From 1cb5d3ccbbcee7bdfddc42c67cbd271fb1fc95be Mon Sep 17 00:00:00 2001
From: "wtchang%redhat.com"
 <wtchang%redhat.com@18797224-902f-48f8-a5cc-f745e15eee43>
Date: Fri, 8 Dec 2006 22:37:29 +0000
Subject: [PATCH] Bugzilla Bug 363073: verify that the peer's ephemeral public
 key is the type we expect before using it.  r=nelsonb Modified Files:
 ssl3con.c ssl3ecc.c

git-svn-id: svn://10.0.0.236/trunk@216773 18797224-902f-48f8-a5cc-f745e15eee43
---
 mozilla/security/nss/lib/ssl/ssl3con.c | 6 +++++-
 mozilla/security/nss/lib/ssl/ssl3ecc.c | 6 +++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/ssl/ssl3con.c
index 9409d634d02..65e11cdbe71 100644
--- a/mozilla/security/nss/lib/ssl/ssl3con.c
+++ b/mozilla/security/nss/lib/ssl/ssl3con.c
@@ -39,7 +39,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: ssl3con.c,v 1.98 2006-10-09 22:26:44 alexei.volkov.bugs%sun.com Exp $ */
+/* $Id: ssl3con.c,v 1.99 2006-12-08 22:37:29 wtchang%redhat.com Exp $ */
 
 #include "nssrenam.h"
 #include "cert.h"
@@ -4195,6 +4195,10 @@ sendDHClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
 
     /* Copy DH parameters from server key */
 
+    if (svrPubKey->keyType != dhKey) {
+	PORT_SetError(SEC_ERROR_BAD_KEY);
+	goto loser;
+    }
     dhParam.prime.data = svrPubKey->u.dh.prime.data;
     dhParam.prime.len = svrPubKey->u.dh.prime.len;
     dhParam.base.data = svrPubKey->u.dh.base.data;
diff --git a/mozilla/security/nss/lib/ssl/ssl3ecc.c b/mozilla/security/nss/lib/ssl/ssl3ecc.c
index f45c72d6cec..8c2ab6b2669 100644
--- a/mozilla/security/nss/lib/ssl/ssl3ecc.c
+++ b/mozilla/security/nss/lib/ssl/ssl3ecc.c
@@ -40,7 +40,7 @@
  * ***** END LICENSE BLOCK ***** */
 
 /* ECC code moved here from ssl3con.c */
-/* $Id: ssl3ecc.c,v 1.17 2006-12-06 23:00:17 wtchang%redhat.com Exp $ */
+/* $Id: ssl3ecc.c,v 1.18 2006-12-08 22:37:29 wtchang%redhat.com Exp $ */
 
 #include "nssrenam.h"
 #include "nss.h"
@@ -346,6 +346,10 @@ ssl3_SendECDHClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
     isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
 
     /* Generate ephemeral EC keypair */
+    if (svrPubKey->keyType != ecKey) {
+	PORT_SetError(SEC_ERROR_BAD_KEY);
+	goto loser;
+    }
     /* XXX SHOULD CALL ssl3_CreateECDHEphemeralKeys here, instead! */
     privKey = SECKEY_CreateECPrivateKey(&svrPubKey->u.ec.DEREncodedParams, 
 	                                &pubKey, NULL);