1/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
2/*
3 * SSL3 Protocol
4 *
5 * This Source Code Form is subject to the terms of the Mozilla Public
6 * License, v. 2.0. If a copy of the MPL was not distributed with this
7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
8
9/* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */
10
11#include "cert.h"
12#include "ssl.h"
13#include "cryptohi.h"	/* for DSAU_ stuff */
14#include "keyhi.h"
15#include "secder.h"
16#include "secitem.h"
17#include "sechash.h"
18
19#include "sslimpl.h"
20#include "sslproto.h"
21#include "sslerr.h"
22#include "prtime.h"
23#include "prinrval.h"
24#include "prerror.h"
25#include "pratom.h"
26#include "prthread.h"
27
28#include "pk11func.h"
29#include "secmod.h"
30#ifndef NO_PKCS11_BYPASS
31#include "blapi.h"
32#endif
33
34/* This is a bodge to allow this code to be compiled against older NSS headers
35 * that don't contain the TLS 1.2 changes. */
36#ifndef CKM_NSS_TLS_PRF_GENERAL_SHA256
37#define CKM_NSS_TLS_PRF_GENERAL_SHA256          (CKM_NSS + 21)
38#define CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256    (CKM_NSS + 22)
39#define CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256   (CKM_NSS + 23)
40#define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24)
41#endif
42
43/* This is a bodge to allow this code to be compiled against older NSS
44 * headers. */
45#ifndef CKM_NSS_CHACHA20_POLY1305
46#define CKM_NSS_CHACHA20_POLY1305               (CKM_NSS + 26)
47
48typedef struct CK_NSS_AEAD_PARAMS {
49    CK_BYTE_PTR  pIv;  /* This is the nonce. */
50    CK_ULONG     ulIvLen;
51    CK_BYTE_PTR  pAAD;
52    CK_ULONG     ulAADLen;
53    CK_ULONG     ulTagLen;
54} CK_NSS_AEAD_PARAMS;
55
56#endif
57
58#include <stdio.h>
59#ifdef NSS_ENABLE_ZLIB
60#include "zlib.h"
61#endif
62#ifdef LINUX
63#include <dlfcn.h>
64#endif
65
66#ifndef PK11_SETATTRS
67#define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \
68		(x)->pValue=(v); (x)->ulValueLen = (l);
69#endif
70
71static SECStatus ssl3_AuthCertificate(sslSocket *ss);
72static void      ssl3_CleanupPeerCerts(sslSocket *ss);
73static void      ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid);
74static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
75                                       PK11SlotInfo * serverKeySlot);
76static SECStatus ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms);
77static SECStatus ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss);
78static SECStatus ssl3_HandshakeFailure(      sslSocket *ss);
79static SECStatus ssl3_InitState(             sslSocket *ss);
80static SECStatus ssl3_SendCertificate(       sslSocket *ss);
81static SECStatus ssl3_SendCertificateStatus( sslSocket *ss);
82static SECStatus ssl3_SendEmptyCertificate(  sslSocket *ss);
83static SECStatus ssl3_SendCertificateRequest(sslSocket *ss);
84static SECStatus ssl3_SendNextProto(         sslSocket *ss);
85static SECStatus ssl3_SendEncryptedExtensions(sslSocket *ss);
86static SECStatus ssl3_SendFinished(          sslSocket *ss, PRInt32 flags);
87static SECStatus ssl3_SendServerHello(       sslSocket *ss);
88static SECStatus ssl3_SendServerHelloDone(   sslSocket *ss);
89static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss);
90static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss,
91                                             const unsigned char *b,
92                                             unsigned int l);
93static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags);
94static int       ssl3_OIDToTLSHashAlgorithm(SECOidTag oid);
95
96static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen,
97			     int maxOutputLen, const unsigned char *input,
98			     int inputLen);
99#ifndef NO_PKCS11_BYPASS
100static SECStatus ssl3_AESGCMBypass(ssl3KeyMaterial *keys, PRBool doDecrypt,
101				   unsigned char *out, int *outlen, int maxout,
102				   const unsigned char *in, int inlen,
103				   const unsigned char *additionalData,
104				   int additionalDataLen);
105#endif
106
107#define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */
108#define MIN_SEND_BUF_LENGTH  4000
109
110/* This list of SSL3 cipher suites is sorted in descending order of
111 * precedence (desirability).  It only includes cipher suites we implement.
112 * This table is modified by SSL3_SetPolicy(). The ordering of cipher suites
113 * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c)
114 *
115 * Important: See bug 946147 before enabling, reordering, or adding any cipher
116 * suites to this list.
117 */
118static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
119   /*      cipher_suite                     policy       enabled   isPresent */
120
121#ifdef NSS_ENABLE_ECC
122 { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,  SSL_ALLOWED, PR_FALSE, PR_FALSE},
123 { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,    SSL_ALLOWED, PR_FALSE, PR_FALSE},
124 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
125 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
126   /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
127    * bug 946147.
128    */
129 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,    SSL_ALLOWED, PR_FALSE, PR_FALSE},
130 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    SSL_ALLOWED, PR_FALSE, PR_FALSE},
131 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
132 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
133 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
134 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
135 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
136 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
137 { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_FALSE, PR_FALSE},
138 { TLS_ECDHE_RSA_WITH_RC4_128_SHA,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
139#endif /* NSS_ENABLE_ECC */
140
141 { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
142 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
143 { TLS_DHE_DSS_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
144 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
145 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
146 { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
147 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
148 { TLS_DHE_DSS_WITH_AES_256_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
149 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
150 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
151 { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
152 { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,       SSL_ALLOWED, PR_TRUE,  PR_FALSE},
153 { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,       SSL_ALLOWED, PR_TRUE,  PR_FALSE},
154 { TLS_DHE_DSS_WITH_RC4_128_SHA,            SSL_ALLOWED, PR_FALSE, PR_FALSE},
155
156#ifdef NSS_ENABLE_ECC
157 { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
158 { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
159 { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
160 { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
161 { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,    SSL_ALLOWED, PR_FALSE, PR_FALSE},
162 { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
163 { TLS_ECDH_ECDSA_WITH_RC4_128_SHA,         SSL_ALLOWED, PR_FALSE, PR_FALSE},
164 { TLS_ECDH_RSA_WITH_RC4_128_SHA,           SSL_ALLOWED, PR_FALSE, PR_FALSE},
165#endif /* NSS_ENABLE_ECC */
166
167 /* RSA */
168 { TLS_RSA_WITH_AES_128_GCM_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
169 { TLS_RSA_WITH_AES_128_CBC_SHA,            SSL_ALLOWED, PR_TRUE,  PR_FALSE},
170 { TLS_RSA_WITH_AES_128_CBC_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
171 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
172 { TLS_RSA_WITH_AES_256_CBC_SHA,            SSL_ALLOWED, PR_TRUE,  PR_FALSE},
173 { TLS_RSA_WITH_AES_256_CBC_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
174 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
175 { TLS_RSA_WITH_SEED_CBC_SHA,               SSL_ALLOWED, PR_FALSE, PR_FALSE},
176 { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
177 { SSL_RSA_WITH_3DES_EDE_CBC_SHA,           SSL_ALLOWED, PR_TRUE,  PR_FALSE},
178 { SSL_RSA_WITH_RC4_128_SHA,                SSL_ALLOWED, PR_TRUE,  PR_FALSE},
179 { SSL_RSA_WITH_RC4_128_MD5,                SSL_ALLOWED, PR_TRUE,  PR_FALSE},
180
181 /* 56-bit DES "domestic" cipher suites */
182 { SSL_DHE_RSA_WITH_DES_CBC_SHA,            SSL_ALLOWED, PR_FALSE, PR_FALSE},
183 { SSL_DHE_DSS_WITH_DES_CBC_SHA,            SSL_ALLOWED, PR_FALSE, PR_FALSE},
184 { SSL_RSA_FIPS_WITH_DES_CBC_SHA,           SSL_ALLOWED, PR_FALSE, PR_FALSE},
185 { SSL_RSA_WITH_DES_CBC_SHA,                SSL_ALLOWED, PR_FALSE, PR_FALSE},
186
187 /* export ciphersuites with 1024-bit public key exchange keys */
188 { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
189 { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
190
191 /* export ciphersuites with 512-bit public key exchange keys */
192 { SSL_RSA_EXPORT_WITH_RC4_40_MD5,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
193 { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
194
195 /* ciphersuites with no encryption */
196#ifdef NSS_ENABLE_ECC
197 { TLS_ECDHE_ECDSA_WITH_NULL_SHA,           SSL_ALLOWED, PR_FALSE, PR_FALSE},
198 { TLS_ECDHE_RSA_WITH_NULL_SHA,             SSL_ALLOWED, PR_FALSE, PR_FALSE},
199 { TLS_ECDH_RSA_WITH_NULL_SHA,              SSL_ALLOWED, PR_FALSE, PR_FALSE},
200 { TLS_ECDH_ECDSA_WITH_NULL_SHA,            SSL_ALLOWED, PR_FALSE, PR_FALSE},
201#endif /* NSS_ENABLE_ECC */
202 { SSL_RSA_WITH_NULL_SHA,                   SSL_ALLOWED, PR_FALSE, PR_FALSE},
203 { TLS_RSA_WITH_NULL_SHA256,                SSL_ALLOWED, PR_FALSE, PR_FALSE},
204 { SSL_RSA_WITH_NULL_MD5,                   SSL_ALLOWED, PR_FALSE, PR_FALSE},
205};
206
207/* Verify that SSL_ImplementedCiphers and cipherSuites are in consistent order.
208 */
209#ifdef DEBUG
210void ssl3_CheckCipherSuiteOrderConsistency()
211{
212    unsigned int i;
213
214    /* Note that SSL_ImplementedCiphers has more elements than cipherSuites
215     * because it SSL_ImplementedCiphers includes SSL 2.0 cipher suites.
216     */
217    PORT_Assert(SSL_NumImplementedCiphers >= PR_ARRAY_SIZE(cipherSuites));
218
219    for (i = 0; i < PR_ARRAY_SIZE(cipherSuites); ++i) {
220        PORT_Assert(SSL_ImplementedCiphers[i] == cipherSuites[i].cipher_suite);
221    }
222}
223#endif
224
225/* This list of SSL3 compression methods is sorted in descending order of
226 * precedence (desirability).  It only includes compression methods we
227 * implement.
228 */
229static const /*SSLCompressionMethod*/ PRUint8 compressions [] = {
230#ifdef NSS_ENABLE_ZLIB
231    ssl_compression_deflate,
232#endif
233    ssl_compression_null
234};
235
236static const int compressionMethodsCount =
237    sizeof(compressions) / sizeof(compressions[0]);
238
239/* compressionEnabled returns true iff the compression algorithm is enabled
240 * for the given SSL socket. */
241static PRBool
242compressionEnabled(sslSocket *ss, SSLCompressionMethod compression)
243{
244    switch (compression) {
245    case ssl_compression_null:
246	return PR_TRUE;  /* Always enabled */
247#ifdef NSS_ENABLE_ZLIB
248    case ssl_compression_deflate:
249	return ss->opt.enableDeflate;
250#endif
251    default:
252	return PR_FALSE;
253    }
254}
255
256static const /*SSL3ClientCertificateType */ PRUint8 certificate_types [] = {
257    ct_RSA_sign,
258#ifdef NSS_ENABLE_ECC
259    ct_ECDSA_sign,
260#endif /* NSS_ENABLE_ECC */
261    ct_DSS_sign,
262};
263
264/* This block is the contents of the supported_signature_algorithms field of
265 * our TLS 1.2 CertificateRequest message, in wire format. See
266 * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
267 *
268 * This block contains only sha256 entries because we only support TLS 1.2
269 * CertificateVerify messages that use the handshake hash. */
270static const PRUint8 supported_signature_algorithms[] = {
271    tls_hash_sha256, tls_sig_rsa,
272#ifdef NSS_ENABLE_ECC
273    tls_hash_sha256, tls_sig_ecdsa,
274#endif
275    tls_hash_sha256, tls_sig_dsa,
276};
277
278#define EXPORT_RSA_KEY_LENGTH 64	/* bytes */
279
280
281/* This global item is used only in servers.  It is is initialized by
282** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest().
283*/
284CERTDistNames *ssl3_server_ca_list = NULL;
285static SSL3Statistics ssl3stats;
286
287/* indexed by SSL3BulkCipher */
288static const ssl3BulkCipherDef bulk_cipher_defs[] = {
289    /*                                       |--------- Lengths --------| */
290    /* cipher             calg               k  s  type         i  b  t  n */
291    /*                                       e  e               v  l  a  o */
292    /*                                       y  c               |  o  g  n */
293    /*                                       |  r               |  c  |  c */
294    /*                                       |  e               |  k  |  e */
295    /*                                       |  t               |  |  |  | */
296    {cipher_null,         calg_null,         0, 0, type_stream, 0, 0, 0, 0},
297    {cipher_rc4,          calg_rc4,         16,16, type_stream, 0, 0, 0, 0},
298    {cipher_rc4_40,       calg_rc4,         16, 5, type_stream, 0, 0, 0, 0},
299    {cipher_rc4_56,       calg_rc4,         16, 7, type_stream, 0, 0, 0, 0},
300    {cipher_rc2,          calg_rc2,         16,16, type_block,  8, 8, 0, 0},
301    {cipher_rc2_40,       calg_rc2,         16, 5, type_block,  8, 8, 0, 0},
302    {cipher_des,          calg_des,          8, 8, type_block,  8, 8, 0, 0},
303    {cipher_3des,         calg_3des,        24,24, type_block,  8, 8, 0, 0},
304    {cipher_des40,        calg_des,          8, 5, type_block,  8, 8, 0, 0},
305    {cipher_idea,         calg_idea,        16,16, type_block,  8, 8, 0, 0},
306    {cipher_aes_128,      calg_aes,         16,16, type_block, 16,16, 0, 0},
307    {cipher_aes_256,      calg_aes,         32,32, type_block, 16,16, 0, 0},
308    {cipher_camellia_128, calg_camellia,    16,16, type_block, 16,16, 0, 0},
309    {cipher_camellia_256, calg_camellia,    32,32, type_block, 16,16, 0, 0},
310    {cipher_seed,         calg_seed,        16,16, type_block, 16,16, 0, 0},
311    {cipher_aes_128_gcm,  calg_aes_gcm,     16,16, type_aead,   4, 0,16, 8},
312    {cipher_chacha20,     calg_chacha20,    32,32, type_aead,   0, 0,16, 0},
313    {cipher_missing,      calg_null,         0, 0, type_stream, 0, 0, 0, 0},
314};
315
316static const ssl3KEADef kea_defs[] =
317{ /* indexed by SSL3KeyExchangeAlgorithm */
318    /* kea              exchKeyType signKeyType is_limited limit  tls_keygen */
319    {kea_null,           kt_null,     sign_null, PR_FALSE,   0, PR_FALSE},
320    {kea_rsa,            kt_rsa,      sign_rsa,  PR_FALSE,   0, PR_FALSE},
321    {kea_rsa_export,     kt_rsa,      sign_rsa,  PR_TRUE,  512, PR_FALSE},
322    {kea_rsa_export_1024,kt_rsa,      sign_rsa,  PR_TRUE, 1024, PR_FALSE},
323    {kea_dh_dss,         kt_dh,       sign_dsa,  PR_FALSE,   0, PR_FALSE},
324    {kea_dh_dss_export,  kt_dh,       sign_dsa,  PR_TRUE,  512, PR_FALSE},
325    {kea_dh_rsa,         kt_dh,       sign_rsa,  PR_FALSE,   0, PR_FALSE},
326    {kea_dh_rsa_export,  kt_dh,       sign_rsa,  PR_TRUE,  512, PR_FALSE},
327    {kea_dhe_dss,        kt_dh,       sign_dsa,  PR_FALSE,   0, PR_FALSE},
328    {kea_dhe_dss_export, kt_dh,       sign_dsa,  PR_TRUE,  512, PR_FALSE},
329    {kea_dhe_rsa,        kt_dh,       sign_rsa,  PR_FALSE,   0, PR_FALSE},
330    {kea_dhe_rsa_export, kt_dh,       sign_rsa,  PR_TRUE,  512, PR_FALSE},
331    {kea_dh_anon,        kt_dh,       sign_null, PR_FALSE,   0, PR_FALSE},
332    {kea_dh_anon_export, kt_dh,       sign_null, PR_TRUE,  512, PR_FALSE},
333    {kea_rsa_fips,       kt_rsa,      sign_rsa,  PR_FALSE,   0, PR_TRUE },
334#ifdef NSS_ENABLE_ECC
335    {kea_ecdh_ecdsa,     kt_ecdh,     sign_ecdsa,  PR_FALSE, 0, PR_FALSE},
336    {kea_ecdhe_ecdsa,    kt_ecdh,     sign_ecdsa,  PR_FALSE,   0, PR_FALSE},
337    {kea_ecdh_rsa,       kt_ecdh,     sign_rsa,  PR_FALSE,   0, PR_FALSE},
338    {kea_ecdhe_rsa,      kt_ecdh,     sign_rsa,  PR_FALSE,   0, PR_FALSE},
339    {kea_ecdh_anon,      kt_ecdh,     sign_null,  PR_FALSE,   0, PR_FALSE},
340#endif /* NSS_ENABLE_ECC */
341};
342
343/* must use ssl_LookupCipherSuiteDef to access */
344static const ssl3CipherSuiteDef cipher_suite_defs[] =
345{
346/*  cipher_suite                    bulk_cipher_alg mac_alg key_exchange_alg */
347
348    {SSL_NULL_WITH_NULL_NULL,       cipher_null,   mac_null, kea_null},
349    {SSL_RSA_WITH_NULL_MD5,         cipher_null,   mac_md5, kea_rsa},
350    {SSL_RSA_WITH_NULL_SHA,         cipher_null,   mac_sha, kea_rsa},
351    {TLS_RSA_WITH_NULL_SHA256,      cipher_null,   hmac_sha256, kea_rsa},
352    {SSL_RSA_EXPORT_WITH_RC4_40_MD5,cipher_rc4_40, mac_md5, kea_rsa_export},
353    {SSL_RSA_WITH_RC4_128_MD5,      cipher_rc4,    mac_md5, kea_rsa},
354    {SSL_RSA_WITH_RC4_128_SHA,      cipher_rc4,    mac_sha, kea_rsa},
355    {SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
356                                    cipher_rc2_40, mac_md5, kea_rsa_export},
357#if 0 /* not implemented */
358    {SSL_RSA_WITH_IDEA_CBC_SHA,     cipher_idea,   mac_sha, kea_rsa},
359    {SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
360                                    cipher_des40,  mac_sha, kea_rsa_export},
361#endif
362    {SSL_RSA_WITH_DES_CBC_SHA,      cipher_des,    mac_sha, kea_rsa},
363    {SSL_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des,   mac_sha, kea_rsa},
364    {SSL_DHE_DSS_WITH_DES_CBC_SHA,  cipher_des,    mac_sha, kea_dhe_dss},
365    {SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
366                                    cipher_3des,   mac_sha, kea_dhe_dss},
367    {TLS_DHE_DSS_WITH_RC4_128_SHA,  cipher_rc4,    mac_sha, kea_dhe_dss},
368#if 0 /* not implemented */
369    {SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
370                                    cipher_des40,  mac_sha, kea_dh_dss_export},
371    {SSL_DH_DSS_DES_CBC_SHA,        cipher_des,    mac_sha, kea_dh_dss},
372    {SSL_DH_DSS_3DES_CBC_SHA,       cipher_3des,   mac_sha, kea_dh_dss},
373    {SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
374                                    cipher_des40,  mac_sha, kea_dh_rsa_export},
375    {SSL_DH_RSA_DES_CBC_SHA,        cipher_des,    mac_sha, kea_dh_rsa},
376    {SSL_DH_RSA_3DES_CBC_SHA,       cipher_3des,   mac_sha, kea_dh_rsa},
377    {SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
378                                    cipher_des40,  mac_sha, kea_dh_dss_export},
379    {SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
380                                    cipher_des40,  mac_sha, kea_dh_rsa_export},
381#endif
382    {SSL_DHE_RSA_WITH_DES_CBC_SHA,  cipher_des,    mac_sha, kea_dhe_rsa},
383    {SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
384                                    cipher_3des,   mac_sha, kea_dhe_rsa},
385#if 0
386    {SSL_DH_ANON_EXPORT_RC4_40_MD5, cipher_rc4_40, mac_md5, kea_dh_anon_export},
387    {SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA,
388                                    cipher_des40,  mac_sha, kea_dh_anon_export},
389    {SSL_DH_ANON_DES_CBC_SHA,       cipher_des,    mac_sha, kea_dh_anon},
390    {SSL_DH_ANON_3DES_CBC_SHA,      cipher_3des,   mac_sha, kea_dh_anon},
391#endif
392
393
394/* New TLS cipher suites */
395    {TLS_RSA_WITH_AES_128_CBC_SHA,     	cipher_aes_128, mac_sha, kea_rsa},
396    {TLS_RSA_WITH_AES_128_CBC_SHA256,	cipher_aes_128, hmac_sha256, kea_rsa},
397    {TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 	cipher_aes_128, mac_sha, kea_dhe_dss},
398    {TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 	cipher_aes_128, mac_sha, kea_dhe_rsa},
399    {TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_rsa},
400    {TLS_RSA_WITH_AES_256_CBC_SHA,     	cipher_aes_256, mac_sha, kea_rsa},
401    {TLS_RSA_WITH_AES_256_CBC_SHA256,	cipher_aes_256, hmac_sha256, kea_rsa},
402    {TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 	cipher_aes_256, mac_sha, kea_dhe_dss},
403    {TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 	cipher_aes_256, mac_sha, kea_dhe_rsa},
404    {TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_rsa},
405#if 0
406    {TLS_DH_DSS_WITH_AES_128_CBC_SHA,  	cipher_aes_128, mac_sha, kea_dh_dss},
407    {TLS_DH_RSA_WITH_AES_128_CBC_SHA,  	cipher_aes_128, mac_sha, kea_dh_rsa},
408    {TLS_DH_ANON_WITH_AES_128_CBC_SHA, 	cipher_aes_128, mac_sha, kea_dh_anon},
409    {TLS_DH_DSS_WITH_AES_256_CBC_SHA,  	cipher_aes_256, mac_sha, kea_dh_dss},
410    {TLS_DH_RSA_WITH_AES_256_CBC_SHA,  	cipher_aes_256, mac_sha, kea_dh_rsa},
411    {TLS_DH_ANON_WITH_AES_256_CBC_SHA, 	cipher_aes_256, mac_sha, kea_dh_anon},
412#endif
413
414    {TLS_RSA_WITH_SEED_CBC_SHA,	    cipher_seed,   mac_sha, kea_rsa},
415
416    {TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, cipher_camellia_128, mac_sha, kea_rsa},
417    {TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
418     cipher_camellia_128, mac_sha, kea_dhe_dss},
419    {TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
420     cipher_camellia_128, mac_sha, kea_dhe_rsa},
421    {TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,	cipher_camellia_256, mac_sha, kea_rsa},
422    {TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
423     cipher_camellia_256, mac_sha, kea_dhe_dss},
424    {TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
425     cipher_camellia_256, mac_sha, kea_dhe_rsa},
426
427    {TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
428                                    cipher_des,    mac_sha,kea_rsa_export_1024},
429    {TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
430                                    cipher_rc4_56, mac_sha,kea_rsa_export_1024},
431
432    {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips},
433    {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des,    mac_sha, kea_rsa_fips},
434
435    {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_rsa},
436    {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa},
437    {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa},
438    {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa},
439    {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, cipher_chacha20, mac_aead, kea_ecdhe_rsa},
440    {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, cipher_chacha20, mac_aead, kea_ecdhe_ecdsa},
441
442#ifdef NSS_ENABLE_ECC
443    {TLS_ECDH_ECDSA_WITH_NULL_SHA,        cipher_null, mac_sha, kea_ecdh_ecdsa},
444    {TLS_ECDH_ECDSA_WITH_RC4_128_SHA,      cipher_rc4, mac_sha, kea_ecdh_ecdsa},
445    {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa},
446    {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecdsa},
447    {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecdsa},
448
449    {TLS_ECDHE_ECDSA_WITH_NULL_SHA,        cipher_null, mac_sha, kea_ecdhe_ecdsa},
450    {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,      cipher_rc4, mac_sha, kea_ecdhe_ecdsa},
451    {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecdsa},
452    {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_ecdsa},
453    {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ecdhe_ecdsa},
454    {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_ecdsa},
455
456    {TLS_ECDH_RSA_WITH_NULL_SHA,         cipher_null,    mac_sha, kea_ecdh_rsa},
457    {TLS_ECDH_RSA_WITH_RC4_128_SHA,      cipher_rc4,     mac_sha, kea_ecdh_rsa},
458    {TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des,    mac_sha, kea_ecdh_rsa},
459    {TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,  cipher_aes_128, mac_sha, kea_ecdh_rsa},
460    {TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,  cipher_aes_256, mac_sha, kea_ecdh_rsa},
461
462    {TLS_ECDHE_RSA_WITH_NULL_SHA,         cipher_null,    mac_sha, kea_ecdhe_rsa},
463    {TLS_ECDHE_RSA_WITH_RC4_128_SHA,      cipher_rc4,     mac_sha, kea_ecdhe_rsa},
464    {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des,    mac_sha, kea_ecdhe_rsa},
465    {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,  cipher_aes_128, mac_sha, kea_ecdhe_rsa},
466    {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ecdhe_rsa},
467    {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,  cipher_aes_256, mac_sha, kea_ecdhe_rsa},
468
469#if 0
470    {TLS_ECDH_anon_WITH_NULL_SHA,         cipher_null,    mac_sha, kea_ecdh_anon},
471    {TLS_ECDH_anon_WITH_RC4_128_SHA,      cipher_rc4,     mac_sha, kea_ecdh_anon},
472    {TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, cipher_3des,    mac_sha, kea_ecdh_anon},
473    {TLS_ECDH_anon_WITH_AES_128_CBC_SHA,  cipher_aes_128, mac_sha, kea_ecdh_anon},
474    {TLS_ECDH_anon_WITH_AES_256_CBC_SHA,  cipher_aes_256, mac_sha, kea_ecdh_anon},
475#endif
476#endif /* NSS_ENABLE_ECC */
477};
478
479static const CK_MECHANISM_TYPE kea_alg_defs[] = {
480    0x80000000L,
481    CKM_RSA_PKCS,
482    CKM_DH_PKCS_DERIVE,
483    CKM_KEA_KEY_DERIVE,
484    CKM_ECDH1_DERIVE
485};
486
487typedef struct SSLCipher2MechStr {
488    SSLCipherAlgorithm  calg;
489    CK_MECHANISM_TYPE   cmech;
490} SSLCipher2Mech;
491
492/* indexed by type SSLCipherAlgorithm */
493static const SSLCipher2Mech alg2Mech[] = {
494    /* calg,          cmech  */
495    { calg_null     , (CK_MECHANISM_TYPE)0x80000000L	},
496    { calg_rc4      , CKM_RC4				},
497    { calg_rc2      , CKM_RC2_CBC			},
498    { calg_des      , CKM_DES_CBC			},
499    { calg_3des     , CKM_DES3_CBC			},
500    { calg_idea     , CKM_IDEA_CBC			},
501    { calg_fortezza , CKM_SKIPJACK_CBC64                },
502    { calg_aes      , CKM_AES_CBC			},
503    { calg_camellia , CKM_CAMELLIA_CBC			},
504    { calg_seed     , CKM_SEED_CBC			},
505    { calg_aes_gcm  , CKM_AES_GCM			},
506    { calg_chacha20 , CKM_NSS_CHACHA20_POLY1305		},
507/*  { calg_init     , (CK_MECHANISM_TYPE)0x7fffffffL    }  */
508};
509
510#define mmech_invalid  (CK_MECHANISM_TYPE)0x80000000L
511#define mmech_md5      CKM_SSL3_MD5_MAC
512#define mmech_sha      CKM_SSL3_SHA1_MAC
513#define mmech_md5_hmac CKM_MD5_HMAC
514#define mmech_sha_hmac CKM_SHA_1_HMAC
515#define mmech_sha256_hmac CKM_SHA256_HMAC
516
517static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */
518    /* pad_size is only used for SSL 3.0 MAC. See RFC 6101 Sec. 5.2.3.1. */
519    /* mac      mmech       pad_size  mac_size                       */
520    { mac_null, mmech_invalid,    0,  0          },
521    { mac_md5,  mmech_md5,       48,  MD5_LENGTH },
522    { mac_sha,  mmech_sha,       40,  SHA1_LENGTH},
523    {hmac_md5,  mmech_md5_hmac,   0,  MD5_LENGTH },
524    {hmac_sha,  mmech_sha_hmac,   0,  SHA1_LENGTH},
525    {hmac_sha256, mmech_sha256_hmac, 0, SHA256_LENGTH},
526    { mac_aead, mmech_invalid,    0,  0          },
527};
528
529/* indexed by SSL3BulkCipher */
530const char * const ssl3_cipherName[] = {
531    "NULL",
532    "RC4",
533    "RC4-40",
534    "RC4-56",
535    "RC2-CBC",
536    "RC2-CBC-40",
537    "DES-CBC",
538    "3DES-EDE-CBC",
539    "DES-CBC-40",
540    "IDEA-CBC",
541    "AES-128",
542    "AES-256",
543    "Camellia-128",
544    "Camellia-256",
545    "SEED-CBC",
546    "AES-128-GCM",
547    "missing"
548};
549
550#ifdef NSS_ENABLE_ECC
551/* The ECCWrappedKeyInfo structure defines how various pieces of
552 * information are laid out within wrappedSymmetricWrappingkey
553 * for ECDH key exchange. Since wrappedSymmetricWrappingkey is
554 * a 512-byte buffer (see sslimpl.h), the variable length field
555 * in ECCWrappedKeyInfo can be at most (512 - 8) = 504 bytes.
556 *
557 * XXX For now, NSS only supports named elliptic curves of size 571 bits
558 * or smaller. The public value will fit within 145 bytes and EC params
559 * will fit within 12 bytes. We'll need to revisit this when NSS
560 * supports arbitrary curves.
561 */
562#define MAX_EC_WRAPPED_KEY_BUFLEN  504
563
564typedef struct ECCWrappedKeyInfoStr {
565    PRUint16 size;            /* EC public key size in bits */
566    PRUint16 encodedParamLen; /* length (in bytes) of DER encoded EC params */
567    PRUint16 pubValueLen;     /* length (in bytes) of EC public value */
568    PRUint16 wrappedKeyLen;   /* length (in bytes) of the wrapped key */
569    PRUint8 var[MAX_EC_WRAPPED_KEY_BUFLEN]; /* this buffer contains the */
570    /* EC public-key params, the EC public value and the wrapped key  */
571} ECCWrappedKeyInfo;
572#endif /* NSS_ENABLE_ECC */
573
574#if defined(TRACE)
575
576static char *
577ssl3_DecodeHandshakeType(int msgType)
578{
579    char * rv;
580    static char line[40];
581
582    switch(msgType) {
583    case hello_request:	        rv = "hello_request (0)";               break;
584    case client_hello:	        rv = "client_hello  (1)";               break;
585    case server_hello:	        rv = "server_hello  (2)";               break;
586    case hello_verify_request:  rv = "hello_verify_request (3)";        break;
587    case certificate:	        rv = "certificate  (11)";               break;
588    case server_key_exchange:	rv = "server_key_exchange (12)";        break;
589    case certificate_request:	rv = "certificate_request (13)";        break;
590    case server_hello_done:	rv = "server_hello_done   (14)";        break;
591    case certificate_verify:	rv = "certificate_verify  (15)";        break;
592    case client_key_exchange:	rv = "client_key_exchange (16)";        break;
593    case finished:	        rv = "finished     (20)";               break;
594    default:
595        sprintf(line, "*UNKNOWN* handshake type! (%d)", msgType);
596	rv = line;
597    }
598    return rv;
599}
600
601static char *
602ssl3_DecodeContentType(int msgType)
603{
604    char * rv;
605    static char line[40];
606
607    switch(msgType) {
608    case content_change_cipher_spec:
609                                rv = "change_cipher_spec (20)";         break;
610    case content_alert:	        rv = "alert      (21)";                 break;
611    case content_handshake:	rv = "handshake  (22)";                 break;
612    case content_application_data:
613                                rv = "application_data (23)";           break;
614    default:
615        sprintf(line, "*UNKNOWN* record type! (%d)", msgType);
616	rv = line;
617    }
618    return rv;
619}
620
621#endif
622
623SSL3Statistics *
624SSL_GetStatistics(void)
625{
626    return &ssl3stats;
627}
628
629typedef struct tooLongStr {
630#if defined(IS_LITTLE_ENDIAN)
631    PRInt32 low;
632    PRInt32 high;
633#else
634    PRInt32 high;
635    PRInt32 low;
636#endif
637} tooLong;
638
639void SSL_AtomicIncrementLong(long * x)
640{
641    if ((sizeof *x) == sizeof(PRInt32)) {
642        PR_ATOMIC_INCREMENT((PRInt32 *)x);
643    } else {
644    	tooLong * tl = (tooLong *)x;
645	if (PR_ATOMIC_INCREMENT(&tl->low) == 0)
646	    PR_ATOMIC_INCREMENT(&tl->high);
647    }
648}
649
650static PRBool
651ssl3_CipherSuiteAllowedForVersionRange(
652    ssl3CipherSuite cipherSuite,
653    const SSLVersionRange *vrange)
654{
655    switch (cipherSuite) {
656    /* See RFC 4346 A.5. Export cipher suites must not be used in TLS 1.1 or
657     * later. This set of cipher suites is similar to, but different from, the
658     * set of cipher suites considered exportable by SSL_IsExportCipherSuite.
659     */
660    case SSL_RSA_EXPORT_WITH_RC4_40_MD5:
661    case SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5:
662    /*   SSL_RSA_EXPORT_WITH_DES40_CBC_SHA:      never implemented
663     *   SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA:   never implemented
664     *   SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA:   never implemented
665     *   SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA:  never implemented
666     *   SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA:  never implemented
667     *   SSL_DH_ANON_EXPORT_WITH_RC4_40_MD5:     never implemented
668     *   SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA:  never implemented
669     */
670	return vrange->min <= SSL_LIBRARY_VERSION_TLS_1_0;
671    case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305:
672    case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305:
673    case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
674    case TLS_RSA_WITH_AES_256_CBC_SHA256:
675    case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
676    case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
677    case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
678    case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
679    case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
680    case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
681    case TLS_RSA_WITH_AES_128_CBC_SHA256:
682    case TLS_RSA_WITH_AES_128_GCM_SHA256:
683    case TLS_RSA_WITH_NULL_SHA256:
684	return vrange->max >= SSL_LIBRARY_VERSION_TLS_1_2;
685    default:
686	return PR_TRUE;
687    }
688}
689
690/* return pointer to ssl3CipherSuiteDef for suite, or NULL */
691/* XXX This does a linear search.  A binary search would be better. */
692static const ssl3CipherSuiteDef *
693ssl_LookupCipherSuiteDef(ssl3CipherSuite suite)
694{
695    int cipher_suite_def_len =
696	sizeof(cipher_suite_defs) / sizeof(cipher_suite_defs[0]);
697    int i;
698
699    for (i = 0; i < cipher_suite_def_len; i++) {
700	if (cipher_suite_defs[i].cipher_suite == suite)
701	    return &cipher_suite_defs[i];
702    }
703    PORT_Assert(PR_FALSE);  /* We should never get here. */
704    PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
705    return NULL;
706}
707
708/* Find the cipher configuration struct associate with suite */
709/* XXX This does a linear search.  A binary search would be better. */
710static ssl3CipherSuiteCfg *
711ssl_LookupCipherSuiteCfg(ssl3CipherSuite suite, ssl3CipherSuiteCfg *suites)
712{
713    int i;
714
715    for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
716	if (suites[i].cipher_suite == suite)
717	    return &suites[i];
718    }
719    /* return NULL and let the caller handle it.  */
720    PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
721    return NULL;
722}
723
724
725/* Initialize the suite->isPresent value for config_match
726 * Returns count of enabled ciphers supported by extant tokens,
727 * regardless of policy or user preference.
728 * If this returns zero, the user cannot do SSL v3.
729 */
730int
731ssl3_config_match_init(sslSocket *ss)
732{
733    ssl3CipherSuiteCfg *      suite;
734    const ssl3CipherSuiteDef *cipher_def;
735    SSLCipherAlgorithm        cipher_alg;
736    CK_MECHANISM_TYPE         cipher_mech;
737    SSL3KEAType               exchKeyType;
738    int                       i;
739    int                       numPresent		= 0;
740    int                       numEnabled		= 0;
741    PRBool                    isServer;
742    sslServerCerts           *svrAuth;
743
744    PORT_Assert(ss);
745    if (!ss) {
746    	PORT_SetError(SEC_ERROR_INVALID_ARGS);
747	return 0;
748    }
749    if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
750    	return 0;
751    }
752    isServer = (PRBool)(ss->sec.isServer != 0);
753
754    for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
755	suite = &ss->cipherSuites[i];
756	if (suite->enabled) {
757	    ++numEnabled;
758	    /* We need the cipher defs to see if we have a token that can handle
759	     * this cipher.  It isn't part of the static definition.
760	     */
761	    cipher_def = ssl_LookupCipherSuiteDef(suite->cipher_suite);
762	    if (!cipher_def) {
763	    	suite->isPresent = PR_FALSE;
764		continue;
765	    }
766	    cipher_alg = bulk_cipher_defs[cipher_def->bulk_cipher_alg].calg;
767	    PORT_Assert(  alg2Mech[cipher_alg].calg == cipher_alg);
768	    cipher_mech = alg2Mech[cipher_alg].cmech;
769	    exchKeyType =
770	    	    kea_defs[cipher_def->key_exchange_alg].exchKeyType;
771#ifndef NSS_ENABLE_ECC
772	    svrAuth = ss->serverCerts + exchKeyType;
773#else
774	    /* XXX SSLKEAType isn't really a good choice for
775	     * indexing certificates. It doesn't work for
776	     * (EC)DHE-* ciphers. Here we use a hack to ensure
777	     * that the server uses an RSA cert for (EC)DHE-RSA.
778	     */
779	    switch (cipher_def->key_exchange_alg) {
780	    case kea_ecdhe_rsa:
781#if NSS_SERVER_DHE_IMPLEMENTED
782	    /* XXX NSS does not yet implement the server side of _DHE_
783	     * cipher suites.  Correcting the computation for svrAuth,
784	     * as the case below does, causes NSS SSL servers to begin to
785	     * negotiate cipher suites they do not implement.  So, until
786	     * server side _DHE_ is implemented, keep this disabled.
787	     */
788	    case kea_dhe_rsa:
789#endif
790		svrAuth = ss->serverCerts + kt_rsa;
791		break;
792	    case kea_ecdh_ecdsa:
793	    case kea_ecdh_rsa:
794	        /*
795		 * XXX We ought to have different indices for
796		 * ECDSA- and RSA-signed EC certificates so
797		 * we could support both key exchange mechanisms
798		 * simultaneously. For now, both of them use
799		 * whatever is in the certificate slot for kt_ecdh
800		 */
801	    default:
802		svrAuth = ss->serverCerts + exchKeyType;
803		break;
804	    }
805#endif /* NSS_ENABLE_ECC */
806
807	    /* Mark the suites that are backed by real tokens, certs and keys */
808	    suite->isPresent = (PRBool)
809		(((exchKeyType == kt_null) ||
810		   ((!isServer || (svrAuth->serverKeyPair &&
811		                   svrAuth->SERVERKEY &&
812				   svrAuth->serverCertChain)) &&
813		    PK11_TokenExists(kea_alg_defs[exchKeyType]))) &&
814		((cipher_alg == calg_null) || PK11_TokenExists(cipher_mech)));
815	    if (suite->isPresent)
816	    	++numPresent;
817	}
818    }
819    PORT_Assert(numPresent > 0 || numEnabled == 0);
820    if (numPresent <= 0) {
821	PORT_SetError(SSL_ERROR_NO_CIPHERS_SUPPORTED);
822    }
823    return numPresent;
824}
825
826
827/* return PR_TRUE if suite matches policy, enabled state and is applicable to
828 * the given version range. */
829/* It would be a REALLY BAD THING (tm) if we ever permitted the use
830** of a cipher that was NOT_ALLOWED.  So, if this is ever called with
831** policy == SSL_NOT_ALLOWED, report no match.
832*/
833/* adjust suite enabled to the availability of a token that can do the
834 * cipher suite. */
835static PRBool
836config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled,
837	     const SSLVersionRange *vrange)
838{
839    PORT_Assert(policy != SSL_NOT_ALLOWED && enabled != PR_FALSE);
840    if (policy == SSL_NOT_ALLOWED || !enabled)
841    	return PR_FALSE;
842    return (PRBool)(suite->enabled &&
843                    suite->isPresent &&
844	            suite->policy != SSL_NOT_ALLOWED &&
845		    suite->policy <= policy &&
846		    ssl3_CipherSuiteAllowedForVersionRange(
847                        suite->cipher_suite, vrange));
848}
849
850/* return number of cipher suites that match policy, enabled state and are
851 * applicable for the configured protocol version range. */
852/* called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */
853static int
854count_cipher_suites(sslSocket *ss, int policy, PRBool enabled)
855{
856    int i, count = 0;
857
858    if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
859	return 0;
860    }
861    for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
862	if (config_match(&ss->cipherSuites[i], policy, enabled, &ss->vrange))
863	    count++;
864    }
865    if (count <= 0) {
866	PORT_SetError(SSL_ERROR_SSL_DISABLED);
867    }
868    return count;
869}
870
871/*
872 * Null compression, mac and encryption functions
873 */
874
875static SECStatus
876Null_Cipher(void *ctx, unsigned char *output, int *outputLen, int maxOutputLen,
877	    const unsigned char *input, int inputLen)
878{
879    if (inputLen > maxOutputLen) {
880        *outputLen = 0;  /* Match PK11_CipherOp in setting outputLen */
881        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
882        return SECFailure;
883    }
884    *outputLen = inputLen;
885    if (input != output)
886	PORT_Memcpy(output, input, inputLen);
887    return SECSuccess;
888}
889
890/*
891 * SSL3 Utility functions
892 */
893
894/* allowLargerPeerVersion controls whether the function will select the
895 * highest enabled SSL version or fail when peerVersion is greater than the
896 * highest enabled version.
897 *
898 * If allowLargerPeerVersion is true, peerVersion is the peer's highest
899 * enabled version rather than the peer's selected version.
900 */
901SECStatus
902ssl3_NegotiateVersion(sslSocket *ss, SSL3ProtocolVersion peerVersion,
903		      PRBool allowLargerPeerVersion)
904{
905    if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
906	PORT_SetError(SSL_ERROR_SSL_DISABLED);
907	return SECFailure;
908    }
909
910    if (peerVersion < ss->vrange.min ||
911	(peerVersion > ss->vrange.max && !allowLargerPeerVersion)) {
912	PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
913	return SECFailure;
914    }
915
916    ss->version = PR_MIN(peerVersion, ss->vrange.max);
917    PORT_Assert(ssl3_VersionIsSupported(ss->protocolVariant, ss->version));
918
919    return SECSuccess;
920}
921
922static SECStatus
923ssl3_GetNewRandom(SSL3Random *random)
924{
925    SECStatus rv;
926
927    /* first 4 bytes are reserverd for time */
928    rv = PK11_GenerateRandom(random->rand, SSL3_RANDOM_LENGTH);
929    if (rv != SECSuccess) {
930	ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
931    }
932    return rv;
933}
934
935/* Called by ssl3_SendServerKeyExchange and ssl3_SendCertificateVerify */
936SECStatus
937ssl3_SignHashes(SSL3Hashes *hash, SECKEYPrivateKey *key, SECItem *buf,
938                PRBool isTLS)
939{
940    SECStatus rv		= SECFailure;
941    PRBool    doDerEncode       = PR_FALSE;
942    int       signatureLen;
943    SECItem   hashItem;
944
945    buf->data    = NULL;
946
947    switch (key->keyType) {
948    case rsaKey:
949	hashItem.data = hash->u.raw;
950	hashItem.len = hash->len;
951	break;
952    case dsaKey:
953	doDerEncode = isTLS;
954	/* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash.
955	 * In that case, we use just the SHA1 part. */
956	if (hash->hashAlg == SEC_OID_UNKNOWN) {
957	    hashItem.data = hash->u.s.sha;
958	    hashItem.len = sizeof(hash->u.s.sha);
959	} else {
960	    hashItem.data = hash->u.raw;
961	    hashItem.len = hash->len;
962	}
963	break;
964#ifdef NSS_ENABLE_ECC
965    case ecKey:
966	doDerEncode = PR_TRUE;
967	/* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash.
968	 * In that case, we use just the SHA1 part. */
969	if (hash->hashAlg == SEC_OID_UNKNOWN) {
970	    hashItem.data = hash->u.s.sha;
971	    hashItem.len = sizeof(hash->u.s.sha);
972	} else {
973	    hashItem.data = hash->u.raw;
974	    hashItem.len = hash->len;
975	}
976	break;
977#endif /* NSS_ENABLE_ECC */
978    default:
979	PORT_SetError(SEC_ERROR_INVALID_KEY);
980	goto done;
981    }
982    PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len));
983
984    if (hash->hashAlg == SEC_OID_UNKNOWN) {
985	signatureLen = PK11_SignatureLen(key);
986	if (signatureLen <= 0) {
987	    PORT_SetError(SEC_ERROR_INVALID_KEY);
988	    goto done;
989	}
990
991	buf->len  = (unsigned)signatureLen;
992	buf->data = (unsigned char *)PORT_Alloc(signatureLen);
993	if (!buf->data)
994	    goto done;  /* error code was set. */
995
996	rv = PK11_Sign(key, buf, &hashItem);
997    } else {
998	rv = SGN_Digest(key, hash->hashAlg, buf, &hashItem);
999    }
1000    if (rv != SECSuccess) {
1001	ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE);
1002    } else if (doDerEncode) {
1003	SECItem   derSig	= {siBuffer, NULL, 0};
1004
1005	/* This also works for an ECDSA signature */
1006	rv = DSAU_EncodeDerSigWithLen(&derSig, buf, buf->len);
1007	if (rv == SECSuccess) {
1008	    PORT_Free(buf->data);	/* discard unencoded signature. */
1009	    *buf = derSig;		/* give caller encoded signature. */
1010	} else if (derSig.data) {
1011	    PORT_Free(derSig.data);
1012	}
1013    }
1014
1015    PRINT_BUF(60, (NULL, "signed hashes", (unsigned char*)buf->data, buf->len));
1016done:
1017    if (rv != SECSuccess && buf->data) {
1018	PORT_Free(buf->data);
1019	buf->data = NULL;
1020    }
1021    return rv;
1022}
1023
1024/* Called from ssl3_HandleServerKeyExchange, ssl3_HandleCertificateVerify */
1025SECStatus
1026ssl3_VerifySignedHashes(SSL3Hashes *hash, CERTCertificate *cert,
1027                        SECItem *buf, PRBool isTLS, void *pwArg)
1028{
1029    SECKEYPublicKey * key;
1030    SECItem *         signature	= NULL;
1031    SECStatus         rv;
1032    SECItem           hashItem;
1033    SECOidTag         encAlg;
1034    SECOidTag         hashAlg;
1035
1036
1037    PRINT_BUF(60, (NULL, "check signed hashes",
1038                  buf->data, buf->len));
1039
1040    key = CERT_ExtractPublicKey(cert);
1041    if (key == NULL) {
1042	ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
1043    	return SECFailure;
1044    }
1045
1046    hashAlg = hash->hashAlg;
1047    switch (key->keyType) {
1048    case rsaKey:
1049	encAlg = SEC_OID_PKCS1_RSA_ENCRYPTION;
1050	hashItem.data = hash->u.raw;
1051	hashItem.len = hash->len;
1052	break;
1053    case dsaKey:
1054	encAlg = SEC_OID_ANSIX9_DSA_SIGNATURE;
1055	/* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash.
1056	 * In that case, we use just the SHA1 part. */
1057	if (hash->hashAlg == SEC_OID_UNKNOWN) {
1058	    hashItem.data = hash->u.s.sha;
1059	    hashItem.len = sizeof(hash->u.s.sha);
1060	} else {
1061	    hashItem.data = hash->u.raw;
1062	    hashItem.len = hash->len;
1063	}
1064	/* Allow DER encoded DSA signatures in SSL 3.0 */
1065	if (isTLS || buf->len != SECKEY_SignatureLen(key)) {
1066	    signature = DSAU_DecodeDerSigToLen(buf, SECKEY_SignatureLen(key));
1067	    if (!signature) {
1068	    	PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
1069		return SECFailure;
1070	    }
1071	    buf = signature;
1072	}
1073	break;
1074
1075#ifdef NSS_ENABLE_ECC
1076    case ecKey:
1077	encAlg = SEC_OID_ANSIX962_EC_PUBLIC_KEY;
1078	/* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash.
1079	 * In that case, we use just the SHA1 part.
1080	 * ECDSA signatures always encode the integers r and s using ASN.1
1081	 * (unlike DSA where ASN.1 encoding is used with TLS but not with
1082	 * SSL3). So we can use VFY_VerifyDigestDirect for ECDSA.
1083	 */
1084	if (hash->hashAlg == SEC_OID_UNKNOWN) {
1085	    hashAlg = SEC_OID_SHA1;
1086	    hashItem.data = hash->u.s.sha;
1087	    hashItem.len = sizeof(hash->u.s.sha);
1088	} else {
1089	    hashItem.data = hash->u.raw;
1090	    hashItem.len = hash->len;
1091	}
1092	break;
1093#endif /* NSS_ENABLE_ECC */
1094
1095    default:
1096    	SECKEY_DestroyPublicKey(key);
1097	PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
1098	return SECFailure;
1099    }
1100
1101    PRINT_BUF(60, (NULL, "hash(es) to be verified",
1102                  hashItem.data, hashItem.len));
1103
1104    if (hashAlg == SEC_OID_UNKNOWN || key->keyType == dsaKey) {
1105	/* VFY_VerifyDigestDirect requires DSA signatures to be DER-encoded.
1106	 * DSA signatures are DER-encoded in TLS but not in SSL3 and the code
1107	 * above always removes the DER encoding of DSA signatures when
1108	 * present. Thus DSA signatures are always verified with PK11_Verify.
1109	 */
1110	rv = PK11_Verify(key, buf, &hashItem, pwArg);
1111    } else {
1112	rv = VFY_VerifyDigestDirect(&hashItem, key, buf, encAlg, hashAlg,
1113				    pwArg);
1114    }
1115    SECKEY_DestroyPublicKey(key);
1116    if (signature) {
1117    	SECITEM_FreeItem(signature, PR_TRUE);
1118    }
1119    if (rv != SECSuccess) {
1120	ssl_MapLowLevelError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
1121    }
1122    return rv;
1123}
1124
1125
1126/* Caller must set hiLevel error code. */
1127/* Called from ssl3_ComputeExportRSAKeyHash
1128 *             ssl3_ComputeDHKeyHash
1129 * which are called from ssl3_HandleServerKeyExchange.
1130 *
1131 * hashAlg: either the OID for a hash algorithm or SEC_OID_UNKNOWN to specify
1132 * the pre-1.2, MD5/SHA1 combination hash.
1133 */
1134SECStatus
1135ssl3_ComputeCommonKeyHash(SECOidTag hashAlg,
1136			  PRUint8 * hashBuf, unsigned int bufLen,
1137			  SSL3Hashes *hashes, PRBool bypassPKCS11)
1138{
1139    SECStatus     rv 		= SECSuccess;
1140
1141#ifndef NO_PKCS11_BYPASS
1142    if (bypassPKCS11) {
1143	if (hashAlg == SEC_OID_UNKNOWN) {
1144	    MD5_HashBuf (hashes->u.s.md5, hashBuf, bufLen);
1145	    SHA1_HashBuf(hashes->u.s.sha, hashBuf, bufLen);
1146	    hashes->len = MD5_LENGTH + SHA1_LENGTH;
1147	} else if (hashAlg == SEC_OID_SHA1) {
1148	    SHA1_HashBuf(hashes->u.raw, hashBuf, bufLen);
1149	    hashes->len = SHA1_LENGTH;
1150	} else if (hashAlg == SEC_OID_SHA256) {
1151	    SHA256_HashBuf(hashes->u.raw, hashBuf, bufLen);
1152	    hashes->len = SHA256_LENGTH;
1153	} else if (hashAlg == SEC_OID_SHA384) {
1154	    SHA384_HashBuf(hashes->u.raw, hashBuf, bufLen);
1155	    hashes->len = SHA384_LENGTH;
1156	} else if (hashAlg == SEC_OID_SHA512) {
1157	    SHA512_HashBuf(hashes->u.raw, hashBuf, bufLen);
1158	    hashes->len = SHA512_LENGTH;
1159	} else {
1160	    PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
1161	    return SECFailure;
1162	}
1163    } else
1164#endif
1165    {
1166	if (hashAlg == SEC_OID_UNKNOWN) {
1167	    rv = PK11_HashBuf(SEC_OID_MD5, hashes->u.s.md5, hashBuf, bufLen);
1168	    if (rv != SECSuccess) {
1169		ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
1170		rv = SECFailure;
1171		goto done;
1172	    }
1173
1174	    rv = PK11_HashBuf(SEC_OID_SHA1, hashes->u.s.sha, hashBuf, bufLen);
1175	    if (rv != SECSuccess) {
1176		ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
1177		rv = SECFailure;
1178	    }
1179	    hashes->len = MD5_LENGTH + SHA1_LENGTH;
1180	} else {
1181	    hashes->len = HASH_ResultLenByOidTag(hashAlg);
1182	    if (hashes->len > sizeof(hashes->u.raw)) {
1183		ssl_MapLowLevelError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
1184		rv = SECFailure;
1185		goto done;
1186	    }
1187	    rv = PK11_HashBuf(hashAlg, hashes->u.raw, hashBuf, bufLen);
1188	    if (rv != SECSuccess) {
1189		ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
1190		rv = SECFailure;
1191	    }
1192	}
1193    }
1194    hashes->hashAlg = hashAlg;
1195
1196done:
1197    return rv;
1198}
1199
1200/* Caller must set hiLevel error code.
1201** Called from ssl3_SendServerKeyExchange and
1202**             ssl3_HandleServerKeyExchange.
1203*/
1204static SECStatus
1205ssl3_ComputeExportRSAKeyHash(SECOidTag hashAlg,
1206			     SECItem modulus, SECItem publicExponent,
1207			     SSL3Random *client_rand, SSL3Random *server_rand,
1208			     SSL3Hashes *hashes, PRBool bypassPKCS11)
1209{
1210    PRUint8     * hashBuf;
1211    PRUint8     * pBuf;
1212    SECStatus     rv 		= SECSuccess;
1213    unsigned int  bufLen;
1214    PRUint8       buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8];
1215
1216    bufLen = 2*SSL3_RANDOM_LENGTH + 2 + modulus.len + 2 + publicExponent.len;
1217    if (bufLen <= sizeof buf) {
1218    	hashBuf = buf;
1219    } else {
1220    	hashBuf = PORT_Alloc(bufLen);
1221	if (!hashBuf) {
1222	    return SECFailure;
1223	}
1224    }
1225
1226    memcpy(hashBuf, client_rand, SSL3_RANDOM_LENGTH);
1227    	pBuf = hashBuf + SSL3_RANDOM_LENGTH;
1228    memcpy(pBuf, server_rand, SSL3_RANDOM_LENGTH);
1229    	pBuf += SSL3_RANDOM_LENGTH;
1230    pBuf[0]  = (PRUint8)(modulus.len >> 8);
1231    pBuf[1]  = (PRUint8)(modulus.len);
1232    	pBuf += 2;
1233    memcpy(pBuf, modulus.data, modulus.len);
1234    	pBuf += modulus.len;
1235    pBuf[0] = (PRUint8)(publicExponent.len >> 8);
1236    pBuf[1] = (PRUint8)(publicExponent.len);
1237    	pBuf += 2;
1238    memcpy(pBuf, publicExponent.data, publicExponent.len);
1239    	pBuf += publicExponent.len;
1240    PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen);
1241
1242    rv = ssl3_ComputeCommonKeyHash(hashAlg, hashBuf, bufLen, hashes,
1243				   bypassPKCS11);
1244
1245    PRINT_BUF(95, (NULL, "RSAkey hash: ", hashBuf, bufLen));
1246    if (hashAlg == SEC_OID_UNKNOWN) {
1247	PRINT_BUF(95, (NULL, "RSAkey hash: MD5 result",
1248		  hashes->u.s.md5, MD5_LENGTH));
1249	PRINT_BUF(95, (NULL, "RSAkey hash: SHA1 result",
1250		  hashes->u.s.sha, SHA1_LENGTH));
1251    } else {
1252	PRINT_BUF(95, (NULL, "RSAkey hash: result",
1253		  hashes->u.raw, hashes->len));
1254    }
1255
1256    if (hashBuf != buf && hashBuf != NULL)
1257    	PORT_Free(hashBuf);
1258    return rv;
1259}
1260
1261/* Caller must set hiLevel error code. */
1262/* Called from ssl3_HandleServerKeyExchange. */
1263static SECStatus
1264ssl3_ComputeDHKeyHash(SECOidTag hashAlg,
1265		      SECItem dh_p, SECItem dh_g, SECItem dh_Ys,
1266		      SSL3Random *client_rand, SSL3Random *server_rand,
1267		      SSL3Hashes *hashes, PRBool bypassPKCS11)
1268{
1269    PRUint8     * hashBuf;
1270    PRUint8     * pBuf;
1271    SECStatus     rv 		= SECSuccess;
1272    unsigned int  bufLen;
1273    PRUint8       buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8];
1274
1275    bufLen = 2*SSL3_RANDOM_LENGTH + 2 + dh_p.len + 2 + dh_g.len + 2 + dh_Ys.len;
1276    if (bufLen <= sizeof buf) {
1277    	hashBuf = buf;
1278    } else {
1279    	hashBuf = PORT_Alloc(bufLen);
1280	if (!hashBuf) {
1281	    return SECFailure;
1282	}
1283    }
1284
1285    memcpy(hashBuf, client_rand, SSL3_RANDOM_LENGTH);
1286    	pBuf = hashBuf + SSL3_RANDOM_LENGTH;
1287    memcpy(pBuf, server_rand, SSL3_RANDOM_LENGTH);
1288    	pBuf += SSL3_RANDOM_LENGTH;
1289    pBuf[0]  = (PRUint8)(dh_p.len >> 8);
1290    pBuf[1]  = (PRUint8)(dh_p.len);
1291    	pBuf += 2;
1292    memcpy(pBuf, dh_p.data, dh_p.len);
1293    	pBuf += dh_p.len;
1294    pBuf[0] = (PRUint8)(dh_g.len >> 8);
1295    pBuf[1] = (PRUint8)(dh_g.len);
1296    	pBuf += 2;
1297    memcpy(pBuf, dh_g.data, dh_g.len);
1298    	pBuf += dh_g.len;
1299    pBuf[0] = (PRUint8)(dh_Ys.len >> 8);
1300    pBuf[1] = (PRUint8)(dh_Ys.len);
1301    	pBuf += 2;
1302    memcpy(pBuf, dh_Ys.data, dh_Ys.len);
1303    	pBuf += dh_Ys.len;
1304    PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen);
1305
1306    rv = ssl3_ComputeCommonKeyHash(hashAlg, hashBuf, bufLen, hashes,
1307				   bypassPKCS11);
1308
1309    PRINT_BUF(95, (NULL, "DHkey hash: ", hashBuf, bufLen));
1310    if (hashAlg == SEC_OID_UNKNOWN) {
1311	PRINT_BUF(95, (NULL, "DHkey hash: MD5 result",
1312		  hashes->u.s.md5, MD5_LENGTH));
1313	PRINT_BUF(95, (NULL, "DHkey hash: SHA1 result",
1314		  hashes->u.s.sha, SHA1_LENGTH));
1315    } else {
1316	PRINT_BUF(95, (NULL, "DHkey hash: result",
1317		  hashes->u.raw, hashes->len));
1318    }
1319
1320    if (hashBuf != buf && hashBuf != NULL)
1321    	PORT_Free(hashBuf);
1322    return rv;
1323}
1324
1325static void
1326ssl3_BumpSequenceNumber(SSL3SequenceNumber *num)
1327{
1328    num->low++;
1329    if (num->low == 0)
1330	num->high++;
1331}
1332
1333/* Called twice, only from ssl3_DestroyCipherSpec (immediately below). */
1334static void
1335ssl3_CleanupKeyMaterial(ssl3KeyMaterial *mat)
1336{
1337    if (mat->write_key != NULL) {
1338	PK11_FreeSymKey(mat->write_key);
1339	mat->write_key = NULL;
1340    }
1341    if (mat->write_mac_key != NULL) {
1342	PK11_FreeSymKey(mat->write_mac_key);
1343	mat->write_mac_key = NULL;
1344    }
1345    if (mat->write_mac_context != NULL) {
1346	PK11_DestroyContext(mat->write_mac_context, PR_TRUE);
1347	mat->write_mac_context = NULL;
1348    }
1349}
1350
1351/* Called from ssl3_SendChangeCipherSpecs() and
1352**	       ssl3_HandleChangeCipherSpecs()
1353**             ssl3_DestroySSL3Info
1354** Caller must hold SpecWriteLock.
1355*/
1356void
1357ssl3_DestroyCipherSpec(ssl3CipherSpec *spec, PRBool freeSrvName)
1358{
1359    PRBool freeit = (PRBool)(!spec->bypassCiphers);
1360/*  PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); Don't have ss! */
1361    if (spec->destroy) {
1362	spec->destroy(spec->encodeContext, freeit);
1363	spec->destroy(spec->decodeContext, freeit);
1364	spec->encodeContext = NULL; /* paranoia */
1365	spec->decodeContext = NULL;
1366    }
1367    if (spec->destroyCompressContext && spec->compressContext) {
1368	spec->destroyCompressContext(spec->compressContext, 1);
1369	spec->compressContext = NULL;
1370    }
1371    if (spec->destroyDecompressContext && spec->decompressContext) {
1372	spec->destroyDecompressContext(spec->decompressContext, 1);
1373	spec->decompressContext = NULL;
1374    }
1375    if (freeSrvName && spec->srvVirtName.data) {
1376        SECITEM_FreeItem(&spec->srvVirtName, PR_FALSE);
1377    }
1378    if (spec->master_secret != NULL) {
1379	PK11_FreeSymKey(spec->master_secret);
1380	spec->master_secret = NULL;
1381    }
1382    spec->msItem.data = NULL;
1383    spec->msItem.len  = 0;
1384    ssl3_CleanupKeyMaterial(&spec->client);
1385    ssl3_CleanupKeyMaterial(&spec->server);
1386    spec->bypassCiphers = PR_FALSE;
1387    spec->destroy=NULL;
1388    spec->destroyCompressContext = NULL;
1389    spec->destroyDecompressContext = NULL;
1390}
1391
1392/* Fill in the pending cipher spec with info from the selected ciphersuite.
1393** This is as much initialization as we can do without having key material.
1394** Called from ssl3_HandleServerHello(), ssl3_SendServerHello()
1395** Caller must hold the ssl3 handshake lock.
1396** Acquires & releases SpecWriteLock.
1397*/
1398static SECStatus
1399ssl3_SetupPendingCipherSpec(sslSocket *ss)
1400{
1401    ssl3CipherSpec *          pwSpec;
1402    ssl3CipherSpec *          cwSpec;
1403    ssl3CipherSuite           suite     = ss->ssl3.hs.cipher_suite;
1404    SSL3MACAlgorithm          mac;
1405    SSL3BulkCipher            cipher;
1406    SSL3KeyExchangeAlgorithm  kea;
1407    const ssl3CipherSuiteDef *suite_def;
1408    PRBool                    isTLS;
1409
1410    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
1411
1412    ssl_GetSpecWriteLock(ss);  /*******************************/
1413
1414    pwSpec = ss->ssl3.pwSpec;
1415    PORT_Assert(pwSpec == ss->ssl3.prSpec);
1416
1417    /* This hack provides maximal interoperability with SSL 3 servers. */
1418    cwSpec = ss->ssl3.cwSpec;
1419    if (cwSpec->mac_def->mac == mac_null) {
1420	/* SSL records are not being MACed. */
1421	cwSpec->version = ss->version;
1422    }
1423
1424    pwSpec->version  = ss->version;
1425    isTLS  = (PRBool)(pwSpec->version > SSL_LIBRARY_VERSION_3_0);
1426
1427    SSL_TRC(3, ("%d: SSL3[%d]: Set XXX Pending Cipher Suite to 0x%04x",
1428		SSL_GETPID(), ss->fd, suite));
1429
1430    suite_def = ssl_LookupCipherSuiteDef(suite);
1431    if (suite_def == NULL) {
1432	ssl_ReleaseSpecWriteLock(ss);
1433	return SECFailure;	/* error code set by ssl_LookupCipherSuiteDef */
1434    }
1435
1436    if (IS_DTLS(ss)) {
1437	/* Double-check that we did not pick an RC4 suite */
1438	PORT_Assert((suite_def->bulk_cipher_alg != cipher_rc4) &&
1439		    (suite_def->bulk_cipher_alg != cipher_rc4_40) &&
1440		    (suite_def->bulk_cipher_alg != cipher_rc4_56));
1441    }
1442
1443    cipher = suite_def->bulk_cipher_alg;
1444    kea    = suite_def->key_exchange_alg;
1445    mac    = suite_def->mac_alg;
1446    if (mac <= ssl_mac_sha && mac != ssl_mac_null && isTLS)
1447	mac += 2;
1448
1449    ss->ssl3.hs.suite_def = suite_def;
1450    ss->ssl3.hs.kea_def   = &kea_defs[kea];
1451    PORT_Assert(ss->ssl3.hs.kea_def->kea == kea);
1452
1453    pwSpec->cipher_def   = &bulk_cipher_defs[cipher];
1454    PORT_Assert(pwSpec->cipher_def->cipher == cipher);
1455
1456    pwSpec->mac_def = &mac_defs[mac];
1457    PORT_Assert(pwSpec->mac_def->mac == mac);
1458
1459    ss->sec.keyBits       = pwSpec->cipher_def->key_size        * BPB;
1460    ss->sec.secretKeyBits = pwSpec->cipher_def->secret_key_size * BPB;
1461    ss->sec.cipherType    = cipher;
1462
1463    pwSpec->encodeContext = NULL;
1464    pwSpec->decodeContext = NULL;
1465
1466    pwSpec->mac_size = pwSpec->mac_def->mac_size;
1467
1468    pwSpec->compression_method = ss->ssl3.hs.compression;
1469    pwSpec->compressContext = NULL;
1470    pwSpec->decompressContext = NULL;
1471
1472    ssl_ReleaseSpecWriteLock(ss);  /*******************************/
1473    return SECSuccess;
1474}
1475
1476#ifdef NSS_ENABLE_ZLIB
1477#define SSL3_DEFLATE_CONTEXT_SIZE sizeof(z_stream)
1478
1479static SECStatus
1480ssl3_MapZlibError(int zlib_error)
1481{
1482    switch (zlib_error) {
1483    case Z_OK:
1484        return SECSuccess;
1485    default:
1486        return SECFailure;
1487    }
1488}
1489
1490static SECStatus
1491ssl3_DeflateInit(void *void_context)
1492{
1493    z_stream *context = void_context;
1494    context->zalloc = NULL;
1495    context->zfree = NULL;
1496    context->opaque = NULL;
1497
1498    return ssl3_MapZlibError(deflateInit(context, Z_DEFAULT_COMPRESSION));
1499}
1500
1501static SECStatus
1502ssl3_InflateInit(void *void_context)
1503{
1504    z_stream *context = void_context;
1505    context->zalloc = NULL;
1506    context->zfree = NULL;
1507    context->opaque = NULL;
1508    context->next_in = NULL;
1509    context->avail_in = 0;
1510
1511    return ssl3_MapZlibError(inflateInit(context));
1512}
1513
1514static SECStatus
1515ssl3_DeflateCompress(void *void_context, unsigned char *out, int *out_len,
1516                     int maxout, const unsigned char *in, int inlen)
1517{
1518    z_stream *context = void_context;
1519
1520    if (!inlen) {
1521        *out_len = 0;
1522        return SECSuccess;
1523    }
1524
1525    context->next_in = (unsigned char*) in;
1526    context->avail_in = inlen;
1527    context->next_out = out;
1528    context->avail_out = maxout;
1529    if (deflate(context, Z_SYNC_FLUSH) != Z_OK) {
1530        return SECFailure;
1531    }
1532    if (context->avail_out == 0) {
1533        /* We ran out of space! */
1534        SSL_TRC(3, ("%d: SSL3[%d] Ran out of buffer while compressing",
1535                    SSL_GETPID()));
1536        return SECFailure;
1537    }
1538
1539    *out_len = maxout - context->avail_out;
1540    return SECSuccess;
1541}
1542
1543static SECStatus
1544ssl3_DeflateDecompress(void *void_context, unsigned char *out, int *out_len,
1545                       int maxout, const unsigned char *in, int inlen)
1546{
1547    z_stream *context = void_context;
1548
1549    if (!inlen) {
1550        *out_len = 0;
1551        return SECSuccess;
1552    }
1553
1554    context->next_in = (unsigned char*) in;
1555    context->avail_in = inlen;
1556    context->next_out = out;
1557    context->avail_out = maxout;
1558    if (inflate(context, Z_SYNC_FLUSH) != Z_OK) {
1559        PORT_SetError(SSL_ERROR_DECOMPRESSION_FAILURE);
1560        return SECFailure;
1561    }
1562
1563    *out_len = maxout - context->avail_out;
1564    return SECSuccess;
1565}
1566
1567static SECStatus
1568ssl3_DestroyCompressContext(void *void_context, PRBool unused)
1569{
1570    deflateEnd(void_context);
1571    PORT_Free(void_context);
1572    return SECSuccess;
1573}
1574
1575static SECStatus
1576ssl3_DestroyDecompressContext(void *void_context, PRBool unused)
1577{
1578    inflateEnd(void_context);
1579    PORT_Free(void_context);
1580    return SECSuccess;
1581}
1582
1583#endif /* NSS_ENABLE_ZLIB */
1584
1585/* Initialize the compression functions and contexts for the given
1586 * CipherSpec.  */
1587static SECStatus
1588ssl3_InitCompressionContext(ssl3CipherSpec *pwSpec)
1589{
1590    /* Setup the compression functions */
1591    switch (pwSpec->compression_method) {
1592    case ssl_compression_null:
1593	pwSpec->compressor = NULL;
1594	pwSpec->decompressor = NULL;
1595	pwSpec->compressContext = NULL;
1596	pwSpec->decompressContext = NULL;
1597	pwSpec->destroyCompressContext = NULL;
1598	pwSpec->destroyDecompressContext = NULL;
1599	break;
1600#ifdef NSS_ENABLE_ZLIB
1601    case ssl_compression_deflate:
1602	pwSpec->compressor = ssl3_DeflateCompress;
1603	pwSpec->decompressor = ssl3_DeflateDecompress;
1604	pwSpec->compressContext = PORT_Alloc(SSL3_DEFLATE_CONTEXT_SIZE);
1605	pwSpec->decompressContext = PORT_Alloc(SSL3_DEFLATE_CONTEXT_SIZE);
1606	pwSpec->destroyCompressContext = ssl3_DestroyCompressContext;
1607	pwSpec->destroyDecompressContext = ssl3_DestroyDecompressContext;
1608	ssl3_DeflateInit(pwSpec->compressContext);
1609	ssl3_InflateInit(pwSpec->decompressContext);
1610	break;
1611#endif /* NSS_ENABLE_ZLIB */
1612    default:
1613	PORT_Assert(0);
1614	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1615	return SECFailure;
1616    }
1617
1618    return SECSuccess;
1619}
1620
1621#ifndef NO_PKCS11_BYPASS
1622/* Initialize encryption contexts for pending spec.
1623 * MAC contexts are set up when computing the mac, not here.
1624 * Master Secret already is derived in spec->msItem
1625 * Caller holds Spec write lock.
1626 */
1627static SECStatus
1628ssl3_InitPendingContextsBypass(sslSocket *ss)
1629{
1630      ssl3CipherSpec  *  pwSpec;
1631      const ssl3BulkCipherDef *cipher_def;
1632      void *             serverContext = NULL;
1633      void *             clientContext = NULL;
1634      BLapiInitContextFunc initFn = (BLapiInitContextFunc)NULL;
1635      int                mode     = 0;
1636      unsigned int       optArg1  = 0;
1637      unsigned int       optArg2  = 0;
1638      PRBool             server_encrypts = ss->sec.isServer;
1639      SSLCipherAlgorithm calg;
1640      SECStatus          rv;
1641
1642    PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
1643    PORT_Assert(ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
1644    PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
1645
1646    pwSpec        = ss->ssl3.pwSpec;
1647    cipher_def    = pwSpec->cipher_def;
1648
1649    calg = cipher_def->calg;
1650
1651    if (calg == ssl_calg_aes_gcm) {
1652	pwSpec->encode = NULL;
1653	pwSpec->decode = NULL;
1654	pwSpec->destroy = NULL;
1655	pwSpec->encodeContext = NULL;
1656	pwSpec->decodeContext = NULL;
1657	pwSpec->aead = ssl3_AESGCMBypass;
1658	ssl3_InitCompressionContext(pwSpec);
1659	return SECSuccess;
1660    }
1661
1662    serverContext = pwSpec->server.cipher_context;
1663    clientContext = pwSpec->client.cipher_context;
1664
1665    switch (calg) {
1666    case ssl_calg_null:
1667	pwSpec->encode  = Null_Cipher;
1668	pwSpec->decode  = Null_Cipher;
1669        pwSpec->destroy = NULL;
1670	goto success;
1671
1672    case ssl_calg_rc4:
1673      	initFn = (BLapiInitContextFunc)RC4_InitContext;
1674	pwSpec->encode  = (SSLCipher) RC4_Encrypt;
1675	pwSpec->decode  = (SSLCipher) RC4_Decrypt;
1676	pwSpec->destroy = (SSLDestroy) RC4_DestroyContext;
1677	break;
1678    case ssl_calg_rc2:
1679      	initFn = (BLapiInitContextFunc)RC2_InitContext;
1680	mode = NSS_RC2_CBC;
1681	optArg1 = cipher_def->key_size;
1682	pwSpec->encode  = (SSLCipher) RC2_Encrypt;
1683	pwSpec->decode  = (SSLCipher) RC2_Decrypt;
1684	pwSpec->destroy = (SSLDestroy) RC2_DestroyContext;
1685	break;
1686    case ssl_calg_des:
1687      	initFn = (BLapiInitContextFunc)DES_InitContext;
1688	mode = NSS_DES_CBC;
1689	optArg1 = server_encrypts;
1690	pwSpec->encode  = (SSLCipher) DES_Encrypt;
1691	pwSpec->decode  = (SSLCipher) DES_Decrypt;
1692	pwSpec->destroy = (SSLDestroy) DES_DestroyContext;
1693	break;
1694    case ssl_calg_3des:
1695      	initFn = (BLapiInitContextFunc)DES_InitContext;
1696	mode = NSS_DES_EDE3_CBC;
1697	optArg1 = server_encrypts;
1698	pwSpec->encode  = (SSLCipher) DES_Encrypt;
1699	pwSpec->decode  = (SSLCipher) DES_Decrypt;
1700	pwSpec->destroy = (SSLDestroy) DES_DestroyContext;
1701	break;
1702    case ssl_calg_aes:
1703      	initFn = (BLapiInitContextFunc)AES_InitContext;
1704	mode = NSS_AES_CBC;
1705	optArg1 = server_encrypts;
1706	optArg2 = AES_BLOCK_SIZE;
1707	pwSpec->encode  = (SSLCipher) AES_Encrypt;
1708	pwSpec->decode  = (SSLCipher) AES_Decrypt;
1709	pwSpec->destroy = (SSLDestroy) AES_DestroyContext;
1710	break;
1711
1712    case ssl_calg_camellia:
1713      	initFn = (BLapiInitContextFunc)Camellia_InitContext;
1714	mode = NSS_CAMELLIA_CBC;
1715	optArg1 = server_encrypts;
1716	optArg2 = CAMELLIA_BLOCK_SIZE;
1717	pwSpec->encode  = (SSLCipher) Camellia_Encrypt;
1718	pwSpec->decode  = (SSLCipher) Camellia_Decrypt;
1719	pwSpec->destroy = (SSLDestroy) Camellia_DestroyContext;
1720	break;
1721
1722    case ssl_calg_seed:
1723      	initFn = (BLapiInitContextFunc)SEED_InitContext;
1724	mode = NSS_SEED_CBC;
1725	optArg1 = server_encrypts;
1726	optArg2 = SEED_BLOCK_SIZE;
1727	pwSpec->encode  = (SSLCipher) SEED_Encrypt;
1728	pwSpec->decode  = (SSLCipher) SEED_Decrypt;
1729	pwSpec->destroy = (SSLDestroy) SEED_DestroyContext;
1730	break;
1731
1732    case ssl_calg_idea:
1733    case ssl_calg_fortezza :
1734    default:
1735	PORT_Assert(0);
1736	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1737	goto bail_out;
1738    }
1739    rv = (*initFn)(serverContext,
1740		   pwSpec->server.write_key_item.data,
1741		   pwSpec->server.write_key_item.len,
1742		   pwSpec->server.write_iv_item.data,
1743		   mode, optArg1, optArg2);
1744    if (rv != SECSuccess) {
1745	PORT_Assert(0);
1746	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1747	goto bail_out;
1748    }
1749
1750    switch (calg) {
1751    case ssl_calg_des:
1752    case ssl_calg_3des:
1753    case ssl_calg_aes:
1754    case ssl_calg_camellia:
1755    case ssl_calg_seed:
1756	/* For block ciphers, if the server is encrypting, then the client
1757	* is decrypting, and vice versa.
1758	*/
1759        optArg1 = !optArg1;
1760        break;
1761    /* kill warnings. */
1762    case ssl_calg_null:
1763    case ssl_calg_rc4:
1764    case ssl_calg_rc2:
1765    case ssl_calg_idea:
1766    case ssl_calg_fortezza:
1767    case ssl_calg_aes_gcm:
1768        break;
1769    }
1770
1771    rv = (*initFn)(clientContext,
1772		   pwSpec->client.write_key_item.data,
1773		   pwSpec->client.write_key_item.len,
1774		   pwSpec->client.write_iv_item.data,
1775		   mode, optArg1, optArg2);
1776    if (rv != SECSuccess) {
1777	PORT_Assert(0);
1778	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1779	goto bail_out;
1780    }
1781
1782    pwSpec->encodeContext = (ss->sec.isServer) ? serverContext : clientContext;
1783    pwSpec->decodeContext = (ss->sec.isServer) ? clientContext : serverContext;
1784
1785    ssl3_InitCompressionContext(pwSpec);
1786
1787success:
1788    return SECSuccess;
1789
1790bail_out:
1791    return SECFailure;
1792}
1793#endif
1794
1795/* This function should probably be moved to pk11wrap and be named
1796 * PK11_ParamFromIVAndEffectiveKeyBits
1797 */
1798static SECItem *
1799ssl3_ParamFromIV(CK_MECHANISM_TYPE mtype, SECItem *iv, CK_ULONG ulEffectiveBits)
1800{
1801    SECItem * param = PK11_ParamFromIV(mtype, iv);
1802    if (param && param->data  && param->len >= sizeof(CK_RC2_PARAMS)) {
1803	switch (mtype) {
1804	case CKM_RC2_KEY_GEN:
1805	case CKM_RC2_ECB:
1806	case CKM_RC2_CBC:
1807	case CKM_RC2_MAC:
1808	case CKM_RC2_MAC_GENERAL:
1809	case CKM_RC2_CBC_PAD:
1810	    *(CK_RC2_PARAMS *)param->data = ulEffectiveBits;
1811	default: break;
1812	}
1813    }
1814    return param;
1815}
1816
1817/* ssl3_BuildRecordPseudoHeader writes the SSL/TLS pseudo-header (the data
1818 * which is included in the MAC or AEAD additional data) to |out| and returns
1819 * its length. See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the
1820 * definition of the AEAD additional data.
1821 *
1822 * TLS pseudo-header includes the record's version field, SSL's doesn't. Which
1823 * pseudo-header defintiion to use should be decided based on the version of
1824 * the protocol that was negotiated when the cipher spec became current, NOT
1825 * based on the version value in the record itself, and the decision is passed
1826 * to this function as the |includesVersion| argument. But, the |version|
1827 * argument should be the record's version value.
1828 */
1829static unsigned int
1830ssl3_BuildRecordPseudoHeader(unsigned char *out,
1831			     SSL3SequenceNumber seq_num,
1832			     SSL3ContentType type,
1833			     PRBool includesVersion,
1834			     SSL3ProtocolVersion version,
1835			     PRBool isDTLS,
1836			     int length)
1837{
1838    out[0] = (unsigned char)(seq_num.high >> 24);
1839    out[1] = (unsigned char)(seq_num.high >> 16);
1840    out[2] = (unsigned char)(seq_num.high >>  8);
1841    out[3] = (unsigned char)(seq_num.high >>  0);
1842    out[4] = (unsigned char)(seq_num.low  >> 24);
1843    out[5] = (unsigned char)(seq_num.low  >> 16);
1844    out[6] = (unsigned char)(seq_num.low  >>  8);
1845    out[7] = (unsigned char)(seq_num.low  >>  0);
1846    out[8] = type;
1847
1848    /* SSL3 MAC doesn't include the record's version field. */
1849    if (!includesVersion) {
1850	out[9]  = MSB(length);
1851	out[10] = LSB(length);
1852	return 11;
1853    }
1854
1855    /* TLS MAC and AEAD additional data include version. */
1856    if (isDTLS) {
1857	SSL3ProtocolVersion dtls_version;
1858
1859	dtls_version = dtls_TLSVersionToDTLSVersion(version);
1860	out[9]  = MSB(dtls_version);
1861	out[10] = LSB(dtls_version);
1862    } else {
1863	out[9]  = MSB(version);
1864	out[10] = LSB(version);
1865    }
1866    out[11] = MSB(length);
1867    out[12] = LSB(length);
1868    return 13;
1869}
1870
1871typedef SECStatus (*PK11CryptFcn)(
1872    PK11SymKey *symKey, CK_MECHANISM_TYPE mechanism, SECItem *param,
1873    unsigned char *out, unsigned int *outLen, unsigned int maxLen,
1874    const unsigned char *in, unsigned int inLen);
1875
1876static PK11CryptFcn pk11_encrypt = NULL;
1877static PK11CryptFcn pk11_decrypt = NULL;
1878
1879static PRCallOnceType resolvePK11CryptOnce;
1880
1881static PRStatus
1882ssl3_ResolvePK11CryptFunctions(void)
1883{
1884#ifdef LINUX
1885    /* On Linux we use the system NSS libraries. Look up the PK11_Encrypt and
1886     * PK11_Decrypt functions at run time. */
1887    void *handle = dlopen(NULL, RTLD_LAZY);
1888    if (!handle) {
1889	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1890	return PR_FAILURE;
1891    }
1892    pk11_encrypt = (PK11CryptFcn)dlsym(handle, "PK11_Encrypt");
1893    pk11_decrypt = (PK11CryptFcn)dlsym(handle, "PK11_Decrypt");
1894    dlclose(handle);
1895    return PR_SUCCESS;
1896#else
1897    /* On other platforms we use our own copy of NSS. PK11_Encrypt and
1898     * PK11_Decrypt are known to be available. */
1899    pk11_encrypt = PK11_Encrypt;
1900    pk11_decrypt = PK11_Decrypt;
1901    return PR_SUCCESS;
1902#endif
1903}
1904
1905/*
1906 * In NSS 3.15, PK11_Encrypt and PK11_Decrypt were added to provide access
1907 * to the AES GCM implementation in the NSS softoken. So the presence of
1908 * these two functions implies the NSS version supports AES GCM.
1909 */
1910static PRBool
1911ssl3_HasGCMSupport(void)
1912{
1913    (void)PR_CallOnce(&resolvePK11CryptOnce, ssl3_ResolvePK11CryptFunctions);
1914    return pk11_encrypt != NULL;
1915}
1916
1917/* On this socket, disable the GCM cipher suites */
1918SECStatus
1919ssl3_DisableGCMSuites(sslSocket * ss)
1920{
1921    unsigned int i;
1922
1923    for (i = 0; i < PR_ARRAY_SIZE(cipher_suite_defs); i++) {
1924	const ssl3CipherSuiteDef *cipher_def = &cipher_suite_defs[i];
1925	if (cipher_def->bulk_cipher_alg == cipher_aes_128_gcm) {
1926	    SECStatus rv = ssl3_CipherPrefSet(ss, cipher_def->cipher_suite,
1927					      PR_FALSE);
1928	    PORT_Assert(rv == SECSuccess); /* else is coding error */
1929	}
1930    }
1931    return SECSuccess;
1932}
1933
1934static SECStatus
1935ssl3_AESGCM(ssl3KeyMaterial *keys,
1936	    PRBool doDecrypt,
1937	    unsigned char *out,
1938	    int *outlen,
1939	    int maxout,
1940	    const unsigned char *in,
1941	    int inlen,
1942	    const unsigned char *additionalData,
1943	    int additionalDataLen)
1944{
1945    SECItem            param;
1946    SECStatus          rv = SECFailure;
1947    unsigned char      nonce[12];
1948    unsigned int       uOutLen;
1949    CK_GCM_PARAMS      gcmParams;
1950
1951    static const int   tagSize = 16;
1952    static const int   explicitNonceLen = 8;
1953
1954    /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the
1955     * nonce is formed. */
1956    memcpy(nonce, keys->write_iv, 4);
1957    if (doDecrypt) {
1958	memcpy(nonce + 4, in, explicitNonceLen);
1959	in += explicitNonceLen;
1960	inlen -= explicitNonceLen;
1961	*outlen = 0;
1962    } else {
1963	if (maxout < explicitNonceLen) {
1964	    PORT_SetError(SEC_ERROR_INPUT_LEN);
1965	    return SECFailure;
1966        }
1967	/* Use the 64-bit sequence number as the explicit nonce. */
1968	memcpy(nonce + 4, additionalData, explicitNonceLen);
1969	memcpy(out, additionalData, explicitNonceLen);
1970	out += explicitNonceLen;
1971	maxout -= explicitNonceLen;
1972	*outlen = explicitNonceLen;
1973    }
1974
1975    param.type = siBuffer;
1976    param.data = (unsigned char *) &gcmParams;
1977    param.len = sizeof(gcmParams);
1978    gcmParams.pIv = nonce;
1979    gcmParams.ulIvLen = sizeof(nonce);
1980    gcmParams.pAAD = (unsigned char *)additionalData;  /* const cast */
1981    gcmParams.ulAADLen = additionalDataLen;
1982    gcmParams.ulTagBits = tagSize * 8;
1983
1984    if (doDecrypt) {
1985	rv = pk11_decrypt(keys->write_key, CKM_AES_GCM, &param, out, &uOutLen,
1986			  maxout, in, inlen);
1987    } else {
1988	rv = pk11_encrypt(keys->write_key, CKM_AES_GCM, &param, out, &uOutLen,
1989			  maxout, in, inlen);
1990    }
1991    *outlen += (int) uOutLen;
1992
1993    return rv;
1994}
1995
1996#ifndef NO_PKCS11_BYPASS
1997static SECStatus
1998ssl3_AESGCMBypass(ssl3KeyMaterial *keys,
1999		  PRBool doDecrypt,
2000		  unsigned char *out,
2001		  int *outlen,
2002		  int maxout,
2003		  const unsigned char *in,
2004		  int inlen,
2005		  const unsigned char *additionalData,
2006		  int additionalDataLen)
2007{
2008    SECStatus          rv = SECFailure;
2009    unsigned char      nonce[12];
2010    unsigned int       uOutLen;
2011    AESContext        *cx;
2012    CK_GCM_PARAMS      gcmParams;
2013
2014    static const int   tagSize = 16;
2015    static const int   explicitNonceLen = 8;
2016
2017    /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the
2018     * nonce is formed. */
2019    PORT_Assert(keys->write_iv_item.len == 4);
2020    if (keys->write_iv_item.len != 4) {
2021	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
2022	return SECFailure;
2023    }
2024    memcpy(nonce, keys->write_iv_item.data, 4);
2025    if (doDecrypt) {
2026	memcpy(nonce + 4, in, explicitNonceLen);
2027	in += explicitNonceLen;
2028	inlen -= explicitNonceLen;
2029	*outlen = 0;
2030    } else {
2031	if (maxout < explicitNonceLen) {
2032	    PORT_SetError(SEC_ERROR_INPUT_LEN);
2033	    return SECFailure;
2034        }
2035	/* Use the 64-bit sequence number as the explicit nonce. */
2036	memcpy(nonce + 4, additionalData, explicitNonceLen);
2037	memcpy(out, additionalData, explicitNonceLen);
2038	out += explicitNonceLen;
2039	maxout -= explicitNonceLen;
2040	*outlen = explicitNonceLen;
2041    }
2042
2043    gcmParams.pIv = nonce;
2044    gcmParams.ulIvLen = sizeof(nonce);
2045    gcmParams.pAAD = (unsigned char *)additionalData;  /* const cast */
2046    gcmParams.ulAADLen = additionalDataLen;
2047    gcmParams.ulTagBits = tagSize * 8;
2048
2049    cx = (AESContext *)keys->cipher_context;
2050    rv = AES_InitContext(cx, keys->write_key_item.data,
2051			 keys->write_key_item.len,
2052			 (unsigned char *)&gcmParams, NSS_AES_GCM, !doDecrypt,
2053			 AES_BLOCK_SIZE);
2054    if (rv != SECSuccess) {
2055	return rv;
2056    }
2057    if (doDecrypt) {
2058	rv = AES_Decrypt(cx, out, &uOutLen, maxout, in, inlen);
2059    } else {
2060	rv = AES_Encrypt(cx, out, &uOutLen, maxout, in, inlen);
2061    }
2062    AES_DestroyContext(cx, PR_FALSE);
2063    *outlen += (int) uOutLen;
2064
2065    return rv;
2066}
2067#endif
2068
2069static SECStatus
2070ssl3_ChaCha20Poly1305(
2071	ssl3KeyMaterial *keys,
2072	PRBool doDecrypt,
2073	unsigned char *out,
2074	int *outlen,
2075	int maxout,
2076	const unsigned char *in,
2077	int inlen,
2078	const unsigned char *additionalData,
2079	int additionalDataLen)
2080{
2081    SECItem            param;
2082    SECStatus          rv = SECFailure;
2083    unsigned int       uOutLen;
2084    CK_NSS_AEAD_PARAMS aeadParams;
2085    static const int   tagSize = 16;
2086
2087    param.type = siBuffer;
2088    param.len = sizeof(aeadParams);
2089    param.data = (unsigned char *) &aeadParams;
2090    memset(&aeadParams, 0, sizeof(aeadParams));
2091    aeadParams.pIv = (unsigned char *) additionalData;
2092    aeadParams.ulIvLen = 8;
2093    aeadParams.pAAD = (unsigned char *) additionalData;
2094    aeadParams.ulAADLen = additionalDataLen;
2095    aeadParams.ulTagLen = tagSize;
2096
2097    if (doDecrypt) {
2098	rv = pk11_decrypt(keys->write_key, CKM_NSS_CHACHA20_POLY1305, &param,
2099			  out, &uOutLen, maxout, in, inlen);
2100    } else {
2101	rv = pk11_encrypt(keys->write_key, CKM_NSS_CHACHA20_POLY1305, &param,
2102			  out, &uOutLen, maxout, in, inlen);
2103    }
2104    *outlen = (int) uOutLen;
2105
2106    return rv;
2107}
2108
2109/* Initialize encryption and MAC contexts for pending spec.
2110 * Master Secret already is derived.
2111 * Caller holds Spec write lock.
2112 */
2113static SECStatus
2114ssl3_InitPendingContextsPKCS11(sslSocket *ss)
2115{
2116      ssl3CipherSpec  *  pwSpec;
2117      const ssl3BulkCipherDef *cipher_def;
2118      PK11Context *      serverContext = NULL;
2119      PK11Context *      clientContext = NULL;
2120      SECItem *          param;
2121      CK_MECHANISM_TYPE  mechanism;
2122      CK_MECHANISM_TYPE  mac_mech;
2123      CK_ULONG           macLength;
2124      CK_ULONG           effKeyBits;
2125      SECItem            iv;
2126      SECItem            mac_param;
2127      SSLCipherAlgorithm calg;
2128
2129    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
2130    PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
2131    PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
2132
2133    pwSpec        = ss->ssl3.pwSpec;
2134    cipher_def    = pwSpec->cipher_def;
2135    macLength     = pwSpec->mac_size;
2136    calg          = cipher_def->calg;
2137    PORT_Assert(alg2Mech[calg].calg == calg);
2138
2139    pwSpec->client.write_mac_context = NULL;
2140    pwSpec->server.write_mac_context = NULL;
2141
2142    if (calg == calg_aes_gcm || calg == calg_chacha20) {
2143	pwSpec->encode = NULL;
2144	pwSpec->decode = NULL;
2145	pwSpec->destroy = NULL;
2146	pwSpec->encodeContext = NULL;
2147	pwSpec->decodeContext = NULL;
2148	if (calg == calg_aes_gcm) {
2149	    pwSpec->aead = ssl3_AESGCM;
2150	} else {
2151	    pwSpec->aead = ssl3_ChaCha20Poly1305;
2152	}
2153	return SECSuccess;
2154    }
2155
2156    /*
2157    ** Now setup the MAC contexts,
2158    **   crypto contexts are setup below.
2159    */
2160
2161    mac_mech       = pwSpec->mac_def->mmech;
2162    mac_param.data = (unsigned char *)&macLength;
2163    mac_param.len  = sizeof(macLength);
2164    mac_param.type = 0;
2165
2166    pwSpec->client.write_mac_context = PK11_CreateContextBySymKey(
2167	    mac_mech, CKA_SIGN, pwSpec->client.write_mac_key, &mac_param);
2168    if (pwSpec->client.write_mac_context == NULL)  {
2169	ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
2170	goto fail;
2171    }
2172    pwSpec->server.write_mac_context = PK11_CreateContextBySymKey(
2173	    mac_mech, CKA_SIGN, pwSpec->server.write_mac_key, &mac_param);
2174    if (pwSpec->server.write_mac_context == NULL) {
2175	ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
2176	goto fail;
2177    }
2178
2179    /*
2180    ** Now setup the crypto contexts.
2181    */
2182
2183    if (calg == calg_null) {
2184	pwSpec->encode  = Null_Cipher;
2185	pwSpec->decode  = Null_Cipher;
2186	pwSpec->destroy = NULL;
2187	return SECSuccess;
2188    }
2189    mechanism = alg2Mech[calg].cmech;
2190    effKeyBits = cipher_def->key_size * BPB;
2191
2192    /*
2193     * build the server context
2194     */
2195    iv.data = pwSpec->server.write_iv;
2196    iv.len  = cipher_def->iv_size;
2197    param = ssl3_ParamFromIV(mechanism, &iv, effKeyBits);
2198    if (param == NULL) {
2199	ssl_MapLowLevelError(SSL_ERROR_IV_PARAM_FAILURE);
2200    	goto fail;
2201    }
2202    serverContext = PK11_CreateContextBySymKey(mechanism,
2203				(ss->sec.isServer ? CKA_ENCRYPT : CKA_DECRYPT),
2204				pwSpec->server.write_key, param);
2205    iv.data = PK11_IVFromParam(mechanism, param, (int *)&iv.len);
2206    if (iv.data)
2207    	PORT_Memcpy(pwSpec->server.write_iv, iv.data, iv.len);
2208    SECITEM_FreeItem(param, PR_TRUE);
2209    if (serverContext == NULL) {
2210	ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
2211    	goto fail;
2212    }
2213
2214    /*
2215     * build the client context
2216     */
2217    iv.data = pwSpec->client.write_iv;
2218    iv.len  = cipher_def->iv_size;
2219
2220    param = ssl3_ParamFromIV(mechanism, &iv, effKeyBits);
2221    if (param == NULL) {
2222	ssl_MapLowLevelError(SSL_ERROR_IV_PARAM_FAILURE);
2223    	goto fail;
2224    }
2225    clientContext = PK11_CreateContextBySymKey(mechanism,
2226				(ss->sec.isServer ? CKA_DECRYPT : CKA_ENCRYPT),
2227				pwSpec->client.write_key, param);
2228    iv.data = PK11_IVFromParam(mechanism, param, (int *)&iv.len);
2229    if (iv.data)
2230    	PORT_Memcpy(pwSpec->client.write_iv, iv.data, iv.len);
2231    SECITEM_FreeItem(param,PR_TRUE);
2232    if (clientContext == NULL) {
2233	ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
2234    	goto fail;
2235    }
2236    pwSpec->encode  = (SSLCipher) PK11_CipherOp;
2237    pwSpec->decode  = (SSLCipher) PK11_CipherOp;
2238    pwSpec->destroy = (SSLDestroy) PK11_DestroyContext;
2239
2240    pwSpec->encodeContext = (ss->sec.isServer) ? serverContext : clientContext;
2241    pwSpec->decodeContext = (ss->sec.isServer) ? clientContext : serverContext;
2242
2243    serverContext = NULL;
2244    clientContext = NULL;
2245
2246    ssl3_InitCompressionContext(pwSpec);
2247
2248    return SECSuccess;
2249
2250fail:
2251    if (serverContext != NULL) PK11_DestroyContext(serverContext, PR_TRUE);
2252    if (clientContext != NULL) PK11_DestroyContext(clientContext, PR_TRUE);
2253    if (pwSpec->client.write_mac_context != NULL) {
2254    	PK11_DestroyContext(pwSpec->client.write_mac_context,PR_TRUE);
2255	pwSpec->client.write_mac_context = NULL;
2256    }
2257    if (pwSpec->server.write_mac_context != NULL) {
2258    	PK11_DestroyContext(pwSpec->server.write_mac_context,PR_TRUE);
2259	pwSpec->server.write_mac_context = NULL;
2260    }
2261
2262    return SECFailure;
2263}
2264
2265/* Complete the initialization of all keys, ciphers, MACs and their contexts
2266 * for the pending Cipher Spec.
2267 * Called from: ssl3_SendClientKeyExchange 	(for Full handshake)
2268 *              ssl3_HandleRSAClientKeyExchange	(for Full handshake)
2269 *              ssl3_HandleServerHello		(for session restart)
2270 *              ssl3_HandleClientHello		(for session restart)
2271 * Sets error code, but caller probably should override to disambiguate.
2272 * NULL pms means re-use old master_secret.
2273 *
2274 * This code is common to the bypass and PKCS11 execution paths.
2275 * For the bypass case,  pms is NULL.
2276 */
2277SECStatus
2278ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms)
2279{
2280    ssl3CipherSpec  *  pwSpec;
2281    ssl3CipherSpec  *  cwSpec;
2282    SECStatus          rv;
2283
2284    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
2285
2286    ssl_GetSpecWriteLock(ss);	/**************************************/
2287
2288    PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
2289
2290    pwSpec        = ss->ssl3.pwSpec;
2291    cwSpec        = ss->ssl3.cwSpec;
2292
2293    if (pms || (!pwSpec->msItem.len && !pwSpec->master_secret)) {
2294	rv = ssl3_DeriveMasterSecret(ss, pms);
2295	if (rv != SECSuccess) {
2296	    goto done;  /* err code set by ssl3_DeriveMasterSecret */
2297	}
2298    }
2299#ifndef NO_PKCS11_BYPASS
2300    if (ss->opt.bypassPKCS11 && pwSpec->msItem.len && pwSpec->msItem.data) {
2301	/* Double Bypass succeeded in extracting the master_secret */
2302	const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def;
2303	PRBool             isTLS   = (PRBool)(kea_def->tls_keygen ||
2304                                (pwSpec->version > SSL_LIBRARY_VERSION_3_0));
2305	pwSpec->bypassCiphers = PR_TRUE;
2306	rv = ssl3_KeyAndMacDeriveBypass( pwSpec,
2307			     (const unsigned char *)&ss->ssl3.hs.client_random,
2308			     (const unsigned char *)&ss->ssl3.hs.server_random,
2309			     isTLS,
2310			     (PRBool)(kea_def->is_limited));
2311	if (rv == SECSuccess) {
2312	    rv = ssl3_InitPendingContextsBypass(ss);
2313	}
2314    } else
2315#endif
2316    if (pwSpec->master_secret) {
2317	rv = ssl3_DeriveConnectionKeysPKCS11(ss);
2318	if (rv == SECSuccess) {
2319	    rv = ssl3_InitPendingContextsPKCS11(ss);
2320	}
2321    } else {
2322	PORT_Assert(pwSpec->master_secret);
2323	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
2324	rv = SECFailure;
2325    }
2326    if (rv != SECSuccess) {
2327	goto done;
2328    }
2329
2330    /* Generic behaviors -- common to all crypto methods */
2331    if (!IS_DTLS(ss)) {
2332	pwSpec->read_seq_num.high = pwSpec->write_seq_num.high = 0;
2333    } else {
2334	if (cwSpec->epoch == PR_UINT16_MAX) {
2335	    /* The problem here is that we have rehandshaked too many
2336	     * times (you are not allowed to wrap the epoch). The
2337	     * spec says you should be discarding the connection
2338	     * and start over, so not much we can do here. */
2339	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
2340	    rv = SECFailure;
2341	    goto done;
2342	}
2343	/* The sequence number has the high 16 bits as the epoch. */
2344	pwSpec->epoch = cwSpec->epoch + 1;
2345	pwSpec->read_seq_num.high = pwSpec->write_seq_num.high =
2346	    pwSpec->epoch << 16;
2347
2348	dtls_InitRecvdRecords(&pwSpec->recvdRecords);
2349    }
2350    pwSpec->read_seq_num.low = pwSpec->write_seq_num.low = 0;
2351
2352done:
2353    ssl_ReleaseSpecWriteLock(ss);	/******************************/
2354    if (rv != SECSuccess)
2355	ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
2356    return rv;
2357}
2358
2359/*
2360 * 60 bytes is 3 times the maximum length MAC size that is supported.
2361 */
2362static const unsigned char mac_pad_1 [60] = {
2363    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
2364    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
2365    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
2366    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
2367    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
2368    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
2369    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
2370    0x36, 0x36, 0x36, 0x36
2371};
2372static const unsigned char mac_pad_2 [60] = {
2373    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
2374    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
2375    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
2376    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
2377    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
2378    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
2379    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
2380    0x5c, 0x5c, 0x5c, 0x5c
2381};
2382
2383/* Called from: ssl3_SendRecord()
2384** Caller must already hold the SpecReadLock. (wish we could assert that!)
2385*/
2386static SECStatus
2387ssl3_ComputeRecordMAC(
2388    ssl3CipherSpec *   spec,
2389    PRBool             useServerMacKey,
2390    const unsigned char *header,
2391    unsigned int       headerLen,
2392    const SSL3Opaque * input,
2393    int                inputLength,
2394    unsigned char *    outbuf,
2395    unsigned int *     outLength)
2396{
2397    const ssl3MACDef * mac_def;
2398    SECStatus          rv;
2399
2400    PRINT_BUF(95, (NULL, "frag hash1: header", header, headerLen));
2401    PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength));
2402
2403    mac_def = spec->mac_def;
2404    if (mac_def->mac == mac_null) {
2405	*outLength = 0;
2406	return SECSuccess;
2407    }
2408#ifndef NO_PKCS11_BYPASS
2409    if (spec->bypassCiphers) {
2410	/* bypass version */
2411	const SECHashObject *hashObj = NULL;
2412	unsigned int       pad_bytes = 0;
2413	PRUint64           write_mac_context[MAX_MAC_CONTEXT_LLONGS];
2414
2415	switch (mac_def->mac) {
2416	case ssl_mac_null:
2417	    *outLength = 0;
2418	    return SECSuccess;
2419	case ssl_mac_md5:
2420	    pad_bytes = 48;
2421	    hashObj = HASH_GetRawHashObject(HASH_AlgMD5);
2422	    break;
2423	case ssl_mac_sha:
2424	    pad_bytes = 40;
2425	    hashObj = HASH_GetRawHashObject(HASH_AlgSHA1);
2426	    break;
2427	case ssl_hmac_md5: /* used with TLS */
2428	    hashObj = HASH_GetRawHashObject(HASH_AlgMD5);
2429	    break;
2430	case ssl_hmac_sha: /* used with TLS */
2431	    hashObj = HASH_GetRawHashObject(HASH_AlgSHA1);
2432	    break;
2433	case ssl_hmac_sha256: /* used with TLS */
2434	    hashObj = HASH_GetRawHashObject(HASH_AlgSHA256);
2435	    break;
2436	default:
2437	    break;
2438	}
2439	if (!hashObj) {
2440	    PORT_Assert(0);
2441	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
2442	    return SECFailure;
2443	}
2444
2445	if (spec->version <= SSL_LIBRARY_VERSION_3_0) {
2446	    unsigned int tempLen;
2447	    unsigned char temp[MAX_MAC_LENGTH];
2448
2449	    /* compute "inner" part of SSL3 MAC */
2450	    hashObj->begin(write_mac_context);
2451	    if (useServerMacKey)
2452		hashObj->update(write_mac_context,
2453				spec->server.write_mac_key_item.data,
2454				spec->server.write_mac_key_item.len);
2455	    else
2456		hashObj->update(write_mac_context,
2457				spec->client.write_mac_key_item.data,
2458				spec->client.write_mac_key_item.len);
2459	    hashObj->update(write_mac_context, mac_pad_1, pad_bytes);
2460	    hashObj->update(write_mac_context, header, headerLen);
2461	    hashObj->update(write_mac_context, input, inputLength);
2462	    hashObj->end(write_mac_context,    temp, &tempLen, sizeof temp);
2463
2464	    /* compute "outer" part of SSL3 MAC */
2465	    hashObj->begin(write_mac_context);
2466	    if (useServerMacKey)
2467		hashObj->update(write_mac_context,
2468				spec->server.write_mac_key_item.data,
2469				spec->server.write_mac_key_item.len);
2470	    else
2471		hashObj->update(write_mac_context,
2472				spec->client.write_mac_key_item.data,
2473				spec->client.write_mac_key_item.len);
2474	    hashObj->update(write_mac_context, mac_pad_2, pad_bytes);
2475	    hashObj->update(write_mac_context, temp, tempLen);
2476	    hashObj->end(write_mac_context, outbuf, outLength, spec->mac_size);
2477	    rv = SECSuccess;
2478	} else { /* is TLS */
2479#define cx ((HMACContext *)write_mac_context)
2480	    if (useServerMacKey) {
2481		rv = HMAC_Init(cx, hashObj,
2482			       spec->server.write_mac_key_item.data,
2483			       spec->server.write_mac_key_item.len, PR_FALSE);
2484	    } else {
2485		rv = HMAC_Init(cx, hashObj,
2486			       spec->client.write_mac_key_item.data,
2487			       spec->client.write_mac_key_item.len, PR_FALSE);
2488	    }
2489	    if (rv == SECSuccess) {
2490		HMAC_Begin(cx);
2491		HMAC_Update(cx, header, headerLen);
2492		HMAC_Update(cx, input, inputLength);
2493		rv = HMAC_Finish(cx, outbuf, outLength, spec->mac_size);
2494		HMAC_Destroy(cx, PR_FALSE);
2495	    }
2496#undef cx
2497	}
2498    } else
2499#endif
2500    {
2501	PK11Context *mac_context =
2502	    (useServerMacKey ? spec->server.write_mac_context
2503	                     : spec->client.write_mac_context);
2504	rv  = PK11_DigestBegin(mac_context);
2505	rv |= PK11_DigestOp(mac_context, header, headerLen);
2506	rv |= PK11_DigestOp(mac_context, input, inputLength);
2507	rv |= PK11_DigestFinal(mac_context, outbuf, outLength, spec->mac_size);
2508    }
2509
2510    PORT_Assert(rv != SECSuccess || *outLength == (unsigned)spec->mac_size);
2511
2512    PRINT_BUF(95, (NULL, "frag hash2: result", outbuf, *outLength));
2513
2514    if (rv != SECSuccess) {
2515    	rv = SECFailure;
2516	ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
2517    }
2518    return rv;
2519}
2520
2521/* Called from: ssl3_HandleRecord()
2522 * Caller must already hold the SpecReadLock. (wish we could assert that!)
2523 *
2524 * On entry:
2525 *   originalLen >= inputLen >= MAC size
2526*/
2527static SECStatus
2528ssl3_ComputeRecordMACConstantTime(
2529    ssl3CipherSpec *   spec,
2530    PRBool             useServerMacKey,
2531    const unsigned char *header,
2532    unsigned int       headerLen,
2533    const SSL3Opaque * input,
2534    int                inputLen,
2535    int                originalLen,
2536    unsigned char *    outbuf,
2537    unsigned int *     outLen)
2538{
2539    CK_MECHANISM_TYPE            macType;
2540    CK_NSS_MAC_CONSTANT_TIME_PARAMS params;
2541    SECItem                      param, inputItem, outputItem;
2542    SECStatus                    rv;
2543    PK11SymKey *                 key;
2544
2545    PORT_Assert(inputLen >= spec->mac_size);
2546    PORT_Assert(originalLen >= inputLen);
2547
2548    if (spec->bypassCiphers) {
2549	/* This function doesn't support PKCS#11 bypass. We fallback on the
2550	 * non-constant time version. */
2551	goto fallback;
2552    }
2553
2554    if (spec->mac_def->mac == mac_null) {
2555	*outLen = 0;
2556	return SECSuccess;
2557    }
2558
2559    macType = CKM_NSS_HMAC_CONSTANT_TIME;
2560    if (spec->version <= SSL_LIBRARY_VERSION_3_0) {
2561	macType = CKM_NSS_SSL3_MAC_CONSTANT_TIME;
2562    }
2563
2564    params.macAlg = spec->mac_def->mmech;
2565    params.ulBodyTotalLen = originalLen;
2566    params.pHeader = (unsigned char *) header;  /* const cast */
2567    params.ulHeaderLen = headerLen;
2568
2569    param.data = (unsigned char*) &params;
2570    param.len = sizeof(params);
2571    param.type = 0;
2572
2573    inputItem.data = (unsigned char *) input;
2574    inputItem.len = inputLen;
2575    inputItem.type = 0;
2576
2577    outputItem.data = outbuf;
2578    outputItem.len = *outLen;
2579    outputItem.type = 0;
2580
2581    key = spec->server.write_mac_key;
2582    if (!useServerMacKey) {
2583	key = spec->client.write_mac_key;
2584    }
2585
2586    rv = PK11_SignWithSymKey(key, macType, &param, &outputItem, &inputItem);
2587    if (rv != SECSuccess) {
2588	if (PORT_GetError() == SEC_ERROR_INVALID_ALGORITHM) {
2589	    goto fallback;
2590	}
2591
2592	*outLen = 0;
2593	rv = SECFailure;
2594	ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
2595	return rv;
2596    }
2597
2598    PORT_Assert(outputItem.len == (unsigned)spec->mac_size);
2599    *outLen = outputItem.len;
2600
2601    return rv;
2602
2603fallback:
2604    /* ssl3_ComputeRecordMAC expects the MAC to have been removed from the
2605     * length already. */
2606    inputLen -= spec->mac_size;
2607    return ssl3_ComputeRecordMAC(spec, useServerMacKey, header, headerLen,
2608				 input, inputLen, outbuf, outLen);
2609}
2610
2611static PRBool
2612ssl3_ClientAuthTokenPresent(sslSessionID *sid) {
2613    PK11SlotInfo *slot = NULL;
2614    PRBool isPresent = PR_TRUE;
2615
2616    /* we only care if we are doing client auth */
2617    /* If NSS_PLATFORM_CLIENT_AUTH is defined and a platformClientKey is being
2618     * used, u.ssl3.clAuthValid will be false and this function will always
2619     * return PR_TRUE. */
2620    if (!sid || !sid->u.ssl3.clAuthValid) {
2621	return PR_TRUE;
2622    }
2623
2624    /* get the slot */
2625    slot = SECMOD_LookupSlot(sid->u.ssl3.clAuthModuleID,
2626	                     sid->u.ssl3.clAuthSlotID);
2627    if (slot == NULL ||
2628	!PK11_IsPresent(slot) ||
2629	sid->u.ssl3.clAuthSeries     != PK11_GetSlotSeries(slot) ||
2630	sid->u.ssl3.clAuthSlotID     != PK11_GetSlotID(slot)     ||
2631	sid->u.ssl3.clAuthModuleID   != PK11_GetModuleID(slot)   ||
2632	(PK11_NeedLogin(slot) && !PK11_IsLoggedIn(slot, NULL))) {
2633	isPresent = PR_FALSE;
2634    }
2635    if (slot) {
2636	PK11_FreeSlot(slot);
2637    }
2638    return isPresent;
2639}
2640
2641/* Caller must hold the spec read lock. */
2642SECStatus
2643ssl3_CompressMACEncryptRecord(ssl3CipherSpec *   cwSpec,
2644		              PRBool             isServer,
2645			      PRBool             isDTLS,
2646			      PRBool             capRecordVersion,
2647                              SSL3ContentType    type,
2648		              const SSL3Opaque * pIn,
2649		              PRUint32           contentLen,
2650		              sslBuffer *        wrBuf)
2651{
2652    const ssl3BulkCipherDef * cipher_def;
2653    SECStatus                 rv;
2654    PRUint32                  macLen = 0;
2655    PRUint32                  fragLen;
2656    PRUint32  p1Len, p2Len, oddLen = 0;
2657    PRUint16                  headerLen;
2658    int                       ivLen = 0;
2659    int                       cipherBytes = 0;
2660    unsigned char             pseudoHeader[13];
2661    unsigned int              pseudoHeaderLen;
2662
2663    cipher_def = cwSpec->cipher_def;
2664    headerLen = isDTLS ? DTLS_RECORD_HEADER_LENGTH : SSL3_RECORD_HEADER_LENGTH;
2665
2666    if (cipher_def->type == type_block &&
2667	cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) {
2668	/* Prepend the per-record explicit IV using technique 2b from
2669	 * RFC 4346 section 6.2.3.2: The IV is a cryptographically
2670	 * strong random number XORed with the CBC residue from the previous
2671	 * record.
2672	 */
2673	ivLen = cipher_def->iv_size;
2674	if (ivLen > wrBuf->space - headerLen) {
2675	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
2676	    return SECFailure;
2677	}
2678	rv = PK11_GenerateRandom(wrBuf->buf + headerLen, ivLen);
2679	if (rv != SECSuccess) {
2680	    ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
2681	    return rv;
2682	}
2683	rv = cwSpec->encode( cwSpec->encodeContext,
2684	    wrBuf->buf + headerLen,
2685	    &cipherBytes,                       /* output and actual outLen */
2686	    ivLen,                              /* max outlen */
2687	    wrBuf->buf + headerLen,
2688	    ivLen);                             /* input and inputLen*/
2689	if (rv != SECSuccess || cipherBytes != ivLen) {
2690	    PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
2691	    return SECFailure;
2692	}
2693    }
2694
2695    if (cwSpec->compressor) {
2696	int outlen;
2697	rv = cwSpec->compressor(
2698	    cwSpec->compressContext,
2699	    wrBuf->buf + headerLen + ivLen, &outlen,
2700	    wrBuf->space - headerLen - ivLen, pIn, contentLen);
2701	if (rv != SECSuccess)
2702	    return rv;
2703	pIn = wrBuf->buf + headerLen + ivLen;
2704	contentLen = outlen;
2705    }
2706
2707    pseudoHeaderLen = ssl3_BuildRecordPseudoHeader(
2708	pseudoHeader, cwSpec->write_seq_num, type,
2709	cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_0, cwSpec->version,
2710	isDTLS, contentLen);
2711    PORT_Assert(pseudoHeaderLen <= sizeof(pseudoHeader));
2712    if (cipher_def->type == type_aead) {
2713	const int nonceLen = cipher_def->explicit_nonce_size;
2714	const int tagLen = cipher_def->tag_size;
2715
2716	if (headerLen + nonceLen + contentLen + tagLen > wrBuf->space) {
2717	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
2718	    return SECFailure;
2719	}
2720
2721	cipherBytes = contentLen;
2722	rv = cwSpec->aead(
2723		isServer ? &cwSpec->server : &cwSpec->client,
2724		PR_FALSE,                                   /* do encrypt */
2725		wrBuf->buf + headerLen,                     /* output  */
2726		&cipherBytes,                               /* out len */
2727		wrBuf->space - headerLen,                   /* max out */
2728		pIn, contentLen,                            /* input   */
2729		pseudoHeader, pseudoHeaderLen);
2730	if (rv != SECSuccess) {
2731	    PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
2732	    return SECFailure;
2733	}
2734    } else {
2735	/*
2736	 * Add the MAC
2737	 */
2738	rv = ssl3_ComputeRecordMAC(cwSpec, isServer,
2739	    pseudoHeader, pseudoHeaderLen, pIn, contentLen,
2740	    wrBuf->buf + headerLen + ivLen + contentLen, &macLen);
2741	if (rv != SECSuccess) {
2742	    ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
2743	    return SECFailure;
2744	}
2745	p1Len   = contentLen;
2746	p2Len   = macLen;
2747	fragLen = contentLen + macLen;	/* needs to be encrypted */
2748	PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024);
2749
2750	/*
2751	 * Pad the text (if we're doing a block cipher)
2752	 * then Encrypt it
2753	 */
2754	if (cipher_def->type == type_block) {
2755	    unsigned char * pBuf;
2756	    int             padding_length;
2757	    int             i;
2758
2759	    oddLen = contentLen % cipher_def->block_size;
2760	    /* Assume blockSize is a power of two */
2761	    padding_length = cipher_def->block_size - 1 -
2762			    ((fragLen) & (cipher_def->block_size - 1));
2763	    fragLen += padding_length + 1;
2764	    PORT_Assert((fragLen % cipher_def->block_size) == 0);
2765
2766	    /* Pad according to TLS rules (also acceptable to SSL3). */
2767	    pBuf = &wrBuf->buf[headerLen + ivLen + fragLen - 1];
2768	    for (i = padding_length + 1; i > 0; --i) {
2769		*pBuf-- = padding_length;
2770	    }
2771	    /* now, if contentLen is not a multiple of block size, fix it */
2772	    p2Len = fragLen - p1Len;
2773	}
2774	if (p1Len < 256) {
2775	    oddLen = p1Len;
2776	    p1Len = 0;
2777	} else {
2778	    p1Len -= oddLen;
2779	}
2780	if (oddLen) {
2781	    p2Len += oddLen;
2782	    PORT_Assert( (cipher_def->block_size < 2) || \
2783			 (p2Len % cipher_def->block_size) == 0);
2784	    memmove(wrBuf->buf + headerLen + ivLen + p1Len, pIn + p1Len,
2785		    oddLen);
2786	}
2787	if (p1Len > 0) {
2788	    int cipherBytesPart1 = -1;
2789	    rv = cwSpec->encode( cwSpec->encodeContext,
2790		wrBuf->buf + headerLen + ivLen,         /* output */
2791		&cipherBytesPart1,                      /* actual outlen */
2792		p1Len,                                  /* max outlen */
2793		pIn, p1Len);                      /* input, and inputlen */
2794	    PORT_Assert(rv == SECSuccess && cipherBytesPart1 == (int) p1Len);
2795	    if (rv != SECSuccess || cipherBytesPart1 != (int) p1Len) {
2796		PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
2797		return SECFailure;
2798	    }
2799	    cipherBytes += cipherBytesPart1;
2800	}
2801	if (p2Len > 0) {
2802	    int cipherBytesPart2 = -1;
2803	    rv = cwSpec->encode( cwSpec->encodeContext,
2804		wrBuf->buf + headerLen + ivLen + p1Len,
2805		&cipherBytesPart2,          /* output and actual outLen */
2806		p2Len,                             /* max outlen */
2807		wrBuf->buf + headerLen + ivLen + p1Len,
2808		p2Len);                            /* input and inputLen*/
2809	    PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len);
2810	    if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) {
2811		PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
2812		return SECFailure;
2813	    }
2814	    cipherBytes += cipherBytesPart2;
2815	}
2816    }
2817
2818    PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024);
2819
2820    wrBuf->len    = cipherBytes + headerLen;
2821    wrBuf->buf[0] = type;
2822    if (isDTLS) {
2823	SSL3ProtocolVersion version;
2824
2825	version = dtls_TLSVersionToDTLSVersion(cwSpec->version);
2826	wrBuf->buf[1] = MSB(version);
2827	wrBuf->buf[2] = LSB(version);
2828	wrBuf->buf[3] = (unsigned char)(cwSpec->write_seq_num.high >> 24);
2829	wrBuf->buf[4] = (unsigned char)(cwSpec->write_seq_num.high >> 16);
2830	wrBuf->buf[5] = (unsigned char)(cwSpec->write_seq_num.high >>  8);
2831	wrBuf->buf[6] = (unsigned char)(cwSpec->write_seq_num.high >>  0);
2832	wrBuf->buf[7] = (unsigned char)(cwSpec->write_seq_num.low  >> 24);
2833	wrBuf->buf[8] = (unsigned char)(cwSpec->write_seq_num.low  >> 16);
2834	wrBuf->buf[9] = (unsigned char)(cwSpec->write_seq_num.low  >>  8);
2835	wrBuf->buf[10] = (unsigned char)(cwSpec->write_seq_num.low >>  0);
2836	wrBuf->buf[11] = MSB(cipherBytes);
2837	wrBuf->buf[12] = LSB(cipherBytes);
2838    } else {
2839	SSL3ProtocolVersion version = cwSpec->version;
2840
2841	if (capRecordVersion) {
2842	    version = PR_MIN(SSL_LIBRARY_VERSION_TLS_1_0, version);
2843	}
2844	wrBuf->buf[1] = MSB(version);
2845	wrBuf->buf[2] = LSB(version);
2846	wrBuf->buf[3] = MSB(cipherBytes);
2847	wrBuf->buf[4] = LSB(cipherBytes);
2848    }
2849
2850    ssl3_BumpSequenceNumber(&cwSpec->write_seq_num);
2851
2852    return SECSuccess;
2853}
2854
2855/* Process the plain text before sending it.
2856 * Returns the number of bytes of plaintext that were successfully sent
2857 * 	plus the number of bytes of plaintext that were copied into the
2858 *	output (write) buffer.
2859 * Returns SECFailure on a hard IO error, memory error, or crypto error.
2860 * Does NOT return SECWouldBlock.
2861 *
2862 * Notes on the use of the private ssl flags:
2863 * (no private SSL flags)
2864 *    Attempt to make and send SSL records for all plaintext
2865 *    If non-blocking and a send gets WOULD_BLOCK,
2866 *    or if the pending (ciphertext) buffer is not empty,
2867 *    then buffer remaining bytes of ciphertext into pending buf,
2868 *    and continue to do that for all succssive records until all
2869 *    bytes are used.
2870 * ssl_SEND_FLAG_FORCE_INTO_BUFFER
2871 *    As above, except this suppresses all write attempts, and forces
2872 *    all ciphertext into the pending ciphertext buffer.
2873 * ssl_SEND_FLAG_USE_EPOCH (for DTLS)
2874 *    Forces the use of the provided epoch
2875 * ssl_SEND_FLAG_CAP_RECORD_VERSION
2876 *    Caps the record layer version number of TLS ClientHello to { 3, 1 }
2877 *    (TLS 1.0). Some TLS 1.0 servers (which seem to use F5 BIG-IP) ignore
2878 *    ClientHello.client_version and use the record layer version number
2879 *    (TLSPlaintext.version) instead when negotiating protocol versions. In
2880 *    addition, if the record layer version number of ClientHello is { 3, 2 }
2881 *    (TLS 1.1) or higher, these servers reset the TCP connections. Lastly,
2882 *    some F5 BIG-IP servers hang if a record containing a ClientHello has a
2883 *    version greater than { 3, 1 } and a length greater than 255. Set this
2884 *    flag to work around such servers.
2885 */
2886PRInt32
2887ssl3_SendRecord(   sslSocket *        ss,
2888                   DTLSEpoch          epoch, /* DTLS only */
2889                   SSL3ContentType    type,
2890		   const SSL3Opaque * pIn,   /* input buffer */
2891		   PRInt32            nIn,   /* bytes of input */
2892		   PRInt32            flags)
2893{
2894    sslBuffer      *          wrBuf 	  = &ss->sec.writeBuf;
2895    SECStatus                 rv;
2896    PRInt32                   totalSent   = 0;
2897    PRBool                    capRecordVersion;
2898
2899    SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s nIn=%d",
2900		SSL_GETPID(), ss->fd, ssl3_DecodeContentType(type),
2901		nIn));
2902    PRINT_BUF(50, (ss, "Send record (plain text)", pIn, nIn));
2903
2904    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
2905
2906    capRecordVersion = ((flags & ssl_SEND_FLAG_CAP_RECORD_VERSION) != 0);
2907
2908    if (capRecordVersion) {
2909	/* ssl_SEND_FLAG_CAP_RECORD_VERSION can only be used with the
2910	 * TLS initial ClientHello. */
2911	PORT_Assert(!IS_DTLS(ss));
2912	PORT_Assert(!ss->firstHsDone);
2913	PORT_Assert(type == content_handshake);
2914	PORT_Assert(ss->ssl3.hs.ws == wait_server_hello);
2915    }
2916
2917    if (ss->ssl3.initialized == PR_FALSE) {
2918	/* This can happen on a server if the very first incoming record
2919	** looks like a defective ssl3 record (e.g. too long), and we're
2920	** trying to send an alert.
2921	*/
2922	PR_ASSERT(type == content_alert);
2923	rv = ssl3_InitState(ss);
2924	if (rv != SECSuccess) {
2925	    return SECFailure;	/* ssl3_InitState has set the error code. */
2926    	}
2927    }
2928
2929    /* check for Token Presence */
2930    if (!ssl3_ClientAuthTokenPresent(ss->sec.ci.sid)) {
2931	PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
2932	return SECFailure;
2933    }
2934
2935    while (nIn > 0) {
2936	PRUint32  contentLen = PR_MIN(nIn, MAX_FRAGMENT_LENGTH);
2937	unsigned int spaceNeeded;
2938	unsigned int numRecords;
2939
2940	ssl_GetSpecReadLock(ss);    /********************************/
2941
2942	if (nIn > 1 && ss->opt.cbcRandomIV &&
2943	    ss->ssl3.cwSpec->version < SSL_LIBRARY_VERSION_TLS_1_1 &&
2944	    type == content_application_data &&
2945	    ss->ssl3.cwSpec->cipher_def->type == type_block /* CBC mode */) {
2946	    /* We will split the first byte of the record into its own record,
2947	     * as explained in the documentation for SSL_CBC_RANDOM_IV in ssl.h
2948	     */
2949	    numRecords = 2;
2950	} else {
2951	    numRecords = 1;
2952	}
2953
2954	spaceNeeded = contentLen + (numRecords * SSL3_BUFFER_FUDGE);
2955	if (ss->ssl3.cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1 &&
2956	    ss->ssl3.cwSpec->cipher_def->type == type_block) {
2957	    spaceNeeded += ss->ssl3.cwSpec->cipher_def->iv_size;
2958	}
2959	if (spaceNeeded > wrBuf->space) {
2960	    rv = sslBuffer_Grow(wrBuf, spaceNeeded);
2961	    if (rv != SECSuccess) {
2962		SSL_DBG(("%d: SSL3[%d]: SendRecord, tried to get %d bytes",
2963			 SSL_GETPID(), ss->fd, spaceNeeded));
2964		goto spec_locked_loser; /* sslBuffer_Grow set error code. */
2965	    }
2966	}
2967
2968	if (numRecords == 2) {
2969	    sslBuffer secondRecord;
2970
2971	    rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec,
2972					       ss->sec.isServer, IS_DTLS(ss),
2973					       capRecordVersion, type, pIn,
2974					       1, wrBuf);
2975	    if (rv != SECSuccess)
2976	        goto spec_locked_loser;
2977
2978	    PRINT_BUF(50, (ss, "send (encrypted) record data [1/2]:",
2979	                   wrBuf->buf, wrBuf->len));
2980
2981	    secondRecord.buf = wrBuf->buf + wrBuf->len;
2982	    secondRecord.len = 0;
2983	    secondRecord.space = wrBuf->space - wrBuf->len;
2984
2985	    rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec,
2986	                                       ss->sec.isServer, IS_DTLS(ss),
2987					       capRecordVersion, type,
2988					       pIn + 1, contentLen - 1,
2989	                                       &secondRecord);
2990	    if (rv == SECSuccess) {
2991	        PRINT_BUF(50, (ss, "send (encrypted) record data [2/2]:",
2992	                       secondRecord.buf, secondRecord.len));
2993	        wrBuf->len += secondRecord.len;
2994	    }
2995	} else {
2996	    if (!IS_DTLS(ss)) {
2997		rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec,
2998						   ss->sec.isServer,
2999						   IS_DTLS(ss),
3000						   capRecordVersion,
3001						   type, pIn,
3002						   contentLen, wrBuf);
3003	    } else {
3004		rv = dtls_CompressMACEncryptRecord(ss, epoch,
3005						   !!(flags & ssl_SEND_FLAG_USE_EPOCH),
3006						   type, pIn,
3007						   contentLen, wrBuf);
3008	    }
3009
3010	    if (rv == SECSuccess) {
3011	        PRINT_BUF(50, (ss, "send (encrypted) record data:",
3012	                       wrBuf->buf, wrBuf->len));
3013	    }
3014	}
3015
3016spec_locked_loser:
3017	ssl_ReleaseSpecReadLock(ss); /************************************/
3018
3019	if (rv != SECSuccess)
3020	    return SECFailure;
3021
3022	pIn += contentLen;
3023	nIn -= contentLen;
3024	PORT_Assert( nIn >= 0 );
3025
3026	/* If there's still some previously saved ciphertext,
3027	 * or the caller doesn't want us to send the data yet,
3028	 * then add all our new ciphertext to the amount previously saved.
3029	 */
3030	if ((ss->pendingBuf.len > 0) ||
3031	    (flags & ssl_SEND_FLAG_FORCE_INTO_BUFFER)) {
3032
3033	    rv = ssl_SaveWriteData(ss, wrBuf->buf, wrBuf->len);
3034	    if (rv != SECSuccess) {
3035		/* presumably a memory error, SEC_ERROR_NO_MEMORY */
3036		return SECFailure;
3037	    }
3038	    wrBuf->len = 0;	/* All cipher text is saved away. */
3039
3040	    if (!(flags & ssl_SEND_FLAG_FORCE_INTO_BUFFER)) {
3041		PRInt32   sent;
3042		ss->handshakeBegun = 1;
3043		sent = ssl_SendSavedWriteData(ss);
3044		if (sent < 0 && PR_GetError() != PR_WOULD_BLOCK_ERROR) {
3045		    ssl_MapLowLevelError(SSL_ERROR_SOCKET_WRITE_FAILURE);
3046		    return SECFailure;
3047		}
3048		if (ss->pendingBuf.len) {
3049		    flags |= ssl_SEND_FLAG_FORCE_INTO_BUFFER;
3050		}
3051	    }
3052	} else if (wrBuf->len > 0) {
3053	    PRInt32   sent;
3054	    ss->handshakeBegun = 1;
3055	    sent = ssl_DefSend(ss, wrBuf->buf, wrBuf->len,
3056			       flags & ~ssl_SEND_FLAG_MASK);
3057	    if (sent < 0) {
3058		if (PR_GetError() != PR_WOULD_BLOCK_ERROR) {
3059		    ssl_MapLowLevelError(SSL_ERROR_SOCKET_WRITE_FAILURE);
3060		    return SECFailure;
3061		}
3062		/* we got PR_WOULD_BLOCK_ERROR, which means none was sent. */
3063		sent = 0;
3064	    }
3065	    wrBuf->len -= sent;
3066	    if (wrBuf->len) {
3067		if (IS_DTLS(ss)) {
3068		    /* DTLS just says no in this case. No buffering */
3069		    PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
3070		    return SECFailure;
3071		}
3072		/* now take all the remaining unsent new ciphertext and
3073		 * append it to the buffer of previously unsent ciphertext.
3074		 */
3075		rv = ssl_SaveWriteData(ss, wrBuf->buf + sent, wrBuf->len);
3076		if (rv != SECSuccess) {
3077		    /* presumably a memory error, SEC_ERROR_NO_MEMORY */
3078		    return SECFailure;
3079		}
3080	    }
3081	}
3082	totalSent += contentLen;
3083    }
3084    return totalSent;
3085}
3086
3087#define SSL3_PENDING_HIGH_WATER 1024
3088
3089/* Attempt to send the content of "in" in an SSL application_data record.
3090 * Returns "len" or SECFailure,   never SECWouldBlock, nor SECSuccess.
3091 */
3092int
3093ssl3_SendApplicationData(sslSocket *ss, const unsigned char *in,
3094			 PRInt32 len, PRInt32 flags)
3095{
3096    PRInt32   totalSent	= 0;
3097    PRInt32   discarded = 0;
3098
3099    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
3100    /* These flags for internal use only */
3101    PORT_Assert(!(flags & (ssl_SEND_FLAG_USE_EPOCH |
3102			   ssl_SEND_FLAG_NO_RETRANSMIT)));
3103    if (len < 0 || !in) {
3104	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
3105	return SECFailure;
3106    }
3107
3108    if (ss->pendingBuf.len > SSL3_PENDING_HIGH_WATER &&
3109        !ssl_SocketIsBlocking(ss)) {
3110	PORT_Assert(!ssl_SocketIsBlocking(ss));
3111	PORT_SetError(PR_WOULD_BLOCK_ERROR);
3112	return SECFailure;
3113    }
3114
3115    if (ss->appDataBuffered && len) {
3116	PORT_Assert (in[0] == (unsigned char)(ss->appDataBuffered));
3117	if (in[0] != (unsigned char)(ss->appDataBuffered)) {
3118	    PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
3119	    return SECFailure;
3120	}
3121    	in++;
3122	len--;
3123	discarded = 1;
3124    }
3125    while (len > totalSent) {
3126	PRInt32   sent, toSend;
3127
3128	if (totalSent > 0) {
3129	    /*
3130	     * The thread yield is intended to give the reader thread a
3131	     * chance to get some cycles while the writer thread is in
3132	     * the middle of a large application data write.  (See
3133	     * Bugzilla bug 127740, comment #1.)
3134	     */
3135	    ssl_ReleaseXmitBufLock(ss);
3136	    PR_Sleep(PR_INTERVAL_NO_WAIT);	/* PR_Yield(); */
3137	    ssl_GetXmitBufLock(ss);
3138	}
3139	toSend = PR_MIN(len - totalSent, MAX_FRAGMENT_LENGTH);
3140	/*
3141	 * Note that the 0 epoch is OK because flags will never require
3142	 * its use, as guaranteed by the PORT_Assert above.
3143	 */
3144	sent = ssl3_SendRecord(ss, 0, content_application_data,
3145	                       in + totalSent, toSend, flags);
3146	if (sent < 0) {
3147	    if (totalSent > 0 && PR_GetError() == PR_WOULD_BLOCK_ERROR) {
3148		PORT_Assert(ss->lastWriteBlocked);
3149	    	break;
3150	    }
3151	    return SECFailure; /* error code set by ssl3_SendRecord */
3152	}
3153	totalSent += sent;
3154	if (ss->pendingBuf.len) {
3155	    /* must be a non-blocking socket */
3156	    PORT_Assert(!ssl_SocketIsBlocking(ss));
3157	    PORT_Assert(ss->lastWriteBlocked);
3158	    break;
3159	}
3160    }
3161    if (ss->pendingBuf.len) {
3162	/* Must be non-blocking. */
3163	PORT_Assert(!ssl_SocketIsBlocking(ss));
3164	if (totalSent > 0) {
3165	    ss->appDataBuffered = 0x100 | in[totalSent - 1];
3166	}
3167
3168	totalSent = totalSent + discarded - 1;
3169	if (totalSent <= 0) {
3170	    PORT_SetError(PR_WOULD_BLOCK_ERROR);
3171	    totalSent = SECFailure;
3172	}
3173	return totalSent;
3174    }
3175    ss->appDataBuffered = 0;
3176    return totalSent + discarded;
3177}
3178
3179/* Attempt to send buffered handshake messages.
3180 * This function returns SECSuccess or SECFailure, never SECWouldBlock.
3181 * Always set sendBuf.len to 0, even when returning SECFailure.
3182 *
3183 * Depending on whether we are doing DTLS or not, this either calls
3184 *
3185 * - ssl3_FlushHandshakeMessages if non-DTLS
3186 * - dtls_FlushHandshakeMessages if DTLS
3187 *
3188 * Called from SSL3_SendAlert(), ssl3_SendChangeCipherSpecs(),
3189 *             ssl3_AppendHandshake(), ssl3_SendClientHello(),
3190 *             ssl3_SendHelloRequest(), ssl3_SendServerHelloDone(),
3191 *             ssl3_SendFinished(),
3192 */
3193static SECStatus
3194ssl3_FlushHandshake(sslSocket *ss, PRInt32 flags)
3195{
3196    if (IS_DTLS(ss)) {
3197        return dtls_FlushHandshakeMessages(ss, flags);
3198    } else {
3199        return ssl3_FlushHandshakeMessages(ss, flags);
3200    }
3201}
3202
3203/* Attempt to send the content of sendBuf buffer in an SSL handshake record.
3204 * This function returns SECSuccess or SECFailure, never SECWouldBlock.
3205 * Always set sendBuf.len to 0, even when returning SECFailure.
3206 *
3207 * Called from ssl3_FlushHandshake
3208 */
3209static SECStatus
3210ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags)
3211{
3212    static const PRInt32 allowedFlags = ssl_SEND_FLAG_FORCE_INTO_BUFFER |
3213                                        ssl_SEND_FLAG_CAP_RECORD_VERSION;
3214    PRInt32 rv = SECSuccess;
3215
3216    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
3217    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
3218
3219    if (!ss->sec.ci.sendBuf.buf || !ss->sec.ci.sendBuf.len)
3220	return rv;
3221
3222    /* only these flags are allowed */
3223    PORT_Assert(!(flags & ~allowedFlags));
3224    if ((flags & ~allowedFlags) != 0) {
3225	PORT_SetError(SEC_ERROR_INVALID_ARGS);
3226	rv = SECFailure;
3227    } else {
3228	rv = ssl3_SendRecord(ss, 0, content_handshake, ss->sec.ci.sendBuf.buf,
3229			     ss->sec.ci.sendBuf.len, flags);
3230    }
3231    if (rv < 0) {
3232    	int err = PORT_GetError();
3233	PORT_Assert(err != PR_WOULD_BLOCK_ERROR);
3234	if (err == PR_WOULD_BLOCK_ERROR) {
3235	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
3236	}
3237    } else if (rv < ss->sec.ci.sendBuf.len) {
3238    	/* short write should never happen */
3239	PORT_Assert(rv >= ss->sec.ci.sendBuf.len);
3240	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
3241	rv = SECFailure;
3242    } else {
3243	rv = SECSuccess;
3244    }
3245
3246    /* Whether we succeeded or failed, toss the old handshake data. */
3247    ss->sec.ci.sendBuf.len = 0;
3248    return rv;
3249}
3250
3251/*
3252 * Called from ssl3_HandleAlert and from ssl3_HandleCertificate when
3253 * the remote client sends a negative response to our certificate request.
3254 * Returns SECFailure if the application has required client auth.
3255 *         SECSuccess otherwise.
3256 */
3257static SECStatus
3258ssl3_HandleNoCertificate(sslSocket *ss)
3259{
3260    if (ss->sec.peerCert != NULL) {
3261	if (ss->sec.peerKey != NULL) {
3262	    SECKEY_DestroyPublicKey(ss->sec.peerKey);
3263	    ss->sec.peerKey = NULL;
3264	}
3265	CERT_DestroyCertificate(ss->sec.peerCert);
3266	ss->sec.peerCert = NULL;
3267    }
3268    ssl3_CleanupPeerCerts(ss);
3269
3270    /* If the server has required client-auth blindly but doesn't
3271     * actually look at the certificate it won't know that no
3272     * certificate was presented so we shutdown the socket to ensure
3273     * an error.  We only do this if we haven't already completed the
3274     * first handshake because if we're redoing the handshake we
3275     * know the server is paying attention to the certificate.
3276     */
3277    if ((ss->opt.requireCertificate == SSL_REQUIRE_ALWAYS) ||
3278	(!ss->firstHsDone &&
3279	 (ss->opt.requireCertificate == SSL_REQUIRE_FIRST_HANDSHAKE))) {
3280	PRFileDesc * lower;
3281
3282	if (ss->sec.uncache)
3283            ss->sec.uncache(ss->sec.ci.sid);
3284	SSL3_SendAlert(ss, alert_fatal, bad_certificate);
3285
3286	lower = ss->fd->lower;
3287#ifdef _WIN32
3288	lower->methods->shutdown(lower, PR_SHUTDOWN_SEND);
3289#else
3290	lower->methods->shutdown(lower, PR_SHUTDOWN_BOTH);
3291#endif
3292	PORT_SetError(SSL_ERROR_NO_CERTIFICATE);
3293	return SECFailure;
3294    }
3295    return SECSuccess;
3296}
3297
3298/************************************************************************
3299 * Alerts
3300 */
3301
3302/*
3303** Acquires both handshake and XmitBuf locks.
3304** Called from: ssl3_IllegalParameter	<-
3305**              ssl3_HandshakeFailure	<-
3306**              ssl3_HandleAlert	<- ssl3_HandleRecord.
3307**              ssl3_HandleChangeCipherSpecs <- ssl3_HandleRecord
3308**              ssl3_ConsumeHandshakeVariable <-
3309**              ssl3_HandleHelloRequest	<-
3310**              ssl3_HandleServerHello	<-
3311**              ssl3_HandleServerKeyExchange <-
3312**              ssl3_HandleCertificateRequest <-
3313**              ssl3_HandleServerHelloDone <-
3314**              ssl3_HandleClientHello	<-
3315**              ssl3_HandleV2ClientHello <-
3316**              ssl3_HandleCertificateVerify <-
3317**              ssl3_HandleClientKeyExchange <-
3318**              ssl3_HandleCertificate	<-
3319**              ssl3_HandleFinished	<-
3320**              ssl3_HandleHandshakeMessage <-
3321**              ssl3_HandleRecord	<-
3322**
3323*/
3324SECStatus
3325SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level, SSL3AlertDescription desc)
3326{
3327    PRUint8 	bytes[2];
3328    SECStatus	rv;
3329
3330    SSL_TRC(3, ("%d: SSL3[%d]: send alert record, level=%d desc=%d",
3331		SSL_GETPID(), ss->fd, level, desc));
3332
3333    bytes[0] = level;
3334    bytes[1] = desc;
3335
3336    ssl_GetSSL3HandshakeLock(ss);
3337    if (level == alert_fatal) {
3338	if (!ss->opt.noCache && ss->sec.ci.sid && ss->sec.uncache) {
3339	    ss->sec.uncache(ss->sec.ci.sid);
3340	}
3341    }
3342    ssl_GetXmitBufLock(ss);
3343    rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
3344    if (rv == SECSuccess) {
3345	PRInt32 sent;
3346	sent = ssl3_SendRecord(ss, 0, content_alert, bytes, 2,
3347			       desc == no_certificate
3348			       ? ssl_SEND_FLAG_FORCE_INTO_BUFFER : 0);
3349	rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
3350    }
3351    ssl_ReleaseXmitBufLock(ss);
3352    ssl_ReleaseSSL3HandshakeLock(ss);
3353    return rv;	/* error set by ssl3_FlushHandshake or ssl3_SendRecord */
3354}
3355
3356/*
3357 * Send illegal_parameter alert.  Set generic error number.
3358 */
3359static SECStatus
3360ssl3_IllegalParameter(sslSocket *ss)
3361{
3362    (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
3363    PORT_SetError(ss->sec.isServer ? SSL_ERROR_BAD_CLIENT
3364                                   : SSL_ERROR_BAD_SERVER );
3365    return SECFailure;
3366}
3367
3368/*
3369 * Send handshake_Failure alert.  Set generic error number.
3370 */
3371static SECStatus
3372ssl3_HandshakeFailure(sslSocket *ss)
3373{
3374    (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure);
3375    PORT_SetError( ss->sec.isServer ? SSL_ERROR_BAD_CLIENT
3376                                    : SSL_ERROR_BAD_SERVER );
3377    return SECFailure;
3378}
3379
3380static void
3381ssl3_SendAlertForCertError(sslSocket * ss, PRErrorCode errCode)
3382{
3383    SSL3AlertDescription desc	= bad_certificate;
3384    PRBool isTLS = ss->version >= SSL_LIBRARY_VERSION_3_1_TLS;
3385
3386    switch (errCode) {
3387    case SEC_ERROR_LIBRARY_FAILURE:     desc = unsupported_certificate; break;
3388    case SEC_ERROR_EXPIRED_CERTIFICATE: desc = certificate_expired;     break;
3389    case SEC_ERROR_REVOKED_CERTIFICATE: desc = certificate_revoked;     break;
3390    case SEC_ERROR_INADEQUATE_KEY_USAGE:
3391    case SEC_ERROR_INADEQUATE_CERT_TYPE:
3392		                        desc = certificate_unknown;     break;
3393    case SEC_ERROR_UNTRUSTED_CERT:
3394		    desc = isTLS ? access_denied : certificate_unknown; break;
3395    case SEC_ERROR_UNKNOWN_ISSUER:
3396    case SEC_ERROR_UNTRUSTED_ISSUER:
3397		    desc = isTLS ? unknown_ca : certificate_unknown; break;
3398    case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
3399		    desc = isTLS ? unknown_ca : certificate_expired; break;
3400
3401    case SEC_ERROR_CERT_NOT_IN_NAME_SPACE:
3402    case SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID:
3403    case SEC_ERROR_CA_CERT_INVALID:
3404    case SEC_ERROR_BAD_SIGNATURE:
3405    default:                            desc = bad_certificate;     break;
3406    }
3407    SSL_DBG(("%d: SSL3[%d]: peer certificate is no good: error=%d",
3408	     SSL_GETPID(), ss->fd, errCode));
3409
3410    (void) SSL3_SendAlert(ss, alert_fatal, desc);
3411}
3412
3413
3414/*
3415 * Send decode_error alert.  Set generic error number.
3416 */
3417SECStatus
3418ssl3_DecodeError(sslSocket *ss)
3419{
3420    (void)SSL3_SendAlert(ss, alert_fatal,
3421		  ss->version > SSL_LIBRARY_VERSION_3_0 ? decode_error
3422							: illegal_parameter);
3423    PORT_SetError( ss->sec.isServer ? SSL_ERROR_BAD_CLIENT
3424                                    : SSL_ERROR_BAD_SERVER );
3425    return SECFailure;
3426}
3427
3428/* Called from ssl3_HandleRecord.
3429** Caller must hold both RecvBuf and Handshake locks.
3430*/
3431static SECStatus
3432ssl3_HandleAlert(sslSocket *ss, sslBuffer *buf)
3433{
3434    SSL3AlertLevel       level;
3435    SSL3AlertDescription desc;
3436    int                  error;
3437
3438    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
3439    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
3440
3441    SSL_TRC(3, ("%d: SSL3[%d]: handle alert record", SSL_GETPID(), ss->fd));
3442
3443    if (buf->len != 2) {
3444	(void)ssl3_DecodeError(ss);
3445	PORT_SetError(SSL_ERROR_RX_MALFORMED_ALERT);
3446	return SECFailure;
3447    }
3448    level = (SSL3AlertLevel)buf->buf[0];
3449    desc  = (SSL3AlertDescription)buf->buf[1];
3450    buf->len = 0;
3451    SSL_TRC(5, ("%d: SSL3[%d] received alert, level = %d, description = %d",
3452        SSL_GETPID(), ss->fd, level, desc));
3453
3454    switch (desc) {
3455    case close_notify:		ss->recvdCloseNotify = 1;
3456		        	error = SSL_ERROR_CLOSE_NOTIFY_ALERT;     break;
3457    case unexpected_message: 	error = SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT;
3458									  break;
3459    case bad_record_mac: 	error = SSL_ERROR_BAD_MAC_ALERT; 	  break;
3460    case decryption_failed_RESERVED:
3461                                error = SSL_ERROR_DECRYPTION_FAILED_ALERT;
3462    									  break;
3463    case record_overflow: 	error = SSL_ERROR_RECORD_OVERFLOW_ALERT;  break;
3464    case decompression_failure: error = SSL_ERROR_DECOMPRESSION_FAILURE_ALERT;
3465									  break;
3466    case handshake_failure: 	error = SSL_ERROR_HANDSHAKE_FAILURE_ALERT;
3467			        					  break;
3468    case no_certificate: 	error = SSL_ERROR_NO_CERTIFICATE;	  break;
3469    case bad_certificate: 	error = SSL_ERROR_BAD_CERT_ALERT; 	  break;
3470    case unsupported_certificate:error = SSL_ERROR_UNSUPPORTED_CERT_ALERT;break;
3471    case certificate_revoked: 	error = SSL_ERROR_REVOKED_CERT_ALERT; 	  break;
3472    case certificate_expired: 	error = SSL_ERROR_EXPIRED_CERT_ALERT; 	  break;
3473    case certificate_unknown: 	error = SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT;
3474			        					  break;
3475    case illegal_parameter: 	error = SSL_ERROR_ILLEGAL_PARAMETER_ALERT;break;
3476    case inappropriate_fallback:
3477        error = SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT;
3478        break;
3479
3480    /* All alerts below are TLS only. */
3481    case unknown_ca: 		error = SSL_ERROR_UNKNOWN_CA_ALERT;       break;
3482    case access_denied: 	error = SSL_ERROR_ACCESS_DENIED_ALERT;    break;
3483    case decode_error: 		error = SSL_ERROR_DECODE_ERROR_ALERT;     break;
3484    case decrypt_error: 	error = SSL_ERROR_DECRYPT_ERROR_ALERT;    break;
3485    case export_restriction: 	error = SSL_ERROR_EXPORT_RESTRICTION_ALERT;
3486    									  break;
3487    case protocol_version: 	error = SSL_ERROR_PROTOCOL_VERSION_ALERT; break;
3488    case insufficient_security: error = SSL_ERROR_INSUFFICIENT_SECURITY_ALERT;
3489    									  break;
3490    case internal_error: 	error = SSL_ERROR_INTERNAL_ERROR_ALERT;   break;
3491    case user_canceled: 	error = SSL_ERROR_USER_CANCELED_ALERT;    break;
3492    case no_renegotiation: 	error = SSL_ERROR_NO_RENEGOTIATION_ALERT; break;
3493
3494    /* Alerts for TLS client hello extensions */
3495    case unsupported_extension:
3496			error = SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT;    break;
3497    case certificate_unobtainable:
3498			error = SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT; break;
3499    case unrecognized_name:
3500			error = SSL_ERROR_UNRECOGNIZED_NAME_ALERT;        break;
3501    case bad_certificate_status_response:
3502			error = SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT; break;
3503    case bad_certificate_hash_value:
3504			error = SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT;      break;
3505    default: 		error = SSL_ERROR_RX_UNKNOWN_ALERT;               break;
3506    }
3507    if (level == alert_fatal) {
3508	if (!ss->opt.noCache) {
3509	    if (ss->sec.uncache)
3510                ss->sec.uncache(ss->sec.ci.sid);
3511	}
3512	if ((ss->ssl3.hs.ws == wait_server_hello) &&
3513	    (desc == handshake_failure)) {
3514	    /* XXX This is a hack.  We're assuming that any handshake failure
3515	     * XXX on the client hello is a failure to match ciphers.
3516	     */
3517	    error = SSL_ERROR_NO_CYPHER_OVERLAP;
3518	}
3519	PORT_SetError(error);
3520	return SECFailure;
3521    }
3522    if ((desc == no_certificate) && (ss->ssl3.hs.ws == wait_client_cert)) {
3523    	/* I'm a server. I've requested a client cert. He hasn't got one. */
3524	SECStatus rv;
3525
3526	PORT_Assert(ss->sec.isServer);
3527	ss->ssl3.hs.ws = wait_client_key;
3528	rv = ssl3_HandleNoCertificate(ss);
3529	return rv;
3530    }
3531    return SECSuccess;
3532}
3533
3534/*
3535 * Change Cipher Specs
3536 * Called from ssl3_HandleServerHelloDone,
3537 *             ssl3_HandleClientHello,
3538 * and         ssl3_HandleFinished
3539 *
3540 * Acquires and releases spec write lock, to protect switching the current
3541 * and pending write spec pointers.
3542 */
3543
3544static SECStatus
3545ssl3_SendChangeCipherSpecs(sslSocket *ss)
3546{
3547    PRUint8           change = change_cipher_spec_choice;
3548    ssl3CipherSpec *  pwSpec;
3549    SECStatus         rv;
3550    PRInt32           sent;
3551
3552    SSL_TRC(3, ("%d: SSL3[%d]: send change_cipher_spec record",
3553		SSL_GETPID(), ss->fd));
3554
3555    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
3556    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
3557
3558    rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
3559    if (rv != SECSuccess) {
3560	return rv;	/* error code set by ssl3_FlushHandshake */
3561    }
3562    if (!IS_DTLS(ss)) {
3563	sent = ssl3_SendRecord(ss, 0, content_change_cipher_spec, &change, 1,
3564			       ssl_SEND_FLAG_FORCE_INTO_BUFFER);
3565	if (sent < 0) {
3566	    return (SECStatus)sent;	/* error code set by ssl3_SendRecord */
3567	}
3568    } else {
3569	rv = dtls_QueueMessage(ss, content_change_cipher_spec, &change, 1);
3570	if (rv != SECSuccess) {
3571	    return rv;
3572	}
3573    }
3574
3575    /* swap the pending and current write specs. */
3576    ssl_GetSpecWriteLock(ss);	/**************************************/
3577    pwSpec                     = ss->ssl3.pwSpec;
3578
3579    ss->ssl3.pwSpec = ss->ssl3.cwSpec;
3580    ss->ssl3.cwSpec = pwSpec;
3581
3582    SSL_TRC(3, ("%d: SSL3[%d] Set Current Write Cipher Suite to Pending",
3583		SSL_GETPID(), ss->fd ));
3584
3585    /* We need to free up the contexts, keys and certs ! */
3586    /* If we are really through with the old cipher spec
3587     * (Both the read and write sides have changed) destroy it.
3588     */
3589    if (ss->ssl3.prSpec == ss->ssl3.pwSpec) {
3590	if (!IS_DTLS(ss)) {
3591	    ssl3_DestroyCipherSpec(ss->ssl3.pwSpec, PR_FALSE/*freeSrvName*/);
3592	} else {
3593	    /* With DTLS, we need to set a holddown timer in case the final
3594	     * message got lost */
3595	    ss->ssl3.hs.rtTimeoutMs = DTLS_FINISHED_TIMER_MS;
3596	    dtls_StartTimer(ss, dtls_FinishedTimerCb);
3597	}
3598    }
3599    ssl_ReleaseSpecWriteLock(ss); /**************************************/
3600
3601    return SECSuccess;
3602}
3603
3604/* Called from ssl3_HandleRecord.
3605** Caller must hold both RecvBuf and Handshake locks.
3606 *
3607 * Acquires and releases spec write lock, to protect switching the current
3608 * and pending write spec pointers.
3609*/
3610static SECStatus
3611ssl3_HandleChangeCipherSpecs(sslSocket *ss, sslBuffer *buf)
3612{
3613    ssl3CipherSpec *           prSpec;
3614    SSL3WaitState              ws      = ss->ssl3.hs.ws;
3615    SSL3ChangeCipherSpecChoice change;
3616
3617    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
3618    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
3619
3620    SSL_TRC(3, ("%d: SSL3[%d]: handle change_cipher_spec record",
3621		SSL_GETPID(), ss->fd));
3622
3623    if (ws != wait_change_cipher) {
3624	if (IS_DTLS(ss)) {
3625	    /* Ignore this because it's out of order. */
3626	    SSL_TRC(3, ("%d: SSL3[%d]: discard out of order "
3627			"DTLS change_cipher_spec",
3628			SSL_GETPID(), ss->fd));
3629	    buf->len = 0;
3630	    return SECSuccess;
3631	}
3632	(void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
3633	PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER);
3634	return SECFailure;
3635    }
3636
3637    if(buf->len != 1) {
3638	(void)ssl3_DecodeError(ss);
3639	PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
3640	return SECFailure;
3641    }
3642    change = (SSL3ChangeCipherSpecChoice)buf->buf[0];
3643    if (change != change_cipher_spec_choice) {
3644	/* illegal_parameter is correct here for both SSL3 and TLS. */
3645	(void)ssl3_IllegalParameter(ss);
3646	PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
3647	return SECFailure;
3648    }
3649    buf->len = 0;
3650
3651    /* Swap the pending and current read specs. */
3652    ssl_GetSpecWriteLock(ss);   /*************************************/
3653    prSpec                    = ss->ssl3.prSpec;
3654
3655    ss->ssl3.prSpec  = ss->ssl3.crSpec;
3656    ss->ssl3.crSpec  = prSpec;
3657    ss->ssl3.hs.ws   = wait_finished;
3658
3659    SSL_TRC(3, ("%d: SSL3[%d] Set Current Read Cipher Suite to Pending",
3660		SSL_GETPID(), ss->fd ));
3661
3662    /* If we are really through with the old cipher prSpec
3663     * (Both the read and write sides have changed) destroy it.
3664     */
3665    if (ss->ssl3.prSpec == ss->ssl3.pwSpec) {
3666    	ssl3_DestroyCipherSpec(ss->ssl3.prSpec, PR_FALSE/*freeSrvName*/);
3667    }
3668    ssl_ReleaseSpecWriteLock(ss);   /*************************************/
3669    return SECSuccess;
3670}
3671
3672/* This method uses PKCS11 to derive the MS from the PMS, where PMS
3673** is a PKCS11 symkey. This is used in all cases except the
3674** "triple bypass" with RSA key exchange.
3675** Called from ssl3_InitPendingCipherSpec.   prSpec is pwSpec.
3676*/
3677static SECStatus
3678ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms)
3679{
3680    ssl3CipherSpec *  pwSpec = ss->ssl3.pwSpec;
3681    const ssl3KEADef *kea_def= ss->ssl3.hs.kea_def;
3682    unsigned char *   cr     = (unsigned char *)&ss->ssl3.hs.client_random;
3683    unsigned char *   sr     = (unsigned char *)&ss->ssl3.hs.server_random;
3684    PRBool            isTLS  = (PRBool)(kea_def->tls_keygen ||
3685                                (pwSpec->version > SSL_LIBRARY_VERSION_3_0));
3686    PRBool            isTLS12=
3687	    (PRBool)(isTLS && pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
3688    /*
3689     * Whenever isDH is true, we need to use CKM_TLS_MASTER_KEY_DERIVE_DH
3690     * which, unlike CKM_TLS_MASTER_KEY_DERIVE, converts arbitrary size
3691     * data into a 48-byte value.
3692     */
3693    PRBool    isDH = (PRBool) ((ss->ssl3.hs.kea_def->exchKeyType == kt_dh) ||
3694	                       (ss->ssl3.hs.kea_def->exchKeyType == kt_ecdh));
3695    SECStatus         rv = SECFailure;
3696    CK_MECHANISM_TYPE master_derive;
3697    CK_MECHANISM_TYPE key_derive;
3698    SECItem           params;
3699    CK_FLAGS          keyFlags;
3700    CK_VERSION        pms_version;
3701    CK_SSL3_MASTER_KEY_DERIVE_PARAMS master_params;
3702
3703    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
3704    PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
3705    PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
3706    if (isTLS12) {
3707	if(isDH) master_derive = CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256;
3708	else master_derive = CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256;
3709	key_derive    = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256;
3710	keyFlags      = CKF_SIGN | CKF_VERIFY;
3711    } else if (isTLS) {
3712	if(isDH) master_derive = CKM_TLS_MASTER_KEY_DERIVE_DH;
3713	else master_derive = CKM_TLS_MASTER_KEY_DERIVE;
3714	key_derive    = CKM_TLS_KEY_AND_MAC_DERIVE;
3715	keyFlags      = CKF_SIGN | CKF_VERIFY;
3716    } else {
3717	if (isDH) master_derive = CKM_SSL3_MASTER_KEY_DERIVE_DH;
3718	else master_derive = CKM_SSL3_MASTER_KEY_DERIVE;
3719	key_derive    = CKM_SSL3_KEY_AND_MAC_DERIVE;
3720	keyFlags      = 0;
3721    }
3722
3723    if (pms || !pwSpec->master_secret) {
3724	if (isDH) {
3725	    master_params.pVersion                     = NULL;
3726	} else {
3727	    master_params.pVersion                     = &pms_version;
3728	}
3729	master_params.RandomInfo.pClientRandom     = cr;
3730	master_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH;
3731	master_params.RandomInfo.pServerRandom     = sr;
3732	master_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH;
3733
3734	params.data = (unsigned char *) &master_params;
3735	params.len  = sizeof master_params;
3736    }
3737
3738    if (pms != NULL) {
3739#if defined(TRACE)
3740	if (ssl_trace >= 100) {
3741	    SECStatus extractRV = PK11_ExtractKeyValue(pms);
3742	    if (extractRV == SECSuccess) {
3743		SECItem * keyData = PK11_GetKeyData(pms);
3744		if (keyData && keyData->data && keyData->len) {
3745		    ssl_PrintBuf(ss, "Pre-Master Secret",
3746				 keyData->data, keyData->len);
3747		}
3748	    }
3749	}
3750#endif
3751	pwSpec->master_secret = PK11_DeriveWithFlags(pms, master_derive,
3752				&params, key_derive, CKA_DERIVE, 0, keyFlags);
3753	if (!isDH && pwSpec->master_secret && ss->opt.detectRollBack) {
3754	    SSL3ProtocolVersion client_version;
3755	    client_version = pms_version.major << 8 | pms_version.minor;
3756
3757	    if (IS_DTLS(ss)) {
3758		client_version = dtls_DTLSVersionToTLSVersion(client_version);
3759	    }
3760
3761	    if (client_version != ss->clientHelloVersion) {
3762		/* Destroy it.  Version roll-back detected. */
3763		PK11_FreeSymKey(pwSpec->master_secret);
3764	    	pwSpec->master_secret = NULL;
3765	    }
3766	}
3767	if (pwSpec->master_secret == NULL) {
3768	    /* Generate a faux master secret in the same slot as the old one. */
3769	    PK11SlotInfo * slot = PK11_GetSlotFromKey((PK11SymKey *)pms);
3770	    PK11SymKey *   fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot);
3771
3772	    PK11_FreeSlot(slot);
3773	    if (fpms != NULL) {
3774		pwSpec->master_secret = PK11_DeriveWithFlags(fpms,
3775					master_derive, &params, key_derive,
3776					CKA_DERIVE, 0, keyFlags);
3777		PK11_FreeSymKey(fpms);
3778	    }
3779	}
3780    }
3781    if (pwSpec->master_secret == NULL) {
3782	/* Generate a faux master secret from the internal slot. */
3783	PK11SlotInfo *  slot = PK11_GetInternalSlot();
3784	PK11SymKey *    fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot);
3785
3786	PK11_FreeSlot(slot);
3787	if (fpms != NULL) {
3788	    pwSpec->master_secret = PK11_DeriveWithFlags(fpms,
3789					master_derive, &params, key_derive,
3790					CKA_DERIVE, 0, keyFlags);
3791	    if (pwSpec->master_secret == NULL) {
3792	    	pwSpec->master_secret = fpms; /* use the fpms as the master. */
3793		fpms = NULL;
3794	    }
3795	}
3796	if (fpms) {
3797	    PK11_FreeSymKey(fpms);
3798    	}
3799    }
3800    if (pwSpec->master_secret == NULL) {
3801	ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
3802	return rv;
3803    }
3804#ifndef NO_PKCS11_BYPASS
3805    if (ss->opt.bypassPKCS11) {
3806	SECItem * keydata;
3807	/* In hope of doing a "double bypass",
3808	 * need to extract the master secret's value from the key object
3809	 * and store it raw in the sslSocket struct.
3810	 */
3811	rv = PK11_ExtractKeyValue(pwSpec->master_secret);
3812	if (rv != SECSuccess) {
3813	    return rv;
3814	}
3815	/* This returns the address of the secItem inside the key struct,
3816	 * not a copy or a reference.  So, there's no need to free it.
3817	 */
3818	keydata = PK11_GetKeyData(pwSpec->master_secret);
3819	if (keydata && keydata->len <= sizeof pwSpec->raw_master_secret) {
3820	    memcpy(pwSpec->raw_master_secret, keydata->data, keydata->len);
3821	    pwSpec->msItem.data = pwSpec->raw_master_secret;
3822	    pwSpec->msItem.len  = keydata->len;
3823	} else {
3824	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
3825	    return SECFailure;
3826	}
3827    }
3828#endif
3829    return SECSuccess;
3830}
3831
3832
3833/*
3834 * Derive encryption and MAC Keys (and IVs) from master secret
3835 * Sets a useful error code when returning SECFailure.
3836 *
3837 * Called only from ssl3_InitPendingCipherSpec(),
3838 * which in turn is called from
3839 *              sendRSAClientKeyExchange        (for Full handshake)
3840 *              sendDHClientKeyExchange         (for Full handshake)
3841 *              ssl3_HandleClientKeyExchange    (for Full handshake)
3842 *              ssl3_HandleServerHello          (for session restart)
3843 *              ssl3_HandleClientHello          (for session restart)
3844 * Caller MUST hold the specWriteLock, and SSL3HandshakeLock.
3845 * ssl3_InitPendingCipherSpec does that.
3846 *
3847 */
3848static SECStatus
3849ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss)
3850{
3851    ssl3CipherSpec *         pwSpec     = ss->ssl3.pwSpec;
3852    const ssl3KEADef *       kea_def    = ss->ssl3.hs.kea_def;
3853    unsigned char *   cr     = (unsigned char *)&ss->ssl3.hs.client_random;
3854    unsigned char *   sr     = (unsigned char *)&ss->ssl3.hs.server_random;
3855    PRBool            isTLS  = (PRBool)(kea_def->tls_keygen ||
3856                                (pwSpec->version > SSL_LIBRARY_VERSION_3_0));
3857    PRBool            isTLS12=
3858	    (PRBool)(isTLS && pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
3859    /* following variables used in PKCS11 path */
3860    const ssl3BulkCipherDef *cipher_def = pwSpec->cipher_def;
3861    PK11SlotInfo *         slot   = NULL;
3862    PK11SymKey *           symKey = NULL;
3863    void *                 pwArg  = ss->pkcs11PinArg;
3864    int                    keySize;
3865    CK_SSL3_KEY_MAT_PARAMS key_material_params;
3866    CK_SSL3_KEY_MAT_OUT    returnedKeys;
3867    CK_MECHANISM_TYPE      key_derive;
3868    CK_MECHANISM_TYPE      bulk_mechanism;
3869    SSLCipherAlgorithm     calg;
3870    SECItem                params;
3871    PRBool         skipKeysAndIVs = (PRBool)(cipher_def->calg == calg_null);
3872
3873    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
3874    PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
3875    PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
3876
3877    if (!pwSpec->master_secret) {
3878	PORT_SetError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
3879	return SECFailure;
3880    }
3881    /*
3882     * generate the key material
3883     */
3884    key_material_params.ulMacSizeInBits = pwSpec->mac_size           * BPB;
3885    key_material_params.ulKeySizeInBits = cipher_def->secret_key_size* BPB;
3886    key_material_params.ulIVSizeInBits  = cipher_def->iv_size        * BPB;
3887    if (cipher_def->type == type_block &&
3888	pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) {
3889	/* Block ciphers in >= TLS 1.1 use a per-record, explicit IV. */
3890	key_material_params.ulIVSizeInBits = 0;
3891	memset(pwSpec->client.write_iv, 0, cipher_def->iv_size);
3892	memset(pwSpec->server.write_iv, 0, cipher_def->iv_size);
3893    }
3894
3895    key_material_params.bIsExport = (CK_BBOOL)(kea_def->is_limited);
3896
3897    key_material_params.RandomInfo.pClientRandom     = cr;
3898    key_material_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH;
3899    key_material_params.RandomInfo.pServerRandom     = sr;
3900    key_material_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH;
3901    key_material_params.pReturnedKeyMaterial         = &returnedKeys;
3902
3903    returnedKeys.pIVClient = pwSpec->client.write_iv;
3904    returnedKeys.pIVServer = pwSpec->server.write_iv;
3905    keySize                = cipher_def->key_size;
3906
3907    if (skipKeysAndIVs) {
3908	keySize                             = 0;
3909        key_material_params.ulKeySizeInBits = 0;
3910        key_material_params.ulIVSizeInBits  = 0;
3911    	returnedKeys.pIVClient              = NULL;
3912    	returnedKeys.pIVServer              = NULL;
3913    }
3914
3915    calg = cipher_def->calg;
3916    PORT_Assert(     alg2Mech[calg].calg == calg);
3917    bulk_mechanism = alg2Mech[calg].cmech;
3918
3919    params.data    = (unsigned char *)&key_material_params;
3920    params.len     = sizeof(key_material_params);
3921
3922    if (isTLS12) {
3923	key_derive    = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256;
3924    } else if (isTLS) {
3925	key_derive    = CKM_TLS_KEY_AND_MAC_DERIVE;
3926    } else {
3927	key_derive    = CKM_SSL3_KEY_AND_MAC_DERIVE;
3928    }
3929
3930    /* CKM_SSL3_KEY_AND_MAC_DERIVE is defined to set ENCRYPT, DECRYPT, and
3931     * DERIVE by DEFAULT */
3932    symKey = PK11_Derive(pwSpec->master_secret, key_derive, &params,
3933                         bulk_mechanism, CKA_ENCRYPT, keySize);
3934    if (!symKey) {
3935	ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
3936	return SECFailure;
3937    }
3938    /* we really should use the actual mac'ing mechanism here, but we
3939     * don't because these types are used to map keytype anyway and both
3940     * mac's map to the same keytype.
3941     */
3942    slot  = PK11_GetSlotFromKey(symKey);
3943
3944    PK11_FreeSlot(slot); /* slot is held until the key is freed */
3945    pwSpec->client.write_mac_key =
3946    	PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
3947	    CKM_SSL3_SHA1_MAC, returnedKeys.hClientMacSecret, PR_TRUE, pwArg);
3948    if (pwSpec->client.write_mac_key == NULL ) {
3949	goto loser;	/* loser sets err */
3950    }
3951    pwSpec->server.write_mac_key =
3952    	PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
3953	    CKM_SSL3_SHA1_MAC, returnedKeys.hServerMacSecret, PR_TRUE, pwArg);
3954    if (pwSpec->server.write_mac_key == NULL ) {
3955	goto loser;	/* loser sets err */
3956    }
3957    if (!skipKeysAndIVs) {
3958	pwSpec->client.write_key =
3959		PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
3960		     bulk_mechanism, returnedKeys.hClientKey, PR_TRUE, pwArg);
3961	if (pwSpec->client.write_key == NULL ) {
3962	    goto loser;	/* loser sets err */
3963	}
3964	pwSpec->server.write_key =
3965		PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
3966		     bulk_mechanism, returnedKeys.hServerKey, PR_TRUE, pwArg);
3967	if (pwSpec->server.write_key == NULL ) {
3968	    goto loser;	/* loser sets err */
3969	}
3970    }
3971    PK11_FreeSymKey(symKey);
3972    return SECSuccess;
3973
3974
3975loser:
3976    if (symKey) PK11_FreeSymKey(symKey);
3977    ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
3978    return SECFailure;
3979}
3980
3981/* ssl3_InitHandshakeHashes creates handshake hash contexts and hashes in
3982 * buffered messages in ss->ssl3.hs.messages. */
3983static SECStatus
3984ssl3_InitHandshakeHashes(sslSocket *ss)
3985{
3986    SSL_TRC(30,("%d: SSL3[%d]: start handshake hashes", SSL_GETPID(), ss->fd));
3987
3988    PORT_Assert(ss->ssl3.hs.hashType == handshake_hash_unknown);
3989#ifndef NO_PKCS11_BYPASS
3990    if (ss->opt.bypassPKCS11) {
3991	PORT_Assert(!ss->ssl3.hs.sha_obj && !ss->ssl3.hs.sha_clone);
3992	if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
3993	    /* If we ever support ciphersuites where the PRF hash isn't SHA-256
3994	     * then this will need to be updated. */
3995	    ss->ssl3.hs.sha_obj = HASH_GetRawHashObject(HASH_AlgSHA256);
3996	    if (!ss->ssl3.hs.sha_obj) {
3997		ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
3998		return SECFailure;
3999	    }
4000	    ss->ssl3.hs.sha_clone = (void (*)(void *, void *))SHA256_Clone;
4001	    ss->ssl3.hs.hashType = handshake_hash_single;
4002	    ss->ssl3.hs.sha_obj->begin(ss->ssl3.hs.sha_cx);
4003	} else {
4004	    ss->ssl3.hs.hashType = handshake_hash_combo;
4005	    MD5_Begin((MD5Context *)ss->ssl3.hs.md5_cx);
4006	    SHA1_Begin((SHA1Context *)ss->ssl3.hs.sha_cx);
4007	}
4008    } else
4009#endif
4010    {
4011	PORT_Assert(!ss->ssl3.hs.md5 && !ss->ssl3.hs.sha);
4012	/*
4013	 * note: We should probably lookup an SSL3 slot for these
4014	 * handshake hashes in hopes that we wind up with the same slots
4015	 * that the master secret will wind up in ...
4016	 */
4017	if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
4018	    /* If we ever support ciphersuites where the PRF hash isn't SHA-256
4019	     * then this will need to be updated. */
4020	    ss->ssl3.hs.sha = PK11_CreateDigestContext(SEC_OID_SHA256);
4021	    if (ss->ssl3.hs.sha == NULL) {
4022		ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
4023		return SECFailure;
4024	    }
4025	    ss->ssl3.hs.hashType = handshake_hash_single;
4026
4027	    if (PK11_DigestBegin(ss->ssl3.hs.sha) != SECSuccess) {
4028		ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
4029		return SECFailure;
4030	    }
4031
4032	    /* Create a backup SHA-1 hash for a potential client auth
4033	     * signature.
4034	     *
4035	     * In TLS 1.2, ssl3_ComputeHandshakeHashes always uses the
4036	     * handshake hash function (SHA-256). If the server or the client
4037	     * does not support SHA-256 as a signature hash, we can either
4038	     * maintain a backup SHA-1 handshake hash or buffer all handshake
4039	     * messages.
4040	     */
4041	    if (!ss->sec.isServer) {
4042		ss->ssl3.hs.backupHash = PK11_CreateDigestContext(SEC_OID_SHA1);
4043		if (ss->ssl3.hs.backupHash == NULL) {
4044		    ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
4045		    return SECFailure;
4046		}
4047
4048		if (PK11_DigestBegin(ss->ssl3.hs.backupHash) != SECSuccess) {
4049		    ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
4050		    return SECFailure;
4051		}
4052	    }
4053	} else {
4054	    /* Both ss->ssl3.hs.md5 and ss->ssl3.hs.sha should be NULL or
4055	     * created successfully. */
4056	    ss->ssl3.hs.md5 = PK11_CreateDigestContext(SEC_OID_MD5);
4057	    if (ss->ssl3.hs.md5 == NULL) {
4058		ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
4059		return SECFailure;
4060	    }
4061	    ss->ssl3.hs.sha = PK11_CreateDigestContext(SEC_OID_SHA1);
4062	    if (ss->ssl3.hs.sha == NULL) {
4063		PK11_DestroyContext(ss->ssl3.hs.md5, PR_TRUE);
4064		ss->ssl3.hs.md5 = NULL;
4065		ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
4066		return SECFailure;
4067	    }
4068	    ss->ssl3.hs.hashType = handshake_hash_combo;
4069
4070	    if (PK11_DigestBegin(ss->ssl3.hs.md5) != SECSuccess) {
4071		ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
4072		return SECFailure;
4073	    }
4074	    if (PK11_DigestBegin(ss->ssl3.hs.sha) != SECSuccess) {
4075		ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
4076		return SECFailure;
4077	    }
4078	}
4079    }
4080
4081    if (ss->ssl3.hs.messages.len > 0) {
4082	if (ssl3_UpdateHandshakeHashes(ss, ss->ssl3.hs.messages.buf,
4083				       ss->ssl3.hs.messages.len) !=
4084	    SECSuccess) {
4085	    return SECFailure;
4086	}
4087	PORT_Free(ss->ssl3.hs.messages.buf);
4088	ss->ssl3.hs.messages.buf = NULL;
4089	ss->ssl3.hs.messages.len = 0;
4090	ss->ssl3.hs.messages.space = 0;
4091    }
4092
4093    return SECSuccess;
4094}
4095
4096static SECStatus
4097ssl3_RestartHandshakeHashes(sslSocket *ss)
4098{
4099    SECStatus rv = SECSuccess;
4100
4101    SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes",
4102	    SSL_GETPID(), ss->fd ));
4103    ss->ssl3.hs.hashType = handshake_hash_unknown;
4104    ss->ssl3.hs.messages.len = 0;
4105#ifndef NO_PKCS11_BYPASS
4106    ss->ssl3.hs.sha_obj = NULL;
4107    ss->ssl3.hs.sha_clone = NULL;
4108#endif
4109    if (ss->ssl3.hs.md5) {
4110	PK11_DestroyContext(ss->ssl3.hs.md5,PR_TRUE);
4111	ss->ssl3.hs.md5 = NULL;
4112    }
4113    if (ss->ssl3.hs.sha) {
4114	PK11_DestroyContext(ss->ssl3.hs.sha,PR_TRUE);
4115	ss->ssl3.hs.sha = NULL;
4116    }
4117    return rv;
4118}
4119
4120/*
4121 * Handshake messages
4122 */
4123/* Called from	ssl3_InitHandshakeHashes()
4124**		ssl3_AppendHandshake()
4125**		ssl3_StartHandshakeHash()
4126**		ssl3_HandleV2ClientHello()
4127**		ssl3_HandleHandshakeMessage()
4128** Caller must hold the ssl3Handshake lock.
4129*/
4130static SECStatus
4131ssl3_UpdateHandshakeHashes(sslSocket *ss, const unsigned char *b,
4132			   unsigned int l)
4133{
4134    SECStatus  rv = SECSuccess;
4135
4136    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
4137
4138    /* We need to buffer the handshake messages until we have established
4139     * which handshake hash function to use. */
4140    if (ss->ssl3.hs.hashType == handshake_hash_unknown) {
4141	return sslBuffer_Append(&ss->ssl3.hs.messages, b, l);
4142    }
4143
4144    PRINT_BUF(90, (NULL, "handshake hash input:", b, l));
4145
4146#ifndef NO_PKCS11_BYPASS
4147    if (ss->opt.bypassPKCS11) {
4148	if (ss->ssl3.hs.hashType == handshake_hash_single) {
4149	    ss->ssl3.hs.sha_obj->update(ss->ssl3.hs.sha_cx, b, l);
4150	} else {
4151	    MD5_Update((MD5Context *)ss->ssl3.hs.md5_cx, b, l);
4152	    SHA1_Update((SHA1Context *)ss->ssl3.hs.sha_cx, b, l);
4153	}
4154	return rv;
4155    }
4156#endif
4157    if (ss->ssl3.hs.hashType == handshake_hash_single) {
4158	rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l);
4159	if (rv != SECSuccess) {
4160	    ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
4161	    return rv;
4162	}
4163	if (ss->ssl3.hs.backupHash) {
4164	    rv = PK11_DigestOp(ss->ssl3.hs.backupHash, b, l);
4165	    if (rv != SECSuccess) {
4166		ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
4167		return rv;
4168	    }
4169	}
4170    } else {
4171	rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l);
4172	if (rv != SECSuccess) {
4173	    ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
4174	    return rv;
4175	}
4176	rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l);
4177	if (rv != SECSuccess) {
4178	    ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
4179	    return rv;
4180	}
4181    }
4182    return rv;
4183}
4184
4185/**************************************************************************
4186 * Append Handshake functions.
4187 * All these functions set appropriate error codes.
4188 * Most rely on ssl3_AppendHandshake to set the error code.
4189 **************************************************************************/
4190SECStatus
4191ssl3_AppendHandshake(sslSocket *ss, const void *void_src, PRInt32 bytes)
4192{
4193    unsigned char *  src  = (unsigned char *)void_src;
4194    int              room = ss->sec.ci.sendBuf.space - ss->sec.ci.sendBuf.len;
4195    SECStatus        rv;
4196
4197    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); /* protects sendBuf. */
4198
4199    if (!bytes)
4200    	return SECSuccess;
4201    if (ss->sec.ci.sendBuf.space < MAX_SEND_BUF_LENGTH && room < bytes) {
4202	rv = sslBuffer_Grow(&ss->sec.ci.sendBuf, PR_MAX(MIN_SEND_BUF_LENGTH,
4203		 PR_MIN(MAX_SEND_BUF_LENGTH, ss->sec.ci.sendBuf.len + bytes)));
4204	if (rv != SECSuccess)
4205	    return rv;	/* sslBuffer_Grow has set a memory error code. */
4206	room = ss->sec.ci.sendBuf.space - ss->sec.ci.sendBuf.len;
4207    }
4208
4209    PRINT_BUF(60, (ss, "Append to Handshake", (unsigned char*)void_src, bytes));
4210    rv = ssl3_UpdateHandshakeHashes(ss, src, bytes);
4211    if (rv != SECSuccess)
4212	return rv;	/* error code set by ssl3_UpdateHandshakeHashes */
4213
4214    while (bytes > room) {
4215	if (room > 0)
4216	    PORT_Memcpy(ss->sec.ci.sendBuf.buf + ss->sec.ci.sendBuf.len, src,
4217	                room);
4218	ss->sec.ci.sendBuf.len += room;
4219	rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
4220	if (rv != SECSuccess) {
4221	    return rv;	/* error code set by ssl3_FlushHandshake */
4222	}
4223	bytes -= room;
4224	src += room;
4225	room = ss->sec.ci.sendBuf.space;
4226	PORT_Assert(ss->sec.ci.sendBuf.len == 0);
4227    }
4228    PORT_Memcpy(ss->sec.ci.sendBuf.buf + ss->sec.ci.sendBuf.len, src, bytes);
4229    ss->sec.ci.sendBuf.len += bytes;
4230    return SECSuccess;
4231}
4232
4233SECStatus
4234ssl3_AppendHandshakeNumber(sslSocket *ss, PRInt32 num, PRInt32 lenSize)
4235{
4236    SECStatus rv;
4237    PRUint8   b[4];
4238    PRUint8 * p = b;
4239
4240    switch (lenSize) {
4241      case 4:
4242	*p++ = (num >> 24) & 0xff;
4243      case 3:
4244	*p++ = (num >> 16) & 0xff;
4245      case 2:
4246	*p++ = (num >> 8) & 0xff;
4247      case 1:
4248	*p = num & 0xff;
4249    }
4250    SSL_TRC(60, ("%d: number:", SSL_GETPID()));
4251    rv = ssl3_AppendHandshake(ss, &b[0], lenSize);
4252    return rv;	/* error code set by AppendHandshake, if applicable. */
4253}
4254
4255SECStatus
4256ssl3_AppendHandshakeVariable(
4257    sslSocket *ss, const SSL3Opaque *src, PRInt32 bytes, PRInt32 lenSize)
4258{
4259    SECStatus rv;
4260
4261    PORT_Assert((bytes < (1<<8) && lenSize == 1) ||
4262	      (bytes < (1L<<16) && lenSize == 2) ||
4263	      (bytes < (1L<<24) && lenSize == 3));
4264
4265    SSL_TRC(60,("%d: append variable:", SSL_GETPID()));
4266    rv = ssl3_AppendHandshakeNumber(ss, bytes, lenSize);
4267    if (rv != SECSuccess) {
4268	return rv;	/* error code set by AppendHandshake, if applicable. */
4269    }
4270    SSL_TRC(60, ("data:"));
4271    rv = ssl3_AppendHandshake(ss, src, bytes);
4272    return rv;	/* error code set by AppendHandshake, if applicable. */
4273}
4274
4275SECStatus
4276ssl3_AppendHandshakeHeader(sslSocket *ss, SSL3HandshakeType t, PRUint32 length)
4277{
4278    SECStatus rv;
4279
4280    /* If we already have a message in place, we need to enqueue it.
4281     * This empties the buffer. This is a convenient place to call
4282     * dtls_StageHandshakeMessage to mark the message boundary.
4283     */
4284    if (IS_DTLS(ss)) {
4285	rv = dtls_StageHandshakeMessage(ss);
4286	if (rv != SECSuccess) {
4287	    return rv;
4288	}
4289    }
4290
4291    SSL_TRC(30,("%d: SSL3[%d]: append handshake header: type %s",
4292    	SSL_GETPID(), ss->fd, ssl3_DecodeHandshakeType(t)));
4293
4294    rv = ssl3_AppendHandshakeNumber(ss, t, 1);
4295    if (rv != SECSuccess) {
4296    	return rv;	/* error code set by AppendHandshake, if applicable. */
4297    }
4298    rv = ssl3_AppendHandshakeNumber(ss, length, 3);
4299    if (rv != SECSuccess) {
4300    	return rv;	/* error code set by AppendHandshake, if applicable. */
4301    }
4302
4303    if (IS_DTLS(ss)) {
4304	/* Note that we make an unfragmented message here. We fragment in the
4305	 * transmission code, if necessary */
4306	rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.sendMessageSeq, 2);
4307	if (rv != SECSuccess) {
4308	    return rv;	/* error code set by AppendHandshake, if applicable. */
4309	}
4310	ss->ssl3.hs.sendMessageSeq++;
4311
4312	/* 0 is the fragment offset, because it's not fragmented yet */
4313	rv = ssl3_AppendHandshakeNumber(ss, 0, 3);
4314	if (rv != SECSuccess) {
4315	    return rv;	/* error code set by AppendHandshake, if applicable. */
4316	}
4317
4318	/* Fragment length -- set to the packet length because not fragmented */
4319	rv = ssl3_AppendHandshakeNumber(ss, length, 3);
4320	if (rv != SECSuccess) {
4321	    return rv;	/* error code set by AppendHandshake, if applicable. */
4322	}
4323    }
4324
4325    return rv;		/* error code set by AppendHandshake, if applicable. */
4326}
4327
4328/* ssl3_AppendSignatureAndHashAlgorithm appends the serialisation of
4329 * |sigAndHash| to the current handshake message. */
4330SECStatus
4331ssl3_AppendSignatureAndHashAlgorithm(
4332	sslSocket *ss, const SSL3SignatureAndHashAlgorithm* sigAndHash)
4333{
4334    unsigned char serialized[2];
4335
4336    serialized[0] = ssl3_OIDToTLSHashAlgorithm(sigAndHash->hashAlg);
4337    if (serialized[0] == 0) {
4338	PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
4339	return SECFailure;
4340    }
4341
4342    serialized[1] = sigAndHash->sigAlg;
4343
4344    return ssl3_AppendHandshake(ss, serialized, sizeof(serialized));
4345}
4346
4347/**************************************************************************
4348 * Consume Handshake functions.
4349 *
4350 * All data used in these functions is protected by two locks,
4351 * the RecvBufLock and the SSL3HandshakeLock
4352 **************************************************************************/
4353
4354/* Read up the next "bytes" number of bytes from the (decrypted) input
4355 * stream "b" (which is *length bytes long). Copy them into buffer "v".
4356 * Reduces *length by bytes.  Advances *b by bytes.
4357 *
4358 * If this function returns SECFailure, it has already sent an alert,
4359 * and has set a generic error code.  The caller should probably
4360 * override the generic error code by setting another.
4361 */
4362SECStatus
4363ssl3_ConsumeHandshake(sslSocket *ss, void *v, PRInt32 bytes, SSL3Opaque **b,
4364		      PRUint32 *length)
4365{
4366    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
4367    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
4368
4369    if ((PRUint32)bytes > *length) {
4370	return ssl3_DecodeError(ss);
4371    }
4372    PORT_Memcpy(v, *b, bytes);
4373    PRINT_BUF(60, (ss, "consume bytes:", *b, bytes));
4374    *b      += bytes;
4375    *length -= bytes;
4376    return SECSuccess;
4377}
4378
4379/* Read up the next "bytes" number of bytes from the (decrypted) input
4380 * stream "b" (which is *length bytes long), and interpret them as an
4381 * integer in network byte order.  Returns the received value.
4382 * Reduces *length by bytes.  Advances *b by bytes.
4383 *
4384 * Returns SECFailure (-1) on failure.
4385 * This value is indistinguishable from the equivalent received value.
4386 * Only positive numbers are to be received this way.
4387 * Thus, the largest value that may be sent this way is 0x7fffffff.
4388 * On error, an alert has been sent, and a generic error code has been set.
4389 */
4390PRInt32
4391ssl3_ConsumeHandshakeNumber(sslSocket *ss, PRInt32 bytes, SSL3Opaque **b,
4392			    PRUint32 *length)
4393{
4394    PRUint8  *buf = *b;
4395    int       i;
4396    PRInt32   num = 0;
4397
4398    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
4399    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
4400    PORT_Assert( bytes <= sizeof num);
4401
4402    if ((PRUint32)bytes > *length) {
4403	return ssl3_DecodeError(ss);
4404    }
4405    PRINT_BUF(60, (ss, "consume bytes:", *b, bytes));
4406
4407    for (i = 0; i < bytes; i++)
4408	num = (num << 8) + buf[i];
4409    *b      += bytes;
4410    *length -= bytes;
4411    return num;
4412}
4413
4414/* Read in two values from the incoming decrypted byte stream "b", which is
4415 * *length bytes long.  The first value is a number whose size is "bytes"
4416 * bytes long.  The second value is a byte-string whose size is the value
4417 * of the first number received.  The latter byte-string, and its length,
4418 * is returned in the SECItem i.
4419 *
4420 * Returns SECFailure (-1) on failure.
4421 * On error, an alert has been sent, and a generic error code has been set.
4422 *
4423 * RADICAL CHANGE for NSS 3.11.  All callers of this function make copies
4424 * of the data returned in the SECItem *i, so making a copy of it here
4425 * is simply wasteful.  So, This function now just sets SECItem *i to
4426 * point to the values in the buffer **b.
4427 */
4428SECStatus
4429ssl3_ConsumeHandshakeVariable(sslSocket *ss, SECItem *i, PRInt32 bytes,
4430			      SSL3Opaque **b, PRUint32 *length)
4431{
4432    PRInt32   count;
4433
4434    PORT_Assert(bytes <= 3);
4435    i->len  = 0;
4436    i->data = NULL;
4437    count = ssl3_ConsumeHandshakeNumber(ss, bytes, b, length);
4438    if (count < 0) { 		/* Can't test for SECSuccess here. */
4439    	return SECFailure;
4440    }
4441    if (count > 0) {
4442	if ((PRUint32)count > *length) {
4443	    return ssl3_DecodeError(ss);
4444	}
4445	i->data = *b;
4446	i->len  = count;
4447	*b      += count;
4448	*length -= count;
4449    }
4450    return SECSuccess;
4451}
4452
4453/* tlsHashOIDMap contains the mapping between TLS hash identifiers and the
4454 * SECOidTag used internally by NSS. */
4455static const struct {
4456    int tlsHash;
4457    SECOidTag oid;
4458} tlsHashOIDMap[] = {
4459    { tls_hash_md5, SEC_OID_MD5 },
4460    { tls_hash_sha1, SEC_OID_SHA1 },
4461    { tls_hash_sha224, SEC_OID_SHA224 },
4462    { tls_hash_sha256, SEC_OID_SHA256 },
4463    { tls_hash_sha384, SEC_OID_SHA384 },
4464    { tls_hash_sha512, SEC_OID_SHA512 }
4465};
4466
4467/* ssl3_TLSHashAlgorithmToOID converts a TLS hash identifier into an OID value.
4468 * If the hash is not recognised, SEC_OID_UNKNOWN is returned.
4469 *
4470 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
4471SECOidTag
4472ssl3_TLSHashAlgorithmToOID(int hashFunc)
4473{
4474    unsigned int i;
4475
4476    for (i = 0; i < PR_ARRAY_SIZE(tlsHashOIDMap); i++) {
4477	if (hashFunc == tlsHashOIDMap[i].tlsHash) {
4478	    return tlsHashOIDMap[i].oid;
4479	}
4480    }
4481    return SEC_OID_UNKNOWN;
4482}
4483
4484/* ssl3_OIDToTLSHashAlgorithm converts an OID to a TLS hash algorithm
4485 * identifier. If the hash is not recognised, zero is returned.
4486 *
4487 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
4488static int
4489ssl3_OIDToTLSHashAlgorithm(SECOidTag oid)
4490{
4491    unsigned int i;
4492
4493    for (i = 0; i < PR_ARRAY_SIZE(tlsHashOIDMap); i++) {
4494	if (oid == tlsHashOIDMap[i].oid) {
4495	    return tlsHashOIDMap[i].tlsHash;
4496	}
4497    }
4498    return 0;
4499}
4500
4501/* ssl3_TLSSignatureAlgorithmForKeyType returns the TLS 1.2 signature algorithm
4502 * identifier for a given KeyType. */
4503static SECStatus
4504ssl3_TLSSignatureAlgorithmForKeyType(KeyType keyType,
4505				     TLSSignatureAlgorithm *out)
4506{
4507    switch (keyType) {
4508    case rsaKey:
4509	*out = tls_sig_rsa;
4510	return SECSuccess;
4511    case dsaKey:
4512	*out = tls_sig_dsa;
4513	return SECSuccess;
4514    case ecKey:
4515	*out = tls_sig_ecdsa;
4516	return SECSuccess;
4517    default:
4518	PORT_SetError(SEC_ERROR_INVALID_KEY);
4519	return SECFailure;
4520    }
4521}
4522
4523/* ssl3_TLSSignatureAlgorithmForCertificate returns the TLS 1.2 signature
4524 * algorithm identifier for the given certificate. */
4525static SECStatus
4526ssl3_TLSSignatureAlgorithmForCertificate(CERTCertificate *cert,
4527					 TLSSignatureAlgorithm *out)
4528{
4529    SECKEYPublicKey *key;
4530    KeyType keyType;
4531
4532    key = CERT_ExtractPublicKey(cert);
4533    if (key == NULL) {
4534	ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
4535    	return SECFailure;
4536    }
4537
4538    keyType = key->keyType;
4539    SECKEY_DestroyPublicKey(key);
4540    return ssl3_TLSSignatureAlgorithmForKeyType(keyType, out);
4541}
4542
4543/* ssl3_CheckSignatureAndHashAlgorithmConsistency checks that the signature
4544 * algorithm identifier in |sigAndHash| is consistent with the public key in
4545 * |cert|. If so, SECSuccess is returned. Otherwise, PORT_SetError is called
4546 * and SECFailure is returned. */
4547SECStatus
4548ssl3_CheckSignatureAndHashAlgorithmConsistency(
4549	const SSL3SignatureAndHashAlgorithm *sigAndHash, CERTCertificate* cert)
4550{
4551    SECStatus rv;
4552    TLSSignatureAlgorithm sigAlg;
4553
4554    rv = ssl3_TLSSignatureAlgorithmForCertificate(cert, &sigAlg);
4555    if (rv != SECSuccess) {
4556	return rv;
4557    }
4558    if (sigAlg != sigAndHash->sigAlg) {
4559	PORT_SetError(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM);
4560	return SECFailure;
4561    }
4562    return SECSuccess;
4563}
4564
4565/* ssl3_ConsumeSignatureAndHashAlgorithm reads a SignatureAndHashAlgorithm
4566 * structure from |b| and puts the resulting value into |out|. |b| and |length|
4567 * are updated accordingly.
4568 *
4569 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
4570SECStatus
4571ssl3_ConsumeSignatureAndHashAlgorithm(sslSocket *ss,
4572				      SSL3Opaque **b,
4573				      PRUint32 *length,
4574				      SSL3SignatureAndHashAlgorithm *out)
4575{
4576    unsigned char bytes[2];
4577    SECStatus rv;
4578
4579    rv = ssl3_ConsumeHandshake(ss, bytes, sizeof(bytes), b, length);
4580    if (rv != SECSuccess) {
4581	return rv;
4582    }
4583
4584    out->hashAlg = ssl3_TLSHashAlgorithmToOID(bytes[0]);
4585    if (out->hashAlg == SEC_OID_UNKNOWN) {
4586	PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
4587	return SECFailure;
4588    }
4589
4590    out->sigAlg = bytes[1];
4591    return SECSuccess;
4592}
4593
4594/**************************************************************************
4595 * end of Consume Handshake functions.
4596 **************************************************************************/
4597
4598/* Extract the hashes of handshake messages to this point.
4599 * Called from ssl3_SendCertificateVerify
4600 *             ssl3_SendFinished
4601 *             ssl3_HandleHandshakeMessage
4602 *
4603 * Caller must hold the SSL3HandshakeLock.
4604 * Caller must hold a read or write lock on the Spec R/W lock.
4605 *	(There is presently no way to assert on a Read lock.)
4606 */
4607static SECStatus
4608ssl3_ComputeHandshakeHashes(sslSocket *     ss,
4609                            ssl3CipherSpec *spec,   /* uses ->master_secret */
4610			    SSL3Hashes *    hashes, /* output goes here. */
4611			    PRUint32        sender)
4612{
4613    SECStatus     rv        = SECSuccess;
4614    PRBool        isTLS     = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0);
4615    unsigned int  outLength;
4616    SSL3Opaque    md5_inner[MAX_MAC_LENGTH];
4617    SSL3Opaque    sha_inner[MAX_MAC_LENGTH];
4618
4619    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
4620    hashes->hashAlg = SEC_OID_UNKNOWN;
4621
4622#ifndef NO_PKCS11_BYPASS
4623    if (ss->opt.bypassPKCS11 &&
4624	ss->ssl3.hs.hashType == handshake_hash_single) {
4625	/* compute them without PKCS11 */
4626	PRUint64      sha_cx[MAX_MAC_CONTEXT_LLONGS];
4627
4628	if (!spec->msItem.data) {
4629	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
4630	    return SECFailure;
4631	}
4632
4633	ss->ssl3.hs.sha_clone(sha_cx, ss->ssl3.hs.sha_cx);
4634	ss->ssl3.hs.sha_obj->end(sha_cx, hashes->u.raw, &hashes->len,
4635				 sizeof(hashes->u.raw));
4636
4637	PRINT_BUF(60, (NULL, "SHA-256: result", hashes->u.raw, hashes->len));
4638
4639	/* If we ever support ciphersuites where the PRF hash isn't SHA-256
4640	 * then this will need to be updated. */
4641	hashes->hashAlg = SEC_OID_SHA256;
4642	rv = SECSuccess;
4643    } else if (ss->opt.bypassPKCS11) {
4644	/* compute them without PKCS11 */
4645	PRUint64      md5_cx[MAX_MAC_CONTEXT_LLONGS];
4646	PRUint64      sha_cx[MAX_MAC_CONTEXT_LLONGS];
4647
4648#define md5cx ((MD5Context *)md5_cx)
4649#define shacx ((SHA1Context *)sha_cx)
4650
4651	if (!spec->msItem.data) {
4652	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
4653	    return SECFailure;
4654	}
4655
4656	MD5_Clone (md5cx,  (MD5Context *)ss->ssl3.hs.md5_cx);
4657	SHA1_Clone(shacx, (SHA1Context *)ss->ssl3.hs.sha_cx);
4658
4659	if (!isTLS) {
4660	    /* compute hashes for SSL3. */
4661	    unsigned char s[4];
4662
4663	    s[0] = (unsigned char)(sender >> 24);
4664	    s[1] = (unsigned char)(sender >> 16);
4665	    s[2] = (unsigned char)(sender >> 8);
4666	    s[3] = (unsigned char)sender;
4667
4668	    if (sender != 0) {
4669		MD5_Update(md5cx, s, 4);
4670		PRINT_BUF(95, (NULL, "MD5 inner: sender", s, 4));
4671	    }
4672
4673	    PRINT_BUF(95, (NULL, "MD5 inner: MAC Pad 1", mac_pad_1,
4674			    mac_defs[mac_md5].pad_size));
4675
4676	    MD5_Update(md5cx, spec->msItem.data, spec->msItem.len);
4677	    MD5_Update(md5cx, mac_pad_1, mac_defs[mac_md5].pad_size);
4678	    MD5_End(md5cx, md5_inner, &outLength, MD5_LENGTH);
4679
4680	    PRINT_BUF(95, (NULL, "MD5 inner: result", md5_inner, outLength));
4681
4682	    if (sender != 0) {
4683		SHA1_Update(shacx, s, 4);
4684		PRINT_BUF(95, (NULL, "SHA inner: sender", s, 4));
4685	    }
4686
4687	    PRINT_BUF(95, (NULL, "SHA inner: MAC Pad 1", mac_pad_1,
4688			    mac_defs[mac_sha].pad_size));
4689
4690	    SHA1_Update(shacx, spec->msItem.data, spec->msItem.len);
4691	    SHA1_Update(shacx, mac_pad_1, mac_defs[mac_sha].pad_size);
4692	    SHA1_End(shacx, sha_inner, &outLength, SHA1_LENGTH);
4693
4694	    PRINT_BUF(95, (NULL, "SHA inner: result", sha_inner, outLength));
4695	    PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2,
4696			    mac_defs[mac_md5].pad_size));
4697	    PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH));
4698
4699	    MD5_Begin(md5cx);
4700	    MD5_Update(md5cx, spec->msItem.data, spec->msItem.len);
4701	    MD5_Update(md5cx, mac_pad_2, mac_defs[mac_md5].pad_size);
4702	    MD5_Update(md5cx, md5_inner, MD5_LENGTH);
4703	}
4704	MD5_End(md5cx, hashes->u.s.md5, &outLength, MD5_LENGTH);
4705
4706	PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->u.s.md5, MD5_LENGTH));
4707
4708	if (!isTLS) {
4709	    PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2,
4710			    mac_defs[mac_sha].pad_size));
4711	    PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH));
4712
4713	    SHA1_Begin(shacx);
4714	    SHA1_Update(shacx, spec->msItem.data, spec->msItem.len);
4715	    SHA1_Update(shacx, mac_pad_2, mac_defs[mac_sha].pad_size);
4716	    SHA1_Update(shacx, sha_inner, SHA1_LENGTH);
4717	}
4718	SHA1_End(shacx, hashes->u.s.sha, &outLength, SHA1_LENGTH);
4719
4720	PRINT_BUF(60, (NULL, "SHA outer: result", hashes->u.s.sha, SHA1_LENGTH));
4721
4722	hashes->len = MD5_LENGTH + SHA1_LENGTH;
4723	rv = SECSuccess;
4724#undef md5cx
4725#undef shacx
4726    } else
4727#endif
4728    if (ss->ssl3.hs.hashType == handshake_hash_single) {
4729	/* compute hashes with PKCS11 */
4730	PK11Context *h;
4731	unsigned int  stateLen;
4732	unsigned char stackBuf[1024];
4733	unsigned char *stateBuf = NULL;
4734
4735	if (!spec->master_secret) {
4736	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
4737	    return SECFailure;
4738	}
4739
4740	h = ss->ssl3.hs.sha;
4741	stateBuf = PK11_SaveContextAlloc(h, stackBuf,
4742					 sizeof(stackBuf), &stateLen);
4743	if (stateBuf == NULL) {
4744	    ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
4745	    goto tls12_loser;
4746	}
4747	rv |= PK11_DigestFinal(h, hashes->u.raw, &hashes->len,
4748			       sizeof(hashes->u.raw));
4749	if (rv != SECSuccess) {
4750	    ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
4751	    rv = SECFailure;
4752	    goto tls12_loser;
4753	}
4754	/* If we ever support ciphersuites where the PRF hash isn't SHA-256
4755	 * then this will need to be updated. */
4756	hashes->hashAlg = SEC_OID_SHA256;
4757	rv = SECSuccess;
4758
4759tls12_loser:
4760	if (stateBuf) {
4761	    if (PK11_RestoreContext(h, stateBuf, stateLen) != SECSuccess) {
4762		ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
4763		rv = SECFailure;
4764	    }
4765	    if (stateBuf != stackBuf) {
4766		PORT_ZFree(stateBuf, stateLen);
4767	    }
4768	}
4769    } else {
4770	/* compute hashes with PKCS11 */
4771	PK11Context * md5;
4772	PK11Context * sha       = NULL;
4773	unsigned char *md5StateBuf = NULL;
4774	unsigned char *shaStateBuf = NULL;
4775	unsigned int  md5StateLen, shaStateLen;
4776	unsigned char md5StackBuf[256];
4777	unsigned char shaStackBuf[512];
4778
4779	if (!spec->master_secret) {
4780	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
4781	    return SECFailure;
4782	}
4783
4784	md5StateBuf = PK11_SaveContextAlloc(ss->ssl3.hs.md5, md5StackBuf,
4785					    sizeof md5StackBuf, &md5StateLen);
4786	if (md5StateBuf == NULL) {
4787	    ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
4788	    goto loser;
4789	}
4790	md5 = ss->ssl3.hs.md5;
4791
4792	shaStateBuf = PK11_SaveContextAlloc(ss->ssl3.hs.sha, shaStackBuf,
4793					    sizeof shaStackBuf, &shaStateLen);
4794	if (shaStateBuf == NULL) {
4795	    ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
4796	    goto loser;
4797	}
4798	sha = ss->ssl3.hs.sha;
4799
4800	if (!isTLS) {
4801	    /* compute hashes for SSL3. */
4802	    unsigned char s[4];
4803
4804	    s[0] = (unsigned char)(sender >> 24);
4805	    s[1] = (unsigned char)(sender >> 16);
4806	    s[2] = (unsigned char)(sender >> 8);
4807	    s[3] = (unsigned char)sender;
4808
4809	    if (sender != 0) {
4810		rv |= PK11_DigestOp(md5, s, 4);
4811		PRINT_BUF(95, (NULL, "MD5 inner: sender", s, 4));
4812	    }
4813
4814	    PRINT_BUF(95, (NULL, "MD5 inner: MAC Pad 1", mac_pad_1,
4815			  mac_defs[mac_md5].pad_size));
4816
4817	    rv |= PK11_DigestKey(md5,spec->master_secret);
4818	    rv |= PK11_DigestOp(md5, mac_pad_1, mac_defs[mac_md5].pad_size);
4819	    rv |= PK11_DigestFinal(md5, md5_inner, &outLength, MD5_LENGTH);
4820	    PORT_Assert(rv != SECSuccess || outLength == MD5_LENGTH);
4821	    if (rv != SECSuccess) {
4822		ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
4823		rv = SECFailure;
4824		goto loser;
4825	    }
4826
4827	    PRINT_BUF(95, (NULL, "MD5 inner: result", md5_inner, outLength));
4828
4829	    if (sender != 0) {
4830		rv |= PK11_DigestOp(sha, s, 4);
4831		PRINT_BUF(95, (NULL, "SHA inner: sender", s, 4));
4832	    }
4833
4834	    PRINT_BUF(95, (NULL, "SHA inner: MAC Pad 1", mac_pad_1,
4835			  mac_defs[mac_sha].pad_size));
4836
4837	    rv |= PK11_DigestKey(sha, spec->master_secret);
4838	    rv |= PK11_DigestOp(sha, mac_pad_1, mac_defs[mac_sha].pad_size);
4839	    rv |= PK11_DigestFinal(sha, sha_inner, &outLength, SHA1_LENGTH);
4840	    PORT_Assert(rv != SECSuccess || outLength == SHA1_LENGTH);
4841	    if (rv != SECSuccess) {
4842		ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
4843		rv = SECFailure;
4844		goto loser;
4845	    }
4846
4847	    PRINT_BUF(95, (NULL, "SHA inner: result", sha_inner, outLength));
4848
4849	    PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2,
4850			  mac_defs[mac_md5].pad_size));
4851	    PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH));
4852
4853	    rv |= PK11_DigestBegin(md5);
4854	    rv |= PK11_DigestKey(md5, spec->master_secret);
4855	    rv |= PK11_DigestOp(md5, mac_pad_2, mac_defs[mac_md5].pad_size);
4856	    rv |= PK11_DigestOp(md5, md5_inner, MD5_LENGTH);
4857	}
4858	rv |= PK11_DigestFinal(md5, hashes->u.s.md5, &outLength, MD5_LENGTH);
4859	PORT_Assert(rv != SECSuccess || outLength == MD5_LENGTH);
4860	if (rv != SECSuccess) {
4861	    ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
4862	    rv = SECFailure;
4863	    goto loser;
4864	}
4865
4866	PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->u.s.md5, MD5_LENGTH));
4867
4868	if (!isTLS) {
4869	    PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2,
4870			  mac_defs[mac_sha].pad_size));
4871	    PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH));
4872
4873	    rv |= PK11_DigestBegin(sha);
4874	    rv |= PK11_DigestKey(sha,spec->master_secret);
4875	    rv |= PK11_DigestOp(sha, mac_pad_2, mac_defs[mac_sha].pad_size);
4876	    rv |= PK11_DigestOp(sha, sha_inner, SHA1_LENGTH);
4877	}
4878	rv |= PK11_DigestFinal(sha, hashes->u.s.sha, &outLength, SHA1_LENGTH);
4879	PORT_Assert(rv != SECSuccess || outLength == SHA1_LENGTH);
4880	if (rv != SECSuccess) {
4881	    ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
4882	    rv = SECFailure;
4883	    goto loser;
4884	}
4885
4886	PRINT_BUF(60, (NULL, "SHA outer: result", hashes->u.s.sha, SHA1_LENGTH));
4887
4888	hashes->len = MD5_LENGTH + SHA1_LENGTH;
4889	rv = SECSuccess;
4890
4891    loser:
4892	if (md5StateBuf) {
4893	    if (PK11_RestoreContext(ss->ssl3.hs.md5, md5StateBuf, md5StateLen)
4894		 != SECSuccess)
4895	    {
4896		ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
4897		rv = SECFailure;
4898	    }
4899	    if (md5StateBuf != md5StackBuf) {
4900		PORT_ZFree(md5StateBuf, md5StateLen);
4901	    }
4902	}
4903	if (shaStateBuf) {
4904	    if (PK11_RestoreContext(ss->ssl3.hs.sha, shaStateBuf, shaStateLen)
4905		 != SECSuccess)
4906	    {
4907		ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
4908		rv = SECFailure;
4909	    }
4910	    if (shaStateBuf != shaStackBuf) {
4911		PORT_ZFree(shaStateBuf, shaStateLen);
4912	    }
4913	}
4914    }
4915    return rv;
4916}
4917
4918static SECStatus
4919ssl3_ComputeBackupHandshakeHashes(sslSocket * ss,
4920				  SSL3Hashes * hashes) /* output goes here. */
4921{
4922    SECStatus rv = SECSuccess;
4923
4924    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
4925    PORT_Assert( !ss->sec.isServer );
4926    PORT_Assert( ss->ssl3.hs.hashType == handshake_hash_single );
4927
4928    rv = PK11_DigestFinal(ss->ssl3.hs.backupHash, hashes->u.raw, &hashes->len,
4929			  sizeof(hashes->u.raw));
4930    if (rv != SECSuccess) {
4931	ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
4932	rv = SECFailure;
4933	goto loser;
4934    }
4935    hashes->hashAlg = SEC_OID_SHA1;
4936
4937loser:
4938    PK11_DestroyContext(ss->ssl3.hs.backupHash, PR_TRUE);
4939    ss->ssl3.hs.backupHash = NULL;
4940    return rv;
4941}
4942
4943/*
4944 * SSL 2 based implementations pass in the initial outbound buffer
4945 * so that the handshake hash can contain the included information.
4946 *
4947 * Called from ssl2_BeginClientHandshake() in sslcon.c
4948 */
4949SECStatus
4950ssl3_StartHandshakeHash(sslSocket *ss, unsigned char * buf, int length)
4951{
4952    SECStatus rv;
4953
4954    ssl_GetSSL3HandshakeLock(ss);  /**************************************/
4955
4956    rv = ssl3_InitState(ss);
4957    if (rv != SECSuccess) {
4958	goto done;		/* ssl3_InitState has set the error code. */
4959    }
4960    rv = ssl3_RestartHandshakeHashes(ss);
4961    if (rv != SECSuccess) {
4962	goto done;
4963    }
4964
4965    PORT_Memset(&ss->ssl3.hs.client_random, 0, SSL3_RANDOM_LENGTH);
4966    PORT_Memcpy(
4967	&ss->ssl3.hs.client_random.rand[SSL3_RANDOM_LENGTH - SSL_CHALLENGE_BYTES],
4968	&ss->sec.ci.clientChallenge,
4969	SSL_CHALLENGE_BYTES);
4970
4971    rv = ssl3_UpdateHandshakeHashes(ss, buf, length);
4972    /* if it failed, ssl3_UpdateHandshakeHashes has set the error code. */
4973
4974done:
4975    ssl_ReleaseSSL3HandshakeLock(ss);  /**************************************/
4976    return rv;
4977}
4978
4979/**************************************************************************
4980 * end of Handshake Hash functions.
4981 * Begin Send and Handle functions for handshakes.
4982 **************************************************************************/
4983
4984/* Called from ssl3_HandleHelloRequest(),
4985 *             ssl3_RedoHandshake()
4986 *             ssl2_BeginClientHandshake (when resuming ssl3 session)
4987 *             dtls_HandleHelloVerifyRequest(with resending=PR_TRUE)
4988 */
4989SECStatus
4990ssl3_SendClientHello(sslSocket *ss, PRBool resending)
4991{
4992    sslSessionID *   sid;
4993    ssl3CipherSpec * cwSpec;
4994    SECStatus        rv;
4995    int              i;
4996    int              length;
4997    int              num_suites;
4998    int              actual_count = 0;
4999    PRBool           isTLS = PR_FALSE;
5000    PRBool           requestingResume = PR_FALSE, fallbackSCSV = PR_FALSE;
5001    PRInt32          total_exten_len = 0;
5002    unsigned         paddingExtensionLen;
5003    unsigned         numCompressionMethods;
5004    PRInt32          flags;
5005
5006    SSL_TRC(3, ("%d: SSL3[%d]: send client_hello handshake", SSL_GETPID(),
5007		ss->fd));
5008
5009    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
5010    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
5011
5012    rv = ssl3_InitState(ss);
5013    if (rv != SECSuccess) {
5014	return rv;		/* ssl3_InitState has set the error code. */
5015    }
5016    ss->ssl3.hs.sendingSCSV = PR_FALSE; /* Must be reset every handshake */
5017    PORT_Assert(IS_DTLS(ss) || !resending);
5018
5019    SECITEM_FreeItem(&ss->ssl3.hs.newSessionTicket.ticket, PR_FALSE);
5020    ss->ssl3.hs.receivedNewSessionTicket = PR_FALSE;
5021
5022    /* We might be starting a session renegotiation in which case we should
5023     * clear previous state.
5024     */
5025    PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
5026
5027    rv = ssl3_RestartHandshakeHashes(ss);
5028    if (rv != SECSuccess) {
5029	return rv;
5030    }
5031
5032    /*
5033     * During a renegotiation, ss->clientHelloVersion will be used again to
5034     * work around a Windows SChannel bug. Ensure that it is still enabled.
5035     */
5036    if (ss->firstHsDone) {
5037	if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
5038	    PORT_SetError(SSL_ERROR_SSL_DISABLED);
5039	    return SECFailure;
5040	}
5041
5042	if (ss->clientHelloVersion < ss->vrange.min ||
5043	    ss->clientHelloVersion > ss->vrange.max) {
5044	    PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
5045	    return SECFailure;
5046	}
5047    }
5048
5049    /* We ignore ss->sec.ci.sid here, and use ssl_Lookup because Lookup
5050     * handles expired entries and other details.
5051     * XXX If we've been called from ssl2_BeginClientHandshake, then
5052     * this lookup is duplicative and wasteful.
5053     */
5054    sid = (ss->opt.noCache) ? NULL
5055	    : ssl_LookupSID(&ss->sec.ci.peer, ss->sec.ci.port, ss->peerID, ss->url);
5056
5057    /* We can't resume based on a different token. If the sid exists,
5058     * make sure the token that holds the master secret still exists ...
5059     * If we previously did client-auth, make sure that the token that holds
5060     * the private key still exists, is logged in, hasn't been removed, etc.
5061     */
5062    if (sid) {
5063	PRBool sidOK = PR_TRUE;
5064	if (sid->u.ssl3.keys.msIsWrapped) {
5065	    /* Session key was wrapped, which means it was using PKCS11, */
5066	    PK11SlotInfo *slot = NULL;
5067	    if (sid->u.ssl3.masterValid && !ss->opt.bypassPKCS11) {
5068		slot = SECMOD_LookupSlot(sid->u.ssl3.masterModuleID,
5069					 sid->u.ssl3.masterSlotID);
5070	    }
5071	    if (slot == NULL) {
5072	       sidOK = PR_FALSE;
5073	    } else {
5074		PK11SymKey *wrapKey = NULL;
5075		if (!PK11_IsPresent(slot) ||
5076		    ((wrapKey = PK11_GetWrapKey(slot,
5077						sid->u.ssl3.masterWrapIndex,
5078						sid->u.ssl3.masterWrapMech,
5079						sid->u.ssl3.masterWrapSeries,
5080						ss->pkcs11PinArg)) == NULL) ) {
5081		    sidOK = PR_FALSE;
5082		}
5083		if (wrapKey) PK11_FreeSymKey(wrapKey);
5084		PK11_FreeSlot(slot);
5085		slot = NULL;
5086	    }
5087	}
5088	/* If we previously did client-auth, make sure that the token that
5089	** holds the private key still exists, is logged in, hasn't been
5090	** removed, etc.
5091	*/
5092	if (sidOK && !ssl3_ClientAuthTokenPresent(sid)) {
5093	    sidOK = PR_FALSE;
5094	}
5095
5096	/* TLS 1.0 (RFC 2246) Appendix E says:
5097	 *   Whenever a client already knows the highest protocol known to
5098	 *   a server (for example, when resuming a session), it should
5099	 *   initiate the connection in that native protocol.
5100	 * So we pass sid->version to ssl3_NegotiateVersion() here, except
5101	 * when renegotiating.
5102	 *
5103	 * Windows SChannel compares the client_version inside the RSA
5104	 * EncryptedPreMasterSecret of a renegotiation with the
5105	 * client_version of the initial ClientHello rather than the
5106	 * ClientHello in the renegotiation. To work around this bug, we
5107	 * continue to use the client_version used in the initial
5108	 * ClientHello when renegotiating.
5109	 */
5110	if (sidOK) {
5111	    if (ss->firstHsDone) {
5112		/*
5113		 * The client_version of the initial ClientHello is still
5114		 * available in ss->clientHelloVersion. Ensure that
5115		 * sid->version is bounded within
5116		 * [ss->vrange.min, ss->clientHelloVersion], otherwise we
5117		 * can't use sid.
5118		 */
5119		if (sid->version >= ss->vrange.min &&
5120		    sid->version <= ss->clientHelloVersion) {
5121		    ss->version = ss->clientHelloVersion;
5122		} else {
5123		    sidOK = PR_FALSE;
5124		}
5125	    } else {
5126		if (ssl3_NegotiateVersion(ss, sid->version,
5127					  PR_FALSE) != SECSuccess) {
5128		    sidOK = PR_FALSE;
5129		}
5130	    }
5131	}
5132
5133	if (!sidOK) {
5134	    SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_not_ok );
5135	    if (ss->sec.uncache)
5136                (*ss->sec.uncache)(sid);
5137	    ssl_FreeSID(sid);
5138	    sid = NULL;
5139	}
5140    }
5141
5142    if (sid) {
5143	requestingResume = PR_TRUE;
5144	SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_hits );
5145
5146	PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl3.sessionID,
5147		      sid->u.ssl3.sessionIDLength));
5148
5149	ss->ssl3.policy = sid->u.ssl3.policy;
5150    } else {
5151	SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_misses );
5152
5153	/*
5154	 * Windows SChannel compares the client_version inside the RSA
5155	 * EncryptedPreMasterSecret of a renegotiation with the
5156	 * client_version of the initial ClientHello rather than the
5157	 * ClientHello in the renegotiation. To work around this bug, we
5158	 * continue to use the client_version used in the initial
5159	 * ClientHello when renegotiating.
5160	 */
5161	if (ss->firstHsDone) {
5162	    ss->version = ss->clientHelloVersion;
5163	} else {
5164	    rv = ssl3_NegotiateVersion(ss, SSL_LIBRARY_VERSION_MAX_SUPPORTED,
5165				       PR_TRUE);
5166	    if (rv != SECSuccess)
5167		return rv;	/* error code was set */
5168	}
5169
5170	sid = ssl3_NewSessionID(ss, PR_FALSE);
5171	if (!sid) {
5172	    return SECFailure;	/* memory error is set */
5173        }
5174    }
5175
5176    isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0);
5177    ssl_GetSpecWriteLock(ss);
5178    cwSpec = ss->ssl3.cwSpec;
5179    if (cwSpec->mac_def->mac == mac_null) {
5180	/* SSL records are not being MACed. */
5181	cwSpec->version = ss->version;
5182    }
5183    ssl_ReleaseSpecWriteLock(ss);
5184
5185    if (ss->sec.ci.sid != NULL) {
5186	ssl_FreeSID(ss->sec.ci.sid);	/* decrement ref count, free if zero */
5187    }
5188    ss->sec.ci.sid = sid;
5189
5190    ss->sec.send = ssl3_SendApplicationData;
5191
5192    /* shouldn't get here if SSL3 is disabled, but ... */
5193    if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
5194	PR_NOT_REACHED("No versions of SSL 3.0 or later are enabled");
5195	PORT_SetError(SSL_ERROR_SSL_DISABLED);
5196    	return SECFailure;
5197    }
5198
5199    /* how many suites does our PKCS11 support (regardless of policy)? */
5200    num_suites = ssl3_config_match_init(ss);
5201    if (!num_suites)
5202    	return SECFailure;	/* ssl3_config_match_init has set error code. */
5203
5204    /* HACK for SCSV in SSL 3.0.  On initial handshake, prepend SCSV,
5205     * only if TLS is disabled.
5206     */
5207    if (!ss->firstHsDone && !isTLS) {
5208	/* Must set this before calling Hello Extension Senders,
5209	 * to suppress sending of empty RI extension.
5210	 */
5211	ss->ssl3.hs.sendingSCSV = PR_TRUE;
5212    }
5213
5214    /* When we attempt session resumption (only), we must lock the sid to
5215     * prevent races with other resumption connections that receive a
5216     * NewSessionTicket that will cause the ticket in the sid to be replaced.
5217     * Once we've copied the session ticket into our ClientHello message, it
5218     * is OK for the ticket to change, so we just need to make sure we hold
5219     * the lock across the calls to ssl3_CallHelloExtensionSenders.
5220     */
5221    if (sid->u.ssl3.lock) {
5222        NSSRWLock_LockRead(sid->u.ssl3.lock);
5223    }
5224
5225    if (isTLS || (ss->firstHsDone && ss->peerRequestedProtection)) {
5226	PRUint32 maxBytes = 65535; /* 2^16 - 1 */
5227	PRInt32  extLen;
5228
5229	extLen = ssl3_CallHelloExtensionSenders(ss, PR_FALSE, maxBytes, NULL);
5230	if (extLen < 0) {
5231	    if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5232	    return SECFailure;
5233	}
5234	maxBytes        -= extLen;
5235	total_exten_len += extLen;
5236
5237	if (total_exten_len > 0)
5238	    total_exten_len += 2;
5239    }
5240
5241#if defined(NSS_ENABLE_ECC)
5242    if (!total_exten_len || !isTLS) {
5243	/* not sending the elliptic_curves and ec_point_formats extensions */
5244    	ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */
5245    }
5246#endif
5247
5248    if (IS_DTLS(ss)) {
5249	ssl3_DisableNonDTLSSuites(ss);
5250    }
5251
5252    if (!ssl3_HasGCMSupport()) {
5253	ssl3_DisableGCMSuites(ss);
5254    }
5255
5256    /* how many suites are permitted by policy and user preference? */
5257    num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE);
5258    if (!num_suites) {
5259    	if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5260    	return SECFailure;	/* count_cipher_suites has set error code. */
5261    }
5262
5263    fallbackSCSV = ss->opt.enableFallbackSCSV && (!requestingResume ||
5264						  ss->version < sid->version);
5265    /* make room for SCSV */
5266    if (ss->ssl3.hs.sendingSCSV) {
5267	++num_suites;
5268    }
5269    if (fallbackSCSV) {
5270	++num_suites;
5271    }
5272
5273    /* count compression methods */
5274    numCompressionMethods = 0;
5275    for (i = 0; i < compressionMethodsCount; i++) {
5276	if (compressionEnabled(ss, compressions[i]))
5277	    numCompressionMethods++;
5278    }
5279
5280    length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH +
5281	1 + ((sid == NULL) ? 0 : sid->u.ssl3.sessionIDLength) +
5282	2 + num_suites*sizeof(ssl3CipherSuite) +
5283	1 + numCompressionMethods + total_exten_len;
5284    if (IS_DTLS(ss)) {
5285	length += 1 + ss->ssl3.hs.cookieLen;
5286    }
5287
5288    /* A padding extension may be included to ensure that the record containing
5289     * the ClientHello doesn't have a length between 256 and 511 bytes
5290     * (inclusive). Initial, ClientHello records with such lengths trigger bugs
5291     * in F5 devices.
5292     *
5293     * This is not done for DTLS nor for renegotiation. */
5294    if (!IS_DTLS(ss) && isTLS && !ss->firstHsDone) {
5295        paddingExtensionLen = ssl3_CalculatePaddingExtensionLength(length);
5296        total_exten_len += paddingExtensionLen;
5297        length += paddingExtensionLen;
5298    } else {
5299        paddingExtensionLen = 0;
5300    }
5301
5302    rv = ssl3_AppendHandshakeHeader(ss, client_hello, length);
5303    if (rv != SECSuccess) {
5304	if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5305	return rv;	/* err set by ssl3_AppendHandshake* */
5306    }
5307
5308    if (ss->firstHsDone) {
5309	/* The client hello version must stay unchanged to work around
5310	 * the Windows SChannel bug described above. */
5311	PORT_Assert(ss->version == ss->clientHelloVersion);
5312    }
5313    ss->clientHelloVersion = ss->version;
5314    if (IS_DTLS(ss)) {
5315	PRUint16 version;
5316
5317	version = dtls_TLSVersionToDTLSVersion(ss->clientHelloVersion);
5318	rv = ssl3_AppendHandshakeNumber(ss, version, 2);
5319    } else {
5320	rv = ssl3_AppendHandshakeNumber(ss, ss->clientHelloVersion, 2);
5321    }
5322    if (rv != SECSuccess) {
5323	if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5324	return rv;	/* err set by ssl3_AppendHandshake* */
5325    }
5326
5327    if (!resending) { /* Don't re-generate if we are in DTLS re-sending mode */
5328	rv = ssl3_GetNewRandom(&ss->ssl3.hs.client_random);
5329	if (rv != SECSuccess) {
5330	    if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5331	    return rv;	/* err set by GetNewRandom. */
5332	}
5333    }
5334    rv = ssl3_AppendHandshake(ss, &ss->ssl3.hs.client_random,
5335                              SSL3_RANDOM_LENGTH);
5336    if (rv != SECSuccess) {
5337	if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5338	return rv;	/* err set by ssl3_AppendHandshake* */
5339    }
5340
5341    if (sid)
5342	rv = ssl3_AppendHandshakeVariable(
5343	    ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1);
5344    else
5345	rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
5346    if (rv != SECSuccess) {
5347	if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5348	return rv;	/* err set by ssl3_AppendHandshake* */
5349    }
5350
5351    if (IS_DTLS(ss)) {
5352	rv = ssl3_AppendHandshakeVariable(
5353	    ss, ss->ssl3.hs.cookie, ss->ssl3.hs.cookieLen, 1);
5354	if (rv != SECSuccess) {
5355	    if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5356	    return rv;	/* err set by ssl3_AppendHandshake* */
5357	}
5358    }
5359
5360    rv = ssl3_AppendHandshakeNumber(ss, num_suites*sizeof(ssl3CipherSuite), 2);
5361    if (rv != SECSuccess) {
5362	if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5363	return rv;	/* err set by ssl3_AppendHandshake* */
5364    }
5365
5366    if (ss->ssl3.hs.sendingSCSV) {
5367	/* Add the actual SCSV */
5368	rv = ssl3_AppendHandshakeNumber(ss, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
5369					sizeof(ssl3CipherSuite));
5370	if (rv != SECSuccess) {
5371	    if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5372	    return rv;	/* err set by ssl3_AppendHandshake* */
5373	}
5374	actual_count++;
5375    }
5376    if (fallbackSCSV) {
5377	rv = ssl3_AppendHandshakeNumber(ss, TLS_FALLBACK_SCSV,
5378					sizeof(ssl3CipherSuite));
5379	if (rv != SECSuccess) {
5380	    if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5381	    return rv;	/* err set by ssl3_AppendHandshake* */
5382	}
5383	actual_count++;
5384    }
5385    for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
5386	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
5387	if (config_match(suite, ss->ssl3.policy, PR_TRUE, &ss->vrange)) {
5388	    actual_count++;
5389	    if (actual_count > num_suites) {
5390		if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5391		/* set error card removal/insertion error */
5392		PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
5393		return SECFailure;
5394	    }
5395	    rv = ssl3_AppendHandshakeNumber(ss, suite->cipher_suite,
5396					    sizeof(ssl3CipherSuite));
5397	    if (rv != SECSuccess) {
5398		if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5399		return rv;	/* err set by ssl3_AppendHandshake* */
5400	    }
5401	}
5402    }
5403
5404    /* if cards were removed or inserted between count_cipher_suites and
5405     * generating our list, detect the error here rather than send it off to
5406     * the server.. */
5407    if (actual_count != num_suites) {
5408	/* Card removal/insertion error */
5409	if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5410	PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
5411	return SECFailure;
5412    }
5413
5414    rv = ssl3_AppendHandshakeNumber(ss, numCompressionMethods, 1);
5415    if (rv != SECSuccess) {
5416	if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5417	return rv;	/* err set by ssl3_AppendHandshake* */
5418    }
5419    for (i = 0; i < compressionMethodsCount; i++) {
5420	if (!compressionEnabled(ss, compressions[i]))
5421	    continue;
5422	rv = ssl3_AppendHandshakeNumber(ss, compressions[i], 1);
5423	if (rv != SECSuccess) {
5424	    if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5425	    return rv;	/* err set by ssl3_AppendHandshake* */
5426	}
5427    }
5428
5429    if (total_exten_len) {
5430	PRUint32 maxBytes = total_exten_len - 2;
5431	PRInt32  extLen;
5432
5433	rv = ssl3_AppendHandshakeNumber(ss, maxBytes, 2);
5434	if (rv != SECSuccess) {
5435	    if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5436	    return rv;	/* err set by AppendHandshake. */
5437	}
5438
5439	extLen = ssl3_CallHelloExtensionSenders(ss, PR_TRUE, maxBytes, NULL);
5440	if (extLen < 0) {
5441	    if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5442	    return SECFailure;
5443	}
5444	maxBytes -= extLen;
5445
5446	extLen = ssl3_AppendPaddingExtension(ss, paddingExtensionLen, maxBytes);
5447	if (extLen < 0) {
5448	    if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5449	    return SECFailure;
5450	}
5451	maxBytes -= extLen;
5452
5453	PORT_Assert(!maxBytes);
5454    }
5455
5456    if (sid->u.ssl3.lock) {
5457        NSSRWLock_UnlockRead(sid->u.ssl3.lock);
5458    }
5459
5460    if (ss->xtnData.sentSessionTicketInClientHello) {
5461        SSL_AtomicIncrementLong(&ssl3stats.sch_sid_stateless_resumes);
5462    }
5463
5464    if (ss->ssl3.hs.sendingSCSV) {
5465	/* Since we sent the SCSV, pretend we sent empty RI extension. */
5466	TLSExtensionData *xtnData = &ss->xtnData;
5467	xtnData->advertised[xtnData->numAdvertised++] =
5468	    ssl_renegotiation_info_xtn;
5469    }
5470
5471    flags = 0;
5472    if (!ss->firstHsDone && !IS_DTLS(ss)) {
5473	flags |= ssl_SEND_FLAG_CAP_RECORD_VERSION;
5474    }
5475    rv = ssl3_FlushHandshake(ss, flags);
5476    if (rv != SECSuccess) {
5477	return rv;	/* error code set by ssl3_FlushHandshake */
5478    }
5479
5480    ss->ssl3.hs.ws = wait_server_hello;
5481    return rv;
5482}
5483
5484
5485/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
5486 * ssl3 Hello Request.
5487 * Caller must hold Handshake and RecvBuf locks.
5488 */
5489static SECStatus
5490ssl3_HandleHelloRequest(sslSocket *ss)
5491{
5492    sslSessionID *sid = ss->sec.ci.sid;
5493    SECStatus     rv;
5494
5495    SSL_TRC(3, ("%d: SSL3[%d]: handle hello_request handshake",
5496		SSL_GETPID(), ss->fd));
5497
5498    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
5499    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
5500
5501    if (ss->ssl3.hs.ws == wait_server_hello)
5502	return SECSuccess;
5503    if (ss->ssl3.hs.ws != idle_handshake || ss->sec.isServer) {
5504	(void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
5505	PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST);
5506	return SECFailure;
5507    }
5508    if (ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) {
5509	ssl_GetXmitBufLock(ss);
5510	rv = SSL3_SendAlert(ss, alert_warning, no_renegotiation);
5511	ssl_ReleaseXmitBufLock(ss);
5512	PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED);
5513	return SECFailure;
5514    }
5515
5516    if (sid) {
5517	if (ss->sec.uncache)
5518            ss->sec.uncache(sid);
5519	ssl_FreeSID(sid);
5520	ss->sec.ci.sid = NULL;
5521    }
5522
5523    if (IS_DTLS(ss)) {
5524	dtls_RehandshakeCleanup(ss);
5525    }
5526
5527    ssl_GetXmitBufLock(ss);
5528    rv = ssl3_SendClientHello(ss, PR_FALSE);
5529    ssl_ReleaseXmitBufLock(ss);
5530
5531    return rv;
5532}
5533
5534#define UNKNOWN_WRAP_MECHANISM 0x7fffffff
5535
5536static const CK_MECHANISM_TYPE wrapMechanismList[SSL_NUM_WRAP_MECHS] = {
5537    CKM_DES3_ECB,
5538    CKM_CAST5_ECB,
5539    CKM_DES_ECB,
5540    CKM_KEY_WRAP_LYNKS,
5541    CKM_IDEA_ECB,
5542    CKM_CAST3_ECB,
5543    CKM_CAST_ECB,
5544    CKM_RC5_ECB,
5545    CKM_RC2_ECB,
5546    CKM_CDMF_ECB,
5547    CKM_SKIPJACK_WRAP,
5548    CKM_SKIPJACK_CBC64,
5549    CKM_AES_ECB,
5550    CKM_CAMELLIA_ECB,
5551    CKM_SEED_ECB,
5552    UNKNOWN_WRAP_MECHANISM
5553};
5554
5555static int
5556ssl_FindIndexByWrapMechanism(CK_MECHANISM_TYPE mech)
5557{
5558    const CK_MECHANISM_TYPE *pMech = wrapMechanismList;
5559
5560    while (mech != *pMech && *pMech != UNKNOWN_WRAP_MECHANISM) {
5561    	++pMech;
5562    }
5563    return (*pMech == UNKNOWN_WRAP_MECHANISM) ? -1
5564                                              : (pMech - wrapMechanismList);
5565}
5566
5567static PK11SymKey *
5568ssl_UnwrapSymWrappingKey(
5569	SSLWrappedSymWrappingKey *pWswk,
5570	SECKEYPrivateKey *        svrPrivKey,
5571	SSL3KEAType               exchKeyType,
5572	CK_MECHANISM_TYPE         masterWrapMech,
5573	void *                    pwArg)
5574{
5575    PK11SymKey *             unwrappedWrappingKey  = NULL;
5576    SECItem                  wrappedKey;
5577#ifdef NSS_ENABLE_ECC
5578    PK11SymKey *             Ks;
5579    SECKEYPublicKey          pubWrapKey;
5580    ECCWrappedKeyInfo        *ecWrapped;
5581#endif /* NSS_ENABLE_ECC */
5582
5583    /* found the wrapping key on disk. */
5584    PORT_Assert(pWswk->symWrapMechanism == masterWrapMech);
5585    PORT_Assert(pWswk->exchKeyType      == exchKeyType);
5586    if (pWswk->symWrapMechanism != masterWrapMech ||
5587	pWswk->exchKeyType      != exchKeyType) {
5588	goto loser;
5589    }
5590    wrappedKey.type = siBuffer;
5591    wrappedKey.data = pWswk->wrappedSymmetricWrappingkey;
5592    wrappedKey.len  = pWswk->wrappedSymKeyLen;
5593    PORT_Assert(wrappedKey.len <= sizeof pWswk->wrappedSymmetricWrappingkey);
5594
5595    switch (exchKeyType) {
5596
5597    case kt_rsa:
5598	unwrappedWrappingKey =
5599	    PK11_PubUnwrapSymKey(svrPrivKey, &wrappedKey,
5600				 masterWrapMech, CKA_UNWRAP, 0);
5601	break;
5602
5603#ifdef NSS_ENABLE_ECC
5604    case kt_ecdh:
5605        /*
5606         * For kt_ecdh, we first create an EC public key based on
5607         * data stored with the wrappedSymmetricWrappingkey. Next,
5608         * we do an ECDH computation involving this public key and
5609         * the SSL server's (long-term) EC private key. The resulting
5610         * shared secret is treated the same way as Fortezza's Ks, i.e.,
5611         * it is used to recover the symmetric wrapping key.
5612         *
5613         * The data in wrappedSymmetricWrappingkey is laid out as defined
5614         * in the ECCWrappedKeyInfo structure.
5615         */
5616        ecWrapped = (ECCWrappedKeyInfo *) pWswk->wrappedSymmetricWrappingkey;
5617
5618        PORT_Assert(ecWrapped->encodedParamLen + ecWrapped->pubValueLen +
5619            ecWrapped->wrappedKeyLen <= MAX_EC_WRAPPED_KEY_BUFLEN);
5620
5621        if (ecWrapped->encodedParamLen + ecWrapped->pubValueLen +
5622            ecWrapped->wrappedKeyLen > MAX_EC_WRAPPED_KEY_BUFLEN) {
5623            PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
5624            goto loser;
5625        }
5626
5627        pubWrapKey.keyType = ecKey;
5628        pubWrapKey.u.ec.size = ecWrapped->size;
5629        pubWrapKey.u.ec.DEREncodedParams.len = ecWrapped->encodedParamLen;
5630        pubWrapKey.u.ec.DEREncodedParams.data = ecWrapped->var;
5631        pubWrapKey.u.ec.publicValue.len = ecWrapped->pubValueLen;
5632        pubWrapKey.u.ec.publicValue.data = ecWrapped->var +
5633            ecWrapped->encodedParamLen;
5634
5635        wrappedKey.len  = ecWrapped->wrappedKeyLen;
5636        wrappedKey.data = ecWrapped->var + ecWrapped->encodedParamLen +
5637            ecWrapped->pubValueLen;
5638
5639        /* Derive Ks using ECDH */
5640        Ks = PK11_PubDeriveWithKDF(svrPrivKey, &pubWrapKey, PR_FALSE, NULL,
5641				   NULL, CKM_ECDH1_DERIVE, masterWrapMech,
5642				   CKA_DERIVE, 0, CKD_NULL, NULL, NULL);
5643        if (Ks == NULL) {
5644            goto loser;
5645        }
5646
5647        /*  Use Ks to unwrap the wrapping key */
5648        unwrappedWrappingKey = PK11_UnwrapSymKey(Ks, masterWrapMech, NULL,
5649						 &wrappedKey, masterWrapMech,
5650						 CKA_UNWRAP, 0);
5651        PK11_FreeSymKey(Ks);
5652
5653        break;
5654#endif
5655
5656    default:
5657	/* Assert? */
5658	SET_ERROR_CODE
5659	goto loser;
5660    }
5661loser:
5662    return unwrappedWrappingKey;
5663}
5664
5665/* Each process sharing the server session ID cache has its own array of
5666 * SymKey pointers for the symmetric wrapping keys that are used to wrap
5667 * the master secrets.  There is one key for each KEA type.  These Symkeys
5668 * correspond to the wrapped SymKeys kept in the server session cache.
5669 */
5670
5671typedef struct {
5672    PK11SymKey *      symWrapKey[kt_kea_size];
5673} ssl3SymWrapKey;
5674
5675static PZLock *          symWrapKeysLock = NULL;
5676static ssl3SymWrapKey    symWrapKeys[SSL_NUM_WRAP_MECHS];
5677
5678SECStatus ssl_FreeSymWrapKeysLock(void)
5679{
5680    if (symWrapKeysLock) {
5681        PZ_DestroyLock(symWrapKeysLock);
5682        symWrapKeysLock = NULL;
5683        return SECSuccess;
5684    }
5685    PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
5686    return SECFailure;
5687}
5688
5689SECStatus
5690SSL3_ShutdownServerCache(void)
5691{
5692    int             i, j;
5693
5694    if (!symWrapKeysLock)
5695    	return SECSuccess;	/* lock was never initialized */
5696    PZ_Lock(symWrapKeysLock);
5697    /* get rid of all symWrapKeys */
5698    for (i = 0; i < SSL_NUM_WRAP_MECHS; ++i) {
5699    	for (j = 0; j < kt_kea_size; ++j) {
5700	    PK11SymKey **   pSymWrapKey;
5701	    pSymWrapKey = &symWrapKeys[i].symWrapKey[j];
5702	    if (*pSymWrapKey) {
5703		PK11_FreeSymKey(*pSymWrapKey);
5704	    	*pSymWrapKey = NULL;
5705	    }
5706	}
5707    }
5708
5709    PZ_Unlock(symWrapKeysLock);
5710    return SECSuccess;
5711}
5712
5713SECStatus ssl_InitSymWrapKeysLock(void)
5714{
5715    symWrapKeysLock = PZ_NewLock(nssILockOther);
5716    return symWrapKeysLock ? SECSuccess : SECFailure;
5717}
5718
5719/* Try to get wrapping key for mechanism from in-memory array.
5720 * If that fails, look for one on disk.
5721 * If that fails, generate a new one, put the new one on disk,
5722 * Put the new key in the in-memory array.
5723 */
5724static PK11SymKey *
5725getWrappingKey( sslSocket *       ss,
5726		PK11SlotInfo *    masterSecretSlot,
5727		SSL3KEAType       exchKeyType,
5728                CK_MECHANISM_TYPE masterWrapMech,
5729	        void *            pwArg)
5730{
5731    SECKEYPrivateKey *       svrPrivKey;
5732    SECKEYPublicKey *        svrPubKey             = NULL;
5733    PK11SymKey *             unwrappedWrappingKey  = NULL;
5734    PK11SymKey **            pSymWrapKey;
5735    CK_MECHANISM_TYPE        asymWrapMechanism = CKM_INVALID_MECHANISM;
5736    int                      length;
5737    int                      symWrapMechIndex;
5738    SECStatus                rv;
5739    SECItem                  wrappedKey;
5740    SSLWrappedSymWrappingKey wswk;
5741#ifdef NSS_ENABLE_ECC
5742    PK11SymKey *      Ks = NULL;
5743    SECKEYPublicKey   *pubWrapKey = NULL;
5744    SECKEYPrivateKey  *privWrapKey = NULL;
5745    ECCWrappedKeyInfo *ecWrapped;
5746#endif /* NSS_ENABLE_ECC */
5747
5748    svrPrivKey  = ss->serverCerts[exchKeyType].SERVERKEY;
5749    PORT_Assert(svrPrivKey != NULL);
5750    if (!svrPrivKey) {
5751    	return NULL;	/* why are we here?!? */
5752    }
5753
5754    symWrapMechIndex = ssl_FindIndexByWrapMechanism(masterWrapMech);
5755    PORT_Assert(symWrapMechIndex >= 0);
5756    if (symWrapMechIndex < 0)
5757    	return NULL;	/* invalid masterWrapMech. */
5758
5759    pSymWrapKey = &symWrapKeys[symWrapMechIndex].symWrapKey[exchKeyType];
5760
5761    ssl_InitSessionCacheLocks();
5762
5763    PZ_Lock(symWrapKeysLock);
5764
5765    unwrappedWrappingKey = *pSymWrapKey;
5766    if (unwrappedWrappingKey != NULL) {
5767	if (PK11_VerifyKeyOK(unwrappedWrappingKey)) {
5768	    unwrappedWrappingKey = PK11_ReferenceSymKey(unwrappedWrappingKey);
5769	    goto done;
5770	}
5771	/* slot series has changed, so this key is no good any more. */
5772	PK11_FreeSymKey(unwrappedWrappingKey);
5773	*pSymWrapKey = unwrappedWrappingKey = NULL;
5774    }
5775
5776    /* Try to get wrapped SymWrapping key out of the (disk) cache. */
5777    /* Following call fills in wswk on success. */
5778    if (ssl_GetWrappingKey(symWrapMechIndex, exchKeyType, &wswk)) {
5779    	/* found the wrapped sym wrapping key on disk. */
5780	unwrappedWrappingKey =
5781	    ssl_UnwrapSymWrappingKey(&wswk, svrPrivKey, exchKeyType,
5782                                     masterWrapMech, pwArg);
5783	if (unwrappedWrappingKey) {
5784	    goto install;
5785	}
5786    }
5787
5788    if (!masterSecretSlot) 	/* caller doesn't want to create a new one. */
5789    	goto loser;
5790
5791    length = PK11_GetBestKeyLength(masterSecretSlot, masterWrapMech);
5792    /* Zero length means fixed key length algorithm, or error.
5793     * It's ambiguous.
5794     */
5795    unwrappedWrappingKey = PK11_KeyGen(masterSecretSlot, masterWrapMech, NULL,
5796                                       length, pwArg);
5797    if (!unwrappedWrappingKey) {
5798    	goto loser;
5799    }
5800
5801    /* Prepare the buffer to receive the wrappedWrappingKey,
5802     * the symmetric wrapping key wrapped using the server's pub key.
5803     */
5804    PORT_Memset(&wswk, 0, sizeof wswk);	/* eliminate UMRs. */
5805
5806    if (ss->serverCerts[exchKeyType].serverKeyPair) {
5807	svrPubKey = ss->serverCerts[exchKeyType].serverKeyPair->pubKey;
5808    }
5809    if (svrPubKey == NULL) {
5810	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
5811	goto loser;
5812    }
5813    wrappedKey.type = siBuffer;
5814    wrappedKey.len  = SECKEY_PublicKeyStrength(svrPubKey);
5815    wrappedKey.data = wswk.wrappedSymmetricWrappingkey;
5816
5817    PORT_Assert(wrappedKey.len <= sizeof wswk.wrappedSymmetricWrappingkey);
5818    if (wrappedKey.len > sizeof wswk.wrappedSymmetricWrappingkey)
5819    	goto loser;
5820
5821    /* wrap symmetric wrapping key in server's public key. */
5822    switch (exchKeyType) {
5823    case kt_rsa:
5824	asymWrapMechanism = CKM_RSA_PKCS;
5825	rv = PK11_PubWrapSymKey(asymWrapMechanism, svrPubKey,
5826	                        unwrappedWrappingKey, &wrappedKey);
5827	break;
5828
5829#ifdef NSS_ENABLE_ECC
5830    case kt_ecdh:
5831	/*
5832	 * We generate an ephemeral EC key pair. Perform an ECDH
5833	 * computation involving this ephemeral EC public key and
5834	 * the SSL server's (long-term) EC private key. The resulting
5835	 * shared secret is treated in the same way as Fortezza's Ks,
5836	 * i.e., it is used to wrap the wrapping key. To facilitate
5837	 * unwrapping in ssl_UnwrapWrappingKey, we also store all
5838	 * relevant info about the ephemeral EC public key in
5839	 * wswk.wrappedSymmetricWrappingkey and lay it out as
5840	 * described in the ECCWrappedKeyInfo structure.
5841	 */
5842	PORT_Assert(svrPubKey->keyType == ecKey);
5843	if (svrPubKey->keyType != ecKey) {
5844	    /* something is wrong in sslsecur.c if this isn't an ecKey */
5845	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
5846	    rv = SECFailure;
5847	    goto ec_cleanup;
5848	}
5849
5850	privWrapKey = SECKEY_CreateECPrivateKey(
5851	    &svrPubKey->u.ec.DEREncodedParams, &pubWrapKey, NULL);
5852	if ((privWrapKey == NULL) || (pubWrapKey == NULL)) {
5853	    rv = SECFailure;
5854	    goto ec_cleanup;
5855	}
5856
5857	/* Set the key size in bits */
5858	if (pubWrapKey->u.ec.size == 0) {
5859	    pubWrapKey->u.ec.size = SECKEY_PublicKeyStrengthInBits(svrPubKey);
5860	}
5861
5862	PORT_Assert(pubWrapKey->u.ec.DEREncodedParams.len +
5863	    pubWrapKey->u.ec.publicValue.len < MAX_EC_WRAPPED_KEY_BUFLEN);
5864	if (pubWrapKey->u.ec.DEREncodedParams.len +
5865	    pubWrapKey->u.ec.publicValue.len >= MAX_EC_WRAPPED_KEY_BUFLEN) {
5866	    PORT_SetError(SEC_ERROR_INVALID_KEY);
5867	    rv = SECFailure;
5868	    goto ec_cleanup;
5869	}
5870
5871	/* Derive Ks using ECDH */
5872	Ks = PK11_PubDeriveWithKDF(svrPrivKey, pubWrapKey, PR_FALSE, NULL,
5873				   NULL, CKM_ECDH1_DERIVE, masterWrapMech,
5874				   CKA_DERIVE, 0, CKD_NULL, NULL, NULL);
5875	if (Ks == NULL) {
5876	    rv = SECFailure;
5877	    goto ec_cleanup;
5878	}
5879
5880	ecWrapped = (ECCWrappedKeyInfo *) (wswk.wrappedSymmetricWrappingkey);
5881	ecWrapped->size = pubWrapKey->u.ec.size;
5882	ecWrapped->encodedParamLen = pubWrapKey->u.ec.DEREncodedParams.len;
5883	PORT_Memcpy(ecWrapped->var, pubWrapKey->u.ec.DEREncodedParams.data,
5884	    pubWrapKey->u.ec.DEREncodedParams.len);
5885
5886	ecWrapped->pubValueLen = pubWrapKey->u.ec.publicValue.len;
5887	PORT_Memcpy(ecWrapped->var + ecWrapped->encodedParamLen,
5888		    pubWrapKey->u.ec.publicValue.data,
5889		    pubWrapKey->u.ec.publicValue.len);
5890
5891	wrappedKey.len = MAX_EC_WRAPPED_KEY_BUFLEN -
5892	    (ecWrapped->encodedParamLen + ecWrapped->pubValueLen);
5893	wrappedKey.data = ecWrapped->var + ecWrapped->encodedParamLen +
5894	    ecWrapped->pubValueLen;
5895
5896	/* wrap symmetricWrapping key with the local Ks */
5897	rv = PK11_WrapSymKey(masterWrapMech, NULL, Ks,
5898			     unwrappedWrappingKey, &wrappedKey);
5899
5900	if (rv != SECSuccess) {
5901	    goto ec_cleanup;
5902	}
5903
5904	/* Write down the length of wrapped key in the buffer
5905	 * wswk.wrappedSymmetricWrappingkey at the appropriate offset
5906	 */
5907	ecWrapped->wrappedKeyLen = wrappedKey.len;
5908
5909ec_cleanup:
5910	if (privWrapKey) SECKEY_DestroyPrivateKey(privWrapKey);
5911	if (pubWrapKey) SECKEY_DestroyPublicKey(pubWrapKey);
5912	if (Ks) PK11_FreeSymKey(Ks);
5913	asymWrapMechanism = masterWrapMech;
5914	break;
5915#endif /* NSS_ENABLE_ECC */
5916
5917    default:
5918	rv = SECFailure;
5919	break;
5920    }
5921
5922    if (rv != SECSuccess) {
5923	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
5924	goto loser;
5925    }
5926
5927    PORT_Assert(asymWrapMechanism != CKM_INVALID_MECHANISM);
5928
5929    wswk.symWrapMechanism  = masterWrapMech;
5930    wswk.symWrapMechIndex  = symWrapMechIndex;
5931    wswk.asymWrapMechanism = asymWrapMechanism;
5932    wswk.exchKeyType       = exchKeyType;
5933    wswk.wrappedSymKeyLen  = wrappedKey.len;
5934
5935    /* put it on disk. */
5936    /* If the wrapping key for this KEA type has already been set,
5937     * then abandon the value we just computed and
5938     * use the one we got from the disk.
5939     */
5940    if (ssl_SetWrappingKey(&wswk)) {
5941    	/* somebody beat us to it.  The original contents of our wswk
5942	 * has been replaced with the content on disk.  Now, discard
5943	 * the key we just created and unwrap this new one.
5944	 */
5945    	PK11_FreeSymKey(unwrappedWrappingKey);
5946
5947	unwrappedWrappingKey =
5948	    ssl_UnwrapSymWrappingKey(&wswk, svrPrivKey, exchKeyType,
5949                                     masterWrapMech, pwArg);
5950    }
5951
5952install:
5953    if (unwrappedWrappingKey) {
5954	*pSymWrapKey = PK11_ReferenceSymKey(unwrappedWrappingKey);
5955    }
5956
5957loser:
5958done:
5959    PZ_Unlock(symWrapKeysLock);
5960    return unwrappedWrappingKey;
5961}
5962
5963/* hexEncode hex encodes |length| bytes from |in| and writes it as |length*2|
5964 * bytes to |out|. */
5965static void
5966hexEncode(char *out, const unsigned char *in, unsigned int length)
5967{
5968    static const char hextable[] = "0123456789abcdef";
5969    unsigned int i;
5970
5971    for (i = 0; i < length; i++) {
5972	*(out++) = hextable[in[i] >> 4];
5973	*(out++) = hextable[in[i] & 15];
5974    }
5975}
5976
5977/* Called from ssl3_SendClientKeyExchange(). */
5978/* Presently, this always uses PKCS11.  There is no bypass for this. */
5979static SECStatus
5980sendRSAClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
5981{
5982    PK11SymKey *	pms 		= NULL;
5983    SECStatus           rv    		= SECFailure;
5984    SECItem 		enc_pms 	= {siBuffer, NULL, 0};
5985    PRBool              isTLS;
5986
5987    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
5988    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
5989
5990    /* Generate the pre-master secret ...  */
5991    ssl_GetSpecWriteLock(ss);
5992    isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
5993
5994    pms = ssl3_GenerateRSAPMS(ss, ss->ssl3.pwSpec, NULL);
5995    ssl_ReleaseSpecWriteLock(ss);
5996    if (pms == NULL) {
5997	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
5998	goto loser;
5999    }
6000
6001    /* Get the wrapped (encrypted) pre-master secret, enc_pms */
6002    enc_pms.len  = SECKEY_PublicKeyStrength(svrPubKey);
6003    enc_pms.data = (unsigned char*)PORT_Alloc(enc_pms.len);
6004    if (enc_pms.data == NULL) {
6005	goto loser;	/* err set by PORT_Alloc */
6006    }
6007
6008    /* wrap pre-master secret in server's public key. */
6009    rv = PK11_PubWrapSymKey(CKM_RSA_PKCS, svrPubKey, pms, &enc_pms);
6010    if (rv != SECSuccess) {
6011	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
6012	goto loser;
6013    }
6014
6015    if (ssl_keylog_iob) {
6016	SECStatus extractRV = PK11_ExtractKeyValue(pms);
6017	if (extractRV == SECSuccess) {
6018	    SECItem * keyData = PK11_GetKeyData(pms);
6019	    if (keyData && keyData->data && keyData->len) {
6020#ifdef TRACE
6021		if (ssl_trace >= 100) {
6022		    ssl_PrintBuf(ss, "Pre-Master Secret",
6023				 keyData->data, keyData->len);
6024		}
6025#endif
6026		if (ssl_keylog_iob && enc_pms.len >= 8 && keyData->len == 48) {
6027		    /* https://developer.mozilla.org/en/NSS_Key_Log_Format */
6028
6029		    /* There could be multiple, concurrent writers to the
6030		     * keylog, so we have to do everything in a single call to
6031		     * fwrite. */
6032		    char buf[4 + 8*2 + 1 + 48*2 + 1];
6033
6034		    strcpy(buf, "RSA ");
6035		    hexEncode(buf + 4, enc_pms.data, 8);
6036		    buf[20] = ' ';
6037		    hexEncode(buf + 21, keyData->data, 48);
6038		    buf[sizeof(buf) - 1] = '\n';
6039
6040		    fwrite(buf, sizeof(buf), 1, ssl_keylog_iob);
6041		    fflush(ssl_keylog_iob);
6042		}
6043	    }
6044	}
6045    }
6046
6047    rv = ssl3_InitPendingCipherSpec(ss,  pms);
6048    PK11_FreeSymKey(pms); pms = NULL;
6049
6050    if (rv != SECSuccess) {
6051	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
6052	goto loser;
6053    }
6054
6055    rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange,
6056				    isTLS ? enc_pms.len + 2 : enc_pms.len);
6057    if (rv != SECSuccess) {
6058	goto loser;	/* err set by ssl3_AppendHandshake* */
6059    }
6060    if (isTLS) {
6061    	rv = ssl3_AppendHandshakeVariable(ss, enc_pms.data, enc_pms.len, 2);
6062    } else {
6063	rv = ssl3_AppendHandshake(ss, enc_pms.data, enc_pms.len);
6064    }
6065    if (rv != SECSuccess) {
6066	goto loser;	/* err set by ssl3_AppendHandshake* */
6067    }
6068
6069    rv = SECSuccess;
6070
6071loser:
6072    if (enc_pms.data != NULL) {
6073	PORT_Free(enc_pms.data);
6074    }
6075    if (pms != NULL) {
6076    	PK11_FreeSymKey(pms);
6077    }
6078    return rv;
6079}
6080
6081/* Called from ssl3_SendClientKeyExchange(). */
6082/* Presently, this always uses PKCS11.  There is no bypass for this. */
6083static SECStatus
6084sendDHClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
6085{
6086    PK11SymKey *	pms 		= NULL;
6087    SECStatus           rv    		= SECFailure;
6088    PRBool              isTLS;
6089    CK_MECHANISM_TYPE	target;
6090
6091    SECKEYDHParams	dhParam;		/* DH parameters */
6092    SECKEYPublicKey	*pubKey = NULL;		/* Ephemeral DH key */
6093    SECKEYPrivateKey	*privKey = NULL;	/* Ephemeral DH key */
6094
6095    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
6096    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
6097
6098    isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
6099
6100    /* Copy DH parameters from server key */
6101
6102    if (svrPubKey->keyType != dhKey) {
6103	PORT_SetError(SEC_ERROR_BAD_KEY);
6104	goto loser;
6105    }
6106    dhParam.prime.data = svrPubKey->u.dh.prime.data;
6107    dhParam.prime.len = svrPubKey->u.dh.prime.len;
6108    dhParam.base.data = svrPubKey->u.dh.base.data;
6109    dhParam.base.len = svrPubKey->u.dh.base.len;
6110
6111    /* Generate ephemeral DH keypair */
6112    privKey = SECKEY_CreateDHPrivateKey(&dhParam, &pubKey, NULL);
6113    if (!privKey || !pubKey) {
6114	    ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
6115	    rv = SECFailure;
6116	    goto loser;
6117    }
6118    PRINT_BUF(50, (ss, "DH public value:",
6119					pubKey->u.dh.publicValue.data,
6120					pubKey->u.dh.publicValue.len));
6121
6122    if (isTLS) target = CKM_TLS_MASTER_KEY_DERIVE_DH;
6123    else target = CKM_SSL3_MASTER_KEY_DERIVE_DH;
6124
6125    /* Determine the PMS */
6126
6127    pms = PK11_PubDerive(privKey, svrPubKey, PR_FALSE, NULL, NULL,
6128			    CKM_DH_PKCS_DERIVE, target, CKA_DERIVE, 0, NULL);
6129
6130    if (pms == NULL) {
6131	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
6132	goto loser;
6133    }
6134
6135    SECKEY_DestroyPrivateKey(privKey);
6136    privKey = NULL;
6137
6138    rv = ssl3_InitPendingCipherSpec(ss,  pms);
6139    PK11_FreeSymKey(pms); pms = NULL;
6140
6141    if (rv != SECSuccess) {
6142	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
6143	goto loser;
6144    }
6145
6146    rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange,
6147					pubKey->u.dh.publicValue.len + 2);
6148    if (rv != SECSuccess) {
6149	goto loser;	/* err set by ssl3_AppendHandshake* */
6150    }
6151    rv = ssl3_AppendHandshakeVariable(ss,
6152					pubKey->u.dh.publicValue.data,
6153					pubKey->u.dh.publicValue.len, 2);
6154    SECKEY_DestroyPublicKey(pubKey);
6155    pubKey = NULL;
6156
6157    if (rv != SECSuccess) {
6158	goto loser;	/* err set by ssl3_AppendHandshake* */
6159    }
6160
6161    rv = SECSuccess;
6162
6163
6164loser:
6165
6166    if(pms) PK11_FreeSymKey(pms);
6167    if(privKey) SECKEY_DestroyPrivateKey(privKey);
6168    if(pubKey) SECKEY_DestroyPublicKey(pubKey);
6169    return rv;
6170}
6171
6172
6173
6174
6175
6176/* Called from ssl3_HandleServerHelloDone(). */
6177static SECStatus
6178ssl3_SendClientKeyExchange(sslSocket *ss)
6179{
6180    SECKEYPublicKey *	serverKey 	= NULL;
6181    SECStatus 		rv 		= SECFailure;
6182    PRBool              isTLS;
6183
6184    SSL_TRC(3, ("%d: SSL3[%d]: send client_key_exchange handshake",
6185		SSL_GETPID(), ss->fd));
6186
6187    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
6188    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
6189
6190    if (ss->sec.peerKey == NULL) {
6191	serverKey = CERT_ExtractPublicKey(ss->sec.peerCert);
6192	if (serverKey == NULL) {
6193	    ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
6194	    return SECFailure;
6195	}
6196    } else {
6197	serverKey = ss->sec.peerKey;
6198	ss->sec.peerKey = NULL; /* we're done with it now */
6199    }
6200
6201    isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
6202    /* enforce limits on kea key sizes. */
6203    if (ss->ssl3.hs.kea_def->is_limited) {
6204	int keyLen = SECKEY_PublicKeyStrength(serverKey);	/* bytes */
6205
6206	if (keyLen * BPB > ss->ssl3.hs.kea_def->key_size_limit) {
6207	    if (isTLS)
6208		(void)SSL3_SendAlert(ss, alert_fatal, export_restriction);
6209	    else
6210		(void)ssl3_HandshakeFailure(ss);
6211	    PORT_SetError(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED);
6212	    goto loser;
6213	}
6214    }
6215
6216    ss->sec.keaType    = ss->ssl3.hs.kea_def->exchKeyType;
6217    ss->sec.keaKeyBits = SECKEY_PublicKeyStrengthInBits(serverKey);
6218
6219    switch (ss->ssl3.hs.kea_def->exchKeyType) {
6220    case kt_rsa:
6221	rv = sendRSAClientKeyExchange(ss, serverKey);
6222	break;
6223
6224    case kt_dh:
6225	rv = sendDHClientKeyExchange(ss, serverKey);
6226	break;
6227
6228#ifdef NSS_ENABLE_ECC
6229    case kt_ecdh:
6230	rv = ssl3_SendECDHClientKeyExchange(ss, serverKey);
6231	break;
6232#endif /* NSS_ENABLE_ECC */
6233
6234    default:
6235	/* got an unknown or unsupported Key Exchange Algorithm.  */
6236	SEND_ALERT
6237	PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
6238	break;
6239    }
6240
6241    SSL_TRC(3, ("%d: SSL3[%d]: DONE sending client_key_exchange",
6242		SSL_GETPID(), ss->fd));
6243
6244loser:
6245    if (serverKey)
6246    	SECKEY_DestroyPublicKey(serverKey);
6247    return rv;	/* err code already set. */
6248}
6249
6250/* Called from ssl3_HandleServerHelloDone(). */
6251static SECStatus
6252ssl3_SendCertificateVerify(sslSocket *ss)
6253{
6254    SECStatus     rv		= SECFailure;
6255    PRBool        isTLS;
6256    PRBool        isTLS12;
6257    SECItem       buf           = {siBuffer, NULL, 0};
6258    SSL3Hashes    hashes;
6259    KeyType       keyType;
6260    unsigned int  len;
6261    SSL3SignatureAndHashAlgorithm sigAndHash;
6262
6263    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
6264    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
6265
6266    SSL_TRC(3, ("%d: SSL3[%d]: send certificate_verify handshake",
6267		SSL_GETPID(), ss->fd));
6268
6269    ssl_GetSpecReadLock(ss);
6270    if (ss->ssl3.hs.hashType == handshake_hash_single &&
6271	ss->ssl3.hs.backupHash) {
6272	rv = ssl3_ComputeBackupHandshakeHashes(ss, &hashes);
6273	PORT_Assert(!ss->ssl3.hs.backupHash);
6274    } else {
6275	rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0);
6276    }
6277    ssl_ReleaseSpecReadLock(ss);
6278    if (rv != SECSuccess) {
6279	goto done;	/* err code was set by ssl3_ComputeHandshakeHashes */
6280    }
6281
6282    isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
6283    isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
6284    if (ss->ssl3.platformClientKey) {
6285#ifdef NSS_PLATFORM_CLIENT_AUTH
6286	keyType = CERT_GetCertKeyType(
6287	    &ss->ssl3.clientCertificate->subjectPublicKeyInfo);
6288	rv = ssl3_PlatformSignHashes(
6289	    &hashes, ss->ssl3.platformClientKey, &buf, isTLS, keyType);
6290	ssl_FreePlatformKey(ss->ssl3.platformClientKey);
6291	ss->ssl3.platformClientKey = (PlatformKey)NULL;
6292#endif /* NSS_PLATFORM_CLIENT_AUTH */
6293    } else {
6294	keyType = ss->ssl3.clientPrivateKey->keyType;
6295	rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS);
6296	if (rv == SECSuccess) {
6297	    PK11SlotInfo * slot;
6298	    sslSessionID * sid   = ss->sec.ci.sid;
6299
6300	    /* Remember the info about the slot that did the signing.
6301	    ** Later, when doing an SSL restart handshake, verify this.
6302	    ** These calls are mere accessors, and can't fail.
6303	    */
6304	    slot = PK11_GetSlotFromPrivateKey(ss->ssl3.clientPrivateKey);
6305	    sid->u.ssl3.clAuthSeries     = PK11_GetSlotSeries(slot);
6306	    sid->u.ssl3.clAuthSlotID     = PK11_GetSlotID(slot);
6307	    sid->u.ssl3.clAuthModuleID   = PK11_GetModuleID(slot);
6308	    sid->u.ssl3.clAuthValid      = PR_TRUE;
6309	    PK11_FreeSlot(slot);
6310	}
6311	SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
6312	ss->ssl3.clientPrivateKey = NULL;
6313    }
6314    if (rv != SECSuccess) {
6315	goto done;	/* err code was set by ssl3_SignHashes */
6316    }
6317
6318    len = buf.len + 2 + (isTLS12 ? 2 : 0);
6319
6320    rv = ssl3_AppendHandshakeHeader(ss, certificate_verify, len);
6321    if (rv != SECSuccess) {
6322	goto done;	/* error code set by AppendHandshake */
6323    }
6324    if (isTLS12) {
6325	rv = ssl3_TLSSignatureAlgorithmForKeyType(keyType,
6326						  &sigAndHash.sigAlg);
6327	if (rv != SECSuccess) {
6328	    goto done;
6329	}
6330	sigAndHash.hashAlg = hashes.hashAlg;
6331
6332	rv = ssl3_AppendSignatureAndHashAlgorithm(ss, &sigAndHash);
6333	if (rv != SECSuccess) {
6334	    goto done; 	/* err set by AppendHandshake. */
6335	}
6336    }
6337    rv = ssl3_AppendHandshakeVariable(ss, buf.data, buf.len, 2);
6338    if (rv != SECSuccess) {
6339	goto done;	/* error code set by AppendHandshake */
6340    }
6341
6342done:
6343    if (buf.data)
6344	PORT_Free(buf.data);
6345    return rv;
6346}
6347
6348/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
6349 * ssl3 ServerHello message.
6350 * Caller must hold Handshake and RecvBuf locks.
6351 */
6352static SECStatus
6353ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
6354{
6355    sslSessionID *sid		= ss->sec.ci.sid;
6356    PRInt32       temp;		/* allow for consume number failure */
6357    PRBool        suite_found   = PR_FALSE;
6358    int           i;
6359    int           errCode	= SSL_ERROR_RX_MALFORMED_SERVER_HELLO;
6360    SECStatus     rv;
6361    SECItem       sidBytes 	= {siBuffer, NULL, 0};
6362    PRBool        sid_match;
6363    PRBool        isTLS		= PR_FALSE;
6364    SSL3AlertDescription desc   = illegal_parameter;
6365    SSL3ProtocolVersion version;
6366
6367    SSL_TRC(3, ("%d: SSL3[%d]: handle server_hello handshake",
6368    	SSL_GETPID(), ss->fd));
6369    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
6370    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
6371    PORT_Assert( ss->ssl3.initialized );
6372
6373    if (ss->ssl3.hs.ws != wait_server_hello) {
6374        errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO;
6375	desc    = unexpected_message;
6376	goto alert_loser;
6377    }
6378
6379    /* clean up anything left from previous handshake. */
6380    if (ss->ssl3.clientCertChain != NULL) {
6381       CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
6382       ss->ssl3.clientCertChain = NULL;
6383    }
6384    if (ss->ssl3.clientCertificate != NULL) {
6385       CERT_DestroyCertificate(ss->ssl3.clientCertificate);
6386       ss->ssl3.clientCertificate = NULL;
6387    }
6388    if (ss->ssl3.clientPrivateKey != NULL) {
6389       SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
6390       ss->ssl3.clientPrivateKey = NULL;
6391    }
6392#ifdef NSS_PLATFORM_CLIENT_AUTH
6393    if (ss->ssl3.platformClientKey) {
6394       ssl_FreePlatformKey(ss->ssl3.platformClientKey);
6395       ss->ssl3.platformClientKey = (PlatformKey)NULL;
6396    }
6397#endif  /* NSS_PLATFORM_CLIENT_AUTH */
6398
6399    if (ss->ssl3.channelID != NULL) {
6400	SECKEY_DestroyPrivateKey(ss->ssl3.channelID);
6401	ss->ssl3.channelID = NULL;
6402    }
6403    if (ss->ssl3.channelIDPub != NULL) {
6404	SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
6405	ss->ssl3.channelIDPub = NULL;
6406    }
6407
6408    temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
6409    if (temp < 0) {
6410    	goto loser; 	/* alert has been sent */
6411    }
6412    version = (SSL3ProtocolVersion)temp;
6413
6414    if (IS_DTLS(ss)) {
6415	/* RFC 4347 required that you verify that the server versions
6416	 * match (Section 4.2.1) in the HelloVerifyRequest and the
6417	 * ServerHello.
6418	 *
6419	 * RFC 6347 suggests (SHOULD) that servers always use 1.0
6420	 * in HelloVerifyRequest and allows the versions not to match,
6421	 * especially when 1.2 is being negotiated.
6422	 *
6423	 * Therefore we do not check for matching here.
6424	 */
6425	version = dtls_DTLSVersionToTLSVersion(version);
6426	if (version == 0) {  /* Insane version number */
6427            goto alert_loser;
6428	}
6429    }
6430
6431    rv = ssl3_NegotiateVersion(ss, version, PR_FALSE);
6432    if (rv != SECSuccess) {
6433    	desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version
6434						   : handshake_failure;
6435	errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
6436	goto alert_loser;
6437    }
6438    isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0);
6439
6440    rv = ssl3_InitHandshakeHashes(ss);
6441    if (rv != SECSuccess) {
6442	desc = internal_error;
6443	errCode = PORT_GetError();
6444	goto alert_loser;
6445    }
6446
6447    rv = ssl3_ConsumeHandshake(
6448	ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH, &b, &length);
6449    if (rv != SECSuccess) {
6450    	goto loser; 	/* alert has been sent */
6451    }
6452
6453    rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length);
6454    if (rv != SECSuccess) {
6455    	goto loser; 	/* alert has been sent */
6456    }
6457    if (sidBytes.len > SSL3_SESSIONID_BYTES) {
6458	if (isTLS)
6459	    desc = decode_error;
6460	goto alert_loser;	/* malformed. */
6461    }
6462
6463    /* find selected cipher suite in our list. */
6464    temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
6465    if (temp < 0) {
6466    	goto loser; 	/* alert has been sent */
6467    }
6468    ssl3_config_match_init(ss);
6469    for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
6470	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
6471	if (temp == suite->cipher_suite) {
6472	    SSLVersionRange vrange = {ss->version, ss->version};
6473	    if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) {
6474		/* config_match already checks whether the cipher suite is
6475		 * acceptable for the version, but the check is repeated here
6476		 * in order to give a more precise error code. */
6477		if (!ssl3_CipherSuiteAllowedForVersionRange(temp, &vrange)) {
6478		    desc    = handshake_failure;
6479		    errCode = SSL_ERROR_CIPHER_DISALLOWED_FOR_VERSION;
6480		    goto alert_loser;
6481		}
6482
6483		break;	/* failure */
6484	    }
6485
6486	    suite_found = PR_TRUE;
6487	    break;	/* success */
6488	}
6489    }
6490    if (!suite_found) {
6491    	desc    = handshake_failure;
6492	errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
6493	goto alert_loser;
6494    }
6495    ss->ssl3.hs.cipher_suite = (ssl3CipherSuite)temp;
6496    ss->ssl3.hs.suite_def    = ssl_LookupCipherSuiteDef((ssl3CipherSuite)temp);
6497    PORT_Assert(ss->ssl3.hs.suite_def);
6498    if (!ss->ssl3.hs.suite_def) {
6499    	PORT_SetError(errCode = SEC_ERROR_LIBRARY_FAILURE);
6500	goto loser;	/* we don't send alerts for our screw-ups. */
6501    }
6502
6503    /* find selected compression method in our list. */
6504    temp = ssl3_ConsumeHandshakeNumber(ss, 1, &b, &length);
6505    if (temp < 0) {
6506    	goto loser; 	/* alert has been sent */
6507    }
6508    suite_found = PR_FALSE;
6509    for (i = 0; i < compressionMethodsCount; i++) {
6510	if (temp == compressions[i]) {
6511	    if (!compressionEnabled(ss, compressions[i])) {
6512		break;	/* failure */
6513	    }
6514	    suite_found = PR_TRUE;
6515	    break;	/* success */
6516    	}
6517    }
6518    if (!suite_found) {
6519    	desc    = handshake_failure;
6520	errCode = SSL_ERROR_NO_COMPRESSION_OVERLAP;
6521	goto alert_loser;
6522    }
6523    ss->ssl3.hs.compression = (SSLCompressionMethod)temp;
6524
6525    /* Note that if !isTLS and the extra stuff is not extensions, we
6526     * do NOT goto alert_loser.
6527     * There are some old SSL 3.0 implementations that do send stuff
6528     * after the end of the server hello, and we deliberately ignore
6529     * such stuff in the interest of maximal interoperability (being
6530     * "generous in what you accept").
6531     * Update: Starting in NSS 3.12.6, we handle the renegotiation_info
6532     * extension in SSL 3.0.
6533     */
6534    if (length != 0) {
6535	SECItem extensions;
6536	rv = ssl3_ConsumeHandshakeVariable(ss, &extensions, 2, &b, &length);
6537	if (rv != SECSuccess || length != 0) {
6538	    if (isTLS)
6539		goto alert_loser;
6540	} else {
6541	    rv = ssl3_HandleHelloExtensions(ss, &extensions.data,
6542					    &extensions.len);
6543	    if (rv != SECSuccess)
6544		goto alert_loser;
6545	}
6546    }
6547    if ((ss->opt.requireSafeNegotiation ||
6548         (ss->firstHsDone && (ss->peerRequestedProtection ||
6549	 ss->opt.enableRenegotiation == SSL_RENEGOTIATE_REQUIRES_XTN))) &&
6550	!ssl3_ExtensionNegotiated(ss, ssl_renegotiation_info_xtn)) {
6551	desc = handshake_failure;
6552	errCode = ss->firstHsDone ? SSL_ERROR_RENEGOTIATION_NOT_ALLOWED
6553	                          : SSL_ERROR_UNSAFE_NEGOTIATION;
6554	goto alert_loser;
6555    }
6556
6557    /* Any errors after this point are not "malformed" errors. */
6558    desc    = handshake_failure;
6559
6560    /* we need to call ssl3_SetupPendingCipherSpec here so we can check the
6561     * key exchange algorithm. */
6562    rv = ssl3_SetupPendingCipherSpec(ss);
6563    if (rv != SECSuccess) {
6564	goto alert_loser;	/* error code is set. */
6565    }
6566
6567    /* We may or may not have sent a session id, we may get one back or
6568     * not and if so it may match the one we sent.
6569     * Attempt to restore the master secret to see if this is so...
6570     * Don't consider failure to find a matching SID an error.
6571     */
6572    sid_match = (PRBool)(sidBytes.len > 0 &&
6573	sidBytes.len == sid->u.ssl3.sessionIDLength &&
6574	!PORT_Memcmp(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len));
6575
6576    if (sid_match &&
6577	sid->version == ss->version &&
6578	sid->u.ssl3.cipherSuite == ss->ssl3.hs.cipher_suite) do {
6579	ssl3CipherSpec *pwSpec = ss->ssl3.pwSpec;
6580
6581	SECItem       wrappedMS;   /* wrapped master secret. */
6582
6583	ss->sec.authAlgorithm = sid->authAlgorithm;
6584	ss->sec.authKeyBits   = sid->authKeyBits;
6585	ss->sec.keaType       = sid->keaType;
6586	ss->sec.keaKeyBits    = sid->keaKeyBits;
6587
6588	/* 3 cases here:
6589	 * a) key is wrapped (implies using PKCS11)
6590	 * b) key is unwrapped, but we're still using PKCS11
6591	 * c) key is unwrapped, and we're bypassing PKCS11.
6592	 */
6593	if (sid->u.ssl3.keys.msIsWrapped) {
6594	    PK11SlotInfo *slot;
6595	    PK11SymKey *  wrapKey;     /* wrapping key */
6596	    CK_FLAGS      keyFlags      = 0;
6597
6598#ifndef NO_PKCS11_BYPASS
6599	    if (ss->opt.bypassPKCS11) {
6600		/* we cannot restart a non-bypass session in a
6601		** bypass socket.
6602		*/
6603		break;
6604	    }
6605#endif
6606	    /* unwrap master secret with PKCS11 */
6607	    slot = SECMOD_LookupSlot(sid->u.ssl3.masterModuleID,
6608				     sid->u.ssl3.masterSlotID);
6609	    if (slot == NULL) {
6610		break;		/* not considered an error. */
6611	    }
6612	    if (!PK11_IsPresent(slot)) {
6613		PK11_FreeSlot(slot);
6614		break;		/* not considered an error. */
6615	    }
6616	    wrapKey = PK11_GetWrapKey(slot, sid->u.ssl3.masterWrapIndex,
6617				      sid->u.ssl3.masterWrapMech,
6618				      sid->u.ssl3.masterWrapSeries,
6619				      ss->pkcs11PinArg);
6620	    PK11_FreeSlot(slot);
6621	    if (wrapKey == NULL) {
6622		break;		/* not considered an error. */
6623	    }
6624
6625	    if (ss->version > SSL_LIBRARY_VERSION_3_0) {	/* isTLS */
6626		keyFlags = CKF_SIGN | CKF_VERIFY;
6627	    }
6628
6629	    wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
6630	    wrappedMS.len  = sid->u.ssl3.keys.wrapped_master_secret_len;
6631	    pwSpec->master_secret =
6632		PK11_UnwrapSymKeyWithFlags(wrapKey, sid->u.ssl3.masterWrapMech,
6633			    NULL, &wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE,
6634			    CKA_DERIVE, sizeof(SSL3MasterSecret), keyFlags);
6635	    errCode = PORT_GetError();
6636	    PK11_FreeSymKey(wrapKey);
6637	    if (pwSpec->master_secret == NULL) {
6638		break;	/* errorCode set just after call to UnwrapSymKey. */
6639	    }
6640#ifndef NO_PKCS11_BYPASS
6641	} else if (ss->opt.bypassPKCS11) {
6642	    /* MS is not wrapped */
6643	    wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
6644	    wrappedMS.len  = sid->u.ssl3.keys.wrapped_master_secret_len;
6645	    memcpy(pwSpec->raw_master_secret, wrappedMS.data, wrappedMS.len);
6646	    pwSpec->msItem.data = pwSpec->raw_master_secret;
6647	    pwSpec->msItem.len  = wrappedMS.len;
6648#endif
6649	} else {
6650	    /* We CAN restart a bypass session in a non-bypass socket. */
6651	    /* need to import the raw master secret to session object */
6652	    PK11SlotInfo *slot = PK11_GetInternalSlot();
6653	    wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
6654	    wrappedMS.len  = sid->u.ssl3.keys.wrapped_master_secret_len;
6655	    pwSpec->master_secret =
6656		PK11_ImportSymKey(slot, CKM_SSL3_MASTER_KEY_DERIVE,
6657				  PK11_OriginUnwrap, CKA_ENCRYPT,
6658				  &wrappedMS, NULL);
6659	    PK11_FreeSlot(slot);
6660	    if (pwSpec->master_secret == NULL) {
6661		break;
6662	    }
6663	}
6664
6665	/* Got a Match */
6666	SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_hits );
6667
6668	/* If we sent a session ticket, then this is a stateless resume. */
6669	if (ss->xtnData.sentSessionTicketInClientHello)
6670	    SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_stateless_resumes );
6671
6672	if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn))
6673	    ss->ssl3.hs.ws = wait_new_session_ticket;
6674	else
6675	    ss->ssl3.hs.ws = wait_change_cipher;
6676
6677	ss->ssl3.hs.isResuming = PR_TRUE;
6678
6679	/* copy the peer cert from the SID */
6680	if (sid->peerCert != NULL) {
6681	    ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
6682	    ssl3_CopyPeerCertsFromSID(ss, sid);
6683	}
6684
6685	/* NULL value for PMS signifies re-use of the old MS */
6686	rv = ssl3_InitPendingCipherSpec(ss,  NULL);
6687	if (rv != SECSuccess) {
6688	    goto alert_loser;	/* err code was set */
6689	}
6690	goto winner;
6691    } while (0);
6692
6693    if (sid_match)
6694	SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_not_ok );
6695    else
6696	SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_misses );
6697
6698    /* throw the old one away */
6699    sid->u.ssl3.keys.resumable = PR_FALSE;
6700    if (ss->sec.uncache)
6701        (*ss->sec.uncache)(sid);
6702    ssl_FreeSID(sid);
6703
6704    /* get a new sid */
6705    ss->sec.ci.sid = sid = ssl3_NewSessionID(ss, PR_FALSE);
6706    if (sid == NULL) {
6707	goto alert_loser;	/* memory error is set. */
6708    }
6709
6710    sid->version = ss->version;
6711    sid->u.ssl3.sessionIDLength = sidBytes.len;
6712    PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len);
6713
6714    /* Copy Signed Certificate Timestamps, if any. */
6715    if (ss->xtnData.signedCertTimestamps.data) {
6716	rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.signedCertTimestamps,
6717			      &ss->xtnData.signedCertTimestamps);
6718	if (rv != SECSuccess)
6719	    goto loser;
6720    }
6721
6722    ss->ssl3.hs.isResuming = PR_FALSE;
6723    ss->ssl3.hs.ws         = wait_server_cert;
6724
6725winner:
6726    /* Clean up the temporary pointer to the handshake buffer. */
6727    ss->xtnData.signedCertTimestamps.data = NULL;
6728    ss->xtnData.signedCertTimestamps.len = 0;
6729
6730    /* If we will need a ChannelID key then we make the callback now. This
6731     * allows the handshake to be restarted cleanly if the callback returns
6732     * SECWouldBlock. */
6733    if (ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn)) {
6734	rv = ss->getChannelID(ss->getChannelIDArg, ss->fd,
6735			      &ss->ssl3.channelIDPub, &ss->ssl3.channelID);
6736	if (rv == SECWouldBlock) {
6737	    ssl3_SetAlwaysBlock(ss);
6738	    return rv;
6739	}
6740	if (rv != SECSuccess ||
6741	    ss->ssl3.channelIDPub == NULL ||
6742	    ss->ssl3.channelID == NULL) {
6743	    PORT_SetError(SSL_ERROR_GET_CHANNEL_ID_FAILED);
6744	    desc = internal_error;
6745	    goto alert_loser;
6746	}
6747    }
6748
6749    return SECSuccess;
6750
6751alert_loser:
6752    (void)SSL3_SendAlert(ss, alert_fatal, desc);
6753
6754loser:
6755    /* Clean up the temporary pointer to the handshake buffer. */
6756    ss->xtnData.signedCertTimestamps.data = NULL;
6757    ss->xtnData.signedCertTimestamps.len = 0;
6758    errCode = ssl_MapLowLevelError(errCode);
6759    return SECFailure;
6760}
6761
6762/* ssl3_BigIntGreaterThanOne returns true iff |mpint|, taken as an unsigned,
6763 * big-endian integer is > 1 */
6764static PRBool
6765ssl3_BigIntGreaterThanOne(const SECItem* mpint) {
6766    unsigned char firstNonZeroByte = 0;
6767    unsigned int i;
6768
6769    for (i = 0; i < mpint->len; i++) {
6770	if (mpint->data[i]) {
6771	    firstNonZeroByte = mpint->data[i];
6772	    break;
6773	}
6774    }
6775
6776    if (firstNonZeroByte == 0)
6777	return PR_FALSE;
6778    if (firstNonZeroByte > 1)
6779	return PR_TRUE;
6780
6781    /* firstNonZeroByte == 1, therefore mpint > 1 iff the first non-zero byte
6782     * is followed by another byte. */
6783    return (i < mpint->len - 1);
6784}
6785
6786/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
6787 * ssl3 ServerKeyExchange message.
6788 * Caller must hold Handshake and RecvBuf locks.
6789 */
6790static SECStatus
6791ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
6792{
6793    PLArenaPool *    arena     = NULL;
6794    SECKEYPublicKey *peerKey   = NULL;
6795    PRBool           isTLS, isTLS12;
6796    SECStatus        rv;
6797    int              errCode   = SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH;
6798    SSL3AlertDescription desc  = illegal_parameter;
6799    SSL3Hashes       hashes;
6800    SECItem          signature = {siBuffer, NULL, 0};
6801    SSL3SignatureAndHashAlgorithm sigAndHash;
6802
6803    sigAndHash.hashAlg = SEC_OID_UNKNOWN;
6804
6805    SSL_TRC(3, ("%d: SSL3[%d]: handle server_key_exchange handshake",
6806		SSL_GETPID(), ss->fd));
6807    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
6808    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
6809
6810    if (ss->ssl3.hs.ws != wait_server_key &&
6811	ss->ssl3.hs.ws != wait_server_cert) {
6812	errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH;
6813	desc    = unexpected_message;
6814	goto alert_loser;
6815    }
6816    if (ss->sec.peerCert == NULL) {
6817	errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH;
6818	desc    = unexpected_message;
6819	goto alert_loser;
6820    }
6821
6822    isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
6823    isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
6824
6825    switch (ss->ssl3.hs.kea_def->exchKeyType) {
6826
6827    case kt_rsa: {
6828	SECItem          modulus   = {siBuffer, NULL, 0};
6829	SECItem          exponent  = {siBuffer, NULL, 0};
6830
6831    	rv = ssl3_ConsumeHandshakeVariable(ss, &modulus, 2, &b, &length);
6832    	if (rv != SECSuccess) {
6833	    goto loser;		/* malformed. */
6834	}
6835    	rv = ssl3_ConsumeHandshakeVariable(ss, &exponent, 2, &b, &length);
6836    	if (rv != SECSuccess) {
6837	    goto loser;		/* malformed. */
6838	}
6839	if (isTLS12) {
6840	    rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length,
6841						       &sigAndHash);
6842	    if (rv != SECSuccess) {
6843		goto loser;	/* malformed or unsupported. */
6844	    }
6845	    rv = ssl3_CheckSignatureAndHashAlgorithmConsistency(
6846		    &sigAndHash, ss->sec.peerCert);
6847	    if (rv != SECSuccess) {
6848		goto loser;
6849	    }
6850	}
6851    	rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length);
6852    	if (rv != SECSuccess) {
6853	    goto loser;		/* malformed. */
6854	}
6855    	if (length != 0) {
6856	    if (isTLS)
6857		desc = decode_error;
6858	    goto alert_loser;		/* malformed. */
6859	}
6860
6861	/* failures after this point are not malformed handshakes. */
6862	/* TLS: send decrypt_error if signature failed. */
6863    	desc = isTLS ? decrypt_error : handshake_failure;
6864
6865    	/*
6866     	 *  check to make sure the hash is signed by right guy
6867     	 */
6868	rv = ssl3_ComputeExportRSAKeyHash(sigAndHash.hashAlg, modulus, exponent,
6869					  &ss->ssl3.hs.client_random,
6870					  &ss->ssl3.hs.server_random,
6871					  &hashes, ss->opt.bypassPKCS11);
6872        if (rv != SECSuccess) {
6873	    errCode =
6874	    	ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
6875	    goto alert_loser;
6876	}
6877        rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature,
6878				    isTLS, ss->pkcs11PinArg);
6879	if (rv != SECSuccess)  {
6880	    errCode =
6881	    	ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
6882	    goto alert_loser;
6883	}
6884
6885	/*
6886	 * we really need to build a new key here because we can no longer
6887	 * ignore calling SECKEY_DestroyPublicKey. Using the key may allocate
6888	 * pkcs11 slots and ID's.
6889	 */
6890    	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
6891	if (arena == NULL) {
6892	    goto no_memory;
6893	}
6894
6895    	peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey);
6896    	if (peerKey == NULL) {
6897            PORT_FreeArena(arena, PR_FALSE);
6898	    goto no_memory;
6899	}
6900
6901	peerKey->arena              = arena;
6902	peerKey->keyType            = rsaKey;
6903	peerKey->pkcs11Slot         = NULL;
6904	peerKey->pkcs11ID           = CK_INVALID_HANDLE;
6905	if (SECITEM_CopyItem(arena, &peerKey->u.rsa.modulus,        &modulus) ||
6906	    SECITEM_CopyItem(arena, &peerKey->u.rsa.publicExponent, &exponent))
6907	{
6908            PORT_FreeArena(arena, PR_FALSE);
6909	    goto no_memory;
6910        }
6911    	ss->sec.peerKey = peerKey;
6912    	ss->ssl3.hs.ws = wait_cert_request;
6913    	return SECSuccess;
6914    }
6915
6916    case kt_dh: {
6917	SECItem          dh_p      = {siBuffer, NULL, 0};
6918	SECItem          dh_g      = {siBuffer, NULL, 0};
6919	SECItem          dh_Ys     = {siBuffer, NULL, 0};
6920
6921    	rv = ssl3_ConsumeHandshakeVariable(ss, &dh_p, 2, &b, &length);
6922    	if (rv != SECSuccess) {
6923	    goto loser;		/* malformed. */
6924	}
6925	if (dh_p.len < 512/8) {
6926	    errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY;
6927	    goto alert_loser;
6928	}
6929    	rv = ssl3_ConsumeHandshakeVariable(ss, &dh_g, 2, &b, &length);
6930    	if (rv != SECSuccess) {
6931	    goto loser;		/* malformed. */
6932	}
6933	if (dh_g.len > dh_p.len || !ssl3_BigIntGreaterThanOne(&dh_g))
6934	    goto alert_loser;
6935    	rv = ssl3_ConsumeHandshakeVariable(ss, &dh_Ys, 2, &b, &length);
6936    	if (rv != SECSuccess) {
6937	    goto loser;		/* malformed. */
6938	}
6939	if (dh_Ys.len > dh_p.len || !ssl3_BigIntGreaterThanOne(&dh_Ys))
6940	    goto alert_loser;
6941	if (isTLS12) {
6942	    rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length,
6943						       &sigAndHash);
6944	    if (rv != SECSuccess) {
6945		goto loser;	/* malformed or unsupported. */
6946	    }
6947	    rv = ssl3_CheckSignatureAndHashAlgorithmConsistency(
6948		    &sigAndHash, ss->sec.peerCert);
6949	    if (rv != SECSuccess) {
6950		goto loser;
6951	    }
6952	}
6953    	rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length);
6954    	if (rv != SECSuccess) {
6955	    goto loser;		/* malformed. */
6956	}
6957    	if (length != 0) {
6958	    if (isTLS)
6959		desc = decode_error;
6960	    goto alert_loser;		/* malformed. */
6961	}
6962
6963	PRINT_BUF(60, (NULL, "Server DH p", dh_p.data, dh_p.len));
6964	PRINT_BUF(60, (NULL, "Server DH g", dh_g.data, dh_g.len));
6965	PRINT_BUF(60, (NULL, "Server DH Ys", dh_Ys.data, dh_Ys.len));
6966
6967	/* failures after this point are not malformed handshakes. */
6968	/* TLS: send decrypt_error if signature failed. */
6969    	desc = isTLS ? decrypt_error : handshake_failure;
6970
6971    	/*
6972     	 *  check to make sure the hash is signed by right guy
6973     	 */
6974	rv = ssl3_ComputeDHKeyHash(sigAndHash.hashAlg, dh_p, dh_g, dh_Ys,
6975					  &ss->ssl3.hs.client_random,
6976					  &ss->ssl3.hs.server_random,
6977					  &hashes, ss->opt.bypassPKCS11);
6978        if (rv != SECSuccess) {
6979	    errCode =
6980	    	ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
6981	    goto alert_loser;
6982	}
6983        rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature,
6984				    isTLS, ss->pkcs11PinArg);
6985	if (rv != SECSuccess)  {
6986	    errCode =
6987	    	ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
6988	    goto alert_loser;
6989	}
6990
6991	/*
6992	 * we really need to build a new key here because we can no longer
6993	 * ignore calling SECKEY_DestroyPublicKey. Using the key may allocate
6994	 * pkcs11 slots and ID's.
6995	 */
6996    	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
6997	if (arena == NULL) {
6998	    goto no_memory;
6999	}
7000
7001    	ss->sec.peerKey = peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey);
7002    	if (peerKey == NULL) {
7003	    goto no_memory;
7004	}
7005
7006	peerKey->arena              = arena;
7007	peerKey->keyType            = dhKey;
7008	peerKey->pkcs11Slot         = NULL;
7009	peerKey->pkcs11ID           = CK_INVALID_HANDLE;
7010
7011	if (SECITEM_CopyItem(arena, &peerKey->u.dh.prime,        &dh_p) ||
7012	    SECITEM_CopyItem(arena, &peerKey->u.dh.base,         &dh_g) ||
7013	    SECITEM_CopyItem(arena, &peerKey->u.dh.publicValue,  &dh_Ys))
7014	{
7015            PORT_FreeArena(arena, PR_FALSE);
7016	    goto no_memory;
7017        }
7018    	ss->sec.peerKey = peerKey;
7019    	ss->ssl3.hs.ws = wait_cert_request;
7020    	return SECSuccess;
7021    }
7022
7023#ifdef NSS_ENABLE_ECC
7024    case kt_ecdh:
7025	rv = ssl3_HandleECDHServerKeyExchange(ss, b, length);
7026	return rv;
7027#endif /* NSS_ENABLE_ECC */
7028
7029    default:
7030    	desc    = handshake_failure;
7031	errCode = SEC_ERROR_UNSUPPORTED_KEYALG;
7032	break;		/* goto alert_loser; */
7033    }
7034
7035alert_loser:
7036    (void)SSL3_SendAlert(ss, alert_fatal, desc);
7037loser:
7038    PORT_SetError( errCode );
7039    return SECFailure;
7040
7041no_memory:	/* no-memory error has already been set. */
7042    ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
7043    return SECFailure;
7044}
7045
7046
7047/*
7048 * Returns the TLS signature algorithm for the client authentication key and
7049 * whether it is an RSA or DSA key that may be able to sign only SHA-1 hashes.
7050 */
7051static SECStatus
7052ssl3_ExtractClientKeyInfo(sslSocket *ss,
7053			  TLSSignatureAlgorithm *sigAlg,
7054			  PRBool *preferSha1)
7055{
7056    SECStatus rv = SECSuccess;
7057    SECKEYPublicKey *pubk;
7058
7059    pubk = CERT_ExtractPublicKey(ss->ssl3.clientCertificate);
7060    if (pubk == NULL) {
7061	rv = SECFailure;
7062	goto done;
7063    }
7064
7065    rv = ssl3_TLSSignatureAlgorithmForKeyType(pubk->keyType, sigAlg);
7066    if (rv != SECSuccess) {
7067	goto done;
7068    }
7069
7070#if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(_WIN32)
7071    /* If the key is in CAPI, assume conservatively that the CAPI service
7072     * provider may be unable to sign SHA-256 hashes.
7073     */
7074    if (ss->ssl3.platformClientKey->dwKeySpec != CERT_NCRYPT_KEY_SPEC) {
7075	/* CAPI only supports RSA and DSA signatures, so we don't need to
7076	 * check the key type. */
7077	*preferSha1 = PR_TRUE;
7078	goto done;
7079    }
7080#endif  /* NSS_PLATFORM_CLIENT_AUTH && _WIN32 */
7081
7082    /* If the key is a 1024-bit RSA or DSA key, assume conservatively that
7083     * it may be unable to sign SHA-256 hashes. This is the case for older
7084     * Estonian ID cards that have 1024-bit RSA keys. In FIPS 186-2 and
7085     * older, DSA key size is at most 1024 bits and the hash function must
7086     * be SHA-1.
7087     */
7088    if (pubk->keyType == rsaKey || pubk->keyType == dsaKey) {
7089	*preferSha1 = SECKEY_PublicKeyStrength(pubk) <= 128;
7090    } else {
7091	*preferSha1 = PR_FALSE;
7092    }
7093
7094done:
7095    if (pubk)
7096	SECKEY_DestroyPublicKey(pubk);
7097    return rv;
7098}
7099
7100/* Destroys the backup handshake hash context if we don't need it. Note that
7101 * this function selects the hash algorithm for client authentication
7102 * signatures; ssl3_SendCertificateVerify uses the presence of the backup hash
7103 * to determine whether to use SHA-1 or SHA-256. */
7104static void
7105ssl3_DestroyBackupHandshakeHashIfNotNeeded(sslSocket *ss,
7106					   const SECItem *algorithms)
7107{
7108    SECStatus rv;
7109    TLSSignatureAlgorithm sigAlg;
7110    PRBool preferSha1;
7111    PRBool supportsSha1 = PR_FALSE;
7112    PRBool supportsSha256 = PR_FALSE;
7113    PRBool needBackupHash = PR_FALSE;
7114    unsigned int i;
7115
7116#ifndef NO_PKCS11_BYPASS
7117    /* Backup handshake hash is not supported in PKCS #11 bypass mode. */
7118    if (ss->opt.bypassPKCS11) {
7119	PORT_Assert(!ss->ssl3.hs.backupHash);
7120	return;
7121    }
7122#endif
7123    PORT_Assert(ss->ssl3.hs.backupHash);
7124
7125    /* Determine the key's signature algorithm and whether it prefers SHA-1. */
7126    rv = ssl3_ExtractClientKeyInfo(ss, &sigAlg, &preferSha1);
7127    if (rv != SECSuccess) {
7128	goto done;
7129    }
7130
7131    /* Determine the server's hash support for that signature algorithm. */
7132    for (i = 0; i < algorithms->len; i += 2) {
7133	if (algorithms->data[i+1] == sigAlg) {
7134	    if (algorithms->data[i] == tls_hash_sha1) {
7135		supportsSha1 = PR_TRUE;
7136	    } else if (algorithms->data[i] == tls_hash_sha256) {
7137		supportsSha256 = PR_TRUE;
7138	    }
7139	}
7140    }
7141
7142    /* If either the server does not support SHA-256 or the client key prefers
7143     * SHA-1, leave the backup hash. */
7144    if (supportsSha1 && (preferSha1 || !supportsSha256)) {
7145	needBackupHash = PR_TRUE;
7146    }
7147
7148done:
7149    if (!needBackupHash) {
7150	PK11_DestroyContext(ss->ssl3.hs.backupHash, PR_TRUE);
7151	ss->ssl3.hs.backupHash = NULL;
7152    }
7153}
7154
7155typedef struct dnameNode {
7156    struct dnameNode *next;
7157    SECItem           name;
7158} dnameNode;
7159
7160/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
7161 * ssl3 Certificate Request message.
7162 * Caller must hold Handshake and RecvBuf locks.
7163 */
7164static SECStatus
7165ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
7166{
7167    PLArenaPool *        arena       = NULL;
7168    dnameNode *          node;
7169    PRInt32              remaining;
7170    PRBool               isTLS       = PR_FALSE;
7171    PRBool               isTLS12     = PR_FALSE;
7172    int                  i;
7173    int                  errCode     = SSL_ERROR_RX_MALFORMED_CERT_REQUEST;
7174    int                  nnames      = 0;
7175    SECStatus            rv;
7176    SSL3AlertDescription desc        = illegal_parameter;
7177    SECItem              cert_types  = {siBuffer, NULL, 0};
7178    SECItem              algorithms  = {siBuffer, NULL, 0};
7179    CERTDistNames        ca_list;
7180#ifdef NSS_PLATFORM_CLIENT_AUTH
7181    CERTCertList *       platform_cert_list = NULL;
7182    CERTCertListNode *   certNode = NULL;
7183#endif  /* NSS_PLATFORM_CLIENT_AUTH */
7184
7185    SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake",
7186		SSL_GETPID(), ss->fd));
7187    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
7188    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
7189
7190    if (ss->ssl3.hs.ws != wait_cert_request &&
7191    	ss->ssl3.hs.ws != wait_server_key) {
7192	desc    = unexpected_message;
7193	errCode = SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST;
7194	goto alert_loser;
7195    }
7196
7197    PORT_Assert(ss->ssl3.clientCertChain == NULL);
7198    PORT_Assert(ss->ssl3.clientCertificate == NULL);
7199    PORT_Assert(ss->ssl3.clientPrivateKey == NULL);
7200    PORT_Assert(ss->ssl3.platformClientKey == (PlatformKey)NULL);
7201
7202    isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
7203    isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
7204    rv = ssl3_ConsumeHandshakeVariable(ss, &cert_types, 1, &b, &length);
7205    if (rv != SECSuccess)
7206    	goto loser;		/* malformed, alert has been sent */
7207
7208    PORT_Assert(!ss->requestedCertTypes);
7209    ss->requestedCertTypes = &cert_types;
7210
7211    if (isTLS12) {
7212	rv = ssl3_ConsumeHandshakeVariable(ss, &algorithms, 2, &b, &length);
7213	if (rv != SECSuccess)
7214	    goto loser;		/* malformed, alert has been sent */
7215	/* An empty or odd-length value is invalid.
7216	 *    SignatureAndHashAlgorithm
7217	 *      supported_signature_algorithms<2..2^16-2>;
7218	 */
7219	if (algorithms.len == 0 || (algorithms.len & 1) != 0)
7220	    goto alert_loser;
7221    }
7222
7223    arena = ca_list.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
7224    if (arena == NULL)
7225    	goto no_mem;
7226
7227    remaining = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
7228    if (remaining < 0)
7229    	goto loser;	 	/* malformed, alert has been sent */
7230
7231    if ((PRUint32)remaining > length)
7232	goto alert_loser;
7233
7234    ca_list.head = node = PORT_ArenaZNew(arena, dnameNode);
7235    if (node == NULL)
7236    	goto no_mem;
7237
7238    while (remaining > 0) {
7239	PRInt32 len;
7240
7241	if (remaining < 2)
7242	    goto alert_loser;	/* malformed */
7243
7244	node->name.len = len = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
7245	if (len <= 0)
7246	    goto loser;		/* malformed, alert has been sent */
7247
7248	remaining -= 2;
7249	if (remaining < len)
7250	    goto alert_loser;	/* malformed */
7251
7252	node->name.data = b;
7253	b         += len;
7254	length    -= len;
7255	remaining -= len;
7256	nnames++;
7257	if (remaining <= 0)
7258	    break;		/* success */
7259
7260	node->next = PORT_ArenaZNew(arena, dnameNode);
7261	node = node->next;
7262	if (node == NULL)
7263	    goto no_mem;
7264    }
7265
7266    ca_list.nnames = nnames;
7267    ca_list.names  = PORT_ArenaNewArray(arena, SECItem, nnames);
7268    if (nnames > 0 && ca_list.names == NULL)
7269        goto no_mem;
7270
7271    for(i = 0, node = (dnameNode*)ca_list.head;
7272	i < nnames;
7273	i++, node = node->next) {
7274	ca_list.names[i] = node->name;
7275    }
7276
7277    if (length != 0)
7278        goto alert_loser;   	/* malformed */
7279
7280    desc = no_certificate;
7281    ss->ssl3.hs.ws = wait_hello_done;
7282
7283#ifdef NSS_PLATFORM_CLIENT_AUTH
7284    if (ss->getPlatformClientAuthData != NULL) {
7285	/* XXX Should pass cert_types and algorithms in this call!! */
7286        rv = (SECStatus)(*ss->getPlatformClientAuthData)(
7287                                        ss->getPlatformClientAuthDataArg,
7288                                        ss->fd, &ca_list,
7289                                        &platform_cert_list,
7290                                        (void**)&ss->ssl3.platformClientKey,
7291                                        &ss->ssl3.clientCertificate,
7292                                        &ss->ssl3.clientPrivateKey);
7293    } else
7294#endif
7295    if (ss->getClientAuthData != NULL) {
7296	/* XXX Should pass cert_types and algorithms in this call!! */
7297	rv = (SECStatus)(*ss->getClientAuthData)(ss->getClientAuthDataArg,
7298						 ss->fd, &ca_list,
7299						 &ss->ssl3.clientCertificate,
7300						 &ss->ssl3.clientPrivateKey);
7301    } else {
7302	rv = SECFailure; /* force it to send a no_certificate alert */
7303    }
7304
7305    switch (rv) {
7306    case SECWouldBlock:	/* getClientAuthData has put up a dialog box. */
7307	ssl3_SetAlwaysBlock(ss);
7308	break;	/* not an error */
7309
7310    case SECSuccess:
7311#ifdef NSS_PLATFORM_CLIENT_AUTH
7312        if (!platform_cert_list || CERT_LIST_EMPTY(platform_cert_list) ||
7313            !ss->ssl3.platformClientKey) {
7314            if (platform_cert_list) {
7315                CERT_DestroyCertList(platform_cert_list);
7316                platform_cert_list = NULL;
7317            }
7318            if (ss->ssl3.platformClientKey) {
7319                ssl_FreePlatformKey(ss->ssl3.platformClientKey);
7320                ss->ssl3.platformClientKey = (PlatformKey)NULL;
7321            }
7322	    /* Fall through to NSS client auth check */
7323        } else {
7324	    certNode = CERT_LIST_HEAD(platform_cert_list);
7325	    ss->ssl3.clientCertificate = CERT_DupCertificate(certNode->cert);
7326
7327	    /* Setting ssl3.clientCertChain non-NULL will cause
7328	     * ssl3_HandleServerHelloDone to call SendCertificate.
7329	     * Note: clientCertChain should include the EE cert as
7330	     * clientCertificate is ignored during the actual sending
7331	     */
7332	    ss->ssl3.clientCertChain =
7333		    hack_NewCertificateListFromCertList(platform_cert_list);
7334	    CERT_DestroyCertList(platform_cert_list);
7335	    platform_cert_list = NULL;
7336	    if (ss->ssl3.clientCertChain == NULL) {
7337		if (ss->ssl3.clientCertificate != NULL) {
7338		    CERT_DestroyCertificate(ss->ssl3.clientCertificate);
7339		    ss->ssl3.clientCertificate = NULL;
7340		}
7341		if (ss->ssl3.platformClientKey) {
7342		    ssl_FreePlatformKey(ss->ssl3.platformClientKey);
7343		    ss->ssl3.platformClientKey = (PlatformKey)NULL;
7344		}
7345		goto send_no_certificate;
7346	    }
7347	    if (ss->ssl3.hs.hashType == handshake_hash_single) {
7348		ssl3_DestroyBackupHandshakeHashIfNotNeeded(ss, &algorithms);
7349	    }
7350	    break;  /* not an error */
7351	}
7352#endif   /* NSS_PLATFORM_CLIENT_AUTH */
7353        /* check what the callback function returned */
7354        if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) {
7355            /* we are missing either the key or cert */
7356            if (ss->ssl3.clientCertificate) {
7357                /* got a cert, but no key - free it */
7358                CERT_DestroyCertificate(ss->ssl3.clientCertificate);
7359                ss->ssl3.clientCertificate = NULL;
7360            }
7361            if (ss->ssl3.clientPrivateKey) {
7362                /* got a key, but no cert - free it */
7363                SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
7364                ss->ssl3.clientPrivateKey = NULL;
7365            }
7366            goto send_no_certificate;
7367        }
7368	/* Setting ssl3.clientCertChain non-NULL will cause
7369	 * ssl3_HandleServerHelloDone to call SendCertificate.
7370	 */
7371	ss->ssl3.clientCertChain = CERT_CertChainFromCert(
7372					ss->ssl3.clientCertificate,
7373					certUsageSSLClient, PR_FALSE);
7374	if (ss->ssl3.clientCertChain == NULL) {
7375	    CERT_DestroyCertificate(ss->ssl3.clientCertificate);
7376	    ss->ssl3.clientCertificate = NULL;
7377	    SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
7378	    ss->ssl3.clientPrivateKey = NULL;
7379	    goto send_no_certificate;
7380	}
7381	if (ss->ssl3.hs.hashType == handshake_hash_single) {
7382	    ssl3_DestroyBackupHandshakeHashIfNotNeeded(ss, &algorithms);
7383	}
7384	break;	/* not an error */
7385
7386    case SECFailure:
7387    default:
7388send_no_certificate:
7389	if (isTLS) {
7390	    ss->ssl3.sendEmptyCert = PR_TRUE;
7391	} else {
7392	    (void)SSL3_SendAlert(ss, alert_warning, no_certificate);
7393	}
7394	rv = SECSuccess;
7395	break;
7396    }
7397    goto done;
7398
7399no_mem:
7400    rv = SECFailure;
7401    PORT_SetError(SEC_ERROR_NO_MEMORY);
7402    goto done;
7403
7404alert_loser:
7405    if (isTLS && desc == illegal_parameter)
7406    	desc = decode_error;
7407    (void)SSL3_SendAlert(ss, alert_fatal, desc);
7408loser:
7409    PORT_SetError(errCode);
7410    rv = SECFailure;
7411done:
7412    ss->requestedCertTypes = NULL;
7413    if (arena != NULL)
7414    	PORT_FreeArena(arena, PR_FALSE);
7415#ifdef NSS_PLATFORM_CLIENT_AUTH
7416    if (platform_cert_list)
7417        CERT_DestroyCertList(platform_cert_list);
7418#endif
7419    return rv;
7420}
7421
7422/*
7423 * attempt to restart the handshake after asynchronously handling
7424 * a request for the client's certificate.
7425 *
7426 * inputs:
7427 *	cert	Client cert chosen by application.
7428 *		Note: ssl takes this reference, and does not bump the
7429 *		reference count.  The caller should drop its reference
7430 *		without calling CERT_DestroyCert after calling this function.
7431 *
7432 *	key	Private key associated with cert.  This function takes
7433 *		ownership of the private key, so the caller should drop its
7434 *		reference without destroying the private key after this
7435 *		function returns.
7436 *
7437 *	certChain  DER-encoded certs, client cert and its signers.
7438 *		Note: ssl takes this reference, and does not copy the chain.
7439 *		The caller should drop its reference without destroying the
7440 *		chain.  SSL will free the chain when it is done with it.
7441 *
7442 * Return value: XXX
7443 *
7444 * XXX This code only works on the initial handshake on a connection, XXX
7445 *     It does not work on a subsequent handshake (redo).
7446 *
7447 * Caller holds 1stHandshakeLock.
7448 */
7449SECStatus
7450ssl3_RestartHandshakeAfterCertReq(sslSocket *         ss,
7451				CERTCertificate *    cert,
7452				SECKEYPrivateKey *   key,
7453				CERTCertificateList *certChain)
7454{
7455    SECStatus        rv          = SECSuccess;
7456
7457    /* XXX This code only works on the initial handshake on a connection,
7458    ** XXX It does not work on a subsequent handshake (redo).
7459    */
7460    if (ss->handshake != 0) {
7461	ss->handshake              = ssl_GatherRecord1stHandshake;
7462	ss->ssl3.clientCertificate = cert;
7463	ss->ssl3.clientPrivateKey  = key;
7464	ss->ssl3.clientCertChain   = certChain;
7465        if (!cert || !key || !certChain) {
7466            /* we are missing the key, cert, or cert chain */
7467            if (ss->ssl3.clientCertificate) {
7468                CERT_DestroyCertificate(ss->ssl3.clientCertificate);
7469                ss->ssl3.clientCertificate = NULL;
7470            }
7471            if (ss->ssl3.clientPrivateKey) {
7472                SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
7473                ss->ssl3.clientPrivateKey = NULL;
7474            }
7475            if (ss->ssl3.clientCertChain != NULL) {
7476                CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
7477                ss->ssl3.clientCertChain = NULL;
7478            }
7479            if (ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0) {
7480                ss->ssl3.sendEmptyCert = PR_TRUE;
7481            } else {
7482                (void)SSL3_SendAlert(ss, alert_warning, no_certificate);
7483            }
7484	}
7485    } else {
7486	if (cert) {
7487	    CERT_DestroyCertificate(cert);
7488	}
7489	if (key) {
7490	    SECKEY_DestroyPrivateKey(key);
7491	}
7492	if (certChain) {
7493	    CERT_DestroyCertificateList(certChain);
7494	}
7495	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
7496	rv = SECFailure;
7497    }
7498    return rv;
7499}
7500
7501static SECStatus
7502ssl3_CheckFalseStart(sslSocket *ss)
7503{
7504    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
7505    PORT_Assert( !ss->ssl3.hs.authCertificatePending );
7506    PORT_Assert( !ss->ssl3.hs.canFalseStart );
7507
7508    if (!ss->canFalseStartCallback) {
7509	SSL_TRC(3, ("%d: SSL[%d]: no false start callback so no false start",
7510		    SSL_GETPID(), ss->fd));
7511    } else {
7512	PRBool maybeFalseStart;
7513	SECStatus rv;
7514
7515	/* An attacker can control the selected ciphersuite so we only wish to
7516	 * do False Start in the case that the selected ciphersuite is
7517	 * sufficiently strong that the attack can gain no advantage.
7518	 * Therefore we always require an 80-bit cipher. */
7519        ssl_GetSpecReadLock(ss);
7520        maybeFalseStart = ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10;
7521        ssl_ReleaseSpecReadLock(ss);
7522
7523	if (!maybeFalseStart) {
7524	    SSL_TRC(3, ("%d: SSL[%d]: no false start due to weak cipher",
7525			SSL_GETPID(), ss->fd));
7526	} else {
7527	    rv = (ss->canFalseStartCallback)(ss->fd,
7528					     ss->canFalseStartCallbackData,
7529					     &ss->ssl3.hs.canFalseStart);
7530	    if (rv == SECSuccess) {
7531		SSL_TRC(3, ("%d: SSL[%d]: false start callback returned %s",
7532			    SSL_GETPID(), ss->fd,
7533			    ss->ssl3.hs.canFalseStart ? "TRUE" : "FALSE"));
7534	    } else {
7535		SSL_TRC(3, ("%d: SSL[%d]: false start callback failed (%s)",
7536			    SSL_GETPID(), ss->fd,
7537			    PR_ErrorToName(PR_GetError())));
7538	    }
7539	    return rv;
7540	}
7541    }
7542
7543    ss->ssl3.hs.canFalseStart = PR_FALSE;
7544    return SECSuccess;
7545}
7546
7547PRBool
7548ssl3_WaitingForStartOfServerSecondRound(sslSocket *ss)
7549{
7550    PRBool result;
7551
7552    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
7553
7554    switch (ss->ssl3.hs.ws) {
7555    case wait_new_session_ticket:
7556        result = PR_TRUE;
7557        break;
7558    case wait_change_cipher:
7559        result = !ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn);
7560        break;
7561    default:
7562        result = PR_FALSE;
7563        break;
7564    }
7565
7566    return result;
7567}
7568
7569static SECStatus ssl3_SendClientSecondRound(sslSocket *ss);
7570
7571/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
7572 * ssl3 Server Hello Done message.
7573 * Caller must hold Handshake and RecvBuf locks.
7574 */
7575static SECStatus
7576ssl3_HandleServerHelloDone(sslSocket *ss)
7577{
7578    SECStatus     rv;
7579    SSL3WaitState ws          = ss->ssl3.hs.ws;
7580
7581    SSL_TRC(3, ("%d: SSL3[%d]: handle server_hello_done handshake",
7582		SSL_GETPID(), ss->fd));
7583    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
7584    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
7585
7586    if (ws != wait_hello_done  &&
7587        ws != wait_server_cert &&
7588	ws != wait_server_key  &&
7589	ws != wait_cert_request) {
7590	SSL3_SendAlert(ss, alert_fatal, unexpected_message);
7591	PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
7592	return SECFailure;
7593    }
7594
7595    rv = ssl3_SendClientSecondRound(ss);
7596
7597    return rv;
7598}
7599
7600/* Called from ssl3_HandleServerHelloDone and ssl3_AuthCertificateComplete.
7601 *
7602 * Caller must hold Handshake and RecvBuf locks.
7603 */
7604static SECStatus
7605ssl3_SendClientSecondRound(sslSocket *ss)
7606{
7607    SECStatus rv;
7608    PRBool sendClientCert;
7609
7610    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
7611    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
7612
7613    sendClientCert = !ss->ssl3.sendEmptyCert &&
7614		     ss->ssl3.clientCertChain  != NULL &&
7615		     (ss->ssl3.platformClientKey ||
7616		     ss->ssl3.clientPrivateKey != NULL);
7617
7618    if (!sendClientCert &&
7619	ss->ssl3.hs.hashType == handshake_hash_single &&
7620	ss->ssl3.hs.backupHash) {
7621	/* Don't need the backup handshake hash. */
7622	PK11_DestroyContext(ss->ssl3.hs.backupHash, PR_TRUE);
7623	ss->ssl3.hs.backupHash = NULL;
7624    }
7625
7626    /* We must wait for the server's certificate to be authenticated before
7627     * sending the client certificate in order to disclosing the client
7628     * certificate to an attacker that does not have a valid cert for the
7629     * domain we are connecting to.
7630     *
7631     * XXX: We should do the same for the NPN extension, but for that we
7632     * need an option to give the application the ability to leak the NPN
7633     * information to get better performance.
7634     *
7635     * During the initial handshake on a connection, we never send/receive
7636     * application data until we have authenticated the server's certificate;
7637     * i.e. we have fully authenticated the handshake before using the cipher
7638     * specs agreed upon for that handshake. During a renegotiation, we may
7639     * continue sending and receiving application data during the handshake
7640     * interleaved with the handshake records. If we were to send the client's
7641     * second round for a renegotiation before the server's certificate was
7642     * authenticated, then the application data sent/received after this point
7643     * would be using cipher spec that hadn't been authenticated. By waiting
7644     * until the server's certificate has been authenticated during
7645     * renegotiations, we ensure that renegotiations have the same property
7646     * as initial handshakes; i.e. we have fully authenticated the handshake
7647     * before using the cipher specs agreed upon for that handshake for
7648     * application data.
7649     */
7650    if (ss->ssl3.hs.restartTarget) {
7651	PR_NOT_REACHED("unexpected ss->ssl3.hs.restartTarget");
7652	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
7653	return SECFailure;
7654    }
7655    if (ss->ssl3.hs.authCertificatePending &&
7656	(sendClientCert || ss->ssl3.sendEmptyCert || ss->firstHsDone)) {
7657	SSL_TRC(3, ("%d: SSL3[%p]: deferring ssl3_SendClientSecondRound because"
7658		    " certificate authentication is still pending.",
7659		    SSL_GETPID(), ss->fd));
7660	ss->ssl3.hs.restartTarget = ssl3_SendClientSecondRound;
7661	return SECWouldBlock;
7662    }
7663
7664    ssl_GetXmitBufLock(ss);		/*******************************/
7665
7666    if (ss->ssl3.sendEmptyCert) {
7667	ss->ssl3.sendEmptyCert = PR_FALSE;
7668	rv = ssl3_SendEmptyCertificate(ss);
7669	/* Don't send verify */
7670	if (rv != SECSuccess) {
7671	    goto loser;	/* error code is set. */
7672    	}
7673    } else if (sendClientCert) {
7674	rv = ssl3_SendCertificate(ss);
7675	if (rv != SECSuccess) {
7676	    goto loser;	/* error code is set. */
7677    	}
7678    }
7679
7680    rv = ssl3_SendClientKeyExchange(ss);
7681    if (rv != SECSuccess) {
7682    	goto loser;	/* err is set. */
7683    }
7684
7685    if (sendClientCert) {
7686	rv = ssl3_SendCertificateVerify(ss);
7687	if (rv != SECSuccess) {
7688	    goto loser;	/* err is set. */
7689        }
7690    }
7691
7692    rv = ssl3_SendChangeCipherSpecs(ss);
7693    if (rv != SECSuccess) {
7694	goto loser;	/* err code was set. */
7695    }
7696
7697    /* This must be done after we've set ss->ssl3.cwSpec in
7698     * ssl3_SendChangeCipherSpecs because SSL_GetChannelInfo uses information
7699     * from cwSpec. This must be done before we call ssl3_CheckFalseStart
7700     * because the false start callback (if any) may need the information from
7701     * the functions that depend on this being set.
7702     */
7703    ss->enoughFirstHsDone = PR_TRUE;
7704
7705    if (!ss->firstHsDone) {
7706	/* XXX: If the server's certificate hasn't been authenticated by this
7707	 * point, then we may be leaking this NPN message to an attacker.
7708	 */
7709	rv = ssl3_SendNextProto(ss);
7710	if (rv != SECSuccess) {
7711	    goto loser;	/* err code was set. */
7712	}
7713    }
7714
7715    rv = ssl3_SendEncryptedExtensions(ss);
7716    if (rv != SECSuccess) {
7717	goto loser; /* err code was set. */
7718    }
7719
7720    if (!ss->firstHsDone) {
7721	if (ss->opt.enableFalseStart) {
7722	    if (!ss->ssl3.hs.authCertificatePending) {
7723		/* When we fix bug 589047, we will need to know whether we are
7724		 * false starting before we try to flush the client second
7725		 * round to the network. With that in mind, we purposefully
7726		 * call ssl3_CheckFalseStart before calling ssl3_SendFinished,
7727		 * which includes a call to ssl3_FlushHandshake, so that
7728		 * no application develops a reliance on such flushing being
7729		 * done before its false start callback is called.
7730		 */
7731		ssl_ReleaseXmitBufLock(ss);
7732		rv = ssl3_CheckFalseStart(ss);
7733		ssl_GetXmitBufLock(ss);
7734		if (rv != SECSuccess) {
7735		    goto loser;
7736		}
7737	    } else {
7738		/* The certificate authentication and the server's Finished
7739		 * message are racing each other. If the certificate
7740		 * authentication wins, then we will try to false start in
7741		 * ssl3_AuthCertificateComplete.
7742		 */
7743		SSL_TRC(3, ("%d: SSL3[%p]: deferring false start check because"
7744			    " certificate authentication is still pending.",
7745			    SSL_GETPID(), ss->fd));
7746	    }
7747	}
7748    }
7749
7750    rv = ssl3_SendFinished(ss, 0);
7751    if (rv != SECSuccess) {
7752	goto loser;	/* err code was set. */
7753    }
7754
7755    ssl_ReleaseXmitBufLock(ss);		/*******************************/
7756
7757    if (!ss->ssl3.hs.isResuming &&
7758        ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn)) {
7759        /* If we are negotiating ChannelID on a full handshake then we record
7760         * the handshake hashes in |sid| at this point. They will be needed in
7761         * the event that we resume this session and use ChannelID on the
7762         * resumption handshake. */
7763        SSL3Hashes hashes;
7764        SECItem *originalHandshakeHash =
7765            &ss->sec.ci.sid->u.ssl3.originalHandshakeHash;
7766        PORT_Assert(ss->sec.ci.sid->cached == never_cached);
7767
7768        ssl_GetSpecReadLock(ss);
7769        PORT_Assert(ss->version > SSL_LIBRARY_VERSION_3_0);
7770        rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.cwSpec, &hashes, 0);
7771        ssl_ReleaseSpecReadLock(ss);
7772        if (rv != SECSuccess) {
7773            return rv;
7774        }
7775
7776        PORT_Assert(originalHandshakeHash->len == 0);
7777        originalHandshakeHash->data = PORT_Alloc(hashes.len);
7778        if (!originalHandshakeHash->data)
7779            return SECFailure;
7780        originalHandshakeHash->len = hashes.len;
7781        memcpy(originalHandshakeHash->data, hashes.u.raw, hashes.len);
7782    }
7783
7784    if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn))
7785	ss->ssl3.hs.ws = wait_new_session_ticket;
7786    else
7787	ss->ssl3.hs.ws = wait_change_cipher;
7788
7789    PORT_Assert(ssl3_WaitingForStartOfServerSecondRound(ss));
7790
7791    return SECSuccess;
7792
7793loser:
7794    ssl_ReleaseXmitBufLock(ss);
7795    return rv;
7796}
7797
7798/*
7799 * Routines used by servers
7800 */
7801static SECStatus
7802ssl3_SendHelloRequest(sslSocket *ss)
7803{
7804    SECStatus rv;
7805
7806    SSL_TRC(3, ("%d: SSL3[%d]: send hello_request handshake", SSL_GETPID(),
7807		ss->fd));
7808
7809    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
7810    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
7811
7812    rv = ssl3_AppendHandshakeHeader(ss, hello_request, 0);
7813    if (rv != SECSuccess) {
7814	return rv;	/* err set by AppendHandshake */
7815    }
7816    rv = ssl3_FlushHandshake(ss, 0);
7817    if (rv != SECSuccess) {
7818	return rv;	/* error code set by ssl3_FlushHandshake */
7819    }
7820    ss->ssl3.hs.ws = wait_client_hello;
7821    return SECSuccess;
7822}
7823
7824/*
7825 * Called from:
7826 *	ssl3_HandleClientHello()
7827 */
7828static SECComparison
7829ssl3_ServerNameCompare(const SECItem *name1, const SECItem *name2)
7830{
7831    if (!name1 != !name2) {
7832        return SECLessThan;
7833    }
7834    if (!name1) {
7835        return SECEqual;
7836    }
7837    if (name1->type != name2->type) {
7838        return SECLessThan;
7839    }
7840    return SECITEM_CompareItem(name1, name2);
7841}
7842
7843/* Sets memory error when returning NULL.
7844 * Called from:
7845 *	ssl3_SendClientHello()
7846 *	ssl3_HandleServerHello()
7847 *	ssl3_HandleClientHello()
7848 *	ssl3_HandleV2ClientHello()
7849 */
7850sslSessionID *
7851ssl3_NewSessionID(sslSocket *ss, PRBool is_server)
7852{
7853    sslSessionID *sid;
7854
7855    sid = PORT_ZNew(sslSessionID);
7856    if (sid == NULL)
7857    	return sid;
7858
7859    if (is_server) {
7860        const SECItem *  srvName;
7861        SECStatus        rv = SECSuccess;
7862
7863        ssl_GetSpecReadLock(ss);	/********************************/
7864        srvName = &ss->ssl3.prSpec->srvVirtName;
7865        if (srvName->len && srvName->data) {
7866            rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.srvName, srvName);
7867        }
7868        ssl_ReleaseSpecReadLock(ss); /************************************/
7869        if (rv != SECSuccess) {
7870            PORT_Free(sid);
7871            return NULL;
7872        }
7873    }
7874    sid->peerID		= (ss->peerID == NULL) ? NULL : PORT_Strdup(ss->peerID);
7875    sid->urlSvrName	= (ss->url    == NULL) ? NULL : PORT_Strdup(ss->url);
7876    sid->addr           = ss->sec.ci.peer;
7877    sid->port           = ss->sec.ci.port;
7878    sid->references     = 1;
7879    sid->cached         = never_cached;
7880    sid->version        = ss->version;
7881
7882    sid->u.ssl3.keys.resumable = PR_TRUE;
7883    sid->u.ssl3.policy         = SSL_ALLOWED;
7884    sid->u.ssl3.clientWriteKey = NULL;
7885    sid->u.ssl3.serverWriteKey = NULL;
7886
7887    if (is_server) {
7888	SECStatus rv;
7889	int       pid = SSL_GETPID();
7890
7891	sid->u.ssl3.sessionIDLength = SSL3_SESSIONID_BYTES;
7892	sid->u.ssl3.sessionID[0]    = (pid >> 8) & 0xff;
7893	sid->u.ssl3.sessionID[1]    =  pid       & 0xff;
7894	rv = PK11_GenerateRandom(sid->u.ssl3.sessionID + 2,
7895	                         SSL3_SESSIONID_BYTES -2);
7896	if (rv != SECSuccess) {
7897	    ssl_FreeSID(sid);
7898	    ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
7899	    return NULL;
7900    	}
7901    }
7902    return sid;
7903}
7904
7905/* Called from:  ssl3_HandleClientHello, ssl3_HandleV2ClientHello */
7906static SECStatus
7907ssl3_SendServerHelloSequence(sslSocket *ss)
7908{
7909    const ssl3KEADef *kea_def;
7910    SECStatus         rv;
7911
7912    SSL_TRC(3, ("%d: SSL3[%d]: begin send server_hello sequence",
7913		SSL_GETPID(), ss->fd));
7914
7915    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
7916    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
7917
7918    rv = ssl3_SendServerHello(ss);
7919    if (rv != SECSuccess) {
7920	return rv;	/* err code is set. */
7921    }
7922    rv = ssl3_SendCertificate(ss);
7923    if (rv != SECSuccess) {
7924	return rv;	/* error code is set. */
7925    }
7926    rv = ssl3_SendCertificateStatus(ss);
7927    if (rv != SECSuccess) {
7928	return rv;	/* error code is set. */
7929    }
7930    /* We have to do this after the call to ssl3_SendServerHello,
7931     * because kea_def is set up by ssl3_SendServerHello().
7932     */
7933    kea_def = ss->ssl3.hs.kea_def;
7934    ss->ssl3.hs.usedStepDownKey = PR_FALSE;
7935
7936    if (kea_def->is_limited && kea_def->exchKeyType == kt_rsa) {
7937	/* see if we can legally use the key in the cert. */
7938	int keyLen;  /* bytes */
7939
7940	keyLen = PK11_GetPrivateModulusLen(
7941			    ss->serverCerts[kea_def->exchKeyType].SERVERKEY);
7942
7943	if (keyLen > 0 &&
7944	    keyLen * BPB <= kea_def->key_size_limit ) {
7945	    /* XXX AND cert is not signing only!! */
7946	    /* just fall through and use it. */
7947	} else if (ss->stepDownKeyPair != NULL) {
7948	    ss->ssl3.hs.usedStepDownKey = PR_TRUE;
7949	    rv = ssl3_SendServerKeyExchange(ss);
7950	    if (rv != SECSuccess) {
7951		return rv;	/* err code was set. */
7952	    }
7953	} else {
7954#ifndef HACKED_EXPORT_SERVER
7955	    PORT_SetError(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED);
7956	    return rv;
7957#endif
7958	}
7959#ifdef NSS_ENABLE_ECC
7960    } else if ((kea_def->kea == kea_ecdhe_rsa) ||
7961	       (kea_def->kea == kea_ecdhe_ecdsa)) {
7962	rv = ssl3_SendServerKeyExchange(ss);
7963	if (rv != SECSuccess) {
7964	    return rv;	/* err code was set. */
7965	}
7966#endif /* NSS_ENABLE_ECC */
7967    }
7968
7969    if (ss->opt.requestCertificate) {
7970	rv = ssl3_SendCertificateRequest(ss);
7971	if (rv != SECSuccess) {
7972	    return rv;		/* err code is set. */
7973	}
7974    }
7975    rv = ssl3_SendServerHelloDone(ss);
7976    if (rv != SECSuccess) {
7977	return rv;		/* err code is set. */
7978    }
7979
7980    ss->ssl3.hs.ws = (ss->opt.requestCertificate) ? wait_client_cert
7981                                               : wait_client_key;
7982    return SECSuccess;
7983}
7984
7985/* An empty TLS Renegotiation Info (RI) extension */
7986static const PRUint8 emptyRIext[5] = {0xff, 0x01, 0x00, 0x01, 0x00};
7987
7988/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
7989 * ssl3 Client Hello message.
7990 * Caller must hold Handshake and RecvBuf locks.
7991 */
7992static SECStatus
7993ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
7994{
7995    sslSessionID *      sid      = NULL;
7996    PRInt32		tmp;
7997    unsigned int        i;
7998    int                 j;
7999    SECStatus           rv;
8000    int                 errCode  = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO;
8001    SSL3AlertDescription desc    = illegal_parameter;
8002    SSL3AlertLevel      level    = alert_fatal;
8003    SSL3ProtocolVersion version;
8004    SECItem             sidBytes = {siBuffer, NULL, 0};
8005    SECItem             cookieBytes = {siBuffer, NULL, 0};
8006    SECItem             suites   = {siBuffer, NULL, 0};
8007    SECItem             comps    = {siBuffer, NULL, 0};
8008    PRBool              haveSpecWriteLock = PR_FALSE;
8009    PRBool              haveXmitBufLock   = PR_FALSE;
8010
8011    SSL_TRC(3, ("%d: SSL3[%d]: handle client_hello handshake",
8012    	SSL_GETPID(), ss->fd));
8013
8014    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
8015    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
8016    PORT_Assert( ss->ssl3.initialized );
8017
8018    /* Get peer name of client */
8019    rv = ssl_GetPeerInfo(ss);
8020    if (rv != SECSuccess) {
8021	return rv;		/* error code is set. */
8022    }
8023
8024    /* Clearing the handshake pointers so that ssl_Do1stHandshake won't
8025     * call ssl2_HandleMessage.
8026     *
8027     * The issue here is that TLS ordinarily starts out in
8028     * ssl2_HandleV3HandshakeRecord() because of the backward-compatibility
8029     * code paths. That function zeroes these next pointers. But with DTLS,
8030     * we don't even try to do the v2 ClientHello so we skip that function
8031     * and need to reset these values here.
8032     */
8033    if (IS_DTLS(ss)) {
8034	ss->nextHandshake     = 0;
8035	ss->securityHandshake = 0;
8036    }
8037
8038    /* We might be starting session renegotiation in which case we should
8039     * clear previous state.
8040     */
8041    PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
8042    ss->statelessResume = PR_FALSE;
8043
8044    if ((ss->ssl3.hs.ws != wait_client_hello) &&
8045	(ss->ssl3.hs.ws != idle_handshake)) {
8046	desc    = unexpected_message;
8047	errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO;
8048	goto alert_loser;
8049    }
8050    if (ss->ssl3.hs.ws == idle_handshake  &&
8051        ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) {
8052	desc    = no_renegotiation;
8053	level   = alert_warning;
8054	errCode = SSL_ERROR_RENEGOTIATION_NOT_ALLOWED;
8055	goto alert_loser;
8056    }
8057
8058    if (IS_DTLS(ss)) {
8059	dtls_RehandshakeCleanup(ss);
8060    }
8061
8062    tmp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
8063    if (tmp < 0)
8064	goto loser;		/* malformed, alert already sent */
8065
8066    /* Translate the version */
8067    if (IS_DTLS(ss)) {
8068	ss->clientHelloVersion = version =
8069	    dtls_DTLSVersionToTLSVersion((SSL3ProtocolVersion)tmp);
8070    } else {
8071	ss->clientHelloVersion = version = (SSL3ProtocolVersion)tmp;
8072    }
8073
8074    rv = ssl3_NegotiateVersion(ss, version, PR_TRUE);
8075    if (rv != SECSuccess) {
8076    	desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version
8077	                                           : handshake_failure;
8078	errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
8079	goto alert_loser;
8080    }
8081
8082    rv = ssl3_InitHandshakeHashes(ss);
8083    if (rv != SECSuccess) {
8084	desc = internal_error;
8085	errCode = PORT_GetError();
8086	goto alert_loser;
8087    }
8088
8089    /* grab the client random data. */
8090    rv = ssl3_ConsumeHandshake(
8091	ss, &ss->ssl3.hs.client_random, SSL3_RANDOM_LENGTH, &b, &length);
8092    if (rv != SECSuccess) {
8093	goto loser;		/* malformed */
8094    }
8095
8096    /* grab the client's SID, if present. */
8097    rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length);
8098    if (rv != SECSuccess) {
8099	goto loser;		/* malformed */
8100    }
8101
8102    /* grab the client's cookie, if present. */
8103    if (IS_DTLS(ss)) {
8104	rv = ssl3_ConsumeHandshakeVariable(ss, &cookieBytes, 1, &b, &length);
8105	if (rv != SECSuccess) {
8106	    goto loser;		/* malformed */
8107	}
8108    }
8109
8110    /* grab the list of cipher suites. */
8111    rv = ssl3_ConsumeHandshakeVariable(ss, &suites, 2, &b, &length);
8112    if (rv != SECSuccess) {
8113	goto loser;		/* malformed */
8114    }
8115
8116    /* If the ClientHello version is less than our maximum version, check for a
8117     * TLS_FALLBACK_SCSV and reject the connection if found. */
8118    if (ss->vrange.max > ss->clientHelloVersion) {
8119	for (i = 0; i + 1 < suites.len; i += 2) {
8120	    PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1];
8121	    if (suite_i != TLS_FALLBACK_SCSV)
8122		continue;
8123	    desc = inappropriate_fallback;
8124	    errCode = SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT;
8125	    goto alert_loser;
8126	}
8127    }
8128
8129    /* grab the list of compression methods. */
8130    rv = ssl3_ConsumeHandshakeVariable(ss, &comps, 1, &b, &length);
8131    if (rv != SECSuccess) {
8132	goto loser;		/* malformed */
8133    }
8134
8135    desc = handshake_failure;
8136
8137    /* Handle TLS hello extensions for SSL3 & TLS. We do not know if
8138     * we are restarting a previous session until extensions have been
8139     * parsed, since we might have received a SessionTicket extension.
8140     * Note: we allow extensions even when negotiating SSL3 for the sake
8141     * of interoperability (and backwards compatibility).
8142     */
8143
8144    if (length) {
8145	/* Get length of hello extensions */
8146	PRInt32 extension_length;
8147	extension_length = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
8148	if (extension_length < 0) {
8149	    goto loser;				/* alert already sent */
8150	}
8151	if (extension_length != length) {
8152	    ssl3_DecodeError(ss);		/* send alert */
8153	    goto loser;
8154	}
8155	rv = ssl3_HandleHelloExtensions(ss, &b, &length);
8156	if (rv != SECSuccess) {
8157	    goto loser;		/* malformed */
8158	}
8159    }
8160    if (!ssl3_ExtensionNegotiated(ss, ssl_renegotiation_info_xtn)) {
8161    	/* If we didn't receive an RI extension, look for the SCSV,
8162	 * and if found, treat it just like an empty RI extension
8163	 * by processing a local copy of an empty RI extension.
8164	 */
8165	for (i = 0; i + 1 < suites.len; i += 2) {
8166	    PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1];
8167	    if (suite_i == TLS_EMPTY_RENEGOTIATION_INFO_SCSV) {
8168		SSL3Opaque * b2 = (SSL3Opaque *)emptyRIext;
8169		PRUint32     L2 = sizeof emptyRIext;
8170		(void)ssl3_HandleHelloExtensions(ss, &b2, &L2);
8171	    	break;
8172	    }
8173	}
8174    }
8175    if (ss->firstHsDone &&
8176        (ss->opt.enableRenegotiation == SSL_RENEGOTIATE_REQUIRES_XTN ||
8177        ss->opt.enableRenegotiation == SSL_RENEGOTIATE_TRANSITIONAL) &&
8178	!ssl3_ExtensionNegotiated(ss, ssl_renegotiation_info_xtn)) {
8179	desc    = no_renegotiation;
8180	level   = alert_warning;
8181	errCode = SSL_ERROR_RENEGOTIATION_NOT_ALLOWED;
8182	goto alert_loser;
8183    }
8184    if ((ss->opt.requireSafeNegotiation ||
8185         (ss->firstHsDone && ss->peerRequestedProtection)) &&
8186	!ssl3_ExtensionNegotiated(ss, ssl_renegotiation_info_xtn)) {
8187	desc = handshake_failure;
8188	errCode = SSL_ERROR_UNSAFE_NEGOTIATION;
8189    	goto alert_loser;
8190    }
8191
8192    /* We do stateful resumes only if either of the following
8193     * conditions are satisfied: (1) the client does not support the
8194     * session ticket extension, or (2) the client support the session
8195     * ticket extension, but sent an empty ticket.
8196     */
8197    if (!ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn) ||
8198	ss->xtnData.emptySessionTicket) {
8199	if (sidBytes.len > 0 && !ss->opt.noCache) {
8200	    SSL_TRC(7, ("%d: SSL3[%d]: server, lookup client session-id for 0x%08x%08x%08x%08x",
8201			SSL_GETPID(), ss->fd, ss->sec.ci.peer.pr_s6_addr32[0],
8202			ss->sec.ci.peer.pr_s6_addr32[1],
8203			ss->sec.ci.peer.pr_s6_addr32[2],
8204			ss->sec.ci.peer.pr_s6_addr32[3]));
8205	    if (ssl_sid_lookup) {
8206		sid = (*ssl_sid_lookup)(&ss->sec.ci.peer, sidBytes.data,
8207					sidBytes.len, ss->dbHandle);
8208	    } else {
8209		errCode = SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED;
8210		goto loser;
8211	    }
8212	}
8213    } else if (ss->statelessResume) {
8214	/* Fill in the client's session ID if doing a stateless resume.
8215	 * (When doing stateless resumes, server echos client's SessionID.)
8216	 */
8217	sid = ss->sec.ci.sid;
8218	PORT_Assert(sid != NULL);  /* Should have already been filled in.*/
8219
8220	if (sidBytes.len > 0 && sidBytes.len <= SSL3_SESSIONID_BYTES) {
8221	    sid->u.ssl3.sessionIDLength = sidBytes.len;
8222	    PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data,
8223		sidBytes.len);
8224	    sid->u.ssl3.sessionIDLength = sidBytes.len;
8225	} else {
8226	    sid->u.ssl3.sessionIDLength = 0;
8227	}
8228	ss->sec.ci.sid = NULL;
8229    }
8230
8231    /* We only send a session ticket extension if the client supports
8232     * the extension and we are unable to do either a stateful or
8233     * stateless resume.
8234     *
8235     * TODO: send a session ticket if performing a stateful
8236     * resumption.  (As per RFC4507, a server may issue a session
8237     * ticket while doing a (stateless or stateful) session resume,
8238     * but OpenSSL-0.9.8g does not accept session tickets while
8239     * resuming.)
8240     */
8241    if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn) && sid == NULL) {
8242	ssl3_RegisterServerHelloExtensionSender(ss,
8243	    ssl_session_ticket_xtn, ssl3_SendSessionTicketXtn);
8244    }
8245
8246    if (sid != NULL) {
8247	/* We've found a session cache entry for this client.
8248	 * Now, if we're going to require a client-auth cert,
8249	 * and we don't already have this client's cert in the session cache,
8250	 * and this is the first handshake on this connection (not a redo),
8251	 * then drop this old cache entry and start a new session.
8252	 */
8253	if ((sid->peerCert == NULL) && ss->opt.requestCertificate &&
8254	    ((ss->opt.requireCertificate == SSL_REQUIRE_ALWAYS) ||
8255	     (ss->opt.requireCertificate == SSL_REQUIRE_NO_ERROR) ||
8256	     ((ss->opt.requireCertificate == SSL_REQUIRE_FIRST_HANDSHAKE)
8257	      && !ss->firstHsDone))) {
8258
8259	    SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_not_ok );
8260	    if (ss->sec.uncache)
8261                ss->sec.uncache(sid);
8262	    ssl_FreeSID(sid);
8263	    sid = NULL;
8264	}
8265    }
8266
8267#ifdef NSS_ENABLE_ECC
8268    /* Disable any ECC cipher suites for which we have no cert. */
8269    ssl3_FilterECCipherSuitesByServerCerts(ss);
8270#endif
8271
8272    if (IS_DTLS(ss)) {
8273	ssl3_DisableNonDTLSSuites(ss);
8274    }
8275
8276    if (!ssl3_HasGCMSupport()) {
8277	ssl3_DisableGCMSuites(ss);
8278    }
8279
8280#ifdef PARANOID
8281    /* Look for a matching cipher suite. */
8282    j = ssl3_config_match_init(ss);
8283    if (j <= 0) {		/* no ciphers are working/supported by PK11 */
8284    	errCode = PORT_GetError();	/* error code is already set. */
8285	goto alert_loser;
8286    }
8287#endif
8288
8289    /* If we already have a session for this client, be sure to pick the
8290    ** same cipher suite and compression method we picked before.
8291    ** This is not a loop, despite appearances.
8292    */
8293    if (sid) do {
8294	ssl3CipherSuiteCfg *suite;
8295#ifdef PARANOID
8296	SSLVersionRange vrange = {ss->version, ss->version};
8297#endif
8298
8299	/* Check that the cached compression method is still enabled. */
8300	if (!compressionEnabled(ss, sid->u.ssl3.compression))
8301	    break;
8302
8303	/* Check that the cached compression method is in the client's list */
8304	for (i = 0; i < comps.len; i++) {
8305	    if (comps.data[i] == sid->u.ssl3.compression)
8306		break;
8307	}
8308	if (i == comps.len)
8309	    break;
8310
8311	suite = ss->cipherSuites;
8312	/* Find the entry for the cipher suite used in the cached session. */
8313	for (j = ssl_V3_SUITES_IMPLEMENTED; j > 0; --j, ++suite) {
8314	    if (suite->cipher_suite == sid->u.ssl3.cipherSuite)
8315		break;
8316	}
8317	PORT_Assert(j > 0);
8318	if (j <= 0)
8319	    break;
8320#ifdef PARANOID
8321	/* Double check that the cached cipher suite is still enabled,
8322	 * implemented, and allowed by policy.  Might have been disabled.
8323	 * The product policy won't change during the process lifetime.
8324	 * Implemented ("isPresent") shouldn't change for servers.
8325	 */
8326	if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange))
8327	    break;
8328#else
8329	if (!suite->enabled)
8330	    break;
8331#endif
8332	/* Double check that the cached cipher suite is in the client's list */
8333	for (i = 0; i + 1 < suites.len; i += 2) {
8334	    PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1];
8335	    if (suite_i == suite->cipher_suite) {
8336		ss->ssl3.hs.cipher_suite = suite->cipher_suite;
8337		ss->ssl3.hs.suite_def =
8338		    ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite);
8339
8340		/* Use the cached compression method. */
8341		ss->ssl3.hs.compression = sid->u.ssl3.compression;
8342		goto compression_found;
8343	    }
8344	}
8345    } while (0);
8346
8347    /* START A NEW SESSION */
8348
8349#ifndef PARANOID
8350    /* Look for a matching cipher suite. */
8351    j = ssl3_config_match_init(ss);
8352    if (j <= 0) {		/* no ciphers are working/supported by PK11 */
8353    	errCode = PORT_GetError();	/* error code is already set. */
8354	goto alert_loser;
8355    }
8356#endif
8357
8358    /* Select a cipher suite.
8359    **
8360    ** NOTE: This suite selection algorithm should be the same as the one in
8361    ** ssl3_HandleV2ClientHello().
8362    **
8363    ** If TLS 1.0 is enabled, we could handle the case where the client
8364    ** offered TLS 1.1 but offered only export cipher suites by choosing TLS
8365    ** 1.0 and selecting one of those export cipher suites. However, a secure
8366    ** TLS 1.1 client should not have export cipher suites enabled at all,
8367    ** and a TLS 1.1 client should definitely not be offering *only* export
8368    ** cipher suites. Therefore, we refuse to negotiate export cipher suites
8369    ** with any client that indicates support for TLS 1.1 or higher when we
8370    ** (the server) have TLS 1.1 support enabled.
8371    */
8372    for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
8373	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
8374	SSLVersionRange vrange = {ss->version, ss->version};
8375	if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) {
8376	    continue;
8377	}
8378	for (i = 0; i + 1 < suites.len; i += 2) {
8379	    PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1];
8380	    if (suite_i == suite->cipher_suite) {
8381		ss->ssl3.hs.cipher_suite = suite->cipher_suite;
8382		ss->ssl3.hs.suite_def =
8383		    ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite);
8384		goto suite_found;
8385	    }
8386	}
8387    }
8388    errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
8389    goto alert_loser;
8390
8391suite_found:
8392    /* Select a compression algorithm. */
8393    for (i = 0; i < comps.len; i++) {
8394	if (!compressionEnabled(ss, comps.data[i]))
8395	    continue;
8396	for (j = 0; j < compressionMethodsCount; j++) {
8397	    if (comps.data[i] == compressions[j]) {
8398		ss->ssl3.hs.compression =
8399					(SSLCompressionMethod)compressions[j];
8400		goto compression_found;
8401	    }
8402	}
8403    }
8404    errCode = SSL_ERROR_NO_COMPRESSION_OVERLAP;
8405    				/* null compression must be supported */
8406    goto alert_loser;
8407
8408compression_found:
8409    suites.data = NULL;
8410    comps.data = NULL;
8411
8412    ss->sec.send = ssl3_SendApplicationData;
8413
8414    /* If there are any failures while processing the old sid,
8415     * we don't consider them to be errors.  Instead, We just behave
8416     * as if the client had sent us no sid to begin with, and make a new one.
8417     */
8418    if (sid != NULL) do {
8419	ssl3CipherSpec *pwSpec;
8420	SECItem         wrappedMS;  	/* wrapped key */
8421
8422	if (sid->version != ss->version  ||
8423	    sid->u.ssl3.cipherSuite != ss->ssl3.hs.cipher_suite ||
8424	    sid->u.ssl3.compression != ss->ssl3.hs.compression) {
8425	    break;	/* not an error */
8426	}
8427
8428	if (ss->sec.ci.sid) {
8429	    if (ss->sec.uncache)
8430                ss->sec.uncache(ss->sec.ci.sid);
8431	    PORT_Assert(ss->sec.ci.sid != sid);  /* should be impossible, but ... */
8432	    if (ss->sec.ci.sid != sid) {
8433		ssl_FreeSID(ss->sec.ci.sid);
8434	    }
8435	    ss->sec.ci.sid = NULL;
8436	}
8437	/* we need to resurrect the master secret.... */
8438
8439	ssl_GetSpecWriteLock(ss);  haveSpecWriteLock = PR_TRUE;
8440	pwSpec = ss->ssl3.pwSpec;
8441	if (sid->u.ssl3.keys.msIsWrapped) {
8442	    PK11SymKey *    wrapKey; 	/* wrapping key */
8443	    CK_FLAGS        keyFlags      = 0;
8444#ifndef NO_PKCS11_BYPASS
8445	    if (ss->opt.bypassPKCS11) {
8446		/* we cannot restart a non-bypass session in a
8447		** bypass socket.
8448		*/
8449		break;
8450	    }
8451#endif
8452
8453	    wrapKey = getWrappingKey(ss, NULL, sid->u.ssl3.exchKeyType,
8454				     sid->u.ssl3.masterWrapMech,
8455				     ss->pkcs11PinArg);
8456	    if (!wrapKey) {
8457		/* we have a SID cache entry, but no wrapping key for it??? */
8458		break;
8459	    }
8460
8461	    if (ss->version > SSL_LIBRARY_VERSION_3_0) {	/* isTLS */
8462		keyFlags = CKF_SIGN | CKF_VERIFY;
8463	    }
8464
8465	    wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
8466	    wrappedMS.len  = sid->u.ssl3.keys.wrapped_master_secret_len;
8467
8468	    /* unwrap the master secret. */
8469	    pwSpec->master_secret =
8470		PK11_UnwrapSymKeyWithFlags(wrapKey, sid->u.ssl3.masterWrapMech,
8471			    NULL, &wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE,
8472			    CKA_DERIVE, sizeof(SSL3MasterSecret), keyFlags);
8473	    PK11_FreeSymKey(wrapKey);
8474	    if (pwSpec->master_secret == NULL) {
8475		break;	/* not an error */
8476	    }
8477#ifndef NO_PKCS11_BYPASS
8478	} else if (ss->opt.bypassPKCS11) {
8479	    wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
8480	    wrappedMS.len  = sid->u.ssl3.keys.wrapped_master_secret_len;
8481	    memcpy(pwSpec->raw_master_secret, wrappedMS.data, wrappedMS.len);
8482	    pwSpec->msItem.data = pwSpec->raw_master_secret;
8483	    pwSpec->msItem.len  = wrappedMS.len;
8484#endif
8485	} else {
8486	    /* We CAN restart a bypass session in a non-bypass socket. */
8487	    /* need to import the raw master secret to session object */
8488	    PK11SlotInfo * slot;
8489	    wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
8490	    wrappedMS.len  = sid->u.ssl3.keys.wrapped_master_secret_len;
8491	    slot = PK11_GetInternalSlot();
8492	    pwSpec->master_secret =
8493		PK11_ImportSymKey(slot, CKM_SSL3_MASTER_KEY_DERIVE,
8494				  PK11_OriginUnwrap, CKA_ENCRYPT, &wrappedMS,
8495				  NULL);
8496	    PK11_FreeSlot(slot);
8497	    if (pwSpec->master_secret == NULL) {
8498		break;	/* not an error */
8499	    }
8500	}
8501	ss->sec.ci.sid = sid;
8502	if (sid->peerCert != NULL) {
8503	    ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
8504	    ssl3_CopyPeerCertsFromSID(ss, sid);
8505	}
8506
8507	/*
8508	 * Old SID passed all tests, so resume this old session.
8509	 *
8510	 * XXX make sure compression still matches
8511	 */
8512	SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_hits );
8513	if (ss->statelessResume)
8514	    SSL_AtomicIncrementLong(& ssl3stats.hch_sid_stateless_resumes );
8515	ss->ssl3.hs.isResuming = PR_TRUE;
8516
8517        ss->sec.authAlgorithm = sid->authAlgorithm;
8518	ss->sec.authKeyBits   = sid->authKeyBits;
8519	ss->sec.keaType       = sid->keaType;
8520	ss->sec.keaKeyBits    = sid->keaKeyBits;
8521
8522	/* server sids don't remember the server cert we previously sent,
8523	** but they do remember the kea type we originally used, so we
8524	** can locate it again, provided that the current ssl socket
8525	** has had its server certs configured the same as the previous one.
8526	*/
8527	ss->sec.localCert     =
8528		CERT_DupCertificate(ss->serverCerts[sid->keaType].serverCert);
8529
8530        /* Copy cached name in to pending spec */
8531        if (sid != NULL &&
8532            sid->version > SSL_LIBRARY_VERSION_3_0 &&
8533            sid->u.ssl3.srvName.len && sid->u.ssl3.srvName.data) {
8534            /* Set server name from sid */
8535            SECItem *sidName = &sid->u.ssl3.srvName;
8536            SECItem *pwsName = &ss->ssl3.pwSpec->srvVirtName;
8537            if (pwsName->data) {
8538                SECITEM_FreeItem(pwsName, PR_FALSE);
8539            }
8540            rv = SECITEM_CopyItem(NULL, pwsName, sidName);
8541            if (rv != SECSuccess) {
8542                errCode = PORT_GetError();
8543                desc = internal_error;
8544                goto alert_loser;
8545            }
8546        }
8547
8548        /* Clean up sni name array */
8549        if (ssl3_ExtensionNegotiated(ss, ssl_server_name_xtn) &&
8550            ss->xtnData.sniNameArr) {
8551            PORT_Free(ss->xtnData.sniNameArr);
8552            ss->xtnData.sniNameArr = NULL;
8553            ss->xtnData.sniNameArrSize = 0;
8554        }
8555
8556	ssl_GetXmitBufLock(ss); haveXmitBufLock = PR_TRUE;
8557
8558	rv = ssl3_SendServerHello(ss);
8559	if (rv != SECSuccess) {
8560	    errCode = PORT_GetError();
8561	    goto loser;
8562	}
8563
8564	if (haveSpecWriteLock) {
8565	    ssl_ReleaseSpecWriteLock(ss);
8566	    haveSpecWriteLock = PR_FALSE;
8567	}
8568
8569	/* NULL value for PMS signifies re-use of the old MS */
8570	rv = ssl3_InitPendingCipherSpec(ss,  NULL);
8571	if (rv != SECSuccess) {
8572	    errCode = PORT_GetError();
8573	    goto loser;
8574	}
8575
8576	rv = ssl3_SendChangeCipherSpecs(ss);
8577	if (rv != SECSuccess) {
8578	    errCode = PORT_GetError();
8579	    goto loser;
8580	}
8581	rv = ssl3_SendFinished(ss, 0);
8582	ss->ssl3.hs.ws = wait_change_cipher;
8583	if (rv != SECSuccess) {
8584	    errCode = PORT_GetError();
8585	    goto loser;
8586	}
8587
8588	if (haveXmitBufLock) {
8589	    ssl_ReleaseXmitBufLock(ss);
8590	    haveXmitBufLock = PR_FALSE;
8591	}
8592
8593        return SECSuccess;
8594    } while (0);
8595
8596    if (haveSpecWriteLock) {
8597	ssl_ReleaseSpecWriteLock(ss);
8598	haveSpecWriteLock = PR_FALSE;
8599    }
8600
8601    if (sid) { 	/* we had a sid, but it's no longer valid, free it */
8602	SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_not_ok );
8603	if (ss->sec.uncache)
8604            ss->sec.uncache(sid);
8605	ssl_FreeSID(sid);
8606	sid = NULL;
8607    }
8608    SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_misses );
8609
8610    if (ssl3_ExtensionNegotiated(ss, ssl_server_name_xtn)) {
8611        int ret = 0;
8612        if (ss->sniSocketConfig) do { /* not a loop */
8613            ret = SSL_SNI_SEND_ALERT;
8614            /* If extension is negotiated, the len of names should > 0. */
8615            if (ss->xtnData.sniNameArrSize) {
8616                /* Calling client callback to reconfigure the socket. */
8617                ret = (SECStatus)(*ss->sniSocketConfig)(ss->fd,
8618                                         ss->xtnData.sniNameArr,
8619                                      ss->xtnData.sniNameArrSize,
8620                                          ss->sniSocketConfigArg);
8621            }
8622            if (ret <= SSL_SNI_SEND_ALERT) {
8623                /* Application does not know the name or was not able to
8624                 * properly reconfigure the socket. */
8625                errCode = SSL_ERROR_UNRECOGNIZED_NAME_ALERT;
8626                desc = unrecognized_name;
8627                break;
8628            } else if (ret == SSL_SNI_CURRENT_CONFIG_IS_USED) {
8629                SECStatus       rv = SECSuccess;
8630                SECItem *       cwsName, *pwsName;
8631
8632                ssl_GetSpecWriteLock(ss);  /*******************************/
8633                pwsName = &ss->ssl3.pwSpec->srvVirtName;
8634                cwsName = &ss->ssl3.cwSpec->srvVirtName;
8635#ifndef SSL_SNI_ALLOW_NAME_CHANGE_2HS
8636                /* not allow name change on the 2d HS */
8637                if (ss->firstHsDone) {
8638                    if (ssl3_ServerNameCompare(pwsName, cwsName)) {
8639                        ssl_ReleaseSpecWriteLock(ss);  /******************/
8640                        errCode = SSL_ERROR_UNRECOGNIZED_NAME_ALERT;
8641                        desc = handshake_failure;
8642                        ret = SSL_SNI_SEND_ALERT;
8643                        break;
8644                    }
8645                }
8646#endif
8647                if (pwsName->data) {
8648                    SECITEM_FreeItem(pwsName, PR_FALSE);
8649                }
8650                if (cwsName->data) {
8651                    rv = SECITEM_CopyItem(NULL, pwsName, cwsName);
8652                }
8653                ssl_ReleaseSpecWriteLock(ss);  /**************************/
8654                if (rv != SECSuccess) {
8655                    errCode = SSL_ERROR_INTERNAL_ERROR_ALERT;
8656                    desc = internal_error;
8657                    ret = SSL_SNI_SEND_ALERT;
8658                    break;
8659                }
8660            } else if (ret < ss->xtnData.sniNameArrSize) {
8661                /* Application has configured new socket info. Lets check it
8662                 * and save the name. */
8663                SECStatus       rv;
8664                SECItem *       name = &ss->xtnData.sniNameArr[ret];
8665                int             configedCiphers;
8666                SECItem *       pwsName;
8667
8668                /* get rid of the old name and save the newly picked. */
8669                /* This code is protected by ssl3HandshakeLock. */
8670                ssl_GetSpecWriteLock(ss);  /*******************************/
8671#ifndef SSL_SNI_ALLOW_NAME_CHANGE_2HS
8672                /* not allow name change on the 2d HS */
8673                if (ss->firstHsDone) {
8674                    SECItem *cwsName = &ss->ssl3.cwSpec->srvVirtName;
8675                    if (ssl3_ServerNameCompare(name, cwsName)) {
8676                        ssl_ReleaseSpecWriteLock(ss);  /******************/
8677                        errCode = SSL_ERROR_UNRECOGNIZED_NAME_ALERT;
8678                        desc = handshake_failure;
8679                        ret = SSL_SNI_SEND_ALERT;
8680                        break;
8681                    }
8682                }
8683#endif
8684                pwsName = &ss->ssl3.pwSpec->srvVirtName;
8685                if (pwsName->data) {
8686                    SECITEM_FreeItem(pwsName, PR_FALSE);
8687                }
8688                rv = SECITEM_CopyItem(NULL, pwsName, name);
8689                ssl_ReleaseSpecWriteLock(ss);  /***************************/
8690                if (rv != SECSuccess) {
8691                    errCode = SSL_ERROR_INTERNAL_ERROR_ALERT;
8692                    desc = internal_error;
8693                    ret = SSL_SNI_SEND_ALERT;
8694                    break;
8695                }
8696                configedCiphers = ssl3_config_match_init(ss);
8697                if (configedCiphers <= 0) {
8698                    /* no ciphers are working/supported */
8699                    errCode = PORT_GetError();
8700                    desc = handshake_failure;
8701                    ret = SSL_SNI_SEND_ALERT;
8702                    break;
8703                }
8704                /* Need to tell the client that application has picked
8705                 * the name from the offered list and reconfigured the socket.
8706                 */
8707                ssl3_RegisterServerHelloExtensionSender(ss, ssl_server_name_xtn,
8708                                                        ssl3_SendServerNameXtn);
8709            } else {
8710                /* Callback returned index outside of the boundary. */
8711                PORT_Assert(ret < ss->xtnData.sniNameArrSize);
8712                errCode = SSL_ERROR_INTERNAL_ERROR_ALERT;
8713                desc = internal_error;
8714                ret = SSL_SNI_SEND_ALERT;
8715                break;
8716            }
8717        } while (0);
8718        /* Free sniNameArr. The data that each SECItem in the array
8719         * points into is the data from the input buffer "b". It will
8720         * not be available outside the scope of this or it's child
8721         * functions.*/
8722        if (ss->xtnData.sniNameArr) {
8723            PORT_Free(ss->xtnData.sniNameArr);
8724            ss->xtnData.sniNameArr = NULL;
8725            ss->xtnData.sniNameArrSize = 0;
8726        }
8727        if (ret <= SSL_SNI_SEND_ALERT) {
8728            /* desc and errCode should be set. */
8729            goto alert_loser;
8730        }
8731    }
8732#ifndef SSL_SNI_ALLOW_NAME_CHANGE_2HS
8733    else if (ss->firstHsDone) {
8734        /* Check that we don't have the name is current spec
8735         * if this extension was not negotiated on the 2d hs. */
8736        PRBool passed = PR_TRUE;
8737        ssl_GetSpecReadLock(ss);  /*******************************/
8738        if (ss->ssl3.cwSpec->srvVirtName.data) {
8739            passed = PR_FALSE;
8740        }
8741        ssl_ReleaseSpecReadLock(ss);  /***************************/
8742        if (!passed) {
8743            errCode = SSL_ERROR_UNRECOGNIZED_NAME_ALERT;
8744            desc = handshake_failure;
8745            goto alert_loser;
8746        }
8747    }
8748#endif
8749
8750    sid = ssl3_NewSessionID(ss, PR_TRUE);
8751    if (sid == NULL) {
8752	errCode = PORT_GetError();
8753	goto loser;	/* memory error is set. */
8754    }
8755    ss->sec.ci.sid = sid;
8756
8757    ss->ssl3.hs.isResuming = PR_FALSE;
8758    ssl_GetXmitBufLock(ss);
8759    rv = ssl3_SendServerHelloSequence(ss);
8760    ssl_ReleaseXmitBufLock(ss);
8761    if (rv != SECSuccess) {
8762	errCode = PORT_GetError();
8763	goto loser;
8764    }
8765
8766    if (haveXmitBufLock) {
8767	ssl_ReleaseXmitBufLock(ss);
8768	haveXmitBufLock = PR_FALSE;
8769    }
8770
8771    return SECSuccess;
8772
8773alert_loser:
8774    if (haveSpecWriteLock) {
8775	ssl_ReleaseSpecWriteLock(ss);
8776	haveSpecWriteLock = PR_FALSE;
8777    }
8778    (void)SSL3_SendAlert(ss, level, desc);
8779    /* FALLTHRU */
8780loser:
8781    if (haveSpecWriteLock) {
8782	ssl_ReleaseSpecWriteLock(ss);
8783	haveSpecWriteLock = PR_FALSE;
8784    }
8785
8786    if (haveXmitBufLock) {
8787	ssl_ReleaseXmitBufLock(ss);
8788	haveXmitBufLock = PR_FALSE;
8789    }
8790
8791    PORT_SetError(errCode);
8792    return SECFailure;
8793}
8794
8795/*
8796 * ssl3_HandleV2ClientHello is used when a V2 formatted hello comes
8797 * in asking to use the V3 handshake.
8798 * Called from ssl2_HandleClientHelloMessage() in sslcon.c
8799 */
8800SECStatus
8801ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buffer, int length)
8802{
8803    sslSessionID *      sid 		= NULL;
8804    unsigned char *     suites;
8805    unsigned char *     random;
8806    SSL3ProtocolVersion version;
8807    SECStatus           rv;
8808    int                 i;
8809    int                 j;
8810    int                 sid_length;
8811    int                 suite_length;
8812    int                 rand_length;
8813    int                 errCode  = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO;
8814    SSL3AlertDescription desc    = handshake_failure;
8815
8816    SSL_TRC(3, ("%d: SSL3[%d]: handle v2 client_hello", SSL_GETPID(), ss->fd));
8817
8818    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
8819
8820    ssl_GetSSL3HandshakeLock(ss);
8821
8822    PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
8823
8824    rv = ssl3_InitState(ss);
8825    if (rv != SECSuccess) {
8826	ssl_ReleaseSSL3HandshakeLock(ss);
8827	return rv;		/* ssl3_InitState has set the error code. */
8828    }
8829    rv = ssl3_RestartHandshakeHashes(ss);
8830    if (rv != SECSuccess) {
8831	ssl_ReleaseSSL3HandshakeLock(ss);
8832	return rv;
8833    }
8834
8835    if (ss->ssl3.hs.ws != wait_client_hello) {
8836	desc    = unexpected_message;
8837	errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO;
8838	goto loser;	/* alert_loser */
8839    }
8840
8841    version      = (buffer[1] << 8) | buffer[2];
8842    suite_length = (buffer[3] << 8) | buffer[4];
8843    sid_length   = (buffer[5] << 8) | buffer[6];
8844    rand_length  = (buffer[7] << 8) | buffer[8];
8845    ss->clientHelloVersion = version;
8846
8847    rv = ssl3_NegotiateVersion(ss, version, PR_TRUE);
8848    if (rv != SECSuccess) {
8849	/* send back which ever alert client will understand. */
8850    	desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version : handshake_failure;
8851	errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
8852	goto alert_loser;
8853    }
8854
8855    rv = ssl3_InitHandshakeHashes(ss);
8856    if (rv != SECSuccess) {
8857	desc = internal_error;
8858	errCode = PORT_GetError();
8859	goto alert_loser;
8860    }
8861
8862    /* if we get a non-zero SID, just ignore it. */
8863    if (length !=
8864        SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length + rand_length) {
8865	SSL_DBG(("%d: SSL3[%d]: bad v2 client hello message, len=%d should=%d",
8866		 SSL_GETPID(), ss->fd, length,
8867		 SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length +
8868		 rand_length));
8869	goto loser;	/* malformed */	/* alert_loser */
8870    }
8871
8872    suites = buffer + SSL_HL_CLIENT_HELLO_HBYTES;
8873    random = suites + suite_length + sid_length;
8874
8875    if (rand_length < SSL_MIN_CHALLENGE_BYTES ||
8876	rand_length > SSL_MAX_CHALLENGE_BYTES) {
8877	goto loser;	/* malformed */	/* alert_loser */
8878    }
8879
8880    PORT_Assert(SSL_MAX_CHALLENGE_BYTES == SSL3_RANDOM_LENGTH);
8881
8882    PORT_Memset(&ss->ssl3.hs.client_random, 0, SSL3_RANDOM_LENGTH);
8883    PORT_Memcpy(
8884	&ss->ssl3.hs.client_random.rand[SSL3_RANDOM_LENGTH - rand_length],
8885	random, rand_length);
8886
8887    PRINT_BUF(60, (ss, "client random:", &ss->ssl3.hs.client_random.rand[0],
8888		   SSL3_RANDOM_LENGTH));
8889#ifdef NSS_ENABLE_ECC
8890    /* Disable any ECC cipher suites for which we have no cert. */
8891    ssl3_FilterECCipherSuitesByServerCerts(ss);
8892#endif
8893    i = ssl3_config_match_init(ss);
8894    if (i <= 0) {
8895    	errCode = PORT_GetError();	/* error code is already set. */
8896	goto alert_loser;
8897    }
8898
8899    /* Select a cipher suite.
8900    **
8901    ** NOTE: This suite selection algorithm should be the same as the one in
8902    ** ssl3_HandleClientHello().
8903    **
8904    ** See the comments about export cipher suites in ssl3_HandleClientHello().
8905    */
8906    for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
8907	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
8908	SSLVersionRange vrange = {ss->version, ss->version};
8909	if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) {
8910	    continue;
8911	}
8912	for (i = 0; i+2 < suite_length; i += 3) {
8913	    PRUint32 suite_i = (suites[i] << 16)|(suites[i+1] << 8)|suites[i+2];
8914	    if (suite_i == suite->cipher_suite) {
8915		ss->ssl3.hs.cipher_suite = suite->cipher_suite;
8916		ss->ssl3.hs.suite_def =
8917		    ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite);
8918		goto suite_found;
8919	    }
8920	}
8921    }
8922    errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
8923    goto alert_loser;
8924
8925suite_found:
8926
8927    /* Look for the SCSV, and if found, treat it just like an empty RI
8928     * extension by processing a local copy of an empty RI extension.
8929     */
8930    for (i = 0; i+2 < suite_length; i += 3) {
8931	PRUint32 suite_i = (suites[i] << 16) | (suites[i+1] << 8) | suites[i+2];
8932	if (suite_i == TLS_EMPTY_RENEGOTIATION_INFO_SCSV) {
8933	    SSL3Opaque * b2 = (SSL3Opaque *)emptyRIext;
8934	    PRUint32     L2 = sizeof emptyRIext;
8935	    (void)ssl3_HandleHelloExtensions(ss, &b2, &L2);
8936	    break;
8937	}
8938    }
8939
8940    if (ss->opt.requireSafeNegotiation &&
8941	!ssl3_ExtensionNegotiated(ss, ssl_renegotiation_info_xtn)) {
8942	desc = handshake_failure;
8943	errCode = SSL_ERROR_UNSAFE_NEGOTIATION;
8944    	goto alert_loser;
8945    }
8946
8947    ss->ssl3.hs.compression = ssl_compression_null;
8948    ss->sec.send            = ssl3_SendApplicationData;
8949
8950    /* we don't even search for a cache hit here.  It's just a miss. */
8951    SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_misses );
8952    sid = ssl3_NewSessionID(ss, PR_TRUE);
8953    if (sid == NULL) {
8954    	errCode = PORT_GetError();
8955	goto loser;	/* memory error is set. */
8956    }
8957    ss->sec.ci.sid = sid;
8958    /* do not worry about memory leak of sid since it now belongs to ci */
8959
8960    /* We have to update the handshake hashes before we can send stuff */
8961    rv = ssl3_UpdateHandshakeHashes(ss, buffer, length);
8962    if (rv != SECSuccess) {
8963    	errCode = PORT_GetError();
8964	goto loser;
8965    }
8966
8967    ssl_GetXmitBufLock(ss);
8968    rv = ssl3_SendServerHelloSequence(ss);
8969    ssl_ReleaseXmitBufLock(ss);
8970    if (rv != SECSuccess) {
8971    	errCode = PORT_GetError();
8972	goto loser;
8973    }
8974
8975    /* XXX_1 	The call stack to here is:
8976     * ssl_Do1stHandshake -> ssl2_HandleClientHelloMessage -> here.
8977     * ssl2_HandleClientHelloMessage returns whatever we return here.
8978     * ssl_Do1stHandshake will continue looping if it gets back either
8979     *		SECSuccess or SECWouldBlock.
8980     * SECSuccess is preferable here.  See XXX_1 in sslgathr.c.
8981     */
8982    ssl_ReleaseSSL3HandshakeLock(ss);
8983    return SECSuccess;
8984
8985alert_loser:
8986    SSL3_SendAlert(ss, alert_fatal, desc);
8987loser:
8988    ssl_ReleaseSSL3HandshakeLock(ss);
8989    PORT_SetError(errCode);
8990    return SECFailure;
8991}
8992
8993/* The negotiated version number has been already placed in ss->version.
8994**
8995** Called from:  ssl3_HandleClientHello                     (resuming session),
8996** 	ssl3_SendServerHelloSequence <- ssl3_HandleClientHello   (new session),
8997** 	ssl3_SendServerHelloSequence <- ssl3_HandleV2ClientHello (new session)
8998*/
8999static SECStatus
9000ssl3_SendServerHello(sslSocket *ss)
9001{
9002    sslSessionID *sid;
9003    SECStatus     rv;
9004    PRUint32      maxBytes = 65535;
9005    PRUint32      length;
9006    PRInt32       extensions_len = 0;
9007    SSL3ProtocolVersion version;
9008
9009    SSL_TRC(3, ("%d: SSL3[%d]: send server_hello handshake", SSL_GETPID(),
9010		ss->fd));
9011
9012    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
9013    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
9014
9015    if (!IS_DTLS(ss)) {
9016	PORT_Assert(MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_3_0));
9017
9018	if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_3_0)) {
9019	    PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
9020	    return SECFailure;
9021	}
9022    } else {
9023	PORT_Assert(MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_DTLS_1_0));
9024
9025	if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_DTLS_1_0)) {
9026	    PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
9027	    return SECFailure;
9028	}
9029    }
9030
9031    sid = ss->sec.ci.sid;
9032
9033    extensions_len = ssl3_CallHelloExtensionSenders(ss, PR_FALSE, maxBytes,
9034					       &ss->xtnData.serverSenders[0]);
9035    if (extensions_len > 0)
9036    	extensions_len += 2; /* Add sizeof total extension length */
9037
9038    length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH + 1 +
9039             ((sid == NULL) ? 0: sid->u.ssl3.sessionIDLength) +
9040	     sizeof(ssl3CipherSuite) + 1 + extensions_len;
9041    rv = ssl3_AppendHandshakeHeader(ss, server_hello, length);
9042    if (rv != SECSuccess) {
9043	return rv;	/* err set by AppendHandshake. */
9044    }
9045
9046    if (IS_DTLS(ss)) {
9047	version = dtls_TLSVersionToDTLSVersion(ss->version);
9048    } else {
9049	version = ss->version;
9050    }
9051
9052    rv = ssl3_AppendHandshakeNumber(ss, version, 2);
9053    if (rv != SECSuccess) {
9054	return rv;	/* err set by AppendHandshake. */
9055    }
9056    rv = ssl3_GetNewRandom(&ss->ssl3.hs.server_random);
9057    if (rv != SECSuccess) {
9058	ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
9059	return rv;
9060    }
9061    rv = ssl3_AppendHandshake(
9062	ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH);
9063    if (rv != SECSuccess) {
9064	return rv;	/* err set by AppendHandshake. */
9065    }
9066
9067    if (sid)
9068	rv = ssl3_AppendHandshakeVariable(
9069	    ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1);
9070    else
9071	rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
9072    if (rv != SECSuccess) {
9073	return rv;	/* err set by AppendHandshake. */
9074    }
9075
9076    rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.cipher_suite, 2);
9077    if (rv != SECSuccess) {
9078	return rv;	/* err set by AppendHandshake. */
9079    }
9080    rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.compression, 1);
9081    if (rv != SECSuccess) {
9082	return rv;	/* err set by AppendHandshake. */
9083    }
9084    if (extensions_len) {
9085	PRInt32 sent_len;
9086
9087    	extensions_len -= 2;
9088	rv = ssl3_AppendHandshakeNumber(ss, extensions_len, 2);
9089	if (rv != SECSuccess)
9090	    return rv;	/* err set by ssl3_SetupPendingCipherSpec */
9091	sent_len = ssl3_CallHelloExtensionSenders(ss, PR_TRUE, extensions_len,
9092					   &ss->xtnData.serverSenders[0]);
9093        PORT_Assert(sent_len == extensions_len);
9094	if (sent_len != extensions_len) {
9095	    if (sent_len >= 0)
9096	    	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
9097	    return SECFailure;
9098	}
9099    }
9100    rv = ssl3_SetupPendingCipherSpec(ss);
9101    if (rv != SECSuccess) {
9102	return rv;	/* err set by ssl3_SetupPendingCipherSpec */
9103    }
9104
9105    return SECSuccess;
9106}
9107
9108/* ssl3_PickSignatureHashAlgorithm selects a hash algorithm to use when signing
9109 * elements of the handshake. (The negotiated cipher suite determines the
9110 * signature algorithm.) Prior to TLS 1.2, the MD5/SHA1 combination is always
9111 * used. With TLS 1.2, a client may advertise its support for signature and
9112 * hash combinations. */
9113static SECStatus
9114ssl3_PickSignatureHashAlgorithm(sslSocket *ss,
9115				SSL3SignatureAndHashAlgorithm* out)
9116{
9117    TLSSignatureAlgorithm sigAlg;
9118    unsigned int i, j;
9119    /* hashPreference expresses our preferences for hash algorithms, most
9120     * preferable first. */
9121    static const PRUint8 hashPreference[] = {
9122	tls_hash_sha256,
9123	tls_hash_sha384,
9124	tls_hash_sha512,
9125	tls_hash_sha1,
9126    };
9127
9128    switch (ss->ssl3.hs.kea_def->kea) {
9129    case kea_rsa:
9130    case kea_rsa_export:
9131    case kea_rsa_export_1024:
9132    case kea_dh_rsa:
9133    case kea_dh_rsa_export:
9134    case kea_dhe_rsa:
9135    case kea_dhe_rsa_export:
9136    case kea_rsa_fips:
9137    case kea_ecdh_rsa:
9138    case kea_ecdhe_rsa:
9139	sigAlg = tls_sig_rsa;
9140	break;
9141    case kea_dh_dss:
9142    case kea_dh_dss_export:
9143    case kea_dhe_dss:
9144    case kea_dhe_dss_export:
9145	sigAlg = tls_sig_dsa;
9146	break;
9147    case kea_ecdh_ecdsa:
9148    case kea_ecdhe_ecdsa:
9149	sigAlg = tls_sig_ecdsa;
9150	break;
9151    default:
9152	PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
9153	return SECFailure;
9154    }
9155    out->sigAlg = sigAlg;
9156
9157    if (ss->version <= SSL_LIBRARY_VERSION_TLS_1_1) {
9158	/* SEC_OID_UNKNOWN means the MD5/SHA1 combo hash used in TLS 1.1 and
9159	 * prior. */
9160	out->hashAlg = SEC_OID_UNKNOWN;
9161	return SECSuccess;
9162    }
9163
9164    if (ss->ssl3.hs.numClientSigAndHash == 0) {
9165	/* If the client didn't provide any signature_algorithms extension then
9166	 * we can assume that they support SHA-1:
9167	 * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
9168	out->hashAlg = SEC_OID_SHA1;
9169	return SECSuccess;
9170    }
9171
9172    for (i = 0; i < PR_ARRAY_SIZE(hashPreference); i++) {
9173	for (j = 0; j < ss->ssl3.hs.numClientSigAndHash; j++) {
9174	    const SSL3SignatureAndHashAlgorithm* sh =
9175		&ss->ssl3.hs.clientSigAndHash[j];
9176	    if (sh->sigAlg == sigAlg && sh->hashAlg == hashPreference[i]) {
9177		out->hashAlg = sh->hashAlg;
9178		return SECSuccess;
9179	    }
9180	}
9181    }
9182
9183    PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
9184    return SECFailure;
9185}
9186
9187
9188static SECStatus
9189ssl3_SendServerKeyExchange(sslSocket *ss)
9190{
9191    const ssl3KEADef * kea_def     = ss->ssl3.hs.kea_def;
9192    SECStatus          rv          = SECFailure;
9193    int                length;
9194    PRBool             isTLS;
9195    SECItem            signed_hash = {siBuffer, NULL, 0};
9196    SSL3Hashes         hashes;
9197    SECKEYPublicKey *  sdPub;	/* public key for step-down */
9198    SSL3SignatureAndHashAlgorithm sigAndHash;
9199
9200    SSL_TRC(3, ("%d: SSL3[%d]: send server_key_exchange handshake",
9201		SSL_GETPID(), ss->fd));
9202
9203    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
9204    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
9205
9206    if (ssl3_PickSignatureHashAlgorithm(ss, &sigAndHash) != SECSuccess) {
9207	return SECFailure;
9208    }
9209
9210    switch (kea_def->exchKeyType) {
9211    case kt_rsa:
9212	/* Perform SSL Step-Down here. */
9213	sdPub = ss->stepDownKeyPair->pubKey;
9214	PORT_Assert(sdPub != NULL);
9215	if (!sdPub) {
9216	    PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
9217	    return SECFailure;
9218	}
9219	rv = ssl3_ComputeExportRSAKeyHash(sigAndHash.hashAlg,
9220					  sdPub->u.rsa.modulus,
9221					  sdPub->u.rsa.publicExponent,
9222	                                  &ss->ssl3.hs.client_random,
9223	                                  &ss->ssl3.hs.server_random,
9224					  &hashes, ss->opt.bypassPKCS11);
9225        if (rv != SECSuccess) {
9226	    ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
9227	    return rv;
9228	}
9229
9230	isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
9231	rv = ssl3_SignHashes(&hashes, ss->serverCerts[kt_rsa].SERVERKEY,
9232	                     &signed_hash, isTLS);
9233        if (rv != SECSuccess) {
9234	    goto loser;		/* ssl3_SignHashes has set err. */
9235	}
9236	if (signed_hash.data == NULL) {
9237	    /* how can this happen and rv == SECSuccess ?? */
9238	    PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
9239	    goto loser;
9240	}
9241	length = 2 + sdPub->u.rsa.modulus.len +
9242	         2 + sdPub->u.rsa.publicExponent.len +
9243	         2 + signed_hash.len;
9244
9245	rv = ssl3_AppendHandshakeHeader(ss, server_key_exchange, length);
9246	if (rv != SECSuccess) {
9247	    goto loser; 	/* err set by AppendHandshake. */
9248	}
9249
9250	rv = ssl3_AppendHandshakeVariable(ss, sdPub->u.rsa.modulus.data,
9251					  sdPub->u.rsa.modulus.len, 2);
9252	if (rv != SECSuccess) {
9253	    goto loser; 	/* err set by AppendHandshake. */
9254	}
9255
9256	rv = ssl3_AppendHandshakeVariable(
9257				ss, sdPub->u.rsa.publicExponent.data,
9258				sdPub->u.rsa.publicExponent.len, 2);
9259	if (rv != SECSuccess) {
9260	    goto loser; 	/* err set by AppendHandshake. */
9261	}
9262
9263	if (ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
9264	    rv = ssl3_AppendSignatureAndHashAlgorithm(ss, &sigAndHash);
9265	    if (rv != SECSuccess) {
9266		goto loser; 	/* err set by AppendHandshake. */
9267	    }
9268	}
9269
9270	rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data,
9271	                                  signed_hash.len, 2);
9272	if (rv != SECSuccess) {
9273	    goto loser; 	/* err set by AppendHandshake. */
9274	}
9275	PORT_Free(signed_hash.data);
9276	return SECSuccess;
9277
9278#ifdef NSS_ENABLE_ECC
9279    case kt_ecdh: {
9280	rv = ssl3_SendECDHServerKeyExchange(ss, &sigAndHash);
9281	return rv;
9282    }
9283#endif /* NSS_ENABLE_ECC */
9284
9285    case kt_dh:
9286    case kt_null:
9287    default:
9288	PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
9289	break;
9290    }
9291loser:
9292    if (signed_hash.data != NULL)
9293    	PORT_Free(signed_hash.data);
9294    return SECFailure;
9295}
9296
9297
9298static SECStatus
9299ssl3_SendCertificateRequest(sslSocket *ss)
9300{
9301    PRBool         isTLS12;
9302    SECItem *      name;
9303    CERTDistNames *ca_list;
9304    const PRUint8 *certTypes;
9305    const PRUint8 *sigAlgs;
9306    SECItem *      names	= NULL;
9307    SECStatus      rv;
9308    int            length;
9309    int            i;
9310    int            calen	= 0;
9311    int            nnames	= 0;
9312    int            certTypesLength;
9313    int            sigAlgsLength;
9314
9315    SSL_TRC(3, ("%d: SSL3[%d]: send certificate_request handshake",
9316		SSL_GETPID(), ss->fd));
9317
9318    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
9319    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
9320
9321    isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
9322
9323    /* ssl3.ca_list is initialized to NULL, and never changed. */
9324    ca_list = ss->ssl3.ca_list;
9325    if (!ca_list) {
9326	ca_list = ssl3_server_ca_list;
9327    }
9328
9329    if (ca_list != NULL) {
9330	names = ca_list->names;
9331	nnames = ca_list->nnames;
9332    }
9333
9334    for (i = 0, name = names; i < nnames; i++, name++) {
9335	calen += 2 + name->len;
9336    }
9337
9338    certTypes       = certificate_types;
9339    certTypesLength = sizeof certificate_types;
9340    sigAlgs         = supported_signature_algorithms;
9341    sigAlgsLength   = sizeof supported_signature_algorithms;
9342
9343    length = 1 + certTypesLength + 2 + calen;
9344    if (isTLS12) {
9345	length += 2 + sigAlgsLength;
9346    }
9347
9348    rv = ssl3_AppendHandshakeHeader(ss, certificate_request, length);
9349    if (rv != SECSuccess) {
9350	return rv; 		/* err set by AppendHandshake. */
9351    }
9352    rv = ssl3_AppendHandshakeVariable(ss, certTypes, certTypesLength, 1);
9353    if (rv != SECSuccess) {
9354	return rv; 		/* err set by AppendHandshake. */
9355    }
9356    if (isTLS12) {
9357	rv = ssl3_AppendHandshakeVariable(ss, sigAlgs, sigAlgsLength, 2);
9358	if (rv != SECSuccess) {
9359	    return rv; 		/* err set by AppendHandshake. */
9360	}
9361    }
9362    rv = ssl3_AppendHandshakeNumber(ss, calen, 2);
9363    if (rv != SECSuccess) {
9364	return rv; 		/* err set by AppendHandshake. */
9365    }
9366    for (i = 0, name = names; i < nnames; i++, name++) {
9367	rv = ssl3_AppendHandshakeVariable(ss, name->data, name->len, 2);
9368	if (rv != SECSuccess) {
9369	    return rv; 		/* err set by AppendHandshake. */
9370	}
9371    }
9372
9373    return SECSuccess;
9374}
9375
9376static SECStatus
9377ssl3_SendServerHelloDone(sslSocket *ss)
9378{
9379    SECStatus rv;
9380
9381    SSL_TRC(3, ("%d: SSL3[%d]: send server_hello_done handshake",
9382		SSL_GETPID(), ss->fd));
9383
9384    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
9385    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
9386
9387    rv = ssl3_AppendHandshakeHeader(ss, server_hello_done, 0);
9388    if (rv != SECSuccess) {
9389	return rv; 		/* err set by AppendHandshake. */
9390    }
9391    rv = ssl3_FlushHandshake(ss, 0);
9392    if (rv != SECSuccess) {
9393	return rv;	/* error code set by ssl3_FlushHandshake */
9394    }
9395    return SECSuccess;
9396}
9397
9398/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
9399 * ssl3 Certificate Verify message
9400 * Caller must hold Handshake and RecvBuf locks.
9401 */
9402static SECStatus
9403ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
9404			     SSL3Hashes *hashes)
9405{
9406    SECItem              signed_hash = {siBuffer, NULL, 0};
9407    SECStatus            rv;
9408    int                  errCode     = SSL_ERROR_RX_MALFORMED_CERT_VERIFY;
9409    SSL3AlertDescription desc        = handshake_failure;
9410    PRBool               isTLS, isTLS12;
9411    SSL3SignatureAndHashAlgorithm sigAndHash;
9412
9413    SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_verify handshake",
9414		SSL_GETPID(), ss->fd));
9415    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
9416    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
9417
9418    isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
9419    isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
9420
9421    if (ss->ssl3.hs.ws != wait_cert_verify || ss->sec.peerCert == NULL) {
9422	desc    = unexpected_message;
9423	errCode = SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY;
9424	goto alert_loser;
9425    }
9426
9427    if (isTLS12) {
9428	rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length,
9429						   &sigAndHash);
9430	if (rv != SECSuccess) {
9431	    goto loser;	/* malformed or unsupported. */
9432	}
9433	rv = ssl3_CheckSignatureAndHashAlgorithmConsistency(
9434		&sigAndHash, ss->sec.peerCert);
9435	if (rv != SECSuccess) {
9436	    errCode = PORT_GetError();
9437	    desc = decrypt_error;
9438	    goto alert_loser;
9439	}
9440
9441	/* We only support CertificateVerify messages that use the handshake
9442	 * hash. */
9443	if (sigAndHash.hashAlg != hashes->hashAlg) {
9444	    errCode = SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM;
9445	    desc = decrypt_error;
9446	    goto alert_loser;
9447	}
9448    }
9449
9450    rv = ssl3_ConsumeHandshakeVariable(ss, &signed_hash, 2, &b, &length);
9451    if (rv != SECSuccess) {
9452	goto loser;		/* malformed. */
9453    }
9454
9455    /* XXX verify that the key & kea match */
9456    rv = ssl3_VerifySignedHashes(hashes, ss->sec.peerCert, &signed_hash,
9457				 isTLS, ss->pkcs11PinArg);
9458    if (rv != SECSuccess) {
9459    	errCode = PORT_GetError();
9460	desc = isTLS ? decrypt_error : handshake_failure;
9461	goto alert_loser;
9462    }
9463
9464    signed_hash.data = NULL;
9465
9466    if (length != 0) {
9467	desc    = isTLS ? decode_error : illegal_parameter;
9468	goto alert_loser;	/* malformed */
9469    }
9470    ss->ssl3.hs.ws = wait_change_cipher;
9471    return SECSuccess;
9472
9473alert_loser:
9474    SSL3_SendAlert(ss, alert_fatal, desc);
9475loser:
9476    PORT_SetError(errCode);
9477    return SECFailure;
9478}
9479
9480
9481/* find a slot that is able to generate a PMS and wrap it with RSA.
9482 * Then generate and return the PMS.
9483 * If the serverKeySlot parameter is non-null, this function will use
9484 * that slot to do the job, otherwise it will find a slot.
9485 *
9486 * Called from  ssl3_DeriveConnectionKeysPKCS11()  (above)
9487 *		sendRSAClientKeyExchange()         (above)
9488 *		ssl3_HandleRSAClientKeyExchange()  (below)
9489 * Caller must hold the SpecWriteLock, the SSL3HandshakeLock
9490 */
9491static PK11SymKey *
9492ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
9493                    PK11SlotInfo * serverKeySlot)
9494{
9495    PK11SymKey *      pms		= NULL;
9496    PK11SlotInfo *    slot		= serverKeySlot;
9497    void *	      pwArg 		= ss->pkcs11PinArg;
9498    SECItem           param;
9499    CK_VERSION 	      version;
9500    CK_MECHANISM_TYPE mechanism_array[3];
9501
9502    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
9503
9504    if (slot == NULL) {
9505	SSLCipherAlgorithm calg;
9506	/* The specReadLock would suffice here, but we cannot assert on
9507	** read locks.  Also, all the callers who call with a non-null
9508	** slot already hold the SpecWriteLock.
9509	*/
9510	PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
9511	PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
9512
9513        calg = spec->cipher_def->calg;
9514	PORT_Assert(alg2Mech[calg].calg == calg);
9515
9516	/* First get an appropriate slot.  */
9517	mechanism_array[0] = CKM_SSL3_PRE_MASTER_KEY_GEN;
9518	mechanism_array[1] = CKM_RSA_PKCS;
9519	mechanism_array[2] = alg2Mech[calg].cmech;
9520
9521	slot = PK11_GetBestSlotMultiple(mechanism_array, 3, pwArg);
9522	if (slot == NULL) {
9523	   /* can't find a slot with all three, find a slot with the minimum */
9524	    slot = PK11_GetBestSlotMultiple(mechanism_array, 2, pwArg);
9525	    if (slot == NULL) {
9526		PORT_SetError(SSL_ERROR_TOKEN_SLOT_NOT_FOUND);
9527		return pms;	/* which is NULL */
9528	    }
9529	}
9530    }
9531
9532    /* Generate the pre-master secret ...  */
9533    if (IS_DTLS(ss)) {
9534	SSL3ProtocolVersion temp;
9535
9536	temp = dtls_TLSVersionToDTLSVersion(ss->clientHelloVersion);
9537	version.major = MSB(temp);
9538	version.minor = LSB(temp);
9539    } else {
9540	version.major = MSB(ss->clientHelloVersion);
9541	version.minor = LSB(ss->clientHelloVersion);
9542    }
9543
9544    param.data = (unsigned char *)&version;
9545    param.len  = sizeof version;
9546
9547    pms = PK11_KeyGen(slot, CKM_SSL3_PRE_MASTER_KEY_GEN, &param, 0, pwArg);
9548    if (!serverKeySlot)
9549	PK11_FreeSlot(slot);
9550    if (pms == NULL) {
9551	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
9552    }
9553    return pms;
9554}
9555
9556/* Note: The Bleichenbacher attack on PKCS#1 necessitates that we NEVER
9557 * return any indication of failure of the Client Key Exchange message,
9558 * where that failure is caused by the content of the client's message.
9559 * This function must not return SECFailure for any reason that is directly
9560 * or indirectly caused by the content of the client's encrypted PMS.
9561 * We must not send an alert and also not drop the connection.
9562 * Instead, we generate a random PMS.  This will cause a failure
9563 * in the processing the finished message, which is exactly where
9564 * the failure must occur.
9565 *
9566 * Called from ssl3_HandleClientKeyExchange
9567 */
9568static SECStatus
9569ssl3_HandleRSAClientKeyExchange(sslSocket *ss,
9570                                SSL3Opaque *b,
9571				PRUint32 length,
9572				SECKEYPrivateKey *serverKey)
9573{
9574    PK11SymKey *      pms;
9575#ifndef NO_PKCS11_BYPASS
9576    unsigned char *   cr     = (unsigned char *)&ss->ssl3.hs.client_random;
9577    unsigned char *   sr     = (unsigned char *)&ss->ssl3.hs.server_random;
9578    ssl3CipherSpec *  pwSpec = ss->ssl3.pwSpec;
9579    unsigned int      outLen = 0;
9580#endif
9581    PRBool            isTLS  = PR_FALSE;
9582    SECStatus         rv;
9583    SECItem           enc_pms;
9584    unsigned char     rsaPmsBuf[SSL3_RSA_PMS_LENGTH];
9585    SECItem           pmsItem = {siBuffer, NULL, 0};
9586
9587    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
9588    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
9589    PORT_Assert( ss->ssl3.prSpec == ss->ssl3.pwSpec );
9590
9591    enc_pms.data = b;
9592    enc_pms.len  = length;
9593    pmsItem.data = rsaPmsBuf;
9594    pmsItem.len  = sizeof rsaPmsBuf;
9595
9596    if (ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */
9597	PRInt32 kLen;
9598	kLen = ssl3_ConsumeHandshakeNumber(ss, 2, &enc_pms.data, &enc_pms.len);
9599	if (kLen < 0) {
9600	    PORT_SetError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
9601	    return SECFailure;
9602	}
9603	if ((unsigned)kLen < enc_pms.len) {
9604	    enc_pms.len = kLen;
9605	}
9606	isTLS = PR_TRUE;
9607    } else {
9608	isTLS = (PRBool)(ss->ssl3.hs.kea_def->tls_keygen != 0);
9609    }
9610
9611#ifndef NO_PKCS11_BYPASS
9612    if (ss->opt.bypassPKCS11) {
9613	/* TRIPLE BYPASS, get PMS directly from RSA decryption.
9614	 * Use PK11_PrivDecryptPKCS1 to decrypt the PMS to a buffer,
9615	 * then, check for version rollback attack, then
9616	 * do the equivalent of ssl3_DeriveMasterSecret, placing the MS in
9617	 * pwSpec->msItem.  Finally call ssl3_InitPendingCipherSpec with
9618	 * ss and NULL, so that it will use the MS we've already derived here.
9619	 */
9620
9621	rv = PK11_PrivDecryptPKCS1(serverKey, rsaPmsBuf, &outLen,
9622				   sizeof rsaPmsBuf, enc_pms.data, enc_pms.len);
9623	if (rv != SECSuccess) {
9624	    /* triple bypass failed.  Let's try for a double bypass. */
9625	    goto double_bypass;
9626	} else if (ss->opt.detectRollBack) {
9627	    SSL3ProtocolVersion client_version =
9628					 (rsaPmsBuf[0] << 8) | rsaPmsBuf[1];
9629
9630	    if (IS_DTLS(ss)) {
9631		client_version = dtls_DTLSVersionToTLSVersion(client_version);
9632	    }
9633
9634	    if (client_version != ss->clientHelloVersion) {
9635		/* Version roll-back detected. ensure failure.  */
9636		rv = PK11_GenerateRandom(rsaPmsBuf, sizeof rsaPmsBuf);
9637	    }
9638	}
9639	/* have PMS, build MS without PKCS11 */
9640	rv = ssl3_MasterKeyDeriveBypass(pwSpec, cr, sr, &pmsItem, isTLS,
9641					PR_TRUE);
9642	if (rv != SECSuccess) {
9643	    pwSpec->msItem.data = pwSpec->raw_master_secret;
9644	    pwSpec->msItem.len  = SSL3_MASTER_SECRET_LENGTH;
9645	    PK11_GenerateRandom(pwSpec->msItem.data, pwSpec->msItem.len);
9646	}
9647	rv = ssl3_InitPendingCipherSpec(ss,  NULL);
9648    } else
9649#endif
9650    {
9651#ifndef NO_PKCS11_BYPASS
9652double_bypass:
9653#endif
9654	/*
9655	 * unwrap pms out of the incoming buffer
9656	 * Note: CKM_SSL3_MASTER_KEY_DERIVE is NOT the mechanism used to do
9657	 *	the unwrap.  Rather, it is the mechanism with which the
9658	 *      unwrapped pms will be used.
9659	 */
9660	pms = PK11_PubUnwrapSymKey(serverKey, &enc_pms,
9661				   CKM_SSL3_MASTER_KEY_DERIVE, CKA_DERIVE, 0);
9662	if (pms != NULL) {
9663	    PRINT_BUF(60, (ss, "decrypted premaster secret:",
9664			   PK11_GetKeyData(pms)->data,
9665			   PK11_GetKeyData(pms)->len));
9666	} else {
9667	    /* unwrap failed. Generate a bogus PMS and carry on. */
9668	    PK11SlotInfo *  slot   = PK11_GetSlotFromPrivateKey(serverKey);
9669
9670	    ssl_GetSpecWriteLock(ss);
9671	    pms = ssl3_GenerateRSAPMS(ss, ss->ssl3.prSpec, slot);
9672	    ssl_ReleaseSpecWriteLock(ss);
9673	    PK11_FreeSlot(slot);
9674	}
9675
9676	if (pms == NULL) {
9677	    /* last gasp.  */
9678	    ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
9679	    return SECFailure;
9680	}
9681
9682	/* This step will derive the MS from the PMS, among other things. */
9683	rv = ssl3_InitPendingCipherSpec(ss,  pms);
9684	PK11_FreeSymKey(pms);
9685    }
9686
9687    if (rv != SECSuccess) {
9688	SEND_ALERT
9689	return SECFailure; /* error code set by ssl3_InitPendingCipherSpec */
9690    }
9691    return SECSuccess;
9692}
9693
9694
9695/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
9696 * ssl3 ClientKeyExchange message from the remote client
9697 * Caller must hold Handshake and RecvBuf locks.
9698 */
9699static SECStatus
9700ssl3_HandleClientKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
9701{
9702    SECKEYPrivateKey *serverKey         = NULL;
9703    SECStatus         rv;
9704    const ssl3KEADef *kea_def;
9705    ssl3KeyPair     *serverKeyPair      = NULL;
9706#ifdef NSS_ENABLE_ECC
9707    SECKEYPublicKey *serverPubKey       = NULL;
9708#endif /* NSS_ENABLE_ECC */
9709
9710    SSL_TRC(3, ("%d: SSL3[%d]: handle client_key_exchange handshake",
9711		SSL_GETPID(), ss->fd));
9712
9713    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
9714    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
9715
9716    if (ss->ssl3.hs.ws != wait_client_key) {
9717	SSL3_SendAlert(ss, alert_fatal, unexpected_message);
9718    	PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH);
9719	return SECFailure;
9720    }
9721
9722    kea_def   = ss->ssl3.hs.kea_def;
9723
9724    if (ss->ssl3.hs.usedStepDownKey) {
9725	 PORT_Assert(kea_def->is_limited /* XXX OR cert is signing only */
9726		 && kea_def->exchKeyType == kt_rsa
9727		 && ss->stepDownKeyPair != NULL);
9728	 if (!kea_def->is_limited  ||
9729	      kea_def->exchKeyType != kt_rsa ||
9730	      ss->stepDownKeyPair == NULL) {
9731	 	/* shouldn't happen, don't use step down if it does */
9732		goto skip;
9733	 }
9734    	serverKeyPair = ss->stepDownKeyPair;
9735	ss->sec.keaKeyBits = EXPORT_RSA_KEY_LENGTH * BPB;
9736    } else
9737skip:
9738#ifdef NSS_ENABLE_ECC
9739    /* XXX Using SSLKEAType to index server certifiates
9740     * does not work for (EC)DHE ciphers. Until we have
9741     * an indexing mechanism general enough for all key
9742     * exchange algorithms, we'll need to deal with each
9743     * one seprately.
9744     */
9745    if ((kea_def->kea == kea_ecdhe_rsa) ||
9746               (kea_def->kea == kea_ecdhe_ecdsa)) {
9747	if (ss->ephemeralECDHKeyPair != NULL) {
9748	   serverKeyPair = ss->ephemeralECDHKeyPair;
9749	   if (serverKeyPair->pubKey) {
9750		ss->sec.keaKeyBits =
9751		    SECKEY_PublicKeyStrengthInBits(serverKeyPair->pubKey);
9752	   }
9753	}
9754    } else
9755#endif
9756    {
9757	sslServerCerts * sc = ss->serverCerts + kea_def->exchKeyType;
9758	serverKeyPair = sc->serverKeyPair;
9759	ss->sec.keaKeyBits = sc->serverKeyBits;
9760    }
9761
9762    if (serverKeyPair) {
9763	serverKey = serverKeyPair->privKey;
9764    }
9765
9766    if (serverKey == NULL) {
9767    	SEND_ALERT
9768	PORT_SetError(SSL_ERROR_NO_SERVER_KEY_FOR_ALG);
9769	return SECFailure;
9770    }
9771
9772    ss->sec.keaType    = kea_def->exchKeyType;
9773
9774    switch (kea_def->exchKeyType) {
9775    case kt_rsa:
9776	rv = ssl3_HandleRSAClientKeyExchange(ss, b, length, serverKey);
9777	if (rv != SECSuccess) {
9778	    SEND_ALERT
9779	    return SECFailure;	/* error code set */
9780	}
9781	break;
9782
9783
9784#ifdef NSS_ENABLE_ECC
9785    case kt_ecdh:
9786	/* XXX We really ought to be able to store multiple
9787	 * EC certs (a requirement if we wish to support both
9788	 * ECDH-RSA and ECDH-ECDSA key exchanges concurrently).
9789	 * When we make that change, we'll need an index other
9790	 * than kt_ecdh to pick the right EC certificate.
9791	 */
9792	if (serverKeyPair) {
9793	    serverPubKey = serverKeyPair->pubKey;
9794        }
9795	if (serverPubKey == NULL) {
9796	    /* XXX Is this the right error code? */
9797	    PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
9798	    return SECFailure;
9799	}
9800	rv = ssl3_HandleECDHClientKeyExchange(ss, b, length,
9801					      serverPubKey, serverKey);
9802	if (rv != SECSuccess) {
9803	    return SECFailure;	/* error code set */
9804	}
9805	break;
9806#endif /* NSS_ENABLE_ECC */
9807
9808    default:
9809	(void) ssl3_HandshakeFailure(ss);
9810	PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
9811	return SECFailure;
9812    }
9813    ss->ssl3.hs.ws = ss->sec.peerCert ? wait_cert_verify : wait_change_cipher;
9814    return SECSuccess;
9815
9816}
9817
9818/* This is TLS's equivalent of sending a no_certificate alert. */
9819static SECStatus
9820ssl3_SendEmptyCertificate(sslSocket *ss)
9821{
9822    SECStatus            rv;
9823
9824    rv = ssl3_AppendHandshakeHeader(ss, certificate, 3);
9825    if (rv == SECSuccess) {
9826	rv = ssl3_AppendHandshakeNumber(ss, 0, 3);
9827    }
9828    return rv;	/* error, if any, set by functions called above. */
9829}
9830
9831SECStatus
9832ssl3_HandleNewSessionTicket(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
9833{
9834    SECStatus rv;
9835    SECItem ticketData;
9836
9837    SSL_TRC(3, ("%d: SSL3[%d]: handle session_ticket handshake",
9838		SSL_GETPID(), ss->fd));
9839
9840    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
9841    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
9842
9843    PORT_Assert(!ss->ssl3.hs.newSessionTicket.ticket.data);
9844    PORT_Assert(!ss->ssl3.hs.receivedNewSessionTicket);
9845
9846    if (ss->ssl3.hs.ws != wait_new_session_ticket) {
9847	SSL3_SendAlert(ss, alert_fatal, unexpected_message);
9848	PORT_SetError(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET);
9849	return SECFailure;
9850    }
9851
9852    /* RFC5077 Section 3.3: "The client MUST NOT treat the ticket as valid
9853     * until it has verified the server's Finished message." See the comment in
9854     * ssl3_FinishHandshake for more details.
9855     */
9856    ss->ssl3.hs.newSessionTicket.received_timestamp = ssl_Time();
9857    if (length < 4) {
9858	(void)SSL3_SendAlert(ss, alert_fatal, decode_error);
9859	PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET);
9860	return SECFailure;
9861    }
9862    ss->ssl3.hs.newSessionTicket.ticket_lifetime_hint =
9863	(PRUint32)ssl3_ConsumeHandshakeNumber(ss, 4, &b, &length);
9864
9865    rv = ssl3_ConsumeHandshakeVariable(ss, &ticketData, 2, &b, &length);
9866    if (length != 0 || rv != SECSuccess) {
9867	(void)SSL3_SendAlert(ss, alert_fatal, decode_error);
9868	PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET);
9869	return SECFailure;  /* malformed */
9870    }
9871    rv = SECITEM_CopyItem(NULL, &ss->ssl3.hs.newSessionTicket.ticket,
9872			  &ticketData);
9873    if (rv != SECSuccess) {
9874	return rv;
9875    }
9876    ss->ssl3.hs.receivedNewSessionTicket = PR_TRUE;
9877
9878    ss->ssl3.hs.ws = wait_change_cipher;
9879    return SECSuccess;
9880}
9881
9882#ifdef NISCC_TEST
9883static PRInt32 connNum = 0;
9884
9885static SECStatus
9886get_fake_cert(SECItem *pCertItem, int *pIndex)
9887{
9888    PRFileDesc *cf;
9889    char *      testdir;
9890    char *      startat;
9891    char *      stopat;
9892    const char *extension;
9893    int         fileNum;
9894    PRInt32     numBytes   = 0;
9895    PRStatus    prStatus;
9896    PRFileInfo  info;
9897    char        cfn[100];
9898
9899    pCertItem->data = 0;
9900    if ((testdir = PR_GetEnv("NISCC_TEST")) == NULL) {
9901	return SECSuccess;
9902    }
9903    *pIndex   = (NULL != strstr(testdir, "root"));
9904    extension = (strstr(testdir, "simple") ? "" : ".der");
9905    fileNum     = PR_ATOMIC_INCREMENT(&connNum) - 1;
9906    if ((startat = PR_GetEnv("START_AT")) != NULL) {
9907	fileNum += atoi(startat);
9908    }
9909    if ((stopat = PR_GetEnv("STOP_AT")) != NULL &&
9910	fileNum >= atoi(stopat)) {
9911	*pIndex = -1;
9912	return SECSuccess;
9913    }
9914    sprintf(cfn, "%s/%08d%s", testdir, fileNum, extension);
9915    cf = PR_Open(cfn, PR_RDONLY, 0);
9916    if (!cf) {
9917	goto loser;
9918    }
9919    prStatus = PR_GetOpenFileInfo(cf, &info);
9920    if (prStatus != PR_SUCCESS) {
9921	PR_Close(cf);
9922	goto loser;
9923    }
9924    pCertItem = SECITEM_AllocItem(NULL, pCertItem, info.size);
9925    if (pCertItem) {
9926	numBytes = PR_Read(cf, pCertItem->data, info.size);
9927    }
9928    PR_Close(cf);
9929    if (numBytes != info.size) {
9930	SECITEM_FreeItem(pCertItem, PR_FALSE);
9931	PORT_SetError(SEC_ERROR_IO);
9932	goto loser;
9933    }
9934    fprintf(stderr, "using %s\n", cfn);
9935    return SECSuccess;
9936
9937loser:
9938    fprintf(stderr, "failed to use %s\n", cfn);
9939    *pIndex = -1;
9940    return SECFailure;
9941}
9942#endif
9943
9944/*
9945 * Used by both client and server.
9946 * Called from HandleServerHelloDone and from SendServerHelloSequence.
9947 */
9948static SECStatus
9949ssl3_SendCertificate(sslSocket *ss)
9950{
9951    SECStatus            rv;
9952    CERTCertificateList *certChain;
9953    int                  len 		= 0;
9954    int                  i;
9955    SSL3KEAType          certIndex;
9956#ifdef NISCC_TEST
9957    SECItem              fakeCert;
9958    int                  ndex           = -1;
9959#endif
9960
9961    SSL_TRC(3, ("%d: SSL3[%d]: send certificate handshake",
9962		SSL_GETPID(), ss->fd));
9963
9964    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
9965    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
9966
9967    if (ss->sec.localCert)
9968    	CERT_DestroyCertificate(ss->sec.localCert);
9969    if (ss->sec.isServer) {
9970	sslServerCerts * sc = NULL;
9971
9972	/* XXX SSLKEAType isn't really a good choice for
9973	 * indexing certificates (it breaks when we deal
9974	 * with (EC)DHE-* cipher suites. This hack ensures
9975	 * the RSA cert is picked for (EC)DHE-RSA.
9976	 * Revisit this when we add server side support
9977	 * for ECDHE-ECDSA or client-side authentication
9978	 * using EC certificates.
9979	 */
9980	if ((ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) ||
9981	    (ss->ssl3.hs.kea_def->kea == kea_dhe_rsa)) {
9982	    certIndex = kt_rsa;
9983	} else {
9984	    certIndex = ss->ssl3.hs.kea_def->exchKeyType;
9985	}
9986	sc                    = ss->serverCerts + certIndex;
9987	certChain             = sc->serverCertChain;
9988	ss->sec.authKeyBits   = sc->serverKeyBits;
9989	ss->sec.authAlgorithm = ss->ssl3.hs.kea_def->signKeyType;
9990	ss->sec.localCert     = CERT_DupCertificate(sc->serverCert);
9991    } else {
9992	certChain          = ss->ssl3.clientCertChain;
9993	ss->sec.localCert = CERT_DupCertificate(ss->ssl3.clientCertificate);
9994    }
9995
9996#ifdef NISCC_TEST
9997    rv = get_fake_cert(&fakeCert, &ndex);
9998#endif
9999
10000    if (certChain) {
10001	for (i = 0; i < certChain->len; i++) {
10002#ifdef NISCC_TEST
10003	    if (fakeCert.len > 0 && i == ndex) {
10004		len += fakeCert.len + 3;
10005	    } else {
10006		len += certChain->certs[i].len + 3;
10007	    }
10008#else
10009	    len += certChain->certs[i].len + 3;
10010#endif
10011	}
10012    }
10013
10014    rv = ssl3_AppendHandshakeHeader(ss, certificate, len + 3);
10015    if (rv != SECSuccess) {
10016	return rv; 		/* err set by AppendHandshake. */
10017    }
10018    rv = ssl3_AppendHandshakeNumber(ss, len, 3);
10019    if (rv != SECSuccess) {
10020	return rv; 		/* err set by AppendHandshake. */
10021    }
10022    if (certChain) {
10023        for (i = 0; i < certChain->len; i++) {
10024#ifdef NISCC_TEST
10025            if (fakeCert.len > 0 && i == ndex) {
10026                rv = ssl3_AppendHandshakeVariable(ss, fakeCert.data,
10027                                                  fakeCert.len, 3);
10028                SECITEM_FreeItem(&fakeCert, PR_FALSE);
10029            } else {
10030                rv = ssl3_AppendHandshakeVariable(ss, certChain->certs[i].data,
10031                                                  certChain->certs[i].len, 3);
10032            }
10033#else
10034            rv = ssl3_AppendHandshakeVariable(ss, certChain->certs[i].data,
10035                                              certChain->certs[i].len, 3);
10036#endif
10037            if (rv != SECSuccess) {
10038                return rv; 		/* err set by AppendHandshake. */
10039            }
10040        }
10041    }
10042
10043    return SECSuccess;
10044}
10045
10046/*
10047 * Used by server only.
10048 * single-stapling, send only a single cert status
10049 */
10050static SECStatus
10051ssl3_SendCertificateStatus(sslSocket *ss)
10052{
10053    SECStatus rv;
10054    int len = 0;
10055    SECItemArray *statusToSend = NULL;
10056    SSL3KEAType certIndex;
10057
10058    SSL_TRC(3, ("%d: SSL3[%d]: send certificate status handshake",
10059		SSL_GETPID(), ss->fd));
10060
10061    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
10062    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
10063    PORT_Assert( ss->sec.isServer);
10064
10065    if (!ssl3_ExtensionNegotiated(ss, ssl_cert_status_xtn))
10066	return SECSuccess;
10067
10068    /* Use certStatus based on the cert being used. */
10069    if ((ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) ||
10070	(ss->ssl3.hs.kea_def->kea == kea_dhe_rsa)) {
10071	certIndex = kt_rsa;
10072    } else {
10073	certIndex = ss->ssl3.hs.kea_def->exchKeyType;
10074    }
10075    if (ss->certStatusArray[certIndex] && ss->certStatusArray[certIndex]->len) {
10076	statusToSend = ss->certStatusArray[certIndex];
10077    }
10078    if (!statusToSend)
10079	return SECSuccess;
10080
10081    /* Use the array's first item only (single stapling) */
10082    len = 1 + statusToSend->items[0].len + 3;
10083
10084    rv = ssl3_AppendHandshakeHeader(ss, certificate_status, len);
10085    if (rv != SECSuccess) {
10086	return rv; 		/* err set by AppendHandshake. */
10087    }
10088    rv = ssl3_AppendHandshakeNumber(ss, 1 /*ocsp*/, 1);
10089    if (rv != SECSuccess)
10090	return rv; 		/* err set by AppendHandshake. */
10091
10092    rv = ssl3_AppendHandshakeVariable(ss,
10093				      statusToSend->items[0].data,
10094				      statusToSend->items[0].len,
10095				      3);
10096    if (rv != SECSuccess)
10097	return rv; 		/* err set by AppendHandshake. */
10098
10099    return SECSuccess;
10100}
10101
10102/* This is used to delete the CA certificates in the peer certificate chain
10103 * from the cert database after they've been validated.
10104 */
10105static void
10106ssl3_CleanupPeerCerts(sslSocket *ss)
10107{
10108    PLArenaPool * arena = ss->ssl3.peerCertArena;
10109    ssl3CertNode *certs = (ssl3CertNode *)ss->ssl3.peerCertChain;
10110
10111    for (; certs; certs = certs->next) {
10112	CERT_DestroyCertificate(certs->cert);
10113    }
10114    if (arena) PORT_FreeArena(arena, PR_FALSE);
10115    ss->ssl3.peerCertArena = NULL;
10116    ss->ssl3.peerCertChain = NULL;
10117}
10118
10119static void
10120ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid)
10121{
10122    PLArenaPool *arena;
10123    ssl3CertNode *lastCert = NULL;
10124    ssl3CertNode *certs = NULL;
10125    int i;
10126
10127    if (!sid->peerCertChain[0])
10128	return;
10129    PORT_Assert(!ss->ssl3.peerCertArena);
10130    PORT_Assert(!ss->ssl3.peerCertChain);
10131    ss->ssl3.peerCertArena = arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
10132    for (i = 0; i < MAX_PEER_CERT_CHAIN_SIZE && sid->peerCertChain[i]; i++) {
10133	ssl3CertNode *c = PORT_ArenaNew(arena, ssl3CertNode);
10134	c->cert = CERT_DupCertificate(sid->peerCertChain[i]);
10135	c->next = NULL;
10136	if (lastCert) {
10137	    lastCert->next = c;
10138	} else {
10139	    certs = c;
10140	}
10141	lastCert = c;
10142    }
10143    ss->ssl3.peerCertChain = certs;
10144}
10145
10146static void
10147ssl3_CopyPeerCertsToSID(ssl3CertNode *certs, sslSessionID *sid)
10148{
10149    int i = 0;
10150    ssl3CertNode *c = certs;
10151    for (; i < MAX_PEER_CERT_CHAIN_SIZE && c; i++, c = c->next) {
10152	PORT_Assert(!sid->peerCertChain[i]);
10153	sid->peerCertChain[i] = CERT_DupCertificate(c->cert);
10154    }
10155}
10156
10157/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
10158 * ssl3 CertificateStatus message.
10159 * Caller must hold Handshake and RecvBuf locks.
10160 * This is always called before ssl3_HandleCertificate, even if the Certificate
10161 * message is sent first.
10162 */
10163static SECStatus
10164ssl3_HandleCertificateStatus(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
10165{
10166    PRInt32 status, len;
10167
10168    if (ss->ssl3.hs.ws != wait_certificate_status) {
10169        (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
10170        PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_STATUS);
10171        return SECFailure;
10172    }
10173
10174    PORT_Assert(!ss->sec.isServer);
10175
10176    /* Consume the CertificateStatusType enum */
10177    status = ssl3_ConsumeHandshakeNumber(ss, 1, &b, &length);
10178    if (status != 1 /* ocsp */) {
10179       goto format_loser;
10180    }
10181
10182    len = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
10183    if (len != length) {
10184       goto format_loser;
10185    }
10186
10187#define MAX_CERTSTATUS_LEN 0x1ffff   /* 128k - 1 */
10188    if (length > MAX_CERTSTATUS_LEN)
10189       goto format_loser;
10190#undef MAX_CERTSTATUS_LEN
10191
10192    /* Array size 1, because we currently implement single-stapling only */
10193    SECITEM_AllocArray(NULL, &ss->sec.ci.sid->peerCertStatus, 1);
10194    if (!ss->sec.ci.sid->peerCertStatus.items)
10195       return SECFailure;
10196
10197    ss->sec.ci.sid->peerCertStatus.items[0].data = PORT_Alloc(length);
10198
10199    if (!ss->sec.ci.sid->peerCertStatus.items[0].data) {
10200        SECITEM_FreeArray(&ss->sec.ci.sid->peerCertStatus, PR_FALSE);
10201        return SECFailure;
10202    }
10203
10204    PORT_Memcpy(ss->sec.ci.sid->peerCertStatus.items[0].data, b, length);
10205    ss->sec.ci.sid->peerCertStatus.items[0].len = length;
10206    ss->sec.ci.sid->peerCertStatus.items[0].type = siBuffer;
10207
10208    return ssl3_AuthCertificate(ss);
10209
10210format_loser:
10211    return ssl3_DecodeError(ss);
10212}
10213
10214/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
10215 * ssl3 Certificate message.
10216 * Caller must hold Handshake and RecvBuf locks.
10217 */
10218static SECStatus
10219ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
10220{
10221    ssl3CertNode *   c;
10222    ssl3CertNode *   lastCert 	= NULL;
10223    PRInt32          remaining  = 0;
10224    PRInt32          size;
10225    SECStatus        rv;
10226    PRBool           isServer	= (PRBool)(!!ss->sec.isServer);
10227    PRBool           isTLS;
10228    SSL3AlertDescription desc;
10229    int              errCode    = SSL_ERROR_RX_MALFORMED_CERTIFICATE;
10230    SECItem          certItem;
10231
10232    SSL_TRC(3, ("%d: SSL3[%d]: handle certificate handshake",
10233		SSL_GETPID(), ss->fd));
10234    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
10235    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
10236
10237    if ((ss->ssl3.hs.ws != wait_server_cert) &&
10238	(ss->ssl3.hs.ws != wait_client_cert)) {
10239	desc    = unexpected_message;
10240	errCode = SSL_ERROR_RX_UNEXPECTED_CERTIFICATE;
10241	goto alert_loser;
10242    }
10243
10244    if (ss->sec.peerCert != NULL) {
10245	if (ss->sec.peerKey) {
10246	    SECKEY_DestroyPublicKey(ss->sec.peerKey);
10247	    ss->sec.peerKey = NULL;
10248	}
10249	CERT_DestroyCertificate(ss->sec.peerCert);
10250	ss->sec.peerCert = NULL;
10251    }
10252
10253    ssl3_CleanupPeerCerts(ss);
10254    isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
10255
10256    /* It is reported that some TLS client sends a Certificate message
10257    ** with a zero-length message body.  We'll treat that case like a
10258    ** normal no_certificates message to maximize interoperability.
10259    */
10260    if (length) {
10261	remaining = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
10262	if (remaining < 0)
10263	    goto loser;	/* fatal alert already sent by ConsumeHandshake. */
10264	if ((PRUint32)remaining > length)
10265	    goto decode_loser;
10266    }
10267
10268    if (!remaining) {
10269	if (!(isTLS && isServer)) {
10270	    desc = bad_certificate;
10271	    goto alert_loser;
10272	}
10273    	/* This is TLS's version of a no_certificate alert. */
10274    	/* I'm a server. I've requested a client cert. He hasn't got one. */
10275	rv = ssl3_HandleNoCertificate(ss);
10276	if (rv != SECSuccess) {
10277	    errCode = PORT_GetError();
10278	    goto loser;
10279	}
10280       ss->ssl3.hs.ws = wait_client_key;
10281       return SECSuccess;
10282    }
10283
10284    ss->ssl3.peerCertArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
10285    if (ss->ssl3.peerCertArena == NULL) {
10286	goto loser;	/* don't send alerts on memory errors */
10287    }
10288
10289    /* First get the peer cert. */
10290    remaining -= 3;
10291    if (remaining < 0)
10292	goto decode_loser;
10293
10294    size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
10295    if (size <= 0)
10296	goto loser;	/* fatal alert already sent by ConsumeHandshake. */
10297
10298    if (remaining < size)
10299	goto decode_loser;
10300
10301    certItem.data = b;
10302    certItem.len = size;
10303    b      += size;
10304    length -= size;
10305    remaining -= size;
10306
10307    ss->sec.peerCert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
10308                                            PR_FALSE, PR_TRUE);
10309    if (ss->sec.peerCert == NULL) {
10310	/* We should report an alert if the cert was bad, but not if the
10311	 * problem was just some local problem, like memory error.
10312	 */
10313	goto ambiguous_err;
10314    }
10315
10316    /* Now get all of the CA certs. */
10317    while (remaining > 0) {
10318	remaining -= 3;
10319	if (remaining < 0)
10320	    goto decode_loser;
10321
10322	size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
10323	if (size <= 0)
10324	    goto loser;	/* fatal alert already sent by ConsumeHandshake. */
10325
10326	if (remaining < size)
10327	    goto decode_loser;
10328
10329	certItem.data = b;
10330	certItem.len = size;
10331	b      += size;
10332	length -= size;
10333	remaining -= size;
10334
10335	c = PORT_ArenaNew(ss->ssl3.peerCertArena, ssl3CertNode);
10336	if (c == NULL) {
10337	    goto loser;	/* don't send alerts on memory errors */
10338	}
10339
10340	c->cert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
10341	                                  PR_FALSE, PR_TRUE);
10342	if (c->cert == NULL) {
10343	    goto ambiguous_err;
10344	}
10345
10346	c->next = NULL;
10347	if (lastCert) {
10348	    lastCert->next = c;
10349	} else {
10350	    ss->ssl3.peerCertChain = c;
10351	}
10352	lastCert = c;
10353    }
10354
10355    if (remaining != 0)
10356        goto decode_loser;
10357
10358    SECKEY_UpdateCertPQG(ss->sec.peerCert);
10359
10360    if (!isServer && ssl3_ExtensionNegotiated(ss, ssl_cert_status_xtn)) {
10361       ss->ssl3.hs.ws = wait_certificate_status;
10362       rv = SECSuccess;
10363    } else {
10364       rv = ssl3_AuthCertificate(ss); /* sets ss->ssl3.hs.ws */
10365    }
10366
10367    return rv;
10368
10369ambiguous_err:
10370    errCode = PORT_GetError();
10371    switch (errCode) {
10372    case PR_OUT_OF_MEMORY_ERROR:
10373    case SEC_ERROR_BAD_DATABASE:
10374    case SEC_ERROR_NO_MEMORY:
10375       if (isTLS) {
10376           desc = internal_error;
10377           goto alert_loser;
10378       }
10379       goto loser;
10380    }
10381    ssl3_SendAlertForCertError(ss, errCode);
10382    goto loser;
10383
10384decode_loser:
10385    desc = isTLS ? decode_error : bad_certificate;
10386
10387alert_loser:
10388    (void)SSL3_SendAlert(ss, alert_fatal, desc);
10389
10390loser:
10391    (void)ssl_MapLowLevelError(errCode);
10392    return SECFailure;
10393}
10394
10395static SECStatus
10396ssl3_AuthCertificate(sslSocket *ss)
10397{
10398    SECStatus        rv;
10399    PRBool           isServer   = (PRBool)(!!ss->sec.isServer);
10400    int              errCode;
10401
10402    ss->ssl3.hs.authCertificatePending = PR_FALSE;
10403
10404    /*
10405     * Ask caller-supplied callback function to validate cert chain.
10406     */
10407    rv = (SECStatus)(*ss->authCertificate)(ss->authCertificateArg, ss->fd,
10408					   PR_TRUE, isServer);
10409    if (rv) {
10410	errCode = PORT_GetError();
10411	if (rv != SECWouldBlock) {
10412	    if (ss->handleBadCert) {
10413		rv = (*ss->handleBadCert)(ss->badCertArg, ss->fd);
10414	    }
10415	}
10416
10417	if (rv == SECWouldBlock) {
10418	    if (ss->sec.isServer) {
10419		errCode = SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SERVERS;
10420		rv = SECFailure;
10421		goto loser;
10422	    }
10423
10424	    ss->ssl3.hs.authCertificatePending = PR_TRUE;
10425	    rv = SECSuccess;
10426	}
10427
10428	if (rv != SECSuccess) {
10429	    ssl3_SendAlertForCertError(ss, errCode);
10430	    goto loser;
10431	}
10432    }
10433
10434    ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
10435    ssl3_CopyPeerCertsToSID(ss->ssl3.peerCertChain, ss->sec.ci.sid);
10436
10437    if (!ss->sec.isServer) {
10438        CERTCertificate *cert = ss->sec.peerCert;
10439
10440	/* set the server authentication and key exchange types and sizes
10441	** from the value in the cert.  If the key exchange key is different,
10442	** it will get fixed when we handle the server key exchange message.
10443	*/
10444	SECKEYPublicKey * pubKey  = CERT_ExtractPublicKey(cert);
10445	ss->sec.authAlgorithm = ss->ssl3.hs.kea_def->signKeyType;
10446	ss->sec.keaType       = ss->ssl3.hs.kea_def->exchKeyType;
10447	if (pubKey) {
10448	    ss->sec.keaKeyBits = ss->sec.authKeyBits =
10449		SECKEY_PublicKeyStrengthInBits(pubKey);
10450#ifdef NSS_ENABLE_ECC
10451	    if (ss->sec.keaType == kt_ecdh) {
10452		/* Get authKeyBits from signing key.
10453		 * XXX The code below uses a quick approximation of
10454		 * key size based on cert->signatureWrap.signature.data
10455		 * (which contains the DER encoded signature). The field
10456		 * cert->signatureWrap.signature.len contains the
10457		 * length of the encoded signature in bits.
10458		 */
10459		if (ss->ssl3.hs.kea_def->kea == kea_ecdh_ecdsa) {
10460		    ss->sec.authKeyBits =
10461			cert->signatureWrap.signature.data[3]*8;
10462		    if (cert->signatureWrap.signature.data[4] == 0x00)
10463			    ss->sec.authKeyBits -= 8;
10464		    /*
10465		     * XXX: if cert is not signed by ecdsa we should
10466		     * destroy pubKey and goto bad_cert
10467		     */
10468		} else if (ss->ssl3.hs.kea_def->kea == kea_ecdh_rsa) {
10469		    ss->sec.authKeyBits = cert->signatureWrap.signature.len;
10470		    /*
10471		     * XXX: if cert is not signed by rsa we should
10472		     * destroy pubKey and goto bad_cert
10473		     */
10474		}
10475	    }
10476#endif /* NSS_ENABLE_ECC */
10477	    SECKEY_DestroyPublicKey(pubKey);
10478	    pubKey = NULL;
10479    	}
10480
10481	ss->ssl3.hs.ws = wait_cert_request; /* disallow server_key_exchange */
10482	if (ss->ssl3.hs.kea_def->is_limited ||
10483	    /* XXX OR server cert is signing only. */
10484#ifdef NSS_ENABLE_ECC
10485	    ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa ||
10486	    ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa ||
10487#endif /* NSS_ENABLE_ECC */
10488	    ss->ssl3.hs.kea_def->exchKeyType == kt_dh) {
10489	    ss->ssl3.hs.ws = wait_server_key; /* allow server_key_exchange */
10490	}
10491    } else {
10492	ss->ssl3.hs.ws = wait_client_key;
10493    }
10494
10495    PORT_Assert(rv == SECSuccess);
10496    if (rv != SECSuccess) {
10497	errCode = SEC_ERROR_LIBRARY_FAILURE;
10498	rv = SECFailure;
10499	goto loser;
10500    }
10501
10502    return rv;
10503
10504loser:
10505    (void)ssl_MapLowLevelError(errCode);
10506    return SECFailure;
10507}
10508
10509static SECStatus ssl3_FinishHandshake(sslSocket *ss);
10510
10511static SECStatus
10512ssl3_AlwaysFail(sslSocket * ss)
10513{
10514    PORT_SetError(PR_INVALID_STATE_ERROR);
10515    return SECFailure;
10516}
10517
10518/* Caller must hold 1stHandshakeLock.
10519*/
10520SECStatus
10521ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode error)
10522{
10523    SECStatus rv;
10524
10525    PORT_Assert(ss->opt.noLocks || ssl_Have1stHandshakeLock(ss));
10526
10527    if (ss->sec.isServer) {
10528	PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SERVERS);
10529	return SECFailure;
10530    }
10531
10532    ssl_GetRecvBufLock(ss);
10533    ssl_GetSSL3HandshakeLock(ss);
10534
10535    if (!ss->ssl3.hs.authCertificatePending) {
10536	PORT_SetError(PR_INVALID_STATE_ERROR);
10537	rv = SECFailure;
10538	goto done;
10539    }
10540
10541    ss->ssl3.hs.authCertificatePending = PR_FALSE;
10542
10543    if (error != 0) {
10544	ss->ssl3.hs.restartTarget = ssl3_AlwaysFail;
10545	ssl3_SendAlertForCertError(ss, error);
10546	rv = SECSuccess;
10547    } else if (ss->ssl3.hs.restartTarget != NULL) {
10548	sslRestartTarget target = ss->ssl3.hs.restartTarget;
10549	ss->ssl3.hs.restartTarget = NULL;
10550
10551	if (target == ssl3_FinishHandshake) {
10552	    SSL_TRC(3,("%d: SSL3[%p]: certificate authentication lost the race"
10553		       " with peer's finished message", SSL_GETPID(), ss->fd));
10554	}
10555
10556	rv = target(ss);
10557	/* Even if we blocked here, we have accomplished enough to claim
10558	 * success. Any remaining work will be taken care of by subsequent
10559	 * calls to SSL_ForceHandshake/PR_Send/PR_Read/etc.
10560	 */
10561	if (rv == SECWouldBlock) {
10562	    rv = SECSuccess;
10563	}
10564    } else {
10565	SSL_TRC(3, ("%d: SSL3[%p]: certificate authentication won the race with"
10566        	    " peer's finished message", SSL_GETPID(), ss->fd));
10567
10568	PORT_Assert(!ss->ssl3.hs.isResuming);
10569	PORT_Assert(ss->ssl3.hs.ws != idle_handshake);
10570
10571	if (ss->opt.enableFalseStart &&
10572	    !ss->firstHsDone &&
10573	    !ss->ssl3.hs.isResuming &&
10574	    ssl3_WaitingForStartOfServerSecondRound(ss)) {
10575	    /* ssl3_SendClientSecondRound deferred the false start check because
10576	     * certificate authentication was pending, so we do it now if we still
10577	     * haven't received any of the server's second round yet.
10578	     */
10579	    rv = ssl3_CheckFalseStart(ss);
10580	} else {
10581	    rv = SECSuccess;
10582	}
10583    }
10584
10585done:
10586    ssl_ReleaseSSL3HandshakeLock(ss);
10587    ssl_ReleaseRecvBufLock(ss);
10588
10589    return rv;
10590}
10591
10592static SECStatus
10593ssl3_ComputeTLSFinished(ssl3CipherSpec *spec,
10594			PRBool          isServer,
10595                const   SSL3Hashes   *  hashes,
10596                        TLSFinished  *  tlsFinished)
10597{
10598    const char * label;
10599    unsigned int len;
10600    SECStatus    rv;
10601
10602    label = isServer ? "server finished" : "client finished";
10603    len   = 15;
10604
10605    rv = ssl3_TLSPRFWithMasterSecret(spec, label, len, hashes->u.raw,
10606	hashes->len, tlsFinished->verify_data,
10607	sizeof tlsFinished->verify_data);
10608
10609    return rv;
10610}
10611
10612/* The calling function must acquire and release the appropriate
10613 * lock (e.g., ssl_GetSpecReadLock / ssl_ReleaseSpecReadLock for
10614 * ss->ssl3.crSpec).
10615 */
10616SECStatus
10617ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec, const char *label,
10618    unsigned int labelLen, const unsigned char *val, unsigned int valLen,
10619    unsigned char *out, unsigned int outLen)
10620{
10621    SECStatus rv = SECSuccess;
10622
10623    if (spec->master_secret && !spec->bypassCiphers) {
10624	SECItem param = {siBuffer, NULL, 0};
10625	CK_MECHANISM_TYPE mech = CKM_TLS_PRF_GENERAL;
10626	PK11Context *prf_context;
10627	unsigned int retLen;
10628
10629	if (spec->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
10630	    mech = CKM_NSS_TLS_PRF_GENERAL_SHA256;
10631	}
10632	prf_context = PK11_CreateContextBySymKey(mech, CKA_SIGN,
10633						 spec->master_secret, &param);
10634	if (!prf_context)
10635	    return SECFailure;
10636
10637	rv  = PK11_DigestBegin(prf_context);
10638	rv |= PK11_DigestOp(prf_context, (unsigned char *) label, labelLen);
10639	rv |= PK11_DigestOp(prf_context, val, valLen);
10640	rv |= PK11_DigestFinal(prf_context, out, &retLen, outLen);
10641	PORT_Assert(rv != SECSuccess || retLen == outLen);
10642
10643	PK11_DestroyContext(prf_context, PR_TRUE);
10644    } else {
10645	/* bypass PKCS11 */
10646#ifdef NO_PKCS11_BYPASS
10647	PORT_Assert(spec->master_secret);
10648	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
10649	rv = SECFailure;
10650#else
10651	SECItem inData  = { siBuffer, };
10652	SECItem outData = { siBuffer, };
10653	PRBool isFIPS   = PR_FALSE;
10654
10655	inData.data  = (unsigned char *) val;
10656	inData.len   = valLen;
10657	outData.data = out;
10658	outData.len  = outLen;
10659	if (spec->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
10660	    rv = TLS_P_hash(HASH_AlgSHA256, &spec->msItem, label, &inData,
10661			    &outData, isFIPS);
10662	} else {
10663	    rv = TLS_PRF(&spec->msItem, label, &inData, &outData, isFIPS);
10664	}
10665	PORT_Assert(rv != SECSuccess || outData.len == outLen);
10666#endif
10667    }
10668    return rv;
10669}
10670
10671/* called from ssl3_SendClientSecondRound
10672 *             ssl3_HandleFinished
10673 */
10674static SECStatus
10675ssl3_SendNextProto(sslSocket *ss)
10676{
10677    SECStatus rv;
10678    int padding_len;
10679    static const unsigned char padding[32] = {0};
10680
10681    if (ss->ssl3.nextProto.len == 0 ||
10682	ss->ssl3.nextProtoState == SSL_NEXT_PROTO_SELECTED) {
10683	return SECSuccess;
10684    }
10685
10686    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
10687    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
10688
10689    padding_len = 32 - ((ss->ssl3.nextProto.len + 2) % 32);
10690
10691    rv = ssl3_AppendHandshakeHeader(ss, next_proto, ss->ssl3.nextProto.len +
10692						    2 + padding_len);
10693    if (rv != SECSuccess) {
10694	return rv;	/* error code set by AppendHandshakeHeader */
10695    }
10696    rv = ssl3_AppendHandshakeVariable(ss, ss->ssl3.nextProto.data,
10697				      ss->ssl3.nextProto.len, 1);
10698    if (rv != SECSuccess) {
10699	return rv;	/* error code set by AppendHandshake */
10700    }
10701    rv = ssl3_AppendHandshakeVariable(ss, padding, padding_len, 1);
10702    if (rv != SECSuccess) {
10703	return rv;	/* error code set by AppendHandshake */
10704    }
10705    return rv;
10706}
10707
10708/* called from ssl3_SendFinished
10709 *
10710 * This function is simply a debugging aid and therefore does not return a
10711 * SECStatus. */
10712static void
10713ssl3_RecordKeyLog(sslSocket *ss)
10714{
10715    SECStatus rv;
10716    SECItem *keyData;
10717    char buf[14 /* "CLIENT_RANDOM " */ +
10718	     SSL3_RANDOM_LENGTH*2 /* client_random */ +
10719	     1 /* " " */ +
10720	     48*2 /* master secret */ +
10721             1 /* new line */];
10722    unsigned int j;
10723
10724    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
10725
10726    if (!ssl_keylog_iob)
10727	return;
10728
10729    rv = PK11_ExtractKeyValue(ss->ssl3.cwSpec->master_secret);
10730    if (rv != SECSuccess)
10731	return;
10732
10733    ssl_GetSpecReadLock(ss);
10734
10735    /* keyData does not need to be freed. */
10736    keyData = PK11_GetKeyData(ss->ssl3.cwSpec->master_secret);
10737    if (!keyData || !keyData->data || keyData->len != 48) {
10738	ssl_ReleaseSpecReadLock(ss);
10739	return;
10740    }
10741
10742    /* https://developer.mozilla.org/en/NSS_Key_Log_Format */
10743
10744    /* There could be multiple, concurrent writers to the
10745     * keylog, so we have to do everything in a single call to
10746     * fwrite. */
10747
10748    memcpy(buf, "CLIENT_RANDOM ", 14);
10749    j = 14;
10750    hexEncode(buf + j, ss->ssl3.hs.client_random.rand, SSL3_RANDOM_LENGTH);
10751    j += SSL3_RANDOM_LENGTH*2;
10752    buf[j++] = ' ';
10753    hexEncode(buf + j, keyData->data, 48);
10754    j += 48*2;
10755    buf[j++] = '\n';
10756
10757    PORT_Assert(j == sizeof(buf));
10758
10759    ssl_ReleaseSpecReadLock(ss);
10760
10761    if (fwrite(buf, sizeof(buf), 1, ssl_keylog_iob) != 1)
10762        return;
10763    fflush(ssl_keylog_iob);
10764    return;
10765}
10766
10767/* called from ssl3_SendClientSecondRound
10768 *	     ssl3_HandleFinished
10769 */
10770static SECStatus
10771ssl3_SendEncryptedExtensions(sslSocket *ss)
10772{
10773    static const char CHANNEL_ID_MAGIC[] = "TLS Channel ID signature";
10774    static const char CHANNEL_ID_RESUMPTION_MAGIC[] = "Resumption";
10775    /* This is the ASN.1 prefix for a P-256 public key. Specifically it's:
10776     * SEQUENCE
10777     *   SEQUENCE
10778     *     OID id-ecPublicKey
10779     *     OID prime256v1
10780     *   BIT STRING, length 66, 0 trailing bits: 0x04
10781     *
10782     * The 0x04 in the BIT STRING is the prefix for an uncompressed, X9.62
10783     * public key. Following that are the two field elements as 32-byte,
10784     * big-endian numbers, as required by the Channel ID. */
10785    static const unsigned char P256_SPKI_PREFIX[] = {
10786	0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86,
10787	0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a,
10788	0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
10789	0x42, 0x00, 0x04
10790    };
10791    /* ChannelIDs are always 128 bytes long: 64 bytes of P-256 public key and 64
10792     * bytes of ECDSA signature. */
10793    static const int CHANNEL_ID_PUBLIC_KEY_LENGTH = 64;
10794    static const int CHANNEL_ID_LENGTH = 128;
10795
10796    SECStatus rv = SECFailure;
10797    SECItem *spki = NULL;
10798    SSL3Hashes hashes;
10799    const unsigned char *pub_bytes;
10800    unsigned char signed_data[sizeof(CHANNEL_ID_MAGIC) +
10801                              sizeof(CHANNEL_ID_RESUMPTION_MAGIC) +
10802                              sizeof(SSL3Hashes)*2];
10803    size_t signed_data_len;
10804    unsigned char digest[SHA256_LENGTH];
10805    SECItem digest_item;
10806    unsigned char signature[64];
10807    SECItem signature_item;
10808
10809    PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
10810    PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
10811
10812    if (ss->ssl3.channelID == NULL)
10813	return SECSuccess;
10814
10815    PORT_Assert(ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn));
10816
10817    if (SECKEY_GetPrivateKeyType(ss->ssl3.channelID) != ecKey ||
10818	PK11_SignatureLen(ss->ssl3.channelID) != sizeof(signature)) {
10819	PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY);
10820	rv = SECFailure;
10821	goto loser;
10822    }
10823
10824    ssl_GetSpecReadLock(ss);
10825    rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.cwSpec, &hashes, 0);
10826    ssl_ReleaseSpecReadLock(ss);
10827
10828    if (rv != SECSuccess)
10829	goto loser;
10830
10831    rv = ssl3_AppendHandshakeHeader(ss, encrypted_extensions,
10832				    2 + 2 + CHANNEL_ID_LENGTH);
10833    if (rv != SECSuccess)
10834	goto loser;	/* error code set by AppendHandshakeHeader */
10835    rv = ssl3_AppendHandshakeNumber(ss, ssl_channel_id_xtn, 2);
10836    if (rv != SECSuccess)
10837	goto loser;	/* error code set by AppendHandshake */
10838    rv = ssl3_AppendHandshakeNumber(ss, CHANNEL_ID_LENGTH, 2);
10839    if (rv != SECSuccess)
10840	goto loser;	/* error code set by AppendHandshake */
10841
10842    spki = SECKEY_EncodeDERSubjectPublicKeyInfo(ss->ssl3.channelIDPub);
10843
10844    if (spki->len != sizeof(P256_SPKI_PREFIX) + CHANNEL_ID_PUBLIC_KEY_LENGTH ||
10845	memcmp(spki->data, P256_SPKI_PREFIX, sizeof(P256_SPKI_PREFIX)) != 0) {
10846	PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY);
10847	rv = SECFailure;
10848	goto loser;
10849    }
10850
10851    pub_bytes = spki->data + sizeof(P256_SPKI_PREFIX);
10852
10853    signed_data_len = 0;
10854    memcpy(signed_data + signed_data_len, CHANNEL_ID_MAGIC,
10855           sizeof(CHANNEL_ID_MAGIC));
10856    signed_data_len += sizeof(CHANNEL_ID_MAGIC);
10857    if (ss->ssl3.hs.isResuming) {
10858        SECItem *originalHandshakeHash =
10859            &ss->sec.ci.sid->u.ssl3.originalHandshakeHash;
10860        PORT_Assert(originalHandshakeHash->len > 0);
10861
10862        memcpy(signed_data + signed_data_len, CHANNEL_ID_RESUMPTION_MAGIC,
10863               sizeof(CHANNEL_ID_RESUMPTION_MAGIC));
10864        signed_data_len += sizeof(CHANNEL_ID_RESUMPTION_MAGIC);
10865        memcpy(signed_data + signed_data_len, originalHandshakeHash->data,
10866               originalHandshakeHash->len);
10867        signed_data_len += originalHandshakeHash->len;
10868    }
10869    memcpy(signed_data + signed_data_len, hashes.u.raw, hashes.len);
10870    signed_data_len += hashes.len;
10871
10872    rv = PK11_HashBuf(SEC_OID_SHA256, digest, signed_data, signed_data_len);
10873    if (rv != SECSuccess)
10874	goto loser;
10875
10876    digest_item.data = digest;
10877    digest_item.len = sizeof(digest);
10878
10879    signature_item.data = signature;
10880    signature_item.len = sizeof(signature);
10881
10882    rv = PK11_Sign(ss->ssl3.channelID, &signature_item, &digest_item);
10883    if (rv != SECSuccess)
10884	goto loser;
10885
10886    rv = ssl3_AppendHandshake(ss, pub_bytes, CHANNEL_ID_PUBLIC_KEY_LENGTH);
10887    if (rv != SECSuccess)
10888	goto loser;
10889    rv = ssl3_AppendHandshake(ss, signature, sizeof(signature));
10890
10891loser:
10892    if (spki)
10893	SECITEM_FreeItem(spki, PR_TRUE);
10894    if (ss->ssl3.channelID) {
10895	SECKEY_DestroyPrivateKey(ss->ssl3.channelID);
10896	ss->ssl3.channelID = NULL;
10897    }
10898    if (ss->ssl3.channelIDPub) {
10899	SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
10900	ss->ssl3.channelIDPub = NULL;
10901    }
10902
10903    return rv;
10904}
10905
10906/* ssl3_RestartHandshakeAfterChannelIDReq is called to restart a handshake
10907 * after a ChannelID callback returned SECWouldBlock. At this point we have
10908 * processed the server's ServerHello but not yet any further messages. We will
10909 * always get a message from the server after a ServerHello so either they are
10910 * waiting in the buffer or we'll get network I/O. */
10911SECStatus
10912ssl3_RestartHandshakeAfterChannelIDReq(sslSocket *ss,
10913				       SECKEYPublicKey *channelIDPub,
10914				       SECKEYPrivateKey *channelID)
10915{
10916    if (ss->handshake == 0) {
10917	SECKEY_DestroyPublicKey(channelIDPub);
10918	SECKEY_DestroyPrivateKey(channelID);
10919	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
10920	return SECFailure;
10921    }
10922
10923    if (channelIDPub == NULL ||
10924	channelID == NULL) {
10925	if (channelIDPub)
10926	    SECKEY_DestroyPublicKey(channelIDPub);
10927	if (channelID)
10928	    SECKEY_DestroyPrivateKey(channelID);
10929	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
10930	return SECFailure;
10931    }
10932
10933    if (ss->ssl3.channelID)
10934	SECKEY_DestroyPrivateKey(ss->ssl3.channelID);
10935    if (ss->ssl3.channelIDPub)
10936	SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
10937
10938    ss->handshake = ssl_GatherRecord1stHandshake;
10939    ss->ssl3.channelID = channelID;
10940    ss->ssl3.channelIDPub = channelIDPub;
10941
10942    return SECSuccess;
10943}
10944
10945/* called from ssl3_SendClientSecondRound
10946 *             ssl3_HandleClientHello
10947 *             ssl3_HandleFinished
10948 */
10949static SECStatus
10950ssl3_SendFinished(sslSocket *ss, PRInt32 flags)
10951{
10952    ssl3CipherSpec *cwSpec;
10953    PRBool          isTLS;
10954    PRBool          isServer = ss->sec.isServer;
10955    SECStatus       rv;
10956    SSL3Sender      sender = isServer ? sender_server : sender_client;
10957    SSL3Hashes      hashes;
10958    TLSFinished     tlsFinished;
10959
10960    SSL_TRC(3, ("%d: SSL3[%d]: send finished handshake", SSL_GETPID(), ss->fd));
10961
10962    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
10963    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
10964
10965    ssl_GetSpecReadLock(ss);
10966    cwSpec = ss->ssl3.cwSpec;
10967    isTLS = (PRBool)(cwSpec->version > SSL_LIBRARY_VERSION_3_0);
10968    rv = ssl3_ComputeHandshakeHashes(ss, cwSpec, &hashes, sender);
10969    if (isTLS && rv == SECSuccess) {
10970	rv = ssl3_ComputeTLSFinished(cwSpec, isServer, &hashes, &tlsFinished);
10971    }
10972    ssl_ReleaseSpecReadLock(ss);
10973    if (rv != SECSuccess) {
10974	goto fail;	/* err code was set by ssl3_ComputeHandshakeHashes */
10975    }
10976
10977    if (isTLS) {
10978	if (isServer)
10979	    ss->ssl3.hs.finishedMsgs.tFinished[1] = tlsFinished;
10980	else
10981	    ss->ssl3.hs.finishedMsgs.tFinished[0] = tlsFinished;
10982	ss->ssl3.hs.finishedBytes = sizeof tlsFinished;
10983	rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof tlsFinished);
10984	if (rv != SECSuccess)
10985	    goto fail; 		/* err set by AppendHandshake. */
10986	rv = ssl3_AppendHandshake(ss, &tlsFinished, sizeof tlsFinished);
10987	if (rv != SECSuccess)
10988	    goto fail; 		/* err set by AppendHandshake. */
10989    } else {
10990	if (isServer)
10991	    ss->ssl3.hs.finishedMsgs.sFinished[1] = hashes.u.s;
10992	else
10993	    ss->ssl3.hs.finishedMsgs.sFinished[0] = hashes.u.s;
10994	PORT_Assert(hashes.len == sizeof hashes.u.s);
10995	ss->ssl3.hs.finishedBytes = sizeof hashes.u.s;
10996	rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof hashes.u.s);
10997	if (rv != SECSuccess)
10998	    goto fail; 		/* err set by AppendHandshake. */
10999	rv = ssl3_AppendHandshake(ss, &hashes.u.s, sizeof hashes.u.s);
11000	if (rv != SECSuccess)
11001	    goto fail; 		/* err set by AppendHandshake. */
11002    }
11003    rv = ssl3_FlushHandshake(ss, flags);
11004    if (rv != SECSuccess) {
11005	goto fail;	/* error code set by ssl3_FlushHandshake */
11006    }
11007
11008    ssl3_RecordKeyLog(ss);
11009
11010    return SECSuccess;
11011
11012fail:
11013    return rv;
11014}
11015
11016/* wrap the master secret, and put it into the SID.
11017 * Caller holds the Spec read lock.
11018 */
11019SECStatus
11020ssl3_CacheWrappedMasterSecret(sslSocket *ss, sslSessionID *sid,
11021    ssl3CipherSpec *spec, SSL3KEAType effectiveExchKeyType)
11022{
11023    PK11SymKey *      wrappingKey  = NULL;
11024    PK11SlotInfo *    symKeySlot;
11025    void *            pwArg        = ss->pkcs11PinArg;
11026    SECStatus         rv           = SECFailure;
11027    PRBool            isServer     = ss->sec.isServer;
11028    CK_MECHANISM_TYPE mechanism    = CKM_INVALID_MECHANISM;
11029    symKeySlot = PK11_GetSlotFromKey(spec->master_secret);
11030    if (!isServer) {
11031	int  wrapKeyIndex;
11032	int  incarnation;
11033
11034	/* these next few functions are mere accessors and don't fail. */
11035	sid->u.ssl3.masterWrapIndex  = wrapKeyIndex =
11036				       PK11_GetCurrentWrapIndex(symKeySlot);
11037	PORT_Assert(wrapKeyIndex == 0);	/* array has only one entry! */
11038
11039	sid->u.ssl3.masterWrapSeries = incarnation =
11040				       PK11_GetSlotSeries(symKeySlot);
11041	sid->u.ssl3.masterSlotID   = PK11_GetSlotID(symKeySlot);
11042	sid->u.ssl3.masterModuleID = PK11_GetModuleID(symKeySlot);
11043	sid->u.ssl3.masterValid    = PR_TRUE;
11044	/* Get the default wrapping key, for wrapping the master secret before
11045	 * placing it in the SID cache entry. */
11046	wrappingKey = PK11_GetWrapKey(symKeySlot, wrapKeyIndex,
11047				      CKM_INVALID_MECHANISM, incarnation,
11048				      pwArg);
11049	if (wrappingKey) {
11050	    mechanism = PK11_GetMechanism(wrappingKey); /* can't fail. */
11051	} else {
11052	    int keyLength;
11053	    /* if the wrappingKey doesn't exist, attempt to create it.
11054	     * Note: we intentionally ignore errors here.  If we cannot
11055	     * generate a wrapping key, it is not fatal to this SSL connection,
11056	     * but we will not be able to restart this session.
11057	     */
11058	    mechanism = PK11_GetBestWrapMechanism(symKeySlot);
11059	    keyLength = PK11_GetBestKeyLength(symKeySlot, mechanism);
11060	    /* Zero length means fixed key length algorithm, or error.
11061	     * It's ambiguous.
11062	     */
11063	    wrappingKey = PK11_KeyGen(symKeySlot, mechanism, NULL,
11064				      keyLength, pwArg);
11065	    if (wrappingKey) {
11066		PK11_SetWrapKey(symKeySlot, wrapKeyIndex, wrappingKey);
11067	    }
11068	}
11069    } else {
11070	/* server socket using session cache. */
11071	mechanism = PK11_GetBestWrapMechanism(symKeySlot);
11072	if (mechanism != CKM_INVALID_MECHANISM) {
11073	    wrappingKey =
11074		getWrappingKey(ss, symKeySlot, effectiveExchKeyType,
11075			       mechanism, pwArg);
11076	    if (wrappingKey) {
11077		mechanism = PK11_GetMechanism(wrappingKey); /* can't fail. */
11078	    }
11079	}
11080    }
11081
11082    sid->u.ssl3.masterWrapMech = mechanism;
11083    PK11_FreeSlot(symKeySlot);
11084
11085    if (wrappingKey) {
11086	SECItem wmsItem;
11087
11088	wmsItem.data = sid->u.ssl3.keys.wrapped_master_secret;
11089	wmsItem.len  = sizeof sid->u.ssl3.keys.wrapped_master_secret;
11090	rv = PK11_WrapSymKey(mechanism, NULL, wrappingKey,
11091			     spec->master_secret, &wmsItem);
11092	/* rv is examined below. */
11093	sid->u.ssl3.keys.wrapped_master_secret_len = wmsItem.len;
11094	PK11_FreeSymKey(wrappingKey);
11095    }
11096    return rv;
11097}
11098
11099/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
11100 * ssl3 Finished message from the peer.
11101 * Caller must hold Handshake and RecvBuf locks.
11102 */
11103static SECStatus
11104ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
11105		    const SSL3Hashes *hashes)
11106{
11107    sslSessionID *    sid	   = ss->sec.ci.sid;
11108    SECStatus         rv           = SECSuccess;
11109    PRBool            isServer     = ss->sec.isServer;
11110    PRBool            isTLS;
11111    SSL3KEAType       effectiveExchKeyType;
11112
11113    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
11114    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
11115
11116    SSL_TRC(3, ("%d: SSL3[%d]: handle finished handshake",
11117    	SSL_GETPID(), ss->fd));
11118
11119    if (ss->ssl3.hs.ws != wait_finished) {
11120	SSL3_SendAlert(ss, alert_fatal, unexpected_message);
11121    	PORT_SetError(SSL_ERROR_RX_UNEXPECTED_FINISHED);
11122	return SECFailure;
11123    }
11124
11125    isTLS = (PRBool)(ss->ssl3.crSpec->version > SSL_LIBRARY_VERSION_3_0);
11126    if (isTLS) {
11127	TLSFinished tlsFinished;
11128
11129	if (length != sizeof tlsFinished) {
11130	    (void)SSL3_SendAlert(ss, alert_fatal, decode_error);
11131	    PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED);
11132	    return SECFailure;
11133	}
11134	rv = ssl3_ComputeTLSFinished(ss->ssl3.crSpec, !isServer,
11135	                             hashes, &tlsFinished);
11136	if (!isServer)
11137	    ss->ssl3.hs.finishedMsgs.tFinished[1] = tlsFinished;
11138	else
11139	    ss->ssl3.hs.finishedMsgs.tFinished[0] = tlsFinished;
11140	ss->ssl3.hs.finishedBytes = sizeof tlsFinished;
11141	if (rv != SECSuccess ||
11142	    0 != NSS_SecureMemcmp(&tlsFinished, b, length)) {
11143	    (void)SSL3_SendAlert(ss, alert_fatal, decrypt_error);
11144	    PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
11145	    return SECFailure;
11146	}
11147    } else {
11148	if (length != sizeof(SSL3Finished)) {
11149	    (void)ssl3_IllegalParameter(ss);
11150	    PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED);
11151	    return SECFailure;
11152	}
11153
11154	if (!isServer)
11155	    ss->ssl3.hs.finishedMsgs.sFinished[1] = hashes->u.s;
11156	else
11157	    ss->ssl3.hs.finishedMsgs.sFinished[0] = hashes->u.s;
11158	PORT_Assert(hashes->len == sizeof hashes->u.s);
11159	ss->ssl3.hs.finishedBytes = sizeof hashes->u.s;
11160	if (0 != NSS_SecureMemcmp(&hashes->u.s, b, length)) {
11161	    (void)ssl3_HandshakeFailure(ss);
11162	    PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
11163	    return SECFailure;
11164	}
11165    }
11166
11167    ssl_GetXmitBufLock(ss);	/*************************************/
11168
11169    if ((isServer && !ss->ssl3.hs.isResuming) ||
11170	(!isServer && ss->ssl3.hs.isResuming)) {
11171	PRInt32 flags = 0;
11172
11173	/* Send a NewSessionTicket message if the client sent us
11174	 * either an empty session ticket, or one that did not verify.
11175	 * (Note that if either of these conditions was met, then the
11176	 * server has sent a SessionTicket extension in the
11177	 * ServerHello message.)
11178	 */
11179	if (isServer && !ss->ssl3.hs.isResuming &&
11180	    ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn)) {
11181	    /* RFC 5077 Section 3.3: "In the case of a full handshake, the
11182	     * server MUST verify the client's Finished message before sending
11183	     * the ticket." Presumably, this also means that the client's
11184	     * certificate, if any, must be verified beforehand too.
11185	     */
11186	    rv = ssl3_SendNewSessionTicket(ss);
11187	    if (rv != SECSuccess) {
11188		goto xmit_loser;
11189	    }
11190	}
11191
11192	rv = ssl3_SendChangeCipherSpecs(ss);
11193	if (rv != SECSuccess) {
11194	    goto xmit_loser;	/* err is set. */
11195	}
11196	/* If this thread is in SSL_SecureSend (trying to write some data)
11197	** then set the ssl_SEND_FLAG_FORCE_INTO_BUFFER flag, so that the
11198	** last two handshake messages (change cipher spec and finished)
11199	** will be sent in the same send/write call as the application data.
11200	*/
11201	if (ss->writerThread == PR_GetCurrentThread()) {
11202	    flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER;
11203	}
11204
11205	if (!isServer) {
11206	    if (!ss->firstHsDone) {
11207		rv = ssl3_SendNextProto(ss);
11208		if (rv != SECSuccess) {
11209		    goto xmit_loser; /* err code was set. */
11210		}
11211	    }
11212	    rv = ssl3_SendEncryptedExtensions(ss);
11213	    if (rv != SECSuccess)
11214		goto xmit_loser; /* err code was set. */
11215	}
11216
11217	if (IS_DTLS(ss)) {
11218	    flags |= ssl_SEND_FLAG_NO_RETRANSMIT;
11219	}
11220
11221	rv = ssl3_SendFinished(ss, flags);
11222	if (rv != SECSuccess) {
11223	    goto xmit_loser;	/* err is set. */
11224	}
11225    }
11226
11227xmit_loser:
11228    ssl_ReleaseXmitBufLock(ss);	/*************************************/
11229    if (rv != SECSuccess) {
11230        return rv;
11231    }
11232
11233    if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) {
11234	effectiveExchKeyType = kt_rsa;
11235    } else {
11236	effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType;
11237    }
11238
11239    if (sid->cached == never_cached && !ss->opt.noCache && ss->sec.cache) {
11240	/* fill in the sid */
11241	sid->u.ssl3.cipherSuite = ss->ssl3.hs.cipher_suite;
11242	sid->u.ssl3.compression = ss->ssl3.hs.compression;
11243	sid->u.ssl3.policy      = ss->ssl3.policy;
11244#ifdef NSS_ENABLE_ECC
11245	sid->u.ssl3.negotiatedECCurves = ss->ssl3.hs.negotiatedECCurves;
11246#endif
11247	sid->u.ssl3.exchKeyType = effectiveExchKeyType;
11248	sid->version            = ss->version;
11249	sid->authAlgorithm      = ss->sec.authAlgorithm;
11250	sid->authKeyBits        = ss->sec.authKeyBits;
11251	sid->keaType            = ss->sec.keaType;
11252	sid->keaKeyBits         = ss->sec.keaKeyBits;
11253	sid->lastAccessTime     = sid->creationTime = ssl_Time();
11254	sid->expirationTime     = sid->creationTime + ssl3_sid_timeout;
11255	sid->localCert          = CERT_DupCertificate(ss->sec.localCert);
11256
11257	ssl_GetSpecReadLock(ss);	/*************************************/
11258
11259	/* Copy the master secret (wrapped or unwrapped) into the sid */
11260	if (ss->ssl3.crSpec->msItem.len && ss->ssl3.crSpec->msItem.data) {
11261	    sid->u.ssl3.keys.wrapped_master_secret_len =
11262			    ss->ssl3.crSpec->msItem.len;
11263	    memcpy(sid->u.ssl3.keys.wrapped_master_secret,
11264		   ss->ssl3.crSpec->msItem.data, ss->ssl3.crSpec->msItem.len);
11265	    sid->u.ssl3.masterValid    = PR_TRUE;
11266	    sid->u.ssl3.keys.msIsWrapped = PR_FALSE;
11267	    rv = SECSuccess;
11268	} else {
11269	    rv = ssl3_CacheWrappedMasterSecret(ss, ss->sec.ci.sid,
11270					       ss->ssl3.crSpec,
11271					       effectiveExchKeyType);
11272	    sid->u.ssl3.keys.msIsWrapped = PR_TRUE;
11273	}
11274	ssl_ReleaseSpecReadLock(ss);  /*************************************/
11275
11276	/* If the wrap failed, we don't cache the sid.
11277	 * The connection continues normally however.
11278	 */
11279	ss->ssl3.hs.cacheSID = rv == SECSuccess;
11280    }
11281
11282    if (ss->ssl3.hs.authCertificatePending) {
11283	if (ss->ssl3.hs.restartTarget) {
11284	    PR_NOT_REACHED("ssl3_HandleFinished: unexpected restartTarget");
11285	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
11286	    return SECFailure;
11287	}
11288
11289	ss->ssl3.hs.restartTarget = ssl3_FinishHandshake;
11290	return SECWouldBlock;
11291    }
11292
11293    rv = ssl3_FinishHandshake(ss);
11294    return rv;
11295}
11296
11297/* The return type is SECStatus instead of void because this function needs
11298 * to have type sslRestartTarget.
11299 */
11300SECStatus
11301ssl3_FinishHandshake(sslSocket * ss)
11302{
11303    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
11304    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
11305    PORT_Assert( ss->ssl3.hs.restartTarget == NULL );
11306
11307    /* The first handshake is now completed. */
11308    ss->handshake           = NULL;
11309
11310    /* RFC 5077 Section 3.3: "The client MUST NOT treat the ticket as valid
11311     * until it has verified the server's Finished message." When the server
11312     * sends a NewSessionTicket in a resumption handshake, we must wait until
11313     * the handshake is finished (we have verified the server's Finished
11314     * AND the server's certificate) before we update the ticket in the sid.
11315     *
11316     * This must be done before we call (*ss->sec.cache)(ss->sec.ci.sid)
11317     * because CacheSID requires the session ticket to already be set, and also
11318     * because of the lazy lock creation scheme used by CacheSID and
11319     * ssl3_SetSIDSessionTicket.
11320     */
11321    if (ss->ssl3.hs.receivedNewSessionTicket) {
11322	PORT_Assert(!ss->sec.isServer);
11323	ssl3_SetSIDSessionTicket(ss->sec.ci.sid, &ss->ssl3.hs.newSessionTicket);
11324	/* The sid took over the ticket data */
11325	PORT_Assert(!ss->ssl3.hs.newSessionTicket.ticket.data);
11326        ss->ssl3.hs.receivedNewSessionTicket = PR_FALSE;
11327    }
11328
11329    if (ss->ssl3.hs.cacheSID && ss->sec.isServer) {
11330	PORT_Assert(ss->sec.ci.sid->cached == never_cached);
11331	(*ss->sec.cache)(ss->sec.ci.sid);
11332	ss->ssl3.hs.cacheSID = PR_FALSE;
11333    }
11334
11335    ss->ssl3.hs.canFalseStart = PR_FALSE; /* False Start phase is complete */
11336    ss->ssl3.hs.ws = idle_handshake;
11337
11338    ssl_FinishHandshake(ss);
11339
11340    return SECSuccess;
11341}
11342
11343/* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3
11344 * hanshake message.
11345 * Caller must hold Handshake and RecvBuf locks.
11346 */
11347SECStatus
11348ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
11349{
11350    SECStatus         rv 	= SECSuccess;
11351    SSL3HandshakeType type 	= ss->ssl3.hs.msg_type;
11352    SSL3Hashes        hashes;	/* computed hashes are put here. */
11353    PRUint8           hdr[4];
11354    PRUint8           dtlsData[8];
11355
11356    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
11357    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
11358    /*
11359     * We have to compute the hashes before we update them with the
11360     * current message.
11361     */
11362    ssl_GetSpecReadLock(ss);	/************************************/
11363    if((type == finished) || (type == certificate_verify)) {
11364	SSL3Sender      sender = (SSL3Sender)0;
11365	ssl3CipherSpec *rSpec  = ss->ssl3.prSpec;
11366
11367	if (type == finished) {
11368	    sender = ss->sec.isServer ? sender_client : sender_server;
11369	    rSpec  = ss->ssl3.crSpec;
11370	}
11371	rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender);
11372    }
11373    ssl_ReleaseSpecReadLock(ss); /************************************/
11374    if (rv != SECSuccess) {
11375	return rv;	/* error code was set by ssl3_ComputeHandshakeHashes*/
11376    }
11377    SSL_TRC(30,("%d: SSL3[%d]: handle handshake message: %s", SSL_GETPID(),
11378		ss->fd, ssl3_DecodeHandshakeType(ss->ssl3.hs.msg_type)));
11379
11380    hdr[0] = (PRUint8)ss->ssl3.hs.msg_type;
11381    hdr[1] = (PRUint8)(length >> 16);
11382    hdr[2] = (PRUint8)(length >>  8);
11383    hdr[3] = (PRUint8)(length      );
11384
11385    /* Start new handshake hashes when we start a new handshake */
11386    if (ss->ssl3.hs.msg_type == client_hello) {
11387	rv = ssl3_RestartHandshakeHashes(ss);
11388	if (rv != SECSuccess) {
11389	    return rv;
11390	}
11391    }
11392    /* We should not include hello_request and hello_verify_request messages
11393     * in the handshake hashes */
11394    if ((ss->ssl3.hs.msg_type != hello_request) &&
11395	(ss->ssl3.hs.msg_type != hello_verify_request)) {
11396	rv = ssl3_UpdateHandshakeHashes(ss, (unsigned char*) hdr, 4);
11397	if (rv != SECSuccess) return rv;	/* err code already set. */
11398
11399	/* Extra data to simulate a complete DTLS handshake fragment */
11400	if (IS_DTLS(ss)) {
11401	    /* Sequence number */
11402	    dtlsData[0] = MSB(ss->ssl3.hs.recvMessageSeq);
11403	    dtlsData[1] = LSB(ss->ssl3.hs.recvMessageSeq);
11404
11405	    /* Fragment offset */
11406	    dtlsData[2] = 0;
11407	    dtlsData[3] = 0;
11408	    dtlsData[4] = 0;
11409
11410	    /* Fragment length */
11411	    dtlsData[5] = (PRUint8)(length >> 16);
11412	    dtlsData[6] = (PRUint8)(length >>  8);
11413	    dtlsData[7] = (PRUint8)(length      );
11414
11415	    rv = ssl3_UpdateHandshakeHashes(ss, (unsigned char*) dtlsData,
11416					    sizeof(dtlsData));
11417	    if (rv != SECSuccess) return rv;	/* err code already set. */
11418	}
11419
11420	/* The message body */
11421	rv = ssl3_UpdateHandshakeHashes(ss, b, length);
11422	if (rv != SECSuccess) return rv;	/* err code already set. */
11423    }
11424
11425    PORT_SetError(0);	/* each message starts with no error. */
11426
11427    if (ss->ssl3.hs.ws == wait_certificate_status &&
11428        ss->ssl3.hs.msg_type != certificate_status) {
11429        /* If we negotiated the certificate_status extension then we deferred
11430         * certificate validation until we get the CertificateStatus messsage.
11431         * But the CertificateStatus message is optional. If the server did
11432         * not send it then we need to validate the certificate now. If the
11433         * server does send the CertificateStatus message then we will
11434         * authenticate the certificate in ssl3_HandleCertificateStatus.
11435         */
11436        rv = ssl3_AuthCertificate(ss); /* sets ss->ssl3.hs.ws */
11437        PORT_Assert(rv != SECWouldBlock);
11438        if (rv != SECSuccess) {
11439            return rv;
11440        }
11441    }
11442
11443    switch (ss->ssl3.hs.msg_type) {
11444    case hello_request:
11445	if (length != 0) {
11446	    (void)ssl3_DecodeError(ss);
11447	    PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_REQUEST);
11448	    return SECFailure;
11449	}
11450	if (ss->sec.isServer) {
11451	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
11452	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST);
11453	    return SECFailure;
11454	}
11455	rv = ssl3_HandleHelloRequest(ss);
11456	break;
11457    case client_hello:
11458	if (!ss->sec.isServer) {
11459	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
11460	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO);
11461	    return SECFailure;
11462	}
11463	rv = ssl3_HandleClientHello(ss, b, length);
11464	break;
11465    case server_hello:
11466	if (ss->sec.isServer) {
11467	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
11468	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO);
11469	    return SECFailure;
11470	}
11471	rv = ssl3_HandleServerHello(ss, b, length);
11472	break;
11473    case hello_verify_request:
11474	if (!IS_DTLS(ss) || ss->sec.isServer) {
11475	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
11476	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY_REQUEST);
11477	    return SECFailure;
11478	}
11479	rv = dtls_HandleHelloVerifyRequest(ss, b, length);
11480	break;
11481    case certificate:
11482	rv = ssl3_HandleCertificate(ss, b, length);
11483	break;
11484    case certificate_status:
11485	rv = ssl3_HandleCertificateStatus(ss, b, length);
11486	break;
11487    case server_key_exchange:
11488	if (ss->sec.isServer) {
11489	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
11490	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH);
11491	    return SECFailure;
11492	}
11493	rv = ssl3_HandleServerKeyExchange(ss, b, length);
11494	break;
11495    case certificate_request:
11496	if (ss->sec.isServer) {
11497	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
11498	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST);
11499	    return SECFailure;
11500	}
11501	rv = ssl3_HandleCertificateRequest(ss, b, length);
11502	break;
11503    case server_hello_done:
11504	if (length != 0) {
11505	    (void)ssl3_DecodeError(ss);
11506	    PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_DONE);
11507	    return SECFailure;
11508	}
11509	if (ss->sec.isServer) {
11510	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
11511	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
11512	    return SECFailure;
11513	}
11514	rv = ssl3_HandleServerHelloDone(ss);
11515	break;
11516    case certificate_verify:
11517	if (!ss->sec.isServer) {
11518	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
11519	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY);
11520	    return SECFailure;
11521	}
11522	rv = ssl3_HandleCertificateVerify(ss, b, length, &hashes);
11523	break;
11524    case client_key_exchange:
11525	if (!ss->sec.isServer) {
11526	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
11527	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH);
11528	    return SECFailure;
11529	}
11530	rv = ssl3_HandleClientKeyExchange(ss, b, length);
11531	break;
11532    case new_session_ticket:
11533	if (ss->sec.isServer) {
11534	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
11535	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET);
11536	    return SECFailure;
11537	}
11538	rv = ssl3_HandleNewSessionTicket(ss, b, length);
11539	break;
11540    case finished:
11541        rv = ssl3_HandleFinished(ss, b, length, &hashes);
11542	break;
11543    default:
11544	(void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
11545	PORT_SetError(SSL_ERROR_RX_UNKNOWN_HANDSHAKE);
11546	rv = SECFailure;
11547    }
11548
11549    if (IS_DTLS(ss) && (rv != SECFailure)) {
11550	/* Increment the expected sequence number */
11551	ss->ssl3.hs.recvMessageSeq++;
11552    }
11553
11554    return rv;
11555}
11556
11557/* Called only from ssl3_HandleRecord, for each (deciphered) ssl3 record.
11558 * origBuf is the decrypted ssl record content.
11559 * Caller must hold the handshake and RecvBuf locks.
11560 */
11561static SECStatus
11562ssl3_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)
11563{
11564    /*
11565     * There may be a partial handshake message already in the handshake
11566     * state. The incoming buffer may contain another portion, or a
11567     * complete message or several messages followed by another portion.
11568     *
11569     * Each message is made contiguous before being passed to the actual
11570     * message parser.
11571     */
11572    sslBuffer *buf = &ss->ssl3.hs.msgState; /* do not lose the original buffer pointer */
11573    SECStatus rv;
11574
11575    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
11576    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
11577
11578    if (buf->buf == NULL) {
11579	*buf = *origBuf;
11580    }
11581    while (buf->len > 0) {
11582	if (ss->ssl3.hs.header_bytes < 4) {
11583	    PRUint8 t;
11584	    t = *(buf->buf++);
11585	    buf->len--;
11586	    if (ss->ssl3.hs.header_bytes++ == 0)
11587		ss->ssl3.hs.msg_type = (SSL3HandshakeType)t;
11588	    else
11589		ss->ssl3.hs.msg_len = (ss->ssl3.hs.msg_len << 8) + t;
11590	    if (ss->ssl3.hs.header_bytes < 4)
11591	    	continue;
11592
11593#define MAX_HANDSHAKE_MSG_LEN 0x1ffff	/* 128k - 1 */
11594	    if (ss->ssl3.hs.msg_len > MAX_HANDSHAKE_MSG_LEN) {
11595		(void)ssl3_DecodeError(ss);
11596		PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
11597		return SECFailure;
11598	    }
11599#undef MAX_HANDSHAKE_MSG_LEN
11600
11601	    /* If msg_len is zero, be sure we fall through,
11602	    ** even if buf->len is zero.
11603	    */
11604	    if (ss->ssl3.hs.msg_len > 0)
11605	    	continue;
11606	}
11607
11608	/*
11609	 * Header has been gathered and there is at least one byte of new
11610	 * data available for this message. If it can be done right out
11611	 * of the original buffer, then use it from there.
11612	 */
11613	if (ss->ssl3.hs.msg_body.len == 0 && buf->len >= ss->ssl3.hs.msg_len) {
11614	    /* handle it from input buffer */
11615	    rv = ssl3_HandleHandshakeMessage(ss, buf->buf, ss->ssl3.hs.msg_len);
11616	    if (rv == SECFailure) {
11617		/* This test wants to fall through on either
11618		 * SECSuccess or SECWouldBlock.
11619		 * ssl3_HandleHandshakeMessage MUST set the error code.
11620		 */
11621		return rv;
11622	    }
11623	    buf->buf += ss->ssl3.hs.msg_len;
11624	    buf->len -= ss->ssl3.hs.msg_len;
11625	    ss->ssl3.hs.msg_len = 0;
11626	    ss->ssl3.hs.header_bytes = 0;
11627	    if (rv != SECSuccess) { /* return if SECWouldBlock. */
11628		return rv;
11629	    }
11630	} else {
11631	    /* must be copied to msg_body and dealt with from there */
11632	    unsigned int bytes;
11633
11634	    PORT_Assert(ss->ssl3.hs.msg_body.len < ss->ssl3.hs.msg_len);
11635	    bytes = PR_MIN(buf->len, ss->ssl3.hs.msg_len - ss->ssl3.hs.msg_body.len);
11636
11637	    /* Grow the buffer if needed */
11638	    rv = sslBuffer_Grow(&ss->ssl3.hs.msg_body, ss->ssl3.hs.msg_len);
11639	    if (rv != SECSuccess) {
11640		/* sslBuffer_Grow has set a memory error code. */
11641		return SECFailure;
11642	    }
11643
11644	    PORT_Memcpy(ss->ssl3.hs.msg_body.buf + ss->ssl3.hs.msg_body.len,
11645		        buf->buf, bytes);
11646	    ss->ssl3.hs.msg_body.len += bytes;
11647	    buf->buf += bytes;
11648	    buf->len -= bytes;
11649
11650	    PORT_Assert(ss->ssl3.hs.msg_body.len <= ss->ssl3.hs.msg_len);
11651
11652	    /* if we have a whole message, do it */
11653	    if (ss->ssl3.hs.msg_body.len == ss->ssl3.hs.msg_len) {
11654		rv = ssl3_HandleHandshakeMessage(
11655		    ss, ss->ssl3.hs.msg_body.buf, ss->ssl3.hs.msg_len);
11656		if (rv == SECFailure) {
11657		    /* This test wants to fall through on either
11658		     * SECSuccess or SECWouldBlock.
11659		     * ssl3_HandleHandshakeMessage MUST set error code.
11660		     */
11661		    return rv;
11662		}
11663		ss->ssl3.hs.msg_body.len = 0;
11664		ss->ssl3.hs.msg_len = 0;
11665		ss->ssl3.hs.header_bytes = 0;
11666		if (rv != SECSuccess) { /* return if SECWouldBlock. */
11667		    return rv;
11668		}
11669	    } else {
11670		PORT_Assert(buf->len == 0);
11671		break;
11672	    }
11673	}
11674    }	/* end loop */
11675
11676    origBuf->len = 0;	/* So ssl3_GatherAppDataRecord will keep looping. */
11677    buf->buf = NULL;	/* not a leak. */
11678    return SECSuccess;
11679}
11680
11681/* These macros return the given value with the MSB copied to all the other
11682 * bits. They use the fact that arithmetic shift shifts-in the sign bit.
11683 * However, this is not ensured by the C standard so you may need to replace
11684 * them with something else for odd compilers. */
11685#define DUPLICATE_MSB_TO_ALL(x) ( (unsigned)( (int)(x) >> (sizeof(int)*8-1) ) )
11686#define DUPLICATE_MSB_TO_ALL_8(x) ((unsigned char)(DUPLICATE_MSB_TO_ALL(x)))
11687
11688/* SECStatusToMask returns, in constant time, a mask value of all ones if
11689 * rv == SECSuccess.  Otherwise it returns zero. */
11690static unsigned int
11691SECStatusToMask(SECStatus rv)
11692{
11693    unsigned int good;
11694    /* rv ^ SECSuccess is zero iff rv == SECSuccess. Subtracting one results
11695     * in the MSB being set to one iff it was zero before. */
11696    good = rv ^ SECSuccess;
11697    good--;
11698    return DUPLICATE_MSB_TO_ALL(good);
11699}
11700
11701/* ssl_ConstantTimeGE returns 0xff if a>=b and 0x00 otherwise. */
11702static unsigned char
11703ssl_ConstantTimeGE(unsigned int a, unsigned int b)
11704{
11705    a -= b;
11706    return DUPLICATE_MSB_TO_ALL(~a);
11707}
11708
11709/* ssl_ConstantTimeEQ8 returns 0xff if a==b and 0x00 otherwise. */
11710static unsigned char
11711ssl_ConstantTimeEQ8(unsigned char a, unsigned char b)
11712{
11713    unsigned int c = a ^ b;
11714    c--;
11715    return DUPLICATE_MSB_TO_ALL_8(c);
11716}
11717
11718static SECStatus
11719ssl_RemoveSSLv3CBCPadding(sslBuffer *plaintext,
11720			  unsigned int blockSize,
11721			  unsigned int macSize)
11722{
11723    unsigned int paddingLength, good, t;
11724    const unsigned int overhead = 1 /* padding length byte */ + macSize;
11725
11726    /* These lengths are all public so we can test them in non-constant
11727     * time. */
11728    if (overhead > plaintext->len) {
11729	return SECFailure;
11730    }
11731
11732    paddingLength = plaintext->buf[plaintext->len-1];
11733    /* SSLv3 padding bytes are random and cannot be checked. */
11734    t = plaintext->len;
11735    t -= paddingLength+overhead;
11736    /* If len >= paddingLength+overhead then the MSB of t is zero. */
11737    good = DUPLICATE_MSB_TO_ALL(~t);
11738    /* SSLv3 requires that the padding is minimal. */
11739    t = blockSize - (paddingLength+1);
11740    good &= DUPLICATE_MSB_TO_ALL(~t);
11741    plaintext->len -= good & (paddingLength+1);
11742    return (good & SECSuccess) | (~good & SECFailure);
11743}
11744
11745static SECStatus
11746ssl_RemoveTLSCBCPadding(sslBuffer *plaintext, unsigned int macSize)
11747{
11748    unsigned int paddingLength, good, t, toCheck, i;
11749    const unsigned int overhead = 1 /* padding length byte */ + macSize;
11750
11751    /* These lengths are all public so we can test them in non-constant
11752     * time. */
11753    if (overhead > plaintext->len) {
11754	return SECFailure;
11755    }
11756
11757    paddingLength = plaintext->buf[plaintext->len-1];
11758    t = plaintext->len;
11759    t -= paddingLength+overhead;
11760    /* If len >= paddingLength+overhead then the MSB of t is zero. */
11761    good = DUPLICATE_MSB_TO_ALL(~t);
11762
11763    /* The padding consists of a length byte at the end of the record and then
11764     * that many bytes of padding, all with the same value as the length byte.
11765     * Thus, with the length byte included, there are paddingLength+1 bytes of
11766     * padding.
11767     *
11768     * We can't check just |paddingLength+1| bytes because that leaks
11769     * decrypted information. Therefore we always have to check the maximum
11770     * amount of padding possible. (Again, the length of the record is
11771     * public information so we can use it.) */
11772    toCheck = 255; /* maximum amount of padding. */
11773    if (toCheck > plaintext->len-1) {
11774	toCheck = plaintext->len-1;
11775    }
11776
11777    for (i = 0; i < toCheck; i++) {
11778	unsigned int t = paddingLength - i;
11779	/* If i <= paddingLength then the MSB of t is zero and mask is
11780	 * 0xff.  Otherwise, mask is 0. */
11781	unsigned char mask = DUPLICATE_MSB_TO_ALL(~t);
11782	unsigned char b = plaintext->buf[plaintext->len-1-i];
11783	/* The final |paddingLength+1| bytes should all have the value
11784	 * |paddingLength|. Therefore the XOR should be zero. */
11785	good &= ~(mask&(paddingLength ^ b));
11786    }
11787
11788    /* If any of the final |paddingLength+1| bytes had the wrong value,
11789     * one or more of the lower eight bits of |good| will be cleared. We
11790     * AND the bottom 8 bits together and duplicate the result to all the
11791     * bits. */
11792    good &= good >> 4;
11793    good &= good >> 2;
11794    good &= good >> 1;
11795    good <<= sizeof(good)*8-1;
11796    good = DUPLICATE_MSB_TO_ALL(good);
11797
11798    plaintext->len -= good & (paddingLength+1);
11799    return (good & SECSuccess) | (~good & SECFailure);
11800}
11801
11802/* On entry:
11803 *   originalLength >= macSize
11804 *   macSize <= MAX_MAC_LENGTH
11805 *   plaintext->len >= macSize
11806 */
11807static void
11808ssl_CBCExtractMAC(sslBuffer *plaintext,
11809		  unsigned int originalLength,
11810		  SSL3Opaque* out,
11811		  unsigned int macSize)
11812{
11813    unsigned char rotatedMac[MAX_MAC_LENGTH];
11814    /* macEnd is the index of |plaintext->buf| just after the end of the
11815     * MAC. */
11816    unsigned macEnd = plaintext->len;
11817    unsigned macStart = macEnd - macSize;
11818    /* scanStart contains the number of bytes that we can ignore because
11819     * the MAC's position can only vary by 255 bytes. */
11820    unsigned scanStart = 0;
11821    unsigned i, j, divSpoiler;
11822    unsigned char rotateOffset;
11823
11824    if (originalLength > macSize + 255 + 1)
11825	scanStart = originalLength - (macSize + 255 + 1);
11826
11827    /* divSpoiler contains a multiple of macSize that is used to cause the
11828     * modulo operation to be constant time. Without this, the time varies
11829     * based on the amount of padding when running on Intel chips at least.
11830     *
11831     * The aim of right-shifting macSize is so that the compiler doesn't
11832     * figure out that it can remove divSpoiler as that would require it
11833     * to prove that macSize is always even, which I hope is beyond it. */
11834    divSpoiler = macSize >> 1;
11835    divSpoiler <<= (sizeof(divSpoiler)-1)*8;
11836    rotateOffset = (divSpoiler + macStart - scanStart) % macSize;
11837
11838    memset(rotatedMac, 0, macSize);
11839    for (i = scanStart; i < originalLength;) {
11840	for (j = 0; j < macSize && i < originalLength; i++, j++) {
11841	    unsigned char macStarted = ssl_ConstantTimeGE(i, macStart);
11842	    unsigned char macEnded = ssl_ConstantTimeGE(i, macEnd);
11843	    unsigned char b = 0;
11844	    b = plaintext->buf[i];
11845	    rotatedMac[j] |= b & macStarted & ~macEnded;
11846	}
11847    }
11848
11849    /* Now rotate the MAC. If we knew that the MAC fit into a CPU cache line
11850     * we could line-align |rotatedMac| and rotate in place. */
11851    memset(out, 0, macSize);
11852    for (i = 0; i < macSize; i++) {
11853	unsigned char offset =
11854	    (divSpoiler + macSize - rotateOffset + i) % macSize;
11855	for (j = 0; j < macSize; j++) {
11856	    out[j] |= rotatedMac[i] & ssl_ConstantTimeEQ8(j, offset);
11857	}
11858    }
11859}
11860
11861/* if cText is non-null, then decipher, check MAC, and decompress the
11862 * SSL record from cText->buf (typically gs->inbuf)
11863 * into databuf (typically gs->buf), and any previous contents of databuf
11864 * is lost.  Then handle databuf according to its SSL record type,
11865 * unless it's an application record.
11866 *
11867 * If cText is NULL, then the ciphertext has previously been deciphered and
11868 * checked, and is already sitting in databuf.  It is processed as an SSL
11869 * Handshake message.
11870 *
11871 * DOES NOT process the decrypted/decompressed application data.
11872 * On return, databuf contains the decrypted/decompressed record.
11873 *
11874 * Called from ssl3_GatherCompleteHandshake
11875 *             ssl3_RestartHandshakeAfterCertReq
11876 *
11877 * Caller must hold the RecvBufLock.
11878 *
11879 * This function aquires and releases the SSL3Handshake Lock, holding the
11880 * lock around any calls to functions that handle records other than
11881 * Application Data records.
11882 */
11883SECStatus
11884ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf)
11885{
11886    const ssl3BulkCipherDef *cipher_def;
11887    ssl3CipherSpec *     crSpec;
11888    SECStatus            rv;
11889    unsigned int         hashBytes = MAX_MAC_LENGTH + 1;
11890    PRBool               isTLS;
11891    SSL3ContentType      rType;
11892    SSL3Opaque           hash[MAX_MAC_LENGTH];
11893    SSL3Opaque           givenHashBuf[MAX_MAC_LENGTH];
11894    SSL3Opaque          *givenHash;
11895    sslBuffer           *plaintext;
11896    sslBuffer            temp_buf;
11897    PRUint64             dtls_seq_num;
11898    unsigned int         ivLen = 0;
11899    unsigned int         originalLen = 0;
11900    unsigned int         good;
11901    unsigned int         minLength;
11902    unsigned char        header[13];
11903    unsigned int         headerLen;
11904
11905    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
11906
11907    if (!ss->ssl3.initialized) {
11908	ssl_GetSSL3HandshakeLock(ss);
11909	rv = ssl3_InitState(ss);
11910	ssl_ReleaseSSL3HandshakeLock(ss);
11911	if (rv != SECSuccess) {
11912	    return rv;		/* ssl3_InitState has set the error code. */
11913    	}
11914    }
11915
11916    /* check for Token Presence */
11917    if (!ssl3_ClientAuthTokenPresent(ss->sec.ci.sid)) {
11918	PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
11919	return SECFailure;
11920    }
11921
11922    /* cText is NULL when we're called from ssl3_RestartHandshakeAfterXXX().
11923     * This implies that databuf holds a previously deciphered SSL Handshake
11924     * message.
11925     */
11926    if (cText == NULL) {
11927	SSL_DBG(("%d: SSL3[%d]: HandleRecord, resuming handshake",
11928		 SSL_GETPID(), ss->fd));
11929	rType = content_handshake;
11930	goto process_it;
11931    }
11932
11933    ssl_GetSpecReadLock(ss); /******************************************/
11934
11935    crSpec = ss->ssl3.crSpec;
11936    cipher_def = crSpec->cipher_def;
11937
11938    /*
11939     * DTLS relevance checks:
11940     * Note that this code currently ignores all out-of-epoch packets,
11941     * which means we lose some in the case of rehandshake +
11942     * loss/reordering. Since DTLS is explicitly unreliable, this
11943     * seems like a good tradeoff for implementation effort and is
11944     * consistent with the guidance of RFC 6347 Sections 4.1 and 4.2.4.1
11945     */
11946    if (IS_DTLS(ss)) {
11947	DTLSEpoch epoch = (cText->seq_num.high >> 16) & 0xffff;
11948
11949	if (crSpec->epoch != epoch) {
11950	    ssl_ReleaseSpecReadLock(ss);
11951	    SSL_DBG(("%d: SSL3[%d]: HandleRecord, received packet "
11952		     "from irrelevant epoch %d", SSL_GETPID(), ss->fd, epoch));
11953	    /* Silently drop the packet */
11954            databuf->len = 0; /* Needed to ensure data not left around */
11955	    return SECSuccess;
11956	}
11957
11958	dtls_seq_num = (((PRUint64)(cText->seq_num.high & 0xffff)) << 32) |
11959			((PRUint64)cText->seq_num.low);
11960
11961	if (dtls_RecordGetRecvd(&crSpec->recvdRecords, dtls_seq_num) != 0) {
11962	    ssl_ReleaseSpecReadLock(ss);
11963	    SSL_DBG(("%d: SSL3[%d]: HandleRecord, rejecting "
11964		     "potentially replayed packet", SSL_GETPID(), ss->fd));
11965	    /* Silently drop the packet */
11966            databuf->len = 0; /* Needed to ensure data not left around */
11967	    return SECSuccess;
11968	}
11969    }
11970
11971    good = ~0U;
11972    minLength = crSpec->mac_size;
11973    if (cipher_def->type == type_block) {
11974	/* CBC records have a padding length byte at the end. */
11975	minLength++;
11976	if (crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) {
11977	    /* With >= TLS 1.1, CBC records have an explicit IV. */
11978	    minLength += cipher_def->iv_size;
11979	}
11980    } else if (cipher_def->type == type_aead) {
11981	minLength = cipher_def->explicit_nonce_size + cipher_def->tag_size;
11982    }
11983
11984    /* We can perform this test in variable time because the record's total
11985     * length and the ciphersuite are both public knowledge. */
11986    if (cText->buf->len < minLength) {
11987	goto decrypt_loser;
11988    }
11989
11990    if (cipher_def->type == type_block &&
11991	crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) {
11992	/* Consume the per-record explicit IV. RFC 4346 Section 6.2.3.2 states
11993	 * "The receiver decrypts the entire GenericBlockCipher structure and
11994	 * then discards the first cipher block corresponding to the IV
11995	 * component." Instead, we decrypt the first cipher block and then
11996	 * discard it before decrypting the rest.
11997	 */
11998	SSL3Opaque iv[MAX_IV_LENGTH];
11999	int decoded;
12000
12001	ivLen = cipher_def->iv_size;
12002	if (ivLen < 8 || ivLen > sizeof(iv)) {
12003	    ssl_ReleaseSpecReadLock(ss);
12004	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
12005	    return SECFailure;
12006	}
12007
12008	PRINT_BUF(80, (ss, "IV (ciphertext):", cText->buf->buf, ivLen));
12009
12010	/* The decryption result is garbage, but since we just throw away
12011	 * the block it doesn't matter.  The decryption of the next block
12012	 * depends only on the ciphertext of the IV block.
12013	 */
12014	rv = crSpec->decode(crSpec->decodeContext, iv, &decoded,
12015			    sizeof(iv), cText->buf->buf, ivLen);
12016
12017	good &= SECStatusToMask(rv);
12018    }
12019
12020    /* If we will be decompressing the buffer we need to decrypt somewhere
12021     * other than into databuf */
12022    if (crSpec->decompressor) {
12023	temp_buf.buf = NULL;
12024	temp_buf.space = 0;
12025	plaintext = &temp_buf;
12026    } else {
12027	plaintext = databuf;
12028    }
12029
12030    plaintext->len = 0; /* filled in by decode call below. */
12031    if (plaintext->space < MAX_FRAGMENT_LENGTH) {
12032	rv = sslBuffer_Grow(plaintext, MAX_FRAGMENT_LENGTH + 2048);
12033	if (rv != SECSuccess) {
12034	    ssl_ReleaseSpecReadLock(ss);
12035	    SSL_DBG(("%d: SSL3[%d]: HandleRecord, tried to get %d bytes",
12036		     SSL_GETPID(), ss->fd, MAX_FRAGMENT_LENGTH + 2048));
12037	    /* sslBuffer_Grow has set a memory error code. */
12038	    /* Perhaps we should send an alert. (but we have no memory!) */
12039	    return SECFailure;
12040	}
12041    }
12042
12043    PRINT_BUF(80, (ss, "ciphertext:", cText->buf->buf + ivLen,
12044				      cText->buf->len - ivLen));
12045
12046    isTLS = (PRBool)(crSpec->version > SSL_LIBRARY_VERSION_3_0);
12047
12048    if (isTLS && cText->buf->len - ivLen > (MAX_FRAGMENT_LENGTH + 2048)) {
12049	ssl_ReleaseSpecReadLock(ss);
12050	SSL3_SendAlert(ss, alert_fatal, record_overflow);
12051	PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
12052	return SECFailure;
12053    }
12054
12055    rType = cText->type;
12056    if (cipher_def->type == type_aead) {
12057	/* XXX For many AEAD ciphers, the plaintext is shorter than the
12058	 * ciphertext by a fixed byte count, but it is not true in general.
12059	 * Each AEAD cipher should provide a function that returns the
12060	 * plaintext length for a given ciphertext. */
12061	unsigned int decryptedLen =
12062	    cText->buf->len - cipher_def->explicit_nonce_size -
12063	    cipher_def->tag_size;
12064	headerLen = ssl3_BuildRecordPseudoHeader(
12065	    header, IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
12066	    rType, isTLS, cText->version, IS_DTLS(ss), decryptedLen);
12067	PORT_Assert(headerLen <= sizeof(header));
12068	rv = crSpec->aead(
12069		ss->sec.isServer ? &crSpec->client : &crSpec->server,
12070		PR_TRUE,                          /* do decrypt */
12071		plaintext->buf,                   /* out */
12072		(int*) &plaintext->len,           /* outlen */
12073		plaintext->space,                 /* maxout */
12074		cText->buf->buf,                  /* in */
12075		cText->buf->len,                  /* inlen */
12076		header, headerLen);
12077	if (rv != SECSuccess) {
12078	    good = 0;
12079	}
12080    } else {
12081	if (cipher_def->type == type_block &&
12082	    ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) {
12083	    goto decrypt_loser;
12084	}
12085
12086	/* decrypt from cText buf to plaintext. */
12087	rv = crSpec->decode(
12088	    crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len,
12089	    plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen);
12090	if (rv != SECSuccess) {
12091	    goto decrypt_loser;
12092	}
12093
12094	PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len));
12095
12096	originalLen = plaintext->len;
12097
12098	/* If it's a block cipher, check and strip the padding. */
12099	if (cipher_def->type == type_block) {
12100	    const unsigned int blockSize = cipher_def->block_size;
12101	    const unsigned int macSize = crSpec->mac_size;
12102
12103	    if (!isTLS) {
12104		good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding(
12105			    plaintext, blockSize, macSize));
12106	    } else {
12107		good &= SECStatusToMask(ssl_RemoveTLSCBCPadding(
12108			    plaintext, macSize));
12109	    }
12110	}
12111
12112	/* compute the MAC */
12113	headerLen = ssl3_BuildRecordPseudoHeader(
12114	    header, IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
12115	    rType, isTLS, cText->version, IS_DTLS(ss),
12116	    plaintext->len - crSpec->mac_size);
12117	PORT_Assert(headerLen <= sizeof(header));
12118	if (cipher_def->type == type_block) {
12119	    rv = ssl3_ComputeRecordMACConstantTime(
12120		crSpec, (PRBool)(!ss->sec.isServer), header, headerLen,
12121		plaintext->buf, plaintext->len, originalLen,
12122		hash, &hashBytes);
12123
12124	    ssl_CBCExtractMAC(plaintext, originalLen, givenHashBuf,
12125			      crSpec->mac_size);
12126	    givenHash = givenHashBuf;
12127
12128	    /* plaintext->len will always have enough space to remove the MAC
12129	     * because in ssl_Remove{SSLv3|TLS}CBCPadding we only adjust
12130	     * plaintext->len if the result has enough space for the MAC and we
12131	     * tested the unadjusted size against minLength, above. */
12132	    plaintext->len -= crSpec->mac_size;
12133	} else {
12134	    /* This is safe because we checked the minLength above. */
12135	    plaintext->len -= crSpec->mac_size;
12136
12137	    rv = ssl3_ComputeRecordMAC(
12138		crSpec, (PRBool)(!ss->sec.isServer), header, headerLen,
12139		plaintext->buf, plaintext->len, hash, &hashBytes);
12140
12141	    /* We can read the MAC directly from the record because its location
12142	     * is public when a stream cipher is used. */
12143	    givenHash = plaintext->buf + plaintext->len;
12144	}
12145
12146	good &= SECStatusToMask(rv);
12147
12148	if (hashBytes != (unsigned)crSpec->mac_size ||
12149	    NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) {
12150	    /* We're allowed to leak whether or not the MAC check was correct */
12151	    good = 0;
12152	}
12153    }
12154
12155    if (good == 0) {
12156decrypt_loser:
12157	/* must not hold spec lock when calling SSL3_SendAlert. */
12158	ssl_ReleaseSpecReadLock(ss);
12159
12160	SSL_DBG(("%d: SSL3[%d]: decryption failed", SSL_GETPID(), ss->fd));
12161
12162	if (!IS_DTLS(ss)) {
12163	    SSL3_SendAlert(ss, alert_fatal, bad_record_mac);
12164	    /* always log mac error, in case attacker can read server logs. */
12165	    PORT_SetError(SSL_ERROR_BAD_MAC_READ);
12166	    return SECFailure;
12167	} else {
12168	    /* Silently drop the packet */
12169            databuf->len = 0; /* Needed to ensure data not left around */
12170	    return SECSuccess;
12171	}
12172    }
12173
12174    if (!IS_DTLS(ss)) {
12175	ssl3_BumpSequenceNumber(&crSpec->read_seq_num);
12176    } else {
12177	dtls_RecordSetRecvd(&crSpec->recvdRecords, dtls_seq_num);
12178    }
12179
12180    ssl_ReleaseSpecReadLock(ss); /*****************************************/
12181
12182    /*
12183     * The decrypted data is now in plaintext.
12184     */
12185
12186    /* possibly decompress the record. If we aren't using compression then
12187     * plaintext == databuf and so the uncompressed data is already in
12188     * databuf. */
12189    if (crSpec->decompressor) {
12190	if (databuf->space < plaintext->len + SSL3_COMPRESSION_MAX_EXPANSION) {
12191	    rv = sslBuffer_Grow(
12192	        databuf, plaintext->len + SSL3_COMPRESSION_MAX_EXPANSION);
12193	    if (rv != SECSuccess) {
12194		SSL_DBG(("%d: SSL3[%d]: HandleRecord, tried to get %d bytes",
12195			 SSL_GETPID(), ss->fd,
12196			 plaintext->len + SSL3_COMPRESSION_MAX_EXPANSION));
12197		/* sslBuffer_Grow has set a memory error code. */
12198		/* Perhaps we should send an alert. (but we have no memory!) */
12199		PORT_Free(plaintext->buf);
12200		return SECFailure;
12201	    }
12202	}
12203
12204	rv = crSpec->decompressor(crSpec->decompressContext,
12205				  databuf->buf,
12206				  (int*) &databuf->len,
12207				  databuf->space,
12208				  plaintext->buf,
12209				  plaintext->len);
12210
12211	if (rv != SECSuccess) {
12212	    int err = ssl_MapLowLevelError(SSL_ERROR_DECOMPRESSION_FAILURE);
12213	    SSL3_SendAlert(ss, alert_fatal,
12214			   isTLS ? decompression_failure : bad_record_mac);
12215
12216	    /* There appears to be a bug with (at least) Apache + OpenSSL where
12217	     * resumed SSLv3 connections don't actually use compression. See
12218	     * comments 93-95 of
12219	     * https://bugzilla.mozilla.org/show_bug.cgi?id=275744
12220	     *
12221	     * So, if we get a decompression error, and the record appears to
12222	     * be already uncompressed, then we return a more specific error
12223	     * code to hopefully save somebody some debugging time in the
12224	     * future.
12225	     */
12226	    if (plaintext->len >= 4) {
12227		unsigned int len = ((unsigned int) plaintext->buf[1] << 16) |
12228		                   ((unsigned int) plaintext->buf[2] << 8) |
12229		                   (unsigned int) plaintext->buf[3];
12230		if (len == plaintext->len - 4) {
12231		    /* This appears to be uncompressed already */
12232		    err = SSL_ERROR_RX_UNEXPECTED_UNCOMPRESSED_RECORD;
12233		}
12234	    }
12235
12236	    PORT_Free(plaintext->buf);
12237	    PORT_SetError(err);
12238	    return SECFailure;
12239	}
12240
12241	PORT_Free(plaintext->buf);
12242    }
12243
12244    /*
12245    ** Having completed the decompression, check the length again.
12246    */
12247    if (isTLS && databuf->len > (MAX_FRAGMENT_LENGTH + 1024)) {
12248	SSL3_SendAlert(ss, alert_fatal, record_overflow);
12249	PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
12250	return SECFailure;
12251    }
12252
12253    /* Application data records are processed by the caller of this
12254    ** function, not by this function.
12255    */
12256    if (rType == content_application_data) {
12257	if (ss->firstHsDone)
12258	    return SECSuccess;
12259	(void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
12260	PORT_SetError(SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA);
12261	return SECFailure;
12262    }
12263
12264    /* It's a record that must be handled by ssl itself, not the application.
12265    */
12266process_it:
12267    /* XXX  Get the xmit lock here.  Odds are very high that we'll be xmiting
12268     * data ang getting the xmit lock here prevents deadlocks.
12269     */
12270    ssl_GetSSL3HandshakeLock(ss);
12271
12272    /* All the functions called in this switch MUST set error code if
12273    ** they return SECFailure or SECWouldBlock.
12274    */
12275    switch (rType) {
12276    case content_change_cipher_spec:
12277	rv = ssl3_HandleChangeCipherSpecs(ss, databuf);
12278	break;
12279    case content_alert:
12280	rv = ssl3_HandleAlert(ss, databuf);
12281	break;
12282    case content_handshake:
12283	if (!IS_DTLS(ss)) {
12284	    rv = ssl3_HandleHandshake(ss, databuf);
12285	} else {
12286	    rv = dtls_HandleHandshake(ss, databuf);
12287	}
12288	break;
12289    /*
12290    case content_application_data is handled before this switch
12291    */
12292    default:
12293	SSL_DBG(("%d: SSL3[%d]: bogus content type=%d",
12294		 SSL_GETPID(), ss->fd, cText->type));
12295	/* XXX Send an alert ???  */
12296	PORT_SetError(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE);
12297	rv = SECFailure;
12298	break;
12299    }
12300
12301    ssl_ReleaseSSL3HandshakeLock(ss);
12302    return rv;
12303}
12304
12305/*
12306 * Initialization functions
12307 */
12308
12309/* Called from ssl3_InitState, immediately below. */
12310/* Caller must hold the SpecWriteLock. */
12311static void
12312ssl3_InitCipherSpec(sslSocket *ss, ssl3CipherSpec *spec)
12313{
12314    spec->cipher_def               = &bulk_cipher_defs[cipher_null];
12315    PORT_Assert(spec->cipher_def->cipher == cipher_null);
12316    spec->mac_def                  = &mac_defs[mac_null];
12317    PORT_Assert(spec->mac_def->mac == mac_null);
12318    spec->encode                   = Null_Cipher;
12319    spec->decode                   = Null_Cipher;
12320    spec->destroy                  = NULL;
12321    spec->compressor               = NULL;
12322    spec->decompressor             = NULL;
12323    spec->destroyCompressContext   = NULL;
12324    spec->destroyDecompressContext = NULL;
12325    spec->mac_size                 = 0;
12326    spec->master_secret            = NULL;
12327    spec->bypassCiphers            = PR_FALSE;
12328
12329    spec->msItem.data              = NULL;
12330    spec->msItem.len               = 0;
12331
12332    spec->client.write_key         = NULL;
12333    spec->client.write_mac_key     = NULL;
12334    spec->client.write_mac_context = NULL;
12335
12336    spec->server.write_key         = NULL;
12337    spec->server.write_mac_key     = NULL;
12338    spec->server.write_mac_context = NULL;
12339
12340    spec->write_seq_num.high       = 0;
12341    spec->write_seq_num.low        = 0;
12342
12343    spec->read_seq_num.high        = 0;
12344    spec->read_seq_num.low         = 0;
12345
12346    spec->epoch                    = 0;
12347    dtls_InitRecvdRecords(&spec->recvdRecords);
12348
12349    spec->version                  = ss->vrange.max;
12350}
12351
12352/* Called from:	ssl3_SendRecord
12353**		ssl3_StartHandshakeHash() <- ssl2_BeginClientHandshake()
12354**		ssl3_SendClientHello()
12355**		ssl3_HandleV2ClientHello()
12356**		ssl3_HandleRecord()
12357**
12358** This function should perhaps acquire and release the SpecWriteLock.
12359**
12360**
12361*/
12362static SECStatus
12363ssl3_InitState(sslSocket *ss)
12364{
12365    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
12366
12367    if (ss->ssl3.initialized)
12368    	return SECSuccess;	/* Function should be idempotent */
12369
12370    ss->ssl3.policy = SSL_ALLOWED;
12371
12372    ssl_GetSpecWriteLock(ss);
12373    ss->ssl3.crSpec = ss->ssl3.cwSpec = &ss->ssl3.specs[0];
12374    ss->ssl3.prSpec = ss->ssl3.pwSpec = &ss->ssl3.specs[1];
12375    ss->ssl3.hs.sendingSCSV = PR_FALSE;
12376    ssl3_InitCipherSpec(ss, ss->ssl3.crSpec);
12377    ssl3_InitCipherSpec(ss, ss->ssl3.prSpec);
12378
12379    ss->ssl3.hs.ws = (ss->sec.isServer) ? wait_client_hello : wait_server_hello;
12380#ifdef NSS_ENABLE_ECC
12381    ss->ssl3.hs.negotiatedECCurves = ssl3_GetSupportedECCurveMask(ss);
12382#endif
12383    ssl_ReleaseSpecWriteLock(ss);
12384
12385    PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
12386
12387    if (IS_DTLS(ss)) {
12388	ss->ssl3.hs.sendMessageSeq = 0;
12389	ss->ssl3.hs.recvMessageSeq = 0;
12390	ss->ssl3.hs.rtTimeoutMs = INITIAL_DTLS_TIMEOUT_MS;
12391	ss->ssl3.hs.rtRetries = 0;
12392	ss->ssl3.hs.recvdHighWater = -1;
12393	PR_INIT_CLIST(&ss->ssl3.hs.lastMessageFlight);
12394	dtls_SetMTU(ss, 0); /* Set the MTU to the highest plateau */
12395    }
12396
12397    PORT_Assert(!ss->ssl3.hs.messages.buf && !ss->ssl3.hs.messages.space);
12398    ss->ssl3.hs.messages.buf = NULL;
12399    ss->ssl3.hs.messages.space = 0;
12400
12401    ss->ssl3.hs.receivedNewSessionTicket = PR_FALSE;
12402    PORT_Memset(&ss->ssl3.hs.newSessionTicket, 0,
12403		sizeof(ss->ssl3.hs.newSessionTicket));
12404
12405    ss->ssl3.initialized = PR_TRUE;
12406    return SECSuccess;
12407}
12408
12409/* Returns a reference counted object that contains a key pair.
12410 * Or NULL on failure.  Initial ref count is 1.
12411 * Uses the keys in the pair as input.
12412 */
12413ssl3KeyPair *
12414ssl3_NewKeyPair( SECKEYPrivateKey * privKey, SECKEYPublicKey * pubKey)
12415{
12416    ssl3KeyPair * pair;
12417
12418    if (!privKey || !pubKey) {
12419	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
12420    	return NULL;
12421    }
12422    pair = PORT_ZNew(ssl3KeyPair);
12423    if (!pair)
12424    	return NULL;			/* error code is set. */
12425    pair->refCount = 1;
12426    pair->privKey  = privKey;
12427    pair->pubKey   = pubKey;
12428    return pair;			/* success */
12429}
12430
12431ssl3KeyPair *
12432ssl3_GetKeyPairRef(ssl3KeyPair * keyPair)
12433{
12434    PR_ATOMIC_INCREMENT(&keyPair->refCount);
12435    return keyPair;
12436}
12437
12438void
12439ssl3_FreeKeyPair(ssl3KeyPair * keyPair)
12440{
12441    PRInt32 newCount =  PR_ATOMIC_DECREMENT(&keyPair->refCount);
12442    if (!newCount) {
12443	if (keyPair->privKey)
12444	    SECKEY_DestroyPrivateKey(keyPair->privKey);
12445	if (keyPair->pubKey)
12446	    SECKEY_DestroyPublicKey( keyPair->pubKey);
12447    	PORT_Free(keyPair);
12448    }
12449}
12450
12451
12452
12453/*
12454 * Creates the public and private RSA keys for SSL Step down.
12455 * Called from SSL_ConfigSecureServer in sslsecur.c
12456 */
12457SECStatus
12458ssl3_CreateRSAStepDownKeys(sslSocket *ss)
12459{
12460    SECStatus             rv  	 = SECSuccess;
12461    SECKEYPrivateKey *    privKey;		/* RSA step down key */
12462    SECKEYPublicKey *     pubKey;		/* RSA step down key */
12463
12464    if (ss->stepDownKeyPair)
12465	ssl3_FreeKeyPair(ss->stepDownKeyPair);
12466    ss->stepDownKeyPair = NULL;
12467#ifndef HACKED_EXPORT_SERVER
12468    /* Sigh, should have a get key strength call for private keys */
12469    if (PK11_GetPrivateModulusLen(ss->serverCerts[kt_rsa].SERVERKEY) >
12470                                                     EXPORT_RSA_KEY_LENGTH) {
12471	/* need to ask for the key size in bits */
12472	privKey = SECKEY_CreateRSAPrivateKey(EXPORT_RSA_KEY_LENGTH * BPB,
12473					     &pubKey, NULL);
12474    	if (!privKey || !pubKey ||
12475	    !(ss->stepDownKeyPair = ssl3_NewKeyPair(privKey, pubKey))) {
12476	    ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
12477	    rv = SECFailure;
12478	}
12479    }
12480#endif
12481    return rv;
12482}
12483
12484
12485/* record the export policy for this cipher suite */
12486SECStatus
12487ssl3_SetPolicy(ssl3CipherSuite which, int policy)
12488{
12489    ssl3CipherSuiteCfg *suite;
12490
12491    suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
12492    if (suite == NULL) {
12493	return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */
12494    }
12495    suite->policy = policy;
12496
12497    return SECSuccess;
12498}
12499
12500SECStatus
12501ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *oPolicy)
12502{
12503    ssl3CipherSuiteCfg *suite;
12504    PRInt32             policy;
12505    SECStatus           rv;
12506
12507    suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
12508    if (suite) {
12509    	policy = suite->policy;
12510	rv     = SECSuccess;
12511    } else {
12512    	policy = SSL_NOT_ALLOWED;
12513	rv     = SECFailure;	/* err code was set by Lookup. */
12514    }
12515    *oPolicy = policy;
12516    return rv;
12517}
12518
12519/* record the user preference for this suite */
12520SECStatus
12521ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool enabled)
12522{
12523    ssl3CipherSuiteCfg *suite;
12524
12525    suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
12526    if (suite == NULL) {
12527	return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */
12528    }
12529    suite->enabled = enabled;
12530    return SECSuccess;
12531}
12532
12533/* return the user preference for this suite */
12534SECStatus
12535ssl3_CipherPrefGetDefault(ssl3CipherSuite which, PRBool *enabled)
12536{
12537    ssl3CipherSuiteCfg *suite;
12538    PRBool              pref;
12539    SECStatus           rv;
12540
12541    suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
12542    if (suite) {
12543    	pref   = suite->enabled;
12544	rv     = SECSuccess;
12545    } else {
12546    	pref   = SSL_NOT_ALLOWED;
12547	rv     = SECFailure;	/* err code was set by Lookup. */
12548    }
12549    *enabled = pref;
12550    return rv;
12551}
12552
12553SECStatus
12554ssl3_CipherPrefSet(sslSocket *ss, ssl3CipherSuite which, PRBool enabled)
12555{
12556    ssl3CipherSuiteCfg *suite;
12557
12558    suite = ssl_LookupCipherSuiteCfg(which, ss->cipherSuites);
12559    if (suite == NULL) {
12560	return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */
12561    }
12562    suite->enabled = enabled;
12563    return SECSuccess;
12564}
12565
12566SECStatus
12567ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool *enabled)
12568{
12569    ssl3CipherSuiteCfg *suite;
12570    PRBool              pref;
12571    SECStatus           rv;
12572
12573    suite = ssl_LookupCipherSuiteCfg(which, ss->cipherSuites);
12574    if (suite) {
12575    	pref   = suite->enabled;
12576	rv     = SECSuccess;
12577    } else {
12578    	pref   = SSL_NOT_ALLOWED;
12579	rv     = SECFailure;	/* err code was set by Lookup. */
12580    }
12581    *enabled = pref;
12582    return rv;
12583}
12584
12585SECStatus
12586ssl3_CipherOrderSet(sslSocket *ss, const ssl3CipherSuite *ciphers, unsigned int len)
12587{
12588    /* |i| iterates over |ciphers| while |done| and |j| iterate over
12589     * |ss->cipherSuites|. */
12590    unsigned int i, done;
12591
12592    for (i = done = 0; i < len; i++) {
12593	PRUint16 id = ciphers[i];
12594	unsigned int existingIndex, j;
12595	PRBool found = PR_FALSE;
12596
12597	for (j = done; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
12598	    if (ss->cipherSuites[j].cipher_suite == id) {
12599		existingIndex = j;
12600		found = PR_TRUE;
12601		break;
12602	    }
12603	}
12604
12605	if (!found) {
12606	    continue;
12607	}
12608
12609	if (existingIndex != done) {
12610	    const ssl3CipherSuiteCfg temp = ss->cipherSuites[done];
12611	    ss->cipherSuites[done] = ss->cipherSuites[existingIndex];
12612	    ss->cipherSuites[existingIndex] = temp;
12613	}
12614	done++;
12615    }
12616
12617    /* Disable all cipher suites that weren't included. */
12618    for (; done < ssl_V3_SUITES_IMPLEMENTED; done++) {
12619	ss->cipherSuites[done].enabled = 0;
12620    }
12621
12622    return SECSuccess;
12623}
12624
12625/* copy global default policy into socket. */
12626void
12627ssl3_InitSocketPolicy(sslSocket *ss)
12628{
12629    PORT_Memcpy(ss->cipherSuites, cipherSuites, sizeof cipherSuites);
12630}
12631
12632SECStatus
12633ssl3_GetTLSUniqueChannelBinding(sslSocket *ss,
12634				unsigned char *out,
12635				unsigned int *outLen,
12636				unsigned int outLenMax) {
12637    PRBool       isTLS;
12638    int          index = 0;
12639    unsigned int len;
12640    SECStatus    rv = SECFailure;
12641
12642    *outLen = 0;
12643
12644    ssl_GetSSL3HandshakeLock(ss);
12645
12646    ssl_GetSpecReadLock(ss);
12647    isTLS = (PRBool)(ss->ssl3.cwSpec->version > SSL_LIBRARY_VERSION_3_0);
12648    ssl_ReleaseSpecReadLock(ss);
12649
12650    /* The tls-unique channel binding is the first Finished structure in the
12651     * handshake. In the case of a resumption, that's the server's Finished.
12652     * Otherwise, it's the client's Finished. */
12653    len = ss->ssl3.hs.finishedBytes;
12654
12655    /* Sending or receiving a Finished message will set finishedBytes to a
12656     * non-zero value. */
12657    if (len == 0) {
12658	PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED);
12659	goto loser;
12660    }
12661
12662    /* If we are in the middle of a renegotiation then the channel binding
12663     * value is poorly defined and depends on the direction that it will be
12664     * used on. Therefore we simply return an error in this case. */
12665    if (ss->firstHsDone && ss->ssl3.hs.ws != idle_handshake) {
12666	PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED);
12667	goto loser;
12668    }
12669
12670    /* If resuming, then we want the second Finished value in the array, which
12671     * is the server's */
12672    if (ss->ssl3.hs.isResuming)
12673	index = 1;
12674
12675    *outLen = len;
12676    if (outLenMax < len) {
12677	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
12678	goto loser;
12679    }
12680
12681    if (isTLS) {
12682	memcpy(out, &ss->ssl3.hs.finishedMsgs.tFinished[index], len);
12683    } else {
12684	memcpy(out, &ss->ssl3.hs.finishedMsgs.sFinished[index], len);
12685    }
12686
12687    rv = SECSuccess;
12688
12689loser:
12690    ssl_ReleaseSSL3HandshakeLock(ss);
12691    return rv;
12692}
12693
12694/* ssl3_config_match_init must have already been called by
12695 * the caller of this function.
12696 */
12697SECStatus
12698ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, unsigned char *cs, int *size)
12699{
12700    int i, count = 0;
12701
12702    PORT_Assert(ss != 0);
12703    if (!ss) {
12704	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
12705	return SECFailure;
12706    }
12707    if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
12708    	*size = 0;
12709	return SECSuccess;
12710    }
12711    if (cs == NULL) {
12712	*size = count_cipher_suites(ss, SSL_ALLOWED, PR_TRUE);
12713	return SECSuccess;
12714    }
12715
12716    /* ssl3_config_match_init was called by the caller of this function. */
12717    for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
12718	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
12719	if (config_match(suite, SSL_ALLOWED, PR_TRUE, &ss->vrange)) {
12720	    if (cs != NULL) {
12721		*cs++ = 0x00;
12722		*cs++ = (suite->cipher_suite >> 8) & 0xFF;
12723		*cs++ =  suite->cipher_suite       & 0xFF;
12724	    }
12725	    count++;
12726	}
12727    }
12728    *size = count;
12729    return SECSuccess;
12730}
12731
12732/*
12733** If ssl3 socket has completed the first handshake, and is in idle state,
12734** then start a new handshake.
12735** If flushCache is true, the SID cache will be flushed first, forcing a
12736** "Full" handshake (not a session restart handshake), to be done.
12737**
12738** called from SSL_RedoHandshake(), which already holds the handshake locks.
12739*/
12740SECStatus
12741ssl3_RedoHandshake(sslSocket *ss, PRBool flushCache)
12742{
12743    sslSessionID *   sid = ss->sec.ci.sid;
12744    SECStatus        rv;
12745
12746    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
12747
12748    if (!ss->firstHsDone ||
12749        ((ss->version >= SSL_LIBRARY_VERSION_3_0) &&
12750	 ss->ssl3.initialized &&
12751	 (ss->ssl3.hs.ws != idle_handshake))) {
12752	PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED);
12753	return SECFailure;
12754    }
12755
12756    if (IS_DTLS(ss)) {
12757	dtls_RehandshakeCleanup(ss);
12758    }
12759
12760    if (ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) {
12761	PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED);
12762	return SECFailure;
12763    }
12764    if (sid && flushCache) {
12765        if (ss->sec.uncache)
12766            ss->sec.uncache(sid); /* remove it from whichever cache it's in. */
12767	ssl_FreeSID(sid);	/* dec ref count and free if zero. */
12768	ss->sec.ci.sid = NULL;
12769    }
12770
12771    ssl_GetXmitBufLock(ss);	/**************************************/
12772
12773    /* start off a new handshake. */
12774    rv = (ss->sec.isServer) ? ssl3_SendHelloRequest(ss)
12775                            : ssl3_SendClientHello(ss, PR_FALSE);
12776
12777    ssl_ReleaseXmitBufLock(ss);	/**************************************/
12778    return rv;
12779}
12780
12781/* Called from ssl_DestroySocketContents() in sslsock.c */
12782void
12783ssl3_DestroySSL3Info(sslSocket *ss)
12784{
12785
12786    if (ss->ssl3.clientCertificate != NULL)
12787	CERT_DestroyCertificate(ss->ssl3.clientCertificate);
12788
12789    if (ss->ssl3.clientPrivateKey != NULL)
12790	SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
12791#ifdef NSS_PLATFORM_CLIENT_AUTH
12792    if (ss->ssl3.platformClientKey)
12793	ssl_FreePlatformKey(ss->ssl3.platformClientKey);
12794#endif /* NSS_PLATFORM_CLIENT_AUTH */
12795
12796    if (ss->ssl3.channelID)
12797	SECKEY_DestroyPrivateKey(ss->ssl3.channelID);
12798    if (ss->ssl3.channelIDPub)
12799	SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
12800
12801    if (ss->ssl3.peerCertArena != NULL)
12802	ssl3_CleanupPeerCerts(ss);
12803
12804    if (ss->ssl3.clientCertChain != NULL) {
12805       CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
12806       ss->ssl3.clientCertChain = NULL;
12807    }
12808
12809    /* clean up handshake */
12810#ifndef NO_PKCS11_BYPASS
12811    if (ss->opt.bypassPKCS11) {
12812	if (ss->ssl3.hs.hashType == handshake_hash_combo) {
12813	    SHA1_DestroyContext((SHA1Context *)ss->ssl3.hs.sha_cx, PR_FALSE);
12814	    MD5_DestroyContext((MD5Context *)ss->ssl3.hs.md5_cx, PR_FALSE);
12815	} else if (ss->ssl3.hs.hashType == handshake_hash_single) {
12816	    ss->ssl3.hs.sha_obj->destroy(ss->ssl3.hs.sha_cx, PR_FALSE);
12817	}
12818    }
12819#endif
12820    if (ss->ssl3.hs.md5) {
12821	PK11_DestroyContext(ss->ssl3.hs.md5,PR_TRUE);
12822    }
12823    if (ss->ssl3.hs.sha) {
12824	PK11_DestroyContext(ss->ssl3.hs.sha,PR_TRUE);
12825    }
12826    if (ss->ssl3.hs.clientSigAndHash) {
12827	PORT_Free(ss->ssl3.hs.clientSigAndHash);
12828    }
12829    if (ss->ssl3.hs.messages.buf) {
12830    	PORT_Free(ss->ssl3.hs.messages.buf);
12831	ss->ssl3.hs.messages.buf = NULL;
12832	ss->ssl3.hs.messages.len = 0;
12833	ss->ssl3.hs.messages.space = 0;
12834    }
12835
12836    /* free the SSL3Buffer (msg_body) */
12837    PORT_Free(ss->ssl3.hs.msg_body.buf);
12838
12839    SECITEM_FreeItem(&ss->ssl3.hs.newSessionTicket.ticket, PR_FALSE);
12840
12841    /* free up the CipherSpecs */
12842    ssl3_DestroyCipherSpec(&ss->ssl3.specs[0], PR_TRUE/*freeSrvName*/);
12843    ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/);
12844
12845    /* Destroy the DTLS data */
12846    if (IS_DTLS(ss)) {
12847	dtls_FreeHandshakeMessages(&ss->ssl3.hs.lastMessageFlight);
12848	if (ss->ssl3.hs.recvdFragments.buf) {
12849	    PORT_Free(ss->ssl3.hs.recvdFragments.buf);
12850	}
12851    }
12852
12853    ss->ssl3.initialized = PR_FALSE;
12854
12855    SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
12856}
12857
12858/* End of ssl3con.c */
12859