6 files changed, 115 insertions, 233 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 54261c575a..899432e947 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.221 2022/01/06 18:23:56 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.222 2022/01/07 15:46:30 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1565,10 +1565,6 @@ ssl3_free(SSL *s)
        ssl3_release_write_buffer(s);
        freezero(S3I(s)->hs.sigalgs, S3I(s)->hs.sigalgs_len);
-        DH_free(S3I(s)->tmp.dh);
-        EC_KEY_free(S3I(s)->tmp.ecdh);
-        freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH);
        tls_key_share_free(S3I(s)->hs.key_share);
        tls13_secrets_destroy(S3I(s)->hs.tls13.secrets);
@@ -1601,14 +1597,6 @@ ssl3_clear(SSL *s)
        sk_X509_pop_free(s->internal->verified_chain, X509_free);
        s->internal->verified_chain = NULL;
-        DH_free(S3I(s)->tmp.dh);
-        S3I(s)->tmp.dh = NULL;
-        EC_KEY_free(S3I(s)->tmp.ecdh);
-        S3I(s)->tmp.ecdh = NULL;
-        S3I(s)->tmp.ecdh_nid = NID_undef;
-        freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH);
-        S3I(s)->tmp.x25519 = NULL;
        freezero(S3I(s)->hs.sigalgs, S3I(s)->hs.sigalgs_len);
        S3I(s)->hs.sigalgs = NULL;
        S3I(s)->hs.sigalgs_len = 0;
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 83b40d2dd3..cc7b342247 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.374 2022/01/06 18:23:56 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.375 2022/01/07 15:46:30 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1168,15 +1168,6 @@ typedef struct ssl3_state_internal_st {
        SSL_HANDSHAKE hs;
-        struct  {
-                DH *dh;
-                EC_KEY *ecdh; /* holds short lived ECDH key */
-                int ecdh_nid;
-                uint8_t *x25519;
-        } tmp;
        /* Connection binding to prevent renegotiation attacks */
        unsigned char previous_client_finished[EVP_MAX_MD_SIZE];
        unsigned char previous_client_finished_len;
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index 0496985351..b66a2c108d 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.130 2022/01/04 12:53:31 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.131 2022/01/07 15:46:30 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1309,23 +1309,23 @@ ssl3_send_server_done(SSL *s)
 static int
 ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)
 {
-        DH *dh = NULL;
+        int nid = NID_dhKeyAgreement;
-        int al;
-        if ((dh = DH_new()) == NULL)
+        tls_key_share_free(S3I(s)->hs.key_share);
+        if ((S3I(s)->hs.key_share = tls_key_share_new_nid(nid)) == NULL)
                goto err;
        if (s->cert->dh_tmp_auto != 0) {
                size_t key_bits;
                if ((key_bits = ssl_dhe_params_auto_key_bits(s)) == 0) {
-                        al = SSL_AD_INTERNAL_ERROR;
                        SSLerror(s, ERR_R_INTERNAL_ERROR);
-                        goto fatal_err;
+                        ssl3_send_alert(s, SSL3_AL_FATAL,
-                }
+                            SSL_AD_INTERNAL_ERROR);
-                if (!ssl_kex_generate_dhe_params_auto(dh, key_bits))
                        goto err;
+                }
+                tls_key_share_set_key_bits(S3I(s)->hs.key_share,
+                    key_bits);
        } else {
                DH *dh_params = s->cert->dh_tmp;
@@ -1334,157 +1334,69 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)
                            SSL_C_PKEYLENGTH(S3I(s)->hs.cipher));
                if (dh_params == NULL) {
-                        al = SSL_AD_HANDSHAKE_FAILURE;
                        SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
-                        goto fatal_err;
+                        ssl3_send_alert(s, SSL3_AL_FATAL,
+                            SSL_AD_HANDSHAKE_FAILURE);
+                        goto err;
                }
-                if (!ssl_kex_generate_dhe(dh, dh_params))
+                if (!tls_key_share_set_dh_params(S3I(s)->hs.key_share, dh_params))
                        goto err;
        }
-        if (!ssl_kex_params_dhe(dh, cbb))
+        if (!tls_key_share_generate(S3I(s)->hs.key_share))
-                goto err;
-        if (!ssl_kex_public_dhe(dh, cbb))
                goto err;
-        if (S3I(s)->tmp.dh != NULL) {
+        if (!tls_key_share_params(S3I(s)->hs.key_share, cbb))
-                SSLerror(s, ERR_R_INTERNAL_ERROR);
+                goto err;
+        if (!tls_key_share_public(S3I(s)->hs.key_share, cbb))
                goto err;
-        }
-        S3I(s)->tmp.dh = dh;
        return 1;
- fatal_err:
-        ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
-        DH_free(dh);
        return 0;
 }
 static int
-ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb)
+ssl3_send_server_kex_ecdhe(SSL *s, CBB *cbb)
 {
-        uint16_t curve_id;
+        CBB public;
-        EC_KEY *ecdh;
+        int nid;
-        CBB ecpoint;
-        int al;
-        /*
+        if ((nid = tls1_get_shared_curve(s)) == NID_undef) {
-         * Only named curves are supported in ECDH ephemeral key exchanges.
-         * For supported named curves, curve_id is non-zero.
-         */
-        if ((curve_id = tls1_ec_nid2curve_id(nid)) == 0) {
                SSLerror(s, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
+                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
                goto err;
        }
-        if (S3I(s)->tmp.ecdh != NULL) {
+        tls_key_share_free(S3I(s)->hs.key_share);
-                SSLerror(s, ERR_R_INTERNAL_ERROR);
+        if ((S3I(s)->hs.key_share = tls_key_share_new_nid(nid)) == NULL)
                goto err;
-        }
-        if ((S3I(s)->tmp.ecdh = EC_KEY_new()) == NULL) {
+        if (!tls_key_share_generate(S3I(s)->hs.key_share))
-                al = SSL_AD_HANDSHAKE_FAILURE;
-                SSLerror(s, SSL_R_MISSING_TMP_ECDH_KEY);
-                goto fatal_err;
-        }
-        S3I(s)->tmp.ecdh_nid = nid;
-        ecdh = S3I(s)->tmp.ecdh;
-        if (!ssl_kex_generate_ecdhe_ecp(ecdh, nid))
                goto err;
        /*
-         * Encode the public key.
+         * ECC key exchange - see RFC 8422, section 5.4.
-         *
-         * Only named curves are supported in ECDH ephemeral key exchanges.
-         * In this case the ServerKeyExchange message has:
-         * [1 byte CurveType], [2 byte CurveName]
-         * [1 byte length of encoded point], followed by
-         * the actual encoded point itself.
         */
        if (!CBB_add_u8(cbb, NAMED_CURVE_TYPE))
                goto err;
-        if (!CBB_add_u16(cbb, curve_id))
+        if (!CBB_add_u16(cbb, tls_key_share_group(S3I(s)->hs.key_share)))
                goto err;
-        if (!CBB_add_u8_length_prefixed(cbb, &ecpoint))
+        if (!CBB_add_u8_length_prefixed(cbb, &public))
                goto err;
-        if (!ssl_kex_public_ecdhe_ecp(ecdh, &ecpoint))
+        if (!tls_key_share_public(S3I(s)->hs.key_share, &public))
                goto err;
        if (!CBB_flush(cbb))
                goto err;
        return 1;
- fatal_err:
-        ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
        return 0;
 }
-static int
-ssl3_send_server_kex_ecdhe_ecx(SSL *s, int nid, CBB *cbb)
-{
-        uint8_t *public_key = NULL, *private_key = NULL;
-        uint16_t curve_id;
-        CBB ecpoint;
-        int ret = 0;
-        /* Generate an X25519 key pair. */
-        if (S3I(s)->tmp.x25519 != NULL) {
-                SSLerror(s, ERR_R_INTERNAL_ERROR);
-                goto err;
-        }
-        if ((private_key = malloc(X25519_KEY_LENGTH)) == NULL)
-                goto err;
-        if ((public_key = malloc(X25519_KEY_LENGTH)) == NULL)
-                goto err;
-        X25519_keypair(public_key, private_key);
-        /* Serialize public key. */
-        if ((curve_id = tls1_ec_nid2curve_id(nid)) == 0) {
-                SSLerror(s, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
-                goto err;
-        }
-        if (!CBB_add_u8(cbb, NAMED_CURVE_TYPE))
-                goto err;
-        if (!CBB_add_u16(cbb, curve_id))
-                goto err;
-        if (!CBB_add_u8_length_prefixed(cbb, &ecpoint))
-                goto err;
-        if (!CBB_add_bytes(&ecpoint, public_key, X25519_KEY_LENGTH))
-                goto err;
-        if (!CBB_flush(cbb))
-                goto err;
-        S3I(s)->tmp.x25519 = private_key;
-        private_key = NULL;
-        ret = 1;
- err:
-        free(public_key);
-        freezero(private_key, X25519_KEY_LENGTH);
-        return ret;
-}
-static int
-ssl3_send_server_kex_ecdhe(SSL *s, CBB *cbb)
-{
-        int nid;
-        nid = tls1_get_shared_curve(s);
-        if (nid == NID_X25519)
-                return ssl3_send_server_kex_ecdhe_ecx(s, nid, cbb);
-        return ssl3_send_server_kex_ecdhe_ecp(s, nid, cbb);
-}
 int
 ssl3_send_server_key_exchange(SSL *s)
 {
@@ -1791,148 +1703,74 @@ ssl3_get_client_kex_rsa(SSL *s, CBS *cbs)
 static int
 ssl3_get_client_kex_dhe(SSL *s, CBS *cbs)
 {
-        DH *dh_clnt = NULL;
-        DH *dh_srvr;
-        int invalid_key;
        uint8_t *key = NULL;
        size_t key_len = 0;
+        int invalid_key;
        int ret = 0;
-        if ((dh_srvr = S3I(s)->tmp.dh) == NULL) {
+        if (S3I(s)->hs.key_share == NULL) {
                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
                SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
                goto err;
        }
-        if ((dh_clnt = DHparams_dup(dh_srvr)) == NULL)
+        if (!tls_key_share_peer_public(S3I(s)->hs.key_share, cbs,
-                goto err;
+            &invalid_key))
-        if (!ssl_kex_peer_public_dhe(dh_clnt, cbs, &invalid_key)) {
-                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-                SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
                goto err;
-        }
        if (invalid_key) {
                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
                SSLerror(s, SSL_R_BAD_DH_PUB_KEY_LENGTH);
                goto err;
        }
-        if (!ssl_kex_derive_dhe(dh_srvr, dh_clnt, &key, &key_len))
+        if (!tls_key_share_derive(S3I(s)->hs.key_share, &key, &key_len))
                goto err;
        if (!tls12_derive_master_secret(s, key, key_len))
                goto err;
-        DH_free(S3I(s)->tmp.dh);
-        S3I(s)->tmp.dh = NULL;
        ret = 1;
 err:
        freezero(key, key_len);
-        DH_free(dh_clnt);
        return ret;
 }
 static int
-ssl3_get_client_kex_ecdhe_ecp(SSL *s, CBS *cbs)
+ssl3_get_client_kex_ecdhe(SSL *s, CBS *cbs)
 {
        uint8_t *key = NULL;
        size_t key_len = 0;
-        EC_KEY *ecdh_peer = NULL;
-        EC_KEY *ecdh;
        CBS public;
        int ret = 0;
-        /*
+        if (S3I(s)->hs.key_share == NULL) {
-         * Use the ephemeral values we saved when generating the
+                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
-         * ServerKeyExchange message.
+                SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
-         */
-        if ((ecdh = S3I(s)->tmp.ecdh) == NULL) {
-                SSLerror(s, ERR_R_INTERNAL_ERROR);
                goto err;
        }
-        /*
-         * Get client's public key from encoded point in the ClientKeyExchange
-         * message.
-         */
        if (!CBS_get_u8_length_prefixed(cbs, &public))
                goto err;
-        if (CBS_len(cbs) != 0)
+        if (!tls_key_share_peer_public(S3I(s)->hs.key_share, &public, NULL))
                goto err;
-        if ((ecdh_peer = EC_KEY_new()) == NULL)
+        if (!tls_key_share_derive(S3I(s)->hs.key_share, &key, &key_len))
                goto err;
-        if (!ssl_kex_peer_public_ecdhe_ecp(ecdh_peer, S3I(s)->tmp.ecdh_nid,
-            &public))
-                goto err;
-        /* Derive the shared secret and compute master secret. */
-        if (!ssl_kex_derive_ecdhe_ecp(ecdh, ecdh_peer, &key, &key_len))
-                goto err;
        if (!tls12_derive_master_secret(s, key, key_len))
                goto err;
-        EC_KEY_free(S3I(s)->tmp.ecdh);
-        S3I(s)->tmp.ecdh = NULL;
-        S3I(s)->tmp.ecdh_nid = NID_undef;
        ret = 1;
 err:
        freezero(key, key_len);
-        EC_KEY_free(ecdh_peer);
        return ret;
 }
 static int
-ssl3_get_client_kex_ecdhe_ecx(SSL *s, CBS *cbs)
-{
-        uint8_t *shared_key = NULL;
-        CBS ecpoint;
-        int ret = 0;
-        if (!CBS_get_u8_length_prefixed(cbs, &ecpoint))
-                goto err;
-        if (CBS_len(cbs) != 0)
-                goto err;
-        if (CBS_len(&ecpoint) != X25519_KEY_LENGTH)
-                goto err;
-        if ((shared_key = malloc(X25519_KEY_LENGTH)) == NULL)
-                goto err;
-        if (!X25519(shared_key, S3I(s)->tmp.x25519, CBS_data(&ecpoint)))
-                goto err;
-        freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH);
-        S3I(s)->tmp.x25519 = NULL;
-        if (!tls12_derive_master_secret(s, shared_key, X25519_KEY_LENGTH))
-                goto err;
-        ret = 1;
- err:
-        freezero(shared_key, X25519_KEY_LENGTH);
-        return ret;
-}
-static int
-ssl3_get_client_kex_ecdhe(SSL *s, CBS *cbs)
-{
-        if (S3I(s)->tmp.x25519 != NULL)
-                return ssl3_get_client_kex_ecdhe_ecx(s, cbs);
-        return ssl3_get_client_kex_ecdhe_ecp(s, cbs);
-}
-static int
 ssl3_get_client_kex_gost(SSL *s, CBS *cbs)
 {
        EVP_PKEY_CTX *pkey_ctx;
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 739ef06609..c32ae22779 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.90 2022/01/05 17:10:02 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.91 2022/01/07 15:46:30 jsing Exp $ */
 /*
 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -360,8 +360,8 @@ tls13_server_engage_record_protection(struct tls13_ctx *ctx)
        SSL *s = ctx->ssl;
        int ret = 0;
-        if (!tls_key_share_derive(ctx->hs->key_share,
+        if (!tls_key_share_derive(ctx->hs->key_share, &shared_key,
-            &shared_key, &shared_key_len))
+            &shared_key_len))
                goto err;
        s->session->cipher = ctx->hs->cipher;
diff --git a/src/lib/libssl/tls_internal.h b/src/lib/libssl/tls_internal.h
index 7e2beadeac..f7f939215a 100644
--- a/src/lib/libssl/tls_internal.h
+++ b/src/lib/libssl/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.3 2022/01/06 18:23:56 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.4 2022/01/07 15:46:30 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019, 2021 Joel Sing <jsing@openbsd.org>
 *
@@ -18,6 +18,7 @@
 #ifndef HEADER_TLS_INTERNAL_H
 #define HEADER_TLS_INTERNAL_H
+#include <openssl/dh.h>
 #include <openssl/evp.h>
 #include "bytestring.h"
@@ -64,8 +65,11 @@ void tls_key_share_free(struct tls_key_share *ks);
 uint16_t tls_key_share_group(struct tls_key_share *ks);
 int tls_key_share_nid(struct tls_key_share *ks);
+void tls_key_share_set_key_bits(struct tls_key_share *ks, size_t key_bits);
+int tls_key_share_set_dh_params(struct tls_key_share *ks, DH *dh_params);
 int tls_key_share_peer_pkey(struct tls_key_share *ks, EVP_PKEY *pkey);
 int tls_key_share_generate(struct tls_key_share *ks);
+int tls_key_share_params(struct tls_key_share *ks, CBB *cbb);
 int tls_key_share_public(struct tls_key_share *ks, CBB *cbb);
 int tls_key_share_peer_params(struct tls_key_share *ks, CBS *cbs,
    int *invalid_params);
diff --git a/src/lib/libssl/tls_key_share.c b/src/lib/libssl/tls_key_share.c
index 6e390f4a24..eb30a0ea69 100644
--- a/src/lib/libssl/tls_key_share.c
+++ b/src/lib/libssl/tls_key_share.c
@@ -1,6 +1,6 @@
-/* $OpenBSD: tls_key_share.c,v 1.2 2022/01/06 18:23:56 jsing Exp $ */
+/* $OpenBSD: tls_key_share.c,v 1.3 2022/01/07 15:46:30 jsing Exp $ */
 /*
- * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
+ * Copyright (c) 2020, 2021 Joel Sing <jsing@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +18,9 @@
 #include <stdlib.h>
 #include <openssl/curve25519.h>
+#include <openssl/dh.h>
 #include <openssl/ec.h>
+#include <openssl/evp.h>
 #include "bytestring.h"
 #include "ssl_locl.h"
@@ -27,6 +29,7 @@
 struct tls_key_share {
        int nid;
        uint16_t group_id;
+        size_t key_bits;
        DH *dhe;
        DH *dhe_peer;
@@ -108,6 +111,28 @@ tls_key_share_nid(struct tls_key_share *ks)
        return ks->nid;
 }
+void
+tls_key_share_set_key_bits(struct tls_key_share *ks, size_t key_bits)
+{
+        ks->key_bits = key_bits;
+}
+int
+tls_key_share_set_dh_params(struct tls_key_share *ks, DH *dh_params)
+{
+        if (ks->nid != NID_dhKeyAgreement)
+                return 0;
+        if (ks->dhe != NULL || ks->dhe_peer != NULL)
+                return 0;
+        if ((ks->dhe = DHparams_dup(dh_params)) == NULL)
+                return 0;
+        if ((ks->dhe_peer = DHparams_dup(dh_params)) == NULL)
+                return 0;
+        return 1;
+}
 int
 tls_key_share_peer_pkey(struct tls_key_share *ks, EVP_PKEY *pkey)
 {
@@ -126,10 +151,28 @@ tls_key_share_peer_pkey(struct tls_key_share *ks, EVP_PKEY *pkey)
 static int
 tls_key_share_generate_dhe(struct tls_key_share *ks)
 {
-        if (ks->dhe == NULL)
+        /*
+         * If auto params are not being used then we must already have DH
+         * parameters set.
+         */
+        if (ks->key_bits == 0) {
+                if (ks->dhe == NULL)
+                        return 0;
+                return ssl_kex_generate_dhe(ks->dhe, ks->dhe);
+        }
+        if (ks->dhe != NULL || ks->dhe_peer != NULL)
+                return 0;
+        if ((ks->dhe = DH_new()) == NULL)
+                return 0;
+        if (!ssl_kex_generate_dhe_params_auto(ks->dhe, ks->key_bits))
+                return 0;
+        if ((ks->dhe_peer = DHparams_dup(ks->dhe)) == NULL)
                return 0;
-        return ssl_kex_generate_dhe(ks->dhe, ks->dhe);
+        return 1;
 }
 static int
@@ -200,6 +243,24 @@ tls_key_share_generate(struct tls_key_share *ks)
 }
 static int
+tls_key_share_params_dhe(struct tls_key_share *ks, CBB *cbb)
+{
+        if (ks->dhe == NULL)
+                return 0;
+        return ssl_kex_params_dhe(ks->dhe, cbb);
+}
+int
+tls_key_share_params(struct tls_key_share *ks, CBB *cbb)
+{
+        if (ks->nid == NID_dhKeyAgreement)
+                return tls_key_share_params_dhe(ks, cbb);
+        return 0;
+}
+static int
 tls_key_share_public_dhe(struct tls_key_share *ks, CBB *cbb)
 {
        if (ks->dhe == NULL)