/* Create an ECDHE key pair for a given curve */ SECStatus ssl_CreateECDHEphemeralKeyPair(const namedGroupDef *ecGroup, sslEphemeralKeyPair **keyPair) { SECKEYPrivateKey *privKey = NULL; SECKEYPublicKey *pubKey = NULL; SECKEYECParams ecParams = { siBuffer, NULL, 0 }; sslEphemeralKeyPair *pair; if (ssl_NamedGroup2ECParams(NULL, ecGroup, &ecParams) != SECSuccess) { return SECFailure; } privKey = SECKEY_CreateECPrivateKey(&ecParams, &pubKey, NULL); SECITEM_FreeItem(&ecParams, PR_FALSE); if (!privKey || !pubKey || !(pair = ssl_NewEphemeralKeyPair(ecGroup, privKey, pubKey))) { if (privKey) { SECKEY_DestroyPrivateKey(privKey); } if (pubKey) { SECKEY_DestroyPublicKey(pubKey); } ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL); return SECFailure; } *keyPair = pair; return SECSuccess; }
/* Create an ECDHE key pair for a given curve */ SECStatus ssl_CreateECDHEphemeralKeyPair(const sslSocket *ss, const sslNamedGroupDef *ecGroup, sslEphemeralKeyPair **keyPair) { SECKEYPrivateKey *privKey = NULL; SECKEYPublicKey *pubKey = NULL; SECKEYECParams ecParams = { siBuffer, NULL, 0 }; sslEphemeralKeyPair *pair; if (ssl_NamedGroup2ECParams(NULL, ecGroup, &ecParams) != SECSuccess) { return SECFailure; } privKey = SECKEY_CreateECPrivateKey(&ecParams, &pubKey, ss->pkcs11PinArg); SECITEM_FreeItem(&ecParams, PR_FALSE); if (!privKey || !pubKey || !(pair = ssl_NewEphemeralKeyPair(ecGroup, privKey, pubKey))) { if (privKey) { SECKEY_DestroyPrivateKey(privKey); } if (pubKey) { SECKEY_DestroyPublicKey(pubKey); } ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL); return SECFailure; } *keyPair = pair; SSL_TRC(50, ("%d: SSL[%d]: Create ECDH ephemeral key %d", SSL_GETPID(), ss ? ss->fd : NULL, ecGroup->name)); PRINT_BUF(50, (ss, "Public Key", pubKey->u.ec.publicValue.data, pubKey->u.ec.publicValue.len)); #ifdef TRACE if (ssl_trace >= 50) { SECItem d = { siBuffer, NULL, 0 }; SECStatus rv = PK11_ReadRawAttribute(PK11_TypePrivKey, privKey, CKA_VALUE, &d); if (rv == SECSuccess) { PRINT_BUF(50, (ss, "Private Key", d.data, d.len)); SECITEM_FreeItem(&d, PR_FALSE); } else { SSL_TRC(50, ("Error extracting private key")); } } #endif return SECSuccess; }
/* ** Take an encoded key share and make a public key out of it. */ SECStatus ssl_ImportECDHKeyShare(sslSocket *ss, SECKEYPublicKey *peerKey, SSL3Opaque *b, PRUint32 length, const sslNamedGroupDef *ecGroup) { SECStatus rv; SECItem ecPoint = { siBuffer, NULL, 0 }; PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); if (!length) { PORT_SetError(SSL_ERROR_RX_MALFORMED_ECDHE_KEY_SHARE); return SECFailure; } /* Fail if the ec point uses compressed representation */ if (b[0] != EC_POINT_FORM_UNCOMPRESSED && ecGroup->name != ssl_grp_ec_curve25519) { PORT_SetError(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM); return SECFailure; } peerKey->keyType = ecKey; /* Set up the encoded params */ rv = ssl_NamedGroup2ECParams(peerKey->arena, ecGroup, &peerKey->u.ec.DEREncodedParams); if (rv != SECSuccess) { ssl_MapLowLevelError(SSL_ERROR_RX_MALFORMED_ECDHE_KEY_SHARE); return SECFailure; } if (ecGroup->name == ssl_grp_ec_curve25519) { peerKey->u.ec.encoding = ECPoint_XOnly; } else { peerKey->u.ec.encoding = ECPoint_Uncompressed; } /* copy publicValue in peerKey */ ecPoint.data = b; ecPoint.len = length; rv = SECITEM_CopyItem(peerKey->arena, &peerKey->u.ec.publicValue, &ecPoint); if (rv != SECSuccess) { return SECFailure; } return SECSuccess; }
SECStatus ssl3_HandleECDHServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length) { PLArenaPool *arena = NULL; SECKEYPublicKey *peerKey = NULL; PRBool isTLS; SECStatus rv; int errCode = SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH; SSL3AlertDescription desc = illegal_parameter; SSL3Hashes hashes; SECItem signature = { siBuffer, NULL, 0 }; SSLHashType hashAlg = ssl_hash_none; SECItem ec_params = { siBuffer, NULL, 0 }; SECItem ec_point = { siBuffer, NULL, 0 }; unsigned char paramBuf[3]; /* only for curve_type == named_curve */ const namedGroupDef *ecGroup; isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); ec_params.len = sizeof paramBuf; ec_params.data = paramBuf; rv = ssl3_ConsumeHandshake(ss, ec_params.data, ec_params.len, &b, &length); if (rv != SECSuccess) { goto loser; /* malformed. */ } /* Fail if the curve is not a named curve */ if (ec_params.data[0] != ec_type_named) { errCode = SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE; desc = handshake_failure; goto alert_loser; } ecGroup = ssl_LookupNamedGroup(ec_params.data[1] << 8 | ec_params.data[2]); if (!ecGroup || ecGroup->type != group_type_ec) { errCode = SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE; desc = handshake_failure; goto alert_loser; } rv = ssl3_ConsumeHandshakeVariable(ss, &ec_point, 1, &b, &length); if (rv != SECSuccess) { goto loser; /* malformed. */ } /* Fail if the provided point has length 0. */ if (!ec_point.len) { /* desc and errCode are initialized already */ goto alert_loser; } /* Fail if the ec point uses compressed representation. */ if (ec_point.data[0] != EC_POINT_FORM_UNCOMPRESSED) { errCode = SEC_ERROR_UNSUPPORTED_EC_POINT_FORM; desc = handshake_failure; goto alert_loser; } if (ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2) { SSLSignatureAndHashAlg sigAndHash; rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length, &sigAndHash); if (rv != SECSuccess) { goto loser; /* malformed or unsupported. */ } rv = ssl3_CheckSignatureAndHashAlgorithmConsistency( ss, &sigAndHash, ss->sec.peerCert); if (rv != SECSuccess) { goto loser; } hashAlg = sigAndHash.hashAlg; } rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length); if (rv != SECSuccess) { goto loser; /* malformed. */ } if (length != 0) { if (isTLS) desc = decode_error; goto alert_loser; /* malformed. */ } PRINT_BUF(60, (NULL, "Server EC params", ec_params.data, ec_params.len)); PRINT_BUF(60, (NULL, "Server EC point", ec_point.data, ec_point.len)); /* failures after this point are not malformed handshakes. */ /* TLS: send decrypt_error if signature failed. */ desc = isTLS ? decrypt_error : handshake_failure; /* * check to make sure the hash is signed by right guy */ rv = ssl3_ComputeECDHKeyHash(hashAlg, ec_params, ec_point, &ss->ssl3.hs.client_random, &ss->ssl3.hs.server_random, &hashes, ss->opt.bypassPKCS11); if (rv != SECSuccess) { errCode = ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); goto alert_loser; } rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature, isTLS, ss->pkcs11PinArg); if (rv != SECSuccess) { errCode = ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); goto alert_loser; } arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena == NULL) { errCode = SEC_ERROR_NO_MEMORY; goto loser; } peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey); if (peerKey == NULL) { errCode = SEC_ERROR_NO_MEMORY; goto loser; } peerKey->arena = arena; peerKey->keyType = ecKey; /* set up EC parameters in peerKey */ rv = ssl_NamedGroup2ECParams(arena, ecGroup, &peerKey->u.ec.DEREncodedParams); if (rv != SECSuccess) { /* we should never get here since we already * checked that we are dealing with a supported curve */ errCode = SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE; goto alert_loser; } /* copy publicValue in peerKey */ if (SECITEM_CopyItem(arena, &peerKey->u.ec.publicValue, &ec_point)) { errCode = SEC_ERROR_NO_MEMORY; goto loser; } peerKey->pkcs11Slot = NULL; peerKey->pkcs11ID = CK_INVALID_HANDLE; ss->sec.peerKey = peerKey; return SECSuccess; alert_loser: (void)SSL3_SendAlert(ss, alert_fatal, desc); loser: if (arena) { PORT_FreeArena(arena, PR_FALSE); } PORT_SetError(errCode); return SECFailure; }