Convert SSL_ECDH_CTX to C++.
SSLECDHContext has the acronyms problem, so I went with SSLKeyShare to
match the TLS 1.3 terminology. It's also a little shorter. Accept and
Finish, for now, take raw output pointers in anticipation of some
bssl::Array and maybe bssl::CleansedArray types.
Bug: 132
Change-Id: I427c7c0eac95704f3ad093676c504c2848f5acb9
Reviewed-on: https://boringssl-review.googlesource.com/18265
Reviewed-by: Steven Valdez <svaldez@google.com>
diff --git a/ssl/CMakeLists.txt b/ssl/CMakeLists.txt
index b6f4451..c228f4a 100644
--- a/ssl/CMakeLists.txt
+++ b/ssl/CMakeLists.txt
@@ -21,8 +21,8 @@
ssl_buffer.cc
ssl_cert.cc
ssl_cipher.cc
- ssl_ecdh.cc
ssl_file.cc
+ ssl_key_share.cc
ssl_lib.cc
ssl_privkey.cc
ssl_session.cc
diff --git a/ssl/handshake_client.cc b/ssl/handshake_client.cc
index cac65f6..260d3cd0 100644
--- a/ssl/handshake_client.cc
+++ b/ssl/handshake_client.cc
@@ -1277,7 +1277,8 @@
}
/* Initialize ECDH and save the peer public key for later. */
- if (!SSL_ECDH_CTX_init(&hs->ecdh_ctx, group_id) ||
+ hs->key_share = SSLKeyShare::Create(group_id);
+ if (!hs->key_share ||
!CBS_stow(&point, &hs->peer_key, &hs->peer_key_len)) {
return -1;
}
@@ -1599,8 +1600,8 @@
/* Compute the premaster. */
uint8_t alert = SSL_AD_DECODE_ERROR;
- if (!SSL_ECDH_CTX_accept(&hs->ecdh_ctx, &child, &pms, &pms_len, &alert,
- hs->peer_key, hs->peer_key_len)) {
+ if (!hs->key_share->Accept(&child, &pms, &pms_len, &alert, hs->peer_key,
+ hs->peer_key_len)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
goto err;
}
@@ -1609,7 +1610,7 @@
}
/* The key exchange state may now be discarded. */
- SSL_ECDH_CTX_cleanup(&hs->ecdh_ctx);
+ hs->key_share.reset();
OPENSSL_free(hs->peer_key);
hs->peer_key = NULL;
hs->peer_key_len = 0;
diff --git a/ssl/handshake_server.cc b/ssl/handshake_server.cc
index b57b67a..38fbef4 100644
--- a/ssl/handshake_server.cc
+++ b/ssl/handshake_server.cc
@@ -1067,11 +1067,12 @@
hs->new_session->group_id = group_id;
/* Set up ECDH, generate a key, and emit the public half. */
- if (!SSL_ECDH_CTX_init(&hs->ecdh_ctx, group_id) ||
+ hs->key_share = SSLKeyShare::Create(group_id);
+ if (!hs->key_share ||
!CBB_add_u8(cbb.get(), NAMED_CURVE_TYPE) ||
!CBB_add_u16(cbb.get(), group_id) ||
!CBB_add_u8_length_prefixed(cbb.get(), &child) ||
- !SSL_ECDH_CTX_offer(&hs->ecdh_ctx, &child)) {
+ !hs->key_share->Offer(&child)) {
return -1;
}
} else {
@@ -1434,15 +1435,14 @@
/* Compute the premaster. */
uint8_t alert = SSL_AD_DECODE_ERROR;
- if (!SSL_ECDH_CTX_finish(&hs->ecdh_ctx, &premaster_secret,
- &premaster_secret_len, &alert, CBS_data(&peer_key),
- CBS_len(&peer_key))) {
+ if (!hs->key_share->Finish(&premaster_secret, &premaster_secret_len, &alert,
+ CBS_data(&peer_key), CBS_len(&peer_key))) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
goto err;
}
/* The key exchange state may now be discarded. */
- SSL_ECDH_CTX_cleanup(&hs->ecdh_ctx);
+ hs->key_share.reset();
} else if (!(alg_k & SSL_kPSK)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
diff --git a/ssl/internal.h b/ssl/internal.h
index f7d1cde..fb02d35 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -747,48 +747,50 @@
int custom_ext_add_serverhello(SSL_HANDSHAKE *hs, CBB *extensions);
-/* ECDH groups. */
+/* Key shares. */
-struct SSL_ECDH_CTX;
+/* SSLKeyShare abstracts over Diffie-Hellman-like key exchanges. */
+class SSLKeyShare {
+ public:
+ virtual ~SSLKeyShare() {}
-/* An SSL_ECDH_METHOD is an implementation of ECDH-like key exchanges for
- * TLS. */
-struct SSL_ECDH_METHOD {
- int nid;
- uint16_t group_id;
- const char name[8];
+ /* Create returns a SSLKeyShare instance for use with group |group_id| or
+ * nullptr on error. */
+ static UniquePtr<SSLKeyShare> Create(uint16_t group_id);
- /* cleanup releases state in |ctx|. */
- void (*cleanup)(SSL_ECDH_CTX *ctx);
+ /* GroupID returns the group ID. */
+ virtual uint16_t GroupID() const = 0;
- /* offer generates a keypair and writes the public value to
- * |out_public_key|. It returns one on success and zero on error. */
- int (*offer)(SSL_ECDH_CTX *ctx, CBB *out_public_key);
+ /* Offer generates a keypair and writes the public value to
+ * |out_public_key|. It returns true on success and false on error. */
+ virtual bool Offer(CBB *out_public_key) = 0;
- /* accept performs a key exchange against the |peer_key| generated by |offer|.
- * On success, it returns one, writes the public value to |out_public_key|,
+ /* Accept performs a key exchange against the |peer_key| generated by |offer|.
+ * On success, it returns true, writes the public value to |out_public_key|,
* and sets |*out_secret| and |*out_secret_len| to a newly-allocated buffer
* containing the shared secret. The caller must release this buffer with
- * |OPENSSL_free|. On failure, it returns zero and sets |*out_alert| to an
- * alert to send to the peer. */
- int (*accept)(SSL_ECDH_CTX *ctx, CBB *out_public_key, uint8_t **out_secret,
- size_t *out_secret_len, uint8_t *out_alert,
- const uint8_t *peer_key, size_t peer_key_len);
+ * |OPENSSL_free|. On failure, it returns false and sets |*out_alert| to an
+ * alert to send to the peer.
+ *
+ * The default implementation calls |Offer| and then |Finish|, assuming a key
+ * exchange protocol where the peers are symmetric.
+ *
+ * TODO(davidben): out_secret should be a smart pointer. */
+ virtual bool Accept(CBB *out_public_key, uint8_t **out_secret,
+ size_t *out_secret_len, uint8_t *out_alert,
+ const uint8_t *peer_key, size_t peer_key_len);
- /* finish performs a key exchange against the |peer_key| generated by
- * |accept|. On success, it returns one and sets |*out_secret| and
+ /* Finish performs a key exchange against the |peer_key| generated by
+ * |Accept|. On success, it returns true and sets |*out_secret| and
* |*out_secret_len| to a newly-allocated buffer containing the shared
* secret. The caller must release this buffer with |OPENSSL_free|. On
* failure, it returns zero and sets |*out_alert| to an alert to send to the
- * peer. */
- int (*finish)(SSL_ECDH_CTX *ctx, uint8_t **out_secret, size_t *out_secret_len,
- uint8_t *out_alert, const uint8_t *peer_key,
- size_t peer_key_len);
-};
-
-struct SSL_ECDH_CTX {
- const SSL_ECDH_METHOD *method;
- void *data;
+ * peer.
+ *
+ * TODO(davidben): out_secret should be a smart pointer. */
+ virtual bool Finish(uint8_t **out_secret, size_t *out_secret_len,
+ uint8_t *out_alert, const uint8_t *peer_key,
+ size_t peer_key_len) = 0;
};
/* ssl_nid_to_group_id looks up the group corresponding to |nid|. On success, it
@@ -801,36 +803,6 @@
* returns one. Otherwise, it returns zero. */
int ssl_name_to_group_id(uint16_t *out_group_id, const char *name, size_t len);
-/* SSL_ECDH_CTX_init sets up |ctx| for use with curve |group_id|. It returns one
- * on success and zero on error. */
-int SSL_ECDH_CTX_init(SSL_ECDH_CTX *ctx, uint16_t group_id);
-
-/* SSL_ECDH_CTX_cleanup releases memory associated with |ctx|. It is legal to
- * call it in the zero state. */
-void SSL_ECDH_CTX_cleanup(SSL_ECDH_CTX *ctx);
-
-/* SSL_ECDH_CTX_get_id returns the group ID for |ctx|. */
-uint16_t SSL_ECDH_CTX_get_id(const SSL_ECDH_CTX *ctx);
-
-/* SSL_ECDH_CTX_get_key calls the |get_key| method of |SSL_ECDH_METHOD|. */
-int SSL_ECDH_CTX_get_key(SSL_ECDH_CTX *ctx, CBS *cbs, CBS *out);
-
-/* SSL_ECDH_CTX_add_key calls the |add_key| method of |SSL_ECDH_METHOD|. */
-int SSL_ECDH_CTX_add_key(SSL_ECDH_CTX *ctx, CBB *cbb, CBB *out_contents);
-
-/* SSL_ECDH_CTX_offer calls the |offer| method of |SSL_ECDH_METHOD|. */
-int SSL_ECDH_CTX_offer(SSL_ECDH_CTX *ctx, CBB *out_public_key);
-
-/* SSL_ECDH_CTX_accept calls the |accept| method of |SSL_ECDH_METHOD|. */
-int SSL_ECDH_CTX_accept(SSL_ECDH_CTX *ctx, CBB *out_public_key,
- uint8_t **out_secret, size_t *out_secret_len,
- uint8_t *out_alert, const uint8_t *peer_key,
- size_t peer_key_len);
-
-/* SSL_ECDH_CTX_finish the |finish| method of |SSL_ECDH_METHOD|. */
-int SSL_ECDH_CTX_finish(SSL_ECDH_CTX *ctx, uint8_t **out_secret,
- size_t *out_secret_len, uint8_t *out_alert,
- const uint8_t *peer_key, size_t peer_key_len);
/* Handshake messages. */
@@ -1148,8 +1120,8 @@
* TLS 1.3. */
uint16_t retry_group = 0;
- /* ecdh_ctx is the current ECDH instance. */
- SSL_ECDH_CTX ecdh_ctx;
+ /* key_share is the current key exchange instance. */
+ UniquePtr<SSLKeyShare> key_share;
/* transcript is the current handshake transcript. */
SSLTranscript transcript;
diff --git a/ssl/s3_both.cc b/ssl/s3_both.cc
index 2ac2837..b9aa3bc 100644
--- a/ssl/s3_both.cc
+++ b/ssl/s3_both.cc
@@ -151,7 +151,6 @@
ticket_expected(0),
extended_master_secret(0),
pending_private_key_op(0) {
- OPENSSL_memset(&ecdh_ctx, 0, sizeof(ecdh_ctx));
}
SSL_HANDSHAKE::~SSL_HANDSHAKE() {
@@ -161,7 +160,6 @@
OPENSSL_cleanse(server_handshake_secret, sizeof(server_handshake_secret));
OPENSSL_cleanse(client_traffic_secret_0, sizeof(client_traffic_secret_0));
OPENSSL_cleanse(server_traffic_secret_0, sizeof(server_traffic_secret_0));
- SSL_ECDH_CTX_cleanup(&ecdh_ctx);
OPENSSL_free(cookie);
OPENSSL_free(key_share_bytes);
OPENSSL_free(ecdh_public_key);
diff --git a/ssl/ssl_ecdh.cc b/ssl/ssl_ecdh.cc
deleted file mode 100644
index d1b31af..0000000
--- a/ssl/ssl_ecdh.cc
+++ /dev/null
@@ -1,348 +0,0 @@
-/* Copyright (c) 2015, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/ssl.h>
-
-#include <assert.h>
-#include <string.h>
-
-#include <openssl/bn.h>
-#include <openssl/bytestring.h>
-#include <openssl/curve25519.h>
-#include <openssl/ec.h>
-#include <openssl/err.h>
-#include <openssl/mem.h>
-#include <openssl/nid.h>
-
-#include "internal.h"
-#include "../crypto/internal.h"
-
-
-namespace bssl {
-
-/* |EC_POINT| implementation. */
-
-static void ssl_ec_point_cleanup(SSL_ECDH_CTX *ctx) {
- BIGNUM *private_key = (BIGNUM *)ctx->data;
- BN_clear_free(private_key);
-}
-
-static int ssl_ec_point_offer(SSL_ECDH_CTX *ctx, CBB *out) {
- /* Set up a shared |BN_CTX| for all operations. */
- UniquePtr<BN_CTX> bn_ctx(BN_CTX_new());
- if (!bn_ctx) {
- return 0;
- }
- BN_CTXScope scope(bn_ctx.get());
-
- /* Generate a private key. */
- UniquePtr<EC_GROUP> group(EC_GROUP_new_by_curve_name(ctx->method->nid));
- UniquePtr<BIGNUM> private_key(BN_new());
- if (!group || !private_key ||
- !BN_rand_range_ex(private_key.get(), 1,
- EC_GROUP_get0_order(group.get()))) {
- return 0;
- }
-
- /* Compute the corresponding public key and serialize it. */
- UniquePtr<EC_POINT> public_key(EC_POINT_new(group.get()));
- if (!public_key ||
- !EC_POINT_mul(group.get(), public_key.get(), private_key.get(), NULL,
- NULL, bn_ctx.get()) ||
- !EC_POINT_point2cbb(out, group.get(), public_key.get(),
- POINT_CONVERSION_UNCOMPRESSED, bn_ctx.get())) {
- return 0;
- }
-
- assert(ctx->data == NULL);
- ctx->data = private_key.release();
- return 1;
-}
-
-static int ssl_ec_point_finish(SSL_ECDH_CTX *ctx, uint8_t **out_secret,
- size_t *out_secret_len, uint8_t *out_alert,
- const uint8_t *peer_key, size_t peer_key_len) {
- BIGNUM *private_key = (BIGNUM *)ctx->data;
- assert(private_key != NULL);
- *out_alert = SSL_AD_INTERNAL_ERROR;
-
- /* Set up a shared |BN_CTX| for all operations. */
- UniquePtr<BN_CTX> bn_ctx(BN_CTX_new());
- if (!bn_ctx) {
- return 0;
- }
- BN_CTXScope scope(bn_ctx.get());
-
- UniquePtr<EC_GROUP> group(EC_GROUP_new_by_curve_name(ctx->method->nid));
- if (!group) {
- return 0;
- }
-
- UniquePtr<EC_POINT> peer_point(EC_POINT_new(group.get()));
- UniquePtr<EC_POINT> result(EC_POINT_new(group.get()));
- BIGNUM *x = BN_CTX_get(bn_ctx.get());
- if (!peer_point || !result || !x) {
- return 0;
- }
-
- if (!EC_POINT_oct2point(group.get(), peer_point.get(), peer_key, peer_key_len,
- bn_ctx.get())) {
- *out_alert = SSL_AD_DECODE_ERROR;
- return 0;
- }
-
- /* Compute the x-coordinate of |peer_key| * |private_key|. */
- if (!EC_POINT_mul(group.get(), result.get(), NULL, peer_point.get(),
- private_key, bn_ctx.get()) ||
- !EC_POINT_get_affine_coordinates_GFp(group.get(), result.get(), x, NULL,
- bn_ctx.get())) {
- return 0;
- }
-
- /* Encode the x-coordinate left-padded with zeros. */
- size_t secret_len = (EC_GROUP_get_degree(group.get()) + 7) / 8;
- UniquePtr<uint8_t> secret((uint8_t *)OPENSSL_malloc(secret_len));
- if (!secret || !BN_bn2bin_padded(secret.get(), secret_len, x)) {
- return 0;
- }
-
- *out_secret = secret.release();
- *out_secret_len = secret_len;
- return 1;
-}
-
-static int ssl_ec_point_accept(SSL_ECDH_CTX *ctx, CBB *out_public_key,
- uint8_t **out_secret, size_t *out_secret_len,
- uint8_t *out_alert, const uint8_t *peer_key,
- size_t peer_key_len) {
- *out_alert = SSL_AD_INTERNAL_ERROR;
- if (!ssl_ec_point_offer(ctx, out_public_key) ||
- !ssl_ec_point_finish(ctx, out_secret, out_secret_len, out_alert, peer_key,
- peer_key_len)) {
- return 0;
- }
- return 1;
-}
-
-/* X25119 implementation. */
-
-static void ssl_x25519_cleanup(SSL_ECDH_CTX *ctx) {
- if (ctx->data == NULL) {
- return;
- }
- OPENSSL_cleanse(ctx->data, 32);
- OPENSSL_free(ctx->data);
-}
-
-static int ssl_x25519_offer(SSL_ECDH_CTX *ctx, CBB *out) {
- assert(ctx->data == NULL);
-
- ctx->data = OPENSSL_malloc(32);
- if (ctx->data == NULL) {
- OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
- return 0;
- }
- uint8_t public_key[32];
- X25519_keypair(public_key, (uint8_t *)ctx->data);
- return CBB_add_bytes(out, public_key, sizeof(public_key));
-}
-
-static int ssl_x25519_finish(SSL_ECDH_CTX *ctx, uint8_t **out_secret,
- size_t *out_secret_len, uint8_t *out_alert,
- const uint8_t *peer_key, size_t peer_key_len) {
- assert(ctx->data != NULL);
- *out_alert = SSL_AD_INTERNAL_ERROR;
-
- uint8_t *secret = (uint8_t *)OPENSSL_malloc(32);
- if (secret == NULL) {
- OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
- return 0;
- }
-
- if (peer_key_len != 32 ||
- !X25519(secret, (uint8_t *)ctx->data, peer_key)) {
- OPENSSL_free(secret);
- *out_alert = SSL_AD_DECODE_ERROR;
- OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);
- return 0;
- }
-
- *out_secret = secret;
- *out_secret_len = 32;
- return 1;
-}
-
-static int ssl_x25519_accept(SSL_ECDH_CTX *ctx, CBB *out_public_key,
- uint8_t **out_secret, size_t *out_secret_len,
- uint8_t *out_alert, const uint8_t *peer_key,
- size_t peer_key_len) {
- *out_alert = SSL_AD_INTERNAL_ERROR;
- if (!ssl_x25519_offer(ctx, out_public_key) ||
- !ssl_x25519_finish(ctx, out_secret, out_secret_len, out_alert, peer_key,
- peer_key_len)) {
- return 0;
- }
- return 1;
-}
-
-
-static const SSL_ECDH_METHOD kMethods[] = {
- {
- NID_secp224r1,
- SSL_CURVE_SECP224R1,
- "P-224",
- ssl_ec_point_cleanup,
- ssl_ec_point_offer,
- ssl_ec_point_accept,
- ssl_ec_point_finish,
- },
- {
- NID_X9_62_prime256v1,
- SSL_CURVE_SECP256R1,
- "P-256",
- ssl_ec_point_cleanup,
- ssl_ec_point_offer,
- ssl_ec_point_accept,
- ssl_ec_point_finish,
- },
- {
- NID_secp384r1,
- SSL_CURVE_SECP384R1,
- "P-384",
- ssl_ec_point_cleanup,
- ssl_ec_point_offer,
- ssl_ec_point_accept,
- ssl_ec_point_finish,
- },
- {
- NID_secp521r1,
- SSL_CURVE_SECP521R1,
- "P-521",
- ssl_ec_point_cleanup,
- ssl_ec_point_offer,
- ssl_ec_point_accept,
- ssl_ec_point_finish,
- },
- {
- NID_X25519,
- SSL_CURVE_X25519,
- "X25519",
- ssl_x25519_cleanup,
- ssl_x25519_offer,
- ssl_x25519_accept,
- ssl_x25519_finish,
- },
-};
-
-static const SSL_ECDH_METHOD *method_from_group_id(uint16_t group_id) {
- for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kMethods); i++) {
- if (kMethods[i].group_id == group_id) {
- return &kMethods[i];
- }
- }
- return NULL;
-}
-
-static const SSL_ECDH_METHOD *method_from_nid(int nid) {
- for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kMethods); i++) {
- if (kMethods[i].nid == nid) {
- return &kMethods[i];
- }
- }
- return NULL;
-}
-
-static const SSL_ECDH_METHOD *method_from_name(const char *name, size_t len) {
- for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kMethods); i++) {
- if (len == strlen(kMethods[i].name) &&
- !strncmp(kMethods[i].name, name, len)) {
- return &kMethods[i];
- }
- }
- return NULL;
-}
-
-int ssl_nid_to_group_id(uint16_t *out_group_id, int nid) {
- const SSL_ECDH_METHOD *method = method_from_nid(nid);
- if (method == NULL) {
- return 0;
- }
- *out_group_id = method->group_id;
- return 1;
-}
-
-int ssl_name_to_group_id(uint16_t *out_group_id, const char *name, size_t len) {
- const SSL_ECDH_METHOD *method = method_from_name(name, len);
- if (method == NULL) {
- return 0;
- }
- *out_group_id = method->group_id;
- return 1;
-}
-
-int SSL_ECDH_CTX_init(SSL_ECDH_CTX *ctx, uint16_t group_id) {
- SSL_ECDH_CTX_cleanup(ctx);
-
- const SSL_ECDH_METHOD *method = method_from_group_id(group_id);
- if (method == NULL) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
- return 0;
- }
- ctx->method = method;
- return 1;
-}
-
-void SSL_ECDH_CTX_cleanup(SSL_ECDH_CTX *ctx) {
- if (ctx->method == NULL) {
- return;
- }
- ctx->method->cleanup(ctx);
- ctx->method = NULL;
- ctx->data = NULL;
-}
-
-uint16_t SSL_ECDH_CTX_get_id(const SSL_ECDH_CTX *ctx) {
- return ctx->method->group_id;
-}
-
-int SSL_ECDH_CTX_offer(SSL_ECDH_CTX *ctx, CBB *out_public_key) {
- return ctx->method->offer(ctx, out_public_key);
-}
-
-int SSL_ECDH_CTX_accept(SSL_ECDH_CTX *ctx, CBB *out_public_key,
- uint8_t **out_secret, size_t *out_secret_len,
- uint8_t *out_alert, const uint8_t *peer_key,
- size_t peer_key_len) {
- return ctx->method->accept(ctx, out_public_key, out_secret, out_secret_len,
- out_alert, peer_key, peer_key_len);
-}
-
-int SSL_ECDH_CTX_finish(SSL_ECDH_CTX *ctx, uint8_t **out_secret,
- size_t *out_secret_len, uint8_t *out_alert,
- const uint8_t *peer_key, size_t peer_key_len) {
- return ctx->method->finish(ctx, out_secret, out_secret_len, out_alert,
- peer_key, peer_key_len);
-}
-
-} // namespace bssl
-
-using namespace bssl;
-
-const char* SSL_get_curve_name(uint16_t group_id) {
- const SSL_ECDH_METHOD *method = method_from_group_id(group_id);
- if (method == NULL) {
- return NULL;
- }
- return method->name;
-}
diff --git a/ssl/ssl_key_share.cc b/ssl/ssl_key_share.cc
new file mode 100644
index 0000000..eb61535
--- /dev/null
+++ b/ssl/ssl_key_share.cc
@@ -0,0 +1,245 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/ssl.h>
+
+#include <assert.h>
+#include <string.h>
+
+#include <openssl/bn.h>
+#include <openssl/bytestring.h>
+#include <openssl/curve25519.h>
+#include <openssl/ec.h>
+#include <openssl/err.h>
+#include <openssl/mem.h>
+#include <openssl/nid.h>
+
+#include "internal.h"
+#include "../crypto/internal.h"
+
+
+namespace bssl {
+
+namespace {
+
+class ECKeyShare : public SSLKeyShare {
+ public:
+ ECKeyShare(int nid, uint16_t group_id) : nid_(nid), group_id_(group_id) {}
+ ~ECKeyShare() override {}
+
+ uint16_t GroupID() const override { return group_id_; }
+
+ bool Offer(CBB *out) override {
+ assert(!private_key_);
+ /* Set up a shared |BN_CTX| for all operations. */
+ UniquePtr<BN_CTX> bn_ctx(BN_CTX_new());
+ if (!bn_ctx) {
+ return false;
+ }
+ BN_CTXScope scope(bn_ctx.get());
+
+ /* Generate a private key. */
+ UniquePtr<EC_GROUP> group(EC_GROUP_new_by_curve_name(nid_));
+ private_key_.reset(BN_new());
+ if (!group || !private_key_ ||
+ !BN_rand_range_ex(private_key_.get(), 1,
+ EC_GROUP_get0_order(group.get()))) {
+ return false;
+ }
+
+ /* Compute the corresponding public key and serialize it. */
+ UniquePtr<EC_POINT> public_key(EC_POINT_new(group.get()));
+ if (!public_key ||
+ !EC_POINT_mul(group.get(), public_key.get(), private_key_.get(), NULL,
+ NULL, bn_ctx.get()) ||
+ !EC_POINT_point2cbb(out, group.get(), public_key.get(),
+ POINT_CONVERSION_UNCOMPRESSED, bn_ctx.get())) {
+ return false;
+ }
+
+ return true;
+ }
+
+ bool Finish(uint8_t **out_secret, size_t *out_secret_len, uint8_t *out_alert,
+ const uint8_t *peer_key, size_t peer_key_len) override {
+ assert(private_key_);
+ *out_alert = SSL_AD_INTERNAL_ERROR;
+
+ /* Set up a shared |BN_CTX| for all operations. */
+ UniquePtr<BN_CTX> bn_ctx(BN_CTX_new());
+ if (!bn_ctx) {
+ return false;
+ }
+ BN_CTXScope scope(bn_ctx.get());
+
+ UniquePtr<EC_GROUP> group(EC_GROUP_new_by_curve_name(nid_));
+ if (!group) {
+ return false;
+ }
+
+ UniquePtr<EC_POINT> peer_point(EC_POINT_new(group.get()));
+ UniquePtr<EC_POINT> result(EC_POINT_new(group.get()));
+ BIGNUM *x = BN_CTX_get(bn_ctx.get());
+ if (!peer_point || !result || !x) {
+ return false;
+ }
+
+ if (!EC_POINT_oct2point(group.get(), peer_point.get(), peer_key,
+ peer_key_len, bn_ctx.get())) {
+ *out_alert = SSL_AD_DECODE_ERROR;
+ return false;
+ }
+
+ /* Compute the x-coordinate of |peer_key| * |private_key_|. */
+ if (!EC_POINT_mul(group.get(), result.get(), NULL, peer_point.get(),
+ private_key_.get(), bn_ctx.get()) ||
+ !EC_POINT_get_affine_coordinates_GFp(group.get(), result.get(), x, NULL,
+ bn_ctx.get())) {
+ return false;
+ }
+
+ /* Encode the x-coordinate left-padded with zeros. */
+ size_t secret_len = (EC_GROUP_get_degree(group.get()) + 7) / 8;
+ UniquePtr<uint8_t> secret((uint8_t *)OPENSSL_malloc(secret_len));
+ if (!secret || !BN_bn2bin_padded(secret.get(), secret_len, x)) {
+ return false;
+ }
+
+ *out_secret = secret.release();
+ *out_secret_len = secret_len;
+ return true;
+ }
+
+ private:
+ UniquePtr<BIGNUM> private_key_;
+ int nid_;
+ uint16_t group_id_;
+};
+
+class X25519KeyShare : public SSLKeyShare {
+ public:
+ X25519KeyShare() {}
+ ~X25519KeyShare() override {
+ OPENSSL_cleanse(private_key_, sizeof(private_key_));
+ }
+
+ uint16_t GroupID() const override { return SSL_CURVE_X25519; }
+
+ bool Offer(CBB *out) override {
+ uint8_t public_key[32];
+ X25519_keypair(public_key, private_key_);
+ return !!CBB_add_bytes(out, public_key, sizeof(public_key));
+ }
+
+ bool Finish(uint8_t **out_secret, size_t *out_secret_len, uint8_t *out_alert,
+ const uint8_t *peer_key, size_t peer_key_len) override {
+ *out_alert = SSL_AD_INTERNAL_ERROR;
+
+ UniquePtr<uint8_t> secret((uint8_t *)OPENSSL_malloc(32));
+ if (!secret) {
+ OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
+ return false;
+ }
+
+ if (peer_key_len != 32 || !X25519(secret.get(), private_key_, peer_key)) {
+ *out_alert = SSL_AD_DECODE_ERROR;
+ OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);
+ return false;
+ }
+
+ *out_secret = secret.release();
+ *out_secret_len = 32;
+ return true;
+ }
+
+ private:
+ uint8_t private_key_[32];
+};
+
+const struct {
+ int nid;
+ uint16_t group_id;
+ const char name[8];
+} kNamedGroups[] = {
+ {NID_secp224r1, SSL_CURVE_SECP224R1, "P-224"},
+ {NID_X9_62_prime256v1, SSL_CURVE_SECP256R1, "P-256"},
+ {NID_secp384r1, SSL_CURVE_SECP384R1, "P-384"},
+ {NID_secp521r1, SSL_CURVE_SECP521R1, "P-521"},
+ {NID_X25519, SSL_CURVE_X25519, "X25519"},
+};
+
+} // namespace
+
+UniquePtr<SSLKeyShare> SSLKeyShare::Create(uint16_t group_id) {
+ switch (group_id) {
+ case SSL_CURVE_SECP224R1:
+ return UniquePtr<SSLKeyShare>(
+ New<ECKeyShare>(NID_secp224r1, SSL_CURVE_SECP224R1));
+ case SSL_CURVE_SECP256R1:
+ return UniquePtr<SSLKeyShare>(
+ New<ECKeyShare>(NID_X9_62_prime256v1, SSL_CURVE_SECP256R1));
+ case SSL_CURVE_SECP384R1:
+ return UniquePtr<SSLKeyShare>(
+ New<ECKeyShare>(NID_secp384r1, SSL_CURVE_SECP384R1));
+ case SSL_CURVE_SECP521R1:
+ return UniquePtr<SSLKeyShare>(
+ New<ECKeyShare>(NID_secp521r1, SSL_CURVE_SECP521R1));
+ case SSL_CURVE_X25519:
+ return UniquePtr<SSLKeyShare>(New<X25519KeyShare>());
+ default:
+ return nullptr;
+ }
+}
+
+bool SSLKeyShare::Accept(CBB *out_public_key, uint8_t **out_secret,
+ size_t *out_secret_len, uint8_t *out_alert,
+ const uint8_t *peer_key, size_t peer_key_len) {
+ *out_alert = SSL_AD_INTERNAL_ERROR;
+ return Offer(out_public_key) &&
+ Finish(out_secret, out_secret_len, out_alert, peer_key, peer_key_len);
+}
+
+int ssl_nid_to_group_id(uint16_t *out_group_id, int nid) {
+ for (const auto &group : kNamedGroups) {
+ if (group.nid == nid) {
+ *out_group_id = group.group_id;
+ return 1;
+ }
+ }
+ return 0;
+}
+
+int ssl_name_to_group_id(uint16_t *out_group_id, const char *name, size_t len) {
+ for (const auto &group : kNamedGroups) {
+ if (len == strlen(group.name) &&
+ !strncmp(group.name, name, len)) {
+ *out_group_id = group.group_id;
+ return 1;
+ }
+ }
+ return 0;
+}
+
+} // namespace bssl
+
+using namespace bssl;
+
+const char* SSL_get_curve_name(uint16_t group_id) {
+ for (const auto &group : kNamedGroups) {
+ if (group.group_id == group_id) {
+ return group.name;
+ }
+ }
+ return nullptr;
+}
diff --git a/ssl/t1_lib.cc b/ssl/t1_lib.cc
index b4cd964..19f256d 100644
--- a/ssl/t1_lib.cc
+++ b/ssl/t1_lib.cc
@@ -2135,7 +2135,7 @@
uint16_t group_id = hs->retry_group;
if (hs->received_hello_retry_request) {
/* We received a HelloRetryRequest without a new curve, so there is no new
- * share to append. Leave |ecdh_ctx| as-is. */
+ * share to append. Leave |hs->key_share| as-is. */
if (group_id == 0 &&
!CBB_add_bytes(&kse_bytes, hs->key_share_bytes,
hs->key_share_bytes_len)) {
@@ -2169,11 +2169,12 @@
group_id = groups[0];
}
+ hs->key_share = SSLKeyShare::Create(group_id);
CBB key_exchange;
- if (!CBB_add_u16(&kse_bytes, group_id) ||
+ if (!hs->key_share ||
+ !CBB_add_u16(&kse_bytes, group_id) ||
!CBB_add_u16_length_prefixed(&kse_bytes, &key_exchange) ||
- !SSL_ECDH_CTX_init(&hs->ecdh_ctx, group_id) ||
- !SSL_ECDH_CTX_offer(&hs->ecdh_ctx, &key_exchange) ||
+ !hs->key_share->Offer(&key_exchange) ||
!CBB_flush(&kse_bytes)) {
return 0;
}
@@ -2204,20 +2205,20 @@
return 0;
}
- if (SSL_ECDH_CTX_get_id(&hs->ecdh_ctx) != group_id) {
+ if (hs->key_share->GroupID() != group_id) {
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
return 0;
}
- if (!SSL_ECDH_CTX_finish(&hs->ecdh_ctx, out_secret, out_secret_len, out_alert,
- CBS_data(&peer_key), CBS_len(&peer_key))) {
+ if (!hs->key_share->Finish(out_secret, out_secret_len, out_alert,
+ CBS_data(&peer_key), CBS_len(&peer_key))) {
*out_alert = SSL_AD_INTERNAL_ERROR;
return 0;
}
hs->new_session->group_id = group_id;
- SSL_ECDH_CTX_cleanup(&hs->ecdh_ctx);
+ hs->key_share.reset();
return 1;
}
@@ -2274,24 +2275,19 @@
/* Compute the DH secret. */
uint8_t *secret = NULL;
size_t secret_len;
- SSL_ECDH_CTX group;
- OPENSSL_memset(&group, 0, sizeof(SSL_ECDH_CTX));
ScopedCBB public_key;
- if (!CBB_init(public_key.get(), 32) ||
- !SSL_ECDH_CTX_init(&group, group_id) ||
- !SSL_ECDH_CTX_accept(&group, public_key.get(), &secret, &secret_len,
- out_alert, CBS_data(&peer_key),
- CBS_len(&peer_key)) ||
+ UniquePtr<SSLKeyShare> key_share = SSLKeyShare::Create(group_id);
+ if (!key_share ||
+ !CBB_init(public_key.get(), 32) ||
+ !key_share->Accept(public_key.get(), &secret, &secret_len, out_alert,
+ CBS_data(&peer_key), CBS_len(&peer_key)) ||
!CBB_finish(public_key.get(), &hs->ecdh_public_key,
&hs->ecdh_public_key_len)) {
OPENSSL_free(secret);
- SSL_ECDH_CTX_cleanup(&group);
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
return 0;
}
- SSL_ECDH_CTX_cleanup(&group);
-
*out_secret = secret;
*out_secret_len = secret_len;
*out_found = 1;
diff --git a/ssl/tls13_client.cc b/ssl/tls13_client.cc
index 5f8cbe1..4cc7e60 100644
--- a/ssl/tls13_client.cc
+++ b/ssl/tls13_client.cc
@@ -130,13 +130,13 @@
/* Check that the HelloRetryRequest does not request the key share that
* was provided in the initial ClientHello. */
- if (SSL_ECDH_CTX_get_id(&hs->ecdh_ctx) == group_id) {
+ if (hs->key_share->GroupID() == group_id) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
return ssl_hs_error;
}
- SSL_ECDH_CTX_cleanup(&hs->ecdh_ctx);
+ hs->key_share.reset();
hs->retry_group = group_id;
}
@@ -785,7 +785,7 @@
}
void ssl_clear_tls13_state(SSL_HANDSHAKE *hs) {
- SSL_ECDH_CTX_cleanup(&hs->ecdh_ctx);
+ hs->key_share.reset();
OPENSSL_free(hs->key_share_bytes);
hs->key_share_bytes = NULL;