Miscellaneous cleanup of TLS 1.2 code.

net/third_party/nss/ssl/ssl3con.c

 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
 /*
  * SSL3 Protocol
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 /* $Id$ */
 
 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */
@@ skipping 51 matching lines @@
 static SECStatus ssl3_SendCertificate(       sslSocket *ss);
 static SECStatus ssl3_SendCertificateStatus( sslSocket *ss);
 static SECStatus ssl3_SendEmptyCertificate(  sslSocket *ss);
 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss);
 static SECStatus ssl3_SendNextProto(         sslSocket *ss);
 static SECStatus ssl3_SendEncryptedExtensions(sslSocket *ss);
 static SECStatus ssl3_SendFinished(          sslSocket *ss, PRInt32 flags);
 static SECStatus ssl3_SendServerHello(       sslSocket *ss);
 static SECStatus ssl3_SendServerHelloDone(   sslSocket *ss);
 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss);
-static SECStatus ssl3_NewHandshakeHashes(    sslSocket *ss);
 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss,
                                              const unsigned char *b,
                                              unsigned int l);
 static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags);
 static int       ssl3_OIDToTLSHashAlgorithm(SECOidTag oid);
 
 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen,
                              int maxOutputLen, const unsigned char *input,
                              int inputLen);
 
@@ skipping 982 matching lines @@
             hashes->len = MD5_LENGTH + SHA1_LENGTH;
         } else if (hashAlg == SEC_OID_SHA1) {
             SHA1_HashBuf(hashes->u.raw, hashBuf, bufLen);
             hashes->len = SHA1_LENGTH;
         } else if (hashAlg == SEC_OID_SHA256) {
             SHA256_HashBuf(hashes->u.raw, hashBuf, bufLen);
             hashes->len = SHA256_LENGTH;
         } else if (hashAlg == SEC_OID_SHA384) {
             SHA384_HashBuf(hashes->u.raw, hashBuf, bufLen);
             hashes->len = SHA384_LENGTH;
+        } else if (hashAlg == SEC_OID_SHA512) {
+            SHA512_HashBuf(hashes->u.raw, hashBuf, bufLen);
+            hashes->len = SHA512_LENGTH;
         } else {
             PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
             return SECFailure;
         }
     } else 
 #endif
     {
         if (hashAlg == SEC_OID_UNKNOWN) {
             rv = PK11_HashBuf(SEC_OID_MD5, hashes->u.s.md5, hashBuf, bufLen);
             if (rv != SECSuccess) {
@@ skipping 443 matching lines @@
     default:
         PORT_Assert(0);
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         return SECFailure;
     }
 
     return SECSuccess;
 }
 
 #ifndef NO_PKCS11_BYPASS
-/* Initialize encryption and MAC contexts for pending spec.
+/* Initialize encryption contexts for pending spec.
+ * MAC contexts are set up when computing the mac, not here.
  * Master Secret already is derived in spec->msItem
  * Caller holds Spec write lock.
  */
 static SECStatus
 ssl3_InitPendingContextsBypass(sslSocket *ss)
 {
       ssl3CipherSpec  *  pwSpec;
       const ssl3BulkCipherDef *cipher_def;
       void *             serverContext = NULL;
       void *             clientContext = NULL;
       BLapiInitContextFunc initFn = (BLapiInitContextFunc)NULL;
       int                mode     = 0;
       unsigned int       optArg1  = 0;
       unsigned int       optArg2  = 0;
       PRBool             server_encrypts = ss->sec.isServer;
-      CK_ULONG           macLength;
       SSLCipherAlgorithm calg;
       SSLCompressionMethod compression_method;
       SECStatus          rv;
 
     PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
     PORT_Assert(ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
     PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
 
     pwSpec        = ss->ssl3.pwSpec;
     cipher_def    = pwSpec->cipher_def;
-    macLength     = pwSpec->mac_size;
-
-    /* MAC setup is done when computing the mac, not here.
-     * Now setup the crypto contexts.
-     */
 
     calg = cipher_def->calg;
     compression_method = pwSpec->compression_method;
 
     serverContext = pwSpec->server.cipher_context;
     clientContext = pwSpec->client.cipher_context;
 
     switch (calg) {
     case ssl_calg_null:
         pwSpec->encode  = Null_Cipher;
@@ skipping 1872 matching lines @@
     }
 #ifndef NO_PKCS11_BYPASS
     if (ss->opt.bypassPKCS11) {
         SECItem * keydata;
         /* In hope of doing a "double bypass", 
          * need to extract the master secret's value from the key object 
          * and store it raw in the sslSocket struct.
          */
         rv = PK11_ExtractKeyValue(pwSpec->master_secret);
         if (rv != SECSuccess) {
-#if defined(NSS_SURVIVE_DOUBLE_BYPASS_FAILURE)

[wtc, 2013/06/15 19:40:55]

I don't think this code is used by any NSS user. I removed this code so that
ss->ssl3.hs.messages is used for only one purpose, which simplifies our logic.

-            /* The double bypass failed.  
-             * Attempt to revert to an all PKCS#11, non-bypass method.
-             * Do we need any unacquired locks here?
-             */
-            ss->opt.bypassPKCS11 = 0;
-            rv = ssl3_NewHandshakeHashes(ss);
-            if (rv == SECSuccess) {
-                rv = ssl3_UpdateHandshakeHashes(ss, ss->ssl3.hs.messages.buf, 
-                                                    ss->ssl3.hs.messages.len);
-            }
-#endif
             return rv;
         } 
         /* This returns the address of the secItem inside the key struct,
          * not a copy or a reference.  So, there's no need to free it.
          */
         keydata = PK11_GetKeyData(pwSpec->master_secret);
         if (keydata && keydata->len <= sizeof pwSpec->raw_master_secret) {
             memcpy(pwSpec->raw_master_secret, keydata->data, keydata->len);
             pwSpec->msItem.data = pwSpec->raw_master_secret;
             pwSpec->msItem.len  = keydata->len;
@@ skipping 149 matching lines @@
     PK11_FreeSymKey(symKey);
     return SECSuccess;
 
 
 loser:
     if (symKey) PK11_FreeSymKey(symKey);
     ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
     return SECFailure;
 }
 
-/* ssl3_InitTLS12HandshakeHash creates a handshake hash context for TLS 1.2,
- * if needed, and hashes in any buffered messages in ss->ssl3.hs.messages. */
+/* ssl3_InitHandshakeHashes creates handshake hash contexts and hashes in
+ * buffered messages in ss->ssl3.hs.messages. */
 static SECStatus
-ssl3_InitTLS12HandshakeHash(sslSocket *ss)
+ssl3_InitHandshakeHashes(sslSocket *ss)
 {
-    if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2 &&
-        ss->ssl3.hs.tls12_handshake_hash == NULL) {
-        /* If we ever support ciphersuites where the PRF hash isn't SHA-256
-         * then this will need to be updated. */
-        ss->ssl3.hs.tls12_handshake_hash =
-            PK11_CreateDigestContext(SEC_OID_SHA256);
-        if (!ss->ssl3.hs.tls12_handshake_hash ||
-            PK11_DigestBegin(ss->ssl3.hs.tls12_handshake_hash) != SECSuccess) {
-            ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
-            return SECFailure;
+    PK11Context *md5  = NULL;
+    PK11Context *sha  = NULL;
+
+    SSL_TRC(30,("%d: SSL3[%d]: start handshake hashes", SSL_GETPID(), ss->fd));
+
+    PORT_Assert(ss->ssl3.hs.hashType == HANDSHAKE_HASH_UNKNOWN);
+#ifndef NO_PKCS11_BYPASS
+    if (ss->opt.bypassPKCS11) {
+        PORT_Assert(!ss->ssl3.hs.sha_obj && !ss->ssl3.hs.sha_clone);
+        if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
+            /* If we ever support ciphersuites where the PRF hash isn't SHA-256
+             * then this will need to be updated. */
+            ss->ssl3.hs.sha_obj = HASH_GetRawHashObject(HASH_AlgSHA256);
+            if (!ss->ssl3.hs.sha_obj) {
+                ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
+                return SECFailure;
+            }
+            ss->ssl3.hs.sha_clone = (void (*)(void *, void *))SHA256_Clone;
+            ss->ssl3.hs.hashType = HANDSHAKE_HASH_SINGLE;
+            ss->ssl3.hs.sha_obj->begin(ss->ssl3.hs.sha_cx);
+        } else {
+            ss->ssl3.hs.hashType = HANDSHAKE_HASH_COMBO;
+            MD5_Begin((MD5Context *)ss->ssl3.hs.md5_cx);
+            SHA1_Begin((SHA1Context *)ss->ssl3.hs.sha_cx);
+        }
+    } else
+#endif
+    {
+        PORT_Assert(!ss->ssl3.hs.md5 && !ss->ssl3.hs.sha);
+        /*
+         * note: We should probably lookup an SSL3 slot for these
+         * handshake hashes in hopes that we wind up with the same slots
+         * that the master secret will wind up in ...
+         */
+        if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
+            /* If we ever support ciphersuites where the PRF hash isn't SHA-256
+             * then this will need to be updated. */
+            ss->ssl3.hs.sha = sha = PK11_CreateDigestContext(SEC_OID_SHA256);
+            if (sha == NULL) {
+                ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
+                goto loser;
+            }
+            ss->ssl3.hs.hashType = HANDSHAKE_HASH_SINGLE;
+
+            if (PK11_DigestBegin(ss->ssl3.hs.sha) != SECSuccess) {
+                ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
+                return SECFailure;
+            }
+        } else {
+            ss->ssl3.hs.md5 = md5 = PK11_CreateDigestContext(SEC_OID_MD5);
+            ss->ssl3.hs.sha = sha = PK11_CreateDigestContext(SEC_OID_SHA1);
+            if (md5 == NULL) {
+                ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
+                goto loser;

[agl, 2013/06/17 14:01:14]

Several error paths in this function return directly - presumably
ss->ssl3.hs.[md5|sha] will be deleted when the ss object is destroyed. However,
here we have an explicit cleanup. It seems that handling of errors should be
uniform in this function.

[wtc, 2013/06/17 20:05:16]

You are right. I was also unhappy with how I handled errors in this function.
It was influenced by the original code in ssl3_NewHandshakeHashes.

I've now removed the |loser| label. Now the function always returns directly.
The only property I try to maintain is that either ss->ssl3.hs.[md5|sha] are
both NULL, or they are both created successfully. Strictly speaking, this
invariant is not necessary because ss->ssl3.hs.[md5|sha] will be deleted when
the ss object is destroyed. I just wanted the ss object to be less confusing
when it is not created successfully.

+            }
+            if (sha == NULL) {
+                ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
+                goto loser;
+            }
+            ss->ssl3.hs.hashType = HANDSHAKE_HASH_COMBO;
+
+            if (PK11_DigestBegin(ss->ssl3.hs.md5) != SECSuccess) {
+                ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
+                return SECFailure;
+            }
+            if (PK11_DigestBegin(ss->ssl3.hs.sha) != SECSuccess) {
+                ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
+                return SECFailure;
+            }
         }
     }
 
-    if (ss->ssl3.hs.tls12_handshake_hash && ss->ssl3.hs.messages.len > 0) {
-        if (PK11_DigestOp(ss->ssl3.hs.tls12_handshake_hash,
-                          ss->ssl3.hs.messages.buf,
-                          ss->ssl3.hs.messages.len) != SECSuccess) {
-            ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
+    if (ss->ssl3.hs.messages.len > 0) {
+        if (ssl3_UpdateHandshakeHashes(ss, ss->ssl3.hs.messages.buf,
+                                       ss->ssl3.hs.messages.len) !=
+            SECSuccess) {
             return SECFailure;
         }
-    }
-
-    if (ss->ssl3.hs.messages.buf && !ss->opt.bypassPKCS11) {
         PORT_Free(ss->ssl3.hs.messages.buf);
         ss->ssl3.hs.messages.buf = NULL;
         ss->ssl3.hs.messages.len = 0;
         ss->ssl3.hs.messages.space = 0;
     }
 
     return SECSuccess;
+
+loser:
+    if (md5 != NULL) {
+       PK11_DestroyContext(md5, PR_TRUE);
+       ss->ssl3.hs.md5 = NULL;
+    }
+    if (sha != NULL) {
+       PK11_DestroyContext(sha, PR_TRUE);
+       ss->ssl3.hs.sha = NULL;
+    }
+    return SECFailure;
 }
 
 static SECStatus 
 ssl3_RestartHandshakeHashes(sslSocket *ss)
 {
     SECStatus rv = SECSuccess;
 
+    SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes",
+            SSL_GETPID(), ss->fd ));
+    ss->ssl3.hs.hashType = HANDSHAKE_HASH_UNKNOWN;
     ss->ssl3.hs.messages.len = 0;
 #ifndef NO_PKCS11_BYPASS
-    if (ss->opt.bypassPKCS11) {
-        MD5_Begin((MD5Context *)ss->ssl3.hs.md5_cx);
-        SHA1_Begin((SHA1Context *)ss->ssl3.hs.sha_cx);
-    } else 
+    ss->ssl3.hs.sha_obj = NULL;
+    ss->ssl3.hs.sha_clone = NULL;
 #endif
-    {
-        if (ss->ssl3.hs.tls12_handshake_hash) {
-            rv = PK11_DigestBegin(ss->ssl3.hs.tls12_handshake_hash);
-            if (rv != SECSuccess) {
-                ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
-                return rv;
-            }
-        }
-        rv = PK11_DigestBegin(ss->ssl3.hs.md5);
-        if (rv != SECSuccess) {
-            ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
-            return rv;
-        }
-        rv = PK11_DigestBegin(ss->ssl3.hs.sha);
-        if (rv != SECSuccess) {
-            ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
-            return rv;
-        }
+    if (ss->ssl3.hs.md5) {
+        PK11_DestroyContext(ss->ssl3.hs.md5,PR_TRUE);
+        ss->ssl3.hs.md5 = NULL;
+    }
+    if (ss->ssl3.hs.sha) {
+        PK11_DestroyContext(ss->ssl3.hs.sha,PR_TRUE);
+        ss->ssl3.hs.sha = NULL;
     }
     return rv;
 }
 
-static SECStatus
-ssl3_NewHandshakeHashes(sslSocket *ss)

[wtc, 2013/06/15 19:40:55]

After I removed the NSS_SURVIVE_DOUBLE_BYPASS_FAILURE code, ssl3_InitState
becomes the only caller of ssl3_NewHandshakeHashes.

I moved the code in ssl3_NewHandshakeHashes that creates the handshake hash
contexts to ssl3_InitHandshakeHashes (formerly named
ssl3_InitTLS12HandshakeHash).
This left only three lines that initializes ss->ssl3.hs.messages (lines
3726-3728). I moved them to ssl3_InitState.

-{
-    PK11Context *md5  = NULL;
-    PK11Context *sha  = NULL;
-
-    /*
-     * note: We should probably lookup an SSL3 slot for these
-     * handshake hashes in hopes that we wind up with the same slots
-     * that the master secret will wind up in ...
-     */
-    SSL_TRC(30,("%d: SSL3[%d]: start handshake hashes", SSL_GETPID(), ss->fd));
-    PORT_Assert(!ss->ssl3.hs.messages.buf && !ss->ssl3.hs.messages.space);
-    ss->ssl3.hs.messages.buf = NULL;
-    ss->ssl3.hs.messages.space = 0;
-
-    ss->ssl3.hs.md5 = md5 = PK11_CreateDigestContext(SEC_OID_MD5);
-    ss->ssl3.hs.sha = sha = PK11_CreateDigestContext(SEC_OID_SHA1);
-    ss->ssl3.hs.tls12_handshake_hash = NULL;
-    if (md5 == NULL) {
-        ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
-        goto loser;
-    }
-    if (sha == NULL) {
-        ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
-        goto loser;
-    }
-    if (SECSuccess == ssl3_RestartHandshakeHashes(ss)) {

[wtc, 2013/06/15 19:40:55]

Note that ssl3_NewHandshakeHashes calls ssl3_RestartHandshakeHashes,
which results in ssl3_RestartHandshakeHashes being called twice in some
places. So I removed this ssl3_RestartHandshakeHashes call. This requires
adding ssl3_RestartHandshakeHashes calls to some other places.

-        return SECSuccess;
-    }
-
-loser:
-    if (md5 != NULL) {
-        PK11_DestroyContext(md5, PR_TRUE);
-        ss->ssl3.hs.md5 = NULL;
-    }
-    if (sha != NULL) {
-        PK11_DestroyContext(sha, PR_TRUE);
-        ss->ssl3.hs.sha = NULL;
-    }
-    return SECFailure;
-
-}
-
 /*
  * Handshake messages
  */
-/* Called from  ssl3_AppendHandshake()
+/* Called from  ssl3_InitHandshakeHashes()
+**              ssl3_AppendHandshake()
 **              ssl3_StartHandshakeHash()
 **              ssl3_HandleV2ClientHello()
 **              ssl3_HandleHandshakeMessage()
 ** Caller must hold the ssl3Handshake lock.
 */
 static SECStatus
 ssl3_UpdateHandshakeHashes(sslSocket *ss, const unsigned char *b,
                            unsigned int l)
 {
     SECStatus  rv = SECSuccess;
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
 
-    PRINT_BUF(90, (NULL, "MD5 & SHA handshake hash input:", b, l));
+    /* We need to buffer the handshake messages until we have established
+     * which handshake hash function to use. */
+    if (ss->ssl3.hs.hashType == HANDSHAKE_HASH_UNKNOWN) {
+        return sslBuffer_Append(&ss->ssl3.hs.messages, b, l);
+    }
 
-    if ((ss->version == 0 || ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) &&
-        !ss->opt.bypassPKCS11 &&
-        ss->ssl3.hs.tls12_handshake_hash == NULL) {
-        /* For TLS 1.2 connections we need to buffer the handshake messages
-         * until we have established which PRF hash function to use. */
-        rv = sslBuffer_Append(&ss->ssl3.hs.messages, b, l);
-        if (rv != SECSuccess) {
-            return rv;
-        }
-    }
+    PRINT_BUF(90, (NULL, "handshake hash input:", b, l));
 
 #ifndef NO_PKCS11_BYPASS
     if (ss->opt.bypassPKCS11) {
-        MD5_Update((MD5Context *)ss->ssl3.hs.md5_cx, b, l);
-        SHA1_Update((SHA1Context *)ss->ssl3.hs.sha_cx, b, l);
-#if defined(NSS_SURVIVE_DOUBLE_BYPASS_FAILURE)
-        rv = sslBuffer_Append(&ss->ssl3.hs.messages, b, l);
-#endif
+        if (ss->ssl3.hs.hashType == HANDSHAKE_HASH_SINGLE) {
+            ss->ssl3.hs.sha_obj->update(ss->ssl3.hs.sha_cx, b, l);
+        } else {
+            MD5_Update((MD5Context *)ss->ssl3.hs.md5_cx, b, l);
+            SHA1_Update((SHA1Context *)ss->ssl3.hs.sha_cx, b, l);
+        }
         return rv;
     }
 #endif
-    if (ss->ssl3.hs.tls12_handshake_hash) {
-        rv = PK11_DigestOp(ss->ssl3.hs.tls12_handshake_hash, b, l);
+    if (ss->ssl3.hs.hashType == HANDSHAKE_HASH_SINGLE) {
+        rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l);
         if (rv != SECSuccess) {
             ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
             return rv;
         }
     } else {
         rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l);
         if (rv != SECSuccess) {
             ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
             return rv;
         }
@@ skipping 107 matching lines @@
      */
     if (IS_DTLS(ss)) {
         rv = dtls_StageHandshakeMessage(ss);
         if (rv != SECSuccess) {
             return rv;
         }
     }
 
     SSL_TRC(30,("%d: SSL3[%d]: append handshake header: type %s",
         SSL_GETPID(), ss->fd, ssl3_DecodeHandshakeType(t)));
-    PRINT_BUF(60, (ss, "MD5 handshake hash:",
-                  (unsigned char*)ss->ssl3.hs.md5_cx, MD5_LENGTH));
-    PRINT_BUF(95, (ss, "SHA handshake hash:",
-                  (unsigned char*)ss->ssl3.hs.sha_cx, SHA1_LENGTH));

[wtc, 2013/06/15 19:40:55]

These two PRINT_BUF statements are broken because the MD5 and SHA hashes
are not at the beginning of ss->ssl3.hs.md5_cx and ss->ssl3.hs.sha_cx.
I just deleted them rather than trying to fix them.

 
     rv = ssl3_AppendHandshakeNumber(ss, t, 1);
     if (rv != SECSuccess) {
         return rv;      /* error code set by AppendHandshake, if applicable. */
     }
     rv = ssl3_AppendHandshakeNumber(ss, length, 3);
     if (rv != SECSuccess) {
         return rv;      /* error code set by AppendHandshake, if applicable. */
     }
 
@@ skipping 327 matching lines @@
     SECStatus     rv        = SECSuccess;
     PRBool        isTLS     = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0);
     unsigned int  outLength;
     SSL3Opaque    md5_inner[MAX_MAC_LENGTH];
     SSL3Opaque    sha_inner[MAX_MAC_LENGTH];
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
     hashes->hashAlg = SEC_OID_UNKNOWN;
 
 #ifndef NO_PKCS11_BYPASS
-    if (ss->opt.bypassPKCS11) {
+    if (ss->opt.bypassPKCS11 &&
+        ss->ssl3.hs.hashType == HANDSHAKE_HASH_SINGLE) {
+        /* compute them without PKCS11 */
+        PRUint64      sha_cx[MAX_MAC_CONTEXT_LLONGS];
+
+        if (!spec->msItem.data) {
+            PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
+            return SECFailure;
+        }
+
+        ss->ssl3.hs.sha_clone(sha_cx, ss->ssl3.hs.sha_cx);
+        ss->ssl3.hs.sha_obj->end(sha_cx, hashes->u.raw, &hashes->len,
+                                 sizeof(hashes->u.raw));
+
+        PRINT_BUF(60, (NULL, "SHA-256: result", hashes->u.raw, hashes->len));
+
+        /* If we ever support ciphersuites where the PRF hash isn't SHA-256
+         * then this will need to be updated. */
+        hashes->hashAlg = SEC_OID_SHA256;
+        rv = SECSuccess;
+    } else if (ss->opt.bypassPKCS11) {
         /* compute them without PKCS11 */
         PRUint64      md5_cx[MAX_MAC_CONTEXT_LLONGS];
         PRUint64      sha_cx[MAX_MAC_CONTEXT_LLONGS];
 
 #define md5cx ((MD5Context *)md5_cx)
 #define shacx ((SHA1Context *)sha_cx)
 
         if (!spec->msItem.data) {
             PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
             return SECFailure;
@@ skipping 64 matching lines @@
         SHA1_End(shacx, hashes->u.s.sha, &outLength, SHA1_LENGTH);
 
         PRINT_BUF(60, (NULL, "SHA outer: result", hashes->u.s.sha, SHA1_LENGTH));
 
         hashes->len = MD5_LENGTH + SHA1_LENGTH;
         rv = SECSuccess;
 #undef md5cx
 #undef shacx
     } else 
 #endif
-    if (ss->ssl3.hs.tls12_handshake_hash) {
+    if (ss->ssl3.hs.hashType == HANDSHAKE_HASH_SINGLE) {
+        /* compute hashes with PKCS11 */
         PK11Context *h;
         unsigned int  stateLen;
         unsigned char stackBuf[1024];
         unsigned char *stateBuf = NULL;
 
         if (!spec->master_secret) {
             PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
             return SECFailure;
         }
 
-        h = ss->ssl3.hs.tls12_handshake_hash;
+        h = ss->ssl3.hs.sha;
         stateBuf = PK11_SaveContextAlloc(h, stackBuf,
                                          sizeof(stackBuf), &stateLen);
         if (stateBuf == NULL) {
             ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
             goto tls12_loser;
         }
         rv |= PK11_DigestFinal(h, hashes->u.raw, &hashes->len,
                                sizeof(hashes->u.raw));
         if (rv != SECSuccess) {
             ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
             rv = SECFailure;
             goto tls12_loser;
         }
         /* If we ever support ciphersuites where the PRF hash isn't SHA-256
          * then this will need to be updated. */
         hashes->hashAlg = SEC_OID_SHA256;
         rv = SECSuccess;
 
 tls12_loser:
         if (stateBuf) {
-            if (PK11_RestoreContext(ss->ssl3.hs.tls12_handshake_hash, stateBuf,
-                                    stateLen) != SECSuccess) {
+            if (PK11_RestoreContext(h, stateBuf, stateLen) != SECSuccess) {
                 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
                 rv = SECFailure;
             }
             if (stateBuf != stackBuf) {
                 PORT_ZFree(stateBuf, stateLen);
             }
         }
     } else {
-        /* compute hases with PKCS11 */
+        /* compute hashes with PKCS11 */
         PK11Context * md5;
         PK11Context * sha       = NULL;
         unsigned char *md5StateBuf = NULL;
         unsigned char *shaStateBuf = NULL;
         unsigned int  md5StateLen, shaStateLen;
         unsigned char md5StackBuf[256];
         unsigned char shaStackBuf[512];
 
         if (!spec->master_secret) {
             PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
@@ skipping 144 matching lines @@
 ssl3_StartHandshakeHash(sslSocket *ss, unsigned char * buf, int length)
 {
     SECStatus rv;
 
     ssl_GetSSL3HandshakeLock(ss);  /**************************************/
 
     rv = ssl3_InitState(ss);
     if (rv != SECSuccess) {
         goto done;              /* ssl3_InitState has set the error code. */
     }
+    rv = ssl3_RestartHandshakeHashes(ss);
+    if (rv != SECSuccess) {
+        goto done;
+    }
 
     PORT_Memset(&ss->ssl3.hs.client_random, 0, SSL3_RANDOM_LENGTH);
     PORT_Memcpy(
         &ss->ssl3.hs.client_random.rand[SSL3_RANDOM_LENGTH - SSL_CHALLENGE_BYTES],
         &ss->sec.ci.clientChallenge,
         SSL_CHALLENGE_BYTES);
 
     rv = ssl3_UpdateHandshakeHashes(ss, buf, length);
     /* if it failed, ssl3_UpdateHandshakeHashes has set the error code. */
 
@@ skipping 39 matching lines @@
         return rv;              /* ssl3_InitState has set the error code. */
     }
     ss->ssl3.hs.sendingSCSV = PR_FALSE; /* Must be reset every handshake */
     PORT_Assert(IS_DTLS(ss) || !resending);
 
     /* We might be starting a session renegotiation in which case we should
      * clear previous state.
      */
     PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
 
-    SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes",
-            SSL_GETPID(), ss->fd ));
     rv = ssl3_RestartHandshakeHashes(ss);
     if (rv != SECSuccess) {
         return rv;
     }
 
     /*
      * During a renegotiation, ss->clientHelloVersion will be used again to
      * work around a Windows SChannel bug. Ensure that it is still enabled.
      */
     if (ss->firstHsDone) {
@@ skipping 1249 matching lines @@
     SECItem       sidBytes      = {siBuffer, NULL, 0};
     PRBool        sid_match;
     PRBool        isTLS         = PR_FALSE;
     SSL3AlertDescription desc   = illegal_parameter;
     SSL3ProtocolVersion version;
 
     SSL_TRC(3, ("%d: SSL3[%d]: handle server_hello handshake",
         SSL_GETPID(), ss->fd));
     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ss->ssl3.initialized );
 
-    rv = ssl3_InitState(ss);
-    if (rv != SECSuccess) {
-        errCode = PORT_GetError(); /* ssl3_InitState has set the error code. */
-        goto alert_loser;
-    }
     if (ss->ssl3.hs.ws != wait_server_hello) {
         errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO;
         desc    = unexpected_message;
         goto alert_loser;
     }
 
     /* clean up anything left from previous handshake. */
     if (ss->ssl3.clientCertChain != NULL) {
        CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
        ss->ssl3.clientCertChain = NULL;
@@ skipping 47 matching lines @@
 
     rv = ssl3_NegotiateVersion(ss, version, PR_FALSE);
     if (rv != SECSuccess) {
         desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version 
                                                    : handshake_failure;
         errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
         goto alert_loser;
     }
     isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0);
 
-    rv = ssl3_InitTLS12HandshakeHash(ss);
+    rv = ssl3_InitHandshakeHashes(ss);
     if (rv != SECSuccess) {
         desc = internal_error;
         errCode = PORT_GetError();
         goto alert_loser;
     }
 
     rv = ssl3_ConsumeHandshake(
         ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH, &b, &length);
     if (rv != SECSuccess) {
         goto loser;     /* alert has been sent */
@@ skipping 1317 matching lines @@
     SECItem             suites   = {siBuffer, NULL, 0};
     SECItem             comps    = {siBuffer, NULL, 0};
     PRBool              haveSpecWriteLock = PR_FALSE;
     PRBool              haveXmitBufLock   = PR_FALSE;
 
     SSL_TRC(3, ("%d: SSL3[%d]: handle client_hello handshake",
         SSL_GETPID(), ss->fd));
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
+    PORT_Assert( ss->ssl3.initialized );
 
     /* Get peer name of client */
     rv = ssl_GetPeerInfo(ss);
     if (rv != SECSuccess) {
         return rv;              /* error code is set. */
     }
 
     /* Clearing the handshake pointers so that ssl_Do1stHandshake won't
      * call ssl2_HandleMessage.
      *
      * The issue here is that TLS ordinarily starts out in
      * ssl2_HandleV3HandshakeRecord() because of the backward-compatibility
      * code paths. That function zeroes these next pointers. But with DTLS,
      * we don't even try to do the v2 ClientHello so we skip that function
      * and need to reset these values here.
      */
     if (IS_DTLS(ss)) {
         ss->nextHandshake     = 0;
         ss->securityHandshake = 0;
     }
 
     /* We might be starting session renegotiation in which case we should
      * clear previous state.
      */
     PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
     ss->statelessResume = PR_FALSE;
 
-    rv = ssl3_InitState(ss);
-    if (rv != SECSuccess) {
-        return rv;              /* ssl3_InitState has set the error code. */
-    }
-
     if ((ss->ssl3.hs.ws != wait_client_hello) &&
         (ss->ssl3.hs.ws != idle_handshake)) {
         desc    = unexpected_message;
         errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO;
         goto alert_loser;
     }
     if (ss->ssl3.hs.ws == idle_handshake  &&
         ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) {
         desc    = no_renegotiation;
         level   = alert_warning;
@@ skipping 18 matching lines @@
     }
 
     rv = ssl3_NegotiateVersion(ss, version, PR_TRUE);
     if (rv != SECSuccess) {
         desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version 
                                                    : handshake_failure;
         errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
         goto alert_loser;
     }
 
-    rv = ssl3_InitTLS12HandshakeHash(ss);
+    rv = ssl3_InitHandshakeHashes(ss);
     if (rv != SECSuccess) {
         desc = internal_error;
         errCode = PORT_GetError();
         goto alert_loser;
     }
 
     /* grab the client random data. */
     rv = ssl3_ConsumeHandshake(
         ss, &ss->ssl3.hs.client_random, SSL3_RANDOM_LENGTH, &b, &length);
     if (rv != SECSuccess) {
@@ skipping 707 matching lines @@
 
     ssl_GetSSL3HandshakeLock(ss);
 
     PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
 
     rv = ssl3_InitState(ss);
     if (rv != SECSuccess) {
         ssl_ReleaseSSL3HandshakeLock(ss);
         return rv;              /* ssl3_InitState has set the error code. */
     }
+    rv = ssl3_RestartHandshakeHashes(ss);
+    if (rv != SECSuccess) {
+        ssl_ReleaseSSL3HandshakeLock(ss);
+        return rv;
+    }
 
     if (ss->ssl3.hs.ws != wait_client_hello) {
         desc    = unexpected_message;
         errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO;
         goto loser;     /* alert_loser */
     }
 
     version      = (buffer[1] << 8) | buffer[2];
     suite_length = (buffer[3] << 8) | buffer[4];
     sid_length   = (buffer[5] << 8) | buffer[6];
     rand_length  = (buffer[7] << 8) | buffer[8];
     ss->clientHelloVersion = version;
 
     rv = ssl3_NegotiateVersion(ss, version, PR_TRUE);
     if (rv != SECSuccess) {
         /* send back which ever alert client will understand. */
         desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version : handshake_failure;
         errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
         goto alert_loser;
     }
 
-    rv = ssl3_InitTLS12HandshakeHash(ss);
+    rv = ssl3_InitHandshakeHashes(ss);
     if (rv != SECSuccess) {
         desc = internal_error;
         errCode = PORT_GetError();
         goto alert_loser;
     }
 
     /* if we get a non-zero SID, just ignore it. */
     if (length !=
         SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length + rand_length) {
         SSL_DBG(("%d: SSL3[%d]: bad v2 client hello message, len=%d should=%d",
@@ skipping 710 matching lines @@
     unsigned int      outLen = 0;
 #endif
     PRBool            isTLS  = PR_FALSE;
     SECStatus         rv;
     SECItem           enc_pms;
     unsigned char     rsaPmsBuf[SSL3_RSA_PMS_LENGTH];
     SECItem           pmsItem = {siBuffer, NULL, 0};
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ss->ssl3.prSpec == ss->ssl3.pwSpec );
 
     enc_pms.data = b;
     enc_pms.len  = length;
     pmsItem.data = rsaPmsBuf;
     pmsItem.len  = sizeof rsaPmsBuf;
 
     if (ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */
         PRInt32 kLen;
         kLen = ssl3_ConsumeHandshakeNumber(ss, 2, &enc_pms.data, &enc_pms.len);
         if (kLen < 0) {
@@ skipping 1008 matching lines @@
         rv = SECFailure;
 #else
         SECItem inData  = { siBuffer, };
         SECItem outData = { siBuffer, };
         PRBool isFIPS   = PR_FALSE;
 
         inData.data  = (unsigned char *) val;
         inData.len   = valLen;
         outData.data = out;
         outData.len  = outLen;
-        rv = TLS_PRF(&spec->msItem, label, &inData, &outData, isFIPS);
+        if (spec->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
+            rv = TLS_P_hash(HASH_AlgSHA256, &spec->msItem, label, &inData,
+                            &outData, isFIPS);
+        } else {
+            rv = TLS_PRF(&spec->msItem, label, &inData, &outData, isFIPS);
+        }
         PORT_Assert(rv != SECSuccess || outData.len == outLen);
 #endif
     }
     return rv;
 }
 
 /* called from ssl3_HandleServerHelloDone
  */
 static SECStatus
 ssl3_SendNextProto(sslSocket *ss)
@@ skipping 653 matching lines @@
             rSpec  = ss->ssl3.crSpec;
         }
         rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender);
     }
     ssl_ReleaseSpecReadLock(ss); /************************************/
     if (rv != SECSuccess) {
         return rv;      /* error code was set by ssl3_ComputeHandshakeHashes*/
     }
     SSL_TRC(30,("%d: SSL3[%d]: handle handshake message: %s", SSL_GETPID(),
                 ss->fd, ssl3_DecodeHandshakeType(ss->ssl3.hs.msg_type)));
-    PRINT_BUF(60, (ss, "MD5 handshake hash:",
-              (unsigned char*)ss->ssl3.hs.md5_cx, MD5_LENGTH));
-    PRINT_BUF(95, (ss, "SHA handshake hash:",
-              (unsigned char*)ss->ssl3.hs.sha_cx, SHA1_LENGTH));

[wtc, 2013/06/15 19:40:55]

These two PRINT_BUF statements are also broken and are removed.

 
     hdr[0] = (PRUint8)ss->ssl3.hs.msg_type;
     hdr[1] = (PRUint8)(length >> 16);
     hdr[2] = (PRUint8)(length >>  8);
     hdr[3] = (PRUint8)(length      );
 
     /* Start new handshake hashes when we start a new handshake */
     if (ss->ssl3.hs.msg_type == client_hello) {
-        SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes",
-                SSL_GETPID(), ss->fd ));
         rv = ssl3_RestartHandshakeHashes(ss);
         if (rv != SECSuccess) {
             return rv;
         }
     }
     /* We should not include hello_request and hello_verify_request messages
      * in the handshake hashes */
     if ((ss->ssl3.hs.msg_type != hello_request) &&
         (ss->ssl3.hs.msg_type != hello_verify_request)) {
         rv = ssl3_UpdateHandshakeHashes(ss, (unsigned char*) hdr, 4);
@@ skipping 932 matching lines @@
 
     spec->epoch                    = 0;
     dtls_InitRecvdRecords(&spec->recvdRecords);
 
     spec->version                  = ss->vrange.max;
 }
 
 /* Called from: ssl3_SendRecord
 **              ssl3_StartHandshakeHash() <- ssl2_BeginClientHandshake()
 **              ssl3_SendClientHello()
-**              ssl3_HandleServerHello()
-**              ssl3_HandleClientHello()
 **              ssl3_HandleV2ClientHello()
 **              ssl3_HandleRecord()
 **
 ** This function should perhaps acquire and release the SpecWriteLock.
 **
 **
 */
 static SECStatus
 ssl3_InitState(sslSocket *ss)
 {
-    SECStatus    rv;
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
 
     if (ss->ssl3.initialized)
         return SECSuccess;      /* Function should be idempotent */
 
     ss->ssl3.policy = SSL_ALLOWED;
 
     ssl_GetSpecWriteLock(ss);
     ss->ssl3.crSpec = ss->ssl3.cwSpec = &ss->ssl3.specs[0];
     ss->ssl3.prSpec = ss->ssl3.pwSpec = &ss->ssl3.specs[1];
@@ skipping 12 matching lines @@
     if (IS_DTLS(ss)) {
         ss->ssl3.hs.sendMessageSeq = 0;
         ss->ssl3.hs.recvMessageSeq = 0;
         ss->ssl3.hs.rtTimeoutMs = INITIAL_DTLS_TIMEOUT_MS;
         ss->ssl3.hs.rtRetries = 0;
         ss->ssl3.hs.recvdHighWater = -1;
         PR_INIT_CLIST(&ss->ssl3.hs.lastMessageFlight);
         dtls_SetMTU(ss, 0); /* Set the MTU to the highest plateau */
     }
 
-    rv = ssl3_NewHandshakeHashes(ss);
-    if (rv == SECSuccess) {
-        ss->ssl3.initialized = PR_TRUE;
-    }
+    PORT_Assert(!ss->ssl3.hs.messages.buf && !ss->ssl3.hs.messages.space);
+    ss->ssl3.hs.messages.buf = NULL;
+    ss->ssl3.hs.messages.space = 0;
 
-    return rv;
+    ss->ssl3.initialized = PR_TRUE;
+    return SECSuccess;
 }
 
 /* Returns a reference counted object that contains a key pair.
  * Or NULL on failure.  Initial ref count is 1.
  * Uses the keys in the pair as input.
  */
 ssl3KeyPair *
 ssl3_NewKeyPair( SECKEYPrivateKey * privKey, SECKEYPublicKey * pubKey)
 {
     ssl3KeyPair * pair;
@@ skipping 345 matching lines @@
         ssl3_CleanupPeerCerts(ss);
 
     if (ss->ssl3.clientCertChain != NULL) {
        CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
        ss->ssl3.clientCertChain = NULL;
     }
 
     /* clean up handshake */
 #ifndef NO_PKCS11_BYPASS
     if (ss->opt.bypassPKCS11) {
-        SHA1_DestroyContext((SHA1Context *)ss->ssl3.hs.sha_cx, PR_FALSE);
-        MD5_DestroyContext((MD5Context *)ss->ssl3.hs.md5_cx, PR_FALSE);
+        if (ss->ssl3.hs.hashType == HANDSHAKE_HASH_COMBO) {
+            SHA1_DestroyContext((SHA1Context *)ss->ssl3.hs.sha_cx, PR_FALSE);
+            MD5_DestroyContext((MD5Context *)ss->ssl3.hs.md5_cx, PR_FALSE);
+        } else if (ss->ssl3.hs.hashType == HANDSHAKE_HASH_SINGLE) {
+            ss->ssl3.hs.sha_obj->destroy(ss->ssl3.hs.sha_cx, PR_FALSE);
+        }
     } 
 #endif
     if (ss->ssl3.hs.md5) {
         PK11_DestroyContext(ss->ssl3.hs.md5,PR_TRUE);
     }
     if (ss->ssl3.hs.sha) {
         PK11_DestroyContext(ss->ssl3.hs.sha,PR_TRUE);
     }
-    if (ss->ssl3.hs.tls12_handshake_hash) {
-        PK11_DestroyContext(ss->ssl3.hs.tls12_handshake_hash,PR_TRUE);
-    }
     if (ss->ssl3.hs.clientSigAndHash) {
         PORT_Free(ss->ssl3.hs.clientSigAndHash);
     }
     if (ss->ssl3.hs.messages.buf) {
         PORT_Free(ss->ssl3.hs.messages.buf);
         ss->ssl3.hs.messages.buf = NULL;
         ss->ssl3.hs.messages.len = 0;
         ss->ssl3.hs.messages.space = 0;
     }
 
@@ skipping 11 matching lines @@
             PORT_Free(ss->ssl3.hs.recvdFragments.buf);
         }
     }
 
     ss->ssl3.initialized = PR_FALSE;
 
     SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
 }
 
 /* End of ssl3con.c */