1 /*
2 * SSL v2 handshake functions, and functions common to SSL2 and SSL3.
3 *
4 * ***** BEGIN LICENSE BLOCK *****
5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
6 *
7 * The contents of this file are subject to the Mozilla Public License Version
8 * 1.1 (the "License"); you may not use this file except in compliance with
9 * the License. You may obtain a copy of the License at
10 * http://www.mozilla.org/MPL/
11 *
12 * Software distributed under the License is distributed on an "AS IS" basis,
13 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
14 * for the specific language governing rights and limitations under the
15 * License.
16 *
17 * The Original Code is the Netscape security libraries.
18 *
19 * The Initial Developer of the Original Code is
20 * Netscape Communications Corporation.
21 * Portions created by the Initial Developer are Copyright (C) 1994-2000
22 * the Initial Developer. All Rights Reserved.
23 *
24 * Contributor(s):
25 * Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
26 *
27 * Alternatively, the contents of this file may be used under the terms of
28 * either the GNU General Public License Version 2 or later (the "GPL"), or
29 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
30 * in which case the provisions of the GPL or the LGPL are applicable instead
31 * of those above. If you wish to allow use of your version of this file only
32 * under the terms of either the GPL or the LGPL, and not to allow others to
33 * use your version of this file under the terms of the MPL, indicate your
34 * decision by deleting the provisions above and replace them with the notice
35 * and other provisions required by the GPL or the LGPL. If you do not delete
36 * the provisions above, a recipient may use your version of this file under
37 * the terms of any one of the MPL, the GPL or the LGPL.
38 *
39 * ***** END LICENSE BLOCK ***** */
40 /* $Id: sslcon.c,v 1.37 2009/10/16 17:45:35 wtc%google.com Exp $ */
41
42 #include "nssrenam.h"
43 #include "cert.h"
44 #include "secitem.h"
45 #include "sechash.h"
46 #include "cryptohi.h" /* for SGN_ funcs */
47 #include "keyhi.h" /* for SECKEY_ high level functions. */
48 #include "ssl.h"
49 #include "sslimpl.h"
50 #include "sslproto.h"
51 #include "ssl3prot.h"
52 #include "sslerr.h"
53 #include "pk11func.h"
54 #include "prinit.h"
55 #include "prtime.h" /* for PR_Now() */
56
57 #define XXX
58 static PRBool policyWasSet;
59
60 /* This ordered list is indexed by (SSL_CK_xx * 3) */
61 /* Second and third bytes are MSB and LSB of master key length. */
62 static const PRUint8 allCipherSuites[] = {
63 0, 0, 0,
64 SSL_CK_RC4_128_WITH_MD5, 0x00, 0x80,
65 SSL_CK_RC4_128_EXPORT40_WITH_MD5, 0x00, 0x80,
66 SSL_CK_RC2_128_CBC_WITH_MD5, 0x00, 0x80,
67 SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5, 0x00, 0x80,
68 SSL_CK_IDEA_128_CBC_WITH_MD5, 0x00, 0x80,
69 SSL_CK_DES_64_CBC_WITH_MD5, 0x00, 0x40,
70 SSL_CK_DES_192_EDE3_CBC_WITH_MD5, 0x00, 0xC0,
71 0, 0, 0
72 };
73
74 #define ssl2_NUM_SUITES_IMPLEMENTED 6
75
76 /* This list is sent back to the client when the client-hello message
77 * contains no overlapping ciphers, so the client can report what ciphers
78 * are supported by the server. Unlike allCipherSuites (above), this list
79 * is sorted by descending preference, not by cipherSuite number.
80 */
81 static const PRUint8 implementedCipherSuites[ssl2_NUM_SUITES_IMPLEMENTED * 3] = {
82 SSL_CK_RC4_128_WITH_MD5, 0x00, 0x80,
83 SSL_CK_RC2_128_CBC_WITH_MD5, 0x00, 0x80,
84 SSL_CK_DES_192_EDE3_CBC_WITH_MD5, 0x00, 0xC0,
85 SSL_CK_DES_64_CBC_WITH_MD5, 0x00, 0x40,
86 SSL_CK_RC4_128_EXPORT40_WITH_MD5, 0x00, 0x80,
87 SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5, 0x00, 0x80
88 };
89
90 typedef struct ssl2SpecsStr {
91 PRUint8 nkm; /* do this many hashes to generate key material. */
92 PRUint8 nkd; /* size of readKey and writeKey in bytes. */
93 PRUint8 blockSize;
94 PRUint8 blockShift;
95 CK_MECHANISM_TYPE mechanism;
96 PRUint8 keyLen; /* cipher symkey size in bytes. */
97 PRUint8 pubLen; /* publicly reveal this many bytes of key. */
98 PRUint8 ivLen; /* length of IV data at *ca. */
99 } ssl2Specs;
100
101 static const ssl2Specs ssl_Specs[] = {
102 /* NONE */
103 { 0, 0, 0, 0, },
104 /* SSL_CK_RC4_128_WITH_MD5 */
105 { 2, 16, 1, 0, CKM_RC4, 16, 0, 0, },
106 /* SSL_CK_RC4_128_EXPORT40_WITH_MD5 */
107 { 2, 16, 1, 0, CKM_RC4, 16, 11, 0, },
108 /* SSL_CK_RC2_128_CBC_WITH_MD5 */
109 { 2, 16, 8, 3, CKM_RC2_CBC, 16, 0, 8, },
110 /* SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 */
111 { 2, 16, 8, 3, CKM_RC2_CBC, 16, 11, 8, },
112 /* SSL_CK_IDEA_128_CBC_WITH_MD5 */
113 { 0, 0, 0, 0, },
114 /* SSL_CK_DES_64_CBC_WITH_MD5 */
115 { 1, 8, 8, 3, CKM_DES_CBC, 8, 0, 8, },
116 /* SSL_CK_DES_192_EDE3_CBC_WITH_MD5 */
117 { 3, 24, 8, 3, CKM_DES3_CBC, 24, 0, 8, },
118 };
119
120 #define SET_ERROR_CODE /* reminder */
121 #define TEST_FOR_FAILURE /* reminder */
122
123 /*
124 ** Put a string tag in the library so that we can examine an executable
125 ** and see what kind of security it supports.
126 */
127 const char *ssl_version = "SECURITY_VERSION:"
128 " +us"
129 " +export"
130 #ifdef TRACE
131 " +trace"
132 #endif
133 #ifdef DEBUG
134 " +debug"
135 #endif
136 ;
137
138 const char * const ssl_cipherName[] = {
139 "unknown",
140 "RC4",
141 "RC4-Export",
142 "RC2-CBC",
143 "RC2-CBC-Export",
144 "IDEA-CBC",
145 "DES-CBC",
146 "DES-EDE3-CBC",
147 "unknown",
148 "unknown", /* was fortezza, NO LONGER USED */
149 };
150
151
152 /* bit-masks, showing which SSLv2 suites are allowed.
153 * lsb corresponds to first cipher suite in allCipherSuites[].
154 */
155 static PRUint16 allowedByPolicy; /* all off by default */
156 static PRUint16 maybeAllowedByPolicy; /* all off by default */
157 static PRUint16 chosenPreference = 0xff; /* all on by default */
158
159 /* bit values for the above two bit masks */
160 #define SSL_CB_RC4_128_WITH_MD5 (1 << SSL_CK_RC4_128_WITH_MD5)
161 #define SSL_CB_RC4_128_EXPORT40_WITH_MD5 (1 << SSL_CK_RC4_128_EXPORT40_WITH_MD5)
162 #define SSL_CB_RC2_128_CBC_WITH_MD5 (1 << SSL_CK_RC2_128_CBC_WITH_MD5)
163 #define SSL_CB_RC2_128_CBC_EXPORT40_WITH_MD5 (1 << SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5)
164 #define SSL_CB_IDEA_128_CBC_WITH_MD5 (1 << SSL_CK_IDEA_128_CBC_WITH_MD5)
165 #define SSL_CB_DES_64_CBC_WITH_MD5 (1 << SSL_CK_DES_64_CBC_WITH_MD5)
166 #define SSL_CB_DES_192_EDE3_CBC_WITH_MD5 (1 << SSL_CK_DES_192_EDE3_CBC_WITH_MD5)
167 #define SSL_CB_IMPLEMENTED \
168 (SSL_CB_RC4_128_WITH_MD5 | \
169 SSL_CB_RC4_128_EXPORT40_WITH_MD5 | \
170 SSL_CB_RC2_128_CBC_WITH_MD5 | \
171 SSL_CB_RC2_128_CBC_EXPORT40_WITH_MD5 | \
172 SSL_CB_DES_64_CBC_WITH_MD5 | \
173 SSL_CB_DES_192_EDE3_CBC_WITH_MD5)
174
175
176 /* Construct a socket's list of cipher specs from the global default values.
177 */
178 static SECStatus
ssl2_ConstructCipherSpecs(sslSocket * ss)179 ssl2_ConstructCipherSpecs(sslSocket *ss)
180 {
181 PRUint8 * cs = NULL;
182 unsigned int allowed;
183 unsigned int count;
184 int ssl3_count = 0;
185 int final_count;
186 int i;
187 SECStatus rv;
188
189 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
190
191 count = 0;
192 PORT_Assert(ss != 0);
193 allowed = !ss->opt.enableSSL2 ? 0 :
194 (ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED);
195 while (allowed) {
196 if (allowed & 1)
197 ++count;
198 allowed >>= 1;
199 }
200
201 /* Call ssl3_config_match_init() once here,
202 * instead of inside ssl3_ConstructV2CipherSpecsHack(),
203 * because the latter gets called twice below,
204 * and then again in ssl2_BeginClientHandshake().
205 */
206 ssl3_config_match_init(ss);
207
208 /* ask SSL3 how many cipher suites it has. */
209 rv = ssl3_ConstructV2CipherSpecsHack(ss, NULL, &ssl3_count);
210 if (rv < 0)
211 return rv;
212 count += ssl3_count;
213
214 /* Allocate memory to hold cipher specs */
215 if (count > 0)
216 cs = (PRUint8*) PORT_Alloc(count * 3);
217 else
218 PORT_SetError(SSL_ERROR_SSL_DISABLED);
219 if (cs == NULL)
220 return SECFailure;
221
222 if (ss->cipherSpecs != NULL) {
223 PORT_Free(ss->cipherSpecs);
224 }
225 ss->cipherSpecs = cs;
226 ss->sizeCipherSpecs = count * 3;
227
228 /* fill in cipher specs for SSL2 cipher suites */
229 allowed = !ss->opt.enableSSL2 ? 0 :
230 (ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED);
231 for (i = 0; i < ssl2_NUM_SUITES_IMPLEMENTED * 3; i += 3) {
232 const PRUint8 * hs = implementedCipherSuites + i;
233 int ok = allowed & (1U << hs[0]);
234 if (ok) {
235 cs[0] = hs[0];
236 cs[1] = hs[1];
237 cs[2] = hs[2];
238 cs += 3;
239 }
240 }
241
242 /* now have SSL3 add its suites onto the end */
243 rv = ssl3_ConstructV2CipherSpecsHack(ss, cs, &final_count);
244
245 /* adjust for any difference between first pass and second pass */
246 ss->sizeCipherSpecs -= (ssl3_count - final_count) * 3;
247
248 return rv;
249 }
250
251 /* This function is called immediately after ssl2_ConstructCipherSpecs()
252 ** at the beginning of a handshake. It detects cases where a protocol
253 ** (e.g. SSL2 or SSL3) is logically enabled, but all its cipher suites
254 ** for that protocol have been disabled. If such cases, it clears the
255 ** enable bit for the protocol. If no protocols remain enabled, or
256 ** if no cipher suites are found, it sets the error code and returns
257 ** SECFailure, otherwise it returns SECSuccess.
258 */
259 static SECStatus
ssl2_CheckConfigSanity(sslSocket * ss)260 ssl2_CheckConfigSanity(sslSocket *ss)
261 {
262 unsigned int allowed;
263 int ssl3CipherCount = 0;
264 SECStatus rv;
265
266 /* count the SSL2 and SSL3 enabled ciphers.
267 * if either is zero, clear the socket's enable for that protocol.
268 */
269 if (!ss->cipherSpecs)
270 goto disabled;
271
272 allowed = ss->allowedByPolicy & ss->chosenPreference;
273 if (! allowed)
274 ss->opt.enableSSL2 = PR_FALSE; /* not really enabled if no ciphers */
275
276 /* ssl3_config_match_init was called in ssl2_ConstructCipherSpecs(). */
277 /* Ask how many ssl3 CipherSuites were enabled. */
278 rv = ssl3_ConstructV2CipherSpecsHack(ss, NULL, &ssl3CipherCount);
279 if (rv != SECSuccess || ssl3CipherCount <= 0) {
280 ss->opt.enableSSL3 = PR_FALSE; /* not really enabled if no ciphers */
281 ss->opt.enableTLS = PR_FALSE;
282 }
283
284 if (!ss->opt.enableSSL2 && !ss->opt.enableSSL3 && !ss->opt.enableTLS) {
285 SSL_DBG(("%d: SSL[%d]: Can't handshake! both v2 and v3 disabled.",
286 SSL_GETPID(), ss->fd));
287 disabled:
288 PORT_SetError(SSL_ERROR_SSL_DISABLED);
289 return SECFailure;
290 }
291 return SECSuccess;
292 }
293
294 /*
295 * Since this is a global (not per-socket) setting, we cannot use the
296 * HandshakeLock to protect this. Probably want a global lock.
297 */
298 SECStatus
ssl2_SetPolicy(PRInt32 which,PRInt32 policy)299 ssl2_SetPolicy(PRInt32 which, PRInt32 policy)
300 {
301 PRUint32 bitMask;
302 SECStatus rv = SECSuccess;
303
304 which &= 0x000f;
305 bitMask = 1 << which;
306
307 if (!(bitMask & SSL_CB_IMPLEMENTED)) {
308 PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
309 return SECFailure;
310 }
311
312 if (policy == SSL_ALLOWED) {
313 allowedByPolicy |= bitMask;
314 maybeAllowedByPolicy |= bitMask;
315 } else if (policy == SSL_RESTRICTED) {
316 allowedByPolicy &= ~bitMask;
317 maybeAllowedByPolicy |= bitMask;
318 } else {
319 allowedByPolicy &= ~bitMask;
320 maybeAllowedByPolicy &= ~bitMask;
321 }
322 allowedByPolicy &= SSL_CB_IMPLEMENTED;
323 maybeAllowedByPolicy &= SSL_CB_IMPLEMENTED;
324
325 policyWasSet = PR_TRUE;
326 return rv;
327 }
328
329 SECStatus
ssl2_GetPolicy(PRInt32 which,PRInt32 * oPolicy)330 ssl2_GetPolicy(PRInt32 which, PRInt32 *oPolicy)
331 {
332 PRUint32 bitMask;
333 PRInt32 policy;
334
335 which &= 0x000f;
336 bitMask = 1 << which;
337
338 /* Caller assures oPolicy is not null. */
339 if (!(bitMask & SSL_CB_IMPLEMENTED)) {
340 PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
341 *oPolicy = SSL_NOT_ALLOWED;
342 return SECFailure;
343 }
344
345 if (maybeAllowedByPolicy & bitMask) {
346 policy = (allowedByPolicy & bitMask) ? SSL_ALLOWED : SSL_RESTRICTED;
347 } else {
348 policy = SSL_NOT_ALLOWED;
349 }
350
351 *oPolicy = policy;
352 return SECSuccess;
353 }
354
355 /*
356 * Since this is a global (not per-socket) setting, we cannot use the
357 * HandshakeLock to protect this. Probably want a global lock.
358 * Called from SSL_CipherPrefSetDefault in sslsock.c
359 * These changes have no effect on any sslSockets already created.
360 */
361 SECStatus
ssl2_CipherPrefSetDefault(PRInt32 which,PRBool enabled)362 ssl2_CipherPrefSetDefault(PRInt32 which, PRBool enabled)
363 {
364 PRUint32 bitMask;
365
366 which &= 0x000f;
367 bitMask = 1 << which;
368
369 if (!(bitMask & SSL_CB_IMPLEMENTED)) {
370 PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
371 return SECFailure;
372 }
373
374 if (enabled)
375 chosenPreference |= bitMask;
376 else
377 chosenPreference &= ~bitMask;
378 chosenPreference &= SSL_CB_IMPLEMENTED;
379
380 return SECSuccess;
381 }
382
383 SECStatus
ssl2_CipherPrefGetDefault(PRInt32 which,PRBool * enabled)384 ssl2_CipherPrefGetDefault(PRInt32 which, PRBool *enabled)
385 {
386 PRBool rv = PR_FALSE;
387 PRUint32 bitMask;
388
389 which &= 0x000f;
390 bitMask = 1 << which;
391
392 if (!(bitMask & SSL_CB_IMPLEMENTED)) {
393 PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
394 *enabled = PR_FALSE;
395 return SECFailure;
396 }
397
398 rv = (PRBool)((chosenPreference & bitMask) != 0);
399 *enabled = rv;
400 return SECSuccess;
401 }
402
403 SECStatus
ssl2_CipherPrefSet(sslSocket * ss,PRInt32 which,PRBool enabled)404 ssl2_CipherPrefSet(sslSocket *ss, PRInt32 which, PRBool enabled)
405 {
406 PRUint32 bitMask;
407
408 which &= 0x000f;
409 bitMask = 1 << which;
410
411 if (!(bitMask & SSL_CB_IMPLEMENTED)) {
412 PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
413 return SECFailure;
414 }
415
416 if (enabled)
417 ss->chosenPreference |= bitMask;
418 else
419 ss->chosenPreference &= ~bitMask;
420 ss->chosenPreference &= SSL_CB_IMPLEMENTED;
421
422 return SECSuccess;
423 }
424
425 SECStatus
ssl2_CipherPrefGet(sslSocket * ss,PRInt32 which,PRBool * enabled)426 ssl2_CipherPrefGet(sslSocket *ss, PRInt32 which, PRBool *enabled)
427 {
428 PRBool rv = PR_FALSE;
429 PRUint32 bitMask;
430
431 which &= 0x000f;
432 bitMask = 1 << which;
433
434 if (!(bitMask & SSL_CB_IMPLEMENTED)) {
435 PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
436 *enabled = PR_FALSE;
437 return SECFailure;
438 }
439
440 rv = (PRBool)((ss->chosenPreference & bitMask) != 0);
441 *enabled = rv;
442 return SECSuccess;
443 }
444
445
446 /* copy global default policy into socket. */
447 void
ssl2_InitSocketPolicy(sslSocket * ss)448 ssl2_InitSocketPolicy(sslSocket *ss)
449 {
450 ss->allowedByPolicy = allowedByPolicy;
451 ss->maybeAllowedByPolicy = maybeAllowedByPolicy;
452 ss->chosenPreference = chosenPreference;
453 }
454
455
456 /************************************************************************/
457
458 /* Called from ssl2_CreateSessionCypher(), which already holds handshake lock.
459 */
460 static SECStatus
ssl2_CreateMAC(sslSecurityInfo * sec,SECItem * readKey,SECItem * writeKey,int cipherChoice)461 ssl2_CreateMAC(sslSecurityInfo *sec, SECItem *readKey, SECItem *writeKey,
462 int cipherChoice)
463 {
464 switch (cipherChoice) {
465
466 case SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5:
467 case SSL_CK_RC2_128_CBC_WITH_MD5:
468 case SSL_CK_RC4_128_EXPORT40_WITH_MD5:
469 case SSL_CK_RC4_128_WITH_MD5:
470 case SSL_CK_DES_64_CBC_WITH_MD5:
471 case SSL_CK_DES_192_EDE3_CBC_WITH_MD5:
472 sec->hash = HASH_GetHashObject(HASH_AlgMD5);
473 SECITEM_CopyItem(0, &sec->sendSecret, writeKey);
474 SECITEM_CopyItem(0, &sec->rcvSecret, readKey);
475 break;
476
477 default:
478 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
479 return SECFailure;
480 }
481 sec->hashcx = (*sec->hash->create)();
482 if (sec->hashcx == NULL)
483 return SECFailure;
484 return SECSuccess;
485 }
486
487 /************************************************************************
488 * All the Send functions below must acquire and release the socket's
489 * xmitBufLock.
490 */
491
492 /* Called from all the Send* functions below. */
493 static SECStatus
ssl2_GetSendBuffer(sslSocket * ss,unsigned int len)494 ssl2_GetSendBuffer(sslSocket *ss, unsigned int len)
495 {
496 SECStatus rv = SECSuccess;
497
498 PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
499
500 if (len < 128) {
501 len = 128;
502 }
503 if (len > ss->sec.ci.sendBuf.space) {
504 rv = sslBuffer_Grow(&ss->sec.ci.sendBuf, len);
505 if (rv != SECSuccess) {
506 SSL_DBG(("%d: SSL[%d]: ssl2_GetSendBuffer failed, tried to get %d bytes",
507 SSL_GETPID(), ss->fd, len));
508 rv = SECFailure;
509 }
510 }
511 return rv;
512 }
513
514 /* Called from:
515 * ssl2_ClientSetupSessionCypher() <- ssl2_HandleServerHelloMessage()
516 * ssl2_HandleRequestCertificate() <- ssl2_HandleMessage() <-
517 ssl_Do1stHandshake()
518 * ssl2_HandleMessage() <- ssl_Do1stHandshake()
519 * ssl2_HandleServerHelloMessage() <- ssl_Do1stHandshake()
520 after ssl2_BeginClientHandshake()
521 * ssl2_RestartHandshakeAfterCertReq() <- Called from certdlgs.c in nav.
522 * ssl2_HandleClientHelloMessage() <- ssl_Do1stHandshake()
523 after ssl2_BeginServerHandshake()
524 *
525 * Acquires and releases the socket's xmitBufLock.
526 */
527 int
ssl2_SendErrorMessage(sslSocket * ss,int error)528 ssl2_SendErrorMessage(sslSocket *ss, int error)
529 {
530 int rv;
531 PRUint8 msg[SSL_HL_ERROR_HBYTES];
532
533 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
534
535 msg[0] = SSL_MT_ERROR;
536 msg[1] = MSB(error);
537 msg[2] = LSB(error);
538
539 ssl_GetXmitBufLock(ss); /***************************************/
540
541 SSL_TRC(3, ("%d: SSL[%d]: sending error %d", SSL_GETPID(), ss->fd, error));
542
543 ss->handshakeBegun = 1;
544 rv = (*ss->sec.send)(ss, msg, sizeof(msg), 0);
545 if (rv >= 0) {
546 rv = SECSuccess;
547 }
548 ssl_ReleaseXmitBufLock(ss); /***************************************/
549 return rv;
550 }
551
552 /* Called from ssl2_TryToFinish().
553 * Acquires and releases the socket's xmitBufLock.
554 */
555 static SECStatus
ssl2_SendClientFinishedMessage(sslSocket * ss)556 ssl2_SendClientFinishedMessage(sslSocket *ss)
557 {
558 SECStatus rv = SECSuccess;
559 int sent;
560 PRUint8 msg[1 + SSL_CONNECTIONID_BYTES];
561
562 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
563
564 ssl_GetXmitBufLock(ss); /***************************************/
565
566 if (ss->sec.ci.sentFinished == 0) {
567 ss->sec.ci.sentFinished = 1;
568
569 SSL_TRC(3, ("%d: SSL[%d]: sending client-finished",
570 SSL_GETPID(), ss->fd));
571
572 msg[0] = SSL_MT_CLIENT_FINISHED;
573 PORT_Memcpy(msg+1, ss->sec.ci.connectionID,
574 sizeof(ss->sec.ci.connectionID));
575
576 DUMP_MSG(29, (ss, msg, 1 + sizeof(ss->sec.ci.connectionID)));
577 sent = (*ss->sec.send)(ss, msg, 1 + sizeof(ss->sec.ci.connectionID), 0);
578 rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
579 }
580 ssl_ReleaseXmitBufLock(ss); /***************************************/
581 return rv;
582 }
583
584 /* Called from
585 * ssl2_HandleClientSessionKeyMessage() <- ssl2_HandleClientHelloMessage()
586 * ssl2_HandleClientHelloMessage() <- ssl_Do1stHandshake()
587 after ssl2_BeginServerHandshake()
588 * Acquires and releases the socket's xmitBufLock.
589 */
590 static SECStatus
ssl2_SendServerVerifyMessage(sslSocket * ss)591 ssl2_SendServerVerifyMessage(sslSocket *ss)
592 {
593 PRUint8 * msg;
594 int sendLen;
595 int sent;
596 SECStatus rv;
597
598 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
599
600 ssl_GetXmitBufLock(ss); /***************************************/
601
602 sendLen = 1 + SSL_CHALLENGE_BYTES;
603 rv = ssl2_GetSendBuffer(ss, sendLen);
604 if (rv != SECSuccess) {
605 goto done;
606 }
607
608 msg = ss->sec.ci.sendBuf.buf;
609 msg[0] = SSL_MT_SERVER_VERIFY;
610 PORT_Memcpy(msg+1, ss->sec.ci.clientChallenge, SSL_CHALLENGE_BYTES);
611
612 DUMP_MSG(29, (ss, msg, sendLen));
613 sent = (*ss->sec.send)(ss, msg, sendLen, 0);
614
615 rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
616
617 done:
618 ssl_ReleaseXmitBufLock(ss); /***************************************/
619 return rv;
620 }
621
622 /* Called from ssl2_TryToFinish().
623 * Acquires and releases the socket's xmitBufLock.
624 */
625 static SECStatus
ssl2_SendServerFinishedMessage(sslSocket * ss)626 ssl2_SendServerFinishedMessage(sslSocket *ss)
627 {
628 sslSessionID * sid;
629 PRUint8 * msg;
630 int sendLen, sent;
631 SECStatus rv = SECSuccess;
632
633 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
634
635 ssl_GetXmitBufLock(ss); /***************************************/
636
637 if (ss->sec.ci.sentFinished == 0) {
638 ss->sec.ci.sentFinished = 1;
639 PORT_Assert(ss->sec.ci.sid != 0);
640 sid = ss->sec.ci.sid;
641
642 SSL_TRC(3, ("%d: SSL[%d]: sending server-finished",
643 SSL_GETPID(), ss->fd));
644
645 sendLen = 1 + sizeof(sid->u.ssl2.sessionID);
646 rv = ssl2_GetSendBuffer(ss, sendLen);
647 if (rv != SECSuccess) {
648 goto done;
649 }
650
651 msg = ss->sec.ci.sendBuf.buf;
652 msg[0] = SSL_MT_SERVER_FINISHED;
653 PORT_Memcpy(msg+1, sid->u.ssl2.sessionID,
654 sizeof(sid->u.ssl2.sessionID));
655
656 DUMP_MSG(29, (ss, msg, sendLen));
657 sent = (*ss->sec.send)(ss, msg, sendLen, 0);
658
659 if (sent < 0) {
660 /* If send failed, it is now a bogus session-id */
661 (*ss->sec.uncache)(sid);
662 rv = (SECStatus)sent;
663 } else if (!ss->opt.noCache) {
664 /* Put the sid in session-id cache, (may already be there) */
665 (*ss->sec.cache)(sid);
666 rv = SECSuccess;
667 }
668 ssl_FreeSID(sid);
669 ss->sec.ci.sid = 0;
670 }
671 done:
672 ssl_ReleaseXmitBufLock(ss); /***************************************/
673 return rv;
674 }
675
676 /* Called from ssl2_ClientSetupSessionCypher() <-
677 * ssl2_HandleServerHelloMessage()
678 * after ssl2_BeginClientHandshake()
679 * Acquires and releases the socket's xmitBufLock.
680 */
681 static SECStatus
ssl2_SendSessionKeyMessage(sslSocket * ss,int cipher,int keySize,PRUint8 * ca,int caLen,PRUint8 * ck,int ckLen,PRUint8 * ek,int ekLen)682 ssl2_SendSessionKeyMessage(sslSocket *ss, int cipher, int keySize,
683 PRUint8 *ca, int caLen,
684 PRUint8 *ck, int ckLen,
685 PRUint8 *ek, int ekLen)
686 {
687 PRUint8 * msg;
688 int sendLen;
689 int sent;
690 SECStatus rv;
691
692 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
693
694 ssl_GetXmitBufLock(ss); /***************************************/
695
696 sendLen = SSL_HL_CLIENT_MASTER_KEY_HBYTES + ckLen + ekLen + caLen;
697 rv = ssl2_GetSendBuffer(ss, sendLen);
698 if (rv != SECSuccess)
699 goto done;
700
701 SSL_TRC(3, ("%d: SSL[%d]: sending client-session-key",
702 SSL_GETPID(), ss->fd));
703
704 msg = ss->sec.ci.sendBuf.buf;
705 msg[0] = SSL_MT_CLIENT_MASTER_KEY;
706 msg[1] = cipher;
707 msg[2] = MSB(keySize);
708 msg[3] = LSB(keySize);
709 msg[4] = MSB(ckLen);
710 msg[5] = LSB(ckLen);
711 msg[6] = MSB(ekLen);
712 msg[7] = LSB(ekLen);
713 msg[8] = MSB(caLen);
714 msg[9] = LSB(caLen);
715 PORT_Memcpy(msg+SSL_HL_CLIENT_MASTER_KEY_HBYTES, ck, ckLen);
716 PORT_Memcpy(msg+SSL_HL_CLIENT_MASTER_KEY_HBYTES+ckLen, ek, ekLen);
717 PORT_Memcpy(msg+SSL_HL_CLIENT_MASTER_KEY_HBYTES+ckLen+ekLen, ca, caLen);
718
719 DUMP_MSG(29, (ss, msg, sendLen));
720 sent = (*ss->sec.send)(ss, msg, sendLen, 0);
721 rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
722 done:
723 ssl_ReleaseXmitBufLock(ss); /***************************************/
724 return rv;
725 }
726
727 /* Called from ssl2_TriggerNextMessage() <- ssl2_HandleMessage()
728 * Acquires and releases the socket's xmitBufLock.
729 */
730 static SECStatus
ssl2_SendCertificateRequestMessage(sslSocket * ss)731 ssl2_SendCertificateRequestMessage(sslSocket *ss)
732 {
733 PRUint8 * msg;
734 int sent;
735 int sendLen;
736 SECStatus rv;
737
738 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
739
740 ssl_GetXmitBufLock(ss); /***************************************/
741
742 sendLen = SSL_HL_REQUEST_CERTIFICATE_HBYTES + SSL_CHALLENGE_BYTES;
743 rv = ssl2_GetSendBuffer(ss, sendLen);
744 if (rv != SECSuccess)
745 goto done;
746
747 SSL_TRC(3, ("%d: SSL[%d]: sending certificate request",
748 SSL_GETPID(), ss->fd));
749
750 /* Generate random challenge for client to encrypt */
751 PK11_GenerateRandom(ss->sec.ci.serverChallenge, SSL_CHALLENGE_BYTES);
752
753 msg = ss->sec.ci.sendBuf.buf;
754 msg[0] = SSL_MT_REQUEST_CERTIFICATE;
755 msg[1] = SSL_AT_MD5_WITH_RSA_ENCRYPTION;
756 PORT_Memcpy(msg + SSL_HL_REQUEST_CERTIFICATE_HBYTES,
757 ss->sec.ci.serverChallenge, SSL_CHALLENGE_BYTES);
758
759 DUMP_MSG(29, (ss, msg, sendLen));
760 sent = (*ss->sec.send)(ss, msg, sendLen, 0);
761 rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
762 done:
763 ssl_ReleaseXmitBufLock(ss); /***************************************/
764 return rv;
765 }
766
767 /* Called from ssl2_HandleRequestCertificate() <- ssl2_HandleMessage()
768 * ssl2_RestartHandshakeAfterCertReq() <- (application)
769 * Acquires and releases the socket's xmitBufLock.
770 */
771 static int
ssl2_SendCertificateResponseMessage(sslSocket * ss,SECItem * cert,SECItem * encCode)772 ssl2_SendCertificateResponseMessage(sslSocket *ss, SECItem *cert,
773 SECItem *encCode)
774 {
775 PRUint8 *msg;
776 int rv, sendLen;
777
778 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
779
780 ssl_GetXmitBufLock(ss); /***************************************/
781
782 sendLen = SSL_HL_CLIENT_CERTIFICATE_HBYTES + encCode->len + cert->len;
783 rv = ssl2_GetSendBuffer(ss, sendLen);
784 if (rv)
785 goto done;
786
787 SSL_TRC(3, ("%d: SSL[%d]: sending certificate response",
788 SSL_GETPID(), ss->fd));
789
790 msg = ss->sec.ci.sendBuf.buf;
791 msg[0] = SSL_MT_CLIENT_CERTIFICATE;
792 msg[1] = SSL_CT_X509_CERTIFICATE;
793 msg[2] = MSB(cert->len);
794 msg[3] = LSB(cert->len);
795 msg[4] = MSB(encCode->len);
796 msg[5] = LSB(encCode->len);
797 PORT_Memcpy(msg + SSL_HL_CLIENT_CERTIFICATE_HBYTES, cert->data, cert->len);
798 PORT_Memcpy(msg + SSL_HL_CLIENT_CERTIFICATE_HBYTES + cert->len,
799 encCode->data, encCode->len);
800
801 DUMP_MSG(29, (ss, msg, sendLen));
802 rv = (*ss->sec.send)(ss, msg, sendLen, 0);
803 if (rv >= 0) {
804 rv = SECSuccess;
805 }
806 done:
807 ssl_ReleaseXmitBufLock(ss); /***************************************/
808 return rv;
809 }
810
811 /********************************************************************
812 ** Send functions above this line must aquire & release the socket's
813 ** xmitBufLock.
814 ** All the ssl2_Send functions below this line are called vis ss->sec.send
815 ** and require that the caller hold the xmitBufLock.
816 */
817
818 /*
819 ** Called from ssl2_SendStream, ssl2_SendBlock, but not from ssl2_SendClear.
820 */
821 static SECStatus
ssl2_CalcMAC(PRUint8 * result,sslSecurityInfo * sec,const PRUint8 * data,unsigned int dataLen,unsigned int paddingLen)822 ssl2_CalcMAC(PRUint8 * result,
823 sslSecurityInfo * sec,
824 const PRUint8 * data,
825 unsigned int dataLen,
826 unsigned int paddingLen)
827 {
828 const PRUint8 * secret = sec->sendSecret.data;
829 unsigned int secretLen = sec->sendSecret.len;
830 unsigned long sequenceNumber = sec->sendSequence;
831 unsigned int nout;
832 PRUint8 seq[4];
833 PRUint8 padding[32];/* XXX max blocksize? */
834
835 if (!sec->hash || !sec->hash->length)
836 return SECSuccess;
837 if (!sec->hashcx)
838 return SECFailure;
839
840 /* Reset hash function */
841 (*sec->hash->begin)(sec->hashcx);
842
843 /* Feed hash the data */
844 (*sec->hash->update)(sec->hashcx, secret, secretLen);
845 (*sec->hash->update)(sec->hashcx, data, dataLen);
846 PORT_Memset(padding, paddingLen, paddingLen);
847 (*sec->hash->update)(sec->hashcx, padding, paddingLen);
848
849 seq[0] = (PRUint8) (sequenceNumber >> 24);
850 seq[1] = (PRUint8) (sequenceNumber >> 16);
851 seq[2] = (PRUint8) (sequenceNumber >> 8);
852 seq[3] = (PRUint8) (sequenceNumber);
853
854 PRINT_BUF(60, (0, "calc-mac secret:", secret, secretLen));
855 PRINT_BUF(60, (0, "calc-mac data:", data, dataLen));
856 PRINT_BUF(60, (0, "calc-mac padding:", padding, paddingLen));
857 PRINT_BUF(60, (0, "calc-mac seq:", seq, 4));
858
859 (*sec->hash->update)(sec->hashcx, seq, 4);
860
861 /* Get result */
862 (*sec->hash->end)(sec->hashcx, result, &nout, sec->hash->length);
863
864 return SECSuccess;
865 }
866
867 /*
868 ** Maximum transmission amounts. These are tiny bit smaller than they
869 ** need to be (they account for the MAC length plus some padding),
870 ** assuming the MAC is 16 bytes long and the padding is a max of 7 bytes
871 ** long. This gives an additional 9 bytes of slop to work within.
872 */
873 #define MAX_STREAM_CYPHER_LEN 0x7fe0
874 #define MAX_BLOCK_CYPHER_LEN 0x3fe0
875
876 /*
877 ** Send some data in the clear.
878 ** Package up data with the length header and send it.
879 **
880 ** Return count of bytes successfully written, or negative number (failure).
881 */
882 static PRInt32
ssl2_SendClear(sslSocket * ss,const PRUint8 * in,PRInt32 len,PRInt32 flags)883 ssl2_SendClear(sslSocket *ss, const PRUint8 *in, PRInt32 len, PRInt32 flags)
884 {
885 PRUint8 * out;
886 int rv;
887 int amount;
888 int count = 0;
889
890 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
891
892 SSL_TRC(10, ("%d: SSL[%d]: sending %d bytes in the clear",
893 SSL_GETPID(), ss->fd, len));
894 PRINT_BUF(50, (ss, "clear data:", (PRUint8*) in, len));
895
896 while (len) {
897 amount = PR_MIN( len, MAX_STREAM_CYPHER_LEN );
898 if (amount + 2 > ss->sec.writeBuf.space) {
899 rv = sslBuffer_Grow(&ss->sec.writeBuf, amount + 2);
900 if (rv != SECSuccess) {
901 count = rv;
902 break;
903 }
904 }
905 out = ss->sec.writeBuf.buf;
906
907 /*
908 ** Construct message.
909 */
910 out[0] = 0x80 | MSB(amount);
911 out[1] = LSB(amount);
912 PORT_Memcpy(&out[2], in, amount);
913
914 /* Now send the data */
915 rv = ssl_DefSend(ss, out, amount + 2, flags & ~ssl_SEND_FLAG_MASK);
916 if (rv < 0) {
917 if (PORT_GetError() == PR_WOULD_BLOCK_ERROR) {
918 rv = 0;
919 } else {
920 /* Return short write if some data already went out... */
921 if (count == 0)
922 count = rv;
923 break;
924 }
925 }
926
927 if ((unsigned)rv < (amount + 2)) {
928 /* Short write. Save the data and return. */
929 if (ssl_SaveWriteData(ss, out + rv, amount + 2 - rv)
930 == SECFailure) {
931 count = SECFailure;
932 } else {
933 count += amount;
934 ss->sec.sendSequence++;
935 }
936 break;
937 }
938
939 ss->sec.sendSequence++;
940 in += amount;
941 count += amount;
942 len -= amount;
943 }
944
945 return count;
946 }
947
948 /*
949 ** Send some data, when using a stream cipher. Stream ciphers have a
950 ** block size of 1. Package up the data with the length header
951 ** and send it.
952 */
953 static PRInt32
ssl2_SendStream(sslSocket * ss,const PRUint8 * in,PRInt32 len,PRInt32 flags)954 ssl2_SendStream(sslSocket *ss, const PRUint8 *in, PRInt32 len, PRInt32 flags)
955 {
956 PRUint8 * out;
957 int rv;
958 int count = 0;
959
960 int amount;
961 PRUint8 macLen;
962 int nout;
963 int buflen;
964
965 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
966
967 SSL_TRC(10, ("%d: SSL[%d]: sending %d bytes using stream cipher",
968 SSL_GETPID(), ss->fd, len));
969 PRINT_BUF(50, (ss, "clear data:", (PRUint8*) in, len));
970
971 while (len) {
972 ssl_GetSpecReadLock(ss); /*************************************/
973
974 macLen = ss->sec.hash->length;
975 amount = PR_MIN( len, MAX_STREAM_CYPHER_LEN );
976 buflen = amount + 2 + macLen;
977 if (buflen > ss->sec.writeBuf.space) {
978 rv = sslBuffer_Grow(&ss->sec.writeBuf, buflen);
979 if (rv != SECSuccess) {
980 goto loser;
981 }
982 }
983 out = ss->sec.writeBuf.buf;
984 nout = amount + macLen;
985 out[0] = 0x80 | MSB(nout);
986 out[1] = LSB(nout);
987
988 /* Calculate MAC */
989 rv = ssl2_CalcMAC(out+2, /* put MAC here */
990 &ss->sec,
991 in, amount, /* input addr & length */
992 0); /* no padding */
993 if (rv != SECSuccess)
994 goto loser;
995
996 /* Encrypt MAC */
997 rv = (*ss->sec.enc)(ss->sec.writecx, out+2, &nout, macLen, out+2, macLen);
998 if (rv) goto loser;
999
1000 /* Encrypt data from caller */
1001 rv = (*ss->sec.enc)(ss->sec.writecx, out+2+macLen, &nout, amount, in, amount);
1002 if (rv) goto loser;
1003
1004 ssl_ReleaseSpecReadLock(ss); /*************************************/
1005
1006 PRINT_BUF(50, (ss, "encrypted data:", out, buflen));
1007
1008 rv = ssl_DefSend(ss, out, buflen, flags & ~ssl_SEND_FLAG_MASK);
1009 if (rv < 0) {
1010 if (PORT_GetError() == PR_WOULD_BLOCK_ERROR) {
1011 SSL_TRC(50, ("%d: SSL[%d]: send stream would block, "
1012 "saving data", SSL_GETPID(), ss->fd));
1013 rv = 0;
1014 } else {
1015 SSL_TRC(10, ("%d: SSL[%d]: send stream error %d",
1016 SSL_GETPID(), ss->fd, PORT_GetError()));
1017 /* Return short write if some data already went out... */
1018 if (count == 0)
1019 count = rv;
1020 goto done;
1021 }
1022 }
1023
1024 if ((unsigned)rv < buflen) {
1025 /* Short write. Save the data and return. */
1026 if (ssl_SaveWriteData(ss, out + rv, buflen - rv) == SECFailure) {
1027 count = SECFailure;
1028 } else {
1029 count += amount;
1030 ss->sec.sendSequence++;
1031 }
1032 goto done;
1033 }
1034
1035 ss->sec.sendSequence++;
1036 in += amount;
1037 count += amount;
1038 len -= amount;
1039 }
1040
1041 done:
1042 return count;
1043
1044 loser:
1045 ssl_ReleaseSpecReadLock(ss);
1046 return SECFailure;
1047 }
1048
1049 /*
1050 ** Send some data, when using a block cipher. Package up the data with
1051 ** the length header and send it.
1052 */
1053 /* XXX assumes blocksize is > 7 */
1054 static PRInt32
ssl2_SendBlock(sslSocket * ss,const PRUint8 * in,PRInt32 len,PRInt32 flags)1055 ssl2_SendBlock(sslSocket *ss, const PRUint8 *in, PRInt32 len, PRInt32 flags)
1056 {
1057 PRUint8 * out; /* begining of output buffer. */
1058 PRUint8 * op; /* next output byte goes here. */
1059 int rv; /* value from funcs we called. */
1060 int count = 0; /* this function's return value. */
1061
1062 unsigned int hlen; /* output record hdr len, 2 or 3 */
1063 unsigned int macLen; /* MAC is this many bytes long. */
1064 int amount; /* of plaintext to go in record. */
1065 unsigned int padding; /* add this many padding byte. */
1066 int nout; /* ciphertext size after header. */
1067 int buflen; /* size of generated record. */
1068
1069 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
1070
1071 SSL_TRC(10, ("%d: SSL[%d]: sending %d bytes using block cipher",
1072 SSL_GETPID(), ss->fd, len));
1073 PRINT_BUF(50, (ss, "clear data:", in, len));
1074
1075 while (len) {
1076 ssl_GetSpecReadLock(ss); /*************************************/
1077
1078 macLen = ss->sec.hash->length;
1079 /* Figure out how much to send, including mac and padding */
1080 amount = PR_MIN( len, MAX_BLOCK_CYPHER_LEN );
1081 nout = amount + macLen;
1082 padding = nout & (ss->sec.blockSize - 1);
1083 if (padding) {
1084 hlen = 3;
1085 padding = ss->sec.blockSize - padding;
1086 nout += padding;
1087 } else {
1088 hlen = 2;
1089 }
1090 buflen = hlen + nout;
1091 if (buflen > ss->sec.writeBuf.space) {
1092 rv = sslBuffer_Grow(&ss->sec.writeBuf, buflen);
1093 if (rv != SECSuccess) {
1094 goto loser;
1095 }
1096 }
1097 out = ss->sec.writeBuf.buf;
1098
1099 /* Construct header */
1100 op = out;
1101 if (padding) {
1102 *op++ = MSB(nout);
1103 *op++ = LSB(nout);
1104 *op++ = padding;
1105 } else {
1106 *op++ = 0x80 | MSB(nout);
1107 *op++ = LSB(nout);
1108 }
1109
1110 /* Calculate MAC */
1111 rv = ssl2_CalcMAC(op, /* MAC goes here. */
1112 &ss->sec,
1113 in, amount, /* intput addr, len */
1114 padding);
1115 if (rv != SECSuccess)
1116 goto loser;
1117 op += macLen;
1118
1119 /* Copy in the input data */
1120 /* XXX could eliminate the copy by folding it into the encryption */
1121 PORT_Memcpy(op, in, amount);
1122 op += amount;
1123 if (padding) {
1124 PORT_Memset(op, padding, padding);
1125 op += padding;
1126 }
1127
1128 /* Encrypt result */
1129 rv = (*ss->sec.enc)(ss->sec.writecx, out+hlen, &nout, buflen-hlen,
1130 out+hlen, op - (out + hlen));
1131 if (rv)
1132 goto loser;
1133
1134 ssl_ReleaseSpecReadLock(ss); /*************************************/
1135
1136 PRINT_BUF(50, (ss, "final xmit data:", out, op - out));
1137
1138 rv = ssl_DefSend(ss, out, op - out, flags & ~ssl_SEND_FLAG_MASK);
1139 if (rv < 0) {
1140 if (PORT_GetError() == PR_WOULD_BLOCK_ERROR) {
1141 rv = 0;
1142 } else {
1143 SSL_TRC(10, ("%d: SSL[%d]: send block error %d",
1144 SSL_GETPID(), ss->fd, PORT_GetError()));
1145 /* Return short write if some data already went out... */
1146 if (count == 0)
1147 count = rv;
1148 goto done;
1149 }
1150 }
1151
1152 if (rv < (op - out)) {
1153 /* Short write. Save the data and return. */
1154 if (ssl_SaveWriteData(ss, out + rv, op - out - rv) == SECFailure) {
1155 count = SECFailure;
1156 } else {
1157 count += amount;
1158 ss->sec.sendSequence++;
1159 }
1160 goto done;
1161 }
1162
1163 ss->sec.sendSequence++;
1164 in += amount;
1165 count += amount;
1166 len -= amount;
1167 }
1168
1169 done:
1170 return count;
1171
1172 loser:
1173 ssl_ReleaseSpecReadLock(ss);
1174 return SECFailure;
1175 }
1176
1177 /*
1178 ** Called from: ssl2_HandleServerHelloMessage,
1179 ** ssl2_HandleClientSessionKeyMessage,
1180 ** ssl2_RestartHandshakeAfterServerCert,
1181 ** ssl2_HandleClientHelloMessage,
1182 **
1183 */
1184 static void
ssl2_UseEncryptedSendFunc(sslSocket * ss)1185 ssl2_UseEncryptedSendFunc(sslSocket *ss)
1186 {
1187 ssl_GetXmitBufLock(ss);
1188 PORT_Assert(ss->sec.hashcx != 0);
1189
1190 ss->gs.encrypted = 1;
1191 ss->sec.send = (ss->sec.blockSize > 1) ? ssl2_SendBlock : ssl2_SendStream;
1192 ssl_ReleaseXmitBufLock(ss);
1193 }
1194
1195 /* Called while initializing socket in ssl_CreateSecurityInfo().
1196 ** This function allows us to keep the name of ssl2_SendClear static.
1197 */
1198 void
ssl2_UseClearSendFunc(sslSocket * ss)1199 ssl2_UseClearSendFunc(sslSocket *ss)
1200 {
1201 ss->sec.send = ssl2_SendClear;
1202 }
1203
1204 /************************************************************************
1205 ** END of Send functions. *
1206 *************************************************************************/
1207
1208 /***********************************************************************
1209 * For SSL3, this gathers in and handles records/messages until either
1210 * the handshake is complete or application data is available.
1211 *
1212 * For SSL2, this gathers in only the next SSLV2 record.
1213 *
1214 * Called from ssl_Do1stHandshake() via function pointer ss->handshake.
1215 * Caller must hold handshake lock.
1216 * This function acquires and releases the RecvBufLock.
1217 *
1218 * returns SECSuccess for success.
1219 * returns SECWouldBlock when that value is returned by ssl2_GatherRecord() or
1220 * ssl3_GatherCompleteHandshake().
1221 * returns SECFailure on all other errors.
1222 *
1223 * The gather functions called by ssl_GatherRecord1stHandshake are expected
1224 * to return values interpreted as follows:
1225 * 1 : the function completed without error.
1226 * 0 : the function read EOF.
1227 * -1 : read error, or PR_WOULD_BLOCK_ERROR, or handleRecord error.
1228 * -2 : the function wants ssl_GatherRecord1stHandshake to be called again
1229 * immediately, by ssl_Do1stHandshake.
1230 *
1231 * This code is similar to, and easily confused with, DoRecv() in sslsecur.c
1232 *
1233 * This function is called from ssl_Do1stHandshake().
1234 * The following functions put ssl_GatherRecord1stHandshake into ss->handshake:
1235 * ssl2_HandleMessage
1236 * ssl2_HandleVerifyMessage
1237 * ssl2_HandleServerHelloMessage
1238 * ssl2_BeginClientHandshake
1239 * ssl2_HandleClientSessionKeyMessage
1240 * ssl2_RestartHandshakeAfterCertReq
1241 * ssl3_RestartHandshakeAfterCertReq
1242 * ssl2_RestartHandshakeAfterServerCert
1243 * ssl3_RestartHandshakeAfterServerCert
1244 * ssl2_HandleClientHelloMessage
1245 * ssl2_BeginServerHandshake
1246 */
1247 SECStatus
ssl_GatherRecord1stHandshake(sslSocket * ss)1248 ssl_GatherRecord1stHandshake(sslSocket *ss)
1249 {
1250 int rv;
1251
1252 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
1253
1254 ssl_GetRecvBufLock(ss);
1255
1256 if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
1257 /* Wait for handshake to complete, or application data to arrive. */
1258 rv = ssl3_GatherCompleteHandshake(ss, 0);
1259 } else {
1260 /* See if we have a complete record */
1261 rv = ssl2_GatherRecord(ss, 0);
1262 }
1263 SSL_TRC(10, ("%d: SSL[%d]: handshake gathering, rv=%d",
1264 SSL_GETPID(), ss->fd, rv));
1265
1266 ssl_ReleaseRecvBufLock(ss);
1267
1268 if (rv <= 0) {
1269 if (rv == SECWouldBlock) {
1270 /* Progress is blocked waiting for callback completion. */
1271 SSL_TRC(10, ("%d: SSL[%d]: handshake blocked (need %d)",
1272 SSL_GETPID(), ss->fd, ss->gs.remainder));
1273 return SECWouldBlock;
1274 }
1275 if (rv == 0) {
1276 /* EOF. Loser */
1277 PORT_SetError(PR_END_OF_FILE_ERROR);
1278 }
1279 return SECFailure; /* rv is < 0 here. */
1280 }
1281
1282 SSL_TRC(10, ("%d: SSL[%d]: got handshake record of %d bytes",
1283 SSL_GETPID(), ss->fd, ss->gs.recordLen));
1284
1285 ss->handshake = 0; /* makes ssl_Do1stHandshake call ss->nextHandshake.*/
1286 return SECSuccess;
1287 }
1288
1289 /************************************************************************/
1290
1291 /* Called from ssl2_ServerSetupSessionCypher()
1292 * ssl2_ClientSetupSessionCypher()
1293 */
1294 static SECStatus
ssl2_FillInSID(sslSessionID * sid,int cipher,PRUint8 * keyData,int keyLen,PRUint8 * ca,int caLen,int keyBits,int secretKeyBits,SSLSignType authAlgorithm,PRUint32 authKeyBits,SSLKEAType keaType,PRUint32 keaKeyBits)1295 ssl2_FillInSID(sslSessionID * sid,
1296 int cipher,
1297 PRUint8 *keyData,
1298 int keyLen,
1299 PRUint8 *ca,
1300 int caLen,
1301 int keyBits,
1302 int secretKeyBits,
1303 SSLSignType authAlgorithm,
1304 PRUint32 authKeyBits,
1305 SSLKEAType keaType,
1306 PRUint32 keaKeyBits)
1307 {
1308 PORT_Assert(sid->references == 1);
1309 PORT_Assert(sid->cached == never_cached);
1310 PORT_Assert(sid->u.ssl2.masterKey.data == 0);
1311 PORT_Assert(sid->u.ssl2.cipherArg.data == 0);
1312
1313 sid->version = SSL_LIBRARY_VERSION_2;
1314
1315 sid->u.ssl2.cipherType = cipher;
1316 sid->u.ssl2.masterKey.data = (PRUint8*) PORT_Alloc(keyLen);
1317 if (!sid->u.ssl2.masterKey.data) {
1318 return SECFailure;
1319 }
1320 PORT_Memcpy(sid->u.ssl2.masterKey.data, keyData, keyLen);
1321 sid->u.ssl2.masterKey.len = keyLen;
1322 sid->u.ssl2.keyBits = keyBits;
1323 sid->u.ssl2.secretKeyBits = secretKeyBits;
1324 sid->authAlgorithm = authAlgorithm;
1325 sid->authKeyBits = authKeyBits;
1326 sid->keaType = keaType;
1327 sid->keaKeyBits = keaKeyBits;
1328 sid->lastAccessTime = sid->creationTime = ssl_Time();
1329 sid->expirationTime = sid->creationTime + ssl_sid_timeout;
1330
1331 if (caLen) {
1332 sid->u.ssl2.cipherArg.data = (PRUint8*) PORT_Alloc(caLen);
1333 if (!sid->u.ssl2.cipherArg.data) {
1334 return SECFailure;
1335 }
1336 sid->u.ssl2.cipherArg.len = caLen;
1337 PORT_Memcpy(sid->u.ssl2.cipherArg.data, ca, caLen);
1338 }
1339 return SECSuccess;
1340 }
1341
1342 /*
1343 ** Construct session keys given the masterKey (tied to the session-id),
1344 ** the client's challenge and the server's nonce.
1345 **
1346 ** Called from ssl2_CreateSessionCypher() <-
1347 */
1348 static SECStatus
ssl2_ProduceKeys(sslSocket * ss,SECItem * readKey,SECItem * writeKey,SECItem * masterKey,PRUint8 * challenge,PRUint8 * nonce,int cipherType)1349 ssl2_ProduceKeys(sslSocket * ss,
1350 SECItem * readKey,
1351 SECItem * writeKey,
1352 SECItem * masterKey,
1353 PRUint8 * challenge,
1354 PRUint8 * nonce,
1355 int cipherType)
1356 {
1357 PK11Context * cx = 0;
1358 unsigned nkm = 0; /* number of hashes to generate key mat. */
1359 unsigned nkd = 0; /* size of readKey and writeKey. */
1360 unsigned part;
1361 unsigned i;
1362 unsigned off;
1363 SECStatus rv;
1364 PRUint8 countChar;
1365 PRUint8 km[3*16]; /* buffer for key material. */
1366
1367 readKey->data = 0;
1368 writeKey->data = 0;
1369
1370 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
1371
1372 rv = SECSuccess;
1373 cx = PK11_CreateDigestContext(SEC_OID_MD5);
1374 if (cx == NULL) {
1375 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
1376 return SECFailure;
1377 }
1378
1379 nkm = ssl_Specs[cipherType].nkm;
1380 nkd = ssl_Specs[cipherType].nkd;
1381
1382 readKey->data = (PRUint8*) PORT_Alloc(nkd);
1383 if (!readKey->data)
1384 goto loser;
1385 readKey->len = nkd;
1386
1387 writeKey->data = (PRUint8*) PORT_Alloc(nkd);
1388 if (!writeKey->data)
1389 goto loser;
1390 writeKey->len = nkd;
1391
1392 /* Produce key material */
1393 countChar = '0';
1394 for (i = 0, off = 0; i < nkm; i++, off += 16) {
1395 rv = PK11_DigestBegin(cx);
1396 rv |= PK11_DigestOp(cx, masterKey->data, masterKey->len);
1397 rv |= PK11_DigestOp(cx, &countChar, 1);
1398 rv |= PK11_DigestOp(cx, challenge, SSL_CHALLENGE_BYTES);
1399 rv |= PK11_DigestOp(cx, nonce, SSL_CONNECTIONID_BYTES);
1400 rv |= PK11_DigestFinal(cx, km+off, &part, MD5_LENGTH);
1401 if (rv != SECSuccess) {
1402 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
1403 rv = SECFailure;
1404 goto loser;
1405 }
1406 countChar++;
1407 }
1408
1409 /* Produce keys */
1410 PORT_Memcpy(readKey->data, km, nkd);
1411 PORT_Memcpy(writeKey->data, km + nkd, nkd);
1412
1413 loser:
1414 PK11_DestroyContext(cx, PR_TRUE);
1415 return rv;
1416 }
1417
1418 /* Called from ssl2_ServerSetupSessionCypher()
1419 ** <- ssl2_HandleClientSessionKeyMessage()
1420 ** <- ssl2_HandleClientHelloMessage()
1421 ** and from ssl2_ClientSetupSessionCypher()
1422 ** <- ssl2_HandleServerHelloMessage()
1423 */
1424 static SECStatus
ssl2_CreateSessionCypher(sslSocket * ss,sslSessionID * sid,PRBool isClient)1425 ssl2_CreateSessionCypher(sslSocket *ss, sslSessionID *sid, PRBool isClient)
1426 {
1427 SECItem * rk = NULL;
1428 SECItem * wk = NULL;
1429 SECItem * param;
1430 SECStatus rv;
1431 int cipherType = sid->u.ssl2.cipherType;
1432 PK11SlotInfo * slot = NULL;
1433 CK_MECHANISM_TYPE mechanism;
1434 SECItem readKey;
1435 SECItem writeKey;
1436
1437 void *readcx = 0;
1438 void *writecx = 0;
1439 readKey.data = 0;
1440 writeKey.data = 0;
1441
1442 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
1443 if((ss->sec.ci.sid == 0))
1444 goto sec_loser; /* don't crash if asserts are off */
1445
1446 /* Trying to cut down on all these switch statements that should be tables.
1447 * So, test cipherType once, here, and then use tables below.
1448 */
1449 switch (cipherType) {
1450 case SSL_CK_RC4_128_EXPORT40_WITH_MD5:
1451 case SSL_CK_RC4_128_WITH_MD5:
1452 case SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5:
1453 case SSL_CK_RC2_128_CBC_WITH_MD5:
1454 case SSL_CK_DES_64_CBC_WITH_MD5:
1455 case SSL_CK_DES_192_EDE3_CBC_WITH_MD5:
1456 break;
1457
1458 default:
1459 SSL_DBG(("%d: SSL[%d]: ssl2_CreateSessionCypher: unknown cipher=%d",
1460 SSL_GETPID(), ss->fd, cipherType));
1461 PORT_SetError(isClient ? SSL_ERROR_BAD_SERVER : SSL_ERROR_BAD_CLIENT);
1462 goto sec_loser;
1463 }
1464
1465 rk = isClient ? &readKey : &writeKey;
1466 wk = isClient ? &writeKey : &readKey;
1467
1468 /* Produce the keys for this session */
1469 rv = ssl2_ProduceKeys(ss, &readKey, &writeKey, &sid->u.ssl2.masterKey,
1470 ss->sec.ci.clientChallenge, ss->sec.ci.connectionID,
1471 cipherType);
1472 if (rv != SECSuccess)
1473 goto loser;
1474 PRINT_BUF(7, (ss, "Session read-key: ", rk->data, rk->len));
1475 PRINT_BUF(7, (ss, "Session write-key: ", wk->data, wk->len));
1476
1477 PORT_Memcpy(ss->sec.ci.readKey, readKey.data, readKey.len);
1478 PORT_Memcpy(ss->sec.ci.writeKey, writeKey.data, writeKey.len);
1479 ss->sec.ci.keySize = readKey.len;
1480
1481 /* Setup the MAC */
1482 rv = ssl2_CreateMAC(&ss->sec, rk, wk, cipherType);
1483 if (rv != SECSuccess)
1484 goto loser;
1485
1486 /* First create the session key object */
1487 SSL_TRC(3, ("%d: SSL[%d]: using %s", SSL_GETPID(), ss->fd,
1488 ssl_cipherName[cipherType]));
1489
1490
1491 mechanism = ssl_Specs[cipherType].mechanism;
1492
1493 /* set destructer before we call loser... */
1494 ss->sec.destroy = (void (*)(void*, PRBool)) PK11_DestroyContext;
1495 slot = PK11_GetBestSlot(mechanism, ss->pkcs11PinArg);
1496 if (slot == NULL)
1497 goto loser;
1498
1499 param = PK11_ParamFromIV(mechanism, &sid->u.ssl2.cipherArg);
1500 if (param == NULL)
1501 goto loser;
1502 readcx = PK11_CreateContextByRawKey(slot, mechanism, PK11_OriginUnwrap,
1503 CKA_DECRYPT, rk, param,
1504 ss->pkcs11PinArg);
1505 SECITEM_FreeItem(param, PR_TRUE);
1506 if (readcx == NULL)
1507 goto loser;
1508
1509 /* build the client context */
1510 param = PK11_ParamFromIV(mechanism, &sid->u.ssl2.cipherArg);
1511 if (param == NULL)
1512 goto loser;
1513 writecx = PK11_CreateContextByRawKey(slot, mechanism, PK11_OriginUnwrap,
1514 CKA_ENCRYPT, wk, param,
1515 ss->pkcs11PinArg);
1516 SECITEM_FreeItem(param,PR_TRUE);
1517 if (writecx == NULL)
1518 goto loser;
1519 PK11_FreeSlot(slot);
1520
1521 rv = SECSuccess;
1522 ss->sec.enc = (SSLCipher) PK11_CipherOp;
1523 ss->sec.dec = (SSLCipher) PK11_CipherOp;
1524 ss->sec.readcx = (void *) readcx;
1525 ss->sec.writecx = (void *) writecx;
1526 ss->sec.blockSize = ssl_Specs[cipherType].blockSize;
1527 ss->sec.blockShift = ssl_Specs[cipherType].blockShift;
1528 ss->sec.cipherType = sid->u.ssl2.cipherType;
1529 ss->sec.keyBits = sid->u.ssl2.keyBits;
1530 ss->sec.secretKeyBits = sid->u.ssl2.secretKeyBits;
1531 goto done;
1532
1533 loser:
1534 if (ss->sec.destroy) {
1535 if (readcx) (*ss->sec.destroy)(readcx, PR_TRUE);
1536 if (writecx) (*ss->sec.destroy)(writecx, PR_TRUE);
1537 }
1538 ss->sec.destroy = NULL;
1539 if (slot) PK11_FreeSlot(slot);
1540
1541 sec_loser:
1542 rv = SECFailure;
1543
1544 done:
1545 if (rk) {
1546 SECITEM_ZfreeItem(rk, PR_FALSE);
1547 }
1548 if (wk) {
1549 SECITEM_ZfreeItem(wk, PR_FALSE);
1550 }
1551 return rv;
1552 }
1553
1554 /*
1555 ** Setup the server ciphers given information from a CLIENT-MASTER-KEY
1556 ** message.
1557 ** "ss" pointer to the ssl-socket object
1558 ** "cipher" the cipher type to use
1559 ** "keyBits" the size of the final cipher key
1560 ** "ck" the clear-key data
1561 ** "ckLen" the number of bytes of clear-key data
1562 ** "ek" the encrypted-key data
1563 ** "ekLen" the number of bytes of encrypted-key data
1564 ** "ca" the cipher-arg data
1565 ** "caLen" the number of bytes of cipher-arg data
1566 **
1567 ** The MASTER-KEY is constructed by first decrypting the encrypted-key
1568 ** data. This produces the SECRET-KEY-DATA. The MASTER-KEY is composed by
1569 ** concatenating the clear-key data with the SECRET-KEY-DATA. This code
1570 ** checks to make sure that the client didn't send us an improper amount
1571 ** of SECRET-KEY-DATA (it restricts the length of that data to match the
1572 ** spec).
1573 **
1574 ** Called from ssl2_HandleClientSessionKeyMessage().
1575 */
1576 static SECStatus
ssl2_ServerSetupSessionCypher(sslSocket * ss,int cipher,unsigned int keyBits,PRUint8 * ck,unsigned int ckLen,PRUint8 * ek,unsigned int ekLen,PRUint8 * ca,unsigned int caLen)1577 ssl2_ServerSetupSessionCypher(sslSocket *ss, int cipher, unsigned int keyBits,
1578 PRUint8 *ck, unsigned int ckLen,
1579 PRUint8 *ek, unsigned int ekLen,
1580 PRUint8 *ca, unsigned int caLen)
1581 {
1582 PRUint8 * dk = NULL; /* decrypted master key */
1583 sslSessionID * sid;
1584 sslServerCerts * sc = ss->serverCerts + kt_rsa;
1585 PRUint8 * kbuf = 0; /* buffer for RSA decrypted data. */
1586 unsigned int ddLen; /* length of RSA decrypted data in kbuf */
1587 unsigned int keySize;
1588 unsigned int dkLen; /* decrypted key length in bytes */
1589 int modulusLen;
1590 SECStatus rv;
1591 PRUint16 allowed; /* cipher kinds enabled and allowed by policy */
1592 PRUint8 mkbuf[SSL_MAX_MASTER_KEY_BYTES];
1593
1594 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
1595 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
1596 PORT_Assert((sc->SERVERKEY != 0));
1597 PORT_Assert((ss->sec.ci.sid != 0));
1598 sid = ss->sec.ci.sid;
1599
1600 /* Trying to cut down on all these switch statements that should be tables.
1601 * So, test cipherType once, here, and then use tables below.
1602 */
1603 switch (cipher) {
1604 case SSL_CK_RC4_128_EXPORT40_WITH_MD5:
1605 case SSL_CK_RC4_128_WITH_MD5:
1606 case SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5:
1607 case SSL_CK_RC2_128_CBC_WITH_MD5:
1608 case SSL_CK_DES_64_CBC_WITH_MD5:
1609 case SSL_CK_DES_192_EDE3_CBC_WITH_MD5:
1610 break;
1611
1612 default:
1613 SSL_DBG(("%d: SSL[%d]: ssl2_ServerSetupSessionCypher: unknown cipher=%d",
1614 SSL_GETPID(), ss->fd, cipher));
1615 PORT_SetError(SSL_ERROR_BAD_CLIENT);
1616 goto loser;
1617 }
1618
1619 allowed = ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED;
1620 if (!(allowed & (1 << cipher))) {
1621 /* client chose a kind we don't allow! */
1622 SSL_DBG(("%d: SSL[%d]: disallowed cipher=%d",
1623 SSL_GETPID(), ss->fd, cipher));
1624 PORT_SetError(SSL_ERROR_BAD_CLIENT);
1625 goto loser;
1626 }
1627
1628 keySize = ssl_Specs[cipher].keyLen;
1629 if (keyBits != keySize * BPB) {
1630 SSL_DBG(("%d: SSL[%d]: invalid master secret key length=%d (bits)!",
1631 SSL_GETPID(), ss->fd, keyBits));
1632 PORT_SetError(SSL_ERROR_BAD_CLIENT);
1633 goto loser;
1634 }
1635
1636 if (ckLen != ssl_Specs[cipher].pubLen) {
1637 SSL_DBG(("%d: SSL[%d]: invalid clear key length, ckLen=%d (bytes)!",
1638 SSL_GETPID(), ss->fd, ckLen));
1639 PORT_SetError(SSL_ERROR_BAD_CLIENT);
1640 goto loser;
1641 }
1642
1643 if (caLen != ssl_Specs[cipher].ivLen) {
1644 SSL_DBG(("%d: SSL[%d]: invalid key args length, caLen=%d (bytes)!",
1645 SSL_GETPID(), ss->fd, caLen));
1646 PORT_SetError(SSL_ERROR_BAD_CLIENT);
1647 goto loser;
1648 }
1649
1650 modulusLen = PK11_GetPrivateModulusLen(sc->SERVERKEY);
1651 if (modulusLen == -1) {
1652 /* XXX If the key is bad, then PK11_PubDecryptRaw will fail below. */
1653 modulusLen = ekLen;
1654 }
1655 if (ekLen > modulusLen || ekLen + ckLen < keySize) {
1656 SSL_DBG(("%d: SSL[%d]: invalid encrypted key length, ekLen=%d (bytes)!",
1657 SSL_GETPID(), ss->fd, ekLen));
1658 PORT_SetError(SSL_ERROR_BAD_CLIENT);
1659 goto loser;
1660 }
1661
1662 /* allocate the buffer to hold the decrypted portion of the key. */
1663 kbuf = (PRUint8*)PORT_Alloc(modulusLen);
1664 if (!kbuf) {
1665 goto loser;
1666 }
1667 dkLen = keySize - ckLen;
1668 dk = kbuf + modulusLen - dkLen;
1669
1670 /* Decrypt encrypted half of the key.
1671 ** NOTE: PK11_PubDecryptRaw will barf on a non-RSA key. This is
1672 ** desired behavior here.
1673 */
1674 rv = PK11_PubDecryptRaw(sc->SERVERKEY, kbuf, &ddLen, modulusLen, ek, ekLen);
1675 if (rv != SECSuccess)
1676 goto hide_loser;
1677
1678 /* Is the length of the decrypted data (ddLen) the expected value? */
1679 if (modulusLen != ddLen)
1680 goto hide_loser;
1681
1682 /* Cheaply verify that PKCS#1 was used to format the encryption block */
1683 if ((kbuf[0] != 0x00) || (kbuf[1] != 0x02) || (dk[-1] != 0x00)) {
1684 SSL_DBG(("%d: SSL[%d]: strange encryption block",
1685 SSL_GETPID(), ss->fd));
1686 PORT_SetError(SSL_ERROR_BAD_CLIENT);
1687 goto hide_loser;
1688 }
1689
1690 /* Make sure we're not subject to a version rollback attack. */
1691 if (ss->opt.enableSSL3 || ss->opt.enableTLS) {
1692 static const PRUint8 threes[8] = { 0x03, 0x03, 0x03, 0x03,
1693 0x03, 0x03, 0x03, 0x03 };
1694
1695 if (PORT_Memcmp(dk - 8 - 1, threes, 8) == 0) {
1696 PORT_SetError(SSL_ERROR_BAD_CLIENT);
1697 goto hide_loser;
1698 }
1699 }
1700 if (0) {
1701 hide_loser:
1702 /* Defense against the Bleichenbacher attack.
1703 * Provide the client with NO CLUES that the decrypted master key
1704 * was erroneous. Don't send any error messages.
1705 * Instead, Generate a completely bogus master key .
1706 */
1707 PK11_GenerateRandom(dk, dkLen);
1708 }
1709
1710 /*
1711 ** Construct master key out of the pieces.
1712 */
1713 if (ckLen) {
1714 PORT_Memcpy(mkbuf, ck, ckLen);
1715 }
1716 PORT_Memcpy(mkbuf + ckLen, dk, dkLen);
1717
1718 /* Fill in session-id */
1719 rv = ssl2_FillInSID(sid, cipher, mkbuf, keySize, ca, caLen,
1720 keyBits, keyBits - (ckLen<<3),
1721 ss->sec.authAlgorithm, ss->sec.authKeyBits,
1722 ss->sec.keaType, ss->sec.keaKeyBits);
1723 if (rv != SECSuccess) {
1724 goto loser;
1725 }
1726
1727 /* Create session ciphers */
1728 rv = ssl2_CreateSessionCypher(ss, sid, PR_FALSE);
1729 if (rv != SECSuccess) {
1730 goto loser;
1731 }
1732
1733 SSL_TRC(1, ("%d: SSL[%d]: server, using %s cipher, clear=%d total=%d",
1734 SSL_GETPID(), ss->fd, ssl_cipherName[cipher],
1735 ckLen<<3, keySize<<3));
1736 rv = SECSuccess;
1737 goto done;
1738
1739 loser:
1740 rv = SECFailure;
1741
1742 done:
1743 PORT_Free(kbuf);
1744 return rv;
1745 }
1746
1747 /************************************************************************/
1748
1749 /*
1750 ** Rewrite the incoming cipher specs, comparing to list of specs we support,
1751 ** (ss->cipherSpecs) and eliminating anything we don't support
1752 **
1753 * Note: Our list may contain SSL v3 ciphers.
1754 * We MUST NOT match on any of those.
1755 * Fortunately, this is easy to detect because SSLv3 ciphers have zero
1756 * in the first byte, and none of the SSLv2 ciphers do.
1757 *
1758 * Called from ssl2_HandleClientHelloMessage().
1759 * Returns the number of bytes of "qualified cipher specs",
1760 * which is typically a multiple of 3, but will be zero if there are none.
1761 */
1762 static int
ssl2_QualifyCypherSpecs(sslSocket * ss,PRUint8 * cs,int csLen)1763 ssl2_QualifyCypherSpecs(sslSocket *ss,
1764 PRUint8 * cs, /* cipher specs in client hello msg. */
1765 int csLen)
1766 {
1767 PRUint8 * ms;
1768 PRUint8 * hs;
1769 PRUint8 * qs;
1770 int mc;
1771 int hc;
1772 PRUint8 qualifiedSpecs[ssl2_NUM_SUITES_IMPLEMENTED * 3];
1773
1774 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
1775 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
1776
1777 if (!ss->cipherSpecs) {
1778 SECStatus rv = ssl2_ConstructCipherSpecs(ss);
1779 if (rv != SECSuccess || !ss->cipherSpecs)
1780 return 0;
1781 }
1782
1783 PRINT_BUF(10, (ss, "specs from client:", cs, csLen));
1784 qs = qualifiedSpecs;
1785 ms = ss->cipherSpecs;
1786 for (mc = ss->sizeCipherSpecs; mc > 0; mc -= 3, ms += 3) {
1787 if (ms[0] == 0)
1788 continue;
1789 for (hs = cs, hc = csLen; hc > 0; hs += 3, hc -= 3) {
1790 if ((hs[0] == ms[0]) &&
1791 (hs[1] == ms[1]) &&
1792 (hs[2] == ms[2])) {
1793 /* Copy this cipher spec into the "keep" section */
1794 qs[0] = hs[0];
1795 qs[1] = hs[1];
1796 qs[2] = hs[2];
1797 qs += 3;
1798 break;
1799 }
1800 }
1801 }
1802 hc = qs - qualifiedSpecs;
1803 PRINT_BUF(10, (ss, "qualified specs from client:", qualifiedSpecs, hc));
1804 PORT_Memcpy(cs, qualifiedSpecs, hc);
1805 return hc;
1806 }
1807
1808 /*
1809 ** Pick the best cipher we can find, given the array of server cipher
1810 ** specs. Returns cipher number (e.g. SSL_CK_*), or -1 for no overlap.
1811 ** If successful, stores the master key size (bytes) in *pKeyLen.
1812 **
1813 ** This is correct only for the client side, but presently
1814 ** this function is only called from
1815 ** ssl2_ClientSetupSessionCypher() <- ssl2_HandleServerHelloMessage()
1816 **
1817 ** Note that most servers only return a single cipher suite in their
1818 ** ServerHello messages. So, the code below for finding the "best" cipher
1819 ** suite usually has only one choice. The client and server should send
1820 ** their cipher suite lists sorted in descending order by preference.
1821 */
1822 static int
ssl2_ChooseSessionCypher(sslSocket * ss,int hc,PRUint8 * hs,int * pKeyLen)1823 ssl2_ChooseSessionCypher(sslSocket *ss,
1824 int hc, /* number of cs's in hs. */
1825 PRUint8 * hs, /* server hello's cipher suites. */
1826 int * pKeyLen) /* out: sym key size in bytes. */
1827 {
1828 PRUint8 * ms;
1829 unsigned int i;
1830 int bestKeySize;
1831 int bestRealKeySize;
1832 int bestCypher;
1833 int keySize;
1834 int realKeySize;
1835 PRUint8 * ohs = hs;
1836 const PRUint8 * preferred;
1837 static const PRUint8 noneSuch[3] = { 0, 0, 0 };
1838
1839 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
1840 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
1841
1842 if (!ss->cipherSpecs) {
1843 SECStatus rv = ssl2_ConstructCipherSpecs(ss);
1844 if (rv != SECSuccess || !ss->cipherSpecs)
1845 goto loser;
1846 }
1847
1848 if (!ss->preferredCipher) {
1849 unsigned int allowed = ss->allowedByPolicy & ss->chosenPreference &
1850 SSL_CB_IMPLEMENTED;
1851 if (allowed) {
1852 preferred = implementedCipherSuites;
1853 for (i = ssl2_NUM_SUITES_IMPLEMENTED; i > 0; --i) {
1854 if (0 != (allowed & (1U << preferred[0]))) {
1855 ss->preferredCipher = preferred;
1856 break;
1857 }
1858 preferred += 3;
1859 }
1860 }
1861 }
1862 preferred = ss->preferredCipher ? ss->preferredCipher : noneSuch;
1863 /*
1864 ** Scan list of ciphers recieved from peer and look for a match in
1865 ** our list.
1866 * Note: Our list may contain SSL v3 ciphers.
1867 * We MUST NOT match on any of those.
1868 * Fortunately, this is easy to detect because SSLv3 ciphers have zero
1869 * in the first byte, and none of the SSLv2 ciphers do.
1870 */
1871 bestKeySize = bestRealKeySize = 0;
1872 bestCypher = -1;
1873 while (--hc >= 0) {
1874 for (i = 0, ms = ss->cipherSpecs; i < ss->sizeCipherSpecs; i += 3, ms += 3) {
1875 if ((hs[0] == preferred[0]) &&
1876 (hs[1] == preferred[1]) &&
1877 (hs[2] == preferred[2]) &&
1878 hs[0] != 0) {
1879 /* Pick this cipher immediately! */
1880 *pKeyLen = (((hs[1] << 8) | hs[2]) + 7) >> 3;
1881 return hs[0];
1882 }
1883 if ((hs[0] == ms[0]) && (hs[1] == ms[1]) && (hs[2] == ms[2]) &&
1884 hs[0] != 0) {
1885 /* Found a match */
1886
1887 /* Use secret keySize to determine which cipher is best */
1888 realKeySize = (hs[1] << 8) | hs[2];
1889 switch (hs[0]) {
1890 case SSL_CK_RC4_128_EXPORT40_WITH_MD5:
1891 case SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5:
1892 keySize = 40;
1893 break;
1894 default:
1895 keySize = realKeySize;
1896 break;
1897 }
1898 if (keySize > bestKeySize) {
1899 bestCypher = hs[0];
1900 bestKeySize = keySize;
1901 bestRealKeySize = realKeySize;
1902 }
1903 }
1904 }
1905 hs += 3;
1906 }
1907 if (bestCypher < 0) {
1908 /*
1909 ** No overlap between server and client. Re-examine server list
1910 ** to see what kind of ciphers it does support so that we can set
1911 ** the error code appropriately.
1912 */
1913 if ((ohs[0] == SSL_CK_RC4_128_WITH_MD5) ||
1914 (ohs[0] == SSL_CK_RC2_128_CBC_WITH_MD5)) {
1915 PORT_SetError(SSL_ERROR_US_ONLY_SERVER);
1916 } else if ((ohs[0] == SSL_CK_RC4_128_EXPORT40_WITH_MD5) ||
1917 (ohs[0] == SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5)) {
1918 PORT_SetError(SSL_ERROR_EXPORT_ONLY_SERVER);
1919 } else {
1920 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
1921 }
1922 SSL_DBG(("%d: SSL[%d]: no cipher overlap", SSL_GETPID(), ss->fd));
1923 goto loser;
1924 }
1925 *pKeyLen = (bestRealKeySize + 7) >> 3;
1926 return bestCypher;
1927
1928 loser:
1929 return -1;
1930 }
1931
1932 static SECStatus
ssl2_ClientHandleServerCert(sslSocket * ss,PRUint8 * certData,int certLen)1933 ssl2_ClientHandleServerCert(sslSocket *ss, PRUint8 *certData, int certLen)
1934 {
1935 CERTCertificate *cert = NULL;
1936 SECItem certItem;
1937
1938 certItem.data = certData;
1939 certItem.len = certLen;
1940
1941 /* decode the certificate */
1942 cert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
1943 PR_FALSE, PR_TRUE);
1944
1945 if (cert == NULL) {
1946 SSL_DBG(("%d: SSL[%d]: decode of server certificate fails",
1947 SSL_GETPID(), ss->fd));
1948 PORT_SetError(SSL_ERROR_BAD_CERTIFICATE);
1949 return SECFailure;
1950 }
1951
1952 #ifdef TRACE
1953 {
1954 if (ssl_trace >= 1) {
1955 char *issuer;
1956 char *subject;
1957 issuer = CERT_NameToAscii(&cert->issuer);
1958 subject = CERT_NameToAscii(&cert->subject);
1959 SSL_TRC(1,("%d: server certificate issuer: '%s'",
1960 SSL_GETPID(), issuer ? issuer : "OOPS"));
1961 SSL_TRC(1,("%d: server name: '%s'",
1962 SSL_GETPID(), subject ? subject : "OOPS"));
1963 PORT_Free(issuer);
1964 PORT_Free(subject);
1965 }
1966 }
1967 #endif
1968
1969 ss->sec.peerCert = cert;
1970 return SECSuccess;
1971 }
1972
1973
1974 /*
1975 * Format one block of data for public/private key encryption using
1976 * the rules defined in PKCS #1. SSL2 does this itself to handle the
1977 * rollback detection.
1978 */
1979 #define RSA_BLOCK_MIN_PAD_LEN 8
1980 #define RSA_BLOCK_FIRST_OCTET 0x00
1981 #define RSA_BLOCK_AFTER_PAD_OCTET 0x00
1982 #define RSA_BLOCK_PUBLIC_OCTET 0x02
1983 unsigned char *
ssl_FormatSSL2Block(unsigned modulusLen,SECItem * data)1984 ssl_FormatSSL2Block(unsigned modulusLen, SECItem *data)
1985 {
1986 unsigned char *block;
1987 unsigned char *bp;
1988 int padLen;
1989 SECStatus rv;
1990 int i;
1991
1992 if (modulusLen < data->len + (3 + RSA_BLOCK_MIN_PAD_LEN)) {
1993 PORT_SetError(SEC_ERROR_BAD_KEY);
1994 return NULL;
1995 }
1996 block = (unsigned char *) PORT_Alloc(modulusLen);
1997 if (block == NULL)
1998 return NULL;
1999
2000 bp = block;
2001
2002 /*
2003 * All RSA blocks start with two octets:
2004 * 0x00 || BlockType
2005 */
2006 *bp++ = RSA_BLOCK_FIRST_OCTET;
2007 *bp++ = RSA_BLOCK_PUBLIC_OCTET;
2008
2009 /*
2010 * 0x00 || BT || Pad || 0x00 || ActualData
2011 * 1 1 padLen 1 data->len
2012 * Pad is all non-zero random bytes.
2013 */
2014 padLen = modulusLen - data->len - 3;
2015 PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN);
2016 rv = PK11_GenerateRandom(bp, padLen);
2017 if (rv == SECFailure) goto loser;
2018 /* replace all the 'zero' bytes */
2019 for (i = 0; i < padLen; i++) {
2020 while (bp[i] == RSA_BLOCK_AFTER_PAD_OCTET) {
2021 rv = PK11_GenerateRandom(bp+i, 1);
2022 if (rv == SECFailure) goto loser;
2023 }
2024 }
2025 bp += padLen;
2026 *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
2027 PORT_Memcpy (bp, data->data, data->len);
2028
2029 return block;
2030 loser:
2031 if (block) PORT_Free(block);
2032 return NULL;
2033 }
2034
2035 /*
2036 ** Given the server's public key and cipher specs, generate a session key
2037 ** that is ready to use for encrypting/decrypting the byte stream. At
2038 ** the same time, generate the SSL_MT_CLIENT_MASTER_KEY message and
2039 ** send it to the server.
2040 **
2041 ** Called from ssl2_HandleServerHelloMessage()
2042 */
2043 static SECStatus
ssl2_ClientSetupSessionCypher(sslSocket * ss,PRUint8 * cs,int csLen)2044 ssl2_ClientSetupSessionCypher(sslSocket *ss, PRUint8 *cs, int csLen)
2045 {
2046 sslSessionID * sid;
2047 PRUint8 * ca; /* points to iv data, or NULL if none. */
2048 PRUint8 * ekbuf = 0;
2049 CERTCertificate * cert = 0;
2050 SECKEYPublicKey * serverKey = 0;
2051 unsigned modulusLen = 0;
2052 SECStatus rv;
2053 int cipher;
2054 int keyLen; /* cipher symkey size in bytes. */
2055 int ckLen; /* publicly reveal this many bytes of key. */
2056 int caLen; /* length of IV data at *ca. */
2057 int nc;
2058
2059 unsigned char *eblock; /* holds unencrypted PKCS#1 formatted key. */
2060 SECItem rek; /* holds portion of symkey to be encrypted. */
2061
2062 PRUint8 keyData[SSL_MAX_MASTER_KEY_BYTES];
2063 PRUint8 iv [8];
2064
2065 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
2066
2067 eblock = NULL;
2068
2069 sid = ss->sec.ci.sid;
2070 PORT_Assert(sid != 0);
2071
2072 cert = ss->sec.peerCert;
2073
2074 serverKey = CERT_ExtractPublicKey(cert);
2075 if (!serverKey) {
2076 SSL_DBG(("%d: SSL[%d]: extract public key failed: error=%d",
2077 SSL_GETPID(), ss->fd, PORT_GetError()));
2078 PORT_SetError(SSL_ERROR_BAD_CERTIFICATE);
2079 rv = SECFailure;
2080 goto loser2;
2081 }
2082
2083 ss->sec.authAlgorithm = ssl_sign_rsa;
2084 ss->sec.keaType = ssl_kea_rsa;
2085 ss->sec.keaKeyBits = \
2086 ss->sec.authKeyBits = SECKEY_PublicKeyStrengthInBits(serverKey);
2087
2088 /* Choose a compatible cipher with the server */
2089 nc = csLen / 3;
2090 cipher = ssl2_ChooseSessionCypher(ss, nc, cs, &keyLen);
2091 if (cipher < 0) {
2092 /* ssl2_ChooseSessionCypher has set error code. */
2093 ssl2_SendErrorMessage(ss, SSL_PE_NO_CYPHERS);
2094 goto loser;
2095 }
2096
2097 /* Generate the random keys */
2098 PK11_GenerateRandom(keyData, sizeof(keyData));
2099
2100 /*
2101 ** Next, carve up the keys into clear and encrypted portions. The
2102 ** clear data is taken from the start of keyData and the encrypted
2103 ** portion from the remainder. Note that each of these portions is
2104 ** carved in half, one half for the read-key and one for the
2105 ** write-key.
2106 */
2107 ca = 0;
2108
2109 /* We know that cipher is a legit value here, because
2110 * ssl2_ChooseSessionCypher doesn't return bogus values.
2111 */
2112 ckLen = ssl_Specs[cipher].pubLen; /* cleartext key length. */
2113 caLen = ssl_Specs[cipher].ivLen; /* IV length. */
2114 if (caLen) {
2115 PORT_Assert(sizeof iv >= caLen);
2116 PK11_GenerateRandom(iv, caLen);
2117 ca = iv;
2118 }
2119
2120 /* Fill in session-id */
2121 rv = ssl2_FillInSID(sid, cipher, keyData, keyLen,
2122 ca, caLen, keyLen << 3, (keyLen - ckLen) << 3,
2123 ss->sec.authAlgorithm, ss->sec.authKeyBits,
2124 ss->sec.keaType, ss->sec.keaKeyBits);
2125 if (rv != SECSuccess) {
2126 goto loser;
2127 }
2128
2129 SSL_TRC(1, ("%d: SSL[%d]: client, using %s cipher, clear=%d total=%d",
2130 SSL_GETPID(), ss->fd, ssl_cipherName[cipher],
2131 ckLen<<3, keyLen<<3));
2132
2133 /* Now setup read and write ciphers */
2134 rv = ssl2_CreateSessionCypher(ss, sid, PR_TRUE);
2135 if (rv != SECSuccess) {
2136 goto loser;
2137 }
2138
2139 /*
2140 ** Fill in the encryption buffer with some random bytes. Then
2141 ** copy in the portion of the session key we are encrypting.
2142 */
2143 modulusLen = SECKEY_PublicKeyStrength(serverKey);
2144 rek.data = keyData + ckLen;
2145 rek.len = keyLen - ckLen;
2146 eblock = ssl_FormatSSL2Block(modulusLen, &rek);
2147 if (eblock == NULL)
2148 goto loser;
2149
2150 /* Set up the padding for version 2 rollback detection. */
2151 /* XXX We should really use defines here */
2152 if (ss->opt.enableSSL3 || ss->opt.enableTLS) {
2153 PORT_Assert((modulusLen - rek.len) > 12);
2154 PORT_Memset(eblock + modulusLen - rek.len - 8 - 1, 0x03, 8);
2155 }
2156 ekbuf = (PRUint8*) PORT_Alloc(modulusLen);
2157 if (!ekbuf)
2158 goto loser;
2159 PRINT_BUF(10, (ss, "master key encryption block:",
2160 eblock, modulusLen));
2161
2162 /* Encrypt ekitem */
2163 rv = PK11_PubEncryptRaw(serverKey, ekbuf, eblock, modulusLen,
2164 ss->pkcs11PinArg);
2165 if (rv)
2166 goto loser;
2167
2168 /* Now we have everything ready to send */
2169 rv = ssl2_SendSessionKeyMessage(ss, cipher, keyLen << 3, ca, caLen,
2170 keyData, ckLen, ekbuf, modulusLen);
2171 if (rv != SECSuccess) {
2172 goto loser;
2173 }
2174 rv = SECSuccess;
2175 goto done;
2176
2177 loser:
2178 rv = SECFailure;
2179
2180 loser2:
2181 done:
2182 PORT_Memset(keyData, 0, sizeof(keyData));
2183 PORT_ZFree(ekbuf, modulusLen);
2184 PORT_ZFree(eblock, modulusLen);
2185 SECKEY_DestroyPublicKey(serverKey);
2186 return rv;
2187 }
2188
2189 /************************************************************************/
2190
2191 /*
2192 * Called from ssl2_HandleMessage in response to SSL_MT_SERVER_FINISHED message.
2193 * Caller holds recvBufLock and handshakeLock
2194 */
2195 static void
ssl2_ClientRegSessionID(sslSocket * ss,PRUint8 * s)2196 ssl2_ClientRegSessionID(sslSocket *ss, PRUint8 *s)
2197 {
2198 sslSessionID *sid = ss->sec.ci.sid;
2199
2200 /* Record entry in nonce cache */
2201 if (sid->peerCert == NULL) {
2202 PORT_Memcpy(sid->u.ssl2.sessionID, s, sizeof(sid->u.ssl2.sessionID));
2203 sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
2204
2205 }
2206 if (!ss->opt.noCache)
2207 (*ss->sec.cache)(sid);
2208 }
2209
2210 /* Called from ssl2_HandleMessage() */
2211 static SECStatus
ssl2_TriggerNextMessage(sslSocket * ss)2212 ssl2_TriggerNextMessage(sslSocket *ss)
2213 {
2214 SECStatus rv;
2215
2216 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
2217
2218 if ((ss->sec.ci.requiredElements & CIS_HAVE_CERTIFICATE) &&
2219 !(ss->sec.ci.sentElements & CIS_HAVE_CERTIFICATE)) {
2220 ss->sec.ci.sentElements |= CIS_HAVE_CERTIFICATE;
2221 rv = ssl2_SendCertificateRequestMessage(ss);
2222 return rv;
2223 }
2224 return SECSuccess;
2225 }
2226
2227 /* See if it's time to send our finished message, or if the handshakes are
2228 ** complete. Send finished message if appropriate.
2229 ** Returns SECSuccess unless anything goes wrong.
2230 **
2231 ** Called from ssl2_HandleMessage,
2232 ** ssl2_HandleVerifyMessage
2233 ** ssl2_HandleServerHelloMessage
2234 ** ssl2_HandleClientSessionKeyMessage
2235 ** ssl2_RestartHandshakeAfterCertReq
2236 ** ssl2_RestartHandshakeAfterServerCert
2237 */
2238 static SECStatus
ssl2_TryToFinish(sslSocket * ss)2239 ssl2_TryToFinish(sslSocket *ss)
2240 {
2241 SECStatus rv;
2242 char e, ef;
2243
2244 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
2245
2246 e = ss->sec.ci.elements;
2247 ef = e | CIS_HAVE_FINISHED;
2248 if ((ef & ss->sec.ci.requiredElements) == ss->sec.ci.requiredElements) {
2249 if (ss->sec.isServer) {
2250 /* Send server finished message if we already didn't */
2251 rv = ssl2_SendServerFinishedMessage(ss);
2252 } else {
2253 /* Send client finished message if we already didn't */
2254 rv = ssl2_SendClientFinishedMessage(ss);
2255 }
2256 if (rv != SECSuccess) {
2257 return rv;
2258 }
2259 if ((e & ss->sec.ci.requiredElements) == ss->sec.ci.requiredElements) {
2260 /* Totally finished */
2261 ss->handshake = 0;
2262 return SECSuccess;
2263 }
2264 }
2265 return SECSuccess;
2266 }
2267
2268 /*
2269 ** Called from ssl2_HandleRequestCertificate
2270 ** ssl2_RestartHandshakeAfterCertReq
2271 */
2272 static SECStatus
ssl2_SignResponse(sslSocket * ss,SECKEYPrivateKey * key,SECItem * response)2273 ssl2_SignResponse(sslSocket *ss,
2274 SECKEYPrivateKey *key,
2275 SECItem *response)
2276 {
2277 SGNContext * sgn = NULL;
2278 PRUint8 * challenge;
2279 unsigned int len;
2280 SECStatus rv = SECFailure;
2281
2282 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
2283
2284 challenge = ss->sec.ci.serverChallenge;
2285 len = ss->sec.ci.serverChallengeLen;
2286
2287 /* Sign the expected data... */
2288 sgn = SGN_NewContext(SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION,key);
2289 if (!sgn)
2290 goto done;
2291 rv = SGN_Begin(sgn);
2292 if (rv != SECSuccess)
2293 goto done;
2294 rv = SGN_Update(sgn, ss->sec.ci.readKey, ss->sec.ci.keySize);
2295 if (rv != SECSuccess)
2296 goto done;
2297 rv = SGN_Update(sgn, ss->sec.ci.writeKey, ss->sec.ci.keySize);
2298 if (rv != SECSuccess)
2299 goto done;
2300 rv = SGN_Update(sgn, challenge, len);
2301 if (rv != SECSuccess)
2302 goto done;
2303 rv = SGN_Update(sgn, ss->sec.peerCert->derCert.data,
2304 ss->sec.peerCert->derCert.len);
2305 if (rv != SECSuccess)
2306 goto done;
2307 rv = SGN_End(sgn, response);
2308 if (rv != SECSuccess)
2309 goto done;
2310
2311 done:
2312 SGN_DestroyContext(sgn, PR_TRUE);
2313 return rv == SECSuccess ? SECSuccess : SECFailure;
2314 }
2315
2316 /*
2317 ** Try to handle a request-certificate message. Get client's certificate
2318 ** and private key and sign a message for the server to see.
2319 ** Caller must hold handshakeLock
2320 **
2321 ** Called from ssl2_HandleMessage().
2322 */
2323 static int
ssl2_HandleRequestCertificate(sslSocket * ss)2324 ssl2_HandleRequestCertificate(sslSocket *ss)
2325 {
2326 CERTCertificate * cert = NULL; /* app-selected client cert. */
2327 SECKEYPrivateKey *key = NULL; /* priv key for cert. */
2328 SECStatus rv;
2329 SECItem response;
2330 int ret = 0;
2331 PRUint8 authType;
2332
2333
2334 /*
2335 * These things all need to be initialized before we can "goto loser".
2336 */
2337 response.data = NULL;
2338
2339 /* get challenge info from connectionInfo */
2340 authType = ss->sec.ci.authType;
2341
2342 if (authType != SSL_AT_MD5_WITH_RSA_ENCRYPTION) {
2343 SSL_TRC(7, ("%d: SSL[%d]: unsupported auth type 0x%x", SSL_GETPID(),
2344 ss->fd, authType));
2345 goto no_cert_error;
2346 }
2347
2348 /* Get certificate and private-key from client */
2349 if (!ss->getClientAuthData) {
2350 SSL_TRC(7, ("%d: SSL[%d]: client doesn't support client-auth",
2351 SSL_GETPID(), ss->fd));
2352 goto no_cert_error;
2353 }
2354 ret = (*ss->getClientAuthData)(ss->getClientAuthDataArg, ss->fd,
2355 NULL, &cert, &key);
2356 if ( ret == SECWouldBlock ) {
2357 ssl_SetAlwaysBlock(ss);
2358 goto done;
2359 }
2360
2361 if (ret) {
2362 goto no_cert_error;
2363 }
2364
2365 /* check what the callback function returned */
2366 if ((!cert) || (!key)) {
2367 /* we are missing either the key or cert */
2368 if (cert) {
2369 /* got a cert, but no key - free it */
2370 CERT_DestroyCertificate(cert);
2371 cert = NULL;
2372 }
2373 if (key) {
2374 /* got a key, but no cert - free it */
2375 SECKEY_DestroyPrivateKey(key);
2376 key = NULL;
2377 }
2378 goto no_cert_error;
2379 }
2380
2381 rv = ssl2_SignResponse(ss, key, &response);
2382 if ( rv != SECSuccess ) {
2383 ret = -1;
2384 goto loser;
2385 }
2386
2387 /* Send response message */
2388 ret = ssl2_SendCertificateResponseMessage(ss, &cert->derCert, &response);
2389
2390 /* Now, remember the cert we sent. But first, forget any previous one. */
2391 if (ss->sec.localCert) {
2392 CERT_DestroyCertificate(ss->sec.localCert);
2393 }
2394 ss->sec.localCert = CERT_DupCertificate(cert);
2395 PORT_Assert(!ss->sec.ci.sid->localCert);
2396 if (ss->sec.ci.sid->localCert) {
2397 CERT_DestroyCertificate(ss->sec.ci.sid->localCert);
2398 }
2399 ss->sec.ci.sid->localCert = cert;
2400 cert = NULL;
2401
2402 goto done;
2403
2404 no_cert_error:
2405 SSL_TRC(7, ("%d: SSL[%d]: no certificate (ret=%d)", SSL_GETPID(),
2406 ss->fd, ret));
2407 ret = ssl2_SendErrorMessage(ss, SSL_PE_NO_CERTIFICATE);
2408
2409 loser:
2410 done:
2411 if ( cert ) {
2412 CERT_DestroyCertificate(cert);
2413 }
2414 if ( key ) {
2415 SECKEY_DestroyPrivateKey(key);
2416 }
2417 if ( response.data ) {
2418 PORT_Free(response.data);
2419 }
2420
2421 return ret;
2422 }
2423
2424 /*
2425 ** Called from ssl2_HandleMessage for SSL_MT_CLIENT_CERTIFICATE message.
2426 ** Caller must hold HandshakeLock and RecvBufLock, since cd and response
2427 ** are contained in the gathered input data.
2428 */
2429 static SECStatus
ssl2_HandleClientCertificate(sslSocket * ss,PRUint8 certType,PRUint8 * cd,unsigned int cdLen,PRUint8 * response,unsigned int responseLen)2430 ssl2_HandleClientCertificate(sslSocket * ss,
2431 PRUint8 certType, /* XXX unused */
2432 PRUint8 * cd,
2433 unsigned int cdLen,
2434 PRUint8 * response,
2435 unsigned int responseLen)
2436 {
2437 CERTCertificate *cert = NULL;
2438 SECKEYPublicKey *pubKey = NULL;
2439 VFYContext * vfy = NULL;
2440 SECItem * derCert;
2441 SECStatus rv = SECFailure;
2442 SECItem certItem;
2443 SECItem rep;
2444
2445 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
2446 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
2447
2448 /* Extract the certificate */
2449 certItem.data = cd;
2450 certItem.len = cdLen;
2451
2452 cert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
2453 PR_FALSE, PR_TRUE);
2454 if (cert == NULL) {
2455 goto loser;
2456 }
2457
2458 /* save the certificate, since the auth routine will need it */
2459 ss->sec.peerCert = cert;
2460
2461 /* Extract the public key */
2462 pubKey = CERT_ExtractPublicKey(cert);
2463 if (!pubKey)
2464 goto loser;
2465
2466 /* Verify the response data... */
2467 rep.data = response;
2468 rep.len = responseLen;
2469 /* SSL 2.0 only supports RSA certs, so we don't have to worry about
2470 * DSA here. */
2471 vfy = VFY_CreateContext(pubKey, &rep, SEC_OID_PKCS1_RSA_ENCRYPTION,
2472 ss->pkcs11PinArg);
2473 if (!vfy)
2474 goto loser;
2475 rv = VFY_Begin(vfy);
2476 if (rv)
2477 goto loser;
2478
2479 rv = VFY_Update(vfy, ss->sec.ci.readKey, ss->sec.ci.keySize);
2480 if (rv)
2481 goto loser;
2482 rv = VFY_Update(vfy, ss->sec.ci.writeKey, ss->sec.ci.keySize);
2483 if (rv)
2484 goto loser;
2485 rv = VFY_Update(vfy, ss->sec.ci.serverChallenge, SSL_CHALLENGE_BYTES);
2486 if (rv)
2487 goto loser;
2488
2489 derCert = &ss->serverCerts[kt_rsa].serverCert->derCert;
2490 rv = VFY_Update(vfy, derCert->data, derCert->len);
2491 if (rv)
2492 goto loser;
2493 rv = VFY_End(vfy);
2494 if (rv)
2495 goto loser;
2496
2497 /* Now ask the server application if it likes the certificate... */
2498 rv = (SECStatus) (*ss->authCertificate)(ss->authCertificateArg,
2499 ss->fd, PR_TRUE, PR_TRUE);
2500 /* Hey, it liked it. */
2501 if (SECSuccess == rv)
2502 goto done;
2503
2504 loser:
2505 ss->sec.peerCert = NULL;
2506 CERT_DestroyCertificate(cert);
2507
2508 done:
2509 VFY_DestroyContext(vfy, PR_TRUE);
2510 SECKEY_DestroyPublicKey(pubKey);
2511 return rv;
2512 }
2513
2514 /*
2515 ** Handle remaining messages between client/server. Process finished
2516 ** messages from either side and any authentication requests.
2517 ** This should only be called for SSLv2 handshake messages,
2518 ** not for application data records.
2519 ** Caller must hold handshake lock.
2520 **
2521 ** Called from ssl_Do1stHandshake().
2522 **
2523 */
2524 static SECStatus
ssl2_HandleMessage(sslSocket * ss)2525 ssl2_HandleMessage(sslSocket *ss)
2526 {
2527 PRUint8 * data;
2528 PRUint8 * cid;
2529 unsigned len, certType, certLen, responseLen;
2530 int rv;
2531 int rv2;
2532
2533 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
2534
2535 ssl_GetRecvBufLock(ss);
2536
2537 data = ss->gs.buf.buf + ss->gs.recordOffset;
2538
2539 if (ss->gs.recordLen < 1) {
2540 goto bad_peer;
2541 }
2542 SSL_TRC(3, ("%d: SSL[%d]: received %d message",
2543 SSL_GETPID(), ss->fd, data[0]));
2544 DUMP_MSG(29, (ss, data, ss->gs.recordLen));
2545
2546 switch (data[0]) {
2547 case SSL_MT_CLIENT_FINISHED:
2548 if (ss->sec.ci.elements & CIS_HAVE_FINISHED) {
2549 SSL_DBG(("%d: SSL[%d]: dup client-finished message",
2550 SSL_GETPID(), ss->fd));
2551 goto bad_peer;
2552 }
2553
2554 /* See if nonce matches */
2555 len = ss->gs.recordLen - 1;
2556 cid = data + 1;
2557 if ((len != sizeof(ss->sec.ci.connectionID)) ||
2558 (PORT_Memcmp(ss->sec.ci.connectionID, cid, len) != 0)) {
2559 SSL_DBG(("%d: SSL[%d]: bad connection-id", SSL_GETPID(), ss->fd));
2560 PRINT_BUF(5, (ss, "sent connection-id",
2561 ss->sec.ci.connectionID,
2562 sizeof(ss->sec.ci.connectionID)));
2563 PRINT_BUF(5, (ss, "rcvd connection-id", cid, len));
2564 goto bad_peer;
2565 }
2566
2567 SSL_TRC(5, ("%d: SSL[%d]: got client finished, waiting for 0x%d",
2568 SSL_GETPID(), ss->fd,
2569 ss->sec.ci.requiredElements ^ ss->sec.ci.elements));
2570 ss->sec.ci.elements |= CIS_HAVE_FINISHED;
2571 break;
2572
2573 case SSL_MT_SERVER_FINISHED:
2574 if (ss->sec.ci.elements & CIS_HAVE_FINISHED) {
2575 SSL_DBG(("%d: SSL[%d]: dup server-finished message",
2576 SSL_GETPID(), ss->fd));
2577 goto bad_peer;
2578 }
2579
2580 if (ss->gs.recordLen - 1 != SSL2_SESSIONID_BYTES) {
2581 SSL_DBG(("%d: SSL[%d]: bad server-finished message, len=%d",
2582 SSL_GETPID(), ss->fd, ss->gs.recordLen));
2583 goto bad_peer;
2584 }
2585 ssl2_ClientRegSessionID(ss, data+1);
2586 SSL_TRC(5, ("%d: SSL[%d]: got server finished, waiting for 0x%d",
2587 SSL_GETPID(), ss->fd,
2588 ss->sec.ci.requiredElements ^ ss->sec.ci.elements));
2589 ss->sec.ci.elements |= CIS_HAVE_FINISHED;
2590 break;
2591
2592 case SSL_MT_REQUEST_CERTIFICATE:
2593 len = ss->gs.recordLen - 2;
2594 if ((len < SSL_MIN_CHALLENGE_BYTES) ||
2595 (len > SSL_MAX_CHALLENGE_BYTES)) {
2596 /* Bad challenge */
2597 SSL_DBG(("%d: SSL[%d]: bad cert request message: code len=%d",
2598 SSL_GETPID(), ss->fd, len));
2599 goto bad_peer;
2600 }
2601
2602 /* save auth request info */
2603 ss->sec.ci.authType = data[1];
2604 ss->sec.ci.serverChallengeLen = len;
2605 PORT_Memcpy(ss->sec.ci.serverChallenge, data + 2, len);
2606
2607 rv = ssl2_HandleRequestCertificate(ss);
2608 if (rv == SECWouldBlock) {
2609 SSL_TRC(3, ("%d: SSL[%d]: async cert request",
2610 SSL_GETPID(), ss->fd));
2611 /* someone is handling this asynchronously */
2612 ssl_ReleaseRecvBufLock(ss);
2613 return SECWouldBlock;
2614 }
2615 if (rv) {
2616 SET_ERROR_CODE
2617 goto loser;
2618 }
2619 break;
2620
2621 case SSL_MT_CLIENT_CERTIFICATE:
2622 if (!ss->authCertificate) {
2623 /* Server asked for authentication and can't handle it */
2624 PORT_SetError(SSL_ERROR_BAD_SERVER);
2625 goto loser;
2626 }
2627 if (ss->gs.recordLen < SSL_HL_CLIENT_CERTIFICATE_HBYTES) {
2628 SET_ERROR_CODE
2629 goto loser;
2630 }
2631 certType = data[1];
2632 certLen = (data[2] << 8) | data[3];
2633 responseLen = (data[4] << 8) | data[5];
2634 if (certType != SSL_CT_X509_CERTIFICATE) {
2635 PORT_SetError(SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);
2636 goto loser;
2637 }
2638 if (certLen + responseLen + SSL_HL_CLIENT_CERTIFICATE_HBYTES
2639 > ss->gs.recordLen) {
2640 /* prevent overflow crash. */
2641 rv = SECFailure;
2642 } else
2643 rv = ssl2_HandleClientCertificate(ss, data[1],
2644 data + SSL_HL_CLIENT_CERTIFICATE_HBYTES,
2645 certLen,
2646 data + SSL_HL_CLIENT_CERTIFICATE_HBYTES + certLen,
2647 responseLen);
2648 if (rv) {
2649 rv2 = ssl2_SendErrorMessage(ss, SSL_PE_BAD_CERTIFICATE);
2650 SET_ERROR_CODE
2651 goto loser;
2652 }
2653 ss->sec.ci.elements |= CIS_HAVE_CERTIFICATE;
2654 break;
2655
2656 case SSL_MT_ERROR:
2657 rv = (data[1] << 8) | data[2];
2658 SSL_TRC(2, ("%d: SSL[%d]: got error message, error=0x%x",
2659 SSL_GETPID(), ss->fd, rv));
2660
2661 /* Convert protocol error number into API error number */
2662 switch (rv) {
2663 case SSL_PE_NO_CYPHERS:
2664 rv = SSL_ERROR_NO_CYPHER_OVERLAP;
2665 break;
2666 case SSL_PE_NO_CERTIFICATE:
2667 rv = SSL_ERROR_NO_CERTIFICATE;
2668 break;
2669 case SSL_PE_BAD_CERTIFICATE:
2670 rv = SSL_ERROR_BAD_CERTIFICATE;
2671 break;
2672 case SSL_PE_UNSUPPORTED_CERTIFICATE_TYPE:
2673 rv = SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE;
2674 break;
2675 default:
2676 goto bad_peer;
2677 }
2678 /* XXX make certificate-request optionally fail... */
2679 PORT_SetError(rv);
2680 goto loser;
2681
2682 default:
2683 SSL_DBG(("%d: SSL[%d]: unknown message %d",
2684 SSL_GETPID(), ss->fd, data[0]));
2685 goto loser;
2686 }
2687
2688 SSL_TRC(3, ("%d: SSL[%d]: handled %d message, required=0x%x got=0x%x",
2689 SSL_GETPID(), ss->fd, data[0],
2690 ss->sec.ci.requiredElements, ss->sec.ci.elements));
2691
2692 rv = ssl2_TryToFinish(ss);
2693 if (rv != SECSuccess)
2694 goto loser;
2695
2696 ss->gs.recordLen = 0;
2697 ssl_ReleaseRecvBufLock(ss);
2698
2699 if (ss->handshake == 0) {
2700 return SECSuccess;
2701 }
2702
2703 ss->handshake = ssl_GatherRecord1stHandshake;
2704 ss->nextHandshake = ssl2_HandleMessage;
2705 return ssl2_TriggerNextMessage(ss);
2706
2707 bad_peer:
2708 PORT_SetError(ss->sec.isServer ? SSL_ERROR_BAD_CLIENT : SSL_ERROR_BAD_SERVER);
2709 /* FALL THROUGH */
2710
2711 loser:
2712 ssl_ReleaseRecvBufLock(ss);
2713 return SECFailure;
2714 }
2715
2716 /************************************************************************/
2717
2718 /* Called from ssl_Do1stHandshake, after ssl2_HandleServerHelloMessage or
2719 ** ssl2_RestartHandshakeAfterServerCert.
2720 */
2721 static SECStatus
ssl2_HandleVerifyMessage(sslSocket * ss)2722 ssl2_HandleVerifyMessage(sslSocket *ss)
2723 {
2724 PRUint8 * data;
2725 SECStatus rv;
2726
2727 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
2728 ssl_GetRecvBufLock(ss);
2729
2730 data = ss->gs.buf.buf + ss->gs.recordOffset;
2731 DUMP_MSG(29, (ss, data, ss->gs.recordLen));
2732 if ((ss->gs.recordLen != 1 + SSL_CHALLENGE_BYTES) ||
2733 (data[0] != SSL_MT_SERVER_VERIFY) ||
2734 NSS_SecureMemcmp(data+1, ss->sec.ci.clientChallenge,
2735 SSL_CHALLENGE_BYTES)) {
2736 /* Bad server */
2737 PORT_SetError(SSL_ERROR_BAD_SERVER);
2738 goto loser;
2739 }
2740 ss->sec.ci.elements |= CIS_HAVE_VERIFY;
2741
2742 SSL_TRC(5, ("%d: SSL[%d]: got server-verify, required=0x%d got=0x%x",
2743 SSL_GETPID(), ss->fd, ss->sec.ci.requiredElements,
2744 ss->sec.ci.elements));
2745
2746 rv = ssl2_TryToFinish(ss);
2747 if (rv)
2748 goto loser;
2749
2750 ss->gs.recordLen = 0;
2751 ssl_ReleaseRecvBufLock(ss);
2752
2753 if (ss->handshake == 0) {
2754 return SECSuccess;
2755 }
2756 ss->handshake = ssl_GatherRecord1stHandshake;
2757 ss->nextHandshake = ssl2_HandleMessage;
2758 return SECSuccess;
2759
2760
2761 loser:
2762 ssl_ReleaseRecvBufLock(ss);
2763 return SECFailure;
2764 }
2765
2766 /* Not static because ssl2_GatherData() tests ss->nextHandshake for this value.
2767 * ICK!
2768 * Called from ssl_Do1stHandshake after ssl2_BeginClientHandshake()
2769 */
2770 SECStatus
ssl2_HandleServerHelloMessage(sslSocket * ss)2771 ssl2_HandleServerHelloMessage(sslSocket *ss)
2772 {
2773 sslSessionID * sid;
2774 PRUint8 * cert;
2775 PRUint8 * cs;
2776 PRUint8 * data;
2777 SECStatus rv;
2778 int needed, sidHit, certLen, csLen, cidLen, certType, err;
2779
2780 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
2781
2782 if (!ss->opt.enableSSL2) {
2783 PORT_SetError(SSL_ERROR_SSL2_DISABLED);
2784 return SECFailure;
2785 }
2786
2787 ssl_GetRecvBufLock(ss);
2788
2789 PORT_Assert(ss->sec.ci.sid != 0);
2790 sid = ss->sec.ci.sid;
2791
2792 data = ss->gs.buf.buf + ss->gs.recordOffset;
2793 DUMP_MSG(29, (ss, data, ss->gs.recordLen));
2794
2795 /* Make sure first message has some data and is the server hello message */
2796 if ((ss->gs.recordLen < SSL_HL_SERVER_HELLO_HBYTES)
2797 || (data[0] != SSL_MT_SERVER_HELLO)) {
2798 if ((data[0] == SSL_MT_ERROR) && (ss->gs.recordLen == 3)) {
2799 err = (data[1] << 8) | data[2];
2800 if (err == SSL_PE_NO_CYPHERS) {
2801 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
2802 goto loser;
2803 }
2804 }
2805 goto bad_server;
2806 }
2807
2808 sidHit = data[1];
2809 certType = data[2];
2810 ss->version = (data[3] << 8) | data[4];
2811 certLen = (data[5] << 8) | data[6];
2812 csLen = (data[7] << 8) | data[8];
2813 cidLen = (data[9] << 8) | data[10];
2814 cert = data + SSL_HL_SERVER_HELLO_HBYTES;
2815 cs = cert + certLen;
2816
2817 SSL_TRC(5,
2818 ("%d: SSL[%d]: server-hello, hit=%d vers=%x certLen=%d csLen=%d cidLen=%d",
2819 SSL_GETPID(), ss->fd, sidHit, ss->version, certLen,
2820 csLen, cidLen));
2821 if (ss->version != SSL_LIBRARY_VERSION_2) {
2822 if (ss->version < SSL_LIBRARY_VERSION_2) {
2823 SSL_TRC(3, ("%d: SSL[%d]: demoting self (%x) to server version (%x)",
2824 SSL_GETPID(), ss->fd, SSL_LIBRARY_VERSION_2,
2825 ss->version));
2826 } else {
2827 SSL_TRC(1, ("%d: SSL[%d]: server version is %x (we are %x)",
2828 SSL_GETPID(), ss->fd, ss->version, SSL_LIBRARY_VERSION_2));
2829 /* server claims to be newer but does not follow protocol */
2830 PORT_SetError(SSL_ERROR_UNSUPPORTED_VERSION);
2831 goto loser;
2832 }
2833 }
2834
2835 if ((SSL_HL_SERVER_HELLO_HBYTES + certLen + csLen + cidLen
2836 > ss->gs.recordLen)
2837 || (csLen % 3) != 0
2838 /* || cidLen < SSL_CONNECTIONID_BYTES || cidLen > 32 */
2839 ) {
2840 goto bad_server;
2841 }
2842
2843 /* Save connection-id.
2844 ** This code only saves the first 16 byte of the connectionID.
2845 ** If the connectionID is shorter than 16 bytes, it is zero-padded.
2846 */
2847 if (cidLen < sizeof ss->sec.ci.connectionID)
2848 memset(ss->sec.ci.connectionID, 0, sizeof ss->sec.ci.connectionID);
2849 cidLen = PR_MIN(cidLen, sizeof ss->sec.ci.connectionID);
2850 PORT_Memcpy(ss->sec.ci.connectionID, cs + csLen, cidLen);
2851
2852 /* See if session-id hit */
2853 needed = CIS_HAVE_MASTER_KEY | CIS_HAVE_FINISHED | CIS_HAVE_VERIFY;
2854 if (sidHit) {
2855 if (certLen || csLen) {
2856 /* Uh oh - bogus server */
2857 SSL_DBG(("%d: SSL[%d]: client, huh? hit=%d certLen=%d csLen=%d",
2858 SSL_GETPID(), ss->fd, sidHit, certLen, csLen));
2859 goto bad_server;
2860 }
2861
2862 /* Total winner. */
2863 SSL_TRC(1, ("%d: SSL[%d]: client, using nonce for peer=0x%08x "
2864 "port=0x%04x",
2865 SSL_GETPID(), ss->fd, ss->sec.ci.peer, ss->sec.ci.port));
2866 ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
2867 ss->sec.authAlgorithm = sid->authAlgorithm;
2868 ss->sec.authKeyBits = sid->authKeyBits;
2869 ss->sec.keaType = sid->keaType;
2870 ss->sec.keaKeyBits = sid->keaKeyBits;
2871 rv = ssl2_CreateSessionCypher(ss, sid, PR_TRUE);
2872 if (rv != SECSuccess) {
2873 goto loser;
2874 }
2875 } else {
2876 if (certType != SSL_CT_X509_CERTIFICATE) {
2877 PORT_SetError(SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);
2878 goto loser;
2879 }
2880 if (csLen == 0) {
2881 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
2882 SSL_DBG(("%d: SSL[%d]: no cipher overlap",
2883 SSL_GETPID(), ss->fd));
2884 goto loser;
2885 }
2886 if (certLen == 0) {
2887 SSL_DBG(("%d: SSL[%d]: client, huh? certLen=%d csLen=%d",
2888 SSL_GETPID(), ss->fd, certLen, csLen));
2889 goto bad_server;
2890 }
2891
2892 if (sid->cached != never_cached) {
2893 /* Forget our session-id - server didn't like it */
2894 SSL_TRC(7, ("%d: SSL[%d]: server forgot me, uncaching session-id",
2895 SSL_GETPID(), ss->fd));
2896 (*ss->sec.uncache)(sid);
2897 ssl_FreeSID(sid);
2898 ss->sec.ci.sid = sid = (sslSessionID*) PORT_ZAlloc(sizeof(sslSessionID));
2899 if (!sid) {
2900 goto loser;
2901 }
2902 sid->references = 1;
2903 sid->addr = ss->sec.ci.peer;
2904 sid->port = ss->sec.ci.port;
2905 }
2906
2907 /* decode the server's certificate */
2908 rv = ssl2_ClientHandleServerCert(ss, cert, certLen);
2909 if (rv != SECSuccess) {
2910 if (PORT_GetError() == SSL_ERROR_BAD_CERTIFICATE) {
2911 (void) ssl2_SendErrorMessage(ss, SSL_PE_BAD_CERTIFICATE);
2912 }
2913 goto loser;
2914 }
2915
2916 /* Setup new session cipher */
2917 rv = ssl2_ClientSetupSessionCypher(ss, cs, csLen);
2918 if (rv != SECSuccess) {
2919 if (PORT_GetError() == SSL_ERROR_BAD_CERTIFICATE) {
2920 (void) ssl2_SendErrorMessage(ss, SSL_PE_BAD_CERTIFICATE);
2921 }
2922 goto loser;
2923 }
2924 }
2925
2926 /* Build up final list of required elements */
2927 ss->sec.ci.elements = CIS_HAVE_MASTER_KEY;
2928 ss->sec.ci.requiredElements = needed;
2929
2930 if (!sidHit) {
2931 /* verify the server's certificate. if sidHit, don't check signatures */
2932 rv = (* ss->authCertificate)(ss->authCertificateArg, ss->fd,
2933 (PRBool)(!sidHit), PR_FALSE);
2934 if (rv) {
2935 if (ss->handleBadCert) {
2936 rv = (*ss->handleBadCert)(ss->badCertArg, ss->fd);
2937 if ( rv ) {
2938 if ( rv == SECWouldBlock ) {
2939 /* someone will handle this connection asynchronously*/
2940
2941 SSL_DBG(("%d: SSL[%d]: go to async cert handler",
2942 SSL_GETPID(), ss->fd));
2943 ssl_ReleaseRecvBufLock(ss);
2944 ssl_SetAlwaysBlock(ss);
2945 return SECWouldBlock;
2946 }
2947 /* cert is bad */
2948 SSL_DBG(("%d: SSL[%d]: server certificate is no good: error=%d",
2949 SSL_GETPID(), ss->fd, PORT_GetError()));
2950 goto loser;
2951
2952 }
2953 /* cert is good */
2954 } else {
2955 SSL_DBG(("%d: SSL[%d]: server certificate is no good: error=%d",
2956 SSL_GETPID(), ss->fd, PORT_GetError()));
2957 goto loser;
2958 }
2959 }
2960 }
2961 /*
2962 ** At this point we have a completed session key and our session
2963 ** cipher is setup and ready to go. Switch to encrypted write routine
2964 ** as all future message data is to be encrypted.
2965 */
2966 ssl2_UseEncryptedSendFunc(ss);
2967
2968 rv = ssl2_TryToFinish(ss);
2969 if (rv != SECSuccess)
2970 goto loser;
2971
2972 ss->gs.recordLen = 0;
2973
2974 ssl_ReleaseRecvBufLock(ss);
2975
2976 if (ss->handshake == 0) {
2977 return SECSuccess;
2978 }
2979
2980 SSL_TRC(5, ("%d: SSL[%d]: got server-hello, required=0x%d got=0x%x",
2981 SSL_GETPID(), ss->fd, ss->sec.ci.requiredElements,
2982 ss->sec.ci.elements));
2983 ss->handshake = ssl_GatherRecord1stHandshake;
2984 ss->nextHandshake = ssl2_HandleVerifyMessage;
2985 return SECSuccess;
2986
2987 bad_server:
2988 PORT_SetError(SSL_ERROR_BAD_SERVER);
2989 /* FALL THROUGH */
2990
2991 loser:
2992 ssl_ReleaseRecvBufLock(ss);
2993 return SECFailure;
2994 }
2995
2996 /* Sends out the initial client Hello message on the connection.
2997 * Acquires and releases the socket's xmitBufLock.
2998 */
2999 SECStatus
ssl2_BeginClientHandshake(sslSocket * ss)3000 ssl2_BeginClientHandshake(sslSocket *ss)
3001 {
3002 sslSessionID *sid;
3003 PRUint8 *msg;
3004 PRUint8 *cp;
3005 PRUint8 *localCipherSpecs = NULL;
3006 unsigned int localCipherSize;
3007 unsigned int i;
3008 int sendLen, sidLen = 0;
3009 SECStatus rv;
3010
3011 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
3012
3013 ss->sec.isServer = 0;
3014 ss->sec.sendSequence = 0;
3015 ss->sec.rcvSequence = 0;
3016 ssl_ChooseSessionIDProcs(&ss->sec);
3017
3018 if (!ss->cipherSpecs) {
3019 rv = ssl2_ConstructCipherSpecs(ss);
3020 if (rv != SECSuccess)
3021 goto loser;
3022 }
3023
3024 /* count the SSL2 and SSL3 enabled ciphers.
3025 * if either is zero, clear the socket's enable for that protocol.
3026 */
3027 rv = ssl2_CheckConfigSanity(ss);
3028 if (rv != SECSuccess)
3029 goto loser;
3030
3031 /* Get peer name of server */
3032 rv = ssl_GetPeerInfo(ss);
3033 if (rv < 0) {
3034 #ifdef HPUX11
3035 /*
3036 * On some HP-UX B.11.00 systems, getpeername() occasionally
3037 * fails with ENOTCONN after a successful completion of
3038 * non-blocking connect. I found that if we do a write()
3039 * and then retry getpeername(), it will work.
3040 */
3041 if (PR_GetError() == PR_NOT_CONNECTED_ERROR) {
3042 char dummy;
3043 (void) PR_Write(ss->fd->lower, &dummy, 0);
3044 rv = ssl_GetPeerInfo(ss);
3045 if (rv < 0) {
3046 goto loser;
3047 }
3048 }
3049 #else
3050 goto loser;
3051 #endif
3052 }
3053
3054 SSL_TRC(3, ("%d: SSL[%d]: sending client-hello", SSL_GETPID(), ss->fd));
3055
3056 /* Try to find server in our session-id cache */
3057 if (ss->opt.noCache) {
3058 sid = NULL;
3059 } else {
3060 sid = ssl_LookupSID(&ss->sec.ci.peer, ss->sec.ci.port, ss->peerID,
3061 ss->url);
3062 }
3063 while (sid) { /* this isn't really a loop */
3064 /* if we're not doing this SID's protocol any more, drop it. */
3065 if (((sid->version < SSL_LIBRARY_VERSION_3_0) && !ss->opt.enableSSL2) ||
3066 ((sid->version == SSL_LIBRARY_VERSION_3_0) && !ss->opt.enableSSL3) ||
3067 ((sid->version > SSL_LIBRARY_VERSION_3_0) && !ss->opt.enableTLS)) {
3068 ss->sec.uncache(sid);
3069 ssl_FreeSID(sid);
3070 sid = NULL;
3071 break;
3072 }
3073 if (ss->opt.enableSSL2 && sid->version < SSL_LIBRARY_VERSION_3_0) {
3074 /* If the cipher in this sid is not enabled, drop it. */
3075 for (i = 0; i < ss->sizeCipherSpecs; i += 3) {
3076 if (ss->cipherSpecs[i] == sid->u.ssl2.cipherType)
3077 break;
3078 }
3079 if (i >= ss->sizeCipherSpecs) {
3080 ss->sec.uncache(sid);
3081 ssl_FreeSID(sid);
3082 sid = NULL;
3083 break;
3084 }
3085 }
3086 sidLen = sizeof(sid->u.ssl2.sessionID);
3087 PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl2.sessionID,
3088 sidLen));
3089 ss->version = sid->version;
3090 PORT_Assert(!ss->sec.localCert);
3091 if (ss->sec.localCert) {
3092 CERT_DestroyCertificate(ss->sec.localCert);
3093 }
3094 ss->sec.localCert = CERT_DupCertificate(sid->localCert);
3095 break; /* this isn't really a loop */
3096 }
3097 if (!sid) {
3098 sidLen = 0;
3099 sid = (sslSessionID*) PORT_ZAlloc(sizeof(sslSessionID));
3100 if (!sid) {
3101 goto loser;
3102 }
3103 sid->references = 1;
3104 sid->cached = never_cached;
3105 sid->addr = ss->sec.ci.peer;
3106 sid->port = ss->sec.ci.port;
3107 if (ss->peerID != NULL) {
3108 sid->peerID = PORT_Strdup(ss->peerID);
3109 }
3110 if (ss->url != NULL) {
3111 sid->urlSvrName = PORT_Strdup(ss->url);
3112 }
3113 }
3114 ss->sec.ci.sid = sid;
3115
3116 PORT_Assert(sid != NULL);
3117
3118 if ((sid->version >= SSL_LIBRARY_VERSION_3_0 || !ss->opt.v2CompatibleHello) &&
3119 (ss->opt.enableSSL3 || ss->opt.enableTLS)) {
3120
3121 ss->gs.state = GS_INIT;
3122 ss->handshake = ssl_GatherRecord1stHandshake;
3123
3124 /* ssl3_SendClientHello will override this if it succeeds. */
3125 ss->version = SSL_LIBRARY_VERSION_3_0;
3126
3127 ssl_GetXmitBufLock(ss); /***************************************/
3128 ssl_GetSSL3HandshakeLock(ss);
3129 rv = ssl3_SendClientHello(ss);
3130 ssl_ReleaseSSL3HandshakeLock(ss);
3131 ssl_ReleaseXmitBufLock(ss); /***************************************/
3132
3133 return rv;
3134 }
3135 #if defined(NSS_ENABLE_ECC) && !defined(NSS_ECC_MORE_THAN_SUITE_B)
3136 /* ensure we don't neogtiate ECC cipher suites with SSL2 hello */
3137 ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */
3138 if (ss->cipherSpecs != NULL) {
3139 PORT_Free(ss->cipherSpecs);
3140 ss->cipherSpecs = NULL;
3141 ss->sizeCipherSpecs = 0;
3142 }
3143 #endif
3144
3145 if (!ss->cipherSpecs) {
3146 rv = ssl2_ConstructCipherSpecs(ss);
3147 if (rv < 0) {
3148 return rv;
3149 }
3150 }
3151 localCipherSpecs = ss->cipherSpecs;
3152 localCipherSize = ss->sizeCipherSpecs;
3153
3154 sendLen = SSL_HL_CLIENT_HELLO_HBYTES + localCipherSize + sidLen +
3155 SSL_CHALLENGE_BYTES;
3156
3157 /* Generate challenge bytes for server */
3158 PK11_GenerateRandom(ss->sec.ci.clientChallenge, SSL_CHALLENGE_BYTES);
3159
3160 ssl_GetXmitBufLock(ss); /***************************************/
3161
3162 rv = ssl2_GetSendBuffer(ss, sendLen);
3163 if (rv)
3164 goto unlock_loser;
3165
3166 /* Construct client-hello message */
3167 cp = msg = ss->sec.ci.sendBuf.buf;
3168 msg[0] = SSL_MT_CLIENT_HELLO;
3169 if ( ss->opt.enableTLS ) {
3170 ss->clientHelloVersion = SSL_LIBRARY_VERSION_3_1_TLS;
3171 } else if ( ss->opt.enableSSL3 ) {
3172 ss->clientHelloVersion = SSL_LIBRARY_VERSION_3_0;
3173 } else {
3174 ss->clientHelloVersion = SSL_LIBRARY_VERSION_2;
3175 }
3176
3177 msg[1] = MSB(ss->clientHelloVersion);
3178 msg[2] = LSB(ss->clientHelloVersion);
3179 msg[3] = MSB(localCipherSize);
3180 msg[4] = LSB(localCipherSize);
3181 msg[5] = MSB(sidLen);
3182 msg[6] = LSB(sidLen);
3183 msg[7] = MSB(SSL_CHALLENGE_BYTES);
3184 msg[8] = LSB(SSL_CHALLENGE_BYTES);
3185 cp += SSL_HL_CLIENT_HELLO_HBYTES;
3186 PORT_Memcpy(cp, localCipherSpecs, localCipherSize);
3187 cp += localCipherSize;
3188 if (sidLen) {
3189 PORT_Memcpy(cp, sid->u.ssl2.sessionID, sidLen);
3190 cp += sidLen;
3191 }
3192 PORT_Memcpy(cp, ss->sec.ci.clientChallenge, SSL_CHALLENGE_BYTES);
3193
3194 /* Send it to the server */
3195 DUMP_MSG(29, (ss, msg, sendLen));
3196 ss->handshakeBegun = 1;
3197 rv = (*ss->sec.send)(ss, msg, sendLen, 0);
3198
3199 ssl_ReleaseXmitBufLock(ss); /***************************************/
3200
3201 if (rv < 0) {
3202 goto loser;
3203 }
3204
3205 rv = ssl3_StartHandshakeHash(ss, msg, sendLen);
3206 if (rv < 0) {
3207 goto loser;
3208 }
3209
3210 /* Setup to receive servers hello message */
3211 ssl_GetRecvBufLock(ss);
3212 ss->gs.recordLen = 0;
3213 ssl_ReleaseRecvBufLock(ss);
3214
3215 ss->handshake = ssl_GatherRecord1stHandshake;
3216 ss->nextHandshake = ssl2_HandleServerHelloMessage;
3217 return SECSuccess;
3218
3219 unlock_loser:
3220 ssl_ReleaseXmitBufLock(ss);
3221 loser:
3222 return SECFailure;
3223 }
3224
3225 /************************************************************************/
3226
3227 /* Handle the CLIENT-MASTER-KEY message.
3228 ** Acquires and releases RecvBufLock.
3229 ** Called from ssl2_HandleClientHelloMessage().
3230 */
3231 static SECStatus
ssl2_HandleClientSessionKeyMessage(sslSocket * ss)3232 ssl2_HandleClientSessionKeyMessage(sslSocket *ss)
3233 {
3234 PRUint8 * data;
3235 unsigned int caLen;
3236 unsigned int ckLen;
3237 unsigned int ekLen;
3238 unsigned int keyBits;
3239 int cipher;
3240 SECStatus rv;
3241
3242
3243 ssl_GetRecvBufLock(ss);
3244
3245 data = ss->gs.buf.buf + ss->gs.recordOffset;
3246 DUMP_MSG(29, (ss, data, ss->gs.recordLen));
3247
3248 if ((ss->gs.recordLen < SSL_HL_CLIENT_MASTER_KEY_HBYTES)
3249 || (data[0] != SSL_MT_CLIENT_MASTER_KEY)) {
3250 goto bad_client;
3251 }
3252 cipher = data[1];
3253 keyBits = (data[2] << 8) | data[3];
3254 ckLen = (data[4] << 8) | data[5];
3255 ekLen = (data[6] << 8) | data[7];
3256 caLen = (data[8] << 8) | data[9];
3257
3258 SSL_TRC(5, ("%d: SSL[%d]: session-key, cipher=%d keyBits=%d ckLen=%d ekLen=%d caLen=%d",
3259 SSL_GETPID(), ss->fd, cipher, keyBits, ckLen, ekLen, caLen));
3260
3261 if (ss->gs.recordLen <
3262 SSL_HL_CLIENT_MASTER_KEY_HBYTES + ckLen + ekLen + caLen) {
3263 SSL_DBG(("%d: SSL[%d]: protocol size mismatch dataLen=%d",
3264 SSL_GETPID(), ss->fd, ss->gs.recordLen));
3265 goto bad_client;
3266 }
3267
3268 /* Use info from client to setup session key */
3269 rv = ssl2_ServerSetupSessionCypher(ss, cipher, keyBits,
3270 data + SSL_HL_CLIENT_MASTER_KEY_HBYTES, ckLen,
3271 data + SSL_HL_CLIENT_MASTER_KEY_HBYTES + ckLen, ekLen,
3272 data + SSL_HL_CLIENT_MASTER_KEY_HBYTES + ckLen + ekLen, caLen);
3273 ss->gs.recordLen = 0; /* we're done with this record. */
3274
3275 ssl_ReleaseRecvBufLock(ss);
3276
3277 if (rv != SECSuccess) {
3278 goto loser;
3279 }
3280 ss->sec.ci.elements |= CIS_HAVE_MASTER_KEY;
3281 ssl2_UseEncryptedSendFunc(ss);
3282
3283 /* Send server verify message now that keys are established */
3284 rv = ssl2_SendServerVerifyMessage(ss);
3285 if (rv != SECSuccess)
3286 goto loser;
3287
3288 rv = ssl2_TryToFinish(ss);
3289 if (rv != SECSuccess)
3290 goto loser;
3291 if (ss->handshake == 0) {
3292 return SECSuccess;
3293 }
3294
3295 SSL_TRC(5, ("%d: SSL[%d]: server: waiting for elements=0x%d",
3296 SSL_GETPID(), ss->fd,
3297 ss->sec.ci.requiredElements ^ ss->sec.ci.elements));
3298 ss->handshake = ssl_GatherRecord1stHandshake;
3299 ss->nextHandshake = ssl2_HandleMessage;
3300
3301 return ssl2_TriggerNextMessage(ss);
3302
3303 bad_client:
3304 ssl_ReleaseRecvBufLock(ss);
3305 PORT_SetError(SSL_ERROR_BAD_CLIENT);
3306 /* FALLTHROUGH */
3307
3308 loser:
3309 return SECFailure;
3310 }
3311
3312 /*
3313 * attempt to restart the handshake after asynchronously handling
3314 * a request for the client's certificate.
3315 *
3316 * inputs:
3317 * cert Client cert chosen by application.
3318 * key Private key associated with cert.
3319 *
3320 * XXX: need to make ssl2 and ssl3 versions of this function agree on whether
3321 * they take the reference, or bump the ref count!
3322 *
3323 * Return value: XXX
3324 *
3325 * Caller holds 1stHandshakeLock.
3326 */
3327 int
ssl2_RestartHandshakeAfterCertReq(sslSocket * ss,CERTCertificate * cert,SECKEYPrivateKey * key)3328 ssl2_RestartHandshakeAfterCertReq(sslSocket * ss,
3329 CERTCertificate * cert,
3330 SECKEYPrivateKey * key)
3331 {
3332 int ret;
3333 SECStatus rv = SECSuccess;
3334 SECItem response;
3335
3336 if (ss->version >= SSL_LIBRARY_VERSION_3_0)
3337 return SECFailure;
3338
3339 response.data = NULL;
3340
3341 /* generate error if no cert or key */
3342 if ( ( cert == NULL ) || ( key == NULL ) ) {
3343 goto no_cert;
3344 }
3345
3346 /* generate signed response to the challenge */
3347 rv = ssl2_SignResponse(ss, key, &response);
3348 if ( rv != SECSuccess ) {
3349 goto no_cert;
3350 }
3351
3352 /* Send response message */
3353 ret = ssl2_SendCertificateResponseMessage(ss, &cert->derCert, &response);
3354 if (ret) {
3355 goto no_cert;
3356 }
3357
3358 /* try to finish the handshake */
3359 ret = ssl2_TryToFinish(ss);
3360 if (ret) {
3361 goto loser;
3362 }
3363
3364 /* done with handshake */
3365 if (ss->handshake == 0) {
3366 ret = SECSuccess;
3367 goto done;
3368 }
3369
3370 /* continue handshake */
3371 ssl_GetRecvBufLock(ss);
3372 ss->gs.recordLen = 0;
3373 ssl_ReleaseRecvBufLock(ss);
3374
3375 ss->handshake = ssl_GatherRecord1stHandshake;
3376 ss->nextHandshake = ssl2_HandleMessage;
3377 ret = ssl2_TriggerNextMessage(ss);
3378 goto done;
3379
3380 no_cert:
3381 /* no cert - send error */
3382 ret = ssl2_SendErrorMessage(ss, SSL_PE_NO_CERTIFICATE);
3383 goto done;
3384
3385 loser:
3386 ret = SECFailure;
3387 done:
3388 /* free allocated data */
3389 if ( response.data ) {
3390 PORT_Free(response.data);
3391 }
3392
3393 return ret;
3394 }
3395
3396
3397 /* restart an SSL connection that we stopped to run certificate dialogs
3398 ** XXX Need to document here how an application marks a cert to show that
3399 ** the application has accepted it (overridden CERT_VerifyCert).
3400 *
3401 * Return value: XXX
3402 *
3403 * Caller holds 1stHandshakeLock.
3404 */
3405 int
ssl2_RestartHandshakeAfterServerCert(sslSocket * ss)3406 ssl2_RestartHandshakeAfterServerCert(sslSocket *ss)
3407 {
3408 int rv = SECSuccess;
3409
3410 if (ss->version >= SSL_LIBRARY_VERSION_3_0)
3411 return SECFailure;
3412
3413 /* SSL 2
3414 ** At this point we have a completed session key and our session
3415 ** cipher is setup and ready to go. Switch to encrypted write routine
3416 ** as all future message data is to be encrypted.
3417 */
3418 ssl2_UseEncryptedSendFunc(ss);
3419
3420 rv = ssl2_TryToFinish(ss);
3421 if (rv == SECSuccess && ss->handshake != NULL) {
3422 /* handshake is not yet finished. */
3423
3424 SSL_TRC(5, ("%d: SSL[%d]: got server-hello, required=0x%d got=0x%x",
3425 SSL_GETPID(), ss->fd, ss->sec.ci.requiredElements,
3426 ss->sec.ci.elements));
3427
3428 ssl_GetRecvBufLock(ss);
3429 ss->gs.recordLen = 0; /* mark it all used up. */
3430 ssl_ReleaseRecvBufLock(ss);
3431
3432 ss->handshake = ssl_GatherRecord1stHandshake;
3433 ss->nextHandshake = ssl2_HandleVerifyMessage;
3434 }
3435
3436 return rv;
3437 }
3438
3439 /*
3440 ** Handle the initial hello message from the client
3441 **
3442 ** not static because ssl2_GatherData() tests ss->nextHandshake for this value.
3443 */
3444 SECStatus
ssl2_HandleClientHelloMessage(sslSocket * ss)3445 ssl2_HandleClientHelloMessage(sslSocket *ss)
3446 {
3447 sslSessionID *sid;
3448 sslServerCerts * sc;
3449 CERTCertificate *serverCert;
3450 PRUint8 *msg;
3451 PRUint8 *data;
3452 PRUint8 *cs;
3453 PRUint8 *sd;
3454 PRUint8 *cert = NULL;
3455 PRUint8 *challenge;
3456 unsigned int challengeLen;
3457 SECStatus rv;
3458 int csLen;
3459 int sendLen;
3460 int sdLen;
3461 int certLen;
3462 int pid;
3463 int sent;
3464 int gotXmitBufLock = 0;
3465 #if defined(SOLARIS) && defined(i386)
3466 volatile PRUint8 hit;
3467 #else
3468 int hit;
3469 #endif
3470 PRUint8 csImpl[sizeof implementedCipherSuites];
3471
3472 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
3473
3474 sc = ss->serverCerts + kt_rsa;
3475 serverCert = sc->serverCert;
3476
3477 ssl_GetRecvBufLock(ss);
3478
3479
3480 data = ss->gs.buf.buf + ss->gs.recordOffset;
3481 DUMP_MSG(29, (ss, data, ss->gs.recordLen));
3482
3483 /* Make sure first message has some data and is the client hello message */
3484 if ((ss->gs.recordLen < SSL_HL_CLIENT_HELLO_HBYTES)
3485 || (data[0] != SSL_MT_CLIENT_HELLO)) {
3486 goto bad_client;
3487 }
3488
3489 /* Get peer name of client */
3490 rv = ssl_GetPeerInfo(ss);
3491 if (rv != SECSuccess) {
3492 goto loser;
3493 }
3494
3495 /* Examine version information */
3496 /*
3497 * See if this might be a V2 client hello asking to use the V3 protocol
3498 */
3499 if ((data[0] == SSL_MT_CLIENT_HELLO) &&
3500 (data[1] >= MSB(SSL_LIBRARY_VERSION_3_0)) &&
3501 (ss->opt.enableSSL3 || ss->opt.enableTLS)) {
3502 rv = ssl3_HandleV2ClientHello(ss, data, ss->gs.recordLen);
3503 if (rv != SECFailure) { /* Success */
3504 ss->handshake = NULL;
3505 ss->nextHandshake = ssl_GatherRecord1stHandshake;
3506 ss->securityHandshake = NULL;
3507 ss->gs.state = GS_INIT;
3508
3509 /* ssl3_HandleV3ClientHello has set ss->version,
3510 ** and has gotten us a brand new sid.
3511 */
3512 ss->sec.ci.sid->version = ss->version;
3513 }
3514 ssl_ReleaseRecvBufLock(ss);
3515 return rv;
3516 }
3517 /* Previously, there was a test here to see if SSL2 was enabled.
3518 ** If not, an error code was set, and SECFailure was returned,
3519 ** without sending any error code to the other end of the connection.
3520 ** That test has been removed. If SSL2 has been disabled, there
3521 ** should be no SSL2 ciphers enabled, and consequently, the code
3522 ** below should send the ssl2 error message SSL_PE_NO_CYPHERS.
3523 ** We now believe this is the correct thing to do, even when SSL2
3524 ** has been explicitly disabled by the application.
3525 */
3526
3527 /* Extract info from message */
3528 ss->version = (data[1] << 8) | data[2];
3529
3530 /* If some client thinks ssl v2 is 2.0 instead of 0.2, we'll allow it. */
3531 if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
3532 ss->version = SSL_LIBRARY_VERSION_2;
3533 }
3534
3535 csLen = (data[3] << 8) | data[4];
3536 sdLen = (data[5] << 8) | data[6];
3537 challengeLen = (data[7] << 8) | data[8];
3538 cs = data + SSL_HL_CLIENT_HELLO_HBYTES;
3539 sd = cs + csLen;
3540 challenge = sd + sdLen;
3541 PRINT_BUF(7, (ss, "server, client session-id value:", sd, sdLen));
3542
3543 if (!csLen || (csLen % 3) != 0 ||
3544 (sdLen != 0 && sdLen != SSL2_SESSIONID_BYTES) ||
3545 challengeLen < SSL_MIN_CHALLENGE_BYTES ||
3546 challengeLen > SSL_MAX_CHALLENGE_BYTES ||
3547 (unsigned)ss->gs.recordLen !=
3548 SSL_HL_CLIENT_HELLO_HBYTES + csLen + sdLen + challengeLen) {
3549 SSL_DBG(("%d: SSL[%d]: bad client hello message, len=%d should=%d",
3550 SSL_GETPID(), ss->fd, ss->gs.recordLen,
3551 SSL_HL_CLIENT_HELLO_HBYTES+csLen+sdLen+challengeLen));
3552 goto bad_client;
3553 }
3554
3555 SSL_TRC(3, ("%d: SSL[%d]: client version is %x",
3556 SSL_GETPID(), ss->fd, ss->version));
3557 if (ss->version != SSL_LIBRARY_VERSION_2) {
3558 if (ss->version > SSL_LIBRARY_VERSION_2) {
3559 /*
3560 ** Newer client than us. Things are ok because new clients
3561 ** are required to be backwards compatible with old servers.
3562 ** Change version number to our version number so that client
3563 ** knows whats up.
3564 */
3565 ss->version = SSL_LIBRARY_VERSION_2;
3566 } else {
3567 SSL_TRC(1, ("%d: SSL[%d]: client version is %x (we are %x)",
3568 SSL_GETPID(), ss->fd, ss->version, SSL_LIBRARY_VERSION_2));
3569 PORT_SetError(SSL_ERROR_UNSUPPORTED_VERSION);
3570 goto loser;
3571 }
3572 }
3573
3574 /* Qualify cipher specs before returning them to client */
3575 csLen = ssl2_QualifyCypherSpecs(ss, cs, csLen);
3576 if (csLen == 0) {
3577 /* no overlap, send client our list of supported SSL v2 ciphers. */
3578 cs = csImpl;
3579 csLen = sizeof implementedCipherSuites;
3580 PORT_Memcpy(cs, implementedCipherSuites, csLen);
3581 csLen = ssl2_QualifyCypherSpecs(ss, cs, csLen);
3582 if (csLen == 0) {
3583 /* We don't support any SSL v2 ciphers! */
3584 ssl2_SendErrorMessage(ss, SSL_PE_NO_CYPHERS);
3585 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
3586 goto loser;
3587 }
3588 /* Since this handhsake is going to fail, don't cache it. */
3589 ss->opt.noCache = 1;
3590 }
3591
3592 /* Squirrel away the challenge for later */
3593 PORT_Memcpy(ss->sec.ci.clientChallenge, challenge, challengeLen);
3594
3595 /* Examine message and see if session-id is good */
3596 ss->sec.ci.elements = 0;
3597 if (sdLen > 0 && !ss->opt.noCache) {
3598 SSL_TRC(7, ("%d: SSL[%d]: server, lookup client session-id for 0x%08x%08x%08x%08x",
3599 SSL_GETPID(), ss->fd, ss->sec.ci.peer.pr_s6_addr32[0],
3600 ss->sec.ci.peer.pr_s6_addr32[1],
3601 ss->sec.ci.peer.pr_s6_addr32[2],
3602 ss->sec.ci.peer.pr_s6_addr32[3]));
3603 sid = (*ssl_sid_lookup)(&ss->sec.ci.peer, sd, sdLen, ss->dbHandle);
3604 } else {
3605 sid = NULL;
3606 }
3607 if (sid) {
3608 /* Got a good session-id. Short cut! */
3609 SSL_TRC(1, ("%d: SSL[%d]: server, using session-id for 0x%08x (age=%d)",
3610 SSL_GETPID(), ss->fd, ss->sec.ci.peer,
3611 ssl_Time() - sid->creationTime));
3612 PRINT_BUF(1, (ss, "session-id value:", sd, sdLen));
3613 ss->sec.ci.sid = sid;
3614 ss->sec.ci.elements = CIS_HAVE_MASTER_KEY;
3615 hit = 1;
3616 certLen = 0;
3617 csLen = 0;
3618
3619 ss->sec.authAlgorithm = sid->authAlgorithm;
3620 ss->sec.authKeyBits = sid->authKeyBits;
3621 ss->sec.keaType = sid->keaType;
3622 ss->sec.keaKeyBits = sid->keaKeyBits;
3623
3624 rv = ssl2_CreateSessionCypher(ss, sid, PR_FALSE);
3625 if (rv != SECSuccess) {
3626 goto loser;
3627 }
3628 } else {
3629 SECItem * derCert = &serverCert->derCert;
3630
3631 SSL_TRC(7, ("%d: SSL[%d]: server, lookup nonce missed",
3632 SSL_GETPID(), ss->fd));
3633 if (!serverCert) {
3634 SET_ERROR_CODE
3635 goto loser;
3636 }
3637 hit = 0;
3638 sid = (sslSessionID*) PORT_ZAlloc(sizeof(sslSessionID));
3639 if (!sid) {
3640 goto loser;
3641 }
3642 sid->references = 1;
3643 sid->addr = ss->sec.ci.peer;
3644 sid->port = ss->sec.ci.port;
3645
3646 /* Invent a session-id */
3647 ss->sec.ci.sid = sid;
3648 PK11_GenerateRandom(sid->u.ssl2.sessionID+2, SSL2_SESSIONID_BYTES-2);
3649
3650 pid = SSL_GETPID();
3651 sid->u.ssl2.sessionID[0] = MSB(pid);
3652 sid->u.ssl2.sessionID[1] = LSB(pid);
3653 cert = derCert->data;
3654 certLen = derCert->len;
3655
3656 /* pretend that server sids remember the local cert. */
3657 PORT_Assert(!sid->localCert);
3658 if (sid->localCert) {
3659 CERT_DestroyCertificate(sid->localCert);
3660 }
3661 sid->localCert = CERT_DupCertificate(serverCert);
3662
3663 ss->sec.authAlgorithm = ssl_sign_rsa;
3664 ss->sec.keaType = ssl_kea_rsa;
3665 ss->sec.keaKeyBits = \
3666 ss->sec.authKeyBits = ss->serverCerts[kt_rsa].serverKeyBits;
3667 }
3668
3669 /* server sids don't remember the local cert, so whether we found
3670 ** a sid or not, just "remember" we used the rsa server cert.
3671 */
3672 if (ss->sec.localCert) {
3673 CERT_DestroyCertificate(ss->sec.localCert);
3674 }
3675 ss->sec.localCert = CERT_DupCertificate(serverCert);
3676
3677 /* Build up final list of required elements */
3678 ss->sec.ci.requiredElements = CIS_HAVE_MASTER_KEY | CIS_HAVE_FINISHED;
3679 if (ss->opt.requestCertificate) {
3680 ss->sec.ci.requiredElements |= CIS_HAVE_CERTIFICATE;
3681 }
3682 ss->sec.ci.sentElements = 0;
3683
3684 /* Send hello message back to client */
3685 sendLen = SSL_HL_SERVER_HELLO_HBYTES + certLen + csLen
3686 + SSL_CONNECTIONID_BYTES;
3687
3688 ssl_GetXmitBufLock(ss); gotXmitBufLock = 1;
3689 rv = ssl2_GetSendBuffer(ss, sendLen);
3690 if (rv != SECSuccess) {
3691 goto loser;
3692 }
3693
3694 SSL_TRC(3, ("%d: SSL[%d]: sending server-hello (%d)",
3695 SSL_GETPID(), ss->fd, sendLen));
3696
3697 msg = ss->sec.ci.sendBuf.buf;
3698 msg[0] = SSL_MT_SERVER_HELLO;
3699 msg[1] = hit;
3700 msg[2] = SSL_CT_X509_CERTIFICATE;
3701 msg[3] = MSB(ss->version);
3702 msg[4] = LSB(ss->version);
3703 msg[5] = MSB(certLen);
3704 msg[6] = LSB(certLen);
3705 msg[7] = MSB(csLen);
3706 msg[8] = LSB(csLen);
3707 msg[9] = MSB(SSL_CONNECTIONID_BYTES);
3708 msg[10] = LSB(SSL_CONNECTIONID_BYTES);
3709 if (certLen) {
3710 PORT_Memcpy(msg+SSL_HL_SERVER_HELLO_HBYTES, cert, certLen);
3711 }
3712 if (csLen) {
3713 PORT_Memcpy(msg+SSL_HL_SERVER_HELLO_HBYTES+certLen, cs, csLen);
3714 }
3715 PORT_Memcpy(msg+SSL_HL_SERVER_HELLO_HBYTES+certLen+csLen,
3716 ss->sec.ci.connectionID, SSL_CONNECTIONID_BYTES);
3717
3718 DUMP_MSG(29, (ss, msg, sendLen));
3719
3720 ss->handshakeBegun = 1;
3721 sent = (*ss->sec.send)(ss, msg, sendLen, 0);
3722 if (sent < 0) {
3723 goto loser;
3724 }
3725 ssl_ReleaseXmitBufLock(ss); gotXmitBufLock = 0;
3726
3727 ss->gs.recordLen = 0;
3728 ss->handshake = ssl_GatherRecord1stHandshake;
3729 if (hit) {
3730 /* Old SID Session key is good. Go encrypted */
3731 ssl2_UseEncryptedSendFunc(ss);
3732
3733 /* Send server verify message now that keys are established */
3734 rv = ssl2_SendServerVerifyMessage(ss);
3735 if (rv != SECSuccess)
3736 goto loser;
3737
3738 ss->nextHandshake = ssl2_HandleMessage;
3739 ssl_ReleaseRecvBufLock(ss);
3740 rv = ssl2_TriggerNextMessage(ss);
3741 return rv;
3742 }
3743 ss->nextHandshake = ssl2_HandleClientSessionKeyMessage;
3744 ssl_ReleaseRecvBufLock(ss);
3745 return SECSuccess;
3746
3747 bad_client:
3748 PORT_SetError(SSL_ERROR_BAD_CLIENT);
3749 /* FALLTHROUGH */
3750
3751 loser:
3752 if (gotXmitBufLock) {
3753 ssl_ReleaseXmitBufLock(ss); gotXmitBufLock = 0;
3754 }
3755 SSL_TRC(10, ("%d: SSL[%d]: server, wait for client-hello lossage",
3756 SSL_GETPID(), ss->fd));
3757 ssl_ReleaseRecvBufLock(ss);
3758 return SECFailure;
3759 }
3760
3761 SECStatus
ssl2_BeginServerHandshake(sslSocket * ss)3762 ssl2_BeginServerHandshake(sslSocket *ss)
3763 {
3764 SECStatus rv;
3765 sslServerCerts * rsaAuth = ss->serverCerts + kt_rsa;
3766
3767 ss->sec.isServer = 1;
3768 ssl_ChooseSessionIDProcs(&ss->sec);
3769 ss->sec.sendSequence = 0;
3770 ss->sec.rcvSequence = 0;
3771
3772 /* don't turn on SSL2 if we don't have an RSA key and cert */
3773 if (!rsaAuth->serverKeyPair || !rsaAuth->SERVERKEY ||
3774 !rsaAuth->serverCert) {
3775 ss->opt.enableSSL2 = PR_FALSE;
3776 }
3777
3778 if (!ss->cipherSpecs) {
3779 rv = ssl2_ConstructCipherSpecs(ss);
3780 if (rv != SECSuccess)
3781 goto loser;
3782 }
3783
3784 /* count the SSL2 and SSL3 enabled ciphers.
3785 * if either is zero, clear the socket's enable for that protocol.
3786 */
3787 rv = ssl2_CheckConfigSanity(ss);
3788 if (rv != SECSuccess)
3789 goto loser;
3790
3791 /*
3792 ** Generate connection-id. Always do this, even if things fail
3793 ** immediately. This way the random number generator is always
3794 ** rolling around, every time we get a connection.
3795 */
3796 PK11_GenerateRandom(ss->sec.ci.connectionID,
3797 sizeof(ss->sec.ci.connectionID));
3798
3799 ss->gs.recordLen = 0;
3800 ss->handshake = ssl_GatherRecord1stHandshake;
3801 ss->nextHandshake = ssl2_HandleClientHelloMessage;
3802 return SECSuccess;
3803
3804 loser:
3805 return SECFailure;
3806 }
3807
3808 /* This function doesn't really belong in this file.
3809 ** It's here to keep AIX compilers from optimizing it away,
3810 ** and not including it in the DSO.
3811 */
3812
3813 #include "nss.h"
3814 extern const char __nss_ssl_rcsid[];
3815 extern const char __nss_ssl_sccsid[];
3816
3817 PRBool
NSSSSL_VersionCheck(const char * importedVersion)3818 NSSSSL_VersionCheck(const char *importedVersion)
3819 {
3820 /*
3821 * This is the secret handshake algorithm.
3822 *
3823 * This release has a simple version compatibility
3824 * check algorithm. This release is not backward
3825 * compatible with previous major releases. It is
3826 * not compatible with future major, minor, or
3827 * patch releases.
3828 */
3829 volatile char c; /* force a reference that won't get optimized away */
3830
3831 c = __nss_ssl_rcsid[0] + __nss_ssl_sccsid[0];
3832 return NSS_VersionCheck(importedVersion);
3833 }
3834