OLD | NEW |
1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ | 1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ |
2 /* | 2 /* |
3 * SSL3 Protocol | 3 * SSL3 Protocol |
4 * | 4 * |
5 * This Source Code Form is subject to the terms of the Mozilla Public | 5 * This Source Code Form is subject to the terms of the Mozilla Public |
6 * License, v. 2.0. If a copy of the MPL was not distributed with this | 6 * License, v. 2.0. If a copy of the MPL was not distributed with this |
7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
8 | 8 |
9 /* ECC code moved here from ssl3con.c */ | 9 /* ECC code moved here from ssl3con.c */ |
10 | 10 |
11 #include "nss.h" | 11 #include "nss.h" |
12 #include "cert.h" | 12 #include "cert.h" |
13 #include "ssl.h" | 13 #include "ssl.h" |
14 #include "cryptohi.h" /* for DSAU_ stuff */ | 14 #include "cryptohi.h" /* for DSAU_ stuff */ |
15 #include "keyhi.h" | 15 #include "keyhi.h" |
16 #include "secder.h" | 16 #include "secder.h" |
17 #include "secitem.h" | 17 #include "secitem.h" |
18 | 18 |
19 #include "sslimpl.h" | 19 #include "sslimpl.h" |
20 #include "sslproto.h" | 20 #include "sslproto.h" |
21 #include "sslerr.h" | 21 #include "sslerr.h" |
22 #include "prtime.h" | 22 #include "prtime.h" |
23 #include "prinrval.h" | 23 #include "prinrval.h" |
24 #include "prerror.h" | 24 #include "prerror.h" |
25 #include "pratom.h" | 25 #include "pratom.h" |
26 #include "prthread.h" | 26 #include "prthread.h" |
27 #include "prinit.h" | 27 #include "prinit.h" |
28 | 28 |
29 #include "pk11func.h" | 29 #include "pk11func.h" |
30 #include "secmod.h" | 30 #include "secmod.h" |
31 | 31 |
32 #include <stdio.h> | 32 #include <stdio.h> |
33 | 33 |
34 /* This is a bodge to allow this code to be compiled against older NSS headers | |
35 * that don't contain the TLS 1.2 changes. */ | |
36 #ifndef CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 | |
37 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) | |
38 #endif | |
39 | |
40 #ifndef NSS_DISABLE_ECC | 34 #ifndef NSS_DISABLE_ECC |
41 | 35 |
42 #ifndef PK11_SETATTRS | 36 #ifndef PK11_SETATTRS |
43 #define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \ | 37 #define PK11_SETATTRS(x, id, v, l) \ |
44 (x)->pValue=(v); (x)->ulValueLen = (l); | 38 (x)->type = (id); \ |
| 39 (x)->pValue = (v); \ |
| 40 (x)->ulValueLen = (l); |
45 #endif | 41 #endif |
46 | 42 |
47 #define SSL_GET_SERVER_PUBLIC_KEY(sock, type) \ | 43 #define SSL_GET_SERVER_PUBLIC_KEY(sock, type)
\ |
48 (ss->serverCerts[type].serverKeyPair ? \ | 44 (ss->serverCerts[type].serverKeyPair ? ss->serverCerts[type].serverKeyPair->
pubKey \ |
49 ss->serverCerts[type].serverKeyPair->pubKey : NULL) | 45 : NULL) |
50 | 46 |
51 #define SSL_IS_CURVE_NEGOTIATED(curvemsk, curveName) \ | 47 #define SSL_IS_CURVE_NEGOTIATED(curvemsk, curveName) \ |
52 ((curveName > ec_noName) && \ | 48 ((curveName > ec_noName) && \ |
53 (curveName < ec_pastLastName) && \ | 49 (curveName < ec_pastLastName) && \ |
54 ((1UL << curveName) & curvemsk) != 0) | 50 ((1UL << curveName) & curvemsk) != 0) |
55 | 51 |
56 | |
57 | |
58 static SECStatus ssl3_CreateECDHEphemeralKeys(sslSocket *ss, ECName ec_curve); | 52 static SECStatus ssl3_CreateECDHEphemeralKeys(sslSocket *ss, ECName ec_curve); |
59 | 53 |
60 #define supportedCurve(x) (((x) > ec_noName) && ((x) < ec_pastLastName)) | 54 #define supportedCurve(x) (((x) > ec_noName) && ((x) < ec_pastLastName)) |
61 | 55 |
62 /* Table containing OID tags for elliptic curves named in the | 56 /* Table containing OID tags for elliptic curves named in the |
63 * ECC-TLS IETF draft. | 57 * ECC-TLS IETF draft. |
64 */ | 58 */ |
65 static const SECOidTag ecName2OIDTag[] = { | 59 static const SECOidTag ecName2OIDTag[] = { |
66 0, | 60 0, |
67 SEC_OID_SECG_EC_SECT163K1, /* 1 */ | 61 SEC_OID_SECG_EC_SECT163K1, /* 1 */ |
68 SEC_OID_SECG_EC_SECT163R1, /* 2 */ | 62 SEC_OID_SECG_EC_SECT163R1, /* 2 */ |
69 SEC_OID_SECG_EC_SECT163R2, /* 3 */ | 63 SEC_OID_SECG_EC_SECT163R2, /* 3 */ |
70 SEC_OID_SECG_EC_SECT193R1, /* 4 */ | 64 SEC_OID_SECG_EC_SECT193R1, /* 4 */ |
71 SEC_OID_SECG_EC_SECT193R2, /* 5 */ | 65 SEC_OID_SECG_EC_SECT193R2, /* 5 */ |
72 SEC_OID_SECG_EC_SECT233K1, /* 6 */ | 66 SEC_OID_SECG_EC_SECT233K1, /* 6 */ |
73 SEC_OID_SECG_EC_SECT233R1, /* 7 */ | 67 SEC_OID_SECG_EC_SECT233R1, /* 7 */ |
74 SEC_OID_SECG_EC_SECT239K1, /* 8 */ | 68 SEC_OID_SECG_EC_SECT239K1, /* 8 */ |
75 SEC_OID_SECG_EC_SECT283K1, /* 9 */ | 69 SEC_OID_SECG_EC_SECT283K1, /* 9 */ |
76 SEC_OID_SECG_EC_SECT283R1, /* 10 */ | 70 SEC_OID_SECG_EC_SECT283R1, /* 10 */ |
77 SEC_OID_SECG_EC_SECT409K1, /* 11 */ | 71 SEC_OID_SECG_EC_SECT409K1, /* 11 */ |
78 SEC_OID_SECG_EC_SECT409R1, /* 12 */ | 72 SEC_OID_SECG_EC_SECT409R1, /* 12 */ |
79 SEC_OID_SECG_EC_SECT571K1, /* 13 */ | 73 SEC_OID_SECG_EC_SECT571K1, /* 13 */ |
80 SEC_OID_SECG_EC_SECT571R1, /* 14 */ | 74 SEC_OID_SECG_EC_SECT571R1, /* 14 */ |
81 SEC_OID_SECG_EC_SECP160K1, /* 15 */ | 75 SEC_OID_SECG_EC_SECP160K1, /* 15 */ |
82 SEC_OID_SECG_EC_SECP160R1, /* 16 */ | 76 SEC_OID_SECG_EC_SECP160R1, /* 16 */ |
83 SEC_OID_SECG_EC_SECP160R2, /* 17 */ | 77 SEC_OID_SECG_EC_SECP160R2, /* 17 */ |
84 SEC_OID_SECG_EC_SECP192K1, /* 18 */ | 78 SEC_OID_SECG_EC_SECP192K1, /* 18 */ |
85 SEC_OID_SECG_EC_SECP192R1, /* 19 */ | 79 SEC_OID_SECG_EC_SECP192R1, /* 19 */ |
86 SEC_OID_SECG_EC_SECP224K1, /* 20 */ | 80 SEC_OID_SECG_EC_SECP224K1, /* 20 */ |
87 SEC_OID_SECG_EC_SECP224R1, /* 21 */ | 81 SEC_OID_SECG_EC_SECP224R1, /* 21 */ |
88 SEC_OID_SECG_EC_SECP256K1, /* 22 */ | 82 SEC_OID_SECG_EC_SECP256K1, /* 22 */ |
89 SEC_OID_SECG_EC_SECP256R1, /* 23 */ | 83 SEC_OID_SECG_EC_SECP256R1, /* 23 */ |
90 SEC_OID_SECG_EC_SECP384R1, /* 24 */ | 84 SEC_OID_SECG_EC_SECP384R1, /* 24 */ |
91 SEC_OID_SECG_EC_SECP521R1, /* 25 */ | 85 SEC_OID_SECG_EC_SECP521R1, /* 25 */ |
92 }; | 86 }; |
93 | 87 |
94 static const PRUint16 curve2bits[] = { | 88 static const PRUint16 curve2bits[] = { |
95 0, /* ec_noName = 0, */ | 89 0, /* ec_noName = 0, */ |
96 163, /* ec_sect163k1 = 1, */ | 90 163, /* ec_sect163k1 = 1, */ |
97 163, /* ec_sect163r1 = 2, */ | 91 163, /* ec_sect163r1 = 2, */ |
98 163, /* ec_sect163r2 = 3, */ | 92 163, /* ec_sect163r2 = 3, */ |
99 193, /* ec_sect193r1 = 4, */ | 93 193, /* ec_sect193r1 = 4, */ |
100 193, /* ec_sect193r2 = 5, */ | 94 193, /* ec_sect193r2 = 5, */ |
101 233, /* ec_sect233k1 = 6, */ | 95 233, /* ec_sect233k1 = 6, */ |
102 233, /* ec_sect233r1 = 7, */ | 96 233, /* ec_sect233r1 = 7, */ |
103 239, /* ec_sect239k1 = 8, */ | 97 239, /* ec_sect239k1 = 8, */ |
104 283, /* ec_sect283k1 = 9, */ | 98 283, /* ec_sect283k1 = 9, */ |
105 283, /* ec_sect283r1 = 10, */ | 99 283, /* ec_sect283r1 = 10, */ |
106 409, /* ec_sect409k1 = 11, */ | 100 409, /* ec_sect409k1 = 11, */ |
107 409, /* ec_sect409r1 = 12, */ | 101 409, /* ec_sect409r1 = 12, */ |
108 571, /* ec_sect571k1 = 13, */ | 102 571, /* ec_sect571k1 = 13, */ |
109 571, /* ec_sect571r1 = 14, */ | 103 571, /* ec_sect571r1 = 14, */ |
110 160, /* ec_secp160k1 = 15, */ | 104 160, /* ec_secp160k1 = 15, */ |
111 160, /* ec_secp160r1 = 16, */ | 105 160, /* ec_secp160r1 = 16, */ |
112 160, /* ec_secp160r2 = 17, */ | 106 160, /* ec_secp160r2 = 17, */ |
113 192, /* ec_secp192k1 = 18, */ | 107 192, /* ec_secp192k1 = 18, */ |
114 192, /* ec_secp192r1 = 19, */ | 108 192, /* ec_secp192r1 = 19, */ |
115 224, /* ec_secp224k1 = 20, */ | 109 224, /* ec_secp224k1 = 20, */ |
116 224, /* ec_secp224r1 = 21, */ | 110 224, /* ec_secp224r1 = 21, */ |
117 256, /* ec_secp256k1 = 22, */ | 111 256, /* ec_secp256k1 = 22, */ |
118 256, /* ec_secp256r1 = 23, */ | 112 256, /* ec_secp256r1 = 23, */ |
119 384, /* ec_secp384r1 = 24, */ | 113 384, /* ec_secp384r1 = 24, */ |
120 521, /* ec_secp521r1 = 25, */ | 114 521, /* ec_secp521r1 = 25, */ |
121 65535 /* ec_pastLastName */ | 115 65535 /* ec_pastLastName */ |
122 }; | 116 }; |
123 | 117 |
124 typedef struct Bits2CurveStr { | 118 typedef struct Bits2CurveStr { |
125 PRUint16 bits; | 119 PRUint16 bits; |
126 ECName curve; | 120 ECName curve; |
127 } Bits2Curve; | 121 } Bits2Curve; |
128 | 122 |
129 static const Bits2Curve bits2curve [] = { | 123 static const Bits2Curve bits2curve[] = { |
130 { 192, ec_secp192r1 /* = 19, fast */ }, | 124 { 192, ec_secp192r1 /* = 19, fast */ }, |
131 { 160, ec_secp160r2 /* = 17, fast */ }, | 125 { 160, ec_secp160r2 /* = 17, fast */ }, |
132 { 160, ec_secp160k1 /* = 15, */ }, | 126 { 160, ec_secp160k1 /* = 15, */ }, |
133 { 160, ec_secp160r1 /* = 16, */ }, | 127 { 160, ec_secp160r1 /* = 16, */ }, |
134 { 163, ec_sect163k1 /* = 1, */ }, | 128 { 163, ec_sect163k1 /* = 1, */ }, |
135 { 163, ec_sect163r1 /* = 2, */ }, | 129 { 163, ec_sect163r1 /* = 2, */ }, |
136 { 163, ec_sect163r2 /* = 3, */ }, | 130 { 163, ec_sect163r2 /* = 3, */ }, |
137 { 192, ec_secp192k1 /* = 18, */ }, | 131 { 192, ec_secp192k1 /* = 18, */ }, |
138 { 193, ec_sect193r1 /* = 4, */ }, | 132 { 193, ec_sect193r1 /* = 4, */ }, |
139 { 193, ec_sect193r2 /* = 5, */ }, | 133 { 193, ec_sect193r2 /* = 5, */ }, |
140 { 224, ec_secp224r1 /* = 21, fast */ }, | 134 { 224, ec_secp224r1 /* = 21, fast */ }, |
141 { 224, ec_secp224k1 /* = 20, */ }, | 135 { 224, ec_secp224k1 /* = 20, */ }, |
142 { 233, ec_sect233k1 /* = 6, */ }, | 136 { 233, ec_sect233k1 /* = 6, */ }, |
143 { 233, ec_sect233r1 /* = 7, */ }, | 137 { 233, ec_sect233r1 /* = 7, */ }, |
144 { 239, ec_sect239k1 /* = 8, */ }, | 138 { 239, ec_sect239k1 /* = 8, */ }, |
145 { 256, ec_secp256r1 /* = 23, fast */ }, | 139 { 256, ec_secp256r1 /* = 23, fast */ }, |
146 { 256, ec_secp256k1 /* = 22, */ }, | 140 { 256, ec_secp256k1 /* = 22, */ }, |
147 { 283, ec_sect283k1 /* = 9, */ }, | 141 { 283, ec_sect283k1 /* = 9, */ }, |
148 { 283, ec_sect283r1 /* = 10, */ }, | 142 { 283, ec_sect283r1 /* = 10, */ }, |
149 { 384, ec_secp384r1 /* = 24, fast */ }, | 143 { 384, ec_secp384r1 /* = 24, fast */ }, |
150 { 409, ec_sect409k1 /* = 11, */ }, | 144 { 409, ec_sect409k1 /* = 11, */ }, |
151 { 409, ec_sect409r1 /* = 12, */ }, | 145 { 409, ec_sect409r1 /* = 12, */ }, |
152 { 521, ec_secp521r1 /* = 25, fast */ }, | 146 { 521, ec_secp521r1 /* = 25, fast */ }, |
153 { 571, ec_sect571k1 /* = 13, */ }, | 147 { 571, ec_sect571k1 /* = 13, */ }, |
154 { 571, ec_sect571r1 /* = 14, */ }, | 148 { 571, ec_sect571r1 /* = 14, */ }, |
155 { 65535, ec_noName } | 149 { 65535, ec_noName } |
156 }; | 150 }; |
157 | 151 |
158 typedef struct ECDHEKeyPairStr { | 152 typedef struct ECDHEKeyPairStr { |
159 ssl3KeyPair * pair; | 153 ssl3KeyPair *pair; |
160 int error; /* error code of the call-once function */ | 154 int error; /* error code of the call-once function */ |
161 PRCallOnceType once; | 155 PRCallOnceType once; |
162 } ECDHEKeyPair; | 156 } ECDHEKeyPair; |
163 | 157 |
164 /* arrays of ECDHE KeyPairs */ | 158 /* arrays of ECDHE KeyPairs */ |
165 static ECDHEKeyPair gECDHEKeyPairs[ec_pastLastName]; | 159 static ECDHEKeyPair gECDHEKeyPairs[ec_pastLastName]; |
166 | 160 |
167 SECStatus | 161 SECStatus |
168 ssl3_ECName2Params(PLArenaPool * arena, ECName curve, SECKEYECParams * params) | 162 ssl3_ECName2Params(PLArenaPool *arena, ECName curve, SECKEYECParams *params) |
169 { | 163 { |
170 SECOidData *oidData = NULL; | 164 SECOidData *oidData = NULL; |
| 165 PRUint32 policyFlags = 0; |
171 | 166 |
172 if ((curve <= ec_noName) || (curve >= ec_pastLastName) || | 167 if ((curve <= ec_noName) || (curve >= ec_pastLastName) || |
173 ((oidData = SECOID_FindOIDByTag(ecName2OIDTag[curve])) == NULL)) { | 168 ((oidData = SECOID_FindOIDByTag(ecName2OIDTag[curve])) == NULL)) { |
174 PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); | 169 PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); |
175 return SECFailure; | 170 return SECFailure; |
176 } | 171 } |
177 | 172 |
| 173 if ((NSS_GetAlgorithmPolicy(ecName2OIDTag[curve], &policyFlags) == |
| 174 SECSuccess) && |
| 175 !(policyFlags & NSS_USE_ALG_IN_SSL_KX)) { |
| 176 PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); |
| 177 return SECFailure; |
| 178 } |
| 179 |
178 SECITEM_AllocItem(arena, params, (2 + oidData->oid.len)); | 180 SECITEM_AllocItem(arena, params, (2 + oidData->oid.len)); |
179 /* | 181 /* |
180 * params->data needs to contain the ASN encoding of an object ID (OID) | 182 * params->data needs to contain the ASN encoding of an object ID (OID) |
181 * representing the named curve. The actual OID is in | 183 * representing the named curve. The actual OID is in |
182 * oidData->oid.data so we simply prepend 0x06 and OID length | 184 * oidData->oid.data so we simply prepend 0x06 and OID length |
183 */ | 185 */ |
184 params->data[0] = SEC_ASN1_OBJECT_ID; | 186 params->data[0] = SEC_ASN1_OBJECT_ID; |
185 params->data[1] = oidData->oid.len; | 187 params->data[1] = oidData->oid.len; |
186 memcpy(params->data + 2, oidData->oid.data, oidData->oid.len); | 188 memcpy(params->data + 2, oidData->oid.data, oidData->oid.len); |
187 | 189 |
188 return SECSuccess; | 190 return SECSuccess; |
189 } | 191 } |
190 | 192 |
191 static ECName | 193 ECName |
192 params2ecName(SECKEYECParams * params) | 194 ssl3_PubKey2ECName(SECKEYPublicKey *pubKey) |
193 { | 195 { |
194 SECItem oid = { siBuffer, NULL, 0}; | 196 SECItem oid = { siBuffer, NULL, 0 }; |
195 SECOidData *oidData = NULL; | 197 SECOidData *oidData = NULL; |
| 198 PRUint32 policyFlags = 0; |
196 ECName i; | 199 ECName i; |
| 200 SECKEYECParams *params; |
| 201 |
| 202 if (pubKey->keyType != ecKey) { |
| 203 PORT_Assert(0); |
| 204 return ec_noName; |
| 205 } |
| 206 |
| 207 params = &pubKey->u.ec.DEREncodedParams; |
197 | 208 |
198 /* | 209 /* |
199 * params->data needs to contain the ASN encoding of an object ID (OID) | 210 * params->data needs to contain the ASN encoding of an object ID (OID) |
200 * representing a named curve. Here, we strip away everything | 211 * representing a named curve. Here, we strip away everything |
201 * before the actual OID and use the OID to look up a named curve. | 212 * before the actual OID and use the OID to look up a named curve. |
202 */ | 213 */ |
203 if (params->data[0] != SEC_ASN1_OBJECT_ID) return ec_noName; | 214 if (params->data[0] != SEC_ASN1_OBJECT_ID) |
| 215 return ec_noName; |
204 oid.len = params->len - 2; | 216 oid.len = params->len - 2; |
205 oid.data = params->data + 2; | 217 oid.data = params->data + 2; |
206 if ((oidData = SECOID_FindOID(&oid)) == NULL) return ec_noName; | 218 if ((oidData = SECOID_FindOID(&oid)) == NULL) |
| 219 return ec_noName; |
| 220 if ((NSS_GetAlgorithmPolicy(oidData->offset, &policyFlags) == |
| 221 SECSuccess) && |
| 222 !(policyFlags & NSS_USE_ALG_IN_SSL_KX)) { |
| 223 return ec_noName; |
| 224 } |
207 for (i = ec_noName + 1; i < ec_pastLastName; i++) { | 225 for (i = ec_noName + 1; i < ec_pastLastName; i++) { |
208 if (ecName2OIDTag[i] == oidData->offset) | 226 if (ecName2OIDTag[i] == oidData->offset) |
209 return i; | 227 return i; |
210 } | 228 } |
211 | 229 |
212 return ec_noName; | 230 return ec_noName; |
213 } | 231 } |
214 | 232 |
215 /* Caller must set hiLevel error code. */ | 233 /* Caller must set hiLevel error code. */ |
216 static SECStatus | 234 static SECStatus |
217 ssl3_ComputeECDHKeyHash(SSLHashType hashAlg, | 235 ssl3_ComputeECDHKeyHash(SSLHashType hashAlg, |
218 SECItem ec_params, SECItem server_ecpoint, | 236 SECItem ec_params, SECItem server_ecpoint, |
219 SSL3Random *client_rand, SSL3Random *server_rand, | 237 SSL3Random *client_rand, SSL3Random *server_rand, |
220 SSL3Hashes *hashes, PRBool bypassPKCS11) | 238 SSL3Hashes *hashes, PRBool bypassPKCS11) |
221 { | 239 { |
222 PRUint8 * hashBuf; | 240 PRUint8 *hashBuf; |
223 PRUint8 * pBuf; | 241 PRUint8 *pBuf; |
224 SECStatus rv = SECSuccess; | 242 SECStatus rv = SECSuccess; |
225 unsigned int bufLen; | 243 unsigned int bufLen; |
226 /* | 244 /* |
227 * XXX For now, we only support named curves (the appropriate | 245 * XXX For now, we only support named curves (the appropriate |
228 * checks are made before this method is called) so ec_params | 246 * checks are made before this method is called) so ec_params |
229 * takes up only two bytes. ECPoint needs to fit in 256 bytes | 247 * takes up only two bytes. ECPoint needs to fit in 256 bytes |
230 * (because the spec says the length must fit in one byte) | 248 * (because the spec says the length must fit in one byte) |
231 */ | 249 */ |
232 PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 1 + 256]; | 250 PRUint8 buf[2 * SSL3_RANDOM_LENGTH + 2 + 1 + 256]; |
233 | 251 |
234 bufLen = 2*SSL3_RANDOM_LENGTH + ec_params.len + 1 + server_ecpoint.len; | 252 bufLen = 2 * SSL3_RANDOM_LENGTH + ec_params.len + 1 + server_ecpoint.len; |
235 if (bufLen <= sizeof buf) { | 253 if (bufLen <= sizeof buf) { |
236 hashBuf = buf; | 254 hashBuf = buf; |
237 } else { | 255 } else { |
238 hashBuf = PORT_Alloc(bufLen); | 256 hashBuf = PORT_Alloc(bufLen); |
239 if (!hashBuf) { | 257 if (!hashBuf) { |
240 return SECFailure; | 258 return SECFailure; |
241 } | 259 } |
242 } | 260 } |
243 | 261 |
244 memcpy(hashBuf, client_rand, SSL3_RANDOM_LENGTH); | 262 memcpy(hashBuf, client_rand, SSL3_RANDOM_LENGTH); |
245 pBuf = hashBuf + SSL3_RANDOM_LENGTH; | 263 pBuf = hashBuf + SSL3_RANDOM_LENGTH; |
246 memcpy(pBuf, server_rand, SSL3_RANDOM_LENGTH); | 264 memcpy(pBuf, server_rand, SSL3_RANDOM_LENGTH); |
247 pBuf += SSL3_RANDOM_LENGTH; | 265 pBuf += SSL3_RANDOM_LENGTH; |
248 memcpy(pBuf, ec_params.data, ec_params.len); | 266 memcpy(pBuf, ec_params.data, ec_params.len); |
249 pBuf += ec_params.len; | 267 pBuf += ec_params.len; |
250 pBuf[0] = (PRUint8)(server_ecpoint.len); | 268 pBuf[0] = (PRUint8)(server_ecpoint.len); |
251 pBuf += 1; | 269 pBuf += 1; |
252 memcpy(pBuf, server_ecpoint.data, server_ecpoint.len); | 270 memcpy(pBuf, server_ecpoint.data, server_ecpoint.len); |
253 pBuf += server_ecpoint.len; | 271 pBuf += server_ecpoint.len; |
254 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen); | 272 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen); |
255 | 273 |
256 rv = ssl3_ComputeCommonKeyHash(hashAlg, hashBuf, bufLen, hashes, | 274 rv = ssl3_ComputeCommonKeyHash(hashAlg, hashBuf, bufLen, hashes, |
257 bypassPKCS11); | 275 bypassPKCS11); |
258 | 276 |
259 PRINT_BUF(95, (NULL, "ECDHkey hash: ", hashBuf, bufLen)); | 277 PRINT_BUF(95, (NULL, "ECDHkey hash: ", hashBuf, bufLen)); |
260 PRINT_BUF(95, (NULL, "ECDHkey hash: MD5 result", | 278 PRINT_BUF(95, (NULL, "ECDHkey hash: MD5 result", |
261 hashes->u.s.md5, MD5_LENGTH)); | 279 hashes->u.s.md5, MD5_LENGTH)); |
262 PRINT_BUF(95, (NULL, "ECDHkey hash: SHA1 result", | 280 PRINT_BUF(95, (NULL, "ECDHkey hash: SHA1 result", |
263 hashes->u.s.sha, SHA1_LENGTH)); | 281 hashes->u.s.sha, SHA1_LENGTH)); |
264 | 282 |
265 if (hashBuf != buf) | 283 if (hashBuf != buf) |
266 PORT_Free(hashBuf); | 284 PORT_Free(hashBuf); |
267 return rv; | 285 return rv; |
268 } | 286 } |
269 | 287 |
270 | |
271 /* Called from ssl3_SendClientKeyExchange(). */ | 288 /* Called from ssl3_SendClientKeyExchange(). */ |
272 SECStatus | 289 SECStatus |
273 ssl3_SendECDHClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey) | 290 ssl3_SendECDHClientKeyExchange(sslSocket *ss, SECKEYPublicKey *svrPubKey) |
274 { | 291 { |
275 PK11SymKey * pms = NULL; | 292 PK11SymKey *pms = NULL; |
276 SECStatus rv = SECFailure; | 293 SECStatus rv = SECFailure; |
277 PRBool isTLS, isTLS12; | 294 PRBool isTLS, isTLS12; |
278 CK_MECHANISM_TYPE target; | 295 CK_MECHANISM_TYPE target; |
279 SECKEYPublicKey *pubKey = NULL; /* Ephemeral ECDH key */ | 296 SECKEYPublicKey *pubKey = NULL; /* Ephemeral ECDH key */ |
280 SECKEYPrivateKey *privKey = NULL; /* Ephemeral ECDH key */ | 297 SECKEYPrivateKey *privKey = NULL; /* Ephemeral ECDH key */ |
281 | 298 |
282 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 299 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
283 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); | 300 PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
284 | 301 |
285 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); | 302 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); |
286 isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); | 303 isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); |
287 | 304 |
288 /* Generate ephemeral EC keypair */ | 305 /* Generate ephemeral EC keypair */ |
289 if (svrPubKey->keyType != ecKey) { | 306 if (svrPubKey->keyType != ecKey) { |
290 PORT_SetError(SEC_ERROR_BAD_KEY); | 307 PORT_SetError(SEC_ERROR_BAD_KEY); |
291 goto loser; | 308 goto loser; |
292 } | 309 } |
293 /* XXX SHOULD CALL ssl3_CreateECDHEphemeralKeys here, instead! */ | 310 /* XXX SHOULD CALL ssl3_CreateECDHEphemeralKeys here, instead! */ |
294 privKey = SECKEY_CreateECPrivateKey(&svrPubKey->u.ec.DEREncodedParams, | 311 privKey = SECKEY_CreateECPrivateKey(&svrPubKey->u.ec.DEREncodedParams, |
295 &pubKey, ss->pkcs11PinArg); | 312 &pubKey, ss->pkcs11PinArg); |
296 if (!privKey || !pubKey) { | 313 if (!privKey || !pubKey) { |
297 ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL); | 314 ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL); |
298 rv = SECFailure; | 315 rv = SECFailure; |
299 goto loser; | 316 goto loser; |
300 } | 317 } |
301 PRINT_BUF(50, (ss, "ECDH public value:", | 318 PRINT_BUF(50, (ss, "ECDH public value:", |
302 pubKey->u.ec.publicValue.data, | 319 pubKey->u.ec.publicValue.data, |
303 pubKey->u.ec.publicValue.len)); | 320 pubKey->u.ec.publicValue.len)); |
304 | 321 |
305 if (isTLS12) { | 322 if (isTLS12) { |
306 target = CKM_TLS12_MASTER_KEY_DERIVE_DH; | 323 target = CKM_TLS12_MASTER_KEY_DERIVE_DH; |
307 } else if (isTLS) { | 324 } else if (isTLS) { |
308 target = CKM_TLS_MASTER_KEY_DERIVE_DH; | 325 target = CKM_TLS_MASTER_KEY_DERIVE_DH; |
309 } else { | 326 } else { |
310 target = CKM_SSL3_MASTER_KEY_DERIVE_DH; | 327 target = CKM_SSL3_MASTER_KEY_DERIVE_DH; |
311 } | 328 } |
312 | 329 |
313 /* Determine the PMS */ | 330 /* Determine the PMS */ |
314 pms = PK11_PubDeriveWithKDF(privKey, svrPubKey, PR_FALSE, NULL, NULL, | 331 pms = PK11_PubDeriveWithKDF(privKey, svrPubKey, PR_FALSE, NULL, NULL, |
315 CKM_ECDH1_DERIVE, target, CKA_DERIVE, 0, | 332 CKM_ECDH1_DERIVE, target, CKA_DERIVE, 0, |
316 CKD_NULL, NULL, NULL); | 333 CKD_NULL, NULL, NULL); |
317 | 334 |
318 if (pms == NULL) { | 335 if (pms == NULL) { |
319 SSL3AlertDescription desc = illegal_parameter; | 336 SSL3AlertDescription desc = illegal_parameter; |
320 (void)SSL3_SendAlert(ss, alert_fatal, desc); | 337 (void)SSL3_SendAlert(ss, alert_fatal, desc); |
321 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); | 338 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); |
322 goto loser; | 339 goto loser; |
323 } | 340 } |
324 | 341 |
325 SECKEY_DestroyPrivateKey(privKey); | 342 SECKEY_DestroyPrivateKey(privKey); |
326 privKey = NULL; | 343 privKey = NULL; |
327 | 344 |
328 rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange, | 345 rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange, |
329 pubKey->u.ec.publicValue.len + 1); | 346 pubKey->u.ec.publicValue.len + 1); |
330 if (rv != SECSuccess) { | 347 if (rv != SECSuccess) { |
331 goto loser; /* err set by ssl3_AppendHandshake* */ | 348 goto loser; /* err set by ssl3_AppendHandshake* */ |
332 } | 349 } |
333 | 350 |
334 rv = ssl3_AppendHandshakeVariable(ss, | 351 rv = ssl3_AppendHandshakeVariable(ss, |
335 pubKey->u.ec.publicValue.data, | 352 pubKey->u.ec.publicValue.data, |
336 pubKey->u.ec.publicValue.len, 1); | 353 pubKey->u.ec.publicValue.len, 1); |
337 SECKEY_DestroyPublicKey(pubKey); | 354 SECKEY_DestroyPublicKey(pubKey); |
338 pubKey = NULL; | 355 pubKey = NULL; |
339 | 356 |
340 if (rv != SECSuccess) { | 357 if (rv != SECSuccess) { |
341 goto loser; /* err set by ssl3_AppendHandshake* */ | 358 goto loser; /* err set by ssl3_AppendHandshake* */ |
342 } | 359 } |
343 | 360 |
344 rv = ssl3_InitPendingCipherSpec(ss, pms); | 361 rv = ssl3_InitPendingCipherSpec(ss, pms); |
345 PK11_FreeSymKey(pms); pms = NULL; | 362 PK11_FreeSymKey(pms); |
| 363 pms = NULL; |
346 | 364 |
347 if (rv != SECSuccess) { | 365 if (rv != SECSuccess) { |
348 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); | 366 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); |
349 goto loser; | 367 goto loser; |
350 } | 368 } |
351 | 369 |
352 rv = SECSuccess; | 370 rv = SECSuccess; |
353 | 371 |
354 loser: | 372 loser: |
355 if(pms) PK11_FreeSymKey(pms); | 373 if (pms) |
356 if(privKey) SECKEY_DestroyPrivateKey(privKey); | 374 PK11_FreeSymKey(pms); |
357 if(pubKey) SECKEY_DestroyPublicKey(pubKey); | 375 if (privKey) |
| 376 SECKEY_DestroyPrivateKey(privKey); |
| 377 if (pubKey) |
| 378 SECKEY_DestroyPublicKey(pubKey); |
358 return rv; | 379 return rv; |
359 } | 380 } |
360 | 381 |
| 382 ECName |
| 383 tls13_GroupForECDHEKeyShare(ssl3KeyPair *pair) |
| 384 { |
| 385 return ssl3_PubKey2ECName(pair->pubKey); |
| 386 } |
| 387 |
| 388 /* This function returns the size of the key_exchange field in |
| 389 * the KeyShareEntry structure. */ |
| 390 unsigned int |
| 391 tls13_SizeOfECDHEKeyShareKEX(ssl3KeyPair *pair) |
| 392 { |
| 393 return 1 + /* Length */ |
| 394 pair->pubKey->u.ec.publicValue.len; |
| 395 } |
| 396 |
| 397 /* This function encodes the key_exchange field in |
| 398 * the KeyShareEntry structure. */ |
| 399 SECStatus |
| 400 tls13_EncodeECDHEKeyShareKEX(sslSocket *ss, ssl3KeyPair *pair) |
| 401 { |
| 402 const SECItem *publicValue; |
| 403 |
| 404 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| 405 PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
| 406 |
| 407 publicValue = &pair->pubKey->u.ec.publicValue; |
| 408 |
| 409 return ssl3_AppendHandshakeVariable(ss, publicValue->data, |
| 410 publicValue->len, 1); |
| 411 } |
361 | 412 |
362 /* | 413 /* |
363 ** Called from ssl3_HandleClientKeyExchange() | 414 ** Called from ssl3_HandleClientKeyExchange() |
364 */ | 415 */ |
365 SECStatus | 416 SECStatus |
366 ssl3_HandleECDHClientKeyExchange(sslSocket *ss, SSL3Opaque *b, | 417 ssl3_HandleECDHClientKeyExchange(sslSocket *ss, SSL3Opaque *b, |
367 PRUint32 length, | 418 PRUint32 length, |
368 SECKEYPublicKey *srvrPubKey, | 419 SECKEYPublicKey *srvrPubKey, |
369 SECKEYPrivateKey *srvrPrivKey) | 420 SECKEYPrivateKey *srvrPrivKey) |
370 { | 421 { |
371 PK11SymKey * pms; | 422 PK11SymKey *pms; |
372 SECStatus rv; | 423 SECStatus rv; |
373 SECKEYPublicKey clntPubKey; | 424 SECKEYPublicKey clntPubKey; |
374 CK_MECHANISM_TYPE target; | 425 CK_MECHANISM_TYPE target; |
375 PRBool isTLS, isTLS12; | 426 PRBool isTLS, isTLS12; |
376 | 427 |
377 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 428 PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); |
378 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 429 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
379 | 430 |
380 clntPubKey.keyType = ecKey; | 431 clntPubKey.keyType = ecKey; |
381 clntPubKey.u.ec.DEREncodedParams.len = | 432 clntPubKey.u.ec.DEREncodedParams.len = |
382 srvrPubKey->u.ec.DEREncodedParams.len; | 433 srvrPubKey->u.ec.DEREncodedParams.len; |
383 clntPubKey.u.ec.DEREncodedParams.data = | 434 clntPubKey.u.ec.DEREncodedParams.data = |
384 srvrPubKey->u.ec.DEREncodedParams.data; | 435 srvrPubKey->u.ec.DEREncodedParams.data; |
385 | 436 |
386 rv = ssl3_ConsumeHandshakeVariable(ss, &clntPubKey.u.ec.publicValue, | 437 rv = ssl3_ConsumeHandshakeVariable(ss, &clntPubKey.u.ec.publicValue, |
387 1, &b, &length); | 438 1, &b, &length); |
388 if (rv != SECSuccess) { | 439 if (rv != SECSuccess) { |
389 SEND_ALERT | 440 SEND_ALERT |
390 return SECFailure; /* XXX Who sets the error code?? */ | 441 return SECFailure; /* XXX Who sets the error code?? */ |
391 } | 442 } |
392 | 443 |
393 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); | 444 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); |
394 isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); | 445 isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); |
395 | 446 |
396 if (isTLS12) { | 447 if (isTLS12) { |
397 target = CKM_TLS12_MASTER_KEY_DERIVE_DH; | 448 target = CKM_TLS12_MASTER_KEY_DERIVE_DH; |
398 } else if (isTLS) { | 449 } else if (isTLS) { |
399 target = CKM_TLS_MASTER_KEY_DERIVE_DH; | 450 target = CKM_TLS_MASTER_KEY_DERIVE_DH; |
400 } else { | 451 } else { |
401 target = CKM_SSL3_MASTER_KEY_DERIVE_DH; | 452 target = CKM_SSL3_MASTER_KEY_DERIVE_DH; |
402 } | 453 } |
403 | 454 |
404 /* Determine the PMS */ | 455 /* Determine the PMS */ |
405 pms = PK11_PubDeriveWithKDF(srvrPrivKey, &clntPubKey, PR_FALSE, NULL, NULL, | 456 pms = PK11_PubDeriveWithKDF(srvrPrivKey, &clntPubKey, PR_FALSE, NULL, NULL, |
406 CKM_ECDH1_DERIVE, target, CKA_DERIVE, 0, | 457 CKM_ECDH1_DERIVE, target, CKA_DERIVE, 0, |
407 CKD_NULL, NULL, NULL); | 458 CKD_NULL, NULL, NULL); |
408 | 459 |
409 if (pms == NULL) { | 460 if (pms == NULL) { |
410 /* last gasp. */ | 461 /* last gasp. */ |
411 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); | 462 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); |
412 return SECFailure; | 463 return SECFailure; |
413 } | 464 } |
414 | 465 |
415 rv = ssl3_InitPendingCipherSpec(ss, pms); | 466 rv = ssl3_InitPendingCipherSpec(ss, pms); |
416 PK11_FreeSymKey(pms); | 467 PK11_FreeSymKey(pms); |
417 if (rv != SECSuccess) { | 468 if (rv != SECSuccess) { |
418 SEND_ALERT | 469 SEND_ALERT |
419 return SECFailure; /* error code set by ssl3_InitPendingCipherSpec */ | 470 return SECFailure; /* error code set by ssl3_InitPendingCipherSpec */ |
420 } | 471 } |
421 return SECSuccess; | 472 return SECSuccess; |
422 } | 473 } |
423 | 474 |
| 475 /* |
| 476 ** Take an encoded key share and make a public key out of it. |
| 477 ** returns NULL on error. |
| 478 */ |
| 479 SECKEYPublicKey * |
| 480 tls13_ImportECDHKeyShare(sslSocket *ss, SSL3Opaque *b, |
| 481 PRUint32 length, ECName curve) |
| 482 { |
| 483 PLArenaPool *arena = NULL; |
| 484 SECKEYPublicKey *peerKey = NULL; |
| 485 SECStatus rv; |
| 486 SECItem ecPoint = { siBuffer, NULL, 0 }; |
| 487 |
| 488 PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); |
| 489 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| 490 |
| 491 rv = ssl3_ConsumeHandshakeVariable(ss, &ecPoint, 1, &b, &length); |
| 492 if (rv != SECSuccess) { |
| 493 tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_ECDHE_KEY_SHARE, |
| 494 illegal_parameter); |
| 495 return NULL; |
| 496 } |
| 497 if (length || !ecPoint.len) { |
| 498 tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_ECDHE_KEY_SHARE, |
| 499 illegal_parameter); |
| 500 return NULL; |
| 501 } |
| 502 |
| 503 /* Fail if the ec point uses compressed representation */ |
| 504 if (ecPoint.data[0] != EC_POINT_FORM_UNCOMPRESSED) { |
| 505 tls13_FatalError(ss, SEC_ERROR_UNSUPPORTED_EC_POINT_FORM, |
| 506 illegal_parameter); |
| 507 return NULL; |
| 508 } |
| 509 |
| 510 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); |
| 511 if (arena == NULL) { |
| 512 goto no_memory; |
| 513 } |
| 514 |
| 515 peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey); |
| 516 if (peerKey == NULL) { |
| 517 goto no_memory; |
| 518 } |
| 519 |
| 520 peerKey->arena = arena; |
| 521 peerKey->keyType = ecKey; |
| 522 /* Set up the encoded params */ |
| 523 rv = ssl3_ECName2Params(arena, curve, &peerKey->u.ec.DEREncodedParams); |
| 524 if (rv != SECSuccess) { |
| 525 goto no_memory; |
| 526 } |
| 527 |
| 528 /* copy publicValue in peerKey */ |
| 529 if (SECITEM_CopyItem(arena, &peerKey->u.ec.publicValue, &ecPoint) != |
| 530 SECSuccess) { |
| 531 goto no_memory; |
| 532 } |
| 533 peerKey->pkcs11Slot = NULL; |
| 534 peerKey->pkcs11ID = CK_INVALID_HANDLE; |
| 535 |
| 536 return peerKey; |
| 537 |
| 538 no_memory: /* no-memory error has already been set. */ |
| 539 PORT_FreeArena(arena, PR_FALSE); |
| 540 ssl_MapLowLevelError(SSL_ERROR_RX_MALFORMED_ECDHE_KEY_SHARE); |
| 541 return NULL; |
| 542 } |
| 543 |
| 544 PK11SymKey * |
| 545 tls13_ComputeECDHSharedKey(sslSocket *ss, |
| 546 SECKEYPrivateKey *myPrivKey, |
| 547 SECKEYPublicKey *peerKey) |
| 548 { |
| 549 PK11SymKey *shared; |
| 550 |
| 551 /* Determine the PMS */ |
| 552 shared = PK11_PubDeriveWithKDF(myPrivKey, peerKey, PR_FALSE, NULL, NULL, |
| 553 CKM_ECDH1_DERIVE, |
| 554 tls13_GetHkdfMechanism(ss), CKA_DERIVE, 0, |
| 555 CKD_NULL, NULL, NULL); |
| 556 |
| 557 if (!shared) { |
| 558 ssl_MapLowLevelError(SSL_ERROR_KEY_EXCHANGE_FAILURE); |
| 559 return NULL; |
| 560 } |
| 561 |
| 562 return shared; |
| 563 } |
| 564 |
424 ECName | 565 ECName |
425 ssl3_GetCurveWithECKeyStrength(PRUint32 curvemsk, int requiredECCbits) | 566 ssl3_GetCurveWithECKeyStrength(PRUint32 curvemsk, int requiredECCbits) |
426 { | 567 { |
427 int i; | 568 int i; |
428 | 569 |
429 for ( i = 0; bits2curve[i].curve != ec_noName; i++) { | 570 for (i = 0; bits2curve[i].curve != ec_noName; i++) { |
430 if (bits2curve[i].bits < requiredECCbits) | 571 if (bits2curve[i].bits < requiredECCbits) |
431 continue; | 572 continue; |
432 if (SSL_IS_CURVE_NEGOTIATED(curvemsk, bits2curve[i].curve)) { | 573 if (SSL_IS_CURVE_NEGOTIATED(curvemsk, bits2curve[i].curve)) { |
433 return bits2curve[i].curve; | 574 return bits2curve[i].curve; |
434 } | 575 } |
435 } | 576 } |
436 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP); | 577 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP); |
437 return ec_noName; | 578 return ec_noName; |
438 } | 579 } |
439 | 580 |
440 /* find the "weakest link". Get strength of signature key and of sym key. | 581 /* find the "weakest link". Get strength of signature key and of sym key. |
441 * choose curve for the weakest of those two. | 582 * choose curve for the weakest of those two. |
442 */ | 583 */ |
443 ECName | 584 ECName |
444 ssl3_GetCurveNameForServerSocket(sslSocket *ss) | 585 ssl3_GetCurveNameForServerSocket(sslSocket *ss) |
445 { | 586 { |
446 SECKEYPublicKey * svrPublicKey = NULL; | 587 SECKEYPublicKey *svrPublicKey = NULL; |
447 ECName ec_curve = ec_noName; | 588 ECName ec_curve = ec_noName; |
448 int signatureKeyStrength = 521; | 589 int signatureKeyStrength = 521; |
449 int requiredECCbits = ss->sec.secretKeyBits * 2; | 590 int requiredECCbits = ss->sec.secretKeyBits * 2; |
450 | 591 |
451 if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa) { | 592 if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa) { |
452 svrPublicKey = SSL_GET_SERVER_PUBLIC_KEY(ss, kt_ecdh); | 593 svrPublicKey = SSL_GET_SERVER_PUBLIC_KEY(ss, kt_ecdh); |
453 if (svrPublicKey) | 594 if (svrPublicKey) |
454 ec_curve = params2ecName(&svrPublicKey->u.ec.DEREncodedParams); | 595 ec_curve = ssl3_PubKey2ECName(svrPublicKey); |
455 if (!SSL_IS_CURVE_NEGOTIATED(ss->ssl3.hs.negotiatedECCurves, ec_curve))
{ | 596 if (!SSL_IS_CURVE_NEGOTIATED(ss->ssl3.hs.negotiatedECCurves, ec_curve))
{ |
456 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP); | 597 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP); |
457 return ec_noName; | 598 return ec_noName; |
458 } | 599 } |
459 signatureKeyStrength = curve2bits[ ec_curve ]; | 600 signatureKeyStrength = curve2bits[ec_curve]; |
460 } else { | 601 } else { |
461 /* RSA is our signing cert */ | 602 /* RSA is our signing cert */ |
462 int serverKeyStrengthInBits; | 603 int serverKeyStrengthInBits; |
463 | 604 |
464 svrPublicKey = SSL_GET_SERVER_PUBLIC_KEY(ss, kt_rsa); | 605 svrPublicKey = SSL_GET_SERVER_PUBLIC_KEY(ss, kt_rsa); |
465 if (!svrPublicKey) { | 606 if (!svrPublicKey) { |
466 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP); | 607 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP); |
467 return ec_noName; | 608 return ec_noName; |
468 } | 609 } |
469 | 610 |
470 /* currently strength in bytes */ | 611 /* currently strength in bytes */ |
471 serverKeyStrengthInBits = svrPublicKey->u.rsa.modulus.len; | 612 serverKeyStrengthInBits = svrPublicKey->u.rsa.modulus.len; |
472 if (svrPublicKey->u.rsa.modulus.data[0] == 0) { | 613 if (svrPublicKey->u.rsa.modulus.data[0] == 0) { |
473 serverKeyStrengthInBits--; | 614 serverKeyStrengthInBits--; |
474 } | 615 } |
475 /* convert to strength in bits */ | 616 /* convert to strength in bits */ |
476 serverKeyStrengthInBits *= BPB; | 617 serverKeyStrengthInBits *= BPB; |
477 | 618 |
478 signatureKeyStrength = | 619 signatureKeyStrength = |
479 SSL_RSASTRENGTH_TO_ECSTRENGTH(serverKeyStrengthInBits); | 620 SSL_RSASTRENGTH_TO_ECSTRENGTH(serverKeyStrengthInBits); |
480 } | 621 } |
481 if ( requiredECCbits > signatureKeyStrength ) | 622 if (requiredECCbits > signatureKeyStrength) |
482 requiredECCbits = signatureKeyStrength; | 623 requiredECCbits = signatureKeyStrength; |
483 | 624 |
484 return ssl3_GetCurveWithECKeyStrength(ss->ssl3.hs.negotiatedECCurves, | 625 return ssl3_GetCurveWithECKeyStrength(ss->ssl3.hs.negotiatedECCurves, |
485 requiredECCbits); | 626 requiredECCbits); |
486 } | 627 } |
487 | 628 |
488 /* function to clear out the lists */ | 629 /* function to clear out the lists */ |
489 static SECStatus | 630 static SECStatus |
490 ssl3_ShutdownECDHECurves(void *appData, void *nssData) | 631 ssl3_ShutdownECDHECurves(void *appData, void *nssData) |
491 { | 632 { |
492 int i; | 633 int i; |
493 ECDHEKeyPair *keyPair = &gECDHEKeyPairs[0]; | 634 ECDHEKeyPair *keyPair = &gECDHEKeyPairs[0]; |
494 | 635 |
495 for (i=0; i < ec_pastLastName; i++, keyPair++) { | 636 for (i = 0; i < ec_pastLastName; i++, keyPair++) { |
496 if (keyPair->pair) { | 637 if (keyPair->pair) { |
497 ssl3_FreeKeyPair(keyPair->pair); | 638 ssl3_FreeKeyPair(keyPair->pair); |
498 } | 639 } |
499 } | 640 } |
500 memset(gECDHEKeyPairs, 0, sizeof gECDHEKeyPairs); | 641 memset(gECDHEKeyPairs, 0, sizeof gECDHEKeyPairs); |
501 return SECSuccess; | 642 return SECSuccess; |
502 } | 643 } |
503 | 644 |
504 static PRStatus | 645 static PRStatus |
505 ssl3_ECRegister(void) | 646 ssl3_ECRegister(void) |
506 { | 647 { |
507 SECStatus rv; | 648 SECStatus rv; |
508 rv = NSS_RegisterShutdown(ssl3_ShutdownECDHECurves, gECDHEKeyPairs); | 649 rv = NSS_RegisterShutdown(ssl3_ShutdownECDHECurves, gECDHEKeyPairs); |
509 if (rv != SECSuccess) { | 650 if (rv != SECSuccess) { |
510 gECDHEKeyPairs[ec_noName].error = PORT_GetError(); | 651 gECDHEKeyPairs[ec_noName].error = PORT_GetError(); |
511 } | 652 } |
512 return (PRStatus)rv; | 653 return (PRStatus)rv; |
513 } | 654 } |
514 | 655 |
515 /* Create an ECDHE key pair for a given curve */ | 656 /* Create an ECDHE key pair for a given curve */ |
516 static SECStatus | 657 SECStatus |
517 ssl3_CreateECDHEphemeralKeyPair(ECName ec_curve, ssl3KeyPair** keyPair) | 658 ssl3_CreateECDHEphemeralKeyPair(ECName ec_curve, ssl3KeyPair **keyPair) |
518 { | 659 { |
519 SECKEYPrivateKey * privKey = NULL; | 660 SECKEYPrivateKey *privKey = NULL; |
520 SECKEYPublicKey * pubKey = NULL; | 661 SECKEYPublicKey *pubKey = NULL; |
521 SECKEYECParams ecParams = { siBuffer, NULL, 0 }; | 662 SECKEYECParams ecParams = { siBuffer, NULL, 0 }; |
522 | 663 |
523 if (ssl3_ECName2Params(NULL, ec_curve, &ecParams) != SECSuccess) { | 664 if (ssl3_ECName2Params(NULL, ec_curve, &ecParams) != SECSuccess) { |
524 return SECFailure; | 665 return SECFailure; |
525 } | 666 } |
526 privKey = SECKEY_CreateECPrivateKey(&ecParams, &pubKey, NULL); | 667 privKey = SECKEY_CreateECPrivateKey(&ecParams, &pubKey, NULL); |
527 SECITEM_FreeItem(&ecParams, PR_FALSE); | 668 SECITEM_FreeItem(&ecParams, PR_FALSE); |
528 | 669 |
529 if (!privKey || !pubKey || !(*keyPair = ssl3_NewKeyPair(privKey, pubKey))) { | 670 if (!privKey || !pubKey || !(*keyPair = ssl3_NewKeyPair(privKey, pubKey))) { |
530 if (privKey) { | 671 if (privKey) { |
531 SECKEY_DestroyPrivateKey(privKey); | 672 SECKEY_DestroyPrivateKey(privKey); |
532 } | 673 } |
533 if (pubKey) { | 674 if (pubKey) { |
534 SECKEY_DestroyPublicKey(pubKey); | 675 SECKEY_DestroyPublicKey(pubKey); |
535 } | 676 } |
536 ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL); | 677 ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL); |
537 return SECFailure; | 678 return SECFailure; |
538 } | 679 } |
539 | 680 |
540 return SECSuccess; | 681 return SECSuccess; |
541 } | 682 } |
542 | 683 |
543 /* CallOnce function, called once for each named curve. */ | 684 /* CallOnce function, called once for each named curve. */ |
544 static PRStatus | 685 static PRStatus |
545 ssl3_CreateECDHEphemeralKeyPairOnce(void * arg) | 686 ssl3_CreateECDHEphemeralKeyPairOnce(void *arg) |
546 { | 687 { |
547 ECName ec_curve = (ECName)arg; | 688 ECName ec_curve = (ECName)arg; |
548 ssl3KeyPair * keyPair = NULL; | 689 ssl3KeyPair *keyPair = NULL; |
549 | 690 |
550 PORT_Assert(gECDHEKeyPairs[ec_curve].pair == NULL); | 691 PORT_Assert(gECDHEKeyPairs[ec_curve].pair == NULL); |
551 | 692 |
552 /* ok, no one has generated a global key for this curve yet, do so */ | 693 /* ok, no one has generated a global key for this curve yet, do so */ |
553 if (ssl3_CreateECDHEphemeralKeyPair(ec_curve, &keyPair) != SECSuccess) { | 694 if (ssl3_CreateECDHEphemeralKeyPair(ec_curve, &keyPair) != SECSuccess) { |
554 gECDHEKeyPairs[ec_curve].error = PORT_GetError(); | 695 gECDHEKeyPairs[ec_curve].error = PORT_GetError(); |
555 return PR_FAILURE; | 696 return PR_FAILURE; |
556 } | 697 } |
557 | 698 |
558 gECDHEKeyPairs[ec_curve].pair = keyPair; | 699 gECDHEKeyPairs[ec_curve].pair = keyPair; |
559 return PR_SUCCESS; | 700 return PR_SUCCESS; |
560 } | 701 } |
561 | 702 |
562 /* | 703 /* |
563 * Creates the ephemeral public and private ECDH keys used by | 704 * Creates the ephemeral public and private ECDH keys used by |
564 * server in ECDHE_RSA and ECDHE_ECDSA handshakes. | 705 * server in ECDHE_RSA and ECDHE_ECDSA handshakes. |
565 * For now, the elliptic curve is chosen to be the same | 706 * For now, the elliptic curve is chosen to be the same |
566 * strength as the signing certificate (ECC or RSA). | 707 * strength as the signing certificate (ECC or RSA). |
567 * We need an API to specify the curve. This won't be a real | 708 * We need an API to specify the curve. This won't be a real |
568 * issue until we further develop server-side support for ECC | 709 * issue until we further develop server-side support for ECC |
569 * cipher suites. | 710 * cipher suites. |
570 */ | 711 */ |
571 static SECStatus | 712 static SECStatus |
572 ssl3_CreateECDHEphemeralKeys(sslSocket *ss, ECName ec_curve) | 713 ssl3_CreateECDHEphemeralKeys(sslSocket *ss, ECName ec_curve) |
573 { | 714 { |
574 ssl3KeyPair * keyPair = NULL; | 715 ssl3KeyPair *keyPair = NULL; |
575 | 716 |
576 /* if there's no global key for this curve, make one. */ | 717 /* if there's no global key for this curve, make one. */ |
577 if (gECDHEKeyPairs[ec_curve].pair == NULL) { | 718 if (gECDHEKeyPairs[ec_curve].pair == NULL) { |
578 PRStatus status; | 719 PRStatus status; |
579 | 720 |
580 status = PR_CallOnce(&gECDHEKeyPairs[ec_noName].once, ssl3_ECRegister); | 721 status = PR_CallOnce(&gECDHEKeyPairs[ec_noName].once, ssl3_ECRegister); |
581 if (status != PR_SUCCESS) { | 722 if (status != PR_SUCCESS) { |
582 PORT_SetError(gECDHEKeyPairs[ec_noName].error); | 723 PORT_SetError(gECDHEKeyPairs[ec_noName].error); |
583 return SECFailure; | 724 return SECFailure; |
584 } | 725 } |
(...skipping 11 matching lines...) Expand all Loading... |
596 if (!keyPair) | 737 if (!keyPair) |
597 return SECFailure; | 738 return SECFailure; |
598 ss->ephemeralECDHKeyPair = ssl3_GetKeyPairRef(keyPair); | 739 ss->ephemeralECDHKeyPair = ssl3_GetKeyPairRef(keyPair); |
599 | 740 |
600 return SECSuccess; | 741 return SECSuccess; |
601 } | 742 } |
602 | 743 |
603 SECStatus | 744 SECStatus |
604 ssl3_HandleECDHServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length) | 745 ssl3_HandleECDHServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
605 { | 746 { |
606 PLArenaPool * arena = NULL; | 747 PLArenaPool *arena = NULL; |
607 SECKEYPublicKey *peerKey = NULL; | 748 SECKEYPublicKey *peerKey = NULL; |
608 PRBool isTLS, isTLS12; | 749 PRBool isTLS, isTLS12; |
609 SECStatus rv; | 750 SECStatus rv; |
610 int errCode = SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH; | 751 int errCode = SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH; |
611 SSL3AlertDescription desc = illegal_parameter; | 752 SSL3AlertDescription desc = illegal_parameter; |
612 SSL3Hashes hashes; | 753 SSL3Hashes hashes; |
613 SECItem signature = {siBuffer, NULL, 0}; | 754 SECItem signature = { siBuffer, NULL, 0 }; |
614 | 755 |
615 SECItem ec_params = {siBuffer, NULL, 0}; | 756 SECItem ec_params = { siBuffer, NULL, 0 }; |
616 SECItem ec_point = {siBuffer, NULL, 0}; | 757 SECItem ec_point = { siBuffer, NULL, 0 }; |
617 unsigned char paramBuf[3]; /* only for curve_type == named_curve */ | 758 unsigned char paramBuf[3]; /* only for curve_type == named_curve */ |
618 SSLSignatureAndHashAlg sigAndHash; | 759 SSLSignatureAndHashAlg sigAndHash; |
619 | 760 |
620 sigAndHash.hashAlg = ssl_hash_none; | 761 sigAndHash.hashAlg = ssl_hash_none; |
621 | 762 |
622 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); | 763 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); |
623 isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); | 764 isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); |
624 | 765 |
625 /* XXX This works only for named curves, revisit this when | 766 /* XXX This works only for named curves, revisit this when |
626 * we support generic curves. | 767 * we support generic curves. |
627 */ | 768 */ |
628 ec_params.len = sizeof paramBuf; | 769 ec_params.len = sizeof paramBuf; |
629 ec_params.data = paramBuf; | 770 ec_params.data = paramBuf; |
630 rv = ssl3_ConsumeHandshake(ss, ec_params.data, ec_params.len, &b, &length); | 771 rv = ssl3_ConsumeHandshake(ss, ec_params.data, ec_params.len, &b, &length); |
631 if (rv != SECSuccess) { | 772 if (rv != SECSuccess) { |
632 goto loser; /* malformed. */ | 773 goto loser; /* malformed. */ |
633 } | 774 } |
634 | 775 |
635 /* Fail if the curve is not a named curve */ | 776 /* Fail if the curve is not a named curve */ |
636 if ((ec_params.data[0] != ec_type_named) || | 777 if ((ec_params.data[0] != ec_type_named) || |
637 (ec_params.data[1] != 0) || | 778 (ec_params.data[1] != 0) || |
638 !supportedCurve(ec_params.data[2])) { | 779 !supportedCurve(ec_params.data[2])) { |
639 errCode = SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE; | 780 errCode = SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE; |
640 desc = handshake_failure; | 781 desc = handshake_failure; |
641 goto alert_loser; | 782 goto alert_loser; |
642 } | 783 } |
643 | 784 |
644 rv = ssl3_ConsumeHandshakeVariable(ss, &ec_point, 1, &b, &length); | 785 rv = ssl3_ConsumeHandshakeVariable(ss, &ec_point, 1, &b, &length); |
645 if (rv != SECSuccess) { | 786 if (rv != SECSuccess) { |
646 goto loser; /* malformed. */ | 787 goto loser; /* malformed. */ |
647 } | 788 } |
648 /* Fail if the ec point uses compressed representation */ | 789 /* Fail if the ec point uses compressed representation */ |
649 if (ec_point.data[0] != EC_POINT_FORM_UNCOMPRESSED) { | 790 if (ec_point.data[0] != EC_POINT_FORM_UNCOMPRESSED) { |
650 errCode = SEC_ERROR_UNSUPPORTED_EC_POINT_FORM; | 791 errCode = SEC_ERROR_UNSUPPORTED_EC_POINT_FORM; |
651 desc = handshake_failure; | 792 desc = handshake_failure; |
652 goto alert_loser; | 793 goto alert_loser; |
653 } | 794 } |
654 | 795 |
655 if (isTLS12) { | 796 if (isTLS12) { |
656 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length, | 797 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length, |
657 &sigAndHash); | 798 &sigAndHash); |
658 if (rv != SECSuccess) { | 799 if (rv != SECSuccess) { |
659 goto loser; /* malformed or unsupported. */ | 800 goto loser; /* malformed or unsupported. */ |
660 } | 801 } |
661 rv = ssl3_CheckSignatureAndHashAlgorithmConsistency( | 802 rv = ssl3_CheckSignatureAndHashAlgorithmConsistency( |
662 ss, &sigAndHash, ss->sec.peerCert); | 803 ss, &sigAndHash, ss->sec.peerCert); |
663 if (rv != SECSuccess) { | 804 if (rv != SECSuccess) { |
664 goto loser; | 805 goto loser; |
665 } | 806 } |
666 } | 807 } |
667 | 808 |
668 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length); | 809 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length); |
669 if (rv != SECSuccess) { | 810 if (rv != SECSuccess) { |
670 goto loser; /* malformed. */ | 811 goto loser; /* malformed. */ |
671 } | 812 } |
672 | 813 |
673 if (length != 0) { | 814 if (length != 0) { |
674 if (isTLS) | 815 if (isTLS) |
675 desc = decode_error; | 816 desc = decode_error; |
676 goto alert_loser; /* malformed. */ | 817 goto alert_loser; /* malformed. */ |
677 } | 818 } |
678 | 819 |
679 PRINT_BUF(60, (NULL, "Server EC params", ec_params.data, | 820 PRINT_BUF(60, (NULL, "Server EC params", ec_params.data, |
680 ec_params.len)); | 821 ec_params.len)); |
681 PRINT_BUF(60, (NULL, "Server EC point", ec_point.data, ec_point.len)); | 822 PRINT_BUF(60, (NULL, "Server EC point", ec_point.data, ec_point.len)); |
682 | 823 |
683 /* failures after this point are not malformed handshakes. */ | 824 /* failures after this point are not malformed handshakes. */ |
684 /* TLS: send decrypt_error if signature failed. */ | 825 /* TLS: send decrypt_error if signature failed. */ |
685 desc = isTLS ? decrypt_error : handshake_failure; | 826 desc = isTLS ? decrypt_error : handshake_failure; |
686 | 827 |
687 /* | 828 /* |
688 * check to make sure the hash is signed by right guy | 829 * check to make sure the hash is signed by right guy |
689 */ | 830 */ |
690 rv = ssl3_ComputeECDHKeyHash(sigAndHash.hashAlg, ec_params, ec_point, | 831 rv = ssl3_ComputeECDHKeyHash(sigAndHash.hashAlg, ec_params, ec_point, |
691 &ss->ssl3.hs.client_random, | 832 &ss->ssl3.hs.client_random, |
692 &ss->ssl3.hs.server_random, | 833 &ss->ssl3.hs.server_random, |
693 &hashes, ss->opt.bypassPKCS11); | 834 &hashes, ss->opt.bypassPKCS11); |
694 | 835 |
695 if (rv != SECSuccess) { | 836 if (rv != SECSuccess) { |
696 errCode = | 837 errCode = |
697 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); | 838 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); |
698 goto alert_loser; | 839 goto alert_loser; |
699 } | 840 } |
700 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature, | 841 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature, |
701 isTLS, ss->pkcs11PinArg); | 842 isTLS, ss->pkcs11PinArg); |
702 if (rv != SECSuccess) { | 843 if (rv != SECSuccess) { |
703 errCode = | 844 errCode = |
704 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); | 845 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); |
705 goto alert_loser; | 846 goto alert_loser; |
706 } | 847 } |
707 | 848 |
708 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | 849 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); |
709 if (arena == NULL) { | 850 if (arena == NULL) { |
710 goto no_memory; | 851 goto no_memory; |
711 } | 852 } |
712 | 853 |
713 peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey); | 854 peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey); |
714 if (peerKey == NULL) { | 855 if (peerKey == NULL) { |
715 goto no_memory; | 856 goto no_memory; |
716 } | 857 } |
717 | 858 |
718 peerKey->arena = arena; | 859 peerKey->arena = arena; |
719 peerKey->keyType = ecKey; | 860 peerKey->keyType = ecKey; |
720 | 861 |
721 /* set up EC parameters in peerKey */ | 862 /* set up EC parameters in peerKey */ |
722 if (ssl3_ECName2Params(arena, ec_params.data[2], | 863 if (ssl3_ECName2Params(arena, ec_params.data[2], |
723 &peerKey->u.ec.DEREncodedParams) != SECSuccess) { | 864 &peerKey->u.ec.DEREncodedParams) != |
| 865 SECSuccess) { |
724 /* we should never get here since we already | 866 /* we should never get here since we already |
725 * checked that we are dealing with a supported curve | 867 * checked that we are dealing with a supported curve |
726 */ | 868 */ |
727 errCode = SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE; | 869 errCode = SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE; |
728 goto alert_loser; | 870 goto alert_loser; |
729 } | 871 } |
730 | 872 |
731 /* copy publicValue in peerKey */ | 873 /* copy publicValue in peerKey */ |
732 if (SECITEM_CopyItem(arena, &peerKey->u.ec.publicValue, &ec_point)) | 874 if (SECITEM_CopyItem(arena, &peerKey->u.ec.publicValue, &ec_point)) { |
733 { | |
734 goto no_memory; | 875 goto no_memory; |
735 } | 876 } |
736 peerKey->pkcs11Slot = NULL; | 877 peerKey->pkcs11Slot = NULL; |
737 peerKey->pkcs11ID = CK_INVALID_HANDLE; | 878 peerKey->pkcs11ID = CK_INVALID_HANDLE; |
738 | 879 |
739 ss->sec.peerKey = peerKey; | 880 ss->sec.peerKey = peerKey; |
740 ss->ssl3.hs.ws = wait_cert_request; | 881 ss->ssl3.hs.ws = wait_cert_request; |
741 | 882 |
742 return SECSuccess; | 883 return SECSuccess; |
743 | 884 |
744 alert_loser: | 885 alert_loser: |
745 (void)SSL3_SendAlert(ss, alert_fatal, desc); | 886 (void)SSL3_SendAlert(ss, alert_fatal, desc); |
746 loser: | 887 loser: |
747 if (arena) { | 888 if (arena) { |
748 PORT_FreeArena(arena, PR_FALSE); | 889 PORT_FreeArena(arena, PR_FALSE); |
749 } | 890 } |
750 PORT_SetError( errCode ); | 891 PORT_SetError(errCode); |
751 return SECFailure; | 892 return SECFailure; |
752 | 893 |
753 no_memory: /* no-memory error has already been set. */ | 894 no_memory: /* no-memory error has already been set. */ |
754 if (arena) { | 895 if (arena) { |
755 PORT_FreeArena(arena, PR_FALSE); | 896 PORT_FreeArena(arena, PR_FALSE); |
756 } | 897 } |
757 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); | 898 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); |
758 return SECFailure; | 899 return SECFailure; |
759 } | 900 } |
760 | 901 |
761 SECStatus | 902 SECStatus |
762 ssl3_SendECDHServerKeyExchange( | 903 ssl3_SendECDHServerKeyExchange( |
763 sslSocket *ss, | 904 sslSocket *ss, |
764 const SSLSignatureAndHashAlg *sigAndHash) | 905 const SSLSignatureAndHashAlg *sigAndHash) |
765 { | 906 { |
766 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; | 907 const ssl3KEADef *kea_def = ss->ssl3.hs.kea_def; |
767 SECStatus rv = SECFailure; | 908 SECStatus rv = SECFailure; |
768 int length; | 909 int length; |
769 PRBool isTLS, isTLS12; | 910 PRBool isTLS, isTLS12; |
770 SECItem signed_hash = {siBuffer, NULL, 0}; | 911 SECItem signed_hash = { siBuffer, NULL, 0 }; |
771 SSL3Hashes hashes; | 912 SSL3Hashes hashes; |
772 | 913 |
773 SECKEYPublicKey * ecdhePub; | 914 SECKEYPublicKey *ecdhePub; |
774 SECItem ec_params = {siBuffer, NULL, 0}; | 915 SECItem ec_params = { siBuffer, NULL, 0 }; |
775 unsigned char paramBuf[3]; | 916 unsigned char paramBuf[3]; |
776 ECName curve; | 917 ECName curve; |
777 SSL3KEAType certIndex; | 918 SSL3KEAType certIndex; |
778 | 919 |
779 /* Generate ephemeral ECDH key pair and send the public key */ | 920 /* Generate ephemeral ECDH key pair and send the public key */ |
780 curve = ssl3_GetCurveNameForServerSocket(ss); | 921 curve = ssl3_GetCurveNameForServerSocket(ss); |
781 if (curve == ec_noName) { | 922 if (curve == ec_noName) { |
782 goto loser; | 923 goto loser; |
783 } | 924 } |
784 | 925 |
785 if (ss->opt.reuseServerECDHEKey) { | 926 if (ss->opt.reuseServerECDHEKey) { |
786 rv = ssl3_CreateECDHEphemeralKeys(ss, curve); | 927 rv = ssl3_CreateECDHEphemeralKeys(ss, curve); |
787 } else { | 928 } else { |
788 rv = ssl3_CreateECDHEphemeralKeyPair(curve, &ss->ephemeralECDHKeyPair); | 929 rv = ssl3_CreateECDHEphemeralKeyPair(curve, &ss->ephemeralECDHKeyPair); |
789 } | 930 } |
790 if (rv != SECSuccess) { | 931 if (rv != SECSuccess) { |
791 goto loser; | 932 goto loser; |
792 } | 933 } |
793 | 934 |
794 ecdhePub = ss->ephemeralECDHKeyPair->pubKey; | 935 ecdhePub = ss->ephemeralECDHKeyPair->pubKey; |
795 PORT_Assert(ecdhePub != NULL); | 936 PORT_Assert(ecdhePub != NULL); |
796 if (!ecdhePub) { | 937 if (!ecdhePub) { |
797 PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); | 938 PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); |
798 return SECFailure; | 939 return SECFailure; |
799 } | 940 } |
800 | 941 |
801 ec_params.len = sizeof paramBuf; | 942 ec_params.len = sizeof paramBuf; |
802 ec_params.data = paramBuf; | 943 ec_params.data = paramBuf; |
803 curve = params2ecName(&ecdhePub->u.ec.DEREncodedParams); | 944 curve = ssl3_PubKey2ECName(ecdhePub); |
804 if (curve != ec_noName) { | 945 if (curve != ec_noName) { |
805 ec_params.data[0] = ec_type_named; | 946 ec_params.data[0] = ec_type_named; |
806 ec_params.data[1] = 0x00; | 947 ec_params.data[1] = 0x00; |
807 ec_params.data[2] = curve; | 948 ec_params.data[2] = curve; |
808 } else { | 949 } else { |
809 PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); | 950 PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); |
810 goto loser; | 951 goto loser; |
811 } | 952 } |
812 | 953 |
813 rv = ssl3_ComputeECDHKeyHash(sigAndHash->hashAlg, | 954 rv = ssl3_ComputeECDHKeyHash(sigAndHash->hashAlg, |
(...skipping 15 matching lines...) Expand all Loading... |
829 * for now. | 970 * for now. |
830 */ | 971 */ |
831 if (kea_def->kea == kea_ecdhe_rsa) | 972 if (kea_def->kea == kea_ecdhe_rsa) |
832 certIndex = kt_rsa; | 973 certIndex = kt_rsa; |
833 else /* kea_def->kea == kea_ecdhe_ecdsa */ | 974 else /* kea_def->kea == kea_ecdhe_ecdsa */ |
834 certIndex = kt_ecdh; | 975 certIndex = kt_ecdh; |
835 | 976 |
836 rv = ssl3_SignHashes(&hashes, ss->serverCerts[certIndex].SERVERKEY, | 977 rv = ssl3_SignHashes(&hashes, ss->serverCerts[certIndex].SERVERKEY, |
837 &signed_hash, isTLS); | 978 &signed_hash, isTLS); |
838 if (rv != SECSuccess) { | 979 if (rv != SECSuccess) { |
839 goto loser; /* ssl3_SignHashes has set err. */ | 980 goto loser; /* ssl3_SignHashes has set err. */ |
840 } | 981 } |
841 if (signed_hash.data == NULL) { | 982 if (signed_hash.data == NULL) { |
842 /* how can this happen and rv == SECSuccess ?? */ | 983 /* how can this happen and rv == SECSuccess ?? */ |
843 PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); | 984 PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); |
844 goto loser; | 985 goto loser; |
845 } | 986 } |
846 | 987 |
847 length = ec_params.len + | 988 length = ec_params.len + |
848 1 + ecdhePub->u.ec.publicValue.len + | 989 1 + ecdhePub->u.ec.publicValue.len + |
849 (isTLS12 ? 2 : 0) + 2 + signed_hash.len; | 990 (isTLS12 ? 2 : 0) + 2 + signed_hash.len; |
850 | 991 |
851 rv = ssl3_AppendHandshakeHeader(ss, server_key_exchange, length); | 992 rv = ssl3_AppendHandshakeHeader(ss, server_key_exchange, length); |
852 if (rv != SECSuccess) { | 993 if (rv != SECSuccess) { |
853 goto loser; /* err set by AppendHandshake. */ | 994 goto loser; /* err set by AppendHandshake. */ |
854 } | 995 } |
855 | 996 |
856 rv = ssl3_AppendHandshake(ss, ec_params.data, ec_params.len); | 997 rv = ssl3_AppendHandshake(ss, ec_params.data, ec_params.len); |
857 if (rv != SECSuccess) { | 998 if (rv != SECSuccess) { |
858 goto loser; /* err set by AppendHandshake. */ | 999 goto loser; /* err set by AppendHandshake. */ |
859 } | 1000 } |
860 | 1001 |
861 rv = ssl3_AppendHandshakeVariable(ss, ecdhePub->u.ec.publicValue.data, | 1002 rv = ssl3_AppendHandshakeVariable(ss, ecdhePub->u.ec.publicValue.data, |
862 ecdhePub->u.ec.publicValue.len, 1); | 1003 ecdhePub->u.ec.publicValue.len, 1); |
863 if (rv != SECSuccess) { | 1004 if (rv != SECSuccess) { |
864 goto loser; /* err set by AppendHandshake. */ | 1005 goto loser; /* err set by AppendHandshake. */ |
865 } | 1006 } |
866 | 1007 |
867 if (isTLS12) { | 1008 if (isTLS12) { |
868 rv = ssl3_AppendSignatureAndHashAlgorithm(ss, sigAndHash); | 1009 rv = ssl3_AppendSignatureAndHashAlgorithm(ss, sigAndHash); |
869 if (rv != SECSuccess) { | 1010 if (rv != SECSuccess) { |
870 goto loser; /* err set by AppendHandshake. */ | 1011 goto loser; /* err set by AppendHandshake. */ |
871 } | 1012 } |
872 } | 1013 } |
873 | 1014 |
874 rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data, | 1015 rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data, |
875 signed_hash.len, 2); | 1016 signed_hash.len, 2); |
876 if (rv != SECSuccess) { | 1017 if (rv != SECSuccess) { |
877 goto loser; /* err set by AppendHandshake. */ | 1018 goto loser; /* err set by AppendHandshake. */ |
878 } | 1019 } |
879 | 1020 |
880 PORT_Free(signed_hash.data); | 1021 PORT_Free(signed_hash.data); |
881 return SECSuccess; | 1022 return SECSuccess; |
882 | 1023 |
883 loser: | 1024 loser: |
884 if (signed_hash.data != NULL) | 1025 if (signed_hash.data != NULL) |
885 PORT_Free(signed_hash.data); | 1026 PORT_Free(signed_hash.data); |
886 return SECFailure; | 1027 return SECFailure; |
887 } | 1028 } |
(...skipping 31 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
919 TLS_ECDH_RSA_WITH_RC4_128_SHA, | 1060 TLS_ECDH_RSA_WITH_RC4_128_SHA, |
920 0 /* end of list marker */ | 1061 0 /* end of list marker */ |
921 }; | 1062 }; |
922 | 1063 |
923 static const ssl3CipherSuite ecdhe_ecdsa_suites[] = { | 1064 static const ssl3CipherSuite ecdhe_ecdsa_suites[] = { |
924 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, | 1065 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, |
925 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, | 1066 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, |
926 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, | 1067 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, |
927 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, | 1068 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, |
928 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, | 1069 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, |
929 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, | 1070 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, |
930 TLS_ECDHE_ECDSA_WITH_NULL_SHA, | 1071 TLS_ECDHE_ECDSA_WITH_NULL_SHA, |
931 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, | 1072 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, |
932 0 /* end of list marker */ | 1073 0 /* end of list marker */ |
933 }; | 1074 }; |
934 | 1075 |
935 static const ssl3CipherSuite ecdhe_rsa_suites[] = { | 1076 static const ssl3CipherSuite ecdhe_rsa_suites[] = { |
936 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, | 1077 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, |
937 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, | 1078 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, |
938 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, | 1079 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, |
939 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, | 1080 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, |
940 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, | 1081 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, |
941 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, | 1082 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, |
942 TLS_ECDHE_RSA_WITH_NULL_SHA, | 1083 TLS_ECDHE_RSA_WITH_NULL_SHA, |
943 TLS_ECDHE_RSA_WITH_RC4_128_SHA, | 1084 TLS_ECDHE_RSA_WITH_RC4_128_SHA, |
944 0 /* end of list marker */ | 1085 0 /* end of list marker */ |
945 }; | 1086 }; |
946 | 1087 |
947 /* List of all ECC cipher suites */ | 1088 /* List of all ECC cipher suites */ |
948 static const ssl3CipherSuite ecSuites[] = { | 1089 static const ssl3CipherSuite ecSuites[] = { |
949 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, | 1090 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, |
950 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, | 1091 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, |
951 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, | 1092 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, |
952 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, | 1093 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, |
953 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, | 1094 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, |
954 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, | 1095 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, |
955 TLS_ECDHE_ECDSA_WITH_NULL_SHA, | 1096 TLS_ECDHE_ECDSA_WITH_NULL_SHA, |
956 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, | 1097 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, |
957 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, | 1098 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, |
958 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, | 1099 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, |
959 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, | 1100 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, |
960 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, | 1101 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, |
961 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, | 1102 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, |
962 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, | 1103 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, |
963 TLS_ECDHE_RSA_WITH_NULL_SHA, | 1104 TLS_ECDHE_RSA_WITH_NULL_SHA, |
964 TLS_ECDHE_RSA_WITH_RC4_128_SHA, | 1105 TLS_ECDHE_RSA_WITH_RC4_128_SHA, |
965 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, | 1106 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, |
966 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, | 1107 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, |
967 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, | 1108 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, |
968 TLS_ECDH_ECDSA_WITH_NULL_SHA, | 1109 TLS_ECDH_ECDSA_WITH_NULL_SHA, |
969 TLS_ECDH_ECDSA_WITH_RC4_128_SHA, | 1110 TLS_ECDH_ECDSA_WITH_RC4_128_SHA, |
970 TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, | 1111 TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, |
971 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, | 1112 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, |
972 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, | 1113 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, |
973 TLS_ECDH_RSA_WITH_NULL_SHA, | 1114 TLS_ECDH_RSA_WITH_NULL_SHA, |
974 TLS_ECDH_RSA_WITH_RC4_128_SHA, | 1115 TLS_ECDH_RSA_WITH_RC4_128_SHA, |
975 0 /* end of list marker */ | 1116 0 /* end of list marker */ |
976 }; | 1117 }; |
977 | 1118 |
978 /* On this socket, Disable the ECC cipher suites in the argument's list */ | 1119 /* On this socket, Disable the ECC cipher suites in the argument's list */ |
979 SECStatus | 1120 SECStatus |
980 ssl3_DisableECCSuites(sslSocket * ss, const ssl3CipherSuite * suite) | 1121 ssl3_DisableECCSuites(sslSocket *ss, const ssl3CipherSuite *suite) |
981 { | 1122 { |
982 if (!suite) | 1123 if (!suite) |
983 suite = ecSuites; | 1124 suite = ecSuites; |
984 for (; *suite; ++suite) { | 1125 for (; *suite; ++suite) { |
985 PORT_CheckSuccess(ssl3_CipherPrefSet(ss, *suite, PR_FALSE)); | 1126 PORT_CheckSuccess(ssl3_CipherPrefSet(ss, *suite, PR_FALSE)); |
986 } | 1127 } |
987 return SECSuccess; | 1128 return SECSuccess; |
988 } | 1129 } |
989 | 1130 |
990 /* Look at the server certs configured on this socket, and disable any | 1131 /* Look at the server certs configured on this socket, and disable any |
991 * ECC cipher suites that are not supported by those certs. | 1132 * ECC cipher suites that are not supported by those certs. |
992 */ | 1133 */ |
993 void | 1134 void |
994 ssl3_FilterECCipherSuitesByServerCerts(sslSocket * ss) | 1135 ssl3_FilterECCipherSuitesByServerCerts(sslSocket *ss) |
995 { | 1136 { |
996 CERTCertificate * svrCert; | 1137 CERTCertificate *svrCert; |
997 | 1138 |
998 svrCert = ss->serverCerts[kt_rsa].serverCert; | 1139 svrCert = ss->serverCerts[kt_rsa].serverCert; |
999 if (!svrCert) { | 1140 if (!svrCert) { |
1000 ssl3_DisableECCSuites(ss, ecdhe_rsa_suites); | 1141 ssl3_DisableECCSuites(ss, ecdhe_rsa_suites); |
1001 } | 1142 } |
1002 | 1143 |
1003 svrCert = ss->serverCerts[kt_ecdh].serverCert; | 1144 svrCert = ss->serverCerts[kt_ecdh].serverCert; |
1004 if (!svrCert) { | 1145 if (!svrCert) { |
1005 ssl3_DisableECCSuites(ss, ecdh_suites); | 1146 ssl3_DisableECCSuites(ss, ecdh_suites); |
1006 ssl3_DisableECCSuites(ss, ecdhe_ecdsa_suites); | 1147 ssl3_DisableECCSuites(ss, ecdhe_ecdsa_suites); |
1007 } else { | 1148 } else { |
1008 SECOidTag sigTag = SECOID_GetAlgorithmTag(&svrCert->signature); | 1149 SECOidTag sigTag = SECOID_GetAlgorithmTag(&svrCert->signature); |
1009 | 1150 |
1010 switch (sigTag) { | 1151 switch (sigTag) { |
1011 case SEC_OID_PKCS1_RSA_ENCRYPTION: | 1152 case SEC_OID_PKCS1_RSA_ENCRYPTION: |
1012 case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION: | 1153 case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION: |
1013 case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION: | 1154 case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION: |
1014 case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION: | 1155 case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION: |
1015 case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION: | 1156 case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION: |
1016 case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION: | 1157 case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION: |
1017 case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION: | 1158 case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION: |
1018 case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION: | 1159 case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION: |
1019 case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION: | 1160 case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION: |
1020 ssl3_DisableECCSuites(ss, ecdh_ecdsa_suites); | 1161 ssl3_DisableECCSuites(ss, ecdh_ecdsa_suites); |
1021 break; | 1162 break; |
1022 case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE: | 1163 case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE: |
1023 case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE: | 1164 case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE: |
1024 case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE: | 1165 case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE: |
1025 case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE: | 1166 case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE: |
1026 case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE: | 1167 case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE: |
1027 case SEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGEST: | 1168 case SEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGEST: |
1028 case SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST: | 1169 case SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST: |
1029 ssl3_DisableECCSuites(ss, ecdh_rsa_suites); | 1170 ssl3_DisableECCSuites(ss, ecdh_rsa_suites); |
1030 break; | 1171 break; |
1031 default: | 1172 default: |
1032 ssl3_DisableECCSuites(ss, ecdh_suites); | 1173 ssl3_DisableECCSuites(ss, ecdh_suites); |
1033 break; | 1174 break; |
1034 } | 1175 } |
1035 } | 1176 } |
1036 } | 1177 } |
1037 | 1178 |
1038 /* Ask: is ANY ECC cipher suite enabled on this socket? */ | 1179 /* Ask: is ANY ECC cipher suite enabled on this socket? */ |
1039 /* Order(N^2). Yuk. Also, this ignores export policy. */ | 1180 /* Order(N^2). Yuk. Also, this ignores export policy. */ |
1040 PRBool | 1181 PRBool |
1041 ssl3_IsECCEnabled(sslSocket * ss) | 1182 ssl3_IsECCEnabled(sslSocket *ss) |
1042 { | 1183 { |
1043 const ssl3CipherSuite * suite; | 1184 const ssl3CipherSuite *suite; |
1044 PK11SlotInfo *slot; | 1185 PK11SlotInfo *slot; |
1045 | 1186 |
1046 /* make sure we can do ECC */ | 1187 /* make sure we can do ECC */ |
1047 slot = PK11_GetBestSlot(CKM_ECDH1_DERIVE, ss->pkcs11PinArg); | 1188 slot = PK11_GetBestSlot(CKM_ECDH1_DERIVE, ss->pkcs11PinArg); |
1048 if (!slot) { | 1189 if (!slot) { |
1049 return PR_FALSE; | 1190 return PR_FALSE; |
1050 } | 1191 } |
1051 PK11_FreeSlot(slot); | 1192 PK11_FreeSlot(slot); |
1052 | 1193 |
1053 /* make sure an ECC cipher is enabled */ | 1194 /* make sure an ECC cipher is enabled */ |
1054 for (suite = ecSuites; *suite; ++suite) { | 1195 for (suite = ecSuites; *suite; ++suite) { |
1055 PRBool enabled = PR_FALSE; | 1196 PRBool enabled = PR_FALSE; |
1056 SECStatus rv = ssl3_CipherPrefGet(ss, *suite, &enabled); | 1197 SECStatus rv = ssl3_CipherPrefGet(ss, *suite, &enabled); |
1057 | 1198 |
1058 PORT_Assert(rv == SECSuccess); /* else is coding error */ | 1199 PORT_Assert(rv == SECSuccess); /* else is coding error */ |
1059 if (rv == SECSuccess && enabled) | 1200 if (rv == SECSuccess && enabled) |
1060 return PR_TRUE; | 1201 return PR_TRUE; |
1061 } | 1202 } |
1062 return PR_FALSE; | 1203 return PR_FALSE; |
1063 } | 1204 } |
1064 | 1205 |
1065 #define BE(n) 0, n | 1206 #define BE(n) 0, n |
1066 | 1207 |
1067 /* Prefabricated TLS client hello extension, Elliptic Curves List, | 1208 /* Prefabricated TLS client hello extension, Elliptic Curves List, |
1068 * offers only 3 curves, the Suite B curves, 23-25 | 1209 * offers only 3 curves, the Suite B curves, 23-25 |
1069 */ | 1210 */ |
1070 static const PRUint8 suiteBECList[12] = { | 1211 static const PRUint8 suiteBECList[] = { |
1071 BE(10), /* Extension type */ | 1212 23, 24, 25 |
1072 BE( 8), /* octets that follow ( 3 pairs + 1 length pair) */ | |
1073 BE( 6), /* octets that follow ( 3 pairs) */ | |
1074 BE(23), BE(24), BE(25) | |
1075 }; | 1213 }; |
1076 | 1214 |
1077 /* Prefabricated TLS client hello extension, Elliptic Curves List, | 1215 /* Prefabricated TLS client hello extension, Elliptic Curves List, |
1078 * offers curves 1-25. | 1216 * offers curves 1-25. |
1079 */ | 1217 */ |
1080 static const PRUint8 tlsECList[56] = { | 1218 /* clang-format off */ |
1081 BE(10), /* Extension type */ | 1219 static const PRUint8 tlsECList[] = { |
1082 BE(52), /* octets that follow (25 pairs + 1 length pair) */ | 1220 1, 2, 3, 4, 5, 6, 7, 8, |
1083 BE(50), /* octets that follow (25 pairs) */ | 1221 9, 10, 11, 12, 13, 14, 15, 16, |
1084 BE( 1), BE( 2), BE( 3), BE( 4), BE( 5), BE( 6), BE( 7), | 1222 17, 18, 19, 20, 21, 22, 23, 24, |
1085 BE( 8), BE( 9), BE(10), BE(11), BE(12), BE(13), BE(14), BE(15), | 1223 25 |
1086 BE(16), BE(17), BE(18), BE(19), BE(20), BE(21), BE(22), BE(23), | |
1087 BE(24), BE(25) | |
1088 }; | 1224 }; |
| 1225 /* clang-format on */ |
1089 | 1226 |
1090 static const PRUint8 ecPtFmt[6] = { | 1227 static const PRUint8 ecPtFmt[6] = { |
1091 BE(11), /* Extension type */ | 1228 BE(11), /* Extension type */ |
1092 BE( 2), /* octets that follow */ | 1229 BE(2), /* octets that follow */ |
1093 1, /* octets that follow */ | 1230 1, /* octets that follow */ |
1094 0 /* uncompressed type only */ | 1231 0 /* uncompressed type only */ |
1095 }; | 1232 }; |
1096 | 1233 |
1097 /* This function already presumes we can do ECC, ssl3_IsECCEnabled must be | 1234 /* This function already presumes we can do ECC, ssl3_IsECCEnabled must be |
1098 * called before this function. It looks to see if we have a token which | 1235 * called before this function. It looks to see if we have a token which |
1099 * is capable of doing smaller than SuiteB curves. If the token can, we | 1236 * is capable of doing smaller than SuiteB curves. If the token can, we |
1100 * presume the token can do the whole SSL suite of curves. If it can't we | 1237 * presume the token can do the whole SSL suite of curves. If it can't we |
1101 * presume the token that allowed ECC to be enabled can only do suite B | 1238 * presume the token that allowed ECC to be enabled can only do suite B |
1102 * curves. */ | 1239 * curves. */ |
1103 static PRBool | 1240 static PRBool |
1104 ssl3_SuiteBOnly(sslSocket *ss) | 1241 ssl3_SuiteBOnly(sslSocket *ss) |
1105 { | 1242 { |
1106 #if 0 | |
1107 /* See if we can support small curves (like 163). If not, assume we can | 1243 /* See if we can support small curves (like 163). If not, assume we can |
1108 * only support Suite-B curves (P-256, P-384, P-521). */ | 1244 * only support Suite-B curves (P-256, P-384, P-521). */ |
1109 PK11SlotInfo *slot = | 1245 PK11SlotInfo *slot = |
1110 PK11_GetBestSlotWithAttributes(CKM_ECDH1_DERIVE, 0, 163, | 1246 PK11_GetBestSlotWithAttributes(CKM_ECDH1_DERIVE, 0, 163, |
1111 ss ? ss->pkcs11PinArg : NULL); | 1247 ss ? ss->pkcs11PinArg : NULL); |
1112 | 1248 |
1113 if (!slot) { | 1249 if (!slot) { |
1114 /* nope, presume we can only do suite B */ | 1250 /* nope, presume we can only do suite B */ |
1115 return PR_TRUE; | 1251 return PR_TRUE; |
1116 } | 1252 } |
1117 /* we can, presume we can do all curves */ | 1253 /* we can, presume we can do all curves */ |
1118 PK11_FreeSlot(slot); | 1254 PK11_FreeSlot(slot); |
1119 return PR_FALSE; | 1255 return PR_FALSE; |
1120 #else | |
1121 return PR_TRUE; | |
1122 #endif | |
1123 } | 1256 } |
1124 | 1257 |
| 1258 #define APPEND_CURVE(CURVE_ID) \ |
| 1259 if ((NSS_GetAlgorithmPolicy(ecName2OIDTag[CURVE_ID], &policy) == \ |
| 1260 SECFailure) || \ |
| 1261 (policy & NSS_USE_ALG_IN_SSL_KX)) { \ |
| 1262 enabledCurves[pos++] = 0; \ |
| 1263 enabledCurves[pos++] = CURVE_ID; \ |
| 1264 } |
| 1265 |
1125 /* Send our "canned" (precompiled) Supported Elliptic Curves extension, | 1266 /* Send our "canned" (precompiled) Supported Elliptic Curves extension, |
1126 * which says that we support all TLS-defined named curves. | 1267 * which says that we support all TLS-defined named curves. |
1127 */ | 1268 */ |
1128 PRInt32 | 1269 PRInt32 |
1129 ssl3_SendSupportedCurvesXtn( | 1270 ssl3_SendSupportedCurvesXtn( |
1130 sslSocket * ss, | 1271 sslSocket *ss, |
1131 PRBool append, | 1272 PRBool append, |
1132 PRUint32 maxBytes) | 1273 PRUint32 maxBytes) |
1133 { | 1274 { |
| 1275 unsigned char enabledCurves[64]; |
| 1276 PRUint32 policy; |
| 1277 PRInt32 extension_length; |
1134 PRInt32 ecListSize = 0; | 1278 PRInt32 ecListSize = 0; |
1135 const PRUint8 *ecList = NULL; | 1279 unsigned int pos = 0; |
| 1280 unsigned int i; |
1136 | 1281 |
1137 if (!ss || !ssl3_IsECCEnabled(ss)) | 1282 if (!ss || !ssl3_IsECCEnabled(ss)) |
1138 return 0; | 1283 return 0; |
1139 | 1284 |
| 1285 PORT_Assert(sizeof(enabledCurves) > sizeof(tlsECList) * 2); |
1140 if (ssl3_SuiteBOnly(ss)) { | 1286 if (ssl3_SuiteBOnly(ss)) { |
1141 ecListSize = sizeof suiteBECList; | 1287 for (i = 0; i < sizeof(suiteBECList); i++) { |
1142 ecList = suiteBECList; | 1288 APPEND_CURVE(suiteBECList[i]); |
| 1289 } |
| 1290 ecListSize = pos; |
1143 } else { | 1291 } else { |
1144 ecListSize = sizeof tlsECList; | 1292 for (i = 0; i < sizeof(tlsECList); i++) { |
1145 ecList = tlsECList; | 1293 APPEND_CURVE(tlsECList[i]); |
| 1294 } |
| 1295 ecListSize = pos; |
| 1296 } |
| 1297 extension_length = |
| 1298 2 /* extension type */ + |
| 1299 2 /* extension length */ + |
| 1300 2 /* elliptic curves length */ + |
| 1301 ecListSize; |
| 1302 |
| 1303 if (maxBytes < (PRUint32)extension_length) { |
| 1304 return 0; |
1146 } | 1305 } |
1147 | 1306 |
1148 if (maxBytes < (PRUint32)ecListSize) { | |
1149 return 0; | |
1150 } | |
1151 if (append) { | 1307 if (append) { |
1152 SECStatus rv = ssl3_AppendHandshake(ss, ecList, ecListSize); | 1308 SECStatus rv; |
| 1309 rv = ssl3_AppendHandshakeNumber(ss, ssl_elliptic_curves_xtn, 2); |
| 1310 if (rv != SECSuccess) |
| 1311 return -1; |
| 1312 rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); |
| 1313 if (rv != SECSuccess) |
| 1314 return -1; |
| 1315 rv = ssl3_AppendHandshakeVariable(ss, enabledCurves, ecListSize, 2); |
1153 if (rv != SECSuccess) | 1316 if (rv != SECSuccess) |
1154 return -1; | 1317 return -1; |
1155 if (!ss->sec.isServer) { | 1318 if (!ss->sec.isServer) { |
1156 TLSExtensionData *xtnData = &ss->xtnData; | 1319 TLSExtensionData *xtnData = &ss->xtnData; |
1157 xtnData->advertised[xtnData->numAdvertised++] = | 1320 xtnData->advertised[xtnData->numAdvertised++] = |
1158 ssl_elliptic_curves_xtn; | 1321 ssl_elliptic_curves_xtn; |
1159 } | 1322 } |
1160 } | 1323 } |
1161 return ecListSize; | 1324 return extension_length; |
1162 } | 1325 } |
1163 | 1326 |
1164 PRUint32 | 1327 PRUint32 |
1165 ssl3_GetSupportedECCurveMask(sslSocket *ss) | 1328 ssl3_GetSupportedECCurveMask(sslSocket *ss) |
1166 { | 1329 { |
| 1330 int i; |
| 1331 PRUint32 curves = 0; |
| 1332 PRUint32 policyFlags = 0; |
| 1333 |
| 1334 PORT_Assert(ec_pastLastName < sizeof(PRUint32) * 8); |
| 1335 |
1167 if (ssl3_SuiteBOnly(ss)) { | 1336 if (ssl3_SuiteBOnly(ss)) { |
1168 return SSL3_SUITE_B_SUPPORTED_CURVES_MASK; | 1337 curves = SSL3_SUITE_B_SUPPORTED_CURVES_MASK; |
| 1338 } else { |
| 1339 curves = SSL3_ALL_SUPPORTED_CURVES_MASK; |
1169 } | 1340 } |
1170 return SSL3_ALL_SUPPORTED_CURVES_MASK; | 1341 |
| 1342 for (i = ec_noName + 1; i < ec_pastLastName; i++) { |
| 1343 PRUint32 curve_bit = (1U << i); |
| 1344 if ((curves & curve_bit) && |
| 1345 (NSS_GetAlgorithmPolicy(ecName2OIDTag[i], &policyFlags) == |
| 1346 SECSuccess) && |
| 1347 !(policyFlags & NSS_USE_ALG_IN_SSL_KX)) { |
| 1348 curves &= ~curve_bit; |
| 1349 } |
| 1350 } |
| 1351 return curves; |
1171 } | 1352 } |
1172 | 1353 |
1173 /* Send our "canned" (precompiled) Supported Point Formats extension, | 1354 /* Send our "canned" (precompiled) Supported Point Formats extension, |
1174 * which says that we only support uncompressed points. | 1355 * which says that we only support uncompressed points. |
1175 */ | 1356 */ |
1176 PRInt32 | 1357 PRInt32 |
1177 ssl3_SendSupportedPointFormatsXtn( | 1358 ssl3_SendSupportedPointFormatsXtn( |
1178 sslSocket * ss, | 1359 sslSocket *ss, |
1179 PRBool append, | 1360 PRBool append, |
1180 PRUint32 maxBytes) | 1361 PRUint32 maxBytes) |
1181 { | 1362 { |
1182 if (!ss || !ssl3_IsECCEnabled(ss)) | 1363 if (!ss || !ssl3_IsECCEnabled(ss)) |
1183 return 0; | 1364 return 0; |
1184 if (append && maxBytes >= (sizeof ecPtFmt)) { | 1365 if (append && maxBytes >= (sizeof ecPtFmt)) { |
1185 SECStatus rv = ssl3_AppendHandshake(ss, ecPtFmt, (sizeof ecPtFmt)); | 1366 SECStatus rv = ssl3_AppendHandshake(ss, ecPtFmt, (sizeof ecPtFmt)); |
1186 if (rv != SECSuccess) | 1367 if (rv != SECSuccess) |
1187 return -1; | 1368 return -1; |
1188 if (!ss->sec.isServer) { | 1369 if (!ss->sec.isServer) { |
1189 TLSExtensionData *xtnData = &ss->xtnData; | 1370 TLSExtensionData *xtnData = &ss->xtnData; |
1190 xtnData->advertised[xtnData->numAdvertised++] = | 1371 xtnData->advertised[xtnData->numAdvertised++] = |
1191 ssl_ec_point_formats_xtn; | 1372 ssl_ec_point_formats_xtn; |
1192 } | 1373 } |
1193 } | 1374 } |
1194 return (sizeof ecPtFmt); | 1375 return (sizeof ecPtFmt); |
1195 } | 1376 } |
1196 | 1377 |
1197 /* Just make sure that the remote client supports uncompressed points, | 1378 /* Just make sure that the remote client supports uncompressed points, |
1198 * Since that is all we support. Disable ECC cipher suites if it doesn't. | 1379 * Since that is all we support. Disable ECC cipher suites if it doesn't. |
1199 */ | 1380 */ |
1200 SECStatus | 1381 SECStatus |
1201 ssl3_HandleSupportedPointFormatsXtn(sslSocket *ss, PRUint16 ex_type, | 1382 ssl3_HandleSupportedPointFormatsXtn(sslSocket *ss, PRUint16 ex_type, |
1202 SECItem *data) | 1383 SECItem *data) |
1203 { | 1384 { |
1204 int i; | 1385 int i; |
1205 | 1386 |
1206 if (data->len < 2 || data->len > 255 || !data->data || | 1387 if (data->len < 2 || data->len > 255 || !data->data || |
1207 data->len != (unsigned int)data->data[0] + 1) { | 1388 data->len != (unsigned int)data->data[0] + 1) { |
1208 return ssl3_DecodeError(ss); | 1389 return ssl3_DecodeError(ss); |
1209 } | 1390 } |
1210 for (i = data->len; --i > 0; ) { | 1391 for (i = data->len; --i > 0;) { |
1211 if (data->data[i] == 0) { | 1392 if (data->data[i] == 0) { |
1212 /* indicate that we should send a reply */ | 1393 /* indicate that we should send a reply */ |
1213 SECStatus rv; | 1394 SECStatus rv; |
1214 rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type, | 1395 rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type, |
1215 &ssl3_SendSupportedPointFormatsXtn); | 1396 &ssl3_SendSupportedPoin
tFormatsXtn); |
1216 return rv; | 1397 return rv; |
1217 } | 1398 } |
1218 } | 1399 } |
1219 | 1400 |
1220 /* evil client doesn't support uncompressed */ | 1401 /* evil client doesn't support uncompressed */ |
1221 ssl3_DisableECCSuites(ss, ecSuites); | 1402 ssl3_DisableECCSuites(ss, ecSuites); |
1222 return SECSuccess; | 1403 return SECSuccess; |
1223 } | 1404 } |
1224 | 1405 |
1225 | 1406 #define SSL3_GET_SERVER_PUBLICKEY(sock, type)
\ |
1226 #define SSL3_GET_SERVER_PUBLICKEY(sock, type) \ | 1407 (ss->serverCerts[type].serverKeyPair ? ss->serverCerts[type].serverKeyPair->
pubKey \ |
1227 (ss->serverCerts[type].serverKeyPair ? \ | 1408 : NULL) |
1228 ss->serverCerts[type].serverKeyPair->pubKey : NULL) | |
1229 | 1409 |
1230 /* Extract the TLS curve name for the public key in our EC server cert. */ | 1410 /* Extract the TLS curve name for the public key in our EC server cert. */ |
1231 ECName ssl3_GetSvrCertCurveName(sslSocket *ss) | 1411 ECName |
| 1412 ssl3_GetSvrCertCurveName(sslSocket *ss) |
1232 { | 1413 { |
1233 SECKEYPublicKey *srvPublicKey; | 1414 SECKEYPublicKey *srvPublicKey; |
1234 ECName ec_curve = ec_noName; | 1415 ECName ec_curve = ec_noName; |
1235 | 1416 |
1236 srvPublicKey = SSL3_GET_SERVER_PUBLICKEY(ss, kt_ecdh); | 1417 srvPublicKey = SSL3_GET_SERVER_PUBLICKEY(ss, kt_ecdh); |
1237 if (srvPublicKey) { | 1418 if (srvPublicKey) { |
1238 ec_curve = params2ecName(&srvPublicKey->u.ec.DEREncodedParams); | 1419 ec_curve = ssl3_PubKey2ECName(srvPublicKey); |
1239 } | 1420 } |
1240 return ec_curve; | 1421 return ec_curve; |
1241 } | 1422 } |
1242 | 1423 |
1243 /* Ensure that the curve in our server cert is one of the ones supported | 1424 /* Ensure that the curve in our server cert is one of the ones supported |
1244 * by the remote client, and disable all ECC cipher suites if not. | 1425 * by the remote client, and disable all ECC cipher suites if not. |
1245 */ | 1426 */ |
1246 SECStatus | 1427 SECStatus |
1247 ssl3_HandleSupportedCurvesXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) | 1428 ssl3_HandleSupportedCurvesXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) |
1248 { | 1429 { |
1249 PRInt32 list_len; | 1430 PRInt32 list_len; |
1250 PRUint32 peerCurves = 0; | 1431 PRUint32 peerCurves = 0; |
1251 PRUint32 mutualCurves = 0; | 1432 PRUint32 mutualCurves = 0; |
1252 PRUint16 svrCertCurveName; | 1433 PRUint16 svrCertCurveName; |
1253 | 1434 |
1254 if (!data->data || data->len < 4) { | 1435 if (!data->data || data->len < 4) { |
1255 (void)ssl3_DecodeError(ss); | 1436 (void)ssl3_DecodeError(ss); |
1256 return SECFailure; | 1437 return SECFailure; |
1257 } | 1438 } |
1258 | 1439 |
1259 /* get the length of elliptic_curve_list */ | 1440 /* get the length of elliptic_curve_list */ |
1260 list_len = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len); | 1441 list_len = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len); |
1261 if (list_len < 0 || data->len != list_len || (data->len % 2) != 0) { | 1442 if (list_len < 0 || data->len != list_len || (data->len % 2) != 0) { |
1262 (void)ssl3_DecodeError(ss); | 1443 (void)ssl3_DecodeError(ss); |
1263 return SECFailure; | 1444 return SECFailure; |
1264 } | 1445 } |
1265 /* build bit vector of peer's supported curve names */ | 1446 /* build bit vector of peer's supported curve names */ |
1266 while (data->len) { | 1447 while (data->len) { |
1267 PRInt32 curve_name = | 1448 PRInt32 curve_name = |
1268 ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len); | 1449 ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len); |
1269 if (curve_name < 0) { | 1450 if (curve_name < 0) { |
1270 return SECFailure; /* fatal alert already sent */ | 1451 return SECFailure; /* fatal alert already sent */ |
1271 } | 1452 } |
1272 if (curve_name > ec_noName && curve_name < ec_pastLastName) { | 1453 if (curve_name > ec_noName && curve_name < ec_pastLastName) { |
1273 peerCurves |= (1U << curve_name); | 1454 peerCurves |= (1U << curve_name); |
1274 } | 1455 } |
1275 } | 1456 } |
1276 /* What curves do we support in common? */ | 1457 /* What curves do we support in common? */ |
1277 mutualCurves = ss->ssl3.hs.negotiatedECCurves &= peerCurves; | 1458 mutualCurves = ss->ssl3.hs.negotiatedECCurves &= peerCurves; |
1278 if (!mutualCurves) { | 1459 if (!mutualCurves) { |
(...skipping 12 matching lines...) Expand all Loading... |
1291 } | 1472 } |
1292 /* Our EC cert doesn't contain a mutually supported curve. | 1473 /* Our EC cert doesn't contain a mutually supported curve. |
1293 * Disable all ECC cipher suites that require an EC cert | 1474 * Disable all ECC cipher suites that require an EC cert |
1294 */ | 1475 */ |
1295 ssl3_DisableECCSuites(ss, ecdh_ecdsa_suites); | 1476 ssl3_DisableECCSuites(ss, ecdh_ecdsa_suites); |
1296 ssl3_DisableECCSuites(ss, ecdhe_ecdsa_suites); | 1477 ssl3_DisableECCSuites(ss, ecdhe_ecdsa_suites); |
1297 return SECSuccess; | 1478 return SECSuccess; |
1298 } | 1479 } |
1299 | 1480 |
1300 #endif /* NSS_DISABLE_ECC */ | 1481 #endif /* NSS_DISABLE_ECC */ |
OLD | NEW |