author | Elio Maldonado <emaldona@redhat.com> | 2016-04-30 18:29:01 -0700 |
---|---|---|
committer | Elio Maldonado <emaldona@redhat.com> | 2016-04-30 18:29:01 -0700 |
commit | e5a08c5e3e9b91b5c1121b78ea416b623b08abbb (patch) | |
tree | 9cedad9ac626ea3d88f0f18442c0d51ec11e8cf7 | |
parent | c2257ed132e70966f30a5e3c273f762e5d643816 (diff) | |
download | nss-hg-e5a08c5e3e9b91b5c1121b78ea416b623b08abbb.tar.gz |
More sync-up with the default branch, plus the latest work in progress
-rw-r--r-- | lib/softoken/pkcs11c.c | 9 | ||||
-rw-r--r-- | lib/ssl/ssl.def | 1 | ||||
-rw-r--r-- | lib/ssl/ssl3con.c | 393 | ||||
-rw-r--r-- | lib/ssl/sslenum.c | 2 | ||||
-rw-r--r-- | lib/ssl/sslimpl.h | 11 | ||||
-rw-r--r-- | lib/ssl/sslinfo.c | 13 | ||||
-rw-r--r-- | lib/ssl/sslt.h | 21 | ||||
-rw-r--r-- | lib/ssl/tls13con.c | 63 | ||||
-rwxr-xr-x | tests/ssl/ssl.sh | 11 |
9 files changed, 331 insertions, 193 deletions
diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c index d398e8462..e6d413d58 100644 --- a/lib/softoken/pkcs11c.c +++ b/lib/softoken/pkcs11c.c @@ -6084,7 +6084,7 @@ CK_RV NSC_DeriveKey( CK_SESSION_HANDLE hSession, int i; unsigned int outLen; unsigned char sha_out[SHA1_LENGTH]; - unsigned char key_block[NUM_MIXERS * MD5_LENGTH]; + unsigned char key_block[NUM_MIXERS * SFTK_MAX_MAC_LENGTH]; unsigned char key_block2[MD5_LENGTH]; PRBool isFIPS; HASH_HashType hashType; @@ -6530,6 +6530,13 @@ CK_RV NSC_DeriveKey( CK_SESSION_HANDLE hSession, } block_needed = 2 * (macSize + effKeySize + ((!ssl3_keys->bIsExport) * IVSize)); +#ifdef DEBUG + if (block_needed > sizeof key_block) { + PR_fprintf(PR_STDERR, + "ERROR: block_need=%d but key_block=%d\n ", + block_needed, key_block); + } +#endif PORT_Assert(block_needed <= sizeof key_block); if (block_needed > sizeof key_block) block_needed = sizeof key_block; diff --git a/lib/ssl/ssl.def b/lib/ssl/ssl.def index 366a73197..a5fe57d26 100644 --- a/lib/ssl/ssl.def +++ b/lib/ssl/ssl.def @@ -196,7 +196,6 @@ SSL_SetSignedCertTimestamps; ;+}; ;+NSS_3.23 { # NSS 3.23 release ;+ global: -SSL_ConfigServerCert; SSL_SetDowngradeCheckVersion; ;+ local: ;+*; diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c index 7711d3e5b..5e710bb66 100644 --- a/lib/ssl/ssl3con.c +++ b/lib/ssl/ssl3con.c @@ -107,6 +107,8 @@ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE}, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around * bug 946147. */ 
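Review bot: The DEBUG diagnostic added in the second NSC_DeriveKey hunk passes the array `key_block` to a `%d` conversion, so it prints a (mis-typed) pointer value rather than the buffer size the message is about, and the format string ends in `"\n "` with a stray trailing space. Print the quantity the surrounding code actually compares against: `"ERROR: block_needed=%u but key_block=%u\n", (unsigned)block_needed, (unsigned)sizeof key_block`. NSC_DeriveKey's body starts and ends outside both hunks. The same pattern, a raw `PR_fprintf(PR_STDERR, ...)` under `#ifdef DEBUG`, is also added to ssl_LookupCipherSuiteDef in ssl3con.c; that file already uses the `SSL_DBG` tracing macro (visible in the ssl3_HandleV2ClientHello hunk), which seems the more consistent choice there.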
@@ -116,6 +118,8 @@ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, @@ -125,6 +129,8 @@ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE, PR_FALSE}, { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, @@ -154,6 +160,7 @@ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { /* RSA */ { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 
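Review bot: In the @@ -125 hunk, `TLS_DHE_DSS_WITH_AES_256_GCM_SHA384` is added with its enabled flag set to `PR_TRUE`, while the context line directly above keeps `TLS_DHE_DSS_WITH_AES_128_GCM_SHA256` at `PR_FALSE`; enabling the 256-bit DSS GCM suite by default but not the 128-bit one looks unintentional. Either make the new row `{ TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},` or add a comment explaining why the two DSS GCM defaults differ. The cipherSuites table starts and ends outside the hunk.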
@@ -302,6 +309,7 @@ static const ssl3BulkCipherDef bulk_cipher_defs[] = { {cipher_camellia_256, calg_camellia, 32,32, type_block, 16,16, 0, 0, SEC_OID_CAMELLIA_256_CBC}, {cipher_seed, calg_seed, 16,16, type_block, 16,16, 0, 0, SEC_OID_SEED_CBC}, {cipher_aes_128_gcm, calg_aes_gcm, 16,16, type_aead, 4, 0,16, 8, SEC_OID_AES_128_GCM}, + {cipher_aes_256_gcm, calg_aes_gcm, 32,32, type_aead, 4, 0,16, 8, SEC_OID_AES_256_GCM}, {cipher_chacha20, calg_chacha20, 32,32, type_aead, 12, 0,16, 0, SEC_OID_CHACHA20_POLY1305}, {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, 0, 0, 0}, }; 
@@ -338,144 +346,160 @@ static const ssl3KEADef kea_defs[] = /* must use ssl_LookupCipherSuiteDef to access */ static const ssl3CipherSuiteDef cipher_suite_defs[] = { -/* cipher_suite bulk_cipher_alg mac_alg key_exchange_alg */ +/* cipher_suite bulk_cipher_alg mac_alg key_exchange_alg prf_hash_alg */ +/* Note that the prf_hash_alg is the hash function used by the PRF, see sslimpl.h. */ - {TLS_NULL_WITH_NULL_NULL, cipher_null, mac_null, kea_null}, - {TLS_RSA_WITH_NULL_MD5, cipher_null, mac_md5, kea_rsa}, - {TLS_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_rsa}, - {TLS_RSA_WITH_NULL_SHA256, cipher_null, hmac_sha256, kea_rsa}, - {TLS_RSA_EXPORT_WITH_RC4_40_MD5,cipher_rc4_40, mac_md5, kea_rsa_export}, - {TLS_RSA_WITH_RC4_128_MD5, cipher_rc4, mac_md5, kea_rsa}, - {TLS_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_rsa}, + {TLS_NULL_WITH_NULL_NULL, cipher_null, mac_null, kea_null, ssl_hash_none}, + {TLS_RSA_WITH_NULL_MD5, cipher_null, mac_md5, kea_rsa, ssl_hash_none}, + {TLS_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_rsa, ssl_hash_none}, + {TLS_RSA_WITH_NULL_SHA256, cipher_null, hmac_sha256, kea_rsa, ssl_hash_sha256}, + {TLS_RSA_EXPORT_WITH_RC4_40_MD5,cipher_rc4_40, mac_md5, kea_rsa_export, ssl_hash_none}, + {TLS_RSA_WITH_RC4_128_MD5, cipher_rc4, mac_md5, kea_rsa, ssl_hash_none}, + {TLS_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_rsa, ssl_hash_none}, {TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, - cipher_rc2_40, mac_md5, kea_rsa_export}, + cipher_rc2_40, mac_md5, kea_rsa_export, ssl_hash_none}, #if 0 /* not implemented */ - {TLS_RSA_WITH_IDEA_CBC_SHA, cipher_idea, mac_sha, kea_rsa}, + {TLS_RSA_WITH_IDEA_CBC_SHA, cipher_idea, mac_sha, kea_rsa, ssl_hash_none}, {TLS_RSA_EXPORT_WITH_DES40_CBC_SHA, - cipher_des40, mac_sha, kea_rsa_export}, + cipher_des40, mac_sha, kea_rsa_export, ssl_hash_none}, #endif - {TLS_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa}, - {TLS_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa}, - {TLS_DHE_DSS_WITH_DES_CBC_SHA, cipher_des, mac_sha, 
kea_dhe_dss}, + {TLS_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa, ssl_hash_none}, + {TLS_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa, ssl_hash_none}, + {TLS_DHE_DSS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dhe_dss, ssl_hash_none}, {TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, - cipher_3des, mac_sha, kea_dhe_dss}, - {TLS_DHE_DSS_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_dhe_dss}, + cipher_3des, mac_sha, kea_dhe_dss, ssl_hash_none}, + {TLS_DHE_DSS_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_dhe_dss, ssl_hash_none}, #if 0 /* not implemented */ {TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA, - cipher_des40, mac_sha, kea_dh_dss_export}, - {TLS_DH_DSS_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_dss}, - {TLS_DH_DSS_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_dss}, + cipher_des40, mac_sha, kea_dh_dss_export, ssl_hash_none}, + {TLS_DH_DSS_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_dss, ssl_hash_none}, + {TLS_DH_DSS_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_dss, ssl_hash_none}, {TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA, - cipher_des40, mac_sha, kea_dh_rsa_export}, - {TLS_DH_RSA_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_rsa}, - {TLS_DH_RSA_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_rsa}, + cipher_des40, mac_sha, kea_dh_rsa_export, ssl_hash_none}, + {TLS_DH_RSA_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_rsa, ssl_hash_none}, + {TLS_DH_RSA_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_rsa, ssl_hash_none}, {TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, - cipher_des40, mac_sha, kea_dh_dss_export}, + cipher_des40, mac_sha, kea_dh_dss_export, ssl_hash_none}, {TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, - cipher_des40, mac_sha, kea_dh_rsa_export}, + cipher_des40, mac_sha, kea_dh_rsa_export, ssl_hash_none}, #endif - {TLS_DHE_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dhe_rsa}, + {TLS_DHE_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dhe_rsa, ssl_hash_none}, {TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, - cipher_3des, mac_sha, kea_dhe_rsa}, + cipher_3des, mac_sha, kea_dhe_rsa, ssl_hash_none}, #if 0 - 
{SSL_DH_ANON_EXPORT_RC4_40_MD5, cipher_rc4_40, mac_md5, kea_dh_anon_export}, + {SSL_DH_ANON_EXPORT_RC4_40_MD5, cipher_rc4_40, mac_md5, kea_dh_anon_export, ssl_hash_none}, {TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA, - cipher_des40, mac_sha, kea_dh_anon_export}, - {TLS_DH_anon_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_anon}, - {TLS_DH_anon_WITH_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_anon}, + cipher_des40, mac_sha, kea_dh_anon_export, ssl_hash_none}, + {TLS_DH_anon_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_anon, ssl_hash_none}, + {TLS_DH_anon_WITH_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_anon, ssl_hash_none}, #endif /* New TLS cipher suites */ - {TLS_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_rsa}, - {TLS_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_rsa}, - {TLS_DHE_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe_dss}, - {TLS_DHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe_rsa}, - {TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_rsa}, - {TLS_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_rsa}, - {TLS_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_rsa}, - {TLS_DHE_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe_dss}, - {TLS_DHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe_rsa}, - {TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_rsa}, + {TLS_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_rsa, ssl_hash_none}, + {TLS_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_rsa, ssl_hash_sha256}, + {TLS_DHE_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe_dss, ssl_hash_none}, + {TLS_DHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe_rsa, ssl_hash_none}, + {TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_rsa, ssl_hash_sha256}, + {TLS_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_rsa, ssl_hash_none}, + {TLS_RSA_WITH_AES_256_CBC_SHA256, 
cipher_aes_256, hmac_sha256, kea_rsa, ssl_hash_sha256}, + {TLS_DHE_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe_dss, ssl_hash_none}, + {TLS_DHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe_rsa, ssl_hash_none}, + {TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_rsa, ssl_hash_sha256}, + {TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, cipher_aes_256, hmac_sha256, kea_dhe_rsa, ssl_hash_sha384}, #if 0 - {TLS_DH_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_dss}, - {TLS_DH_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_rsa}, - {TLS_DH_anon_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_anon}, - {TLS_DH_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_dss}, - {TLS_DH_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_rsa}, - {TLS_DH_anon_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_anon}, + {TLS_DH_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_dss, ssl_hash_none}, + {TLS_DH_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_rsa, ssl_hash_none}, + {TLS_DH_anon_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_anon, ssl_hash_none}, + {TLS_DH_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_dss, ssl_hash_none}, + {TLS_DH_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_rsa, ssl_hash_none}, + {TLS_DH_anon_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_anon, ssl_hash_none}, #endif {TLS_RSA_WITH_SEED_CBC_SHA, cipher_seed, mac_sha, kea_rsa}, - {TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, cipher_camellia_128, mac_sha, kea_rsa}, + {TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, cipher_camellia_128, mac_sha, kea_rsa, ssl_hash_none}, {TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, - cipher_camellia_128, mac_sha, kea_dhe_dss}, + cipher_camellia_128, mac_sha, kea_dhe_dss, ssl_hash_none}, {TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, - cipher_camellia_128, mac_sha, kea_dhe_rsa}, - {TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, cipher_camellia_256, mac_sha, kea_rsa}, + 
cipher_camellia_128, mac_sha, kea_dhe_rsa, ssl_hash_none}, + {TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, cipher_camellia_256, mac_sha, kea_rsa, ssl_hash_none}, {TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, - cipher_camellia_256, mac_sha, kea_dhe_dss}, + cipher_camellia_256, mac_sha, kea_dhe_dss, ssl_hash_none}, {TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, - cipher_camellia_256, mac_sha, kea_dhe_rsa}, + cipher_camellia_256, mac_sha, kea_dhe_rsa, ssl_hash_none}, {TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, - cipher_des, mac_sha,kea_rsa_export_1024}, + cipher_des, mac_sha,kea_rsa_export_1024, ssl_hash_none}, {TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, - cipher_rc4_56, mac_sha,kea_rsa_export_1024}, + cipher_rc4_56, mac_sha,kea_rsa_export_1024, ssl_hash_none}, - {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips}, - {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips}, + {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips, ssl_hash_none}, + {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips, ssl_hash_none}, - {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_rsa}, - {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa}, - {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa}, - {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa}, + {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_rsa, ssl_hash_sha256}, + {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa, ssl_hash_sha256}, - {TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_dss}, - {TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_dss}, - {TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_dss}, +#ifndef NSS_DISABLE_ECC + {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa, ssl_hash_sha256}, + 
{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa, ssl_hash_sha256}, + + {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa, ssl_hash_sha256}, + {TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_ecdhe_ecdsa, ssl_hash_sha384}, + {TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_ecdhe_rsa, ssl_hash_sha384}, + {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, cipher_aes_256, hmac_sha384, kea_ecdhe_ecdsa}, + {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, cipher_aes_256, hmac_sha384, kea_ecdhe_rsa, ssl_hash_sha384}, +#endif /* NSS_DISABLE_ECC */ + + {TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_dss, ssl_hash_sha256}, + {TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_dhe_dss, ssl_hash_sha384}, + + {TLS_RSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_rsa, ssl_hash_sha384}, + {TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, cipher_chacha20, mac_aead, kea_dhe_rsa, ssl_hash_sha256}, + +#ifndef NSS_DISABLE_ECC + {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, cipher_chacha20, mac_aead, kea_ecdhe_rsa, ssl_hash_sha256}, + {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, cipher_chacha20, mac_aead, kea_ecdhe_ecdsa, ssl_hash_sha256}, +#endif /* NSS_DISABLE_ECC */ - {TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, cipher_chacha20, mac_aead, kea_dhe_rsa}, + {TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_dss, ssl_hash_sha256}, + {TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_dss, ssl_hash_sha256}, #ifndef NSS_DISABLE_ECC - {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, cipher_chacha20, mac_aead, kea_ecdhe_rsa}, - {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, cipher_chacha20, mac_aead, kea_ecdhe_ecdsa}, - - {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa}, - {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa}, - 
{TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa}, - {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecdsa}, - {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecdsa}, - - {TLS_ECDHE_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_ecdsa}, - {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_ecdsa}, - {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecdsa}, - {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_ecdsa}, - {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ecdhe_ecdsa}, - {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_ecdsa}, - - {TLS_ECDH_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_rsa}, - {TLS_ECDH_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_rsa}, - {TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_rsa}, - {TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_rsa}, - {TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_rsa}, - - {TLS_ECDHE_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_rsa}, - {TLS_ECDHE_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_rsa}, - {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_rsa}, - {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_rsa}, - {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ecdhe_rsa}, - {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_rsa}, + {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa, ssl_hash_none}, + {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa, ssl_hash_none}, + {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa, ssl_hash_none}, + {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecdsa, ssl_hash_none}, + {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, 
mac_sha, kea_ecdh_ecdsa, ssl_hash_none}, + + {TLS_ECDHE_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_ecdsa, ssl_hash_none}, + {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_ecdsa, ssl_hash_none}, + {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecdsa, ssl_hash_none}, + {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_ecdsa, ssl_hash_none}, + {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ecdhe_ecdsa, ssl_hash_sha256}, + {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_ecdsa, ssl_hash_none}, + + {TLS_ECDH_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_rsa, ssl_hash_none}, + {TLS_ECDH_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_rsa, ssl_hash_none}, + {TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_rsa, ssl_hash_none}, + {TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_rsa, ssl_hash_none}, + {TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_rsa, ssl_hash_none}, + + {TLS_ECDHE_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_rsa, ssl_hash_none}, + {TLS_ECDHE_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_rsa, ssl_hash_none}, + {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_rsa, ssl_hash_none}, + {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_rsa, ssl_hash_none}, + {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ecdhe_rsa, ssl_hash_sha256}, + {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_rsa, ssl_hash_none}, #if 0 - {TLS_ECDH_anon_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_anon}, - {TLS_ECDH_anon_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_anon}, - {TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_anon}, - {TLS_ECDH_anon_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_anon}, - {TLS_ECDH_anon_WITH_AES_256_CBC_SHA, cipher_aes_256, 
mac_sha, kea_ecdh_anon}, + {TLS_ECDH_anon_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_anon, ssl_hash_none}, + {TLS_ECDH_anon_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_anon, ssl_hash_none}, + {TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_anon, ssl_hash_none}, + {TLS_ECDH_anon_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_anon, ssl_hash_none}, + {TLS_ECDH_anon_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_anon, ssl_hash_none}, #endif - {TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_psk}, + {TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_psk, ssl_hash_sha256}, #endif /* NSS_DISABLE_ECC */ }; /* clang-format on */ @@ -533,6 +557,7 @@ static const SSLCipher2Mech alg2Mech[] = { #define mmech_md5_hmac CKM_MD5_HMAC #define mmech_sha_hmac CKM_SHA_1_HMAC #define mmech_sha256_hmac CKM_SHA256_HMAC +#define mmech_sha384_hmac CKM_SHA384_HMAC /* clang-format off */ static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */ @@ -545,6 +570,7 @@ static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */ {hmac_sha, mmech_sha_hmac, 0, SHA1_LENGTH, SEC_OID_HMAC_SHA1}, {hmac_sha256, mmech_sha256_hmac, 0, SHA256_LENGTH, SEC_OID_HMAC_SHA256}, { mac_aead, mmech_invalid, 0, 0, 0 }, + {hmac_sha384, mmech_sha384_hmac, 0, SHA384_LENGTH, SEC_OID_HMAC_SHA384} }; /* clang-format on */ 
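Review bot: Three new rows in cipher_suite_defs disagree with the rest of the table. `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384` is given `cipher_aes_256, hmac_sha256` although it is an AEAD suite; every other GCM row uses `cipher_aes_256_gcm, mac_aead`, so the row should read `{TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_dhe_rsa, ssl_hash_sha384},`. `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384` omits the new prf_hash field, so it is zero-initialized rather than `ssl_hash_sha384` like its RSA sibling, and whether zero even denotes `ssl_hash_none` depends on the enum (not in this diff); append `ssl_hash_sha384`. `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` appears twice inside the first `#ifndef NSS_DISABLE_ECC` block, so one copy should be dropped. The unchanged context row `{TLS_RSA_WITH_SEED_CBC_SHA, cipher_seed, mac_sha, kea_rsa},` likewise still has only four fields and should get `ssl_hash_none` for consistency.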
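Review bot: mac_defs is documented as `indexed by SSL3MACAlgorithm`, and the new `hmac_sha384` row is appended after `mac_aead`, so lookups are only correct if `ssl_hmac_sha384` is the enumerator immediately following `ssl_mac_aead`; the sslimpl.h hunk only adds the `hmac_sha384` alias and the enum itself is not in this diff, so please confirm the ordering. A `PR_STATIC_ASSERT` relating the array length to the enum count would catch a mismatch at compile time. The new row also drops the trailing comma that the `mac_aead` row above it carries.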
@@ -741,10 +767,13 @@ ssl3_CipherSuiteAllowedForVersionRange( case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: case TLS_RSA_WITH_AES_256_CBC_SHA256: case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: + case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: + case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: case TLS_RSA_WITH_AES_128_CBC_SHA256: case TLS_RSA_WITH_AES_128_GCM_SHA256: + case TLS_RSA_WITH_AES_256_GCM_SHA384: case TLS_DHE_DSS_WITH_AES_128_CBC_SHA256: case TLS_DHE_DSS_WITH_AES_256_CBC_SHA256: case TLS_RSA_WITH_NULL_SHA256: @@ -752,11 +781,15 @@ ssl3_CipherSuiteAllowedForVersionRange( case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: case TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: + case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: + case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: + case TLS_DHE_DSS_WITH_AES_256_GCM_SHA384: return vrange->max == SSL_LIBRARY_VERSION_TLS_1_2; case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: + case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: - case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: + case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: return vrange->max >= SSL_LIBRARY_VERSION_TLS_1_2; /* RFC 4492: ECC cipher suites need TLS extensions to negotiate curves and @@ -805,6 +838,9 @@ ssl_LookupCipherSuiteDef(ssl3CipherSuite suite) if (cipher_suite_defs[i].cipher_suite == suite) return &cipher_suite_defs[i]; } +#ifdef DEBUG + PR_fprintf(PR_STDERR, "*** ERROR: Can't find suite %04x\n", suite); +#endif PORT_Assert(PR_FALSE); /* We should never get here. */ PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE); return NULL; @@ -2537,6 +2573,9 @@ ssl3_ComputeRecordMAC( case ssl_hmac_sha256: /* used with TLS */ hashObj = HASH_GetRawHashObject(HASH_AlgSHA256); break; + case ssl_hmac_sha384: /* used with TLS */ + hashObj = HASH_GetRawHashObject(HASH_AlgSHA384); + break; default: break; } 
@@ -3854,6 +3893,31 @@ ssl3_HandleChangeCipherSpecs(sslSocket *ss, sslBuffer *buf) return SECSuccess; } +inline static CK_MECHANISM_TYPE +ssl3_GetPrfHashMechanism(sslSocket *ss) +{ + switch (ss->ssl3.hs.suite_def->prf_hash) { + case ssl_hash_sha384: + return CKM_SHA384; + case ssl_hash_sha256: + case ssl_hash_none: + /* ssl_hash_none is for pre-1.2 suites, which use SHA-256. */ + return CKM_SHA256; + default: + PORT_Assert(0); + } + return CKM_SHA256; +} + +inline static SSLHashType +ssl3_GetSuitePrfHash(sslSocket *ss) { + /* ssl_hash_none is for pre-1.2 suites, which use SHA-256. */ + if (ss->ssl3.hs.suite_def->prf_hash == ssl_hash_none) { + return ssl_hash_sha256; + } + return ss->ssl3.hs.suite_def->prf_hash; +} + /* This method completes the derivation of the MS from the PMS. ** ** 1. Derive the MS, if possible, else return an error. @@ -3977,7 +4041,7 @@ ssl3_ComputeMasterSecretInt(sslSocket *ss, PK11SymKey *pms, master_params.RandomInfo.pServerRandom = sr; master_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH; if (isTLS12) { - master_params.prfHashMechanism = CKM_SHA256; + master_params.prfHashMechanism = ssl3_GetPrfHashMechanism(ss); master_params_len = sizeof(CK_TLS12_MASTER_KEY_DERIVE_PARAMS); } else { /* prfHashMechanism is not relevant with this PRF */ @@ -4220,7 +4284,7 @@ ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss) if (isTLS12) { key_derive = CKM_TLS12_KEY_AND_MAC_DERIVE; - key_material_params.prfHashMechanism = CKM_SHA256; + key_material_params.prfHashMechanism = ssl3_GetPrfHashMechanism(ss); key_material_params_len = sizeof(CK_TLS12_KEY_MAT_PARAMS); } else if (isTLS) { key_derive = CKM_TLS_KEY_AND_MAC_DERIVE; @@ -4285,7 +4349,8 @@ loser: } /* ssl3_InitHandshakeHashes creates handshake hash contexts and hashes in - * buffered messages in ss->ssl3.hs.messages. */ + * buffered messages in ss->ssl3.hs.messages. Called from + * ssl3_NegotiateCipherSuite() and ssl3_HandleServerHello. */ static SECStatus ssl3_InitHandshakeHashes(sslSocket *ss) { 
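Review bot: The two new helpers treat an unexpected prf_hash differently: ssl3_GetPrfHashMechanism asserts and then falls back to `CKM_SHA256` in release builds, while ssl3_GetSuitePrfHash returns any value other than `ssl_hash_none` unchanged, so a mis-set suite definition would derive keys with SHA-256 yet advertise a different handshake hash. Consider mirroring the `default: PORT_Assert(0);` handling in ssl3_GetSuitePrfHash so both helpers agree on which values are valid. On style, `inline static` is conventionally written `static inline`, and ssl3_GetSuitePrfHash puts the opening brace on the signature line while ssl3_GetPrfHashMechanism and the rest of this file put it on its own line.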
@@ -4296,9 +4361,18 @@ ssl3_InitHandshakeHashes(sslSocket *ss) if (ss->opt.bypassPKCS11) { PORT_Assert(!ss->ssl3.hs.sha_obj && !ss->ssl3.hs.sha_clone); if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) { - /* If we ever support ciphersuites where the PRF hash isn't SHA-256 - * then this will need to be updated. */ - ss->ssl3.hs.sha_obj = HASH_GetRawHashObject(HASH_AlgSHA256); + const SECOidData *hashOid = + SECOID_FindOIDByMechanism(ssl3_GetPrfHashMechanism(ss)); + + if (hashOid == NULL) { + PORT_Assert(hashOid == NULL); + ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); + return SECFailure; + } + + ss->ssl3.hs.sha_obj = HASH_GetRawHashObject( + HASH_GetHashTypeByOidTag(hashOid->offset)); + if (!ss->ssl3.hs.sha_obj) { ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); return SECFailure; @@ -4321,9 +4395,21 @@ ssl3_InitHandshakeHashes(sslSocket *ss) * that the master secret will wind up in ... */ if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) { - /* If we ever support ciphersuites where the PRF hash isn't SHA-256 - * then this will need to be updated. */ - ss->ssl3.hs.sha = PK11_CreateDigestContext(SEC_OID_SHA256); + /* We support ciphersuites where the PRF hash isn't SHA-256 */ + /* determine the hash from the prf */ + const SECOidData *hash_oid = + SECOID_FindOIDByMechanism(ssl3_GetPrfHashMechanism(ss)); + + /* Get the PKCS #11 mechanism for the Hash from the cipher suite (prf_hash) + * Convert that to the OidTag. We can then use that OidTag to create our + * PK11Context */ + PORT_Assert(hash_oid != NULL); + if (hash_oid == NULL) { + ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); + return SECFailure; + } + + ss->ssl3.hs.sha = PK11_CreateDigestContext(hash_oid->offset); if (ss->ssl3.hs.sha == NULL) { ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); return SECFailure; 
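Review bot: In the bypassPKCS11 branch of ssl3_InitHandshakeHashes the failure path reads `if (hashOid == NULL) { PORT_Assert(hashOid == NULL); ...`; the assertion is only evaluated when its condition is already true, so it can never fire and does not flag the lookup failure in debug builds. The PKCS#11 branch later in the same function does this correctly with `PORT_Assert(hash_oid != NULL);` placed before the `if`; do the same here, `PORT_Assert(hashOid != NULL);` ahead of the check, or drop the assertion. The function's body starts and ends outside these hunks.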
@@ -4643,6 +4729,11 @@ ssl3_AppendSignatureAndHashAlgorithm( sslSocket *ss, const SSLSignatureAndHashAlg *sigAndHash) { PRUint8 serialized[2]; + SECOidTag hashAlg = ssl3_TLSHashAlgorithmToOID(sigAndHash->hashAlg); + if (hashAlg == SEC_OID_UNKNOWN) { + PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM); + return SECFailure; + } serialized[0] = (PRUint8)sigAndHash->hashAlg; serialized[1] = (PRUint8)sigAndHash->sigAlg; @@ -4758,7 +4849,17 @@ ssl3_ConsumeHandshakeVariable(sslSocket *ss, SECItem *i, PRInt32 bytes, } /* tlsHashOIDMap contains the mapping between TLS hash identifiers and the - * SECOidTag used internally by NSS. */ + * SECOidTag used internally by NSS. + * + * See https://tools.ietf.org/html/whih#section-7.4.1.4.1 + * + * Note for reviewers: The above species + * { ssl_hash_sha224, SEC_OID_SHA224 } as one of the entries + * in which I haven't included as not recommended for TLS 1.3 + * https://tools.ietf.org/html/draft-ietf-tls-tls13-08 which + * we plan to support. We still need to work this out, see + * also Bug 1179338. + */ static const struct { SSLHashType tlsHash; SECOidTag oid; @@ -4981,11 +5082,11 @@ ssl3_ComputeHandshakeHashes(sslSocket *ss, ss->ssl3.hs.sha_obj->end(sha_cx, hashes->u.raw, &hashes->len, sizeof(hashes->u.raw)); - PRINT_BUF(60, (NULL, "SHA-256: result", hashes->u.raw, hashes->len)); + PRINT_BUF(60, (NULL, "HASH: result", hashes->u.raw, hashes->len)); /* If we ever support ciphersuites where the PRF hash isn't SHA-256 * then this will need to be updated. */ - hashes->hashAlg = ssl_hash_sha256; + hashes->hashAlg = ssl3_GetSuitePrfHash(ss); rv = SECSuccess; } else if (ss->opt.bypassPKCS11) { /* compute them without PKCS11 */ 
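Review bot: The expanded comment above tlsHashOIDMap contains a placeholder URL, `https://tools.ietf.org/html/whih#section-7.4.1.4.1`, the typo `species` for `specifies`, and a `Note for reviewers` paragraph written as a review-thread message rather than as documentation. Before landing, point the link at the intended specification section, fix the typo, and either reword the note into a plain statement of why `ssl_hash_sha224` is omitted (keeping the bug reference) or move it to the bug. The struct definition the comment documents continues outside the hunk.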
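Review bot: In the @@ -4981 hunk the context comment directly above `hashes->hashAlg = ssl3_GetSuitePrfHash(ss);` still says `If we ever support ciphersuites where the PRF hash isn't SHA-256 then this will need to be updated`, which this change makes obsolete; the @@ -5093 hunk removes the same comment from the other branch, so remove it here too or replace it with `/* The handshake hash is the suite's PRF hash. */`. ssl3_ComputeHandshakeHashes starts and ends outside the hunk.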
@@ -5093,9 +5194,8 @@ ssl3_ComputeHandshakeHashes(sslSocket *ss, rv = SECFailure; goto tls12_loser; } - /* If we ever support ciphersuites where the PRF hash isn't SHA-256 - * then this will need to be updated. */ - hashes->hashAlg = ssl_hash_sha256; + + hashes->hashAlg = ssl3_GetSuitePrfHash(ss); rv = SECSuccess; tls12_loser: @@ -6823,13 +6923,6 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_version; isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0); - rv = ssl3_InitHandshakeHashes(ss); - if (rv != SECSuccess) { - desc = internal_error; - errCode = PORT_GetError(); - goto alert_loser; - } - rv = ssl3_ConsumeHandshake( ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH, &b, &length); if (rv != SECSuccess) { @@ -6918,6 +7011,14 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) ss->ssl3.hs.kea_def = &kea_defs[ss->ssl3.hs.suite_def->key_exchange_alg]; + /* Now that we know what the cipher suite is, setup the handshake hash. */ + rv = ssl3_InitHandshakeHashes(ss); + if (rv != SECSuccess) { + desc = internal_error; + errCode = PORT_GetError(); + goto alert_loser; + } + if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { /* find selected compression method in our list. */ temp = ssl3_ConsumeHandshakeNumber(ss, 1, &b, &length); @@ -7561,7 +7662,7 @@ ssl3_DestroyBackupHandshakeHashIfNotNeeded(sslSocket *ss, SSLSignType sigAlg; PRBool preferSha1 = PR_FALSE; PRBool supportsSha1 = PR_FALSE; - PRBool supportsSha256 = PR_FALSE; + PRBool supportsHandshakeHash = PR_FALSE; PRBool needBackupHash = PR_FALSE; unsigned int i; 
@@ -7580,20 +7681,28 @@ ssl3_DestroyBackupHandshakeHashIfNotNeeded(sslSocket *ss, goto done; } + switch (ss->ssl3.hs.suite_def->prf_hash) { + case ssl_hash_sha384: + case ssl_hash_sha256: + supportsHandshakeHash = PR_TRUE; + break; + default: + supportsHandshakeHash = PR_FALSE; + break; + } + /* Determine the server's hash support for that signature algorithm. */ for (i = 0; i < algorithms->len; i += 2) { if (algorithms->data[i + 1] == sigAlg) { if (algorithms->data[i] == ssl_hash_sha1) { supportsSha1 = PR_TRUE; - } else if (algorithms->data[i] == ssl_hash_sha256) { - supportsSha256 = PR_TRUE; } } } /* If either the server does not support SHA-256 or the client key prefers * SHA-1, leave the backup hash. */ - if (supportsSha1 && (preferSha1 || !supportsSha256)) { + if (supportsSha1 && (preferSha1 || !supportsHandshakeHash)) { needBackupHash = PR_TRUE; } @@ -8362,7 +8471,8 @@ ssl3_NegotiateCipherSuite(sslSocket *ss, const SECItem *suites) ss->ssl3.hs.kea_def = &kea_defs[ss->ssl3.hs.suite_def->key_exchange_alg]; ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_cipher_suite; - return SECSuccess; + /* Now we've have a cipher suite, initialize the handshake hashes. */ + return ssl3_InitHandshakeHashes(ss); } } } @@ -8656,13 +8766,6 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) isTLS13 = ss->version >= SSL_LIBRARY_VERSION_TLS_1_3; ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_version; - rv = ssl3_InitHandshakeHashes(ss); - if (rv != SECSuccess) { - desc = internal_error; - errCode = PORT_GetError(); - goto alert_loser; - } - /* Generate the Server Random now so it is available * when we process the ClientKeyShare in TLS 1.3 */ rv = ssl3_GetNewRandom(&ss->ssl3.hs.server_random); 
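Review bot: `supportsHandshakeHash` is now derived solely from the negotiated suite's prf_hash, and the loop over `algorithms` no longer records whether the server advertised that hash for `sigAlg`, so the peer's signature_algorithms list appears to no longer influence the decision at all; a server that lists only SHA-1 for the signature algorithm would seemingly have its backup hash discarded. If that is intended, the comment `If either the server does not support SHA-256 or the client key prefers SHA-1` above the check is now inaccurate and should state the new rule; if not, the loop needs an `else if (algorithms->data[i] == ss->ssl3.hs.suite_def->prf_hash) { supportsHandshakeHash = PR_TRUE; }` branch in place of the switch. Note also that suites with `ssl_hash_none` are still negotiable under TLS 1.2, and for them the switch yields false where the old code could report SHA-256 support. The function starts and ends outside the hunk.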
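Review bot: The comment added in ssl3_NegotiateCipherSuite reads `Now we've have a cipher suite`; suggest `/* Now that we have a cipher suite, initialize the handshake hashes. */`. ssl3_NegotiateCipherSuite starts and ends outside the hunk.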
@@ -9439,13 +9542,6 @@ ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buffer, int length, } ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_version; - rv = ssl3_InitHandshakeHashes(ss); - if (rv != SECSuccess) { - desc = internal_error; - errCode = PORT_GetError(); - goto alert_loser; - } - /* if we get a non-zero SID, just ignore it. */ if (length != total) { SSL_DBG(("%d: SSL3[%d]: bad v2 client hello message, len=%d should=%d", @@ -10039,6 +10135,8 @@ ssl3_EncodeCertificateRequestSigAlgs(sslSocket *ss, PRUint8 *buf, unsigned maxLen, PRUint32 *len) { unsigned int i; + /* We only track a single hash, the one that is the basis for the PRF. */ + SSLHashType suiteHashAlg = ssl3_GetSuitePrfHash(ss); PORT_Assert(maxLen >= ss->ssl3.signatureAlgorithmCount * 2); if (maxLen < ss->ssl3.signatureAlgorithmCount * 2) { @@ -10050,9 +10148,9 @@ ssl3_EncodeCertificateRequestSigAlgs(sslSocket *ss, PRUint8 *buf, for (i = 0; i < ss->ssl3.signatureAlgorithmCount; ++i) { const SSLSignatureAndHashAlg *alg = &ss->ssl3.signatureAlgorithms[i]; /* Note that we don't support a handshake hash with anything other than - * SHA-256, so asking for a signature from clients for something else - * would be inviting disaster. */ - if (alg->hashAlg == ssl_hash_sha256) { + * the PRF hash, so asking for a signature from clients for something + * else would be inviting disaster. */ + if (alg->hashAlg == suiteHashAlg) { buf[(*len)++] = (PRUint8)alg->hashAlg; buf[(*len)++] = (PRUint8)alg->sigAlg; } @@ -10122,6 +10220,7 @@ ssl3_SendCertificateRequest(sslSocket *ss) certTypesLength = sizeof certificate_types; length = 1 + certTypesLength + 2 + calen; + if (isTLS12) { rv = ssl3_EncodeCertificateRequestSigAlgs(ss, sigAlgs, sizeof(sigAlgs), &sigAlgsLength); @@ -11567,7 +11666,7 @@ done: } static SECStatus -ssl3_ComputeTLSFinished(ssl3CipherSpec *spec, +ssl3_ComputeTLSFinished(sslSocket *ss, ssl3CipherSpec *spec, PRBool isServer, const SSL3Hashes *hashes, TLSFinished *tlsFinished) 
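Review bot: ssl3_EncodeCertificateRequestSigAlgs now advertises only signature algorithms whose hash equals ssl3_GetSuitePrfHash(ss), so its output depends on that helper never returning ssl_hash_none for a suite whose prf_hash is unset; if it did, the loop would emit zero algorithms and the TLS 1.2 CertificateRequest (see the isTLS12 guard in the ssl3_SendCertificateRequest hunk) would go out with an empty supported_signature_algorithms list. I cannot see the helper here; either document the guarantee at the declaration, `/* ssl3_GetSuitePrfHash never returns ssl_hash_none: suites without an explicit prf_hash map to the TLS 1.2 default. */`, or guard with `if (suiteHashAlg == ssl_hash_none) { PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); return SECFailure; }`. The function body continues past its hunk.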
@@ -11590,7 +11689,7 @@ ssl3_ComputeTLSFinished(ssl3CipherSpec *spec, if (spec->version < SSL_LIBRARY_VERSION_TLS_1_2) { tls_mac_params.prfMechanism = CKM_TLS_PRF; } else { - tls_mac_params.prfMechanism = CKM_SHA256; + tls_mac_params.prfMechanism = ssl3_GetPrfHashMechanism(ss); } tls_mac_params.ulMacLength = 12; tls_mac_params.ulServerOrClient = isServer ? 1 : 2; @@ -11795,7 +11894,7 @@ ssl3_SendFinished(sslSocket *ss, PRInt32 flags) isTLS = (PRBool)(cwSpec->version > SSL_LIBRARY_VERSION_3_0); rv = ssl3_ComputeHandshakeHashes(ss, cwSpec, &hashes, sender); if (isTLS && rv == SECSuccess) { - rv = ssl3_ComputeTLSFinished(cwSpec, isServer, &hashes, &tlsFinished); + rv = ssl3_ComputeTLSFinished(ss, cwSpec, isServer, &hashes, &tlsFinished); } ssl_ReleaseSpecReadLock(ss); if (rv != SECSuccess) { @@ -11966,7 +12065,7 @@ ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length, PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED); return SECFailure; } - rv = ssl3_ComputeTLSFinished(ss->ssl3.crSpec, !isServer, + rv = ssl3_ComputeTLSFinished(ss, ss->ssl3.crSpec, !isServer, hashes, &tlsFinished); if (!isServer) ss->ssl3.hs.finishedMsgs.tFinished[1] = tlsFinished; diff --git a/lib/ssl/sslenum.c b/lib/ssl/sslenum.c index 8c12c39a0..ffa85c04b 100644 --- a/lib/ssl/sslenum.c +++ b/lib/ssl/sslenum.c @@ -143,7 +143,7 @@ const PRUint16 SSL_ImplementedCiphers[] = { TLS_RSA_EXPORT_WITH_RC4_40_MD5, TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, - /* ciphersuites with no encryption */ +/* ciphersuites with no encryption */ #ifndef NSS_DISABLE_ECC TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, diff --git a/lib/ssl/sslimpl.h b/lib/ssl/sslimpl.h index 8cd99e922..c00000fd6 100644 --- a/lib/ssl/sslimpl.h +++ b/lib/ssl/sslimpl.h @@ -57,6 +57,7 @@ typedef SSLMACAlgorithm SSL3MACAlgorithm; #define hmac_md5 ssl_hmac_md5 #define hmac_sha ssl_hmac_sha #define hmac_sha256 ssl_hmac_sha256 +#define hmac_sha384 ssl_hmac_sha384 #define mac_aead ssl_mac_aead #define SET_ERROR_CODE /* reminder */ 
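Review bot: tls_mac_params.prfMechanism is now chosen from ss (via ssl3_GetPrfHashMechanism) while the TLS 1.2 branch is selected from spec->version, so ssl3_ComputeTLSFinished silently assumes that spec and ss->ssl3.hs describe the same handshake; both call sites updated below appear to pass a spec of the current handshake, but the new parameter deserves a line at the definition, e.g. `/* ss supplies the negotiated suite's PRF hash; spec must belong to the same handshake as ss->ssl3.hs. */`. The signature itself is in the previous hunk and the body continues outside this one.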
@@ -314,9 +315,9 @@ typedef struct { } ssl3CipherSuiteCfg; #ifndef NSS_DISABLE_ECC -#define ssl_V3_SUITES_IMPLEMENTED 68 +#define ssl_V3_SUITES_IMPLEMENTED 75 #else -#define ssl_V3_SUITES_IMPLEMENTED 41 +#define ssl_V3_SUITES_IMPLEMENTED 44 #endif /* NSS_DISABLE_ECC */ #define MAX_DTLS_SRTP_CIPHER_SUITES 4 @@ -468,6 +469,7 @@ typedef enum { cipher_camellia_256, cipher_seed, cipher_aes_128_gcm, + cipher_aes_256_gcm, cipher_chacha20, cipher_missing /* reserved for no such supported cipher */ /* This enum must match ssl3_cipherName[] in ssl3con.c. */ @@ -718,6 +720,7 @@ typedef struct ssl3CipherSuiteDefStr { SSL3BulkCipher bulk_cipher_alg; SSL3MACAlgorithm mac_alg; SSL3KeyExchangeAlgorithm key_exchange_alg; + SSLHashType prf_hash; } ssl3CipherSuiteDef; /* @@ -834,6 +837,10 @@ struct TLSExtensionDataStr { SECItem signedCertTimestamps; }; +typedef enum { + sni_nametype_hostname +} SNINameType; + typedef SECStatus (*sslRestartTarget)(sslSocket *); /* diff --git a/lib/ssl/sslinfo.c b/lib/ssl/sslinfo.c index ba9d0f040..fd2702863 100644 --- a/lib/ssl/sslinfo.c +++ b/lib/ssl/sslinfo.c @@ -191,6 +191,7 @@ SSL_GetPreliminaryChannelInfo(PRFileDesc *fd, /* "mac algorithm" and size */ #define M_AEAD_128 "AEAD", ssl_mac_aead, 128 +#define M_SHA384 "SHA384", ssl_hmac_sha384, 384 #define M_SHA256 "SHA256", ssl_hmac_sha256, 256 #define M_SHA "SHA1", ssl_mac_sha, 160 #define M_MD5 "MD5", ssl_mac_md5, 128 
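Review bot: ssl_V3_SUITES_IMPLEMENTED is bumped by hand to 75 and 44, and if, as I believe, it is the declared dimension of the suite table in ssl3con.c, an undercount is a compile error but an overcount silently zero-fills the tail with entries whose cipher_suite is 0; the ssl3con.c hunks on this page show only two ECC additions to that table, so I cannot confirm the new totals from here. A comment next to the constants, `/* Must equal the number of initializers in cipherSuites[] (ssl3con.c); an overcount leaves zeroed entries at the end. */`, tells the next person what to recount.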
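Review bot: The new prf_hash member of ssl3CipherSuiteDef has no comment saying what ssl_hash_none means in it, yet the tls13con.c hunks assert it is never none for TLS 1.3 suites while ssl3con.c reads it through ssl3_GetSuitePrfHash for every version; state the convention once at the field, e.g. `SSLHashType prf_hash; /* Hash for the PRF/HKDF. ssl_hash_none is only valid for suites negotiable below TLS 1.3, where the version default applies; TLS 1.3 suites must set it. */`. The enum addition cipher_aes_256_gcm sits under a reminder that ssl3_cipherName[] must be kept in step; that table is not in this diff, so please confirm it was updated.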
@@ -285,7 +286,19 @@ static const SSLCipherSuiteInfo suiteInfo[] = { { 0, CS(ECDHE_RSA_WITH_AES_128_CBC_SHA256), S_RSA, K_ECDHE, C_AES, B_128, M_SHA256, F_FIPS_STD, A_RSAS }, { 0, CS(ECDHE_RSA_WITH_AES_256_CBC_SHA), S_RSA, K_ECDHE, C_AES, B_256, M_SHA, F_FIPS_STD, A_RSAS }, { 0, CS(ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256), S_RSA, K_ECDHE, C_CHACHA20, B_256, M_AEAD_128, F_NFIPS_STD, A_RSAS }, + { 0, CS(ECDHE_RSA_WITH_AES_256_CBC_SHA384), S_RSA, K_ECDHE, C_AES, B_256, M_SHA384, F_FIPS_STD, A_RSAS }, + { 0, CS(ECDHE_ECDSA_WITH_AES_256_CBC_SHA384), S_ECDSA, K_ECDHE, C_AES, B_256, M_SHA384, F_FIPS_STD, A_ECDSA }, + { 0, CS(ECDHE_ECDSA_WITH_AES_256_GCM_SHA384), S_ECDSA, K_ECDHE, C_AESGCM, B_256, M_AEAD_128, F_FIPS_STD, A_ECDSA }, + { 0, CS(ECDHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_ECDHE, C_AESGCM, B_128, M_AEAD_128, F_FIPS_STD, A_RSAS }, + { 0, CS(ECDHE_RSA_WITH_AES_256_GCM_SHA384), S_RSA, K_ECDHE, C_AESGCM, B_256, M_AEAD_128, F_FIPS_STD, A_RSAS }, #endif /* NSS_DISABLE_ECC */ + + { 0, CS(DHE_DSS_WITH_AES_256_GCM_SHA384), S_DSA, K_DHE, C_AESGCM, B_256, M_AEAD_128, F_FIPS_STD, A_DSA }, + { 0, CS(DHE_RSA_WITH_AES_256_GCM_SHA384), S_RSA, K_DHE, C_AESGCM, B_256, M_AEAD_128, F_FIPS_STD, A_RSAS }, + { 0, CS(DHE_DSS_WITH_AES_128_GCM_SHA256), S_DSA, K_DHE, C_AESGCM, B_128, M_AEAD_128, F_FIPS_STD, A_DSA }, + { 0, CS(DHE_DSS_WITH_AES_128_CBC_SHA256), S_DSA, K_DHE, C_AES, B_128, M_SHA256, F_FIPS_STD, A_DSA }, + { 0, CS(DHE_DSS_WITH_AES_256_CBC_SHA256), S_DSA, K_DHE, C_AES, B_256, M_SHA256, F_FIPS_STD, A_DSA }, + { 0, CS(RSA_WITH_AES_256_GCM_SHA384), S_RSA, K_RSA, C_AESGCM, B_256, M_AEAD_128, F_FIPS_STD, A_RSAD } }; #define NUM_SUITEINFOS ((sizeof suiteInfo) / (sizeof suiteInfo[0])) diff --git a/lib/ssl/sslt.h b/lib/ssl/sslt.h index 3e7701cf3..383c8c4bb 100644 --- a/lib/ssl/sslt.h +++ b/lib/ssl/sslt.h 
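Review bot: The added row for ECDHE_RSA_WITH_AES_128_GCM_SHA256 looks like a duplicate: that suite is already implemented (the ssl3con.c section lists it as an existing entry), so suiteInfo most likely carries a row for it further up the table, and a second row is dead weight that the first match shadows and that may trip any check counting suiteInfo entries against the implemented-suite total. Please confirm and drop the duplicate. The GCM rows reusing M_AEAD_128 for the 128-bit tag are consistent with the existing CHACHA20 row.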
@@ -182,32 +182,13 @@ typedef struct SSLChannelInfoStr { const char* compressionMethodName; SSLCompressionMethod compressionMethod; - /* - * Any attributes that follow MUST NOT accessed directly using their - * names. Instead, you must use the accessor macros - * SSL_CHANNEL_INFO_FIELD_GET and SSL_CHANNEL_INFO_FIELD_SET, - * which check at runtime that the dynamically linked version of NSS - * supports the attribute. - * The names of the attributes must start with "UseMacroToAccess_". - * (Only internal NSS library code may access the attributes directly, - * but NSS tools MUST use the macros.) - */ - /* The following fields are added in NSS 3.21. * This field only has meaning in TLS < 1.3 and will be set to * PR_FALSE in TLS 1.3. */ - PRBool UseMacroToAccess_extendedMasterSecretUsed; + PRBool extendedMasterSecretUsed; } SSLChannelInfo; -/* Use these macros to access the entries in SSLChannelInfo that are named - * starting with "UseMacroToAccess_" */ -#define SSL_CHANNEL_INFO_FIELD_EXISTS(info, field) \ - ((info).length >= (offsetof(SSLChannelInfo, UseMacroToAccess_##field) + sizeof((info).UseMacroToAccess_##field))) - -#define SSL_CHANNEL_INFO_FIELD_GET(info,field) \ - (SSL_CHANNEL_INFO_FIELD_EXISTS(info,field) ? info.UseMacroToAccess_##field : -1) - /* Preliminary channel info */ #define ssl_preinfo_version (1U << 0) #define ssl_preinfo_cipher_suite (1U << 1) diff --git a/lib/ssl/tls13con.c b/lib/ssl/tls13con.c index cf42e7576..8acd2f76b 100644 --- a/lib/ssl/tls13con.c +++ b/lib/ssl/tls13con.c 
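Review bot: Dropping the SSL_CHANNEL_INFO_FIELD_* macros removes the only length check around extendedMasterSecretUsed, so a caller compiled against this header but running against a libssl whose SSL_GetChannelInfo fills fewer bytes would read an uninitialized field; since the field stays at the end of the struct, checking (info).length still works and the header should say so, e.g. `/* Added in NSS 3.21. Check that length covers this field before reading it. */` in place of the remaining comment. If the macros were ever shipped in a release, removing them is also a source-compatibility break for tools that used them; please confirm they were not.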
@@ -231,21 +231,52 @@ tls13_CheckHsState(sslSocket *ss, int err, const char *error_name, SSLHashType tls13_GetHash(sslSocket *ss) { - /* TODO(ekr@rtfm.com): This needs to actually be looked up. */ + /* All TLS 1.3 cipher suites must have an explict PRF hash. */ + PORT_Assert(ss->ssl3.hs.suite_def->prf_hash != ssl_hash_none); + return ss->ssl3.hs.suite_def->prf_hash; +} + +unsigned int +tls13_GetHashSize(sslSocket *ss) +{ + switch (tls13_GetHash(ss)) { + case ssl_hash_sha256: + return 32; + case ssl_hash_sha384: + return 48; + default: + PORT_Assert(0); + return ssl_hash_sha256; + } return ssl_hash_sha256; } CK_MECHANISM_TYPE tls13_GetHkdfMechanism(sslSocket *ss) { - /* TODO(ekr@rtfm.com): This needs to actually be looked up. */ + switch (tls13_GetHash(ss)) { + case ssl_hash_sha256: + return CKM_NSS_HKDF_SHA256; + case ssl_hash_sha384: + return CKM_NSS_HKDF_SHA384; + default: + /*PORT_Assert(0);*/ + return CKM_NSS_HKDF_SHA256; + } return CKM_NSS_HKDF_SHA256; } static CK_MECHANISM_TYPE tls13_GetHmacMechanism(sslSocket *ss) { - /* TODO(ekr@rtfm.com): This needs to actually be looked up. */ + switch (tls13_GetHash(ss)) { + case ssl_hash_sha256: + return CKM_SHA256_HMAC; + case ssl_hash_sha384: + return CKM_SHA384_HMAC; + default: + PORT_Assert(0); + } return CKM_SHA256_HMAC; } @@ -384,11 +415,11 @@ tls13_RecoverWrappedSharedSecret(sslSocket *ss, sslSessionID *sid) wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len; /* unwrap the "master secret" which becomes SS. */ - PORT_Assert(tls13_GetHash(ss) == ssl_hash_sha256); + PORT_Assert(tls13_GetHash(ss) == ssl_hash_sha256 || tls13_GetHash(ss) == ssl_hash_sha384); SS = PK11_UnwrapSymKeyWithFlags(wrapKey, sid->u.ssl3.masterWrapMech, NULL, &wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE, - CKA_DERIVE, 32, + CKA_DERIVE, tls13_GetHashSize(ss), CKF_SIGN | CKF_VERIFY); PK11_FreeSymKey(wrapKey); if (!SS) { 
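Review bot: The default arm of tls13_GetHashSize returns the enum constant ssl_hash_sha256 where callers expect a byte count (tls13_RecoverWrappedSharedSecret passes it as the unwrapped key size), and all three switch functions keep the old unconditional `return …SHA256…` after the switch, which is now unreachable; tls13_GetHkdfMechanism additionally has its assert commented out. Because tls13_GetHash already asserts that the suite carries a PRF hash, a suite with an unknown hash reaching these defaults is a programming error, and in release builds the current code would quietly derive with SHA-256 HKDF/HMAC while tls13_GetHashSize reported a bogus length; returning 0 and CKM_INVALID_MECHANISM instead makes the PK11 calls fail rather than continue with a mismatched hash. The comment in tls13_GetHash also has a typo ("explict"). Suggested shape for the three functions:
```c
unsigned int
tls13_GetHashSize(sslSocket *ss)
{
    switch (tls13_GetHash(ss)) {
        /* … unchanged: sha256 -> 32, sha384 -> 48 … */
        default:
            PORT_Assert(0);
            return 0; /* a byte count, never an SSLHashType value */
    }
    /* trailing "return ssl_hash_sha256;" removed: unreachable after the switch */
}

CK_MECHANISM_TYPE
tls13_GetHkdfMechanism(sslSocket *ss)
{
    switch (tls13_GetHash(ss)) {
        /* … unchanged: sha256/sha384 HKDF mechanisms … */
        default:
            PORT_Assert(0);
            return CKM_INVALID_MECHANISM;
    }
}

/* … tls13_GetHmacMechanism: same default arm, trailing return removed … */
```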
@@ -740,7 +771,6 @@ tls13_SendCertificateRequest(sslSocket *ss) PRUint8 sigAlgs[MAX_SIGNATURE_ALGORITHMS * 2]; unsigned int sigAlgsLength = 0; int length; - PRUint8 suiteHashAlg; SSL_TRC(3, ("%d: TLS13[%d]: begin send certificate_request", SSL_GETPID(), ss->fd)); @@ -749,10 +779,6 @@ tls13_SendCertificateRequest(sslSocket *ss) ss->ssl3.hs.certReqContext[0] = 0; ss->ssl3.hs.certReqContextLen = 1; - suiteHashAlg = ssl3_GetSuiteHashAlg(ss); - if (suiteHashAlg == -1) return SECFailure; - /* err set by AppendHandshake. */ - rv = ssl3_EncodeCertificateRequestSigAlgs(ss, sigAlgs, sizeof(sigAlgs), &sigAlgsLength); if (rv != SECSuccess) { @@ -1344,13 +1370,8 @@ tls13_AddContextToHashes(sslSocket *ss, SSL3Hashes *hashes /* IN/OUT */, : server_cert_verify_string; unsigned int hashlength; - /* Double check that we are doing SHA-256 for the handshake hash.*/ - PORT_Assert(hashes->hashAlg == ssl_hash_sha256); - if (hashes->hashAlg != ssl_hash_sha256) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - goto loser; - } - PORT_Assert(hashes->len == 32); + /* Double check that we are doing the same hash.*/ + PORT_Assert(hashes->len == tls13_GetHashSize(ss)); ctx = PK11_CreateDigestContext(ssl3_TLSHashAlgorithmToOID(algorithm)); if (!ctx) { @@ -1603,6 +1624,10 @@ tls13_ComputeHandshakeHashes(sslSocket *ss, /* TODO(ekr@rtfm.com): This first clause is futureproofing for * 0-RTT. */ if (ss->ssl3.hs.hashType == handshake_hash_unknown) { +#if DEBUG + PR_fprintf(PR_STDERR, + "FAILURE: ss->ssl3.hs.hashType = handshake_hash_unknown\n"); +#endif PORT_Assert(0); } else { ctx = PK11_CloneContext(ss->ssl3.hs.sha); @@ -1624,8 +1649,8 @@ tls13_ComputeHandshakeHashes(sslSocket *ss, /* If we ever support ciphersuites where the PRF hash isn't SHA-256 * then this will need to be updated. */ - PORT_Assert(hashes->len == 32); - hashes->hashAlg = ssl_hash_sha256; + PORT_Assert(hashes->len == tls13_GetHashSize(ss)); + hashes->hashAlg = tls13_GetHash(ss); PK11_DestroyContext(ctx, PR_TRUE); return SECSuccess; 
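Review bot: The block removed from tls13_AddContextToHashes was a runtime check that set SEC_ERROR_INVALID_ARGS and went to loser; its replacement is a bare PORT_Assert, which compiles away in release builds, so a hashes->len that does not match tls13_GetHashSize(ss) now proceeds into the digest with the wrong length. Keep the runtime path under the assert: `if (hashes->len != tls13_GetHashSize(ss)) { PORT_SetError(SEC_ERROR_INVALID_ARGS); goto loser; }`. The function starts and ends outside this hunk.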
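Review bot: In tls13_ComputeHandshakeHashes the context comment "If we ever support ciphersuites where the PRF hash isn't SHA-256 then this will need to be updated" now sits directly above the lines that do exactly that and should go, or become `/* Length and algorithm follow the suite's PRF hash. */`. The new debug print is guarded by `#if DEBUG`; NSS normally guards with `#ifdef DEBUG`, and `#if DEBUG` is a preprocessor error if DEBUG is defined with no value and silently false when it is undefined, so `#ifdef DEBUG` is the safer, consistent spelling. The enclosing function begins before this hunk.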
diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh index 4143b67ef..4cfa60626 100755 --- a/tests/ssl/ssl.sh +++ b/tests/ssl/ssl.sh @@ -83,14 +83,21 @@ ssl_init() USER_NICKNAME=TestUser NORM_EXT="" + EC_SUITES=":C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D" + EC_SUITES="${EC_SUITES}:C00E:C00F:C010:C011:C012:C013:C014:C023:C024:C027" + EC_SUITES="${EC_SUITES}:C028:C02B:C02C:C02F:C030:CCA8:CCA9:CCAA:D001" + + NON_EC_SUITES=":0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B" + NON_EC_SUITES="${NON_EC_SUITES}:0084:009C:009D:009E:009F:00A2:00A3:CCAAcdefgijklmnvyz" + if [ -z "$NSS_DISABLE_ECC" ] ; then ECC_STRING=" - with ECC" # List of cipher suites to test, including ECC cipher suites. - CIPHER_SUITES="-c :C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:C023:C027:C02B:C02F:CCA8:CCA9:CCAA:0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009E:00A2cdefgijklmnvyz" + CIPHER_SUITES="-c ${EC_SUITES}${NON_EC_SUITES}" else ECC_STRING="" # List of cipher suites to test, excluding ECC cipher suites. - CIPHER_SUITES="-c :0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009E:00A2:CCAAcdefgijklmnvyz" + CIPHER_SUITES="-c ${NON_EC_SUITES}" fi if [ "${OS_ARCH}" != "WINNT" ]; then |
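Review bot: In the ECC branch the suite list is now `${EC_SUITES}${NON_EC_SUITES}`, and since EC_SUITES ends with `:CCAA` while NON_EC_SUITES also carries `:CCAA`, that non-ECC suite is listed twice in the ECC configuration; dropping `:CCAA` from the last EC_SUITES line leaves each suite once in both branches. The previous ECC list had no `D001`, so it is a deliberate new addition rather than a carry-over, and a word in the comment above the lists would make that clear. ssl_init() begins before this hunk.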