| Index: net/third_party/nss/ssl/ssl3ecc.c
|
| ===================================================================
|
| --- net/third_party/nss/ssl/ssl3ecc.c (revision 196870)
|
| +++ net/third_party/nss/ssl/ssl3ecc.c (working copy)
|
| @@ -6,7 +6,7 @@
|
| * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
| /* ECC code moved here from ssl3con.c */
|
| -/* $Id: ssl3ecc.c,v 1.29 2012/06/11 02:38:30 emaldona%redhat.com Exp $ */
|
| +/* $Id$ */
|
|
|
| #include "nss.h"
|
| #include "cert.h"
|
| @@ -969,7 +969,16 @@
|
| ssl3_IsECCEnabled(sslSocket * ss)
|
| {
|
| const ssl3CipherSuite * suite;
|
| + PK11SlotInfo *slot;
|
|
|
| + /* make sure we can do ECC */
|
| + slot = PK11_GetBestSlot(CKM_ECDH1_DERIVE, ss->pkcs11PinArg);
|
| + if (!slot) {
|
| + return PR_FALSE;
|
| + }
|
| + PK11_FreeSlot(slot);
|
| +
|
| + /* make sure an ECC cipher is enabled */
|
| for (suite = ecSuites; *suite; ++suite) {
|
| PRBool enabled = PR_FALSE;
|
| SECStatus rv = ssl3_CipherPrefGet(ss, *suite, &enabled);
|
| @@ -983,21 +992,20 @@
|
|
|
| #define BE(n) 0, n
|
|
|
| -#ifndef NSS_ECC_MORE_THAN_SUITE_B
|
| /* Prefabricated TLS client hello extension, Elliptic Curves List,
|
| * offers only 3 curves, the Suite B curves, 23-25
|
| */
|
| -static const PRUint8 EClist[12] = {
|
| +static const PRUint8 suiteBECList[12] = {
|
| BE(10), /* Extension type */
|
| BE( 8), /* octets that follow ( 3 pairs + 1 length pair) */
|
| BE( 6), /* octets that follow ( 3 pairs) */
|
| BE(23), BE(24), BE(25)
|
| };
|
| -#else
|
| +
|
| /* Prefabricated TLS client hello extension, Elliptic Curves List,
|
| * offers curves 1-25.
|
| */
|
| -static const PRUint8 EClist[56] = {
|
| +static const PRUint8 tlsECList[56] = {
|
| BE(10), /* Extension type */
|
| BE(52), /* octets that follow (25 pairs + 1 length pair) */
|
| BE(50), /* octets that follow (25 pairs) */
|
| @@ -1006,7 +1014,6 @@
|
| BE(16), BE(17), BE(18), BE(19), BE(20), BE(21), BE(22), BE(23),
|
| BE(24), BE(25)
|
| };
|
| -#endif
|
|
|
| static const PRUint8 ECPtFmt[6] = {
|
| BE(11), /* Extension type */
|
| @@ -1015,6 +1022,33 @@
|
| 0 /* uncompressed type only */
|
| };
|
|
|
| +/* This function already presumes we can do ECC, ssl_IsECCEnabled must be
|
| + * called before this function. It looks to see if we have a token which
|
| + * is capable of doing smaller than SuiteB curves. If the token can, we
|
| + * presume the token can do the whole SSL suite of curves. If it can't we
|
| + * presume the token that allowed ECC to be enabled can only do suite B
|
| + * curves. */
|
| +static PRBool
|
| +ssl3_SuiteBOnly(sslSocket *ss)
|
| +{
|
| +#if 0
|
| + /* look to see if we can handle certs less than 163 bits */
|
| + PK11SlotInfo *slot =
|
| + PK11_GetBestSlotWithAttributes(CKM_ECDH1_DERIVE, 0, 163,
|
| + ss ? ss->pkcs11PinArg : NULL);
|
| +
|
| + if (!slot) {
|
| + /* nope, presume we can only do suite B */
|
| + return PR_TRUE;
|
| + }
|
| + /* we can, presume we can do all curves */
|
| + PK11_FreeSlot(slot);
|
| + return PR_FALSE;
|
| +#else
|
| + return PR_TRUE;
|
| +#endif
|
| +}
|
| +
|
| /* Send our "canned" (precompiled) Supported Elliptic Curves extension,
|
| * which says that we support all TLS-defined named curves.
|
| */
|
| @@ -1024,10 +1058,22 @@
|
| PRBool append,
|
| PRUint32 maxBytes)
|
| {
|
| + int ECListSize = 0;
|
| + const PRUint8 *ECList = NULL;
|
| +
|
| if (!ss || !ssl3_IsECCEnabled(ss))
|
| return 0;
|
| - if (append && maxBytes >= (sizeof EClist)) {
|
| - SECStatus rv = ssl3_AppendHandshake(ss, EClist, (sizeof EClist));
|
| +
|
| + if (ssl3_SuiteBOnly(ss)) {
|
| + ECListSize = sizeof (suiteBECList);
|
| + ECList = suiteBECList;
|
| + } else {
|
| + ECListSize = sizeof (tlsECList);
|
| + ECList = tlsECList;
|
| + }
|
| +
|
| + if (append && maxBytes >= ECListSize) {
|
| + SECStatus rv = ssl3_AppendHandshake(ss, ECList, ECListSize);
|
| if (rv != SECSuccess)
|
| return -1;
|
| if (!ss->sec.isServer) {
|
| @@ -1036,9 +1082,18 @@
|
| ssl_elliptic_curves_xtn;
|
| }
|
| }
|
| - return (sizeof EClist);
|
| + return ECListSize;
|
| }
|
|
|
| +PRInt32
|
| +ssl3_GetSupportedECCCurveMask(sslSocket *ss)
|
| +{
|
| + if (ssl3_SuiteBOnly(ss)) {
|
| + return SSL3_SUITE_B_SUPPORTED_CURVES_MASK;
|
| + }
|
| + return SSL3_ALL_SUPPORTED_CURVES_MASK;
|
| +}
|
| +
|
| /* Send our "canned" (precompiled) Supported Point Formats extension,
|
| * which says that we only support uncompressed points.
|
| */
|
|
|
Chromium Code Reviews
Issue 14522022:
Update NSS libSSL to NSS_3_15_BETA2. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/