tor-browser

ssl3ecc.c (32137B)

---

/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
/*
* SSL3 Protocol
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */

/* ECC code moved here from ssl3con.c */

#include "cert.h"
#include "ssl.h"
#include "cryptohi.h" /* for DSAU_ stuff */
#include "keyhi.h"
#include "secder.h"
#include "secitem.h"

#include "sslimpl.h"
#include "sslproto.h"
#include "sslerr.h"
#include "ssl3ext.h"
#include "prtime.h"
#include "prinrval.h"
#include "prerror.h"
#include "pratom.h"
#include "prthread.h"
#include "prinit.h"

#include "pk11func.h"
#include "secmod.h"

#include <stdio.h>

SECStatus
ssl_NamedGroup2ECParams(PLArenaPool *arena, const sslNamedGroupDef *ecGroup,
                       SECKEYECParams *params)
{
   SECOidData *oidData = NULL;

   if (!params) {
       PORT_Assert(0);
       PORT_SetError(SEC_ERROR_INVALID_ARGS);
       return SECFailure;
   }

   if (!ecGroup || ecGroup->keaType != ssl_kea_ecdh ||
       (oidData = SECOID_FindOIDByTag(ecGroup->oidTag)) == NULL) {
       PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
       return SECFailure;
   }

   if (SECITEM_AllocItem(arena, params, (2 + oidData->oid.len)) == NULL) {
       PORT_SetError(SEC_ERROR_NO_MEMORY);
       return SECFailure;
   }

   /*
    * params->data needs to contain the ASN encoding of an object ID (OID)
    * representing the named curve. The actual OID is in
    * oidData->oid.data so we simply prepend 0x06 and OID length
    */
   params->data[0] = SEC_ASN1_OBJECT_ID;
   params->data[1] = oidData->oid.len;
   memcpy(params->data + 2, oidData->oid.data, oidData->oid.len);

   return SECSuccess;
}

const sslNamedGroupDef *
ssl_ECPubKey2NamedGroup(const SECKEYPublicKey *pubKey)
{
   SECItem oid = { siBuffer, NULL, 0 };
   SECOidData *oidData = NULL;
   PRUint32 policyFlags = 0;
   unsigned int i;
   const SECKEYECParams *params;

   if (pubKey->keyType != ecKey) {
       PORT_Assert(0);
       return NULL;
   }

   params = &pubKey->u.ec.DEREncodedParams;

   /*
    * params->data needs to contain the ASN encoding of an object ID (OID)
    * representing a named curve. Here, we strip away everything
    * before the actual OID and use the OID to look up a named curve.
    */
   if (params->data[0] != SEC_ASN1_OBJECT_ID)
       return NULL;
   oid.len = params->len - 2;
   oid.data = params->data + 2;
   if ((oidData = SECOID_FindOID(&oid)) == NULL)
       return NULL;
   if ((NSS_GetAlgorithmPolicy(oidData->offset, &policyFlags) ==
        SECSuccess) &&
       !(policyFlags & NSS_USE_ALG_IN_SSL_KX)) {
       return NULL;
   }
   for (i = 0; i < SSL_NAMED_GROUP_COUNT; ++i) {
       if (ssl_named_groups[i].oidTag == oidData->offset) {
           return &ssl_named_groups[i];
       }
   }

   return NULL;
}

/* Caller must set hiLevel error code. */
static SECStatus
ssl3_ComputeECDHKeyHash(SSLHashType hashAlg,
                       SECItem ec_params, SECItem server_ecpoint,
                       PRUint8 *client_rand, PRUint8 *server_rand,
                       SSL3Hashes *hashes)
{
   PRUint8 *hashBuf;
   PRUint8 *pBuf;
   SECStatus rv = SECSuccess;
   unsigned int bufLen;
   /*
    * We only support named curves (the appropriate checks are made before this
    * method is called) so ec_params takes up only two bytes. ECPoint needs to
    * fit in 256 bytes because the spec says the length must fit in one byte.
    */
   PRUint8 buf[2 * SSL3_RANDOM_LENGTH + 2 + 1 + 256];

   bufLen = 2 * SSL3_RANDOM_LENGTH + ec_params.len + 1 + server_ecpoint.len;
   if (bufLen <= sizeof buf) {
       hashBuf = buf;
   } else {
       hashBuf = PORT_Alloc(bufLen);
       if (!hashBuf) {
           return SECFailure;
       }
   }

   memcpy(hashBuf, client_rand, SSL3_RANDOM_LENGTH);
   pBuf = hashBuf + SSL3_RANDOM_LENGTH;
   memcpy(pBuf, server_rand, SSL3_RANDOM_LENGTH);
   pBuf += SSL3_RANDOM_LENGTH;
   memcpy(pBuf, ec_params.data, ec_params.len);
   pBuf += ec_params.len;
   pBuf[0] = (PRUint8)(server_ecpoint.len);
   pBuf += 1;
   memcpy(pBuf, server_ecpoint.data, server_ecpoint.len);
   pBuf += server_ecpoint.len;
   PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen);

   rv = ssl3_ComputeCommonKeyHash(hashAlg, hashBuf, bufLen, hashes);

   PRINT_BUF(95, (NULL, "ECDHkey hash: ", hashBuf, bufLen));
   PRINT_BUF(95, (NULL, "ECDHkey hash: MD5 result",
                  hashes->u.s.md5, MD5_LENGTH));
   PRINT_BUF(95, (NULL, "ECDHkey hash: SHA1 result",
                  hashes->u.s.sha, SHA1_LENGTH));

   if (hashBuf != buf)
       PORT_Free(hashBuf);
   return rv;
}

/* Called from ssl3_SendClientKeyExchange(). */
SECStatus
ssl3_SendECDHClientKeyExchange(sslSocket *ss, SECKEYPublicKey *svrPubKey)
{
   PK11SymKey *pms = NULL;
   SECStatus rv = SECFailure;
   PRBool isTLS, isTLS12;
   CK_MECHANISM_TYPE target;
   const sslNamedGroupDef *groupDef;
   sslEphemeralKeyPair *keyPair = NULL;
   SECKEYPublicKey *pubKey;

   PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
   PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));

   isTLS = (PRBool)(ss->version > SSL_LIBRARY_VERSION_3_0);
   isTLS12 = (PRBool)(ss->version >= SSL_LIBRARY_VERSION_TLS_1_2);

   /* Generate ephemeral EC keypair */
   if (svrPubKey->keyType != ecKey) {
       PORT_SetError(SEC_ERROR_BAD_KEY);
       goto loser;
   }
   groupDef = ssl_ECPubKey2NamedGroup(svrPubKey);
   if (!groupDef) {
       PORT_SetError(SEC_ERROR_BAD_KEY);
       goto loser;
   }
   ss->sec.keaGroup = groupDef;
   rv = ssl_CreateECDHEphemeralKeyPair(ss, groupDef, &keyPair);
   if (rv != SECSuccess) {
       ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
       goto loser;
   }

   pubKey = keyPair->keys->pubKey;
   PRINT_BUF(50, (ss, "ECDH public value:",
                  pubKey->u.ec.publicValue.data,
                  pubKey->u.ec.publicValue.len));

   if (isTLS12) {
       target = CKM_TLS12_MASTER_KEY_DERIVE_DH;
   } else if (isTLS) {
       target = CKM_TLS_MASTER_KEY_DERIVE_DH;
   } else {
       target = CKM_SSL3_MASTER_KEY_DERIVE_DH;
   }

   /* Determine the PMS */
   pms = PK11_PubDeriveWithKDF(keyPair->keys->privKey, svrPubKey,
                               PR_FALSE, NULL, NULL, CKM_ECDH1_DERIVE, target,
                               CKA_DERIVE, 0, CKD_NULL, NULL, NULL);

   if (pms == NULL) {
       (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
       ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
       goto loser;
   }

   rv = ssl3_AppendHandshakeHeader(ss, ssl_hs_client_key_exchange,
                                   pubKey->u.ec.publicValue.len + 1);
   if (rv != SECSuccess) {
       goto loser; /* err set by ssl3_AppendHandshake* */
   }

   rv = ssl3_AppendHandshakeVariable(ss, pubKey->u.ec.publicValue.data,
                                     pubKey->u.ec.publicValue.len, 1);

   if (rv != SECSuccess) {
       goto loser; /* err set by ssl3_AppendHandshake* */
   }

   rv = ssl3_InitPendingCipherSpecs(ss, pms, PR_TRUE);
   if (rv != SECSuccess) {
       ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
       goto loser;
   }

   PK11_FreeSymKey(pms);
   ssl_FreeEphemeralKeyPair(keyPair);
   return SECSuccess;

loser:
   if (pms)
       PK11_FreeSymKey(pms);
   if (keyPair)
       ssl_FreeEphemeralKeyPair(keyPair);
   return SECFailure;
}

/*
** Called from ssl3_HandleClientKeyExchange()
*/
SECStatus
ssl3_HandleECDHClientKeyExchange(sslSocket *ss, PRUint8 *b,
                                PRUint32 length,
                                sslKeyPair *serverKeyPair)
{
   PK11SymKey *pms;
   SECStatus rv;
   SECKEYPublicKey clntPubKey;
   CK_MECHANISM_TYPE target;
   PRBool isTLS, isTLS12;
   int errCode = SSL_ERROR_RX_MALFORMED_CLIENT_KEY_EXCH;

   PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss));
   PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));

   clntPubKey.keyType = ecKey;
   clntPubKey.u.ec.DEREncodedParams.len =
       serverKeyPair->pubKey->u.ec.DEREncodedParams.len;
   clntPubKey.u.ec.DEREncodedParams.data =
       serverKeyPair->pubKey->u.ec.DEREncodedParams.data;
   clntPubKey.u.ec.encoding = ECPoint_Undefined;

   rv = ssl3_ConsumeHandshakeVariable(ss, &clntPubKey.u.ec.publicValue,
                                      1, &b, &length);
   if (rv != SECSuccess) {
       PORT_SetError(errCode);
       return SECFailure;
   }

   /* we have to catch the case when the client's public key has length 0. */
   if (!clntPubKey.u.ec.publicValue.len) {
       (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
       PORT_SetError(errCode);
       return SECFailure;
   }

   isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
   isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);

   if (isTLS12) {
       target = CKM_TLS12_MASTER_KEY_DERIVE_DH;
   } else if (isTLS) {
       target = CKM_TLS_MASTER_KEY_DERIVE_DH;
   } else {
       target = CKM_SSL3_MASTER_KEY_DERIVE_DH;
   }

   /*  Determine the PMS */
   pms = PK11_PubDeriveWithKDF(serverKeyPair->privKey, &clntPubKey,
                               PR_FALSE, NULL, NULL,
                               CKM_ECDH1_DERIVE, target, CKA_DERIVE, 0,
                               CKD_NULL, NULL, NULL);

   if (pms == NULL) {
       /* last gasp.  */
       errCode = ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
       PORT_SetError(errCode);
       return SECFailure;
   }

   rv = ssl3_InitPendingCipherSpecs(ss, pms, PR_TRUE);
   PK11_FreeSymKey(pms);
   if (rv != SECSuccess) {
       /* error code set by ssl3_InitPendingCipherSpec */
       return SECFailure;
   }
   ss->sec.keaGroup = ssl_ECPubKey2NamedGroup(&clntPubKey);
   return SECSuccess;
}

/*
** Take an encoded key share and make a public key out of it.
*/
SECStatus
ssl_ImportECDHKeyShare(SECKEYPublicKey *peerKey,
                      PRUint8 *b, PRUint32 length,
                      const sslNamedGroupDef *ecGroup)
{
   SECStatus rv;
   SECItem ecPoint = { siBuffer, NULL, 0 };

   if (!length) {
       PORT_SetError(SSL_ERROR_RX_MALFORMED_ECDHE_KEY_SHARE);
       return SECFailure;
   }

   /* Fail if the ec point uses compressed representation */
   if (b[0] != EC_POINT_FORM_UNCOMPRESSED &&
       ecGroup->name != ssl_grp_ec_curve25519) {
       PORT_SetError(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM);
       return SECFailure;
   }

   peerKey->keyType = ecKey;
   /* Set up the encoded params */
   rv = ssl_NamedGroup2ECParams(peerKey->arena, ecGroup,
                                &peerKey->u.ec.DEREncodedParams);
   if (rv != SECSuccess) {
       ssl_MapLowLevelError(SSL_ERROR_RX_MALFORMED_ECDHE_KEY_SHARE);
       return SECFailure;
   }
   peerKey->u.ec.encoding = ECPoint_Undefined;

   /* copy publicValue in peerKey */
   ecPoint.data = b;
   ecPoint.len = length;

   rv = SECITEM_CopyItem(peerKey->arena, &peerKey->u.ec.publicValue, &ecPoint);
   if (rv != SECSuccess) {
       return SECFailure;
   }

   return SECSuccess;
}

const sslNamedGroupDef *
ssl_GetECGroupWithStrength(sslSocket *ss, unsigned int requiredECCbits)
{
   int i;

   PORT_Assert(ss);

   for (i = 0; i < SSL_NAMED_GROUP_COUNT; ++i) {
       const sslNamedGroupDef *group = ss->namedGroupPreferences[i];
       if (group && group->keaType == ssl_kea_ecdh &&
           group->bits >= requiredECCbits) {
           return group;
       }
   }

   PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
   return NULL;
}

/* Find the "weakest link".  Get the strength of the signature and symmetric
* keys and choose a curve based on the weakest of those two. */
const sslNamedGroupDef *
ssl_GetECGroupForServerSocket(sslSocket *ss)
{
   const sslServerCert *cert = ss->sec.serverCert;
   unsigned int certKeySize;
   const ssl3BulkCipherDef *bulkCipher;
   unsigned int requiredECCbits;

   PORT_Assert(cert);
   if (!cert || !cert->serverKeyPair || !cert->serverKeyPair->pubKey) {
       PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
       return NULL;
   }

   if (SSL_CERT_IS(cert, ssl_auth_rsa_sign) ||
       SSL_CERT_IS(cert, ssl_auth_rsa_pss)) {
       certKeySize = SECKEY_PublicKeyStrengthInBits(cert->serverKeyPair->pubKey);
       certKeySize = SSL_RSASTRENGTH_TO_ECSTRENGTH(certKeySize);
   } else if (SSL_CERT_IS_EC(cert)) {
       /* We won't select a certificate unless the named curve has been
        * negotiated (or supported_curves was absent), double check that. */
       PORT_Assert(cert->namedCurve->keaType == ssl_kea_ecdh);
       PORT_Assert(ssl_NamedGroupEnabled(ss, cert->namedCurve));
       if (!ssl_NamedGroupEnabled(ss, cert->namedCurve)) {
           return NULL;
       }
       certKeySize = cert->namedCurve->bits;
   } else {
       PORT_Assert(0);
       return NULL;
   }
   bulkCipher = ssl_GetBulkCipherDef(ss->ssl3.hs.suite_def);
   requiredECCbits = bulkCipher->key_size * BPB * 2;
   PORT_Assert(requiredECCbits ||
               ss->ssl3.hs.suite_def->bulk_cipher_alg == cipher_null);
   if (requiredECCbits > certKeySize) {
       requiredECCbits = certKeySize;
   }

   return ssl_GetECGroupWithStrength(ss, requiredECCbits);
}

/* ssl_CreateECDHEPrivateKey is a variant of SECKEY_CreateECPrivateKey that
* tries to use CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN instead of CKM_EC_KEY_PAIR_GEN.
* Softoken's implementation of CKM_EC_KEY_PAIR_GEN always performs the
* SP800-56A pairwise consistency check, even though Section 5.6.2.1.4 of that
* document only requires that check for static keys. The
* CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN mechanism skips the pairwise consistency
* check, but is otherwise identical to CKM_EC_KEY_PAIR_GEN. */
static SECKEYPrivateKey *
ssl_CreateECDHEPrivateKey(SECKEYECParams *param, SECKEYPublicKey **pubk, void *cx)
{
   SECKEYPrivateKey *privk = NULL;
   CK_MECHANISM_TYPE type = CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN;

   PK11SlotInfo *slot = PK11_GetInternalSlot();
   if (!slot || !PK11_DoesMechanism(slot, type) || PK11_IsFIPS()) {
       if (slot) {
           PK11_FreeSlot(slot);
       }
       return SECKEY_CreateECPrivateKey(param, pubk, cx);
   }

   privk = PK11_GenerateKeyPairWithOpFlags(slot, type, param, pubk,
                                           PK11_ATTR_SESSION | PK11_ATTR_INSENSITIVE | PK11_ATTR_PUBLIC,
                                           CKF_DERIVE, CKF_DERIVE, cx);
   if (!privk) {
       privk = PK11_GenerateKeyPairWithOpFlags(slot, type, param, pubk,
                                               PK11_ATTR_SESSION | PK11_ATTR_SENSITIVE | PK11_ATTR_PRIVATE,
                                               CKF_DERIVE, CKF_DERIVE, cx);
   }

   PK11_FreeSlot(slot);
   return privk;
}

/* Create an ECDHE key pair for a given curve */
SECStatus
ssl_CreateECDHEphemeralKeyPair(const sslSocket *ss,
                              const sslNamedGroupDef *ecGroup,
                              sslEphemeralKeyPair **keyPair)
{
   SECKEYPrivateKey *privKey = NULL;
   SECKEYPublicKey *pubKey = NULL;
   SECKEYECParams ecParams = { siBuffer, NULL, 0 };
   sslEphemeralKeyPair *pair;

   if (ssl_NamedGroup2ECParams(NULL, ecGroup, &ecParams) != SECSuccess) {
       return SECFailure;
   }
   privKey = ssl_CreateECDHEPrivateKey(&ecParams, &pubKey, ss->pkcs11PinArg);
   SECITEM_FreeItem(&ecParams, PR_FALSE);

   if (!privKey || !pubKey ||
       !(pair = ssl_NewEphemeralKeyPair(ecGroup, privKey, pubKey))) {
       if (privKey) {
           SECKEY_DestroyPrivateKey(privKey);
       }
       if (pubKey) {
           SECKEY_DestroyPublicKey(pubKey);
       }
       ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
       return SECFailure;
   }

   *keyPair = pair;
   SSL_TRC(50, ("%d: SSL[%d]: Create ECDH ephemeral key %d",
                SSL_GETPID(), ss ? ss->fd : NULL, ecGroup->name));
   PRINT_BUF(50, (ss, "Public Key", pubKey->u.ec.publicValue.data,
                  pubKey->u.ec.publicValue.len));
#ifdef TRACE
   if (ssl_trace >= 50) {
       SECItem d = { siBuffer, NULL, 0 };
       SECStatus rv = PK11_ReadRawAttribute(PK11_TypePrivKey, privKey,
                                            CKA_VALUE, &d);
       if (rv == SECSuccess) {
           PRINT_BUF(50, (ss, "Private Key", d.data, d.len));
           SECITEM_FreeItem(&d, PR_FALSE);
       } else {
           SSL_TRC(50, ("Error extracting private key"));
       }
   }
#endif
   return SECSuccess;
}

SECStatus
ssl3_HandleECDHServerKeyExchange(sslSocket *ss, PRUint8 *b, PRUint32 length)
{
   PLArenaPool *arena = NULL;
   SECKEYPublicKey *peerKey = NULL;
   PRBool isTLS;
   SECStatus rv;
   int errCode = SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH;
   SSL3AlertDescription desc = illegal_parameter;
   SSL3Hashes hashes;
   SECItem signature = { siBuffer, NULL, 0 };
   SSLHashType hashAlg;
   SSLSignatureScheme sigScheme;

   SECItem ec_params = { siBuffer, NULL, 0 };
   SECItem ec_point = { siBuffer, NULL, 0 };
   unsigned char paramBuf[3];
   const sslNamedGroupDef *ecGroup;

   isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);

   ec_params.len = sizeof paramBuf;
   ec_params.data = paramBuf;
   rv = ssl3_ConsumeHandshake(ss, ec_params.data, ec_params.len, &b, &length);
   if (rv != SECSuccess) {
       goto loser; /* malformed. */
   }

   /* Fail if the curve is not a named curve */
   if (ec_params.data[0] != ec_type_named) {
       errCode = SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE;
       desc = handshake_failure;
       goto alert_loser;
   }
   ecGroup = ssl_LookupNamedGroup(ec_params.data[1] << 8 | ec_params.data[2]);
   if (!ecGroup || ecGroup->keaType != ssl_kea_ecdh) {
       errCode = SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE;
       desc = handshake_failure;
       goto alert_loser;
   }

   rv = ssl3_ConsumeHandshakeVariable(ss, &ec_point, 1, &b, &length);
   if (rv != SECSuccess) {
       goto loser; /* malformed. */
   }

   /* Fail if the provided point has length 0. */
   if (!ec_point.len) {
       /* desc and errCode are initialized already */
       goto alert_loser;
   }

   /* Fail if the ec point is not uncompressed for any curve that's not 25519. */
   if (ecGroup->name != ssl_grp_ec_curve25519 &&
       ec_point.data[0] != EC_POINT_FORM_UNCOMPRESSED) {
       errCode = SEC_ERROR_UNSUPPORTED_EC_POINT_FORM;
       desc = handshake_failure;
       goto alert_loser;
   }

   PORT_Assert(ss->ssl3.prSpec->version <= SSL_LIBRARY_VERSION_TLS_1_2);
   if (ss->ssl3.prSpec->version == SSL_LIBRARY_VERSION_TLS_1_2) {
       rv = ssl_ConsumeSignatureScheme(ss, &b, &length, &sigScheme);
       if (rv != SECSuccess) {
           errCode = PORT_GetError();
           goto alert_loser; /* malformed or unsupported. */
       }
       rv = ssl_CheckSignatureSchemeConsistency(
           ss, sigScheme, &ss->sec.peerCert->subjectPublicKeyInfo);
       if (rv != SECSuccess) {
           errCode = PORT_GetError();
           goto alert_loser;
       }
       hashAlg = ssl_SignatureSchemeToHashType(sigScheme);
   } else {
       /* Use ssl_hash_none to represent the MD5+SHA1 combo. */
       hashAlg = ssl_hash_none;
       sigScheme = ssl_sig_none;
   }

   rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length);
   if (rv != SECSuccess) {
       goto loser; /* malformed. */
   }

   if (length != 0) {
       if (isTLS)
           desc = decode_error;
       goto alert_loser; /* malformed. */
   }

   PRINT_BUF(60, (NULL, "Server EC params", ec_params.data, ec_params.len));
   PRINT_BUF(60, (NULL, "Server EC point", ec_point.data, ec_point.len));

   /* failures after this point are not malformed handshakes. */
   /* TLS: send decrypt_error if signature failed. */
   desc = isTLS ? decrypt_error : handshake_failure;

   /*
    *  check to make sure the hash is signed by right guy
    */
   rv = ssl3_ComputeECDHKeyHash(hashAlg, ec_params, ec_point,
                                ss->ssl3.hs.client_random,
                                ss->ssl3.hs.server_random,
                                &hashes);

   if (rv != SECSuccess) {
       errCode =
           ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
       goto alert_loser;
   }
   rv = ssl3_VerifySignedHashes(ss, sigScheme, &hashes, &signature);
   if (rv != SECSuccess) {
       errCode =
           ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
       goto alert_loser;
   }

   arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
   if (arena == NULL) {
       errCode = SEC_ERROR_NO_MEMORY;
       goto loser;
   }

   peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey);
   if (peerKey == NULL) {
       errCode = SEC_ERROR_NO_MEMORY;
       goto loser;
   }
   peerKey->arena = arena;

   /* create public key from point data */
   rv = ssl_ImportECDHKeyShare(peerKey, ec_point.data, ec_point.len,
                               ecGroup);
   if (rv != SECSuccess) {
       /* error code is set */
       desc = handshake_failure;
       errCode = PORT_GetError();
       goto alert_loser;
   }
   peerKey->pkcs11Slot = NULL;
   peerKey->pkcs11ID = CK_INVALID_HANDLE;

   ss->sec.peerKey = peerKey;
   return SECSuccess;

alert_loser:
   (void)SSL3_SendAlert(ss, alert_fatal, desc);
loser:
   if (arena) {
       PORT_FreeArena(arena, PR_FALSE);
   }
   PORT_SetError(errCode);
   return SECFailure;
}

SECStatus
ssl3_SendECDHServerKeyExchange(sslSocket *ss)
{
   SECStatus rv = SECFailure;
   int length;
   PRBool isTLS12;
   SECItem signed_hash = { siBuffer, NULL, 0 };
   SSLHashType hashAlg;
   SSL3Hashes hashes;

   SECItem ec_params = { siBuffer, NULL, 0 };
   unsigned char paramBuf[3];
   const sslNamedGroupDef *ecGroup;
   sslEphemeralKeyPair *keyPair;
   SECKEYPublicKey *pubKey;

   /* Generate ephemeral ECDH key pair and send the public key */
   ecGroup = ssl_GetECGroupForServerSocket(ss);
   if (!ecGroup) {
       goto loser;
   }

   PORT_Assert(PR_CLIST_IS_EMPTY(&ss->ephemeralKeyPairs));
   if (ss->opt.reuseServerECDHEKey) {
       rv = ssl_CreateStaticECDHEKey(ss, ecGroup);
       if (rv != SECSuccess) {
           goto loser;
       }
       keyPair = (sslEphemeralKeyPair *)PR_NEXT_LINK(&ss->ephemeralKeyPairs);
   } else {
       rv = ssl_CreateECDHEphemeralKeyPair(ss, ecGroup, &keyPair);
       if (rv != SECSuccess) {
           goto loser;
       }
       PR_APPEND_LINK(&keyPair->link, &ss->ephemeralKeyPairs);
   }

   PORT_Assert(keyPair);
   if (!keyPair) {
       PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
       return SECFailure;
   }

   ec_params.len = sizeof(paramBuf);
   ec_params.data = paramBuf;
   PORT_Assert(keyPair->group);
   PORT_Assert(keyPair->group->keaType == ssl_kea_ecdh);
   ec_params.data[0] = ec_type_named;
   ec_params.data[1] = keyPair->group->name >> 8;
   ec_params.data[2] = keyPair->group->name & 0xff;

   pubKey = keyPair->keys->pubKey;
   if (ss->version == SSL_LIBRARY_VERSION_TLS_1_2) {
       hashAlg = ssl_SignatureSchemeToHashType(ss->ssl3.hs.signatureScheme);
   } else {
       /* Use ssl_hash_none to represent the MD5+SHA1 combo. */
       hashAlg = ssl_hash_none;
   }
   rv = ssl3_ComputeECDHKeyHash(hashAlg, ec_params,
                                pubKey->u.ec.publicValue,
                                ss->ssl3.hs.client_random,
                                ss->ssl3.hs.server_random,
                                &hashes);
   if (rv != SECSuccess) {
       ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
       goto loser;
   }

   isTLS12 = (PRBool)(ss->version >= SSL_LIBRARY_VERSION_TLS_1_2);

   rv = ssl3_SignHashes(ss, &hashes,
                        ss->sec.serverCert->serverKeyPair->privKey, &signed_hash);
   if (rv != SECSuccess) {
       goto loser; /* ssl3_SignHashes has set err. */
   }

   length = ec_params.len +
            1 + pubKey->u.ec.publicValue.len +
            (isTLS12 ? 2 : 0) + 2 + signed_hash.len;

   rv = ssl3_AppendHandshakeHeader(ss, ssl_hs_server_key_exchange, length);
   if (rv != SECSuccess) {
       goto loser; /* err set by AppendHandshake. */
   }

   rv = ssl3_AppendHandshake(ss, ec_params.data, ec_params.len);
   if (rv != SECSuccess) {
       goto loser; /* err set by AppendHandshake. */
   }

   rv = ssl3_AppendHandshakeVariable(ss, pubKey->u.ec.publicValue.data,
                                     pubKey->u.ec.publicValue.len, 1);
   if (rv != SECSuccess) {
       goto loser; /* err set by AppendHandshake. */
   }

   if (isTLS12) {
       rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.signatureScheme, 2);
       if (rv != SECSuccess) {
           goto loser; /* err set by AppendHandshake. */
       }
   }

   rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data,
                                     signed_hash.len, 2);
   if (rv != SECSuccess) {
       goto loser; /* err set by AppendHandshake. */
   }

   PORT_Free(signed_hash.data);
   return SECSuccess;

loser:
   if (signed_hash.data != NULL)
       PORT_Free(signed_hash.data);
   return SECFailure;
}

/* List of all ECC cipher suites */
static const ssl3CipherSuite ssl_all_ec_suites[] = {
   TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
   TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
   TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
   TLS_ECDHE_ECDSA_WITH_NULL_SHA,
   TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
   TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
   TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
   TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
   TLS_ECDHE_RSA_WITH_NULL_SHA,
   TLS_ECDHE_RSA_WITH_RC4_128_SHA,
   TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
   TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
   TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
   TLS_ECDH_ECDSA_WITH_NULL_SHA,
   TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
   TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
   TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
   TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
   TLS_ECDH_RSA_WITH_NULL_SHA,
   TLS_ECDH_RSA_WITH_RC4_128_SHA,
   0 /* end of list marker */
};

static const ssl3CipherSuite ssl_dhe_suites[] = {
   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
   TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
   TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
   TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
   TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
   TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
   TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
   TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
   TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
   TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
   TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
   TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
   TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
   TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
   TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
   TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
   TLS_DHE_DSS_WITH_RC4_128_SHA,
   TLS_DHE_RSA_WITH_DES_CBC_SHA,
   TLS_DHE_DSS_WITH_DES_CBC_SHA,
   0
};

/* Order(N^2).  Yuk. */
static PRBool
ssl_IsSuiteEnabled(const sslSocket *ss, const ssl3CipherSuite *list)
{
   const ssl3CipherSuite *suite;

   for (suite = list; *suite; ++suite) {
       PRBool enabled = PR_FALSE;
       SECStatus rv = ssl3_CipherPrefGet(ss, *suite, &enabled);

       PORT_Assert(rv == SECSuccess); /* else is coding error */
       if (rv == SECSuccess && enabled)
           return PR_TRUE;
   }
   return PR_FALSE;
}

/* Ask: is ANY ECC cipher suite enabled on this socket? */
PRBool
ssl_IsECCEnabled(const sslSocket *ss)
{
   PK11SlotInfo *slot;

   /* make sure we can do ECC */
   slot = PK11_GetBestSlot(CKM_ECDH1_DERIVE, ss->pkcs11PinArg);
   if (!slot) {
       return PR_FALSE;
   }
   PK11_FreeSlot(slot);

   /* make sure an ECC cipher is enabled */
   return ssl_IsSuiteEnabled(ss, ssl_all_ec_suites);
}

PRBool
ssl_IsDHEEnabled(const sslSocket *ss)
{
   return ssl_IsSuiteEnabled(ss, ssl_dhe_suites);
}

/* Send our Supported Groups extension. */
SECStatus
ssl_SendSupportedGroupsXtn(const sslSocket *ss, TLSExtensionData *xtnData,
                          sslBuffer *buf, PRBool *added)
{
   unsigned int i;
   PRBool ec;
   PRBool ec_hybrid = PR_FALSE;
   PRBool ff = PR_FALSE;
   PRBool found = PR_FALSE;
   SECStatus rv;
   unsigned int lengthOffset;

   /* We only send FF supported groups if we require DH named groups
    * or if TLS 1.3 is a possibility. */
   if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3) {
       ec = ssl_IsECCEnabled(ss);
       if (ss->opt.requireDHENamedGroups) {
           ff = ssl_IsDHEEnabled(ss);
       }
       if (!ec && !ff) {
           return SECSuccess;
       }
   } else {
       ec = ec_hybrid = ff = PR_TRUE;
   }

   /* Mark the location of the length. */
   rv = sslBuffer_Skip(buf, 2, &lengthOffset);
   if (rv != SECSuccess) {
       return SECFailure;
   }

   for (i = 0; i < SSL_NAMED_GROUP_COUNT; ++i) {
       const sslNamedGroupDef *group = ss->namedGroupPreferences[i];
       if (!group) {
           continue;
       }
       if (group->keaType == ssl_kea_ecdh && !ec) {
           continue;
       }
       if (group->keaType == ssl_kea_ecdh_hybrid && !ec_hybrid) {
           continue;
       }
       if (group->keaType == ssl_kea_dh && !ff) {
           continue;
       }

       found = PR_TRUE;
       rv = sslBuffer_AppendNumber(buf, group->name, 2);
       if (rv != SECSuccess) {
           return SECFailure;
       }
   }

   /* GREASE SupportedGroups:
    * A client MAY select one or more GREASE named group values and advertise
    * them in the "supported_groups" extension, if sent [RFC8701, Section 3.1].
    */
   if (!ss->sec.isServer &&
       ss->opt.enableGrease &&
       ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3) {
       rv = sslBuffer_AppendNumber(buf, ss->ssl3.hs.grease->idx[grease_group], 2);
       if (rv != SECSuccess) {
           return SECFailure;
       }
       found = PR_TRUE;
   }

   if (!found) {
       /* We added nothing, don't send the extension. */
       return SECSuccess;
   }

   rv = sslBuffer_InsertLength(buf, lengthOffset, 2);
   if (rv != SECSuccess) {
       return SECFailure;
   }

   *added = PR_TRUE;
   return SECSuccess;
}

/* Send our "canned" (precompiled) Supported Point Formats extension,
* which says that we only support uncompressed points.
*/
SECStatus
ssl3_SendSupportedPointFormatsXtn(const sslSocket *ss, TLSExtensionData *xtnData,
                                 sslBuffer *buf, PRBool *added)
{
   SECStatus rv;

   /* No point in doing this unless we have a socket that supports ECC.
    * Similarly, no point if we are going to do TLS 1.3 only or we have already
    * picked TLS 1.3 (server) given that it doesn't use point formats. */
   if (!ss || !ssl_IsECCEnabled(ss) ||
       ss->vrange.min >= SSL_LIBRARY_VERSION_TLS_1_3 ||
       (ss->sec.isServer && ss->version >= SSL_LIBRARY_VERSION_TLS_1_3)) {
       return SECSuccess;
   }
   rv = sslBuffer_AppendNumber(buf, 1, 1); /* length */
   if (rv != SECSuccess) {
       return SECFailure;
   }
   rv = sslBuffer_AppendNumber(buf, 0, 1); /* uncompressed type only */
   if (rv != SECSuccess) {
       return SECFailure;
   }

   *added = PR_TRUE;
   return SECSuccess;
}