Closed Bug 1303648 Opened 8 years ago Closed 8 years ago

Only enable EC groups that are supported by the token

Categories

(NSS :: Libraries, defect)

Product:
NSS
Component:
Libraries
Version:
3.27
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: mt, Assigned: mt)

Details

Attachments

(1 obsolete file) 

We discovered that the only part of softtoken that knows about keys is the bit that imports a key.  Therefore, if we import a key of a specific type, then it will succeed if the group is supported and fail otherwise.  We can use this to detect what groups are available to us.

Unfortunately, this is a little involved and probably slow, so it's probably best to only do this once.

This can be replaced by something less kludgy if PKCS#11 ever gets a better way to enumerate support for named groups.
Attached patch bug1303648-2.patch (obsolete) — Splinter Review 
Not sure why we are getting some of the curves show up as being present when they shouldn't be.  Investigation required, but that shouldn't stop this from getting a first pass.
Assignee: nobody → martin.thomson
Attachment #8792461 - Flags: review?(rrelyea)
Attachment #8792461 - Flags: review?(franziskuskiefer)
Comment on attachment 8792461 [details] [diff] [review]
bug1303648-2.patch

Review of attachment 8792461 [details] [diff] [review]:
-----------------------------------------------------------------

lgtm

::: lib/ssl/filterec.c
@@ +9,5 @@
> +#include "pk11func.h"
> +#include "ssl.h"
> +#include "sslimpl.h"
> +
> +/* This table contains valid public keys for each of the support EC groups we

... supported EC groups we support.

@@ +17,5 @@
> +    SSLNamedGroup name;
> +    const PRUint8 data[145];
> +    unsigned int len;
> +} ssl_test_public_keys[SSL_NAMED_GROUP_COUNT] = {
> +    { ssl_grp_ec_secp256r1,

add 25519

::: lib/ssl/ssl3ecc.c
@@ +64,5 @@
>  
> +    PORT_Assert(params);
> +    PORT_Assert(ecGroup);
> +    PORT_Assert(ecGroup->type == group_type_ec);
> +    if ((oidData = SECOID_FindOIDByTag(ecGroup->oidTag)) == NULL) {

I think we should keep those null checks. opt builds can run in a null ecGroup here otherwise.
Attachment #8792461 - Flags: review?(franziskuskiefer) → review+
Reviewed here: https://nss-dev.phacility.com/D6

https://hg.mozilla.org/projects/nss/rev/0f1a09d967b3
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.28
Comment on attachment 8792461 [details] [diff] [review]
bug1303648-2.patch

Overtaken by events.  This isn't that great.
Attachment #8792461 - Attachment is obsolete: true
Attachment #8792461 - Flags: review?(rrelyea)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: