1 /*
2 * SSL v2 handshake functions, and functions common to SSL2 and SSL3.
3 *
4 * This Source Code Form is subject to the terms of the Mozilla Public
5 * License, v. 2.0. If a copy of the MPL was not distributed with this
6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7
8 #include "nssrenam.h"
9 #include "cert.h"
10 #include "secitem.h"
11 #include "sechash.h"
12 #include "cryptohi.h" /* for SGN_ funcs */
13 #include "keyhi.h" /* for SECKEY_ high level functions. */
14 #include "ssl.h"
15 #include "sslimpl.h"
16 #include "sslproto.h"
17 #include "ssl3prot.h"
18 #include "sslerr.h"
19 #include "pk11func.h"
20 #include "prinit.h"
21 #include "prtime.h" /* for PR_Now() */
22
23 #define XXX
24 static PRBool policyWasSet;
25
26 /* This ordered list is indexed by (SSL_CK_xx * 3) */
27 /* Second and third bytes are MSB and LSB of master key length. */
28 static const PRUint8 allCipherSuites[] = {
29 0, 0, 0,
30 SSL_CK_RC4_128_WITH_MD5, 0x00, 0x80,
31 SSL_CK_RC4_128_EXPORT40_WITH_MD5, 0x00, 0x80,
32 SSL_CK_RC2_128_CBC_WITH_MD5, 0x00, 0x80,
33 SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5, 0x00, 0x80,
34 SSL_CK_IDEA_128_CBC_WITH_MD5, 0x00, 0x80,
35 SSL_CK_DES_64_CBC_WITH_MD5, 0x00, 0x40,
36 SSL_CK_DES_192_EDE3_CBC_WITH_MD5, 0x00, 0xC0,
37 0, 0, 0
38 };
39
40 #define ssl2_NUM_SUITES_IMPLEMENTED 6
41
42 /* This list is sent back to the client when the client-hello message
43 * contains no overlapping ciphers, so the client can report what ciphers
44 * are supported by the server. Unlike allCipherSuites (above), this list
45 * is sorted by descending preference, not by cipherSuite number.
46 */
47 static const PRUint8 implementedCipherSuites[ssl2_NUM_SUITES_IMPLEMENTED * 3] = {
48 SSL_CK_RC4_128_WITH_MD5, 0x00, 0x80,
49 SSL_CK_RC2_128_CBC_WITH_MD5, 0x00, 0x80,
50 SSL_CK_DES_192_EDE3_CBC_WITH_MD5, 0x00, 0xC0,
51 SSL_CK_DES_64_CBC_WITH_MD5, 0x00, 0x40,
52 SSL_CK_RC4_128_EXPORT40_WITH_MD5, 0x00, 0x80,
53 SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5, 0x00, 0x80
54 };
55
56 typedef struct ssl2SpecsStr {
57 PRUint8 nkm; /* do this many hashes to generate key material. */
58 PRUint8 nkd; /* size of readKey and writeKey in bytes. */
59 PRUint8 blockSize;
60 PRUint8 blockShift;
61 CK_MECHANISM_TYPE mechanism;
62 PRUint8 keyLen; /* cipher symkey size in bytes. */
63 PRUint8 pubLen; /* publicly reveal this many bytes of key. */
64 PRUint8 ivLen; /* length of IV data at *ca. */
65 } ssl2Specs;
66
67 static const ssl2Specs ssl_Specs[] = {
68 /* NONE */
69 { 0, 0, 0, 0, },
70 /* SSL_CK_RC4_128_WITH_MD5 */
71 { 2, 16, 1, 0, CKM_RC4, 16, 0, 0, },
72 /* SSL_CK_RC4_128_EXPORT40_WITH_MD5 */
73 { 2, 16, 1, 0, CKM_RC4, 16, 11, 0, },
74 /* SSL_CK_RC2_128_CBC_WITH_MD5 */
75 { 2, 16, 8, 3, CKM_RC2_CBC, 16, 0, 8, },
76 /* SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 */
77 { 2, 16, 8, 3, CKM_RC2_CBC, 16, 11, 8, },
78 /* SSL_CK_IDEA_128_CBC_WITH_MD5 */
79 { 0, 0, 0, 0, },
80 /* SSL_CK_DES_64_CBC_WITH_MD5 */
81 { 1, 8, 8, 3, CKM_DES_CBC, 8, 0, 8, },
82 /* SSL_CK_DES_192_EDE3_CBC_WITH_MD5 */
83 { 3, 24, 8, 3, CKM_DES3_CBC, 24, 0, 8, },
84 };
85
86 #define SET_ERROR_CODE /* reminder */
87 #define TEST_FOR_FAILURE /* reminder */
88
89 /*
90 ** Put a string tag in the library so that we can examine an executable
91 ** and see what kind of security it supports.
92 */
93 const char *ssl_version = "SECURITY_VERSION:"
94 " +us"
95 " +export"
96 #ifdef TRACE
97 " +trace"
98 #endif
99 #ifdef DEBUG
100 " +debug"
101 #endif
102 ;
103
104 const char * const ssl_cipherName[] = {
105 "unknown",
106 "RC4",
107 "RC4-Export",
108 "RC2-CBC",
109 "RC2-CBC-Export",
110 "IDEA-CBC",
111 "DES-CBC",
112 "DES-EDE3-CBC",
113 "unknown",
114 "unknown", /* was fortezza, NO LONGER USED */
115 };
116
117
118 /* bit-masks, showing which SSLv2 suites are allowed.
119 * lsb corresponds to first cipher suite in allCipherSuites[].
120 */
121 static PRUint16 allowedByPolicy; /* all off by default */
122 static PRUint16 maybeAllowedByPolicy; /* all off by default */
123 static PRUint16 chosenPreference = 0xff; /* all on by default */
124
125 /* bit values for the above two bit masks */
126 #define SSL_CB_RC4_128_WITH_MD5 (1 << SSL_CK_RC4_128_WITH_MD5)
127 #define SSL_CB_RC4_128_EXPORT40_WITH_MD5 (1 << SSL_CK_RC4_128_EXPORT40_WITH_MD5)
128 #define SSL_CB_RC2_128_CBC_WITH_MD5 (1 << SSL_CK_RC2_128_CBC_WITH_MD5)
129 #define SSL_CB_RC2_128_CBC_EXPORT40_WITH_MD5 (1 << SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5)
130 #define SSL_CB_IDEA_128_CBC_WITH_MD5 (1 << SSL_CK_IDEA_128_CBC_WITH_MD5)
131 #define SSL_CB_DES_64_CBC_WITH_MD5 (1 << SSL_CK_DES_64_CBC_WITH_MD5)
132 #define SSL_CB_DES_192_EDE3_CBC_WITH_MD5 (1 << SSL_CK_DES_192_EDE3_CBC_WITH_MD5)
133 #define SSL_CB_IMPLEMENTED \
134 (SSL_CB_RC4_128_WITH_MD5 | \
135 SSL_CB_RC4_128_EXPORT40_WITH_MD5 | \
136 SSL_CB_RC2_128_CBC_WITH_MD5 | \
137 SSL_CB_RC2_128_CBC_EXPORT40_WITH_MD5 | \
138 SSL_CB_DES_64_CBC_WITH_MD5 | \
139 SSL_CB_DES_192_EDE3_CBC_WITH_MD5)
140
141
142 /* Construct a socket's list of cipher specs from the global default values.
143 */
144 static SECStatus
ssl2_ConstructCipherSpecs(sslSocket * ss)145 ssl2_ConstructCipherSpecs(sslSocket *ss)
146 {
147 PRUint8 * cs = NULL;
148 unsigned int allowed;
149 unsigned int count;
150 int ssl3_count = 0;
151 int final_count;
152 int i;
153 SECStatus rv;
154
155 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
156
157 count = 0;
158 PORT_Assert(ss != 0);
159 allowed = !ss->opt.enableSSL2 ? 0 :
160 (ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED);
161 while (allowed) {
162 if (allowed & 1)
163 ++count;
164 allowed >>= 1;
165 }
166
167 /* Call ssl3_config_match_init() once here,
168 * instead of inside ssl3_ConstructV2CipherSpecsHack(),
169 * because the latter gets called twice below,
170 * and then again in ssl2_BeginClientHandshake().
171 */
172 ssl3_config_match_init(ss);
173
174 /* ask SSL3 how many cipher suites it has. */
175 rv = ssl3_ConstructV2CipherSpecsHack(ss, NULL, &ssl3_count);
176 if (rv < 0)
177 return rv;
178 count += ssl3_count;
179
180 /* Allocate memory to hold cipher specs */
181 if (count > 0)
182 cs = (PRUint8*) PORT_Alloc(count * 3);
183 else
184 PORT_SetError(SSL_ERROR_SSL_DISABLED);
185 if (cs == NULL)
186 return SECFailure;
187
188 if (ss->cipherSpecs != NULL) {
189 PORT_Free(ss->cipherSpecs);
190 }
191 ss->cipherSpecs = cs;
192 ss->sizeCipherSpecs = count * 3;
193
194 /* fill in cipher specs for SSL2 cipher suites */
195 allowed = !ss->opt.enableSSL2 ? 0 :
196 (ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED);
197 for (i = 0; i < ssl2_NUM_SUITES_IMPLEMENTED * 3; i += 3) {
198 const PRUint8 * hs = implementedCipherSuites + i;
199 int ok = allowed & (1U << hs[0]);
200 if (ok) {
201 cs[0] = hs[0];
202 cs[1] = hs[1];
203 cs[2] = hs[2];
204 cs += 3;
205 }
206 }
207
208 /* now have SSL3 add its suites onto the end */
209 rv = ssl3_ConstructV2CipherSpecsHack(ss, cs, &final_count);
210
211 /* adjust for any difference between first pass and second pass */
212 ss->sizeCipherSpecs -= (ssl3_count - final_count) * 3;
213
214 return rv;
215 }
216
217 /* This function is called immediately after ssl2_ConstructCipherSpecs()
218 ** at the beginning of a handshake. It detects cases where a protocol
219 ** (e.g. SSL2 or SSL3) is logically enabled, but all its cipher suites
220 ** for that protocol have been disabled. If such cases, it clears the
221 ** enable bit for the protocol. If no protocols remain enabled, or
222 ** if no cipher suites are found, it sets the error code and returns
223 ** SECFailure, otherwise it returns SECSuccess.
224 */
225 static SECStatus
ssl2_CheckConfigSanity(sslSocket * ss)226 ssl2_CheckConfigSanity(sslSocket *ss)
227 {
228 unsigned int allowed;
229 int ssl3CipherCount = 0;
230 SECStatus rv;
231
232 /* count the SSL2 and SSL3 enabled ciphers.
233 * if either is zero, clear the socket's enable for that protocol.
234 */
235 if (!ss->cipherSpecs)
236 goto disabled;
237
238 allowed = ss->allowedByPolicy & ss->chosenPreference;
239 if (! allowed)
240 ss->opt.enableSSL2 = PR_FALSE; /* not really enabled if no ciphers */
241
242 /* ssl3_config_match_init was called in ssl2_ConstructCipherSpecs(). */
243 /* Ask how many ssl3 CipherSuites were enabled. */
244 rv = ssl3_ConstructV2CipherSpecsHack(ss, NULL, &ssl3CipherCount);
245 if (rv != SECSuccess || ssl3CipherCount <= 0) {
246 /* SSL3/TLS not really enabled if no ciphers */
247 ss->vrange.min = SSL_LIBRARY_VERSION_NONE;
248 ss->vrange.max = SSL_LIBRARY_VERSION_NONE;
249 }
250
251 if (!ss->opt.enableSSL2 && SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
252 SSL_DBG(("%d: SSL[%d]: Can't handshake! all versions disabled.",
253 SSL_GETPID(), ss->fd));
254 disabled:
255 PORT_SetError(SSL_ERROR_SSL_DISABLED);
256 return SECFailure;
257 }
258 return SECSuccess;
259 }
260
261 /*
262 * Since this is a global (not per-socket) setting, we cannot use the
263 * HandshakeLock to protect this. Probably want a global lock.
264 */
265 SECStatus
ssl2_SetPolicy(PRInt32 which,PRInt32 policy)266 ssl2_SetPolicy(PRInt32 which, PRInt32 policy)
267 {
268 PRUint32 bitMask;
269 SECStatus rv = SECSuccess;
270
271 which &= 0x000f;
272 bitMask = 1 << which;
273
274 if (!(bitMask & SSL_CB_IMPLEMENTED)) {
275 PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
276 return SECFailure;
277 }
278
279 if (policy == SSL_ALLOWED) {
280 allowedByPolicy |= bitMask;
281 maybeAllowedByPolicy |= bitMask;
282 } else if (policy == SSL_RESTRICTED) {
283 allowedByPolicy &= ~bitMask;
284 maybeAllowedByPolicy |= bitMask;
285 } else {
286 allowedByPolicy &= ~bitMask;
287 maybeAllowedByPolicy &= ~bitMask;
288 }
289 allowedByPolicy &= SSL_CB_IMPLEMENTED;
290 maybeAllowedByPolicy &= SSL_CB_IMPLEMENTED;
291
292 policyWasSet = PR_TRUE;
293 return rv;
294 }
295
296 SECStatus
ssl2_GetPolicy(PRInt32 which,PRInt32 * oPolicy)297 ssl2_GetPolicy(PRInt32 which, PRInt32 *oPolicy)
298 {
299 PRUint32 bitMask;
300 PRInt32 policy;
301
302 which &= 0x000f;
303 bitMask = 1 << which;
304
305 /* Caller assures oPolicy is not null. */
306 if (!(bitMask & SSL_CB_IMPLEMENTED)) {
307 PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
308 *oPolicy = SSL_NOT_ALLOWED;
309 return SECFailure;
310 }
311
312 if (maybeAllowedByPolicy & bitMask) {
313 policy = (allowedByPolicy & bitMask) ? SSL_ALLOWED : SSL_RESTRICTED;
314 } else {
315 policy = SSL_NOT_ALLOWED;
316 }
317
318 *oPolicy = policy;
319 return SECSuccess;
320 }
321
322 /*
323 * Since this is a global (not per-socket) setting, we cannot use the
324 * HandshakeLock to protect this. Probably want a global lock.
325 * Called from SSL_CipherPrefSetDefault in sslsock.c
326 * These changes have no effect on any sslSockets already created.
327 */
328 SECStatus
ssl2_CipherPrefSetDefault(PRInt32 which,PRBool enabled)329 ssl2_CipherPrefSetDefault(PRInt32 which, PRBool enabled)
330 {
331 PRUint32 bitMask;
332
333 which &= 0x000f;
334 bitMask = 1 << which;
335
336 if (!(bitMask & SSL_CB_IMPLEMENTED)) {
337 PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
338 return SECFailure;
339 }
340
341 if (enabled)
342 chosenPreference |= bitMask;
343 else
344 chosenPreference &= ~bitMask;
345 chosenPreference &= SSL_CB_IMPLEMENTED;
346
347 return SECSuccess;
348 }
349
350 SECStatus
ssl2_CipherPrefGetDefault(PRInt32 which,PRBool * enabled)351 ssl2_CipherPrefGetDefault(PRInt32 which, PRBool *enabled)
352 {
353 PRBool rv = PR_FALSE;
354 PRUint32 bitMask;
355
356 which &= 0x000f;
357 bitMask = 1 << which;
358
359 if (!(bitMask & SSL_CB_IMPLEMENTED)) {
360 PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
361 *enabled = PR_FALSE;
362 return SECFailure;
363 }
364
365 rv = (PRBool)((chosenPreference & bitMask) != 0);
366 *enabled = rv;
367 return SECSuccess;
368 }
369
370 SECStatus
ssl2_CipherPrefSet(sslSocket * ss,PRInt32 which,PRBool enabled)371 ssl2_CipherPrefSet(sslSocket *ss, PRInt32 which, PRBool enabled)
372 {
373 PRUint32 bitMask;
374
375 which &= 0x000f;
376 bitMask = 1 << which;
377
378 if (!(bitMask & SSL_CB_IMPLEMENTED)) {
379 PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
380 return SECFailure;
381 }
382
383 if (enabled)
384 ss->chosenPreference |= bitMask;
385 else
386 ss->chosenPreference &= ~bitMask;
387 ss->chosenPreference &= SSL_CB_IMPLEMENTED;
388
389 return SECSuccess;
390 }
391
392 SECStatus
ssl2_CipherPrefGet(sslSocket * ss,PRInt32 which,PRBool * enabled)393 ssl2_CipherPrefGet(sslSocket *ss, PRInt32 which, PRBool *enabled)
394 {
395 PRBool rv = PR_FALSE;
396 PRUint32 bitMask;
397
398 which &= 0x000f;
399 bitMask = 1 << which;
400
401 if (!(bitMask & SSL_CB_IMPLEMENTED)) {
402 PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
403 *enabled = PR_FALSE;
404 return SECFailure;
405 }
406
407 rv = (PRBool)((ss->chosenPreference & bitMask) != 0);
408 *enabled = rv;
409 return SECSuccess;
410 }
411
412
413 /* copy global default policy into socket. */
414 void
ssl2_InitSocketPolicy(sslSocket * ss)415 ssl2_InitSocketPolicy(sslSocket *ss)
416 {
417 ss->allowedByPolicy = allowedByPolicy;
418 ss->maybeAllowedByPolicy = maybeAllowedByPolicy;
419 ss->chosenPreference = chosenPreference;
420 }
421
422
423 /************************************************************************/
424
425 /* Called from ssl2_CreateSessionCypher(), which already holds handshake lock.
426 */
427 static SECStatus
ssl2_CreateMAC(sslSecurityInfo * sec,SECItem * readKey,SECItem * writeKey,int cipherChoice)428 ssl2_CreateMAC(sslSecurityInfo *sec, SECItem *readKey, SECItem *writeKey,
429 int cipherChoice)
430 {
431 switch (cipherChoice) {
432
433 case SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5:
434 case SSL_CK_RC2_128_CBC_WITH_MD5:
435 case SSL_CK_RC4_128_EXPORT40_WITH_MD5:
436 case SSL_CK_RC4_128_WITH_MD5:
437 case SSL_CK_DES_64_CBC_WITH_MD5:
438 case SSL_CK_DES_192_EDE3_CBC_WITH_MD5:
439 sec->hash = HASH_GetHashObject(HASH_AlgMD5);
440 SECITEM_CopyItem(0, &sec->sendSecret, writeKey);
441 SECITEM_CopyItem(0, &sec->rcvSecret, readKey);
442 break;
443
444 default:
445 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
446 return SECFailure;
447 }
448 sec->hashcx = (*sec->hash->create)();
449 if (sec->hashcx == NULL)
450 return SECFailure;
451 return SECSuccess;
452 }
453
454 /************************************************************************
455 * All the Send functions below must acquire and release the socket's
456 * xmitBufLock.
457 */
458
459 /* Called from all the Send* functions below. */
460 static SECStatus
ssl2_GetSendBuffer(sslSocket * ss,unsigned int len)461 ssl2_GetSendBuffer(sslSocket *ss, unsigned int len)
462 {
463 SECStatus rv = SECSuccess;
464
465 PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
466
467 if (len < 128) {
468 len = 128;
469 }
470 if (len > ss->sec.ci.sendBuf.space) {
471 rv = sslBuffer_Grow(&ss->sec.ci.sendBuf, len);
472 if (rv != SECSuccess) {
473 SSL_DBG(("%d: SSL[%d]: ssl2_GetSendBuffer failed, tried to get %d bytes",
474 SSL_GETPID(), ss->fd, len));
475 rv = SECFailure;
476 }
477 }
478 return rv;
479 }
480
481 /* Called from:
482 * ssl2_ClientSetupSessionCypher() <- ssl2_HandleServerHelloMessage()
483 * ssl2_HandleRequestCertificate() <- ssl2_HandleMessage() <-
484 ssl_Do1stHandshake()
485 * ssl2_HandleMessage() <- ssl_Do1stHandshake()
486 * ssl2_HandleServerHelloMessage() <- ssl_Do1stHandshake()
487 after ssl2_BeginClientHandshake()
488 * ssl2_HandleClientHelloMessage() <- ssl_Do1stHandshake()
489 after ssl2_BeginServerHandshake()
490 *
491 * Acquires and releases the socket's xmitBufLock.
492 */
493 int
ssl2_SendErrorMessage(sslSocket * ss,int error)494 ssl2_SendErrorMessage(sslSocket *ss, int error)
495 {
496 int rv;
497 PRUint8 msg[SSL_HL_ERROR_HBYTES];
498
499 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
500
501 msg[0] = SSL_MT_ERROR;
502 msg[1] = MSB(error);
503 msg[2] = LSB(error);
504
505 ssl_GetXmitBufLock(ss); /***************************************/
506
507 SSL_TRC(3, ("%d: SSL[%d]: sending error %d", SSL_GETPID(), ss->fd, error));
508
509 ss->handshakeBegun = 1;
510 rv = (*ss->sec.send)(ss, msg, sizeof(msg), 0);
511 if (rv >= 0) {
512 rv = SECSuccess;
513 }
514 ssl_ReleaseXmitBufLock(ss); /***************************************/
515 return rv;
516 }
517
518 /* Called from ssl2_TryToFinish().
519 * Acquires and releases the socket's xmitBufLock.
520 */
521 static SECStatus
ssl2_SendClientFinishedMessage(sslSocket * ss)522 ssl2_SendClientFinishedMessage(sslSocket *ss)
523 {
524 SECStatus rv = SECSuccess;
525 int sent;
526 PRUint8 msg[1 + SSL_CONNECTIONID_BYTES];
527
528 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
529
530 ssl_GetXmitBufLock(ss); /***************************************/
531
532 if (ss->sec.ci.sentFinished == 0) {
533 ss->sec.ci.sentFinished = 1;
534
535 SSL_TRC(3, ("%d: SSL[%d]: sending client-finished",
536 SSL_GETPID(), ss->fd));
537
538 msg[0] = SSL_MT_CLIENT_FINISHED;
539 PORT_Memcpy(msg+1, ss->sec.ci.connectionID,
540 sizeof(ss->sec.ci.connectionID));
541
542 DUMP_MSG(29, (ss, msg, 1 + sizeof(ss->sec.ci.connectionID)));
543 sent = (*ss->sec.send)(ss, msg, 1 + sizeof(ss->sec.ci.connectionID), 0);
544 rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
545 }
546 ssl_ReleaseXmitBufLock(ss); /***************************************/
547 return rv;
548 }
549
550 /* Called from
551 * ssl2_HandleClientSessionKeyMessage() <- ssl2_HandleClientHelloMessage()
552 * ssl2_HandleClientHelloMessage() <- ssl_Do1stHandshake()
553 after ssl2_BeginServerHandshake()
554 * Acquires and releases the socket's xmitBufLock.
555 */
556 static SECStatus
ssl2_SendServerVerifyMessage(sslSocket * ss)557 ssl2_SendServerVerifyMessage(sslSocket *ss)
558 {
559 PRUint8 * msg;
560 int sendLen;
561 int sent;
562 SECStatus rv;
563
564 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
565
566 ssl_GetXmitBufLock(ss); /***************************************/
567
568 sendLen = 1 + SSL_CHALLENGE_BYTES;
569 rv = ssl2_GetSendBuffer(ss, sendLen);
570 if (rv != SECSuccess) {
571 goto done;
572 }
573
574 msg = ss->sec.ci.sendBuf.buf;
575 msg[0] = SSL_MT_SERVER_VERIFY;
576 PORT_Memcpy(msg+1, ss->sec.ci.clientChallenge, SSL_CHALLENGE_BYTES);
577
578 DUMP_MSG(29, (ss, msg, sendLen));
579 sent = (*ss->sec.send)(ss, msg, sendLen, 0);
580
581 rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
582
583 done:
584 ssl_ReleaseXmitBufLock(ss); /***************************************/
585 return rv;
586 }
587
588 /* Called from ssl2_TryToFinish().
589 * Acquires and releases the socket's xmitBufLock.
590 */
591 static SECStatus
ssl2_SendServerFinishedMessage(sslSocket * ss)592 ssl2_SendServerFinishedMessage(sslSocket *ss)
593 {
594 sslSessionID * sid;
595 PRUint8 * msg;
596 int sendLen, sent;
597 SECStatus rv = SECSuccess;
598
599 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
600
601 ssl_GetXmitBufLock(ss); /***************************************/
602
603 if (ss->sec.ci.sentFinished == 0) {
604 ss->sec.ci.sentFinished = 1;
605 PORT_Assert(ss->sec.ci.sid != 0);
606 sid = ss->sec.ci.sid;
607
608 SSL_TRC(3, ("%d: SSL[%d]: sending server-finished",
609 SSL_GETPID(), ss->fd));
610
611 sendLen = 1 + sizeof(sid->u.ssl2.sessionID);
612 rv = ssl2_GetSendBuffer(ss, sendLen);
613 if (rv != SECSuccess) {
614 goto done;
615 }
616
617 msg = ss->sec.ci.sendBuf.buf;
618 msg[0] = SSL_MT_SERVER_FINISHED;
619 PORT_Memcpy(msg+1, sid->u.ssl2.sessionID,
620 sizeof(sid->u.ssl2.sessionID));
621
622 DUMP_MSG(29, (ss, msg, sendLen));
623 sent = (*ss->sec.send)(ss, msg, sendLen, 0);
624
625 if (sent < 0) {
626 /* If send failed, it is now a bogus session-id */
627 if (ss->sec.uncache)
628 (*ss->sec.uncache)(sid);
629 rv = (SECStatus)sent;
630 } else if (!ss->opt.noCache) {
631 /* Put the sid in session-id cache, (may already be there) */
632 (*ss->sec.cache)(sid);
633 rv = SECSuccess;
634 }
635 ssl_FreeSID(sid);
636 ss->sec.ci.sid = 0;
637 }
638 done:
639 ssl_ReleaseXmitBufLock(ss); /***************************************/
640 return rv;
641 }
642
643 /* Called from ssl2_ClientSetupSessionCypher() <-
644 * ssl2_HandleServerHelloMessage()
645 * after ssl2_BeginClientHandshake()
646 * Acquires and releases the socket's xmitBufLock.
647 */
648 static SECStatus
ssl2_SendSessionKeyMessage(sslSocket * ss,int cipher,int keySize,PRUint8 * ca,int caLen,PRUint8 * ck,int ckLen,PRUint8 * ek,int ekLen)649 ssl2_SendSessionKeyMessage(sslSocket *ss, int cipher, int keySize,
650 PRUint8 *ca, int caLen,
651 PRUint8 *ck, int ckLen,
652 PRUint8 *ek, int ekLen)
653 {
654 PRUint8 * msg;
655 int sendLen;
656 int sent;
657 SECStatus rv;
658
659 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
660
661 ssl_GetXmitBufLock(ss); /***************************************/
662
663 sendLen = SSL_HL_CLIENT_MASTER_KEY_HBYTES + ckLen + ekLen + caLen;
664 rv = ssl2_GetSendBuffer(ss, sendLen);
665 if (rv != SECSuccess)
666 goto done;
667
668 SSL_TRC(3, ("%d: SSL[%d]: sending client-session-key",
669 SSL_GETPID(), ss->fd));
670
671 msg = ss->sec.ci.sendBuf.buf;
672 msg[0] = SSL_MT_CLIENT_MASTER_KEY;
673 msg[1] = cipher;
674 msg[2] = MSB(keySize);
675 msg[3] = LSB(keySize);
676 msg[4] = MSB(ckLen);
677 msg[5] = LSB(ckLen);
678 msg[6] = MSB(ekLen);
679 msg[7] = LSB(ekLen);
680 msg[8] = MSB(caLen);
681 msg[9] = LSB(caLen);
682 PORT_Memcpy(msg+SSL_HL_CLIENT_MASTER_KEY_HBYTES, ck, ckLen);
683 PORT_Memcpy(msg+SSL_HL_CLIENT_MASTER_KEY_HBYTES+ckLen, ek, ekLen);
684 PORT_Memcpy(msg+SSL_HL_CLIENT_MASTER_KEY_HBYTES+ckLen+ekLen, ca, caLen);
685
686 DUMP_MSG(29, (ss, msg, sendLen));
687 sent = (*ss->sec.send)(ss, msg, sendLen, 0);
688 rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
689 done:
690 ssl_ReleaseXmitBufLock(ss); /***************************************/
691 return rv;
692 }
693
694 /* Called from ssl2_TriggerNextMessage() <- ssl2_HandleMessage()
695 * Acquires and releases the socket's xmitBufLock.
696 */
697 static SECStatus
ssl2_SendCertificateRequestMessage(sslSocket * ss)698 ssl2_SendCertificateRequestMessage(sslSocket *ss)
699 {
700 PRUint8 * msg;
701 int sent;
702 int sendLen;
703 SECStatus rv;
704
705 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
706
707 ssl_GetXmitBufLock(ss); /***************************************/
708
709 sendLen = SSL_HL_REQUEST_CERTIFICATE_HBYTES + SSL_CHALLENGE_BYTES;
710 rv = ssl2_GetSendBuffer(ss, sendLen);
711 if (rv != SECSuccess)
712 goto done;
713
714 SSL_TRC(3, ("%d: SSL[%d]: sending certificate request",
715 SSL_GETPID(), ss->fd));
716
717 /* Generate random challenge for client to encrypt */
718 PK11_GenerateRandom(ss->sec.ci.serverChallenge, SSL_CHALLENGE_BYTES);
719
720 msg = ss->sec.ci.sendBuf.buf;
721 msg[0] = SSL_MT_REQUEST_CERTIFICATE;
722 msg[1] = SSL_AT_MD5_WITH_RSA_ENCRYPTION;
723 PORT_Memcpy(msg + SSL_HL_REQUEST_CERTIFICATE_HBYTES,
724 ss->sec.ci.serverChallenge, SSL_CHALLENGE_BYTES);
725
726 DUMP_MSG(29, (ss, msg, sendLen));
727 sent = (*ss->sec.send)(ss, msg, sendLen, 0);
728 rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
729 done:
730 ssl_ReleaseXmitBufLock(ss); /***************************************/
731 return rv;
732 }
733
734 /* Called from ssl2_HandleRequestCertificate() <- ssl2_HandleMessage()
735 * Acquires and releases the socket's xmitBufLock.
736 */
737 static int
ssl2_SendCertificateResponseMessage(sslSocket * ss,SECItem * cert,SECItem * encCode)738 ssl2_SendCertificateResponseMessage(sslSocket *ss, SECItem *cert,
739 SECItem *encCode)
740 {
741 PRUint8 *msg;
742 int rv, sendLen;
743
744 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
745
746 ssl_GetXmitBufLock(ss); /***************************************/
747
748 sendLen = SSL_HL_CLIENT_CERTIFICATE_HBYTES + encCode->len + cert->len;
749 rv = ssl2_GetSendBuffer(ss, sendLen);
750 if (rv)
751 goto done;
752
753 SSL_TRC(3, ("%d: SSL[%d]: sending certificate response",
754 SSL_GETPID(), ss->fd));
755
756 msg = ss->sec.ci.sendBuf.buf;
757 msg[0] = SSL_MT_CLIENT_CERTIFICATE;
758 msg[1] = SSL_CT_X509_CERTIFICATE;
759 msg[2] = MSB(cert->len);
760 msg[3] = LSB(cert->len);
761 msg[4] = MSB(encCode->len);
762 msg[5] = LSB(encCode->len);
763 PORT_Memcpy(msg + SSL_HL_CLIENT_CERTIFICATE_HBYTES, cert->data, cert->len);
764 PORT_Memcpy(msg + SSL_HL_CLIENT_CERTIFICATE_HBYTES + cert->len,
765 encCode->data, encCode->len);
766
767 DUMP_MSG(29, (ss, msg, sendLen));
768 rv = (*ss->sec.send)(ss, msg, sendLen, 0);
769 if (rv >= 0) {
770 rv = SECSuccess;
771 }
772 done:
773 ssl_ReleaseXmitBufLock(ss); /***************************************/
774 return rv;
775 }
776
777 /********************************************************************
778 ** Send functions above this line must aquire & release the socket's
779 ** xmitBufLock.
780 ** All the ssl2_Send functions below this line are called vis ss->sec.send
781 ** and require that the caller hold the xmitBufLock.
782 */
783
784 /*
785 ** Called from ssl2_SendStream, ssl2_SendBlock, but not from ssl2_SendClear.
786 */
787 static SECStatus
ssl2_CalcMAC(PRUint8 * result,sslSecurityInfo * sec,const PRUint8 * data,unsigned int dataLen,unsigned int paddingLen)788 ssl2_CalcMAC(PRUint8 * result,
789 sslSecurityInfo * sec,
790 const PRUint8 * data,
791 unsigned int dataLen,
792 unsigned int paddingLen)
793 {
794 const PRUint8 * secret = sec->sendSecret.data;
795 unsigned int secretLen = sec->sendSecret.len;
796 unsigned long sequenceNumber = sec->sendSequence;
797 unsigned int nout;
798 PRUint8 seq[4];
799 PRUint8 padding[32];/* XXX max blocksize? */
800
801 if (!sec->hash || !sec->hash->length)
802 return SECSuccess;
803 if (!sec->hashcx)
804 return SECFailure;
805
806 /* Reset hash function */
807 (*sec->hash->begin)(sec->hashcx);
808
809 /* Feed hash the data */
810 (*sec->hash->update)(sec->hashcx, secret, secretLen);
811 (*sec->hash->update)(sec->hashcx, data, dataLen);
812 PORT_Memset(padding, paddingLen, paddingLen);
813 (*sec->hash->update)(sec->hashcx, padding, paddingLen);
814
815 seq[0] = (PRUint8) (sequenceNumber >> 24);
816 seq[1] = (PRUint8) (sequenceNumber >> 16);
817 seq[2] = (PRUint8) (sequenceNumber >> 8);
818 seq[3] = (PRUint8) (sequenceNumber);
819
820 PRINT_BUF(60, (0, "calc-mac secret:", secret, secretLen));
821 PRINT_BUF(60, (0, "calc-mac data:", data, dataLen));
822 PRINT_BUF(60, (0, "calc-mac padding:", padding, paddingLen));
823 PRINT_BUF(60, (0, "calc-mac seq:", seq, 4));
824
825 (*sec->hash->update)(sec->hashcx, seq, 4);
826
827 /* Get result */
828 (*sec->hash->end)(sec->hashcx, result, &nout, sec->hash->length);
829
830 return SECSuccess;
831 }
832
833 /*
834 ** Maximum transmission amounts. These are tiny bit smaller than they
835 ** need to be (they account for the MAC length plus some padding),
836 ** assuming the MAC is 16 bytes long and the padding is a max of 7 bytes
837 ** long. This gives an additional 9 bytes of slop to work within.
838 */
839 #define MAX_STREAM_CYPHER_LEN 0x7fe0
840 #define MAX_BLOCK_CYPHER_LEN 0x3fe0
841
842 /*
843 ** Send some data in the clear.
844 ** Package up data with the length header and send it.
845 **
846 ** Return count of bytes successfully written, or negative number (failure).
847 */
848 static PRInt32
ssl2_SendClear(sslSocket * ss,const PRUint8 * in,PRInt32 len,PRInt32 flags)849 ssl2_SendClear(sslSocket *ss, const PRUint8 *in, PRInt32 len, PRInt32 flags)
850 {
851 PRUint8 * out;
852 int rv;
853 int amount;
854 int count = 0;
855
856 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
857
858 SSL_TRC(10, ("%d: SSL[%d]: sending %d bytes in the clear",
859 SSL_GETPID(), ss->fd, len));
860 PRINT_BUF(50, (ss, "clear data:", (PRUint8*) in, len));
861
862 while (len) {
863 amount = PR_MIN( len, MAX_STREAM_CYPHER_LEN );
864 if (amount + 2 > ss->sec.writeBuf.space) {
865 rv = sslBuffer_Grow(&ss->sec.writeBuf, amount + 2);
866 if (rv != SECSuccess) {
867 count = rv;
868 break;
869 }
870 }
871 out = ss->sec.writeBuf.buf;
872
873 /*
874 ** Construct message.
875 */
876 out[0] = 0x80 | MSB(amount);
877 out[1] = LSB(amount);
878 PORT_Memcpy(&out[2], in, amount);
879
880 /* Now send the data */
881 rv = ssl_DefSend(ss, out, amount + 2, flags & ~ssl_SEND_FLAG_MASK);
882 if (rv < 0) {
883 if (PORT_GetError() == PR_WOULD_BLOCK_ERROR) {
884 rv = 0;
885 } else {
886 /* Return short write if some data already went out... */
887 if (count == 0)
888 count = rv;
889 break;
890 }
891 }
892
893 if ((unsigned)rv < (amount + 2)) {
894 /* Short write. Save the data and return. */
895 if (ssl_SaveWriteData(ss, out + rv, amount + 2 - rv)
896 == SECFailure) {
897 count = SECFailure;
898 } else {
899 count += amount;
900 ss->sec.sendSequence++;
901 }
902 break;
903 }
904
905 ss->sec.sendSequence++;
906 in += amount;
907 count += amount;
908 len -= amount;
909 }
910
911 return count;
912 }
913
914 /*
915 ** Send some data, when using a stream cipher. Stream ciphers have a
916 ** block size of 1. Package up the data with the length header
917 ** and send it.
918 */
919 static PRInt32
ssl2_SendStream(sslSocket * ss,const PRUint8 * in,PRInt32 len,PRInt32 flags)920 ssl2_SendStream(sslSocket *ss, const PRUint8 *in, PRInt32 len, PRInt32 flags)
921 {
922 PRUint8 * out;
923 int rv;
924 int count = 0;
925
926 int amount;
927 PRUint8 macLen;
928 int nout;
929 int buflen;
930
931 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
932
933 SSL_TRC(10, ("%d: SSL[%d]: sending %d bytes using stream cipher",
934 SSL_GETPID(), ss->fd, len));
935 PRINT_BUF(50, (ss, "clear data:", (PRUint8*) in, len));
936
937 while (len) {
938 ssl_GetSpecReadLock(ss); /*************************************/
939
940 macLen = ss->sec.hash->length;
941 amount = PR_MIN( len, MAX_STREAM_CYPHER_LEN );
942 buflen = amount + 2 + macLen;
943 if (buflen > ss->sec.writeBuf.space) {
944 rv = sslBuffer_Grow(&ss->sec.writeBuf, buflen);
945 if (rv != SECSuccess) {
946 goto loser;
947 }
948 }
949 out = ss->sec.writeBuf.buf;
950 nout = amount + macLen;
951 out[0] = 0x80 | MSB(nout);
952 out[1] = LSB(nout);
953
954 /* Calculate MAC */
955 rv = ssl2_CalcMAC(out+2, /* put MAC here */
956 &ss->sec,
957 in, amount, /* input addr & length */
958 0); /* no padding */
959 if (rv != SECSuccess)
960 goto loser;
961
962 /* Encrypt MAC */
963 rv = (*ss->sec.enc)(ss->sec.writecx, out+2, &nout, macLen, out+2, macLen);
964 if (rv) goto loser;
965
966 /* Encrypt data from caller */
967 rv = (*ss->sec.enc)(ss->sec.writecx, out+2+macLen, &nout, amount, in, amount);
968 if (rv) goto loser;
969
970 ssl_ReleaseSpecReadLock(ss); /*************************************/
971
972 PRINT_BUF(50, (ss, "encrypted data:", out, buflen));
973
974 rv = ssl_DefSend(ss, out, buflen, flags & ~ssl_SEND_FLAG_MASK);
975 if (rv < 0) {
976 if (PORT_GetError() == PR_WOULD_BLOCK_ERROR) {
977 SSL_TRC(50, ("%d: SSL[%d]: send stream would block, "
978 "saving data", SSL_GETPID(), ss->fd));
979 rv = 0;
980 } else {
981 SSL_TRC(10, ("%d: SSL[%d]: send stream error %d",
982 SSL_GETPID(), ss->fd, PORT_GetError()));
983 /* Return short write if some data already went out... */
984 if (count == 0)
985 count = rv;
986 goto done;
987 }
988 }
989
990 if ((unsigned)rv < buflen) {
991 /* Short write. Save the data and return. */
992 if (ssl_SaveWriteData(ss, out + rv, buflen - rv) == SECFailure) {
993 count = SECFailure;
994 } else {
995 count += amount;
996 ss->sec.sendSequence++;
997 }
998 goto done;
999 }
1000
1001 ss->sec.sendSequence++;
1002 in += amount;
1003 count += amount;
1004 len -= amount;
1005 }
1006
1007 done:
1008 return count;
1009
1010 loser:
1011 ssl_ReleaseSpecReadLock(ss);
1012 return SECFailure;
1013 }
1014
1015 /*
1016 ** Send some data, when using a block cipher. Package up the data with
1017 ** the length header and send it.
1018 */
1019 /* XXX assumes blocksize is > 7 */
1020 static PRInt32
ssl2_SendBlock(sslSocket * ss,const PRUint8 * in,PRInt32 len,PRInt32 flags)1021 ssl2_SendBlock(sslSocket *ss, const PRUint8 *in, PRInt32 len, PRInt32 flags)
1022 {
1023 PRUint8 * out; /* begining of output buffer. */
1024 PRUint8 * op; /* next output byte goes here. */
1025 int rv; /* value from funcs we called. */
1026 int count = 0; /* this function's return value. */
1027
1028 unsigned int hlen; /* output record hdr len, 2 or 3 */
1029 unsigned int macLen; /* MAC is this many bytes long. */
1030 int amount; /* of plaintext to go in record. */
1031 unsigned int padding; /* add this many padding byte. */
1032 int nout; /* ciphertext size after header. */
1033 int buflen; /* size of generated record. */
1034
1035 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
1036
1037 SSL_TRC(10, ("%d: SSL[%d]: sending %d bytes using block cipher",
1038 SSL_GETPID(), ss->fd, len));
1039 PRINT_BUF(50, (ss, "clear data:", in, len));
1040
1041 while (len) {
1042 ssl_GetSpecReadLock(ss); /*************************************/
1043
1044 macLen = ss->sec.hash->length;
1045 /* Figure out how much to send, including mac and padding */
1046 amount = PR_MIN( len, MAX_BLOCK_CYPHER_LEN );
1047 nout = amount + macLen;
1048 padding = nout & (ss->sec.blockSize - 1);
1049 if (padding) {
1050 hlen = 3;
1051 padding = ss->sec.blockSize - padding;
1052 nout += padding;
1053 } else {
1054 hlen = 2;
1055 }
1056 buflen = hlen + nout;
1057 if (buflen > ss->sec.writeBuf.space) {
1058 rv = sslBuffer_Grow(&ss->sec.writeBuf, buflen);
1059 if (rv != SECSuccess) {
1060 goto loser;
1061 }
1062 }
1063 out = ss->sec.writeBuf.buf;
1064
1065 /* Construct header */
1066 op = out;
1067 if (padding) {
1068 *op++ = MSB(nout);
1069 *op++ = LSB(nout);
1070 *op++ = padding;
1071 } else {
1072 *op++ = 0x80 | MSB(nout);
1073 *op++ = LSB(nout);
1074 }
1075
1076 /* Calculate MAC */
1077 rv = ssl2_CalcMAC(op, /* MAC goes here. */
1078 &ss->sec,
1079 in, amount, /* intput addr, len */
1080 padding);
1081 if (rv != SECSuccess)
1082 goto loser;
1083 op += macLen;
1084
1085 /* Copy in the input data */
1086 /* XXX could eliminate the copy by folding it into the encryption */
1087 PORT_Memcpy(op, in, amount);
1088 op += amount;
1089 if (padding) {
1090 PORT_Memset(op, padding, padding);
1091 op += padding;
1092 }
1093
1094 /* Encrypt result */
1095 rv = (*ss->sec.enc)(ss->sec.writecx, out+hlen, &nout, buflen-hlen,
1096 out+hlen, op - (out + hlen));
1097 if (rv)
1098 goto loser;
1099
1100 ssl_ReleaseSpecReadLock(ss); /*************************************/
1101
1102 PRINT_BUF(50, (ss, "final xmit data:", out, op - out));
1103
1104 rv = ssl_DefSend(ss, out, op - out, flags & ~ssl_SEND_FLAG_MASK);
1105 if (rv < 0) {
1106 if (PORT_GetError() == PR_WOULD_BLOCK_ERROR) {
1107 rv = 0;
1108 } else {
1109 SSL_TRC(10, ("%d: SSL[%d]: send block error %d",
1110 SSL_GETPID(), ss->fd, PORT_GetError()));
1111 /* Return short write if some data already went out... */
1112 if (count == 0)
1113 count = rv;
1114 goto done;
1115 }
1116 }
1117
1118 if (rv < (op - out)) {
1119 /* Short write. Save the data and return. */
1120 if (ssl_SaveWriteData(ss, out + rv, op - out - rv) == SECFailure) {
1121 count = SECFailure;
1122 } else {
1123 count += amount;
1124 ss->sec.sendSequence++;
1125 }
1126 goto done;
1127 }
1128
1129 ss->sec.sendSequence++;
1130 in += amount;
1131 count += amount;
1132 len -= amount;
1133 }
1134
1135 done:
1136 return count;
1137
1138 loser:
1139 ssl_ReleaseSpecReadLock(ss);
1140 return SECFailure;
1141 }
1142
1143 /*
1144 ** Called from: ssl2_HandleServerHelloMessage,
1145 ** ssl2_HandleClientSessionKeyMessage,
1146 ** ssl2_HandleClientHelloMessage,
1147 **
1148 */
1149 static void
ssl2_UseEncryptedSendFunc(sslSocket * ss)1150 ssl2_UseEncryptedSendFunc(sslSocket *ss)
1151 {
1152 ssl_GetXmitBufLock(ss);
1153 PORT_Assert(ss->sec.hashcx != 0);
1154
1155 ss->gs.encrypted = 1;
1156 ss->sec.send = (ss->sec.blockSize > 1) ? ssl2_SendBlock : ssl2_SendStream;
1157 ssl_ReleaseXmitBufLock(ss);
1158 }
1159
1160 /* Called while initializing socket in ssl_CreateSecurityInfo().
1161 ** This function allows us to keep the name of ssl2_SendClear static.
1162 */
1163 void
ssl2_UseClearSendFunc(sslSocket * ss)1164 ssl2_UseClearSendFunc(sslSocket *ss)
1165 {
1166 ss->sec.send = ssl2_SendClear;
1167 }
1168
1169 /************************************************************************
1170 ** END of Send functions. *
1171 *************************************************************************/
1172
1173 /***********************************************************************
1174 * For SSL3, this gathers in and handles records/messages until either
1175 * the handshake is complete or application data is available.
1176 *
1177 * For SSL2, this gathers in only the next SSLV2 record.
1178 *
1179 * Called from ssl_Do1stHandshake() via function pointer ss->handshake.
1180 * Caller must hold handshake lock.
1181 * This function acquires and releases the RecvBufLock.
1182 *
1183 * returns SECSuccess for success.
1184 * returns SECWouldBlock when that value is returned by ssl2_GatherRecord() or
1185 * ssl3_GatherCompleteHandshake().
1186 * returns SECFailure on all other errors.
1187 *
1188 * The gather functions called by ssl_GatherRecord1stHandshake are expected
1189 * to return values interpreted as follows:
1190 * 1 : the function completed without error.
1191 * 0 : the function read EOF.
1192 * -1 : read error, or PR_WOULD_BLOCK_ERROR, or handleRecord error.
1193 * -2 : the function wants ssl_GatherRecord1stHandshake to be called again
1194 * immediately, by ssl_Do1stHandshake.
1195 *
1196 * This code is similar to, and easily confused with, DoRecv() in sslsecur.c
1197 *
1198 * This function is called from ssl_Do1stHandshake().
1199 * The following functions put ssl_GatherRecord1stHandshake into ss->handshake:
1200 * ssl2_HandleMessage
1201 * ssl2_HandleVerifyMessage
1202 * ssl2_HandleServerHelloMessage
1203 * ssl2_BeginClientHandshake
1204 * ssl2_HandleClientSessionKeyMessage
1205 * ssl3_RestartHandshakeAfterCertReq
1206 * ssl3_RestartHandshakeAfterServerCert
1207 * ssl2_HandleClientHelloMessage
1208 * ssl2_BeginServerHandshake
1209 */
1210 SECStatus
ssl_GatherRecord1stHandshake(sslSocket * ss)1211 ssl_GatherRecord1stHandshake(sslSocket *ss)
1212 {
1213 int rv;
1214
1215 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
1216
1217 ssl_GetRecvBufLock(ss);
1218
1219 /* The special case DTLS logic is needed here because the SSL/TLS
1220 * version wants to auto-detect SSL2 vs. SSL3 on the initial handshake
1221 * (ss->version == 0) but with DTLS it gets confused, so we force the
1222 * SSL3 version.
1223 */
1224 if ((ss->version >= SSL_LIBRARY_VERSION_3_0) || IS_DTLS(ss)) {
1225 /* Wait for handshake to complete, or application data to arrive. */
1226 rv = ssl3_GatherCompleteHandshake(ss, 0);
1227 } else {
1228 /* See if we have a complete record */
1229 rv = ssl2_GatherRecord(ss, 0);
1230 }
1231 SSL_TRC(10, ("%d: SSL[%d]: handshake gathering, rv=%d",
1232 SSL_GETPID(), ss->fd, rv));
1233
1234 ssl_ReleaseRecvBufLock(ss);
1235
1236 if (rv <= 0) {
1237 if (rv == SECWouldBlock) {
1238 /* Progress is blocked waiting for callback completion. */
1239 SSL_TRC(10, ("%d: SSL[%d]: handshake blocked (need %d)",
1240 SSL_GETPID(), ss->fd, ss->gs.remainder));
1241 return SECWouldBlock;
1242 }
1243 if (rv == 0) {
1244 /* EOF. Loser */
1245 PORT_SetError(PR_END_OF_FILE_ERROR);
1246 }
1247 return SECFailure; /* rv is < 0 here. */
1248 }
1249
1250 SSL_TRC(10, ("%d: SSL[%d]: got handshake record of %d bytes",
1251 SSL_GETPID(), ss->fd, ss->gs.recordLen));
1252
1253 ss->handshake = 0; /* makes ssl_Do1stHandshake call ss->nextHandshake.*/
1254 return SECSuccess;
1255 }
1256
1257 /************************************************************************/
1258
1259 /* Called from ssl2_ServerSetupSessionCypher()
1260 * ssl2_ClientSetupSessionCypher()
1261 */
1262 static SECStatus
ssl2_FillInSID(sslSessionID * sid,int cipher,PRUint8 * keyData,int keyLen,PRUint8 * ca,int caLen,int keyBits,int secretKeyBits,SSLSignType authAlgorithm,PRUint32 authKeyBits,SSLKEAType keaType,PRUint32 keaKeyBits)1263 ssl2_FillInSID(sslSessionID * sid,
1264 int cipher,
1265 PRUint8 *keyData,
1266 int keyLen,
1267 PRUint8 *ca,
1268 int caLen,
1269 int keyBits,
1270 int secretKeyBits,
1271 SSLSignType authAlgorithm,
1272 PRUint32 authKeyBits,
1273 SSLKEAType keaType,
1274 PRUint32 keaKeyBits)
1275 {
1276 PORT_Assert(sid->references == 1);
1277 PORT_Assert(sid->cached == never_cached);
1278 PORT_Assert(sid->u.ssl2.masterKey.data == 0);
1279 PORT_Assert(sid->u.ssl2.cipherArg.data == 0);
1280
1281 sid->version = SSL_LIBRARY_VERSION_2;
1282
1283 sid->u.ssl2.cipherType = cipher;
1284 sid->u.ssl2.masterKey.data = (PRUint8*) PORT_Alloc(keyLen);
1285 if (!sid->u.ssl2.masterKey.data) {
1286 return SECFailure;
1287 }
1288 PORT_Memcpy(sid->u.ssl2.masterKey.data, keyData, keyLen);
1289 sid->u.ssl2.masterKey.len = keyLen;
1290 sid->u.ssl2.keyBits = keyBits;
1291 sid->u.ssl2.secretKeyBits = secretKeyBits;
1292 sid->authAlgorithm = authAlgorithm;
1293 sid->authKeyBits = authKeyBits;
1294 sid->keaType = keaType;
1295 sid->keaKeyBits = keaKeyBits;
1296 sid->lastAccessTime = sid->creationTime = ssl_Time();
1297 sid->expirationTime = sid->creationTime + ssl_sid_timeout;
1298
1299 if (caLen) {
1300 sid->u.ssl2.cipherArg.data = (PRUint8*) PORT_Alloc(caLen);
1301 if (!sid->u.ssl2.cipherArg.data) {
1302 return SECFailure;
1303 }
1304 sid->u.ssl2.cipherArg.len = caLen;
1305 PORT_Memcpy(sid->u.ssl2.cipherArg.data, ca, caLen);
1306 }
1307 return SECSuccess;
1308 }
1309
1310 /*
1311 ** Construct session keys given the masterKey (tied to the session-id),
1312 ** the client's challenge and the server's nonce.
1313 **
1314 ** Called from ssl2_CreateSessionCypher() <-
1315 */
1316 static SECStatus
ssl2_ProduceKeys(sslSocket * ss,SECItem * readKey,SECItem * writeKey,SECItem * masterKey,PRUint8 * challenge,PRUint8 * nonce,int cipherType)1317 ssl2_ProduceKeys(sslSocket * ss,
1318 SECItem * readKey,
1319 SECItem * writeKey,
1320 SECItem * masterKey,
1321 PRUint8 * challenge,
1322 PRUint8 * nonce,
1323 int cipherType)
1324 {
1325 PK11Context * cx = 0;
1326 unsigned nkm = 0; /* number of hashes to generate key mat. */
1327 unsigned nkd = 0; /* size of readKey and writeKey. */
1328 unsigned part;
1329 unsigned i;
1330 unsigned off;
1331 SECStatus rv;
1332 PRUint8 countChar;
1333 PRUint8 km[3*16]; /* buffer for key material. */
1334
1335 readKey->data = 0;
1336 writeKey->data = 0;
1337
1338 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
1339
1340 rv = SECSuccess;
1341 cx = PK11_CreateDigestContext(SEC_OID_MD5);
1342 if (cx == NULL) {
1343 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
1344 return SECFailure;
1345 }
1346
1347 nkm = ssl_Specs[cipherType].nkm;
1348 nkd = ssl_Specs[cipherType].nkd;
1349
1350 readKey->data = (PRUint8*) PORT_Alloc(nkd);
1351 if (!readKey->data)
1352 goto loser;
1353 readKey->len = nkd;
1354
1355 writeKey->data = (PRUint8*) PORT_Alloc(nkd);
1356 if (!writeKey->data)
1357 goto loser;
1358 writeKey->len = nkd;
1359
1360 /* Produce key material */
1361 countChar = '0';
1362 for (i = 0, off = 0; i < nkm; i++, off += 16) {
1363 rv = PK11_DigestBegin(cx);
1364 rv |= PK11_DigestOp(cx, masterKey->data, masterKey->len);
1365 rv |= PK11_DigestOp(cx, &countChar, 1);
1366 rv |= PK11_DigestOp(cx, challenge, SSL_CHALLENGE_BYTES);
1367 rv |= PK11_DigestOp(cx, nonce, SSL_CONNECTIONID_BYTES);
1368 rv |= PK11_DigestFinal(cx, km+off, &part, MD5_LENGTH);
1369 if (rv != SECSuccess) {
1370 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
1371 rv = SECFailure;
1372 goto loser;
1373 }
1374 countChar++;
1375 }
1376
1377 /* Produce keys */
1378 PORT_Memcpy(readKey->data, km, nkd);
1379 PORT_Memcpy(writeKey->data, km + nkd, nkd);
1380
1381 loser:
1382 PK11_DestroyContext(cx, PR_TRUE);
1383 return rv;
1384 }
1385
1386 /* Called from ssl2_ServerSetupSessionCypher()
1387 ** <- ssl2_HandleClientSessionKeyMessage()
1388 ** <- ssl2_HandleClientHelloMessage()
1389 ** and from ssl2_ClientSetupSessionCypher()
1390 ** <- ssl2_HandleServerHelloMessage()
1391 */
1392 static SECStatus
ssl2_CreateSessionCypher(sslSocket * ss,sslSessionID * sid,PRBool isClient)1393 ssl2_CreateSessionCypher(sslSocket *ss, sslSessionID *sid, PRBool isClient)
1394 {
1395 SECItem * rk = NULL;
1396 SECItem * wk = NULL;
1397 SECItem * param;
1398 SECStatus rv;
1399 int cipherType = sid->u.ssl2.cipherType;
1400 PK11SlotInfo * slot = NULL;
1401 CK_MECHANISM_TYPE mechanism;
1402 SECItem readKey;
1403 SECItem writeKey;
1404
1405 void *readcx = 0;
1406 void *writecx = 0;
1407 readKey.data = 0;
1408 writeKey.data = 0;
1409
1410 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
1411 if (ss->sec.ci.sid == 0)
1412 goto sec_loser; /* don't crash if asserts are off */
1413
1414 /* Trying to cut down on all these switch statements that should be tables.
1415 * So, test cipherType once, here, and then use tables below.
1416 */
1417 switch (cipherType) {
1418 case SSL_CK_RC4_128_EXPORT40_WITH_MD5:
1419 case SSL_CK_RC4_128_WITH_MD5:
1420 case SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5:
1421 case SSL_CK_RC2_128_CBC_WITH_MD5:
1422 case SSL_CK_DES_64_CBC_WITH_MD5:
1423 case SSL_CK_DES_192_EDE3_CBC_WITH_MD5:
1424 break;
1425
1426 default:
1427 SSL_DBG(("%d: SSL[%d]: ssl2_CreateSessionCypher: unknown cipher=%d",
1428 SSL_GETPID(), ss->fd, cipherType));
1429 PORT_SetError(isClient ? SSL_ERROR_BAD_SERVER : SSL_ERROR_BAD_CLIENT);
1430 goto sec_loser;
1431 }
1432
1433 rk = isClient ? &readKey : &writeKey;
1434 wk = isClient ? &writeKey : &readKey;
1435
1436 /* Produce the keys for this session */
1437 rv = ssl2_ProduceKeys(ss, &readKey, &writeKey, &sid->u.ssl2.masterKey,
1438 ss->sec.ci.clientChallenge, ss->sec.ci.connectionID,
1439 cipherType);
1440 if (rv != SECSuccess)
1441 goto loser;
1442 PRINT_BUF(7, (ss, "Session read-key: ", rk->data, rk->len));
1443 PRINT_BUF(7, (ss, "Session write-key: ", wk->data, wk->len));
1444
1445 PORT_Memcpy(ss->sec.ci.readKey, readKey.data, readKey.len);
1446 PORT_Memcpy(ss->sec.ci.writeKey, writeKey.data, writeKey.len);
1447 ss->sec.ci.keySize = readKey.len;
1448
1449 /* Setup the MAC */
1450 rv = ssl2_CreateMAC(&ss->sec, rk, wk, cipherType);
1451 if (rv != SECSuccess)
1452 goto loser;
1453
1454 /* First create the session key object */
1455 SSL_TRC(3, ("%d: SSL[%d]: using %s", SSL_GETPID(), ss->fd,
1456 ssl_cipherName[cipherType]));
1457
1458
1459 mechanism = ssl_Specs[cipherType].mechanism;
1460
1461 /* set destructer before we call loser... */
1462 ss->sec.destroy = (void (*)(void*, PRBool)) PK11_DestroyContext;
1463 slot = PK11_GetBestSlot(mechanism, ss->pkcs11PinArg);
1464 if (slot == NULL)
1465 goto loser;
1466
1467 param = PK11_ParamFromIV(mechanism, &sid->u.ssl2.cipherArg);
1468 if (param == NULL)
1469 goto loser;
1470 readcx = PK11_CreateContextByRawKey(slot, mechanism, PK11_OriginUnwrap,
1471 CKA_DECRYPT, rk, param,
1472 ss->pkcs11PinArg);
1473 SECITEM_FreeItem(param, PR_TRUE);
1474 if (readcx == NULL)
1475 goto loser;
1476
1477 /* build the client context */
1478 param = PK11_ParamFromIV(mechanism, &sid->u.ssl2.cipherArg);
1479 if (param == NULL)
1480 goto loser;
1481 writecx = PK11_CreateContextByRawKey(slot, mechanism, PK11_OriginUnwrap,
1482 CKA_ENCRYPT, wk, param,
1483 ss->pkcs11PinArg);
1484 SECITEM_FreeItem(param,PR_TRUE);
1485 if (writecx == NULL)
1486 goto loser;
1487 PK11_FreeSlot(slot);
1488
1489 rv = SECSuccess;
1490 ss->sec.enc = (SSLCipher) PK11_CipherOp;
1491 ss->sec.dec = (SSLCipher) PK11_CipherOp;
1492 ss->sec.readcx = (void *) readcx;
1493 ss->sec.writecx = (void *) writecx;
1494 ss->sec.blockSize = ssl_Specs[cipherType].blockSize;
1495 ss->sec.blockShift = ssl_Specs[cipherType].blockShift;
1496 ss->sec.cipherType = sid->u.ssl2.cipherType;
1497 ss->sec.keyBits = sid->u.ssl2.keyBits;
1498 ss->sec.secretKeyBits = sid->u.ssl2.secretKeyBits;
1499 goto done;
1500
1501 loser:
1502 if (ss->sec.destroy) {
1503 if (readcx) (*ss->sec.destroy)(readcx, PR_TRUE);
1504 if (writecx) (*ss->sec.destroy)(writecx, PR_TRUE);
1505 }
1506 ss->sec.destroy = NULL;
1507 if (slot) PK11_FreeSlot(slot);
1508
1509 sec_loser:
1510 rv = SECFailure;
1511
1512 done:
1513 if (rk) {
1514 SECITEM_ZfreeItem(rk, PR_FALSE);
1515 }
1516 if (wk) {
1517 SECITEM_ZfreeItem(wk, PR_FALSE);
1518 }
1519 return rv;
1520 }
1521
1522 /*
1523 ** Setup the server ciphers given information from a CLIENT-MASTER-KEY
1524 ** message.
1525 ** "ss" pointer to the ssl-socket object
1526 ** "cipher" the cipher type to use
1527 ** "keyBits" the size of the final cipher key
1528 ** "ck" the clear-key data
1529 ** "ckLen" the number of bytes of clear-key data
1530 ** "ek" the encrypted-key data
1531 ** "ekLen" the number of bytes of encrypted-key data
1532 ** "ca" the cipher-arg data
1533 ** "caLen" the number of bytes of cipher-arg data
1534 **
1535 ** The MASTER-KEY is constructed by first decrypting the encrypted-key
1536 ** data. This produces the SECRET-KEY-DATA. The MASTER-KEY is composed by
1537 ** concatenating the clear-key data with the SECRET-KEY-DATA. This code
1538 ** checks to make sure that the client didn't send us an improper amount
1539 ** of SECRET-KEY-DATA (it restricts the length of that data to match the
1540 ** spec).
1541 **
1542 ** Called from ssl2_HandleClientSessionKeyMessage().
1543 */
1544 static SECStatus
ssl2_ServerSetupSessionCypher(sslSocket * ss,int cipher,unsigned int keyBits,PRUint8 * ck,unsigned int ckLen,PRUint8 * ek,unsigned int ekLen,PRUint8 * ca,unsigned int caLen)1545 ssl2_ServerSetupSessionCypher(sslSocket *ss, int cipher, unsigned int keyBits,
1546 PRUint8 *ck, unsigned int ckLen,
1547 PRUint8 *ek, unsigned int ekLen,
1548 PRUint8 *ca, unsigned int caLen)
1549 {
1550 PRUint8 * dk = NULL; /* decrypted master key */
1551 sslSessionID * sid;
1552 sslServerCerts * sc = ss->serverCerts + kt_rsa;
1553 PRUint8 * kbuf = 0; /* buffer for RSA decrypted data. */
1554 unsigned int ddLen; /* length of RSA decrypted data in kbuf */
1555 unsigned int keySize;
1556 unsigned int dkLen; /* decrypted key length in bytes */
1557 int modulusLen;
1558 SECStatus rv;
1559 PRUint16 allowed; /* cipher kinds enabled and allowed by policy */
1560 PRUint8 mkbuf[SSL_MAX_MASTER_KEY_BYTES];
1561
1562 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
1563 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
1564 PORT_Assert((sc->SERVERKEY != 0));
1565 PORT_Assert((ss->sec.ci.sid != 0));
1566 sid = ss->sec.ci.sid;
1567
1568 /* Trying to cut down on all these switch statements that should be tables.
1569 * So, test cipherType once, here, and then use tables below.
1570 */
1571 switch (cipher) {
1572 case SSL_CK_RC4_128_EXPORT40_WITH_MD5:
1573 case SSL_CK_RC4_128_WITH_MD5:
1574 case SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5:
1575 case SSL_CK_RC2_128_CBC_WITH_MD5:
1576 case SSL_CK_DES_64_CBC_WITH_MD5:
1577 case SSL_CK_DES_192_EDE3_CBC_WITH_MD5:
1578 break;
1579
1580 default:
1581 SSL_DBG(("%d: SSL[%d]: ssl2_ServerSetupSessionCypher: unknown cipher=%d",
1582 SSL_GETPID(), ss->fd, cipher));
1583 PORT_SetError(SSL_ERROR_BAD_CLIENT);
1584 goto loser;
1585 }
1586
1587 allowed = ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED;
1588 if (!(allowed & (1 << cipher))) {
1589 /* client chose a kind we don't allow! */
1590 SSL_DBG(("%d: SSL[%d]: disallowed cipher=%d",
1591 SSL_GETPID(), ss->fd, cipher));
1592 PORT_SetError(SSL_ERROR_BAD_CLIENT);
1593 goto loser;
1594 }
1595
1596 keySize = ssl_Specs[cipher].keyLen;
1597 if (keyBits != keySize * BPB) {
1598 SSL_DBG(("%d: SSL[%d]: invalid master secret key length=%d (bits)!",
1599 SSL_GETPID(), ss->fd, keyBits));
1600 PORT_SetError(SSL_ERROR_BAD_CLIENT);
1601 goto loser;
1602 }
1603
1604 if (ckLen != ssl_Specs[cipher].pubLen) {
1605 SSL_DBG(("%d: SSL[%d]: invalid clear key length, ckLen=%d (bytes)!",
1606 SSL_GETPID(), ss->fd, ckLen));
1607 PORT_SetError(SSL_ERROR_BAD_CLIENT);
1608 goto loser;
1609 }
1610
1611 if (caLen != ssl_Specs[cipher].ivLen) {
1612 SSL_DBG(("%d: SSL[%d]: invalid key args length, caLen=%d (bytes)!",
1613 SSL_GETPID(), ss->fd, caLen));
1614 PORT_SetError(SSL_ERROR_BAD_CLIENT);
1615 goto loser;
1616 }
1617
1618 modulusLen = PK11_GetPrivateModulusLen(sc->SERVERKEY);
1619 if (modulusLen == -1) {
1620 /* XXX If the key is bad, then PK11_PubDecryptRaw will fail below. */
1621 modulusLen = ekLen;
1622 }
1623 if (ekLen > modulusLen || ekLen + ckLen < keySize) {
1624 SSL_DBG(("%d: SSL[%d]: invalid encrypted key length, ekLen=%d (bytes)!",
1625 SSL_GETPID(), ss->fd, ekLen));
1626 PORT_SetError(SSL_ERROR_BAD_CLIENT);
1627 goto loser;
1628 }
1629
1630 /* allocate the buffer to hold the decrypted portion of the key. */
1631 kbuf = (PRUint8*)PORT_Alloc(modulusLen);
1632 if (!kbuf) {
1633 goto loser;
1634 }
1635 dkLen = keySize - ckLen;
1636 dk = kbuf + modulusLen - dkLen;
1637
1638 /* Decrypt encrypted half of the key.
1639 ** NOTE: PK11_PubDecryptRaw will barf on a non-RSA key. This is
1640 ** desired behavior here.
1641 */
1642 rv = PK11_PubDecryptRaw(sc->SERVERKEY, kbuf, &ddLen, modulusLen, ek, ekLen);
1643 if (rv != SECSuccess)
1644 goto hide_loser;
1645
1646 /* Is the length of the decrypted data (ddLen) the expected value? */
1647 if (modulusLen != ddLen)
1648 goto hide_loser;
1649
1650 /* Cheaply verify that PKCS#1 was used to format the encryption block */
1651 if ((kbuf[0] != 0x00) || (kbuf[1] != 0x02) || (dk[-1] != 0x00)) {
1652 SSL_DBG(("%d: SSL[%d]: strange encryption block",
1653 SSL_GETPID(), ss->fd));
1654 PORT_SetError(SSL_ERROR_BAD_CLIENT);
1655 goto hide_loser;
1656 }
1657
1658 /* Make sure we're not subject to a version rollback attack. */
1659 if (!SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
1660 static const PRUint8 threes[8] = { 0x03, 0x03, 0x03, 0x03,
1661 0x03, 0x03, 0x03, 0x03 };
1662
1663 if (PORT_Memcmp(dk - 8 - 1, threes, 8) == 0) {
1664 PORT_SetError(SSL_ERROR_BAD_CLIENT);
1665 goto hide_loser;
1666 }
1667 }
1668 if (0) {
1669 hide_loser:
1670 /* Defense against the Bleichenbacher attack.
1671 * Provide the client with NO CLUES that the decrypted master key
1672 * was erroneous. Don't send any error messages.
1673 * Instead, Generate a completely bogus master key .
1674 */
1675 PK11_GenerateRandom(dk, dkLen);
1676 }
1677
1678 /*
1679 ** Construct master key out of the pieces.
1680 */
1681 if (ckLen) {
1682 PORT_Memcpy(mkbuf, ck, ckLen);
1683 }
1684 PORT_Memcpy(mkbuf + ckLen, dk, dkLen);
1685
1686 /* Fill in session-id */
1687 rv = ssl2_FillInSID(sid, cipher, mkbuf, keySize, ca, caLen,
1688 keyBits, keyBits - (ckLen<<3),
1689 ss->sec.authAlgorithm, ss->sec.authKeyBits,
1690 ss->sec.keaType, ss->sec.keaKeyBits);
1691 if (rv != SECSuccess) {
1692 goto loser;
1693 }
1694
1695 /* Create session ciphers */
1696 rv = ssl2_CreateSessionCypher(ss, sid, PR_FALSE);
1697 if (rv != SECSuccess) {
1698 goto loser;
1699 }
1700
1701 SSL_TRC(1, ("%d: SSL[%d]: server, using %s cipher, clear=%d total=%d",
1702 SSL_GETPID(), ss->fd, ssl_cipherName[cipher],
1703 ckLen<<3, keySize<<3));
1704 rv = SECSuccess;
1705 goto done;
1706
1707 loser:
1708 rv = SECFailure;
1709
1710 done:
1711 PORT_Free(kbuf);
1712 return rv;
1713 }
1714
1715 /************************************************************************/
1716
1717 /*
1718 ** Rewrite the incoming cipher specs, comparing to list of specs we support,
1719 ** (ss->cipherSpecs) and eliminating anything we don't support
1720 **
1721 * Note: Our list may contain SSL v3 ciphers.
1722 * We MUST NOT match on any of those.
1723 * Fortunately, this is easy to detect because SSLv3 ciphers have zero
1724 * in the first byte, and none of the SSLv2 ciphers do.
1725 *
1726 * Called from ssl2_HandleClientHelloMessage().
1727 * Returns the number of bytes of "qualified cipher specs",
1728 * which is typically a multiple of 3, but will be zero if there are none.
1729 */
1730 static int
ssl2_QualifyCypherSpecs(sslSocket * ss,PRUint8 * cs,int csLen)1731 ssl2_QualifyCypherSpecs(sslSocket *ss,
1732 PRUint8 * cs, /* cipher specs in client hello msg. */
1733 int csLen)
1734 {
1735 PRUint8 * ms;
1736 PRUint8 * hs;
1737 PRUint8 * qs;
1738 int mc;
1739 int hc;
1740 PRUint8 qualifiedSpecs[ssl2_NUM_SUITES_IMPLEMENTED * 3];
1741
1742 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
1743 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
1744
1745 if (!ss->cipherSpecs) {
1746 SECStatus rv = ssl2_ConstructCipherSpecs(ss);
1747 if (rv != SECSuccess || !ss->cipherSpecs)
1748 return 0;
1749 }
1750
1751 PRINT_BUF(10, (ss, "specs from client:", cs, csLen));
1752 qs = qualifiedSpecs;
1753 ms = ss->cipherSpecs;
1754 for (mc = ss->sizeCipherSpecs; mc > 0; mc -= 3, ms += 3) {
1755 if (ms[0] == 0)
1756 continue;
1757 for (hs = cs, hc = csLen; hc > 0; hs += 3, hc -= 3) {
1758 if ((hs[0] == ms[0]) &&
1759 (hs[1] == ms[1]) &&
1760 (hs[2] == ms[2])) {
1761 /* Copy this cipher spec into the "keep" section */
1762 qs[0] = hs[0];
1763 qs[1] = hs[1];
1764 qs[2] = hs[2];
1765 qs += 3;
1766 break;
1767 }
1768 }
1769 }
1770 hc = qs - qualifiedSpecs;
1771 PRINT_BUF(10, (ss, "qualified specs from client:", qualifiedSpecs, hc));
1772 PORT_Memcpy(cs, qualifiedSpecs, hc);
1773 return hc;
1774 }
1775
1776 /*
1777 ** Pick the best cipher we can find, given the array of server cipher
1778 ** specs. Returns cipher number (e.g. SSL_CK_*), or -1 for no overlap.
1779 ** If successful, stores the master key size (bytes) in *pKeyLen.
1780 **
1781 ** This is correct only for the client side, but presently
1782 ** this function is only called from
1783 ** ssl2_ClientSetupSessionCypher() <- ssl2_HandleServerHelloMessage()
1784 **
1785 ** Note that most servers only return a single cipher suite in their
1786 ** ServerHello messages. So, the code below for finding the "best" cipher
1787 ** suite usually has only one choice. The client and server should send
1788 ** their cipher suite lists sorted in descending order by preference.
1789 */
1790 static int
ssl2_ChooseSessionCypher(sslSocket * ss,int hc,PRUint8 * hs,int * pKeyLen)1791 ssl2_ChooseSessionCypher(sslSocket *ss,
1792 int hc, /* number of cs's in hs. */
1793 PRUint8 * hs, /* server hello's cipher suites. */
1794 int * pKeyLen) /* out: sym key size in bytes. */
1795 {
1796 PRUint8 * ms;
1797 unsigned int i;
1798 int bestKeySize;
1799 int bestRealKeySize;
1800 int bestCypher;
1801 int keySize;
1802 int realKeySize;
1803 PRUint8 * ohs = hs;
1804 const PRUint8 * preferred;
1805 static const PRUint8 noneSuch[3] = { 0, 0, 0 };
1806
1807 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
1808 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
1809
1810 if (!ss->cipherSpecs) {
1811 SECStatus rv = ssl2_ConstructCipherSpecs(ss);
1812 if (rv != SECSuccess || !ss->cipherSpecs)
1813 goto loser;
1814 }
1815
1816 if (!ss->preferredCipher) {
1817 unsigned int allowed = ss->allowedByPolicy & ss->chosenPreference &
1818 SSL_CB_IMPLEMENTED;
1819 if (allowed) {
1820 preferred = implementedCipherSuites;
1821 for (i = ssl2_NUM_SUITES_IMPLEMENTED; i > 0; --i) {
1822 if (0 != (allowed & (1U << preferred[0]))) {
1823 ss->preferredCipher = preferred;
1824 break;
1825 }
1826 preferred += 3;
1827 }
1828 }
1829 }
1830 preferred = ss->preferredCipher ? ss->preferredCipher : noneSuch;
1831 /*
1832 ** Scan list of ciphers received from peer and look for a match in
1833 ** our list.
1834 * Note: Our list may contain SSL v3 ciphers.
1835 * We MUST NOT match on any of those.
1836 * Fortunately, this is easy to detect because SSLv3 ciphers have zero
1837 * in the first byte, and none of the SSLv2 ciphers do.
1838 */
1839 bestKeySize = bestRealKeySize = 0;
1840 bestCypher = -1;
1841 while (--hc >= 0) {
1842 for (i = 0, ms = ss->cipherSpecs; i < ss->sizeCipherSpecs; i += 3, ms += 3) {
1843 if ((hs[0] == preferred[0]) &&
1844 (hs[1] == preferred[1]) &&
1845 (hs[2] == preferred[2]) &&
1846 hs[0] != 0) {
1847 /* Pick this cipher immediately! */
1848 *pKeyLen = (((hs[1] << 8) | hs[2]) + 7) >> 3;
1849 return hs[0];
1850 }
1851 if ((hs[0] == ms[0]) && (hs[1] == ms[1]) && (hs[2] == ms[2]) &&
1852 hs[0] != 0) {
1853 /* Found a match */
1854
1855 /* Use secret keySize to determine which cipher is best */
1856 realKeySize = (hs[1] << 8) | hs[2];
1857 switch (hs[0]) {
1858 case SSL_CK_RC4_128_EXPORT40_WITH_MD5:
1859 case SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5:
1860 keySize = 40;
1861 break;
1862 default:
1863 keySize = realKeySize;
1864 break;
1865 }
1866 if (keySize > bestKeySize) {
1867 bestCypher = hs[0];
1868 bestKeySize = keySize;
1869 bestRealKeySize = realKeySize;
1870 }
1871 }
1872 }
1873 hs += 3;
1874 }
1875 if (bestCypher < 0) {
1876 /*
1877 ** No overlap between server and client. Re-examine server list
1878 ** to see what kind of ciphers it does support so that we can set
1879 ** the error code appropriately.
1880 */
1881 if ((ohs[0] == SSL_CK_RC4_128_WITH_MD5) ||
1882 (ohs[0] == SSL_CK_RC2_128_CBC_WITH_MD5)) {
1883 PORT_SetError(SSL_ERROR_US_ONLY_SERVER);
1884 } else if ((ohs[0] == SSL_CK_RC4_128_EXPORT40_WITH_MD5) ||
1885 (ohs[0] == SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5)) {
1886 PORT_SetError(SSL_ERROR_EXPORT_ONLY_SERVER);
1887 } else {
1888 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
1889 }
1890 SSL_DBG(("%d: SSL[%d]: no cipher overlap", SSL_GETPID(), ss->fd));
1891 goto loser;
1892 }
1893 *pKeyLen = (bestRealKeySize + 7) >> 3;
1894 return bestCypher;
1895
1896 loser:
1897 return -1;
1898 }
1899
1900 static SECStatus
ssl2_ClientHandleServerCert(sslSocket * ss,PRUint8 * certData,int certLen)1901 ssl2_ClientHandleServerCert(sslSocket *ss, PRUint8 *certData, int certLen)
1902 {
1903 CERTCertificate *cert = NULL;
1904 SECItem certItem;
1905
1906 certItem.data = certData;
1907 certItem.len = certLen;
1908
1909 /* decode the certificate */
1910 cert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
1911 PR_FALSE, PR_TRUE);
1912
1913 if (cert == NULL) {
1914 SSL_DBG(("%d: SSL[%d]: decode of server certificate fails",
1915 SSL_GETPID(), ss->fd));
1916 PORT_SetError(SSL_ERROR_BAD_CERTIFICATE);
1917 return SECFailure;
1918 }
1919
1920 #ifdef TRACE
1921 {
1922 if (ssl_trace >= 1) {
1923 char *issuer;
1924 char *subject;
1925 issuer = CERT_NameToAscii(&cert->issuer);
1926 subject = CERT_NameToAscii(&cert->subject);
1927 SSL_TRC(1,("%d: server certificate issuer: '%s'",
1928 SSL_GETPID(), issuer ? issuer : "OOPS"));
1929 SSL_TRC(1,("%d: server name: '%s'",
1930 SSL_GETPID(), subject ? subject : "OOPS"));
1931 PORT_Free(issuer);
1932 PORT_Free(subject);
1933 }
1934 }
1935 #endif
1936
1937 ss->sec.peerCert = cert;
1938 return SECSuccess;
1939 }
1940
1941
1942 /*
1943 * Format one block of data for public/private key encryption using
1944 * the rules defined in PKCS #1. SSL2 does this itself to handle the
1945 * rollback detection.
1946 */
1947 #define RSA_BLOCK_MIN_PAD_LEN 8
1948 #define RSA_BLOCK_FIRST_OCTET 0x00
1949 #define RSA_BLOCK_AFTER_PAD_OCTET 0x00
1950 #define RSA_BLOCK_PUBLIC_OCTET 0x02
1951 unsigned char *
ssl_FormatSSL2Block(unsigned modulusLen,SECItem * data)1952 ssl_FormatSSL2Block(unsigned modulusLen, SECItem *data)
1953 {
1954 unsigned char *block;
1955 unsigned char *bp;
1956 int padLen;
1957 SECStatus rv;
1958 int i;
1959
1960 if (modulusLen < data->len + (3 + RSA_BLOCK_MIN_PAD_LEN)) {
1961 PORT_SetError(SEC_ERROR_BAD_KEY);
1962 return NULL;
1963 }
1964 block = (unsigned char *) PORT_Alloc(modulusLen);
1965 if (block == NULL)
1966 return NULL;
1967
1968 bp = block;
1969
1970 /*
1971 * All RSA blocks start with two octets:
1972 * 0x00 || BlockType
1973 */
1974 *bp++ = RSA_BLOCK_FIRST_OCTET;
1975 *bp++ = RSA_BLOCK_PUBLIC_OCTET;
1976
1977 /*
1978 * 0x00 || BT || Pad || 0x00 || ActualData
1979 * 1 1 padLen 1 data->len
1980 * Pad is all non-zero random bytes.
1981 */
1982 padLen = modulusLen - data->len - 3;
1983 PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN);
1984 rv = PK11_GenerateRandom(bp, padLen);
1985 if (rv == SECFailure) goto loser;
1986 /* replace all the 'zero' bytes */
1987 for (i = 0; i < padLen; i++) {
1988 while (bp[i] == RSA_BLOCK_AFTER_PAD_OCTET) {
1989 rv = PK11_GenerateRandom(bp+i, 1);
1990 if (rv == SECFailure) goto loser;
1991 }
1992 }
1993 bp += padLen;
1994 *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
1995 PORT_Memcpy (bp, data->data, data->len);
1996
1997 return block;
1998 loser:
1999 if (block) PORT_Free(block);
2000 return NULL;
2001 }
2002
2003 /*
2004 ** Given the server's public key and cipher specs, generate a session key
2005 ** that is ready to use for encrypting/decrypting the byte stream. At
2006 ** the same time, generate the SSL_MT_CLIENT_MASTER_KEY message and
2007 ** send it to the server.
2008 **
2009 ** Called from ssl2_HandleServerHelloMessage()
2010 */
2011 static SECStatus
ssl2_ClientSetupSessionCypher(sslSocket * ss,PRUint8 * cs,int csLen)2012 ssl2_ClientSetupSessionCypher(sslSocket *ss, PRUint8 *cs, int csLen)
2013 {
2014 sslSessionID * sid;
2015 PRUint8 * ca; /* points to iv data, or NULL if none. */
2016 PRUint8 * ekbuf = 0;
2017 CERTCertificate * cert = 0;
2018 SECKEYPublicKey * serverKey = 0;
2019 unsigned modulusLen = 0;
2020 SECStatus rv;
2021 int cipher;
2022 int keyLen; /* cipher symkey size in bytes. */
2023 int ckLen; /* publicly reveal this many bytes of key. */
2024 int caLen; /* length of IV data at *ca. */
2025 int nc;
2026
2027 unsigned char *eblock; /* holds unencrypted PKCS#1 formatted key. */
2028 SECItem rek; /* holds portion of symkey to be encrypted. */
2029
2030 PRUint8 keyData[SSL_MAX_MASTER_KEY_BYTES];
2031 PRUint8 iv [8];
2032
2033 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
2034
2035 eblock = NULL;
2036
2037 sid = ss->sec.ci.sid;
2038 PORT_Assert(sid != 0);
2039
2040 cert = ss->sec.peerCert;
2041
2042 serverKey = CERT_ExtractPublicKey(cert);
2043 if (!serverKey) {
2044 SSL_DBG(("%d: SSL[%d]: extract public key failed: error=%d",
2045 SSL_GETPID(), ss->fd, PORT_GetError()));
2046 PORT_SetError(SSL_ERROR_BAD_CERTIFICATE);
2047 rv = SECFailure;
2048 goto loser2;
2049 }
2050
2051 ss->sec.authAlgorithm = ssl_sign_rsa;
2052 ss->sec.keaType = ssl_kea_rsa;
2053 ss->sec.keaKeyBits = \
2054 ss->sec.authKeyBits = SECKEY_PublicKeyStrengthInBits(serverKey);
2055
2056 /* Choose a compatible cipher with the server */
2057 nc = csLen / 3;
2058 cipher = ssl2_ChooseSessionCypher(ss, nc, cs, &keyLen);
2059 if (cipher < 0) {
2060 /* ssl2_ChooseSessionCypher has set error code. */
2061 ssl2_SendErrorMessage(ss, SSL_PE_NO_CYPHERS);
2062 goto loser;
2063 }
2064
2065 /* Generate the random keys */
2066 PK11_GenerateRandom(keyData, sizeof(keyData));
2067
2068 /*
2069 ** Next, carve up the keys into clear and encrypted portions. The
2070 ** clear data is taken from the start of keyData and the encrypted
2071 ** portion from the remainder. Note that each of these portions is
2072 ** carved in half, one half for the read-key and one for the
2073 ** write-key.
2074 */
2075 ca = 0;
2076
2077 /* We know that cipher is a legit value here, because
2078 * ssl2_ChooseSessionCypher doesn't return bogus values.
2079 */
2080 ckLen = ssl_Specs[cipher].pubLen; /* cleartext key length. */
2081 caLen = ssl_Specs[cipher].ivLen; /* IV length. */
2082 if (caLen) {
2083 PORT_Assert(sizeof iv >= caLen);
2084 PK11_GenerateRandom(iv, caLen);
2085 ca = iv;
2086 }
2087
2088 /* Fill in session-id */
2089 rv = ssl2_FillInSID(sid, cipher, keyData, keyLen,
2090 ca, caLen, keyLen << 3, (keyLen - ckLen) << 3,
2091 ss->sec.authAlgorithm, ss->sec.authKeyBits,
2092 ss->sec.keaType, ss->sec.keaKeyBits);
2093 if (rv != SECSuccess) {
2094 goto loser;
2095 }
2096
2097 SSL_TRC(1, ("%d: SSL[%d]: client, using %s cipher, clear=%d total=%d",
2098 SSL_GETPID(), ss->fd, ssl_cipherName[cipher],
2099 ckLen<<3, keyLen<<3));
2100
2101 /* Now setup read and write ciphers */
2102 rv = ssl2_CreateSessionCypher(ss, sid, PR_TRUE);
2103 if (rv != SECSuccess) {
2104 goto loser;
2105 }
2106
2107 /*
2108 ** Fill in the encryption buffer with some random bytes. Then
2109 ** copy in the portion of the session key we are encrypting.
2110 */
2111 modulusLen = SECKEY_PublicKeyStrength(serverKey);
2112 rek.data = keyData + ckLen;
2113 rek.len = keyLen - ckLen;
2114 eblock = ssl_FormatSSL2Block(modulusLen, &rek);
2115 if (eblock == NULL)
2116 goto loser;
2117
2118 /* Set up the padding for version 2 rollback detection. */
2119 /* XXX We should really use defines here */
2120 if (!SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
2121 PORT_Assert((modulusLen - rek.len) > 12);
2122 PORT_Memset(eblock + modulusLen - rek.len - 8 - 1, 0x03, 8);
2123 }
2124 ekbuf = (PRUint8*) PORT_Alloc(modulusLen);
2125 if (!ekbuf)
2126 goto loser;
2127 PRINT_BUF(10, (ss, "master key encryption block:",
2128 eblock, modulusLen));
2129
2130 /* Encrypt ekitem */
2131 rv = PK11_PubEncryptRaw(serverKey, ekbuf, eblock, modulusLen,
2132 ss->pkcs11PinArg);
2133 if (rv)
2134 goto loser;
2135
2136 /* Now we have everything ready to send */
2137 rv = ssl2_SendSessionKeyMessage(ss, cipher, keyLen << 3, ca, caLen,
2138 keyData, ckLen, ekbuf, modulusLen);
2139 if (rv != SECSuccess) {
2140 goto loser;
2141 }
2142 rv = SECSuccess;
2143 goto done;
2144
2145 loser:
2146 rv = SECFailure;
2147
2148 loser2:
2149 done:
2150 PORT_Memset(keyData, 0, sizeof(keyData));
2151 PORT_ZFree(ekbuf, modulusLen);
2152 PORT_ZFree(eblock, modulusLen);
2153 SECKEY_DestroyPublicKey(serverKey);
2154 return rv;
2155 }
2156
2157 /************************************************************************/
2158
2159 /*
2160 * Called from ssl2_HandleMessage in response to SSL_MT_SERVER_FINISHED message.
2161 * Caller holds recvBufLock and handshakeLock
2162 */
2163 static void
ssl2_ClientRegSessionID(sslSocket * ss,PRUint8 * s)2164 ssl2_ClientRegSessionID(sslSocket *ss, PRUint8 *s)
2165 {
2166 sslSessionID *sid = ss->sec.ci.sid;
2167
2168 /* Record entry in nonce cache */
2169 if (sid->peerCert == NULL) {
2170 PORT_Memcpy(sid->u.ssl2.sessionID, s, sizeof(sid->u.ssl2.sessionID));
2171 sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
2172
2173 }
2174 if (!ss->opt.noCache)
2175 (*ss->sec.cache)(sid);
2176 }
2177
2178 /* Called from ssl2_HandleMessage() */
2179 static SECStatus
ssl2_TriggerNextMessage(sslSocket * ss)2180 ssl2_TriggerNextMessage(sslSocket *ss)
2181 {
2182 SECStatus rv;
2183
2184 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
2185
2186 if ((ss->sec.ci.requiredElements & CIS_HAVE_CERTIFICATE) &&
2187 !(ss->sec.ci.sentElements & CIS_HAVE_CERTIFICATE)) {
2188 ss->sec.ci.sentElements |= CIS_HAVE_CERTIFICATE;
2189 rv = ssl2_SendCertificateRequestMessage(ss);
2190 return rv;
2191 }
2192 return SECSuccess;
2193 }
2194
2195 /* See if it's time to send our finished message, or if the handshakes are
2196 ** complete. Send finished message if appropriate.
2197 ** Returns SECSuccess unless anything goes wrong.
2198 **
2199 ** Called from ssl2_HandleMessage,
2200 ** ssl2_HandleVerifyMessage
2201 ** ssl2_HandleServerHelloMessage
2202 ** ssl2_HandleClientSessionKeyMessage
2203 */
2204 static SECStatus
ssl2_TryToFinish(sslSocket * ss)2205 ssl2_TryToFinish(sslSocket *ss)
2206 {
2207 SECStatus rv;
2208 char e, ef;
2209
2210 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
2211
2212 e = ss->sec.ci.elements;
2213 ef = e | CIS_HAVE_FINISHED;
2214 if ((ef & ss->sec.ci.requiredElements) == ss->sec.ci.requiredElements) {
2215 if (ss->sec.isServer) {
2216 /* Send server finished message if we already didn't */
2217 rv = ssl2_SendServerFinishedMessage(ss);
2218 } else {
2219 /* Send client finished message if we already didn't */
2220 rv = ssl2_SendClientFinishedMessage(ss);
2221 }
2222 if (rv != SECSuccess) {
2223 return rv;
2224 }
2225 if ((e & ss->sec.ci.requiredElements) == ss->sec.ci.requiredElements) {
2226 /* Totally finished */
2227 ss->handshake = 0;
2228 return SECSuccess;
2229 }
2230 }
2231 return SECSuccess;
2232 }
2233
2234 /*
2235 ** Called from ssl2_HandleRequestCertificate
2236 */
2237 static SECStatus
ssl2_SignResponse(sslSocket * ss,SECKEYPrivateKey * key,SECItem * response)2238 ssl2_SignResponse(sslSocket *ss,
2239 SECKEYPrivateKey *key,
2240 SECItem *response)
2241 {
2242 SGNContext * sgn = NULL;
2243 PRUint8 * challenge;
2244 unsigned int len;
2245 SECStatus rv = SECFailure;
2246
2247 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
2248
2249 challenge = ss->sec.ci.serverChallenge;
2250 len = ss->sec.ci.serverChallengeLen;
2251
2252 /* Sign the expected data... */
2253 sgn = SGN_NewContext(SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION,key);
2254 if (!sgn)
2255 goto done;
2256 rv = SGN_Begin(sgn);
2257 if (rv != SECSuccess)
2258 goto done;
2259 rv = SGN_Update(sgn, ss->sec.ci.readKey, ss->sec.ci.keySize);
2260 if (rv != SECSuccess)
2261 goto done;
2262 rv = SGN_Update(sgn, ss->sec.ci.writeKey, ss->sec.ci.keySize);
2263 if (rv != SECSuccess)
2264 goto done;
2265 rv = SGN_Update(sgn, challenge, len);
2266 if (rv != SECSuccess)
2267 goto done;
2268 rv = SGN_Update(sgn, ss->sec.peerCert->derCert.data,
2269 ss->sec.peerCert->derCert.len);
2270 if (rv != SECSuccess)
2271 goto done;
2272 rv = SGN_End(sgn, response);
2273 if (rv != SECSuccess)
2274 goto done;
2275
2276 done:
2277 SGN_DestroyContext(sgn, PR_TRUE);
2278 return rv == SECSuccess ? SECSuccess : SECFailure;
2279 }
2280
2281 /*
2282 ** Try to handle a request-certificate message. Get client's certificate
2283 ** and private key and sign a message for the server to see.
2284 ** Caller must hold handshakeLock
2285 **
2286 ** Called from ssl2_HandleMessage().
2287 */
2288 static int
ssl2_HandleRequestCertificate(sslSocket * ss)2289 ssl2_HandleRequestCertificate(sslSocket *ss)
2290 {
2291 CERTCertificate * cert = NULL; /* app-selected client cert. */
2292 SECKEYPrivateKey *key = NULL; /* priv key for cert. */
2293 SECStatus rv;
2294 SECItem response;
2295 int ret = 0;
2296 PRUint8 authType;
2297
2298
2299 /*
2300 * These things all need to be initialized before we can "goto loser".
2301 */
2302 response.data = NULL;
2303
2304 /* get challenge info from connectionInfo */
2305 authType = ss->sec.ci.authType;
2306
2307 if (authType != SSL_AT_MD5_WITH_RSA_ENCRYPTION) {
2308 SSL_TRC(7, ("%d: SSL[%d]: unsupported auth type 0x%x", SSL_GETPID(),
2309 ss->fd, authType));
2310 goto no_cert_error;
2311 }
2312
2313 /* Get certificate and private-key from client */
2314 if (!ss->getClientAuthData) {
2315 SSL_TRC(7, ("%d: SSL[%d]: client doesn't support client-auth",
2316 SSL_GETPID(), ss->fd));
2317 goto no_cert_error;
2318 }
2319 ret = (*ss->getClientAuthData)(ss->getClientAuthDataArg, ss->fd,
2320 NULL, &cert, &key);
2321 if ( ret == SECWouldBlock ) {
2322 PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
2323 ret = -1;
2324 goto loser;
2325 }
2326
2327 if (ret) {
2328 goto no_cert_error;
2329 }
2330
2331 /* check what the callback function returned */
2332 if ((!cert) || (!key)) {
2333 /* we are missing either the key or cert */
2334 if (cert) {
2335 /* got a cert, but no key - free it */
2336 CERT_DestroyCertificate(cert);
2337 cert = NULL;
2338 }
2339 if (key) {
2340 /* got a key, but no cert - free it */
2341 SECKEY_DestroyPrivateKey(key);
2342 key = NULL;
2343 }
2344 goto no_cert_error;
2345 }
2346
2347 rv = ssl2_SignResponse(ss, key, &response);
2348 if ( rv != SECSuccess ) {
2349 ret = -1;
2350 goto loser;
2351 }
2352
2353 /* Send response message */
2354 ret = ssl2_SendCertificateResponseMessage(ss, &cert->derCert, &response);
2355
2356 /* Now, remember the cert we sent. But first, forget any previous one. */
2357 if (ss->sec.localCert) {
2358 CERT_DestroyCertificate(ss->sec.localCert);
2359 }
2360 ss->sec.localCert = CERT_DupCertificate(cert);
2361 PORT_Assert(!ss->sec.ci.sid->localCert);
2362 if (ss->sec.ci.sid->localCert) {
2363 CERT_DestroyCertificate(ss->sec.ci.sid->localCert);
2364 }
2365 ss->sec.ci.sid->localCert = cert;
2366 cert = NULL;
2367
2368 goto done;
2369
2370 no_cert_error:
2371 SSL_TRC(7, ("%d: SSL[%d]: no certificate (ret=%d)", SSL_GETPID(),
2372 ss->fd, ret));
2373 ret = ssl2_SendErrorMessage(ss, SSL_PE_NO_CERTIFICATE);
2374
2375 loser:
2376 done:
2377 if ( cert ) {
2378 CERT_DestroyCertificate(cert);
2379 }
2380 if ( key ) {
2381 SECKEY_DestroyPrivateKey(key);
2382 }
2383 if ( response.data ) {
2384 PORT_Free(response.data);
2385 }
2386
2387 return ret;
2388 }
2389
2390 /*
2391 ** Called from ssl2_HandleMessage for SSL_MT_CLIENT_CERTIFICATE message.
2392 ** Caller must hold HandshakeLock and RecvBufLock, since cd and response
2393 ** are contained in the gathered input data.
2394 */
2395 static SECStatus
ssl2_HandleClientCertificate(sslSocket * ss,PRUint8 certType,PRUint8 * cd,unsigned int cdLen,PRUint8 * response,unsigned int responseLen)2396 ssl2_HandleClientCertificate(sslSocket * ss,
2397 PRUint8 certType, /* XXX unused */
2398 PRUint8 * cd,
2399 unsigned int cdLen,
2400 PRUint8 * response,
2401 unsigned int responseLen)
2402 {
2403 CERTCertificate *cert = NULL;
2404 SECKEYPublicKey *pubKey = NULL;
2405 VFYContext * vfy = NULL;
2406 SECItem * derCert;
2407 SECStatus rv = SECFailure;
2408 SECItem certItem;
2409 SECItem rep;
2410
2411 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
2412 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
2413
2414 /* Extract the certificate */
2415 certItem.data = cd;
2416 certItem.len = cdLen;
2417
2418 cert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
2419 PR_FALSE, PR_TRUE);
2420 if (cert == NULL) {
2421 goto loser;
2422 }
2423
2424 /* save the certificate, since the auth routine will need it */
2425 ss->sec.peerCert = cert;
2426
2427 /* Extract the public key */
2428 pubKey = CERT_ExtractPublicKey(cert);
2429 if (!pubKey)
2430 goto loser;
2431
2432 /* Verify the response data... */
2433 rep.data = response;
2434 rep.len = responseLen;
2435 /* SSL 2.0 only supports RSA certs, so we don't have to worry about
2436 * DSA here. */
2437 vfy = VFY_CreateContext(pubKey, &rep, SEC_OID_PKCS1_RSA_ENCRYPTION,
2438 ss->pkcs11PinArg);
2439 if (!vfy)
2440 goto loser;
2441 rv = VFY_Begin(vfy);
2442 if (rv)
2443 goto loser;
2444
2445 rv = VFY_Update(vfy, ss->sec.ci.readKey, ss->sec.ci.keySize);
2446 if (rv)
2447 goto loser;
2448 rv = VFY_Update(vfy, ss->sec.ci.writeKey, ss->sec.ci.keySize);
2449 if (rv)
2450 goto loser;
2451 rv = VFY_Update(vfy, ss->sec.ci.serverChallenge, SSL_CHALLENGE_BYTES);
2452 if (rv)
2453 goto loser;
2454
2455 derCert = &ss->serverCerts[kt_rsa].serverCert->derCert;
2456 rv = VFY_Update(vfy, derCert->data, derCert->len);
2457 if (rv)
2458 goto loser;
2459 rv = VFY_End(vfy);
2460 if (rv)
2461 goto loser;
2462
2463 /* Now ask the server application if it likes the certificate... */
2464 rv = (SECStatus) (*ss->authCertificate)(ss->authCertificateArg,
2465 ss->fd, PR_TRUE, PR_TRUE);
2466 /* Hey, it liked it. */
2467 if (SECSuccess == rv)
2468 goto done;
2469
2470 loser:
2471 ss->sec.peerCert = NULL;
2472 CERT_DestroyCertificate(cert);
2473
2474 done:
2475 VFY_DestroyContext(vfy, PR_TRUE);
2476 SECKEY_DestroyPublicKey(pubKey);
2477 return rv;
2478 }
2479
2480 /*
2481 ** Handle remaining messages between client/server. Process finished
2482 ** messages from either side and any authentication requests.
2483 ** This should only be called for SSLv2 handshake messages,
2484 ** not for application data records.
2485 ** Caller must hold handshake lock.
2486 **
2487 ** Called from ssl_Do1stHandshake().
2488 **
2489 */
2490 static SECStatus
ssl2_HandleMessage(sslSocket * ss)2491 ssl2_HandleMessage(sslSocket *ss)
2492 {
2493 PRUint8 * data;
2494 PRUint8 * cid;
2495 unsigned len, certType, certLen, responseLen;
2496 int rv;
2497 int rv2;
2498
2499 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
2500
2501 ssl_GetRecvBufLock(ss);
2502
2503 data = ss->gs.buf.buf + ss->gs.recordOffset;
2504
2505 if (ss->gs.recordLen < 1) {
2506 goto bad_peer;
2507 }
2508 SSL_TRC(3, ("%d: SSL[%d]: received %d message",
2509 SSL_GETPID(), ss->fd, data[0]));
2510 DUMP_MSG(29, (ss, data, ss->gs.recordLen));
2511
2512 switch (data[0]) {
2513 case SSL_MT_CLIENT_FINISHED:
2514 if (ss->sec.ci.elements & CIS_HAVE_FINISHED) {
2515 SSL_DBG(("%d: SSL[%d]: dup client-finished message",
2516 SSL_GETPID(), ss->fd));
2517 goto bad_peer;
2518 }
2519
2520 /* See if nonce matches */
2521 len = ss->gs.recordLen - 1;
2522 cid = data + 1;
2523 if ((len != sizeof(ss->sec.ci.connectionID)) ||
2524 (PORT_Memcmp(ss->sec.ci.connectionID, cid, len) != 0)) {
2525 SSL_DBG(("%d: SSL[%d]: bad connection-id", SSL_GETPID(), ss->fd));
2526 PRINT_BUF(5, (ss, "sent connection-id",
2527 ss->sec.ci.connectionID,
2528 sizeof(ss->sec.ci.connectionID)));
2529 PRINT_BUF(5, (ss, "rcvd connection-id", cid, len));
2530 goto bad_peer;
2531 }
2532
2533 SSL_TRC(5, ("%d: SSL[%d]: got client finished, waiting for 0x%d",
2534 SSL_GETPID(), ss->fd,
2535 ss->sec.ci.requiredElements ^ ss->sec.ci.elements));
2536 ss->sec.ci.elements |= CIS_HAVE_FINISHED;
2537 break;
2538
2539 case SSL_MT_SERVER_FINISHED:
2540 if (ss->sec.ci.elements & CIS_HAVE_FINISHED) {
2541 SSL_DBG(("%d: SSL[%d]: dup server-finished message",
2542 SSL_GETPID(), ss->fd));
2543 goto bad_peer;
2544 }
2545
2546 if (ss->gs.recordLen - 1 != SSL2_SESSIONID_BYTES) {
2547 SSL_DBG(("%d: SSL[%d]: bad server-finished message, len=%d",
2548 SSL_GETPID(), ss->fd, ss->gs.recordLen));
2549 goto bad_peer;
2550 }
2551 ssl2_ClientRegSessionID(ss, data+1);
2552 SSL_TRC(5, ("%d: SSL[%d]: got server finished, waiting for 0x%d",
2553 SSL_GETPID(), ss->fd,
2554 ss->sec.ci.requiredElements ^ ss->sec.ci.elements));
2555 ss->sec.ci.elements |= CIS_HAVE_FINISHED;
2556 break;
2557
2558 case SSL_MT_REQUEST_CERTIFICATE:
2559 len = ss->gs.recordLen - 2;
2560 if ((len < SSL_MIN_CHALLENGE_BYTES) ||
2561 (len > SSL_MAX_CHALLENGE_BYTES)) {
2562 /* Bad challenge */
2563 SSL_DBG(("%d: SSL[%d]: bad cert request message: code len=%d",
2564 SSL_GETPID(), ss->fd, len));
2565 goto bad_peer;
2566 }
2567
2568 /* save auth request info */
2569 ss->sec.ci.authType = data[1];
2570 ss->sec.ci.serverChallengeLen = len;
2571 PORT_Memcpy(ss->sec.ci.serverChallenge, data + 2, len);
2572
2573 rv = ssl2_HandleRequestCertificate(ss);
2574 if (rv == SECWouldBlock) {
2575 SSL_TRC(3, ("%d: SSL[%d]: async cert request",
2576 SSL_GETPID(), ss->fd));
2577 /* someone is handling this asynchronously */
2578 ssl_ReleaseRecvBufLock(ss);
2579 return SECWouldBlock;
2580 }
2581 if (rv) {
2582 SET_ERROR_CODE
2583 goto loser;
2584 }
2585 break;
2586
2587 case SSL_MT_CLIENT_CERTIFICATE:
2588 if (!ss->authCertificate) {
2589 /* Server asked for authentication and can't handle it */
2590 PORT_SetError(SSL_ERROR_BAD_SERVER);
2591 goto loser;
2592 }
2593 if (ss->gs.recordLen < SSL_HL_CLIENT_CERTIFICATE_HBYTES) {
2594 SET_ERROR_CODE
2595 goto loser;
2596 }
2597 certType = data[1];
2598 certLen = (data[2] << 8) | data[3];
2599 responseLen = (data[4] << 8) | data[5];
2600 if (certType != SSL_CT_X509_CERTIFICATE) {
2601 PORT_SetError(SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);
2602 goto loser;
2603 }
2604 if (certLen + responseLen + SSL_HL_CLIENT_CERTIFICATE_HBYTES
2605 > ss->gs.recordLen) {
2606 /* prevent overflow crash. */
2607 rv = SECFailure;
2608 } else
2609 rv = ssl2_HandleClientCertificate(ss, data[1],
2610 data + SSL_HL_CLIENT_CERTIFICATE_HBYTES,
2611 certLen,
2612 data + SSL_HL_CLIENT_CERTIFICATE_HBYTES + certLen,
2613 responseLen);
2614 if (rv) {
2615 rv2 = ssl2_SendErrorMessage(ss, SSL_PE_BAD_CERTIFICATE);
2616 SET_ERROR_CODE
2617 goto loser;
2618 }
2619 ss->sec.ci.elements |= CIS_HAVE_CERTIFICATE;
2620 break;
2621
2622 case SSL_MT_ERROR:
2623 rv = (data[1] << 8) | data[2];
2624 SSL_TRC(2, ("%d: SSL[%d]: got error message, error=0x%x",
2625 SSL_GETPID(), ss->fd, rv));
2626
2627 /* Convert protocol error number into API error number */
2628 switch (rv) {
2629 case SSL_PE_NO_CYPHERS:
2630 rv = SSL_ERROR_NO_CYPHER_OVERLAP;
2631 break;
2632 case SSL_PE_NO_CERTIFICATE:
2633 rv = SSL_ERROR_NO_CERTIFICATE;
2634 break;
2635 case SSL_PE_BAD_CERTIFICATE:
2636 rv = SSL_ERROR_BAD_CERTIFICATE;
2637 break;
2638 case SSL_PE_UNSUPPORTED_CERTIFICATE_TYPE:
2639 rv = SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE;
2640 break;
2641 default:
2642 goto bad_peer;
2643 }
2644 /* XXX make certificate-request optionally fail... */
2645 PORT_SetError(rv);
2646 goto loser;
2647
2648 default:
2649 SSL_DBG(("%d: SSL[%d]: unknown message %d",
2650 SSL_GETPID(), ss->fd, data[0]));
2651 goto loser;
2652 }
2653
2654 SSL_TRC(3, ("%d: SSL[%d]: handled %d message, required=0x%x got=0x%x",
2655 SSL_GETPID(), ss->fd, data[0],
2656 ss->sec.ci.requiredElements, ss->sec.ci.elements));
2657
2658 rv = ssl2_TryToFinish(ss);
2659 if (rv != SECSuccess)
2660 goto loser;
2661
2662 ss->gs.recordLen = 0;
2663 ssl_ReleaseRecvBufLock(ss);
2664
2665 if (ss->handshake == 0) {
2666 return SECSuccess;
2667 }
2668
2669 ss->handshake = ssl_GatherRecord1stHandshake;
2670 ss->nextHandshake = ssl2_HandleMessage;
2671 return ssl2_TriggerNextMessage(ss);
2672
2673 bad_peer:
2674 PORT_SetError(ss->sec.isServer ? SSL_ERROR_BAD_CLIENT : SSL_ERROR_BAD_SERVER);
2675 /* FALL THROUGH */
2676
2677 loser:
2678 ssl_ReleaseRecvBufLock(ss);
2679 return SECFailure;
2680 }
2681
2682 /************************************************************************/
2683
2684 /* Called from ssl_Do1stHandshake, after ssl2_HandleServerHelloMessage.
2685 */
2686 static SECStatus
ssl2_HandleVerifyMessage(sslSocket * ss)2687 ssl2_HandleVerifyMessage(sslSocket *ss)
2688 {
2689 PRUint8 * data;
2690 SECStatus rv;
2691
2692 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
2693 ssl_GetRecvBufLock(ss);
2694
2695 data = ss->gs.buf.buf + ss->gs.recordOffset;
2696 DUMP_MSG(29, (ss, data, ss->gs.recordLen));
2697 if ((ss->gs.recordLen != 1 + SSL_CHALLENGE_BYTES) ||
2698 (data[0] != SSL_MT_SERVER_VERIFY) ||
2699 NSS_SecureMemcmp(data+1, ss->sec.ci.clientChallenge,
2700 SSL_CHALLENGE_BYTES)) {
2701 /* Bad server */
2702 PORT_SetError(SSL_ERROR_BAD_SERVER);
2703 goto loser;
2704 }
2705 ss->sec.ci.elements |= CIS_HAVE_VERIFY;
2706
2707 SSL_TRC(5, ("%d: SSL[%d]: got server-verify, required=0x%d got=0x%x",
2708 SSL_GETPID(), ss->fd, ss->sec.ci.requiredElements,
2709 ss->sec.ci.elements));
2710
2711 rv = ssl2_TryToFinish(ss);
2712 if (rv)
2713 goto loser;
2714
2715 ss->gs.recordLen = 0;
2716 ssl_ReleaseRecvBufLock(ss);
2717
2718 if (ss->handshake == 0) {
2719 return SECSuccess;
2720 }
2721 ss->handshake = ssl_GatherRecord1stHandshake;
2722 ss->nextHandshake = ssl2_HandleMessage;
2723 return SECSuccess;
2724
2725
2726 loser:
2727 ssl_ReleaseRecvBufLock(ss);
2728 return SECFailure;
2729 }
2730
2731 /* Not static because ssl2_GatherData() tests ss->nextHandshake for this value.
2732 * ICK!
2733 * Called from ssl_Do1stHandshake after ssl2_BeginClientHandshake()
2734 */
2735 SECStatus
ssl2_HandleServerHelloMessage(sslSocket * ss)2736 ssl2_HandleServerHelloMessage(sslSocket *ss)
2737 {
2738 sslSessionID * sid;
2739 PRUint8 * cert;
2740 PRUint8 * cs;
2741 PRUint8 * data;
2742 SECStatus rv;
2743 int needed, sidHit, certLen, csLen, cidLen, certType, err;
2744
2745 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
2746
2747 if (!ss->opt.enableSSL2) {
2748 PORT_SetError(SSL_ERROR_SSL2_DISABLED);
2749 return SECFailure;
2750 }
2751
2752 ssl_GetRecvBufLock(ss);
2753
2754 PORT_Assert(ss->sec.ci.sid != 0);
2755 sid = ss->sec.ci.sid;
2756
2757 data = ss->gs.buf.buf + ss->gs.recordOffset;
2758 DUMP_MSG(29, (ss, data, ss->gs.recordLen));
2759
2760 /* Make sure first message has some data and is the server hello message */
2761 if ((ss->gs.recordLen < SSL_HL_SERVER_HELLO_HBYTES)
2762 || (data[0] != SSL_MT_SERVER_HELLO)) {
2763 if ((data[0] == SSL_MT_ERROR) && (ss->gs.recordLen == 3)) {
2764 err = (data[1] << 8) | data[2];
2765 if (err == SSL_PE_NO_CYPHERS) {
2766 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
2767 goto loser;
2768 }
2769 }
2770 goto bad_server;
2771 }
2772
2773 sidHit = data[1];
2774 certType = data[2];
2775 ss->version = (data[3] << 8) | data[4];
2776 certLen = (data[5] << 8) | data[6];
2777 csLen = (data[7] << 8) | data[8];
2778 cidLen = (data[9] << 8) | data[10];
2779 cert = data + SSL_HL_SERVER_HELLO_HBYTES;
2780 cs = cert + certLen;
2781
2782 SSL_TRC(5,
2783 ("%d: SSL[%d]: server-hello, hit=%d vers=%x certLen=%d csLen=%d cidLen=%d",
2784 SSL_GETPID(), ss->fd, sidHit, ss->version, certLen,
2785 csLen, cidLen));
2786 if (ss->version != SSL_LIBRARY_VERSION_2) {
2787 if (ss->version < SSL_LIBRARY_VERSION_2) {
2788 SSL_TRC(3, ("%d: SSL[%d]: demoting self (%x) to server version (%x)",
2789 SSL_GETPID(), ss->fd, SSL_LIBRARY_VERSION_2,
2790 ss->version));
2791 } else {
2792 SSL_TRC(1, ("%d: SSL[%d]: server version is %x (we are %x)",
2793 SSL_GETPID(), ss->fd, ss->version, SSL_LIBRARY_VERSION_2));
2794 /* server claims to be newer but does not follow protocol */
2795 PORT_SetError(SSL_ERROR_UNSUPPORTED_VERSION);
2796 goto loser;
2797 }
2798 }
2799
2800 if ((SSL_HL_SERVER_HELLO_HBYTES + certLen + csLen + cidLen
2801 > ss->gs.recordLen)
2802 || (csLen % 3) != 0
2803 /* || cidLen < SSL_CONNECTIONID_BYTES || cidLen > 32 */
2804 ) {
2805 goto bad_server;
2806 }
2807
2808 /* Save connection-id.
2809 ** This code only saves the first 16 byte of the connectionID.
2810 ** If the connectionID is shorter than 16 bytes, it is zero-padded.
2811 */
2812 if (cidLen < sizeof ss->sec.ci.connectionID)
2813 memset(ss->sec.ci.connectionID, 0, sizeof ss->sec.ci.connectionID);
2814 cidLen = PR_MIN(cidLen, sizeof ss->sec.ci.connectionID);
2815 PORT_Memcpy(ss->sec.ci.connectionID, cs + csLen, cidLen);
2816
2817 /* See if session-id hit */
2818 needed = CIS_HAVE_MASTER_KEY | CIS_HAVE_FINISHED | CIS_HAVE_VERIFY;
2819 if (sidHit) {
2820 if (certLen || csLen) {
2821 /* Uh oh - bogus server */
2822 SSL_DBG(("%d: SSL[%d]: client, huh? hit=%d certLen=%d csLen=%d",
2823 SSL_GETPID(), ss->fd, sidHit, certLen, csLen));
2824 goto bad_server;
2825 }
2826
2827 /* Total winner. */
2828 SSL_TRC(1, ("%d: SSL[%d]: client, using nonce for peer=0x%08x "
2829 "port=0x%04x",
2830 SSL_GETPID(), ss->fd, ss->sec.ci.peer, ss->sec.ci.port));
2831 ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
2832 ss->sec.authAlgorithm = sid->authAlgorithm;
2833 ss->sec.authKeyBits = sid->authKeyBits;
2834 ss->sec.keaType = sid->keaType;
2835 ss->sec.keaKeyBits = sid->keaKeyBits;
2836 rv = ssl2_CreateSessionCypher(ss, sid, PR_TRUE);
2837 if (rv != SECSuccess) {
2838 goto loser;
2839 }
2840 } else {
2841 if (certType != SSL_CT_X509_CERTIFICATE) {
2842 PORT_SetError(SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);
2843 goto loser;
2844 }
2845 if (csLen == 0) {
2846 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
2847 SSL_DBG(("%d: SSL[%d]: no cipher overlap",
2848 SSL_GETPID(), ss->fd));
2849 goto loser;
2850 }
2851 if (certLen == 0) {
2852 SSL_DBG(("%d: SSL[%d]: client, huh? certLen=%d csLen=%d",
2853 SSL_GETPID(), ss->fd, certLen, csLen));
2854 goto bad_server;
2855 }
2856
2857 if (sid->cached != never_cached) {
2858 /* Forget our session-id - server didn't like it */
2859 SSL_TRC(7, ("%d: SSL[%d]: server forgot me, uncaching session-id",
2860 SSL_GETPID(), ss->fd));
2861 if (ss->sec.uncache)
2862 (*ss->sec.uncache)(sid);
2863 ssl_FreeSID(sid);
2864 ss->sec.ci.sid = sid = PORT_ZNew(sslSessionID);
2865 if (!sid) {
2866 goto loser;
2867 }
2868 sid->references = 1;
2869 sid->addr = ss->sec.ci.peer;
2870 sid->port = ss->sec.ci.port;
2871 }
2872
2873 /* decode the server's certificate */
2874 rv = ssl2_ClientHandleServerCert(ss, cert, certLen);
2875 if (rv != SECSuccess) {
2876 if (PORT_GetError() == SSL_ERROR_BAD_CERTIFICATE) {
2877 (void) ssl2_SendErrorMessage(ss, SSL_PE_BAD_CERTIFICATE);
2878 }
2879 goto loser;
2880 }
2881
2882 /* Setup new session cipher */
2883 rv = ssl2_ClientSetupSessionCypher(ss, cs, csLen);
2884 if (rv != SECSuccess) {
2885 if (PORT_GetError() == SSL_ERROR_BAD_CERTIFICATE) {
2886 (void) ssl2_SendErrorMessage(ss, SSL_PE_BAD_CERTIFICATE);
2887 }
2888 goto loser;
2889 }
2890 }
2891
2892 /* Build up final list of required elements */
2893 ss->sec.ci.elements = CIS_HAVE_MASTER_KEY;
2894 ss->sec.ci.requiredElements = needed;
2895
2896 if (!sidHit) {
2897 /* verify the server's certificate. if sidHit, don't check signatures */
2898 rv = (* ss->authCertificate)(ss->authCertificateArg, ss->fd,
2899 (PRBool)(!sidHit), PR_FALSE);
2900 if (rv) {
2901 if (ss->handleBadCert) {
2902 rv = (*ss->handleBadCert)(ss->badCertArg, ss->fd);
2903 if ( rv ) {
2904 if ( rv == SECWouldBlock ) {
2905 SSL_DBG(("%d: SSL[%d]: SSL2 bad cert handler returned "
2906 "SECWouldBlock", SSL_GETPID(), ss->fd));
2907 PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
2908 rv = SECFailure;
2909 } else {
2910 /* cert is bad */
2911 SSL_DBG(("%d: SSL[%d]: server certificate is no good: error=%d",
2912 SSL_GETPID(), ss->fd, PORT_GetError()));
2913 }
2914 goto loser;
2915 }
2916 /* cert is good */
2917 } else {
2918 SSL_DBG(("%d: SSL[%d]: server certificate is no good: error=%d",
2919 SSL_GETPID(), ss->fd, PORT_GetError()));
2920 goto loser;
2921 }
2922 }
2923 }
2924 /*
2925 ** At this point we have a completed session key and our session
2926 ** cipher is setup and ready to go. Switch to encrypted write routine
2927 ** as all future message data is to be encrypted.
2928 */
2929 ssl2_UseEncryptedSendFunc(ss);
2930
2931 rv = ssl2_TryToFinish(ss);
2932 if (rv != SECSuccess)
2933 goto loser;
2934
2935 ss->gs.recordLen = 0;
2936
2937 ssl_ReleaseRecvBufLock(ss);
2938
2939 if (ss->handshake == 0) {
2940 return SECSuccess;
2941 }
2942
2943 SSL_TRC(5, ("%d: SSL[%d]: got server-hello, required=0x%d got=0x%x",
2944 SSL_GETPID(), ss->fd, ss->sec.ci.requiredElements,
2945 ss->sec.ci.elements));
2946 ss->handshake = ssl_GatherRecord1stHandshake;
2947 ss->nextHandshake = ssl2_HandleVerifyMessage;
2948 return SECSuccess;
2949
2950 bad_server:
2951 PORT_SetError(SSL_ERROR_BAD_SERVER);
2952 /* FALL THROUGH */
2953
2954 loser:
2955 ssl_ReleaseRecvBufLock(ss);
2956 return SECFailure;
2957 }
2958
2959 /* Sends out the initial client Hello message on the connection.
2960 * Acquires and releases the socket's xmitBufLock.
2961 */
2962 SECStatus
ssl2_BeginClientHandshake(sslSocket * ss)2963 ssl2_BeginClientHandshake(sslSocket *ss)
2964 {
2965 sslSessionID *sid;
2966 PRUint8 *msg;
2967 PRUint8 *cp;
2968 PRUint8 *localCipherSpecs = NULL;
2969 unsigned int localCipherSize;
2970 unsigned int i;
2971 int sendLen, sidLen = 0;
2972 SECStatus rv;
2973 TLSExtensionData *xtnData;
2974
2975 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
2976
2977 ss->sec.isServer = 0;
2978 ss->sec.sendSequence = 0;
2979 ss->sec.rcvSequence = 0;
2980 ssl_ChooseSessionIDProcs(&ss->sec);
2981
2982 if (!ss->cipherSpecs) {
2983 rv = ssl2_ConstructCipherSpecs(ss);
2984 if (rv != SECSuccess)
2985 goto loser;
2986 }
2987
2988 /* count the SSL2 and SSL3 enabled ciphers.
2989 * if either is zero, clear the socket's enable for that protocol.
2990 */
2991 rv = ssl2_CheckConfigSanity(ss);
2992 if (rv != SECSuccess)
2993 goto loser;
2994
2995 /* Get peer name of server */
2996 rv = ssl_GetPeerInfo(ss);
2997 if (rv < 0) {
2998 #ifdef HPUX11
2999 /*
3000 * On some HP-UX B.11.00 systems, getpeername() occasionally
3001 * fails with ENOTCONN after a successful completion of
3002 * non-blocking connect. I found that if we do a write()
3003 * and then retry getpeername(), it will work.
3004 */
3005 if (PR_GetError() == PR_NOT_CONNECTED_ERROR) {
3006 char dummy;
3007 (void) PR_Write(ss->fd->lower, &dummy, 0);
3008 rv = ssl_GetPeerInfo(ss);
3009 if (rv < 0) {
3010 goto loser;
3011 }
3012 }
3013 #else
3014 goto loser;
3015 #endif
3016 }
3017
3018 SSL_TRC(3, ("%d: SSL[%d]: sending client-hello", SSL_GETPID(), ss->fd));
3019
3020 /* Try to find server in our session-id cache */
3021 if (ss->opt.noCache) {
3022 sid = NULL;
3023 } else {
3024 sid = ssl_LookupSID(&ss->sec.ci.peer, ss->sec.ci.port, ss->peerID,
3025 ss->url);
3026 }
3027 while (sid) { /* this isn't really a loop */
3028 PRBool sidVersionEnabled =
3029 (!SSL3_ALL_VERSIONS_DISABLED(&ss->vrange) &&
3030 sid->version >= ss->vrange.min &&
3031 sid->version <= ss->vrange.max) ||
3032 (sid->version < SSL_LIBRARY_VERSION_3_0 && ss->opt.enableSSL2);
3033
3034 /* if we're not doing this SID's protocol any more, drop it. */
3035 if (!sidVersionEnabled) {
3036 if (ss->sec.uncache)
3037 ss->sec.uncache(sid);
3038 ssl_FreeSID(sid);
3039 sid = NULL;
3040 break;
3041 }
3042 if (sid->version < SSL_LIBRARY_VERSION_3_0) {
3043 /* If the cipher in this sid is not enabled, drop it. */
3044 for (i = 0; i < ss->sizeCipherSpecs; i += 3) {
3045 if (ss->cipherSpecs[i] == sid->u.ssl2.cipherType)
3046 break;
3047 }
3048 if (i >= ss->sizeCipherSpecs) {
3049 if (ss->sec.uncache)
3050 ss->sec.uncache(sid);
3051 ssl_FreeSID(sid);
3052 sid = NULL;
3053 break;
3054 }
3055 }
3056 sidLen = sizeof(sid->u.ssl2.sessionID);
3057 PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl2.sessionID,
3058 sidLen));
3059 ss->version = sid->version;
3060 PORT_Assert(!ss->sec.localCert);
3061 if (ss->sec.localCert) {
3062 CERT_DestroyCertificate(ss->sec.localCert);
3063 }
3064 ss->sec.localCert = CERT_DupCertificate(sid->localCert);
3065 break; /* this isn't really a loop */
3066 }
3067 if (!sid) {
3068 sidLen = 0;
3069 sid = PORT_ZNew(sslSessionID);
3070 if (!sid) {
3071 goto loser;
3072 }
3073 sid->references = 1;
3074 sid->cached = never_cached;
3075 sid->addr = ss->sec.ci.peer;
3076 sid->port = ss->sec.ci.port;
3077 if (ss->peerID != NULL) {
3078 sid->peerID = PORT_Strdup(ss->peerID);
3079 }
3080 if (ss->url != NULL) {
3081 sid->urlSvrName = PORT_Strdup(ss->url);
3082 }
3083 }
3084 ss->sec.ci.sid = sid;
3085
3086 PORT_Assert(sid != NULL);
3087
3088 if ((sid->version >= SSL_LIBRARY_VERSION_3_0 || !ss->opt.v2CompatibleHello) &&
3089 !SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
3090 ss->gs.state = GS_INIT;
3091 ss->handshake = ssl_GatherRecord1stHandshake;
3092
3093 /* ssl3_SendClientHello will override this if it succeeds. */
3094 ss->version = SSL_LIBRARY_VERSION_3_0;
3095
3096 ssl_GetSSL3HandshakeLock(ss);
3097 ssl_GetXmitBufLock(ss);
3098 rv = ssl3_SendClientHello(ss, PR_FALSE);
3099 ssl_ReleaseXmitBufLock(ss);
3100 ssl_ReleaseSSL3HandshakeLock(ss);
3101
3102 return rv;
3103 }
3104 #if defined(NSS_ENABLE_ECC)
3105 /* ensure we don't neogtiate ECC cipher suites with SSL2 hello */
3106 ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */
3107 if (ss->cipherSpecs != NULL) {
3108 PORT_Free(ss->cipherSpecs);
3109 ss->cipherSpecs = NULL;
3110 ss->sizeCipherSpecs = 0;
3111 }
3112 #endif
3113
3114 if (!ss->cipherSpecs) {
3115 rv = ssl2_ConstructCipherSpecs(ss);
3116 if (rv < 0) {
3117 return rv;
3118 }
3119 }
3120 localCipherSpecs = ss->cipherSpecs;
3121 localCipherSize = ss->sizeCipherSpecs;
3122
3123 /* Add 3 for SCSV */
3124 sendLen = SSL_HL_CLIENT_HELLO_HBYTES + localCipherSize + 3 + sidLen +
3125 SSL_CHALLENGE_BYTES;
3126
3127 /* Generate challenge bytes for server */
3128 PK11_GenerateRandom(ss->sec.ci.clientChallenge, SSL_CHALLENGE_BYTES);
3129
3130 ssl_GetXmitBufLock(ss); /***************************************/
3131
3132 rv = ssl2_GetSendBuffer(ss, sendLen);
3133 if (rv)
3134 goto unlock_loser;
3135
3136 /* Construct client-hello message */
3137 cp = msg = ss->sec.ci.sendBuf.buf;
3138 msg[0] = SSL_MT_CLIENT_HELLO;
3139 ss->clientHelloVersion = SSL3_ALL_VERSIONS_DISABLED(&ss->vrange) ?
3140 SSL_LIBRARY_VERSION_2 : ss->vrange.max;
3141
3142 msg[1] = MSB(ss->clientHelloVersion);
3143 msg[2] = LSB(ss->clientHelloVersion);
3144 /* Add 3 for SCSV */
3145 msg[3] = MSB(localCipherSize + 3);
3146 msg[4] = LSB(localCipherSize + 3);
3147 msg[5] = MSB(sidLen);
3148 msg[6] = LSB(sidLen);
3149 msg[7] = MSB(SSL_CHALLENGE_BYTES);
3150 msg[8] = LSB(SSL_CHALLENGE_BYTES);
3151 cp += SSL_HL_CLIENT_HELLO_HBYTES;
3152 PORT_Memcpy(cp, localCipherSpecs, localCipherSize);
3153 cp += localCipherSize;
3154 /*
3155 * Add SCSV. SSL 2.0 cipher suites are listed before SSL 3.0 cipher
3156 * suites in localCipherSpecs for compatibility with SSL 2.0 servers.
3157 * Since SCSV looks like an SSL 3.0 cipher suite, we can't add it at
3158 * the beginning.
3159 */
3160 cp[0] = 0x00;
3161 cp[1] = 0x00;
3162 cp[2] = 0xff;
3163 cp += 3;
3164 if (sidLen) {
3165 PORT_Memcpy(cp, sid->u.ssl2.sessionID, sidLen);
3166 cp += sidLen;
3167 }
3168 PORT_Memcpy(cp, ss->sec.ci.clientChallenge, SSL_CHALLENGE_BYTES);
3169
3170 /* Send it to the server */
3171 DUMP_MSG(29, (ss, msg, sendLen));
3172 ss->handshakeBegun = 1;
3173 rv = (*ss->sec.send)(ss, msg, sendLen, 0);
3174
3175 ssl_ReleaseXmitBufLock(ss); /***************************************/
3176
3177 if (rv < 0) {
3178 goto loser;
3179 }
3180
3181 rv = ssl3_StartHandshakeHash(ss, msg, sendLen);
3182 if (rv < 0) {
3183 goto loser;
3184 }
3185
3186 /*
3187 * Since we sent the SCSV, pretend we sent empty RI extension. We need
3188 * to record the extension has been advertised after ssl3_InitState has
3189 * been called, which ssl3_StartHandshakeHash took care for us above.
3190 */
3191 xtnData = &ss->xtnData;
3192 xtnData->advertised[xtnData->numAdvertised++] = ssl_renegotiation_info_xtn;
3193
3194 /* Setup to receive servers hello message */
3195 ssl_GetRecvBufLock(ss);
3196 ss->gs.recordLen = 0;
3197 ssl_ReleaseRecvBufLock(ss);
3198
3199 ss->handshake = ssl_GatherRecord1stHandshake;
3200 ss->nextHandshake = ssl2_HandleServerHelloMessage;
3201 return SECSuccess;
3202
3203 unlock_loser:
3204 ssl_ReleaseXmitBufLock(ss);
3205 loser:
3206 return SECFailure;
3207 }
3208
3209 /************************************************************************/
3210
3211 /* Handle the CLIENT-MASTER-KEY message.
3212 ** Acquires and releases RecvBufLock.
3213 ** Called from ssl2_HandleClientHelloMessage().
3214 */
3215 static SECStatus
ssl2_HandleClientSessionKeyMessage(sslSocket * ss)3216 ssl2_HandleClientSessionKeyMessage(sslSocket *ss)
3217 {
3218 PRUint8 * data;
3219 unsigned int caLen;
3220 unsigned int ckLen;
3221 unsigned int ekLen;
3222 unsigned int keyBits;
3223 int cipher;
3224 SECStatus rv;
3225
3226
3227 ssl_GetRecvBufLock(ss);
3228
3229 data = ss->gs.buf.buf + ss->gs.recordOffset;
3230 DUMP_MSG(29, (ss, data, ss->gs.recordLen));
3231
3232 if ((ss->gs.recordLen < SSL_HL_CLIENT_MASTER_KEY_HBYTES)
3233 || (data[0] != SSL_MT_CLIENT_MASTER_KEY)) {
3234 goto bad_client;
3235 }
3236 cipher = data[1];
3237 keyBits = (data[2] << 8) | data[3];
3238 ckLen = (data[4] << 8) | data[5];
3239 ekLen = (data[6] << 8) | data[7];
3240 caLen = (data[8] << 8) | data[9];
3241
3242 SSL_TRC(5, ("%d: SSL[%d]: session-key, cipher=%d keyBits=%d ckLen=%d ekLen=%d caLen=%d",
3243 SSL_GETPID(), ss->fd, cipher, keyBits, ckLen, ekLen, caLen));
3244
3245 if (ss->gs.recordLen <
3246 SSL_HL_CLIENT_MASTER_KEY_HBYTES + ckLen + ekLen + caLen) {
3247 SSL_DBG(("%d: SSL[%d]: protocol size mismatch dataLen=%d",
3248 SSL_GETPID(), ss->fd, ss->gs.recordLen));
3249 goto bad_client;
3250 }
3251
3252 /* Use info from client to setup session key */
3253 rv = ssl2_ServerSetupSessionCypher(ss, cipher, keyBits,
3254 data + SSL_HL_CLIENT_MASTER_KEY_HBYTES, ckLen,
3255 data + SSL_HL_CLIENT_MASTER_KEY_HBYTES + ckLen, ekLen,
3256 data + SSL_HL_CLIENT_MASTER_KEY_HBYTES + ckLen + ekLen, caLen);
3257 ss->gs.recordLen = 0; /* we're done with this record. */
3258
3259 ssl_ReleaseRecvBufLock(ss);
3260
3261 if (rv != SECSuccess) {
3262 goto loser;
3263 }
3264 ss->sec.ci.elements |= CIS_HAVE_MASTER_KEY;
3265 ssl2_UseEncryptedSendFunc(ss);
3266
3267 /* Send server verify message now that keys are established */
3268 rv = ssl2_SendServerVerifyMessage(ss);
3269 if (rv != SECSuccess)
3270 goto loser;
3271
3272 rv = ssl2_TryToFinish(ss);
3273 if (rv != SECSuccess)
3274 goto loser;
3275 if (ss->handshake == 0) {
3276 return SECSuccess;
3277 }
3278
3279 SSL_TRC(5, ("%d: SSL[%d]: server: waiting for elements=0x%d",
3280 SSL_GETPID(), ss->fd,
3281 ss->sec.ci.requiredElements ^ ss->sec.ci.elements));
3282 ss->handshake = ssl_GatherRecord1stHandshake;
3283 ss->nextHandshake = ssl2_HandleMessage;
3284
3285 return ssl2_TriggerNextMessage(ss);
3286
3287 bad_client:
3288 ssl_ReleaseRecvBufLock(ss);
3289 PORT_SetError(SSL_ERROR_BAD_CLIENT);
3290 /* FALLTHROUGH */
3291
3292 loser:
3293 return SECFailure;
3294 }
3295
3296 /*
3297 ** Handle the initial hello message from the client
3298 **
3299 ** not static because ssl2_GatherData() tests ss->nextHandshake for this value.
3300 */
3301 SECStatus
ssl2_HandleClientHelloMessage(sslSocket * ss)3302 ssl2_HandleClientHelloMessage(sslSocket *ss)
3303 {
3304 sslSessionID *sid;
3305 sslServerCerts * sc;
3306 CERTCertificate *serverCert;
3307 PRUint8 *msg;
3308 PRUint8 *data;
3309 PRUint8 *cs;
3310 PRUint8 *sd;
3311 PRUint8 *cert = NULL;
3312 PRUint8 *challenge;
3313 unsigned int challengeLen;
3314 SECStatus rv;
3315 int csLen;
3316 int sendLen;
3317 int sdLen;
3318 int certLen;
3319 int pid;
3320 int sent;
3321 int gotXmitBufLock = 0;
3322 #if defined(SOLARIS) && defined(i386)
3323 volatile PRUint8 hit;
3324 #else
3325 int hit;
3326 #endif
3327 PRUint8 csImpl[sizeof implementedCipherSuites];
3328
3329 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
3330
3331 sc = ss->serverCerts + kt_rsa;
3332 serverCert = sc->serverCert;
3333
3334 ssl_GetRecvBufLock(ss);
3335
3336
3337 data = ss->gs.buf.buf + ss->gs.recordOffset;
3338 DUMP_MSG(29, (ss, data, ss->gs.recordLen));
3339
3340 /* Make sure first message has some data and is the client hello message */
3341 if ((ss->gs.recordLen < SSL_HL_CLIENT_HELLO_HBYTES)
3342 || (data[0] != SSL_MT_CLIENT_HELLO)) {
3343 goto bad_client;
3344 }
3345
3346 /* Get peer name of client */
3347 rv = ssl_GetPeerInfo(ss);
3348 if (rv != SECSuccess) {
3349 goto loser;
3350 }
3351
3352 /* Examine version information */
3353 /*
3354 * See if this might be a V2 client hello asking to use the V3 protocol
3355 */
3356 if ((data[0] == SSL_MT_CLIENT_HELLO) &&
3357 (data[1] >= MSB(SSL_LIBRARY_VERSION_3_0)) &&
3358 !SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
3359 rv = ssl3_HandleV2ClientHello(ss, data, ss->gs.recordLen);
3360 if (rv != SECFailure) { /* Success */
3361 ss->handshake = NULL;
3362 ss->nextHandshake = ssl_GatherRecord1stHandshake;
3363 ss->securityHandshake = NULL;
3364 ss->gs.state = GS_INIT;
3365
3366 /* ssl3_HandleV3ClientHello has set ss->version,
3367 ** and has gotten us a brand new sid.
3368 */
3369 ss->sec.ci.sid->version = ss->version;
3370 }
3371 ssl_ReleaseRecvBufLock(ss);
3372 return rv;
3373 }
3374 /* Previously, there was a test here to see if SSL2 was enabled.
3375 ** If not, an error code was set, and SECFailure was returned,
3376 ** without sending any error code to the other end of the connection.
3377 ** That test has been removed. If SSL2 has been disabled, there
3378 ** should be no SSL2 ciphers enabled, and consequently, the code
3379 ** below should send the ssl2 error message SSL_PE_NO_CYPHERS.
3380 ** We now believe this is the correct thing to do, even when SSL2
3381 ** has been explicitly disabled by the application.
3382 */
3383
3384 /* Extract info from message */
3385 ss->version = (data[1] << 8) | data[2];
3386
3387 /* If some client thinks ssl v2 is 2.0 instead of 0.2, we'll allow it. */
3388 if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
3389 ss->version = SSL_LIBRARY_VERSION_2;
3390 }
3391
3392 csLen = (data[3] << 8) | data[4];
3393 sdLen = (data[5] << 8) | data[6];
3394 challengeLen = (data[7] << 8) | data[8];
3395 cs = data + SSL_HL_CLIENT_HELLO_HBYTES;
3396 sd = cs + csLen;
3397 challenge = sd + sdLen;
3398 PRINT_BUF(7, (ss, "server, client session-id value:", sd, sdLen));
3399
3400 if (!csLen || (csLen % 3) != 0 ||
3401 (sdLen != 0 && sdLen != SSL2_SESSIONID_BYTES) ||
3402 challengeLen < SSL_MIN_CHALLENGE_BYTES ||
3403 challengeLen > SSL_MAX_CHALLENGE_BYTES ||
3404 (unsigned)ss->gs.recordLen !=
3405 SSL_HL_CLIENT_HELLO_HBYTES + csLen + sdLen + challengeLen) {
3406 SSL_DBG(("%d: SSL[%d]: bad client hello message, len=%d should=%d",
3407 SSL_GETPID(), ss->fd, ss->gs.recordLen,
3408 SSL_HL_CLIENT_HELLO_HBYTES+csLen+sdLen+challengeLen));
3409 goto bad_client;
3410 }
3411
3412 SSL_TRC(3, ("%d: SSL[%d]: client version is %x",
3413 SSL_GETPID(), ss->fd, ss->version));
3414 if (ss->version != SSL_LIBRARY_VERSION_2) {
3415 if (ss->version > SSL_LIBRARY_VERSION_2) {
3416 /*
3417 ** Newer client than us. Things are ok because new clients
3418 ** are required to be backwards compatible with old servers.
3419 ** Change version number to our version number so that client
3420 ** knows whats up.
3421 */
3422 ss->version = SSL_LIBRARY_VERSION_2;
3423 } else {
3424 SSL_TRC(1, ("%d: SSL[%d]: client version is %x (we are %x)",
3425 SSL_GETPID(), ss->fd, ss->version, SSL_LIBRARY_VERSION_2));
3426 PORT_SetError(SSL_ERROR_UNSUPPORTED_VERSION);
3427 goto loser;
3428 }
3429 }
3430
3431 /* Qualify cipher specs before returning them to client */
3432 csLen = ssl2_QualifyCypherSpecs(ss, cs, csLen);
3433 if (csLen == 0) {
3434 /* no overlap, send client our list of supported SSL v2 ciphers. */
3435 cs = csImpl;
3436 csLen = sizeof implementedCipherSuites;
3437 PORT_Memcpy(cs, implementedCipherSuites, csLen);
3438 csLen = ssl2_QualifyCypherSpecs(ss, cs, csLen);
3439 if (csLen == 0) {
3440 /* We don't support any SSL v2 ciphers! */
3441 ssl2_SendErrorMessage(ss, SSL_PE_NO_CYPHERS);
3442 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
3443 goto loser;
3444 }
3445 /* Since this handhsake is going to fail, don't cache it. */
3446 ss->opt.noCache = 1;
3447 }
3448
3449 /* Squirrel away the challenge for later */
3450 PORT_Memcpy(ss->sec.ci.clientChallenge, challenge, challengeLen);
3451
3452 /* Examine message and see if session-id is good */
3453 ss->sec.ci.elements = 0;
3454 if (sdLen > 0 && !ss->opt.noCache) {
3455 SSL_TRC(7, ("%d: SSL[%d]: server, lookup client session-id for 0x%08x%08x%08x%08x",
3456 SSL_GETPID(), ss->fd, ss->sec.ci.peer.pr_s6_addr32[0],
3457 ss->sec.ci.peer.pr_s6_addr32[1],
3458 ss->sec.ci.peer.pr_s6_addr32[2],
3459 ss->sec.ci.peer.pr_s6_addr32[3]));
3460 sid = (*ssl_sid_lookup)(&ss->sec.ci.peer, sd, sdLen, ss->dbHandle);
3461 } else {
3462 sid = NULL;
3463 }
3464 if (sid) {
3465 /* Got a good session-id. Short cut! */
3466 SSL_TRC(1, ("%d: SSL[%d]: server, using session-id for 0x%08x (age=%d)",
3467 SSL_GETPID(), ss->fd, ss->sec.ci.peer,
3468 ssl_Time() - sid->creationTime));
3469 PRINT_BUF(1, (ss, "session-id value:", sd, sdLen));
3470 ss->sec.ci.sid = sid;
3471 ss->sec.ci.elements = CIS_HAVE_MASTER_KEY;
3472 hit = 1;
3473 certLen = 0;
3474 csLen = 0;
3475
3476 ss->sec.authAlgorithm = sid->authAlgorithm;
3477 ss->sec.authKeyBits = sid->authKeyBits;
3478 ss->sec.keaType = sid->keaType;
3479 ss->sec.keaKeyBits = sid->keaKeyBits;
3480
3481 rv = ssl2_CreateSessionCypher(ss, sid, PR_FALSE);
3482 if (rv != SECSuccess) {
3483 goto loser;
3484 }
3485 } else {
3486 SECItem * derCert = &serverCert->derCert;
3487
3488 SSL_TRC(7, ("%d: SSL[%d]: server, lookup nonce missed",
3489 SSL_GETPID(), ss->fd));
3490 if (!serverCert) {
3491 SET_ERROR_CODE
3492 goto loser;
3493 }
3494 hit = 0;
3495 sid = PORT_ZNew(sslSessionID);
3496 if (!sid) {
3497 goto loser;
3498 }
3499 sid->references = 1;
3500 sid->addr = ss->sec.ci.peer;
3501 sid->port = ss->sec.ci.port;
3502
3503 /* Invent a session-id */
3504 ss->sec.ci.sid = sid;
3505 PK11_GenerateRandom(sid->u.ssl2.sessionID+2, SSL2_SESSIONID_BYTES-2);
3506
3507 pid = SSL_GETPID();
3508 sid->u.ssl2.sessionID[0] = MSB(pid);
3509 sid->u.ssl2.sessionID[1] = LSB(pid);
3510 cert = derCert->data;
3511 certLen = derCert->len;
3512
3513 /* pretend that server sids remember the local cert. */
3514 PORT_Assert(!sid->localCert);
3515 if (sid->localCert) {
3516 CERT_DestroyCertificate(sid->localCert);
3517 }
3518 sid->localCert = CERT_DupCertificate(serverCert);
3519
3520 ss->sec.authAlgorithm = ssl_sign_rsa;
3521 ss->sec.keaType = ssl_kea_rsa;
3522 ss->sec.keaKeyBits = \
3523 ss->sec.authKeyBits = ss->serverCerts[kt_rsa].serverKeyBits;
3524 }
3525
3526 /* server sids don't remember the local cert, so whether we found
3527 ** a sid or not, just "remember" we used the rsa server cert.
3528 */
3529 if (ss->sec.localCert) {
3530 CERT_DestroyCertificate(ss->sec.localCert);
3531 }
3532 ss->sec.localCert = CERT_DupCertificate(serverCert);
3533
3534 /* Build up final list of required elements */
3535 ss->sec.ci.requiredElements = CIS_HAVE_MASTER_KEY | CIS_HAVE_FINISHED;
3536 if (ss->opt.requestCertificate) {
3537 ss->sec.ci.requiredElements |= CIS_HAVE_CERTIFICATE;
3538 }
3539 ss->sec.ci.sentElements = 0;
3540
3541 /* Send hello message back to client */
3542 sendLen = SSL_HL_SERVER_HELLO_HBYTES + certLen + csLen
3543 + SSL_CONNECTIONID_BYTES;
3544
3545 ssl_GetXmitBufLock(ss); gotXmitBufLock = 1;
3546 rv = ssl2_GetSendBuffer(ss, sendLen);
3547 if (rv != SECSuccess) {
3548 goto loser;
3549 }
3550
3551 SSL_TRC(3, ("%d: SSL[%d]: sending server-hello (%d)",
3552 SSL_GETPID(), ss->fd, sendLen));
3553
3554 msg = ss->sec.ci.sendBuf.buf;
3555 msg[0] = SSL_MT_SERVER_HELLO;
3556 msg[1] = hit;
3557 msg[2] = SSL_CT_X509_CERTIFICATE;
3558 msg[3] = MSB(ss->version);
3559 msg[4] = LSB(ss->version);
3560 msg[5] = MSB(certLen);
3561 msg[6] = LSB(certLen);
3562 msg[7] = MSB(csLen);
3563 msg[8] = LSB(csLen);
3564 msg[9] = MSB(SSL_CONNECTIONID_BYTES);
3565 msg[10] = LSB(SSL_CONNECTIONID_BYTES);
3566 if (certLen) {
3567 PORT_Memcpy(msg+SSL_HL_SERVER_HELLO_HBYTES, cert, certLen);
3568 }
3569 if (csLen) {
3570 PORT_Memcpy(msg+SSL_HL_SERVER_HELLO_HBYTES+certLen, cs, csLen);
3571 }
3572 PORT_Memcpy(msg+SSL_HL_SERVER_HELLO_HBYTES+certLen+csLen,
3573 ss->sec.ci.connectionID, SSL_CONNECTIONID_BYTES);
3574
3575 DUMP_MSG(29, (ss, msg, sendLen));
3576
3577 ss->handshakeBegun = 1;
3578 sent = (*ss->sec.send)(ss, msg, sendLen, 0);
3579 if (sent < 0) {
3580 goto loser;
3581 }
3582 ssl_ReleaseXmitBufLock(ss); gotXmitBufLock = 0;
3583
3584 ss->gs.recordLen = 0;
3585 ss->handshake = ssl_GatherRecord1stHandshake;
3586 if (hit) {
3587 /* Old SID Session key is good. Go encrypted */
3588 ssl2_UseEncryptedSendFunc(ss);
3589
3590 /* Send server verify message now that keys are established */
3591 rv = ssl2_SendServerVerifyMessage(ss);
3592 if (rv != SECSuccess)
3593 goto loser;
3594
3595 ss->nextHandshake = ssl2_HandleMessage;
3596 ssl_ReleaseRecvBufLock(ss);
3597 rv = ssl2_TriggerNextMessage(ss);
3598 return rv;
3599 }
3600 ss->nextHandshake = ssl2_HandleClientSessionKeyMessage;
3601 ssl_ReleaseRecvBufLock(ss);
3602 return SECSuccess;
3603
3604 bad_client:
3605 PORT_SetError(SSL_ERROR_BAD_CLIENT);
3606 /* FALLTHROUGH */
3607
3608 loser:
3609 if (gotXmitBufLock) {
3610 ssl_ReleaseXmitBufLock(ss); gotXmitBufLock = 0;
3611 }
3612 SSL_TRC(10, ("%d: SSL[%d]: server, wait for client-hello lossage",
3613 SSL_GETPID(), ss->fd));
3614 ssl_ReleaseRecvBufLock(ss);
3615 return SECFailure;
3616 }
3617
3618 SECStatus
ssl2_BeginServerHandshake(sslSocket * ss)3619 ssl2_BeginServerHandshake(sslSocket *ss)
3620 {
3621 SECStatus rv;
3622 sslServerCerts * rsaAuth = ss->serverCerts + kt_rsa;
3623
3624 ss->sec.isServer = 1;
3625 ssl_ChooseSessionIDProcs(&ss->sec);
3626 ss->sec.sendSequence = 0;
3627 ss->sec.rcvSequence = 0;
3628
3629 /* don't turn on SSL2 if we don't have an RSA key and cert */
3630 if (!rsaAuth->serverKeyPair || !rsaAuth->SERVERKEY ||
3631 !rsaAuth->serverCert) {
3632 ss->opt.enableSSL2 = PR_FALSE;
3633 }
3634
3635 if (!ss->cipherSpecs) {
3636 rv = ssl2_ConstructCipherSpecs(ss);
3637 if (rv != SECSuccess)
3638 goto loser;
3639 }
3640
3641 /* count the SSL2 and SSL3 enabled ciphers.
3642 * if either is zero, clear the socket's enable for that protocol.
3643 */
3644 rv = ssl2_CheckConfigSanity(ss);
3645 if (rv != SECSuccess)
3646 goto loser;
3647
3648 /*
3649 ** Generate connection-id. Always do this, even if things fail
3650 ** immediately. This way the random number generator is always
3651 ** rolling around, every time we get a connection.
3652 */
3653 PK11_GenerateRandom(ss->sec.ci.connectionID,
3654 sizeof(ss->sec.ci.connectionID));
3655
3656 ss->gs.recordLen = 0;
3657 ss->handshake = ssl_GatherRecord1stHandshake;
3658 ss->nextHandshake = ssl2_HandleClientHelloMessage;
3659 return SECSuccess;
3660
3661 loser:
3662 return SECFailure;
3663 }
3664
3665 /* This function doesn't really belong in this file.
3666 ** It's here to keep AIX compilers from optimizing it away,
3667 ** and not including it in the DSO.
3668 */
3669
3670 #include "nss.h"
3671 extern const char __nss_ssl_rcsid[];
3672 extern const char __nss_ssl_sccsid[];
3673
3674 PRBool
NSSSSL_VersionCheck(const char * importedVersion)3675 NSSSSL_VersionCheck(const char *importedVersion)
3676 {
3677 /*
3678 * This is the secret handshake algorithm.
3679 *
3680 * This release has a simple version compatibility
3681 * check algorithm. This release is not backward
3682 * compatible with previous major releases. It is
3683 * not compatible with future major, minor, or
3684 * patch releases.
3685 */
3686 volatile char c; /* force a reference that won't get optimized away */
3687
3688 c = __nss_ssl_rcsid[0] + __nss_ssl_sccsid[0];
3689 return NSS_VersionCheck(importedVersion);
3690 }
3691
3692 const char *
NSSSSL_GetVersion(void)3693 NSSSSL_GetVersion(void)
3694 {
3695 return NSS_VERSION;
3696 }
3697