| /* |
| * Key Derivation that doesn't use PKCS11 |
| * |
| * This Source Code Form is subject to the terms of the Mozilla Public |
| * License, v. 2.0. If a copy of the MPL was not distributed with this |
| * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| |
| #include "ssl.h" /* prereq to sslimpl.h */ |
| #include "certt.h" /* prereq to sslimpl.h */ |
| #include "keythi.h" /* prereq to sslimpl.h */ |
| #include "sslimpl.h" |
| #ifndef NO_PKCS11_BYPASS |
| #include "blapi.h" |
| #endif |
| |
| #include "keyhi.h" |
| #include "pk11func.h" |
| #include "secasn1.h" |
| #include "cert.h" |
| #include "secmodt.h" |
| |
| #include "sslproto.h" |
| #include "sslerr.h" |
| |
| #ifndef NO_PKCS11_BYPASS |
| /* make this a macro! */ |
| #ifdef NOT_A_MACRO |
| static void |
| buildSSLKey(unsigned char *keyBlock, unsigned int keyLen, SECItem *result, |
| const char *label) |
| { |
| result->type = siBuffer; |
| result->data = keyBlock; |
| result->len = keyLen; |
| PRINT_BUF(100, (NULL, label, keyBlock, keyLen)); |
| } |
| #else |
| #define buildSSLKey(keyBlock, keyLen, result, label) \ |
| { \ |
| (result)->type = siBuffer; \ |
| (result)->data = keyBlock; \ |
| (result)->len = keyLen; \ |
| PRINT_BUF(100, (NULL, label, keyBlock, keyLen)); \ |
| } |
| #endif |
| |
| /* |
| * SSL Key generation given pre master secret |
| */ |
| #ifndef NUM_MIXERS |
| #define NUM_MIXERS 9 |
| #endif |
| static const char *const mixers[NUM_MIXERS] = { |
| "A", |
| "BB", |
| "CCC", |
| "DDDD", |
| "EEEEE", |
| "FFFFFF", |
| "GGGGGGG", |
| "HHHHHHHH", |
| "IIIIIIIII" |
| }; |
| |
| SECStatus |
| ssl3_KeyAndMacDeriveBypass( |
| ssl3CipherSpec *pwSpec, |
| const unsigned char *cr, |
| const unsigned char *sr, |
| PRBool isTLS, |
| PRBool isExport) |
| { |
| const ssl3BulkCipherDef *cipher_def = pwSpec->cipher_def; |
| unsigned char *key_block = pwSpec->key_block; |
| unsigned char *key_block2 = NULL; |
| unsigned int block_bytes = 0; |
| unsigned int block_needed = 0; |
| unsigned int i; |
| unsigned int keySize; /* actual size of cipher keys */ |
| unsigned int effKeySize; /* effective size of cipher keys */ |
| unsigned int macSize; /* size of MAC secret */ |
| unsigned int IVSize; /* size of IV */ |
| PRBool explicitIV = PR_FALSE; |
| SECStatus rv = SECFailure; |
| SECStatus status = SECSuccess; |
| PRBool isFIPS = PR_FALSE; |
| PRBool isTLS12 = pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2; |
| |
| SECItem srcr; |
| SECItem crsr; |
| |
| unsigned char srcrdata[SSL3_RANDOM_LENGTH * 2]; |
| unsigned char crsrdata[SSL3_RANDOM_LENGTH * 2]; |
| PRUint64 md5buf[22]; |
| PRUint64 shabuf[40]; |
| |
| #define md5Ctx ((MD5Context *)md5buf) |
| #define shaCtx ((SHA1Context *)shabuf) |
| |
| static const SECItem zed = { siBuffer, NULL, 0 }; |
| |
| if (pwSpec->msItem.data == NULL || |
| pwSpec->msItem.len != SSL3_MASTER_SECRET_LENGTH) { |
| PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| return rv; |
| } |
| |
| PRINT_BUF(100, (NULL, "Master Secret", pwSpec->msItem.data, |
| pwSpec->msItem.len)); |
| |
| /* figure out how much is needed */ |
| macSize = pwSpec->mac_size; |
| keySize = cipher_def->key_size; |
| effKeySize = cipher_def->secret_key_size; |
| IVSize = cipher_def->iv_size; |
| if (keySize == 0) { |
| effKeySize = IVSize = 0; /* only MACing */ |
| } |
| if (cipher_def->type == type_block && |
| pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { |
| /* Block ciphers in >= TLS 1.1 use a per-record, explicit IV. */ |
| explicitIV = PR_TRUE; |
| } |
| block_needed = |
| 2 * (macSize + effKeySize + ((!isExport && !explicitIV) * IVSize)); |
| |
| /* |
| * clear out our returned keys so we can recover on failure |
| */ |
| pwSpec->client.write_key_item = zed; |
| pwSpec->client.write_mac_key_item = zed; |
| pwSpec->server.write_key_item = zed; |
| pwSpec->server.write_mac_key_item = zed; |
| |
| /* initialize the server random, client random block */ |
| srcr.type = siBuffer; |
| srcr.data = srcrdata; |
| srcr.len = sizeof srcrdata; |
| PORT_Memcpy(srcrdata, sr, SSL3_RANDOM_LENGTH); |
| PORT_Memcpy(srcrdata + SSL3_RANDOM_LENGTH, cr, SSL3_RANDOM_LENGTH); |
| |
| /* initialize the client random, server random block */ |
| crsr.type = siBuffer; |
| crsr.data = crsrdata; |
| crsr.len = sizeof crsrdata; |
| PORT_Memcpy(crsrdata, cr, SSL3_RANDOM_LENGTH); |
| PORT_Memcpy(crsrdata + SSL3_RANDOM_LENGTH, sr, SSL3_RANDOM_LENGTH); |
| PRINT_BUF(100, (NULL, "Key & MAC CRSR", crsr.data, crsr.len)); |
| |
| /* |
| * generate the key material: |
| */ |
| if (isTLS) { |
| SECItem keyblk; |
| |
| keyblk.type = siBuffer; |
| keyblk.data = key_block; |
| keyblk.len = block_needed; |
| |
| if (isTLS12) { |
| status = TLS_P_hash(HASH_AlgSHA256, &pwSpec->msItem, |
| "key expansion", &srcr, &keyblk, isFIPS); |
| } else { |
| status = TLS_PRF(&pwSpec->msItem, "key expansion", &srcr, &keyblk, |
| isFIPS); |
| } |
| if (status != SECSuccess) { |
| goto key_and_mac_derive_fail; |
| } |
| block_bytes = keyblk.len; |
| } else { |
| /* key_block = |
| * MD5(master_secret + SHA('A' + master_secret + |
| * ServerHello.random + ClientHello.random)) + |
| * MD5(master_secret + SHA('BB' + master_secret + |
| * ServerHello.random + ClientHello.random)) + |
| * MD5(master_secret + SHA('CCC' + master_secret + |
| * ServerHello.random + ClientHello.random)) + |
| * [...]; |
| */ |
| unsigned int made = 0; |
| for (i = 0; made < block_needed && i < NUM_MIXERS; ++i) { |
| unsigned int outLen; |
| unsigned char sha_out[SHA1_LENGTH]; |
| |
| SHA1_Begin(shaCtx); |
| SHA1_Update(shaCtx, (unsigned char *)(mixers[i]), i + 1); |
| SHA1_Update(shaCtx, pwSpec->msItem.data, pwSpec->msItem.len); |
| SHA1_Update(shaCtx, srcr.data, srcr.len); |
| SHA1_End(shaCtx, sha_out, &outLen, SHA1_LENGTH); |
| PORT_Assert(outLen == SHA1_LENGTH); |
| |
| MD5_Begin(md5Ctx); |
| MD5_Update(md5Ctx, pwSpec->msItem.data, pwSpec->msItem.len); |
| MD5_Update(md5Ctx, sha_out, outLen); |
| MD5_End(md5Ctx, key_block + made, &outLen, MD5_LENGTH); |
| PORT_Assert(outLen == MD5_LENGTH); |
| made += MD5_LENGTH; |
| } |
| block_bytes = made; |
| } |
| PORT_Assert(block_bytes >= block_needed); |
| PORT_Assert(block_bytes <= sizeof pwSpec->key_block); |
| PRINT_BUF(100, (NULL, "key block", key_block, block_bytes)); |
| |
| /* |
| * Put the key material where it goes. |
| */ |
| key_block2 = key_block + block_bytes; |
| i = 0; /* now shows how much consumed */ |
| |
| /* |
| * The key_block is partitioned as follows: |
| * client_write_MAC_secret[CipherSpec.hash_size] |
| */ |
| buildSSLKey(&key_block[i], macSize, &pwSpec->client.write_mac_key_item, |
| "Client Write MAC Secret"); |
| i += macSize; |
| |
| /* |
| * server_write_MAC_secret[CipherSpec.hash_size] |
| */ |
| buildSSLKey(&key_block[i], macSize, &pwSpec->server.write_mac_key_item, |
| "Server Write MAC Secret"); |
| i += macSize; |
| |
| if (!keySize) { |
| /* only MACing */ |
| buildSSLKey(NULL, 0, &pwSpec->client.write_key_item, |
| "Client Write Key (MAC only)"); |
| buildSSLKey(NULL, 0, &pwSpec->server.write_key_item, |
| "Server Write Key (MAC only)"); |
| buildSSLKey(NULL, 0, &pwSpec->client.write_iv_item, |
| "Client Write IV (MAC only)"); |
| buildSSLKey(NULL, 0, &pwSpec->server.write_iv_item, |
| "Server Write IV (MAC only)"); |
| } else if (!isExport) { |
| /* |
| ** Generate Domestic write keys and IVs. |
| ** client_write_key[CipherSpec.key_material] |
| */ |
| buildSSLKey(&key_block[i], keySize, &pwSpec->client.write_key_item, |
| "Domestic Client Write Key"); |
| i += keySize; |
| |
| /* |
| ** server_write_key[CipherSpec.key_material] |
| */ |
| buildSSLKey(&key_block[i], keySize, &pwSpec->server.write_key_item, |
| "Domestic Server Write Key"); |
| i += keySize; |
| |
| if (IVSize > 0) { |
| if (explicitIV) { |
| static unsigned char zero_block[32]; |
| PORT_Assert(IVSize <= sizeof zero_block); |
| buildSSLKey(&zero_block[0], IVSize, |
| &pwSpec->client.write_iv_item, |
| "Domestic Client Write IV"); |
| buildSSLKey(&zero_block[0], IVSize, |
| &pwSpec->server.write_iv_item, |
| "Domestic Server Write IV"); |
| } else { |
| /* |
| ** client_write_IV[CipherSpec.IV_size] |
| */ |
| buildSSLKey(&key_block[i], IVSize, |
| &pwSpec->client.write_iv_item, |
| "Domestic Client Write IV"); |
| i += IVSize; |
| |
| /* |
| ** server_write_IV[CipherSpec.IV_size] |
| */ |
| buildSSLKey(&key_block[i], IVSize, |
| &pwSpec->server.write_iv_item, |
| "Domestic Server Write IV"); |
| i += IVSize; |
| } |
| } |
| PORT_Assert(i <= block_bytes); |
| } else if (!isTLS) { |
| /* |
| ** Generate SSL3 Export write keys and IVs. |
| */ |
| unsigned int outLen; |
| |
| /* |
| ** client_write_key[CipherSpec.key_material] |
| ** final_client_write_key = MD5(client_write_key + |
| ** ClientHello.random + ServerHello.random); |
| */ |
| MD5_Begin(md5Ctx); |
| MD5_Update(md5Ctx, &key_block[i], effKeySize); |
| MD5_Update(md5Ctx, crsr.data, crsr.len); |
| MD5_End(md5Ctx, key_block2, &outLen, MD5_LENGTH); |
| i += effKeySize; |
| buildSSLKey(key_block2, keySize, &pwSpec->client.write_key_item, |
| "SSL3 Export Client Write Key"); |
| key_block2 += keySize; |
| |
| /* |
| ** server_write_key[CipherSpec.key_material] |
| ** final_server_write_key = MD5(server_write_key + |
| ** ServerHello.random + ClientHello.random); |
| */ |
| MD5_Begin(md5Ctx); |
| MD5_Update(md5Ctx, &key_block[i], effKeySize); |
| MD5_Update(md5Ctx, srcr.data, srcr.len); |
| MD5_End(md5Ctx, key_block2, &outLen, MD5_LENGTH); |
| i += effKeySize; |
| buildSSLKey(key_block2, keySize, &pwSpec->server.write_key_item, |
| "SSL3 Export Server Write Key"); |
| key_block2 += keySize; |
| PORT_Assert(i <= block_bytes); |
| |
| if (IVSize) { |
| /* |
| ** client_write_IV = |
| ** MD5(ClientHello.random + ServerHello.random); |
| */ |
| MD5_Begin(md5Ctx); |
| MD5_Update(md5Ctx, crsr.data, crsr.len); |
| MD5_End(md5Ctx, key_block2, &outLen, MD5_LENGTH); |
| buildSSLKey(key_block2, IVSize, &pwSpec->client.write_iv_item, |
| "SSL3 Export Client Write IV"); |
| key_block2 += IVSize; |
| |
| /* |
| ** server_write_IV = |
| ** MD5(ServerHello.random + ClientHello.random); |
| */ |
| MD5_Begin(md5Ctx); |
| MD5_Update(md5Ctx, srcr.data, srcr.len); |
| MD5_End(md5Ctx, key_block2, &outLen, MD5_LENGTH); |
| buildSSLKey(key_block2, IVSize, &pwSpec->server.write_iv_item, |
| "SSL3 Export Server Write IV"); |
| key_block2 += IVSize; |
| } |
| |
| PORT_Assert(key_block2 - key_block <= sizeof pwSpec->key_block); |
| } else { |
| /* |
| ** Generate TLS Export write keys and IVs. |
| */ |
| SECItem secret; |
| SECItem keyblk; |
| |
| secret.type = siBuffer; |
| keyblk.type = siBuffer; |
| /* |
| ** client_write_key[CipherSpec.key_material] |
| ** final_client_write_key = PRF(client_write_key, |
| ** "client write key", |
| ** client_random + server_random); |
| */ |
| secret.data = &key_block[i]; |
| secret.len = effKeySize; |
| i += effKeySize; |
| keyblk.data = key_block2; |
| keyblk.len = keySize; |
| status = TLS_PRF(&secret, "client write key", &crsr, &keyblk, isFIPS); |
| if (status != SECSuccess) { |
| goto key_and_mac_derive_fail; |
| } |
| buildSSLKey(key_block2, keySize, &pwSpec->client.write_key_item, |
| "TLS Export Client Write Key"); |
| key_block2 += keySize; |
| |
| /* |
| ** server_write_key[CipherSpec.key_material] |
| ** final_server_write_key = PRF(server_write_key, |
| ** "server write key", |
| ** client_random + server_random); |
| */ |
| secret.data = &key_block[i]; |
| secret.len = effKeySize; |
| i += effKeySize; |
| keyblk.data = key_block2; |
| keyblk.len = keySize; |
| status = TLS_PRF(&secret, "server write key", &crsr, &keyblk, isFIPS); |
| if (status != SECSuccess) { |
| goto key_and_mac_derive_fail; |
| } |
| buildSSLKey(key_block2, keySize, &pwSpec->server.write_key_item, |
| "TLS Export Server Write Key"); |
| key_block2 += keySize; |
| |
| /* |
| ** iv_block = PRF("", "IV block", client_random + server_random); |
| ** client_write_IV[SecurityParameters.IV_size] |
| ** server_write_IV[SecurityParameters.IV_size] |
| */ |
| if (IVSize) { |
| secret.data = NULL; |
| secret.len = 0; |
| keyblk.data = key_block2; |
| keyblk.len = 2 * IVSize; |
| status = TLS_PRF(&secret, "IV block", &crsr, &keyblk, isFIPS); |
| if (status != SECSuccess) { |
| goto key_and_mac_derive_fail; |
| } |
| buildSSLKey(key_block2, IVSize, |
| &pwSpec->client.write_iv_item, |
| "TLS Export Client Write IV"); |
| buildSSLKey(key_block2 + IVSize, IVSize, |
| &pwSpec->server.write_iv_item, |
| "TLS Export Server Write IV"); |
| key_block2 += 2 * IVSize; |
| } |
| PORT_Assert(key_block2 - key_block <= sizeof pwSpec->key_block); |
| } |
| rv = SECSuccess; |
| |
| key_and_mac_derive_fail: |
| |
| MD5_DestroyContext(md5Ctx, PR_FALSE); |
| SHA1_DestroyContext(shaCtx, PR_FALSE); |
| |
| if (rv != SECSuccess) { |
| PORT_SetError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); |
| } |
| |
| return rv; |
| } |
| |
| /* derive the Master Secret from the PMS */ |
| /* Presently, this is only done wtih RSA PMS, and only on the server side, |
| * so isRSA is always true. |
| */ |
| SECStatus |
| ssl3_MasterSecretDeriveBypass( |
| ssl3CipherSpec *pwSpec, |
| const unsigned char *cr, |
| const unsigned char *sr, |
| const SECItem *pms, |
| PRBool isTLS, |
| PRBool isRSA) |
| { |
| unsigned char *key_block = pwSpec->key_block; |
| SECStatus rv = SECSuccess; |
| PRBool isFIPS = PR_FALSE; |
| PRBool isTLS12 = pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2; |
| |
| SECItem crsr; |
| |
| unsigned char crsrdata[SSL3_RANDOM_LENGTH * 2]; |
| PRUint64 md5buf[22]; |
| PRUint64 shabuf[40]; |
| |
| #define md5Ctx ((MD5Context *)md5buf) |
| #define shaCtx ((SHA1Context *)shabuf) |
| |
| /* first do the consistancy checks */ |
| if (isRSA) { |
| PORT_Assert(pms->len == SSL3_RSA_PMS_LENGTH); |
| if (pms->len != SSL3_RSA_PMS_LENGTH) { |
| PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| return SECFailure; |
| } |
| /* caller must test PMS version for rollback */ |
| } |
| |
| /* initialize the client random, server random block */ |
| crsr.type = siBuffer; |
| crsr.data = crsrdata; |
| crsr.len = sizeof crsrdata; |
| PORT_Memcpy(crsrdata, cr, SSL3_RANDOM_LENGTH); |
| PORT_Memcpy(crsrdata + SSL3_RANDOM_LENGTH, sr, SSL3_RANDOM_LENGTH); |
| PRINT_BUF(100, (NULL, "Master Secret CRSR", crsr.data, crsr.len)); |
| |
| /* finally do the key gen */ |
| if (isTLS) { |
| SECItem master = { siBuffer, NULL, 0 }; |
| |
| master.data = key_block; |
| master.len = SSL3_MASTER_SECRET_LENGTH; |
| |
| if (isTLS12) { |
| rv = TLS_P_hash(HASH_AlgSHA256, pms, "master secret", &crsr, |
| &master, isFIPS); |
| } else { |
| rv = TLS_PRF(pms, "master secret", &crsr, &master, isFIPS); |
| } |
| if (rv != SECSuccess) { |
| PORT_SetError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); |
| } |
| } else { |
| int i; |
| unsigned int made = 0; |
| for (i = 0; i < 3; i++) { |
| unsigned int outLen; |
| unsigned char sha_out[SHA1_LENGTH]; |
| |
| SHA1_Begin(shaCtx); |
| SHA1_Update(shaCtx, (unsigned char *)mixers[i], i + 1); |
| SHA1_Update(shaCtx, pms->data, pms->len); |
| SHA1_Update(shaCtx, crsr.data, crsr.len); |
| SHA1_End(shaCtx, sha_out, &outLen, SHA1_LENGTH); |
| PORT_Assert(outLen == SHA1_LENGTH); |
| |
| MD5_Begin(md5Ctx); |
| MD5_Update(md5Ctx, pms->data, pms->len); |
| MD5_Update(md5Ctx, sha_out, outLen); |
| MD5_End(md5Ctx, key_block + made, &outLen, MD5_LENGTH); |
| PORT_Assert(outLen == MD5_LENGTH); |
| made += outLen; |
| } |
| } |
| |
| /* store the results */ |
| PORT_Memcpy(pwSpec->raw_master_secret, key_block, |
| SSL3_MASTER_SECRET_LENGTH); |
| pwSpec->msItem.data = pwSpec->raw_master_secret; |
| pwSpec->msItem.len = SSL3_MASTER_SECRET_LENGTH; |
| PRINT_BUF(100, (NULL, "Master Secret", pwSpec->msItem.data, |
| pwSpec->msItem.len)); |
| |
| return rv; |
| } |
| |
| static SECStatus |
| ssl_canExtractMS(PK11SymKey *pms, PRBool isTLS, PRBool isDH, PRBool *pcbp) |
| { |
| SECStatus rv; |
| PK11SymKey *ms = NULL; |
| SECItem params = { siBuffer, NULL, 0 }; |
| CK_SSL3_MASTER_KEY_DERIVE_PARAMS master_params; |
| unsigned char rand[SSL3_RANDOM_LENGTH]; |
| CK_VERSION pms_version; |
| CK_MECHANISM_TYPE master_derive; |
| CK_MECHANISM_TYPE key_derive; |
| CK_FLAGS keyFlags; |
| |
| if (pms == NULL) |
| return (SECFailure); |
| |
| PORT_Memset(rand, 0, SSL3_RANDOM_LENGTH); |
| |
| if (isTLS) { |
| if (isDH) |
| master_derive = CKM_TLS_MASTER_KEY_DERIVE_DH; |
| else |
| master_derive = CKM_TLS_MASTER_KEY_DERIVE; |
| key_derive = CKM_TLS_KEY_AND_MAC_DERIVE; |
| keyFlags = CKF_SIGN | CKF_VERIFY; |
| } else { |
| if (isDH) |
| master_derive = CKM_SSL3_MASTER_KEY_DERIVE_DH; |
| else |
| master_derive = CKM_SSL3_MASTER_KEY_DERIVE; |
| key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE; |
| keyFlags = 0; |
| } |
| |
| master_params.pVersion = &pms_version; |
| master_params.RandomInfo.pClientRandom = rand; |
| master_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH; |
| master_params.RandomInfo.pServerRandom = rand; |
| master_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH; |
| |
| params.data = (unsigned char *)&master_params; |
| params.len = sizeof master_params; |
| |
| ms = PK11_DeriveWithFlags(pms, master_derive, ¶ms, key_derive, |
| CKA_DERIVE, 0, keyFlags); |
| if (ms == NULL) |
| return (SECFailure); |
| |
| rv = PK11_ExtractKeyValue(ms); |
| *pcbp = (rv == SECSuccess); |
| PK11_FreeSymKey(ms); |
| |
| return (rv); |
| } |
| #endif /* !NO_PKCS11_BYPASS */ |
| |
| /* Check the key exchange algorithm for each cipher in the list to see if |
| * a master secret key can be extracted. If the KEA will use keys from the |
| * specified cert make sure the extract operation is attempted from the slot |
| * where the private key resides. |
| * If MS can be extracted for all ciphers, (*pcanbypass) is set to TRUE and |
| * SECSuccess is returned. In all other cases but one (*pcanbypass) is |
| * set to FALSE and SECFailure is returned. |
| * In that last case Derive() has been called successfully but the MS is null, |
| * CanBypass sets (*pcanbypass) to FALSE and returns SECSuccess indicating the |
| * arguments were all valid but the slot cannot be bypassed. |
| */ |
| |
| /* XXX Add SSL_CBP_TLS1_1 and test it in protocolmask when setting isTLS. */ |
| |
| SECStatus |
| SSL_CanBypass(CERTCertificate *cert, SECKEYPrivateKey *srvPrivkey, |
| PRUint32 protocolmask, PRUint16 *ciphersuites, int nsuites, |
| PRBool *pcanbypass, void *pwArg) |
| { |
| #ifdef NO_PKCS11_BYPASS |
| if (!pcanbypass) { |
| PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| return SECFailure; |
| } |
| *pcanbypass = PR_FALSE; |
| return SECSuccess; |
| #else |
| SECStatus rv; |
| int i; |
| PRUint16 suite; |
| PK11SymKey *pms = NULL; |
| SECKEYPublicKey *srvPubkey = NULL; |
| KeyType privKeytype; |
| PK11SlotInfo *slot = NULL; |
| SECItem param; |
| CK_VERSION version; |
| CK_MECHANISM_TYPE mechanism_array[2]; |
| SECItem enc_pms = { siBuffer, NULL, 0 }; |
| PRBool isTLS = PR_FALSE; |
| SSLCipherSuiteInfo csdef; |
| PRBool testrsa = PR_FALSE; |
| PRBool testrsa_export = PR_FALSE; |
| PRBool testecdh = PR_FALSE; |
| PRBool testecdhe = PR_FALSE; |
| #ifndef NSS_DISABLE_ECC |
| SECKEYECParams ecParams = { siBuffer, NULL, 0 }; |
| #endif |
| |
| if (!cert || !srvPrivkey || !ciphersuites || !pcanbypass) { |
| PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| return SECFailure; |
| } |
| |
| srvPubkey = CERT_ExtractPublicKey(cert); |
| if (!srvPubkey) |
| return SECFailure; |
| |
| *pcanbypass = PR_TRUE; |
| rv = SECFailure; |
| |
| /* determine which KEAs to test */ |
| /* 0 (TLS_NULL_WITH_NULL_NULL) is used as a list terminator because |
| * SSL3 and TLS specs forbid negotiating that cipher suite number. |
| */ |
| for (i = 0; i < nsuites && (suite = *ciphersuites++) != 0; i++) { |
| /* skip SSL2 cipher suites and ones NSS doesn't support */ |
| if (SSL_GetCipherSuiteInfo(suite, &csdef, sizeof(csdef)) != SECSuccess || |
| SSL_IS_SSL2_CIPHER(suite)) |
| continue; |
| switch (csdef.keaType) { |
| case ssl_kea_rsa: |
| switch (csdef.cipherSuite) { |
| case TLS_RSA_EXPORT1024_WITH_RC4_56_SHA: |
| case TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA: |
| case TLS_RSA_EXPORT_WITH_RC4_40_MD5: |
| case TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5: |
| testrsa_export = PR_TRUE; |
| } |
| if (!testrsa_export) |
| testrsa = PR_TRUE; |
| break; |
| case ssl_kea_ecdh: |
| if (strcmp(csdef.keaTypeName, "ECDHE") == 0) /* ephemeral? */ |
| testecdhe = PR_TRUE; |
| else |
| testecdh = PR_TRUE; |
| break; |
| case ssl_kea_dh: |
| /* this is actually DHE */ |
| default: |
| continue; |
| } |
| } |
| |
| /* For each protocol try to derive and extract an MS. |
| * Failure of function any function except MS extract means |
| * continue with the next cipher test. Stop testing when the list is |
| * exhausted or when the first MS extract--not derive--fails. |
| */ |
| privKeytype = SECKEY_GetPrivateKeyType(srvPrivkey); |
| protocolmask &= SSL_CBP_SSL3 | SSL_CBP_TLS1_0; |
| while (protocolmask) { |
| if (protocolmask & SSL_CBP_SSL3) { |
| isTLS = PR_FALSE; |
| protocolmask ^= SSL_CBP_SSL3; |
| } else { |
| isTLS = PR_TRUE; |
| protocolmask ^= SSL_CBP_TLS1_0; |
| } |
| |
| if (privKeytype == rsaKey && testrsa_export) { |
| if (PK11_GetPrivateModulusLen(srvPrivkey) > EXPORT_RSA_KEY_LENGTH) { |
| *pcanbypass = PR_FALSE; |
| rv = SECSuccess; |
| break; |
| } else |
| testrsa = PR_TRUE; |
| } |
| for (; privKeytype == rsaKey && testrsa;) { |
| /* TLS_RSA */ |
| unsigned char rsaPmsBuf[SSL3_RSA_PMS_LENGTH]; |
| unsigned int outLen = 0; |
| CK_MECHANISM_TYPE target; |
| SECStatus irv; |
| |
| mechanism_array[0] = CKM_SSL3_PRE_MASTER_KEY_GEN; |
| mechanism_array[1] = CKM_RSA_PKCS; |
| |
| slot = PK11_GetBestSlotMultiple(mechanism_array, 2, pwArg); |
| if (slot == NULL) { |
| PORT_SetError(SSL_ERROR_TOKEN_SLOT_NOT_FOUND); |
| break; |
| } |
| |
| /* Generate the pre-master secret ... (client side) */ |
| version.major = 3 /*MSB(clientHelloVersion)*/; |
| version.minor = 0 /*LSB(clientHelloVersion)*/; |
| param.data = (unsigned char *)&version; |
| param.len = sizeof version; |
| pms = PK11_KeyGen(slot, CKM_SSL3_PRE_MASTER_KEY_GEN, ¶m, 0, pwArg); |
| PK11_FreeSlot(slot); |
| if (!pms) |
| break; |
| /* now wrap it */ |
| enc_pms.len = SECKEY_PublicKeyStrength(srvPubkey); |
| enc_pms.data = (unsigned char *)PORT_Alloc(enc_pms.len); |
| if (enc_pms.data == NULL) { |
| PORT_SetError(PR_OUT_OF_MEMORY_ERROR); |
| break; |
| } |
| irv = PK11_PubWrapSymKey(CKM_RSA_PKCS, srvPubkey, pms, &enc_pms); |
| if (irv != SECSuccess) |
| break; |
| PK11_FreeSymKey(pms); |
| pms = NULL; |
| /* now do the server side--check the triple bypass first */ |
| rv = PK11_PrivDecryptPKCS1(srvPrivkey, rsaPmsBuf, &outLen, |
| sizeof rsaPmsBuf, |
| (unsigned char *)enc_pms.data, |
| enc_pms.len); |
| /* if decrypt worked we're done with the RSA test */ |
| if (rv == SECSuccess) { |
| *pcanbypass = PR_TRUE; |
| break; |
| } |
| /* check for fallback to double bypass */ |
| target = isTLS ? CKM_TLS_MASTER_KEY_DERIVE |
| : CKM_SSL3_MASTER_KEY_DERIVE; |
| pms = PK11_PubUnwrapSymKey(srvPrivkey, &enc_pms, |
| target, CKA_DERIVE, 0); |
| rv = ssl_canExtractMS(pms, isTLS, PR_FALSE, pcanbypass); |
| if (rv == SECSuccess && *pcanbypass == PR_FALSE) |
| goto done; |
| break; |
| } |
| |
| /* Check for NULL to avoid double free. |
| * SECItem_FreeItem sets data NULL in secitem.c#265 |
| */ |
| if (enc_pms.data != NULL) { |
| SECITEM_FreeItem(&enc_pms, PR_FALSE); |
| } |
| #ifndef NSS_DISABLE_ECC |
| for (; (privKeytype == ecKey && (testecdh || testecdhe)) || |
| (privKeytype == rsaKey && testecdhe);) { |
| CK_MECHANISM_TYPE target; |
| SECKEYPublicKey *keapub = NULL; |
| SECKEYPrivateKey *keapriv; |
| SECKEYPublicKey *cpub = NULL; /* client's ephemeral ECDH keys */ |
| SECKEYPrivateKey *cpriv = NULL; |
| SECKEYECParams *pecParams = NULL; |
| |
| if (privKeytype == ecKey && testecdhe) { |
| /* TLS_ECDHE_ECDSA */ |
| pecParams = &srvPubkey->u.ec.DEREncodedParams; |
| } else if (privKeytype == rsaKey && testecdhe) { |
| /* TLS_ECDHE_RSA */ |
| ECName ec_curve; |
| int serverKeyStrengthInBits; |
| int signatureKeyStrength; |
| int requiredECCbits; |
| |
| /* find a curve of equivalent strength to the RSA key's */ |
| requiredECCbits = PK11_GetPrivateModulusLen(srvPrivkey); |
| if (requiredECCbits < 0) |
| break; |
| requiredECCbits *= BPB; |
| serverKeyStrengthInBits = srvPubkey->u.rsa.modulus.len; |
| if (srvPubkey->u.rsa.modulus.data[0] == 0) { |
| serverKeyStrengthInBits--; |
| } |
| /* convert to strength in bits */ |
| serverKeyStrengthInBits *= BPB; |
| |
| signatureKeyStrength = |
| SSL_RSASTRENGTH_TO_ECSTRENGTH(serverKeyStrengthInBits); |
| |
| if (requiredECCbits > signatureKeyStrength) |
| requiredECCbits = signatureKeyStrength; |
| |
| ec_curve = |
| ssl3_GetCurveWithECKeyStrength( |
| ssl3_GetSupportedECCurveMask(NULL), |
| requiredECCbits); |
| rv = ssl3_ECName2Params(NULL, ec_curve, &ecParams); |
| if (rv == SECFailure) { |
| break; |
| } |
| pecParams = &ecParams; |
| } |
| |
| if (testecdhe) { |
| /* generate server's ephemeral keys */ |
| keapriv = SECKEY_CreateECPrivateKey(pecParams, &keapub, NULL); |
| if (!keapriv || !keapub) { |
| if (keapriv) |
| SECKEY_DestroyPrivateKey(keapriv); |
| if (keapub) |
| SECKEY_DestroyPublicKey(keapub); |
| PORT_SetError(SEC_ERROR_KEYGEN_FAIL); |
| rv = SECFailure; |
| break; |
| } |
| } else { |
| /* TLS_ECDH_ECDSA */ |
| keapub = srvPubkey; |
| keapriv = srvPrivkey; |
| pecParams = &srvPubkey->u.ec.DEREncodedParams; |
| } |
| |
| /* perform client side ops */ |
| /* generate a pair of ephemeral keys using server's parms */ |
| cpriv = SECKEY_CreateECPrivateKey(pecParams, &cpub, NULL); |
| if (!cpriv || !cpub) { |
| if (testecdhe) { |
| SECKEY_DestroyPrivateKey(keapriv); |
| SECKEY_DestroyPublicKey(keapub); |
| } |
| PORT_SetError(SEC_ERROR_KEYGEN_FAIL); |
| rv = SECFailure; |
| break; |
| } |
| /* now do the server side */ |
| /* determine the PMS using client's public value */ |
| target = isTLS ? CKM_TLS_MASTER_KEY_DERIVE_DH |
| : CKM_SSL3_MASTER_KEY_DERIVE_DH; |
| pms = PK11_PubDeriveWithKDF(keapriv, cpub, PR_FALSE, NULL, NULL, |
| CKM_ECDH1_DERIVE, |
| target, |
| CKA_DERIVE, 0, CKD_NULL, NULL, NULL); |
| rv = ssl_canExtractMS(pms, isTLS, PR_TRUE, pcanbypass); |
| SECKEY_DestroyPrivateKey(cpriv); |
| SECKEY_DestroyPublicKey(cpub); |
| if (testecdhe) { |
| SECKEY_DestroyPrivateKey(keapriv); |
| SECKEY_DestroyPublicKey(keapub); |
| } |
| if (rv == SECSuccess && *pcanbypass == PR_FALSE) |
| goto done; |
| break; |
| } |
| /* Check for NULL to avoid double free. */ |
| if (ecParams.data != NULL) { |
| PORT_Free(ecParams.data); |
| ecParams.data = NULL; |
| } |
| #endif /* NSS_DISABLE_ECC */ |
| if (pms) |
| PK11_FreeSymKey(pms); |
| } |
| |
| /* *pcanbypass has been set */ |
| rv = SECSuccess; |
| |
| done: |
| if (pms) |
| PK11_FreeSymKey(pms); |
| |
| /* Check for NULL to avoid double free. |
| * SECItem_FreeItem sets data NULL in secitem.c#265 |
| */ |
| if (enc_pms.data != NULL) { |
| SECITEM_FreeItem(&enc_pms, PR_FALSE); |
| } |
| #ifndef NSS_DISABLE_ECC |
| if (ecParams.data != NULL) { |
| PORT_Free(ecParams.data); |
| ecParams.data = NULL; |
| } |
| #endif /* NSS_DISABLE_ECC */ |
| |
| if (srvPubkey) { |
| SECKEY_DestroyPublicKey(srvPubkey); |
| srvPubkey = NULL; |
| } |
| |
| return rv; |
| #endif /* NO_PKCS11_BYPASS */ |
| } |
