int tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, int *al) { unsigned char *encodedPoint; size_t encoded_pt_len = 0; EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL; if (s->hit) return 1; if (ckey == NULL) { SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR); return 0; } if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share) || !WPACKET_start_sub_packet_u16(pkt) || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) { SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR); return 0; } skey = ssl_generate_pkey(ckey); if (skey == NULL) { SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE); return 0; } /* Generate encoding of server key */ encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint); if (encoded_pt_len == 0) { SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_EC_LIB); EVP_PKEY_free(skey); return 0; } if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len) || !WPACKET_close(pkt)) { SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR); EVP_PKEY_free(skey); OPENSSL_free(encodedPoint); return 0; } OPENSSL_free(encodedPoint); /* This causes the crypto state to be updated based on the derived keys */ s->s3->tmp.pkey = skey; if (ssl_derive(s, skey, ckey, 1) == 0) { SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR); return 0; } return 1; }
static int add_key_share(SSL *s, WPACKET *pkt, unsigned int curve_id) { unsigned char *encoded_point; EVP_PKEY *key_share_key; size_t encodedlen; key_share_key = ssl_generate_pkey_curve(curve_id); if (key_share_key == NULL) { SSLerr(SSL_F_ADD_KEY_SHARE, ERR_R_EVP_LIB); return 0; } /* Encode the public key. */ encodedlen = EVP_PKEY_get1_tls_encodedpoint(key_share_key, &encoded_point); if (encodedlen == 0) { SSLerr(SSL_F_ADD_KEY_SHARE, ERR_R_EC_LIB); EVP_PKEY_free(key_share_key); return 0; } /* Create KeyShareEntry */ if (!WPACKET_put_bytes_u16(pkt, curve_id) || !WPACKET_sub_memcpy_u16(pkt, encoded_point, encodedlen)) { SSLerr(SSL_F_ADD_KEY_SHARE, ERR_R_INTERNAL_ERROR); EVP_PKEY_free(key_share_key); OPENSSL_free(encoded_point); return 0; } /* * TODO(TLS1.3): When changing to send more than one key_share we're * going to need to be able to save more than one EVP_PKEY. For now * we reuse the existing tmp.pkey */ s->s3->tmp.pkey = key_share_key; s->s3->group_id = curve_id; OPENSSL_free(encoded_point); return 1; }
EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx, int *al) { #ifndef OPENSSL_NO_TLS1_3 unsigned char *encodedPoint; size_t encoded_pt_len = 0; EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL; if (ckey == NULL) { /* No key_share received from client */ if (s->hello_retry_request) { if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share) || !WPACKET_start_sub_packet_u16(pkt) || !WPACKET_put_bytes_u16(pkt, s->s3->group_id) || !WPACKET_close(pkt)) { SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR); return EXT_RETURN_FAIL; } return EXT_RETURN_SENT; } /* Must be resuming. */ if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) { *al = SSL_AD_INTERNAL_ERROR; SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR); return EXT_RETURN_FAIL; } return EXT_RETURN_NOT_SENT; } if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share) || !WPACKET_start_sub_packet_u16(pkt) || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) { SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR); return EXT_RETURN_FAIL; } skey = ssl_generate_pkey(ckey); if (skey == NULL) { SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE); return EXT_RETURN_FAIL; } /* Generate encoding of server key */ encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint); if (encoded_pt_len == 0) { SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_EC_LIB); EVP_PKEY_free(skey); return EXT_RETURN_FAIL; } if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len) || !WPACKET_close(pkt)) { SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR); EVP_PKEY_free(skey); OPENSSL_free(encodedPoint); return EXT_RETURN_FAIL; } OPENSSL_free(encodedPoint); /* This causes the crypto state to be updated based on the derived keys */ s->s3->tmp.pkey = skey; if (ssl_derive(s, skey, ckey, 1) == 0) { SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR); return EXT_RETURN_FAIL; } #endif return EXT_RETURN_SENT; }
int tls_construct_ctos_key_share(SSL *s, WPACKET *pkt, int *al) { size_t i, sharessent = 0, num_curves = 0; const unsigned char *pcurves = NULL; /* key_share extension */ if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share) /* Extension data sub-packet */ || !WPACKET_start_sub_packet_u16(pkt) /* KeyShare list sub-packet */ || !WPACKET_start_sub_packet_u16(pkt)) { SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR); return 0; } pcurves = s->tlsext_supportedgroupslist; if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) { SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR); return 0; } /* * TODO(TLS1.3): Make the number of key_shares sent configurable. For * now, just send one */ for (i = 0; i < num_curves && sharessent < 1; i++, pcurves += 2) { unsigned char *encodedPoint = NULL; unsigned int curve_id = 0; EVP_PKEY *key_share_key = NULL; size_t encodedlen; if (!tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) continue; if (s->s3->tmp.pkey != NULL) { /* Shouldn't happen! */ SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR); return 0; } /* Generate a key for this key_share */ curve_id = (pcurves[0] << 8) | pcurves[1]; key_share_key = ssl_generate_pkey_curve(curve_id); if (key_share_key == NULL) { SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_EVP_LIB); return 0; } /* Encode the public key. */ encodedlen = EVP_PKEY_get1_tls_encodedpoint(key_share_key, &encodedPoint); if (encodedlen == 0) { SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_EC_LIB); EVP_PKEY_free(key_share_key); return 0; } /* Create KeyShareEntry */ if (!WPACKET_put_bytes_u16(pkt, curve_id) || !WPACKET_sub_memcpy_u16(pkt, encodedPoint, encodedlen)) { SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR); EVP_PKEY_free(key_share_key); OPENSSL_free(encodedPoint); return 0; } /* * TODO(TLS1.3): When changing to send more than one key_share we're * going to need to be able to save more than one EVP_PKEY. For now * we reuse the existing tmp.pkey */ s->s3->group_id = curve_id; s->s3->tmp.pkey = key_share_key; sharessent++; OPENSSL_free(encodedPoint); } if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR); return 0; } return 1; }