Closed Bug 195135 Opened 21 years ago Closed 21 years ago

Add support for Elliptic Curve Cryptography to NSS & SSL


(NSS :: Libraries, enhancement, P2)



(Not tracked)



(Reporter: nelson, Assigned: nelson)





(2 files)

Add ECC to NSS in freebl (blapi), softoken, pk11wrap and libSSL to implement 
all or part of the Internet Draft draft-ietf-tls-ecc-02.txt
Marking P2 for NSS 3.8.  Highly desirable, not must have.  

Sun Labs has contributed code to implement this.   
The contribution is being reviewed and tested now.  
It consists of 5 new sources files and a large patch to other files in NSS.
The 5 new source files are:
Patch forthcoming.
Priority: -- → P2
Target Milestone: --- → 3.8
New code is checked in.  The tree has gone green.  Marking this fixed.

The new code implements numerous new ciphersuites, including:

    TLS_ECDH_ECDSA_WITH_NULL_SHA,               /* G */
    TLS_ECDH_ECDSA_WITH_RC4_128_SHA,            /* H */
    TLS_ECDH_ECDSA_WITH_DES_CBC_SHA,            /* I */
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,        /* K */
    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,        /* L */
    TLS_ECDH_RSA_WITH_NULL_SHA,                 /* M */
    TLS_ECDH_RSA_WITH_RC4_128_SHA,              /* N */
    TLS_ECDH_RSA_WITH_DES_CBC_SHA,              /* O */
    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,         /* P */
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,          /* Q */
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,          /* R */
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,       /* S */
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,         /* T */

Only the last of these is implemented for both client and server. 
The others are all client-side only at present.

This implementation presently supports only the subset of the Elliptic Curves 
named in the draft cited above.  It supports only the curves over integer
prime fields, not curves over polynomial fields.  An NSS-based client can
interoperate with an OpenSSL-based server when the server uses a curve that
is supported by NSS.

The existing draft for ECC support in TLS does not provide for negotiation 
of supported curves.  An implementation (such as this one) that does not 
support all the curves defined in that draft is likely to have 
interoperability problems with other implementations that do support them
all.  When a server chooses and uses a curve that is not supported by the 
client, the TLS handshake fails completely.  The client's only recourse 
is to disable the ECC ciphersuites and try again.  Therefore, I recommend 
that all the elliptic curve TLS cipher suites be disabled by default in any
client, and only enabled by people who understand how to deal with any
interoperability problems that may occur.  

Hopefully, curve negotiation will be added to the next draft of the spec 
for ECC TLS.  (Note that the current draft expired yesterday.)

Note that most of the ECC code is conditionally compiled.  To enable it in 
an NSS build, define the environment variable XCFLAGS, and set it to the 
value -DNSS_ENABLE_ECC .  For NSS 3.8, the QA'ed binary shared libraries
will not have ECC enabled.  Others building NSS from sources are free to 
enable it.  
Closed: 21 years ago
Resolution: --- → FIXED
This patch contains the changes contributed by 
Vipul Gupta <Vipul.Gupta@Sun.COM>
that enable the new GF2m code that was previously contributed by 
Sheueling Chang Shantz <> and
Douglas Stebila <>, Sun Microsystems Laboratories

Checked into NSS 3.8 (trunk) today.
You need to log in before you can comment on or make changes to this bug.