From d82ca953a5e7d61a103ae2e7c9744db82d74f016 Mon Sep 17 00:00:00 2001 From: jsing <> Date: Sat, 18 Apr 2020 14:07:56 +0000 Subject: Expose the peer ephemeral public key used for TLSv1.3 key exchange. SSL_get_server_tmp_key() provides the peer ephemeral public key used for key exchange. In the case of TLSv1.3 this is essentially the peer public key from the key share used for TLSv1.3 key exchange, hence make it availaable via SSL_get_server_tmp_key(). ok inoguchi@ tb@ --- src/lib/libssl/s3_lib.c | 48 ++++++++++++++-------------------------- src/lib/libssl/ssl_kex.c | 43 ++++++++++++++++++++++++++++++++++- src/lib/libssl/ssl_locl.h | 3 ++- src/lib/libssl/tls13_internal.h | 3 ++- src/lib/libssl/tls13_key_share.c | 18 ++++++++++++++- 5 files changed, 79 insertions(+), 36 deletions(-) diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index dfd5893a2f..87b43a3521 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_lib.c,v 1.191 2020/02/16 14:33:04 inoguchi Exp $ */ +/* $OpenBSD: s3_lib.c,v 1.192 2020/04/18 14:07:56 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1652,10 +1652,6 @@ static long ssl_ctrl_get_server_tmp_key(SSL *s, EVP_PKEY **pkey_tmp) { EVP_PKEY *pkey = NULL; - EC_GROUP *group = NULL; - EC_POINT *point = NULL; - EC_KEY *ec_key = NULL; - BIGNUM *order = NULL; SESS_CERT *sc; int ret = 0; 
@@ -1672,41 +1668,29 @@ ssl_ctrl_get_server_tmp_key(SSL *s, EVP_PKEY **pkey_tmp) return 0; if (sc->peer_dh_tmp != NULL) { - ret = EVP_PKEY_set1_DH(pkey, sc->peer_dh_tmp); - } else if (sc->peer_ecdh_tmp) { - ret = EVP_PKEY_set1_EC_KEY(pkey, sc->peer_ecdh_tmp); - } else if (sc->peer_x25519_tmp != NULL) { - /* Fudge up an EC_KEY that looks like X25519... */ - if ((group = EC_GROUP_new_by_curve_name( - NID_X9_62_prime256v1)) == NULL) - goto err; - if ((point = EC_POINT_new(group)) == NULL) - goto err; - if ((order = BN_new()) == NULL) + if (!EVP_PKEY_set1_DH(pkey, sc->peer_dh_tmp)) goto err; - if (!BN_set_bit(order, 252)) - goto err; - if (!EC_GROUP_set_generator(group, point, order, NULL)) + } else if (sc->peer_ecdh_tmp) { + if (!EVP_PKEY_set1_EC_KEY(pkey, sc->peer_ecdh_tmp)) goto err; - EC_GROUP_set_curve_name(group, NID_X25519); - if ((ec_key = EC_KEY_new()) == NULL) + } else if (sc->peer_x25519_tmp != NULL) { + if (!ssl_kex_dummy_ecdhe_x25519(pkey)) goto err; - if (!EC_KEY_set_group(ec_key, group)) + } else if (S3I(s)->hs_tls13.key_share != NULL) { + if (!tls13_key_share_peer_pkey(S3I(s)->hs_tls13.key_share, + pkey)) goto err; - ret = EVP_PKEY_set1_EC_KEY(pkey, ec_key); + } else { + goto err; } - if (ret == 1) { - *pkey_tmp = pkey; - pkey = NULL; - } + *pkey_tmp = pkey; + pkey = NULL; - err: + ret = 1; + + err: EVP_PKEY_free(pkey); - EC_GROUP_free(group); - EC_POINT_free(point); - EC_KEY_free(ec_key); - BN_free(order); return (ret); } diff --git a/src/lib/libssl/ssl_kex.c b/src/lib/libssl/ssl_kex.c index 439c1702b3..9f05fd60c9 100644 --- a/src/lib/libssl/ssl_kex.c +++ b/src/lib/libssl/ssl_kex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_kex.c,v 1.1 2020/01/30 16:25:09 jsing Exp $ */ +/* $OpenBSD: ssl_kex.c,v 1.2 2020/04/18 14:07:56 jsing Exp $ */ /* * Copyright (c) 2020 Joel Sing * 
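Review bot: In the rewritten chain in ssl_ctrl_get_server_tmp_key(), `} else if (sc->peer_ecdh_tmp) {` is the only branch that tests its pointer implicitly, while the branches around it compare against NULL; write it as `} else if (sc->peer_ecdh_tmp != NULL) {`. The legacy `sc->peer_*` fields are also tested before `S3I(s)->hs_tls13.key_share`, so the TLSv1.3 branch runs only when all three are NULL. If that ordering is intentional, say so with a short comment such as `/* TLSv1.3 leaves sc->peer_*_tmp unset and uses the key share instead. */`; this is presumed from the branch order and should be confirmed against the TLSv1.3 handshake code. The function begins above this hunk, so the conditions guarding the early `return 0` are not visible here.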
@@ -19,9 +19,50 @@ #include #include +#include +#include #include "bytestring.h" +int +ssl_kex_dummy_ecdhe_x25519(EVP_PKEY *pkey) +{ + EC_GROUP *group = NULL; + EC_POINT *point = NULL; + EC_KEY *ec_key = NULL; + BIGNUM *order = NULL; + int ret = 0; + + /* Fudge up an EC_KEY that looks like X25519... */ + if ((group = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1)) == NULL) + goto err; + if ((point = EC_POINT_new(group)) == NULL) + goto err; + if ((order = BN_new()) == NULL) + goto err; + if (!BN_set_bit(order, 252)) + goto err; + if (!EC_GROUP_set_generator(group, point, order, NULL)) + goto err; + EC_GROUP_set_curve_name(group, NID_X25519); + if ((ec_key = EC_KEY_new()) == NULL) + goto err; + if (!EC_KEY_set_group(ec_key, group)) + goto err; + if (!EVP_PKEY_set1_EC_KEY(pkey, ec_key)) + goto err; + + ret = 1; + + err: + EC_GROUP_free(group); + EC_POINT_free(point); + EC_KEY_free(ec_key); + BN_free(order); + + return ret; +} + int ssl_kex_generate_ecdhe_ecp(EC_KEY *ecdh, int nid) { diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index 07240e31a2..0212166678 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.271 2020/03/16 15:25:14 tb Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.272 2020/04/18 14:07:56 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1288,6 +1288,7 @@ int ssl3_get_client_certificate(SSL *s); int ssl3_get_client_key_exchange(SSL *s); int ssl3_get_cert_verify(SSL *s); +int ssl_kex_dummy_ecdhe_x25519(EVP_PKEY *pkey); int ssl_kex_generate_ecdhe_ecp(EC_KEY *ecdh, int nid); int ssl_kex_public_ecdhe_ecp(EC_KEY *ecdh, CBB *cbb); int ssl_kex_peer_public_ecdhe_ecp(EC_KEY *ecdh, int nid, CBS *cbs); diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h index 8d5d9c4efe..6f5f5197d0 100644 --- a/src/lib/libssl/tls13_internal.h +++ b/src/lib/libssl/tls13_internal.h 
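Review bot: ssl_kex_dummy_ecdhe_x25519() is now a shared helper declared in ssl_locl.h, yet its only documentation is the inline `/* Fudge up an EC_KEY that looks like X25519... */`. The construction needs why-comments: the group is created from `NID_X9_62_prime256v1` and then relabelled with `EC_GROUP_set_curve_name(group, NID_X25519)`, the generator is a freshly allocated `point` that is never given coordinates, and `BN_set_bit(order, 252)` sets the order to 2^252, presumably so that the key reports a 253-bit size. I would add a header comment stating that the function returns 1 on success and 0 on failure, that the EC_KEY attached to `pkey` never receives a public key, and that its group parameters are a stand-in that must not be used for any EC computation.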
@@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_internal.h,v 1.62 2020/04/17 17:16:53 jsing Exp $ */ +/* $OpenBSD: tls13_internal.h,v 1.63 2020/04/18 14:07:56 jsing Exp $ */ /* * Copyright (c) 2018 Bob Beck * Copyright (c) 2018 Theo Buehler @@ -128,6 +128,7 @@ struct tls13_key_share *tls13_key_share_new_nid(int nid); void tls13_key_share_free(struct tls13_key_share *ks); uint16_t tls13_key_share_group(struct tls13_key_share *ks); +int tls13_key_share_peer_pkey(struct tls13_key_share *ks, EVP_PKEY *pkey); int tls13_key_share_generate(struct tls13_key_share *ks); int tls13_key_share_public(struct tls13_key_share *ks, CBB *cbb); int tls13_key_share_peer_public(struct tls13_key_share *ks, uint16_t group, diff --git a/src/lib/libssl/tls13_key_share.c b/src/lib/libssl/tls13_key_share.c index 58544dc1db..0d1c091462 100644 --- a/src/lib/libssl/tls13_key_share.c +++ b/src/lib/libssl/tls13_key_share.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_key_share.c,v 1.5 2020/04/18 13:43:47 jsing Exp $ */ +/* $OpenBSD: tls13_key_share.c,v 1.6 2020/04/18 14:07:56 jsing Exp $ */ /* * Copyright (c) 2020 Joel Sing * @@ -86,6 +86,22 @@ tls13_key_share_group(struct tls13_key_share *ks) return ks->group_id; } +int +tls13_key_share_peer_pkey(struct tls13_key_share *ks, EVP_PKEY *pkey) +{ + if (ks->nid == NID_X25519 && ks->x25519_peer_public != NULL) { + if (!ssl_kex_dummy_ecdhe_x25519(pkey)) + return 0; + } else if (ks->ecdhe_peer != NULL) { + if (!EVP_PKEY_set1_EC_KEY(pkey, ks->ecdhe_peer)) + return 0; + } else { + return 0; + } + + return 1; +} + static int tls13_key_share_generate_ecdhe_ecp(struct tls13_key_share *ks) { -- cgit v1.2.3-55-g6feb
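Review bot: The X25519 branch of tls13_key_share_peer_pkey() only tests `ks->x25519_peer_public != NULL` and then calls `ssl_kex_dummy_ecdhe_x25519(pkey)`, so the bytes of the peer's share are never copied into `pkey`. Only the `ks->ecdhe_peer` branch hands back the real peer key, through `EVP_PKEY_set1_EC_KEY()`. Since the commit subject says the peer ephemeral public key is exposed, document the difference at the function, e.g. `/* For X25519, pkey only identifies the group; the peer's public value is not included. */`. Callers of SSL_get_server_tmp_key() then know not to compare, log or pin the returned key as if it were the peer's for X25519 handshakes.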