diff options
author | Joel Sing <jsing@cvs.openbsd.org> | 2022-01-06 18:23:57 +0000 |
---|---|---|
committer | Joel Sing <jsing@cvs.openbsd.org> | 2022-01-06 18:23:57 +0000 |
commit | 73a3d75ac39f0546dacabe67c0af85d3ded2e2c1 (patch) | |
tree | 16d0c2ee8bb53f3beb9d578ba367da4264f7b3ba /lib/libssl | |
parent | 2b45f939e790ecf3c9519272bdda92f13979d782 (diff) |
Convert legacy TLS client to tls_key_share.
This requires adding DHE support to tls_key_share. In doing so,
tls_key_share_peer_public() has to lose the group argument and gains
an invalid_key argument. The one place that actually needs the group
check is tlsext_keyshare_client_parse(), so add code to do this.
ok inoguchi@ tb@
Diffstat (limited to 'lib/libssl')
-rw-r--r-- | lib/libssl/s3_lib.c | 28 | ||||
-rw-r--r-- | lib/libssl/ssl_cert.c | 6 | ||||
-rw-r--r-- | lib/libssl/ssl_clnt.c | 210 | ||||
-rw-r--r-- | lib/libssl/ssl_locl.h | 7 | ||||
-rw-r--r-- | lib/libssl/ssl_tlsext.c | 20 | ||||
-rw-r--r-- | lib/libssl/tls_internal.h | 9 | ||||
-rw-r--r-- | lib/libssl/tls_key_share.c | 157 |
7 files changed, 181 insertions, 256 deletions
diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c index b83a3805479..54261c575a2 100644 --- a/lib/libssl/s3_lib.c +++ b/lib/libssl/s3_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_lib.c,v 1.220 2022/01/05 17:10:02 jsing Exp $ */ +/* $OpenBSD: s3_lib.c,v 1.221 2022/01/06 18:23:56 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1665,35 +1665,17 @@ long _SSL_get_peer_tmp_key(SSL *s, EVP_PKEY **key) { EVP_PKEY *pkey = NULL; - SESS_CERT *sc; int ret = 0; *key = NULL; - if (s->session == NULL || s->session->sess_cert == NULL) - return 0; - - sc = s->session->sess_cert; + if (S3I(s)->hs.key_share == NULL) + goto err; if ((pkey = EVP_PKEY_new()) == NULL) - return 0; - - if (sc->peer_dh_tmp != NULL) { - if (!EVP_PKEY_set1_DH(pkey, sc->peer_dh_tmp)) - goto err; - } else if (sc->peer_ecdh_tmp) { - if (!EVP_PKEY_set1_EC_KEY(pkey, sc->peer_ecdh_tmp)) - goto err; - } else if (sc->peer_x25519_tmp != NULL) { - if (!ssl_kex_dummy_ecdhe_x25519(pkey)) - goto err; - } else if (S3I(s)->hs.key_share != NULL) { - if (!tls_key_share_peer_pkey(S3I(s)->hs.key_share, - pkey)) - goto err; - } else { goto err; - } + if (!tls_key_share_peer_pkey(S3I(s)->hs.key_share, pkey)) + goto err; *key = pkey; pkey = NULL; diff --git a/lib/libssl/ssl_cert.c b/lib/libssl/ssl_cert.c index 3b388201ac4..6eece6d9442 100644 --- a/lib/libssl/ssl_cert.c +++ b/lib/libssl/ssl_cert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_cert.c,v 1.88 2021/11/29 18:36:27 tb Exp $ */ +/* $OpenBSD: ssl_cert.c,v 1.89 2022/01/06 18:23:56 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -395,10 +395,6 @@ ssl_sess_cert_free(SESS_CERT *sc) for (i = 0; i < SSL_PKEY_NUM; i++) X509_free(sc->peer_pkeys[i].x509); - DH_free(sc->peer_dh_tmp); - EC_KEY_free(sc->peer_ecdh_tmp); - free(sc->peer_x25519_tmp); - free(sc); } diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c index 80a16f1042d..c3912c3ebde 100644 --- a/lib/libssl/ssl_clnt.c +++ b/lib/libssl/ssl_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_clnt.c,v 1.126 2022/01/04 12:53:31 jsing Exp $ */ +/* $OpenBSD: ssl_clnt.c,v 1.127 2022/01/06 18:23:56 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1223,20 +1223,23 @@ ssl3_get_server_certificate(SSL *s) static int ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, CBS *cbs) { + int nid = NID_dhKeyAgreement; int invalid_params, invalid_key; - SESS_CERT *sc = NULL; - DH *dh = NULL; + SESS_CERT *sc; long alg_a; alg_a = S3I(s)->hs.cipher->algorithm_auth; sc = s->session->sess_cert; - if ((dh = DH_new()) == NULL) + tls_key_share_free(S3I(s)->hs.key_share); + if ((S3I(s)->hs.key_share = tls_key_share_new_nid(nid)) == NULL) goto err; - if (!ssl_kex_peer_params_dhe(dh, cbs, &invalid_params)) + if (!tls_key_share_peer_params(S3I(s)->hs.key_share, cbs, + &invalid_params)) goto decode_err; - if (!ssl_kex_peer_public_dhe(dh, cbs, &invalid_key)) + if (!tls_key_share_peer_public(S3I(s)->hs.key_share, cbs, + &invalid_key)) goto decode_err; if (invalid_params) { @@ -1256,8 +1259,6 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, CBS *cbs) /* XXX - Anonymous DH, so no certificate or pkey. */ *pkey = NULL; - sc->peer_dh_tmp = dh; - return 1; decode_err: @@ -1265,64 +1266,6 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, CBS *cbs) ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); err: - DH_free(dh); - - return 0; -} - -static int -ssl3_get_server_kex_ecdhe_ecp(SSL *s, SESS_CERT *sc, int nid, CBS *public) -{ - EC_KEY *ecdh = NULL; - int ret = 0; - - /* Extract the server's ephemeral ECDH public key. */ - if ((ecdh = EC_KEY_new()) == NULL) { - SSLerror(s, ERR_R_MALLOC_FAILURE); - goto err; - } - if (!ssl_kex_peer_public_ecdhe_ecp(ecdh, nid, public)) { - SSLerror(s, SSL_R_BAD_ECPOINT); - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); - goto err; - } - - sc->peer_nid = nid; - sc->peer_ecdh_tmp = ecdh; - ecdh = NULL; - - ret = 1; - - err: - EC_KEY_free(ecdh); - - return (ret); -} - -static int -ssl3_get_server_kex_ecdhe_ecx(SSL *s, SESS_CERT *sc, int nid, CBS *public) -{ - size_t outlen; - - if (nid != NID_X25519) { - SSLerror(s, ERR_R_INTERNAL_ERROR); - goto err; - } - - if (CBS_len(public) != X25519_KEY_LENGTH) { - SSLerror(s, SSL_R_BAD_ECPOINT); - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); - goto err; - } - - if (!CBS_stow(public, &sc->peer_x25519_tmp, &outlen)) { - SSLerror(s, ERR_R_MALLOC_FAILURE); - goto err; - } - - return 1; - - err: return 0; } @@ -1334,7 +1277,6 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, CBS *cbs) uint16_t curve_id; SESS_CERT *sc; long alg_a; - int nid; alg_a = S3I(s)->hs.cipher->algorithm_auth; sc = s->session->sess_cert; @@ -1346,8 +1288,8 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, CBS *cbs) /* Only named curves are supported. */ if (curve_type != NAMED_CURVE_TYPE) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); SSLerror(s, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); goto err; } @@ -1364,19 +1306,12 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, CBS *cbs) goto err; } - if ((nid = tls1_ec_curve_id2nid(curve_id)) == 0) { - SSLerror(s, SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS); - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); + tls_key_share_free(S3I(s)->hs.key_share); + if ((S3I(s)->hs.key_share = tls_key_share_new(curve_id)) == NULL) goto err; - } - if (nid == NID_X25519) { - if (!ssl3_get_server_kex_ecdhe_ecx(s, sc, nid, &public)) - goto err; - } else { - if (!ssl3_get_server_kex_ecdhe_ecp(s, sc, nid, &public)) - goto err; - } + if (!tls_key_share_peer_public(S3I(s)->hs.key_share, &public, NULL)) + goto err; /* * The ECC/TLS specification does not mention the use of DSA to sign @@ -1446,16 +1381,7 @@ ssl3_get_server_key_exchange(SSL *s) return (1); } - if (s->session->sess_cert != NULL) { - DH_free(s->session->sess_cert->peer_dh_tmp); - s->session->sess_cert->peer_dh_tmp = NULL; - - EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp); - s->session->sess_cert->peer_ecdh_tmp = NULL; - - free(s->session->sess_cert->peer_x25519_tmp); - s->session->sess_cert->peer_x25519_tmp = NULL; - } else { + if (s->session->sess_cert == NULL) { s->session->sess_cert = ssl_sess_cert_new(); if (s->session->sess_cert == NULL) goto err; @@ -1966,28 +1892,22 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb) static int ssl3_send_client_kex_dhe(SSL *s, SESS_CERT *sess_cert, CBB *cbb) { - DH *dh_clnt = NULL; - DH *dh_srvr; uint8_t *key = NULL; size_t key_len = 0; int ret = 0; /* Ensure that we have an ephemeral key from the server for DHE. */ - if ((dh_srvr = sess_cert->peer_dh_tmp) == NULL) { + if (S3I(s)->hs.key_share == NULL) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); SSLerror(s, SSL_R_UNABLE_TO_FIND_DH_PARAMETERS); goto err; } - if ((dh_clnt = DH_new()) == NULL) + if (!tls_key_share_generate(S3I(s)->hs.key_share)) goto err; - - if (!ssl_kex_generate_dhe(dh_clnt, dh_srvr)) + if (!tls_key_share_public(S3I(s)->hs.key_share, cbb)) goto err; - if (!ssl_kex_public_dhe(dh_clnt, cbb)) - goto err; - - if (!ssl_kex_derive_dhe(dh_clnt, dh_srvr, &key, &key_len)) + if (!tls_key_share_derive(S3I(s)->hs.key_share, &key, &key_len)) goto err; if (!tls12_derive_master_secret(s, key, key_len)) @@ -1996,38 +1916,37 @@ ssl3_send_client_kex_dhe(SSL *s, SESS_CERT *sess_cert, CBB *cbb) ret = 1; err: - DH_free(dh_clnt); freezero(key, key_len); return ret; } static int -ssl3_send_client_kex_ecdhe_ecp(SSL *s, SESS_CERT *sc, CBB *cbb) +ssl3_send_client_kex_ecdhe(SSL *s, SESS_CERT *sc, CBB *cbb) { - EC_KEY *ecdh = NULL; uint8_t *key = NULL; size_t key_len = 0; + CBB public; int ret = 0; - CBB ecpoint; - if ((ecdh = EC_KEY_new()) == NULL) { - SSLerror(s, ERR_R_MALLOC_FAILURE); + /* Ensure that we have an ephemeral key for ECDHE. */ + if (S3I(s)->hs.key_share == NULL) { + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); + SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } - if (!ssl_kex_generate_ecdhe_ecp(ecdh, sc->peer_nid)) + if (!tls_key_share_generate(S3I(s)->hs.key_share)) goto err; - /* Encode our public key. */ - if (!CBB_add_u8_length_prefixed(cbb, &ecpoint)) - goto err; - if (!ssl_kex_public_ecdhe_ecp(ecdh, &ecpoint)) + if (!CBB_add_u8_length_prefixed(cbb, &public)) + return 0; + if (!tls_key_share_public(S3I(s)->hs.key_share, &public)) goto err; if (!CBB_flush(cbb)) goto err; - if (!ssl_kex_derive_ecdhe_ecp(ecdh, sc->peer_ecdh_tmp, &key, &key_len)) + if (!tls_key_share_derive(S3I(s)->hs.key_share, &key, &key_len)) goto err; if (!tls12_derive_master_secret(s, key, key_len)) @@ -2037,72 +1956,11 @@ ssl3_send_client_kex_ecdhe_ecp(SSL *s, SESS_CERT *sc, CBB *cbb) err: freezero(key, key_len); - EC_KEY_free(ecdh); - - return ret; -} - -static int -ssl3_send_client_kex_ecdhe_ecx(SSL *s, SESS_CERT *sc, CBB *cbb) -{ - uint8_t *public_key = NULL, *private_key = NULL, *shared_key = NULL; - int ret = 0; - CBB ecpoint; - - /* Generate X25519 key pair and derive shared key. */ - if ((public_key = malloc(X25519_KEY_LENGTH)) == NULL) - goto err; - if ((private_key = malloc(X25519_KEY_LENGTH)) == NULL) - goto err; - if ((shared_key = malloc(X25519_KEY_LENGTH)) == NULL) - goto err; - X25519_keypair(public_key, private_key); - if (!X25519(shared_key, private_key, sc->peer_x25519_tmp)) - goto err; - - /* Serialize the public key. */ - if (!CBB_add_u8_length_prefixed(cbb, &ecpoint)) - goto err; - if (!CBB_add_bytes(&ecpoint, public_key, X25519_KEY_LENGTH)) - goto err; - if (!CBB_flush(cbb)) - goto err; - - if (!tls12_derive_master_secret(s, shared_key, X25519_KEY_LENGTH)) - goto err; - - ret = 1; - - err: - free(public_key); - freezero(private_key, X25519_KEY_LENGTH); - freezero(shared_key, X25519_KEY_LENGTH); return ret; } static int -ssl3_send_client_kex_ecdhe(SSL *s, SESS_CERT *sc, CBB *cbb) -{ - if (sc->peer_x25519_tmp != NULL) { - if (ssl3_send_client_kex_ecdhe_ecx(s, sc, cbb) != 1) - goto err; - } else if (sc->peer_ecdh_tmp != NULL) { - if (ssl3_send_client_kex_ecdhe_ecp(s, sc, cbb) != 1) - goto err; - } else { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); - SSLerror(s, ERR_R_INTERNAL_ERROR); - goto err; - } - - return 1; - - err: - return 0; -} - -static int ssl3_send_client_kex_gost(SSL *s, SESS_CERT *sess_cert, CBB *cbb) { unsigned char premaster_secret[32], shared_ukm[32], tmp[256]; @@ -2627,7 +2485,7 @@ ssl3_check_cert_and_algorithm(SSL *s) long alg_k, alg_a; EVP_PKEY *pkey = NULL; SESS_CERT *sc; - DH *dh; + int nid = NID_undef; alg_k = S3I(s)->hs.cipher->algorithm_mkey; alg_a = S3I(s)->hs.cipher->algorithm_auth; @@ -2641,7 +2499,9 @@ ssl3_check_cert_and_algorithm(SSL *s) SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } - dh = s->session->sess_cert->peer_dh_tmp; + + if (S3I(s)->hs.key_share != NULL) + nid = tls_key_share_nid(S3I(s)->hs.key_share); /* This is the passed certificate. */ @@ -2670,7 +2530,7 @@ ssl3_check_cert_and_algorithm(SSL *s) goto fatal_err; } if ((alg_k & SSL_kDHE) && - !(has_bits(i, EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) { + !(has_bits(i, EVP_PK_DH|EVP_PKT_EXCH) || (nid == NID_dhKeyAgreement))) { SSLerror(s, SSL_R_MISSING_DH_KEY); goto fatal_err; } diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h index d6d20c2ceba..83b40d2dd3a 100644 --- a/lib/libssl/ssl_locl.h +++ b/lib/libssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.373 2022/01/05 17:10:02 jsing Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.374 2022/01/06 18:23:56 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1242,11 +1242,6 @@ typedef struct sess_cert_st { /* Obviously we don't have the private keys of these, * so maybe we shouldn't even use the CERT_PKEY type here. */ - int peer_nid; - DH *peer_dh_tmp; - EC_KEY *peer_ecdh_tmp; - uint8_t *peer_x25519_tmp; - int references; /* actually always 1 at the moment */ } SESS_CERT; diff --git a/lib/libssl/ssl_tlsext.c b/lib/libssl/ssl_tlsext.c index 4cc406526dc..71955d92952 100644 --- a/lib/libssl/ssl_tlsext.c +++ b/lib/libssl/ssl_tlsext.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_tlsext.c,v 1.104 2022/01/05 17:10:02 jsing Exp $ */ +/* $OpenBSD: ssl_tlsext.c,v 1.105 2022/01/06 18:23:56 jsing Exp $ */ /* * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> @@ -1510,11 +1510,10 @@ tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) continue; /* Decode and store the selected key share. */ - S3I(s)->hs.key_share = tls_key_share_new(group); - if (S3I(s)->hs.key_share == NULL) + if ((S3I(s)->hs.key_share = tls_key_share_new(group)) == NULL) goto err; if (!tls_key_share_peer_public(S3I(s)->hs.key_share, - group, &key_exchange)) + &key_exchange, NULL)) goto err; } @@ -1568,7 +1567,7 @@ tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) /* Unpack server share. */ if (!CBS_get_u16(cbs, &group)) - goto err; + return 0; if (CBS_len(cbs) == 0) { /* HRR does not include an actual key share, only the group. */ @@ -1584,16 +1583,13 @@ tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) if (S3I(s)->hs.key_share == NULL) return 0; - + if (tls_key_share_group(S3I(s)->hs.key_share) != group) + return 0; if (!tls_key_share_peer_public(S3I(s)->hs.key_share, - group, &key_exchange)) - goto err; + &key_exchange, NULL)) + return 0; return 1; - - err: - *alert = SSL_AD_DECODE_ERROR; - return 0; } /* diff --git a/lib/libssl/tls_internal.h b/lib/libssl/tls_internal.h index 87c7f3b7dd5..7e2beadeacf 100644 --- a/lib/libssl/tls_internal.h +++ b/lib/libssl/tls_internal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_internal.h,v 1.2 2022/01/05 17:10:03 jsing Exp $ */ +/* $OpenBSD: tls_internal.h,v 1.3 2022/01/06 18:23:56 jsing Exp $ */ /* * Copyright (c) 2018, 2019, 2021 Joel Sing <jsing@openbsd.org> * @@ -63,11 +63,14 @@ struct tls_key_share *tls_key_share_new_nid(int nid); void tls_key_share_free(struct tls_key_share *ks); uint16_t tls_key_share_group(struct tls_key_share *ks); +int tls_key_share_nid(struct tls_key_share *ks); int tls_key_share_peer_pkey(struct tls_key_share *ks, EVP_PKEY *pkey); int tls_key_share_generate(struct tls_key_share *ks); int tls_key_share_public(struct tls_key_share *ks, CBB *cbb); -int tls_key_share_peer_public(struct tls_key_share *ks, uint16_t group, - CBS *cbs); +int tls_key_share_peer_params(struct tls_key_share *ks, CBS *cbs, + int *invalid_params); +int tls_key_share_peer_public(struct tls_key_share *ks, CBS *cbs, + int *invalid_key); int tls_key_share_derive(struct tls_key_share *ks, uint8_t **shared_key, size_t *shared_key_len); diff --git a/lib/libssl/tls_key_share.c b/lib/libssl/tls_key_share.c index 1bce651e10e..6e390f4a24e 100644 --- a/lib/libssl/tls_key_share.c +++ b/lib/libssl/tls_key_share.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_key_share.c,v 1.1 2022/01/05 17:10:03 jsing Exp $ */ +/* $OpenBSD: tls_key_share.c,v 1.2 2022/01/06 18:23:56 jsing Exp $ */ /* * Copyright (c) 2020 Joel Sing <jsing@openbsd.org> * @@ -28,6 +28,9 @@ struct tls_key_share { int nid; uint16_t group_id; + DH *dhe; + DH *dhe_peer; + EC_KEY *ecdhe; EC_KEY *ecdhe_peer; @@ -36,14 +39,10 @@ struct tls_key_share { uint8_t *x25519_peer_public; }; -struct tls_key_share * -tls_key_share_new(uint16_t group_id) +static struct tls_key_share * +tls_key_share_new_internal(int nid, uint16_t group_id) { struct tls_key_share *ks; - int nid; - - if ((nid = tls1_ec_curve_id2nid(group_id)) == 0) - return NULL; if ((ks = calloc(1, sizeof(struct tls_key_share))) == NULL) return NULL; @@ -55,14 +54,27 @@ tls_key_share_new(uint16_t group_id) } struct tls_key_share * -tls_key_share_new_nid(int nid) +tls_key_share_new(uint16_t group_id) { - uint16_t group_id; + int nid; - if ((group_id = tls1_ec_nid2curve_id(nid)) == 0) + if ((nid = tls1_ec_curve_id2nid(group_id)) == 0) return NULL; - return tls_key_share_new(group_id); + return tls_key_share_new_internal(nid, group_id); +} + +struct tls_key_share * +tls_key_share_new_nid(int nid) +{ + uint16_t group_id = 0; + + if (nid != NID_dhKeyAgreement) { + if ((group_id = tls1_ec_nid2curve_id(nid)) == 0) + return NULL; + } + + return tls_key_share_new_internal(nid, group_id); } void @@ -71,6 +83,9 @@ tls_key_share_free(struct tls_key_share *ks) if (ks == NULL) return; + DH_free(ks->dhe); + DH_free(ks->dhe_peer); + EC_KEY_free(ks->ecdhe); EC_KEY_free(ks->ecdhe_peer); @@ -88,19 +103,33 @@ tls_key_share_group(struct tls_key_share *ks) } int +tls_key_share_nid(struct tls_key_share *ks) +{ + return ks->nid; +} + +int tls_key_share_peer_pkey(struct tls_key_share *ks, EVP_PKEY *pkey) { - if (ks->nid == NID_X25519 && ks->x25519_peer_public != NULL) { - if (!ssl_kex_dummy_ecdhe_x25519(pkey)) - return 0; - } else if (ks->ecdhe_peer != NULL) { - if (!EVP_PKEY_set1_EC_KEY(pkey, ks->ecdhe_peer)) - return 0; - } else { + if (ks->nid == NID_dhKeyAgreement && ks->dhe_peer != NULL) + return EVP_PKEY_set1_DH(pkey, ks->dhe_peer); + + if (ks->nid == NID_X25519 && ks->x25519_peer_public != NULL) + return ssl_kex_dummy_ecdhe_x25519(pkey); + + if (ks->ecdhe_peer != NULL) + return EVP_PKEY_set1_EC_KEY(pkey, ks->ecdhe_peer); + + return 0; +} + +static int +tls_key_share_generate_dhe(struct tls_key_share *ks) +{ + if (ks->dhe == NULL) return 0; - } - return 1; + return ssl_kex_generate_dhe(ks->dhe, ks->dhe); } static int @@ -161,6 +190,9 @@ tls_key_share_generate_x25519(struct tls_key_share *ks) int tls_key_share_generate(struct tls_key_share *ks) { + if (ks->nid == NID_dhKeyAgreement) + return tls_key_share_generate_dhe(ks); + if (ks->nid == NID_X25519) return tls_key_share_generate_x25519(ks); @@ -168,6 +200,15 @@ tls_key_share_generate(struct tls_key_share *ks) } static int +tls_key_share_public_dhe(struct tls_key_share *ks, CBB *cbb) +{ + if (ks->dhe == NULL) + return 0; + + return ssl_kex_public_dhe(ks->dhe, cbb); +} + +static int tls_key_share_public_ecdhe_ecp(struct tls_key_share *ks, CBB *cbb) { if (ks->ecdhe == NULL) @@ -188,6 +229,9 @@ tls_key_share_public_x25519(struct tls_key_share *ks, CBB *cbb) int tls_key_share_public(struct tls_key_share *ks, CBB *cbb) { + if (ks->nid == NID_dhKeyAgreement) + return tls_key_share_public_dhe(ks, cbb); + if (ks->nid == NID_X25519) return tls_key_share_public_x25519(ks, cbb); @@ -195,6 +239,43 @@ tls_key_share_public(struct tls_key_share *ks, CBB *cbb) } static int +tls_key_share_peer_params_dhe(struct tls_key_share *ks, CBS *cbs, + int *invalid_params) +{ + if (ks->dhe != NULL || ks->dhe_peer != NULL) + return 0; + + if ((ks->dhe_peer = DH_new()) == NULL) + return 0; + if (!ssl_kex_peer_params_dhe(ks->dhe_peer, cbs, invalid_params)) + return 0; + if ((ks->dhe = DHparams_dup(ks->dhe_peer)) == NULL) + return 0; + + return 1; +} + +int +tls_key_share_peer_params(struct tls_key_share *ks, CBS *cbs, + int *invalid_params) +{ + if (ks->nid != NID_dhKeyAgreement) + return 0; + + return tls_key_share_peer_params_dhe(ks, cbs, invalid_params); +} + +static int +tls_key_share_peer_public_dhe(struct tls_key_share *ks, CBS *cbs, + int *invalid_key) +{ + if (ks->dhe_peer == NULL) + return 0; + + return ssl_kex_peer_public_dhe(ks->dhe_peer, cbs, invalid_key); +} + +static int tls_key_share_peer_public_ecdhe_ecp(struct tls_key_share *ks, CBS *cbs) { EC_KEY *ecdhe = NULL; @@ -234,21 +315,29 @@ tls_key_share_peer_public_x25519(struct tls_key_share *ks, CBS *cbs) } int -tls_key_share_peer_public(struct tls_key_share *ks, uint16_t group, - CBS *cbs) +tls_key_share_peer_public(struct tls_key_share *ks, CBS *cbs, int *invalid_key) { - if (ks->group_id != group) - return 0; + if (invalid_key != NULL) + *invalid_key = 0; - if (ks->nid == NID_X25519) { - if (!tls_key_share_peer_public_x25519(ks, cbs)) - return 0; - } else { - if (!tls_key_share_peer_public_ecdhe_ecp(ks, cbs)) - return 0; - } + if (ks->nid == NID_dhKeyAgreement) + return tls_key_share_peer_public_dhe(ks, cbs, invalid_key); - return 1; + if (ks->nid == NID_X25519) + return tls_key_share_peer_public_x25519(ks, cbs); + + return tls_key_share_peer_public_ecdhe_ecp(ks, cbs); +} + +static int +tls_key_share_derive_dhe(struct tls_key_share *ks, + uint8_t **shared_key, size_t *shared_key_len) +{ + if (ks->dhe == NULL || ks->dhe_peer == NULL) + return 0; + + return ssl_kex_derive_dhe(ks->dhe, ks->dhe_peer, shared_key, + shared_key_len); } static int @@ -298,6 +387,10 @@ tls_key_share_derive(struct tls_key_share *ks, uint8_t **shared_key, *shared_key_len = 0; + if (ks->nid == NID_dhKeyAgreement) + return tls_key_share_derive_dhe(ks, shared_key, + shared_key_len); + if (ks->nid == NID_X25519) return tls_key_share_derive_x25519(ks, shared_key, shared_key_len); |