1 files changed, 40 insertions, 202 deletions
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index 0496985351..b66a2c108d 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.130 2022/01/04 12:53:31 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.131 2022/01/07 15:46:30 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1309,23 +1309,23 @@ ssl3_send_server_done(SSL *s)
 static int
 ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)
 {
-        DH *dh = NULL;
+        int nid = NID_dhKeyAgreement;
-        int al;
-        if ((dh = DH_new()) == NULL)
+        tls_key_share_free(S3I(s)->hs.key_share);
+        if ((S3I(s)->hs.key_share = tls_key_share_new_nid(nid)) == NULL)
                goto err;
        if (s->cert->dh_tmp_auto != 0) {
                size_t key_bits;
                if ((key_bits = ssl_dhe_params_auto_key_bits(s)) == 0) {
-                        al = SSL_AD_INTERNAL_ERROR;
                        SSLerror(s, ERR_R_INTERNAL_ERROR);
-                        goto fatal_err;
+                        ssl3_send_alert(s, SSL3_AL_FATAL,
-                }
+                            SSL_AD_INTERNAL_ERROR);
-                if (!ssl_kex_generate_dhe_params_auto(dh, key_bits))
                        goto err;
+                }
+                tls_key_share_set_key_bits(S3I(s)->hs.key_share,
+                    key_bits);
        } else {
                DH *dh_params = s->cert->dh_tmp;
@@ -1334,157 +1334,69 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)
                            SSL_C_PKEYLENGTH(S3I(s)->hs.cipher));
                if (dh_params == NULL) {
-                        al = SSL_AD_HANDSHAKE_FAILURE;
                        SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
-                        goto fatal_err;
+                        ssl3_send_alert(s, SSL3_AL_FATAL,
+                            SSL_AD_HANDSHAKE_FAILURE);
+                        goto err;
                }
-                if (!ssl_kex_generate_dhe(dh, dh_params))
+                if (!tls_key_share_set_dh_params(S3I(s)->hs.key_share, dh_params))
                        goto err;
        }
-        if (!ssl_kex_params_dhe(dh, cbb))
+        if (!tls_key_share_generate(S3I(s)->hs.key_share))
-                goto err;
-        if (!ssl_kex_public_dhe(dh, cbb))
                goto err;
-        if (S3I(s)->tmp.dh != NULL) {
+        if (!tls_key_share_params(S3I(s)->hs.key_share, cbb))
-                SSLerror(s, ERR_R_INTERNAL_ERROR);
+                goto err;
+        if (!tls_key_share_public(S3I(s)->hs.key_share, cbb))
                goto err;
-        }
-        S3I(s)->tmp.dh = dh;
        return 1;
- fatal_err:
-        ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
-        DH_free(dh);
        return 0;
 }
 static int
-ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb)
+ssl3_send_server_kex_ecdhe(SSL *s, CBB *cbb)
 {
-        uint16_t curve_id;
+        CBB public;
-        EC_KEY *ecdh;
+        int nid;
-        CBB ecpoint;
-        int al;
-        /*
+        if ((nid = tls1_get_shared_curve(s)) == NID_undef) {
-         * Only named curves are supported in ECDH ephemeral key exchanges.
-         * For supported named curves, curve_id is non-zero.
-         */
-        if ((curve_id = tls1_ec_nid2curve_id(nid)) == 0) {
                SSLerror(s, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
+                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
                goto err;
        }
-        if (S3I(s)->tmp.ecdh != NULL) {
+        tls_key_share_free(S3I(s)->hs.key_share);
-                SSLerror(s, ERR_R_INTERNAL_ERROR);
+        if ((S3I(s)->hs.key_share = tls_key_share_new_nid(nid)) == NULL)
                goto err;
-        }
-        if ((S3I(s)->tmp.ecdh = EC_KEY_new()) == NULL) {
+        if (!tls_key_share_generate(S3I(s)->hs.key_share))
-                al = SSL_AD_HANDSHAKE_FAILURE;
-                SSLerror(s, SSL_R_MISSING_TMP_ECDH_KEY);
-                goto fatal_err;
-        }
-        S3I(s)->tmp.ecdh_nid = nid;
-        ecdh = S3I(s)->tmp.ecdh;
-        if (!ssl_kex_generate_ecdhe_ecp(ecdh, nid))
                goto err;
        /*
-         * Encode the public key.
+         * ECC key exchange - see RFC 8422, section 5.4.
-         *
-         * Only named curves are supported in ECDH ephemeral key exchanges.
-         * In this case the ServerKeyExchange message has:
-         * [1 byte CurveType], [2 byte CurveName]
-         * [1 byte length of encoded point], followed by
-         * the actual encoded point itself.
         */
        if (!CBB_add_u8(cbb, NAMED_CURVE_TYPE))
                goto err;
-        if (!CBB_add_u16(cbb, curve_id))
+        if (!CBB_add_u16(cbb, tls_key_share_group(S3I(s)->hs.key_share)))
                goto err;
-        if (!CBB_add_u8_length_prefixed(cbb, &ecpoint))
+        if (!CBB_add_u8_length_prefixed(cbb, &public))
                goto err;
-        if (!ssl_kex_public_ecdhe_ecp(ecdh, &ecpoint))
+        if (!tls_key_share_public(S3I(s)->hs.key_share, &public))
                goto err;
        if (!CBB_flush(cbb))
                goto err;
        return 1;
- fatal_err:
-        ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
        return 0;
 }
-static int
-ssl3_send_server_kex_ecdhe_ecx(SSL *s, int nid, CBB *cbb)
-{
-        uint8_t *public_key = NULL, *private_key = NULL;
-        uint16_t curve_id;
-        CBB ecpoint;
-        int ret = 0;
-        /* Generate an X25519 key pair. */
-        if (S3I(s)->tmp.x25519 != NULL) {
-                SSLerror(s, ERR_R_INTERNAL_ERROR);
-                goto err;
-        }
-        if ((private_key = malloc(X25519_KEY_LENGTH)) == NULL)
-                goto err;
-        if ((public_key = malloc(X25519_KEY_LENGTH)) == NULL)
-                goto err;
-        X25519_keypair(public_key, private_key);
-        /* Serialize public key. */
-        if ((curve_id = tls1_ec_nid2curve_id(nid)) == 0) {
-                SSLerror(s, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
-                goto err;
-        }
-        if (!CBB_add_u8(cbb, NAMED_CURVE_TYPE))
-                goto err;
-        if (!CBB_add_u16(cbb, curve_id))
-                goto err;
-        if (!CBB_add_u8_length_prefixed(cbb, &ecpoint))
-                goto err;
-        if (!CBB_add_bytes(&ecpoint, public_key, X25519_KEY_LENGTH))
-                goto err;
-        if (!CBB_flush(cbb))
-                goto err;
-        S3I(s)->tmp.x25519 = private_key;
-        private_key = NULL;
-        ret = 1;
- err:
-        free(public_key);
-        freezero(private_key, X25519_KEY_LENGTH);
-        return ret;
-}
-static int
-ssl3_send_server_kex_ecdhe(SSL *s, CBB *cbb)
-{
-        int nid;
-        nid = tls1_get_shared_curve(s);
-        if (nid == NID_X25519)
-                return ssl3_send_server_kex_ecdhe_ecx(s, nid, cbb);
-        return ssl3_send_server_kex_ecdhe_ecp(s, nid, cbb);
-}
 int
 ssl3_send_server_key_exchange(SSL *s)
 {
@@ -1791,148 +1703,74 @@ ssl3_get_client_kex_rsa(SSL *s, CBS *cbs)
 static int
 ssl3_get_client_kex_dhe(SSL *s, CBS *cbs)
 {
-        DH *dh_clnt = NULL;
-        DH *dh_srvr;
-        int invalid_key;
        uint8_t *key = NULL;
        size_t key_len = 0;
+        int invalid_key;
        int ret = 0;
-        if ((dh_srvr = S3I(s)->tmp.dh) == NULL) {
+        if (S3I(s)->hs.key_share == NULL) {
                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
                SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
                goto err;
        }
-        if ((dh_clnt = DHparams_dup(dh_srvr)) == NULL)
+        if (!tls_key_share_peer_public(S3I(s)->hs.key_share, cbs,
-                goto err;
+            &invalid_key))
-        if (!ssl_kex_peer_public_dhe(dh_clnt, cbs, &invalid_key)) {
-                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-                SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
                goto err;
-        }
        if (invalid_key) {
                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
                SSLerror(s, SSL_R_BAD_DH_PUB_KEY_LENGTH);
                goto err;
        }
-        if (!ssl_kex_derive_dhe(dh_srvr, dh_clnt, &key, &key_len))
+        if (!tls_key_share_derive(S3I(s)->hs.key_share, &key, &key_len))
                goto err;
        if (!tls12_derive_master_secret(s, key, key_len))
                goto err;
-        DH_free(S3I(s)->tmp.dh);
-        S3I(s)->tmp.dh = NULL;
        ret = 1;
 err:
        freezero(key, key_len);
-        DH_free(dh_clnt);
        return ret;
 }
 static int
-ssl3_get_client_kex_ecdhe_ecp(SSL *s, CBS *cbs)
+ssl3_get_client_kex_ecdhe(SSL *s, CBS *cbs)
 {
        uint8_t *key = NULL;
        size_t key_len = 0;
-        EC_KEY *ecdh_peer = NULL;
-        EC_KEY *ecdh;
        CBS public;
        int ret = 0;
-        /*
+        if (S3I(s)->hs.key_share == NULL) {
-         * Use the ephemeral values we saved when generating the
+                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
-         * ServerKeyExchange message.
+                SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
-         */
-        if ((ecdh = S3I(s)->tmp.ecdh) == NULL) {
-                SSLerror(s, ERR_R_INTERNAL_ERROR);
                goto err;
        }
-        /*
-         * Get client's public key from encoded point in the ClientKeyExchange
-         * message.
-         */
        if (!CBS_get_u8_length_prefixed(cbs, &public))
                goto err;
-        if (CBS_len(cbs) != 0)
+        if (!tls_key_share_peer_public(S3I(s)->hs.key_share, &public, NULL))
                goto err;
-        if ((ecdh_peer = EC_KEY_new()) == NULL)
+        if (!tls_key_share_derive(S3I(s)->hs.key_share, &key, &key_len))
                goto err;
-        if (!ssl_kex_peer_public_ecdhe_ecp(ecdh_peer, S3I(s)->tmp.ecdh_nid,
-            &public))
-                goto err;
-        /* Derive the shared secret and compute master secret. */
-        if (!ssl_kex_derive_ecdhe_ecp(ecdh, ecdh_peer, &key, &key_len))
-                goto err;
        if (!tls12_derive_master_secret(s, key, key_len))
                goto err;
-        EC_KEY_free(S3I(s)->tmp.ecdh);
-        S3I(s)->tmp.ecdh = NULL;
-        S3I(s)->tmp.ecdh_nid = NID_undef;
        ret = 1;
 err:
        freezero(key, key_len);
-        EC_KEY_free(ecdh_peer);
        return ret;
 }
 static int
-ssl3_get_client_kex_ecdhe_ecx(SSL *s, CBS *cbs)
-{
-        uint8_t *shared_key = NULL;
-        CBS ecpoint;
-        int ret = 0;
-        if (!CBS_get_u8_length_prefixed(cbs, &ecpoint))
-                goto err;
-        if (CBS_len(cbs) != 0)
-                goto err;
-        if (CBS_len(&ecpoint) != X25519_KEY_LENGTH)
-                goto err;
-        if ((shared_key = malloc(X25519_KEY_LENGTH)) == NULL)
-                goto err;
-        if (!X25519(shared_key, S3I(s)->tmp.x25519, CBS_data(&ecpoint)))
-                goto err;
-        freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH);
-        S3I(s)->tmp.x25519 = NULL;
-        if (!tls12_derive_master_secret(s, shared_key, X25519_KEY_LENGTH))
-                goto err;
-        ret = 1;
- err:
-        freezero(shared_key, X25519_KEY_LENGTH);
-        return ret;
-}
-static int
-ssl3_get_client_kex_ecdhe(SSL *s, CBS *cbs)
-{
-        if (S3I(s)->tmp.x25519 != NULL)
-                return ssl3_get_client_kex_ecdhe_ecx(s, cbs);
-        return ssl3_get_client_kex_ecdhe_ecp(s, cbs);
-}
-static int
 ssl3_get_client_kex_gost(SSL *s, CBS *cbs)
 {
        EVP_PKEY_CTX *pkey_ctx;

diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c index 0496985351..b66a2c108d 100644 --- a/src/lib/libssl/ssl_srvr.c +++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_srvr.c,v 1.130 2022/01/04 12:53:31 jsing Exp $ */	1	/* $OpenBSD: ssl_srvr.c,v 1.131 2022/01/07 15:46:30 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1309,23 +1309,23 @@ ssl3_send_server_done(SSL *s)
1309	static int	1309	static int
1310	ssl3_send_server_kex_dhe(SSL s, CBB cbb)	1310	ssl3_send_server_kex_dhe(SSL s, CBB cbb)
1311	{	1311	{
1312	DH *dh = NULL;	1312	int nid = NID_dhKeyAgreement;
1313	int al;
1314		1313
1315	if ((dh = DH_new()) == NULL)	1314	tls_key_share_free(S3I(s)->hs.key_share);
		1315	if ((S3I(s)->hs.key_share = tls_key_share_new_nid(nid)) == NULL)
1316	goto err;	1316	goto err;
1317		1317
1318	if (s->cert->dh_tmp_auto != 0) {	1318	if (s->cert->dh_tmp_auto != 0) {
1319	size_t key_bits;	1319	size_t key_bits;
1320		1320
1321	if ((key_bits = ssl_dhe_params_auto_key_bits(s)) == 0) {	1321	if ((key_bits = ssl_dhe_params_auto_key_bits(s)) == 0) {
1322	al = SSL_AD_INTERNAL_ERROR;
1323	SSLerror(s, ERR_R_INTERNAL_ERROR);	1322	SSLerror(s, ERR_R_INTERNAL_ERROR);
1324	goto fatal_err;	1323	ssl3_send_alert(s, SSL3_AL_FATAL,
1325	}	1324	SSL_AD_INTERNAL_ERROR);
1326
1327	if (!ssl_kex_generate_dhe_params_auto(dh, key_bits))
1328	goto err;	1325	goto err;
		1326	}
		1327	tls_key_share_set_key_bits(S3I(s)->hs.key_share,
		1328	key_bits);
1329	} else {	1329	} else {
1330	DH *dh_params = s->cert->dh_tmp;	1330	DH *dh_params = s->cert->dh_tmp;
1331		1331
@@ -1334,157 +1334,69 @@ ssl3_send_server_kex_dhe(SSL s, CBB cbb)
1334	SSL_C_PKEYLENGTH(S3I(s)->hs.cipher));	1334	SSL_C_PKEYLENGTH(S3I(s)->hs.cipher));
1335		1335
1336	if (dh_params == NULL) {	1336	if (dh_params == NULL) {
1337	al = SSL_AD_HANDSHAKE_FAILURE;
1338	SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);	1337	SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
1339	goto fatal_err;	1338	ssl3_send_alert(s, SSL3_AL_FATAL,
		1339	SSL_AD_HANDSHAKE_FAILURE);
		1340	goto err;
1340	}	1341	}
1341		1342
1342	if (!ssl_kex_generate_dhe(dh, dh_params))	1343	if (!tls_key_share_set_dh_params(S3I(s)->hs.key_share, dh_params))
1343	goto err;	1344	goto err;
1344	}	1345	}
1345		1346
1346	if (!ssl_kex_params_dhe(dh, cbb))	1347	if (!tls_key_share_generate(S3I(s)->hs.key_share))
1347	goto err;
1348	if (!ssl_kex_public_dhe(dh, cbb))
1349	goto err;	1348	goto err;
1350		1349
1351	if (S3I(s)->tmp.dh != NULL) {	1350	if (!tls_key_share_params(S3I(s)->hs.key_share, cbb))
1352	SSLerror(s, ERR_R_INTERNAL_ERROR);	1351	goto err;
		1352	if (!tls_key_share_public(S3I(s)->hs.key_share, cbb))
1353	goto err;	1353	goto err;
1354	}
1355	S3I(s)->tmp.dh = dh;
1356		1354
1357	return 1;	1355	return 1;
1358		1356
1359	fatal_err:
1360	ssl3_send_alert(s, SSL3_AL_FATAL, al);
1361	err:	1357	err:
1362	DH_free(dh);
1363
1364	return 0;	1358	return 0;
1365	}	1359	}
1366		1360
1367	static int	1361	static int
1368	ssl3_send_server_kex_ecdhe_ecp(SSL s, int nid, CBB cbb)	1362	ssl3_send_server_kex_ecdhe(SSL s, CBB cbb)
1369	{	1363	{
1370	uint16_t curve_id;	1364	CBB public;
1371	EC_KEY *ecdh;	1365	int nid;
1372	CBB ecpoint;
1373	int al;
1374		1366
1375	/*	1367	if ((nid = tls1_get_shared_curve(s)) == NID_undef) {
1376	* Only named curves are supported in ECDH ephemeral key exchanges.
1377	* For supported named curves, curve_id is non-zero.
1378	*/
1379	if ((curve_id = tls1_ec_nid2curve_id(nid)) == 0) {
1380	SSLerror(s, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);	1368	SSLerror(s, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
		1369	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1381	goto err;	1370	goto err;
1382	}	1371	}
1383		1372
1384	if (S3I(s)->tmp.ecdh != NULL) {	1373	tls_key_share_free(S3I(s)->hs.key_share);
1385	SSLerror(s, ERR_R_INTERNAL_ERROR);	1374	if ((S3I(s)->hs.key_share = tls_key_share_new_nid(nid)) == NULL)
1386	goto err;	1375	goto err;
1387	}
1388		1376
1389	if ((S3I(s)->tmp.ecdh = EC_KEY_new()) == NULL) {	1377	if (!tls_key_share_generate(S3I(s)->hs.key_share))
1390	al = SSL_AD_HANDSHAKE_FAILURE;
1391	SSLerror(s, SSL_R_MISSING_TMP_ECDH_KEY);
1392	goto fatal_err;
1393	}
1394	S3I(s)->tmp.ecdh_nid = nid;
1395	ecdh = S3I(s)->tmp.ecdh;
1396
1397	if (!ssl_kex_generate_ecdhe_ecp(ecdh, nid))
1398	goto err;	1378	goto err;
1399		1379
1400	/*	1380	/*
1401	* Encode the public key.	1381	* ECC key exchange - see RFC 8422, section 5.4.
1402	*
1403	* Only named curves are supported in ECDH ephemeral key exchanges.
1404	* In this case the ServerKeyExchange message has:
1405	* [1 byte CurveType], [2 byte CurveName]
1406	* [1 byte length of encoded point], followed by
1407	* the actual encoded point itself.
1408	*/	1382	*/
1409	if (!CBB_add_u8(cbb, NAMED_CURVE_TYPE))	1383	if (!CBB_add_u8(cbb, NAMED_CURVE_TYPE))
1410	goto err;	1384	goto err;
1411	if (!CBB_add_u16(cbb, curve_id))	1385	if (!CBB_add_u16(cbb, tls_key_share_group(S3I(s)->hs.key_share)))
1412	goto err;	1386	goto err;
1413	if (!CBB_add_u8_length_prefixed(cbb, &ecpoint))	1387	if (!CBB_add_u8_length_prefixed(cbb, &public))
1414	goto err;	1388	goto err;
1415	if (!ssl_kex_public_ecdhe_ecp(ecdh, &ecpoint))	1389	if (!tls_key_share_public(S3I(s)->hs.key_share, &public))
1416	goto err;	1390	goto err;
1417	if (!CBB_flush(cbb))	1391	if (!CBB_flush(cbb))
1418	goto err;	1392	goto err;
1419		1393
1420	return 1;	1394	return 1;
1421		1395
1422	fatal_err:
1423	ssl3_send_alert(s, SSL3_AL_FATAL, al);
1424	err:	1396	err:
1425	return 0;	1397	return 0;
1426	}	1398	}
1427		1399
1428	static int
1429	ssl3_send_server_kex_ecdhe_ecx(SSL s, int nid, CBB cbb)
1430	{
1431	uint8_t public_key = NULL, private_key = NULL;
1432	uint16_t curve_id;
1433	CBB ecpoint;
1434	int ret = 0;
1435
1436	/* Generate an X25519 key pair. */
1437	if (S3I(s)->tmp.x25519 != NULL) {
1438	SSLerror(s, ERR_R_INTERNAL_ERROR);
1439	goto err;
1440	}
1441	if ((private_key = malloc(X25519_KEY_LENGTH)) == NULL)
1442	goto err;
1443	if ((public_key = malloc(X25519_KEY_LENGTH)) == NULL)
1444	goto err;
1445	X25519_keypair(public_key, private_key);
1446
1447	/* Serialize public key. */
1448	if ((curve_id = tls1_ec_nid2curve_id(nid)) == 0) {
1449	SSLerror(s, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
1450	goto err;
1451	}
1452
1453	if (!CBB_add_u8(cbb, NAMED_CURVE_TYPE))
1454	goto err;
1455	if (!CBB_add_u16(cbb, curve_id))
1456	goto err;
1457	if (!CBB_add_u8_length_prefixed(cbb, &ecpoint))
1458	goto err;
1459	if (!CBB_add_bytes(&ecpoint, public_key, X25519_KEY_LENGTH))
1460	goto err;
1461	if (!CBB_flush(cbb))
1462	goto err;
1463
1464	S3I(s)->tmp.x25519 = private_key;
1465	private_key = NULL;
1466	ret = 1;
1467
1468	err:
1469	free(public_key);
1470	freezero(private_key, X25519_KEY_LENGTH);
1471
1472	return ret;
1473	}
1474
1475	static int
1476	ssl3_send_server_kex_ecdhe(SSL s, CBB cbb)
1477	{
1478	int nid;
1479
1480	nid = tls1_get_shared_curve(s);
1481
1482	if (nid == NID_X25519)
1483	return ssl3_send_server_kex_ecdhe_ecx(s, nid, cbb);
1484
1485	return ssl3_send_server_kex_ecdhe_ecp(s, nid, cbb);
1486	}
1487
1488	int	1400	int
1489	ssl3_send_server_key_exchange(SSL *s)	1401	ssl3_send_server_key_exchange(SSL *s)
1490	{	1402	{
@@ -1791,148 +1703,74 @@ ssl3_get_client_kex_rsa(SSL s, CBS cbs)
1791	static int	1703	static int
1792	ssl3_get_client_kex_dhe(SSL s, CBS cbs)	1704	ssl3_get_client_kex_dhe(SSL s, CBS cbs)
1793	{	1705	{
1794	DH *dh_clnt = NULL;
1795	DH *dh_srvr;
1796	int invalid_key;
1797	uint8_t *key = NULL;	1706	uint8_t *key = NULL;
1798	size_t key_len = 0;	1707	size_t key_len = 0;
		1708	int invalid_key;
1799	int ret = 0;	1709	int ret = 0;
1800		1710
1801	if ((dh_srvr = S3I(s)->tmp.dh) == NULL) {	1711	if (S3I(s)->hs.key_share == NULL) {
1802	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);	1712	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1803	SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);	1713	SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
1804	goto err;	1714	goto err;
1805	}	1715	}
1806		1716
1807	if ((dh_clnt = DHparams_dup(dh_srvr)) == NULL)	1717	if (!tls_key_share_peer_public(S3I(s)->hs.key_share, cbs,
1808	goto err;	1718	&invalid_key))
1809
1810	if (!ssl_kex_peer_public_dhe(dh_clnt, cbs, &invalid_key)) {
1811	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1812	SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1813	goto err;	1719	goto err;
1814	}
1815	if (invalid_key) {	1720	if (invalid_key) {
1816	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);	1721	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
1817	SSLerror(s, SSL_R_BAD_DH_PUB_KEY_LENGTH);	1722	SSLerror(s, SSL_R_BAD_DH_PUB_KEY_LENGTH);
1818	goto err;	1723	goto err;
1819	}	1724	}
1820		1725
1821	if (!ssl_kex_derive_dhe(dh_srvr, dh_clnt, &key, &key_len))	1726	if (!tls_key_share_derive(S3I(s)->hs.key_share, &key, &key_len))
1822	goto err;	1727	goto err;
1823		1728
1824	if (!tls12_derive_master_secret(s, key, key_len))	1729	if (!tls12_derive_master_secret(s, key, key_len))
1825	goto err;	1730	goto err;
1826		1731
1827	DH_free(S3I(s)->tmp.dh);
1828	S3I(s)->tmp.dh = NULL;
1829
1830	ret = 1;	1732	ret = 1;
1831		1733
1832	err:	1734	err:
1833	freezero(key, key_len);	1735	freezero(key, key_len);
1834	DH_free(dh_clnt);
1835		1736
1836	return ret;	1737	return ret;
1837	}	1738	}
1838		1739
1839	static int	1740	static int
1840	ssl3_get_client_kex_ecdhe_ecp(SSL s, CBS cbs)	1741	ssl3_get_client_kex_ecdhe(SSL s, CBS cbs)
1841	{	1742	{
1842	uint8_t *key = NULL;	1743	uint8_t *key = NULL;
1843	size_t key_len = 0;	1744	size_t key_len = 0;
1844	EC_KEY *ecdh_peer = NULL;
1845	EC_KEY *ecdh;
1846	CBS public;	1745	CBS public;
1847	int ret = 0;	1746	int ret = 0;
1848		1747
1849	/*	1748	if (S3I(s)->hs.key_share == NULL) {
1850	* Use the ephemeral values we saved when generating the	1749	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1851	* ServerKeyExchange message.	1750	SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
1852	*/
1853	if ((ecdh = S3I(s)->tmp.ecdh) == NULL) {
1854	SSLerror(s, ERR_R_INTERNAL_ERROR);
1855	goto err;	1751	goto err;
1856	}	1752	}
1857		1753
1858	/*
1859	* Get client's public key from encoded point in the ClientKeyExchange
1860	* message.
1861	*/
1862	if (!CBS_get_u8_length_prefixed(cbs, &public))	1754	if (!CBS_get_u8_length_prefixed(cbs, &public))
1863	goto err;	1755	goto err;
1864	if (CBS_len(cbs) != 0)	1756	if (!tls_key_share_peer_public(S3I(s)->hs.key_share, &public, NULL))
1865	goto err;	1757	goto err;
1866		1758
1867	if ((ecdh_peer = EC_KEY_new()) == NULL)	1759	if (!tls_key_share_derive(S3I(s)->hs.key_share, &key, &key_len))
1868	goto err;	1760	goto err;
1869		1761
1870	if (!ssl_kex_peer_public_ecdhe_ecp(ecdh_peer, S3I(s)->tmp.ecdh_nid,
1871	&public))
1872	goto err;
1873
1874	/* Derive the shared secret and compute master secret. */
1875	if (!ssl_kex_derive_ecdhe_ecp(ecdh, ecdh_peer, &key, &key_len))
1876	goto err;
1877	if (!tls12_derive_master_secret(s, key, key_len))	1762	if (!tls12_derive_master_secret(s, key, key_len))
1878	goto err;	1763	goto err;
1879		1764
1880	EC_KEY_free(S3I(s)->tmp.ecdh);
1881	S3I(s)->tmp.ecdh = NULL;
1882	S3I(s)->tmp.ecdh_nid = NID_undef;
1883
1884	ret = 1;	1765	ret = 1;
1885		1766
1886	err:	1767	err:
1887	freezero(key, key_len);	1768	freezero(key, key_len);
1888	EC_KEY_free(ecdh_peer);
1889		1769
1890	return ret;	1770	return ret;
1891	}	1771	}
1892		1772
1893	static int	1773	static int
1894	ssl3_get_client_kex_ecdhe_ecx(SSL s, CBS cbs)
1895	{
1896	uint8_t *shared_key = NULL;
1897	CBS ecpoint;
1898	int ret = 0;
1899
1900	if (!CBS_get_u8_length_prefixed(cbs, &ecpoint))
1901	goto err;
1902	if (CBS_len(cbs) != 0)
1903	goto err;
1904	if (CBS_len(&ecpoint) != X25519_KEY_LENGTH)
1905	goto err;
1906
1907	if ((shared_key = malloc(X25519_KEY_LENGTH)) == NULL)
1908	goto err;
1909	if (!X25519(shared_key, S3I(s)->tmp.x25519, CBS_data(&ecpoint)))
1910	goto err;
1911
1912	freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH);
1913	S3I(s)->tmp.x25519 = NULL;
1914
1915	if (!tls12_derive_master_secret(s, shared_key, X25519_KEY_LENGTH))
1916	goto err;
1917
1918	ret = 1;
1919
1920	err:
1921	freezero(shared_key, X25519_KEY_LENGTH);
1922
1923	return ret;
1924	}
1925
1926	static int
1927	ssl3_get_client_kex_ecdhe(SSL s, CBS cbs)
1928	{
1929	if (S3I(s)->tmp.x25519 != NULL)
1930	return ssl3_get_client_kex_ecdhe_ecx(s, cbs);
1931
1932	return ssl3_get_client_kex_ecdhe_ecp(s, cbs);
1933	}
1934
1935	static int
1936	ssl3_get_client_kex_gost(SSL s, CBS cbs)	1774	ssl3_get_client_kex_gost(SSL s, CBS cbs)
1937	{	1775	{
1938	EVP_PKEY_CTX *pkey_ctx;	1776	EVP_PKEY_CTX *pkey_ctx;