1 /* $OpenBSD: tls_key_share.c,v 1.7 2022/07/02 16:00:12 tb Exp $ */ 2 /* 3 * Copyright (c) 2020, 2021 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include <stdlib.h> 19 20 #include <openssl/curve25519.h> 21 #include <openssl/dh.h> 22 #include <openssl/ec.h> 23 #include <openssl/evp.h> 24 25 #include "bytestring.h" 26 #include "ssl_locl.h" 27 #include "tls_internal.h" 28 29 struct tls_key_share { 30 int nid; 31 uint16_t group_id; 32 size_t key_bits; 33 34 DH *dhe; 35 DH *dhe_peer; 36 37 EC_KEY *ecdhe; 38 EC_KEY *ecdhe_peer; 39 40 uint8_t *x25519_public; 41 uint8_t *x25519_private; 42 uint8_t *x25519_peer_public; 43 }; 44 45 static struct tls_key_share * 46 tls_key_share_new_internal(int nid, uint16_t group_id) 47 { 48 struct tls_key_share *ks; 49 50 if ((ks = calloc(1, sizeof(struct tls_key_share))) == NULL) 51 return NULL; 52 53 ks->group_id = group_id; 54 ks->nid = nid; 55 56 return ks; 57 } 58 59 struct tls_key_share * 60 tls_key_share_new(uint16_t group_id) 61 { 62 int nid; 63 64 if (!tls1_ec_group_id2nid(group_id, &nid)) 65 return NULL; 66 67 return tls_key_share_new_internal(nid, group_id); 68 } 69 70 struct tls_key_share * 71 tls_key_share_new_nid(int nid) 72 { 73 uint16_t group_id = 0; 74 75 if (nid != NID_dhKeyAgreement) { 76 if (!tls1_ec_nid2group_id(nid, &group_id)) 77 return NULL; 78 } 79 80 return tls_key_share_new_internal(nid, group_id); 81 } 82 83 void 84 tls_key_share_free(struct tls_key_share *ks) 85 { 86 if (ks == NULL) 87 return; 88 89 DH_free(ks->dhe); 90 DH_free(ks->dhe_peer); 91 92 EC_KEY_free(ks->ecdhe); 93 EC_KEY_free(ks->ecdhe_peer); 94 95 freezero(ks->x25519_public, X25519_KEY_LENGTH); 96 freezero(ks->x25519_private, X25519_KEY_LENGTH); 97 freezero(ks->x25519_peer_public, X25519_KEY_LENGTH); 98 99 freezero(ks, sizeof(*ks)); 100 } 101 102 uint16_t 103 tls_key_share_group(struct tls_key_share *ks) 104 { 105 return ks->group_id; 106 } 107 108 int 109 tls_key_share_nid(struct tls_key_share *ks) 110 { 111 return ks->nid; 112 } 113 114 void 115 tls_key_share_set_key_bits(struct tls_key_share *ks, size_t key_bits) 116 { 117 ks->key_bits = key_bits; 118 } 119 120 int 121 tls_key_share_set_dh_params(struct tls_key_share *ks, DH *dh_params) 122 { 123 if (ks->nid != NID_dhKeyAgreement) 124 return 0; 125 if (ks->dhe != NULL || ks->dhe_peer != NULL) 126 return 0; 127 128 if ((ks->dhe = DHparams_dup(dh_params)) == NULL) 129 return 0; 130 if ((ks->dhe_peer = DHparams_dup(dh_params)) == NULL) 131 return 0; 132 133 return 1; 134 } 135 136 int 137 tls_key_share_peer_pkey(struct tls_key_share *ks, EVP_PKEY *pkey) 138 { 139 if (ks->nid == NID_dhKeyAgreement && ks->dhe_peer != NULL) 140 return EVP_PKEY_set1_DH(pkey, ks->dhe_peer); 141 142 if (ks->nid == NID_X25519 && ks->x25519_peer_public != NULL) 143 return ssl_kex_dummy_ecdhe_x25519(pkey); 144 145 if (ks->ecdhe_peer != NULL) 146 return EVP_PKEY_set1_EC_KEY(pkey, ks->ecdhe_peer); 147 148 return 0; 149 } 150 151 static int 152 tls_key_share_generate_dhe(struct tls_key_share *ks) 153 { 154 /* 155 * If auto params are not being used then we must already have DH 156 * parameters set. 157 */ 158 if (ks->key_bits == 0) { 159 if (ks->dhe == NULL) 160 return 0; 161 162 return ssl_kex_generate_dhe(ks->dhe, ks->dhe); 163 } 164 165 if (ks->dhe != NULL || ks->dhe_peer != NULL) 166 return 0; 167 168 if ((ks->dhe = DH_new()) == NULL) 169 return 0; 170 if (!ssl_kex_generate_dhe_params_auto(ks->dhe, ks->key_bits)) 171 return 0; 172 if ((ks->dhe_peer = DHparams_dup(ks->dhe)) == NULL) 173 return 0; 174 175 return 1; 176 } 177 178 static int 179 tls_key_share_generate_ecdhe_ecp(struct tls_key_share *ks) 180 { 181 EC_KEY *ecdhe = NULL; 182 int ret = 0; 183 184 if (ks->ecdhe != NULL) 185 goto err; 186 187 if ((ecdhe = EC_KEY_new()) == NULL) 188 goto err; 189 if (!ssl_kex_generate_ecdhe_ecp(ecdhe, ks->nid)) 190 goto err; 191 192 ks->ecdhe = ecdhe; 193 ecdhe = NULL; 194 195 ret = 1; 196 197 err: 198 EC_KEY_free(ecdhe); 199 200 return ret; 201 } 202 203 static int 204 tls_key_share_generate_x25519(struct tls_key_share *ks) 205 { 206 uint8_t *public = NULL, *private = NULL; 207 int ret = 0; 208 209 if (ks->x25519_public != NULL || ks->x25519_private != NULL) 210 goto err; 211 212 if ((public = calloc(1, X25519_KEY_LENGTH)) == NULL) 213 goto err; 214 if ((private = calloc(1, X25519_KEY_LENGTH)) == NULL) 215 goto err; 216 217 X25519_keypair(public, private); 218 219 ks->x25519_public = public; 220 ks->x25519_private = private; 221 public = NULL; 222 private = NULL; 223 224 ret = 1; 225 226 err: 227 freezero(public, X25519_KEY_LENGTH); 228 freezero(private, X25519_KEY_LENGTH); 229 230 return ret; 231 } 232 233 int 234 tls_key_share_generate(struct tls_key_share *ks) 235 { 236 if (ks->nid == NID_dhKeyAgreement) 237 return tls_key_share_generate_dhe(ks); 238 239 if (ks->nid == NID_X25519) 240 return tls_key_share_generate_x25519(ks); 241 242 return tls_key_share_generate_ecdhe_ecp(ks); 243 } 244 245 static int 246 tls_key_share_params_dhe(struct tls_key_share *ks, CBB *cbb) 247 { 248 if (ks->dhe == NULL) 249 return 0; 250 251 return ssl_kex_params_dhe(ks->dhe, cbb); 252 } 253 254 int 255 tls_key_share_params(struct tls_key_share *ks, CBB *cbb) 256 { 257 if (ks->nid == NID_dhKeyAgreement) 258 return tls_key_share_params_dhe(ks, cbb); 259 260 return 0; 261 } 262 263 static int 264 tls_key_share_public_dhe(struct tls_key_share *ks, CBB *cbb) 265 { 266 if (ks->dhe == NULL) 267 return 0; 268 269 return ssl_kex_public_dhe(ks->dhe, cbb); 270 } 271 272 static int 273 tls_key_share_public_ecdhe_ecp(struct tls_key_share *ks, CBB *cbb) 274 { 275 if (ks->ecdhe == NULL) 276 return 0; 277 278 return ssl_kex_public_ecdhe_ecp(ks->ecdhe, cbb); 279 } 280 281 static int 282 tls_key_share_public_x25519(struct tls_key_share *ks, CBB *cbb) 283 { 284 if (ks->x25519_public == NULL) 285 return 0; 286 287 return CBB_add_bytes(cbb, ks->x25519_public, X25519_KEY_LENGTH); 288 } 289 290 int 291 tls_key_share_public(struct tls_key_share *ks, CBB *cbb) 292 { 293 if (ks->nid == NID_dhKeyAgreement) 294 return tls_key_share_public_dhe(ks, cbb); 295 296 if (ks->nid == NID_X25519) 297 return tls_key_share_public_x25519(ks, cbb); 298 299 return tls_key_share_public_ecdhe_ecp(ks, cbb); 300 } 301 302 static int 303 tls_key_share_peer_params_dhe(struct tls_key_share *ks, CBS *cbs, 304 int *decode_error, int *invalid_params) 305 { 306 if (ks->dhe != NULL || ks->dhe_peer != NULL) 307 return 0; 308 309 if ((ks->dhe_peer = DH_new()) == NULL) 310 return 0; 311 if (!ssl_kex_peer_params_dhe(ks->dhe_peer, cbs, decode_error, 312 invalid_params)) 313 return 0; 314 if ((ks->dhe = DHparams_dup(ks->dhe_peer)) == NULL) 315 return 0; 316 317 return 1; 318 } 319 320 int 321 tls_key_share_peer_params(struct tls_key_share *ks, CBS *cbs, 322 int *decode_error, int *invalid_params) 323 { 324 if (ks->nid != NID_dhKeyAgreement) 325 return 0; 326 327 return tls_key_share_peer_params_dhe(ks, cbs, decode_error, 328 invalid_params); 329 } 330 331 static int 332 tls_key_share_peer_public_dhe(struct tls_key_share *ks, CBS *cbs, 333 int *decode_error, int *invalid_key) 334 { 335 if (ks->dhe_peer == NULL) 336 return 0; 337 338 return ssl_kex_peer_public_dhe(ks->dhe_peer, cbs, decode_error, 339 invalid_key); 340 } 341 342 static int 343 tls_key_share_peer_public_ecdhe_ecp(struct tls_key_share *ks, CBS *cbs) 344 { 345 EC_KEY *ecdhe = NULL; 346 int ret = 0; 347 348 if (ks->ecdhe_peer != NULL) 349 goto err; 350 351 if ((ecdhe = EC_KEY_new()) == NULL) 352 goto err; 353 if (!ssl_kex_peer_public_ecdhe_ecp(ecdhe, ks->nid, cbs)) 354 goto err; 355 356 ks->ecdhe_peer = ecdhe; 357 ecdhe = NULL; 358 359 ret = 1; 360 361 err: 362 EC_KEY_free(ecdhe); 363 364 return ret; 365 } 366 367 static int 368 tls_key_share_peer_public_x25519(struct tls_key_share *ks, CBS *cbs, 369 int *decode_error) 370 { 371 size_t out_len; 372 373 *decode_error = 0; 374 375 if (ks->x25519_peer_public != NULL) 376 return 0; 377 378 if (CBS_len(cbs) != X25519_KEY_LENGTH) { 379 *decode_error = 1; 380 return 0; 381 } 382 383 return CBS_stow(cbs, &ks->x25519_peer_public, &out_len); 384 } 385 386 int 387 tls_key_share_peer_public(struct tls_key_share *ks, CBS *cbs, int *decode_error, 388 int *invalid_key) 389 { 390 *decode_error = 0; 391 392 if (invalid_key != NULL) 393 *invalid_key = 0; 394 395 if (ks->nid == NID_dhKeyAgreement) 396 return tls_key_share_peer_public_dhe(ks, cbs, decode_error, 397 invalid_key); 398 399 if (ks->nid == NID_X25519) 400 return tls_key_share_peer_public_x25519(ks, cbs, decode_error); 401 402 return tls_key_share_peer_public_ecdhe_ecp(ks, cbs); 403 } 404 405 static int 406 tls_key_share_derive_dhe(struct tls_key_share *ks, 407 uint8_t **shared_key, size_t *shared_key_len) 408 { 409 if (ks->dhe == NULL || ks->dhe_peer == NULL) 410 return 0; 411 412 return ssl_kex_derive_dhe(ks->dhe, ks->dhe_peer, shared_key, 413 shared_key_len); 414 } 415 416 static int 417 tls_key_share_derive_ecdhe_ecp(struct tls_key_share *ks, 418 uint8_t **shared_key, size_t *shared_key_len) 419 { 420 if (ks->ecdhe == NULL || ks->ecdhe_peer == NULL) 421 return 0; 422 423 return ssl_kex_derive_ecdhe_ecp(ks->ecdhe, ks->ecdhe_peer, 424 shared_key, shared_key_len); 425 } 426 427 static int 428 tls_key_share_derive_x25519(struct tls_key_share *ks, 429 uint8_t **shared_key, size_t *shared_key_len) 430 { 431 uint8_t *sk = NULL; 432 int ret = 0; 433 434 if (ks->x25519_private == NULL || ks->x25519_peer_public == NULL) 435 goto err; 436 437 if ((sk = calloc(1, X25519_KEY_LENGTH)) == NULL) 438 goto err; 439 if (!X25519(sk, ks->x25519_private, ks->x25519_peer_public)) 440 goto err; 441 442 *shared_key = sk; 443 *shared_key_len = X25519_KEY_LENGTH; 444 sk = NULL; 445 446 ret = 1; 447 448 err: 449 freezero(sk, X25519_KEY_LENGTH); 450 451 return ret; 452 } 453 454 int 455 tls_key_share_derive(struct tls_key_share *ks, uint8_t **shared_key, 456 size_t *shared_key_len) 457 { 458 if (*shared_key != NULL) 459 return 0; 460 461 *shared_key_len = 0; 462 463 if (ks->nid == NID_dhKeyAgreement) 464 return tls_key_share_derive_dhe(ks, shared_key, 465 shared_key_len); 466 467 if (ks->nid == NID_X25519) 468 return tls_key_share_derive_x25519(ks, shared_key, 469 shared_key_len); 470 471 return tls_key_share_derive_ecdhe_ecp(ks, shared_key, 472 shared_key_len); 473 } 474 475 int 476 tls_key_share_peer_security(const SSL *ssl, struct tls_key_share *ks) 477 { 478 switch (ks->nid) { 479 case NID_dhKeyAgreement: 480 return ssl_security_dh(ssl, ks->dhe_peer); 481 default: 482 return 0; 483 } 484 } 485