| OLD | NEW |
| 1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ | 1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ |
| 2 /* | 2 /* |
| 3 * SSL3 Protocol | 3 * SSL3 Protocol |
| 4 * | 4 * |
| 5 * ***** BEGIN LICENSE BLOCK ***** | 5 * ***** BEGIN LICENSE BLOCK ***** |
| 6 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 6 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
| 7 * | 7 * |
| 8 * The contents of this file are subject to the Mozilla Public License Version | 8 * The contents of this file are subject to the Mozilla Public License Version |
| 9 * 1.1 (the "License"); you may not use this file except in compliance with | 9 * 1.1 (the "License"); you may not use this file except in compliance with |
| 10 * the License. You may obtain a copy of the License at | 10 * the License. You may obtain a copy of the License at |
| (...skipping 68 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 79 static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec, | 79 static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec, |
| 80 PK11SlotInfo * serverKeySlot); | 80 PK11SlotInfo * serverKeySlot); |
| 81 static SECStatus ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms); | 81 static SECStatus ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms); |
| 82 static SECStatus ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss); | 82 static SECStatus ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss); |
| 83 static SECStatus ssl3_HandshakeFailure( sslSocket *ss); | 83 static SECStatus ssl3_HandshakeFailure( sslSocket *ss); |
| 84 static SECStatus ssl3_InitState( sslSocket *ss); | 84 static SECStatus ssl3_InitState( sslSocket *ss); |
| 85 static SECStatus ssl3_SendCertificate( sslSocket *ss); | 85 static SECStatus ssl3_SendCertificate( sslSocket *ss); |
| 86 static SECStatus ssl3_SendEmptyCertificate( sslSocket *ss); | 86 static SECStatus ssl3_SendEmptyCertificate( sslSocket *ss); |
| 87 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss); | 87 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss); |
| 88 static SECStatus ssl3_SendNextProto( sslSocket *ss); | 88 static SECStatus ssl3_SendNextProto( sslSocket *ss); |
| 89 static SECStatus ssl3_SendEncryptedExtensions(sslSocket *ss); |
| 89 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags); | 90 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags); |
| 90 static SECStatus ssl3_SendServerHello( sslSocket *ss); | 91 static SECStatus ssl3_SendServerHello( sslSocket *ss); |
| 91 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss); | 92 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss); |
| 92 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss); | 93 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss); |
| 93 static SECStatus ssl3_NewHandshakeHashes( sslSocket *ss); | 94 static SECStatus ssl3_NewHandshakeHashes( sslSocket *ss); |
| 94 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss, | 95 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss, |
| 95 const unsigned char *b, | 96 const unsigned char *b, |
| 96 unsigned int l); | 97 unsigned int l); |
| 97 static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags); | 98 static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags); |
| 98 | 99 |
| (...skipping 6133 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 6232 | 6233 |
| 6233 /* XXX: If the server's certificate hasn't been authenticated by this | 6234 /* XXX: If the server's certificate hasn't been authenticated by this |
| 6234 * point, then we may be leaking this NPN message to an attacker. | 6235 * point, then we may be leaking this NPN message to an attacker. |
| 6235 */ | 6236 */ |
| 6236 if (!ss->firstHsDone) { | 6237 if (!ss->firstHsDone) { |
| 6237 rv = ssl3_SendNextProto(ss); | 6238 rv = ssl3_SendNextProto(ss); |
| 6238 if (rv != SECSuccess) { | 6239 if (rv != SECSuccess) { |
| 6239 goto loser; /* err code was set. */ | 6240 goto loser; /* err code was set. */ |
| 6240 } | 6241 } |
| 6241 } | 6242 } |
| 6243 rv = ssl3_SendEncryptedExtensions(ss); |
| 6244 if (rv != SECSuccess) { |
| 6245 goto loser; /* err code was set. */ |
| 6246 } |
| 6242 | 6247 |
| 6243 rv = ssl3_SendFinished(ss, 0); | 6248 rv = ssl3_SendFinished(ss, 0); |
| 6244 if (rv != SECSuccess) { | 6249 if (rv != SECSuccess) { |
| 6245 goto loser; /* err code was set. */ | 6250 goto loser; /* err code was set. */ |
| 6246 } | 6251 } |
| 6247 | 6252 |
| 6248 ssl_ReleaseXmitBufLock(ss); /*******************************/ | 6253 ssl_ReleaseXmitBufLock(ss); /*******************************/ |
| 6249 | 6254 |
| 6250 if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn)) | 6255 if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn)) |
| 6251 ss->ssl3.hs.ws = wait_new_session_ticket; | 6256 ss->ssl3.hs.ws = wait_new_session_ticket; |
| (...skipping 2596 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 8848 if (rv != SECSuccess) { | 8853 if (rv != SECSuccess) { |
| 8849 return rv; /* error code set by AppendHandshake */ | 8854 return rv; /* error code set by AppendHandshake */ |
| 8850 } | 8855 } |
| 8851 rv = ssl3_AppendHandshakeVariable(ss, padding, padding_len, 1); | 8856 rv = ssl3_AppendHandshakeVariable(ss, padding, padding_len, 1); |
| 8852 if (rv != SECSuccess) { | 8857 if (rv != SECSuccess) { |
| 8853 return rv; /* error code set by AppendHandshake */ | 8858 return rv; /* error code set by AppendHandshake */ |
| 8854 } | 8859 } |
| 8855 return rv; | 8860 return rv; |
| 8856 } | 8861 } |
| 8857 | 8862 |
| 8863 /* called from ssl3_SendClientSecondRound |
| 8864 * ssl3_HandleFinished |
| 8865 */ |
| 8866 static SECStatus |
| 8867 ssl3_SendEncryptedExtensions(sslSocket *ss) |
| 8868 { |
| 8869 static const char CHANNEL_ID_MAGIC[] = "TLS Channel ID signature"; |
| 8870 /* This is the ASN.1 prefix for a P-256 public key. Specifically it's: |
| 8871 * SEQUENCE |
| 8872 * SEQUENCE |
| 8873 * OID id-ecPublicKey |
| 8874 * OID prime256v1 |
| 8875 * BIT STRING, length 66, 0 trailing bits: 0x04 |
| 8876 * |
| 8877 * The 0x04 in the BIT STRING is the prefix for an uncompressed, X9.62 |
| 8878 * public key. Following that are the two field elements as 32-byte, |
| 8879 * big-endian numbers, as required by the Channel ID. */ |
| 8880 static const unsigned char P256_SPKI_PREFIX[] = { |
| 8881 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, |
| 8882 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, |
| 8883 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, |
| 8884 0x42, 0x00, 0x04 |
| 8885 }; |
| 8886 /* ChannelIDs are always 128 bytes long: 64 bytes of P-256 public key and 64 |
| 8887 * bytes of ECDSA signature. */ |
| 8888 static const int CHANNEL_ID_PUBLIC_KEY_LENGTH = 64; |
| 8889 static const int CHANNEL_ID_LENGTH = 128; |
| 8890 |
| 8891 SECStatus rv = SECFailure; |
| 8892 SECItem *spki = NULL; |
| 8893 SSL3Hashes hashes; |
| 8894 const unsigned char *pub_bytes; |
| 8895 unsigned char signed_data[sizeof(CHANNEL_ID_MAGIC) + sizeof(SSL3Hashes)]; |
| 8896 unsigned char digest[SHA256_LENGTH]; |
| 8897 SECItem digest_item; |
| 8898 unsigned char signature[64]; |
| 8899 SECItem signature_item; |
| 8900 SECKEYPrivateKey *channelID = NULL; |
| 8901 SECKEYPublicKey *channelIDPub = NULL; |
| 8902 |
| 8903 PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
| 8904 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| 8905 |
| 8906 if (ss->getChannelID == NULL || |
| 8907 !ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn)) { |
| 8908 return SECSuccess; |
| 8909 } |
| 8910 |
| 8911 rv = ss->getChannelID(ss->getChannelIDArg, ss->fd, |
| 8912 &channelIDPub, &channelID); |
| 8913 if (rv != SECSuccess) { |
| 8914 PORT_SetError(SSL_ERROR_GET_CHANNEL_ID_FAILED); |
| 8915 goto loser; |
| 8916 } |
| 8917 |
| 8918 if (SECKEY_GetPrivateKeyType(channelID) != ecKey || |
| 8919 PK11_SignatureLen(channelID) != sizeof(signature)) { |
| 8920 PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY); |
| 8921 rv = SECFailure; |
| 8922 goto loser; |
| 8923 } |
| 8924 |
| 8925 ssl_GetSpecReadLock(ss); |
| 8926 rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.cwSpec, &hashes, 0); |
| 8927 ssl_ReleaseSpecReadLock(ss); |
| 8928 |
| 8929 if (rv != SECSuccess) |
| 8930 goto loser; |
| 8931 |
| 8932 rv = ssl3_AppendHandshakeHeader(ss, encrypted_extensions, |
| 8933 2 + 2 + CHANNEL_ID_LENGTH); |
| 8934 if (rv != SECSuccess) |
| 8935 goto loser; /* error code set by AppendHandshakeHeader */ |
| 8936 rv = ssl3_AppendHandshakeNumber(ss, ssl_channel_id_xtn, 2); |
| 8937 if (rv != SECSuccess) |
| 8938 goto loser; /* error code set by AppendHandshake */ |
| 8939 rv = ssl3_AppendHandshakeNumber(ss, CHANNEL_ID_LENGTH, 2); |
| 8940 if (rv != SECSuccess) |
| 8941 goto loser; /* error code set by AppendHandshake */ |
| 8942 |
| 8943 spki = SECKEY_EncodeDERSubjectPublicKeyInfo(channelIDPub); |
| 8944 |
| 8945 if (spki->len != sizeof(P256_SPKI_PREFIX) + CHANNEL_ID_PUBLIC_KEY_LENGTH || |
| 8946 memcmp(spki->data, P256_SPKI_PREFIX, sizeof(P256_SPKI_PREFIX) != 0)) { |
| 8947 PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY); |
| 8948 rv = SECFailure; |
| 8949 goto loser; |
| 8950 } |
| 8951 |
| 8952 pub_bytes = spki->data + sizeof(P256_SPKI_PREFIX); |
| 8953 |
| 8954 memcpy(signed_data, CHANNEL_ID_MAGIC, sizeof(CHANNEL_ID_MAGIC)); |
| 8955 memcpy(signed_data + sizeof(CHANNEL_ID_MAGIC), &hashes, sizeof(hashes)); |
| 8956 |
| 8957 rv = PK11_HashBuf(SEC_OID_SHA256, digest, signed_data, sizeof(signed_data)); |
| 8958 if (rv != SECSuccess) |
| 8959 goto loser; |
| 8960 |
| 8961 digest_item.data = digest; |
| 8962 digest_item.len = sizeof(digest); |
| 8963 |
| 8964 signature_item.data = signature; |
| 8965 signature_item.len = sizeof(signature); |
| 8966 |
| 8967 rv = PK11_Sign(channelID, &signature_item, &digest_item); |
| 8968 if (rv != SECSuccess) |
| 8969 goto loser; |
| 8970 |
| 8971 rv = ssl3_AppendHandshake(ss, pub_bytes, CHANNEL_ID_PUBLIC_KEY_LENGTH); |
| 8972 if (rv != SECSuccess) |
| 8973 goto loser; |
| 8974 rv = ssl3_AppendHandshake(ss, signature, sizeof(signature)); |
| 8975 |
| 8976 loser: |
| 8977 if (spki) |
| 8978 SECITEM_FreeItem(spki, PR_TRUE); |
| 8979 if (channelID) |
| 8980 SECKEY_DestroyPrivateKey(channelID); |
| 8981 if (channelIDPub) |
| 8982 SECKEY_DestroyPublicKey(channelIDPub); |
| 8983 |
| 8984 return rv; |
| 8985 } |
| 8986 |
| 8858 /* called from ssl3_HandleServerHelloDone | 8987 /* called from ssl3_HandleServerHelloDone |
| 8859 * ssl3_HandleClientHello | 8988 * ssl3_HandleClientHello |
| 8860 * ssl3_HandleFinished | 8989 * ssl3_HandleFinished |
| 8861 */ | 8990 */ |
| 8862 static SECStatus | 8991 static SECStatus |
| 8863 ssl3_SendFinished(sslSocket *ss, PRInt32 flags) | 8992 ssl3_SendFinished(sslSocket *ss, PRInt32 flags) |
| 8864 { | 8993 { |
| 8865 ssl3CipherSpec *cwSpec; | 8994 ssl3CipherSpec *cwSpec; |
| 8866 PRBool isTLS; | 8995 PRBool isTLS; |
| 8867 PRBool isServer = ss->sec.isServer; | 8996 PRBool isServer = ss->sec.isServer; |
| (...skipping 230 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 9098 } | 9227 } |
| 9099 /* If this thread is in SSL_SecureSend (trying to write some data) | 9228 /* If this thread is in SSL_SecureSend (trying to write some data) |
| 9100 ** then set the ssl_SEND_FLAG_FORCE_INTO_BUFFER flag, so that the | 9229 ** then set the ssl_SEND_FLAG_FORCE_INTO_BUFFER flag, so that the |
| 9101 ** last two handshake messages (change cipher spec and finished) | 9230 ** last two handshake messages (change cipher spec and finished) |
| 9102 ** will be sent in the same send/write call as the application data. | 9231 ** will be sent in the same send/write call as the application data. |
| 9103 */ | 9232 */ |
| 9104 if (ss->writerThread == PR_GetCurrentThread()) { | 9233 if (ss->writerThread == PR_GetCurrentThread()) { |
| 9105 flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER; | 9234 flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER; |
| 9106 } | 9235 } |
| 9107 | 9236 |
| 9108 » if (!isServer && !ss->firstHsDone) { | 9237 » if (!isServer) { |
| 9109 » rv = ssl3_SendNextProto(ss); | 9238 » if (!ss->firstHsDone) { |
| 9110 » if (rv != SECSuccess) { | 9239 » » rv = ssl3_SendNextProto(ss); |
| 9240 » » if (rv != SECSuccess) { |
| 9241 » » goto xmit_loser; /* err code was set. */ |
| 9242 » » } |
| 9243 » } |
| 9244 » rv = ssl3_SendEncryptedExtensions(ss); |
| 9245 » if (rv != SECSuccess) |
| 9111 goto xmit_loser; /* err code was set. */ | 9246 goto xmit_loser; /* err code was set. */ |
| 9112 } | |
| 9113 } | 9247 } |
| 9114 | 9248 |
| 9115 if (IS_DTLS(ss)) { | 9249 if (IS_DTLS(ss)) { |
| 9116 flags |= ssl_SEND_FLAG_NO_RETRANSMIT; | 9250 flags |= ssl_SEND_FLAG_NO_RETRANSMIT; |
| 9117 } | 9251 } |
| 9118 | 9252 |
| 9119 rv = ssl3_SendFinished(ss, flags); | 9253 rv = ssl3_SendFinished(ss, flags); |
| 9120 if (rv != SECSuccess) { | 9254 if (rv != SECSuccess) { |
| 9121 goto xmit_loser; /* err is set. */ | 9255 goto xmit_loser; /* err is set. */ |
| 9122 } | 9256 } |
| (...skipping 1302 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 10425 PORT_Free(ss->ssl3.hs.recvdFragments.buf); | 10559 PORT_Free(ss->ssl3.hs.recvdFragments.buf); |
| 10426 } | 10560 } |
| 10427 } | 10561 } |
| 10428 | 10562 |
| 10429 ss->ssl3.initialized = PR_FALSE; | 10563 ss->ssl3.initialized = PR_FALSE; |
| 10430 | 10564 |
| 10431 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); | 10565 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); |
| 10432 } | 10566 } |
| 10433 | 10567 |
| 10434 /* End of ssl3con.c */ | 10568 /* End of ssl3con.c */ |
| OLD | NEW |