Convert legacy server to tls_key_share.

This requires a few more additions to the DHE key share code - we need to be able to either set the DHE parameters or specify the number of key bits for use with auto DHE parameters. Additionally, we need to be able to serialise the DHE parameters to send to the client. This removes the infamous 'tmp' struct from ssl3_state_internal_st. ok inoguchi@ tb@
author: jsing <> 2022-01-07 15:46:30 +0000
committer: jsing <> 2022-01-07 15:46:30 +0000
commit: 3f7702534a377e0a3b33a6681df0af8a57adbc57 (patch)
tree: 270b59705c9d4efa145c0649cce3fa41750939d9 /src/lib/libssl/ssl_srvr.c
parent: a42b07afac78ec75467b5a5ca9fcbbdaf9d093a4 (diff)
download: openbsd-3f7702534a377e0a3b33a6681df0af8a57adbc57.tar.gz
openbsd-3f7702534a377e0a3b33a6681df0af8a57adbc57.tar.bz2
openbsd-3f7702534a377e0a3b33a6681df0af8a57adbc57.zip
1 files changed, 40 insertions, 202 deletions
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index 0496985351..b66a2c108d 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.130 2022/01/04 12:53:31 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.131 2022/01/07 15:46:30 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1309,23 +1309,23 @@ ssl3_send_server_done(SSL *s)
 static int
 ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)
 {
-        DH *dh = NULL;
+        int nid = NID_dhKeyAgreement;
-        int al;
-        if ((dh = DH_new()) == NULL)
+        tls_key_share_free(S3I(s)->hs.key_share);
+        if ((S3I(s)->hs.key_share = tls_key_share_new_nid(nid)) == NULL)
                goto err;
        if (s->cert->dh_tmp_auto != 0) {
                size_t key_bits;
                if ((key_bits = ssl_dhe_params_auto_key_bits(s)) == 0) {
-                        al = SSL_AD_INTERNAL_ERROR;
                        SSLerror(s, ERR_R_INTERNAL_ERROR);
-                        goto fatal_err;
+                        ssl3_send_alert(s, SSL3_AL_FATAL,
-                }
+                            SSL_AD_INTERNAL_ERROR);
-                if (!ssl_kex_generate_dhe_params_auto(dh, key_bits))
                        goto err;
+                }
+                tls_key_share_set_key_bits(S3I(s)->hs.key_share,
+                    key_bits);
        } else {
                DH *dh_params = s->cert->dh_tmp;
@@ -1334,157 +1334,69 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)
                            SSL_C_PKEYLENGTH(S3I(s)->hs.cipher));
                if (dh_params == NULL) {
-                        al = SSL_AD_HANDSHAKE_FAILURE;
                        SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
-                        goto fatal_err;
+                        ssl3_send_alert(s, SSL3_AL_FATAL,
+                            SSL_AD_HANDSHAKE_FAILURE);
+                        goto err;
                }
-                if (!ssl_kex_generate_dhe(dh, dh_params))
+                if (!tls_key_share_set_dh_params(S3I(s)->hs.key_share, dh_params))
                        goto err;
        }
-        if (!ssl_kex_params_dhe(dh, cbb))
+        if (!tls_key_share_generate(S3I(s)->hs.key_share))
-                goto err;
-        if (!ssl_kex_public_dhe(dh, cbb))
                goto err;
-        if (S3I(s)->tmp.dh != NULL) {
+        if (!tls_key_share_params(S3I(s)->hs.key_share, cbb))
-                SSLerror(s, ERR_R_INTERNAL_ERROR);
+                goto err;
+        if (!tls_key_share_public(S3I(s)->hs.key_share, cbb))
                goto err;
-        }
-        S3I(s)->tmp.dh = dh;
        return 1;
- fatal_err:
-        ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
-        DH_free(dh);
        return 0;
 }
 static int
-ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb)
+ssl3_send_server_kex_ecdhe(SSL *s, CBB *cbb)
 {
-        uint16_t curve_id;
+        CBB public;
-        EC_KEY *ecdh;
+        int nid;
-        CBB ecpoint;
-        int al;
-        /*
+        if ((nid = tls1_get_shared_curve(s)) == NID_undef) {
-         * Only named curves are supported in ECDH ephemeral key exchanges.
-         * For supported named curves, curve_id is non-zero.
-         */
-        if ((curve_id = tls1_ec_nid2curve_id(nid)) == 0) {
                SSLerror(s, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
+                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
                goto err;
        }
-        if (S3I(s)->tmp.ecdh != NULL) {
+        tls_key_share_free(S3I(s)->hs.key_share);
-                SSLerror(s, ERR_R_INTERNAL_ERROR);
+        if ((S3I(s)->hs.key_share = tls_key_share_new_nid(nid)) == NULL)
                goto err;
-        }
-        if ((S3I(s)->tmp.ecdh = EC_KEY_new()) == NULL) {
+        if (!tls_key_share_generate(S3I(s)->hs.key_share))
-                al = SSL_AD_HANDSHAKE_FAILURE;
-                SSLerror(s, SSL_R_MISSING_TMP_ECDH_KEY);
-                goto fatal_err;
-        }
-        S3I(s)->tmp.ecdh_nid = nid;
-        ecdh = S3I(s)->tmp.ecdh;
-        if (!ssl_kex_generate_ecdhe_ecp(ecdh, nid))
                goto err;
        /*
-         * Encode the public key.
+         * ECC key exchange - see RFC 8422, section 5.4.
-         *
-         * Only named curves are supported in ECDH ephemeral key exchanges.
-         * In this case the ServerKeyExchange message has:
-         * [1 byte CurveType], [2 byte CurveName]
-         * [1 byte length of encoded point], followed by
-         * the actual encoded point itself.
         */
        if (!CBB_add_u8(cbb, NAMED_CURVE_TYPE))
                goto err;
-        if (!CBB_add_u16(cbb, curve_id))
+        if (!CBB_add_u16(cbb, tls_key_share_group(S3I(s)->hs.key_share)))
                goto err;
-        if (!CBB_add_u8_length_prefixed(cbb, &ecpoint))
+        if (!CBB_add_u8_length_prefixed(cbb, &public))
                goto err;
-        if (!ssl_kex_public_ecdhe_ecp(ecdh, &ecpoint))
+        if (!tls_key_share_public(S3I(s)->hs.key_share, &public))
                goto err;
        if (!CBB_flush(cbb))
                goto err;
        return 1;
- fatal_err:
-        ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
        return 0;
 }
-static int
-ssl3_send_server_kex_ecdhe_ecx(SSL *s, int nid, CBB *cbb)
-{
-        uint8_t *public_key = NULL, *private_key = NULL;
-        uint16_t curve_id;
-        CBB ecpoint;
-        int ret = 0;
-        /* Generate an X25519 key pair. */
-        if (S3I(s)->tmp.x25519 != NULL) {
-                SSLerror(s, ERR_R_INTERNAL_ERROR);
-                goto err;
-        }
-        if ((private_key = malloc(X25519_KEY_LENGTH)) == NULL)
-                goto err;
-        if ((public_key = malloc(X25519_KEY_LENGTH)) == NULL)
-                goto err;
-        X25519_keypair(public_key, private_key);
-        /* Serialize public key. */
-        if ((curve_id = tls1_ec_nid2curve_id(nid)) == 0) {
-                SSLerror(s, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
-                goto err;
-        }
-        if (!CBB_add_u8(cbb, NAMED_CURVE_TYPE))
-                goto err;
-        if (!CBB_add_u16(cbb, curve_id))
-                goto err;
-        if (!CBB_add_u8_length_prefixed(cbb, &ecpoint))
-                goto err;
-        if (!CBB_add_bytes(&ecpoint, public_key, X25519_KEY_LENGTH))
-                goto err;
-        if (!CBB_flush(cbb))
-                goto err;
-        S3I(s)->tmp.x25519 = private_key;
-        private_key = NULL;
-        ret = 1;
- err:
-        free(public_key);
-        freezero(private_key, X25519_KEY_LENGTH);
-        return ret;
-}
-static int
-ssl3_send_server_kex_ecdhe(SSL *s, CBB *cbb)
-{
-        int nid;
-        nid = tls1_get_shared_curve(s);
-        if (nid == NID_X25519)
-                return ssl3_send_server_kex_ecdhe_ecx(s, nid, cbb);
-        return ssl3_send_server_kex_ecdhe_ecp(s, nid, cbb);
-}
 int
 ssl3_send_server_key_exchange(SSL *s)
 {
@@ -1791,148 +1703,74 @@ ssl3_get_client_kex_rsa(SSL *s, CBS *cbs)
 static int
 ssl3_get_client_kex_dhe(SSL *s, CBS *cbs)
 {
-        DH *dh_clnt = NULL;
-        DH *dh_srvr;
-        int invalid_key;
        uint8_t *key = NULL;
        size_t key_len = 0;
+        int invalid_key;
        int ret = 0;
-        if ((dh_srvr = S3I(s)->tmp.dh) == NULL) {
+        if (S3I(s)->hs.key_share == NULL) {
                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
                SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
                goto err;
        }
-        if ((dh_clnt = DHparams_dup(dh_srvr)) == NULL)
+        if (!tls_key_share_peer_public(S3I(s)->hs.key_share, cbs,
-                goto err;
+            &invalid_key))
-        if (!ssl_kex_peer_public_dhe(dh_clnt, cbs, &invalid_key)) {
-                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-                SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
                goto err;
-        }
        if (invalid_key) {
                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
                SSLerror(s, SSL_R_BAD_DH_PUB_KEY_LENGTH);
                goto err;
        }
-        if (!ssl_kex_derive_dhe(dh_srvr, dh_clnt, &key, &key_len))
+        if (!tls_key_share_derive(S3I(s)->hs.key_share, &key, &key_len))
                goto err;
        if (!tls12_derive_master_secret(s, key, key_len))
                goto err;
-        DH_free(S3I(s)->tmp.dh);
-        S3I(s)->tmp.dh = NULL;
        ret = 1;
 err:
        freezero(key, key_len);
-        DH_free(dh_clnt);
        return ret;
 }
 static int
-ssl3_get_client_kex_ecdhe_ecp(SSL *s, CBS *cbs)
+ssl3_get_client_kex_ecdhe(SSL *s, CBS *cbs)
 {
        uint8_t *key = NULL;
        size_t key_len = 0;
-        EC_KEY *ecdh_peer = NULL;
-        EC_KEY *ecdh;
        CBS public;
        int ret = 0;
-        /*
+        if (S3I(s)->hs.key_share == NULL) {
-         * Use the ephemeral values we saved when generating the
+                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
-         * ServerKeyExchange message.
+                SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
-         */
-        if ((ecdh = S3I(s)->tmp.ecdh) == NULL) {
-                SSLerror(s, ERR_R_INTERNAL_ERROR);
                goto err;
        }
-        /*
-         * Get client's public key from encoded point in the ClientKeyExchange
-         * message.
-         */
        if (!CBS_get_u8_length_prefixed(cbs, &public))
                goto err;
-        if (CBS_len(cbs) != 0)
+        if (!tls_key_share_peer_public(S3I(s)->hs.key_share, &public, NULL))
                goto err;
-        if ((ecdh_peer = EC_KEY_new()) == NULL)
+        if (!tls_key_share_derive(S3I(s)->hs.key_share, &key, &key_len))
                goto err;
-        if (!ssl_kex_peer_public_ecdhe_ecp(ecdh_peer, S3I(s)->tmp.ecdh_nid,
-            &public))
-                goto err;
-        /* Derive the shared secret and compute master secret. */
-        if (!ssl_kex_derive_ecdhe_ecp(ecdh, ecdh_peer, &key, &key_len))
-                goto err;
        if (!tls12_derive_master_secret(s, key, key_len))
                goto err;
-        EC_KEY_free(S3I(s)->tmp.ecdh);
-        S3I(s)->tmp.ecdh = NULL;
-        S3I(s)->tmp.ecdh_nid = NID_undef;
        ret = 1;
 err:
        freezero(key, key_len);
-        EC_KEY_free(ecdh_peer);
        return ret;
 }
 static int
-ssl3_get_client_kex_ecdhe_ecx(SSL *s, CBS *cbs)
-{
-        uint8_t *shared_key = NULL;
-        CBS ecpoint;
-        int ret = 0;
-        if (!CBS_get_u8_length_prefixed(cbs, &ecpoint))
-                goto err;
-        if (CBS_len(cbs) != 0)
-                goto err;
-        if (CBS_len(&ecpoint) != X25519_KEY_LENGTH)
-                goto err;
-        if ((shared_key = malloc(X25519_KEY_LENGTH)) == NULL)
-                goto err;
-        if (!X25519(shared_key, S3I(s)->tmp.x25519, CBS_data(&ecpoint)))
-                goto err;
-        freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH);
-        S3I(s)->tmp.x25519 = NULL;
-        if (!tls12_derive_master_secret(s, shared_key, X25519_KEY_LENGTH))
-                goto err;
-        ret = 1;
- err:
-        freezero(shared_key, X25519_KEY_LENGTH);
-        return ret;
-}
-static int
-ssl3_get_client_kex_ecdhe(SSL *s, CBS *cbs)
-{
-        if (S3I(s)->tmp.x25519 != NULL)
-                return ssl3_get_client_kex_ecdhe_ecx(s, cbs);
-        return ssl3_get_client_kex_ecdhe_ecp(s, cbs);
-}
-static int
 ssl3_get_client_kex_gost(SSL *s, CBS *cbs)
 {
        EVP_PKEY_CTX *pkey_ctx;
author	jsing <>	2022-01-07 15:46:30 +0000
committer	jsing <>	2022-01-07 15:46:30 +0000
commit	3f7702534a377e0a3b33a6681df0af8a57adbc57 (patch)
tree	270b59705c9d4efa145c0649cce3fa41750939d9 /src/lib/libssl/ssl_srvr.c
parent	a42b07afac78ec75467b5a5ca9fcbbdaf9d093a4 (diff)
download	openbsd-3f7702534a377e0a3b33a6681df0af8a57adbc57.tar.gz openbsd-3f7702534a377e0a3b33a6681df0af8a57adbc57.tar.bz2 openbsd-3f7702534a377e0a3b33a6681df0af8a57adbc57.zip

diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c index 0496985351..b66a2c108d 100644 --- a/src/lib/libssl/ssl_srvr.c +++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_srvr.c,v 1.130 2022/01/04 12:53:31 jsing Exp $ */	1	/* $OpenBSD: ssl_srvr.c,v 1.131 2022/01/07 15:46:30 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1309,23 +1309,23 @@ ssl3_send_server_done(SSL *s)
1309	static int	1309	static int
1310	ssl3_send_server_kex_dhe(SSL s, CBB cbb)	1310	ssl3_send_server_kex_dhe(SSL s, CBB cbb)
1311	{	1311	{
1312	DH *dh = NULL;	1312	int nid = NID_dhKeyAgreement;
1313	int al;
1314		1313
1315	if ((dh = DH_new()) == NULL)	1314	tls_key_share_free(S3I(s)->hs.key_share);
		1315	if ((S3I(s)->hs.key_share = tls_key_share_new_nid(nid)) == NULL)
1316	goto err;	1316	goto err;
1317		1317
1318	if (s->cert->dh_tmp_auto != 0) {	1318	if (s->cert->dh_tmp_auto != 0) {
1319	size_t key_bits;	1319	size_t key_bits;
1320		1320
1321	if ((key_bits = ssl_dhe_params_auto_key_bits(s)) == 0) {	1321	if ((key_bits = ssl_dhe_params_auto_key_bits(s)) == 0) {
1322	al = SSL_AD_INTERNAL_ERROR;
1323	SSLerror(s, ERR_R_INTERNAL_ERROR);	1322	SSLerror(s, ERR_R_INTERNAL_ERROR);
1324	goto fatal_err;	1323	ssl3_send_alert(s, SSL3_AL_FATAL,
1325	}	1324	SSL_AD_INTERNAL_ERROR);
1326
1327	if (!ssl_kex_generate_dhe_params_auto(dh, key_bits))
1328	goto err;	1325	goto err;
		1326	}
		1327	tls_key_share_set_key_bits(S3I(s)->hs.key_share,
		1328	key_bits);
1329	} else {	1329	} else {
1330	DH *dh_params = s->cert->dh_tmp;	1330	DH *dh_params = s->cert->dh_tmp;
1331		1331
@@ -1334,157 +1334,69 @@ ssl3_send_server_kex_dhe(SSL s, CBB cbb)
1334	SSL_C_PKEYLENGTH(S3I(s)->hs.cipher));	1334	SSL_C_PKEYLENGTH(S3I(s)->hs.cipher));
1335		1335
1336	if (dh_params == NULL) {	1336	if (dh_params == NULL) {
1337	al = SSL_AD_HANDSHAKE_FAILURE;
1338	SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);	1337	SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
1339	goto fatal_err;	1338	ssl3_send_alert(s, SSL3_AL_FATAL,
		1339	SSL_AD_HANDSHAKE_FAILURE);
		1340	goto err;
1340	}	1341	}
1341		1342
1342	if (!ssl_kex_generate_dhe(dh, dh_params))	1343	if (!tls_key_share_set_dh_params(S3I(s)->hs.key_share, dh_params))
1343	goto err;	1344	goto err;
1344	}	1345	}
1345		1346
1346	if (!ssl_kex_params_dhe(dh, cbb))	1347	if (!tls_key_share_generate(S3I(s)->hs.key_share))
1347	goto err;
1348	if (!ssl_kex_public_dhe(dh, cbb))
1349	goto err;	1348	goto err;
1350		1349
1351	if (S3I(s)->tmp.dh != NULL) {	1350	if (!tls_key_share_params(S3I(s)->hs.key_share, cbb))
1352	SSLerror(s, ERR_R_INTERNAL_ERROR);	1351	goto err;
		1352	if (!tls_key_share_public(S3I(s)->hs.key_share, cbb))
1353	goto err;	1353	goto err;
1354	}
1355	S3I(s)->tmp.dh = dh;
1356		1354
1357	return 1;	1355	return 1;
1358		1356
1359	fatal_err:
1360	ssl3_send_alert(s, SSL3_AL_FATAL, al);
1361	err:	1357	err:
1362	DH_free(dh);
1363
1364	return 0;	1358	return 0;
1365	}	1359	}
1366		1360
1367	static int	1361	static int
1368	ssl3_send_server_kex_ecdhe_ecp(SSL s, int nid, CBB cbb)	1362	ssl3_send_server_kex_ecdhe(SSL s, CBB cbb)
1369	{	1363	{
1370	uint16_t curve_id;	1364	CBB public;
1371	EC_KEY *ecdh;	1365	int nid;
1372	CBB ecpoint;
1373	int al;
1374		1366
1375	/*	1367	if ((nid = tls1_get_shared_curve(s)) == NID_undef) {
1376	* Only named curves are supported in ECDH ephemeral key exchanges.
1377	* For supported named curves, curve_id is non-zero.
1378	*/
1379	if ((curve_id = tls1_ec_nid2curve_id(nid)) == 0) {
1380	SSLerror(s, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);	1368	SSLerror(s, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
		1369	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1381	goto err;	1370	goto err;
1382	}	1371	}
1383		1372
1384	if (S3I(s)->tmp.ecdh != NULL) {	1373	tls_key_share_free(S3I(s)->hs.key_share);
1385	SSLerror(s, ERR_R_INTERNAL_ERROR);	1374	if ((S3I(s)->hs.key_share = tls_key_share_new_nid(nid)) == NULL)
1386	goto err;	1375	goto err;
1387	}
1388		1376
1389	if ((S3I(s)->tmp.ecdh = EC_KEY_new()) == NULL) {	1377	if (!tls_key_share_generate(S3I(s)->hs.key_share))
1390	al = SSL_AD_HANDSHAKE_FAILURE;
1391	SSLerror(s, SSL_R_MISSING_TMP_ECDH_KEY);
1392	goto fatal_err;
1393	}
1394	S3I(s)->tmp.ecdh_nid = nid;
1395	ecdh = S3I(s)->tmp.ecdh;
1396
1397	if (!ssl_kex_generate_ecdhe_ecp(ecdh, nid))
1398	goto err;	1378	goto err;
1399		1379
1400	/*	1380	/*
1401	* Encode the public key.	1381	* ECC key exchange - see RFC 8422, section 5.4.
1402	*
1403	* Only named curves are supported in ECDH ephemeral key exchanges.
1404	* In this case the ServerKeyExchange message has:
1405	* [1 byte CurveType], [2 byte CurveName]
1406	* [1 byte length of encoded point], followed by
1407	* the actual encoded point itself.
1408	*/	1382	*/
1409	if (!CBB_add_u8(cbb, NAMED_CURVE_TYPE))	1383	if (!CBB_add_u8(cbb, NAMED_CURVE_TYPE))
1410	goto err;	1384	goto err;
1411	if (!CBB_add_u16(cbb, curve_id))	1385	if (!CBB_add_u16(cbb, tls_key_share_group(S3I(s)->hs.key_share)))
1412	goto err;	1386	goto err;
1413	if (!CBB_add_u8_length_prefixed(cbb, &ecpoint))	1387	if (!CBB_add_u8_length_prefixed(cbb, &public))
1414	goto err;	1388	goto err;
1415	if (!ssl_kex_public_ecdhe_ecp(ecdh, &ecpoint))	1389	if (!tls_key_share_public(S3I(s)->hs.key_share, &public))
1416	goto err;	1390	goto err;
1417	if (!CBB_flush(cbb))	1391	if (!CBB_flush(cbb))
1418	goto err;	1392	goto err;
1419		1393
1420	return 1;	1394	return 1;
1421		1395
1422	fatal_err:
1423	ssl3_send_alert(s, SSL3_AL_FATAL, al);
1424	err:	1396	err:
1425	return 0;	1397	return 0;
1426	}	1398	}
1427		1399
1428	static int
1429	ssl3_send_server_kex_ecdhe_ecx(SSL s, int nid, CBB cbb)
1430	{
1431	uint8_t public_key = NULL, private_key = NULL;
1432	uint16_t curve_id;
1433	CBB ecpoint;
1434	int ret = 0;
1435
1436	/* Generate an X25519 key pair. */
1437	if (S3I(s)->tmp.x25519 != NULL) {
1438	SSLerror(s, ERR_R_INTERNAL_ERROR);
1439	goto err;
1440	}
1441	if ((private_key = malloc(X25519_KEY_LENGTH)) == NULL)
1442	goto err;
1443	if ((public_key = malloc(X25519_KEY_LENGTH)) == NULL)
1444	goto err;
1445	X25519_keypair(public_key, private_key);
1446
1447	/* Serialize public key. */
1448	if ((curve_id = tls1_ec_nid2curve_id(nid)) == 0) {
1449	SSLerror(s, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
1450	goto err;
1451	}
1452
1453	if (!CBB_add_u8(cbb, NAMED_CURVE_TYPE))
1454	goto err;
1455	if (!CBB_add_u16(cbb, curve_id))
1456	goto err;
1457	if (!CBB_add_u8_length_prefixed(cbb, &ecpoint))
1458	goto err;
1459	if (!CBB_add_bytes(&ecpoint, public_key, X25519_KEY_LENGTH))
1460	goto err;
1461	if (!CBB_flush(cbb))
1462	goto err;
1463
1464	S3I(s)->tmp.x25519 = private_key;
1465	private_key = NULL;
1466	ret = 1;
1467
1468	err:
1469	free(public_key);
1470	freezero(private_key, X25519_KEY_LENGTH);
1471
1472	return ret;
1473	}
1474
1475	static int
1476	ssl3_send_server_kex_ecdhe(SSL s, CBB cbb)
1477	{
1478	int nid;
1479
1480	nid = tls1_get_shared_curve(s);
1481
1482	if (nid == NID_X25519)
1483	return ssl3_send_server_kex_ecdhe_ecx(s, nid, cbb);
1484
1485	return ssl3_send_server_kex_ecdhe_ecp(s, nid, cbb);
1486	}
1487
1488	int	1400	int
1489	ssl3_send_server_key_exchange(SSL *s)	1401	ssl3_send_server_key_exchange(SSL *s)
1490	{	1402	{
@@ -1791,148 +1703,74 @@ ssl3_get_client_kex_rsa(SSL s, CBS cbs)
1791	static int	1703	static int
1792	ssl3_get_client_kex_dhe(SSL s, CBS cbs)	1704	ssl3_get_client_kex_dhe(SSL s, CBS cbs)
1793	{	1705	{
1794	DH *dh_clnt = NULL;
1795	DH *dh_srvr;
1796	int invalid_key;
1797	uint8_t *key = NULL;	1706	uint8_t *key = NULL;
1798	size_t key_len = 0;	1707	size_t key_len = 0;
		1708	int invalid_key;
1799	int ret = 0;	1709	int ret = 0;
1800		1710
1801	if ((dh_srvr = S3I(s)->tmp.dh) == NULL) {	1711	if (S3I(s)->hs.key_share == NULL) {
1802	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);	1712	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1803	SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);	1713	SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
1804	goto err;	1714	goto err;
1805	}	1715	}
1806		1716
1807	if ((dh_clnt = DHparams_dup(dh_srvr)) == NULL)	1717	if (!tls_key_share_peer_public(S3I(s)->hs.key_share, cbs,
1808	goto err;	1718	&invalid_key))
1809
1810	if (!ssl_kex_peer_public_dhe(dh_clnt, cbs, &invalid_key)) {
1811	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1812	SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1813	goto err;	1719	goto err;
1814	}
1815	if (invalid_key) {	1720	if (invalid_key) {
1816	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);	1721	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
1817	SSLerror(s, SSL_R_BAD_DH_PUB_KEY_LENGTH);	1722	SSLerror(s, SSL_R_BAD_DH_PUB_KEY_LENGTH);
1818	goto err;	1723	goto err;
1819	}	1724	}
1820		1725
1821	if (!ssl_kex_derive_dhe(dh_srvr, dh_clnt, &key, &key_len))	1726	if (!tls_key_share_derive(S3I(s)->hs.key_share, &key, &key_len))
1822	goto err;	1727	goto err;
1823		1728
1824	if (!tls12_derive_master_secret(s, key, key_len))	1729	if (!tls12_derive_master_secret(s, key, key_len))
1825	goto err;	1730	goto err;
1826		1731
1827	DH_free(S3I(s)->tmp.dh);
1828	S3I(s)->tmp.dh = NULL;
1829
1830	ret = 1;	1732	ret = 1;
1831		1733
1832	err:	1734	err:
1833	freezero(key, key_len);	1735	freezero(key, key_len);
1834	DH_free(dh_clnt);
1835		1736
1836	return ret;	1737	return ret;
1837	}	1738	}
1838		1739
1839	static int	1740	static int
1840	ssl3_get_client_kex_ecdhe_ecp(SSL s, CBS cbs)	1741	ssl3_get_client_kex_ecdhe(SSL s, CBS cbs)
1841	{	1742	{
1842	uint8_t *key = NULL;	1743	uint8_t *key = NULL;
1843	size_t key_len = 0;	1744	size_t key_len = 0;
1844	EC_KEY *ecdh_peer = NULL;
1845	EC_KEY *ecdh;
1846	CBS public;	1745	CBS public;
1847	int ret = 0;	1746	int ret = 0;
1848		1747
1849	/*	1748	if (S3I(s)->hs.key_share == NULL) {
1850	* Use the ephemeral values we saved when generating the	1749	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1851	* ServerKeyExchange message.	1750	SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
1852	*/
1853	if ((ecdh = S3I(s)->tmp.ecdh) == NULL) {
1854	SSLerror(s, ERR_R_INTERNAL_ERROR);
1855	goto err;	1751	goto err;
1856	}	1752	}
1857		1753
1858	/*
1859	* Get client's public key from encoded point in the ClientKeyExchange
1860	* message.
1861	*/
1862	if (!CBS_get_u8_length_prefixed(cbs, &public))	1754	if (!CBS_get_u8_length_prefixed(cbs, &public))
1863	goto err;	1755	goto err;
1864	if (CBS_len(cbs) != 0)	1756	if (!tls_key_share_peer_public(S3I(s)->hs.key_share, &public, NULL))
1865	goto err;	1757	goto err;
1866		1758
1867	if ((ecdh_peer = EC_KEY_new()) == NULL)	1759	if (!tls_key_share_derive(S3I(s)->hs.key_share, &key, &key_len))
1868	goto err;	1760	goto err;
1869		1761
1870	if (!ssl_kex_peer_public_ecdhe_ecp(ecdh_peer, S3I(s)->tmp.ecdh_nid,
1871	&public))
1872	goto err;
1873
1874	/* Derive the shared secret and compute master secret. */
1875	if (!ssl_kex_derive_ecdhe_ecp(ecdh, ecdh_peer, &key, &key_len))
1876	goto err;
1877	if (!tls12_derive_master_secret(s, key, key_len))	1762	if (!tls12_derive_master_secret(s, key, key_len))
1878	goto err;	1763	goto err;
1879		1764
1880	EC_KEY_free(S3I(s)->tmp.ecdh);
1881	S3I(s)->tmp.ecdh = NULL;
1882	S3I(s)->tmp.ecdh_nid = NID_undef;
1883
1884	ret = 1;	1765	ret = 1;
1885		1766
1886	err:	1767	err:
1887	freezero(key, key_len);	1768	freezero(key, key_len);
1888	EC_KEY_free(ecdh_peer);
1889		1769
1890	return ret;	1770	return ret;
1891	}	1771	}
1892		1772
1893	static int	1773	static int
1894	ssl3_get_client_kex_ecdhe_ecx(SSL s, CBS cbs)
1895	{
1896	uint8_t *shared_key = NULL;
1897	CBS ecpoint;
1898	int ret = 0;
1899
1900	if (!CBS_get_u8_length_prefixed(cbs, &ecpoint))
1901	goto err;
1902	if (CBS_len(cbs) != 0)
1903	goto err;
1904	if (CBS_len(&ecpoint) != X25519_KEY_LENGTH)
1905	goto err;
1906
1907	if ((shared_key = malloc(X25519_KEY_LENGTH)) == NULL)
1908	goto err;
1909	if (!X25519(shared_key, S3I(s)->tmp.x25519, CBS_data(&ecpoint)))
1910	goto err;
1911
1912	freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH);
1913	S3I(s)->tmp.x25519 = NULL;
1914
1915	if (!tls12_derive_master_secret(s, shared_key, X25519_KEY_LENGTH))
1916	goto err;
1917
1918	ret = 1;
1919
1920	err:
1921	freezero(shared_key, X25519_KEY_LENGTH);
1922
1923	return ret;
1924	}
1925
1926	static int
1927	ssl3_get_client_kex_ecdhe(SSL s, CBS cbs)
1928	{
1929	if (S3I(s)->tmp.x25519 != NULL)
1930	return ssl3_get_client_kex_ecdhe_ecx(s, cbs);
1931
1932	return ssl3_get_client_kex_ecdhe_ecp(s, cbs);
1933	}
1934
1935	static int
1936	ssl3_get_client_kex_gost(SSL s, CBS cbs)	1774	ssl3_get_client_kex_gost(SSL s, CBS cbs)
1937	{	1775	{
1938	EVP_PKEY_CTX *pkey_ctx;	1776	EVP_PKEY_CTX *pkey_ctx;