Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys (and/or curves) for use with ECDH and ECDHE key exchange. You could specify a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via a callback that was provided with insufficient information (SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to problems (like ECDHE not being enabled) and potential weird configuration (like being able to do ECDHE without the ephemeral part...). We no longer support ECDH and ECDHE can be disabled by removing ECDHE ciphers from the cipher list. As such, permanently enable automatic EC curve selection and generation, effectively disabling all of the configuration knobs. The only exception is the SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous behaviour by configuring the curve of the given EC key as the only curve being enabled. Everything else becomes a no-op. ok beck@ doug@
author: jsing <> 2017-08-10 17:18:38 +0000
committer: jsing <> 2017-08-10 17:18:38 +0000
commit: f6039d62295a1c6b1188b531731d233d196faf0d (patch)
tree: aa09a427af12b5b2e6c7178a34d25bab71b31269 /src/lib/libssl/ssl_srvr.c
parent: 53bebfdbe69d92a9d3e68a860900ff0ebd428792 (diff)
download: openbsd-f6039d62295a1c6b1188b531731d233d196faf0d.tar.gz
openbsd-f6039d62295a1c6b1188b531731d233d196faf0d.tar.bz2
openbsd-f6039d62295a1c6b1188b531731d233d196faf0d.zip
1 files changed, 27 insertions, 49 deletions
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index 730d4ed1ad..575621a0ce 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.17 2017/05/07 04:22:24 beck Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.18 2017/08/10 17:18:38 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1267,27 +1267,23 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)
 static int
 ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb)
 {
-        CBB ecpoint;
-        unsigned char *data;
-        EC_KEY *ecdh = NULL, *ecdhp;
        const EC_GROUP *group;
+        const EC_POINT *pubkey;
+        unsigned char *data;
        int encoded_len = 0;
        int curve_id = 0;
        BN_CTX *bn_ctx = NULL;
+        EC_KEY *ecdh;
+        CBB ecpoint;
        int al;
-        ecdhp = s->cert->ecdh_tmp;
+        /*
-        if (s->cert->ecdh_tmp_auto != 0) {
+         * Only named curves are supported in ECDH ephemeral key exchanges.
-                if (nid != NID_undef)
+         * For supported named curves, curve_id is non-zero.
-                        ecdhp = EC_KEY_new_by_curve_name(nid);
+         */
-        } else if (ecdhp == NULL && s->cert->ecdh_tmp_cb != NULL) {
+        if ((curve_id = tls1_ec_nid2curve_id(nid)) == 0) {
-                ecdhp = s->cert->ecdh_tmp_cb(s, 0,
+                SSLerror(s, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
-                    SSL_C_PKEYLENGTH(S3I(s)->hs.new_cipher));
+                goto err;
-        }
-        if (ecdhp == NULL) {
-                al = SSL_AD_HANDSHAKE_FAILURE;
-                SSLerror(s, SSL_R_MISSING_TMP_ECDH_KEY);
-                goto f_err;
        }
        if (S3I(s)->tmp.ecdh != NULL) {
@@ -1295,46 +1291,28 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb)
                goto err;
        }
-        /* Duplicate the ECDH structure. */
+        if ((S3I(s)->tmp.ecdh = EC_KEY_new_by_curve_name(nid)) == NULL) {
-        if (s->cert->ecdh_tmp_auto != 0) {
+                al = SSL_AD_HANDSHAKE_FAILURE;
-                ecdh = ecdhp;
+                SSLerror(s, SSL_R_MISSING_TMP_ECDH_KEY);
-        } else if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) {
+                goto f_err;
-                SSLerror(s, ERR_R_ECDH_LIB);
-                goto err;
-        }
-        S3I(s)->tmp.ecdh = ecdh;
-        if ((EC_KEY_get0_public_key(ecdh) == NULL) ||
-            (EC_KEY_get0_private_key(ecdh) == NULL) ||
-            (s->internal->options & SSL_OP_SINGLE_ECDH_USE)) {
-                if (!EC_KEY_generate_key(ecdh)) {
-                        SSLerror(s, ERR_R_ECDH_LIB);
-                        goto err;
-                }
        }
+        ecdh = S3I(s)->tmp.ecdh;
-        if (((group = EC_KEY_get0_group(ecdh)) == NULL) ||
+        if (!EC_KEY_generate_key(ecdh)) {
-            (EC_KEY_get0_public_key(ecdh)  == NULL) ||
-            (EC_KEY_get0_private_key(ecdh) == NULL)) {
                SSLerror(s, ERR_R_ECDH_LIB);
                goto err;
        }
+        if ((group = EC_KEY_get0_group(ecdh)) == NULL ||
-        /*
+            (pubkey = EC_KEY_get0_public_key(ecdh)) == NULL ||
-         * Only named curves are supported in ECDH ephemeral key exchanges.
+            EC_KEY_get0_private_key(ecdh) == NULL) {
-         * For supported named curves, curve_id is non-zero.
+                SSLerror(s, ERR_R_ECDH_LIB);
-         */
-        if ((curve_id = tls1_ec_nid2curve_id(
-            EC_GROUP_get_curve_name(group))) == 0) {
-                SSLerror(s, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
                goto err;
        }
        /*
-         * Encode the public key. First check the size of encoding and
+         * Encode the public key.
-         * allocate memory accordingly.
         */
-        encoded_len = EC_POINT_point2oct(group, EC_KEY_get0_public_key(ecdh),
+        encoded_len = EC_POINT_point2oct(group, pubkey,
            POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL);
        if (encoded_len == 0) {
                SSLerror(s, ERR_R_ECDH_LIB);
@@ -1360,8 +1338,8 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb)
                goto err;
        if (!CBB_add_space(&ecpoint, &data, encoded_len))
                goto err;
-        if (EC_POINT_point2oct(group, EC_KEY_get0_public_key(ecdh),
+        if (EC_POINT_point2oct(group, pubkey, POINT_CONVERSION_UNCOMPRESSED,
-            POINT_CONVERSION_UNCOMPRESSED, data, encoded_len, bn_ctx) == 0) {
+            data, encoded_len, bn_ctx) == 0) {
                SSLerror(s, ERR_R_ECDH_LIB);
                goto err;
        }
@@ -1431,7 +1409,7 @@ ssl3_send_server_kex_ecdhe(SSL *s, CBB *cbb)
        nid = tls1_get_shared_curve(s);
-        if (s->cert->ecdh_tmp_auto != 0 && nid == NID_X25519)
+        if (nid == NID_X25519)
                return ssl3_send_server_kex_ecdhe_ecx(s, nid, cbb);
        return ssl3_send_server_kex_ecdhe_ecp(s, nid, cbb);
author	jsing <>	2017-08-10 17:18:38 +0000
committer	jsing <>	2017-08-10 17:18:38 +0000
commit	f6039d62295a1c6b1188b531731d233d196faf0d (patch)
tree	aa09a427af12b5b2e6c7178a34d25bab71b31269 /src/lib/libssl/ssl_srvr.c
parent	53bebfdbe69d92a9d3e68a860900ff0ebd428792 (diff)
download	openbsd-f6039d62295a1c6b1188b531731d233d196faf0d.tar.gz openbsd-f6039d62295a1c6b1188b531731d233d196faf0d.tar.bz2 openbsd-f6039d62295a1c6b1188b531731d233d196faf0d.zip

diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c index 730d4ed1ad..575621a0ce 100644 --- a/src/lib/libssl/ssl_srvr.c +++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_srvr.c,v 1.17 2017/05/07 04:22:24 beck Exp $ */	1	/* $OpenBSD: ssl_srvr.c,v 1.18 2017/08/10 17:18:38 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1267,27 +1267,23 @@ ssl3_send_server_kex_dhe(SSL s, CBB cbb)
1267	static int	1267	static int
1268	ssl3_send_server_kex_ecdhe_ecp(SSL s, int nid, CBB cbb)	1268	ssl3_send_server_kex_ecdhe_ecp(SSL s, int nid, CBB cbb)
1269	{	1269	{
1270	CBB ecpoint;
1271	unsigned char *data;
1272	EC_KEY ecdh = NULL, ecdhp;
1273	const EC_GROUP *group;	1270	const EC_GROUP *group;
		1271	const EC_POINT *pubkey;
		1272	unsigned char *data;
1274	int encoded_len = 0;	1273	int encoded_len = 0;
1275	int curve_id = 0;	1274	int curve_id = 0;
1276	BN_CTX *bn_ctx = NULL;	1275	BN_CTX *bn_ctx = NULL;
		1276	EC_KEY *ecdh;
		1277	CBB ecpoint;
1277	int al;	1278	int al;
1278		1279
1279	ecdhp = s->cert->ecdh_tmp;	1280	/*
1280	if (s->cert->ecdh_tmp_auto != 0) {	1281	* Only named curves are supported in ECDH ephemeral key exchanges.
1281	if (nid != NID_undef)	1282	* For supported named curves, curve_id is non-zero.
1282	ecdhp = EC_KEY_new_by_curve_name(nid);	1283	*/
1283	} else if (ecdhp == NULL && s->cert->ecdh_tmp_cb != NULL) {	1284	if ((curve_id = tls1_ec_nid2curve_id(nid)) == 0) {
1284	ecdhp = s->cert->ecdh_tmp_cb(s, 0,	1285	SSLerror(s, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
1285	SSL_C_PKEYLENGTH(S3I(s)->hs.new_cipher));	1286	goto err;
1286	}
1287	if (ecdhp == NULL) {
1288	al = SSL_AD_HANDSHAKE_FAILURE;
1289	SSLerror(s, SSL_R_MISSING_TMP_ECDH_KEY);
1290	goto f_err;
1291	}	1287	}
1292		1288
1293	if (S3I(s)->tmp.ecdh != NULL) {	1289	if (S3I(s)->tmp.ecdh != NULL) {
@@ -1295,46 +1291,28 @@ ssl3_send_server_kex_ecdhe_ecp(SSL s, int nid, CBB cbb)
1295	goto err;	1291	goto err;
1296	}	1292	}
1297		1293
1298	/* Duplicate the ECDH structure. */	1294	if ((S3I(s)->tmp.ecdh = EC_KEY_new_by_curve_name(nid)) == NULL) {
1299	if (s->cert->ecdh_tmp_auto != 0) {	1295	al = SSL_AD_HANDSHAKE_FAILURE;
1300	ecdh = ecdhp;	1296	SSLerror(s, SSL_R_MISSING_TMP_ECDH_KEY);
1301	} else if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) {	1297	goto f_err;
1302	SSLerror(s, ERR_R_ECDH_LIB);
1303	goto err;
1304	}
1305	S3I(s)->tmp.ecdh = ecdh;
1306
1307	if ((EC_KEY_get0_public_key(ecdh) == NULL) \|\|
1308	(EC_KEY_get0_private_key(ecdh) == NULL) \|\|
1309	(s->internal->options & SSL_OP_SINGLE_ECDH_USE)) {
1310	if (!EC_KEY_generate_key(ecdh)) {
1311	SSLerror(s, ERR_R_ECDH_LIB);
1312	goto err;
1313	}
1314	}	1298	}
		1299	ecdh = S3I(s)->tmp.ecdh;
1315		1300
1316	if (((group = EC_KEY_get0_group(ecdh)) == NULL) \|\|	1301	if (!EC_KEY_generate_key(ecdh)) {
1317	(EC_KEY_get0_public_key(ecdh) == NULL) \|\|
1318	(EC_KEY_get0_private_key(ecdh) == NULL)) {
1319	SSLerror(s, ERR_R_ECDH_LIB);	1302	SSLerror(s, ERR_R_ECDH_LIB);
1320	goto err;	1303	goto err;
1321	}	1304	}
1322		1305	if ((group = EC_KEY_get0_group(ecdh)) == NULL \|\|
1323	/*	1306	(pubkey = EC_KEY_get0_public_key(ecdh)) == NULL \|\|
1324	* Only named curves are supported in ECDH ephemeral key exchanges.	1307	EC_KEY_get0_private_key(ecdh) == NULL) {
1325	* For supported named curves, curve_id is non-zero.	1308	SSLerror(s, ERR_R_ECDH_LIB);
1326	*/
1327	if ((curve_id = tls1_ec_nid2curve_id(
1328	EC_GROUP_get_curve_name(group))) == 0) {
1329	SSLerror(s, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
1330	goto err;	1309	goto err;
1331	}	1310	}
1332		1311
1333	/*	1312	/*
1334	* Encode the public key. First check the size of encoding and	1313	* Encode the public key.
1335	* allocate memory accordingly.
1336	*/	1314	*/
1337	encoded_len = EC_POINT_point2oct(group, EC_KEY_get0_public_key(ecdh),	1315	encoded_len = EC_POINT_point2oct(group, pubkey,
1338	POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL);	1316	POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL);
1339	if (encoded_len == 0) {	1317	if (encoded_len == 0) {
1340	SSLerror(s, ERR_R_ECDH_LIB);	1318	SSLerror(s, ERR_R_ECDH_LIB);
@@ -1360,8 +1338,8 @@ ssl3_send_server_kex_ecdhe_ecp(SSL s, int nid, CBB cbb)
1360	goto err;	1338	goto err;
1361	if (!CBB_add_space(&ecpoint, &data, encoded_len))	1339	if (!CBB_add_space(&ecpoint, &data, encoded_len))
1362	goto err;	1340	goto err;
1363	if (EC_POINT_point2oct(group, EC_KEY_get0_public_key(ecdh),	1341	if (EC_POINT_point2oct(group, pubkey, POINT_CONVERSION_UNCOMPRESSED,
1364	POINT_CONVERSION_UNCOMPRESSED, data, encoded_len, bn_ctx) == 0) {	1342	data, encoded_len, bn_ctx) == 0) {
1365	SSLerror(s, ERR_R_ECDH_LIB);	1343	SSLerror(s, ERR_R_ECDH_LIB);
1366	goto err;	1344	goto err;
1367	}	1345	}
@@ -1431,7 +1409,7 @@ ssl3_send_server_kex_ecdhe(SSL s, CBB cbb)
1431		1409
1432	nid = tls1_get_shared_curve(s);	1410	nid = tls1_get_shared_curve(s);
1433		1411
1434	if (s->cert->ecdh_tmp_auto != 0 && nid == NID_X25519)	1412	if (nid == NID_X25519)
1435	return ssl3_send_server_kex_ecdhe_ecx(s, nid, cbb);	1413	return ssl3_send_server_kex_ecdhe_ecx(s, nid, cbb);
1436		1414
1437	return ssl3_send_server_kex_ecdhe_ecp(s, nid, cbb);	1415	return ssl3_send_server_kex_ecdhe_ecp(s, nid, cbb);