Home | History | Annotate | Download | only in ssl
      1 /*
      2  * SSL3 Protocol
      3  *
      4  * ***** BEGIN LICENSE BLOCK *****
      5  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
      6  *
      7  * The contents of this file are subject to the Mozilla Public License Version
      8  * 1.1 (the "License"); you may not use this file except in compliance with
      9  * the License. You may obtain a copy of the License at
     10  * http://www.mozilla.org/MPL/
     11  *
     12  * Software distributed under the License is distributed on an "AS IS" basis,
     13  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
     14  * for the specific language governing rights and limitations under the
     15  * License.
     16  *
     17  * The Original Code is the Netscape security libraries.
     18  *
     19  * The Initial Developer of the Original Code is
     20  * Netscape Communications Corporation.
     21  * Portions created by the Initial Developer are Copyright (C) 1994-2000
     22  * the Initial Developer. All Rights Reserved.
     23  *
     24  * Contributor(s):
     25  *   Dr Vipul Gupta <vipul.gupta (at) sun.com> and
     26  *   Douglas Stebila <douglas (at) stebila.ca>, Sun Microsystems Laboratories
     27  *
     28  * Alternatively, the contents of this file may be used under the terms of
     29  * either the GNU General Public License Version 2 or later (the "GPL"), or
     30  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
     31  * in which case the provisions of the GPL or the LGPL are applicable instead
     32  * of those above. If you wish to allow use of your version of this file only
     33  * under the terms of either the GPL or the LGPL, and not to allow others to
     34  * use your version of this file under the terms of the MPL, indicate your
     35  * decision by deleting the provisions above and replace them with the notice
     36  * and other provisions required by the GPL or the LGPL. If you do not delete
     37  * the provisions above, a recipient may use your version of this file under
     38  * the terms of any one of the MPL, the GPL or the LGPL.
     39  *
     40  * ***** END LICENSE BLOCK ***** */
     41 
     42 /* ECC code moved here from ssl3con.c */
     43 /* $Id: ssl3ecc.c,v 1.22 2008/03/10 00:01:28 wtc%google.com Exp $ */
     44 
     45 #include "nss.h"
     46 #include "cert.h"
     47 #include "ssl.h"
     48 #include "cryptohi.h"	/* for DSAU_ stuff */
     49 #include "keyhi.h"
     50 #include "secder.h"
     51 #include "secitem.h"
     52 
     53 #include "sslimpl.h"
     54 #include "sslproto.h"
     55 #include "sslerr.h"
     56 #include "prtime.h"
     57 #include "prinrval.h"
     58 #include "prerror.h"
     59 #include "pratom.h"
     60 #include "prthread.h"
     61 #include "prinit.h"
     62 
     63 #include "pk11func.h"
     64 #include "secmod.h"
     65 #include "ec.h"
     66 #include "blapi.h"
     67 
     68 #include <stdio.h>
     69 
     70 #ifdef NSS_ENABLE_ECC
     71 
     72 #ifndef PK11_SETATTRS
     73 #define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \
     74 		(x)->pValue=(v); (x)->ulValueLen = (l);
     75 #endif
     76 
     77 #define SSL_GET_SERVER_PUBLIC_KEY(sock, type) \
     78     (ss->serverCerts[type].serverKeyPair ? \
     79     ss->serverCerts[type].serverKeyPair->pubKey : NULL)
     80 
     81 #define SSL_IS_CURVE_NEGOTIATED(curvemsk, curveName) \
     82     ((curveName > ec_noName) && \
     83      (curveName < ec_pastLastName) && \
     84      ((1UL << curveName) & curvemsk) != 0)
     85 
     86 
     87 
     88 static SECStatus ssl3_CreateECDHEphemeralKeys(sslSocket *ss, ECName ec_curve);
     89 
     90 #define supportedCurve(x) (((x) > ec_noName) && ((x) < ec_pastLastName))
     91 
     92 /* Table containing OID tags for elliptic curves named in the
     93  * ECC-TLS IETF draft.
     94  */
     95 static const SECOidTag ecName2OIDTag[] = {
     96 	0,
     97 	SEC_OID_SECG_EC_SECT163K1,  /*  1 */
     98 	SEC_OID_SECG_EC_SECT163R1,  /*  2 */
     99 	SEC_OID_SECG_EC_SECT163R2,  /*  3 */
    100 	SEC_OID_SECG_EC_SECT193R1,  /*  4 */
    101 	SEC_OID_SECG_EC_SECT193R2,  /*  5 */
    102 	SEC_OID_SECG_EC_SECT233K1,  /*  6 */
    103 	SEC_OID_SECG_EC_SECT233R1,  /*  7 */
    104 	SEC_OID_SECG_EC_SECT239K1,  /*  8 */
    105 	SEC_OID_SECG_EC_SECT283K1,  /*  9 */
    106 	SEC_OID_SECG_EC_SECT283R1,  /* 10 */
    107 	SEC_OID_SECG_EC_SECT409K1,  /* 11 */
    108 	SEC_OID_SECG_EC_SECT409R1,  /* 12 */
    109 	SEC_OID_SECG_EC_SECT571K1,  /* 13 */
    110 	SEC_OID_SECG_EC_SECT571R1,  /* 14 */
    111 	SEC_OID_SECG_EC_SECP160K1,  /* 15 */
    112 	SEC_OID_SECG_EC_SECP160R1,  /* 16 */
    113 	SEC_OID_SECG_EC_SECP160R2,  /* 17 */
    114 	SEC_OID_SECG_EC_SECP192K1,  /* 18 */
    115 	SEC_OID_SECG_EC_SECP192R1,  /* 19 */
    116 	SEC_OID_SECG_EC_SECP224K1,  /* 20 */
    117 	SEC_OID_SECG_EC_SECP224R1,  /* 21 */
    118 	SEC_OID_SECG_EC_SECP256K1,  /* 22 */
    119 	SEC_OID_SECG_EC_SECP256R1,  /* 23 */
    120 	SEC_OID_SECG_EC_SECP384R1,  /* 24 */
    121 	SEC_OID_SECG_EC_SECP521R1,  /* 25 */
    122 };
    123 
    124 static const PRUint16 curve2bits[] = {
    125 	  0, /*  ec_noName     = 0,   */
    126 	163, /*  ec_sect163k1  = 1,   */
    127 	163, /*  ec_sect163r1  = 2,   */
    128 	163, /*  ec_sect163r2  = 3,   */
    129 	193, /*  ec_sect193r1  = 4,   */
    130 	193, /*  ec_sect193r2  = 5,   */
    131 	233, /*  ec_sect233k1  = 6,   */
    132 	233, /*  ec_sect233r1  = 7,   */
    133 	239, /*  ec_sect239k1  = 8,   */
    134 	283, /*  ec_sect283k1  = 9,   */
    135 	283, /*  ec_sect283r1  = 10,  */
    136 	409, /*  ec_sect409k1  = 11,  */
    137 	409, /*  ec_sect409r1  = 12,  */
    138 	571, /*  ec_sect571k1  = 13,  */
    139 	571, /*  ec_sect571r1  = 14,  */
    140 	160, /*  ec_secp160k1  = 15,  */
    141 	160, /*  ec_secp160r1  = 16,  */
    142 	160, /*  ec_secp160r2  = 17,  */
    143 	192, /*  ec_secp192k1  = 18,  */
    144 	192, /*  ec_secp192r1  = 19,  */
    145 	224, /*  ec_secp224k1  = 20,  */
    146 	224, /*  ec_secp224r1  = 21,  */
    147 	256, /*  ec_secp256k1  = 22,  */
    148 	256, /*  ec_secp256r1  = 23,  */
    149 	384, /*  ec_secp384r1  = 24,  */
    150 	521, /*  ec_secp521r1  = 25,  */
    151       65535  /*  ec_pastLastName      */
    152 };
    153 
    154 typedef struct Bits2CurveStr {
    155     PRUint16    bits;
    156     ECName      curve;
    157 } Bits2Curve;
    158 
    159 static const Bits2Curve bits2curve [] = {
    160    {	192,     ec_secp192r1    /*  = 19,  fast */  },
    161    {	160,     ec_secp160r2    /*  = 17,  fast */  },
    162    {	160,     ec_secp160k1    /*  = 15,  */       },
    163    {	160,     ec_secp160r1    /*  = 16,  */       },
    164    {	163,     ec_sect163k1    /*  = 1,   */       },
    165    {	163,     ec_sect163r1    /*  = 2,   */       },
    166    {	163,     ec_sect163r2    /*  = 3,   */       },
    167    {	192,     ec_secp192k1    /*  = 18,  */       },
    168    {	193,     ec_sect193r1    /*  = 4,   */       },
    169    {	193,     ec_sect193r2    /*  = 5,   */       },
    170    {	224,     ec_secp224r1    /*  = 21,  fast */  },
    171    {	224,     ec_secp224k1    /*  = 20,  */       },
    172    {	233,     ec_sect233k1    /*  = 6,   */       },
    173    {	233,     ec_sect233r1    /*  = 7,   */       },
    174    {	239,     ec_sect239k1    /*  = 8,   */       },
    175    {	256,     ec_secp256r1    /*  = 23,  fast */  },
    176    {	256,     ec_secp256k1    /*  = 22,  */       },
    177    {	283,     ec_sect283k1    /*  = 9,   */       },
    178    {	283,     ec_sect283r1    /*  = 10,  */       },
    179    {	384,     ec_secp384r1    /*  = 24,  fast */  },
    180    {	409,     ec_sect409k1    /*  = 11,  */       },
    181    {	409,     ec_sect409r1    /*  = 12,  */       },
    182    {	521,     ec_secp521r1    /*  = 25,  fast */  },
    183    {	571,     ec_sect571k1    /*  = 13,  */       },
    184    {	571,     ec_sect571r1    /*  = 14,  */       },
    185    {  65535,     ec_noName    }
    186 };
    187 
    188 typedef struct ECDHEKeyPairStr {
    189     ssl3KeyPair *  pair;
    190     int            error;  /* error code of the call-once function */
    191     PRCallOnceType once;
    192 } ECDHEKeyPair;
    193 
    194 /* arrays of ECDHE KeyPairs */
    195 static ECDHEKeyPair gECDHEKeyPairs[ec_pastLastName];
    196 
    197 SECStatus
    198 ssl3_ECName2Params(PRArenaPool * arena, ECName curve, SECKEYECParams * params)
    199 {
    200     SECOidData *oidData = NULL;
    201 
    202     if ((curve <= ec_noName) || (curve >= ec_pastLastName) ||
    203 	((oidData = SECOID_FindOIDByTag(ecName2OIDTag[curve])) == NULL)) {
    204         PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
    205 	return SECFailure;
    206     }
    207 
    208     SECITEM_AllocItem(arena, params, (2 + oidData->oid.len));
    209     /*
    210      * params->data needs to contain the ASN encoding of an object ID (OID)
    211      * representing the named curve. The actual OID is in
    212      * oidData->oid.data so we simply prepend 0x06 and OID length
    213      */
    214     params->data[0] = SEC_ASN1_OBJECT_ID;
    215     params->data[1] = oidData->oid.len;
    216     memcpy(params->data + 2, oidData->oid.data, oidData->oid.len);
    217 
    218     return SECSuccess;
    219 }
    220 
    221 static ECName
    222 params2ecName(SECKEYECParams * params)
    223 {
    224     SECItem oid = { siBuffer, NULL, 0};
    225     SECOidData *oidData = NULL;
    226     ECName i;
    227 
    228     /*
    229      * params->data needs to contain the ASN encoding of an object ID (OID)
    230      * representing a named curve. Here, we strip away everything
    231      * before the actual OID and use the OID to look up a named curve.
    232      */
    233     if (params->data[0] != SEC_ASN1_OBJECT_ID) return ec_noName;
    234     oid.len = params->len - 2;
    235     oid.data = params->data + 2;
    236     if ((oidData = SECOID_FindOID(&oid)) == NULL) return ec_noName;
    237     for (i = ec_noName + 1; i < ec_pastLastName; i++) {
    238 	if (ecName2OIDTag[i] == oidData->offset)
    239 	    return i;
    240     }
    241 
    242     return ec_noName;
    243 }
    244 
    245 /* Caller must set hiLevel error code. */
    246 static SECStatus
    247 ssl3_ComputeECDHKeyHash(SECItem ec_params, SECItem server_ecpoint,
    248 			     SSL3Random *client_rand, SSL3Random *server_rand,
    249 			     SSL3Hashes *hashes, PRBool bypassPKCS11)
    250 {
    251     PRUint8     * hashBuf;
    252     PRUint8     * pBuf;
    253     SECStatus     rv 		= SECSuccess;
    254     unsigned int  bufLen;
    255     /*
    256      * XXX For now, we only support named curves (the appropriate
    257      * checks are made before this method is called) so ec_params
    258      * takes up only two bytes. ECPoint needs to fit in 256 bytes
    259      * (because the spec says the length must fit in one byte)
    260      */
    261     PRUint8       buf[2*SSL3_RANDOM_LENGTH + 2 + 1 + 256];
    262 
    263     bufLen = 2*SSL3_RANDOM_LENGTH + ec_params.len + 1 + server_ecpoint.len;
    264     if (bufLen <= sizeof buf) {
    265     	hashBuf = buf;
    266     } else {
    267     	hashBuf = PORT_Alloc(bufLen);
    268 	if (!hashBuf) {
    269 	    return SECFailure;
    270 	}
    271     }
    272 
    273     memcpy(hashBuf, client_rand, SSL3_RANDOM_LENGTH);
    274     	pBuf = hashBuf + SSL3_RANDOM_LENGTH;
    275     memcpy(pBuf, server_rand, SSL3_RANDOM_LENGTH);
    276     	pBuf += SSL3_RANDOM_LENGTH;
    277     memcpy(pBuf, ec_params.data, ec_params.len);
    278     	pBuf += ec_params.len;
    279     pBuf[0] = (PRUint8)(server_ecpoint.len);
    280     pBuf += 1;
    281     memcpy(pBuf, server_ecpoint.data, server_ecpoint.len);
    282     	pBuf += server_ecpoint.len;
    283     PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen);
    284 
    285     rv = ssl3_ComputeCommonKeyHash(hashBuf, bufLen, hashes, bypassPKCS11);
    286 
    287     PRINT_BUF(95, (NULL, "ECDHkey hash: ", hashBuf, bufLen));
    288     PRINT_BUF(95, (NULL, "ECDHkey hash: MD5 result", hashes->md5, MD5_LENGTH));
    289     PRINT_BUF(95, (NULL, "ECDHkey hash: SHA1 result", hashes->sha, SHA1_LENGTH));
    290 
    291     if (hashBuf != buf && hashBuf != NULL)
    292     	PORT_Free(hashBuf);
    293     return rv;
    294 }
    295 
    296 
    297 /* Called from ssl3_SendClientKeyExchange(). */
    298 SECStatus
    299 ssl3_SendECDHClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
    300 {
    301     PK11SymKey *	pms 		= NULL;
    302     SECStatus           rv    		= SECFailure;
    303     PRBool              isTLS;
    304     CK_MECHANISM_TYPE	target;
    305     SECKEYPublicKey	*pubKey = NULL;		/* Ephemeral ECDH key */
    306     SECKEYPrivateKey	*privKey = NULL;	/* Ephemeral ECDH key */
    307 
    308     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
    309     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
    310 
    311     isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
    312 
    313     /* Generate ephemeral EC keypair */
    314     if (svrPubKey->keyType != ecKey) {
    315 	PORT_SetError(SEC_ERROR_BAD_KEY);
    316 	goto loser;
    317     }
    318     /* XXX SHOULD CALL ssl3_CreateECDHEphemeralKeys here, instead! */
    319     privKey = SECKEY_CreateECPrivateKey(&svrPubKey->u.ec.DEREncodedParams,
    320 	                                &pubKey, NULL);
    321     if (!privKey || !pubKey) {
    322 	    ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
    323 	    rv = SECFailure;
    324 	    goto loser;
    325     }
    326     PRINT_BUF(50, (ss, "ECDH public value:",
    327 					pubKey->u.ec.publicValue.data,
    328 					pubKey->u.ec.publicValue.len));
    329 
    330     if (isTLS) target = CKM_TLS_MASTER_KEY_DERIVE_DH;
    331     else target = CKM_SSL3_MASTER_KEY_DERIVE_DH;
    332 
    333     /*  Determine the PMS */
    334     pms = PK11_PubDeriveWithKDF(privKey, svrPubKey, PR_FALSE, NULL, NULL,
    335 			    CKM_ECDH1_DERIVE, target, CKA_DERIVE, 0,
    336 			    CKD_NULL, NULL, NULL);
    337 
    338     if (pms == NULL) {
    339 	SSL3AlertDescription desc  = illegal_parameter;
    340 	(void)SSL3_SendAlert(ss, alert_fatal, desc);
    341 	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
    342 	goto loser;
    343     }
    344 
    345     SECKEY_DestroyPrivateKey(privKey);
    346     privKey = NULL;
    347 
    348     rv = ssl3_InitPendingCipherSpec(ss,  pms);
    349     PK11_FreeSymKey(pms); pms = NULL;
    350 
    351     if (rv != SECSuccess) {
    352 	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
    353 	goto loser;
    354     }
    355 
    356     rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange,
    357 					pubKey->u.ec.publicValue.len + 1);
    358     if (rv != SECSuccess) {
    359         goto loser;	/* err set by ssl3_AppendHandshake* */
    360     }
    361 
    362     rv = ssl3_AppendHandshakeVariable(ss,
    363 					pubKey->u.ec.publicValue.data,
    364 					pubKey->u.ec.publicValue.len, 1);
    365     SECKEY_DestroyPublicKey(pubKey);
    366     pubKey = NULL;
    367 
    368     if (rv != SECSuccess) {
    369         goto loser;	/* err set by ssl3_AppendHandshake* */
    370     }
    371 
    372     rv = SECSuccess;
    373 
    374 loser:
    375     if(pms) PK11_FreeSymKey(pms);
    376     if(privKey) SECKEY_DestroyPrivateKey(privKey);
    377     if(pubKey) SECKEY_DestroyPublicKey(pubKey);
    378     return rv;
    379 }
    380 
    381 
    382 /*
    383 ** Called from ssl3_HandleClientKeyExchange()
    384 */
    385 SECStatus
    386 ssl3_HandleECDHClientKeyExchange(sslSocket *ss, SSL3Opaque *b,
    387 				     PRUint32 length,
    388                                      SECKEYPublicKey *srvrPubKey,
    389                                      SECKEYPrivateKey *srvrPrivKey)
    390 {
    391     PK11SymKey *      pms;
    392     SECStatus         rv;
    393     SECKEYPublicKey   clntPubKey;
    394     CK_MECHANISM_TYPE	target;
    395     PRBool isTLS;
    396 
    397     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
    398     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
    399 
    400     clntPubKey.keyType = ecKey;
    401     clntPubKey.u.ec.DEREncodedParams.len =
    402 	srvrPubKey->u.ec.DEREncodedParams.len;
    403     clntPubKey.u.ec.DEREncodedParams.data =
    404 	srvrPubKey->u.ec.DEREncodedParams.data;
    405 
    406     rv = ssl3_ConsumeHandshakeVariable(ss, &clntPubKey.u.ec.publicValue,
    407 	                               1, &b, &length);
    408     if (rv != SECSuccess) {
    409 	SEND_ALERT
    410 	return SECFailure;	/* XXX Who sets the error code?? */
    411     }
    412 
    413     isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
    414 
    415     if (isTLS) target = CKM_TLS_MASTER_KEY_DERIVE_DH;
    416     else target = CKM_SSL3_MASTER_KEY_DERIVE_DH;
    417 
    418     /*  Determine the PMS */
    419     pms = PK11_PubDeriveWithKDF(srvrPrivKey, &clntPubKey, PR_FALSE, NULL, NULL,
    420 			    CKM_ECDH1_DERIVE, target, CKA_DERIVE, 0,
    421 			    CKD_NULL, NULL, NULL);
    422 
    423     if (pms == NULL) {
    424 	/* last gasp.  */
    425 	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
    426 	return SECFailure;
    427     }
    428 
    429     rv = ssl3_InitPendingCipherSpec(ss,  pms);
    430     PK11_FreeSymKey(pms);
    431     if (rv != SECSuccess) {
    432 	SEND_ALERT
    433 	return SECFailure; /* error code set by ssl3_InitPendingCipherSpec */
    434     }
    435     return SECSuccess;
    436 }
    437 
    438 ECName
    439 ssl3_GetCurveWithECKeyStrength(PRUint32 curvemsk, int requiredECCbits)
    440 {
    441     int    i;
    442 
    443     for ( i = 0; bits2curve[i].curve != ec_noName; i++) {
    444 	if (bits2curve[i].bits < requiredECCbits)
    445 	    continue;
    446     	if (SSL_IS_CURVE_NEGOTIATED(curvemsk, bits2curve[i].curve)) {
    447 	    return bits2curve[i].curve;
    448 	}
    449     }
    450     PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
    451     return ec_noName;
    452 }
    453 
    454 /* find the "weakest link".  Get strength of signature key and of sym key.
    455  * choose curve for the weakest of those two.
    456  */
    457 ECName
    458 ssl3_GetCurveNameForServerSocket(sslSocket *ss)
    459 {
    460     SECKEYPublicKey * svrPublicKey = NULL;
    461     ECName ec_curve = ec_noName;
    462     int    signatureKeyStrength = 521;
    463     int    requiredECCbits = ss->sec.secretKeyBits * 2;
    464 
    465     if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa) {
    466 	svrPublicKey = SSL_GET_SERVER_PUBLIC_KEY(ss, kt_ecdh);
    467 	if (svrPublicKey)
    468 	    ec_curve = params2ecName(&svrPublicKey->u.ec.DEREncodedParams);
    469 	if (!SSL_IS_CURVE_NEGOTIATED(ss->ssl3.hs.negotiatedECCurves, ec_curve)) {
    470 	    PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
    471 	    return ec_noName;
    472 	}
    473 	signatureKeyStrength = curve2bits[ ec_curve ];
    474     } else {
    475         /* RSA is our signing cert */
    476         int serverKeyStrengthInBits;
    477 
    478         svrPublicKey = SSL_GET_SERVER_PUBLIC_KEY(ss, kt_rsa);
    479         if (!svrPublicKey) {
    480             PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
    481             return ec_noName;
    482         }
    483 
    484         /* currently strength in bytes */
    485         serverKeyStrengthInBits = svrPublicKey->u.rsa.modulus.len;
    486         if (svrPublicKey->u.rsa.modulus.data[0] == 0) {
    487             serverKeyStrengthInBits--;
    488         }
    489         /* convert to strength in bits */
    490         serverKeyStrengthInBits *= BPB;
    491 
    492         signatureKeyStrength =
    493 	    SSL_RSASTRENGTH_TO_ECSTRENGTH(serverKeyStrengthInBits);
    494     }
    495     if ( requiredECCbits > signatureKeyStrength )
    496          requiredECCbits = signatureKeyStrength;
    497 
    498     return ssl3_GetCurveWithECKeyStrength(ss->ssl3.hs.negotiatedECCurves,
    499 					  requiredECCbits);
    500 }
    501 
    502 /* function to clear out the lists */
    503 static SECStatus
    504 ssl3_ShutdownECDHECurves(void *appData, void *nssData)
    505 {
    506     int i;
    507     ECDHEKeyPair *keyPair = &gECDHEKeyPairs[0];
    508 
    509     for (i=0; i < ec_pastLastName; i++, keyPair++) {
    510 	if (keyPair->pair) {
    511 	    ssl3_FreeKeyPair(keyPair->pair);
    512 	}
    513     }
    514     memset(gECDHEKeyPairs, 0, sizeof gECDHEKeyPairs);
    515     return SECSuccess;
    516 }
    517 
    518 static PRStatus
    519 ssl3_ECRegister(void)
    520 {
    521     SECStatus rv;
    522     rv = NSS_RegisterShutdown(ssl3_ShutdownECDHECurves, gECDHEKeyPairs);
    523     if (rv != SECSuccess) {
    524 	gECDHEKeyPairs[ec_noName].error = PORT_GetError();
    525     }
    526     return (PRStatus)rv;
    527 }
    528 
    529 /* CallOnce function, called once for each named curve. */
    530 static PRStatus
    531 ssl3_CreateECDHEphemeralKeyPair(void * arg)
    532 {
    533     SECKEYPrivateKey *    privKey  = NULL;
    534     SECKEYPublicKey *     pubKey   = NULL;
    535     ssl3KeyPair *	  keyPair  = NULL;
    536     ECName                ec_curve = (ECName)arg;
    537     SECKEYECParams        ecParams = { siBuffer, NULL, 0 };
    538 
    539     PORT_Assert(gECDHEKeyPairs[ec_curve].pair == NULL);
    540 
    541     /* ok, no one has generated a global key for this curve yet, do so */
    542     if (ssl3_ECName2Params(NULL, ec_curve, &ecParams) != SECSuccess) {
    543 	gECDHEKeyPairs[ec_curve].error = PORT_GetError();
    544 	return PR_FAILURE;
    545     }
    546 
    547     privKey = SECKEY_CreateECPrivateKey(&ecParams, &pubKey, NULL);
    548     SECITEM_FreeItem(&ecParams, PR_FALSE);
    549 
    550     if (!privKey || !pubKey || !(keyPair = ssl3_NewKeyPair(privKey, pubKey))) {
    551 	if (privKey) {
    552 	    SECKEY_DestroyPrivateKey(privKey);
    553 	}
    554 	if (pubKey) {
    555 	    SECKEY_DestroyPublicKey(pubKey);
    556 	}
    557 	ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
    558 	gECDHEKeyPairs[ec_curve].error = PORT_GetError();
    559 	return PR_FAILURE;
    560     }
    561 
    562     gECDHEKeyPairs[ec_curve].pair = keyPair;
    563     return PR_SUCCESS;
    564 }
    565 
    566 /*
    567  * Creates the ephemeral public and private ECDH keys used by
    568  * server in ECDHE_RSA and ECDHE_ECDSA handshakes.
    569  * For now, the elliptic curve is chosen to be the same
    570  * strength as the signing certificate (ECC or RSA).
    571  * We need an API to specify the curve. This won't be a real
    572  * issue until we further develop server-side support for ECC
    573  * cipher suites.
    574  */
    575 static SECStatus
    576 ssl3_CreateECDHEphemeralKeys(sslSocket *ss, ECName ec_curve)
    577 {
    578     ssl3KeyPair *	  keyPair        = NULL;
    579 
    580     /* if there's no global key for this curve, make one. */
    581     if (gECDHEKeyPairs[ec_curve].pair == NULL) {
    582 	PRStatus status;
    583 
    584 	status = PR_CallOnce(&gECDHEKeyPairs[ec_noName].once, ssl3_ECRegister);
    585         if (status != PR_SUCCESS) {
    586 	    PORT_SetError(gECDHEKeyPairs[ec_noName].error);
    587 	    return SECFailure;
    588     	}
    589 	status = PR_CallOnceWithArg(&gECDHEKeyPairs[ec_curve].once,
    590 	                            ssl3_CreateECDHEphemeralKeyPair,
    591 				    (void *)ec_curve);
    592         if (status != PR_SUCCESS) {
    593 	    PORT_SetError(gECDHEKeyPairs[ec_curve].error);
    594 	    return SECFailure;
    595     	}
    596     }
    597 
    598     keyPair = gECDHEKeyPairs[ec_curve].pair;
    599     PORT_Assert(keyPair != NULL);
    600     if (!keyPair)
    601     	return SECFailure;
    602     ss->ephemeralECDHKeyPair = ssl3_GetKeyPairRef(keyPair);
    603 
    604     return SECSuccess;
    605 }
    606 
    607 SECStatus
    608 ssl3_HandleECDHServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
    609 {
    610     PRArenaPool *    arena     = NULL;
    611     SECKEYPublicKey *peerKey   = NULL;
    612     PRBool           isTLS;
    613     SECStatus        rv;
    614     int              errCode   = SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH;
    615     SSL3AlertDescription desc  = illegal_parameter;
    616     SSL3Hashes       hashes;
    617     SECItem          signature = {siBuffer, NULL, 0};
    618 
    619     SECItem          ec_params = {siBuffer, NULL, 0};
    620     SECItem          ec_point  = {siBuffer, NULL, 0};
    621     unsigned char    paramBuf[3]; /* only for curve_type == named_curve */
    622 
    623     isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
    624 
    625     /* XXX This works only for named curves, revisit this when
    626      * we support generic curves.
    627      */
    628     ec_params.len  = sizeof paramBuf;
    629     ec_params.data = paramBuf;
    630     rv = ssl3_ConsumeHandshake(ss, ec_params.data, ec_params.len, &b, &length);
    631     if (rv != SECSuccess) {
    632 	goto loser;		/* malformed. */
    633     }
    634 
    635     /* Fail if the curve is not a named curve */
    636     if ((ec_params.data[0] != ec_type_named) ||
    637 	(ec_params.data[1] != 0) ||
    638 	!supportedCurve(ec_params.data[2])) {
    639 	    errCode = SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE;
    640 	    desc = handshake_failure;
    641 	    goto alert_loser;
    642     }
    643 
    644     rv = ssl3_ConsumeHandshakeVariable(ss, &ec_point, 1, &b, &length);
    645     if (rv != SECSuccess) {
    646 	goto loser;		/* malformed. */
    647     }
    648     /* Fail if the ec point uses compressed representation */
    649     if (ec_point.data[0] != EC_POINT_FORM_UNCOMPRESSED) {
    650 	    errCode = SEC_ERROR_UNSUPPORTED_EC_POINT_FORM;
    651 	    desc = handshake_failure;
    652 	    goto alert_loser;
    653     }
    654 
    655     rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length);
    656     if (rv != SECSuccess) {
    657 	goto loser;		/* malformed. */
    658     }
    659 
    660     if (length != 0) {
    661 	if (isTLS)
    662 	    desc = decode_error;
    663 	goto alert_loser;		/* malformed. */
    664     }
    665 
    666     PRINT_BUF(60, (NULL, "Server EC params", ec_params.data,
    667 	ec_params.len));
    668     PRINT_BUF(60, (NULL, "Server EC point", ec_point.data, ec_point.len));
    669 
    670     /* failures after this point are not malformed handshakes. */
    671     /* TLS: send decrypt_error if signature failed. */
    672     desc = isTLS ? decrypt_error : handshake_failure;
    673 
    674     /*
    675      *  check to make sure the hash is signed by right guy
    676      */
    677     rv = ssl3_ComputeECDHKeyHash(ec_params, ec_point,
    678 				      &ss->ssl3.hs.client_random,
    679 				      &ss->ssl3.hs.server_random,
    680 				      &hashes, ss->opt.bypassPKCS11);
    681 
    682     if (rv != SECSuccess) {
    683 	errCode =
    684 	    ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
    685 	goto alert_loser;
    686     }
    687     rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature,
    688 				isTLS, ss->pkcs11PinArg);
    689     if (rv != SECSuccess)  {
    690 	errCode =
    691 	    ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
    692 	goto alert_loser;
    693     }
    694 
    695     arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
    696     if (arena == NULL) {
    697 	goto no_memory;
    698     }
    699 
    700     ss->sec.peerKey = peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey);
    701     if (peerKey == NULL) {
    702 	goto no_memory;
    703     }
    704 
    705     peerKey->arena                 = arena;
    706     peerKey->keyType               = ecKey;
    707 
    708     /* set up EC parameters in peerKey */
    709     if (ssl3_ECName2Params(arena, ec_params.data[2],
    710 	    &peerKey->u.ec.DEREncodedParams) != SECSuccess) {
    711 	/* we should never get here since we already
    712 	 * checked that we are dealing with a supported curve
    713 	 */
    714 	errCode = SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE;
    715 	goto alert_loser;
    716     }
    717 
    718     /* copy publicValue in peerKey */
    719     if (SECITEM_CopyItem(arena, &peerKey->u.ec.publicValue,  &ec_point))
    720     {
    721 	PORT_FreeArena(arena, PR_FALSE);
    722 	goto no_memory;
    723     }
    724     peerKey->pkcs11Slot         = NULL;
    725     peerKey->pkcs11ID           = CK_INVALID_HANDLE;
    726 
    727     ss->sec.peerKey = peerKey;
    728     ss->ssl3.hs.ws = wait_cert_request;
    729 
    730     return SECSuccess;
    731 
    732 alert_loser:
    733     (void)SSL3_SendAlert(ss, alert_fatal, desc);
    734 loser:
    735     PORT_SetError( errCode );
    736     return SECFailure;
    737 
    738 no_memory:	/* no-memory error has already been set. */
    739     ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
    740     return SECFailure;
    741 }
    742 
    743 SECStatus
    744 ssl3_SendECDHServerKeyExchange(sslSocket *ss)
    745 {
    746 const ssl3KEADef *     kea_def     = ss->ssl3.hs.kea_def;
    747     SECStatus          rv          = SECFailure;
    748     int                length;
    749     PRBool             isTLS;
    750     SECItem            signed_hash = {siBuffer, NULL, 0};
    751     SSL3Hashes         hashes;
    752 
    753     SECKEYPublicKey *  ecdhePub;
    754     SECItem            ec_params = {siBuffer, NULL, 0};
    755     unsigned char      paramBuf[3];
    756     ECName             curve;
    757     SSL3KEAType        certIndex;
    758 
    759 
    760     /* Generate ephemeral ECDH key pair and send the public key */
    761     curve = ssl3_GetCurveNameForServerSocket(ss);
    762     if (curve == ec_noName) {
    763     	goto loser;
    764     }
    765     rv = ssl3_CreateECDHEphemeralKeys(ss, curve);
    766     if (rv != SECSuccess) {
    767 	goto loser; 	/* err set by AppendHandshake. */
    768     }
    769     ecdhePub = ss->ephemeralECDHKeyPair->pubKey;
    770     PORT_Assert(ecdhePub != NULL);
    771     if (!ecdhePub) {
    772 	PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
    773 	return SECFailure;
    774     }
    775 
    776     ec_params.len  = sizeof paramBuf;
    777     ec_params.data = paramBuf;
    778     curve = params2ecName(&ecdhePub->u.ec.DEREncodedParams);
    779     if (curve != ec_noName) {
    780 	ec_params.data[0] = ec_type_named;
    781 	ec_params.data[1] = 0x00;
    782 	ec_params.data[2] = curve;
    783     } else {
    784 	PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
    785 	goto loser;
    786     }
    787 
    788     rv = ssl3_ComputeECDHKeyHash(ec_params, ecdhePub->u.ec.publicValue,
    789 				      &ss->ssl3.hs.client_random,
    790 				      &ss->ssl3.hs.server_random,
    791 				      &hashes, ss->opt.bypassPKCS11);
    792     if (rv != SECSuccess) {
    793 	ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
    794 	goto loser;
    795     }
    796 
    797     isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
    798 
    799     /* XXX SSLKEAType isn't really a good choice for
    800      * indexing certificates but that's all we have
    801      * for now.
    802      */
    803     if (kea_def->kea == kea_ecdhe_rsa)
    804 	certIndex = kt_rsa;
    805     else /* kea_def->kea == kea_ecdhe_ecdsa */
    806 	certIndex = kt_ecdh;
    807 
    808     rv = ssl3_SignHashes(&hashes, ss->serverCerts[certIndex].SERVERKEY,
    809 			 &signed_hash, isTLS);
    810     if (rv != SECSuccess) {
    811 	goto loser;		/* ssl3_SignHashes has set err. */
    812     }
    813     if (signed_hash.data == NULL) {
    814 	/* how can this happen and rv == SECSuccess ?? */
    815 	PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
    816 	goto loser;
    817     }
    818 
    819     length = ec_params.len +
    820 	     1 + ecdhePub->u.ec.publicValue.len +
    821 	     2 + signed_hash.len;
    822 
    823     rv = ssl3_AppendHandshakeHeader(ss, server_key_exchange, length);
    824     if (rv != SECSuccess) {
    825 	goto loser; 	/* err set by AppendHandshake. */
    826     }
    827 
    828     rv = ssl3_AppendHandshake(ss, ec_params.data, ec_params.len);
    829     if (rv != SECSuccess) {
    830 	goto loser; 	/* err set by AppendHandshake. */
    831     }
    832 
    833     rv = ssl3_AppendHandshakeVariable(ss, ecdhePub->u.ec.publicValue.data,
    834 				      ecdhePub->u.ec.publicValue.len, 1);
    835     if (rv != SECSuccess) {
    836 	goto loser; 	/* err set by AppendHandshake. */
    837     }
    838 
    839     rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data,
    840 				      signed_hash.len, 2);
    841     if (rv != SECSuccess) {
    842 	goto loser; 	/* err set by AppendHandshake. */
    843     }
    844 
    845     PORT_Free(signed_hash.data);
    846     return SECSuccess;
    847 
    848 loser:
    849     if (signed_hash.data != NULL)
    850     	PORT_Free(signed_hash.data);
    851     return SECFailure;
    852 }
    853 
    854 /* Lists of ECC cipher suites for searching and disabling. */
    855 
    856 static const ssl3CipherSuite ecdh_suites[] = {
    857     TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
    858     TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
    859     TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
    860     TLS_ECDH_ECDSA_WITH_NULL_SHA,
    861     TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
    862     TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
    863     TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
    864     TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
    865     TLS_ECDH_RSA_WITH_NULL_SHA,
    866     TLS_ECDH_RSA_WITH_RC4_128_SHA,
    867     0 /* end of list marker */
    868 };
    869 
    870 static const ssl3CipherSuite ecdh_ecdsa_suites[] = {
    871     TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
    872     TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
    873     TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
    874     TLS_ECDH_ECDSA_WITH_NULL_SHA,
    875     TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
    876     0 /* end of list marker */
    877 };
    878 
    879 static const ssl3CipherSuite ecdh_rsa_suites[] = {
    880     TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
    881     TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
    882     TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
    883     TLS_ECDH_RSA_WITH_NULL_SHA,
    884     TLS_ECDH_RSA_WITH_RC4_128_SHA,
    885     0 /* end of list marker */
    886 };
    887 
    888 static const ssl3CipherSuite ecdhe_ecdsa_suites[] = {
    889     TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
    890     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
    891     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
    892     TLS_ECDHE_ECDSA_WITH_NULL_SHA,
    893     TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
    894     0 /* end of list marker */
    895 };
    896 
    897 static const ssl3CipherSuite ecdhe_rsa_suites[] = {
    898     TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
    899     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    900     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
    901     TLS_ECDHE_RSA_WITH_NULL_SHA,
    902     TLS_ECDHE_RSA_WITH_RC4_128_SHA,
    903     0 /* end of list marker */
    904 };
    905 
    906 /* List of all ECC cipher suites */
    907 static const ssl3CipherSuite ecSuites[] = {
    908     TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
    909     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
    910     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
    911     TLS_ECDHE_ECDSA_WITH_NULL_SHA,
    912     TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
    913     TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
    914     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    915     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
    916     TLS_ECDHE_RSA_WITH_NULL_SHA,
    917     TLS_ECDHE_RSA_WITH_RC4_128_SHA,
    918     TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
    919     TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
    920     TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
    921     TLS_ECDH_ECDSA_WITH_NULL_SHA,
    922     TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
    923     TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
    924     TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
    925     TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
    926     TLS_ECDH_RSA_WITH_NULL_SHA,
    927     TLS_ECDH_RSA_WITH_RC4_128_SHA,
    928     0 /* end of list marker */
    929 };
    930 
    931 /* On this socket, Disable the ECC cipher suites in the argument's list */
    932 SECStatus
    933 ssl3_DisableECCSuites(sslSocket * ss, const ssl3CipherSuite * suite)
    934 {
    935     if (!suite)
    936     	suite = ecSuites;
    937     for (; *suite; ++suite) {
    938 	SECStatus rv      = ssl3_CipherPrefSet(ss, *suite, PR_FALSE);
    939 
    940 	PORT_Assert(rv == SECSuccess); /* else is coding error */
    941     }
    942     return SECSuccess;
    943 }
    944 
    945 /* Look at the server certs configured on this socket, and disable any
    946  * ECC cipher suites that are not supported by those certs.
    947  */
    948 void
    949 ssl3_FilterECCipherSuitesByServerCerts(sslSocket * ss)
    950 {
    951     CERTCertificate * svrCert;
    952 
    953     svrCert = ss->serverCerts[kt_rsa].serverCert;
    954     if (!svrCert) {
    955 	ssl3_DisableECCSuites(ss, ecdhe_rsa_suites);
    956     }
    957 
    958     svrCert = ss->serverCerts[kt_ecdh].serverCert;
    959     if (!svrCert) {
    960 	ssl3_DisableECCSuites(ss, ecdh_suites);
    961 	ssl3_DisableECCSuites(ss, ecdhe_ecdsa_suites);
    962     } else {
    963 	SECOidTag sigTag = SECOID_GetAlgorithmTag(&svrCert->signature);
    964 
    965 	switch (sigTag) {
    966 	case SEC_OID_PKCS1_RSA_ENCRYPTION:
    967 	case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
    968 	case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
    969 	case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
    970 	case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
    971 	case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
    972 	case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
    973 	case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
    974 	    ssl3_DisableECCSuites(ss, ecdh_ecdsa_suites);
    975 	    break;
    976 	case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE:
    977 	case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE:
    978 	case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE:
    979 	case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE:
    980 	case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE:
    981 	case SEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGEST:
    982 	case SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST:
    983 	    ssl3_DisableECCSuites(ss, ecdh_rsa_suites);
    984 	    break;
    985 	default:
    986 	    ssl3_DisableECCSuites(ss, ecdh_suites);
    987 	    break;
    988 	}
    989     }
    990 }
    991 
    992 /* Ask: is ANY ECC cipher suite enabled on this socket? */
    993 /* Order(N^2).  Yuk.  Also, this ignores export policy. */
    994 PRBool
    995 ssl3_IsECCEnabled(sslSocket * ss)
    996 {
    997     const ssl3CipherSuite * suite;
    998 
    999     for (suite = ecSuites; *suite; ++suite) {
   1000 	PRBool    enabled = PR_FALSE;
   1001 	SECStatus rv      = ssl3_CipherPrefGet(ss, *suite, &enabled);
   1002 
   1003 	PORT_Assert(rv == SECSuccess); /* else is coding error */
   1004 	if (rv == SECSuccess && enabled)
   1005 	    return PR_TRUE;
   1006     }
   1007     return PR_FALSE;
   1008 }
   1009 
   1010 #define BE(n) 0, n
   1011 
   1012 #ifndef NSS_ECC_MORE_THAN_SUITE_B
   1013 /* Prefabricated TLS client hello extension, Elliptic Curves List,
   1014  * offers only 3 curves, the Suite B curves, 23-25
   1015  */
   1016 static const PRUint8 EClist[12] = {
   1017     BE(10),         /* Extension type */
   1018     BE( 8),         /* octets that follow ( 3 pairs + 1 length pair) */
   1019     BE( 6),         /* octets that follow ( 3 pairs) */
   1020     BE(23), BE(24), BE(25)
   1021 };
   1022 #else
   1023 /* Prefabricated TLS client hello extension, Elliptic Curves List,
   1024  * offers curves 1-25.
   1025  */
   1026 static const PRUint8 EClist[56] = {
   1027     BE(10),         /* Extension type */
   1028     BE(52),         /* octets that follow (25 pairs + 1 length pair) */
   1029     BE(50),         /* octets that follow (25 pairs) */
   1030             BE( 1), BE( 2), BE( 3), BE( 4), BE( 5), BE( 6), BE( 7),
   1031     BE( 8), BE( 9), BE(10), BE(11), BE(12), BE(13), BE(14), BE(15),
   1032     BE(16), BE(17), BE(18), BE(19), BE(20), BE(21), BE(22), BE(23),
   1033     BE(24), BE(25)
   1034 };
   1035 #endif
   1036 
   1037 static const PRUint8 ECPtFmt[6] = {
   1038     BE(11),         /* Extension type */
   1039     BE( 2),         /* octets that follow */
   1040              1,     /* octets that follow */
   1041                  0  /* uncompressed type only */
   1042 };
   1043 
   1044 /* Send our "canned" (precompiled) Supported Elliptic Curves extension,
   1045  * which says that we support all TLS-defined named curves.
   1046  */
   1047 PRInt32
   1048 ssl3_SendSupportedCurvesXtn(
   1049 			sslSocket * ss,
   1050 			PRBool      append,
   1051 			PRUint32    maxBytes)
   1052 {
   1053     if (!ss || !ssl3_IsECCEnabled(ss))
   1054     	return 0;
   1055     if (append && maxBytes >= (sizeof EClist)) {
   1056 	SECStatus rv = ssl3_AppendHandshake(ss, EClist, (sizeof EClist));
   1057 	if (rv != SECSuccess)
   1058 	    return -1;
   1059 	if (!ss->sec.isServer) {
   1060 	    TLSExtensionData *xtnData = &ss->xtnData;
   1061 	    xtnData->advertised[xtnData->numAdvertised++] =
   1062 		elliptic_curves_xtn;
   1063 	}
   1064     }
   1065     return (sizeof EClist);
   1066 }
   1067 
   1068 /* Send our "canned" (precompiled) Supported Point Formats extension,
   1069  * which says that we only support uncompressed points.
   1070  */
   1071 PRInt32
   1072 ssl3_SendSupportedPointFormatsXtn(
   1073 			sslSocket * ss,
   1074 			PRBool      append,
   1075 			PRUint32    maxBytes)
   1076 {
   1077     if (!ss || !ssl3_IsECCEnabled(ss))
   1078     	return 0;
   1079     if (append && maxBytes >= (sizeof ECPtFmt)) {
   1080 	SECStatus rv = ssl3_AppendHandshake(ss, ECPtFmt, (sizeof ECPtFmt));
   1081 	if (rv != SECSuccess)
   1082 	    return -1;
   1083 	if (!ss->sec.isServer) {
   1084 	    TLSExtensionData *xtnData = &ss->xtnData;
   1085 	    xtnData->advertised[xtnData->numAdvertised++] =
   1086 		ec_point_formats_xtn;
   1087 	}
   1088     }
   1089     return (sizeof ECPtFmt);
   1090 }
   1091 
   1092 /* Just make sure that the remote client supports uncompressed points,
   1093  * Since that is all we support.  Disable ECC cipher suites if it doesn't.
   1094  */
   1095 SECStatus
   1096 ssl3_HandleSupportedPointFormatsXtn(sslSocket *ss, PRUint16 ex_type,
   1097                                     SECItem *data)
   1098 {
   1099     int i;
   1100 
   1101     if (data->len < 2 || data->len > 255 || !data->data ||
   1102         data->len != (unsigned int)data->data[0] + 1) {
   1103     	/* malformed */
   1104 	goto loser;
   1105     }
   1106     for (i = data->len; --i > 0; ) {
   1107     	if (data->data[i] == 0) {
   1108 	    /* indicate that we should send a reply */
   1109 	    SECStatus rv;
   1110 	    rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type,
   1111 			      &ssl3_SendSupportedPointFormatsXtn);
   1112 	    return rv;
   1113 	}
   1114     }
   1115 loser:
   1116     /* evil client doesn't support uncompressed */
   1117     ssl3_DisableECCSuites(ss, ecSuites);
   1118     return SECFailure;
   1119 }
   1120 
   1121 
   1122 #define SSL3_GET_SERVER_PUBLICKEY(sock, type) \
   1123     (ss->serverCerts[type].serverKeyPair ? \
   1124     ss->serverCerts[type].serverKeyPair->pubKey : NULL)
   1125 
   1126 /* Extract the TLS curve name for the public key in our EC server cert. */
   1127 ECName ssl3_GetSvrCertCurveName(sslSocket *ss)
   1128 {
   1129     SECKEYPublicKey       *srvPublicKey;
   1130     ECName		  ec_curve       = ec_noName;
   1131 
   1132     srvPublicKey = SSL3_GET_SERVER_PUBLICKEY(ss, kt_ecdh);
   1133     if (srvPublicKey) {
   1134 	ec_curve = params2ecName(&srvPublicKey->u.ec.DEREncodedParams);
   1135     }
   1136     return ec_curve;
   1137 }
   1138 
   1139 /* Ensure that the curve in our server cert is one of the ones suppored
   1140  * by the remote client, and disable all ECC cipher suites if not.
   1141  */
   1142 SECStatus
   1143 ssl3_HandleSupportedCurvesXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data)
   1144 {
   1145     PRInt32  list_len;
   1146     PRUint32 peerCurves   = 0;
   1147     PRUint32 mutualCurves = 0;
   1148     PRUint16 svrCertCurveName;
   1149 
   1150     if (!data->data || data->len < 4 || data->len > 65535)
   1151     	goto loser;
   1152     /* get the length of elliptic_curve_list */
   1153     list_len = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len);
   1154     if (list_len < 0 || data->len != list_len || (data->len % 2) != 0) {
   1155     	/* malformed */
   1156 	goto loser;
   1157     }
   1158     /* build bit vector of peer's supported curve names */
   1159     while (data->len) {
   1160 	PRInt32  curve_name =
   1161 		 ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len);
   1162 	if (curve_name > ec_noName && curve_name < ec_pastLastName) {
   1163 	    peerCurves |= (1U << curve_name);
   1164 	}
   1165     }
   1166     /* What curves do we support in common? */
   1167     mutualCurves = ss->ssl3.hs.negotiatedECCurves &= peerCurves;
   1168     if (!mutualCurves) { /* no mutually supported EC Curves */
   1169     	goto loser;
   1170     }
   1171 
   1172     /* if our ECC cert doesn't use one of these supported curves,
   1173      * disable ECC cipher suites that require an ECC cert.
   1174      */
   1175     svrCertCurveName = ssl3_GetSvrCertCurveName(ss);
   1176     if (svrCertCurveName != ec_noName &&
   1177         (mutualCurves & (1U << svrCertCurveName)) != 0) {
   1178 	return SECSuccess;
   1179     }
   1180     /* Our EC cert doesn't contain a mutually supported curve.
   1181      * Disable all ECC cipher suites that require an EC cert
   1182      */
   1183     ssl3_DisableECCSuites(ss, ecdh_ecdsa_suites);
   1184     ssl3_DisableECCSuites(ss, ecdhe_ecdsa_suites);
   1185     return SECFailure;
   1186 
   1187 loser:
   1188     /* no common curve supported */
   1189     ssl3_DisableECCSuites(ss, ecSuites);
   1190     return SECFailure;
   1191 }
   1192 
   1193 #endif /* NSS_ENABLE_ECC */
   1194