OLD | NEW |
1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ | 1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ |
2 /* | 2 /* |
3 * SSL3 Protocol | 3 * SSL3 Protocol |
4 * | 4 * |
5 * ***** BEGIN LICENSE BLOCK ***** | 5 * ***** BEGIN LICENSE BLOCK ***** |
6 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 6 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
7 * | 7 * |
8 * The contents of this file are subject to the Mozilla Public License Version | 8 * The contents of this file are subject to the Mozilla Public License Version |
9 * 1.1 (the "License"); you may not use this file except in compliance with | 9 * 1.1 (the "License"); you may not use this file except in compliance with |
10 * the License. You may obtain a copy of the License at | 10 * the License. You may obtain a copy of the License at |
(...skipping 24 matching lines...) Expand all Loading... |
35 * under the terms of either the GPL or the LGPL, and not to allow others to | 35 * under the terms of either the GPL or the LGPL, and not to allow others to |
36 * use your version of this file under the terms of the MPL, indicate your | 36 * use your version of this file under the terms of the MPL, indicate your |
37 * decision by deleting the provisions above and replace them with the notice | 37 * decision by deleting the provisions above and replace them with the notice |
38 * and other provisions required by the GPL or the LGPL. If you do not delete | 38 * and other provisions required by the GPL or the LGPL. If you do not delete |
39 * the provisions above, a recipient may use your version of this file under | 39 * the provisions above, a recipient may use your version of this file under |
40 * the terms of any one of the MPL, the GPL or the LGPL. | 40 * the terms of any one of the MPL, the GPL or the LGPL. |
41 * | 41 * |
42 * ***** END LICENSE BLOCK ***** */ | 42 * ***** END LICENSE BLOCK ***** */ |
43 /* $Id: ssl3con.c,v 1.173 2012/03/18 00:31:19 wtc%google.com Exp $ */ | 43 /* $Id: ssl3con.c,v 1.173 2012/03/18 00:31:19 wtc%google.com Exp $ */ |
44 | 44 |
| 45 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */ |
| 46 |
45 #include "cert.h" | 47 #include "cert.h" |
46 #include "ssl.h" | 48 #include "ssl.h" |
47 #include "cryptohi.h" /* for DSAU_ stuff */ | 49 #include "cryptohi.h" /* for DSAU_ stuff */ |
48 #include "keyhi.h" | 50 #include "keyhi.h" |
49 #include "secder.h" | 51 #include "secder.h" |
50 #include "secitem.h" | 52 #include "secitem.h" |
51 | 53 |
52 #include "sslimpl.h" | 54 #include "sslimpl.h" |
53 #include "sslproto.h" | 55 #include "sslproto.h" |
54 #include "sslerr.h" | 56 #include "sslerr.h" |
(...skipping 30 matching lines...) Expand all Loading... |
85 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss); | 87 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss); |
86 static SECStatus ssl3_SendNextProto( sslSocket *ss); | 88 static SECStatus ssl3_SendNextProto( sslSocket *ss); |
87 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags); | 89 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags); |
88 static SECStatus ssl3_SendServerHello( sslSocket *ss); | 90 static SECStatus ssl3_SendServerHello( sslSocket *ss); |
89 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss); | 91 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss); |
90 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss); | 92 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss); |
91 static SECStatus ssl3_NewHandshakeHashes( sslSocket *ss); | 93 static SECStatus ssl3_NewHandshakeHashes( sslSocket *ss); |
92 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss, | 94 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss, |
93 const unsigned char *b, | 95 const unsigned char *b, |
94 unsigned int l); | 96 unsigned int l); |
| 97 static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags); |
95 | 98 |
96 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, | 99 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, |
97 int maxOutputLen, const unsigned char *input, | 100 int maxOutputLen, const unsigned char *input, |
98 int inputLen); | 101 int inputLen); |
99 | 102 |
100 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */ | 103 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */ |
101 #define MIN_SEND_BUF_LENGTH 4000 | 104 #define MIN_SEND_BUF_LENGTH 4000 |
102 | 105 |
103 #define MAX_CIPHER_SUITES 20 | 106 #define MAX_CIPHER_SUITES 20 |
104 | 107 |
(...skipping 109 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
214 } | 217 } |
215 | 218 |
216 static const /*SSL3ClientCertificateType */ uint8 certificate_types [] = { | 219 static const /*SSL3ClientCertificateType */ uint8 certificate_types [] = { |
217 ct_RSA_sign, | 220 ct_RSA_sign, |
218 ct_DSS_sign, | 221 ct_DSS_sign, |
219 #ifdef NSS_ENABLE_ECC | 222 #ifdef NSS_ENABLE_ECC |
220 ct_ECDSA_sign, | 223 ct_ECDSA_sign, |
221 #endif /* NSS_ENABLE_ECC */ | 224 #endif /* NSS_ENABLE_ECC */ |
222 }; | 225 }; |
223 | 226 |
224 #ifdef NSS_ENABLE_ZLIB | |
225 /* | |
226 * The DEFLATE algorithm can result in an expansion of 0.1% + 12 bytes. For a | |
227 * maximum TLS record payload of 2**14 bytes, that's 29 bytes. | |
228 */ | |
229 #define SSL3_COMPRESSION_MAX_EXPANSION 29 | |
230 #else /* !NSS_ENABLE_ZLIB */ | |
231 #define SSL3_COMPRESSION_MAX_EXPANSION 0 | |
232 #endif | |
233 | |
234 /* | |
235 * make sure there is room in the write buffer for padding and | |
236 * other compression and cryptographic expansions. | |
237 */ | |
238 #define SSL3_BUFFER_FUDGE 100 + SSL3_COMPRESSION_MAX_EXPANSION | |
239 | |
240 #define EXPORT_RSA_KEY_LENGTH 64 /* bytes */ | 227 #define EXPORT_RSA_KEY_LENGTH 64 /* bytes */ |
241 | 228 |
242 | 229 |
243 /* This global item is used only in servers. It is is initialized by | 230 /* This global item is used only in servers. It is is initialized by |
244 ** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest(). | 231 ** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest(). |
245 */ | 232 */ |
246 CERTDistNames *ssl3_server_ca_list = NULL; | 233 CERTDistNames *ssl3_server_ca_list = NULL; |
247 static SSL3Statistics ssl3stats; | 234 static SSL3Statistics ssl3stats; |
248 | 235 |
249 /* indexed by SSL3BulkCipher */ | 236 /* indexed by SSL3BulkCipher */ |
(...skipping 260 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
510 static char * | 497 static char * |
511 ssl3_DecodeHandshakeType(int msgType) | 498 ssl3_DecodeHandshakeType(int msgType) |
512 { | 499 { |
513 char * rv; | 500 char * rv; |
514 static char line[40]; | 501 static char line[40]; |
515 | 502 |
516 switch(msgType) { | 503 switch(msgType) { |
517 case hello_request: rv = "hello_request (0)"; break; | 504 case hello_request: rv = "hello_request (0)"; break; |
518 case client_hello: rv = "client_hello (1)"; break; | 505 case client_hello: rv = "client_hello (1)"; break; |
519 case server_hello: rv = "server_hello (2)"; break; | 506 case server_hello: rv = "server_hello (2)"; break; |
| 507 case hello_verify_request: rv = "hello_verify_request (3)"; break; |
520 case certificate: rv = "certificate (11)"; break; | 508 case certificate: rv = "certificate (11)"; break; |
521 case server_key_exchange: rv = "server_key_exchange (12)"; break; | 509 case server_key_exchange: rv = "server_key_exchange (12)"; break; |
522 case certificate_request: rv = "certificate_request (13)"; break; | 510 case certificate_request: rv = "certificate_request (13)"; break; |
523 case server_hello_done: rv = "server_hello_done (14)"; break; | 511 case server_hello_done: rv = "server_hello_done (14)"; break; |
524 case certificate_verify: rv = "certificate_verify (15)"; break; | 512 case certificate_verify: rv = "certificate_verify (15)"; break; |
525 case client_key_exchange: rv = "client_key_exchange (16)"; break; | 513 case client_key_exchange: rv = "client_key_exchange (16)"; break; |
526 case finished: rv = "finished (20)"; break; | 514 case finished: rv = "finished (20)"; break; |
527 default: | 515 default: |
528 sprintf(line, "*UNKNOWN* handshake type! (%d)", msgType); | 516 sprintf(line, "*UNKNOWN* handshake type! (%d)", msgType); |
529 rv = line; | 517 rv = line; |
(...skipping 119 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
649 if (suite->enabled) { | 637 if (suite->enabled) { |
650 ++numEnabled; | 638 ++numEnabled; |
651 /* We need the cipher defs to see if we have a token that can handle | 639 /* We need the cipher defs to see if we have a token that can handle |
652 * this cipher. It isn't part of the static definition. | 640 * this cipher. It isn't part of the static definition. |
653 */ | 641 */ |
654 cipher_def = ssl_LookupCipherSuiteDef(suite->cipher_suite); | 642 cipher_def = ssl_LookupCipherSuiteDef(suite->cipher_suite); |
655 if (!cipher_def) { | 643 if (!cipher_def) { |
656 suite->isPresent = PR_FALSE; | 644 suite->isPresent = PR_FALSE; |
657 continue; | 645 continue; |
658 } | 646 } |
659 » cipher_alg=bulk_cipher_defs[cipher_def->bulk_cipher_alg ].calg; | 647 » cipher_alg = bulk_cipher_defs[cipher_def->bulk_cipher_alg].calg; |
660 PORT_Assert( alg2Mech[cipher_alg].calg == cipher_alg); | 648 PORT_Assert( alg2Mech[cipher_alg].calg == cipher_alg); |
661 cipher_mech = alg2Mech[cipher_alg].cmech; | 649 cipher_mech = alg2Mech[cipher_alg].cmech; |
662 exchKeyType = | 650 exchKeyType = |
663 kea_defs[cipher_def->key_exchange_alg].exchKeyType; | 651 kea_defs[cipher_def->key_exchange_alg].exchKeyType; |
664 #ifndef NSS_ENABLE_ECC | 652 #ifndef NSS_ENABLE_ECC |
665 svrAuth = ss->serverCerts + exchKeyType; | 653 svrAuth = ss->serverCerts + exchKeyType; |
666 #else | 654 #else |
667 /* XXX SSLKEAType isn't really a good choice for | 655 /* XXX SSLKEAType isn't really a good choice for |
668 * indexing certificates. It doesn't work for | 656 * indexing certificates. It doesn't work for |
669 * (EC)DHE-* ciphers. Here we use a hack to ensure | 657 * (EC)DHE-* ciphers. Here we use a hack to ensure |
(...skipping 471 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1141 PK11_DestroyContext(mat->write_mac_context, PR_TRUE); | 1129 PK11_DestroyContext(mat->write_mac_context, PR_TRUE); |
1142 mat->write_mac_context = NULL; | 1130 mat->write_mac_context = NULL; |
1143 } | 1131 } |
1144 } | 1132 } |
1145 | 1133 |
1146 /* Called from ssl3_SendChangeCipherSpecs() and | 1134 /* Called from ssl3_SendChangeCipherSpecs() and |
1147 ** ssl3_HandleChangeCipherSpecs() | 1135 ** ssl3_HandleChangeCipherSpecs() |
1148 ** ssl3_DestroySSL3Info | 1136 ** ssl3_DestroySSL3Info |
1149 ** Caller must hold SpecWriteLock. | 1137 ** Caller must hold SpecWriteLock. |
1150 */ | 1138 */ |
1151 static void | 1139 void |
1152 ssl3_DestroyCipherSpec(ssl3CipherSpec *spec, PRBool freeSrvName) | 1140 ssl3_DestroyCipherSpec(ssl3CipherSpec *spec, PRBool freeSrvName) |
1153 { | 1141 { |
1154 PRBool freeit = (PRBool)(!spec->bypassCiphers); | 1142 PRBool freeit = (PRBool)(!spec->bypassCiphers); |
1155 /* PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); Don't have ss! *
/ | 1143 /* PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); Don't have ss! *
/ |
1156 if (spec->destroy) { | 1144 if (spec->destroy) { |
1157 spec->destroy(spec->encodeContext, freeit); | 1145 spec->destroy(spec->encodeContext, freeit); |
1158 spec->destroy(spec->decodeContext, freeit); | 1146 spec->destroy(spec->decodeContext, freeit); |
1159 spec->encodeContext = NULL; /* paranoia */ | 1147 spec->encodeContext = NULL; /* paranoia */ |
1160 spec->decodeContext = NULL; | 1148 spec->decodeContext = NULL; |
1161 } | 1149 } |
(...skipping 59 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1221 | 1209 |
1222 SSL_TRC(3, ("%d: SSL3[%d]: Set XXX Pending Cipher Suite to 0x%04x", | 1210 SSL_TRC(3, ("%d: SSL3[%d]: Set XXX Pending Cipher Suite to 0x%04x", |
1223 SSL_GETPID(), ss->fd, suite)); | 1211 SSL_GETPID(), ss->fd, suite)); |
1224 | 1212 |
1225 suite_def = ssl_LookupCipherSuiteDef(suite); | 1213 suite_def = ssl_LookupCipherSuiteDef(suite); |
1226 if (suite_def == NULL) { | 1214 if (suite_def == NULL) { |
1227 ssl_ReleaseSpecWriteLock(ss); | 1215 ssl_ReleaseSpecWriteLock(ss); |
1228 return SECFailure; /* error code set by ssl_LookupCipherSuiteDef */ | 1216 return SECFailure; /* error code set by ssl_LookupCipherSuiteDef */ |
1229 } | 1217 } |
1230 | 1218 |
| 1219 if (IS_DTLS(ss)) { |
| 1220 /* Double-check that we did not pick an RC4 suite */ |
| 1221 PORT_Assert((suite_def->bulk_cipher_alg != cipher_rc4) && |
| 1222 (suite_def->bulk_cipher_alg != cipher_rc4_40) && |
| 1223 (suite_def->bulk_cipher_alg != cipher_rc4_56)); |
| 1224 } |
1231 | 1225 |
1232 cipher = suite_def->bulk_cipher_alg; | 1226 cipher = suite_def->bulk_cipher_alg; |
1233 kea = suite_def->key_exchange_alg; | 1227 kea = suite_def->key_exchange_alg; |
1234 mac = suite_def->mac_alg; | 1228 mac = suite_def->mac_alg; |
1235 if (isTLS) | 1229 if (isTLS) |
1236 mac += 2; | 1230 mac += 2; |
1237 | 1231 |
1238 ss->ssl3.hs.suite_def = suite_def; | 1232 ss->ssl3.hs.suite_def = suite_def; |
1239 ss->ssl3.hs.kea_def = &kea_defs[kea]; | 1233 ss->ssl3.hs.kea_def = &kea_defs[kea]; |
1240 PORT_Assert(ss->ssl3.hs.kea_def->kea == kea); | 1234 PORT_Assert(ss->ssl3.hs.kea_def->kea == kea); |
(...skipping 506 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1747 * Sets error code, but caller probably should override to disambiguate. | 1741 * Sets error code, but caller probably should override to disambiguate. |
1748 * NULL pms means re-use old master_secret. | 1742 * NULL pms means re-use old master_secret. |
1749 * | 1743 * |
1750 * This code is common to the bypass and PKCS11 execution paths. | 1744 * This code is common to the bypass and PKCS11 execution paths. |
1751 * For the bypass case, pms is NULL. | 1745 * For the bypass case, pms is NULL. |
1752 */ | 1746 */ |
1753 SECStatus | 1747 SECStatus |
1754 ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms) | 1748 ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms) |
1755 { | 1749 { |
1756 ssl3CipherSpec * pwSpec; | 1750 ssl3CipherSpec * pwSpec; |
| 1751 ssl3CipherSpec * cwSpec; |
1757 SECStatus rv; | 1752 SECStatus rv; |
1758 | 1753 |
1759 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 1754 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
1760 | 1755 |
1761 ssl_GetSpecWriteLock(ss); /**************************************/ | 1756 ssl_GetSpecWriteLock(ss); /**************************************/ |
1762 | 1757 |
1763 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); | 1758 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); |
1764 | 1759 |
1765 pwSpec = ss->ssl3.pwSpec; | 1760 pwSpec = ss->ssl3.pwSpec; |
| 1761 cwSpec = ss->ssl3.cwSpec; |
1766 | 1762 |
1767 if (pms || (!pwSpec->msItem.len && !pwSpec->master_secret)) { | 1763 if (pms || (!pwSpec->msItem.len && !pwSpec->master_secret)) { |
1768 rv = ssl3_DeriveMasterSecret(ss, pms); | 1764 rv = ssl3_DeriveMasterSecret(ss, pms); |
1769 if (rv != SECSuccess) { | 1765 if (rv != SECSuccess) { |
1770 goto done; /* err code set by ssl3_DeriveMasterSecret */ | 1766 goto done; /* err code set by ssl3_DeriveMasterSecret */ |
1771 } | 1767 } |
1772 } | 1768 } |
1773 if (ss->opt.bypassPKCS11 && pwSpec->msItem.len && pwSpec->msItem.data) { | 1769 if (ss->opt.bypassPKCS11 && pwSpec->msItem.len && pwSpec->msItem.data) { |
1774 /* Double Bypass succeeded in extracting the master_secret */ | 1770 /* Double Bypass succeeded in extracting the master_secret */ |
1775 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; | 1771 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; |
(...skipping 11 matching lines...) Expand all Loading... |
1787 } else if (pwSpec->master_secret) { | 1783 } else if (pwSpec->master_secret) { |
1788 rv = ssl3_DeriveConnectionKeysPKCS11(ss); | 1784 rv = ssl3_DeriveConnectionKeysPKCS11(ss); |
1789 if (rv == SECSuccess) { | 1785 if (rv == SECSuccess) { |
1790 rv = ssl3_InitPendingContextsPKCS11(ss); | 1786 rv = ssl3_InitPendingContextsPKCS11(ss); |
1791 } | 1787 } |
1792 } else { | 1788 } else { |
1793 PORT_Assert(pwSpec->master_secret); | 1789 PORT_Assert(pwSpec->master_secret); |
1794 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | 1790 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
1795 rv = SECFailure; | 1791 rv = SECFailure; |
1796 } | 1792 } |
| 1793 if (rv != SECSuccess) { |
| 1794 goto done; |
| 1795 } |
| 1796 |
| 1797 /* Generic behaviors -- common to all crypto methods */ |
| 1798 if (!IS_DTLS(ss)) { |
| 1799 pwSpec->read_seq_num.high = pwSpec->write_seq_num.high = 0; |
| 1800 } else { |
| 1801 if (cwSpec->epoch == PR_UINT16_MAX) { |
| 1802 /* The problem here is that we have rehandshaked too many |
| 1803 * times (you are not allowed to wrap the epoch). The |
| 1804 * spec says you should be discarding the connection |
| 1805 * and start over, so not much we can do here. */ |
| 1806 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
| 1807 rv = SECFailure; |
| 1808 goto done; |
| 1809 } |
| 1810 /* The sequence number has the high 16 bits as the epoch. */ |
| 1811 pwSpec->epoch = cwSpec->epoch + 1; |
| 1812 pwSpec->read_seq_num.high = pwSpec->write_seq_num.high = |
| 1813 pwSpec->epoch << 16; |
| 1814 |
| 1815 dtls_InitRecvdRecords(&pwSpec->recvdRecords); |
| 1816 } |
| 1817 pwSpec->read_seq_num.low = pwSpec->write_seq_num.low = 0; |
1797 | 1818 |
1798 done: | 1819 done: |
1799 ssl_ReleaseSpecWriteLock(ss); /******************************/ | 1820 ssl_ReleaseSpecWriteLock(ss); /******************************/ |
1800 if (rv != SECSuccess) | 1821 if (rv != SECSuccess) |
1801 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); | 1822 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); |
1802 return rv; | 1823 return rv; |
1803 } | 1824 } |
1804 | 1825 |
1805 /* | 1826 /* |
1806 * 60 bytes is 3 times the maximum length MAC size that is supported. | 1827 * 60 bytes is 3 times the maximum length MAC size that is supported. |
(...skipping 20 matching lines...) Expand all Loading... |
1827 }; | 1848 }; |
1828 | 1849 |
1829 /* Called from: ssl3_SendRecord() | 1850 /* Called from: ssl3_SendRecord() |
1830 ** ssl3_HandleRecord() | 1851 ** ssl3_HandleRecord() |
1831 ** Caller must already hold the SpecReadLock. (wish we could assert that!) | 1852 ** Caller must already hold the SpecReadLock. (wish we could assert that!) |
1832 */ | 1853 */ |
1833 static SECStatus | 1854 static SECStatus |
1834 ssl3_ComputeRecordMAC( | 1855 ssl3_ComputeRecordMAC( |
1835 ssl3CipherSpec * spec, | 1856 ssl3CipherSpec * spec, |
1836 PRBool useServerMacKey, | 1857 PRBool useServerMacKey, |
| 1858 PRBool isDTLS, |
1837 SSL3ContentType type, | 1859 SSL3ContentType type, |
1838 SSL3ProtocolVersion version, | 1860 SSL3ProtocolVersion version, |
1839 SSL3SequenceNumber seq_num, | 1861 SSL3SequenceNumber seq_num, |
1840 const SSL3Opaque * input, | 1862 const SSL3Opaque * input, |
1841 int inputLength, | 1863 int inputLength, |
1842 unsigned char * outbuf, | 1864 unsigned char * outbuf, |
1843 unsigned int * outLength) | 1865 unsigned int * outLength) |
1844 { | 1866 { |
1845 const ssl3MACDef * mac_def; | 1867 const ssl3MACDef * mac_def; |
1846 SECStatus rv; | 1868 SECStatus rv; |
(...skipping 17 matching lines...) Expand all Loading... |
1864 ** NOT based on the version value in the record itself. | 1886 ** NOT based on the version value in the record itself. |
1865 ** But, we use the record'v version value in the computation. | 1887 ** But, we use the record'v version value in the computation. |
1866 */ | 1888 */ |
1867 if (spec->version <= SSL_LIBRARY_VERSION_3_0) { | 1889 if (spec->version <= SSL_LIBRARY_VERSION_3_0) { |
1868 temp[9] = MSB(inputLength); | 1890 temp[9] = MSB(inputLength); |
1869 temp[10] = LSB(inputLength); | 1891 temp[10] = LSB(inputLength); |
1870 tempLen = 11; | 1892 tempLen = 11; |
1871 isTLS = PR_FALSE; | 1893 isTLS = PR_FALSE; |
1872 } else { | 1894 } else { |
1873 /* New TLS hash includes version. */ | 1895 /* New TLS hash includes version. */ |
1874 » temp[9] = MSB(version); | 1896 » if (isDTLS) { |
1875 » temp[10] = LSB(version); | 1897 » SSL3ProtocolVersion dtls_version; |
| 1898 |
| 1899 » dtls_version = dtls_TLSVersionToDTLSVersion(version); |
| 1900 » temp[9] = MSB(dtls_version); |
| 1901 » temp[10] = LSB(dtls_version); |
| 1902 } else { |
| 1903 » temp[9] = MSB(version); |
| 1904 » temp[10] = LSB(version); |
| 1905 } |
1876 temp[11] = MSB(inputLength); | 1906 temp[11] = MSB(inputLength); |
1877 temp[12] = LSB(inputLength); | 1907 temp[12] = LSB(inputLength); |
1878 tempLen = 13; | 1908 tempLen = 13; |
1879 isTLS = PR_TRUE; | 1909 isTLS = PR_TRUE; |
1880 } | 1910 } |
1881 | 1911 |
1882 PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen)); | 1912 PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen)); |
1883 PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength)); | 1913 PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength)); |
1884 | 1914 |
1885 mac_def = spec->mac_def; | 1915 mac_def = spec->mac_def; |
(...skipping 129 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2015 (PK11_NeedLogin(slot) && !PK11_IsLoggedIn(slot, NULL))) { | 2045 (PK11_NeedLogin(slot) && !PK11_IsLoggedIn(slot, NULL))) { |
2016 isPresent = PR_FALSE; | 2046 isPresent = PR_FALSE; |
2017 } | 2047 } |
2018 if (slot) { | 2048 if (slot) { |
2019 PK11_FreeSlot(slot); | 2049 PK11_FreeSlot(slot); |
2020 } | 2050 } |
2021 return isPresent; | 2051 return isPresent; |
2022 } | 2052 } |
2023 | 2053 |
2024 /* Caller must hold the spec read lock. */ | 2054 /* Caller must hold the spec read lock. */ |
2025 static SECStatus | 2055 SECStatus |
2026 ssl3_CompressMACEncryptRecord(ssl3CipherSpec * cwSpec, | 2056 ssl3_CompressMACEncryptRecord(ssl3CipherSpec * cwSpec, |
2027 PRBool isServer, | 2057 PRBool isServer, |
| 2058 PRBool isDTLS, |
2028 SSL3ContentType type, | 2059 SSL3ContentType type, |
2029 const SSL3Opaque * pIn, | 2060 const SSL3Opaque * pIn, |
2030 PRUint32 contentLen, | 2061 PRUint32 contentLen, |
2031 sslBuffer * wrBuf) | 2062 sslBuffer * wrBuf) |
2032 { | 2063 { |
2033 const ssl3BulkCipherDef * cipher_def; | 2064 const ssl3BulkCipherDef * cipher_def; |
2034 SECStatus rv; | 2065 SECStatus rv; |
2035 PRUint32 macLen = 0; | 2066 PRUint32 macLen = 0; |
2036 PRUint32 fragLen; | 2067 PRUint32 fragLen; |
2037 PRUint32 p1Len, p2Len, oddLen = 0; | 2068 PRUint32 p1Len, p2Len, oddLen = 0; |
| 2069 PRUint16 headerLen; |
2038 int ivLen = 0; | 2070 int ivLen = 0; |
2039 int cipherBytes = 0; | 2071 int cipherBytes = 0; |
2040 | 2072 |
2041 cipher_def = cwSpec->cipher_def; | 2073 cipher_def = cwSpec->cipher_def; |
| 2074 headerLen = isDTLS ? DTLS_RECORD_HEADER_LENGTH : SSL3_RECORD_HEADER_LENGTH; |
2042 | 2075 |
2043 if (cipher_def->type == type_block && | 2076 if (cipher_def->type == type_block && |
2044 cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { | 2077 cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { |
2045 /* Prepend the per-record explicit IV using technique 2b from | 2078 /* Prepend the per-record explicit IV using technique 2b from |
2046 * RFC 4346 section 6.2.3.2: The IV is a cryptographically | 2079 * RFC 4346 section 6.2.3.2: The IV is a cryptographically |
2047 * strong random number XORed with the CBC residue from the previous | 2080 * strong random number XORed with the CBC residue from the previous |
2048 * record. | 2081 * record. |
2049 */ | 2082 */ |
2050 ivLen = cipher_def->iv_size; | 2083 ivLen = cipher_def->iv_size; |
2051 » if (ivLen > wrBuf->space - SSL3_RECORD_HEADER_LENGTH) { | 2084 » if (ivLen > wrBuf->space - headerLen) { |
2052 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | 2085 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
2053 return SECFailure; | 2086 return SECFailure; |
2054 } | 2087 } |
2055 » rv = PK11_GenerateRandom(wrBuf->buf + SSL3_RECORD_HEADER_LENGTH, ivLen); | 2088 » rv = PK11_GenerateRandom(wrBuf->buf + headerLen, ivLen); |
2056 if (rv != SECSuccess) { | 2089 if (rv != SECSuccess) { |
2057 ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE); | 2090 ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE); |
2058 return rv; | 2091 return rv; |
2059 } | 2092 } |
2060 rv = cwSpec->encode( cwSpec->encodeContext, | 2093 rv = cwSpec->encode( cwSpec->encodeContext, |
2061 » wrBuf->buf + SSL3_RECORD_HEADER_LENGTH, | 2094 » wrBuf->buf + headerLen, |
2062 &cipherBytes, /* output and actual outLen */ | 2095 &cipherBytes, /* output and actual outLen */ |
2063 ivLen, /* max outlen */ | 2096 ivLen, /* max outlen */ |
2064 » wrBuf->buf + SSL3_RECORD_HEADER_LENGTH, | 2097 » wrBuf->buf + headerLen, |
2065 ivLen); /* input and inputLen*/ | 2098 ivLen); /* input and inputLen*/ |
2066 if (rv != SECSuccess || cipherBytes != ivLen) { | 2099 if (rv != SECSuccess || cipherBytes != ivLen) { |
2067 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); | 2100 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); |
2068 return SECFailure; | 2101 return SECFailure; |
2069 } | 2102 } |
2070 } | 2103 } |
2071 | 2104 |
2072 if (cwSpec->compressor) { | 2105 if (cwSpec->compressor) { |
2073 int outlen; | 2106 int outlen; |
2074 rv = cwSpec->compressor( | 2107 rv = cwSpec->compressor( |
2075 cwSpec->compressContext, | 2108 cwSpec->compressContext, |
2076 » wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen, &outlen, | 2109 » wrBuf->buf + headerLen + ivLen, &outlen, |
2077 » wrBuf->space - SSL3_RECORD_HEADER_LENGTH - ivLen, pIn, contentLen); | 2110 » wrBuf->space - headerLen - ivLen, pIn, contentLen); |
2078 if (rv != SECSuccess) | 2111 if (rv != SECSuccess) |
2079 return rv; | 2112 return rv; |
2080 » pIn = wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen; | 2113 » pIn = wrBuf->buf + headerLen + ivLen; |
2081 contentLen = outlen; | 2114 contentLen = outlen; |
2082 } | 2115 } |
2083 | 2116 |
2084 /* | 2117 /* |
2085 * Add the MAC | 2118 * Add the MAC |
2086 */ | 2119 */ |
2087 rv = ssl3_ComputeRecordMAC( cwSpec, isServer, | 2120 rv = ssl3_ComputeRecordMAC( cwSpec, isServer, isDTLS, |
2088 type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen, | 2121 type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen, |
2089 » wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen + contentLen, &macLen); | 2122 » wrBuf->buf + headerLen + ivLen + contentLen, &macLen); |
2090 if (rv != SECSuccess) { | 2123 if (rv != SECSuccess) { |
2091 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); | 2124 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); |
2092 return SECFailure; | 2125 return SECFailure; |
2093 } | 2126 } |
2094 p1Len = contentLen; | 2127 p1Len = contentLen; |
2095 p2Len = macLen; | 2128 p2Len = macLen; |
2096 fragLen = contentLen + macLen; /* needs to be encrypted */ | 2129 fragLen = contentLen + macLen; /* needs to be encrypted */ |
2097 PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024); | 2130 PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024); |
2098 | 2131 |
2099 /* | 2132 /* |
2100 * Pad the text (if we're doing a block cipher) | 2133 * Pad the text (if we're doing a block cipher) |
2101 * then Encrypt it | 2134 * then Encrypt it |
2102 */ | 2135 */ |
2103 if (cipher_def->type == type_block) { | 2136 if (cipher_def->type == type_block) { |
2104 unsigned char * pBuf; | 2137 unsigned char * pBuf; |
2105 int padding_length; | 2138 int padding_length; |
2106 int i; | 2139 int i; |
2107 | 2140 |
2108 oddLen = contentLen % cipher_def->block_size; | 2141 oddLen = contentLen % cipher_def->block_size; |
2109 /* Assume blockSize is a power of two */ | 2142 /* Assume blockSize is a power of two */ |
2110 padding_length = cipher_def->block_size - 1 - | 2143 padding_length = cipher_def->block_size - 1 - |
2111 ((fragLen) & (cipher_def->block_size - 1)); | 2144 ((fragLen) & (cipher_def->block_size - 1)); |
2112 fragLen += padding_length + 1; | 2145 fragLen += padding_length + 1; |
2113 PORT_Assert((fragLen % cipher_def->block_size) == 0); | 2146 PORT_Assert((fragLen % cipher_def->block_size) == 0); |
2114 | 2147 |
2115 /* Pad according to TLS rules (also acceptable to SSL3). */ | 2148 /* Pad according to TLS rules (also acceptable to SSL3). */ |
2116 » pBuf = &wrBuf->buf[SSL3_RECORD_HEADER_LENGTH + ivLen + fragLen - 1]; | 2149 » pBuf = &wrBuf->buf[headerLen + ivLen + fragLen - 1]; |
2117 for (i = padding_length + 1; i > 0; --i) { | 2150 for (i = padding_length + 1; i > 0; --i) { |
2118 *pBuf-- = padding_length; | 2151 *pBuf-- = padding_length; |
2119 } | 2152 } |
2120 /* now, if contentLen is not a multiple of block size, fix it */ | 2153 /* now, if contentLen is not a multiple of block size, fix it */ |
2121 p2Len = fragLen - p1Len; | 2154 p2Len = fragLen - p1Len; |
2122 } | 2155 } |
2123 if (p1Len < 256) { | 2156 if (p1Len < 256) { |
2124 oddLen = p1Len; | 2157 oddLen = p1Len; |
2125 p1Len = 0; | 2158 p1Len = 0; |
2126 } else { | 2159 } else { |
2127 p1Len -= oddLen; | 2160 p1Len -= oddLen; |
2128 } | 2161 } |
2129 if (oddLen) { | 2162 if (oddLen) { |
2130 p2Len += oddLen; | 2163 p2Len += oddLen; |
2131 PORT_Assert( (cipher_def->block_size < 2) || \ | 2164 PORT_Assert( (cipher_def->block_size < 2) || \ |
2132 (p2Len % cipher_def->block_size) == 0); | 2165 (p2Len % cipher_def->block_size) == 0); |
2133 » memmove(wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen + p1Len, | 2166 » memmove(wrBuf->buf + headerLen + ivLen + p1Len, pIn + p1Len, oddLen); |
2134 » pIn + p1Len, oddLen); | |
2135 } | 2167 } |
2136 if (p1Len > 0) { | 2168 if (p1Len > 0) { |
2137 int cipherBytesPart1 = -1; | 2169 int cipherBytesPart1 = -1; |
2138 rv = cwSpec->encode( cwSpec->encodeContext, | 2170 rv = cwSpec->encode( cwSpec->encodeContext, |
2139 » wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen, /* output */ | 2171 » wrBuf->buf + headerLen + ivLen, /* output */ |
2140 &cipherBytesPart1, /* actual outlen */ | 2172 &cipherBytesPart1, /* actual outlen */ |
2141 p1Len, /* max outlen */ | 2173 p1Len, /* max outlen */ |
2142 pIn, p1Len); /* input, and inputlen */ | 2174 pIn, p1Len); /* input, and inputlen */ |
2143 PORT_Assert(rv == SECSuccess && cipherBytesPart1 == (int) p1Len); | 2175 PORT_Assert(rv == SECSuccess && cipherBytesPart1 == (int) p1Len); |
2144 if (rv != SECSuccess || cipherBytesPart1 != (int) p1Len) { | 2176 if (rv != SECSuccess || cipherBytesPart1 != (int) p1Len) { |
2145 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); | 2177 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); |
2146 return SECFailure; | 2178 return SECFailure; |
2147 } | 2179 } |
2148 cipherBytes += cipherBytesPart1; | 2180 cipherBytes += cipherBytesPart1; |
2149 } | 2181 } |
2150 if (p2Len > 0) { | 2182 if (p2Len > 0) { |
2151 int cipherBytesPart2 = -1; | 2183 int cipherBytesPart2 = -1; |
2152 rv = cwSpec->encode( cwSpec->encodeContext, | 2184 rv = cwSpec->encode( cwSpec->encodeContext, |
2153 » wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen + p1Len, | 2185 » wrBuf->buf + headerLen + ivLen + p1Len, |
2154 &cipherBytesPart2, /* output and actual outLen */ | 2186 &cipherBytesPart2, /* output and actual outLen */ |
2155 p2Len, /* max outlen */ | 2187 p2Len, /* max outlen */ |
2156 » wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen + p1Len, | 2188 » wrBuf->buf + headerLen + ivLen + p1Len, |
2157 p2Len); /* input and inputLen*/ | 2189 p2Len); /* input and inputLen*/ |
2158 PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len); | 2190 PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len); |
2159 if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) { | 2191 if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) { |
2160 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); | 2192 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); |
2161 return SECFailure; | 2193 return SECFailure; |
2162 } | 2194 } |
2163 cipherBytes += cipherBytesPart2; | 2195 cipherBytes += cipherBytesPart2; |
2164 } | 2196 } |
2165 PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024); | 2197 PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024); |
2166 | 2198 |
| 2199 wrBuf->len = cipherBytes + headerLen; |
| 2200 wrBuf->buf[0] = type; |
| 2201 if (isDTLS) { |
| 2202 SSL3ProtocolVersion version; |
| 2203 |
| 2204 version = dtls_TLSVersionToDTLSVersion(cwSpec->version); |
| 2205 wrBuf->buf[1] = MSB(version); |
| 2206 wrBuf->buf[2] = LSB(version); |
| 2207 wrBuf->buf[3] = (unsigned char)(cwSpec->write_seq_num.high >> 24); |
| 2208 wrBuf->buf[4] = (unsigned char)(cwSpec->write_seq_num.high >> 16); |
| 2209 wrBuf->buf[5] = (unsigned char)(cwSpec->write_seq_num.high >> 8); |
| 2210 wrBuf->buf[6] = (unsigned char)(cwSpec->write_seq_num.high >> 0); |
| 2211 wrBuf->buf[7] = (unsigned char)(cwSpec->write_seq_num.low >> 24); |
| 2212 wrBuf->buf[8] = (unsigned char)(cwSpec->write_seq_num.low >> 16); |
| 2213 wrBuf->buf[9] = (unsigned char)(cwSpec->write_seq_num.low >> 8); |
| 2214 wrBuf->buf[10] = (unsigned char)(cwSpec->write_seq_num.low >> 0); |
| 2215 wrBuf->buf[11] = MSB(cipherBytes); |
| 2216 wrBuf->buf[12] = LSB(cipherBytes); |
| 2217 } else { |
| 2218 wrBuf->buf[1] = MSB(cwSpec->version); |
| 2219 wrBuf->buf[2] = LSB(cwSpec->version); |
| 2220 wrBuf->buf[3] = MSB(cipherBytes); |
| 2221 wrBuf->buf[4] = LSB(cipherBytes); |
| 2222 } |
| 2223 |
2167 ssl3_BumpSequenceNumber(&cwSpec->write_seq_num); | 2224 ssl3_BumpSequenceNumber(&cwSpec->write_seq_num); |
2168 | 2225 |
2169 wrBuf->len = cipherBytes + SSL3_RECORD_HEADER_LENGTH; | |
2170 wrBuf->buf[0] = type; | |
2171 wrBuf->buf[1] = MSB(cwSpec->version); | |
2172 wrBuf->buf[2] = LSB(cwSpec->version); | |
2173 wrBuf->buf[3] = MSB(cipherBytes); | |
2174 wrBuf->buf[4] = LSB(cipherBytes); | |
2175 | |
2176 return SECSuccess; | 2226 return SECSuccess; |
2177 } | 2227 } |
2178 | 2228 |
2179 /* Process the plain text before sending it. | 2229 /* Process the plain text before sending it. |
2180 * Returns the number of bytes of plaintext that were successfully sent | 2230 * Returns the number of bytes of plaintext that were successfully sent |
2181 * plus the number of bytes of plaintext that were copied into the | 2231 * plus the number of bytes of plaintext that were copied into the |
2182 * output (write) buffer. | 2232 * output (write) buffer. |
2183 * Returns SECFailure on a hard IO error, memory error, or crypto error. | 2233 * Returns SECFailure on a hard IO error, memory error, or crypto error. |
2184 * Does NOT return SECWouldBlock. | 2234 * Does NOT return SECWouldBlock. |
2185 * | 2235 * |
2186 * Notes on the use of the private ssl flags: | 2236 * Notes on the use of the private ssl flags: |
2187 * (no private SSL flags) | 2237 * (no private SSL flags) |
2188 * Attempt to make and send SSL records for all plaintext | 2238 * Attempt to make and send SSL records for all plaintext |
2189 * If non-blocking and a send gets WOULD_BLOCK, | 2239 * If non-blocking and a send gets WOULD_BLOCK, |
2190 * or if the pending (ciphertext) buffer is not empty, | 2240 * or if the pending (ciphertext) buffer is not empty, |
2191 * then buffer remaining bytes of ciphertext into pending buf, | 2241 * then buffer remaining bytes of ciphertext into pending buf, |
2192 * and continue to do that for all succssive records until all | 2242 * and continue to do that for all succssive records until all |
2193 * bytes are used. | 2243 * bytes are used. |
2194 * ssl_SEND_FLAG_FORCE_INTO_BUFFER | 2244 * ssl_SEND_FLAG_FORCE_INTO_BUFFER |
2195 * As above, except this suppresses all write attempts, and forces | 2245 * As above, except this suppresses all write attempts, and forces |
2196 * all ciphertext into the pending ciphertext buffer. | 2246 * all ciphertext into the pending ciphertext buffer. |
| 2247 * ssl_SEND_FLAG_USE_EPOCH (for DTLS) |
| 2248 * Forces the use of the provided epoch |
2197 * | 2249 * |
2198 */ | 2250 */ |
2199 static PRInt32 | 2251 PRInt32 |
2200 ssl3_SendRecord( sslSocket * ss, | 2252 ssl3_SendRecord( sslSocket * ss, |
| 2253 DTLSEpoch epoch, /* DTLS only */ |
2201 SSL3ContentType type, | 2254 SSL3ContentType type, |
2202 const SSL3Opaque * pIn, /* input buffer */ | 2255 const SSL3Opaque * pIn, /* input buffer */ |
2203 PRInt32 nIn, /* bytes of input */ | 2256 PRInt32 nIn, /* bytes of input */ |
2204 PRInt32 flags) | 2257 PRInt32 flags) |
2205 { | 2258 { |
2206 sslBuffer * wrBuf = &ss->sec.writeBuf; | 2259 sslBuffer * wrBuf = &ss->sec.writeBuf; |
2207 SECStatus rv; | 2260 SECStatus rv; |
2208 PRInt32 totalSent = 0; | 2261 PRInt32 totalSent = 0; |
2209 | 2262 |
2210 SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s nIn=%d", | 2263 SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s nIn=%d", |
(...skipping 51 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2262 SSL_DBG(("%d: SSL3[%d]: SendRecord, tried to get %d bytes", | 2315 SSL_DBG(("%d: SSL3[%d]: SendRecord, tried to get %d bytes", |
2263 SSL_GETPID(), ss->fd, spaceNeeded)); | 2316 SSL_GETPID(), ss->fd, spaceNeeded)); |
2264 goto spec_locked_loser; /* sslBuffer_Grow set error code. */ | 2317 goto spec_locked_loser; /* sslBuffer_Grow set error code. */ |
2265 } | 2318 } |
2266 } | 2319 } |
2267 | 2320 |
2268 if (numRecords == 2) { | 2321 if (numRecords == 2) { |
2269 sslBuffer secondRecord; | 2322 sslBuffer secondRecord; |
2270 | 2323 |
2271 rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec, | 2324 rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec, |
2272 » ss->sec.isServer, type, pIn, 1, | 2325 » » » » » ss->sec.isServer, IS_DTLS(ss), |
2273 » wrBuf); | 2326 » » » » » type, pIn, 1, wrBuf); |
2274 if (rv != SECSuccess) | 2327 if (rv != SECSuccess) |
2275 goto spec_locked_loser; | 2328 goto spec_locked_loser; |
2276 | 2329 |
2277 PRINT_BUF(50, (ss, "send (encrypted) record data [1/2]:", | 2330 PRINT_BUF(50, (ss, "send (encrypted) record data [1/2]:", |
2278 wrBuf->buf, wrBuf->len)); | 2331 wrBuf->buf, wrBuf->len)); |
2279 | 2332 |
2280 secondRecord.buf = wrBuf->buf + wrBuf->len; | 2333 secondRecord.buf = wrBuf->buf + wrBuf->len; |
2281 secondRecord.len = 0; | 2334 secondRecord.len = 0; |
2282 secondRecord.space = wrBuf->space - wrBuf->len; | 2335 secondRecord.space = wrBuf->space - wrBuf->len; |
2283 | 2336 |
2284 rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec, | 2337 rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec, |
2285 » ss->sec.isServer, type, pIn + 1, | 2338 » ss->sec.isServer, IS_DTLS(ss), |
2286 » contentLen - 1, &secondRecord); | 2339 » » » » » type, pIn + 1, contentLen - 1, |
| 2340 » &secondRecord); |
2287 if (rv == SECSuccess) { | 2341 if (rv == SECSuccess) { |
2288 PRINT_BUF(50, (ss, "send (encrypted) record data [2/2]:", | 2342 PRINT_BUF(50, (ss, "send (encrypted) record data [2/2]:", |
2289 secondRecord.buf, secondRecord.len)); | 2343 secondRecord.buf, secondRecord.len)); |
2290 wrBuf->len += secondRecord.len; | 2344 wrBuf->len += secondRecord.len; |
2291 } | 2345 } |
2292 } else { | 2346 } else { |
2293 » rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec, | 2347 » if (!IS_DTLS(ss)) { |
2294 » ss->sec.isServer, type, pIn, | 2348 » » rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec, |
2295 » contentLen, wrBuf); | 2349 » » » » » » ss->sec.isServer, |
| 2350 » » » » » » IS_DTLS(ss), |
| 2351 » » » » » » type, pIn, |
| 2352 » » » » » » contentLen, wrBuf); |
| 2353 » } else { |
| 2354 » » rv = dtls_CompressMACEncryptRecord(ss, epoch, |
| 2355 » » » » » » !!(flags & ssl_SEND_FLAG_USE_
EPOCH), |
| 2356 » » » » » » type, pIn, |
| 2357 » » » » » » contentLen, wrBuf); |
| 2358 » } |
| 2359 |
2296 if (rv == SECSuccess) { | 2360 if (rv == SECSuccess) { |
2297 PRINT_BUF(50, (ss, "send (encrypted) record data:", | 2361 PRINT_BUF(50, (ss, "send (encrypted) record data:", |
2298 wrBuf->buf, wrBuf->len)); | 2362 wrBuf->buf, wrBuf->len)); |
2299 } | 2363 } |
2300 } | 2364 } |
2301 | 2365 |
2302 spec_locked_loser: | 2366 spec_locked_loser: |
2303 ssl_ReleaseSpecReadLock(ss); /************************************/ | 2367 ssl_ReleaseSpecReadLock(ss); /************************************/ |
2304 | 2368 |
2305 if (rv != SECSuccess) | 2369 if (rv != SECSuccess) |
(...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2343 if (sent < 0) { | 2407 if (sent < 0) { |
2344 if (PR_GetError() != PR_WOULD_BLOCK_ERROR) { | 2408 if (PR_GetError() != PR_WOULD_BLOCK_ERROR) { |
2345 ssl_MapLowLevelError(SSL_ERROR_SOCKET_WRITE_FAILURE); | 2409 ssl_MapLowLevelError(SSL_ERROR_SOCKET_WRITE_FAILURE); |
2346 return SECFailure; | 2410 return SECFailure; |
2347 } | 2411 } |
2348 /* we got PR_WOULD_BLOCK_ERROR, which means none was sent. */ | 2412 /* we got PR_WOULD_BLOCK_ERROR, which means none was sent. */ |
2349 sent = 0; | 2413 sent = 0; |
2350 } | 2414 } |
2351 wrBuf->len -= sent; | 2415 wrBuf->len -= sent; |
2352 if (wrBuf->len) { | 2416 if (wrBuf->len) { |
| 2417 if (IS_DTLS(ss)) { |
| 2418 /* DTLS just says no in this case. No buffering */ |
| 2419 PR_SetError(PR_WOULD_BLOCK_ERROR, 0); |
| 2420 return SECFailure; |
| 2421 } |
2353 /* now take all the remaining unsent new ciphertext and | 2422 /* now take all the remaining unsent new ciphertext and |
2354 * append it to the buffer of previously unsent ciphertext. | 2423 * append it to the buffer of previously unsent ciphertext. |
2355 */ | 2424 */ |
2356 rv = ssl_SaveWriteData(ss, wrBuf->buf + sent, wrBuf->len); | 2425 rv = ssl_SaveWriteData(ss, wrBuf->buf + sent, wrBuf->len); |
2357 if (rv != SECSuccess) { | 2426 if (rv != SECSuccess) { |
2358 /* presumably a memory error, SEC_ERROR_NO_MEMORY */ | 2427 /* presumably a memory error, SEC_ERROR_NO_MEMORY */ |
2359 return SECFailure; | 2428 return SECFailure; |
2360 } | 2429 } |
2361 } | 2430 } |
2362 } | 2431 } |
2363 totalSent += contentLen; | 2432 totalSent += contentLen; |
2364 } | 2433 } |
2365 return totalSent; | 2434 return totalSent; |
2366 } | 2435 } |
2367 | 2436 |
2368 #define SSL3_PENDING_HIGH_WATER 1024 | 2437 #define SSL3_PENDING_HIGH_WATER 1024 |
2369 | 2438 |
2370 /* Attempt to send the content of "in" in an SSL application_data record. | 2439 /* Attempt to send the content of "in" in an SSL application_data record. |
2371 * Returns "len" or SECFailure, never SECWouldBlock, nor SECSuccess. | 2440 * Returns "len" or SECFailure, never SECWouldBlock, nor SECSuccess. |
2372 */ | 2441 */ |
2373 int | 2442 int |
2374 ssl3_SendApplicationData(sslSocket *ss, const unsigned char *in, | 2443 ssl3_SendApplicationData(sslSocket *ss, const unsigned char *in, |
2375 PRInt32 len, PRInt32 flags) | 2444 PRInt32 len, PRInt32 flags) |
2376 { | 2445 { |
2377 PRInt32 totalSent = 0; | 2446 PRInt32 totalSent = 0; |
2378 PRInt32 discarded = 0; | 2447 PRInt32 discarded = 0; |
2379 | 2448 |
2380 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); | 2449 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); |
| 2450 /* These flags for internal use only */ |
| 2451 PORT_Assert(!(flags & (ssl_SEND_FLAG_USE_EPOCH | |
| 2452 ssl_SEND_FLAG_NO_RETRANSMIT))); |
2381 if (len < 0 || !in) { | 2453 if (len < 0 || !in) { |
2382 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); | 2454 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); |
2383 return SECFailure; | 2455 return SECFailure; |
2384 } | 2456 } |
2385 | 2457 |
2386 if (ss->pendingBuf.len > SSL3_PENDING_HIGH_WATER && | 2458 if (ss->pendingBuf.len > SSL3_PENDING_HIGH_WATER && |
2387 !ssl_SocketIsBlocking(ss)) { | 2459 !ssl_SocketIsBlocking(ss)) { |
2388 PORT_Assert(!ssl_SocketIsBlocking(ss)); | 2460 PORT_Assert(!ssl_SocketIsBlocking(ss)); |
2389 PORT_SetError(PR_WOULD_BLOCK_ERROR); | 2461 PORT_SetError(PR_WOULD_BLOCK_ERROR); |
2390 return SECFailure; | 2462 return SECFailure; |
(...skipping 17 matching lines...) Expand all Loading... |
2408 * The thread yield is intended to give the reader thread a | 2480 * The thread yield is intended to give the reader thread a |
2409 * chance to get some cycles while the writer thread is in | 2481 * chance to get some cycles while the writer thread is in |
2410 * the middle of a large application data write. (See | 2482 * the middle of a large application data write. (See |
2411 * Bugzilla bug 127740, comment #1.) | 2483 * Bugzilla bug 127740, comment #1.) |
2412 */ | 2484 */ |
2413 ssl_ReleaseXmitBufLock(ss); | 2485 ssl_ReleaseXmitBufLock(ss); |
2414 PR_Sleep(PR_INTERVAL_NO_WAIT); /* PR_Yield(); */ | 2486 PR_Sleep(PR_INTERVAL_NO_WAIT); /* PR_Yield(); */ |
2415 ssl_GetXmitBufLock(ss); | 2487 ssl_GetXmitBufLock(ss); |
2416 } | 2488 } |
2417 toSend = PR_MIN(len - totalSent, MAX_FRAGMENT_LENGTH); | 2489 toSend = PR_MIN(len - totalSent, MAX_FRAGMENT_LENGTH); |
2418 » sent = ssl3_SendRecord(ss, content_application_data, | 2490 » /* |
| 2491 » * Note that the 0 epoch is OK because flags will never require |
| 2492 » * its use, as guaranteed by the PORT_Assert above. |
| 2493 » */ |
| 2494 » sent = ssl3_SendRecord(ss, 0, content_application_data, |
2419 in + totalSent, toSend, flags); | 2495 in + totalSent, toSend, flags); |
2420 if (sent < 0) { | 2496 if (sent < 0) { |
2421 if (totalSent > 0 && PR_GetError() == PR_WOULD_BLOCK_ERROR) { | 2497 if (totalSent > 0 && PR_GetError() == PR_WOULD_BLOCK_ERROR) { |
2422 PORT_Assert(ss->lastWriteBlocked); | 2498 PORT_Assert(ss->lastWriteBlocked); |
2423 break; | 2499 break; |
2424 } | 2500 } |
2425 return SECFailure; /* error code set by ssl3_SendRecord */ | 2501 return SECFailure; /* error code set by ssl3_SendRecord */ |
2426 } | 2502 } |
2427 totalSent += sent; | 2503 totalSent += sent; |
2428 if (ss->pendingBuf.len) { | 2504 if (ss->pendingBuf.len) { |
(...skipping 14 matching lines...) Expand all Loading... |
2443 if (totalSent <= 0) { | 2519 if (totalSent <= 0) { |
2444 PORT_SetError(PR_WOULD_BLOCK_ERROR); | 2520 PORT_SetError(PR_WOULD_BLOCK_ERROR); |
2445 totalSent = SECFailure; | 2521 totalSent = SECFailure; |
2446 } | 2522 } |
2447 return totalSent; | 2523 return totalSent; |
2448 } | 2524 } |
2449 ss->appDataBuffered = 0; | 2525 ss->appDataBuffered = 0; |
2450 return totalSent + discarded; | 2526 return totalSent + discarded; |
2451 } | 2527 } |
2452 | 2528 |
2453 /* Attempt to send the content of sendBuf buffer in an SSL handshake record. | 2529 /* Attempt to send buffered handshake messages. |
2454 * This function returns SECSuccess or SECFailure, never SECWouldBlock. | 2530 * This function returns SECSuccess or SECFailure, never SECWouldBlock. |
2455 * Always set sendBuf.len to 0, even when returning SECFailure. | 2531 * Always set sendBuf.len to 0, even when returning SECFailure. |
2456 * | 2532 * |
| 2533 * Depending on whether we are doing DTLS or not, this either calls |
| 2534 * |
| 2535 * - ssl3_FlushHandshakeMessages if non-DTLS |
| 2536 * - dtls_FlushHandshakeMessages if DTLS |
| 2537 * |
2457 * Called from SSL3_SendAlert(), ssl3_SendChangeCipherSpecs(), | 2538 * Called from SSL3_SendAlert(), ssl3_SendChangeCipherSpecs(), |
2458 * ssl3_AppendHandshake(), ssl3_SendClientHello(), | 2539 * ssl3_AppendHandshake(), ssl3_SendClientHello(), |
2459 * ssl3_SendHelloRequest(), ssl3_SendServerHelloDone(), | 2540 * ssl3_SendHelloRequest(), ssl3_SendServerHelloDone(), |
2460 * ssl3_SendFinished(), | 2541 * ssl3_SendFinished(), |
2461 */ | 2542 */ |
2462 static SECStatus | 2543 static SECStatus |
2463 ssl3_FlushHandshake(sslSocket *ss, PRInt32 flags) | 2544 ssl3_FlushHandshake(sslSocket *ss, PRInt32 flags) |
2464 { | 2545 { |
| 2546 if (IS_DTLS(ss)) { |
| 2547 return dtls_FlushHandshakeMessages(ss, flags); |
| 2548 } else { |
| 2549 return ssl3_FlushHandshakeMessages(ss, flags); |
| 2550 } |
| 2551 } |
| 2552 |
| 2553 /* Attempt to send the content of sendBuf buffer in an SSL handshake record. |
| 2554 * This function returns SECSuccess or SECFailure, never SECWouldBlock. |
| 2555 * Always set sendBuf.len to 0, even when returning SECFailure. |
| 2556 * |
| 2557 * Called from ssl3_FlushHandshake |
| 2558 */ |
| 2559 static SECStatus |
| 2560 ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags) |
| 2561 { |
2465 PRInt32 rv = SECSuccess; | 2562 PRInt32 rv = SECSuccess; |
2466 | 2563 |
2467 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 2564 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
2468 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); | 2565 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); |
2469 | 2566 |
2470 if (!ss->sec.ci.sendBuf.buf || !ss->sec.ci.sendBuf.len) | 2567 if (!ss->sec.ci.sendBuf.buf || !ss->sec.ci.sendBuf.len) |
2471 return rv; | 2568 return rv; |
2472 | 2569 |
2473 /* only this flag is allowed */ | 2570 /* only this flag is allowed */ |
2474 PORT_Assert(!(flags & ~ssl_SEND_FLAG_FORCE_INTO_BUFFER)); | 2571 PORT_Assert(!(flags & ~ssl_SEND_FLAG_FORCE_INTO_BUFFER)); |
2475 if ((flags & ~ssl_SEND_FLAG_FORCE_INTO_BUFFER) != 0) { | 2572 if ((flags & ~ssl_SEND_FLAG_FORCE_INTO_BUFFER) != 0) { |
2476 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 2573 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
2477 rv = SECFailure; | 2574 rv = SECFailure; |
2478 } else { | 2575 } else { |
2479 » rv = ssl3_SendRecord(ss, content_handshake, ss->sec.ci.sendBuf.buf, | 2576 » rv = ssl3_SendRecord(ss, 0, content_handshake, ss->sec.ci.sendBuf.buf, |
2480 ss->sec.ci.sendBuf.len, flags); | 2577 ss->sec.ci.sendBuf.len, flags); |
2481 } | 2578 } |
2482 if (rv < 0) { | 2579 if (rv < 0) { |
2483 int err = PORT_GetError(); | 2580 int err = PORT_GetError(); |
2484 PORT_Assert(err != PR_WOULD_BLOCK_ERROR); | 2581 PORT_Assert(err != PR_WOULD_BLOCK_ERROR); |
2485 if (err == PR_WOULD_BLOCK_ERROR) { | 2582 if (err == PR_WOULD_BLOCK_ERROR) { |
2486 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | 2583 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
2487 } | 2584 } |
2488 } else if (rv < ss->sec.ci.sendBuf.len) { | 2585 } else if (rv < ss->sec.ci.sendBuf.len) { |
2489 /* short write should never happen */ | 2586 /* short write should never happen */ |
(...skipping 96 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2586 ssl_GetSSL3HandshakeLock(ss); | 2683 ssl_GetSSL3HandshakeLock(ss); |
2587 if (level == alert_fatal) { | 2684 if (level == alert_fatal) { |
2588 if (ss->sec.ci.sid) { | 2685 if (ss->sec.ci.sid) { |
2589 ss->sec.uncache(ss->sec.ci.sid); | 2686 ss->sec.uncache(ss->sec.ci.sid); |
2590 } | 2687 } |
2591 } | 2688 } |
2592 ssl_GetXmitBufLock(ss); | 2689 ssl_GetXmitBufLock(ss); |
2593 rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER); | 2690 rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER); |
2594 if (rv == SECSuccess) { | 2691 if (rv == SECSuccess) { |
2595 PRInt32 sent; | 2692 PRInt32 sent; |
2596 » sent = ssl3_SendRecord(ss, content_alert, bytes, 2, | 2693 » sent = ssl3_SendRecord(ss, 0, content_alert, bytes, 2, |
2597 desc == no_certificate | 2694 desc == no_certificate |
2598 ? ssl_SEND_FLAG_FORCE_INTO_BUFFER : 0); | 2695 ? ssl_SEND_FLAG_FORCE_INTO_BUFFER : 0); |
2599 rv = (sent >= 0) ? SECSuccess : (SECStatus)sent; | 2696 rv = (sent >= 0) ? SECSuccess : (SECStatus)sent; |
2600 } | 2697 } |
2601 ssl_ReleaseXmitBufLock(ss); | 2698 ssl_ReleaseXmitBufLock(ss); |
2602 ssl_ReleaseSSL3HandshakeLock(ss); | 2699 ssl_ReleaseSSL3HandshakeLock(ss); |
2603 return rv; /* error set by ssl3_FlushHandshake or ssl3_SendRecord */ | 2700 return rv; /* error set by ssl3_FlushHandshake or ssl3_SendRecord */ |
2604 } | 2701 } |
2605 | 2702 |
2606 /* | 2703 /* |
(...skipping 53 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2660 SSL_DBG(("%d: SSL3[%d]: peer certificate is no good: error=%d", | 2757 SSL_DBG(("%d: SSL3[%d]: peer certificate is no good: error=%d", |
2661 SSL_GETPID(), ss->fd, errCode)); | 2758 SSL_GETPID(), ss->fd, errCode)); |
2662 | 2759 |
2663 (void) SSL3_SendAlert(ss, alert_fatal, desc); | 2760 (void) SSL3_SendAlert(ss, alert_fatal, desc); |
2664 } | 2761 } |
2665 | 2762 |
2666 | 2763 |
2667 /* | 2764 /* |
2668 * Send handshake_Failure alert. Set generic error number. | 2765 * Send handshake_Failure alert. Set generic error number. |
2669 */ | 2766 */ |
2670 static SECStatus | 2767 SECStatus |
2671 ssl3_DecodeError(sslSocket *ss) | 2768 ssl3_DecodeError(sslSocket *ss) |
2672 { | 2769 { |
2673 (void)SSL3_SendAlert(ss, alert_fatal, | 2770 (void)SSL3_SendAlert(ss, alert_fatal, |
2674 ss->version > SSL_LIBRARY_VERSION_3_0 ? decode_error | 2771 ss->version > SSL_LIBRARY_VERSION_3_0 ? decode_error |
2675 : illegal_parameter); | 2772 : illegal_parameter); |
2676 PORT_SetError( ss->sec.isServer ? SSL_ERROR_BAD_CLIENT | 2773 PORT_SetError( ss->sec.isServer ? SSL_ERROR_BAD_CLIENT |
2677 : SSL_ERROR_BAD_SERVER ); | 2774 : SSL_ERROR_BAD_SERVER ); |
2678 return SECFailure; | 2775 return SECFailure; |
2679 } | 2776 } |
2680 | 2777 |
(...skipping 67 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2748 error = SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT; break; | 2845 error = SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT; break; |
2749 case unrecognized_name: | 2846 case unrecognized_name: |
2750 error = SSL_ERROR_UNRECOGNIZED_NAME_ALERT; break; | 2847 error = SSL_ERROR_UNRECOGNIZED_NAME_ALERT; break; |
2751 case bad_certificate_status_response: | 2848 case bad_certificate_status_response: |
2752 error = SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT; break; | 2849 error = SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT; break; |
2753 case bad_certificate_hash_value: | 2850 case bad_certificate_hash_value: |
2754 error = SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT; break; | 2851 error = SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT; break; |
2755 default: error = SSL_ERROR_RX_UNKNOWN_ALERT; break; | 2852 default: error = SSL_ERROR_RX_UNKNOWN_ALERT; break; |
2756 } | 2853 } |
2757 if (level == alert_fatal) { | 2854 if (level == alert_fatal) { |
2758 » ss->sec.uncache(ss->sec.ci.sid); | 2855 » if (!ss->opt.noCache) |
| 2856 » ss->sec.uncache(ss->sec.ci.sid); |
2759 if ((ss->ssl3.hs.ws == wait_server_hello) && | 2857 if ((ss->ssl3.hs.ws == wait_server_hello) && |
2760 (desc == handshake_failure)) { | 2858 (desc == handshake_failure)) { |
2761 /* XXX This is a hack. We're assuming that any handshake failure | 2859 /* XXX This is a hack. We're assuming that any handshake failure |
2762 * XXX on the client hello is a failure to match ciphers. | 2860 * XXX on the client hello is a failure to match ciphers. |
2763 */ | 2861 */ |
2764 error = SSL_ERROR_NO_CYPHER_OVERLAP; | 2862 error = SSL_ERROR_NO_CYPHER_OVERLAP; |
2765 } | 2863 } |
2766 PORT_SetError(error); | 2864 PORT_SetError(error); |
2767 return SECFailure; | 2865 return SECFailure; |
2768 } | 2866 } |
(...skipping 30 matching lines...) Expand all Loading... |
2799 SSL_TRC(3, ("%d: SSL3[%d]: send change_cipher_spec record", | 2897 SSL_TRC(3, ("%d: SSL3[%d]: send change_cipher_spec record", |
2800 SSL_GETPID(), ss->fd)); | 2898 SSL_GETPID(), ss->fd)); |
2801 | 2899 |
2802 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); | 2900 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); |
2803 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 2901 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
2804 | 2902 |
2805 rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER); | 2903 rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER); |
2806 if (rv != SECSuccess) { | 2904 if (rv != SECSuccess) { |
2807 return rv; /* error code set by ssl3_FlushHandshake */ | 2905 return rv; /* error code set by ssl3_FlushHandshake */ |
2808 } | 2906 } |
2809 sent = ssl3_SendRecord(ss, content_change_cipher_spec, &change, 1, | 2907 if (!IS_DTLS(ss)) { |
2810 ssl_SEND_FLAG_FORCE_INTO_BUFFER); | 2908 » sent = ssl3_SendRecord(ss, 0, content_change_cipher_spec, &change, 1, |
2811 if (sent < 0) { | 2909 » » » ssl_SEND_FLAG_FORCE_INTO_BUFFER); |
2812 » return (SECStatus)sent;»/* error code set by ssl3_SendRecord */ | 2910 » if (sent < 0) { |
| 2911 » return (SECStatus)sent;» /* error code set by ssl3_SendRecord */ |
| 2912 » } |
| 2913 } else { |
| 2914 » rv = dtls_QueueMessage(ss, content_change_cipher_spec, &change, 1); |
| 2915 » if (rv != SECSuccess) { |
| 2916 » return rv; |
| 2917 » } |
2813 } | 2918 } |
2814 | 2919 |
2815 /* swap the pending and current write specs. */ | 2920 /* swap the pending and current write specs. */ |
2816 ssl_GetSpecWriteLock(ss); /**************************************/ | 2921 ssl_GetSpecWriteLock(ss); /**************************************/ |
2817 pwSpec = ss->ssl3.pwSpec; | 2922 pwSpec = ss->ssl3.pwSpec; |
2818 pwSpec->write_seq_num.high = 0; | |
2819 pwSpec->write_seq_num.low = 0; | |
2820 | 2923 |
2821 ss->ssl3.pwSpec = ss->ssl3.cwSpec; | 2924 ss->ssl3.pwSpec = ss->ssl3.cwSpec; |
2822 ss->ssl3.cwSpec = pwSpec; | 2925 ss->ssl3.cwSpec = pwSpec; |
2823 | 2926 |
2824 SSL_TRC(3, ("%d: SSL3[%d] Set Current Write Cipher Suite to Pending", | 2927 SSL_TRC(3, ("%d: SSL3[%d] Set Current Write Cipher Suite to Pending", |
2825 SSL_GETPID(), ss->fd )); | 2928 SSL_GETPID(), ss->fd )); |
2826 | 2929 |
2827 /* We need to free up the contexts, keys and certs ! */ | 2930 /* We need to free up the contexts, keys and certs ! */ |
2828 /* If we are really through with the old cipher spec | 2931 /* If we are really through with the old cipher spec |
2829 * (Both the read and write sides have changed) destroy it. | 2932 * (Both the read and write sides have changed) destroy it. |
2830 */ | 2933 */ |
2831 if (ss->ssl3.prSpec == ss->ssl3.pwSpec) { | 2934 if (ss->ssl3.prSpec == ss->ssl3.pwSpec) { |
2832 » ssl3_DestroyCipherSpec(ss->ssl3.pwSpec, PR_FALSE/*freeSrvName*/); | 2935 » if (!IS_DTLS(ss)) { |
| 2936 » ssl3_DestroyCipherSpec(ss->ssl3.pwSpec, PR_FALSE/*freeSrvName*/); |
| 2937 » } else { |
| 2938 » /* With DTLS, we need to set a holddown timer in case the final |
| 2939 » * message got lost */ |
| 2940 » ss->ssl3.hs.rtTimeoutMs = DTLS_FINISHED_TIMER_MS; |
| 2941 » dtls_StartTimer(ss, dtls_FinishedTimerCb); |
| 2942 » } |
2833 } | 2943 } |
2834 ssl_ReleaseSpecWriteLock(ss); /**************************************/ | 2944 ssl_ReleaseSpecWriteLock(ss); /**************************************/ |
2835 | 2945 |
2836 return SECSuccess; | 2946 return SECSuccess; |
2837 } | 2947 } |
2838 | 2948 |
2839 /* Called from ssl3_HandleRecord. | 2949 /* Called from ssl3_HandleRecord. |
2840 ** Caller must hold both RecvBuf and Handshake locks. | 2950 ** Caller must hold both RecvBuf and Handshake locks. |
2841 * | 2951 * |
2842 * Acquires and releases spec write lock, to protect switching the current | 2952 * Acquires and releases spec write lock, to protect switching the current |
(...skipping 28 matching lines...) Expand all Loading... |
2871 /* illegal_parameter is correct here for both SSL3 and TLS. */ | 2981 /* illegal_parameter is correct here for both SSL3 and TLS. */ |
2872 (void)ssl3_IllegalParameter(ss); | 2982 (void)ssl3_IllegalParameter(ss); |
2873 PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); | 2983 PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); |
2874 return SECFailure; | 2984 return SECFailure; |
2875 } | 2985 } |
2876 buf->len = 0; | 2986 buf->len = 0; |
2877 | 2987 |
2878 /* Swap the pending and current read specs. */ | 2988 /* Swap the pending and current read specs. */ |
2879 ssl_GetSpecWriteLock(ss); /*************************************/ | 2989 ssl_GetSpecWriteLock(ss); /*************************************/ |
2880 prSpec = ss->ssl3.prSpec; | 2990 prSpec = ss->ssl3.prSpec; |
2881 prSpec->read_seq_num.high = prSpec->read_seq_num.low = 0; | |
2882 | 2991 |
2883 ss->ssl3.prSpec = ss->ssl3.crSpec; | 2992 ss->ssl3.prSpec = ss->ssl3.crSpec; |
2884 ss->ssl3.crSpec = prSpec; | 2993 ss->ssl3.crSpec = prSpec; |
2885 | 2994 |
2886 if (ss->sec.isServer && | 2995 if (ss->sec.isServer && |
2887 ss->opt.requestCertificate && | 2996 ss->opt.requestCertificate && |
2888 ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { | 2997 ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { |
2889 ss->ssl3.hs.ws = wait_client_cert; | 2998 ss->ssl3.hs.ws = wait_client_cert; |
2890 } else { | 2999 } else { |
2891 ss->ssl3.hs.ws = wait_finished; | 3000 ss->ssl3.hs.ws = wait_finished; |
(...skipping 82 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2974 keyData->data, keyData->len); | 3083 keyData->data, keyData->len); |
2975 } | 3084 } |
2976 } | 3085 } |
2977 } | 3086 } |
2978 #endif | 3087 #endif |
2979 pwSpec->master_secret = PK11_DeriveWithFlags(pms, master_derive, | 3088 pwSpec->master_secret = PK11_DeriveWithFlags(pms, master_derive, |
2980 ¶ms, key_derive, CKA_DERIVE, 0, keyFlags); | 3089 ¶ms, key_derive, CKA_DERIVE, 0, keyFlags); |
2981 if (!isDH && pwSpec->master_secret && ss->opt.detectRollBack) { | 3090 if (!isDH && pwSpec->master_secret && ss->opt.detectRollBack) { |
2982 SSL3ProtocolVersion client_version; | 3091 SSL3ProtocolVersion client_version; |
2983 client_version = pms_version.major << 8 | pms_version.minor; | 3092 client_version = pms_version.major << 8 | pms_version.minor; |
| 3093 |
| 3094 if (IS_DTLS(ss)) { |
| 3095 client_version = dtls_DTLSVersionToTLSVersion(client_version); |
| 3096 } |
| 3097 |
2984 if (client_version != ss->clientHelloVersion) { | 3098 if (client_version != ss->clientHelloVersion) { |
2985 /* Destroy it. Version roll-back detected. */ | 3099 /* Destroy it. Version roll-back detected. */ |
2986 PK11_FreeSymKey(pwSpec->master_secret); | 3100 PK11_FreeSymKey(pwSpec->master_secret); |
2987 pwSpec->master_secret = NULL; | 3101 pwSpec->master_secret = NULL; |
2988 } | 3102 } |
2989 } | 3103 } |
2990 if (pwSpec->master_secret == NULL) { | 3104 if (pwSpec->master_secret == NULL) { |
2991 /* Generate a faux master secret in the same slot as the old one. */ | 3105 /* Generate a faux master secret in the same slot as the old one. */ |
2992 PK11SlotInfo * slot = PK11_GetSlotFromKey((PK11SymKey *)pms); | 3106 PK11SlotInfo * slot = PK11_GetSlotFromKey((PK11SymKey *)pms); |
2993 PK11SymKey * fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot); | 3107 PK11SymKey * fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot); |
(...skipping 404 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
3398 SSL_TRC(60, ("data:")); | 3512 SSL_TRC(60, ("data:")); |
3399 rv = ssl3_AppendHandshake(ss, src, bytes); | 3513 rv = ssl3_AppendHandshake(ss, src, bytes); |
3400 return rv; /* error code set by AppendHandshake, if applicable. */ | 3514 return rv; /* error code set by AppendHandshake, if applicable. */ |
3401 } | 3515 } |
3402 | 3516 |
3403 SECStatus | 3517 SECStatus |
3404 ssl3_AppendHandshakeHeader(sslSocket *ss, SSL3HandshakeType t, PRUint32 length) | 3518 ssl3_AppendHandshakeHeader(sslSocket *ss, SSL3HandshakeType t, PRUint32 length) |
3405 { | 3519 { |
3406 SECStatus rv; | 3520 SECStatus rv; |
3407 | 3521 |
| 3522 /* If we already have a message in place, we need to enqueue it. |
| 3523 * This empties the buffer. This is a convenient place to call |
| 3524 * dtls_StageHandshakeMessage to mark the message boundary. |
| 3525 */ |
| 3526 if (IS_DTLS(ss)) { |
| 3527 rv = dtls_StageHandshakeMessage(ss); |
| 3528 if (rv != SECSuccess) { |
| 3529 return rv; |
| 3530 } |
| 3531 } |
| 3532 |
3408 SSL_TRC(30,("%d: SSL3[%d]: append handshake header: type %s", | 3533 SSL_TRC(30,("%d: SSL3[%d]: append handshake header: type %s", |
3409 SSL_GETPID(), ss->fd, ssl3_DecodeHandshakeType(t))); | 3534 SSL_GETPID(), ss->fd, ssl3_DecodeHandshakeType(t))); |
3410 PRINT_BUF(60, (ss, "MD5 handshake hash:", | 3535 PRINT_BUF(60, (ss, "MD5 handshake hash:", |
3411 (unsigned char*)ss->ssl3.hs.md5_cx, MD5_LENGTH)); | 3536 (unsigned char*)ss->ssl3.hs.md5_cx, MD5_LENGTH)); |
3412 PRINT_BUF(95, (ss, "SHA handshake hash:", | 3537 PRINT_BUF(95, (ss, "SHA handshake hash:", |
3413 (unsigned char*)ss->ssl3.hs.sha_cx, SHA1_LENGTH)); | 3538 (unsigned char*)ss->ssl3.hs.sha_cx, SHA1_LENGTH)); |
3414 | 3539 |
3415 rv = ssl3_AppendHandshakeNumber(ss, t, 1); | 3540 rv = ssl3_AppendHandshakeNumber(ss, t, 1); |
3416 if (rv != SECSuccess) { | 3541 if (rv != SECSuccess) { |
3417 return rv; /* error code set by AppendHandshake, if applicable. */ | 3542 return rv; /* error code set by AppendHandshake, if applicable. */ |
3418 } | 3543 } |
3419 rv = ssl3_AppendHandshakeNumber(ss, length, 3); | 3544 rv = ssl3_AppendHandshakeNumber(ss, length, 3); |
| 3545 if (rv != SECSuccess) { |
| 3546 return rv; /* error code set by AppendHandshake, if applicable. */ |
| 3547 } |
| 3548 |
| 3549 if (IS_DTLS(ss)) { |
| 3550 /* Note that we make an unfragmented message here. We fragment in the |
| 3551 * transmission code, if necessary */ |
| 3552 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.sendMessageSeq, 2); |
| 3553 if (rv != SECSuccess) { |
| 3554 return rv; /* error code set by AppendHandshake, if applicable. */ |
| 3555 } |
| 3556 ss->ssl3.hs.sendMessageSeq++; |
| 3557 |
| 3558 /* 0 is the fragment offset, because it's not fragmented yet */ |
| 3559 rv = ssl3_AppendHandshakeNumber(ss, 0, 3); |
| 3560 if (rv != SECSuccess) { |
| 3561 return rv; /* error code set by AppendHandshake, if applicable. */ |
| 3562 } |
| 3563 |
| 3564 /* Fragment length -- set to the packet length because not fragmented */ |
| 3565 rv = ssl3_AppendHandshakeNumber(ss, length, 3); |
| 3566 if (rv != SECSuccess) { |
| 3567 return rv; /* error code set by AppendHandshake, if applicable. */ |
| 3568 } |
| 3569 } |
| 3570 |
3420 return rv; /* error code set by AppendHandshake, if applicable. */ | 3571 return rv; /* error code set by AppendHandshake, if applicable. */ |
3421 } | 3572 } |
3422 | 3573 |
3423 /************************************************************************** | 3574 /************************************************************************** |
3424 * Consume Handshake functions. | 3575 * Consume Handshake functions. |
3425 * | 3576 * |
3426 * All data used in these functions is protected by two locks, | 3577 * All data used in these functions is protected by two locks, |
3427 * the RecvBufLock and the SSL3HandshakeLock | 3578 * the RecvBufLock and the SSL3HandshakeLock |
3428 **************************************************************************/ | 3579 **************************************************************************/ |
3429 | 3580 |
(...skipping 386 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
3816 } | 3967 } |
3817 | 3968 |
3818 /************************************************************************** | 3969 /************************************************************************** |
3819 * end of Handshake Hash functions. | 3970 * end of Handshake Hash functions. |
3820 * Begin Send and Handle functions for handshakes. | 3971 * Begin Send and Handle functions for handshakes. |
3821 **************************************************************************/ | 3972 **************************************************************************/ |
3822 | 3973 |
3823 /* Called from ssl3_HandleHelloRequest(), | 3974 /* Called from ssl3_HandleHelloRequest(), |
3824 * ssl3_RedoHandshake() | 3975 * ssl3_RedoHandshake() |
3825 * ssl2_BeginClientHandshake (when resuming ssl3 session) | 3976 * ssl2_BeginClientHandshake (when resuming ssl3 session) |
| 3977 * dtls_HandleHelloVerifyRequest(with resending=PR_TRUE) |
3826 */ | 3978 */ |
3827 SECStatus | 3979 SECStatus |
3828 ssl3_SendClientHello(sslSocket *ss) | 3980 ssl3_SendClientHello(sslSocket *ss, PRBool resending) |
3829 { | 3981 { |
3830 sslSessionID * sid; | 3982 sslSessionID * sid; |
3831 ssl3CipherSpec * cwSpec; | 3983 ssl3CipherSpec * cwSpec; |
3832 SECStatus rv; | 3984 SECStatus rv; |
3833 int i; | 3985 int i; |
3834 int length; | 3986 int length; |
3835 int num_suites; | 3987 int num_suites; |
3836 int actual_count = 0; | 3988 int actual_count = 0; |
3837 PRBool isTLS = PR_FALSE; | 3989 PRBool isTLS = PR_FALSE; |
3838 PRInt32 total_exten_len = 0; | 3990 PRInt32 total_exten_len = 0; |
3839 unsigned numCompressionMethods; | 3991 unsigned numCompressionMethods; |
3840 | 3992 |
3841 SSL_TRC(3, ("%d: SSL3[%d]: send client_hello handshake", SSL_GETPID(), | 3993 SSL_TRC(3, ("%d: SSL3[%d]: send client_hello handshake", SSL_GETPID(), |
3842 ss->fd)); | 3994 ss->fd)); |
3843 | 3995 |
3844 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 3996 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
3845 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); | 3997 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); |
3846 | 3998 |
3847 rv = ssl3_InitState(ss); | 3999 rv = ssl3_InitState(ss); |
3848 if (rv != SECSuccess) { | 4000 if (rv != SECSuccess) { |
3849 return rv; /* ssl3_InitState has set the error code. */ | 4001 return rv; /* ssl3_InitState has set the error code. */ |
3850 } | 4002 } |
3851 ss->ssl3.hs.sendingSCSV = PR_FALSE; /* Must be reset every handshake */ | 4003 ss->ssl3.hs.sendingSCSV = PR_FALSE; /* Must be reset every handshake */ |
| 4004 PORT_Assert(IS_DTLS(ss) || !resending); |
3852 | 4005 |
3853 /* We might be starting a session renegotiation in which case we should | 4006 /* We might be starting a session renegotiation in which case we should |
3854 * clear previous state. | 4007 * clear previous state. |
3855 */ | 4008 */ |
3856 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData)); | 4009 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData)); |
3857 | 4010 |
3858 SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes", | 4011 SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes", |
3859 SSL_GETPID(), ss->fd )); | 4012 SSL_GETPID(), ss->fd )); |
3860 rv = ssl3_RestartHandshakeHashes(ss); | 4013 rv = ssl3_RestartHandshakeHashes(ss); |
3861 if (rv != SECSuccess) { | 4014 if (rv != SECSuccess) { |
(...skipping 139 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
4001 total_exten_len += 2; | 4154 total_exten_len += 2; |
4002 } | 4155 } |
4003 | 4156 |
4004 #if defined(NSS_ENABLE_ECC) && !defined(NSS_ECC_MORE_THAN_SUITE_B) | 4157 #if defined(NSS_ENABLE_ECC) && !defined(NSS_ECC_MORE_THAN_SUITE_B) |
4005 if (!total_exten_len || !isTLS) { | 4158 if (!total_exten_len || !isTLS) { |
4006 /* not sending the elliptic_curves and ec_point_formats extensions */ | 4159 /* not sending the elliptic_curves and ec_point_formats extensions */ |
4007 ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */ | 4160 ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */ |
4008 } | 4161 } |
4009 #endif | 4162 #endif |
4010 | 4163 |
| 4164 if (IS_DTLS(ss)) { |
| 4165 ssl3_DisableNonDTLSSuites(ss); |
| 4166 } |
| 4167 |
4011 /* how many suites are permitted by policy and user preference? */ | 4168 /* how many suites are permitted by policy and user preference? */ |
4012 num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE); | 4169 num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE); |
4013 if (!num_suites) | 4170 if (!num_suites) |
4014 return SECFailure; /* count_cipher_suites has set error code. */ | 4171 return SECFailure; /* count_cipher_suites has set error code. */ |
4015 if (ss->ssl3.hs.sendingSCSV) { | 4172 if (ss->ssl3.hs.sendingSCSV) { |
4016 ++num_suites; /* make room for SCSV */ | 4173 ++num_suites; /* make room for SCSV */ |
4017 } | 4174 } |
4018 | 4175 |
4019 /* count compression methods */ | 4176 /* count compression methods */ |
4020 numCompressionMethods = 0; | 4177 numCompressionMethods = 0; |
4021 for (i = 0; i < compressionMethodsCount; i++) { | 4178 for (i = 0; i < compressionMethodsCount; i++) { |
4022 if (compressionEnabled(ss, compressions[i])) | 4179 if (compressionEnabled(ss, compressions[i])) |
4023 numCompressionMethods++; | 4180 numCompressionMethods++; |
4024 } | 4181 } |
4025 | 4182 |
4026 length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH + | 4183 length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH + |
4027 1 + ((sid == NULL) ? 0 : sid->u.ssl3.sessionIDLength) + | 4184 1 + ((sid == NULL) ? 0 : sid->u.ssl3.sessionIDLength) + |
4028 2 + num_suites*sizeof(ssl3CipherSuite) + | 4185 2 + num_suites*sizeof(ssl3CipherSuite) + |
4029 1 + numCompressionMethods + total_exten_len; | 4186 1 + numCompressionMethods + total_exten_len; |
| 4187 if (IS_DTLS(ss)) { |
| 4188 length += 1 + ss->ssl3.hs.cookieLen; |
| 4189 } |
4030 | 4190 |
4031 rv = ssl3_AppendHandshakeHeader(ss, client_hello, length); | 4191 rv = ssl3_AppendHandshakeHeader(ss, client_hello, length); |
4032 if (rv != SECSuccess) { | 4192 if (rv != SECSuccess) { |
4033 return rv; /* err set by ssl3_AppendHandshake* */ | 4193 return rv; /* err set by ssl3_AppendHandshake* */ |
4034 } | 4194 } |
4035 | 4195 |
4036 ss->clientHelloVersion = ss->version; | 4196 ss->clientHelloVersion = ss->version; |
4037 rv = ssl3_AppendHandshakeNumber(ss, ss->clientHelloVersion, 2); | 4197 if (IS_DTLS(ss)) { |
| 4198 » PRUint16 version; |
| 4199 |
| 4200 » version = dtls_TLSVersionToDTLSVersion(ss->clientHelloVersion); |
| 4201 » rv = ssl3_AppendHandshakeNumber(ss, version, 2); |
| 4202 } else { |
| 4203 » rv = ssl3_AppendHandshakeNumber(ss, ss->clientHelloVersion, 2); |
| 4204 } |
4038 if (rv != SECSuccess) { | 4205 if (rv != SECSuccess) { |
4039 return rv; /* err set by ssl3_AppendHandshake* */ | 4206 return rv; /* err set by ssl3_AppendHandshake* */ |
4040 } | 4207 } |
4041 rv = ssl3_GetNewRandom(&ss->ssl3.hs.client_random); | 4208 |
4042 if (rv != SECSuccess) { | 4209 if (!resending) { /* Don't re-generate if we are in DTLS re-sending mode */ |
4043 » return rv;» /* err set by GetNewRandom. */ | 4210 » rv = ssl3_GetNewRandom(&ss->ssl3.hs.client_random); |
| 4211 » if (rv != SECSuccess) { |
| 4212 » return rv;» /* err set by GetNewRandom. */ |
| 4213 » } |
4044 } | 4214 } |
4045 rv = ssl3_AppendHandshake(ss, &ss->ssl3.hs.client_random, | 4215 rv = ssl3_AppendHandshake(ss, &ss->ssl3.hs.client_random, |
4046 SSL3_RANDOM_LENGTH); | 4216 SSL3_RANDOM_LENGTH); |
4047 if (rv != SECSuccess) { | 4217 if (rv != SECSuccess) { |
4048 return rv; /* err set by ssl3_AppendHandshake* */ | 4218 return rv; /* err set by ssl3_AppendHandshake* */ |
4049 } | 4219 } |
4050 | 4220 |
4051 if (sid) | 4221 if (sid) |
4052 rv = ssl3_AppendHandshakeVariable( | 4222 rv = ssl3_AppendHandshakeVariable( |
4053 ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1); | 4223 ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1); |
4054 else | 4224 else |
4055 rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1); | 4225 rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1); |
4056 if (rv != SECSuccess) { | 4226 if (rv != SECSuccess) { |
4057 return rv; /* err set by ssl3_AppendHandshake* */ | 4227 return rv; /* err set by ssl3_AppendHandshake* */ |
4058 } | 4228 } |
4059 | 4229 |
| 4230 if (IS_DTLS(ss)) { |
| 4231 rv = ssl3_AppendHandshakeVariable( |
| 4232 ss, ss->ssl3.hs.cookie, ss->ssl3.hs.cookieLen, 1); |
| 4233 if (rv != SECSuccess) { |
| 4234 return rv; /* err set by ssl3_AppendHandshake* */ |
| 4235 } |
| 4236 } |
| 4237 |
4060 rv = ssl3_AppendHandshakeNumber(ss, num_suites*sizeof(ssl3CipherSuite), 2); | 4238 rv = ssl3_AppendHandshakeNumber(ss, num_suites*sizeof(ssl3CipherSuite), 2); |
4061 if (rv != SECSuccess) { | 4239 if (rv != SECSuccess) { |
4062 return rv; /* err set by ssl3_AppendHandshake* */ | 4240 return rv; /* err set by ssl3_AppendHandshake* */ |
4063 } | 4241 } |
4064 | 4242 |
4065 if (ss->ssl3.hs.sendingSCSV) { | 4243 if (ss->ssl3.hs.sendingSCSV) { |
4066 /* Add the actual SCSV */ | 4244 /* Add the actual SCSV */ |
4067 rv = ssl3_AppendHandshakeNumber(ss, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, | 4245 rv = ssl3_AppendHandshakeNumber(ss, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, |
4068 sizeof(ssl3CipherSuite)); | 4246 sizeof(ssl3CipherSuite)); |
4069 if (rv != SECSuccess) { | 4247 if (rv != SECSuccess) { |
(...skipping 103 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
4173 PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED); | 4351 PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED); |
4174 return SECFailure; | 4352 return SECFailure; |
4175 } | 4353 } |
4176 | 4354 |
4177 if (sid) { | 4355 if (sid) { |
4178 ss->sec.uncache(sid); | 4356 ss->sec.uncache(sid); |
4179 ssl_FreeSID(sid); | 4357 ssl_FreeSID(sid); |
4180 ss->sec.ci.sid = NULL; | 4358 ss->sec.ci.sid = NULL; |
4181 } | 4359 } |
4182 | 4360 |
| 4361 if (IS_DTLS(ss)) { |
| 4362 dtls_RehandshakeCleanup(ss); |
| 4363 } |
| 4364 |
4183 ssl_GetXmitBufLock(ss); | 4365 ssl_GetXmitBufLock(ss); |
4184 rv = ssl3_SendClientHello(ss); | 4366 rv = ssl3_SendClientHello(ss, PR_FALSE); |
4185 ssl_ReleaseXmitBufLock(ss); | 4367 ssl_ReleaseXmitBufLock(ss); |
4186 | 4368 |
4187 return rv; | 4369 return rv; |
4188 } | 4370 } |
4189 | 4371 |
4190 #define UNKNOWN_WRAP_MECHANISM 0x7fffffff | 4372 #define UNKNOWN_WRAP_MECHANISM 0x7fffffff |
4191 | 4373 |
4192 static const CK_MECHANISM_TYPE wrapMechanismList[SSL_NUM_WRAP_MECHS] = { | 4374 static const CK_MECHANISM_TYPE wrapMechanismList[SSL_NUM_WRAP_MECHS] = { |
4193 CKM_DES3_ECB, | 4375 CKM_DES3_ECB, |
4194 CKM_CAST5_ECB, | 4376 CKM_CAST5_ECB, |
(...skipping 834 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
5029 ss->ssl3.platformClientKey = (PlatformKey)NULL; | 5211 ss->ssl3.platformClientKey = (PlatformKey)NULL; |
5030 } | 5212 } |
5031 #endif /* NSS_PLATFORM_CLIENT_AUTH */ | 5213 #endif /* NSS_PLATFORM_CLIENT_AUTH */ |
5032 | 5214 |
5033 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); | 5215 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); |
5034 if (temp < 0) { | 5216 if (temp < 0) { |
5035 goto loser; /* alert has been sent */ | 5217 goto loser; /* alert has been sent */ |
5036 } | 5218 } |
5037 version = (SSL3ProtocolVersion)temp; | 5219 version = (SSL3ProtocolVersion)temp; |
5038 | 5220 |
| 5221 if (IS_DTLS(ss)) { |
| 5222 /* RFC 4347 required that you verify that the server versions |
| 5223 * match (Section 4.2.1) in the HelloVerifyRequest and the |
| 5224 * ServerHello. |
| 5225 * |
| 5226 * RFC 6347 suggests (SHOULD) that servers always use 1.0 |
| 5227 * in HelloVerifyRequest and allows the versions not to match, |
| 5228 * especially when 1.2 is being negotiated. |
| 5229 * |
| 5230 * Therefore we do not check for matching here. |
| 5231 */ |
| 5232 version = dtls_DTLSVersionToTLSVersion(version); |
| 5233 if (version == 0) { /* Insane version number */ |
| 5234 goto alert_loser; |
| 5235 } |
| 5236 } |
| 5237 |
5039 rv = ssl3_NegotiateVersion(ss, version, PR_FALSE); | 5238 rv = ssl3_NegotiateVersion(ss, version, PR_FALSE); |
5040 if (rv != SECSuccess) { | 5239 if (rv != SECSuccess) { |
5041 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version | 5240 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version |
5042 : handshake_failure; | 5241 : handshake_failure; |
5043 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; | 5242 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; |
5044 goto alert_loser; | 5243 goto alert_loser; |
5045 } | 5244 } |
5046 isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0); | 5245 isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0); |
5047 | 5246 |
5048 rv = ssl3_ConsumeHandshake( | 5247 rv = ssl3_ConsumeHandshake( |
(...skipping 1208 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
6257 sslSessionID * sid = NULL; | 6456 sslSessionID * sid = NULL; |
6258 PRInt32 tmp; | 6457 PRInt32 tmp; |
6259 unsigned int i; | 6458 unsigned int i; |
6260 int j; | 6459 int j; |
6261 SECStatus rv; | 6460 SECStatus rv; |
6262 int errCode = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO; | 6461 int errCode = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO; |
6263 SSL3AlertDescription desc = illegal_parameter; | 6462 SSL3AlertDescription desc = illegal_parameter; |
6264 SSL3AlertLevel level = alert_fatal; | 6463 SSL3AlertLevel level = alert_fatal; |
6265 SSL3ProtocolVersion version; | 6464 SSL3ProtocolVersion version; |
6266 SECItem sidBytes = {siBuffer, NULL, 0}; | 6465 SECItem sidBytes = {siBuffer, NULL, 0}; |
| 6466 SECItem cookieBytes = {siBuffer, NULL, 0}; |
6267 SECItem suites = {siBuffer, NULL, 0}; | 6467 SECItem suites = {siBuffer, NULL, 0}; |
6268 SECItem comps = {siBuffer, NULL, 0}; | 6468 SECItem comps = {siBuffer, NULL, 0}; |
6269 PRBool haveSpecWriteLock = PR_FALSE; | 6469 PRBool haveSpecWriteLock = PR_FALSE; |
6270 PRBool haveXmitBufLock = PR_FALSE; | 6470 PRBool haveXmitBufLock = PR_FALSE; |
6271 | 6471 |
6272 SSL_TRC(3, ("%d: SSL3[%d]: handle client_hello handshake", | 6472 SSL_TRC(3, ("%d: SSL3[%d]: handle client_hello handshake", |
6273 SSL_GETPID(), ss->fd)); | 6473 SSL_GETPID(), ss->fd)); |
6274 | 6474 |
6275 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 6475 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
6276 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 6476 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
6277 | 6477 |
6278 /* Get peer name of client */ | 6478 /* Get peer name of client */ |
6279 rv = ssl_GetPeerInfo(ss); | 6479 rv = ssl_GetPeerInfo(ss); |
6280 if (rv != SECSuccess) { | 6480 if (rv != SECSuccess) { |
6281 return rv; /* error code is set. */ | 6481 return rv; /* error code is set. */ |
6282 } | 6482 } |
6283 | 6483 |
| 6484 /* Clearing the handshake pointers so that ssl_Do1stHandshake won't |
| 6485 * call ssl2_HandleMessage. |
| 6486 * |
| 6487 * The issue here is that TLS ordinarily starts out in |
| 6488 * ssl2_HandleV3HandshakeRecord() because of the backward-compatibility |
| 6489 * code paths. That function zeroes these next pointers. But with DTLS, |
| 6490 * we don't even try to do the v2 ClientHello so we skip that function |
| 6491 * and need to reset these values here. |
| 6492 */ |
| 6493 if (IS_DTLS(ss)) { |
| 6494 ss->nextHandshake = 0; |
| 6495 ss->securityHandshake = 0; |
| 6496 } |
| 6497 |
6284 /* We might be starting session renegotiation in which case we should | 6498 /* We might be starting session renegotiation in which case we should |
6285 * clear previous state. | 6499 * clear previous state. |
6286 */ | 6500 */ |
6287 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData)); | 6501 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData)); |
6288 ss->statelessResume = PR_FALSE; | 6502 ss->statelessResume = PR_FALSE; |
6289 | 6503 |
6290 rv = ssl3_InitState(ss); | 6504 rv = ssl3_InitState(ss); |
6291 if (rv != SECSuccess) { | 6505 if (rv != SECSuccess) { |
6292 return rv; /* ssl3_InitState has set the error code. */ | 6506 return rv; /* ssl3_InitState has set the error code. */ |
6293 } | 6507 } |
6294 | 6508 |
6295 if ((ss->ssl3.hs.ws != wait_client_hello) && | 6509 if ((ss->ssl3.hs.ws != wait_client_hello) && |
6296 (ss->ssl3.hs.ws != idle_handshake)) { | 6510 (ss->ssl3.hs.ws != idle_handshake)) { |
6297 desc = unexpected_message; | 6511 desc = unexpected_message; |
6298 errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO; | 6512 errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO; |
6299 goto alert_loser; | 6513 goto alert_loser; |
6300 } | 6514 } |
6301 if (ss->ssl3.hs.ws == idle_handshake && | 6515 if (ss->ssl3.hs.ws == idle_handshake && |
6302 ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) { | 6516 ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) { |
6303 desc = no_renegotiation; | 6517 desc = no_renegotiation; |
6304 level = alert_warning; | 6518 level = alert_warning; |
6305 errCode = SSL_ERROR_RENEGOTIATION_NOT_ALLOWED; | 6519 errCode = SSL_ERROR_RENEGOTIATION_NOT_ALLOWED; |
6306 goto alert_loser; | 6520 goto alert_loser; |
6307 } | 6521 } |
6308 | 6522 |
| 6523 if (IS_DTLS(ss)) { |
| 6524 dtls_RehandshakeCleanup(ss); |
| 6525 } |
| 6526 |
6309 tmp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); | 6527 tmp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); |
6310 if (tmp < 0) | 6528 if (tmp < 0) |
6311 goto loser; /* malformed, alert already sent */ | 6529 goto loser; /* malformed, alert already sent */ |
6312 ss->clientHelloVersion = version = (SSL3ProtocolVersion)tmp; | 6530 |
| 6531 /* Translate the version */ |
| 6532 if (IS_DTLS(ss)) { |
| 6533 » ss->clientHelloVersion = version = |
| 6534 » dtls_DTLSVersionToTLSVersion((SSL3ProtocolVersion)tmp); |
| 6535 } else { |
| 6536 » ss->clientHelloVersion = version = (SSL3ProtocolVersion)tmp; |
| 6537 } |
| 6538 |
6313 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE); | 6539 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE); |
6314 if (rv != SECSuccess) { | 6540 if (rv != SECSuccess) { |
6315 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version | 6541 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version |
6316 : handshake_failure; | 6542 : handshake_failure; |
6317 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; | 6543 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; |
6318 goto alert_loser; | 6544 goto alert_loser; |
6319 } | 6545 } |
6320 | 6546 |
6321 /* grab the client random data. */ | 6547 /* grab the client random data. */ |
6322 rv = ssl3_ConsumeHandshake( | 6548 rv = ssl3_ConsumeHandshake( |
6323 ss, &ss->ssl3.hs.client_random, SSL3_RANDOM_LENGTH, &b, &length); | 6549 ss, &ss->ssl3.hs.client_random, SSL3_RANDOM_LENGTH, &b, &length); |
6324 if (rv != SECSuccess) { | 6550 if (rv != SECSuccess) { |
6325 goto loser; /* malformed */ | 6551 goto loser; /* malformed */ |
6326 } | 6552 } |
6327 | 6553 |
6328 /* grab the client's SID, if present. */ | 6554 /* grab the client's SID, if present. */ |
6329 rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length); | 6555 rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length); |
6330 if (rv != SECSuccess) { | 6556 if (rv != SECSuccess) { |
6331 goto loser; /* malformed */ | 6557 goto loser; /* malformed */ |
6332 } | 6558 } |
6333 | 6559 |
| 6560 /* grab the client's cookie, if present. */ |
| 6561 if (IS_DTLS(ss)) { |
| 6562 rv = ssl3_ConsumeHandshakeVariable(ss, &cookieBytes, 1, &b, &length); |
| 6563 if (rv != SECSuccess) { |
| 6564 goto loser; /* malformed */ |
| 6565 } |
| 6566 } |
| 6567 |
6334 /* grab the list of cipher suites. */ | 6568 /* grab the list of cipher suites. */ |
6335 rv = ssl3_ConsumeHandshakeVariable(ss, &suites, 2, &b, &length); | 6569 rv = ssl3_ConsumeHandshakeVariable(ss, &suites, 2, &b, &length); |
6336 if (rv != SECSuccess) { | 6570 if (rv != SECSuccess) { |
6337 goto loser; /* malformed */ | 6571 goto loser; /* malformed */ |
6338 } | 6572 } |
6339 | 6573 |
6340 /* grab the list of compression methods. */ | 6574 /* grab the list of compression methods. */ |
6341 rv = ssl3_ConsumeHandshakeVariable(ss, &comps, 1, &b, &length); | 6575 rv = ssl3_ConsumeHandshakeVariable(ss, &comps, 1, &b, &length); |
6342 if (rv != SECSuccess) { | 6576 if (rv != SECSuccess) { |
6343 goto loser; /* malformed */ | 6577 goto loser; /* malformed */ |
(...skipping 128 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
6472 ssl_FreeSID(sid); | 6706 ssl_FreeSID(sid); |
6473 sid = NULL; | 6707 sid = NULL; |
6474 } | 6708 } |
6475 } | 6709 } |
6476 | 6710 |
6477 #ifdef NSS_ENABLE_ECC | 6711 #ifdef NSS_ENABLE_ECC |
6478 /* Disable any ECC cipher suites for which we have no cert. */ | 6712 /* Disable any ECC cipher suites for which we have no cert. */ |
6479 ssl3_FilterECCipherSuitesByServerCerts(ss); | 6713 ssl3_FilterECCipherSuitesByServerCerts(ss); |
6480 #endif | 6714 #endif |
6481 | 6715 |
| 6716 if (IS_DTLS(ss)) { |
| 6717 ssl3_DisableNonDTLSSuites(ss); |
| 6718 } |
| 6719 |
6482 #ifdef PARANOID | 6720 #ifdef PARANOID |
6483 /* Look for a matching cipher suite. */ | 6721 /* Look for a matching cipher suite. */ |
6484 j = ssl3_config_match_init(ss); | 6722 j = ssl3_config_match_init(ss); |
6485 if (j <= 0) { /* no ciphers are working/supported by PK11 */ | 6723 if (j <= 0) { /* no ciphers are working/supported by PK11 */ |
6486 errCode = PORT_GetError(); /* error code is already set. */ | 6724 errCode = PORT_GetError(); /* error code is already set. */ |
6487 goto alert_loser; | 6725 goto alert_loser; |
6488 } | 6726 } |
6489 #endif | 6727 #endif |
6490 | 6728 |
6491 /* If we already have a session for this client, be sure to pick the | 6729 /* If we already have a session for this client, be sure to pick the |
(...skipping 667 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
7159 ** ssl3_SendServerHelloSequence <- ssl3_HandleV2ClientHello (new session) | 7397 ** ssl3_SendServerHelloSequence <- ssl3_HandleV2ClientHello (new session) |
7160 */ | 7398 */ |
7161 static SECStatus | 7399 static SECStatus |
7162 ssl3_SendServerHello(sslSocket *ss) | 7400 ssl3_SendServerHello(sslSocket *ss) |
7163 { | 7401 { |
7164 sslSessionID *sid; | 7402 sslSessionID *sid; |
7165 SECStatus rv; | 7403 SECStatus rv; |
7166 PRUint32 maxBytes = 65535; | 7404 PRUint32 maxBytes = 65535; |
7167 PRUint32 length; | 7405 PRUint32 length; |
7168 PRInt32 extensions_len = 0; | 7406 PRInt32 extensions_len = 0; |
| 7407 SSL3ProtocolVersion version; |
7169 | 7408 |
7170 SSL_TRC(3, ("%d: SSL3[%d]: send server_hello handshake", SSL_GETPID(), | 7409 SSL_TRC(3, ("%d: SSL3[%d]: send server_hello handshake", SSL_GETPID(), |
7171 ss->fd)); | 7410 ss->fd)); |
7172 | 7411 |
7173 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); | 7412 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
7174 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 7413 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
7175 PORT_Assert( MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_3_0)); | |
7176 | 7414 |
7177 if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_3_0)) { | 7415 if (!IS_DTLS(ss)) { |
7178 » PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP); | 7416 » PORT_Assert(MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_3_0)); |
7179 » return SECFailure; | 7417 |
| 7418 » if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_3_0)) { |
| 7419 » PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP); |
| 7420 » return SECFailure; |
| 7421 » } |
| 7422 } else { |
| 7423 » PORT_Assert(MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_DTLS_1_0)); |
| 7424 |
| 7425 » if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_DTLS_1_0)) { |
| 7426 » PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP); |
| 7427 » return SECFailure; |
| 7428 » } |
7180 } | 7429 } |
7181 | 7430 |
7182 sid = ss->sec.ci.sid; | 7431 sid = ss->sec.ci.sid; |
7183 | 7432 |
7184 extensions_len = ssl3_CallHelloExtensionSenders(ss, PR_FALSE, maxBytes, | 7433 extensions_len = ssl3_CallHelloExtensionSenders(ss, PR_FALSE, maxBytes, |
7185 &ss->xtnData.serverSenders[0]); | 7434 &ss->xtnData.serverSenders[0]); |
7186 if (extensions_len > 0) | 7435 if (extensions_len > 0) |
7187 extensions_len += 2; /* Add sizeof total extension length */ | 7436 extensions_len += 2; /* Add sizeof total extension length */ |
7188 | 7437 |
7189 length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH + 1 + | 7438 length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH + 1 + |
7190 ((sid == NULL) ? 0: sid->u.ssl3.sessionIDLength) + | 7439 ((sid == NULL) ? 0: sid->u.ssl3.sessionIDLength) + |
7191 sizeof(ssl3CipherSuite) + 1 + extensions_len; | 7440 sizeof(ssl3CipherSuite) + 1 + extensions_len; |
7192 rv = ssl3_AppendHandshakeHeader(ss, server_hello, length); | 7441 rv = ssl3_AppendHandshakeHeader(ss, server_hello, length); |
7193 if (rv != SECSuccess) { | 7442 if (rv != SECSuccess) { |
7194 return rv; /* err set by AppendHandshake. */ | 7443 return rv; /* err set by AppendHandshake. */ |
7195 } | 7444 } |
7196 | 7445 |
7197 rv = ssl3_AppendHandshakeNumber(ss, ss->version, 2); | 7446 if (IS_DTLS(ss)) { |
| 7447 » version = dtls_TLSVersionToDTLSVersion(ss->version); |
| 7448 } else { |
| 7449 » version = ss->version; |
| 7450 } |
| 7451 |
| 7452 rv = ssl3_AppendHandshakeNumber(ss, version, 2); |
7198 if (rv != SECSuccess) { | 7453 if (rv != SECSuccess) { |
7199 return rv; /* err set by AppendHandshake. */ | 7454 return rv; /* err set by AppendHandshake. */ |
7200 } | 7455 } |
7201 rv = ssl3_GetNewRandom(&ss->ssl3.hs.server_random); | 7456 rv = ssl3_GetNewRandom(&ss->ssl3.hs.server_random); |
7202 if (rv != SECSuccess) { | 7457 if (rv != SECSuccess) { |
7203 ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE); | 7458 ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE); |
7204 return rv; | 7459 return rv; |
7205 } | 7460 } |
7206 rv = ssl3_AppendHandshake( | 7461 rv = ssl3_AppendHandshake( |
7207 ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH); | 7462 ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH); |
(...skipping 164 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
7372 ca_list = ss->ssl3.ca_list; | 7627 ca_list = ss->ssl3.ca_list; |
7373 if (!ca_list) { | 7628 if (!ca_list) { |
7374 ca_list = ssl3_server_ca_list; | 7629 ca_list = ssl3_server_ca_list; |
7375 } | 7630 } |
7376 | 7631 |
7377 if (ca_list != NULL) { | 7632 if (ca_list != NULL) { |
7378 names = ca_list->names; | 7633 names = ca_list->names; |
7379 nnames = ca_list->nnames; | 7634 nnames = ca_list->nnames; |
7380 } | 7635 } |
7381 | 7636 |
7382 if (!nnames) { | 7637 /* There used to be a test here to require a CA, but there |
7383 » PORT_SetError(SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA); | 7638 * are cases where you want to have no CAs offered. */ |
7384 » return SECFailure; | |
7385 } | |
7386 | |
7387 for (i = 0, name = names; i < nnames; i++, name++) { | 7639 for (i = 0, name = names; i < nnames; i++, name++) { |
7388 calen += 2 + name->len; | 7640 calen += 2 + name->len; |
7389 } | 7641 } |
7390 | 7642 |
7391 certTypes = certificate_types; | 7643 certTypes = certificate_types; |
7392 certTypesLength = sizeof certificate_types; | 7644 certTypesLength = sizeof certificate_types; |
7393 | 7645 |
7394 length = 1 + certTypesLength + 2 + calen; | 7646 length = 1 + certTypesLength + 2 + calen; |
7395 | 7647 |
7396 rv = ssl3_AppendHandshakeHeader(ss, certificate_request, length); | 7648 rv = ssl3_AppendHandshakeHeader(ss, certificate_request, length); |
(...skipping 147 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
7544 /* can't find a slot with all three, find a slot with the minimum */ | 7796 /* can't find a slot with all three, find a slot with the minimum */ |
7545 slot = PK11_GetBestSlotMultiple(mechanism_array, 2, pwArg); | 7797 slot = PK11_GetBestSlotMultiple(mechanism_array, 2, pwArg); |
7546 if (slot == NULL) { | 7798 if (slot == NULL) { |
7547 PORT_SetError(SSL_ERROR_TOKEN_SLOT_NOT_FOUND); | 7799 PORT_SetError(SSL_ERROR_TOKEN_SLOT_NOT_FOUND); |
7548 return pms; /* which is NULL */ | 7800 return pms; /* which is NULL */ |
7549 } | 7801 } |
7550 } | 7802 } |
7551 } | 7803 } |
7552 | 7804 |
7553 /* Generate the pre-master secret ... */ | 7805 /* Generate the pre-master secret ... */ |
7554 version.major = MSB(ss->clientHelloVersion); | 7806 if (IS_DTLS(ss)) { |
7555 version.minor = LSB(ss->clientHelloVersion); | 7807 » SSL3ProtocolVersion temp; |
| 7808 |
| 7809 » temp = dtls_TLSVersionToDTLSVersion(ss->clientHelloVersion); |
| 7810 » version.major = MSB(temp); |
| 7811 » version.minor = LSB(temp); |
| 7812 } else { |
| 7813 » version.major = MSB(ss->clientHelloVersion); |
| 7814 » version.minor = LSB(ss->clientHelloVersion); |
| 7815 } |
7556 | 7816 |
7557 param.data = (unsigned char *)&version; | 7817 param.data = (unsigned char *)&version; |
7558 param.len = sizeof version; | 7818 param.len = sizeof version; |
7559 | 7819 |
7560 pms = PK11_KeyGen(slot, CKM_SSL3_PRE_MASTER_KEY_GEN, ¶m, 0, pwArg); | 7820 pms = PK11_KeyGen(slot, CKM_SSL3_PRE_MASTER_KEY_GEN, ¶m, 0, pwArg); |
7561 if (!serverKeySlot) | 7821 if (!serverKeySlot) |
7562 PK11_FreeSlot(slot); | 7822 PK11_FreeSlot(slot); |
7563 if (pms == NULL) { | 7823 if (pms == NULL) { |
7564 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); | 7824 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); |
7565 } | 7825 } |
(...skipping 62 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
7628 */ | 7888 */ |
7629 | 7889 |
7630 rv = PK11_PrivDecryptPKCS1(serverKey, rsaPmsBuf, &outLen, | 7890 rv = PK11_PrivDecryptPKCS1(serverKey, rsaPmsBuf, &outLen, |
7631 sizeof rsaPmsBuf, enc_pms.data, enc_pms.len); | 7891 sizeof rsaPmsBuf, enc_pms.data, enc_pms.len); |
7632 if (rv != SECSuccess) { | 7892 if (rv != SECSuccess) { |
7633 /* triple bypass failed. Let's try for a double bypass. */ | 7893 /* triple bypass failed. Let's try for a double bypass. */ |
7634 goto double_bypass; | 7894 goto double_bypass; |
7635 } else if (ss->opt.detectRollBack) { | 7895 } else if (ss->opt.detectRollBack) { |
7636 SSL3ProtocolVersion client_version = | 7896 SSL3ProtocolVersion client_version = |
7637 (rsaPmsBuf[0] << 8) | rsaPmsBuf[1]; | 7897 (rsaPmsBuf[0] << 8) | rsaPmsBuf[1]; |
| 7898 |
| 7899 if (IS_DTLS(ss)) { |
| 7900 client_version = dtls_DTLSVersionToTLSVersion(client_version); |
| 7901 } |
| 7902 |
7638 if (client_version != ss->clientHelloVersion) { | 7903 if (client_version != ss->clientHelloVersion) { |
7639 /* Version roll-back detected. ensure failure. */ | 7904 /* Version roll-back detected. ensure failure. */ |
7640 rv = PK11_GenerateRandom(rsaPmsBuf, sizeof rsaPmsBuf); | 7905 rv = PK11_GenerateRandom(rsaPmsBuf, sizeof rsaPmsBuf); |
7641 } | 7906 } |
7642 } | 7907 } |
7643 /* have PMS, build MS without PKCS11 */ | 7908 /* have PMS, build MS without PKCS11 */ |
7644 rv = ssl3_MasterKeyDeriveBypass(pwSpec, cr, sr, &pmsItem, isTLS, | 7909 rv = ssl3_MasterKeyDeriveBypass(pwSpec, cr, sr, &pmsItem, isTLS, |
7645 PR_TRUE); | 7910 PR_TRUE); |
7646 if (rv != SECSuccess) { | 7911 if (rv != SECSuccess) { |
7647 pwSpec->msItem.data = pwSpec->raw_master_secret; | 7912 pwSpec->msItem.data = pwSpec->raw_master_secret; |
(...skipping 1196 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
8844 flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER; | 9109 flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER; |
8845 } | 9110 } |
8846 | 9111 |
8847 if (!isServer && !ss->firstHsDone) { | 9112 if (!isServer && !ss->firstHsDone) { |
8848 rv = ssl3_SendNextProto(ss); | 9113 rv = ssl3_SendNextProto(ss); |
8849 if (rv != SECSuccess) { | 9114 if (rv != SECSuccess) { |
8850 goto xmit_loser; /* err code was set. */ | 9115 goto xmit_loser; /* err code was set. */ |
8851 } | 9116 } |
8852 } | 9117 } |
8853 | 9118 |
| 9119 if (IS_DTLS(ss)) { |
| 9120 flags |= ssl_SEND_FLAG_NO_RETRANSMIT; |
| 9121 } |
| 9122 |
8854 rv = ssl3_SendFinished(ss, flags); | 9123 rv = ssl3_SendFinished(ss, flags); |
8855 if (rv != SECSuccess) { | 9124 if (rv != SECSuccess) { |
8856 goto xmit_loser; /* err is set. */ | 9125 goto xmit_loser; /* err is set. */ |
8857 } | 9126 } |
8858 } | 9127 } |
8859 | 9128 |
8860 xmit_loser: | 9129 xmit_loser: |
8861 ssl_ReleaseXmitBufLock(ss); /*************************************/ | 9130 ssl_ReleaseXmitBufLock(ss); /*************************************/ |
8862 if (rv != SECSuccess) { | 9131 if (rv != SECSuccess) { |
8863 return rv; | 9132 return rv; |
(...skipping 109 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
8973 ss->ssl3.hs.pending_cert_msg.len); | 9242 ss->ssl3.hs.pending_cert_msg.len); |
8974 SECITEM_FreeItem(&ss->ssl3.hs.pending_cert_msg, PR_FALSE); | 9243 SECITEM_FreeItem(&ss->ssl3.hs.pending_cert_msg, PR_FALSE); |
8975 } | 9244 } |
8976 return rv; | 9245 return rv; |
8977 } | 9246 } |
8978 | 9247 |
8979 /* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3 | 9248 /* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3 |
8980 * hanshake message. | 9249 * hanshake message. |
8981 * Caller must hold Handshake and RecvBuf locks. | 9250 * Caller must hold Handshake and RecvBuf locks. |
8982 */ | 9251 */ |
8983 static SECStatus | 9252 SECStatus |
8984 ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length) | 9253 ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
8985 { | 9254 { |
8986 SECStatus rv = SECSuccess; | 9255 SECStatus rv = SECSuccess; |
8987 SSL3HandshakeType type = ss->ssl3.hs.msg_type; | 9256 SSL3HandshakeType type = ss->ssl3.hs.msg_type; |
8988 SSL3Hashes hashes; /* computed hashes are put here. */ | 9257 SSL3Hashes hashes; /* computed hashes are put here. */ |
8989 PRUint8 hdr[4]; | 9258 PRUint8 hdr[4]; |
| 9259 PRUint8 dtlsData[8]; |
8990 | 9260 |
8991 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 9261 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
8992 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 9262 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
8993 /* | 9263 /* |
8994 * We have to compute the hashes before we update them with the | 9264 * We have to compute the hashes before we update them with the |
8995 * current message. | 9265 * current message. |
8996 */ | 9266 */ |
8997 ssl_GetSpecReadLock(ss); /************************************/ | 9267 ssl_GetSpecReadLock(ss); /************************************/ |
8998 if((type == finished) || (type == certificate_verify)) { | 9268 if((type == finished) || (type == certificate_verify)) { |
8999 SSL3Sender sender = (SSL3Sender)0; | 9269 SSL3Sender sender = (SSL3Sender)0; |
(...skipping 25 matching lines...) Expand all Loading... |
9025 | 9295 |
9026 /* Start new handshake hashes when we start a new handshake */ | 9296 /* Start new handshake hashes when we start a new handshake */ |
9027 if (ss->ssl3.hs.msg_type == client_hello) { | 9297 if (ss->ssl3.hs.msg_type == client_hello) { |
9028 SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes", | 9298 SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes", |
9029 SSL_GETPID(), ss->fd )); | 9299 SSL_GETPID(), ss->fd )); |
9030 rv = ssl3_RestartHandshakeHashes(ss); | 9300 rv = ssl3_RestartHandshakeHashes(ss); |
9031 if (rv != SECSuccess) { | 9301 if (rv != SECSuccess) { |
9032 return rv; | 9302 return rv; |
9033 } | 9303 } |
9034 } | 9304 } |
9035 /* We should not include hello_request messages in the handshake hashes */ | 9305 /* We should not include hello_request and hello_verify_request messages |
9036 if (ss->ssl3.hs.msg_type != hello_request) { | 9306 * in the handshake hashes */ |
| 9307 if ((ss->ssl3.hs.msg_type != hello_request) && |
| 9308 » (ss->ssl3.hs.msg_type != hello_verify_request)) { |
9037 rv = ssl3_UpdateHandshakeHashes(ss, (unsigned char*) hdr, 4); | 9309 rv = ssl3_UpdateHandshakeHashes(ss, (unsigned char*) hdr, 4); |
9038 if (rv != SECSuccess) return rv; /* err code already set. */ | 9310 if (rv != SECSuccess) return rv; /* err code already set. */ |
| 9311 |
| 9312 /* Extra data to simulate a complete DTLS handshake fragment */ |
| 9313 if (IS_DTLS(ss)) { |
| 9314 /* Sequence number */ |
| 9315 dtlsData[0] = MSB(ss->ssl3.hs.recvMessageSeq); |
| 9316 dtlsData[1] = LSB(ss->ssl3.hs.recvMessageSeq); |
| 9317 |
| 9318 /* Fragment offset */ |
| 9319 dtlsData[2] = 0; |
| 9320 dtlsData[3] = 0; |
| 9321 dtlsData[4] = 0; |
| 9322 |
| 9323 /* Fragment length */ |
| 9324 dtlsData[5] = (PRUint8)(length >> 16); |
| 9325 dtlsData[6] = (PRUint8)(length >> 8); |
| 9326 dtlsData[7] = (PRUint8)(length ); |
| 9327 |
| 9328 rv = ssl3_UpdateHandshakeHashes(ss, (unsigned char*) dtlsData, |
| 9329 sizeof(dtlsData)); |
| 9330 if (rv != SECSuccess) return rv; /* err code already set. */ |
| 9331 } |
| 9332 |
| 9333 /* The message body */ |
9039 rv = ssl3_UpdateHandshakeHashes(ss, b, length); | 9334 rv = ssl3_UpdateHandshakeHashes(ss, b, length); |
9040 if (rv != SECSuccess) return rv; /* err code already set. */ | 9335 if (rv != SECSuccess) return rv; /* err code already set. */ |
9041 } | 9336 } |
9042 | 9337 |
9043 PORT_SetError(0); /* each message starts with no error. */ | 9338 PORT_SetError(0); /* each message starts with no error. */ |
9044 switch (ss->ssl3.hs.msg_type) { | 9339 switch (ss->ssl3.hs.msg_type) { |
9045 case hello_request: | 9340 case hello_request: |
9046 if (length != 0) { | 9341 if (length != 0) { |
9047 (void)ssl3_DecodeError(ss); | 9342 (void)ssl3_DecodeError(ss); |
9048 PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_REQUEST); | 9343 PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_REQUEST); |
(...skipping 15 matching lines...) Expand all Loading... |
9064 rv = ssl3_HandleClientHello(ss, b, length); | 9359 rv = ssl3_HandleClientHello(ss, b, length); |
9065 break; | 9360 break; |
9066 case server_hello: | 9361 case server_hello: |
9067 if (ss->sec.isServer) { | 9362 if (ss->sec.isServer) { |
9068 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); | 9363 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); |
9069 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO); | 9364 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO); |
9070 return SECFailure; | 9365 return SECFailure; |
9071 } | 9366 } |
9072 rv = ssl3_HandleServerHello(ss, b, length); | 9367 rv = ssl3_HandleServerHello(ss, b, length); |
9073 break; | 9368 break; |
| 9369 case hello_verify_request: |
| 9370 if (!IS_DTLS(ss) || ss->sec.isServer) { |
| 9371 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); |
| 9372 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY_REQUEST); |
| 9373 return SECFailure; |
| 9374 } |
| 9375 rv = dtls_HandleHelloVerifyRequest(ss, b, length); |
| 9376 break; |
9074 case certificate: | 9377 case certificate: |
9075 if (ss->ssl3.hs.may_get_cert_status) { | 9378 if (ss->ssl3.hs.may_get_cert_status) { |
9076 /* If we might get a CertificateStatus then we want to postpone the | 9379 /* If we might get a CertificateStatus then we want to postpone the |
9077 * processing of the Certificate message until after we have | 9380 * processing of the Certificate message until after we have |
9078 * processed the CertificateStatus */ | 9381 * processed the CertificateStatus */ |
9079 if (ss->ssl3.hs.pending_cert_msg.data || | 9382 if (ss->ssl3.hs.pending_cert_msg.data || |
9080 ss->ssl3.hs.ws != wait_server_cert) { | 9383 ss->ssl3.hs.ws != wait_server_cert) { |
9081 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); | 9384 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); |
9082 (void)ssl_MapLowLevelError(SSL_ERROR_RX_UNEXPECTED_CERTIFICATE); | 9385 (void)ssl_MapLowLevelError(SSL_ERROR_RX_UNEXPECTED_CERTIFICATE); |
9083 return SECFailure; | 9386 return SECFailure; |
(...skipping 78 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
9162 rv = ssl3_HandleNewSessionTicket(ss, b, length); | 9465 rv = ssl3_HandleNewSessionTicket(ss, b, length); |
9163 break; | 9466 break; |
9164 case finished: | 9467 case finished: |
9165 rv = ssl3_HandleFinished(ss, b, length, &hashes); | 9468 rv = ssl3_HandleFinished(ss, b, length, &hashes); |
9166 break; | 9469 break; |
9167 default: | 9470 default: |
9168 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); | 9471 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); |
9169 PORT_SetError(SSL_ERROR_RX_UNKNOWN_HANDSHAKE); | 9472 PORT_SetError(SSL_ERROR_RX_UNKNOWN_HANDSHAKE); |
9170 rv = SECFailure; | 9473 rv = SECFailure; |
9171 } | 9474 } |
| 9475 |
| 9476 if (IS_DTLS(ss) && (rv == SECSuccess)) { |
| 9477 /* Increment the expected sequence number */ |
| 9478 ss->ssl3.hs.recvMessageSeq++; |
| 9479 } |
| 9480 |
9172 return rv; | 9481 return rv; |
9173 } | 9482 } |
9174 | 9483 |
9175 /* Called only from ssl3_HandleRecord, for each (deciphered) ssl3 record. | 9484 /* Called only from ssl3_HandleRecord, for each (deciphered) ssl3 record. |
9176 * origBuf is the decrypted ssl record content. | 9485 * origBuf is the decrypted ssl record content. |
9177 * Caller must hold the handshake and RecvBuf locks. | 9486 * Caller must hold the handshake and RecvBuf locks. |
9178 */ | 9487 */ |
9179 static SECStatus | 9488 static SECStatus |
9180 ssl3_HandleHandshake(sslSocket *ss, sslBuffer *origBuf) | 9489 ssl3_HandleHandshake(sslSocket *ss, sslBuffer *origBuf) |
9181 { | 9490 { |
(...skipping 142 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
9324 ssl3CipherSpec * crSpec; | 9633 ssl3CipherSpec * crSpec; |
9325 SECStatus rv; | 9634 SECStatus rv; |
9326 unsigned int hashBytes = MAX_MAC_LENGTH + 1; | 9635 unsigned int hashBytes = MAX_MAC_LENGTH + 1; |
9327 unsigned int padding_length; | 9636 unsigned int padding_length; |
9328 PRBool isTLS; | 9637 PRBool isTLS; |
9329 PRBool padIsBad = PR_FALSE; | 9638 PRBool padIsBad = PR_FALSE; |
9330 SSL3ContentType rType; | 9639 SSL3ContentType rType; |
9331 SSL3Opaque hash[MAX_MAC_LENGTH]; | 9640 SSL3Opaque hash[MAX_MAC_LENGTH]; |
9332 sslBuffer *plaintext; | 9641 sslBuffer *plaintext; |
9333 sslBuffer temp_buf; | 9642 sslBuffer temp_buf; |
| 9643 PRUint64 dtls_seq_num; |
9334 unsigned int ivLen = 0; | 9644 unsigned int ivLen = 0; |
9335 | 9645 |
9336 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 9646 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
9337 | 9647 |
9338 if (!ss->ssl3.initialized) { | 9648 if (!ss->ssl3.initialized) { |
9339 ssl_GetSSL3HandshakeLock(ss); | 9649 ssl_GetSSL3HandshakeLock(ss); |
9340 rv = ssl3_InitState(ss); | 9650 rv = ssl3_InitState(ss); |
9341 ssl_ReleaseSSL3HandshakeLock(ss); | 9651 ssl_ReleaseSSL3HandshakeLock(ss); |
9342 if (rv != SECSuccess) { | 9652 if (rv != SECSuccess) { |
9343 return rv; /* ssl3_InitState has set the error code. */ | 9653 return rv; /* ssl3_InitState has set the error code. */ |
(...skipping 15 matching lines...) Expand all Loading... |
9359 SSL_GETPID(), ss->fd)); | 9669 SSL_GETPID(), ss->fd)); |
9360 rType = content_handshake; | 9670 rType = content_handshake; |
9361 goto process_it; | 9671 goto process_it; |
9362 } | 9672 } |
9363 | 9673 |
9364 ssl_GetSpecReadLock(ss); /******************************************/ | 9674 ssl_GetSpecReadLock(ss); /******************************************/ |
9365 | 9675 |
9366 crSpec = ss->ssl3.crSpec; | 9676 crSpec = ss->ssl3.crSpec; |
9367 cipher_def = crSpec->cipher_def; | 9677 cipher_def = crSpec->cipher_def; |
9368 | 9678 |
| 9679 /* |
| 9680 * DTLS relevance checks: |
| 9681 * Note that this code currently ignores all out-of-epoch packets, |
| 9682 * which means we lose some in the case of rehandshake + |
| 9683 * loss/reordering. Since DTLS is explicitly unreliable, this |
| 9684 * seems like a good tradeoff for implementation effort and is |
| 9685 * consistent with the guidance of RFC 6347 Sections 4.1 and 4.2.4.1 |
| 9686 */ |
| 9687 if (IS_DTLS(ss)) { |
| 9688 DTLSEpoch epoch = (cText->seq_num.high >> 16) & 0xffff; |
| 9689 |
| 9690 if (crSpec->epoch != epoch) { |
| 9691 ssl_ReleaseSpecReadLock(ss); |
| 9692 SSL_DBG(("%d: SSL3[%d]: HandleRecord, received packet " |
| 9693 "from irrelevant epoch %d", SSL_GETPID(), ss->fd, epoch)); |
| 9694 /* Silently drop the packet */ |
| 9695 databuf->len = 0; /* Needed to ensure data not left around */ |
| 9696 return SECSuccess; |
| 9697 } |
| 9698 |
| 9699 dtls_seq_num = (((PRUint64)(cText->seq_num.high & 0xffff)) << 32) | |
| 9700 ((PRUint64)cText->seq_num.low); |
| 9701 |
| 9702 if (dtls_RecordGetRecvd(&crSpec->recvdRecords, dtls_seq_num) != 0) { |
| 9703 ssl_ReleaseSpecReadLock(ss); |
| 9704 SSL_DBG(("%d: SSL3[%d]: HandleRecord, rejecting " |
| 9705 "potentially replayed packet", SSL_GETPID(), ss->fd)); |
| 9706 /* Silently drop the packet */ |
| 9707 databuf->len = 0; /* Needed to ensure data not left around */ |
| 9708 return SECSuccess; |
| 9709 } |
| 9710 } |
| 9711 |
9369 if (cipher_def->type == type_block && | 9712 if (cipher_def->type == type_block && |
9370 crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { | 9713 crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { |
9371 /* Consume the per-record explicit IV. RFC 4346 Section 6.2.3.2 states | 9714 /* Consume the per-record explicit IV. RFC 4346 Section 6.2.3.2 states |
9372 * "The receiver decrypts the entire GenericBlockCipher structure and | 9715 * "The receiver decrypts the entire GenericBlockCipher structure and |
9373 * then discards the first cipher block corresponding to the IV | 9716 * then discards the first cipher block corresponding to the IV |
9374 * component." Instead, we decrypt the first cipher block and then | 9717 * component." Instead, we decrypt the first cipher block and then |
9375 * discard it before decrypting the rest. | 9718 * discard it before decrypting the rest. |
9376 */ | 9719 */ |
9377 SSL3Opaque iv[MAX_IV_LENGTH]; | 9720 SSL3Opaque iv[MAX_IV_LENGTH]; |
9378 int decoded; | 9721 int decoded; |
(...skipping 101 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
9480 | 9823 |
9481 /* Remove the MAC. */ | 9824 /* Remove the MAC. */ |
9482 if (plaintext->len >= crSpec->mac_size) | 9825 if (plaintext->len >= crSpec->mac_size) |
9483 plaintext->len -= crSpec->mac_size; | 9826 plaintext->len -= crSpec->mac_size; |
9484 else | 9827 else |
9485 padIsBad = PR_TRUE; /* really macIsBad */ | 9828 padIsBad = PR_TRUE; /* really macIsBad */ |
9486 | 9829 |
9487 /* compute the MAC */ | 9830 /* compute the MAC */ |
9488 rType = cText->type; | 9831 rType = cText->type; |
9489 rv = ssl3_ComputeRecordMAC( crSpec, (PRBool)(!ss->sec.isServer), | 9832 rv = ssl3_ComputeRecordMAC( crSpec, (PRBool)(!ss->sec.isServer), |
9490 » rType, cText->version, crSpec->read_seq_num, | 9833 IS_DTLS(ss), rType, cText->version, |
| 9834 IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, |
9491 plaintext->buf, plaintext->len, hash, &hashBytes); | 9835 plaintext->buf, plaintext->len, hash, &hashBytes); |
9492 if (rv != SECSuccess) { | 9836 if (rv != SECSuccess) { |
9493 padIsBad = PR_TRUE; /* really macIsBad */ | 9837 padIsBad = PR_TRUE; /* really macIsBad */ |
9494 } | 9838 } |
9495 | 9839 |
9496 /* Check the MAC */ | 9840 /* Check the MAC */ |
9497 if (hashBytes != (unsigned)crSpec->mac_size || padIsBad || | 9841 if (hashBytes != (unsigned)crSpec->mac_size || padIsBad || |
9498 NSS_SecureMemcmp(plaintext->buf + plaintext->len, hash, | 9842 NSS_SecureMemcmp(plaintext->buf + plaintext->len, hash, |
9499 crSpec->mac_size) != 0) { | 9843 crSpec->mac_size) != 0) { |
9500 /* must not hold spec lock when calling SSL3_SendAlert. */ | 9844 /* must not hold spec lock when calling SSL3_SendAlert. */ |
9501 ssl_ReleaseSpecReadLock(ss); | 9845 ssl_ReleaseSpecReadLock(ss); |
9502 SSL3_SendAlert(ss, alert_fatal, bad_record_mac); | |
9503 /* always log mac error, in case attacker can read server logs. */ | |
9504 PORT_SetError(SSL_ERROR_BAD_MAC_READ); | |
9505 | 9846 |
9506 SSL_DBG(("%d: SSL3[%d]: mac check failed", SSL_GETPID(), ss->fd)); | 9847 SSL_DBG(("%d: SSL3[%d]: mac check failed", SSL_GETPID(), ss->fd)); |
9507 | 9848 |
9508 » return SECFailure; | 9849 » if (!IS_DTLS(ss)) { |
| 9850 » SSL3_SendAlert(ss, alert_fatal, bad_record_mac); |
| 9851 » /* always log mac error, in case attacker can read server logs. */ |
| 9852 » PORT_SetError(SSL_ERROR_BAD_MAC_READ); |
| 9853 » return SECFailure; |
| 9854 » } else { |
| 9855 » /* Silently drop the packet */ |
| 9856 databuf->len = 0; /* Needed to ensure data not left around */ |
| 9857 » return SECSuccess; |
| 9858 » } |
9509 } | 9859 } |
9510 | 9860 |
9511 | 9861 if (!IS_DTLS(ss)) { |
9512 | 9862 » ssl3_BumpSequenceNumber(&crSpec->read_seq_num); |
9513 ssl3_BumpSequenceNumber(&crSpec->read_seq_num); | 9863 } else { |
| 9864 » dtls_RecordSetRecvd(&crSpec->recvdRecords, dtls_seq_num); |
| 9865 } |
9514 | 9866 |
9515 ssl_ReleaseSpecReadLock(ss); /*****************************************/ | 9867 ssl_ReleaseSpecReadLock(ss); /*****************************************/ |
9516 | 9868 |
9517 /* | 9869 /* |
9518 * The decrypted data is now in plaintext. | 9870 * The decrypted data is now in plaintext. |
9519 */ | 9871 */ |
9520 | 9872 |
9521 /* possibly decompress the record. If we aren't using compression then | 9873 /* possibly decompress the record. If we aren't using compression then |
9522 * plaintext == databuf and so the uncompressed data is already in | 9874 * plaintext == databuf and so the uncompressed data is already in |
9523 * databuf. */ | 9875 * databuf. */ |
(...skipping 84 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
9608 ** they return SECFailure or SECWouldBlock. | 9960 ** they return SECFailure or SECWouldBlock. |
9609 */ | 9961 */ |
9610 switch (rType) { | 9962 switch (rType) { |
9611 case content_change_cipher_spec: | 9963 case content_change_cipher_spec: |
9612 rv = ssl3_HandleChangeCipherSpecs(ss, databuf); | 9964 rv = ssl3_HandleChangeCipherSpecs(ss, databuf); |
9613 break; | 9965 break; |
9614 case content_alert: | 9966 case content_alert: |
9615 rv = ssl3_HandleAlert(ss, databuf); | 9967 rv = ssl3_HandleAlert(ss, databuf); |
9616 break; | 9968 break; |
9617 case content_handshake: | 9969 case content_handshake: |
9618 » rv = ssl3_HandleHandshake(ss, databuf); | 9970 » if (!IS_DTLS(ss)) { |
| 9971 » rv = ssl3_HandleHandshake(ss, databuf); |
| 9972 » } else { |
| 9973 » rv = dtls_HandleHandshake(ss, databuf); |
| 9974 » } |
9619 break; | 9975 break; |
9620 /* | 9976 /* |
9621 case content_application_data is handled before this switch | 9977 case content_application_data is handled before this switch |
9622 */ | 9978 */ |
9623 default: | 9979 default: |
9624 SSL_DBG(("%d: SSL3[%d]: bogus content type=%d", | 9980 SSL_DBG(("%d: SSL3[%d]: bogus content type=%d", |
9625 SSL_GETPID(), ss->fd, cText->type)); | 9981 SSL_GETPID(), ss->fd, cText->type)); |
9626 /* XXX Send an alert ??? */ | 9982 /* XXX Send an alert ??? */ |
9627 PORT_SetError(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE); | 9983 PORT_SetError(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE); |
9628 rv = SECFailure; | 9984 rv = SECFailure; |
(...skipping 39 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
9668 spec->server.write_key = NULL; | 10024 spec->server.write_key = NULL; |
9669 spec->server.write_mac_key = NULL; | 10025 spec->server.write_mac_key = NULL; |
9670 spec->server.write_mac_context = NULL; | 10026 spec->server.write_mac_context = NULL; |
9671 | 10027 |
9672 spec->write_seq_num.high = 0; | 10028 spec->write_seq_num.high = 0; |
9673 spec->write_seq_num.low = 0; | 10029 spec->write_seq_num.low = 0; |
9674 | 10030 |
9675 spec->read_seq_num.high = 0; | 10031 spec->read_seq_num.high = 0; |
9676 spec->read_seq_num.low = 0; | 10032 spec->read_seq_num.low = 0; |
9677 | 10033 |
| 10034 spec->epoch = 0; |
| 10035 dtls_InitRecvdRecords(&spec->recvdRecords); |
| 10036 |
9678 spec->version = ss->vrange.max; | 10037 spec->version = ss->vrange.max; |
9679 } | 10038 } |
9680 | 10039 |
9681 /* Called from: ssl3_SendRecord | 10040 /* Called from: ssl3_SendRecord |
9682 ** ssl3_StartHandshakeHash() <- ssl2_BeginClientHandshake() | 10041 ** ssl3_StartHandshakeHash() <- ssl2_BeginClientHandshake() |
9683 ** ssl3_SendClientHello() | 10042 ** ssl3_SendClientHello() |
9684 ** ssl3_HandleServerHello() | 10043 ** ssl3_HandleServerHello() |
9685 ** ssl3_HandleClientHello() | 10044 ** ssl3_HandleClientHello() |
9686 ** ssl3_HandleV2ClientHello() | 10045 ** ssl3_HandleV2ClientHello() |
9687 ** ssl3_HandleRecord() | 10046 ** ssl3_HandleRecord() |
(...skipping 21 matching lines...) Expand all Loading... |
9709 ssl3_InitCipherSpec(ss, ss->ssl3.prSpec); | 10068 ssl3_InitCipherSpec(ss, ss->ssl3.prSpec); |
9710 | 10069 |
9711 ss->ssl3.hs.ws = (ss->sec.isServer) ? wait_client_hello : wait_server_hello; | 10070 ss->ssl3.hs.ws = (ss->sec.isServer) ? wait_client_hello : wait_server_hello; |
9712 #ifdef NSS_ENABLE_ECC | 10071 #ifdef NSS_ENABLE_ECC |
9713 ss->ssl3.hs.negotiatedECCurves = SSL3_SUPPORTED_CURVES_MASK; | 10072 ss->ssl3.hs.negotiatedECCurves = SSL3_SUPPORTED_CURVES_MASK; |
9714 #endif | 10073 #endif |
9715 ssl_ReleaseSpecWriteLock(ss); | 10074 ssl_ReleaseSpecWriteLock(ss); |
9716 | 10075 |
9717 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData)); | 10076 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData)); |
9718 | 10077 |
| 10078 if (IS_DTLS(ss)) { |
| 10079 ss->ssl3.hs.sendMessageSeq = 0; |
| 10080 ss->ssl3.hs.recvMessageSeq = 0; |
| 10081 ss->ssl3.hs.rtTimeoutMs = INITIAL_DTLS_TIMEOUT_MS; |
| 10082 ss->ssl3.hs.rtRetries = 0; |
| 10083 |
| 10084 /* Have to allocate this because ssl_FreeSocket relocates |
| 10085 * this structure in DEBUG mode */ |
| 10086 if (!(ss->ssl3.hs.lastMessageFlight = PORT_New(PRCList))) |
| 10087 return SECFailure; |
| 10088 ss->ssl3.hs.recvdHighWater = -1; |
| 10089 PR_INIT_CLIST(ss->ssl3.hs.lastMessageFlight); |
| 10090 dtls_SetMTU(ss, 0); /* Set the MTU to the highest plateau */ |
| 10091 } |
| 10092 |
9719 rv = ssl3_NewHandshakeHashes(ss); | 10093 rv = ssl3_NewHandshakeHashes(ss); |
9720 if (rv == SECSuccess) { | 10094 if (rv == SECSuccess) { |
9721 ss->ssl3.initialized = PR_TRUE; | 10095 ss->ssl3.initialized = PR_TRUE; |
9722 } | 10096 } |
9723 | 10097 |
9724 return rv; | 10098 return rv; |
9725 } | 10099 } |
9726 | 10100 |
9727 /* Returns a reference counted object that contains a key pair. | 10101 /* Returns a reference counted object that contains a key pair. |
9728 * Or NULL on failure. Initial ref count is 1. | 10102 * Or NULL on failure. Initial ref count is 1. |
(...skipping 232 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
9961 | 10335 |
9962 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 10336 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
9963 | 10337 |
9964 if (!ss->firstHsDone || | 10338 if (!ss->firstHsDone || |
9965 ((ss->version >= SSL_LIBRARY_VERSION_3_0) && | 10339 ((ss->version >= SSL_LIBRARY_VERSION_3_0) && |
9966 ss->ssl3.initialized && | 10340 ss->ssl3.initialized && |
9967 (ss->ssl3.hs.ws != idle_handshake))) { | 10341 (ss->ssl3.hs.ws != idle_handshake))) { |
9968 PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED); | 10342 PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED); |
9969 return SECFailure; | 10343 return SECFailure; |
9970 } | 10344 } |
| 10345 |
| 10346 if (IS_DTLS(ss)) { |
| 10347 dtls_RehandshakeCleanup(ss); |
| 10348 } |
| 10349 |
9971 if (ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) { | 10350 if (ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) { |
9972 PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED); | 10351 PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED); |
9973 return SECFailure; | 10352 return SECFailure; |
9974 } | 10353 } |
9975 if (sid && flushCache) { | 10354 if (sid && flushCache) { |
9976 ss->sec.uncache(sid); /* remove it from whichever cache it's in. */ | 10355 ss->sec.uncache(sid); /* remove it from whichever cache it's in. */ |
9977 ssl_FreeSID(sid); /* dec ref count and free if zero. */ | 10356 ssl_FreeSID(sid); /* dec ref count and free if zero. */ |
9978 ss->sec.ci.sid = NULL; | 10357 ss->sec.ci.sid = NULL; |
9979 } | 10358 } |
9980 | 10359 |
9981 ssl_GetXmitBufLock(ss); /**************************************/ | 10360 ssl_GetXmitBufLock(ss); /**************************************/ |
9982 | 10361 |
9983 /* start off a new handshake. */ | 10362 /* start off a new handshake. */ |
9984 rv = (ss->sec.isServer) ? ssl3_SendHelloRequest(ss) | 10363 rv = (ss->sec.isServer) ? ssl3_SendHelloRequest(ss) |
9985 : ssl3_SendClientHello(ss); | 10364 : ssl3_SendClientHello(ss, PR_FALSE); |
9986 | 10365 |
9987 ssl_ReleaseXmitBufLock(ss); /**************************************/ | 10366 ssl_ReleaseXmitBufLock(ss); /**************************************/ |
9988 return rv; | 10367 return rv; |
9989 } | 10368 } |
9990 | 10369 |
9991 /* Called from ssl_DestroySocketContents() in sslsock.c */ | 10370 /* Called from ssl_DestroySocketContents() in sslsock.c */ |
9992 void | 10371 void |
9993 ssl3_DestroySSL3Info(sslSocket *ss) | 10372 ssl3_DestroySSL3Info(sslSocket *ss) |
9994 { | 10373 { |
9995 | 10374 |
(...skipping 39 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
10035 SECITEM_FreeItem(&ss->ssl3.hs.cert_status, PR_FALSE); | 10414 SECITEM_FreeItem(&ss->ssl3.hs.cert_status, PR_FALSE); |
10036 } | 10415 } |
10037 | 10416 |
10038 /* free the SSL3Buffer (msg_body) */ | 10417 /* free the SSL3Buffer (msg_body) */ |
10039 PORT_Free(ss->ssl3.hs.msg_body.buf); | 10418 PORT_Free(ss->ssl3.hs.msg_body.buf); |
10040 | 10419 |
10041 /* free up the CipherSpecs */ | 10420 /* free up the CipherSpecs */ |
10042 ssl3_DestroyCipherSpec(&ss->ssl3.specs[0], PR_TRUE/*freeSrvName*/); | 10421 ssl3_DestroyCipherSpec(&ss->ssl3.specs[0], PR_TRUE/*freeSrvName*/); |
10043 ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/); | 10422 ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/); |
10044 | 10423 |
| 10424 /* Destroy the DTLS data */ |
| 10425 if (IS_DTLS(ss)) { |
| 10426 if (ss->ssl3.hs.lastMessageFlight) { |
| 10427 dtls_FreeHandshakeMessages(ss->ssl3.hs.lastMessageFlight); |
| 10428 PORT_Free(ss->ssl3.hs.lastMessageFlight); |
| 10429 } |
| 10430 if (ss->ssl3.hs.recvdFragments.buf) { |
| 10431 PORT_Free(ss->ssl3.hs.recvdFragments.buf); |
| 10432 } |
| 10433 } |
| 10434 |
10045 ss->ssl3.initialized = PR_FALSE; | 10435 ss->ssl3.initialized = PR_FALSE; |
10046 | 10436 |
10047 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); | 10437 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); |
10048 } | 10438 } |
10049 | 10439 |
10050 /* End of ssl3con.c */ | 10440 /* End of ssl3con.c */ |
OLD | NEW |