| OLD | NEW |
|---|
| 1 /* | 1 /* |
| 2 * SSL3 Protocol | 2 * SSL3 Protocol |
| 3 * | 3 * |
| 4 * This Source Code Form is subject to the terms of the Mozilla Public | 4 * This Source Code Form is subject to the terms of the Mozilla Public |
| 5 * License, v. 2.0. If a copy of the MPL was not distributed with this | 5 * License, v. 2.0. If a copy of the MPL was not distributed with this |
| 6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| 7 | 7 |
| 8 /* ECC code moved here from ssl3con.c */ | 8 /* ECC code moved here from ssl3con.c */ |
| 9 /* $Id$ */ | 9 /* $Id$ */ |
| 10 | 10 |
| (...skipping 13 matching lines...) Expand all Loading... |
| 24 #include "prerror.h" | 24 #include "prerror.h" |
| 25 #include "pratom.h" | 25 #include "pratom.h" |
| 26 #include "prthread.h" | 26 #include "prthread.h" |
| 27 #include "prinit.h" | 27 #include "prinit.h" |
| 28 | 28 |
| 29 #include "pk11func.h" | 29 #include "pk11func.h" |
| 30 #include "secmod.h" | 30 #include "secmod.h" |
| 31 | 31 |
| 32 #include <stdio.h> | 32 #include <stdio.h> |
| 33 | 33 |
| 34 /* This is a bodge to allow this code to be compiled against older NSS headers |
| 35 * that don't contain the TLS 1.2 changes. */ |
| 36 #ifndef CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 |
| 37 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) |
| 38 #endif |
| 39 |
| 34 #ifdef NSS_ENABLE_ECC | 40 #ifdef NSS_ENABLE_ECC |
| 35 | 41 |
| 36 /* | 42 /* |
| 37 * In NSS 3.13.2 the definition of the EC_POINT_FORM_UNCOMPRESSED macro | 43 * In NSS 3.13.2 the definition of the EC_POINT_FORM_UNCOMPRESSED macro |
| 38 * was moved from the internal header ec.h to the public header blapit.h. | 44 * was moved from the internal header ec.h to the public header blapit.h. |
| 39 * Define the macro here when compiling against older system NSS headers. | 45 * Define the macro here when compiling against older system NSS headers. |
| 40 */ | 46 */ |
| 41 #ifndef EC_POINT_FORM_UNCOMPRESSED | 47 #ifndef EC_POINT_FORM_UNCOMPRESSED |
| 42 #define EC_POINT_FORM_UNCOMPRESSED 0x04 | 48 #define EC_POINT_FORM_UNCOMPRESSED 0x04 |
| 43 #endif | 49 #endif |
| (...skipping 166 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 210 for (i = ec_noName + 1; i < ec_pastLastName; i++) { | 216 for (i = ec_noName + 1; i < ec_pastLastName; i++) { |
| 211 if (ecName2OIDTag[i] == oidData->offset) | 217 if (ecName2OIDTag[i] == oidData->offset) |
| 212 return i; | 218 return i; |
| 213 } | 219 } |
| 214 | 220 |
| 215 return ec_noName; | 221 return ec_noName; |
| 216 } | 222 } |
| 217 | 223 |
| 218 /* Caller must set hiLevel error code. */ | 224 /* Caller must set hiLevel error code. */ |
| 219 static SECStatus | 225 static SECStatus |
| 220 ssl3_ComputeECDHKeyHash(SECItem ec_params, SECItem server_ecpoint, | 226 ssl3_ComputeECDHKeyHash(SECOidTag hashAlg, |
| 221 » » » SSL3Random *client_rand, SSL3Random *server_rand, | 227 » » » SECItem ec_params, SECItem server_ecpoint, |
| 222 » » » SSL3Hashes *hashes, PRBool bypassPKCS11) | 228 » » » SSL3Random *client_rand, SSL3Random *server_rand, |
| 229 » » » SSL3Hashes *hashes, PRBool bypassPKCS11) |
| 223 { | 230 { |
| 224 PRUint8 * hashBuf; | 231 PRUint8 * hashBuf; |
| 225 PRUint8 * pBuf; | 232 PRUint8 * pBuf; |
| 226 SECStatus rv = SECSuccess; | 233 SECStatus rv = SECSuccess; |
| 227 unsigned int bufLen; | 234 unsigned int bufLen; |
| 228 /* | 235 /* |
| 229 * XXX For now, we only support named curves (the appropriate | 236 * XXX For now, we only support named curves (the appropriate |
| 230 * checks are made before this method is called) so ec_params | 237 * checks are made before this method is called) so ec_params |
| 231 * takes up only two bytes. ECPoint needs to fit in 256 bytes | 238 * takes up only two bytes. ECPoint needs to fit in 256 bytes |
| 232 * (because the spec says the length must fit in one byte) | 239 * (because the spec says the length must fit in one byte) |
| (...skipping 15 matching lines...) Expand all Loading... |
| 248 memcpy(pBuf, server_rand, SSL3_RANDOM_LENGTH); | 255 memcpy(pBuf, server_rand, SSL3_RANDOM_LENGTH); |
| 249 pBuf += SSL3_RANDOM_LENGTH; | 256 pBuf += SSL3_RANDOM_LENGTH; |
| 250 memcpy(pBuf, ec_params.data, ec_params.len); | 257 memcpy(pBuf, ec_params.data, ec_params.len); |
| 251 pBuf += ec_params.len; | 258 pBuf += ec_params.len; |
| 252 pBuf[0] = (PRUint8)(server_ecpoint.len); | 259 pBuf[0] = (PRUint8)(server_ecpoint.len); |
| 253 pBuf += 1; | 260 pBuf += 1; |
| 254 memcpy(pBuf, server_ecpoint.data, server_ecpoint.len); | 261 memcpy(pBuf, server_ecpoint.data, server_ecpoint.len); |
| 255 pBuf += server_ecpoint.len; | 262 pBuf += server_ecpoint.len; |
| 256 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen); | 263 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen); |
| 257 | 264 |
| 258 rv = ssl3_ComputeCommonKeyHash(hashBuf, bufLen, hashes, bypassPKCS11); | 265 rv = ssl3_ComputeCommonKeyHash(hashAlg, hashBuf, bufLen, hashes, |
| 266 » » » » bypassPKCS11); |
| 259 | 267 |
| 260 PRINT_BUF(95, (NULL, "ECDHkey hash: ", hashBuf, bufLen)); | 268 PRINT_BUF(95, (NULL, "ECDHkey hash: ", hashBuf, bufLen)); |
| 261 PRINT_BUF(95, (NULL, "ECDHkey hash: MD5 result", hashes->md5, MD5_LENGTH)); | 269 PRINT_BUF(95, (NULL, "ECDHkey hash: MD5 result", |
| 262 PRINT_BUF(95, (NULL, "ECDHkey hash: SHA1 result", hashes->sha, SHA1_LENGTH))
; | 270 » hashes->u.s.md5, MD5_LENGTH)); |
| 271 PRINT_BUF(95, (NULL, "ECDHkey hash: SHA1 result", |
| 272 » hashes->u.s.sha, SHA1_LENGTH)); |
| 263 | 273 |
| 264 if (hashBuf != buf) | 274 if (hashBuf != buf) |
| 265 PORT_Free(hashBuf); | 275 PORT_Free(hashBuf); |
| 266 return rv; | 276 return rv; |
| 267 } | 277 } |
| 268 | 278 |
| 269 | 279 |
| 270 /* Called from ssl3_SendClientKeyExchange(). */ | 280 /* Called from ssl3_SendClientKeyExchange(). */ |
| 271 SECStatus | 281 SECStatus |
| 272 ssl3_SendECDHClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey) | 282 ssl3_SendECDHClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey) |
| 273 { | 283 { |
| 274 PK11SymKey * pms = NULL; | 284 PK11SymKey * pms = NULL; |
| 275 SECStatus rv = SECFailure; | 285 SECStatus rv = SECFailure; |
| 276 PRBool isTLS; | 286 PRBool isTLS, isTLS12; |
| 277 CK_MECHANISM_TYPE target; | 287 CK_MECHANISM_TYPE target; |
| 278 SECKEYPublicKey *pubKey = NULL; /* Ephemeral ECDH key */ | 288 SECKEYPublicKey *pubKey = NULL; /* Ephemeral ECDH key */ |
| 279 SECKEYPrivateKey *privKey = NULL; /* Ephemeral ECDH key */ | 289 SECKEYPrivateKey *privKey = NULL; /* Ephemeral ECDH key */ |
| 280 | 290 |
| 281 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 291 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
| 282 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); | 292 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
| 283 | 293 |
| 284 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); | 294 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); |
| 295 isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); |
| 285 | 296 |
| 286 /* Generate ephemeral EC keypair */ | 297 /* Generate ephemeral EC keypair */ |
| 287 if (svrPubKey->keyType != ecKey) { | 298 if (svrPubKey->keyType != ecKey) { |
| 288 PORT_SetError(SEC_ERROR_BAD_KEY); | 299 PORT_SetError(SEC_ERROR_BAD_KEY); |
| 289 goto loser; | 300 goto loser; |
| 290 } | 301 } |
| 291 /* XXX SHOULD CALL ssl3_CreateECDHEphemeralKeys here, instead! */ | 302 /* XXX SHOULD CALL ssl3_CreateECDHEphemeralKeys here, instead! */ |
| 292 privKey = SECKEY_CreateECPrivateKey(&svrPubKey->u.ec.DEREncodedParams, | 303 privKey = SECKEY_CreateECPrivateKey(&svrPubKey->u.ec.DEREncodedParams, |
| 293 &pubKey, ss->pkcs11PinArg); | 304 &pubKey, ss->pkcs11PinArg); |
| 294 if (!privKey || !pubKey) { | 305 if (!privKey || !pubKey) { |
| 295 ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL); | 306 ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL); |
| 296 rv = SECFailure; | 307 rv = SECFailure; |
| 297 goto loser; | 308 goto loser; |
| 298 } | 309 } |
| 299 PRINT_BUF(50, (ss, "ECDH public value:", | 310 PRINT_BUF(50, (ss, "ECDH public value:", |
| 300 pubKey->u.ec.publicValue.data, | 311 pubKey->u.ec.publicValue.data, |
| 301 pubKey->u.ec.publicValue.len)); | 312 pubKey->u.ec.publicValue.len)); |
| 302 | 313 |
| 303 if (isTLS) target = CKM_TLS_MASTER_KEY_DERIVE_DH; | 314 if (isTLS12) { |
| 304 else target = CKM_SSL3_MASTER_KEY_DERIVE_DH; | 315 » target = CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256; |
| 316 } else if (isTLS) { |
| 317 » target = CKM_TLS_MASTER_KEY_DERIVE_DH; |
| 318 } else { |
| 319 » target = CKM_SSL3_MASTER_KEY_DERIVE_DH; |
| 320 } |
| 305 | 321 |
| 306 /* Determine the PMS */ | 322 /* Determine the PMS */ |
| 307 pms = PK11_PubDeriveWithKDF(privKey, svrPubKey, PR_FALSE, NULL, NULL, | 323 pms = PK11_PubDeriveWithKDF(privKey, svrPubKey, PR_FALSE, NULL, NULL, |
| 308 CKM_ECDH1_DERIVE, target, CKA_DERIVE, 0, | 324 CKM_ECDH1_DERIVE, target, CKA_DERIVE, 0, |
| 309 CKD_NULL, NULL, NULL); | 325 CKD_NULL, NULL, NULL); |
| 310 | 326 |
| 311 if (pms == NULL) { | 327 if (pms == NULL) { |
| 312 SSL3AlertDescription desc = illegal_parameter; | 328 SSL3AlertDescription desc = illegal_parameter; |
| 313 (void)SSL3_SendAlert(ss, alert_fatal, desc); | 329 (void)SSL3_SendAlert(ss, alert_fatal, desc); |
| 314 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); | 330 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); |
| (...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 358 SECStatus | 374 SECStatus |
| 359 ssl3_HandleECDHClientKeyExchange(sslSocket *ss, SSL3Opaque *b, | 375 ssl3_HandleECDHClientKeyExchange(sslSocket *ss, SSL3Opaque *b, |
| 360 PRUint32 length, | 376 PRUint32 length, |
| 361 SECKEYPublicKey *srvrPubKey, | 377 SECKEYPublicKey *srvrPubKey, |
| 362 SECKEYPrivateKey *srvrPrivKey) | 378 SECKEYPrivateKey *srvrPrivKey) |
| 363 { | 379 { |
| 364 PK11SymKey * pms; | 380 PK11SymKey * pms; |
| 365 SECStatus rv; | 381 SECStatus rv; |
| 366 SECKEYPublicKey clntPubKey; | 382 SECKEYPublicKey clntPubKey; |
| 367 CK_MECHANISM_TYPE target; | 383 CK_MECHANISM_TYPE target; |
| 368 PRBool isTLS; | 384 PRBool isTLS, isTLS12; |
| 369 | 385 |
| 370 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 386 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
| 371 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 387 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
| 372 | 388 |
| 373 clntPubKey.keyType = ecKey; | 389 clntPubKey.keyType = ecKey; |
| 374 clntPubKey.u.ec.DEREncodedParams.len = | 390 clntPubKey.u.ec.DEREncodedParams.len = |
| 375 srvrPubKey->u.ec.DEREncodedParams.len; | 391 srvrPubKey->u.ec.DEREncodedParams.len; |
| 376 clntPubKey.u.ec.DEREncodedParams.data = | 392 clntPubKey.u.ec.DEREncodedParams.data = |
| 377 srvrPubKey->u.ec.DEREncodedParams.data; | 393 srvrPubKey->u.ec.DEREncodedParams.data; |
| 378 | 394 |
| 379 rv = ssl3_ConsumeHandshakeVariable(ss, &clntPubKey.u.ec.publicValue, | 395 rv = ssl3_ConsumeHandshakeVariable(ss, &clntPubKey.u.ec.publicValue, |
| 380 1, &b, &length); | 396 1, &b, &length); |
| 381 if (rv != SECSuccess) { | 397 if (rv != SECSuccess) { |
| 382 SEND_ALERT | 398 SEND_ALERT |
| 383 return SECFailure; /* XXX Who sets the error code?? */ | 399 return SECFailure; /* XXX Who sets the error code?? */ |
| 384 } | 400 } |
| 385 | 401 |
| 386 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); | 402 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); |
| 403 isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); |
| 387 | 404 |
| 388 if (isTLS) target = CKM_TLS_MASTER_KEY_DERIVE_DH; | 405 if (isTLS12) { |
| 389 else target = CKM_SSL3_MASTER_KEY_DERIVE_DH; | 406 » target = CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256; |
| 407 } else if (isTLS) { |
| 408 » target = CKM_TLS_MASTER_KEY_DERIVE_DH; |
| 409 } else { |
| 410 » target = CKM_SSL3_MASTER_KEY_DERIVE_DH; |
| 411 } |
| 390 | 412 |
| 391 /* Determine the PMS */ | 413 /* Determine the PMS */ |
| 392 pms = PK11_PubDeriveWithKDF(srvrPrivKey, &clntPubKey, PR_FALSE, NULL, NULL, | 414 pms = PK11_PubDeriveWithKDF(srvrPrivKey, &clntPubKey, PR_FALSE, NULL, NULL, |
| 393 CKM_ECDH1_DERIVE, target, CKA_DERIVE, 0, | 415 CKM_ECDH1_DERIVE, target, CKA_DERIVE, 0, |
| 394 CKD_NULL, NULL, NULL); | 416 CKD_NULL, NULL, NULL); |
| 395 | 417 |
| 396 if (pms == NULL) { | 418 if (pms == NULL) { |
| 397 /* last gasp. */ | 419 /* last gasp. */ |
| 398 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); | 420 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); |
| 399 return SECFailure; | 421 return SECFailure; |
| (...skipping 175 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 575 ss->ephemeralECDHKeyPair = ssl3_GetKeyPairRef(keyPair); | 597 ss->ephemeralECDHKeyPair = ssl3_GetKeyPairRef(keyPair); |
| 576 | 598 |
| 577 return SECSuccess; | 599 return SECSuccess; |
| 578 } | 600 } |
| 579 | 601 |
| 580 SECStatus | 602 SECStatus |
| 581 ssl3_HandleECDHServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length) | 603 ssl3_HandleECDHServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
| 582 { | 604 { |
| 583 PRArenaPool * arena = NULL; | 605 PRArenaPool * arena = NULL; |
| 584 SECKEYPublicKey *peerKey = NULL; | 606 SECKEYPublicKey *peerKey = NULL; |
| 585 PRBool isTLS; | 607 PRBool isTLS, isTLS12; |
| 586 SECStatus rv; | 608 SECStatus rv; |
| 587 int errCode = SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH; | 609 int errCode = SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH; |
| 588 SSL3AlertDescription desc = illegal_parameter; | 610 SSL3AlertDescription desc = illegal_parameter; |
| 589 SSL3Hashes hashes; | 611 SSL3Hashes hashes; |
| 590 SECItem signature = {siBuffer, NULL, 0}; | 612 SECItem signature = {siBuffer, NULL, 0}; |
| 591 | 613 |
| 592 SECItem ec_params = {siBuffer, NULL, 0}; | 614 SECItem ec_params = {siBuffer, NULL, 0}; |
| 593 SECItem ec_point = {siBuffer, NULL, 0}; | 615 SECItem ec_point = {siBuffer, NULL, 0}; |
| 594 unsigned char paramBuf[3]; /* only for curve_type == named_curve */ | 616 unsigned char paramBuf[3]; /* only for curve_type == named_curve */ |
| 617 SSL3SignatureAndHashAlgorithm sigAndHash; |
| 618 |
| 619 sigAndHash.hashAlg = SEC_OID_UNKNOWN; |
| 595 | 620 |
| 596 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); | 621 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); |
| 622 isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); |
| 597 | 623 |
| 598 /* XXX This works only for named curves, revisit this when | 624 /* XXX This works only for named curves, revisit this when |
| 599 * we support generic curves. | 625 * we support generic curves. |
| 600 */ | 626 */ |
| 601 ec_params.len = sizeof paramBuf; | 627 ec_params.len = sizeof paramBuf; |
| 602 ec_params.data = paramBuf; | 628 ec_params.data = paramBuf; |
| 603 rv = ssl3_ConsumeHandshake(ss, ec_params.data, ec_params.len, &b, &length); | 629 rv = ssl3_ConsumeHandshake(ss, ec_params.data, ec_params.len, &b, &length); |
| 604 if (rv != SECSuccess) { | 630 if (rv != SECSuccess) { |
| 605 goto loser; /* malformed. */ | 631 goto loser; /* malformed. */ |
| 606 } | 632 } |
| (...skipping 11 matching lines...) Expand all Loading... |
| 618 if (rv != SECSuccess) { | 644 if (rv != SECSuccess) { |
| 619 goto loser; /* malformed. */ | 645 goto loser; /* malformed. */ |
| 620 } | 646 } |
| 621 /* Fail if the ec point uses compressed representation */ | 647 /* Fail if the ec point uses compressed representation */ |
| 622 if (ec_point.data[0] != EC_POINT_FORM_UNCOMPRESSED) { | 648 if (ec_point.data[0] != EC_POINT_FORM_UNCOMPRESSED) { |
| 623 errCode = SEC_ERROR_UNSUPPORTED_EC_POINT_FORM; | 649 errCode = SEC_ERROR_UNSUPPORTED_EC_POINT_FORM; |
| 624 desc = handshake_failure; | 650 desc = handshake_failure; |
| 625 goto alert_loser; | 651 goto alert_loser; |
| 626 } | 652 } |
| 627 | 653 |
| 654 if (isTLS12) { |
| 655 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length, |
| 656 &sigAndHash); |
| 657 if (rv != SECSuccess) { |
| 658 goto loser; /* malformed or unsupported. */ |
| 659 } |
| 660 rv = ssl3_CheckSignatureAndHashAlgorithmConsistency( |
| 661 &sigAndHash, ss->sec.peerCert); |
| 662 if (rv != SECSuccess) { |
| 663 goto loser; |
| 664 } |
| 665 } |
| 666 |
| 628 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length); | 667 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length); |
| 629 if (rv != SECSuccess) { | 668 if (rv != SECSuccess) { |
| 630 goto loser; /* malformed. */ | 669 goto loser; /* malformed. */ |
| 631 } | 670 } |
| 632 | 671 |
| 633 if (length != 0) { | 672 if (length != 0) { |
| 634 if (isTLS) | 673 if (isTLS) |
| 635 desc = decode_error; | 674 desc = decode_error; |
| 636 goto alert_loser; /* malformed. */ | 675 goto alert_loser; /* malformed. */ |
| 637 } | 676 } |
| 638 | 677 |
| 639 PRINT_BUF(60, (NULL, "Server EC params", ec_params.data, | 678 PRINT_BUF(60, (NULL, "Server EC params", ec_params.data, |
| 640 ec_params.len)); | 679 ec_params.len)); |
| 641 PRINT_BUF(60, (NULL, "Server EC point", ec_point.data, ec_point.len)); | 680 PRINT_BUF(60, (NULL, "Server EC point", ec_point.data, ec_point.len)); |
| 642 | 681 |
| 643 /* failures after this point are not malformed handshakes. */ | 682 /* failures after this point are not malformed handshakes. */ |
| 644 /* TLS: send decrypt_error if signature failed. */ | 683 /* TLS: send decrypt_error if signature failed. */ |
| 645 desc = isTLS ? decrypt_error : handshake_failure; | 684 desc = isTLS ? decrypt_error : handshake_failure; |
| 646 | 685 |
| 647 /* | 686 /* |
| 648 * check to make sure the hash is signed by right guy | 687 * check to make sure the hash is signed by right guy |
| 649 */ | 688 */ |
| 650 rv = ssl3_ComputeECDHKeyHash(ec_params, ec_point, | 689 rv = ssl3_ComputeECDHKeyHash(sigAndHash.hashAlg, ec_params, ec_point, |
| 651 » » » » &ss->ssl3.hs.client_random, | 690 » » » » &ss->ssl3.hs.client_random, |
| 652 » » » » &ss->ssl3.hs.server_random, | 691 » » » » &ss->ssl3.hs.server_random, |
| 653 » » » » &hashes, ss->opt.bypassPKCS11); | 692 » » » » &hashes, ss->opt.bypassPKCS11); |
| 654 | 693 |
| 655 if (rv != SECSuccess) { | 694 if (rv != SECSuccess) { |
| 656 errCode = | 695 errCode = |
| 657 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); | 696 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); |
| 658 goto alert_loser; | 697 goto alert_loser; |
| 659 } | 698 } |
| 660 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature, | 699 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature, |
| 661 isTLS, ss->pkcs11PinArg); | 700 isTLS, ss->pkcs11PinArg); |
| 662 if (rv != SECSuccess) { | 701 if (rv != SECSuccess) { |
| 663 errCode = | 702 errCode = |
| (...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 707 loser: | 746 loser: |
| 708 PORT_SetError( errCode ); | 747 PORT_SetError( errCode ); |
| 709 return SECFailure; | 748 return SECFailure; |
| 710 | 749 |
| 711 no_memory: /* no-memory error has already been set. */ | 750 no_memory: /* no-memory error has already been set. */ |
| 712 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); | 751 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); |
| 713 return SECFailure; | 752 return SECFailure; |
| 714 } | 753 } |
| 715 | 754 |
| 716 SECStatus | 755 SECStatus |
| 717 ssl3_SendECDHServerKeyExchange(sslSocket *ss) | 756 ssl3_SendECDHServerKeyExchange( |
| 757 sslSocket *ss, |
| 758 const SSL3SignatureAndHashAlgorithm *sigAndHash) |
| 718 { | 759 { |
| 719 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; | 760 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; |
| 720 SECStatus rv = SECFailure; | 761 SECStatus rv = SECFailure; |
| 721 int length; | 762 int length; |
| 722 PRBool isTLS; | 763 PRBool isTLS, isTLS12; |
| 723 SECItem signed_hash = {siBuffer, NULL, 0}; | 764 SECItem signed_hash = {siBuffer, NULL, 0}; |
| 724 SSL3Hashes hashes; | 765 SSL3Hashes hashes; |
| 725 | 766 |
| 726 SECKEYPublicKey * ecdhePub; | 767 SECKEYPublicKey * ecdhePub; |
| 727 SECItem ec_params = {siBuffer, NULL, 0}; | 768 SECItem ec_params = {siBuffer, NULL, 0}; |
| 728 unsigned char paramBuf[3]; | 769 unsigned char paramBuf[3]; |
| 729 ECName curve; | 770 ECName curve; |
| 730 SSL3KEAType certIndex; | 771 SSL3KEAType certIndex; |
| 731 | 772 |
| 732 | |
| 733 /* Generate ephemeral ECDH key pair and send the public key */ | 773 /* Generate ephemeral ECDH key pair and send the public key */ |
| 734 curve = ssl3_GetCurveNameForServerSocket(ss); | 774 curve = ssl3_GetCurveNameForServerSocket(ss); |
| 735 if (curve == ec_noName) { | 775 if (curve == ec_noName) { |
| 736 goto loser; | 776 goto loser; |
| 737 } | 777 } |
| 738 rv = ssl3_CreateECDHEphemeralKeys(ss, curve); | 778 rv = ssl3_CreateECDHEphemeralKeys(ss, curve); |
| 739 if (rv != SECSuccess) { | 779 if (rv != SECSuccess) { |
| 740 goto loser; /* err set by AppendHandshake. */ | 780 goto loser; /* err set by AppendHandshake. */ |
| 741 } | 781 } |
| 742 ecdhePub = ss->ephemeralECDHKeyPair->pubKey; | 782 ecdhePub = ss->ephemeralECDHKeyPair->pubKey; |
| 743 PORT_Assert(ecdhePub != NULL); | 783 PORT_Assert(ecdhePub != NULL); |
| 744 if (!ecdhePub) { | 784 if (!ecdhePub) { |
| 745 PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); | 785 PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); |
| 746 return SECFailure; | 786 return SECFailure; |
| 747 } | 787 } |
| 748 | 788 |
| 749 ec_params.len = sizeof paramBuf; | 789 ec_params.len = sizeof paramBuf; |
| 750 ec_params.data = paramBuf; | 790 ec_params.data = paramBuf; |
| 751 curve = params2ecName(&ecdhePub->u.ec.DEREncodedParams); | 791 curve = params2ecName(&ecdhePub->u.ec.DEREncodedParams); |
| 752 if (curve != ec_noName) { | 792 if (curve != ec_noName) { |
| 753 ec_params.data[0] = ec_type_named; | 793 ec_params.data[0] = ec_type_named; |
| 754 ec_params.data[1] = 0x00; | 794 ec_params.data[1] = 0x00; |
| 755 ec_params.data[2] = curve; | 795 ec_params.data[2] = curve; |
| 756 } else { | 796 } else { |
| 757 PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); | 797 PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); |
| 758 goto loser; | 798 goto loser; |
| 759 } | 799 } |
| 760 | 800 |
| 761 rv = ssl3_ComputeECDHKeyHash(ec_params, ecdhePub->u.ec.publicValue, | 801 rv = ssl3_ComputeECDHKeyHash(sigAndHash->hashAlg, |
| 762 » » » » &ss->ssl3.hs.client_random, | 802 » » » » ec_params, |
| 763 » » » » &ss->ssl3.hs.server_random, | 803 » » » » ecdhePub->u.ec.publicValue, |
| 764 » » » » &hashes, ss->opt.bypassPKCS11); | 804 » » » » &ss->ssl3.hs.client_random, |
| 805 » » » » &ss->ssl3.hs.server_random, |
| 806 » » » » &hashes, ss->opt.bypassPKCS11); |
| 765 if (rv != SECSuccess) { | 807 if (rv != SECSuccess) { |
| 766 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); | 808 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); |
| 767 goto loser; | 809 goto loser; |
| 768 } | 810 } |
| 769 | 811 |
| 770 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); | 812 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); |
| 813 isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); |
| 771 | 814 |
| 772 /* XXX SSLKEAType isn't really a good choice for | 815 /* XXX SSLKEAType isn't really a good choice for |
| 773 * indexing certificates but that's all we have | 816 * indexing certificates but that's all we have |
| 774 * for now. | 817 * for now. |
| 775 */ | 818 */ |
| 776 if (kea_def->kea == kea_ecdhe_rsa) | 819 if (kea_def->kea == kea_ecdhe_rsa) |
| 777 certIndex = kt_rsa; | 820 certIndex = kt_rsa; |
| 778 else /* kea_def->kea == kea_ecdhe_ecdsa */ | 821 else /* kea_def->kea == kea_ecdhe_ecdsa */ |
| 779 certIndex = kt_ecdh; | 822 certIndex = kt_ecdh; |
| 780 | 823 |
| 781 rv = ssl3_SignHashes(&hashes, ss->serverCerts[certIndex].SERVERKEY, | 824 rv = ssl3_SignHashes(&hashes, ss->serverCerts[certIndex].SERVERKEY, |
| 782 &signed_hash, isTLS); | 825 &signed_hash, isTLS); |
| 783 if (rv != SECSuccess) { | 826 if (rv != SECSuccess) { |
| 784 goto loser; /* ssl3_SignHashes has set err. */ | 827 goto loser; /* ssl3_SignHashes has set err. */ |
| 785 } | 828 } |
| 786 if (signed_hash.data == NULL) { | 829 if (signed_hash.data == NULL) { |
| 787 /* how can this happen and rv == SECSuccess ?? */ | 830 /* how can this happen and rv == SECSuccess ?? */ |
| 788 PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); | 831 PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); |
| 789 goto loser; | 832 goto loser; |
| 790 } | 833 } |
| 791 | 834 |
| 792 length = ec_params.len + | 835 length = ec_params.len + |
| 793 1 + ecdhePub->u.ec.publicValue.len + | 836 1 + ecdhePub->u.ec.publicValue.len + |
| 794 » 2 + signed_hash.len; | 837 » (isTLS12 ? 2 : 0) + 2 + signed_hash.len; |
| 795 | 838 |
| 796 rv = ssl3_AppendHandshakeHeader(ss, server_key_exchange, length); | 839 rv = ssl3_AppendHandshakeHeader(ss, server_key_exchange, length); |
| 797 if (rv != SECSuccess) { | 840 if (rv != SECSuccess) { |
| 798 goto loser; /* err set by AppendHandshake. */ | 841 goto loser; /* err set by AppendHandshake. */ |
| 799 } | 842 } |
| 800 | 843 |
| 801 rv = ssl3_AppendHandshake(ss, ec_params.data, ec_params.len); | 844 rv = ssl3_AppendHandshake(ss, ec_params.data, ec_params.len); |
| 802 if (rv != SECSuccess) { | 845 if (rv != SECSuccess) { |
| 803 goto loser; /* err set by AppendHandshake. */ | 846 goto loser; /* err set by AppendHandshake. */ |
| 804 } | 847 } |
| 805 | 848 |
| 806 rv = ssl3_AppendHandshakeVariable(ss, ecdhePub->u.ec.publicValue.data, | 849 rv = ssl3_AppendHandshakeVariable(ss, ecdhePub->u.ec.publicValue.data, |
| 807 ecdhePub->u.ec.publicValue.len, 1); | 850 ecdhePub->u.ec.publicValue.len, 1); |
| 808 if (rv != SECSuccess) { | 851 if (rv != SECSuccess) { |
| 809 goto loser; /* err set by AppendHandshake. */ | 852 goto loser; /* err set by AppendHandshake. */ |
| 810 } | 853 } |
| 811 | 854 |
| 855 if (isTLS12) { |
| 856 rv = ssl3_AppendSignatureAndHashAlgorithm(ss, sigAndHash); |
| 857 if (rv != SECSuccess) { |
| 858 goto loser; /* err set by AppendHandshake. */ |
| 859 } |
| 860 } |
| 861 |
| 812 rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data, | 862 rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data, |
| 813 signed_hash.len, 2); | 863 signed_hash.len, 2); |
| 814 if (rv != SECSuccess) { | 864 if (rv != SECSuccess) { |
| 815 goto loser; /* err set by AppendHandshake. */ | 865 goto loser; /* err set by AppendHandshake. */ |
| 816 } | 866 } |
| 817 | 867 |
| 818 PORT_Free(signed_hash.data); | 868 PORT_Free(signed_hash.data); |
| 819 return SECSuccess; | 869 return SECSuccess; |
| 820 | 870 |
| 821 loser: | 871 loser: |
| (...skipping 391 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1213 ssl3_DisableECCSuites(ss, ecdhe_ecdsa_suites); | 1263 ssl3_DisableECCSuites(ss, ecdhe_ecdsa_suites); |
| 1214 return SECFailure; | 1264 return SECFailure; |
| 1215 | 1265 |
| 1216 loser: | 1266 loser: |
| 1217 /* no common curve supported */ | 1267 /* no common curve supported */ |
| 1218 ssl3_DisableECCSuites(ss, ecSuites); | 1268 ssl3_DisableECCSuites(ss, ecSuites); |
| 1219 return SECFailure; | 1269 return SECFailure; |
| 1220 } | 1270 } |
| 1221 | 1271 |
| 1222 #endif /* NSS_ENABLE_ECC */ | 1272 #endif /* NSS_ENABLE_ECC */ |
| OLD | NEW |
|---|
Chromium Code Reviews
