<a class="header-button" href="https://bugzilla.mozilla.org/home" title="Go to home page"> Bugzilla

Assignee

Comment 7

•

9 years ago

Work for adding support for the SHA384 TLS cipher suites has been conducted by Red Hat as this is required for obtaining Common Criteria certification. Some background information is in order. The work started based on, and extends, previous work done for Chromium. See https://codereview.chromium.org/23510003. It implements mechanisms as defined by Oasis for PKCS #11 V 2.40, see http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cs01/pkcs11-curr-v2.40-cs01.pdf. Some of the patches I'll submit have an overlap with a patch that Wan-Teh had submiited for Bug 951455 see https://bugzilla.mozilla.org/show_bug.cgi?id=951455. I'll split the work unto a series of patches for util, softoken, libssl, test scripts and tstcnt for ease of review. The libssl part in particular needs a bit more work.

Assignee

•

9 years ago

Attached patch the libssl portion - patch 3 of 5 (obsolete) — Details — Splinter Review

This patch has been modified from the original to account for changes that Martin has already committed.

Attachment #8631855 - Flags: review?(rrelyea)

Assignee

Comment 12

•

9 years ago

Attached patch ssl test script - as used downstream (obsolete) — Details — Splinter Review

Attachment #8631856 - Flags: review?(rrelyea)

Assignee

Updated

•

9 years ago

Attachment #8631855 - Attachment description: The libssl portion - patach 3 of 5 → the libssl portion - patch 3 of 5

Assignee

Comment 13

•

9 years ago

Attached patch tstclnt ssl2 off by default (obsolete) — Details — Splinter Review

As we tested on rhel-7.1 I had to make that change for the tests to pass. On rhel-7 we build with ssl2 and export cipher suites disabled which is not yet the case here.

Attachment #8631857 - Flags: review?(rrelyea)

Hubert Kario

Comment 14

•

9 years ago

"tested" - we have conducted interoperability tests with OpenSSL and GnuTLS in configurations with and without client certificates with ECDHE, DHE and RSA key exchange with ECDSA, DSS and RSA authentication. The only issue is with TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 when it's used with client certificates, as GnuTLS won't use or accept SHA384 hash in Certificate Verify. To fix this, we need to fix bug 1179338.

•

9 years ago

Revised 3 patches on account of the recent https://hg.mozilla.org/projects/nss/rev/f9b7bdf6e68b commit.

Assignee

Updated

•

9 years ago

Attachment #8632339 - Attachment description: libssl prtion V2 - patch 1 of 5 → libssl prtion V2 - patch 3 of 5

Assignee

Comment 20

•

9 years ago

Attached patch adds tls12 sha384 prf support to softoken & ssl libraries (obsolete) — Details — Splinter Review

Assignee: nobody → emaldona

Attachment #8632337 - Attachment is obsolete: true

Attachment #8632338 - Attachment is obsolete: true

Attachment #8632339 - Attachment is obsolete: true

Attachment #8632337 - Flags: review?(rrelyea)

Attachment #8632338 - Flags: review?(rrelyea)

Attachment #8632339 - Flags: review?(rrelyea)

Attachment #8632467 - Flags: review?(rrelyea)

Assignee

Updated

•

9 years ago

Attachment #8631856 - Attachment description: ssl test script - patch 4 of 5 → ssl test script

Assignee

Updated

•

9 years ago

Attachment #8631857 - Attachment description: tstclnt ssl2 off by default - patch 5 of 5 → tstclnt ssl2 off by default

Assignee

Comment 21

•

•

9 years ago

OK, Now that I read the comments, I see the difference between the patches. I'm OK with either, I've r+ the one that removes ssl2. I'm open to feedback by others about the idea of dropping ssl2 in the test cases (currently Red Hat is the only one that 'uses' it... in that we have products that can enable it and still officially support it). I'm OK if someone else wants us to keep the ssl2 tests util we actually ax the ssl2 code. NOTE to Elio.. this means if someone breaks SSL2 by accident you won't know it until you integrate it into RHEL 5, are you sure you want that (of course it makes RHEL 7 easier since you don't need to turn SSL2 off in RHEL 7). bob

Assignee

Updated

•

9 years ago

Depends on: 1181814

Robert Relyea

Comment 28

•

9 years ago

This bug does not depend on bug 1181814. The softoken work to make this work is already in softoken.

No longer depends on: 1181814

Assignee

Comment 29

•

9 years ago

Attached patch adds tls12 sha384 prf support to softoken & ssl libraries (obsolete) — Details — Splinter Review

This is still a work in progress and not ready for review but I attach it for discussion and to clarify some requests that Bob made an previous review and are not yet entirely clear to me. Per Bob's request this patch does not try to handle the client auth case, drops the code for swapping between sha256 and sha384. The functions in question are ssl3_DestroyBackupHandshakeHashIfNotNeeded ssl3_ComputeHandshakeHashes ssl3_HandleServerHello ssl3_SendCertificateRequest moved the changes to a separte patch which I will attach next. What about the changes in ssl3_InitHandshakeHashes, shall they remain? Bob, you stated as part of Comment 25 "...., we should probably drop our hack of swapping between sha256 and sha384 and plan on implementing the fix we already have a patch for." And what is that patch? I know that Kai is going to be working o something related Bug 1179338 - Don't require that the signature method for certificate verify is identical with PRF, support alternatives Is that the work you are referring to?

Attachment #8632467 - Attachment is obsolete: true

Flags: needinfo?(rrelyea)

Assignee

Comment 30

•

9 years ago

Attached patch client authentication changes due to sha384 support (obsolete) — Details — Splinter Review

Moved here the changes to ssl3_DestroyBackupHandshakeHashIfNotNeeded ssl3_ComputeHandshakeHashes ssl3_HandleServerHello ssl3_SendCertificateRequest as requested. Will this be starting point for Kai's work?

Assignee

Comment 31

•

9 years ago

Comment on attachment 8738190 [details] [diff] [review] adds tls12 sha384 prf support to softoken & ssl libraries Preliminary reviewer Bob, will request review from Martin later once my questions are clarified.

Attachment #8738190 - Flags: review?(rrelyea)

Assignee

Comment 32

•

9 years ago

Comment on attachment 8738191 [details] [diff] [review] client authentication changes due to sha384 support Preliminary reviewer Bob, will request review from Martin later once my doubts are clarified.

Attachment #8738191 - Flags: review?(rrelyea)

Assignee

Comment 33

•

9 years ago

I should add that not all test are passing yet and I'm on working that but needed some early look at the work done so far.

Assignee

Updated

•

9 years ago

Attachment #8738190 - Flags: review?(emaldona)

Assignee

Comment 34

•

9 years ago

Comment on attachment 8738190 [details] [diff] [review] adds tls12 sha384 prf support to softoken & ssl libraries Review of attachment 8738190 [details] [diff] [review]: ----------------------------------------------------------------- r- on self-review, new patch coming soon. ::: lib/ssl/ssl3con.c @@ +112,4 @@ > { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, > { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, > + { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, > + { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, Not inconsistent with the order in the table from sslenum.c @@ +312,5 @@ > {cipher_camellia_256, calg_camellia, 32,32, type_block, 16,16, 0, 0, SEC_OID_CAMELLIA_256_CBC}, > {cipher_seed, calg_seed, 16,16, type_block, 16,16, 0, 0, SEC_OID_SEED_CBC}, > {cipher_aes_128_gcm, calg_aes_gcm, 16,16, type_aead, 4, 0,16, 8, SEC_OID_AES_128_GCM}, > {cipher_chacha20, calg_chacha20, 32,32, type_aead, 12, 0,16, 0, SEC_OID_CHACHA20_POLY1305}, > + {cipher_aes_256_gcm, calg_aes_gcm, 32,32, type_aead, 4, 0,16, 8}, Move it up one to be aftre cipher_aes_a128_gcm and before cipher_chacha20. @@ +3883,5 @@ > + SSL3PRF prf_alg = ss->ssl3.hs.suite_def->prf_alg; > + > + if (prf_alg == 0) > + return CKM_SHA256; > + NIT: whitespace @@ +6971,5 @@ > + if (rv != SECSuccess) { > + desc = internal_error; > + errCode = PORT_GetError(); > + goto alert_loser; > + } Not visible here but near the beginning of ssl3_InitHandshakeHashes(sslSocket *ss) it okay to bring these changes: - ss->ssl3.hs.sha_obj = HASH_GetRawHashObject(HASH_AlgSHA256); + HASH_HashType ht; + CK_MECHANISM_TYPE hm; + SECOidTag ot; + SECOidData *hashOid; + + hm = ssl3_GetPrfHashMechanism(ss); + hashOid = SECOID_FindOIDByMechanism(hm); + + if (hashOid == NULL) { + ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); + return SECFailure; + } + ot = hashOid->offset; + ht = HASH_GetHashTypeByOidTag(ot); + ss->ssl3.hs.sha_obj = HASH_GetRawHashObject(ht); ::: lib/ssl/sslimpl.h @@ +319,2 @@ > #else > #define ssl_V3_SUITES_IMPLEMENTED 41 Change -#define ssl_V3_SUITES_IMPLEMENTED 41 +#define ssl_V3_SUITES_IMPLEMENTED 44 We are adding 7 ciphers of which 4 are ECC and 3 aren't. While testing an assertion caught this. ::: tests/doc/nssqa.txt @@ +86,5 @@ > header:exit (global) > remove temporary files > kill remaining selfservers > send email to the list > This changes sneaked by mistake because the way I test. Remove them in the next round. ::: tests/doc/platform_specific_problems @@ +13,2 @@ > /local/llennox/NSS-PSM/mozilla/tests_results/security/conrail.20/server -n > conrail.cs.columbia.edu -w nss -i /tmp/tests_pid.5505 & strsclnt -p 8443 -d . -w nss -c 1000 -C A conrail.cs.columbia.edu These changes sneaked by mistake because the way I test. Remove them in the next round. ::: tests/doc/qa_wrapper.html @@ +105,5 @@ > no-lockfile) > <br>        set HOST and DOMSUF variables > if running interavtively > <br>        set flag to kill remaining > +selfserv_9460 processes during cleanup These changes sneaked by mistake because the way I test and didn't cleanup afterwards. Remove them in the next round. ::: tests/header @@ +145,4 @@ > > # Set the masterbuilds > if [ -z "$UX_MASTERBUILD" ] > then These changes sneaked by mistake because the way I test and didn't cleanup afterwards. Remove them in the next round. ::: tests/iopr/ssl_iopr.sh @@ +277,2 @@ > # No return value > # These changes sneaked by mistake because the way I test and didn't cleanup afterwards. Remove them in the next round. ::: tests/memleak/ignored @@ +47,5 @@ > #463631 > vfychain/main/PL_CreateOptState/** > > #486298 > +selfserv_9460/main/PORT_Strdup_Util** These changes sneaked by mistake because the way I test and didn't cleanup afterwards. Remove them in the next round. ::: tests/memleak/memleak.sh @@ +322,2 @@ > echo "==0==" > These changes sneaked by mistake because the way I test and didn't cleanup afterwards. Remove them in the next round. ::: tests/nssqa @@ +36,4 @@ > . `dirname $0`/header # utilities, shellfunctions etc, global to NSS QA > > if [ -z "$O_TBX" -o "$O_TBX" != "ON" ] ; then > is_running ${TMP}/nssqa These changes sneaked by mistake because the way I test and didn't cleanup afterwards. Remove them in the next round. ::: tests/qa_stat @@ +772,5 @@ > grep "bgcolor=red" $BCT_RESULT | > sed -e 's/.results.html:<TR><TD>/ /' -e 's/<[^>]*>/ /g' > grep 'cache hits; .* cache misses, .* cache not reusable' \ > $BCT_LOG | > + grep -v selfserv_9460 | These changes sneaked by mistake because the way I test and didn't cleanup afterwards. Remove them in the next round. ::: tests/qaclean @@ +76,5 @@ > i=0 > while [ $i -lt $1 ] > do > kill_by_name nssqa > + kill_by_name selfserv_9460 These changes sneaked by mistake because the way I test and didn't cleanup afterwards. Remove them in the next round. ::: tests/run_niscc.sh @@ +197,5 @@ > > # Directory where to write all the output data (around 650MiB for each run) > export TEST_OUTPUT=${TEST_OUTPUT:-"$HOME/out"} > > + # How many threads to use in selfserv_9460 and strsclnt (max. 10) These changes sneaked by mistake because the way I test and didn't cleanup afterwards. Remove them in the next round. ::: tests/ssl/ssl.sh @@ +114,3 @@ > fi > fi > These changes sneaked by mistake because the way I test and didn't cleanup afterwards. Remove them in the next round.

Attachment #8738190 - Flags: review?(emaldona) → review-

Assignee

Updated

•

9 years ago

Attachment #8738191 - Flags: review?(emaldona)

Assignee

Comment 35

•

9 years ago

Comment on attachment 8738191 [details] [diff] [review] client authentication changes due to sha384 support The need to submit a new version of the other patch renders this one obsolete.

Attachment #8738191 - Attachment is obsolete: true

Attachment #8738191 - Flags: review?(rrelyea)

Attachment #8738191 - Flags: review?(emaldona)

Assignee

Comment 36

•

9 years ago

Comment on attachment 8738190 [details] [diff] [review] adds tls12 sha384 prf support to softoken & ssl libraries SSL2 support is now removed.

Attachment #8738190 - Attachment is obsolete: true

Attachment #8738190 - Flags: review?(rrelyea)

Assignee

Comment 37

•

9 years ago

Attached patch add test cases for new supported cipher suites (obsolete) — Details — Splinter Review

Attachment #8632759 - Attachment is obsolete: true

Attachment #8738862 - Flags: review?(rrelyea)

Assignee

Updated

•

9 years ago

Attachment #8631856 - Attachment is obsolete: true

Assignee

Comment 47

•

9 years ago

Comment on attachment 8738865 [details] [diff] [review] tls12 sha384 prf support libsssl - plus client auth Review of attachment 8738865 [details] [diff] [review]: ----------------------------------------------------------------- r- for the reasons given before.

Attachment #8738865 - Flags: review?(emaldona) → review-

Assignee

Comment 48

•

9 years ago

Eric, I noticed a possible inconsistency among various tables when it comes to TLS 1.3 ECDHE_PSK. https://hg.mozilla.org/projects/nss/file/tip/lib/ssl/sslinfo.c look at lines 230 through 234 for static const SSLCipherSuiteInfo suiteInfo[] = { ... 230 #ifndef NSS_DISABLE_ECC The TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 entry was added inside the #ifndef NSS_DISABLE_ECC but that is not the case in https://hg.mozilla.org/projects/nss/file/tip/lib/ssl/sslinfo.c static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { /* cipher_suite policy enabled isPresent */ /* ECDHE-PSK from [draft-mattsson-tls-ecdhe-psk-aead]. Only enabled if * we are doing TLS 1.3 PSK-resumption. */ { TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, where it's outside the #ifndef NSS_DISABLE_ECC #ifndef NSS_DISABLE_ECC { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, not on https://hg.mozilla.org/projects/nss/file/tip/lib/ssl/enum.c const PRUint16 SSL_ImplementedCiphers[] = { /* ECDHE-PSK from [draft-mattsson-tls-ecdhe-psk-aead]. */ TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256, #ifndef NSS_DISABLE_ECC TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, .... where it's outside the #ifndef NSS_DISABLE_ECC

Assignee

Comment 49

•

9 years ago

Attached patch tls12 sha384 prf support libsssl - plus client auth hacks (obsolete) — Details — Splinter Review

This is not to be committed as some changes need to be moved to a separate patch as Bob suggested and I/m still investigating some test failures. In some cases the server won't start due to a couple of Assertion failure: PR_FALSE, at ssl3con.c:814 which tells me that not all the affected tables are in sync. I attach it here in order to get some needed feedback and make sure I'm on the right track.

Attachment #8738865 - Attachment is obsolete: true

Attachment #8738865 - Flags: review?(rrelyea)

Attachment #8740117 - Flags: feedback?(rrelyea)

Attachment #8740117 - Flags: feedback?(martin.thomson)

Attachment #8740117 - Flags: feedback?(ekr)

Assignee

Comment 50

•

9 years ago

Comment on attachment 8740117 [details] [diff] [review] tls12 sha384 prf support libsssl - plus client auth hacks Review of attachment 8740117 [details] [diff] [review]: ----------------------------------------------------------------- ::: lib/ssl/sslinfo.c @@ +263,5 @@ > {0,CS(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA), S_RSA, K_ECDHE, C_AES, B_256, M_SHA, 1, 0, 0 }, > {0,CS(TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256), S_RSA, K_ECDHE, C_CHACHA20, B_256, M_AEAD_128, 0, 0, 0 }, > + {0,CS(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384), S_RSA, K_ECDHE, C_AES, B_128, M_SHA384, 1, 0, 0 }, > + {0,CS(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384), S_ECDSA, K_ECDHE, C_AES, B_128, M_SHA384, 1, 0, 0 }, > + {0,CS(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384), S_ECDSA, K_ECDHE, C_AES, B_256, M_SHA384, 1, 0, 0 }, change C_AES to AESGCM @@ +264,5 @@ > {0,CS(TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256), S_RSA, K_ECDHE, C_CHACHA20, B_256, M_AEAD_128, 0, 0, 0 }, > + {0,CS(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384), S_RSA, K_ECDHE, C_AES, B_128, M_SHA384, 1, 0, 0 }, > + {0,CS(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384), S_ECDSA, K_ECDHE, C_AES, B_128, M_SHA384, 1, 0, 0 }, > + {0,CS(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384), S_ECDSA, K_ECDHE, C_AES, B_256, M_SHA384, 1, 0, 0 }, > + {0,CS(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_ECDHE, C_AES, B_128, M_SHA256, 1, 0, 0 }, change C_AES to AESGCM @@ +265,5 @@ > + {0,CS(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384), S_RSA, K_ECDHE, C_AES, B_128, M_SHA384, 1, 0, 0 }, > + {0,CS(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384), S_ECDSA, K_ECDHE, C_AES, B_128, M_SHA384, 1, 0, 0 }, > + {0,CS(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384), S_ECDSA, K_ECDHE, C_AES, B_256, M_SHA384, 1, 0, 0 }, > + {0,CS(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_ECDHE, C_AES, B_128, M_SHA256, 1, 0, 0 }, > + {0,CS(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384), S_RSA, K_ECDHE, C_AES, B_128, M_SHA384, 1, 0, 0 }, change C_AES to AESGCM

Comment 51

•

Hubert Kario

•

9 years ago

Attached patch tls12 sha384 prf support in libsssl - with client auth changes (obsolete) — Details — Splinter Review

This one applies cleanly, all standard non-sha384 tests regression pass (Passed: 17081) and the ssl-gtest failures are now gone. I'll start enabling the sha384 prf ciphers by default and test them.

Attachment #8742370 - Attachment is obsolete: true

Comment 60

•

9 years ago

Comment on attachment 8742464 [details] [diff] [review] tls12 sha384 prf support in libsssl - with client auth changes Review of attachment 8742464 [details] [diff] [review]: ----------------------------------------------------------------- ::: lib/ssl/ssl3con.c @@ +133,5 @@ > { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, > { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, > { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, > { TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, > + { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, This is still misplaced (not TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 but TLS_DHE_DSS_WITH_AES_128_GCM_SHA256).

Comment 61

•

9 years ago

Comment on attachment 8742464 [details] [diff] [review] tls12 sha384 prf support in libsssl - with client auth changes Review of attachment 8742464 [details] [diff] [review]: ----------------------------------------------------------------- ::: lib/ssl/ssl3con.c @@ +109,5 @@ > { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, > + { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, > + { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, > + { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, > + { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, TLS_ECDHE_*_WITH_AES_256_CBC_SHA384 should be placed under TLS_ECDHE_*_WITH_AES_128_CBC_SHA256.

Assignee

Updated

•

9 years ago

Blocks: flexible-certverify

Robert Relyea

Comment 62

•

9 years ago

Elio, no need to split the basic client auth out of this patch. It's still needed, at least until kai does his work.

Flags: needinfo?(rrelyea)

Assignee

Comment 63

•

9 years ago

Comment on attachment 8738863 [details] [diff] [review] adds tls12 sha384 prf support libsssl - basic part >diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c >--- a/lib/ssl/ssl3con.c >+++ b/lib/ssl/ssl3con.c >@@ -100,17 +100,21 @@ static ssl3CipherSuiteCfg cipherSuites[s > > /* ECDHE-PSK from [draft-mattsson-tls-ecdhe-psk-aead]. Only enabled if > * we are doing TLS 1.3 PSK-resumption. > */ > { TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, > > #ifndef NSS_DISABLE_ECC > { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, >+ { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, > { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, >+ { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, >+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, >+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, > { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, > { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, > /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around > * bug 946147. > */ > { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, > { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, > { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, >@@ -127,16 +131,18 @@ static ssl3CipherSuiteCfg cipherSuites[s > { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE, PR_FALSE}, > { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, > { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, > { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, > { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, > { TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, > { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, > { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, >+ { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, >+ { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, > { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, > { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, > { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, > { TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, > { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, > { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, > { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, > { TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, >@@ -149,16 +155,17 @@ static ssl3CipherSuiteCfg cipherSuites[s > { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, > { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, > { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, > { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, > { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, > #endif /* NSS_DISABLE_ECC */ > > /* RSA */ >+ { TLS_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, > { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, > { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, > { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, > { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, > { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, > { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, > { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, > { TLS_RSA_WITH_SEED_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, >@@ -298,16 +305,17 @@ static const ssl3BulkCipherDef bulk_ciph > {cipher_des40, calg_des, 8, 5, type_block, 8, 8, 0, 0, SEC_OID_DES_40_CBC}, > {cipher_idea, calg_idea, 16,16, type_block, 8, 8, 0, 0, SEC_OID_IDEA_CBC}, > {cipher_aes_128, calg_aes, 16,16, type_block, 16,16, 0, 0, SEC_OID_AES_128_CBC}, > {cipher_aes_256, calg_aes, 32,32, type_block, 16,16, 0, 0, SEC_OID_AES_256_CBC}, > {cipher_camellia_128, calg_camellia, 16,16, type_block, 16,16, 0, 0, SEC_OID_CAMELLIA_128_CBC}, > {cipher_camellia_256, calg_camellia, 32,32, type_block, 16,16, 0, 0, SEC_OID_CAMELLIA_256_CBC}, > {cipher_seed, calg_seed, 16,16, type_block, 16,16, 0, 0, SEC_OID_SEED_CBC}, > {cipher_aes_128_gcm, calg_aes_gcm, 16,16, type_aead, 4, 0,16, 8, SEC_OID_AES_128_GCM}, >+ {cipher_aes_256_gcm, calg_aes_gcm, 32,32, type_aead, 4, 0,16, 8, SEC_OID_AES_256_GCM}, > {cipher_chacha20, calg_chacha20, 32,32, type_aead, 12, 0,16, 0, SEC_OID_CHACHA20_POLY1305}, > {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, 0, 0, 0}, > }; > > static const ssl3KEADef kea_defs[] = > { /* indexed by SSL3KeyExchangeAlgorithm */ > /* kea exchKeyType signKeyType is_limited limit tls_keygen ephemeral oid */ > {kea_null, kt_null, ssl_sign_null, PR_FALSE, 0, PR_FALSE, PR_FALSE, 0}, >@@ -427,20 +435,28 @@ static const ssl3CipherSuiteDef cipher_s > {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips}, > {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips}, > > {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_rsa}, > {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa}, > {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa}, > {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa}, > >+ {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa}, >+ {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa}, >+ {TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_ecdhe_ecdsa}, >+ {TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_ecdhe_rsa}, >+ {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, cipher_aes_256, hmac_sha384, kea_ecdhe_ecdsa}, >+ {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, cipher_aes_256, hmac_sha384, kea_ecdhe_rsa}, > {TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_dss}, >+ {TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_dhe_dss}, > {TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_dss}, > {TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_dss}, > >+ {TLS_RSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_rsa}, > {TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, cipher_chacha20, mac_aead, kea_dhe_rsa}, > {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, cipher_chacha20, mac_aead, kea_ecdhe_rsa}, > {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, cipher_chacha20, mac_aead, kea_ecdhe_ecdsa}, > > #ifndef NSS_DISABLE_ECC > {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa}, > {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa}, > {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa}, >@@ -511,28 +527,30 @@ static const SSLCipher2Mech alg2Mech[] = > }; > > #define mmech_invalid (CK_MECHANISM_TYPE)0x80000000L > #define mmech_md5 CKM_SSL3_MD5_MAC > #define mmech_sha CKM_SSL3_SHA1_MAC > #define mmech_md5_hmac CKM_MD5_HMAC > #define mmech_sha_hmac CKM_SHA_1_HMAC > #define mmech_sha256_hmac CKM_SHA256_HMAC >+#define mmech_sha384_hmac CKM_SHA384_HMAC > > /* clang-format off */ > static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */ > /* pad_size is only used for SSL 3.0 MAC. See RFC 6101 Sec. 5.2.3.1. */ > /* mac mmech pad_size mac_size */ > { mac_null, mmech_invalid, 0, 0 , 0}, > { mac_md5, mmech_md5, 48, MD5_LENGTH, SEC_OID_HMAC_MD5 }, > { mac_sha, mmech_sha, 40, SHA1_LENGTH, SEC_OID_HMAC_SHA1}, > {hmac_md5, mmech_md5_hmac, 0, MD5_LENGTH, SEC_OID_HMAC_MD5}, > {hmac_sha, mmech_sha_hmac, 0, SHA1_LENGTH, SEC_OID_HMAC_SHA1}, > {hmac_sha256, mmech_sha256_hmac, 0, SHA256_LENGTH, SEC_OID_HMAC_SHA256}, > { mac_aead, mmech_invalid, 0, 0, 0 }, >+ {hmac_sha384, mmech_sha384_hmac, 0, SHA384_LENGTH} > }; > /* clang-format on */ > > /* indexed by SSL3BulkCipher */ > const char *const ssl3_cipherName[] = { > "NULL", > "RC4", > "RC4-40", >@@ -719,29 +737,36 @@ ssl3_CipherSuiteAllowedForVersionRange( > * TLS_DH_anon_EXPORT_WITH_RC4_40_MD5: never implemented > * TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA: never implemented > */ > return vrange->min <= SSL_LIBRARY_VERSION_TLS_1_0; > > case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: > case TLS_RSA_WITH_AES_256_CBC_SHA256: > case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: >+ case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: > case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: >+ case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: > case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: > case TLS_RSA_WITH_AES_128_CBC_SHA256: > case TLS_RSA_WITH_AES_128_GCM_SHA256: >+ case TLS_RSA_WITH_AES_256_GCM_SHA384: > case TLS_DHE_DSS_WITH_AES_128_CBC_SHA256: > case TLS_DHE_DSS_WITH_AES_256_CBC_SHA256: > case TLS_RSA_WITH_NULL_SHA256: > case TLS_DHE_DSS_WITH_AES_128_GCM_SHA256: > return vrange->max == SSL_LIBRARY_VERSION_TLS_1_2; > > case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: >+ case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: > case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: >+ case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: > case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: >+ case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: >+ case TLS_DHE_DSS_WITH_AES_256_GCM_SHA384: > return vrange->max >= SSL_LIBRARY_VERSION_TLS_1_2; > > /* RFC 4492: ECC cipher suites need TLS extensions to negotiate curves and > * point formats.*/ > case TLS_ECDH_ECDSA_WITH_NULL_SHA: > case TLS_ECDH_ECDSA_WITH_RC4_128_SHA: > case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA: > case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: >@@ -2507,16 +2532,19 @@ ssl3_ComputeRecordMAC( > hashObj = HASH_GetRawHashObject(HASH_AlgMD5); > break; > case ssl_hmac_sha: /* used with TLS */ > hashObj = HASH_GetRawHashObject(HASH_AlgSHA1); > break; > case ssl_hmac_sha256: /* used with TLS */ > hashObj = HASH_GetRawHashObject(HASH_AlgSHA256); > break; >+ case ssl_hmac_sha384: /* used with TLS */ >+ hashObj = HASH_GetRawHashObject(HASH_AlgSHA384); >+ break; > default: > break; > } > if (!hashObj) { > PORT_Assert(0); > PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); > return SECFailure; > } >@@ -3824,16 +3852,27 @@ ssl3_HandleChangeCipherSpecs(sslSocket * > */ > if (ss->ssl3.prSpec == ss->ssl3.pwSpec) { > ssl3_DestroyCipherSpec(ss->ssl3.prSpec, PR_FALSE /*freeSrvName*/); > } > ssl_ReleaseSpecWriteLock(ss); /*************************************/ > return SECSuccess; > } > >+CK_MECHANISM_TYPE >+ssl3_GetPrfHashMechanism(sslSocket *ss) >+{ >+ SSL3PRF prf_alg = ss->ssl3.hs.suite_def->prf_alg; >+ >+ if (prf_alg == 0) >+ return CKM_SHA256; >+ >+ return prf_alg; >+} >+ > /* This method completes the derivation of the MS from the PMS. > ** > ** 1. Derive the MS, if possible, else return an error. > ** > ** 2. Check the version if |pms_version| is non-zero and if wrong, > ** return an error. > ** > ** 3. If |msp| is nonzero, return MS in |*msp|. >@@ -3947,17 +3986,17 @@ ssl3_ComputeMasterSecretInt(sslSocket *s > } > > master_params.pVersion = pms_version_ptr; > master_params.RandomInfo.pClientRandom = cr; > master_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH; > master_params.RandomInfo.pServerRandom = sr; > master_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH; > if (isTLS12) { >- master_params.prfHashMechanism = CKM_SHA256; >+ master_params.prfHashMechanism = ssl3_GetPrfHashMechanism(ss); > master_params_len = sizeof(CK_TLS12_MASTER_KEY_DERIVE_PARAMS); > } else { > /* prfHashMechanism is not relevant with this PRF */ > master_params_len = sizeof(CK_SSL3_MASTER_KEY_DERIVE_PARAMS); > } > > params.data = (unsigned char *)&master_params; > params.len = master_params_len; >@@ -4190,17 +4229,17 @@ ssl3_DeriveConnectionKeysPKCS11(sslSocke > returnedKeys.pIVServer = NULL; > } > > calg = cipher_def->calg; > bulk_mechanism = ssl3_Alg2Mech(calg); > > if (isTLS12) { > key_derive = CKM_TLS12_KEY_AND_MAC_DERIVE; >- key_material_params.prfHashMechanism = CKM_SHA256; >+ key_material_params.prfHashMechanism = ssl3_GetPrfHashMechanism(ss); > key_material_params_len = sizeof(CK_TLS12_KEY_MAT_PARAMS); > } else if (isTLS) { > key_derive = CKM_TLS_KEY_AND_MAC_DERIVE; > key_material_params_len = sizeof(CK_SSL3_KEY_MAT_PARAMS); > } else { > key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE; > key_material_params_len = sizeof(CK_SSL3_KEY_MAT_PARAMS); > } >@@ -4268,17 +4307,31 @@ ssl3_InitHandshakeHashes(sslSocket *ss) > > PORT_Assert(ss->ssl3.hs.hashType == handshake_hash_unknown); > #ifndef NO_PKCS11_BYPASS > if (ss->opt.bypassPKCS11) { > PORT_Assert(!ss->ssl3.hs.sha_obj && !ss->ssl3.hs.sha_clone); > if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) { > /* If we ever support ciphersuites where the PRF hash isn't SHA-256 > * then this will need to be updated. */ >- ss->ssl3.hs.sha_obj = HASH_GetRawHashObject(HASH_AlgSHA256); >+ HASH_HashType ht; >+ CK_MECHANISM_TYPE hm; >+ SECOidTag ot; >+ SECOidData *hashOid; >+ >+ hm = ssl3_GetPrfHashMechanism(ss); >+ hashOid = SECOID_FindOIDByMechanism(hm); >+ >+ if (hashOid == NULL) { >+ ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); >+ return SECFailure; >+ } >+ ot = hashOid->offset; >+ ht = HASH_GetHashTypeByOidTag(ot); >+ ss->ssl3.hs.sha_obj = HASH_GetRawHashObject(ht); > if (!ss->ssl3.hs.sha_obj) { > ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); > return SECFailure; > } > ss->ssl3.hs.sha_clone = (void (*)(void *, void *))SHA256_Clone; > ss->ssl3.hs.hashType = handshake_hash_single; > ss->ssl3.hs.sha_obj->begin(ss->ssl3.hs.sha_cx); > } else { >@@ -4613,16 +4666,21 @@ ssl3_AppendHandshakeHeader(sslSocket *ss > > /* ssl3_AppendSignatureAndHashAlgorithm appends the serialisation of > * |sigAndHash| to the current handshake message. */ > SECStatus > ssl3_AppendSignatureAndHashAlgorithm( > sslSocket *ss, const SSLSignatureAndHashAlg *sigAndHash) > { > PRUint8 serialized[2]; >+ SECOidTag hashAlg = ssl3_TLSHashAlgorithmToOID(sigAndHash->hashAlg); >+ if (hashAlg == SEC_OID_UNKNOWN) { >+ PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM); >+ return SECFailure; >+ } > > serialized[0] = (PRUint8)sigAndHash->hashAlg; > serialized[1] = (PRUint8)sigAndHash->sigAlg; > > return ssl3_AppendHandshake(ss, serialized, sizeof(serialized)); > } > > /************************************************************************** >@@ -6777,23 +6835,16 @@ ssl3_HandleServerHello(sslSocket *ss, SS > desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version > : handshake_failure; > errCode = SSL_ERROR_UNSUPPORTED_VERSION; > goto alert_loser; > } > ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_version; > isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0); > >- rv = ssl3_InitHandshakeHashes(ss); >- if (rv != SECSuccess) { >- desc = internal_error; >- errCode = PORT_GetError(); >- goto alert_loser; >- } >- > rv = ssl3_ConsumeHandshake( > ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH, &b, &length); > if (rv != SECSuccess) { > goto loser; /* alert has been sent */ > } > > /* Check the ServerHello.random per > * [draft-ietf-tls-tls13-11 Section 6.3.1.1]. >@@ -6898,16 +6949,24 @@ ssl3_HandleServerHello(sslSocket *ss, SS > errCode = SSL_ERROR_NO_COMPRESSION_OVERLAP; > goto alert_loser; > } > ss->ssl3.hs.compression = (SSLCompressionMethod)temp; > } else { > ss->ssl3.hs.compression = ssl_compression_null; > } > >+ /* Wait until we've figured out the cipher suite before we initialize the handshake hashes */ >+ rv = ssl3_InitHandshakeHashes(ss); >+ if (rv != SECSuccess) { >+ desc = internal_error; >+ errCode = PORT_GetError(); >+ goto alert_loser; >+ } >+ > /* Note that if !isTLS and the extra stuff is not extensions, we > * do NOT goto alert_loser. > * There are some old SSL 3.0 implementations that do send stuff > * after the end of the server hello, and we deliberately ignore > * such stuff in the interest of maximal interoperability (being > * "generous in what you accept"). > * Update: Starting in NSS 3.12.6, we handle the renegotiation_info > * extension in SSL 3.0. >@@ -8576,23 +8635,16 @@ ssl3_HandleClientHello(sslSocket *ss, SS > desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version > : handshake_failure; > errCode = SSL_ERROR_UNSUPPORTED_VERSION; > goto alert_loser; > } > isTLS13 = ss->version >= SSL_LIBRARY_VERSION_TLS_1_3; > ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_version; > >- rv = ssl3_InitHandshakeHashes(ss); >- if (rv != SECSuccess) { >- desc = internal_error; >- errCode = PORT_GetError(); >- goto alert_loser; >- } >- > /* Generate the Server Random now so it is available > * when we process the ClientKeyShare in TLS 1.3 */ > rv = ssl3_GetNewRandom(&ss->ssl3.hs.server_random); > if (rv != SECSuccess) { > errCode = SSL_ERROR_GENERATE_RANDOM_FAILURE; > goto loser; > } > >@@ -8980,16 +9032,24 @@ static SECStatus ssl3_HandleClientHelloP > errCode = SSL_ERROR_NO_COMPRESSION_OVERLAP; > /* null compression must be supported */ > goto alert_loser; > > compression_found: > suites->data = NULL; > comps->data = NULL; > >+ /* Wait until we've figured out the cipher suite before we initialize the handshake hashes */ >+ rv = ssl3_InitHandshakeHashes(ss); >+ if (rv != SECSuccess) { >+ desc = internal_error; >+ errCode = PORT_GetError(); >+ goto alert_loser; >+ } >+ > /* If there are any failures while processing the old sid, > * we don't consider them to be errors. Instead, We just behave > * as if the client had sent us no sid to begin with, and make a new one. > * The exception here is attempts to resume extended_master_secret > * sessions without the extension, which causes an alert. > */ > if (sid != NULL) > do { >@@ -9333,23 +9393,16 @@ ssl3_HandleV2ClientHello(sslSocket *ss, > /* send back which ever alert client will understand. */ > desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version > : handshake_failure; > errCode = SSL_ERROR_UNSUPPORTED_VERSION; > goto alert_loser; > } > ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_version; > >- rv = ssl3_InitHandshakeHashes(ss); >- if (rv != SECSuccess) { >- desc = internal_error; >- errCode = PORT_GetError(); >- goto alert_loser; >- } >- > /* if we get a non-zero SID, just ignore it. */ > if (length != total) { > SSL_DBG(("%d: SSL3[%d]: bad v2 client hello message, len=%d should=%d", > SSL_GETPID(), ss->fd, length, total)); > desc = illegal_parameter; > errCode = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO; > goto alert_loser; > } >@@ -9444,16 +9497,24 @@ suite_found: > !ssl3_ExtensionNegotiated(ss, ssl_renegotiation_info_xtn)) { > desc = handshake_failure; > errCode = SSL_ERROR_UNSAFE_NEGOTIATION; > goto alert_loser; > } > > ss->ssl3.hs.compression = ssl_compression_null; > >+ /* Wait until we've figured out the cipher suite before we initialize the handshake hashes */ >+ rv = ssl3_InitHandshakeHashes(ss); >+ if (rv != SECSuccess) { >+ desc = internal_error; >+ errCode = PORT_GetError(); >+ goto alert_loser; >+ } >+ > /* we don't even search for a cache hit here. It's just a miss. */ > SSL_AtomicIncrementLong(&ssl3stats.hch_sid_cache_misses); > sid = ssl3_NewSessionID(ss, PR_TRUE); > if (sid == NULL) { > errCode = PORT_GetError(); > goto loser; /* memory error is set. */ > } > ss->sec.ci.sid = sid; >@@ -9946,17 +10007,17 @@ ssl3_EncodeCertificateRequestSigAlgs(ssl > } > > *len = 0; > for (i = 0; i < ss->ssl3.signatureAlgorithmCount; ++i) { > const SSLSignatureAndHashAlg *alg = &ss->ssl3.signatureAlgorithms[i]; > /* Note that we don't support a handshake hash with anything other than > * SHA-256, so asking for a signature from clients for something else > * would be inviting disaster. */ >- if (alg->hashAlg == ssl_hash_sha256) { >+ if (alg->hashAlg == ssl_hash_sha256 || alg->hashAlg == ssl_hash_sha384) { > buf[(*len)++] = (PRUint8)alg->hashAlg; > buf[(*len)++] = (PRUint8)alg->sigAlg; > } > } > > if (*len == 0) { > PORT_SetError(SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM); > return SECFailure; >@@ -10017,17 +10078,18 @@ ssl3_SendCertificateRequest(sslSocket *s > isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); > > ssl3_GetCertificateRequestCAs(ss, &calen, &names, &nnames); > certTypes = certificate_types; > certTypesLength = sizeof certificate_types; > > length = 1 + certTypesLength + 2 + calen; > if (isTLS12) { >- rv = ssl3_EncodeCertificateRequestSigAlgs(ss, sigAlgs, sizeof(sigAlgs), >+ rv = ssl3_EncodeCertificateRequestSigAlgs(ss, >+ sigAlgs, sizeof(sigAlgs), > &sigAlgsLength); > if (rv != SECSuccess) { > return rv; > } > length += 2 + sigAlgsLength; > } > > rv = ssl3_AppendHandshakeHeader(ss, certificate_request, length); >@@ -11501,17 +11563,17 @@ ssl3_AuthCertificateComplete(sslSocket * > done: > ssl_ReleaseSSL3HandshakeLock(ss); > ssl_ReleaseRecvBufLock(ss); > > return rv; > } > > static SECStatus >-ssl3_ComputeTLSFinished(ssl3CipherSpec *spec, >+ssl3_ComputeTLSFinished(sslSocket *ss, ssl3CipherSpec *spec, > PRBool isServer, > const SSL3Hashes *hashes, > TLSFinished *tlsFinished) > { > SECStatus rv; > CK_TLS_MAC_PARAMS tls_mac_params; > SECItem param = { siBuffer, NULL, 0 }; > PK11Context *prf_context; >@@ -11524,17 +11586,17 @@ ssl3_ComputeTLSFinished(ssl3CipherSpec * > return ssl3_TLSPRFWithMasterSecret(spec, label, len, hashes->u.raw, > hashes->len, tlsFinished->verify_data, > sizeof tlsFinished->verify_data); > } > > if (spec->version < SSL_LIBRARY_VERSION_TLS_1_2) { > tls_mac_params.prfMechanism = CKM_TLS_PRF; > } else { >- tls_mac_params.prfMechanism = CKM_SHA256; >+ tls_mac_params.prfMechanism = ssl3_GetPrfHashMechanism(ss); > } > tls_mac_params.ulMacLength = 12; > tls_mac_params.ulServerOrClient = isServer ? 1 : 2; > param.data = (unsigned char *)&tls_mac_params; > param.len = sizeof(tls_mac_params); > prf_context = PK11_CreateContextBySymKey(CKM_TLS_MAC, CKA_SIGN, > spec->master_secret, &param); > if (!prf_context) >@@ -11727,17 +11789,17 @@ ssl3_SendFinished(sslSocket *ss, PRInt32 > PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); > PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); > > ssl_GetSpecReadLock(ss); > cwSpec = ss->ssl3.cwSpec; > isTLS = (PRBool)(cwSpec->version > SSL_LIBRARY_VERSION_3_0); > rv = ssl3_ComputeHandshakeHashes(ss, cwSpec, &hashes, sender); > if (isTLS && rv == SECSuccess) { >- rv = ssl3_ComputeTLSFinished(cwSpec, isServer, &hashes, &tlsFinished); >+ rv = ssl3_ComputeTLSFinished(ss, cwSpec, isServer, &hashes, &tlsFinished); > } > ssl_ReleaseSpecReadLock(ss); > if (rv != SECSuccess) { > goto fail; /* err code was set by ssl3_ComputeHandshakeHashes */ > } > > if (isTLS) { > if (isServer) >@@ -11898,17 +11960,17 @@ ssl3_HandleFinished(sslSocket *ss, SSL3O > if (isTLS) { > TLSFinished tlsFinished; > > if (length != sizeof tlsFinished) { > (void)SSL3_SendAlert(ss, alert_fatal, decode_error); > PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED); > return SECFailure; > } >- rv = ssl3_ComputeTLSFinished(ss->ssl3.crSpec, !isServer, >+ rv = ssl3_ComputeTLSFinished(ss, ss->ssl3.crSpec, !isServer, > hashes, &tlsFinished); > if (!isServer) > ss->ssl3.hs.finishedMsgs.tFinished[1] = tlsFinished; > else > ss->ssl3.hs.finishedMsgs.tFinished[0] = tlsFinished; > ss->ssl3.hs.finishedBytes = sizeof tlsFinished; > if (rv != SECSuccess || > 0 != NSS_SecureMemcmp(&tlsFinished, b, length)) { >diff --git a/lib/ssl/ssl3ecc.c b/lib/ssl/ssl3ecc.c >--- a/lib/ssl/ssl3ecc.c >+++ b/lib/ssl/ssl3ecc.c >@@ -1061,50 +1061,58 @@ static const ssl3CipherSuite ecdh_rsa_su > 0 /* end of list marker */ > }; > > static const ssl3CipherSuite ecdhe_ecdsa_suites[] = { > TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, > TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, >+ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, > TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, >+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, > TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, > TLS_ECDHE_ECDSA_WITH_NULL_SHA, > TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, > 0 /* end of list marker */ > }; > > static const ssl3CipherSuite ecdhe_rsa_suites[] = { > TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, >+ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, >+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, > TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, > TLS_ECDHE_RSA_WITH_NULL_SHA, > TLS_ECDHE_RSA_WITH_RC4_128_SHA, > 0 /* end of list marker */ > }; > > /* List of all ECC cipher suites */ > static const ssl3CipherSuite ecSuites[] = { > TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, > TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, > TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, > TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, > TLS_ECDHE_ECDSA_WITH_NULL_SHA, > TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, >+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, >+ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, > TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, >+ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, >+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, > TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, > TLS_ECDHE_RSA_WITH_NULL_SHA, > TLS_ECDHE_RSA_WITH_RC4_128_SHA, > TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, > TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, > TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, > TLS_ECDH_ECDSA_WITH_NULL_SHA, > TLS_ECDH_ECDSA_WITH_RC4_128_SHA, >diff --git a/lib/ssl/ssl3prot.h b/lib/ssl/ssl3prot.h >--- a/lib/ssl/ssl3prot.h >+++ b/lib/ssl/ssl3prot.h >@@ -217,16 +217,42 @@ typedef struct { > > typedef struct { > union { > SSL3ServerDHParams dh; > SSL3ServerRSAParams rsa; > } u; > } SSL3ServerParams; > >+/* This enum reflects HashAlgorithm enum from >+ * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 >+ * >+ * When updating, be sure to also update ssl3_TLSHashAlgorithmToOID. */ >+typedef enum { >+ tls_hash_md5 = 1, >+ tls_hash_sha1 = 2, >+ tls_hash_sha224 = 3, >+ tls_hash_sha256 = 4, >+ tls_hash_sha384 = 5, >+ tls_hash_sha512 = 6 >+} TLSHashAlgorithm; >+ >+/* This enum reflects SignatureAlgorithm enum from >+ * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ >+typedef enum { >+ tls_sig_rsa = 1, >+ tls_sig_dsa = 2, >+ tls_sig_ecdsa = 3 >+} TLSSignatureAlgorithm; >+ >+typedef struct { >+ SECOidTag hashAlg; >+ TLSSignatureAlgorithm sigAlg; >+} SSL3SignatureAndHashAlgorithm; >+ > /* SSL3HashesIndividually contains a combination MD5/SHA1 hash, as used in TLS > * prior to 1.2. */ > typedef struct { > PRUint8 md5[16]; > PRUint8 sha[20]; > } SSL3HashesIndividually; > > /* SSL3Hashes contains an SSL hash value. The digest is contained in |u.raw| >diff --git a/lib/ssl/sslenum.c b/lib/ssl/sslenum.c >--- a/lib/ssl/sslenum.c >+++ b/lib/ssl/sslenum.c >@@ -50,17 +50,21 @@ > */ > const PRUint16 SSL_ImplementedCiphers[] = { > /* ECDHE-PSK from [draft-mattsson-tls-ecdhe-psk-aead]. */ > TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256, > > > #ifndef NSS_DISABLE_ECC > TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, >+ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, >+ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, >+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, >+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, > TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, > TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, > /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA must appear before > * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA to work around bug 946147. > */ > TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, >@@ -77,16 +81,18 @@ const PRUint16 SSL_ImplementedCiphers[] > TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, > TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, > TLS_DHE_RSA_WITH_AES_128_CBC_SHA, > TLS_DHE_DSS_WITH_AES_128_CBC_SHA, > TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, > TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, > TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, > TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, >+ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, >+ TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, > TLS_DHE_RSA_WITH_AES_256_CBC_SHA, > TLS_DHE_DSS_WITH_AES_256_CBC_SHA, > TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, > TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, > TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, > TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, > TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, > TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, >@@ -98,16 +104,17 @@ const PRUint16 SSL_ImplementedCiphers[] > TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, > TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, > TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, > TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, > TLS_ECDH_ECDSA_WITH_RC4_128_SHA, > TLS_ECDH_RSA_WITH_RC4_128_SHA, > #endif /* NSS_DISABLE_ECC */ > >+ TLS_RSA_WITH_AES_256_GCM_SHA384, > TLS_RSA_WITH_AES_128_GCM_SHA256, > TLS_RSA_WITH_AES_128_CBC_SHA, > TLS_RSA_WITH_AES_128_CBC_SHA256, > TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, > TLS_RSA_WITH_AES_256_CBC_SHA, > TLS_RSA_WITH_AES_256_CBC_SHA256, > TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, > TLS_RSA_WITH_SEED_CBC_SHA, >diff --git a/lib/ssl/sslimpl.h b/lib/ssl/sslimpl.h >--- a/lib/ssl/sslimpl.h >+++ b/lib/ssl/sslimpl.h >@@ -53,16 +53,17 @@ typedef SSLMACAlgorithm SSL3MACAlgorithm > #define calg_chacha20 ssl_calg_chacha20 > > #define mac_null ssl_mac_null > #define mac_md5 ssl_mac_md5 > #define mac_sha ssl_mac_sha > #define hmac_md5 ssl_hmac_md5 > #define hmac_sha ssl_hmac_sha > #define hmac_sha256 ssl_hmac_sha256 >+#define hmac_sha384 ssl_hmac_sha384 > #define mac_aead ssl_mac_aead > > #define SET_ERROR_CODE /* reminder */ > #define SEND_ALERT /* reminder */ > #define TEST_FOR_FAILURE /* reminder */ > #define DEAL_WITH_FAILURE /* reminder */ > > #if defined(DEBUG) || defined(TRACE) >@@ -271,19 +272,19 @@ typedef struct { > ssl3CipherSuite cipher_suite; > PRUint8 policy; > unsigned char enabled : 1; > unsigned char isPresent : 1; > #endif > } ssl3CipherSuiteCfg; > > #ifndef NSS_DISABLE_ECC >-#define ssl_V3_SUITES_IMPLEMENTED 68 >+#define ssl_V3_SUITES_IMPLEMENTED 75 > #else >-#define ssl_V3_SUITES_IMPLEMENTED 41 >+#define ssl_V3_SUITES_IMPLEMENTED 44 > #endif /* NSS_DISABLE_ECC */ > > #define MAX_DTLS_SRTP_CIPHER_SUITES 4 > > /* MAX_SIGNATURE_ALGORITHMS allows for a large number of combinations of > * SSLSignType and SSLHashType, but not all combinations (specifically, this > * doesn't allow space for combinations with MD5). */ > #define MAX_SIGNATURE_ALGORITHMS 15 >@@ -435,21 +436,29 @@ typedef enum { > cipher_des40, > cipher_idea, > cipher_aes_128, > cipher_aes_256, > cipher_camellia_128, > cipher_camellia_256, > cipher_seed, > cipher_aes_128_gcm, >+ cipher_aes_256_gcm, > cipher_chacha20, > cipher_missing /* reserved for no such supported cipher */ > /* This enum must match ssl3_cipherName[] in ssl3con.c. */ > } SSL3BulkCipher; > >+/* The TLS PRF definition */ >+typedef enum { >+ prf_null = 0, /* use default prf */ >+ prf_256 = CKM_SHA256, >+ prf_384 = CKM_SHA384 >+} SSL3PRF; >+ > typedef enum { type_stream, > type_block, > type_aead } CipherType; > > #define MAX_IV_LENGTH 24 > > /* > * Do not depend upon 64 bit arithmetic in the underlying machine. >@@ -685,16 +694,17 @@ struct sslSessionIDStr { > } u; > }; > > typedef struct ssl3CipherSuiteDefStr { > ssl3CipherSuite cipher_suite; > SSL3BulkCipher bulk_cipher_alg; > SSL3MACAlgorithm mac_alg; > SSL3KeyExchangeAlgorithm key_exchange_alg; >+ SSL3PRF prf_alg; > } ssl3CipherSuiteDef; > > /* > ** There are tables of these, all const. > */ > typedef struct { > SSL3KeyExchangeAlgorithm kea; > SSL3KEAType exchKeyType; >@@ -1913,16 +1923,17 @@ SECStatus ssl3_SetupPendingCipherSpec(ss > SECStatus ssl3_FlushHandshake(sslSocket *ss, PRInt32 flags); > SECStatus ssl3_SendCertificate(sslSocket *ss); > SECStatus ssl3_CompleteHandleCertificate(sslSocket *ss, > SSL3Opaque *b, PRUint32 length); > SECStatus ssl3_SendEmptyCertificate(sslSocket *ss); > SECStatus ssl3_SendCertificateStatus(sslSocket *ss); > SECStatus ssl3_CompleteHandleCertificateStatus(sslSocket *ss, SSL3Opaque *b, > PRUint32 length); >+CK_MECHANISM_TYPE ssl3_GetPrfHashMechanism(sslSocket *ss); > SECStatus ssl3_EncodeCertificateRequestSigAlgs(sslSocket *ss, PRUint8 *buf, > unsigned maxLen, PRUint32 *len); > void ssl3_GetCertificateRequestCAs(sslSocket *ss, int *calenp, SECItem **namesp, > int *nnamesp); > SECStatus ssl3_ParseCertificateRequestCAs(sslSocket *ss, SSL3Opaque **b, > PRUint32 *length, PLArenaPool *arena, > CERTDistNames *ca_list); > SECStatus ssl3_CompleteHandleCertificateRequest(sslSocket *ss, >diff --git a/lib/ssl/sslproto.h b/lib/ssl/sslproto.h >--- a/lib/ssl/sslproto.h >+++ b/lib/ssl/sslproto.h >@@ -159,18 +159,21 @@ > #define TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA 0x0086 > #define TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA 0x0087 > #define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 0x0088 > #define TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA 0x0089 > > #define TLS_RSA_WITH_SEED_CBC_SHA 0x0096 > > #define TLS_RSA_WITH_AES_128_GCM_SHA256 0x009C >+#define TLS_RSA_WITH_AES_256_GCM_SHA384 0x009D > #define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 0x009E >+#define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 0x009F > #define TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 0x00A2 >+#define TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 0x00A3 > > /* TLS "Signaling Cipher Suite Value" (SCSV). May be requested by client. > * Must NEVER be chosen by server. SSL 3.0 server acknowledges by sending > * back an empty Renegotiation Info (RI) server hello extension. > */ > #define TLS_EMPTY_RENEGOTIATION_INFO_SCSV 0x00FF > > /* TLS_FALLBACK_SCSV is a signaling cipher suite value that indicates that a >@@ -207,21 +210,25 @@ > > #define TLS_ECDH_anon_WITH_NULL_SHA 0xC015 > #define TLS_ECDH_anon_WITH_RC4_128_SHA 0xC016 > #define TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA 0xC017 > #define TLS_ECDH_anon_WITH_AES_128_CBC_SHA 0xC018 > #define TLS_ECDH_anon_WITH_AES_256_CBC_SHA 0xC019 > > #define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023 >+#define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 0xC024 > #define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xC027 >+#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 0xC028 > > #define TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B >+#define TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xC02C > #define TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 0xC02D > #define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F >+#define TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 0xC030 > #define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031 > > #define TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA8 > #define TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA9 > #define TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xCCAA > > /* Experimental PSK support for [draft-mattsson-tls-ecdhe-psk-aead] */ > #define TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 0xD001 >diff --git a/lib/ssl/sslt.h b/lib/ssl/sslt.h >--- a/lib/ssl/sslt.h >+++ b/lib/ssl/sslt.h >@@ -111,17 +111,18 @@ typedef enum { > > typedef enum { > ssl_mac_null = 0, > ssl_mac_md5 = 1, > ssl_mac_sha = 2, > ssl_hmac_md5 = 3, /* TLS HMAC version of mac_md5 */ > ssl_hmac_sha = 4, /* TLS HMAC version of mac_sha */ > ssl_hmac_sha256 = 5, >- ssl_mac_aead = 6 >+ ssl_mac_aead = 6, >+ ssl_hmac_sha384 = 7 > } SSLMACAlgorithm; > > typedef enum { > ssl_compression_null = 0, > ssl_compression_deflate = 1 /* RFC 3749 */ > } SSLCompressionMethod; > > typedef struct SSLChannelInfoStr {

Attachment #8738863 - Attachment is obsolete: true

Attachment #8738863 - Flags: review?(rrelyea)

Assignee

Comment 64

•

9 years ago

I wasn't expecting the just obsoleted patch too be shown here, I obsoleted it because of Comment 62.

Robert Relyea

Updated

•

9 years ago

Attachment #8738862 - Flags: review?(rrelyea) → review+

Assignee

Comment 65

•

9 years ago

Attached patch sha384 prf support in libsssl + plus tests changes (obsolete) — Details — Splinter Review

Not ready to be checked in as it isn't working yet. I do attach for review and to get some help identifying the cause of the failures.

Attachment #8742464 - Attachment is obsolete: true

Attachment #8744036 - Flags: review?(martin.thomson)

Assignee

Comment 66

•

9 years ago

Here is an excerpt from the test output log with some of the failures: ------------------------------------------------------------------------------------------------ selfserv: normal termination selfserv_9270 -b -p 9270 2>/dev/null; selfserv_9270 with PID 11344 killed at Thu Apr 21 13:11:12 PDT 2016 ssl.sh: SSL3 Require client auth on 2nd hs (EC) (client auth) ---- selfserv_9270 starting at Thu Apr 21 13:11:12 PDT 2016 selfserv_9270 -D -p 9270 -d ../server -n localhost.localdomain \ -e localhost.localdomain-ec -S localhost.localdomain-dsa -w nss -r -r -r -r -i ../tests_pid.25017\ -H 1 & trying to connect to selfserv_9270 at Thu Apr 21 13:11:12 PDT 2016 tstclnt -p 9270 -h localhost.localdomain -q \ -d ../client -v < /home/emaldona/work4nss/upstream/one-sha384-test-enabled/nss/tests/ssl/sslreq.dat tstclnt: connecting to localhost.localdomain:9270 (address=127.0.0.1) kill -0 12766 >/dev/null 2>/dev/null selfserv_9270 with PID 12766 found at Thu Apr 21 13:11:12 PDT 2016 selfserv_9270 with PID 12766 started at Thu Apr 21 13:11:12 PDT 2016 trying to kill selfserv_9270 with PID 12766 at Thu Apr 21 13:11:12 PDT 2016 kill -USR1 12766 ./ssl.sh: line 175: 12766 User defined signal 1 ${PROFTOOL} ${BINDIR}/selfserv_9270 -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 selfserv_9270 -b -p 9270 2>/dev/null; selfserv_9270 with PID 12766 killed at Thu Apr 21 13:11:12 PDT 2016 ssl.sh: SSL Cipher Coverage - server bypass/client normal - with ECC =============================== selfserv_9270 starting at Thu Apr 21 13:11:12 PDT 2016 selfserv_9270 -D -p 9270 -d ../server -n localhost.localdomain -B -s \ -e localhost.localdomain-ec -S localhost.localdomain-dsa -w nss -c :C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:C023:C024:C027:C028:C02B:C02C:C02F:C030:CCA8:CCA9:CCAA:0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009E:00A2cdefgijklmnvyz -i ../tests_pid.25017\ -H 1 & trying to connect to selfserv_9270 at Thu Apr 21 13:11:12 PDT 2016 tstclnt -p 9270 -h localhost.localdomain -q \ -d ../client -v < /home/emaldona/work4nss/upstream/one-sha384-test-enabled/nss/tests/ssl/sslreq.dat tstclnt: connecting to localhost.localdomain:9270 (address=127.0.0.1) kill -0 12814 >/dev/null 2>/dev/null selfserv_9270 with PID 12814 found at Thu Apr 21 13:11:12 PDT 2016 selfserv_9270 with PID 12814 started at Thu Apr 21 13:11:12 PDT 2016 ssl.sh: running TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 ---------------------------- kill -0 12814 >/dev/null 2>/dev/null selfserv_9270 with PID 12814 found at Thu Apr 21 13:11:13 PDT 2016 tstclnt -p 9270 -h localhost.localdomain -c :009F -V ssl3:tls1.2 \ -f -d ../client -v -w nss < /home/emaldona/work4nss/upstream/one-sha384-test-enabled/nss/tests/ssl/sslreq.dat selfserv: HDX PR_Read returned error -12260: SSL received a malformed Client Hello handshake message. tstclnt: connecting to localhost.localdomain:9270 (address=127.0.0.1) tstclnt: connect: PR_IN_PROGRESS_ERROR: Operation is still in progress (probably a non-blocking connect) tstclnt: about to call PR_Poll for connect completion! tstclnt: PR_Poll returned 0x02 for socket out_flags. tstclnt: ready... tstclnt: about to call PR_Poll ! tstclnt: PR_Poll returned! tstclnt: PR_Poll returned 0x01 for stdin out_flags. tstclnt: PR_Poll returned 0x00 for socket out_flags. tstclnt: stdin read 18 bytes tstclnt: Writing 18 bytes to server tstclnt: write to SSL socket failed: SSL_ERROR_NO_CYPHER_OVERLAP: Cannot communicate securely with peer: no common encryption algorithm(s). tstclnt: exiting with return code 254 ssl.sh: #1727: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 produced a returncode of 254, expected is 0 - FAILED ssl.sh: running TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 ---------------------------- kill -0 12814 >/dev/null 2>/dev/null selfserv_9270 with PID 12814 found at Thu Apr 21 13:11:13 PDT 2016 tstclnt -p 9270 -h localhost.localdomain -c :00A3 -V ssl3:tls1.2 \ -f -d ../client -v -w nss < /home/emaldona/work4nss/upstream/one-sha384-test-enabled/nss/tests/ssl/sslreq.dat selfserv: HDX PR_Read returned error -12260: SSL received a malformed Client Hello handshake message. tstclnt: connecting to localhost.localdomain:9270 (address=127.0.0.1) tstclnt: connect: PR_IN_PROGRESS_ERROR: Operation is still in progress (probably a non-blocking connect) tstclnt: about to call PR_Poll for connect completion! tstclnt: PR_Poll returned 0x02 for socket out_flags. tstclnt: ready... tstclnt: about to call PR_Poll ! tstclnt: PR_Poll returned! tstclnt: PR_Poll returned 0x01 for stdin out_flags. tstclnt: PR_Poll returned 0x00 for socket out_flags. tstclnt: stdin read 18 bytes tstclnt: Writing 18 bytes to server tstclnt: write to SSL socket failed: SSL_ERROR_NO_CYPHER_OVERLAP: Cannot communicate securely with peer: no common encryption algorithm(s). tstclnt: exiting with return code 254 ssl.sh: #1728: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 produced a returncode of 254, expected is 0 - FAILED ssl.sh: running TLS_RSA_WITH_AES_256_GCM_SHA384 ---------------------------- kill -0 12814 >/dev/null 2>/dev/null selfserv_9270 with PID 12814 found at Thu Apr 21 13:11:13 PDT 2016 tstclnt -p 9270 -h localhost.localdomain -c :009D -V ssl3:tls1.2 \ -f -d ../client -v -w nss < /home/emaldona/work4nss/upstream/one-sha384-test-enabled/nss/tests/ssl/sslreq.dat selfserv: HDX PR_Read returned error -12260: SSL received a malformed Client Hello handshake message. tstclnt: connecting to localhost.localdomain:9270 (address=127.0.0.1) tstclnt: connect: PR_IN_PROGRESS_ERROR: Operation is still in progress (probably a non-blocking connect) tstclnt: about to call PR_Poll for connect completion! tstclnt: PR_Poll returned 0x02 for socket out_flags. tstclnt: ready... tstclnt: about to call PR_Poll ! tstclnt: PR_Poll returned! tstclnt: PR_Poll returned 0x01 for stdin out_flags. tstclnt: PR_Poll returned 0x00 for socket out_flags. tstclnt: stdin read 18 bytes tstclnt: Writing 18 bytes to server tstclnt: write to SSL socket failed: SSL_ERROR_NO_CYPHER_OVERLAP: Cannot communicate securely with peer: no common encryption algorithm(s). tstclnt: exiting with return code 254 ssl.sh: #1729: TLS_RSA_WITH_AES_256_GCM_SHA384 produced a returncode of 254, expected is 0 - FAILED ssl.sh: running TLS12_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ---------------------------- kill -0 12814 >/dev/null 2>/dev/null selfserv_9270 with PID 12814 found at Thu Apr 21 13:11:13 PDT 2016 tstclnt -p 9270 -h localhost.localdomain -c :C024 -V ssl3:tls1.2 \ -f -d ../client -v -w nss < /home/emaldona/work4nss/upstream/one-sha384-test-enabled/nss/tests/ssl/sslreq.dat ./ssl.sh: line 260: 13688 Aborted (core dumped) ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f -d ${P_R_CLIENTDIR} -v -w nss < ${REQUEST_FILE} > ${TMP}/$HOST.tmp.$$ 2>&1 tstclnt: connecting to localhost.localdomain:9270 (address=127.0.0.1) tstclnt: connect: PR_IN_PROGRESS_ERROR: Operation is still in progress (probably a non-blocking connect) tstclnt: about to call PR_Poll for connect completion! tstclnt: PR_Poll returned 0x02 for socket out_flags. tstclnt: ready... tstclnt: about to call PR_Poll ! tstclnt: PR_Poll returned! tstclnt: PR_Poll returned 0x01 for stdin out_flags. tstclnt: PR_Poll returned 0x00 for socket out_flags. tstclnt: stdin read 18 bytes tstclnt: Writing 18 bytes to server tstclnt: about to call PR_Poll on writable socket ! tstclnt: PR_Poll returned with writable socket ! tstclnt: using asynchronous certificate validation ERROR: bock_need=160 > key_block=1052988032 Assertion failure: block_needed <= sizeof key_block, at pkcs11c.c:6539 ssl.sh: #1730: TLS12_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 produced a returncode of 134, expected is 0 - FAILED ssl.sh: running TLS12_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ---------------------------- kill -0 12814 >/dev/null 2>/dev/null selfserv_9270 with PID 12814 found at Thu Apr 21 13:11:13 PDT 2016 tstclnt -p 9270 -h localhost.localdomain -c :C028 -V ssl3:tls1.2 \ -f -d ../client -v -w nss < /home/emaldona/work4nss/upstream/one-sha384-test-enabled/nss/tests/ssl/sslreq.dat tstclnt: connecting to localhost.localdomain:9270 (address=127.0.0.1) tstclnt: connect: PR_IN_PROGRESS_ERROR: Operation is still in progress (probably a non-blocking connect) tstclnt: about to call PR_Poll for connect completion! tstclnt: PR_Poll returned 0x02 for socket out_flags. tstclnt: ready... tstclnt: about to call PR_Poll ! tstclnt: PR_Poll returned! tstclnt: PR_Poll returned 0x01 for stdin out_flags. tstclnt: PR_Poll returned 0x00 for socket out_flags. tstclnt: stdin read 18 bytes tstclnt: Writing 18 bytes to server tstclnt: about to call PR_Poll on writable socket ! tstclnt: PR_Poll returned with writable socket ! tstclnt: write to SSL socket failed: PR_END_OF_FILE_ERROR: Encountered end of file tstclnt: exiting with return code 254 ./ssl.sh: line 260: 12814 Segmentation fault (core dumped) ${PROFTOOL} ${BINDIR}/selfserv_9270 -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 ssl.sh: #1731: TLS12_ECDHE_RSA_WITH_AES_256_CBC_SHA384 produced a returncode of 254, expected is 0 - FAILED ssl.sh: running TLS12_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ---------------------------- kill -0 12814 >/dev/null 2>/dev/null ssl.sh: Exit: 10 Fatal - selfserv_9270 process not detectable - FAILED ssl.sh: #1732: 10 Fatal - selfserv_9270 process not detectable - FAILED ./init.sh: line 155: kill: (12814) - No such process ------------------------------------------------------------

Assignee

Comment 67

•

9 years ago

To nss/tests/ssl/sslcov.txt I have added these tests: ECC TLS12 :C024 TLS12_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ECC TLS12 :C028 TLS12_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECC TLS12 :C02C TLS12_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ECC TLS12 :C030 TLS12_ECDHE_RSA_WITH_AES_256_GCM_SHA384 noECC TLS12 :009F TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 noECC TLS12 :00A3 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 noECC TLS12 :009D TLS_RSA_WITH_AES_256_GCM_SHA384 Looking at nss/tests/ssl/ssl.sh it seems to me that I should also add :C024, :C028, :C02C, and :C030 in their proper places to CIPHER_SUITES inside the if [ -z "$NSS_DISABLE_ECC" ] ; then ECC_STRING=" - with ECC" # List of cipher suites to test, including ECC cipher suites. CIPHER_SUITES="-c ..... part and and add :009F, :00A3, and :009D in their proper places to CIPHER_SUITES for else ECC_STRING="" # List of cipher suites to test, excluding ECC cipher suites. CIPHER_SUITES="-c : ..... I see that :CCA8:CCA9: for TLS12_ECDHE_{RSA|ECDsa}_WITH_CHACHA20_POLY1305_SHA256 were added. Martin, what do you think?

Flags: needinfo?(martin.thomson)

Comment 68

•

9 years ago

Yes, that looks correct. I would look for one of the existing cipher suite definitions throughout the whole tree just to be doubly sure.

Flags: needinfo?(martin.thomson)

Comment 69

•

9 years ago

Attached patch tests.patch (obsolete) — Details — Splinter Review

This should apply on top of attachment 8744036 [details] [diff] [review] and let you run tests. I usually run the script in tests/ssl_gtests then save the directory created, e.g.: ../tests_results/security/localhost.80/ssl_gtests Then it's a matter of running the binary. You can set a filter to make it easier. Here's a snippet from the script that I use, you will need to tweak all the ~ directories. ~/ssl_gtest is a saved copy of the certificate DB. filter="$1" v="$(uname -s)$(uname -r | cut -f 1-2 -d . -)_$(uname -m)_${CC:-cc}_glibc_PTH_64_$([ -n "$BUILD_OPT" ] && echo OPT || echo DBG).OBJ" export LD_LIBRARY_PATH=~/code/dist/$v/lib:"$LD_LIBRARY_PATH" exec ~/code/dist/$v/bin/ssl_gtest -d ~/ssl_gtests --gtest_filter="$filter"

Comment 70

•

9 years ago

Comment on attachment 8744036 [details] [diff] [review] sha384 prf support in libsssl + plus tests changes Review of attachment 8744036 [details] [diff] [review]: ----------------------------------------------------------------- Looks like comments #60 and #61 are ignored, So I'll add more explanations. Comments above SSL_ImplementedCiphers should be updated. Proposed text: * No-encryption cipher suites last * Export/weak/obsolete cipher suites before no-encryption cipher suites * Order by key exchange algorithm: ECDHE, then DHE, then ECDH, RSA. * Within key agreement sections, prefer AEAD cipher suites over non-AEAD cipher suites. * Within AEAD sections, order by symmetric encryption algorithm which integrates message authentication algorithm: AES-128-GCM, then ChaCha20-Poly1305, then AES-256-GCM, * Within non-AEAD sections, order by symmetric encryption algorithm: AES-128, then Camellia-128, then AES-256, then Camellia-256, then SEED, then FIPS-3DES, then 3DES, then RC4. AES is commonly accepted as a strong cipher internationally, and is often hardware-accelerated. Camellia also has wide international support across standards organizations. SEED is only recommended by the Korean government. 3DES only provides 112 bits of security. RC4 is now deprecated or forbidden by many standards organizations. * Within non-AEAD symmetric algorithm sections, order by message authentication algorithm: HMAC-SHA1, then HMAC-SHA256, then HMAC-SHA384, then HMAC-MD5. * Within message authentication algorithm sections, order by asymmetric signature algorithm: ECDSA, then RSA, then DSS. * As a special case, the PSK ciphers, which are only enabled when TLS 1.3 PSK-resumption is in use, come first. According to this order, some added cipher suites are out of order. ::: lib/ssl/ssl3con.c @@ +109,5 @@ > { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, > + { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE}, > + { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE}, > + { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE}, > + { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE}, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 should be placed after TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA. @@ +128,5 @@ > > { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, > { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE, PR_FALSE}, > { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, > + { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE}, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 should be placed here (that is, after TLS_DHE_RSA_WITH_AES_256_GCM_SHA384).

ggramaiz

Comment 71

•

9 years ago

(In reply to Masatoshi Kimura [:emk] from comment #70) > Comment on attachment 8744036 [details] [diff] [review] > sha384 prf support in libsssl + plus tests changes > > * Within non-AEAD symmetric algorithm sections, order by message > authentication algorithm: HMAC-SHA1, then HMAC-SHA256, then > HMAC-SHA384, then HMAC-MD5. Not an expert here, but shouldn't we prefer HMAC-SHA256, then HMAC-SHA384, then HMAC-SHA1, then HMAC-MD5? The French information security agency recommends the MAC to be ordered that way ( http://www.ssi.gouv.fr/uploads/IMG/pdf/SSL_TLS_etat_des_lieux_et_recommandations.pdf for reference). I agree with you on the other points.

Comment 72

•

Attachment #8744036 - Flags: review?(martin.thomson)

Attachment #8744737 - Flags: review?(martin.thomson)

Assignee

•

9 years ago

Comment on attachment 8744737 [details] [diff] [review] sha384 prf support - full patch Review of attachment 8744737 [details] [diff] [review]: ----------------------------------------------------------------- ::: lib/softoken/pkcs11c.c @@ +6088,2 @@ > unsigned char key_block2[MD5_LENGTH]; > PRBool isFIPS; nit: whitespace @@ +6534,5 @@ > + if (block_needed > sizeof key_block) { > + PR_fprintf(PR_STDERR, "ERROR: block_need=%d > key_block=%d\n ", > + block_needed, key_block); > + } > +#endif This was temporary for me to see the actual value and I forgot to remove it. There is a PORT_Assert in the next line. ::: lib/ssl/ssl3con.c @@ +118,5 @@ > { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, > { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, > { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, > + { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE}, > + { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE}, I agree with you on that. @@ +4367,5 @@ > + > + hm = ssl3_GetPrfHashMechanism(ss); > + hashOid = SECOID_FindOIDByMechanism(hm); > + > + if (hashOid == NULL) { Yes, I'll add one. @@ +4893,5 @@ > + * identifier. If the hash is not recognised, zero is returned. > + * > + * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ > +static int > +ssl3_OIDToTLSHashAlgorithm(SECOidTag oid) I see being called from ssl3_ComputeHandshakeHashes so I can do some check hashes->hashAlg = ssl3_OIDToTLSHashAlgorithm(hashOid->offset); PORT_Assert(hashes->hashAlg == ssl_hash_sha256 || hashes->hashAlg == ssl_hash_sha384); if (hashes->hashAlg != ssl_hash_sha256 && hashes->hashAlg != ssl_hash_sha384) { ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); rv = SECFailure; goto tls12_loser; } rv = SECSuccess; Let me see if I can find a way to get rid of it. @@ +7733,5 @@ > + suitePRFHash = ssl_hash_sha256; > + suitePRFIs256Or384 = PR_TRUE; > + } else if (hashOid->offset == SEC_OID_SHA384) { > + suitePRFHash = ssl_hash_sha384; > + suitePRFIs256Or384 = PR_TRUE; Yes, I remember you stated that in the first feedback. I'll clean up that. @@ +10284,5 @@ > int i; > int certTypesLength; > PRUint8 sigAlgs[MAX_SIGNATURE_ALGORITHMS * 2]; > unsigned int sigAlgsLength = 0; > + SSLHashType suiteHashAlg = ssl3_GetSuiteHashAlg(ss); shooud add const if I want to keep at all. ::: lib/ssl/sslimpl.h @@ +474,5 @@ > cipher_missing /* reserved for no such supported cipher */ > /* This enum must match ssl3_cipherName[] in ssl3con.c. */ > } SSL3BulkCipher; > > +/* The TLS PRF definition */ Yes, and adapting your own comments something like /* The TLS PRF definition */ /* Note that the prf_null value is generally used for suites designed before * TLS 1.2 and for TLS 1.2 prf_null actually means CKM_SHA256. */ ::: lib/ssl/sslinfo.c @@ +297,5 @@ > + { 0, CS(ECDHE_RSA_WITH_AES_256_CBC_SHA384), S_RSA, K_ECDHE, C_AES, B_256, M_SHA384, F_FIPS_STD, A_RSAS }, > + { 0, CS(ECDHE_ECDSA_WITH_AES_256_CBC_SHA384), S_ECDSA, K_ECDHE, C_AES, B_256, M_SHA384, F_FIPS_STD, A_ECDSA }, > + { 0, CS(ECDHE_ECDSA_WITH_AES_256_GCM_SHA384), S_ECDSA, K_ECDHE, C_AESGCM, B_256, M_SHA384, F_FIPS_STD, A_ECDSA }, > + { 0, CS(ECDHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_ECDHE, C_AESGCM, B_128, M_SHA256, F_FIPS_STD, A_RSAS }, > + { 0, CS(ECDHE_RSA_WITH_AES_256_GCM_SHA384), S_RSA, K_ECDHE, C_AESGCM, B_256, M_SHA384, F_FIPS_STD, A_RSAS }, Yes, I thought I had done it. I was testing several slightly different versions of the patch and most likely attached the wrong one. ::: tests/ssl/ssl.sh @@ +85,5 @@ > > if [ -z "$NSS_DISABLE_ECC" ] ; then > ECC_STRING=" - with ECC" > # List of cipher suites to test, including ECC cipher suites. > + CIPHER_SUITES="-c :C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:C023:C024:C027:C028:C02B:C02C:C02F:C030:CCA8:CCA9:CCAA:0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009D:009E:009F:00A2:00A3cdefgijklmnvyz" I agree, it hurts my eyes.

Updated

•

•

9 years ago

(In reply to Masatoshi Kimura [:emk] from comment #91) > It is not obvious that AES-256 is more secure than AES-128; See bug 975832. The problem with AES-128 is that in Post Quantum computing world it will be considered broken as 128 bits for a key is too low when divided by two. I do not know whether the attacks on AES-256 key schedule can be sped up by quantum computer though.

Assignee

Comment 95

•

9 years ago

I a have a new version of the patch with many improvements suggested by Martin. Not all test are passing and looking at some of the failures I found Assertion failure: secmod_PrivateModuleCount == 0, at pk11util.c:88 and witch it tstclnt: write to SSL socket failed: SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_VERSION: SSL feature not supported for the protocol version /* TODO(ekr@rtfm.com): Reenable for TLS 1.3 */ if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) { errCode = SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_VERSION; goto loser; } That let me to search for more cases I found this lib/ssl/ssl3prot.h: * TODO(ekr@rtfm.com): Remove when TLS 1.3 is published. */ lib/ssl/tls13con.c: /* TODO(ekr@rtfm.com): This needs to actually be looked up. */ lib/ssl/tls13con.c: /* TODO(ekr@rtfm.com): This needs to actually be looked up. */ lib/ssl/tls13con.c: /* TODO(ekr@rtfm.com): This needs to actually be looked up. */ lib/ssl/tls13con.c: /* TODO(ekr@rtfm.com): Handle multiple curves here. */ lib/ssl/tls13con.c: /* TODO(ekr@rtfm.com): Would it be better to check all the states here? */ lib/ssl/tls13con.c: * TODO(ekr@rtfm.com): Make a version with the "true" values. lib/ssl/tls13con.c: /* TODO(ekr@rtfm.com): Check the KDF code whenever we have lib/ssl/tls13con.c: /* TODO(ekr@rtfm.com): Free resumeSID. */ lib/ssl/tls13con.c: * TODO(ekr@rtfm.com): Write code to correct client. lib/ssl/tls13con.c: /* TODO(ekr@rtfm.com): This first clause is futureproofing for lib/ssl/tls13con.c: * TODO(ekr@rtfm.com): This should be easy to relax in TLS 1.3 by lib/ssl/tls13con.c: /* TODO(ekr@rtfm.com): Record key log */ lib/ssl/tls13con.c: /* TODO(ekr@rtfm.com): Add support for new tickets in PSK. */ lib/ssl/tls13con.c: /* TODO(ekr@rtfm.com): Handle pending auth */ lib/ssl/tls13con.c: /* TODO(ekr@rtfm.com): Re-enable new tickets when PSK mode is lib/ssl/tls13con.c: ExtensionNotUsed /* TODO(ekr@rtfm.com): Disabled because broken lib/ssl/tls13hkdf.c:// TODO(ekr@rtfm.com): Export this separately. lib/ssl/tls13hkdf.c: /* TODO(ekr@rtfm.com): This violates the PKCS#11 key boundary lib/ssl/ssl3ext.c: /* TODO: add a handler for ssl_ec_point_formats_xtn */ lib/ssl/ssl3ext.c: /* TODO: server side NPN support would require calling lib/ssl/ssl3ext.c: /* TODO: crash */ lib/ssl/ssl3ext.c: /* TODO: else send an empty ticket. */ lib/ssl/ssl3ext.c: * TODO(ekr@rtfm.com): Remove when TLS 1.3 is published. */ lib/ssl/ssl3ext.c: * TODO(ekr@rtfm.com): Remove when TLS 1.3 is published. */ lib/ssl/os2_err.c: * OS2TODO Stub everything for now to build. HCT lib/ssl/ssl3con.c:/* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */ lib/ssl/ssl3con.c: * TODO(ekr@rtfm.com): Verify that the slot can handle this key expansion lib/ssl/ssl3con.c: /* TODO(ekr@rtfm.com): The backup hash here contains a SHA-1 hash lib/ssl/ssl3con.c: * TODO(ekr@rtfm.com): Add option to refuse to resume when EMS is not lib/ssl/ssl3con.c: /* TODO: Fix session tickets for DSS. The server code rejects the lib/ssl/ssl3con.c: * TODO(ekr@rtfm.com): Note this change was not added in the SSLv2 lib/ssl/ssl3con.c: /* TODO: For TLS 1.3 final, downgrade when the extension IS present. */ lib/ssl/ssl3con.c: * TODO: send a session ticket if performing a stateful lib/ssl/ssl3con.c: /* TODO: Support DH_anon. It might be sufficient to drop the signature. lib/ssl/ssl3con.c: /* TODO(ekr@rtfm.com): Reenable for TLS 1.3 */ lib/ssl/sslt.h: ssl_tls13_key_share_xtn = 40, /* unofficial TODO(ekr) */ lib/ssl/sslt.h: ssl_tls13_pre_shared_key_xtn = 41, /* unofficial TODO(ekr) */ Most of then deal with TLS 1.3. Eric, Martin, Could it be possible that current TLS 1.3 work gets in the way of this work as we are both adding and enabling cipher suites that need to play well in the presence of each other?

Flags: needinfo?(martin.thomson)

Flags: needinfo?(ekr)

Assignee

Comment 96

•

9 years ago

Attached patch sha384 prf support (obsolete) — Details — Splinter Review

This is work in progress.

Attachment #8744737 - Attachment is obsolete: true

Assignee

Comment 97

•

9 years ago

Attached patch sha384 prf support (obsolete) — Details — Splinter Review

Work in progress, let's see his one works better with interdiff.

Attachment #8747806 - Attachment is obsolete: true

Assignee

Comment 98

•

9 years ago

Comment on attachment 8747816 [details] [diff] [review] sha384 prf support wrong patch.

Attachment #8747816 - Attachment is obsolete: true

Assignee

Comment 99

•

9 years ago

Attached patch tls12 sha384 prf support - wip (obsolete) — Details — Splinter Review

Assignee

Updated

•

9 years ago

Target Milestone: 3.20 → 3.25

•

9 years ago

Attached patch tls12 prf sha384 hash support - disabled by default (obsolete) — Details — Splinter Review

Updated on account of latest changes but still a work in progress.

Attachment #8747832 - Attachment is obsolete: true

Attachment #8748223 - Attachment is obsolete: true

Comment 104

•

9 years ago

Comment on attachment 8749264 [details] [diff] [review] tls12 prf sha384 hash support - disabled by default Review of attachment 8749264 [details] [diff] [review]: ----------------------------------------------------------------- I managed to get this working. I'll upload my patch, which includes fixes for the below comments. I'm now disqualified from reviewing this. Maybe ask Kai or Tim. ::: lib/ssl/ssl3con.c @@ +4849,5 @@ > + * { ssl_hash_sha224, SEC_OID_SHA224 } as one of the entries > + * in which I haven't included as not recommended for TLS 1.3 > + * https://tools.ietf.org/html/draft-ietf-tls-tls13-08 which > + * we plan to support. We still need to work this out, see > + * also Bug 1179338. See https://bugzilla.mozilla.org/show_bug.cgi?id=1179338#c19 @@ +7700,5 @@ > /* Determine the server's hash support for that signature algorithm. */ > for (i = 0; i < algorithms->len; i += 2) { > if (algorithms->data[i + 1] == sigAlg) { > if (algorithms->data[i] == ssl_hash_sha1) { > supportsSha1 = PR_TRUE; This change is confusing. You still need to check that the peer supports the PRF hash. Here, you assume that the existence of the hash in the cipher suite is enough, but it isn't. The signature algorithms that the server advertises need to be checked. ::: tests/ssl/ssl.sh @@ +83,5 @@ > USER_NICKNAME=TestUser > NORM_EXT="" > > + EC_SUITES=":C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D" > + EC_SUITES="${EC_SUITES}:C00E:C00F:C010:C011:C012:C013:C014:C023:C024:C027" trailing space here.

Attachment #8749264 - Flags: review-

Comment 105

•

9 years ago

Attached patch bug923089-1.patch (obsolete) — Details — Splinter Review

This passes all the gtests.

Comment 106

•

8 years ago

Comment on attachment 8750574 [details] [diff] [review] bug923089-1.patch Review of attachment 8750574 [details] [diff] [review]: ----------------------------------------------------------------- I realize that this doesn't include the gtests that I added for the new ciphersuites. That's easy to fix, but a pretty serious omission.

Assignee

Comment 107

•

8 years ago

Attached patch adds sha384 tests - naive (obsolete) — Details — Splinter Review

Is this what you have in mind? I tried it with TLS 1.3 enabled and had a core dump but none when it wasn't. I also see some comments like // The cipher suites of type ECDH_RSA are disabled because we don't have // a compatible certificate in the test fixture. INSTANTIATE_CIPHER_TEST_P(RC4, Stream, V10ToV12 and // TODO - Bug 1251136 move DHE_RSA suites to V12Plus INSTANTIATE_CIPHER_TEST_P(AEAD12, All, V12,

Flags: needinfo?(martin.thomson)

Attachment #8751087 - Flags: review?(martin.thomson)

Comment 108

•

8 years ago

Comment on attachment 8751087 [details] [diff] [review] adds sha384 tests - naive Review of attachment 8751087 [details] [diff] [review]: ----------------------------------------------------------------- Almost. The problem I see might cause the crash you are seeing. ::: external_tests/ssl_gtest/ssl_ciphersuite_unittest.cc @@ +112,4 @@ > TLS_DHE_RSA_WITH_AES_128_GCM_SHA256); > INSTANTIATE_CIPHER_TEST_P(AEAD, All, V12Plus, > + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, > + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS 1.3 doesn't support CBC modes, move these to the 1.2 section as well.

Attachment #8751087 - Flags: review?(martin.thomson)

Comment 109

•

8 years ago

One important thing that is missing, can you update tls13_AllowPskCipher() to check that the old cipher suite and the new one use the same PRF hash? See comment 93. (In reply to Elio Maldonado from comment #107) > // The cipher suites of type ECDH_RSA are disabled because we don't have > // a compatible certificate in the test fixture. > INSTANTIATE_CIPHER_TEST_P(RC4, Stream, V10ToV12 I'm currently working on making the DHE suites good, so that one goes away soon. We still rely on the scripts to test ECDH_RSA suites at the moment. The only hard part is working out how to generate a certificate for them. If you are able to do that and add it to ssl_gtests.sh, then I can do the rest. I just don't see it as urgent right now. > // TODO - Bug 1251136 move DHE_RSA suites to V12Plus > INSTANTIATE_CIPHER_TEST_P(AEAD12, All, V12, I'm working on implementing DHE for TLS 1.3, almost there. I hope that this patch lands first. You do not want to land second in this case.

Flags: needinfo?(martin.thomson)

Assignee

Comment 110

•

8 years ago

(In reply to Martin Thomson [:mt:] from comment #104) > I'm now disqualified from reviewing this. Maybe ask Kai or Tim. Let's start with Kai as this is blocking other work he's trying do do.

Assignee

Updated

•

8 years ago

Attachment #8750574 - Flags: review?(kaie)

Assignee

Updated

•

8 years ago

Attachment #8754058 - Flags: feedback?(martin.thomson)

Comment 117

•

8 years ago

Attached patch 8753914: incremental on top of attachment 8750574 (obsolete) — Details — Splinter Review

Attachment #8753914 - Attachment is obsolete: true

Attachment #8754058 - Attachment is obsolete: true

Attachment #8754058 - Flags: feedback?(martin.thomson)

Comment 118

•

8 years ago

Martin, I'm trying to help here. Instead of involving more people, I consider to review the interdiff between Elio's last big patch (attachment 8749264 [details] [diff] [review]) and the modified patch that you (Martin) posted afterwards (attachment 8750574 [details] [diff] [review]). If I give r+ to your changes, you could potentially continue as the main reviewer here. If that sounds ok, I'll do that review early tomorrow (starting in about 12 hours from now). I just attached an incremental patch on top of attachment 8750574 [details] [diff] [review] that does several things: - it fixes the issues I described in comment 112 and comment 113 - I added an attempted implementation for the request from comment 93, similar to what Elio also just attached. However, Elio's implemention didn't handle the scenario if ss->sec.isServer is true and ss->statelessResume is true I don't know if this scenario must be handled. I added a conservative implementation attempt. Let us know if that can be simplified. - I merged in Elio's test from comment 107 and addressed Martin's request from comment 108 - I attempted to address Martin's requests from comment 111. Let me know if you want it done differently. I built that code with NSS_ENABLE_TLS_1_3=1 From a previous test run, I copied the tests_results/security/localhost.6/ssl_gtests directory, cd'ed into it, and executed ssl_gtest. That crashes with the following stack: Program received signal SIGSEGV, Segmentation fault. 0x000000000040f141 in SSLInt_CountTls13CipherSpecs (fd=0xc04010) at libssl_internals.c:111 111 cur_p = PR_NEXT_LINK(cur_p)) { Missing separate debuginfos, use: dnf debuginfo-install libgcc-5.3.1-6.fc23.x86_64 libstdc++-5.3.1-6.fc23.x86_64 zlib-1.2.8-9.fc23.x86_64 (gdb) bt #0 0x000000000040f141 in SSLInt_CountTls13CipherSpecs (fd=0xc04010) at libssl_internals.c:111 #1 0x000000000047e057 in nss_test::TlsAgent::Connected (this=0xa05300) at tls_agent.cc:519 #2 0x000000000047efd3 in nss_test::TlsAgent::Handshake (this=0xa05300) at tls_agent.cc:571 #3 0x0000000000476222 in nss_test::TlsAgent::ReadableCallback_int (this=0xa05300) at tls_agent.h:248 #4 0x00000000004761a7 in nss_test::TlsAgent::ReadableCallback (self=0xa05300, event=nss_test::READABLE_EVENT) at tls_agent.h:241 #5 0x0000000000470e3b in nss_test::Poller::Poll (this=0x9d9950) at test_io.cc:478 #6 0x0000000000486dc9 in nss_test::TlsConnectTestBase::Handshake (this=0x9dfd90) at tls_connect.cc:205 #7 0x0000000000486ff0 in nss_test::TlsConnectTestBase::Connect (this=0x9dfd90) at tls_connect.cc:219 #8 0x00000000004284ad in nss_test::TlsConnectTest_TestTls13ResumptionTwice_Test::TestBody (this=0x9dfd90) at ssl_loopback_unittest.cc:985 #9 0x00000000004b676c in testing::internal::HandleSehExceptionsInMethodIfSupported<testing::Test, void> (object=0x9dfd90, method=&virtual testing::Test::TestBody(), location=0x6495db "the test body") at gtest/src/gtest.cc:2362 #10 0x00000000004b0a96 in testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void> (object=0x9dfd90, method=&virtual testing::Test::TestBody(), location=0x6495db "the test body") at gtest/src/gtest.cc:2398 #11 0x000000000049b938 in testing::Test::Run (this=0x9dfd90) at gtest/src/gtest.cc:2435 #12 0x000000000049c0f0 in testing::TestInfo::Run (this=0x921460) at gtest/src/gtest.cc:2610 #13 0x000000000049c741 in testing::TestCase::Run (this=0x920b40) at gtest/src/gtest.cc:2728 #14 0x00000000004a36cf in testing::internal::UnitTestImpl::RunAllTests (this=0x91bc40) at gtest/src/gtest.cc:4591 #15 0x00000000004b7583 in testing::internal::HandleSehExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool> (object=0x91bc40, method=(bool (testing::internal::UnitTestImpl::*)(testing::internal::UnitTestImpl * const)) 0x4a340c <testing::internal::UnitTestImpl::RunAllTests()>, location=0x649d50 "auxiliary test code (environments or event listeners)") at gtest/src/gtest.cc:2362 #16 0x00000000004b17d0 in testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool> (object=0x91bc40, method=(bool (testing::internal::UnitTestImpl::*)(testing::internal::UnitTestImpl * const)) 0x4a340c <testing::internal::UnitTestImpl::RunAllTests()>, location=0x649d50 "auxiliary test code (environments or event listeners)") at gtest/src/gtest.cc:2398 #17 0x00000000004a22c7 in testing::UnitTest::Run (this=0x9078a0 <testing::UnitTest::GetInstance()::instance>) at gtest/src/gtest.cc:4209 #18 0x000000000046ef31 in RUN_ALL_TESTS () at ../../external_tests/google_test/gtest/include/gtest/gtest.h:2304 #19 0x000000000046f044 in main (argc=1, argv=0x7fffffffdcb8) at ssl_gtest.cc:33 (gdb) print ss->ssl3.hs.cipherSpecs $1 = {next = 0x0, prev = 0x0}

Updated

•

8 years ago

Attachment #8751087 - Attachment is obsolete: true

•

8 years ago

Attachment #8754143 - Flags: review?(martin.thomson)

Comment 123

•

8 years ago

Attached patch merged, with r=kaie on Martin's changes [not-for-checkin] — Details — Splinter Review

This patch merges Martin's latest attachment with my incremental attachment v4. This has r=kaie on the fixes that Martin made. As a result, I believe you are no longer disqualified from reviewing. Martin, if you are OK with attachment 8754143 [details] [diff] [review], then I think it's OK for you to r+ this combined patch. If you request further changes, then I think it's OK to use this patch as a base for future changes made by Elio or me, and have Martin as the reviewer going forward.

Attachment #8754325 - Flags: review?(martin.thomson)

Comment 124

•

8 years ago

Comment on attachment 8754325 [details] [diff] [review] merged, with r=kaie on Martin's changes [not-for-checkin] Review of attachment 8754325 [details] [diff] [review]: ----------------------------------------------------------------- Probably still disqualified, but this LGTM. ::: lib/ssl/ssl3con.c @@ +9127,5 @@ > /* Use the cached compression method. */ > ss->ssl3.hs.compression = > sid->u.ssl3.compression; > + > + Extra lines. ::: lib/ssl/tls13con.c @@ +1629,5 @@ > PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); > /* TODO(ekr@rtfm.com): This first clause is futureproofing for > * 0-RTT. */ > if (ss->ssl3.hs.hashType == handshake_hash_unknown) { > + PORT_Assert(ss->ssl3.hs.hashType != handshake_hash_unknown); I think that this is a good change, but we should probably just remove the if statement as a result. ::: lib/ssl/tls13hkdf.c @@ +96,5 @@ > PK11SymKey **keyp) > { > CK_NSS_HKDFParams params; > SECItem paramsi = { siBuffer, NULL, 0 }; > + PRUint8 info[110]; This highlights the need for a comment explaining why the buffer is this big.

Attachment #8754325 - Flags: review?(martin.thomson) → review+

Comment 125

•

Comment 129

•

8 years ago

Martin, I notice that you already gave r+. Since I've exactly addressed your final requests, I think I'll go ahead and land right now, so we can get test results from buildbot.

Updated

•

8 years ago

Attachment #8754445 - Flags: review?(martin.thomson)

Updated

•

8 years ago

Attachment #8754448 - Flags: review?(martin.thomson)

Franziskus Kiefer [:franziskus]

Comment 130

•

8 years ago

Comment on attachment 8754445 [details] [diff] [review] 923089-comment124.patch [ready-for-checkin] Landed as https://hg.mozilla.org/projects/nss/rev/79471a8d67fa "inline static" doesn't seem to be supported on Windows. Removed the "inline" definition as a bustage fix. Is it worth to have a follow up, to have this inline on the platform that support it? https://hg.mozilla.org/projects/nss/rev/95008b877a39

Comment 131

•

8 years ago

•

8 years ago

Comment on attachment 8754843 [details] [diff] [review] Fix bypass, on top of attachment 8754445 [details] [diff] [review] Review of attachment 8754843 [details] [diff] [review]: ----------------------------------------------------------------- Looks mostly OK. ::: lib/ssl/ssl3con.c @@ +86,5 @@ > #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */ > #define MIN_SEND_BUF_LENGTH 4000 > > +#if defined(_MSC_VER) && _MSC_VER < 1900 > +#define inline __inline Let's just not use inline. Unless you have evidence that there is a significant performance difference. @@ +2411,5 @@ > } > #endif > > +HASH_HashType > +ssl3_GetTls12BypassHashType(sslSocket *ss) I think that you can change this to include the version check. Check within this function if this is TLS 1.2 or greater and return HASH_AlgNull. @@ +2489,5 @@ > /* Double Bypass succeeded in extracting the master_secret */ > const ssl3KEADef *kea_def = ss->ssl3.hs.kea_def; > PRBool isTLS = (PRBool)(kea_def->tls_keygen || > (pwSpec->version > SSL_LIBRARY_VERSION_3_0)); > + HASH_HashType ht = HASH_AlgNULL; s/ht/hashType/ @@ +2494,3 @@ > pwSpec->bypassCiphers = PR_TRUE; > + > + if (isTLS && pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2) { The isTLS check is redundant here. And move the check inside the function. @@ +10514,5 @@ > unsigned char rsaPmsBuf[SSL3_RSA_PMS_LENGTH]; > #endif > SECStatus rv; > SECItem enc_pms; > + HASH_HashType ht = HASH_AlgNULL; s/ht/hashType ::: tests/ssl/sslstress.txt @@ +80,5 @@ > noECC 0 -r_-r_-c_:0032 -V_ssl3:_-c_100_-C_:0032_-N_-n_TestUser-dsa Stress TLS DHE_DSS_WITH_AES_128_CBC_SHA (no reuse, client auth) > noECC 0 -r_-r_-c_:0067 -V_ssl3:_-c_1000_-C_:0067_-n_TestUser-dsamixed Stress TLS DHE_RSA_WITH_AES_128_CBC_SHA256 (client auth) > > # noECC 0 -r_-r_-c_:00A2_-u -V_ssl3:_-c_1000_-C_:00A2_-n_TestUser-dsa_-u Stress TLS DHE_DSS_WITH_AES_128_GCM_SHA256 (session ticket, client auth) > +# noECC 0 -r_-r_-c_:00A3_-u -V_ssl3:_-c_1000_-C_:00A3_-n_TestUser-dsa_-u Stress TLS DHE_DSS_WITH_AES_256_GCM_SHA384 (session ticket, client auth) I assume that you know why these are commented out.

Attachment #8754843 - Flags: review?(martin.thomson)

Comment 138

•

8 years ago

(In reply to Elio Maldonado from comment #136) > > ssl3con.c: In function ‘ssl3_GetTls12BypassHashCloneFunc’: > ssl3con.c:2437:37: error: ‘SHA384_Clone’ undeclared (first use in this > function) > return (hash_clone_func)SHA384_Clone; I don't understand why SHA384_Clone and SHA256_Clone are undeclared on your system. Prior to this patch, file ssl3con.c already contained a reference to SHA256_Clone.

Comment 139

•

8 years ago

(In reply to Kai Engert (:kaie) from comment #138) > I don't understand why SHA384_Clone and SHA256_Clone are undeclared on your > system. > > Prior to this patch, file ssl3con.c already contained a reference to > SHA256_Clone. Now I see it. We already have: #ifndef NO_PKCS11_BYPASS #include "blapi.h" #endif The two helper functions also should be wrapped with #ifndef NO_PKCS11_BYPASS Thanks

Assignee

Comment 140

•

8 years ago

(In reply to Kai Engert (:kaie) from comment #138) I think the problem was the system I used. I should always use my normal development system. When I moved there it compiled just fine. Sorry for that.

Comment 141

•

8 years ago

(In reply to Martin Thomson [:mt:] from comment #137) > > # noECC 0 -r_-r_-c_:00A2_-u -V_ssl3:_-c_1000_-C_:00A2_-n_TestUser-dsa_-u Stress TLS DHE_DSS_WITH_AES_128_GCM_SHA256 (session ticket, client auth) > > +# noECC 0 -r_-r_-c_:00A3_-u -V_ssl3:_-c_1000_-C_:00A3_-n_TestUser-dsa_-u Stress TLS DHE_DSS_WITH_AES_256_GCM_SHA384 (session ticket, client auth) > > I assume that you know why these are commented out. See the explanation in the line below: # use the above session ticket test, once session tickets with DHE_DSS are working

Comment 142

•

8 years ago

Attached patch Fix bypass v2, on top of attachment 8754445 (obsolete) — Details — Splinter Review

Addressed Martin's change requests.

Attachment #8754843 - Attachment is obsolete: true

Attachment #8754931 - Flags: review?(martin.thomson)

Comment 143

•

8 years ago

Comment on attachment 8754931 [details] [diff] [review] Fix bypass v2, on top of attachment 8754445 [details] [diff] [review] build errors when building with NO_PKCS11_BYPASS (undefined things)

Attachment #8754931 - Flags: review?(martin.thomson) → review-

Comment 144

•

8 years ago

Attached patch Fix bypass v3, on top of attachment 8754445 (obsolete) — Details — Splinter Review

Elio was right, ssl3_GetTls12BypassHashType is used in both build modes, and therefore the include to blapi.h must be unconditional. Because it's used in non-bypass code, I've renamed it to ssl3_GetTls12HashType. This patch builds both with and without NO_PKCS11_BYPASS=1.

Attachment #8754945 - Flags: review?(martin.thomson)

Comment 145

•

8 years ago

Attached patch Fix bypass v4, on top of attachment 8754445 (obsolete) — Details — Splinter Review

Sorry for going back and forth, removed two more unnecessary versions checks prior to calling ssl3_GetTls12HashType.

Attachment #8754931 - Attachment is obsolete: true

Attachment #8754945 - Attachment is obsolete: true

Attachment #8754945 - Flags: review?(martin.thomson)

Attachment #8754947 - Flags: review?(martin.thomson)

Comment 146

•

8 years ago

Attached patch Fix bypass v5, on top of attachment 8754445 — Details — Splinter Review

Grrr, found two more places to improve. I hope this is it, and you didn't yet look at the intermediate ones.

Attachment #8754947 - Attachment is obsolete: true

Attachment #8754947 - Flags: review?(martin.thomson)

Attachment #8754948 - Flags: review?(martin.thomson)

Comment 147

•

8 years ago

Comment on attachment 8754948 [details] [diff] [review] Fix bypass v5, on top of attachment 8754445 [details] [diff] [review] Review of attachment 8754948 [details] [diff] [review]: ----------------------------------------------------------------- Looks like you fixed my other comments. ::: lib/ssl/ssl3con.c @@ +10585,2 @@ > rv = ssl3_MasterSecretDeriveBypass(pwSpec, cr, sr, &pmsItem, isTLS, > + hashType, PR_TRUE); You could just inline the call here.

Attachment #8754948 - Flags: review?(martin.thomson) → review+

Comment 148

•

8 years ago

Clearing needinfo for EKR, which Elio had added in comment 95. It seems Martin had answered the question in comment 101.

Flags: needinfo?(ekr)

Comment 149

•

8 years ago

(In reply to Martin Thomson [:mt:] from comment #147) > You could just inline the call here. Will do, thanks for the patient review!

Tim Taubert [:ttaubert] (inactive)

Comment 150

•

8 years ago

Resolution: --- → FIXED

Updated

•

8 years ago

Depends on: 1276618