unsigned int NSSCryptoKeyRSA::getLength(void) const { unsigned int ret = 0; if (mp_pubkey != 0) { ret = SECKEY_PublicKeyStrength(mp_pubkey); } else if (mp_privkey != 0) { ret = PK11_GetPrivateModulusLen(mp_privkey); } return ret; }
SECStatus SSL_CanBypass(CERTCertificate *cert, SECKEYPrivateKey *srvPrivkey, PRUint32 protocolmask, PRUint16 *ciphersuites, int nsuites, PRBool *pcanbypass, void *pwArg) { SECStatus rv; int i; PRUint16 suite; PK11SymKey * pms = NULL; SECKEYPublicKey * srvPubkey = NULL; KeyType privKeytype; PK11SlotInfo * slot = NULL; SECItem param; CK_VERSION version; CK_MECHANISM_TYPE mechanism_array[2]; SECItem enc_pms = {siBuffer, NULL, 0}; PRBool isTLS = PR_FALSE; SSLCipherSuiteInfo csdef; PRBool testrsa = PR_FALSE; PRBool testrsa_export = PR_FALSE; PRBool testecdh = PR_FALSE; PRBool testecdhe = PR_FALSE; #ifdef NSS_ENABLE_ECC SECKEYECParams ecParams = { siBuffer, NULL, 0 }; #endif if (!cert || !srvPrivkey || !ciphersuites || !pcanbypass) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } srvPubkey = CERT_ExtractPublicKey(cert); if (!srvPubkey) return SECFailure; *pcanbypass = PR_TRUE; rv = SECFailure; /* determine which KEAs to test */ /* 0 (SSL_NULL_WITH_NULL_NULL) is used as a list terminator because * SSL3 and TLS specs forbid negotiating that cipher suite number. */ for (i=0; i < nsuites && (suite = *ciphersuites++) != 0; i++) { /* skip SSL2 cipher suites and ones NSS doesn't support */ if (SSL_GetCipherSuiteInfo(suite, &csdef, sizeof(csdef)) != SECSuccess || SSL_IS_SSL2_CIPHER(suite) ) continue; switch (csdef.keaType) { case ssl_kea_rsa: switch (csdef.cipherSuite) { case TLS_RSA_EXPORT1024_WITH_RC4_56_SHA: case TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA: case SSL_RSA_EXPORT_WITH_RC4_40_MD5: case SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5: testrsa_export = PR_TRUE; } if (!testrsa_export) testrsa = PR_TRUE; break; case ssl_kea_ecdh: if (strcmp(csdef.keaTypeName, "ECDHE") == 0) /* ephemeral? */ testecdhe = PR_TRUE; else testecdh = PR_TRUE; break; case ssl_kea_dh: /* this is actually DHE */ default: continue; } } /* For each protocol try to derive and extract an MS. * Failure of function any function except MS extract means * continue with the next cipher test. Stop testing when the list is * exhausted or when the first MS extract--not derive--fails. */ privKeytype = SECKEY_GetPrivateKeyType(srvPrivkey); protocolmask &= SSL_CBP_SSL3|SSL_CBP_TLS1_0; while (protocolmask) { if (protocolmask & SSL_CBP_SSL3) { isTLS = PR_FALSE; protocolmask ^= SSL_CBP_SSL3; } else { isTLS = PR_TRUE; protocolmask ^= SSL_CBP_TLS1_0; } if (privKeytype == rsaKey && testrsa_export) { if (PK11_GetPrivateModulusLen(srvPrivkey) > EXPORT_RSA_KEY_LENGTH) { *pcanbypass = PR_FALSE; rv = SECSuccess; break; } else testrsa = PR_TRUE; } for (; privKeytype == rsaKey && testrsa; ) { /* TLS_RSA */ unsigned char rsaPmsBuf[SSL3_RSA_PMS_LENGTH]; unsigned int outLen = 0; CK_MECHANISM_TYPE target; SECStatus irv; mechanism_array[0] = CKM_SSL3_PRE_MASTER_KEY_GEN; mechanism_array[1] = CKM_RSA_PKCS; slot = PK11_GetBestSlotMultiple(mechanism_array, 2, pwArg); if (slot == NULL) { PORT_SetError(SSL_ERROR_TOKEN_SLOT_NOT_FOUND); break; } /* Generate the pre-master secret ... (client side) */ version.major = 3 /*MSB(clientHelloVersion)*/; version.minor = 0 /*LSB(clientHelloVersion)*/; param.data = (unsigned char *)&version; param.len = sizeof version; pms = PK11_KeyGen(slot, CKM_SSL3_PRE_MASTER_KEY_GEN, ¶m, 0, pwArg); PK11_FreeSlot(slot); if (!pms) break; /* now wrap it */ enc_pms.len = SECKEY_PublicKeyStrength(srvPubkey); enc_pms.data = (unsigned char*)PORT_Alloc(enc_pms.len); if (enc_pms.data == NULL) { PORT_SetError(PR_OUT_OF_MEMORY_ERROR); break; } irv = PK11_PubWrapSymKey(CKM_RSA_PKCS, srvPubkey, pms, &enc_pms); if (irv != SECSuccess) break; PK11_FreeSymKey(pms); pms = NULL; /* now do the server side--check the triple bypass first */ rv = PK11_PrivDecryptPKCS1(srvPrivkey, rsaPmsBuf, &outLen, sizeof rsaPmsBuf, (unsigned char *)enc_pms.data, enc_pms.len); /* if decrypt worked we're done with the RSA test */ if (rv == SECSuccess) { *pcanbypass = PR_TRUE; break; } /* check for fallback to double bypass */ target = isTLS ? CKM_TLS_MASTER_KEY_DERIVE : CKM_SSL3_MASTER_KEY_DERIVE; pms = PK11_PubUnwrapSymKey(srvPrivkey, &enc_pms, target, CKA_DERIVE, 0); rv = ssl_canExtractMS(pms, isTLS, PR_FALSE, pcanbypass); if (rv == SECSuccess && *pcanbypass == PR_FALSE) goto done; break; } /* Check for NULL to avoid double free. * SECItem_FreeItem sets data NULL in secitem.c#265 */ if (enc_pms.data != NULL) { SECITEM_FreeItem(&enc_pms, PR_FALSE); } #ifdef NSS_ENABLE_ECC for (; (privKeytype == ecKey && ( testecdh || testecdhe)) || (privKeytype == rsaKey && testecdhe); ) { CK_MECHANISM_TYPE target; SECKEYPublicKey *keapub = NULL; SECKEYPrivateKey *keapriv; SECKEYPublicKey *cpub = NULL; /* client's ephemeral ECDH keys */ SECKEYPrivateKey *cpriv = NULL; SECKEYECParams *pecParams = NULL; if (privKeytype == ecKey && testecdhe) { /* TLS_ECDHE_ECDSA */ pecParams = &srvPubkey->u.ec.DEREncodedParams; } else if (privKeytype == rsaKey && testecdhe) { /* TLS_ECDHE_RSA */ ECName ec_curve; int serverKeyStrengthInBits; int signatureKeyStrength; int requiredECCbits; /* find a curve of equivalent strength to the RSA key's */ requiredECCbits = PK11_GetPrivateModulusLen(srvPrivkey); if (requiredECCbits < 0) break; requiredECCbits *= BPB; serverKeyStrengthInBits = srvPubkey->u.rsa.modulus.len; if (srvPubkey->u.rsa.modulus.data[0] == 0) { serverKeyStrengthInBits--; } /* convert to strength in bits */ serverKeyStrengthInBits *= BPB; signatureKeyStrength = SSL_RSASTRENGTH_TO_ECSTRENGTH(serverKeyStrengthInBits); if ( requiredECCbits > signatureKeyStrength ) requiredECCbits = signatureKeyStrength; ec_curve = ssl3_GetCurveWithECKeyStrength(SSL3_SUPPORTED_CURVES_MASK, requiredECCbits); rv = ssl3_ECName2Params(NULL, ec_curve, &ecParams); if (rv == SECFailure) { break; } pecParams = &ecParams; } if (testecdhe) { /* generate server's ephemeral keys */ keapriv = SECKEY_CreateECPrivateKey(pecParams, &keapub, NULL); if (!keapriv || !keapub) { if (keapriv) SECKEY_DestroyPrivateKey(keapriv); if (keapub) SECKEY_DestroyPublicKey(keapub); PORT_SetError(SEC_ERROR_KEYGEN_FAIL); rv = SECFailure; break; } } else { /* TLS_ECDH_ECDSA */ keapub = srvPubkey; keapriv = srvPrivkey; pecParams = &srvPubkey->u.ec.DEREncodedParams; } /* perform client side ops */ /* generate a pair of ephemeral keys using server's parms */ cpriv = SECKEY_CreateECPrivateKey(pecParams, &cpub, NULL); if (!cpriv || !cpub) { if (testecdhe) { SECKEY_DestroyPrivateKey(keapriv); SECKEY_DestroyPublicKey(keapub); } PORT_SetError(SEC_ERROR_KEYGEN_FAIL); rv = SECFailure; break; } /* now do the server side */ /* determine the PMS using client's public value */ target = isTLS ? CKM_TLS_MASTER_KEY_DERIVE_DH : CKM_SSL3_MASTER_KEY_DERIVE_DH; pms = PK11_PubDeriveWithKDF(keapriv, cpub, PR_FALSE, NULL, NULL, CKM_ECDH1_DERIVE, target, CKA_DERIVE, 0, CKD_NULL, NULL, NULL); rv = ssl_canExtractMS(pms, isTLS, PR_TRUE, pcanbypass); SECKEY_DestroyPrivateKey(cpriv); SECKEY_DestroyPublicKey(cpub); if (testecdhe) { SECKEY_DestroyPrivateKey(keapriv); SECKEY_DestroyPublicKey(keapub); } if (rv == SECSuccess && *pcanbypass == PR_FALSE) goto done; break; } /* Check for NULL to avoid double free. */ if (ecParams.data != NULL) { PORT_Free(ecParams.data); ecParams.data = NULL; } #endif /* NSS_ENABLE_ECC */ if (pms) PK11_FreeSymKey(pms); } /* *pcanbypass has been set */ rv = SECSuccess; done: if (pms) PK11_FreeSymKey(pms); /* Check for NULL to avoid double free. * SECItem_FreeItem sets data NULL in secitem.c#265 */ if (enc_pms.data != NULL) { SECITEM_FreeItem(&enc_pms, PR_FALSE); } #ifdef NSS_ENABLE_ECC if (ecParams.data != NULL) { PORT_Free(ecParams.data); ecParams.data = NULL; } #endif /* NSS_ENABLE_ECC */ if (srvPubkey) { SECKEY_DestroyPublicKey(srvPubkey); srvPubkey = NULL; } return rv; }
static SECItem * sec_CreateRSAPSSParameters(PLArenaPool *arena, SECItem *result, SECOidTag hashAlgTag, const SECItem *params, const SECKEYPrivateKey *key) { SECKEYRSAPSSParams pssParams; int modBytes, hashLength; unsigned long saltLength; PRBool defaultSHA1 = PR_FALSE; SECStatus rv; if (key->keyType != rsaKey && key->keyType != rsaPssKey) { PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); return NULL; } PORT_Memset(&pssParams, 0, sizeof(pssParams)); if (params && params->data) { /* The parameters field should either be empty or contain * valid RSA-PSS parameters */ PORT_Assert(!(params->len == 2 && params->data[0] == SEC_ASN1_NULL && params->data[1] == 0)); rv = SEC_QuickDERDecodeItem(arena, &pssParams, SECKEY_RSAPSSParamsTemplate, params); if (rv != SECSuccess) { return NULL; } defaultSHA1 = PR_TRUE; } if (pssParams.trailerField.data) { unsigned long trailerField; rv = SEC_ASN1DecodeInteger((SECItem *)&pssParams.trailerField, &trailerField); if (rv != SECSuccess) { return NULL; } if (trailerField != 1) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return NULL; } } modBytes = PK11_GetPrivateModulusLen((SECKEYPrivateKey *)key); /* Determine the hash algorithm to use, based on hashAlgTag and * pssParams.hashAlg; there are four cases */ if (hashAlgTag != SEC_OID_UNKNOWN) { SECOidTag tag = SEC_OID_UNKNOWN; if (pssParams.hashAlg) { tag = SECOID_GetAlgorithmTag(pssParams.hashAlg); } else if (defaultSHA1) { tag = SEC_OID_SHA1; } if (tag != SEC_OID_UNKNOWN && tag != hashAlgTag) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return NULL; } } else if (hashAlgTag == SEC_OID_UNKNOWN) { if (pssParams.hashAlg) { hashAlgTag = SECOID_GetAlgorithmTag(pssParams.hashAlg); } else if (defaultSHA1) { hashAlgTag = SEC_OID_SHA1; } else { /* Find a suitable hash algorithm based on the NIST recommendation */ if (modBytes <= 384) { /* 128, in NIST 800-57, Part 1 */ hashAlgTag = SEC_OID_SHA256; } else if (modBytes <= 960) { /* 192, NIST 800-57, Part 1 */ hashAlgTag = SEC_OID_SHA384; } else { hashAlgTag = SEC_OID_SHA512; } } } if (hashAlgTag != SEC_OID_SHA1 && hashAlgTag != SEC_OID_SHA224 && hashAlgTag != SEC_OID_SHA256 && hashAlgTag != SEC_OID_SHA384 && hashAlgTag != SEC_OID_SHA512) { PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); return NULL; } /* Now that the hash algorithm is decided, check if it matches the * existing parameters if any */ if (pssParams.maskAlg) { SECAlgorithmID maskHashAlg; if (SECOID_GetAlgorithmTag(pssParams.maskAlg) != SEC_OID_PKCS1_MGF1) { PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); return NULL; } if (pssParams.maskAlg->parameters.data == NULL) { PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); return NULL; } PORT_Memset(&maskHashAlg, 0, sizeof(maskHashAlg)); rv = SEC_QuickDERDecodeItem(arena, &maskHashAlg, SEC_ASN1_GET(SECOID_AlgorithmIDTemplate), &pssParams.maskAlg->parameters); if (rv != SECSuccess) { return NULL; } /* Following the recommendation in RFC 4055, assume the hash * algorithm identical to pssParam.hashAlg */ if (SECOID_GetAlgorithmTag(&maskHashAlg) != hashAlgTag) { PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); return NULL; } } else if (defaultSHA1) { if (hashAlgTag != SEC_OID_SHA1) { PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); return NULL; } } hashLength = HASH_ResultLenByOidTag(hashAlgTag); if (pssParams.saltLength.data) { rv = SEC_ASN1DecodeInteger((SECItem *)&pssParams.saltLength, &saltLength); if (rv != SECSuccess) { return NULL; } /* The specified salt length is too long */ if (saltLength > modBytes - hashLength - 2) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return NULL; } } else if (defaultSHA1) { saltLength = 20; } /* Fill in the parameters */ if (pssParams.hashAlg) { if (hashAlgTag == SEC_OID_SHA1) { /* Omit hashAlg if the the algorithm is SHA-1 (default) */ pssParams.hashAlg = NULL; } } else { if (hashAlgTag != SEC_OID_SHA1) { pssParams.hashAlg = PORT_ArenaZAlloc(arena, sizeof(SECAlgorithmID)); if (!pssParams.hashAlg) { return NULL; } rv = SECOID_SetAlgorithmID(arena, pssParams.hashAlg, hashAlgTag, NULL); if (rv != SECSuccess) { return NULL; } } } if (pssParams.maskAlg) { if (hashAlgTag == SEC_OID_SHA1) { /* Omit maskAlg if the the algorithm is SHA-1 (default) */ pssParams.maskAlg = NULL; } } else { if (hashAlgTag != SEC_OID_SHA1) { SECItem *hashAlgItem; PORT_Assert(pssParams.hashAlg != NULL); hashAlgItem = SEC_ASN1EncodeItem(arena, NULL, pssParams.hashAlg, SEC_ASN1_GET(SECOID_AlgorithmIDTemplate)); if (!hashAlgItem) { return NULL; } pssParams.maskAlg = PORT_ArenaZAlloc(arena, sizeof(SECAlgorithmID)); if (!pssParams.maskAlg) { return NULL; } rv = SECOID_SetAlgorithmID(arena, pssParams.maskAlg, SEC_OID_PKCS1_MGF1, hashAlgItem); if (rv != SECSuccess) { return NULL; } } } if (pssParams.saltLength.data) { if (saltLength == 20) { /* Omit the salt length if it is the default */ pssParams.saltLength.data = NULL; } } else { /* Find a suitable length from the hash algorithm and modulus bits */ saltLength = PR_MIN(hashLength, modBytes - hashLength - 2); if (saltLength != 20 && !SEC_ASN1EncodeInteger(arena, &pssParams.saltLength, saltLength)) { return NULL; } } if (pssParams.trailerField.data) { /* Omit trailerField if the value is 1 (default) */ pssParams.trailerField.data = NULL; } return SEC_ASN1EncodeItem(arena, result, &pssParams, SECKEY_RSAPSSParamsTemplate); }
SECStatus SSL_CanBypass(CERTCertificate *cert, SECKEYPrivateKey *srvPrivkey, PRUint32 protocolmask, PRUint16 *ciphersuites, int nsuites, PRBool *pcanbypass, void *pwArg) { #ifdef NO_PKCS11_BYPASS if (!pcanbypass) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } *pcanbypass = PR_FALSE; return SECSuccess; #else SECStatus rv; int i; PRUint16 suite; PK11SymKey * pms = NULL; SECKEYPublicKey * srvPubkey = NULL; KeyType privKeytype; PK11SlotInfo * slot = NULL; SECItem param; CK_VERSION version; CK_MECHANISM_TYPE mechanism_array[2]; SECItem enc_pms = {siBuffer, NULL, 0}; PRBool isTLS = PR_FALSE; SSLCipherSuiteInfo csdef; PRBool testrsa = PR_FALSE; PRBool testrsa_export = PR_FALSE; PRBool testecdh = PR_FALSE; PRBool testecdhe = PR_FALSE; #ifdef NSS_ENABLE_ECC SECKEYECParams ecParams = { siBuffer, NULL, 0 }; #endif if (!cert || !srvPrivkey || !ciphersuites || !pcanbypass) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } srvPubkey = CERT_ExtractPublicKey(cert); if (!srvPubkey) return SECFailure; *pcanbypass = PR_TRUE; rv = SECFailure; for (i=0; i < nsuites && (suite = *ciphersuites++) != 0; i++) { if (SSL_GetCipherSuiteInfo(suite, &csdef, sizeof(csdef)) != SECSuccess || SSL_IS_SSL2_CIPHER(suite) ) continue; switch (csdef.keaType) { case ssl_kea_rsa: switch (csdef.cipherSuite) { case TLS_RSA_EXPORT1024_WITH_RC4_56_SHA: case TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA: case SSL_RSA_EXPORT_WITH_RC4_40_MD5: case SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5: testrsa_export = PR_TRUE; } if (!testrsa_export) testrsa = PR_TRUE; break; case ssl_kea_ecdh: if (strcmp(csdef.keaTypeName, "ECDHE") == 0) testecdhe = PR_TRUE; else testecdh = PR_TRUE; break; case ssl_kea_dh: default: continue; } } privKeytype = SECKEY_GetPrivateKeyType(srvPrivkey); protocolmask &= SSL_CBP_SSL3|SSL_CBP_TLS1_0; while (protocolmask) { if (protocolmask & SSL_CBP_SSL3) { isTLS = PR_FALSE; protocolmask ^= SSL_CBP_SSL3; } else { isTLS = PR_TRUE; protocolmask ^= SSL_CBP_TLS1_0; } if (privKeytype == rsaKey && testrsa_export) { if (PK11_GetPrivateModulusLen(srvPrivkey) > EXPORT_RSA_KEY_LENGTH) { *pcanbypass = PR_FALSE; rv = SECSuccess; break; } else testrsa = PR_TRUE; } for (; privKeytype == rsaKey && testrsa; ) { unsigned char rsaPmsBuf[SSL3_RSA_PMS_LENGTH]; unsigned int outLen = 0; CK_MECHANISM_TYPE target; SECStatus irv; mechanism_array[0] = CKM_SSL3_PRE_MASTER_KEY_GEN; mechanism_array[1] = CKM_RSA_PKCS; slot = PK11_GetBestSlotMultiple(mechanism_array, 2, pwArg); if (slot == NULL) { PORT_SetError(SSL_ERROR_TOKEN_SLOT_NOT_FOUND); break; } version.major = 3 ; version.minor = 0 ; param.data = (unsigned char *)&version; param.len = sizeof version; pms = PK11_KeyGen(slot, CKM_SSL3_PRE_MASTER_KEY_GEN, ¶m, 0, pwArg); PK11_FreeSlot(slot); if (!pms) break; enc_pms.len = SECKEY_PublicKeyStrength(srvPubkey); enc_pms.data = (unsigned char*)PORT_Alloc(enc_pms.len); if (enc_pms.data == NULL) { PORT_SetError(PR_OUT_OF_MEMORY_ERROR); break; } irv = PK11_PubWrapSymKey(CKM_RSA_PKCS, srvPubkey, pms, &enc_pms); if (irv != SECSuccess) break; PK11_FreeSymKey(pms); pms = NULL; rv = PK11_PrivDecryptPKCS1(srvPrivkey, rsaPmsBuf, &outLen, sizeof rsaPmsBuf, (unsigned char *)enc_pms.data, enc_pms.len); if (rv == SECSuccess) { *pcanbypass = PR_TRUE; break; } target = isTLS ? CKM_TLS_MASTER_KEY_DERIVE : CKM_SSL3_MASTER_KEY_DERIVE; pms = PK11_PubUnwrapSymKey(srvPrivkey, &enc_pms, target, CKA_DERIVE, 0); rv = ssl_canExtractMS(pms, isTLS, PR_FALSE, pcanbypass); if (rv == SECSuccess && *pcanbypass == PR_FALSE) goto done; break; } if (enc_pms.data != NULL) { SECITEM_FreeItem(&enc_pms, PR_FALSE); } #ifdef NSS_ENABLE_ECC for (; (privKeytype == ecKey && ( testecdh || testecdhe)) || (privKeytype == rsaKey && testecdhe); ) { CK_MECHANISM_TYPE target; SECKEYPublicKey *keapub = NULL; SECKEYPrivateKey *keapriv; SECKEYPublicKey *cpub = NULL; SECKEYPrivateKey *cpriv = NULL; SECKEYECParams *pecParams = NULL; if (privKeytype == ecKey && testecdhe) { pecParams = &srvPubkey->u.ec.DEREncodedParams; } else if (privKeytype == rsaKey && testecdhe) { ECName ec_curve; int serverKeyStrengthInBits; int signatureKeyStrength; int requiredECCbits; requiredECCbits = PK11_GetPrivateModulusLen(srvPrivkey); if (requiredECCbits < 0) break; requiredECCbits *= BPB; serverKeyStrengthInBits = srvPubkey->u.rsa.modulus.len; if (srvPubkey->u.rsa.modulus.data[0] == 0) { serverKeyStrengthInBits--; } serverKeyStrengthInBits *= BPB; signatureKeyStrength = SSL_RSASTRENGTH_TO_ECSTRENGTH(serverKeyStrengthInBits); if ( requiredECCbits > signatureKeyStrength ) requiredECCbits = signatureKeyStrength; ec_curve = ssl3_GetCurveWithECKeyStrength( ssl3_GetSupportedECCurveMask(NULL), requiredECCbits); rv = ssl3_ECName2Params(NULL, ec_curve, &ecParams); if (rv == SECFailure) { break; } pecParams = &ecParams; } if (testecdhe) { keapriv = SECKEY_CreateECPrivateKey(pecParams, &keapub, NULL); if (!keapriv || !keapub) { if (keapriv) SECKEY_DestroyPrivateKey(keapriv); if (keapub) SECKEY_DestroyPublicKey(keapub); PORT_SetError(SEC_ERROR_KEYGEN_FAIL); rv = SECFailure; break; } } else { keapub = srvPubkey; keapriv = srvPrivkey; pecParams = &srvPubkey->u.ec.DEREncodedParams; } cpriv = SECKEY_CreateECPrivateKey(pecParams, &cpub, NULL); if (!cpriv || !cpub) { if (testecdhe) { SECKEY_DestroyPrivateKey(keapriv); SECKEY_DestroyPublicKey(keapub); } PORT_SetError(SEC_ERROR_KEYGEN_FAIL); rv = SECFailure; break; } target = isTLS ? CKM_TLS_MASTER_KEY_DERIVE_DH : CKM_SSL3_MASTER_KEY_DERIVE_DH; pms = PK11_PubDeriveWithKDF(keapriv, cpub, PR_FALSE, NULL, NULL, CKM_ECDH1_DERIVE, target, CKA_DERIVE, 0, CKD_NULL, NULL, NULL); rv = ssl_canExtractMS(pms, isTLS, PR_TRUE, pcanbypass); SECKEY_DestroyPrivateKey(cpriv); SECKEY_DestroyPublicKey(cpub); if (testecdhe) { SECKEY_DestroyPrivateKey(keapriv); SECKEY_DestroyPublicKey(keapub); } if (rv == SECSuccess && *pcanbypass == PR_FALSE) goto done; break; } if (ecParams.data != NULL) { PORT_Free(ecParams.data); ecParams.data = NULL; } #endif if (pms) PK11_FreeSymKey(pms); } rv = SECSuccess; done: if (pms) PK11_FreeSymKey(pms); if (enc_pms.data != NULL) { SECITEM_FreeItem(&enc_pms, PR_FALSE); } #ifdef NSS_ENABLE_ECC if (ecParams.data != NULL) { PORT_Free(ecParams.data); ecParams.data = NULL; } #endif if (srvPubkey) { SECKEY_DestroyPublicKey(srvPubkey); srvPubkey = NULL; } return rv; #endif }