From 295bf02f8211b77feb0bc6963c1b7ec49122ce18 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Fri, 17 Apr 2020 17:16:53 +0000
Subject: Generate client key share using our preferred group.

Generate a client key share using our preferred group, rather than always using X25519. This means that the key share group can be controlled via SSL{_CTX,}_set1_groups() and SSL{_CTX,}_set1_groups_list().
ok beck@
---
 src/lib/libssl/tls13_client.c | 27 +++++++++++++++------------
 src/lib/libssl/tls13_internal.h | 5 +++--
 src/lib/libssl/tls13_key_share.c | 26 +++++++++++++++++---------
 src/lib/libssl/tls13_server.c | 4 ++--
 4 files changed, 37 insertions(+), 25 deletions(-)
(limited to 'src/lib')
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index 22cda1e6be..5cd588875e 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.48 2020/04/08 16:23:58 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.49 2020/04/17 17:16:53 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing
 *
@@ -36,6 +36,8 @@ tls13_connect(struct tls13_ctx *ctx)
 static int
 tls13_client_init(struct tls13_ctx *ctx)
 {
+ const uint16_t *groups;
+ size_t groups_len;
 SSL *s = ctx->ssl;
 if (!ssl_supported_version_range(s, &ctx->hs->min_version,
@@ -51,7 +53,11 @@ tls13_client_init(struct tls13_ctx *ctx)
 if (!tls1_transcript_init(s))
 return 0;
- if ((ctx->hs->key_share = tls13_key_share_new(NID_X25519)) == NULL)
+ /* Generate a key share using our preferred group. */
+ tls1_get_group_list(s, 0, &groups, &groups_len);
+ if (groups_len < 1)
+ return 0;
+ if ((ctx->hs->key_share = tls13_key_share_new(groups[0])) == NULL)
 return 0;
 if (!tls13_key_share_generate(ctx->hs->key_share))
 return 0;
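Review bot: In tls13_client_init, `groups[0]` goes straight into tls13_key_share_new() with no check that the application's first preference is a group that may be used for a TLS 1.3 key share. As rewritten later in this commit, tls13_key_share_new() rejects only ids that tls1_ec_curve_id2nid() cannot map, so a list set via SSL_set1_groups() that starts with some other curve would presumably either be offered in the ClientHello key share or make init fail outright; tls13_key_share_generate() is not visible here, so which one is unclear. The same widening applies in tls13_client_hello_retry_send, where the fixed X25519/P-256/P-384 check is replaced by tls1_check_curve(). I would iterate the list and use the first entry accepted for TLS 1.3 rather than only index 0, and state that in the comment: `/* Generate a key share using the first preferred group usable in TLS 1.3. */`. The function body continues outside the hunk.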
@@ -560,23 +566,20 @@ tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
 int
 tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb)
 {
- int nid;
-
 /*
- * Ensure that the server supported group is not the same
- * as the one we previously offered and that it was one that
- * we listed in our supported groups.
+ * Ensure that the server supported group is one that we listed in our
+ * supported groups and is not the same as the key share we previously
+ * offered.
 */
- if (ctx->hs->server_group == tls13_key_share_group(ctx->hs->key_share))
+ if (!tls1_check_curve(ctx->ssl, ctx->hs->server_group))
 return 0; /* XXX alert */
- if ((nid = tls1_ec_curve_id2nid(ctx->hs->server_group)) == 0)
- return 0;
- if (nid != NID_X25519 && nid != NID_X9_62_prime256v1 && nid != NID_secp384r1)
+ if (ctx->hs->server_group == tls13_key_share_group(ctx->hs->key_share))
 return 0; /* XXX alert */
 /* Switch to new key share. */
 tls13_key_share_free(ctx->hs->key_share);
- if ((ctx->hs->key_share = tls13_key_share_new(nid)) == NULL)
+ if ((ctx->hs->key_share =
+ tls13_key_share_new(ctx->hs->server_group)) == NULL)
 return 0;
 if (!tls13_key_share_generate(ctx->hs->key_share))
 return 0;
diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h
index 053a7972a0..8d5d9c4efe 100644
--- a/src/lib/libssl/tls13_internal.h
+++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.61 2020/03/10 17:15:02 jsing Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.62 2020/04/17 17:16:53 jsing Exp $ */
 /*
 * Copyright (c) 2018 Bob Beck
 * Copyright (c) 2018 Theo Buehler
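Review bot: Both rejection paths in tls13_client_hello_retry_send still return 0 with only the `/* XXX alert */` marker, including the one behind the new `tls1_check_curve()` check, so a HelloRetryRequest naming a group we never listed is dropped without an alert to the peer. RFC 8446 section 4.2.8 requires the client to abort with an illegal_parameter alert when either of these checks fails. Until the alert is wired up I would make the markers say what is missing, e.g. `return 0; /* XXX send illegal_parameter alert, RFC 8446 4.2.8 */`. The function continues past the end of the hunk.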
@@ -123,7 +123,8 @@ int tls13_update_server_traffic_secret(struct tls13_secrets *secrets);
 */
 struct tls13_key_share;
-struct tls13_key_share *tls13_key_share_new(int nid);
+struct tls13_key_share *tls13_key_share_new(uint16_t group_id);
+struct tls13_key_share *tls13_key_share_new_nid(int nid);
 void tls13_key_share_free(struct tls13_key_share *ks);
 uint16_t tls13_key_share_group(struct tls13_key_share *ks);
diff --git a/src/lib/libssl/tls13_key_share.c b/src/lib/libssl/tls13_key_share.c
index c38a3e3cb8..5404c04070 100644
--- a/src/lib/libssl/tls13_key_share.c
+++ b/src/lib/libssl/tls13_key_share.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_key_share.c,v 1.3 2020/02/04 18:06:26 jsing Exp $ */
+/* $OpenBSD: tls13_key_share.c,v 1.4 2020/04/17 17:16:53 jsing Exp $ */
 /*
 * Copyright (c) 2020 Joel Sing
 *
@@ -36,24 +36,32 @@ struct tls13_key_share {
 };
 struct tls13_key_share *
-tls13_key_share_new(int nid)
+tls13_key_share_new(uint16_t group_id)
 {
 struct tls13_key_share *ks;
+ int nid;
- if ((ks = calloc(1, sizeof(struct tls13_key_share))) == NULL)
- goto err;
+ if ((nid = tls1_ec_curve_id2nid(group_id)) == 0)
+ return NULL;
- if ((ks->group_id = tls1_ec_nid2curve_id(nid)) == 0)
- goto err;
+ if ((ks = calloc(1, sizeof(struct tls13_key_share))) == NULL)
+ return NULL;
+ ks->group_id = group_id;
 ks->nid = nid;
 return ks;
+}
- err:
- tls13_key_share_free(ks);
+struct tls13_key_share *
+tls13_key_share_new_nid(int nid)
+{
+ uint16_t group_id;
+
+ if ((group_id = tls1_ec_nid2curve_id(nid)) == 0)
+ return NULL;
- return NULL;
+ return tls13_key_share_new(group_id);
 }
 void
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 3b170f9370..1aebf5840c 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.28 2020/03/10 17:23:25 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.29 2020/04/17 17:16:53 jsing Exp $ */
 /*
 * Copyright (c) 2019, 2020 Joel Sing
 * Copyright (c) 2020 Bob Beck
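Review bot: The tls13_internal.h hunk keeps the name tls13_key_share_new() but changes its argument from an OpenSSL NID to a TLS group id, and because `int` converts silently to `uint16_t`, any caller not updated in this commit still compiles while passing a NID where a group id is expected. With the tls13_key_share.c rewrite such a call would most likely fail in tls1_ec_curve_id2nid() and return NULL, though that depends on the mapping table, which is not shown here. A comment on the two declarations would make the units explicit: `/* group_id: TLS supported group code point (wire value), not a NID. */` above tls13_key_share_new() and `/* nid: OpenSSL NID; mapped to a group id internally. */` above tls13_key_share_new_nid().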
@@ -49,7 +49,7 @@ tls13_server_init(struct tls13_ctx *ctx)
 if ((s->session = SSL_SESSION_new()) == NULL)
 return 0;
- if ((ctx->hs->key_share = tls13_key_share_new(NID_X25519)) == NULL)
+ if ((ctx->hs->key_share = tls13_key_share_new_nid(NID_X25519)) == NULL)
 return 0;
 if (!tls13_key_share_generate(ctx->hs->key_share))
 return 0;
--
cgit v1.2.3-55-g6feb