Google Git
Sign in
boringssl / boringssl / 4298d773794dcfef675aeeacd970bcc8f2fe406d^! / . / include / openssl / ssl.h
commit4298d773794dcfef675aeeacd970bcc8f2fe406d[log] [tgz]
authorDavid Benjamin <davidben@chromium.org>Sat Dec 19 00:18:25 2015 -0500
committerAdam Langley <agl@google.com>Tue Dec 22 21:51:30 2015 +0000
treefd5f4ff6a373fe3453f27f940c9adbd5f9c94cf7
parentc18ef750ee7f6c5a6abdca8b7848286250784a06 [diff] [blame]
Implement draft-ietf-tls-curve25519-01 in C.

The new curve is not enabled by default.

As EC_GROUP/EC_POINT is a bit too complex for X25519, this introduces an
SSL_ECDH_METHOD abstraction which wraps just the raw ECDH operation. It
also tidies up some of the curve code which kept converting back and
force between NIDs and curve IDs. Now everything transits as curve IDs
except for API entry points (SSL_set1_curves) which take NIDs. Those
convert immediately and act on curve IDs from then on.

Note that, like the Go implementation, this slightly tweaks the order of
operations. The client sees the server public key before sending its
own. To keep the abstraction simple, SSL_ECDH_METHOD expects to
generate a keypair before consuming the peer's public key. Instead, the
client handshake stashes the serialized peer public value and defers
parsing it until it comes time to send ClientKeyExchange. (This is
analogous to what it was doing before where it stashed the parsed peer
public value instead.)

It still uses TLS 1.2 terminology everywhere, but this abstraction should also
be compatible with TLS 1.3 which unifies (EC)DH-style key exchanges.
(Accordingly, this abstraction intentionally does not handle parsing the
ClientKeyExchange/ServerKeyExchange framing or attempt to handle asynchronous
plain RSA or the authentication bits.)

BUG=571231

Change-Id: Iba09dddee5bcdfeb2b70185308e8ab0632717932
Reviewed-on: https://boringssl-review.googlesource.com/6780
Reviewed-by: Adam Langley <agl@google.com>

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index bce981c..589f4c4 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h

@@ -3324,6 +3324,12 @@
   uint32_t algorithm_prf;
 };
 
+typedef struct ssl_ecdh_method_st SSL_ECDH_METHOD;
+typedef struct ssl_ecdh_ctx_st {
+  const SSL_ECDH_METHOD *method;
+  void *data;
+} SSL_ECDH_CTX;
+
 #define SSL_MAX_SSL_SESSION_ID_LENGTH 32
 #define SSL_MAX_SID_CTX_LENGTH 32
 #define SSL_MAX_MASTER_KEY_LENGTH 48
@@ -3990,8 +3996,6 @@
     const SSL_CIPHER *new_cipher;
     DH *dh;
 
-    EC_KEY *ecdh; /* holds short lived ECDH key */
-
     /* used when SSL_ST_FLUSH_DATA is entered */
     int next_state;
 
@@ -4094,8 +4098,12 @@
     /* peer_dh_tmp, on a client, is the server's DHE public key. */
     DH *peer_dh_tmp;
 
-    /* peer_ecdh_tmp, on a client, is the server's ECDHE public key. */
-    EC_KEY *peer_ecdh_tmp;
+    /* ecdh_ctx is the current ECDH instance. */
+    SSL_ECDH_CTX ecdh_ctx;
+
+    /* peer_key is the peer's ECDH key. */
+    uint8_t *peer_key;
+    uint8_t peer_key_len;
   } tmp;
 
   /* Connection binding to prevent renegotiation attacks */