authorBodo Möller <bodo@openssl.org>2003-07-22 12:34:21 +0000
committerBodo Möller <bodo@openssl.org>2003-07-22 12:34:21 +0000
commit968766cad84d15d556d9b8f7ab3c927df700c378 (patch)
tree29bd70e47d518c70ba3fdd1dbc360f3f6799b3bd /ssl
parent652ae06badda3a8964f650ce1713e335257548d9 (diff)
updates for draft-ietf-tls-ecc-03.txt
Submitted by: Douglas Stebila Reviewed by: Bodo Moeller
Diffstat (limited to 'ssl')
-rw-r--r--ssl/s3_clnt.c20
-rw-r--r--ssl/s3_srvr.c20
-rw-r--r--ssl/tls1.h4
3 files changed, 40 insertions, 4 deletions
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 211dd03b11..7eff4f1d5e 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1870,6 +1870,7 @@ static int ssl3_send_client_key_exchange(SSL *s)
{
EC_GROUP *srvr_group = NULL;
int ecdh_clnt_cert = 0;
+ int field_size = 0;
/* Did we send out the client's
* ECDH share for use in premaster
@@ -1962,7 +1963,21 @@ static int ssl3_send_client_key_exchange(SSL *s)
* make sure to clear it out afterwards
*/
- n=ECDH_compute_key(p, KDF1_SHA1_len, srvr_ecpoint, clnt_ecdh, KDF1_SHA1);
+ field_size = EC_GROUP_get_degree(clnt_ecdh->group);
+ if (field_size <= 0)
+ {
+ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+ ERR_R_ECDH_LIB);
+ goto err;
+ }
+ /* If field size is not more than 24 octets, then use SHA-1 hash of result;
+ * otherwise, use result (see section 4.8 of draft-ietf-tls-ecc-03.txt;
+ * this is new with this version of the Internet Draft).
+ */
+ if (field_size <= 24 * 8)
+ n=ECDH_compute_key(p, KDF1_SHA1_len, srvr_ecpoint, clnt_ecdh, KDF1_SHA1);
+ else
+ n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL);
if (n <= 0)
{
SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
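Review bot: The shared secret written into `p` now has a curve-dependent length (the NULL-KDF branch writes `(field_size+7)/8` octets, up to 72 for a 571-bit field) instead of the fixed `KDF1_SHA1_len`, so the clean-up that the comment at the top of the hunk promises ("make sure to clear it out afterwards") must wipe the returned `n` bytes rather than a constant; that code is outside the hunk, so please confirm it reads `memset(p, 0, n);` or wider. The `field_size <= 24 * 8` test is correct but the comment talks in octets while `EC_GROUP_get_degree` returns bits; a short note avoids the next reader "fixing" it: `/* field_size is in bits: 24 octets == 192 bits */`. ssl3_send_client_key_exchange begins and ends outside this hunk.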
@@ -2375,7 +2390,8 @@ err:
/* This is the complement of nid2curve_id in s3_srvr.c. */
static int curve_id2nid(int curve_id)
{
- /* ECC curves from draft-ietf-tls-ecc-01.txt (Mar 15, 2001) */
+ /* ECC curves from draft-ietf-tls-ecc-01.txt (Mar 15, 2001)
+ * (no changes in draft-ietf-tls-ecc-03.txt [June 2003]) */
static int nid_list[26] =
{
0,
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index c2ac8cb2fc..32ddc48090 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -1962,6 +1962,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
if ((l & SSL_kECDH) || (l & SSL_kECDHE))
{
int ret = 1;
+ int field_size = 0;
/* initialize structures for server's ECDH key pair */
if ((srvr_ecdh = EC_KEY_new()) == NULL)
@@ -2062,7 +2063,21 @@ static int ssl3_get_client_key_exchange(SSL *s)
}
/* Compute the shared pre-master secret */
- i = ECDH_compute_key(p, KDF1_SHA1_len, clnt_ecpoint, srvr_ecdh, KDF1_SHA1);
+ field_size = EC_GROUP_get_degree(srvr_ecdh->group);
+ if (field_size <= 0)
+ {
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+ ERR_R_ECDH_LIB);
+ goto err;
+ }
+ /* If field size is not more than 24 octets, then use SHA-1 hash of result;
+ * otherwise, use result (see section 4.8 of draft-ietf-tls-ecc-03.txt;
+ * this is new with this version of the Internet Draft).
+ */
+ if (field_size <= 24 * 8)
+ i = ECDH_compute_key(p, KDF1_SHA1_len, clnt_ecpoint, srvr_ecdh, KDF1_SHA1);
+ else
+ i = ECDH_compute_key(p, (field_size+7)/8, clnt_ecpoint, srvr_ecdh, NULL);
if (i <= 0)
{
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
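Review bot: The KDF-selection block here is a verbatim copy of the client side in s3_clnt.c, including the bare `24 * 8` threshold, so the two paths will drift the next time the draft moves the cutoff. I would hoist it into one shared helper (a function in s3_lib.c declared in ssl_locl.h that takes the output buffer, the peer point and the EC_KEY and returns the ECDH_compute_key result), or at minimum name the threshold once, e.g. `#define TLS1_ECDH_KDF_MAX_FIELD_BITS (24 * 8)` in tls1.h, and compare against it on both sides. The output length is derived from the server's own `srvr_ecdh->group`, which is only right if `clnt_ecpoint` was decoded against that same group; that decode happens before this hunk, so it is worth confirming rather than assuming. ssl3_get_client_key_exchange begins and ends outside this hunk.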
@@ -2459,7 +2474,8 @@ int ssl3_send_server_certificate(SSL *s)
/* This is the complement of curve_id2nid in s3_clnt.c. */
static int nid2curve_id(int nid)
{
- /* ECC curves from draft-ietf-tls-ecc-01.txt (Mar 15, 2001) */
+ /* ECC curves from draft-ietf-tls-ecc-01.txt (Mar 15, 2001)
+ * (no changes in draft-ietf-tls-ecc-03.txt [June 2003]) */
switch (nid) {
case NID_sect163k1: /* sect163k1 (1) */
return 1;
diff --git a/ssl/tls1.h b/ssl/tls1.h
index 7f4a2f3085..be15445384 100644
--- a/ssl/tls1.h
+++ b/ssl/tls1.h
@@ -131,6 +131,10 @@ extern "C" {
* suites to use 5B and 5C instead (this may change with future
* updates to the IETF draft).
*/
+/* draft-ietf-tls-ecc-03.txt (June 2003) gives a changed list of
+ * ciphersuites, but does not define numbers for all of them
+ * because of possible conflicts with other Internet Drafts;
+ * most numbers are still subject to change. */
#define TLS1_CK_ECDH_ECDSA_WITH_NULL_SHA 0x03000047
#define TLS1_CK_ECDH_ECDSA_WITH_RC4_128_SHA 0x03000048
#define TLS1_CK_ECDH_ECDSA_WITH_DES_CBC_SHA 0x03000049