[git] NTBTLS - branch, master, updated. ntbtls-0.1.1-4-g387f2fd

by Werner Koch cvs at cvs.gnupg.org
Mon Sep 18 22:57:25 CEST 2017 

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Not Too Bad TLS".

The branch, master has been updated
       via  387f2fda683bfa4e01c7ef5165c1f675ae2ff248 (commit)
       via  55071ab71133333ebabbf40ca872829dc9089bf7 (commit)
      from  455fbea598c528c17f6a961dbe52414fc845c0d9 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 387f2fda683bfa4e01c7ef5165c1f675ae2ff248
Author: Werner Koch <wk at gnupg.org>
Date:   Mon Sep 18 20:05:26 2017 +0200

    Support the other two NIST curves and their Brainpool counterparts.
    
    * src/ecdh.c (_ntbtls_ecdh_read_params): Add new curves.
    * src/protocol-cli.c (write_supported_elliptic_curves_ext): Ditto.
    --
    
    GnuPG-bug-id: 3411
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/src/ecdh.c b/src/ecdh.c
index da7e5a2..85b58f0 100644
--- a/src/ecdh.c
+++ b/src/ecdh.c
@@ -108,13 +108,21 @@ _ntbtls_ecdh_read_params (ecdh_context_t ecdh,
     return gpg_error (GPG_ERR_UNKNOWN_CURVE);
   der++;
   derlen--;
-  /* And only the secp256r1 curve (23).  */
-  if (buf16_to_uint (der) != 23)
-    return gpg_error (GPG_ERR_UNKNOWN_CURVE);
+
+  switch (buf16_to_uint (der))
+    {
+    case 23: ecdh->curve_name = "secp256r1"; break;
+    case 24: ecdh->curve_name = "secp384r1"; break;
+    case 25: ecdh->curve_name = "secp521r1"; break;
+    case 26: ecdh->curve_name = "brainpoolP256r1"; break;
+    case 27: ecdh->curve_name = "brainpoolP384r1"; break;
+    case 28: ecdh->curve_name = "brainpoolP512r1"; break;
+    default:
+      return gpg_error (GPG_ERR_UNKNOWN_CURVE);
+    }
   der += 2;
   derlen -= 2;
 
-  ecdh->curve_name = "secp256r1";
   err = gcry_mpi_ec_new (&ecdh->ecctx, NULL, ecdh->curve_name);
   if (err)
     return err;
diff --git a/src/protocol-cli.c b/src/protocol-cli.c
index 54e8244..f34a7a0 100644
--- a/src/protocol-cli.c
+++ b/src/protocol-cli.c
@@ -195,9 +195,19 @@ write_supported_elliptic_curves_ext (ntbtls_t tls,
 
   debug_msg (3, "client hello, adding supported_elliptic_curves extension");
 
-  /* We only support curve secp256r1 (23).  */
+  /* The 6 curves we support; see _ntbtls_ecdh_read_params.  */
   elliptic_curve_list[elliptic_curve_len++] = 0;
   elliptic_curve_list[elliptic_curve_len++] = 23;
+  elliptic_curve_list[elliptic_curve_len++] = 0;
+  elliptic_curve_list[elliptic_curve_len++] = 24;
+  elliptic_curve_list[elliptic_curve_len++] = 0;
+  elliptic_curve_list[elliptic_curve_len++] = 25;
+  elliptic_curve_list[elliptic_curve_len++] = 0;
+  elliptic_curve_list[elliptic_curve_len++] = 26;
+  elliptic_curve_list[elliptic_curve_len++] = 0;
+  elliptic_curve_list[elliptic_curve_len++] = 27;
+  elliptic_curve_list[elliptic_curve_len++] = 0;
+  elliptic_curve_list[elliptic_curve_len++] = 28;
 
   *p++ = (unsigned char) ((TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8) & 0xFF);
   *p++ = (unsigned char) ((TLS_EXT_SUPPORTED_ELLIPTIC_CURVES) & 0xFF);

commit 55071ab71133333ebabbf40ca872829dc9089bf7
Author: Werner Koch <wk at gnupg.org>
Date:   Mon Sep 18 22:02:07 2017 +0200

    Print "handshake failure" debug msg for the the 2:40 alert.
    
    * src/protocol.c (_ntbtls_read_record): Explain error message.
    
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/src/protocol.c b/src/protocol.c
index 658cdbd..147c5c3 100644
--- a/src/protocol.c
+++ b/src/protocol.c
@@ -1706,6 +1706,15 @@ read_record_header:
         {
           debug_msg (1, "is a fatal alert message (msg %d)",
                      tls->in_msg[1]);
+          switch (tls->in_msg[1])
+            {
+            case TLS_ALERT_MSG_HANDSHAKE_FAILURE:
+              debug_msg (1, "(handshake failed)");
+              break;
+            default:
+              break;
+            }
+
           /**
            * Subtract from error code as tls->in_msg[1] is 7-bit positive
            * error identifier.

-----------------------------------------------------------------------

Summary of changes:
 src/ecdh.c         | 16 ++++++++++++----
 src/protocol-cli.c | 12 +++++++++++-
 src/protocol.c     |  9 +++++++++
 3 files changed, 32 insertions(+), 5 deletions(-)


hooks/post-receive
-- 
Not Too Bad TLS
http://git.gnupg.org

More information about the Gnupg-commits mailing list