summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--src/lib/libssl/s3_lib.c28
-rw-r--r--src/lib/libssl/ssl_cert.c6
-rw-r--r--src/lib/libssl/ssl_clnt.c210
-rw-r--r--src/lib/libssl/ssl_locl.h7
-rw-r--r--src/lib/libssl/ssl_tlsext.c20
-rw-r--r--src/lib/libssl/tls_internal.h9
-rw-r--r--src/lib/libssl/tls_key_share.c157
7 files changed, 181 insertions, 256 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index b83a380547..54261c575a 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_lib.c,v 1.220 2022/01/05 17:10:02 jsing Exp $ */ 1/* $OpenBSD: s3_lib.c,v 1.221 2022/01/06 18:23:56 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1665,35 +1665,17 @@ long
1665_SSL_get_peer_tmp_key(SSL *s, EVP_PKEY **key) 1665_SSL_get_peer_tmp_key(SSL *s, EVP_PKEY **key)
1666{ 1666{
1667 EVP_PKEY *pkey = NULL; 1667 EVP_PKEY *pkey = NULL;
1668 SESS_CERT *sc;
1669 int ret = 0; 1668 int ret = 0;
1670 1669
1671 *key = NULL; 1670 *key = NULL;
1672 1671
1673 if (s->session == NULL || s->session->sess_cert == NULL) 1672 if (S3I(s)->hs.key_share == NULL)
1674 return 0; 1673 goto err;
1675
1676 sc = s->session->sess_cert;
1677 1674
1678 if ((pkey = EVP_PKEY_new()) == NULL) 1675 if ((pkey = EVP_PKEY_new()) == NULL)
1679 return 0;
1680
1681 if (sc->peer_dh_tmp != NULL) {
1682 if (!EVP_PKEY_set1_DH(pkey, sc->peer_dh_tmp))
1683 goto err;
1684 } else if (sc->peer_ecdh_tmp) {
1685 if (!EVP_PKEY_set1_EC_KEY(pkey, sc->peer_ecdh_tmp))
1686 goto err;
1687 } else if (sc->peer_x25519_tmp != NULL) {
1688 if (!ssl_kex_dummy_ecdhe_x25519(pkey))
1689 goto err;
1690 } else if (S3I(s)->hs.key_share != NULL) {
1691 if (!tls_key_share_peer_pkey(S3I(s)->hs.key_share,
1692 pkey))
1693 goto err;
1694 } else {
1695 goto err; 1676 goto err;
1696 } 1677 if (!tls_key_share_peer_pkey(S3I(s)->hs.key_share, pkey))
1678 goto err;
1697 1679
1698 *key = pkey; 1680 *key = pkey;
1699 pkey = NULL; 1681 pkey = NULL;
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index 3b388201ac..6eece6d944 100644
--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_cert.c,v 1.88 2021/11/29 18:36:27 tb Exp $ */ 1/* $OpenBSD: ssl_cert.c,v 1.89 2022/01/06 18:23:56 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -395,10 +395,6 @@ ssl_sess_cert_free(SESS_CERT *sc)
395 for (i = 0; i < SSL_PKEY_NUM; i++) 395 for (i = 0; i < SSL_PKEY_NUM; i++)
396 X509_free(sc->peer_pkeys[i].x509); 396 X509_free(sc->peer_pkeys[i].x509);
397 397
398 DH_free(sc->peer_dh_tmp);
399 EC_KEY_free(sc->peer_ecdh_tmp);
400 free(sc->peer_x25519_tmp);
401
402 free(sc); 398 free(sc);
403} 399}
404 400
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index 80a16f1042..c3912c3ebd 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_clnt.c,v 1.126 2022/01/04 12:53:31 jsing Exp $ */ 1/* $OpenBSD: ssl_clnt.c,v 1.127 2022/01/06 18:23:56 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1223,20 +1223,23 @@ ssl3_get_server_certificate(SSL *s)
1223static int 1223static int
1224ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, CBS *cbs) 1224ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, CBS *cbs)
1225{ 1225{
1226 int nid = NID_dhKeyAgreement;
1226 int invalid_params, invalid_key; 1227 int invalid_params, invalid_key;
1227 SESS_CERT *sc = NULL; 1228 SESS_CERT *sc;
1228 DH *dh = NULL;
1229 long alg_a; 1229 long alg_a;
1230 1230
1231 alg_a = S3I(s)->hs.cipher->algorithm_auth; 1231 alg_a = S3I(s)->hs.cipher->algorithm_auth;
1232 sc = s->session->sess_cert; 1232 sc = s->session->sess_cert;
1233 1233
1234 if ((dh = DH_new()) == NULL) 1234 tls_key_share_free(S3I(s)->hs.key_share);
1235 if ((S3I(s)->hs.key_share = tls_key_share_new_nid(nid)) == NULL)
1235 goto err; 1236 goto err;
1236 1237
1237 if (!ssl_kex_peer_params_dhe(dh, cbs, &invalid_params)) 1238 if (!tls_key_share_peer_params(S3I(s)->hs.key_share, cbs,
1239 &invalid_params))
1238 goto decode_err; 1240 goto decode_err;
1239 if (!ssl_kex_peer_public_dhe(dh, cbs, &invalid_key)) 1241 if (!tls_key_share_peer_public(S3I(s)->hs.key_share, cbs,
1242 &invalid_key))
1240 goto decode_err; 1243 goto decode_err;
1241 1244
1242 if (invalid_params) { 1245 if (invalid_params) {
@@ -1256,8 +1259,6 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, CBS *cbs)
1256 /* XXX - Anonymous DH, so no certificate or pkey. */ 1259 /* XXX - Anonymous DH, so no certificate or pkey. */
1257 *pkey = NULL; 1260 *pkey = NULL;
1258 1261
1259 sc->peer_dh_tmp = dh;
1260
1261 return 1; 1262 return 1;
1262 1263
1263 decode_err: 1264 decode_err:
@@ -1265,64 +1266,6 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, CBS *cbs)
1265 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 1266 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1266 1267
1267 err: 1268 err:
1268 DH_free(dh);
1269
1270 return 0;
1271}
1272
1273static int
1274ssl3_get_server_kex_ecdhe_ecp(SSL *s, SESS_CERT *sc, int nid, CBS *public)
1275{
1276 EC_KEY *ecdh = NULL;
1277 int ret = 0;
1278
1279 /* Extract the server's ephemeral ECDH public key. */
1280 if ((ecdh = EC_KEY_new()) == NULL) {
1281 SSLerror(s, ERR_R_MALLOC_FAILURE);
1282 goto err;
1283 }
1284 if (!ssl_kex_peer_public_ecdhe_ecp(ecdh, nid, public)) {
1285 SSLerror(s, SSL_R_BAD_ECPOINT);
1286 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1287 goto err;
1288 }
1289
1290 sc->peer_nid = nid;
1291 sc->peer_ecdh_tmp = ecdh;
1292 ecdh = NULL;
1293
1294 ret = 1;
1295
1296 err:
1297 EC_KEY_free(ecdh);
1298
1299 return (ret);
1300}
1301
1302static int
1303ssl3_get_server_kex_ecdhe_ecx(SSL *s, SESS_CERT *sc, int nid, CBS *public)
1304{
1305 size_t outlen;
1306
1307 if (nid != NID_X25519) {
1308 SSLerror(s, ERR_R_INTERNAL_ERROR);
1309 goto err;
1310 }
1311
1312 if (CBS_len(public) != X25519_KEY_LENGTH) {
1313 SSLerror(s, SSL_R_BAD_ECPOINT);
1314 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1315 goto err;
1316 }
1317
1318 if (!CBS_stow(public, &sc->peer_x25519_tmp, &outlen)) {
1319 SSLerror(s, ERR_R_MALLOC_FAILURE);
1320 goto err;
1321 }
1322
1323 return 1;
1324
1325 err:
1326 return 0; 1269 return 0;
1327} 1270}
1328 1271
@@ -1334,7 +1277,6 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, CBS *cbs)
1334 uint16_t curve_id; 1277 uint16_t curve_id;
1335 SESS_CERT *sc; 1278 SESS_CERT *sc;
1336 long alg_a; 1279 long alg_a;
1337 int nid;
1338 1280
1339 alg_a = S3I(s)->hs.cipher->algorithm_auth; 1281 alg_a = S3I(s)->hs.cipher->algorithm_auth;
1340 sc = s->session->sess_cert; 1282 sc = s->session->sess_cert;
@@ -1346,8 +1288,8 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, CBS *cbs)
1346 1288
1347 /* Only named curves are supported. */ 1289 /* Only named curves are supported. */
1348 if (curve_type != NAMED_CURVE_TYPE) { 1290 if (curve_type != NAMED_CURVE_TYPE) {
1349 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1350 SSLerror(s, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); 1291 SSLerror(s, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
1292 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1351 goto err; 1293 goto err;
1352 } 1294 }
1353 1295
@@ -1364,19 +1306,12 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, CBS *cbs)
1364 goto err; 1306 goto err;
1365 } 1307 }
1366 1308
1367 if ((nid = tls1_ec_curve_id2nid(curve_id)) == 0) { 1309 tls_key_share_free(S3I(s)->hs.key_share);
1368 SSLerror(s, SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS); 1310 if ((S3I(s)->hs.key_share = tls_key_share_new(curve_id)) == NULL)
1369 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
1370 goto err; 1311 goto err;
1371 }
1372 1312
1373 if (nid == NID_X25519) { 1313 if (!tls_key_share_peer_public(S3I(s)->hs.key_share, &public, NULL))
1374 if (!ssl3_get_server_kex_ecdhe_ecx(s, sc, nid, &public)) 1314 goto err;
1375 goto err;
1376 } else {
1377 if (!ssl3_get_server_kex_ecdhe_ecp(s, sc, nid, &public))
1378 goto err;
1379 }
1380 1315
1381 /* 1316 /*
1382 * The ECC/TLS specification does not mention the use of DSA to sign 1317 * The ECC/TLS specification does not mention the use of DSA to sign
@@ -1446,16 +1381,7 @@ ssl3_get_server_key_exchange(SSL *s)
1446 return (1); 1381 return (1);
1447 } 1382 }
1448 1383
1449 if (s->session->sess_cert != NULL) { 1384 if (s->session->sess_cert == NULL) {
1450 DH_free(s->session->sess_cert->peer_dh_tmp);
1451 s->session->sess_cert->peer_dh_tmp = NULL;
1452
1453 EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
1454 s->session->sess_cert->peer_ecdh_tmp = NULL;
1455
1456 free(s->session->sess_cert->peer_x25519_tmp);
1457 s->session->sess_cert->peer_x25519_tmp = NULL;
1458 } else {
1459 s->session->sess_cert = ssl_sess_cert_new(); 1385 s->session->sess_cert = ssl_sess_cert_new();
1460 if (s->session->sess_cert == NULL) 1386 if (s->session->sess_cert == NULL)
1461 goto err; 1387 goto err;
@@ -1966,28 +1892,22 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
1966static int 1892static int
1967ssl3_send_client_kex_dhe(SSL *s, SESS_CERT *sess_cert, CBB *cbb) 1893ssl3_send_client_kex_dhe(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
1968{ 1894{
1969 DH *dh_clnt = NULL;
1970 DH *dh_srvr;
1971 uint8_t *key = NULL; 1895 uint8_t *key = NULL;
1972 size_t key_len = 0; 1896 size_t key_len = 0;
1973 int ret = 0; 1897 int ret = 0;
1974 1898
1975 /* Ensure that we have an ephemeral key from the server for DHE. */ 1899 /* Ensure that we have an ephemeral key from the server for DHE. */
1976 if ((dh_srvr = sess_cert->peer_dh_tmp) == NULL) { 1900 if (S3I(s)->hs.key_share == NULL) {
1977 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 1901 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1978 SSLerror(s, SSL_R_UNABLE_TO_FIND_DH_PARAMETERS); 1902 SSLerror(s, SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
1979 goto err; 1903 goto err;
1980 } 1904 }
1981 1905
1982 if ((dh_clnt = DH_new()) == NULL) 1906 if (!tls_key_share_generate(S3I(s)->hs.key_share))
1983 goto err; 1907 goto err;
1984 1908 if (!tls_key_share_public(S3I(s)->hs.key_share, cbb))
1985 if (!ssl_kex_generate_dhe(dh_clnt, dh_srvr))
1986 goto err; 1909 goto err;
1987 if (!ssl_kex_public_dhe(dh_clnt, cbb)) 1910 if (!tls_key_share_derive(S3I(s)->hs.key_share, &key, &key_len))
1988 goto err;
1989
1990 if (!ssl_kex_derive_dhe(dh_clnt, dh_srvr, &key, &key_len))
1991 goto err; 1911 goto err;
1992 1912
1993 if (!tls12_derive_master_secret(s, key, key_len)) 1913 if (!tls12_derive_master_secret(s, key, key_len))
@@ -1996,38 +1916,37 @@ ssl3_send_client_kex_dhe(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
1996 ret = 1; 1916 ret = 1;
1997 1917
1998 err: 1918 err:
1999 DH_free(dh_clnt);
2000 freezero(key, key_len); 1919 freezero(key, key_len);
2001 1920
2002 return ret; 1921 return ret;
2003} 1922}
2004 1923
2005static int 1924static int
2006ssl3_send_client_kex_ecdhe_ecp(SSL *s, SESS_CERT *sc, CBB *cbb) 1925ssl3_send_client_kex_ecdhe(SSL *s, SESS_CERT *sc, CBB *cbb)
2007{ 1926{
2008 EC_KEY *ecdh = NULL;
2009 uint8_t *key = NULL; 1927 uint8_t *key = NULL;
2010 size_t key_len = 0; 1928 size_t key_len = 0;
1929 CBB public;
2011 int ret = 0; 1930 int ret = 0;
2012 CBB ecpoint;
2013 1931
2014 if ((ecdh = EC_KEY_new()) == NULL) { 1932 /* Ensure that we have an ephemeral key for ECDHE. */
2015 SSLerror(s, ERR_R_MALLOC_FAILURE); 1933 if (S3I(s)->hs.key_share == NULL) {
1934 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1935 SSLerror(s, ERR_R_INTERNAL_ERROR);
2016 goto err; 1936 goto err;
2017 } 1937 }
2018 1938
2019 if (!ssl_kex_generate_ecdhe_ecp(ecdh, sc->peer_nid)) 1939 if (!tls_key_share_generate(S3I(s)->hs.key_share))
2020 goto err; 1940 goto err;
2021 1941
2022 /* Encode our public key. */ 1942 if (!CBB_add_u8_length_prefixed(cbb, &public))
2023 if (!CBB_add_u8_length_prefixed(cbb, &ecpoint)) 1943 return 0;
2024 goto err; 1944 if (!tls_key_share_public(S3I(s)->hs.key_share, &public))
2025 if (!ssl_kex_public_ecdhe_ecp(ecdh, &ecpoint))
2026 goto err; 1945 goto err;
2027 if (!CBB_flush(cbb)) 1946 if (!CBB_flush(cbb))
2028 goto err; 1947 goto err;
2029 1948
2030 if (!ssl_kex_derive_ecdhe_ecp(ecdh, sc->peer_ecdh_tmp, &key, &key_len)) 1949 if (!tls_key_share_derive(S3I(s)->hs.key_share, &key, &key_len))
2031 goto err; 1950 goto err;
2032 1951
2033 if (!tls12_derive_master_secret(s, key, key_len)) 1952 if (!tls12_derive_master_secret(s, key, key_len))
@@ -2037,72 +1956,11 @@ ssl3_send_client_kex_ecdhe_ecp(SSL *s, SESS_CERT *sc, CBB *cbb)
2037 1956
2038 err: 1957 err:
2039 freezero(key, key_len); 1958 freezero(key, key_len);
2040 EC_KEY_free(ecdh);
2041
2042 return ret;
2043}
2044
2045static int
2046ssl3_send_client_kex_ecdhe_ecx(SSL *s, SESS_CERT *sc, CBB *cbb)
2047{
2048 uint8_t *public_key = NULL, *private_key = NULL, *shared_key = NULL;
2049 int ret = 0;
2050 CBB ecpoint;
2051
2052 /* Generate X25519 key pair and derive shared key. */
2053 if ((public_key = malloc(X25519_KEY_LENGTH)) == NULL)
2054 goto err;
2055 if ((private_key = malloc(X25519_KEY_LENGTH)) == NULL)
2056 goto err;
2057 if ((shared_key = malloc(X25519_KEY_LENGTH)) == NULL)
2058 goto err;
2059 X25519_keypair(public_key, private_key);
2060 if (!X25519(shared_key, private_key, sc->peer_x25519_tmp))
2061 goto err;
2062
2063 /* Serialize the public key. */
2064 if (!CBB_add_u8_length_prefixed(cbb, &ecpoint))
2065 goto err;
2066 if (!CBB_add_bytes(&ecpoint, public_key, X25519_KEY_LENGTH))
2067 goto err;
2068 if (!CBB_flush(cbb))
2069 goto err;
2070
2071 if (!tls12_derive_master_secret(s, shared_key, X25519_KEY_LENGTH))
2072 goto err;
2073
2074 ret = 1;
2075
2076 err:
2077 free(public_key);
2078 freezero(private_key, X25519_KEY_LENGTH);
2079 freezero(shared_key, X25519_KEY_LENGTH);
2080 1959
2081 return ret; 1960 return ret;
2082} 1961}
2083 1962
2084static int 1963static int
2085ssl3_send_client_kex_ecdhe(SSL *s, SESS_CERT *sc, CBB *cbb)
2086{
2087 if (sc->peer_x25519_tmp != NULL) {
2088 if (ssl3_send_client_kex_ecdhe_ecx(s, sc, cbb) != 1)
2089 goto err;
2090 } else if (sc->peer_ecdh_tmp != NULL) {
2091 if (ssl3_send_client_kex_ecdhe_ecp(s, sc, cbb) != 1)
2092 goto err;
2093 } else {
2094 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
2095 SSLerror(s, ERR_R_INTERNAL_ERROR);
2096 goto err;
2097 }
2098
2099 return 1;
2100
2101 err:
2102 return 0;
2103}
2104
2105static int
2106ssl3_send_client_kex_gost(SSL *s, SESS_CERT *sess_cert, CBB *cbb) 1964ssl3_send_client_kex_gost(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
2107{ 1965{
2108 unsigned char premaster_secret[32], shared_ukm[32], tmp[256]; 1966 unsigned char premaster_secret[32], shared_ukm[32], tmp[256];
@@ -2627,7 +2485,7 @@ ssl3_check_cert_and_algorithm(SSL *s)
2627 long alg_k, alg_a; 2485 long alg_k, alg_a;
2628 EVP_PKEY *pkey = NULL; 2486 EVP_PKEY *pkey = NULL;
2629 SESS_CERT *sc; 2487 SESS_CERT *sc;
2630 DH *dh; 2488 int nid = NID_undef;
2631 2489
2632 alg_k = S3I(s)->hs.cipher->algorithm_mkey; 2490 alg_k = S3I(s)->hs.cipher->algorithm_mkey;
2633 alg_a = S3I(s)->hs.cipher->algorithm_auth; 2491 alg_a = S3I(s)->hs.cipher->algorithm_auth;
@@ -2641,7 +2499,9 @@ ssl3_check_cert_and_algorithm(SSL *s)
2641 SSLerror(s, ERR_R_INTERNAL_ERROR); 2499 SSLerror(s, ERR_R_INTERNAL_ERROR);
2642 goto err; 2500 goto err;
2643 } 2501 }
2644 dh = s->session->sess_cert->peer_dh_tmp; 2502
2503 if (S3I(s)->hs.key_share != NULL)
2504 nid = tls_key_share_nid(S3I(s)->hs.key_share);
2645 2505
2646 /* This is the passed certificate. */ 2506 /* This is the passed certificate. */
2647 2507
@@ -2670,7 +2530,7 @@ ssl3_check_cert_and_algorithm(SSL *s)
2670 goto fatal_err; 2530 goto fatal_err;
2671 } 2531 }
2672 if ((alg_k & SSL_kDHE) && 2532 if ((alg_k & SSL_kDHE) &&
2673 !(has_bits(i, EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) { 2533 !(has_bits(i, EVP_PK_DH|EVP_PKT_EXCH) || (nid == NID_dhKeyAgreement))) {
2674 SSLerror(s, SSL_R_MISSING_DH_KEY); 2534 SSLerror(s, SSL_R_MISSING_DH_KEY);
2675 goto fatal_err; 2535 goto fatal_err;
2676 } 2536 }
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index d6d20c2ceb..83b40d2dd3 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_locl.h,v 1.373 2022/01/05 17:10:02 jsing Exp $ */ 1/* $OpenBSD: ssl_locl.h,v 1.374 2022/01/06 18:23:56 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1242,11 +1242,6 @@ typedef struct sess_cert_st {
1242 /* Obviously we don't have the private keys of these, 1242 /* Obviously we don't have the private keys of these,
1243 * so maybe we shouldn't even use the CERT_PKEY type here. */ 1243 * so maybe we shouldn't even use the CERT_PKEY type here. */
1244 1244
1245 int peer_nid;
1246 DH *peer_dh_tmp;
1247 EC_KEY *peer_ecdh_tmp;
1248 uint8_t *peer_x25519_tmp;
1249
1250 int references; /* actually always 1 at the moment */ 1245 int references; /* actually always 1 at the moment */
1251} SESS_CERT; 1246} SESS_CERT;
1252 1247
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 4cc406526d..71955d9295 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_tlsext.c,v 1.104 2022/01/05 17:10:02 jsing Exp $ */ 1/* $OpenBSD: ssl_tlsext.c,v 1.105 2022/01/06 18:23:56 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1510,11 +1510,10 @@ tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1510 continue; 1510 continue;
1511 1511
1512 /* Decode and store the selected key share. */ 1512 /* Decode and store the selected key share. */
1513 S3I(s)->hs.key_share = tls_key_share_new(group); 1513 if ((S3I(s)->hs.key_share = tls_key_share_new(group)) == NULL)
1514 if (S3I(s)->hs.key_share == NULL)
1515 goto err; 1514 goto err;
1516 if (!tls_key_share_peer_public(S3I(s)->hs.key_share, 1515 if (!tls_key_share_peer_public(S3I(s)->hs.key_share,
1517 group, &key_exchange)) 1516 &key_exchange, NULL))
1518 goto err; 1517 goto err;
1519 } 1518 }
1520 1519
@@ -1568,7 +1567,7 @@ tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1568 1567
1569 /* Unpack server share. */ 1568 /* Unpack server share. */
1570 if (!CBS_get_u16(cbs, &group)) 1569 if (!CBS_get_u16(cbs, &group))
1571 goto err; 1570 return 0;
1572 1571
1573 if (CBS_len(cbs) == 0) { 1572 if (CBS_len(cbs) == 0) {
1574 /* HRR does not include an actual key share, only the group. */ 1573 /* HRR does not include an actual key share, only the group. */
@@ -1584,16 +1583,13 @@ tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1584 1583
1585 if (S3I(s)->hs.key_share == NULL) 1584 if (S3I(s)->hs.key_share == NULL)
1586 return 0; 1585 return 0;
1587 1586 if (tls_key_share_group(S3I(s)->hs.key_share) != group)
1587 return 0;
1588 if (!tls_key_share_peer_public(S3I(s)->hs.key_share, 1588 if (!tls_key_share_peer_public(S3I(s)->hs.key_share,
1589 group, &key_exchange)) 1589 &key_exchange, NULL))
1590 goto err; 1590 return 0;
1591 1591
1592 return 1; 1592 return 1;
1593
1594 err:
1595 *alert = SSL_AD_DECODE_ERROR;
1596 return 0;
1597} 1593}
1598 1594
1599/* 1595/*
diff --git a/src/lib/libssl/tls_internal.h b/src/lib/libssl/tls_internal.h
index 87c7f3b7dd..7e2beadeac 100644
--- a/src/lib/libssl/tls_internal.h
+++ b/src/lib/libssl/tls_internal.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_internal.h,v 1.2 2022/01/05 17:10:03 jsing Exp $ */ 1/* $OpenBSD: tls_internal.h,v 1.3 2022/01/06 18:23:56 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2018, 2019, 2021 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2018, 2019, 2021 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -63,11 +63,14 @@ struct tls_key_share *tls_key_share_new_nid(int nid);
63void tls_key_share_free(struct tls_key_share *ks); 63void tls_key_share_free(struct tls_key_share *ks);
64 64
65uint16_t tls_key_share_group(struct tls_key_share *ks); 65uint16_t tls_key_share_group(struct tls_key_share *ks);
66int tls_key_share_nid(struct tls_key_share *ks);
66int tls_key_share_peer_pkey(struct tls_key_share *ks, EVP_PKEY *pkey); 67int tls_key_share_peer_pkey(struct tls_key_share *ks, EVP_PKEY *pkey);
67int tls_key_share_generate(struct tls_key_share *ks); 68int tls_key_share_generate(struct tls_key_share *ks);
68int tls_key_share_public(struct tls_key_share *ks, CBB *cbb); 69int tls_key_share_public(struct tls_key_share *ks, CBB *cbb);
69int tls_key_share_peer_public(struct tls_key_share *ks, uint16_t group, 70int tls_key_share_peer_params(struct tls_key_share *ks, CBS *cbs,
70 CBS *cbs); 71 int *invalid_params);
72int tls_key_share_peer_public(struct tls_key_share *ks, CBS *cbs,
73 int *invalid_key);
71int tls_key_share_derive(struct tls_key_share *ks, uint8_t **shared_key, 74int tls_key_share_derive(struct tls_key_share *ks, uint8_t **shared_key,
72 size_t *shared_key_len); 75 size_t *shared_key_len);
73 76
diff --git a/src/lib/libssl/tls_key_share.c b/src/lib/libssl/tls_key_share.c
index 1bce651e10..6e390f4a24 100644
--- a/src/lib/libssl/tls_key_share.c
+++ b/src/lib/libssl/tls_key_share.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_key_share.c,v 1.1 2022/01/05 17:10:03 jsing Exp $ */ 1/* $OpenBSD: tls_key_share.c,v 1.2 2022/01/06 18:23:56 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -28,6 +28,9 @@ struct tls_key_share {
28 int nid; 28 int nid;
29 uint16_t group_id; 29 uint16_t group_id;
30 30
31 DH *dhe;
32 DH *dhe_peer;
33
31 EC_KEY *ecdhe; 34 EC_KEY *ecdhe;
32 EC_KEY *ecdhe_peer; 35 EC_KEY *ecdhe_peer;
33 36
@@ -36,14 +39,10 @@ struct tls_key_share {
36 uint8_t *x25519_peer_public; 39 uint8_t *x25519_peer_public;
37}; 40};
38 41
39struct tls_key_share * 42static struct tls_key_share *
40tls_key_share_new(uint16_t group_id) 43tls_key_share_new_internal(int nid, uint16_t group_id)
41{ 44{
42 struct tls_key_share *ks; 45 struct tls_key_share *ks;
43 int nid;
44
45 if ((nid = tls1_ec_curve_id2nid(group_id)) == 0)
46 return NULL;
47 46
48 if ((ks = calloc(1, sizeof(struct tls_key_share))) == NULL) 47 if ((ks = calloc(1, sizeof(struct tls_key_share))) == NULL)
49 return NULL; 48 return NULL;
@@ -55,14 +54,27 @@ tls_key_share_new(uint16_t group_id)
55} 54}
56 55
57struct tls_key_share * 56struct tls_key_share *
58tls_key_share_new_nid(int nid) 57tls_key_share_new(uint16_t group_id)
59{ 58{
60 uint16_t group_id; 59 int nid;
61 60
62 if ((group_id = tls1_ec_nid2curve_id(nid)) == 0) 61 if ((nid = tls1_ec_curve_id2nid(group_id)) == 0)
63 return NULL; 62 return NULL;
64 63
65 return tls_key_share_new(group_id); 64 return tls_key_share_new_internal(nid, group_id);
65}
66
67struct tls_key_share *
68tls_key_share_new_nid(int nid)
69{
70 uint16_t group_id = 0;
71
72 if (nid != NID_dhKeyAgreement) {
73 if ((group_id = tls1_ec_nid2curve_id(nid)) == 0)
74 return NULL;
75 }
76
77 return tls_key_share_new_internal(nid, group_id);
66} 78}
67 79
68void 80void
@@ -71,6 +83,9 @@ tls_key_share_free(struct tls_key_share *ks)
71 if (ks == NULL) 83 if (ks == NULL)
72 return; 84 return;
73 85
86 DH_free(ks->dhe);
87 DH_free(ks->dhe_peer);
88
74 EC_KEY_free(ks->ecdhe); 89 EC_KEY_free(ks->ecdhe);
75 EC_KEY_free(ks->ecdhe_peer); 90 EC_KEY_free(ks->ecdhe_peer);
76 91
@@ -88,19 +103,33 @@ tls_key_share_group(struct tls_key_share *ks)
88} 103}
89 104
90int 105int
106tls_key_share_nid(struct tls_key_share *ks)
107{
108 return ks->nid;
109}
110
111int
91tls_key_share_peer_pkey(struct tls_key_share *ks, EVP_PKEY *pkey) 112tls_key_share_peer_pkey(struct tls_key_share *ks, EVP_PKEY *pkey)
92{ 113{
93 if (ks->nid == NID_X25519 && ks->x25519_peer_public != NULL) { 114 if (ks->nid == NID_dhKeyAgreement && ks->dhe_peer != NULL)
94 if (!ssl_kex_dummy_ecdhe_x25519(pkey)) 115 return EVP_PKEY_set1_DH(pkey, ks->dhe_peer);
95 return 0; 116
96 } else if (ks->ecdhe_peer != NULL) { 117 if (ks->nid == NID_X25519 && ks->x25519_peer_public != NULL)
97 if (!EVP_PKEY_set1_EC_KEY(pkey, ks->ecdhe_peer)) 118 return ssl_kex_dummy_ecdhe_x25519(pkey);
98 return 0; 119
99 } else { 120 if (ks->ecdhe_peer != NULL)
121 return EVP_PKEY_set1_EC_KEY(pkey, ks->ecdhe_peer);
122
123 return 0;
124}
125
126static int
127tls_key_share_generate_dhe(struct tls_key_share *ks)
128{
129 if (ks->dhe == NULL)
100 return 0; 130 return 0;
101 }
102 131
103 return 1; 132 return ssl_kex_generate_dhe(ks->dhe, ks->dhe);
104} 133}
105 134
106static int 135static int
@@ -161,6 +190,9 @@ tls_key_share_generate_x25519(struct tls_key_share *ks)
161int 190int
162tls_key_share_generate(struct tls_key_share *ks) 191tls_key_share_generate(struct tls_key_share *ks)
163{ 192{
193 if (ks->nid == NID_dhKeyAgreement)
194 return tls_key_share_generate_dhe(ks);
195
164 if (ks->nid == NID_X25519) 196 if (ks->nid == NID_X25519)
165 return tls_key_share_generate_x25519(ks); 197 return tls_key_share_generate_x25519(ks);
166 198
@@ -168,6 +200,15 @@ tls_key_share_generate(struct tls_key_share *ks)
168} 200}
169 201
170static int 202static int
203tls_key_share_public_dhe(struct tls_key_share *ks, CBB *cbb)
204{
205 if (ks->dhe == NULL)
206 return 0;
207
208 return ssl_kex_public_dhe(ks->dhe, cbb);
209}
210
211static int
171tls_key_share_public_ecdhe_ecp(struct tls_key_share *ks, CBB *cbb) 212tls_key_share_public_ecdhe_ecp(struct tls_key_share *ks, CBB *cbb)
172{ 213{
173 if (ks->ecdhe == NULL) 214 if (ks->ecdhe == NULL)
@@ -188,6 +229,9 @@ tls_key_share_public_x25519(struct tls_key_share *ks, CBB *cbb)
188int 229int
189tls_key_share_public(struct tls_key_share *ks, CBB *cbb) 230tls_key_share_public(struct tls_key_share *ks, CBB *cbb)
190{ 231{
232 if (ks->nid == NID_dhKeyAgreement)
233 return tls_key_share_public_dhe(ks, cbb);
234
191 if (ks->nid == NID_X25519) 235 if (ks->nid == NID_X25519)
192 return tls_key_share_public_x25519(ks, cbb); 236 return tls_key_share_public_x25519(ks, cbb);
193 237
@@ -195,6 +239,43 @@ tls_key_share_public(struct tls_key_share *ks, CBB *cbb)
195} 239}
196 240
197static int 241static int
242tls_key_share_peer_params_dhe(struct tls_key_share *ks, CBS *cbs,
243 int *invalid_params)
244{
245 if (ks->dhe != NULL || ks->dhe_peer != NULL)
246 return 0;
247
248 if ((ks->dhe_peer = DH_new()) == NULL)
249 return 0;
250 if (!ssl_kex_peer_params_dhe(ks->dhe_peer, cbs, invalid_params))
251 return 0;
252 if ((ks->dhe = DHparams_dup(ks->dhe_peer)) == NULL)
253 return 0;
254
255 return 1;
256}
257
258int
259tls_key_share_peer_params(struct tls_key_share *ks, CBS *cbs,
260 int *invalid_params)
261{
262 if (ks->nid != NID_dhKeyAgreement)
263 return 0;
264
265 return tls_key_share_peer_params_dhe(ks, cbs, invalid_params);
266}
267
268static int
269tls_key_share_peer_public_dhe(struct tls_key_share *ks, CBS *cbs,
270 int *invalid_key)
271{
272 if (ks->dhe_peer == NULL)
273 return 0;
274
275 return ssl_kex_peer_public_dhe(ks->dhe_peer, cbs, invalid_key);
276}
277
278static int
198tls_key_share_peer_public_ecdhe_ecp(struct tls_key_share *ks, CBS *cbs) 279tls_key_share_peer_public_ecdhe_ecp(struct tls_key_share *ks, CBS *cbs)
199{ 280{
200 EC_KEY *ecdhe = NULL; 281 EC_KEY *ecdhe = NULL;
@@ -234,21 +315,29 @@ tls_key_share_peer_public_x25519(struct tls_key_share *ks, CBS *cbs)
234} 315}
235 316
236int 317int
237tls_key_share_peer_public(struct tls_key_share *ks, uint16_t group, 318tls_key_share_peer_public(struct tls_key_share *ks, CBS *cbs, int *invalid_key)
238 CBS *cbs)
239{ 319{
240 if (ks->group_id != group) 320 if (invalid_key != NULL)
241 return 0; 321 *invalid_key = 0;
242 322
243 if (ks->nid == NID_X25519) { 323 if (ks->nid == NID_dhKeyAgreement)
244 if (!tls_key_share_peer_public_x25519(ks, cbs)) 324 return tls_key_share_peer_public_dhe(ks, cbs, invalid_key);
245 return 0;
246 } else {
247 if (!tls_key_share_peer_public_ecdhe_ecp(ks, cbs))
248 return 0;
249 }
250 325
251 return 1; 326 if (ks->nid == NID_X25519)
327 return tls_key_share_peer_public_x25519(ks, cbs);
328
329 return tls_key_share_peer_public_ecdhe_ecp(ks, cbs);
330}
331
332static int
333tls_key_share_derive_dhe(struct tls_key_share *ks,
334 uint8_t **shared_key, size_t *shared_key_len)
335{
336 if (ks->dhe == NULL || ks->dhe_peer == NULL)
337 return 0;
338
339 return ssl_kex_derive_dhe(ks->dhe, ks->dhe_peer, shared_key,
340 shared_key_len);
252} 341}
253 342
254static int 343static int
@@ -298,6 +387,10 @@ tls_key_share_derive(struct tls_key_share *ks, uint8_t **shared_key,
298 387
299 *shared_key_len = 0; 388 *shared_key_len = 0;
300 389
390 if (ks->nid == NID_dhKeyAgreement)
391 return tls_key_share_derive_dhe(ks, shared_key,
392 shared_key_len);
393
301 if (ks->nid == NID_X25519) 394 if (ks->nid == NID_X25519)
302 return tls_key_share_derive_x25519(ks, shared_key, 395 return tls_key_share_derive_x25519(ks, shared_key,
303 shared_key_len); 396 shared_key_len);
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-26 20:01:39 +0000