/security/nss/lib/ssl/ssl3ecc.c

http://github.com/zpao/v8monkey · C · 1194 lines · 892 code · 149 blank · 153 comment · 185 complexity · 38834139a6ba69e68c44cd32c0334d78 MD5 · raw file

  1. /*
  2. * SSL3 Protocol
  3. *
  4. * ***** BEGIN LICENSE BLOCK *****
  5. * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  6. *
  7. * The contents of this file are subject to the Mozilla Public License Version
  8. * 1.1 (the "License"); you may not use this file except in compliance with
  9. * the License. You may obtain a copy of the License at
  10. * http://www.mozilla.org/MPL/
  11. *
  12. * Software distributed under the License is distributed on an "AS IS" basis,
  13. * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
  14. * for the specific language governing rights and limitations under the
  15. * License.
  16. *
  17. * The Original Code is the Netscape security libraries.
  18. *
  19. * The Initial Developer of the Original Code is
  20. * Netscape Communications Corporation.
  21. * Portions created by the Initial Developer are Copyright (C) 1994-2000
  22. * the Initial Developer. All Rights Reserved.
  23. *
  24. * Contributor(s):
  25. * Dr Vipul Gupta <vipul.gupta@sun.com> and
  26. * Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
  27. *
  28. * Alternatively, the contents of this file may be used under the terms of
  29. * either the GNU General Public License Version 2 or later (the "GPL"), or
  30. * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
  31. * in which case the provisions of the GPL or the LGPL are applicable instead
  32. * of those above. If you wish to allow use of your version of this file only
  33. * under the terms of either the GPL or the LGPL, and not to allow others to
  34. * use your version of this file under the terms of the MPL, indicate your
  35. * decision by deleting the provisions above and replace them with the notice
  36. * and other provisions required by the GPL or the LGPL. If you do not delete
  37. * the provisions above, a recipient may use your version of this file under
  38. * the terms of any one of the MPL, the GPL or the LGPL.
  39. *
  40. * ***** END LICENSE BLOCK ***** */
  41. /* ECC code moved here from ssl3con.c */
  42. /* $Id: ssl3ecc.c,v 1.26 2012/02/13 17:19:40 kaie%kuix.de Exp $ */
  43. #include "nss.h"
  44. #include "cert.h"
  45. #include "ssl.h"
  46. #include "cryptohi.h" /* for DSAU_ stuff */
  47. #include "keyhi.h"
  48. #include "secder.h"
  49. #include "secitem.h"
  50. #include "sslimpl.h"
  51. #include "sslproto.h"
  52. #include "sslerr.h"
  53. #include "prtime.h"
  54. #include "prinrval.h"
  55. #include "prerror.h"
  56. #include "pratom.h"
  57. #include "prthread.h"
  58. #include "prinit.h"
  59. #include "pk11func.h"
  60. #include "secmod.h"
  61. #include "ec.h"
  62. #include "blapi.h"
  63. #include <stdio.h>
  64. #ifdef NSS_ENABLE_ECC
  65. #ifndef PK11_SETATTRS
  66. #define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \
  67. (x)->pValue=(v); (x)->ulValueLen = (l);
  68. #endif
  69. #define SSL_GET_SERVER_PUBLIC_KEY(sock, type) \
  70. (ss->serverCerts[type].serverKeyPair ? \
  71. ss->serverCerts[type].serverKeyPair->pubKey : NULL)
  72. #define SSL_IS_CURVE_NEGOTIATED(curvemsk, curveName) \
  73. ((curveName > ec_noName) && \
  74. (curveName < ec_pastLastName) && \
  75. ((1UL << curveName) & curvemsk) != 0)
  76. static SECStatus ssl3_CreateECDHEphemeralKeys(sslSocket *ss, ECName ec_curve);
  77. #define supportedCurve(x) (((x) > ec_noName) && ((x) < ec_pastLastName))
  78. /* Table containing OID tags for elliptic curves named in the
  79. * ECC-TLS IETF draft.
  80. */
  81. static const SECOidTag ecName2OIDTag[] = {
  82. 0,
  83. SEC_OID_SECG_EC_SECT163K1, /* 1 */
  84. SEC_OID_SECG_EC_SECT163R1, /* 2 */
  85. SEC_OID_SECG_EC_SECT163R2, /* 3 */
  86. SEC_OID_SECG_EC_SECT193R1, /* 4 */
  87. SEC_OID_SECG_EC_SECT193R2, /* 5 */
  88. SEC_OID_SECG_EC_SECT233K1, /* 6 */
  89. SEC_OID_SECG_EC_SECT233R1, /* 7 */
  90. SEC_OID_SECG_EC_SECT239K1, /* 8 */
  91. SEC_OID_SECG_EC_SECT283K1, /* 9 */
  92. SEC_OID_SECG_EC_SECT283R1, /* 10 */
  93. SEC_OID_SECG_EC_SECT409K1, /* 11 */
  94. SEC_OID_SECG_EC_SECT409R1, /* 12 */
  95. SEC_OID_SECG_EC_SECT571K1, /* 13 */
  96. SEC_OID_SECG_EC_SECT571R1, /* 14 */
  97. SEC_OID_SECG_EC_SECP160K1, /* 15 */
  98. SEC_OID_SECG_EC_SECP160R1, /* 16 */
  99. SEC_OID_SECG_EC_SECP160R2, /* 17 */
  100. SEC_OID_SECG_EC_SECP192K1, /* 18 */
  101. SEC_OID_SECG_EC_SECP192R1, /* 19 */
  102. SEC_OID_SECG_EC_SECP224K1, /* 20 */
  103. SEC_OID_SECG_EC_SECP224R1, /* 21 */
  104. SEC_OID_SECG_EC_SECP256K1, /* 22 */
  105. SEC_OID_SECG_EC_SECP256R1, /* 23 */
  106. SEC_OID_SECG_EC_SECP384R1, /* 24 */
  107. SEC_OID_SECG_EC_SECP521R1, /* 25 */
  108. };
  109. static const PRUint16 curve2bits[] = {
  110. 0, /* ec_noName = 0, */
  111. 163, /* ec_sect163k1 = 1, */
  112. 163, /* ec_sect163r1 = 2, */
  113. 163, /* ec_sect163r2 = 3, */
  114. 193, /* ec_sect193r1 = 4, */
  115. 193, /* ec_sect193r2 = 5, */
  116. 233, /* ec_sect233k1 = 6, */
  117. 233, /* ec_sect233r1 = 7, */
  118. 239, /* ec_sect239k1 = 8, */
  119. 283, /* ec_sect283k1 = 9, */
  120. 283, /* ec_sect283r1 = 10, */
  121. 409, /* ec_sect409k1 = 11, */
  122. 409, /* ec_sect409r1 = 12, */
  123. 571, /* ec_sect571k1 = 13, */
  124. 571, /* ec_sect571r1 = 14, */
  125. 160, /* ec_secp160k1 = 15, */
  126. 160, /* ec_secp160r1 = 16, */
  127. 160, /* ec_secp160r2 = 17, */
  128. 192, /* ec_secp192k1 = 18, */
  129. 192, /* ec_secp192r1 = 19, */
  130. 224, /* ec_secp224k1 = 20, */
  131. 224, /* ec_secp224r1 = 21, */
  132. 256, /* ec_secp256k1 = 22, */
  133. 256, /* ec_secp256r1 = 23, */
  134. 384, /* ec_secp384r1 = 24, */
  135. 521, /* ec_secp521r1 = 25, */
  136. 65535 /* ec_pastLastName */
  137. };
  138. typedef struct Bits2CurveStr {
  139. PRUint16 bits;
  140. ECName curve;
  141. } Bits2Curve;
  142. static const Bits2Curve bits2curve [] = {
  143. { 192, ec_secp192r1 /* = 19, fast */ },
  144. { 160, ec_secp160r2 /* = 17, fast */ },
  145. { 160, ec_secp160k1 /* = 15, */ },
  146. { 160, ec_secp160r1 /* = 16, */ },
  147. { 163, ec_sect163k1 /* = 1, */ },
  148. { 163, ec_sect163r1 /* = 2, */ },
  149. { 163, ec_sect163r2 /* = 3, */ },
  150. { 192, ec_secp192k1 /* = 18, */ },
  151. { 193, ec_sect193r1 /* = 4, */ },
  152. { 193, ec_sect193r2 /* = 5, */ },
  153. { 224, ec_secp224r1 /* = 21, fast */ },
  154. { 224, ec_secp224k1 /* = 20, */ },
  155. { 233, ec_sect233k1 /* = 6, */ },
  156. { 233, ec_sect233r1 /* = 7, */ },
  157. { 239, ec_sect239k1 /* = 8, */ },
  158. { 256, ec_secp256r1 /* = 23, fast */ },
  159. { 256, ec_secp256k1 /* = 22, */ },
  160. { 283, ec_sect283k1 /* = 9, */ },
  161. { 283, ec_sect283r1 /* = 10, */ },
  162. { 384, ec_secp384r1 /* = 24, fast */ },
  163. { 409, ec_sect409k1 /* = 11, */ },
  164. { 409, ec_sect409r1 /* = 12, */ },
  165. { 521, ec_secp521r1 /* = 25, fast */ },
  166. { 571, ec_sect571k1 /* = 13, */ },
  167. { 571, ec_sect571r1 /* = 14, */ },
  168. { 65535, ec_noName }
  169. };
  170. typedef struct ECDHEKeyPairStr {
  171. ssl3KeyPair * pair;
  172. int error; /* error code of the call-once function */
  173. PRCallOnceType once;
  174. } ECDHEKeyPair;
  175. /* arrays of ECDHE KeyPairs */
  176. static ECDHEKeyPair gECDHEKeyPairs[ec_pastLastName];
  177. SECStatus
  178. ssl3_ECName2Params(PRArenaPool * arena, ECName curve, SECKEYECParams * params)
  179. {
  180. SECOidData *oidData = NULL;
  181. if ((curve <= ec_noName) || (curve >= ec_pastLastName) ||
  182. ((oidData = SECOID_FindOIDByTag(ecName2OIDTag[curve])) == NULL)) {
  183. PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
  184. return SECFailure;
  185. }
  186. SECITEM_AllocItem(arena, params, (2 + oidData->oid.len));
  187. /*
  188. * params->data needs to contain the ASN encoding of an object ID (OID)
  189. * representing the named curve. The actual OID is in
  190. * oidData->oid.data so we simply prepend 0x06 and OID length
  191. */
  192. params->data[0] = SEC_ASN1_OBJECT_ID;
  193. params->data[1] = oidData->oid.len;
  194. memcpy(params->data + 2, oidData->oid.data, oidData->oid.len);
  195. return SECSuccess;
  196. }
  197. static ECName
  198. params2ecName(SECKEYECParams * params)
  199. {
  200. SECItem oid = { siBuffer, NULL, 0};
  201. SECOidData *oidData = NULL;
  202. ECName i;
  203. /*
  204. * params->data needs to contain the ASN encoding of an object ID (OID)
  205. * representing a named curve. Here, we strip away everything
  206. * before the actual OID and use the OID to look up a named curve.
  207. */
  208. if (params->data[0] != SEC_ASN1_OBJECT_ID) return ec_noName;
  209. oid.len = params->len - 2;
  210. oid.data = params->data + 2;
  211. if ((oidData = SECOID_FindOID(&oid)) == NULL) return ec_noName;
  212. for (i = ec_noName + 1; i < ec_pastLastName; i++) {
  213. if (ecName2OIDTag[i] == oidData->offset)
  214. return i;
  215. }
  216. return ec_noName;
  217. }
  218. /* Caller must set hiLevel error code. */
  219. static SECStatus
  220. ssl3_ComputeECDHKeyHash(SECItem ec_params, SECItem server_ecpoint,
  221. SSL3Random *client_rand, SSL3Random *server_rand,
  222. SSL3Hashes *hashes, PRBool bypassPKCS11)
  223. {
  224. PRUint8 * hashBuf;
  225. PRUint8 * pBuf;
  226. SECStatus rv = SECSuccess;
  227. unsigned int bufLen;
  228. /*
  229. * XXX For now, we only support named curves (the appropriate
  230. * checks are made before this method is called) so ec_params
  231. * takes up only two bytes. ECPoint needs to fit in 256 bytes
  232. * (because the spec says the length must fit in one byte)
  233. */
  234. PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 1 + 256];
  235. bufLen = 2*SSL3_RANDOM_LENGTH + ec_params.len + 1 + server_ecpoint.len;
  236. if (bufLen <= sizeof buf) {
  237. hashBuf = buf;
  238. } else {
  239. hashBuf = PORT_Alloc(bufLen);
  240. if (!hashBuf) {
  241. return SECFailure;
  242. }
  243. }
  244. memcpy(hashBuf, client_rand, SSL3_RANDOM_LENGTH);
  245. pBuf = hashBuf + SSL3_RANDOM_LENGTH;
  246. memcpy(pBuf, server_rand, SSL3_RANDOM_LENGTH);
  247. pBuf += SSL3_RANDOM_LENGTH;
  248. memcpy(pBuf, ec_params.data, ec_params.len);
  249. pBuf += ec_params.len;
  250. pBuf[0] = (PRUint8)(server_ecpoint.len);
  251. pBuf += 1;
  252. memcpy(pBuf, server_ecpoint.data, server_ecpoint.len);
  253. pBuf += server_ecpoint.len;
  254. PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen);
  255. rv = ssl3_ComputeCommonKeyHash(hashBuf, bufLen, hashes, bypassPKCS11);
  256. PRINT_BUF(95, (NULL, "ECDHkey hash: ", hashBuf, bufLen));
  257. PRINT_BUF(95, (NULL, "ECDHkey hash: MD5 result", hashes->md5, MD5_LENGTH));
  258. PRINT_BUF(95, (NULL, "ECDHkey hash: SHA1 result", hashes->sha, SHA1_LENGTH));
  259. if (hashBuf != buf)
  260. PORT_Free(hashBuf);
  261. return rv;
  262. }
  263. /* Called from ssl3_SendClientKeyExchange(). */
  264. SECStatus
  265. ssl3_SendECDHClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
  266. {
  267. PK11SymKey * pms = NULL;
  268. SECStatus rv = SECFailure;
  269. PRBool isTLS;
  270. CK_MECHANISM_TYPE target;
  271. SECKEYPublicKey *pubKey = NULL; /* Ephemeral ECDH key */
  272. SECKEYPrivateKey *privKey = NULL; /* Ephemeral ECDH key */
  273. PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
  274. PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
  275. isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
  276. /* Generate ephemeral EC keypair */
  277. if (svrPubKey->keyType != ecKey) {
  278. PORT_SetError(SEC_ERROR_BAD_KEY);
  279. goto loser;
  280. }
  281. /* XXX SHOULD CALL ssl3_CreateECDHEphemeralKeys here, instead! */
  282. privKey = SECKEY_CreateECPrivateKey(&svrPubKey->u.ec.DEREncodedParams,
  283. &pubKey, ss->pkcs11PinArg);
  284. if (!privKey || !pubKey) {
  285. ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
  286. rv = SECFailure;
  287. goto loser;
  288. }
  289. PRINT_BUF(50, (ss, "ECDH public value:",
  290. pubKey->u.ec.publicValue.data,
  291. pubKey->u.ec.publicValue.len));
  292. if (isTLS) target = CKM_TLS_MASTER_KEY_DERIVE_DH;
  293. else target = CKM_SSL3_MASTER_KEY_DERIVE_DH;
  294. /* Determine the PMS */
  295. pms = PK11_PubDeriveWithKDF(privKey, svrPubKey, PR_FALSE, NULL, NULL,
  296. CKM_ECDH1_DERIVE, target, CKA_DERIVE, 0,
  297. CKD_NULL, NULL, NULL);
  298. if (pms == NULL) {
  299. SSL3AlertDescription desc = illegal_parameter;
  300. (void)SSL3_SendAlert(ss, alert_fatal, desc);
  301. ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
  302. goto loser;
  303. }
  304. SECKEY_DestroyPrivateKey(privKey);
  305. privKey = NULL;
  306. rv = ssl3_InitPendingCipherSpec(ss, pms);
  307. PK11_FreeSymKey(pms); pms = NULL;
  308. if (rv != SECSuccess) {
  309. ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
  310. goto loser;
  311. }
  312. rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange,
  313. pubKey->u.ec.publicValue.len + 1);
  314. if (rv != SECSuccess) {
  315. goto loser; /* err set by ssl3_AppendHandshake* */
  316. }
  317. rv = ssl3_AppendHandshakeVariable(ss,
  318. pubKey->u.ec.publicValue.data,
  319. pubKey->u.ec.publicValue.len, 1);
  320. SECKEY_DestroyPublicKey(pubKey);
  321. pubKey = NULL;
  322. if (rv != SECSuccess) {
  323. goto loser; /* err set by ssl3_AppendHandshake* */
  324. }
  325. rv = SECSuccess;
  326. loser:
  327. if(pms) PK11_FreeSymKey(pms);
  328. if(privKey) SECKEY_DestroyPrivateKey(privKey);
  329. if(pubKey) SECKEY_DestroyPublicKey(pubKey);
  330. return rv;
  331. }
  332. /*
  333. ** Called from ssl3_HandleClientKeyExchange()
  334. */
  335. SECStatus
  336. ssl3_HandleECDHClientKeyExchange(sslSocket *ss, SSL3Opaque *b,
  337. PRUint32 length,
  338. SECKEYPublicKey *srvrPubKey,
  339. SECKEYPrivateKey *srvrPrivKey)
  340. {
  341. PK11SymKey * pms;
  342. SECStatus rv;
  343. SECKEYPublicKey clntPubKey;
  344. CK_MECHANISM_TYPE target;
  345. PRBool isTLS;
  346. PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
  347. PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
  348. clntPubKey.keyType = ecKey;
  349. clntPubKey.u.ec.DEREncodedParams.len =
  350. srvrPubKey->u.ec.DEREncodedParams.len;
  351. clntPubKey.u.ec.DEREncodedParams.data =
  352. srvrPubKey->u.ec.DEREncodedParams.data;
  353. rv = ssl3_ConsumeHandshakeVariable(ss, &clntPubKey.u.ec.publicValue,
  354. 1, &b, &length);
  355. if (rv != SECSuccess) {
  356. SEND_ALERT
  357. return SECFailure; /* XXX Who sets the error code?? */
  358. }
  359. isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
  360. if (isTLS) target = CKM_TLS_MASTER_KEY_DERIVE_DH;
  361. else target = CKM_SSL3_MASTER_KEY_DERIVE_DH;
  362. /* Determine the PMS */
  363. pms = PK11_PubDeriveWithKDF(srvrPrivKey, &clntPubKey, PR_FALSE, NULL, NULL,
  364. CKM_ECDH1_DERIVE, target, CKA_DERIVE, 0,
  365. CKD_NULL, NULL, NULL);
  366. if (pms == NULL) {
  367. /* last gasp. */
  368. ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
  369. return SECFailure;
  370. }
  371. rv = ssl3_InitPendingCipherSpec(ss, pms);
  372. PK11_FreeSymKey(pms);
  373. if (rv != SECSuccess) {
  374. SEND_ALERT
  375. return SECFailure; /* error code set by ssl3_InitPendingCipherSpec */
  376. }
  377. return SECSuccess;
  378. }
  379. ECName
  380. ssl3_GetCurveWithECKeyStrength(PRUint32 curvemsk, int requiredECCbits)
  381. {
  382. int i;
  383. for ( i = 0; bits2curve[i].curve != ec_noName; i++) {
  384. if (bits2curve[i].bits < requiredECCbits)
  385. continue;
  386. if (SSL_IS_CURVE_NEGOTIATED(curvemsk, bits2curve[i].curve)) {
  387. return bits2curve[i].curve;
  388. }
  389. }
  390. PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
  391. return ec_noName;
  392. }
  393. /* find the "weakest link". Get strength of signature key and of sym key.
  394. * choose curve for the weakest of those two.
  395. */
  396. ECName
  397. ssl3_GetCurveNameForServerSocket(sslSocket *ss)
  398. {
  399. SECKEYPublicKey * svrPublicKey = NULL;
  400. ECName ec_curve = ec_noName;
  401. int signatureKeyStrength = 521;
  402. int requiredECCbits = ss->sec.secretKeyBits * 2;
  403. if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa) {
  404. svrPublicKey = SSL_GET_SERVER_PUBLIC_KEY(ss, kt_ecdh);
  405. if (svrPublicKey)
  406. ec_curve = params2ecName(&svrPublicKey->u.ec.DEREncodedParams);
  407. if (!SSL_IS_CURVE_NEGOTIATED(ss->ssl3.hs.negotiatedECCurves, ec_curve)) {
  408. PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
  409. return ec_noName;
  410. }
  411. signatureKeyStrength = curve2bits[ ec_curve ];
  412. } else {
  413. /* RSA is our signing cert */
  414. int serverKeyStrengthInBits;
  415. svrPublicKey = SSL_GET_SERVER_PUBLIC_KEY(ss, kt_rsa);
  416. if (!svrPublicKey) {
  417. PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
  418. return ec_noName;
  419. }
  420. /* currently strength in bytes */
  421. serverKeyStrengthInBits = svrPublicKey->u.rsa.modulus.len;
  422. if (svrPublicKey->u.rsa.modulus.data[0] == 0) {
  423. serverKeyStrengthInBits--;
  424. }
  425. /* convert to strength in bits */
  426. serverKeyStrengthInBits *= BPB;
  427. signatureKeyStrength =
  428. SSL_RSASTRENGTH_TO_ECSTRENGTH(serverKeyStrengthInBits);
  429. }
  430. if ( requiredECCbits > signatureKeyStrength )
  431. requiredECCbits = signatureKeyStrength;
  432. return ssl3_GetCurveWithECKeyStrength(ss->ssl3.hs.negotiatedECCurves,
  433. requiredECCbits);
  434. }
  435. /* function to clear out the lists */
  436. static SECStatus
  437. ssl3_ShutdownECDHECurves(void *appData, void *nssData)
  438. {
  439. int i;
  440. ECDHEKeyPair *keyPair = &gECDHEKeyPairs[0];
  441. for (i=0; i < ec_pastLastName; i++, keyPair++) {
  442. if (keyPair->pair) {
  443. ssl3_FreeKeyPair(keyPair->pair);
  444. }
  445. }
  446. memset(gECDHEKeyPairs, 0, sizeof gECDHEKeyPairs);
  447. return SECSuccess;
  448. }
  449. static PRStatus
  450. ssl3_ECRegister(void)
  451. {
  452. SECStatus rv;
  453. rv = NSS_RegisterShutdown(ssl3_ShutdownECDHECurves, gECDHEKeyPairs);
  454. if (rv != SECSuccess) {
  455. gECDHEKeyPairs[ec_noName].error = PORT_GetError();
  456. }
  457. return (PRStatus)rv;
  458. }
  459. /* CallOnce function, called once for each named curve. */
  460. static PRStatus
  461. ssl3_CreateECDHEphemeralKeyPair(void * arg)
  462. {
  463. SECKEYPrivateKey * privKey = NULL;
  464. SECKEYPublicKey * pubKey = NULL;
  465. ssl3KeyPair * keyPair = NULL;
  466. ECName ec_curve = (ECName)arg;
  467. SECKEYECParams ecParams = { siBuffer, NULL, 0 };
  468. PORT_Assert(gECDHEKeyPairs[ec_curve].pair == NULL);
  469. /* ok, no one has generated a global key for this curve yet, do so */
  470. if (ssl3_ECName2Params(NULL, ec_curve, &ecParams) != SECSuccess) {
  471. gECDHEKeyPairs[ec_curve].error = PORT_GetError();
  472. return PR_FAILURE;
  473. }
  474. privKey = SECKEY_CreateECPrivateKey(&ecParams, &pubKey, NULL);
  475. SECITEM_FreeItem(&ecParams, PR_FALSE);
  476. if (!privKey || !pubKey || !(keyPair = ssl3_NewKeyPair(privKey, pubKey))) {
  477. if (privKey) {
  478. SECKEY_DestroyPrivateKey(privKey);
  479. }
  480. if (pubKey) {
  481. SECKEY_DestroyPublicKey(pubKey);
  482. }
  483. ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
  484. gECDHEKeyPairs[ec_curve].error = PORT_GetError();
  485. return PR_FAILURE;
  486. }
  487. gECDHEKeyPairs[ec_curve].pair = keyPair;
  488. return PR_SUCCESS;
  489. }
  490. /*
  491. * Creates the ephemeral public and private ECDH keys used by
  492. * server in ECDHE_RSA and ECDHE_ECDSA handshakes.
  493. * For now, the elliptic curve is chosen to be the same
  494. * strength as the signing certificate (ECC or RSA).
  495. * We need an API to specify the curve. This won't be a real
  496. * issue until we further develop server-side support for ECC
  497. * cipher suites.
  498. */
  499. static SECStatus
  500. ssl3_CreateECDHEphemeralKeys(sslSocket *ss, ECName ec_curve)
  501. {
  502. ssl3KeyPair * keyPair = NULL;
  503. /* if there's no global key for this curve, make one. */
  504. if (gECDHEKeyPairs[ec_curve].pair == NULL) {
  505. PRStatus status;
  506. status = PR_CallOnce(&gECDHEKeyPairs[ec_noName].once, ssl3_ECRegister);
  507. if (status != PR_SUCCESS) {
  508. PORT_SetError(gECDHEKeyPairs[ec_noName].error);
  509. return SECFailure;
  510. }
  511. status = PR_CallOnceWithArg(&gECDHEKeyPairs[ec_curve].once,
  512. ssl3_CreateECDHEphemeralKeyPair,
  513. (void *)ec_curve);
  514. if (status != PR_SUCCESS) {
  515. PORT_SetError(gECDHEKeyPairs[ec_curve].error);
  516. return SECFailure;
  517. }
  518. }
  519. keyPair = gECDHEKeyPairs[ec_curve].pair;
  520. PORT_Assert(keyPair != NULL);
  521. if (!keyPair)
  522. return SECFailure;
  523. ss->ephemeralECDHKeyPair = ssl3_GetKeyPairRef(keyPair);
  524. return SECSuccess;
  525. }
  526. SECStatus
  527. ssl3_HandleECDHServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
  528. {
  529. PRArenaPool * arena = NULL;
  530. SECKEYPublicKey *peerKey = NULL;
  531. PRBool isTLS;
  532. SECStatus rv;
  533. int errCode = SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH;
  534. SSL3AlertDescription desc = illegal_parameter;
  535. SSL3Hashes hashes;
  536. SECItem signature = {siBuffer, NULL, 0};
  537. SECItem ec_params = {siBuffer, NULL, 0};
  538. SECItem ec_point = {siBuffer, NULL, 0};
  539. unsigned char paramBuf[3]; /* only for curve_type == named_curve */
  540. isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
  541. /* XXX This works only for named curves, revisit this when
  542. * we support generic curves.
  543. */
  544. ec_params.len = sizeof paramBuf;
  545. ec_params.data = paramBuf;
  546. rv = ssl3_ConsumeHandshake(ss, ec_params.data, ec_params.len, &b, &length);
  547. if (rv != SECSuccess) {
  548. goto loser; /* malformed. */
  549. }
  550. /* Fail if the curve is not a named curve */
  551. if ((ec_params.data[0] != ec_type_named) ||
  552. (ec_params.data[1] != 0) ||
  553. !supportedCurve(ec_params.data[2])) {
  554. errCode = SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE;
  555. desc = handshake_failure;
  556. goto alert_loser;
  557. }
  558. rv = ssl3_ConsumeHandshakeVariable(ss, &ec_point, 1, &b, &length);
  559. if (rv != SECSuccess) {
  560. goto loser; /* malformed. */
  561. }
  562. /* Fail if the ec point uses compressed representation */
  563. if (ec_point.data[0] != EC_POINT_FORM_UNCOMPRESSED) {
  564. errCode = SEC_ERROR_UNSUPPORTED_EC_POINT_FORM;
  565. desc = handshake_failure;
  566. goto alert_loser;
  567. }
  568. rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length);
  569. if (rv != SECSuccess) {
  570. goto loser; /* malformed. */
  571. }
  572. if (length != 0) {
  573. if (isTLS)
  574. desc = decode_error;
  575. goto alert_loser; /* malformed. */
  576. }
  577. PRINT_BUF(60, (NULL, "Server EC params", ec_params.data,
  578. ec_params.len));
  579. PRINT_BUF(60, (NULL, "Server EC point", ec_point.data, ec_point.len));
  580. /* failures after this point are not malformed handshakes. */
  581. /* TLS: send decrypt_error if signature failed. */
  582. desc = isTLS ? decrypt_error : handshake_failure;
  583. /*
  584. * check to make sure the hash is signed by right guy
  585. */
  586. rv = ssl3_ComputeECDHKeyHash(ec_params, ec_point,
  587. &ss->ssl3.hs.client_random,
  588. &ss->ssl3.hs.server_random,
  589. &hashes, ss->opt.bypassPKCS11);
  590. if (rv != SECSuccess) {
  591. errCode =
  592. ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
  593. goto alert_loser;
  594. }
  595. rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature,
  596. isTLS, ss->pkcs11PinArg);
  597. if (rv != SECSuccess) {
  598. errCode =
  599. ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
  600. goto alert_loser;
  601. }
  602. arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
  603. if (arena == NULL) {
  604. goto no_memory;
  605. }
  606. ss->sec.peerKey = peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey);
  607. if (peerKey == NULL) {
  608. goto no_memory;
  609. }
  610. peerKey->arena = arena;
  611. peerKey->keyType = ecKey;
  612. /* set up EC parameters in peerKey */
  613. if (ssl3_ECName2Params(arena, ec_params.data[2],
  614. &peerKey->u.ec.DEREncodedParams) != SECSuccess) {
  615. /* we should never get here since we already
  616. * checked that we are dealing with a supported curve
  617. */
  618. errCode = SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE;
  619. goto alert_loser;
  620. }
  621. /* copy publicValue in peerKey */
  622. if (SECITEM_CopyItem(arena, &peerKey->u.ec.publicValue, &ec_point))
  623. {
  624. PORT_FreeArena(arena, PR_FALSE);
  625. goto no_memory;
  626. }
  627. peerKey->pkcs11Slot = NULL;
  628. peerKey->pkcs11ID = CK_INVALID_HANDLE;
  629. ss->sec.peerKey = peerKey;
  630. ss->ssl3.hs.ws = wait_cert_request;
  631. return SECSuccess;
  632. alert_loser:
  633. (void)SSL3_SendAlert(ss, alert_fatal, desc);
  634. loser:
  635. PORT_SetError( errCode );
  636. return SECFailure;
  637. no_memory: /* no-memory error has already been set. */
  638. ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
  639. return SECFailure;
  640. }
  641. SECStatus
  642. ssl3_SendECDHServerKeyExchange(sslSocket *ss)
  643. {
  644. const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def;
  645. SECStatus rv = SECFailure;
  646. int length;
  647. PRBool isTLS;
  648. SECItem signed_hash = {siBuffer, NULL, 0};
  649. SSL3Hashes hashes;
  650. SECKEYPublicKey * ecdhePub;
  651. SECItem ec_params = {siBuffer, NULL, 0};
  652. unsigned char paramBuf[3];
  653. ECName curve;
  654. SSL3KEAType certIndex;
  655. /* Generate ephemeral ECDH key pair and send the public key */
  656. curve = ssl3_GetCurveNameForServerSocket(ss);
  657. if (curve == ec_noName) {
  658. goto loser;
  659. }
  660. rv = ssl3_CreateECDHEphemeralKeys(ss, curve);
  661. if (rv != SECSuccess) {
  662. goto loser; /* err set by AppendHandshake. */
  663. }
  664. ecdhePub = ss->ephemeralECDHKeyPair->pubKey;
  665. PORT_Assert(ecdhePub != NULL);
  666. if (!ecdhePub) {
  667. PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
  668. return SECFailure;
  669. }
  670. ec_params.len = sizeof paramBuf;
  671. ec_params.data = paramBuf;
  672. curve = params2ecName(&ecdhePub->u.ec.DEREncodedParams);
  673. if (curve != ec_noName) {
  674. ec_params.data[0] = ec_type_named;
  675. ec_params.data[1] = 0x00;
  676. ec_params.data[2] = curve;
  677. } else {
  678. PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
  679. goto loser;
  680. }
  681. rv = ssl3_ComputeECDHKeyHash(ec_params, ecdhePub->u.ec.publicValue,
  682. &ss->ssl3.hs.client_random,
  683. &ss->ssl3.hs.server_random,
  684. &hashes, ss->opt.bypassPKCS11);
  685. if (rv != SECSuccess) {
  686. ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
  687. goto loser;
  688. }
  689. isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
  690. /* XXX SSLKEAType isn't really a good choice for
  691. * indexing certificates but that's all we have
  692. * for now.
  693. */
  694. if (kea_def->kea == kea_ecdhe_rsa)
  695. certIndex = kt_rsa;
  696. else /* kea_def->kea == kea_ecdhe_ecdsa */
  697. certIndex = kt_ecdh;
  698. rv = ssl3_SignHashes(&hashes, ss->serverCerts[certIndex].SERVERKEY,
  699. &signed_hash, isTLS);
  700. if (rv != SECSuccess) {
  701. goto loser; /* ssl3_SignHashes has set err. */
  702. }
  703. if (signed_hash.data == NULL) {
  704. /* how can this happen and rv == SECSuccess ?? */
  705. PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
  706. goto loser;
  707. }
  708. length = ec_params.len +
  709. 1 + ecdhePub->u.ec.publicValue.len +
  710. 2 + signed_hash.len;
  711. rv = ssl3_AppendHandshakeHeader(ss, server_key_exchange, length);
  712. if (rv != SECSuccess) {
  713. goto loser; /* err set by AppendHandshake. */
  714. }
  715. rv = ssl3_AppendHandshake(ss, ec_params.data, ec_params.len);
  716. if (rv != SECSuccess) {
  717. goto loser; /* err set by AppendHandshake. */
  718. }
  719. rv = ssl3_AppendHandshakeVariable(ss, ecdhePub->u.ec.publicValue.data,
  720. ecdhePub->u.ec.publicValue.len, 1);
  721. if (rv != SECSuccess) {
  722. goto loser; /* err set by AppendHandshake. */
  723. }
  724. rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data,
  725. signed_hash.len, 2);
  726. if (rv != SECSuccess) {
  727. goto loser; /* err set by AppendHandshake. */
  728. }
  729. PORT_Free(signed_hash.data);
  730. return SECSuccess;
  731. loser:
  732. if (signed_hash.data != NULL)
  733. PORT_Free(signed_hash.data);
  734. return SECFailure;
  735. }
  736. /* Lists of ECC cipher suites for searching and disabling. */
  737. static const ssl3CipherSuite ecdh_suites[] = {
  738. TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
  739. TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
  740. TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
  741. TLS_ECDH_ECDSA_WITH_NULL_SHA,
  742. TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
  743. TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
  744. TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
  745. TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
  746. TLS_ECDH_RSA_WITH_NULL_SHA,
  747. TLS_ECDH_RSA_WITH_RC4_128_SHA,
  748. 0 /* end of list marker */
  749. };
  750. static const ssl3CipherSuite ecdh_ecdsa_suites[] = {
  751. TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
  752. TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
  753. TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
  754. TLS_ECDH_ECDSA_WITH_NULL_SHA,
  755. TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
  756. 0 /* end of list marker */
  757. };
  758. static const ssl3CipherSuite ecdh_rsa_suites[] = {
  759. TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
  760. TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
  761. TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
  762. TLS_ECDH_RSA_WITH_NULL_SHA,
  763. TLS_ECDH_RSA_WITH_RC4_128_SHA,
  764. 0 /* end of list marker */
  765. };
  766. static const ssl3CipherSuite ecdhe_ecdsa_suites[] = {
  767. TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
  768. TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
  769. TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
  770. TLS_ECDHE_ECDSA_WITH_NULL_SHA,
  771. TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
  772. 0 /* end of list marker */
  773. };
  774. static const ssl3CipherSuite ecdhe_rsa_suites[] = {
  775. TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
  776. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
  777. TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
  778. TLS_ECDHE_RSA_WITH_NULL_SHA,
  779. TLS_ECDHE_RSA_WITH_RC4_128_SHA,
  780. 0 /* end of list marker */
  781. };
  782. /* List of all ECC cipher suites */
  783. static const ssl3CipherSuite ecSuites[] = {
  784. TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
  785. TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
  786. TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
  787. TLS_ECDHE_ECDSA_WITH_NULL_SHA,
  788. TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
  789. TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
  790. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
  791. TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
  792. TLS_ECDHE_RSA_WITH_NULL_SHA,
  793. TLS_ECDHE_RSA_WITH_RC4_128_SHA,
  794. TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
  795. TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
  796. TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
  797. TLS_ECDH_ECDSA_WITH_NULL_SHA,
  798. TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
  799. TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
  800. TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
  801. TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
  802. TLS_ECDH_RSA_WITH_NULL_SHA,
  803. TLS_ECDH_RSA_WITH_RC4_128_SHA,
  804. 0 /* end of list marker */
  805. };
  806. /* On this socket, Disable the ECC cipher suites in the argument's list */
  807. SECStatus
  808. ssl3_DisableECCSuites(sslSocket * ss, const ssl3CipherSuite * suite)
  809. {
  810. if (!suite)
  811. suite = ecSuites;
  812. for (; *suite; ++suite) {
  813. SECStatus rv = ssl3_CipherPrefSet(ss, *suite, PR_FALSE);
  814. PORT_Assert(rv == SECSuccess); /* else is coding error */
  815. }
  816. return SECSuccess;
  817. }
  818. /* Look at the server certs configured on this socket, and disable any
  819. * ECC cipher suites that are not supported by those certs.
  820. */
  821. void
  822. ssl3_FilterECCipherSuitesByServerCerts(sslSocket * ss)
  823. {
  824. CERTCertificate * svrCert;
  825. svrCert = ss->serverCerts[kt_rsa].serverCert;
  826. if (!svrCert) {
  827. ssl3_DisableECCSuites(ss, ecdhe_rsa_suites);
  828. }
  829. svrCert = ss->serverCerts[kt_ecdh].serverCert;
  830. if (!svrCert) {
  831. ssl3_DisableECCSuites(ss, ecdh_suites);
  832. ssl3_DisableECCSuites(ss, ecdhe_ecdsa_suites);
  833. } else {
  834. SECOidTag sigTag = SECOID_GetAlgorithmTag(&svrCert->signature);
  835. switch (sigTag) {
  836. case SEC_OID_PKCS1_RSA_ENCRYPTION:
  837. case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
  838. case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
  839. case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
  840. case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
  841. case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION:
  842. case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
  843. case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
  844. case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
  845. ssl3_DisableECCSuites(ss, ecdh_ecdsa_suites);
  846. break;
  847. case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE:
  848. case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE:
  849. case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE:
  850. case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE:
  851. case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE:
  852. case SEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGEST:
  853. case SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST:
  854. ssl3_DisableECCSuites(ss, ecdh_rsa_suites);
  855. break;
  856. default:
  857. ssl3_DisableECCSuites(ss, ecdh_suites);
  858. break;
  859. }
  860. }
  861. }
  862. /* Ask: is ANY ECC cipher suite enabled on this socket? */
  863. /* Order(N^2). Yuk. Also, this ignores export policy. */
  864. PRBool
  865. ssl3_IsECCEnabled(sslSocket * ss)
  866. {
  867. const ssl3CipherSuite * suite;
  868. for (suite = ecSuites; *suite; ++suite) {
  869. PRBool enabled = PR_FALSE;
  870. SECStatus rv = ssl3_CipherPrefGet(ss, *suite, &enabled);
  871. PORT_Assert(rv == SECSuccess); /* else is coding error */
  872. if (rv == SECSuccess && enabled)
  873. return PR_TRUE;
  874. }
  875. return PR_FALSE;
  876. }
  877. #define BE(n) 0, n
  878. #ifndef NSS_ECC_MORE_THAN_SUITE_B
  879. /* Prefabricated TLS client hello extension, Elliptic Curves List,
  880. * offers only 3 curves, the Suite B curves, 23-25
  881. */
  882. static const PRUint8 EClist[12] = {
  883. BE(10), /* Extension type */
  884. BE( 8), /* octets that follow ( 3 pairs + 1 length pair) */
  885. BE( 6), /* octets that follow ( 3 pairs) */
  886. BE(23), BE(24), BE(25)
  887. };
  888. #else
  889. /* Prefabricated TLS client hello extension, Elliptic Curves List,
  890. * offers curves 1-25.
  891. */
  892. static const PRUint8 EClist[56] = {
  893. BE(10), /* Extension type */
  894. BE(52), /* octets that follow (25 pairs + 1 length pair) */
  895. BE(50), /* octets that follow (25 pairs) */
  896. BE( 1), BE( 2), BE( 3), BE( 4), BE( 5), BE( 6), BE( 7),
  897. BE( 8), BE( 9), BE(10), BE(11), BE(12), BE(13), BE(14), BE(15),
  898. BE(16), BE(17), BE(18), BE(19), BE(20), BE(21), BE(22), BE(23),
  899. BE(24), BE(25)
  900. };
  901. #endif
  902. static const PRUint8 ECPtFmt[6] = {
  903. BE(11), /* Extension type */
  904. BE( 2), /* octets that follow */
  905. 1, /* octets that follow */
  906. 0 /* uncompressed type only */
  907. };
  908. /* Send our "canned" (precompiled) Supported Elliptic Curves extension,
  909. * which says that we support all TLS-defined named curves.
  910. */
  911. PRInt32
  912. ssl3_SendSupportedCurvesXtn(
  913. sslSocket * ss,
  914. PRBool append,
  915. PRUint32 maxBytes)
  916. {
  917. if (!ss || !ssl3_IsECCEnabled(ss))
  918. return 0;
  919. if (append && maxBytes >= (sizeof EClist)) {
  920. SECStatus rv = ssl3_AppendHandshake(ss, EClist, (sizeof EClist));
  921. if (rv != SECSuccess)
  922. return -1;
  923. if (!ss->sec.isServer) {
  924. TLSExtensionData *xtnData = &ss->xtnData;
  925. xtnData->advertised[xtnData->numAdvertised++] =
  926. ssl_elliptic_curves_xtn;
  927. }
  928. }
  929. return (sizeof EClist);
  930. }
  931. /* Send our "canned" (precompiled) Supported Point Formats extension,
  932. * which says that we only support uncompressed points.
  933. */
  934. PRInt32
  935. ssl3_SendSupportedPointFormatsXtn(
  936. sslSocket * ss,
  937. PRBool append,
  938. PRUint32 maxBytes)
  939. {
  940. if (!ss || !ssl3_IsECCEnabled(ss))
  941. return 0;
  942. if (append && maxBytes >= (sizeof ECPtFmt)) {
  943. SECStatus rv = ssl3_AppendHandshake(ss, ECPtFmt, (sizeof ECPtFmt));
  944. if (rv != SECSuccess)
  945. return -1;
  946. if (!ss->sec.isServer) {
  947. TLSExtensionData *xtnData = &ss->xtnData;
  948. xtnData->advertised[xtnData->numAdvertised++] =
  949. ssl_ec_point_formats_xtn;
  950. }
  951. }
  952. return (sizeof ECPtFmt);
  953. }
  954. /* Just make sure that the remote client supports uncompressed points,
  955. * Since that is all we support. Disable ECC cipher suites if it doesn't.
  956. */
  957. SECStatus
  958. ssl3_HandleSupportedPointFormatsXtn(sslSocket *ss, PRUint16 ex_type,
  959. SECItem *data)
  960. {
  961. int i;
  962. if (data->len < 2 || data->len > 255 || !data->data ||
  963. data->len != (unsigned int)data->data[0] + 1) {
  964. /* malformed */
  965. goto loser;
  966. }
  967. for (i = data->len; --i > 0; ) {
  968. if (data->data[i] == 0) {
  969. /* indicate that we should send a reply */
  970. SECStatus rv;
  971. rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type,
  972. &ssl3_SendSupportedPointFormatsXtn);
  973. return rv;
  974. }
  975. }
  976. loser:
  977. /* evil client doesn't support uncompressed */
  978. ssl3_DisableECCSuites(ss, ecSuites);
  979. return SECFailure;
  980. }
  981. #define SSL3_GET_SERVER_PUBLICKEY(sock, type) \
  982. (ss->serverCerts[type].serverKeyPair ? \
  983. ss->serverCerts[type].serverKeyPair->pubKey : NULL)
  984. /* Extract the TLS curve name for the public key in our EC server cert. */
  985. ECName ssl3_GetSvrCertCurveName(sslSocket *ss)
  986. {
  987. SECKEYPublicKey *srvPublicKey;
  988. ECName ec_curve = ec_noName;
  989. srvPublicKey = SSL3_GET_SERVER_PUBLICKEY(ss, kt_ecdh);
  990. if (srvPublicKey) {
  991. ec_curve = params2ecName(&srvPublicKey->u.ec.DEREncodedParams);
  992. }
  993. return ec_curve;
  994. }
  995. /* Ensure that the curve in our server cert is one of the ones suppored
  996. * by the remote client, and disable all ECC cipher suites if not.
  997. */
  998. SECStatus
  999. ssl3_HandleSupportedCurvesXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data)
  1000. {
  1001. PRInt32 list_len;
  1002. PRUint32 peerCurves = 0;
  1003. PRUint32 mutualCurves = 0;
  1004. PRUint16 svrCertCurveName;
  1005. if (!data->data || data->len < 4 || data->len > 65535)
  1006. goto loser;
  1007. /* get the length of elliptic_curve_list */
  1008. list_len = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len);
  1009. if (list_len < 0 || data->len != list_len || (data->len % 2) != 0) {
  1010. /* malformed */
  1011. goto loser;
  1012. }
  1013. /* build bit vector of peer's supported curve names */
  1014. while (data->len) {
  1015. PRInt32 curve_name =
  1016. ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len);
  1017. if (curve_name > ec_noName && curve_name < ec_pastLastName) {
  1018. peerCurves |= (1U << curve_name);
  1019. }
  1020. }
  1021. /* What curves do we support in common? */
  1022. mutualCurves = ss->ssl3.hs.negotiatedECCurves &= peerCurves;
  1023. if (!mutualCurves) { /* no mutually supported EC Curves */
  1024. goto loser;
  1025. }
  1026. /* if our ECC cert doesn't use one of these supported curves,
  1027. * disable ECC cipher suites that require an ECC cert.
  1028. */
  1029. svrCertCurveName = ssl3_GetSvrCertCurveName(ss);
  1030. if (svrCertCurveName != ec_noName &&
  1031. (mutualCurves & (1U << svrCertCurveName)) != 0) {
  1032. return SECSuccess;
  1033. }
  1034. /* Our EC cert doesn't contain a mutually supported curve.
  1035. * Disable all ECC cipher suites that require an EC cert
  1036. */
  1037. ssl3_DisableECCSuites(ss, ecdh_ecdsa_suites);
  1038. ssl3_DisableECCSuites(ss, ecdhe_ecdsa_suites);
  1039. return SECFailure;
  1040. loser:
  1041. /* no common curve supported */
  1042. ssl3_DisableECCSuites(ss, ecSuites);
  1043. return SECFailure;
  1044. }
  1045. #endif /* NSS_ENABLE_ECC */