search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Bug 460926 A11y hierachy is broken on Ubuntu 8.10 (GNOME 2.24), r=Evan.Yan sr=roc
[wine-gecko.git] / security / nss / lib / ssl / ssl3con.c
blob5d91759a3d0dbef9898285d341b80f2dfdb351fe
1 /*
2 * SSL3 Protocol
3 *
4 * ***** BEGIN LICENSE BLOCK *****
5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
6 *
7 * The contents of this file are subject to the Mozilla Public License Version
8 * 1.1 (the "License"); you may not use this file except in compliance with
9 * the License. You may obtain a copy of the License at
10 * http://www.mozilla.org/MPL/
11 *
12 * Software distributed under the License is distributed on an "AS IS" basis,
13 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
14 * for the specific language governing rights and limitations under the
15 * License.
16 *
17 * The Original Code is the Netscape security libraries.
18 *
19 * The Initial Developer of the Original Code is
20 * Netscape Communications Corporation.
21 * Portions created by the Initial Developer are Copyright (C) 1994-2000
22 * the Initial Developer. All Rights Reserved.
23 *
24 * Contributor(s):
25 * Dr Stephen Henson <stephen.henson@gemplus.com>
26 * Dr Vipul Gupta <vipul.gupta@sun.com> and
27 * Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
28 *
29 * Alternatively, the contents of this file may be used under the terms of
30 * either the GNU General Public License Version 2 or later (the "GPL"), or
31 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
32 * in which case the provisions of the GPL or the LGPL are applicable instead
33 * of those above. If you wish to allow use of your version of this file only
34 * under the terms of either the GPL or the LGPL, and not to allow others to
35 * use your version of this file under the terms of the MPL, indicate your
36 * decision by deleting the provisions above and replace them with the notice
37 * and other provisions required by the GPL or the LGPL. If you do not delete
38 * the provisions above, a recipient may use your version of this file under
39 * the terms of any one of the MPL, the GPL or the LGPL.
40 *
41 * ***** END LICENSE BLOCK ***** */
42 /* $Id: ssl3con.c,v 1.113 2008/09/22 23:47:00 wtc%google.com Exp $ */
43
44 #include "cert.h"
45 #include "ssl.h"
46 #include "cryptohi.h" /* for DSAU_ stuff */
47 #include "keyhi.h"
48 #include "secder.h"
49 #include "secitem.h"
50
51 #include "sslimpl.h"
52 #include "sslproto.h"
53 #include "sslerr.h"
54 #include "prtime.h"
55 #include "prinrval.h"
56 #include "prerror.h"
57 #include "pratom.h"
58 #include "prthread.h"
59
60 #include "pk11func.h"
61 #include "secmod.h"
62 #include "blapi.h"
63
64 #include <stdio.h>
65
66 #ifndef PK11_SETATTRS
67 #define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \
68 (x)->pValue=(v); (x)->ulValueLen = (l);
69 #endif
70
71 static void ssl3_CleanupPeerCerts(sslSocket *ss);
72 static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
73 PK11SlotInfo * serverKeySlot);
74 static SECStatus ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms);
75 static SECStatus ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss);
76 static SECStatus ssl3_HandshakeFailure( sslSocket *ss);
77 static SECStatus ssl3_InitState( sslSocket *ss);
78 static SECStatus ssl3_SendCertificate( sslSocket *ss);
79 static SECStatus ssl3_SendEmptyCertificate( sslSocket *ss);
80 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss);
81 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags);
82 static SECStatus ssl3_SendServerHello( sslSocket *ss);
83 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss);
84 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss);
85 static SECStatus ssl3_NewHandshakeHashes( sslSocket *ss);
86 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss, unsigned char *b,
87 unsigned int l);
88
89 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen,
90 int maxOutputLen, const unsigned char *input,
91 int inputLen);
92
93 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */
94 #define MIN_SEND_BUF_LENGTH 4000
95
96 #define MAX_CIPHER_SUITES 20
97
98 /* This list of SSL3 cipher suites is sorted in descending order of
99 * precedence (desirability). It only includes cipher suites we implement.
100 * This table is modified by SSL3_SetPolicy(). The ordering of cipher suites
101 * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c)
102 */
103 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
104 /* cipher_suite policy enabled is_present*/
105 #ifdef NSS_ENABLE_ECC
106 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
107 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
108 #endif /* NSS_ENABLE_ECC */
109 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
110 { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
111 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
112 { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
113 #ifdef NSS_ENABLE_ECC
114 { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
115 { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
116 #endif /* NSS_ENABLE_ECC */
117 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
118 { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
119
120 #ifdef NSS_ENABLE_ECC
121 { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
122 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
123 { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
124 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
125 #endif /* NSS_ENABLE_ECC */
126 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
127 { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
128 { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
129 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
130 { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
131 #ifdef NSS_ENABLE_ECC
132 { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
133 { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
134 { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
135 { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
136 #endif /* NSS_ENABLE_ECC */
137 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
138 { SSL_RSA_WITH_RC4_128_MD5, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
139 { SSL_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
140 { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
141
142 #ifdef NSS_ENABLE_ECC
143 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
144 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
145 #endif /* NSS_ENABLE_ECC */
146 { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
147 { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
148 #ifdef NSS_ENABLE_ECC
149 { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
150 { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
151 #endif /* NSS_ENABLE_ECC */
152 { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
153 { SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
154
155
156 { SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
157 { SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
158 { SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
159 { SSL_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
160 { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
161 { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
162
163 { SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
164 { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
165
166 #ifdef NSS_ENABLE_ECC
167 { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
168 { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
169 { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
170 { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
171 #endif /* NSS_ENABLE_ECC */
172 { SSL_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
173 { SSL_RSA_WITH_NULL_MD5, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
174
175 };
176
177 static const /*SSL3CompressionMethod*/ uint8 compressions [] = {
178 compression_null
179 };
180
181 static const int compressionMethodsCount =
182 sizeof(compressions) / sizeof(compressions[0]);
183
184 static const /*SSL3ClientCertificateType */ uint8 certificate_types [] = {
185 ct_RSA_sign,
186 ct_DSS_sign,
187 #ifdef NSS_ENABLE_ECC
188 ct_ECDSA_sign,
189 #endif /* NSS_ENABLE_ECC */
190 };
191
192
193 /*
194 * make sure there is room in the write buffer for padding and
195 * other compression and cryptographic expansions
196 */
197 #define SSL3_BUFFER_FUDGE 100
198
199 #define EXPORT_RSA_KEY_LENGTH 64 /* bytes */
200
201
202 /* This is a hack to make sure we don't do double handshakes for US policy */
203 PRBool ssl3_global_policy_some_restricted = PR_FALSE;
204
205 /* This global item is used only in servers. It is is initialized by
206 ** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest().
207 */
208 CERTDistNames *ssl3_server_ca_list = NULL;
209 static SSL3Statistics ssl3stats;
210
211 /* indexed by SSL3BulkCipher */
212 static const ssl3BulkCipherDef bulk_cipher_defs[] = {
213 /* cipher calg keySz secretSz type ivSz BlkSz keygen */
214 {cipher_null, calg_null, 0, 0, type_stream, 0, 0, kg_null},
215 {cipher_rc4, calg_rc4, 16, 16, type_stream, 0, 0, kg_strong},
216 {cipher_rc4_40, calg_rc4, 16, 5, type_stream, 0, 0, kg_export},
217 {cipher_rc4_56, calg_rc4, 16, 7, type_stream, 0, 0, kg_export},
218 {cipher_rc2, calg_rc2, 16, 16, type_block, 8, 8, kg_strong},
219 {cipher_rc2_40, calg_rc2, 16, 5, type_block, 8, 8, kg_export},
220 {cipher_des, calg_des, 8, 8, type_block, 8, 8, kg_strong},
221 {cipher_3des, calg_3des, 24, 24, type_block, 8, 8, kg_strong},
222 {cipher_des40, calg_des, 8, 5, type_block, 8, 8, kg_export},
223 {cipher_idea, calg_idea, 16, 16, type_block, 8, 8, kg_strong},
224 {cipher_aes_128, calg_aes, 16, 16, type_block, 16,16, kg_strong},
225 {cipher_aes_256, calg_aes, 32, 32, type_block, 16,16, kg_strong},
226 {cipher_camellia_128, calg_camellia,16, 16, type_block, 16,16, kg_strong},
227 {cipher_camellia_256, calg_camellia,32, 32, type_block, 16,16, kg_strong},
228 {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, kg_null},
229 };
230
231 static const ssl3KEADef kea_defs[] =
232 { /* indexed by SSL3KeyExchangeAlgorithm */
233 /* kea exchKeyType signKeyType is_limited limit tls_keygen */
234 {kea_null, kt_null, sign_null, PR_FALSE, 0, PR_FALSE},
235 {kea_rsa, kt_rsa, sign_rsa, PR_FALSE, 0, PR_FALSE},
236 {kea_rsa_export, kt_rsa, sign_rsa, PR_TRUE, 512, PR_FALSE},
237 {kea_rsa_export_1024,kt_rsa, sign_rsa, PR_TRUE, 1024, PR_FALSE},
238 {kea_dh_dss, kt_dh, sign_dsa, PR_FALSE, 0, PR_FALSE},
239 {kea_dh_dss_export, kt_dh, sign_dsa, PR_TRUE, 512, PR_FALSE},
240 {kea_dh_rsa, kt_dh, sign_rsa, PR_FALSE, 0, PR_FALSE},
241 {kea_dh_rsa_export, kt_dh, sign_rsa, PR_TRUE, 512, PR_FALSE},
242 {kea_dhe_dss, kt_dh, sign_dsa, PR_FALSE, 0, PR_FALSE},
243 {kea_dhe_dss_export, kt_dh, sign_dsa, PR_TRUE, 512, PR_FALSE},
244 {kea_dhe_rsa, kt_dh, sign_rsa, PR_FALSE, 0, PR_FALSE},
245 {kea_dhe_rsa_export, kt_dh, sign_rsa, PR_TRUE, 512, PR_FALSE},
246 {kea_dh_anon, kt_dh, sign_null, PR_FALSE, 0, PR_FALSE},
247 {kea_dh_anon_export, kt_dh, sign_null, PR_TRUE, 512, PR_FALSE},
248 {kea_rsa_fips, kt_rsa, sign_rsa, PR_FALSE, 0, PR_TRUE },
249 #ifdef NSS_ENABLE_ECC
250 {kea_ecdh_ecdsa, kt_ecdh, sign_ecdsa, PR_FALSE, 0, PR_FALSE},
251 {kea_ecdhe_ecdsa, kt_ecdh, sign_ecdsa, PR_FALSE, 0, PR_FALSE},
252 {kea_ecdh_rsa, kt_ecdh, sign_rsa, PR_FALSE, 0, PR_FALSE},
253 {kea_ecdhe_rsa, kt_ecdh, sign_rsa, PR_FALSE, 0, PR_FALSE},
254 {kea_ecdh_anon, kt_ecdh, sign_null, PR_FALSE, 0, PR_FALSE},
255 #endif /* NSS_ENABLE_ECC */
256 };
257
258 /* must use ssl_LookupCipherSuiteDef to access */
259 static const ssl3CipherSuiteDef cipher_suite_defs[] =
260 {
261 /* cipher_suite bulk_cipher_alg mac_alg key_exchange_alg */
262
263 {SSL_NULL_WITH_NULL_NULL, cipher_null, mac_null, kea_null},
264 {SSL_RSA_WITH_NULL_MD5, cipher_null, mac_md5, kea_rsa},
265 {SSL_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_rsa},
266 {SSL_RSA_EXPORT_WITH_RC4_40_MD5,cipher_rc4_40, mac_md5, kea_rsa_export},
267 {SSL_RSA_WITH_RC4_128_MD5, cipher_rc4, mac_md5, kea_rsa},
268 {SSL_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_rsa},
269 {SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
270 cipher_rc2_40, mac_md5, kea_rsa_export},
271 #if 0 /* not implemented */
272 {SSL_RSA_WITH_IDEA_CBC_SHA, cipher_idea, mac_sha, kea_rsa},
273 {SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
274 cipher_des40, mac_sha, kea_rsa_export},
275 #endif
276 {SSL_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa},
277 {SSL_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa},
278 {SSL_DHE_DSS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dhe_dss},
279 {SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
280 cipher_3des, mac_sha, kea_dhe_dss},
281 {TLS_DHE_DSS_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_dhe_dss},
282 #if 0 /* not implemented */
283 {SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
284 cipher_des40, mac_sha, kea_dh_dss_export},
285 {SSL_DH_DSS_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_dss},
286 {SSL_DH_DSS_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_dss},
287 {SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
288 cipher_des40, mac_sha, kea_dh_rsa_export},
289 {SSL_DH_RSA_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_rsa},
290 {SSL_DH_RSA_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_rsa},
291 {SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
292 cipher_des40, mac_sha, kea_dh_dss_export},
293 {SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
294 cipher_des40, mac_sha, kea_dh_rsa_export},
295 #endif
296 {SSL_DHE_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dhe_rsa},
297 {SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
298 cipher_3des, mac_sha, kea_dhe_rsa},
299 #if 0
300 {SSL_DH_ANON_EXPORT_RC4_40_MD5, cipher_rc4_40, mac_md5, kea_dh_anon_export},
301 {SSL_DH_ANON_EXPORT_RC4_40_MD5, cipher_rc4, mac_md5, kea_dh_anon_export},
302 {SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA,
303 cipher_des40, mac_sha, kea_dh_anon_export},
304 {SSL_DH_ANON_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_anon},
305 {SSL_DH_ANON_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_anon},
306 #endif
307
308
309 /* New TLS cipher suites */
310 {TLS_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_rsa},
311 {TLS_DHE_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe_dss},
312 {TLS_DHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe_rsa},
313 {TLS_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_rsa},
314 {TLS_DHE_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe_dss},
315 {TLS_DHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe_rsa},
316 #if 0
317 {TLS_DH_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_dss},
318 {TLS_DH_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_rsa},
319 {TLS_DH_ANON_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_anon},
320 {TLS_DH_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_dss},
321 {TLS_DH_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_rsa},
322 {TLS_DH_ANON_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_anon},
323 #endif
324
325 {TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, cipher_camellia_128, mac_sha, kea_rsa},
326 {TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
327 cipher_camellia_128, mac_sha, kea_dhe_dss},
328 {TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
329 cipher_camellia_128, mac_sha, kea_dhe_rsa},
330 {TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, cipher_camellia_256, mac_sha, kea_rsa},
331 {TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
332 cipher_camellia_256, mac_sha, kea_dhe_dss},
333 {TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
334 cipher_camellia_256, mac_sha, kea_dhe_rsa},
335
336 {TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
337 cipher_des, mac_sha,kea_rsa_export_1024},
338 {TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
339 cipher_rc4_56, mac_sha,kea_rsa_export_1024},
340
341 {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips},
342 {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips},
343
344 #ifdef NSS_ENABLE_ECC
345 {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa},
346 {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa},
347 {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa},
348 {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecdsa},
349 {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecdsa},
350
351 {TLS_ECDHE_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_ecdsa},
352 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_ecdsa},
353 {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecdsa},
354 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_ecdsa},
355 {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_ecdsa},
356
357 {TLS_ECDH_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_rsa},
358 {TLS_ECDH_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_rsa},
359 {TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_rsa},
360 {TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_rsa},
361 {TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_rsa},
362
363 {TLS_ECDHE_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_rsa},
364 {TLS_ECDHE_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_rsa},
365 {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_rsa},
366 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_rsa},
367 {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_rsa},
368
369 #if 0
370 {TLS_ECDH_anon_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_anon},
371 {TLS_ECDH_anon_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_anon},
372 {TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_anon},
373 {TLS_ECDH_anon_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_anon},
374 {TLS_ECDH_anon_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_anon},
375 #endif
376 #endif /* NSS_ENABLE_ECC */
377 };
378
379 static const CK_MECHANISM_TYPE kea_alg_defs[] = {
380 0x80000000L,
381 CKM_RSA_PKCS,
382 CKM_DH_PKCS_DERIVE,
383 CKM_KEA_KEY_DERIVE,
384 CKM_ECDH1_DERIVE
385 };
386
387 typedef struct SSLCipher2MechStr {
388 SSLCipherAlgorithm calg;
389 CK_MECHANISM_TYPE cmech;
390 } SSLCipher2Mech;
391
392 /* indexed by type SSLCipherAlgorithm */
393 static const SSLCipher2Mech alg2Mech[] = {
394 /* calg, cmech */
395 { calg_null , (CK_MECHANISM_TYPE)0x80000000L },
396 { calg_rc4 , CKM_RC4 },
397 { calg_rc2 , CKM_RC2_CBC },
398 { calg_des , CKM_DES_CBC },
399 { calg_3des , CKM_DES3_CBC },
400 { calg_idea , CKM_IDEA_CBC },
401 { calg_fortezza , CKM_SKIPJACK_CBC64 },
402 { calg_aes , CKM_AES_CBC },
403 { calg_camellia , CKM_CAMELLIA_CBC },
404 /* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */
405 };
406
407 #define mmech_null (CK_MECHANISM_TYPE)0x80000000L
408 #define mmech_md5 CKM_SSL3_MD5_MAC
409 #define mmech_sha CKM_SSL3_SHA1_MAC
410 #define mmech_md5_hmac CKM_MD5_HMAC
411 #define mmech_sha_hmac CKM_SHA_1_HMAC
412
413 static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */
414 /* mac mmech pad_size mac_size */
415 { mac_null, mmech_null, 0, 0 },
416 { mac_md5, mmech_md5, 48, MD5_LENGTH },
417 { mac_sha, mmech_sha, 40, SHA1_LENGTH},
418 {hmac_md5, mmech_md5_hmac, 48, MD5_LENGTH },
419 {hmac_sha, mmech_sha_hmac, 40, SHA1_LENGTH},
420 };
421
422 /* indexed by SSL3BulkCipher */
423 const char * const ssl3_cipherName[] = {
424 "NULL",
425 "RC4",
426 "RC4-40",
427 "RC4-56",
428 "RC2-CBC",
429 "RC2-CBC-40",
430 "DES-CBC",
431 "3DES-EDE-CBC",
432 "DES-CBC-40",
433 "IDEA-CBC",
434 "AES-128",
435 "AES-256",
436 "Camellia-128",
437 "Camellia-256",
438 "missing"
439 };
440
441 #ifdef NSS_ENABLE_ECC
442 /* The ECCWrappedKeyInfo structure defines how various pieces of
443 * information are laid out within wrappedSymmetricWrappingkey
444 * for ECDH key exchange. Since wrappedSymmetricWrappingkey is
445 * a 512-byte buffer (see sslimpl.h), the variable length field
446 * in ECCWrappedKeyInfo can be at most (512 - 8) = 504 bytes.
447 *
448 * XXX For now, NSS only supports named elliptic curves of size 571 bits
449 * or smaller. The public value will fit within 145 bytes and EC params
450 * will fit within 12 bytes. We'll need to revisit this when NSS
451 * supports arbitrary curves.
452 */
453 #define MAX_EC_WRAPPED_KEY_BUFLEN 504
454
455 typedef struct ECCWrappedKeyInfoStr {
456 PRUint16 size; /* EC public key size in bits */
457 PRUint16 encodedParamLen; /* length (in bytes) of DER encoded EC params */
458 PRUint16 pubValueLen; /* length (in bytes) of EC public value */
459 PRUint16 wrappedKeyLen; /* length (in bytes) of the wrapped key */
460 PRUint8 var[MAX_EC_WRAPPED_KEY_BUFLEN]; /* this buffer contains the */
461 /* EC public-key params, the EC public value and the wrapped key */
462 } ECCWrappedKeyInfo;
463 #endif /* NSS_ENABLE_ECC */
464
465 #if defined(TRACE)
466
467 static char *
468 ssl3_DecodeHandshakeType(int msgType)
469 {
470 char * rv;
471 static char line[40];
472
473 switch(msgType) {
474 case hello_request: rv = "hello_request (0)"; break;
475 case client_hello: rv = "client_hello (1)"; break;
476 case server_hello: rv = "server_hello (2)"; break;
477 case certificate: rv = "certificate (11)"; break;
478 case server_key_exchange: rv = "server_key_exchange (12)"; break;
479 case certificate_request: rv = "certificate_request (13)"; break;
480 case server_hello_done: rv = "server_hello_done (14)"; break;
481 case certificate_verify: rv = "certificate_verify (15)"; break;
482 case client_key_exchange: rv = "client_key_exchange (16)"; break;
483 case finished: rv = "finished (20)"; break;
484 default:
485 sprintf(line, "*UNKNOWN* handshake type! (%d)", msgType);
486 rv = line;
487 }
488 return rv;
489 }
490
491 static char *
492 ssl3_DecodeContentType(int msgType)
493 {
494 char * rv;
495 static char line[40];
496
497 switch(msgType) {
498 case content_change_cipher_spec:
499 rv = "change_cipher_spec (20)"; break;
500 case content_alert: rv = "alert (21)"; break;
501 case content_handshake: rv = "handshake (22)"; break;
502 case content_application_data:
503 rv = "application_data (23)"; break;
504 default:
505 sprintf(line, "*UNKNOWN* record type! (%d)", msgType);
506 rv = line;
507 }
508 return rv;
509 }
510
511 #endif
512
513 SSL3Statistics *
514 SSL_GetStatistics(void)
515 {
516 return &ssl3stats;
517 }
518
519 typedef struct tooLongStr {
520 #if defined(IS_LITTLE_ENDIAN)
521 PRInt32 low;
522 PRInt32 high;
523 #else
524 PRInt32 high;
525 PRInt32 low;
526 #endif
527 } tooLong;
528
529 void SSL_AtomicIncrementLong(long * x)
530 {
531 if ((sizeof *x) == sizeof(PRInt32)) {
532 PR_AtomicIncrement((PRInt32 *)x);
533 } else {
534 tooLong * tl = (tooLong *)x;
535 if (PR_AtomicIncrement(&tl->low) == 0)
536 PR_AtomicIncrement(&tl->high);
537 }
538 }
539
540 /* return pointer to ssl3CipherSuiteDef for suite, or NULL */
541 /* XXX This does a linear search. A binary search would be better. */
542 static const ssl3CipherSuiteDef *
543 ssl_LookupCipherSuiteDef(ssl3CipherSuite suite)
544 {
545 int cipher_suite_def_len =
546 sizeof(cipher_suite_defs) / sizeof(cipher_suite_defs[0]);
547 int i;
548
549 for (i = 0; i < cipher_suite_def_len; i++) {
550 if (cipher_suite_defs[i].cipher_suite == suite)
551 return &cipher_suite_defs[i];
552 }
553 PORT_Assert(PR_FALSE); /* We should never get here. */
554 PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
555 return NULL;
556 }
557
558 /* Find the cipher configuration struct associate with suite */
559 /* XXX This does a linear search. A binary search would be better. */
560 static ssl3CipherSuiteCfg *
561 ssl_LookupCipherSuiteCfg(ssl3CipherSuite suite, ssl3CipherSuiteCfg *suites)
562 {
563 int i;
564
565 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
566 if (suites[i].cipher_suite == suite)
567 return &suites[i];
568 }
569 /* return NULL and let the caller handle it. */
570 PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
571 return NULL;
572 }
573
574
575 /* Initialize the suite->isPresent value for config_match
576 * Returns count of enabled ciphers supported by extant tokens,
577 * regardless of policy or user preference.
578 * If this returns zero, the user cannot do SSL v3.
579 */
580 int
581 ssl3_config_match_init(sslSocket *ss)
582 {
583 ssl3CipherSuiteCfg * suite;
584 const ssl3CipherSuiteDef *cipher_def;
585 SSLCipherAlgorithm cipher_alg;
586 CK_MECHANISM_TYPE cipher_mech;
587 SSL3KEAType exchKeyType;
588 int i;
589 int numPresent = 0;
590 int numEnabled = 0;
591 PRBool isServer;
592 sslServerCerts *svrAuth;
593
594 PORT_Assert(ss);
595 if (!ss) {
596 PORT_SetError(SEC_ERROR_INVALID_ARGS);
597 return 0;
598 }
599 if (!ss->opt.enableSSL3 && !ss->opt.enableTLS) {
600 return 0;
601 }
602 isServer = (PRBool)(ss->sec.isServer != 0);
603
604 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
605 suite = &ss->cipherSuites[i];
606 if (suite->enabled) {
607 ++numEnabled;
608 /* We need the cipher defs to see if we have a token that can handle
609 * this cipher. It isn't part of the static definition.
610 */
611 cipher_def = ssl_LookupCipherSuiteDef(suite->cipher_suite);
612 if (!cipher_def) {
613 suite->isPresent = PR_FALSE;
614 continue;
615 }
616 cipher_alg=bulk_cipher_defs[cipher_def->bulk_cipher_alg ].calg;
617 PORT_Assert( alg2Mech[cipher_alg].calg == cipher_alg);
618 cipher_mech = alg2Mech[cipher_alg].cmech;
619 exchKeyType =
620 kea_defs[cipher_def->key_exchange_alg].exchKeyType;
621 #ifndef NSS_ENABLE_ECC
622 svrAuth = ss->serverCerts + exchKeyType;
623 #else
624 /* XXX SSLKEAType isn't really a good choice for
625 * indexing certificates. It doesn't work for
626 * (EC)DHE-* ciphers. Here we use a hack to ensure
627 * that the server uses an RSA cert for (EC)DHE-RSA.
628 */
629 switch (cipher_def->key_exchange_alg) {
630 case kea_ecdhe_rsa:
631 #if NSS_SERVER_DHE_IMPLEMENTED
632 /* XXX NSS does not yet implement the server side of _DHE_
633 * cipher suites. Correcting the computation for svrAuth,
634 * as the case below does, causes NSS SSL servers to begin to
635 * negotiate cipher suites they do not implement. So, until
636 * server side _DHE_ is implemented, keep this disabled.
637 */
638 case kea_dhe_rsa:
639 #endif
640 svrAuth = ss->serverCerts + kt_rsa;
641 break;
642 case kea_ecdh_ecdsa:
643 case kea_ecdh_rsa:
644 /*
645 * XXX We ought to have different indices for
646 * ECDSA- and RSA-signed EC certificates so
647 * we could support both key exchange mechanisms
648 * simultaneously. For now, both of them use
649 * whatever is in the certificate slot for kt_ecdh
650 */
651 default:
652 svrAuth = ss->serverCerts + exchKeyType;
653 break;
654 }
655 #endif /* NSS_ENABLE_ECC */
656
657 /* Mark the suites that are backed by real tokens, certs and keys */
658 suite->isPresent = (PRBool)
659 (((exchKeyType == kt_null) ||
660 ((!isServer || (svrAuth->serverKeyPair &&
661 svrAuth->SERVERKEY &&
662 svrAuth->serverCertChain)) &&
663 PK11_TokenExists(kea_alg_defs[exchKeyType]))) &&
664 ((cipher_alg == calg_null) || PK11_TokenExists(cipher_mech)));
665 if (suite->isPresent)
666 ++numPresent;
667 }
668 }
669 PORT_Assert(numPresent > 0 || numEnabled == 0);
670 if (numPresent <= 0) {
671 PORT_SetError(SSL_ERROR_NO_CIPHERS_SUPPORTED);
672 }
673 return numPresent;
674 }
675
676
677 /* return PR_TRUE if suite matches policy and enabled state */
678 /* It would be a REALLY BAD THING (tm) if we ever permitted the use
679 ** of a cipher that was NOT_ALLOWED. So, if this is ever called with
680 ** policy == SSL_NOT_ALLOWED, report no match.
681 */
682 /* adjust suite enabled to the availability of a token that can do the
683 * cipher suite. */
684 static PRBool
685 config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled)
686 {
687 PORT_Assert(policy != SSL_NOT_ALLOWED && enabled != PR_FALSE);
688 if (policy == SSL_NOT_ALLOWED || !enabled)
689 return PR_FALSE;
690 return (PRBool)(suite->enabled &&
691 suite->isPresent &&
692 suite->policy != SSL_NOT_ALLOWED &&
693 suite->policy <= policy);
694 }
695
696 /* return number of cipher suites that match policy and enabled state */
697 /* called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */
698 static int
699 count_cipher_suites(sslSocket *ss, int policy, PRBool enabled)
700 {
701 int i, count = 0;
702
703 if (!ss->opt.enableSSL3 && !ss->opt.enableTLS) {
704 return 0;
705 }
706 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
707 if (config_match(&ss->cipherSuites[i], policy, enabled))
708 count++;
709 }
710 if (count <= 0) {
711 PORT_SetError(SSL_ERROR_SSL_DISABLED);
712 }
713 return count;
714 }
715
716 static PRBool
717 anyRestrictedEnabled(sslSocket *ss)
718 {
719 int i;
720
721 if (!ss->opt.enableSSL3 && !ss->opt.enableTLS) {
722 return PR_FALSE;
723 }
724 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
725 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
726 if (suite->policy == SSL_RESTRICTED &&
727 suite->enabled &&
728 suite->isPresent)
729 return PR_TRUE;
730 }
731 return PR_FALSE;
732 }
733
734 /*
735 * Null compression, mac and encryption functions
736 */
737
738 static SECStatus
739 Null_Cipher(void *ctx, unsigned char *output, int *outputLen, int maxOutputLen,
740 const unsigned char *input, int inputLen)
741 {
742 *outputLen = inputLen;
743 if (input != output)
744 PORT_Memcpy(output, input, inputLen);
745 return SECSuccess;
746 }
747
748 /*
749 * SSL3 Utility functions
750 */
751
752 SECStatus
753 ssl3_NegotiateVersion(sslSocket *ss, SSL3ProtocolVersion peerVersion)
754 {
755 SSL3ProtocolVersion version;
756 SSL3ProtocolVersion maxVersion;
757
758 if (ss->opt.enableTLS) {
759 maxVersion = SSL_LIBRARY_VERSION_3_1_TLS;
760 } else if (ss->opt.enableSSL3) {
761 maxVersion = SSL_LIBRARY_VERSION_3_0;
762 } else {
763 /* what are we doing here? */
764 PORT_Assert(ss->opt.enableSSL3 || ss->opt.enableTLS);
765 PORT_SetError(SSL_ERROR_SSL_DISABLED);
766 return SECFailure;
767 }
768
769 ss->version = version = PR_MIN(maxVersion, peerVersion);
770
771 if ((version == SSL_LIBRARY_VERSION_3_1_TLS && ss->opt.enableTLS) ||
772 (version == SSL_LIBRARY_VERSION_3_0 && ss->opt.enableSSL3)) {
773 return SECSuccess;
774 }
775
776 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
777 return SECFailure;
778
779 }
780
781 static SECStatus
782 ssl3_GetNewRandom(SSL3Random *random)
783 {
784 PRUint32 gmt = ssl_Time();
785 SECStatus rv;
786
787 random->rand[0] = (unsigned char)(gmt >> 24);
788 random->rand[1] = (unsigned char)(gmt >> 16);
789 random->rand[2] = (unsigned char)(gmt >> 8);
790 random->rand[3] = (unsigned char)(gmt);
791
792 /* first 4 bytes are reserverd for time */
793 rv = PK11_GenerateRandom(&random->rand[4], SSL3_RANDOM_LENGTH - 4);
794 if (rv != SECSuccess) {
795 ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
796 }
797 return rv;
798 }
799
800 /* Called by ssl3_SendServerKeyExchange and ssl3_SendCertificateVerify */
801 SECStatus
802 ssl3_SignHashes(SSL3Hashes *hash, SECKEYPrivateKey *key, SECItem *buf,
803 PRBool isTLS)
804 {
805 SECStatus rv = SECFailure;
806 PRBool doDerEncode = PR_FALSE;
807 int signatureLen;
808 SECItem hashItem;
809
810 buf->data = NULL;
811 signatureLen = PK11_SignatureLen(key);
812 if (signatureLen <= 0) {
813 PORT_SetError(SEC_ERROR_INVALID_KEY);
814 goto done;
815 }
816
817 buf->len = (unsigned)signatureLen;
818 buf->data = (unsigned char *)PORT_Alloc(signatureLen);
819 if (!buf->data)
820 goto done; /* error code was set. */
821
822 switch (key->keyType) {
823 case rsaKey:
824 hashItem.data = hash->md5;
825 hashItem.len = sizeof(SSL3Hashes);
826 break;
827 case dsaKey:
828 doDerEncode = isTLS;
829 hashItem.data = hash->sha;
830 hashItem.len = sizeof(hash->sha);
831 break;
832 #ifdef NSS_ENABLE_ECC
833 case ecKey:
834 doDerEncode = PR_TRUE;
835 hashItem.data = hash->sha;
836 hashItem.len = sizeof(hash->sha);
837 break;
838 #endif /* NSS_ENABLE_ECC */
839 default:
840 PORT_SetError(SEC_ERROR_INVALID_KEY);
841 goto done;
842 }
843 PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len));
844
845 rv = PK11_Sign(key, buf, &hashItem);
846 if (rv != SECSuccess) {
847 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE);
848 } else if (doDerEncode) {
849 SECItem derSig = {siBuffer, NULL, 0};
850
851 /* This also works for an ECDSA signature */
852 rv = DSAU_EncodeDerSigWithLen(&derSig, buf, buf->len);
853 if (rv == SECSuccess) {
854 PORT_Free(buf->data); /* discard unencoded signature. */
855 *buf = derSig; /* give caller encoded signature. */
856 } else if (derSig.data) {
857 PORT_Free(derSig.data);
858 }
859 }
860
861 PRINT_BUF(60, (NULL, "signed hashes", (unsigned char*)buf->data, buf->len));
862 done:
863 if (rv != SECSuccess && buf->data) {
864 PORT_Free(buf->data);
865 buf->data = NULL;
866 }
867 return rv;
868 }
869
870 /* Called from ssl3_HandleServerKeyExchange, ssl3_HandleCertificateVerify */
871 SECStatus
872 ssl3_VerifySignedHashes(SSL3Hashes *hash, CERTCertificate *cert,
873 SECItem *buf, PRBool isTLS, void *pwArg)
874 {
875 SECKEYPublicKey * key;
876 SECItem * signature = NULL;
877 SECStatus rv;
878 SECItem hashItem;
879 #ifdef NSS_ENABLE_ECC
880 unsigned int len;
881 #endif /* NSS_ENABLE_ECC */
882
883
884 PRINT_BUF(60, (NULL, "check signed hashes",
885 buf->data, buf->len));
886
887 key = CERT_ExtractPublicKey(cert);
888 if (key == NULL) {
889 /* CERT_ExtractPublicKey doesn't set error code */
890 PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
891 return SECFailure;
892 }
893
894 switch (key->keyType) {
895 case rsaKey:
896 hashItem.data = hash->md5;
897 hashItem.len = sizeof(SSL3Hashes);
898 break;
899 case dsaKey:
900 hashItem.data = hash->sha;
901 hashItem.len = sizeof(hash->sha);
902 if (isTLS) {
903 signature = DSAU_DecodeDerSig(buf);
904 if (!signature) {
905 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
906 return SECFailure;
907 }
908 buf = signature;
909 }
910 break;
911
912 #ifdef NSS_ENABLE_ECC
913 case ecKey:
914 hashItem.data = hash->sha;
915 hashItem.len = sizeof(hash->sha);
916 /*
917 * ECDSA signatures always encode the integers r and s
918 * using ASN (unlike DSA where ASN encoding is used
919 * with TLS but not with SSL3)
920 */
921 len = SECKEY_SignatureLen(key);
922 if (len == 0) {
923 SECKEY_DestroyPublicKey(key);
924 PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
925 return SECFailure;
926 }
927 signature = DSAU_DecodeDerSigToLen(buf, len);
928 if (!signature) {
929 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
930 return SECFailure;
931 }
932 buf = signature;
933 break;
934 #endif /* NSS_ENABLE_ECC */
935
936 default:
937 SECKEY_DestroyPublicKey(key);
938 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
939 return SECFailure;
940 }
941
942 PRINT_BUF(60, (NULL, "hash(es) to be verified",
943 hashItem.data, hashItem.len));
944
945 rv = PK11_Verify(key, buf, &hashItem, pwArg);
946 SECKEY_DestroyPublicKey(key);
947 if (signature) {
948 SECITEM_FreeItem(signature, PR_TRUE);
949 }
950 if (rv != SECSuccess) {
951 ssl_MapLowLevelError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
952 }
953 return rv;
954 }
955
956
957 /* Caller must set hiLevel error code. */
958 /* Called from ssl3_ComputeExportRSAKeyHash
959 * ssl3_ComputeDHKeyHash
960 * which are called from ssl3_HandleServerKeyExchange.
961 */
962 SECStatus
963 ssl3_ComputeCommonKeyHash(PRUint8 * hashBuf, unsigned int bufLen,
964 SSL3Hashes *hashes, PRBool bypassPKCS11)
965 {
966 SECStatus rv = SECSuccess;
967
968 if (bypassPKCS11) {
969 MD5_HashBuf (hashes->md5, hashBuf, bufLen);
970 SHA1_HashBuf(hashes->sha, hashBuf, bufLen);
971 } else {
972 rv = PK11_HashBuf(SEC_OID_MD5, hashes->md5, hashBuf, bufLen);
973 if (rv != SECSuccess) {
974 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
975 rv = SECFailure;
976 goto done;
977 }
978
979 rv = PK11_HashBuf(SEC_OID_SHA1, hashes->sha, hashBuf, bufLen);
980 if (rv != SECSuccess) {
981 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
982 rv = SECFailure;
983 }
984 }
985 done:
986 return rv;
987 }
988
989 /* Caller must set hiLevel error code.
990 ** Called from ssl3_SendServerKeyExchange and
991 ** ssl3_HandleServerKeyExchange.
992 */
993 static SECStatus
994 ssl3_ComputeExportRSAKeyHash(SECItem modulus, SECItem publicExponent,
995 SSL3Random *client_rand, SSL3Random *server_rand,
996 SSL3Hashes *hashes, PRBool bypassPKCS11)
997 {
998 PRUint8 * hashBuf;
999 PRUint8 * pBuf;
1000 SECStatus rv = SECSuccess;
1001 unsigned int bufLen;
1002 PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8];
1003
1004 bufLen = 2*SSL3_RANDOM_LENGTH + 2 + modulus.len + 2 + publicExponent.len;
1005 if (bufLen <= sizeof buf) {
1006 hashBuf = buf;
1007 } else {
1008 hashBuf = PORT_Alloc(bufLen);
1009 if (!hashBuf) {
1010 return SECFailure;
1011 }
1012 }
1013
1014 memcpy(hashBuf, client_rand, SSL3_RANDOM_LENGTH);
1015 pBuf = hashBuf + SSL3_RANDOM_LENGTH;
1016 memcpy(pBuf, server_rand, SSL3_RANDOM_LENGTH);
1017 pBuf += SSL3_RANDOM_LENGTH;
1018 pBuf[0] = (PRUint8)(modulus.len >> 8);
1019 pBuf[1] = (PRUint8)(modulus.len);
1020 pBuf += 2;
1021 memcpy(pBuf, modulus.data, modulus.len);
1022 pBuf += modulus.len;
1023 pBuf[0] = (PRUint8)(publicExponent.len >> 8);
1024 pBuf[1] = (PRUint8)(publicExponent.len);
1025 pBuf += 2;
1026 memcpy(pBuf, publicExponent.data, publicExponent.len);
1027 pBuf += publicExponent.len;
1028 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen);
1029
1030 rv = ssl3_ComputeCommonKeyHash(hashBuf, bufLen, hashes, bypassPKCS11);
1031
1032 PRINT_BUF(95, (NULL, "RSAkey hash: ", hashBuf, bufLen));
1033 PRINT_BUF(95, (NULL, "RSAkey hash: MD5 result", hashes->md5, MD5_LENGTH));
1034 PRINT_BUF(95, (NULL, "RSAkey hash: SHA1 result", hashes->sha, SHA1_LENGTH));
1035
1036 if (hashBuf != buf && hashBuf != NULL)
1037 PORT_Free(hashBuf);
1038 return rv;
1039 }
1040
1041 /* Caller must set hiLevel error code. */
1042 /* Called from ssl3_HandleServerKeyExchange. */
1043 static SECStatus
1044 ssl3_ComputeDHKeyHash(SECItem dh_p, SECItem dh_g, SECItem dh_Ys,
1045 SSL3Random *client_rand, SSL3Random *server_rand,
1046 SSL3Hashes *hashes, PRBool bypassPKCS11)
1047 {
1048 PRUint8 * hashBuf;
1049 PRUint8 * pBuf;
1050 SECStatus rv = SECSuccess;
1051 unsigned int bufLen;
1052 PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8];
1053
1054 bufLen = 2*SSL3_RANDOM_LENGTH + 2 + dh_p.len + 2 + dh_g.len + 2 + dh_Ys.len;
1055 if (bufLen <= sizeof buf) {
1056 hashBuf = buf;
1057 } else {
1058 hashBuf = PORT_Alloc(bufLen);
1059 if (!hashBuf) {
1060 return SECFailure;
1061 }
1062 }
1063
1064 memcpy(hashBuf, client_rand, SSL3_RANDOM_LENGTH);
1065 pBuf = hashBuf + SSL3_RANDOM_LENGTH;
1066 memcpy(pBuf, server_rand, SSL3_RANDOM_LENGTH);
1067 pBuf += SSL3_RANDOM_LENGTH;
1068 pBuf[0] = (PRUint8)(dh_p.len >> 8);
1069 pBuf[1] = (PRUint8)(dh_p.len);
1070 pBuf += 2;
1071 memcpy(pBuf, dh_p.data, dh_p.len);
1072 pBuf += dh_p.len;
1073 pBuf[0] = (PRUint8)(dh_g.len >> 8);
1074 pBuf[1] = (PRUint8)(dh_g.len);
1075 pBuf += 2;
1076 memcpy(pBuf, dh_g.data, dh_g.len);
1077 pBuf += dh_g.len;
1078 pBuf[0] = (PRUint8)(dh_Ys.len >> 8);
1079 pBuf[1] = (PRUint8)(dh_Ys.len);
1080 pBuf += 2;
1081 memcpy(pBuf, dh_Ys.data, dh_Ys.len);
1082 pBuf += dh_Ys.len;
1083 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen);
1084
1085 rv = ssl3_ComputeCommonKeyHash(hashBuf, bufLen, hashes, bypassPKCS11);
1086
1087 PRINT_BUF(95, (NULL, "DHkey hash: ", hashBuf, bufLen));
1088 PRINT_BUF(95, (NULL, "DHkey hash: MD5 result", hashes->md5, MD5_LENGTH));
1089 PRINT_BUF(95, (NULL, "DHkey hash: SHA1 result", hashes->sha, SHA1_LENGTH));
1090
1091 if (hashBuf != buf && hashBuf != NULL)
1092 PORT_Free(hashBuf);
1093 return rv;
1094 }
1095
1096 static void
1097 ssl3_BumpSequenceNumber(SSL3SequenceNumber *num)
1098 {
1099 num->low++;
1100 if (num->low == 0)
1101 num->high++;
1102 }
1103
1104 /* Called twice, only from ssl3_DestroyCipherSpec (immediately below). */
1105 static void
1106 ssl3_CleanupKeyMaterial(ssl3KeyMaterial *mat)
1107 {
1108 if (mat->write_key != NULL) {
1109 PK11_FreeSymKey(mat->write_key);
1110 mat->write_key = NULL;
1111 }
1112 if (mat->write_mac_key != NULL) {
1113 PK11_FreeSymKey(mat->write_mac_key);
1114 mat->write_mac_key = NULL;
1115 }
1116 if (mat->write_mac_context != NULL) {
1117 PK11_DestroyContext(mat->write_mac_context, PR_TRUE);
1118 mat->write_mac_context = NULL;
1119 }
1120 }
1121
1122 /* Called from ssl3_SendChangeCipherSpecs() and
1123 ** ssl3_HandleChangeCipherSpecs()
1124 ** ssl3_DestroySSL3Info
1125 ** Caller must hold SpecWriteLock.
1126 */
1127 static void
1128 ssl3_DestroyCipherSpec(ssl3CipherSpec *spec)
1129 {
1130 PRBool freeit = (PRBool)(!spec->bypassCiphers);
1131 /* PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); Don't have ss! */
1132 if (spec->destroy) {
1133 spec->destroy(spec->encodeContext, freeit);
1134 spec->destroy(spec->decodeContext, freeit);
1135 spec->encodeContext = NULL; /* paranoia */
1136 spec->decodeContext = NULL;
1137 }
1138 if (spec->master_secret != NULL) {
1139 PK11_FreeSymKey(spec->master_secret);
1140 spec->master_secret = NULL;
1141 }
1142 spec->msItem.data = NULL;
1143 spec->msItem.len = 0;
1144 ssl3_CleanupKeyMaterial(&spec->client);
1145 ssl3_CleanupKeyMaterial(&spec->server);
1146 spec->bypassCiphers = PR_FALSE;
1147 spec->destroy=NULL;
1148 }
1149
1150 /* Fill in the pending cipher spec with info from the selected ciphersuite.
1151 ** This is as much initialization as we can do without having key material.
1152 ** Called from ssl3_HandleServerHello(), ssl3_SendServerHello()
1153 ** Caller must hold the ssl3 handshake lock.
1154 ** Acquires & releases SpecWriteLock.
1155 */
1156 static SECStatus
1157 ssl3_SetupPendingCipherSpec(sslSocket *ss)
1158 {
1159 ssl3CipherSpec * pwSpec;
1160 ssl3CipherSpec * cwSpec;
1161 ssl3CipherSuite suite = ss->ssl3.hs.cipher_suite;
1162 SSL3MACAlgorithm mac;
1163 SSL3BulkCipher cipher;
1164 SSL3KeyExchangeAlgorithm kea;
1165 const ssl3CipherSuiteDef *suite_def;
1166 PRBool isTLS;
1167
1168 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
1169
1170 ssl_GetSpecWriteLock(ss); /*******************************/
1171
1172 pwSpec = ss->ssl3.pwSpec;
1173 PORT_Assert(pwSpec == ss->ssl3.prSpec);
1174
1175 /* This hack provides maximal interoperability with SSL 3 servers. */
1176 cwSpec = ss->ssl3.cwSpec;
1177 if (cwSpec->mac_def->mac == mac_null) {
1178 /* SSL records are not being MACed. */
1179 cwSpec->version = ss->version;
1180 }
1181
1182 pwSpec->version = ss->version;
1183 isTLS = (PRBool)(pwSpec->version > SSL_LIBRARY_VERSION_3_0);
1184
1185 SSL_TRC(3, ("%d: SSL3[%d]: Set XXX Pending Cipher Suite to 0x%04x",
1186 SSL_GETPID(), ss->fd, suite));
1187
1188 suite_def = ssl_LookupCipherSuiteDef(suite);
1189 if (suite_def == NULL) {
1190 ssl_ReleaseSpecWriteLock(ss);
1191 return SECFailure; /* error code set by ssl_LookupCipherSuiteDef */
1192 }
1193
1194
1195 cipher = suite_def->bulk_cipher_alg;
1196 kea = suite_def->key_exchange_alg;
1197 mac = suite_def->mac_alg;
1198 if (isTLS)
1199 mac += 2;
1200
1201 ss->ssl3.hs.suite_def = suite_def;
1202 ss->ssl3.hs.kea_def = &kea_defs[kea];
1203 PORT_Assert(ss->ssl3.hs.kea_def->kea == kea);
1204
1205 pwSpec->cipher_def = &bulk_cipher_defs[cipher];
1206 PORT_Assert(pwSpec->cipher_def->cipher == cipher);
1207
1208 pwSpec->mac_def = &mac_defs[mac];
1209 PORT_Assert(pwSpec->mac_def->mac == mac);
1210
1211 ss->sec.keyBits = pwSpec->cipher_def->key_size * BPB;
1212 ss->sec.secretKeyBits = pwSpec->cipher_def->secret_key_size * BPB;
1213 ss->sec.cipherType = cipher;
1214
1215 pwSpec->encodeContext = NULL;
1216 pwSpec->decodeContext = NULL;
1217
1218 pwSpec->mac_size = pwSpec->mac_def->mac_size;
1219
1220 ssl_ReleaseSpecWriteLock(ss); /*******************************/
1221 return SECSuccess;
1222 }
1223
1224 /* Initialize encryption and MAC contexts for pending spec.
1225 * Master Secret already is derived in spec->msItem
1226 * Caller holds Spec write lock.
1227 */
1228 static SECStatus
1229 ssl3_InitPendingContextsBypass(sslSocket *ss)
1230 {
1231 ssl3CipherSpec * pwSpec;
1232 const ssl3BulkCipherDef *cipher_def;
1233 void * serverContext = NULL;
1234 void * clientContext = NULL;
1235 BLapiInitContextFunc initFn = (BLapiInitContextFunc)NULL;
1236 int mode = 0;
1237 unsigned int optArg1 = 0;
1238 unsigned int optArg2 = 0;
1239 PRBool server_encrypts = ss->sec.isServer;
1240 CK_ULONG macLength;
1241 SSLCipherAlgorithm calg;
1242 SECStatus rv;
1243
1244 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
1245
1246 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
1247
1248 pwSpec = ss->ssl3.pwSpec;
1249 cipher_def = pwSpec->cipher_def;
1250 macLength = pwSpec->mac_size;
1251
1252 /* MAC setup is done when computing the mac, not here.
1253 * Now setup the crypto contexts.
1254 */
1255
1256 calg = cipher_def->calg;
1257
1258 serverContext = pwSpec->server.cipher_context;
1259 clientContext = pwSpec->client.cipher_context;
1260
1261 switch (calg) {
1262 case ssl_calg_null:
1263 pwSpec->encode = Null_Cipher;
1264 pwSpec->decode = Null_Cipher;
1265 pwSpec->destroy = NULL;
1266 goto success;
1267
1268 case ssl_calg_rc4:
1269 initFn = (BLapiInitContextFunc)RC4_InitContext;
1270 pwSpec->encode = (SSLCipher) RC4_Encrypt;
1271 pwSpec->decode = (SSLCipher) RC4_Decrypt;
1272 pwSpec->destroy = (SSLDestroy) RC4_DestroyContext;
1273 break;
1274 case ssl_calg_rc2:
1275 initFn = (BLapiInitContextFunc)RC2_InitContext;
1276 mode = NSS_RC2_CBC;
1277 optArg1 = cipher_def->key_size;
1278 pwSpec->encode = (SSLCipher) RC2_Encrypt;
1279 pwSpec->decode = (SSLCipher) RC2_Decrypt;
1280 pwSpec->destroy = (SSLDestroy) RC2_DestroyContext;
1281 break;
1282 case ssl_calg_des:
1283 initFn = (BLapiInitContextFunc)DES_InitContext;
1284 mode = NSS_DES_CBC;
1285 optArg1 = server_encrypts;
1286 pwSpec->encode = (SSLCipher) DES_Encrypt;
1287 pwSpec->decode = (SSLCipher) DES_Decrypt;
1288 pwSpec->destroy = (SSLDestroy) DES_DestroyContext;
1289 break;
1290 case ssl_calg_3des:
1291 initFn = (BLapiInitContextFunc)DES_InitContext;
1292 mode = NSS_DES_EDE3_CBC;
1293 optArg1 = server_encrypts;
1294 pwSpec->encode = (SSLCipher) DES_Encrypt;
1295 pwSpec->decode = (SSLCipher) DES_Decrypt;
1296 pwSpec->destroy = (SSLDestroy) DES_DestroyContext;
1297 break;
1298 case ssl_calg_aes:
1299 initFn = (BLapiInitContextFunc)AES_InitContext;
1300 mode = NSS_AES_CBC;
1301 optArg1 = server_encrypts;
1302 optArg2 = AES_BLOCK_SIZE;
1303 pwSpec->encode = (SSLCipher) AES_Encrypt;
1304 pwSpec->decode = (SSLCipher) AES_Decrypt;
1305 pwSpec->destroy = (SSLDestroy) AES_DestroyContext;
1306 break;
1307
1308 case ssl_calg_camellia:
1309 initFn = (BLapiInitContextFunc)Camellia_InitContext;
1310 mode = NSS_CAMELLIA_CBC;
1311 optArg1 = server_encrypts;
1312 optArg2 = CAMELLIA_BLOCK_SIZE;
1313 pwSpec->encode = (SSLCipher) Camellia_Encrypt;
1314 pwSpec->decode = (SSLCipher) Camellia_Decrypt;
1315 pwSpec->destroy = (SSLDestroy) Camellia_DestroyContext;
1316 break;
1317
1318 case ssl_calg_idea:
1319 case ssl_calg_fortezza :
1320 default:
1321 PORT_Assert(0);
1322 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1323 goto bail_out;
1324 }
1325 rv = (*initFn)(serverContext,
1326 pwSpec->server.write_key_item.data,
1327 pwSpec->server.write_key_item.len,
1328 pwSpec->server.write_iv_item.data,
1329 mode, optArg1, optArg2);
1330 if (rv != SECSuccess) {
1331 PORT_Assert(0);
1332 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1333 goto bail_out;
1334 }
1335
1336 if (calg == ssl_calg_des || calg == ssl_calg_3des || calg == ssl_calg_aes
1337 || calg == ssl_calg_camellia) {
1338 /* For block ciphers, if the server is encrypting, then the client
1339 * is decrypting, and vice versa.
1340 */
1341 optArg1 = !optArg1;
1342 }
1343
1344 rv = (*initFn)(clientContext,
1345 pwSpec->client.write_key_item.data,
1346 pwSpec->client.write_key_item.len,
1347 pwSpec->client.write_iv_item.data,
1348 mode, optArg1, optArg2);
1349 if (rv != SECSuccess) {
1350 PORT_Assert(0);
1351 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1352 goto bail_out;
1353 }
1354
1355 pwSpec->encodeContext = (ss->sec.isServer) ? serverContext : clientContext;
1356 pwSpec->decodeContext = (ss->sec.isServer) ? clientContext : serverContext;
1357
1358 success:
1359 return SECSuccess;
1360
1361 bail_out:
1362 return SECFailure;
1363 }
1364
1365 /* This function should probably be moved to pk11wrap and be named
1366 * PK11_ParamFromIVAndEffectiveKeyBits
1367 */
1368 static SECItem *
1369 ssl3_ParamFromIV(CK_MECHANISM_TYPE mtype, SECItem *iv, CK_ULONG ulEffectiveBits)
1370 {
1371 SECItem * param = PK11_ParamFromIV(mtype, iv);
1372 if (param && param->data && param->len >= sizeof(CK_RC2_PARAMS)) {
1373 switch (mtype) {
1374 case CKM_RC2_KEY_GEN:
1375 case CKM_RC2_ECB:
1376 case CKM_RC2_CBC:
1377 case CKM_RC2_MAC:
1378 case CKM_RC2_MAC_GENERAL:
1379 case CKM_RC2_CBC_PAD:
1380 *(CK_RC2_PARAMS *)param->data = ulEffectiveBits;
1381 default: break;
1382 }
1383 }
1384 return param;
1385 }
1386
1387 /* Initialize encryption and MAC contexts for pending spec.
1388 * Master Secret already is derived.
1389 * Caller holds Spec write lock.
1390 */
1391 static SECStatus
1392 ssl3_InitPendingContextsPKCS11(sslSocket *ss)
1393 {
1394 ssl3CipherSpec * pwSpec;
1395 const ssl3BulkCipherDef *cipher_def;
1396 PK11Context * serverContext = NULL;
1397 PK11Context * clientContext = NULL;
1398 SECItem * param;
1399 CK_MECHANISM_TYPE mechanism;
1400 CK_MECHANISM_TYPE mac_mech;
1401 CK_ULONG macLength;
1402 CK_ULONG effKeyBits;
1403 SECItem iv;
1404 SECItem mac_param;
1405 SSLCipherAlgorithm calg;
1406
1407 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
1408
1409 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
1410
1411 pwSpec = ss->ssl3.pwSpec;
1412 cipher_def = pwSpec->cipher_def;
1413 macLength = pwSpec->mac_size;
1414
1415 /*
1416 ** Now setup the MAC contexts,
1417 ** crypto contexts are setup below.
1418 */
1419
1420 pwSpec->client.write_mac_context = NULL;
1421 pwSpec->server.write_mac_context = NULL;
1422 mac_mech = pwSpec->mac_def->mmech;
1423 mac_param.data = (unsigned char *)&macLength;
1424 mac_param.len = sizeof(macLength);
1425 mac_param.type = 0;
1426
1427 pwSpec->client.write_mac_context = PK11_CreateContextBySymKey(
1428 mac_mech, CKA_SIGN, pwSpec->client.write_mac_key, &mac_param);
1429 if (pwSpec->client.write_mac_context == NULL) {
1430 ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
1431 goto fail;
1432 }
1433 pwSpec->server.write_mac_context = PK11_CreateContextBySymKey(
1434 mac_mech, CKA_SIGN, pwSpec->server.write_mac_key, &mac_param);
1435 if (pwSpec->server.write_mac_context == NULL) {
1436 ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
1437 goto fail;
1438 }
1439
1440 /*
1441 ** Now setup the crypto contexts.
1442 */
1443
1444 calg = cipher_def->calg;
1445 PORT_Assert(alg2Mech[calg].calg == calg);
1446
1447 if (calg == calg_null) {
1448 pwSpec->encode = Null_Cipher;
1449 pwSpec->decode = Null_Cipher;
1450 pwSpec->destroy = NULL;
1451 return SECSuccess;
1452 }
1453 mechanism = alg2Mech[calg].cmech;
1454 effKeyBits = cipher_def->key_size * BPB;
1455
1456 /*
1457 * build the server context
1458 */
1459 iv.data = pwSpec->server.write_iv;
1460 iv.len = cipher_def->iv_size;
1461 param = ssl3_ParamFromIV(mechanism, &iv, effKeyBits);
1462 if (param == NULL) {
1463 ssl_MapLowLevelError(SSL_ERROR_IV_PARAM_FAILURE);
1464 goto fail;
1465 }
1466 serverContext = PK11_CreateContextBySymKey(mechanism,
1467 (ss->sec.isServer ? CKA_ENCRYPT : CKA_DECRYPT),
1468 pwSpec->server.write_key, param);
1469 iv.data = PK11_IVFromParam(mechanism, param, (int *)&iv.len);
1470 if (iv.data)
1471 PORT_Memcpy(pwSpec->server.write_iv, iv.data, iv.len);
1472 SECITEM_FreeItem(param, PR_TRUE);
1473 if (serverContext == NULL) {
1474 ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
1475 goto fail;
1476 }
1477
1478 /*
1479 * build the client context
1480 */
1481 iv.data = pwSpec->client.write_iv;
1482 iv.len = cipher_def->iv_size;
1483
1484 param = ssl3_ParamFromIV(mechanism, &iv, effKeyBits);
1485 if (param == NULL) {
1486 ssl_MapLowLevelError(SSL_ERROR_IV_PARAM_FAILURE);
1487 goto fail;
1488 }
1489 clientContext = PK11_CreateContextBySymKey(mechanism,
1490 (ss->sec.isServer ? CKA_DECRYPT : CKA_ENCRYPT),
1491 pwSpec->client.write_key, param);
1492 iv.data = PK11_IVFromParam(mechanism, param, (int *)&iv.len);
1493 if (iv.data)
1494 PORT_Memcpy(pwSpec->client.write_iv, iv.data, iv.len);
1495 SECITEM_FreeItem(param,PR_TRUE);
1496 if (clientContext == NULL) {
1497 ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
1498 goto fail;
1499 }
1500 pwSpec->encode = (SSLCipher) PK11_CipherOp;
1501 pwSpec->decode = (SSLCipher) PK11_CipherOp;
1502 pwSpec->destroy = (SSLDestroy) PK11_DestroyContext;
1503
1504 pwSpec->encodeContext = (ss->sec.isServer) ? serverContext : clientContext;
1505 pwSpec->decodeContext = (ss->sec.isServer) ? clientContext : serverContext;
1506
1507 serverContext = NULL;
1508 clientContext = NULL;
1509
1510 return SECSuccess;
1511
1512 fail:
1513 if (serverContext != NULL) PK11_DestroyContext(serverContext, PR_TRUE);
1514 if (clientContext != NULL) PK11_DestroyContext(clientContext, PR_TRUE);
1515 if (pwSpec->client.write_mac_context != NULL) {
1516 PK11_DestroyContext(pwSpec->client.write_mac_context,PR_TRUE);
1517 pwSpec->client.write_mac_context = NULL;
1518 }
1519 if (pwSpec->server.write_mac_context != NULL) {
1520 PK11_DestroyContext(pwSpec->server.write_mac_context,PR_TRUE);
1521 pwSpec->server.write_mac_context = NULL;
1522 }
1523
1524 return SECFailure;
1525 }
1526
1527 /* Complete the initialization of all keys, ciphers, MACs and their contexts
1528 * for the pending Cipher Spec.
1529 * Called from: ssl3_SendClientKeyExchange (for Full handshake)
1530 * ssl3_HandleRSAClientKeyExchange (for Full handshake)
1531 * ssl3_HandleServerHello (for session restart)
1532 * ssl3_HandleClientHello (for session restart)
1533 * Sets error code, but caller probably should override to disambiguate.
1534 * NULL pms means re-use old master_secret.
1535 *
1536 * This code is common to the bypass and PKCS11 execution paths.
1537 * For the bypass case, pms is NULL.
1538 */
1539 SECStatus
1540 ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms)
1541 {
1542 ssl3CipherSpec * pwSpec;
1543 SECStatus rv;
1544
1545 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
1546
1547 ssl_GetSpecWriteLock(ss); /**************************************/
1548
1549 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
1550
1551 pwSpec = ss->ssl3.pwSpec;
1552
1553 if (pms || (!pwSpec->msItem.len && !pwSpec->master_secret)) {
1554 rv = ssl3_DeriveMasterSecret(ss, pms);
1555 if (rv != SECSuccess) {
1556 goto done; /* err code set by ssl3_DeriveMasterSecret */
1557 }
1558 }
1559 if (ss->opt.bypassPKCS11 && pwSpec->msItem.len && pwSpec->msItem.data) {
1560 /* Double Bypass succeeded in extracting the master_secret */
1561 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def;
1562 PRBool isTLS = (PRBool)(kea_def->tls_keygen ||
1563 (pwSpec->version > SSL_LIBRARY_VERSION_3_0));
1564 pwSpec->bypassCiphers = PR_TRUE;
1565 rv = ssl3_KeyAndMacDeriveBypass( pwSpec,
1566 (const unsigned char *)&ss->ssl3.hs.client_random,
1567 (const unsigned char *)&ss->ssl3.hs.server_random,
1568 isTLS,
1569 (PRBool)(kea_def->is_limited));
1570 if (rv == SECSuccess) {
1571 rv = ssl3_InitPendingContextsBypass(ss);
1572 }
1573 } else if (pwSpec->master_secret) {
1574 rv = ssl3_DeriveConnectionKeysPKCS11(ss);
1575 if (rv == SECSuccess) {
1576 rv = ssl3_InitPendingContextsPKCS11(ss);
1577 }
1578 } else {
1579 PORT_Assert(pwSpec->master_secret);
1580 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1581 rv = SECFailure;
1582 }
1583
1584 done:
1585 ssl_ReleaseSpecWriteLock(ss); /******************************/
1586 if (rv != SECSuccess)
1587 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
1588 return rv;
1589 }
1590
1591 /*
1592 * 60 bytes is 3 times the maximum length MAC size that is supported.
1593 */
1594 static const unsigned char mac_pad_1 [60] = {
1595 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
1596 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
1597 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
1598 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
1599 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
1600 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
1601 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
1602 0x36, 0x36, 0x36, 0x36
1603 };
1604 static const unsigned char mac_pad_2 [60] = {
1605 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
1606 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
1607 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
1608 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
1609 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
1610 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
1611 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
1612 0x5c, 0x5c, 0x5c, 0x5c
1613 };
1614
1615 /* Called from: ssl3_SendRecord()
1616 ** ssl3_HandleRecord()
1617 ** Caller must already hold the SpecReadLock. (wish we could assert that!)
1618 */
1619 static SECStatus
1620 ssl3_ComputeRecordMAC(
1621 ssl3CipherSpec * spec,
1622 PRBool useServerMacKey,
1623 SSL3ContentType type,
1624 SSL3ProtocolVersion version,
1625 SSL3SequenceNumber seq_num,
1626 const SSL3Opaque * input,
1627 int inputLength,
1628 unsigned char * outbuf,
1629 unsigned int * outLength)
1630 {
1631 const ssl3MACDef * mac_def;
1632 SECStatus rv;
1633 PRBool isTLS;
1634 unsigned int tempLen;
1635 unsigned char temp[MAX_MAC_LENGTH];
1636
1637 temp[0] = (unsigned char)(seq_num.high >> 24);
1638 temp[1] = (unsigned char)(seq_num.high >> 16);
1639 temp[2] = (unsigned char)(seq_num.high >> 8);
1640 temp[3] = (unsigned char)(seq_num.high >> 0);
1641 temp[4] = (unsigned char)(seq_num.low >> 24);
1642 temp[5] = (unsigned char)(seq_num.low >> 16);
1643 temp[6] = (unsigned char)(seq_num.low >> 8);
1644 temp[7] = (unsigned char)(seq_num.low >> 0);
1645 temp[8] = type;
1646
1647 /* TLS MAC includes the record's version field, SSL's doesn't.
1648 ** We decide which MAC defintiion to use based on the version of
1649 ** the protocol that was negotiated when the spec became current,
1650 ** NOT based on the version value in the record itself.
1651 ** But, we use the record'v version value in the computation.
1652 */
1653 if (spec->version <= SSL_LIBRARY_VERSION_3_0) {
1654 temp[9] = MSB(inputLength);
1655 temp[10] = LSB(inputLength);
1656 tempLen = 11;
1657 isTLS = PR_FALSE;
1658 } else {
1659 /* New TLS hash includes version. */
1660 temp[9] = MSB(version);
1661 temp[10] = LSB(version);
1662 temp[11] = MSB(inputLength);
1663 temp[12] = LSB(inputLength);
1664 tempLen = 13;
1665 isTLS = PR_TRUE;
1666 }
1667
1668 PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen));
1669 PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength));
1670
1671 mac_def = spec->mac_def;
1672 if (mac_def->mac == mac_null) {
1673 *outLength = 0;
1674 return SECSuccess;
1675 }
1676 if (! spec->bypassCiphers) {
1677 PK11Context *mac_context =
1678 (useServerMacKey ? spec->server.write_mac_context
1679 : spec->client.write_mac_context);
1680 rv = PK11_DigestBegin(mac_context);
1681 rv |= PK11_DigestOp(mac_context, temp, tempLen);
1682 rv |= PK11_DigestOp(mac_context, input, inputLength);
1683 rv |= PK11_DigestFinal(mac_context, outbuf, outLength, spec->mac_size);
1684 } else {
1685 /* bypass version */
1686 const SECHashObject *hashObj = NULL;
1687 unsigned int pad_bytes = 0;
1688 PRUint64 write_mac_context[MAX_MAC_CONTEXT_LLONGS];
1689
1690 switch (mac_def->mac) {
1691 case ssl_mac_null:
1692 *outLength = 0;
1693 return SECSuccess;
1694 case ssl_mac_md5:
1695 pad_bytes = 48;
1696 hashObj = HASH_GetRawHashObject(HASH_AlgMD5);
1697 break;
1698 case ssl_mac_sha:
1699 pad_bytes = 40;
1700 hashObj = HASH_GetRawHashObject(HASH_AlgSHA1);
1701 break;
1702 case ssl_hmac_md5: /* used with TLS */
1703 hashObj = HASH_GetRawHashObject(HASH_AlgMD5);
1704 break;
1705 case ssl_hmac_sha: /* used with TLS */
1706 hashObj = HASH_GetRawHashObject(HASH_AlgSHA1);
1707 break;
1708 default:
1709 break;
1710 }
1711 if (!hashObj) {
1712 PORT_Assert(0);
1713 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1714 return SECFailure;
1715 }
1716
1717 if (!isTLS) {
1718 /* compute "inner" part of SSL3 MAC */
1719 hashObj->begin(write_mac_context);
1720 if (useServerMacKey)
1721 hashObj->update(write_mac_context,
1722 spec->server.write_mac_key_item.data,
1723 spec->server.write_mac_key_item.len);
1724 else
1725 hashObj->update(write_mac_context,
1726 spec->client.write_mac_key_item.data,
1727 spec->client.write_mac_key_item.len);
1728 hashObj->update(write_mac_context, mac_pad_1, pad_bytes);
1729 hashObj->update(write_mac_context, temp, tempLen);
1730 hashObj->update(write_mac_context, input, inputLength);
1731 hashObj->end(write_mac_context, temp, &tempLen, sizeof temp);
1732
1733 /* compute "outer" part of SSL3 MAC */
1734 hashObj->begin(write_mac_context);
1735 if (useServerMacKey)
1736 hashObj->update(write_mac_context,
1737 spec->server.write_mac_key_item.data,
1738 spec->server.write_mac_key_item.len);
1739 else
1740 hashObj->update(write_mac_context,
1741 spec->client.write_mac_key_item.data,
1742 spec->client.write_mac_key_item.len);
1743 hashObj->update(write_mac_context, mac_pad_2, pad_bytes);
1744 hashObj->update(write_mac_context, temp, tempLen);
1745 hashObj->end(write_mac_context, outbuf, outLength, spec->mac_size);
1746 rv = SECSuccess;
1747 } else { /* is TLS */
1748 #define cx ((HMACContext *)write_mac_context)
1749 if (useServerMacKey) {
1750 rv = HMAC_Init(cx, hashObj,
1751 spec->server.write_mac_key_item.data,
1752 spec->server.write_mac_key_item.len, PR_FALSE);
1753 } else {
1754 rv = HMAC_Init(cx, hashObj,
1755 spec->client.write_mac_key_item.data,
1756 spec->client.write_mac_key_item.len, PR_FALSE);
1757 }
1758 if (rv == SECSuccess) {
1759 HMAC_Begin(cx);
1760 HMAC_Update(cx, temp, tempLen);
1761 HMAC_Update(cx, input, inputLength);
1762 rv = HMAC_Finish(cx, outbuf, outLength, spec->mac_size);
1763 HMAC_Destroy(cx, PR_FALSE);
1764 }
1765 #undef cx
1766 }
1767 }
1768
1769 PORT_Assert(rv != SECSuccess || *outLength == (unsigned)spec->mac_size);
1770
1771 PRINT_BUF(95, (NULL, "frag hash2: result", outbuf, *outLength));
1772
1773 if (rv != SECSuccess) {
1774 rv = SECFailure;
1775 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
1776 }
1777 return rv;
1778 }
1779
1780 static PRBool
1781 ssl3_ClientAuthTokenPresent(sslSessionID *sid) {
1782 PK11SlotInfo *slot = NULL;
1783 PRBool isPresent = PR_TRUE;
1784
1785 /* we only care if we are doing client auth */
1786 if (!sid || !sid->u.ssl3.clAuthValid) {
1787 return PR_TRUE;
1788 }
1789
1790 /* get the slot */
1791 slot = SECMOD_LookupSlot(sid->u.ssl3.clAuthModuleID,
1792 sid->u.ssl3.clAuthSlotID);
1793 if (slot == NULL ||
1794 !PK11_IsPresent(slot) ||
1795 sid->u.ssl3.clAuthSeries != PK11_GetSlotSeries(slot) ||
1796 sid->u.ssl3.clAuthSlotID != PK11_GetSlotID(slot) ||
1797 sid->u.ssl3.clAuthModuleID != PK11_GetModuleID(slot) ||
1798 (PK11_NeedLogin(slot) && !PK11_IsLoggedIn(slot, NULL))) {
1799 isPresent = PR_FALSE;
1800 }
1801 if (slot) {
1802 PK11_FreeSlot(slot);
1803 }
1804 return isPresent;
1805 }
1806
1807 static SECStatus
1808 ssl3_CompressMACEncryptRecord(sslSocket * ss,
1809 SSL3ContentType type,
1810 const SSL3Opaque * pIn,
1811 PRUint32 contentLen)
1812 {
1813 ssl3CipherSpec * cwSpec;
1814 const ssl3BulkCipherDef * cipher_def;
1815 sslBuffer * wrBuf = &ss->sec.writeBuf;
1816 SECStatus rv;
1817 PRUint32 macLen = 0;
1818 PRUint32 fragLen;
1819 PRUint32 p1Len, p2Len, oddLen = 0;
1820 PRInt32 cipherBytes = 0;
1821
1822 /*
1823 * null compression is easy to do
1824 PORT_Memcpy(wrBuf->buf + SSL3_RECORD_HEADER_LENGTH, pIn, contentLen);
1825 */
1826
1827 ssl_GetSpecReadLock(ss); /********************************/
1828
1829 cwSpec = ss->ssl3.cwSpec;
1830 cipher_def = cwSpec->cipher_def;
1831 /*
1832 * Add the MAC
1833 */
1834 rv = ssl3_ComputeRecordMAC( cwSpec, (PRBool)(ss->sec.isServer),
1835 type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen,
1836 wrBuf->buf + contentLen + SSL3_RECORD_HEADER_LENGTH, &macLen);
1837 if (rv != SECSuccess) {
1838 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
1839 goto spec_locked_loser;
1840 }
1841 p1Len = contentLen;
1842 p2Len = macLen;
1843 fragLen = contentLen + macLen; /* needs to be encrypted */
1844 PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024);
1845
1846 /*
1847 * Pad the text (if we're doing a block cipher)
1848 * then Encrypt it
1849 */
1850 if (cipher_def->type == type_block) {
1851 unsigned char * pBuf;
1852 int padding_length;
1853 int i;
1854
1855 oddLen = contentLen % cipher_def->block_size;
1856 /* Assume blockSize is a power of two */
1857 padding_length = cipher_def->block_size - 1 -
1858 ((fragLen) & (cipher_def->block_size - 1));
1859 fragLen += padding_length + 1;
1860 PORT_Assert((fragLen % cipher_def->block_size) == 0);
1861
1862 /* Pad according to TLS rules (also acceptable to SSL3). */
1863 pBuf = &wrBuf->buf[fragLen + SSL3_RECORD_HEADER_LENGTH - 1];
1864 for (i = padding_length + 1; i > 0; --i) {
1865 *pBuf-- = padding_length;
1866 }
1867 /* now, if contentLen is not a multiple of block size, fix it */
1868 p2Len = fragLen - p1Len;
1869 }
1870 if (p1Len < 256) {
1871 oddLen = p1Len;
1872 p1Len = 0;
1873 } else {
1874 p1Len -= oddLen;
1875 }
1876 if (oddLen) {
1877 p2Len += oddLen;
1878 PORT_Assert( (cipher_def->block_size < 2) || \
1879 (p2Len % cipher_def->block_size) == 0);
1880 memcpy(wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + p1Len,
1881 pIn + p1Len, oddLen);
1882 }
1883 if (p1Len > 0) {
1884 rv = cwSpec->encode( cwSpec->encodeContext,
1885 wrBuf->buf + SSL3_RECORD_HEADER_LENGTH, /* output */
1886 &cipherBytes, /* actual outlen */
1887 p1Len, /* max outlen */
1888 pIn, p1Len); /* input, and inputlen */
1889 PORT_Assert(rv == SECSuccess && cipherBytes == p1Len);
1890 if (rv != SECSuccess || cipherBytes != p1Len) {
1891 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
1892 goto spec_locked_loser;
1893 }
1894 }
1895 if (p2Len > 0) {
1896 PRInt32 cipherBytesPart2 = -1;
1897 rv = cwSpec->encode( cwSpec->encodeContext,
1898 wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + p1Len,
1899 &cipherBytesPart2, /* output and actual outLen */
1900 p2Len, /* max outlen */
1901 wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + p1Len,
1902 p2Len); /* input and inputLen*/
1903 PORT_Assert(rv == SECSuccess && cipherBytesPart2 == p2Len);
1904 if (rv != SECSuccess || cipherBytesPart2 != p2Len) {
1905 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
1906 goto spec_locked_loser;
1907 }
1908 cipherBytes += cipherBytesPart2;
1909 }
1910 PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024);
1911
1912 ssl3_BumpSequenceNumber(&cwSpec->write_seq_num);
1913
1914 wrBuf->len = cipherBytes + SSL3_RECORD_HEADER_LENGTH;
1915 wrBuf->buf[0] = type;
1916 wrBuf->buf[1] = MSB(cwSpec->version);
1917 wrBuf->buf[2] = LSB(cwSpec->version);
1918 wrBuf->buf[3] = MSB(cipherBytes);
1919 wrBuf->buf[4] = LSB(cipherBytes);
1920
1921 ssl_ReleaseSpecReadLock(ss); /************************************/
1922
1923 return SECSuccess;
1924
1925 spec_locked_loser:
1926 ssl_ReleaseSpecReadLock(ss);
1927 return SECFailure;
1928 }
1929
1930 /* Process the plain text before sending it.
1931 * Returns the number of bytes of plaintext that were succesfully sent
1932 * plus the number of bytes of plaintext that were copied into the
1933 * output (write) buffer.
1934 * Returns SECFailure on a hard IO error, memory error, or crypto error.
1935 * Does NOT return SECWouldBlock.
1936 *
1937 * Notes on the use of the private ssl flags:
1938 * (no private SSL flags)
1939 * Attempt to make and send SSL records for all plaintext
1940 * If non-blocking and a send gets WOULD_BLOCK,
1941 * or if the pending (ciphertext) buffer is not empty,
1942 * then buffer remaining bytes of ciphertext into pending buf,
1943 * and continue to do that for all succssive records until all
1944 * bytes are used.
1945 * ssl_SEND_FLAG_FORCE_INTO_BUFFER
1946 * As above, except this suppresses all write attempts, and forces
1947 * all ciphertext into the pending ciphertext buffer.
1948 *
1949 */
1950 static PRInt32
1951 ssl3_SendRecord( sslSocket * ss,
1952 SSL3ContentType type,
1953 const SSL3Opaque * pIn, /* input buffer */
1954 PRInt32 nIn, /* bytes of input */
1955 PRInt32 flags)
1956 {
1957 sslBuffer * wrBuf = &ss->sec.writeBuf;
1958 SECStatus rv;
1959 PRInt32 totalSent = 0;
1960
1961 SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s nIn=%d",
1962 SSL_GETPID(), ss->fd, ssl3_DecodeContentType(type),
1963 nIn));
1964 PRINT_BUF(3, (ss, "Send record (plain text)", pIn, nIn));
1965
1966 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
1967
1968 if (ss->ssl3.initialized == PR_FALSE) {
1969 /* This can happen on a server if the very first incoming record
1970 ** looks like a defective ssl3 record (e.g. too long), and we're
1971 ** trying to send an alert.
1972 */
1973 PR_ASSERT(type == content_alert);
1974 rv = ssl3_InitState(ss);
1975 if (rv != SECSuccess) {
1976 return SECFailure; /* ssl3_InitState has set the error code. */
1977 }
1978 }
1979
1980 /* check for Token Presence */
1981 if (!ssl3_ClientAuthTokenPresent(ss->sec.ci.sid)) {
1982 PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
1983 return SECFailure;
1984 }
1985
1986 while (nIn > 0) {
1987 PRUint32 contentLen = PR_MIN(nIn, MAX_FRAGMENT_LENGTH);
1988
1989 if (wrBuf->space < contentLen + SSL3_BUFFER_FUDGE) {
1990 PRInt32 newSpace = PR_MAX(wrBuf->space * 2, contentLen);
1991 newSpace = PR_MIN(newSpace, MAX_FRAGMENT_LENGTH);
1992 newSpace += SSL3_BUFFER_FUDGE;
1993 rv = sslBuffer_Grow(wrBuf, newSpace);
1994 if (rv != SECSuccess) {
1995 SSL_DBG(("%d: SSL3[%d]: SendRecord, tried to get %d bytes",
1996 SSL_GETPID(), ss->fd, newSpace));
1997 return SECFailure; /* sslBuffer_Grow set a memory error code. */
1998 }
1999 }
2000
2001 rv = ssl3_CompressMACEncryptRecord( ss, type, pIn, contentLen);
2002 if (rv != SECSuccess)
2003 return SECFailure;
2004
2005 pIn += contentLen;
2006 nIn -= contentLen;
2007 PORT_Assert( nIn >= 0 );
2008
2009 PRINT_BUF(50, (ss, "send (encrypted) record data:", wrBuf->buf, wrBuf->len));
2010
2011 /* If there's still some previously saved ciphertext,
2012 * or the caller doesn't want us to send the data yet,
2013 * then add all our new ciphertext to the amount previously saved.
2014 */
2015 if ((ss->pendingBuf.len > 0) ||
2016 (flags & ssl_SEND_FLAG_FORCE_INTO_BUFFER)) {
2017
2018 rv = ssl_SaveWriteData(ss, wrBuf->buf, wrBuf->len);
2019 if (rv != SECSuccess) {
2020 /* presumably a memory error, SEC_ERROR_NO_MEMORY */
2021 return SECFailure;
2022 }
2023 wrBuf->len = 0; /* All cipher text is saved away. */
2024
2025 if (!(flags & ssl_SEND_FLAG_FORCE_INTO_BUFFER)) {
2026 PRInt32 sent;
2027 ss->handshakeBegun = 1;
2028 sent = ssl_SendSavedWriteData(ss);
2029 if (sent < 0 && PR_GetError() != PR_WOULD_BLOCK_ERROR) {
2030 ssl_MapLowLevelError(SSL_ERROR_SOCKET_WRITE_FAILURE);
2031 return SECFailure;
2032 }
2033 if (ss->pendingBuf.len) {
2034 flags |= ssl_SEND_FLAG_FORCE_INTO_BUFFER;
2035 }
2036 }
2037 } else if (wrBuf->len > 0) {
2038 PRInt32 sent;
2039 ss->handshakeBegun = 1;
2040 sent = ssl_DefSend(ss, wrBuf->buf, wrBuf->len,
2041 flags & ~ssl_SEND_FLAG_MASK);
2042 if (sent < 0) {
2043 if (PR_GetError() != PR_WOULD_BLOCK_ERROR) {
2044 ssl_MapLowLevelError(SSL_ERROR_SOCKET_WRITE_FAILURE);
2045 return SECFailure;
2046 }
2047 /* we got PR_WOULD_BLOCK_ERROR, which means none was sent. */
2048 sent = 0;
2049 }
2050 wrBuf->len -= sent;
2051 if (wrBuf->len) {
2052 /* now take all the remaining unsent new ciphertext and
2053 * append it to the buffer of previously unsent ciphertext.
2054 */
2055 rv = ssl_SaveWriteData(ss, wrBuf->buf + sent, wrBuf->len);
2056 if (rv != SECSuccess) {
2057 /* presumably a memory error, SEC_ERROR_NO_MEMORY */
2058 return SECFailure;
2059 }
2060 }
2061 }
2062 totalSent += contentLen;
2063 }
2064 return totalSent;
2065 }
2066
2067 #define SSL3_PENDING_HIGH_WATER 1024
2068
2069 /* Attempt to send the content of "in" in an SSL application_data record.
2070 * Returns "len" or SECFailure, never SECWouldBlock, nor SECSuccess.
2071 */
2072 int
2073 ssl3_SendApplicationData(sslSocket *ss, const unsigned char *in,
2074 PRInt32 len, PRInt32 flags)
2075 {
2076 PRInt32 totalSent = 0;
2077 PRInt32 discarded = 0;
2078
2079 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
2080 if (len < 0 || !in) {
2081 PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
2082 return SECFailure;
2083 }
2084
2085 if (ss->pendingBuf.len > SSL3_PENDING_HIGH_WATER &&
2086 !ssl_SocketIsBlocking(ss)) {
2087 PORT_Assert(!ssl_SocketIsBlocking(ss));
2088 PORT_SetError(PR_WOULD_BLOCK_ERROR);
2089 return SECFailure;
2090 }
2091
2092 if (ss->appDataBuffered && len) {
2093 PORT_Assert (in[0] == (unsigned char)(ss->appDataBuffered));
2094 if (in[0] != (unsigned char)(ss->appDataBuffered)) {
2095 PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
2096 return SECFailure;
2097 }
2098 in++;
2099 len--;
2100 discarded = 1;
2101 }
2102 while (len > totalSent) {
2103 PRInt32 sent, toSend;
2104
2105 if (totalSent > 0) {
2106 /*
2107 * The thread yield is intended to give the reader thread a
2108 * chance to get some cycles while the writer thread is in
2109 * the middle of a large application data write. (See
2110 * Bugzilla bug 127740, comment #1.)
2111 */
2112 ssl_ReleaseXmitBufLock(ss);
2113 PR_Sleep(PR_INTERVAL_NO_WAIT); /* PR_Yield(); */
2114 ssl_GetXmitBufLock(ss);
2115 }
2116 toSend = PR_MIN(len - totalSent, MAX_FRAGMENT_LENGTH);
2117 sent = ssl3_SendRecord(ss, content_application_data,
2118 in + totalSent, toSend, flags);
2119 if (sent < 0) {
2120 if (totalSent > 0 && PR_GetError() == PR_WOULD_BLOCK_ERROR) {
2121 PORT_Assert(ss->lastWriteBlocked);
2122 break;
2123 }
2124 return SECFailure; /* error code set by ssl3_SendRecord */
2125 }
2126 totalSent += sent;
2127 if (ss->pendingBuf.len) {
2128 /* must be a non-blocking socket */
2129 PORT_Assert(!ssl_SocketIsBlocking(ss));
2130 PORT_Assert(ss->lastWriteBlocked);
2131 break;
2132 }
2133 }
2134 if (ss->pendingBuf.len) {
2135 /* Must be non-blocking. */
2136 PORT_Assert(!ssl_SocketIsBlocking(ss));
2137 if (totalSent > 0) {
2138 ss->appDataBuffered = 0x100 | in[totalSent - 1];
2139 }
2140
2141 totalSent = totalSent + discarded - 1;
2142 if (totalSent <= 0) {
2143 PORT_SetError(PR_WOULD_BLOCK_ERROR);
2144 totalSent = SECFailure;
2145 }
2146 return totalSent;
2147 }
2148 ss->appDataBuffered = 0;
2149 return totalSent + discarded;
2150 }
2151
2152 /* Attempt to send the content of sendBuf buffer in an SSL handshake record.
2153 * This function returns SECSuccess or SECFailure, never SECWouldBlock.
2154 * Always set sendBuf.len to 0, even when returning SECFailure.
2155 *
2156 * Called from SSL3_SendAlert(), ssl3_SendChangeCipherSpecs(),
2157 * ssl3_AppendHandshake(), ssl3_SendClientHello(),
2158 * ssl3_SendHelloRequest(), ssl3_SendServerHelloDone(),
2159 * ssl3_SendFinished(),
2160 */
2161 static SECStatus
2162 ssl3_FlushHandshake(sslSocket *ss, PRInt32 flags)
2163 {
2164 PRInt32 rv = SECSuccess;
2165
2166 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
2167 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
2168
2169 if (!ss->sec.ci.sendBuf.buf || !ss->sec.ci.sendBuf.len)
2170 return rv;
2171
2172 /* only this flag is allowed */
2173 PORT_Assert(!(flags & ~ssl_SEND_FLAG_FORCE_INTO_BUFFER));
2174 if ((flags & ~ssl_SEND_FLAG_FORCE_INTO_BUFFER) != 0) {
2175 PORT_SetError(SEC_ERROR_INVALID_ARGS);
2176 rv = SECFailure;
2177 } else {
2178 rv = ssl3_SendRecord(ss, content_handshake, ss->sec.ci.sendBuf.buf,
2179 ss->sec.ci.sendBuf.len, flags);
2180 }
2181 if (rv < 0) {
2182 int err = PORT_GetError();
2183 PORT_Assert(err != PR_WOULD_BLOCK_ERROR);
2184 if (err == PR_WOULD_BLOCK_ERROR) {
2185 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
2186 }
2187 } else if (rv < ss->sec.ci.sendBuf.len) {
2188 /* short write should never happen */
2189 PORT_Assert(rv >= ss->sec.ci.sendBuf.len);
2190 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
2191 rv = SECFailure;
2192 } else {
2193 rv = SECSuccess;
2194 }
2195
2196 /* Whether we succeeded or failed, toss the old handshake data. */
2197 ss->sec.ci.sendBuf.len = 0;
2198 return rv;
2199 }
2200
2201 /*
2202 * Called from ssl3_HandleAlert and from ssl3_HandleCertificate when
2203 * the remote client sends a negative response to our certificate request.
2204 * Returns SECFailure if the application has required client auth.
2205 * SECSuccess otherwise.
2206 */
2207 static SECStatus
2208 ssl3_HandleNoCertificate(sslSocket *ss)
2209 {
2210 if (ss->sec.peerCert != NULL) {
2211 if (ss->sec.peerKey != NULL) {
2212 SECKEY_DestroyPublicKey(ss->sec.peerKey);
2213 ss->sec.peerKey = NULL;
2214 }
2215 CERT_DestroyCertificate(ss->sec.peerCert);
2216 ss->sec.peerCert = NULL;
2217 }
2218 ssl3_CleanupPeerCerts(ss);
2219
2220 /* If the server has required client-auth blindly but doesn't
2221 * actually look at the certificate it won't know that no
2222 * certificate was presented so we shutdown the socket to ensure
2223 * an error. We only do this if we haven't already completed the
2224 * first handshake because if we're redoing the handshake we
2225 * know the server is paying attention to the certificate.
2226 */
2227 if ((ss->opt.requireCertificate == SSL_REQUIRE_ALWAYS) ||
2228 (!ss->firstHsDone &&
2229 (ss->opt.requireCertificate == SSL_REQUIRE_FIRST_HANDSHAKE))) {
2230 PRFileDesc * lower;
2231
2232 ss->sec.uncache(ss->sec.ci.sid);
2233 SSL3_SendAlert(ss, alert_fatal, bad_certificate);
2234
2235 lower = ss->fd->lower;
2236 #ifdef _WIN32
2237 lower->methods->shutdown(lower, PR_SHUTDOWN_SEND);
2238 #else
2239 lower->methods->shutdown(lower, PR_SHUTDOWN_BOTH);
2240 #endif
2241 PORT_SetError(SSL_ERROR_NO_CERTIFICATE);
2242 return SECFailure;
2243 }
2244 return SECSuccess;
2245 }
2246
2247 /************************************************************************
2248 * Alerts
2249 */
2250
2251 /*
2252 ** Acquires both handshake and XmitBuf locks.
2253 ** Called from: ssl3_IllegalParameter <-
2254 ** ssl3_HandshakeFailure <-
2255 ** ssl3_HandleAlert <- ssl3_HandleRecord.
2256 ** ssl3_HandleChangeCipherSpecs <- ssl3_HandleRecord
2257 ** ssl3_ConsumeHandshakeVariable <-
2258 ** ssl3_HandleHelloRequest <-
2259 ** ssl3_HandleServerHello <-
2260 ** ssl3_HandleServerKeyExchange <-
2261 ** ssl3_HandleCertificateRequest <-
2262 ** ssl3_HandleServerHelloDone <-
2263 ** ssl3_HandleClientHello <-
2264 ** ssl3_HandleV2ClientHello <-
2265 ** ssl3_HandleCertificateVerify <-
2266 ** ssl3_HandleClientKeyExchange <-
2267 ** ssl3_HandleCertificate <-
2268 ** ssl3_HandleFinished <-
2269 ** ssl3_HandleHandshakeMessage <-
2270 ** ssl3_HandleRecord <-
2271 **
2272 */
2273 SECStatus
2274 SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level, SSL3AlertDescription desc)
2275 {
2276 uint8 bytes[2];
2277 SECStatus rv;
2278
2279 SSL_TRC(3, ("%d: SSL3[%d]: send alert record, level=%d desc=%d",
2280 SSL_GETPID(), ss->fd, level, desc));
2281
2282 bytes[0] = level;
2283 bytes[1] = desc;
2284
2285 ssl_GetSSL3HandshakeLock(ss);
2286 if (level == alert_fatal) {
2287 if (ss->sec.ci.sid) {
2288 ss->sec.uncache(ss->sec.ci.sid);
2289 }
2290 }
2291 ssl_GetXmitBufLock(ss);
2292 rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
2293 if (rv == SECSuccess) {
2294 PRInt32 sent;
2295 sent = ssl3_SendRecord(ss, content_alert, bytes, 2,
2296 desc == no_certificate
2297 ? ssl_SEND_FLAG_FORCE_INTO_BUFFER : 0);
2298 rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
2299 }
2300 ssl_ReleaseXmitBufLock(ss);
2301 ssl_ReleaseSSL3HandshakeLock(ss);
2302 return rv; /* error set by ssl3_FlushHandshake or ssl3_SendRecord */
2303 }
2304
2305 /*
2306 * Send illegal_parameter alert. Set generic error number.
2307 */
2308 static SECStatus
2309 ssl3_IllegalParameter(sslSocket *ss)
2310 {
2311 PRBool isTLS;
2312
2313 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
2314 (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
2315 PORT_SetError(ss->sec.isServer ? SSL_ERROR_BAD_CLIENT
2316 : SSL_ERROR_BAD_SERVER );
2317 return SECFailure;
2318 }
2319
2320 /*
2321 * Send handshake_Failure alert. Set generic error number.
2322 */
2323 static SECStatus
2324 ssl3_HandshakeFailure(sslSocket *ss)
2325 {
2326 (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure);
2327 PORT_SetError( ss->sec.isServer ? SSL_ERROR_BAD_CLIENT
2328 : SSL_ERROR_BAD_SERVER );
2329 return SECFailure;
2330 }
2331
2332 /*
2333 * Send handshake_Failure alert. Set generic error number.
2334 */
2335 static SECStatus
2336 ssl3_DecodeError(sslSocket *ss)
2337 {
2338 (void)SSL3_SendAlert(ss, alert_fatal,
2339 ss->version > SSL_LIBRARY_VERSION_3_0 ? decode_error
2340 : illegal_parameter);
2341 PORT_SetError( ss->sec.isServer ? SSL_ERROR_BAD_CLIENT
2342 : SSL_ERROR_BAD_SERVER );
2343 return SECFailure;
2344 }
2345
2346 /* Called from ssl3_HandleRecord.
2347 ** Caller must hold both RecvBuf and Handshake locks.
2348 */
2349 static SECStatus
2350 ssl3_HandleAlert(sslSocket *ss, sslBuffer *buf)
2351 {
2352 SSL3AlertLevel level;
2353 SSL3AlertDescription desc;
2354 int error;
2355
2356 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
2357 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
2358
2359 SSL_TRC(3, ("%d: SSL3[%d]: handle alert record", SSL_GETPID(), ss->fd));
2360
2361 if (buf->len != 2) {
2362 (void)ssl3_DecodeError(ss);
2363 PORT_SetError(SSL_ERROR_RX_MALFORMED_ALERT);
2364 return SECFailure;
2365 }
2366 level = (SSL3AlertLevel)buf->buf[0];
2367 desc = (SSL3AlertDescription)buf->buf[1];
2368 buf->len = 0;
2369 SSL_TRC(5, ("%d: SSL3[%d] received alert, level = %d, description = %d",
2370 SSL_GETPID(), ss->fd, level, desc));
2371
2372 switch (desc) {
2373 case close_notify: ss->recvdCloseNotify = 1;
2374 error = SSL_ERROR_CLOSE_NOTIFY_ALERT; break;
2375 case unexpected_message: error = SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT;
2376 break;
2377 case bad_record_mac: error = SSL_ERROR_BAD_MAC_ALERT; break;
2378 case decryption_failed: error = SSL_ERROR_DECRYPTION_FAILED_ALERT;
2379 break;
2380 case record_overflow: error = SSL_ERROR_RECORD_OVERFLOW_ALERT; break;
2381 case decompression_failure: error = SSL_ERROR_DECOMPRESSION_FAILURE_ALERT;
2382 break;
2383 case handshake_failure: error = SSL_ERROR_HANDSHAKE_FAILURE_ALERT;
2384 break;
2385 case no_certificate: error = SSL_ERROR_NO_CERTIFICATE; break;
2386 case bad_certificate: error = SSL_ERROR_BAD_CERT_ALERT; break;
2387 case unsupported_certificate:error = SSL_ERROR_UNSUPPORTED_CERT_ALERT;break;
2388 case certificate_revoked: error = SSL_ERROR_REVOKED_CERT_ALERT; break;
2389 case certificate_expired: error = SSL_ERROR_EXPIRED_CERT_ALERT; break;
2390 case certificate_unknown: error = SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT;
2391 break;
2392 case illegal_parameter: error = SSL_ERROR_ILLEGAL_PARAMETER_ALERT;break;
2393
2394 /* All alerts below are TLS only. */
2395 case unknown_ca: error = SSL_ERROR_UNKNOWN_CA_ALERT; break;
2396 case access_denied: error = SSL_ERROR_ACCESS_DENIED_ALERT; break;
2397 case decode_error: error = SSL_ERROR_DECODE_ERROR_ALERT; break;
2398 case decrypt_error: error = SSL_ERROR_DECRYPT_ERROR_ALERT; break;
2399 case export_restriction: error = SSL_ERROR_EXPORT_RESTRICTION_ALERT;
2400 break;
2401 case protocol_version: error = SSL_ERROR_PROTOCOL_VERSION_ALERT; break;
2402 case insufficient_security: error = SSL_ERROR_INSUFFICIENT_SECURITY_ALERT;
2403 break;
2404 case internal_error: error = SSL_ERROR_INTERNAL_ERROR_ALERT; break;
2405 case user_canceled: error = SSL_ERROR_USER_CANCELED_ALERT; break;
2406 case no_renegotiation: error = SSL_ERROR_NO_RENEGOTIATION_ALERT; break;
2407
2408 /* Alerts for TLS client hello extensions */
2409 case unsupported_extension:
2410 error = SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT; break;
2411 case certificate_unobtainable:
2412 error = SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT; break;
2413 case unrecognized_name:
2414 error = SSL_ERROR_UNRECOGNIZED_NAME_ALERT; break;
2415 case bad_certificate_status_response:
2416 error = SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT; break;
2417 case bad_certificate_hash_value:
2418 error = SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT; break;
2419 default: error = SSL_ERROR_RX_UNKNOWN_ALERT; break;
2420 }
2421 if (level == alert_fatal) {
2422 ss->sec.uncache(ss->sec.ci.sid);
2423 if ((ss->ssl3.hs.ws == wait_server_hello) &&
2424 (desc == handshake_failure)) {
2425 /* XXX This is a hack. We're assuming that any handshake failure
2426 * XXX on the client hello is a failure to match ciphers.
2427 */
2428 error = SSL_ERROR_NO_CYPHER_OVERLAP;
2429 }
2430 PORT_SetError(error);
2431 return SECFailure;
2432 }
2433 if ((desc == no_certificate) && (ss->ssl3.hs.ws == wait_client_cert)) {
2434 /* I'm a server. I've requested a client cert. He hasn't got one. */
2435 SECStatus rv;
2436
2437 PORT_Assert(ss->sec.isServer);
2438 ss->ssl3.hs.ws = wait_client_key;
2439 rv = ssl3_HandleNoCertificate(ss);
2440 return rv;
2441 }
2442 return SECSuccess;
2443 }
2444
2445 /*
2446 * Change Cipher Specs
2447 * Called from ssl3_HandleServerHelloDone,
2448 * ssl3_HandleClientHello,
2449 * and ssl3_HandleFinished
2450 *
2451 * Acquires and releases spec write lock, to protect switching the current
2452 * and pending write spec pointers.
2453 */
2454
2455 static SECStatus
2456 ssl3_SendChangeCipherSpecs(sslSocket *ss)
2457 {
2458 uint8 change = change_cipher_spec_choice;
2459 ssl3CipherSpec * pwSpec;
2460 SECStatus rv;
2461 PRInt32 sent;
2462
2463 SSL_TRC(3, ("%d: SSL3[%d]: send change_cipher_spec record",
2464 SSL_GETPID(), ss->fd));
2465
2466 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
2467 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
2468
2469 rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
2470 if (rv != SECSuccess) {
2471 return rv; /* error code set by ssl3_FlushHandshake */
2472 }
2473 sent = ssl3_SendRecord(ss, content_change_cipher_spec, &change, 1,
2474 ssl_SEND_FLAG_FORCE_INTO_BUFFER);
2475 if (sent < 0) {
2476 return (SECStatus)sent; /* error code set by ssl3_SendRecord */
2477 }
2478
2479 /* swap the pending and current write specs. */
2480 ssl_GetSpecWriteLock(ss); /**************************************/
2481 pwSpec = ss->ssl3.pwSpec;
2482 pwSpec->write_seq_num.high = 0;
2483 pwSpec->write_seq_num.low = 0;
2484
2485 ss->ssl3.pwSpec = ss->ssl3.cwSpec;
2486 ss->ssl3.cwSpec = pwSpec;
2487
2488 SSL_TRC(3, ("%d: SSL3[%d] Set Current Write Cipher Suite to Pending",
2489 SSL_GETPID(), ss->fd ));
2490
2491 /* We need to free up the contexts, keys and certs ! */
2492 /* If we are really through with the old cipher spec
2493 * (Both the read and write sides have changed) destroy it.
2494 */
2495 if (ss->ssl3.prSpec == ss->ssl3.pwSpec) {
2496 ssl3_DestroyCipherSpec(ss->ssl3.pwSpec);
2497 }
2498 ssl_ReleaseSpecWriteLock(ss); /**************************************/
2499
2500 return SECSuccess;
2501 }
2502
2503 /* Called from ssl3_HandleRecord.
2504 ** Caller must hold both RecvBuf and Handshake locks.
2505 *
2506 * Acquires and releases spec write lock, to protect switching the current
2507 * and pending write spec pointers.
2508 */
2509 static SECStatus
2510 ssl3_HandleChangeCipherSpecs(sslSocket *ss, sslBuffer *buf)
2511 {
2512 ssl3CipherSpec * prSpec;
2513 SSL3WaitState ws = ss->ssl3.hs.ws;
2514 SSL3ChangeCipherSpecChoice change;
2515
2516 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
2517 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
2518
2519 SSL_TRC(3, ("%d: SSL3[%d]: handle change_cipher_spec record",
2520 SSL_GETPID(), ss->fd));
2521
2522 if (ws != wait_change_cipher) {
2523 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
2524 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER);
2525 return SECFailure;
2526 }
2527
2528 if(buf->len != 1) {
2529 (void)ssl3_DecodeError(ss);
2530 PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
2531 return SECFailure;
2532 }
2533 change = (SSL3ChangeCipherSpecChoice)buf->buf[0];
2534 if (change != change_cipher_spec_choice) {
2535 /* illegal_parameter is correct here for both SSL3 and TLS. */
2536 (void)ssl3_IllegalParameter(ss);
2537 PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
2538 return SECFailure;
2539 }
2540 buf->len = 0;
2541
2542 /* Swap the pending and current read specs. */
2543 ssl_GetSpecWriteLock(ss); /*************************************/
2544 prSpec = ss->ssl3.prSpec;
2545 prSpec->read_seq_num.high = prSpec->read_seq_num.low = 0;
2546
2547 ss->ssl3.prSpec = ss->ssl3.crSpec;
2548 ss->ssl3.crSpec = prSpec;
2549 ss->ssl3.hs.ws = wait_finished;
2550
2551 SSL_TRC(3, ("%d: SSL3[%d] Set Current Read Cipher Suite to Pending",
2552 SSL_GETPID(), ss->fd ));
2553
2554 /* If we are really through with the old cipher prSpec
2555 * (Both the read and write sides have changed) destroy it.
2556 */
2557 if (ss->ssl3.prSpec == ss->ssl3.pwSpec) {
2558 ssl3_DestroyCipherSpec(ss->ssl3.prSpec);
2559 }
2560 ssl_ReleaseSpecWriteLock(ss); /*************************************/
2561 return SECSuccess;
2562 }
2563
2564 /* This method uses PKCS11 to derive the MS from the PMS, where PMS
2565 ** is a PKCS11 symkey. This is used in all cases except the
2566 ** "triple bypass" with RSA key exchange.
2567 ** Called from ssl3_InitPendingCipherSpec. prSpec is pwSpec.
2568 */
2569 static SECStatus
2570 ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms)
2571 {
2572 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec;
2573 const ssl3KEADef *kea_def= ss->ssl3.hs.kea_def;
2574 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random;
2575 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random;
2576 PRBool isTLS = (PRBool)(kea_def->tls_keygen ||
2577 (pwSpec->version > SSL_LIBRARY_VERSION_3_0));
2578 /*
2579 * Whenever isDH is true, we need to use CKM_TLS_MASTER_KEY_DERIVE_DH
2580 * which, unlike CKM_TLS_MASTER_KEY_DERIVE, converts arbitrary size
2581 * data into a 48-byte value.
2582 */
2583 PRBool isDH = (PRBool) ((ss->ssl3.hs.kea_def->exchKeyType == kt_dh) ||
2584 (ss->ssl3.hs.kea_def->exchKeyType == kt_ecdh));
2585 SECStatus rv = SECFailure;
2586 CK_MECHANISM_TYPE master_derive;
2587 CK_MECHANISM_TYPE key_derive;
2588 SECItem params;
2589 CK_FLAGS keyFlags;
2590 CK_VERSION pms_version;
2591 CK_SSL3_MASTER_KEY_DERIVE_PARAMS master_params;
2592
2593 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
2594 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
2595 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
2596 if (isTLS) {
2597 if(isDH) master_derive = CKM_TLS_MASTER_KEY_DERIVE_DH;
2598 else master_derive = CKM_TLS_MASTER_KEY_DERIVE;
2599 key_derive = CKM_TLS_KEY_AND_MAC_DERIVE;
2600 keyFlags = CKF_SIGN | CKF_VERIFY;
2601 } else {
2602 if (isDH) master_derive = CKM_SSL3_MASTER_KEY_DERIVE_DH;
2603 else master_derive = CKM_SSL3_MASTER_KEY_DERIVE;
2604 key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE;
2605 keyFlags = 0;
2606 }
2607
2608 if (pms || !pwSpec->master_secret) {
2609 master_params.pVersion = &pms_version;
2610 master_params.RandomInfo.pClientRandom = cr;
2611 master_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH;
2612 master_params.RandomInfo.pServerRandom = sr;
2613 master_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH;
2614
2615 params.data = (unsigned char *) &master_params;
2616 params.len = sizeof master_params;
2617 }
2618
2619 if (pms != NULL) {
2620 #if defined(TRACE)
2621 if (ssl_trace >= 100) {
2622 SECStatus extractRV = PK11_ExtractKeyValue(pms);
2623 if (extractRV == SECSuccess) {
2624 SECItem * keyData = PK11_GetKeyData(pms);
2625 if (keyData && keyData->data && keyData->len) {
2626 ssl_PrintBuf(ss, "Pre-Master Secret",
2627 keyData->data, keyData->len);
2628 }
2629 }
2630 }
2631 #endif
2632 pwSpec->master_secret = PK11_DeriveWithFlags(pms, master_derive,
2633 &params, key_derive, CKA_DERIVE, 0, keyFlags);
2634 if (!isDH && pwSpec->master_secret && ss->opt.detectRollBack) {
2635 SSL3ProtocolVersion client_version;
2636 client_version = pms_version.major << 8 | pms_version.minor;
2637 if (client_version != ss->clientHelloVersion) {
2638 /* Destroy it. Version roll-back detected. */
2639 PK11_FreeSymKey(pwSpec->master_secret);
2640 pwSpec->master_secret = NULL;
2641 }
2642 }
2643 if (pwSpec->master_secret == NULL) {
2644 /* Generate a faux master secret in the same slot as the old one. */
2645 PK11SlotInfo * slot = PK11_GetSlotFromKey((PK11SymKey *)pms);
2646 PK11SymKey * fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot);
2647
2648 PK11_FreeSlot(slot);
2649 if (fpms != NULL) {
2650 pwSpec->master_secret = PK11_DeriveWithFlags(fpms,
2651 master_derive, &params, key_derive,
2652 CKA_DERIVE, 0, keyFlags);
2653 PK11_FreeSymKey(fpms);
2654 }
2655 }
2656 }
2657 if (pwSpec->master_secret == NULL) {
2658 /* Generate a faux master secret from the internal slot. */
2659 PK11SlotInfo * slot = PK11_GetInternalSlot();
2660 PK11SymKey * fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot);
2661
2662 PK11_FreeSlot(slot);
2663 if (fpms != NULL) {
2664 pwSpec->master_secret = PK11_DeriveWithFlags(fpms,
2665 master_derive, &params, key_derive,
2666 CKA_DERIVE, 0, keyFlags);
2667 if (pwSpec->master_secret == NULL) {
2668 pwSpec->master_secret = fpms; /* use the fpms as the master. */
2669 fpms = NULL;
2670 }
2671 }
2672 if (fpms) {
2673 PK11_FreeSymKey(fpms);
2674 }
2675 }
2676 if (pwSpec->master_secret == NULL) {
2677 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
2678 return rv;
2679 }
2680 if (ss->opt.bypassPKCS11) {
2681 SECItem * keydata;
2682 /* In hope of doing a "double bypass",
2683 * need to extract the master secret's value from the key object
2684 * and store it raw in the sslSocket struct.
2685 */
2686 rv = PK11_ExtractKeyValue(pwSpec->master_secret);
2687 if (rv != SECSuccess) {
2688 #if defined(NSS_SURVIVE_DOUBLE_BYPASS_FAILURE)
2689 /* The double bypass failed.
2690 * Attempt to revert to an all PKCS#11, non-bypass method.
2691 * Do we need any unacquired locks here?
2692 */
2693 ss->opt.bypassPKCS11 = 0;
2694 rv = ssl3_NewHandshakeHashes(ss);
2695 if (rv == SECSuccess) {
2696 rv = ssl3_UpdateHandshakeHashes(ss, ss->ssl3.hs.messages.buf,
2697 ss->ssl3.hs.messages.len);
2698 }
2699 #endif
2700 return rv;
2701 }
2702 /* This returns the address of the secItem inside the key struct,
2703 * not a copy or a reference. So, there's no need to free it.
2704 */
2705 keydata = PK11_GetKeyData(pwSpec->master_secret);
2706 if (keydata && keydata->len <= sizeof pwSpec->raw_master_secret) {
2707 memcpy(pwSpec->raw_master_secret, keydata->data, keydata->len);
2708 pwSpec->msItem.data = pwSpec->raw_master_secret;
2709 pwSpec->msItem.len = keydata->len;
2710 } else {
2711 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
2712 return SECFailure;
2713 }
2714 }
2715 return SECSuccess;
2716 }
2717
2718
2719 /*
2720 * Derive encryption and MAC Keys (and IVs) from master secret
2721 * Sets a useful error code when returning SECFailure.
2722 *
2723 * Called only from ssl3_InitPendingCipherSpec(),
2724 * which in turn is called from
2725 * sendRSAClientKeyExchange (for Full handshake)
2726 * sendDHClientKeyExchange (for Full handshake)
2727 * ssl3_HandleClientKeyExchange (for Full handshake)
2728 * ssl3_HandleServerHello (for session restart)
2729 * ssl3_HandleClientHello (for session restart)
2730 * Caller MUST hold the specWriteLock, and SSL3HandshakeLock.
2731 * ssl3_InitPendingCipherSpec does that.
2732 *
2733 */
2734 static SECStatus
2735 ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss)
2736 {
2737 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec;
2738 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def;
2739 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random;
2740 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random;
2741 PRBool isTLS = (PRBool)(kea_def->tls_keygen ||
2742 (pwSpec->version > SSL_LIBRARY_VERSION_3_0));
2743 /* following variables used in PKCS11 path */
2744 const ssl3BulkCipherDef *cipher_def = pwSpec->cipher_def;
2745 PK11SlotInfo * slot = NULL;
2746 PK11SymKey * symKey = NULL;
2747 void * pwArg = ss->pkcs11PinArg;
2748 int keySize;
2749 CK_SSL3_KEY_MAT_PARAMS key_material_params;
2750 CK_SSL3_KEY_MAT_OUT returnedKeys;
2751 CK_MECHANISM_TYPE key_derive;
2752 CK_MECHANISM_TYPE bulk_mechanism;
2753 SSLCipherAlgorithm calg;
2754 SECItem params;
2755 PRBool skipKeysAndIVs = (PRBool)(cipher_def->calg == calg_null);
2756
2757 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
2758 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
2759 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
2760
2761 if (!pwSpec->master_secret) {
2762 PORT_SetError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
2763 return SECFailure;
2764 }
2765 /*
2766 * generate the key material
2767 */
2768 key_material_params.ulMacSizeInBits = pwSpec->mac_size * BPB;
2769 key_material_params.ulKeySizeInBits = cipher_def->secret_key_size* BPB;
2770 key_material_params.ulIVSizeInBits = cipher_def->iv_size * BPB;
2771
2772 key_material_params.bIsExport = (CK_BBOOL)(kea_def->is_limited);
2773 /* was: (CK_BBOOL)(cipher_def->keygen_mode != kg_strong); */
2774
2775 key_material_params.RandomInfo.pClientRandom = cr;
2776 key_material_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH;
2777 key_material_params.RandomInfo.pServerRandom = sr;
2778 key_material_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH;
2779 key_material_params.pReturnedKeyMaterial = &returnedKeys;
2780
2781 returnedKeys.pIVClient = pwSpec->client.write_iv;
2782 returnedKeys.pIVServer = pwSpec->server.write_iv;
2783 keySize = cipher_def->key_size;
2784
2785 if (skipKeysAndIVs) {
2786 keySize = 0;
2787 key_material_params.ulKeySizeInBits = 0;
2788 key_material_params.ulIVSizeInBits = 0;
2789 returnedKeys.pIVClient = NULL;
2790 returnedKeys.pIVServer = NULL;
2791 }
2792
2793 calg = cipher_def->calg;
2794 PORT_Assert( alg2Mech[calg].calg == calg);
2795 bulk_mechanism = alg2Mech[calg].cmech;
2796
2797 params.data = (unsigned char *)&key_material_params;
2798 params.len = sizeof(key_material_params);
2799
2800 if (isTLS) {
2801 key_derive = CKM_TLS_KEY_AND_MAC_DERIVE;
2802 } else {
2803 key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE;
2804 }
2805
2806 /* CKM_SSL3_KEY_AND_MAC_DERIVE is defined to set ENCRYPT, DECRYPT, and
2807 * DERIVE by DEFAULT */
2808 symKey = PK11_Derive(pwSpec->master_secret, key_derive, &params,
2809 bulk_mechanism, CKA_ENCRYPT, keySize);
2810 if (!symKey) {
2811 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
2812 return SECFailure;
2813 }
2814 /* we really should use the actual mac'ing mechanism here, but we
2815 * don't because these types are used to map keytype anyway and both
2816 * mac's map to the same keytype.
2817 */
2818 slot = PK11_GetSlotFromKey(symKey);
2819
2820 PK11_FreeSlot(slot); /* slot is held until the key is freed */
2821 pwSpec->client.write_mac_key =
2822 PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
2823 CKM_SSL3_SHA1_MAC, returnedKeys.hClientMacSecret, PR_TRUE, pwArg);
2824 if (pwSpec->client.write_mac_key == NULL ) {
2825 goto loser; /* loser sets err */
2826 }
2827 pwSpec->server.write_mac_key =
2828 PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
2829 CKM_SSL3_SHA1_MAC, returnedKeys.hServerMacSecret, PR_TRUE, pwArg);
2830 if (pwSpec->server.write_mac_key == NULL ) {
2831 goto loser; /* loser sets err */
2832 }
2833 if (!skipKeysAndIVs) {
2834 pwSpec->client.write_key =
2835 PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
2836 bulk_mechanism, returnedKeys.hClientKey, PR_TRUE, pwArg);
2837 if (pwSpec->client.write_key == NULL ) {
2838 goto loser; /* loser sets err */
2839 }
2840 pwSpec->server.write_key =
2841 PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
2842 bulk_mechanism, returnedKeys.hServerKey, PR_TRUE, pwArg);
2843 if (pwSpec->server.write_key == NULL ) {
2844 goto loser; /* loser sets err */
2845 }
2846 }
2847 PK11_FreeSymKey(symKey);
2848 return SECSuccess;
2849
2850
2851 loser:
2852 if (symKey) PK11_FreeSymKey(symKey);
2853 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
2854 return SECFailure;
2855 }
2856
2857 static SECStatus
2858 ssl3_RestartHandshakeHashes(sslSocket *ss)
2859 {
2860 SECStatus rv = SECSuccess;
2861
2862 if (ss->opt.bypassPKCS11) {
2863 ss->ssl3.hs.messages.len = 0;
2864 MD5_Begin((MD5Context *)ss->ssl3.hs.md5_cx);
2865 SHA1_Begin((SHA1Context *)ss->ssl3.hs.sha_cx);
2866 } else {
2867 rv = PK11_DigestBegin(ss->ssl3.hs.md5);
2868 if (rv != SECSuccess) {
2869 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
2870 return rv;
2871 }
2872 rv = PK11_DigestBegin(ss->ssl3.hs.sha);
2873 if (rv != SECSuccess) {
2874 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
2875 return rv;
2876 }
2877 }
2878 return rv;
2879 }
2880
2881 static SECStatus
2882 ssl3_NewHandshakeHashes(sslSocket *ss)
2883 {
2884 PK11Context *md5 = NULL;
2885 PK11Context *sha = NULL;
2886
2887 /*
2888 * note: We should probably lookup an SSL3 slot for these
2889 * handshake hashes in hopes that we wind up with the same slots
2890 * that the master secret will wind up in ...
2891 */
2892 SSL_TRC(30,("%d: SSL3[%d]: start handshake hashes", SSL_GETPID(), ss->fd));
2893 if (ss->opt.bypassPKCS11) {
2894 PORT_Assert(!ss->ssl3.hs.messages.buf && !ss->ssl3.hs.messages.space);
2895 ss->ssl3.hs.messages.buf = NULL;
2896 ss->ssl3.hs.messages.space = 0;
2897 } else {
2898 ss->ssl3.hs.md5 = md5 = PK11_CreateDigestContext(SEC_OID_MD5);
2899 ss->ssl3.hs.sha = sha = PK11_CreateDigestContext(SEC_OID_SHA1);
2900 if (md5 == NULL) {
2901 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
2902 goto loser;
2903 }
2904 if (sha == NULL) {
2905 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
2906 goto loser;
2907 }
2908 }
2909 if (SECSuccess == ssl3_RestartHandshakeHashes(ss)) {
2910 return SECSuccess;
2911 }
2912
2913 loser:
2914 if (md5 != NULL) {
2915 PK11_DestroyContext(md5, PR_TRUE);
2916 ss->ssl3.hs.md5 = NULL;
2917 }
2918 if (sha != NULL) {
2919 PK11_DestroyContext(sha, PR_TRUE);
2920 ss->ssl3.hs.sha = NULL;
2921 }
2922 return SECFailure;
2923
2924 }
2925
2926 /*
2927 * Handshake messages
2928 */
2929 /* Called from ssl3_AppendHandshake()
2930 ** ssl3_StartHandshakeHash()
2931 ** ssl3_HandleV2ClientHello()
2932 ** ssl3_HandleHandshakeMessage()
2933 ** Caller must hold the ssl3Handshake lock.
2934 */
2935 static SECStatus
2936 ssl3_UpdateHandshakeHashes(sslSocket *ss, unsigned char *b, unsigned int l)
2937 {
2938 SECStatus rv = SECSuccess;
2939
2940 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
2941
2942 PRINT_BUF(90, (NULL, "MD5 & SHA handshake hash input:", b, l));
2943
2944 if (ss->opt.bypassPKCS11) {
2945 MD5_Update((MD5Context *)ss->ssl3.hs.md5_cx, b, l);
2946 SHA1_Update((SHA1Context *)ss->ssl3.hs.sha_cx, b, l);
2947 #if defined(NSS_SURVIVE_DOUBLE_BYPASS_FAILURE)
2948 rv = sslBuffer_Append(&ss->ssl3.hs.messages, b, l);
2949 #endif
2950 return rv;
2951 }
2952 rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l);
2953 if (rv != SECSuccess) {
2954 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
2955 return rv;
2956 }
2957 rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l);
2958 if (rv != SECSuccess) {
2959 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
2960 return rv;
2961 }
2962 return rv;
2963 }
2964
2965 /**************************************************************************
2966 * Append Handshake functions.
2967 * All these functions set appropriate error codes.
2968 * Most rely on ssl3_AppendHandshake to set the error code.
2969 **************************************************************************/
2970 SECStatus
2971 ssl3_AppendHandshake(sslSocket *ss, const void *void_src, PRInt32 bytes)
2972 {
2973 unsigned char * src = (unsigned char *)void_src;
2974 int room = ss->sec.ci.sendBuf.space - ss->sec.ci.sendBuf.len;
2975 SECStatus rv;
2976
2977 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); /* protects sendBuf. */
2978
2979 if (ss->sec.ci.sendBuf.space < MAX_SEND_BUF_LENGTH && room < bytes) {
2980 rv = sslBuffer_Grow(&ss->sec.ci.sendBuf, PR_MAX(MIN_SEND_BUF_LENGTH,
2981 PR_MIN(MAX_SEND_BUF_LENGTH, ss->sec.ci.sendBuf.len + bytes)));
2982 if (rv != SECSuccess)
2983 return rv; /* sslBuffer_Grow has set a memory error code. */
2984 room = ss->sec.ci.sendBuf.space - ss->sec.ci.sendBuf.len;
2985 }
2986
2987 PRINT_BUF(60, (ss, "Append to Handshake", (unsigned char*)void_src, bytes));
2988 rv = ssl3_UpdateHandshakeHashes(ss, src, bytes);
2989 if (rv != SECSuccess)
2990 return rv; /* error code set by ssl3_UpdateHandshakeHashes */
2991
2992 while (bytes > room) {
2993 if (room > 0)
2994 PORT_Memcpy(ss->sec.ci.sendBuf.buf + ss->sec.ci.sendBuf.len, src,
2995 room);
2996 ss->sec.ci.sendBuf.len += room;
2997 rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
2998 if (rv != SECSuccess) {
2999 return rv; /* error code set by ssl3_FlushHandshake */
3000 }
3001 bytes -= room;
3002 src += room;
3003 room = ss->sec.ci.sendBuf.space;
3004 PORT_Assert(ss->sec.ci.sendBuf.len == 0);
3005 }
3006 PORT_Memcpy(ss->sec.ci.sendBuf.buf + ss->sec.ci.sendBuf.len, src, bytes);
3007 ss->sec.ci.sendBuf.len += bytes;
3008 return SECSuccess;
3009 }
3010
3011 SECStatus
3012 ssl3_AppendHandshakeNumber(sslSocket *ss, PRInt32 num, PRInt32 lenSize)
3013 {
3014 SECStatus rv;
3015 uint8 b[4];
3016 uint8 * p = b;
3017
3018 switch (lenSize) {
3019 case 4:
3020 *p++ = (num >> 24) & 0xff;
3021 case 3:
3022 *p++ = (num >> 16) & 0xff;
3023 case 2:
3024 *p++ = (num >> 8) & 0xff;
3025 case 1:
3026 *p = num & 0xff;
3027 }
3028 SSL_TRC(60, ("%d: number:", SSL_GETPID()));
3029 rv = ssl3_AppendHandshake(ss, &b[0], lenSize);
3030 return rv; /* error code set by AppendHandshake, if applicable. */
3031 }
3032
3033 SECStatus
3034 ssl3_AppendHandshakeVariable(
3035 sslSocket *ss, const SSL3Opaque *src, PRInt32 bytes, PRInt32 lenSize)
3036 {
3037 SECStatus rv;
3038
3039 PORT_Assert((bytes < (1<<8) && lenSize == 1) ||
3040 (bytes < (1L<<16) && lenSize == 2) ||
3041 (bytes < (1L<<24) && lenSize == 3));
3042
3043 SSL_TRC(60,("%d: append variable:", SSL_GETPID()));
3044 rv = ssl3_AppendHandshakeNumber(ss, bytes, lenSize);
3045 if (rv != SECSuccess) {
3046 return rv; /* error code set by AppendHandshake, if applicable. */
3047 }
3048 SSL_TRC(60, ("data:"));
3049 rv = ssl3_AppendHandshake(ss, src, bytes);
3050 return rv; /* error code set by AppendHandshake, if applicable. */
3051 }
3052
3053 SECStatus
3054 ssl3_AppendHandshakeHeader(sslSocket *ss, SSL3HandshakeType t, PRUint32 length)
3055 {
3056 SECStatus rv;
3057
3058 SSL_TRC(30,("%d: SSL3[%d]: append handshake header: type %s",
3059 SSL_GETPID(), ss->fd, ssl3_DecodeHandshakeType(t)));
3060 PRINT_BUF(60, (ss, "MD5 handshake hash:",
3061 (unsigned char*)ss->ssl3.hs.md5_cx, MD5_LENGTH));
3062 PRINT_BUF(95, (ss, "SHA handshake hash:",
3063 (unsigned char*)ss->ssl3.hs.sha_cx, SHA1_LENGTH));
3064
3065 rv = ssl3_AppendHandshakeNumber(ss, t, 1);
3066 if (rv != SECSuccess) {
3067 return rv; /* error code set by AppendHandshake, if applicable. */
3068 }
3069 rv = ssl3_AppendHandshakeNumber(ss, length, 3);
3070 return rv; /* error code set by AppendHandshake, if applicable. */
3071 }
3072
3073 /**************************************************************************
3074 * Consume Handshake functions.
3075 *
3076 * All data used in these functions is protected by two locks,
3077 * the RecvBufLock and the SSL3HandshakeLock
3078 **************************************************************************/
3079
3080 /* Read up the next "bytes" number of bytes from the (decrypted) input
3081 * stream "b" (which is *length bytes long). Copy them into buffer "v".
3082 * Reduces *length by bytes. Advances *b by bytes.
3083 *
3084 * If this function returns SECFailure, it has already sent an alert,
3085 * and has set a generic error code. The caller should probably
3086 * override the generic error code by setting another.
3087 */
3088 SECStatus
3089 ssl3_ConsumeHandshake(sslSocket *ss, void *v, PRInt32 bytes, SSL3Opaque **b,
3090 PRUint32 *length)
3091 {
3092 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
3093 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
3094
3095 if ((PRUint32)bytes > *length) {
3096 return ssl3_DecodeError(ss);
3097 }
3098 PORT_Memcpy(v, *b, bytes);
3099 PRINT_BUF(60, (ss, "consume bytes:", *b, bytes));
3100 *b += bytes;
3101 *length -= bytes;
3102 return SECSuccess;
3103 }
3104
3105 /* Read up the next "bytes" number of bytes from the (decrypted) input
3106 * stream "b" (which is *length bytes long), and interpret them as an
3107 * integer in network byte order. Returns the received value.
3108 * Reduces *length by bytes. Advances *b by bytes.
3109 *
3110 * Returns SECFailure (-1) on failure.
3111 * This value is indistinguishable from the equivalent received value.
3112 * Only positive numbers are to be received this way.
3113 * Thus, the largest value that may be sent this way is 0x7fffffff.
3114 * On error, an alert has been sent, and a generic error code has been set.
3115 */
3116 PRInt32
3117 ssl3_ConsumeHandshakeNumber(sslSocket *ss, PRInt32 bytes, SSL3Opaque **b,
3118 PRUint32 *length)
3119 {
3120 uint8 *buf = *b;
3121 int i;
3122 PRInt32 num = 0;
3123
3124 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
3125 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
3126 PORT_Assert( bytes <= sizeof num);
3127
3128 if ((PRUint32)bytes > *length) {
3129 return ssl3_DecodeError(ss);
3130 }
3131 PRINT_BUF(60, (ss, "consume bytes:", *b, bytes));
3132
3133 for (i = 0; i < bytes; i++)
3134 num = (num << 8) + buf[i];
3135 *b += bytes;
3136 *length -= bytes;
3137 return num;
3138 }
3139
3140 /* Read in two values from the incoming decrypted byte stream "b", which is
3141 * *length bytes long. The first value is a number whose size is "bytes"
3142 * bytes long. The second value is a byte-string whose size is the value
3143 * of the first number received. The latter byte-string, and its length,
3144 * is returned in the SECItem i.
3145 *
3146 * Returns SECFailure (-1) on failure.
3147 * On error, an alert has been sent, and a generic error code has been set.
3148 *
3149 * RADICAL CHANGE for NSS 3.11. All callers of this function make copies
3150 * of the data returned in the SECItem *i, so making a copy of it here
3151 * is simply wasteful. So, This function now just sets SECItem *i to
3152 * point to the values in the buffer **b.
3153 */
3154 SECStatus
3155 ssl3_ConsumeHandshakeVariable(sslSocket *ss, SECItem *i, PRInt32 bytes,
3156 SSL3Opaque **b, PRUint32 *length)
3157 {
3158 PRInt32 count;
3159
3160 PORT_Assert(bytes <= 3);
3161 i->len = 0;
3162 i->data = NULL;
3163 count = ssl3_ConsumeHandshakeNumber(ss, bytes, b, length);
3164 if (count < 0) { /* Can't test for SECSuccess here. */
3165 return SECFailure;
3166 }
3167 if (count > 0) {
3168 if ((PRUint32)count > *length) {
3169 return ssl3_DecodeError(ss);
3170 }
3171 i->data = *b;
3172 i->len = count;
3173 *b += count;
3174 *length -= count;
3175 }
3176 return SECSuccess;
3177 }
3178
3179 /**************************************************************************
3180 * end of Consume Handshake functions.
3181 **************************************************************************/
3182
3183 /* Extract the hashes of handshake messages to this point.
3184 * Called from ssl3_SendCertificateVerify
3185 * ssl3_SendFinished
3186 * ssl3_HandleHandshakeMessage
3187 *
3188 * Caller must hold the SSL3HandshakeLock.
3189 * Caller must hold a read or write lock on the Spec R/W lock.
3190 * (There is presently no way to assert on a Read lock.)
3191 */
3192 static SECStatus
3193 ssl3_ComputeHandshakeHashes(sslSocket * ss,
3194 ssl3CipherSpec *spec, /* uses ->master_secret */
3195 SSL3Hashes * hashes, /* output goes here. */
3196 PRUint32 sender)
3197 {
3198 SECStatus rv = SECSuccess;
3199 PRBool isTLS = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0);
3200 unsigned int outLength;
3201 SSL3Opaque md5_inner[MAX_MAC_LENGTH];
3202 SSL3Opaque sha_inner[MAX_MAC_LENGTH];
3203
3204 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
3205
3206 if (ss->opt.bypassPKCS11) {
3207 /* compute them without PKCS11 */
3208 PRUint64 md5_cx[MAX_MAC_CONTEXT_LLONGS];
3209 PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS];
3210
3211 #define md5cx ((MD5Context *)md5_cx)
3212 #define shacx ((SHA1Context *)sha_cx)
3213
3214 if (!spec->msItem.data) {
3215 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
3216 return SECFailure;
3217 }
3218
3219 MD5_Clone (md5cx, (MD5Context *)ss->ssl3.hs.md5_cx);
3220 SHA1_Clone(shacx, (SHA1Context *)ss->ssl3.hs.sha_cx);
3221
3222 if (!isTLS) {
3223 /* compute hashes for SSL3. */
3224 unsigned char s[4];
3225
3226 s[0] = (unsigned char)(sender >> 24);
3227 s[1] = (unsigned char)(sender >> 16);
3228 s[2] = (unsigned char)(sender >> 8);
3229 s[3] = (unsigned char)sender;
3230
3231 if (sender != 0) {
3232 MD5_Update(md5cx, s, 4);
3233 PRINT_BUF(95, (NULL, "MD5 inner: sender", s, 4));
3234 }
3235
3236 PRINT_BUF(95, (NULL, "MD5 inner: MAC Pad 1", mac_pad_1,
3237 mac_defs[mac_md5].pad_size));
3238
3239 MD5_Update(md5cx, spec->msItem.data, spec->msItem.len);
3240 MD5_Update(md5cx, mac_pad_1, mac_defs[mac_md5].pad_size);
3241 MD5_End(md5cx, md5_inner, &outLength, MD5_LENGTH);
3242
3243 PRINT_BUF(95, (NULL, "MD5 inner: result", md5_inner, outLength));
3244
3245 if (sender != 0) {
3246 SHA1_Update(shacx, s, 4);
3247 PRINT_BUF(95, (NULL, "SHA inner: sender", s, 4));
3248 }
3249
3250 PRINT_BUF(95, (NULL, "SHA inner: MAC Pad 1", mac_pad_1,
3251 mac_defs[mac_sha].pad_size));
3252
3253 SHA1_Update(shacx, spec->msItem.data, spec->msItem.len);
3254 SHA1_Update(shacx, mac_pad_1, mac_defs[mac_sha].pad_size);
3255 SHA1_End(shacx, sha_inner, &outLength, SHA1_LENGTH);
3256
3257 PRINT_BUF(95, (NULL, "SHA inner: result", sha_inner, outLength));
3258 PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2,
3259 mac_defs[mac_md5].pad_size));
3260 PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH));
3261
3262 MD5_Begin(md5cx);
3263 MD5_Update(md5cx, spec->msItem.data, spec->msItem.len);
3264 MD5_Update(md5cx, mac_pad_2, mac_defs[mac_md5].pad_size);
3265 MD5_Update(md5cx, md5_inner, MD5_LENGTH);
3266 }
3267 MD5_End(md5cx, hashes->md5, &outLength, MD5_LENGTH);
3268
3269 PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->md5, MD5_LENGTH));
3270
3271 if (!isTLS) {
3272 PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2,
3273 mac_defs[mac_sha].pad_size));
3274 PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH));
3275
3276 SHA1_Begin(shacx);
3277 SHA1_Update(shacx, spec->msItem.data, spec->msItem.len);
3278 SHA1_Update(shacx, mac_pad_2, mac_defs[mac_sha].pad_size);
3279 SHA1_Update(shacx, sha_inner, SHA1_LENGTH);
3280 }
3281 SHA1_End(shacx, hashes->sha, &outLength, SHA1_LENGTH);
3282
3283 PRINT_BUF(60, (NULL, "SHA outer: result", hashes->sha, SHA1_LENGTH));
3284
3285 rv = SECSuccess;
3286 #undef md5cx
3287 #undef shacx
3288 } else {
3289 /* compute hases with PKCS11 */
3290 PK11Context * md5;
3291 PK11Context * sha = NULL;
3292 unsigned char *md5StateBuf = NULL;
3293 unsigned char *shaStateBuf = NULL;
3294 unsigned int md5StateLen, shaStateLen;
3295 unsigned char md5StackBuf[256];
3296 unsigned char shaStackBuf[512];
3297
3298 if (!spec->master_secret) {
3299 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
3300 return SECFailure;
3301 }
3302
3303 md5StateBuf = PK11_SaveContextAlloc(ss->ssl3.hs.md5, md5StackBuf,
3304 sizeof md5StackBuf, &md5StateLen);
3305 if (md5StateBuf == NULL) {
3306 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
3307 goto loser;
3308 }
3309 md5 = ss->ssl3.hs.md5;
3310
3311 shaStateBuf = PK11_SaveContextAlloc(ss->ssl3.hs.sha, shaStackBuf,
3312 sizeof shaStackBuf, &shaStateLen);
3313 if (shaStateBuf == NULL) {
3314 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
3315 goto loser;
3316 }
3317 sha = ss->ssl3.hs.sha;
3318
3319 if (!isTLS) {
3320 /* compute hashes for SSL3. */
3321 unsigned char s[4];
3322
3323 s[0] = (unsigned char)(sender >> 24);
3324 s[1] = (unsigned char)(sender >> 16);
3325 s[2] = (unsigned char)(sender >> 8);
3326 s[3] = (unsigned char)sender;
3327
3328 if (sender != 0) {
3329 rv |= PK11_DigestOp(md5, s, 4);
3330 PRINT_BUF(95, (NULL, "MD5 inner: sender", s, 4));
3331 }
3332
3333 PRINT_BUF(95, (NULL, "MD5 inner: MAC Pad 1", mac_pad_1,
3334 mac_defs[mac_md5].pad_size));
3335
3336 rv |= PK11_DigestKey(md5,spec->master_secret);
3337 rv |= PK11_DigestOp(md5, mac_pad_1, mac_defs[mac_md5].pad_size);
3338 rv |= PK11_DigestFinal(md5, md5_inner, &outLength, MD5_LENGTH);
3339 PORT_Assert(rv != SECSuccess || outLength == MD5_LENGTH);
3340 if (rv != SECSuccess) {
3341 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
3342 rv = SECFailure;
3343 goto loser;
3344 }
3345
3346 PRINT_BUF(95, (NULL, "MD5 inner: result", md5_inner, outLength));
3347
3348 if (sender != 0) {
3349 rv |= PK11_DigestOp(sha, s, 4);
3350 PRINT_BUF(95, (NULL, "SHA inner: sender", s, 4));
3351 }
3352
3353 PRINT_BUF(95, (NULL, "SHA inner: MAC Pad 1", mac_pad_1,
3354 mac_defs[mac_sha].pad_size));
3355
3356 rv |= PK11_DigestKey(sha, spec->master_secret);
3357 rv |= PK11_DigestOp(sha, mac_pad_1, mac_defs[mac_sha].pad_size);
3358 rv |= PK11_DigestFinal(sha, sha_inner, &outLength, SHA1_LENGTH);
3359 PORT_Assert(rv != SECSuccess || outLength == SHA1_LENGTH);
3360 if (rv != SECSuccess) {
3361 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
3362 rv = SECFailure;
3363 goto loser;
3364 }
3365
3366 PRINT_BUF(95, (NULL, "SHA inner: result", sha_inner, outLength));
3367
3368 PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2,
3369 mac_defs[mac_md5].pad_size));
3370 PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH));
3371
3372 rv |= PK11_DigestBegin(md5);
3373 rv |= PK11_DigestKey(md5, spec->master_secret);
3374 rv |= PK11_DigestOp(md5, mac_pad_2, mac_defs[mac_md5].pad_size);
3375 rv |= PK11_DigestOp(md5, md5_inner, MD5_LENGTH);
3376 }
3377 rv |= PK11_DigestFinal(md5, hashes->md5, &outLength, MD5_LENGTH);
3378 PORT_Assert(rv != SECSuccess || outLength == MD5_LENGTH);
3379 if (rv != SECSuccess) {
3380 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
3381 rv = SECFailure;
3382 goto loser;
3383 }
3384
3385 PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->md5, MD5_LENGTH));
3386
3387 if (!isTLS) {
3388 PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2,
3389 mac_defs[mac_sha].pad_size));
3390 PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH));
3391
3392 rv |= PK11_DigestBegin(sha);
3393 rv |= PK11_DigestKey(sha,spec->master_secret);
3394 rv |= PK11_DigestOp(sha, mac_pad_2, mac_defs[mac_sha].pad_size);
3395 rv |= PK11_DigestOp(sha, sha_inner, SHA1_LENGTH);
3396 }
3397 rv |= PK11_DigestFinal(sha, hashes->sha, &outLength, SHA1_LENGTH);
3398 PORT_Assert(rv != SECSuccess || outLength == SHA1_LENGTH);
3399 if (rv != SECSuccess) {
3400 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
3401 rv = SECFailure;
3402 goto loser;
3403 }
3404
3405 PRINT_BUF(60, (NULL, "SHA outer: result", hashes->sha, SHA1_LENGTH));
3406
3407 rv = SECSuccess;
3408
3409 loser:
3410 if (md5StateBuf) {
3411 if (PK11_RestoreContext(ss->ssl3.hs.md5, md5StateBuf, md5StateLen)
3412 != SECSuccess)
3413 {
3414 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
3415 rv = SECFailure;
3416 }
3417 if (md5StateBuf != md5StackBuf) {
3418 PORT_ZFree(md5StateBuf, md5StateLen);
3419 }
3420 }
3421 if (shaStateBuf) {
3422 if (PK11_RestoreContext(ss->ssl3.hs.sha, shaStateBuf, shaStateLen)
3423 != SECSuccess)
3424 {
3425 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
3426 rv = SECFailure;
3427 }
3428 if (shaStateBuf != shaStackBuf) {
3429 PORT_ZFree(shaStateBuf, shaStateLen);
3430 }
3431 }
3432 }
3433 return rv;
3434 }
3435
3436 /*
3437 * SSL 2 based implementations pass in the initial outbound buffer
3438 * so that the handshake hash can contain the included information.
3439 *
3440 * Called from ssl2_BeginClientHandshake() in sslcon.c
3441 */
3442 SECStatus
3443 ssl3_StartHandshakeHash(sslSocket *ss, unsigned char * buf, int length)
3444 {
3445 SECStatus rv;
3446
3447 ssl_GetSSL3HandshakeLock(ss); /**************************************/
3448
3449 rv = ssl3_InitState(ss);
3450 if (rv != SECSuccess) {
3451 goto done; /* ssl3_InitState has set the error code. */
3452 }
3453
3454 PORT_Memset(&ss->ssl3.hs.client_random, 0, SSL3_RANDOM_LENGTH);
3455 PORT_Memcpy(
3456 &ss->ssl3.hs.client_random.rand[SSL3_RANDOM_LENGTH - SSL_CHALLENGE_BYTES],
3457 &ss->sec.ci.clientChallenge,
3458 SSL_CHALLENGE_BYTES);
3459
3460 rv = ssl3_UpdateHandshakeHashes(ss, buf, length);
3461 /* if it failed, ssl3_UpdateHandshakeHashes has set the error code. */
3462
3463 done:
3464 ssl_ReleaseSSL3HandshakeLock(ss); /**************************************/
3465 return rv;
3466 }
3467
3468 /**************************************************************************
3469 * end of Handshake Hash functions.
3470 * Begin Send and Handle functions for handshakes.
3471 **************************************************************************/
3472
3473 /* Called from ssl3_HandleHelloRequest(),
3474 * ssl3_HandleFinished() (for step-up)
3475 * ssl3_RedoHandshake()
3476 * ssl2_BeginClientHandshake (when resuming ssl3 session)
3477 */
3478 SECStatus
3479 ssl3_SendClientHello(sslSocket *ss)
3480 {
3481 sslSessionID * sid;
3482 ssl3CipherSpec * cwSpec;
3483 SECStatus rv;
3484 int i;
3485 int length;
3486 int num_suites;
3487 int actual_count = 0;
3488 PRInt32 total_exten_len = 0;
3489
3490 SSL_TRC(3, ("%d: SSL3[%d]: send client_hello handshake", SSL_GETPID(),
3491 ss->fd));
3492
3493 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
3494 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
3495
3496 rv = ssl3_InitState(ss);
3497 if (rv != SECSuccess) {
3498 return rv; /* ssl3_InitState has set the error code. */
3499 }
3500
3501 /* We might be starting a session renegotiation in which case we should
3502 * clear previous state.
3503 */
3504 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
3505
3506 SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes",
3507 SSL_GETPID(), ss->fd ));
3508 rv = ssl3_RestartHandshakeHashes(ss);
3509 if (rv != SECSuccess) {
3510 return rv;
3511 }
3512
3513 /* We ignore ss->sec.ci.sid here, and use ssl_Lookup because Lookup
3514 * handles expired entries and other details.
3515 * XXX If we've been called from ssl2_BeginClientHandshake, then
3516 * this lookup is duplicative and wasteful.
3517 */
3518 sid = (ss->opt.noCache) ? NULL
3519 : ssl_LookupSID(&ss->sec.ci.peer, ss->sec.ci.port, ss->peerID, ss->url);
3520
3521 /* We can't resume based on a different token. If the sid exists,
3522 * make sure the token that holds the master secret still exists ...
3523 * If we previously did client-auth, make sure that the token that holds
3524 * the private key still exists, is logged in, hasn't been removed, etc.
3525 */
3526 if (sid) {
3527 PRBool sidOK = PR_TRUE;
3528 if (sid->u.ssl3.keys.msIsWrapped) {
3529 /* Session key was wrapped, which means it was using PKCS11, */
3530 PK11SlotInfo *slot = NULL;
3531 if (sid->u.ssl3.masterValid && !ss->opt.bypassPKCS11) {
3532 slot = SECMOD_LookupSlot(sid->u.ssl3.masterModuleID,
3533 sid->u.ssl3.masterSlotID);
3534 }
3535 if (slot == NULL) {
3536 sidOK = PR_FALSE;
3537 } else {
3538 PK11SymKey *wrapKey = NULL;
3539 if (!PK11_IsPresent(slot) ||
3540 ((wrapKey = PK11_GetWrapKey(slot,
3541 sid->u.ssl3.masterWrapIndex,
3542 sid->u.ssl3.masterWrapMech,
3543 sid->u.ssl3.masterWrapSeries,
3544 ss->pkcs11PinArg)) == NULL) ) {
3545 sidOK = PR_FALSE;
3546 }
3547 if (wrapKey) PK11_FreeSymKey(wrapKey);
3548 PK11_FreeSlot(slot);
3549 slot = NULL;
3550 }
3551 }
3552 /* If we previously did client-auth, make sure that the token that
3553 ** holds the private key still exists, is logged in, hasn't been
3554 ** removed, etc.
3555 */
3556 if (sidOK && !ssl3_ClientAuthTokenPresent(sid)) {
3557 sidOK = PR_FALSE;
3558 }
3559
3560 if (!sidOK) {
3561 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_not_ok );
3562 (*ss->sec.uncache)(sid);
3563 ssl_FreeSID(sid);
3564 sid = NULL;
3565 }
3566 }
3567
3568 if (sid) {
3569 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_hits );
3570
3571 /* Are we attempting a stateless session resume? */
3572 if (sid->version > SSL_LIBRARY_VERSION_3_0 &&
3573 sid->u.ssl3.sessionTicket.ticket.data)
3574 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_stateless_resumes );
3575
3576 rv = ssl3_NegotiateVersion(ss, sid->version);
3577 if (rv != SECSuccess)
3578 return rv; /* error code was set */
3579
3580 PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl3.sessionID,
3581 sid->u.ssl3.sessionIDLength));
3582
3583 ss->ssl3.policy = sid->u.ssl3.policy;
3584 } else {
3585 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_misses );
3586
3587 rv = ssl3_NegotiateVersion(ss, SSL_LIBRARY_VERSION_3_1_TLS);
3588 if (rv != SECSuccess)
3589 return rv; /* error code was set */
3590
3591 sid = ssl3_NewSessionID(ss, PR_FALSE);
3592 if (!sid) {
3593 return SECFailure; /* memory error is set */
3594 }
3595 }
3596
3597 ssl_GetSpecWriteLock(ss);
3598 cwSpec = ss->ssl3.cwSpec;
3599 if (cwSpec->mac_def->mac == mac_null) {
3600 /* SSL records are not being MACed. */
3601 cwSpec->version = ss->version;
3602 }
3603 ssl_ReleaseSpecWriteLock(ss);
3604
3605 if (ss->sec.ci.sid != NULL) {
3606 ssl_FreeSID(ss->sec.ci.sid); /* decrement ref count, free if zero */
3607 }
3608 ss->sec.ci.sid = sid;
3609
3610 ss->sec.send = ssl3_SendApplicationData;
3611
3612 /* shouldn't get here if SSL3 is disabled, but ... */
3613 PORT_Assert(ss->opt.enableSSL3 || ss->opt.enableTLS);
3614 if (!ss->opt.enableSSL3 && !ss->opt.enableTLS) {
3615 PORT_SetError(SSL_ERROR_SSL_DISABLED);
3616 return SECFailure;
3617 }
3618
3619 /* how many suites does our PKCS11 support (regardless of policy)? */
3620 num_suites = ssl3_config_match_init(ss);
3621 if (!num_suites)
3622 return SECFailure; /* ssl3_config_match_init has set error code. */
3623
3624 if (ss->opt.enableTLS && ss->version > SSL_LIBRARY_VERSION_3_0) {
3625 PRUint32 maxBytes = 65535; /* 2^16 - 1 */
3626 PRInt32 extLen;
3627
3628 extLen = ssl3_CallHelloExtensionSenders(ss, PR_FALSE, maxBytes, NULL);
3629 if (extLen < 0) {
3630 return SECFailure;
3631 }
3632 maxBytes -= extLen;
3633 total_exten_len += extLen;
3634
3635 if (total_exten_len > 0)
3636 total_exten_len += 2;
3637 }
3638 #if defined(NSS_ENABLE_ECC) && !defined(NSS_ECC_MORE_THAN_SUITE_B)
3639 else { /* SSL3 only */
3640 ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */
3641 }
3642 #endif
3643
3644 /* how many suites are permitted by policy and user preference? */
3645 num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE);
3646 if (!num_suites)
3647 return SECFailure; /* count_cipher_suites has set error code. */
3648
3649 length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH +
3650 1 + ((sid == NULL) ? 0 : sid->u.ssl3.sessionIDLength) +
3651 2 + num_suites*sizeof(ssl3CipherSuite) +
3652 1 + compressionMethodsCount + total_exten_len;
3653
3654 rv = ssl3_AppendHandshakeHeader(ss, client_hello, length);
3655 if (rv != SECSuccess) {
3656 return rv; /* err set by ssl3_AppendHandshake* */
3657 }
3658
3659 ss->clientHelloVersion = ss->version;
3660 rv = ssl3_AppendHandshakeNumber(ss, ss->clientHelloVersion, 2);
3661 if (rv != SECSuccess) {
3662 return rv; /* err set by ssl3_AppendHandshake* */
3663 }
3664 rv = ssl3_GetNewRandom(&ss->ssl3.hs.client_random);
3665 if (rv != SECSuccess) {
3666 return rv; /* err set by GetNewRandom. */
3667 }
3668 rv = ssl3_AppendHandshake(ss, &ss->ssl3.hs.client_random,
3669 SSL3_RANDOM_LENGTH);
3670 if (rv != SECSuccess) {
3671 return rv; /* err set by ssl3_AppendHandshake* */
3672 }
3673
3674 if (sid)
3675 rv = ssl3_AppendHandshakeVariable(
3676 ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1);
3677 else
3678 rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
3679 if (rv != SECSuccess) {
3680 return rv; /* err set by ssl3_AppendHandshake* */
3681 }
3682
3683 rv = ssl3_AppendHandshakeNumber(ss, num_suites*sizeof(ssl3CipherSuite), 2);
3684 if (rv != SECSuccess) {
3685 return rv; /* err set by ssl3_AppendHandshake* */
3686 }
3687
3688
3689 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
3690 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
3691 if (config_match(suite, ss->ssl3.policy, PR_TRUE)) {
3692 actual_count++;
3693 if (actual_count > num_suites) {
3694 /* set error card removal/insertion error */
3695 PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
3696 return SECFailure;
3697 }
3698 rv = ssl3_AppendHandshakeNumber(ss, suite->cipher_suite,
3699 sizeof(ssl3CipherSuite));
3700 if (rv != SECSuccess) {
3701 return rv; /* err set by ssl3_AppendHandshake* */
3702 }
3703 }
3704 }
3705
3706 /* if cards were removed or inserted between count_cipher_suites and
3707 * generating our list, detect the error here rather than send it off to
3708 * the server.. */
3709 if (actual_count != num_suites) {
3710 /* Card removal/insertion error */
3711 PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
3712 return SECFailure;
3713 }
3714
3715 rv = ssl3_AppendHandshakeNumber(ss, compressionMethodsCount, 1);
3716 if (rv != SECSuccess) {
3717 return rv; /* err set by ssl3_AppendHandshake* */
3718 }
3719 for (i = 0; i < compressionMethodsCount; i++) {
3720 rv = ssl3_AppendHandshakeNumber(ss, compressions[i], 1);
3721 if (rv != SECSuccess) {
3722 return rv; /* err set by ssl3_AppendHandshake* */
3723 }
3724 }
3725
3726 if (total_exten_len) {
3727 PRUint32 maxBytes = total_exten_len - 2;
3728 PRInt32 extLen;
3729
3730 rv = ssl3_AppendHandshakeNumber(ss, maxBytes, 2);
3731 if (rv != SECSuccess) {
3732 return rv; /* err set by AppendHandshake. */
3733 }
3734
3735 extLen = ssl3_CallHelloExtensionSenders(ss, PR_TRUE, maxBytes, NULL);
3736 if (extLen < 0) {
3737 return SECFailure;
3738 }
3739 maxBytes -= extLen;
3740 PORT_Assert(!maxBytes);
3741 }
3742
3743
3744 rv = ssl3_FlushHandshake(ss, 0);
3745 if (rv != SECSuccess) {
3746 return rv; /* error code set by ssl3_FlushHandshake */
3747 }
3748
3749 ss->ssl3.hs.ws = wait_server_hello;
3750 return rv;
3751 }
3752
3753
3754 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
3755 * ssl3 Hello Request.
3756 * Caller must hold Handshake and RecvBuf locks.
3757 */
3758 static SECStatus
3759 ssl3_HandleHelloRequest(sslSocket *ss)
3760 {
3761 sslSessionID *sid = ss->sec.ci.sid;
3762 SECStatus rv;
3763
3764 SSL_TRC(3, ("%d: SSL3[%d]: handle hello_request handshake",
3765 SSL_GETPID(), ss->fd));
3766
3767 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
3768 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
3769
3770 if (ss->ssl3.hs.ws == wait_server_hello)
3771 return SECSuccess;
3772 if (ss->ssl3.hs.ws != idle_handshake || ss->sec.isServer) {
3773 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
3774 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST);
3775 return SECFailure;
3776 }
3777 if (sid) {
3778 ss->sec.uncache(sid);
3779 ssl_FreeSID(sid);
3780 ss->sec.ci.sid = NULL;
3781 }
3782
3783 ssl_GetXmitBufLock(ss);
3784 rv = ssl3_SendClientHello(ss);
3785 ssl_ReleaseXmitBufLock(ss);
3786
3787 return rv;
3788 }
3789
3790 #define UNKNOWN_WRAP_MECHANISM 0x7fffffff
3791
3792 static const CK_MECHANISM_TYPE wrapMechanismList[SSL_NUM_WRAP_MECHS] = {
3793 CKM_DES3_ECB,
3794 CKM_CAST5_ECB,
3795 CKM_DES_ECB,
3796 CKM_KEY_WRAP_LYNKS,
3797 CKM_IDEA_ECB,
3798 CKM_CAST3_ECB,
3799 CKM_CAST_ECB,
3800 CKM_RC5_ECB,
3801 CKM_RC2_ECB,
3802 CKM_CDMF_ECB,
3803 CKM_SKIPJACK_WRAP,
3804 CKM_SKIPJACK_CBC64,
3805 CKM_AES_ECB,
3806 CKM_CAMELLIA_ECB,
3807 UNKNOWN_WRAP_MECHANISM
3808 };
3809
3810 static int
3811 ssl_FindIndexByWrapMechanism(CK_MECHANISM_TYPE mech)
3812 {
3813 const CK_MECHANISM_TYPE *pMech = wrapMechanismList;
3814
3815 while (mech != *pMech && *pMech != UNKNOWN_WRAP_MECHANISM) {
3816 ++pMech;
3817 }
3818 return (*pMech == UNKNOWN_WRAP_MECHANISM) ? -1
3819 : (pMech - wrapMechanismList);
3820 }
3821
3822 static PK11SymKey *
3823 ssl_UnwrapSymWrappingKey(
3824 SSLWrappedSymWrappingKey *pWswk,
3825 SECKEYPrivateKey * svrPrivKey,
3826 SSL3KEAType exchKeyType,
3827 CK_MECHANISM_TYPE masterWrapMech,
3828 void * pwArg)
3829 {
3830 PK11SymKey * unwrappedWrappingKey = NULL;
3831 SECItem wrappedKey;
3832 #ifdef NSS_ENABLE_ECC
3833 PK11SymKey * Ks;
3834 SECKEYPublicKey pubWrapKey;
3835 ECCWrappedKeyInfo *ecWrapped;
3836 #endif /* NSS_ENABLE_ECC */
3837
3838 /* found the wrapping key on disk. */
3839 PORT_Assert(pWswk->symWrapMechanism == masterWrapMech);
3840 PORT_Assert(pWswk->exchKeyType == exchKeyType);
3841 if (pWswk->symWrapMechanism != masterWrapMech ||
3842 pWswk->exchKeyType != exchKeyType) {
3843 goto loser;
3844 }
3845 wrappedKey.type = siBuffer;
3846 wrappedKey.data = pWswk->wrappedSymmetricWrappingkey;
3847 wrappedKey.len = pWswk->wrappedSymKeyLen;
3848 PORT_Assert(wrappedKey.len <= sizeof pWswk->wrappedSymmetricWrappingkey);
3849
3850 switch (exchKeyType) {
3851
3852 case kt_rsa:
3853 unwrappedWrappingKey =
3854 PK11_PubUnwrapSymKey(svrPrivKey, &wrappedKey,
3855 masterWrapMech, CKA_UNWRAP, 0);
3856 break;
3857
3858 #ifdef NSS_ENABLE_ECC
3859 case kt_ecdh:
3860 /*
3861 * For kt_ecdh, we first create an EC public key based on
3862 * data stored with the wrappedSymmetricWrappingkey. Next,
3863 * we do an ECDH computation involving this public key and
3864 * the SSL server's (long-term) EC private key. The resulting
3865 * shared secret is treated the same way as Fortezza's Ks, i.e.,
3866 * it is used to recover the symmetric wrapping key.
3867 *
3868 * The data in wrappedSymmetricWrappingkey is laid out as defined
3869 * in the ECCWrappedKeyInfo structure.
3870 */
3871 ecWrapped = (ECCWrappedKeyInfo *) pWswk->wrappedSymmetricWrappingkey;
3872
3873 PORT_Assert(ecWrapped->encodedParamLen + ecWrapped->pubValueLen +
3874 ecWrapped->wrappedKeyLen <= MAX_EC_WRAPPED_KEY_BUFLEN);
3875
3876 if (ecWrapped->encodedParamLen + ecWrapped->pubValueLen +
3877 ecWrapped->wrappedKeyLen > MAX_EC_WRAPPED_KEY_BUFLEN) {
3878 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
3879 goto loser;
3880 }
3881
3882 pubWrapKey.keyType = ecKey;
3883 pubWrapKey.u.ec.size = ecWrapped->size;
3884 pubWrapKey.u.ec.DEREncodedParams.len = ecWrapped->encodedParamLen;
3885 pubWrapKey.u.ec.DEREncodedParams.data = ecWrapped->var;
3886 pubWrapKey.u.ec.publicValue.len = ecWrapped->pubValueLen;
3887 pubWrapKey.u.ec.publicValue.data = ecWrapped->var +
3888 ecWrapped->encodedParamLen;
3889
3890 wrappedKey.len = ecWrapped->wrappedKeyLen;
3891 wrappedKey.data = ecWrapped->var + ecWrapped->encodedParamLen +
3892 ecWrapped->pubValueLen;
3893
3894 /* Derive Ks using ECDH */
3895 Ks = PK11_PubDeriveWithKDF(svrPrivKey, &pubWrapKey, PR_FALSE, NULL,
3896 NULL, CKM_ECDH1_DERIVE, masterWrapMech,
3897 CKA_DERIVE, 0, CKD_NULL, NULL, NULL);
3898 if (Ks == NULL) {
3899 goto loser;
3900 }
3901
3902 /* Use Ks to unwrap the wrapping key */
3903 unwrappedWrappingKey = PK11_UnwrapSymKey(Ks, masterWrapMech, NULL,
3904 &wrappedKey, masterWrapMech,
3905 CKA_UNWRAP, 0);
3906 PK11_FreeSymKey(Ks);
3907
3908 break;
3909 #endif
3910
3911 default:
3912 /* Assert? */
3913 SET_ERROR_CODE
3914 goto loser;
3915 }
3916 loser:
3917 return unwrappedWrappingKey;
3918 }
3919
3920 /* Each process sharing the server session ID cache has its own array of
3921 * SymKey pointers for the symmetric wrapping keys that are used to wrap
3922 * the master secrets. There is one key for each KEA type. These Symkeys
3923 * correspond to the wrapped SymKeys kept in the server session cache.
3924 */
3925
3926 typedef struct {
3927 PK11SymKey * symWrapKey[kt_kea_size];
3928 } ssl3SymWrapKey;
3929
3930 static PZLock * symWrapKeysLock = NULL;
3931 static ssl3SymWrapKey symWrapKeys[SSL_NUM_WRAP_MECHS];
3932
3933 SECStatus ssl_FreeSymWrapKeysLock(void)
3934 {
3935 if (symWrapKeysLock) {
3936 PZ_DestroyLock(symWrapKeysLock);
3937 symWrapKeysLock = NULL;
3938 return SECSuccess;
3939 }
3940 PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
3941 return SECFailure;
3942 }
3943
3944 SECStatus
3945 SSL3_ShutdownServerCache(void)
3946 {
3947 int i, j;
3948
3949 if (!symWrapKeysLock)
3950 return SECSuccess; /* lock was never initialized */
3951 PZ_Lock(symWrapKeysLock);
3952 /* get rid of all symWrapKeys */
3953 for (i = 0; i < SSL_NUM_WRAP_MECHS; ++i) {
3954 for (j = 0; j < kt_kea_size; ++j) {
3955 PK11SymKey ** pSymWrapKey;
3956 pSymWrapKey = &symWrapKeys[i].symWrapKey[j];
3957 if (*pSymWrapKey) {
3958 PK11_FreeSymKey(*pSymWrapKey);
3959 *pSymWrapKey = NULL;
3960 }
3961 }
3962 }
3963
3964 PZ_Unlock(symWrapKeysLock);
3965 ssl_FreeSessionCacheLocks();
3966 return SECSuccess;
3967 }
3968
3969 SECStatus ssl_InitSymWrapKeysLock(void)
3970 {
3971 symWrapKeysLock = PZ_NewLock(nssILockOther);
3972 return symWrapKeysLock ? SECSuccess : SECFailure;
3973 }
3974
3975 /* Try to get wrapping key for mechanism from in-memory array.
3976 * If that fails, look for one on disk.
3977 * If that fails, generate a new one, put the new one on disk,
3978 * Put the new key in the in-memory array.
3979 */
3980 static PK11SymKey *
3981 getWrappingKey( sslSocket * ss,
3982 PK11SlotInfo * masterSecretSlot,
3983 SSL3KEAType exchKeyType,
3984 CK_MECHANISM_TYPE masterWrapMech,
3985 void * pwArg)
3986 {
3987 SECKEYPrivateKey * svrPrivKey;
3988 SECKEYPublicKey * svrPubKey = NULL;
3989 PK11SymKey * unwrappedWrappingKey = NULL;
3990 PK11SymKey ** pSymWrapKey;
3991 CK_MECHANISM_TYPE asymWrapMechanism = CKM_INVALID_MECHANISM;
3992 int length;
3993 int symWrapMechIndex;
3994 SECStatus rv;
3995 SECItem wrappedKey;
3996 SSLWrappedSymWrappingKey wswk;
3997
3998 svrPrivKey = ss->serverCerts[exchKeyType].SERVERKEY;
3999 PORT_Assert(svrPrivKey != NULL);
4000 if (!svrPrivKey) {
4001 return NULL; /* why are we here?!? */
4002 }
4003
4004 symWrapMechIndex = ssl_FindIndexByWrapMechanism(masterWrapMech);
4005 PORT_Assert(symWrapMechIndex >= 0);
4006 if (symWrapMechIndex < 0)
4007 return NULL; /* invalid masterWrapMech. */
4008
4009 pSymWrapKey = &symWrapKeys[symWrapMechIndex].symWrapKey[exchKeyType];
4010
4011 ssl_InitSessionCacheLocks(PR_TRUE);
4012
4013 PZ_Lock(symWrapKeysLock);
4014
4015 unwrappedWrappingKey = *pSymWrapKey;
4016 if (unwrappedWrappingKey != NULL) {
4017 if (PK11_VerifyKeyOK(unwrappedWrappingKey)) {
4018 unwrappedWrappingKey = PK11_ReferenceSymKey(unwrappedWrappingKey);
4019 goto done;
4020 }
4021 /* slot series has changed, so this key is no good any more. */
4022 PK11_FreeSymKey(unwrappedWrappingKey);
4023 *pSymWrapKey = unwrappedWrappingKey = NULL;
4024 }
4025
4026 /* Try to get wrapped SymWrapping key out of the (disk) cache. */
4027 /* Following call fills in wswk on success. */
4028 if (ssl_GetWrappingKey(symWrapMechIndex, exchKeyType, &wswk)) {
4029 /* found the wrapped sym wrapping key on disk. */
4030 unwrappedWrappingKey =
4031 ssl_UnwrapSymWrappingKey(&wswk, svrPrivKey, exchKeyType,
4032 masterWrapMech, pwArg);
4033 if (unwrappedWrappingKey) {
4034 goto install;
4035 }
4036 }
4037
4038 if (!masterSecretSlot) /* caller doesn't want to create a new one. */
4039 goto loser;
4040
4041 length = PK11_GetBestKeyLength(masterSecretSlot, masterWrapMech);
4042 /* Zero length means fixed key length algorithm, or error.
4043 * It's ambiguous.
4044 */
4045 unwrappedWrappingKey = PK11_KeyGen(masterSecretSlot, masterWrapMech, NULL,
4046 length, pwArg);
4047 if (!unwrappedWrappingKey) {
4048 goto loser;
4049 }
4050
4051 /* Prepare the buffer to receive the wrappedWrappingKey,
4052 * the symmetric wrapping key wrapped using the server's pub key.
4053 */
4054 PORT_Memset(&wswk, 0, sizeof wswk); /* eliminate UMRs. */
4055
4056 if (ss->serverCerts[exchKeyType].serverKeyPair) {
4057 svrPubKey = ss->serverCerts[exchKeyType].serverKeyPair->pubKey;
4058 }
4059 if (svrPubKey == NULL) {
4060 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
4061 goto loser;
4062 }
4063 wrappedKey.type = siBuffer;
4064 wrappedKey.len = SECKEY_PublicKeyStrength(svrPubKey);
4065 wrappedKey.data = wswk.wrappedSymmetricWrappingkey;
4066
4067 PORT_Assert(wrappedKey.len <= sizeof wswk.wrappedSymmetricWrappingkey);
4068 if (wrappedKey.len > sizeof wswk.wrappedSymmetricWrappingkey)
4069 goto loser;
4070
4071 /* wrap symmetric wrapping key in server's public key. */
4072 switch (exchKeyType) {
4073 #ifdef NSS_ENABLE_ECC
4074 PK11SymKey * Ks = NULL;
4075 SECKEYPublicKey *pubWrapKey = NULL;
4076 SECKEYPrivateKey *privWrapKey = NULL;
4077 ECCWrappedKeyInfo *ecWrapped;
4078 #endif /* NSS_ENABLE_ECC */
4079
4080 case kt_rsa:
4081 asymWrapMechanism = CKM_RSA_PKCS;
4082 rv = PK11_PubWrapSymKey(asymWrapMechanism, svrPubKey,
4083 unwrappedWrappingKey, &wrappedKey);
4084 break;
4085
4086 #ifdef NSS_ENABLE_ECC
4087 case kt_ecdh:
4088 /*
4089 * We generate an ephemeral EC key pair. Perform an ECDH
4090 * computation involving this ephemeral EC public key and
4091 * the SSL server's (long-term) EC private key. The resulting
4092 * shared secret is treated in the same way as Fortezza's Ks,
4093 * i.e., it is used to wrap the wrapping key. To facilitate
4094 * unwrapping in ssl_UnwrapWrappingKey, we also store all
4095 * relevant info about the ephemeral EC public key in
4096 * wswk.wrappedSymmetricWrappingkey and lay it out as
4097 * described in the ECCWrappedKeyInfo structure.
4098 */
4099 PORT_Assert(svrPubKey->keyType == ecKey);
4100 if (svrPubKey->keyType != ecKey) {
4101 /* something is wrong in sslsecur.c if this isn't an ecKey */
4102 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
4103 rv = SECFailure;
4104 goto ec_cleanup;
4105 }
4106
4107 privWrapKey = SECKEY_CreateECPrivateKey(
4108 &svrPubKey->u.ec.DEREncodedParams, &pubWrapKey, NULL);
4109 if ((privWrapKey == NULL) || (pubWrapKey == NULL)) {
4110 rv = SECFailure;
4111 goto ec_cleanup;
4112 }
4113
4114 /* Set the key size in bits */
4115 if (pubWrapKey->u.ec.size == 0) {
4116 pubWrapKey->u.ec.size = SECKEY_PublicKeyStrengthInBits(svrPubKey);
4117 }
4118
4119 PORT_Assert(pubWrapKey->u.ec.DEREncodedParams.len +
4120 pubWrapKey->u.ec.publicValue.len < MAX_EC_WRAPPED_KEY_BUFLEN);
4121 if (pubWrapKey->u.ec.DEREncodedParams.len +
4122 pubWrapKey->u.ec.publicValue.len >= MAX_EC_WRAPPED_KEY_BUFLEN) {
4123 PORT_SetError(SEC_ERROR_INVALID_KEY);
4124 rv = SECFailure;
4125 goto ec_cleanup;
4126 }
4127
4128 /* Derive Ks using ECDH */
4129 Ks = PK11_PubDeriveWithKDF(svrPrivKey, pubWrapKey, PR_FALSE, NULL,
4130 NULL, CKM_ECDH1_DERIVE, masterWrapMech,
4131 CKA_DERIVE, 0, CKD_NULL, NULL, NULL);
4132 if (Ks == NULL) {
4133 rv = SECFailure;
4134 goto ec_cleanup;
4135 }
4136
4137 ecWrapped = (ECCWrappedKeyInfo *) (wswk.wrappedSymmetricWrappingkey);
4138 ecWrapped->size = pubWrapKey->u.ec.size;
4139 ecWrapped->encodedParamLen = pubWrapKey->u.ec.DEREncodedParams.len;
4140 PORT_Memcpy(ecWrapped->var, pubWrapKey->u.ec.DEREncodedParams.data,
4141 pubWrapKey->u.ec.DEREncodedParams.len);
4142
4143 ecWrapped->pubValueLen = pubWrapKey->u.ec.publicValue.len;
4144 PORT_Memcpy(ecWrapped->var + ecWrapped->encodedParamLen,
4145 pubWrapKey->u.ec.publicValue.data,
4146 pubWrapKey->u.ec.publicValue.len);
4147
4148 wrappedKey.len = MAX_EC_WRAPPED_KEY_BUFLEN -
4149 (ecWrapped->encodedParamLen + ecWrapped->pubValueLen);
4150 wrappedKey.data = ecWrapped->var + ecWrapped->encodedParamLen +
4151 ecWrapped->pubValueLen;
4152
4153 /* wrap symmetricWrapping key with the local Ks */
4154 rv = PK11_WrapSymKey(masterWrapMech, NULL, Ks,
4155 unwrappedWrappingKey, &wrappedKey);
4156
4157 if (rv != SECSuccess) {
4158 goto ec_cleanup;
4159 }
4160
4161 /* Write down the length of wrapped key in the buffer
4162 * wswk.wrappedSymmetricWrappingkey at the appropriate offset
4163 */
4164 ecWrapped->wrappedKeyLen = wrappedKey.len;
4165
4166 ec_cleanup:
4167 if (privWrapKey) SECKEY_DestroyPrivateKey(privWrapKey);
4168 if (pubWrapKey) SECKEY_DestroyPublicKey(pubWrapKey);
4169 if (Ks) PK11_FreeSymKey(Ks);
4170 asymWrapMechanism = masterWrapMech;
4171 break;
4172 #endif /* NSS_ENABLE_ECC */
4173
4174 default:
4175 rv = SECFailure;
4176 break;
4177 }
4178
4179 if (rv != SECSuccess) {
4180 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
4181 goto loser;
4182 }
4183
4184 PORT_Assert(asymWrapMechanism != CKM_INVALID_MECHANISM);
4185
4186 wswk.symWrapMechanism = masterWrapMech;
4187 wswk.symWrapMechIndex = symWrapMechIndex;
4188 wswk.asymWrapMechanism = asymWrapMechanism;
4189 wswk.exchKeyType = exchKeyType;
4190 wswk.wrappedSymKeyLen = wrappedKey.len;
4191
4192 /* put it on disk. */
4193 /* If the wrapping key for this KEA type has already been set,
4194 * then abandon the value we just computed and
4195 * use the one we got from the disk.
4196 */
4197 if (ssl_SetWrappingKey(&wswk)) {
4198 /* somebody beat us to it. The original contents of our wswk
4199 * has been replaced with the content on disk. Now, discard
4200 * the key we just created and unwrap this new one.
4201 */
4202 PK11_FreeSymKey(unwrappedWrappingKey);
4203
4204 unwrappedWrappingKey =
4205 ssl_UnwrapSymWrappingKey(&wswk, svrPrivKey, exchKeyType,
4206 masterWrapMech, pwArg);
4207 }
4208
4209 install:
4210 if (unwrappedWrappingKey) {
4211 *pSymWrapKey = PK11_ReferenceSymKey(unwrappedWrappingKey);
4212 }
4213
4214 loser:
4215 done:
4216 PZ_Unlock(symWrapKeysLock);
4217 return unwrappedWrappingKey;
4218 }
4219
4220
4221 /* Called from ssl3_SendClientKeyExchange(). */
4222 /* Presently, this always uses PKCS11. There is no bypass for this. */
4223 static SECStatus
4224 sendRSAClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
4225 {
4226 PK11SymKey * pms = NULL;
4227 SECStatus rv = SECFailure;
4228 SECItem enc_pms = {siBuffer, NULL, 0};
4229 PRBool isTLS;
4230
4231 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
4232 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
4233
4234 /* Generate the pre-master secret ... */
4235 ssl_GetSpecWriteLock(ss);
4236 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
4237
4238 pms = ssl3_GenerateRSAPMS(ss, ss->ssl3.pwSpec, NULL);
4239 ssl_ReleaseSpecWriteLock(ss);
4240 if (pms == NULL) {
4241 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
4242 goto loser;
4243 }
4244
4245 #if defined(TRACE)
4246 if (ssl_trace >= 100) {
4247 SECStatus extractRV = PK11_ExtractKeyValue(pms);
4248 if (extractRV == SECSuccess) {
4249 SECItem * keyData = PK11_GetKeyData(pms);
4250 if (keyData && keyData->data && keyData->len) {
4251 ssl_PrintBuf(ss, "Pre-Master Secret",
4252 keyData->data, keyData->len);
4253 }
4254 }
4255 }
4256 #endif
4257
4258 /* Get the wrapped (encrypted) pre-master secret, enc_pms */
4259 enc_pms.len = SECKEY_PublicKeyStrength(svrPubKey);
4260 enc_pms.data = (unsigned char*)PORT_Alloc(enc_pms.len);
4261 if (enc_pms.data == NULL) {
4262 goto loser; /* err set by PORT_Alloc */
4263 }
4264
4265 /* wrap pre-master secret in server's public key. */
4266 rv = PK11_PubWrapSymKey(CKM_RSA_PKCS, svrPubKey, pms, &enc_pms);
4267 if (rv != SECSuccess) {
4268 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
4269 goto loser;
4270 }
4271
4272 rv = ssl3_InitPendingCipherSpec(ss, pms);
4273 PK11_FreeSymKey(pms); pms = NULL;
4274
4275 if (rv != SECSuccess) {
4276 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
4277 goto loser;
4278 }
4279
4280 rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange,
4281 isTLS ? enc_pms.len + 2 : enc_pms.len);
4282 if (rv != SECSuccess) {
4283 goto loser; /* err set by ssl3_AppendHandshake* */
4284 }
4285 if (isTLS) {
4286 rv = ssl3_AppendHandshakeVariable(ss, enc_pms.data, enc_pms.len, 2);
4287 } else {
4288 rv = ssl3_AppendHandshake(ss, enc_pms.data, enc_pms.len);
4289 }
4290 if (rv != SECSuccess) {
4291 goto loser; /* err set by ssl3_AppendHandshake* */
4292 }
4293
4294 rv = SECSuccess;
4295
4296 loser:
4297 if (enc_pms.data != NULL) {
4298 PORT_Free(enc_pms.data);
4299 }
4300 if (pms != NULL) {
4301 PK11_FreeSymKey(pms);
4302 }
4303 return rv;
4304 }
4305
4306 /* Called from ssl3_SendClientKeyExchange(). */
4307 /* Presently, this always uses PKCS11. There is no bypass for this. */
4308 static SECStatus
4309 sendDHClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
4310 {
4311 PK11SymKey * pms = NULL;
4312 SECStatus rv = SECFailure;
4313 PRBool isTLS;
4314 CK_MECHANISM_TYPE target;
4315
4316 SECKEYDHParams dhParam; /* DH parameters */
4317 SECKEYPublicKey *pubKey = NULL; /* Ephemeral DH key */
4318 SECKEYPrivateKey *privKey = NULL; /* Ephemeral DH key */
4319
4320 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
4321 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
4322
4323 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
4324
4325 /* Copy DH parameters from server key */
4326
4327 if (svrPubKey->keyType != dhKey) {
4328 PORT_SetError(SEC_ERROR_BAD_KEY);
4329 goto loser;
4330 }
4331 dhParam.prime.data = svrPubKey->u.dh.prime.data;
4332 dhParam.prime.len = svrPubKey->u.dh.prime.len;
4333 dhParam.base.data = svrPubKey->u.dh.base.data;
4334 dhParam.base.len = svrPubKey->u.dh.base.len;
4335
4336 /* Generate ephemeral DH keypair */
4337 privKey = SECKEY_CreateDHPrivateKey(&dhParam, &pubKey, NULL);
4338 if (!privKey || !pubKey) {
4339 ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
4340 rv = SECFailure;
4341 goto loser;
4342 }
4343 PRINT_BUF(50, (ss, "DH public value:",
4344 pubKey->u.dh.publicValue.data,
4345 pubKey->u.dh.publicValue.len));
4346
4347 if (isTLS) target = CKM_TLS_MASTER_KEY_DERIVE_DH;
4348 else target = CKM_SSL3_MASTER_KEY_DERIVE_DH;
4349
4350 /* Determine the PMS */
4351
4352 pms = PK11_PubDerive(privKey, svrPubKey, PR_FALSE, NULL, NULL,
4353 CKM_DH_PKCS_DERIVE, target, CKA_DERIVE, 0, NULL);
4354
4355 if (pms == NULL) {
4356 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
4357 goto loser;
4358 }
4359
4360 SECKEY_DestroyPrivateKey(privKey);
4361 privKey = NULL;
4362
4363 rv = ssl3_InitPendingCipherSpec(ss, pms);
4364 PK11_FreeSymKey(pms); pms = NULL;
4365
4366 if (rv != SECSuccess) {
4367 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
4368 goto loser;
4369 }
4370
4371 rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange,
4372 pubKey->u.dh.publicValue.len + 2);
4373 if (rv != SECSuccess) {
4374 goto loser; /* err set by ssl3_AppendHandshake* */
4375 }
4376 rv = ssl3_AppendHandshakeVariable(ss,
4377 pubKey->u.dh.publicValue.data,
4378 pubKey->u.dh.publicValue.len, 2);
4379 SECKEY_DestroyPublicKey(pubKey);
4380 pubKey = NULL;
4381
4382 if (rv != SECSuccess) {
4383 goto loser; /* err set by ssl3_AppendHandshake* */
4384 }
4385
4386 rv = SECSuccess;
4387
4388
4389 loser:
4390
4391 if(pms) PK11_FreeSymKey(pms);
4392 if(privKey) SECKEY_DestroyPrivateKey(privKey);
4393 if(pubKey) SECKEY_DestroyPublicKey(pubKey);
4394 return rv;
4395 }
4396
4397
4398
4399
4400
4401 /* Called from ssl3_HandleServerHelloDone(). */
4402 static SECStatus
4403 ssl3_SendClientKeyExchange(sslSocket *ss)
4404 {
4405 SECKEYPublicKey * serverKey = NULL;
4406 SECStatus rv = SECFailure;
4407 PRBool isTLS;
4408
4409 SSL_TRC(3, ("%d: SSL3[%d]: send client_key_exchange handshake",
4410 SSL_GETPID(), ss->fd));
4411
4412 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
4413 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
4414
4415 if (ss->sec.peerKey == NULL) {
4416 serverKey = CERT_ExtractPublicKey(ss->sec.peerCert);
4417 if (serverKey == NULL) {
4418 PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
4419 return SECFailure;
4420 }
4421 } else {
4422 serverKey = ss->sec.peerKey;
4423 ss->sec.peerKey = NULL; /* we're done with it now */
4424 }
4425
4426 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
4427 /* enforce limits on kea key sizes. */
4428 if (ss->ssl3.hs.kea_def->is_limited) {
4429 int keyLen = SECKEY_PublicKeyStrength(serverKey); /* bytes */
4430
4431 if (keyLen * BPB > ss->ssl3.hs.kea_def->key_size_limit) {
4432 if (isTLS)
4433 (void)SSL3_SendAlert(ss, alert_fatal, export_restriction);
4434 else
4435 (void)ssl3_HandshakeFailure(ss);
4436 PORT_SetError(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED);
4437 goto loser;
4438 }
4439 }
4440
4441 ss->sec.keaType = ss->ssl3.hs.kea_def->exchKeyType;
4442 ss->sec.keaKeyBits = SECKEY_PublicKeyStrengthInBits(serverKey);
4443
4444 switch (ss->ssl3.hs.kea_def->exchKeyType) {
4445 case kt_rsa:
4446 rv = sendRSAClientKeyExchange(ss, serverKey);
4447 break;
4448
4449 case kt_dh:
4450 rv = sendDHClientKeyExchange(ss, serverKey);
4451 break;
4452
4453 #ifdef NSS_ENABLE_ECC
4454 case kt_ecdh:
4455 rv = ssl3_SendECDHClientKeyExchange(ss, serverKey);
4456 break;
4457 #endif /* NSS_ENABLE_ECC */
4458
4459 default:
4460 /* got an unknown or unsupported Key Exchange Algorithm. */
4461 SEND_ALERT
4462 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
4463 break;
4464 }
4465
4466 SSL_TRC(3, ("%d: SSL3[%d]: DONE sending client_key_exchange",
4467 SSL_GETPID(), ss->fd));
4468
4469 loser:
4470 if (serverKey)
4471 SECKEY_DestroyPublicKey(serverKey);
4472 return rv; /* err code already set. */
4473 }
4474
4475 /* Called from ssl3_HandleServerHelloDone(). */
4476 static SECStatus
4477 ssl3_SendCertificateVerify(sslSocket *ss)
4478 {
4479 SECStatus rv = SECFailure;
4480 PRBool isTLS;
4481 SECItem buf = {siBuffer, NULL, 0};
4482 SSL3Hashes hashes;
4483
4484 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
4485 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
4486
4487 SSL_TRC(3, ("%d: SSL3[%d]: send certificate_verify handshake",
4488 SSL_GETPID(), ss->fd));
4489
4490 ssl_GetSpecReadLock(ss);
4491 rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0);
4492 ssl_ReleaseSpecReadLock(ss);
4493 if (rv != SECSuccess) {
4494 goto done; /* err code was set by ssl3_ComputeHandshakeHashes */
4495 }
4496
4497 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
4498 rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS);
4499 if (rv == SECSuccess) {
4500 PK11SlotInfo * slot;
4501 sslSessionID * sid = ss->sec.ci.sid;
4502
4503 /* Remember the info about the slot that did the signing.
4504 ** Later, when doing an SSL restart handshake, verify this.
4505 ** These calls are mere accessors, and can't fail.
4506 */
4507 slot = PK11_GetSlotFromPrivateKey(ss->ssl3.clientPrivateKey);
4508 sid->u.ssl3.clAuthSeries = PK11_GetSlotSeries(slot);
4509 sid->u.ssl3.clAuthSlotID = PK11_GetSlotID(slot);
4510 sid->u.ssl3.clAuthModuleID = PK11_GetModuleID(slot);
4511 sid->u.ssl3.clAuthValid = PR_TRUE;
4512 PK11_FreeSlot(slot);
4513 }
4514 /* If we're doing RSA key exchange, we're all done with the private key
4515 * here. Diffie-Hellman key exchanges need the client's
4516 * private key for the key exchange.
4517 */
4518 if (ss->ssl3.hs.kea_def->exchKeyType == kt_rsa) {
4519 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
4520 ss->ssl3.clientPrivateKey = NULL;
4521 }
4522 if (rv != SECSuccess) {
4523 goto done; /* err code was set by ssl3_SignHashes */
4524 }
4525
4526 rv = ssl3_AppendHandshakeHeader(ss, certificate_verify, buf.len + 2);
4527 if (rv != SECSuccess) {
4528 goto done; /* error code set by AppendHandshake */
4529 }
4530 rv = ssl3_AppendHandshakeVariable(ss, buf.data, buf.len, 2);
4531 if (rv != SECSuccess) {
4532 goto done; /* error code set by AppendHandshake */
4533 }
4534
4535 done:
4536 if (buf.data)
4537 PORT_Free(buf.data);
4538 return rv;
4539 }
4540
4541 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
4542 * ssl3 ServerHello message.
4543 * Caller must hold Handshake and RecvBuf locks.
4544 */
4545 static SECStatus
4546 ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
4547 {
4548 sslSessionID *sid = ss->sec.ci.sid;
4549 PRInt32 temp; /* allow for consume number failure */
4550 PRBool suite_found = PR_FALSE;
4551 int i;
4552 int errCode = SSL_ERROR_RX_MALFORMED_SERVER_HELLO;
4553 SECStatus rv;
4554 SECItem sidBytes = {siBuffer, NULL, 0};
4555 PRBool sid_match;
4556 PRBool isTLS = PR_FALSE;
4557 SSL3AlertDescription desc = illegal_parameter;
4558 SSL3ProtocolVersion version;
4559
4560 SSL_TRC(3, ("%d: SSL3[%d]: handle server_hello handshake",
4561 SSL_GETPID(), ss->fd));
4562 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
4563 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
4564
4565 rv = ssl3_InitState(ss);
4566 if (rv != SECSuccess) {
4567 errCode = PORT_GetError(); /* ssl3_InitState has set the error code. */
4568 goto alert_loser;
4569 }
4570 if (ss->ssl3.hs.ws != wait_server_hello) {
4571 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO;
4572 desc = unexpected_message;
4573 goto alert_loser;
4574 }
4575
4576 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
4577 if (temp < 0) {
4578 goto loser; /* alert has been sent */
4579 }
4580 version = (SSL3ProtocolVersion)temp;
4581
4582 /* this is appropriate since the negotiation is complete, and we only
4583 ** know SSL 3.x.
4584 */
4585 if (MSB(version) != MSB(SSL_LIBRARY_VERSION_3_0)) {
4586 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version
4587 : handshake_failure;
4588 goto alert_loser;
4589 }
4590
4591 rv = ssl3_NegotiateVersion(ss, version);
4592 if (rv != SECSuccess) {
4593 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version
4594 : handshake_failure;
4595 errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
4596 goto alert_loser;
4597 }
4598 isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0);
4599
4600 rv = ssl3_ConsumeHandshake(
4601 ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH, &b, &length);
4602 if (rv != SECSuccess) {
4603 goto loser; /* alert has been sent */
4604 }
4605
4606 rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length);
4607 if (rv != SECSuccess) {
4608 goto loser; /* alert has been sent */
4609 }
4610 if (sidBytes.len > SSL3_SESSIONID_BYTES) {
4611 if (isTLS)
4612 desc = decode_error;
4613 goto alert_loser; /* malformed. */
4614 }
4615
4616 /* find selected cipher suite in our list. */
4617 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
4618 if (temp < 0) {
4619 goto loser; /* alert has been sent */
4620 }
4621 ssl3_config_match_init(ss);
4622 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
4623 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
4624 if ((temp == suite->cipher_suite) &&
4625 (config_match(suite, ss->ssl3.policy, PR_TRUE))) {
4626 suite_found = PR_TRUE;
4627 break; /* success */
4628 }
4629 }
4630 if (!suite_found) {
4631 desc = handshake_failure;
4632 errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
4633 goto alert_loser;
4634 }
4635 ss->ssl3.hs.cipher_suite = (ssl3CipherSuite)temp;
4636 ss->ssl3.hs.suite_def = ssl_LookupCipherSuiteDef((ssl3CipherSuite)temp);
4637 PORT_Assert(ss->ssl3.hs.suite_def);
4638 if (!ss->ssl3.hs.suite_def) {
4639 PORT_SetError(errCode = SEC_ERROR_LIBRARY_FAILURE);
4640 goto loser; /* we don't send alerts for our screw-ups. */
4641 }
4642
4643 /* find selected compression method in our list. */
4644 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &b, &length);
4645 if (temp < 0) {
4646 goto loser; /* alert has been sent */
4647 }
4648 suite_found = PR_FALSE;
4649 for (i = 0; i < compressionMethodsCount; i++) {
4650 if (temp == compressions[i]) {
4651 suite_found = PR_TRUE;
4652 break; /* success */
4653 }
4654 }
4655 if (!suite_found) {
4656 desc = handshake_failure;
4657 errCode = SSL_ERROR_NO_COMPRESSION_OVERLAP;
4658 goto alert_loser;
4659 }
4660 ss->ssl3.hs.compression = (SSL3CompressionMethod)temp;
4661
4662 /* Note that if !isTLS && length != 0, we do NOT goto alert_loser.
4663 * There are some old SSL 3.0 implementations that do send stuff
4664 * after the end of the server hello, and we deliberately ignore
4665 * such stuff in the interest of maximal interoperability (being
4666 * "generous in what you accept").
4667 */
4668 if (isTLS && length != 0) {
4669 SECItem extensions;
4670 rv = ssl3_ConsumeHandshakeVariable(ss, &extensions, 2, &b, &length);
4671 if (rv != SECSuccess || length != 0)
4672 goto alert_loser;
4673 rv = ssl3_HandleHelloExtensions(ss, &extensions.data, &extensions.len);
4674 if (rv != SECSuccess)
4675 goto alert_loser;
4676 }
4677
4678 /* Any errors after this point are not "malformed" errors. */
4679 desc = handshake_failure;
4680
4681 /* we need to call ssl3_SetupPendingCipherSpec here so we can check the
4682 * key exchange algorithm. */
4683 rv = ssl3_SetupPendingCipherSpec(ss);
4684 if (rv != SECSuccess) {
4685 goto alert_loser; /* error code is set. */
4686 }
4687
4688 /* We may or may not have sent a session id, we may get one back or
4689 * not and if so it may match the one we sent.
4690 * Attempt to restore the master secret to see if this is so...
4691 * Don't consider failure to find a matching SID an error.
4692 */
4693 sid_match = (PRBool)(sidBytes.len > 0 &&
4694 sidBytes.len == sid->u.ssl3.sessionIDLength &&
4695 !PORT_Memcmp(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len));
4696
4697 if (sid_match &&
4698 sid->version == ss->version &&
4699 sid->u.ssl3.cipherSuite == ss->ssl3.hs.cipher_suite) do {
4700 ssl3CipherSpec *pwSpec = ss->ssl3.pwSpec;
4701
4702 SECItem wrappedMS; /* wrapped master secret. */
4703
4704 ss->sec.authAlgorithm = sid->authAlgorithm;
4705 ss->sec.authKeyBits = sid->authKeyBits;
4706 ss->sec.keaType = sid->keaType;
4707 ss->sec.keaKeyBits = sid->keaKeyBits;
4708
4709 /* 3 cases here:
4710 * a) key is wrapped (implies using PKCS11)
4711 * b) key is unwrapped, but we're still using PKCS11
4712 * c) key is unwrapped, and we're bypassing PKCS11.
4713 */
4714 if (sid->u.ssl3.keys.msIsWrapped) {
4715 PK11SlotInfo *slot;
4716 PK11SymKey * wrapKey; /* wrapping key */
4717 CK_FLAGS keyFlags = 0;
4718
4719 if (ss->opt.bypassPKCS11) {
4720 /* we cannot restart a non-bypass session in a
4721 ** bypass socket.
4722 */
4723 break;
4724 }
4725 /* unwrap master secret with PKCS11 */
4726 slot = SECMOD_LookupSlot(sid->u.ssl3.masterModuleID,
4727 sid->u.ssl3.masterSlotID);
4728 if (slot == NULL) {
4729 break; /* not considered an error. */
4730 }
4731 if (!PK11_IsPresent(slot)) {
4732 PK11_FreeSlot(slot);
4733 break; /* not considered an error. */
4734 }
4735 wrapKey = PK11_GetWrapKey(slot, sid->u.ssl3.masterWrapIndex,
4736 sid->u.ssl3.masterWrapMech,
4737 sid->u.ssl3.masterWrapSeries,
4738 ss->pkcs11PinArg);
4739 PK11_FreeSlot(slot);
4740 if (wrapKey == NULL) {
4741 break; /* not considered an error. */
4742 }
4743
4744 if (ss->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */
4745 keyFlags = CKF_SIGN | CKF_VERIFY;
4746 }
4747
4748 wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
4749 wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len;
4750 pwSpec->master_secret =
4751 PK11_UnwrapSymKeyWithFlags(wrapKey, sid->u.ssl3.masterWrapMech,
4752 NULL, &wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE,
4753 CKA_DERIVE, sizeof(SSL3MasterSecret), keyFlags);
4754 errCode = PORT_GetError();
4755 PK11_FreeSymKey(wrapKey);
4756 if (pwSpec->master_secret == NULL) {
4757 break; /* errorCode set just after call to UnwrapSymKey. */
4758 }
4759 } else if (ss->opt.bypassPKCS11) {
4760 /* MS is not wrapped */
4761 wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
4762 wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len;
4763 memcpy(pwSpec->raw_master_secret, wrappedMS.data, wrappedMS.len);
4764 pwSpec->msItem.data = pwSpec->raw_master_secret;
4765 pwSpec->msItem.len = wrappedMS.len;
4766 } else {
4767 /* We CAN restart a bypass session in a non-bypass socket. */
4768 /* need to import the raw master secret to session object */
4769 PK11SlotInfo *slot = PK11_GetInternalSlot();
4770 wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
4771 wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len;
4772 pwSpec->master_secret =
4773 PK11_ImportSymKey(slot, CKM_SSL3_MASTER_KEY_DERIVE,
4774 PK11_OriginUnwrap, CKA_ENCRYPT,
4775 &wrappedMS, NULL);
4776 PK11_FreeSlot(slot);
4777 if (pwSpec->master_secret == NULL) {
4778 break;
4779 }
4780 }
4781
4782 /* Got a Match */
4783 SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_hits );
4784
4785 /* If we sent a session ticket, then this is a stateless resume. */
4786 if (sid->version > SSL_LIBRARY_VERSION_3_0 &&
4787 sid->u.ssl3.sessionTicket.ticket.data != NULL)
4788 SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_stateless_resumes );
4789
4790 if (ssl3_ExtensionNegotiated(ss, session_ticket_xtn))
4791 ss->ssl3.hs.ws = wait_new_session_ticket;
4792 else
4793 ss->ssl3.hs.ws = wait_change_cipher;
4794
4795 ss->ssl3.hs.isResuming = PR_TRUE;
4796
4797 /* copy the peer cert from the SID */
4798 if (sid->peerCert != NULL) {
4799 ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
4800 }
4801
4802
4803 /* NULL value for PMS signifies re-use of the old MS */
4804 rv = ssl3_InitPendingCipherSpec(ss, NULL);
4805 if (rv != SECSuccess) {
4806 goto alert_loser; /* err code was set */
4807 }
4808 return SECSuccess;
4809 } while (0);
4810
4811 if (sid_match)
4812 SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_not_ok );
4813 else
4814 SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_misses );
4815
4816 /* throw the old one away */
4817 sid->u.ssl3.keys.resumable = PR_FALSE;
4818 (*ss->sec.uncache)(sid);
4819 ssl_FreeSID(sid);
4820
4821 /* get a new sid */
4822 ss->sec.ci.sid = sid = ssl3_NewSessionID(ss, PR_FALSE);
4823 if (sid == NULL) {
4824 goto alert_loser; /* memory error is set. */
4825 }
4826
4827 sid->version = ss->version;
4828 sid->u.ssl3.sessionIDLength = sidBytes.len;
4829 PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len);
4830
4831 ss->ssl3.hs.isResuming = PR_FALSE;
4832 ss->ssl3.hs.ws = wait_server_cert;
4833 return SECSuccess;
4834
4835 alert_loser:
4836 (void)SSL3_SendAlert(ss, alert_fatal, desc);
4837
4838 loser:
4839 errCode = ssl_MapLowLevelError(errCode);
4840 return SECFailure;
4841 }
4842
4843 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
4844 * ssl3 ServerKeyExchange message.
4845 * Caller must hold Handshake and RecvBuf locks.
4846 */
4847 static SECStatus
4848 ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
4849 {
4850 PRArenaPool * arena = NULL;
4851 SECKEYPublicKey *peerKey = NULL;
4852 PRBool isTLS;
4853 SECStatus rv;
4854 int errCode = SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH;
4855 SSL3AlertDescription desc = illegal_parameter;
4856 SSL3Hashes hashes;
4857 SECItem signature = {siBuffer, NULL, 0};
4858
4859 SSL_TRC(3, ("%d: SSL3[%d]: handle server_key_exchange handshake",
4860 SSL_GETPID(), ss->fd));
4861 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
4862 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
4863
4864 if (ss->ssl3.hs.ws != wait_server_key &&
4865 ss->ssl3.hs.ws != wait_server_cert) {
4866 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH;
4867 desc = unexpected_message;
4868 goto alert_loser;
4869 }
4870 if (ss->sec.peerCert == NULL) {
4871 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH;
4872 desc = unexpected_message;
4873 goto alert_loser;
4874 }
4875
4876 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
4877
4878 switch (ss->ssl3.hs.kea_def->exchKeyType) {
4879
4880 case kt_rsa: {
4881 SECItem modulus = {siBuffer, NULL, 0};
4882 SECItem exponent = {siBuffer, NULL, 0};
4883
4884 rv = ssl3_ConsumeHandshakeVariable(ss, &modulus, 2, &b, &length);
4885 if (rv != SECSuccess) {
4886 goto loser; /* malformed. */
4887 }
4888 rv = ssl3_ConsumeHandshakeVariable(ss, &exponent, 2, &b, &length);
4889 if (rv != SECSuccess) {
4890 goto loser; /* malformed. */
4891 }
4892 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length);
4893 if (rv != SECSuccess) {
4894 goto loser; /* malformed. */
4895 }
4896 if (length != 0) {
4897 if (isTLS)
4898 desc = decode_error;
4899 goto alert_loser; /* malformed. */
4900 }
4901
4902 /* failures after this point are not malformed handshakes. */
4903 /* TLS: send decrypt_error if signature failed. */
4904 desc = isTLS ? decrypt_error : handshake_failure;
4905
4906 /*
4907 * check to make sure the hash is signed by right guy
4908 */
4909 rv = ssl3_ComputeExportRSAKeyHash(modulus, exponent,
4910 &ss->ssl3.hs.client_random,
4911 &ss->ssl3.hs.server_random,
4912 &hashes, ss->opt.bypassPKCS11);
4913 if (rv != SECSuccess) {
4914 errCode =
4915 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
4916 goto alert_loser;
4917 }
4918 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature,
4919 isTLS, ss->pkcs11PinArg);
4920 if (rv != SECSuccess) {
4921 errCode =
4922 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
4923 goto alert_loser;
4924 }
4925
4926 /*
4927 * we really need to build a new key here because we can no longer
4928 * ignore calling SECKEY_DestroyPublicKey. Using the key may allocate
4929 * pkcs11 slots and ID's.
4930 */
4931 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
4932 if (arena == NULL) {
4933 goto no_memory;
4934 }
4935
4936 peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey);
4937 if (peerKey == NULL) {
4938 PORT_FreeArena(arena, PR_FALSE);
4939 goto no_memory;
4940 }
4941
4942 peerKey->arena = arena;
4943 peerKey->keyType = rsaKey;
4944 peerKey->pkcs11Slot = NULL;
4945 peerKey->pkcs11ID = CK_INVALID_HANDLE;
4946 if (SECITEM_CopyItem(arena, &peerKey->u.rsa.modulus, &modulus) ||
4947 SECITEM_CopyItem(arena, &peerKey->u.rsa.publicExponent, &exponent))
4948 {
4949 PORT_FreeArena(arena, PR_FALSE);
4950 goto no_memory;
4951 }
4952 ss->sec.peerKey = peerKey;
4953 ss->ssl3.hs.ws = wait_cert_request;
4954 return SECSuccess;
4955 }
4956
4957 case kt_dh: {
4958 SECItem dh_p = {siBuffer, NULL, 0};
4959 SECItem dh_g = {siBuffer, NULL, 0};
4960 SECItem dh_Ys = {siBuffer, NULL, 0};
4961
4962 rv = ssl3_ConsumeHandshakeVariable(ss, &dh_p, 2, &b, &length);
4963 if (rv != SECSuccess) {
4964 goto loser; /* malformed. */
4965 }
4966 rv = ssl3_ConsumeHandshakeVariable(ss, &dh_g, 2, &b, &length);
4967 if (rv != SECSuccess) {
4968 goto loser; /* malformed. */
4969 }
4970 rv = ssl3_ConsumeHandshakeVariable(ss, &dh_Ys, 2, &b, &length);
4971 if (rv != SECSuccess) {
4972 goto loser; /* malformed. */
4973 }
4974 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length);
4975 if (rv != SECSuccess) {
4976 goto loser; /* malformed. */
4977 }
4978 if (length != 0) {
4979 if (isTLS)
4980 desc = decode_error;
4981 goto alert_loser; /* malformed. */
4982 }
4983
4984 PRINT_BUF(60, (NULL, "Server DH p", dh_p.data, dh_p.len));
4985 PRINT_BUF(60, (NULL, "Server DH g", dh_g.data, dh_g.len));
4986 PRINT_BUF(60, (NULL, "Server DH Ys", dh_Ys.data, dh_Ys.len));
4987
4988 /* failures after this point are not malformed handshakes. */
4989 /* TLS: send decrypt_error if signature failed. */
4990 desc = isTLS ? decrypt_error : handshake_failure;
4991
4992 /*
4993 * check to make sure the hash is signed by right guy
4994 */
4995 rv = ssl3_ComputeDHKeyHash(dh_p, dh_g, dh_Ys,
4996 &ss->ssl3.hs.client_random,
4997 &ss->ssl3.hs.server_random,
4998 &hashes, ss->opt.bypassPKCS11);
4999 if (rv != SECSuccess) {
5000 errCode =
5001 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
5002 goto alert_loser;
5003 }
5004 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature,
5005 isTLS, ss->pkcs11PinArg);
5006 if (rv != SECSuccess) {
5007 errCode =
5008 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
5009 goto alert_loser;
5010 }
5011
5012 /*
5013 * we really need to build a new key here because we can no longer
5014 * ignore calling SECKEY_DestroyPublicKey. Using the key may allocate
5015 * pkcs11 slots and ID's.
5016 */
5017 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
5018 if (arena == NULL) {
5019 goto no_memory;
5020 }
5021
5022 ss->sec.peerKey = peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey);
5023 if (peerKey == NULL) {
5024 goto no_memory;
5025 }
5026
5027 peerKey->arena = arena;
5028 peerKey->keyType = dhKey;
5029 peerKey->pkcs11Slot = NULL;
5030 peerKey->pkcs11ID = CK_INVALID_HANDLE;
5031
5032 if (SECITEM_CopyItem(arena, &peerKey->u.dh.prime, &dh_p) ||
5033 SECITEM_CopyItem(arena, &peerKey->u.dh.base, &dh_g) ||
5034 SECITEM_CopyItem(arena, &peerKey->u.dh.publicValue, &dh_Ys))
5035 {
5036 PORT_FreeArena(arena, PR_FALSE);
5037 goto no_memory;
5038 }
5039 ss->sec.peerKey = peerKey;
5040 ss->ssl3.hs.ws = wait_cert_request;
5041 return SECSuccess;
5042 }
5043
5044 #ifdef NSS_ENABLE_ECC
5045 case kt_ecdh:
5046 rv = ssl3_HandleECDHServerKeyExchange(ss, b, length);
5047 return rv;
5048 #endif /* NSS_ENABLE_ECC */
5049
5050 default:
5051 desc = handshake_failure;
5052 errCode = SEC_ERROR_UNSUPPORTED_KEYALG;
5053 break; /* goto alert_loser; */
5054 }
5055
5056 alert_loser:
5057 (void)SSL3_SendAlert(ss, alert_fatal, desc);
5058 loser:
5059 PORT_SetError( errCode );
5060 return SECFailure;
5061
5062 no_memory: /* no-memory error has already been set. */
5063 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
5064 return SECFailure;
5065 }
5066
5067
5068 typedef struct dnameNode {
5069 struct dnameNode *next;
5070 SECItem name;
5071 } dnameNode;
5072
5073 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
5074 * ssl3 Certificate Request message.
5075 * Caller must hold Handshake and RecvBuf locks.
5076 */
5077 static SECStatus
5078 ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
5079 {
5080 PRArenaPool * arena = NULL;
5081 dnameNode * node;
5082 PRInt32 remaining;
5083 PRBool isTLS = PR_FALSE;
5084 int i;
5085 int errCode = SSL_ERROR_RX_MALFORMED_CERT_REQUEST;
5086 int nnames = 0;
5087 SECStatus rv;
5088 SSL3AlertDescription desc = illegal_parameter;
5089 SECItem cert_types = {siBuffer, NULL, 0};
5090 CERTDistNames ca_list;
5091
5092 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake",
5093 SSL_GETPID(), ss->fd));
5094 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
5095 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
5096
5097 if (ss->ssl3.hs.ws != wait_cert_request &&
5098 ss->ssl3.hs.ws != wait_server_key) {
5099 desc = unexpected_message;
5100 errCode = SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST;
5101 goto alert_loser;
5102 }
5103
5104 /* clean up anything left from previous handshake. */
5105 if (ss->ssl3.clientCertChain != NULL) {
5106 CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
5107 ss->ssl3.clientCertChain = NULL;
5108 }
5109 if (ss->ssl3.clientCertificate != NULL) {
5110 CERT_DestroyCertificate(ss->ssl3.clientCertificate);
5111 ss->ssl3.clientCertificate = NULL;
5112 }
5113 if (ss->ssl3.clientPrivateKey != NULL) {
5114 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
5115 ss->ssl3.clientPrivateKey = NULL;
5116 }
5117
5118 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
5119 rv = ssl3_ConsumeHandshakeVariable(ss, &cert_types, 1, &b, &length);
5120 if (rv != SECSuccess)
5121 goto loser; /* malformed, alert has been sent */
5122
5123 arena = ca_list.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
5124 if (arena == NULL)
5125 goto no_mem;
5126
5127 remaining = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
5128 if (remaining < 0)
5129 goto loser; /* malformed, alert has been sent */
5130
5131 if ((PRUint32)remaining > length)
5132 goto alert_loser;
5133
5134 ca_list.head = node = PORT_ArenaZNew(arena, dnameNode);
5135 if (node == NULL)
5136 goto no_mem;
5137
5138 while (remaining > 0) {
5139 PRInt32 len;
5140
5141 if (remaining < 2)
5142 goto alert_loser; /* malformed */
5143
5144 node->name.len = len = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
5145 if (len <= 0)
5146 goto loser; /* malformed, alert has been sent */
5147
5148 remaining -= 2;
5149 if (remaining < len)
5150 goto alert_loser; /* malformed */
5151
5152 node->name.data = b;
5153 b += len;
5154 length -= len;
5155 remaining -= len;
5156 nnames++;
5157 if (remaining <= 0)
5158 break; /* success */
5159
5160 node->next = PORT_ArenaZNew(arena, dnameNode);
5161 node = node->next;
5162 if (node == NULL)
5163 goto no_mem;
5164 }
5165
5166 ca_list.nnames = nnames;
5167 ca_list.names = PORT_ArenaNewArray(arena, SECItem, nnames);
5168 if (nnames > 0 && ca_list.names == NULL)
5169 goto no_mem;
5170
5171 for(i = 0, node = (dnameNode*)ca_list.head;
5172 i < nnames;
5173 i++, node = node->next) {
5174 ca_list.names[i] = node->name;
5175 }
5176
5177 if (length != 0)
5178 goto alert_loser; /* malformed */
5179
5180 desc = no_certificate;
5181 ss->ssl3.hs.ws = wait_hello_done;
5182
5183 if (ss->getClientAuthData == NULL) {
5184 rv = SECFailure; /* force it to send a no_certificate alert */
5185 } else {
5186 /* XXX Should pass cert_types in this call!! */
5187 rv = (SECStatus)(*ss->getClientAuthData)(ss->getClientAuthDataArg,
5188 ss->fd, &ca_list,
5189 &ss->ssl3.clientCertificate,
5190 &ss->ssl3.clientPrivateKey);
5191 }
5192 switch (rv) {
5193 case SECWouldBlock: /* getClientAuthData has put up a dialog box. */
5194 ssl_SetAlwaysBlock(ss);
5195 break; /* not an error */
5196
5197 case SECSuccess:
5198 /* check what the callback function returned */
5199 if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) {
5200 /* we are missing either the key or cert */
5201 if (ss->ssl3.clientCertificate) {
5202 /* got a cert, but no key - free it */
5203 CERT_DestroyCertificate(ss->ssl3.clientCertificate);
5204 ss->ssl3.clientCertificate = NULL;
5205 }
5206 if (ss->ssl3.clientPrivateKey) {
5207 /* got a key, but no cert - free it */
5208 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
5209 ss->ssl3.clientPrivateKey = NULL;
5210 }
5211 goto send_no_certificate;
5212 }
5213 /* Setting ssl3.clientCertChain non-NULL will cause
5214 * ssl3_HandleServerHelloDone to call SendCertificate.
5215 */
5216 ss->ssl3.clientCertChain = CERT_CertChainFromCert(
5217 ss->ssl3.clientCertificate,
5218 certUsageSSLClient, PR_FALSE);
5219 if (ss->ssl3.clientCertChain == NULL) {
5220 if (ss->ssl3.clientCertificate != NULL) {
5221 CERT_DestroyCertificate(ss->ssl3.clientCertificate);
5222 ss->ssl3.clientCertificate = NULL;
5223 }
5224 if (ss->ssl3.clientPrivateKey != NULL) {
5225 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
5226 ss->ssl3.clientPrivateKey = NULL;
5227 }
5228 goto send_no_certificate;
5229 }
5230 break; /* not an error */
5231
5232 case SECFailure:
5233 default:
5234 send_no_certificate:
5235 if (isTLS) {
5236 ss->ssl3.sendEmptyCert = PR_TRUE;
5237 } else {
5238 (void)SSL3_SendAlert(ss, alert_warning, no_certificate);
5239 }
5240 rv = SECSuccess;
5241 break;
5242 }
5243 goto done;
5244
5245 no_mem:
5246 rv = SECFailure;
5247 PORT_SetError(SEC_ERROR_NO_MEMORY);
5248 goto done;
5249
5250 alert_loser:
5251 if (isTLS && desc == illegal_parameter)
5252 desc = decode_error;
5253 (void)SSL3_SendAlert(ss, alert_fatal, desc);
5254 loser:
5255 PORT_SetError(errCode);
5256 rv = SECFailure;
5257 done:
5258 if (arena != NULL)
5259 PORT_FreeArena(arena, PR_FALSE);
5260 return rv;
5261 }
5262
5263 /*
5264 * attempt to restart the handshake after asynchronously handling
5265 * a request for the client's certificate.
5266 *
5267 * inputs:
5268 * cert Client cert chosen by application.
5269 * Note: ssl takes this reference, and does not bump the
5270 * reference count. The caller should drop its reference
5271 * without calling CERT_DestroyCert after calling this function.
5272 *
5273 * key Private key associated with cert. This function makes a
5274 * copy of the private key, so the caller remains responsible
5275 * for destroying its copy after this function returns.
5276 *
5277 * certChain DER-encoded certs, client cert and its signers.
5278 * Note: ssl takes this reference, and does not copy the chain.
5279 * The caller should drop its reference without destroying the
5280 * chain. SSL will free the chain when it is done with it.
5281 *
5282 * Return value: XXX
5283 *
5284 * XXX This code only works on the initial handshake on a connection, XXX
5285 * It does not work on a subsequent handshake (redo).
5286 *
5287 * Caller holds 1stHandshakeLock.
5288 */
5289 SECStatus
5290 ssl3_RestartHandshakeAfterCertReq(sslSocket * ss,
5291 CERTCertificate * cert,
5292 SECKEYPrivateKey * key,
5293 CERTCertificateList *certChain)
5294 {
5295 SECStatus rv = SECSuccess;
5296
5297 if (MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_3_0)) {
5298 /* XXX This code only works on the initial handshake on a connection,
5299 ** XXX It does not work on a subsequent handshake (redo).
5300 */
5301 if (ss->handshake != 0) {
5302 ss->handshake = ssl_GatherRecord1stHandshake;
5303 ss->ssl3.clientCertificate = cert;
5304 ss->ssl3.clientCertChain = certChain;
5305 if (key == NULL) {
5306 (void)SSL3_SendAlert(ss, alert_warning, no_certificate);
5307 ss->ssl3.clientPrivateKey = NULL;
5308 } else {
5309 ss->ssl3.clientPrivateKey = SECKEY_CopyPrivateKey(key);
5310 }
5311 ssl_GetRecvBufLock(ss);
5312 if (ss->ssl3.hs.msgState.buf != NULL) {
5313 rv = ssl3_HandleRecord(ss, NULL, &ss->gs.buf);
5314 }
5315 ssl_ReleaseRecvBufLock(ss);
5316 }
5317 }
5318 return rv;
5319 }
5320
5321
5322
5323 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
5324 * ssl3 Server Hello Done message.
5325 * Caller must hold Handshake and RecvBuf locks.
5326 */
5327 static SECStatus
5328 ssl3_HandleServerHelloDone(sslSocket *ss)
5329 {
5330 SECStatus rv;
5331 SSL3WaitState ws = ss->ssl3.hs.ws;
5332 PRBool send_verify = PR_FALSE;
5333
5334 SSL_TRC(3, ("%d: SSL3[%d]: handle server_hello_done handshake",
5335 SSL_GETPID(), ss->fd));
5336 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
5337 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
5338
5339 if (ws != wait_hello_done &&
5340 ws != wait_server_cert &&
5341 ws != wait_server_key &&
5342 ws != wait_cert_request) {
5343 SSL3_SendAlert(ss, alert_fatal, unexpected_message);
5344 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
5345 return SECFailure;
5346 }
5347
5348 ssl_GetXmitBufLock(ss); /*******************************/
5349
5350 if (ss->ssl3.sendEmptyCert) {
5351 ss->ssl3.sendEmptyCert = PR_FALSE;
5352 rv = ssl3_SendEmptyCertificate(ss);
5353 /* Don't send verify */
5354 if (rv != SECSuccess) {
5355 goto loser; /* error code is set. */
5356 }
5357 } else
5358 if (ss->ssl3.clientCertChain != NULL &&
5359 ss->ssl3.clientPrivateKey != NULL) {
5360 send_verify = PR_TRUE;
5361 rv = ssl3_SendCertificate(ss);
5362 if (rv != SECSuccess) {
5363 goto loser; /* error code is set. */
5364 }
5365 }
5366
5367 rv = ssl3_SendClientKeyExchange(ss);
5368 if (rv != SECSuccess) {
5369 goto loser; /* err is set. */
5370 }
5371
5372 if (send_verify) {
5373 rv = ssl3_SendCertificateVerify(ss);
5374 if (rv != SECSuccess) {
5375 goto loser; /* err is set. */
5376 }
5377 }
5378 rv = ssl3_SendChangeCipherSpecs(ss);
5379 if (rv != SECSuccess) {
5380 goto loser; /* err code was set. */
5381 }
5382 rv = ssl3_SendFinished(ss, 0);
5383 if (rv != SECSuccess) {
5384 goto loser; /* err code was set. */
5385 }
5386
5387 ssl_ReleaseXmitBufLock(ss); /*******************************/
5388
5389 if (ssl3_ExtensionNegotiated(ss, session_ticket_xtn))
5390 ss->ssl3.hs.ws = wait_new_session_ticket;
5391 else
5392 ss->ssl3.hs.ws = wait_change_cipher;
5393 return SECSuccess;
5394
5395 loser:
5396 ssl_ReleaseXmitBufLock(ss);
5397 return rv;
5398 }
5399
5400 /*
5401 * Routines used by servers
5402 */
5403 static SECStatus
5404 ssl3_SendHelloRequest(sslSocket *ss)
5405 {
5406 SECStatus rv;
5407
5408 SSL_TRC(3, ("%d: SSL3[%d]: send hello_request handshake", SSL_GETPID(),
5409 ss->fd));
5410
5411 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
5412 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
5413
5414 rv = ssl3_AppendHandshakeHeader(ss, hello_request, 0);
5415 if (rv != SECSuccess) {
5416 return rv; /* err set by AppendHandshake */
5417 }
5418 rv = ssl3_FlushHandshake(ss, 0);
5419 if (rv != SECSuccess) {
5420 return rv; /* error code set by ssl3_FlushHandshake */
5421 }
5422 ss->ssl3.hs.ws = wait_client_hello;
5423 return SECSuccess;
5424 }
5425
5426 /* Sets memory error when returning NULL.
5427 * Called from:
5428 * ssl3_SendClientHello()
5429 * ssl3_HandleServerHello()
5430 * ssl3_HandleClientHello()
5431 * ssl3_HandleV2ClientHello()
5432 */
5433 sslSessionID *
5434 ssl3_NewSessionID(sslSocket *ss, PRBool is_server)
5435 {
5436 sslSessionID *sid;
5437
5438 sid = PORT_ZNew(sslSessionID);
5439 if (sid == NULL)
5440 return sid;
5441
5442 sid->peerID = (ss->peerID == NULL) ? NULL : PORT_Strdup(ss->peerID);
5443 sid->urlSvrName = (ss->url == NULL) ? NULL : PORT_Strdup(ss->url);
5444 sid->addr = ss->sec.ci.peer;
5445 sid->port = ss->sec.ci.port;
5446 sid->references = 1;
5447 sid->cached = never_cached;
5448 sid->version = ss->version;
5449
5450 sid->u.ssl3.keys.resumable = PR_TRUE;
5451 sid->u.ssl3.policy = SSL_ALLOWED;
5452 sid->u.ssl3.clientWriteKey = NULL;
5453 sid->u.ssl3.serverWriteKey = NULL;
5454
5455 if (is_server) {
5456 SECStatus rv;
5457 int pid = SSL_GETPID();
5458
5459 sid->u.ssl3.sessionIDLength = SSL3_SESSIONID_BYTES;
5460 sid->u.ssl3.sessionID[0] = (pid >> 8) & 0xff;
5461 sid->u.ssl3.sessionID[1] = pid & 0xff;
5462 rv = PK11_GenerateRandom(sid->u.ssl3.sessionID + 2,
5463 SSL3_SESSIONID_BYTES -2);
5464 if (rv != SECSuccess) {
5465 ssl_FreeSID(sid);
5466 ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
5467 return NULL;
5468 }
5469 }
5470 return sid;
5471 }
5472
5473 /* Called from: ssl3_HandleClientHello, ssl3_HandleV2ClientHello */
5474 static SECStatus
5475 ssl3_SendServerHelloSequence(sslSocket *ss)
5476 {
5477 const ssl3KEADef *kea_def;
5478 SECStatus rv;
5479
5480 SSL_TRC(3, ("%d: SSL3[%d]: begin send server_hello sequence",
5481 SSL_GETPID(), ss->fd));
5482
5483 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
5484 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
5485
5486 rv = ssl3_SendServerHello(ss);
5487 if (rv != SECSuccess) {
5488 return rv; /* err code is set. */
5489 }
5490 rv = ssl3_SendCertificate(ss);
5491 if (rv != SECSuccess) {
5492 return rv; /* error code is set. */
5493 }
5494 /* We have to do this after the call to ssl3_SendServerHello,
5495 * because kea_def is set up by ssl3_SendServerHello().
5496 */
5497 kea_def = ss->ssl3.hs.kea_def;
5498 ss->ssl3.hs.usedStepDownKey = PR_FALSE;
5499
5500 if (kea_def->is_limited && kea_def->exchKeyType == kt_rsa) {
5501 /* see if we can legally use the key in the cert. */
5502 int keyLen; /* bytes */
5503
5504 keyLen = PK11_GetPrivateModulusLen(
5505 ss->serverCerts[kea_def->exchKeyType].SERVERKEY);
5506
5507 if (keyLen > 0 &&
5508 keyLen * BPB <= kea_def->key_size_limit ) {
5509 /* XXX AND cert is not signing only!! */
5510 /* just fall through and use it. */
5511 } else if (ss->stepDownKeyPair != NULL) {
5512 ss->ssl3.hs.usedStepDownKey = PR_TRUE;
5513 rv = ssl3_SendServerKeyExchange(ss);
5514 if (rv != SECSuccess) {
5515 return rv; /* err code was set. */
5516 }
5517 } else {
5518 #ifndef HACKED_EXPORT_SERVER
5519 PORT_SetError(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED);
5520 return rv;
5521 #endif
5522 }
5523 #ifdef NSS_ENABLE_ECC
5524 } else if ((kea_def->kea == kea_ecdhe_rsa) ||
5525 (kea_def->kea == kea_ecdhe_ecdsa)) {
5526 rv = ssl3_SendServerKeyExchange(ss);
5527 if (rv != SECSuccess) {
5528 return rv; /* err code was set. */
5529 }
5530 #endif /* NSS_ENABLE_ECC */
5531 }
5532
5533 if (ss->opt.requestCertificate) {
5534 rv = ssl3_SendCertificateRequest(ss);
5535 if (rv != SECSuccess) {
5536 return rv; /* err code is set. */
5537 }
5538 }
5539 rv = ssl3_SendServerHelloDone(ss);
5540 if (rv != SECSuccess) {
5541 return rv; /* err code is set. */
5542 }
5543
5544 ss->ssl3.hs.ws = (ss->opt.requestCertificate) ? wait_client_cert
5545 : wait_client_key;
5546 return SECSuccess;
5547 }
5548
5549 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
5550 * ssl3 Client Hello message.
5551 * Caller must hold Handshake and RecvBuf locks.
5552 */
5553 static SECStatus
5554 ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
5555 {
5556 sslSessionID * sid = NULL;
5557 PRInt32 tmp;
5558 unsigned int i;
5559 int j;
5560 SECStatus rv;
5561 int errCode = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO;
5562 SSL3AlertDescription desc = illegal_parameter;
5563 SSL3ProtocolVersion version;
5564 SECItem sidBytes = {siBuffer, NULL, 0};
5565 SECItem suites = {siBuffer, NULL, 0};
5566 SECItem comps = {siBuffer, NULL, 0};
5567 PRBool haveSpecWriteLock = PR_FALSE;
5568 PRBool haveXmitBufLock = PR_FALSE;
5569
5570 SSL_TRC(3, ("%d: SSL3[%d]: handle client_hello handshake",
5571 SSL_GETPID(), ss->fd));
5572
5573 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
5574 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
5575
5576 /* Get peer name of client */
5577 rv = ssl_GetPeerInfo(ss);
5578 if (rv != SECSuccess) {
5579 return rv; /* error code is set. */
5580 }
5581
5582 /* We might be starting session renegotiation in which case we should
5583 * clear previous state.
5584 */
5585 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
5586 ss->statelessResume = PR_FALSE;
5587
5588 rv = ssl3_InitState(ss);
5589 if (rv != SECSuccess) {
5590 return rv; /* ssl3_InitState has set the error code. */
5591 }
5592
5593 if ((ss->ssl3.hs.ws != wait_client_hello) &&
5594 (ss->ssl3.hs.ws != idle_handshake)) {
5595 desc = unexpected_message;
5596 errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO;
5597 goto alert_loser;
5598 }
5599
5600 tmp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
5601 if (tmp < 0)
5602 goto loser; /* malformed, alert already sent */
5603 ss->clientHelloVersion = version = (SSL3ProtocolVersion)tmp;
5604 rv = ssl3_NegotiateVersion(ss, version);
5605 if (rv != SECSuccess) {
5606 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version : handshake_failure;
5607 errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
5608 goto alert_loser;
5609 }
5610
5611 /* grab the client random data. */
5612 rv = ssl3_ConsumeHandshake(
5613 ss, &ss->ssl3.hs.client_random, SSL3_RANDOM_LENGTH, &b, &length);
5614 if (rv != SECSuccess) {
5615 goto loser; /* malformed */
5616 }
5617
5618 /* grab the client's SID, if present. */
5619 rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length);
5620 if (rv != SECSuccess) {
5621 goto loser; /* malformed */
5622 }
5623
5624 /* grab the list of cipher suites. */
5625 rv = ssl3_ConsumeHandshakeVariable(ss, &suites, 2, &b, &length);
5626 if (rv != SECSuccess) {
5627 goto loser; /* malformed */
5628 }
5629
5630 /* grab the list of compression methods. */
5631 rv = ssl3_ConsumeHandshakeVariable(ss, &comps, 1, &b, &length);
5632 if (rv != SECSuccess) {
5633 goto loser; /* malformed */
5634 }
5635
5636 desc = handshake_failure;
5637
5638 /* Handle TLS hello extensions for SSL3 & TLS. We do not know if
5639 * we are restarting a previous session until extensions have been
5640 * parsed, since we might have received a SessionTicket extension.
5641 * Note: we allow extensions even when negotiating SSL3 for the sake
5642 * of interoperability (and backwards compatibility).
5643 */
5644
5645 if (length) {
5646 /* Get length of hello extensions */
5647 PRInt32 extension_length;
5648 extension_length = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
5649 if (extension_length < 0) {
5650 goto loser; /* alert already sent */
5651 }
5652 if (extension_length != length) {
5653 ssl3_DecodeError(ss); /* send alert */
5654 goto loser;
5655 }
5656 rv = ssl3_HandleHelloExtensions(ss, &b, &length);
5657 if (rv != SECSuccess) {
5658 goto loser; /* malformed */
5659 }
5660 }
5661
5662 /* We do stateful resumes only if either of the following
5663 * conditions are satisfied: (1) the client does not support the
5664 * session ticket extension, or (2) the client support the session
5665 * ticket extension, but sent an empty ticket.
5666 */
5667 if (!ssl3_ExtensionNegotiated(ss, session_ticket_xtn) ||
5668 ss->xtnData.emptySessionTicket) {
5669 if (sidBytes.len > 0 && !ss->opt.noCache) {
5670 SSL_TRC(7, ("%d: SSL3[%d]: server, lookup client session-id for 0x%08x%08x%08x%08x",
5671 SSL_GETPID(), ss->fd, ss->sec.ci.peer.pr_s6_addr32[0],
5672 ss->sec.ci.peer.pr_s6_addr32[1],
5673 ss->sec.ci.peer.pr_s6_addr32[2],
5674 ss->sec.ci.peer.pr_s6_addr32[3]));
5675 if (ssl_sid_lookup) {
5676 sid = (*ssl_sid_lookup)(&ss->sec.ci.peer, sidBytes.data,
5677 sidBytes.len, ss->dbHandle);
5678 } else {
5679 errCode = SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED;
5680 goto loser;
5681 }
5682 }
5683 } else if (ss->statelessResume) {
5684 /* Fill in the client's session ID if doing a stateless resume.
5685 * (When doing stateless resumes, server echos client's SessionID.)
5686 */
5687 sid = ss->sec.ci.sid;
5688 PORT_Assert(sid != NULL); /* Should have already been filled in.*/
5689
5690 if (sidBytes.len > 0 && sidBytes.len <= SSL3_SESSIONID_BYTES) {
5691 sid->u.ssl3.sessionIDLength = sidBytes.len;
5692 PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data,
5693 sidBytes.len);
5694 sid->u.ssl3.sessionIDLength = sidBytes.len;
5695 } else {
5696 sid->u.ssl3.sessionIDLength = 0;
5697 }
5698 ss->sec.ci.sid = NULL;
5699 }
5700
5701 /* We only send a session ticket extension if the client supports
5702 * the extension and we are unable to do either a stateful or
5703 * stateless resume.
5704 *
5705 * TODO: send a session ticket if performing a stateful
5706 * resumption. (As per RFC4507, a server may issue a session
5707 * ticket while doing a (stateless or stateful) session resume,
5708 * but OpenSSL-0.9.8g does not accept session tickets while
5709 * resuming.)
5710 */
5711 if (ssl3_ExtensionNegotiated(ss, session_ticket_xtn) && sid == NULL) {
5712 ssl3_RegisterServerHelloExtensionSender(ss,
5713 session_ticket_xtn, ssl3_SendSessionTicketXtn);
5714 }
5715
5716 if (sid != NULL) {
5717 /* We've found a session cache entry for this client.
5718 * Now, if we're going to require a client-auth cert,
5719 * and we don't already have this client's cert in the session cache,
5720 * and this is the first handshake on this connection (not a redo),
5721 * then drop this old cache entry and start a new session.
5722 */
5723 if ((sid->peerCert == NULL) && ss->opt.requestCertificate &&
5724 ((ss->opt.requireCertificate == SSL_REQUIRE_ALWAYS) ||
5725 (ss->opt.requireCertificate == SSL_REQUIRE_NO_ERROR) ||
5726 ((ss->opt.requireCertificate == SSL_REQUIRE_FIRST_HANDSHAKE)
5727 && !ss->firstHsDone))) {
5728
5729 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_not_ok );
5730 ss->sec.uncache(sid);
5731 ssl_FreeSID(sid);
5732 sid = NULL;
5733 }
5734 }
5735
5736 #ifdef NSS_ENABLE_ECC
5737 /* Disable any ECC cipher suites for which we have no cert. */
5738 ssl3_FilterECCipherSuitesByServerCerts(ss);
5739 #endif
5740
5741 #ifdef PARANOID
5742 /* Look for a matching cipher suite. */
5743 j = ssl3_config_match_init(ss);
5744 if (j <= 0) { /* no ciphers are working/supported by PK11 */
5745 errCode = PORT_GetError(); /* error code is already set. */
5746 goto alert_loser;
5747 }
5748 #endif
5749
5750 /* If we already have a session for this client, be sure to pick the
5751 ** same cipher suite we picked before.
5752 ** This is not a loop, despite appearances.
5753 */
5754 if (sid) do {
5755 ssl3CipherSuiteCfg *suite = ss->cipherSuites;
5756 /* Find the entry for the cipher suite used in the cached session. */
5757 for (j = ssl_V3_SUITES_IMPLEMENTED; j > 0; --j, ++suite) {
5758 if (suite->cipher_suite == sid->u.ssl3.cipherSuite)
5759 break;
5760 }
5761 PORT_Assert(j > 0);
5762 if (j <= 0)
5763 break;
5764 #ifdef PARANOID
5765 /* Double check that the cached cipher suite is still enabled,
5766 * implemented, and allowed by policy. Might have been disabled.
5767 * The product policy won't change during the process lifetime.
5768 * Implemented ("isPresent") shouldn't change for servers.
5769 */
5770 if (!config_match(suite, ss->ssl3.policy, PR_TRUE))
5771 break;
5772 #else
5773 if (!suite->enabled)
5774 break;
5775 #endif
5776 /* Double check that the cached cipher suite is in the client's list */
5777 for (i = 0; i < suites.len; i += 2) {
5778 if ((suites.data[i] == MSB(suite->cipher_suite)) &&
5779 (suites.data[i + 1] == LSB(suite->cipher_suite))) {
5780
5781 ss->ssl3.hs.cipher_suite = suite->cipher_suite;
5782 ss->ssl3.hs.suite_def =
5783 ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite);
5784 goto suite_found;
5785 }
5786 }
5787 } while (0);
5788
5789 /* START A NEW SESSION */
5790
5791 #ifndef PARANOID
5792 /* Look for a matching cipher suite. */
5793 j = ssl3_config_match_init(ss);
5794 if (j <= 0) { /* no ciphers are working/supported by PK11 */
5795 errCode = PORT_GetError(); /* error code is already set. */
5796 goto alert_loser;
5797 }
5798 #endif
5799
5800 /* Select a cipher suite.
5801 ** NOTE: This suite selection algorithm should be the same as the one in
5802 ** ssl3_HandleV2ClientHello().
5803 */
5804 for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
5805 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
5806 if (!config_match(suite, ss->ssl3.policy, PR_TRUE))
5807 continue;
5808 for (i = 0; i < suites.len; i += 2) {
5809 if ((suites.data[i] == MSB(suite->cipher_suite)) &&
5810 (suites.data[i + 1] == LSB(suite->cipher_suite))) {
5811
5812 ss->ssl3.hs.cipher_suite = suite->cipher_suite;
5813 ss->ssl3.hs.suite_def =
5814 ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite);
5815 goto suite_found;
5816 }
5817 }
5818 }
5819 errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
5820 goto alert_loser;
5821
5822 suite_found:
5823 /* Look for a matching compression algorithm. */
5824 for (i = 0; i < comps.len; i++) {
5825 for (j = 0; j < compressionMethodsCount; j++) {
5826 if (comps.data[i] == compressions[j]) {
5827 ss->ssl3.hs.compression =
5828 (SSL3CompressionMethod)compressions[j];
5829 goto compression_found;
5830 }
5831 }
5832 }
5833 errCode = SSL_ERROR_NO_COMPRESSION_OVERLAP;
5834 /* null compression must be supported */
5835 goto alert_loser;
5836
5837 compression_found:
5838 suites.data = NULL;
5839 comps.data = NULL;
5840
5841 ss->sec.send = ssl3_SendApplicationData;
5842
5843 /* If there are any failures while processing the old sid,
5844 * we don't consider them to be errors. Instead, We just behave
5845 * as if the client had sent us no sid to begin with, and make a new one.
5846 */
5847 if (sid != NULL) do {
5848 ssl3CipherSpec *pwSpec;
5849 SECItem wrappedMS; /* wrapped key */
5850
5851 if (sid->version != ss->version ||
5852 sid->u.ssl3.cipherSuite != ss->ssl3.hs.cipher_suite) {
5853 break; /* not an error */
5854 }
5855
5856 if (ss->sec.ci.sid) {
5857 ss->sec.uncache(ss->sec.ci.sid);
5858 PORT_Assert(ss->sec.ci.sid != sid); /* should be impossible, but ... */
5859 if (ss->sec.ci.sid != sid) {
5860 ssl_FreeSID(ss->sec.ci.sid);
5861 }
5862 ss->sec.ci.sid = NULL;
5863 }
5864 /* we need to resurrect the master secret.... */
5865
5866 ssl_GetSpecWriteLock(ss); haveSpecWriteLock = PR_TRUE;
5867 pwSpec = ss->ssl3.pwSpec;
5868 if (sid->u.ssl3.keys.msIsWrapped) {
5869 PK11SymKey * wrapKey; /* wrapping key */
5870 CK_FLAGS keyFlags = 0;
5871 if (ss->opt.bypassPKCS11) {
5872 /* we cannot restart a non-bypass session in a
5873 ** bypass socket.
5874 */
5875 break;
5876 }
5877
5878 wrapKey = getWrappingKey(ss, NULL, sid->u.ssl3.exchKeyType,
5879 sid->u.ssl3.masterWrapMech,
5880 ss->pkcs11PinArg);
5881 if (!wrapKey) {
5882 /* we have a SID cache entry, but no wrapping key for it??? */
5883 break;
5884 }
5885
5886 if (ss->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */
5887 keyFlags = CKF_SIGN | CKF_VERIFY;
5888 }
5889
5890 wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
5891 wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len;
5892
5893 /* unwrap the master secret. */
5894 pwSpec->master_secret =
5895 PK11_UnwrapSymKeyWithFlags(wrapKey, sid->u.ssl3.masterWrapMech,
5896 NULL, &wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE,
5897 CKA_DERIVE, sizeof(SSL3MasterSecret), keyFlags);
5898 PK11_FreeSymKey(wrapKey);
5899 if (pwSpec->master_secret == NULL) {
5900 break; /* not an error */
5901 }
5902 } else if (ss->opt.bypassPKCS11) {
5903 wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
5904 wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len;
5905 memcpy(pwSpec->raw_master_secret, wrappedMS.data, wrappedMS.len);
5906 pwSpec->msItem.data = pwSpec->raw_master_secret;
5907 pwSpec->msItem.len = wrappedMS.len;
5908 } else {
5909 /* We CAN restart a bypass session in a non-bypass socket. */
5910 /* need to import the raw master secret to session object */
5911 PK11SlotInfo * slot;
5912 wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
5913 wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len;
5914 slot = PK11_GetInternalSlot();
5915 pwSpec->master_secret =
5916 PK11_ImportSymKey(slot, CKM_SSL3_MASTER_KEY_DERIVE,
5917 PK11_OriginUnwrap, CKA_ENCRYPT, &wrappedMS,
5918 NULL);
5919 PK11_FreeSlot(slot);
5920 if (pwSpec->master_secret == NULL) {
5921 break; /* not an error */
5922 }
5923 }
5924 ss->sec.ci.sid = sid;
5925 if (sid->peerCert != NULL) {
5926 ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
5927 }
5928
5929 /*
5930 * Old SID passed all tests, so resume this old session.
5931 *
5932 * XXX make sure compression still matches
5933 */
5934 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_hits );
5935 if (ss->statelessResume)
5936 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_stateless_resumes );
5937 ss->ssl3.hs.isResuming = PR_TRUE;
5938
5939 ss->sec.authAlgorithm = sid->authAlgorithm;
5940 ss->sec.authKeyBits = sid->authKeyBits;
5941 ss->sec.keaType = sid->keaType;
5942 ss->sec.keaKeyBits = sid->keaKeyBits;
5943
5944 /* server sids don't remember the server cert we previously sent,
5945 ** but they do remember the kea type we originally used, so we
5946 ** can locate it again, provided that the current ssl socket
5947 ** has had its server certs configured the same as the previous one.
5948 */
5949 ss->sec.localCert =
5950 CERT_DupCertificate(ss->serverCerts[sid->keaType].serverCert);
5951
5952 ssl_GetXmitBufLock(ss); haveXmitBufLock = PR_TRUE;
5953
5954 rv = ssl3_SendServerHello(ss);
5955 if (rv != SECSuccess) {
5956 errCode = PORT_GetError();
5957 goto loser;
5958 }
5959
5960 if (haveSpecWriteLock) {
5961 ssl_ReleaseSpecWriteLock(ss);
5962 haveSpecWriteLock = PR_FALSE;
5963 }
5964
5965 /* NULL value for PMS signifies re-use of the old MS */
5966 rv = ssl3_InitPendingCipherSpec(ss, NULL);
5967 if (rv != SECSuccess) {
5968 errCode = PORT_GetError();
5969 goto loser;
5970 }
5971
5972 rv = ssl3_SendChangeCipherSpecs(ss);
5973 if (rv != SECSuccess) {
5974 errCode = PORT_GetError();
5975 goto loser;
5976 }
5977 rv = ssl3_SendFinished(ss, 0);
5978 ss->ssl3.hs.ws = wait_change_cipher;
5979 if (rv != SECSuccess) {
5980 errCode = PORT_GetError();
5981 goto loser;
5982 }
5983
5984 if (haveXmitBufLock) {
5985 ssl_ReleaseXmitBufLock(ss);
5986 haveXmitBufLock = PR_FALSE;
5987 }
5988
5989 return SECSuccess;
5990 } while (0);
5991
5992 if (haveSpecWriteLock) {
5993 ssl_ReleaseSpecWriteLock(ss);
5994 haveSpecWriteLock = PR_FALSE;
5995 }
5996
5997 if (sid) { /* we had a sid, but it's no longer valid, free it */
5998 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_not_ok );
5999 ss->sec.uncache(sid);
6000 ssl_FreeSID(sid);
6001 sid = NULL;
6002 }
6003 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_misses );
6004
6005 sid = ssl3_NewSessionID(ss, PR_TRUE);
6006 if (sid == NULL) {
6007 errCode = PORT_GetError();
6008 goto loser; /* memory error is set. */
6009 }
6010 ss->sec.ci.sid = sid;
6011
6012 ss->ssl3.hs.isResuming = PR_FALSE;
6013 ssl_GetXmitBufLock(ss);
6014 rv = ssl3_SendServerHelloSequence(ss);
6015 ssl_ReleaseXmitBufLock(ss);
6016 if (rv != SECSuccess) {
6017 errCode = PORT_GetError();
6018 goto loser;
6019 }
6020
6021 if (haveXmitBufLock) {
6022 ssl_ReleaseXmitBufLock(ss);
6023 haveXmitBufLock = PR_FALSE;
6024 }
6025
6026 return SECSuccess;
6027
6028 alert_loser:
6029 if (haveSpecWriteLock) {
6030 ssl_ReleaseSpecWriteLock(ss);
6031 haveSpecWriteLock = PR_FALSE;
6032 }
6033 (void)SSL3_SendAlert(ss, alert_fatal, desc);
6034 /* FALLTHRU */
6035 loser:
6036 if (haveSpecWriteLock) {
6037 ssl_ReleaseSpecWriteLock(ss);
6038 haveSpecWriteLock = PR_FALSE;
6039 }
6040
6041 if (haveXmitBufLock) {
6042 ssl_ReleaseXmitBufLock(ss);
6043 haveXmitBufLock = PR_FALSE;
6044 }
6045
6046 PORT_SetError(errCode);
6047 return SECFailure;
6048 }
6049
6050 /*
6051 * ssl3_HandleV2ClientHello is used when a V2 formatted hello comes
6052 * in asking to use the V3 handshake.
6053 * Called from ssl2_HandleClientHelloMessage() in sslcon.c
6054 */
6055 SECStatus
6056 ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buffer, int length)
6057 {
6058 sslSessionID * sid = NULL;
6059 unsigned char * suites;
6060 unsigned char * random;
6061 SSL3ProtocolVersion version;
6062 SECStatus rv;
6063 int i;
6064 int j;
6065 int sid_length;
6066 int suite_length;
6067 int rand_length;
6068 int errCode = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO;
6069 SSL3AlertDescription desc = handshake_failure;
6070
6071 SSL_TRC(3, ("%d: SSL3[%d]: handle v2 client_hello", SSL_GETPID(), ss->fd));
6072
6073 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
6074
6075 ssl_GetSSL3HandshakeLock(ss);
6076
6077 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
6078
6079 rv = ssl3_InitState(ss);
6080 if (rv != SECSuccess) {
6081 ssl_ReleaseSSL3HandshakeLock(ss);
6082 return rv; /* ssl3_InitState has set the error code. */
6083 }
6084
6085 if (ss->ssl3.hs.ws != wait_client_hello) {
6086 desc = unexpected_message;
6087 errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO;
6088 goto loser; /* alert_loser */
6089 }
6090
6091 version = (buffer[1] << 8) | buffer[2];
6092 suite_length = (buffer[3] << 8) | buffer[4];
6093 sid_length = (buffer[5] << 8) | buffer[6];
6094 rand_length = (buffer[7] << 8) | buffer[8];
6095 ss->clientHelloVersion = version;
6096
6097 rv = ssl3_NegotiateVersion(ss, version);
6098 if (rv != SECSuccess) {
6099 /* send back which ever alert client will understand. */
6100 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version : handshake_failure;
6101 errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
6102 goto alert_loser;
6103 }
6104
6105 /* if we get a non-zero SID, just ignore it. */
6106 if (length !=
6107 SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length + rand_length) {
6108 SSL_DBG(("%d: SSL3[%d]: bad v2 client hello message, len=%d should=%d",
6109 SSL_GETPID(), ss->fd, length,
6110 SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length +
6111 rand_length));
6112 goto loser; /* malformed */ /* alert_loser */
6113 }
6114
6115 suites = buffer + SSL_HL_CLIENT_HELLO_HBYTES;
6116 random = suites + suite_length + sid_length;
6117
6118 if (rand_length < SSL_MIN_CHALLENGE_BYTES ||
6119 rand_length > SSL_MAX_CHALLENGE_BYTES) {
6120 goto loser; /* malformed */ /* alert_loser */
6121 }
6122
6123 PORT_Assert(SSL_MAX_CHALLENGE_BYTES == SSL3_RANDOM_LENGTH);
6124
6125 PORT_Memset(&ss->ssl3.hs.client_random, 0, SSL3_RANDOM_LENGTH);
6126 PORT_Memcpy(
6127 &ss->ssl3.hs.client_random.rand[SSL3_RANDOM_LENGTH - rand_length],
6128 random, rand_length);
6129
6130 PRINT_BUF(60, (ss, "client random:", &ss->ssl3.hs.client_random.rand[0],
6131 SSL3_RANDOM_LENGTH));
6132 #ifdef NSS_ENABLE_ECC
6133 /* Disable any ECC cipher suites for which we have no cert. */
6134 ssl3_FilterECCipherSuitesByServerCerts(ss);
6135 #endif
6136 i = ssl3_config_match_init(ss);
6137 if (i <= 0) {
6138 errCode = PORT_GetError(); /* error code is already set. */
6139 goto alert_loser;
6140 }
6141
6142 /* Select a cipher suite.
6143 ** NOTE: This suite selection algorithm should be the same as the one in
6144 ** ssl3_HandleClientHello().
6145 */
6146 for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
6147 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
6148 if (!config_match(suite, ss->ssl3.policy, PR_TRUE))
6149 continue;
6150 for (i = 0; i < suite_length; i += 3) {
6151 if ((suites[i] == 0) &&
6152 (suites[i+1] == MSB(suite->cipher_suite)) &&
6153 (suites[i+2] == LSB(suite->cipher_suite))) {
6154
6155 ss->ssl3.hs.cipher_suite = suite->cipher_suite;
6156 ss->ssl3.hs.suite_def =
6157 ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite);
6158 goto suite_found;
6159 }
6160 }
6161 }
6162 errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
6163 goto alert_loser;
6164
6165 suite_found:
6166
6167 ss->ssl3.hs.compression = compression_null;
6168 ss->sec.send = ssl3_SendApplicationData;
6169
6170 /* we don't even search for a cache hit here. It's just a miss. */
6171 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_misses );
6172 sid = ssl3_NewSessionID(ss, PR_TRUE);
6173 if (sid == NULL) {
6174 errCode = PORT_GetError();
6175 goto loser; /* memory error is set. */
6176 }
6177 ss->sec.ci.sid = sid;
6178 /* do not worry about memory leak of sid since it now belongs to ci */
6179
6180 /* We have to update the handshake hashes before we can send stuff */
6181 rv = ssl3_UpdateHandshakeHashes(ss, buffer, length);
6182 if (rv != SECSuccess) {
6183 errCode = PORT_GetError();
6184 goto loser;
6185 }
6186
6187 ssl_GetXmitBufLock(ss);
6188 rv = ssl3_SendServerHelloSequence(ss);
6189 ssl_ReleaseXmitBufLock(ss);
6190 if (rv != SECSuccess) {
6191 errCode = PORT_GetError();
6192 goto loser;
6193 }
6194
6195 /* XXX_1 The call stack to here is:
6196 * ssl_Do1stHandshake -> ssl2_HandleClientHelloMessage -> here.
6197 * ssl2_HandleClientHelloMessage returns whatever we return here.
6198 * ssl_Do1stHandshake will continue looping if it gets back either
6199 * SECSuccess or SECWouldBlock.
6200 * SECSuccess is preferable here. See XXX_1 in sslgathr.c.
6201 */
6202 ssl_ReleaseSSL3HandshakeLock(ss);
6203 return SECSuccess;
6204
6205 alert_loser:
6206 SSL3_SendAlert(ss, alert_fatal, desc);
6207 loser:
6208 ssl_ReleaseSSL3HandshakeLock(ss);
6209 PORT_SetError(errCode);
6210 return SECFailure;
6211 }
6212
6213 /* The negotiated version number has been already placed in ss->version.
6214 **
6215 ** Called from: ssl3_HandleClientHello (resuming session),
6216 ** ssl3_SendServerHelloSequence <- ssl3_HandleClientHello (new session),
6217 ** ssl3_SendServerHelloSequence <- ssl3_HandleV2ClientHello (new session)
6218 */
6219 static SECStatus
6220 ssl3_SendServerHello(sslSocket *ss)
6221 {
6222 sslSessionID *sid;
6223 SECStatus rv;
6224 PRUint32 maxBytes = 65535;
6225 PRUint32 length;
6226 PRInt32 extensions_len = 0;
6227
6228 SSL_TRC(3, ("%d: SSL3[%d]: send server_hello handshake", SSL_GETPID(),
6229 ss->fd));
6230
6231 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
6232 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
6233 PORT_Assert( MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_3_0));
6234
6235 if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_3_0)) {
6236 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
6237 return SECFailure;
6238 }
6239
6240 sid = ss->sec.ci.sid;
6241
6242 extensions_len = ssl3_CallHelloExtensionSenders(ss, PR_FALSE, maxBytes,
6243 &ss->xtnData.serverSenders[0]);
6244 if (extensions_len > 0)
6245 extensions_len += 2; /* Add sizeof total extension length */
6246
6247 length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH + 1 +
6248 ((sid == NULL) ? 0: sid->u.ssl3.sessionIDLength) +
6249 sizeof(ssl3CipherSuite) + 1 + extensions_len;
6250 rv = ssl3_AppendHandshakeHeader(ss, server_hello, length);
6251 if (rv != SECSuccess) {
6252 return rv; /* err set by AppendHandshake. */
6253 }
6254
6255 rv = ssl3_AppendHandshakeNumber(ss, ss->version, 2);
6256 if (rv != SECSuccess) {
6257 return rv; /* err set by AppendHandshake. */
6258 }
6259 rv = ssl3_GetNewRandom(&ss->ssl3.hs.server_random);
6260 if (rv != SECSuccess) {
6261 ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
6262 return rv;
6263 }
6264 rv = ssl3_AppendHandshake(
6265 ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH);
6266 if (rv != SECSuccess) {
6267 return rv; /* err set by AppendHandshake. */
6268 }
6269
6270 if (sid)
6271 rv = ssl3_AppendHandshakeVariable(
6272 ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1);
6273 else
6274 rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
6275 if (rv != SECSuccess) {
6276 return rv; /* err set by AppendHandshake. */
6277 }
6278
6279 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.cipher_suite, 2);
6280 if (rv != SECSuccess) {
6281 return rv; /* err set by AppendHandshake. */
6282 }
6283 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.compression, 1);
6284 if (rv != SECSuccess) {
6285 return rv; /* err set by AppendHandshake. */
6286 }
6287 if (extensions_len) {
6288 PRInt32 sent_len;
6289
6290 extensions_len -= 2;
6291 rv = ssl3_AppendHandshakeNumber(ss, extensions_len, 2);
6292 if (rv != SECSuccess)
6293 return rv; /* err set by ssl3_SetupPendingCipherSpec */
6294 sent_len = ssl3_CallHelloExtensionSenders(ss, PR_TRUE, extensions_len,
6295 &ss->xtnData.serverSenders[0]);
6296 PORT_Assert(sent_len == extensions_len);
6297 if (sent_len != extensions_len) {
6298 if (sent_len >= 0)
6299 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
6300 return SECFailure;
6301 }
6302 }
6303 rv = ssl3_SetupPendingCipherSpec(ss);
6304 if (rv != SECSuccess) {
6305 return rv; /* err set by ssl3_SetupPendingCipherSpec */
6306 }
6307
6308 return SECSuccess;
6309 }
6310
6311
6312 static SECStatus
6313 ssl3_SendServerKeyExchange(sslSocket *ss)
6314 {
6315 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def;
6316 SECStatus rv = SECFailure;
6317 int length;
6318 PRBool isTLS;
6319 SECItem signed_hash = {siBuffer, NULL, 0};
6320 SSL3Hashes hashes;
6321 SECKEYPublicKey * sdPub; /* public key for step-down */
6322
6323 SSL_TRC(3, ("%d: SSL3[%d]: send server_key_exchange handshake",
6324 SSL_GETPID(), ss->fd));
6325
6326 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
6327 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
6328
6329 switch (kea_def->exchKeyType) {
6330 case kt_rsa:
6331 /* Perform SSL Step-Down here. */
6332 sdPub = ss->stepDownKeyPair->pubKey;
6333 PORT_Assert(sdPub != NULL);
6334 if (!sdPub) {
6335 PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
6336 return SECFailure;
6337 }
6338 rv = ssl3_ComputeExportRSAKeyHash(sdPub->u.rsa.modulus,
6339 sdPub->u.rsa.publicExponent,
6340 &ss->ssl3.hs.client_random,
6341 &ss->ssl3.hs.server_random,
6342 &hashes, ss->opt.bypassPKCS11);
6343 if (rv != SECSuccess) {
6344 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
6345 return rv;
6346 }
6347
6348 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
6349 rv = ssl3_SignHashes(&hashes, ss->serverCerts[kt_rsa].SERVERKEY,
6350 &signed_hash, isTLS);
6351 if (rv != SECSuccess) {
6352 goto loser; /* ssl3_SignHashes has set err. */
6353 }
6354 if (signed_hash.data == NULL) {
6355 /* how can this happen and rv == SECSuccess ?? */
6356 PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
6357 goto loser;
6358 }
6359 length = 2 + sdPub->u.rsa.modulus.len +
6360 2 + sdPub->u.rsa.publicExponent.len +
6361 2 + signed_hash.len;
6362
6363 rv = ssl3_AppendHandshakeHeader(ss, server_key_exchange, length);
6364 if (rv != SECSuccess) {
6365 goto loser; /* err set by AppendHandshake. */
6366 }
6367
6368 rv = ssl3_AppendHandshakeVariable(ss, sdPub->u.rsa.modulus.data,
6369 sdPub->u.rsa.modulus.len, 2);
6370 if (rv != SECSuccess) {
6371 goto loser; /* err set by AppendHandshake. */
6372 }
6373
6374 rv = ssl3_AppendHandshakeVariable(
6375 ss, sdPub->u.rsa.publicExponent.data,
6376 sdPub->u.rsa.publicExponent.len, 2);
6377 if (rv != SECSuccess) {
6378 goto loser; /* err set by AppendHandshake. */
6379 }
6380
6381 rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data,
6382 signed_hash.len, 2);
6383 if (rv != SECSuccess) {
6384 goto loser; /* err set by AppendHandshake. */
6385 }
6386 PORT_Free(signed_hash.data);
6387 return SECSuccess;
6388
6389 #ifdef NSS_ENABLE_ECC
6390 case kt_ecdh: {
6391 rv = ssl3_SendECDHServerKeyExchange(ss);
6392 return rv;
6393 }
6394 #endif /* NSS_ENABLE_ECC */
6395
6396 case kt_dh:
6397 case kt_null:
6398 default:
6399 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
6400 break;
6401 }
6402 loser:
6403 if (signed_hash.data != NULL)
6404 PORT_Free(signed_hash.data);
6405 return SECFailure;
6406 }
6407
6408
6409 static SECStatus
6410 ssl3_SendCertificateRequest(sslSocket *ss)
6411 {
6412 SECItem * name;
6413 CERTDistNames *ca_list;
6414 const uint8 * certTypes;
6415 SECItem * names = NULL;
6416 SECStatus rv;
6417 int length;
6418 int i;
6419 int calen = 0;
6420 int nnames = 0;
6421 int certTypesLength;
6422
6423 SSL_TRC(3, ("%d: SSL3[%d]: send certificate_request handshake",
6424 SSL_GETPID(), ss->fd));
6425
6426 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
6427 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
6428
6429 /* ssl3.ca_list is initialized to NULL, and never changed. */
6430 ca_list = ss->ssl3.ca_list;
6431 if (!ca_list) {
6432 ca_list = ssl3_server_ca_list;
6433 }
6434
6435 if (ca_list != NULL) {
6436 names = ca_list->names;
6437 nnames = ca_list->nnames;
6438 }
6439
6440 if (!nnames) {
6441 PORT_SetError(SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA);
6442 return SECFailure;
6443 }
6444
6445 for (i = 0, name = names; i < nnames; i++, name++) {
6446 calen += 2 + name->len;
6447 }
6448
6449 certTypes = certificate_types;
6450 certTypesLength = sizeof certificate_types;
6451
6452 length = 1 + certTypesLength + 2 + calen;
6453
6454 rv = ssl3_AppendHandshakeHeader(ss, certificate_request, length);
6455 if (rv != SECSuccess) {
6456 return rv; /* err set by AppendHandshake. */
6457 }
6458 rv = ssl3_AppendHandshakeVariable(ss, certTypes, certTypesLength, 1);
6459 if (rv != SECSuccess) {
6460 return rv; /* err set by AppendHandshake. */
6461 }
6462 rv = ssl3_AppendHandshakeNumber(ss, calen, 2);
6463 if (rv != SECSuccess) {
6464 return rv; /* err set by AppendHandshake. */
6465 }
6466 for (i = 0, name = names; i < nnames; i++, name++) {
6467 rv = ssl3_AppendHandshakeVariable(ss, name->data, name->len, 2);
6468 if (rv != SECSuccess) {
6469 return rv; /* err set by AppendHandshake. */
6470 }
6471 }
6472
6473 return SECSuccess;
6474 }
6475
6476 static SECStatus
6477 ssl3_SendServerHelloDone(sslSocket *ss)
6478 {
6479 SECStatus rv;
6480
6481 SSL_TRC(3, ("%d: SSL3[%d]: send server_hello_done handshake",
6482 SSL_GETPID(), ss->fd));
6483
6484 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
6485 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
6486
6487 rv = ssl3_AppendHandshakeHeader(ss, server_hello_done, 0);
6488 if (rv != SECSuccess) {
6489 return rv; /* err set by AppendHandshake. */
6490 }
6491 rv = ssl3_FlushHandshake(ss, 0);
6492 if (rv != SECSuccess) {
6493 return rv; /* error code set by ssl3_FlushHandshake */
6494 }
6495 return SECSuccess;
6496 }
6497
6498 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
6499 * ssl3 Certificate Verify message
6500 * Caller must hold Handshake and RecvBuf locks.
6501 */
6502 static SECStatus
6503 ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
6504 SSL3Hashes *hashes)
6505 {
6506 SECItem signed_hash = {siBuffer, NULL, 0};
6507 SECStatus rv;
6508 int errCode = SSL_ERROR_RX_MALFORMED_CERT_VERIFY;
6509 SSL3AlertDescription desc = handshake_failure;
6510 PRBool isTLS;
6511
6512 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_verify handshake",
6513 SSL_GETPID(), ss->fd));
6514 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
6515 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
6516
6517 if (ss->ssl3.hs.ws != wait_cert_verify || ss->sec.peerCert == NULL) {
6518 desc = unexpected_message;
6519 errCode = SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY;
6520 goto alert_loser;
6521 }
6522
6523 rv = ssl3_ConsumeHandshakeVariable(ss, &signed_hash, 2, &b, &length);
6524 if (rv != SECSuccess) {
6525 goto loser; /* malformed. */
6526 }
6527
6528 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
6529
6530 /* XXX verify that the key & kea match */
6531 rv = ssl3_VerifySignedHashes(hashes, ss->sec.peerCert, &signed_hash,
6532 isTLS, ss->pkcs11PinArg);
6533 if (rv != SECSuccess) {
6534 errCode = PORT_GetError();
6535 desc = isTLS ? decrypt_error : handshake_failure;
6536 goto alert_loser;
6537 }
6538
6539 signed_hash.data = NULL;
6540
6541 if (length != 0) {
6542 desc = isTLS ? decode_error : illegal_parameter;
6543 goto alert_loser; /* malformed */
6544 }
6545 ss->ssl3.hs.ws = wait_change_cipher;
6546 return SECSuccess;
6547
6548 alert_loser:
6549 SSL3_SendAlert(ss, alert_fatal, desc);
6550 loser:
6551 PORT_SetError(errCode);
6552 return SECFailure;
6553 }
6554
6555
6556 /* find a slot that is able to generate a PMS and wrap it with RSA.
6557 * Then generate and return the PMS.
6558 * If the serverKeySlot parameter is non-null, this function will use
6559 * that slot to do the job, otherwise it will find a slot.
6560 *
6561 * Called from ssl3_DeriveConnectionKeysPKCS11() (above)
6562 * sendRSAClientKeyExchange() (above)
6563 * ssl3_HandleRSAClientKeyExchange() (below)
6564 * Caller must hold the SpecWriteLock, the SSL3HandshakeLock
6565 */
6566 static PK11SymKey *
6567 ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
6568 PK11SlotInfo * serverKeySlot)
6569 {
6570 PK11SymKey * pms = NULL;
6571 PK11SlotInfo * slot = serverKeySlot;
6572 void * pwArg = ss->pkcs11PinArg;
6573 SECItem param;
6574 CK_VERSION version;
6575 CK_MECHANISM_TYPE mechanism_array[3];
6576
6577 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
6578
6579 if (slot == NULL) {
6580 SSLCipherAlgorithm calg;
6581 /* The specReadLock would suffice here, but we cannot assert on
6582 ** read locks. Also, all the callers who call with a non-null
6583 ** slot already hold the SpecWriteLock.
6584 */
6585 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
6586 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
6587
6588 calg = spec->cipher_def->calg;
6589 PORT_Assert(alg2Mech[calg].calg == calg);
6590
6591 /* First get an appropriate slot. */
6592 mechanism_array[0] = CKM_SSL3_PRE_MASTER_KEY_GEN;
6593 mechanism_array[1] = CKM_RSA_PKCS;
6594 mechanism_array[2] = alg2Mech[calg].cmech;
6595
6596 slot = PK11_GetBestSlotMultiple(mechanism_array, 3, pwArg);
6597 if (slot == NULL) {
6598 /* can't find a slot with all three, find a slot with the minimum */
6599 slot = PK11_GetBestSlotMultiple(mechanism_array, 2, pwArg);
6600 if (slot == NULL) {
6601 PORT_SetError(SSL_ERROR_TOKEN_SLOT_NOT_FOUND);
6602 return pms; /* which is NULL */
6603 }
6604 }
6605 }
6606
6607 /* Generate the pre-master secret ... */
6608 version.major = MSB(ss->clientHelloVersion);
6609 version.minor = LSB(ss->clientHelloVersion);
6610
6611 param.data = (unsigned char *)&version;
6612 param.len = sizeof version;
6613
6614 pms = PK11_KeyGen(slot, CKM_SSL3_PRE_MASTER_KEY_GEN, &param, 0, pwArg);
6615 if (!serverKeySlot)
6616 PK11_FreeSlot(slot);
6617 if (pms == NULL) {
6618 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
6619 }
6620 return pms;
6621 }
6622
6623 /* Note: The Bleichenbacher attack on PKCS#1 necessitates that we NEVER
6624 * return any indication of failure of the Client Key Exchange message,
6625 * where that failure is caused by the content of the client's message.
6626 * This function must not return SECFailure for any reason that is directly
6627 * or indirectly caused by the content of the client's encrypted PMS.
6628 * We must not send an alert and also not drop the connection.
6629 * Instead, we generate a random PMS. This will cause a failure
6630 * in the processing the finished message, which is exactly where
6631 * the failure must occur.
6632 *
6633 * Called from ssl3_HandleClientKeyExchange
6634 */
6635 static SECStatus
6636 ssl3_HandleRSAClientKeyExchange(sslSocket *ss,
6637 SSL3Opaque *b,
6638 PRUint32 length,
6639 SECKEYPrivateKey *serverKey)
6640 {
6641 PK11SymKey * pms;
6642 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random;
6643 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random;
6644 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec;
6645 unsigned int outLen = 0;
6646 PRBool isTLS = PR_FALSE;
6647 SECStatus rv;
6648 SECItem enc_pms;
6649 unsigned char rsaPmsBuf[SSL3_RSA_PMS_LENGTH];
6650 SECItem pmsItem = {siBuffer, NULL, 0};
6651
6652 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
6653 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
6654
6655 enc_pms.data = b;
6656 enc_pms.len = length;
6657 pmsItem.data = rsaPmsBuf;
6658 pmsItem.len = sizeof rsaPmsBuf;
6659
6660 if (ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */
6661 PRInt32 kLen;
6662 kLen = ssl3_ConsumeHandshakeNumber(ss, 2, &enc_pms.data, &enc_pms.len);
6663 if (kLen < 0) {
6664 PORT_SetError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
6665 return SECFailure;
6666 }
6667 if ((unsigned)kLen < enc_pms.len) {
6668 enc_pms.len = kLen;
6669 }
6670 isTLS = PR_TRUE;
6671 } else {
6672 isTLS = (PRBool)(ss->ssl3.hs.kea_def->tls_keygen != 0);
6673 }
6674
6675 if (ss->opt.bypassPKCS11) {
6676 /* TRIPLE BYPASS, get PMS directly from RSA decryption.
6677 * Use PK11_PrivDecryptPKCS1 to decrypt the PMS to a buffer,
6678 * then, check for version rollback attack, then
6679 * do the equivalent of ssl3_DeriveMasterSecret, placing the MS in
6680 * pwSpec->msItem. Finally call ssl3_InitPendingCipherSpec with
6681 * ss and NULL, so that it will use the MS we've already derived here.
6682 */
6683
6684 rv = PK11_PrivDecryptPKCS1(serverKey, rsaPmsBuf, &outLen,
6685 sizeof rsaPmsBuf, enc_pms.data, enc_pms.len);
6686 if (rv != SECSuccess) {
6687 /* triple bypass failed. Let's try for a double bypass. */
6688 goto double_bypass;
6689 } else if (ss->opt.detectRollBack) {
6690 SSL3ProtocolVersion client_version =
6691 (rsaPmsBuf[0] << 8) | rsaPmsBuf[1];
6692 if (client_version != ss->clientHelloVersion) {
6693 /* Version roll-back detected. ensure failure. */
6694 rv = PK11_GenerateRandom(rsaPmsBuf, sizeof rsaPmsBuf);
6695 }
6696 }
6697 /* have PMS, build MS without PKCS11 */
6698 rv = ssl3_MasterKeyDeriveBypass(pwSpec, cr, sr, &pmsItem, isTLS,
6699 PR_TRUE);
6700 if (rv != SECSuccess) {
6701 pwSpec->msItem.data = pwSpec->raw_master_secret;
6702 pwSpec->msItem.len = SSL3_MASTER_SECRET_LENGTH;
6703 PK11_GenerateRandom(pwSpec->msItem.data, pwSpec->msItem.len);
6704 }
6705 rv = ssl3_InitPendingCipherSpec(ss, NULL);
6706 } else {
6707 double_bypass:
6708 /*
6709 * unwrap pms out of the incoming buffer
6710 * Note: CKM_SSL3_MASTER_KEY_DERIVE is NOT the mechanism used to do
6711 * the unwrap. Rather, it is the mechanism with which the
6712 * unwrapped pms will be used.
6713 */
6714 pms = PK11_PubUnwrapSymKey(serverKey, &enc_pms,
6715 CKM_SSL3_MASTER_KEY_DERIVE, CKA_DERIVE, 0);
6716 if (pms != NULL) {
6717 PRINT_BUF(60, (ss, "decrypted premaster secret:",
6718 PK11_GetKeyData(pms)->data,
6719 PK11_GetKeyData(pms)->len));
6720 } else {
6721 /* unwrap failed. Generate a bogus PMS and carry on. */
6722 PK11SlotInfo * slot = PK11_GetSlotFromPrivateKey(serverKey);
6723
6724 ssl_GetSpecWriteLock(ss);
6725 pms = ssl3_GenerateRSAPMS(ss, ss->ssl3.prSpec, slot);
6726 ssl_ReleaseSpecWriteLock(ss);
6727 PK11_FreeSlot(slot);
6728 }
6729
6730 if (pms == NULL) {
6731 /* last gasp. */
6732 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
6733 return SECFailure;
6734 }
6735
6736 /* This step will derive the MS from the PMS, among other things. */
6737 rv = ssl3_InitPendingCipherSpec(ss, pms);
6738 PK11_FreeSymKey(pms);
6739 }
6740
6741 if (rv != SECSuccess) {
6742 SEND_ALERT
6743 return SECFailure; /* error code set by ssl3_InitPendingCipherSpec */
6744 }
6745 return SECSuccess;
6746 }
6747
6748
6749 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
6750 * ssl3 ClientKeyExchange message from the remote client
6751 * Caller must hold Handshake and RecvBuf locks.
6752 */
6753 static SECStatus
6754 ssl3_HandleClientKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
6755 {
6756 SECKEYPrivateKey *serverKey = NULL;
6757 SECStatus rv;
6758 const ssl3KEADef * kea_def;
6759 ssl3KeyPair *serverKeyPair = NULL;
6760 #ifdef NSS_ENABLE_ECC
6761 SECKEYPublicKey *serverPubKey = NULL;
6762 #endif /* NSS_ENABLE_ECC */
6763
6764 SSL_TRC(3, ("%d: SSL3[%d]: handle client_key_exchange handshake",
6765 SSL_GETPID(), ss->fd));
6766
6767 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
6768 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
6769
6770 if (ss->ssl3.hs.ws != wait_client_key) {
6771 SSL3_SendAlert(ss, alert_fatal, unexpected_message);
6772 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH);
6773 return SECFailure;
6774 }
6775
6776 kea_def = ss->ssl3.hs.kea_def;
6777
6778 if (ss->ssl3.hs.usedStepDownKey) {
6779 PORT_Assert(kea_def->is_limited /* XXX OR cert is signing only */
6780 && kea_def->exchKeyType == kt_rsa
6781 && ss->stepDownKeyPair != NULL);
6782 if (!kea_def->is_limited ||
6783 kea_def->exchKeyType != kt_rsa ||
6784 ss->stepDownKeyPair == NULL) {
6785 /* shouldn't happen, don't use step down if it does */
6786 goto skip;
6787 }
6788 serverKeyPair = ss->stepDownKeyPair;
6789 ss->sec.keaKeyBits = EXPORT_RSA_KEY_LENGTH * BPB;
6790 } else
6791 skip:
6792 #ifdef NSS_ENABLE_ECC
6793 /* XXX Using SSLKEAType to index server certifiates
6794 * does not work for (EC)DHE ciphers. Until we have
6795 * an indexing mechanism general enough for all key
6796 * exchange algorithms, we'll need to deal with each
6797 * one seprately.
6798 */
6799 if ((kea_def->kea == kea_ecdhe_rsa) ||
6800 (kea_def->kea == kea_ecdhe_ecdsa)) {
6801 if (ss->ephemeralECDHKeyPair != NULL) {
6802 serverKeyPair = ss->ephemeralECDHKeyPair;
6803 if (serverKeyPair->pubKey) {
6804 ss->sec.keaKeyBits =
6805 SECKEY_PublicKeyStrengthInBits(serverKeyPair->pubKey);
6806 }
6807 }
6808 } else
6809 #endif
6810 {
6811 sslServerCerts * sc = ss->serverCerts + kea_def->exchKeyType;
6812 serverKeyPair = sc->serverKeyPair;
6813 ss->sec.keaKeyBits = sc->serverKeyBits;
6814 }
6815
6816 if (serverKeyPair) {
6817 serverKey = serverKeyPair->privKey;
6818 }
6819
6820 if (serverKey == NULL) {
6821 SEND_ALERT
6822 PORT_SetError(SSL_ERROR_NO_SERVER_KEY_FOR_ALG);
6823 return SECFailure;
6824 }
6825
6826 ss->sec.keaType = kea_def->exchKeyType;
6827
6828 switch (kea_def->exchKeyType) {
6829 case kt_rsa:
6830 rv = ssl3_HandleRSAClientKeyExchange(ss, b, length, serverKey);
6831 if (rv != SECSuccess) {
6832 SEND_ALERT
6833 return SECFailure; /* error code set */
6834 }
6835 break;
6836
6837
6838 #ifdef NSS_ENABLE_ECC
6839 case kt_ecdh:
6840 /* XXX We really ought to be able to store multiple
6841 * EC certs (a requirement if we wish to support both
6842 * ECDH-RSA and ECDH-ECDSA key exchanges concurrently).
6843 * When we make that change, we'll need an index other
6844 * than kt_ecdh to pick the right EC certificate.
6845 */
6846 if (serverKeyPair) {
6847 serverPubKey = serverKeyPair->pubKey;
6848 }
6849 if (serverPubKey == NULL) {
6850 /* XXX Is this the right error code? */
6851 PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
6852 return SECFailure;
6853 }
6854 rv = ssl3_HandleECDHClientKeyExchange(ss, b, length,
6855 serverPubKey, serverKey);
6856 if (rv != SECSuccess) {
6857 return SECFailure; /* error code set */
6858 }
6859 break;
6860 #endif /* NSS_ENABLE_ECC */
6861
6862 default:
6863 (void) ssl3_HandshakeFailure(ss);
6864 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
6865 return SECFailure;
6866 }
6867 ss->ssl3.hs.ws = ss->sec.peerCert ? wait_cert_verify : wait_change_cipher;
6868 return SECSuccess;
6869
6870 }
6871
6872 /* This is TLS's equivalent of sending a no_certificate alert. */
6873 static SECStatus
6874 ssl3_SendEmptyCertificate(sslSocket *ss)
6875 {
6876 SECStatus rv;
6877
6878 rv = ssl3_AppendHandshakeHeader(ss, certificate, 3);
6879 if (rv == SECSuccess) {
6880 rv = ssl3_AppendHandshakeNumber(ss, 0, 3);
6881 }
6882 return rv; /* error, if any, set by functions called above. */
6883 }
6884
6885 SECStatus
6886 ssl3_HandleNewSessionTicket(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
6887 {
6888 SECStatus rv;
6889 NewSessionTicket session_ticket;
6890
6891 SSL_TRC(3, ("%d: SSL3[%d]: handle session_ticket handshake",
6892 SSL_GETPID(), ss->fd));
6893
6894 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
6895 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
6896
6897 if (ss->ssl3.hs.ws != wait_new_session_ticket) {
6898 SSL3_SendAlert(ss, alert_fatal, unexpected_message);
6899 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET);
6900 return SECFailure;
6901 }
6902
6903 session_ticket.received_timestamp = ssl_Time();
6904 if (length < 4) {
6905 (void)SSL3_SendAlert(ss, alert_fatal, decode_error);
6906 PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET);
6907 return SECFailure;
6908 }
6909 session_ticket.ticket_lifetime_hint =
6910 (PRUint32)ssl3_ConsumeHandshakeNumber(ss, 4, &b, &length);
6911
6912 rv = ssl3_ConsumeHandshakeVariable(ss, &session_ticket.ticket, 2,
6913 &b, &length);
6914 if (length != 0 || rv != SECSuccess) {
6915 (void)SSL3_SendAlert(ss, alert_fatal, decode_error);
6916 PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET);
6917 return SECFailure; /* malformed */
6918 }
6919
6920 rv = ssl3_SetSIDSessionTicket(ss->sec.ci.sid, &session_ticket);
6921 if (rv != SECSuccess) {
6922 (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure);
6923 PORT_SetError(SSL_ERROR_INTERNAL_ERROR_ALERT);
6924 return SECFailure;
6925 }
6926 ss->ssl3.hs.ws = wait_change_cipher;
6927 return SECSuccess;
6928 }
6929
6930 #ifdef NISCC_TEST
6931 static PRInt32 connNum = 0;
6932
6933 static SECStatus
6934 get_fake_cert(SECItem *pCertItem, int *pIndex)
6935 {
6936 PRFileDesc *cf;
6937 char * testdir;
6938 char * startat;
6939 char * stopat;
6940 const char *extension;
6941 int fileNum;
6942 PRInt32 numBytes = 0;
6943 PRStatus prStatus;
6944 PRFileInfo info;
6945 char cfn[100];
6946
6947 pCertItem->data = 0;
6948 if ((testdir = PR_GetEnv("NISCC_TEST")) == NULL) {
6949 return SECSuccess;
6950 }
6951 *pIndex = (NULL != strstr(testdir, "root"));
6952 extension = (strstr(testdir, "simple") ? "" : ".der");
6953 fileNum = PR_AtomicIncrement(&connNum) - 1;
6954 if ((startat = PR_GetEnv("START_AT")) != NULL) {
6955 fileNum += atoi(startat);
6956 }
6957 if ((stopat = PR_GetEnv("STOP_AT")) != NULL &&
6958 fileNum >= atoi(stopat)) {
6959 *pIndex = -1;
6960 return SECSuccess;
6961 }
6962 sprintf(cfn, "%s/%08d%s", testdir, fileNum, extension);
6963 cf = PR_Open(cfn, PR_RDONLY, 0);
6964 if (!cf) {
6965 goto loser;
6966 }
6967 prStatus = PR_GetOpenFileInfo(cf, &info);
6968 if (prStatus != PR_SUCCESS) {
6969 PR_Close(cf);
6970 goto loser;
6971 }
6972 pCertItem = SECITEM_AllocItem(NULL, pCertItem, info.size);
6973 if (pCertItem) {
6974 numBytes = PR_Read(cf, pCertItem->data, info.size);
6975 }
6976 PR_Close(cf);
6977 if (numBytes != info.size) {
6978 SECITEM_FreeItem(pCertItem, PR_FALSE);
6979 PORT_SetError(SEC_ERROR_IO);
6980 goto loser;
6981 }
6982 fprintf(stderr, "using %s\n", cfn);
6983 return SECSuccess;
6984
6985 loser:
6986 fprintf(stderr, "failed to use %s\n", cfn);
6987 *pIndex = -1;
6988 return SECFailure;
6989 }
6990 #endif
6991
6992 /*
6993 * Used by both client and server.
6994 * Called from HandleServerHelloDone and from SendServerHelloSequence.
6995 */
6996 static SECStatus
6997 ssl3_SendCertificate(sslSocket *ss)
6998 {
6999 SECStatus rv;
7000 CERTCertificateList *certChain;
7001 int len = 0;
7002 int i;
7003 SSL3KEAType certIndex;
7004 #ifdef NISCC_TEST
7005 SECItem fakeCert;
7006 int ndex = -1;
7007 #endif
7008
7009 SSL_TRC(3, ("%d: SSL3[%d]: send certificate handshake",
7010 SSL_GETPID(), ss->fd));
7011
7012 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
7013 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
7014
7015 if (ss->sec.localCert)
7016 CERT_DestroyCertificate(ss->sec.localCert);
7017 if (ss->sec.isServer) {
7018 sslServerCerts * sc = NULL;
7019
7020 /* XXX SSLKEAType isn't really a good choice for
7021 * indexing certificates (it breaks when we deal
7022 * with (EC)DHE-* cipher suites. This hack ensures
7023 * the RSA cert is picked for (EC)DHE-RSA.
7024 * Revisit this when we add server side support
7025 * for ECDHE-ECDSA or client-side authentication
7026 * using EC certificates.
7027 */
7028 if ((ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) ||
7029 (ss->ssl3.hs.kea_def->kea == kea_dhe_rsa)) {
7030 certIndex = kt_rsa;
7031 } else {
7032 certIndex = ss->ssl3.hs.kea_def->exchKeyType;
7033 }
7034 sc = ss->serverCerts + certIndex;
7035 certChain = sc->serverCertChain;
7036 ss->sec.authKeyBits = sc->serverKeyBits;
7037 ss->sec.authAlgorithm = ss->ssl3.hs.kea_def->signKeyType;
7038 ss->sec.localCert = CERT_DupCertificate(sc->serverCert);
7039 } else {
7040 certChain = ss->ssl3.clientCertChain;
7041 ss->sec.localCert = CERT_DupCertificate(ss->ssl3.clientCertificate);
7042 }
7043
7044 #ifdef NISCC_TEST
7045 rv = get_fake_cert(&fakeCert, &ndex);
7046 #endif
7047
7048 if (certChain) {
7049 for (i = 0; i < certChain->len; i++) {
7050 #ifdef NISCC_TEST
7051 if (fakeCert.len > 0 && i == ndex) {
7052 len += fakeCert.len + 3;
7053 } else {
7054 len += certChain->certs[i].len + 3;
7055 }
7056 #else
7057 len += certChain->certs[i].len + 3;
7058 #endif
7059 }
7060 }
7061
7062 rv = ssl3_AppendHandshakeHeader(ss, certificate, len + 3);
7063 if (rv != SECSuccess) {
7064 return rv; /* err set by AppendHandshake. */
7065 }
7066 rv = ssl3_AppendHandshakeNumber(ss, len, 3);
7067 if (rv != SECSuccess) {
7068 return rv; /* err set by AppendHandshake. */
7069 }
7070 if (certChain) {
7071 for (i = 0; i < certChain->len; i++) {
7072 #ifdef NISCC_TEST
7073 if (fakeCert.len > 0 && i == ndex) {
7074 rv = ssl3_AppendHandshakeVariable(ss, fakeCert.data,
7075 fakeCert.len, 3);
7076 SECITEM_FreeItem(&fakeCert, PR_FALSE);
7077 } else {
7078 rv = ssl3_AppendHandshakeVariable(ss, certChain->certs[i].data,
7079 certChain->certs[i].len, 3);
7080 }
7081 #else
7082 rv = ssl3_AppendHandshakeVariable(ss, certChain->certs[i].data,
7083 certChain->certs[i].len, 3);
7084 #endif
7085 if (rv != SECSuccess) {
7086 return rv; /* err set by AppendHandshake. */
7087 }
7088 }
7089 }
7090
7091 return SECSuccess;
7092 }
7093
7094 /* This is used to delete the CA certificates in the peer certificate chain
7095 * from the cert database after they've been validated.
7096 */
7097 static void
7098 ssl3_CleanupPeerCerts(sslSocket *ss)
7099 {
7100 PRArenaPool * arena = ss->ssl3.peerCertArena;
7101 ssl3CertNode *certs = (ssl3CertNode *)ss->ssl3.peerCertChain;
7102
7103 for (; certs; certs = certs->next) {
7104 CERT_DestroyCertificate(certs->cert);
7105 }
7106 if (arena) PORT_FreeArena(arena, PR_FALSE);
7107 ss->ssl3.peerCertArena = NULL;
7108 ss->ssl3.peerCertChain = NULL;
7109 }
7110
7111 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
7112 * ssl3 Certificate message.
7113 * Caller must hold Handshake and RecvBuf locks.
7114 */
7115 static SECStatus
7116 ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
7117 {
7118 ssl3CertNode * c;
7119 ssl3CertNode * certs = NULL;
7120 PRArenaPool * arena = NULL;
7121 CERTCertificate *cert;
7122 PRInt32 remaining = 0;
7123 PRInt32 size;
7124 SECStatus rv;
7125 PRBool isServer = (PRBool)(!!ss->sec.isServer);
7126 PRBool trusted = PR_FALSE;
7127 PRBool isTLS;
7128 SSL3AlertDescription desc = bad_certificate;
7129 int errCode = SSL_ERROR_RX_MALFORMED_CERTIFICATE;
7130 SECItem certItem;
7131
7132 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate handshake",
7133 SSL_GETPID(), ss->fd));
7134 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
7135 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
7136
7137 if ((ss->ssl3.hs.ws != wait_server_cert) &&
7138 (ss->ssl3.hs.ws != wait_client_cert)) {
7139 desc = unexpected_message;
7140 errCode = SSL_ERROR_RX_UNEXPECTED_CERTIFICATE;
7141 goto alert_loser;
7142 }
7143
7144 if (ss->sec.peerCert != NULL) {
7145 if (ss->sec.peerKey) {
7146 SECKEY_DestroyPublicKey(ss->sec.peerKey);
7147 ss->sec.peerKey = NULL;
7148 }
7149 CERT_DestroyCertificate(ss->sec.peerCert);
7150 ss->sec.peerCert = NULL;
7151 }
7152
7153 ssl3_CleanupPeerCerts(ss);
7154 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
7155
7156 /* It is reported that some TLS client sends a Certificate message
7157 ** with a zero-length message body. We'll treat that case like a
7158 ** normal no_certificates message to maximize interoperability.
7159 */
7160 if (length) {
7161 remaining = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
7162 if (remaining < 0)
7163 goto loser; /* fatal alert already sent by ConsumeHandshake. */
7164 if ((PRUint32)remaining > length)
7165 goto decode_loser;
7166 }
7167
7168 if (!remaining) {
7169 if (!(isTLS && isServer))
7170 goto alert_loser;
7171 /* This is TLS's version of a no_certificate alert. */
7172 /* I'm a server. I've requested a client cert. He hasn't got one. */
7173 rv = ssl3_HandleNoCertificate(ss);
7174 if (rv != SECSuccess) {
7175 errCode = PORT_GetError();
7176 goto loser;
7177 }
7178 goto cert_block;
7179 }
7180
7181 ss->ssl3.peerCertArena = arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
7182 if ( arena == NULL ) {
7183 goto loser; /* don't send alerts on memory errors */
7184 }
7185
7186 /* First get the peer cert. */
7187 remaining -= 3;
7188 if (remaining < 0)
7189 goto decode_loser;
7190
7191 size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
7192 if (size <= 0)
7193 goto loser; /* fatal alert already sent by ConsumeHandshake. */
7194
7195 if (remaining < size)
7196 goto decode_loser;
7197
7198 certItem.data = b;
7199 certItem.len = size;
7200 b += size;
7201 length -= size;
7202 remaining -= size;
7203
7204 ss->sec.peerCert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
7205 PR_FALSE, PR_TRUE);
7206 if (ss->sec.peerCert == NULL) {
7207 /* We should report an alert if the cert was bad, but not if the
7208 * problem was just some local problem, like memory error.
7209 */
7210 goto ambiguous_err;
7211 }
7212
7213 /* Now get all of the CA certs. */
7214 while (remaining > 0) {
7215 remaining -= 3;
7216 if (remaining < 0)
7217 goto decode_loser;
7218
7219 size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
7220 if (size <= 0)
7221 goto loser; /* fatal alert already sent by ConsumeHandshake. */
7222
7223 if (remaining < size)
7224 goto decode_loser;
7225
7226 certItem.data = b;
7227 certItem.len = size;
7228 b += size;
7229 length -= size;
7230 remaining -= size;
7231
7232 c = PORT_ArenaNew(arena, ssl3CertNode);
7233 if (c == NULL) {
7234 goto loser; /* don't send alerts on memory errors */
7235 }
7236
7237 c->cert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
7238 PR_FALSE, PR_TRUE);
7239 if (c->cert == NULL) {
7240 goto ambiguous_err;
7241 }
7242
7243 if (c->cert->trust)
7244 trusted = PR_TRUE;
7245
7246 c->next = certs;
7247 certs = c;
7248 }
7249
7250 if (remaining != 0)
7251 goto decode_loser;
7252
7253 SECKEY_UpdateCertPQG(ss->sec.peerCert);
7254
7255 /*
7256 * Ask caller-supplied callback function to validate cert chain.
7257 */
7258 rv = (SECStatus)(*ss->authCertificate)(ss->authCertificateArg, ss->fd,
7259 PR_TRUE, isServer);
7260 if (rv) {
7261 errCode = PORT_GetError();
7262 if (!ss->handleBadCert) {
7263 goto bad_cert;
7264 }
7265 rv = (SECStatus)(*ss->handleBadCert)(ss->badCertArg, ss->fd);
7266 if ( rv ) {
7267 if ( rv == SECWouldBlock ) {
7268 /* someone will handle this connection asynchronously*/
7269 SSL_DBG(("%d: SSL3[%d]: go to async cert handler",
7270 SSL_GETPID(), ss->fd));
7271 ss->ssl3.peerCertChain = certs;
7272 certs = NULL;
7273 ssl_SetAlwaysBlock(ss);
7274 goto cert_block;
7275 }
7276 /* cert is bad */
7277 goto bad_cert;
7278 }
7279 /* cert is good */
7280 }
7281
7282 /* start SSL Step Up, if appropriate */
7283 cert = ss->sec.peerCert;
7284 if (!isServer &&
7285 ssl3_global_policy_some_restricted &&
7286 ss->ssl3.policy == SSL_ALLOWED &&
7287 anyRestrictedEnabled(ss) &&
7288 SECSuccess == CERT_VerifyCertNow(cert->dbhandle, cert,
7289 PR_FALSE, /* checkSig */
7290 certUsageSSLServerWithStepUp,
7291 /*XXX*/ ss->authCertificateArg) ) {
7292 ss->ssl3.policy = SSL_RESTRICTED;
7293 ss->ssl3.hs.rehandshake = PR_TRUE;
7294 }
7295
7296 ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
7297
7298 if (!ss->sec.isServer) {
7299 /* set the server authentication and key exchange types and sizes
7300 ** from the value in the cert. If the key exchange key is different,
7301 ** it will get fixed when we handle the server key exchange message.
7302 */
7303 SECKEYPublicKey * pubKey = CERT_ExtractPublicKey(cert);
7304 ss->sec.authAlgorithm = ss->ssl3.hs.kea_def->signKeyType;
7305 ss->sec.keaType = ss->ssl3.hs.kea_def->exchKeyType;
7306 if (pubKey) {
7307 ss->sec.keaKeyBits = ss->sec.authKeyBits =
7308 SECKEY_PublicKeyStrengthInBits(pubKey);
7309 #ifdef NSS_ENABLE_ECC
7310 if (ss->sec.keaType == kt_ecdh) {
7311 /* Get authKeyBits from signing key.
7312 * XXX The code below uses a quick approximation of
7313 * key size based on cert->signatureWrap.signature.data
7314 * (which contains the DER encoded signature). The field
7315 * cert->signatureWrap.signature.len contains the
7316 * length of the encoded signature in bits.
7317 */
7318 if (ss->ssl3.hs.kea_def->kea == kea_ecdh_ecdsa) {
7319 ss->sec.authKeyBits =
7320 cert->signatureWrap.signature.data[3]*8;
7321 if (cert->signatureWrap.signature.data[4] == 0x00)
7322 ss->sec.authKeyBits -= 8;
7323 /*
7324 * XXX: if cert is not signed by ecdsa we should
7325 * destroy pubKey and goto bad_cert
7326 */
7327 } else if (ss->ssl3.hs.kea_def->kea == kea_ecdh_rsa) {
7328 ss->sec.authKeyBits = cert->signatureWrap.signature.len;
7329 /*
7330 * XXX: if cert is not signed by rsa we should
7331 * destroy pubKey and goto bad_cert
7332 */
7333 }
7334 }
7335 #endif /* NSS_ENABLE_ECC */
7336 SECKEY_DestroyPublicKey(pubKey);
7337 pubKey = NULL;
7338 }
7339 }
7340
7341 ss->ssl3.peerCertChain = certs; certs = NULL; arena = NULL;
7342
7343 cert_block:
7344 if (ss->sec.isServer) {
7345 ss->ssl3.hs.ws = wait_client_key;
7346 } else {
7347 ss->ssl3.hs.ws = wait_cert_request; /* disallow server_key_exchange */
7348 if (ss->ssl3.hs.kea_def->is_limited ||
7349 /* XXX OR server cert is signing only. */
7350 #ifdef NSS_ENABLE_ECC
7351 ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa ||
7352 ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa ||
7353 #endif /* NSS_ENABLE_ECC */
7354 ss->ssl3.hs.kea_def->exchKeyType == kt_dh) {
7355 ss->ssl3.hs.ws = wait_server_key; /* allow server_key_exchange */
7356 }
7357 }
7358
7359 /* rv must normally be equal to SECSuccess here. If we called
7360 * handleBadCert, it can also be SECWouldBlock.
7361 */
7362 return rv;
7363
7364 ambiguous_err:
7365 errCode = PORT_GetError();
7366 switch (errCode) {
7367 case PR_OUT_OF_MEMORY_ERROR:
7368 case SEC_ERROR_BAD_DATABASE:
7369 case SEC_ERROR_NO_MEMORY:
7370 if (isTLS) {
7371 desc = internal_error;
7372 goto alert_loser;
7373 }
7374 goto loser;
7375 }
7376 /* fall through to bad_cert. */
7377
7378 bad_cert: /* caller has set errCode. */
7379 switch (errCode) {
7380 case SEC_ERROR_LIBRARY_FAILURE: desc = unsupported_certificate; break;
7381 case SEC_ERROR_EXPIRED_CERTIFICATE: desc = certificate_expired; break;
7382 case SEC_ERROR_REVOKED_CERTIFICATE: desc = certificate_revoked; break;
7383 case SEC_ERROR_INADEQUATE_KEY_USAGE:
7384 case SEC_ERROR_INADEQUATE_CERT_TYPE:
7385 desc = certificate_unknown; break;
7386 case SEC_ERROR_UNTRUSTED_CERT:
7387 desc = isTLS ? access_denied : certificate_unknown; break;
7388 case SEC_ERROR_UNKNOWN_ISSUER:
7389 case SEC_ERROR_UNTRUSTED_ISSUER:
7390 desc = isTLS ? unknown_ca : certificate_unknown; break;
7391 case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
7392 desc = isTLS ? unknown_ca : certificate_expired; break;
7393
7394 case SEC_ERROR_CERT_NOT_IN_NAME_SPACE:
7395 case SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID:
7396 case SEC_ERROR_CA_CERT_INVALID:
7397 case SEC_ERROR_BAD_SIGNATURE:
7398 default: desc = bad_certificate; break;
7399 }
7400 SSL_DBG(("%d: SSL3[%d]: peer certificate is no good: error=%d",
7401 SSL_GETPID(), ss->fd, errCode));
7402
7403 goto alert_loser;
7404
7405 decode_loser:
7406 desc = isTLS ? decode_error : bad_certificate;
7407
7408 alert_loser:
7409 (void)SSL3_SendAlert(ss, alert_fatal, desc);
7410
7411 loser:
7412 ss->ssl3.peerCertChain = certs; certs = NULL; arena = NULL;
7413 ssl3_CleanupPeerCerts(ss);
7414
7415 if (ss->sec.peerCert != NULL) {
7416 CERT_DestroyCertificate(ss->sec.peerCert);
7417 ss->sec.peerCert = NULL;
7418 }
7419 (void)ssl_MapLowLevelError(errCode);
7420 return SECFailure;
7421 }
7422
7423
7424 /* restart an SSL connection that we stopped to run certificate dialogs
7425 ** XXX Need to document here how an application marks a cert to show that
7426 ** the application has accepted it (overridden CERT_VerifyCert).
7427 *
7428 * XXX This code only works on the initial handshake on a connection, XXX
7429 * It does not work on a subsequent handshake (redo).
7430 *
7431 * Return value: XXX
7432 *
7433 * Caller holds 1stHandshakeLock.
7434 */
7435 int
7436 ssl3_RestartHandshakeAfterServerCert(sslSocket *ss)
7437 {
7438 CERTCertificate * cert;
7439 int rv = SECSuccess;
7440
7441 if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_3_0)) {
7442 SET_ERROR_CODE
7443 return SECFailure;
7444 }
7445 if (!ss->ssl3.initialized) {
7446 SET_ERROR_CODE
7447 return SECFailure;
7448 }
7449
7450 cert = ss->sec.peerCert;
7451
7452 /* Permit step up if user decided to accept the cert */
7453 if (!ss->sec.isServer &&
7454 ssl3_global_policy_some_restricted &&
7455 ss->ssl3.policy == SSL_ALLOWED &&
7456 anyRestrictedEnabled(ss) &&
7457 (SECSuccess == CERT_VerifyCertNow(cert->dbhandle, cert,
7458 PR_FALSE, /* checksig */
7459 certUsageSSLServerWithStepUp,
7460 /*XXX*/ ss->authCertificateArg) )) {
7461 ss->ssl3.policy = SSL_RESTRICTED;
7462 ss->ssl3.hs.rehandshake = PR_TRUE;
7463 }
7464
7465 if (ss->handshake != NULL) {
7466 ss->handshake = ssl_GatherRecord1stHandshake;
7467 ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
7468
7469 ssl_GetRecvBufLock(ss);
7470 if (ss->ssl3.hs.msgState.buf != NULL) {
7471 rv = ssl3_HandleRecord(ss, NULL, &ss->gs.buf);
7472 }
7473 ssl_ReleaseRecvBufLock(ss);
7474 }
7475
7476 return rv;
7477 }
7478
7479 static SECStatus
7480 ssl3_ComputeTLSFinished(ssl3CipherSpec *spec,
7481 PRBool isServer,
7482 const SSL3Finished * hashes,
7483 TLSFinished * tlsFinished)
7484 {
7485 const char * label;
7486 unsigned int len;
7487 SECStatus rv;
7488
7489 label = isServer ? "server finished" : "client finished";
7490 len = 15;
7491
7492 if (spec->master_secret && !spec->bypassCiphers) {
7493 SECItem param = {siBuffer, NULL, 0};
7494 PK11Context *prf_context =
7495 PK11_CreateContextBySymKey(CKM_TLS_PRF_GENERAL, CKA_SIGN,
7496 spec->master_secret, &param);
7497 if (!prf_context)
7498 return SECFailure;
7499
7500 rv = PK11_DigestBegin(prf_context);
7501 rv |= PK11_DigestOp(prf_context, (const unsigned char *) label, len);
7502 rv |= PK11_DigestOp(prf_context, hashes->md5, sizeof *hashes);
7503 rv |= PK11_DigestFinal(prf_context, tlsFinished->verify_data,
7504 &len, sizeof tlsFinished->verify_data);
7505 PORT_Assert(rv != SECSuccess || len == sizeof *tlsFinished);
7506
7507 PK11_DestroyContext(prf_context, PR_TRUE);
7508 } else {
7509 /* bypass PKCS11 */
7510 SECItem inData = { siBuffer, };
7511 SECItem outData = { siBuffer, };
7512 PRBool isFIPS = PR_FALSE;
7513
7514 inData.data = (unsigned char *)hashes->md5;
7515 inData.len = sizeof hashes[0];
7516 outData.data = tlsFinished->verify_data;
7517 outData.len = sizeof tlsFinished->verify_data;
7518 rv = TLS_PRF(&spec->msItem, label, &inData, &outData, isFIPS);
7519 PORT_Assert(rv != SECSuccess || \
7520 outData.len == sizeof tlsFinished->verify_data);
7521 }
7522 return rv;
7523 }
7524
7525 /* called from ssl3_HandleServerHelloDone
7526 * ssl3_HandleClientHello
7527 * ssl3_HandleFinished
7528 */
7529 static SECStatus
7530 ssl3_SendFinished(sslSocket *ss, PRInt32 flags)
7531 {
7532 ssl3CipherSpec *cwSpec;
7533 PRBool isTLS;
7534 PRBool isServer = ss->sec.isServer;
7535 SECStatus rv;
7536 SSL3Sender sender = isServer ? sender_server : sender_client;
7537 SSL3Finished hashes;
7538 TLSFinished tlsFinished;
7539
7540 SSL_TRC(3, ("%d: SSL3[%d]: send finished handshake", SSL_GETPID(), ss->fd));
7541
7542 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
7543 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
7544
7545 ssl_GetSpecReadLock(ss);
7546 cwSpec = ss->ssl3.cwSpec;
7547 isTLS = (PRBool)(cwSpec->version > SSL_LIBRARY_VERSION_3_0);
7548 rv = ssl3_ComputeHandshakeHashes(ss, cwSpec, &hashes, sender);
7549 if (isTLS && rv == SECSuccess) {
7550 rv = ssl3_ComputeTLSFinished(cwSpec, isServer, &hashes, &tlsFinished);
7551 }
7552 ssl_ReleaseSpecReadLock(ss);
7553 if (rv != SECSuccess) {
7554 goto fail; /* err code was set by ssl3_ComputeHandshakeHashes */
7555 }
7556
7557 if (isTLS) {
7558 rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof tlsFinished);
7559 if (rv != SECSuccess)
7560 goto fail; /* err set by AppendHandshake. */
7561 rv = ssl3_AppendHandshake(ss, &tlsFinished, sizeof tlsFinished);
7562 if (rv != SECSuccess)
7563 goto fail; /* err set by AppendHandshake. */
7564 } else {
7565 rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof hashes);
7566 if (rv != SECSuccess)
7567 goto fail; /* err set by AppendHandshake. */
7568 rv = ssl3_AppendHandshake(ss, &hashes, sizeof hashes);
7569 if (rv != SECSuccess)
7570 goto fail; /* err set by AppendHandshake. */
7571 }
7572 rv = ssl3_FlushHandshake(ss, flags);
7573 if (rv != SECSuccess) {
7574 goto fail; /* error code set by ssl3_FlushHandshake */
7575 }
7576 return SECSuccess;
7577
7578 fail:
7579 return rv;
7580 }
7581
7582 /* wrap the master secret, and put it into the SID.
7583 * Caller holds the Spec read lock.
7584 */
7585 SECStatus
7586 ssl3_CacheWrappedMasterSecret(sslSocket *ss, sslSessionID *sid,
7587 ssl3CipherSpec *spec, SSL3KEAType effectiveExchKeyType)
7588 {
7589 PK11SymKey * wrappingKey = NULL;
7590 PK11SlotInfo * symKeySlot;
7591 void * pwArg = ss->pkcs11PinArg;
7592 SECStatus rv = SECFailure;
7593 PRBool isServer = ss->sec.isServer;
7594 CK_MECHANISM_TYPE mechanism = CKM_INVALID_MECHANISM;
7595 symKeySlot = PK11_GetSlotFromKey(spec->master_secret);
7596 if (!isServer) {
7597 int wrapKeyIndex;
7598 int incarnation;
7599
7600 /* these next few functions are mere accessors and don't fail. */
7601 sid->u.ssl3.masterWrapIndex = wrapKeyIndex =
7602 PK11_GetCurrentWrapIndex(symKeySlot);
7603 PORT_Assert(wrapKeyIndex == 0); /* array has only one entry! */
7604
7605 sid->u.ssl3.masterWrapSeries = incarnation =
7606 PK11_GetSlotSeries(symKeySlot);
7607 sid->u.ssl3.masterSlotID = PK11_GetSlotID(symKeySlot);
7608 sid->u.ssl3.masterModuleID = PK11_GetModuleID(symKeySlot);
7609 sid->u.ssl3.masterValid = PR_TRUE;
7610 /* Get the default wrapping key, for wrapping the master secret before
7611 * placing it in the SID cache entry. */
7612 wrappingKey = PK11_GetWrapKey(symKeySlot, wrapKeyIndex,
7613 CKM_INVALID_MECHANISM, incarnation,
7614 pwArg);
7615 if (wrappingKey) {
7616 mechanism = PK11_GetMechanism(wrappingKey); /* can't fail. */
7617 } else {
7618 int keyLength;
7619 /* if the wrappingKey doesn't exist, attempt to create it.
7620 * Note: we intentionally ignore errors here. If we cannot
7621 * generate a wrapping key, it is not fatal to this SSL connection,
7622 * but we will not be able to restart this session.
7623 */
7624 mechanism = PK11_GetBestWrapMechanism(symKeySlot);
7625 keyLength = PK11_GetBestKeyLength(symKeySlot, mechanism);
7626 /* Zero length means fixed key length algorithm, or error.
7627 * It's ambiguous.
7628 */
7629 wrappingKey = PK11_KeyGen(symKeySlot, mechanism, NULL,
7630 keyLength, pwArg);
7631 if (wrappingKey) {
7632 PK11_SetWrapKey(symKeySlot, wrapKeyIndex, wrappingKey);
7633 }
7634 }
7635 } else {
7636 /* server socket using session cache. */
7637 mechanism = PK11_GetBestWrapMechanism(symKeySlot);
7638 if (mechanism != CKM_INVALID_MECHANISM) {
7639 wrappingKey =
7640 getWrappingKey(ss, symKeySlot, effectiveExchKeyType,
7641 mechanism, pwArg);
7642 if (wrappingKey) {
7643 mechanism = PK11_GetMechanism(wrappingKey); /* can't fail. */
7644 }
7645 }
7646 }
7647
7648 sid->u.ssl3.masterWrapMech = mechanism;
7649 PK11_FreeSlot(symKeySlot);
7650
7651 if (wrappingKey) {
7652 SECItem wmsItem;
7653
7654 wmsItem.data = sid->u.ssl3.keys.wrapped_master_secret;
7655 wmsItem.len = sizeof sid->u.ssl3.keys.wrapped_master_secret;
7656 rv = PK11_WrapSymKey(mechanism, NULL, wrappingKey,
7657 spec->master_secret, &wmsItem);
7658 /* rv is examined below. */
7659 sid->u.ssl3.keys.wrapped_master_secret_len = wmsItem.len;
7660 PK11_FreeSymKey(wrappingKey);
7661 }
7662 return rv;
7663 }
7664
7665 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
7666 * ssl3 Finished message from the peer.
7667 * Caller must hold Handshake and RecvBuf locks.
7668 */
7669 static SECStatus
7670 ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
7671 const SSL3Hashes *hashes)
7672 {
7673 sslSessionID * sid = ss->sec.ci.sid;
7674 SECStatus rv = SECSuccess;
7675 PRBool isServer = ss->sec.isServer;
7676 PRBool isTLS;
7677 PRBool doStepUp;
7678 SSL3KEAType effectiveExchKeyType;
7679
7680 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
7681 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
7682
7683 SSL_TRC(3, ("%d: SSL3[%d]: handle finished handshake",
7684 SSL_GETPID(), ss->fd));
7685
7686 if (ss->ssl3.hs.ws != wait_finished) {
7687 SSL3_SendAlert(ss, alert_fatal, unexpected_message);
7688 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_FINISHED);
7689 return SECFailure;
7690 }
7691
7692 isTLS = (PRBool)(ss->ssl3.crSpec->version > SSL_LIBRARY_VERSION_3_0);
7693 if (isTLS) {
7694 TLSFinished tlsFinished;
7695
7696 if (length != sizeof tlsFinished) {
7697 (void)SSL3_SendAlert(ss, alert_fatal, decode_error);
7698 PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED);
7699 return SECFailure;
7700 }
7701 rv = ssl3_ComputeTLSFinished(ss->ssl3.crSpec, !isServer,
7702 hashes, &tlsFinished);
7703 if (rv != SECSuccess ||
7704 0 != PORT_Memcmp(&tlsFinished, b, length)) {
7705 (void)SSL3_SendAlert(ss, alert_fatal, decrypt_error);
7706 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
7707 return SECFailure;
7708 }
7709 } else {
7710 if (length != sizeof(SSL3Hashes)) {
7711 (void)ssl3_IllegalParameter(ss);
7712 PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED);
7713 return SECFailure;
7714 }
7715
7716 if (0 != PORT_Memcmp(hashes, b, length)) {
7717 (void)ssl3_HandshakeFailure(ss);
7718 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
7719 return SECFailure;
7720 }
7721 }
7722
7723 doStepUp = (PRBool)(!isServer && ss->ssl3.hs.rehandshake);
7724
7725 ssl_GetXmitBufLock(ss); /*************************************/
7726
7727 if ((isServer && !ss->ssl3.hs.isResuming) ||
7728 (!isServer && ss->ssl3.hs.isResuming)) {
7729 PRInt32 flags = 0;
7730
7731 /* Send a NewSessionTicket message if the client sent us
7732 * either an empty session ticket, or one that did not verify.
7733 * (Note that if either of these conditions was met, then the
7734 * server has sent a SessionTicket extension in the
7735 * ServerHello message.)
7736 */
7737 if (isServer && !ss->ssl3.hs.isResuming &&
7738 ssl3_ExtensionNegotiated(ss, session_ticket_xtn)) {
7739 rv = ssl3_SendNewSessionTicket(ss);
7740 if (rv != SECSuccess) {
7741 goto xmit_loser;
7742 }
7743 }
7744
7745 rv = ssl3_SendChangeCipherSpecs(ss);
7746 if (rv != SECSuccess) {
7747 goto xmit_loser; /* err is set. */
7748 }
7749 /* If this thread is in SSL_SecureSend (trying to write some data)
7750 ** or if it is going to step up,
7751 ** then set the ssl_SEND_FLAG_FORCE_INTO_BUFFER flag, so that the
7752 ** last two handshake messages (change cipher spec and finished)
7753 ** will be sent in the same send/write call as the application data.
7754 */
7755 if (doStepUp || ss->writerThread == PR_GetCurrentThread()) {
7756 flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER;
7757 }
7758 rv = ssl3_SendFinished(ss, flags);
7759 if (rv != SECSuccess) {
7760 goto xmit_loser; /* err is set. */
7761 }
7762 }
7763
7764 /* Optimization: don't cache this connection if we're going to step up. */
7765 if (doStepUp) {
7766 ssl_FreeSID(sid);
7767 ss->sec.ci.sid = sid = NULL;
7768 ss->ssl3.hs.rehandshake = PR_FALSE;
7769 rv = ssl3_SendClientHello(ss);
7770 xmit_loser:
7771 ssl_ReleaseXmitBufLock(ss);
7772 return rv; /* err code is set if appropriate. */
7773 }
7774
7775 ssl_ReleaseXmitBufLock(ss); /*************************************/
7776
7777 /* The first handshake is now completed. */
7778 ss->handshake = NULL;
7779 ss->firstHsDone = PR_TRUE;
7780 ss->gs.writeOffset = 0;
7781 ss->gs.readOffset = 0;
7782
7783 if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) {
7784 effectiveExchKeyType = kt_rsa;
7785 } else {
7786 effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType;
7787 }
7788
7789 if (sid->cached == never_cached && !ss->opt.noCache && ss->sec.cache) {
7790 /* fill in the sid */
7791 sid->u.ssl3.cipherSuite = ss->ssl3.hs.cipher_suite;
7792 sid->u.ssl3.compression = ss->ssl3.hs.compression;
7793 sid->u.ssl3.policy = ss->ssl3.policy;
7794 #ifdef NSS_ENABLE_ECC
7795 sid->u.ssl3.negotiatedECCurves = ss->ssl3.hs.negotiatedECCurves;
7796 #endif
7797 sid->u.ssl3.exchKeyType = effectiveExchKeyType;
7798 sid->version = ss->version;
7799 sid->authAlgorithm = ss->sec.authAlgorithm;
7800 sid->authKeyBits = ss->sec.authKeyBits;
7801 sid->keaType = ss->sec.keaType;
7802 sid->keaKeyBits = ss->sec.keaKeyBits;
7803 sid->lastAccessTime = sid->creationTime = ssl_Time();
7804 sid->expirationTime = sid->creationTime + ssl3_sid_timeout;
7805 sid->localCert = CERT_DupCertificate(ss->sec.localCert);
7806
7807 ssl_GetSpecReadLock(ss); /*************************************/
7808
7809 /* Copy the master secret (wrapped or unwrapped) into the sid */
7810 if (ss->ssl3.crSpec->msItem.len && ss->ssl3.crSpec->msItem.data) {
7811 sid->u.ssl3.keys.wrapped_master_secret_len =
7812 ss->ssl3.crSpec->msItem.len;
7813 memcpy(sid->u.ssl3.keys.wrapped_master_secret,
7814 ss->ssl3.crSpec->msItem.data, ss->ssl3.crSpec->msItem.len);
7815 sid->u.ssl3.masterValid = PR_TRUE;
7816 sid->u.ssl3.keys.msIsWrapped = PR_FALSE;
7817 rv = SECSuccess;
7818 } else {
7819 rv = ssl3_CacheWrappedMasterSecret(ss, ss->sec.ci.sid,
7820 ss->ssl3.crSpec,
7821 effectiveExchKeyType);
7822 sid->u.ssl3.keys.msIsWrapped = PR_TRUE;
7823 }
7824 ssl_ReleaseSpecReadLock(ss); /*************************************/
7825
7826 /* If the wrap failed, we don't cache the sid.
7827 * The connection continues normally however.
7828 */
7829 if (rv == SECSuccess) {
7830 (*ss->sec.cache)(sid);
7831 }
7832 }
7833 ss->ssl3.hs.ws = idle_handshake;
7834
7835 /* Do the handshake callback for sslv3 here. */
7836 if (ss->handshakeCallback != NULL) {
7837 (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
7838 }
7839
7840 return SECSuccess;
7841 }
7842
7843 /* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3
7844 * hanshake message.
7845 * Caller must hold Handshake and RecvBuf locks.
7846 */
7847 static SECStatus
7848 ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
7849 {
7850 SECStatus rv = SECSuccess;
7851 SSL3HandshakeType type = ss->ssl3.hs.msg_type;
7852 SSL3Hashes hashes; /* computed hashes are put here. */
7853 PRUint8 hdr[4];
7854
7855 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
7856 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
7857 /*
7858 * We have to compute the hashes before we update them with the
7859 * current message.
7860 */
7861 ssl_GetSpecReadLock(ss); /************************************/
7862 if((type == finished) || (type == certificate_verify)) {
7863 SSL3Sender sender = (SSL3Sender)0;
7864 ssl3CipherSpec *rSpec = ss->ssl3.prSpec;
7865
7866 if (type == finished) {
7867 sender = ss->sec.isServer ? sender_client : sender_server;
7868 rSpec = ss->ssl3.crSpec;
7869 }
7870 rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender);
7871 }
7872 ssl_ReleaseSpecReadLock(ss); /************************************/
7873 if (rv != SECSuccess) {
7874 return rv; /* error code was set by ssl3_ComputeHandshakeHashes*/
7875 }
7876 SSL_TRC(30,("%d: SSL3[%d]: handle handshake message: %s", SSL_GETPID(),
7877 ss->fd, ssl3_DecodeHandshakeType(ss->ssl3.hs.msg_type)));
7878 PRINT_BUF(60, (ss, "MD5 handshake hash:",
7879 (unsigned char*)ss->ssl3.hs.md5_cx, MD5_LENGTH));
7880 PRINT_BUF(95, (ss, "SHA handshake hash:",
7881 (unsigned char*)ss->ssl3.hs.sha_cx, SHA1_LENGTH));
7882
7883 hdr[0] = (PRUint8)ss->ssl3.hs.msg_type;
7884 hdr[1] = (PRUint8)(length >> 16);
7885 hdr[2] = (PRUint8)(length >> 8);
7886 hdr[3] = (PRUint8)(length );
7887
7888 /* Start new handshake hashes when we start a new handshake */
7889 if (ss->ssl3.hs.msg_type == client_hello) {
7890 SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes",
7891 SSL_GETPID(), ss->fd ));
7892 rv = ssl3_RestartHandshakeHashes(ss);
7893 if (rv != SECSuccess) {
7894 return rv;
7895 }
7896 }
7897 /* We should not include hello_request messages in the handshake hashes */
7898 if (ss->ssl3.hs.msg_type != hello_request) {
7899 rv = ssl3_UpdateHandshakeHashes(ss, (unsigned char*) hdr, 4);
7900 if (rv != SECSuccess) return rv; /* err code already set. */
7901 rv = ssl3_UpdateHandshakeHashes(ss, b, length);
7902 if (rv != SECSuccess) return rv; /* err code already set. */
7903 }
7904
7905 PORT_SetError(0); /* each message starts with no error. */
7906 switch (ss->ssl3.hs.msg_type) {
7907 case hello_request:
7908 if (length != 0) {
7909 (void)ssl3_DecodeError(ss);
7910 PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_REQUEST);
7911 return SECFailure;
7912 }
7913 if (ss->sec.isServer) {
7914 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
7915 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST);
7916 return SECFailure;
7917 }
7918 rv = ssl3_HandleHelloRequest(ss);
7919 break;
7920 case client_hello:
7921 if (!ss->sec.isServer) {
7922 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
7923 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO);
7924 return SECFailure;
7925 }
7926 rv = ssl3_HandleClientHello(ss, b, length);
7927 break;
7928 case server_hello:
7929 if (ss->sec.isServer) {
7930 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
7931 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO);
7932 return SECFailure;
7933 }
7934 rv = ssl3_HandleServerHello(ss, b, length);
7935 break;
7936 case certificate:
7937 rv = ssl3_HandleCertificate(ss, b, length);
7938 break;
7939 case server_key_exchange:
7940 if (ss->sec.isServer) {
7941 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
7942 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH);
7943 return SECFailure;
7944 }
7945 rv = ssl3_HandleServerKeyExchange(ss, b, length);
7946 break;
7947 case certificate_request:
7948 if (ss->sec.isServer) {
7949 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
7950 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST);
7951 return SECFailure;
7952 }
7953 rv = ssl3_HandleCertificateRequest(ss, b, length);
7954 break;
7955 case server_hello_done:
7956 if (length != 0) {
7957 (void)ssl3_DecodeError(ss);
7958 PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_DONE);
7959 return SECFailure;
7960 }
7961 if (ss->sec.isServer) {
7962 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
7963 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
7964 return SECFailure;
7965 }
7966 rv = ssl3_HandleServerHelloDone(ss);
7967 break;
7968 case certificate_verify:
7969 if (!ss->sec.isServer) {
7970 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
7971 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY);
7972 return SECFailure;
7973 }
7974 rv = ssl3_HandleCertificateVerify(ss, b, length, &hashes);
7975 break;
7976 case client_key_exchange:
7977 if (!ss->sec.isServer) {
7978 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
7979 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH);
7980 return SECFailure;
7981 }
7982 rv = ssl3_HandleClientKeyExchange(ss, b, length);
7983 break;
7984 case new_session_ticket:
7985 if (ss->sec.isServer) {
7986 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
7987 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET);
7988 return SECFailure;
7989 }
7990 rv = ssl3_HandleNewSessionTicket(ss, b, length);
7991 break;
7992 case finished:
7993 rv = ssl3_HandleFinished(ss, b, length, &hashes);
7994 break;
7995 default:
7996 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
7997 PORT_SetError(SSL_ERROR_RX_UNKNOWN_HANDSHAKE);
7998 rv = SECFailure;
7999 }
8000 return rv;
8001 }
8002
8003 /* Called only from ssl3_HandleRecord, for each (deciphered) ssl3 record.
8004 * origBuf is the decrypted ssl record content.
8005 * Caller must hold the handshake and RecvBuf locks.
8006 */
8007 static SECStatus
8008 ssl3_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)
8009 {
8010 /*
8011 * There may be a partial handshake message already in the handshake
8012 * state. The incoming buffer may contain another portion, or a
8013 * complete message or several messages followed by another portion.
8014 *
8015 * Each message is made contiguous before being passed to the actual
8016 * message parser.
8017 */
8018 sslBuffer *buf = &ss->ssl3.hs.msgState; /* do not lose the original buffer pointer */
8019 SECStatus rv;
8020
8021 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
8022 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
8023
8024 if (buf->buf == NULL) {
8025 *buf = *origBuf;
8026 }
8027 while (buf->len > 0) {
8028 if (ss->ssl3.hs.header_bytes < 4) {
8029 uint8 t;
8030 t = *(buf->buf++);
8031 buf->len--;
8032 if (ss->ssl3.hs.header_bytes++ == 0)
8033 ss->ssl3.hs.msg_type = (SSL3HandshakeType)t;
8034 else
8035 ss->ssl3.hs.msg_len = (ss->ssl3.hs.msg_len << 8) + t;
8036 if (ss->ssl3.hs.header_bytes < 4)
8037 continue;
8038
8039 #define MAX_HANDSHAKE_MSG_LEN 0x1ffff /* 128k - 1 */
8040 if (ss->ssl3.hs.msg_len > MAX_HANDSHAKE_MSG_LEN) {
8041 (void)ssl3_DecodeError(ss);
8042 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
8043 return SECFailure;
8044 }
8045 #undef MAX_HANDSHAKE_MSG_LEN
8046
8047 /* If msg_len is zero, be sure we fall through,
8048 ** even if buf->len is zero.
8049 */
8050 if (ss->ssl3.hs.msg_len > 0)
8051 continue;
8052 }
8053
8054 /*
8055 * Header has been gathered and there is at least one byte of new
8056 * data available for this message. If it can be done right out
8057 * of the original buffer, then use it from there.
8058 */
8059 if (ss->ssl3.hs.msg_body.len == 0 && buf->len >= ss->ssl3.hs.msg_len) {
8060 /* handle it from input buffer */
8061 rv = ssl3_HandleHandshakeMessage(ss, buf->buf, ss->ssl3.hs.msg_len);
8062 if (rv == SECFailure) {
8063 /* This test wants to fall through on either
8064 * SECSuccess or SECWouldBlock.
8065 * ssl3_HandleHandshakeMessage MUST set the error code.
8066 */
8067 return rv;
8068 }
8069 buf->buf += ss->ssl3.hs.msg_len;
8070 buf->len -= ss->ssl3.hs.msg_len;
8071 ss->ssl3.hs.msg_len = 0;
8072 ss->ssl3.hs.header_bytes = 0;
8073 if (rv != SECSuccess) { /* return if SECWouldBlock. */
8074 return rv;
8075 }
8076 } else {
8077 /* must be copied to msg_body and dealt with from there */
8078 unsigned int bytes;
8079
8080 PORT_Assert(ss->ssl3.hs.msg_body.len <= ss->ssl3.hs.msg_len);
8081 bytes = PR_MIN(buf->len, ss->ssl3.hs.msg_len - ss->ssl3.hs.msg_body.len);
8082
8083 /* Grow the buffer if needed */
8084 rv = sslBuffer_Grow(&ss->ssl3.hs.msg_body, ss->ssl3.hs.msg_len);
8085 if (rv != SECSuccess) {
8086 /* sslBuffer_Grow has set a memory error code. */
8087 return SECFailure;
8088 }
8089
8090 PORT_Memcpy(ss->ssl3.hs.msg_body.buf + ss->ssl3.hs.msg_body.len,
8091 buf->buf, bytes);
8092 ss->ssl3.hs.msg_body.len += bytes;
8093 buf->buf += bytes;
8094 buf->len -= bytes;
8095
8096 PORT_Assert(ss->ssl3.hs.msg_body.len <= ss->ssl3.hs.msg_len);
8097
8098 /* if we have a whole message, do it */
8099 if (ss->ssl3.hs.msg_body.len == ss->ssl3.hs.msg_len) {
8100 rv = ssl3_HandleHandshakeMessage(
8101 ss, ss->ssl3.hs.msg_body.buf, ss->ssl3.hs.msg_len);
8102 /*
8103 * XXX This appears to be wrong. This error handling
8104 * should clean up after a SECWouldBlock return, like the
8105 * error handling used 40 lines before/above this one,
8106 */
8107 if (rv != SECSuccess) {
8108 /* ssl3_HandleHandshakeMessage MUST set error code. */
8109 return rv;
8110 }
8111 ss->ssl3.hs.msg_body.len = 0;
8112 ss->ssl3.hs.msg_len = 0;
8113 ss->ssl3.hs.header_bytes = 0;
8114 } else {
8115 PORT_Assert(buf->len == 0);
8116 break;
8117 }
8118 }
8119 } /* end loop */
8120
8121 origBuf->len = 0; /* So ssl3_GatherAppDataRecord will keep looping. */
8122 buf->buf = NULL; /* not a leak. */
8123 return SECSuccess;
8124 }
8125
8126 /* if cText is non-null, then decipher, check MAC, and decompress the
8127 * SSL record from cText->buf (typically gs->inbuf)
8128 * into databuf (typically gs->buf), and any previous contents of databuf
8129 * is lost. Then handle databuf according to its SSL record type,
8130 * unless it's an application record.
8131 *
8132 * If cText is NULL, then the ciphertext has previously been deciphered and
8133 * checked, and is already sitting in databuf. It is processed as an SSL
8134 * Handshake message.
8135 *
8136 * DOES NOT process the decrypted/decompressed application data.
8137 * On return, databuf contains the decrypted/decompressed record.
8138 *
8139 * Called from ssl3_GatherCompleteHandshake
8140 * ssl3_RestartHandshakeAfterCertReq
8141 * ssl3_RestartHandshakeAfterServerCert
8142 *
8143 * Caller must hold the RecvBufLock.
8144 *
8145 * This function aquires and releases the SSL3Handshake Lock, holding the
8146 * lock around any calls to functions that handle records other than
8147 * Application Data records.
8148 */
8149 SECStatus
8150 ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf)
8151 {
8152 const ssl3BulkCipherDef *cipher_def;
8153 ssl3CipherSpec * crSpec;
8154 SECStatus rv;
8155 unsigned int hashBytes = MAX_MAC_LENGTH + 1;
8156 unsigned int padding_length;
8157 PRBool isTLS;
8158 PRBool padIsBad = PR_FALSE;
8159 SSL3ContentType rType;
8160 SSL3Opaque hash[MAX_MAC_LENGTH];
8161
8162 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
8163
8164 if (!ss->ssl3.initialized) {
8165 ssl_GetSSL3HandshakeLock(ss);
8166 rv = ssl3_InitState(ss);
8167 ssl_ReleaseSSL3HandshakeLock(ss);
8168 if (rv != SECSuccess) {
8169 return rv; /* ssl3_InitState has set the error code. */
8170 }
8171 }
8172
8173 /* check for Token Presence */
8174 if (!ssl3_ClientAuthTokenPresent(ss->sec.ci.sid)) {
8175 PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
8176 return SECFailure;
8177 }
8178
8179 /* cText is NULL when we're called from ssl3_RestartHandshakeAfterXXX().
8180 * This implies that databuf holds a previously deciphered SSL Handshake
8181 * message.
8182 */
8183 if (cText == NULL) {
8184 SSL_DBG(("%d: SSL3[%d]: HandleRecord, resuming handshake",
8185 SSL_GETPID(), ss->fd));
8186 rType = content_handshake;
8187 goto process_it;
8188 }
8189
8190 databuf->len = 0; /* filled in by decode call below. */
8191 if (databuf->space < MAX_FRAGMENT_LENGTH) {
8192 rv = sslBuffer_Grow(databuf, MAX_FRAGMENT_LENGTH + 2048);
8193 if (rv != SECSuccess) {
8194 SSL_DBG(("%d: SSL3[%d]: HandleRecord, tried to get %d bytes",
8195 SSL_GETPID(), ss->fd, MAX_FRAGMENT_LENGTH + 2048));
8196 /* sslBuffer_Grow has set a memory error code. */
8197 /* Perhaps we should send an alert. (but we have no memory!) */
8198 return SECFailure;
8199 }
8200 }
8201
8202 PRINT_BUF(80, (ss, "ciphertext:", cText->buf->buf, cText->buf->len));
8203
8204 ssl_GetSpecReadLock(ss); /******************************************/
8205
8206 crSpec = ss->ssl3.crSpec;
8207 cipher_def = crSpec->cipher_def;
8208 isTLS = (PRBool)(crSpec->version > SSL_LIBRARY_VERSION_3_0);
8209
8210 if (isTLS && cText->buf->len > (MAX_FRAGMENT_LENGTH + 2048)) {
8211 ssl_ReleaseSpecReadLock(ss);
8212 SSL3_SendAlert(ss, alert_fatal, record_overflow);
8213 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
8214 return SECFailure;
8215 }
8216 /* decrypt from cText buf to databuf. */
8217 rv = crSpec->decode(
8218 crSpec->decodeContext, databuf->buf, (int *)&databuf->len,
8219 databuf->space, cText->buf->buf, cText->buf->len);
8220
8221 PRINT_BUF(80, (ss, "cleartext:", databuf->buf, databuf->len));
8222 if (rv != SECSuccess) {
8223 int err = ssl_MapLowLevelError(SSL_ERROR_DECRYPTION_FAILURE);
8224 ssl_ReleaseSpecReadLock(ss);
8225 SSL3_SendAlert(ss, alert_fatal,
8226 isTLS ? decryption_failed : bad_record_mac);
8227 PORT_SetError(err);
8228 return SECFailure;
8229 }
8230
8231 /* If it's a block cipher, check and strip the padding. */
8232 if (cipher_def->type == type_block) {
8233 padding_length = *(databuf->buf + databuf->len - 1);
8234 /* TLS permits padding to exceed the block size, up to 255 bytes. */
8235 if (padding_length + 1 + crSpec->mac_size > databuf->len)
8236 padIsBad = PR_TRUE;
8237 /* if TLS, check value of first padding byte. */
8238 else if (padding_length && isTLS &&
8239 padding_length !=
8240 *(databuf->buf + databuf->len - (padding_length + 1)))
8241 padIsBad = PR_TRUE;
8242 else
8243 databuf->len -= padding_length + 1;
8244 }
8245
8246 /* Remove the MAC. */
8247 if (databuf->len >= crSpec->mac_size)
8248 databuf->len -= crSpec->mac_size;
8249 else
8250 padIsBad = PR_TRUE; /* really macIsBad */
8251
8252 /* compute the MAC */
8253 rType = cText->type;
8254 rv = ssl3_ComputeRecordMAC( crSpec, (PRBool)(!ss->sec.isServer),
8255 rType, cText->version, crSpec->read_seq_num,
8256 databuf->buf, databuf->len, hash, &hashBytes);
8257 if (rv != SECSuccess) {
8258 int err = ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
8259 ssl_ReleaseSpecReadLock(ss);
8260 SSL3_SendAlert(ss, alert_fatal, bad_record_mac);
8261 PORT_SetError(err);
8262 return rv;
8263 }
8264
8265 /* Check the MAC */
8266 if (hashBytes != (unsigned)crSpec->mac_size || padIsBad ||
8267 PORT_Memcmp(databuf->buf + databuf->len, hash, crSpec->mac_size) != 0) {
8268 /* must not hold spec lock when calling SSL3_SendAlert. */
8269 ssl_ReleaseSpecReadLock(ss);
8270 SSL3_SendAlert(ss, alert_fatal, bad_record_mac);
8271 /* always log mac error, in case attacker can read server logs. */
8272 PORT_SetError(SSL_ERROR_BAD_MAC_READ);
8273
8274 SSL_DBG(("%d: SSL3[%d]: mac check failed", SSL_GETPID(), ss->fd));
8275
8276 return SECFailure;
8277 }
8278
8279 ssl3_BumpSequenceNumber(&crSpec->read_seq_num);
8280
8281 ssl_ReleaseSpecReadLock(ss); /*****************************************/
8282
8283 /*
8284 * The decrypted data is now in databuf.
8285 *
8286 * the null decompression routine is right here
8287 */
8288
8289 /*
8290 ** Having completed the decompression, check the length again.
8291 */
8292 if (isTLS && databuf->len > (MAX_FRAGMENT_LENGTH + 1024)) {
8293 SSL3_SendAlert(ss, alert_fatal, record_overflow);
8294 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
8295 return SECFailure;
8296 }
8297
8298 /* Application data records are processed by the caller of this
8299 ** function, not by this function.
8300 */
8301 if (rType == content_application_data) {
8302 return SECSuccess;
8303 }
8304
8305 /* It's a record that must be handled by ssl itself, not the application.
8306 */
8307 process_it:
8308 /* XXX Get the xmit lock here. Odds are very high that we'll be xmiting
8309 * data ang getting the xmit lock here prevents deadlocks.
8310 */
8311 ssl_GetSSL3HandshakeLock(ss);
8312
8313 /* All the functions called in this switch MUST set error code if
8314 ** they return SECFailure or SECWouldBlock.
8315 */
8316 switch (rType) {
8317 case content_change_cipher_spec:
8318 rv = ssl3_HandleChangeCipherSpecs(ss, databuf);
8319 break;
8320 case content_alert:
8321 rv = ssl3_HandleAlert(ss, databuf);
8322 break;
8323 case content_handshake:
8324 rv = ssl3_HandleHandshake(ss, databuf);
8325 break;
8326 /*
8327 case content_application_data is handled before this switch
8328 */
8329 default:
8330 SSL_DBG(("%d: SSL3[%d]: bogus content type=%d",
8331 SSL_GETPID(), ss->fd, cText->type));
8332 /* XXX Send an alert ??? */
8333 PORT_SetError(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE);
8334 rv = SECFailure;
8335 break;
8336 }
8337
8338 ssl_ReleaseSSL3HandshakeLock(ss);
8339 return rv;
8340
8341 }
8342
8343 /*
8344 * Initialization functions
8345 */
8346
8347 /* Called from ssl3_InitState, immediately below. */
8348 /* Caller must hold the SpecWriteLock. */
8349 static void
8350 ssl3_InitCipherSpec(sslSocket *ss, ssl3CipherSpec *spec)
8351 {
8352 spec->cipher_def = &bulk_cipher_defs[cipher_null];
8353 PORT_Assert(spec->cipher_def->cipher == cipher_null);
8354 spec->mac_def = &mac_defs[mac_null];
8355 PORT_Assert(spec->mac_def->mac == mac_null);
8356 spec->encode = Null_Cipher;
8357 spec->decode = Null_Cipher;
8358 spec->destroy = NULL;
8359 spec->mac_size = 0;
8360 spec->master_secret = NULL;
8361 spec->bypassCiphers = PR_FALSE;
8362
8363 spec->msItem.data = NULL;
8364 spec->msItem.len = 0;
8365
8366 spec->client.write_key = NULL;
8367 spec->client.write_mac_key = NULL;
8368 spec->client.write_mac_context = NULL;
8369
8370 spec->server.write_key = NULL;
8371 spec->server.write_mac_key = NULL;
8372 spec->server.write_mac_context = NULL;
8373
8374 spec->write_seq_num.high = 0;
8375 spec->write_seq_num.low = 0;
8376
8377 spec->read_seq_num.high = 0;
8378 spec->read_seq_num.low = 0;
8379
8380 spec->version = ss->opt.enableTLS
8381 ? SSL_LIBRARY_VERSION_3_1_TLS
8382 : SSL_LIBRARY_VERSION_3_0;
8383 }
8384
8385 /* Called from: ssl3_SendRecord
8386 ** ssl3_StartHandshakeHash() <- ssl2_BeginClientHandshake()
8387 ** ssl3_SendClientHello()
8388 ** ssl3_HandleServerHello()
8389 ** ssl3_HandleClientHello()
8390 ** ssl3_HandleV2ClientHello()
8391 ** ssl3_HandleRecord()
8392 **
8393 ** This function should perhaps acquire and release the SpecWriteLock.
8394 **
8395 **
8396 */
8397 static SECStatus
8398 ssl3_InitState(sslSocket *ss)
8399 {
8400 SECStatus rv;
8401 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
8402
8403 if (ss->ssl3.initialized)
8404 return SECSuccess; /* Function should be idempotent */
8405
8406 ss->ssl3.policy = SSL_ALLOWED;
8407
8408 ssl_GetSpecWriteLock(ss);
8409 ss->ssl3.crSpec = ss->ssl3.cwSpec = &ss->ssl3.specs[0];
8410 ss->ssl3.prSpec = ss->ssl3.pwSpec = &ss->ssl3.specs[1];
8411 ss->ssl3.hs.rehandshake = PR_FALSE;
8412 ssl3_InitCipherSpec(ss, ss->ssl3.crSpec);
8413 ssl3_InitCipherSpec(ss, ss->ssl3.prSpec);
8414
8415 ss->ssl3.hs.ws = (ss->sec.isServer) ? wait_client_hello : wait_server_hello;
8416 #ifdef NSS_ENABLE_ECC
8417 ss->ssl3.hs.negotiatedECCurves = SSL3_SUPPORTED_CURVES_MASK;
8418 #endif
8419 ssl_ReleaseSpecWriteLock(ss);
8420
8421 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
8422
8423 rv = ssl3_NewHandshakeHashes(ss);
8424 if (rv == SECSuccess) {
8425 ss->ssl3.initialized = PR_TRUE;
8426 }
8427
8428 return rv;
8429 }
8430
8431 /* Returns a reference counted object that contains a key pair.
8432 * Or NULL on failure. Initial ref count is 1.
8433 * Uses the keys in the pair as input.
8434 */
8435 ssl3KeyPair *
8436 ssl3_NewKeyPair( SECKEYPrivateKey * privKey, SECKEYPublicKey * pubKey)
8437 {
8438 ssl3KeyPair * pair;
8439
8440 if (!privKey || !pubKey) {
8441 PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
8442 return NULL;
8443 }
8444 pair = PORT_ZNew(ssl3KeyPair);
8445 if (!pair)
8446 return NULL; /* error code is set. */
8447 pair->refCount = 1;
8448 pair->privKey = privKey;
8449 pair->pubKey = pubKey;
8450 return pair; /* success */
8451 }
8452
8453 ssl3KeyPair *
8454 ssl3_GetKeyPairRef(ssl3KeyPair * keyPair)
8455 {
8456 PR_AtomicIncrement(&keyPair->refCount);
8457 return keyPair;
8458 }
8459
8460 void
8461 ssl3_FreeKeyPair(ssl3KeyPair * keyPair)
8462 {
8463 PRInt32 newCount = PR_AtomicDecrement(&keyPair->refCount);
8464 if (!newCount) {
8465 if (keyPair->privKey)
8466 SECKEY_DestroyPrivateKey(keyPair->privKey);
8467 if (keyPair->pubKey)
8468 SECKEY_DestroyPublicKey( keyPair->pubKey);
8469 PORT_Free(keyPair);
8470 }
8471 }
8472
8473
8474
8475 /*
8476 * Creates the public and private RSA keys for SSL Step down.
8477 * Called from SSL_ConfigSecureServer in sslsecur.c
8478 */
8479 SECStatus
8480 ssl3_CreateRSAStepDownKeys(sslSocket *ss)
8481 {
8482 SECStatus rv = SECSuccess;
8483 SECKEYPrivateKey * privKey; /* RSA step down key */
8484 SECKEYPublicKey * pubKey; /* RSA step down key */
8485
8486 if (ss->stepDownKeyPair)
8487 ssl3_FreeKeyPair(ss->stepDownKeyPair);
8488 ss->stepDownKeyPair = NULL;
8489 #ifndef HACKED_EXPORT_SERVER
8490 /* Sigh, should have a get key strength call for private keys */
8491 if (PK11_GetPrivateModulusLen(ss->serverCerts[kt_rsa].SERVERKEY) >
8492 EXPORT_RSA_KEY_LENGTH) {
8493 /* need to ask for the key size in bits */
8494 privKey = SECKEY_CreateRSAPrivateKey(EXPORT_RSA_KEY_LENGTH * BPB,
8495 &pubKey, NULL);
8496 if (!privKey || !pubKey ||
8497 !(ss->stepDownKeyPair = ssl3_NewKeyPair(privKey, pubKey))) {
8498 ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
8499 rv = SECFailure;
8500 }
8501 }
8502 #endif
8503 return rv;
8504 }
8505
8506
8507 /* record the export policy for this cipher suite */
8508 SECStatus
8509 ssl3_SetPolicy(ssl3CipherSuite which, int policy)
8510 {
8511 ssl3CipherSuiteCfg *suite;
8512
8513 suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
8514 if (suite == NULL) {
8515 return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */
8516 }
8517 suite->policy = policy;
8518
8519 if (policy == SSL_RESTRICTED) {
8520 ssl3_global_policy_some_restricted = PR_TRUE;
8521 }
8522
8523 return SECSuccess;
8524 }
8525
8526 SECStatus
8527 ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *oPolicy)
8528 {
8529 ssl3CipherSuiteCfg *suite;
8530 PRInt32 policy;
8531 SECStatus rv;
8532
8533 suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
8534 if (suite) {
8535 policy = suite->policy;
8536 rv = SECSuccess;
8537 } else {
8538 policy = SSL_NOT_ALLOWED;
8539 rv = SECFailure; /* err code was set by Lookup. */
8540 }
8541 *oPolicy = policy;
8542 return rv;
8543 }
8544
8545 /* record the user preference for this suite */
8546 SECStatus
8547 ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool enabled)
8548 {
8549 ssl3CipherSuiteCfg *suite;
8550
8551 suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
8552 if (suite == NULL) {
8553 return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */
8554 }
8555 suite->enabled = enabled;
8556 return SECSuccess;
8557 }
8558
8559 /* return the user preference for this suite */
8560 SECStatus
8561 ssl3_CipherPrefGetDefault(ssl3CipherSuite which, PRBool *enabled)
8562 {
8563 ssl3CipherSuiteCfg *suite;
8564 PRBool pref;
8565 SECStatus rv;
8566
8567 suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
8568 if (suite) {
8569 pref = suite->enabled;
8570 rv = SECSuccess;
8571 } else {
8572 pref = SSL_NOT_ALLOWED;
8573 rv = SECFailure; /* err code was set by Lookup. */
8574 }
8575 *enabled = pref;
8576 return rv;
8577 }
8578
8579 SECStatus
8580 ssl3_CipherPrefSet(sslSocket *ss, ssl3CipherSuite which, PRBool enabled)
8581 {
8582 ssl3CipherSuiteCfg *suite;
8583
8584 suite = ssl_LookupCipherSuiteCfg(which, ss->cipherSuites);
8585 if (suite == NULL) {
8586 return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */
8587 }
8588 suite->enabled = enabled;
8589 return SECSuccess;
8590 }
8591
8592 SECStatus
8593 ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool *enabled)
8594 {
8595 ssl3CipherSuiteCfg *suite;
8596 PRBool pref;
8597 SECStatus rv;
8598
8599 suite = ssl_LookupCipherSuiteCfg(which, ss->cipherSuites);
8600 if (suite) {
8601 pref = suite->enabled;
8602 rv = SECSuccess;
8603 } else {
8604 pref = SSL_NOT_ALLOWED;
8605 rv = SECFailure; /* err code was set by Lookup. */
8606 }
8607 *enabled = pref;
8608 return rv;
8609 }
8610
8611 /* copy global default policy into socket. */
8612 void
8613 ssl3_InitSocketPolicy(sslSocket *ss)
8614 {
8615 PORT_Memcpy(ss->cipherSuites, cipherSuites, sizeof cipherSuites);
8616 }
8617
8618 /* ssl3_config_match_init must have already been called by
8619 * the caller of this function.
8620 */
8621 SECStatus
8622 ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, unsigned char *cs, int *size)
8623 {
8624 int i, count = 0;
8625
8626 PORT_Assert(ss != 0);
8627 if (!ss) {
8628 PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
8629 return SECFailure;
8630 }
8631 if (!ss->opt.enableSSL3 && !ss->opt.enableTLS) {
8632 *size = 0;
8633 return SECSuccess;
8634 }
8635 if (cs == NULL) {
8636 *size = count_cipher_suites(ss, SSL_ALLOWED, PR_TRUE);
8637 return SECSuccess;
8638 }
8639
8640 /* ssl3_config_match_init was called by the caller of this function. */
8641 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
8642 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
8643 if (config_match(suite, SSL_ALLOWED, PR_TRUE)) {
8644 if (cs != NULL) {
8645 *cs++ = 0x00;
8646 *cs++ = (suite->cipher_suite >> 8) & 0xFF;
8647 *cs++ = suite->cipher_suite & 0xFF;
8648 }
8649 count++;
8650 }
8651 }
8652 *size = count;
8653 return SECSuccess;
8654 }
8655
8656 /*
8657 ** If ssl3 socket has completed the first handshake, and is in idle state,
8658 ** then start a new handshake.
8659 ** If flushCache is true, the SID cache will be flushed first, forcing a
8660 ** "Full" handshake (not a session restart handshake), to be done.
8661 **
8662 ** called from SSL_RedoHandshake(), which already holds the handshake locks.
8663 */
8664 SECStatus
8665 ssl3_RedoHandshake(sslSocket *ss, PRBool flushCache)
8666 {
8667 sslSessionID * sid = ss->sec.ci.sid;
8668 SECStatus rv;
8669
8670 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
8671
8672 if (!ss->firstHsDone ||
8673 ((ss->version >= SSL_LIBRARY_VERSION_3_0) &&
8674 ss->ssl3.initialized &&
8675 (ss->ssl3.hs.ws != idle_handshake))) {
8676 PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED);
8677 return SECFailure;
8678 }
8679 if (sid && flushCache) {
8680 ss->sec.uncache(sid); /* remove it from whichever cache it's in. */
8681 ssl_FreeSID(sid); /* dec ref count and free if zero. */
8682 ss->sec.ci.sid = NULL;
8683 }
8684
8685 ssl_GetXmitBufLock(ss); /**************************************/
8686
8687 /* start off a new handshake. */
8688 rv = (ss->sec.isServer) ? ssl3_SendHelloRequest(ss)
8689 : ssl3_SendClientHello(ss);
8690
8691 ssl_ReleaseXmitBufLock(ss); /**************************************/
8692 return rv;
8693 }
8694
8695 /* Called from ssl_DestroySocketContents() in sslsock.c */
8696 void
8697 ssl3_DestroySSL3Info(sslSocket *ss)
8698 {
8699
8700 if (ss->ssl3.clientCertificate != NULL)
8701 CERT_DestroyCertificate(ss->ssl3.clientCertificate);
8702
8703 if (ss->ssl3.clientPrivateKey != NULL)
8704 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
8705
8706 if (ss->ssl3.peerCertArena != NULL)
8707 ssl3_CleanupPeerCerts(ss);
8708
8709 if (ss->ssl3.clientCertChain != NULL) {
8710 CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
8711 ss->ssl3.clientCertChain = NULL;
8712 }
8713
8714 /* clean up handshake */
8715 if (ss->opt.bypassPKCS11) {
8716 SHA1_DestroyContext((SHA1Context *)ss->ssl3.hs.sha_cx, PR_FALSE);
8717 MD5_DestroyContext((MD5Context *)ss->ssl3.hs.md5_cx, PR_FALSE);
8718 }
8719 if (ss->ssl3.hs.md5) {
8720 PK11_DestroyContext(ss->ssl3.hs.md5,PR_TRUE);
8721 }
8722 if (ss->ssl3.hs.sha) {
8723 PK11_DestroyContext(ss->ssl3.hs.sha,PR_TRUE);
8724 }
8725 if (ss->ssl3.hs.messages.buf) {
8726 PORT_Free(ss->ssl3.hs.messages.buf);
8727 ss->ssl3.hs.messages.buf = NULL;
8728 ss->ssl3.hs.messages.len = 0;
8729 ss->ssl3.hs.messages.space = 0;
8730 }
8731
8732 /* free the SSL3Buffer (msg_body) */
8733 PORT_Free(ss->ssl3.hs.msg_body.buf);
8734
8735 /* free up the CipherSpecs */
8736 ssl3_DestroyCipherSpec(&ss->ssl3.specs[0]);
8737 ssl3_DestroyCipherSpec(&ss->ssl3.specs[1]);
8738
8739 ss->ssl3.initialized = PR_FALSE;
8740 }
8741
8742 /* End of ssl3con.c */
Wine Gecko package