1 files changed, 65 insertions, 4 deletions
diff --git a/src/lib/libssl/tls_key_share.c b/src/lib/libssl/tls_key_share.c
index 6e390f4a24..eb30a0ea69 100644
--- a/src/lib/libssl/tls_key_share.c
+++ b/src/lib/libssl/tls_key_share.c
@@ -1,6 +1,6 @@
-/* $OpenBSD: tls_key_share.c,v 1.2 2022/01/06 18:23:56 jsing Exp $ */
+/* $OpenBSD: tls_key_share.c,v 1.3 2022/01/07 15:46:30 jsing Exp $ */
 /*
- * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
+ * Copyright (c) 2020, 2021 Joel Sing <jsing@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +18,9 @@
 #include <stdlib.h>
 #include <openssl/curve25519.h>
+#include <openssl/dh.h>
 #include <openssl/ec.h>
+#include <openssl/evp.h>
 #include "bytestring.h"
 #include "ssl_locl.h"
@@ -27,6 +29,7 @@
 struct tls_key_share {
        int nid;
        uint16_t group_id;
+        size_t key_bits;
        DH *dhe;
        DH *dhe_peer;
@@ -108,6 +111,28 @@ tls_key_share_nid(struct tls_key_share *ks)
        return ks->nid;
 }
+void
+tls_key_share_set_key_bits(struct tls_key_share *ks, size_t key_bits)
+{
+        ks->key_bits = key_bits;
+}
+int
+tls_key_share_set_dh_params(struct tls_key_share *ks, DH *dh_params)
+{
+        if (ks->nid != NID_dhKeyAgreement)
+                return 0;
+        if (ks->dhe != NULL || ks->dhe_peer != NULL)
+                return 0;
+        if ((ks->dhe = DHparams_dup(dh_params)) == NULL)
+                return 0;
+        if ((ks->dhe_peer = DHparams_dup(dh_params)) == NULL)
+                return 0;
+        return 1;
+}
 int
 tls_key_share_peer_pkey(struct tls_key_share *ks, EVP_PKEY *pkey)
 {
@@ -126,10 +151,28 @@ tls_key_share_peer_pkey(struct tls_key_share *ks, EVP_PKEY *pkey)
 static int
 tls_key_share_generate_dhe(struct tls_key_share *ks)
 {
-        if (ks->dhe == NULL)
+        /*
+         * If auto params are not being used then we must already have DH
+         * parameters set.
+         */
+        if (ks->key_bits == 0) {
+                if (ks->dhe == NULL)
+                        return 0;
+                return ssl_kex_generate_dhe(ks->dhe, ks->dhe);
+        }
+        if (ks->dhe != NULL || ks->dhe_peer != NULL)
+                return 0;
+        if ((ks->dhe = DH_new()) == NULL)
+                return 0;
+        if (!ssl_kex_generate_dhe_params_auto(ks->dhe, ks->key_bits))
+                return 0;
+        if ((ks->dhe_peer = DHparams_dup(ks->dhe)) == NULL)
                return 0;
-        return ssl_kex_generate_dhe(ks->dhe, ks->dhe);
+        return 1;
 }
 static int
@@ -200,6 +243,24 @@ tls_key_share_generate(struct tls_key_share *ks)
 }
 static int
+tls_key_share_params_dhe(struct tls_key_share *ks, CBB *cbb)
+{
+        if (ks->dhe == NULL)
+                return 0;
+        return ssl_kex_params_dhe(ks->dhe, cbb);
+}
+int
+tls_key_share_params(struct tls_key_share *ks, CBB *cbb)
+{
+        if (ks->nid == NID_dhKeyAgreement)
+                return tls_key_share_params_dhe(ks, cbb);
+        return 0;
+}
+static int
 tls_key_share_public_dhe(struct tls_key_share *ks, CBB *cbb)
 {
        if (ks->dhe == NULL)

diff --git a/src/lib/libssl/tls_key_share.c b/src/lib/libssl/tls_key_share.c index 6e390f4a24..eb30a0ea69 100644 --- a/src/lib/libssl/tls_key_share.c +++ b/src/lib/libssl/tls_key_share.c
@@ -1,6 +1,6 @@
1	/* $OpenBSD: tls_key_share.c,v 1.2 2022/01/06 18:23:56 jsing Exp $ */	1	/* $OpenBSD: tls_key_share.c,v 1.3 2022/01/07 15:46:30 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2020 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2020, 2021 Joel Sing <jsing@openbsd.org>
4	*	4	*
5	* Permission to use, copy, modify, and distribute this software for any	5	* Permission to use, copy, modify, and distribute this software for any
6	* purpose with or without fee is hereby granted, provided that the above	6	* purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +18,9 @@
18	#include <stdlib.h>	18	#include <stdlib.h>
19		19
20	#include <openssl/curve25519.h>	20	#include <openssl/curve25519.h>
		21	#include <openssl/dh.h>
21	#include <openssl/ec.h>	22	#include <openssl/ec.h>
		23	#include <openssl/evp.h>
22		24
23	#include "bytestring.h"	25	#include "bytestring.h"
24	#include "ssl_locl.h"	26	#include "ssl_locl.h"
@@ -27,6 +29,7 @@
27	struct tls_key_share {	29	struct tls_key_share {
28	int nid;	30	int nid;
29	uint16_t group_id;	31	uint16_t group_id;
		32	size_t key_bits;
30		33
31	DH *dhe;	34	DH *dhe;
32	DH *dhe_peer;	35	DH *dhe_peer;
@@ -108,6 +111,28 @@ tls_key_share_nid(struct tls_key_share *ks)
108	return ks->nid;	111	return ks->nid;
109	}	112	}
110		113
		114	void
		115	tls_key_share_set_key_bits(struct tls_key_share *ks, size_t key_bits)
		116	{
		117	ks->key_bits = key_bits;
		118	}
		119
		120	int
		121	tls_key_share_set_dh_params(struct tls_key_share ks, DH dh_params)
		122	{
		123	if (ks->nid != NID_dhKeyAgreement)
		124	return 0;
		125	if (ks->dhe != NULL \|\| ks->dhe_peer != NULL)
		126	return 0;
		127
		128	if ((ks->dhe = DHparams_dup(dh_params)) == NULL)
		129	return 0;
		130	if ((ks->dhe_peer = DHparams_dup(dh_params)) == NULL)
		131	return 0;
		132
		133	return 1;
		134	}
		135
111	int	136	int
112	tls_key_share_peer_pkey(struct tls_key_share ks, EVP_PKEY pkey)	137	tls_key_share_peer_pkey(struct tls_key_share ks, EVP_PKEY pkey)
113	{	138	{
@@ -126,10 +151,28 @@ tls_key_share_peer_pkey(struct tls_key_share ks, EVP_PKEY pkey)
126	static int	151	static int
127	tls_key_share_generate_dhe(struct tls_key_share *ks)	152	tls_key_share_generate_dhe(struct tls_key_share *ks)
128	{	153	{
129	if (ks->dhe == NULL)	154	/*
		155	* If auto params are not being used then we must already have DH
		156	* parameters set.
		157	*/
		158	if (ks->key_bits == 0) {
		159	if (ks->dhe == NULL)
		160	return 0;
		161
		162	return ssl_kex_generate_dhe(ks->dhe, ks->dhe);
		163	}
		164
		165	if (ks->dhe != NULL \|\| ks->dhe_peer != NULL)
		166	return 0;
		167
		168	if ((ks->dhe = DH_new()) == NULL)
		169	return 0;
		170	if (!ssl_kex_generate_dhe_params_auto(ks->dhe, ks->key_bits))
		171	return 0;
		172	if ((ks->dhe_peer = DHparams_dup(ks->dhe)) == NULL)
130	return 0;	173	return 0;
131		174
132	return ssl_kex_generate_dhe(ks->dhe, ks->dhe);	175	return 1;
133	}	176	}
134		177
135	static int	178	static int
@@ -200,6 +243,24 @@ tls_key_share_generate(struct tls_key_share *ks)
200	}	243	}
201		244
202	static int	245	static int
		246	tls_key_share_params_dhe(struct tls_key_share ks, CBB cbb)
		247	{
		248	if (ks->dhe == NULL)
		249	return 0;
		250
		251	return ssl_kex_params_dhe(ks->dhe, cbb);
		252	}
		253
		254	int
		255	tls_key_share_params(struct tls_key_share ks, CBB cbb)
		256	{
		257	if (ks->nid == NID_dhKeyAgreement)
		258	return tls_key_share_params_dhe(ks, cbb);
		259
		260	return 0;
		261	}
		262
		263	static int
203	tls_key_share_public_dhe(struct tls_key_share ks, CBB cbb)	264	tls_key_share_public_dhe(struct tls_key_share ks, CBB cbb)
204	{	265	{
205	if (ks->dhe == NULL)	266	if (ks->dhe == NULL)