Add support for SSL_get_server_tmp_key().

ok doug@
author: jsing <> 2016-12-30 17:20:51 +0000
committer: jsing <> 2016-12-30 17:20:51 +0000
commit: c6852449efeadbfc5a05c733da7136ce72a68a35 (patch)
tree: df6feaced005fb3195d597d5bfcbe8ecc80acbc8 /src
parent: 1aa07a55f7c4b5aa54a98dad9ca25ef5ca7cb37a (diff)
download: openbsd-c6852449efeadbfc5a05c733da7136ce72a68a35.tar.gz
openbsd-c6852449efeadbfc5a05c733da7136ce72a68a35.tar.bz2
openbsd-c6852449efeadbfc5a05c733da7136ce72a68a35.zip
2 files changed, 74 insertions, 3 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 212de5f7a4..5c7f2cb27c 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.114 2016/12/21 16:44:31 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.115 2016/12/30 17:20:51 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -151,6 +151,7 @@
 #include <limits.h>
 #include <stdio.h>
+#include <openssl/bn.h>
 #include <openssl/curve25519.h>
 #include <openssl/dh.h>
 #include <openssl/md5.h>
@@ -1904,6 +1905,67 @@ ssl3_clear(SSL *s)
        s->next_proto_negotiated_len = 0;
 }
+static long
+ssl_ctrl_get_server_tmp_key(SSL *s, EVP_PKEY **pkey_tmp)
+{
+        EVP_PKEY *pkey = NULL;
+        EC_GROUP *group = NULL;
+        EC_POINT *point = NULL;
+        EC_KEY *ec_key = NULL;
+        BIGNUM *order = NULL;
+        SESS_CERT *sc;
+        int ret = 0;
+        *pkey_tmp = NULL;
+        if (s->server != 0)
+                return 0;
+        if (s->session == NULL || s->session->sess_cert == NULL)
+                return 0;
+        sc = s->session->sess_cert;
+        if ((pkey = EVP_PKEY_new()) == NULL)
+                return 0;
+        if (sc->peer_dh_tmp != NULL) {
+                ret = EVP_PKEY_set1_DH(pkey, sc->peer_dh_tmp);
+        } else if (sc->peer_ecdh_tmp) {
+                ret = EVP_PKEY_set1_EC_KEY(pkey, sc->peer_ecdh_tmp);
+        } else if (sc->peer_x25519_tmp != NULL) {
+                /* Fudge up an EC_KEY that looks like X25519... */
+                if ((group = EC_GROUP_new(EC_GFp_mont_method())) == NULL)
+                        goto err;
+                if ((point = EC_POINT_new(group)) == NULL)
+                        goto err;
+                if ((order = BN_new()) == NULL)
+                        goto err;
+                if (!BN_set_bit(order, 252))
+                        goto err;
+                if (!EC_GROUP_set_generator(group, point, order, NULL))
+                        goto err;
+                EC_GROUP_set_curve_name(group, NID_X25519);
+                if ((ec_key = EC_KEY_new()) == NULL)
+                        goto err;
+                if (!EC_KEY_set_group(ec_key, group))
+                        goto err;
+                ret = EVP_PKEY_set1_EC_KEY(pkey, ec_key);
+        }
+        if (ret == 1) {
+                *pkey_tmp = pkey;
+                pkey = NULL;
+        }
+  err:
+        EVP_PKEY_free(pkey);
+        EC_GROUP_free(group);
+        EC_POINT_free(point);
+        EC_KEY_free(ec_key);
+        BN_free(order);
+        return (ret);
+}
 long
 ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
@@ -2077,6 +2139,10 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
                ret = 1;
                break;
+        case SSL_CTRL_GET_SERVER_TMP_KEY:
+                ret = ssl_ctrl_get_server_tmp_key(s, parg);
+                break;
        default:
                break;
        }
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index d8c25cac42..37844bdeaa 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.101 2016/12/21 16:51:10 jsing Exp $ */
+/* $OpenBSD: ssl.h,v 1.102 2016/12/30 17:20:51 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1469,7 +1469,9 @@ int PEM_write_SSL_SESSION(FILE *fp, SSL_SESSION *x);
 #define SSL_CTRL_GET_EXTRA_CHAIN_CERTS          82
 #define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS        83
-#define SSL_CTRL_SET_ECDH_AUTO                          94
+#define SSL_CTRL_SET_ECDH_AUTO                  94
+#define SSL_CTRL_GET_SERVER_TMP_KEY             109
 #define SSL_CTRL_SET_DH_AUTO                    118
@@ -1522,6 +1524,9 @@ int PEM_write_SSL_SESSION(FILE *fp, SSL_SESSION *x);
 #define SSL_CTX_clear_extra_chain_certs(ctx) \
        SSL_CTX_ctrl(ctx,SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS,0,NULL)
+#define SSL_get_server_tmp_key(s, pk) \
+        SSL_ctrl(s,SSL_CTRL_GET_SERVER_TMP_KEY,0,pk)
 #ifndef OPENSSL_NO_BIO
 BIO_METHOD *BIO_f_ssl(void);
 BIO *BIO_new_ssl(SSL_CTX *ctx, int client);
author	jsing <>	2016-12-30 17:20:51 +0000
committer	jsing <>	2016-12-30 17:20:51 +0000
commit	c6852449efeadbfc5a05c733da7136ce72a68a35 (patch)
tree	df6feaced005fb3195d597d5bfcbe8ecc80acbc8 /src
parent	1aa07a55f7c4b5aa54a98dad9ca25ef5ca7cb37a (diff)
download	openbsd-c6852449efeadbfc5a05c733da7136ce72a68a35.tar.gz openbsd-c6852449efeadbfc5a05c733da7136ce72a68a35.tar.bz2 openbsd-c6852449efeadbfc5a05c733da7136ce72a68a35.zip

diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index 212de5f7a4..5c7f2cb27c 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: s3_lib.c,v 1.114 2016/12/21 16:44:31 jsing Exp $ */	1	/* $OpenBSD: s3_lib.c,v 1.115 2016/12/30 17:20:51 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -151,6 +151,7 @@
151	#include <limits.h>	151	#include <limits.h>
152	#include <stdio.h>	152	#include <stdio.h>
153		153
		154	#include <openssl/bn.h>
154	#include <openssl/curve25519.h>	155	#include <openssl/curve25519.h>
155	#include <openssl/dh.h>	156	#include <openssl/dh.h>
156	#include <openssl/md5.h>	157	#include <openssl/md5.h>
@@ -1904,6 +1905,67 @@ ssl3_clear(SSL *s)
1904	s->next_proto_negotiated_len = 0;	1905	s->next_proto_negotiated_len = 0;
1905	}	1906	}
1906		1907
		1908	static long
		1909	ssl_ctrl_get_server_tmp_key(SSL s, EVP_PKEY *pkey_tmp)
		1910	{
		1911	EVP_PKEY *pkey = NULL;
		1912	EC_GROUP *group = NULL;
		1913	EC_POINT *point = NULL;
		1914	EC_KEY *ec_key = NULL;
		1915	BIGNUM *order = NULL;
		1916	SESS_CERT *sc;
		1917	int ret = 0;
		1918
		1919	*pkey_tmp = NULL;
		1920
		1921	if (s->server != 0)
		1922	return 0;
		1923	if (s->session == NULL \|\| s->session->sess_cert == NULL)
		1924	return 0;
		1925
		1926	sc = s->session->sess_cert;
		1927
		1928	if ((pkey = EVP_PKEY_new()) == NULL)
		1929	return 0;
		1930
		1931	if (sc->peer_dh_tmp != NULL) {
		1932	ret = EVP_PKEY_set1_DH(pkey, sc->peer_dh_tmp);
		1933	} else if (sc->peer_ecdh_tmp) {
		1934	ret = EVP_PKEY_set1_EC_KEY(pkey, sc->peer_ecdh_tmp);
		1935	} else if (sc->peer_x25519_tmp != NULL) {
		1936	/* Fudge up an EC_KEY that looks like X25519... */
		1937	if ((group = EC_GROUP_new(EC_GFp_mont_method())) == NULL)
		1938	goto err;
		1939	if ((point = EC_POINT_new(group)) == NULL)
		1940	goto err;
		1941	if ((order = BN_new()) == NULL)
		1942	goto err;
		1943	if (!BN_set_bit(order, 252))
		1944	goto err;
		1945	if (!EC_GROUP_set_generator(group, point, order, NULL))
		1946	goto err;
		1947	EC_GROUP_set_curve_name(group, NID_X25519);
		1948	if ((ec_key = EC_KEY_new()) == NULL)
		1949	goto err;
		1950	if (!EC_KEY_set_group(ec_key, group))
		1951	goto err;
		1952	ret = EVP_PKEY_set1_EC_KEY(pkey, ec_key);
		1953	}
		1954
		1955	if (ret == 1) {
		1956	*pkey_tmp = pkey;
		1957	pkey = NULL;
		1958	}
		1959
		1960	err:
		1961	EVP_PKEY_free(pkey);
		1962	EC_GROUP_free(group);
		1963	EC_POINT_free(point);
		1964	EC_KEY_free(ec_key);
		1965	BN_free(order);
		1966
		1967	return (ret);
		1968	}
1907		1969
1908	long	1970	long
1909	ssl3_ctrl(SSL s, int cmd, long larg, void parg)	1971	ssl3_ctrl(SSL s, int cmd, long larg, void parg)
@@ -2077,6 +2139,10 @@ ssl3_ctrl(SSL s, int cmd, long larg, void parg)
2077	ret = 1;	2139	ret = 1;
2078	break;	2140	break;
2079		2141
		2142	case SSL_CTRL_GET_SERVER_TMP_KEY:
		2143	ret = ssl_ctrl_get_server_tmp_key(s, parg);
		2144	break;
		2145
2080	default:	2146	default:
2081	break;	2147	break;
2082	}	2148	}


diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h index d8c25cac42..37844bdeaa 100644 --- a/src/lib/libssl/ssl.h +++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl.h,v 1.101 2016/12/21 16:51:10 jsing Exp $ */	1	/* $OpenBSD: ssl.h,v 1.102 2016/12/30 17:20:51 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1469,7 +1469,9 @@ int PEM_write_SSL_SESSION(FILE fp, SSL_SESSION x);
1469	#define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82	1469	#define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82
1470	#define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS 83	1470	#define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS 83
1471		1471
1472	#define SSL_CTRL_SET_ECDH_AUTO 94	1472	#define SSL_CTRL_SET_ECDH_AUTO 94
		1473
		1474	#define SSL_CTRL_GET_SERVER_TMP_KEY 109
1473		1475
1474	#define SSL_CTRL_SET_DH_AUTO 118	1476	#define SSL_CTRL_SET_DH_AUTO 118
1475		1477
@@ -1522,6 +1524,9 @@ int PEM_write_SSL_SESSION(FILE fp, SSL_SESSION x);
1522	#define SSL_CTX_clear_extra_chain_certs(ctx) \	1524	#define SSL_CTX_clear_extra_chain_certs(ctx) \
1523	SSL_CTX_ctrl(ctx,SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS,0,NULL)	1525	SSL_CTX_ctrl(ctx,SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS,0,NULL)
1524		1526
		1527	#define SSL_get_server_tmp_key(s, pk) \
		1528	SSL_ctrl(s,SSL_CTRL_GET_SERVER_TMP_KEY,0,pk)
		1529
1525	#ifndef OPENSSL_NO_BIO	1530	#ifndef OPENSSL_NO_BIO
1526	BIO_METHOD *BIO_f_ssl(void);	1531	BIO_METHOD *BIO_f_ssl(void);
1527	BIO BIO_new_ssl(SSL_CTX ctx, int client);	1532	BIO BIO_new_ssl(SSL_CTX ctx, int client);