1 /* $OpenBSD: tls_key_share.c,v 1.8 2022/11/26 16:08:56 tb Exp $ */
2 /*
3 * Copyright (c) 2020, 2021 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18 #include <stdlib.h>
19
20 #include <openssl/curve25519.h>
21 #include <openssl/dh.h>
22 #include <openssl/ec.h>
23 #include <openssl/evp.h>
24
25 #include "bytestring.h"
26 #include "ssl_local.h"
27 #include "tls_internal.h"
28
29 struct tls_key_share {
30 int nid;
31 uint16_t group_id;
32 size_t key_bits;
33
34 DH *dhe;
35 DH *dhe_peer;
36
37 EC_KEY *ecdhe;
38 EC_KEY *ecdhe_peer;
39
40 uint8_t *x25519_public;
41 uint8_t *x25519_private;
42 uint8_t *x25519_peer_public;
43 };
44
45 static struct tls_key_share *
tls_key_share_new_internal(int nid,uint16_t group_id)46 tls_key_share_new_internal(int nid, uint16_t group_id)
47 {
48 struct tls_key_share *ks;
49
50 if ((ks = calloc(1, sizeof(struct tls_key_share))) == NULL)
51 return NULL;
52
53 ks->group_id = group_id;
54 ks->nid = nid;
55
56 return ks;
57 }
58
59 struct tls_key_share *
tls_key_share_new(uint16_t group_id)60 tls_key_share_new(uint16_t group_id)
61 {
62 int nid;
63
64 if (!tls1_ec_group_id2nid(group_id, &nid))
65 return NULL;
66
67 return tls_key_share_new_internal(nid, group_id);
68 }
69
70 struct tls_key_share *
tls_key_share_new_nid(int nid)71 tls_key_share_new_nid(int nid)
72 {
73 uint16_t group_id = 0;
74
75 if (nid != NID_dhKeyAgreement) {
76 if (!tls1_ec_nid2group_id(nid, &group_id))
77 return NULL;
78 }
79
80 return tls_key_share_new_internal(nid, group_id);
81 }
82
83 void
tls_key_share_free(struct tls_key_share * ks)84 tls_key_share_free(struct tls_key_share *ks)
85 {
86 if (ks == NULL)
87 return;
88
89 DH_free(ks->dhe);
90 DH_free(ks->dhe_peer);
91
92 EC_KEY_free(ks->ecdhe);
93 EC_KEY_free(ks->ecdhe_peer);
94
95 freezero(ks->x25519_public, X25519_KEY_LENGTH);
96 freezero(ks->x25519_private, X25519_KEY_LENGTH);
97 freezero(ks->x25519_peer_public, X25519_KEY_LENGTH);
98
99 freezero(ks, sizeof(*ks));
100 }
101
102 uint16_t
tls_key_share_group(struct tls_key_share * ks)103 tls_key_share_group(struct tls_key_share *ks)
104 {
105 return ks->group_id;
106 }
107
108 int
tls_key_share_nid(struct tls_key_share * ks)109 tls_key_share_nid(struct tls_key_share *ks)
110 {
111 return ks->nid;
112 }
113
114 void
tls_key_share_set_key_bits(struct tls_key_share * ks,size_t key_bits)115 tls_key_share_set_key_bits(struct tls_key_share *ks, size_t key_bits)
116 {
117 ks->key_bits = key_bits;
118 }
119
120 int
tls_key_share_set_dh_params(struct tls_key_share * ks,DH * dh_params)121 tls_key_share_set_dh_params(struct tls_key_share *ks, DH *dh_params)
122 {
123 if (ks->nid != NID_dhKeyAgreement)
124 return 0;
125 if (ks->dhe != NULL || ks->dhe_peer != NULL)
126 return 0;
127
128 if ((ks->dhe = DHparams_dup(dh_params)) == NULL)
129 return 0;
130 if ((ks->dhe_peer = DHparams_dup(dh_params)) == NULL)
131 return 0;
132
133 return 1;
134 }
135
136 int
tls_key_share_peer_pkey(struct tls_key_share * ks,EVP_PKEY * pkey)137 tls_key_share_peer_pkey(struct tls_key_share *ks, EVP_PKEY *pkey)
138 {
139 if (ks->nid == NID_dhKeyAgreement && ks->dhe_peer != NULL)
140 return EVP_PKEY_set1_DH(pkey, ks->dhe_peer);
141
142 if (ks->nid == NID_X25519 && ks->x25519_peer_public != NULL)
143 return ssl_kex_dummy_ecdhe_x25519(pkey);
144
145 if (ks->ecdhe_peer != NULL)
146 return EVP_PKEY_set1_EC_KEY(pkey, ks->ecdhe_peer);
147
148 return 0;
149 }
150
151 static int
tls_key_share_generate_dhe(struct tls_key_share * ks)152 tls_key_share_generate_dhe(struct tls_key_share *ks)
153 {
154 /*
155 * If auto params are not being used then we must already have DH
156 * parameters set.
157 */
158 if (ks->key_bits == 0) {
159 if (ks->dhe == NULL)
160 return 0;
161
162 return ssl_kex_generate_dhe(ks->dhe, ks->dhe);
163 }
164
165 if (ks->dhe != NULL || ks->dhe_peer != NULL)
166 return 0;
167
168 if ((ks->dhe = DH_new()) == NULL)
169 return 0;
170 if (!ssl_kex_generate_dhe_params_auto(ks->dhe, ks->key_bits))
171 return 0;
172 if ((ks->dhe_peer = DHparams_dup(ks->dhe)) == NULL)
173 return 0;
174
175 return 1;
176 }
177
178 static int
tls_key_share_generate_ecdhe_ecp(struct tls_key_share * ks)179 tls_key_share_generate_ecdhe_ecp(struct tls_key_share *ks)
180 {
181 EC_KEY *ecdhe = NULL;
182 int ret = 0;
183
184 if (ks->ecdhe != NULL)
185 goto err;
186
187 if ((ecdhe = EC_KEY_new()) == NULL)
188 goto err;
189 if (!ssl_kex_generate_ecdhe_ecp(ecdhe, ks->nid))
190 goto err;
191
192 ks->ecdhe = ecdhe;
193 ecdhe = NULL;
194
195 ret = 1;
196
197 err:
198 EC_KEY_free(ecdhe);
199
200 return ret;
201 }
202
203 static int
tls_key_share_generate_x25519(struct tls_key_share * ks)204 tls_key_share_generate_x25519(struct tls_key_share *ks)
205 {
206 uint8_t *public = NULL, *private = NULL;
207 int ret = 0;
208
209 if (ks->x25519_public != NULL || ks->x25519_private != NULL)
210 goto err;
211
212 if ((public = calloc(1, X25519_KEY_LENGTH)) == NULL)
213 goto err;
214 if ((private = calloc(1, X25519_KEY_LENGTH)) == NULL)
215 goto err;
216
217 X25519_keypair(public, private);
218
219 ks->x25519_public = public;
220 ks->x25519_private = private;
221 public = NULL;
222 private = NULL;
223
224 ret = 1;
225
226 err:
227 freezero(public, X25519_KEY_LENGTH);
228 freezero(private, X25519_KEY_LENGTH);
229
230 return ret;
231 }
232
233 int
tls_key_share_generate(struct tls_key_share * ks)234 tls_key_share_generate(struct tls_key_share *ks)
235 {
236 if (ks->nid == NID_dhKeyAgreement)
237 return tls_key_share_generate_dhe(ks);
238
239 if (ks->nid == NID_X25519)
240 return tls_key_share_generate_x25519(ks);
241
242 return tls_key_share_generate_ecdhe_ecp(ks);
243 }
244
245 static int
tls_key_share_params_dhe(struct tls_key_share * ks,CBB * cbb)246 tls_key_share_params_dhe(struct tls_key_share *ks, CBB *cbb)
247 {
248 if (ks->dhe == NULL)
249 return 0;
250
251 return ssl_kex_params_dhe(ks->dhe, cbb);
252 }
253
254 int
tls_key_share_params(struct tls_key_share * ks,CBB * cbb)255 tls_key_share_params(struct tls_key_share *ks, CBB *cbb)
256 {
257 if (ks->nid == NID_dhKeyAgreement)
258 return tls_key_share_params_dhe(ks, cbb);
259
260 return 0;
261 }
262
263 static int
tls_key_share_public_dhe(struct tls_key_share * ks,CBB * cbb)264 tls_key_share_public_dhe(struct tls_key_share *ks, CBB *cbb)
265 {
266 if (ks->dhe == NULL)
267 return 0;
268
269 return ssl_kex_public_dhe(ks->dhe, cbb);
270 }
271
272 static int
tls_key_share_public_ecdhe_ecp(struct tls_key_share * ks,CBB * cbb)273 tls_key_share_public_ecdhe_ecp(struct tls_key_share *ks, CBB *cbb)
274 {
275 if (ks->ecdhe == NULL)
276 return 0;
277
278 return ssl_kex_public_ecdhe_ecp(ks->ecdhe, cbb);
279 }
280
281 static int
tls_key_share_public_x25519(struct tls_key_share * ks,CBB * cbb)282 tls_key_share_public_x25519(struct tls_key_share *ks, CBB *cbb)
283 {
284 if (ks->x25519_public == NULL)
285 return 0;
286
287 return CBB_add_bytes(cbb, ks->x25519_public, X25519_KEY_LENGTH);
288 }
289
290 int
tls_key_share_public(struct tls_key_share * ks,CBB * cbb)291 tls_key_share_public(struct tls_key_share *ks, CBB *cbb)
292 {
293 if (ks->nid == NID_dhKeyAgreement)
294 return tls_key_share_public_dhe(ks, cbb);
295
296 if (ks->nid == NID_X25519)
297 return tls_key_share_public_x25519(ks, cbb);
298
299 return tls_key_share_public_ecdhe_ecp(ks, cbb);
300 }
301
302 static int
tls_key_share_peer_params_dhe(struct tls_key_share * ks,CBS * cbs,int * decode_error,int * invalid_params)303 tls_key_share_peer_params_dhe(struct tls_key_share *ks, CBS *cbs,
304 int *decode_error, int *invalid_params)
305 {
306 if (ks->dhe != NULL || ks->dhe_peer != NULL)
307 return 0;
308
309 if ((ks->dhe_peer = DH_new()) == NULL)
310 return 0;
311 if (!ssl_kex_peer_params_dhe(ks->dhe_peer, cbs, decode_error,
312 invalid_params))
313 return 0;
314 if ((ks->dhe = DHparams_dup(ks->dhe_peer)) == NULL)
315 return 0;
316
317 return 1;
318 }
319
320 int
tls_key_share_peer_params(struct tls_key_share * ks,CBS * cbs,int * decode_error,int * invalid_params)321 tls_key_share_peer_params(struct tls_key_share *ks, CBS *cbs,
322 int *decode_error, int *invalid_params)
323 {
324 if (ks->nid != NID_dhKeyAgreement)
325 return 0;
326
327 return tls_key_share_peer_params_dhe(ks, cbs, decode_error,
328 invalid_params);
329 }
330
331 static int
tls_key_share_peer_public_dhe(struct tls_key_share * ks,CBS * cbs,int * decode_error,int * invalid_key)332 tls_key_share_peer_public_dhe(struct tls_key_share *ks, CBS *cbs,
333 int *decode_error, int *invalid_key)
334 {
335 if (ks->dhe_peer == NULL)
336 return 0;
337
338 return ssl_kex_peer_public_dhe(ks->dhe_peer, cbs, decode_error,
339 invalid_key);
340 }
341
342 static int
tls_key_share_peer_public_ecdhe_ecp(struct tls_key_share * ks,CBS * cbs)343 tls_key_share_peer_public_ecdhe_ecp(struct tls_key_share *ks, CBS *cbs)
344 {
345 EC_KEY *ecdhe = NULL;
346 int ret = 0;
347
348 if (ks->ecdhe_peer != NULL)
349 goto err;
350
351 if ((ecdhe = EC_KEY_new()) == NULL)
352 goto err;
353 if (!ssl_kex_peer_public_ecdhe_ecp(ecdhe, ks->nid, cbs))
354 goto err;
355
356 ks->ecdhe_peer = ecdhe;
357 ecdhe = NULL;
358
359 ret = 1;
360
361 err:
362 EC_KEY_free(ecdhe);
363
364 return ret;
365 }
366
367 static int
tls_key_share_peer_public_x25519(struct tls_key_share * ks,CBS * cbs,int * decode_error)368 tls_key_share_peer_public_x25519(struct tls_key_share *ks, CBS *cbs,
369 int *decode_error)
370 {
371 size_t out_len;
372
373 *decode_error = 0;
374
375 if (ks->x25519_peer_public != NULL)
376 return 0;
377
378 if (CBS_len(cbs) != X25519_KEY_LENGTH) {
379 *decode_error = 1;
380 return 0;
381 }
382
383 return CBS_stow(cbs, &ks->x25519_peer_public, &out_len);
384 }
385
386 int
tls_key_share_peer_public(struct tls_key_share * ks,CBS * cbs,int * decode_error,int * invalid_key)387 tls_key_share_peer_public(struct tls_key_share *ks, CBS *cbs, int *decode_error,
388 int *invalid_key)
389 {
390 *decode_error = 0;
391
392 if (invalid_key != NULL)
393 *invalid_key = 0;
394
395 if (ks->nid == NID_dhKeyAgreement)
396 return tls_key_share_peer_public_dhe(ks, cbs, decode_error,
397 invalid_key);
398
399 if (ks->nid == NID_X25519)
400 return tls_key_share_peer_public_x25519(ks, cbs, decode_error);
401
402 return tls_key_share_peer_public_ecdhe_ecp(ks, cbs);
403 }
404
405 static int
tls_key_share_derive_dhe(struct tls_key_share * ks,uint8_t ** shared_key,size_t * shared_key_len)406 tls_key_share_derive_dhe(struct tls_key_share *ks,
407 uint8_t **shared_key, size_t *shared_key_len)
408 {
409 if (ks->dhe == NULL || ks->dhe_peer == NULL)
410 return 0;
411
412 return ssl_kex_derive_dhe(ks->dhe, ks->dhe_peer, shared_key,
413 shared_key_len);
414 }
415
416 static int
tls_key_share_derive_ecdhe_ecp(struct tls_key_share * ks,uint8_t ** shared_key,size_t * shared_key_len)417 tls_key_share_derive_ecdhe_ecp(struct tls_key_share *ks,
418 uint8_t **shared_key, size_t *shared_key_len)
419 {
420 if (ks->ecdhe == NULL || ks->ecdhe_peer == NULL)
421 return 0;
422
423 return ssl_kex_derive_ecdhe_ecp(ks->ecdhe, ks->ecdhe_peer,
424 shared_key, shared_key_len);
425 }
426
427 static int
tls_key_share_derive_x25519(struct tls_key_share * ks,uint8_t ** shared_key,size_t * shared_key_len)428 tls_key_share_derive_x25519(struct tls_key_share *ks,
429 uint8_t **shared_key, size_t *shared_key_len)
430 {
431 uint8_t *sk = NULL;
432 int ret = 0;
433
434 if (ks->x25519_private == NULL || ks->x25519_peer_public == NULL)
435 goto err;
436
437 if ((sk = calloc(1, X25519_KEY_LENGTH)) == NULL)
438 goto err;
439 if (!X25519(sk, ks->x25519_private, ks->x25519_peer_public))
440 goto err;
441
442 *shared_key = sk;
443 *shared_key_len = X25519_KEY_LENGTH;
444 sk = NULL;
445
446 ret = 1;
447
448 err:
449 freezero(sk, X25519_KEY_LENGTH);
450
451 return ret;
452 }
453
454 int
tls_key_share_derive(struct tls_key_share * ks,uint8_t ** shared_key,size_t * shared_key_len)455 tls_key_share_derive(struct tls_key_share *ks, uint8_t **shared_key,
456 size_t *shared_key_len)
457 {
458 if (*shared_key != NULL)
459 return 0;
460
461 *shared_key_len = 0;
462
463 if (ks->nid == NID_dhKeyAgreement)
464 return tls_key_share_derive_dhe(ks, shared_key,
465 shared_key_len);
466
467 if (ks->nid == NID_X25519)
468 return tls_key_share_derive_x25519(ks, shared_key,
469 shared_key_len);
470
471 return tls_key_share_derive_ecdhe_ecp(ks, shared_key,
472 shared_key_len);
473 }
474
475 int
tls_key_share_peer_security(const SSL * ssl,struct tls_key_share * ks)476 tls_key_share_peer_security(const SSL *ssl, struct tls_key_share *ks)
477 {
478 switch (ks->nid) {
479 case NID_dhKeyAgreement:
480 return ssl_security_dh(ssl, ks->dhe_peer);
481 default:
482 return 0;
483 }
484 }
485