path: root/src/lib/libssl/ssl_srvr.c
authorjsing <>2020-01-30 16:25:09 +0000
committerjsing <>2020-01-30 16:25:09 +0000
commit1f07a6fc3b3b9d44b731e6cf17fd00b540758db8 (patch)
treec2c8df4a9c431efa5cc0db8ff09bf1be05c80c4e /src/lib/libssl/ssl_srvr.c
parent668fa98385559e6ca53555e32da8e7eb618f0d80 (diff)
Factor out/rewrite the ECDHE EC point key exchange code.
This reduces duplication between the existing TLS client and server code and allows the code to soon be reused for TLSv1.3. With feedback from inoguchi@ and tb@. ok inoguchi@ tb@
Diffstat (limited to 'src/lib/libssl/ssl_srvr.c')
-rw-r--r--src/lib/libssl/ssl_srvr.c98
1 files changed, 21 insertions, 77 deletions
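--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.70 2020/01/23 10:48:37 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.71 2020/01/30 16:25:09 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1347,12 +1347,7 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)
 static int
 ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb)
 {
- const EC_GROUP *group;
- const EC_POINT *pubkey;
- unsigned char *data;
- int encoded_len = 0;
  int curve_id = 0;
- BN_CTX *bn_ctx = NULL;
  EC_KEY *ecdh;
  CBB ecpoint;
  int al;
@@ -1371,39 +1366,20 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb)
  goto err;
  }
 
- if ((S3I(s)->tmp.ecdh = EC_KEY_new_by_curve_name(nid)) == NULL) {
+ if ((S3I(s)->tmp.ecdh = EC_KEY_new()) == NULL) {
  al = SSL_AD_HANDSHAKE_FAILURE;
  SSLerror(s, SSL_R_MISSING_TMP_ECDH_KEY);
  goto f_err;
  }
+ S3I(s)->tmp.ecdh_nid = nid;
  ecdh = S3I(s)->tmp.ecdh;
 
- if (!EC_KEY_generate_key(ecdh)) {
- SSLerror(s, ERR_R_ECDH_LIB);
- goto err;
- }
- if ((group = EC_KEY_get0_group(ecdh)) == NULL ||
- (pubkey = EC_KEY_get0_public_key(ecdh)) == NULL ||
- EC_KEY_get0_private_key(ecdh) == NULL) {
- SSLerror(s, ERR_R_ECDH_LIB);
+ if (!ssl_kex_generate_ecdhe_ecp(ecdh, nid))
  goto err;
- }
 
  /*
  * Encode the public key.
- */
- encoded_len = EC_POINT_point2oct(group, pubkey,
- POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL);
- if (encoded_len == 0) {
- SSLerror(s, ERR_R_ECDH_LIB);
- goto err;
- }
- if ((bn_ctx = BN_CTX_new()) == NULL) {
- SSLerror(s, ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- /*
+ *
  * Only named curves are supported in ECDH ephemeral key exchanges.
  * In this case the ServerKeyExchange message has:
  * [1 byte CurveType], [2 byte CurveName]
@@ -1416,25 +1392,16 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb)
  goto err;
  if (!CBB_add_u8_length_prefixed(cbb, &ecpoint))
  goto err;
- if (!CBB_add_space(&ecpoint, &data, encoded_len))
+ if (!ssl_kex_public_ecdhe_ecp(ecdh, &ecpoint))
  goto err;
- if (EC_POINT_point2oct(group, pubkey, POINT_CONVERSION_UNCOMPRESSED,
- data, encoded_len, bn_ctx) == 0) {
- SSLerror(s, ERR_R_ECDH_LIB);
- goto err;
- }
  if (!CBB_flush(cbb))
  goto err;
 
- BN_CTX_free(bn_ctx);
-
  return (1);
 
  f_err:
  ssl3_send_alert(s, SSL3_AL_FATAL, al);
  err:
- BN_CTX_free(bn_ctx);
-
  return (-1);
 }
 
@@ -1861,20 +1828,13 @@ ssl3_get_client_kex_dhe(SSL *s, CBS *cbs)
 static int
 ssl3_get_client_kex_ecdhe_ecp(SSL *s, CBS *cbs)
 {
- unsigned char *key = NULL;
- int key_size = 0, key_len;
- EC_POINT *point = NULL;
- BN_CTX *bn_ctx = NULL;
- const EC_GROUP *group;
+ uint8_t *key = NULL;
+ size_t key_len = 0;
+ EC_KEY *ecdh_peer = NULL;
  EC_KEY *ecdh;
  CBS public;
  int ret = -1;
 
- if (!CBS_get_u8_length_prefixed(cbs, &public))
- goto err;
- if (CBS_len(cbs) != 0)
- goto err;
-
  /*
  * Use the ephemeral values we saved when generating the
  * ServerKeyExchange message.
@@ -1883,54 +1843,38 @@ ssl3_get_client_kex_ecdhe_ecp(SSL *s, CBS *cbs)
  SSLerror(s, ERR_R_INTERNAL_ERROR);
  goto err;
  }
- group = EC_KEY_get0_group(ecdh);
 
  /*
  * Get client's public key from encoded point in the ClientKeyExchange
  * message.
  */
- if ((bn_ctx = BN_CTX_new()) == NULL) {
- SSLerror(s, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- if ((point = EC_POINT_new(group)) == NULL) {
- SSLerror(s, ERR_R_MALLOC_FAILURE);
+ if (!CBS_get_u8_length_prefixed(cbs, &public))
  goto err;
- }
- if (EC_POINT_oct2point(group, point, CBS_data(&public),
- CBS_len(&public), bn_ctx) == 0) {
- SSLerror(s, ERR_R_EC_LIB);
+ if (CBS_len(cbs) != 0)
  goto err;
- }
 
- /* Compute the shared pre-master secret */
- if ((key_size = ECDH_size(ecdh)) <= 0) {
- SSLerror(s, ERR_R_ECDH_LIB);
- goto err;
- }
- if ((key = malloc(key_size)) == NULL) {
- SSLerror(s, ERR_R_MALLOC_FAILURE);
+ if ((ecdh_peer = EC_KEY_new()) == NULL)
  goto err;
- }
- if ((key_len = ECDH_compute_key(key, key_size, point, ecdh,
- NULL)) <= 0) {
- SSLerror(s, ERR_R_ECDH_LIB);
+
+ if (!ssl_kex_peer_public_ecdhe_ecp(ecdh_peer, S3I(s)->tmp.ecdh_nid,
+ &public))
  goto err;
- }
 
- /* Compute the master secret */
+ /* Derive the shared secret and compute master secret. */
+ if (!ssl_kex_derive_ecdhe_ecp(ecdh, ecdh_peer, &key, &key_len))
+ goto err;
  s->session->master_key_length = tls1_generate_master_secret(s,
  s->session->master_key, key, key_len);
 
  EC_KEY_free(S3I(s)->tmp.ecdh);
  S3I(s)->tmp.ecdh = NULL;
+ S3I(s)->tmp.ecdh_nid = NID_undef;
 
  ret = 1;
 
  err:
- freezero(key, key_size);
- EC_POINT_free(point);
- BN_CTX_free(bn_ctx);
+ freezero(key, key_len);
+ EC_KEY_free(ecdh_peer);
 
  return (ret);
 }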
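Review bot: The new failure paths in ssl3_get_client_kex_ecdhe_ecp report nothing to the error queue: the `EC_KEY_new()` check at new line 1856 drops the `ERR_R_MALLOC_FAILURE` that the removed allocation checks raised, and the `ssl_kex_peer_public_ecdhe_ecp` and `ssl_kex_derive_ecdhe_ecp` calls replace branches that raised `ERR_R_EC_LIB` and `ERR_R_ECDH_LIB`, so unless those helpers (not in this diff) push their own errors the caller now gets -1 with an empty queue; the same applies to the `ssl_kex_generate_ecdhe_ecp` and `ssl_kex_public_ecdhe_ecp` calls in ssl3_send_server_kex_ecdhe_ecp. For the allocation at least, `if ((ecdh_peer = EC_KEY_new()) == NULL) { SSLerror(s, ERR_R_MALLOC_FAILURE); goto err; }` keeps the previous reporting. The cleanup `freezero(key, key_len)` is only safe if `ssl_kex_derive_ecdhe_ecp` never fails with `*key` allocated while `*key_len` is still 0, because freezero with a zero length frees without clearing the shared secret; that contract should be stated in the helper's comment. Since decoding of the peer point moved out of this function (the removed `EC_POINT_oct2point` call), it is also worth confirming that `ssl_kex_peer_public_ecdhe_ecp` rejects a point that is not on the curve identified by `tmp.ecdh_nid` before the derivation runs.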