82
82
* precedence (desirability). It only includes cipher suites we implement.
83
83
* This table is modified by SSL3_SetPolicy(). The ordering of cipher suites
84
84
* in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c)
86
* Important: See bug 946147 before enabling, reordering, or adding any cipher
87
* suites to this list.
86
89
static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
87
90
/* cipher_suite policy enabled isPresent */
88
92
#ifdef NSS_ENABLE_ECC
89
93
{ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
90
94
{ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
91
#endif /* NSS_ENABLE_ECC */
92
{ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
93
{ TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
95
/* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
96
98
{ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
97
{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
98
#endif /* NSS_ENABLE_ECC */
99
{ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
100
{ TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
101
{ TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
102
{ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
103
{ TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
104
#ifdef NSS_ENABLE_ECC
105
{ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
106
{ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
107
#endif /* NSS_ENABLE_ECC */
108
{ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
109
{ TLS_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
110
{ TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
112
#ifdef NSS_ENABLE_ECC
113
99
{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
100
{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
114
101
{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
102
{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
103
{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
104
{ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
105
{ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
115
106
{ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
116
{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
117
{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
118
107
{ TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
119
108
#endif /* NSS_ENABLE_ECC */
110
{ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
111
{ TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
112
{ TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
113
{ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
120
114
{ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
121
115
{ TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
122
{ TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
123
{ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
124
{ TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
116
{ TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
117
{ TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
118
{ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
119
{ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
120
{ TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
121
{ SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
122
{ SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
125
123
{ TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
126
125
#ifdef NSS_ENABLE_ECC
126
{ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
127
127
{ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
128
{ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
129
{ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
130
{ TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
131
{ TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
132
{ TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
128
133
{ TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
129
{ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
130
{ TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
131
134
#endif /* NSS_ENABLE_ECC */
132
{ TLS_RSA_WITH_SEED_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
133
{ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
137
{ TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
134
138
{ TLS_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
135
139
{ TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
140
{ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
141
{ TLS_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
142
{ TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
143
{ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
144
{ TLS_RSA_WITH_SEED_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
145
{ SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
146
{ SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
136
147
{ SSL_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
137
148
{ SSL_RSA_WITH_RC4_128_MD5, SSL_ALLOWED, PR_TRUE, PR_FALSE},
139
#ifdef NSS_ENABLE_ECC
140
{ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
141
{ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
142
#endif /* NSS_ENABLE_ECC */
143
{ SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
144
{ SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
145
#ifdef NSS_ENABLE_ECC
146
{ TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
147
{ TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
148
#endif /* NSS_ENABLE_ECC */
149
{ SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
150
{ SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
150
/* 56-bit DES "domestic" cipher suites */
153
151
{ SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
154
152
{ SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
155
153
{ SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
156
154
{ SSL_RSA_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
156
/* export ciphersuites with 1024-bit public key exchange keys */
157
157
{ TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
158
158
{ TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
160
/* export ciphersuites with 512-bit public key exchange keys */
160
161
{ SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE},
161
162
{ SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE},
164
/* ciphersuites with no encryption */
163
165
#ifdef NSS_ENABLE_ECC
164
166
{ TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
165
167
{ TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
6783
* Returns the TLS signature algorithm for the client authentication key and
6784
* whether it is an RSA or DSA key that may be able to sign only SHA-1 hashes.
6787
ssl3_ExtractClientKeyInfo(sslSocket *ss,
6788
TLSSignatureAlgorithm *sigAlg,
6791
SECStatus rv = SECSuccess;
6792
SECKEYPublicKey *pubk;
6794
pubk = CERT_ExtractPublicKey(ss->ssl3.clientCertificate);
6800
rv = ssl3_TLSSignatureAlgorithmForKeyType(pubk->keyType, sigAlg);
6801
if (rv != SECSuccess) {
6805
/* If the key is a 1024-bit RSA or DSA key, assume conservatively that
6806
* it may be unable to sign SHA-256 hashes. This is the case for older
6807
* Estonian ID cards that have 1024-bit RSA keys. In FIPS 186-2 and
6808
* older, DSA key size is at most 1024 bits and the hash function must
6811
if (pubk->keyType == rsaKey || pubk->keyType == dsaKey) {
6812
*preferSha1 = SECKEY_PublicKeyStrength(pubk) <= 128;
6814
*preferSha1 = PR_FALSE;
6819
SECKEY_DestroyPublicKey(pubk);
6823
/* Destroys the backup handshake hash context if we don't need it. Note that
6824
* this function selects the hash algorithm for client authentication
6825
* signatures; ssl3_SendCertificateVerify uses the presence of the backup hash
6826
* to determine whether to use SHA-1 or SHA-256. */
6828
ssl3_DestroyBackupHandshakeHashIfNotNeeded(sslSocket *ss,
6829
const SECItem *algorithms)
6832
TLSSignatureAlgorithm sigAlg;
6834
PRBool supportsSha1 = PR_FALSE;
6835
PRBool supportsSha256 = PR_FALSE;
6836
PRBool needBackupHash = PR_FALSE;
6839
#ifndef NO_PKCS11_BYPASS
6840
/* Backup handshake hash is not supported in PKCS #11 bypass mode. */
6841
if (ss->opt.bypassPKCS11) {
6842
PORT_Assert(!ss->ssl3.hs.backupHash);
6846
PORT_Assert(ss->ssl3.hs.backupHash);
6848
/* Determine the key's signature algorithm and whether it prefers SHA-1. */
6849
rv = ssl3_ExtractClientKeyInfo(ss, &sigAlg, &preferSha1);
6850
if (rv != SECSuccess) {
6854
/* Determine the server's hash support for that signature algorithm. */
6855
for (i = 0; i < algorithms->len; i += 2) {
6856
if (algorithms->data[i+1] == sigAlg) {
6857
if (algorithms->data[i] == tls_hash_sha1) {
6858
supportsSha1 = PR_TRUE;
6859
} else if (algorithms->data[i] == tls_hash_sha256) {
6860
supportsSha256 = PR_TRUE;
6865
/* If either the server does not support SHA-256 or the client key prefers
6866
* SHA-1, leave the backup hash. */
6867
if (supportsSha1 && (preferSha1 || !supportsSha256)) {
6868
needBackupHash = PR_TRUE;
6872
if (!needBackupHash) {
6873
PK11_DestroyContext(ss->ssl3.hs.backupHash, PR_TRUE);
6874
ss->ssl3.hs.backupHash = NULL;
6677
6878
typedef struct dnameNode {
6678
6879
struct dnameNode *next;
7078
ssl3_CheckFalseStart(sslSocket *ss)
7080
PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
7081
PORT_Assert( !ss->ssl3.hs.authCertificatePending );
7082
PORT_Assert( !ss->ssl3.hs.canFalseStart );
7084
if (!ss->canFalseStartCallback) {
7085
SSL_TRC(3, ("%d: SSL[%d]: no false start callback so no false start",
7086
SSL_GETPID(), ss->fd));
7088
PRBool maybeFalseStart;
7091
/* An attacker can control the selected ciphersuite so we only wish to
7092
* do False Start in the case that the selected ciphersuite is
7093
* sufficiently strong that the attack can gain no advantage.
7094
* Therefore we always require an 80-bit cipher. */
7095
ssl_GetSpecReadLock(ss);
7096
maybeFalseStart = ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10;
7097
ssl_ReleaseSpecReadLock(ss);
7099
if (!maybeFalseStart) {
7100
SSL_TRC(3, ("%d: SSL[%d]: no false start due to weak cipher",
7101
SSL_GETPID(), ss->fd));
7103
rv = (ss->canFalseStartCallback)(ss->fd,
7104
ss->canFalseStartCallbackData,
7105
&ss->ssl3.hs.canFalseStart);
7106
if (rv == SECSuccess) {
7107
SSL_TRC(3, ("%d: SSL[%d]: false start callback returned %s",
7108
SSL_GETPID(), ss->fd,
7109
ss->ssl3.hs.canFalseStart ? "TRUE" : "FALSE"));
7111
SSL_TRC(3, ("%d: SSL[%d]: false start callback failed (%s)",
7112
SSL_GETPID(), ss->fd,
7113
PR_ErrorToName(PR_GetError())));
7119
ss->ssl3.hs.canFalseStart = PR_FALSE;
6878
ssl3_CanFalseStart(sslSocket *ss) {
7124
ssl3_WaitingForStartOfServerSecondRound(sslSocket *ss)
6881
7128
PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
6883
/* XXX: does not take into account whether we are waiting for
6884
* SSL_AuthCertificateComplete or SSL_RestartHandshakeAfterCertReq. If/when
6885
* that is done, this function could return different results each time it
6889
ssl_GetSpecReadLock(ss);
6890
rv = ss->opt.enableFalseStart &&
6891
!ss->sec.isServer &&
6892
!ss->ssl3.hs.isResuming &&
6895
/* An attacker can control the selected ciphersuite so we only wish to
6896
* do False Start in the case that the selected ciphersuite is
6897
* sufficiently strong that the attack can gain no advantage.
6898
* Therefore we require an 80-bit cipher and a forward-secret key
6900
ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10 &&
6901
(ss->ssl3.hs.kea_def->kea == kea_dhe_dss ||
6902
ss->ssl3.hs.kea_def->kea == kea_dhe_rsa ||
6903
ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa ||
6904
ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa);
6905
ssl_ReleaseSpecReadLock(ss);
7130
switch (ss->ssl3.hs.ws) {
7131
case wait_new_session_ticket:
7134
case wait_change_cipher:
7135
result = !ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn);
6909
7145
static SECStatus ssl3_SendClientSecondRound(sslSocket *ss);