1 files changed, 35 insertions, 175 deletions
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index 80a16f1042..c3912c3ebd 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.126 2022/01/04 12:53:31 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.127 2022/01/06 18:23:56 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1223,20 +1223,23 @@ ssl3_get_server_certificate(SSL *s)
 static int
 ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, CBS *cbs)
 {
+        int nid = NID_dhKeyAgreement;
        int invalid_params, invalid_key;
-        SESS_CERT *sc = NULL;
+        SESS_CERT *sc;
-        DH *dh = NULL;
        long alg_a;
        alg_a = S3I(s)->hs.cipher->algorithm_auth;
        sc = s->session->sess_cert;
-        if ((dh = DH_new()) == NULL)
+        tls_key_share_free(S3I(s)->hs.key_share);
+        if ((S3I(s)->hs.key_share = tls_key_share_new_nid(nid)) == NULL)
                goto err;
-        if (!ssl_kex_peer_params_dhe(dh, cbs, &invalid_params))
+        if (!tls_key_share_peer_params(S3I(s)->hs.key_share, cbs,
+            &invalid_params))
                goto decode_err;
-        if (!ssl_kex_peer_public_dhe(dh, cbs, &invalid_key))
+        if (!tls_key_share_peer_public(S3I(s)->hs.key_share, cbs,
+            &invalid_key))
                goto decode_err;
        if (invalid_params) {
@@ -1256,8 +1259,6 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, CBS *cbs)
                /* XXX - Anonymous DH, so no certificate or pkey. */
                *pkey = NULL;
-        sc->peer_dh_tmp = dh;
        return 1;
 decode_err:
@@ -1265,64 +1266,6 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, CBS *cbs)
        ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
 err:
-        DH_free(dh);
-        return 0;
-}
-static int
-ssl3_get_server_kex_ecdhe_ecp(SSL *s, SESS_CERT *sc, int nid, CBS *public)
-{
-        EC_KEY *ecdh = NULL;
-        int ret = 0;
-        /* Extract the server's ephemeral ECDH public key. */
-        if ((ecdh = EC_KEY_new()) == NULL) {
-                SSLerror(s, ERR_R_MALLOC_FAILURE);
-                goto err;
-        }
-        if (!ssl_kex_peer_public_ecdhe_ecp(ecdh, nid, public)) {
-                SSLerror(s, SSL_R_BAD_ECPOINT);
-                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-                goto err;
-        }
-        sc->peer_nid = nid;
-        sc->peer_ecdh_tmp = ecdh;
-        ecdh = NULL;
-        ret = 1;
- err:
-        EC_KEY_free(ecdh);
-        return (ret);
-}
-static int
-ssl3_get_server_kex_ecdhe_ecx(SSL *s, SESS_CERT *sc, int nid, CBS *public)
-{
-        size_t outlen;
-        if (nid != NID_X25519) {
-                SSLerror(s, ERR_R_INTERNAL_ERROR);
-                goto err;
-        }
-        if (CBS_len(public) != X25519_KEY_LENGTH) {
-                SSLerror(s, SSL_R_BAD_ECPOINT);
-                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-                goto err;
-        }
-        if (!CBS_stow(public, &sc->peer_x25519_tmp, &outlen)) {
-                SSLerror(s, ERR_R_MALLOC_FAILURE);
-                goto err;
-        }
-        return 1;
- err:
        return 0;
 }
@@ -1334,7 +1277,6 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, CBS *cbs)
        uint16_t curve_id;
        SESS_CERT *sc;
        long alg_a;
-        int nid;
        alg_a = S3I(s)->hs.cipher->algorithm_auth;
        sc = s->session->sess_cert;
@@ -1346,8 +1288,8 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, CBS *cbs)
        /* Only named curves are supported. */
        if (curve_type != NAMED_CURVE_TYPE) {
-                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
                SSLerror(s, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
+                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
                goto err;
        }
@@ -1364,19 +1306,12 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, CBS *cbs)
                goto err;
        }
-        if ((nid = tls1_ec_curve_id2nid(curve_id)) == 0) {
+        tls_key_share_free(S3I(s)->hs.key_share);
-                SSLerror(s, SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
+        if ((S3I(s)->hs.key_share = tls_key_share_new(curve_id)) == NULL)
-                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
                goto err;
-        }
-        if (nid == NID_X25519) {
+        if (!tls_key_share_peer_public(S3I(s)->hs.key_share, &public, NULL))
-                if (!ssl3_get_server_kex_ecdhe_ecx(s, sc, nid, &public))
+                goto err;
-                        goto err;
-        } else {
-                if (!ssl3_get_server_kex_ecdhe_ecp(s, sc, nid, &public))
-                        goto err;
-        }
        /*
         * The ECC/TLS specification does not mention the use of DSA to sign
@@ -1446,16 +1381,7 @@ ssl3_get_server_key_exchange(SSL *s)
                return (1);
        }
-        if (s->session->sess_cert != NULL) {
+        if (s->session->sess_cert == NULL) {
-                DH_free(s->session->sess_cert->peer_dh_tmp);
-                s->session->sess_cert->peer_dh_tmp = NULL;
-                EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
-                s->session->sess_cert->peer_ecdh_tmp = NULL;
-                free(s->session->sess_cert->peer_x25519_tmp);
-                s->session->sess_cert->peer_x25519_tmp = NULL;
-        } else {
                s->session->sess_cert = ssl_sess_cert_new();
                if (s->session->sess_cert == NULL)
                        goto err;
@@ -1966,28 +1892,22 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
 static int
 ssl3_send_client_kex_dhe(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
 {
-        DH *dh_clnt = NULL;
-        DH *dh_srvr;
        uint8_t *key = NULL;
        size_t key_len = 0;
        int ret = 0;
        /* Ensure that we have an ephemeral key from the server for DHE. */
-        if ((dh_srvr = sess_cert->peer_dh_tmp) == NULL) {
+        if (S3I(s)->hs.key_share == NULL) {
                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
                SSLerror(s, SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
                goto err;
        }
-        if ((dh_clnt = DH_new()) == NULL)
+        if (!tls_key_share_generate(S3I(s)->hs.key_share))
                goto err;
+        if (!tls_key_share_public(S3I(s)->hs.key_share, cbb))
-        if (!ssl_kex_generate_dhe(dh_clnt, dh_srvr))
                goto err;
-        if (!ssl_kex_public_dhe(dh_clnt, cbb))
+        if (!tls_key_share_derive(S3I(s)->hs.key_share, &key, &key_len))
-                goto err;
-        if (!ssl_kex_derive_dhe(dh_clnt, dh_srvr, &key, &key_len))
                goto err;
        if (!tls12_derive_master_secret(s, key, key_len))
@@ -1996,38 +1916,37 @@ ssl3_send_client_kex_dhe(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
        ret = 1;
 err:
-        DH_free(dh_clnt);
        freezero(key, key_len);
        return ret;
 }
 static int
-ssl3_send_client_kex_ecdhe_ecp(SSL *s, SESS_CERT *sc, CBB *cbb)
+ssl3_send_client_kex_ecdhe(SSL *s, SESS_CERT *sc, CBB *cbb)
 {
-        EC_KEY *ecdh = NULL;
        uint8_t *key = NULL;
        size_t key_len = 0;
+        CBB public;
        int ret = 0;
-        CBB ecpoint;
-        if ((ecdh = EC_KEY_new()) == NULL) {
+        /* Ensure that we have an ephemeral key for ECDHE. */
-                SSLerror(s, ERR_R_MALLOC_FAILURE);
+        if (S3I(s)->hs.key_share == NULL) {
+                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
+                SSLerror(s, ERR_R_INTERNAL_ERROR);
                goto err;
        }
-        if (!ssl_kex_generate_ecdhe_ecp(ecdh, sc->peer_nid))
+        if (!tls_key_share_generate(S3I(s)->hs.key_share))
                goto err;
-        /* Encode our public key. */
+        if (!CBB_add_u8_length_prefixed(cbb, &public))
-        if (!CBB_add_u8_length_prefixed(cbb, &ecpoint))
+                return 0;
-                goto err;
+        if (!tls_key_share_public(S3I(s)->hs.key_share, &public))
-        if (!ssl_kex_public_ecdhe_ecp(ecdh, &ecpoint))
                goto err;
        if (!CBB_flush(cbb))
                goto err;
-        if (!ssl_kex_derive_ecdhe_ecp(ecdh, sc->peer_ecdh_tmp, &key, &key_len))
+        if (!tls_key_share_derive(S3I(s)->hs.key_share, &key, &key_len))
                goto err;
        if (!tls12_derive_master_secret(s, key, key_len))
@@ -2037,72 +1956,11 @@ ssl3_send_client_kex_ecdhe_ecp(SSL *s, SESS_CERT *sc, CBB *cbb)
 err:
        freezero(key, key_len);
-        EC_KEY_free(ecdh);
-        return ret;
-}
-static int
-ssl3_send_client_kex_ecdhe_ecx(SSL *s, SESS_CERT *sc, CBB *cbb)
-{
-        uint8_t *public_key = NULL, *private_key = NULL, *shared_key = NULL;
-        int ret = 0;
-        CBB ecpoint;
-        /* Generate X25519 key pair and derive shared key. */
-        if ((public_key = malloc(X25519_KEY_LENGTH)) == NULL)
-                goto err;
-        if ((private_key = malloc(X25519_KEY_LENGTH)) == NULL)
-                goto err;
-        if ((shared_key = malloc(X25519_KEY_LENGTH)) == NULL)
-                goto err;
-        X25519_keypair(public_key, private_key);
-        if (!X25519(shared_key, private_key, sc->peer_x25519_tmp))
-                goto err;
-        /* Serialize the public key. */
-        if (!CBB_add_u8_length_prefixed(cbb, &ecpoint))
-                goto err;
-        if (!CBB_add_bytes(&ecpoint, public_key, X25519_KEY_LENGTH))
-                goto err;
-        if (!CBB_flush(cbb))
-                goto err;
-        if (!tls12_derive_master_secret(s, shared_key, X25519_KEY_LENGTH))
-                goto err;
-        ret = 1;
- err:
-        free(public_key);
-        freezero(private_key, X25519_KEY_LENGTH);
-        freezero(shared_key, X25519_KEY_LENGTH);
        return ret;
 }
 static int
-ssl3_send_client_kex_ecdhe(SSL *s, SESS_CERT *sc, CBB *cbb)
-{
-        if (sc->peer_x25519_tmp != NULL) {
-                if (ssl3_send_client_kex_ecdhe_ecx(s, sc, cbb) != 1)
-                        goto err;
-        } else if (sc->peer_ecdh_tmp != NULL) {
-                if (ssl3_send_client_kex_ecdhe_ecp(s, sc, cbb) != 1)
-                        goto err;
-        } else {
-                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
-                SSLerror(s, ERR_R_INTERNAL_ERROR);
-                goto err;
-        }
-        return 1;
- err:
-        return 0;
-}
-static int
 ssl3_send_client_kex_gost(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
 {
        unsigned char premaster_secret[32], shared_ukm[32], tmp[256];
@@ -2627,7 +2485,7 @@ ssl3_check_cert_and_algorithm(SSL *s)
        long             alg_k, alg_a;
        EVP_PKEY        *pkey = NULL;
        SESS_CERT       *sc;
-        DH              *dh;
+        int nid = NID_undef;
        alg_k = S3I(s)->hs.cipher->algorithm_mkey;
        alg_a = S3I(s)->hs.cipher->algorithm_auth;
@@ -2641,7 +2499,9 @@ ssl3_check_cert_and_algorithm(SSL *s)
                SSLerror(s, ERR_R_INTERNAL_ERROR);
                goto err;
        }
-        dh = s->session->sess_cert->peer_dh_tmp;
+        if (S3I(s)->hs.key_share != NULL)
+                nid = tls_key_share_nid(S3I(s)->hs.key_share);
        /* This is the passed certificate. */
@@ -2670,7 +2530,7 @@ ssl3_check_cert_and_algorithm(SSL *s)
                goto fatal_err;
        }
        if ((alg_k & SSL_kDHE) &&
-            !(has_bits(i, EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) {
+            !(has_bits(i, EVP_PK_DH|EVP_PKT_EXCH) || (nid == NID_dhKeyAgreement))) {
                SSLerror(s, SSL_R_MISSING_DH_KEY);
                goto fatal_err;
        }

diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c index 80a16f1042..c3912c3ebd 100644 --- a/src/lib/libssl/ssl_clnt.c +++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_clnt.c,v 1.126 2022/01/04 12:53:31 jsing Exp $ */	1	/* $OpenBSD: ssl_clnt.c,v 1.127 2022/01/06 18:23:56 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1223,20 +1223,23 @@ ssl3_get_server_certificate(SSL *s)
1223	static int	1223	static int
1224	ssl3_get_server_kex_dhe(SSL s, EVP_PKEY pkey, CBS cbs)	1224	ssl3_get_server_kex_dhe(SSL s, EVP_PKEY pkey, CBS cbs)
1225	{	1225	{
		1226	int nid = NID_dhKeyAgreement;
1226	int invalid_params, invalid_key;	1227	int invalid_params, invalid_key;
1227	SESS_CERT *sc = NULL;	1228	SESS_CERT *sc;
1228	DH *dh = NULL;
1229	long alg_a;	1229	long alg_a;
1230		1230
1231	alg_a = S3I(s)->hs.cipher->algorithm_auth;	1231	alg_a = S3I(s)->hs.cipher->algorithm_auth;
1232	sc = s->session->sess_cert;	1232	sc = s->session->sess_cert;
1233		1233
1234	if ((dh = DH_new()) == NULL)	1234	tls_key_share_free(S3I(s)->hs.key_share);
		1235	if ((S3I(s)->hs.key_share = tls_key_share_new_nid(nid)) == NULL)
1235	goto err;	1236	goto err;
1236		1237
1237	if (!ssl_kex_peer_params_dhe(dh, cbs, &invalid_params))	1238	if (!tls_key_share_peer_params(S3I(s)->hs.key_share, cbs,
		1239	&invalid_params))
1238	goto decode_err;	1240	goto decode_err;
1239	if (!ssl_kex_peer_public_dhe(dh, cbs, &invalid_key))	1241	if (!tls_key_share_peer_public(S3I(s)->hs.key_share, cbs,
		1242	&invalid_key))
1240	goto decode_err;	1243	goto decode_err;
1241		1244
1242	if (invalid_params) {	1245	if (invalid_params) {
@@ -1256,8 +1259,6 @@ ssl3_get_server_kex_dhe(SSL s, EVP_PKEY pkey, CBS cbs)
1256	/* XXX - Anonymous DH, so no certificate or pkey. */	1259	/* XXX - Anonymous DH, so no certificate or pkey. */
1257	*pkey = NULL;	1260	*pkey = NULL;
1258		1261
1259	sc->peer_dh_tmp = dh;
1260
1261	return 1;	1262	return 1;
1262		1263
1263	decode_err:	1264	decode_err:
@@ -1265,64 +1266,6 @@ ssl3_get_server_kex_dhe(SSL s, EVP_PKEY pkey, CBS cbs)
1265	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);	1266	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1266		1267
1267	err:	1268	err:
1268	DH_free(dh);
1269
1270	return 0;
1271	}
1272
1273	static int
1274	ssl3_get_server_kex_ecdhe_ecp(SSL s, SESS_CERT sc, int nid, CBS *public)
1275	{
1276	EC_KEY *ecdh = NULL;
1277	int ret = 0;
1278
1279	/* Extract the server's ephemeral ECDH public key. */
1280	if ((ecdh = EC_KEY_new()) == NULL) {
1281	SSLerror(s, ERR_R_MALLOC_FAILURE);
1282	goto err;
1283	}
1284	if (!ssl_kex_peer_public_ecdhe_ecp(ecdh, nid, public)) {
1285	SSLerror(s, SSL_R_BAD_ECPOINT);
1286	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1287	goto err;
1288	}
1289
1290	sc->peer_nid = nid;
1291	sc->peer_ecdh_tmp = ecdh;
1292	ecdh = NULL;
1293
1294	ret = 1;
1295
1296	err:
1297	EC_KEY_free(ecdh);
1298
1299	return (ret);
1300	}
1301
1302	static int
1303	ssl3_get_server_kex_ecdhe_ecx(SSL s, SESS_CERT sc, int nid, CBS *public)
1304	{
1305	size_t outlen;
1306
1307	if (nid != NID_X25519) {
1308	SSLerror(s, ERR_R_INTERNAL_ERROR);
1309	goto err;
1310	}
1311
1312	if (CBS_len(public) != X25519_KEY_LENGTH) {
1313	SSLerror(s, SSL_R_BAD_ECPOINT);
1314	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1315	goto err;
1316	}
1317
1318	if (!CBS_stow(public, &sc->peer_x25519_tmp, &outlen)) {
1319	SSLerror(s, ERR_R_MALLOC_FAILURE);
1320	goto err;
1321	}
1322
1323	return 1;
1324
1325	err:
1326	return 0;	1269	return 0;
1327	}	1270	}
1328		1271
@@ -1334,7 +1277,6 @@ ssl3_get_server_kex_ecdhe(SSL s, EVP_PKEY pkey, CBS cbs)
1334	uint16_t curve_id;	1277	uint16_t curve_id;
1335	SESS_CERT *sc;	1278	SESS_CERT *sc;
1336	long alg_a;	1279	long alg_a;
1337	int nid;
1338		1280
1339	alg_a = S3I(s)->hs.cipher->algorithm_auth;	1281	alg_a = S3I(s)->hs.cipher->algorithm_auth;
1340	sc = s->session->sess_cert;	1282	sc = s->session->sess_cert;
@@ -1346,8 +1288,8 @@ ssl3_get_server_kex_ecdhe(SSL s, EVP_PKEY pkey, CBS cbs)
1346		1288
1347	/* Only named curves are supported. */	1289	/* Only named curves are supported. */
1348	if (curve_type != NAMED_CURVE_TYPE) {	1290	if (curve_type != NAMED_CURVE_TYPE) {
1349	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1350	SSLerror(s, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);	1291	SSLerror(s, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
		1292	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1351	goto err;	1293	goto err;
1352	}	1294	}
1353		1295
@@ -1364,19 +1306,12 @@ ssl3_get_server_kex_ecdhe(SSL s, EVP_PKEY pkey, CBS cbs)
1364	goto err;	1306	goto err;
1365	}	1307	}
1366		1308
1367	if ((nid = tls1_ec_curve_id2nid(curve_id)) == 0) {	1309	tls_key_share_free(S3I(s)->hs.key_share);
1368	SSLerror(s, SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);	1310	if ((S3I(s)->hs.key_share = tls_key_share_new(curve_id)) == NULL)
1369	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
1370	goto err;	1311	goto err;
1371	}
1372		1312
1373	if (nid == NID_X25519) {	1313	if (!tls_key_share_peer_public(S3I(s)->hs.key_share, &public, NULL))
1374	if (!ssl3_get_server_kex_ecdhe_ecx(s, sc, nid, &public))	1314	goto err;
1375	goto err;
1376	} else {
1377	if (!ssl3_get_server_kex_ecdhe_ecp(s, sc, nid, &public))
1378	goto err;
1379	}
1380		1315
1381	/*	1316	/*
1382	* The ECC/TLS specification does not mention the use of DSA to sign	1317	* The ECC/TLS specification does not mention the use of DSA to sign
@@ -1446,16 +1381,7 @@ ssl3_get_server_key_exchange(SSL *s)
1446	return (1);	1381	return (1);
1447	}	1382	}
1448		1383
1449	if (s->session->sess_cert != NULL) {	1384	if (s->session->sess_cert == NULL) {
1450	DH_free(s->session->sess_cert->peer_dh_tmp);
1451	s->session->sess_cert->peer_dh_tmp = NULL;
1452
1453	EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
1454	s->session->sess_cert->peer_ecdh_tmp = NULL;
1455
1456	free(s->session->sess_cert->peer_x25519_tmp);
1457	s->session->sess_cert->peer_x25519_tmp = NULL;
1458	} else {
1459	s->session->sess_cert = ssl_sess_cert_new();	1385	s->session->sess_cert = ssl_sess_cert_new();
1460	if (s->session->sess_cert == NULL)	1386	if (s->session->sess_cert == NULL)
1461	goto err;	1387	goto err;
@@ -1966,28 +1892,22 @@ ssl3_send_client_kex_rsa(SSL s, SESS_CERT sess_cert, CBB *cbb)
1966	static int	1892	static int
1967	ssl3_send_client_kex_dhe(SSL s, SESS_CERT sess_cert, CBB *cbb)	1893	ssl3_send_client_kex_dhe(SSL s, SESS_CERT sess_cert, CBB *cbb)
1968	{	1894	{
1969	DH *dh_clnt = NULL;
1970	DH *dh_srvr;
1971	uint8_t *key = NULL;	1895	uint8_t *key = NULL;
1972	size_t key_len = 0;	1896	size_t key_len = 0;
1973	int ret = 0;	1897	int ret = 0;
1974		1898
1975	/* Ensure that we have an ephemeral key from the server for DHE. */	1899	/* Ensure that we have an ephemeral key from the server for DHE. */
1976	if ((dh_srvr = sess_cert->peer_dh_tmp) == NULL) {	1900	if (S3I(s)->hs.key_share == NULL) {
1977	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);	1901	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1978	SSLerror(s, SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);	1902	SSLerror(s, SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
1979	goto err;	1903	goto err;
1980	}	1904	}
1981		1905
1982	if ((dh_clnt = DH_new()) == NULL)	1906	if (!tls_key_share_generate(S3I(s)->hs.key_share))
1983	goto err;	1907	goto err;
1984		1908	if (!tls_key_share_public(S3I(s)->hs.key_share, cbb))
1985	if (!ssl_kex_generate_dhe(dh_clnt, dh_srvr))
1986	goto err;	1909	goto err;
1987	if (!ssl_kex_public_dhe(dh_clnt, cbb))	1910	if (!tls_key_share_derive(S3I(s)->hs.key_share, &key, &key_len))
1988	goto err;
1989
1990	if (!ssl_kex_derive_dhe(dh_clnt, dh_srvr, &key, &key_len))
1991	goto err;	1911	goto err;
1992		1912
1993	if (!tls12_derive_master_secret(s, key, key_len))	1913	if (!tls12_derive_master_secret(s, key, key_len))
@@ -1996,38 +1916,37 @@ ssl3_send_client_kex_dhe(SSL s, SESS_CERT sess_cert, CBB *cbb)
1996	ret = 1;	1916	ret = 1;
1997		1917
1998	err:	1918	err:
1999	DH_free(dh_clnt);
2000	freezero(key, key_len);	1919	freezero(key, key_len);
2001		1920
2002	return ret;	1921	return ret;
2003	}	1922	}
2004		1923
2005	static int	1924	static int
2006	ssl3_send_client_kex_ecdhe_ecp(SSL s, SESS_CERT sc, CBB *cbb)	1925	ssl3_send_client_kex_ecdhe(SSL s, SESS_CERT sc, CBB *cbb)
2007	{	1926	{
2008	EC_KEY *ecdh = NULL;
2009	uint8_t *key = NULL;	1927	uint8_t *key = NULL;
2010	size_t key_len = 0;	1928	size_t key_len = 0;
		1929	CBB public;
2011	int ret = 0;	1930	int ret = 0;
2012	CBB ecpoint;
2013		1931
2014	if ((ecdh = EC_KEY_new()) == NULL) {	1932	/* Ensure that we have an ephemeral key for ECDHE. */
2015	SSLerror(s, ERR_R_MALLOC_FAILURE);	1933	if (S3I(s)->hs.key_share == NULL) {
		1934	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
		1935	SSLerror(s, ERR_R_INTERNAL_ERROR);
2016	goto err;	1936	goto err;
2017	}	1937	}
2018		1938
2019	if (!ssl_kex_generate_ecdhe_ecp(ecdh, sc->peer_nid))	1939	if (!tls_key_share_generate(S3I(s)->hs.key_share))
2020	goto err;	1940	goto err;
2021		1941
2022	/* Encode our public key. */	1942	if (!CBB_add_u8_length_prefixed(cbb, &public))
2023	if (!CBB_add_u8_length_prefixed(cbb, &ecpoint))	1943	return 0;
2024	goto err;	1944	if (!tls_key_share_public(S3I(s)->hs.key_share, &public))
2025	if (!ssl_kex_public_ecdhe_ecp(ecdh, &ecpoint))
2026	goto err;	1945	goto err;
2027	if (!CBB_flush(cbb))	1946	if (!CBB_flush(cbb))
2028	goto err;	1947	goto err;
2029		1948
2030	if (!ssl_kex_derive_ecdhe_ecp(ecdh, sc->peer_ecdh_tmp, &key, &key_len))	1949	if (!tls_key_share_derive(S3I(s)->hs.key_share, &key, &key_len))
2031	goto err;	1950	goto err;
2032		1951
2033	if (!tls12_derive_master_secret(s, key, key_len))	1952	if (!tls12_derive_master_secret(s, key, key_len))
@@ -2037,72 +1956,11 @@ ssl3_send_client_kex_ecdhe_ecp(SSL s, SESS_CERT sc, CBB *cbb)
2037		1956
2038	err:	1957	err:
2039	freezero(key, key_len);	1958	freezero(key, key_len);
2040	EC_KEY_free(ecdh);
2041
2042	return ret;
2043	}
2044
2045	static int
2046	ssl3_send_client_kex_ecdhe_ecx(SSL s, SESS_CERT sc, CBB *cbb)
2047	{
2048	uint8_t public_key = NULL, private_key = NULL, *shared_key = NULL;
2049	int ret = 0;
2050	CBB ecpoint;
2051
2052	/* Generate X25519 key pair and derive shared key. */
2053	if ((public_key = malloc(X25519_KEY_LENGTH)) == NULL)
2054	goto err;
2055	if ((private_key = malloc(X25519_KEY_LENGTH)) == NULL)
2056	goto err;
2057	if ((shared_key = malloc(X25519_KEY_LENGTH)) == NULL)
2058	goto err;
2059	X25519_keypair(public_key, private_key);
2060	if (!X25519(shared_key, private_key, sc->peer_x25519_tmp))
2061	goto err;
2062
2063	/* Serialize the public key. */
2064	if (!CBB_add_u8_length_prefixed(cbb, &ecpoint))
2065	goto err;
2066	if (!CBB_add_bytes(&ecpoint, public_key, X25519_KEY_LENGTH))
2067	goto err;
2068	if (!CBB_flush(cbb))
2069	goto err;
2070
2071	if (!tls12_derive_master_secret(s, shared_key, X25519_KEY_LENGTH))
2072	goto err;
2073
2074	ret = 1;
2075
2076	err:
2077	free(public_key);
2078	freezero(private_key, X25519_KEY_LENGTH);
2079	freezero(shared_key, X25519_KEY_LENGTH);
2080		1959
2081	return ret;	1960	return ret;
2082	}	1961	}
2083		1962
2084	static int	1963	static int
2085	ssl3_send_client_kex_ecdhe(SSL s, SESS_CERT sc, CBB *cbb)
2086	{
2087	if (sc->peer_x25519_tmp != NULL) {
2088	if (ssl3_send_client_kex_ecdhe_ecx(s, sc, cbb) != 1)
2089	goto err;
2090	} else if (sc->peer_ecdh_tmp != NULL) {
2091	if (ssl3_send_client_kex_ecdhe_ecp(s, sc, cbb) != 1)
2092	goto err;
2093	} else {
2094	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
2095	SSLerror(s, ERR_R_INTERNAL_ERROR);
2096	goto err;
2097	}
2098
2099	return 1;
2100
2101	err:
2102	return 0;
2103	}
2104
2105	static int
2106	ssl3_send_client_kex_gost(SSL s, SESS_CERT sess_cert, CBB *cbb)	1964	ssl3_send_client_kex_gost(SSL s, SESS_CERT sess_cert, CBB *cbb)
2107	{	1965	{
2108	unsigned char premaster_secret[32], shared_ukm[32], tmp[256];	1966	unsigned char premaster_secret[32], shared_ukm[32], tmp[256];
@@ -2627,7 +2485,7 @@ ssl3_check_cert_and_algorithm(SSL *s)
2627	long alg_k, alg_a;	2485	long alg_k, alg_a;
2628	EVP_PKEY *pkey = NULL;	2486	EVP_PKEY *pkey = NULL;
2629	SESS_CERT *sc;	2487	SESS_CERT *sc;
2630	DH *dh;	2488	int nid = NID_undef;
2631		2489
2632	alg_k = S3I(s)->hs.cipher->algorithm_mkey;	2490	alg_k = S3I(s)->hs.cipher->algorithm_mkey;
2633	alg_a = S3I(s)->hs.cipher->algorithm_auth;	2491	alg_a = S3I(s)->hs.cipher->algorithm_auth;
@@ -2641,7 +2499,9 @@ ssl3_check_cert_and_algorithm(SSL *s)
2641	SSLerror(s, ERR_R_INTERNAL_ERROR);	2499	SSLerror(s, ERR_R_INTERNAL_ERROR);
2642	goto err;	2500	goto err;
2643	}	2501	}
2644	dh = s->session->sess_cert->peer_dh_tmp;	2502
		2503	if (S3I(s)->hs.key_share != NULL)
		2504	nid = tls_key_share_nid(S3I(s)->hs.key_share);
2645		2505
2646	/* This is the passed certificate. */	2506	/* This is the passed certificate. */
2647		2507
@@ -2670,7 +2530,7 @@ ssl3_check_cert_and_algorithm(SSL *s)
2670	goto fatal_err;	2530	goto fatal_err;
2671	}	2531	}
2672	if ((alg_k & SSL_kDHE) &&	2532	if ((alg_k & SSL_kDHE) &&
2673	!(has_bits(i, EVP_PK_DH\|EVP_PKT_EXCH) \|\| (dh != NULL))) {	2533	!(has_bits(i, EVP_PK_DH\|EVP_PKT_EXCH) \|\| (nid == NID_dhKeyAgreement))) {
2674	SSLerror(s, SSL_R_MISSING_DH_KEY);	2534	SSLerror(s, SSL_R_MISSING_DH_KEY);
2675	goto fatal_err;	2535	goto fatal_err;
2676	}	2536	}