Bug 1414735 - Upgrade Firefox to NSS 3.35, r=franziskus UPGRADE_NSS_RELEASE

MozReview-Commit-ID: 6hDnHCWVeWz

--HG--
extra : rebase_source : 4bf98010c7afefe9bc0f2da240bb676bd82496b6
This commit is contained in:
Martin Thomson 2017-11-07 12:24:58 +11:00
parent 135158086d
commit 195dbda63e
43 changed files with 1006 additions and 502 deletions

View File

@ -1915,7 +1915,7 @@ MOZ_ARG_WITH_BOOL(system-nss,
_USE_SYSTEM_NSS=1 )
if test -n "$_USE_SYSTEM_NSS"; then
AM_PATH_NSS(3.34, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
AM_PATH_NSS(3.35, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
fi
if test -n "$MOZ_SYSTEM_NSS"; then

View File

@ -75,7 +75,7 @@ namespace {
// 0 means no override 1->4 are 1.0, 1.1, 1.2, 1.3, 4->7 unused
// bits 3-5 (mask 0x38) specify the tls fallback limit
// 0 means no override, values 1->4 match prefs
// bit 6 (mask 0x40) specifies use of SSL_AltServerHelloType on handshake
// bit 6 (mask 0x40) specifies use of SSL_AltHandshakeType on handshake
enum {
kTLSProviderFlagMaxVersion10 = 0x01,
@ -94,7 +94,7 @@ static uint32_t getTLSProviderFlagFallbackLimit(uint32_t flags)
return (flags & 0x38) >> 3;
}
static bool getTLSProviderFlagAltServerHello(uint32_t flags)
static bool getTLSProviderFlagAltHandshake(uint32_t flags)
{
return (flags & 0x40);
}
@ -2601,13 +2601,13 @@ nsSSLIOLayerSetOptions(PRFileDesc* fd, bool forSTARTTLS,
}
}
// enabling alternative server hello
if (getTLSProviderFlagAltServerHello(infoObject->GetProviderTlsFlags())) {
// enabling alternative handshake
if (getTLSProviderFlagAltHandshake(infoObject->GetProviderTlsFlags())) {
MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
("[%p] nsSSLIOLayerSetOptions: Use AltServerHello\n", fd));
if (SECSuccess != SSL_UseAltServerHelloType(fd, PR_TRUE)) {
("[%p] nsSSLIOLayerSetOptions: Use AltHandshake\n", fd));
if (SECSuccess != SSL_UseAltHandshakeType(fd, PR_TRUE)) {
MOZ_LOG(gPIPNSSLog, LogLevel::Error,
("[%p] nsSSLIOLayerSetOptions: Use AltServerHello failed\n", fd));
("[%p] nsSSLIOLayerSetOptions: Use AltHandshake failed\n", fd));
// continue on default path
}
}

View File

@ -1 +1 @@
NSS_3_34_BETA1
de7e5e67e878

View File

@ -1,11 +0,0 @@
Functions changes summary: 0 Removed, 0 Changed, 4 Added functions
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
4 Added functions:
'function SECItem* SEC_CreateSignatureAlgorithmParameters(SECItem*, SECOidTag, SECOidTag, const SECItem*, const SECKEYPrivateKey*)' {SEC_CreateSignatureAlgorithmParameters@@NSS_3.34}
'function SECStatus SEC_DerSignDataWithAlgorithmID(SECItem*, const unsigned char*, int, SECKEYPrivateKey*, SECAlgorithmID*)' {SEC_DerSignDataWithAlgorithmID@@NSS_3.34}
'function SECStatus SEC_SignDataWithAlgorithmID(SECItem*, const unsigned char*, int, SECKEYPrivateKey*, SECAlgorithmID*)' {SEC_SignDataWithAlgorithmID@@NSS_3.34}
'function void SGN_NewContextWithAlgorithmID(SECAlgorithmID*, SECKEYPrivateKey*)' {SGN_NewContextWithAlgorithmID@@NSS_3.34}

View File

@ -1,15 +0,0 @@
Functions changes summary: 0 Removed, 1 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
1 function with some indirect sub-type change:
[C]'function SECStatus SSL_GetChannelInfo(SSLChannelInfo*, PRUintn)' at sslinfo.c:26:1 has some indirect sub-type changes:
parameter 1 of type 'SSLChannelInfo*' has sub-type changes:
in pointed to type 'typedef SSLChannelInfo' at sslt.h:288:1:
underlying type 'struct SSLChannelInfoStr' at sslt.h:229:1 changed:
type size changed from 896 to 960 bits
2 data member insertions:
'SSLNamedGroup SSLChannelInfoStr::originalKeaGroup', at offset 864 (in bits) at sslt.h:281:1
'PRBool SSLChannelInfoStr::resumed', at offset 896 (in bits) at sslt.h:284:1

View File

@ -1 +1 @@
NSS_3_33_BRANCH
NSS_3_34_BRANCH

View File

@ -252,7 +252,7 @@ PrintParameterUsage(void)
"%-20s The following values are valid:\n"
"%-20s P256, P384, P521, x25519, FF2048, FF3072, FF4096, FF6144, FF8192\n",
"-I", "", "");
fprintf(stderr, "%-20s Enable alternate content type for TLS 1.3 ServerHello\n", "-X alt-server-hello");
fprintf(stderr, "%-20s Enable alternative TLS 1.3 handshake\n", "-X alt-server-hello");
}
static void
@ -1183,7 +1183,7 @@ run_client(void)
/* Alternate ServerHello content type (TLS 1.3 only) */
if (enableAltServerHello) {
rv = SSL_UseAltServerHelloType(s, PR_TRUE);
rv = SSL_UseAltHandshakeType(s, PR_TRUE);
if (rv != SECSuccess) {
SECU_PrintError(progName, "error enabling alternate ServerHello type");
error = 1;

View File

@ -10,4 +10,3 @@
*/
#error "Do not include this header file."

View File

@ -10,7 +10,7 @@
#include <cassert>
#include <vector>
std::vector<uint8_t> hex_string_to_bytes(std::string s) {
static inline std::vector<uint8_t> hex_string_to_bytes(std::string s) {
std::vector<uint8_t> bytes;
for (size_t i = 0; i < s.length(); i += 2) {
bytes.push_back(std::stoul(s.substr(i, 2), nullptr, 16));

View File

@ -11,6 +11,7 @@ CPPSRCS = \
pk11_chacha20poly1305_unittest.cc \
pk11_curve25519_unittest.cc \
pk11_ecdsa_unittest.cc \
pk11_encrypt_derive_unittest.cc \
pk11_export_unittest.cc \
pk11_pbkdf2_unittest.cc \
pk11_prf_unittest.cc \

View File

@ -16,6 +16,7 @@
'pk11_chacha20poly1305_unittest.cc',
'pk11_curve25519_unittest.cc',
'pk11_ecdsa_unittest.cc',
'pk11_encrypt_derive_unittest.cc',
'pk11_pbkdf2_unittest.cc',
'pk11_prf_unittest.cc',
'pk11_prng_unittest.cc',

View File

@ -40,12 +40,12 @@ SECStatus SSLInt_UpdateSSLv2ClientRandom(PRFileDesc *fd, uint8_t *rnd,
// Ensure we don't overrun hs.client_random.
rnd_len = PR_MIN(SSL3_RANDOM_LENGTH, rnd_len);
// Zero the client_random struct.
PORT_Memset(&ss->ssl3.hs.client_random, 0, SSL3_RANDOM_LENGTH);
// Zero the client_random.
PORT_Memset(ss->ssl3.hs.client_random, 0, SSL3_RANDOM_LENGTH);
// Copy over the challenge bytes.
size_t offset = SSL3_RANDOM_LENGTH - rnd_len;
PORT_Memcpy(&ss->ssl3.hs.client_random.rand[offset], rnd, rnd_len);
PORT_Memcpy(ss->ssl3.hs.client_random + offset, rnd, rnd_len);
// Rehash the SSLv2 client hello message.
return ssl3_UpdateHandshakeHashes(ss, msg, msg_len);

View File

@ -14,6 +14,7 @@ CSRCS = \
CPPSRCS = \
ssl_0rtt_unittest.cc \
ssl_agent_unittest.cc \
ssl_alths_unittest.cc \
ssl_auth_unittest.cc \
ssl_cert_ext_unittest.cc \
ssl_ciphersuite_unittest.cc \

View File

@ -1079,10 +1079,6 @@ TEST_P(TlsBogusExtensionTest13, AddBogusExtensionHelloRetryRequest) {
Run(kTlsHandshakeHelloRetryRequest);
}
TEST_P(TlsBogusExtensionTest13, AddVersionExtensionServerHello) {
Run(kTlsHandshakeServerHello, ssl_tls13_supported_versions_xtn);
}
TEST_P(TlsBogusExtensionTest13, AddVersionExtensionEncryptedExtensions) {
Run(kTlsHandshakeEncryptedExtensions, ssl_tls13_supported_versions_xtn);
}

View File

@ -15,6 +15,7 @@
'selfencrypt_unittest.cc',
'ssl_0rtt_unittest.cc',
'ssl_agent_unittest.cc',
'ssl_alths_unittest.cc',
'ssl_auth_unittest.cc',
'ssl_cert_ext_unittest.cc',
'ssl_ciphersuite_unittest.cc',

View File

@ -11,7 +11,6 @@
#include "ssl.h"
#include "sslerr.h"
#include "sslproto.h"
#include "ssl3prot.h"
extern "C" {
// This is not something that should make you happy.
@ -104,9 +103,9 @@ TEST_P(TlsConnectGeneric, CaptureAlertServer) {
auto alert_recorder = std::make_shared<TlsAlertRecorder>();
server_->SetPacketFilter(alert_recorder);
ConnectExpectAlert(server_, kTlsAlertIllegalParameter);
ConnectExpectAlert(server_, kTlsAlertDecodeError);
EXPECT_EQ(kTlsAlertFatal, alert_recorder->level());
EXPECT_EQ(kTlsAlertIllegalParameter, alert_recorder->description());
EXPECT_EQ(kTlsAlertDecodeError, alert_recorder->description());
}
TEST_P(TlsConnectGenericPre13, CaptureAlertClient) {
@ -307,42 +306,6 @@ TEST_F(TlsConnectStreamTls13, NegotiateShortHeaders) {
Connect();
}
TEST_F(TlsConnectStreamTls13, ClientAltHandshakeType) {
client_->SetAltHandshakeTypeEnabled();
auto filter = std::make_shared<TlsHeaderRecorder>();
server_->SetPacketFilter(filter);
Connect();
ASSERT_EQ(kTlsHandshakeType, filter->header(0)->content_type());
}
TEST_F(TlsConnectStreamTls13, ServerAltHandshakeType) {
server_->SetAltHandshakeTypeEnabled();
auto filter = std::make_shared<TlsHeaderRecorder>();
server_->SetPacketFilter(filter);
Connect();
ASSERT_EQ(kTlsHandshakeType, filter->header(0)->content_type());
}
TEST_F(TlsConnectStreamTls13, BothAltHandshakeType) {
client_->SetAltHandshakeTypeEnabled();
server_->SetAltHandshakeTypeEnabled();
auto header_filter = std::make_shared<TlsHeaderRecorder>();
auto sh_filter = std::make_shared<TlsInspectorRecordHandshakeMessage>(
kTlsHandshakeServerHello);
std::vector<std::shared_ptr<PacketFilter>> filters = {header_filter,
sh_filter};
auto chained = std::make_shared<ChainedPacketFilter>(filters);
server_->SetPacketFilter(chained);
header_filter->SetAgent(server_.get());
header_filter->EnableDecryption();
Connect();
ASSERT_EQ(kTlsAltHandshakeType, header_filter->header(0)->content_type());
ASSERT_EQ(kTlsHandshakeType, header_filter->header(1)->content_type());
uint32_t ver;
ASSERT_TRUE(sh_filter->buffer().Read(0, 2, &ver));
ASSERT_EQ((uint32_t)(0x7a00 | TLS_1_3_DRAFT_VERSION), ver);
}
INSTANTIATE_TEST_CASE_P(
GenericStream, TlsConnectGeneric,
::testing::Combine(TlsConnectTestBase::kTlsVariantsStream,

View File

@ -10,6 +10,8 @@
#include "databuffer.h"
#include "gtest_utils.h"
#include "tls_connect.h"
#include "tls_filter.h"
namespace nss_test {
@ -51,8 +53,8 @@ class TlsPaddingTest
<< " total length=" << plaintext_.len() << std::endl;
std::cerr << "Plaintext: " << plaintext_ << std::endl;
sslBuffer s;
s.buf = const_cast<unsigned char *>(
static_cast<const unsigned char *>(plaintext_.data()));
s.buf = const_cast<unsigned char*>(
static_cast<const unsigned char*>(plaintext_.data()));
s.len = plaintext_.len();
SECStatus rv = ssl_RemoveTLSCBCPadding(&s, kMacSize);
if (expect_success) {
@ -99,6 +101,75 @@ TEST_P(TlsPaddingTest, LastByteOfPadWrong) {
}
}
class RecordReplacer : public TlsRecordFilter {
public:
RecordReplacer(size_t size)
: TlsRecordFilter(), enabled_(false), size_(size) {}
PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
const DataBuffer& data,
DataBuffer* changed) override {
if (!enabled_) {
return KEEP;
}
EXPECT_EQ(kTlsApplicationDataType, header.content_type());
changed->Allocate(size_);
for (size_t i = 0; i < size_; ++i) {
changed->data()[i] = i & 0xff;
}
enabled_ = false;
return CHANGE;
}
void Enable() { enabled_ = true; }
private:
bool enabled_;
size_t size_;
};
TEST_F(TlsConnectStreamTls13, LargeRecord) {
EnsureTlsSetup();
const size_t record_limit = 16384;
auto replacer = std::make_shared<RecordReplacer>(record_limit);
client_->SetTlsRecordFilter(replacer);
replacer->EnableDecryption();
Connect();
replacer->Enable();
client_->SendData(10);
WAIT_(server_->received_bytes() == record_limit, 2000);
ASSERT_EQ(record_limit, server_->received_bytes());
}
TEST_F(TlsConnectStreamTls13, TooLargeRecord) {
EnsureTlsSetup();
const size_t record_limit = 16384;
auto replacer = std::make_shared<RecordReplacer>(record_limit + 1);
client_->SetTlsRecordFilter(replacer);
replacer->EnableDecryption();
Connect();
replacer->Enable();
ExpectAlert(server_, kTlsAlertRecordOverflow);
client_->SendData(10); // This is expanded.
uint8_t buf[record_limit + 2];
PRInt32 rv = PR_Read(server_->ssl_fd(), buf, sizeof(buf));
EXPECT_GT(0, rv);
EXPECT_EQ(SSL_ERROR_RX_RECORD_TOO_LONG, PORT_GetError());
// Read the server alert.
rv = PR_Read(client_->ssl_fd(), buf, sizeof(buf));
EXPECT_GT(0, rv);
EXPECT_EQ(SSL_ERROR_RECORD_OVERFLOW_ALERT, PORT_GetError());
}
const static size_t kContentSizesArr[] = {
1, kMacSize - 1, kMacSize, 30, 31, 32, 36, 256, 257, 287, 288};

View File

@ -387,7 +387,7 @@ void TlsAgent::SetShortHeadersEnabled() {
void TlsAgent::SetAltHandshakeTypeEnabled() {
EXPECT_TRUE(EnsureTlsSetup());
SECStatus rv = SSL_UseAltServerHelloType(ssl_fd(), true);
SECStatus rv = SSL_UseAltHandshakeType(ssl_fd(), PR_TRUE);
EXPECT_EQ(SECSuccess, rv);
}

View File

@ -363,6 +363,15 @@ PacketFilter::Action TlsInspectorReplaceHandshakeMessage::FilterHandshake(
return KEEP;
}
PacketFilter::Action TlsRecordRecorder::FilterRecord(
const TlsRecordHeader& header, const DataBuffer& input,
DataBuffer* output) {
if (!filter_ || (header.content_type() == ct_)) {
records_.push_back({header, input});
}
return KEEP;
}
PacketFilter::Action TlsConversationRecorder::FilterRecord(
const TlsRecordHeader& header, const DataBuffer& input,
DataBuffer* output) {

View File

@ -63,6 +63,11 @@ class TlsRecordHeader : public TlsVersioned {
uint64_t sequence_number_;
};
struct TlsRecord {
const TlsRecordHeader header;
const DataBuffer buffer;
};
// Abstract filter that operates on entire (D)TLS records.
class TlsRecordFilter : public PacketFilter {
public:
@ -221,6 +226,28 @@ class TlsInspectorReplaceHandshakeMessage : public TlsHandshakeFilter {
DataBuffer buffer_;
};
class TlsRecordRecorder : public TlsRecordFilter {
public:
TlsRecordRecorder(uint8_t ct) : filter_(true), ct_(ct), records_() {}
TlsRecordRecorder()
: filter_(false),
ct_(content_handshake), // dummy (<optional> is C++14)
records_() {}
virtual PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
const DataBuffer& input,
DataBuffer* output);
size_t count() const { return records_.size(); }
void Clear() { records_.clear(); }
const TlsRecord& record(size_t i) const { return records_[i]; }
private:
bool filter_;
uint8_t ct_;
std::vector<TlsRecord> records_;
};
// Make a copy of the complete conversation.
class TlsConversationRecorder : public TlsRecordFilter {
public:
@ -246,12 +273,17 @@ class TlsHeaderRecorder : public TlsRecordFilter {
std::vector<TlsRecordHeader> headers_;
};
// Runs multiple packet filters in series.
typedef std::initializer_list<std::shared_ptr<PacketFilter>>
ChainedPacketFilterInit;
// Runs multiple packet filters in series.
class ChainedPacketFilter : public PacketFilter {
public:
ChainedPacketFilter() {}
ChainedPacketFilter(const std::vector<std::shared_ptr<PacketFilter>> filters)
: filters_(filters.begin(), filters.end()) {}
ChainedPacketFilter(ChainedPacketFilterInit il) : filters_(il) {}
virtual ~ChainedPacketFilter() {}
virtual PacketFilter::Action Filter(const DataBuffer& input,

View File

@ -8,6 +8,8 @@
#ifndef FREEBL_POLY1305_H_
#define FREEBL_POLY1305_H_
#include "stddef.h"
typedef unsigned char poly1305_state[512];
/* Poly1305Init sets up |state| so that it can be used to calculate an

View File

@ -22,9 +22,9 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
#define NSS_VERSION "3.34" _NSS_CUSTOMIZED " Beta"
#define NSS_VERSION "3.35" _NSS_CUSTOMIZED " Beta"
#define NSS_VMAJOR 3
#define NSS_VMINOR 34
#define NSS_VMINOR 35
#define NSS_VPATCH 0
#define NSS_VBUILD 0
#define NSS_BETA PR_TRUE

View File

@ -421,11 +421,20 @@ static const struct mechanismList mechanisms[] = {
#endif
/* --------------------- Secret Key Operations ------------------------ */
{ CKM_GENERIC_SECRET_KEY_GEN, { 1, 32, CKF_GENERATE }, PR_TRUE },
{ CKM_CONCATENATE_BASE_AND_KEY, { 1, 32, CKF_GENERATE }, PR_FALSE },
{ CKM_CONCATENATE_BASE_AND_DATA, { 1, 32, CKF_GENERATE }, PR_FALSE },
{ CKM_CONCATENATE_DATA_AND_BASE, { 1, 32, CKF_GENERATE }, PR_FALSE },
{ CKM_XOR_BASE_AND_DATA, { 1, 32, CKF_GENERATE }, PR_FALSE },
{ CKM_CONCATENATE_BASE_AND_KEY, { 1, 32, CKF_DERIVE }, PR_FALSE },
{ CKM_CONCATENATE_BASE_AND_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
{ CKM_CONCATENATE_DATA_AND_BASE, { 1, 32, CKF_DERIVE }, PR_FALSE },
{ CKM_XOR_BASE_AND_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
{ CKM_EXTRACT_KEY_FROM_KEY, { 1, 32, CKF_DERIVE }, PR_FALSE },
{ CKM_DES3_ECB_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
{ CKM_DES3_CBC_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
{ CKM_AES_ECB_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
{ CKM_AES_CBC_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
{ CKM_CAMELLIA_ECB_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
{ CKM_CAMELLIA_CBC_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
{ CKM_SEED_ECB_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
{ CKM_SEED_CBC_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
/* ---------------------- SSL Key Derivations ------------------------- */
{ CKM_SSL3_PRE_MASTER_KEY_GEN, { 48, 48, CKF_GENERATE }, PR_FALSE },
{ CKM_SSL3_MASTER_KEY_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE },

View File

@ -1524,8 +1524,7 @@ NSC_DecryptUpdate(CK_SESSION_HANDLE hSession,
maxout -= padoutlen;
}
/* now save the final block for the next decrypt or the final */
PORT_Memcpy(context->padBuf, &pEncryptedPart[ulEncryptedPartLen -
context->blockSize],
PORT_Memcpy(context->padBuf, &pEncryptedPart[ulEncryptedPartLen - context->blockSize],
context->blockSize);
context->padDataLength = context->blockSize;
ulEncryptedPartLen -= context->padDataLength;
@ -6241,6 +6240,43 @@ sftk_ANSI_X9_63_kdf(CK_BYTE **key, CK_ULONG key_len,
return CKR_MECHANISM_INVALID;
}
/*
* Handle the derive from a block encryption cipher
*/
CK_RV
sftk_DeriveEncrypt(SFTKCipher encrypt, void *cipherInfo,
int blockSize, SFTKObject *key, CK_ULONG keySize,
unsigned char *data, CK_ULONG len)
{
/* large enough for a 512-bit key */
unsigned char tmpdata[SFTK_MAX_DERIVE_KEY_SIZE];
SECStatus rv;
unsigned int outLen;
CK_RV crv;
if ((len % blockSize) != 0) {
return CKR_MECHANISM_PARAM_INVALID;
}
if (len > SFTK_MAX_DERIVE_KEY_SIZE) {
return CKR_MECHANISM_PARAM_INVALID;
}
if (keySize && (len < keySize)) {
return CKR_MECHANISM_PARAM_INVALID;
}
if (keySize == 0) {
keySize = len;
}
rv = (*encrypt)(cipherInfo, &tmpdata, &outLen, len, data, len);
if (rv != SECSuccess) {
crv = sftk_MapCryptError(PORT_GetError());
return crv;
}
crv = sftk_forceAttribute(key, CKA_VALUE, tmpdata, keySize);
return crv;
}
/*
* SSL Key generation given pre master secret
*/
@ -6899,6 +6935,172 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession,
break;
}
case CKM_DES3_ECB_ENCRYPT_DATA:
case CKM_DES3_CBC_ENCRYPT_DATA: {
void *cipherInfo;
unsigned char des3key[MAX_DES3_KEY_SIZE];
CK_DES_CBC_ENCRYPT_DATA_PARAMS *desEncryptPtr;
int mode;
unsigned char *iv;
unsigned char *data;
CK_ULONG len;
if (mechanism == CKM_DES3_ECB_ENCRYPT_DATA) {
stringPtr = (CK_KEY_DERIVATION_STRING_DATA *)
pMechanism->pParameter;
mode = NSS_DES_EDE3;
iv = NULL;
data = stringPtr->pData;
len = stringPtr->ulLen;
} else {
mode = NSS_DES_EDE3_CBC;
desEncryptPtr =
(CK_DES_CBC_ENCRYPT_DATA_PARAMS *)
pMechanism->pParameter;
iv = desEncryptPtr->iv;
data = desEncryptPtr->pData;
len = desEncryptPtr->length;
}
if (att->attrib.ulValueLen == 16) {
PORT_Memcpy(des3key, att->attrib.pValue, 16);
PORT_Memcpy(des3key + 16, des3key, 8);
} else if (att->attrib.ulValueLen == 24) {
PORT_Memcpy(des3key, att->attrib.pValue, 24);
} else {
crv = CKR_KEY_SIZE_RANGE;
break;
}
cipherInfo = DES_CreateContext(des3key, iv, mode, PR_TRUE);
PORT_Memset(des3key, 0, 24);
if (cipherInfo == NULL) {
crv = CKR_HOST_MEMORY;
break;
}
crv = sftk_DeriveEncrypt((SFTKCipher)DES_Encrypt,
cipherInfo, 8, key, keySize,
data, len);
DES_DestroyContext(cipherInfo, PR_TRUE);
break;
}
case CKM_AES_ECB_ENCRYPT_DATA:
case CKM_AES_CBC_ENCRYPT_DATA: {
void *cipherInfo;
CK_AES_CBC_ENCRYPT_DATA_PARAMS *aesEncryptPtr;
int mode;
unsigned char *iv;
unsigned char *data;
CK_ULONG len;
if (mechanism == CKM_AES_ECB_ENCRYPT_DATA) {
mode = NSS_AES;
iv = NULL;
stringPtr = (CK_KEY_DERIVATION_STRING_DATA *)pMechanism->pParameter;
data = stringPtr->pData;
len = stringPtr->ulLen;
} else {
aesEncryptPtr =
(CK_AES_CBC_ENCRYPT_DATA_PARAMS *)pMechanism->pParameter;
mode = NSS_AES_CBC;
iv = aesEncryptPtr->iv;
data = aesEncryptPtr->pData;
len = aesEncryptPtr->length;
}
cipherInfo = AES_CreateContext((unsigned char *)att->attrib.pValue,
iv, mode, PR_TRUE,
att->attrib.ulValueLen, 16);
if (cipherInfo == NULL) {
crv = CKR_HOST_MEMORY;
break;
}
crv = sftk_DeriveEncrypt((SFTKCipher)AES_Encrypt,
cipherInfo, 16, key, keySize,
data, len);
AES_DestroyContext(cipherInfo, PR_TRUE);
break;
}
case CKM_CAMELLIA_ECB_ENCRYPT_DATA:
case CKM_CAMELLIA_CBC_ENCRYPT_DATA: {
void *cipherInfo;
CK_AES_CBC_ENCRYPT_DATA_PARAMS *aesEncryptPtr;
int mode;
unsigned char *iv;
unsigned char *data;
CK_ULONG len;
if (mechanism == CKM_CAMELLIA_ECB_ENCRYPT_DATA) {
stringPtr = (CK_KEY_DERIVATION_STRING_DATA *)
pMechanism->pParameter;
aesEncryptPtr = NULL;
mode = NSS_CAMELLIA;
data = stringPtr->pData;
len = stringPtr->ulLen;
iv = NULL;
} else {
stringPtr = NULL;
aesEncryptPtr = (CK_AES_CBC_ENCRYPT_DATA_PARAMS *)
pMechanism->pParameter;
mode = NSS_CAMELLIA_CBC;
iv = aesEncryptPtr->iv;
data = aesEncryptPtr->pData;
len = aesEncryptPtr->length;
}
cipherInfo = Camellia_CreateContext((unsigned char *)att->attrib.pValue,
iv, mode, PR_TRUE,
att->attrib.ulValueLen);
if (cipherInfo == NULL) {
crv = CKR_HOST_MEMORY;
break;
}
crv = sftk_DeriveEncrypt((SFTKCipher)Camellia_Encrypt,
cipherInfo, 16, key, keySize,
data, len);
Camellia_DestroyContext(cipherInfo, PR_TRUE);
break;
}
case CKM_SEED_ECB_ENCRYPT_DATA:
case CKM_SEED_CBC_ENCRYPT_DATA: {
void *cipherInfo;
CK_AES_CBC_ENCRYPT_DATA_PARAMS *aesEncryptPtr;
int mode;
unsigned char *iv;
unsigned char *data;
CK_ULONG len;
if (mechanism == CKM_SEED_ECB_ENCRYPT_DATA) {
mode = NSS_SEED;
stringPtr = (CK_KEY_DERIVATION_STRING_DATA *)
pMechanism->pParameter;
aesEncryptPtr = NULL;
data = stringPtr->pData;
len = stringPtr->ulLen;
iv = NULL;
} else {
mode = NSS_SEED_CBC;
aesEncryptPtr = (CK_AES_CBC_ENCRYPT_DATA_PARAMS *)
pMechanism->pParameter;
iv = aesEncryptPtr->iv;
data = aesEncryptPtr->pData;
len = aesEncryptPtr->length;
}
cipherInfo = SEED_CreateContext((unsigned char *)att->attrib.pValue,
iv, mode, PR_TRUE);
if (cipherInfo == NULL) {
crv = CKR_HOST_MEMORY;
break;
}
crv = sftk_DeriveEncrypt((SFTKCipher)SEED_Encrypt,
cipherInfo, 16, key, keySize,
data, len);
SEED_DestroyContext(cipherInfo, PR_TRUE);
break;
}
case CKM_CONCATENATE_BASE_AND_KEY: {
SFTKObject *newKey;

View File

@ -17,9 +17,9 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
#define SOFTOKEN_VERSION "3.34" SOFTOKEN_ECC_STRING " Beta"
#define SOFTOKEN_VERSION "3.35" SOFTOKEN_ECC_STRING " Beta"
#define SOFTOKEN_VMAJOR 3
#define SOFTOKEN_VMINOR 34
#define SOFTOKEN_VMINOR 35
#define SOFTOKEN_VPATCH 0
#define SOFTOKEN_VBUILD 0
#define SOFTOKEN_BETA PR_TRUE

View File

@ -9,6 +9,9 @@
#define _SOFTOKNT_H_
#define NSS_SOFTOKEN_DEFAULT_CHUNKSIZE 2048
#define DES_BLOCK_SIZE 8 /* bytes */
#define MAX_DES3_KEY_SIZE 24 /* DES_BLOCK_SIZE * 3 */
#define SFTK_MAX_DERIVE_KEY_SIZE 64
/*
* FIPS 140-2 auditing

File diff suppressed because it is too large Load Diff

View File

@ -111,7 +111,7 @@ ssl_ECPubKey2NamedGroup(const SECKEYPublicKey *pubKey)
static SECStatus
ssl3_ComputeECDHKeyHash(SSLHashType hashAlg,
SECItem ec_params, SECItem server_ecpoint,
SSL3Random *client_rand, SSL3Random *server_rand,
PRUint8 *client_rand, PRUint8 *server_rand,
SSL3Hashes *hashes)
{
PRUint8 *hashBuf;
@ -597,8 +597,8 @@ ssl3_HandleECDHServerKeyExchange(sslSocket *ss, PRUint8 *b, PRUint32 length)
* check to make sure the hash is signed by right guy
*/
rv = ssl3_ComputeECDHKeyHash(hashAlg, ec_params, ec_point,
&ss->ssl3.hs.client_random,
&ss->ssl3.hs.server_random,
ss->ssl3.hs.client_random,
ss->ssl3.hs.server_random,
&hashes);
if (rv != SECSuccess) {
@ -711,8 +711,8 @@ ssl3_SendECDHServerKeyExchange(sslSocket *ss)
}
rv = ssl3_ComputeECDHKeyHash(hashAlg, ec_params,
pubKey->u.ec.publicValue,
&ss->ssl3.hs.client_random,
&ss->ssl3.hs.server_random,
ss->ssl3.hs.client_random,
ss->ssl3.hs.server_random,
&hashes);
if (rv != SECSuccess) {
ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);

View File

@ -802,7 +802,7 @@ ssl3_ClientHandleStatusRequestXtn(const sslSocket *ss, TLSExtensionData *xtnData
}
PRUint32 ssl_ticket_lifetime = 2 * 24 * 60 * 60; /* 2 days in seconds */
#define TLS_EX_SESS_TICKET_VERSION (0x0106)
#define TLS_EX_SESS_TICKET_VERSION (0x0107)
/*
* Called from ssl3_SendNewSessionTicket, tls13_SendNewSessionTicket
@ -894,6 +894,7 @@ ssl3_EncodeSessionTicket(sslSocket *ss,
+ 1 /* extendedMasterSecretUsed */
+ sizeof(ticket->ticket_lifetime_hint) /* ticket lifetime hint */
+ sizeof(ticket->flags) /* ticket flags */
+ 1 /* alt handshake type */
+ 1 + alpnSelection->len /* alpn value + length field */
+ 4; /* maxEarlyData */
@ -1040,6 +1041,11 @@ ssl3_EncodeSessionTicket(sslSocket *ss,
if (rv != SECSuccess)
goto loser;
}
/* Alternative handshake type. */
rv = ssl3_AppendNumberToItem(
&plaintext, ss->sec.ci.sid->u.ssl3.altHandshakeType, 1);
if (rv != SECSuccess)
goto loser;
rv = ssl3_AppendNumberToItem(&plaintext, ssl_max_early_data_size, 4);
if (rv != SECSuccess)
@ -1306,6 +1312,14 @@ ssl_ParseSessionTicket(sslSocket *ss, const SECItem *decryptedTicket,
return SECFailure;
}
rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 1, &buffer, &len);
if (rv != SECSuccess) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
PORT_Assert(temp == PR_TRUE || temp == PR_FALSE);
parsedTicket->altHandshakeType = temp;
rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len);
if (rv != SECSuccess) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
@ -1370,6 +1384,7 @@ ssl_CreateSIDFromTicket(sslSocket *ss, const SECItem *rawTicket,
sid->u.ssl3.masterValid = PR_TRUE;
sid->u.ssl3.keys.resumable = PR_TRUE;
sid->u.ssl3.keys.extendedMasterSecretUsed = parsedTicket->extendedMasterSecretUsed;
sid->u.ssl3.altHandshakeType = parsedTicket->altHandshakeType;
/* Copy over client cert from session ticket if there is one. */
if (parsedTicket->peer_cert.data != NULL) {

View File

@ -395,7 +395,8 @@ ssl3_GatherCompleteHandshake(sslSocket *ss, int flags)
SSL3Ciphertext cText;
PRBool keepGoing = PR_TRUE;
SSL_TRC(30, ("ssl3_GatherCompleteHandshake"));
SSL_TRC(30, ("%d: SSL3[%d]: ssl3_GatherCompleteHandshake",
SSL_GETPID(), ss->fd));
/* ssl3_HandleRecord may end up eventually calling ssl_FinishHandshake,
* which requires the 1stHandshakeLock, which must be acquired before the
@ -508,7 +509,6 @@ ssl3_GatherCompleteHandshake(sslSocket *ss, int flags)
if (IS_DTLS(ss)) {
sslSequenceNumber seq_num;
cText.version = dtls_DTLSVersionToTLSVersion(cText.version);
/* DTLS sequence number */
PORT_Memcpy(&seq_num, &ss->gs.hdr[3], sizeof(seq_num));
cText.seq_num = PR_ntohll(seq_num);

View File

@ -151,9 +151,7 @@ typedef struct {
PRUint8 empty;
} SSL3HelloRequest;
typedef struct {
PRUint8 rand[SSL3_RANDOM_LENGTH];
} SSL3Random;
typedef PRUint8 SSL3Random[SSL3_RANDOM_LENGTH];
typedef struct {
PRUint8 id[32];

View File

@ -22,13 +22,12 @@ SEC_BEGIN_PROTOS
? ((SECStatus(*) arglist)SSL_GetExperimentalAPI(name))args \
: SECFailure)
/* Allow the ServerHello to be record type 24. Experiment to test:
* https://github.com/tlswg/tls13-spec/pull/1051
/* Make the TLS 1.3 handshake mimic TLS 1.2 session resumption.
* This will either become part of the standard or be disabled
* after we have tested it.
*/
#define SSL_UseAltServerHelloType(fd, enable) \
SSL_EXPERIMENTAL_API("SSL_UseAltServerHelloType", \
#define SSL_UseAltHandshakeType(fd, enable) \
SSL_EXPERIMENTAL_API("SSL_UseAltHandshakeType", \
(PRFileDesc * _fd, PRBool _enable), \
(fd, enable))

View File

@ -229,8 +229,6 @@ struct sslSocketOpsStr {
#define ssl_SEND_FLAG_FORCE_INTO_BUFFER 0x40000000
#define ssl_SEND_FLAG_NO_BUFFER 0x20000000
#define ssl_SEND_FLAG_NO_RETRANSMIT 0x08000000 /* DTLS only */
#define ssl_SEND_FLAG_CAP_RECORD_VERSION \
0x04000000 /* TLS only */
#define ssl_SEND_FLAG_MASK 0x7f000000
/*
@ -500,6 +498,7 @@ struct ssl3CipherSpecStr {
sslSequenceNumber write_seq_num;
sslSequenceNumber read_seq_num;
SSL3ProtocolVersion version;
SSL3ProtocolVersion recordVersion;
ssl3KeyMaterial client;
ssl3KeyMaterial server;
SECItem msItem;
@ -609,6 +608,8 @@ struct sslSessionIDStr {
* Used for TLS 1.3. */
SECItem alpnSelection;
PRBool altHandshakeType;
/* This lock is lazily initialized by CacheSID when a sid is first
* cached. Before then, there is no need to lock anything because
* the sid isn't being shared by anything.
@ -886,7 +887,8 @@ typedef struct SSL3HandshakeStateStr {
ssl3KEADef kea_def_mutable; /* Used to hold the writable kea_def
* we use for TLS 1.3 */
PRBool shortHeaders; /* Assigned if we are doing short headers. */
PRBool altHandshakeType; /* Assigned if we are doing the wrapped handshake. */
PRBool altHandshakeType; /* Alternative ServerHello content type. */
SECItem fakeSid; /* ... (server) the SID the client used. */
} SSL3HandshakeState;
/*
@ -1022,6 +1024,7 @@ typedef struct SessionTicketStr {
PRUint32 flags;
SECItem srvName; /* negotiated server name */
SECItem alpnSelection;
PRBool altHandshakeType;
PRUint32 maxEarlyData;
} SessionTicket;
@ -1653,6 +1656,10 @@ extern SECStatus ssl_ClientReadVersion(sslSocket *ss, PRUint8 **b,
extern SECStatus ssl3_NegotiateVersion(sslSocket *ss,
SSL3ProtocolVersion peerVersion,
PRBool allowLargerPeerVersion);
extern SECStatus ssl_ClientSetCipherSuite(sslSocket *ss,
SSL3ProtocolVersion version,
ssl3CipherSuite suite,
PRBool initHashes);
extern SECStatus ssl_GetPeerInfo(sslSocket *ss);
@ -1826,6 +1833,7 @@ SECStatus ssl3_CompleteHandleCertificateRequest(
sslSocket *ss, const SSLSignatureScheme *signatureSchemes,
unsigned int signatureSchemeCount, CERTDistNames *ca_list);
SECStatus ssl3_SendServerHello(sslSocket *ss);
SECStatus ssl3_SendChangeCipherSpecsInt(sslSocket *ss);
SECStatus ssl3_ComputeHandshakeHashes(sslSocket *ss,
ssl3CipherSpec *spec,
SSL3Hashes *hashes,

View File

@ -468,9 +468,9 @@ SSL_ExportKeyingMaterial(PRFileDesc *fd,
return SECFailure;
}
i = 0;
PORT_Memcpy(val + i, &ss->ssl3.hs.client_random.rand, SSL3_RANDOM_LENGTH);
PORT_Memcpy(val + i, ss->ssl3.hs.client_random, SSL3_RANDOM_LENGTH);
i += SSL3_RANDOM_LENGTH;
PORT_Memcpy(val + i, &ss->ssl3.hs.server_random.rand, SSL3_RANDOM_LENGTH);
PORT_Memcpy(val + i, ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH);
i += SSL3_RANDOM_LENGTH;
if (hasContext) {
val[i++] = contextLen >> 8;

View File

@ -3875,7 +3875,7 @@ struct {
void *function;
} ssl_experimental_functions[] = {
#ifndef SSL_DISABLE_EXPERIMENTAL_API
EXP(UseAltServerHelloType),
EXP(UseAltHandshakeType),
#endif
{ "", NULL }
};

View File

@ -133,9 +133,6 @@ const char keylogLabelExporterSecret[] = "EXPORTER_SECRET";
? ss->ssl3.hs.client##name \
: ss->ssl3.hs.server##name)
const SSL3ProtocolVersion kTlsRecordVersion = SSL_LIBRARY_VERSION_TLS_1_0;
const SSL3ProtocolVersion kDtlsRecordVersion = SSL_LIBRARY_VERSION_TLS_1_1;
/* Belt and suspenders in case we ever add a TLS 1.4. */
PR_STATIC_ASSERT(SSL_LIBRARY_VERSION_MAX_SUPPORTED <=
SSL_LIBRARY_VERSION_TLS_1_3);
@ -1728,7 +1725,9 @@ tls13_HandleHelloRetryRequest(sslSocket *ss, PRUint8 *b, PRUint32 length)
/* Version. */
rv = ssl_ClientReadVersion(ss, &b, &length, &version);
if (rv != SECSuccess) {
return SECFailure; /* alert already sent */
FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_HELLO_RETRY_REQUEST,
protocol_version);
return SECFailure;
}
if (version > ss->vrange.max || version < SSL_LIBRARY_VERSION_TLS_1_3) {
FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_HELLO_RETRY_REQUEST,
@ -1941,6 +1940,13 @@ tls13_SendServerHelloSequence(sslSocket *ss)
return rv; /* err code is set. */
}
if (ss->ssl3.hs.altHandshakeType) {
rv = ssl3_SendChangeCipherSpecsInt(ss);
if (rv != SECSuccess) {
return rv;
}
}
rv = tls13_SendEncryptedServerSequence(ss);
if (rv != SECSuccess) {
err = PORT_GetError();
@ -2704,27 +2710,61 @@ loser:
return SECFailure;
}
static SECStatus
tls13_SetupPendingCipherSpec(sslSocket *ss)
void
tls13_SetSpecRecordVersion(sslSocket *ss, ssl3CipherSpec *spec)
{
const SSL3ProtocolVersion kTlsRecordVersion = SSL_LIBRARY_VERSION_TLS_1_0;
const SSL3ProtocolVersion kTlsAltRecordVersion = SSL_LIBRARY_VERSION_TLS_1_2;
const SSL3ProtocolVersion kDtlsRecordVersion = SSL_LIBRARY_VERSION_DTLS_1_0_WIRE;
/* Set the record version. */
if (IS_DTLS(ss)) {
spec->recordVersion = kDtlsRecordVersion;
} else if (spec->epoch == TrafficKeyEarlyApplicationData) {
/* For early data, the previous session determines the record type that
* is used (and not what this session might negotiate). */
if (ss->sec.ci.sid && ss->sec.ci.sid->u.ssl3.altHandshakeType) {
spec->recordVersion = kTlsAltRecordVersion;
} else {
spec->recordVersion = kTlsRecordVersion;
}
} else if (ss->ssl3.hs.altHandshakeType) {
spec->recordVersion = kTlsAltRecordVersion;
} else {
spec->recordVersion = kTlsRecordVersion;
}
SSL_TRC(10, ("%d: TLS13[%d]: Set record version to 0x%04x",
SSL_GETPID(), ss->fd, spec->recordVersion));
}
static SECStatus
tls13_SetupPendingCipherSpec(sslSocket *ss, ssl3CipherSpec *spec)
{
ssl3CipherSpec *pSpec;
ssl3CipherSuite suite = ss->ssl3.hs.cipher_suite;
const ssl3BulkCipherDef *bulk = ssl_GetBulkCipherDef(
ssl_LookupCipherSuiteDef(suite));
PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
ssl_GetSpecWriteLock(ss); /*******************************/
pSpec = ss->ssl3.pwSpec;
/* Version isn't set when we send 0-RTT data. */
pSpec->version = PR_MAX(SSL_LIBRARY_VERSION_TLS_1_3, ss->version);
spec->version = PR_MAX(SSL_LIBRARY_VERSION_TLS_1_3, ss->version);
SSL_TRC(3, ("%d: TLS13[%d]: Set Pending Cipher Suite to 0x%04x",
SSL_GETPID(), ss->fd, suite));
pSpec->cipher_def = bulk;
ssl_ReleaseSpecWriteLock(ss); /*******************************/
spec->cipher_def = ssl_GetBulkCipherDef(ssl_LookupCipherSuiteDef(suite));
switch (spec->cipher_def->calg) {
case ssl_calg_aes_gcm:
spec->aead = tls13_AESGCM;
break;
case ssl_calg_chacha20:
spec->aead = tls13_ChaCha20Poly1305;
break;
default:
PORT_Assert(0);
return SECFailure;
break;
}
tls13_SetSpecRecordVersion(ss, spec);
return SECSuccess;
}
@ -2754,29 +2794,6 @@ tls13_SetCipherSpec(sslSocket *ss, TrafficKeyType type,
PR_APPEND_LINK(&spec->link, &ss->ssl3.hs.cipherSpecs);
ss->ssl3.pwSpec = ss->ssl3.prSpec = spec;
rv = tls13_SetupPendingCipherSpec(ss);
if (rv != SECSuccess)
return SECFailure;
switch (spec->cipher_def->calg) {
case calg_aes_gcm:
spec->aead = tls13_AESGCM;
break;
case calg_chacha20:
spec->aead = tls13_ChaCha20Poly1305;
break;
default:
PORT_Assert(0);
return SECFailure;
break;
}
rv = tls13_DeriveTrafficKeys(ss, spec, type, direction,
deleteSecret);
if (rv != SECSuccess) {
return SECFailure;
}
/* We use the epoch for cipher suite identification, so increment
* it in both TLS and DTLS. */
if ((*specp)->epoch == PR_UINT16_MAX) {
@ -2794,6 +2811,17 @@ tls13_SetCipherSpec(sslSocket *ss, TrafficKeyType type,
dtls_InitRecvdRecords(&spec->recvdRecords);
}
/* This depends on spec having a valid direction and epoch. */
rv = tls13_SetupPendingCipherSpec(ss, spec);
if (rv != SECSuccess)
return SECFailure;
rv = tls13_DeriveTrafficKeys(ss, spec, type, direction,
deleteSecret);
if (rv != SECSuccess) {
return SECFailure;
}
if (type == TrafficKeyEarlyApplicationData) {
spec->earlyDataRemaining =
ss->sec.ci.sid->u.ssl3.locked.sessionTicket.max_early_data_size;
@ -3745,6 +3773,14 @@ tls13_SendClientSecondRound(sslSocket *ss)
if (rv != SECSuccess) {
return SECFailure; /* Error code already set. */
}
} else if (ss->ssl3.hs.zeroRttState == ssl_0rtt_none &&
ss->ssl3.hs.altHandshakeType) {
ssl_GetXmitBufLock(ss); /*******************************/
rv = ssl3_SendChangeCipherSpecsInt(ss);
ssl_ReleaseXmitBufLock(ss); /*******************************/
if (rv != SECSuccess) {
return rv;
}
}
rv = tls13_SetCipherSpec(ss, TrafficKeyHandshake,
@ -4046,7 +4082,8 @@ static const struct {
{ ssl_cert_status_xtn, ExtensionSendCertificate },
{ ssl_tls13_ticket_early_data_info_xtn, ExtensionNewSessionTicket },
{ ssl_tls13_cookie_xtn, ExtensionSendHrr },
{ ssl_tls13_short_header_xtn, ExtensionSendClear }
{ ssl_tls13_short_header_xtn, ExtensionSendClear },
{ ssl_tls13_supported_versions_xtn, ExtensionSendClear }
};
PRBool
@ -4239,9 +4276,8 @@ tls13_UnprotectRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *plaintext
return SECFailure;
}
/* Check the version number in the record */
if ((IS_DTLS(ss) && cText->version != kDtlsRecordVersion) ||
(!IS_DTLS(ss) && cText->version != kTlsRecordVersion)) {
/* Check the version number in the record. */
if (cText->version != crSpec->recordVersion) {
/* Do we need a better error here? */
SSL_TRC(3,
("%d: TLS13[%d]: record has bogus version",
@ -4364,8 +4400,21 @@ tls13_MaybeDo0RTTHandshake(sslSocket *ss)
ss->xtnData.nextProtoState = SSL_NEXT_PROTO_EARLY_VALUE;
rv = SECITEM_CopyItem(NULL, &ss->xtnData.nextProto,
&ss->sec.ci.sid->u.ssl3.alpnSelection);
if (rv != SECSuccess)
return rv;
if (rv != SECSuccess) {
return SECFailure;
}
}
/* If the alternative handshake type option is enabled and the last session
* had the alternative handshake type, then send CCS. */
if (ss->opt.enableAltHandshaketype &&
ss->sec.ci.sid->u.ssl3.altHandshakeType) {
ssl_GetXmitBufLock(ss);
rv = ssl3_SendChangeCipherSpecsInt(ss);
ssl_ReleaseXmitBufLock(ss);
if (rv != SECSuccess) {
return SECFailure;
}
}
/* Cipher suite already set in tls13_SetupClientHello. */
@ -4377,13 +4426,14 @@ tls13_MaybeDo0RTTHandshake(sslSocket *ss)
keylogLabelClientEarlyTrafficSecret,
NULL,
&ss->ssl3.hs.clientEarlyTrafficSecret);
if (rv != SECSuccess)
if (rv != SECSuccess) {
return SECFailure;
}
rv = tls13_SetCipherSpec(ss, TrafficKeyEarlyApplicationData,
CipherSpecWrite, PR_TRUE);
if (rv != SECSuccess) {
return rv;
return SECFailure;
}
return SECSuccess;
@ -4504,7 +4554,7 @@ tls13_EncodeAltDraftVersion(SSL3ProtocolVersion version)
{
#ifdef TLS_1_3_DRAFT_VERSION
if (version == SSL_LIBRARY_VERSION_TLS_1_3) {
return 0x7a00 | TLS_1_3_DRAFT_VERSION;
return 0x7e02;
}
#endif
return (PRUint16)version;
@ -4541,10 +4591,17 @@ tls13_NegotiateVersion(sslSocket *ss, const TLSExtension *supported_versions)
ss->version = version;
return SECSuccess;
}
if (ss->opt.enableAltHandshaketype && !IS_DTLS(ss) &&
if (ss->opt.enableAltHandshaketype &&
!IS_DTLS(ss) &&
supported == alt_wire) {
ss->version = version;
rv = ssl3_RegisterExtensionSender(ss, &ss->xtnData,
ssl_tls13_supported_versions_xtn,
tls13_ServerSendSupportedVersionsXtn);
if (rv != SECSuccess) {
return SECFailure;
}
ss->ssl3.hs.altHandshakeType = PR_TRUE;
ss->version = version;
return SECSuccess;
}
}
@ -4555,13 +4612,13 @@ tls13_NegotiateVersion(sslSocket *ss, const TLSExtension *supported_versions)
}
SECStatus
SSLExp_UseAltServerHelloType(PRFileDesc *fd, PRBool enable)
SSLExp_UseAltHandshakeType(PRFileDesc *fd, PRBool enable)
{
sslSocket *ss;
ss = ssl_FindSocket(fd);
if (!ss) {
SSL_DBG(("%d: SSL[%d]: bad socket in SSLExp_UseAltServerHelloType",
if (!ss || IS_DTLS(ss)) {
SSL_DBG(("%d: SSL[%d]: bad socket in SSLExp_UseAltHandshakeType",
SSL_GETPID(), fd));
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;

View File

@ -85,6 +85,7 @@ PRUint16 tls13_EncodeAltDraftVersion(SSL3ProtocolVersion version);
SECStatus tls13_NegotiateVersion(sslSocket *ss,
const TLSExtension *supported_versions);
SECStatus tls13_SendNewSessionTicket(sslSocket *ss);
SECStatus SSLExp_UseAltServerHelloType(PRFileDesc *fd, PRBool enable);
SECStatus SSLExp_UseAltHandshakeType(PRFileDesc *fd, PRBool enable);
void tls13_SetSpecRecordVersion(sslSocket *ss, ssl3CipherSpec *spec);
#endif /* __tls13con_h_ */

View File

@ -873,7 +873,12 @@ tls13_ClientHandleTicketEarlyDataInfoXtn(const sslSocket *ss, TLSExtensionData *
/*
* struct {
* select (Handshake.msg_type) {
* case client_hello:
* ProtocolVersion versions<2..254>;
* case server_hello:
* ProtocolVersion version;
* };
* } SupportedVersions;
*/
PRInt32
@ -888,7 +893,7 @@ tls13_ClientSendSupportedVersionsXtn(const sslSocket *ss, TLSExtensionData *xtnD
return 0;
}
SSL_TRC(3, ("%d: TLS13[%d]: send supported_versions extension",
SSL_TRC(3, ("%d: TLS13[%d]: client send supported_versions extension",
SSL_GETPID(), ss->fd));
/* Extension type, extension len fiels, vector len field,
@ -941,6 +946,50 @@ tls13_ClientSendSupportedVersionsXtn(const sslSocket *ss, TLSExtensionData *xtnD
return extensions_len;
}
PRInt32
tls13_ServerSendSupportedVersionsXtn(const sslSocket *ss,
TLSExtensionData *xtnData,
PRBool append, PRUint32 maxBytes)
{
SECStatus rv;
PRInt32 extensions_len;
if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
PORT_Assert(0); /* Can't happen. */
return SECSuccess;
}
if (!ss->ssl3.hs.altHandshakeType) {
PORT_Assert(0); /* Can't happen. */
return SECSuccess;
}
SSL_TRC(3, ("%d: TLS13[%d]: server send supported_versions extension",
SSL_GETPID(), ss->fd));
extensions_len = 2 + 2 + 2; /* type, len, version */
if (maxBytes < (PRUint32)extensions_len) {
PORT_Assert(0);
return 0;
}
if (append) {
rv = ssl3_ExtAppendHandshakeNumber(ss, ssl_tls13_supported_versions_xtn, 2);
if (rv != SECSuccess)
return -1;
rv = ssl3_ExtAppendHandshakeNumber(ss, 2, 2);
if (rv != SECSuccess)
return -1;
rv = ssl3_ExtAppendHandshakeNumber(
ss, tls13_EncodeAltDraftVersion(SSL_LIBRARY_VERSION_TLS_1_3), 2);
if (rv != SECSuccess) {
return -1;
}
}
return extensions_len;
}
/*
* struct {
* opaque cookie<1..2^16-1>;

View File

@ -53,6 +53,10 @@ SECStatus tls13_ClientHandleTicketEarlyDataInfoXtn(
PRInt32 tls13_ClientSendSupportedVersionsXtn(const sslSocket *ss, TLSExtensionData *xtnData,
PRBool append,
PRUint32 maxBytes);
PRInt32 tls13_ServerSendSupportedVersionsXtn(const sslSocket *ss,
TLSExtensionData *xtnData,
PRBool append,
PRUint32 maxBytes);
SECStatus tls13_ClientHandleHrrCookie(const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type,
SECItem *data);
PRInt32 tls13_ClientSendHrrCookieXtn(const sslSocket *ss, TLSExtensionData *xtnData,

View File

@ -19,9 +19,9 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
*/
#define NSSUTIL_VERSION "3.34 Beta"
#define NSSUTIL_VERSION "3.35 Beta"
#define NSSUTIL_VMAJOR 3
#define NSSUTIL_VMINOR 34
#define NSSUTIL_VMINOR 35
#define NSSUTIL_VPATCH 0
#define NSSUTIL_VBUILD 0
#define NSSUTIL_BETA PR_TRUE

View File

@ -242,7 +242,7 @@ static int
pk11uri_CompareByPosition(const char *a, const char *b,
const char **attr_names, size_t num_attr_names)
{
int i, j;
size_t i, j;
for (i = 0; i < num_attr_names; i++) {
if (strcmp(a, attr_names[i]) == 0) {

View File

@ -789,7 +789,7 @@ unsigned int
NSS_SecureMemcmpZero(const void *mem, size_t n)
{
PRUint8 zero = 0;
int i;
size_t i;
for (i = 0; i < n; ++i) {
zero |= *(PRUint8 *)((uintptr_t)mem + i);
}

View File

@ -21,16 +21,17 @@
# Generate input to certutil
certscript() {
ca=n
while [ $# -gt 0 ]; do
case $1 in
sign) echo 0 ;;
kex) echo 2 ;;
ca) echo 5;echo 6 ;;
ca) echo 5;echo 6;ca=y ;;
esac; shift
done;
echo 9
echo n
echo ${ca:-n}
echo $ca
echo
echo n
}
@ -50,9 +51,9 @@ make_cert() {
p256) type_args='-q nistp256';type=ec ;;
p384) type_args='-q secp384r1';type=ec ;;
p521) type_args='-q secp521r1';type=ec ;;
rsa_ca) type_args='-g 1024';trust='CT,CT,CT';ca=y;type=rsa ;;
rsa_ca) type_args='-g 1024';trust='CT,CT,CT';type=rsa ;;
rsa_chain) type_args='-g 1024';sign='-c rsa_ca';type=rsa;;
rsapss_ca) type_args='-g 1024 --pss';trust='CT,CT,CT';ca=y;type=rsa ;;
rsapss_ca) type_args='-g 1024 --pss';trust='CT,CT,CT';type=rsa ;;
rsapss_chain) type_args='-g 1024';sign='-c rsa_pss_ca';type=rsa;;
rsa_ca_rsapss_chain) type_args='-g 1024 --pss-sign';sign='-c rsa_ca';type=rsa;;
ecdh_rsa) type_args='-q nistp256';sign='-c rsa_ca';type=ec ;;