Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(182)

Side by Side Diff: net/third_party/nss/ssl/ssl3con.c

Issue 10424013: Support TLS Channel IDs in NSS (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Update patch file before committing. Created 8 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
OLDNEW
1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ 1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
2 /* 2 /*
3 * SSL3 Protocol 3 * SSL3 Protocol
4 * 4 *
5 * ***** BEGIN LICENSE BLOCK ***** 5 * ***** BEGIN LICENSE BLOCK *****
6 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 6 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
7 * 7 *
8 * The contents of this file are subject to the Mozilla Public License Version 8 * The contents of this file are subject to the Mozilla Public License Version
9 * 1.1 (the "License"); you may not use this file except in compliance with 9 * 1.1 (the "License"); you may not use this file except in compliance with
10 * the License. You may obtain a copy of the License at 10 * the License. You may obtain a copy of the License at
(...skipping 68 matching lines...) Expand 10 before | Expand all | Expand 10 after
79 static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec, 79 static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
80 PK11SlotInfo * serverKeySlot); 80 PK11SlotInfo * serverKeySlot);
81 static SECStatus ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms); 81 static SECStatus ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms);
82 static SECStatus ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss); 82 static SECStatus ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss);
83 static SECStatus ssl3_HandshakeFailure( sslSocket *ss); 83 static SECStatus ssl3_HandshakeFailure( sslSocket *ss);
84 static SECStatus ssl3_InitState( sslSocket *ss); 84 static SECStatus ssl3_InitState( sslSocket *ss);
85 static SECStatus ssl3_SendCertificate( sslSocket *ss); 85 static SECStatus ssl3_SendCertificate( sslSocket *ss);
86 static SECStatus ssl3_SendEmptyCertificate( sslSocket *ss); 86 static SECStatus ssl3_SendEmptyCertificate( sslSocket *ss);
87 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss); 87 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss);
88 static SECStatus ssl3_SendNextProto( sslSocket *ss); 88 static SECStatus ssl3_SendNextProto( sslSocket *ss);
89 static SECStatus ssl3_SendEncryptedExtensions(sslSocket *ss);
89 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags); 90 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags);
90 static SECStatus ssl3_SendServerHello( sslSocket *ss); 91 static SECStatus ssl3_SendServerHello( sslSocket *ss);
91 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss); 92 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss);
92 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss); 93 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss);
93 static SECStatus ssl3_NewHandshakeHashes( sslSocket *ss); 94 static SECStatus ssl3_NewHandshakeHashes( sslSocket *ss);
94 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss, 95 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss,
95 const unsigned char *b, 96 const unsigned char *b,
96 unsigned int l); 97 unsigned int l);
97 static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags); 98 static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags);
98 99
(...skipping 6133 matching lines...) Expand 10 before | Expand all | Expand 10 after
6232 6233
6233 /* XXX: If the server's certificate hasn't been authenticated by this 6234 /* XXX: If the server's certificate hasn't been authenticated by this
6234 * point, then we may be leaking this NPN message to an attacker. 6235 * point, then we may be leaking this NPN message to an attacker.
6235 */ 6236 */
6236 if (!ss->firstHsDone) { 6237 if (!ss->firstHsDone) {
6237 rv = ssl3_SendNextProto(ss); 6238 rv = ssl3_SendNextProto(ss);
6238 if (rv != SECSuccess) { 6239 if (rv != SECSuccess) {
6239 goto loser; /* err code was set. */ 6240 goto loser; /* err code was set. */
6240 } 6241 }
6241 } 6242 }
6243 rv = ssl3_SendEncryptedExtensions(ss);
6244 if (rv != SECSuccess) {
6245 goto loser; /* err code was set. */
6246 }
6242 6247
6243 rv = ssl3_SendFinished(ss, 0); 6248 rv = ssl3_SendFinished(ss, 0);
6244 if (rv != SECSuccess) { 6249 if (rv != SECSuccess) {
6245 goto loser; /* err code was set. */ 6250 goto loser; /* err code was set. */
6246 } 6251 }
6247 6252
6248 ssl_ReleaseXmitBufLock(ss); /*******************************/ 6253 ssl_ReleaseXmitBufLock(ss); /*******************************/
6249 6254
6250 if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn)) 6255 if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn))
6251 ss->ssl3.hs.ws = wait_new_session_ticket; 6256 ss->ssl3.hs.ws = wait_new_session_ticket;
(...skipping 2596 matching lines...) Expand 10 before | Expand all | Expand 10 after
8848 if (rv != SECSuccess) { 8853 if (rv != SECSuccess) {
8849 return rv; /* error code set by AppendHandshake */ 8854 return rv; /* error code set by AppendHandshake */
8850 } 8855 }
8851 rv = ssl3_AppendHandshakeVariable(ss, padding, padding_len, 1); 8856 rv = ssl3_AppendHandshakeVariable(ss, padding, padding_len, 1);
8852 if (rv != SECSuccess) { 8857 if (rv != SECSuccess) {
8853 return rv; /* error code set by AppendHandshake */ 8858 return rv; /* error code set by AppendHandshake */
8854 } 8859 }
8855 return rv; 8860 return rv;
8856 } 8861 }
8857 8862
8863 /* called from ssl3_SendClientSecondRound
8864 * ssl3_HandleFinished
8865 */
8866 static SECStatus
8867 ssl3_SendEncryptedExtensions(sslSocket *ss)
8868 {
8869 static const char CHANNEL_ID_MAGIC[] = "TLS Channel ID signature";
8870 /* This is the ASN.1 prefix for a P-256 public key. Specifically it's:
8871 * SEQUENCE
8872 * SEQUENCE
8873 * OID id-ecPublicKey
8874 * OID prime256v1
8875 * BIT STRING, length 66, 0 trailing bits: 0x04
8876 *
8877 * The 0x04 in the BIT STRING is the prefix for an uncompressed, X9.62
8878 * public key. Following that are the two field elements as 32-byte,
8879 * big-endian numbers, as required by the Channel ID. */
8880 static const unsigned char P256_SPKI_PREFIX[] = {
8881 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86,
8882 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a,
8883 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
8884 0x42, 0x00, 0x04
8885 };
8886 /* ChannelIDs are always 128 bytes long: 64 bytes of P-256 public key and 64
8887 * bytes of ECDSA signature. */
8888 static const int CHANNEL_ID_PUBLIC_KEY_LENGTH = 64;
8889 static const int CHANNEL_ID_LENGTH = 128;
8890
8891 SECStatus rv = SECFailure;
8892 SECItem *spki = NULL;
8893 SSL3Hashes hashes;
8894 const unsigned char *pub_bytes;
8895 unsigned char signed_data[sizeof(CHANNEL_ID_MAGIC) + sizeof(SSL3Hashes)];
8896 unsigned char digest[SHA256_LENGTH];
8897 SECItem digest_item;
8898 unsigned char signature[64];
8899 SECItem signature_item;
8900 SECKEYPrivateKey *channelID = NULL;
8901 SECKEYPublicKey *channelIDPub = NULL;
8902
8903 PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
8904 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
8905
8906 if (ss->getChannelID == NULL ||
8907 !ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn)) {
8908 return SECSuccess;
8909 }
8910
8911 rv = ss->getChannelID(ss->getChannelIDArg, ss->fd,
8912 &channelIDPub, &channelID);
8913 if (rv != SECSuccess) {
8914 PORT_SetError(SSL_ERROR_GET_CHANNEL_ID_FAILED);
8915 goto loser;
8916 }
8917
8918 if (SECKEY_GetPrivateKeyType(channelID) != ecKey ||
8919 PK11_SignatureLen(channelID) != sizeof(signature)) {
8920 PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY);
8921 rv = SECFailure;
8922 goto loser;
8923 }
8924
8925 ssl_GetSpecReadLock(ss);
8926 rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.cwSpec, &hashes, 0);
8927 ssl_ReleaseSpecReadLock(ss);
8928
8929 if (rv != SECSuccess)
8930 goto loser;
8931
8932 rv = ssl3_AppendHandshakeHeader(ss, encrypted_extensions,
8933 2 + 2 + CHANNEL_ID_LENGTH);
8934 if (rv != SECSuccess)
8935 goto loser; /* error code set by AppendHandshakeHeader */
8936 rv = ssl3_AppendHandshakeNumber(ss, ssl_channel_id_xtn, 2);
8937 if (rv != SECSuccess)
8938 goto loser; /* error code set by AppendHandshake */
8939 rv = ssl3_AppendHandshakeNumber(ss, CHANNEL_ID_LENGTH, 2);
8940 if (rv != SECSuccess)
8941 goto loser; /* error code set by AppendHandshake */
8942
8943 spki = SECKEY_EncodeDERSubjectPublicKeyInfo(channelIDPub);
8944
8945 if (spki->len != sizeof(P256_SPKI_PREFIX) + CHANNEL_ID_PUBLIC_KEY_LENGTH ||
8946 memcmp(spki->data, P256_SPKI_PREFIX, sizeof(P256_SPKI_PREFIX) != 0)) {
8947 PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY);
8948 rv = SECFailure;
8949 goto loser;
8950 }
8951
8952 pub_bytes = spki->data + sizeof(P256_SPKI_PREFIX);
8953
8954 memcpy(signed_data, CHANNEL_ID_MAGIC, sizeof(CHANNEL_ID_MAGIC));
8955 memcpy(signed_data + sizeof(CHANNEL_ID_MAGIC), &hashes, sizeof(hashes));
8956
8957 rv = PK11_HashBuf(SEC_OID_SHA256, digest, signed_data, sizeof(signed_data));
8958 if (rv != SECSuccess)
8959 goto loser;
8960
8961 digest_item.data = digest;
8962 digest_item.len = sizeof(digest);
8963
8964 signature_item.data = signature;
8965 signature_item.len = sizeof(signature);
8966
8967 rv = PK11_Sign(channelID, &signature_item, &digest_item);
8968 if (rv != SECSuccess)
8969 goto loser;
8970
8971 rv = ssl3_AppendHandshake(ss, pub_bytes, CHANNEL_ID_PUBLIC_KEY_LENGTH);
8972 if (rv != SECSuccess)
8973 goto loser;
8974 rv = ssl3_AppendHandshake(ss, signature, sizeof(signature));
8975
8976 loser:
8977 if (spki)
8978 SECITEM_FreeItem(spki, PR_TRUE);
8979 if (channelID)
8980 SECKEY_DestroyPrivateKey(channelID);
8981 if (channelIDPub)
8982 SECKEY_DestroyPublicKey(channelIDPub);
8983
8984 return rv;
8985 }
8986
8858 /* called from ssl3_HandleServerHelloDone 8987 /* called from ssl3_HandleServerHelloDone
8859 * ssl3_HandleClientHello 8988 * ssl3_HandleClientHello
8860 * ssl3_HandleFinished 8989 * ssl3_HandleFinished
8861 */ 8990 */
8862 static SECStatus 8991 static SECStatus
8863 ssl3_SendFinished(sslSocket *ss, PRInt32 flags) 8992 ssl3_SendFinished(sslSocket *ss, PRInt32 flags)
8864 { 8993 {
8865 ssl3CipherSpec *cwSpec; 8994 ssl3CipherSpec *cwSpec;
8866 PRBool isTLS; 8995 PRBool isTLS;
8867 PRBool isServer = ss->sec.isServer; 8996 PRBool isServer = ss->sec.isServer;
(...skipping 230 matching lines...) Expand 10 before | Expand all | Expand 10 after
9098 } 9227 }
9099 /* If this thread is in SSL_SecureSend (trying to write some data) 9228 /* If this thread is in SSL_SecureSend (trying to write some data)
9100 ** then set the ssl_SEND_FLAG_FORCE_INTO_BUFFER flag, so that the 9229 ** then set the ssl_SEND_FLAG_FORCE_INTO_BUFFER flag, so that the
9101 ** last two handshake messages (change cipher spec and finished) 9230 ** last two handshake messages (change cipher spec and finished)
9102 ** will be sent in the same send/write call as the application data. 9231 ** will be sent in the same send/write call as the application data.
9103 */ 9232 */
9104 if (ss->writerThread == PR_GetCurrentThread()) { 9233 if (ss->writerThread == PR_GetCurrentThread()) {
9105 flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER; 9234 flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER;
9106 } 9235 }
9107 9236
9108 » if (!isServer && !ss->firstHsDone) { 9237 » if (!isServer) {
9109 » rv = ssl3_SendNextProto(ss); 9238 » if (!ss->firstHsDone) {
9110 » if (rv != SECSuccess) { 9239 » » rv = ssl3_SendNextProto(ss);
9240 » » if (rv != SECSuccess) {
9241 » » goto xmit_loser; /* err code was set. */
9242 » » }
9243 » }
9244 » rv = ssl3_SendEncryptedExtensions(ss);
9245 » if (rv != SECSuccess)
9111 goto xmit_loser; /* err code was set. */ 9246 goto xmit_loser; /* err code was set. */
9112 }
9113 } 9247 }
9114 9248
9115 if (IS_DTLS(ss)) { 9249 if (IS_DTLS(ss)) {
9116 flags |= ssl_SEND_FLAG_NO_RETRANSMIT; 9250 flags |= ssl_SEND_FLAG_NO_RETRANSMIT;
9117 } 9251 }
9118 9252
9119 rv = ssl3_SendFinished(ss, flags); 9253 rv = ssl3_SendFinished(ss, flags);
9120 if (rv != SECSuccess) { 9254 if (rv != SECSuccess) {
9121 goto xmit_loser; /* err is set. */ 9255 goto xmit_loser; /* err is set. */
9122 } 9256 }
(...skipping 1302 matching lines...) Expand 10 before | Expand all | Expand 10 after
10425 PORT_Free(ss->ssl3.hs.recvdFragments.buf); 10559 PORT_Free(ss->ssl3.hs.recvdFragments.buf);
10426 } 10560 }
10427 } 10561 }
10428 10562
10429 ss->ssl3.initialized = PR_FALSE; 10563 ss->ssl3.initialized = PR_FALSE;
10430 10564
10431 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); 10565 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
10432 } 10566 }
10433 10567
10434 /* End of ssl3con.c */ 10568 /* End of ssl3con.c */
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698