summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorjsing <>2016-11-06 13:35:32 +0000
committerjsing <>2016-11-06 13:35:32 +0000
commit711cbee72a1d7fbbf56d4a876b5b67ee4286aefe (patch)
tree083aff3ab42fcdd9512df4b67c1ee741132ed393
parentbc7d34eca2f9f4525629e595beb4e0cd3a197d06 (diff)
downloadopenbsd-711cbee72a1d7fbbf56d4a876b5b67ee4286aefe.tar.gz
openbsd-711cbee72a1d7fbbf56d4a876b5b67ee4286aefe.tar.bz2
openbsd-711cbee72a1d7fbbf56d4a876b5b67ee4286aefe.zip
Split out the DHE and ECDHE code paths from
ssl3_send_server_key_exchange(). ok beck@ bcook@
Diffstat
-rw-r--r--src/lib/libssl/s3_srvr.c424
1 files changed, 221 insertions, 203 deletions
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 2c11d14912..9daed0b52a 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_srvr.c,v 1.129 2016/11/05 19:03:39 jsing Exp $ */ 1/* $OpenBSD: s3_srvr.c,v 1.130 2016/11/06 13:35:32 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1170,21 +1170,230 @@ ssl3_send_server_done(SSL *s)
1170} 1170}
1171 1171
1172int 1172int
1173ssl3_send_server_key_exchange(SSL *s) 1173ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)
1174{ 1174{
1175 CBB cbb, dh_p, dh_g, dh_Ys, ecpoint; 1175 CBB dh_p, dh_g, dh_Ys;
1176 unsigned char *data, *params = NULL;
1177 size_t params_len;
1178 unsigned char *q;
1179 int j, num;
1180 unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
1181 unsigned int u;
1182 DH *dh = NULL, *dhp; 1176 DH *dh = NULL, *dhp;
1177 unsigned char *data;
1178 int al;
1179
1180 if (s->cert->dh_tmp_auto != 0) {
1181 if ((dhp = ssl_get_auto_dh(s)) == NULL) {
1182 al = SSL_AD_INTERNAL_ERROR;
1183 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1184 ERR_R_INTERNAL_ERROR);
1185 goto f_err;
1186 }
1187 } else
1188 dhp = s->cert->dh_tmp;
1189
1190 if (dhp == NULL && s->cert->dh_tmp_cb != NULL)
1191 dhp = s->cert->dh_tmp_cb(s, 0,
1192 SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher));
1193
1194 if (dhp == NULL) {
1195 al = SSL_AD_HANDSHAKE_FAILURE;
1196 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1197 SSL_R_MISSING_TMP_DH_KEY);
1198 goto f_err;
1199 }
1200
1201 if (s->s3->tmp.dh != NULL) {
1202 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1203 ERR_R_INTERNAL_ERROR);
1204 goto err;
1205 }
1206
1207 if (s->cert->dh_tmp_auto != 0) {
1208 dh = dhp;
1209 } else if ((dh = DHparams_dup(dhp)) == NULL) {
1210 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB);
1211 goto err;
1212 }
1213 s->s3->tmp.dh = dh;
1214 if (!DH_generate_key(dh)) {
1215 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB);
1216 goto err;
1217 }
1218
1219 /*
1220 * Serialize the DH parameters and public key.
1221 */
1222 if (!CBB_add_u16_length_prefixed(cbb, &dh_p))
1223 goto err;
1224 if (!CBB_add_space(&dh_p, &data, BN_num_bytes(dh->p)))
1225 goto err;
1226 BN_bn2bin(dh->p, data);
1227
1228 if (!CBB_add_u16_length_prefixed(cbb, &dh_g))
1229 goto err;
1230 if (!CBB_add_space(&dh_g, &data, BN_num_bytes(dh->g)))
1231 goto err;
1232 BN_bn2bin(dh->g, data);
1233
1234 if (!CBB_add_u16_length_prefixed(cbb, &dh_Ys))
1235 goto err;
1236 if (!CBB_add_space(&dh_Ys, &data, BN_num_bytes(dh->pub_key)))
1237 goto err;
1238 BN_bn2bin(dh->pub_key, data);
1239
1240 if (!CBB_flush(cbb))
1241 goto err;
1242
1243 return (1);
1244
1245 f_err:
1246 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1247 err:
1248 return (-1);
1249}
1250
1251int
1252ssl3_send_server_kex_ecdhe(SSL *s, CBB *cbb)
1253{
1254 CBB ecpoint;
1255 unsigned char *data;
1183 EC_KEY *ecdh = NULL, *ecdhp; 1256 EC_KEY *ecdh = NULL, *ecdhp;
1257 const EC_GROUP *group;
1184 unsigned char *encodedPoint = NULL; 1258 unsigned char *encodedPoint = NULL;
1185 int encodedlen = 0; 1259 int encodedlen = 0;
1186 int curve_id = 0; 1260 int curve_id = 0;
1187 BN_CTX *bn_ctx = NULL; 1261 BN_CTX *bn_ctx = NULL;
1262 int al;
1263
1264 ecdhp = s->cert->ecdh_tmp;
1265 if (s->cert->ecdh_tmp_auto != 0) {
1266 int nid = tls1_get_shared_curve(s);
1267 if (nid != NID_undef)
1268 ecdhp = EC_KEY_new_by_curve_name(nid);
1269 } else if (ecdhp == NULL && s->cert->ecdh_tmp_cb != NULL) {
1270 ecdhp = s->cert->ecdh_tmp_cb(s, 0,
1271 SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher));
1272 }
1273 if (ecdhp == NULL) {
1274 al = SSL_AD_HANDSHAKE_FAILURE;
1275 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1276 SSL_R_MISSING_TMP_ECDH_KEY);
1277 goto f_err;
1278 }
1279
1280 if (s->s3->tmp.ecdh != NULL) {
1281 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1282 ERR_R_INTERNAL_ERROR);
1283 goto err;
1284 }
1285
1286 /* Duplicate the ECDH structure. */
1287 if (s->cert->ecdh_tmp_auto != 0) {
1288 ecdh = ecdhp;
1289 } else if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) {
1290 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1291 ERR_R_ECDH_LIB);
1292 goto err;
1293 }
1294 s->s3->tmp.ecdh = ecdh;
1295
1296 if ((EC_KEY_get0_public_key(ecdh) == NULL) ||
1297 (EC_KEY_get0_private_key(ecdh) == NULL) ||
1298 (s->options & SSL_OP_SINGLE_ECDH_USE)) {
1299 if (!EC_KEY_generate_key(ecdh)) {
1300 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1301 ERR_R_ECDH_LIB);
1302 goto err;
1303 }
1304 }
1305
1306 if (((group = EC_KEY_get0_group(ecdh)) == NULL) ||
1307 (EC_KEY_get0_public_key(ecdh) == NULL) ||
1308 (EC_KEY_get0_private_key(ecdh) == NULL)) {
1309 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1310 ERR_R_ECDH_LIB);
1311 goto err;
1312 }
1313
1314 /*
1315 * Only named curves are supported in ECDH ephemeral key exchanges.
1316 * For supported named curves, curve_id is non-zero.
1317 */
1318 if ((curve_id = tls1_ec_nid2curve_id(
1319 EC_GROUP_get_curve_name(group))) == 0) {
1320 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1321 SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
1322 goto err;
1323 }
1324
1325 /*
1326 * Encode the public key. First check the size of encoding and
1327 * allocate memory accordingly.
1328 */
1329 encodedlen = EC_POINT_point2oct(group, EC_KEY_get0_public_key(ecdh),
1330 POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL);
1331
1332 encodedPoint = malloc(encodedlen);
1333
1334 bn_ctx = BN_CTX_new();
1335 if ((encodedPoint == NULL) || (bn_ctx == NULL)) {
1336 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1337 ERR_R_MALLOC_FAILURE);
1338 goto err;
1339 }
1340
1341 encodedlen = EC_POINT_point2oct(group, EC_KEY_get0_public_key(ecdh),
1342 POINT_CONVERSION_UNCOMPRESSED, encodedPoint, encodedlen, bn_ctx);
1343
1344 if (encodedlen == 0) {
1345 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
1346 goto err;
1347 }
1348
1349 BN_CTX_free(bn_ctx);
1350 bn_ctx = NULL;
1351
1352 /*
1353 * Only named curves are supported in ECDH ephemeral key exchanges.
1354 * In this case the ServerKeyExchange message has:
1355 * [1 byte CurveType], [2 byte CurveName]
1356 * [1 byte length of encoded point], followed by
1357 * the actual encoded point itself.
1358 */
1359 if (!CBB_add_u8(cbb, NAMED_CURVE_TYPE))
1360 goto err;
1361 if (!CBB_add_u16(cbb, curve_id))
1362 goto err;
1363 if (!CBB_add_u8_length_prefixed(cbb, &ecpoint))
1364 goto err;
1365 if (!CBB_add_space(&ecpoint, &data, encodedlen))
1366 goto err;
1367
1368 memcpy(data, encodedPoint, encodedlen);
1369
1370 free(encodedPoint);
1371 encodedPoint = NULL;
1372
1373 if (!CBB_flush(cbb))
1374 goto err;
1375
1376 return (1);
1377
1378 f_err:
1379 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1380 err:
1381 free(encodedPoint);
1382 BN_CTX_free(bn_ctx);
1383
1384 return (-1);
1385}
1386
1387int
1388ssl3_send_server_key_exchange(SSL *s)
1389{
1390 CBB cbb;
1391 unsigned char *params = NULL;
1392 size_t params_len;
1393 unsigned char *q;
1394 int j, num;
1395 unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
1396 unsigned int u;
1188 EVP_PKEY *pkey; 1397 EVP_PKEY *pkey;
1189 const EVP_MD *md = NULL; 1398 const EVP_MD *md = NULL;
1190 unsigned char *p, *d; 1399 unsigned char *p, *d;
@@ -1208,202 +1417,12 @@ ssl3_send_server_key_exchange(SSL *s)
1208 if (!CBB_init(&cbb, 0)) 1417 if (!CBB_init(&cbb, 0))
1209 goto err; 1418 goto err;
1210 1419
1211 n = 0;
1212 if (type & SSL_kDHE) { 1420 if (type & SSL_kDHE) {
1213 if (s->cert->dh_tmp_auto != 0) { 1421 if (ssl3_send_server_kex_dhe(s, &cbb) != 1)
1214 if ((dhp = ssl_get_auto_dh(s)) == NULL) {
1215 al = SSL_AD_INTERNAL_ERROR;
1216 SSLerr(
1217 SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1218 ERR_R_INTERNAL_ERROR);
1219 goto f_err;
1220 }
1221 } else
1222 dhp = cert->dh_tmp;
1223
1224 if (dhp == NULL && s->cert->dh_tmp_cb != NULL)
1225 dhp = s->cert->dh_tmp_cb(s, 0,
1226 SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher));
1227
1228 if (dhp == NULL) {
1229 al = SSL_AD_HANDSHAKE_FAILURE;
1230 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1231 SSL_R_MISSING_TMP_DH_KEY);
1232 goto f_err;
1233 }
1234
1235 if (s->s3->tmp.dh != NULL) {
1236 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1237 ERR_R_INTERNAL_ERROR);
1238 goto err; 1422 goto err;
1239 }
1240
1241 if (s->cert->dh_tmp_auto != 0) {
1242 dh = dhp;
1243 } else if ((dh = DHparams_dup(dhp)) == NULL) {
1244 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1245 ERR_R_DH_LIB);
1246 goto err;
1247 }
1248 s->s3->tmp.dh = dh;
1249 if (!DH_generate_key(dh)) {
1250 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1251 ERR_R_DH_LIB);
1252 goto err;
1253 }
1254
1255 /*
1256 * Serialize the DH parameters and public key.
1257 */
1258 if (!CBB_add_u16_length_prefixed(&cbb, &dh_p))
1259 goto err;
1260 if (!CBB_add_space(&dh_p, &data, BN_num_bytes(dh->p)))
1261 goto err;
1262 BN_bn2bin(dh->p, data);
1263
1264 if (!CBB_add_u16_length_prefixed(&cbb, &dh_g))
1265 goto err;
1266 if (!CBB_add_space(&dh_g, &data, BN_num_bytes(dh->g)))
1267 goto err;
1268 BN_bn2bin(dh->g, data);
1269
1270 if (!CBB_add_u16_length_prefixed(&cbb, &dh_Ys))
1271 goto err;
1272 if (!CBB_add_space(&dh_Ys, &data, BN_num_bytes(dh->pub_key)))
1273 goto err;
1274 BN_bn2bin(dh->pub_key, data);
1275
1276 } else if (type & SSL_kECDHE) { 1423 } else if (type & SSL_kECDHE) {
1277 const EC_GROUP *group; 1424 if (ssl3_send_server_kex_ecdhe(s, &cbb) != 1)
1278
1279 ecdhp = cert->ecdh_tmp;
1280 if (s->cert->ecdh_tmp_auto != 0) {
1281 int nid = tls1_get_shared_curve(s);
1282 if (nid != NID_undef)
1283 ecdhp = EC_KEY_new_by_curve_name(nid);
1284 } else if (ecdhp == NULL &&
1285 s->cert->ecdh_tmp_cb != NULL) {
1286 ecdhp = s->cert->ecdh_tmp_cb(s, 0,
1287 SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher));
1288 }
1289 if (ecdhp == NULL) {
1290 al = SSL_AD_HANDSHAKE_FAILURE;
1291 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1292 SSL_R_MISSING_TMP_ECDH_KEY);
1293 goto f_err;
1294 }
1295
1296 if (s->s3->tmp.ecdh != NULL) {
1297 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1298 ERR_R_INTERNAL_ERROR);
1299 goto err;
1300 }
1301
1302 /* Duplicate the ECDH structure. */
1303 if (s->cert->ecdh_tmp_auto != 0) {
1304 ecdh = ecdhp;
1305 } else if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) {
1306 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1307 ERR_R_ECDH_LIB);
1308 goto err;
1309 }
1310 s->s3->tmp.ecdh = ecdh;
1311
1312 if ((EC_KEY_get0_public_key(ecdh) == NULL) ||
1313 (EC_KEY_get0_private_key(ecdh) == NULL) ||
1314 (s->options & SSL_OP_SINGLE_ECDH_USE)) {
1315 if (!EC_KEY_generate_key(ecdh)) {
1316 SSLerr(
1317 SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1318 ERR_R_ECDH_LIB);
1319 goto err;
1320 }
1321 }
1322
1323 if (((group = EC_KEY_get0_group(ecdh)) == NULL) ||
1324 (EC_KEY_get0_public_key(ecdh) == NULL) ||
1325 (EC_KEY_get0_private_key(ecdh) == NULL)) {
1326 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1327 ERR_R_ECDH_LIB);
1328 goto err;
1329 }
1330
1331 /*
1332 * XXX: For now, we only support ephemeral ECDH
1333 * keys over named (not generic) curves. For
1334 * supported named curves, curve_id is non-zero.
1335 */
1336 if ((curve_id = tls1_ec_nid2curve_id(
1337 EC_GROUP_get_curve_name(group))) == 0) {
1338 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1339 SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
1340 goto err;
1341 }
1342
1343 /*
1344 * Encode the public key.
1345 * First check the size of encoding and
1346 * allocate memory accordingly.
1347 */
1348 encodedlen = EC_POINT_point2oct(group,
1349 EC_KEY_get0_public_key(ecdh),
1350 POINT_CONVERSION_UNCOMPRESSED,
1351 NULL, 0, NULL);
1352
1353 encodedPoint = malloc(encodedlen);
1354
1355 bn_ctx = BN_CTX_new();
1356 if ((encodedPoint == NULL) || (bn_ctx == NULL)) {
1357 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1358 ERR_R_MALLOC_FAILURE);
1359 goto err;
1360 }
1361
1362
1363 encodedlen = EC_POINT_point2oct(group,
1364 EC_KEY_get0_public_key(ecdh),
1365 POINT_CONVERSION_UNCOMPRESSED,
1366 encodedPoint, encodedlen, bn_ctx);
1367
1368 if (encodedlen == 0) {
1369 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1370 ERR_R_ECDH_LIB);
1371 goto err; 1425 goto err;
1372 }
1373
1374 BN_CTX_free(bn_ctx);
1375 bn_ctx = NULL;
1376
1377 /*
1378 * XXX: For now, we only support named (not
1379 * generic) curves in ECDH ephemeral key exchanges.
1380 * In this situation, we need four additional bytes
1381 * to encode the entire ServerECDHParams
1382 * structure.
1383 */
1384 n = 4 + encodedlen;
1385
1386 /*
1387 * XXX: For now, we only support named (not generic)
1388 * curves.
1389 * In this situation, the serverKeyExchange message has:
1390 * [1 byte CurveType], [2 byte CurveName]
1391 * [1 byte length of encoded point], followed by
1392 * the actual encoded point itself
1393 */
1394 if (!CBB_add_u8(&cbb, NAMED_CURVE_TYPE))
1395 goto err;
1396 if (!CBB_add_u16(&cbb, curve_id))
1397 goto err;
1398 if (!CBB_add_u8_length_prefixed(&cbb, &ecpoint))
1399 goto err;
1400 if (!CBB_add_space(&ecpoint, &data, encodedlen))
1401 goto err;
1402 memcpy(data, encodedPoint, encodedlen);
1403
1404 free(encodedPoint);
1405 encodedPoint = NULL;
1406
1407 } else { 1426 } else {
1408 al = SSL_AD_HANDSHAKE_FAILURE; 1427 al = SSL_AD_HANDSHAKE_FAILURE;
1409 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, 1428 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
@@ -1437,6 +1456,7 @@ ssl3_send_server_key_exchange(SSL *s)
1437 SSL3_MT_SERVER_KEY_EXCHANGE); 1456 SSL3_MT_SERVER_KEY_EXCHANGE);
1438 1457
1439 memcpy(p, params, params_len); 1458 memcpy(p, params, params_len);
1459
1440 free(params); 1460 free(params);
1441 params = NULL; 1461 params = NULL;
1442 1462
@@ -1532,8 +1552,6 @@ ssl3_send_server_key_exchange(SSL *s)
1532 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1552 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1533 err: 1553 err:
1534 free(params); 1554 free(params);
1535 free(encodedPoint);
1536 BN_CTX_free(bn_ctx);
1537 EVP_MD_CTX_cleanup(&md_ctx); 1555 EVP_MD_CTX_cleanup(&md_ctx);
1538 CBB_cleanup(&cbb); 1556 CBB_cleanup(&cbb);
1539 1557
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-24 11:53:01 +0000