RetroZilla/security/nss/lib/ssl/ssl3ecc.c

1297 lines
42 KiB
C
Raw Normal View History

/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
2015-10-21 05:03:22 +02:00
/*
* SSL3 Protocol
*
2018-05-04 16:08:28 +02:00
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
2015-10-21 05:03:22 +02:00
/* ECC code moved here from ssl3con.c */
#include "nss.h"
#include "cert.h"
#include "ssl.h"
#include "cryptohi.h" /* for DSAU_ stuff */
2015-10-21 05:03:22 +02:00
#include "keyhi.h"
#include "secder.h"
#include "secitem.h"
#include "sslimpl.h"
#include "sslproto.h"
#include "sslerr.h"
#include "prtime.h"
#include "prinrval.h"
#include "prerror.h"
#include "pratom.h"
#include "prthread.h"
#include "prinit.h"
#include "pk11func.h"
#include "secmod.h"
#include <stdio.h>
#ifndef NSS_DISABLE_ECC
2015-10-21 05:03:22 +02:00
#ifndef PK11_SETATTRS
#define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \
(x)->pValue=(v); (x)->ulValueLen = (l);
2015-10-21 05:03:22 +02:00
#endif
#define SSL_GET_SERVER_PUBLIC_KEY(sock, type) \
(ss->serverCerts[type].serverKeyPair ? \
ss->serverCerts[type].serverKeyPair->pubKey : NULL)
#define SSL_IS_CURVE_NEGOTIATED(curvemsk, curveName) \
((curveName > ec_noName) && \
(curveName < ec_pastLastName) && \
((1UL << curveName) & curvemsk) != 0)
static SECStatus ssl3_CreateECDHEphemeralKeys(sslSocket *ss, ECName ec_curve);
#define supportedCurve(x) (((x) > ec_noName) && ((x) < ec_pastLastName))
/* Table containing OID tags for elliptic curves named in the
* ECC-TLS IETF draft.
*/
static const SECOidTag ecName2OIDTag[] = {
0,
SEC_OID_SECG_EC_SECT163K1, /* 1 */
SEC_OID_SECG_EC_SECT163R1, /* 2 */
SEC_OID_SECG_EC_SECT163R2, /* 3 */
SEC_OID_SECG_EC_SECT193R1, /* 4 */
SEC_OID_SECG_EC_SECT193R2, /* 5 */
SEC_OID_SECG_EC_SECT233K1, /* 6 */
SEC_OID_SECG_EC_SECT233R1, /* 7 */
SEC_OID_SECG_EC_SECT239K1, /* 8 */
SEC_OID_SECG_EC_SECT283K1, /* 9 */
SEC_OID_SECG_EC_SECT283R1, /* 10 */
SEC_OID_SECG_EC_SECT409K1, /* 11 */
SEC_OID_SECG_EC_SECT409R1, /* 12 */
SEC_OID_SECG_EC_SECT571K1, /* 13 */
SEC_OID_SECG_EC_SECT571R1, /* 14 */
SEC_OID_SECG_EC_SECP160K1, /* 15 */
SEC_OID_SECG_EC_SECP160R1, /* 16 */
SEC_OID_SECG_EC_SECP160R2, /* 17 */
SEC_OID_SECG_EC_SECP192K1, /* 18 */
SEC_OID_SECG_EC_SECP192R1, /* 19 */
SEC_OID_SECG_EC_SECP224K1, /* 20 */
SEC_OID_SECG_EC_SECP224R1, /* 21 */
SEC_OID_SECG_EC_SECP256K1, /* 22 */
SEC_OID_SECG_EC_SECP256R1, /* 23 */
SEC_OID_SECG_EC_SECP384R1, /* 24 */
SEC_OID_SECG_EC_SECP521R1, /* 25 */
2015-10-21 05:03:22 +02:00
};
static const PRUint16 curve2bits[] = {
0, /* ec_noName = 0, */
163, /* ec_sect163k1 = 1, */
163, /* ec_sect163r1 = 2, */
163, /* ec_sect163r2 = 3, */
193, /* ec_sect193r1 = 4, */
193, /* ec_sect193r2 = 5, */
233, /* ec_sect233k1 = 6, */
233, /* ec_sect233r1 = 7, */
239, /* ec_sect239k1 = 8, */
283, /* ec_sect283k1 = 9, */
283, /* ec_sect283r1 = 10, */
409, /* ec_sect409k1 = 11, */
409, /* ec_sect409r1 = 12, */
571, /* ec_sect571k1 = 13, */
571, /* ec_sect571r1 = 14, */
160, /* ec_secp160k1 = 15, */
160, /* ec_secp160r1 = 16, */
160, /* ec_secp160r2 = 17, */
192, /* ec_secp192k1 = 18, */
192, /* ec_secp192r1 = 19, */
224, /* ec_secp224k1 = 20, */
224, /* ec_secp224r1 = 21, */
256, /* ec_secp256k1 = 22, */
256, /* ec_secp256r1 = 23, */
384, /* ec_secp384r1 = 24, */
521, /* ec_secp521r1 = 25, */
2015-10-21 05:03:22 +02:00
65535 /* ec_pastLastName */
};
typedef struct Bits2CurveStr {
PRUint16 bits;
ECName curve;
} Bits2Curve;
static const Bits2Curve bits2curve [] = {
{ 192, ec_secp192r1 /* = 19, fast */ },
{ 160, ec_secp160r2 /* = 17, fast */ },
{ 160, ec_secp160k1 /* = 15, */ },
{ 160, ec_secp160r1 /* = 16, */ },
{ 163, ec_sect163k1 /* = 1, */ },
{ 163, ec_sect163r1 /* = 2, */ },
{ 163, ec_sect163r2 /* = 3, */ },
{ 192, ec_secp192k1 /* = 18, */ },
{ 193, ec_sect193r1 /* = 4, */ },
{ 193, ec_sect193r2 /* = 5, */ },
{ 224, ec_secp224r1 /* = 21, fast */ },
{ 224, ec_secp224k1 /* = 20, */ },
{ 233, ec_sect233k1 /* = 6, */ },
{ 233, ec_sect233r1 /* = 7, */ },
{ 239, ec_sect239k1 /* = 8, */ },
{ 256, ec_secp256r1 /* = 23, fast */ },
{ 256, ec_secp256k1 /* = 22, */ },
{ 283, ec_sect283k1 /* = 9, */ },
{ 283, ec_sect283r1 /* = 10, */ },
{ 384, ec_secp384r1 /* = 24, fast */ },
{ 409, ec_sect409k1 /* = 11, */ },
{ 409, ec_sect409r1 /* = 12, */ },
{ 521, ec_secp521r1 /* = 25, fast */ },
{ 571, ec_sect571k1 /* = 13, */ },
{ 571, ec_sect571r1 /* = 14, */ },
2015-10-21 05:03:22 +02:00
{ 65535, ec_noName }
};
typedef struct ECDHEKeyPairStr {
ssl3KeyPair * pair;
int error; /* error code of the call-once function */
PRCallOnceType once;
} ECDHEKeyPair;
/* arrays of ECDHE KeyPairs */
static ECDHEKeyPair gECDHEKeyPairs[ec_pastLastName];
SECStatus
2018-05-04 16:08:28 +02:00
ssl3_ECName2Params(PLArenaPool * arena, ECName curve, SECKEYECParams * params)
2015-10-21 05:03:22 +02:00
{
SECOidData *oidData = NULL;
if ((curve <= ec_noName) || (curve >= ec_pastLastName) ||
((oidData = SECOID_FindOIDByTag(ecName2OIDTag[curve])) == NULL)) {
2015-10-21 05:03:22 +02:00
PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
return SECFailure;
2015-10-21 05:03:22 +02:00
}
SECITEM_AllocItem(arena, params, (2 + oidData->oid.len));
/*
2015-10-21 05:03:22 +02:00
* params->data needs to contain the ASN encoding of an object ID (OID)
* representing the named curve. The actual OID is in
2015-10-21 05:03:22 +02:00
* oidData->oid.data so we simply prepend 0x06 and OID length
*/
params->data[0] = SEC_ASN1_OBJECT_ID;
params->data[1] = oidData->oid.len;
memcpy(params->data + 2, oidData->oid.data, oidData->oid.len);
return SECSuccess;
}
static ECName
2015-10-21 05:03:22 +02:00
params2ecName(SECKEYECParams * params)
{
SECItem oid = { siBuffer, NULL, 0};
SECOidData *oidData = NULL;
ECName i;
/*
2015-10-21 05:03:22 +02:00
* params->data needs to contain the ASN encoding of an object ID (OID)
* representing a named curve. Here, we strip away everything
* before the actual OID and use the OID to look up a named curve.
*/
if (params->data[0] != SEC_ASN1_OBJECT_ID) return ec_noName;
oid.len = params->len - 2;
oid.data = params->data + 2;
if ((oidData = SECOID_FindOID(&oid)) == NULL) return ec_noName;
for (i = ec_noName + 1; i < ec_pastLastName; i++) {
if (ecName2OIDTag[i] == oidData->offset)
return i;
2015-10-21 05:03:22 +02:00
}
return ec_noName;
}
/* Caller must set hiLevel error code. */
static SECStatus
ssl3_ComputeECDHKeyHash(SSLHashType hashAlg,
SECItem ec_params, SECItem server_ecpoint,
SSL3Random *client_rand, SSL3Random *server_rand,
SSL3Hashes *hashes, PRBool bypassPKCS11)
2015-10-21 05:03:22 +02:00
{
PRUint8 * hashBuf;
PRUint8 * pBuf;
SECStatus rv = SECSuccess;
2015-10-21 05:03:22 +02:00
unsigned int bufLen;
/*
* XXX For now, we only support named curves (the appropriate
* checks are made before this method is called) so ec_params
* takes up only two bytes. ECPoint needs to fit in 256 bytes
* (because the spec says the length must fit in one byte)
*/
PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 1 + 256];
bufLen = 2*SSL3_RANDOM_LENGTH + ec_params.len + 1 + server_ecpoint.len;
if (bufLen <= sizeof buf) {
hashBuf = buf;
2015-10-21 05:03:22 +02:00
} else {
hashBuf = PORT_Alloc(bufLen);
if (!hashBuf) {
return SECFailure;
}
2015-10-21 05:03:22 +02:00
}
memcpy(hashBuf, client_rand, SSL3_RANDOM_LENGTH);
pBuf = hashBuf + SSL3_RANDOM_LENGTH;
2015-10-21 05:03:22 +02:00
memcpy(pBuf, server_rand, SSL3_RANDOM_LENGTH);
pBuf += SSL3_RANDOM_LENGTH;
2015-10-21 05:03:22 +02:00
memcpy(pBuf, ec_params.data, ec_params.len);
pBuf += ec_params.len;
2015-10-21 05:03:22 +02:00
pBuf[0] = (PRUint8)(server_ecpoint.len);
pBuf += 1;
memcpy(pBuf, server_ecpoint.data, server_ecpoint.len);
pBuf += server_ecpoint.len;
2015-10-21 05:03:22 +02:00
PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen);
2018-05-04 16:08:28 +02:00
rv = ssl3_ComputeCommonKeyHash(hashAlg, hashBuf, bufLen, hashes,
bypassPKCS11);
2015-10-21 05:03:22 +02:00
PRINT_BUF(95, (NULL, "ECDHkey hash: ", hashBuf, bufLen));
2018-05-04 16:08:28 +02:00
PRINT_BUF(95, (NULL, "ECDHkey hash: MD5 result",
hashes->u.s.md5, MD5_LENGTH));
2018-05-04 16:08:28 +02:00
PRINT_BUF(95, (NULL, "ECDHkey hash: SHA1 result",
hashes->u.s.sha, SHA1_LENGTH));
2015-10-21 05:03:22 +02:00
2018-05-04 16:08:28 +02:00
if (hashBuf != buf)
PORT_Free(hashBuf);
2015-10-21 05:03:22 +02:00
return rv;
}
/* Called from ssl3_SendClientKeyExchange(). */
SECStatus
ssl3_SendECDHClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
{
PK11SymKey * pms = NULL;
SECStatus rv = SECFailure;
2018-05-04 16:08:28 +02:00
PRBool isTLS, isTLS12;
CK_MECHANISM_TYPE target;
SECKEYPublicKey *pubKey = NULL; /* Ephemeral ECDH key */
SECKEYPrivateKey *privKey = NULL; /* Ephemeral ECDH key */
2015-10-21 05:03:22 +02:00
PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
2018-05-04 16:08:28 +02:00
isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
2015-10-21 05:03:22 +02:00
/* Generate ephemeral EC keypair */
if (svrPubKey->keyType != ecKey) {
PORT_SetError(SEC_ERROR_BAD_KEY);
goto loser;
2015-10-21 05:03:22 +02:00
}
/* XXX SHOULD CALL ssl3_CreateECDHEphemeralKeys here, instead! */
privKey = SECKEY_CreateECPrivateKey(&svrPubKey->u.ec.DEREncodedParams,
&pubKey, ss->pkcs11PinArg);
2015-10-21 05:03:22 +02:00
if (!privKey || !pubKey) {
ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
rv = SECFailure;
goto loser;
2015-10-21 05:03:22 +02:00
}
PRINT_BUF(50, (ss, "ECDH public value:",
pubKey->u.ec.publicValue.data,
pubKey->u.ec.publicValue.len));
2015-10-21 05:03:22 +02:00
2018-05-04 16:08:28 +02:00
if (isTLS12) {
target = CKM_TLS12_MASTER_KEY_DERIVE_DH;
2018-05-04 16:08:28 +02:00
} else if (isTLS) {
target = CKM_TLS_MASTER_KEY_DERIVE_DH;
2018-05-04 16:08:28 +02:00
} else {
target = CKM_SSL3_MASTER_KEY_DERIVE_DH;
2018-05-04 16:08:28 +02:00
}
2015-10-21 05:03:22 +02:00
/* Determine the PMS */
pms = PK11_PubDeriveWithKDF(privKey, svrPubKey, PR_FALSE, NULL, NULL,
CKM_ECDH1_DERIVE, target, CKA_DERIVE, 0,
CKD_NULL, NULL, NULL);
2015-10-21 05:03:22 +02:00
if (pms == NULL) {
SSL3AlertDescription desc = illegal_parameter;
(void)SSL3_SendAlert(ss, alert_fatal, desc);
ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
goto loser;
2015-10-21 05:03:22 +02:00
}
SECKEY_DestroyPrivateKey(privKey);
privKey = NULL;
rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange,
pubKey->u.ec.publicValue.len + 1);
2015-10-21 05:03:22 +02:00
if (rv != SECSuccess) {
goto loser; /* err set by ssl3_AppendHandshake* */
2015-10-21 05:03:22 +02:00
}
rv = ssl3_AppendHandshakeVariable(ss,
pubKey->u.ec.publicValue.data,
pubKey->u.ec.publicValue.len, 1);
2015-10-21 05:03:22 +02:00
SECKEY_DestroyPublicKey(pubKey);
pubKey = NULL;
if (rv != SECSuccess) {
goto loser; /* err set by ssl3_AppendHandshake* */
2015-10-21 05:03:22 +02:00
}
rv = ssl3_InitPendingCipherSpec(ss, pms);
PK11_FreeSymKey(pms); pms = NULL;
if (rv != SECSuccess) {
ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
goto loser;
}
2015-10-21 05:03:22 +02:00
rv = SECSuccess;
loser:
if(pms) PK11_FreeSymKey(pms);
if(privKey) SECKEY_DestroyPrivateKey(privKey);
if(pubKey) SECKEY_DestroyPublicKey(pubKey);
return rv;
}
/*
** Called from ssl3_HandleClientKeyExchange()
*/
SECStatus
ssl3_HandleECDHClientKeyExchange(sslSocket *ss, SSL3Opaque *b,
PRUint32 length,
2015-10-21 05:03:22 +02:00
SECKEYPublicKey *srvrPubKey,
SECKEYPrivateKey *srvrPrivKey)
{
PK11SymKey * pms;
SECStatus rv;
SECKEYPublicKey clntPubKey;
CK_MECHANISM_TYPE target;
2018-05-04 16:08:28 +02:00
PRBool isTLS, isTLS12;
2015-10-21 05:03:22 +02:00
PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
clntPubKey.keyType = ecKey;
clntPubKey.u.ec.DEREncodedParams.len =
srvrPubKey->u.ec.DEREncodedParams.len;
clntPubKey.u.ec.DEREncodedParams.data =
srvrPubKey->u.ec.DEREncodedParams.data;
2015-10-21 05:03:22 +02:00
rv = ssl3_ConsumeHandshakeVariable(ss, &clntPubKey.u.ec.publicValue,
1, &b, &length);
2015-10-21 05:03:22 +02:00
if (rv != SECSuccess) {
SEND_ALERT
return SECFailure; /* XXX Who sets the error code?? */
2015-10-21 05:03:22 +02:00
}
isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
2018-05-04 16:08:28 +02:00
isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
2015-10-21 05:03:22 +02:00
2018-05-04 16:08:28 +02:00
if (isTLS12) {
target = CKM_TLS12_MASTER_KEY_DERIVE_DH;
2018-05-04 16:08:28 +02:00
} else if (isTLS) {
target = CKM_TLS_MASTER_KEY_DERIVE_DH;
2018-05-04 16:08:28 +02:00
} else {
target = CKM_SSL3_MASTER_KEY_DERIVE_DH;
2018-05-04 16:08:28 +02:00
}
2015-10-21 05:03:22 +02:00
/* Determine the PMS */
pms = PK11_PubDeriveWithKDF(srvrPrivKey, &clntPubKey, PR_FALSE, NULL, NULL,
CKM_ECDH1_DERIVE, target, CKA_DERIVE, 0,
CKD_NULL, NULL, NULL);
2015-10-21 05:03:22 +02:00
if (pms == NULL) {
/* last gasp. */
ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
return SECFailure;
2015-10-21 05:03:22 +02:00
}
rv = ssl3_InitPendingCipherSpec(ss, pms);
PK11_FreeSymKey(pms);
if (rv != SECSuccess) {
SEND_ALERT
return SECFailure; /* error code set by ssl3_InitPendingCipherSpec */
2015-10-21 05:03:22 +02:00
}
return SECSuccess;
}
ECName
ssl3_GetCurveWithECKeyStrength(PRUint32 curvemsk, int requiredECCbits)
{
int i;
2015-10-21 05:03:22 +02:00
for ( i = 0; bits2curve[i].curve != ec_noName; i++) {
if (bits2curve[i].bits < requiredECCbits)
continue;
if (SSL_IS_CURVE_NEGOTIATED(curvemsk, bits2curve[i].curve)) {
return bits2curve[i].curve;
}
2015-10-21 05:03:22 +02:00
}
PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
return ec_noName;
}
/* find the "weakest link". Get strength of signature key and of sym key.
* choose curve for the weakest of those two.
*/
ECName
ssl3_GetCurveNameForServerSocket(sslSocket *ss)
{
SECKEYPublicKey * svrPublicKey = NULL;
ECName ec_curve = ec_noName;
int signatureKeyStrength = 521;
int requiredECCbits = ss->sec.secretKeyBits * 2;
if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa) {
svrPublicKey = SSL_GET_SERVER_PUBLIC_KEY(ss, kt_ecdh);
if (svrPublicKey)
ec_curve = params2ecName(&svrPublicKey->u.ec.DEREncodedParams);
if (!SSL_IS_CURVE_NEGOTIATED(ss->ssl3.hs.negotiatedECCurves, ec_curve)) {
PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
return ec_noName;
}
signatureKeyStrength = curve2bits[ ec_curve ];
2015-10-21 05:03:22 +02:00
} else {
/* RSA is our signing cert */
int serverKeyStrengthInBits;
2015-10-21 05:03:22 +02:00
svrPublicKey = SSL_GET_SERVER_PUBLIC_KEY(ss, kt_rsa);
if (!svrPublicKey) {
PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
return ec_noName;
}
2015-10-21 05:03:22 +02:00
/* currently strength in bytes */
serverKeyStrengthInBits = svrPublicKey->u.rsa.modulus.len;
if (svrPublicKey->u.rsa.modulus.data[0] == 0) {
serverKeyStrengthInBits--;
}
/* convert to strength in bits */
serverKeyStrengthInBits *= BPB;
2015-10-21 05:03:22 +02:00
signatureKeyStrength =
SSL_RSASTRENGTH_TO_ECSTRENGTH(serverKeyStrengthInBits);
2015-10-21 05:03:22 +02:00
}
if ( requiredECCbits > signatureKeyStrength )
2015-10-21 05:03:22 +02:00
requiredECCbits = signatureKeyStrength;
return ssl3_GetCurveWithECKeyStrength(ss->ssl3.hs.negotiatedECCurves,
requiredECCbits);
2015-10-21 05:03:22 +02:00
}
/* function to clear out the lists */
static SECStatus
2015-10-21 05:03:22 +02:00
ssl3_ShutdownECDHECurves(void *appData, void *nssData)
{
int i;
ECDHEKeyPair *keyPair = &gECDHEKeyPairs[0];
for (i=0; i < ec_pastLastName; i++, keyPair++) {
if (keyPair->pair) {
ssl3_FreeKeyPair(keyPair->pair);
}
2015-10-21 05:03:22 +02:00
}
memset(gECDHEKeyPairs, 0, sizeof gECDHEKeyPairs);
return SECSuccess;
}
static PRStatus
ssl3_ECRegister(void)
{
SECStatus rv;
rv = NSS_RegisterShutdown(ssl3_ShutdownECDHECurves, gECDHEKeyPairs);
if (rv != SECSuccess) {
gECDHEKeyPairs[ec_noName].error = PORT_GetError();
2015-10-21 05:03:22 +02:00
}
return (PRStatus)rv;
}
/* Create an ECDHE key pair for a given curve */
static SECStatus
ssl3_CreateECDHEphemeralKeyPair(ECName ec_curve, ssl3KeyPair** keyPair)
2015-10-21 05:03:22 +02:00
{
SECKEYPrivateKey * privKey = NULL;
SECKEYPublicKey * pubKey = NULL;
SECKEYECParams ecParams = { siBuffer, NULL, 0 };
if (ssl3_ECName2Params(NULL, ec_curve, &ecParams) != SECSuccess) {
return SECFailure;
2015-10-21 05:03:22 +02:00
}
privKey = SECKEY_CreateECPrivateKey(&ecParams, &pubKey, NULL);
2015-10-21 05:03:22 +02:00
SECITEM_FreeItem(&ecParams, PR_FALSE);
if (!privKey || !pubKey || !(*keyPair = ssl3_NewKeyPair(privKey, pubKey))) {
if (privKey) {
SECKEY_DestroyPrivateKey(privKey);
}
if (pubKey) {
SECKEY_DestroyPublicKey(pubKey);
}
ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
return SECFailure;
}
return SECSuccess;
}
/* CallOnce function, called once for each named curve. */
static PRStatus
ssl3_CreateECDHEphemeralKeyPairOnce(void * arg)
{
ECName ec_curve = (ECName)arg;
ssl3KeyPair * keyPair = NULL;
PORT_Assert(gECDHEKeyPairs[ec_curve].pair == NULL);
/* ok, no one has generated a global key for this curve yet, do so */
if (ssl3_CreateECDHEphemeralKeyPair(ec_curve, &keyPair) != SECSuccess) {
gECDHEKeyPairs[ec_curve].error = PORT_GetError();
return PR_FAILURE;
2015-10-21 05:03:22 +02:00
}
gECDHEKeyPairs[ec_curve].pair = keyPair;
return PR_SUCCESS;
}
/*
* Creates the ephemeral public and private ECDH keys used by
* server in ECDHE_RSA and ECDHE_ECDSA handshakes.
* For now, the elliptic curve is chosen to be the same
* strength as the signing certificate (ECC or RSA).
* We need an API to specify the curve. This won't be a real
* issue until we further develop server-side support for ECC
* cipher suites.
*/
static SECStatus
ssl3_CreateECDHEphemeralKeys(sslSocket *ss, ECName ec_curve)
{
ssl3KeyPair * keyPair = NULL;
2015-10-21 05:03:22 +02:00
/* if there's no global key for this curve, make one. */
if (gECDHEKeyPairs[ec_curve].pair == NULL) {
PRStatus status;
2015-10-21 05:03:22 +02:00
status = PR_CallOnce(&gECDHEKeyPairs[ec_noName].once, ssl3_ECRegister);
2015-10-21 05:03:22 +02:00
if (status != PR_SUCCESS) {
PORT_SetError(gECDHEKeyPairs[ec_noName].error);
return SECFailure;
}
status = PR_CallOnceWithArg(&gECDHEKeyPairs[ec_curve].once,
ssl3_CreateECDHEphemeralKeyPairOnce,
(void *)ec_curve);
2015-10-21 05:03:22 +02:00
if (status != PR_SUCCESS) {
PORT_SetError(gECDHEKeyPairs[ec_curve].error);
return SECFailure;
}
2015-10-21 05:03:22 +02:00
}
keyPair = gECDHEKeyPairs[ec_curve].pair;
PORT_Assert(keyPair != NULL);
if (!keyPair)
return SECFailure;
2015-10-21 05:03:22 +02:00
ss->ephemeralECDHKeyPair = ssl3_GetKeyPairRef(keyPair);
return SECSuccess;
}
SECStatus
ssl3_HandleECDHServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
{
2018-05-04 16:08:28 +02:00
PLArenaPool * arena = NULL;
2015-10-21 05:03:22 +02:00
SECKEYPublicKey *peerKey = NULL;
2018-05-04 16:08:28 +02:00
PRBool isTLS, isTLS12;
2015-10-21 05:03:22 +02:00
SECStatus rv;
int errCode = SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH;
SSL3AlertDescription desc = illegal_parameter;
SSL3Hashes hashes;
SECItem signature = {siBuffer, NULL, 0};
SECItem ec_params = {siBuffer, NULL, 0};
SECItem ec_point = {siBuffer, NULL, 0};
unsigned char paramBuf[3]; /* only for curve_type == named_curve */
SSLSignatureAndHashAlg sigAndHash;
2018-05-04 16:08:28 +02:00
sigAndHash.hashAlg = ssl_hash_none;
2015-10-21 05:03:22 +02:00
isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
2018-05-04 16:08:28 +02:00
isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
2015-10-21 05:03:22 +02:00
/* XXX This works only for named curves, revisit this when
* we support generic curves.
*/
ec_params.len = sizeof paramBuf;
ec_params.data = paramBuf;
rv = ssl3_ConsumeHandshake(ss, ec_params.data, ec_params.len, &b, &length);
if (rv != SECSuccess) {
goto loser; /* malformed. */
2015-10-21 05:03:22 +02:00
}
/* Fail if the curve is not a named curve */
if ((ec_params.data[0] != ec_type_named) ||
(ec_params.data[1] != 0) ||
!supportedCurve(ec_params.data[2])) {
errCode = SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE;
desc = handshake_failure;
goto alert_loser;
2015-10-21 05:03:22 +02:00
}
rv = ssl3_ConsumeHandshakeVariable(ss, &ec_point, 1, &b, &length);
if (rv != SECSuccess) {
goto loser; /* malformed. */
2015-10-21 05:03:22 +02:00
}
/* Fail if the ec point uses compressed representation */
if (ec_point.data[0] != EC_POINT_FORM_UNCOMPRESSED) {
errCode = SEC_ERROR_UNSUPPORTED_EC_POINT_FORM;
desc = handshake_failure;
goto alert_loser;
2015-10-21 05:03:22 +02:00
}
2018-05-04 16:08:28 +02:00
if (isTLS12) {
rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length,
&sigAndHash);
if (rv != SECSuccess) {
goto loser; /* malformed or unsupported. */
}
rv = ssl3_CheckSignatureAndHashAlgorithmConsistency(
ss, &sigAndHash, ss->sec.peerCert);
if (rv != SECSuccess) {
goto loser;
}
2018-05-04 16:08:28 +02:00
}
2015-10-21 05:03:22 +02:00
rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length);
if (rv != SECSuccess) {
goto loser; /* malformed. */
2015-10-21 05:03:22 +02:00
}
if (length != 0) {
if (isTLS)
desc = decode_error;
goto alert_loser; /* malformed. */
2015-10-21 05:03:22 +02:00
}
PRINT_BUF(60, (NULL, "Server EC params", ec_params.data,
ec_params.len));
2015-10-21 05:03:22 +02:00
PRINT_BUF(60, (NULL, "Server EC point", ec_point.data, ec_point.len));
/* failures after this point are not malformed handshakes. */
/* TLS: send decrypt_error if signature failed. */
desc = isTLS ? decrypt_error : handshake_failure;
/*
* check to make sure the hash is signed by right guy
*/
2018-05-04 16:08:28 +02:00
rv = ssl3_ComputeECDHKeyHash(sigAndHash.hashAlg, ec_params, ec_point,
&ss->ssl3.hs.client_random,
&ss->ssl3.hs.server_random,
&hashes, ss->opt.bypassPKCS11);
2015-10-21 05:03:22 +02:00
if (rv != SECSuccess) {
errCode =
ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
goto alert_loser;
2015-10-21 05:03:22 +02:00
}
rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature,
isTLS, ss->pkcs11PinArg);
2015-10-21 05:03:22 +02:00
if (rv != SECSuccess) {
errCode =
ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
goto alert_loser;
2015-10-21 05:03:22 +02:00
}
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (arena == NULL) {
goto no_memory;
2015-10-21 05:03:22 +02:00
}
peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey);
2015-10-21 05:03:22 +02:00
if (peerKey == NULL) {
goto no_memory;
2015-10-21 05:03:22 +02:00
}
peerKey->arena = arena;
peerKey->keyType = ecKey;
/* set up EC parameters in peerKey */
if (ssl3_ECName2Params(arena, ec_params.data[2],
&peerKey->u.ec.DEREncodedParams) != SECSuccess) {
/* we should never get here since we already
* checked that we are dealing with a supported curve
*/
errCode = SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE;
goto alert_loser;
2015-10-21 05:03:22 +02:00
}
/* copy publicValue in peerKey */
if (SECITEM_CopyItem(arena, &peerKey->u.ec.publicValue, &ec_point))
{
goto no_memory;
2015-10-21 05:03:22 +02:00
}
peerKey->pkcs11Slot = NULL;
peerKey->pkcs11ID = CK_INVALID_HANDLE;
ss->sec.peerKey = peerKey;
ss->ssl3.hs.ws = wait_cert_request;
return SECSuccess;
alert_loser:
(void)SSL3_SendAlert(ss, alert_fatal, desc);
loser:
if (arena) {
PORT_FreeArena(arena, PR_FALSE);
}
2015-10-21 05:03:22 +02:00
PORT_SetError( errCode );
return SECFailure;
no_memory: /* no-memory error has already been set. */
if (arena) {
PORT_FreeArena(arena, PR_FALSE);
}
2015-10-21 05:03:22 +02:00
ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
return SECFailure;
}
SECStatus
2018-05-04 16:08:28 +02:00
ssl3_SendECDHServerKeyExchange(
sslSocket *ss,
const SSLSignatureAndHashAlg *sigAndHash)
2015-10-21 05:03:22 +02:00
{
2018-05-04 16:08:28 +02:00
const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def;
2015-10-21 05:03:22 +02:00
SECStatus rv = SECFailure;
int length;
2018-05-04 16:08:28 +02:00
PRBool isTLS, isTLS12;
2015-10-21 05:03:22 +02:00
SECItem signed_hash = {siBuffer, NULL, 0};
SSL3Hashes hashes;
SECKEYPublicKey * ecdhePub;
SECItem ec_params = {siBuffer, NULL, 0};
unsigned char paramBuf[3];
ECName curve;
SSL3KEAType certIndex;
/* Generate ephemeral ECDH key pair and send the public key */
curve = ssl3_GetCurveNameForServerSocket(ss);
if (curve == ec_noName) {
goto loser;
2015-10-21 05:03:22 +02:00
}
if (ss->opt.reuseServerECDHEKey) {
rv = ssl3_CreateECDHEphemeralKeys(ss, curve);
} else {
rv = ssl3_CreateECDHEphemeralKeyPair(curve, &ss->ephemeralECDHKeyPair);
}
2015-10-21 05:03:22 +02:00
if (rv != SECSuccess) {
goto loser;
}
2015-10-21 05:03:22 +02:00
ecdhePub = ss->ephemeralECDHKeyPair->pubKey;
PORT_Assert(ecdhePub != NULL);
if (!ecdhePub) {
PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
return SECFailure;
}
2015-10-21 05:03:22 +02:00
ec_params.len = sizeof paramBuf;
ec_params.data = paramBuf;
curve = params2ecName(&ecdhePub->u.ec.DEREncodedParams);
if (curve != ec_noName) {
ec_params.data[0] = ec_type_named;
ec_params.data[1] = 0x00;
ec_params.data[2] = curve;
2015-10-21 05:03:22 +02:00
} else {
PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
goto loser;
}
2015-10-21 05:03:22 +02:00
2018-05-04 16:08:28 +02:00
rv = ssl3_ComputeECDHKeyHash(sigAndHash->hashAlg,
ec_params,
ecdhePub->u.ec.publicValue,
&ss->ssl3.hs.client_random,
&ss->ssl3.hs.server_random,
&hashes, ss->opt.bypassPKCS11);
2015-10-21 05:03:22 +02:00
if (rv != SECSuccess) {
ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
goto loser;
2015-10-21 05:03:22 +02:00
}
isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
2018-05-04 16:08:28 +02:00
isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
2015-10-21 05:03:22 +02:00
/* XXX SSLKEAType isn't really a good choice for
2015-10-21 05:03:22 +02:00
* indexing certificates but that's all we have
* for now.
*/
if (kea_def->kea == kea_ecdhe_rsa)
certIndex = kt_rsa;
2015-10-21 05:03:22 +02:00
else /* kea_def->kea == kea_ecdhe_ecdsa */
certIndex = kt_ecdh;
2015-10-21 05:03:22 +02:00
rv = ssl3_SignHashes(&hashes, ss->serverCerts[certIndex].SERVERKEY,
&signed_hash, isTLS);
2015-10-21 05:03:22 +02:00
if (rv != SECSuccess) {
goto loser; /* ssl3_SignHashes has set err. */
2015-10-21 05:03:22 +02:00
}
if (signed_hash.data == NULL) {
/* how can this happen and rv == SECSuccess ?? */
PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
goto loser;
2015-10-21 05:03:22 +02:00
}
length = ec_params.len +
1 + ecdhePub->u.ec.publicValue.len +
(isTLS12 ? 2 : 0) + 2 + signed_hash.len;
2015-10-21 05:03:22 +02:00
rv = ssl3_AppendHandshakeHeader(ss, server_key_exchange, length);
if (rv != SECSuccess) {
goto loser; /* err set by AppendHandshake. */
2015-10-21 05:03:22 +02:00
}
rv = ssl3_AppendHandshake(ss, ec_params.data, ec_params.len);
if (rv != SECSuccess) {
goto loser; /* err set by AppendHandshake. */
2015-10-21 05:03:22 +02:00
}
rv = ssl3_AppendHandshakeVariable(ss, ecdhePub->u.ec.publicValue.data,
ecdhePub->u.ec.publicValue.len, 1);
2015-10-21 05:03:22 +02:00
if (rv != SECSuccess) {
goto loser; /* err set by AppendHandshake. */
2015-10-21 05:03:22 +02:00
}
2018-05-04 16:08:28 +02:00
if (isTLS12) {
rv = ssl3_AppendSignatureAndHashAlgorithm(ss, sigAndHash);
if (rv != SECSuccess) {
goto loser; /* err set by AppendHandshake. */
}
2018-05-04 16:08:28 +02:00
}
2015-10-21 05:03:22 +02:00
rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data,
signed_hash.len, 2);
2015-10-21 05:03:22 +02:00
if (rv != SECSuccess) {
goto loser; /* err set by AppendHandshake. */
2015-10-21 05:03:22 +02:00
}
PORT_Free(signed_hash.data);
return SECSuccess;
loser:
if (signed_hash.data != NULL)
PORT_Free(signed_hash.data);
2015-10-21 05:03:22 +02:00
return SECFailure;
}
/* Lists of ECC cipher suites for searching and disabling. */
static const ssl3CipherSuite ecdh_suites[] = {
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_ECDSA_WITH_NULL_SHA,
TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_NULL_SHA,
TLS_ECDH_RSA_WITH_RC4_128_SHA,
0 /* end of list marker */
};
static const ssl3CipherSuite ecdh_ecdsa_suites[] = {
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_ECDSA_WITH_NULL_SHA,
TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
0 /* end of list marker */
};
static const ssl3CipherSuite ecdh_rsa_suites[] = {
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_NULL_SHA,
TLS_ECDH_RSA_WITH_RC4_128_SHA,
0 /* end of list marker */
};
static const ssl3CipherSuite ecdhe_ecdsa_suites[] = {
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
2018-05-04 16:08:28 +02:00
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
2018-08-18 18:30:36 +02:00
TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
2015-10-21 05:03:22 +02:00
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
2015-10-21 05:03:22 +02:00
TLS_ECDHE_ECDSA_WITH_NULL_SHA,
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
0 /* end of list marker */
};
static const ssl3CipherSuite ecdhe_rsa_suites[] = {
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
2018-05-04 16:08:28 +02:00
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
2018-08-18 18:30:36 +02:00
TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
2015-10-21 05:03:22 +02:00
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
2015-10-21 05:03:22 +02:00
TLS_ECDHE_RSA_WITH_NULL_SHA,
TLS_ECDHE_RSA_WITH_RC4_128_SHA,
0 /* end of list marker */
};
/* List of all ECC cipher suites */
static const ssl3CipherSuite ecSuites[] = {
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
2018-05-04 16:08:28 +02:00
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
2018-08-18 18:30:36 +02:00
TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
2015-10-21 05:03:22 +02:00
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
2015-10-21 05:03:22 +02:00
TLS_ECDHE_ECDSA_WITH_NULL_SHA,
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
2018-05-04 16:08:28 +02:00
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
2018-08-18 18:30:36 +02:00
TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
2015-10-21 05:03:22 +02:00
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
2015-10-21 05:03:22 +02:00
TLS_ECDHE_RSA_WITH_NULL_SHA,
TLS_ECDHE_RSA_WITH_RC4_128_SHA,
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_ECDSA_WITH_NULL_SHA,
TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_NULL_SHA,
TLS_ECDH_RSA_WITH_RC4_128_SHA,
0 /* end of list marker */
};
/* On this socket, Disable the ECC cipher suites in the argument's list */
SECStatus
ssl3_DisableECCSuites(sslSocket * ss, const ssl3CipherSuite * suite)
{
if (!suite)
suite = ecSuites;
2015-10-21 05:03:22 +02:00
for (; *suite; ++suite) {
PORT_CheckSuccess(ssl3_CipherPrefSet(ss, *suite, PR_FALSE));
2015-10-21 05:03:22 +02:00
}
return SECSuccess;
}
/* Look at the server certs configured on this socket, and disable any
* ECC cipher suites that are not supported by those certs.
*/
void
ssl3_FilterECCipherSuitesByServerCerts(sslSocket * ss)
{
CERTCertificate * svrCert;
svrCert = ss->serverCerts[kt_rsa].serverCert;
if (!svrCert) {
ssl3_DisableECCSuites(ss, ecdhe_rsa_suites);
2015-10-21 05:03:22 +02:00
}
svrCert = ss->serverCerts[kt_ecdh].serverCert;
if (!svrCert) {
ssl3_DisableECCSuites(ss, ecdh_suites);
ssl3_DisableECCSuites(ss, ecdhe_ecdsa_suites);
2015-10-21 05:03:22 +02:00
} else {
SECOidTag sigTag = SECOID_GetAlgorithmTag(&svrCert->signature);
switch (sigTag) {
case SEC_OID_PKCS1_RSA_ENCRYPTION:
case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION:
case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
ssl3_DisableECCSuites(ss, ecdh_ecdsa_suites);
break;
case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE:
case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE:
case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE:
case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE:
case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE:
case SEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGEST:
case SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST:
ssl3_DisableECCSuites(ss, ecdh_rsa_suites);
break;
default:
ssl3_DisableECCSuites(ss, ecdh_suites);
break;
}
2015-10-21 05:03:22 +02:00
}
}
/* Ask: is ANY ECC cipher suite enabled on this socket? */
/* Order(N^2). Yuk. Also, this ignores export policy. */
PRBool
ssl3_IsECCEnabled(sslSocket * ss)
{
const ssl3CipherSuite * suite;
2018-05-04 16:08:28 +02:00
PK11SlotInfo *slot;
/* make sure we can do ECC */
slot = PK11_GetBestSlot(CKM_ECDH1_DERIVE, ss->pkcs11PinArg);
if (!slot) {
return PR_FALSE;
2018-05-04 16:08:28 +02:00
}
PK11_FreeSlot(slot);
2015-10-21 05:03:22 +02:00
2018-05-04 16:08:28 +02:00
/* make sure an ECC cipher is enabled */
2015-10-21 05:03:22 +02:00
for (suite = ecSuites; *suite; ++suite) {
PRBool enabled = PR_FALSE;
SECStatus rv = ssl3_CipherPrefGet(ss, *suite, &enabled);
2015-10-21 05:03:22 +02:00
PORT_Assert(rv == SECSuccess); /* else is coding error */
if (rv == SECSuccess && enabled)
return PR_TRUE;
2015-10-21 05:03:22 +02:00
}
return PR_FALSE;
}
#define BE(n) 0, n
/* Prefabricated TLS client hello extension, Elliptic Curves List,
* offers only 3 curves, the Suite B curves, 23-25
2015-10-21 05:03:22 +02:00
*/
2018-05-04 16:08:28 +02:00
static const PRUint8 suiteBECList[12] = {
2015-10-21 05:03:22 +02:00
BE(10), /* Extension type */
BE( 8), /* octets that follow ( 3 pairs + 1 length pair) */
BE( 6), /* octets that follow ( 3 pairs) */
BE(23), BE(24), BE(25)
};
2018-05-04 16:08:28 +02:00
2015-10-21 05:03:22 +02:00
/* Prefabricated TLS client hello extension, Elliptic Curves List,
* offers curves 1-25.
*/
2018-05-04 16:08:28 +02:00
static const PRUint8 tlsECList[56] = {
2015-10-21 05:03:22 +02:00
BE(10), /* Extension type */
BE(52), /* octets that follow (25 pairs + 1 length pair) */
BE(50), /* octets that follow (25 pairs) */
BE( 1), BE( 2), BE( 3), BE( 4), BE( 5), BE( 6), BE( 7),
BE( 8), BE( 9), BE(10), BE(11), BE(12), BE(13), BE(14), BE(15),
BE(16), BE(17), BE(18), BE(19), BE(20), BE(21), BE(22), BE(23),
2015-10-21 05:03:22 +02:00
BE(24), BE(25)
};
2018-05-04 16:08:28 +02:00
static const PRUint8 ecPtFmt[6] = {
2015-10-21 05:03:22 +02:00
BE(11), /* Extension type */
BE( 2), /* octets that follow */
1, /* octets that follow */
0 /* uncompressed type only */
};
2018-05-04 16:08:28 +02:00
/* This function already presumes we can do ECC, ssl3_IsECCEnabled must be
* called before this function. It looks to see if we have a token which
* is capable of doing smaller than SuiteB curves. If the token can, we
* presume the token can do the whole SSL suite of curves. If it can't we
* presume the token that allowed ECC to be enabled can only do suite B
* curves. */
static PRBool
ssl3_SuiteBOnly(sslSocket *ss)
{
/* See if we can support small curves (like 163). If not, assume we can
* only support Suite-B curves (P-256, P-384, P-521). */
PK11SlotInfo *slot =
PK11_GetBestSlotWithAttributes(CKM_ECDH1_DERIVE, 0, 163,
ss ? ss->pkcs11PinArg : NULL);
2018-05-04 16:08:28 +02:00
if (!slot) {
/* nope, presume we can only do suite B */
return PR_TRUE;
2018-05-04 16:08:28 +02:00
}
/* we can, presume we can do all curves */
PK11_FreeSlot(slot);
return PR_FALSE;
}
2015-10-21 05:03:22 +02:00
/* Send our "canned" (precompiled) Supported Elliptic Curves extension,
* which says that we support all TLS-defined named curves.
*/
PRInt32
ssl3_SendSupportedCurvesXtn(
sslSocket * ss,
PRBool append,
PRUint32 maxBytes)
2015-10-21 05:03:22 +02:00
{
2018-05-04 16:08:28 +02:00
PRInt32 ecListSize = 0;
const PRUint8 *ecList = NULL;
2015-10-21 05:03:22 +02:00
if (!ss || !ssl3_IsECCEnabled(ss))
return 0;
2018-05-04 16:08:28 +02:00
if (ssl3_SuiteBOnly(ss)) {
ecListSize = sizeof suiteBECList;
ecList = suiteBECList;
2018-05-04 16:08:28 +02:00
} else {
ecListSize = sizeof tlsECList;
ecList = tlsECList;
2018-05-04 16:08:28 +02:00
}
if (maxBytes < (PRUint32)ecListSize) {
return 0;
}
if (append) {
SECStatus rv = ssl3_AppendHandshake(ss, ecList, ecListSize);
if (rv != SECSuccess)
return -1;
if (!ss->sec.isServer) {
TLSExtensionData *xtnData = &ss->xtnData;
xtnData->advertised[xtnData->numAdvertised++] =
ssl_elliptic_curves_xtn;
}
2015-10-21 05:03:22 +02:00
}
2018-05-04 16:08:28 +02:00
return ecListSize;
}
PRUint32
ssl3_GetSupportedECCurveMask(sslSocket *ss)
{
if (ssl3_SuiteBOnly(ss)) {
return SSL3_SUITE_B_SUPPORTED_CURVES_MASK;
2018-05-04 16:08:28 +02:00
}
return SSL3_ALL_SUPPORTED_CURVES_MASK;
2015-10-21 05:03:22 +02:00
}
/* Send our "canned" (precompiled) Supported Point Formats extension,
* which says that we only support uncompressed points.
*/
PRInt32
ssl3_SendSupportedPointFormatsXtn(
sslSocket * ss,
PRBool append,
PRUint32 maxBytes)
2015-10-21 05:03:22 +02:00
{
if (!ss || !ssl3_IsECCEnabled(ss))
return 0;
2018-05-04 16:08:28 +02:00
if (append && maxBytes >= (sizeof ecPtFmt)) {
SECStatus rv = ssl3_AppendHandshake(ss, ecPtFmt, (sizeof ecPtFmt));
if (rv != SECSuccess)
return -1;
if (!ss->sec.isServer) {
TLSExtensionData *xtnData = &ss->xtnData;
xtnData->advertised[xtnData->numAdvertised++] =
ssl_ec_point_formats_xtn;
}
2015-10-21 05:03:22 +02:00
}
2018-05-04 16:08:28 +02:00
return (sizeof ecPtFmt);
2015-10-21 05:03:22 +02:00
}
/* Just make sure that the remote client supports uncompressed points,
* Since that is all we support. Disable ECC cipher suites if it doesn't.
*/
SECStatus
ssl3_HandleSupportedPointFormatsXtn(sslSocket *ss, PRUint16 ex_type,
SECItem *data)
{
int i;
if (data->len < 2 || data->len > 255 || !data->data ||
data->len != (unsigned int)data->data[0] + 1) {
return ssl3_DecodeError(ss);
2015-10-21 05:03:22 +02:00
}
for (i = data->len; --i > 0; ) {
if (data->data[i] == 0) {
/* indicate that we should send a reply */
SECStatus rv;
rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type,
&ssl3_SendSupportedPointFormatsXtn);
return rv;
}
2015-10-21 05:03:22 +02:00
}
2015-10-21 05:03:22 +02:00
/* evil client doesn't support uncompressed */
ssl3_DisableECCSuites(ss, ecSuites);
return SECSuccess;
2015-10-21 05:03:22 +02:00
}
#define SSL3_GET_SERVER_PUBLICKEY(sock, type) \
(ss->serverCerts[type].serverKeyPair ? \
ss->serverCerts[type].serverKeyPair->pubKey : NULL)
/* Extract the TLS curve name for the public key in our EC server cert. */
ECName ssl3_GetSvrCertCurveName(sslSocket *ss)
2015-10-21 05:03:22 +02:00
{
SECKEYPublicKey *srvPublicKey;
ECName ec_curve = ec_noName;
2015-10-21 05:03:22 +02:00
srvPublicKey = SSL3_GET_SERVER_PUBLICKEY(ss, kt_ecdh);
if (srvPublicKey) {
ec_curve = params2ecName(&srvPublicKey->u.ec.DEREncodedParams);
2015-10-21 05:03:22 +02:00
}
return ec_curve;
}
/* Ensure that the curve in our server cert is one of the ones supported
2015-10-21 05:03:22 +02:00
* by the remote client, and disable all ECC cipher suites if not.
*/
SECStatus
ssl3_HandleSupportedCurvesXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data)
{
PRInt32 list_len;
PRUint32 peerCurves = 0;
PRUint32 mutualCurves = 0;
PRUint16 svrCertCurveName;
if (!data->data || data->len < 4) {
(void)ssl3_DecodeError(ss);
return SECFailure;
}
2015-10-21 05:03:22 +02:00
/* get the length of elliptic_curve_list */
list_len = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len);
if (list_len < 0 || data->len != list_len || (data->len % 2) != 0) {
(void)ssl3_DecodeError(ss);
return SECFailure;
2015-10-21 05:03:22 +02:00
}
/* build bit vector of peer's supported curve names */
while (data->len) {
PRInt32 curve_name =
ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len);
if (curve_name < 0) {
return SECFailure; /* fatal alert already sent */
}
if (curve_name > ec_noName && curve_name < ec_pastLastName) {
peerCurves |= (1U << curve_name);
}
2015-10-21 05:03:22 +02:00
}
/* What curves do we support in common? */
mutualCurves = ss->ssl3.hs.negotiatedECCurves &= peerCurves;
if (!mutualCurves) {
/* no mutually supported EC Curves, disable ECC */
ssl3_DisableECCSuites(ss, ecSuites);
return SECSuccess;
2015-10-21 05:03:22 +02:00
}
/* if our ECC cert doesn't use one of these supported curves,
* disable ECC cipher suites that require an ECC cert.
2015-10-21 05:03:22 +02:00
*/
svrCertCurveName = ssl3_GetSvrCertCurveName(ss);
if (svrCertCurveName != ec_noName &&
(mutualCurves & (1U << svrCertCurveName)) != 0) {
return SECSuccess;
2015-10-21 05:03:22 +02:00
}
/* Our EC cert doesn't contain a mutually supported curve.
* Disable all ECC cipher suites that require an EC cert
2015-10-21 05:03:22 +02:00
*/
ssl3_DisableECCSuites(ss, ecdh_ecdsa_suites);
ssl3_DisableECCSuites(ss, ecdhe_ecdsa_suites);
return SECSuccess;
2015-10-21 05:03:22 +02:00
}
#endif /* NSS_DISABLE_ECC */