocket *ss);
85 static SECStatus ssl3_SendEncryptedExtensions(sslSocket *ss);
86 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags);
87 static SECStatus ssl3_SendServerHello( sslSocket *ss);
88 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss);
89 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss);
90 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss,
91 const unsigned char *b,
93 static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags);
94 static int ssl3_OIDToTLSHashAlgorithm(SECOidTag oid);
96 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen,
97 int maxOutputLen, const unsigned char *input,
99 #ifndef NO_PKCS11_BYPASS
100 static SECStatus ssl3_AESGCMBypass(ssl3KeyMaterial *keys, PRBool doDecrypt,
101 unsigned char *out, int *outlen, int maxout,
102 const unsigned char *in, int inlen,
103 const unsigned char *additionalData,
104 int additionalDataLen);
107 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */
108 #define MIN_SEND_BUF_LENGTH 4000
110 /* This list of SSL3 cipher suites is sorted in descending order of
111 * precedence (desirability). It only includes cipher suites we implement.
112 * This table is modified by SSL3_SetPolicy(). The ordering of cipher suites
113 * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c)
115 * Important: See bug 946147 before enabling, reordering, or adding any cipher
116 * suites to this list.
118 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
119 /* cipher_suite policy enabled isPresent */
121 #ifdef NSS_ENABLE_ECC
122 { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, SSL_ALLOWED, PR_FALSE, PR_FALSE},
123 { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, SSL_ALLOWED, PR_FALSE, PR_FALSE},
124 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
125 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
126 /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
129 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
130 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
131 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
132 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
133 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
134 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
135 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
136 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
137 { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
138 { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
139 #endif /* NSS_ENABLE_ECC */
141 { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
142 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
143 { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
144 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
145 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
146 { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
147 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
148 { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
149 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
150 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
151 { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
152 { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
153 { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
154 { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
156 #ifdef NSS_ENABLE_ECC
157 { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
158 { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
159 { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
160 { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
161 { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
162 { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
163 { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
164 { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
165 #endif /* NSS_ENABLE_ECC */
168 { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
169 { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
170 { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
171 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
172 { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
173 { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
174 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
175 { TLS_RSA_WITH_SEED_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
176 { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
177 { SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
178 { SSL_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
179 { SSL_RSA_WITH_RC4_128_MD5, SSL_ALLOWED, PR_TRUE, PR_FALSE},
181 /* 56-bit DES "domestic" cipher suites */
182 { SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
183 { SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
184 { SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
185 { SSL_RSA_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
187 /* export ciphersuites with 1024-bit public key exchange keys */
188 { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
189 { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
191 /* export ciphersuites with 512-bit public key exchange keys */
192 { SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE},
193 { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE},
195 /* ciphersuites with no encryption */
196 #ifdef NSS_ENABLE_ECC
197 { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
198 { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
199 { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
200 { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
201 #endif /* NSS_ENABLE_ECC */
202 { SSL_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
203 { TLS_RSA_WITH_NULL_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
204 { SSL_RSA_WITH_NULL_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE},
207 /* Verify that SSL_ImplementedCiphers and cipherSuites are in consistent order.
210 void ssl3_CheckCipherSuiteOrderConsistency()
214 /* Note that SSL_ImplementedCiphers has more elements than cipherSuites
215 * because it SSL_ImplementedCiphers includes SSL 2.0 cipher suites.
217 PORT_Assert(SSL_NumImplementedCiphers >= PR_ARRAY_SIZE(cipherSuites));
219 for (i = 0; i < PR_ARRAY_SIZE(cipherSuites); ++i) {
220 PORT_Assert(SSL_ImplementedCiphers[i] == cipherSuites[i].cipher_suite);
225 /* This list of SSL3 compression methods is sorted in descending order of
226 * precedence (desirability). It only includes compression methods we
229 static const /*SSLCompressionMethod*/ PRUint8 compressions [] = {
230 #ifdef NSS_ENABLE_ZLIB
231 ssl_compression_deflate,
236 static const int compressionMethodsCount =
237 sizeof(compressions) / sizeof(compressions[0]);
239 /* compressionEnabled returns true iff the compression algorithm is enabled
240 * for the given SSL socket. */
242 compressionEnabled(sslSocket *ss, SSLCompressionMethod compression)
244 switch (compression) {
245 case ssl_compression_null:
246 return PR_TRUE; /* Always enabled */
247 #ifdef NSS_ENABLE_ZLIB
248 case ssl_compression_deflate:
249 return ss->opt.enableDeflate;
256 static const /*SSL3ClientCertificateType */ PRUint8 certificate_types [] = {
258 #ifdef NSS_ENABLE_ECC
260 #endif /* NSS_ENABLE_ECC */
264 /* This block is the contents of the supported_signature_algorithms field of
265 * our TLS 1.2 CertificateRequest message, in wire format. See
266 * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
268 * This block contains only sha256 entries because we only support TLS 1.2
269 * CertificateVerify messages that use the handshake hash. */
270 static const PRUint8 supported_signature_algorithms[] = {
271 tls_hash_sha256, tls_sig_rsa,
272 #ifdef NSS_ENABLE_ECC
273 tls_hash_sha256, tls_sig_ecdsa,
275 tls_hash_sha256, tls_sig_dsa,
278 #define EXPORT_RSA_KEY_LENGTH 64 /* bytes */
281 /* This global item is used only in servers. It is is initialized by
282 ** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest().
284 CERTDistNames *ssl3_server_ca_list = NULL;
285 static SSL3Statistics ssl3stats;
287 /* indexed by SSL3BulkCipher */
288 static const ssl3BulkCipherDef bulk_cipher_defs[] = {
289 /* |--------- Lengths --------| */
290 /* cipher calg k s type i b t n */
296 {cipher_null, calg_null, 0, 0, type_stream, 0, 0, 0, 0},
297 {cipher_rc4, calg_rc4, 16,16, type_stream, 0, 0, 0, 0},
298 {cipher_rc4_40, calg_rc4, 16, 5, type_stream, 0, 0, 0, 0},
299 {cipher_rc4_56, calg_rc4, 16, 7, type_stream, 0, 0, 0, 0},
300 {cipher_rc2, calg_rc2, 16,16, type_block, 8, 8, 0, 0},
301 {cipher_rc2_40, calg_rc2, 16, 5, type_block, 8, 8, 0, 0},
302 {cipher_des, calg_des, 8, 8, type_block, 8, 8, 0, 0},
303 {cipher_3des, calg_3des, 24,24, type_block, 8, 8, 0, 0},
304 {cipher_des40, calg_des, 8, 5, type_block, 8, 8, 0, 0},
305 {cipher_idea, calg_idea, 16,16, type_block, 8, 8, 0, 0},
306 {cipher_aes_128, calg_aes, 16,16, type_block, 16,16, 0, 0},
307 {cipher_aes_256, calg_aes, 32,32, type_block, 16,16, 0, 0},
308 {cipher_camellia_128, calg_camellia, 16,16, type_block, 16,16, 0, 0},
309 {cipher_camellia_256, calg_camellia, 32,32, type_block, 16,16, 0, 0},
310 {cipher_seed, calg_seed, 16,16, type_block, 16,16, 0, 0},
311 {cipher_aes_128_gcm, calg_aes_gcm, 16,16, type_aead, 4, 0,16, 8},
312 {cipher_chacha20, calg_chacha20, 32,32, type_aead, 0, 0,16, 0},
313 {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, 0, 0},
316 static const ssl3KEADef kea_defs[] =
317 { /* indexed by SSL3KeyExchangeAlgorithm */
318 /* kea exchKeyType signKeyType is_limited limit tls_keygen */
319 {kea_null, kt_null, sign_null, PR_FALSE, 0, PR_FALSE},
320 {kea_rsa, kt_rsa, sign_rsa, PR_FALSE, 0, PR_FALSE},
321 {kea_rsa_export, kt_rsa, sign_rsa, PR_TRUE, 512, PR_FALSE},
322 {kea_rsa_export_1024,kt_rsa, sign_rsa, PR_TRUE, 1024, PR_FALSE},
323 {kea_dh_dss, kt_dh, sign_dsa, PR_FALSE, 0, PR_FALSE},
324 {kea_dh_dss_export, kt_dh, sign_dsa, PR_TRUE, 512, PR_FALSE},
325 {kea_dh_rsa, kt_dh, sign_rsa, PR_FALSE, 0, PR_FALSE},
326 {kea_dh_rsa_export, kt_dh, sign_rsa, PR_TRUE, 512, PR_FALSE},
327 {kea_dhe_dss, kt_dh, sign_dsa, PR_FALSE, 0, PR_FALSE},
328 {kea_dhe_dss_export, kt_dh, sign_dsa, PR_TRUE, 512, PR_FALSE},
329 {kea_dhe_rsa, kt_dh, sign_rsa, PR_FALSE, 0, PR_FALSE},
330 {kea_dhe_rsa_export, kt_dh, sign_rsa, PR_TRUE, 512, PR_FALSE},
331 {kea_dh_anon, kt_dh, sign_null, PR_FALSE, 0, PR_FALSE},
332 {kea_dh_anon_export, kt_dh, sign_null, PR_TRUE, 512, PR_FALSE},
333 {kea_rsa_fips, kt_rsa, sign_rsa, PR_FALSE, 0, PR_TRUE },
334 #ifdef NSS_ENABLE_ECC
335 {kea_ecdh_ecdsa, kt_ecdh, sign_ecdsa, PR_FALSE, 0, PR_FALSE},
336 {kea_ecdhe_ecdsa, kt_ecdh, sign_ecdsa, PR_FALSE, 0, PR_FALSE},
337 {kea_ecdh_rsa, kt_ecdh, sign_rsa, PR_FALSE, 0, PR_FALSE},
338 {kea_ecdhe_rsa, kt_ecdh, sign_rsa, PR_FALSE, 0, PR_FALSE},
339 {kea_ecdh_anon, kt_ecdh, sign_null, PR_FALSE, 0, PR_FALSE},
340 #endif /* NSS_ENABLE_ECC */
343 /* must use ssl_LookupCipherSuiteDef to access */
344 static const ssl3CipherSuiteDef cipher_suite_defs[] =
346 /* cipher_suite bulk_cipher_alg mac_alg key_exchange_alg */
348 {SSL_NULL_WITH_NULL_NULL, cipher_null, mac_null, kea_null},
349 {SSL_RSA_WITH_NULL_MD5, cipher_null, mac_md5, kea_rsa},
350 {SSL_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_rsa},
351 {TLS_RSA_WITH_NULL_SHA256, cipher_null, hmac_sha256, kea_rsa},
352 {SSL_RSA_EXPORT_WITH_RC4_40_MD5,cipher_rc4_40, mac_md5, kea_rsa_export},
353 {SSL_RSA_WITH_RC4_128_MD5, cipher_rc4, mac_md5, kea_rsa},
354 {SSL_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_rsa},
355 {SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
356 cipher_rc2_40, mac_md5, kea_rsa_export},
357 #if 0 /* not implemented */
358 {SSL_RSA_WITH_IDEA_CBC_SHA, cipher_idea, mac_sha, kea_rsa},
359 {SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
360 cipher_des40, mac_sha, kea_rsa_export},
362 {SSL_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa},
363 {SSL_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa},
364 {SSL_DHE_DSS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dhe_dss},
365 {SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
366 cipher_3des, mac_sha, kea_dhe_dss},
367 {TLS_DHE_DSS_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_dhe_dss},
368 #if 0 /* not implemented */
369 {SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
370 cipher_des40, mac_sha, kea_dh_dss_export},
371 {SSL_DH_DSS_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_dss},
372 {SSL_DH_DSS_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_dss},
373 {SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
374 cipher_des40, mac_sha, kea_dh_rsa_export},
375 {SSL_DH_RSA_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_rsa},
376 {SSL_DH_RSA_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_rsa},
377 {SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
378 cipher_des40, mac_sha, kea_dh_dss_export},
379 {SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
380 cipher_des40, mac_sha, kea_dh_rsa_export},
382 {SSL_DHE_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dhe_rsa},
383 {SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
384 cipher_3des, mac_sha, kea_dhe_rsa},
386 {SSL_DH_ANON_EXPORT_RC4_40_MD5, cipher_rc4_40, mac_md5, kea_dh_anon_export},
387 {SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA,
388 cipher_des40, mac_sha, kea_dh_anon_export},
389 {SSL_DH_ANON_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_anon},
390 {SSL_DH_ANON_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_anon},
394 /* New TLS cipher suites */
395 {TLS_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_rsa},
396 {TLS_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_rsa},
397 {TLS_DHE_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe_dss},
398 {TLS_DHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe_rsa},
399 {TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_rsa},
400 {TLS_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_rsa},
401 {TLS_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_rsa},
402 {TLS_DHE_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe_dss},
403 {TLS_DHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe_rsa},
404 {TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_rsa},
406 {TLS_DH_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_dss},
407 {TLS_DH_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_rsa},
408 {TLS_DH_ANON_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_anon},
409 {TLS_DH_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_dss},
410 {TLS_DH_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_rsa},
411 {TLS_DH_ANON_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_anon},
414 {TLS_RSA_WITH_SEED_CBC_SHA, cipher_seed, mac_sha, kea_rsa},
416 {TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, cipher_camellia_128, mac_sha, kea_rsa},
417 {TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
418 cipher_camellia_128, mac_sha, kea_dhe_dss},
419 {TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
420 cipher_camellia_128, mac_sha, kea_dhe_rsa},
421 {TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, cipher_camellia_256, mac_sha, kea_rsa},
422 {TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
423 cipher_camellia_256, mac_sha, kea_dhe_dss},
424 {TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
425 cipher_camellia_256, mac_sha, kea_dhe_rsa},
427 {TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
428 cipher_des, mac_sha,kea_rsa_export_1024},
429 {TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
430 cipher_rc4_56, mac_sha,kea_rsa_export_1024},
432 {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips},
433 {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips},
435 {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_rsa},
436 {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa},
437 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa},
438 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa},
439 {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, cipher_chacha20, mac_aead, kea_ecdhe_rsa},
440 {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, cipher_chacha20, mac_aead, kea_ecdhe_ecdsa},
442 #ifdef NSS_ENABLE_ECC
443 {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa},
444 {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa},
445 {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa},
446 {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecdsa},
447 {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecdsa},
449 {TLS_ECDHE_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_ecdsa},
450 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_ecdsa},
451 {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecdsa},
452 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_ecdsa},
453 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ecdhe_ecdsa},
454 {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_ecdsa},
456 {TLS_ECDH_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_rsa},
457 {TLS_ECDH_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_rsa},
458 {TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_rsa},
459 {TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_rsa},
460 {TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_rsa},
462 {TLS_ECDHE_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_rsa},
463 {TLS_ECDHE_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_rsa},
464 {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_rsa},
465 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_rsa},
466 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ecdhe_rsa},
467 {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_rsa},
470 {TLS_ECDH_anon_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_anon},
471 {TLS_ECDH_anon_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_anon},
472 {TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_anon},
473 {TLS_ECDH_anon_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_anon},
474 {TLS_ECDH_anon_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_anon},
476 #endif /* NSS_ENABLE_ECC */
479 static const CK_MECHANISM_TYPE kea_alg_defs[] = {
487 typedef struct SSLCipher2MechStr {
488 SSLCipherAlgorithm calg;
489 CK_MECHANISM_TYPE cmech;
492 /* indexed by type SSLCipherAlgorithm */
493 static const SSLCipher2Mech alg2Mech[] = {
495 { calg_null , (CK_MECHANISM_TYPE)0x80000000L },
496 { calg_rc4 , CKM_RC4 },
497 { calg_rc2 , CKM_RC2_CBC },
498 { calg_des , CKM_DES_CBC },
499 { calg_3des , CKM_DES3_CBC },
500 { calg_idea , CKM_IDEA_CBC },
501 { calg_fortezza , CKM_SKIPJACK_CBC64 },
502 { calg_aes , CKM_AES_CBC },
503 { calg_camellia , CKM_CAMELLIA_CBC },
504 { calg_seed , CKM_SEED_CBC },
505 { calg_aes_gcm , CKM_AES_GCM },
506 { calg_chacha20 , CKM_NSS_CHACHA20_POLY1305 },
507 /* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */
510 #define mmech_invalid (CK_MECHANISM_TYPE)0x80000000L
511 #define mmech_md5 CKM_SSL3_MD5_MAC
512 #define mmech_sha CKM_SSL3_SHA1_MAC
513 #define mmech_md5_hmac CKM_MD5_HMAC
514 #define mmech_sha_hmac CKM_SHA_1_HMAC
515 #define mmech_sha256_hmac CKM_SHA256_HMAC
517 static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */
518 /* pad_size is only used for SSL 3.0 MAC. See RFC 6101 Sec. 5.2.3.1. */
519 /* mac mmech pad_size mac_size */
520 { mac_null, mmech_invalid, 0, 0 },
521 { mac_md5, mmech_md5, 48, MD5_LENGTH },
522 { mac_sha, mmech_sha, 40, SHA1_LENGTH},
523 {hmac_md5, mmech_md5_hmac, 0, MD5_LENGTH },
524 {hmac_sha, mmech_sha_hmac, 0, SHA1_LENGTH},
525 {hmac_sha256, mmech_sha256_hmac, 0, SHA256_LENGTH},
526 { mac_aead, mmech_invalid, 0, 0 },
529 /* indexed by SSL3BulkCipher */
530 const char * const ssl3_cipherName[] = {
550 #ifdef NSS_ENABLE_ECC
551 /* The ECCWrappedKeyInfo structure defines how various pieces of
552 * information are laid out within wrappedSymmetricWrappingkey
553 * for ECDH key exchange. Since wrappedSymmetricWrappingkey is
554 * a 512-byte buffer (see sslimpl.h), the variable length field
555 * in ECCWrappedKeyInfo can be at most (512 - 8) = 504 bytes.
557 * XXX For now, NSS only supports named elliptic curves of size 571 bits
558 * or smaller. The public value will fit within 145 bytes and EC params
559 * will fit within 12 bytes. We'll need to revisit this when NSS
560 * supports arbitrary curves.
562 #define MAX_EC_WRAPPED_KEY_BUFLEN 504
564 typedef struct ECCWrappedKeyInfoStr {
565 PRUint16 size; /* EC public key size in bits */
566 PRUint16 encodedParamLen; /* length (in bytes) of DER encoded EC params */
567 PRUint16 pubValueLen; /* length (in bytes) of EC public value */
568 PRUint16 wrappedKeyLen; /* length (in bytes) of the wrapped key */
569 PRUint8 var[MAX_EC_WRAPPED_KEY_BUFLEN]; /* this buffer contains the */
570 /* EC public-key params, the EC public value and the wrapped key */
572 #endif /* NSS_ENABLE_ECC */
577 ssl3_DecodeHandshakeType(int msgType)
580 static char line[40];
583 case hello_request: rv = "hello_request (0)"; break;
584 case client_hello: rv = "client_hello (1)"; break;
585 case server_hello: rv = "server_hello (2)"; break;
586 case hello_verify_request: rv = "hello_verify_request (3)"; break;
587 case certificate: rv = "certificate (11)"; break;
588 case server_key_exchange: rv = "server_key_exchange (12)"; break;
589 case certificate_request: rv = "certificate_request (13)"; break;
590 case server_hello_done: rv = "server_hello_done (14)"; break;
591 case certificate_verify: rv = "certificate_verify (15)"; break;
592 case client_key_exchange: rv = "client_key_exchange (16)"; break;
593 case finished: rv = "finished (20)"; break;
595 sprintf(line, "*UNKNOWN* handshake type! (%d)", msgType);
602 ssl3_DecodeContentType(int msgType)
605 static char line[40];
608 case content_change_cipher_spec:
609 rv = "change_cipher_spec (20)"; break;
610 case content_alert: rv = "alert (21)"; break;
611 case content_handshake: rv = "handshake (22)"; break;
612 case content_application_data:
613 rv = "application_data (23)"; break;
615 sprintf(line, "*UNKNOWN* record type! (%d)", msgType);
624 SSL_GetStatistics(void)
629 typedef struct tooLongStr {
630 #if defined(IS_LITTLE_ENDIAN)
639 void SSL_AtomicIncrementLong(long * x)
641 if ((sizeof *x) == sizeof(PRInt32)) {
642 PR_ATOMIC_INCREMENT((PRInt32 *)x);
644 tooLong * tl = (tooLong *)x;
645 if (PR_ATOMIC_INCREMENT(&tl->low) == 0)
646 PR_ATOMIC_INCREMENT(&tl->high);
651 ssl3_CipherSuiteAllowedForVersionRange(
652 ssl3CipherSuite cipherSuite,
653 const SSLVersionRange *vrange)
655 switch (cipherSuite) {
656 /* See RFC 4346 A.5. Export cipher suites must not be used in TLS 1.1 or
657 * later. This set of cipher suites is similar to, but different from, the
658 * set of cipher suites considered exportable by SSL_IsExportCipherSuite.
660 case SSL_RSA_EXPORT_WITH_RC4_40_MD5:
661 case SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5:
662 /* SSL_RSA_EXPORT_WITH_DES40_CBC_SHA: never implemented
663 * SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA: never implemented
664 * SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA: never implemented
665 * SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA: never implemented
666 * SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA: never implemented
667 * SSL_DH_ANON_EXPORT_WITH_RC4_40_MD5: never implemented
668 * SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA: never implemented
670 return vrange->min <= SSL_LIBRARY_VERSION_TLS_1_0;
671 case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305:
672 case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305:
673 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
674 case TLS_RSA_WITH_AES_256_CBC_SHA256:
675 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
676 case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
677 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
678 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
679 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
680 case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
681 case TLS_RSA_WITH_AES_128_CBC_SHA256:
682 case TLS_RSA_WITH_AES_128_GCM_SHA256:
683 case TLS_RSA_WITH_NULL_SHA256:
684 return vrange->max >= SSL_LIBRARY_VERSION_TLS_1_2;
690 /* return pointer to ssl3CipherSuiteDef for suite, or NULL */
691 /* XXX This does a linear search. A binary search would be better. */
692 static const ssl3CipherSuiteDef *
693 ssl_LookupCipherSuiteDef(ssl3CipherSuite suite)
695 int cipher_suite_def_len =
696 sizeof(cipher_suite_defs) / sizeof(cipher_suite_defs[0]);
699 for (i = 0; i < cipher_suite_def_len; i++) {
700 if (cipher_suite_defs[i].cipher_suite == suite)
701 return &cipher_suite_defs[i];
703 PORT_Assert(PR_FALSE); /* We should never get here. */
704 PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
708 /* Find the cipher configuration struct associate with suite */
709 /* XXX This does a linear search. A binary search would be better. */
710 static ssl3CipherSuiteCfg *
711 ssl_LookupCipherSuiteCfg(ssl3CipherSuite suite, ssl3CipherSuiteCfg *suites)
715 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
716 if (suites[i].cipher_suite == suite)
719 /* return NULL and let the caller handle it. */
720 PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
725 /* Initialize the suite->isPresent value for config_match
726 * Returns count of enabled ciphers supported by extant tokens,
727 * regardless of policy or user preference.
728 * If this returns zero, the user cannot do SSL v3.
731 ssl3_config_match_init(sslSocket *ss)
733 ssl3CipherSuiteCfg * suite;
734 const ssl3CipherSuiteDef *cipher_def;
735 SSLCipherAlgorithm cipher_alg;
736 CK_MECHANISM_TYPE cipher_mech;
737 SSL3KEAType exchKeyType;
742 sslServerCerts *svrAuth;
746 PORT_SetError(SEC_ERROR_INVALID_ARGS);
749 if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
752 isServer = (PRBool)(ss->sec.isServer != 0);
754 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
755 suite = &ss->cipherSuites[i];
756 if (suite->enabled) {
758 /* We need the cipher defs to see if we have a token that can handle
759 * this cipher. It isn't part of the static definition.
761 cipher_def = ssl_LookupCipherSuiteDef(suite->cipher_suite);
763 suite->isPresent = PR_FALSE;
766 cipher_alg = bulk_cipher_defs[cipher_def->bulk_cipher_alg].calg;
767 PORT_Assert( alg2Mech[cipher_alg].calg == cipher_alg);
768 cipher_mech = alg2Mech[cipher_alg].cmech;
770 kea_defs[cipher_def->key_exchange_alg].exchKeyType;
771 #ifndef NSS_ENABLE_ECC
772 svrAuth = ss->serverCerts + exchKeyType;
774 /* XXX SSLKEAType isn't really a good choice for
775 * indexing certificates. It doesn't work for
776 * (EC)DHE-* ciphers. Here we use a hack to ensure
777 * that the server uses an RSA cert for (EC)DHE-RSA.
779 switch (cipher_def->key_exchange_alg) {
781 #if NSS_SERVER_DHE_IMPLEMENTED
782 /* XXX NSS does not yet implement the server side of _DHE_
783 * cipher suites. Correcting the computation for svrAuth,
784 * as the case below does, causes NSS SSL servers to begin to
785 * negotiate cipher suites they do not implement. So, until
786 * server side _DHE_ is implemented, keep this disabled.
790 svrAuth = ss->serverCerts + kt_rsa;
795 * XXX We ought to have different indices for
796 * ECDSA- and RSA-signed EC certificates so
797 * we could support both key exchange mechanisms
798 * simultaneously. For now, both of them use
799 * whatever is in the certificate slot for kt_ecdh
802 svrAuth = ss->serverCerts + exchKeyType;
805 #endif /* NSS_ENABLE_ECC */
807 /* Mark the suites that are backed by real tokens, certs and keys */
808 suite->isPresent = (PRBool)
809 (((exchKeyType == kt_null) ||
810 ((!isServer || (svrAuth->serverKeyPair &&
811 svrAuth->SERVERKEY &&
812 svrAuth->serverCertChain)) &&
813 PK11_TokenExists(kea_alg_defs[exchKeyType]))) &&
814 ((cipher_alg == calg_null) || PK11_TokenExists(cipher_mech)));
815 if (suite->isPresent)
819 PORT_Assert(numPresent > 0 || numEnabled == 0);
820 if (numPresent <= 0) {
821 PORT_SetError(SSL_ERROR_NO_CIPHERS_SUPPORTED);
827 /* return PR_TRUE if suite matches policy, enabled state and is applicable to
828 * the given version range. */
829 /* It would be a REALLY BAD THING (tm) if we ever permitted the use
830 ** of a cipher that was NOT_ALLOWED. So, if this is ever called with
831 ** policy == SSL_NOT_ALLOWED, report no match.
833 /* adjust suite enabled to the availability of a token that can do the
836 config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled,
837 const SSLVersionRange *vrange)
839 PORT_Assert(policy != SSL_NOT_ALLOWED && enabled != PR_FALSE);
840 if (policy == SSL_NOT_ALLOWED || !enabled)
842 return (PRBool)(suite->enabled &&
844 suite->policy != SSL_NOT_ALLOWED &&
845 suite->policy <= policy &&
846 ssl3_CipherSuiteAllowedForVersionRange(
847 suite->cipher_suite, vrange));
850 /* return number of cipher suites that match policy, enabled state and are
851 * applicable for the configured protocol version range. */
852 /* called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */
854 count_cipher_suites(sslSocket *ss, int policy, PRBool enabled)
858 if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
861 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
862 if (config_match(&ss->cipherSuites[i], policy, enabled, &ss->vrange))
866 PORT_SetError(SSL_ERROR_SSL_DISABLED);
872 * Null compression, mac and encryption functions
876 Null_Cipher(void *ctx, unsigned char *output, int *outputLen, int maxOutputLen,
877 const unsigned char *input, int inputLen)
879 if (inputLen > maxOutputLen) {
880 *outputLen = 0; /* Match PK11_CipherOp in setting outputLen */
881 PORT_SetError(SEC_ERROR_OUTPUT_LEN);
884 *outputLen = inputLen;
886 PORT_Memcpy(output, input, inputLen);
891 * SSL3 Utility functions
894 /* allowLargerPeerVersion controls whether the function will select the
895 * highest enabled SSL version or fail when peerVersion is greater than the
896 * highest enabled version.
898 * If allowLargerPeerVersion is true, peerVersion is the peer's highest
899 * enabled version rather than the peer's selected version.
902 ssl3_NegotiateVersion(sslSocket *ss, SSL3ProtocolVersion peerVersion,
903 PRBool allowLargerPeerVersion)
905 if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
906 PORT_SetError(SSL_ERROR_SSL_DISABLED);
910 if (peerVersion < ss->vrange.min ||
911 (peerVersion > ss->vrange.max && !allowLargerPeerVersion)) {
912 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
916 ss->version = PR_MIN(peerVersion, ss->vrange.max);
917 PORT_Assert(ssl3_VersionIsSupported(ss->protocolVariant, ss->version));
923 ssl3_GetNewRandom(SSL3Random *random)
927 /* first 4 bytes are reserverd for time */
928 rv = PK11_GenerateRandom(random->rand, SSL3_RANDOM_LENGTH);
929 if (rv != SECSuccess) {
930 ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
935 /* Called by ssl3_SendServerKeyExchange and ssl3_SendCertificateVerify */
937 ssl3_SignHashes(SSL3Hashes *hash, SECKEYPrivateKey *key, SECItem *buf,
940 SECStatus rv = SECFailure;
941 PRBool doDerEncode = PR_FALSE;
947 switch (key->keyType) {
949 hashItem.data = hash->u.raw;
950 hashItem.len = hash->len;
954 /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash.
955 * In that case, we use just the SHA1 part. */
956 if (hash->hashAlg == SEC_OID_UNKNOWN) {
957 hashItem.data = hash->u.s.sha;
958 hashItem.len = sizeof(hash->u.s.sha);
960 hashItem.data = hash->u.raw;
961 hashItem.len = hash->len;
964 #ifdef NSS_ENABLE_ECC
966 doDerEncode = PR_TRUE;
967 /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash.
968 * In that case, we use just the SHA1 part. */
969 if (hash->hashAlg == SEC_OID_UNKNOWN) {
970 hashItem.data = hash->u.s.sha;
971 hashItem.len = sizeof(hash->u.s.sha);
973 hashItem.data = hash->u.raw;
974 hashItem.len = hash->len;
977 #endif /* NSS_ENABLE_ECC */
979 PORT_SetError(SEC_ERROR_INVALID_KEY);
982 PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len));
984 if (hash->hashAlg == SEC_OID_UNKNOWN) {
985 signatureLen = PK11_SignatureLen(key);
986 if (signatureLen <= 0) {
987 PORT_SetError(SEC_ERROR_INVALID_KEY);
991 buf->len = (unsigned)signatureLen;
992 buf->data = (unsigned char *)PORT_Alloc(signatureLen);
994 goto done; /* error code was set. */
996 rv = PK11_Sign(key, buf, &hashItem);
998 rv = SGN_Digest(key, hash->hashAlg, buf, &hashItem);
1000 if (rv != SECSuccess) {
1001 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE);
1002 } else if (doDerEncode) {
1003 SECItem derSig = {siBuffer, NULL, 0};
1005 /* This also works for an ECDSA signature */
1006 rv = DSAU_EncodeDerSigWithLen(&derSig, buf, buf->len);
1007 if (rv == SECSuccess) {
1008 PORT_Free(buf->data); /* discard unencoded signature. */
1009 *buf = derSig; /* give caller encoded signature. */
1010 } else if (derSig.data) {
1011 PORT_Free(derSig.data);
1015 PRINT_BUF(60, (NULL, "signed hashes", (unsigned char*)buf->data, buf->len));
1017 if (rv != SECSuccess && buf->data) {
1018 PORT_Free(buf->data);
1024 /* Called from ssl3_HandleServerKeyExchange, ssl3_HandleCertificateVerify */
1026 ssl3_VerifySignedHashes(SSL3Hashes *hash, CERTCertificate *cert,
1027 SECItem *buf, PRBool isTLS, void *pwArg)
1029 SECKEYPublicKey * key;
1030 SECItem * signature = NULL;
1037 PRINT_BUF(60, (NULL, "check signed hashes",
1038 buf->data, buf->len));
1040 key = CERT_ExtractPublicKey(cert);
1042 ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
1046 hashAlg = hash->hashAlg;
1047 switch (key->keyType) {
1049 encAlg = SEC_OID_PKCS1_RSA_ENCRYPTION;
1050 hashItem.data = hash->u.raw;
1051 hashItem.len = hash->len;
1054 encAlg = SEC_OID_ANSIX9_DSA_SIGNATURE;
1055 /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash.
1056 * In that case, we use just the SHA1 part. */
1057 if (hash->hashAlg == SEC_OID_UNKNOWN) {
1058 hashItem.data = hash->u.s.sha;
1059 hashItem.len = sizeof(hash->u.s.sha);
1061 hashItem.data = hash->u.raw;
1062 hashItem.len = hash->len;
1064 /* Allow DER encoded DSA signatures in SSL 3.0 */
1065 if (isTLS || buf->len != SECKEY_SignatureLen(key)) {
1066 signature = DSAU_DecodeDerSigToLen(buf, SECKEY_SignatureLen(key));
1068 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
1075 #ifdef NSS_ENABLE_ECC
1077 encAlg = SEC_OID_ANSIX962_EC_PUBLIC_KEY;
1078 /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash.
1079 * In that case, we use just the SHA1 part.
1080 * ECDSA signatures always encode the integers r and s using ASN.1
1081 * (unlike DSA where ASN.1 encoding is used with TLS but not with
1082 * SSL3). So we can use VFY_VerifyDigestDirect for ECDSA.
1084 if (hash->hashAlg == SEC_OID_UNKNOWN) {
1085 hashAlg = SEC_OID_SHA1;
1086 hashItem.data = hash->u.s.sha;
1087 hashItem.len = sizeof(hash->u.s.sha);
1089 hashItem.data = hash->u.raw;
1090 hashItem.len = hash->len;
1093 #endif /* NSS_ENABLE_ECC */
1096 SECKEY_DestroyPublicKey(key);
1097 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
1101 PRINT_BUF(60, (NULL, "hash(es) to be verified",
1102 hashItem.data, hashItem.len));
1104 if (hashAlg == SEC_OID_UNKNOWN || key->keyType == dsaKey) {
1105 /* VFY_VerifyDigestDirect requires DSA signatures to be DER-encoded.
1106 * DSA signatures are DER-encoded in TLS but not in SSL3 and the code
1107 * above always removes the DER encoding of DSA signatures when
1108 * present. Thus DSA signatures are always verified with PK11_Verify.
1110 rv = PK11_Verify(key, buf, &hashItem, pwArg);
1112 rv = VFY_VerifyDigestDirect(&hashItem, key, buf, encAlg, hashAlg,
1115 SECKEY_DestroyPublicKey(key);
1117 SECITEM_FreeItem(signature, PR_TRUE);
1119 if (rv != SECSuccess) {
1120 ssl_MapLowLevelError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
1126 /* Caller must set hiLevel error code. */
1127 /* Called from ssl3_ComputeExportRSAKeyHash
1128 * ssl3_ComputeDHKeyHash
1129 * which are called from ssl3_HandleServerKeyExchange.
1131 * hashAlg: either the OID for a hash algorithm or SEC_OID_UNKNOWN to specify
1132 * the pre-1.2, MD5/SHA1 combination hash.
1135 ssl3_ComputeCommonKeyHash(SECOidTag hashAlg,
1136 PRUint8 * hashBuf, unsigned int bufLen,
1137 SSL3Hashes *hashes, PRBool bypassPKCS11)
1139 SECStatus rv = SECSuccess;
1141 #ifndef NO_PKCS11_BYPASS
1143 if (hashAlg == SEC_OID_UNKNOWN) {
1144 MD5_HashBuf (hashes->u.s.md5, hashBuf, bufLen);
1145 SHA1_HashBuf(hashes->u.s.sha, hashBuf, bufLen);
1146 hashes->len = MD5_LENGTH + SHA1_LENGTH;
1147 } else if (hashAlg == SEC_OID_SHA1) {
1148 SHA1_HashBuf(hashes->u.raw, hashBuf, bufLen);
1149 hashes->len = SHA1_LENGTH;
1150 } else if (hashAlg == SEC_OID_SHA256) {
1151 SHA256_HashBuf(hashes->u.raw, hashBuf, bufLen);
1152 hashes->len = SHA256_LENGTH;
1153 } else if (hashAlg == SEC_OID_SHA384) {
1154 SHA384_HashBuf(hashes->u.raw, hashBuf, bufLen);
1155 hashes->len = SHA384_LENGTH;
1156 } else if (hashAlg == SEC_OID_SHA512) {
1157 SHA512_HashBuf(hashes->u.raw, hashBuf, bufLen);
1158 hashes->len = SHA512_LENGTH;
1160 PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
1166 if (hashAlg == SEC_OID_UNKNOWN) {
1167 rv = PK11_HashBuf(SEC_OID_MD5, hashes->u.s.md5, hashBuf, bufLen);
1168 if (rv != SECSuccess) {
1169 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
1174 rv = PK11_HashBuf(SEC_OID_SHA1, hashes->u.s.sha, hashBuf, bufLen);
1175 if (rv != SECSuccess) {
1176 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
1179 hashes->len = MD5_LENGTH + SHA1_LENGTH;
1181 hashes->len = HASH_ResultLenByOidTag(hashAlg);
1182 if (hashes->len > sizeof(hashes->u.raw)) {
1183 ssl_MapLowLevelError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
1187 rv = PK11_HashBuf(hashAlg, hashes->u.raw, hashBuf, bufLen);
1188 if (rv != SECSuccess) {
1189 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
1194 hashes->hashAlg = hashAlg;
1200 /* Caller must set hiLevel error code.
1201 ** Called from ssl3_SendServerKeyExchange and
1202 ** ssl3_HandleServerKeyExchange.
1205 ssl3_ComputeExportRSAKeyHash(SECOidTag hashAlg,
1206 SECItem modulus, SECItem publicExponent,
1207 SSL3Random *client_rand, SSL3Random *server_rand,
1208 SSL3Hashes *hashes, PRBool bypassPKCS11)
1212 SECStatus rv = SECSuccess;
1213 unsigned int bufLen;
1214 PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8];
1216 bufLen = 2*SSL3_RANDOM_LENGTH + 2 + modulus.len + 2 + publicExponent.len;
1217 if (bufLen <= sizeof buf) {
1220 hashBuf = PORT_Alloc(bufLen);
1226 memcpy(hashBuf, client_rand, SSL3_RANDOM_LENGTH);
1227 pBuf = hashBuf + SSL3_RANDOM_LENGTH;
1228 memcpy(pBuf, server_rand, SSL3_RANDOM_LENGTH);
1229 pBuf += SSL3_RANDOM_LENGTH;
1230 pBuf[0] = (PRUint8)(modulus.len >> 8);
1231 pBuf[1] = (PRUint8)(modulus.len);
1233 memcpy(pBuf, modulus.data, modulus.len);
1234 pBuf += modulus.len;
1235 pBuf[0] = (PRUint8)(publicExponent.len >> 8);
1236 pBuf[1] = (PRUint8)(publicExponent.len);
1238 memcpy(pBuf, publicExponent.data, publicExponent.len);
1239 pBuf += publicExponent.len;
1240 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen);
1242 rv = ssl3_ComputeCommonKeyHash(hashAlg, hashBuf, bufLen, hashes,
1245 PRINT_BUF(95, (NULL, "RSAkey hash: ", hashBuf, bufLen));
1246 if (hashAlg == SEC_OID_UNKNOWN) {
1247 PRINT_BUF(95, (NULL, "RSAkey hash: MD5 result",
1248 hashes->u.s.md5, MD5_LENGTH));
1249 PRINT_BUF(95, (NULL, "RSAkey hash: SHA1 result",
1250 hashes->u.s.sha, SHA1_LENGTH));
1252 PRINT_BUF(95, (NULL, "RSAkey hash: result",
1253 hashes->u.raw, hashes->len));
1256 if (hashBuf != buf && hashBuf != NULL)
1261 /* Caller must set hiLevel error code. */
1262 /* Called from ssl3_HandleServerKeyExchange. */
1264 ssl3_ComputeDHKeyHash(SECOidTag hashAlg,
1265 SECItem dh_p, SECItem dh_g, SECItem dh_Ys,
1266 SSL3Random *client_rand, SSL3Random *server_rand,
1267 SSL3Hashes *hashes, PRBool bypassPKCS11)
1271 SECStatus rv = SECSuccess;
1272 unsigned int bufLen;
1273 PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8];
1275 bufLen = 2*SSL3_RANDOM_LENGTH + 2 + dh_p.len + 2 + dh_g.len + 2 + dh_Ys.len;
1276 if (bufLen <= sizeof buf) {
1279 hashBuf = PORT_Alloc(bufLen);
1285 memcpy(hashBuf, client_rand, SSL3_RANDOM_LENGTH);
1286 pBuf = hashBuf + SSL3_RANDOM_LENGTH;
1287 memcpy(pBuf, server_rand, SSL3_RANDOM_LENGTH);
1288 pBuf += SSL3_RANDOM_LENGTH;
1289 pBuf[0] = (PRUint8)(dh_p.len >> 8);
1290 pBuf[1] = (PRUint8)(dh_p.len);
1292 memcpy(pBuf, dh_p.data, dh_p.len);
1294 pBuf[0] = (PRUint8)(dh_g.len >> 8);
1295 pBuf[1] = (PRUint8)(dh_g.len);
1297 memcpy(pBuf, dh_g.data, dh_g.len);
1299 pBuf[0] = (PRUint8)(dh_Ys.len >> 8);
1300 pBuf[1] = (PRUint8)(dh_Ys.len);
1302 memcpy(pBuf, dh_Ys.data, dh_Ys.len);
1304 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen);
1306 rv = ssl3_ComputeCommonKeyHash(hashAlg, hashBuf, bufLen, hashes,
1309 PRINT_BUF(95, (NULL, "DHkey hash: ", hashBuf, bufLen));
1310 if (hashAlg == SEC_OID_UNKNOWN) {
1311 PRINT_BUF(95, (NULL, "DHkey hash: MD5 result",
1312 hashes->u.s.md5, MD5_LENGTH));
1313 PRINT_BUF(95, (NULL, "DHkey hash: SHA1 result",
1314 hashes->u.s.sha, SHA1_LENGTH));
1316 PRINT_BUF(95, (NULL, "DHkey hash: result",
1317 hashes->u.raw, hashes->len));
1320 if (hashBuf != buf && hashBuf != NULL)
1326 ssl3_BumpSequenceNumber(SSL3SequenceNumber *num)
1333 /* Called twice, only from ssl3_DestroyCipherSpec (immediately below). */
1335 ssl3_CleanupKeyMaterial(ssl3KeyMaterial *mat)
1337 if (mat->write_key != NULL) {
1338 PK11_FreeSymKey(mat->write_key);
1339 mat->write_key = NULL;
1341 if (mat->write_mac_key != NULL) {
1342 PK11_FreeSymKey(mat->write_mac_key);
1343 mat->write_mac_key = NULL;
1345 if (mat->write_mac_context != NULL) {
1346 PK11_DestroyContext(mat->write_mac_context, PR_TRUE);
1347 mat->write_mac_context = NULL;
1351 /* Called from ssl3_SendChangeCipherSpecs() and
1352 ** ssl3_HandleChangeCipherSpecs()
1353 ** ssl3_DestroySSL3Info
1354 ** Caller must hold SpecWriteLock.
1357 ssl3_DestroyCipherSpec(ssl3CipherSpec *spec, PRBool freeSrvName)
1359 PRBool freeit = (PRBool)(!spec->bypassCiphers);
1360 /* PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); Don't have ss! */
1361 if (spec->destroy) {
1362 spec->destroy(spec->encodeContext, freeit);
1363 spec->destroy(spec->decodeContext, freeit);
1364 spec->encodeContext = NULL; /* paranoia */
1365 spec->decodeContext = NULL;
1367 if (spec->destroyCompressContext && spec->compressContext) {
1368 spec->destroyCompressContext(spec->compressContext, 1);
1369 spec->compressContext = NULL;
1371 if (spec->destroyDecompressContext && spec->decompressContext) {
1372 spec->destroyDecompressContext(spec->decompressContext, 1);
1373 spec->decompressContext = NULL;
1375 if (freeSrvName && spec->srvVirtName.data) {
1376 SECITEM_FreeItem(&spec->srvVirtName, PR_FALSE);
1378 if (spec->master_secret != NULL) {
1379 PK11_FreeSymKey(spec->master_secret);
1380 spec->master_secret = NULL;
1382 spec->msItem.data = NULL;
1383 spec->msItem.len = 0;
1384 ssl3_CleanupKeyMaterial(&spec->client);
1385 ssl3_CleanupKeyMaterial(&spec->server);
1386 spec->bypassCiphers = PR_FALSE;
1388 spec->destroyCompressContext = NULL;
1389 spec->destroyDecompressContext = NULL;
1392 /* Fill in the pending cipher spec with info from the selected ciphersuite.
1393 ** This is as much initialization as we can do without having key material.
1394 ** Called from ssl3_HandleServerHello(), ssl3_SendServerHello()
1395 ** Caller must hold the ssl3 handshake lock.
1396 ** Acquires & releases SpecWriteLock.
1399 ssl3_SetupPendingCipherSpec(sslSocket *ss)
1401 ssl3CipherSpec * pwSpec;
1402 ssl3CipherSpec * cwSpec;
1403 ssl3CipherSuite suite = ss->ssl3.hs.cipher_suite;
1404 SSL3MACAlgorithm mac;
1405 SSL3BulkCipher cipher;
1406 SSL3KeyExchangeAlgorithm kea;
1407 const ssl3CipherSuiteDef *suite_def;
1410 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
1412 ssl_GetSpecWriteLock(ss); /*******************************/
1414 pwSpec = ss->ssl3.pwSpec;
1415 PORT_Assert(pwSpec == ss->ssl3.prSpec);
1417 /* This hack provides maximal interoperability with SSL 3 servers. */
1418 cwSpec = ss->ssl3.cwSpec;
1419 if (cwSpec->mac_def->mac == mac_null) {
1420 /* SSL records are not being MACed. */
1421 cwSpec->version = ss->version;
1424 pwSpec->version = ss->version;
1425 isTLS = (PRBool)(pwSpec->version > SSL_LIBRARY_VERSION_3_0);
1427 SSL_TRC(3, ("%d: SSL3[%d]: Set XXX Pending Cipher Suite to 0x%04x",
1428 SSL_GETPID(), ss->fd, suite));
1430 suite_def = ssl_LookupCipherSuiteDef(suite);
1431 if (suite_def == NULL) {
1432 ssl_ReleaseSpecWriteLock(ss);
1433 return SECFailure; /* error code set by ssl_LookupCipherSuiteDef */
1437 /* Double-check that we did not pick an RC4 suite */
1438 PORT_Assert((suite_def->bulk_cipher_alg != cipher_rc4) &&
1439 (suite_def->bulk_cipher_alg != cipher_rc4_40) &&
1440 (suite_def->bulk_cipher_alg != cipher_rc4_56));
1443 cipher = suite_def->bulk_cipher_alg;
1444 kea = suite_def->key_exchange_alg;
1445 mac = suite_def->mac_alg;
1446 if (mac <= ssl_mac_sha && mac != ssl_mac_null && isTLS)
1449 ss->ssl3.hs.suite_def = suite_def;
1450 ss->ssl3.hs.kea_def = &kea_defs[kea];
1451 PORT_Assert(ss->ssl3.hs.kea_def->kea == kea);
1453 pwSpec->cipher_def = &bulk_cipher_defs[cipher];
1454 PORT_Assert(pwSpec->cipher_def->cipher == cipher);
1456 pwSpec->mac_def = &mac_defs[mac];
1457 PORT_Assert(pwSpec->mac_def->mac == mac);
1459 ss->sec.keyBits = pwSpec->cipher_def->key_size * BPB;
1460 ss->sec.secretKeyBits = pwSpec->cipher_def->secret_key_size * BPB;
1461 ss->sec.cipherType = cipher;
1463 pwSpec->encodeContext = NULL;
1464 pwSpec->decodeContext = NULL;
1466 pwSpec->mac_size = pwSpec->mac_def->mac_size;
1468 pwSpec->compression_method = ss->ssl3.hs.compression;
1469 pwSpec->compressContext = NULL;
1470 pwSpec->decompressContext = NULL;
1472 ssl_ReleaseSpecWriteLock(ss); /*******************************/
1476 #ifdef NSS_ENABLE_ZLIB
1477 #define SSL3_DEFLATE_CONTEXT_SIZE sizeof(z_stream)
1480 ssl3_MapZlibError(int zlib_error)
1482 switch (zlib_error) {
1491 ssl3_DeflateInit(void *void_context)
1493 z_stream *context = void_context;
1494 context->zalloc = NULL;
1495 context->zfree = NULL;
1496 context->opaque = NULL;
1498 return ssl3_MapZlibError(deflateInit(context, Z_DEFAULT_COMPRESSION));
1502 ssl3_InflateInit(void *void_context)
1504 z_stream *context = void_context;
1505 context->zalloc = NULL;
1506 context->zfree = NULL;
1507 context->opaque = NULL;
1508 context->next_in = NULL;
1509 context->avail_in = 0;
1511 return ssl3_MapZlibError(inflateInit(context));
1515 ssl3_DeflateCompress(void *void_context, unsigned char *out, int *out_len,
1516 int maxout, const unsigned char *in, int inlen)
1518 z_stream *context = void_context;
1525 context->next_in = (unsigned char*) in;
1526 context->avail_in = inlen;
1527 context->next_out = out;
1528 context->avail_out = maxout;
1529 if (deflate(context, Z_SYNC_FLUSH) != Z_OK) {
1532 if (context->avail_out == 0) {
1533 /* We ran out of space! */
1534 SSL_TRC(3, ("%d: SSL3[%d] Ran out of buffer while compressing",
1539 *out_len = maxout - context->avail_out;
1544 ssl3_DeflateDecompress(void *void_context, unsigned char *out, int *out_len,
1545 int maxout, const unsigned char *in, int inlen)
1547 z_stream *context = void_context;
1554 context->next_in = (unsigned char*) in;
1555 context->avail_in = inlen;
1556 context->next_out = out;
1557 context->avail_out = maxout;
1558 if (inflate(context, Z_SYNC_FLUSH) != Z_OK) {
1559 PORT_SetError(SSL_ERROR_DECOMPRESSION_FAILURE);
1563 *out_len = maxout - context->avail_out;
1568 ssl3_DestroyCompressContext(void *void_context, PRBool unused)
1570 deflateEnd(void_context);
1571 PORT_Free(void_context);
1576 ssl3_DestroyDecompressContext(void *void_context, PRBool unused)
1578 inflateEnd(void_context);
1579 PORT_Free(void_context);
1583 #endif /* NSS_ENABLE_ZLIB */
1585 /* Initialize the compression functions and contexts for the given
1588 ssl3_InitCompressionContext(ssl3CipherSpec *pwSpec)
1590 /* Setup the compression functions */
1591 switch (pwSpec->compression_method) {
1592 case ssl_compression_null:
1593 pwSpec->compressor = NULL;
1594 pwSpec->decompressor = NULL;
1595 pwSpec->compressContext = NULL;
1596 pwSpec->decompressContext = NULL;
1597 pwSpec->destroyCompressContext = NULL;
1598 pwSpec->destroyDecompressContext = NULL;
1600 #ifdef NSS_ENABLE_ZLIB
1601 case ssl_compression_deflate:
1602 pwSpec->compressor = ssl3_DeflateCompress;
1603 pwSpec->decompressor = ssl3_DeflateDecompress;
1604 pwSpec->compressContext = PORT_Alloc(SSL3_DEFLATE_CONTEXT_SIZE);
1605 pwSpec->decompressContext = PORT_Alloc(SSL3_DEFLATE_CONTEXT_SIZE);
1606 pwSpec->destroyCompressContext = ssl3_DestroyCompressContext;
1607 pwSpec->destroyDecompressContext = ssl3_DestroyDecompressContext;
1608 ssl3_DeflateInit(pwSpec->compressContext);
1609 ssl3_InflateInit(pwSpec->decompressContext);
1611 #endif /* NSS_ENABLE_ZLIB */
1614 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1621 #ifndef NO_PKCS11_BYPASS
1622 /* Initialize encryption contexts for pending spec.
1623 * MAC contexts are set up when computing the mac, not here.
1624 * Master Secret already is derived in spec->msItem
1625 * Caller holds Spec write lock.
1628 ssl3_InitPendingContextsBypass(sslSocket *ss)
1630 ssl3CipherSpec * pwSpec;
1631 const ssl3BulkCipherDef *cipher_def;
1632 void * serverContext = NULL;
1633 void * clientContext = NULL;
1634 BLapiInitContextFunc initFn = (BLapiInitContextFunc)NULL;
1636 unsigned int optArg1 = 0;
1637 unsigned int optArg2 = 0;
1638 PRBool server_encrypts = ss->sec.isServer;
1639 SSLCipherAlgorithm calg;
1642 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
1643 PORT_Assert(ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
1644 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
1646 pwSpec = ss->ssl3.pwSpec;
1647 cipher_def = pwSpec->cipher_def;
1649 calg = cipher_def->calg;
1651 if (calg == ssl_calg_aes_gcm) {
1652 pwSpec->encode = NULL;
1653 pwSpec->decode = NULL;
1654 pwSpec->destroy = NULL;
1655 pwSpec->encodeContext = NULL;
1656 pwSpec->decodeContext = NULL;
1657 pwSpec->aead = ssl3_AESGCMBypass;
1658 ssl3_InitCompressionContext(pwSpec);
1662 serverContext = pwSpec->server.cipher_context;
1663 clientContext = pwSpec->client.cipher_context;
1667 pwSpec->encode = Null_Cipher;
1668 pwSpec->decode = Null_Cipher;
1669 pwSpec->destroy = NULL;
1673 initFn = (BLapiInitContextFunc)RC4_InitContext;
1674 pwSpec->encode = (SSLCipher) RC4_Encrypt;
1675 pwSpec->decode = (SSLCipher) RC4_Decrypt;
1676 pwSpec->destroy = (SSLDestroy) RC4_DestroyContext;
1679 initFn = (BLapiInitContextFunc)RC2_InitContext;
1681 optArg1 = cipher_def->key_size;
1682 pwSpec->encode = (SSLCipher) RC2_Encrypt;
1683 pwSpec->decode = (SSLCipher) RC2_Decrypt;
1684 pwSpec->destroy = (SSLDestroy) RC2_DestroyContext;
1687 initFn = (BLapiInitContextFunc)DES_InitContext;
1689 optArg1 = server_encrypts;
1690 pwSpec->encode = (SSLCipher) DES_Encrypt;
1691 pwSpec->decode = (SSLCipher) DES_Decrypt;
1692 pwSpec->destroy = (SSLDestroy) DES_DestroyContext;
1695 initFn = (BLapiInitContextFunc)DES_InitContext;
1696 mode = NSS_DES_EDE3_CBC;
1697 optArg1 = server_encrypts;
1698 pwSpec->encode = (SSLCipher) DES_Encrypt;
1699 pwSpec->decode = (SSLCipher) DES_Decrypt;
1700 pwSpec->destroy = (SSLDestroy) DES_DestroyContext;
1703 initFn = (BLapiInitContextFunc)AES_InitContext;
1705 optArg1 = server_encrypts;
1706 optArg2 = AES_BLOCK_SIZE;
1707 pwSpec->encode = (SSLCipher) AES_Encrypt;
1708 pwSpec->decode = (SSLCipher) AES_Decrypt;
1709 pwSpec->destroy = (SSLDestroy) AES_DestroyContext;
1712 case ssl_calg_camellia:
1713 initFn = (BLapiInitContextFunc)Camellia_InitContext;
1714 mode = NSS_CAMELLIA_CBC;
1715 optArg1 = server_encrypts;
1716 optArg2 = CAMELLIA_BLOCK_SIZE;
1717 pwSpec->encode = (SSLCipher) Camellia_Encrypt;
1718 pwSpec->decode = (SSLCipher) Camellia_Decrypt;
1719 pwSpec->destroy = (SSLDestroy) Camellia_DestroyContext;
1723 initFn = (BLapiInitContextFunc)SEED_InitContext;
1724 mode = NSS_SEED_CBC;
1725 optArg1 = server_encrypts;
1726 optArg2 = SEED_BLOCK_SIZE;
1727 pwSpec->encode = (SSLCipher) SEED_Encrypt;
1728 pwSpec->decode = (SSLCipher) SEED_Decrypt;
1729 pwSpec->destroy = (SSLDestroy) SEED_DestroyContext;
1733 case ssl_calg_fortezza :
1736 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1739 rv = (*initFn)(serverContext,
1740 pwSpec->server.write_key_item.data,
1741 pwSpec->server.write_key_item.len,
1742 pwSpec->server.write_iv_item.data,
1743 mode, optArg1, optArg2);
1744 if (rv != SECSuccess) {
1746 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1754 case ssl_calg_camellia:
1756 /* For block ciphers, if the server is encrypting, then the client
1757 * is decrypting, and vice versa.
1761 /* kill warnings. */
1766 case ssl_calg_fortezza:
1767 case ssl_calg_aes_gcm:
1771 rv = (*initFn)(clientContext,
1772 pwSpec->client.write_key_item.data,
1773 pwSpec->client.write_key_item.len,
1774 pwSpec->client.write_iv_item.data,
1775 mode, optArg1, optArg2);
1776 if (rv != SECSuccess) {
1778 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1782 pwSpec->encodeContext = (ss->sec.isServer) ? serverContext : clientContext;
1783 pwSpec->decodeContext = (ss->sec.isServer) ? clientContext : serverContext;
1785 ssl3_InitCompressionContext(pwSpec);
1795 /* This function should probably be moved to pk11wrap and be named
1796 * PK11_ParamFromIVAndEffectiveKeyBits
1799 ssl3_ParamFromIV(CK_MECHANISM_TYPE mtype, SECItem *iv, CK_ULONG ulEffectiveBits)
1801 SECItem * param = PK11_ParamFromIV(mtype, iv);
1802 if (param && param->data && param->len >= sizeof(CK_RC2_PARAMS)) {
1804 case CKM_RC2_KEY_GEN:
1808 case CKM_RC2_MAC_GENERAL:
1809 case CKM_RC2_CBC_PAD:
1810 *(CK_RC2_PARAMS *)param->data = ulEffectiveBits;
1817 /* ssl3_BuildRecordPseudoHeader writes the SSL/TLS pseudo-header (the data
1818 * which is included in the MAC or AEAD additional data) to |out| and returns
1819 * its length. See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the
1820 * definition of the AEAD additional data.
1822 * TLS pseudo-header includes the record's version field, SSL's doesn't. Which
1823 * pseudo-header defintiion to use should be decided based on the version of
1824 * the protocol that was negotiated when the cipher spec became current, NOT
1825 * based on the version value in the record itself, and the decision is passed
1826 * to this function as the |includesVersion| argument. But, the |version|
1827 * argument should be the record's version value.
1830 ssl3_BuildRecordPseudoHeader(unsigned char *out,
1831 SSL3SequenceNumber seq_num,
1832 SSL3ContentType type,
1833 PRBool includesVersion,
1834 SSL3ProtocolVersion version,
1838 out[0] = (unsigned char)(seq_num.high >> 24);
1839 out[1] = (unsigned char)(seq_num.high >> 16);
1840 out[2] = (unsigned char)(seq_num.high >> 8);
1841 out[3] = (unsigned char)(seq_num.high >> 0);
1842 out[4] = (unsigned char)(seq_num.low >> 24);
1843 out[5] = (unsigned char)(seq_num.low >> 16);
1844 out[6] = (unsigned char)(seq_num.low >> 8);
1845 out[7] = (unsigned char)(seq_num.low >> 0);
1848 /* SSL3 MAC doesn't include the record's version field. */
1849 if (!includesVersion) {
1850 out[9] = MSB(length);
1851 out[10] = LSB(length);
1855 /* TLS MAC and AEAD additional data include version. */
1857 SSL3ProtocolVersion dtls_version;
1859 dtls_version = dtls_TLSVersionToDTLSVersion(version);
1860 out[9] = MSB(dtls_version);
1861 out[10] = LSB(dtls_version);
1863 out[9] = MSB(version);
1864 out[10] = LSB(version);
1866 out[11] = MSB(length);
1867 out[12] = LSB(length);
1871 typedef SECStatus (*PK11CryptFcn)(
1872 PK11SymKey *symKey, CK_MECHANISM_TYPE mechanism, SECItem *param,
1873 unsigned char *out, unsigned int *outLen, unsigned int maxLen,
1874 const unsigned char *in, unsigned int inLen);
1876 static PK11CryptFcn pk11_encrypt = NULL;
1877 static PK11CryptFcn pk11_decrypt = NULL;
1879 static PRCallOnceType resolvePK11CryptOnce;
1882 ssl3_ResolvePK11CryptFunctions(void)
1885 /* On Linux we use the system NSS libraries. Look up the PK11_Encrypt and
1886 * PK11_Decrypt functions at run time. */
1887 void *handle = dlopen(NULL, RTLD_LAZY);
1889 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1892 pk11_encrypt = (PK11CryptFcn)dlsym(handle, "PK11_Encrypt");
1893 pk11_decrypt = (PK11CryptFcn)dlsym(handle, "PK11_Decrypt");
1897 /* On other platforms we use our own copy of NSS. PK11_Encrypt and
1898 * PK11_Decrypt are known to be available. */
1899 pk11_encrypt = PK11_Encrypt;
1900 pk11_decrypt = PK11_Decrypt;
1906 * In NSS 3.15, PK11_Encrypt and PK11_Decrypt were added to provide access
1907 * to the AES GCM implementation in the NSS softoken. So the presence of
1908 * these two functions implies the NSS version supports AES GCM.
1911 ssl3_HasGCMSupport(void)
1913 (void)PR_CallOnce(&resolvePK11CryptOnce, ssl3_ResolvePK11CryptFunctions);
1914 return pk11_encrypt != NULL;
1917 /* On this socket, disable the GCM cipher suites */
1919 ssl3_DisableGCMSuites(sslSocket * ss)
1923 for (i = 0; i < PR_ARRAY_SIZE(cipher_suite_defs); i++) {
1924 const ssl3CipherSuiteDef *cipher_def = &cipher_suite_defs[i];
1925 if (cipher_def->bulk_cipher_alg == cipher_aes_128_gcm) {
1926 SECStatus rv = ssl3_CipherPrefSet(ss, cipher_def->cipher_suite,
1928 PORT_Assert(rv == SECSuccess); /* else is coding error */
1935 ssl3_AESGCM(ssl3KeyMaterial *keys,
1940 const unsigned char *in,
1942 const unsigned char *additionalData,
1943 int additionalDataLen)
1946 SECStatus rv = SECFailure;
1947 unsigned char nonce[12];
1948 unsigned int uOutLen;
1949 CK_GCM_PARAMS gcmParams;
1951 static const int tagSize = 16;
1952 static const int explicitNonceLen = 8;
1954 /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the
1955 * nonce is formed. */
1956 memcpy(nonce, keys->write_iv, 4);
1958 memcpy(nonce + 4, in, explicitNonceLen);
1959 in += explicitNonceLen;
1960 inlen -= explicitNonceLen;
1963 if (maxout < explicitNonceLen) {
1964 PORT_SetError(SEC_ERROR_INPUT_LEN);
1967 /* Use the 64-bit sequence number as the explicit nonce. */
1968 memcpy(nonce + 4, additionalData, explicitNonceLen);
1969 memcpy(out, additionalData, explicitNonceLen);
1970 out += explicitNonceLen;
1971 maxout -= explicitNonceLen;
1972 *outlen = explicitNonceLen;
1975 param.type = siBuffer;
1976 param.data = (unsigned char *) &gcmParams;
1977 param.len = sizeof(gcmParams);
1978 gcmParams.pIv = nonce;
1979 gcmParams.ulIvLen = sizeof(nonce);
1980 gcmParams.pAAD = (unsigned char *)additionalData; /* const cast */
1981 gcmParams.ulAADLen = additionalDataLen;
1982 gcmParams.ulTagBits = tagSize * 8;
1985 rv = pk11_decrypt(keys->write_key, CKM_AES_GCM, ¶m, out, &uOutLen,
1988 rv = pk11_encrypt(keys->write_key, CKM_AES_GCM, ¶m, out, &uOutLen,
1991 *outlen += (int) uOutLen;
1996 #ifndef NO_PKCS11_BYPASS
1998 ssl3_AESGCMBypass(ssl3KeyMaterial *keys,
2003 const unsigned char *in,
2005 const unsigned char *additionalData,
2006 int additionalDataLen)
2008 SECStatus rv = SECFailure;
2009 unsigned char nonce[12];
2010 unsigned int uOutLen;
2012 CK_GCM_PARAMS gcmParams;
2014 static const int tagSize = 16;
2015 static const int explicitNonceLen = 8;
2017 /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the
2018 * nonce is formed. */
2019 PORT_Assert(keys->write_iv_item.len == 4);
2020 if (keys->write_iv_item.len != 4) {
2021 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
2024 memcpy(nonce, keys->write_iv_item.data, 4);
2026 memcpy(nonce + 4, in, explicitNonceLen);
2027 in += explicitNonceLen;
2028 inlen -= explicitNonceLen;
2031 if (maxout < explicitNonceLen) {
2032 PORT_SetError(SEC_ERROR_INPUT_LEN);
2035 /* Use the 64-bit sequence number as the explicit nonce. */
2036 memcpy(nonce + 4, additionalData, explicitNonceLen);
2037 memcpy(out, additionalData, explicitNonceLen);
2038 out += explicitNonceLen;
2039 maxout -= explicitNonceLen;
2040 *outlen = explicitNonceLen;
2043 gcmParams.pIv = nonce;
2044 gcmParams.ulIvLen = sizeof(nonce);
2045 gcmParams.pAAD = (unsigned char *)additionalData; /* const cast */
2046 gcmParams.ulAADLen = additionalDataLen;
2047 gcmParams.ulTagBits = tagSize * 8;
2049 cx = (AESContext *)keys->cipher_context;
2050 rv = AES_InitContext(cx, keys->write_key_item.data,
2051 keys->write_key_item.len,
2052 (unsigned char *)&gcmParams, NSS_AES_GCM, !doDecrypt,
2054 if (rv != SECSuccess) {
2058 rv = AES_Decrypt(cx, out, &uOutLen, maxout, in, inlen);
2060 rv = AES_Encrypt(cx, out, &uOutLen, maxout, in, inlen);
2062 AES_DestroyContext(cx, PR_FALSE);
2063 *outlen += (int) uOutLen;
2070 ssl3_ChaCha20Poly1305(
2071 ssl3KeyMaterial *keys,
2076 const unsigned char *in,
2078 const unsigned char *additionalData,
2079 int additionalDataLen)
2082 SECStatus rv = SECFailure;
2083 unsigned int uOutLen;
2084 CK_NSS_AEAD_PARAMS aeadParams;
2085 static const int tagSize = 16;
2087 param.type = siBuffer;
2088 param.len = sizeof(aeadParams);
2089 param.data = (unsigned char *) &aeadParams;
2090 memset(&aeadParams, 0, sizeof(aeadParams));
2091 aeadParams.pIv = (unsigned char *) additionalData;
2092 aeadParams.ulIvLen = 8;
2093 aeadParams.pAAD = (unsigned char *) additionalData;
2094 aeadParams.ulAADLen = additionalDataLen;
2095 aeadParams.ulTagLen = tagSize;
2098 rv = pk11_decrypt(keys->write_key, CKM_NSS_CHACHA20_POLY1305, ¶m,
2099 out, &uOutLen, maxout, in, inlen);
2101 rv = pk11_encrypt(keys->write_key, CKM_NSS_CHACHA20_POLY1305, ¶m,
2102 out, &uOutLen, maxout, in, inlen);
2104 *outlen = (int) uOutLen;
2109 /* Initialize encryption and MAC contexts for pending spec.
2110 * Master Secret already is derived.
2111 * Caller holds Spec write lock.
2114 ssl3_InitPendingContextsPKCS11(sslSocket *ss)
2116 ssl3CipherSpec * pwSpec;
2117 const ssl3BulkCipherDef *cipher_def;
2118 PK11Context * serverContext = NULL;
2119 PK11Context * clientContext = NULL;
2121 CK_MECHANISM_TYPE mechanism;
2122 CK_MECHANISM_TYPE mac_mech;
2124 CK_ULONG effKeyBits;
2127 SSLCipherAlgorithm calg;
2129 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
2130 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
2131 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
2133 pwSpec = ss->ssl3.pwSpec;
2134 cipher_def = pwSpec->cipher_def;
2135 macLength = pwSpec->mac_size;
2136 calg = cipher_def->calg;
2137 PORT_Assert(alg2Mech[calg].calg == calg);
2139 pwSpec->client.write_mac_context = NULL;
2140 pwSpec->server.write_mac_context = NULL;
2142 if (calg == calg_aes_gcm || calg == calg_chacha20) {
2143 pwSpec->encode = NULL;
2144 pwSpec->decode = NULL;
2145 pwSpec->destroy = NULL;
2146 pwSpec->encodeContext = NULL;
2147 pwSpec->decodeContext = NULL;
2148 if (calg == calg_aes_gcm) {
2149 pwSpec->aead = ssl3_AESGCM;
2151 pwSpec->aead = ssl3_ChaCha20Poly1305;
2157 ** Now setup the MAC contexts,
2158 ** crypto contexts are setup below.
2161 mac_mech = pwSpec->mac_def->mmech;
2162 mac_param.data = (unsigned char *)&macLength;
2163 mac_param.len = sizeof(macLength);
2166 pwSpec->client.write_mac_context = PK11_CreateContextBySymKey(
2167 mac_mech, CKA_SIGN, pwSpec->client.write_mac_key, &mac_param);
2168 if (pwSpec->client.write_mac_context == NULL) {
2169 ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
2172 pwSpec->server.write_mac_context = PK11_CreateContextBySymKey(
2173 mac_mech, CKA_SIGN, pwSpec->server.write_mac_key, &mac_param);
2174 if (pwSpec->server.write_mac_context == NULL) {
2175 ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
2180 ** Now setup the crypto contexts.
2183 if (calg == calg_null) {
2184 pwSpec->encode = Null_Cipher;
2185 pwSpec->decode = Null_Cipher;
2186 pwSpec->destroy = NULL;
2189 mechanism = alg2Mech[calg].cmech;
2190 effKeyBits = cipher_def->key_size * BPB;
2193 * build the server context
2195 iv.data = pwSpec->server.write_iv;
2196 iv.len = cipher_def->iv_size;
2197 param = ssl3_ParamFromIV(mechanism, &iv, effKeyBits);
2198 if (param == NULL) {
2199 ssl_MapLowLevelError(SSL_ERROR_IV_PARAM_FAILURE);
2202 serverContext = PK11_CreateContextBySymKey(mechanism,
2203 (ss->sec.isServer ? CKA_ENCRYPT : CKA_DECRYPT),
2204 pwSpec->server.write_key, param);
2205 iv.data = PK11_IVFromParam(mechanism, param, (int *)&iv.len);
2207 PORT_Memcpy(pwSpec->server.write_iv, iv.data, iv.len);
2208 SECITEM_FreeItem(param, PR_TRUE);
2209 if (serverContext == NULL) {
2210 ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
2215 * build the client context
2217 iv.data = pwSpec->client.write_iv;
2218 iv.len = cipher_def->iv_size;
2220 param = ssl3_ParamFromIV(mechanism, &iv, effKeyBits);
2221 if (param == NULL) {
2222 ssl_MapLowLevelError(SSL_ERROR_IV_PARAM_FAILURE);
2225 clientContext = PK11_CreateContextBySymKey(mechanism,
2226 (ss->sec.isServer ? CKA_DECRYPT : CKA_ENCRYPT),
2227 pwSpec->client.write_key, param);
2228 iv.data = PK11_IVFromParam(mechanism, param, (int *)&iv.len);
2230 PORT_Memcpy(pwSpec->client.write_iv, iv.data, iv.len);
2231 SECITEM_FreeItem(param,PR_TRUE);
2232 if (clientContext == NULL) {
2233 ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
2236 pwSpec->encode = (SSLCipher) PK11_CipherOp;
2237 pwSpec->decode = (SSLCipher) PK11_CipherOp;
2238 pwSpec->destroy = (SSLDestroy) PK11_DestroyContext;
2240 pwSpec->encodeContext = (ss->sec.isServer) ? serverContext : clientContext;
2241 pwSpec->decodeContext = (ss->sec.isServer) ? clientContext : serverContext;
2243 serverContext = NULL;
2244 clientContext = NULL;
2246 ssl3_InitCompressionContext(pwSpec);
2251 if (serverContext != NULL) PK11_DestroyContext(serverContext, PR_TRUE);
2252 if (clientContext != NULL) PK11_DestroyContext(clientContext, PR_TRUE);
2253 if (pwSpec->client.write_mac_context != NULL) {
2254 PK11_DestroyContext(pwSpec->client.write_mac_context,PR_TRUE);
2255 pwSpec->client.write_mac_context = NULL;
2257 if (pwSpec->server.write_mac_context != NULL) {
2258 PK11_DestroyContext(pwSpec->server.write_mac_context,PR_TRUE);
2259 pwSpec->server.write_mac_context = NULL;
2265 /* Complete the initialization of all keys, ciphers, MACs and their contexts
2266 * for the pending Cipher Spec.
2267 * Called from: ssl3_SendClientKeyExchange (for Full handshake)
2268 * ssl3_HandleRSAClientKeyExchange (for Full handshake)
2269 * ssl3_HandleServerHello (for session restart)
2270 * ssl3_HandleClientHello (for session restart)
2271 * Sets error code, but caller probably should override to disambiguate.
2272 * NULL pms means re-use old master_secret.
2274 * This code is common to the bypass and PKCS11 execution paths.
2275 * For the bypass case, pms is NULL.
2278 ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms)
2280 ssl3CipherSpec * pwSpec;
2281 ssl3CipherSpec * cwSpec;
2284 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
2286 ssl_GetSpecWriteLock(ss); /**************************************/
2288 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
2290 pwSpec = ss->ssl3.pwSpec;
2291 cwSpec = ss->ssl3.cwSpec;
2293 if (pms || (!pwSpec->msItem.len && !pwSpec->master_secret)) {
2294 rv = ssl3_DeriveMasterSecret(ss, pms);
2295 if (rv != SECSuccess) {
2296 goto done; /* err code set by ssl3_DeriveMasterSecret */
2299 #ifndef NO_PKCS11_BYPASS
2300 if (ss->opt.bypassPKCS11 && pwSpec->msItem.len && pwSpec->msItem.data) {
2301 /* Double Bypass succeeded in extracting the master_secret */
2302 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def;
2303 PRBool isTLS = (PRBool)(kea_def->tls_keygen ||
2304 (pwSpec->version > SSL_LIBRARY_VERSION_3_0));
2305 pwSpec->bypassCiphers = PR_TRUE;
2306 rv = ssl3_KeyAndMacDeriveBypass( pwSpec,
2307 (const unsigned char *)&ss->ssl3.hs.client_random,
2308 (const unsigned char *)&ss->ssl3.hs.server_random,
2310 (PRBool)(kea_def->is_limited));
2311 if (rv == SECSuccess) {
2312 rv = ssl3_InitPendingContextsBypass(ss);
2316 if (pwSpec->master_secret) {
2317 rv = ssl3_DeriveConnectionKeysPKCS11(ss);
2318 if (rv == SECSuccess) {
2319 rv = ssl3_InitPendingContextsPKCS11(ss);
2322 PORT_Assert(pwSpec->master_secret);
2323 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
2326 if (rv != SECSuccess) {
2330 /* Generic behaviors -- common to all crypto methods */
2332 pwSpec->read_seq_num.high = pwSpec->write_seq_num.high = 0;
2334 if (cwSpec->epoch == PR_UINT16_MAX) {
2335 /* The problem here is that we have rehandshaked too many
2336 * times (you are not allowed to wrap the epoch). The
2337 * spec says you should be discarding the connection
2338 * and start over, so not much we can do here. */
2339 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
2343 /* The sequence number has the high 16 bits as the epoch. */
2344 pwSpec->epoch = cwSpec->epoch + 1;
2345 pwSpec->read_seq_num.high = pwSpec->write_seq_num.high =
2346 pwSpec->epoch << 16;
2348 dtls_InitRecvdRecords(&pwSpec->recvdRecords);
2350 pwSpec->read_seq_num.low = pwSpec->write_seq_num.low = 0;
2353 ssl_ReleaseSpecWriteLock(ss); /******************************/
2354 if (rv != SECSuccess)
2355 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
2360 * 60 bytes is 3 times the maximum length MAC size that is supported.
2362 static const unsigned char mac_pad_1 [60] = {
2363 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
2364 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
2365 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
2366 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
2367 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
2368 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
2369 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
2370 0x36, 0x36, 0x36, 0x36
2372 static const unsigned char mac_pad_2 [60] = {
2373 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
2374 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
2375 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
2376 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
2377 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
2378 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
2379 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
2380 0x5c, 0x5c, 0x5c, 0x5c
2383 /* Called from: ssl3_SendRecord()
2384 ** Caller must already hold the SpecReadLock. (wish we could assert that!)
2387 ssl3_ComputeRecordMAC(
2388 ssl3CipherSpec * spec,
2389 PRBool useServerMacKey,
2390 const unsigned char *header,
2391 unsigned int headerLen,
2392 const SSL3Opaque * input,
2394 unsigned char * outbuf,
2395 unsigned int * outLength)
2397 const ssl3MACDef * mac_def;
2400 PRINT_BUF(95, (NULL, "frag hash1: header", header, headerLen));
2401 PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength));
2403 mac_def = spec->mac_def;
2404 if (mac_def->mac == mac_null) {
2408 #ifndef NO_PKCS11_BYPASS
2409 if (spec->bypassCiphers) {
2410 /* bypass version */
2411 const SECHashObject *hashObj = NULL;
2412 unsigned int pad_bytes = 0;
2413 PRUint64 write_mac_context[MAX_MAC_CONTEXT_LLONGS];
2415 switch (mac_def->mac) {
2421 hashObj = HASH_GetRawHashObject(HASH_AlgMD5);
2425 hashObj = HASH_GetRawHashObject(HASH_AlgSHA1);
2427 case ssl_hmac_md5: /* used with TLS */
2428 hashObj = HASH_GetRawHashObject(HASH_AlgMD5);
2430 case ssl_hmac_sha: /* used with TLS */
2431 hashObj = HASH_GetRawHashObject(HASH_AlgSHA1);
2433 case ssl_hmac_sha256: /* used with TLS */
2434 hashObj = HASH_GetRawHashObject(HASH_AlgSHA256);
2441 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
2445 if (spec->version <= SSL_LIBRARY_VERSION_3_0) {
2446 unsigned int tempLen;
2447 unsigned char temp[MAX_MAC_LENGTH];
2449 /* compute "inner" part of SSL3 MAC */
2450 hashObj->begin(write_mac_context);
2451 if (useServerMacKey)
2452 hashObj->update(write_mac_context,
2453 spec->server.write_mac_key_item.data,
2454 spec->server.write_mac_key_item.len);
2456 hashObj->update(write_mac_context,
2457 spec->client.write_mac_key_item.data,
2458 spec->client.write_mac_key_item.len);
2459 hashObj->update(write_mac_context, mac_pad_1, pad_bytes);
2460 hashObj->update(write_mac_context, header, headerLen);
2461 hashObj->update(write_mac_context, input, inputLength);
2462 hashObj->end(write_mac_context, temp, &tempLen, sizeof temp);
2464 /* compute "outer" part of SSL3 MAC */
2465 hashObj->begin(write_mac_context);
2466 if (useServerMacKey)
2467 hashObj->update(write_mac_context,
2468 spec->server.write_mac_key_item.data,
2469 spec->server.write_mac_key_item.len);
2471 hashObj->update(write_mac_context,
2472 spec->client.write_mac_key_item.data,
2473 spec->client.write_mac_key_item.len);
2474 hashObj->update(write_mac_context, mac_pad_2, pad_bytes);
2475 hashObj->update(write_mac_context, temp, tempLen);
2476 hashObj->end(write_mac_context, outbuf, outLength, spec->mac_size);
2478 } else { /* is TLS */
2479 #define cx ((HMACContext *)write_mac_context)
2480 if (useServerMacKey) {
2481 rv = HMAC_Init(cx, hashObj,
2482 spec->server.write_mac_key_item.data,
2483 spec->server.write_mac_key_item.len, PR_FALSE);
2485 rv = HMAC_Init(cx, hashObj,
2486 spec->client.write_mac_key_item.data,
2487 spec->client.write_mac_key_item.len, PR_FALSE);
2489 if (rv == SECSuccess) {
2491 HMAC_Update(cx, header, headerLen);
2492 HMAC_Update(cx, input, inputLength);
2493 rv = HMAC_Finish(cx, outbuf, outLength, spec->mac_size);
2494 HMAC_Destroy(cx, PR_FALSE);
2501 PK11Context *mac_context =
2502 (useServerMacKey ? spec->server.write_mac_context
2503 : spec->client.write_mac_context);
2504 rv = PK11_DigestBegin(mac_context);
2505 rv |= PK11_DigestOp(mac_context, header, headerLen);
2506 rv |= PK11_DigestOp(mac_context, input, inputLength);
2507 rv |= PK11_DigestFinal(mac_context, outbuf, outLength, spec->mac_size);
2510 PORT_Assert(rv != SECSuccess || *outLength == (unsigned)spec->mac_size);
2512 PRINT_BUF(95, (NULL, "frag hash2: result", outbuf, *outLength));
2514 if (rv != SECSuccess) {
2516 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
2521 /* Called from: ssl3_HandleRecord()
2522 * Caller must already hold the SpecReadLock. (wish we could assert that!)
2525 * originalLen >= inputLen >= MAC size
2528 ssl3_ComputeRecordMACConstantTime(
2529 ssl3CipherSpec * spec,
2530 PRBool useServerMacKey,
2531 const unsigned char *header,
2532 unsigned int headerLen,
2533 const SSL3Opaque * input,
2536 unsigned char * outbuf,
2537 unsigned int * outLen)
2539 CK_MECHANISM_TYPE macType;
2540 CK_NSS_MAC_CONSTANT_TIME_PARAMS params;
2541 SECItem param, inputItem, outputItem;
2545 PORT_Assert(inputLen >= spec->mac_size);
2546 PORT_Assert(originalLen >= inputLen);
2548 if (spec->bypassCiphers) {
2549 /* This function doesn't support PKCS#11 bypass. We fallback on the
2550 * non-constant time version. */
2554 if (spec->mac_def->mac == mac_null) {
2559 macType = CKM_NSS_HMAC_CONSTANT_TIME;
2560 if (spec->version <= SSL_LIBRARY_VERSION_3_0) {
2561 macType = CKM_NSS_SSL3_MAC_CONSTANT_TIME;
2564 params.macAlg = spec->mac_def->mmech;
2565 params.ulBodyTotalLen = originalLen;
2566 params.pHeader = (unsigned char *) header; /* const cast */
2567 params.ulHeaderLen = headerLen;
2569 param.data = (unsigned char*) ¶ms;
2570 param.len = sizeof(params);
2573 inputItem.data = (unsigned char *) input;
2574 inputItem.len = inputLen;
2577 outputItem.data = outbuf;
2578 outputItem.len = *outLen;
2579 outputItem.type = 0;
2581 key = spec->server.write_mac_key;
2582 if (!useServerMacKey) {
2583 key = spec->client.write_mac_key;
2586 rv = PK11_SignWithSymKey(key, macType, ¶m, &outputItem, &inputItem);
2587 if (rv != SECSuccess) {
2588 if (PORT_GetError() == SEC_ERROR_INVALID_ALGORITHM) {
2594 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
2598 PORT_Assert(outputItem.len == (unsigned)spec->mac_size);
2599 *outLen = outputItem.len;
2604 /* ssl3_ComputeRecordMAC expects the MAC to have been removed from the
2605 * length already. */
2606 inputLen -= spec->mac_size;
2607 return ssl3_ComputeRecordMAC(spec, useServerMacKey, header, headerLen,
2608 input, inputLen, outbuf, outLen);
2612 ssl3_ClientAuthTokenPresent(sslSessionID *sid) {
2613 PK11SlotInfo *slot = NULL;
2614 PRBool isPresent = PR_TRUE;
2616 /* we only care if we are doing client auth */
2617 /* If NSS_PLATFORM_CLIENT_AUTH is defined and a platformClientKey is being
2618 * used, u.ssl3.clAuthValid will be false and this function will always
2619 * return PR_TRUE. */
2620 if (!sid || !sid->u.ssl3.clAuthValid) {
2625 slot = SECMOD_LookupSlot(sid->u.ssl3.clAuthModuleID,
2626 sid->u.ssl3.clAuthSlotID);
2628 !PK11_IsPresent(slot) ||
2629 sid->u.ssl3.clAuthSeries != PK11_GetSlotSeries(slot) ||
2630 sid->u.ssl3.clAuthSlotID != PK11_GetSlotID(slot) ||
2631 sid->u.ssl3.clAuthModuleID != PK11_GetModuleID(slot) ||
2632 (PK11_NeedLogin(slot) && !PK11_IsLoggedIn(slot, NULL))) {
2633 isPresent = PR_FALSE;
2636 PK11_FreeSlot(slot);
2641 /* Caller must hold the spec read lock. */
2643 ssl3_CompressMACEncryptRecord(ssl3CipherSpec * cwSpec,
2646 PRBool capRecordVersion,
2647 SSL3ContentType type,
2648 const SSL3Opaque * pIn,
2649 PRUint32 contentLen,
2652 const ssl3BulkCipherDef * cipher_def;
2654 PRUint32 macLen = 0;
2656 PRUint32 p1Len, p2Len, oddLen = 0;
2659 int cipherBytes = 0;
2660 unsigned char pseudoHeader[13];
2661 unsigned int pseudoHeaderLen;
2663 cipher_def = cwSpec->cipher_def;
2664 headerLen = isDTLS ? DTLS_RECORD_HEADER_LENGTH : SSL3_RECORD_HEADER_LENGTH;
2666 if (cipher_def->type == type_block &&
2667 cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) {
2668 /* Prepend the per-record explicit IV using technique 2b from
2669 * RFC 4346 section 6.2.3.2: The IV is a cryptographically
2670 * strong random number XORed with the CBC residue from the previous
2673 ivLen = cipher_def->iv_size;
2674 if (ivLen > wrBuf->space - headerLen) {
2675 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
2678 rv = PK11_GenerateRandom(wrBuf->buf + headerLen, ivLen);
2679 if (rv != SECSuccess) {
2680 ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
2683 rv = cwSpec->encode( cwSpec->encodeContext,
2684 wrBuf->buf + headerLen,
2685 &cipherBytes, /* output and actual outLen */
2686 ivLen, /* max outlen */
2687 wrBuf->buf + headerLen,
2688 ivLen); /* input and inputLen*/
2689 if (rv != SECSuccess || cipherBytes != ivLen) {
2690 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
2695 if (cwSpec->compressor) {
2697 rv = cwSpec->compressor(
2698 cwSpec->compressContext,
2699 wrBuf->buf + headerLen + ivLen, &outlen,
2700 wrBuf->space - headerLen - ivLen, pIn, contentLen);
2701 if (rv != SECSuccess)
2703 pIn = wrBuf->buf + headerLen + ivLen;
2704 contentLen = outlen;
2707 pseudoHeaderLen = ssl3_BuildRecordPseudoHeader(
2708 pseudoHeader, cwSpec->write_seq_num, type,
2709 cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_0, cwSpec->version,
2710 isDTLS, contentLen);
2711 PORT_Assert(pseudoHeaderLen <= sizeof(pseudoHeader));
2712 if (cipher_def->type == type_aead) {
2713 const int nonceLen = cipher_def->explicit_nonce_size;
2714 const int tagLen = cipher_def->tag_size;
2716 if (headerLen + nonceLen + contentLen + tagLen > wrBuf->space) {
2717 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
2721 cipherBytes = contentLen;
2723 isServer ? &cwSpec->server : &cwSpec->client,
2724 PR_FALSE, /* do encrypt */
2725 wrBuf->buf + headerLen, /* output */
2726 &cipherBytes, /* out len */
2727 wrBuf->space - headerLen, /* max out */
2728 pIn, contentLen, /* input */
2729 pseudoHeader, pseudoHeaderLen);
2730 if (rv != SECSuccess) {
2731 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
2738 rv = ssl3_ComputeRecordMAC(cwSpec, isServer,
2739 pseudoHeader, pseudoHeaderLen, pIn, contentLen,
2740 wrBuf->buf + headerLen + ivLen + contentLen, &macLen);
2741 if (rv != SECSuccess) {
2742 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
2747 fragLen = contentLen + macLen; /* needs to be encrypted */
2748 PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024);
2751 * Pad the text (if we're doing a block cipher)
2754 if (cipher_def->type == type_block) {
2755 unsigned char * pBuf;
2759 oddLen = contentLen % cipher_def->block_size;
2760 /* Assume blockSize is a power of two */
2761 padding_length = cipher_def->block_size - 1 -
2762 ((fragLen) & (cipher_def->block_size - 1));
2763 fragLen += padding_length + 1;
2764 PORT_Assert((fragLen % cipher_def->block_size) == 0);
2766 /* Pad according to TLS rules (also acceptable to SSL3). */
2767 pBuf = &wrBuf->buf[headerLen + ivLen + fragLen - 1];
2768 for (i = padding_length + 1; i > 0; --i) {
2769 *pBuf-- = padding_length;
2771 /* now, if contentLen is not a multiple of block size, fix it */
2772 p2Len = fragLen - p1Len;
2782 PORT_Assert( (cipher_def->block_size < 2) || \
2783 (p2Len % cipher_def->block_size) == 0);
2784 memmove(wrBuf->buf + headerLen + ivLen + p1Len, pIn + p1Len,
2788 int cipherBytesPart1 = -1;
2789 rv = cwSpec->encode( cwSpec->encodeContext,
2790 wrBuf->buf + headerLen + ivLen, /* output */
2791 &cipherBytesPart1, /* actual outlen */
2792 p1Len, /* max outlen */
2793 pIn, p1Len); /* input, and inputlen */
2794 PORT_Assert(rv == SECSuccess && cipherBytesPart1 == (int) p1Len);
2795 if (rv != SECSuccess || cipherBytesPart1 != (int) p1Len) {
2796 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
2799 cipherBytes += cipherBytesPart1;
2802 int cipherBytesPart2 = -1;
2803 rv = cwSpec->encode( cwSpec->encodeContext,
2804 wrBuf->buf + headerLen + ivLen + p1Len,
2805 &cipherBytesPart2, /* output and actual outLen */
2806 p2Len, /* max outlen */
2807 wrBuf->buf + headerLen + ivLen + p1Len,
2808 p2Len); /* input and inputLen*/
2809 PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len);
2810 if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) {
2811 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
2814 cipherBytes += cipherBytesPart2;
2818 PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024);
2820 wrBuf->len = cipherBytes + headerLen;
2821 wrBuf->buf[0] = type;
2823 SSL3ProtocolVersion version;
2825 version = dtls_TLSVersionToDTLSVersion(cwSpec->version);
2826 wrBuf->buf[1] = MSB(version);
2827 wrBuf->buf[2] = LSB(version);
2828 wrBuf->buf[3] = (unsigned char)(cwSpec->write_seq_num.high >> 24);
2829 wrBuf->buf[4] = (unsigned char)(cwSpec->write_seq_num.high >> 16);
2830 wrBuf->buf[5] = (unsigned char)(cwSpec->write_seq_num.high >> 8);
2831 wrBuf->buf[6] = (unsigned char)(cwSpec->write_seq_num.high >> 0);
2832 wrBuf->buf[7] = (unsigned char)(cwSpec->write_seq_num.low >> 24);
2833 wrBuf->buf[8] = (unsigned char)(cwSpec->write_seq_num.low >> 16);
2834 wrBuf->buf[9] = (unsigned char)(cwSpec->write_seq_num.low >> 8);
2835 wrBuf->buf[10] = (unsigned char)(cwSpec->write_seq_num.low >> 0);
2836 wrBuf->buf[11] = MSB(cipherBytes);
2837 wrBuf->buf[12] = LSB(cipherBytes);
2839 SSL3ProtocolVersion version = cwSpec->version;
2841 if (capRecordVersion) {
2842 version = PR_MIN(SSL_LIBRARY_VERSION_TLS_1_0, version);
2844 wrBuf->buf[1] = MSB(version);
2845 wrBuf->buf[2] = LSB(version);
2846 wrBuf->buf[3] = MSB(cipherBytes);
2847 wrBuf->buf[4] = LSB(cipherBytes);
2850 ssl3_BumpSequenceNumber(&cwSpec->write_seq_num);
2855 /* Process the plain text before sending it.
2856 * Returns the number of bytes of plaintext that were successfully sent
2857 * plus the number of bytes of plaintext that were copied into the
2858 * output (write) buffer.
2859 * Returns SECFailure on a hard IO error, memory error, or crypto error.
2860 * Does NOT return SECWouldBlock.
2862 * Notes on the use of the private ssl flags:
2863 * (no private SSL flags)
2864 * Attempt to make and send SSL records for all plaintext
2865 * If non-blocking and a send gets WOULD_BLOCK,
2866 * or if the pending (ciphertext) buffer is not empty,
2867 * then buffer remaining bytes of ciphertext into pending buf,
2868 * and continue to do that for all succssive records until all
2870 * ssl_SEND_FLAG_FORCE_INTO_BUFFER
2871 * As above, except this suppresses all write attempts, and forces
2872 * all ciphertext into the pending ciphertext buffer.
2873 * ssl_SEND_FLAG_USE_EPOCH (for DTLS)
2874 * Forces the use of the provided epoch
2875 * ssl_SEND_FLAG_CAP_RECORD_VERSION
2876 * Caps the record layer version number of TLS ClientHello to { 3, 1 }
2877 * (TLS 1.0). Some TLS 1.0 servers (which seem to use F5 BIG-IP) ignore
2878 * ClientHello.client_version and use the record layer version number
2879 * (TLSPlaintext.version) instead when negotiating protocol versions. In
2880 * addition, if the record layer version number of ClientHello is { 3, 2 }
2881 * (TLS 1.1) or higher, these servers reset the TCP connections. Lastly,
2882 * some F5 BIG-IP servers hang if a record containing a ClientHello has a
2883 * version greater than { 3, 1 } and a length greater than 255. Set this
2884 * flag to work around such servers.
2887 ssl3_SendRecord( sslSocket * ss,
2888 DTLSEpoch epoch, /* DTLS only */
2889 SSL3ContentType type,
2890 const SSL3Opaque * pIn, /* input buffer */
2891 PRInt32 nIn, /* bytes of input */
2894 sslBuffer * wrBuf = &ss->sec.writeBuf;
2896 PRInt32 totalSent = 0;
2897 PRBool capRecordVersion;
2899 SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s nIn=%d",
2900 SSL_GETPID(), ss->fd, ssl3_DecodeContentType(type),
2902 PRINT_BUF(50, (ss, "Send record (plain text)", pIn, nIn));
2904 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
2906 capRecordVersion = ((flags & ssl_SEND_FLAG_CAP_RECORD_VERSION) != 0);
2908 if (capRecordVersion) {
2909 /* ssl_SEND_FLAG_CAP_RECORD_VERSION can only be used with the
2910 * TLS initial ClientHello. */
2911 PORT_Assert(!IS_DTLS(ss));
2912 PORT_Assert(!ss->firstHsDone);
2913 PORT_Assert(type == content_handshake);
2914 PORT_Assert(ss->ssl3.hs.ws == wait_server_hello);
2917 if (ss->ssl3.initialized == PR_FALSE) {
2918 /* This can happen on a server if the very first incoming record
2919 ** looks like a defective ssl3 record (e.g. too long), and we're
2920 ** trying to send an alert.
2922 PR_ASSERT(type == content_alert);
2923 rv = ssl3_InitState(ss);
2924 if (rv != SECSuccess) {
2925 return SECFailure; /* ssl3_InitState has set the error code. */
2929 /* check for Token Presence */
2930 if (!ssl3_ClientAuthTokenPresent(ss->sec.ci.sid)) {
2931 PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
2936 PRUint32 contentLen = PR_MIN(nIn, MAX_FRAGMENT_LENGTH);
2937 unsigned int spaceNeeded;
2938 unsigned int numRecords;
2940 ssl_GetSpecReadLock(ss); /********************************/
2942 if (nIn > 1 && ss->opt.cbcRandomIV &&
2943 ss->ssl3.cwSpec->version < SSL_LIBRARY_VERSION_TLS_1_1 &&
2944 type == content_application_data &&
2945 ss->ssl3.cwSpec->cipher_def->type == type_block /* CBC mode */) {
2946 /* We will split the first byte of the record into its own record,
2947 * as explained in the documentation for SSL_CBC_RANDOM_IV in ssl.h
2954 spaceNeeded = contentLen + (numRecords * SSL3_BUFFER_FUDGE);
2955 if (ss->ssl3.cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1 &&
2956 ss->ssl3.cwSpec->cipher_def->type == type_block) {
2957 spaceNeeded += ss->ssl3.cwSpec->cipher_def->iv_size;
2959 if (spaceNeeded > wrBuf->space) {
2960 rv = sslBuffer_Grow(wrBuf, spaceNeeded);
2961 if (rv != SECSuccess) {
2962 SSL_DBG(("%d: SSL3[%d]: SendRecord, tried to get %d bytes",
2963 SSL_GETPID(), ss->fd, spaceNeeded));
2964 goto spec_locked_loser; /* sslBuffer_Grow set error code. */
2968 if (numRecords == 2) {
2969 sslBuffer secondRecord;
2971 rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec,
2972 ss->sec.isServer, IS_DTLS(ss),
2973 capRecordVersion, type, pIn,
2975 if (rv != SECSuccess)
2976 goto spec_locked_loser;
2978 PRINT_BUF(50, (ss, "send (encrypted) record data [1/2]:",
2979 wrBuf->buf, wrBuf->len));
2981 secondRecord.buf = wrBuf->buf + wrBuf->len;
2982 secondRecord.len = 0;
2983 secondRecord.space = wrBuf->space - wrBuf->len;
2985 rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec,
2986 ss->sec.isServer, IS_DTLS(ss),
2987 capRecordVersion, type,
2988 pIn + 1, contentLen - 1,
2990 if (rv == SECSuccess) {
2991 PRINT_BUF(50, (ss, "send (encrypted) record data [2/2]:",
2992 secondRecord.buf, secondRecord.len));
2993 wrBuf->len += secondRecord.len;
2997 rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec,
3004 rv = dtls_CompressMACEncryptRecord(ss, epoch,
3005 !!(flags & ssl_SEND_FLAG_USE_EPOCH),
3010 if (rv == SECSuccess) {
3011 PRINT_BUF(50, (ss, "send (encrypted) record data:",
3012 wrBuf->buf, wrBuf->len));
3017 ssl_ReleaseSpecReadLock(ss); /************************************/
3019 if (rv != SECSuccess)
3024 PORT_Assert( nIn >= 0 );
3026 /* If there's still some previously saved ciphertext,
3027 * or the caller doesn't want us to send the data yet,
3028 * then add all our new ciphertext to the amount previously saved.
3030 if ((ss->pendingBuf.len > 0) ||
3031 (flags & ssl_SEND_FLAG_FORCE_INTO_BUFFER)) {
3033 rv = ssl_SaveWriteData(ss, wrBuf->buf, wrBuf->len);
3034 if (rv != SECSuccess) {
3035 /* presumably a memory error, SEC_ERROR_NO_MEMORY */
3038 wrBuf->len = 0; /* All cipher text is saved away. */
3040 if (!(flags & ssl_SEND_FLAG_FORCE_INTO_BUFFER)) {
3042 ss->handshakeBegun = 1;
3043 sent = ssl_SendSavedWriteData(ss);
3044 if (sent < 0 && PR_GetError() != PR_WOULD_BLOCK_ERROR) {
3045 ssl_MapLowLevelError(SSL_ERROR_SOCKET_WRITE_FAILURE);
3048 if (ss->pendingBuf.len) {
3049 flags |= ssl_SEND_FLAG_FORCE_INTO_BUFFER;
3052 } else if (wrBuf->len > 0) {
3054 ss->handshakeBegun = 1;
3055 sent = ssl_DefSend(ss, wrBuf->buf, wrBuf->len,
3056 flags & ~ssl_SEND_FLAG_MASK);
3058 if (PR_GetError() != PR_WOULD_BLOCK_ERROR) {
3059 ssl_MapLowLevelError(SSL_ERROR_SOCKET_WRITE_FAILURE);
3062 /* we got PR_WOULD_BLOCK_ERROR, which means none was sent. */
3068 /* DTLS just says no in this case. No buffering */
3069 PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
3072 /* now take all the remaining unsent new ciphertext and
3073 * append it to the buffer of previously unsent ciphertext.
3075 rv = ssl_SaveWriteData(ss, wrBuf->buf + sent, wrBuf->len);
3076 if (rv != SECSuccess) {
3077 /* presumably a memory error, SEC_ERROR_NO_MEMORY */
3082 totalSent += contentLen;
3087 #define SSL3_PENDING_HIGH_WATER 1024
3089 /* Attempt to send the content of "in" in an SSL application_data record.
3090 * Returns "len" or SECFailure, never SECWouldBlock, nor SECSuccess.
3093 ssl3_SendApplicationData(sslSocket *ss, const unsigned char *in,
3094 PRInt32 len, PRInt32 flags)
3096 PRInt32 totalSent = 0;
3097 PRInt32 discarded = 0;
3099 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
3100 /* These flags for internal use only */
3101 PORT_Assert(!(flags & (ssl_SEND_FLAG_USE_EPOCH |
3102 ssl_SEND_FLAG_NO_RETRANSMIT)));
3103 if (len < 0 || !in) {
3104 PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
3108 if (ss->pendingBuf.len > SSL3_PENDING_HIGH_WATER &&
3109 !ssl_SocketIsBlocking(ss)) {
3110 PORT_Assert(!ssl_SocketIsBlocking(ss));
3111 PORT_SetError(PR_WOULD_BLOCK_ERROR);
3115 if (ss->appDataBuffered && len) {
3116 PORT_Assert (in[0] == (unsigned char)(ss->appDataBuffered));
3117 if (in[0] != (unsigned char)(ss->appDataBuffered)) {
3118 PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
3125 while (len > totalSent) {
3126 PRInt32 sent, toSend;
3128 if (totalSent > 0) {
3130 * The thread yield is intended to give the reader thread a
3131 * chance to get some cycles while the writer thread is in
3132 * the middle of a large application data write. (See
3133 * Bugzilla bug 127740, comment #1.)
3135 ssl_ReleaseXmitBufLock(ss);
3136 PR_Sleep(PR_INTERVAL_NO_WAIT); /* PR_Yield(); */
3137 ssl_GetXmitBufLock(ss);
3139 toSend = PR_MIN(len - totalSent, MAX_FRAGMENT_LENGTH);
3141 * Note that the 0 epoch is OK because flags will never require
3142 * its use, as guaranteed by the PORT_Assert above.
3144 sent = ssl3_SendRecord(ss, 0, content_application_data,
3145 in + totalSent, toSend, flags);
3147 if (totalSent > 0 && PR_GetError() == PR_WOULD_BLOCK_ERROR) {
3148 PORT_Assert(ss->lastWriteBlocked);
3151 return SECFailure; /* error code set by ssl3_SendRecord */
3154 if (ss->pendingBuf.len) {
3155 /* must be a non-blocking socket */
3156 PORT_Assert(!ssl_SocketIsBlocking(ss));
3157 PORT_Assert(ss->lastWriteBlocked);
3161 if (ss->pendingBuf.len) {
3162 /* Must be non-blocking. */
3163 PORT_Assert(!ssl_SocketIsBlocking(ss));
3164 if (totalSent > 0) {
3165 ss->appDataBuffered = 0x100 | in[totalSent - 1];
3168 totalSent = totalSent + discarded - 1;
3169 if (totalSent <= 0) {
3170 PORT_SetError(PR_WOULD_BLOCK_ERROR);
3171 totalSent = SECFailure;
3175 ss->appDataBuffered = 0;
3176 return totalSent + discarded;
3179 /* Attempt to send buffered handshake messages.
3180 * This function returns SECSuccess or SECFailure, never SECWouldBlock.
3181 * Always set sendBuf.len to 0, even when returning SECFailure.
3183 * Depending on whether we are doing DTLS or not, this either calls
3185 * - ssl3_FlushHandshakeMessages if non-DTLS
3186 * - dtls_FlushHandshakeMessages if DTLS
3188 * Called from SSL3_SendAlert(), ssl3_SendChangeCipherSpecs(),
3189 * ssl3_AppendHandshake(), ssl3_SendClientHello(),
3190 * ssl3_SendHelloRequest(), ssl3_SendServerHelloDone(),
3191 * ssl3_SendFinished(),
3194 ssl3_FlushHandshake(sslSocket *ss, PRInt32 flags)
3197 return dtls_FlushHandshakeMessages(ss, flags);
3199 return ssl3_FlushHandshakeMessages(ss, flags);
3203 /* Attempt to send the content of sendBuf buffer in an SSL handshake record.
3204 * This function returns SECSuccess or SECFailure, never SECWouldBlock.
3205 * Always set sendBuf.len to 0, even when returning SECFailure.
3207 * Called from ssl3_FlushHandshake
3210 ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags)
3212 static const PRInt32 allowedFlags = ssl_SEND_FLAG_FORCE_INTO_BUFFER |
3213 ssl_SEND_FLAG_CAP_RECORD_VERSION;
3214 PRInt32 rv = SECSuccess;
3216 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
3217 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
3219 if (!ss->sec.ci.sendBuf.buf || !ss->sec.ci.sendBuf.len)
3222 /* only these flags are allowed */
3223 PORT_Assert(!(flags & ~allowedFlags));
3224 if ((flags & ~allowedFlags) != 0) {
3225 PORT_SetError(SEC_ERROR_INVALID_ARGS);
3228 rv = ssl3_SendRecord(ss, 0, content_handshake, ss->sec.ci.sendBuf.buf,
3229 ss->sec.ci.sendBuf.len, flags);
3232 int err = PORT_GetError();
3233 PORT_Assert(err != PR_WOULD_BLOCK_ERROR);
3234 if (err == PR_WOULD_BLOCK_ERROR) {
3235 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
3237 } else if (rv < ss->sec.ci.sendBuf.len) {
3238 /* short write should never happen */
3239 PORT_Assert(rv >= ss->sec.ci.sendBuf.len);
3240 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
3246 /* Whether we succeeded or failed, toss the old handshake data. */
3247 ss->sec.ci.sendBuf.len = 0;
3252 * Called from ssl3_HandleAlert and from ssl3_HandleCertificate when
3253 * the remote client sends a negative response to our certificate request.
3254 * Returns SECFailure if the application has required client auth.
3255 * SECSuccess otherwise.
3258 ssl3_HandleNoCertificate(sslSocket *ss)
3260 if (ss->sec.peerCert != NULL) {
3261 if (ss->sec.peerKey != NULL) {
3262 SECKEY_DestroyPublicKey(ss->sec.peerKey);
3263 ss->sec.peerKey = NULL;
3265 CERT_DestroyCertificate(ss->sec.peerCert);
3266 ss->sec.peerCert = NULL;
3268 ssl3_CleanupPeerCerts(ss);
3270 /* If the server has required client-auth blindly but doesn't
3271 * actually look at the certificate it won't know that no
3272 * certificate was presented so we shutdown the socket to ensure
3273 * an error. We only do this if we haven't already completed the
3274 * first handshake because if we're redoing the handshake we
3275 * know the server is paying attention to the certificate.
3277 if ((ss->opt.requireCertificate == SSL_REQUIRE_ALWAYS) ||
3278 (!ss->firstHsDone &&
3279 (ss->opt.requireCertificate == SSL_REQUIRE_FIRST_HANDSHAKE))) {
3282 if (ss->sec.uncache)
3283 ss->sec.uncache(ss->sec.ci.sid);
3284 SSL3_SendAlert(ss, alert_fatal, bad_certificate);
3286 lower = ss->fd->lower;
3288 lower->methods->shutdown(lower, PR_SHUTDOWN_SEND);
3290 lower->methods->shutdown(lower, PR_SHUTDOWN_BOTH);
3292 PORT_SetError(SSL_ERROR_NO_CERTIFICATE);
3298 /************************************************************************
3303 ** Acquires both handshake and XmitBuf locks.
3304 ** Called from: ssl3_IllegalParameter <-
3305 ** ssl3_HandshakeFailure <-
3306 ** ssl3_HandleAlert <- ssl3_HandleRecord.
3307 ** ssl3_HandleChangeCipherSpecs <- ssl3_HandleRecord
3308 ** ssl3_ConsumeHandshakeVariable <-
3309 ** ssl3_HandleHelloRequest <-
3310 ** ssl3_HandleServerHello <-
3311 ** ssl3_HandleServerKeyExchange <-
3312 ** ssl3_HandleCertificateRequest <-
3313 ** ssl3_HandleServerHelloDone <-
3314 ** ssl3_HandleClientHello <-
3315 ** ssl3_HandleV2ClientHello <-
3316 ** ssl3_HandleCertificateVerify <-
3317 ** ssl3_HandleClientKeyExchange <-
3318 ** ssl3_HandleCertificate <-
3319 ** ssl3_HandleFinished <-
3320 ** ssl3_HandleHandshakeMessage <-
3321 ** ssl3_HandleRecord <-
3325 SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level, SSL3AlertDescription desc)
3330 SSL_TRC(3, ("%d: SSL3[%d]: send alert record, level=%d desc=%d",
3331 SSL_GETPID(), ss->fd, level, desc));
3336 ssl_GetSSL3HandshakeLock(ss);
3337 if (level == alert_fatal) {
3338 if (!ss->opt.noCache && ss->sec.ci.sid && ss->sec.uncache) {
3339 ss->sec.uncache(ss->sec.ci.sid);
3342 ssl_GetXmitBufLock(ss);
3343 rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
3344 if (rv == SECSuccess) {
3346 sent = ssl3_SendRecord(ss, 0, content_alert, bytes, 2,
3347 desc == no_certificate
3348 ? ssl_SEND_FLAG_FORCE_INTO_BUFFER : 0);
3349 rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
3351 ssl_ReleaseXmitBufLock(ss);
3352 ssl_ReleaseSSL3HandshakeLock(ss);
3353 return rv; /* error set by ssl3_FlushHandshake or ssl3_SendRecord */
3357 * Send illegal_parameter alert. Set generic error number.
3360 ssl3_IllegalParameter(sslSocket *ss)
3362 (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
3363 PORT_SetError(ss->sec.isServer ? SSL_ERROR_BAD_CLIENT
3364 : SSL_ERROR_BAD_SERVER );
3369 * Send handshake_Failure alert. Set generic error number.
3372 ssl3_HandshakeFailure(sslSocket *ss)
3374 (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure);
3375 PORT_SetError( ss->sec.isServer ? SSL_ERROR_BAD_CLIENT
3376 : SSL_ERROR_BAD_SERVER );
3381 ssl3_SendAlertForCertError(sslSocket * ss, PRErrorCode errCode)
3383 SSL3AlertDescription desc = bad_certificate;
3384 PRBool isTLS = ss->version >= SSL_LIBRARY_VERSION_3_1_TLS;
3387 case SEC_ERROR_LIBRARY_FAILURE: desc = unsupported_certificate; break;
3388 case SEC_ERROR_EXPIRED_CERTIFICATE: desc = certificate_expired; break;
3389 case SEC_ERROR_REVOKED_CERTIFICATE: desc = certificate_revoked; break;
3390 case SEC_ERROR_INADEQUATE_KEY_USAGE:
3391 case SEC_ERROR_INADEQUATE_CERT_TYPE:
3392 desc = certificate_unknown; break;
3393 case SEC_ERROR_UNTRUSTED_CERT:
3394 desc = isTLS ? access_denied : certificate_unknown; break;
3395 case SEC_ERROR_UNKNOWN_ISSUER:
3396 case SEC_ERROR_UNTRUSTED_ISSUER:
3397 desc = isTLS ? unknown_ca : certificate_unknown; break;
3398 case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
3399 desc = isTLS ? unknown_ca : certificate_expired; break;
3401 case SEC_ERROR_CERT_NOT_IN_NAME_SPACE:
3402 case SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID:
3403 case SEC_ERROR_CA_CERT_INVALID:
3404 case SEC_ERROR_BAD_SIGNATURE:
3405 default: desc = bad_certificate; break;
3407 SSL_DBG(("%d: SSL3[%d]: peer certificate is no good: error=%d",
3408 SSL_GETPID(), ss->fd, errCode));
3410 (void) SSL3_SendAlert(ss, alert_fatal, desc);
3415 * Send decode_error alert. Set generic error number.
3418 ssl3_DecodeError(sslSocket *ss)
3420 (void)SSL3_SendAlert(ss, alert_fatal,
3421 ss->version > SSL_LIBRARY_VERSION_3_0 ? decode_error
3422 : illegal_parameter);
3423 PORT_SetError( ss->sec.isServer ? SSL_ERROR_BAD_CLIENT
3424 : SSL_ERROR_BAD_SERVER );
3428 /* Called from ssl3_HandleRecord.
3429 ** Caller must hold both RecvBuf and Handshake locks.
3432 ssl3_HandleAlert(sslSocket *ss, sslBuffer *buf)
3434 SSL3AlertLevel level;
3435 SSL3AlertDescription desc;
3438 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
3439 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
3441 SSL_TRC(3, ("%d: SSL3[%d]: handle alert record", SSL_GETPID(), ss->fd));
3443 if (buf->len != 2) {
3444 (void)ssl3_DecodeError(ss);
3445 PORT_SetError(SSL_ERROR_RX_MALFORMED_ALERT);
3448 level = (SSL3AlertLevel)buf->buf[0];
3449 desc = (SSL3AlertDescription)buf->buf[1];
3451 SSL_TRC(5, ("%d: SSL3[%d] received alert, level = %d, description = %d",
3452 SSL_GETPID(), ss->fd, level, desc));
3455 case close_notify: ss->recvdCloseNotify = 1;
3456 error = SSL_ERROR_CLOSE_NOTIFY_ALERT; break;
3457 case unexpected_message: error = SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT;
3459 case bad_record_mac: error = SSL_ERROR_BAD_MAC_ALERT; break;
3460 case decryption_failed_RESERVED:
3461 error = SSL_ERROR_DECRYPTION_FAILED_ALERT;
3463 case record_overflow: error = SSL_ERROR_RECORD_OVERFLOW_ALERT; break;
3464 case decompression_failure: error = SSL_ERROR_DECOMPRESSION_FAILURE_ALERT;
3466 case handshake_failure: error = SSL_ERROR_HANDSHAKE_FAILURE_ALERT;
3468 case no_certificate: error = SSL_ERROR_NO_CERTIFICATE; break;
3469 case bad_certificate: error = SSL_ERROR_BAD_CERT_ALERT; break;
3470 case unsupported_certificate:error = SSL_ERROR_UNSUPPORTED_CERT_ALERT;break;
3471 case certificate_revoked: error = SSL_ERROR_REVOKED_CERT_ALERT; break;
3472 case certificate_expired: error = SSL_ERROR_EXPIRED_CERT_ALERT; break;
3473 case certificate_unknown: error = SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT;
3475 case illegal_parameter: error = SSL_ERROR_ILLEGAL_PARAMETER_ALERT;break;
3476 case inappropriate_fallback:
3477 error = SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT;
3480 /* All alerts below are TLS only. */
3481 case unknown_ca: error = SSL_ERROR_UNKNOWN_CA_ALERT; break;
3482 case access_denied: error = SSL_ERROR_ACCESS_DENIED_ALERT; break;
3483 case decode_error: error = SSL_ERROR_DECODE_ERROR_ALERT; break;
3484 case decrypt_error: error = SSL_ERROR_DECRYPT_ERROR_ALERT; break;
3485 case export_restriction: error = SSL_ERROR_EXPORT_RESTRICTION_ALERT;
3487 case protocol_version: error = SSL_ERROR_PROTOCOL_VERSION_ALERT; break;
3488 case insufficient_security: error = SSL_ERROR_INSUFFICIENT_SECURITY_ALERT;
3490 case internal_error: error = SSL_ERROR_INTERNAL_ERROR_ALERT; break;
3491 case user_canceled: error = SSL_ERROR_USER_CANCELED_ALERT; break;
3492 case no_renegotiation: error = SSL_ERROR_NO_RENEGOTIATION_ALERT; break;
3494 /* Alerts for TLS client hello extensions */
3495 case unsupported_extension:
3496 error = SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT; break;
3497 case certificate_unobtainable:
3498 error = SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT; break;
3499 case unrecognized_name:
3500 error = SSL_ERROR_UNRECOGNIZED_NAME_ALERT; break;
3501 case bad_certificate_status_response:
3502 error = SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT; break;
3503 case bad_certificate_hash_value:
3504 error = SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT; break;
3505 default: error = SSL_ERROR_RX_UNKNOWN_ALERT; break;
3507 if (level == alert_fatal) {
3508 if (!ss->opt.noCache) {
3509 if (ss->sec.uncache)
3510 ss->sec.uncache(ss->sec.ci.sid);
3512 if ((ss->ssl3.hs.ws == wait_server_hello) &&
3513 (desc == handshake_failure)) {
3514 /* XXX This is a hack. We're assuming that any handshake failure
3515 * XXX on the client hello is a failure to match ciphers.
3517 error = SSL_ERROR_NO_CYPHER_OVERLAP;
3519 PORT_SetError(error);
3522 if ((desc == no_certificate) && (ss->ssl3.hs.ws == wait_client_cert)) {
3523 /* I'm a server. I've requested a client cert. He hasn't got one. */
3526 PORT_Assert(ss->sec.isServer);
3527 ss->ssl3.hs.ws = wait_client_key;
3528 rv = ssl3_HandleNoCertificate(ss);
3535 * Change Cipher Specs
3536 * Called from ssl3_HandleServerHelloDone,
3537 * ssl3_HandleClientHello,
3538 * and ssl3_HandleFinished
3540 * Acquires and releases spec write lock, to protect switching the current
3541 * and pending write spec pointers.
3545 ssl3_SendChangeCipherSpecs(sslSocket *ss)
3547 PRUint8 change = change_cipher_spec_choice;
3548 ssl3CipherSpec * pwSpec;
3552 SSL_TRC(3, ("%d: SSL3[%d]: send change_cipher_spec record",
3553 SSL_GETPID(), ss->fd));
3555 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
3556 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
3558 rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
3559 if (rv != SECSuccess) {
3560 return rv; /* error code set by ssl3_FlushHandshake */
3563 sent = ssl3_SendRecord(ss, 0, content_change_cipher_spec, &change, 1,
3564 ssl_SEND_FLAG_FORCE_INTO_BUFFER);
3566 return (SECStatus)sent; /* error code set by ssl3_SendRecord */
3569 rv = dtls_QueueMessage(ss, content_change_cipher_spec, &change, 1);
3570 if (rv != SECSuccess) {
3575 /* swap the pending and current write specs. */
3576 ssl_GetSpecWriteLock(ss); /**************************************/
3577 pwSpec = ss->ssl3.pwSpec;
3579 ss->ssl3.pwSpec = ss->ssl3.cwSpec;
3580 ss->ssl3.cwSpec = pwSpec;
3582 SSL_TRC(3, ("%d: SSL3[%d] Set Current Write Cipher Suite to Pending",
3583 SSL_GETPID(), ss->fd ));
3585 /* We need to free up the contexts, keys and certs ! */
3586 /* If we are really through with the old cipher spec
3587 * (Both the read and write sides have changed) destroy it.
3589 if (ss->ssl3.prSpec == ss->ssl3.pwSpec) {
3591 ssl3_DestroyCipherSpec(ss->ssl3.pwSpec, PR_FALSE/*freeSrvName*/);
3593 /* With DTLS, we need to set a holddown timer in case the final
3594 * message got lost */
3595 ss->ssl3.hs.rtTimeoutMs = DTLS_FINISHED_TIMER_MS;
3596 dtls_StartTimer(ss, dtls_FinishedTimerCb);
3599 ssl_ReleaseSpecWriteLock(ss); /**************************************/
3604 /* Called from ssl3_HandleRecord.
3605 ** Caller must hold both RecvBuf and Handshake locks.
3607 * Acquires and releases spec write lock, to protect switching the current
3608 * and pending write spec pointers.
3611 ssl3_HandleChangeCipherSpecs(sslSocket *ss, sslBuffer *buf)
3613 ssl3CipherSpec * prSpec;
3614 SSL3WaitState ws = ss->ssl3.hs.ws;
3615 SSL3ChangeCipherSpecChoice change;
3617 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
3618 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
3620 SSL_TRC(3, ("%d: SSL3[%d]: handle change_cipher_spec record",
3621 SSL_GETPID(), ss->fd));
3623 if (ws != wait_change_cipher) {
3625 /* Ignore this because it's out of order. */
3626 SSL_TRC(3, ("%d: SSL3[%d]: discard out of order "
3627 "DTLS change_cipher_spec",
3628 SSL_GETPID(), ss->fd));
3632 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
3633 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER);
3638 (void)ssl3_DecodeError(ss);
3639 PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
3642 change = (SSL3ChangeCipherSpecChoice)buf->buf[0];
3643 if (change != change_cipher_spec_choice) {
3644 /* illegal_parameter is correct here for both SSL3 and TLS. */
3645 (void)ssl3_IllegalParameter(ss);
3646 PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
3651 /* Swap the pending and current read specs. */
3652 ssl_GetSpecWriteLock(ss); /*************************************/
3653 prSpec = ss->ssl3.prSpec;
3655 ss->ssl3.prSpec = ss->ssl3.crSpec;
3656 ss->ssl3.crSpec = prSpec;
3657 ss->ssl3.hs.ws = wait_finished;
3659 SSL_TRC(3, ("%d: SSL3[%d] Set Current Read Cipher Suite to Pending",
3660 SSL_GETPID(), ss->fd ));
3662 /* If we are really through with the old cipher prSpec
3663 * (Both the read and write sides have changed) destroy it.
3665 if (ss->ssl3.prSpec == ss->ssl3.pwSpec) {
3666 ssl3_DestroyCipherSpec(ss->ssl3.prSpec, PR_FALSE/*freeSrvName*/);
3668 ssl_ReleaseSpecWriteLock(ss); /*************************************/
3672 /* This method uses PKCS11 to derive the MS from the PMS, where PMS
3673 ** is a PKCS11 symkey. This is used in all cases except the
3674 ** "triple bypass" with RSA key exchange.
3675 ** Called from ssl3_InitPendingCipherSpec. prSpec is pwSpec.
3678 ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms)
3680 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec;
3681 const ssl3KEADef *kea_def= ss->ssl3.hs.kea_def;
3682 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random;
3683 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random;
3684 PRBool isTLS = (PRBool)(kea_def->tls_keygen ||
3685 (pwSpec->version > SSL_LIBRARY_VERSION_3_0));
3687 (PRBool)(isTLS && pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
3689 * Whenever isDH is true, we need to use CKM_TLS_MASTER_KEY_DERIVE_DH
3690 * which, unlike CKM_TLS_MASTER_KEY_DERIVE, converts arbitrary size
3691 * data into a 48-byte value.
3693 PRBool isDH = (PRBool) ((ss->ssl3.hs.kea_def->exchKeyType == kt_dh) ||
3694 (ss->ssl3.hs.kea_def->exchKeyType == kt_ecdh));
3695 SECStatus rv = SECFailure;
3696 CK_MECHANISM_TYPE master_derive;
3697 CK_MECHANISM_TYPE key_derive;
3700 CK_VERSION pms_version;
3701 CK_SSL3_MASTER_KEY_DERIVE_PARAMS master_params;
3703 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
3704 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
3705 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
3707 if(isDH) master_derive = CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256;
3708 else master_derive = CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256;
3709 key_derive = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256;
3710 keyFlags = CKF_SIGN | CKF_VERIFY;
3712 if(isDH) master_derive = CKM_TLS_MASTER_KEY_DERIVE_DH;
3713 else master_derive = CKM_TLS_MASTER_KEY_DERIVE;
3714 key_derive = CKM_TLS_KEY_AND_MAC_DERIVE;
3715 keyFlags = CKF_SIGN | CKF_VERIFY;
3717 if (isDH) master_derive = CKM_SSL3_MASTER_KEY_DERIVE_DH;
3718 else master_derive = CKM_SSL3_MASTER_KEY_DERIVE;
3719 key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE;
3723 if (pms || !pwSpec->master_secret) {
3725 master_params.pVersion = NULL;
3727 master_params.pVersion = &pms_version;
3729 master_params.RandomInfo.pClientRandom = cr;
3730 master_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH;
3731 master_params.RandomInfo.pServerRandom = sr;
3732 master_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH;
3734 params.data = (unsigned char *) &master_params;
3735 params.len = sizeof master_params;
3740 if (ssl_trace >= 100) {
3741 SECStatus extractRV = PK11_ExtractKeyValue(pms);
3742 if (extractRV == SECSuccess) {
3743 SECItem * keyData = PK11_GetKeyData(pms);
3744 if (keyData && keyData->data && keyData->len) {
3745 ssl_PrintBuf(ss, "Pre-Master Secret",
3746 keyData->data, keyData->len);
3751 pwSpec->master_secret = PK11_DeriveWithFlags(pms, master_derive,
3752 ¶ms, key_derive, CKA_DERIVE, 0, keyFlags);
3753 if (!isDH && pwSpec->master_secret && ss->opt.detectRollBack) {
3754 SSL3ProtocolVersion client_version;
3755 client_version = pms_version.major << 8 | pms_version.minor;
3758 client_version = dtls_DTLSVersionToTLSVersion(client_version);
3761 if (client_version != ss->clientHelloVersion) {
3762 /* Destroy it. Version roll-back detected. */
3763 PK11_FreeSymKey(pwSpec->master_secret);
3764 pwSpec->master_secret = NULL;
3767 if (pwSpec->master_secret == NULL) {
3768 /* Generate a faux master secret in the same slot as the old one. */
3769 PK11SlotInfo * slot = PK11_GetSlotFromKey((PK11SymKey *)pms);
3770 PK11SymKey * fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot);
3772 PK11_FreeSlot(slot);
3774 pwSpec->master_secret = PK11_DeriveWithFlags(fpms,
3775 master_derive, ¶ms, key_derive,
3776 CKA_DERIVE, 0, keyFlags);
3777 PK11_FreeSymKey(fpms);
3781 if (pwSpec->master_secret == NULL) {
3782 /* Generate a faux master secret from the internal slot. */
3783 PK11SlotInfo * slot = PK11_GetInternalSlot();
3784 PK11SymKey * fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot);
3786 PK11_FreeSlot(slot);
3788 pwSpec->master_secret = PK11_DeriveWithFlags(fpms,
3789 master_derive, ¶ms, key_derive,
3790 CKA_DERIVE, 0, keyFlags);
3791 if (pwSpec->master_secret == NULL) {
3792 pwSpec->master_secret = fpms; /* use the fpms as the master. */
3797 PK11_FreeSymKey(fpms);
3800 if (pwSpec->master_secret == NULL) {
3801 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
3804 #ifndef NO_PKCS11_BYPASS
3805 if (ss->opt.bypassPKCS11) {
3807 /* In hope of doing a "double bypass",
3808 * need to extract the master secret's value from the key object
3809 * and store it raw in the sslSocket struct.
3811 rv = PK11_ExtractKeyValue(pwSpec->master_secret);
3812 if (rv != SECSuccess) {
3815 /* This returns the address of the secItem inside the key struct,
3816 * not a copy or a reference. So, there's no need to free it.
3818 keydata = PK11_GetKeyData(pwSpec->master_secret);
3819 if (keydata && keydata->len <= sizeof pwSpec->raw_master_secret) {
3820 memcpy(pwSpec->raw_master_secret, keydata->data, keydata->len);
3821 pwSpec->msItem.data = pwSpec->raw_master_secret;
3822 pwSpec->msItem.len = keydata->len;
3824 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
3834 * Derive encryption and MAC Keys (and IVs) from master secret
3835 * Sets a useful error code when returning SECFailure.
3837 * Called only from ssl3_InitPendingCipherSpec(),
3838 * which in turn is called from
3839 * sendRSAClientKeyExchange (for Full handshake)
3840 * sendDHClientKeyExchange (for Full handshake)
3841 * ssl3_HandleClientKeyExchange (for Full handshake)
3842 * ssl3_HandleServerHello (for session restart)
3843 * ssl3_HandleClientHello (for session restart)
3844 * Caller MUST hold the specWriteLock, and SSL3HandshakeLock.
3845 * ssl3_InitPendingCipherSpec does that.
3849 ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss)
3851 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec;
3852 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def;
3853 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random;
3854 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random;
3855 PRBool isTLS = (PRBool)(kea_def->tls_keygen ||
3856 (pwSpec->version > SSL_LIBRARY_VERSION_3_0));
3858 (PRBool)(isTLS && pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
3859 /* following variables used in PKCS11 path */
3860 const ssl3BulkCipherDef *cipher_def = pwSpec->cipher_def;
3861 PK11SlotInfo * slot = NULL;
3862 PK11SymKey * symKey = NULL;
3863 void * pwArg = ss->pkcs11PinArg;
3865 CK_SSL3_KEY_MAT_PARAMS key_material_params;
3866 CK_SSL3_KEY_MAT_OUT returnedKeys;
3867 CK_MECHANISM_TYPE key_derive;
3868 CK_MECHANISM_TYPE bulk_mechanism;
3869 SSLCipherAlgorithm calg;
3871 PRBool skipKeysAndIVs = (PRBool)(cipher_def->calg == calg_null);
3873 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
3874 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
3875 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
3877 if (!pwSpec->master_secret) {
3878 PORT_SetError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
3882 * generate the key material
3884 key_material_params.ulMacSizeInBits = pwSpec->mac_size * BPB;
3885 key_material_params.ulKeySizeInBits = cipher_def->secret_key_size* BPB;
3886 key_material_params.ulIVSizeInBits = cipher_def->iv_size * BPB;
3887 if (cipher_def->type == type_block &&
3888 pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) {
3889 /* Block ciphers in >= TLS 1.1 use a per-record, explicit IV. */
3890 key_material_params.ulIVSizeInBits = 0;
3891 memset(pwSpec->client.write_iv, 0, cipher_def->iv_size);
3892 memset(pwSpec->server.write_iv, 0, cipher_def->iv_size);
3895 key_material_params.bIsExport = (CK_BBOOL)(kea_def->is_limited);
3897 key_material_params.RandomInfo.pClientRandom = cr;
3898 key_material_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH;
3899 key_material_params.RandomInfo.pServerRandom = sr;
3900 key_material_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH;
3901 key_material_params.pReturnedKeyMaterial = &returnedKeys;
3903 returnedKeys.pIVClient = pwSpec->client.write_iv;
3904 returnedKeys.pIVServer = pwSpec->server.write_iv;
3905 keySize = cipher_def->key_size;
3907 if (skipKeysAndIVs) {
3909 key_material_params.ulKeySizeInBits = 0;
3910 key_material_params.ulIVSizeInBits = 0;
3911 returnedKeys.pIVClient = NULL;
3912 returnedKeys.pIVServer = NULL;
3915 calg = cipher_def->calg;
3916 PORT_Assert( alg2Mech[calg].calg == calg);
3917 bulk_mechanism = alg2Mech[calg].cmech;
3919 params.data = (unsigned char *)&key_material_params;
3920 params.len = sizeof(key_material_params);
3923 key_derive = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256;
3925 key_derive = CKM_TLS_KEY_AND_MAC_DERIVE;
3927 key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE;
3930 /* CKM_SSL3_KEY_AND_MAC_DERIVE is defined to set ENCRYPT, DECRYPT, and
3931 * DERIVE by DEFAULT */
3932 symKey = PK11_Derive(pwSpec->master_secret, key_derive, ¶ms,
3933 bulk_mechanism, CKA_ENCRYPT, keySize);
3935 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
3938 /* we really should use the actual mac'ing mechanism here, but we
3939 * don't because these types are used to map keytype anyway and both
3940 * mac's map to the same keytype.
3942 slot = PK11_GetSlotFromKey(symKey);
3944 PK11_FreeSlot(slot); /* slot is held until the key is freed */
3945 pwSpec->client.write_mac_key =
3946 PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
3947 CKM_SSL3_SHA1_MAC, returnedKeys.hClientMacSecret, PR_TRUE, pwArg);
3948 if (pwSpec->client.write_mac_key == NULL ) {
3949 goto loser; /* loser sets err */
3951 pwSpec->server.write_mac_key =
3952 PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
3953 CKM_SSL3_SHA1_MAC, returnedKeys.hServerMacSecret, PR_TRUE, pwArg);
3954 if (pwSpec->server.write_mac_key == NULL ) {
3955 goto loser; /* loser sets err */
3957 if (!skipKeysAndIVs) {
3958 pwSpec->client.write_key =
3959 PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
3960 bulk_mechanism, returnedKeys.hClientKey, PR_TRUE, pwArg);
3961 if (pwSpec->client.write_key == NULL ) {
3962 goto loser; /* loser sets err */
3964 pwSpec->server.write_key =
3965 PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
3966 bulk_mechanism, returnedKeys.hServerKey, PR_TRUE, pwArg);
3967 if (pwSpec->server.write_key == NULL ) {
3968 goto loser; /* loser sets err */
3971 PK11_FreeSymKey(symKey);
3976 if (symKey) PK11_FreeSymKey(symKey);
3977 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
3981 /* ssl3_InitHandshakeHashes creates handshake hash contexts and hashes in
3982 * buffered messages in ss->ssl3.hs.messages. */
3984 ssl3_InitHandshakeHashes(sslSocket *ss)
3986 SSL_TRC(30,("%d: SSL3[%d]: start handshake hashes", SSL_GETPID(), ss->fd));
3988 PORT_Assert(ss->ssl3.hs.hashType == handshake_hash_unknown);
3989 #ifndef NO_PKCS11_BYPASS
3990 if (ss->opt.bypassPKCS11) {
3991 PORT_Assert(!ss->ssl3.hs.sha_obj && !ss->ssl3.hs.sha_clone);
3992 if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
3993 /* If we ever support ciphersuites where the PRF hash isn't SHA-256
3994 * then this will need to be updated. */
3995 ss->ssl3.hs.sha_obj = HASH_GetRawHashObject(HASH_AlgSHA256);
3996 if (!ss->ssl3.hs.sha_obj) {
3997 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
4000 ss->ssl3.hs.sha_clone = (void (*)(void *, void *))SHA256_Clone;
4001 ss->ssl3.hs.hashType = handshake_hash_single;
4002 ss->ssl3.hs.sha_obj->begin(ss->ssl3.hs.sha_cx);
4004 ss->ssl3.hs.hashType = handshake_hash_combo;
4005 MD5_Begin((MD5Context *)ss->ssl3.hs.md5_cx);
4006 SHA1_Begin((SHA1Context *)ss->ssl3.hs.sha_cx);
4011 PORT_Assert(!ss->ssl3.hs.md5 && !ss->ssl3.hs.sha);
4013 * note: We should probably lookup an SSL3 slot for these
4014 * handshake hashes in hopes that we wind up with the same slots
4015 * that the master secret will wind up in ...
4017 if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
4018 /* If we ever support ciphersuites where the PRF hash isn't SHA-256
4019 * then this will need to be updated. */
4020 ss->ssl3.hs.sha = PK11_CreateDigestContext(SEC_OID_SHA256);
4021 if (ss->ssl3.hs.sha == NULL) {
4022 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
4025 ss->ssl3.hs.hashType = handshake_hash_single;
4027 if (PK11_DigestBegin(ss->ssl3.hs.sha) != SECSuccess) {
4028 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
4032 /* Create a backup SHA-1 hash for a potential client auth
4035 * In TLS 1.2, ssl3_ComputeHandshakeHashes always uses the
4036 * handshake hash function (SHA-256). If the server or the client
4037 * does not support SHA-256 as a signature hash, we can either
4038 * maintain a backup SHA-1 handshake hash or buffer all handshake
4041 if (!ss->sec.isServer) {
4042 ss->ssl3.hs.backupHash = PK11_CreateDigestContext(SEC_OID_SHA1);
4043 if (ss->ssl3.hs.backupHash == NULL) {
4044 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
4048 if (PK11_DigestBegin(ss->ssl3.hs.backupHash) != SECSuccess) {
4049 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
4054 /* Both ss->ssl3.hs.md5 and ss->ssl3.hs.sha should be NULL or
4055 * created successfully. */
4056 ss->ssl3.hs.md5 = PK11_CreateDigestContext(SEC_OID_MD5);
4057 if (ss->ssl3.hs.md5 == NULL) {
4058 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
4061 ss->ssl3.hs.sha = PK11_CreateDigestContext(SEC_OID_SHA1);
4062 if (ss->ssl3.hs.sha == NULL) {
4063 PK11_DestroyContext(ss->ssl3.hs.md5, PR_TRUE);
4064 ss->ssl3.hs.md5 = NULL;
4065 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
4068 ss->ssl3.hs.hashType = handshake_hash_combo;
4070 if (PK11_DigestBegin(ss->ssl3.hs.md5) != SECSuccess) {
4071 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
4074 if (PK11_DigestBegin(ss->ssl3.hs.sha) != SECSuccess) {
4075 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
4081 if (ss->ssl3.hs.messages.len > 0) {
4082 if (ssl3_UpdateHandshakeHashes(ss, ss->ssl3.hs.messages.buf,
4083 ss->ssl3.hs.messages.len) !=
4087 PORT_Free(ss->ssl3.hs.messages.buf);
4088 ss->ssl3.hs.messages.buf = NULL;
4089 ss->ssl3.hs.messages.len = 0;
4090 ss->ssl3.hs.messages.space = 0;
4097 ssl3_RestartHandshakeHashes(sslSocket *ss)
4099 SECStatus rv = SECSuccess;
4101 SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes",
4102 SSL_GETPID(), ss->fd ));
4103 ss->ssl3.hs.hashType = handshake_hash_unknown;
4104 ss->ssl3.hs.messages.len = 0;
4105 #ifndef NO_PKCS11_BYPASS
4106 ss->ssl3.hs.sha_obj = NULL;
4107 ss->ssl3.hs.sha_clone = NULL;
4109 if (ss->ssl3.hs.md5) {
4110 PK11_DestroyContext(ss->ssl3.hs.md5,PR_TRUE);
4111 ss->ssl3.hs.md5 = NULL;
4113 if (ss->ssl3.hs.sha) {
4114 PK11_DestroyContext(ss->ssl3.hs.sha,PR_TRUE);
4115 ss->ssl3.hs.sha = NULL;
4121 * Handshake messages
4123 /* Called from ssl3_InitHandshakeHashes()
4124 ** ssl3_AppendHandshake()
4125 ** ssl3_StartHandshakeHash()
4126 ** ssl3_HandleV2ClientHello()
4127 ** ssl3_HandleHandshakeMessage()
4128 ** Caller must hold the ssl3Handshake lock.
4131 ssl3_UpdateHandshakeHashes(sslSocket *ss, const unsigned char *b,
4134 SECStatus rv = SECSuccess;
4136 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
4138 /* We need to buffer the handshake messages until we have established
4139 * which handshake hash function to use. */
4140 if (ss->ssl3.hs.hashType == handshake_hash_unknown) {
4141 return sslBuffer_Append(&ss->ssl3.hs.messages, b, l);
4144 PRINT_BUF(90, (NULL, "handshake hash input:", b, l));
4146 #ifndef NO_PKCS11_BYPASS
4147 if (ss->opt.bypassPKCS11) {
4148 if (ss->ssl3.hs.hashType == handshake_hash_single) {
4149 ss->ssl3.hs.sha_obj->update(ss->ssl3.hs.sha_cx, b, l);
4151 MD5_Update((MD5Context *)ss->ssl3.hs.md5_cx, b, l);
4152 SHA1_Update((SHA1Context *)ss->ssl3.hs.sha_cx, b, l);
4157 if (ss->ssl3.hs.hashType == handshake_hash_single) {
4158 rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l);
4159 if (rv != SECSuccess) {
4160 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
4163 if (ss->ssl3.hs.backupHash) {
4164 rv = PK11_DigestOp(ss->ssl3.hs.backupHash, b, l);
4165 if (rv != SECSuccess) {
4166 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
4171 rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l);
4172 if (rv != SECSuccess) {
4173 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
4176 rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l);
4177 if (rv != SECSuccess) {
4178 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
4185 /**************************************************************************
4186 * Append Handshake functions.
4187 * All these functions set appropriate error codes.
4188 * Most rely on ssl3_AppendHandshake to set the error code.
4189 **************************************************************************/
4191 ssl3_AppendHandshake(sslSocket *ss, const void *void_src, PRInt32 bytes)
4193 unsigned char * src = (unsigned char *)void_src;
4194 int room = ss->sec.ci.sendBuf.space - ss->sec.ci.sendBuf.len;
4197 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); /* protects sendBuf. */
4201 if (ss->sec.ci.sendBuf.space < MAX_SEND_BUF_LENGTH && room < bytes) {
4202 rv = sslBuffer_Grow(&ss->sec.ci.sendBuf, PR_MAX(MIN_SEND_BUF_LENGTH,
4203 PR_MIN(MAX_SEND_BUF_LENGTH, ss->sec.ci.sendBuf.len + bytes)));
4204 if (rv != SECSuccess)
4205 return rv; /* sslBuffer_Grow has set a memory error code. */
4206 room = ss->sec.ci.sendBuf.space - ss->sec.ci.sendBuf.len;
4209 PRINT_BUF(60, (ss, "Append to Handshake", (unsigned char*)void_src, bytes));
4210 rv = ssl3_UpdateHandshakeHashes(ss, src, bytes);
4211 if (rv != SECSuccess)
4212 return rv; /* error code set by ssl3_UpdateHandshakeHashes */
4214 while (bytes > room) {
4216 PORT_Memcpy(ss->sec.ci.sendBuf.buf + ss->sec.ci.sendBuf.len, src,
4218 ss->sec.ci.sendBuf.len += room;
4219 rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
4220 if (rv != SECSuccess) {
4221 return rv; /* error code set by ssl3_FlushHandshake */
4225 room = ss->sec.ci.sendBuf.space;
4226 PORT_Assert(ss->sec.ci.sendBuf.len == 0);
4228 PORT_Memcpy(ss->sec.ci.sendBuf.buf + ss->sec.ci.sendBuf.len, src, bytes);
4229 ss->sec.ci.sendBuf.len += bytes;
4234 ssl3_AppendHandshakeNumber(sslSocket *ss, PRInt32 num, PRInt32 lenSize)
4242 *p++ = (num >> 24) & 0xff;
4244 *p++ = (num >> 16) & 0xff;
4246 *p++ = (num >> 8) & 0xff;
4250 SSL_TRC(60, ("%d: number:", SSL_GETPID()));
4251 rv = ssl3_AppendHandshake(ss, &b[0], lenSize);
4252 return rv; /* error code set by AppendHandshake, if applicable. */
4256 ssl3_AppendHandshakeVariable(
4257 sslSocket *ss, const SSL3Opaque *src, PRInt32 bytes, PRInt32 lenSize)
4261 PORT_Assert((bytes < (1<<8) && lenSize == 1) ||
4262 (bytes < (1L<<16) && lenSize == 2) ||
4263 (bytes < (1L<<24) && lenSize == 3));
4265 SSL_TRC(60,("%d: append variable:", SSL_GETPID()));
4266 rv = ssl3_AppendHandshakeNumber(ss, bytes, lenSize);
4267 if (rv != SECSuccess) {
4268 return rv; /* error code set by AppendHandshake, if applicable. */
4270 SSL_TRC(60, ("data:"));
4271 rv = ssl3_AppendHandshake(ss, src, bytes);
4272 return rv; /* error code set by AppendHandshake, if applicable. */
4276 ssl3_AppendHandshakeHeader(sslSocket *ss, SSL3HandshakeType t, PRUint32 length)
4280 /* If we already have a message in place, we need to enqueue it.
4281 * This empties the buffer. This is a convenient place to call
4282 * dtls_StageHandshakeMessage to mark the message boundary.
4285 rv = dtls_StageHandshakeMessage(ss);
4286 if (rv != SECSuccess) {
4291 SSL_TRC(30,("%d: SSL3[%d]: append handshake header: type %s",
4292 SSL_GETPID(), ss->fd, ssl3_DecodeHandshakeType(t)));
4294 rv = ssl3_AppendHandshakeNumber(ss, t, 1);
4295 if (rv != SECSuccess) {
4296 return rv; /* error code set by AppendHandshake, if applicable. */
4298 rv = ssl3_AppendHandshakeNumber(ss, length, 3);
4299 if (rv != SECSuccess) {
4300 return rv; /* error code set by AppendHandshake, if applicable. */
4304 /* Note that we make an unfragmented message here. We fragment in the
4305 * transmission code, if necessary */
4306 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.sendMessageSeq, 2);
4307 if (rv != SECSuccess) {
4308 return rv; /* error code set by AppendHandshake, if applicable. */
4310 ss->ssl3.hs.sendMessageSeq++;
4312 /* 0 is the fragment offset, because it's not fragmented yet */
4313 rv = ssl3_AppendHandshakeNumber(ss, 0, 3);
4314 if (rv != SECSuccess) {
4315 return rv; /* error code set by AppendHandshake, if applicable. */
4318 /* Fragment length -- set to the packet length because not fragmented */
4319 rv = ssl3_AppendHandshakeNumber(ss, length, 3);
4320 if (rv != SECSuccess) {
4321 return rv; /* error code set by AppendHandshake, if applicable. */
4325 return rv; /* error code set by AppendHandshake, if applicable. */
4328 /* ssl3_AppendSignatureAndHashAlgorithm appends the serialisation of
4329 * |sigAndHash| to the current handshake message. */
4331 ssl3_AppendSignatureAndHashAlgorithm(
4332 sslSocket *ss, const SSL3SignatureAndHashAlgorithm* sigAndHash)
4334 unsigned char serialized[2];
4336 serialized[0] = ssl3_OIDToTLSHashAlgorithm(sigAndHash->hashAlg);
4337 if (serialized[0] == 0) {
4338 PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
4342 serialized[1] = sigAndHash->sigAlg;
4344 return ssl3_AppendHandshake(ss, serialized, sizeof(serialized));
4347 /**************************************************************************
4348 * Consume Handshake functions.
4350 * All data used in these functions is protected by two locks,
4351 * the RecvBufLock and the SSL3HandshakeLock
4352 **************************************************************************/
4354 /* Read up the next "bytes" number of bytes from the (decrypted) input
4355 * stream "b" (which is *length bytes long). Copy them into buffer "v".
4356 * Reduces *length by bytes. Advances *b by bytes.
4358 * If this function returns SECFailure, it has already sent an alert,
4359 * and has set a generic error code. The caller should probably
4360 * override the generic error code by setting another.
4363 ssl3_ConsumeHandshake(sslSocket *ss, void *v, PRInt32 bytes, SSL3Opaque **b,
4366 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
4367 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
4369 if ((PRUint32)bytes > *length) {
4370 return ssl3_DecodeError(ss);
4372 PORT_Memcpy(v, *b, bytes);
4373 PRINT_BUF(60, (ss, "consume bytes:", *b, bytes));
4379 /* Read up the next "bytes" number of bytes from the (decrypted) input
4380 * stream "b" (which is *length bytes long), and interpret them as an
4381 * integer in network byte order. Returns the received value.
4382 * Reduces *length by bytes. Advances *b by bytes.
4384 * Returns SECFailure (-1) on failure.
4385 * This value is indistinguishable from the equivalent received value.
4386 * Only positive numbers are to be received this way.
4387 * Thus, the largest value that may be sent this way is 0x7fffffff.
4388 * On error, an alert has been sent, and a generic error code has been set.
4391 ssl3_ConsumeHandshakeNumber(sslSocket *ss, PRInt32 bytes, SSL3Opaque **b,
4398 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
4399 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
4400 PORT_Assert( bytes <= sizeof num);
4402 if ((PRUint32)bytes > *length) {
4403 return ssl3_DecodeError(ss);
4405 PRINT_BUF(60, (ss, "consume bytes:", *b, bytes));
4407 for (i = 0; i < bytes; i++)
4408 num = (num << 8) + buf[i];
4414 /* Read in two values from the incoming decrypted byte stream "b", which is
4415 * *length bytes long. The first value is a number whose size is "bytes"
4416 * bytes long. The second value is a byte-string whose size is the value
4417 * of the first number received. The latter byte-string, and its length,
4418 * is returned in the SECItem i.
4420 * Returns SECFailure (-1) on failure.
4421 * On error, an alert has been sent, and a generic error code has been set.
4423 * RADICAL CHANGE for NSS 3.11. All callers of this function make copies
4424 * of the data returned in the SECItem *i, so making a copy of it here
4425 * is simply wasteful. So, This function now just sets SECItem *i to
4426 * point to the values in the buffer **b.
4429 ssl3_ConsumeHandshakeVariable(sslSocket *ss, SECItem *i, PRInt32 bytes,
4430 SSL3Opaque **b, PRUint32 *length)
4434 PORT_Assert(bytes <= 3);
4437 count = ssl3_ConsumeHandshakeNumber(ss, bytes, b, length);
4438 if (count < 0) { /* Can't test for SECSuccess here. */
4442 if ((PRUint32)count > *length) {
4443 return ssl3_DecodeError(ss);
4453 /* tlsHashOIDMap contains the mapping between TLS hash identifiers and the
4454 * SECOidTag used internally by NSS. */
4455 static const struct {
4458 } tlsHashOIDMap[] = {
4459 { tls_hash_md5, SEC_OID_MD5 },
4460 { tls_hash_sha1, SEC_OID_SHA1 },
4461 { tls_hash_sha224, SEC_OID_SHA224 },
4462 { tls_hash_sha256, SEC_OID_SHA256 },
4463 { tls_hash_sha384, SEC_OID_SHA384 },
4464 { tls_hash_sha512, SEC_OID_SHA512 }
4467 /* ssl3_TLSHashAlgorithmToOID converts a TLS hash identifier into an OID value.
4468 * If the hash is not recognised, SEC_OID_UNKNOWN is returned.
4470 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
4472 ssl3_TLSHashAlgorithmToOID(int hashFunc)
4476 for (i = 0; i < PR_ARRAY_SIZE(tlsHashOIDMap); i++) {
4477 if (hashFunc == tlsHashOIDMap[i].tlsHash) {
4478 return tlsHashOIDMap[i].oid;
4481 return SEC_OID_UNKNOWN;
4484 /* ssl3_OIDToTLSHashAlgorithm converts an OID to a TLS hash algorithm
4485 * identifier. If the hash is not recognised, zero is returned.
4487 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
4489 ssl3_OIDToTLSHashAlgorithm(SECOidTag oid)
4493 for (i = 0; i < PR_ARRAY_SIZE(tlsHashOIDMap); i++) {
4494 if (oid == tlsHashOIDMap[i].oid) {
4495 return tlsHashOIDMap[i].tlsHash;
4501 /* ssl3_TLSSignatureAlgorithmForKeyType returns the TLS 1.2 signature algorithm
4502 * identifier for a given KeyType. */
4504 ssl3_TLSSignatureAlgorithmForKeyType(KeyType keyType,
4505 TLSSignatureAlgorithm *out)
4515 *out = tls_sig_ecdsa;
4518 PORT_SetError(SEC_ERROR_INVALID_KEY);
4523 /* ssl3_TLSSignatureAlgorithmForCertificate returns the TLS 1.2 signature
4524 * algorithm identifier for the given certificate. */
4526 ssl3_TLSSignatureAlgorithmForCertificate(CERTCertificate *cert,
4527 TLSSignatureAlgorithm *out)
4529 SECKEYPublicKey *key;
4532 key = CERT_ExtractPublicKey(cert);
4534 ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
4538 keyType = key->keyType;
4539 SECKEY_DestroyPublicKey(key);
4540 return ssl3_TLSSignatureAlgorithmForKeyType(keyType, out);
4543 /* ssl3_CheckSignatureAndHashAlgorithmConsistency checks that the signature
4544 * algorithm identifier in |sigAndHash| is consistent with the public key in
4545 * |cert|. If so, SECSuccess is returned. Otherwise, PORT_SetError is called
4546 * and SECFailure is returned. */
4548 ssl3_CheckSignatureAndHashAlgorithmConsistency(
4549 const SSL3SignatureAndHashAlgorithm *sigAndHash, CERTCertificate* cert)
4552 TLSSignatureAlgorithm sigAlg;
4554 rv = ssl3_TLSSignatureAlgorithmForCertificate(cert, &sigAlg);
4555 if (rv != SECSuccess) {
4558 if (sigAlg != sigAndHash->sigAlg) {
4559 PORT_SetError(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM);
4565 /* ssl3_ConsumeSignatureAndHashAlgorithm reads a SignatureAndHashAlgorithm
4566 * structure from |b| and puts the resulting value into |out|. |b| and |length|
4567 * are updated accordingly.
4569 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
4571 ssl3_ConsumeSignatureAndHashAlgorithm(sslSocket *ss,
4574 SSL3SignatureAndHashAlgorithm *out)
4576 unsigned char bytes[2];
4579 rv = ssl3_ConsumeHandshake(ss, bytes, sizeof(bytes), b, length);
4580 if (rv != SECSuccess) {
4584 out->hashAlg = ssl3_TLSHashAlgorithmToOID(bytes[0]);
4585 if (out->hashAlg == SEC_OID_UNKNOWN) {
4586 PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
4590 out->sigAlg = bytes[1];
4594 /**************************************************************************
4595 * end of Consume Handshake functions.
4596 **************************************************************************/
4598 /* Extract the hashes of handshake messages to this point.
4599 * Called from ssl3_SendCertificateVerify
4601 * ssl3_HandleHandshakeMessage
4603 * Caller must hold the SSL3HandshakeLock.
4604 * Caller must hold a read or write lock on the Spec R/W lock.
4605 * (There is presently no way to assert on a Read lock.)
4608 ssl3_ComputeHandshakeHashes(sslSocket * ss,
4609 ssl3CipherSpec *spec, /* uses ->master_secret */
4610 SSL3Hashes * hashes, /* output goes here. */
4613 SECStatus rv = SECSuccess;
4614 PRBool isTLS = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0);
4615 unsigned int outLength;
4616 SSL3Opaque md5_inner[MAX_MAC_LENGTH];
4617 SSL3Opaque sha_inner[MAX_MAC_LENGTH];
4619 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
4620 hashes->hashAlg = SEC_OID_UNKNOWN;
4622 #ifndef NO_PKCS11_BYPASS
4623 if (ss->opt.bypassPKCS11 &&
4624 ss->ssl3.hs.hashType == handshake_hash_single) {
4625 /* compute them without PKCS11 */
4626 PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS];
4628 if (!spec->msItem.data) {
4629 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
4633 ss->ssl3.hs.sha_clone(sha_cx, ss->ssl3.hs.sha_cx);
4634 ss->ssl3.hs.sha_obj->end(sha_cx, hashes->u.raw, &hashes->len,
4635 sizeof(hashes->u.raw));
4637 PRINT_BUF(60, (NULL, "SHA-256: result", hashes->u.raw, hashes->len));
4639 /* If we ever support ciphersuites where the PRF hash isn't SHA-256
4640 * then this will need to be updated. */
4641 hashes->hashAlg = SEC_OID_SHA256;
4643 } else if (ss->opt.bypassPKCS11) {
4644 /* compute them without PKCS11 */
4645 PRUint64 md5_cx[MAX_MAC_CONTEXT_LLONGS];
4646 PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS];
4648 #define md5cx ((MD5Context *)md5_cx)
4649 #define shacx ((SHA1Context *)sha_cx)
4651 if (!spec->msItem.data) {
4652 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
4656 MD5_Clone (md5cx, (MD5Context *)ss->ssl3.hs.md5_cx);
4657 SHA1_Clone(shacx, (SHA1Context *)ss->ssl3.hs.sha_cx);
4660 /* compute hashes for SSL3. */
4663 s[0] = (unsigned char)(sender >> 24);
4664 s[1] = (unsigned char)(sender >> 16);
4665 s[2] = (unsigned char)(sender >> 8);
4666 s[3] = (unsigned char)sender;
4669 MD5_Update(md5cx, s, 4);
4670 PRINT_BUF(95, (NULL, "MD5 inner: sender", s, 4));
4673 PRINT_BUF(95, (NULL, "MD5 inner: MAC Pad 1", mac_pad_1,
4674 mac_defs[mac_md5].pad_size));
4676 MD5_Update(md5cx, spec->msItem.data, spec->msItem.len);
4677 MD5_Update(md5cx, mac_pad_1, mac_defs[mac_md5].pad_size);
4678 MD5_End(md5cx, md5_inner, &outLength, MD5_LENGTH);
4680 PRINT_BUF(95, (NULL, "MD5 inner: result", md5_inner, outLength));
4683 SHA1_Update(shacx, s, 4);
4684 PRINT_BUF(95, (NULL, "SHA inner: sender", s, 4));
4687 PRINT_BUF(95, (NULL, "SHA inner: MAC Pad 1", mac_pad_1,
4688 mac_defs[mac_sha].pad_size));
4690 SHA1_Update(shacx, spec->msItem.data, spec->msItem.len);
4691 SHA1_Update(shacx, mac_pad_1, mac_defs[mac_sha].pad_size);
4692 SHA1_End(shacx, sha_inner, &outLength, SHA1_LENGTH);
4694 PRINT_BUF(95, (NULL, "SHA inner: result", sha_inner, outLength));
4695 PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2,
4696 mac_defs[mac_md5].pad_size));
4697 PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH));
4700 MD5_Update(md5cx, spec->msItem.data, spec->msItem.len);
4701 MD5_Update(md5cx, mac_pad_2, mac_defs[mac_md5].pad_size);
4702 MD5_Update(md5cx, md5_inner, MD5_LENGTH);
4704 MD5_End(md5cx, hashes->u.s.md5, &outLength, MD5_LENGTH);
4706 PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->u.s.md5, MD5_LENGTH));
4709 PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2,
4710 mac_defs[mac_sha].pad_size));
4711 PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH));
4714 SHA1_Update(shacx, spec->msItem.data, spec->msItem.len);
4715 SHA1_Update(shacx, mac_pad_2, mac_defs[mac_sha].pad_size);
4716 SHA1_Update(shacx, sha_inner, SHA1_LENGTH);
4718 SHA1_End(shacx, hashes->u.s.sha, &outLength, SHA1_LENGTH);
4720 PRINT_BUF(60, (NULL, "SHA outer: result", hashes->u.s.sha, SHA1_LENGTH));
4722 hashes->len = MD5_LENGTH + SHA1_LENGTH;
4728 if (ss->ssl3.hs.hashType == handshake_hash_single) {
4729 /* compute hashes with PKCS11 */
4731 unsigned int stateLen;
4732 unsigned char stackBuf[1024];
4733 unsigned char *stateBuf = NULL;
4735 if (!spec->master_secret) {
4736 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
4740 h = ss->ssl3.hs.sha;
4741 stateBuf = PK11_SaveContextAlloc(h, stackBuf,
4742 sizeof(stackBuf), &stateLen);
4743 if (stateBuf == NULL) {
4744 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
4747 rv |= PK11_DigestFinal(h, hashes->u.raw, &hashes->len,
4748 sizeof(hashes->u.raw));
4749 if (rv != SECSuccess) {
4750 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
4754 /* If we ever support ciphersuites where the PRF hash isn't SHA-256
4755 * then this will need to be updated. */
4756 hashes->hashAlg = SEC_OID_SHA256;
4761 if (PK11_RestoreContext(h, stateBuf, stateLen) != SECSuccess) {
4762 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
4765 if (stateBuf != stackBuf) {
4766 PORT_ZFree(stateBuf, stateLen);
4770 /* compute hashes with PKCS11 */
4772 PK11Context * sha = NULL;
4773 unsigned char *md5StateBuf = NULL;
4774 unsigned char *shaStateBuf = NULL;
4775 unsigned int md5StateLen, shaStateLen;
4776 unsigned char md5StackBuf[256];
4777 unsigned char shaStackBuf[512];
4779 if (!spec->master_secret) {
4780 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
4784 md5StateBuf = PK11_SaveContextAlloc(ss->ssl3.hs.md5, md5StackBuf,
4785 sizeof md5StackBuf, &md5StateLen);
4786 if (md5StateBuf == NULL) {
4787 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
4790 md5 = ss->ssl3.hs.md5;
4792 shaStateBuf = PK11_SaveContextAlloc(ss->ssl3.hs.sha, shaStackBuf,
4793 sizeof shaStackBuf, &shaStateLen);
4794 if (shaStateBuf == NULL) {
4795 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
4798 sha = ss->ssl3.hs.sha;
4801 /* compute hashes for SSL3. */
4804 s[0] = (unsigned char)(sender >> 24);
4805 s[1] = (unsigned char)(sender >> 16);
4806 s[2] = (unsigned char)(sender >> 8);
4807 s[3] = (unsigned char)sender;
4810 rv |= PK11_DigestOp(md5, s, 4);
4811 PRINT_BUF(95, (NULL, "MD5 inner: sender", s, 4));
4814 PRINT_BUF(95, (NULL, "MD5 inner: MAC Pad 1", mac_pad_1,
4815 mac_defs[mac_md5].pad_size));
4817 rv |= PK11_DigestKey(md5,spec->master_secret);
4818 rv |= PK11_DigestOp(md5, mac_pad_1, mac_defs[mac_md5].pad_size);
4819 rv |= PK11_DigestFinal(md5, md5_inner, &outLength, MD5_LENGTH);
4820 PORT_Assert(rv != SECSuccess || outLength == MD5_LENGTH);
4821 if (rv != SECSuccess) {
4822 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
4827 PRINT_BUF(95, (NULL, "MD5 inner: result", md5_inner, outLength));
4830 rv |= PK11_DigestOp(sha, s, 4);
4831 PRINT_BUF(95, (NULL, "SHA inner: sender", s, 4));
4834 PRINT_BUF(95, (NULL, "SHA inner: MAC Pad 1", mac_pad_1,
4835 mac_defs[mac_sha].pad_size));
4837 rv |= PK11_DigestKey(sha, spec->master_secret);
4838 rv |= PK11_DigestOp(sha, mac_pad_1, mac_defs[mac_sha].pad_size);
4839 rv |= PK11_DigestFinal(sha, sha_inner, &outLength, SHA1_LENGTH);
4840 PORT_Assert(rv != SECSuccess || outLength == SHA1_LENGTH);
4841 if (rv != SECSuccess) {
4842 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
4847 PRINT_BUF(95, (NULL, "SHA inner: result", sha_inner, outLength));
4849 PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2,
4850 mac_defs[mac_md5].pad_size));
4851 PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH));
4853 rv |= PK11_DigestBegin(md5);
4854 rv |= PK11_DigestKey(md5, spec->master_secret);
4855 rv |= PK11_DigestOp(md5, mac_pad_2, mac_defs[mac_md5].pad_size);
4856 rv |= PK11_DigestOp(md5, md5_inner, MD5_LENGTH);
4858 rv |= PK11_DigestFinal(md5, hashes->u.s.md5, &outLength, MD5_LENGTH);
4859 PORT_Assert(rv != SECSuccess || outLength == MD5_LENGTH);
4860 if (rv != SECSuccess) {
4861 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
4866 PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->u.s.md5, MD5_LENGTH));
4869 PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2,
4870 mac_defs[mac_sha].pad_size));
4871 PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH));
4873 rv |= PK11_DigestBegin(sha);
4874 rv |= PK11_DigestKey(sha,spec->master_secret);
4875 rv |= PK11_DigestOp(sha, mac_pad_2, mac_defs[mac_sha].pad_size);
4876 rv |= PK11_DigestOp(sha, sha_inner, SHA1_LENGTH);
4878 rv |= PK11_DigestFinal(sha, hashes->u.s.sha, &outLength, SHA1_LENGTH);
4879 PORT_Assert(rv != SECSuccess || outLength == SHA1_LENGTH);
4880 if (rv != SECSuccess) {
4881 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
4886 PRINT_BUF(60, (NULL, "SHA outer: result", hashes->u.s.sha, SHA1_LENGTH));
4888 hashes->len = MD5_LENGTH + SHA1_LENGTH;
4893 if (PK11_RestoreContext(ss->ssl3.hs.md5, md5StateBuf, md5StateLen)
4896 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
4899 if (md5StateBuf != md5StackBuf) {
4900 PORT_ZFree(md5StateBuf, md5StateLen);
4904 if (PK11_RestoreContext(ss->ssl3.hs.sha, shaStateBuf, shaStateLen)
4907 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
4910 if (shaStateBuf != shaStackBuf) {
4911 PORT_ZFree(shaStateBuf, shaStateLen);
4919 ssl3_ComputeBackupHandshakeHashes(sslSocket * ss,
4920 SSL3Hashes * hashes) /* output goes here. */
4922 SECStatus rv = SECSuccess;
4924 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
4925 PORT_Assert( !ss->sec.isServer );
4926 PORT_Assert( ss->ssl3.hs.hashType == handshake_hash_single );
4928 rv = PK11_DigestFinal(ss->ssl3.hs.backupHash, hashes->u.raw, &hashes->len,
4929 sizeof(hashes->u.raw));
4930 if (rv != SECSuccess) {
4931 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
4935 hashes->hashAlg = SEC_OID_SHA1;
4938 PK11_DestroyContext(ss->ssl3.hs.backupHash, PR_TRUE);
4939 ss->ssl3.hs.backupHash = NULL;
4944 * SSL 2 based implementations pass in the initial outbound buffer
4945 * so that the handshake hash can contain the included information.
4947 * Called from ssl2_BeginClientHandshake() in sslcon.c
4950 ssl3_StartHandshakeHash(sslSocket *ss, unsigned char * buf, int length)
4954 ssl_GetSSL3HandshakeLock(ss); /**************************************/
4956 rv = ssl3_InitState(ss);
4957 if (rv != SECSuccess) {
4958 goto done; /* ssl3_InitState has set the error code. */
4960 rv = ssl3_RestartHandshakeHashes(ss);
4961 if (rv != SECSuccess) {
4965 PORT_Memset(&ss->ssl3.hs.client_random, 0, SSL3_RANDOM_LENGTH);
4967 &ss->ssl3.hs.client_random.rand[SSL3_RANDOM_LENGTH - SSL_CHALLENGE_BYTES],
4968 &ss->sec.ci.clientChallenge,
4969 SSL_CHALLENGE_BYTES);
4971 rv = ssl3_UpdateHandshakeHashes(ss, buf, length);
4972 /* if it failed, ssl3_UpdateHandshakeHashes has set the error code. */
4975 ssl_ReleaseSSL3HandshakeLock(ss); /**************************************/
4979 /**************************************************************************
4980 * end of Handshake Hash functions.
4981 * Begin Send and Handle functions for handshakes.
4982 **************************************************************************/
4984 /* Called from ssl3_HandleHelloRequest(),
4985 * ssl3_RedoHandshake()
4986 * ssl2_BeginClientHandshake (when resuming ssl3 session)
4987 * dtls_HandleHelloVerifyRequest(with resending=PR_TRUE)
4990 ssl3_SendClientHello(sslSocket *ss, PRBool resending)
4993 ssl3CipherSpec * cwSpec;
4998 int actual_count = 0;
4999 PRBool isTLS = PR_FALSE;
5000 PRBool requestingResume = PR_FALSE, fallbackSCSV = PR_FALSE;
5001 PRInt32 total_exten_len = 0;
5002 unsigned paddingExtensionLen;
5003 unsigned numCompressionMethods;
5006 SSL_TRC(3, ("%d: SSL3[%d]: send client_hello handshake", SSL_GETPID(),
5009 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
5010 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
5012 rv = ssl3_InitState(ss);
5013 if (rv != SECSuccess) {
5014 return rv; /* ssl3_InitState has set the error code. */
5016 ss->ssl3.hs.sendingSCSV = PR_FALSE; /* Must be reset every handshake */
5017 PORT_Assert(IS_DTLS(ss) || !resending);
5019 SECITEM_FreeItem(&ss->ssl3.hs.newSessionTicket.ticket, PR_FALSE);
5020 ss->ssl3.hs.receivedNewSessionTicket = PR_FALSE;
5022 /* We might be starting a session renegotiation in which case we should
5023 * clear previous state.
5025 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
5027 rv = ssl3_RestartHandshakeHashes(ss);
5028 if (rv != SECSuccess) {
5033 * During a renegotiation, ss->clientHelloVersion will be used again to
5034 * work around a Windows SChannel bug. Ensure that it is still enabled.
5036 if (ss->firstHsDone) {
5037 if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
5038 PORT_SetError(SSL_ERROR_SSL_DISABLED);
5042 if (ss->clientHelloVersion < ss->vrange.min ||
5043 ss->clientHelloVersion > ss->vrange.max) {
5044 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
5049 /* We ignore ss->sec.ci.sid here, and use ssl_Lookup because Lookup
5050 * handles expired entries and other details.
5051 * XXX If we've been called from ssl2_BeginClientHandshake, then
5052 * this lookup is duplicative and wasteful.
5054 sid = (ss->opt.noCache) ? NULL
5055 : ssl_LookupSID(&ss->sec.ci.peer, ss->sec.ci.port, ss->peerID, ss->url);
5057 /* We can't resume based on a different token. If the sid exists,
5058 * make sure the token that holds the master secret still exists ...
5059 * If we previously did client-auth, make sure that the token that holds
5060 * the private key still exists, is logged in, hasn't been removed, etc.
5063 PRBool sidOK = PR_TRUE;
5064 if (sid->u.ssl3.keys.msIsWrapped) {
5065 /* Session key was wrapped, which means it was using PKCS11, */
5066 PK11SlotInfo *slot = NULL;
5067 if (sid->u.ssl3.masterValid && !ss->opt.bypassPKCS11) {
5068 slot = SECMOD_LookupSlot(sid->u.ssl3.masterModuleID,
5069 sid->u.ssl3.masterSlotID);
5074 PK11SymKey *wrapKey = NULL;
5075 if (!PK11_IsPresent(slot) ||
5076 ((wrapKey = PK11_GetWrapKey(slot,
5077 sid->u.ssl3.masterWrapIndex,
5078 sid->u.ssl3.masterWrapMech,
5079 sid->u.ssl3.masterWrapSeries,
5080 ss->pkcs11PinArg)) == NULL) ) {
5083 if (wrapKey) PK11_FreeSymKey(wrapKey);
5084 PK11_FreeSlot(slot);
5088 /* If we previously did client-auth, make sure that the token that
5089 ** holds the private key still exists, is logged in, hasn't been
5092 if (sidOK && !ssl3_ClientAuthTokenPresent(sid)) {
5096 /* TLS 1.0 (RFC 2246) Appendix E says:
5097 * Whenever a client already knows the highest protocol known to
5098 * a server (for example, when resuming a session), it should
5099 * initiate the connection in that native protocol.
5100 * So we pass sid->version to ssl3_NegotiateVersion() here, except
5101 * when renegotiating.
5103 * Windows SChannel compares the client_version inside the RSA
5104 * EncryptedPreMasterSecret of a renegotiation with the
5105 * client_version of the initial ClientHello rather than the
5106 * ClientHello in the renegotiation. To work around this bug, we
5107 * continue to use the client_version used in the initial
5108 * ClientHello when renegotiating.
5111 if (ss->firstHsDone) {
5113 * The client_version of the initial ClientHello is still
5114 * available in ss->clientHelloVersion. Ensure that
5115 * sid->version is bounded within
5116 * [ss->vrange.min, ss->clientHelloVersion], otherwise we
5119 if (sid->version >= ss->vrange.min &&
5120 sid->version <= ss->clientHelloVersion) {
5121 ss->version = ss->clientHelloVersion;
5126 if (ssl3_NegotiateVersion(ss, sid->version,
5127 PR_FALSE) != SECSuccess) {
5134 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_not_ok );
5135 if (ss->sec.uncache)
5136 (*ss->sec.uncache)(sid);
5143 requestingResume = PR_TRUE;
5144 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_hits );
5146 PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl3.sessionID,
5147 sid->u.ssl3.sessionIDLength));
5149 ss->ssl3.policy = sid->u.ssl3.policy;
5151 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_misses );
5154 * Windows SChannel compares the client_version inside the RSA
5155 * EncryptedPreMasterSecret of a renegotiation with the
5156 * client_version of the initial ClientHello rather than the
5157 * ClientHello in the renegotiation. To work around this bug, we
5158 * continue to use the client_version used in the initial
5159 * ClientHello when renegotiating.
5161 if (ss->firstHsDone) {
5162 ss->version = ss->clientHelloVersion;
5164 rv = ssl3_NegotiateVersion(ss, SSL_LIBRARY_VERSION_MAX_SUPPORTED,
5166 if (rv != SECSuccess)
5167 return rv; /* error code was set */
5170 sid = ssl3_NewSessionID(ss, PR_FALSE);
5172 return SECFailure; /* memory error is set */
5176 isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0);
5177 ssl_GetSpecWriteLock(ss);
5178 cwSpec = ss->ssl3.cwSpec;
5179 if (cwSpec->mac_def->mac == mac_null) {
5180 /* SSL records are not being MACed. */
5181 cwSpec->version = ss->version;
5183 ssl_ReleaseSpecWriteLock(ss);
5185 if (ss->sec.ci.sid != NULL) {
5186 ssl_FreeSID(ss->sec.ci.sid); /* decrement ref count, free if zero */
5188 ss->sec.ci.sid = sid;
5190 ss->sec.send = ssl3_SendApplicationData;
5192 /* shouldn't get here if SSL3 is disabled, but ... */
5193 if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
5194 PR_NOT_REACHED("No versions of SSL 3.0 or later are enabled");
5195 PORT_SetError(SSL_ERROR_SSL_DISABLED);
5199 /* how many suites does our PKCS11 support (regardless of policy)? */
5200 num_suites = ssl3_config_match_init(ss);
5202 return SECFailure; /* ssl3_config_match_init has set error code. */
5204 /* HACK for SCSV in SSL 3.0. On initial handshake, prepend SCSV,
5205 * only if TLS is disabled.
5207 if (!ss->firstHsDone && !isTLS) {
5208 /* Must set this before calling Hello Extension Senders,
5209 * to suppress sending of empty RI extension.
5211 ss->ssl3.hs.sendingSCSV = PR_TRUE;
5214 /* When we attempt session resumption (only), we must lock the sid to
5215 * prevent races with other resumption connections that receive a
5216 * NewSessionTicket that will cause the ticket in the sid to be replaced.
5217 * Once we've copied the session ticket into our ClientHello message, it
5218 * is OK for the ticket to change, so we just need to make sure we hold
5219 * the lock across the calls to ssl3_CallHelloExtensionSenders.
5221 if (sid->u.ssl3.lock) {
5222 NSSRWLock_LockRead(sid->u.ssl3.lock);
5225 if (isTLS || (ss->firstHsDone && ss->peerRequestedProtection)) {
5226 PRUint32 maxBytes = 65535; /* 2^16 - 1 */
5229 extLen = ssl3_CallHelloExtensionSenders(ss, PR_FALSE, maxBytes, NULL);
5231 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5235 total_exten_len += extLen;
5237 if (total_exten_len > 0)
5238 total_exten_len += 2;
5241 #if defined(NSS_ENABLE_ECC)
5242 if (!total_exten_len || !isTLS) {
5243 /* not sending the elliptic_curves and ec_point_formats extensions */
5244 ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */
5249 ssl3_DisableNonDTLSSuites(ss);
5252 if (!ssl3_HasGCMSupport()) {
5253 ssl3_DisableGCMSuites(ss);
5256 /* how many suites are permitted by policy and user preference? */
5257 num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE);
5259 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5260 return SECFailure; /* count_cipher_suites has set error code. */
5263 fallbackSCSV = ss->opt.enableFallbackSCSV && (!requestingResume ||
5264 ss->version < sid->version);
5265 /* make room for SCSV */
5266 if (ss->ssl3.hs.sendingSCSV) {
5273 /* count compression methods */
5274 numCompressionMethods = 0;
5275 for (i = 0; i < compressionMethodsCount; i++) {
5276 if (compressionEnabled(ss, compressions[i]))
5277 numCompressionMethods++;
5280 length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH +
5281 1 + ((sid == NULL) ? 0 : sid->u.ssl3.sessionIDLength) +
5282 2 + num_suites*sizeof(ssl3CipherSuite) +
5283 1 + numCompressionMethods + total_exten_len;
5285 length += 1 + ss->ssl3.hs.cookieLen;
5288 /* A padding extension may be included to ensure that the record containing
5289 * the ClientHello doesn't have a length between 256 and 511 bytes
5290 * (inclusive). Initial, ClientHello records with such lengths trigger bugs
5293 * This is not done for DTLS nor for renegotiation. */
5294 if (!IS_DTLS(ss) && isTLS && !ss->firstHsDone) {
5295 paddingExtensionLen = ssl3_CalculatePaddingExtensionLength(length);
5296 total_exten_len += paddingExtensionLen;
5297 length += paddingExtensionLen;
5299 paddingExtensionLen = 0;
5302 rv = ssl3_AppendHandshakeHeader(ss, client_hello, length);
5303 if (rv != SECSuccess) {
5304 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5305 return rv; /* err set by ssl3_AppendHandshake* */
5308 if (ss->firstHsDone) {
5309 /* The client hello version must stay unchanged to work around
5310 * the Windows SChannel bug described above. */
5311 PORT_Assert(ss->version == ss->clientHelloVersion);
5313 ss->clientHelloVersion = ss->version;
5317 version = dtls_TLSVersionToDTLSVersion(ss->clientHelloVersion);
5318 rv = ssl3_AppendHandshakeNumber(ss, version, 2);
5320 rv = ssl3_AppendHandshakeNumber(ss, ss->clientHelloVersion, 2);
5322 if (rv != SECSuccess) {
5323 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5324 return rv; /* err set by ssl3_AppendHandshake* */
5327 if (!resending) { /* Don't re-generate if we are in DTLS re-sending mode */
5328 rv = ssl3_GetNewRandom(&ss->ssl3.hs.client_random);
5329 if (rv != SECSuccess) {
5330 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5331 return rv; /* err set by GetNewRandom. */
5334 rv = ssl3_AppendHandshake(ss, &ss->ssl3.hs.client_random,
5335 SSL3_RANDOM_LENGTH);
5336 if (rv != SECSuccess) {
5337 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5338 return rv; /* err set by ssl3_AppendHandshake* */
5342 rv = ssl3_AppendHandshakeVariable(
5343 ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1);
5345 rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
5346 if (rv != SECSuccess) {
5347 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5348 return rv; /* err set by ssl3_AppendHandshake* */
5352 rv = ssl3_AppendHandshakeVariable(
5353 ss, ss->ssl3.hs.cookie, ss->ssl3.hs.cookieLen, 1);
5354 if (rv != SECSuccess) {
5355 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5356 return rv; /* err set by ssl3_AppendHandshake* */
5360 rv = ssl3_AppendHandshakeNumber(ss, num_suites*sizeof(ssl3CipherSuite), 2);
5361 if (rv != SECSuccess) {
5362 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5363 return rv; /* err set by ssl3_AppendHandshake* */
5366 if (ss->ssl3.hs.sendingSCSV) {
5367 /* Add the actual SCSV */
5368 rv = ssl3_AppendHandshakeNumber(ss, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
5369 sizeof(ssl3CipherSuite));
5370 if (rv != SECSuccess) {
5371 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5372 return rv; /* err set by ssl3_AppendHandshake* */
5377 rv = ssl3_AppendHandshakeNumber(ss, TLS_FALLBACK_SCSV,
5378 sizeof(ssl3CipherSuite));
5379 if (rv != SECSuccess) {
5380 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5381 return rv; /* err set by ssl3_AppendHandshake* */
5385 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
5386 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
5387 if (config_match(suite, ss->ssl3.policy, PR_TRUE, &ss->vrange)) {
5389 if (actual_count > num_suites) {
5390 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5391 /* set error card removal/insertion error */
5392 PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
5395 rv = ssl3_AppendHandshakeNumber(ss, suite->cipher_suite,
5396 sizeof(ssl3CipherSuite));
5397 if (rv != SECSuccess) {
5398 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5399 return rv; /* err set by ssl3_AppendHandshake* */
5404 /* if cards were removed or inserted between count_cipher_suites and
5405 * generating our list, detect the error here rather than send it off to
5407 if (actual_count != num_suites) {
5408 /* Card removal/insertion error */
5409 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5410 PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
5414 rv = ssl3_AppendHandshakeNumber(ss, numCompressionMethods, 1);
5415 if (rv != SECSuccess) {
5416 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5417 return rv; /* err set by ssl3_AppendHandshake* */
5419 for (i = 0; i < compressionMethodsCount; i++) {
5420 if (!compressionEnabled(ss, compressions[i]))
5422 rv = ssl3_AppendHandshakeNumber(ss, compressions[i], 1);
5423 if (rv != SECSuccess) {
5424 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5425 return rv; /* err set by ssl3_AppendHandshake* */
5429 if (total_exten_len) {
5430 PRUint32 maxBytes = total_exten_len - 2;
5433 rv = ssl3_AppendHandshakeNumber(ss, maxBytes, 2);
5434 if (rv != SECSuccess) {
5435 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5436 return rv; /* err set by AppendHandshake. */
5439 extLen = ssl3_CallHelloExtensionSenders(ss, PR_TRUE, maxBytes, NULL);
5441 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5446 extLen = ssl3_AppendPaddingExtension(ss, paddingExtensionLen, maxBytes);
5448 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5453 PORT_Assert(!maxBytes);
5456 if (sid->u.ssl3.lock) {
5457 NSSRWLock_UnlockRead(sid->u.ssl3.lock);
5460 if (ss->xtnData.sentSessionTicketInClientHello) {
5461 SSL_AtomicIncrementLong(&ssl3stats.sch_sid_stateless_resumes);
5464 if (ss->ssl3.hs.sendingSCSV) {
5465 /* Since we sent the SCSV, pretend we sent empty RI extension. */
5466 TLSExtensionData *xtnData = &ss->xtnData;
5467 xtnData->advertised[xtnData->numAdvertised++] =
5468 ssl_renegotiation_info_xtn;
5472 if (!ss->firstHsDone && !IS_DTLS(ss)) {
5473 flags |= ssl_SEND_FLAG_CAP_RECORD_VERSION;
5475 rv = ssl3_FlushHandshake(ss, flags);
5476 if (rv != SECSuccess) {
5477 return rv; /* error code set by ssl3_FlushHandshake */
5480 ss->ssl3.hs.ws = wait_server_hello;
5485 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
5486 * ssl3 Hello Request.
5487 * Caller must hold Handshake and RecvBuf locks.
5490 ssl3_HandleHelloRequest(sslSocket *ss)
5492 sslSessionID *sid = ss->sec.ci.sid;
5495 SSL_TRC(3, ("%d: SSL3[%d]: handle hello_request handshake",
5496 SSL_GETPID(), ss->fd));
5498 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
5499 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
5501 if (ss->ssl3.hs.ws == wait_server_hello)
5503 if (ss->ssl3.hs.ws != idle_handshake || ss->sec.isServer) {
5504 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
5505 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST);
5508 if (ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) {
5509 ssl_GetXmitBufLock(ss);
5510 rv = SSL3_SendAlert(ss, alert_warning, no_renegotiation);
5511 ssl_ReleaseXmitBufLock(ss);
5512 PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED);
5517 if (ss->sec.uncache)
5518 ss->sec.uncache(sid);
5520 ss->sec.ci.sid = NULL;
5524 dtls_RehandshakeCleanup(ss);
5527 ssl_GetXmitBufLock(ss);
5528 rv = ssl3_SendClientHello(ss, PR_FALSE);
5529 ssl_ReleaseXmitBufLock(ss);
5534 #define UNKNOWN_WRAP_MECHANISM 0x7fffffff
5536 static const CK_MECHANISM_TYPE wrapMechanismList[SSL_NUM_WRAP_MECHS] = {
5552 UNKNOWN_WRAP_MECHANISM
5556 ssl_FindIndexByWrapMechanism(CK_MECHANISM_TYPE mech)
5558 const CK_MECHANISM_TYPE *pMech = wrapMechanismList;
5560 while (mech != *pMech && *pMech != UNKNOWN_WRAP_MECHANISM) {
5563 return (*pMech == UNKNOWN_WRAP_MECHANISM) ? -1
5564 : (pMech - wrapMechanismList);
5568 ssl_UnwrapSymWrappingKey(
5569 SSLWrappedSymWrappingKey *pWswk,
5570 SECKEYPrivateKey * svrPrivKey,
5571 SSL3KEAType exchKeyType,
5572 CK_MECHANISM_TYPE masterWrapMech,
5575 PK11SymKey * unwrappedWrappingKey = NULL;
5577 #ifdef NSS_ENABLE_ECC
5579 SECKEYPublicKey pubWrapKey;
5580 ECCWrappedKeyInfo *ecWrapped;
5581 #endif /* NSS_ENABLE_ECC */
5583 /* found the wrapping key on disk. */
5584 PORT_Assert(pWswk->symWrapMechanism == masterWrapMech);
5585 PORT_Assert(pWswk->exchKeyType == exchKeyType);
5586 if (pWswk->symWrapMechanism != masterWrapMech ||
5587 pWswk->exchKeyType != exchKeyType) {
5590 wrappedKey.type = siBuffer;
5591 wrappedKey.data = pWswk->wrappedSymmetricWrappingkey;
5592 wrappedKey.len = pWswk->wrappedSymKeyLen;
5593 PORT_Assert(wrappedKey.len <= sizeof pWswk->wrappedSymmetricWrappingkey);
5595 switch (exchKeyType) {
5598 unwrappedWrappingKey =
5599 PK11_PubUnwrapSymKey(svrPrivKey, &wrappedKey,
5600 masterWrapMech, CKA_UNWRAP, 0);
5603 #ifdef NSS_ENABLE_ECC
5606 * For kt_ecdh, we first create an EC public key based on
5607 * data stored with the wrappedSymmetricWrappingkey. Next,
5608 * we do an ECDH computation involving this public key and
5609 * the SSL server's (long-term) EC private key. The resulting
5610 * shared secret is treated the same way as Fortezza's Ks, i.e.,
5611 * it is used to recover the symmetric wrapping key.
5613 * The data in wrappedSymmetricWrappingkey is laid out as defined
5614 * in the ECCWrappedKeyInfo structure.
5616 ecWrapped = (ECCWrappedKeyInfo *) pWswk->wrappedSymmetricWrappingkey;
5618 PORT_Assert(ecWrapped->encodedParamLen + ecWrapped->pubValueLen +
5619 ecWrapped->wrappedKeyLen <= MAX_EC_WRAPPED_KEY_BUFLEN);
5621 if (ecWrapped->encodedParamLen + ecWrapped->pubValueLen +
5622 ecWrapped->wrappedKeyLen > MAX_EC_WRAPPED_KEY_BUFLEN) {
5623 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
5627 pubWrapKey.keyType = ecKey;
5628 pubWrapKey.u.ec.size = ecWrapped->size;
5629 pubWrapKey.u.ec.DEREncodedParams.len = ecWrapped->encodedParamLen;
5630 pubWrapKey.u.ec.DEREncodedParams.data = ecWrapped->var;
5631 pubWrapKey.u.ec.publicValue.len = ecWrapped->pubValueLen;
5632 pubWrapKey.u.ec.publicValue.data = ecWrapped->var +
5633 ecWrapped->encodedParamLen;
5635 wrappedKey.len = ecWrapped->wrappedKeyLen;
5636 wrappedKey.data = ecWrapped->var + ecWrapped->encodedParamLen +
5637 ecWrapped->pubValueLen;
5639 /* Derive Ks using ECDH */
5640 Ks = PK11_PubDeriveWithKDF(svrPrivKey, &pubWrapKey, PR_FALSE, NULL,
5641 NULL, CKM_ECDH1_DERIVE, masterWrapMech,
5642 CKA_DERIVE, 0, CKD_NULL, NULL, NULL);
5647 /* Use Ks to unwrap the wrapping key */
5648 unwrappedWrappingKey = PK11_UnwrapSymKey(Ks, masterWrapMech, NULL,
5649 &wrappedKey, masterWrapMech,
5651 PK11_FreeSymKey(Ks);
5662 return unwrappedWrappingKey;
5665 /* Each process sharing the server session ID cache has its own array of
5666 * SymKey pointers for the symmetric wrapping keys that are used to wrap
5667 * the master secrets. There is one key for each KEA type. These Symkeys
5668 * correspond to the wrapped SymKeys kept in the server session cache.
5672 PK11SymKey * symWrapKey[kt_kea_size];
5675 static PZLock * symWrapKeysLock = NULL;
5676 static ssl3SymWrapKey symWrapKeys[SSL_NUM_WRAP_MECHS];
5678 SECStatus ssl_FreeSymWrapKeysLock(void)
5680 if (symWrapKeysLock) {
5681 PZ_DestroyLock(symWrapKeysLock);
5682 symWrapKeysLock = NULL;
5685 PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
5690 SSL3_ShutdownServerCache(void)
5694 if (!symWrapKeysLock)
5695 return SECSuccess; /* lock was never initialized */
5696 PZ_Lock(symWrapKeysLock);
5697 /* get rid of all symWrapKeys */
5698 for (i = 0; i < SSL_NUM_WRAP_MECHS; ++i) {
5699 for (j = 0; j < kt_kea_size; ++j) {
5700 PK11SymKey ** pSymWrapKey;
5701 pSymWrapKey = &symWrapKeys[i].symWrapKey[j];
5703 PK11_FreeSymKey(*pSymWrapKey);
5704 *pSymWrapKey = NULL;
5709 PZ_Unlock(symWrapKeysLock);
5713 SECStatus ssl_InitSymWrapKeysLock(void)
5715 symWrapKeysLock = PZ_NewLock(nssILockOther);
5716 return symWrapKeysLock ? SECSuccess : SECFailure;
5719 /* Try to get wrapping key for mechanism from in-memory array.
5720 * If that fails, look for one on disk.
5721 * If that fails, generate a new one, put the new one on disk,
5722 * Put the new key in the in-memory array.
5725 getWrappingKey( sslSocket * ss,
5726 PK11SlotInfo * masterSecretSlot,
5727 SSL3KEAType exchKeyType,
5728 CK_MECHANISM_TYPE masterWrapMech,
5731 SECKEYPrivateKey * svrPrivKey;
5732 SECKEYPublicKey * svrPubKey = NULL;
5733 PK11SymKey * unwrappedWrappingKey = NULL;
5734 PK11SymKey ** pSymWrapKey;
5735 CK_MECHANISM_TYPE asymWrapMechanism = CKM_INVALID_MECHANISM;
5737 int symWrapMechIndex;
5740 SSLWrappedSymWrappingKey wswk;
5741 #ifdef NSS_ENABLE_ECC
5742 PK11SymKey * Ks = NULL;
5743 SECKEYPublicKey *pubWrapKey = NULL;
5744 SECKEYPrivateKey *privWrapKey = NULL;
5745 ECCWrappedKeyInfo *ecWrapped;
5746 #endif /* NSS_ENABLE_ECC */
5748 svrPrivKey = ss->serverCerts[exchKeyType].SERVERKEY;
5749 PORT_Assert(svrPrivKey != NULL);
5751 return NULL; /* why are we here?!? */
5754 symWrapMechIndex = ssl_FindIndexByWrapMechanism(masterWrapMech);
5755 PORT_Assert(symWrapMechIndex >= 0);
5756 if (symWrapMechIndex < 0)
5757 return NULL; /* invalid masterWrapMech. */
5759 pSymWrapKey = &symWrapKeys[symWrapMechIndex].symWrapKey[exchKeyType];
5761 ssl_InitSessionCacheLocks();
5763 PZ_Lock(symWrapKeysLock);
5765 unwrappedWrappingKey = *pSymWrapKey;
5766 if (unwrappedWrappingKey != NULL) {
5767 if (PK11_VerifyKeyOK(unwrappedWrappingKey)) {
5768 unwrappedWrappingKey = PK11_ReferenceSymKey(unwrappedWrappingKey);
5771 /* slot series has changed, so this key is no good any more. */
5772 PK11_FreeSymKey(unwrappedWrappingKey);
5773 *pSymWrapKey = unwrappedWrappingKey = NULL;
5776 /* Try to get wrapped SymWrapping key out of the (disk) cache. */
5777 /* Following call fills in wswk on success. */
5778 if (ssl_GetWrappingKey(symWrapMechIndex, exchKeyType, &wswk)) {
5779 /* found the wrapped sym wrapping key on disk. */
5780 unwrappedWrappingKey =
5781 ssl_UnwrapSymWrappingKey(&wswk, svrPrivKey, exchKeyType,
5782 masterWrapMech, pwArg);
5783 if (unwrappedWrappingKey) {
5788 if (!masterSecretSlot) /* caller doesn't want to create a new one. */
5791 length = PK11_GetBestKeyLength(masterSecretSlot, masterWrapMech);
5792 /* Zero length means fixed key length algorithm, or error.
5795 unwrappedWrappingKey = PK11_KeyGen(masterSecretSlot, masterWrapMech, NULL,
5797 if (!unwrappedWrappingKey) {
5801 /* Prepare the buffer to receive the wrappedWrappingKey,
5802 * the symmetric wrapping key wrapped using the server's pub key.
5804 PORT_Memset(&wswk, 0, sizeof wswk); /* eliminate UMRs. */
5806 if (ss->serverCerts[exchKeyType].serverKeyPair) {
5807 svrPubKey = ss->serverCerts[exchKeyType].serverKeyPair->pubKey;
5809 if (svrPubKey == NULL) {
5810 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
5813 wrappedKey.type = siBuffer;
5814 wrappedKey.len = SECKEY_PublicKeyStrength(svrPubKey);
5815 wrappedKey.data = wswk.wrappedSymmetricWrappingkey;
5817 PORT_Assert(wrappedKey.len <= sizeof wswk.wrappedSymmetricWrappingkey);
5818 if (wrappedKey.len > sizeof wswk.wrappedSymmetricWrappingkey)
5821 /* wrap symmetric wrapping key in server's public key. */
5822 switch (exchKeyType) {
5824 asymWrapMechanism = CKM_RSA_PKCS;
5825 rv = PK11_PubWrapSymKey(asymWrapMechanism, svrPubKey,
5826 unwrappedWrappingKey, &wrappedKey);
5829 #ifdef NSS_ENABLE_ECC
5832 * We generate an ephemeral EC key pair. Perform an ECDH
5833 * computation involving this ephemeral EC public key and
5834 * the SSL server's (long-term) EC private key. The resulting
5835 * shared secret is treated in the same way as Fortezza's Ks,
5836 * i.e., it is used to wrap the wrapping key. To facilitate
5837 * unwrapping in ssl_UnwrapWrappingKey, we also store all
5838 * relevant info about the ephemeral EC public key in
5839 * wswk.wrappedSymmetricWrappingkey and lay it out as
5840 * described in the ECCWrappedKeyInfo structure.
5842 PORT_Assert(svrPubKey->keyType == ecKey);
5843 if (svrPubKey->keyType != ecKey) {
5844 /* something is wrong in sslsecur.c if this isn't an ecKey */
5845 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
5850 privWrapKey = SECKEY_CreateECPrivateKey(
5851 &svrPubKey->u.ec.DEREncodedParams, &pubWrapKey, NULL);
5852 if ((privWrapKey == NULL) || (pubWrapKey == NULL)) {
5857 /* Set the key size in bits */
5858 if (pubWrapKey->u.ec.size == 0) {
5859 pubWrapKey->u.ec.size = SECKEY_PublicKeyStrengthInBits(svrPubKey);
5862 PORT_Assert(pubWrapKey->u.ec.DEREncodedParams.len +
5863 pubWrapKey->u.ec.publicValue.len < MAX_EC_WRAPPED_KEY_BUFLEN);
5864 if (pubWrapKey->u.ec.DEREncodedParams.len +
5865 pubWrapKey->u.ec.publicValue.len >= MAX_EC_WRAPPED_KEY_BUFLEN) {
5866 PORT_SetError(SEC_ERROR_INVALID_KEY);
5871 /* Derive Ks using ECDH */
5872 Ks = PK11_PubDeriveWithKDF(svrPrivKey, pubWrapKey, PR_FALSE, NULL,
5873 NULL, CKM_ECDH1_DERIVE, masterWrapMech,
5874 CKA_DERIVE, 0, CKD_NULL, NULL, NULL);
5880 ecWrapped = (ECCWrappedKeyInfo *) (wswk.wrappedSymmetricWrappingkey);
5881 ecWrapped->size = pubWrapKey->u.ec.size;
5882 ecWrapped->encodedParamLen = pubWrapKey->u.ec.DEREncodedParams.len;
5883 PORT_Memcpy(ecWrapped->var, pubWrapKey->u.ec.DEREncodedParams.data,
5884 pubWrapKey->u.ec.DEREncodedParams.len);
5886 ecWrapped->pubValueLen = pubWrapKey->u.ec.publicValue.len;
5887 PORT_Memcpy(ecWrapped->var + ecWrapped->encodedParamLen,
5888 pubWrapKey->u.ec.publicValue.data,
5889 pubWrapKey->u.ec.publicValue.len);
5891 wrappedKey.len = MAX_EC_WRAPPED_KEY_BUFLEN -
5892 (ecWrapped->encodedParamLen + ecWrapped->pubValueLen);
5893 wrappedKey.data = ecWrapped->var + ecWrapped->encodedParamLen +
5894 ecWrapped->pubValueLen;
5896 /* wrap symmetricWrapping key with the local Ks */
5897 rv = PK11_WrapSymKey(masterWrapMech, NULL, Ks,
5898 unwrappedWrappingKey, &wrappedKey);
5900 if (rv != SECSuccess) {
5904 /* Write down the length of wrapped key in the buffer
5905 * wswk.wrappedSymmetricWrappingkey at the appropriate offset
5907 ecWrapped->wrappedKeyLen = wrappedKey.len;
5910 if (privWrapKey) SECKEY_DestroyPrivateKey(privWrapKey);
5911 if (pubWrapKey) SECKEY_DestroyPublicKey(pubWrapKey);
5912 if (Ks) PK11_FreeSymKey(Ks);
5913 asymWrapMechanism = masterWrapMech;
5915 #endif /* NSS_ENABLE_ECC */
5922 if (rv != SECSuccess) {
5923 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
5927 PORT_Assert(asymWrapMechanism != CKM_INVALID_MECHANISM);
5929 wswk.symWrapMechanism = masterWrapMech;
5930 wswk.symWrapMechIndex = symWrapMechIndex;
5931 wswk.asymWrapMechanism = asymWrapMechanism;
5932 wswk.exchKeyType = exchKeyType;
5933 wswk.wrappedSymKeyLen = wrappedKey.len;
5935 /* put it on disk. */
5936 /* If the wrapping key for this KEA type has already been set,
5937 * then abandon the value we just computed and
5938 * use the one we got from the disk.
5940 if (ssl_SetWrappingKey(&wswk)) {
5941 /* somebody beat us to it. The original contents of our wswk
5942 * has been replaced with the content on disk. Now, discard
5943 * the key we just created and unwrap this new one.
5945 PK11_FreeSymKey(unwrappedWrappingKey);
5947 unwrappedWrappingKey =
5948 ssl_UnwrapSymWrappingKey(&wswk, svrPrivKey, exchKeyType,
5949 masterWrapMech, pwArg);
5953 if (unwrappedWrappingKey) {
5954 *pSymWrapKey = PK11_ReferenceSymKey(unwrappedWrappingKey);
5959 PZ_Unlock(symWrapKeysLock);
5960 return unwrappedWrappingKey;
5963 /* hexEncode hex encodes |length| bytes from |in| and writes it as |length*2|
5964 * bytes to |out|. */
5966 hexEncode(char *out, const unsigned char *in, unsigned int length)
5968 static const char hextable[] = "0123456789abcdef";
5971 for (i = 0; i < length; i++) {
5972 *(out++) = hextable[in[i] >> 4];
5973 *(out++) = hextable[in[i] & 15];
5977 /* Called from ssl3_SendClientKeyExchange(). */
5978 /* Presently, this always uses PKCS11. There is no bypass for this. */
5980 sendRSAClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
5982 PK11SymKey * pms = NULL;
5983 SECStatus rv = SECFailure;
5984 SECItem enc_pms = {siBuffer, NULL, 0};
5987 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
5988 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
5990 /* Generate the pre-master secret ... */
5991 ssl_GetSpecWriteLock(ss);
5992 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
5994 pms = ssl3_GenerateRSAPMS(ss, ss->ssl3.pwSpec, NULL);
5995 ssl_ReleaseSpecWriteLock(ss);
5997 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
6001 /* Get the wrapped (encrypted) pre-master secret, enc_pms */
6002 enc_pms.len = SECKEY_PublicKeyStrength(svrPubKey);
6003 enc_pms.data = (unsigned char*)PORT_Alloc(enc_pms.len);
6004 if (enc_pms.data == NULL) {
6005 goto loser; /* err set by PORT_Alloc */
6008 /* wrap pre-master secret in server's public key. */
6009 rv = PK11_PubWrapSymKey(CKM_RSA_PKCS, svrPubKey, pms, &enc_pms);
6010 if (rv != SECSuccess) {
6011 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
6015 if (ssl_keylog_iob) {
6016 SECStatus extractRV = PK11_ExtractKeyValue(pms);
6017 if (extractRV == SECSuccess) {
6018 SECItem * keyData = PK11_GetKeyData(pms);
6019 if (keyData && keyData->data && keyData->len) {
6021 if (ssl_trace >= 100) {
6022 ssl_PrintBuf(ss, "Pre-Master Secret",
6023 keyData->data, keyData->len);
6026 if (ssl_keylog_iob && enc_pms.len >= 8 && keyData->len == 48) {
6027 /* https://developer.mozilla.org/en/NSS_Key_Log_Format */
6029 /* There could be multiple, concurrent writers to the
6030 * keylog, so we have to do everything in a single call to
6032 char buf[4 + 8*2 + 1 + 48*2 + 1];
6034 strcpy(buf, "RSA ");
6035 hexEncode(buf + 4, enc_pms.data, 8);
6037 hexEncode(buf + 21, keyData->data, 48);
6038 buf[sizeof(buf) - 1] = '\n';
6040 fwrite(buf, sizeof(buf), 1, ssl_keylog_iob);
6041 fflush(ssl_keylog_iob);
6047 rv = ssl3_InitPendingCipherSpec(ss, pms);
6048 PK11_FreeSymKey(pms); pms = NULL;
6050 if (rv != SECSuccess) {
6051 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
6055 rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange,
6056 isTLS ? enc_pms.len + 2 : enc_pms.len);
6057 if (rv != SECSuccess) {
6058 goto loser; /* err set by ssl3_AppendHandshake* */
6061 rv = ssl3_AppendHandshakeVariable(ss, enc_pms.data, enc_pms.len, 2);
6063 rv = ssl3_AppendHandshake(ss, enc_pms.data, enc_pms.len);
6065 if (rv != SECSuccess) {
6066 goto loser; /* err set by ssl3_AppendHandshake* */
6072 if (enc_pms.data != NULL) {
6073 PORT_Free(enc_pms.data);
6076 PK11_FreeSymKey(pms);
6081 /* Called from ssl3_SendClientKeyExchange(). */
6082 /* Presently, this always uses PKCS11. There is no bypass for this. */
6084 sendDHClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
6086 PK11SymKey * pms = NULL;
6087 SECStatus rv = SECFailure;
6089 CK_MECHANISM_TYPE target;
6091 SECKEYDHParams dhParam; /* DH parameters */
6092 SECKEYPublicKey *pubKey = NULL; /* Ephemeral DH key */
6093 SECKEYPrivateKey *privKey = NULL; /* Ephemeral DH key */
6095 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
6096 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
6098 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
6100 /* Copy DH parameters from server key */
6102 if (svrPubKey->keyType != dhKey) {
6103 PORT_SetError(SEC_ERROR_BAD_KEY);
6106 dhParam.prime.data = svrPubKey->u.dh.prime.data;
6107 dhParam.prime.len = svrPubKey->u.dh.prime.len;
6108 dhParam.base.data = svrPubKey->u.dh.base.data;
6109 dhParam.base.len = svrPubKey->u.dh.base.len;
6111 /* Generate ephemeral DH keypair */
6112 privKey = SECKEY_CreateDHPrivateKey(&dhParam, &pubKey, NULL);
6113 if (!privKey || !pubKey) {
6114 ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
6118 PRINT_BUF(50, (ss, "DH public value:",
6119 pubKey->u.dh.publicValue.data,
6120 pubKey->u.dh.publicValue.len));
6122 if (isTLS) target = CKM_TLS_MASTER_KEY_DERIVE_DH;
6123 else target = CKM_SSL3_MASTER_KEY_DERIVE_DH;
6125 /* Determine the PMS */
6127 pms = PK11_PubDerive(privKey, svrPubKey, PR_FALSE, NULL, NULL,
6128 CKM_DH_PKCS_DERIVE, target, CKA_DERIVE, 0, NULL);
6131 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
6135 SECKEY_DestroyPrivateKey(privKey);
6138 rv = ssl3_InitPendingCipherSpec(ss, pms);
6139 PK11_FreeSymKey(pms); pms = NULL;
6141 if (rv != SECSuccess) {
6142 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
6146 rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange,
6147 pubKey->u.dh.publicValue.len + 2);
6148 if (rv != SECSuccess) {
6149 goto loser; /* err set by ssl3_AppendHandshake* */
6151 rv = ssl3_AppendHandshakeVariable(ss,
6152 pubKey->u.dh.publicValue.data,
6153 pubKey->u.dh.publicValue.len, 2);
6154 SECKEY_DestroyPublicKey(pubKey);
6157 if (rv != SECSuccess) {
6158 goto loser; /* err set by ssl3_AppendHandshake* */
6166 if(pms) PK11_FreeSymKey(pms);
6167 if(privKey) SECKEY_DestroyPrivateKey(privKey);
6168 if(pubKey) SECKEY_DestroyPublicKey(pubKey);
6176 /* Called from ssl3_HandleServerHelloDone(). */
6178 ssl3_SendClientKeyExchange(sslSocket *ss)
6180 SECKEYPublicKey * serverKey = NULL;
6181 SECStatus rv = SECFailure;
6184 SSL_TRC(3, ("%d: SSL3[%d]: send client_key_exchange handshake",
6185 SSL_GETPID(), ss->fd));
6187 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
6188 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
6190 if (ss->sec.peerKey == NULL) {
6191 serverKey = CERT_ExtractPublicKey(ss->sec.peerCert);
6192 if (serverKey == NULL) {
6193 ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
6197 serverKey = ss->sec.peerKey;
6198 ss->sec.peerKey = NULL; /* we're done with it now */
6201 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
6202 /* enforce limits on kea key sizes. */
6203 if (ss->ssl3.hs.kea_def->is_limited) {
6204 int keyLen = SECKEY_PublicKeyStrength(serverKey); /* bytes */
6206 if (keyLen * BPB > ss->ssl3.hs.kea_def->key_size_limit) {
6208 (void)SSL3_SendAlert(ss, alert_fatal, export_restriction);
6210 (void)ssl3_HandshakeFailure(ss);
6211 PORT_SetError(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED);
6216 ss->sec.keaType = ss->ssl3.hs.kea_def->exchKeyType;
6217 ss->sec.keaKeyBits = SECKEY_PublicKeyStrengthInBits(serverKey);
6219 switch (ss->ssl3.hs.kea_def->exchKeyType) {
6221 rv = sendRSAClientKeyExchange(ss, serverKey);
6225 rv = sendDHClientKeyExchange(ss, serverKey);
6228 #ifdef NSS_ENABLE_ECC
6230 rv = ssl3_SendECDHClientKeyExchange(ss, serverKey);
6232 #endif /* NSS_ENABLE_ECC */
6235 /* got an unknown or unsupported Key Exchange Algorithm. */
6237 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
6241 SSL_TRC(3, ("%d: SSL3[%d]: DONE sending client_key_exchange",
6242 SSL_GETPID(), ss->fd));
6246 SECKEY_DestroyPublicKey(serverKey);
6247 return rv; /* err code already set. */
6250 /* Called from ssl3_HandleServerHelloDone(). */
6252 ssl3_SendCertificateVerify(sslSocket *ss)
6254 SECStatus rv = SECFailure;
6257 SECItem buf = {siBuffer, NULL, 0};
6261 SSL3SignatureAndHashAlgorithm sigAndHash;
6263 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
6264 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
6266 SSL_TRC(3, ("%d: SSL3[%d]: send certificate_verify handshake",
6267 SSL_GETPID(), ss->fd));
6269 ssl_GetSpecReadLock(ss);
6270 if (ss->ssl3.hs.hashType == handshake_hash_single &&
6271 ss->ssl3.hs.backupHash) {
6272 rv = ssl3_ComputeBackupHandshakeHashes(ss, &hashes);
6273 PORT_Assert(!ss->ssl3.hs.backupHash);
6275 rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0);
6277 ssl_ReleaseSpecReadLock(ss);
6278 if (rv != SECSuccess) {
6279 goto done; /* err code was set by ssl3_ComputeHandshakeHashes */
6282 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
6283 isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
6284 if (ss->ssl3.platformClientKey) {
6285 #ifdef NSS_PLATFORM_CLIENT_AUTH
6286 keyType = CERT_GetCertKeyType(
6287 &ss->ssl3.clientCertificate->subjectPublicKeyInfo);
6288 rv = ssl3_PlatformSignHashes(
6289 &hashes, ss->ssl3.platformClientKey, &buf, isTLS, keyType);
6290 ssl_FreePlatformKey(ss->ssl3.platformClientKey);
6291 ss->ssl3.platformClientKey = (PlatformKey)NULL;
6292 #endif /* NSS_PLATFORM_CLIENT_AUTH */
6294 keyType = ss->ssl3.clientPrivateKey->keyType;
6295 rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS);
6296 if (rv == SECSuccess) {
6297 PK11SlotInfo * slot;
6298 sslSessionID * sid = ss->sec.ci.sid;
6300 /* Remember the info about the slot that did the signing.
6301 ** Later, when doing an SSL restart handshake, verify this.
6302 ** These calls are mere accessors, and can't fail.
6304 slot = PK11_GetSlotFromPrivateKey(ss->ssl3.clientPrivateKey);
6305 sid->u.ssl3.clAuthSeries = PK11_GetSlotSeries(slot);
6306 sid->u.ssl3.clAuthSlotID = PK11_GetSlotID(slot);
6307 sid->u.ssl3.clAuthModuleID = PK11_GetModuleID(slot);
6308 sid->u.ssl3.clAuthValid = PR_TRUE;
6309 PK11_FreeSlot(slot);
6311 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
6312 ss->ssl3.clientPrivateKey = NULL;
6314 if (rv != SECSuccess) {
6315 goto done; /* err code was set by ssl3_SignHashes */
6318 len = buf.len + 2 + (isTLS12 ? 2 : 0);
6320 rv = ssl3_AppendHandshakeHeader(ss, certificate_verify, len);
6321 if (rv != SECSuccess) {
6322 goto done; /* error code set by AppendHandshake */
6325 rv = ssl3_TLSSignatureAlgorithmForKeyType(keyType,
6326 &sigAndHash.sigAlg);
6327 if (rv != SECSuccess) {
6330 sigAndHash.hashAlg = hashes.hashAlg;
6332 rv = ssl3_AppendSignatureAndHashAlgorithm(ss, &sigAndHash);
6333 if (rv != SECSuccess) {
6334 goto done; /* err set by AppendHandshake. */
6337 rv = ssl3_AppendHandshakeVariable(ss, buf.data, buf.len, 2);
6338 if (rv != SECSuccess) {
6339 goto done; /* error code set by AppendHandshake */
6344 PORT_Free(buf.data);
6348 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
6349 * ssl3 ServerHello message.
6350 * Caller must hold Handshake and RecvBuf locks.
6353 ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
6355 sslSessionID *sid = ss->sec.ci.sid;
6356 PRInt32 temp; /* allow for consume number failure */
6357 PRBool suite_found = PR_FALSE;
6359 int errCode = SSL_ERROR_RX_MALFORMED_SERVER_HELLO;
6361 SECItem sidBytes = {siBuffer, NULL, 0};
6363 PRBool isTLS = PR_FALSE;
6364 SSL3AlertDescription desc = illegal_parameter;
6365 SSL3ProtocolVersion version;
6367 SSL_TRC(3, ("%d: SSL3[%d]: handle server_hello handshake",
6368 SSL_GETPID(), ss->fd));
6369 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
6370 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
6371 PORT_Assert( ss->ssl3.initialized );
6373 if (ss->ssl3.hs.ws != wait_server_hello) {
6374 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO;
6375 desc = unexpected_message;
6379 /* clean up anything left from previous handshake. */
6380 if (ss->ssl3.clientCertChain != NULL) {
6381 CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
6382 ss->ssl3.clientCertChain = NULL;
6384 if (ss->ssl3.clientCertificate != NULL) {
6385 CERT_DestroyCertificate(ss->ssl3.clientCertificate);
6386 ss->ssl3.clientCertificate = NULL;
6388 if (ss->ssl3.clientPrivateKey != NULL) {
6389 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
6390 ss->ssl3.clientPrivateKey = NULL;
6392 #ifdef NSS_PLATFORM_CLIENT_AUTH
6393 if (ss->ssl3.platformClientKey) {
6394 ssl_FreePlatformKey(ss->ssl3.platformClientKey);
6395 ss->ssl3.platformClientKey = (PlatformKey)NULL;
6397 #endif /* NSS_PLATFORM_CLIENT_AUTH */
6399 if (ss->ssl3.channelID != NULL) {
6400 SECKEY_DestroyPrivateKey(ss->ssl3.channelID);
6401 ss->ssl3.channelID = NULL;
6403 if (ss->ssl3.channelIDPub != NULL) {
6404 SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
6405 ss->ssl3.channelIDPub = NULL;
6408 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
6410 goto loser; /* alert has been sent */
6412 version = (SSL3ProtocolVersion)temp;
6415 /* RFC 4347 required that you verify that the server versions
6416 * match (Section 4.2.1) in the HelloVerifyRequest and the
6419 * RFC 6347 suggests (SHOULD) that servers always use 1.0
6420 * in HelloVerifyRequest and allows the versions not to match,
6421 * especially when 1.2 is being negotiated.
6423 * Therefore we do not check for matching here.
6425 version = dtls_DTLSVersionToTLSVersion(version);
6426 if (version == 0) { /* Insane version number */
6431 rv = ssl3_NegotiateVersion(ss, version, PR_FALSE);
6432 if (rv != SECSuccess) {
6433 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version
6434 : handshake_failure;
6435 errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
6438 isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0);
6440 rv = ssl3_InitHandshakeHashes(ss);
6441 if (rv != SECSuccess) {
6442 desc = internal_error;
6443 errCode = PORT_GetError();
6447 rv = ssl3_ConsumeHandshake(
6448 ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH, &b, &length);
6449 if (rv != SECSuccess) {
6450 goto loser; /* alert has been sent */
6453 rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length);
6454 if (rv != SECSuccess) {
6455 goto loser; /* alert has been sent */
6457 if (sidBytes.len > SSL3_SESSIONID_BYTES) {
6459 desc = decode_error;
6460 goto alert_loser; /* malformed. */
6463 /* find selected cipher suite in our list. */
6464 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
6466 goto loser; /* alert has been sent */
6468 ssl3_config_match_init(ss);
6469 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
6470 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
6471 if (temp == suite->cipher_suite) {
6472 SSLVersionRange vrange = {ss->version, ss->version};
6473 if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) {
6474 /* config_match already checks whether the cipher suite is
6475 * acceptable for the version, but the check is repeated here
6476 * in order to give a more precise error code. */
6477 if (!ssl3_CipherSuiteAllowedForVersionRange(temp, &vrange)) {
6478 desc = handshake_failure;
6479 errCode = SSL_ERROR_CIPHER_DISALLOWED_FOR_VERSION;
6483 break; /* failure */
6486 suite_found = PR_TRUE;
6487 break; /* success */
6491 desc = handshake_failure;
6492 errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
6495 ss->ssl3.hs.cipher_suite = (ssl3CipherSuite)temp;
6496 ss->ssl3.hs.suite_def = ssl_LookupCipherSuiteDef((ssl3CipherSuite)temp);
6497 PORT_Assert(ss->ssl3.hs.suite_def);
6498 if (!ss->ssl3.hs.suite_def) {
6499 PORT_SetError(errCode = SEC_ERROR_LIBRARY_FAILURE);
6500 goto loser; /* we don't send alerts for our screw-ups. */
6503 /* find selected compression method in our list. */
6504 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &b, &length);
6506 goto loser; /* alert has been sent */
6508 suite_found = PR_FALSE;
6509 for (i = 0; i < compressionMethodsCount; i++) {
6510 if (temp == compressions[i]) {
6511 if (!compressionEnabled(ss, compressions[i])) {
6512 break; /* failure */
6514 suite_found = PR_TRUE;
6515 break; /* success */
6519 desc = handshake_failure;
6520 errCode = SSL_ERROR_NO_COMPRESSION_OVERLAP;
6523 ss->ssl3.hs.compression = (SSLCompressionMethod)temp;
6525 /* Note that if !isTLS and the extra stuff is not extensions, we
6526 * do NOT goto alert_loser.
6527 * There are some old SSL 3.0 implementations that do send stuff
6528 * after the end of the server hello, and we deliberately ignore
6529 * such stuff in the interest of maximal interoperability (being
6530 * "generous in what you accept").
6531 * Update: Starting in NSS 3.12.6, we handle the renegotiation_info
6532 * extension in SSL 3.0.
6536 rv = ssl3_ConsumeHandshakeVariable(ss, &extensions, 2, &b, &length);
6537 if (rv != SECSuccess || length != 0) {
6541 rv = ssl3_HandleHelloExtensions(ss, &extensions.data,
6543 if (rv != SECSuccess)
6547 if ((ss->opt.requireSafeNegotiation ||
6548 (ss->firstHsDone && (ss->peerRequestedProtection ||
6549 ss->opt.enableRenegotiation == SSL_RENEGOTIATE_REQUIRES_XTN))) &&
6550 !ssl3_ExtensionNegotiated(ss, ssl_renegotiation_info_xtn)) {
6551 desc = handshake_failure;
6552 errCode = ss->firstHsDone ? SSL_ERROR_RENEGOTIATION_NOT_ALLOWED
6553 : SSL_ERROR_UNSAFE_NEGOTIATION;
6557 /* Any errors after this point are not "malformed" errors. */
6558 desc = handshake_failure;
6560 /* we need to call ssl3_SetupPendingCipherSpec here so we can check the
6561 * key exchange algorithm. */
6562 rv = ssl3_SetupPendingCipherSpec(ss);
6563 if (rv != SECSuccess) {
6564 goto alert_loser; /* error code is set. */
6567 /* We may or may not have sent a session id, we may get one back or
6568 * not and if so it may match the one we sent.
6569 * Attempt to restore the master secret to see if this is so...
6570 * Don't consider failure to find a matching SID an error.
6572 sid_match = (PRBool)(sidBytes.len > 0 &&
6573 sidBytes.len == sid->u.ssl3.sessionIDLength &&
6574 !PORT_Memcmp(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len));
6577 sid->version == ss->version &&
6578 sid->u.ssl3.cipherSuite == ss->ssl3.hs.cipher_suite) do {
6579 ssl3CipherSpec *pwSpec = ss->ssl3.pwSpec;
6581 SECItem wrappedMS; /* wrapped master secret. */
6583 ss->sec.authAlgorithm = sid->authAlgorithm;
6584 ss->sec.authKeyBits = sid->authKeyBits;
6585 ss->sec.keaType = sid->keaType;
6586 ss->sec.keaKeyBits = sid->keaKeyBits;
6589 * a) key is wrapped (implies using PKCS11)
6590 * b) key is unwrapped, but we're still using PKCS11
6591 * c) key is unwrapped, and we're bypassing PKCS11.
6593 if (sid->u.ssl3.keys.msIsWrapped) {
6595 PK11SymKey * wrapKey; /* wrapping key */
6596 CK_FLAGS keyFlags = 0;
6598 #ifndef NO_PKCS11_BYPASS
6599 if (ss->opt.bypassPKCS11) {
6600 /* we cannot restart a non-bypass session in a
6606 /* unwrap master secret with PKCS11 */
6607 slot = SECMOD_LookupSlot(sid->u.ssl3.masterModuleID,
6608 sid->u.ssl3.masterSlotID);
6610 break; /* not considered an error. */
6612 if (!PK11_IsPresent(slot)) {
6613 PK11_FreeSlot(slot);
6614 break; /* not considered an error. */
6616 wrapKey = PK11_GetWrapKey(slot, sid->u.ssl3.masterWrapIndex,
6617 sid->u.ssl3.masterWrapMech,
6618 sid->u.ssl3.masterWrapSeries,
6620 PK11_FreeSlot(slot);
6621 if (wrapKey == NULL) {
6622 break; /* not considered an error. */
6625 if (ss->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */
6626 keyFlags = CKF_SIGN | CKF_VERIFY;
6629 wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
6630 wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len;
6631 pwSpec->master_secret =
6632 PK11_UnwrapSymKeyWithFlags(wrapKey, sid->u.ssl3.masterWrapMech,
6633 NULL, &wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE,
6634 CKA_DERIVE, sizeof(SSL3MasterSecret), keyFlags);
6635 errCode = PORT_GetError();
6636 PK11_FreeSymKey(wrapKey);
6637 if (pwSpec->master_secret == NULL) {
6638 break; /* errorCode set just after call to UnwrapSymKey. */
6640 #ifndef NO_PKCS11_BYPASS
6641 } else if (ss->opt.bypassPKCS11) {
6642 /* MS is not wrapped */
6643 wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
6644 wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len;
6645 memcpy(pwSpec->raw_master_secret, wrappedMS.data, wrappedMS.len);
6646 pwSpec->msItem.data = pwSpec->raw_master_secret;
6647 pwSpec->msItem.len = wrappedMS.len;
6650 /* We CAN restart a bypass session in a non-bypass socket. */
6651 /* need to import the raw master secret to session object */
6652 PK11SlotInfo *slot = PK11_GetInternalSlot();
6653 wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
6654 wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len;
6655 pwSpec->master_secret =
6656 PK11_ImportSymKey(slot, CKM_SSL3_MASTER_KEY_DERIVE,
6657 PK11_OriginUnwrap, CKA_ENCRYPT,
6659 PK11_FreeSlot(slot);
6660 if (pwSpec->master_secret == NULL) {
6666 SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_hits );
6668 /* If we sent a session ticket, then this is a stateless resume. */
6669 if (ss->xtnData.sentSessionTicketInClientHello)
6670 SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_stateless_resumes );
6672 if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn))
6673 ss->ssl3.hs.ws = wait_new_session_ticket;
6675 ss->ssl3.hs.ws = wait_change_cipher;
6677 ss->ssl3.hs.isResuming = PR_TRUE;
6679 /* copy the peer cert from the SID */
6680 if (sid->peerCert != NULL) {
6681 ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
6682 ssl3_CopyPeerCertsFromSID(ss, sid);
6685 /* NULL value for PMS signifies re-use of the old MS */
6686 rv = ssl3_InitPendingCipherSpec(ss, NULL);
6687 if (rv != SECSuccess) {
6688 goto alert_loser; /* err code was set */
6694 SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_not_ok );
6696 SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_misses );
6698 /* throw the old one away */
6699 sid->u.ssl3.keys.resumable = PR_FALSE;
6700 if (ss->sec.uncache)
6701 (*ss->sec.uncache)(sid);
6705 ss->sec.ci.sid = sid = ssl3_NewSessionID(ss, PR_FALSE);
6707 goto alert_loser; /* memory error is set. */
6710 sid->version = ss->version;
6711 sid->u.ssl3.sessionIDLength = sidBytes.len;
6712 PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len);
6714 /* Copy Signed Certificate Timestamps, if any. */
6715 if (ss->xtnData.signedCertTimestamps.data) {
6716 rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.signedCertTimestamps,
6717 &ss->xtnData.signedCertTimestamps);
6718 if (rv != SECSuccess)
6722 ss->ssl3.hs.isResuming = PR_FALSE;
6723 ss->ssl3.hs.ws = wait_server_cert;
6726 /* Clean up the temporary pointer to the handshake buffer. */
6727 ss->xtnData.signedCertTimestamps.data = NULL;
6728 ss->xtnData.signedCertTimestamps.len = 0;
6730 /* If we will need a ChannelID key then we make the callback now. This
6731 * allows the handshake to be restarted cleanly if the callback returns
6733 if (ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn)) {
6734 rv = ss->getChannelID(ss->getChannelIDArg, ss->fd,
6735 &ss->ssl3.channelIDPub, &ss->ssl3.channelID);
6736 if (rv == SECWouldBlock) {
6737 ssl3_SetAlwaysBlock(ss);
6740 if (rv != SECSuccess ||
6741 ss->ssl3.channelIDPub == NULL ||
6742 ss->ssl3.channelID == NULL) {
6743 PORT_SetError(SSL_ERROR_GET_CHANNEL_ID_FAILED);
6744 desc = internal_error;
6752 (void)SSL3_SendAlert(ss, alert_fatal, desc);
6755 /* Clean up the temporary pointer to the handshake buffer. */
6756 ss->xtnData.signedCertTimestamps.data = NULL;
6757 ss->xtnData.signedCertTimestamps.len = 0;
6758 errCode = ssl_MapLowLevelError(errCode);
6762 /* ssl3_BigIntGreaterThanOne returns true iff |mpint|, taken as an unsigned,
6763 * big-endian integer is > 1 */
6765 ssl3_BigIntGreaterThanOne(const SECItem* mpint) {
6766 unsigned char firstNonZeroByte = 0;
6769 for (i = 0; i < mpint->len; i++) {
6770 if (mpint->data[i]) {
6771 firstNonZeroByte = mpint->data[i];
6776 if (firstNonZeroByte == 0)
6778 if (firstNonZeroByte > 1)
6781 /* firstNonZeroByte == 1, therefore mpint > 1 iff the first non-zero byte
6782 * is followed by another byte. */
6783 return (i < mpint->len - 1);
6786 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
6787 * ssl3 ServerKeyExchange message.
6788 * Caller must hold Handshake and RecvBuf locks.
6791 ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
6793 PLArenaPool * arena = NULL;
6794 SECKEYPublicKey *peerKey = NULL;
6795 PRBool isTLS, isTLS12;
6797 int errCode = SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH;
6798 SSL3AlertDescription desc = illegal_parameter;
6800 SECItem signature = {siBuffer, NULL, 0};
6801 SSL3SignatureAndHashAlgorithm sigAndHash;
6803 sigAndHash.hashAlg = SEC_OID_UNKNOWN;
6805 SSL_TRC(3, ("%d: SSL3[%d]: handle server_key_exchange handshake",
6806 SSL_GETPID(), ss->fd));
6807 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
6808 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
6810 if (ss->ssl3.hs.ws != wait_server_key &&
6811 ss->ssl3.hs.ws != wait_server_cert) {
6812 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH;
6813 desc = unexpected_message;
6816 if (ss->sec.peerCert == NULL) {
6817 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH;
6818 desc = unexpected_message;
6822 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
6823 isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
6825 switch (ss->ssl3.hs.kea_def->exchKeyType) {
6828 SECItem modulus = {siBuffer, NULL, 0};
6829 SECItem exponent = {siBuffer, NULL, 0};
6831 rv = ssl3_ConsumeHandshakeVariable(ss, &modulus, 2, &b, &length);
6832 if (rv != SECSuccess) {
6833 goto loser; /* malformed. */
6835 rv = ssl3_ConsumeHandshakeVariable(ss, &exponent, 2, &b, &length);
6836 if (rv != SECSuccess) {
6837 goto loser; /* malformed. */
6840 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length,
6842 if (rv != SECSuccess) {
6843 goto loser; /* malformed or unsupported. */
6845 rv = ssl3_CheckSignatureAndHashAlgorithmConsistency(
6846 &sigAndHash, ss->sec.peerCert);
6847 if (rv != SECSuccess) {
6851 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length);
6852 if (rv != SECSuccess) {
6853 goto loser; /* malformed. */
6857 desc = decode_error;
6858 goto alert_loser; /* malformed. */
6861 /* failures after this point are not malformed handshakes. */
6862 /* TLS: send decrypt_error if signature failed. */
6863 desc = isTLS ? decrypt_error : handshake_failure;
6866 * check to make sure the hash is signed by right guy
6868 rv = ssl3_ComputeExportRSAKeyHash(sigAndHash.hashAlg, modulus, exponent,
6869 &ss->ssl3.hs.client_random,
6870 &ss->ssl3.hs.server_random,
6871 &hashes, ss->opt.bypassPKCS11);
6872 if (rv != SECSuccess) {
6874 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
6877 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature,
6878 isTLS, ss->pkcs11PinArg);
6879 if (rv != SECSuccess) {
6881 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
6886 * we really need to build a new key here because we can no longer
6887 * ignore calling SECKEY_DestroyPublicKey. Using the key may allocate
6888 * pkcs11 slots and ID's.
6890 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
6891 if (arena == NULL) {
6895 peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey);
6896 if (peerKey == NULL) {
6897 PORT_FreeArena(arena, PR_FALSE);
6901 peerKey->arena = arena;
6902 peerKey->keyType = rsaKey;
6903 peerKey->pkcs11Slot = NULL;
6904 peerKey->pkcs11ID = CK_INVALID_HANDLE;
6905 if (SECITEM_CopyItem(arena, &peerKey->u.rsa.modulus, &modulus) ||
6906 SECITEM_CopyItem(arena, &peerKey->u.rsa.publicExponent, &exponent))
6908 PORT_FreeArena(arena, PR_FALSE);
6911 ss->sec.peerKey = peerKey;
6912 ss->ssl3.hs.ws = wait_cert_request;
6917 SECItem dh_p = {siBuffer, NULL, 0};
6918 SECItem dh_g = {siBuffer, NULL, 0};
6919 SECItem dh_Ys = {siBuffer, NULL, 0};
6921 rv = ssl3_ConsumeHandshakeVariable(ss, &dh_p, 2, &b, &length);
6922 if (rv != SECSuccess) {
6923 goto loser; /* malformed. */
6925 if (dh_p.len < 512/8) {
6926 errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY;
6929 rv = ssl3_ConsumeHandshakeVariable(ss, &dh_g, 2, &b, &length);
6930 if (rv != SECSuccess) {
6931 goto loser; /* malformed. */
6933 if (dh_g.len > dh_p.len || !ssl3_BigIntGreaterThanOne(&dh_g))
6935 rv = ssl3_ConsumeHandshakeVariable(ss, &dh_Ys, 2, &b, &length);
6936 if (rv != SECSuccess) {
6937 goto loser; /* malformed. */
6939 if (dh_Ys.len > dh_p.len || !ssl3_BigIntGreaterThanOne(&dh_Ys))
6942 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length,
6944 if (rv != SECSuccess) {
6945 goto loser; /* malformed or unsupported. */
6947 rv = ssl3_CheckSignatureAndHashAlgorithmConsistency(
6948 &sigAndHash, ss->sec.peerCert);
6949 if (rv != SECSuccess) {
6953 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length);
6954 if (rv != SECSuccess) {
6955 goto loser; /* malformed. */
6959 desc = decode_error;
6960 goto alert_loser; /* malformed. */
6963 PRINT_BUF(60, (NULL, "Server DH p", dh_p.data, dh_p.len));
6964 PRINT_BUF(60, (NULL, "Server DH g", dh_g.data, dh_g.len));
6965 PRINT_BUF(60, (NULL, "Server DH Ys", dh_Ys.data, dh_Ys.len));
6967 /* failures after this point are not malformed handshakes. */
6968 /* TLS: send decrypt_error if signature failed. */
6969 desc = isTLS ? decrypt_error : handshake_failure;
6972 * check to make sure the hash is signed by right guy
6974 rv = ssl3_ComputeDHKeyHash(sigAndHash.hashAlg, dh_p, dh_g, dh_Ys,
6975 &ss->ssl3.hs.client_random,
6976 &ss->ssl3.hs.server_random,
6977 &hashes, ss->opt.bypassPKCS11);
6978 if (rv != SECSuccess) {
6980 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
6983 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature,
6984 isTLS, ss->pkcs11PinArg);
6985 if (rv != SECSuccess) {
6987 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
6992 * we really need to build a new key here because we can no longer
6993 * ignore calling SECKEY_DestroyPublicKey. Using the key may allocate
6994 * pkcs11 slots and ID's.
6996 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
6997 if (arena == NULL) {
7001 ss->sec.peerKey = peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey);
7002 if (peerKey == NULL) {
7006 peerKey->arena = arena;
7007 peerKey->keyType = dhKey;
7008 peerKey->pkcs11Slot = NULL;
7009 peerKey->pkcs11ID = CK_INVALID_HANDLE;
7011 if (SECITEM_CopyItem(arena, &peerKey->u.dh.prime, &dh_p) ||
7012 SECITEM_CopyItem(arena, &peerKey->u.dh.base, &dh_g) ||
7013 SECITEM_CopyItem(arena, &peerKey->u.dh.publicValue, &dh_Ys))
7015 PORT_FreeArena(arena, PR_FALSE);
7018 ss->sec.peerKey = peerKey;
7019 ss->ssl3.hs.ws = wait_cert_request;
7023 #ifdef NSS_ENABLE_ECC
7025 rv = ssl3_HandleECDHServerKeyExchange(ss, b, length);
7027 #endif /* NSS_ENABLE_ECC */
7030 desc = handshake_failure;
7031 errCode = SEC_ERROR_UNSUPPORTED_KEYALG;
7032 break; /* goto alert_loser; */
7036 (void)SSL3_SendAlert(ss, alert_fatal, desc);
7038 PORT_SetError( errCode );
7041 no_memory: /* no-memory error has already been set. */
7042 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
7048 * Returns the TLS signature algorithm for the client authentication key and
7049 * whether it is an RSA or DSA key that may be able to sign only SHA-1 hashes.
7052 ssl3_ExtractClientKeyInfo(sslSocket *ss,
7053 TLSSignatureAlgorithm *sigAlg,
7056 SECStatus rv = SECSuccess;
7057 SECKEYPublicKey *pubk;
7059 pubk = CERT_ExtractPublicKey(ss->ssl3.clientCertificate);
7065 rv = ssl3_TLSSignatureAlgorithmForKeyType(pubk->keyType, sigAlg);
7066 if (rv != SECSuccess) {
7070 #if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(_WIN32)
7071 /* If the key is in CAPI, assume conservatively that the CAPI service
7072 * provider may be unable to sign SHA-256 hashes.
7074 if (ss->ssl3.platformClientKey->dwKeySpec != CERT_NCRYPT_KEY_SPEC) {
7075 /* CAPI only supports RSA and DSA signatures, so we don't need to
7076 * check the key type. */
7077 *preferSha1 = PR_TRUE;
7080 #endif /* NSS_PLATFORM_CLIENT_AUTH && _WIN32 */
7082 /* If the key is a 1024-bit RSA or DSA key, assume conservatively that
7083 * it may be unable to sign SHA-256 hashes. This is the case for older
7084 * Estonian ID cards that have 1024-bit RSA keys. In FIPS 186-2 and
7085 * older, DSA key size is at most 1024 bits and the hash function must
7088 if (pubk->keyType == rsaKey || pubk->keyType == dsaKey) {
7089 *preferSha1 = SECKEY_PublicKeyStrength(pubk) <= 128;
7091 *preferSha1 = PR_FALSE;
7096 SECKEY_DestroyPublicKey(pubk);
7100 /* Destroys the backup handshake hash context if we don't need it. Note that
7101 * this function selects the hash algorithm for client authentication
7102 * signatures; ssl3_SendCertificateVerify uses the presence of the backup hash
7103 * to determine whether to use SHA-1 or SHA-256. */
7105 ssl3_DestroyBackupHandshakeHashIfNotNeeded(sslSocket *ss,
7106 const SECItem *algorithms)
7109 TLSSignatureAlgorithm sigAlg;
7111 PRBool supportsSha1 = PR_FALSE;
7112 PRBool supportsSha256 = PR_FALSE;
7113 PRBool needBackupHash = PR_FALSE;
7116 #ifndef NO_PKCS11_BYPASS
7117 /* Backup handshake hash is not supported in PKCS #11 bypass mode. */
7118 if (ss->opt.bypassPKCS11) {
7119 PORT_Assert(!ss->ssl3.hs.backupHash);
7123 PORT_Assert(ss->ssl3.hs.backupHash);
7125 /* Determine the key's signature algorithm and whether it prefers SHA-1. */
7126 rv = ssl3_ExtractClientKeyInfo(ss, &sigAlg, &preferSha1);
7127 if (rv != SECSuccess) {
7131 /* Determine the server's hash support for that signature algorithm. */
7132 for (i = 0; i < algorithms->len; i += 2) {
7133 if (algorithms->data[i+1] == sigAlg) {
7134 if (algorithms->data[i] == tls_hash_sha1) {
7135 supportsSha1 = PR_TRUE;
7136 } else if (algorithms->data[i] == tls_hash_sha256) {
7137 supportsSha256 = PR_TRUE;
7142 /* If either the server does not support SHA-256 or the client key prefers
7143 * SHA-1, leave the backup hash. */
7144 if (supportsSha1 && (preferSha1 || !supportsSha256)) {
7145 needBackupHash = PR_TRUE;
7149 if (!needBackupHash) {
7150 PK11_DestroyContext(ss->ssl3.hs.backupHash, PR_TRUE);
7151 ss->ssl3.hs.backupHash = NULL;
7155 typedef struct dnameNode {
7156 struct dnameNode *next;
7160 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
7161 * ssl3 Certificate Request message.
7162 * Caller must hold Handshake and RecvBuf locks.
7165 ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
7167 PLArenaPool * arena = NULL;
7170 PRBool isTLS = PR_FALSE;
7171 PRBool isTLS12 = PR_FALSE;
7173 int errCode = SSL_ERROR_RX_MALFORMED_CERT_REQUEST;
7176 SSL3AlertDescription desc = illegal_parameter;
7177 SECItem cert_types = {siBuffer, NULL, 0};
7178 SECItem algorithms = {siBuffer, NULL, 0};
7179 CERTDistNames ca_list;
7180 #ifdef NSS_PLATFORM_CLIENT_AUTH
7181 CERTCertList * platform_cert_list = NULL;
7182 CERTCertListNode * certNode = NULL;
7183 #endif /* NSS_PLATFORM_CLIENT_AUTH */
7185 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake",
7186 SSL_GETPID(), ss->fd));
7187 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
7188 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
7190 if (ss->ssl3.hs.ws != wait_cert_request &&
7191 ss->ssl3.hs.ws != wait_server_key) {
7192 desc = unexpected_message;
7193 errCode = SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST;
7197 PORT_Assert(ss->ssl3.clientCertChain == NULL);
7198 PORT_Assert(ss->ssl3.clientCertificate == NULL);
7199 PORT_Assert(ss->ssl3.clientPrivateKey == NULL);
7200 PORT_Assert(ss->ssl3.platformClientKey == (PlatformKey)NULL);
7202 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
7203 isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
7204 rv = ssl3_ConsumeHandshakeVariable(ss, &cert_types, 1, &b, &length);
7205 if (rv != SECSuccess)
7206 goto loser; /* malformed, alert has been sent */
7208 PORT_Assert(!ss->requestedCertTypes);
7209 ss->requestedCertTypes = &cert_types;
7212 rv = ssl3_ConsumeHandshakeVariable(ss, &algorithms, 2, &b, &length);
7213 if (rv != SECSuccess)
7214 goto loser; /* malformed, alert has been sent */
7215 /* An empty or odd-length value is invalid.
7216 * SignatureAndHashAlgorithm
7217 * supported_signature_algorithms<2..2^16-2>;
7219 if (algorithms.len == 0 || (algorithms.len & 1) != 0)
7223 arena = ca_list.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
7227 remaining = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
7229 goto loser; /* malformed, alert has been sent */
7231 if ((PRUint32)remaining > length)
7234 ca_list.head = node = PORT_ArenaZNew(arena, dnameNode);
7238 while (remaining > 0) {
7242 goto alert_loser; /* malformed */
7244 node->name.len = len = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
7246 goto loser; /* malformed, alert has been sent */
7249 if (remaining < len)
7250 goto alert_loser; /* malformed */
7252 node->name.data = b;
7258 break; /* success */
7260 node->next = PORT_ArenaZNew(arena, dnameNode);
7266 ca_list.nnames = nnames;
7267 ca_list.names = PORT_ArenaNewArray(arena, SECItem, nnames);
7268 if (nnames > 0 && ca_list.names == NULL)
7271 for(i = 0, node = (dnameNode*)ca_list.head;
7273 i++, node = node->next) {
7274 ca_list.names[i] = node->name;
7278 goto alert_loser; /* malformed */
7280 desc = no_certificate;
7281 ss->ssl3.hs.ws = wait_hello_done;
7283 #ifdef NSS_PLATFORM_CLIENT_AUTH
7284 if (ss->getPlatformClientAuthData != NULL) {
7285 /* XXX Should pass cert_types and algorithms in this call!! */
7286 rv = (SECStatus)(*ss->getPlatformClientAuthData)(
7287 ss->getPlatformClientAuthDataArg,
7289 &platform_cert_list,
7290 (void**)&ss->ssl3.platformClientKey,
7291 &ss->ssl3.clientCertificate,
7292 &ss->ssl3.clientPrivateKey);
7295 if (ss->getClientAuthData != NULL) {
7296 /* XXX Should pass cert_types and algorithms in this call!! */
7297 rv = (SECStatus)(*ss->getClientAuthData)(ss->getClientAuthDataArg,
7299 &ss->ssl3.clientCertificate,
7300 &ss->ssl3.clientPrivateKey);
7302 rv = SECFailure; /* force it to send a no_certificate alert */
7306 case SECWouldBlock: /* getClientAuthData has put up a dialog box. */
7307 ssl3_SetAlwaysBlock(ss);
7308 break; /* not an error */
7311 #ifdef NSS_PLATFORM_CLIENT_AUTH
7312 if (!platform_cert_list || CERT_LIST_EMPTY(platform_cert_list) ||
7313 !ss->ssl3.platformClientKey) {
7314 if (platform_cert_list) {
7315 CERT_DestroyCertList(platform_cert_list);
7316 platform_cert_list = NULL;
7318 if (ss->ssl3.platformClientKey) {
7319 ssl_FreePlatformKey(ss->ssl3.platformClientKey);
7320 ss->ssl3.platformClientKey = (PlatformKey)NULL;
7322 /* Fall through to NSS client auth check */
7324 certNode = CERT_LIST_HEAD(platform_cert_list);
7325 ss->ssl3.clientCertificate = CERT_DupCertificate(certNode->cert);
7327 /* Setting ssl3.clientCertChain non-NULL will cause
7328 * ssl3_HandleServerHelloDone to call SendCertificate.
7329 * Note: clientCertChain should include the EE cert as
7330 * clientCertificate is ignored during the actual sending
7332 ss->ssl3.clientCertChain =
7333 hack_NewCertificateListFromCertList(platform_cert_list);
7334 CERT_DestroyCertList(platform_cert_list);
7335 platform_cert_list = NULL;
7336 if (ss->ssl3.clientCertChain == NULL) {
7337 if (ss->ssl3.clientCertificate != NULL) {
7338 CERT_DestroyCertificate(ss->ssl3.clientCertificate);
7339 ss->ssl3.clientCertificate = NULL;
7341 if (ss->ssl3.platformClientKey) {
7342 ssl_FreePlatformKey(ss->ssl3.platformClientKey);
7343 ss->ssl3.platformClientKey = (PlatformKey)NULL;
7345 goto send_no_certificate;
7347 if (ss->ssl3.hs.hashType == handshake_hash_single) {
7348 ssl3_DestroyBackupHandshakeHashIfNotNeeded(ss, &algorithms);
7350 break; /* not an error */
7352 #endif /* NSS_PLATFORM_CLIENT_AUTH */
7353 /* check what the callback function returned */
7354 if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) {
7355 /* we are missing either the key or cert */
7356 if (ss->ssl3.clientCertificate) {
7357 /* got a cert, but no key - free it */
7358 CERT_DestroyCertificate(ss->ssl3.clientCertificate);
7359 ss->ssl3.clientCertificate = NULL;
7361 if (ss->ssl3.clientPrivateKey) {
7362 /* got a key, but no cert - free it */
7363 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
7364 ss->ssl3.clientPrivateKey = NULL;
7366 goto send_no_certificate;
7368 /* Setting ssl3.clientCertChain non-NULL will cause
7369 * ssl3_HandleServerHelloDone to call SendCertificate.
7371 ss->ssl3.clientCertChain = CERT_CertChainFromCert(
7372 ss->ssl3.clientCertificate,
7373 certUsageSSLClient, PR_FALSE);
7374 if (ss->ssl3.clientCertChain == NULL) {
7375 CERT_DestroyCertificate(ss->ssl3.clientCertificate);
7376 ss->ssl3.clientCertificate = NULL;
7377 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
7378 ss->ssl3.clientPrivateKey = NULL;
7379 goto send_no_certificate;
7381 if (ss->ssl3.hs.hashType == handshake_hash_single) {
7382 ssl3_DestroyBackupHandshakeHashIfNotNeeded(ss, &algorithms);
7384 break; /* not an error */
7388 send_no_certificate:
7390 ss->ssl3.sendEmptyCert = PR_TRUE;
7392 (void)SSL3_SendAlert(ss, alert_warning, no_certificate);
7401 PORT_SetError(SEC_ERROR_NO_MEMORY);
7405 if (isTLS && desc == illegal_parameter)
7406 desc = decode_error;
7407 (void)SSL3_SendAlert(ss, alert_fatal, desc);
7409 PORT_SetError(errCode);
7412 ss->requestedCertTypes = NULL;
7414 PORT_FreeArena(arena, PR_FALSE);
7415 #ifdef NSS_PLATFORM_CLIENT_AUTH
7416 if (platform_cert_list)
7417 CERT_DestroyCertList(platform_cert_list);
7423 * attempt to restart the handshake after asynchronously handling
7424 * a request for the client's certificate.
7427 * cert Client cert chosen by application.
7428 * Note: ssl takes this reference, and does not bump the
7429 * reference count. The caller should drop its reference
7430 * without calling CERT_DestroyCert after calling this function.
7432 * key Private key associated with cert. This function takes
7433 * ownership of the private key, so the caller should drop its
7434 * reference without destroying the private key after this
7437 * certChain DER-encoded certs, client cert and its signers.
7438 * Note: ssl takes this reference, and does not copy the chain.
7439 * The caller should drop its reference without destroying the
7440 * chain. SSL will free the chain when it is done with it.
7444 * XXX This code only works on the initial handshake on a connection, XXX
7445 * It does not work on a subsequent handshake (redo).
7447 * Caller holds 1stHandshakeLock.
7450 ssl3_RestartHandshakeAfterCertReq(sslSocket * ss,
7451 CERTCertificate * cert,
7452 SECKEYPrivateKey * key,
7453 CERTCertificateList *certChain)
7455 SECStatus rv = SECSuccess;
7457 /* XXX This code only works on the initial handshake on a connection,
7458 ** XXX It does not work on a subsequent handshake (redo).
7460 if (ss->handshake != 0) {
7461 ss->handshake = ssl_GatherRecord1stHandshake;
7462 ss->ssl3.clientCertificate = cert;
7463 ss->ssl3.clientPrivateKey = key;
7464 ss->ssl3.clientCertChain = certChain;
7465 if (!cert || !key || !certChain) {
7466 /* we are missing the key, cert, or cert chain */
7467 if (ss->ssl3.clientCertificate) {
7468 CERT_DestroyCertificate(ss->ssl3.clientCertificate);
7469 ss->ssl3.clientCertificate = NULL;
7471 if (ss->ssl3.clientPrivateKey) {
7472 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
7473 ss->ssl3.clientPrivateKey = NULL;
7475 if (ss->ssl3.clientCertChain != NULL) {
7476 CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
7477 ss->ssl3.clientCertChain = NULL;
7479 if (ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0) {
7480 ss->ssl3.sendEmptyCert = PR_TRUE;
7482 (void)SSL3_SendAlert(ss, alert_warning, no_certificate);
7487 CERT_DestroyCertificate(cert);
7490 SECKEY_DestroyPrivateKey(key);
7493 CERT_DestroyCertificateList(certChain);
7495 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
7502 ssl3_CheckFalseStart(sslSocket *ss)
7504 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
7505 PORT_Assert( !ss->ssl3.hs.authCertificatePending );
7506 PORT_Assert( !ss->ssl3.hs.canFalseStart );
7508 if (!ss->canFalseStartCallback) {
7509 SSL_TRC(3, ("%d: SSL[%d]: no false start callback so no false start",
7510 SSL_GETPID(), ss->fd));
7512 PRBool maybeFalseStart;
7515 /* An attacker can control the selected ciphersuite so we only wish to
7516 * do False Start in the case that the selected ciphersuite is
7517 * sufficiently strong that the attack can gain no advantage.
7518 * Therefore we always require an 80-bit cipher. */
7519 ssl_GetSpecReadLock(ss);
7520 maybeFalseStart = ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10;
7521 ssl_ReleaseSpecReadLock(ss);
7523 if (!maybeFalseStart) {
7524 SSL_TRC(3, ("%d: SSL[%d]: no false start due to weak cipher",
7525 SSL_GETPID(), ss->fd));
7527 rv = (ss->canFalseStartCallback)(ss->fd,
7528 ss->canFalseStartCallbackData,
7529 &ss->ssl3.hs.canFalseStart);
7530 if (rv == SECSuccess) {
7531 SSL_TRC(3, ("%d: SSL[%d]: false start callback returned %s",
7532 SSL_GETPID(), ss->fd,
7533 ss->ssl3.hs.canFalseStart ? "TRUE" : "FALSE"));
7535 SSL_TRC(3, ("%d: SSL[%d]: false start callback failed (%s)",
7536 SSL_GETPID(), ss->fd,
7537 PR_ErrorToName(PR_GetError())));
7543 ss->ssl3.hs.canFalseStart = PR_FALSE;
7548 ssl3_WaitingForStartOfServerSecondRound(sslSocket *ss)
7552 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
7554 switch (ss->ssl3.hs.ws) {
7555 case wait_new_session_ticket:
7558 case wait_change_cipher:
7559 result = !ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn);
7569 static SECStatus ssl3_SendClientSecondRound(sslSocket *ss);
7571 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
7572 * ssl3 Server Hello Done message.
7573 * Caller must hold Handshake and RecvBuf locks.
7576 ssl3_HandleServerHelloDone(sslSocket *ss)
7579 SSL3WaitState ws = ss->ssl3.hs.ws;
7581 SSL_TRC(3, ("%d: SSL3[%d]: handle server_hello_done handshake",
7582 SSL_GETPID(), ss->fd));
7583 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
7584 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
7586 if (ws != wait_hello_done &&
7587 ws != wait_server_cert &&
7588 ws != wait_server_key &&
7589 ws != wait_cert_request) {
7590 SSL3_SendAlert(ss, alert_fatal, unexpected_message);
7591 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
7595 rv = ssl3_SendClientSecondRound(ss);
7600 /* Called from ssl3_HandleServerHelloDone and ssl3_AuthCertificateComplete.
7602 * Caller must hold Handshake and RecvBuf locks.
7605 ssl3_SendClientSecondRound(sslSocket *ss)
7608 PRBool sendClientCert;
7610 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
7611 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
7613 sendClientCert = !ss->ssl3.sendEmptyCert &&
7614 ss->ssl3.clientCertChain != NULL &&
7615 (ss->ssl3.platformClientKey ||
7616 ss->ssl3.clientPrivateKey != NULL);
7618 if (!sendClientCert &&
7619 ss->ssl3.hs.hashType == handshake_hash_single &&
7620 ss->ssl3.hs.backupHash) {
7621 /* Don't need the backup handshake hash. */
7622 PK11_DestroyContext(ss->ssl3.hs.backupHash, PR_TRUE);
7623 ss->ssl3.hs.backupHash = NULL;
7626 /* We must wait for the server's certificate to be authenticated before
7627 * sending the client certificate in order to disclosing the client
7628 * certificate to an attacker that does not have a valid cert for the
7629 * domain we are connecting to.
7631 * XXX: We should do the same for the NPN extension, but for that we
7632 * need an option to give the application the ability to leak the NPN
7633 * information to get better performance.
7635 * During the initial handshake on a connection, we never send/receive
7636 * application data until we have authenticated the server's certificate;
7637 * i.e. we have fully authenticated the handshake before using the cipher
7638 * specs agreed upon for that handshake. During a renegotiation, we may
7639 * continue sending and receiving application data during the handshake
7640 * interleaved with the handshake records. If we were to send the client's
7641 * second round for a renegotiation before the server's certificate was
7642 * authenticated, then the application data sent/received after this point
7643 * would be using cipher spec that hadn't been authenticated. By waiting
7644 * until the server's certificate has been authenticated during
7645 * renegotiations, we ensure that renegotiations have the same property
7646 * as initial handshakes; i.e. we have fully authenticated the handshake
7647 * before using the cipher specs agreed upon for that handshake for
7650 if (ss->ssl3.hs.restartTarget) {
7651 PR_NOT_REACHED("unexpected ss->ssl3.hs.restartTarget");
7652 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
7655 if (ss->ssl3.hs.authCertificatePending &&
7656 (sendClientCert || ss->ssl3.sendEmptyCert || ss->firstHsDone)) {
7657 SSL_TRC(3, ("%d: SSL3[%p]: deferring ssl3_SendClientSecondRound because"
7658 " certificate authentication is still pending.",
7659 SSL_GETPID(), ss->fd));
7660 ss->ssl3.hs.restartTarget = ssl3_SendClientSecondRound;
7661 return SECWouldBlock;
7664 ssl_GetXmitBufLock(ss); /*******************************/
7666 if (ss->ssl3.sendEmptyCert) {
7667 ss->ssl3.sendEmptyCert = PR_FALSE;
7668 rv = ssl3_SendEmptyCertificate(ss);
7669 /* Don't send verify */
7670 if (rv != SECSuccess) {
7671 goto loser; /* error code is set. */
7673 } else if (sendClientCert) {
7674 rv = ssl3_SendCertificate(ss);
7675 if (rv != SECSuccess) {
7676 goto loser; /* error code is set. */
7680 rv = ssl3_SendClientKeyExchange(ss);
7681 if (rv != SECSuccess) {
7682 goto loser; /* err is set. */
7685 if (sendClientCert) {
7686 rv = ssl3_SendCertificateVerify(ss);
7687 if (rv != SECSuccess) {
7688 goto loser; /* err is set. */
7692 rv = ssl3_SendChangeCipherSpecs(ss);
7693 if (rv != SECSuccess) {
7694 goto loser; /* err code was set. */
7697 /* This must be done after we've set ss->ssl3.cwSpec in
7698 * ssl3_SendChangeCipherSpecs because SSL_GetChannelInfo uses information
7699 * from cwSpec. This must be done before we call ssl3_CheckFalseStart
7700 * because the false start callback (if any) may need the information from
7701 * the functions that depend on this being set.
7703 ss->enoughFirstHsDone = PR_TRUE;
7705 if (!ss->firstHsDone) {
7706 /* XXX: If the server's certificate hasn't been authenticated by this
7707 * point, then we may be leaking this NPN message to an attacker.
7709 rv = ssl3_SendNextProto(ss);
7710 if (rv != SECSuccess) {
7711 goto loser; /* err code was set. */
7715 rv = ssl3_SendEncryptedExtensions(ss);
7716 if (rv != SECSuccess) {
7717 goto loser; /* err code was set. */
7720 if (!ss->firstHsDone) {
7721 if (ss->opt.enableFalseStart) {
7722 if (!ss->ssl3.hs.authCertificatePending) {
7723 /* When we fix bug 589047, we will need to know whether we are
7724 * false starting before we try to flush the client second
7725 * round to the network. With that in mind, we purposefully
7726 * call ssl3_CheckFalseStart before calling ssl3_SendFinished,
7727 * which includes a call to ssl3_FlushHandshake, so that
7728 * no application develops a reliance on such flushing being
7729 * done before its false start callback is called.
7731 ssl_ReleaseXmitBufLock(ss);
7732 rv = ssl3_CheckFalseStart(ss);
7733 ssl_GetXmitBufLock(ss);
7734 if (rv != SECSuccess) {
7738 /* The certificate authentication and the server's Finished
7739 * message are racing each other. If the certificate
7740 * authentication wins, then we will try to false start in
7741 * ssl3_AuthCertificateComplete.
7743 SSL_TRC(3, ("%d: SSL3[%p]: deferring false start check because"
7744 " certificate authentication is still pending.",
7745 SSL_GETPID(), ss->fd));
7750 rv = ssl3_SendFinished(ss, 0);
7751 if (rv != SECSuccess) {
7752 goto loser; /* err code was set. */
7755 ssl_ReleaseXmitBufLock(ss); /*******************************/
7757 if (!ss->ssl3.hs.isResuming &&
7758 ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn)) {
7759 /* If we are negotiating ChannelID on a full handshake then we record
7760 * the handshake hashes in |sid| at this point. They will be needed in
7761 * the event that we resume this session and use ChannelID on the
7762 * resumption handshake. */
7764 SECItem *originalHandshakeHash =
7765 &ss->sec.ci.sid->u.ssl3.originalHandshakeHash;
7766 PORT_Assert(ss->sec.ci.sid->cached == never_cached);
7768 ssl_GetSpecReadLock(ss);
7769 PORT_Assert(ss->version > SSL_LIBRARY_VERSION_3_0);
7770 rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.cwSpec, &hashes, 0);
7771 ssl_ReleaseSpecReadLock(ss);
7772 if (rv != SECSuccess) {
7776 PORT_Assert(originalHandshakeHash->len == 0);
7777 originalHandshakeHash->data = PORT_Alloc(hashes.len);
7778 if (!originalHandshakeHash->data)
7780 originalHandshakeHash->len = hashes.len;
7781 memcpy(originalHandshakeHash->data, hashes.u.raw, hashes.len);
7784 if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn))
7785 ss->ssl3.hs.ws = wait_new_session_ticket;
7787 ss->ssl3.hs.ws = wait_change_cipher;
7789 PORT_Assert(ssl3_WaitingForStartOfServerSecondRound(ss));
7794 ssl_ReleaseXmitBufLock(ss);
7799 * Routines used by servers
7802 ssl3_SendHelloRequest(sslSocket *ss)
7806 SSL_TRC(3, ("%d: SSL3[%d]: send hello_request handshake", SSL_GETPID(),
7809 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
7810 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
7812 rv = ssl3_AppendHandshakeHeader(ss, hello_request, 0);
7813 if (rv != SECSuccess) {
7814 return rv; /* err set by AppendHandshake */
7816 rv = ssl3_FlushHandshake(ss, 0);
7817 if (rv != SECSuccess) {
7818 return rv; /* error code set by ssl3_FlushHandshake */
7820 ss->ssl3.hs.ws = wait_client_hello;
7826 * ssl3_HandleClientHello()
7828 static SECComparison
7829 ssl3_ServerNameCompare(const SECItem *name1, const SECItem *name2)
7831 if (!name1 != !name2) {
7837 if (name1->type != name2->type) {
7840 return SECITEM_CompareItem(name1, name2);
7843 /* Sets memory error when returning NULL.
7845 * ssl3_SendClientHello()
7846 * ssl3_HandleServerHello()
7847 * ssl3_HandleClientHello()
7848 * ssl3_HandleV2ClientHello()
7851 ssl3_NewSessionID(sslSocket *ss, PRBool is_server)
7855 sid = PORT_ZNew(sslSessionID);
7860 const SECItem * srvName;
7861 SECStatus rv = SECSuccess;
7863 ssl_GetSpecReadLock(ss); /********************************/
7864 srvName = &ss->ssl3.prSpec->srvVirtName;
7865 if (srvName->len && srvName->data) {
7866 rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.srvName, srvName);
7868 ssl_ReleaseSpecReadLock(ss); /************************************/
7869 if (rv != SECSuccess) {
7874 sid->peerID = (ss->peerID == NULL) ? NULL : PORT_Strdup(ss->peerID);
7875 sid->urlSvrName = (ss->url == NULL) ? NULL : PORT_Strdup(ss->url);
7876 sid->addr = ss->sec.ci.peer;
7877 sid->port = ss->sec.ci.port;
7878 sid->references = 1;
7879 sid->cached = never_cached;
7880 sid->version = ss->version;
7882 sid->u.ssl3.keys.resumable = PR_TRUE;
7883 sid->u.ssl3.policy = SSL_ALLOWED;
7884 sid->u.ssl3.clientWriteKey = NULL;
7885 sid->u.ssl3.serverWriteKey = NULL;
7889 int pid = SSL_GETPID();
7891 sid->u.ssl3.sessionIDLength = SSL3_SESSIONID_BYTES;
7892 sid->u.ssl3.sessionID[0] = (pid >> 8) & 0xff;
7893 sid->u.ssl3.sessionID[1] = pid & 0xff;
7894 rv = PK11_GenerateRandom(sid->u.ssl3.sessionID + 2,
7895 SSL3_SESSIONID_BYTES -2);
7896 if (rv != SECSuccess) {
7898 ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
7905 /* Called from: ssl3_HandleClientHello, ssl3_HandleV2ClientHello */
7907 ssl3_SendServerHelloSequence(sslSocket *ss)
7909 const ssl3KEADef *kea_def;
7912 SSL_TRC(3, ("%d: SSL3[%d]: begin send server_hello sequence",
7913 SSL_GETPID(), ss->fd));
7915 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
7916 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
7918 rv = ssl3_SendServerHello(ss);
7919 if (rv != SECSuccess) {
7920 return rv; /* err code is set. */
7922 rv = ssl3_SendCertificate(ss);
7923 if (rv != SECSuccess) {
7924 return rv; /* error code is set. */
7926 rv = ssl3_SendCertificateStatus(ss);
7927 if (rv != SECSuccess) {
7928 return rv; /* error code is set. */
7930 /* We have to do this after the call to ssl3_SendServerHello,
7931 * because kea_def is set up by ssl3_SendServerHello().
7933 kea_def = ss->ssl3.hs.kea_def;
7934 ss->ssl3.hs.usedStepDownKey = PR_FALSE;
7936 if (kea_def->is_limited && kea_def->exchKeyType == kt_rsa) {
7937 /* see if we can legally use the key in the cert. */
7938 int keyLen; /* bytes */
7940 keyLen = PK11_GetPrivateModulusLen(
7941 ss->serverCerts[kea_def->exchKeyType].SERVERKEY);
7944 keyLen * BPB <= kea_def->key_size_limit ) {
7945 /* XXX AND cert is not signing only!! */
7946 /* just fall through and use it. */
7947 } else if (ss->stepDownKeyPair != NULL) {
7948 ss->ssl3.hs.usedStepDownKey = PR_TRUE;
7949 rv = ssl3_SendServerKeyExchange(ss);
7950 if (rv != SECSuccess) {
7951 return rv; /* err code was set. */
7954 #ifndef HACKED_EXPORT_SERVER
7955 PORT_SetError(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED);
7959 #ifdef NSS_ENABLE_ECC
7960 } else if ((kea_def->kea == kea_ecdhe_rsa) ||
7961 (kea_def->kea == kea_ecdhe_ecdsa)) {
7962 rv = ssl3_SendServerKeyExchange(ss);
7963 if (rv != SECSuccess) {
7964 return rv; /* err code was set. */
7966 #endif /* NSS_ENABLE_ECC */
7969 if (ss->opt.requestCertificate) {
7970 rv = ssl3_SendCertificateRequest(ss);
7971 if (rv != SECSuccess) {
7972 return rv; /* err code is set. */
7975 rv = ssl3_SendServerHelloDone(ss);
7976 if (rv != SECSuccess) {
7977 return rv; /* err code is set. */
7980 ss->ssl3.hs.ws = (ss->opt.requestCertificate) ? wait_client_cert
7985 /* An empty TLS Renegotiation Info (RI) extension */
7986 static const PRUint8 emptyRIext[5] = {0xff, 0x01, 0x00, 0x01, 0x00};
7988 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
7989 * ssl3 Client Hello message.
7990 * Caller must hold Handshake and RecvBuf locks.
7993 ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
7995 sslSessionID * sid = NULL;
8000 int errCode = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO;
8001 SSL3AlertDescription desc = illegal_parameter;
8002 SSL3AlertLevel level = alert_fatal;
8003 SSL3ProtocolVersion version;
8004 SECItem sidBytes = {siBuffer, NULL, 0};
8005 SECItem cookieBytes = {siBuffer, NULL, 0};
8006 SECItem suites = {siBuffer, NULL, 0};
8007 SECItem comps = {siBuffer, NULL, 0};
8008 PRBool haveSpecWriteLock = PR_FALSE;
8009 PRBool haveXmitBufLock = PR_FALSE;
8011 SSL_TRC(3, ("%d: SSL3[%d]: handle client_hello handshake",
8012 SSL_GETPID(), ss->fd));
8014 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
8015 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
8016 PORT_Assert( ss->ssl3.initialized );
8018 /* Get peer name of client */
8019 rv = ssl_GetPeerInfo(ss);
8020 if (rv != SECSuccess) {
8021 return rv; /* error code is set. */
8024 /* Clearing the handshake pointers so that ssl_Do1stHandshake won't
8025 * call ssl2_HandleMessage.
8027 * The issue here is that TLS ordinarily starts out in
8028 * ssl2_HandleV3HandshakeRecord() because of the backward-compatibility
8029 * code paths. That function zeroes these next pointers. But with DTLS,
8030 * we don't even try to do the v2 ClientHello so we skip that function
8031 * and need to reset these values here.
8034 ss->nextHandshake = 0;
8035 ss->securityHandshake = 0;
8038 /* We might be starting session renegotiation in which case we should
8039 * clear previous state.
8041 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
8042 ss->statelessResume = PR_FALSE;
8044 if ((ss->ssl3.hs.ws != wait_client_hello) &&
8045 (ss->ssl3.hs.ws != idle_handshake)) {
8046 desc = unexpected_message;
8047 errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO;
8050 if (ss->ssl3.hs.ws == idle_handshake &&
8051 ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) {
8052 desc = no_renegotiation;
8053 level = alert_warning;
8054 errCode = SSL_ERROR_RENEGOTIATION_NOT_ALLOWED;
8059 dtls_RehandshakeCleanup(ss);
8062 tmp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
8064 goto loser; /* malformed, alert already sent */
8066 /* Translate the version */
8068 ss->clientHelloVersion = version =
8069 dtls_DTLSVersionToTLSVersion((SSL3ProtocolVersion)tmp);
8071 ss->clientHelloVersion = version = (SSL3ProtocolVersion)tmp;
8074 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE);
8075 if (rv != SECSuccess) {
8076 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version
8077 : handshake_failure;
8078 errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
8082 rv = ssl3_InitHandshakeHashes(ss);
8083 if (rv != SECSuccess) {
8084 desc = internal_error;
8085 errCode = PORT_GetError();
8089 /* grab the client random data. */
8090 rv = ssl3_ConsumeHandshake(
8091 ss, &ss->ssl3.hs.client_random, SSL3_RANDOM_LENGTH, &b, &length);
8092 if (rv != SECSuccess) {
8093 goto loser; /* malformed */
8096 /* grab the client's SID, if present. */
8097 rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length);
8098 if (rv != SECSuccess) {
8099 goto loser; /* malformed */
8102 /* grab the client's cookie, if present. */
8104 rv = ssl3_ConsumeHandshakeVariable(ss, &cookieBytes, 1, &b, &length);
8105 if (rv != SECSuccess) {
8106 goto loser; /* malformed */
8110 /* grab the list of cipher suites. */
8111 rv = ssl3_ConsumeHandshakeVariable(ss, &suites, 2, &b, &length);
8112 if (rv != SECSuccess) {
8113 goto loser; /* malformed */
8116 /* If the ClientHello version is less than our maximum version, check for a
8117 * TLS_FALLBACK_SCSV and reject the connection if found. */
8118 if (ss->vrange.max > ss->clientHelloVersion) {
8119 for (i = 0; i + 1 < suites.len; i += 2) {
8120 PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1];
8121 if (suite_i != TLS_FALLBACK_SCSV)
8123 desc = inappropriate_fallback;
8124 errCode = SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT;
8129 /* grab the list of compression methods. */
8130 rv = ssl3_ConsumeHandshakeVariable(ss, &comps, 1, &b, &length);
8131 if (rv != SECSuccess) {
8132 goto loser; /* malformed */
8135 desc = handshake_failure;
8137 /* Handle TLS hello extensions for SSL3 & TLS. We do not know if
8138 * we are restarting a previous session until extensions have been
8139 * parsed, since we might have received a SessionTicket extension.
8140 * Note: we allow extensions even when negotiating SSL3 for the sake
8141 * of interoperability (and backwards compatibility).
8145 /* Get length of hello extensions */
8146 PRInt32 extension_length;
8147 extension_length = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
8148 if (extension_length < 0) {
8149 goto loser; /* alert already sent */
8151 if (extension_length != length) {
8152 ssl3_DecodeError(ss); /* send alert */
8155 rv = ssl3_HandleHelloExtensions(ss, &b, &length);
8156 if (rv != SECSuccess) {
8157 goto loser; /* malformed */
8160 if (!ssl3_ExtensionNegotiated(ss, ssl_renegotiation_info_xtn)) {
8161 /* If we didn't receive an RI extension, look for the SCSV,
8162 * and if found, treat it just like an empty RI extension
8163 * by processing a local copy of an empty RI extension.
8165 for (i = 0; i + 1 < suites.len; i += 2) {
8166 PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1];
8167 if (suite_i == TLS_EMPTY_RENEGOTIATION_INFO_SCSV) {
8168 SSL3Opaque * b2 = (SSL3Opaque *)emptyRIext;
8169 PRUint32 L2 = sizeof emptyRIext;
8170 (void)ssl3_HandleHelloExtensions(ss, &b2, &L2);
8175 if (ss->firstHsDone &&
8176 (ss->opt.enableRenegotiation == SSL_RENEGOTIATE_REQUIRES_XTN ||
8177 ss->opt.enableRenegotiation == SSL_RENEGOTIATE_TRANSITIONAL) &&
8178 !ssl3_ExtensionNegotiated(ss, ssl_renegotiation_info_xtn)) {
8179 desc = no_renegotiation;
8180 level = alert_warning;
8181 errCode = SSL_ERROR_RENEGOTIATION_NOT_ALLOWED;
8184 if ((ss->opt.requireSafeNegotiation ||
8185 (ss->firstHsDone && ss->peerRequestedProtection)) &&
8186 !ssl3_ExtensionNegotiated(ss, ssl_renegotiation_info_xtn)) {
8187 desc = handshake_failure;
8188 errCode = SSL_ERROR_UNSAFE_NEGOTIATION;
8192 /* We do stateful resumes only if either of the following
8193 * conditions are satisfied: (1) the client does not support the
8194 * session ticket extension, or (2) the client support the session
8195 * ticket extension, but sent an empty ticket.
8197 if (!ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn) ||
8198 ss->xtnData.emptySessionTicket) {
8199 if (sidBytes.len > 0 && !ss->opt.noCache) {
8200 SSL_TRC(7, ("%d: SSL3[%d]: server, lookup client session-id for 0x%08x%08x%08x%08x",
8201 SSL_GETPID(), ss->fd, ss->sec.ci.peer.pr_s6_addr32[0],
8202 ss->sec.ci.peer.pr_s6_addr32[1],
8203 ss->sec.ci.peer.pr_s6_addr32[2],
8204 ss->sec.ci.peer.pr_s6_addr32[3]));
8205 if (ssl_sid_lookup) {
8206 sid = (*ssl_sid_lookup)(&ss->sec.ci.peer, sidBytes.data,
8207 sidBytes.len, ss->dbHandle);
8209 errCode = SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED;
8213 } else if (ss->statelessResume) {
8214 /* Fill in the client's session ID if doing a stateless resume.
8215 * (When doing stateless resumes, server echos client's SessionID.)
8217 sid = ss->sec.ci.sid;
8218 PORT_Assert(sid != NULL); /* Should have already been filled in.*/
8220 if (sidBytes.len > 0 && sidBytes.len <= SSL3_SESSIONID_BYTES) {
8221 sid->u.ssl3.sessionIDLength = sidBytes.len;
8222 PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data,
8224 sid->u.ssl3.sessionIDLength = sidBytes.len;
8226 sid->u.ssl3.sessionIDLength = 0;
8228 ss->sec.ci.sid = NULL;
8231 /* We only send a session ticket extension if the client supports
8232 * the extension and we are unable to do either a stateful or
8235 * TODO: send a session ticket if performing a stateful
8236 * resumption. (As per RFC4507, a server may issue a session
8237 * ticket while doing a (stateless or stateful) session resume,
8238 * but OpenSSL-0.9.8g does not accept session tickets while
8241 if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn) && sid == NULL) {
8242 ssl3_RegisterServerHelloExtensionSender(ss,
8243 ssl_session_ticket_xtn, ssl3_SendSessionTicketXtn);
8247 /* We've found a session cache entry for this client.
8248 * Now, if we're going to require a client-auth cert,
8249 * and we don't already have this client's cert in the session cache,
8250 * and this is the first handshake on this connection (not a redo),
8251 * then drop this old cache entry and start a new session.
8253 if ((sid->peerCert == NULL) && ss->opt.requestCertificate &&
8254 ((ss->opt.requireCertificate == SSL_REQUIRE_ALWAYS) ||
8255 (ss->opt.requireCertificate == SSL_REQUIRE_NO_ERROR) ||
8256 ((ss->opt.requireCertificate == SSL_REQUIRE_FIRST_HANDSHAKE)
8257 && !ss->firstHsDone))) {
8259 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_not_ok );
8260 if (ss->sec.uncache)
8261 ss->sec.uncache(sid);
8267 #ifdef NSS_ENABLE_ECC
8268 /* Disable any ECC cipher suites for which we have no cert. */
8269 ssl3_FilterECCipherSuitesByServerCerts(ss);
8273 ssl3_DisableNonDTLSSuites(ss);
8276 if (!ssl3_HasGCMSupport()) {
8277 ssl3_DisableGCMSuites(ss);
8281 /* Look for a matching cipher suite. */
8282 j = ssl3_config_match_init(ss);
8283 if (j <= 0) { /* no ciphers are working/supported by PK11 */
8284 errCode = PORT_GetError(); /* error code is already set. */
8289 /* If we already have a session for this client, be sure to pick the
8290 ** same cipher suite and compression method we picked before.
8291 ** This is not a loop, despite appearances.
8294 ssl3CipherSuiteCfg *suite;
8296 SSLVersionRange vrange = {ss->version, ss->version};
8299 /* Check that the cached compression method is still enabled. */
8300 if (!compressionEnabled(ss, sid->u.ssl3.compression))
8303 /* Check that the cached compression method is in the client's list */
8304 for (i = 0; i < comps.len; i++) {
8305 if (comps.data[i] == sid->u.ssl3.compression)
8311 suite = ss->cipherSuites;
8312 /* Find the entry for the cipher suite used in the cached session. */
8313 for (j = ssl_V3_SUITES_IMPLEMENTED; j > 0; --j, ++suite) {
8314 if (suite->cipher_suite == sid->u.ssl3.cipherSuite)
8321 /* Double check that the cached cipher suite is still enabled,
8322 * implemented, and allowed by policy. Might have been disabled.
8323 * The product policy won't change during the process lifetime.
8324 * Implemented ("isPresent") shouldn't change for servers.
8326 if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange))
8329 if (!suite->enabled)
8332 /* Double check that the cached cipher suite is in the client's list */
8333 for (i = 0; i + 1 < suites.len; i += 2) {
8334 PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1];
8335 if (suite_i == suite->cipher_suite) {
8336 ss->ssl3.hs.cipher_suite = suite->cipher_suite;
8337 ss->ssl3.hs.suite_def =
8338 ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite);
8340 /* Use the cached compression method. */
8341 ss->ssl3.hs.compression = sid->u.ssl3.compression;
8342 goto compression_found;
8347 /* START A NEW SESSION */
8350 /* Look for a matching cipher suite. */
8351 j = ssl3_config_match_init(ss);
8352 if (j <= 0) { /* no ciphers are working/supported by PK11 */
8353 errCode = PORT_GetError(); /* error code is already set. */
8358 /* Select a cipher suite.
8360 ** NOTE: This suite selection algorithm should be the same as the one in
8361 ** ssl3_HandleV2ClientHello().
8363 ** If TLS 1.0 is enabled, we could handle the case where the client
8364 ** offered TLS 1.1 but offered only export cipher suites by choosing TLS
8365 ** 1.0 and selecting one of those export cipher suites. However, a secure
8366 ** TLS 1.1 client should not have export cipher suites enabled at all,
8367 ** and a TLS 1.1 client should definitely not be offering *only* export
8368 ** cipher suites. Therefore, we refuse to negotiate export cipher suites
8369 ** with any client that indicates support for TLS 1.1 or higher when we
8370 ** (the server) have TLS 1.1 support enabled.
8372 for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
8373 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
8374 SSLVersionRange vrange = {ss->version, ss->version};
8375 if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) {
8378 for (i = 0; i + 1 < suites.len; i += 2) {
8379 PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1];
8380 if (suite_i == suite->cipher_suite) {
8381 ss->ssl3.hs.cipher_suite = suite->cipher_suite;
8382 ss->ssl3.hs.suite_def =
8383 ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite);
8388 errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
8392 /* Select a compression algorithm. */
8393 for (i = 0; i < comps.len; i++) {
8394 if (!compressionEnabled(ss, comps.data[i]))
8396 for (j = 0; j < compressionMethodsCount; j++) {
8397 if (comps.data[i] == compressions[j]) {
8398 ss->ssl3.hs.compression =
8399 (SSLCompressionMethod)compressions[j];
8400 goto compression_found;
8404 errCode = SSL_ERROR_NO_COMPRESSION_OVERLAP;
8405 /* null compression must be supported */
8412 ss->sec.send = ssl3_SendApplicationData;
8414 /* If there are any failures while processing the old sid,
8415 * we don't consider them to be errors. Instead, We just behave
8416 * as if the client had sent us no sid to begin with, and make a new one.
8418 if (sid != NULL) do {
8419 ssl3CipherSpec *pwSpec;
8420 SECItem wrappedMS; /* wrapped key */
8422 if (sid->version != ss->version ||
8423 sid->u.ssl3.cipherSuite != ss->ssl3.hs.cipher_suite ||
8424 sid->u.ssl3.compression != ss->ssl3.hs.compression) {
8425 break; /* not an error */
8428 if (ss->sec.ci.sid) {
8429 if (ss->sec.uncache)
8430 ss->sec.uncache(ss->sec.ci.sid);
8431 PORT_Assert(ss->sec.ci.sid != sid); /* should be impossible, but ... */
8432 if (ss->sec.ci.sid != sid) {
8433 ssl_FreeSID(ss->sec.ci.sid);
8435 ss->sec.ci.sid = NULL;
8437 /* we need to resurrect the master secret.... */
8439 ssl_GetSpecWriteLock(ss); haveSpecWriteLock = PR_TRUE;
8440 pwSpec = ss->ssl3.pwSpec;
8441 if (sid->u.ssl3.keys.msIsWrapped) {
8442 PK11SymKey * wrapKey; /* wrapping key */
8443 CK_FLAGS keyFlags = 0;
8444 #ifndef NO_PKCS11_BYPASS
8445 if (ss->opt.bypassPKCS11) {
8446 /* we cannot restart a non-bypass session in a
8453 wrapKey = getWrappingKey(ss, NULL, sid->u.ssl3.exchKeyType,
8454 sid->u.ssl3.masterWrapMech,
8457 /* we have a SID cache entry, but no wrapping key for it??? */
8461 if (ss->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */
8462 keyFlags = CKF_SIGN | CKF_VERIFY;
8465 wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
8466 wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len;
8468 /* unwrap the master secret. */
8469 pwSpec->master_secret =
8470 PK11_UnwrapSymKeyWithFlags(wrapKey, sid->u.ssl3.masterWrapMech,
8471 NULL, &wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE,
8472 CKA_DERIVE, sizeof(SSL3MasterSecret), keyFlags);
8473 PK11_FreeSymKey(wrapKey);
8474 if (pwSpec->master_secret == NULL) {
8475 break; /* not an error */
8477 #ifndef NO_PKCS11_BYPASS
8478 } else if (ss->opt.bypassPKCS11) {
8479 wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
8480 wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len;
8481 memcpy(pwSpec->raw_master_secret, wrappedMS.data, wrappedMS.len);
8482 pwSpec->msItem.data = pwSpec->raw_master_secret;
8483 pwSpec->msItem.len = wrappedMS.len;
8486 /* We CAN restart a bypass session in a non-bypass socket. */
8487 /* need to import the raw master secret to session object */
8488 PK11SlotInfo * slot;
8489 wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
8490 wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len;
8491 slot = PK11_GetInternalSlot();
8492 pwSpec->master_secret =
8493 PK11_ImportSymKey(slot, CKM_SSL3_MASTER_KEY_DERIVE,
8494 PK11_OriginUnwrap, CKA_ENCRYPT, &wrappedMS,
8496 PK11_FreeSlot(slot);
8497 if (pwSpec->master_secret == NULL) {
8498 break; /* not an error */
8501 ss->sec.ci.sid = sid;
8502 if (sid->peerCert != NULL) {
8503 ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
8504 ssl3_CopyPeerCertsFromSID(ss, sid);
8508 * Old SID passed all tests, so resume this old session.
8510 * XXX make sure compression still matches
8512 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_hits );
8513 if (ss->statelessResume)
8514 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_stateless_resumes );
8515 ss->ssl3.hs.isResuming = PR_TRUE;
8517 ss->sec.authAlgorithm = sid->authAlgorithm;
8518 ss->sec.authKeyBits = sid->authKeyBits;
8519 ss->sec.keaType = sid->keaType;
8520 ss->sec.keaKeyBits = sid->keaKeyBits;
8522 /* server sids don't remember the server cert we previously sent,
8523 ** but they do remember the kea type we originally used, so we
8524 ** can locate it again, provided that the current ssl socket
8525 ** has had its server certs configured the same as the previous one.
8528 CERT_DupCertificate(ss->serverCerts[sid->keaType].serverCert);
8530 /* Copy cached name in to pending spec */
8532 sid->version > SSL_LIBRARY_VERSION_3_0 &&
8533 sid->u.ssl3.srvName.len && sid->u.ssl3.srvName.data) {
8534 /* Set server name from sid */
8535 SECItem *sidName = &sid->u.ssl3.srvName;
8536 SECItem *pwsName = &ss->ssl3.pwSpec->srvVirtName;
8537 if (pwsName->data) {
8538 SECITEM_FreeItem(pwsName, PR_FALSE);
8540 rv = SECITEM_CopyItem(NULL, pwsName, sidName);
8541 if (rv != SECSuccess) {
8542 errCode = PORT_GetError();
8543 desc = internal_error;
8548 /* Clean up sni name array */
8549 if (ssl3_ExtensionNegotiated(ss, ssl_server_name_xtn) &&
8550 ss->xtnData.sniNameArr) {
8551 PORT_Free(ss->xtnData.sniNameArr);
8552 ss->xtnData.sniNameArr = NULL;
8553 ss->xtnData.sniNameArrSize = 0;
8556 ssl_GetXmitBufLock(ss); haveXmitBufLock = PR_TRUE;
8558 rv = ssl3_SendServerHello(ss);
8559 if (rv != SECSuccess) {
8560 errCode = PORT_GetError();
8564 if (haveSpecWriteLock) {
8565 ssl_ReleaseSpecWriteLock(ss);
8566 haveSpecWriteLock = PR_FALSE;
8569 /* NULL value for PMS signifies re-use of the old MS */
8570 rv = ssl3_InitPendingCipherSpec(ss, NULL);
8571 if (rv != SECSuccess) {
8572 errCode = PORT_GetError();
8576 rv = ssl3_SendChangeCipherSpecs(ss);
8577 if (rv != SECSuccess) {
8578 errCode = PORT_GetError();
8581 rv = ssl3_SendFinished(ss, 0);
8582 ss->ssl3.hs.ws = wait_change_cipher;
8583 if (rv != SECSuccess) {
8584 errCode = PORT_GetError();
8588 if (haveXmitBufLock) {
8589 ssl_ReleaseXmitBufLock(ss);
8590 haveXmitBufLock = PR_FALSE;
8596 if (haveSpecWriteLock) {
8597 ssl_ReleaseSpecWriteLock(ss);
8598 haveSpecWriteLock = PR_FALSE;
8601 if (sid) { /* we had a sid, but it's no longer valid, free it */
8602 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_not_ok );
8603 if (ss->sec.uncache)
8604 ss->sec.uncache(sid);
8608 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_misses );
8610 if (ssl3_ExtensionNegotiated(ss, ssl_server_name_xtn)) {
8612 if (ss->sniSocketConfig) do { /* not a loop */
8613 ret = SSL_SNI_SEND_ALERT;
8614 /* If extension is negotiated, the len of names should > 0. */
8615 if (ss->xtnData.sniNameArrSize) {
8616 /* Calling client callback to reconfigure the socket. */
8617 ret = (SECStatus)(*ss->sniSocketConfig)(ss->fd,
8618 ss->xtnData.sniNameArr,
8619 ss->xtnData.sniNameArrSize,
8620 ss->sniSocketConfigArg);
8622 if (ret <= SSL_SNI_SEND_ALERT) {
8623 /* Application does not know the name or was not able to
8624 * properly reconfigure the socket. */
8625 errCode = SSL_ERROR_UNRECOGNIZED_NAME_ALERT;
8626 desc = unrecognized_name;
8628 } else if (ret == SSL_SNI_CURRENT_CONFIG_IS_USED) {
8629 SECStatus rv = SECSuccess;
8630 SECItem * cwsName, *pwsName;
8632 ssl_GetSpecWriteLock(ss); /*******************************/
8633 pwsName = &ss->ssl3.pwSpec->srvVirtName;
8634 cwsName = &ss->ssl3.cwSpec->srvVirtName;
8635 #ifndef SSL_SNI_ALLOW_NAME_CHANGE_2HS
8636 /* not allow name change on the 2d HS */
8637 if (ss->firstHsDone) {
8638 if (ssl3_ServerNameCompare(pwsName, cwsName)) {
8639 ssl_ReleaseSpecWriteLock(ss); /******************/
8640 errCode = SSL_ERROR_UNRECOGNIZED_NAME_ALERT;
8641 desc = handshake_failure;
8642 ret = SSL_SNI_SEND_ALERT;
8647 if (pwsName->data) {
8648 SECITEM_FreeItem(pwsName, PR_FALSE);
8650 if (cwsName->data) {
8651 rv = SECITEM_CopyItem(NULL, pwsName, cwsName);
8653 ssl_ReleaseSpecWriteLock(ss); /**************************/
8654 if (rv != SECSuccess) {
8655 errCode = SSL_ERROR_INTERNAL_ERROR_ALERT;
8656 desc = internal_error;
8657 ret = SSL_SNI_SEND_ALERT;
8660 } else if (ret < ss->xtnData.sniNameArrSize) {
8661 /* Application has configured new socket info. Lets check it
8662 * and save the name. */
8664 SECItem * name = &ss->xtnData.sniNameArr[ret];
8665 int configedCiphers;
8668 /* get rid of the old name and save the newly picked. */
8669 /* This code is protected by ssl3HandshakeLock. */
8670 ssl_GetSpecWriteLock(ss); /*******************************/
8671 #ifndef SSL_SNI_ALLOW_NAME_CHANGE_2HS
8672 /* not allow name change on the 2d HS */
8673 if (ss->firstHsDone) {
8674 SECItem *cwsName = &ss->ssl3.cwSpec->srvVirtName;
8675 if (ssl3_ServerNameCompare(name, cwsName)) {
8676 ssl_ReleaseSpecWriteLock(ss); /******************/
8677 errCode = SSL_ERROR_UNRECOGNIZED_NAME_ALERT;
8678 desc = handshake_failure;
8679 ret = SSL_SNI_SEND_ALERT;
8684 pwsName = &ss->ssl3.pwSpec->srvVirtName;
8685 if (pwsName->data) {
8686 SECITEM_FreeItem(pwsName, PR_FALSE);
8688 rv = SECITEM_CopyItem(NULL, pwsName, name);
8689 ssl_ReleaseSpecWriteLock(ss); /***************************/
8690 if (rv != SECSuccess) {
8691 errCode = SSL_ERROR_INTERNAL_ERROR_ALERT;
8692 desc = internal_error;
8693 ret = SSL_SNI_SEND_ALERT;
8696 configedCiphers = ssl3_config_match_init(ss);
8697 if (configedCiphers <= 0) {
8698 /* no ciphers are working/supported */
8699 errCode = PORT_GetError();
8700 desc = handshake_failure;
8701 ret = SSL_SNI_SEND_ALERT;
8704 /* Need to tell the client that application has picked
8705 * the name from the offered list and reconfigured the socket.
8707 ssl3_RegisterServerHelloExtensionSender(ss, ssl_server_name_xtn,
8708 ssl3_SendServerNameXtn);
8710 /* Callback returned index outside of the boundary. */
8711 PORT_Assert(ret < ss->xtnData.sniNameArrSize);
8712 errCode = SSL_ERROR_INTERNAL_ERROR_ALERT;
8713 desc = internal_error;
8714 ret = SSL_SNI_SEND_ALERT;
8718 /* Free sniNameArr. The data that each SECItem in the array
8719 * points into is the data from the input buffer "b". It will
8720 * not be available outside the scope of this or it's child
8722 if (ss->xtnData.sniNameArr) {
8723 PORT_Free(ss->xtnData.sniNameArr);
8724 ss->xtnData.sniNameArr = NULL;
8725 ss->xtnData.sniNameArrSize = 0;
8727 if (ret <= SSL_SNI_SEND_ALERT) {
8728 /* desc and errCode should be set. */
8732 #ifndef SSL_SNI_ALLOW_NAME_CHANGE_2HS
8733 else if (ss->firstHsDone) {
8734 /* Check that we don't have the name is current spec
8735 * if this extension was not negotiated on the 2d hs. */
8736 PRBool passed = PR_TRUE;
8737 ssl_GetSpecReadLock(ss); /*******************************/
8738 if (ss->ssl3.cwSpec->srvVirtName.data) {
8741 ssl_ReleaseSpecReadLock(ss); /***************************/
8743 errCode = SSL_ERROR_UNRECOGNIZED_NAME_ALERT;
8744 desc = handshake_failure;
8750 sid = ssl3_NewSessionID(ss, PR_TRUE);
8752 errCode = PORT_GetError();
8753 goto loser; /* memory error is set. */
8755 ss->sec.ci.sid = sid;
8757 ss->ssl3.hs.isResuming = PR_FALSE;
8758 ssl_GetXmitBufLock(ss);
8759 rv = ssl3_SendServerHelloSequence(ss);
8760 ssl_ReleaseXmitBufLock(ss);
8761 if (rv != SECSuccess) {
8762 errCode = PORT_GetError();
8766 if (haveXmitBufLock) {
8767 ssl_ReleaseXmitBufLock(ss);
8768 haveXmitBufLock = PR_FALSE;
8774 if (haveSpecWriteLock) {
8775 ssl_ReleaseSpecWriteLock(ss);
8776 haveSpecWriteLock = PR_FALSE;
8778 (void)SSL3_SendAlert(ss, level, desc);
8781 if (haveSpecWriteLock) {
8782 ssl_ReleaseSpecWriteLock(ss);
8783 haveSpecWriteLock = PR_FALSE;
8786 if (haveXmitBufLock) {
8787 ssl_ReleaseXmitBufLock(ss);
8788 haveXmitBufLock = PR_FALSE;
8791 PORT_SetError(errCode);
8796 * ssl3_HandleV2ClientHello is used when a V2 formatted hello comes
8797 * in asking to use the V3 handshake.
8798 * Called from ssl2_HandleClientHelloMessage() in sslcon.c
8801 ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buffer, int length)
8803 sslSessionID * sid = NULL;
8804 unsigned char * suites;
8805 unsigned char * random;
8806 SSL3ProtocolVersion version;
8813 int errCode = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO;
8814 SSL3AlertDescription desc = handshake_failure;
8816 SSL_TRC(3, ("%d: SSL3[%d]: handle v2 client_hello", SSL_GETPID(), ss->fd));
8818 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
8820 ssl_GetSSL3HandshakeLock(ss);
8822 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
8824 rv = ssl3_InitState(ss);
8825 if (rv != SECSuccess) {
8826 ssl_ReleaseSSL3HandshakeLock(ss);
8827 return rv; /* ssl3_InitState has set the error code. */
8829 rv = ssl3_RestartHandshakeHashes(ss);
8830 if (rv != SECSuccess) {
8831 ssl_ReleaseSSL3HandshakeLock(ss);
8835 if (ss->ssl3.hs.ws != wait_client_hello) {
8836 desc = unexpected_message;
8837 errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO;
8838 goto loser; /* alert_loser */
8841 version = (buffer[1] << 8) | buffer[2];
8842 suite_length = (buffer[3] << 8) | buffer[4];
8843 sid_length = (buffer[5] << 8) | buffer[6];
8844 rand_length = (buffer[7] << 8) | buffer[8];
8845 ss->clientHelloVersion = version;
8847 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE);
8848 if (rv != SECSuccess) {
8849 /* send back which ever alert client will understand. */
8850 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version : handshake_failure;
8851 errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
8855 rv = ssl3_InitHandshakeHashes(ss);
8856 if (rv != SECSuccess) {
8857 desc = internal_error;
8858 errCode = PORT_GetError();
8862 /* if we get a non-zero SID, just ignore it. */
8864 SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length + rand_length) {
8865 SSL_DBG(("%d: SSL3[%d]: bad v2 client hello message, len=%d should=%d",
8866 SSL_GETPID(), ss->fd, length,
8867 SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length +
8869 goto loser; /* malformed */ /* alert_loser */
8872 suites = buffer + SSL_HL_CLIENT_HELLO_HBYTES;
8873 random = suites + suite_length + sid_length;
8875 if (rand_length < SSL_MIN_CHALLENGE_BYTES ||
8876 rand_length > SSL_MAX_CHALLENGE_BYTES) {
8877 goto loser; /* malformed */ /* alert_loser */
8880 PORT_Assert(SSL_MAX_CHALLENGE_BYTES == SSL3_RANDOM_LENGTH);
8882 PORT_Memset(&ss->ssl3.hs.client_random, 0, SSL3_RANDOM_LENGTH);
8884 &ss->ssl3.hs.client_random.rand[SSL3_RANDOM_LENGTH - rand_length],
8885 random, rand_length);
8887 PRINT_BUF(60, (ss, "client random:", &ss->ssl3.hs.client_random.rand[0],
8888 SSL3_RANDOM_LENGTH));
8889 #ifdef NSS_ENABLE_ECC
8890 /* Disable any ECC cipher suites for which we have no cert. */
8891 ssl3_FilterECCipherSuitesByServerCerts(ss);
8893 i = ssl3_config_match_init(ss);
8895 errCode = PORT_GetError(); /* error code is already set. */
8899 /* Select a cipher suite.
8901 ** NOTE: This suite selection algorithm should be the same as the one in
8902 ** ssl3_HandleClientHello().
8904 ** See the comments about export cipher suites in ssl3_HandleClientHello().
8906 for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
8907 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
8908 SSLVersionRange vrange = {ss->version, ss->version};
8909 if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) {
8912 for (i = 0; i+2 < suite_length; i += 3) {
8913 PRUint32 suite_i = (suites[i] << 16)|(suites[i+1] << 8)|suites[i+2];
8914 if (suite_i == suite->cipher_suite) {
8915 ss->ssl3.hs.cipher_suite = suite->cipher_suite;
8916 ss->ssl3.hs.suite_def =
8917 ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite);
8922 errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
8927 /* Look for the SCSV, and if found, treat it just like an empty RI
8928 * extension by processing a local copy of an empty RI extension.
8930 for (i = 0; i+2 < suite_length; i += 3) {
8931 PRUint32 suite_i = (suites[i] << 16) | (suites[i+1] << 8) | suites[i+2];
8932 if (suite_i == TLS_EMPTY_RENEGOTIATION_INFO_SCSV) {
8933 SSL3Opaque * b2 = (SSL3Opaque *)emptyRIext;
8934 PRUint32 L2 = sizeof emptyRIext;
8935 (void)ssl3_HandleHelloExtensions(ss, &b2, &L2);
8940 if (ss->opt.requireSafeNegotiation &&
8941 !ssl3_ExtensionNegotiated(ss, ssl_renegotiation_info_xtn)) {
8942 desc = handshake_failure;
8943 errCode = SSL_ERROR_UNSAFE_NEGOTIATION;
8947 ss->ssl3.hs.compression = ssl_compression_null;
8948 ss->sec.send = ssl3_SendApplicationData;
8950 /* we don't even search for a cache hit here. It's just a miss. */
8951 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_misses );
8952 sid = ssl3_NewSessionID(ss, PR_TRUE);
8954 errCode = PORT_GetError();
8955 goto loser; /* memory error is set. */
8957 ss->sec.ci.sid = sid;
8958 /* do not worry about memory leak of sid since it now belongs to ci */
8960 /* We have to update the handshake hashes before we can send stuff */
8961 rv = ssl3_UpdateHandshakeHashes(ss, buffer, length);
8962 if (rv != SECSuccess) {
8963 errCode = PORT_GetError();
8967 ssl_GetXmitBufLock(ss);
8968 rv = ssl3_SendServerHelloSequence(ss);
8969 ssl_ReleaseXmitBufLock(ss);
8970 if (rv != SECSuccess) {
8971 errCode = PORT_GetError();
8975 /* XXX_1 The call stack to here is:
8976 * ssl_Do1stHandshake -> ssl2_HandleClientHelloMessage -> here.
8977 * ssl2_HandleClientHelloMessage returns whatever we return here.
8978 * ssl_Do1stHandshake will continue looping if it gets back either
8979 * SECSuccess or SECWouldBlock.
8980 * SECSuccess is preferable here. See XXX_1 in sslgathr.c.
8982 ssl_ReleaseSSL3HandshakeLock(ss);
8986 SSL3_SendAlert(ss, alert_fatal, desc);
8988 ssl_ReleaseSSL3HandshakeLock(ss);
8989 PORT_SetError(errCode);
8993 /* The negotiated version number has been already placed in ss->version.
8995 ** Called from: ssl3_HandleClientHello (resuming session),
8996 ** ssl3_SendServerHelloSequence <- ssl3_HandleClientHello (new session),
8997 ** ssl3_SendServerHelloSequence <- ssl3_HandleV2ClientHello (new session)
9000 ssl3_SendServerHello(sslSocket *ss)
9004 PRUint32 maxBytes = 65535;
9006 PRInt32 extensions_len = 0;
9007 SSL3ProtocolVersion version;
9009 SSL_TRC(3, ("%d: SSL3[%d]: send server_hello handshake", SSL_GETPID(),
9012 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
9013 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
9016 PORT_Assert(MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_3_0));
9018 if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_3_0)) {
9019 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
9023 PORT_Assert(MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_DTLS_1_0));
9025 if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_DTLS_1_0)) {
9026 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
9031 sid = ss->sec.ci.sid;
9033 extensions_len = ssl3_CallHelloExtensionSenders(ss, PR_FALSE, maxBytes,
9034 &ss->xtnData.serverSenders[0]);
9035 if (extensions_len > 0)
9036 extensions_len += 2; /* Add sizeof total extension length */
9038 length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH + 1 +
9039 ((sid == NULL) ? 0: sid->u.ssl3.sessionIDLength) +
9040 sizeof(ssl3CipherSuite) + 1 + extensions_len;
9041 rv = ssl3_AppendHandshakeHeader(ss, server_hello, length);
9042 if (rv != SECSuccess) {
9043 return rv; /* err set by AppendHandshake. */
9047 version = dtls_TLSVersionToDTLSVersion(ss->version);
9049 version = ss->version;
9052 rv = ssl3_AppendHandshakeNumber(ss, version, 2);
9053 if (rv != SECSuccess) {
9054 return rv; /* err set by AppendHandshake. */
9056 rv = ssl3_GetNewRandom(&ss->ssl3.hs.server_random);
9057 if (rv != SECSuccess) {
9058 ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
9061 rv = ssl3_AppendHandshake(
9062 ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH);
9063 if (rv != SECSuccess) {
9064 return rv; /* err set by AppendHandshake. */
9068 rv = ssl3_AppendHandshakeVariable(
9069 ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1);
9071 rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
9072 if (rv != SECSuccess) {
9073 return rv; /* err set by AppendHandshake. */
9076 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.cipher_suite, 2);
9077 if (rv != SECSuccess) {
9078 return rv; /* err set by AppendHandshake. */
9080 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.compression, 1);
9081 if (rv != SECSuccess) {
9082 return rv; /* err set by AppendHandshake. */
9084 if (extensions_len) {
9087 extensions_len -= 2;
9088 rv = ssl3_AppendHandshakeNumber(ss, extensions_len, 2);
9089 if (rv != SECSuccess)
9090 return rv; /* err set by ssl3_SetupPendingCipherSpec */
9091 sent_len = ssl3_CallHelloExtensionSenders(ss, PR_TRUE, extensions_len,
9092 &ss->xtnData.serverSenders[0]);
9093 PORT_Assert(sent_len == extensions_len);
9094 if (sent_len != extensions_len) {
9096 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
9100 rv = ssl3_SetupPendingCipherSpec(ss);
9101 if (rv != SECSuccess) {
9102 return rv; /* err set by ssl3_SetupPendingCipherSpec */
9108 /* ssl3_PickSignatureHashAlgorithm selects a hash algorithm to use when signing
9109 * elements of the handshake. (The negotiated cipher suite determines the
9110 * signature algorithm.) Prior to TLS 1.2, the MD5/SHA1 combination is always
9111 * used. With TLS 1.2, a client may advertise its support for signature and
9112 * hash combinations. */
9114 ssl3_PickSignatureHashAlgorithm(sslSocket *ss,
9115 SSL3SignatureAndHashAlgorithm* out)
9117 TLSSignatureAlgorithm sigAlg;
9119 /* hashPreference expresses our preferences for hash algorithms, most
9120 * preferable first. */
9121 static const PRUint8 hashPreference[] = {
9128 switch (ss->ssl3.hs.kea_def->kea) {
9130 case kea_rsa_export:
9131 case kea_rsa_export_1024:
9133 case kea_dh_rsa_export:
9135 case kea_dhe_rsa_export:
9139 sigAlg = tls_sig_rsa;
9142 case kea_dh_dss_export:
9144 case kea_dhe_dss_export:
9145 sigAlg = tls_sig_dsa;
9147 case kea_ecdh_ecdsa:
9148 case kea_ecdhe_ecdsa:
9149 sigAlg = tls_sig_ecdsa;
9152 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
9155 out->sigAlg = sigAlg;
9157 if (ss->version <= SSL_LIBRARY_VERSION_TLS_1_1) {
9158 /* SEC_OID_UNKNOWN means the MD5/SHA1 combo hash used in TLS 1.1 and
9160 out->hashAlg = SEC_OID_UNKNOWN;
9164 if (ss->ssl3.hs.numClientSigAndHash == 0) {
9165 /* If the client didn't provide any signature_algorithms extension then
9166 * we can assume that they support SHA-1:
9167 * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
9168 out->hashAlg = SEC_OID_SHA1;
9172 for (i = 0; i < PR_ARRAY_SIZE(hashPreference); i++) {
9173 for (j = 0; j < ss->ssl3.hs.numClientSigAndHash; j++) {
9174 const SSL3SignatureAndHashAlgorithm* sh =
9175 &ss->ssl3.hs.clientSigAndHash[j];
9176 if (sh->sigAlg == sigAlg && sh->hashAlg == hashPreference[i]) {
9177 out->hashAlg = sh->hashAlg;
9183 PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
9189 ssl3_SendServerKeyExchange(sslSocket *ss)
9191 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def;
9192 SECStatus rv = SECFailure;
9195 SECItem signed_hash = {siBuffer, NULL, 0};
9197 SECKEYPublicKey * sdPub; /* public key for step-down */
9198 SSL3SignatureAndHashAlgorithm sigAndHash;
9200 SSL_TRC(3, ("%d: SSL3[%d]: send server_key_exchange handshake",
9201 SSL_GETPID(), ss->fd));
9203 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
9204 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
9206 if (ssl3_PickSignatureHashAlgorithm(ss, &sigAndHash) != SECSuccess) {
9210 switch (kea_def->exchKeyType) {
9212 /* Perform SSL Step-Down here. */
9213 sdPub = ss->stepDownKeyPair->pubKey;
9214 PORT_Assert(sdPub != NULL);
9216 PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
9219 rv = ssl3_ComputeExportRSAKeyHash(sigAndHash.hashAlg,
9220 sdPub->u.rsa.modulus,
9221 sdPub->u.rsa.publicExponent,
9222 &ss->ssl3.hs.client_random,
9223 &ss->ssl3.hs.server_random,
9224 &hashes, ss->opt.bypassPKCS11);
9225 if (rv != SECSuccess) {
9226 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
9230 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
9231 rv = ssl3_SignHashes(&hashes, ss->serverCerts[kt_rsa].SERVERKEY,
9232 &signed_hash, isTLS);
9233 if (rv != SECSuccess) {
9234 goto loser; /* ssl3_SignHashes has set err. */
9236 if (signed_hash.data == NULL) {
9237 /* how can this happen and rv == SECSuccess ?? */
9238 PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
9241 length = 2 + sdPub->u.rsa.modulus.len +
9242 2 + sdPub->u.rsa.publicExponent.len +
9243 2 + signed_hash.len;
9245 rv = ssl3_AppendHandshakeHeader(ss, server_key_exchange, length);
9246 if (rv != SECSuccess) {
9247 goto loser; /* err set by AppendHandshake. */
9250 rv = ssl3_AppendHandshakeVariable(ss, sdPub->u.rsa.modulus.data,
9251 sdPub->u.rsa.modulus.len, 2);
9252 if (rv != SECSuccess) {
9253 goto loser; /* err set by AppendHandshake. */
9256 rv = ssl3_AppendHandshakeVariable(
9257 ss, sdPub->u.rsa.publicExponent.data,
9258 sdPub->u.rsa.publicExponent.len, 2);
9259 if (rv != SECSuccess) {
9260 goto loser; /* err set by AppendHandshake. */
9263 if (ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
9264 rv = ssl3_AppendSignatureAndHashAlgorithm(ss, &sigAndHash);
9265 if (rv != SECSuccess) {
9266 goto loser; /* err set by AppendHandshake. */
9270 rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data,
9271 signed_hash.len, 2);
9272 if (rv != SECSuccess) {
9273 goto loser; /* err set by AppendHandshake. */
9275 PORT_Free(signed_hash.data);
9278 #ifdef NSS_ENABLE_ECC
9280 rv = ssl3_SendECDHServerKeyExchange(ss, &sigAndHash);
9283 #endif /* NSS_ENABLE_ECC */
9288 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
9292 if (signed_hash.data != NULL)
9293 PORT_Free(signed_hash.data);
9299 ssl3_SendCertificateRequest(sslSocket *ss)
9303 CERTDistNames *ca_list;
9304 const PRUint8 *certTypes;
9305 const PRUint8 *sigAlgs;
9306 SECItem * names = NULL;
9312 int certTypesLength;
9315 SSL_TRC(3, ("%d: SSL3[%d]: send certificate_request handshake",
9316 SSL_GETPID(), ss->fd));
9318 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
9319 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
9321 isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
9323 /* ssl3.ca_list is initialized to NULL, and never changed. */
9324 ca_list = ss->ssl3.ca_list;
9326 ca_list = ssl3_server_ca_list;
9329 if (ca_list != NULL) {
9330 names = ca_list->names;
9331 nnames = ca_list->nnames;
9334 for (i = 0, name = names; i < nnames; i++, name++) {
9335 calen += 2 + name->len;
9338 certTypes = certificate_types;
9339 certTypesLength = sizeof certificate_types;
9340 sigAlgs = supported_signature_algorithms;
9341 sigAlgsLength = sizeof supported_signature_algorithms;
9343 length = 1 + certTypesLength + 2 + calen;
9345 length += 2 + sigAlgsLength;
9348 rv = ssl3_AppendHandshakeHeader(ss, certificate_request, length);
9349 if (rv != SECSuccess) {
9350 return rv; /* err set by AppendHandshake. */
9352 rv = ssl3_AppendHandshakeVariable(ss, certTypes, certTypesLength, 1);
9353 if (rv != SECSuccess) {
9354 return rv; /* err set by AppendHandshake. */
9357 rv = ssl3_AppendHandshakeVariable(ss, sigAlgs, sigAlgsLength, 2);
9358 if (rv != SECSuccess) {
9359 return rv; /* err set by AppendHandshake. */
9362 rv = ssl3_AppendHandshakeNumber(ss, calen, 2);
9363 if (rv != SECSuccess) {
9364 return rv; /* err set by AppendHandshake. */
9366 for (i = 0, name = names; i < nnames; i++, name++) {
9367 rv = ssl3_AppendHandshakeVariable(ss, name->data, name->len, 2);
9368 if (rv != SECSuccess) {
9369 return rv; /* err set by AppendHandshake. */
9377 ssl3_SendServerHelloDone(sslSocket *ss)
9381 SSL_TRC(3, ("%d: SSL3[%d]: send server_hello_done handshake",
9382 SSL_GETPID(), ss->fd));
9384 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
9385 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
9387 rv = ssl3_AppendHandshakeHeader(ss, server_hello_done, 0);
9388 if (rv != SECSuccess) {
9389 return rv; /* err set by AppendHandshake. */
9391 rv = ssl3_FlushHandshake(ss, 0);
9392 if (rv != SECSuccess) {
9393 return rv; /* error code set by ssl3_FlushHandshake */
9398 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
9399 * ssl3 Certificate Verify message
9400 * Caller must hold Handshake and RecvBuf locks.
9403 ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
9406 SECItem signed_hash = {siBuffer, NULL, 0};
9408 int errCode = SSL_ERROR_RX_MALFORMED_CERT_VERIFY;
9409 SSL3AlertDescription desc = handshake_failure;
9410 PRBool isTLS, isTLS12;
9411 SSL3SignatureAndHashAlgorithm sigAndHash;
9413 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_verify handshake",
9414 SSL_GETPID(), ss->fd));
9415 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
9416 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
9418 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
9419 isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
9421 if (ss->ssl3.hs.ws != wait_cert_verify || ss->sec.peerCert == NULL) {
9422 desc = unexpected_message;
9423 errCode = SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY;
9428 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length,
9430 if (rv != SECSuccess) {
9431 goto loser; /* malformed or unsupported. */
9433 rv = ssl3_CheckSignatureAndHashAlgorithmConsistency(
9434 &sigAndHash, ss->sec.peerCert);
9435 if (rv != SECSuccess) {
9436 errCode = PORT_GetError();
9437 desc = decrypt_error;
9441 /* We only support CertificateVerify messages that use the handshake
9443 if (sigAndHash.hashAlg != hashes->hashAlg) {
9444 errCode = SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM;
9445 desc = decrypt_error;
9450 rv = ssl3_ConsumeHandshakeVariable(ss, &signed_hash, 2, &b, &length);
9451 if (rv != SECSuccess) {
9452 goto loser; /* malformed. */
9455 /* XXX verify that the key & kea match */
9456 rv = ssl3_VerifySignedHashes(hashes, ss->sec.peerCert, &signed_hash,
9457 isTLS, ss->pkcs11PinArg);
9458 if (rv != SECSuccess) {
9459 errCode = PORT_GetError();
9460 desc = isTLS ? decrypt_error : handshake_failure;
9464 signed_hash.data = NULL;
9467 desc = isTLS ? decode_error : illegal_parameter;
9468 goto alert_loser; /* malformed */
9470 ss->ssl3.hs.ws = wait_change_cipher;
9474 SSL3_SendAlert(ss, alert_fatal, desc);
9476 PORT_SetError(errCode);
9481 /* find a slot that is able to generate a PMS and wrap it with RSA.
9482 * Then generate and return the PMS.
9483 * If the serverKeySlot parameter is non-null, this function will use
9484 * that slot to do the job, otherwise it will find a slot.
9486 * Called from ssl3_DeriveConnectionKeysPKCS11() (above)
9487 * sendRSAClientKeyExchange() (above)
9488 * ssl3_HandleRSAClientKeyExchange() (below)
9489 * Caller must hold the SpecWriteLock, the SSL3HandshakeLock
9492 ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
9493 PK11SlotInfo * serverKeySlot)
9495 PK11SymKey * pms = NULL;
9496 PK11SlotInfo * slot = serverKeySlot;
9497 void * pwArg = ss->pkcs11PinArg;
9500 CK_MECHANISM_TYPE mechanism_array[3];
9502 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
9505 SSLCipherAlgorithm calg;
9506 /* The specReadLock would suffice here, but we cannot assert on
9507 ** read locks. Also, all the callers who call with a non-null
9508 ** slot already hold the SpecWriteLock.
9510 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
9511 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
9513 calg = spec->cipher_def->calg;
9514 PORT_Assert(alg2Mech[calg].calg == calg);
9516 /* First get an appropriate slot. */
9517 mechanism_array[0] = CKM_SSL3_PRE_MASTER_KEY_GEN;
9518 mechanism_array[1] = CKM_RSA_PKCS;
9519 mechanism_array[2] = alg2Mech[calg].cmech;
9521 slot = PK11_GetBestSlotMultiple(mechanism_array, 3, pwArg);
9523 /* can't find a slot with all three, find a slot with the minimum */
9524 slot = PK11_GetBestSlotMultiple(mechanism_array, 2, pwArg);
9526 PORT_SetError(SSL_ERROR_TOKEN_SLOT_NOT_FOUND);
9527 return pms; /* which is NULL */
9532 /* Generate the pre-master secret ... */
9534 SSL3ProtocolVersion temp;
9536 temp = dtls_TLSVersionToDTLSVersion(ss->clientHelloVersion);
9537 version.major = MSB(temp);
9538 version.minor = LSB(temp);
9540 version.major = MSB(ss->clientHelloVersion);
9541 version.minor = LSB(ss->clientHelloVersion);
9544 param.data = (unsigned char *)&version;
9545 param.len = sizeof version;
9547 pms = PK11_KeyGen(slot, CKM_SSL3_PRE_MASTER_KEY_GEN, ¶m, 0, pwArg);
9549 PK11_FreeSlot(slot);
9551 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
9556 /* Note: The Bleichenbacher attack on PKCS#1 necessitates that we NEVER
9557 * return any indication of failure of the Client Key Exchange message,
9558 * where that failure is caused by the content of the client's message.
9559 * This function must not return SECFailure for any reason that is directly
9560 * or indirectly caused by the content of the client's encrypted PMS.
9561 * We must not send an alert and also not drop the connection.
9562 * Instead, we generate a random PMS. This will cause a failure
9563 * in the processing the finished message, which is exactly where
9564 * the failure must occur.
9566 * Called from ssl3_HandleClientKeyExchange
9569 ssl3_HandleRSAClientKeyExchange(sslSocket *ss,
9572 SECKEYPrivateKey *serverKey)
9575 #ifndef NO_PKCS11_BYPASS
9576 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random;
9577 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random;
9578 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec;
9579 unsigned int outLen = 0;
9581 PRBool isTLS = PR_FALSE;
9584 unsigned char rsaPmsBuf[SSL3_RSA_PMS_LENGTH];
9585 SECItem pmsItem = {siBuffer, NULL, 0};
9587 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
9588 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
9589 PORT_Assert( ss->ssl3.prSpec == ss->ssl3.pwSpec );
9592 enc_pms.len = length;
9593 pmsItem.data = rsaPmsBuf;
9594 pmsItem.len = sizeof rsaPmsBuf;
9596 if (ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */
9598 kLen = ssl3_ConsumeHandshakeNumber(ss, 2, &enc_pms.data, &enc_pms.len);
9600 PORT_SetError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
9603 if ((unsigned)kLen < enc_pms.len) {
9608 isTLS = (PRBool)(ss->ssl3.hs.kea_def->tls_keygen != 0);
9611 #ifndef NO_PKCS11_BYPASS
9612 if (ss->opt.bypassPKCS11) {
9613 /* TRIPLE BYPASS, get PMS directly from RSA decryption.
9614 * Use PK11_PrivDecryptPKCS1 to decrypt the PMS to a buffer,
9615 * then, check for version rollback attack, then
9616 * do the equivalent of ssl3_DeriveMasterSecret, placing the MS in
9617 * pwSpec->msItem. Finally call ssl3_InitPendingCipherSpec with
9618 * ss and NULL, so that it will use the MS we've already derived here.
9621 rv = PK11_PrivDecryptPKCS1(serverKey, rsaPmsBuf, &outLen,
9622 sizeof rsaPmsBuf, enc_pms.data, enc_pms.len);
9623 if (rv != SECSuccess) {
9624 /* triple bypass failed. Let's try for a double bypass. */
9626 } else if (ss->opt.detectRollBack) {
9627 SSL3ProtocolVersion client_version =
9628 (rsaPmsBuf[0] << 8) | rsaPmsBuf[1];
9631 client_version = dtls_DTLSVersionToTLSVersion(client_version);
9634 if (client_version != ss->clientHelloVersion) {
9635 /* Version roll-back detected. ensure failure. */
9636 rv = PK11_GenerateRandom(rsaPmsBuf, sizeof rsaPmsBuf);
9639 /* have PMS, build MS without PKCS11 */
9640 rv = ssl3_MasterKeyDeriveBypass(pwSpec, cr, sr, &pmsItem, isTLS,
9642 if (rv != SECSuccess) {
9643 pwSpec->msItem.data = pwSpec->raw_master_secret;
9644 pwSpec->msItem.len = SSL3_MASTER_SECRET_LENGTH;
9645 PK11_GenerateRandom(pwSpec->msItem.data, pwSpec->msItem.len);
9647 rv = ssl3_InitPendingCipherSpec(ss, NULL);
9651 #ifndef NO_PKCS11_BYPASS
9655 * unwrap pms out of the incoming buffer
9656 * Note: CKM_SSL3_MASTER_KEY_DERIVE is NOT the mechanism used to do
9657 * the unwrap. Rather, it is the mechanism with which the
9658 * unwrapped pms will be used.
9660 pms = PK11_PubUnwrapSymKey(serverKey, &enc_pms,
9661 CKM_SSL3_MASTER_KEY_DERIVE, CKA_DERIVE, 0);
9663 PRINT_BUF(60, (ss, "decrypted premaster secret:",
9664 PK11_GetKeyData(pms)->data,
9665 PK11_GetKeyData(pms)->len));
9667 /* unwrap failed. Generate a bogus PMS and carry on. */
9668 PK11SlotInfo * slot = PK11_GetSlotFromPrivateKey(serverKey);
9670 ssl_GetSpecWriteLock(ss);
9671 pms = ssl3_GenerateRSAPMS(ss, ss->ssl3.prSpec, slot);
9672 ssl_ReleaseSpecWriteLock(ss);
9673 PK11_FreeSlot(slot);
9678 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
9682 /* This step will derive the MS from the PMS, among other things. */
9683 rv = ssl3_InitPendingCipherSpec(ss, pms);
9684 PK11_FreeSymKey(pms);
9687 if (rv != SECSuccess) {
9689 return SECFailure; /* error code set by ssl3_InitPendingCipherSpec */
9695 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
9696 * ssl3 ClientKeyExchange message from the remote client
9697 * Caller must hold Handshake and RecvBuf locks.
9700 ssl3_HandleClientKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
9702 SECKEYPrivateKey *serverKey = NULL;
9704 const ssl3KEADef *kea_def;
9705 ssl3KeyPair *serverKeyPair = NULL;
9706 #ifdef NSS_ENABLE_ECC
9707 SECKEYPublicKey *serverPubKey = NULL;
9708 #endif /* NSS_ENABLE_ECC */
9710 SSL_TRC(3, ("%d: SSL3[%d]: handle client_key_exchange handshake",
9711 SSL_GETPID(), ss->fd));
9713 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
9714 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
9716 if (ss->ssl3.hs.ws != wait_client_key) {
9717 SSL3_SendAlert(ss, alert_fatal, unexpected_message);
9718 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH);
9722 kea_def = ss->ssl3.hs.kea_def;
9724 if (ss->ssl3.hs.usedStepDownKey) {
9725 PORT_Assert(kea_def->is_limited /* XXX OR cert is signing only */
9726 && kea_def->exchKeyType == kt_rsa
9727 && ss->stepDownKeyPair != NULL);
9728 if (!kea_def->is_limited ||
9729 kea_def->exchKeyType != kt_rsa ||
9730 ss->stepDownKeyPair == NULL) {
9731 /* shouldn't happen, don't use step down if it does */
9734 serverKeyPair = ss->stepDownKeyPair;
9735 ss->sec.keaKeyBits = EXPORT_RSA_KEY_LENGTH * BPB;
9738 #ifdef NSS_ENABLE_ECC
9739 /* XXX Using SSLKEAType to index server certifiates
9740 * does not work for (EC)DHE ciphers. Until we have
9741 * an indexing mechanism general enough for all key
9742 * exchange algorithms, we'll need to deal with each
9745 if ((kea_def->kea == kea_ecdhe_rsa) ||
9746 (kea_def->kea == kea_ecdhe_ecdsa)) {
9747 if (ss->ephemeralECDHKeyPair != NULL) {
9748 serverKeyPair = ss->ephemeralECDHKeyPair;
9749 if (serverKeyPair->pubKey) {
9750 ss->sec.keaKeyBits =
9751 SECKEY_PublicKeyStrengthInBits(serverKeyPair->pubKey);
9757 sslServerCerts * sc = ss->serverCerts + kea_def->exchKeyType;
9758 serverKeyPair = sc->serverKeyPair;
9759 ss->sec.keaKeyBits = sc->serverKeyBits;
9762 if (serverKeyPair) {
9763 serverKey = serverKeyPair->privKey;
9766 if (serverKey == NULL) {
9768 PORT_SetError(SSL_ERROR_NO_SERVER_KEY_FOR_ALG);
9772 ss->sec.keaType = kea_def->exchKeyType;
9774 switch (kea_def->exchKeyType) {
9776 rv = ssl3_HandleRSAClientKeyExchange(ss, b, length, serverKey);
9777 if (rv != SECSuccess) {
9779 return SECFailure; /* error code set */
9784 #ifdef NSS_ENABLE_ECC
9786 /* XXX We really ought to be able to store multiple
9787 * EC certs (a requirement if we wish to support both
9788 * ECDH-RSA and ECDH-ECDSA key exchanges concurrently).
9789 * When we make that change, we'll need an index other
9790 * than kt_ecdh to pick the right EC certificate.
9792 if (serverKeyPair) {
9793 serverPubKey = serverKeyPair->pubKey;
9795 if (serverPubKey == NULL) {
9796 /* XXX Is this the right error code? */
9797 PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
9800 rv = ssl3_HandleECDHClientKeyExchange(ss, b, length,
9801 serverPubKey, serverKey);
9802 if (rv != SECSuccess) {
9803 return SECFailure; /* error code set */
9806 #endif /* NSS_ENABLE_ECC */
9809 (void) ssl3_HandshakeFailure(ss);
9810 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
9813 ss->ssl3.hs.ws = ss->sec.peerCert ? wait_cert_verify : wait_change_cipher;
9818 /* This is TLS's equivalent of sending a no_certificate alert. */
9820 ssl3_SendEmptyCertificate(sslSocket *ss)
9824 rv = ssl3_AppendHandshakeHeader(ss, certificate, 3);
9825 if (rv == SECSuccess) {
9826 rv = ssl3_AppendHandshakeNumber(ss, 0, 3);
9828 return rv; /* error, if any, set by functions called above. */
9832 ssl3_HandleNewSessionTicket(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
9837 SSL_TRC(3, ("%d: SSL3[%d]: handle session_ticket handshake",
9838 SSL_GETPID(), ss->fd));
9840 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
9841 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
9843 PORT_Assert(!ss->ssl3.hs.newSessionTicket.ticket.data);
9844 PORT_Assert(!ss->ssl3.hs.receivedNewSessionTicket);
9846 if (ss->ssl3.hs.ws != wait_new_session_ticket) {
9847 SSL3_SendAlert(ss, alert_fatal, unexpected_message);
9848 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET);
9852 /* RFC5077 Section 3.3: "The client MUST NOT treat the ticket as valid
9853 * until it has verified the server's Finished message." See the comment in
9854 * ssl3_FinishHandshake for more details.
9856 ss->ssl3.hs.newSessionTicket.received_timestamp = ssl_Time();
9858 (void)SSL3_SendAlert(ss, alert_fatal, decode_error);
9859 PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET);
9862 ss->ssl3.hs.newSessionTicket.ticket_lifetime_hint =
9863 (PRUint32)ssl3_ConsumeHandshakeNumber(ss, 4, &b, &length);
9865 rv = ssl3_ConsumeHandshakeVariable(ss, &ticketData, 2, &b, &length);
9866 if (length != 0 || rv != SECSuccess) {
9867 (void)SSL3_SendAlert(ss, alert_fatal, decode_error);
9868 PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET);
9869 return SECFailure; /* malformed */
9871 rv = SECITEM_CopyItem(NULL, &ss->ssl3.hs.newSessionTicket.ticket,
9873 if (rv != SECSuccess) {
9876 ss->ssl3.hs.receivedNewSessionTicket = PR_TRUE;
9878 ss->ssl3.hs.ws = wait_change_cipher;
9883 static PRInt32 connNum = 0;
9886 get_fake_cert(SECItem *pCertItem, int *pIndex)
9892 const char *extension;
9894 PRInt32 numBytes = 0;
9899 pCertItem->data = 0;
9900 if ((testdir = PR_GetEnv("NISCC_TEST")) == NULL) {
9903 *pIndex = (NULL != strstr(testdir, "root"));
9904 extension = (strstr(testdir, "simple") ? "" : ".der");
9905 fileNum = PR_ATOMIC_INCREMENT(&connNum) - 1;
9906 if ((startat = PR_GetEnv("START_AT")) != NULL) {
9907 fileNum += atoi(startat);
9909 if ((stopat = PR_GetEnv("STOP_AT")) != NULL &&
9910 fileNum >= atoi(stopat)) {
9914 sprintf(cfn, "%s/%08d%s", testdir, fileNum, extension);
9915 cf = PR_Open(cfn, PR_RDONLY, 0);
9919 prStatus = PR_GetOpenFileInfo(cf, &info);
9920 if (prStatus != PR_SUCCESS) {
9924 pCertItem = SECITEM_AllocItem(NULL, pCertItem, info.size);
9926 numBytes = PR_Read(cf, pCertItem->data, info.size);
9929 if (numBytes != info.size) {
9930 SECITEM_FreeItem(pCertItem, PR_FALSE);
9931 PORT_SetError(SEC_ERROR_IO);
9934 fprintf(stderr, "using %s\n", cfn);
9938 fprintf(stderr, "failed to use %s\n", cfn);
9945 * Used by both client and server.
9946 * Called from HandleServerHelloDone and from SendServerHelloSequence.
9949 ssl3_SendCertificate(sslSocket *ss)
9952 CERTCertificateList *certChain;
9955 SSL3KEAType certIndex;
9961 SSL_TRC(3, ("%d: SSL3[%d]: send certificate handshake",
9962 SSL_GETPID(), ss->fd));
9964 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
9965 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
9967 if (ss->sec.localCert)
9968 CERT_DestroyCertificate(ss->sec.localCert);
9969 if (ss->sec.isServer) {
9970 sslServerCerts * sc = NULL;
9972 /* XXX SSLKEAType isn't really a good choice for
9973 * indexing certificates (it breaks when we deal
9974 * with (EC)DHE-* cipher suites. This hack ensures
9975 * the RSA cert is picked for (EC)DHE-RSA.
9976 * Revisit this when we add server side support
9977 * for ECDHE-ECDSA or client-side authentication
9978 * using EC certificates.
9980 if ((ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) ||
9981 (ss->ssl3.hs.kea_def->kea == kea_dhe_rsa)) {
9984 certIndex = ss->ssl3.hs.kea_def->exchKeyType;
9986 sc = ss->serverCerts + certIndex;
9987 certChain = sc->serverCertChain;
9988 ss->sec.authKeyBits = sc->serverKeyBits;
9989 ss->sec.authAlgorithm = ss->ssl3.hs.kea_def->signKeyType;
9990 ss->sec.localCert = CERT_DupCertificate(sc->serverCert);
9992 certChain = ss->ssl3.clientCertChain;
9993 ss->sec.localCert = CERT_DupCertificate(ss->ssl3.clientCertificate);
9997 rv = get_fake_cert(&fakeCert, &ndex);
10001 for (i = 0; i < certChain->len; i++) {
10003 if (fakeCert.len > 0 && i == ndex) {
10004 len += fakeCert.len + 3;
10006 len += certChain->certs[i].len + 3;
10009 len += certChain->certs[i].len + 3;
10014 rv = ssl3_AppendHandshakeHeader(ss, certificate, len + 3);
10015 if (rv != SECSuccess) {
10016 return rv; /* err set by AppendHandshake. */
10018 rv = ssl3_AppendHandshakeNumber(ss, len, 3);
10019 if (rv != SECSuccess) {
10020 return rv; /* err set by AppendHandshake. */
10023 for (i = 0; i < certChain->len; i++) {
10025 if (fakeCert.len > 0 && i == ndex) {
10026 rv = ssl3_AppendHandshakeVariable(ss, fakeCert.data,
10028 SECITEM_FreeItem(&fakeCert, PR_FALSE);
10030 rv = ssl3_AppendHandshakeVariable(ss, certChain->certs[i].data,
10031 certChain->certs[i].len, 3);
10034 rv = ssl3_AppendHandshakeVariable(ss, certChain->certs[i].data,
10035 certChain->certs[i].len, 3);
10037 if (rv != SECSuccess) {
10038 return rv; /* err set by AppendHandshake. */
10047 * Used by server only.
10048 * single-stapling, send only a single cert status
10051 ssl3_SendCertificateStatus(sslSocket *ss)
10055 SECItemArray *statusToSend = NULL;
10056 SSL3KEAType certIndex;
10058 SSL_TRC(3, ("%d: SSL3[%d]: send certificate status handshake",
10059 SSL_GETPID(), ss->fd));
10061 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
10062 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
10063 PORT_Assert( ss->sec.isServer);
10065 if (!ssl3_ExtensionNegotiated(ss, ssl_cert_status_xtn))
10068 /* Use certStatus based on the cert being used. */
10069 if ((ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) ||
10070 (ss->ssl3.hs.kea_def->kea == kea_dhe_rsa)) {
10071 certIndex = kt_rsa;
10073 certIndex = ss->ssl3.hs.kea_def->exchKeyType;
10075 if (ss->certStatusArray[certIndex] && ss->certStatusArray[certIndex]->len) {
10076 statusToSend = ss->certStatusArray[certIndex];
10081 /* Use the array's first item only (single stapling) */
10082 len = 1 + statusToSend->items[0].len + 3;
10084 rv = ssl3_AppendHandshakeHeader(ss, certificate_status, len);
10085 if (rv != SECSuccess) {
10086 return rv; /* err set by AppendHandshake. */
10088 rv = ssl3_AppendHandshakeNumber(ss, 1 /*ocsp*/, 1);
10089 if (rv != SECSuccess)
10090 return rv; /* err set by AppendHandshake. */
10092 rv = ssl3_AppendHandshakeVariable(ss,
10093 statusToSend->items[0].data,
10094 statusToSend->items[0].len,
10096 if (rv != SECSuccess)
10097 return rv; /* err set by AppendHandshake. */
10102 /* This is used to delete the CA certificates in the peer certificate chain
10103 * from the cert database after they've been validated.
10106 ssl3_CleanupPeerCerts(sslSocket *ss)
10108 PLArenaPool * arena = ss->ssl3.peerCertArena;
10109 ssl3CertNode *certs = (ssl3CertNode *)ss->ssl3.peerCertChain;
10111 for (; certs; certs = certs->next) {
10112 CERT_DestroyCertificate(certs->cert);
10114 if (arena) PORT_FreeArena(arena, PR_FALSE);
10115 ss->ssl3.peerCertArena = NULL;
10116 ss->ssl3.peerCertChain = NULL;
10120 ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid)
10122 PLArenaPool *arena;
10123 ssl3CertNode *lastCert = NULL;
10124 ssl3CertNode *certs = NULL;
10127 if (!sid->peerCertChain[0])
10129 PORT_Assert(!ss->ssl3.peerCertArena);
10130 PORT_Assert(!ss->ssl3.peerCertChain);
10131 ss->ssl3.peerCertArena = arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
10132 for (i = 0; i < MAX_PEER_CERT_CHAIN_SIZE && sid->peerCertChain[i]; i++) {
10133 ssl3CertNode *c = PORT_ArenaNew(arena, ssl3CertNode);
10134 c->cert = CERT_DupCertificate(sid->peerCertChain[i]);
10137 lastCert->next = c;
10143 ss->ssl3.peerCertChain = certs;
10147 ssl3_CopyPeerCertsToSID(ssl3CertNode *certs, sslSessionID *sid)
10150 ssl3CertNode *c = certs;
10151 for (; i < MAX_PEER_CERT_CHAIN_SIZE && c; i++, c = c->next) {
10152 PORT_Assert(!sid->peerCertChain[i]);
10153 sid->peerCertChain[i] = CERT_DupCertificate(c->cert);
10157 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
10158 * ssl3 CertificateStatus message.
10159 * Caller must hold Handshake and RecvBuf locks.
10160 * This is always called before ssl3_HandleCertificate, even if the Certificate
10161 * message is sent first.
10164 ssl3_HandleCertificateStatus(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
10166 PRInt32 status, len;
10168 if (ss->ssl3.hs.ws != wait_certificate_status) {
10169 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
10170 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_STATUS);
10174 PORT_Assert(!ss->sec.isServer);
10176 /* Consume the CertificateStatusType enum */
10177 status = ssl3_ConsumeHandshakeNumber(ss, 1, &b, &length);
10178 if (status != 1 /* ocsp */) {
10182 len = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
10183 if (len != length) {
10187 #define MAX_CERTSTATUS_LEN 0x1ffff /* 128k - 1 */
10188 if (length > MAX_CERTSTATUS_LEN)
10190 #undef MAX_CERTSTATUS_LEN
10192 /* Array size 1, because we currently implement single-stapling only */
10193 SECITEM_AllocArray(NULL, &ss->sec.ci.sid->peerCertStatus, 1);
10194 if (!ss->sec.ci.sid->peerCertStatus.items)
10197 ss->sec.ci.sid->peerCertStatus.items[0].data = PORT_Alloc(length);
10199 if (!ss->sec.ci.sid->peerCertStatus.items[0].data) {
10200 SECITEM_FreeArray(&ss->sec.ci.sid->peerCertStatus, PR_FALSE);
10204 PORT_Memcpy(ss->sec.ci.sid->peerCertStatus.items[0].data, b, length);
10205 ss->sec.ci.sid->peerCertStatus.items[0].len = length;
10206 ss->sec.ci.sid->peerCertStatus.items[0].type = siBuffer;
10208 return ssl3_AuthCertificate(ss);
10211 return ssl3_DecodeError(ss);
10214 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
10215 * ssl3 Certificate message.
10216 * Caller must hold Handshake and RecvBuf locks.
10219 ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
10222 ssl3CertNode * lastCert = NULL;
10223 PRInt32 remaining = 0;
10226 PRBool isServer = (PRBool)(!!ss->sec.isServer);
10228 SSL3AlertDescription desc;
10229 int errCode = SSL_ERROR_RX_MALFORMED_CERTIFICATE;
10232 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate handshake",
10233 SSL_GETPID(), ss->fd));
10234 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
10235 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
10237 if ((ss->ssl3.hs.ws != wait_server_cert) &&
10238 (ss->ssl3.hs.ws != wait_client_cert)) {
10239 desc = unexpected_message;
10240 errCode = SSL_ERROR_RX_UNEXPECTED_CERTIFICATE;
10244 if (ss->sec.peerCert != NULL) {
10245 if (ss->sec.peerKey) {
10246 SECKEY_DestroyPublicKey(ss->sec.peerKey);
10247 ss->sec.peerKey = NULL;
10249 CERT_DestroyCertificate(ss->sec.peerCert);
10250 ss->sec.peerCert = NULL;
10253 ssl3_CleanupPeerCerts(ss);
10254 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
10256 /* It is reported that some TLS client sends a Certificate message
10257 ** with a zero-length message body. We'll treat that case like a
10258 ** normal no_certificates message to maximize interoperability.
10261 remaining = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
10263 goto loser; /* fatal alert already sent by ConsumeHandshake. */
10264 if ((PRUint32)remaining > length)
10269 if (!(isTLS && isServer)) {
10270 desc = bad_certificate;
10273 /* This is TLS's version of a no_certificate alert. */
10274 /* I'm a server. I've requested a client cert. He hasn't got one. */
10275 rv = ssl3_HandleNoCertificate(ss);
10276 if (rv != SECSuccess) {
10277 errCode = PORT_GetError();
10280 ss->ssl3.hs.ws = wait_client_key;
10284 ss->ssl3.peerCertArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
10285 if (ss->ssl3.peerCertArena == NULL) {
10286 goto loser; /* don't send alerts on memory errors */
10289 /* First get the peer cert. */
10294 size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
10296 goto loser; /* fatal alert already sent by ConsumeHandshake. */
10298 if (remaining < size)
10302 certItem.len = size;
10307 ss->sec.peerCert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
10308 PR_FALSE, PR_TRUE);
10309 if (ss->sec.peerCert == NULL) {
10310 /* We should report an alert if the cert was bad, but not if the
10311 * problem was just some local problem, like memory error.
10313 goto ambiguous_err;
10316 /* Now get all of the CA certs. */
10317 while (remaining > 0) {
10322 size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
10324 goto loser; /* fatal alert already sent by ConsumeHandshake. */
10326 if (remaining < size)
10330 certItem.len = size;
10335 c = PORT_ArenaNew(ss->ssl3.peerCertArena, ssl3CertNode);
10337 goto loser; /* don't send alerts on memory errors */
10340 c->cert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
10341 PR_FALSE, PR_TRUE);
10342 if (c->cert == NULL) {
10343 goto ambiguous_err;
10348 lastCert->next = c;
10350 ss->ssl3.peerCertChain = c;
10355 if (remaining != 0)
10358 SECKEY_UpdateCertPQG(ss->sec.peerCert);
10360 if (!isServer && ssl3_ExtensionNegotiated(ss, ssl_cert_status_xtn)) {
10361 ss->ssl3.hs.ws = wait_certificate_status;
10364 rv = ssl3_AuthCertificate(ss); /* sets ss->ssl3.hs.ws */
10370 errCode = PORT_GetError();
10372 case PR_OUT_OF_MEMORY_ERROR:
10373 case SEC_ERROR_BAD_DATABASE:
10374 case SEC_ERROR_NO_MEMORY:
10376 desc = internal_error;
10381 ssl3_SendAlertForCertError(ss, errCode);
10385 desc = isTLS ? decode_error : bad_certificate;
10388 (void)SSL3_SendAlert(ss, alert_fatal, desc);
10391 (void)ssl_MapLowLevelError(errCode);
10396 ssl3_AuthCertificate(sslSocket *ss)
10399 PRBool isServer = (PRBool)(!!ss->sec.isServer);
10402 ss->ssl3.hs.authCertificatePending = PR_FALSE;
10405 * Ask caller-supplied callback function to validate cert chain.
10407 rv = (SECStatus)(*ss->authCertificate)(ss->authCertificateArg, ss->fd,
10408 PR_TRUE, isServer);
10410 errCode = PORT_GetError();
10411 if (rv != SECWouldBlock) {
10412 if (ss->handleBadCert) {
10413 rv = (*ss->handleBadCert)(ss->badCertArg, ss->fd);
10417 if (rv == SECWouldBlock) {
10418 if (ss->sec.isServer) {
10419 errCode = SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SERVERS;
10424 ss->ssl3.hs.authCertificatePending = PR_TRUE;
10428 if (rv != SECSuccess) {
10429 ssl3_SendAlertForCertError(ss, errCode);
10434 ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
10435 ssl3_CopyPeerCertsToSID(ss->ssl3.peerCertChain, ss->sec.ci.sid);
10437 if (!ss->sec.isServer) {
10438 CERTCertificate *cert = ss->sec.peerCert;
10440 /* set the server authentication and key exchange types and sizes
10441 ** from the value in the cert. If the key exchange key is different,
10442 ** it will get fixed when we handle the server key exchange message.
10444 SECKEYPublicKey * pubKey = CERT_ExtractPublicKey(cert);
10445 ss->sec.authAlgorithm = ss->ssl3.hs.kea_def->signKeyType;
10446 ss->sec.keaType = ss->ssl3.hs.kea_def->exchKeyType;
10448 ss->sec.keaKeyBits = ss->sec.authKeyBits =
10449 SECKEY_PublicKeyStrengthInBits(pubKey);
10450 #ifdef NSS_ENABLE_ECC
10451 if (ss->sec.keaType == kt_ecdh) {
10452 /* Get authKeyBits from signing key.
10453 * XXX The code below uses a quick approximation of
10454 * key size based on cert->signatureWrap.signature.data
10455 * (which contains the DER encoded signature). The field
10456 * cert->signatureWrap.signature.len contains the
10457 * length of the encoded signature in bits.
10459 if (ss->ssl3.hs.kea_def->kea == kea_ecdh_ecdsa) {
10460 ss->sec.authKeyBits =
10461 cert->signatureWrap.signature.data[3]*8;
10462 if (cert->signatureWrap.signature.data[4] == 0x00)
10463 ss->sec.authKeyBits -= 8;
10465 * XXX: if cert is not signed by ecdsa we should
10466 * destroy pubKey and goto bad_cert
10468 } else if (ss->ssl3.hs.kea_def->kea == kea_ecdh_rsa) {
10469 ss->sec.authKeyBits = cert->signatureWrap.signature.len;
10471 * XXX: if cert is not signed by rsa we should
10472 * destroy pubKey and goto bad_cert
10476 #endif /* NSS_ENABLE_ECC */
10477 SECKEY_DestroyPublicKey(pubKey);
10481 ss->ssl3.hs.ws = wait_cert_request; /* disallow server_key_exchange */
10482 if (ss->ssl3.hs.kea_def->is_limited ||
10483 /* XXX OR server cert is signing only. */
10484 #ifdef NSS_ENABLE_ECC
10485 ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa ||
10486 ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa ||
10487 #endif /* NSS_ENABLE_ECC */
10488 ss->ssl3.hs.kea_def->exchKeyType == kt_dh) {
10489 ss->ssl3.hs.ws = wait_server_key; /* allow server_key_exchange */
10492 ss->ssl3.hs.ws = wait_client_key;
10495 PORT_Assert(rv == SECSuccess);
10496 if (rv != SECSuccess) {
10497 errCode = SEC_ERROR_LIBRARY_FAILURE;
10505 (void)ssl_MapLowLevelError(errCode);
10509 static SECStatus ssl3_FinishHandshake(sslSocket *ss);
10512 ssl3_AlwaysFail(sslSocket * ss)
10514 PORT_SetError(PR_INVALID_STATE_ERROR);
10518 /* Caller must hold 1stHandshakeLock.
10521 ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode error)
10525 PORT_Assert(ss->opt.noLocks || ssl_Have1stHandshakeLock(ss));
10527 if (ss->sec.isServer) {
10528 PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SERVERS);
10532 ssl_GetRecvBufLock(ss);
10533 ssl_GetSSL3HandshakeLock(ss);
10535 if (!ss->ssl3.hs.authCertificatePending) {
10536 PORT_SetError(PR_INVALID_STATE_ERROR);
10541 ss->ssl3.hs.authCertificatePending = PR_FALSE;
10544 ss->ssl3.hs.restartTarget = ssl3_AlwaysFail;
10545 ssl3_SendAlertForCertError(ss, error);
10547 } else if (ss->ssl3.hs.restartTarget != NULL) {
10548 sslRestartTarget target = ss->ssl3.hs.restartTarget;
10549 ss->ssl3.hs.restartTarget = NULL;
10551 if (target == ssl3_FinishHandshake) {
10552 SSL_TRC(3,("%d: SSL3[%p]: certificate authentication lost the race"
10553 " with peer's finished message", SSL_GETPID(), ss->fd));
10557 /* Even if we blocked here, we have accomplished enough to claim
10558 * success. Any remaining work will be taken care of by subsequent
10559 * calls to SSL_ForceHandshake/PR_Send/PR_Read/etc.
10561 if (rv == SECWouldBlock) {
10565 SSL_TRC(3, ("%d: SSL3[%p]: certificate authentication won the race with"
10566 " peer's finished message", SSL_GETPID(), ss->fd));
10568 PORT_Assert(!ss->ssl3.hs.isResuming);
10569 PORT_Assert(ss->ssl3.hs.ws != idle_handshake);
10571 if (ss->opt.enableFalseStart &&
10572 !ss->firstHsDone &&
10573 !ss->ssl3.hs.isResuming &&
10574 ssl3_WaitingForStartOfServerSecondRound(ss)) {
10575 /* ssl3_SendClientSecondRound deferred the false start check because
10576 * certificate authentication was pending, so we do it now if we still
10577 * haven't received any of the server's second round yet.
10579 rv = ssl3_CheckFalseStart(ss);
10586 ssl_ReleaseSSL3HandshakeLock(ss);
10587 ssl_ReleaseRecvBufLock(ss);
10593 ssl3_ComputeTLSFinished(ssl3CipherSpec *spec,
10595 const SSL3Hashes * hashes,
10596 TLSFinished * tlsFinished)
10598 const char * label;
10602 label = isServer ? "server finished" : "client finished";
10605 rv = ssl3_TLSPRFWithMasterSecret(spec, label, len, hashes->u.raw,
10606 hashes->len, tlsFinished->verify_data,
10607 sizeof tlsFinished->verify_data);
10612 /* The calling function must acquire and release the appropriate
10613 * lock (e.g., ssl_GetSpecReadLock / ssl_ReleaseSpecReadLock for
10614 * ss->ssl3.crSpec).
10617 ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec, const char *label,
10618 unsigned int labelLen, const unsigned char *val, unsigned int valLen,
10619 unsigned char *out, unsigned int outLen)
10621 SECStatus rv = SECSuccess;
10623 if (spec->master_secret && !spec->bypassCiphers) {
10624 SECItem param = {siBuffer, NULL, 0};
10625 CK_MECHANISM_TYPE mech = CKM_TLS_PRF_GENERAL;
10626 PK11Context *prf_context;
10627 unsigned int retLen;
10629 if (spec->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
10630 mech = CKM_NSS_TLS_PRF_GENERAL_SHA256;
10632 prf_context = PK11_CreateContextBySymKey(mech, CKA_SIGN,
10633 spec->master_secret, ¶m);
10637 rv = PK11_DigestBegin(prf_context);
10638 rv |= PK11_DigestOp(prf_context, (unsigned char *) label, labelLen);
10639 rv |= PK11_DigestOp(prf_context, val, valLen);
10640 rv |= PK11_DigestFinal(prf_context, out, &retLen, outLen);
10641 PORT_Assert(rv != SECSuccess || retLen == outLen);
10643 PK11_DestroyContext(prf_context, PR_TRUE);
10645 /* bypass PKCS11 */
10646 #ifdef NO_PKCS11_BYPASS
10647 PORT_Assert(spec->master_secret);
10648 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
10651 SECItem inData = { siBuffer, };
10652 SECItem outData = { siBuffer, };
10653 PRBool isFIPS = PR_FALSE;
10655 inData.data = (unsigned char *) val;
10656 inData.len = valLen;
10657 outData.data = out;
10658 outData.len = outLen;
10659 if (spec->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
10660 rv = TLS_P_hash(HASH_AlgSHA256, &spec->msItem, label, &inData,
10663 rv = TLS_PRF(&spec->msItem, label, &inData, &outData, isFIPS);
10665 PORT_Assert(rv != SECSuccess || outData.len == outLen);
10671 /* called from ssl3_SendClientSecondRound
10672 * ssl3_HandleFinished
10675 ssl3_SendNextProto(sslSocket *ss)
10679 static const unsigned char padding[32] = {0};
10681 if (ss->ssl3.nextProto.len == 0 ||
10682 ss->ssl3.nextProtoState == SSL_NEXT_PROTO_SELECTED) {
10686 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
10687 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
10689 padding_len = 32 - ((ss->ssl3.nextProto.len + 2) % 32);
10691 rv = ssl3_AppendHandshakeHeader(ss, next_proto, ss->ssl3.nextProto.len +
10693 if (rv != SECSuccess) {
10694 return rv; /* error code set by AppendHandshakeHeader */
10696 rv = ssl3_AppendHandshakeVariable(ss, ss->ssl3.nextProto.data,
10697 ss->ssl3.nextProto.len, 1);
10698 if (rv != SECSuccess) {
10699 return rv; /* error code set by AppendHandshake */
10701 rv = ssl3_AppendHandshakeVariable(ss, padding, padding_len, 1);
10702 if (rv != SECSuccess) {
10703 return rv; /* error code set by AppendHandshake */
10708 /* called from ssl3_SendFinished
10710 * This function is simply a debugging aid and therefore does not return a
10713 ssl3_RecordKeyLog(sslSocket *ss)
10717 char buf[14 /* "CLIENT_RANDOM " */ +
10718 SSL3_RANDOM_LENGTH*2 /* client_random */ +
10720 48*2 /* master secret */ +
10724 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
10726 if (!ssl_keylog_iob)
10729 rv = PK11_ExtractKeyValue(ss->ssl3.cwSpec->master_secret);
10730 if (rv != SECSuccess)
10733 ssl_GetSpecReadLock(ss);
10735 /* keyData does not need to be freed. */
10736 keyData = PK11_GetKeyData(ss->ssl3.cwSpec->master_secret);
10737 if (!keyData || !keyData->data || keyData->len != 48) {
10738 ssl_ReleaseSpecReadLock(ss);
10742 /* https://developer.mozilla.org/en/NSS_Key_Log_Format */
10744 /* There could be multiple, concurrent writers to the
10745 * keylog, so we have to do everything in a single call to
10748 memcpy(buf, "CLIENT_RANDOM ", 14);
10750 hexEncode(buf + j, ss->ssl3.hs.client_random.rand, SSL3_RANDOM_LENGTH);
10751 j += SSL3_RANDOM_LENGTH*2;
10753 hexEncode(buf + j, keyData->data, 48);
10757 PORT_Assert(j == sizeof(buf));
10759 ssl_ReleaseSpecReadLock(ss);
10761 if (fwrite(buf, sizeof(buf), 1, ssl_keylog_iob) != 1)
10763 fflush(ssl_keylog_iob);
10767 /* called from ssl3_SendClientSecondRound
10768 * ssl3_HandleFinished
10771 ssl3_SendEncryptedExtensions(sslSocket *ss)
10773 static const char CHANNEL_ID_MAGIC[] = "TLS Channel ID signature";
10774 static const char CHANNEL_ID_RESUMPTION_MAGIC[] = "Resumption";
10775 /* This is the ASN.1 prefix for a P-256 public key. Specifically it's:
10778 * OID id-ecPublicKey
10780 * BIT STRING, length 66, 0 trailing bits: 0x04
10782 * The 0x04 in the BIT STRING is the prefix for an uncompressed, X9.62
10783 * public key. Following that are the two field elements as 32-byte,
10784 * big-endian numbers, as required by the Channel ID. */
10785 static const unsigned char P256_SPKI_PREFIX[] = {
10786 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86,
10787 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a,
10788 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
10791 /* ChannelIDs are always 128 bytes long: 64 bytes of P-256 public key and 64
10792 * bytes of ECDSA signature. */
10793 static const int CHANNEL_ID_PUBLIC_KEY_LENGTH = 64;
10794 static const int CHANNEL_ID_LENGTH = 128;
10796 SECStatus rv = SECFailure;
10797 SECItem *spki = NULL;
10799 const unsigned char *pub_bytes;
10800 unsigned char signed_data[sizeof(CHANNEL_ID_MAGIC) +
10801 sizeof(CHANNEL_ID_RESUMPTION_MAGIC) +
10802 sizeof(SSL3Hashes)*2];
10803 size_t signed_data_len;
10804 unsigned char digest[SHA256_LENGTH];
10805 SECItem digest_item;
10806 unsigned char signature[64];
10807 SECItem signature_item;
10809 PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
10810 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
10812 if (ss->ssl3.channelID == NULL)
10815 PORT_Assert(ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn));
10817 if (SECKEY_GetPrivateKeyType(ss->ssl3.channelID) != ecKey ||
10818 PK11_SignatureLen(ss->ssl3.channelID) != sizeof(signature)) {
10819 PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY);
10824 ssl_GetSpecReadLock(ss);
10825 rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.cwSpec, &hashes, 0);
10826 ssl_ReleaseSpecReadLock(ss);
10828 if (rv != SECSuccess)
10831 rv = ssl3_AppendHandshakeHeader(ss, encrypted_extensions,
10832 2 + 2 + CHANNEL_ID_LENGTH);
10833 if (rv != SECSuccess)
10834 goto loser; /* error code set by AppendHandshakeHeader */
10835 rv = ssl3_AppendHandshakeNumber(ss, ssl_channel_id_xtn, 2);
10836 if (rv != SECSuccess)
10837 goto loser; /* error code set by AppendHandshake */
10838 rv = ssl3_AppendHandshakeNumber(ss, CHANNEL_ID_LENGTH, 2);
10839 if (rv != SECSuccess)
10840 goto loser; /* error code set by AppendHandshake */
10842 spki = SECKEY_EncodeDERSubjectPublicKeyInfo(ss->ssl3.channelIDPub);
10844 if (spki->len != sizeof(P256_SPKI_PREFIX) + CHANNEL_ID_PUBLIC_KEY_LENGTH ||
10845 memcmp(spki->data, P256_SPKI_PREFIX, sizeof(P256_SPKI_PREFIX)) != 0) {
10846 PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY);
10851 pub_bytes = spki->data + sizeof(P256_SPKI_PREFIX);
10853 signed_data_len = 0;
10854 memcpy(signed_data + signed_data_len, CHANNEL_ID_MAGIC,
10855 sizeof(CHANNEL_ID_MAGIC));
10856 signed_data_len += sizeof(CHANNEL_ID_MAGIC);
10857 if (ss->ssl3.hs.isResuming) {
10858 SECItem *originalHandshakeHash =
10859 &ss->sec.ci.sid->u.ssl3.originalHandshakeHash;
10860 PORT_Assert(originalHandshakeHash->len > 0);
10862 memcpy(signed_data + signed_data_len, CHANNEL_ID_RESUMPTION_MAGIC,
10863 sizeof(CHANNEL_ID_RESUMPTION_MAGIC));
10864 signed_data_len += sizeof(CHANNEL_ID_RESUMPTION_MAGIC);
10865 memcpy(signed_data + signed_data_len, originalHandshakeHash->data,
10866 originalHandshakeHash->len);
10867 signed_data_len += originalHandshakeHash->len;
10869 memcpy(signed_data + signed_data_len, hashes.u.raw, hashes.len);
10870 signed_data_len += hashes.len;
10872 rv = PK11_HashBuf(SEC_OID_SHA256, digest, signed_data, signed_data_len);
10873 if (rv != SECSuccess)
10876 digest_item.data = digest;
10877 digest_item.len = sizeof(digest);
10879 signature_item.data = signature;
10880 signature_item.len = sizeof(signature);
10882 rv = PK11_Sign(ss->ssl3.channelID, &signature_item, &digest_item);
10883 if (rv != SECSuccess)
10886 rv = ssl3_AppendHandshake(ss, pub_bytes, CHANNEL_ID_PUBLIC_KEY_LENGTH);
10887 if (rv != SECSuccess)
10889 rv = ssl3_AppendHandshake(ss, signature, sizeof(signature));
10893 SECITEM_FreeItem(spki, PR_TRUE);
10894 if (ss->ssl3.channelID) {
10895 SECKEY_DestroyPrivateKey(ss->ssl3.channelID);
10896 ss->ssl3.channelID = NULL;
10898 if (ss->ssl3.channelIDPub) {
10899 SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
10900 ss->ssl3.channelIDPub = NULL;
10906 /* ssl3_RestartHandshakeAfterChannelIDReq is called to restart a handshake
10907 * after a ChannelID callback returned SECWouldBlock. At this point we have
10908 * processed the server's ServerHello but not yet any further messages. We will
10909 * always get a message from the server after a ServerHello so either they are
10910 * waiting in the buffer or we'll get network I/O. */
10912 ssl3_RestartHandshakeAfterChannelIDReq(sslSocket *ss,
10913 SECKEYPublicKey *channelIDPub,
10914 SECKEYPrivateKey *channelID)
10916 if (ss->handshake == 0) {
10917 SECKEY_DestroyPublicKey(channelIDPub);
10918 SECKEY_DestroyPrivateKey(channelID);
10919 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
10923 if (channelIDPub == NULL ||
10924 channelID == NULL) {
10926 SECKEY_DestroyPublicKey(channelIDPub);
10928 SECKEY_DestroyPrivateKey(channelID);
10929 PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
10933 if (ss->ssl3.channelID)
10934 SECKEY_DestroyPrivateKey(ss->ssl3.channelID);
10935 if (ss->ssl3.channelIDPub)
10936 SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
10938 ss->handshake = ssl_GatherRecord1stHandshake;
10939 ss->ssl3.channelID = channelID;
10940 ss->ssl3.channelIDPub = channelIDPub;
10945 /* called from ssl3_SendClientSecondRound
10946 * ssl3_HandleClientHello
10947 * ssl3_HandleFinished
10950 ssl3_SendFinished(sslSocket *ss, PRInt32 flags)
10952 ssl3CipherSpec *cwSpec;
10954 PRBool isServer = ss->sec.isServer;
10956 SSL3Sender sender = isServer ? sender_server : sender_client;
10958 TLSFinished tlsFinished;
10960 SSL_TRC(3, ("%d: SSL3[%d]: send finished handshake", SSL_GETPID(), ss->fd));
10962 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
10963 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
10965 ssl_GetSpecReadLock(ss);
10966 cwSpec = ss->ssl3.cwSpec;
10967 isTLS = (PRBool)(cwSpec->version > SSL_LIBRARY_VERSION_3_0);
10968 rv = ssl3_ComputeHandshakeHashes(ss, cwSpec, &hashes, sender);
10969 if (isTLS && rv == SECSuccess) {
10970 rv = ssl3_ComputeTLSFinished(cwSpec, isServer, &hashes, &tlsFinished);
10972 ssl_ReleaseSpecReadLock(ss);
10973 if (rv != SECSuccess) {
10974 goto fail; /* err code was set by ssl3_ComputeHandshakeHashes */
10979 ss->ssl3.hs.finishedMsgs.tFinished[1] = tlsFinished;
10981 ss->ssl3.hs.finishedMsgs.tFinished[0] = tlsFinished;
10982 ss->ssl3.hs.finishedBytes = sizeof tlsFinished;
10983 rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof tlsFinished);
10984 if (rv != SECSuccess)
10985 goto fail; /* err set by AppendHandshake. */
10986 rv = ssl3_AppendHandshake(ss, &tlsFinished, sizeof tlsFinished);
10987 if (rv != SECSuccess)
10988 goto fail; /* err set by AppendHandshake. */
10991 ss->ssl3.hs.finishedMsgs.sFinished[1] = hashes.u.s;
10993 ss->ssl3.hs.finishedMsgs.sFinished[0] = hashes.u.s;
10994 PORT_Assert(hashes.len == sizeof hashes.u.s);
10995 ss->ssl3.hs.finishedBytes = sizeof hashes.u.s;
10996 rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof hashes.u.s);
10997 if (rv != SECSuccess)
10998 goto fail; /* err set by AppendHandshake. */
10999 rv = ssl3_AppendHandshake(ss, &hashes.u.s, sizeof hashes.u.s);
11000 if (rv != SECSuccess)
11001 goto fail; /* err set by AppendHandshake. */
11003 rv = ssl3_FlushHandshake(ss, flags);
11004 if (rv != SECSuccess) {
11005 goto fail; /* error code set by ssl3_FlushHandshake */
11008 ssl3_RecordKeyLog(ss);
11016 /* wrap the master secret, and put it into the SID.
11017 * Caller holds the Spec read lock.
11020 ssl3_CacheWrappedMasterSecret(sslSocket *ss, sslSessionID *sid,
11021 ssl3CipherSpec *spec, SSL3KEAType effectiveExchKeyType)
11023 PK11SymKey * wrappingKey = NULL;
11024 PK11SlotInfo * symKeySlot;
11025 void * pwArg = ss->pkcs11PinArg;
11026 SECStatus rv = SECFailure;
11027 PRBool isServer = ss->sec.isServer;
11028 CK_MECHANISM_TYPE mechanism = CKM_INVALID_MECHANISM;
11029 symKeySlot = PK11_GetSlotFromKey(spec->master_secret);
11034 /* these next few functions are mere accessors and don't fail. */
11035 sid->u.ssl3.masterWrapIndex = wrapKeyIndex =
11036 PK11_GetCurrentWrapIndex(symKeySlot);
11037 PORT_Assert(wrapKeyIndex == 0); /* array has only one entry! */
11039 sid->u.ssl3.masterWrapSeries = incarnation =
11040 PK11_GetSlotSeries(symKeySlot);
11041 sid->u.ssl3.masterSlotID = PK11_GetSlotID(symKeySlot);
11042 sid->u.ssl3.masterModuleID = PK11_GetModuleID(symKeySlot);
11043 sid->u.ssl3.masterValid = PR_TRUE;
11044 /* Get the default wrapping key, for wrapping the master secret before
11045 * placing it in the SID cache entry. */
11046 wrappingKey = PK11_GetWrapKey(symKeySlot, wrapKeyIndex,
11047 CKM_INVALID_MECHANISM, incarnation,
11050 mechanism = PK11_GetMechanism(wrappingKey); /* can't fail. */
11053 /* if the wrappingKey doesn't exist, attempt to create it.
11054 * Note: we intentionally ignore errors here. If we cannot
11055 * generate a wrapping key, it is not fatal to this SSL connection,
11056 * but we will not be able to restart this session.
11058 mechanism = PK11_GetBestWrapMechanism(symKeySlot);
11059 keyLength = PK11_GetBestKeyLength(symKeySlot, mechanism);
11060 /* Zero length means fixed key length algorithm, or error.
11063 wrappingKey = PK11_KeyGen(symKeySlot, mechanism, NULL,
11066 PK11_SetWrapKey(symKeySlot, wrapKeyIndex, wrappingKey);
11070 /* server socket using session cache. */
11071 mechanism = PK11_GetBestWrapMechanism(symKeySlot);
11072 if (mechanism != CKM_INVALID_MECHANISM) {
11074 getWrappingKey(ss, symKeySlot, effectiveExchKeyType,
11077 mechanism = PK11_GetMechanism(wrappingKey); /* can't fail. */
11082 sid->u.ssl3.masterWrapMech = mechanism;
11083 PK11_FreeSlot(symKeySlot);
11088 wmsItem.data = sid->u.ssl3.keys.wrapped_master_secret;
11089 wmsItem.len = sizeof sid->u.ssl3.keys.wrapped_master_secret;
11090 rv = PK11_WrapSymKey(mechanism, NULL, wrappingKey,
11091 spec->master_secret, &wmsItem);
11092 /* rv is examined below. */
11093 sid->u.ssl3.keys.wrapped_master_secret_len = wmsItem.len;
11094 PK11_FreeSymKey(wrappingKey);
11099 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
11100 * ssl3 Finished message from the peer.
11101 * Caller must hold Handshake and RecvBuf locks.
11104 ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
11105 const SSL3Hashes *hashes)
11107 sslSessionID * sid = ss->sec.ci.sid;
11108 SECStatus rv = SECSuccess;
11109 PRBool isServer = ss->sec.isServer;
11111 SSL3KEAType effectiveExchKeyType;
11113 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
11114 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
11116 SSL_TRC(3, ("%d: SSL3[%d]: handle finished handshake",
11117 SSL_GETPID(), ss->fd));
11119 if (ss->ssl3.hs.ws != wait_finished) {
11120 SSL3_SendAlert(ss, alert_fatal, unexpected_message);
11121 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_FINISHED);
11125 isTLS = (PRBool)(ss->ssl3.crSpec->version > SSL_LIBRARY_VERSION_3_0);
11127 TLSFinished tlsFinished;
11129 if (length != sizeof tlsFinished) {
11130 (void)SSL3_SendAlert(ss, alert_fatal, decode_error);
11131 PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED);
11134 rv = ssl3_ComputeTLSFinished(ss->ssl3.crSpec, !isServer,
11135 hashes, &tlsFinished);
11137 ss->ssl3.hs.finishedMsgs.tFinished[1] = tlsFinished;
11139 ss->ssl3.hs.finishedMsgs.tFinished[0] = tlsFinished;
11140 ss->ssl3.hs.finishedBytes = sizeof tlsFinished;
11141 if (rv != SECSuccess ||
11142 0 != NSS_SecureMemcmp(&tlsFinished, b, length)) {
11143 (void)SSL3_SendAlert(ss, alert_fatal, decrypt_error);
11144 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
11148 if (length != sizeof(SSL3Finished)) {
11149 (void)ssl3_IllegalParameter(ss);
11150 PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED);
11155 ss->ssl3.hs.finishedMsgs.sFinished[1] = hashes->u.s;
11157 ss->ssl3.hs.finishedMsgs.sFinished[0] = hashes->u.s;
11158 PORT_Assert(hashes->len == sizeof hashes->u.s);
11159 ss->ssl3.hs.finishedBytes = sizeof hashes->u.s;
11160 if (0 != NSS_SecureMemcmp(&hashes->u.s, b, length)) {
11161 (void)ssl3_HandshakeFailure(ss);
11162 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
11167 ssl_GetXmitBufLock(ss); /*************************************/
11169 if ((isServer && !ss->ssl3.hs.isResuming) ||
11170 (!isServer && ss->ssl3.hs.isResuming)) {
11173 /* Send a NewSessionTicket message if the client sent us
11174 * either an empty session ticket, or one that did not verify.
11175 * (Note that if either of these conditions was met, then the
11176 * server has sent a SessionTicket extension in the
11177 * ServerHello message.)
11179 if (isServer && !ss->ssl3.hs.isResuming &&
11180 ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn)) {
11181 /* RFC 5077 Section 3.3: "In the case of a full handshake, the
11182 * server MUST verify the client's Finished message before sending
11183 * the ticket." Presumably, this also means that the client's
11184 * certificate, if any, must be verified beforehand too.
11186 rv = ssl3_SendNewSessionTicket(ss);
11187 if (rv != SECSuccess) {
11192 rv = ssl3_SendChangeCipherSpecs(ss);
11193 if (rv != SECSuccess) {
11194 goto xmit_loser; /* err is set. */
11196 /* If this thread is in SSL_SecureSend (trying to write some data)
11197 ** then set the ssl_SEND_FLAG_FORCE_INTO_BUFFER flag, so that the
11198 ** last two handshake messages (change cipher spec and finished)
11199 ** will be sent in the same send/write call as the application data.
11201 if (ss->writerThread == PR_GetCurrentThread()) {
11202 flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER;
11206 if (!ss->firstHsDone) {
11207 rv = ssl3_SendNextProto(ss);
11208 if (rv != SECSuccess) {
11209 goto xmit_loser; /* err code was set. */
11212 rv = ssl3_SendEncryptedExtensions(ss);
11213 if (rv != SECSuccess)
11214 goto xmit_loser; /* err code was set. */
11218 flags |= ssl_SEND_FLAG_NO_RETRANSMIT;
11221 rv = ssl3_SendFinished(ss, flags);
11222 if (rv != SECSuccess) {
11223 goto xmit_loser; /* err is set. */
11228 ssl_ReleaseXmitBufLock(ss); /*************************************/
11229 if (rv != SECSuccess) {
11233 if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) {
11234 effectiveExchKeyType = kt_rsa;
11236 effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType;
11239 if (sid->cached == never_cached && !ss->opt.noCache && ss->sec.cache) {
11240 /* fill in the sid */
11241 sid->u.ssl3.cipherSuite = ss->ssl3.hs.cipher_suite;
11242 sid->u.ssl3.compression = ss->ssl3.hs.compression;
11243 sid->u.ssl3.policy = ss->ssl3.policy;
11244 #ifdef NSS_ENABLE_ECC
11245 sid->u.ssl3.negotiatedECCurves = ss->ssl3.hs.negotiatedECCurves;
11247 sid->u.ssl3.exchKeyType = effectiveExchKeyType;
11248 sid->version = ss->version;
11249 sid->authAlgorithm = ss->sec.authAlgorithm;
11250 sid->authKeyBits = ss->sec.authKeyBits;
11251 sid->keaType = ss->sec.keaType;
11252 sid->keaKeyBits = ss->sec.keaKeyBits;
11253 sid->lastAccessTime = sid->creationTime = ssl_Time();
11254 sid->expirationTime = sid->creationTime + ssl3_sid_timeout;
11255 sid->localCert = CERT_DupCertificate(ss->sec.localCert);
11257 ssl_GetSpecReadLock(ss); /*************************************/
11259 /* Copy the master secret (wrapped or unwrapped) into the sid */
11260 if (ss->ssl3.crSpec->msItem.len && ss->ssl3.crSpec->msItem.data) {
11261 sid->u.ssl3.keys.wrapped_master_secret_len =
11262 ss->ssl3.crSpec->msItem.len;
11263 memcpy(sid->u.ssl3.keys.wrapped_master_secret,
11264 ss->ssl3.crSpec->msItem.data, ss->ssl3.crSpec->msItem.len);
11265 sid->u.ssl3.masterValid = PR_TRUE;
11266 sid->u.ssl3.keys.msIsWrapped = PR_FALSE;
11269 rv = ssl3_CacheWrappedMasterSecret(ss, ss->sec.ci.sid,
11271 effectiveExchKeyType);
11272 sid->u.ssl3.keys.msIsWrapped = PR_TRUE;
11274 ssl_ReleaseSpecReadLock(ss); /*************************************/
11276 /* If the wrap failed, we don't cache the sid.
11277 * The connection continues normally however.
11279 ss->ssl3.hs.cacheSID = rv == SECSuccess;
11282 if (ss->ssl3.hs.authCertificatePending) {
11283 if (ss->ssl3.hs.restartTarget) {
11284 PR_NOT_REACHED("ssl3_HandleFinished: unexpected restartTarget");
11285 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
11289 ss->ssl3.hs.restartTarget = ssl3_FinishHandshake;
11290 return SECWouldBlock;
11293 rv = ssl3_FinishHandshake(ss);
11297 /* The return type is SECStatus instead of void because this function needs
11298 * to have type sslRestartTarget.
11301 ssl3_FinishHandshake(sslSocket * ss)
11303 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
11304 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
11305 PORT_Assert( ss->ssl3.hs.restartTarget == NULL );
11307 /* The first handshake is now completed. */
11308 ss->handshake = NULL;
11310 /* RFC 5077 Section 3.3: "The client MUST NOT treat the ticket as valid
11311 * until it has verified the server's Finished message." When the server
11312 * sends a NewSessionTicket in a resumption handshake, we must wait until
11313 * the handshake is finished (we have verified the server's Finished
11314 * AND the server's certificate) before we update the ticket in the sid.
11316 * This must be done before we call (*ss->sec.cache)(ss->sec.ci.sid)
11317 * because CacheSID requires the session ticket to already be set, and also
11318 * because of the lazy lock creation scheme used by CacheSID and
11319 * ssl3_SetSIDSessionTicket.
11321 if (ss->ssl3.hs.receivedNewSessionTicket) {
11322 PORT_Assert(!ss->sec.isServer);
11323 ssl3_SetSIDSessionTicket(ss->sec.ci.sid, &ss->ssl3.hs.newSessionTicket);
11324 /* The sid took over the ticket data */
11325 PORT_Assert(!ss->ssl3.hs.newSessionTicket.ticket.data);
11326 ss->ssl3.hs.receivedNewSessionTicket = PR_FALSE;
11329 if (ss->ssl3.hs.cacheSID && ss->sec.isServer) {
11330 PORT_Assert(ss->sec.ci.sid->cached == never_cached);
11331 (*ss->sec.cache)(ss->sec.ci.sid);
11332 ss->ssl3.hs.cacheSID = PR_FALSE;
11335 ss->ssl3.hs.canFalseStart = PR_FALSE; /* False Start phase is complete */
11336 ss->ssl3.hs.ws = idle_handshake;
11338 ssl_FinishHandshake(ss);
11343 /* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3
11344 * hanshake message.
11345 * Caller must hold Handshake and RecvBuf locks.
11348 ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
11350 SECStatus rv = SECSuccess;
11351 SSL3HandshakeType type = ss->ssl3.hs.msg_type;
11352 SSL3Hashes hashes; /* computed hashes are put here. */
11354 PRUint8 dtlsData[8];
11356 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
11357 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
11359 * We have to compute the hashes before we update them with the
11362 ssl_GetSpecReadLock(ss); /************************************/
11363 if((type == finished) || (type == certificate_verify)) {
11364 SSL3Sender sender = (SSL3Sender)0;
11365 ssl3CipherSpec *rSpec = ss->ssl3.prSpec;
11367 if (type == finished) {
11368 sender = ss->sec.isServer ? sender_client : sender_server;
11369 rSpec = ss->ssl3.crSpec;
11371 rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender);
11373 ssl_ReleaseSpecReadLock(ss); /************************************/
11374 if (rv != SECSuccess) {
11375 return rv; /* error code was set by ssl3_ComputeHandshakeHashes*/
11377 SSL_TRC(30,("%d: SSL3[%d]: handle handshake message: %s", SSL_GETPID(),
11378 ss->fd, ssl3_DecodeHandshakeType(ss->ssl3.hs.msg_type)));
11380 hdr[0] = (PRUint8)ss->ssl3.hs.msg_type;
11381 hdr[1] = (PRUint8)(length >> 16);
11382 hdr[2] = (PRUint8)(length >> 8);
11383 hdr[3] = (PRUint8)(length );
11385 /* Start new handshake hashes when we start a new handshake */
11386 if (ss->ssl3.hs.msg_type == client_hello) {
11387 rv = ssl3_RestartHandshakeHashes(ss);
11388 if (rv != SECSuccess) {
11392 /* We should not include hello_request and hello_verify_request messages
11393 * in the handshake hashes */
11394 if ((ss->ssl3.hs.msg_type != hello_request) &&
11395 (ss->ssl3.hs.msg_type != hello_verify_request)) {
11396 rv = ssl3_UpdateHandshakeHashes(ss, (unsigned char*) hdr, 4);
11397 if (rv != SECSuccess) return rv; /* err code already set. */
11399 /* Extra data to simulate a complete DTLS handshake fragment */
11401 /* Sequence number */
11402 dtlsData[0] = MSB(ss->ssl3.hs.recvMessageSeq);
11403 dtlsData[1] = LSB(ss->ssl3.hs.recvMessageSeq);
11405 /* Fragment offset */
11410 /* Fragment length */
11411 dtlsData[5] = (PRUint8)(length >> 16);
11412 dtlsData[6] = (PRUint8)(length >> 8);
11413 dtlsData[7] = (PRUint8)(length );
11415 rv = ssl3_UpdateHandshakeHashes(ss, (unsigned char*) dtlsData,
11417 if (rv != SECSuccess) return rv; /* err code already set. */
11420 /* The message body */
11421 rv = ssl3_UpdateHandshakeHashes(ss, b, length);
11422 if (rv != SECSuccess) return rv; /* err code already set. */
11425 PORT_SetError(0); /* each message starts with no error. */
11427 if (ss->ssl3.hs.ws == wait_certificate_status &&
11428 ss->ssl3.hs.msg_type != certificate_status) {
11429 /* If we negotiated the certificate_status extension then we deferred
11430 * certificate validation until we get the CertificateStatus messsage.
11431 * But the CertificateStatus message is optional. If the server did
11432 * not send it then we need to validate the certificate now. If the
11433 * server does send the CertificateStatus message then we will
11434 * authenticate the certificate in ssl3_HandleCertificateStatus.
11436 rv = ssl3_AuthCertificate(ss); /* sets ss->ssl3.hs.ws */
11437 PORT_Assert(rv != SECWouldBlock);
11438 if (rv != SECSuccess) {
11443 switch (ss->ssl3.hs.msg_type) {
11444 case hello_request:
11446 (void)ssl3_DecodeError(ss);
11447 PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_REQUEST);
11450 if (ss->sec.isServer) {
11451 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
11452 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST);
11455 rv = ssl3_HandleHelloRequest(ss);
11458 if (!ss->sec.isServer) {
11459 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
11460 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO);
11463 rv = ssl3_HandleClientHello(ss, b, length);
11466 if (ss->sec.isServer) {
11467 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
11468 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO);
11471 rv = ssl3_HandleServerHello(ss, b, length);
11473 case hello_verify_request:
11474 if (!IS_DTLS(ss) || ss->sec.isServer) {
11475 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
11476 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY_REQUEST);
11479 rv = dtls_HandleHelloVerifyRequest(ss, b, length);
11482 rv = ssl3_HandleCertificate(ss, b, length);
11484 case certificate_status:
11485 rv = ssl3_HandleCertificateStatus(ss, b, length);
11487 case server_key_exchange:
11488 if (ss->sec.isServer) {
11489 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
11490 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH);
11493 rv = ssl3_HandleServerKeyExchange(ss, b, length);
11495 case certificate_request:
11496 if (ss->sec.isServer) {
11497 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
11498 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST);
11501 rv = ssl3_HandleCertificateRequest(ss, b, length);
11503 case server_hello_done:
11505 (void)ssl3_DecodeError(ss);
11506 PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_DONE);
11509 if (ss->sec.isServer) {
11510 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
11511 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
11514 rv = ssl3_HandleServerHelloDone(ss);
11516 case certificate_verify:
11517 if (!ss->sec.isServer) {
11518 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
11519 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY);
11522 rv = ssl3_HandleCertificateVerify(ss, b, length, &hashes);
11524 case client_key_exchange:
11525 if (!ss->sec.isServer) {
11526 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
11527 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH);
11530 rv = ssl3_HandleClientKeyExchange(ss, b, length);
11532 case new_session_ticket:
11533 if (ss->sec.isServer) {
11534 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
11535 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET);
11538 rv = ssl3_HandleNewSessionTicket(ss, b, length);
11541 rv = ssl3_HandleFinished(ss, b, length, &hashes);
11544 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
11545 PORT_SetError(SSL_ERROR_RX_UNKNOWN_HANDSHAKE);
11549 if (IS_DTLS(ss) && (rv != SECFailure)) {
11550 /* Increment the expected sequence number */
11551 ss->ssl3.hs.recvMessageSeq++;
11557 /* Called only from ssl3_HandleRecord, for each (deciphered) ssl3 record.
11558 * origBuf is the decrypted ssl record content.
11559 * Caller must hold the handshake and RecvBuf locks.
11562 ssl3_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)
11565 * There may be a partial handshake message already in the handshake
11566 * state. The incoming buffer may contain another portion, or a
11567 * complete message or several messages followed by another portion.
11569 * Each message is made contiguous before being passed to the actual
11572 sslBuffer *buf = &ss->ssl3.hs.msgState; /* do not lose the original buffer pointer */
11575 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
11576 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
11578 if (buf->buf == NULL) {
11581 while (buf->len > 0) {
11582 if (ss->ssl3.hs.header_bytes < 4) {
11586 if (ss->ssl3.hs.header_bytes++ == 0)
11587 ss->ssl3.hs.msg_type = (SSL3HandshakeType)t;
11589 ss->ssl3.hs.msg_len = (ss->ssl3.hs.msg_len << 8) + t;
11590 if (ss->ssl3.hs.header_bytes < 4)
11593 #define MAX_HANDSHAKE_MSG_LEN 0x1ffff /* 128k - 1 */
11594 if (ss->ssl3.hs.msg_len > MAX_HANDSHAKE_MSG_LEN) {
11595 (void)ssl3_DecodeError(ss);
11596 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
11599 #undef MAX_HANDSHAKE_MSG_LEN
11601 /* If msg_len is zero, be sure we fall through,
11602 ** even if buf->len is zero.
11604 if (ss->ssl3.hs.msg_len > 0)
11609 * Header has been gathered and there is at least one byte of new
11610 * data available for this message. If it can be done right out
11611 * of the original buffer, then use it from there.
11613 if (ss->ssl3.hs.msg_body.len == 0 && buf->len >= ss->ssl3.hs.msg_len) {
11614 /* handle it from input buffer */
11615 rv = ssl3_HandleHandshakeMessage(ss, buf->buf, ss->ssl3.hs.msg_len);
11616 if (rv == SECFailure) {
11617 /* This test wants to fall through on either
11618 * SECSuccess or SECWouldBlock.
11619 * ssl3_HandleHandshakeMessage MUST set the error code.
11623 buf->buf += ss->ssl3.hs.msg_len;
11624 buf->len -= ss->ssl3.hs.msg_len;
11625 ss->ssl3.hs.msg_len = 0;
11626 ss->ssl3.hs.header_bytes = 0;
11627 if (rv != SECSuccess) { /* return if SECWouldBlock. */
11631 /* must be copied to msg_body and dealt with from there */
11632 unsigned int bytes;
11634 PORT_Assert(ss->ssl3.hs.msg_body.len < ss->ssl3.hs.msg_len);
11635 bytes = PR_MIN(buf->len, ss->ssl3.hs.msg_len - ss->ssl3.hs.msg_body.len);
11637 /* Grow the buffer if needed */
11638 rv = sslBuffer_Grow(&ss->ssl3.hs.msg_body, ss->ssl3.hs.msg_len);
11639 if (rv != SECSuccess) {
11640 /* sslBuffer_Grow has set a memory error code. */
11644 PORT_Memcpy(ss->ssl3.hs.msg_body.buf + ss->ssl3.hs.msg_body.len,
11646 ss->ssl3.hs.msg_body.len += bytes;
11650 PORT_Assert(ss->ssl3.hs.msg_body.len <= ss->ssl3.hs.msg_len);
11652 /* if we have a whole message, do it */
11653 if (ss->ssl3.hs.msg_body.len == ss->ssl3.hs.msg_len) {
11654 rv = ssl3_HandleHandshakeMessage(
11655 ss, ss->ssl3.hs.msg_body.buf, ss->ssl3.hs.msg_len);
11656 if (rv == SECFailure) {
11657 /* This test wants to fall through on either
11658 * SECSuccess or SECWouldBlock.
11659 * ssl3_HandleHandshakeMessage MUST set error code.
11663 ss->ssl3.hs.msg_body.len = 0;
11664 ss->ssl3.hs.msg_len = 0;
11665 ss->ssl3.hs.header_bytes = 0;
11666 if (rv != SECSuccess) { /* return if SECWouldBlock. */
11670 PORT_Assert(buf->len == 0);
11676 origBuf->len = 0; /* So ssl3_GatherAppDataRecord will keep looping. */
11677 buf->buf = NULL; /* not a leak. */
11681 /* These macros return the given value with the MSB copied to all the other
11682 * bits. They use the fact that arithmetic shift shifts-in the sign bit.
11683 * However, this is not ensured by the C standard so you may need to replace
11684 * them with something else for odd compilers. */
11685 #define DUPLICATE_MSB_TO_ALL(x) ( (unsigned)( (int)(x) >> (sizeof(int)*8-1) ) )
11686 #define DUPLICATE_MSB_TO_ALL_8(x) ((unsigned char)(DUPLICATE_MSB_TO_ALL(x)))
11688 /* SECStatusToMask returns, in constant time, a mask value of all ones if
11689 * rv == SECSuccess. Otherwise it returns zero. */
11690 static unsigned int
11691 SECStatusToMask(SECStatus rv)
11694 /* rv ^ SECSuccess is zero iff rv == SECSuccess. Subtracting one results
11695 * in the MSB being set to one iff it was zero before. */
11696 good = rv ^ SECSuccess;
11698 return DUPLICATE_MSB_TO_ALL(good);
11701 /* ssl_ConstantTimeGE returns 0xff if a>=b and 0x00 otherwise. */
11702 static unsigned char
11703 ssl_ConstantTimeGE(unsigned int a, unsigned int b)
11706 return DUPLICATE_MSB_TO_ALL(~a);
11709 /* ssl_ConstantTimeEQ8 returns 0xff if a==b and 0x00 otherwise. */
11710 static unsigned char
11711 ssl_ConstantTimeEQ8(unsigned char a, unsigned char b)
11713 unsigned int c = a ^ b;
11715 return DUPLICATE_MSB_TO_ALL_8(c);
11719 ssl_RemoveSSLv3CBCPadding(sslBuffer *plaintext,
11720 unsigned int blockSize,
11721 unsigned int macSize)
11723 unsigned int paddingLength, good, t;
11724 const unsigned int overhead = 1 /* padding length byte */ + macSize;
11726 /* These lengths are all public so we can test them in non-constant
11728 if (overhead > plaintext->len) {
11732 paddingLength = plaintext->buf[plaintext->len-1];
11733 /* SSLv3 padding bytes are random and cannot be checked. */
11734 t = plaintext->len;
11735 t -= paddingLength+overhead;
11736 /* If len >= paddingLength+overhead then the MSB of t is zero. */
11737 good = DUPLICATE_MSB_TO_ALL(~t);
11738 /* SSLv3 requires that the padding is minimal. */
11739 t = blockSize - (paddingLength+1);
11740 good &= DUPLICATE_MSB_TO_ALL(~t);
11741 plaintext->len -= good & (paddingLength+1);
11742 return (good & SECSuccess) | (~good & SECFailure);
11746 ssl_RemoveTLSCBCPadding(sslBuffer *plaintext, unsigned int macSize)
11748 unsigned int paddingLength, good, t, toCheck, i;
11749 const unsigned int overhead = 1 /* padding length byte */ + macSize;
11751 /* These lengths are all public so we can test them in non-constant
11753 if (overhead > plaintext->len) {
11757 paddingLength = plaintext->buf[plaintext->len-1];
11758 t = plaintext->len;
11759 t -= paddingLength+overhead;
11760 /* If len >= paddingLength+overhead then the MSB of t is zero. */
11761 good = DUPLICATE_MSB_TO_ALL(~t);
11763 /* The padding consists of a length byte at the end of the record and then
11764 * that many bytes of padding, all with the same value as the length byte.
11765 * Thus, with the length byte included, there are paddingLength+1 bytes of
11768 * We can't check just |paddingLength+1| bytes because that leaks
11769 * decrypted information. Therefore we always have to check the maximum
11770 * amount of padding possible. (Again, the length of the record is
11771 * public information so we can use it.) */
11772 toCheck = 255; /* maximum amount of padding. */
11773 if (toCheck > plaintext->len-1) {
11774 toCheck = plaintext->len-1;
11777 for (i = 0; i < toCheck; i++) {
11778 unsigned int t = paddingLength - i;
11779 /* If i <= paddingLength then the MSB of t is zero and mask is
11780 * 0xff. Otherwise, mask is 0. */
11781 unsigned char mask = DUPLICATE_MSB_TO_ALL(~t);
11782 unsigned char b = plaintext->buf[plaintext->len-1-i];
11783 /* The final |paddingLength+1| bytes should all have the value
11784 * |paddingLength|. Therefore the XOR should be zero. */
11785 good &= ~(mask&(paddingLength ^ b));
11788 /* If any of the final |paddingLength+1| bytes had the wrong value,
11789 * one or more of the lower eight bits of |good| will be cleared. We
11790 * AND the bottom 8 bits together and duplicate the result to all the
11795 good <<= sizeof(good)*8-1;
11796 good = DUPLICATE_MSB_TO_ALL(good);
11798 plaintext->len -= good & (paddingLength+1);
11799 return (good & SECSuccess) | (~good & SECFailure);
11803 * originalLength >= macSize
11804 * macSize <= MAX_MAC_LENGTH
11805 * plaintext->len >= macSize
11808 ssl_CBCExtractMAC(sslBuffer *plaintext,
11809 unsigned int originalLength,
11811 unsigned int macSize)
11813 unsigned char rotatedMac[MAX_MAC_LENGTH];
11814 /* macEnd is the index of |plaintext->buf| just after the end of the
11816 unsigned macEnd = plaintext->len;
11817 unsigned macStart = macEnd - macSize;
11818 /* scanStart contains the number of bytes that we can ignore because
11819 * the MAC's position can only vary by 255 bytes. */
11820 unsigned scanStart = 0;
11821 unsigned i, j, divSpoiler;
11822 unsigned char rotateOffset;
11824 if (originalLength > macSize + 255 + 1)
11825 scanStart = originalLength - (macSize + 255 + 1);
11827 /* divSpoiler contains a multiple of macSize that is used to cause the
11828 * modulo operation to be constant time. Without this, the time varies
11829 * based on the amount of padding when running on Intel chips at least.
11831 * The aim of right-shifting macSize is so that the compiler doesn't
11832 * figure out that it can remove divSpoiler as that would require it
11833 * to prove that macSize is always even, which I hope is beyond it. */
11834 divSpoiler = macSize >> 1;
11835 divSpoiler <<= (sizeof(divSpoiler)-1)*8;
11836 rotateOffset = (divSpoiler + macStart - scanStart) % macSize;
11838 memset(rotatedMac, 0, macSize);
11839 for (i = scanStart; i < originalLength;) {
11840 for (j = 0; j < macSize && i < originalLength; i++, j++) {
11841 unsigned char macStarted = ssl_ConstantTimeGE(i, macStart);
11842 unsigned char macEnded = ssl_ConstantTimeGE(i, macEnd);
11843 unsigned char b = 0;
11844 b = plaintext->buf[i];
11845 rotatedMac[j] |= b & macStarted & ~macEnded;
11849 /* Now rotate the MAC. If we knew that the MAC fit into a CPU cache line
11850 * we could line-align |rotatedMac| and rotate in place. */
11851 memset(out, 0, macSize);
11852 for (i = 0; i < macSize; i++) {
11853 unsigned char offset =
11854 (divSpoiler + macSize - rotateOffset + i) % macSize;
11855 for (j = 0; j < macSize; j++) {
11856 out[j] |= rotatedMac[i] & ssl_ConstantTimeEQ8(j, offset);
11861 /* if cText is non-null, then decipher, check MAC, and decompress the
11862 * SSL record from cText->buf (typically gs->inbuf)
11863 * into databuf (typically gs->buf), and any previous contents of databuf
11864 * is lost. Then handle databuf according to its SSL record type,
11865 * unless it's an application record.
11867 * If cText is NULL, then the ciphertext has previously been deciphered and
11868 * checked, and is already sitting in databuf. It is processed as an SSL
11869 * Handshake message.
11871 * DOES NOT process the decrypted/decompressed application data.
11872 * On return, databuf contains the decrypted/decompressed record.
11874 * Called from ssl3_GatherCompleteHandshake
11875 * ssl3_RestartHandshakeAfterCertReq
11877 * Caller must hold the RecvBufLock.
11879 * This function aquires and releases the SSL3Handshake Lock, holding the
11880 * lock around any calls to functions that handle records other than
11881 * Application Data records.
11884 ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf)
11886 const ssl3BulkCipherDef *cipher_def;
11887 ssl3CipherSpec * crSpec;
11889 unsigned int hashBytes = MAX_MAC_LENGTH + 1;
11891 SSL3ContentType rType;
11892 SSL3Opaque hash[MAX_MAC_LENGTH];
11893 SSL3Opaque givenHashBuf[MAX_MAC_LENGTH];
11894 SSL3Opaque *givenHash;
11895 sslBuffer *plaintext;
11896 sslBuffer temp_buf;
11897 PRUint64 dtls_seq_num;
11898 unsigned int ivLen = 0;
11899 unsigned int originalLen = 0;
11901 unsigned int minLength;
11902 unsigned char header[13];
11903 unsigned int headerLen;
11905 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
11907 if (!ss->ssl3.initialized) {
11908 ssl_GetSSL3HandshakeLock(ss);
11909 rv = ssl3_InitState(ss);
11910 ssl_ReleaseSSL3HandshakeLock(ss);
11911 if (rv != SECSuccess) {
11912 return rv; /* ssl3_InitState has set the error code. */
11916 /* check for Token Presence */
11917 if (!ssl3_ClientAuthTokenPresent(ss->sec.ci.sid)) {
11918 PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
11922 /* cText is NULL when we're called from ssl3_RestartHandshakeAfterXXX().
11923 * This implies that databuf holds a previously deciphered SSL Handshake
11926 if (cText == NULL) {
11927 SSL_DBG(("%d: SSL3[%d]: HandleRecord, resuming handshake",
11928 SSL_GETPID(), ss->fd));
11929 rType = content_handshake;
11933 ssl_GetSpecReadLock(ss); /******************************************/
11935 crSpec = ss->ssl3.crSpec;
11936 cipher_def = crSpec->cipher_def;
11939 * DTLS relevance checks:
11940 * Note that this code currently ignores all out-of-epoch packets,
11941 * which means we lose some in the case of rehandshake +
11942 * loss/reordering. Since DTLS is explicitly unreliable, this
11943 * seems like a good tradeoff for implementation effort and is
11944 * consistent with the guidance of RFC 6347 Sections 4.1 and 4.2.4.1
11947 DTLSEpoch epoch = (cText->seq_num.high >> 16) & 0xffff;
11949 if (crSpec->epoch != epoch) {
11950 ssl_ReleaseSpecReadLock(ss);
11951 SSL_DBG(("%d: SSL3[%d]: HandleRecord, received packet "
11952 "from irrelevant epoch %d", SSL_GETPID(), ss->fd, epoch));
11953 /* Silently drop the packet */
11954 databuf->len = 0; /* Needed to ensure data not left around */
11958 dtls_seq_num = (((PRUint64)(cText->seq_num.high & 0xffff)) << 32) |
11959 ((PRUint64)cText->seq_num.low);
11961 if (dtls_RecordGetRecvd(&crSpec->recvdRecords, dtls_seq_num) != 0) {
11962 ssl_ReleaseSpecReadLock(ss);
11963 SSL_DBG(("%d: SSL3[%d]: HandleRecord, rejecting "
11964 "potentially replayed packet", SSL_GETPID(), ss->fd));
11965 /* Silently drop the packet */
11966 databuf->len = 0; /* Needed to ensure data not left around */
11972 minLength = crSpec->mac_size;
11973 if (cipher_def->type == type_block) {
11974 /* CBC records have a padding length byte at the end. */
11976 if (crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) {
11977 /* With >= TLS 1.1, CBC records have an explicit IV. */
11978 minLength += cipher_def->iv_size;
11980 } else if (cipher_def->type == type_aead) {
11981 minLength = cipher_def->explicit_nonce_size + cipher_def->tag_size;
11984 /* We can perform this test in variable time because the record's total
11985 * length and the ciphersuite are both public knowledge. */
11986 if (cText->buf->len < minLength) {
11987 goto decrypt_loser;
11990 if (cipher_def->type == type_block &&
11991 crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) {
11992 /* Consume the per-record explicit IV. RFC 4346 Section 6.2.3.2 states
11993 * "The receiver decrypts the entire GenericBlockCipher structure and
11994 * then discards the first cipher block corresponding to the IV
11995 * component." Instead, we decrypt the first cipher block and then
11996 * discard it before decrypting the rest.
11998 SSL3Opaque iv[MAX_IV_LENGTH];
12001 ivLen = cipher_def->iv_size;
12002 if (ivLen < 8 || ivLen > sizeof(iv)) {
12003 ssl_ReleaseSpecReadLock(ss);
12004 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
12008 PRINT_BUF(80, (ss, "IV (ciphertext):", cText->buf->buf, ivLen));
12010 /* The decryption result is garbage, but since we just throw away
12011 * the block it doesn't matter. The decryption of the next block
12012 * depends only on the ciphertext of the IV block.
12014 rv = crSpec->decode(crSpec->decodeContext, iv, &decoded,
12015 sizeof(iv), cText->buf->buf, ivLen);
12017 good &= SECStatusToMask(rv);
12020 /* If we will be decompressing the buffer we need to decrypt somewhere
12021 * other than into databuf */
12022 if (crSpec->decompressor) {
12023 temp_buf.buf = NULL;
12024 temp_buf.space = 0;
12025 plaintext = &temp_buf;
12027 plaintext = databuf;
12030 plaintext->len = 0; /* filled in by decode call below. */
12031 if (plaintext->space < MAX_FRAGMENT_LENGTH) {
12032 rv = sslBuffer_Grow(plaintext, MAX_FRAGMENT_LENGTH + 2048);
12033 if (rv != SECSuccess) {
12034 ssl_ReleaseSpecReadLock(ss);
12035 SSL_DBG(("%d: SSL3[%d]: HandleRecord, tried to get %d bytes",
12036 SSL_GETPID(), ss->fd, MAX_FRAGMENT_LENGTH + 2048));
12037 /* sslBuffer_Grow has set a memory error code. */
12038 /* Perhaps we should send an alert. (but we have no memory!) */
12043 PRINT_BUF(80, (ss, "ciphertext:", cText->buf->buf + ivLen,
12044 cText->buf->len - ivLen));
12046 isTLS = (PRBool)(crSpec->version > SSL_LIBRARY_VERSION_3_0);
12048 if (isTLS && cText->buf->len - ivLen > (MAX_FRAGMENT_LENGTH + 2048)) {
12049 ssl_ReleaseSpecReadLock(ss);
12050 SSL3_SendAlert(ss, alert_fatal, record_overflow);
12051 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
12055 rType = cText->type;
12056 if (cipher_def->type == type_aead) {
12057 /* XXX For many AEAD ciphers, the plaintext is shorter than the
12058 * ciphertext by a fixed byte count, but it is not true in general.
12059 * Each AEAD cipher should provide a function that returns the
12060 * plaintext length for a given ciphertext. */
12061 unsigned int decryptedLen =
12062 cText->buf->len - cipher_def->explicit_nonce_size -
12063 cipher_def->tag_size;
12064 headerLen = ssl3_BuildRecordPseudoHeader(
12065 header, IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
12066 rType, isTLS, cText->version, IS_DTLS(ss), decryptedLen);
12067 PORT_Assert(headerLen <= sizeof(header));
12069 ss->sec.isServer ? &crSpec->client : &crSpec->server,
12070 PR_TRUE, /* do decrypt */
12071 plaintext->buf, /* out */
12072 (int*) &plaintext->len, /* outlen */
12073 plaintext->space, /* maxout */
12074 cText->buf->buf, /* in */
12075 cText->buf->len, /* inlen */
12076 header, headerLen);
12077 if (rv != SECSuccess) {
12081 if (cipher_def->type == type_block &&
12082 ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) {
12083 goto decrypt_loser;
12086 /* decrypt from cText buf to plaintext. */
12087 rv = crSpec->decode(
12088 crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len,
12089 plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen);
12090 if (rv != SECSuccess) {
12091 goto decrypt_loser;
12094 PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len));
12096 originalLen = plaintext->len;
12098 /* If it's a block cipher, check and strip the padding. */
12099 if (cipher_def->type == type_block) {
12100 const unsigned int blockSize = cipher_def->block_size;
12101 const unsigned int macSize = crSpec->mac_size;
12104 good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding(
12105 plaintext, blockSize, macSize));
12107 good &= SECStatusToMask(ssl_RemoveTLSCBCPadding(
12108 plaintext, macSize));
12112 /* compute the MAC */
12113 headerLen = ssl3_BuildRecordPseudoHeader(
12114 header, IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
12115 rType, isTLS, cText->version, IS_DTLS(ss),
12116 plaintext->len - crSpec->mac_size);
12117 PORT_Assert(headerLen <= sizeof(header));
12118 if (cipher_def->type == type_block) {
12119 rv = ssl3_ComputeRecordMACConstantTime(
12120 crSpec, (PRBool)(!ss->sec.isServer), header, headerLen,
12121 plaintext->buf, plaintext->len, originalLen,
12124 ssl_CBCExtractMAC(plaintext, originalLen, givenHashBuf,
12126 givenHash = givenHashBuf;
12128 /* plaintext->len will always have enough space to remove the MAC
12129 * because in ssl_Remove{SSLv3|TLS}CBCPadding we only adjust
12130 * plaintext->len if the result has enough space for the MAC and we
12131 * tested the unadjusted size against minLength, above. */
12132 plaintext->len -= crSpec->mac_size;
12134 /* This is safe because we checked the minLength above. */
12135 plaintext->len -= crSpec->mac_size;
12137 rv = ssl3_ComputeRecordMAC(
12138 crSpec, (PRBool)(!ss->sec.isServer), header, headerLen,
12139 plaintext->buf, plaintext->len, hash, &hashBytes);
12141 /* We can read the MAC directly from the record because its location
12142 * is public when a stream cipher is used. */
12143 givenHash = plaintext->buf + plaintext->len;
12146 good &= SECStatusToMask(rv);
12148 if (hashBytes != (unsigned)crSpec->mac_size ||
12149 NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) {
12150 /* We're allowed to leak whether or not the MAC check was correct */
12157 /* must not hold spec lock when calling SSL3_SendAlert. */
12158 ssl_ReleaseSpecReadLock(ss);
12160 SSL_DBG(("%d: SSL3[%d]: decryption failed", SSL_GETPID(), ss->fd));
12162 if (!IS_DTLS(ss)) {
12163 SSL3_SendAlert(ss, alert_fatal, bad_record_mac);
12164 /* always log mac error, in case attacker can read server logs. */
12165 PORT_SetError(SSL_ERROR_BAD_MAC_READ);
12168 /* Silently drop the packet */
12169 databuf->len = 0; /* Needed to ensure data not left around */
12174 if (!IS_DTLS(ss)) {
12175 ssl3_BumpSequenceNumber(&crSpec->read_seq_num);
12177 dtls_RecordSetRecvd(&crSpec->recvdRecords, dtls_seq_num);
12180 ssl_ReleaseSpecReadLock(ss); /*****************************************/
12183 * The decrypted data is now in plaintext.
12186 /* possibly decompress the record. If we aren't using compression then
12187 * plaintext == databuf and so the uncompressed data is already in
12189 if (crSpec->decompressor) {
12190 if (databuf->space < plaintext->len + SSL3_COMPRESSION_MAX_EXPANSION) {
12191 rv = sslBuffer_Grow(
12192 databuf, plaintext->len + SSL3_COMPRESSION_MAX_EXPANSION);
12193 if (rv != SECSuccess) {
12194 SSL_DBG(("%d: SSL3[%d]: HandleRecord, tried to get %d bytes",
12195 SSL_GETPID(), ss->fd,
12196 plaintext->len + SSL3_COMPRESSION_MAX_EXPANSION));
12197 /* sslBuffer_Grow has set a memory error code. */
12198 /* Perhaps we should send an alert. (but we have no memory!) */
12199 PORT_Free(plaintext->buf);
12204 rv = crSpec->decompressor(crSpec->decompressContext,
12206 (int*) &databuf->len,
12211 if (rv != SECSuccess) {
12212 int err = ssl_MapLowLevelError(SSL_ERROR_DECOMPRESSION_FAILURE);
12213 SSL3_SendAlert(ss, alert_fatal,
12214 isTLS ? decompression_failure : bad_record_mac);
12216 /* There appears to be a bug with (at least) Apache + OpenSSL where
12217 * resumed SSLv3 connections don't actually use compression. See
12218 * comments 93-95 of
12219 * https://bugzilla.mozilla.org/show_bug.cgi?id=275744
12221 * So, if we get a decompression error, and the record appears to
12222 * be already uncompressed, then we return a more specific error
12223 * code to hopefully save somebody some debugging time in the
12226 if (plaintext->len >= 4) {
12227 unsigned int len = ((unsigned int) plaintext->buf[1] << 16) |
12228 ((unsigned int) plaintext->buf[2] << 8) |
12229 (unsigned int) plaintext->buf[3];
12230 if (len == plaintext->len - 4) {
12231 /* This appears to be uncompressed already */
12232 err = SSL_ERROR_RX_UNEXPECTED_UNCOMPRESSED_RECORD;
12236 PORT_Free(plaintext->buf);
12237 PORT_SetError(err);
12241 PORT_Free(plaintext->buf);
12245 ** Having completed the decompression, check the length again.
12247 if (isTLS && databuf->len > (MAX_FRAGMENT_LENGTH + 1024)) {
12248 SSL3_SendAlert(ss, alert_fatal, record_overflow);
12249 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
12253 /* Application data records are processed by the caller of this
12254 ** function, not by this function.
12256 if (rType == content_application_data) {
12257 if (ss->firstHsDone)
12259 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
12260 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA);
12264 /* It's a record that must be handled by ssl itself, not the application.
12267 /* XXX Get the xmit lock here. Odds are very high that we'll be xmiting
12268 * data ang getting the xmit lock here prevents deadlocks.
12270 ssl_GetSSL3HandshakeLock(ss);
12272 /* All the functions called in this switch MUST set error code if
12273 ** they return SECFailure or SECWouldBlock.
12276 case content_change_cipher_spec:
12277 rv = ssl3_HandleChangeCipherSpecs(ss, databuf);
12279 case content_alert:
12280 rv = ssl3_HandleAlert(ss, databuf);
12282 case content_handshake:
12283 if (!IS_DTLS(ss)) {
12284 rv = ssl3_HandleHandshake(ss, databuf);
12286 rv = dtls_HandleHandshake(ss, databuf);
12290 case content_application_data is handled before this switch
12293 SSL_DBG(("%d: SSL3[%d]: bogus content type=%d",
12294 SSL_GETPID(), ss->fd, cText->type));
12295 /* XXX Send an alert ??? */
12296 PORT_SetError(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE);
12301 ssl_ReleaseSSL3HandshakeLock(ss);
12306 * Initialization functions
12309 /* Called from ssl3_InitState, immediately below. */
12310 /* Caller must hold the SpecWriteLock. */
12312 ssl3_InitCipherSpec(sslSocket *ss, ssl3CipherSpec *spec)
12314 spec->cipher_def = &bulk_cipher_defs[cipher_null];
12315 PORT_Assert(spec->cipher_def->cipher == cipher_null);
12316 spec->mac_def = &mac_defs[mac_null];
12317 PORT_Assert(spec->mac_def->mac == mac_null);
12318 spec->encode = Null_Cipher;
12319 spec->decode = Null_Cipher;
12320 spec->destroy = NULL;
12321 spec->compressor = NULL;
12322 spec->decompressor = NULL;
12323 spec->destroyCompressContext = NULL;
12324 spec->destroyDecompressContext = NULL;
12325 spec->mac_size = 0;
12326 spec->master_secret = NULL;
12327 spec->bypassCiphers = PR_FALSE;
12329 spec->msItem.data = NULL;
12330 spec->msItem.len = 0;
12332 spec->client.write_key = NULL;
12333 spec->client.write_mac_key = NULL;
12334 spec->client.write_mac_context = NULL;
12336 spec->server.write_key = NULL;
12337 spec->server.write_mac_key = NULL;
12338 spec->server.write_mac_context = NULL;
12340 spec->write_seq_num.high = 0;
12341 spec->write_seq_num.low = 0;
12343 spec->read_seq_num.high = 0;
12344 spec->read_seq_num.low = 0;
12347 dtls_InitRecvdRecords(&spec->recvdRecords);
12349 spec->version = ss->vrange.max;
12352 /* Called from: ssl3_SendRecord
12353 ** ssl3_StartHandshakeHash() <- ssl2_BeginClientHandshake()
12354 ** ssl3_SendClientHello()
12355 ** ssl3_HandleV2ClientHello()
12356 ** ssl3_HandleRecord()
12358 ** This function should perhaps acquire and release the SpecWriteLock.
12363 ssl3_InitState(sslSocket *ss)
12365 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
12367 if (ss->ssl3.initialized)
12368 return SECSuccess; /* Function should be idempotent */
12370 ss->ssl3.policy = SSL_ALLOWED;
12372 ssl_GetSpecWriteLock(ss);
12373 ss->ssl3.crSpec = ss->ssl3.cwSpec = &ss->ssl3.specs[0];
12374 ss->ssl3.prSpec = ss->ssl3.pwSpec = &ss->ssl3.specs[1];
12375 ss->ssl3.hs.sendingSCSV = PR_FALSE;
12376 ssl3_InitCipherSpec(ss, ss->ssl3.crSpec);
12377 ssl3_InitCipherSpec(ss, ss->ssl3.prSpec);
12379 ss->ssl3.hs.ws = (ss->sec.isServer) ? wait_client_hello : wait_server_hello;
12380 #ifdef NSS_ENABLE_ECC
12381 ss->ssl3.hs.negotiatedECCurves = ssl3_GetSupportedECCurveMask(ss);
12383 ssl_ReleaseSpecWriteLock(ss);
12385 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
12388 ss->ssl3.hs.sendMessageSeq = 0;
12389 ss->ssl3.hs.recvMessageSeq = 0;
12390 ss->ssl3.hs.rtTimeoutMs = INITIAL_DTLS_TIMEOUT_MS;
12391 ss->ssl3.hs.rtRetries = 0;
12392 ss->ssl3.hs.recvdHighWater = -1;
12393 PR_INIT_CLIST(&ss->ssl3.hs.lastMessageFlight);
12394 dtls_SetMTU(ss, 0); /* Set the MTU to the highest plateau */
12397 PORT_Assert(!ss->ssl3.hs.messages.buf && !ss->ssl3.hs.messages.space);
12398 ss->ssl3.hs.messages.buf = NULL;
12399 ss->ssl3.hs.messages.space = 0;
12401 ss->ssl3.hs.receivedNewSessionTicket = PR_FALSE;
12402 PORT_Memset(&ss->ssl3.hs.newSessionTicket, 0,
12403 sizeof(ss->ssl3.hs.newSessionTicket));
12405 ss->ssl3.initialized = PR_TRUE;
12409 /* Returns a reference counted object that contains a key pair.
12410 * Or NULL on failure. Initial ref count is 1.
12411 * Uses the keys in the pair as input.
12414 ssl3_NewKeyPair( SECKEYPrivateKey * privKey, SECKEYPublicKey * pubKey)
12416 ssl3KeyPair * pair;
12418 if (!privKey || !pubKey) {
12419 PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
12422 pair = PORT_ZNew(ssl3KeyPair);
12424 return NULL; /* error code is set. */
12425 pair->refCount = 1;
12426 pair->privKey = privKey;
12427 pair->pubKey = pubKey;
12428 return pair; /* success */
12432 ssl3_GetKeyPairRef(ssl3KeyPair * keyPair)
12434 PR_ATOMIC_INCREMENT(&keyPair->refCount);
12439 ssl3_FreeKeyPair(ssl3KeyPair * keyPair)
12441 PRInt32 newCount = PR_ATOMIC_DECREMENT(&keyPair->refCount);
12443 if (keyPair->privKey)
12444 SECKEY_DestroyPrivateKey(keyPair->privKey);
12445 if (keyPair->pubKey)
12446 SECKEY_DestroyPublicKey( keyPair->pubKey);
12447 PORT_Free(keyPair);
12454 * Creates the public and private RSA keys for SSL Step down.
12455 * Called from SSL_ConfigSecureServer in sslsecur.c
12458 ssl3_CreateRSAStepDownKeys(sslSocket *ss)
12460 SECStatus rv = SECSuccess;
12461 SECKEYPrivateKey * privKey; /* RSA step down key */
12462 SECKEYPublicKey * pubKey; /* RSA step down key */
12464 if (ss->stepDownKeyPair)
12465 ssl3_FreeKeyPair(ss->stepDownKeyPair);
12466 ss->stepDownKeyPair = NULL;
12467 #ifndef HACKED_EXPORT_SERVER
12468 /* Sigh, should have a get key strength call for private keys */
12469 if (PK11_GetPrivateModulusLen(ss->serverCerts[kt_rsa].SERVERKEY) >
12470 EXPORT_RSA_KEY_LENGTH) {
12471 /* need to ask for the key size in bits */
12472 privKey = SECKEY_CreateRSAPrivateKey(EXPORT_RSA_KEY_LENGTH * BPB,
12474 if (!privKey || !pubKey ||
12475 !(ss->stepDownKeyPair = ssl3_NewKeyPair(privKey, pubKey))) {
12476 ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
12485 /* record the export policy for this cipher suite */
12487 ssl3_SetPolicy(ssl3CipherSuite which, int policy)
12489 ssl3CipherSuiteCfg *suite;
12491 suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
12492 if (suite == NULL) {
12493 return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */
12495 suite->policy = policy;
12501 ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *oPolicy)
12503 ssl3CipherSuiteCfg *suite;
12507 suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
12509 policy = suite->policy;
12512 policy = SSL_NOT_ALLOWED;
12513 rv = SECFailure; /* err code was set by Lookup. */
12519 /* record the user preference for this suite */
12521 ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool enabled)
12523 ssl3CipherSuiteCfg *suite;
12525 suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
12526 if (suite == NULL) {
12527 return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */
12529 suite->enabled = enabled;
12533 /* return the user preference for this suite */
12535 ssl3_CipherPrefGetDefault(ssl3CipherSuite which, PRBool *enabled)
12537 ssl3CipherSuiteCfg *suite;
12541 suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
12543 pref = suite->enabled;
12546 pref = SSL_NOT_ALLOWED;
12547 rv = SECFailure; /* err code was set by Lookup. */
12554 ssl3_CipherPrefSet(sslSocket *ss, ssl3CipherSuite which, PRBool enabled)
12556 ssl3CipherSuiteCfg *suite;
12558 suite = ssl_LookupCipherSuiteCfg(which, ss->cipherSuites);
12559 if (suite == NULL) {
12560 return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */
12562 suite->enabled = enabled;
12567 ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool *enabled)
12569 ssl3CipherSuiteCfg *suite;
12573 suite = ssl_LookupCipherSuiteCfg(which, ss->cipherSuites);
12575 pref = suite->enabled;
12578 pref = SSL_NOT_ALLOWED;
12579 rv = SECFailure; /* err code was set by Lookup. */
12586 ssl3_CipherOrderSet(sslSocket *ss, const ssl3CipherSuite *ciphers, unsigned int len)
12588 /* |i| iterates over |ciphers| while |done| and |j| iterate over
12589 * |ss->cipherSuites|. */
12590 unsigned int i, done;
12592 for (i = done = 0; i < len; i++) {
12593 PRUint16 id = ciphers[i];
12594 unsigned int existingIndex, j;
12595 PRBool found = PR_FALSE;
12597 for (j = done; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
12598 if (ss->cipherSuites[j].cipher_suite == id) {
12609 if (existingIndex != done) {
12610 const ssl3CipherSuiteCfg temp = ss->cipherSuites[done];
12611 ss->cipherSuites[done] = ss->cipherSuites[existingIndex];
12612 ss->cipherSuites[existingIndex] = temp;
12617 /* Disable all cipher suites that weren't included. */
12618 for (; done < ssl_V3_SUITES_IMPLEMENTED; done++) {
12619 ss->cipherSuites[done].enabled = 0;
12625 /* copy global default policy into socket. */
12627 ssl3_InitSocketPolicy(sslSocket *ss)
12629 PORT_Memcpy(ss->cipherSuites, cipherSuites, sizeof cipherSuites);
12633 ssl3_GetTLSUniqueChannelBinding(sslSocket *ss,
12634 unsigned char *out,
12635 unsigned int *outLen,
12636 unsigned int outLenMax) {
12640 SECStatus rv = SECFailure;
12644 ssl_GetSSL3HandshakeLock(ss);
12646 ssl_GetSpecReadLock(ss);
12647 isTLS = (PRBool)(ss->ssl3.cwSpec->version > SSL_LIBRARY_VERSION_3_0);
12648 ssl_ReleaseSpecReadLock(ss);
12650 /* The tls-unique channel binding is the first Finished structure in the
12651 * handshake. In the case of a resumption, that's the server's Finished.
12652 * Otherwise, it's the client's Finished. */
12653 len = ss->ssl3.hs.finishedBytes;
12655 /* Sending or receiving a Finished message will set finishedBytes to a
12656 * non-zero value. */
12658 PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED);
12662 /* If we are in the middle of a renegotiation then the channel binding
12663 * value is poorly defined and depends on the direction that it will be
12664 * used on. Therefore we simply return an error in this case. */
12665 if (ss->firstHsDone && ss->ssl3.hs.ws != idle_handshake) {
12666 PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED);
12670 /* If resuming, then we want the second Finished value in the array, which
12671 * is the server's */
12672 if (ss->ssl3.hs.isResuming)
12676 if (outLenMax < len) {
12677 PORT_SetError(SEC_ERROR_OUTPUT_LEN);
12682 memcpy(out, &ss->ssl3.hs.finishedMsgs.tFinished[index], len);
12684 memcpy(out, &ss->ssl3.hs.finishedMsgs.sFinished[index], len);
12690 ssl_ReleaseSSL3HandshakeLock(ss);
12694 /* ssl3_config_match_init must have already been called by
12695 * the caller of this function.
12698 ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, unsigned char *cs, int *size)
12702 PORT_Assert(ss != 0);
12704 PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
12707 if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
12712 *size = count_cipher_suites(ss, SSL_ALLOWED, PR_TRUE);
12716 /* ssl3_config_match_init was called by the caller of this function. */
12717 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
12718 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
12719 if (config_match(suite, SSL_ALLOWED, PR_TRUE, &ss->vrange)) {
12722 *cs++ = (suite->cipher_suite >> 8) & 0xFF;
12723 *cs++ = suite->cipher_suite & 0xFF;
12733 ** If ssl3 socket has completed the first handshake, and is in idle state,
12734 ** then start a new handshake.
12735 ** If flushCache is true, the SID cache will be flushed first, forcing a
12736 ** "Full" handshake (not a session restart handshake), to be done.
12738 ** called from SSL_RedoHandshake(), which already holds the handshake locks.
12741 ssl3_RedoHandshake(sslSocket *ss, PRBool flushCache)
12743 sslSessionID * sid = ss->sec.ci.sid;
12746 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
12748 if (!ss->firstHsDone ||
12749 ((ss->version >= SSL_LIBRARY_VERSION_3_0) &&
12750 ss->ssl3.initialized &&
12751 (ss->ssl3.hs.ws != idle_handshake))) {
12752 PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED);
12757 dtls_RehandshakeCleanup(ss);
12760 if (ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) {
12761 PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED);
12764 if (sid && flushCache) {
12765 if (ss->sec.uncache)
12766 ss->sec.uncache(sid); /* remove it from whichever cache it's in. */
12767 ssl_FreeSID(sid); /* dec ref count and free if zero. */
12768 ss->sec.ci.sid = NULL;
12771 ssl_GetXmitBufLock(ss); /**************************************/
12773 /* start off a new handshake. */
12774 rv = (ss->sec.isServer) ? ssl3_SendHelloRequest(ss)
12775 : ssl3_SendClientHello(ss, PR_FALSE);
12777 ssl_ReleaseXmitBufLock(ss); /**************************************/
12781 /* Called from ssl_DestroySocketContents() in sslsock.c */
12783 ssl3_DestroySSL3Info(sslSocket *ss)
12786 if (ss->ssl3.clientCertificate != NULL)
12787 CERT_DestroyCertificate(ss->ssl3.clientCertificate);
12789 if (ss->ssl3.clientPrivateKey != NULL)
12790 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
12791 #ifdef NSS_PLATFORM_CLIENT_AUTH
12792 if (ss->ssl3.platformClientKey)
12793 ssl_FreePlatformKey(ss->ssl3.platformClientKey);
12794 #endif /* NSS_PLATFORM_CLIENT_AUTH */
12796 if (ss->ssl3.channelID)
12797 SECKEY_DestroyPrivateKey(ss->ssl3.channelID);
12798 if (ss->ssl3.channelIDPub)
12799 SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
12801 if (ss->ssl3.peerCertArena != NULL)
12802 ssl3_CleanupPeerCerts(ss);
12804 if (ss->ssl3.clientCertChain != NULL) {
12805 CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
12806 ss->ssl3.clientCertChain = NULL;
12809 /* clean up handshake */
12810 #ifndef NO_PKCS11_BYPASS
12811 if (ss->opt.bypassPKCS11) {
12812 if (ss->ssl3.hs.hashType == handshake_hash_combo) {
12813 SHA1_DestroyContext((SHA1Context *)ss->ssl3.hs.sha_cx, PR_FALSE);
12814 MD5_DestroyContext((MD5Context *)ss->ssl3.hs.md5_cx, PR_FALSE);
12815 } else if (ss->ssl3.hs.hashType == handshake_hash_single) {
12816 ss->ssl3.hs.sha_obj->destroy(ss->ssl3.hs.sha_cx, PR_FALSE);
12820 if (ss->ssl3.hs.md5) {
12821 PK11_DestroyContext(ss->ssl3.hs.md5,PR_TRUE);
12823 if (ss->ssl3.hs.sha) {
12824 PK11_DestroyContext(ss->ssl3.hs.sha,PR_TRUE);
12826 if (ss->ssl3.hs.clientSigAndHash) {
12827 PORT_Free(ss->ssl3.hs.clientSigAndHash);
12829 if (ss->ssl3.hs.messages.buf) {
12830 PORT_Free(ss->ssl3.hs.messages.buf);
12831 ss->ssl3.hs.messages.buf = NULL;
12832 ss->ssl3.hs.messages.len = 0;
12833 ss->ssl3.hs.messages.space = 0;
12836 /* free the SSL3Buffer (msg_body) */
12837 PORT_Free(ss->ssl3.hs.msg_body.buf);
12839 SECITEM_FreeItem(&ss->ssl3.hs.newSessionTicket.ticket, PR_FALSE);
12841 /* free up the CipherSpecs */
12842 ssl3_DestroyCipherSpec(&ss->ssl3.specs[0], PR_TRUE/*freeSrvName*/);
12843 ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/);
12845 /* Destroy the DTLS data */
12847 dtls_FreeHandshakeMessages(&ss->ssl3.hs.lastMessageFlight);
12848 if (ss->ssl3.hs.recvdFragments.buf) {
12849 PORT_Free(ss->ssl3.hs.recvdFragments.buf);
12853 ss->ssl3.initialized = PR_FALSE;
12855 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
12858 /* End of ssl3con.c */
projects / platform / framework / web / crosswalk.git / blob