Add support for TLSv1.3 key shares with secp256r1 and secp384r1 groups.

ok inoguchi@ tb@
author: jsing <> 2020-02-04 18:06:26 +0000
committer: jsing <> 2020-02-04 18:06:26 +0000
commit: 55e955577ce91cf9355af5e89ceb0e839a704456 (patch)
tree: 99b2819753242cb6779e4bed47311ae633ca0077
parent: 6041dfa614c5e169b07a97efb50f07ee9b27b3b3 (diff)
download: openbsd-55e955577ce91cf9355af5e89ceb0e839a704456.tar.gz
openbsd-55e955577ce91cf9355af5e89ceb0e839a704456.tar.bz2
openbsd-55e955577ce91cf9355af5e89ceb0e839a704456.zip
1 files changed, 98 insertions, 5 deletions
diff --git a/src/lib/libssl/tls13_key_share.c b/src/lib/libssl/tls13_key_share.c
index 3fe38ecc37..c38a3e3cb8 100644
--- a/src/lib/libssl/tls13_key_share.c
+++ b/src/lib/libssl/tls13_key_share.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_key_share.c,v 1.2 2020/02/01 12:41:58 jsing Exp $ */
+/* $OpenBSD: tls13_key_share.c,v 1.3 2020/02/04 18:06:26 jsing Exp $ */
 /*
 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
 *
@@ -27,6 +27,9 @@ struct tls13_key_share {
        int nid;
        uint16_t group_id;
+        EC_KEY *ecdhe;
+        EC_KEY *ecdhe_peer;
        uint8_t *x25519_public;
        uint8_t *x25519_private;
        uint8_t *x25519_peer_public;
@@ -59,6 +62,9 @@ tls13_key_share_free(struct tls13_key_share *ks)
        if (ks == NULL)
                return;
+        EC_KEY_free(ks->ecdhe);
+        EC_KEY_free(ks->ecdhe_peer);
        freezero(ks->x25519_public, X25519_KEY_LENGTH);
        freezero(ks->x25519_private, X25519_KEY_LENGTH);
        freezero(ks->x25519_peer_public, X25519_KEY_LENGTH);
@@ -73,6 +79,31 @@ tls13_key_share_group(struct tls13_key_share *ks)
 }
 static int
+tls13_key_share_generate_ecdhe_ecp(struct tls13_key_share *ks)
+{
+        EC_KEY *ecdhe = NULL;
+        int ret = 0;
+        if (ks->ecdhe != NULL)
+                goto err;
+        if ((ecdhe = EC_KEY_new()) == NULL)
+                goto err;
+        if (!ssl_kex_generate_ecdhe_ecp(ecdhe, ks->nid))
+                goto err;
+        ks->ecdhe = ecdhe;
+        ecdhe = NULL;
+        ret = 1;
+ err:
+        EC_KEY_free(ecdhe);
+        return ret;
+}
+static int
 tls13_key_share_generate_x25519(struct tls13_key_share *ks)
 {
        uint8_t *public = NULL, *private = NULL;
@@ -105,13 +136,24 @@ tls13_key_share_generate_x25519(struct tls13_key_share *ks)
 int
 tls13_key_share_generate(struct tls13_key_share *ks)
 {
-        if (ks->nid == NID_X25519)
+        if (ks->nid == NID_X9_62_prime256v1 || ks->nid == NID_secp384r1)
+                return tls13_key_share_generate_ecdhe_ecp(ks);
+        else if (ks->nid == NID_X25519)
                return tls13_key_share_generate_x25519(ks);
        return 0;
 }
 static int
+tls13_key_share_public_ecdhe_ecp(struct tls13_key_share *ks, CBB *cbb)
+{
+        if (ks->ecdhe == NULL)
+                return 0;
+        return ssl_kex_public_ecdhe_ecp(ks->ecdhe, cbb);
+}
+static int
 tls13_key_share_public_x25519(struct tls13_key_share *ks, CBB *cbb)
 {
        if (ks->x25519_public == NULL)
@@ -130,7 +172,10 @@ tls13_key_share_public(struct tls13_key_share *ks, CBB *cbb)
        if (!CBB_add_u16_length_prefixed(cbb, &key_exchange))
                goto err;
-        if (ks->nid == NID_X25519) {
+        if (ks->nid == NID_X9_62_prime256v1 || ks->nid == NID_secp384r1) {
+                if (!tls13_key_share_public_ecdhe_ecp(ks, &key_exchange))
+                        goto err;
+        } else if (ks->nid == NID_X25519) {
                if (!tls13_key_share_public_x25519(ks, &key_exchange))
                        goto err;
        } else {
@@ -147,10 +192,38 @@ tls13_key_share_public(struct tls13_key_share *ks, CBB *cbb)
 }
 static int
+tls13_key_share_peer_public_ecdhe_ecp(struct tls13_key_share *ks, CBS *cbs)
+{
+        EC_KEY *ecdhe = NULL;
+        int ret = 0;
+        if (ks->ecdhe_peer != NULL)
+                goto err;
+        if ((ecdhe = EC_KEY_new()) == NULL)
+                goto err;
+        if (!ssl_kex_peer_public_ecdhe_ecp(ecdhe, ks->nid, cbs))
+                goto err;
+        ks->ecdhe_peer = ecdhe;
+        ecdhe = NULL;
+        ret = 1;
+ err:
+        EC_KEY_free(ecdhe);
+        return ret;
+}
+static int
 tls13_key_share_peer_public_x25519(struct tls13_key_share *ks, CBS *cbs)
 {
        size_t out_len;
+        if (ks->x25519_peer_public != NULL)
+                return 0;
        if (CBS_len(cbs) != X25519_KEY_LENGTH)
                return 0;
@@ -164,15 +237,31 @@ tls13_key_share_peer_public(struct tls13_key_share *ks, uint16_t group,
        if (ks->group_id != group)
                return 0;
-        if (ks->nid == NID_X25519) {
+        if (ks->nid == NID_X9_62_prime256v1 || ks->nid == NID_secp384r1) {
+                if (!tls13_key_share_peer_public_ecdhe_ecp(ks, cbs))
+                        return 0;
+        } else if (ks->nid == NID_X25519) {
                if (!tls13_key_share_peer_public_x25519(ks, cbs))
                        return 0;
+        } else {
+                return 0;
        }
        return 1;
 }
 static int
+tls13_key_share_derive_ecdhe_ecp(struct tls13_key_share *ks,
+    uint8_t **shared_key, size_t *shared_key_len)
+{
+        if (ks->ecdhe == NULL || ks->ecdhe_peer == NULL)
+                return 0;
+        return ssl_kex_derive_ecdhe_ecp(ks->ecdhe, ks->ecdhe_peer,
+            shared_key, shared_key_len);
+}
+static int
 tls13_key_share_derive_x25519(struct tls13_key_share *ks,
    uint8_t **shared_key, size_t *shared_key_len)
 {
@@ -208,9 +297,13 @@ tls13_key_share_derive(struct tls13_key_share *ks, uint8_t **shared_key,
        *shared_key_len = 0;
-        if (ks->nid == NID_X25519)
+        if (ks->nid == NID_X9_62_prime256v1 || ks->nid == NID_secp384r1) {
+                return tls13_key_share_derive_ecdhe_ecp(ks, shared_key,
+                    shared_key_len);
+        } else if (ks->nid == NID_X25519) {
                return tls13_key_share_derive_x25519(ks, shared_key,
                    shared_key_len);
+        }
        return 0;
 }
author	jsing <>	2020-02-04 18:06:26 +0000
committer	jsing <>	2020-02-04 18:06:26 +0000
commit	55e955577ce91cf9355af5e89ceb0e839a704456 (patch)
tree	99b2819753242cb6779e4bed47311ae633ca0077
parent	6041dfa614c5e169b07a97efb50f07ee9b27b3b3 (diff)
download	openbsd-55e955577ce91cf9355af5e89ceb0e839a704456.tar.gz openbsd-55e955577ce91cf9355af5e89ceb0e839a704456.tar.bz2 openbsd-55e955577ce91cf9355af5e89ceb0e839a704456.zip

diff --git a/src/lib/libssl/tls13_key_share.c b/src/lib/libssl/tls13_key_share.c index 3fe38ecc37..c38a3e3cb8 100644 --- a/src/lib/libssl/tls13_key_share.c +++ b/src/lib/libssl/tls13_key_share.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_key_share.c,v 1.2 2020/02/01 12:41:58 jsing Exp $ */	1	/* $OpenBSD: tls13_key_share.c,v 1.3 2020/02/04 18:06:26 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2020 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -27,6 +27,9 @@ struct tls13_key_share {
27	int nid;	27	int nid;
28	uint16_t group_id;	28	uint16_t group_id;
29		29
		30	EC_KEY *ecdhe;
		31	EC_KEY *ecdhe_peer;
		32
30	uint8_t *x25519_public;	33	uint8_t *x25519_public;
31	uint8_t *x25519_private;	34	uint8_t *x25519_private;
32	uint8_t *x25519_peer_public;	35	uint8_t *x25519_peer_public;
@@ -59,6 +62,9 @@ tls13_key_share_free(struct tls13_key_share *ks)
59	if (ks == NULL)	62	if (ks == NULL)
60	return;	63	return;
61		64
		65	EC_KEY_free(ks->ecdhe);
		66	EC_KEY_free(ks->ecdhe_peer);
		67
62	freezero(ks->x25519_public, X25519_KEY_LENGTH);	68	freezero(ks->x25519_public, X25519_KEY_LENGTH);
63	freezero(ks->x25519_private, X25519_KEY_LENGTH);	69	freezero(ks->x25519_private, X25519_KEY_LENGTH);
64	freezero(ks->x25519_peer_public, X25519_KEY_LENGTH);	70	freezero(ks->x25519_peer_public, X25519_KEY_LENGTH);
@@ -73,6 +79,31 @@ tls13_key_share_group(struct tls13_key_share *ks)
73	}	79	}
74		80
75	static int	81	static int
		82	tls13_key_share_generate_ecdhe_ecp(struct tls13_key_share *ks)
		83	{
		84	EC_KEY *ecdhe = NULL;
		85	int ret = 0;
		86
		87	if (ks->ecdhe != NULL)
		88	goto err;
		89
		90	if ((ecdhe = EC_KEY_new()) == NULL)
		91	goto err;
		92	if (!ssl_kex_generate_ecdhe_ecp(ecdhe, ks->nid))
		93	goto err;
		94
		95	ks->ecdhe = ecdhe;
		96	ecdhe = NULL;
		97
		98	ret = 1;
		99
		100	err:
		101	EC_KEY_free(ecdhe);
		102
		103	return ret;
		104	}
		105
		106	static int
76	tls13_key_share_generate_x25519(struct tls13_key_share *ks)	107	tls13_key_share_generate_x25519(struct tls13_key_share *ks)
77	{	108	{
78	uint8_t public = NULL, private = NULL;	109	uint8_t public = NULL, private = NULL;
@@ -105,13 +136,24 @@ tls13_key_share_generate_x25519(struct tls13_key_share *ks)
105	int	136	int
106	tls13_key_share_generate(struct tls13_key_share *ks)	137	tls13_key_share_generate(struct tls13_key_share *ks)
107	{	138	{
108	if (ks->nid == NID_X25519)	139	if (ks->nid == NID_X9_62_prime256v1 \|\| ks->nid == NID_secp384r1)
		140	return tls13_key_share_generate_ecdhe_ecp(ks);
		141	else if (ks->nid == NID_X25519)
109	return tls13_key_share_generate_x25519(ks);	142	return tls13_key_share_generate_x25519(ks);
110		143
111	return 0;	144	return 0;
112	}	145	}
113		146
114	static int	147	static int
		148	tls13_key_share_public_ecdhe_ecp(struct tls13_key_share ks, CBB cbb)
		149	{
		150	if (ks->ecdhe == NULL)
		151	return 0;
		152
		153	return ssl_kex_public_ecdhe_ecp(ks->ecdhe, cbb);
		154	}
		155
		156	static int
115	tls13_key_share_public_x25519(struct tls13_key_share ks, CBB cbb)	157	tls13_key_share_public_x25519(struct tls13_key_share ks, CBB cbb)
116	{	158	{
117	if (ks->x25519_public == NULL)	159	if (ks->x25519_public == NULL)
@@ -130,7 +172,10 @@ tls13_key_share_public(struct tls13_key_share ks, CBB cbb)
130	if (!CBB_add_u16_length_prefixed(cbb, &key_exchange))	172	if (!CBB_add_u16_length_prefixed(cbb, &key_exchange))
131	goto err;	173	goto err;
132		174
133	if (ks->nid == NID_X25519) {	175	if (ks->nid == NID_X9_62_prime256v1 \|\| ks->nid == NID_secp384r1) {
		176	if (!tls13_key_share_public_ecdhe_ecp(ks, &key_exchange))
		177	goto err;
		178	} else if (ks->nid == NID_X25519) {
134	if (!tls13_key_share_public_x25519(ks, &key_exchange))	179	if (!tls13_key_share_public_x25519(ks, &key_exchange))
135	goto err;	180	goto err;
136	} else {	181	} else {
@@ -147,10 +192,38 @@ tls13_key_share_public(struct tls13_key_share ks, CBB cbb)
147	}	192	}
148		193
149	static int	194	static int
		195	tls13_key_share_peer_public_ecdhe_ecp(struct tls13_key_share ks, CBS cbs)
		196	{
		197	EC_KEY *ecdhe = NULL;
		198	int ret = 0;
		199
		200	if (ks->ecdhe_peer != NULL)
		201	goto err;
		202
		203	if ((ecdhe = EC_KEY_new()) == NULL)
		204	goto err;
		205	if (!ssl_kex_peer_public_ecdhe_ecp(ecdhe, ks->nid, cbs))
		206	goto err;
		207
		208	ks->ecdhe_peer = ecdhe;
		209	ecdhe = NULL;
		210
		211	ret = 1;
		212
		213	err:
		214	EC_KEY_free(ecdhe);
		215
		216	return ret;
		217	}
		218
		219	static int
150	tls13_key_share_peer_public_x25519(struct tls13_key_share ks, CBS cbs)	220	tls13_key_share_peer_public_x25519(struct tls13_key_share ks, CBS cbs)
151	{	221	{
152	size_t out_len;	222	size_t out_len;
153		223
		224	if (ks->x25519_peer_public != NULL)
		225	return 0;
		226
154	if (CBS_len(cbs) != X25519_KEY_LENGTH)	227	if (CBS_len(cbs) != X25519_KEY_LENGTH)
155	return 0;	228	return 0;
156		229
@@ -164,15 +237,31 @@ tls13_key_share_peer_public(struct tls13_key_share *ks, uint16_t group,
164	if (ks->group_id != group)	237	if (ks->group_id != group)
165	return 0;	238	return 0;
166		239
167	if (ks->nid == NID_X25519) {	240	if (ks->nid == NID_X9_62_prime256v1 \|\| ks->nid == NID_secp384r1) {
		241	if (!tls13_key_share_peer_public_ecdhe_ecp(ks, cbs))
		242	return 0;
		243	} else if (ks->nid == NID_X25519) {
168	if (!tls13_key_share_peer_public_x25519(ks, cbs))	244	if (!tls13_key_share_peer_public_x25519(ks, cbs))
169	return 0;	245	return 0;
		246	} else {
		247	return 0;
170	}	248	}
171		249
172	return 1;	250	return 1;
173	}	251	}
174		252
175	static int	253	static int
		254	tls13_key_share_derive_ecdhe_ecp(struct tls13_key_share *ks,
		255	uint8_t *shared_key, size_t shared_key_len)
		256	{
		257	if (ks->ecdhe == NULL \|\| ks->ecdhe_peer == NULL)
		258	return 0;
		259
		260	return ssl_kex_derive_ecdhe_ecp(ks->ecdhe, ks->ecdhe_peer,
		261	shared_key, shared_key_len);
		262	}
		263
		264	static int
176	tls13_key_share_derive_x25519(struct tls13_key_share *ks,	265	tls13_key_share_derive_x25519(struct tls13_key_share *ks,
177	uint8_t *shared_key, size_t shared_key_len)	266	uint8_t *shared_key, size_t shared_key_len)
178	{	267	{
@@ -208,9 +297,13 @@ tls13_key_share_derive(struct tls13_key_share ks, uint8_t *shared_key,
208		297
209	*shared_key_len = 0;	298	*shared_key_len = 0;
210		299
211	if (ks->nid == NID_X25519)	300	if (ks->nid == NID_X9_62_prime256v1 \|\| ks->nid == NID_secp384r1) {
		301	return tls13_key_share_derive_ecdhe_ecp(ks, shared_key,
		302	shared_key_len);
		303	} else if (ks->nid == NID_X25519) {
212	return tls13_key_share_derive_x25519(ks, shared_key,	304	return tls13_key_share_derive_x25519(ks, shared_key,
213	shared_key_len);	305	shared_key_len);
		306	}
214		307
215	return 0;	308	return 0;
216	}	309	}