tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

sslspec.c (9751B)

      1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
      2 /*
      3 * Handling of cipher specs.
      4 *
      5 * This Source Code Form is subject to the terms of the Mozilla Public
      6 * License, v. 2.0. If a copy of the MPL was not distributed with this
      7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
      8 
      9 #include "ssl.h"
     10 #include "sslexp.h"
     11 #include "sslimpl.h"
     12 #include "sslproto.h"
     13 #include "pk11func.h"
     14 #include "secitem.h"
     15 
     16 #include "sslimpl.h"
     17 
     18 /* Record protection algorithms, indexed by SSL3BulkCipher.
     19 *
     20 * The |max_records| field (|mr| below) is set to a number that is higher than
     21 * recommended in some literature (esp. TLS 1.3) because we currently abort the
     22 * connection when this limit is reached and we want to ensure that we only
     23 * rarely hit this limit.  See bug 1268745 for details.
     24 */
     25 #define MR_MAX RECORD_SEQ_MAX  /* 2^48-1 */
     26 #define MR_128 (0x5aULL << 28) /* For AES and similar. */
     27 #define MR_LOW (1ULL << 20)    /* For weak ciphers. */
     28 /* clang-format off */
     29 static const ssl3BulkCipherDef ssl_bulk_cipher_defs[] = {
     30    /*                                        |--------- Lengths ---------| */
     31    /* cipher             calg                :  s                        : */
     32    /*                                        :  e                  b     n */
     33    /* oid                short_name mr       :  c                  l     o */
     34    /*                                        k  r                  o  t  n */
     35    /*                                        e  e               i  c  a  c */
     36    /*                                        y  t  type         v  k  g  e */
     37    {cipher_null,         ssl_calg_null,      0, 0, type_stream, 0, 0, 0, 0,
     38     SEC_OID_NULL_CIPHER, "NULL", MR_MAX},
     39    {cipher_rc4,          ssl_calg_rc4,      16,16, type_stream, 0, 0, 0, 0,
     40     SEC_OID_RC4,         "RC4", MR_LOW},
     41    {cipher_des,          ssl_calg_des,       8, 8, type_block,  8, 8, 0, 0,
     42     SEC_OID_DES_CBC,     "DES-CBC", MR_LOW},
     43    {cipher_3des,         ssl_calg_3des,     24,24, type_block,  8, 8, 0, 0,
     44     SEC_OID_DES_EDE3_CBC, "3DES-EDE-CBC", MR_LOW},
     45    {cipher_aes_128,      ssl_calg_aes,      16,16, type_block, 16,16, 0, 0,
     46     SEC_OID_AES_128_CBC, "AES-128", MR_128},
     47    {cipher_aes_256,      ssl_calg_aes,      32,32, type_block, 16,16, 0, 0,
     48     SEC_OID_AES_256_CBC, "AES-256", MR_128},
     49    {cipher_camellia_128, ssl_calg_camellia, 16,16, type_block, 16,16, 0, 0,
     50     SEC_OID_CAMELLIA_128_CBC, "Camellia-128", MR_128},
     51    {cipher_camellia_256, ssl_calg_camellia, 32,32, type_block, 16,16, 0, 0,
     52     SEC_OID_CAMELLIA_256_CBC, "Camellia-256", MR_128},
     53    {cipher_seed,         ssl_calg_seed,     16,16, type_block, 16,16, 0, 0,
     54     SEC_OID_SEED_CBC,    "SEED-CBC", MR_128},
     55    {cipher_aes_128_gcm,  ssl_calg_aes_gcm,  16,16, type_aead,   4, 0,16, 8,
     56     SEC_OID_AES_128_GCM, "AES-128-GCM", MR_128},
     57    {cipher_aes_256_gcm,  ssl_calg_aes_gcm,  32,32, type_aead,   4, 0,16, 8,
     58     SEC_OID_AES_256_GCM, "AES-256-GCM", MR_128},
     59    {cipher_chacha20,     ssl_calg_chacha20, 32,32, type_aead,  12, 0,16, 0,
     60     SEC_OID_CHACHA20_POLY1305, "ChaCha20-Poly1305", MR_MAX},
     61    {cipher_missing,      ssl_calg_null,      0, 0, type_stream, 0, 0, 0, 0,
     62     SEC_OID_UNKNOWN,     "missing", 0U},
     63 };
     64 /* clang-format on */
     65 
     66 const ssl3BulkCipherDef *
     67 ssl_GetBulkCipherDef(const ssl3CipherSuiteDef *suiteDef)
     68 {
     69    SSL3BulkCipher bulkCipher = suiteDef->bulk_cipher_alg;
     70    PORT_Assert(bulkCipher < PR_ARRAY_SIZE(ssl_bulk_cipher_defs));
     71    PORT_Assert(ssl_bulk_cipher_defs[bulkCipher].cipher == bulkCipher);
     72    return &ssl_bulk_cipher_defs[bulkCipher];
     73 }
     74 
     75 /* indexed by SSL3MACAlgorithm */
     76 static const ssl3MACDef ssl_mac_defs[] = {
     77    /* pad_size is only used for SSL 3.0 MAC. See RFC 6101 Sec. 5.2.3.1. */
     78    /* mac      mmech       pad_size  mac_size                       */
     79    { ssl_mac_null, CKM_INVALID_MECHANISM, 0, 0, 0 },
     80    { ssl_mac_md5, CKM_SSL3_MD5_MAC, 48, MD5_LENGTH, SEC_OID_HMAC_MD5 },
     81    { ssl_mac_sha, CKM_SSL3_SHA1_MAC, 40, SHA1_LENGTH, SEC_OID_HMAC_SHA1 },
     82    { ssl_hmac_md5, CKM_MD5_HMAC, 0, MD5_LENGTH, SEC_OID_HMAC_MD5 },
     83    { ssl_hmac_sha, CKM_SHA_1_HMAC, 0, SHA1_LENGTH, SEC_OID_HMAC_SHA1 },
     84    { ssl_hmac_sha256, CKM_SHA256_HMAC, 0, SHA256_LENGTH, SEC_OID_HMAC_SHA256 },
     85    { ssl_mac_aead, CKM_INVALID_MECHANISM, 0, 0, 0 },
     86    { ssl_hmac_sha384, CKM_SHA384_HMAC, 0, SHA384_LENGTH, SEC_OID_HMAC_SHA384 }
     87 };
     88 
     89 const ssl3MACDef *
     90 ssl_GetMacDefByAlg(SSL3MACAlgorithm mac)
     91 {
     92    /* Cast here for clang: https://bugs.llvm.org/show_bug.cgi?id=16154 */
     93    PORT_Assert((size_t)mac < PR_ARRAY_SIZE(ssl_mac_defs));
     94    PORT_Assert(ssl_mac_defs[mac].mac == mac);
     95    return &ssl_mac_defs[mac];
     96 }
     97 
     98 const ssl3MACDef *
     99 ssl_GetMacDef(const sslSocket *ss, const ssl3CipherSuiteDef *suiteDef)
    100 {
    101    SSL3MACAlgorithm mac = suiteDef->mac_alg;
    102    if (ss->version > SSL_LIBRARY_VERSION_3_0) {
    103        switch (mac) {
    104            case ssl_mac_md5:
    105                mac = ssl_hmac_md5;
    106                break;
    107            case ssl_mac_sha:
    108                mac = ssl_hmac_sha;
    109                break;
    110            default:
    111                break;
    112        }
    113    }
    114    return ssl_GetMacDefByAlg(mac);
    115 }
    116 
    117 ssl3CipherSpec *
    118 ssl_FindCipherSpecByEpoch(sslSocket *ss, SSLSecretDirection direction,
    119                          DTLSEpoch epoch)
    120 {
    121    PRCList *cur_p;
    122    for (cur_p = PR_LIST_HEAD(&ss->ssl3.hs.cipherSpecs);
    123         cur_p != &ss->ssl3.hs.cipherSpecs;
    124         cur_p = PR_NEXT_LINK(cur_p)) {
    125        ssl3CipherSpec *spec = (ssl3CipherSpec *)cur_p;
    126        if (spec->epoch != epoch) {
    127            continue;
    128        }
    129        if (direction != spec->direction) {
    130            continue;
    131        }
    132        return spec;
    133    }
    134    return NULL;
    135 }
    136 
    137 ssl3CipherSpec *
    138 ssl_CreateCipherSpec(sslSocket *ss, SSLSecretDirection direction)
    139 {
    140    ssl3CipherSpec *spec = PORT_ZNew(ssl3CipherSpec);
    141    if (!spec) {
    142        return NULL;
    143    }
    144    spec->refCt = 1;
    145    spec->version = ss->version;
    146    spec->direction = direction;
    147    spec->recordSizeLimit = MAX_FRAGMENT_LENGTH;
    148    SSL_TRC(10, ("%d: SSL[%d]: new %s spec %d ct=%d",
    149                 SSL_GETPID(), ss->fd, SPEC_DIR(spec), spec,
    150                 spec->refCt));
    151    return spec;
    152 }
    153 
    154 void
    155 ssl_SaveCipherSpec(sslSocket *ss, ssl3CipherSpec *spec)
    156 {
    157    PR_APPEND_LINK(&spec->link, &ss->ssl3.hs.cipherSpecs);
    158 }
    159 
    160 /* Called from ssl3_InitState. */
    161 /* Caller must hold the SpecWriteLock. */
    162 SECStatus
    163 ssl_SetupNullCipherSpec(sslSocket *ss, SSLSecretDirection dir)
    164 {
    165    ssl3CipherSpec *spec;
    166 
    167    PORT_Assert(ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
    168 
    169    spec = ssl_CreateCipherSpec(ss, dir);
    170    if (!spec) {
    171        return SECFailure;
    172    }
    173 
    174    /* Set default versions.  This value will be used to generate and send
    175     * alerts if a version is not negotiated.  These values are overridden when
    176     * sending a ClientHello and when a version is negotiated. */
    177    spec->version = SSL_LIBRARY_VERSION_TLS_1_0;
    178    spec->recordVersion = IS_DTLS(ss)
    179                              ? SSL_LIBRARY_VERSION_DTLS_1_0_WIRE
    180                              : SSL_LIBRARY_VERSION_TLS_1_0;
    181    spec->cipherDef = &ssl_bulk_cipher_defs[cipher_null];
    182    PORT_Assert(spec->cipherDef->cipher == cipher_null);
    183    spec->macDef = &ssl_mac_defs[ssl_mac_null];
    184    PORT_Assert(spec->macDef->mac == ssl_mac_null);
    185    spec->cipher = Null_Cipher;
    186 
    187    spec->phase = "cleartext";
    188    dtls_InitRecvdRecords(&spec->recvdRecords);
    189 
    190    ssl_SaveCipherSpec(ss, spec);
    191    if (dir == ssl_secret_read) {
    192        ss->ssl3.crSpec = spec;
    193    } else {
    194        ss->ssl3.cwSpec = spec;
    195    }
    196    return SECSuccess;
    197 }
    198 
    199 void
    200 ssl_CipherSpecAddRef(ssl3CipherSpec *spec)
    201 {
    202    ++spec->refCt;
    203    SSL_TRC(10, ("%d: SSL[-]: Increment ref ct for %s spec %d. new ct = %d",
    204                 SSL_GETPID(), SPEC_DIR(spec), spec, spec->refCt));
    205 }
    206 
    207 void
    208 ssl_DestroyKeyMaterial(ssl3KeyMaterial *keyMaterial)
    209 {
    210    PK11_FreeSymKey(keyMaterial->key);
    211    PK11_FreeSymKey(keyMaterial->macKey);
    212    if (keyMaterial->macContext != NULL) {
    213        PK11_DestroyContext(keyMaterial->macContext, PR_TRUE);
    214    }
    215 }
    216 
    217 static void
    218 ssl_FreeCipherSpec(ssl3CipherSpec *spec)
    219 {
    220    SSL_TRC(10, ("%d: SSL[-]: Freeing %s spec %d. epoch=%d",
    221                 SSL_GETPID(), SPEC_DIR(spec), spec, spec->epoch));
    222 
    223    PR_REMOVE_LINK(&spec->link);
    224 
    225    /*  PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); Don't have ss! */
    226    if (spec->cipherContext) {
    227        PK11_DestroyContext(spec->cipherContext, PR_TRUE);
    228    }
    229    PK11_FreeSymKey(spec->masterSecret);
    230    ssl_DestroyKeyMaterial(&spec->keyMaterial);
    231    ssl_DestroyMaskingContextInner(spec->maskContext);
    232 
    233    PORT_ZFree(spec, sizeof(*spec));
    234 }
    235 
    236 /* This function is never called on a spec which is on the
    237 * cipherSpecs list. */
    238 void
    239 ssl_CipherSpecRelease(ssl3CipherSpec *spec)
    240 {
    241    if (!spec) {
    242        return;
    243    }
    244 
    245    PORT_Assert(spec->refCt > 0);
    246    --spec->refCt;
    247    SSL_TRC(10, ("%d: SSL[-]: decrement refct for %s spec %d. epoch=%d new ct = %d",
    248                 SSL_GETPID(), SPEC_DIR(spec), spec, spec->epoch, spec->refCt));
    249    if (!spec->refCt) {
    250        ssl_FreeCipherSpec(spec);
    251    }
    252 }
    253 
    254 void
    255 ssl_DestroyCipherSpecs(PRCList *list)
    256 {
    257    while (!PR_CLIST_IS_EMPTY(list)) {
    258        ssl3CipherSpec *spec = (ssl3CipherSpec *)PR_LIST_TAIL(list);
    259        ssl_FreeCipherSpec(spec);
    260    }
    261 }
    262 
    263 void
    264 ssl_CipherSpecReleaseByEpoch(sslSocket *ss, SSLSecretDirection dir,
    265                             DTLSEpoch epoch)
    266 {
    267    ssl3CipherSpec *spec;
    268    SSL_TRC(10, ("%d: SSL[%d]: releasing %s cipher spec for epoch %d",
    269                 SSL_GETPID(), ss->fd,
    270                 (dir == ssl_secret_read) ? "read" : "write", epoch));
    271 
    272    spec = ssl_FindCipherSpecByEpoch(ss, dir, epoch);
    273    if (spec) {
    274        ssl_CipherSpecRelease(spec);
    275    }
    276 }