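--- a/ssl3con.c
+++ b/ssl3con.c
@@ -1,10 +1,10 @@
 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
 /*
 * SSL3 Protocol
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */
 
@@ -6845,20 +6845,84 @@
 loser:
 PORT_SetError( errCode );
 return SECFailure;
 
 no_memory: /* no-memory error has already been set. */
 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
 return SECFailure;
 }
 
 
+/*
+* Returns true if the client authentication key is an RSA or DSA key that
+* may be able to sign only SHA-1 hashes.
+*/
+static PRBool
+ssl3_ClientKeyPrefersSHA1(sslSocket *ss)
+{
+SECKEYPublicKey *pubk;
+PRBool prefer_sha1 = PR_FALSE;
+
+#if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(_WIN32)
+/* If the key is in CAPI, assume conservatively that the CAPI service
+* provider may be unable to sign SHA-256 hashes.
+*/
+if (ss->ssl3.platformClientKey->dwKeySpec != CERT_NCRYPT_KEY_SPEC) {
+/* CAPI only supports RSA and DSA signatures, so we don't need to
+* check the key type. */
+return PR_TRUE;
+}
+#endif /* NSS_PLATFORM_CLIENT_AUTH && _WIN32 */
+
+/* If the key is a 1024-bit RSA or DSA key, assume conservatively that
+* it may be unable to sign SHA-256 hashes. This is the case for older
+* Estonian ID cards that have 1024-bit RSA keys. In FIPS 186-2 and
+* older, DSA key size is at most 1024 bits and the hash function must
+* be SHA-1.
+*/
+pubk = CERT_ExtractPublicKey(ss->ssl3.clientCertificate);
+if (pubk == NULL) {
+return PR_FALSE;
+}
+if (pubk->keyType == rsaKey || pubk->keyType == dsaKey) {
+prefer_sha1 = SECKEY_PublicKeyStrength(pubk) <= 128;
+}
+SECKEY_DestroyPublicKey(pubk);
+return prefer_sha1;
+}
+
+/* Destroys the backup handshake hash context if we don't need it. */
+static void
+ssl3_DestroyBackupHandshakeHashIfNotNeeded(sslSocket *ss,
+const SECItem *algorithms)
+{
+PRBool need_backup_hash = PR_FALSE;
+unsigned int i;
+
+PORT_Assert(ss->ssl3.hs.md5);
+if (ssl3_ClientKeyPrefersSHA1(ss)) {
+/* Use SHA-1 if the server supports it. */
+for (i = 0; i < algorithms->len; i += 2) {
+if (algorithms->data[i] == tls_hash_sha1 &&
+(algorithms->data[i+1] == tls_sig_rsa ||
+algorithms->data[i+1] == tls_sig_dsa)) {
+need_backup_hash = PR_TRUE;
+break;
+}
+}
+}
+if (!need_backup_hash) {
+PK11_DestroyContext(ss->ssl3.hs.md5, PR_TRUE);
+ss->ssl3.hs.md5 = NULL;
+}
+}
+
 typedef struct dnameNode {
 struct dnameNode *next;
 SECItem name;
 } dnameNode;
 
 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
 * ssl3 Certificate Request message.
 * Caller must hold Handshake and RecvBuf locks.
 */
 static SECStatus
@@ -7037,69 +7101,22 @@
 if (ss->ssl3.clientCertificate != NULL) {
 CERT_DestroyCertificate(ss->ssl3.clientCertificate);
 ss->ssl3.clientCertificate = NULL;
 }
 if (ss->ssl3.platformClientKey) {
 ssl_FreePlatformKey(ss->ssl3.platformClientKey);
 ss->ssl3.platformClientKey = (PlatformKey)NULL;
 }
 goto send_no_certificate;
 }
-
-	if (isTLS12 && ss->ssl3.hs.md5) {
-		PRBool need_backup_hash = PR_FALSE;
-		PRBool prefer_sha1 = PR_FALSE;
-#ifdef _WIN32
-		/* If the key is in CAPI, assume conservatively that the CAPI
-		* service provider may be unable to sign SHA-256 hashes.
-		*/
-		if (ss->ssl3.platformClientKey->dwKeySpec !=
-		CERT_NCRYPT_KEY_SPEC) {
-		/* CAPI only supports RSA and DSA signatures, so we don't
-		* need to check the key type. */
-		prefer_sha1 = PR_TRUE;
-		}
-#endif /* _WIN32 */
-		/* If the key is a 1024-bit RSA or DSA key, assume
-		* conservatively that it may be unable to sign SHA-256
-		* hashes. This is the case for older Estonian ID cards that
-		* have 1024-bit RSA keys. In FIPS 186-2 and older, DSA key
-		* size is at most 1024 bits and the hash function must be
-		* SHA-1.
-		*/
-		if (!prefer_sha1) {
-		SECKEYPublicKey *pubk =
-			CERT_ExtractPublicKey(ss->ssl3.clientCertificate);
-		if (pubk == NULL) {
-			errCode = SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE;
-			goto loser;
-		}
-		if (pubk->keyType == rsaKey || pubk->keyType == dsaKey) {
-			prefer_sha1 = SECKEY_PublicKeyStrength(pubk) <= 128;
-		}
-		SECKEY_DestroyPublicKey(pubk);
-		}
-		/* Use SHA-1 if the server supports it. */
-		if (prefer_sha1) {
-		for (i = 0; i < algorithms.len; i += 2) {
-			if (algorithms.data[i] == tls_hash_sha1 &&
-			(algorithms.data[i+1] == tls_sig_rsa ||
-			algorithms.data[i+1] == tls_sig_dsa)) {
-			need_backup_hash = PR_TRUE;
-			break;
-			}
-		}
-		}
-		if (!need_backup_hash) {
-		PK11_DestroyContext(ss->ssl3.hs.md5, PR_TRUE);
-		ss->ssl3.hs.md5 = NULL;
-		}
+	if (isTLS12) {
+		ssl3_DestroyBackupHandshakeHashIfNotNeeded(ss, &algorithms);
 }
 break; /* not an error */
 }
 #endif /* NSS_PLATFORM_CLIENT_AUTH */
 /* check what the callback function returned */
 if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) {
 /* we are missing either the key or cert */
 if (ss->ssl3.clientCertificate) {
 /* got a cert, but no key - free it */
 CERT_DestroyCertificate(ss->ssl3.clientCertificate);
@@ -7122,20 +7139,23 @@
 if (ss->ssl3.clientCertificate != NULL) {
 CERT_DestroyCertificate(ss->ssl3.clientCertificate);
 ss->ssl3.clientCertificate = NULL;
 }
 if (ss->ssl3.clientPrivateKey != NULL) {
 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
 ss->ssl3.clientPrivateKey = NULL;
 }
 goto send_no_certificate;
 }
+if (isTLS12) {
+ssl3_DestroyBackupHandshakeHashIfNotNeeded(ss, &algorithms);
+}
 break; /* not an error */
 
 case SECFailure:
 default:
 send_no_certificate:
 if (isTLS) {
 ss->ssl3.sendEmptyCert = PR_TRUE;
 } else {
 (void)SSL3_SendAlert(ss, alert_warning, no_certificate);
 }
@@ -12371,10 +12391,10 @@
 PORT_Free(ss->ssl3.hs.recvdFragments.buf);
 }
 }
 
 ss->ssl3.initialized = PR_FALSE;
 
 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
 }
 
 /* End of ssl3con.c */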
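Review bot: The CAPI test in ssl3_ClientKeyPrefersSHA1 (new line 6869) dereferences ss->ssl3.platformClientKey unconditionally, but the helper is now also reached from the second call site at new line 7150, which sits after `#endif /* NSS_PLATFORM_CLIENT_AUTH */` on the ordinary getClientAuthData path where the platform callback was not used and platformClientKey is presumably still NULL, so a build with both NSS_PLATFORM_CLIENT_AUTH and _WIN32 defined would crash in the middle of the handshake. The old inline check (removed lines 7051-7061) only ever ran inside the platform-auth branch, so this exposure is new with the refactor; guard it with `if (ss->ssl3.platformClientKey && ss->ssl3.platformClientKey->dwKeySpec != CERT_NCRYPT_KEY_SPEC) {`. Two quieter behaviour changes deserve a sentence in the helper's header comment: a CERT_ExtractPublicKey failure used to set SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE and abort via `goto loser` (removed lines 7072-7075), whereas new line 6884 silently returns PR_FALSE and the backup SHA-1 hash is then destroyed, and the old runtime `ss->ssl3.hs.md5` check at the call site has become a PORT_Assert (new line 6901) that compiles out in release builds, so a NULL context would reach PK11_DestroyContext at new line 6914 unless the callers guarantee it is set. The enclosing certificate-request handler starts and ends outside the shown hunks.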