Miscellaneous cleanup of TLS 1.2 code.

net/third_party/nss/ssl/derive.c

 /*
  * Key Derivation that doesn't use PKCS11
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 /* $Id$ */
 
 #include "ssl.h"        /* prereq to sslimpl.h */
 #include "certt.h"      /* prereq to sslimpl.h */
@@ skipping 64 matching lines @@
     const ssl3BulkCipherDef *cipher_def = pwSpec->cipher_def;
     unsigned char * key_block    = pwSpec->key_block;
     unsigned char * key_block2   = NULL;
     unsigned int    block_bytes  = 0;
     unsigned int    block_needed = 0;
     unsigned int    i;
     unsigned int    keySize;            /* actual    size of cipher keys */
     unsigned int    effKeySize;         /* effective size of cipher keys */
     unsigned int    macSize;            /* size of MAC secret */
     unsigned int    IVSize;             /* size of IV */
+    PRBool          explicitIV = PR_FALSE;
     SECStatus       rv    = SECFailure;
     SECStatus       status = SECSuccess;
     PRBool          isFIPS = PR_FALSE;
+    PRBool          isTLS12 = pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2;
 
     SECItem         srcr;
     SECItem         crsr;
 
     unsigned char     srcrdata[SSL3_RANDOM_LENGTH * 2];
     unsigned char     crsrdata[SSL3_RANDOM_LENGTH * 2];
     PRUint64          md5buf[22];
     PRUint64          shabuf[40];
 
 #define md5Ctx ((MD5Context *)md5buf)
@@ skipping 11 matching lines @@
                                            pwSpec->msItem.len));
 
     /* figure out how much is needed */
     macSize    = pwSpec->mac_size;
     keySize    = cipher_def->key_size;
     effKeySize = cipher_def->secret_key_size;
     IVSize     = cipher_def->iv_size;
     if (keySize == 0) {
         effKeySize = IVSize = 0; /* only MACing */
     }
-    block_needed = 2 * (macSize + effKeySize + ((!isExport) * IVSize));
+    if (cipher_def->type == type_block &&
+        pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) {
+        /* Block ciphers in >= TLS 1.1 use a per-record, explicit IV. */
+        explicitIV = PR_TRUE;
+    }
+    block_needed =
+        2 * (macSize + effKeySize + ((!isExport && !explicitIV) * IVSize));
 
     /*
      * clear out our returned keys so we can recover on failure
      */
     pwSpec->client.write_key_item     = zed;
     pwSpec->client.write_mac_key_item = zed;
     pwSpec->server.write_key_item     = zed;
     pwSpec->server.write_mac_key_item = zed;
 
     /* initialize the server random, client random block */
@@ skipping 14 matching lines @@
     /*
      * generate the key material:
      */
     if (isTLS) {
         SECItem       keyblk;
 
         keyblk.type = siBuffer;
         keyblk.data = key_block;
         keyblk.len  = block_needed;
 
-        status = TLS_PRF(&pwSpec->msItem, "key expansion", &srcr, &keyblk,
-                          isFIPS);
+        if (isTLS12) {
+            status = TLS_P_hash(HASH_AlgSHA256, &pwSpec->msItem,
+                                "key expansion", &srcr, &keyblk, isFIPS);
+        } else {
+            status = TLS_PRF(&pwSpec->msItem, "key expansion", &srcr, &keyblk,
+                             isFIPS);
+        }
         if (status != SECSuccess) {
             goto key_and_mac_derive_fail;
         }
         block_bytes = keyblk.len;
     } else {
         /* key_block = 
          *     MD5(master_secret + SHA('A' + master_secret + 
          *                      ServerHello.random + ClientHello.random)) +
          *     MD5(master_secret + SHA('BB' + master_secret + 
          *                      ServerHello.random + ClientHello.random)) +
@@ skipping 67 matching lines @@
         i += keySize;
 
         /* 
         ** server_write_key[CipherSpec.key_material]
         */
         buildSSLKey(&key_block[i], keySize, &pwSpec->server.write_key_item, \
                     "Domestic Server Write Key");
         i += keySize;
 
         if (IVSize > 0) {
-            /* 
-            ** client_write_IV[CipherSpec.IV_size]
-            */
-            buildSSLKey(&key_block[i], IVSize, &pwSpec->client.write_iv_item, \
-                        "Domestic Client Write IV");
-            i += IVSize;
+            if (explicitIV) {
+                static unsigned char zero_block[32];
+                PORT_Assert(IVSize <= sizeof zero_block);
+                buildSSLKey(&zero_block[0], IVSize, \
+                            &pwSpec->client.write_iv_item, \
+                            "Domestic Client Write IV");
+                buildSSLKey(&zero_block[0], IVSize, \
+                            &pwSpec->server.write_iv_item, \
+                            "Domestic Server Write IV");
+            } else {
+                /* 
+                ** client_write_IV[CipherSpec.IV_size]
+                */
+                buildSSLKey(&key_block[i], IVSize, \
+                            &pwSpec->client.write_iv_item, \
+                            "Domestic Client Write IV");
+                i += IVSize;
 
-            /* 
-            ** server_write_IV[CipherSpec.IV_size]
-            */
-            buildSSLKey(&key_block[i], IVSize, &pwSpec->server.write_iv_item, \
-                        "Domestic Server Write IV");
-            i += IVSize;
+                /* 
+                ** server_write_IV[CipherSpec.IV_size]
+                */
+                buildSSLKey(&key_block[i], IVSize, \
+                            &pwSpec->server.write_iv_item, \
+                            "Domestic Server Write IV");
+                i += IVSize;
+            }
         }
         PORT_Assert(i <= block_bytes);
-
     } else if (!isTLS) { 
         /*
         ** Generate SSL3 Export write keys and IVs.
         */
         unsigned int    outLen;
 
         /*
         ** client_write_key[CipherSpec.key_material]
         ** final_client_write_key = MD5(client_write_key +
         **                   ClientHello.random + ServerHello.random);
@@ skipping 142 matching lines @@
     ssl3CipherSpec *      pwSpec,
     const unsigned char * cr,
     const unsigned char * sr,
     const SECItem *       pms,
     PRBool                isTLS,
     PRBool                isRSA)
 {
     unsigned char * key_block    = pwSpec->key_block;
     SECStatus       rv    = SECSuccess;
     PRBool          isFIPS = PR_FALSE;
+    PRBool          isTLS12 = pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2;
 
     SECItem         crsr;
 
     unsigned char     crsrdata[SSL3_RANDOM_LENGTH * 2];
     PRUint64          md5buf[22];
     PRUint64          shabuf[40];
 
 #define md5Ctx ((MD5Context *)md5buf)
 #define shaCtx ((SHA1Context *)shabuf)
 
@@ skipping 15 matching lines @@
     PORT_Memcpy(crsrdata + SSL3_RANDOM_LENGTH, sr, SSL3_RANDOM_LENGTH);
     PRINT_BUF(100, (NULL, "Master Secret CRSR", crsr.data, crsr.len));
 
     /* finally do the key gen */
     if (isTLS) {
         SECItem master = { siBuffer, NULL, 0 };
 
         master.data = key_block;
         master.len = SSL3_MASTER_SECRET_LENGTH;
 
-        rv = TLS_PRF(pms, "master secret", &crsr, &master, isFIPS);
+        if (isTLS12) {
+            rv = TLS_P_hash(HASH_AlgSHA256, pms, "master secret", &crsr,
+                            &master, isFIPS);
+        } else {
+            rv = TLS_PRF(pms, "master secret", &crsr, &master, isFIPS);
+        }
         if (rv != SECSuccess) {
             PORT_SetError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
         }
     } else {
         int i;
         unsigned int made = 0;
         for (i = 0; i < 3; i++) {
             unsigned int    outLen;
             unsigned char   sha_out[SHA1_LENGTH];
 
@@ skipping 390 matching lines @@
     if (srvPubkey) {
         SECKEY_DestroyPublicKey(srvPubkey);
         srvPubkey = NULL;
     }
 
 
     return rv;
 #endif /* NO_PKCS11_BYPASS */
 }