From 6ed1a438e76e4b38c933c65009239e991044c6b7 Mon Sep 17 00:00:00 2001 From: beck <> Date: Fri, 15 Nov 2019 15:14:02 +0000 Subject: Deduplicate some extension processing code. ok tb@ inoguchi@ --- src/lib/libssl/ssl_tlsext.c | 105 ++++++++++++++++++++------------------------ 1 file changed, 47 insertions(+), 58 deletions(-) diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index 91b74b5d3f..f91b790f99 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_tlsext.c,v 1.49 2019/05/29 17:28:37 jsing Exp $ */ +/* $OpenBSD: ssl_tlsext.c,v 1.50 2019/11/15 15:14:02 beck Exp $ */ /* * Copyright (c) 2016, 2017, 2019 Joel Sing * Copyright (c) 2017 Doug Hogan @@ -1223,17 +1223,11 @@ tlsext_keyshare_client_needs(SSL *s) TLS1_3_VERSION); } -int -tlsext_keyshare_client_build(SSL *s, CBB *cbb) +static int +tlsext_keyshare_x25519_internal(SSL *s, CBB *cbb) { uint8_t *public_key = NULL, *private_key = NULL; - CBB client_shares, key_exchange; - - /* Generate and provide key shares. */ - if (!CBB_add_u16_length_prefixed(cbb, &client_shares)) - return 0; - - /* XXX - other groups. */ + CBB key_exchange; /* Generate X25519 key pair. */ if ((public_key = malloc(X25519_KEY_LENGTH)) == NULL) @@ -1243,16 +1237,13 @@ tlsext_keyshare_client_build(SSL *s, CBB *cbb) X25519_keypair(public_key, private_key); /* Add the group and serialize the public key. */ - if (!CBB_add_u16(&client_shares, tls1_ec_nid2curve_id(NID_X25519))) + if (!CBB_add_u16(cbb, tls1_ec_nid2curve_id(NID_X25519))) goto err; - if (!CBB_add_u16_length_prefixed(&client_shares, &key_exchange)) + if (!CBB_add_u16_length_prefixed(cbb, &key_exchange)) goto err; if (!CBB_add_bytes(&key_exchange, public_key, X25519_KEY_LENGTH)) goto err; - if (!CBB_flush(cbb)) - goto err; - S3I(s)->hs_tls13.x25519_public = public_key; S3I(s)->hs_tls13.x25519_private = private_key; @@ -1265,6 +1256,32 @@ tlsext_keyshare_client_build(SSL *s, CBB *cbb) return 0; } +int +tlsext_keyshare_client_build(SSL *s, CBB *cbb) +{ + CBB client_shares; + + /* Generate and provide key shares. */ + if (!CBB_add_u16_length_prefixed(cbb, &client_shares)) + return 0; + + /* XXX - other groups. */ + + if (!tlsext_keyshare_x25519_internal(s, &client_shares)) + return 0; + + if (!CBB_flush(cbb)) + goto err; + + return 1; + + err: + freezero(S3I(s)->hs_tls13.x25519_public, X25519_KEY_LENGTH); + freezero(S3I(s)->hs_tls13.x25519_private, X25519_KEY_LENGTH); + + return 0; +} + int tlsext_keyshare_server_parse(SSL *s, CBS *cbs, int *alert) { @@ -1324,41 +1341,21 @@ tlsext_keyshare_server_needs(SSL *s) int tlsext_keyshare_server_build(SSL *s, CBB *cbb) { - uint8_t *public_key = NULL, *private_key = NULL; - CBB key_exchange; - - /* XXX deduplicate with client code */ - /* X25519 */ if (S3I(s)->hs_tls13.x25519_peer_public == NULL) return 0; - /* Generate X25519 key pair. */ - if ((public_key = malloc(X25519_KEY_LENGTH)) == NULL) - goto err; - if ((private_key = malloc(X25519_KEY_LENGTH)) == NULL) - goto err; - X25519_keypair(public_key, private_key); - - /* Add the group and serialize the public key. */ - if (!CBB_add_u16(cbb, tls1_ec_nid2curve_id(NID_X25519))) - goto err; - if (!CBB_add_u16_length_prefixed(cbb, &key_exchange)) - goto err; - if (!CBB_add_bytes(&key_exchange, public_key, X25519_KEY_LENGTH)) - goto err; + if (!tlsext_keyshare_x25519_internal(s, cbb)) + return 0; if (!CBB_flush(cbb)) goto err; - S3I(s)->hs_tls13.x25519_public = public_key; - S3I(s)->hs_tls13.x25519_private = private_key; - return 1; err: - freezero(public_key, X25519_KEY_LENGTH); - freezero(private_key, X25519_KEY_LENGTH); + freezero(S3I(s)->hs_tls13.x25519_public, X25519_KEY_LENGTH); + freezero(S3I(s)->hs_tls13.x25519_private, X25519_KEY_LENGTH); return 0; } @@ -1534,8 +1531,8 @@ tlsext_cookie_client_needs(SSL *s) S3I(s)->hs_tls13.cookie != NULL); } -int -tlsext_cookie_client_build(SSL *s, CBB *cbb) +static int +tlsext_cookie_build_internal(SSL *s, CBB *cbb) { CBB cookie; @@ -1552,6 +1549,12 @@ tlsext_cookie_client_build(SSL *s, CBB *cbb) return 1; } +int +tlsext_cookie_client_build(SSL *s, CBB *cbb) +{ + return tlsext_cookie_build_internal(s, cbb); +} + int tlsext_cookie_server_parse(SSL *s, CBS *cbs, int *alert) { @@ -1599,25 +1602,11 @@ tlsext_cookie_server_needs(SSL *s) } int -tlsext_cookie_server_build(SSL *s, CBB *cbb) -{ - CBB cookie; - - /* XXX deduplicate with client code */ - - if (!CBB_add_u16_length_prefixed(cbb, &cookie)) - return 0; - - if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie, - S3I(s)->hs_tls13.cookie_len)) - return 0; - - if (!CBB_flush(cbb)) - return 0; - - return 1; +tlsext_cookie_server_build(SSL *s, CBB *cbb) { + return tlsext_cookie_build_internal(s, cbb); } + int tlsext_cookie_client_parse(SSL *s, CBS *cbs, int *alert) { -- cgit v1.2.3-55-g6feb