authorTim Taubert <ttaubert@mozilla.com>2016-09-16 13:42:56 -0700
committerTim Taubert <ttaubert@mozilla.com>2016-09-16 13:42:56 -0700
commit6c214486e9ef0f7b8653dea24689e5491de959b6 (patch)
tree7d4d3f1347d05853217823b9b9710268e4193081
parent6efedbcb0d51f696cdb7a5d44f781e69e3ca5802 (diff)
downloadnss-hg-6c214486e9ef0f7b8653dea24689e5491de959b6.tar.gz
Bug 1303224 - Remove the PKCS#11 bypass r=franziskus,mt
-rw-r--r--automation/taskcluster/graph/src/extend.js14
-rwxr-xr-xautomation/taskcluster/scripts/run_scan_build.sh2
-rw-r--r--cmd/selfserv/selfserv.c84
-rw-r--r--cmd/strsclnt/strsclnt.c17
-rw-r--r--cmd/tstclnt/tstclnt.c19
-rw-r--r--coreconf/config.mk5
-rw-r--r--lib/freebl/loader.c17
-rw-r--r--lib/ssl/Makefile5
-rw-r--r--lib/ssl/config.mk10
-rw-r--r--lib/ssl/derive.c716
-rw-r--r--lib/ssl/manifest.mn1
-rw-r--r--lib/ssl/ssl.h30
-rw-r--r--lib/ssl/ssl3con.c1112
-rw-r--r--lib/ssl/ssl3ecc.c26
-rw-r--r--lib/ssl/ssl3ext.c446
-rw-r--r--lib/ssl/sslimpl.h41
-rw-r--r--lib/ssl/sslsnce.c86
-rw-r--r--lib/ssl/sslsock.c96
-rwxr-xr-xtests/all.sh18
-rwxr-xr-xtests/ssl/ssl.sh6
20 files changed, 330 insertions, 2421 deletions
diff --git a/automation/taskcluster/graph/src/extend.js b/automation/taskcluster/graph/src/extend.js
index 8c6c230c7..5827468e5 100644
--- a/automation/taskcluster/graph/src/extend.js
+++ b/automation/taskcluster/graph/src/extend.js
@@ -209,12 +209,6 @@ async function scheduleLinux(name, base) {
}));
queue.scheduleTask(merge(extra_base, {
- name: `${name} w/ NSS_NO_PKCS11_BYPASS=1`,
- env: {NSS_NO_PKCS11_BYPASS: "1"},
- symbol: "noPkcs11Bypass"
- }));
-
- queue.scheduleTask(merge(extra_base, {
name: `${name} w/ NSS_DISABLE_LIBPKIX=1`,
env: {NSS_DISABLE_LIBPKIX: "1"},
symbol: "noLibpkix"
@@ -279,14 +273,6 @@ async function scheduleWindows(name, base) {
]
}));
- // Extra builds.
- let extra_base = merge({group: "Builds"}, build_base);
- queue.scheduleTask(merge(extra_base, {
- name: `${name} w/ NSS_NO_PKCS11_BYPASS=1`,
- env: {NSS_NO_PKCS11_BYPASS: "1"},
- symbol: "noPkcs11Bypass"
- }));
-
return queue.submit();
}
diff --git a/automation/taskcluster/scripts/run_scan_build.sh b/automation/taskcluster/scripts/run_scan_build.sh
index 25b133d88..95382c8e4 100755
--- a/automation/taskcluster/scripts/run_scan_build.sh
+++ b/automation/taskcluster/scripts/run_scan_build.sh
@@ -23,7 +23,7 @@ cd nss && make nss_build_all
# we run scan-build on these folders
declare -a scan=("lib/ssl" "lib/freebl")
# corresponds to the number of errors that are expected in the |scan| folder
-declare -a ignore=(1 0)
+declare -a ignore=(0 0)
for i in "${scan[@]}"
do
diff --git a/cmd/selfserv/selfserv.c b/cmd/selfserv/selfserv.c
index 03615d184..2e50907ec 100644
--- a/cmd/selfserv/selfserv.c
+++ b/cmd/selfserv/selfserv.c
@@ -178,8 +178,6 @@ PrintParameterUsage()
" All versions are enabled by default.\n"
" Possible values for min/max: ssl3 tls1.0 tls1.1 tls1.2\n"
" Example: \"-V ssl3:\" enables SSL 3 and newer.\n"
- "-B bypasses the PKCS11 layer for SSL encryption and MACing\n"
- "-q checks for bypassability\n"
"-D means disable Nagle delays in TCP\n"
"-R means disable detection of rollback from TLS to SSL3\n"
"-a configure server for SNI.\n"
@@ -795,9 +793,7 @@ static SSLVersionRange enabledVersions;
PRBool disableRollBack = PR_FALSE;
PRBool NoReuse = PR_FALSE;
PRBool hasSidCache = PR_FALSE;
-PRBool bypassPKCS11 = PR_FALSE;
PRBool disableLocking = PR_FALSE;
-PRBool testbypass = PR_FALSE;
PRBool enableSessionTickets = PR_FALSE;
PRBool enableCompression = PR_FALSE;
PRBool failedToNegotiateName = PR_FALSE;
@@ -1860,12 +1856,6 @@ server_main(
if (rv != SECSuccess) {
errExit("error enabling RollBack detection ");
}
- if (bypassPKCS11) {
- rv = SSL_OptionSet(model_sock, SSL_BYPASS_PKCS11, PR_TRUE);
- if (rv != SECSuccess) {
- errExit("error enabling PKCS11 bypass ");
- }
- }
if (disableLocking) {
rv = SSL_OptionSet(model_sock, SSL_NO_LOCKS, PR_TRUE);
if (rv != SECSuccess) {
@@ -2208,7 +2198,6 @@ main(int argc, char **argv)
PRBool debugCache = PR_FALSE; /* bug 90518 */
char emptyString[] = { "" };
char *certPrefix = emptyString;
- PRUint32 protos = 0;
SSL3Statistics *ssl3stats;
PRUint32 i;
secuPWData pwdata = { PW_NONE, 0 };
@@ -2225,10 +2214,10 @@ main(int argc, char **argv)
/* please keep this list of options in ASCII collating sequence.
** numbers, then capital letters, then lower case, alphabetical.
- ** XXX: 'E' and 'x' were used in the past, please leave some
- ** time before resuing those. */
+ ** XXX: 'B', 'E', 'q', and 'x' were used in the past but removed
+ ** in 3.28, please leave some time before resuing those. */
optstate = PL_CreateOptState(argc, argv,
- "2:A:BC:DGH:L:M:NP:QRS:T:U:V:W:YZa:bc:d:e:f:g:hi:jk:lmn:op:qrst:uvw:yz");
+ "2:A:C:DGH:L:M:NP:QRS:T:U:V:W:YZa:bc:d:e:f:g:hi:jk:lmn:op:rst:uvw:yz");
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
++optionsFound;
switch (optstate->option) {
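Review bot: The rewritten reserved-letters comment carries the `resuing` typo over from the line it replaces; since the line is being touched anyway it should read `** in 3.28, please leave some time before reusing those. */`. Naming 'B' and 'q' together with the release that dropped them is the useful part and should stay as written. main's body continues on both sides of the hunk.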
@@ -2240,10 +2229,6 @@ main(int argc, char **argv)
ocspStaplingCA = PORT_Strdup(optstate->value);
break;
- case 'B':
- bypassPKCS11 = PR_TRUE;
- break;
-
case 'C':
if (optstate->value)
NumSidCacheEntries = PORT_Atoi(optstate->value);
@@ -2403,10 +2388,6 @@ main(int argc, char **argv)
port = PORT_Atoi(optstate->value);
break;
- case 'q':
- testbypass = PR_TRUE;
- break;
-
case 'r':
++requestCert;
break;
@@ -2658,32 +2639,6 @@ main(int argc, char **argv)
PORT_Free(cstringSaved);
}
- if (testbypass) {
- const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
- int i = SSL_NumImplementedCiphers;
- PRBool enabled;
-
- for (i = 0; i < SSL_NumImplementedCiphers; i++, cipherSuites++) {
- if (SSL_CipherPrefGetDefault(*cipherSuites, &enabled) == SECSuccess &&
- enabled)
- savecipher(*cipherSuites);
- }
- protos = 0;
- if (enabledVersions.min <= SSL_LIBRARY_VERSION_3_0 &&
- enabledVersions.max >= SSL_LIBRARY_VERSION_3_0) {
- protos |= SSL_CBP_SSL3;
- }
- if (enabledVersions.min <= SSL_LIBRARY_VERSION_TLS_1_0 &&
- enabledVersions.max >= SSL_LIBRARY_VERSION_TLS_1_0) {
- protos |= SSL_CBP_TLS1_0;
- }
- /* TLS 1.1 has the same SSL Bypass mode requirements as TLS 1.0 */
- if (enabledVersions.min <= SSL_LIBRARY_VERSION_TLS_1_1 &&
- enabledVersions.max >= SSL_LIBRARY_VERSION_TLS_1_1) {
- protos |= SSL_CBP_TLS1_0;
- }
- }
-
certStatusArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (!certStatusArena)
errExit("cannot allocate certStatusArena");
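Review bot: Removing the `-q` block also removes the only consumer of `cipherlist`/`nciphers` visible in this diff — the deleted `savecipher(*cipherSuites)` loop fed them, and the deleted SSL_CanBypass calls in the later hunks were the only reads. If nothing else in selfserv.c (outside this view) reads those arrays, `savecipher()` and its storage are now write-only and should go in the same change rather than linger; if a reader does remain, a one-line comment at the `-c` handling saying what still consumes the list would save the next person this search. main's body continues outside the hunk.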
@@ -2700,16 +2655,6 @@ main(int argc, char **argv)
nickName);
exit(11);
}
- if (testbypass) {
- PRBool bypassOK;
- if (SSL_CanBypass(cert[kt_rsa], privKey[kt_rsa], protos, cipherlist,
- nciphers, &bypassOK, &pwdata) != SECSuccess) {
- SECU_PrintError(progName, "Bypass test failed %s\n", nickName);
- exit(14);
- }
- fprintf(stderr, "selfserv: %s can%s bypass\n", nickName,
- bypassOK ? "" : "not");
- }
setupCertStatus(certStatusArena, ocspStaplingMode, cert[kt_rsa], kt_rsa,
&pwdata);
}
@@ -2727,16 +2672,6 @@ main(int argc, char **argv)
dsaNickName);
exit(11);
}
- if (testbypass) {
- PRBool bypassOK;
- if (SSL_CanBypass(cert[ssl_kea_dh], privKey[ssl_kea_dh], protos, cipherlist,
- nciphers, &bypassOK, &pwdata) != SECSuccess) {
- SECU_PrintError(progName, "Bypass test failed %s\n", nickName);
- exit(14);
- }
- fprintf(stderr, "selfserv: %s can%s bypass\n", nickName,
- bypassOK ? "" : "not");
- }
setupCertStatus(certStatusArena, ocspStaplingMode, cert[ssl_kea_dh], ssl_kea_dh,
&pwdata);
}
@@ -2754,24 +2689,11 @@ main(int argc, char **argv)
ecNickName);
exit(11);
}
- if (testbypass) {
- PRBool bypassOK;
- if (SSL_CanBypass(cert[kt_ecdh], privKey[kt_ecdh], protos, cipherlist,
- nciphers, &bypassOK, &pwdata) != SECSuccess) {
- SECU_PrintError(progName, "Bypass test failed %s\n", ecNickName);
- exit(15);
- }
- fprintf(stderr, "selfserv: %s can%s bypass\n", ecNickName,
- bypassOK ? "" : "not");
- }
setupCertStatus(certStatusArena, ocspStaplingMode, cert[kt_ecdh], kt_ecdh,
&pwdata);
}
#endif /* NSS_DISABLE_ECC */
- if (testbypass)
- goto cleanup;
-
if (configureWeakDHE > 0) {
fprintf(stderr, "selfserv: Creating dynamic weak DH parameters\n");
rv = SSL_EnableWeakDHEPrimeGroup(NULL, PR_TRUE);
diff --git a/cmd/strsclnt/strsclnt.c b/cmd/strsclnt/strsclnt.c
index 6e380b7d4..209dcca96 100644
--- a/cmd/strsclnt/strsclnt.c
+++ b/cmd/strsclnt/strsclnt.c
@@ -112,7 +112,6 @@ static SSL3Statistics *ssl3stats;
static int failed_already = 0;
static SSLVersionRange enabledVersions;
-static PRBool bypassPKCS11 = PR_FALSE;
static PRBool disableLocking = PR_FALSE;
static PRBool ignoreErrors = PR_FALSE;
static PRBool enableSessionTickets = PR_FALSE;
@@ -159,7 +158,6 @@ Usage(const char *progName)
" Possible values for min/max: ssl3 tls1.0 tls1.1 tls1.2\n"
" Example: \"-V ssl3:\" enables SSL 3 and newer.\n"
" -U means enable throttling up threads\n"
- " -B bypasses the PKCS11 layer for SSL encryption and MACing\n"
" -T enable the cert_status extension (OCSP stapling)\n"
" -u enable TLS Session Ticket extension\n"
" -z enable compression\n"
@@ -1174,13 +1172,6 @@ client_main(
}
}
- if (bypassPKCS11) {
- rv = SSL_OptionSet(model_sock, SSL_BYPASS_PKCS11, 1);
- if (rv < 0) {
- errExit("SSL_OptionSet SSL_BYPASS_PKCS11");
- }
- }
-
if (disableLocking) {
rv = SSL_OptionSet(model_sock, SSL_NO_LOCKS, 1);
if (rv < 0) {
@@ -1322,14 +1313,12 @@ main(int argc, char **argv)
progName = strrchr(tmp, '\\');
progName = progName ? progName + 1 : tmp;
+ /* XXX: 'B' was used in the past but removed in 3.28,
+ * please leave some time before resuing it. */
optstate = PL_CreateOptState(argc, argv,
- "BC:DNP:TUV:W:a:c:d:f:gin:op:qst:uvw:z");
+ "C:DNP:TUV:W:a:c:d:f:gin:op:qst:uvw:z");
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch (optstate->option) {
- case 'B':
- bypassPKCS11 = PR_TRUE;
- break;
-
case 'C':
cipherString = optstate->value;
break;
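Review bot: The new comment above the option string repeats the `resuing` typo; it should be `* please leave some time before reusing it. */`. main's body continues outside the hunk.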
diff --git a/cmd/tstclnt/tstclnt.c b/cmd/tstclnt/tstclnt.c
index 525332023..862cd7b81 100644
--- a/cmd/tstclnt/tstclnt.c
+++ b/cmd/tstclnt/tstclnt.c
@@ -214,8 +214,6 @@ PrintParameterUsage(void)
fprintf(stderr, "%-20s Nickname of key and cert for client auth\n",
"-n nickname");
fprintf(stderr,
- "%-20s Bypass PKCS11 layer for SSL encryption and MACing.\n", "-B");
- fprintf(stderr,
"%-20s Restricts the set of enabled SSL/TLS protocols versions.\n"
"%-20s All versions are enabled by default.\n"
"%-20s Possible values for min/max: ssl3 tls1.0 tls1.1 tls1.2 tls1.3\n"
@@ -902,7 +900,6 @@ main(int argc, char **argv)
int npds;
int override = 0;
SSLVersionRange enabledVersions;
- int bypassPKCS11 = 0;
int disableLocking = 0;
int enableSessionTickets = 0;
int enableCompression = 0;
@@ -959,8 +956,10 @@ main(int argc, char **argv)
SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledVersions);
+ /* XXX: 'B' was used in the past but removed in 3.28,
+ * please leave some time before resuing it. */
optstate = PL_CreateOptState(argc, argv,
- "46BCDFGHKM:OR:STUV:W:Ya:bc:d:fgh:m:n:op:qr:st:uvw:z");
+ "46CDFGHKM:OR:STUV:W:Ya:bc:d:fgh:m:n:op:qr:st:uvw:z");
while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch (optstate->option) {
case '?':
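Review bot: The added comment reserving 'B' has the same `resuing` typo as the selfserv and strsclnt copies; `* please leave some time before reusing it. */`. Since the three tools now carry an identical note, keeping the wording identical makes a later grep for reserved letters reliable. main's body continues outside the hunk.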
@@ -979,10 +978,6 @@ main(int argc, char **argv)
Usage(progName);
break;
- case 'B':
- bypassPKCS11 = 1;
- break;
-
case 'C':
++dumpServerChain;
break;
@@ -1399,14 +1394,6 @@ main(int argc, char **argv)
goto done;
}
- /* enable PKCS11 bypass */
- rv = SSL_OptionSet(s, SSL_BYPASS_PKCS11, bypassPKCS11);
- if (rv != SECSuccess) {
- SECU_PrintError(progName, "error enabling PKCS11 bypass");
- error = 1;
- goto done;
- }
-
/* disable SSL socket locking */
rv = SSL_OptionSet(s, SSL_NO_LOCKS, disableLocking);
if (rv != SECSuccess) {
diff --git a/coreconf/config.mk b/coreconf/config.mk
index e359153c3..db1985d4a 100644
--- a/coreconf/config.mk
+++ b/coreconf/config.mk
@@ -212,8 +212,3 @@ DEFINES += -DSSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES
# exported symbols, which causes problem when NSS is built as part of Mozilla.
# So we add a NSS_SSL_ENABLE_ZLIB variable to allow Mozilla to turn this off.
NSS_SSL_ENABLE_ZLIB = 1
-
-# Allow disabling PKCS11 bypass.
-ifdef NSS_NO_PKCS11_BYPASS
-DEFINES += -DNO_PKCS11_BYPASS
-endif
diff --git a/lib/freebl/loader.c b/lib/freebl/loader.c
index 5958af8dc..3239d73a6 100644
--- a/lib/freebl/loader.c
+++ b/lib/freebl/loader.c
@@ -813,21 +813,16 @@ BL_Unload(void)
* from NSS_Shutdown. */
char *disableUnload = NULL;
vector = NULL;
- /* If an SSL socket is configured with SSL_BYPASS_PKCS11, but the application
- * never does a handshake on it, BL_Unload will be called even though freebl
- * was never loaded. So, don't assert blLib. */
- if (blLib) {
- disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD");
- if (!disableUnload) {
+ disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD");
+ if (!disableUnload) {
#ifdef DEBUG
- PRStatus status = PR_UnloadLibrary(blLib);
- PORT_Assert(PR_SUCCESS == status);
+ PRStatus status = PR_UnloadLibrary(blLib);
+ PORT_Assert(PR_SUCCESS == status);
#else
- PR_UnloadLibrary(blLib);
+ PR_UnloadLibrary(blLib);
#endif
- }
- blLib = NULL;
}
+ blLib = NULL;
loadFreeBLOnce = pristineCallOnce;
}
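Review bot: BL_Unload now hands `blLib` to PR_UnloadLibrary unconditionally; the deleted `if (blLib)` guard was justified only by the bypass case, but nothing in the hunk establishes that the remaining caller the comment names (NSS_Shutdown) can only run after freebl was actually loaded, so a shutdown after a failed or never-attempted freebl load would reach `PR_UnloadLibrary(NULL)` and, in DEBUG builds, trip the `PORT_Assert(PR_SUCCESS == status)` that follows. If "freebl is always loaded by the time BL_Unload runs" is now the invariant, make it explicit and cheap with `PORT_Assert(blLib);` before the `disableUnload` lookup, or keep an `if (blLib) {` around the unload so the reset of `blLib` and `loadFreeBLOnce` still happens; either way the assumption fails loudly rather than depending on how NSPR treats a NULL library handle. BL_Unload's signature and the start of its body lie outside the hunk.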
diff --git a/lib/ssl/Makefile b/lib/ssl/Makefile
index 80c33ab2c..24fccc590 100644
--- a/lib/ssl/Makefile
+++ b/lib/ssl/Makefile
@@ -63,8 +63,3 @@ include $(CORE_DEPTH)/coreconf/rules.mk
#######################################################################
export:: private_export
-
-ifndef NSS_NO_PKCS11_BYPASS
-# indicates dependency on freebl static lib
-$(SHARED_LIBRARY): $(CRYPTOLIB)
-endif
diff --git a/lib/ssl/config.mk b/lib/ssl/config.mk
index 7e2f9b3ee..c8b053cab 100644
--- a/lib/ssl/config.mk
+++ b/lib/ssl/config.mk
@@ -7,16 +7,6 @@ ifdef NISCC_TEST
DEFINES += -DNISCC_TEST
endif
-ifdef NSS_NO_PKCS11_BYPASS
-DEFINES += -DNO_PKCS11_BYPASS
-else
-CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
-
-EXTRA_LIBS += \
- $(CRYPTOLIB) \
- $(NULL)
-endif
-
ifeq (,$(filter-out WIN%,$(OS_TARGET)))
# don't want the 32 in the shared library name
diff --git a/lib/ssl/derive.c b/lib/ssl/derive.c
deleted file mode 100644
index 86b1c1c6b..000000000
--- a/lib/ssl/derive.c
+++ /dev/null
@@ -1,716 +0,0 @@
-/*
- * Key Derivation that doesn't use PKCS11
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "ssl.h" /* prereq to sslimpl.h */
-#include "certt.h" /* prereq to sslimpl.h */
-#include "keythi.h" /* prereq to sslimpl.h */
-#include "sslimpl.h"
-#ifndef NO_PKCS11_BYPASS
-#include "blapi.h"
-#endif
-
-#include "keyhi.h"
-#include "pk11func.h"
-#include "secasn1.h"
-#include "cert.h"
-#include "secmodt.h"
-
-#include "sslproto.h"
-#include "sslerr.h"
-
-#ifndef NO_PKCS11_BYPASS
-/* make this a macro! */
-#ifdef NOT_A_MACRO
-static void
-buildSSLKey(unsigned char *keyBlock, unsigned int keyLen, SECItem *result,
- const char *label)
-{
- result->type = siBuffer;
- result->data = keyBlock;
- result->len = keyLen;
- PRINT_BUF(100, (NULL, label, keyBlock, keyLen));
-}
-#else
-#define buildSSLKey(keyBlock, keyLen, result, label) \
- { \
- (result)->type = siBuffer; \
- (result)->data = keyBlock; \
- (result)->len = keyLen; \
- PRINT_BUF(100, (NULL, label, keyBlock, keyLen)); \
- }
-#endif
-
-/*
- * SSL Key generation given pre master secret
- */
-#ifndef NUM_MIXERS
-#define NUM_MIXERS 9
-#endif
-static const char *const mixers[NUM_MIXERS] = {
- "A",
- "BB",
- "CCC",
- "DDDD",
- "EEEEE",
- "FFFFFF",
- "GGGGGGG",
- "HHHHHHHH",
- "IIIIIIIII"
-};
-
-SECStatus
-ssl3_KeyAndMacDeriveBypass(
- ssl3CipherSpec *pwSpec,
- const unsigned char *cr,
- const unsigned char *sr,
- PRBool isTLS,
- HASH_HashType tls12HashType)
-{
- const ssl3BulkCipherDef *cipher_def = pwSpec->cipher_def;
- unsigned char *key_block = pwSpec->key_block;
- unsigned int block_needed = 0;
- unsigned int i;
- unsigned int keySize; /* actual size of cipher keys */
- unsigned int effKeySize; /* effective size of cipher keys */
- unsigned int macSize; /* size of MAC secret */
- unsigned int IVSize; /* size of IV */
- PRBool explicitIV = PR_FALSE;
- SECStatus rv = SECFailure;
- SECStatus status = SECSuccess;
- PRBool isFIPS = PR_FALSE;
- PRBool isTLS12 = pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2;
-
- SECItem srcr;
-
- unsigned char srcrdata[SSL3_RANDOM_LENGTH * 2];
- PRUint64 md5buf[22];
- PRUint64 shabuf[40];
-
-#define md5Ctx ((MD5Context *)md5buf)
-#define shaCtx ((SHA1Context *)shabuf)
-
- static const SECItem zed = { siBuffer, NULL, 0 };
-
- if (pwSpec->msItem.data == NULL ||
- pwSpec->msItem.len != SSL3_MASTER_SECRET_LENGTH) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return rv;
- }
-
- PRINT_BUF(100, (NULL, "Master Secret", pwSpec->msItem.data,
- pwSpec->msItem.len));
-
- /* figure out how much is needed */
- macSize = pwSpec->mac_size;
- keySize = cipher_def->key_size;
- effKeySize = cipher_def->secret_key_size;
- IVSize = cipher_def->iv_size;
- if (keySize == 0) {
- effKeySize = IVSize = 0; /* only MACing */
- }
- if (cipher_def->type == type_block &&
- pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) {
- /* Block ciphers in >= TLS 1.1 use a per-record, explicit IV. */
- explicitIV = PR_TRUE;
- }
- block_needed =
- 2 * (macSize + effKeySize + ((!explicitIV) * IVSize));
-
- /*
- * clear out our returned keys so we can recover on failure
- */
- pwSpec->client.write_key_item = zed;
- pwSpec->client.write_mac_key_item = zed;
- pwSpec->server.write_key_item = zed;
- pwSpec->server.write_mac_key_item = zed;
-
- /* initialize the server random, client random block */
- srcr.type = siBuffer;
- srcr.data = srcrdata;
- srcr.len = sizeof srcrdata;
- PORT_Memcpy(srcrdata, sr, SSL3_RANDOM_LENGTH);
- PORT_Memcpy(srcrdata + SSL3_RANDOM_LENGTH, cr, SSL3_RANDOM_LENGTH);
-
- /*
- * generate the key material:
- */
- if (isTLS) {
- SECItem keyblk;
-
- keyblk.type = siBuffer;
- keyblk.data = key_block;
- keyblk.len = block_needed;
-
- if (isTLS12) {
- status = TLS_P_hash(tls12HashType, &pwSpec->msItem,
- "key expansion", &srcr, &keyblk, isFIPS);
- } else {
- status = TLS_PRF(&pwSpec->msItem, "key expansion", &srcr, &keyblk,
- isFIPS);
- }
- if (status != SECSuccess) {
- goto key_and_mac_derive_fail;
- }
- } else {
- /* key_block =
- * MD5(master_secret + SHA('A' + master_secret +
- * ServerHello.random + ClientHello.random)) +
- * MD5(master_secret + SHA('BB' + master_secret +
- * ServerHello.random + ClientHello.random)) +
- * MD5(master_secret + SHA('CCC' + master_secret +
- * ServerHello.random + ClientHello.random)) +
- * [...];
- */
- unsigned int made = 0;
- for (i = 0; made < block_needed && i < NUM_MIXERS; ++i) {
- unsigned int outLen;
- unsigned char sha_out[SHA1_LENGTH];
-
- SHA1_Begin(shaCtx);
- SHA1_Update(shaCtx, (unsigned char *)(mixers[i]), i + 1);
- SHA1_Update(shaCtx, pwSpec->msItem.data, pwSpec->msItem.len);
- SHA1_Update(shaCtx, srcr.data, srcr.len);
- SHA1_End(shaCtx, sha_out, &outLen, SHA1_LENGTH);
- PORT_Assert(outLen == SHA1_LENGTH);
-
- MD5_Begin(md5Ctx);
- MD5_Update(md5Ctx, pwSpec->msItem.data, pwSpec->msItem.len);
- MD5_Update(md5Ctx, sha_out, outLen);
- MD5_End(md5Ctx, key_block + made, &outLen, MD5_LENGTH);
- PORT_Assert(outLen == MD5_LENGTH);
- made += MD5_LENGTH;
- }
- }
-
- i = 0; /* now shows how much consumed */
-
- /*
- * The key_block is partitioned as follows:
- * client_write_MAC_secret[CipherSpec.hash_size]
- */
- buildSSLKey(&key_block[i], macSize, &pwSpec->client.write_mac_key_item,
- "Client Write MAC Secret");
- i += macSize;
-
- /*
- * server_write_MAC_secret[CipherSpec.hash_size]
- */
- buildSSLKey(&key_block[i], macSize, &pwSpec->server.write_mac_key_item,
- "Server Write MAC Secret");
- i += macSize;
-
- if (!keySize) {
- /* only MACing */
- buildSSLKey(NULL, 0, &pwSpec->client.write_key_item,
- "Client Write Key (MAC only)");
- buildSSLKey(NULL, 0, &pwSpec->server.write_key_item,
- "Server Write Key (MAC only)");
- buildSSLKey(NULL, 0, &pwSpec->client.write_iv_item,
- "Client Write IV (MAC only)");
- buildSSLKey(NULL, 0, &pwSpec->server.write_iv_item,
- "Server Write IV (MAC only)");
- } else {
- /*
- ** Generate Domestic write keys and IVs.
- ** client_write_key[CipherSpec.key_material]
- */
- buildSSLKey(&key_block[i], keySize, &pwSpec->client.write_key_item,
- "Domestic Client Write Key");
- i += keySize;
-
- /*
- ** server_write_key[CipherSpec.key_material]
- */
- buildSSLKey(&key_block[i], keySize, &pwSpec->server.write_key_item,
- "Domestic Server Write Key");
- i += keySize;
-
- if (IVSize > 0) {
- if (explicitIV) {
- static unsigned char zero_block[32];
- PORT_Assert(IVSize <= sizeof zero_block);
- buildSSLKey(&zero_block[0], IVSize,
- &pwSpec->client.write_iv_item,
- "Domestic Client Write IV");
- buildSSLKey(&zero_block[0], IVSize,
- &pwSpec->server.write_iv_item,
- "Domestic Server Write IV");
- } else {
- /*
- ** client_write_IV[CipherSpec.IV_size]
- */
- buildSSLKey(&key_block[i], IVSize,
- &pwSpec->client.write_iv_item,
- "Domestic Client Write IV");
- i += IVSize;
-
- /*
- ** server_write_IV[CipherSpec.IV_size]
- */
- buildSSLKey(&key_block[i], IVSize,
- &pwSpec->server.write_iv_item,
- "Domestic Server Write IV");
- }
- }
- }
- rv = SECSuccess;
-
-key_and_mac_derive_fail:
-
- MD5_DestroyContext(md5Ctx, PR_FALSE);
- SHA1_DestroyContext(shaCtx, PR_FALSE);
-
- if (rv != SECSuccess) {
- PORT_SetError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
- }
-
- return rv;
-}
-
-/* derive the Master Secret from the PMS */
-/* Presently, this is only done wtih RSA PMS, and only on the server side,
- * so isRSA is always true.
- */
-SECStatus
-ssl3_MasterSecretDeriveBypass(
- ssl3CipherSpec *pwSpec,
- const unsigned char *cr,
- const unsigned char *sr,
- const SECItem *pms,
- PRBool isTLS,
- HASH_HashType tls12HashType,
- PRBool isRSA)
-{
- unsigned char *key_block = pwSpec->key_block;
- SECStatus rv = SECSuccess;
- PRBool isFIPS = PR_FALSE;
- PRBool isTLS12 = pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2;
-
- SECItem crsr;
-
- unsigned char crsrdata[SSL3_RANDOM_LENGTH * 2];
- PRUint64 md5buf[22];
- PRUint64 shabuf[40];
-
-#define md5Ctx ((MD5Context *)md5buf)
-#define shaCtx ((SHA1Context *)shabuf)
-
- /* first do the consistancy checks */
- if (isRSA) {
- PORT_Assert(pms->len == SSL3_RSA_PMS_LENGTH);
- if (pms->len != SSL3_RSA_PMS_LENGTH) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- /* caller must test PMS version for rollback */
- }
-
- /* initialize the client random, server random block */
- crsr.type = siBuffer;
- crsr.data = crsrdata;
- crsr.len = sizeof crsrdata;
- PORT_Memcpy(crsrdata, cr, SSL3_RANDOM_LENGTH);
- PORT_Memcpy(crsrdata + SSL3_RANDOM_LENGTH, sr, SSL3_RANDOM_LENGTH);
- PRINT_BUF(100, (NULL, "Master Secret CRSR", crsr.data, crsr.len));
-
- /* finally do the key gen */
- if (isTLS) {
- SECItem master = { siBuffer, NULL, 0 };
-
- master.data = key_block;
- master.len = SSL3_MASTER_SECRET_LENGTH;
-
- if (isTLS12) {
- rv = TLS_P_hash(tls12HashType, pms, "master secret", &crsr,
- &master, isFIPS);
- } else {
- rv = TLS_PRF(pms, "master secret", &crsr, &master, isFIPS);
- }
- if (rv != SECSuccess) {
- PORT_SetError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
- }
- } else {
- int i;
- unsigned int made = 0;
- for (i = 0; i < 3; i++) {
- unsigned int outLen;
- unsigned char sha_out[SHA1_LENGTH];
-
- SHA1_Begin(shaCtx);
- SHA1_Update(shaCtx, (unsigned char *)mixers[i], i + 1);
- SHA1_Update(shaCtx, pms->data, pms->len);
- SHA1_Update(shaCtx, crsr.data, crsr.len);
- SHA1_End(shaCtx, sha_out, &outLen, SHA1_LENGTH);
- PORT_Assert(outLen == SHA1_LENGTH);
-
- MD5_Begin(md5Ctx);
- MD5_Update(md5Ctx, pms->data, pms->len);
- MD5_Update(md5Ctx, sha_out, outLen);
- MD5_End(md5Ctx, key_block + made, &outLen, MD5_LENGTH);
- PORT_Assert(outLen == MD5_LENGTH);
- made += outLen;
- }
- }
-
- /* store the results */
- PORT_Memcpy(pwSpec->raw_master_secret, key_block,
- SSL3_MASTER_SECRET_LENGTH);
- pwSpec->msItem.data = pwSpec->raw_master_secret;
- pwSpec->msItem.len = SSL3_MASTER_SECRET_LENGTH;
- PRINT_BUF(100, (NULL, "Master Secret", pwSpec->msItem.data,
- pwSpec->msItem.len));
-
- return rv;
-}
-
-static SECStatus
-ssl_canExtractMS(PK11SymKey *pms, PRBool isTLS, PRBool isDH, PRBool *pcbp)
-{
- SECStatus rv;
- PK11SymKey *ms = NULL;
- SECItem params = { siBuffer, NULL, 0 };
- CK_SSL3_MASTER_KEY_DERIVE_PARAMS master_params;
- unsigned char rand[SSL3_RANDOM_LENGTH];
- CK_VERSION pms_version;
- CK_MECHANISM_TYPE master_derive;
- CK_MECHANISM_TYPE key_derive;
- CK_FLAGS keyFlags;
-
- if (pms == NULL)
- return (SECFailure);
-
- PORT_Memset(rand, 0, SSL3_RANDOM_LENGTH);
-
- if (isTLS) {
- if (isDH)
- master_derive = CKM_TLS_MASTER_KEY_DERIVE_DH;
- else
- master_derive = CKM_TLS_MASTER_KEY_DERIVE;
- key_derive = CKM_TLS_KEY_AND_MAC_DERIVE;
- keyFlags = CKF_SIGN | CKF_VERIFY;
- } else {
- if (isDH)
- master_derive = CKM_SSL3_MASTER_KEY_DERIVE_DH;
- else
- master_derive = CKM_SSL3_MASTER_KEY_DERIVE;
- key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE;
- keyFlags = 0;
- }
-
- master_params.pVersion = &pms_version;
- master_params.RandomInfo.pClientRandom = rand;
- master_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH;
- master_params.RandomInfo.pServerRandom = rand;
- master_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH;
-
- params.data = (unsigned char *)&master_params;
- params.len = sizeof master_params;
-
- ms = PK11_DeriveWithFlags(pms, master_derive, &params, key_derive,
- CKA_DERIVE, 0, keyFlags);
- if (ms == NULL)
- return (SECFailure);
-
- rv = PK11_ExtractKeyValue(ms);
- *pcbp = (rv == SECSuccess);
- PK11_FreeSymKey(ms);
-
- return (rv);
-}
-#endif /* !NO_PKCS11_BYPASS */
-
-/* Check the key exchange algorithm for each cipher in the list to see if
- * a master secret key can be extracted. If the KEA will use keys from the
- * specified cert make sure the extract operation is attempted from the slot
- * where the private key resides.
- * If MS can be extracted for all ciphers, (*pcanbypass) is set to TRUE and
- * SECSuccess is returned. In all other cases but one (*pcanbypass) is
- * set to FALSE and SECFailure is returned.
- * In that last case Derive() has been called successfully but the MS is null,
- * CanBypass sets (*pcanbypass) to FALSE and returns SECSuccess indicating the
- * arguments were all valid but the slot cannot be bypassed.
- */
-
-/* XXX Add SSL_CBP_TLS1_1 and test it in protocolmask when setting isTLS. */
-
-SECStatus
-SSL_CanBypass(CERTCertificate *cert, SECKEYPrivateKey *srvPrivkey,
- PRUint32 protocolmask, PRUint16 *ciphersuites, int nsuites,
- PRBool *pcanbypass, void *pwArg)
-{
-#ifdef NO_PKCS11_BYPASS
- if (!pcanbypass) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- *pcanbypass = PR_FALSE;
- return SECSuccess;
-#else
- SECStatus rv = SECFailure;
- int i;
- PRUint16 suite;
- PK11SymKey *pms = NULL;
- SECKEYPublicKey *srvPubkey = NULL;
- KeyType privKeytype;
- PK11SlotInfo *slot = NULL;
- SECItem param;
- CK_VERSION version;
- CK_MECHANISM_TYPE mechanism_array[2];
- SECItem enc_pms = { siBuffer, NULL, 0 };
- PRBool isTLS = PR_FALSE;
- SSLCipherSuiteInfo csdef;
- PRBool testrsa = PR_FALSE;
- PRBool testecdh = PR_FALSE;
- PRBool testecdhe = PR_FALSE;
- SECKEYECParams ecParams = { siBuffer, NULL, 0 };
-
- if (!cert || !srvPrivkey || !ciphersuites || !pcanbypass) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
-
- srvPubkey = CERT_ExtractPublicKey(cert);
- if (!srvPubkey)
- return SECFailure;
-
- *pcanbypass = PR_TRUE;
-
- /* determine which KEAs to test */
- /* 0 (TLS_NULL_WITH_NULL_NULL) is used as a list terminator because
- * SSL3 and TLS specs forbid negotiating that cipher suite number.
- */
- for (i = 0; i < nsuites && (suite = *ciphersuites++) != 0; i++) {
- /* skip cipher suites NSS doesn't support */
- if (SSL_GetCipherSuiteInfo(suite, &csdef, sizeof(csdef)) != SECSuccess)
- continue;
- switch (csdef.keaType) {
- case ssl_kea_rsa:
- testrsa = PR_TRUE;
- break;
- case ssl_kea_ecdh:
- if (strcmp(csdef.keaTypeName, "ECDHE") == 0) /* ephemeral? */
- testecdhe = PR_TRUE;
- else
- testecdh = PR_TRUE;
- break;
- case ssl_kea_dh:
- /* this is actually DHE */
- default:
- continue;
- }
- }
-
- /* For each protocol try to derive and extract an MS.
- * Failure of function any function except MS extract means
- * continue with the next cipher test. Stop testing when the list is
- * exhausted or when the first MS extract--not derive--fails.
- */
- privKeytype = SECKEY_GetPrivateKeyType(srvPrivkey);
- protocolmask &= SSL_CBP_SSL3 | SSL_CBP_TLS1_0;
- while (protocolmask) {
- if (protocolmask & SSL_CBP_SSL3) {
- isTLS = PR_FALSE;
- protocolmask ^= SSL_CBP_SSL3;
- } else {
- isTLS = PR_TRUE;
- protocolmask ^= SSL_CBP_TLS1_0;
- }
-
- for (; privKeytype == rsaKey && testrsa;) {
- /* TLS_RSA */
- unsigned char rsaPmsBuf[SSL3_RSA_PMS_LENGTH];
- unsigned int outLen = 0;
- CK_MECHANISM_TYPE target;
- SECStatus irv;
-
- mechanism_array[0] = CKM_SSL3_PRE_MASTER_KEY_GEN;
- mechanism_array[1] = CKM_RSA_PKCS;
-
- slot = PK11_GetBestSlotMultiple(mechanism_array, 2, pwArg);
- if (slot == NULL) {
- PORT_SetError(SSL_ERROR_TOKEN_SLOT_NOT_FOUND);
- break;
- }
-
- /* Generate the pre-master secret ... (client side) */
- version.major = 3 /*MSB(clientHelloVersion)*/;
- version.minor = 0 /*LSB(clientHelloVersion)*/;
- param.data = (unsigned char *)&version;
- param.len = sizeof version;
- pms = PK11_KeyGen(slot, CKM_SSL3_PRE_MASTER_KEY_GEN, &param, 0, pwArg);
- PK11_FreeSlot(slot);
- if (!pms)
- break;
- /* now wrap it */
- enc_pms.len = SECKEY_PublicKeyStrength(srvPubkey);
- enc_pms.data = (unsigned char *)PORT_Alloc(enc_pms.len);
- if (enc_pms.data == NULL) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- break;
- }
- irv = PK11_PubWrapSymKey(CKM_RSA_PKCS, srvPubkey, pms, &enc_pms);
- if (irv != SECSuccess)
- break;
- PK11_FreeSymKey(pms);
- pms = NULL;
- /* now do the server side--check the triple bypass first */
- rv = PK11_PrivDecryptPKCS1(srvPrivkey, rsaPmsBuf, &outLen,
- sizeof rsaPmsBuf,
- (unsigned char *)enc_pms.data,
- enc_pms.len);
- /* if decrypt worked we're done with the RSA test */
- if (rv == SECSuccess) {
- *pcanbypass = PR_TRUE;
- break;
- }
- /* check for fallback to double bypass */
- target = isTLS ? CKM_TLS_MASTER_KEY_DERIVE
- : CKM_SSL3_MASTER_KEY_DERIVE;
- pms = PK11_PubUnwrapSymKey(srvPrivkey, &enc_pms,
- target, CKA_DERIVE, 0);
- rv = ssl_canExtractMS(pms, isTLS, PR_FALSE, pcanbypass);
- if (rv == SECSuccess && *pcanbypass == PR_FALSE)
- goto done;
- break;
- }
-
- /* Check for NULL to avoid double free.
- * SECItem_FreeItem sets data NULL in secitem.c#265
- */
- if (enc_pms.data != NULL) {
- SECITEM_FreeItem(&enc_pms, PR_FALSE);
- }
- for (; (privKeytype == ecKey && (testecdh || testecdhe)) ||
- (privKeytype == rsaKey && testecdhe);) {
- CK_MECHANISM_TYPE target;
- SECKEYPublicKey *keapub = NULL;
- SECKEYPrivateKey *keapriv;
- SECKEYPublicKey *cpub = NULL; /* client's ephemeral ECDH keys */
- SECKEYPrivateKey *cpriv = NULL;
- SECKEYECParams *pecParams = NULL;
-
- if (privKeytype == ecKey && testecdhe) {
- /* TLS_ECDHE_ECDSA */
- pecParams = &srvPubkey->u.ec.DEREncodedParams;
- } else if (privKeytype == rsaKey && testecdhe) {
- /* TLS_ECDHE_RSA */
- const sslNamedGroupDef *ecGroup;
- int serverKeyStrengthInBits;
- int signatureKeyStrength;
- int requiredECCbits;
-
- /* find a curve of equivalent strength to the RSA key's */
- requiredECCbits = PK11_GetPrivateModulusLen(srvPrivkey);
- if (requiredECCbits < 0)
- break;
- requiredECCbits *= BPB;
- serverKeyStrengthInBits = srvPubkey->u.rsa.modulus.len;
- if (srvPubkey->u.rsa.modulus.data[0] == 0) {
- serverKeyStrengthInBits--;
- }
- /* convert to strength in bits */
- serverKeyStrengthInBits *= BPB;
-
- signatureKeyStrength =
- SSL_RSASTRENGTH_TO_ECSTRENGTH(serverKeyStrengthInBits);
-
- if (requiredECCbits > signatureKeyStrength)
- requiredECCbits = signatureKeyStrength;
-
- ecGroup = ssl_GetECGroupWithStrength(NULL, requiredECCbits);
- rv = ssl_NamedGroup2ECParams(NULL, ecGroup, &ecParams);
- if (rv == SECFailure) {
- break;
- }
- pecParams = &ecParams;
- }
-
- if (testecdhe) {
- /* generate server's ephemeral keys */
- keapriv = SECKEY_CreateECPrivateKey(pecParams, &keapub, NULL);
- if (!keapriv || !keapub) {
- if (keapriv)
- SECKEY_DestroyPrivateKey(keapriv);
- if (keapub)
- SECKEY_DestroyPublicKey(keapub);
- PORT_SetError(SEC_ERROR_KEYGEN_FAIL);
- rv = SECFailure;
- goto done;
- }
- } else {
- /* TLS_ECDH_ECDSA */
- keapub = srvPubkey;
- keapriv = srvPrivkey;
- pecParams = &srvPubkey->u.ec.DEREncodedParams;
- }
-
- /* perform client side ops */
- /* generate a pair of ephemeral keys using server's parms */
- cpriv = SECKEY_CreateECPrivateKey(pecParams, &cpub, NULL);
- if (!cpriv || !cpub) {
- if (testecdhe) {
- SECKEY_DestroyPrivateKey(keapriv);
- SECKEY_DestroyPublicKey(keapub);
- }
- PORT_SetError(SEC_ERROR_KEYGEN_FAIL);
- rv = SECFailure;
- goto done;
- }
- /* now do the server side */
- /* determine the PMS using client's public value */
- target = isTLS ? CKM_TLS_MASTER_KEY_DERIVE_DH
- : CKM_SSL3_MASTER_KEY_DERIVE_DH;
- pms = PK11_PubDeriveWithKDF(keapriv, cpub, PR_FALSE, NULL, NULL,
- CKM_ECDH1_DERIVE,
- target,
- CKA_DERIVE, 0, CKD_NULL, NULL, NULL);
- rv = ssl_canExtractMS(pms, isTLS, PR_TRUE, pcanbypass);
- SECKEY_DestroyPrivateKey(cpriv);
- SECKEY_DestroyPublicKey(cpub);
- if (testecdhe) {
- SECKEY_DestroyPrivateKey(keapriv);
- SECKEY_DestroyPublicKey(keapub);
- }
- if (rv == SECSuccess && *pcanbypass == PR_FALSE)
- goto done;
- break;
- }
- /* Check for NULL to avoid double free. */
- if (ecParams.data != NULL) {
- PORT_Free(ecParams.data);
- ecParams.data = NULL;
- }
- if (pms)
- PK11_FreeSymKey(pms);
- }
-
- /* *pcanbypass has been set */
- rv = SECSuccess;
-
-done:
- if (pms)
- PK11_FreeSymKey(pms);
-
- /* Check for NULL to avoid double free.
- * SECItem_FreeItem sets data NULL in secitem.c#265
- */
- if (enc_pms.data != NULL) {
- SECITEM_FreeItem(&enc_pms, PR_FALSE);
- }
- if (ecParams.data != NULL) {
- PORT_Free(ecParams.data);
- ecParams.data = NULL;
- }
-
- if (srvPubkey) {
- SECKEY_DestroyPublicKey(srvPubkey);
- srvPubkey = NULL;
- }
-
- return rv;
-#endif /* NO_PKCS11_BYPASS */
-}
diff --git a/lib/ssl/manifest.mn b/lib/ssl/manifest.mn
index bde2de374..3c113cd28 100644
--- a/lib/ssl/manifest.mn
+++ b/lib/ssl/manifest.mn
@@ -18,7 +18,6 @@ MODULE = nss
MAPFILE = $(OBJDIR)/ssl.def
CSRCS = \
- derive.c \
dtlscon.c \
prelib.c \
ssl3con.c \
diff --git a/lib/ssl/ssl.h b/lib/ssl/ssl.h
index 5bbd0ffdf..5418a5c78 100644
--- a/lib/ssl/ssl.h
+++ b/lib/ssl/ssl.h
@@ -103,7 +103,7 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRFileDesc *model, PRFileDesc *fd);
#define SSL_ROLLBACK_DETECTION 14 /* for compatibility, default: on */
#define SSL_NO_STEP_DOWN 15 /* (unsupported, deprecated, off) */
-#define SSL_BYPASS_PKCS11 16 /* use PKCS#11 for pub key only */
+#define SSL_BYPASS_PKCS11 16 /* (unsupported, deprecated, off) */
#define SSL_NO_LOCKS 17 /* Don't use locks for protection */
#define SSL_ENABLE_SESSION_TICKETS 18 /* Enable TLS SessionTicket */
/* extension (off by default) */
@@ -1215,31 +1215,11 @@ SSL_IMPORT SECStatus SSL_ExportKeyingMaterial(PRFileDesc *fd,
*/
SSL_IMPORT CERTCertificate *SSL_LocalCertificate(PRFileDesc *fd);
-/* Test an SSL configuration to see if SSL_BYPASS_PKCS11 can be turned on.
-** Check the key exchange algorithm for each cipher in the list to see if
-** a master secret key can be extracted after being derived with the mechanism
-** required by the protocolmask argument. If the KEA will use keys from the
-** specified cert make sure the extract operation is attempted from the slot
-** where the private key resides.
-** If MS can be extracted for all ciphers, (*pcanbypass) is set to TRUE and
-** SECSuccess is returned. In all other cases but one (*pcanbypass) is
-** set to FALSE and SECFailure is returned.
-** In that last case Derive() has been called successfully but the MS is null,
-** CanBypass sets (*pcanbypass) to FALSE and returns SECSuccess indicating the
-** arguments were all valid but the slot cannot be bypassed.
-**
-** Note: A TRUE return code from CanBypass means "Your configuration will perform
-** NO WORSE with the bypass enabled than without"; it does NOT mean that every
-** cipher suite listed will work properly with the selected protocols.
-**
-** Caveat: If export cipher suites are included in the argument list Canbypass
-** will return FALSE.
-**/
-
-/* protocol mask bits */
-#define SSL_CBP_SSL3 0x0001 /* test SSL v3 mechanisms */
-#define SSL_CBP_TLS1_0 0x0002 /* test TLS v1.0 mechanisms */
+#define SSL_CBP_SSL3 0x0001 /* (deprecated) */
+#define SSL_CBP_TLS1_0 0x0002 /* (deprecated) */
+/* DEPRECATED: The PKCS#11 bypass has been removed.
+** This function will now always return false. */
SSL_IMPORT SECStatus SSL_CanBypass(CERTCertificate *cert,
SECKEYPrivateKey *privKey,
PRUint32 protocolmask,
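Review bot: The new deprecation comment says SSL_CanBypass "will now always return false", but the function returns a SECStatus and reports its answer through an out parameter, so the sentence does not say which of the two is meant. The declaration continues past the end of the hunk, so the out parameter's name is not visible here; presumably the stub sets it to PR_FALSE, and the comment should name that parameter and state what the SECStatus now means, e.g. `/* DEPRECATED: The PKCS#11 bypass has been removed. This function now always reports PR_FALSE through its output parameter (confirm what the stub returns as SECStatus). */`. The old block being removed documented both the out parameter and the return value; the replacement should keep that precision.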
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
index 83e582fed..d284eabbc 100644
--- a/lib/ssl/ssl3con.c
+++ b/lib/ssl/ssl3con.c
@@ -48,7 +48,7 @@ static void ssl3_CleanupPeerCerts(sslSocket *ss);
static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
PK11SlotInfo *serverKeySlot);
static SECStatus ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms);
-static SECStatus ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss);
+static SECStatus ssl3_DeriveConnectionKeys(sslSocket *ss);
static SECStatus ssl3_HandshakeFailure(sslSocket *ss);
static SECStatus ssl3_SendCertificateRequest(sslSocket *ss);
@@ -73,13 +73,6 @@ static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags);
static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen,
int maxOutputLen, const unsigned char *input,
int inputLen);
-#ifndef NO_PKCS11_BYPASS
-static SECStatus ssl3_AESGCMBypass(ssl3KeyMaterial *keys, PRBool doDecrypt,
- unsigned char *out, int *outlen, int maxout,
- const unsigned char *in, int inlen,
- const unsigned char *additionalData,
- int additionalDataLen);
-#endif
static CK_MECHANISM_TYPE ssl3_GetHashMechanismByHashType(SSLHashType hashType);
static CK_MECHANISM_TYPE ssl3_GetMgfMechanismByHashType(SSLHashType hash);
@@ -1314,60 +1307,34 @@ ssl3_VerifySignedHashes(sslSocket *ss, SignatureScheme scheme, SSL3Hashes *hash,
SECStatus
ssl3_ComputeCommonKeyHash(SSLHashType hashAlg,
PRUint8 *hashBuf, unsigned int bufLen,
- SSL3Hashes *hashes, PRBool bypassPKCS11)
+ SSL3Hashes *hashes)
{
SECStatus rv;
SECOidTag hashOID;
-#ifndef NO_PKCS11_BYPASS
- if (bypassPKCS11) {
- if (hashAlg == ssl_hash_none) {
- MD5_HashBuf(hashes->u.s.md5, hashBuf, bufLen);
- SHA1_HashBuf(hashes->u.s.sha, hashBuf, bufLen);
- hashes->len = MD5_LENGTH + SHA1_LENGTH;
- } else if (hashAlg == ssl_hash_sha1) {
- SHA1_HashBuf(hashes->u.raw, hashBuf, bufLen);
- hashes->len = SHA1_LENGTH;
- } else if (hashAlg == ssl_hash_sha256) {
- SHA256_HashBuf(hashes->u.raw, hashBuf, bufLen);
- hashes->len = SHA256_LENGTH;
- } else if (hashAlg == ssl_hash_sha384) {
- SHA384_HashBuf(hashes->u.raw, hashBuf, bufLen);
- hashes->len = SHA384_LENGTH;
- } else if (hashAlg == ssl_hash_sha512) {
- SHA512_HashBuf(hashes->u.raw, hashBuf, bufLen);
- hashes->len = SHA512_LENGTH;
- } else {
- PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
+ if (hashAlg == ssl_hash_none) {
+ rv = PK11_HashBuf(SEC_OID_MD5, hashes->u.s.md5, hashBuf, bufLen);
+ if (rv != SECSuccess) {
+ ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
+ return rv;
+ }
+ rv = PK11_HashBuf(SEC_OID_SHA1, hashes->u.s.sha, hashBuf, bufLen);
+ if (rv != SECSuccess) {
+ ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
+ return rv;
+ }
+ hashes->len = MD5_LENGTH + SHA1_LENGTH;
+ } else {
+ hashOID = ssl3_HashTypeToOID(hashAlg);
+ hashes->len = HASH_ResultLenByOidTag(hashOID);
+ if (hashes->len == 0 || hashes->len > sizeof(hashes->u.raw)) {
+ ssl_MapLowLevelError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
return SECFailure;
}
- } else
-#endif
- {
- if (hashAlg == ssl_hash_none) {
- rv = PK11_HashBuf(SEC_OID_MD5, hashes->u.s.md5, hashBuf, bufLen);
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
- return rv;
- }
- rv = PK11_HashBuf(SEC_OID_SHA1, hashes->u.s.sha, hashBuf, bufLen);
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
- return rv;
- }
- hashes->len = MD5_LENGTH + SHA1_LENGTH;
- } else {
- hashOID = ssl3_HashTypeToOID(hashAlg);
- hashes->len = HASH_ResultLenByOidTag(hashOID);
- if (hashes->len == 0 || hashes->len > sizeof(hashes->u.raw)) {
- ssl_MapLowLevelError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
- return SECFailure;
- }
- rv = PK11_HashBuf(hashOID, hashes->u.raw, hashBuf, bufLen);
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
- return rv;
- }
+ rv = PK11_HashBuf(hashOID, hashes->u.raw, hashBuf, bufLen);
+ if (rv != SECSuccess) {
+ ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
+ return rv;
}
}
hashes->hashAlg = hashAlg;
@@ -1425,8 +1392,7 @@ ssl3_ComputeDHKeyHash(sslSocket *ss, SSLHashType hashAlg, SSL3Hashes *hashes,
pBuf += dh_Ys.len;
PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen);
- rv = ssl3_ComputeCommonKeyHash(hashAlg, hashBuf, bufLen, hashes,
- ss->opt.bypassPKCS11);
+ rv = ssl3_ComputeCommonKeyHash(hashAlg, hashBuf, bufLen, hashes);
PRINT_BUF(95, (NULL, "DHkey hash: ", hashBuf, bufLen));
if (rv == SECSuccess) {
@@ -1472,12 +1438,13 @@ ssl3_CleanupKeyMaterial(ssl3KeyMaterial *mat)
void
ssl3_DestroyCipherSpec(ssl3CipherSpec *spec, PRBool freeSrvName)
{
- PRBool freeit = (PRBool)(!spec->bypassCiphers);
/* PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); Don't have ss! */
- if (spec->destroy) {
- spec->destroy(spec->encodeContext, freeit);
- spec->destroy(spec->decodeContext, freeit);
- spec->encodeContext = NULL; /* paranoia */
+ if (spec->encodeContext) {
+ PK11_DestroyContext(spec->encodeContext, PR_TRUE);
+ spec->encodeContext = NULL;
+ }
+ if (spec->decodeContext) {
+ PK11_DestroyContext(spec->decodeContext, PR_TRUE);
spec->decodeContext = NULL;
}
if (spec->destroyCompressContext && spec->compressContext) {
@@ -1496,8 +1463,6 @@ ssl3_DestroyCipherSpec(ssl3CipherSpec *spec, PRBool freeSrvName)
spec->msItem.len = 0;
ssl3_CleanupKeyMaterial(&spec->client);
ssl3_CleanupKeyMaterial(&spec->server);
- spec->bypassCiphers = PR_FALSE;
- spec->destroy = NULL;
spec->destroyCompressContext = NULL;
spec->destroyDecompressContext = NULL;
}
@@ -1728,181 +1693,6 @@ ssl3_InitCompressionContext(ssl3CipherSpec *pwSpec)
return SECSuccess;
}
-#ifndef NO_PKCS11_BYPASS
-/* Initialize encryption contexts for pending spec.
- * MAC contexts are set up when computing the mac, not here.
- * Master Secret already is derived in spec->msItem
- * Caller holds Spec write lock.
- */
-static SECStatus
-ssl3_InitPendingContextsBypass(sslSocket *ss)
-{
- ssl3CipherSpec *pwSpec;
- const ssl3BulkCipherDef *cipher_def;
- void *serverContext = NULL;
- void *clientContext = NULL;
- BLapiInitContextFunc initFn = (BLapiInitContextFunc)NULL;
- int mode = 0;
- unsigned int optArg1 = 0;
- unsigned int optArg2 = 0;
- PRBool server_encrypts = ss->sec.isServer;
- SSLCipherAlgorithm calg;
- SECStatus rv;
-
- PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
- PORT_Assert(ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
- PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
-
- pwSpec = ss->ssl3.pwSpec;
- cipher_def = pwSpec->cipher_def;
-
- calg = cipher_def->calg;
-
- if (calg == ssl_calg_aes_gcm) {
- pwSpec->encode = NULL;
- pwSpec->decode = NULL;
- pwSpec->destroy = NULL;
- pwSpec->encodeContext = NULL;
- pwSpec->decodeContext = NULL;
- pwSpec->aead = ssl3_AESGCMBypass;
- ssl3_InitCompressionContext(pwSpec);
- return SECSuccess;
- }
-
- serverContext = pwSpec->server.cipher_context;
- clientContext = pwSpec->client.cipher_context;
-
- switch (calg) {
- case ssl_calg_null:
- pwSpec->encode = Null_Cipher;
- pwSpec->decode = Null_Cipher;
- pwSpec->destroy = NULL;
- goto success;
-
- case ssl_calg_rc4:
- initFn = (BLapiInitContextFunc)RC4_InitContext;
- pwSpec->encode = (SSLCipher)RC4_Encrypt;
- pwSpec->decode = (SSLCipher)RC4_Decrypt;
- pwSpec->destroy = (SSLDestroy)RC4_DestroyContext;
- break;
- case ssl_calg_rc2:
- initFn = (BLapiInitContextFunc)RC2_InitContext;
- mode = NSS_RC2_CBC;
- optArg1 = cipher_def->key_size;
- pwSpec->encode = (SSLCipher)RC2_Encrypt;
- pwSpec->decode = (SSLCipher)RC2_Decrypt;
- pwSpec->destroy = (SSLDestroy)RC2_DestroyContext;
- break;
- case ssl_calg_des:
- initFn = (BLapiInitContextFunc)DES_InitContext;
- mode = NSS_DES_CBC;
- optArg1 = server_encrypts;
- pwSpec->encode = (SSLCipher)DES_Encrypt;
- pwSpec->decode = (SSLCipher)DES_Decrypt;
- pwSpec->destroy = (SSLDestroy)DES_DestroyContext;
- break;
- case ssl_calg_3des:
- initFn = (BLapiInitContextFunc)DES_InitContext;
- mode = NSS_DES_EDE3_CBC;
- optArg1 = server_encrypts;
- pwSpec->encode = (SSLCipher)DES_Encrypt;
- pwSpec->decode = (SSLCipher)DES_Decrypt;
- pwSpec->destroy = (SSLDestroy)DES_DestroyContext;
- break;
- case ssl_calg_aes:
- initFn = (BLapiInitContextFunc)AES_InitContext;
- mode = NSS_AES_CBC;
- optArg1 = server_encrypts;
- optArg2 = AES_BLOCK_SIZE;
- pwSpec->encode = (SSLCipher)AES_Encrypt;
- pwSpec->decode = (SSLCipher)AES_Decrypt;
- pwSpec->destroy = (SSLDestroy)AES_DestroyContext;
- break;
-
- case ssl_calg_camellia:
- initFn = (BLapiInitContextFunc)Camellia_InitContext;
- mode = NSS_CAMELLIA_CBC;
- optArg1 = server_encrypts;
- optArg2 = CAMELLIA_BLOCK_SIZE;
- pwSpec->encode = (SSLCipher)Camellia_Encrypt;
- pwSpec->decode = (SSLCipher)Camellia_Decrypt;
- pwSpec->destroy = (SSLDestroy)Camellia_DestroyContext;
- break;
-
- case ssl_calg_seed:
- initFn = (BLapiInitContextFunc)SEED_InitContext;
- mode = NSS_SEED_CBC;
- optArg1 = server_encrypts;
- optArg2 = SEED_BLOCK_SIZE;
- pwSpec->encode = (SSLCipher)SEED_Encrypt;
- pwSpec->decode = (SSLCipher)SEED_Decrypt;
- pwSpec->destroy = (SSLDestroy)SEED_DestroyContext;
- break;
-
- case ssl_calg_idea:
- case ssl_calg_fortezza:
- default:
- PORT_Assert(0);
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- goto bail_out;
- }
- rv = (*initFn)(serverContext,
- pwSpec->server.write_key_item.data,
- pwSpec->server.write_key_item.len,
- pwSpec->server.write_iv_item.data,
- mode, optArg1, optArg2);
- if (rv != SECSuccess) {
- PORT_Assert(0);
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- goto bail_out;
- }
-
- switch (calg) {
- case ssl_calg_des:
- case ssl_calg_3des:
- case ssl_calg_aes:
- case ssl_calg_camellia:
- case ssl_calg_seed:
- /* For block ciphers, if the server is encrypting, then the client
- * is decrypting, and vice versa.
- */
- optArg1 = !optArg1;
- break;
- /* kill warnings. */
- case ssl_calg_null:
- case ssl_calg_rc4:
- case ssl_calg_rc2:
- case ssl_calg_idea:
- case ssl_calg_fortezza:
- case ssl_calg_aes_gcm:
- case ssl_calg_chacha20:
- break;
- }
-
- rv = (*initFn)(clientContext,
- pwSpec->client.write_key_item.data,
- pwSpec->client.write_key_item.len,
- pwSpec->client.write_iv_item.data,
- mode, optArg1, optArg2);
- if (rv != SECSuccess) {
- PORT_Assert(0);
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- goto bail_out;
- }
-
- pwSpec->encodeContext = (ss->sec.isServer) ? serverContext : clientContext;
- pwSpec->decodeContext = (ss->sec.isServer) ? clientContext : serverContext;
-
- ssl3_InitCompressionContext(pwSpec);
-
-success:
- return SECSuccess;
-
-bail_out:
- return SECFailure;
-}
-#endif
-
/* This function should probably be moved to pk11wrap and be named
* PK11_ParamFromIVAndEffectiveKeyBits
*/
@@ -2043,80 +1833,6 @@ ssl3_AESGCM(ssl3KeyMaterial *keys,
return rv;
}
-#ifndef NO_PKCS11_BYPASS
-static SECStatus
-ssl3_AESGCMBypass(ssl3KeyMaterial *keys,
- PRBool doDecrypt,
- unsigned char *out,
- int *outlen,
- int maxout,
- const unsigned char *in,
- int inlen,
- const unsigned char *additionalData,
- int additionalDataLen)
-{
- SECStatus rv = SECFailure;
- unsigned char nonce[12];
- unsigned int uOutLen;
- AESContext *cx;
- CK_GCM_PARAMS gcmParams;
-
- const int tagSize = bulk_cipher_defs[cipher_aes_128_gcm].tag_size;
- const int explicitNonceLen =
- bulk_cipher_defs[cipher_aes_128_gcm].explicit_nonce_size;
-
- /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the
- * nonce is formed. */
- PORT_Assert(keys->write_iv_item.len == 4);
- if (keys->write_iv_item.len != 4) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- return SECFailure;
- }
- memcpy(nonce, keys->write_iv_item.data, 4);
- if (doDecrypt) {
- memcpy(nonce + 4, in, explicitNonceLen);
- in += explicitNonceLen;
- inlen -= explicitNonceLen;
- *outlen = 0;
- } else {
- if (maxout < explicitNonceLen) {
- PORT_SetError(SEC_ERROR_INPUT_LEN);
- return SECFailure;
- }
- /* Use the 64-bit sequence number as the explicit nonce. */
- memcpy(nonce + 4, additionalData, explicitNonceLen);
- memcpy(out, additionalData, explicitNonceLen);
- out += explicitNonceLen;
- maxout -= explicitNonceLen;
- *outlen = explicitNonceLen;
- }
-
- gcmParams.pIv = nonce;
- gcmParams.ulIvLen = sizeof(nonce);
- gcmParams.pAAD = (unsigned char *)additionalData; /* const cast */
- gcmParams.ulAADLen = additionalDataLen;
- gcmParams.ulTagBits = tagSize * 8;
-
- cx = (AESContext *)keys->cipher_context;
- rv = AES_InitContext(cx, keys->write_key_item.data,
- keys->write_key_item.len,
- (unsigned char *)&gcmParams, NSS_AES_GCM, !doDecrypt,
- AES_BLOCK_SIZE);
- if (rv != SECSuccess) {
- return rv;
- }
- if (doDecrypt) {
- rv = AES_Decrypt(cx, out, &uOutLen, maxout, in, inlen);
- } else {
- rv = AES_Encrypt(cx, out, &uOutLen, maxout, in, inlen);
- }
- AES_DestroyContext(cx, PR_FALSE);
- *outlen += (int)uOutLen;
-
- return rv;
-}
-#endif
-
static SECStatus
ssl3_ChaCha20Poly1305(ssl3KeyMaterial *keys, PRBool doDecrypt,
unsigned char *out, int *outlen, int maxout,
@@ -2171,7 +1887,7 @@ ssl3_ChaCha20Poly1305(ssl3KeyMaterial *keys, PRBool doDecrypt,
* Caller holds Spec write lock.
*/
static SECStatus
-ssl3_InitPendingContextsPKCS11(sslSocket *ss)
+ssl3_InitPendingContexts(sslSocket *ss)
{
ssl3CipherSpec *pwSpec;
const ssl3BulkCipherDef *cipher_def;
@@ -2202,7 +1918,6 @@ ssl3_InitPendingContextsPKCS11(sslSocket *ss)
if (cipher_def->type == type_aead) {
pwSpec->encode = NULL;
pwSpec->decode = NULL;
- pwSpec->destroy = NULL;
pwSpec->encodeContext = NULL;
pwSpec->decodeContext = NULL;
switch (calg) {
@@ -2249,7 +1964,6 @@ ssl3_InitPendingContextsPKCS11(sslSocket *ss)
if (calg == calg_null) {
pwSpec->encode = Null_Cipher;
pwSpec->decode = Null_Cipher;
- pwSpec->destroy = NULL;
return SECSuccess;
}
mechanism = ssl3_Alg2Mech(calg);
@@ -2303,7 +2017,6 @@ ssl3_InitPendingContextsPKCS11(sslSocket *ss)
}
pwSpec->encode = (SSLCipher)PK11_CipherOp;
pwSpec->decode = (SSLCipher)PK11_CipherOp;
- pwSpec->destroy = (SSLDestroy)PK11_DestroyContext;
pwSpec->encodeContext = (ss->sec.isServer) ? serverContext : clientContext;
pwSpec->decodeContext = (ss->sec.isServer) ? clientContext : serverContext;
@@ -2332,23 +2045,6 @@ fail:
return SECFailure;
}
-/* Returns whether we can bypass PKCS#11 for a given cipher algorithm.
- *
- * We do not support PKCS#11 bypass for ChaCha20/Poly1305.
- */
-#ifndef NO_PKCS11_BYPASS
-static PRBool
-ssl3_CanBypassCipher(SSLCipherAlgorithm calg)
-{
- switch (calg) {
- case calg_chacha20:
- return PR_FALSE;
- default:
- return PR_TRUE;
- }
-}
-#endif
-
HASH_HashType
ssl3_GetTls12HashType(sslSocket *ss)
{
@@ -2369,26 +2065,6 @@ ssl3_GetTls12HashType(sslSocket *ss)
return HASH_AlgSHA256;
}
-#ifndef NO_PKCS11_BYPASS
-typedef void (*hash_clone_func)(void *, void *);
-
-static hash_clone_func
-ssl3_GetTls12BypassHashCloneFunc(sslSocket *ss)
-{
- switch (ss->ssl3.hs.suite_def->prf_hash) {
- case ssl_hash_sha384:
- return (hash_clone_func)SHA384_Clone;
- case ssl_hash_sha256:
- case ssl_hash_none:
- /* ssl_hash_none is for pre-1.2 suites, which use SHA-256. */
- return (hash_clone_func)SHA256_Clone;
- default:
- PORT_Assert(0);
- }
- return (hash_clone_func)SHA256_Clone;
-}
-#endif
-
/* Complete the initialization of all keys, ciphers, MACs and their contexts
* for the pending Cipher Spec.
* Called from: ssl3_SendClientKeyExchange (for Full handshake)
@@ -2398,12 +2074,8 @@ ssl3_GetTls12BypassHashCloneFunc(sslSocket *ss)
* Sets error code, but caller probably should override to disambiguate.
* NULL pms means re-use old master_secret.
*
- * This code is common to the bypass and PKCS11 execution paths. For
- * the bypass case, pms is NULL. If the old master secret is reused,
- * pms is NULL and the master secret is already in either
- * pwSpec->msItem.len (the bypass case) or pwSpec->master_secret.
- *
- * For the bypass case, pms is NULL.
+ * If the old master secret is reused, pms is NULL and the master secret is
+ * already in pwSpec->master_secret.
*/
SECStatus
ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms)
@@ -2427,27 +2099,10 @@ ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms)
goto done; /* err code set by ssl3_DeriveMasterSecret */
}
}
-#ifndef NO_PKCS11_BYPASS
- if (ss->opt.bypassPKCS11 && pwSpec->msItem.len && pwSpec->msItem.data &&
- ssl3_CanBypassCipher(ss->ssl3.pwSpec->cipher_def->calg)) {
- /* Double Bypass succeeded in extracting the master_secret */
- PRBool isTLS = (PRBool)(pwSpec->version > SSL_LIBRARY_VERSION_3_0);
- HASH_HashType hashType = ssl3_GetTls12HashType(ss);
- pwSpec->bypassCiphers = PR_TRUE;
- rv = ssl3_KeyAndMacDeriveBypass(pwSpec,
- (const unsigned char *)&ss->ssl3.hs.client_random,
- (const unsigned char *)&ss->ssl3.hs.server_random,
- isTLS,
- hashType);
+ if (pwSpec->master_secret) {
+ rv = ssl3_DeriveConnectionKeys(ss);
if (rv == SECSuccess) {
- rv = ssl3_InitPendingContextsBypass(ss);
- }
- } else
-#endif
- if (pwSpec->master_secret) {
- rv = ssl3_DeriveConnectionKeysPKCS11(ss);
- if (rv == SECSuccess) {
- rv = ssl3_InitPendingContextsPKCS11(ss);
+ rv = ssl3_InitPendingContexts(ss);
}
} else {
PORT_Assert(pwSpec->master_secret);
@@ -2535,111 +2190,14 @@ ssl3_ComputeRecordMAC(
*outLength = 0;
return SECSuccess;
}
-#ifndef NO_PKCS11_BYPASS
- if (spec->bypassCiphers) {
- /* bypass version */
- const SECHashObject *hashObj = NULL;
- unsigned int pad_bytes = 0;
- PRUint64 write_mac_context[MAX_MAC_CONTEXT_LLONGS];
-
- switch (mac_def->mac) {
- case ssl_mac_null:
- *outLength = 0;
- return SECSuccess;
- case ssl_mac_md5:
- pad_bytes = 48;
- hashObj = HASH_GetRawHashObject(HASH_AlgMD5);
- break;
- case ssl_mac_sha:
- pad_bytes = 40;
- hashObj = HASH_GetRawHashObject(HASH_AlgSHA1);
- break;
- case ssl_hmac_md5: /* used with TLS */
- hashObj = HASH_GetRawHashObject(HASH_AlgMD5);
- break;
- case ssl_hmac_sha: /* used with TLS */
- hashObj = HASH_GetRawHashObject(HASH_AlgSHA1);
- break;
- case ssl_hmac_sha256: /* used with TLS */
- hashObj = HASH_GetRawHashObject(HASH_AlgSHA256);
- break;
- case ssl_hmac_sha384: /* used with TLS */
- hashObj = HASH_GetRawHashObject(HASH_AlgSHA384);
- break;
- default:
- break;
- }
- if (!hashObj) {
- PORT_Assert(0);
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- return SECFailure;
- }
-
- if (spec->version == SSL_LIBRARY_VERSION_3_0) {
- unsigned int tempLen;
- unsigned char temp[MAX_MAC_LENGTH];
-
- /* compute "inner" part of SSL3 MAC */
- hashObj->begin(write_mac_context);
- if (useServerMacKey)
- hashObj->update(write_mac_context,
- spec->server.write_mac_key_item.data,
- spec->server.write_mac_key_item.len);
- else
- hashObj->update(write_mac_context,
- spec->client.write_mac_key_item.data,
- spec->client.write_mac_key_item.len);
- hashObj->update(write_mac_context, mac_pad_1, pad_bytes);
- hashObj->update(write_mac_context, header, headerLen);
- hashObj->update(write_mac_context, input, inputLength);
- hashObj->end(write_mac_context, temp, &tempLen, sizeof temp);
-
- /* compute "outer" part of SSL3 MAC */
- hashObj->begin(write_mac_context);
- if (useServerMacKey)
- hashObj->update(write_mac_context,
- spec->server.write_mac_key_item.data,
- spec->server.write_mac_key_item.len);
- else
- hashObj->update(write_mac_context,
- spec->client.write_mac_key_item.data,
- spec->client.write_mac_key_item.len);
- hashObj->update(write_mac_context, mac_pad_2, pad_bytes);
- hashObj->update(write_mac_context, temp, tempLen);
- hashObj->end(write_mac_context, outbuf, outLength, spec->mac_size);
- rv = SECSuccess;
- } else { /* is TLS */
-#define cx ((HMACContext *)write_mac_context)
- if (useServerMacKey) {
- rv = HMAC_Init(cx, hashObj,
- spec->server.write_mac_key_item.data,
- spec->server.write_mac_key_item.len, PR_FALSE);
- } else {
- rv = HMAC_Init(cx, hashObj,
- spec->client.write_mac_key_item.data,
- spec->client.write_mac_key_item.len, PR_FALSE);
- }
- if (rv == SECSuccess) {
- HMAC_Begin(cx);
- HMAC_Update(cx, header, headerLen);
- HMAC_Update(cx, input, inputLength);
- rv = HMAC_Finish(cx, outbuf, outLength, spec->mac_size);
- HMAC_Destroy(cx, PR_FALSE);
- }
-#undef cx
- }
- } else
-#endif
- {
- PK11Context *mac_context =
- (useServerMacKey ? spec->server.write_mac_context
- : spec->client.write_mac_context);
- rv = PK11_DigestBegin(mac_context);
- rv |= PK11_DigestOp(mac_context, header, headerLen);
- rv |= PK11_DigestOp(mac_context, input, inputLength);
- rv |= PK11_DigestFinal(mac_context, outbuf, outLength, spec->mac_size);
- }
+ PK11Context *mac_context =
+ (useServerMacKey ? spec->server.write_mac_context
+ : spec->client.write_mac_context);
+ rv = PK11_DigestBegin(mac_context);
+ rv |= PK11_DigestOp(mac_context, header, headerLen);
+ rv |= PK11_DigestOp(mac_context, input, inputLength);
+ rv |= PK11_DigestFinal(mac_context, outbuf, outLength, spec->mac_size);
PORT_Assert(rv != SECSuccess || *outLength == (unsigned)spec->mac_size);
PRINT_BUF(95, (NULL, "frag hash2: result", outbuf, *outLength));
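Review bot: The `rv |= ...` chain that survives at the end of the hunk keeps calling PK11_DigestOp and PK11_DigestFinal on the context after PK11_DigestBegin has already failed, and the combined value only reads as failure because SECFailure happens to be encoded as all-ones; now that this is the only MAC path left in the function, a plain early-out chain is clearer and does not depend on the enum encoding. With the bypass branch gone this function appears to be reached only through the fallback in ssl3_ComputeRecordMACConstantTime when the token rejects the constant-time mechanism, so a one-line comment at the top of the function saying that it is the non-constant-time path would help the next reader. ssl3_ComputeRecordMAC starts before this hunk.
```c
    PK11Context *mac_context =
        (useServerMacKey ? spec->server.write_mac_context
                         : spec->client.write_mac_context);
    rv = PK11_DigestBegin(mac_context);
    if (rv == SECSuccess) {
        rv = PK11_DigestOp(mac_context, header, headerLen);
    }
    if (rv == SECSuccess) {
        rv = PK11_DigestOp(mac_context, input, inputLength);
    }
    if (rv == SECSuccess) {
        rv = PK11_DigestFinal(mac_context, outbuf, outLength, spec->mac_size);
    }
    /* … unchanged: PORT_Assert on *outLength and PRINT_BUF … */
```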
@@ -2678,12 +2236,6 @@ ssl3_ComputeRecordMACConstantTime(
PORT_Assert(inputLen >= spec->mac_size);
PORT_Assert(originalLen >= inputLen);
- if (spec->bypassCiphers) {
- /* This function doesn't support PKCS#11 bypass. We fallback on the
- * non-constant time version. */
- goto fallback;
- }
-
if (spec->mac_def->mac == mac_null) {
*outLen = 0;
return SECSuccess;
@@ -2719,7 +2271,12 @@ ssl3_ComputeRecordMACConstantTime(
rv = PK11_SignWithSymKey(key, macType, &param, &outputItem, &inputItem);
if (rv != SECSuccess) {
if (PORT_GetError() == SEC_ERROR_INVALID_ALGORITHM) {
- goto fallback;
+ /* ssl3_ComputeRecordMAC() expects the MAC to have been removed
+ * from the input length already. */
+ return ssl3_ComputeRecordMAC(spec, useServerMacKey,
+ header, headerLen,
+ input, inputLen - spec->mac_size,
+ outbuf, outLen);
}
*outLen = 0;
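Review bot: The inlined fallback at the new `return ssl3_ComputeRecordMAC(...)` silently degrades to the non-constant-time MAC computation whenever PK11_SignWithSymKey fails with SEC_ERROR_INVALID_ALGORITHM, and the comment carried over from the old `fallback:` label only explains the length adjustment, not that the timing protection this function exists for is lost on such tokens. Suggest extending it: `/* The token does not support the constant-time MAC mechanism; fall back to the plain (non-constant-time) path. ssl3_ComputeRecordMAC() expects the MAC to have been removed from the input length already. */`. The `inputLen - spec->mac_size` argument is covered by the PORT_Assert earlier in the function, which starts before this hunk.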
@@ -2732,13 +2289,6 @@ ssl3_ComputeRecordMACConstantTime(
*outLen = outputItem.len;
return rv;
-
-fallback:
- /* ssl3_ComputeRecordMAC expects the MAC to have been removed from the
- * length already. */
- inputLen -= spec->mac_size;
- return ssl3_ComputeRecordMAC(spec, useServerMacKey, header, headerLen,
- input, inputLen, outbuf, outLen);
}
static PRBool
@@ -4200,32 +3750,6 @@ ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms)
return rv;
}
-#ifndef NO_PKCS11_BYPASS
- if (ss->opt.bypassPKCS11) {
- SECItem *keydata;
- /* In hope of doing a "double bypass",
- * need to extract the master secret's value from the key object
- * and store it raw in the sslSocket struct.
- */
- rv = PK11_ExtractKeyValue(pwSpec->master_secret);
- if (rv != SECSuccess) {
- return rv;
- }
- /* This returns the address of the secItem inside the key struct,
- * not a copy or a reference. So, there's no need to free it.
- */
- keydata = PK11_GetKeyData(pwSpec->master_secret);
- if (keydata && keydata->len <= sizeof pwSpec->raw_master_secret) {
- memcpy(pwSpec->raw_master_secret, keydata->data, keydata->len);
- pwSpec->msItem.data = pwSpec->raw_master_secret;
- pwSpec->msItem.len = keydata->len;
- } else {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- return SECFailure;
- }
- }
-#endif
-
return SECSuccess;
}
@@ -4245,7 +3769,7 @@ ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms)
*
*/
static SECStatus
-ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss)
+ssl3_DeriveConnectionKeys(sslSocket *ss)
{
ssl3CipherSpec *pwSpec = ss->ssl3.pwSpec;
unsigned char *cr = (unsigned char *)&ss->ssl3.hs.client_random;
@@ -4253,7 +3777,6 @@ ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss)
PRBool isTLS = (PRBool)(pwSpec->version > SSL_LIBRARY_VERSION_3_0);
PRBool isTLS12 =
(PRBool)(isTLS && pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
- /* following variables used in PKCS11 path */
const ssl3BulkCipherDef *cipher_def = pwSpec->cipher_def;
PK11SlotInfo *slot = NULL;
PK11SymKey *symKey = NULL;
@@ -4390,38 +3913,7 @@ ssl3_InitHandshakeHashes(sslSocket *ss)
PORT_Assert(ss->ssl3.hs.hashType == handshake_hash_unknown);
if (ss->version == SSL_LIBRARY_VERSION_TLS_1_2) {
ss->ssl3.hs.hashType = handshake_hash_record;
- } else
-#ifndef NO_PKCS11_BYPASS
- if (ss->opt.bypassPKCS11) {
- PORT_Assert(!ss->ssl3.hs.sha_obj && !ss->ssl3.hs.sha_clone);
- if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) {
- const SECOidData *hashOid =
- SECOID_FindOIDByMechanism(ssl3_GetPrfHashMechanism(ss));
-
- if (hashOid == NULL) {
- PORT_Assert(hashOid == NULL);
- ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
- return SECFailure;
- }
-
- ss->ssl3.hs.sha_obj = HASH_GetRawHashObject(
- HASH_GetHashTypeByOidTag(hashOid->offset));
-
- if (!ss->ssl3.hs.sha_obj) {
- ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
- return SECFailure;
- }
- ss->ssl3.hs.sha_clone = ssl3_GetTls12BypassHashCloneFunc(ss);
- ss->ssl3.hs.hashType = handshake_hash_single;
- ss->ssl3.hs.sha_obj->begin(ss->ssl3.hs.sha_cx);
- } else {
- ss->ssl3.hs.hashType = handshake_hash_combo;
- MD5_Begin((MD5Context *)ss->ssl3.hs.md5_cx);
- SHA1_Begin((SHA1Context *)ss->ssl3.hs.sha_cx);
- }
- } else
-#endif
- {
+ } else {
PORT_Assert(!ss->ssl3.hs.md5 && !ss->ssl3.hs.sha);
/*
* note: We should probably lookup an SSL3 slot for these
@@ -4502,10 +3994,6 @@ ssl3_RestartHandshakeHashes(sslSocket *ss)
SSL_GETPID(), ss->fd));
ss->ssl3.hs.hashType = handshake_hash_unknown;
ss->ssl3.hs.messages.len = 0;
-#ifndef NO_PKCS11_BYPASS
- ss->ssl3.hs.sha_obj = NULL;
- ss->ssl3.hs.sha_clone = NULL;
-#endif
if (ss->ssl3.hs.md5) {
PK11_DestroyContext(ss->ssl3.hs.md5, PR_TRUE);
ss->ssl3.hs.md5 = NULL;
@@ -4552,18 +4040,6 @@ ssl3_UpdateHandshakeHashes(sslSocket *ss, const unsigned char *b, unsigned int l
PRINT_BUF(90, (NULL, "handshake hash input:", b, l));
-#ifndef NO_PKCS11_BYPASS
- if (ss->opt.bypassPKCS11) {
- if (ss->ssl3.hs.hashType == handshake_hash_single) {
- PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3);
- ss->ssl3.hs.sha_obj->update(ss->ssl3.hs.sha_cx, b, l);
- } else if (ss->ssl3.hs.hashType == handshake_hash_combo) {
- MD5_Update((MD5Context *)ss->ssl3.hs.md5_cx, b, l);
- SHA1_Update((SHA1Context *)ss->ssl3.hs.sha_cx, b, l);
- }
- return rv;
- }
-#endif
if (ss->ssl3.hs.hashType == handshake_hash_single) {
PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3);
rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l);
@@ -5109,35 +4585,9 @@ ssl_ConsumeSignatureScheme(sslSocket *ss, SSL3Opaque **b,
* end of Consume Handshake functions.
**************************************************************************/
-#ifndef NO_PKCS11_BYPASS
static SECStatus
-ssl3_ComputeBypassHandshakeHash(unsigned char *buf, unsigned int len,
- SSLHashType hashAlg, SSL3Hashes *hashes)
-{
- const SECHashObject *h_obj = NULL;
- PRUint64 h_cx[MAX_MAC_CONTEXT_LLONGS];
- const SECOidData *hashOid =
- SECOID_FindOIDByMechanism(ssl3_GetHashMechanismByHashType(hashAlg));
-
- if (hashOid) {
- h_obj = HASH_GetRawHashObject(HASH_GetHashTypeByOidTag(hashOid->offset));
- }
- if (!h_obj) {
- ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
- return SECFailure;
- }
- h_obj->begin(h_cx);
- h_obj->update(h_cx, buf, len);
- h_obj->end(h_cx, hashes->u.raw, &hashes->len, sizeof(hashes->u.raw));
- PRINT_BUF(60, (NULL, "HASH: result", hashes->u.raw, hashes->len));
- hashes->hashAlg = hashAlg;
- return SECSuccess;
-}
-#endif
-
-static SECStatus
-ssl3_ComputePkcs11HandshakeHash(unsigned char *buf, unsigned int len,
- SSLHashType hashAlg, SSL3Hashes *hashes)
+ssl3_ComputeHandshakeHash(unsigned char *buf, unsigned int len,
+ SSLHashType hashAlg, SSL3Hashes *hashes)
{
SECStatus rv = SECFailure;
PK11Context *hashContext = PK11_CreateDigestContext(
@@ -5190,115 +4640,7 @@ ssl3_ComputeHandshakeHashes(sslSocket *ss,
hashes->hashAlg = ssl_hash_none;
-#ifndef NO_PKCS11_BYPASS
- if (ss->opt.bypassPKCS11 &&
- ss->ssl3.hs.hashType == handshake_hash_single) {
- /* compute them without PKCS11 */
- PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS];
-
- ss->ssl3.hs.sha_clone(sha_cx, ss->ssl3.hs.sha_cx);
- ss->ssl3.hs.sha_obj->end(sha_cx, hashes->u.raw, &hashes->len,
- sizeof(hashes->u.raw));
-
- PRINT_BUF(60, (NULL, "HASH: result", hashes->u.raw, hashes->len));
-
- /* If we ever support ciphersuites where the PRF hash isn't SHA-256
- * then this will need to be updated. */
- hashes->hashAlg = ssl3_GetSuitePrfHash(ss);
- rv = SECSuccess;
- } else if (ss->opt.bypassPKCS11 &&
- ss->ssl3.hs.hashType == handshake_hash_record) {
- rv = ssl3_ComputeBypassHandshakeHash(ss->ssl3.hs.messages.buf,
- ss->ssl3.hs.messages.len,
- ssl3_GetSuitePrfHash(ss),
- hashes);
- } else if (ss->opt.bypassPKCS11) { /* TLS 1.1 or lower */
- /* compute them without PKCS11 */
- PRUint64 md5_cx[MAX_MAC_CONTEXT_LLONGS];
- PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS];
-
-#define md5cx ((MD5Context *)md5_cx)
-#define shacx ((SHA1Context *)sha_cx)
-
- MD5_Clone(md5cx, (MD5Context *)ss->ssl3.hs.md5_cx);
- SHA1_Clone(shacx, (SHA1Context *)ss->ssl3.hs.sha_cx);
-
- if (!isTLS) {
- /* compute hashes for SSL3. */
- unsigned char s[4];
-
- if (!spec->msItem.data) {
- PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
- return SECFailure;
- }
-
- s[0] = (unsigned char)(sender >> 24);
- s[1] = (unsigned char)(sender >> 16);
- s[2] = (unsigned char)(sender >> 8);
- s[3] = (unsigned char)sender;
-
- if (sender != 0) {
- MD5_Update(md5cx, s, 4);
- PRINT_BUF(95, (NULL, "MD5 inner: sender", s, 4));
- }
-
- PRINT_BUF(95, (NULL, "MD5 inner: MAC Pad 1", mac_pad_1,
- mac_defs[mac_md5].pad_size));
-
- MD5_Update(md5cx, spec->msItem.data, spec->msItem.len);
- MD5_Update(md5cx, mac_pad_1, mac_defs[mac_md5].pad_size);
- MD5_End(md5cx, md5_inner, &outLength, MD5_LENGTH);
-
- PRINT_BUF(95, (NULL, "MD5 inner: result", md5_inner, outLength));
-
- if (sender != 0) {
- SHA1_Update(shacx, s, 4);
- PRINT_BUF(95, (NULL, "SHA inner: sender", s, 4));
- }
-
- PRINT_BUF(95, (NULL, "SHA inner: MAC Pad 1", mac_pad_1,
- mac_defs[mac_sha].pad_size));
-
- SHA1_Update(shacx, spec->msItem.data, spec->msItem.len);
- SHA1_Update(shacx, mac_pad_1, mac_defs[mac_sha].pad_size);
- SHA1_End(shacx, sha_inner, &outLength, SHA1_LENGTH);
-
- PRINT_BUF(95, (NULL, "SHA inner: result", sha_inner, outLength));
- PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2,
- mac_defs[mac_md5].pad_size));
- PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH));
-
- MD5_Begin(md5cx);
- MD5_Update(md5cx, spec->msItem.data, spec->msItem.len);
- MD5_Update(md5cx, mac_pad_2, mac_defs[mac_md5].pad_size);
- MD5_Update(md5cx, md5_inner, MD5_LENGTH);
- }
- MD5_End(md5cx, hashes->u.s.md5, &outLength, MD5_LENGTH);
-
- PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->u.s.md5, MD5_LENGTH));
-
- if (!isTLS) {
- PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2,
- mac_defs[mac_sha].pad_size));
- PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH));
-
- SHA1_Begin(shacx);
- SHA1_Update(shacx, spec->msItem.data, spec->msItem.len);
- SHA1_Update(shacx, mac_pad_2, mac_defs[mac_sha].pad_size);
- SHA1_Update(shacx, sha_inner, SHA1_LENGTH);
- }
- SHA1_End(shacx, hashes->u.s.sha, &outLength, SHA1_LENGTH);
-
- PRINT_BUF(60, (NULL, "SHA outer: result", hashes->u.s.sha, SHA1_LENGTH));
-
- hashes->len = MD5_LENGTH + SHA1_LENGTH;
- rv = SECSuccess;
-#undef md5cx
-#undef shacx
- } else
-#endif
- if (ss->ssl3.hs.hashType == handshake_hash_single) {
- /* compute hashes with PKCS11 */
+ if (ss->ssl3.hs.hashType == handshake_hash_single) {
PK11Context *h;
unsigned int stateLen;
unsigned char stackBuf[1024];
@@ -5333,12 +4675,11 @@ ssl3_ComputeHandshakeHashes(sslSocket *ss,
}
}
} else if (ss->ssl3.hs.hashType == handshake_hash_record) {
- rv = ssl3_ComputePkcs11HandshakeHash(ss->ssl3.hs.messages.buf,
- ss->ssl3.hs.messages.len,
- ssl3_GetSuitePrfHash(ss),
- hashes);
+ rv = ssl3_ComputeHandshakeHash(ss->ssl3.hs.messages.buf,
+ ss->ssl3.hs.messages.len,
+ ssl3_GetSuitePrfHash(ss),
+ hashes);
} else {
- /* compute hashes with PKCS11 */
PK11Context *md5;
PK11Context *sha = NULL;
unsigned char *md5StateBuf = NULL;
@@ -5602,9 +4943,8 @@ ssl3_SendClientHello(sslSocket *ss, sslClientHelloType type)
if (sid) {
PRBool sidOK = PR_TRUE;
if (sid->u.ssl3.keys.msIsWrapped) {
- /* Session key was wrapped, which means it was using PKCS11, */
PK11SlotInfo *slot = NULL;
- if (sid->u.ssl3.masterValid && !ss->opt.bypassPKCS11) {
+ if (sid->u.ssl3.masterValid) {
slot = SECMOD_LookupSlot(sid->u.ssl3.masterModuleID,
sid->u.ssl3.masterSlotID);
}
@@ -6593,7 +5933,6 @@ hexEncode(char *out, const unsigned char *in, unsigned int length)
#endif
/* Called from ssl3_SendClientKeyExchange(). */
-/* Presently, this always uses PKCS11. There is no bypass for this. */
static SECStatus
ssl3_SendRSAClientKeyExchange(sslSocket *ss, SECKEYPublicKey *svrPubKey)
{
@@ -6731,7 +6070,6 @@ ssl_AppendPaddedDHKeyShare(sslSocket *ss, SECKEYPublicKey *pubKey,
}
/* Called from ssl3_SendClientKeyExchange(). */
-/* Presently, this always uses PKCS11. There is no bypass for this. */
static SECStatus
ssl3_SendDHClientKeyExchange(sslSocket *ss, SECKEYPublicKey *svrPubKey)
{
@@ -7041,18 +6379,9 @@ ssl3_SendCertificateVerify(sslSocket *ss, SECKEYPrivateKey *privKey)
}
if (ss->ssl3.hs.hashType == handshake_hash_record &&
hashAlg != ssl3_GetSuitePrfHash(ss)) {
-#ifndef NO_PKCS11_BYPASS
- if (ss->opt.bypassPKCS11) {
- rv = ssl3_ComputeBypassHandshakeHash(ss->ssl3.hs.messages.buf,
- ss->ssl3.hs.messages.len,
- hashAlg, &hashes);
- } else
-#endif
- {
- rv = ssl3_ComputePkcs11HandshakeHash(ss->ssl3.hs.messages.buf,
- ss->ssl3.hs.messages.len,
- hashAlg, &hashes);
- }
+ rv = ssl3_ComputeHandshakeHash(ss->ssl3.hs.messages.buf,
+ ss->ssl3.hs.messages.len,
+ hashAlg, &hashes);
if (rv != SECSuccess) {
ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
goto done;
@@ -7471,25 +6800,12 @@ ssl3_HandleServerHelloPart2(sslSocket *ss, const SECItem *sidBytes,
ss->sec.keaType = sid->keaType;
ss->sec.keaKeyBits = sid->keaKeyBits;
- /* 3 cases here:
- * a) key is wrapped (implies using PKCS11)
- * b) key is unwrapped, but we're still using PKCS11
- * c) key is unwrapped, and we're bypassing PKCS11.
- */
if (sid->u.ssl3.keys.msIsWrapped) {
PK11SlotInfo *slot;
PK11SymKey *wrapKey; /* wrapping key */
CK_FLAGS keyFlags = 0;
-#ifndef NO_PKCS11_BYPASS
- if (ss->opt.bypassPKCS11) {
- /* we cannot restart a non-bypass session in a
- ** bypass socket.
- */
- break;
- }
-#endif
- /* unwrap master secret with PKCS11 */
+ /* unwrap master secret */
slot = SECMOD_LookupSlot(sid->u.ssl3.masterModuleID,
sid->u.ssl3.masterSlotID);
if (slot == NULL) {
@@ -7524,17 +6840,7 @@ ssl3_HandleServerHelloPart2(sslSocket *ss, const SECItem *sidBytes,
if (pwSpec->master_secret == NULL) {
break; /* errorCode set just after call to UnwrapSymKey. */
}
-#ifndef NO_PKCS11_BYPASS
- } else if (ss->opt.bypassPKCS11) {
- /* MS is not wrapped */
- wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
- wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len;
- memcpy(pwSpec->raw_master_secret, wrappedMS.data, wrappedMS.len);
- pwSpec->msItem.data = pwSpec->raw_master_secret;
- pwSpec->msItem.len = wrappedMS.len;
-#endif
} else {
- /* We CAN restart a bypass session in a non-bypass socket. */
/* need to import the raw master secret to session object */
PK11SlotInfo *slot = PK11_GetInternalSlot();
wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
@@ -9391,14 +8697,6 @@ compression_found:
if (sid->u.ssl3.keys.msIsWrapped) {
PK11SymKey *wrapKey; /* wrapping key */
CK_FLAGS keyFlags = 0;
-#ifndef NO_PKCS11_BYPASS
- if (ss->opt.bypassPKCS11) {
- /* we cannot restart a non-bypass session in a
- ** bypass socket.
- */
- break;
- }
-#endif
wrapKey = ssl3_GetWrappingKey(ss, NULL, serverCert,
sid->u.ssl3.masterWrapMech,
@@ -9424,16 +8722,7 @@ compression_found:
if (pwSpec->master_secret == NULL) {
break; /* not an error */
}
-#ifndef NO_PKCS11_BYPASS
- } else if (ss->opt.bypassPKCS11) {
- wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
- wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len;
- memcpy(pwSpec->raw_master_secret, wrappedMS.data, wrappedMS.len);
- pwSpec->msItem.data = pwSpec->raw_master_secret;
- pwSpec->msItem.len = wrappedMS.len;
-#endif
} else {
- /* We CAN restart a bypass session in a non-bypass socket. */
/* need to import the raw master secret to session object */
PK11SlotInfo *slot;
wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
@@ -10327,15 +9616,14 @@ ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
goto alert_loser;
}
- if (ss->ssl3.hs.hashType != handshake_hash_record) {
- if (!hashes) {
- PORT_Assert(0);
- desc = internal_error;
- errCode = SEC_ERROR_LIBRARY_FAILURE;
- goto alert_loser;
- }
- hashesForVerify = hashes;
- } else {
+ if (!hashes) {
+ PORT_Assert(0);
+ desc = internal_error;
+ errCode = SEC_ERROR_LIBRARY_FAILURE;
+ goto alert_loser;
+ }
+
+ if (ss->ssl3.hs.hashType == handshake_hash_record) {
rv = ssl_ConsumeSignatureScheme(ss, &b, &length, &sigScheme);
if (rv != SECSuccess) {
goto loser; /* malformed or unsupported. */
@@ -10351,18 +9639,9 @@ ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
hashAlg = ssl_SignatureSchemeToHashType(sigScheme);
if (hashes->u.pointer_to_hash_input.data) {
-#ifndef NO_PKCS11_BYPASS
- if (ss->opt.bypassPKCS11 && hashes->u.pointer_to_hash_input.data) {
- rv = ssl3_ComputeBypassHandshakeHash(hashes->u.pointer_to_hash_input.data,
- hashes->u.pointer_to_hash_input.len,
- hashAlg, &localHashes);
- } else
-#endif
- {
- rv = ssl3_ComputePkcs11HandshakeHash(hashes->u.pointer_to_hash_input.data,
- hashes->u.pointer_to_hash_input.len,
- hashAlg, &localHashes);
- }
+ rv = ssl3_ComputeHandshakeHash(hashes->u.pointer_to_hash_input.data,
+ hashes->u.pointer_to_hash_input.len,
+ hashAlg, &localHashes);
} else {
rv = SECFailure;
}
@@ -10374,6 +9653,8 @@ ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
desc = decrypt_error;
goto alert_loser;
}
+ } else {
+ hashesForVerify = hashes;
}
rv = ssl3_ConsumeHandshakeVariable(ss, &signed_hash, 2, &b, &length);
@@ -10410,7 +9691,7 @@ loser:
* If the serverKeySlot parameter is non-null, this function will use
* that slot to do the job, otherwise it will find a slot.
*
- * Called from ssl3_DeriveConnectionKeysPKCS11() (above)
+ * Called from ssl3_DeriveConnectionKeys() (above)
* ssl3_SendRSAClientKeyExchange() (above)
* ssl3_HandleRSAClientKeyExchange() (below)
* Caller must hold the SpecWriteLock, the SSL3HandshakeLock
@@ -10497,17 +9778,11 @@ ssl3_HandleRSAClientKeyExchange(sslSocket *ss,
PRUint32 length,
sslKeyPair *serverKeyPair)
{
-#ifndef NO_PKCS11_BYPASS
- unsigned char *cr = (unsigned char *)&ss->ssl3.hs.client_random;
- unsigned char *sr = (unsigned char *)&ss->ssl3.hs.server_random;
- ssl3CipherSpec *pwSpec = ss->ssl3.pwSpec;
- unsigned int outLen = 0;
- PRBool isTLS = PR_FALSE;
- SECItem pmsItem = { siBuffer, NULL, 0 };
- unsigned char rsaPmsBuf[SSL3_RSA_PMS_LENGTH];
-#endif
SECStatus rv;
SECItem enc_pms;
+ PK11SymKey *tmpPms[2] = { NULL, NULL };
+ PK11SlotInfo *slot;
+ int useFauxPms = 0;
PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss));
PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
@@ -10515,10 +9790,6 @@ ssl3_HandleRSAClientKeyExchange(sslSocket *ss,
enc_pms.data = b;
enc_pms.len = length;
-#ifndef NO_PKCS11_BYPASS
- pmsItem.data = rsaPmsBuf;
- pmsItem.len = sizeof rsaPmsBuf;
-#endif
if (ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */
PRInt32 kLen;
@@ -10530,149 +9801,91 @@ ssl3_HandleRSAClientKeyExchange(sslSocket *ss,
if ((unsigned)kLen < enc_pms.len) {
enc_pms.len = kLen;
}
-#ifndef NO_PKCS11_BYPASS
- isTLS = PR_TRUE;
-#endif
}
-#ifndef NO_PKCS11_BYPASS
- if (ss->opt.bypassPKCS11) {
- /* We have not implemented a tls_ExtendedMasterKeyDeriveBypass
- * and will not negotiate this extension in bypass mode. This
- * assert just double-checks that.
- */
- PORT_Assert(
- !ssl3_ExtensionNegotiated(ss, ssl_extended_master_secret_xtn));
-
- /* TRIPLE BYPASS, get PMS directly from RSA decryption.
- * Use PK11_PrivDecryptPKCS1 to decrypt the PMS to a buffer,
- * then, check for version rollback attack, then
- * do the equivalent of ssl3_DeriveMasterSecret, placing the MS in
- * pwSpec->msItem. Finally call ssl3_InitPendingCipherSpec with
- * ss and NULL, so that it will use the MS we've already derived here.
- */
-
- rv = PK11_PrivDecryptPKCS1(serverKeyPair->privKey, rsaPmsBuf, &outLen,
- sizeof rsaPmsBuf, enc_pms.data, enc_pms.len);
- if (rv != SECSuccess) {
- /* triple bypass failed. Let's try for a double bypass. */
- goto double_bypass;
- } else if (ss->opt.detectRollBack) {
- SSL3ProtocolVersion client_version =
- (rsaPmsBuf[0] << 8) | rsaPmsBuf[1];
-
- if (IS_DTLS(ss)) {
- client_version = dtls_DTLSVersionToTLSVersion(client_version);
- }
-
- if (client_version != ss->clientHelloVersion) {
- /* Version roll-back detected. ensure failure. */
- rv = PK11_GenerateRandom(rsaPmsBuf, sizeof rsaPmsBuf);
- }
- }
- /* have PMS, build MS without PKCS11 */
- rv = ssl3_MasterSecretDeriveBypass(pwSpec, cr, sr, &pmsItem, isTLS,
- ssl3_GetTls12HashType(ss), PR_TRUE);
- if (rv != SECSuccess) {
- pwSpec->msItem.data = pwSpec->raw_master_secret;
- pwSpec->msItem.len = SSL3_MASTER_SECRET_LENGTH;
- PK11_GenerateRandom(pwSpec->msItem.data, pwSpec->msItem.len);
- }
- rv = ssl3_InitPendingCipherSpec(ss, NULL);
- } else
-#endif
- {
- PK11SymKey *tmpPms[2] = { NULL, NULL };
- PK11SlotInfo *slot;
- int useFauxPms = 0;
#define currentPms tmpPms[!useFauxPms]
#define unusedPms tmpPms[useFauxPms]
#define realPms tmpPms[1]
#define fauxPms tmpPms[0]
-#ifndef NO_PKCS11_BYPASS
- double_bypass:
-#endif
+ /*
+ * Get as close to algorithm 2 from RFC 5246; Section 7.4.7.1
+ * as we can within the constraints of the PKCS#11 interface.
+ *
+ * 1. Unconditionally generate a bogus PMS (what RFC 5246
+ * calls R).
+ * 2. Attempt the RSA decryption to recover the PMS (what
+ * RFC 5246 calls M).
+ * 3. Set PMS = (M == NULL) ? R : M
+ * 4. Use ssl3_ComputeMasterSecret(PMS) to attempt to derive
+ * the MS from PMS. This includes performing the version
+ * check and length check.
+ * 5. If either the initial RSA decryption failed or
+ * ssl3_ComputeMasterSecret(PMS) failed, then discard
+ * M and set PMS = R. Else, discard R and set PMS = M.
+ *
+ * We do two derivations here because we can't rely on having
+ * a function that only performs the PMS version and length
+ * check. The only redundant cost is that this runs the PRF,
+ * which isn't necessary here.
+ */
- /*
- * Get as close to algorithm 2 from RFC 5246; Section 7.4.7.1
- * as we can within the constraints of the PKCS#11 interface.
- *
- * 1. Unconditionally generate a bogus PMS (what RFC 5246
- * calls R).
- * 2. Attempt the RSA decryption to recover the PMS (what
- * RFC 5246 calls M).
- * 3. Set PMS = (M == NULL) ? R : M
- * 4. Use ssl3_ComputeMasterSecret(PMS) to attempt to derive
- * the MS from PMS. This includes performing the version
- * check and length check.
- * 5. If either the initial RSA decryption failed or
- * ssl3_ComputeMasterSecret(PMS) failed, then discard
- * M and set PMS = R. Else, discard R and set PMS = M.
- *
- * We do two derivations here because we can't rely on having
- * a function that only performs the PMS version and length
- * check. The only redundant cost is that this runs the PRF,
- * which isn't necessary here.
- */
+ /* Generate the bogus PMS (R) */
+ slot = PK11_GetSlotFromPrivateKey(serverKeyPair->privKey);
+ if (!slot) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
- /* Generate the bogus PMS (R) */
- slot = PK11_GetSlotFromPrivateKey(serverKeyPair->privKey);
+ if (!PK11_DoesMechanism(slot, CKM_SSL3_MASTER_KEY_DERIVE)) {
+ PK11_FreeSlot(slot);
+ slot = PK11_GetBestSlot(CKM_SSL3_MASTER_KEY_DERIVE, NULL);
if (!slot) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
+ }
- if (!PK11_DoesMechanism(slot, CKM_SSL3_MASTER_KEY_DERIVE)) {
- PK11_FreeSlot(slot);
- slot = PK11_GetBestSlot(CKM_SSL3_MASTER_KEY_DERIVE, NULL);
- if (!slot) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- return SECFailure;
- }
- }
-
- ssl_GetSpecWriteLock(ss);
- fauxPms = ssl3_GenerateRSAPMS(ss, ss->ssl3.prSpec, slot);
- ssl_ReleaseSpecWriteLock(ss);
- PK11_FreeSlot(slot);
-
- if (fauxPms == NULL) {
- ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
- return SECFailure;
- }
+ ssl_GetSpecWriteLock(ss);
+ fauxPms = ssl3_GenerateRSAPMS(ss, ss->ssl3.prSpec, slot);
+ ssl_ReleaseSpecWriteLock(ss);
+ PK11_FreeSlot(slot);
- /*
- * unwrap pms out of the incoming buffer
- * Note: CKM_SSL3_MASTER_KEY_DERIVE is NOT the mechanism used to do
- * the unwrap. Rather, it is the mechanism with which the
- * unwrapped pms will be used.
- */
- realPms = PK11_PubUnwrapSymKey(serverKeyPair->privKey, &enc_pms,
- CKM_SSL3_MASTER_KEY_DERIVE, CKA_DERIVE, 0);
- /* Temporarily use the PMS if unwrapping the real PMS fails. */
- useFauxPms |= (realPms == NULL);
+ if (fauxPms == NULL) {
+ ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+ return SECFailure;
+ }
- /* Attempt to derive the MS from the PMS. This is the only way to
- * check the version field in the RSA PMS. If this fails, we
- * then use the faux PMS in place of the PMS. Note that this
- * operation should never fail if we are using the faux PMS
- * since it is correctly formatted. */
- rv = ssl3_ComputeMasterSecret(ss, currentPms, NULL);
+ /*
+ * unwrap pms out of the incoming buffer
+ * Note: CKM_SSL3_MASTER_KEY_DERIVE is NOT the mechanism used to do
+ * the unwrap. Rather, it is the mechanism with which the
+ * unwrapped pms will be used.
+ */
+ realPms = PK11_PubUnwrapSymKey(serverKeyPair->privKey, &enc_pms,
+ CKM_SSL3_MASTER_KEY_DERIVE, CKA_DERIVE, 0);
+ /* Temporarily use the PMS if unwrapping the real PMS fails. */
+ useFauxPms |= (realPms == NULL);
- /* If we succeeded, then select the true PMS and discard the
- * FPMS. Else, select the FPMS and select the true PMS */
- useFauxPms |= (rv != SECSuccess);
+ /* Attempt to derive the MS from the PMS. This is the only way to
+ * check the version field in the RSA PMS. If this fails, we
+ * then use the faux PMS in place of the PMS. Note that this
+ * operation should never fail if we are using the faux PMS
+ * since it is correctly formatted. */
+ rv = ssl3_ComputeMasterSecret(ss, currentPms, NULL);
- if (unusedPms) {
- PK11_FreeSymKey(unusedPms);
- }
+ /* If we succeeded, then select the true PMS and discard the
+ * FPMS. Else, select the FPMS and select the true PMS */
+ useFauxPms |= (rv != SECSuccess);
- /* This step will derive the MS from the PMS, among other things. */
- rv = ssl3_InitPendingCipherSpec(ss, currentPms);
- PK11_FreeSymKey(currentPms);
+ if (unusedPms) {
+ PK11_FreeSymKey(unusedPms);
}
+ /* This step will derive the MS from the PMS, among other things. */
+ rv = ssl3_InitPendingCipherSpec(ss, currentPms);
+ PK11_FreeSymKey(currentPms);
+
if (rv != SECSuccess) {
(void)SSL3_SendAlert(ss, alert_fatal, handshake_failure);
return SECFailure; /* error code set by ssl3_InitPendingCipherSpec */
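Review bot: The `#define currentPms`/`unusedPms`/`realPms`/`fauxPms` macros near the top of this hunk now live at function scope, because the block that used to enclose them was removed, and no matching `#undef` is visible in the hunk; ssl3_HandleRSAClientKeyExchange continues past the hunk, so if the `#undef`s went out with the braces they should be restored after the last use. Relatedly, `int useFauxPms` is used directly as an array index through those macros and stays within {0,1} only because both updates are `|=` of a comparison, which deserves a one-line comment at its declaration such as `/* only ever |='d with a boolean, so always 0 or 1 and safe as an index into tmpPms */`.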
@@ -11698,7 +10911,7 @@ ssl3_ComputeTLSFinished(sslSocket *ss, ssl3CipherSpec *spec,
PK11Context *prf_context;
unsigned int retLen;
- if (!spec->master_secret || spec->bypassCiphers) {
+ if (!spec->master_secret) {
const char *label = isServer ? "server finished" : "client finished";
unsigned int len = 15;
HASH_HashType hashType = ssl3_GetTls12HashType(ss);
@@ -11743,7 +10956,7 @@ ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec, const char *label,
{
SECStatus rv = SECSuccess;
- if (spec->master_secret && !spec->bypassCiphers) {
+ if (spec->master_secret) {
SECItem param = { siBuffer, NULL, 0 };
CK_MECHANISM_TYPE mech = CKM_TLS_PRF_GENERAL;
PK11Context *prf_context;
@@ -11765,28 +10978,9 @@ ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec, const char *label,
PK11_DestroyContext(prf_context, PR_TRUE);
} else {
-/* bypass PKCS11 */
-#ifdef NO_PKCS11_BYPASS
PORT_Assert(spec->master_secret);
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
rv = SECFailure;
-#else
- SECItem inData = { siBuffer };
- SECItem outData = { siBuffer };
- PRBool isFIPS = PR_FALSE;
-
- inData.data = (unsigned char *)val;
- inData.len = valLen;
- outData.data = out;
- outData.len = outLen;
- if (spec->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
- rv = TLS_P_hash(tls12HashType, &spec->msItem, label, &inData,
- &outData, isFIPS);
- } else {
- rv = TLS_PRF(&spec->msItem, label, &inData, &outData, isFIPS);
- }
- PORT_Assert(rv != SECSuccess || outData.len == outLen);
-#endif
}
return rv;
}
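Review bot: The `PORT_Assert(spec->master_secret)` kept in the `else` branch at the top of this hunk can only be reached when `spec->master_secret` is NULL (it is the else of `if (spec->master_secret)` in the preceding hunk), so it reads like a real check but always fires; now that the software PRF it used to guard is gone, `PORT_Assert(0); /* no software PRF fallback: master_secret must be set */` states the intent directly. The enclosing ssl3_TLSPRFWithMasterSecret starts before this hunk.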
@@ -13455,14 +12649,12 @@ ssl3_InitCipherSpec(ssl3CipherSpec *spec)
PORT_Assert(spec->mac_def->mac == mac_null);
spec->encode = Null_Cipher;
spec->decode = Null_Cipher;
- spec->destroy = NULL;
spec->compressor = NULL;
spec->decompressor = NULL;
spec->destroyCompressContext = NULL;
spec->destroyDecompressContext = NULL;
spec->mac_size = 0;
spec->master_secret = NULL;
- spec->bypassCiphers = PR_FALSE;
spec->msItem.data = NULL;
spec->msItem.len = 0;
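Review bot: `spec->msItem.data`/`len` are still cleared here, yet every use of `msItem` visible in this commit was in removed bypass code (the software PRF in ssl3_TLSPRFWithMasterSecret, the MD5/SHA handshake hash, and the raw-master-secret resume paths in ssl3_HandleServerHelloPart2 and the server-side resume); if no PKCS#11 path still reads it, the field and this initialisation are dead and can follow `bypassCiphers` out, and likewise `raw_master_secret`. Conversely, dropping `spec->destroy = NULL` is only safe if the `destroy` member was also removed from `ssl3CipherSpec` in sslimpl.h (changed by this commit but not shown here); otherwise it is now left uninitialised. ssl3_InitCipherSpec starts before this hunk.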
@@ -13813,17 +13005,7 @@ ssl3_DestroySSL3Info(sslSocket *ss)
ss->ssl3.clientCertChain = NULL;
}
-/* clean up handshake */
-#ifndef NO_PKCS11_BYPASS
- if (ss->opt.bypassPKCS11) {
- if (ss->ssl3.hs.hashType == handshake_hash_combo) {
- SHA1_DestroyContext((SHA1Context *)ss->ssl3.hs.sha_cx, PR_FALSE);
- MD5_DestroyContext((MD5Context *)ss->ssl3.hs.md5_cx, PR_FALSE);
- } else if (ss->ssl3.hs.hashType == handshake_hash_single) {
- ss->ssl3.hs.sha_obj->destroy(ss->ssl3.hs.sha_cx, PR_FALSE);
- }
- }
-#endif
+ /* clean up handshake */
if (ss->ssl3.hs.md5) {
PK11_DestroyContext(ss->ssl3.hs.md5, PR_TRUE);
}
diff --git a/lib/ssl/ssl3ecc.c b/lib/ssl/ssl3ecc.c
index 974e69fae..373f4978c 100644
--- a/lib/ssl/ssl3ecc.c
+++ b/lib/ssl/ssl3ecc.c
@@ -118,7 +118,7 @@ static SECStatus
ssl3_ComputeECDHKeyHash(SSLHashType hashAlg,
SECItem ec_params, SECItem server_ecpoint,
SSL3Random *client_rand, SSL3Random *server_rand,
- SSL3Hashes *hashes, PRBool bypassPKCS11)
+ SSL3Hashes *hashes)
{
PRUint8 *hashBuf;
PRUint8 *pBuf;
@@ -153,8 +153,7 @@ ssl3_ComputeECDHKeyHash(SSLHashType hashAlg,
pBuf += server_ecpoint.len;
PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen);
- rv = ssl3_ComputeCommonKeyHash(hashAlg, hashBuf, bufLen, hashes,
- bypassPKCS11);
+ rv = ssl3_ComputeCommonKeyHash(hashAlg, hashBuf, bufLen, hashes);
PRINT_BUF(95, (NULL, "ECDHkey hash: ", hashBuf, bufLen));
PRINT_BUF(95, (NULL, "ECDHkey hash: MD5 result",
@@ -408,19 +407,16 @@ ssl_GetECGroupWithStrength(sslSocket *ss, unsigned int requiredECCbits)
{
int i;
+ PORT_Assert(ss);
+
for (i = 0; i < SSL_NAMED_GROUP_COUNT; ++i) {
- const sslNamedGroupDef *group;
- if (ss) {
- group = ss->namedGroupPreferences[i];
- } else {
- group = &ssl_named_groups[i];
- }
- if (!group || group->keaType != ssl_kea_ecdh ||
- group->bits < requiredECCbits) {
- continue;
+ const sslNamedGroupDef *group = ss->namedGroupPreferences[i];
+ if (group && group->keaType == ssl_kea_ecdh &&
+ group->bits >= requiredECCbits) {
+ return group;
}
- return group;
}
+
PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
return NULL;
}
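Review bot: `ssl_GetECGroupWithStrength` previously accepted a NULL `ss` and fell back to `ssl_named_groups`; the new code replaces that with `PORT_Assert(ss)`, which is compiled out in release builds, so a caller still passing NULL would now dereference NULL at `ss->namedGroupPreferences[i]`. If every caller is known to hold a socket this is fine, but that should be confirmed rather than assumed; otherwise keep a runtime guard, e.g. `if (!ss) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return NULL; }`.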
@@ -607,7 +603,7 @@ ssl3_HandleECDHServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
rv = ssl3_ComputeECDHKeyHash(hashAlg, ec_params, ec_point,
&ss->ssl3.hs.client_random,
&ss->ssl3.hs.server_random,
- &hashes, ss->opt.bypassPKCS11);
+ &hashes);
if (rv != SECSuccess) {
errCode =
@@ -721,7 +717,7 @@ ssl3_SendECDHServerKeyExchange(sslSocket *ss)
pubKey->u.ec.publicValue,
&ss->ssl3.hs.client_random,
&ss->ssl3.hs.server_random,
- &hashes, ss->opt.bypassPKCS11);
+ &hashes);
if (rv != SECSuccess) {
ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
goto loser;
diff --git a/lib/ssl/ssl3ext.c b/lib/ssl/ssl3ext.c
index 8238545fa..6aed0dccc 100644
--- a/lib/ssl/ssl3ext.c
+++ b/lib/ssl/ssl3ext.c
@@ -14,23 +14,13 @@
#include "sslproto.h"
#include "sslimpl.h"
#include "pk11pub.h"
-#ifdef NO_PKCS11_BYPASS
#include "blapit.h"
-#else
-#include "blapi.h"
-#endif
#include "prinit.h"
static unsigned char key_name[SESS_TICKET_KEY_NAME_LEN];
-static PK11SymKey *session_ticket_enc_key_pkcs11 = NULL;
-static PK11SymKey *session_ticket_mac_key_pkcs11 = NULL;
+static PK11SymKey *session_ticket_enc_key = NULL;
+static PK11SymKey *session_ticket_mac_key = NULL;
-#ifndef NO_PKCS11_BYPASS
-static unsigned char session_ticket_enc_key[AES_256_KEY_LENGTH];
-static unsigned char session_ticket_mac_key[SHA256_LENGTH];
-
-static PRBool session_ticket_keys_initialized = PR_FALSE;
-#endif
static PRCallOnceType generate_session_keys_once;
/* forward static function declarations */
@@ -40,13 +30,8 @@ static SECStatus ssl3_AppendToItem(SECItem *item, const unsigned char *buf,
PRUint32 bytes);
static SECStatus ssl3_AppendNumberToItem(SECItem *item, PRUint32 num,
PRInt32 lenSize);
-static SECStatus ssl3_GetSessionTicketKeysPKCS11(sslSocket *ss,
- PK11SymKey **aes_key, PK11SymKey **mac_key);
-#ifndef NO_PKCS11_BYPASS
-static SECStatus ssl3_GetSessionTicketKeys(const unsigned char **aes_key,
- PRUint32 *aes_key_length, const unsigned char **mac_key,
- PRUint32 *mac_key_length);
-#endif
+static SECStatus ssl3_GetSessionTicketKeys(sslSocket *ss,
+ PK11SymKey **aes_key, PK11SymKey **mac_key);
static PRInt32 ssl3_SendRenegotiationInfoXtn(sslSocket *ss,
PRBool append, PRUint32 maxBytes);
static SECStatus ssl3_HandleRenegotiationInfoXtn(sslSocket *ss,
@@ -185,13 +170,13 @@ ssl3_AppendNumberToItem(SECItem *item, PRUint32 num, PRInt32 lenSize)
SECStatus
ssl3_SessionTicketShutdown(void *appData, void *nssData)
{
- if (session_ticket_enc_key_pkcs11) {
- PK11_FreeSymKey(session_ticket_enc_key_pkcs11);
- session_ticket_enc_key_pkcs11 = NULL;
+ if (session_ticket_enc_key) {
+ PK11_FreeSymKey(session_ticket_enc_key);
+ session_ticket_enc_key = NULL;
}
- if (session_ticket_mac_key_pkcs11) {
- PK11_FreeSymKey(session_ticket_mac_key_pkcs11);
- session_ticket_mac_key_pkcs11 = NULL;
+ if (session_ticket_mac_key) {
+ PK11_FreeSymKey(session_ticket_mac_key);
+ session_ticket_mac_key = NULL;
}
PORT_Memset(&generate_session_keys_once, 0,
sizeof(generate_session_keys_once));
@@ -199,7 +184,7 @@ ssl3_SessionTicketShutdown(void *appData, void *nssData)
}
static PRStatus
-ssl3_GenerateSessionTicketKeysPKCS11(void *data)
+ssl3_GenerateSessionTicketKeys(void *data)
{
SECStatus rv;
sslSocket *ss = (sslSocket *)data;
@@ -225,9 +210,9 @@ ssl3_GenerateSessionTicketKeysPKCS11(void *data)
/* Get a copy of the session keys from shared memory. */
PORT_Memcpy(key_name, SESS_TICKET_KEY_NAME_PREFIX,
sizeof(SESS_TICKET_KEY_NAME_PREFIX));
- if (!ssl_GetSessionTicketKeysPKCS11(svrPrivKey, svrPubKey,
- ss->pkcs11PinArg, &key_name[SESS_TICKET_KEY_NAME_PREFIX_LEN],
- &session_ticket_enc_key_pkcs11, &session_ticket_mac_key_pkcs11))
+ if (!ssl_GetSessionTicketKeys(svrPrivKey, svrPubKey, ss->pkcs11PinArg,
+ &key_name[SESS_TICKET_KEY_NAME_PREFIX_LEN],
+ &session_ticket_enc_key, &session_ticket_mac_key))
return PR_FAILURE;
rv = NSS_RegisterShutdown(ssl3_SessionTicketShutdown, NULL);
@@ -242,58 +227,22 @@ loser:
}
static SECStatus
-ssl3_GetSessionTicketKeysPKCS11(sslSocket *ss, PK11SymKey **aes_key,
- PK11SymKey **mac_key)
+ssl3_GetSessionTicketKeys(sslSocket *ss, PK11SymKey **aes_key,
+ PK11SymKey **mac_key)
{
if (PR_CallOnceWithArg(&generate_session_keys_once,
- ssl3_GenerateSessionTicketKeysPKCS11, ss) !=
+ ssl3_GenerateSessionTicketKeys, ss) !=
PR_SUCCESS)
return SECFailure;
- if (session_ticket_enc_key_pkcs11 == NULL ||
- session_ticket_mac_key_pkcs11 == NULL)
- return SECFailure;
-
- *aes_key = session_ticket_enc_key_pkcs11;
- *mac_key = session_ticket_mac_key_pkcs11;
- return SECSuccess;
-}
-
-#ifndef NO_PKCS11_BYPASS
-static PRStatus
-ssl3_GenerateSessionTicketKeys(void)
-{
- PORT_Memcpy(key_name, SESS_TICKET_KEY_NAME_PREFIX,
- sizeof(SESS_TICKET_KEY_NAME_PREFIX));
-
- if (!ssl_GetSessionTicketKeys(&key_name[SESS_TICKET_KEY_NAME_PREFIX_LEN],
- session_ticket_enc_key, session_ticket_mac_key))
- return PR_FAILURE;
-
- session_ticket_keys_initialized = PR_TRUE;
- return PR_SUCCESS;
-}
-
-static SECStatus
-ssl3_GetSessionTicketKeys(const unsigned char **aes_key,
- PRUint32 *aes_key_length, const unsigned char **mac_key,
- PRUint32 *mac_key_length)
-{
- if (PR_CallOnce(&generate_session_keys_once,
- ssl3_GenerateSessionTicketKeys) != PR_SUCCESS)
- return SECFailure;
-
- if (!session_ticket_keys_initialized)
+ if (session_ticket_enc_key == NULL ||
+ session_ticket_mac_key == NULL)
return SECFailure;
*aes_key = session_ticket_enc_key;
- *aes_key_length = sizeof(session_ticket_enc_key);
*mac_key = session_ticket_mac_key;
- *mac_key_length = sizeof(session_ticket_mac_key);
-
return SECSuccess;
}
-#endif
/* Table of handlers for received TLS hello extensions, one per extension.
* In the second generation, this table will be dynamic, and functions
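Review bot: `ssl3_GetSessionTicketKeys` hands back the process-wide `session_ticket_enc_key`/`session_ticket_mac_key` pointers without taking a reference, while `ssl3_SessionTicketShutdown` is what frees them, so callers must not free what they receive; that ownership rule is stated nowhere in the hunk. A comment above the definition would prevent an accidental double free: `/* Returns borrowed references to the process-global ticket keys; they are released in ssl3_SessionTicketShutdown, so callers must not free them. */`. Note also that, as I read `PR_CallOnceWithArg`, the first result is cached, so a transient failure in `ssl3_GenerateSessionTicketKeys` makes every later call return SECFailure until the once-block is reset (as the shutdown hook does); worth a sentence in the same comment.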
@@ -1239,6 +1188,7 @@ ssl3_EncodeSessionTicket(sslSocket *ss,
PRUint32 ciphertext_length;
SECItem ticket_buf = { 0, NULL, 0 };
SECItem ticket_tmp = { 0, NULL, 0 };
+ SECItem macParam = { 0, NULL, 0 };
PRBool ms_is_wrapped;
unsigned char wrapped_ms[SSL3_MASTER_SECRET_LENGTH];
SECItem ms_item = { 0, NULL, 0 };
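Review bot: The new `macParam` is initialised as `{ 0, NULL, 0 }` here but as `{ siBuffer, NULL, 0 }` in ssl3_ProcessSessionTicketCommon later in this file; the values are identical, but using the enum name in both places keeps the two functions consistent and makes the intent obvious: `SECItem macParam = { siBuffer, NULL, 0 };`. ssl3_EncodeSessionTicket starts before this hunk.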
@@ -1247,23 +1197,12 @@ ssl3_EncodeSessionTicket(sslSocket *ss,
PRUint32 cert_length = 0;
PRUint8 length_buf[4];
PRUint32 now;
- PK11SymKey *aes_key_pkcs11 = NULL;
- PK11SymKey *mac_key_pkcs11 = NULL;
-#ifndef NO_PKCS11_BYPASS
- const unsigned char *aes_key = NULL;
- const unsigned char *mac_key = NULL;
- PRUint32 aes_key_length;
- PRUint32 mac_key_length;
- PRUint64 aes_ctx_buf[MAX_CIPHER_CONTEXT_LLONGS];
- AESContext *aes_ctx;
- const SECHashObject *hashObj = NULL;
- PRUint64 hmac_ctx_buf[MAX_MAC_CONTEXT_LLONGS];
- HMACContext *hmac_ctx = NULL;
-#endif
+ PK11SymKey *aes_key = NULL;
+ PK11SymKey *mac_key = NULL;
CK_MECHANISM_TYPE cipherMech = CKM_AES_CBC;
- PK11Context *aes_ctx_pkcs11;
+ PK11Context *aes_ctx;
CK_MECHANISM_TYPE macMech = CKM_SHA256_HMAC;
- PK11Context *hmac_ctx_pkcs11 = NULL;
+ PK11Context *hmac_ctx = NULL;
unsigned char computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH];
unsigned int computed_mac_length;
unsigned char iv[AES_BLOCK_SIZE];
@@ -1293,16 +1232,7 @@ ssl3_EncodeSessionTicket(sslSocket *ss,
if (rv != SECSuccess)
goto loser;
-#ifndef NO_PKCS11_BYPASS
- if (ss->opt.bypassPKCS11) {
- rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length,
- &mac_key, &mac_key_length);
- } else
-#endif
- {
- rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11,
- &mac_key_pkcs11);
- }
+ rv = ssl3_GetSessionTicketKeys(ss, &aes_key, &mac_key);
if (rv != SECSuccess)
goto loser;
@@ -1520,98 +1450,49 @@ ssl3_EncodeSessionTicket(sslSocket *ss,
goto loser;
}
-/* Generate encrypted portion of ticket. */
-#ifndef NO_PKCS11_BYPASS
- if (ss->opt.bypassPKCS11) {
- PORT_Assert(aes_key);
-
- aes_ctx = (AESContext *)aes_ctx_buf;
- rv = AES_InitContext(aes_ctx, aes_key, aes_key_length, iv,
- NSS_AES_CBC, 1, AES_BLOCK_SIZE);
- if (rv != SECSuccess)
- goto loser;
-
- rv = AES_Encrypt(aes_ctx, ciphertext.data, &ciphertext.len,
- ciphertext.len, plaintext_item.data,
- plaintext_item.len);
- if (rv != SECSuccess)
- goto loser;
- } else
-#endif
- {
- PORT_Assert(aes_key_pkcs11);
- aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech,
- CKA_ENCRYPT, aes_key_pkcs11, &ivItem);
- if (!aes_ctx_pkcs11)
- goto loser;
+ /* Generate encrypted portion of ticket. */
+ PORT_Assert(aes_key);
+ aes_ctx = PK11_CreateContextBySymKey(cipherMech, CKA_ENCRYPT, aes_key, &ivItem);
+ if (!aes_ctx)
+ goto loser;
- rv = PK11_CipherOp(aes_ctx_pkcs11, ciphertext.data,
- (int *)&ciphertext.len, ciphertext.len,
- plaintext_item.data, plaintext_item.len);
- PK11_Finalize(aes_ctx_pkcs11);
- PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE);
- if (rv != SECSuccess)
- goto loser;
- }
+ rv = PK11_CipherOp(aes_ctx, ciphertext.data,
+ (int *)&ciphertext.len, ciphertext.len,
+ plaintext_item.data, plaintext_item.len);
+ PK11_Finalize(aes_ctx);
+ PK11_DestroyContext(aes_ctx, PR_TRUE);
+ if (rv != SECSuccess)
+ goto loser;
/* Convert ciphertext length to network order. */
length_buf[0] = (ciphertext.len >> 8) & 0xff;
length_buf[1] = (ciphertext.len) & 0xff;
-/* Compute MAC. */
-#ifndef NO_PKCS11_BYPASS
- if (ss->opt.bypassPKCS11) {
- PORT_Assert(mac_key);
-
- hmac_ctx = (HMACContext *)hmac_ctx_buf;
- hashObj = HASH_GetRawHashObject(HASH_AlgSHA256);
- if (HMAC_Init(hmac_ctx, hashObj, mac_key,
- mac_key_length, PR_FALSE) != SECSuccess) {
- goto loser;
- }
-
- HMAC_Begin(hmac_ctx);
- HMAC_Update(hmac_ctx, key_name, SESS_TICKET_KEY_NAME_LEN);
- HMAC_Update(hmac_ctx, iv, sizeof(iv));
- HMAC_Update(hmac_ctx, (unsigned char *)length_buf, 2);
- HMAC_Update(hmac_ctx, ciphertext.data, ciphertext.len);
- if (HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length,
- sizeof(computed_mac)) != SECSuccess) {
- goto loser;
- }
- } else
-#endif
- {
- SECItem macParam;
- PORT_Assert(mac_key_pkcs11);
- macParam.data = NULL;
- macParam.len = 0;
- hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech,
- CKA_SIGN, mac_key_pkcs11, &macParam);
- if (!hmac_ctx_pkcs11)
- goto loser;
+ /* Compute MAC. */
+ PORT_Assert(mac_key);
+ hmac_ctx = PK11_CreateContextBySymKey(macMech, CKA_SIGN, mac_key, &macParam);
+ if (!hmac_ctx)
+ goto loser;
- rv = PK11_DigestBegin(hmac_ctx_pkcs11);
- if (rv != SECSuccess)
- goto loser;
- rv = PK11_DigestOp(hmac_ctx_pkcs11, key_name,
- SESS_TICKET_KEY_NAME_LEN);
- if (rv != SECSuccess)
- goto loser;
- rv = PK11_DigestOp(hmac_ctx_pkcs11, iv, sizeof(iv));
- if (rv != SECSuccess)
- goto loser;
- rv = PK11_DigestOp(hmac_ctx_pkcs11, (unsigned char *)length_buf, 2);
- if (rv != SECSuccess)
- goto loser;
- rv = PK11_DigestOp(hmac_ctx_pkcs11, ciphertext.data, ciphertext.len);
- if (rv != SECSuccess)
- goto loser;
- rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac,
- &computed_mac_length, sizeof(computed_mac));
- if (rv != SECSuccess)
- goto loser;
- }
+ rv = PK11_DigestBegin(hmac_ctx);
+ if (rv != SECSuccess)
+ goto loser;
+ rv = PK11_DigestOp(hmac_ctx, key_name, SESS_TICKET_KEY_NAME_LEN);
+ if (rv != SECSuccess)
+ goto loser;
+ rv = PK11_DigestOp(hmac_ctx, iv, sizeof(iv));
+ if (rv != SECSuccess)
+ goto loser;
+ rv = PK11_DigestOp(hmac_ctx, (unsigned char *)length_buf, 2);
+ if (rv != SECSuccess)
+ goto loser;
+ rv = PK11_DigestOp(hmac_ctx, ciphertext.data, ciphertext.len);
+ if (rv != SECSuccess)
+ goto loser;
+ rv = PK11_DigestFinal(hmac_ctx, computed_mac,
+ &computed_mac_length, sizeof(computed_mac));
+ if (rv != SECSuccess)
+ goto loser;
ticket_length =
+SESS_TICKET_KEY_NAME_LEN /* key_name */
@@ -1652,13 +1533,8 @@ ssl3_EncodeSessionTicket(sslSocket *ss,
ticket_buf.data = NULL;
loser:
-#ifndef NO_PKCS11_BYPASS
if (hmac_ctx) {
- HMAC_Destroy(hmac_ctx, PR_FALSE);
- }
-#endif
- if (hmac_ctx_pkcs11) {
- PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE);
+ PK11_DestroyContext(hmac_ctx, PR_TRUE);
}
if (plaintext_item.data) {
SECITEM_FreeItem(&plaintext_item, PR_FALSE);
@@ -1704,22 +1580,11 @@ ssl3_ProcessSessionTicketCommon(sslSocket *ss, SECItem *data)
EncryptedSessionTicket enc_session_ticket;
unsigned char computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH];
unsigned int computed_mac_length;
-#ifndef NO_PKCS11_BYPASS
- const SECHashObject *hashObj;
- const unsigned char *aes_key = NULL;
- const unsigned char *mac_key = NULL;
- PRUint32 aes_key_length;
- PRUint32 mac_key_length;
- PRUint64 hmac_ctx_buf[MAX_MAC_CONTEXT_LLONGS];
- HMACContext *hmac_ctx;
- PRUint64 aes_ctx_buf[MAX_CIPHER_CONTEXT_LLONGS];
- AESContext *aes_ctx;
-#endif
- PK11SymKey *aes_key_pkcs11 = NULL;
- PK11SymKey *mac_key_pkcs11 = NULL;
- PK11Context *hmac_ctx_pkcs11;
+ PK11SymKey *aes_key = NULL;
+ PK11SymKey *mac_key = NULL;
+ PK11Context *hmac_ctx;
CK_MECHANISM_TYPE macMech = CKM_SHA256_HMAC;
- PK11Context *aes_ctx_pkcs11;
+ PK11Context *aes_ctx;
CK_MECHANISM_TYPE cipherMech = CKM_AES_CBC;
unsigned char *padding;
PRUint32 padding_length;
@@ -1728,7 +1593,9 @@ ssl3_ProcessSessionTicketCommon(sslSocket *ss, SECItem *data)
PRInt32 temp;
SECItem cert_item;
PRInt8 nameType = TLS_STE_NO_SERVER_NAME;
+ SECItem macParam = { siBuffer, NULL, 0 };
SECItem alpn_item;
+ SECItem ivItem;
/* Turn off stateless session resumption if the client sends a
* SessionTicket extension, even if the extension turns out to be
@@ -1749,17 +1616,8 @@ ssl3_ProcessSessionTicketCommon(sslSocket *ss, SECItem *data)
return SECSuccess; /* Pretend it isn't there */
}
-/* Get session ticket keys. */
-#ifndef NO_PKCS11_BYPASS
- if (ss->opt.bypassPKCS11) {
- rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length,
- &mac_key, &mac_key_length);
- } else
-#endif
- {
- rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11,
- &mac_key_pkcs11);
- }
+ /* Get session ticket keys. */
+ rv = ssl3_GetSessionTicketKeys(ss, &aes_key, &mac_key);
if (rv != SECSuccess) {
SSL_DBG(("%d: SSL[%d]: Unable to get/generate session ticket keys.",
SSL_GETPID(), ss->fd));
@@ -1776,61 +1634,37 @@ ssl3_ProcessSessionTicketCommon(sslSocket *ss, SECItem *data)
goto no_ticket;
}
-/* Verify the MAC on the ticket. MAC verification may also
+ /* Verify the MAC on the ticket. MAC verification may also
* fail if the MAC key has been recently refreshed.
*/
-#ifndef NO_PKCS11_BYPASS
- if (ss->opt.bypassPKCS11) {
- PORT_Assert(mac_key);
- hmac_ctx = (HMACContext *)hmac_ctx_buf;
- hashObj = HASH_GetRawHashObject(HASH_AlgSHA256);
- if (HMAC_Init(hmac_ctx, hashObj, mac_key,
- sizeof(session_ticket_mac_key), PR_FALSE) != SECSuccess)
- goto no_ticket;
- HMAC_Begin(hmac_ctx);
- HMAC_Update(hmac_ctx, extension_data.data,
- extension_data.len - TLS_EX_SESS_TICKET_MAC_LENGTH);
- rv = HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length,
- sizeof(computed_mac));
- HMAC_Destroy(hmac_ctx, PR_FALSE);
- if (rv != SECSuccess) {
- goto no_ticket;
- }
- } else
-#endif
- {
- SECItem macParam;
- PORT_Assert(mac_key_pkcs11);
- macParam.data = NULL;
- macParam.len = 0;
- hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech,
- CKA_SIGN, mac_key_pkcs11, &macParam);
- if (!hmac_ctx_pkcs11) {
- SSL_DBG(("%d: SSL[%d]: Unable to create HMAC context: %d.",
- SSL_GETPID(), ss->fd, PORT_GetError()));
- goto no_ticket;
- } else {
- SSL_DBG(("%d: SSL[%d]: Successfully created HMAC context.",
- SSL_GETPID(), ss->fd));
- }
- rv = PK11_DigestBegin(hmac_ctx_pkcs11);
- if (rv != SECSuccess) {
- PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE);
- goto no_ticket;
- }
- rv = PK11_DigestOp(hmac_ctx_pkcs11, extension_data.data,
- extension_data.len -
- TLS_EX_SESS_TICKET_MAC_LENGTH);
- if (rv != SECSuccess) {
- PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE);
- goto no_ticket;
- }
- rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac,
- &computed_mac_length, sizeof(computed_mac));
- PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE);
- if (rv != SECSuccess)
- goto no_ticket;
+ PORT_Assert(mac_key);
+ hmac_ctx = PK11_CreateContextBySymKey(macMech, CKA_SIGN, mac_key, &macParam);
+ if (!hmac_ctx) {
+ SSL_DBG(("%d: SSL[%d]: Unable to create HMAC context: %d.",
+ SSL_GETPID(), ss->fd, PORT_GetError()));
+ goto no_ticket;
+ } else {
+ SSL_DBG(("%d: SSL[%d]: Successfully created HMAC context.",
+ SSL_GETPID(), ss->fd));
+ }
+ rv = PK11_DigestBegin(hmac_ctx);
+ if (rv != SECSuccess) {
+ PK11_DestroyContext(hmac_ctx, PR_TRUE);
+ goto no_ticket;
+ }
+ rv = PK11_DigestOp(hmac_ctx, extension_data.data,
+ extension_data.len -
+ TLS_EX_SESS_TICKET_MAC_LENGTH);
+ if (rv != SECSuccess) {
+ PK11_DestroyContext(hmac_ctx, PR_TRUE);
+ goto no_ticket;
}
+ rv = PK11_DigestFinal(hmac_ctx, computed_mac,
+ &computed_mac_length, sizeof(computed_mac));
+ PK11_DestroyContext(hmac_ctx, PR_TRUE);
+ if (rv != SECSuccess)
+ goto no_ticket;
+
if (NSS_SecureMemcmp(computed_mac, enc_session_ticket.mac,
computed_mac_length) !=
0) {
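Review bot: The `else { SSL_DBG(... "Successfully created HMAC context." ...) }` following `goto no_ticket;` at the `if (!hmac_ctx)` check is a redundant branch now that this code is no longer nested inside the bypass fallback; dropping the `else` and letting the trace statement follow the `if` reads cleaner. The three copies of `PK11_DestroyContext(hmac_ctx, PR_TRUE); goto no_ticket;` on the `PK11_DigestBegin`/`PK11_DigestOp` failure paths are correct but could collapse into a single local cleanup label. The `NSS_SecureMemcmp` below compares `computed_mac_length` bytes, so a shorter-than-expected digest would shorten the comparison; a guard `if (computed_mac_length != TLS_EX_SESS_TICKET_MAC_LENGTH) goto no_ticket;` before the compare pins the length (pre-existing, not introduced here). ssl3_ProcessSessionTicketCommon continues outside the hunk.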
@@ -1849,50 +1683,26 @@ ssl3_ProcessSessionTicketCommon(sslSocket *ss, SECItem *data)
decrypted_state = SECITEM_AllocItem(NULL, NULL,
enc_session_ticket.encrypted_state.len);
-#ifndef NO_PKCS11_BYPASS
- if (ss->opt.bypassPKCS11) {
- PORT_Assert(aes_key);
- aes_ctx = (AESContext *)aes_ctx_buf;
- rv = AES_InitContext(aes_ctx, aes_key,
- sizeof(session_ticket_enc_key), enc_session_ticket.iv,
- NSS_AES_CBC, 0, AES_BLOCK_SIZE);
- if (rv != SECSuccess) {
- SSL_DBG(("%d: SSL[%d]: Unable to create AES context.",
- SSL_GETPID(), ss->fd));
- goto no_ticket;
- }
-
- rv = AES_Decrypt(aes_ctx, decrypted_state->data,
- &decrypted_state->len, decrypted_state->len,
- enc_session_ticket.encrypted_state.data,
- enc_session_ticket.encrypted_state.len);
- if (rv != SECSuccess)
- goto no_ticket;
- } else
-#endif
- {
- SECItem ivItem;
- PORT_Assert(aes_key_pkcs11);
- ivItem.data = enc_session_ticket.iv;
- ivItem.len = AES_BLOCK_SIZE;
- aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech,
- CKA_DECRYPT, aes_key_pkcs11, &ivItem);
- if (!aes_ctx_pkcs11) {
- SSL_DBG(("%d: SSL[%d]: Unable to create AES context.",
- SSL_GETPID(), ss->fd));
- goto no_ticket;
- }
-
- rv = PK11_CipherOp(aes_ctx_pkcs11, decrypted_state->data,
- (int *)&decrypted_state->len, decrypted_state->len,
- enc_session_ticket.encrypted_state.data,
- enc_session_ticket.encrypted_state.len);
- PK11_Finalize(aes_ctx_pkcs11);
- PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE);
- if (rv != SECSuccess)
- goto no_ticket;
+ PORT_Assert(aes_key);
+ ivItem.data = enc_session_ticket.iv;
+ ivItem.len = AES_BLOCK_SIZE;
+ aes_ctx = PK11_CreateContextBySymKey(cipherMech, CKA_DECRYPT,
+ aes_key, &ivItem);
+ if (!aes_ctx) {
+ SSL_DBG(("%d: SSL[%d]: Unable to create AES context.",
+ SSL_GETPID(), ss->fd));
+ goto no_ticket;
}
+ rv = PK11_CipherOp(aes_ctx, decrypted_state->data,
+ (int *)&decrypted_state->len, decrypted_state->len,
+ enc_session_ticket.encrypted_state.data,
+ enc_session_ticket.encrypted_state.len);
+ PK11_Finalize(aes_ctx);
+ PK11_DestroyContext(aes_ctx, PR_TRUE);
+ if (rv != SECSuccess)
+ goto no_ticket;
+
/* Check padding. */
padding_length =
(PRUint32)decrypted_state->data[decrypted_state->len - 1];
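Review bot: `decrypted_state->data` and `decrypted_state->len` are dereferenced in the new `PK11_CipherOp` call right after `SECITEM_AllocItem`, and no NULL check is visible between them (the hunk line counts suggest only blank lines are omitted from this view), so an allocation failure would crash instead of reaching `no_ticket`; a guard `if (!decrypted_state) goto no_ticket;` after the allocation closes that. `PK11_Finalize(aes_ctx)` returns a SECStatus that is discarded, so only the `PK11_CipherOp` result decides the `goto no_ticket`; `if (PK11_Finalize(aes_ctx) != SECSuccess) rv = SECFailure;` before the destroy keeps a failed finalization from being treated as a good decrypt. The `(int *)&decrypted_state->len` cast is carried over from the old PKCS#11 branch and still passes an unsigned length through a signed pointer; a local `int outLen` handed to the call and copied back afterwards would avoid the punning. ssl3_ProcessSessionTicketCommon continues outside the hunk.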
@@ -2109,12 +1919,6 @@ ssl3_ProcessSessionTicketCommon(sslSocket *ss, SECItem *data)
goto no_ticket;
sid->u.ssl3.locked.sessionTicket.flags = parsed_session_ticket->flags;
-/* Copy master secret. */
-#ifndef NO_PKCS11_BYPASS
- if (ss->opt.bypassPKCS11 &&
- parsed_session_ticket->ms_is_wrapped)
- goto no_ticket;
-#endif
if (parsed_session_ticket->ms_length >
sizeof(sid->u.ssl3.keys.wrapped_master_secret))
goto no_ticket;
@@ -2972,15 +2776,6 @@ ssl3_SendExtendedMasterSecretXtn(sslSocket *ss, PRBool append,
return 0;
}
-#ifndef NO_PKCS11_BYPASS
- /* Extended MS can only be used w/o bypass mode */
- if (ss->opt.bypassPKCS11) {
- PORT_Assert(0);
- PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
- return -1;
- }
-#endif
-
/* Always send the extension in this function, since the
* client always sends it and this function is only called on
* the server if we negotiated the extension. */
@@ -3020,15 +2815,6 @@ ssl3_HandleExtendedMasterSecretXtn(sslSocket *ss, PRUint16 ex_type,
return SECSuccess;
}
-#ifndef NO_PKCS11_BYPASS
- /* Extended MS can only be used w/o bypass mode */
- if (ss->opt.bypassPKCS11) {
- PORT_Assert(0);
- PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
- return SECFailure;
- }
-#endif
-
if (data->len != 0) {
SSL_TRC(30, ("%d: SSL3[%d]: Bogus extended master secret extension",
SSL_GETPID(), ss->fd));
diff --git a/lib/ssl/sslimpl.h b/lib/ssl/sslimpl.h
index 4f19dfaa9..389b0382e 100644
--- a/lib/ssl/sslimpl.h
+++ b/lib/ssl/sslimpl.h
@@ -316,7 +316,6 @@ typedef struct sslOptionsStr {
unsigned int noCache : 1;
unsigned int fdx : 1;
unsigned int detectRollBack : 1;
- unsigned int bypassPKCS11 : 1;
unsigned int noLocks : 1;
unsigned int enableSessionTickets : 1;
unsigned int enableDeflate : 1;
@@ -534,7 +533,6 @@ typedef struct {
SSLCipher encode;
SSLCipher decode;
SSLAEADCipher aead;
- SSLDestroy destroy;
void *encodeContext;
void *decodeContext;
SSLCompressor compressor; /* Don't name these fields compress */
@@ -544,7 +542,6 @@ typedef struct {
void *compressContext;
SSLDestroy destroyDecompressContext;
void *decompressContext;
- PRBool bypassCiphers; /* did double bypass (at least) */
PK11SymKey *master_secret;
sslSequenceNumber write_seq_num;
sslSequenceNumber read_seq_num;
@@ -884,20 +881,6 @@ typedef struct SSL3HandshakeStateStr {
/* This group of members is used for handshake running hashes. */
SSL3HandshakeHashType hashType;
sslBuffer messages; /* Accumulated handshake messages */
-#ifndef NO_PKCS11_BYPASS
- /* Bypass mode:
- * SSL 3.0 - TLS 1.1 use both |md5_cx| and |sha_cx|. |md5_cx| is used for
- * MD5 and |sha_cx| for SHA-1.
- * TLS 1.2 and later use only |sha_cx|, for SHA-256. NOTE: When we support
- * SHA-384, increase MAX_MAC_CONTEXT_BYTES to 712. */
- PRUint64 md5_cx[MAX_MAC_CONTEXT_LLONGS];
- PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS];
- const SECHashObject *sha_obj;
- /* The function prototype of sha_obj->clone() does not match the prototype
- * of the freebl <HASH>_Clone functions, so we need a dedicated function
- * pointer for the <HASH>_Clone function. */
- void (*sha_clone)(void *dest, void *src);
-#endif
/* PKCS #11 mode:
* SSL 3.0 - TLS 1.1 use both |md5| and |sha|. |md5| is used for MD5 and
* |sha| for SHA-1.
@@ -1639,14 +1622,6 @@ extern PRInt32 ssl3_SendRecord(sslSocket *ss, ssl3CipherSpec *cwSpec,
extern PRBool ssl3_VersionIsSupported(SSLProtocolVariant protocolVariant,
SSL3ProtocolVersion version);
-extern SECStatus ssl3_KeyAndMacDeriveBypass(ssl3CipherSpec *pwSpec,
- const unsigned char *cr, const unsigned char *sr,
- PRBool isTLS, HASH_HashType tls12HashType);
-extern SECStatus ssl3_MasterSecretDeriveBypass(ssl3CipherSpec *pwSpec,
- const unsigned char *cr, const unsigned char *sr,
- const SECItem *pms, PRBool isTLS,
- HASH_HashType tls12HashType, PRBool isRSA);
-
/* These functions are called from secnav, even though they're "private". */
extern int SSL_RestartHandshakeAfterCertReq(struct sslSocketStr *ss,
@@ -1734,8 +1709,6 @@ extern SECStatus ssl_NamedGroup2ECParams(PLArenaPool *arena,
extern const sslNamedGroupDef *ssl_ECPubKey2NamedGroup(
const SECKEYPublicKey *pubKey);
-extern const sslNamedGroupDef *ssl_GetECGroupWithStrength(sslSocket *ss,
- unsigned int requiredECCbits);
extern const sslNamedGroupDef *ssl_GetECGroupForServerSocket(sslSocket *ss);
extern void ssl_FilterSupportedGroups(sslSocket *ss);
@@ -1781,8 +1754,8 @@ SECStatus tls13_EncodeECDHEKeyShareKEX(sslSocket *ss,
extern SECStatus ssl3_ComputeCommonKeyHash(SSLHashType hashAlg,
PRUint8 *hashBuf,
- unsigned int bufLen, SSL3Hashes *hashes,
- PRBool bypassPKCS11);
+ unsigned int bufLen,
+ SSL3Hashes *hashes);
extern void ssl3_DestroyCipherSpec(ssl3CipherSpec *spec, PRBool freeSrvName);
extern SECStatus ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms);
extern SECStatus ssl3_AppendHandshake(sslSocket *ss, const void *void_src,
@@ -1865,12 +1838,10 @@ extern void ssl3_SetSIDSessionTicket(sslSessionID *sid,
SECStatus ssl3_EncodeSessionTicket(sslSocket *ss,
const NewSessionTicket *ticket_input,
SECItem *ticket_data);
-extern PRBool ssl_GetSessionTicketKeys(unsigned char *keyName,
- unsigned char *encKey, unsigned char *macKey);
-extern PRBool ssl_GetSessionTicketKeysPKCS11(SECKEYPrivateKey *svrPrivKey,
- SECKEYPublicKey *svrPubKey, void *pwArg,
- unsigned char *keyName, PK11SymKey **aesKey,
- PK11SymKey **macKey);
+extern PRBool ssl_GetSessionTicketKeys(SECKEYPrivateKey *svrPrivKey,
+ SECKEYPublicKey *svrPubKey, void *pwArg,
+ unsigned char *keyName, PK11SymKey **aesKey,
+ PK11SymKey **macKey);
extern SECStatus ssl3_SessionTicketShutdown(void *appData, void *nssData);
/* Tell clients to consider tickets valid for this long. */
diff --git a/lib/ssl/sslsnce.c b/lib/ssl/sslsnce.c
index 59c341647..4a4005c2d 100644
--- a/lib/ssl/sslsnce.c
+++ b/lib/ssl/sslsnce.c
@@ -35,8 +35,8 @@
* certCacheEntry certCacheData[numCertCacheEntries];
* SSLWrappedSymWrappingKey keyCacheData[ssl_auth_size][SSL_NUM_WRAP_MECHS];
* PRUint8 keyNameSuffix[SESS_TICKET_KEY_VAR_NAME_LEN]
- * encKeyCacheEntry ticketEncKey; // Wrapped in non-bypass mode
- * encKeyCacheEntry ticketMacKey; // Wrapped in non-bypass mode
+ * encKeyCacheEntry ticketEncKey; // Wrapped
+ * encKeyCacheEntry ticketMacKey; // Wrapped
* PRBool ticketKeysValid;
* sidCacheLock srvNameCacheLock;
* srvNameCacheEntry srvNameData[ numSrvNameCacheEntries ];
@@ -53,12 +53,8 @@
#include "pk11func.h"
#include "base64.h"
#include "keyhi.h"
-#ifdef NO_PKCS11_BYPASS
#include "blapit.h"
#include "sechash.h"
-#else
-#include "blapi.h"
-#endif
#include <stdio.h>
@@ -396,12 +392,8 @@ CacheSrvName(cacheDesc *cache, SECItem *name, sidCacheEntry *sce)
snce.type = name->type;
snce.nameLen = name->len;
PORT_Memcpy(snce.name, name->data, snce.nameLen);
-#ifdef NO_PKCS11_BYPASS
HASH_HashBuf(HASH_AlgSHA256, snce.nameHash, name->data, name->len);
-#else
- SHA256_HashBuf(snce.nameHash, (unsigned char *)name->data,
- name->len);
-#endif
+
/* get index of the next name */
ndx = Get32BitNameHash(name);
/* get lock on cert cache */
@@ -1829,10 +1821,10 @@ loser:
}
PRBool
-ssl_GetSessionTicketKeysPKCS11(SECKEYPrivateKey *svrPrivKey,
- SECKEYPublicKey *svrPubKey, void *pwArg,
- unsigned char *keyName, PK11SymKey **aesKey,
- PK11SymKey **macKey)
+ssl_GetSessionTicketKeys(SECKEYPrivateKey *svrPrivKey,
+ SECKEYPublicKey *svrPubKey, void *pwArg,
+ unsigned char *keyName, PK11SymKey **aesKey,
+ PK11SymKey **macKey)
{
PRUint32 now = 0;
PRBool rv = PR_FALSE;
@@ -1867,70 +1859,6 @@ loser:
return rv;
}
-PRBool
-ssl_GetSessionTicketKeys(unsigned char *keyName, unsigned char *encKey,
- unsigned char *macKey)
-{
- PRBool rv = PR_FALSE;
- PRUint32 now = 0;
- cacheDesc *cache = &globalCache;
- PRUint8 ticketMacKey[SHA256_LENGTH], ticketEncKey[AES_256_KEY_LENGTH];
- PRUint8 ticketKeyNameSuffixLocal[SESS_TICKET_KEY_VAR_NAME_LEN];
- PRUint8 *ticketMacKeyPtr, *ticketEncKeyPtr, *ticketKeyNameSuffix;
- PRBool cacheIsEnabled = PR_TRUE;
-
- if (!cache->cacheMem) { /* cache is uninitialized */
- cacheIsEnabled = PR_FALSE;
- ticketKeyNameSuffix = ticketKeyNameSuffixLocal;
- ticketEncKeyPtr = ticketEncKey;
- ticketMacKeyPtr = ticketMacKey;
- } else {
- /* these values have constant memory locations in the cache.
- * Ok to reference them without holding the lock. */
- ticketKeyNameSuffix = cache->ticketKeyNameSuffix;
- ticketEncKeyPtr = cache->ticketEncKey->bytes;
- ticketMacKeyPtr = cache->ticketMacKey->bytes;
- }
-
- if (cacheIsEnabled) {
- /* Grab lock if initialized. */
- now = LockSidCacheLock(cache->keyCacheLock, now);
- if (!now)
- return rv;
- }
- /* Going to regenerate keys on every call if cache was not
- * initialized. */
- if (!cacheIsEnabled || !*(cache->ticketKeysValid)) {
- if (PK11_GenerateRandom(ticketKeyNameSuffix,
- SESS_TICKET_KEY_VAR_NAME_LEN) !=
- SECSuccess)
- goto loser;
- if (PK11_GenerateRandom(ticketEncKeyPtr,
- AES_256_KEY_LENGTH) != SECSuccess)
- goto loser;
- if (PK11_GenerateRandom(ticketMacKeyPtr,
- SHA256_LENGTH) != SECSuccess)
- goto loser;
- if (cacheIsEnabled) {
- *(cache->ticketKeysValid) = 1;
- }
- }
-
- rv = PR_TRUE;
-
-loser:
- if (cacheIsEnabled) {
- UnlockSidCacheLock(cache->keyCacheLock);
- }
- if (rv) {
- PORT_Memcpy(keyName, ticketKeyNameSuffix,
- SESS_TICKET_KEY_VAR_NAME_LEN);
- PORT_Memcpy(encKey, ticketEncKeyPtr, AES_256_KEY_LENGTH);
- PORT_Memcpy(macKey, ticketMacKeyPtr, SHA256_LENGTH);
- }
- return rv;
-}
-
/* The caller passes in the new value it wants
* to set. This code tests the wrapped sym key entry in the shared memory.
* If it is uninitialized, this function writes the caller's value into
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
index 0138fd5e2..8e005706a 100644
--- a/lib/ssl/sslsock.c
+++ b/lib/ssl/sslsock.c
@@ -15,9 +15,6 @@
#include "sslproto.h"
#include "nspr.h"
#include "private/pprio.h"
-#ifndef NO_PKCS11_BYPASS
-#include "blapi.h"
-#endif
#include "nss.h"
#include "pk11pqg.h"
@@ -65,7 +62,6 @@ static sslOptions ssl_defaults = {
PR_FALSE, /* noCache */
PR_FALSE, /* fdx */
PR_TRUE, /* detectRollBack */
- PR_FALSE, /* bypassPKCS11 */
PR_FALSE, /* noLocks */
PR_FALSE, /* enableSessionTickets */
PR_FALSE, /* enableDeflate */
@@ -501,39 +497,6 @@ SSL_Enable(PRFileDesc *fd, int which, PRBool on)
return SSL_OptionSet(fd, which, on);
}
-#ifndef NO_PKCS11_BYPASS
-static const PRCallOnceType pristineCallOnce;
-static PRCallOnceType setupBypassOnce;
-
-static SECStatus
-SSL_BypassShutdown(void *appData, void *nssData)
-{
- /* unload freeBL shared library from memory */
- BL_Unload();
- setupBypassOnce = pristineCallOnce;
- return SECSuccess;
-}
-
-static PRStatus
-SSL_BypassRegisterShutdown(void)
-{
- SECStatus rv = NSS_RegisterShutdown(SSL_BypassShutdown, NULL);
- PORT_Assert(SECSuccess == rv);
- return SECSuccess == rv ? PR_SUCCESS : PR_FAILURE;
-}
-#endif
-
-static PRStatus
-SSL_BypassSetup(void)
-{
-#ifdef NO_PKCS11_BYPASS
- /* Guarantee binary compatibility */
- return PR_SUCCESS;
-#else
- return PR_CallOnce(&setupBypassOnce, &SSL_BypassRegisterShutdown);
-#endif
-}
-
static PRBool ssl_VersionIsSupportedByPolicy(
SSLProtocolVariant protocolVariant, SSL3ProtocolVersion version);
@@ -724,24 +687,6 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on)
break;
case SSL_BYPASS_PKCS11:
- if (ss->handshakeBegun) {
- PORT_SetError(PR_INVALID_STATE_ERROR);
- rv = SECFailure;
- } else {
- if (PR_FALSE != on) {
- if (PR_SUCCESS == SSL_BypassSetup()) {
-#ifdef NO_PKCS11_BYPASS
- ss->opt.bypassPKCS11 = PR_FALSE;
-#else
- ss->opt.bypassPKCS11 = on;
-#endif
- } else {
- rv = SECFailure;
- }
- } else {
- ss->opt.bypassPKCS11 = PR_FALSE;
- }
- }
break;
case SSL_NO_LOCKS:
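Review bot: The `case SSL_BYPASS_PKCS11:` in SSL_OptionSet now falls straight to `break;`, so a caller that sets the option to PR_TRUE still gets SECSuccess while `SSL_OptionGet` reports PR_FALSE; that silent accept is a defensible compatibility choice but deserves a comment at the case, e.g. `/* Deprecated: the PKCS#11 bypass has been removed; the option is accepted and ignored for API compatibility. */`. The same applies to the `SSL_BYPASS_PKCS11` case in `SSL_OptionSetDefault` further down in this file. If callers are expected to notice the removal, returning SECFailure with `PORT_SetError(SEC_ERROR_INVALID_ARGS)` when `on` is true would make it visible rather than silent. SSL_OptionSet's body extends beyond the hunk.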
@@ -911,7 +856,7 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn)
on = PR_FALSE;
break;
case SSL_BYPASS_PKCS11:
- on = ss->opt.bypassPKCS11;
+ on = PR_FALSE;
break;
case SSL_NO_LOCKS:
on = ss->opt.noLocks;
@@ -1031,7 +976,7 @@ SSL_OptionGetDefault(PRInt32 which, PRBool *pOn)
on = PR_FALSE;
break;
case SSL_BYPASS_PKCS11:
- on = ssl_defaults.bypassPKCS11;
+ on = PR_FALSE;
break;
case SSL_NO_LOCKS:
on = ssl_defaults.noLocks;
@@ -1185,19 +1130,6 @@ SSL_OptionSetDefault(PRInt32 which, PRBool on)
break;
case SSL_BYPASS_PKCS11:
- if (PR_FALSE != on) {
- if (PR_SUCCESS == SSL_BypassSetup()) {
-#ifdef NO_PKCS11_BYPASS
- ssl_defaults.bypassPKCS11 = PR_FALSE;
-#else
- ssl_defaults.bypassPKCS11 = on;
-#endif
- } else {
- return SECFailure;
- }
- } else {
- ssl_defaults.bypassPKCS11 = PR_FALSE;
- }
break;
case SSL_NO_LOCKS:
@@ -3512,14 +3444,6 @@ ssl_SetDefaultsFromEnvironment(void)
}
}
#endif
-#ifndef NO_PKCS11_BYPASS
- ev = PR_GetEnvSecure("SSLBYPASS");
- if (ev && ev[0]) {
- ssl_defaults.bypassPKCS11 = (ev[0] == '1');
- SSL_TRACE(("SSL: bypass default set to %d",
- ssl_defaults.bypassPKCS11));
- }
-#endif /* NO_PKCS11_BYPASS */
ev = PR_GetEnvSecure("SSLFORCELOCKS");
if (ev && ev[0] == '1') {
ssl_force_locks = PR_TRUE;
@@ -3806,3 +3730,19 @@ loser:
PORT_Free(ss);
return NULL;
}
+
+/**
+ * DEPRECATED: Will always return false.
+ */
+SECStatus
+SSL_CanBypass(CERTCertificate *cert, SECKEYPrivateKey *srvPrivkey,
+ PRUint32 protocolmask, PRUint16 *ciphersuites, int nsuites,
+ PRBool *pcanbypass, void *pwArg)
+{
+ if (!pcanbypass) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+ *pcanbypass = PR_FALSE;
+ return SECSuccess;
+}
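Review bot: The header comment `DEPRECATED: Will always return false.` on the new `SSL_CanBypass` stub is inaccurate — the function returns SECStatus (SECSuccess here, SECFailure only for a NULL `pcanbypass`), and it is `*pcanbypass` that is always PR_FALSE; rewording to `/* DEPRECATED: the PKCS#11 bypass has been removed. Always sets *pcanbypass to PR_FALSE and returns SECSuccess; returns SECFailure only when pcanbypass is NULL. */` says what callers actually get. The remaining parameters (`cert`, `srvPrivkey`, `protocolmask`, `ciphersuites`, `nsuites`, `pwArg`) are unused and kept only for ABI compatibility; a one-line note saying so would stop a reader from hunting for their use. The public prototype in ssl.h is touched by this commit but not visible here; the same deprecation note presumably belongs there as well.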
diff --git a/tests/all.sh b/tests/all.sh
index 8aae7cc09..89922cf24 100755
--- a/tests/all.sh
+++ b/tests/all.sh
@@ -164,11 +164,7 @@ run_cycle_pkix()
TESTS="${ALL_TESTS}"
TESTS_SKIP="cipher dbtests sdr crmf smime merge multinit"
-
- echo "${NSS_SSL_TESTS}" | grep "_" > /dev/null
- RET=$?
- NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/bypass//g" -e "s/fips//g" -e "s/_//g"`
- [ ${RET} -eq 0 ] && NSS_SSL_TESTS="${NSS_SSL_TESTS} bypass_bypass"
+ NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/fips//g" -e "s/_//g"`
run_tests
}
@@ -211,10 +207,7 @@ run_cycle_upgrade_db()
TESTS="${ALL_TESTS}"
TESTS_SKIP="cipher libpkix cert dbtests sdr ocsp pkits chains"
- echo "${NSS_SSL_TESTS}" | grep "_" > /dev/null
- RET=$?
- NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/bypass//g" -e "s/fips//g" -e "s/_//g"`
- [ ${RET} -eq 0 ] && NSS_SSL_TESTS="${NSS_SSL_TESTS} bypass_bypass"
+ NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/fips//g" -e "s/_//g"`
NSS_SSL_RUN=`echo "${NSS_SSL_RUN}" | sed -e "s/cov//g" -e "s/auth//g"`
run_tests
@@ -242,10 +235,7 @@ run_cycle_shared_db()
TESTS="${ALL_TESTS}"
TESTS_SKIP="cipher libpkix dbupgrade sdr ocsp pkits"
- echo "${NSS_SSL_TESTS}" | grep "_" > /dev/null
- RET=$?
- NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/bypass//g" -e "s/fips//g" -e "s/_//g"`
- [ ${RET} -eq 0 ] && NSS_SSL_TESTS="${NSS_SSL_TESTS} bypass_bypass"
+ NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/fips//g" -e "s/_//g"`
NSS_SSL_RUN=`echo "${NSS_SSL_RUN}" | sed -e "s/cov//g" -e "s/auth//g"`
run_tests
@@ -288,7 +278,7 @@ TESTS=${NSS_TESTS:-$tests}
ALL_TESTS=${TESTS}
-nss_ssl_tests="crl bypass_normal normal_bypass fips_normal normal_fips iopr policy"
+nss_ssl_tests="crl fips_normal normal_fips iopr policy"
NSS_SSL_TESTS="${NSS_SSL_TESTS:-$nss_ssl_tests}"
nss_ssl_run="cov auth stapling stress"
diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
index 35305f8a4..73e988de7 100755
--- a/tests/ssl/ssl.sh
+++ b/tests/ssl/ssl.sh
@@ -1222,9 +1222,6 @@ ssl_run_tests()
"normal")
SERVER_OPTIONS=
;;
- "bypass")
- SERVER_OPTIONS="-B -s"
- ;;
"fips")
SERVER_OPTIONS=
ssl_set_fips server on
@@ -1239,9 +1236,6 @@ ssl_run_tests()
"normal")
CLIENT_OPTIONS=
;;
- "bypass")
- CLIENT_OPTIONS="-B -s"
- ;;
"fips")
SERVER_OPTIONS=
ssl_set_fips client on