author | Wan-Teh Chang <wtc@google.com> | 2013-06-05 12:41:28 -0700 |
---|---|---|
committer | Wan-Teh Chang <wtc@google.com> | 2013-06-05 12:41:28 -0700 |
commit | 5e832185af1237d2aa25001c80f63ec58f147a1e (patch) | |
tree | 7f5f0e116cede71e2b1fbdffb742b3f48681ce6b | |
parent | 79e86c648856901e58022a42f87dfe38f3dad2ed (diff) | |
Bug 480514: Implement the new HMAC-SHA256 cipher suites specified in RFC
5246 and RFC 5289. Do not generate client_write_IV and server_write_IV
in TLS 1.1+. Do not downgrade to TLS 1.1 silently when SSL_BYPASS_PKCS11
mode is requested. Instead, silently turn off PKCS #11 bypass if TLS 1.2
is enabled. r=agl.
-rw-r--r-- | lib/ssl/ssl3con.c | 41 | ||||
-rw-r--r-- | lib/ssl/ssl3ecc.c | 4 | ||||
-rw-r--r-- | lib/ssl/sslenum.c | 9 | ||||
-rw-r--r-- | lib/ssl/sslimpl.h | 5 | ||||
-rw-r--r-- | lib/ssl/sslinfo.c | 8 | ||||
-rw-r--r-- | lib/ssl/sslproto.h | 8 | ||||
-rw-r--r-- | lib/ssl/sslsock.c | 35 | ||||
-rw-r--r-- | lib/ssl/sslt.h | 3 | ||||
-rwxr-xr-x | tests/ssl/ssl.sh | 4 | ||||
-rw-r--r-- | tests/ssl/sslcov.txt | 5 | ||||
-rw-r--r-- | tests/ssl/sslstress.txt | 2 |
11 files changed, 98 insertions, 26 deletions
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
index 44bdc9396..844fc6bf9 100644
--- a/lib/ssl/ssl3con.c
+++ b/lib/ssl/ssl3con.c
@@ -86,6 +86,7 @@ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
  { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
  { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
  { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
  { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
 #ifdef NSS_ENABLE_ECC
  { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
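Review bot: Each new HMAC-SHA256 suite is inserted directly below its HMAC-SHA1 sibling in cipherSuites, so if this table also fixes the offer order (the comment that would say so is outside the hunk) a TLS 1.2 peer that honours client preference will still settle on the SHA-1 variant. If keeping SHA-1 ahead is deliberate for interoperability, a one-line comment such as `/* SHA-256 HMAC suites are listed after their SHA-1 siblings on purpose; keep the order stable for pre-TLS-1.2 peers. */` would record that; otherwise the new rows belong above the SHA-1 rows. The hunks at -93 and -116 follow the same placement.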
@@ -93,17 +94,21 @@ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
 #endif /* NSS_ENABLE_ECC */
  { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
  { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
+ { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
 #ifdef NSS_ENABLE_ECC
  { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
  { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
 #endif /* NSS_ENABLE_ECC */
  { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
  { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
  { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
  { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
  { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
 #ifdef NSS_ENABLE_ECC
  { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
@@ -116,6 +121,7 @@ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
  { SSL_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
  { SSL_RSA_WITH_RC4_128_MD5, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
  { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
+ { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
 #ifdef NSS_ENABLE_ECC
  { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
@@ -148,6 +154,7 @@ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
  { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
 #endif /* NSS_ENABLE_ECC */
  { SSL_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_RSA_WITH_NULL_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
  { SSL_RSA_WITH_NULL_MD5, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
 };
@@ -271,6 +278,7 @@ static const ssl3CipherSuiteDef cipher_suite_defs[] =
  {SSL_NULL_WITH_NULL_NULL, cipher_null, mac_null, kea_null},
  {SSL_RSA_WITH_NULL_MD5, cipher_null, mac_md5, kea_rsa},
  {SSL_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_rsa},
+ {TLS_RSA_WITH_NULL_SHA256, cipher_null, hmac_sha256, kea_rsa},
  {SSL_RSA_EXPORT_WITH_RC4_40_MD5,cipher_rc4_40, mac_md5, kea_rsa_export},
  {SSL_RSA_WITH_RC4_128_MD5, cipher_rc4, mac_md5, kea_rsa},
  {SSL_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_rsa},
@@ -315,11 +323,15 @@ static const ssl3CipherSuiteDef cipher_suite_defs[] =
  /* New TLS cipher suites */
  {TLS_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_rsa},
+ {TLS_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_rsa},
  {TLS_DHE_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe_dss},
  {TLS_DHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe_rsa},
+ {TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_rsa},
  {TLS_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_rsa},
+ {TLS_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_rsa},
  {TLS_DHE_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe_dss},
  {TLS_DHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe_rsa},
+ {TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_rsa},
 #if 0
  {TLS_DH_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_dss},
  {TLS_DH_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_rsa},
@@ -361,6 +373,7 @@ static const ssl3CipherSuiteDef cipher_suite_defs[] =
  {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_ecdsa},
  {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecdsa},
  {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_ecdsa},
+ {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ecdhe_ecdsa},
  {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_ecdsa},
  {TLS_ECDH_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_rsa},
@@ -373,6 +386,7 @@ static const ssl3CipherSuiteDef cipher_suite_defs[] =
  {TLS_ECDHE_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_rsa},
  {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_rsa},
  {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_rsa},
+ {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ecdhe_rsa},
  {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_rsa},
 #if 0
@@ -419,14 +433,17 @@ static const SSLCipher2Mech alg2Mech[] = {
 #define mmech_sha CKM_SSL3_SHA1_MAC
 #define mmech_md5_hmac CKM_MD5_HMAC
 #define mmech_sha_hmac CKM_SHA_1_HMAC
+#define mmech_sha256_hmac CKM_SHA256_HMAC
 static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */
+ /* pad_size is only used for SSL 3.0 MAC. See RFC 6101 Sec. 5.2.3.1. */
  /* mac mmech pad_size mac_size */
  { mac_null, mmech_null, 0, 0 },
  { mac_md5, mmech_md5, 48, MD5_LENGTH },
  { mac_sha, mmech_sha, 40, SHA1_LENGTH},
- {hmac_md5, mmech_md5_hmac, 48, MD5_LENGTH },
- {hmac_sha, mmech_sha_hmac, 40, SHA1_LENGTH},
+ {hmac_md5, mmech_md5_hmac, 0, MD5_LENGTH },
+ {hmac_sha, mmech_sha_hmac, 0, SHA1_LENGTH},
+ {hmac_sha256, mmech_sha256_hmac, 0, SHA256_LENGTH},
 };
 /* indexed by SSL3BulkCipher */
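Review bot: Besides adding the hmac_sha256 row, the mac_defs hunk changes pad_size of the existing hmac_md5 and hmac_sha rows from 48/40 to 0, which is a behavioural change the commit message does not mention. The new comment says pad_size is only consulted for the SSL 3.0 MAC, and that is consistent with the hmac_* rows being the TLS variants, but every consumer of mac_defs[].pad_size is outside this hunk, so the claim cannot be checked from here and deserves a sentence in the commit message. A short note on the hmac rows themselves, `/* hmac_* rows are the TLS forms: no SSL3-style pad, so pad_size is 0. */`, would keep the next reader from restoring the old values.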
@@ -569,6 +586,14 @@ ssl3_CipherSuiteAllowedForVersion(ssl3CipherSuite cipherSuite,
  * SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA: never implemented
  */
  return version <= SSL_LIBRARY_VERSION_TLS_1_0;
+ case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
+ case TLS_RSA_WITH_AES_256_CBC_SHA256:
+ case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
+ case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
+ case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
+ case TLS_RSA_WITH_AES_128_CBC_SHA256:
+ case TLS_RSA_WITH_NULL_SHA256:
+ return version >= SSL_LIBRARY_VERSION_TLS_1_2;
  default:
  return PR_TRUE;
  }
@@ -1323,7 +1348,7 @@ ssl3_SetupPendingCipherSpec(sslSocket *ss)
  cipher = suite_def->bulk_cipher_alg;
  kea = suite_def->key_exchange_alg;
  mac = suite_def->mac_alg;
- if (isTLS)
+ if (mac <= ssl_mac_sha && isTLS)
  mac += 2;
  ss->ssl3.hs.suite_def = suite_def;
@@ -2049,6 +2074,9 @@ ssl3_ComputeRecordMAC(
  case ssl_hmac_sha: /* used with TLS */
  hashObj = HASH_GetRawHashObject(HASH_AlgSHA1);
  break;
+ case ssl_hmac_sha256: /* used with TLS */
+ hashObj = HASH_GetRawHashObject(HASH_AlgSHA256);
+ break;
  default:
  break;
  }
@@ -3495,6 +3523,13 @@ ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss)
  key_material_params.ulMacSizeInBits = pwSpec->mac_size * BPB;
  key_material_params.ulKeySizeInBits = cipher_def->secret_key_size* BPB;
  key_material_params.ulIVSizeInBits = cipher_def->iv_size * BPB;
+ if (cipher_def->type == type_block &&
+ pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) {
+ /* Block ciphers in >= TLS 1.1 use a per-record, explicit IV. */
+ key_material_params.ulIVSizeInBits = 0;
+ memset(pwSpec->client.write_iv, 0, cipher_def->iv_size);
+ memset(pwSpec->server.write_iv, 0, cipher_def->iv_size);
+ }
  key_material_params.bIsExport = (CK_BBOOL)(kea_def->is_limited);
  /* was: (CK_BBOOL)(cipher_def->keygen_mode != kg_strong); */
diff --git a/lib/ssl/ssl3ecc.c b/lib/ssl/ssl3ecc.c
index 52969980d..f0d65d00c 100644
--- a/lib/ssl/ssl3ecc.c
+++ b/lib/ssl/ssl3ecc.c
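Review bot: The new guard `if (mac <= ssl_mac_sha && isTLS) mac += 2;` in ssl3_SetupPendingCipherSpec stops ssl_hmac_sha256 from being bumped past the end of the enum, but it still encodes the SSL3-to-TLS MAC mapping as integer arithmetic on SSLMACAlgorithm values (ssl_mac_md5 = 1 … ssl_hmac_sha = 4 in the sslt.h hunk). If ssl_mac_null is 0 (its value is not shown on this page) it also passes the guard and would be turned into ssl_mac_sha for a TLS null-MAC spec, so `if (mac != ssl_mac_null && mac <= ssl_mac_sha && isTLS)` is the safer form, assuming a null-MAC suite can reach this function at all. A comment such as `/* TLS uses the HMAC variants of the SSL3 MACs; SHA-256 exists only in HMAC form. */` would make the `+= 2` legible. The body of ssl3_SetupPendingCipherSpec begins and ends outside the hunk.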
@@ -895,6 +895,7 @@ static const ssl3CipherSuite ecdh_rsa_suites[] = {
 static const ssl3CipherSuite ecdhe_ecdsa_suites[] = {
  TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
  TLS_ECDHE_ECDSA_WITH_NULL_SHA,
  TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
@@ -904,6 +905,7 @@ static const ssl3CipherSuite ecdhe_ecdsa_suites[] = {
 static const ssl3CipherSuite ecdhe_rsa_suites[] = {
  TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
  TLS_ECDHE_RSA_WITH_NULL_SHA,
  TLS_ECDHE_RSA_WITH_RC4_128_SHA,
@@ -914,11 +916,13 @@ static const ssl3CipherSuite ecdhe_rsa_suites[] = {
 static const ssl3CipherSuite ecSuites[] = {
  TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
  TLS_ECDHE_ECDSA_WITH_NULL_SHA,
  TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
  TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
  TLS_ECDHE_RSA_WITH_NULL_SHA,
  TLS_ECDHE_RSA_WITH_RC4_128_SHA,
diff --git a/lib/ssl/sslenum.c b/lib/ssl/sslenum.c
index 8f0dba669..b460f2631 100644
--- a/lib/ssl/sslenum.c
+++ b/lib/ssl/sslenum.c
@@ -25,6 +25,8 @@
  *
  * If new ECC cipher suites are added, also update the ssl3CipherSuite arrays
  * in ssl3ecc.c.
+ *
+ * Finally, update the ssl_V3_SUITES_IMPLEMENTED macro in sslimpl.h.
  */
 const PRUint16 SSL_ImplementedCiphers[] = {
  /* 256-bit */
@@ -35,6 +37,7 @@ const PRUint16 SSL_ImplementedCiphers[] = {
  TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
  TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
  TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
  TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
 #ifdef NSS_ENABLE_ECC
  TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
@@ -42,18 +45,22 @@ const PRUint16 SSL_ImplementedCiphers[] = {
 #endif /* NSS_ENABLE_ECC */
  TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
  TLS_RSA_WITH_AES_256_CBC_SHA,
+ TLS_RSA_WITH_AES_256_CBC_SHA256,
  /* 128-bit */
 #ifdef NSS_ENABLE_ECC
  TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
  TLS_ECDHE_RSA_WITH_RC4_128_SHA,
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
 #endif /* NSS_ENABLE_ECC */
  TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
  TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
  TLS_DHE_DSS_WITH_RC4_128_SHA,
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
  TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
 #ifdef NSS_ENABLE_ECC
  TLS_ECDH_RSA_WITH_RC4_128_SHA,
@@ -66,6 +73,7 @@ const PRUint16 SSL_ImplementedCiphers[] = {
  SSL_RSA_WITH_RC4_128_SHA,
  SSL_RSA_WITH_RC4_128_MD5,
  TLS_RSA_WITH_AES_128_CBC_SHA,
+ TLS_RSA_WITH_AES_128_CBC_SHA256,
  /* 112-bit 3DES */
 #ifdef NSS_ENABLE_ECC
@@ -103,6 +111,7 @@ const PRUint16 SSL_ImplementedCiphers[] = {
  TLS_ECDH_ECDSA_WITH_NULL_SHA,
 #endif /* NSS_ENABLE_ECC */
  SSL_RSA_WITH_NULL_SHA,
+ TLS_RSA_WITH_NULL_SHA256,
  SSL_RSA_WITH_NULL_MD5,
  /* SSL2 cipher suites. */
diff --git a/lib/ssl/sslimpl.h b/lib/ssl/sslimpl.h
index e44b23b23..15aa6a7cf 100644
--- a/lib/ssl/sslimpl.h
+++ b/lib/ssl/sslimpl.h
@@ -60,6 +60,7 @@ typedef SSLSignType SSL3SignType;
 #define mac_sha ssl_mac_sha
 #define hmac_md5 ssl_hmac_md5
 #define hmac_sha ssl_hmac_sha
+#define hmac_sha256 ssl_hmac_sha256
 #define SET_ERROR_CODE /* reminder */
 #define SEND_ALERT /* reminder */
@@ -279,9 +280,9 @@ typedef struct {
 } ssl3CipherSuiteCfg;
 #ifdef NSS_ENABLE_ECC
-#define ssl_V3_SUITES_IMPLEMENTED 50
+#define ssl_V3_SUITES_IMPLEMENTED 57
 #else
-#define ssl_V3_SUITES_IMPLEMENTED 30
+#define ssl_V3_SUITES_IMPLEMENTED 35
 #endif /* NSS_ENABLE_ECC */
 #define MAX_DTLS_SRTP_CIPHER_SUITES 4
diff --git a/lib/ssl/sslinfo.c b/lib/ssl/sslinfo.c
index 505e1db30..9f2597e39 100644
--- a/lib/ssl/sslinfo.c
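Review bot: ssl_V3_SUITES_IMPLEMENTED in sslimpl.h remains a hand-maintained count (50 to 57 with ECC, 30 to 35 without), and because cipherSuites in ssl3con.c is declared with this size the compiler stays silent when the count is too large — the missing tail is zero-filled — which is exactly the drift the new reminder comment in sslenum.c warns about. The arithmetic in this commit checks out (five suites added for every build, two more under NSS_ENABLE_ECC), but a compile-time check would be more durable: leave the static table in ssl3con.c unsized and, if PR_STATIC_ASSERT is available in this tree, assert `sizeof(cipherSuites) / sizeof(cipherSuites[0]) == ssl_V3_SUITES_IMPLEMENTED` next to it. Failing that, a debug assertion at initialisation is the fallback.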
+++ b/lib/ssl/sslinfo.c
@@ -127,6 +127,7 @@ SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info, PRUintn len)
 #define B_40 128, 40, 40
 #define B_0 0, 0, 0
+#define M_SHA256 "SHA256", ssl_hmac_sha256, 256
 #define M_SHA "SHA1", ssl_mac_sha, 160
 #define M_MD5 "MD5", ssl_mac_md5, 128
@@ -134,20 +135,24 @@ static const SSLCipherSuiteInfo suiteInfo[] = {
 /* <------ Cipher suite --------------------> <auth> <KEA> <bulk cipher> <MAC> <FIPS> */
 {0,CS(TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA), S_RSA, K_DHE, C_CAMELLIA, B_256, M_SHA, 0, 0, 0, },
 {0,CS(TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA), S_DSA, K_DHE, C_CAMELLIA, B_256, M_SHA, 0, 0, 0, },
+{0,CS(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256), S_RSA, K_DHE, C_AES, B_256, M_SHA256, 1, 0, 0, },
 {0,CS(TLS_DHE_RSA_WITH_AES_256_CBC_SHA), S_RSA, K_DHE, C_AES, B_256, M_SHA, 1, 0, 0, },
 {0,CS(TLS_DHE_DSS_WITH_AES_256_CBC_SHA), S_DSA, K_DHE, C_AES, B_256, M_SHA, 1, 0, 0, },
 {0,CS(TLS_RSA_WITH_CAMELLIA_256_CBC_SHA), S_RSA, K_RSA, C_CAMELLIA, B_256, M_SHA, 0, 0, 0, },
+{0,CS(TLS_RSA_WITH_AES_256_CBC_SHA256), S_RSA, K_RSA, C_AES, B_256, M_SHA256, 1, 0, 0, },
 {0,CS(TLS_RSA_WITH_AES_256_CBC_SHA), S_RSA, K_RSA, C_AES, B_256, M_SHA, 1, 0, 0, },
 {0,CS(TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA), S_RSA, K_DHE, C_CAMELLIA, B_128, M_SHA, 0, 0, 0, },
 {0,CS(TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA), S_DSA, K_DHE, C_CAMELLIA, B_128, M_SHA, 0, 0, 0, },
 {0,CS(TLS_DHE_DSS_WITH_RC4_128_SHA), S_DSA, K_DHE, C_RC4, B_128, M_SHA, 0, 0, 0, },
+{0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256), S_RSA, K_DHE, C_AES, B_128, M_SHA256, 1, 0, 0, },
 {0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_DHE, C_AES, B_128, M_SHA, 1, 0, 0, },
 {0,CS(TLS_DHE_DSS_WITH_AES_128_CBC_SHA), S_DSA, K_DHE, C_AES, B_128, M_SHA, 1, 0, 0, },
 {0,CS(TLS_RSA_WITH_SEED_CBC_SHA), S_RSA, K_RSA, C_SEED,B_128, M_SHA, 1, 0, 0, },
 {0,CS(TLS_RSA_WITH_CAMELLIA_128_CBC_SHA), S_RSA, K_RSA, C_CAMELLIA, B_128, M_SHA, 0, 0, 0, },
 {0,CS(SSL_RSA_WITH_RC4_128_SHA), S_RSA, K_RSA, C_RC4, B_128, M_SHA, 0, 0, 0, },
 {0,CS(SSL_RSA_WITH_RC4_128_MD5), S_RSA, K_RSA, C_RC4, B_128, M_MD5, 0, 0, 0, },
+{0,CS(TLS_RSA_WITH_AES_128_CBC_SHA256), S_RSA, K_RSA, C_AES, B_128, M_SHA256, 1, 0, 0, },
 {0,CS(TLS_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_RSA, C_AES, B_128, M_SHA, 1, 0, 0, },
 {0,CS(SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA),
S_RSA, K_DHE, C_3DES,B_3DES,M_SHA, 1, 0, 0, },
@@ -164,6 +169,7 @@ static const SSLCipherSuiteInfo suiteInfo[] = {
 {0,CS(TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA), S_RSA, K_RSA, C_DES, B_DES, M_SHA, 0, 1, 0, },
 {0,CS(SSL_RSA_EXPORT_WITH_RC4_40_MD5), S_RSA, K_RSA, C_RC4, B_40, M_MD5, 0, 1, 0, },
 {0,CS(SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5), S_RSA, K_RSA, C_RC2, B_40, M_MD5, 0, 1, 0, },
+{0,CS(TLS_RSA_WITH_NULL_SHA256), S_RSA, K_RSA, C_NULL,B_0, M_SHA256, 0, 1, 0, },
 {0,CS(SSL_RSA_WITH_NULL_SHA), S_RSA, K_RSA, C_NULL,B_0, M_SHA, 0, 1, 0, },
 {0,CS(SSL_RSA_WITH_NULL_MD5), S_RSA, K_RSA, C_NULL,B_0, M_MD5, 0, 1, 0, },
@@ -179,6 +185,7 @@ static const SSLCipherSuiteInfo suiteInfo[] = {
 {0,CS(TLS_ECDHE_ECDSA_WITH_RC4_128_SHA), S_ECDSA, K_ECDHE, C_RC4, B_128, M_SHA, 0, 0, 0, },
 {0,CS(TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA), S_ECDSA, K_ECDHE, C_3DES, B_3DES, M_SHA, 1, 0, 0, },
 {0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA), S_ECDSA, K_ECDHE, C_AES, B_128, M_SHA, 1, 0, 0, },
+{0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256), S_ECDSA, K_ECDHE, C_AES, B_128, M_SHA256, 1, 0, 0, },
 {0,CS(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA), S_ECDSA, K_ECDHE, C_AES, B_256, M_SHA, 1, 0, 0, },
 {0,CS(TLS_ECDH_RSA_WITH_NULL_SHA), S_RSA, K_ECDH, C_NULL, B_0, M_SHA, 0, 0, 0, },
@@ -191,6 +198,7 @@ static const SSLCipherSuiteInfo suiteInfo[] = {
 {0,CS(TLS_ECDHE_RSA_WITH_RC4_128_SHA), S_RSA, K_ECDHE, C_RC4, B_128, M_SHA, 0, 0, 0, },
 {0,CS(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA), S_RSA, K_ECDHE, C_3DES, B_3DES, M_SHA, 1, 0, 0, },
 {0,CS(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_ECDHE, C_AES, B_128, M_SHA, 1, 0, 0, },
+{0,CS(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256), S_RSA, K_ECDHE, C_AES, B_128, M_SHA256, 1, 0, 0, },
 {0,CS(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA), S_RSA, K_ECDHE, C_AES, B_256, M_SHA, 1, 0, 0, },
 #endif /* NSS_ENABLE_ECC */
diff --git a/lib/ssl/sslproto.h b/lib/ssl/sslproto.h
index 4b8baf29e..b037887ac 100644
--- a/lib/ssl/sslproto.h
+++ b/lib/ssl/sslproto.h
@@ -133,6 +133,9 @@
 #define TLS_DHE_DSS_WITH_AES_256_CBC_SHA 0x0038
 #define TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x0039
 #define TLS_DH_ANON_WITH_AES_256_CBC_SHA 0x003A
+#define TLS_RSA_WITH_NULL_SHA256 0x003B
+#define TLS_RSA_WITH_AES_128_CBC_SHA256 0x003C
+#define TLS_RSA_WITH_AES_256_CBC_SHA256 0x003D
 #define TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 0x0041
 #define TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA 0x0042
@@ -147,6 +150,8 @@
 #define TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA 0x0063
 #define TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA 0x0065
 #define TLS_DHE_DSS_WITH_RC4_128_SHA 0x0066
+#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x0067
+#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 0x006B
 #define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 0x0084
 #define TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA 0x0085
@@ -196,6 +201,9 @@
 #define TLS_ECDH_anon_WITH_AES_128_CBC_SHA 0xC018
 #define TLS_ECDH_anon_WITH_AES_256_CBC_SHA 0xC019
+#define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023
+#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xC027
+
 /* Netscape "experimental" cipher suites. */
 #define SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA 0xffe0
 #define SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA 0xffe1
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
index 7bc7ed420..2733f5e9d 100644
--- a/lib/ssl/sslsock.c
+++ b/lib/ssl/sslsock.c
@@ -30,8 +30,8 @@ struct cipherPolicyStr {
 typedef struct cipherPolicyStr cipherPolicy;
 /* This table contains two preconfigured policies: Export and France.
-** It is used only by the functions SSL_SetDomesticPolicy,
-** SSL_SetExportPolicy, and SSL_SetFrancyPolicy.
+** It is used only by the functions NSS_SetDomesticPolicy,
+** NSS_SetExportPolicy, and NSS_SetFrancePolicy.
 ** Order of entries is not important.
 */
 static cipherPolicy ssl_ciphers[] = { /* Export France */
@@ -54,14 +54,19 @@ static cipherPolicy ssl_ciphers[] = { /* Export France */
  { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
  { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
  { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { SSL_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED },
  { SSL_RSA_WITH_NULL_MD5, SSL_ALLOWED, SSL_ALLOWED },
+ { SSL_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED },
+ { TLS_RSA_WITH_NULL_SHA256, SSL_ALLOWED, SSL_ALLOWED },
  { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
  { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
  { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
  { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
  { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
  { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
  { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
  { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
  { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
@@ -81,6 +86,7 @@ static cipherPolicy ssl_ciphers[] = { /* Export France */
  { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
  { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
  { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED },
  { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
@@ -91,6 +97,7 @@ static cipherPolicy ssl_ciphers[] = { /* Export France */
  { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
  { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 #endif /* NSS_ENABLE_ECC */
  { 0, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }
@@ -775,28 +782,20 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on)
  rv = SECFailure;
  } else {
  if (PR_FALSE != on) {
- /* TLS 1.2 isn't supported in bypass mode. */
- if (ss->vrange.min >= SSL_LIBRARY_VERSION_TLS_1_2) {
- /* If the user requested a minimum version of TLS 1.2 then
- * we don't silently downgrade. */
- PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE);
- rv = SECFailure;
- break;
- }
- if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2) {
- ss->vrange.max = SSL_LIBRARY_VERSION_TLS_1_1;
- }
- if (PR_SUCCESS == SSL_BypassSetup() ) {
+ /* PKCS#11 bypass is not supported with TLS 1.2. */
+ if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2) {
+ ss->opt.bypassPKCS11 = PR_FALSE;
+ } else if (PR_SUCCESS == SSL_BypassSetup() ) {
 #ifdef NO_PKCS11_BYPASS
- ss->opt.bypassPKCS11 = PR_FALSE;
+ ss->opt.bypassPKCS11 = PR_FALSE;
 #else
- ss->opt.bypassPKCS11 = on;
+ ss->opt.bypassPKCS11 = on;
 #endif
  } else {
  rv = SECFailure;
  }
  } else {
- ss->opt.bypassPKCS11 = PR_FALSE;
+ ss->opt.bypassPKCS11 = PR_FALSE;
  }
  }
  break;
diff --git a/lib/ssl/sslt.h b/lib/ssl/sslt.h
index 3c0df147e..613983f31 100644
--- a/lib/ssl/sslt.h
+++ b/lib/ssl/sslt.h
@@ -88,7 +88,8 @@ typedef enum {
  ssl_mac_md5 = 1,
  ssl_mac_sha = 2,
  ssl_hmac_md5 = 3, /* TLS HMAC version of mac_md5 */
- ssl_hmac_sha = 4 /* TLS HMAC version of mac_sha */
+ ssl_hmac_sha = 4, /* TLS HMAC version of mac_sha */
+ ssl_hmac_sha256 = 5
 } SSLMACAlgorithm;
 typedef enum {
diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
index 83b3dc582..3dbaea5b8 100755
--- a/tests/ssl/ssl.sh
+++ b/tests/ssl/ssl.sh
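Review bot: When bypass is requested with vrange.max at or above TLS 1.2, the new branch in SSL_OptionSet sets bypassPKCS11 to PR_FALSE but leaves rv at SECSuccess, so the caller cannot tell that the option it asked for was refused; that is what the commit message promises, but it deserves a comment at the assignment, e.g. `/* Refused silently: TLS 1.2 is enabled. rv stays SECSuccess; callers must re-read the option to learn the effective value. */`. The converse order — enabling bypass first and raising the maximum version afterwards — is not handled in this hunk; unless SSL_VersionRangeSet (not part of this commit) performs the same check, bypass and TLS 1.2 can still end up enabled together. The enclosing switch in SSL_OptionSet begins and ends outside the hunk.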
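Review bot: `ssl_hmac_sha256 = 5` in the sslt.h hunk is the only HMAC member of the public SSLMACAlgorithm enum without a trailing comment, while ssl_hmac_md5 and ssl_hmac_sha each carry one. Since sslt.h is an installed header, `ssl_hmac_sha256 = 5 /* TLS 1.2 HMAC-SHA256, RFC 5246 */` would keep the documentation consistent for API users.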
@@ -88,8 +88,8 @@ ssl_init()
  ECC_STRING=""
  fi
- CSHORT="-c ABCDEF:0041:0084cdefgijklmnvyz"
- CLONG="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:0041:0084cdefgijklmnvyz"
+ CSHORT="-c ABCDEF:003B:003C:003D:0041:0084cdefgijklmnvyz"
+ CLONG="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:C023:C027:003B:003C:003D:0041:0084cdefgijklmnvyz"
  if [ "${OS_ARCH}" != "WINNT" ]; then
  ulimit -n 1000 # make sure we have enough file descriptors
diff --git a/tests/ssl/sslcov.txt b/tests/ssl/sslcov.txt
index 959e1bba5..a69c5b6e6 100644
--- a/tests/ssl/sslcov.txt
+++ b/tests/ssl/sslcov.txt
@@ -84,6 +84,9 @@
  noECC TLS12 v TLS12_RSA_WITH_AES_128_CBC_SHA
  noECC TLS12 y TLS12_RSA_WITH_AES_256_CBC_SHA
  noECC TLS12 z TLS12_RSA_WITH_NULL_SHA
+ noECC TLS12 :003B TLS12_RSA_WITH_NULL_SHA256
+ noECC TLS12 :003C TLS12_RSA_WITH_AES_128_CBC_SHA256
+ noECC TLS12 :003D TLS12_RSA_WITH_AES_256_CBC_SHA256
 #
 # ECC ciphers (TLS)
 #
@@ -149,3 +152,5 @@
  ECC TLS12 :C012 TLS12_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  ECC TLS12 :C013 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA
  ECC TLS12 :C014 TLS12_ECDHE_RSA_WITH_AES_256_CBC_SHA
+ ECC TLS12 :C023 TLS12_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+ ECC TLS12 :C027 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA256
diff --git a/tests/ssl/sslstress.txt b/tests/ssl/sslstress.txt
index 5cecfb739..457abd271 100644
--- a/tests/ssl/sslstress.txt
+++ b/tests/ssl/sslstress.txt
@@ -36,9 +36,11 @@ # ############################ ECC ciphers ############################ # ECC 0 -c_:C009 -V_ssl3:_-c_100_-C_:C009_-N Stress TLS ECDHE-ECDSA AES 128 CBC with SHA (no reuse) + ECC 0 -c_:C023 -V_ssl3:_-c_100_-C_:C023_-N Stress TLS ECDHE-ECDSA AES 128 CBC with SHA256 (no reuse) ECC 0 -c_:C004 -V_ssl3:_-c_100_-C_:C004_-N Stress TLS ECDH-ECDSA AES 128 CBC with SHA (no reuse) ECC 0 -c_:C00E -V_ssl3:_-c_100_-C_:C00E_-N Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse) ECC 0 -c_:C013 -V_ssl3:_-c_1000_-C_:C013 Stress TLS ECDHE-RSA AES 128 CBC with SHA + ECC 0 -c_:C027 -V_ssl3:_-c_1000_-C_:C027 Stress TLS ECDHE-RSA AES 128 CBC with SHA256 ECC 0 -c_:C004_-u -V_ssl3:_-c_1000_-C_:C004_-u Stress TLS ECDH-ECDSA AES 128 CBC with SHA (session ticket) # # add client auth versions here... |