Provide struct/functions for handling TLSv1.3 key shares.

Pull out the key share handling code and provide a clean/self contained
interface. This will make it easier to support groups other than X25519.

ok beck@ inoguchi@ tb@

8 files changed, 299 insertions, 130 deletions

diff --git a/src/lib/libssl/Makefile b/src/lib/libssl/Makefile
index 489c4fd217..afbd6d148e 100644
--- a/src/lib/libssl/Makefile
+++ b/src/lib/libssl/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.61 2020/01/30 16:25:09 jsing Exp $
+# $OpenBSD: Makefile,v 1.62 2020/01/30 17:09:23 jsing Exp $
 
 .include <bsd.own.mk>
 .ifndef NOMAN
@@ -73,6 +73,7 @@ SRCS= \
         tls13_handshake.c \
         tls13_handshake_msg.c \
         tls13_key_schedule.c \
+        tls13_key_share.c \
         tls13_lib.c \
         tls13_record.c \
         tls13_record_layer.c \
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 252242e053..2832ef4a93 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.189 2020/01/23 10:40:59 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.190 2020/01/30 17:09:23 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1564,12 +1564,8 @@ ssl3_free(SSL *s)
         DH_free(S3I(s)->tmp.dh);
         EC_KEY_free(S3I(s)->tmp.ecdh);
 
-        freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH);
-
+        tls13_key_share_free(S3I(s)->hs_tls13.key_share);
         tls13_secrets_destroy(S3I(s)->hs_tls13.secrets);
-        freezero(S3I(s)->hs_tls13.x25519_private, X25519_KEY_LENGTH);
-        freezero(S3I(s)->hs_tls13.x25519_public, X25519_KEY_LENGTH);
-        freezero(S3I(s)->hs_tls13.x25519_peer_public, X25519_KEY_LENGTH);
         freezero(S3I(s)->hs_tls13.cookie, S3I(s)->hs_tls13.cookie_len);
 
         sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free);
@@ -1599,21 +1595,17 @@ ssl3_clear(SSL *s)
         S3I(s)->tmp.dh = NULL;
         EC_KEY_free(S3I(s)->tmp.ecdh);
         S3I(s)->tmp.ecdh = NULL;
+        S3I(s)->tmp.ecdh_nid = NID_undef;
+
         freezero(S3I(s)->hs.sigalgs, S3I(s)->hs.sigalgs_len);
         S3I(s)->hs.sigalgs = NULL;
         S3I(s)->hs.sigalgs_len = 0;
 
-        freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH);
-        S3I(s)->tmp.x25519 = NULL;
+        tls13_key_share_free(S3I(s)->hs_tls13.key_share);
+        S3I(s)->hs_tls13.key_share = NULL;
 
         tls13_secrets_destroy(S3I(s)->hs_tls13.secrets);
         S3I(s)->hs_tls13.secrets = NULL;
-        freezero(S3I(s)->hs_tls13.x25519_private, X25519_KEY_LENGTH);
-        S3I(s)->hs_tls13.x25519_private = NULL;
-        freezero(S3I(s)->hs_tls13.x25519_public, X25519_KEY_LENGTH);
-        S3I(s)->hs_tls13.x25519_public = NULL;
-        freezero(S3I(s)->hs_tls13.x25519_peer_public, X25519_KEY_LENGTH);
-        S3I(s)->hs_tls13.x25519_peer_public = NULL;
         freezero(S3I(s)->hs_tls13.cookie, S3I(s)->hs_tls13.cookie_len);
         S3I(s)->hs_tls13.cookie = NULL;
         S3I(s)->hs_tls13.cookie_len = 0;
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 5ff6f39b45..476381c165 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.258 2020/01/30 16:25:09 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.259 2020/01/30 17:09:23 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -458,11 +458,7 @@ typedef struct ssl_handshake_tls13_st {
         /* Version proposed by peer server. */
         uint16_t server_version;
 
-        /* X25519 key share. */
-        uint8_t *x25519_public;
-        uint8_t *x25519_private;
-        uint8_t *x25519_peer_public;
-
+        struct tls13_key_share *key_share;
         struct tls13_secrets *secrets;
 
         uint8_t *cookie;
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 5cebd1d630..46f30aa47e 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.57 2020/01/26 03:29:30 beck Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.58 2020/01/30 17:09:23 jsing Exp $ */
 /*
  * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -16,6 +16,7 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
+
 #include <openssl/curve25519.h>
 #include <openssl/ocsp.h>
 
@@ -1255,82 +1256,46 @@ tlsext_keyshare_client_needs(SSL *s)
 int
 tlsext_keyshare_client_build(SSL *s, CBB *cbb)
 {
-        uint8_t *public_key = NULL, *private_key = NULL;
-        CBB client_shares, key_exchange;
+        CBB client_shares;
 
-        /* Generate and provide key shares. */
         if (!CBB_add_u16_length_prefixed(cbb, &client_shares))
                 return 0;
 
-        /* XXX - other groups. */
-
-        /* Generate X25519 key pair. */
-        if ((public_key = malloc(X25519_KEY_LENGTH)) == NULL)
-                goto err;
-        if ((private_key = malloc(X25519_KEY_LENGTH)) == NULL)
-                goto err;
-        X25519_keypair(public_key, private_key);
-
-        /* Add the group and serialize the public key. */
-        if (!CBB_add_u16(&client_shares, tls1_ec_nid2curve_id(NID_X25519)))
-                goto err;
-        if (!CBB_add_u16_length_prefixed(&client_shares, &key_exchange))
-                goto err;
-        if (!CBB_add_bytes(&key_exchange, public_key, X25519_KEY_LENGTH))
-                goto err;
+        if (!tls13_key_share_public(S3I(s)->hs_tls13.key_share,
+            &client_shares))
+                return 0;
 
         if (!CBB_flush(cbb))
-                goto err;
-
-        S3I(s)->hs_tls13.x25519_public = public_key;
-        S3I(s)->hs_tls13.x25519_private = private_key;
+                return 0;
 
         return 1;
-
- err:
-        freezero(public_key, X25519_KEY_LENGTH);
-        freezero(private_key, X25519_KEY_LENGTH);
-
-        return 0;
 }
 
 int
 tlsext_keyshare_server_parse(SSL *s, CBS *cbs, int *alert)
 {
         CBS client_shares;
-        CBS key_exchange;
         uint16_t group;
-        size_t out_len;
 
         if (!CBS_get_u16_length_prefixed(cbs, &client_shares))
                 goto err;
 
-        if (CBS_len(cbs) != 0)
-                goto err;
-
         while (CBS_len(&client_shares) > 0) {
 
                 /* Unpack client share. */
                 if (!CBS_get_u16(&client_shares, &group))
                         goto err;
 
-                if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange))
-                        goto err;
-
                 /*
-                 * Skip this client share if not X25519
                  * XXX support other groups later.
                  * XXX enforce group can only appear once.
                  */
-                if (S3I(s)->hs_tls13.x25519_peer_public != NULL ||
-                    group != tls1_ec_nid2curve_id(NID_X25519))
+                if (S3I(s)->hs_tls13.key_share == NULL ||
+                    tls13_key_share_group(S3I(s)->hs_tls13.key_share) != group)
                         continue;
 
-                if (CBS_len(&key_exchange) != X25519_KEY_LENGTH)
-                        goto err;
-
-                if (!CBS_stow(&key_exchange, &S3I(s)->hs_tls13.x25519_peer_public,
-                    &out_len))
+                if (!tls13_key_share_peer_public(S3I(s)->hs_tls13.key_share,
+                    group, &client_shares))
                         goto err;
         }
 
@@ -1353,68 +1318,28 @@ tlsext_keyshare_server_needs(SSL *s)
 int
 tlsext_keyshare_server_build(SSL *s, CBB *cbb)
 {
-        uint8_t *public_key = NULL, *private_key = NULL;
-        CBB key_exchange;
-
-        /* XXX deduplicate with client code */
-
-        /* X25519 */
-        if (S3I(s)->hs_tls13.x25519_peer_public == NULL)
+        if (S3I(s)->hs_tls13.key_share == NULL)
                 return 0;
 
-        /* Generate X25519 key pair. */
-        if ((public_key = malloc(X25519_KEY_LENGTH)) == NULL)
-                goto err;
-        if ((private_key = malloc(X25519_KEY_LENGTH)) == NULL)
-                goto err;
-        X25519_keypair(public_key, private_key);
-
-        /* Add the group and serialize the public key. */
-        if (!CBB_add_u16(cbb, tls1_ec_nid2curve_id(NID_X25519)))
-                goto err;
-        if (!CBB_add_u16_length_prefixed(cbb, &key_exchange))
-                goto err;
-        if (!CBB_add_bytes(&key_exchange, public_key, X25519_KEY_LENGTH))
-                goto err;
-
-        if (!CBB_flush(cbb))
-                goto err;
-
-        S3I(s)->hs_tls13.x25519_public = public_key;
-        S3I(s)->hs_tls13.x25519_private = private_key;
+        if (!tls13_key_share_public(S3I(s)->hs_tls13.key_share, cbb))
+                return 0;
 
         return 1;
-
- err:
-        freezero(public_key, X25519_KEY_LENGTH);
-        freezero(private_key, X25519_KEY_LENGTH);
-
-        return 0;
 }
 
 int
 tlsext_keyshare_client_parse(SSL *s, CBS *cbs, int *alert)
 {
-        CBS key_exchange;
         uint16_t group;
-        size_t out_len;
 
         /* Unpack server share. */
         if (!CBS_get_u16(cbs, &group))
                 goto err;
 
-        /* Handle other groups and verify that they're valid. */
-        if (group != tls1_ec_nid2curve_id(NID_X25519))
-                goto err;
-
-        if (!CBS_get_u16_length_prefixed(cbs, &key_exchange))
-                goto err;
-
-        if (CBS_len(&key_exchange) != X25519_KEY_LENGTH)
-                goto err;
+        /* XXX - Handle other groups and verify that they're valid. */
 
-        if (!CBS_stow(&key_exchange, &S3I(s)->hs_tls13.x25519_peer_public,
-            &out_len))
+        if (!tls13_key_share_peer_public(S3I(s)->hs_tls13.key_share,
+            group, cbs))
                 goto err;
 
         return 1;
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index 3c55be6e68..69e75558dc 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.38 2020/01/29 17:03:58 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.39 2020/01/30 17:09:23 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -52,6 +52,11 @@ tls13_client_init(struct tls13_ctx *ctx)
         if (!tls1_transcript_init(s))
                 return 0;
 
+        if ((ctx->hs->key_share = tls13_key_share_new(NID_X25519)) == NULL)
+                return 0;
+        if (!tls13_key_share_generate(ctx->hs->key_share))
+                return 0;
+
         arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE);
 
         return 1;
@@ -394,6 +399,7 @@ tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
         struct tls13_secret context;
         unsigned char buf[EVP_MAX_MD_SIZE];
         uint8_t *shared_key = NULL;
+        size_t shared_key_len = 0;
         size_t hash_len;
         SSL *s = ctx->ssl;
         int ret = 0;
@@ -406,14 +412,12 @@ tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
                 return 1;
 
         /* XXX - handle other key share types. */
-        if (ctx->hs->x25519_peer_public == NULL) {
+        if (ctx->hs->key_share == NULL) {
                 /* XXX - alert. */
                 goto err;
         }
-        if ((shared_key = malloc(X25519_KEY_LENGTH)) == NULL)
-                goto err;
-        if (!X25519(shared_key, ctx->hs->x25519_private,
-            ctx->hs->x25519_peer_public))
+        if (!tls13_key_share_derive(ctx->hs->key_share, &shared_key,
+            &shared_key_len))
                 goto err;
 
         s->session->cipher = S3I(s)->hs.new_cipher;
@@ -443,7 +447,7 @@ tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
 
         /* Handshake secrets. */
         if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key,
-            X25519_KEY_LENGTH, &context))
+            shared_key_len, &context))
                 goto err;
 
         tls13_record_layer_set_aead(ctx->rl, ctx->aead);
@@ -460,7 +464,8 @@ tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
         ret = 1;
 
  err:
-        freezero(shared_key, X25519_KEY_LENGTH);
+        freezero(shared_key, shared_key_len);
+
         return ret;
 }
 
diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h
index ec58525c2b..00035ea36e 100644
--- a/src/lib/libssl/tls13_internal.h
+++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.57 2020/01/26 02:45:27 beck Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.58 2020/01/30 17:09:23 jsing Exp $ */
 /*
  * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
  * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -52,6 +52,9 @@ typedef ssize_t (*tls13_write_cb)(const void *_buf, size_t _buflen,
     void *_cb_arg);
 typedef void (*tls13_handshake_message_cb)(void *_cb_arg, CBS *_cbs);
 
+/*
+ * Buffers.
+ */
 struct tls13_buffer;
 
 struct tls13_buffer *tls13_buffer_new(size_t init_size);
@@ -63,6 +66,9 @@ void tls13_buffer_cbs(struct tls13_buffer *buf, CBS *cbs);
 int tls13_buffer_finish(struct tls13_buffer *buf, uint8_t **out,
     size_t *out_len);
 
+/*
+ * Secrets.
+ */
 struct tls13_secret {
         uint8_t *data;
         size_t len;
@@ -113,6 +119,22 @@ int tls13_update_client_traffic_secret(struct tls13_secrets *secrets);
 int tls13_update_server_traffic_secret(struct tls13_secrets *secrets);
 
 /*
+ * Key shares.
+ */
+struct tls13_key_share;
+
+struct tls13_key_share *tls13_key_share_new(int nid);
+void tls13_key_share_free(struct tls13_key_share *ks);
+
+uint16_t tls13_key_share_group(struct tls13_key_share *ks);
+int tls13_key_share_generate(struct tls13_key_share *ks);
+int tls13_key_share_public(struct tls13_key_share *ks, CBB *cbb);
+int tls13_key_share_peer_public(struct tls13_key_share *ks, uint16_t group,
+    CBS *cbs);
+int tls13_key_share_derive(struct tls13_key_share *ks, uint8_t **shared_key,
+    size_t *shared_key_len);
+
+/*
  * Record Layer.
  */
 struct tls13_record_layer;
diff --git a/src/lib/libssl/tls13_key_share.c b/src/lib/libssl/tls13_key_share.c
new file mode 100644
index 0000000000..9a83b9f9f7
--- /dev/null
+++ b/src/lib/libssl/tls13_key_share.c
@@ -0,0 +1,224 @@
+/* $OpenBSD: tls13_key_share.c,v 1.1 2020/01/30 17:09:23 jsing Exp $ */
+/*
+ * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <stdlib.h>
+
+#include <openssl/curve25519.h>
+
+#include "bytestring.h"
+#include "ssl_locl.h"
+#include "tls13_internal.h"
+
+struct tls13_key_share {
+        int nid;
+        uint16_t group_id;
+
+        uint8_t *x25519_public;
+        uint8_t *x25519_private;
+        uint8_t *x25519_peer_public;
+};
+
+struct tls13_key_share *
+tls13_key_share_new(int nid)
+{
+        struct tls13_key_share *ks;
+
+        if ((ks = calloc(1, sizeof(struct tls13_key_share))) == NULL)
+                goto err;
+
+        if ((ks->group_id = tls1_ec_nid2curve_id(nid)) == 0)
+                goto err;
+
+        ks->nid = nid;
+
+        return ks;
+
+ err:
+        tls13_key_share_free(ks);
+
+        return NULL;
+}
+
+void
+tls13_key_share_free(struct tls13_key_share *ks)
+{
+        if (ks == NULL)
+                return;
+
+        freezero(ks->x25519_public, X25519_KEY_LENGTH);
+        freezero(ks->x25519_private, X25519_KEY_LENGTH);
+        freezero(ks->x25519_peer_public, X25519_KEY_LENGTH);
+
+        freezero(ks, sizeof(*ks));
+}
+
+uint16_t
+tls13_key_share_group(struct tls13_key_share *ks)
+{
+        return ks->group_id;
+}
+
+static int
+tls13_key_share_generate_x25519(struct tls13_key_share *ks)
+{
+        uint8_t *public = NULL, *private = NULL;
+        int ret = 0;
+
+        if (ks->x25519_public != NULL || ks->x25519_private != NULL)
+                goto err;
+
+        if ((public = calloc(1, X25519_KEY_LENGTH)) == NULL)
+                goto err;
+        if ((private = calloc(1, X25519_KEY_LENGTH)) == NULL)
+                goto err;
+
+        X25519_keypair(public, private);
+
+        ks->x25519_public = public;
+        ks->x25519_private = private;
+        public = NULL;
+        private = NULL;
+
+        ret = 1;
+
+ err:
+        freezero(public, X25519_KEY_LENGTH);
+        freezero(private, X25519_KEY_LENGTH);
+
+        return ret;
+}
+
+int
+tls13_key_share_generate(struct tls13_key_share *ks)
+{
+        if (ks->nid == NID_X25519)
+                return tls13_key_share_generate_x25519(ks);
+
+        return 0;
+}
+
+static int
+tls13_key_share_public_x25519(struct tls13_key_share *ks, CBB *cbb)
+{
+        if (ks->x25519_public == NULL)
+                return 0;
+
+        return CBB_add_bytes(cbb, ks->x25519_public, X25519_KEY_LENGTH);
+}
+
+int
+tls13_key_share_public(struct tls13_key_share *ks, CBB *cbb)
+{
+        CBB key_exchange;
+
+        if (!CBB_add_u16(cbb, ks->group_id))
+                goto err;
+        if (!CBB_add_u16_length_prefixed(cbb, &key_exchange))
+                goto err;
+
+        if (ks->nid == NID_X25519) {
+                if (!tls13_key_share_public_x25519(ks, &key_exchange))
+                        goto err;
+        } else {
+                goto err;
+        }
+
+        if (!CBB_flush(cbb))
+                goto err;
+
+        return 1;
+
+ err:
+        return 0;
+}
+
+static int
+tls13_key_share_peer_public_x25519(struct tls13_key_share *ks, CBS *cbs)
+{
+        size_t out_len;
+
+        if (CBS_len(cbs) != X25519_KEY_LENGTH)
+                return 0;
+
+        return CBS_stow(cbs, &ks->x25519_peer_public, &out_len);
+}
+
+int
+tls13_key_share_peer_public(struct tls13_key_share *ks, uint16_t group,
+    CBS *cbs)
+{
+        CBS key_exchange;
+
+        if (ks->group_id != group)
+                return 0;
+
+        if (!CBS_get_u16_length_prefixed(cbs, &key_exchange))
+                return 0;
+
+        if (ks->nid == NID_X25519) {
+                if (!tls13_key_share_peer_public_x25519(ks, &key_exchange))
+                        return 0;
+        }
+
+        if (CBS_len(cbs) != 0)
+                return 0;
+
+        return 1;
+}
+
+static int
+tls13_key_share_derive_x25519(struct tls13_key_share *ks,
+    uint8_t **shared_key, size_t *shared_key_len)
+{
+        uint8_t *sk = NULL;
+        int ret = 0;
+
+        if (ks->x25519_private == NULL || ks->x25519_peer_public == NULL)
+                goto err;
+
+        if ((sk = calloc(1, X25519_KEY_LENGTH)) == NULL)
+                goto err;
+        if (!X25519(sk, ks->x25519_private, ks->x25519_peer_public))
+                goto err;
+
+        *shared_key = sk;
+        *shared_key_len = X25519_KEY_LENGTH;
+        sk = NULL;
+
+        ret = 1;
+
+ err:
+        freezero(sk, X25519_KEY_LENGTH);
+
+        return ret;
+}
+
+int
+tls13_key_share_derive(struct tls13_key_share *ks, uint8_t **shared_key,
+    size_t *shared_key_len)
+{
+        if (*shared_key != NULL)
+                return 0;
+
+        *shared_key_len = 0;
+
+        if (ks->nid == NID_X25519)
+                return tls13_key_share_derive_x25519(ks, shared_key,
+                    shared_key_len);
+
+        return 0;
+}
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index a559e03219..1f17fe4ab0 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.21 2020/01/29 17:03:58 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.22 2020/01/30 17:09:23 jsing Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -51,6 +51,11 @@ tls13_server_init(struct tls13_ctx *ctx)
         if ((s->session = SSL_SESSION_new()) == NULL)
                 return 0;
 
+        if ((ctx->hs->key_share = tls13_key_share_new(NID_X25519)) == NULL)
+                return 0;
+        if (!tls13_key_share_generate(ctx->hs->key_share))
+                return 0;
+
         arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE);
 
         return 1;
@@ -552,19 +557,18 @@ tls13_server_hello_sent(struct tls13_ctx *ctx)
         struct tls13_secret context;
         unsigned char buf[EVP_MAX_MD_SIZE];
         uint8_t *shared_key = NULL;
+        size_t shared_key_len = 0;
         size_t hash_len;
         SSL *s = ctx->ssl;
         int ret = 0;
 
         /* XXX - handle other key share types. */
-        if (ctx->hs->x25519_peer_public == NULL) {
+        if (ctx->hs->key_share == NULL) {
                 /* XXX - alert. */
                 goto err;
         }
-        if ((shared_key = malloc(X25519_KEY_LENGTH)) == NULL)
-                goto err;
-        if (!X25519(shared_key, ctx->hs->x25519_private,
-            ctx->hs->x25519_peer_public))
+        if (!tls13_key_share_derive(ctx->hs->key_share,
+            &shared_key, &shared_key_len))
                 goto err;
 
         s->session->cipher = S3I(s)->hs.new_cipher;
@@ -594,7 +598,7 @@ tls13_server_hello_sent(struct tls13_ctx *ctx)
 
         /* Handshake secrets. */
         if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key,
-            X25519_KEY_LENGTH, &context))
+            shared_key_len, &context))
                 goto err;
 
         tls13_record_layer_set_aead(ctx->rl, ctx->aead);
@@ -614,7 +618,7 @@ tls13_server_hello_sent(struct tls13_ctx *ctx)
         ret = 1;
 
  err:
-        freezero(shared_key, X25519_KEY_LENGTH);
+        freezero(shared_key, shared_key_len);
         return ret;
 }