kris
/
boringssl
1
0
Derivar 0
Código Questões 0 Pedidos de integração 0 Lançamentos 0 Wiki Trabalho
Não pode escolher mais do que 25 tópicos Os tópicos devem começar com uma letra ou um número, podem incluir traços ('-') e podem ter até 35 caracteres.
3469 Cometimentos
12 Ramos
38 MiB
Árvore: 4008c7a80d
Ramos Etiquetas
${ item.name }
Criar ramo ${ searchTerm }
de '4008c7a80d'
${ noResults }
boringssl/ssl/ssl_ecdh.c

ssl_ecdh.c 17 KiB
Em bruto Vista normal Histórico

Implement draft-ietf-tls-curve25519-01 in C. The new curve is not enabled by default. As EC_GROUP/EC_POINT is a bit too complex for X25519, this introduces an SSL_ECDH_METHOD abstraction which wraps just the raw ECDH operation. It also tidies up some of the curve code which kept converting back and force between NIDs and curve IDs. Now everything transits as curve IDs except for API entry points (SSL_set1_curves) which take NIDs. Those convert immediately and act on curve IDs from then on. Note that, like the Go implementation, this slightly tweaks the order of operations. The client sees the server public key before sending its own. To keep the abstraction simple, SSL_ECDH_METHOD expects to generate a keypair before consuming the peer's public key. Instead, the client handshake stashes the serialized peer public value and defers parsing it until it comes time to send ClientKeyExchange. (This is analogous to what it was doing before where it stashed the parsed peer public value instead.) It still uses TLS 1.2 terminology everywhere, but this abstraction should also be compatible with TLS 1.3 which unifies (EC)DH-style key exchanges. (Accordingly, this abstraction intentionally does not handle parsing the ClientKeyExchange/ServerKeyExchange framing or attempt to handle asynchronous plain RSA or the authentication bits.) BUG=571231 Change-Id: Iba09dddee5bcdfeb2b70185308e8ab0632717932 Reviewed-on: https://boringssl-review.googlesource.com/6780 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Elliptic curve + post-quantum key exchange CECPQ1 is a new key exchange that concatenates the results of an X25519 key agreement and a NEWHOPE key agreement. Change-Id: Ib919bdc2e1f30f28bf80c4c18f6558017ea386bb Reviewed-on: https://boringssl-review.googlesource.com/7962 Reviewed-by: David Benjamin <davidben@google.com>
há 8 anos
Remove some easy obj.h dependencies. A lot of consumers of obj.h only want the NID values. Others didn't need it at all. This also removes some OBJ_nid2sn and OBJ_nid2ln calls in EVP error paths which isn't worth pulling a large table in for. BUG=chromium:499653 Change-Id: Id6dff578f993012e35b740a13b8e4f9c2edc0744 Reviewed-on: https://boringssl-review.googlesource.com/7563 Reviewed-by: David Benjamin <davidben@google.com>
há 8 anos
Implement draft-ietf-tls-curve25519-01 in C. The new curve is not enabled by default. As EC_GROUP/EC_POINT is a bit too complex for X25519, this introduces an SSL_ECDH_METHOD abstraction which wraps just the raw ECDH operation. It also tidies up some of the curve code which kept converting back and force between NIDs and curve IDs. Now everything transits as curve IDs except for API entry points (SSL_set1_curves) which take NIDs. Those convert immediately and act on curve IDs from then on. Note that, like the Go implementation, this slightly tweaks the order of operations. The client sees the server public key before sending its own. To keep the abstraction simple, SSL_ECDH_METHOD expects to generate a keypair before consuming the peer's public key. Instead, the client handshake stashes the serialized peer public value and defers parsing it until it comes time to send ClientKeyExchange. (This is analogous to what it was doing before where it stashed the parsed peer public value instead.) It still uses TLS 1.2 terminology everywhere, but this abstraction should also be compatible with TLS 1.3 which unifies (EC)DH-style key exchanges. (Accordingly, this abstraction intentionally does not handle parsing the ClientKeyExchange/ServerKeyExchange framing or attempt to handle asynchronous plain RSA or the authentication bits.) BUG=571231 Change-Id: Iba09dddee5bcdfeb2b70185308e8ab0632717932 Reviewed-on: https://boringssl-review.googlesource.com/6780 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Adding ARRAY_SIZE macro for getting the size of constant arrays. Change-Id: Ie60744761f5aa434a71a998f5ca98a8f8b1c25d5 Reviewed-on: https://boringssl-review.googlesource.com/10447 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
há 8 anos
Implement draft-ietf-tls-curve25519-01 in C. The new curve is not enabled by default. As EC_GROUP/EC_POINT is a bit too complex for X25519, this introduces an SSL_ECDH_METHOD abstraction which wraps just the raw ECDH operation. It also tidies up some of the curve code which kept converting back and force between NIDs and curve IDs. Now everything transits as curve IDs except for API entry points (SSL_set1_curves) which take NIDs. Those convert immediately and act on curve IDs from then on. Note that, like the Go implementation, this slightly tweaks the order of operations. The client sees the server public key before sending its own. To keep the abstraction simple, SSL_ECDH_METHOD expects to generate a keypair before consuming the peer's public key. Instead, the client handshake stashes the serialized peer public value and defers parsing it until it comes time to send ClientKeyExchange. (This is analogous to what it was doing before where it stashed the parsed peer public value instead.) It still uses TLS 1.2 terminology everywhere, but this abstraction should also be compatible with TLS 1.3 which unifies (EC)DH-style key exchanges. (Accordingly, this abstraction intentionally does not handle parsing the ClientKeyExchange/ServerKeyExchange framing or attempt to handle asynchronous plain RSA or the authentication bits.) BUG=571231 Change-Id: Iba09dddee5bcdfeb2b70185308e8ab0632717932 Reviewed-on: https://boringssl-review.googlesource.com/6780 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Refactor ECDH key exchange to make it asymmetrical Previously, SSL_ECDH_METHOD consisted of two methods: one to produce a public key to be sent to the peer, and another to produce the shared key upon receipt of the peer's message. This API does not work for NEWHOPE, because the client-to-server message cannot be produced until the server's message has been received by the client. Solve this by introducing a new method which consumes data from the server key exchange message and produces data for the client key exchange message. Change-Id: I1ed5a2bf198ca2d2ddb6d577888c1fa2008ef99a Reviewed-on: https://boringssl-review.googlesource.com/7961 Reviewed-by: David Benjamin <davidben@google.com>
há 8 anos
Implement draft-ietf-tls-curve25519-01 in C. The new curve is not enabled by default. As EC_GROUP/EC_POINT is a bit too complex for X25519, this introduces an SSL_ECDH_METHOD abstraction which wraps just the raw ECDH operation. It also tidies up some of the curve code which kept converting back and force between NIDs and curve IDs. Now everything transits as curve IDs except for API entry points (SSL_set1_curves) which take NIDs. Those convert immediately and act on curve IDs from then on. Note that, like the Go implementation, this slightly tweaks the order of operations. The client sees the server public key before sending its own. To keep the abstraction simple, SSL_ECDH_METHOD expects to generate a keypair before consuming the peer's public key. Instead, the client handshake stashes the serialized peer public value and defers parsing it until it comes time to send ClientKeyExchange. (This is analogous to what it was doing before where it stashed the parsed peer public value instead.) It still uses TLS 1.2 terminology everywhere, but this abstraction should also be compatible with TLS 1.3 which unifies (EC)DH-style key exchanges. (Accordingly, this abstraction intentionally does not handle parsing the ClientKeyExchange/ServerKeyExchange framing or attempt to handle asynchronous plain RSA or the authentication bits.) BUG=571231 Change-Id: Iba09dddee5bcdfeb2b70185308e8ab0632717932 Reviewed-on: https://boringssl-review.googlesource.com/6780 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Add BN_rand_range_ex and use internally. There are many cases where we need |BN_rand_range| but with a minimum value other than 0. |BN_rand_range_ex| provides that. Change-Id: I564326c9206bf4e20a37414bdbce16a951c148ce Reviewed-on: https://boringssl-review.googlesource.com/8921 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
há 8 anos
Implement draft-ietf-tls-curve25519-01 in C. The new curve is not enabled by default. As EC_GROUP/EC_POINT is a bit too complex for X25519, this introduces an SSL_ECDH_METHOD abstraction which wraps just the raw ECDH operation. It also tidies up some of the curve code which kept converting back and force between NIDs and curve IDs. Now everything transits as curve IDs except for API entry points (SSL_set1_curves) which take NIDs. Those convert immediately and act on curve IDs from then on. Note that, like the Go implementation, this slightly tweaks the order of operations. The client sees the server public key before sending its own. To keep the abstraction simple, SSL_ECDH_METHOD expects to generate a keypair before consuming the peer's public key. Instead, the client handshake stashes the serialized peer public value and defers parsing it until it comes time to send ClientKeyExchange. (This is analogous to what it was doing before where it stashed the parsed peer public value instead.) It still uses TLS 1.2 terminology everywhere, but this abstraction should also be compatible with TLS 1.3 which unifies (EC)DH-style key exchanges. (Accordingly, this abstraction intentionally does not handle parsing the ClientKeyExchange/ServerKeyExchange framing or attempt to handle asynchronous plain RSA or the authentication bits.) BUG=571231 Change-Id: Iba09dddee5bcdfeb2b70185308e8ab0632717932 Reviewed-on: https://boringssl-review.googlesource.com/6780 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Add EC_POINT_point2cbb. This slightly simplifies the SSL_ECDH code and will be useful later on in reimplementing the key parsing logic. Change-Id: Ie41ea5fd3a9a734b3879b715fbf57bd991e23799 Reviewed-on: https://boringssl-review.googlesource.com/6858 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Implement draft-ietf-tls-curve25519-01 in C. The new curve is not enabled by default. As EC_GROUP/EC_POINT is a bit too complex for X25519, this introduces an SSL_ECDH_METHOD abstraction which wraps just the raw ECDH operation. It also tidies up some of the curve code which kept converting back and force between NIDs and curve IDs. Now everything transits as curve IDs except for API entry points (SSL_set1_curves) which take NIDs. Those convert immediately and act on curve IDs from then on. Note that, like the Go implementation, this slightly tweaks the order of operations. The client sees the server public key before sending its own. To keep the abstraction simple, SSL_ECDH_METHOD expects to generate a keypair before consuming the peer's public key. Instead, the client handshake stashes the serialized peer public value and defers parsing it until it comes time to send ClientKeyExchange. (This is analogous to what it was doing before where it stashed the parsed peer public value instead.) It still uses TLS 1.2 terminology everywhere, but this abstraction should also be compatible with TLS 1.3 which unifies (EC)DH-style key exchanges. (Accordingly, this abstraction intentionally does not handle parsing the ClientKeyExchange/ServerKeyExchange framing or attempt to handle asynchronous plain RSA or the authentication bits.) BUG=571231 Change-Id: Iba09dddee5bcdfeb2b70185308e8ab0632717932 Reviewed-on: https://boringssl-review.googlesource.com/6780 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Add EC_POINT_point2cbb. This slightly simplifies the SSL_ECDH code and will be useful later on in reimplementing the key parsing logic. Change-Id: Ie41ea5fd3a9a734b3879b715fbf57bd991e23799 Reviewed-on: https://boringssl-review.googlesource.com/6858 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Implement draft-ietf-tls-curve25519-01 in C. The new curve is not enabled by default. As EC_GROUP/EC_POINT is a bit too complex for X25519, this introduces an SSL_ECDH_METHOD abstraction which wraps just the raw ECDH operation. It also tidies up some of the curve code which kept converting back and force between NIDs and curve IDs. Now everything transits as curve IDs except for API entry points (SSL_set1_curves) which take NIDs. Those convert immediately and act on curve IDs from then on. Note that, like the Go implementation, this slightly tweaks the order of operations. The client sees the server public key before sending its own. To keep the abstraction simple, SSL_ECDH_METHOD expects to generate a keypair before consuming the peer's public key. Instead, the client handshake stashes the serialized peer public value and defers parsing it until it comes time to send ClientKeyExchange. (This is analogous to what it was doing before where it stashed the parsed peer public value instead.) It still uses TLS 1.2 terminology everywhere, but this abstraction should also be compatible with TLS 1.3 which unifies (EC)DH-style key exchanges. (Accordingly, this abstraction intentionally does not handle parsing the ClientKeyExchange/ServerKeyExchange framing or attempt to handle asynchronous plain RSA or the authentication bits.) BUG=571231 Change-Id: Iba09dddee5bcdfeb2b70185308e8ab0632717932 Reviewed-on: https://boringssl-review.googlesource.com/6780 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Refactor ECDH key exchange to make it asymmetrical Previously, SSL_ECDH_METHOD consisted of two methods: one to produce a public key to be sent to the peer, and another to produce the shared key upon receipt of the peer's message. This API does not work for NEWHOPE, because the client-to-server message cannot be produced until the server's message has been received by the client. Solve this by introducing a new method which consumes data from the server key exchange message and produces data for the client key exchange message. Change-Id: I1ed5a2bf198ca2d2ddb6d577888c1fa2008ef99a Reviewed-on: https://boringssl-review.googlesource.com/7961 Reviewed-by: David Benjamin <davidben@google.com>
há 8 anos
Implement draft-ietf-tls-curve25519-01 in C. The new curve is not enabled by default. As EC_GROUP/EC_POINT is a bit too complex for X25519, this introduces an SSL_ECDH_METHOD abstraction which wraps just the raw ECDH operation. It also tidies up some of the curve code which kept converting back and force between NIDs and curve IDs. Now everything transits as curve IDs except for API entry points (SSL_set1_curves) which take NIDs. Those convert immediately and act on curve IDs from then on. Note that, like the Go implementation, this slightly tweaks the order of operations. The client sees the server public key before sending its own. To keep the abstraction simple, SSL_ECDH_METHOD expects to generate a keypair before consuming the peer's public key. Instead, the client handshake stashes the serialized peer public value and defers parsing it until it comes time to send ClientKeyExchange. (This is analogous to what it was doing before where it stashed the parsed peer public value instead.) It still uses TLS 1.2 terminology everywhere, but this abstraction should also be compatible with TLS 1.3 which unifies (EC)DH-style key exchanges. (Accordingly, this abstraction intentionally does not handle parsing the ClientKeyExchange/ServerKeyExchange framing or attempt to handle asynchronous plain RSA or the authentication bits.) BUG=571231 Change-Id: Iba09dddee5bcdfeb2b70185308e8ab0632717932 Reviewed-on: https://boringssl-review.googlesource.com/6780 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Refactor ECDH key exchange to make it asymmetrical Previously, SSL_ECDH_METHOD consisted of two methods: one to produce a public key to be sent to the peer, and another to produce the shared key upon receipt of the peer's message. This API does not work for NEWHOPE, because the client-to-server message cannot be produced until the server's message has been received by the client. Solve this by introducing a new method which consumes data from the server key exchange message and produces data for the client key exchange message. Change-Id: I1ed5a2bf198ca2d2ddb6d577888c1fa2008ef99a Reviewed-on: https://boringssl-review.googlesource.com/7961 Reviewed-by: David Benjamin <davidben@google.com>
há 8 anos
Implement draft-ietf-tls-curve25519-01 in C. The new curve is not enabled by default. As EC_GROUP/EC_POINT is a bit too complex for X25519, this introduces an SSL_ECDH_METHOD abstraction which wraps just the raw ECDH operation. It also tidies up some of the curve code which kept converting back and force between NIDs and curve IDs. Now everything transits as curve IDs except for API entry points (SSL_set1_curves) which take NIDs. Those convert immediately and act on curve IDs from then on. Note that, like the Go implementation, this slightly tweaks the order of operations. The client sees the server public key before sending its own. To keep the abstraction simple, SSL_ECDH_METHOD expects to generate a keypair before consuming the peer's public key. Instead, the client handshake stashes the serialized peer public value and defers parsing it until it comes time to send ClientKeyExchange. (This is analogous to what it was doing before where it stashed the parsed peer public value instead.) It still uses TLS 1.2 terminology everywhere, but this abstraction should also be compatible with TLS 1.3 which unifies (EC)DH-style key exchanges. (Accordingly, this abstraction intentionally does not handle parsing the ClientKeyExchange/ServerKeyExchange framing or attempt to handle asynchronous plain RSA or the authentication bits.) BUG=571231 Change-Id: Iba09dddee5bcdfeb2b70185308e8ab0632717932 Reviewed-on: https://boringssl-review.googlesource.com/6780 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Refactor ECDH key exchange to make it asymmetrical Previously, SSL_ECDH_METHOD consisted of two methods: one to produce a public key to be sent to the peer, and another to produce the shared key upon receipt of the peer's message. This API does not work for NEWHOPE, because the client-to-server message cannot be produced until the server's message has been received by the client. Solve this by introducing a new method which consumes data from the server key exchange message and produces data for the client key exchange message. Change-Id: I1ed5a2bf198ca2d2ddb6d577888c1fa2008ef99a Reviewed-on: https://boringssl-review.googlesource.com/7961 Reviewed-by: David Benjamin <davidben@google.com>
há 8 anos
Implement draft-ietf-tls-curve25519-01 in C. The new curve is not enabled by default. As EC_GROUP/EC_POINT is a bit too complex for X25519, this introduces an SSL_ECDH_METHOD abstraction which wraps just the raw ECDH operation. It also tidies up some of the curve code which kept converting back and force between NIDs and curve IDs. Now everything transits as curve IDs except for API entry points (SSL_set1_curves) which take NIDs. Those convert immediately and act on curve IDs from then on. Note that, like the Go implementation, this slightly tweaks the order of operations. The client sees the server public key before sending its own. To keep the abstraction simple, SSL_ECDH_METHOD expects to generate a keypair before consuming the peer's public key. Instead, the client handshake stashes the serialized peer public value and defers parsing it until it comes time to send ClientKeyExchange. (This is analogous to what it was doing before where it stashed the parsed peer public value instead.) It still uses TLS 1.2 terminology everywhere, but this abstraction should also be compatible with TLS 1.3 which unifies (EC)DH-style key exchanges. (Accordingly, this abstraction intentionally does not handle parsing the ClientKeyExchange/ServerKeyExchange framing or attempt to handle asynchronous plain RSA or the authentication bits.) BUG=571231 Change-Id: Iba09dddee5bcdfeb2b70185308e8ab0632717932 Reviewed-on: https://boringssl-review.googlesource.com/6780 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Refactor ECDH key exchange to make it asymmetrical Previously, SSL_ECDH_METHOD consisted of two methods: one to produce a public key to be sent to the peer, and another to produce the shared key upon receipt of the peer's message. This API does not work for NEWHOPE, because the client-to-server message cannot be produced until the server's message has been received by the client. Solve this by introducing a new method which consumes data from the server key exchange message and produces data for the client key exchange message. Change-Id: I1ed5a2bf198ca2d2ddb6d577888c1fa2008ef99a Reviewed-on: https://boringssl-review.googlesource.com/7961 Reviewed-by: David Benjamin <davidben@google.com>
há 8 anos
Implement draft-ietf-tls-curve25519-01 in C. The new curve is not enabled by default. As EC_GROUP/EC_POINT is a bit too complex for X25519, this introduces an SSL_ECDH_METHOD abstraction which wraps just the raw ECDH operation. It also tidies up some of the curve code which kept converting back and force between NIDs and curve IDs. Now everything transits as curve IDs except for API entry points (SSL_set1_curves) which take NIDs. Those convert immediately and act on curve IDs from then on. Note that, like the Go implementation, this slightly tweaks the order of operations. The client sees the server public key before sending its own. To keep the abstraction simple, SSL_ECDH_METHOD expects to generate a keypair before consuming the peer's public key. Instead, the client handshake stashes the serialized peer public value and defers parsing it until it comes time to send ClientKeyExchange. (This is analogous to what it was doing before where it stashed the parsed peer public value instead.) It still uses TLS 1.2 terminology everywhere, but this abstraction should also be compatible with TLS 1.3 which unifies (EC)DH-style key exchanges. (Accordingly, this abstraction intentionally does not handle parsing the ClientKeyExchange/ServerKeyExchange framing or attempt to handle asynchronous plain RSA or the authentication bits.) BUG=571231 Change-Id: Iba09dddee5bcdfeb2b70185308e8ab0632717932 Reviewed-on: https://boringssl-review.googlesource.com/6780 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Refactor ECDH key exchange to make it asymmetrical Previously, SSL_ECDH_METHOD consisted of two methods: one to produce a public key to be sent to the peer, and another to produce the shared key upon receipt of the peer's message. This API does not work for NEWHOPE, because the client-to-server message cannot be produced until the server's message has been received by the client. Solve this by introducing a new method which consumes data from the server key exchange message and produces data for the client key exchange message. Change-Id: I1ed5a2bf198ca2d2ddb6d577888c1fa2008ef99a Reviewed-on: https://boringssl-review.googlesource.com/7961 Reviewed-by: David Benjamin <davidben@google.com>
há 8 anos
Implement draft-ietf-tls-curve25519-01 in C. The new curve is not enabled by default. As EC_GROUP/EC_POINT is a bit too complex for X25519, this introduces an SSL_ECDH_METHOD abstraction which wraps just the raw ECDH operation. It also tidies up some of the curve code which kept converting back and force between NIDs and curve IDs. Now everything transits as curve IDs except for API entry points (SSL_set1_curves) which take NIDs. Those convert immediately and act on curve IDs from then on. Note that, like the Go implementation, this slightly tweaks the order of operations. The client sees the server public key before sending its own. To keep the abstraction simple, SSL_ECDH_METHOD expects to generate a keypair before consuming the peer's public key. Instead, the client handshake stashes the serialized peer public value and defers parsing it until it comes time to send ClientKeyExchange. (This is analogous to what it was doing before where it stashed the parsed peer public value instead.) It still uses TLS 1.2 terminology everywhere, but this abstraction should also be compatible with TLS 1.3 which unifies (EC)DH-style key exchanges. (Accordingly, this abstraction intentionally does not handle parsing the ClientKeyExchange/ServerKeyExchange framing or attempt to handle asynchronous plain RSA or the authentication bits.) BUG=571231 Change-Id: Iba09dddee5bcdfeb2b70185308e8ab0632717932 Reviewed-on: https://boringssl-review.googlesource.com/6780 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Elliptic curve + post-quantum key exchange CECPQ1 is a new key exchange that concatenates the results of an X25519 key agreement and a NEWHOPE key agreement. Change-Id: Ib919bdc2e1f30f28bf80c4c18f6558017ea386bb Reviewed-on: https://boringssl-review.googlesource.com/7962 Reviewed-by: David Benjamin <davidben@google.com>
há 8 anos
Route DHE through the SSL_ECDH abstraction as well. This unifies the ClientKeyExchange code rather nicely. ServerKeyExchange is still pretty specialized. For simplicity, I've extended the yaSSL bug workaround for clients as well as servers rather than route in a boolean. Chrome's already banished DHE to a fallback with intention to remove altogether later, and the spec doesn't say anything useful about ClientDiffieHellmanPublic encoding, so this is unlikely to cause problems. Change-Id: I0355cd1fd0fab5729e8812e4427dd689124f53a2 Reviewed-on: https://boringssl-review.googlesource.com/6784 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Refactor ECDH key exchange to make it asymmetrical Previously, SSL_ECDH_METHOD consisted of two methods: one to produce a public key to be sent to the peer, and another to produce the shared key upon receipt of the peer's message. This API does not work for NEWHOPE, because the client-to-server message cannot be produced until the server's message has been received by the client. Solve this by introducing a new method which consumes data from the server key exchange message and produces data for the client key exchange message. Change-Id: I1ed5a2bf198ca2d2ddb6d577888c1fa2008ef99a Reviewed-on: https://boringssl-review.googlesource.com/7961 Reviewed-by: David Benjamin <davidben@google.com>
há 8 anos
Route DHE through the SSL_ECDH abstraction as well. This unifies the ClientKeyExchange code rather nicely. ServerKeyExchange is still pretty specialized. For simplicity, I've extended the yaSSL bug workaround for clients as well as servers rather than route in a boolean. Chrome's already banished DHE to a fallback with intention to remove altogether later, and the spec doesn't say anything useful about ClientDiffieHellmanPublic encoding, so this is unlikely to cause problems. Change-Id: I0355cd1fd0fab5729e8812e4427dd689124f53a2 Reviewed-on: https://boringssl-review.googlesource.com/6784 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Refactor ECDH key exchange to make it asymmetrical Previously, SSL_ECDH_METHOD consisted of two methods: one to produce a public key to be sent to the peer, and another to produce the shared key upon receipt of the peer's message. This API does not work for NEWHOPE, because the client-to-server message cannot be produced until the server's message has been received by the client. Solve this by introducing a new method which consumes data from the server key exchange message and produces data for the client key exchange message. Change-Id: I1ed5a2bf198ca2d2ddb6d577888c1fa2008ef99a Reviewed-on: https://boringssl-review.googlesource.com/7961 Reviewed-by: David Benjamin <davidben@google.com>
há 8 anos
Route DHE through the SSL_ECDH abstraction as well. This unifies the ClientKeyExchange code rather nicely. ServerKeyExchange is still pretty specialized. For simplicity, I've extended the yaSSL bug workaround for clients as well as servers rather than route in a boolean. Chrome's already banished DHE to a fallback with intention to remove altogether later, and the spec doesn't say anything useful about ClientDiffieHellmanPublic encoding, so this is unlikely to cause problems. Change-Id: I0355cd1fd0fab5729e8812e4427dd689124f53a2 Reviewed-on: https://boringssl-review.googlesource.com/6784 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Refactor ECDH key exchange to make it asymmetrical Previously, SSL_ECDH_METHOD consisted of two methods: one to produce a public key to be sent to the peer, and another to produce the shared key upon receipt of the peer's message. This API does not work for NEWHOPE, because the client-to-server message cannot be produced until the server's message has been received by the client. Solve this by introducing a new method which consumes data from the server key exchange message and produces data for the client key exchange message. Change-Id: I1ed5a2bf198ca2d2ddb6d577888c1fa2008ef99a Reviewed-on: https://boringssl-review.googlesource.com/7961 Reviewed-by: David Benjamin <davidben@google.com>
há 8 anos
Route DHE through the SSL_ECDH abstraction as well. This unifies the ClientKeyExchange code rather nicely. ServerKeyExchange is still pretty specialized. For simplicity, I've extended the yaSSL bug workaround for clients as well as servers rather than route in a boolean. Chrome's already banished DHE to a fallback with intention to remove altogether later, and the spec doesn't say anything useful about ClientDiffieHellmanPublic encoding, so this is unlikely to cause problems. Change-Id: I0355cd1fd0fab5729e8812e4427dd689124f53a2 Reviewed-on: https://boringssl-review.googlesource.com/6784 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Refactor ECDH key exchange to make it asymmetrical Previously, SSL_ECDH_METHOD consisted of two methods: one to produce a public key to be sent to the peer, and another to produce the shared key upon receipt of the peer's message. This API does not work for NEWHOPE, because the client-to-server message cannot be produced until the server's message has been received by the client. Solve this by introducing a new method which consumes data from the server key exchange message and produces data for the client key exchange message. Change-Id: I1ed5a2bf198ca2d2ddb6d577888c1fa2008ef99a Reviewed-on: https://boringssl-review.googlesource.com/7961 Reviewed-by: David Benjamin <davidben@google.com>
há 8 anos
Elliptic curve + post-quantum key exchange CECPQ1 is a new key exchange that concatenates the results of an X25519 key agreement and a NEWHOPE key agreement. Change-Id: Ib919bdc2e1f30f28bf80c4c18f6558017ea386bb Reviewed-on: https://boringssl-review.googlesource.com/7962 Reviewed-by: David Benjamin <davidben@google.com>
há 8 anos
Route DHE through the SSL_ECDH abstraction as well. This unifies the ClientKeyExchange code rather nicely. ServerKeyExchange is still pretty specialized. For simplicity, I've extended the yaSSL bug workaround for clients as well as servers rather than route in a boolean. Chrome's already banished DHE to a fallback with intention to remove altogether later, and the spec doesn't say anything useful about ClientDiffieHellmanPublic encoding, so this is unlikely to cause problems. Change-Id: I0355cd1fd0fab5729e8812e4427dd689124f53a2 Reviewed-on: https://boringssl-review.googlesource.com/6784 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Don't allocate a group/curve ID for CECPQ1. We ended up switching this from a curve to a cipher suite, so the group ID isn't used. This is in preparation for adding an API for the curve ID, at which point leaving the protocol constants undefined seems somewhat bad manners. Change-Id: Icb8bf4594879dbbc24177551868ecfe89bc2f8c3 Reviewed-on: https://boringssl-review.googlesource.com/8563 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Implement draft-ietf-tls-curve25519-01 in C. The new curve is not enabled by default. As EC_GROUP/EC_POINT is a bit too complex for X25519, this introduces an SSL_ECDH_METHOD abstraction which wraps just the raw ECDH operation. It also tidies up some of the curve code which kept converting back and force between NIDs and curve IDs. Now everything transits as curve IDs except for API entry points (SSL_set1_curves) which take NIDs. Those convert immediately and act on curve IDs from then on. Note that, like the Go implementation, this slightly tweaks the order of operations. The client sees the server public key before sending its own. To keep the abstraction simple, SSL_ECDH_METHOD expects to generate a keypair before consuming the peer's public key. Instead, the client handshake stashes the serialized peer public value and defers parsing it until it comes time to send ClientKeyExchange. (This is analogous to what it was doing before where it stashed the parsed peer public value instead.) It still uses TLS 1.2 terminology everywhere, but this abstraction should also be compatible with TLS 1.3 which unifies (EC)DH-style key exchanges. (Accordingly, this abstraction intentionally does not handle parsing the ClientKeyExchange/ServerKeyExchange framing or attempt to handle asynchronous plain RSA or the authentication bits.) BUG=571231 Change-Id: Iba09dddee5bcdfeb2b70185308e8ab0632717932 Reviewed-on: https://boringssl-review.googlesource.com/6780 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Add SSL_get_curve_id and SSL_get_dhe_group_size. This replaces the old key_exchange_info APIs and does not require the caller be aware of the mess around SSL_SESSION management. They currently have the same bugs around renegotiation as before, but later work to fix up SSL_SESSION tracking will fix their internals. For consistency with the existing functions, I've kept the public API at 'curve' rather than 'group' for now. I think it's probably better to have only one name with a single explanation in the section header rather than half and half. (I also wouldn't be surprised if the IETF ends up renaming 'group' again to 'key exchange' at some point. We'll see what happens.) Change-Id: I8e90a503bc4045d12f30835c86de64ef9f2d07c8 Reviewed-on: https://boringssl-review.googlesource.com/8565 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Implement draft-ietf-tls-curve25519-01 in C. The new curve is not enabled by default. As EC_GROUP/EC_POINT is a bit too complex for X25519, this introduces an SSL_ECDH_METHOD abstraction which wraps just the raw ECDH operation. It also tidies up some of the curve code which kept converting back and force between NIDs and curve IDs. Now everything transits as curve IDs except for API entry points (SSL_set1_curves) which take NIDs. Those convert immediately and act on curve IDs from then on. Note that, like the Go implementation, this slightly tweaks the order of operations. The client sees the server public key before sending its own. To keep the abstraction simple, SSL_ECDH_METHOD expects to generate a keypair before consuming the peer's public key. Instead, the client handshake stashes the serialized peer public value and defers parsing it until it comes time to send ClientKeyExchange. (This is analogous to what it was doing before where it stashed the parsed peer public value instead.) It still uses TLS 1.2 terminology everywhere, but this abstraction should also be compatible with TLS 1.3 which unifies (EC)DH-style key exchanges. (Accordingly, this abstraction intentionally does not handle parsing the ClientKeyExchange/ServerKeyExchange framing or attempt to handle asynchronous plain RSA or the authentication bits.) BUG=571231 Change-Id: Iba09dddee5bcdfeb2b70185308e8ab0632717932 Reviewed-on: https://boringssl-review.googlesource.com/6780 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Refactor ECDH key exchange to make it asymmetrical Previously, SSL_ECDH_METHOD consisted of two methods: one to produce a public key to be sent to the peer, and another to produce the shared key upon receipt of the peer's message. This API does not work for NEWHOPE, because the client-to-server message cannot be produced until the server's message has been received by the client. Solve this by introducing a new method which consumes data from the server key exchange message and produces data for the client key exchange message. Change-Id: I1ed5a2bf198ca2d2ddb6d577888c1fa2008ef99a Reviewed-on: https://boringssl-review.googlesource.com/7961 Reviewed-by: David Benjamin <davidben@google.com>
há 8 anos
Elliptic curve + post-quantum key exchange CECPQ1 is a new key exchange that concatenates the results of an X25519 key agreement and a NEWHOPE key agreement. Change-Id: Ib919bdc2e1f30f28bf80c4c18f6558017ea386bb Reviewed-on: https://boringssl-review.googlesource.com/7962 Reviewed-by: David Benjamin <davidben@google.com>
há 8 anos
Implement draft-ietf-tls-curve25519-01 in C. The new curve is not enabled by default. As EC_GROUP/EC_POINT is a bit too complex for X25519, this introduces an SSL_ECDH_METHOD abstraction which wraps just the raw ECDH operation. It also tidies up some of the curve code which kept converting back and force between NIDs and curve IDs. Now everything transits as curve IDs except for API entry points (SSL_set1_curves) which take NIDs. Those convert immediately and act on curve IDs from then on. Note that, like the Go implementation, this slightly tweaks the order of operations. The client sees the server public key before sending its own. To keep the abstraction simple, SSL_ECDH_METHOD expects to generate a keypair before consuming the peer's public key. Instead, the client handshake stashes the serialized peer public value and defers parsing it until it comes time to send ClientKeyExchange. (This is analogous to what it was doing before where it stashed the parsed peer public value instead.) It still uses TLS 1.2 terminology everywhere, but this abstraction should also be compatible with TLS 1.3 which unifies (EC)DH-style key exchanges. (Accordingly, this abstraction intentionally does not handle parsing the ClientKeyExchange/ServerKeyExchange framing or attempt to handle asynchronous plain RSA or the authentication bits.) BUG=571231 Change-Id: Iba09dddee5bcdfeb2b70185308e8ab0632717932 Reviewed-on: https://boringssl-review.googlesource.com/6780 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Add SSL_get_curve_id and SSL_get_dhe_group_size. This replaces the old key_exchange_info APIs and does not require the caller be aware of the mess around SSL_SESSION management. They currently have the same bugs around renegotiation as before, but later work to fix up SSL_SESSION tracking will fix their internals. For consistency with the existing functions, I've kept the public API at 'curve' rather than 'group' for now. I think it's probably better to have only one name with a single explanation in the section header rather than half and half. (I also wouldn't be surprised if the IETF ends up renaming 'group' again to 'key exchange' at some point. We'll see what happens.) Change-Id: I8e90a503bc4045d12f30835c86de64ef9f2d07c8 Reviewed-on: https://boringssl-review.googlesource.com/8565 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Implement draft-ietf-tls-curve25519-01 in C. The new curve is not enabled by default. As EC_GROUP/EC_POINT is a bit too complex for X25519, this introduces an SSL_ECDH_METHOD abstraction which wraps just the raw ECDH operation. It also tidies up some of the curve code which kept converting back and force between NIDs and curve IDs. Now everything transits as curve IDs except for API entry points (SSL_set1_curves) which take NIDs. Those convert immediately and act on curve IDs from then on. Note that, like the Go implementation, this slightly tweaks the order of operations. The client sees the server public key before sending its own. To keep the abstraction simple, SSL_ECDH_METHOD expects to generate a keypair before consuming the peer's public key. Instead, the client handshake stashes the serialized peer public value and defers parsing it until it comes time to send ClientKeyExchange. (This is analogous to what it was doing before where it stashed the parsed peer public value instead.) It still uses TLS 1.2 terminology everywhere, but this abstraction should also be compatible with TLS 1.3 which unifies (EC)DH-style key exchanges. (Accordingly, this abstraction intentionally does not handle parsing the ClientKeyExchange/ServerKeyExchange framing or attempt to handle asynchronous plain RSA or the authentication bits.) BUG=571231 Change-Id: Iba09dddee5bcdfeb2b70185308e8ab0632717932 Reviewed-on: https://boringssl-review.googlesource.com/6780 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Refactor ECDH key exchange to make it asymmetrical Previously, SSL_ECDH_METHOD consisted of two methods: one to produce a public key to be sent to the peer, and another to produce the shared key upon receipt of the peer's message. This API does not work for NEWHOPE, because the client-to-server message cannot be produced until the server's message has been received by the client. Solve this by introducing a new method which consumes data from the server key exchange message and produces data for the client key exchange message. Change-Id: I1ed5a2bf198ca2d2ddb6d577888c1fa2008ef99a Reviewed-on: https://boringssl-review.googlesource.com/7961 Reviewed-by: David Benjamin <davidben@google.com>
há 8 anos
Elliptic curve + post-quantum key exchange CECPQ1 is a new key exchange that concatenates the results of an X25519 key agreement and a NEWHOPE key agreement. Change-Id: Ib919bdc2e1f30f28bf80c4c18f6558017ea386bb Reviewed-on: https://boringssl-review.googlesource.com/7962 Reviewed-by: David Benjamin <davidben@google.com>
há 8 anos
Implement draft-ietf-tls-curve25519-01 in C. The new curve is not enabled by default. As EC_GROUP/EC_POINT is a bit too complex for X25519, this introduces an SSL_ECDH_METHOD abstraction which wraps just the raw ECDH operation. It also tidies up some of the curve code which kept converting back and force between NIDs and curve IDs. Now everything transits as curve IDs except for API entry points (SSL_set1_curves) which take NIDs. Those convert immediately and act on curve IDs from then on. Note that, like the Go implementation, this slightly tweaks the order of operations. The client sees the server public key before sending its own. To keep the abstraction simple, SSL_ECDH_METHOD expects to generate a keypair before consuming the peer's public key. Instead, the client handshake stashes the serialized peer public value and defers parsing it until it comes time to send ClientKeyExchange. (This is analogous to what it was doing before where it stashed the parsed peer public value instead.) It still uses TLS 1.2 terminology everywhere, but this abstraction should also be compatible with TLS 1.3 which unifies (EC)DH-style key exchanges. (Accordingly, this abstraction intentionally does not handle parsing the ClientKeyExchange/ServerKeyExchange framing or attempt to handle asynchronous plain RSA or the authentication bits.) BUG=571231 Change-Id: Iba09dddee5bcdfeb2b70185308e8ab0632717932 Reviewed-on: https://boringssl-review.googlesource.com/6780 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Add SSL_get_curve_id and SSL_get_dhe_group_size. This replaces the old key_exchange_info APIs and does not require the caller be aware of the mess around SSL_SESSION management. They currently have the same bugs around renegotiation as before, but later work to fix up SSL_SESSION tracking will fix their internals. For consistency with the existing functions, I've kept the public API at 'curve' rather than 'group' for now. I think it's probably better to have only one name with a single explanation in the section header rather than half and half. (I also wouldn't be surprised if the IETF ends up renaming 'group' again to 'key exchange' at some point. We'll see what happens.) Change-Id: I8e90a503bc4045d12f30835c86de64ef9f2d07c8 Reviewed-on: https://boringssl-review.googlesource.com/8565 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Implement draft-ietf-tls-curve25519-01 in C. The new curve is not enabled by default. As EC_GROUP/EC_POINT is a bit too complex for X25519, this introduces an SSL_ECDH_METHOD abstraction which wraps just the raw ECDH operation. It also tidies up some of the curve code which kept converting back and force between NIDs and curve IDs. Now everything transits as curve IDs except for API entry points (SSL_set1_curves) which take NIDs. Those convert immediately and act on curve IDs from then on. Note that, like the Go implementation, this slightly tweaks the order of operations. The client sees the server public key before sending its own. To keep the abstraction simple, SSL_ECDH_METHOD expects to generate a keypair before consuming the peer's public key. Instead, the client handshake stashes the serialized peer public value and defers parsing it until it comes time to send ClientKeyExchange. (This is analogous to what it was doing before where it stashed the parsed peer public value instead.) It still uses TLS 1.2 terminology everywhere, but this abstraction should also be compatible with TLS 1.3 which unifies (EC)DH-style key exchanges. (Accordingly, this abstraction intentionally does not handle parsing the ClientKeyExchange/ServerKeyExchange framing or attempt to handle asynchronous plain RSA or the authentication bits.) BUG=571231 Change-Id: Iba09dddee5bcdfeb2b70185308e8ab0632717932 Reviewed-on: https://boringssl-review.googlesource.com/6780 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Refactor ECDH key exchange to make it asymmetrical Previously, SSL_ECDH_METHOD consisted of two methods: one to produce a public key to be sent to the peer, and another to produce the shared key upon receipt of the peer's message. This API does not work for NEWHOPE, because the client-to-server message cannot be produced until the server's message has been received by the client. Solve this by introducing a new method which consumes data from the server key exchange message and produces data for the client key exchange message. Change-Id: I1ed5a2bf198ca2d2ddb6d577888c1fa2008ef99a Reviewed-on: https://boringssl-review.googlesource.com/7961 Reviewed-by: David Benjamin <davidben@google.com>
há 8 anos
Elliptic curve + post-quantum key exchange CECPQ1 is a new key exchange that concatenates the results of an X25519 key agreement and a NEWHOPE key agreement. Change-Id: Ib919bdc2e1f30f28bf80c4c18f6558017ea386bb Reviewed-on: https://boringssl-review.googlesource.com/7962 Reviewed-by: David Benjamin <davidben@google.com>
há 8 anos
Implement draft-ietf-tls-curve25519-01 in C. The new curve is not enabled by default. As EC_GROUP/EC_POINT is a bit too complex for X25519, this introduces an SSL_ECDH_METHOD abstraction which wraps just the raw ECDH operation. It also tidies up some of the curve code which kept converting back and force between NIDs and curve IDs. Now everything transits as curve IDs except for API entry points (SSL_set1_curves) which take NIDs. Those convert immediately and act on curve IDs from then on. Note that, like the Go implementation, this slightly tweaks the order of operations. The client sees the server public key before sending its own. To keep the abstraction simple, SSL_ECDH_METHOD expects to generate a keypair before consuming the peer's public key. Instead, the client handshake stashes the serialized peer public value and defers parsing it until it comes time to send ClientKeyExchange. (This is analogous to what it was doing before where it stashed the parsed peer public value instead.) It still uses TLS 1.2 terminology everywhere, but this abstraction should also be compatible with TLS 1.3 which unifies (EC)DH-style key exchanges. (Accordingly, this abstraction intentionally does not handle parsing the ClientKeyExchange/ServerKeyExchange framing or attempt to handle asynchronous plain RSA or the authentication bits.) BUG=571231 Change-Id: Iba09dddee5bcdfeb2b70185308e8ab0632717932 Reviewed-on: https://boringssl-review.googlesource.com/6780 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Rename NID_x25519 to NID_X25519. I went with NID_x25519 to match NID_sha1 and friends in being lowercase. However, upstream seems to have since chosen NID_X25519. Match their name. Change-Id: Icc7b183a2e2dfbe42c88e08e538fcbd242478ac3 Reviewed-on: https://boringssl-review.googlesource.com/7331 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
há 8 anos
Add SSL_get_curve_id and SSL_get_dhe_group_size. This replaces the old key_exchange_info APIs and does not require the caller be aware of the mess around SSL_SESSION management. They currently have the same bugs around renegotiation as before, but later work to fix up SSL_SESSION tracking will fix their internals. For consistency with the existing functions, I've kept the public API at 'curve' rather than 'group' for now. I think it's probably better to have only one name with a single explanation in the section header rather than half and half. (I also wouldn't be surprised if the IETF ends up renaming 'group' again to 'key exchange' at some point. We'll see what happens.) Change-Id: I8e90a503bc4045d12f30835c86de64ef9f2d07c8 Reviewed-on: https://boringssl-review.googlesource.com/8565 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Implement draft-ietf-tls-curve25519-01 in C. The new curve is not enabled by default. As EC_GROUP/EC_POINT is a bit too complex for X25519, this introduces an SSL_ECDH_METHOD abstraction which wraps just the raw ECDH operation. It also tidies up some of the curve code which kept converting back and force between NIDs and curve IDs. Now everything transits as curve IDs except for API entry points (SSL_set1_curves) which take NIDs. Those convert immediately and act on curve IDs from then on. Note that, like the Go implementation, this slightly tweaks the order of operations. The client sees the server public key before sending its own. To keep the abstraction simple, SSL_ECDH_METHOD expects to generate a keypair before consuming the peer's public key. Instead, the client handshake stashes the serialized peer public value and defers parsing it until it comes time to send ClientKeyExchange. (This is analogous to what it was doing before where it stashed the parsed peer public value instead.) It still uses TLS 1.2 terminology everywhere, but this abstraction should also be compatible with TLS 1.3 which unifies (EC)DH-style key exchanges. (Accordingly, this abstraction intentionally does not handle parsing the ClientKeyExchange/ServerKeyExchange framing or attempt to handle asynchronous plain RSA or the authentication bits.) BUG=571231 Change-Id: Iba09dddee5bcdfeb2b70185308e8ab0632717932 Reviewed-on: https://boringssl-review.googlesource.com/6780 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Refactor ECDH key exchange to make it asymmetrical Previously, SSL_ECDH_METHOD consisted of two methods: one to produce a public key to be sent to the peer, and another to produce the shared key upon receipt of the peer's message. This API does not work for NEWHOPE, because the client-to-server message cannot be produced until the server's message has been received by the client. Solve this by introducing a new method which consumes data from the server key exchange message and produces data for the client key exchange message. Change-Id: I1ed5a2bf198ca2d2ddb6d577888c1fa2008ef99a Reviewed-on: https://boringssl-review.googlesource.com/7961 Reviewed-by: David Benjamin <davidben@google.com>
há 8 anos
Elliptic curve + post-quantum key exchange CECPQ1 is a new key exchange that concatenates the results of an X25519 key agreement and a NEWHOPE key agreement. Change-Id: Ib919bdc2e1f30f28bf80c4c18f6558017ea386bb Reviewed-on: https://boringssl-review.googlesource.com/7962 Reviewed-by: David Benjamin <davidben@google.com>
há 8 anos
Implement draft-ietf-tls-curve25519-01 in C. The new curve is not enabled by default. As EC_GROUP/EC_POINT is a bit too complex for X25519, this introduces an SSL_ECDH_METHOD abstraction which wraps just the raw ECDH operation. It also tidies up some of the curve code which kept converting back and force between NIDs and curve IDs. Now everything transits as curve IDs except for API entry points (SSL_set1_curves) which take NIDs. Those convert immediately and act on curve IDs from then on. Note that, like the Go implementation, this slightly tweaks the order of operations. The client sees the server public key before sending its own. To keep the abstraction simple, SSL_ECDH_METHOD expects to generate a keypair before consuming the peer's public key. Instead, the client handshake stashes the serialized peer public value and defers parsing it until it comes time to send ClientKeyExchange. (This is analogous to what it was doing before where it stashed the parsed peer public value instead.) It still uses TLS 1.2 terminology everywhere, but this abstraction should also be compatible with TLS 1.3 which unifies (EC)DH-style key exchanges. (Accordingly, this abstraction intentionally does not handle parsing the ClientKeyExchange/ServerKeyExchange framing or attempt to handle asynchronous plain RSA or the authentication bits.) BUG=571231 Change-Id: Iba09dddee5bcdfeb2b70185308e8ab0632717932 Reviewed-on: https://boringssl-review.googlesource.com/6780 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Generalizing curves to groups in preparation for TLS 1.3. The 'elliptic_curves' extension is being renamed to 'supported_groups' in the TLS 1.3 draft, and most of the curve-specific methods are generalized to groups/group IDs. Change-Id: Icd1a1cf7365c8a4a64ae601993dc4273802610fb Reviewed-on: https://boringssl-review.googlesource.com/7955 Reviewed-by: David Benjamin <davidben@google.com>
há 8 anos
Use C99 for size_t loops. This was done just by grepping for 'size_t i;' and 'size_t j;'. I left everything in crypto/x509 and friends alone. There's some instances in gcm.c that are non-trivial and pulled into a separate CL for ease of review. Change-Id: I6515804e3097f7e90855f1e7610868ee87117223 Reviewed-on: https://boringssl-review.googlesource.com/10801 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
há 8 anos
Generalizing curves to groups in preparation for TLS 1.3. The 'elliptic_curves' extension is being renamed to 'supported_groups' in the TLS 1.3 draft, and most of the curve-specific methods are generalized to groups/group IDs. Change-Id: Icd1a1cf7365c8a4a64ae601993dc4273802610fb Reviewed-on: https://boringssl-review.googlesource.com/7955 Reviewed-by: David Benjamin <davidben@google.com>
há 8 anos
Implement draft-ietf-tls-curve25519-01 in C. The new curve is not enabled by default. As EC_GROUP/EC_POINT is a bit too complex for X25519, this introduces an SSL_ECDH_METHOD abstraction which wraps just the raw ECDH operation. It also tidies up some of the curve code which kept converting back and force between NIDs and curve IDs. Now everything transits as curve IDs except for API entry points (SSL_set1_curves) which take NIDs. Those convert immediately and act on curve IDs from then on. Note that, like the Go implementation, this slightly tweaks the order of operations. The client sees the server public key before sending its own. To keep the abstraction simple, SSL_ECDH_METHOD expects to generate a keypair before consuming the peer's public key. Instead, the client handshake stashes the serialized peer public value and defers parsing it until it comes time to send ClientKeyExchange. (This is analogous to what it was doing before where it stashed the parsed peer public value instead.) It still uses TLS 1.2 terminology everywhere, but this abstraction should also be compatible with TLS 1.3 which unifies (EC)DH-style key exchanges. (Accordingly, this abstraction intentionally does not handle parsing the ClientKeyExchange/ServerKeyExchange framing or attempt to handle asynchronous plain RSA or the authentication bits.) BUG=571231 Change-Id: Iba09dddee5bcdfeb2b70185308e8ab0632717932 Reviewed-on: https://boringssl-review.googlesource.com/6780 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Use C99 for size_t loops. This was done just by grepping for 'size_t i;' and 'size_t j;'. I left everything in crypto/x509 and friends alone. There's some instances in gcm.c that are non-trivial and pulled into a separate CL for ease of review. Change-Id: I6515804e3097f7e90855f1e7610868ee87117223 Reviewed-on: https://boringssl-review.googlesource.com/10801 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
há 8 anos
Implement draft-ietf-tls-curve25519-01 in C. The new curve is not enabled by default. As EC_GROUP/EC_POINT is a bit too complex for X25519, this introduces an SSL_ECDH_METHOD abstraction which wraps just the raw ECDH operation. It also tidies up some of the curve code which kept converting back and force between NIDs and curve IDs. Now everything transits as curve IDs except for API entry points (SSL_set1_curves) which take NIDs. Those convert immediately and act on curve IDs from then on. Note that, like the Go implementation, this slightly tweaks the order of operations. The client sees the server public key before sending its own. To keep the abstraction simple, SSL_ECDH_METHOD expects to generate a keypair before consuming the peer's public key. Instead, the client handshake stashes the serialized peer public value and defers parsing it until it comes time to send ClientKeyExchange. (This is analogous to what it was doing before where it stashed the parsed peer public value instead.) It still uses TLS 1.2 terminology everywhere, but this abstraction should also be compatible with TLS 1.3 which unifies (EC)DH-style key exchanges. (Accordingly, this abstraction intentionally does not handle parsing the ClientKeyExchange/ServerKeyExchange framing or attempt to handle asynchronous plain RSA or the authentication bits.) BUG=571231 Change-Id: Iba09dddee5bcdfeb2b70185308e8ab0632717932 Reviewed-on: https://boringssl-review.googlesource.com/6780 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Implement SSL_CTX_set1_curves_list() This function is used by NGINX to enable specific curves for ECDH from a configuration file. However when building with BoringSSL, since it's not implmeneted, it falls back to using EC_KEY_new_by_curve_name() wich doesn't support X25519. Change-Id: I533df4ef302592c1a9f9fc8880bd85f796ce0ef3 Reviewed-on: https://boringssl-review.googlesource.com/11382 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
há 8 anos
Generalizing curves to groups in preparation for TLS 1.3. The 'elliptic_curves' extension is being renamed to 'supported_groups' in the TLS 1.3 draft, and most of the curve-specific methods are generalized to groups/group IDs. Change-Id: Icd1a1cf7365c8a4a64ae601993dc4273802610fb Reviewed-on: https://boringssl-review.googlesource.com/7955 Reviewed-by: David Benjamin <davidben@google.com>
há 8 anos
Implement draft-ietf-tls-curve25519-01 in C. The new curve is not enabled by default. As EC_GROUP/EC_POINT is a bit too complex for X25519, this introduces an SSL_ECDH_METHOD abstraction which wraps just the raw ECDH operation. It also tidies up some of the curve code which kept converting back and force between NIDs and curve IDs. Now everything transits as curve IDs except for API entry points (SSL_set1_curves) which take NIDs. Those convert immediately and act on curve IDs from then on. Note that, like the Go implementation, this slightly tweaks the order of operations. The client sees the server public key before sending its own. To keep the abstraction simple, SSL_ECDH_METHOD expects to generate a keypair before consuming the peer's public key. Instead, the client handshake stashes the serialized peer public value and defers parsing it until it comes time to send ClientKeyExchange. (This is analogous to what it was doing before where it stashed the parsed peer public value instead.) It still uses TLS 1.2 terminology everywhere, but this abstraction should also be compatible with TLS 1.3 which unifies (EC)DH-style key exchanges. (Accordingly, this abstraction intentionally does not handle parsing the ClientKeyExchange/ServerKeyExchange framing or attempt to handle asynchronous plain RSA or the authentication bits.) BUG=571231 Change-Id: Iba09dddee5bcdfeb2b70185308e8ab0632717932 Reviewed-on: https://boringssl-review.googlesource.com/6780 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Generalizing curves to groups in preparation for TLS 1.3. The 'elliptic_curves' extension is being renamed to 'supported_groups' in the TLS 1.3 draft, and most of the curve-specific methods are generalized to groups/group IDs. Change-Id: Icd1a1cf7365c8a4a64ae601993dc4273802610fb Reviewed-on: https://boringssl-review.googlesource.com/7955 Reviewed-by: David Benjamin <davidben@google.com>
há 8 anos
Implement draft-ietf-tls-curve25519-01 in C. The new curve is not enabled by default. As EC_GROUP/EC_POINT is a bit too complex for X25519, this introduces an SSL_ECDH_METHOD abstraction which wraps just the raw ECDH operation. It also tidies up some of the curve code which kept converting back and force between NIDs and curve IDs. Now everything transits as curve IDs except for API entry points (SSL_set1_curves) which take NIDs. Those convert immediately and act on curve IDs from then on. Note that, like the Go implementation, this slightly tweaks the order of operations. The client sees the server public key before sending its own. To keep the abstraction simple, SSL_ECDH_METHOD expects to generate a keypair before consuming the peer's public key. Instead, the client handshake stashes the serialized peer public value and defers parsing it until it comes time to send ClientKeyExchange. (This is analogous to what it was doing before where it stashed the parsed peer public value instead.) It still uses TLS 1.2 terminology everywhere, but this abstraction should also be compatible with TLS 1.3 which unifies (EC)DH-style key exchanges. (Accordingly, this abstraction intentionally does not handle parsing the ClientKeyExchange/ServerKeyExchange framing or attempt to handle asynchronous plain RSA or the authentication bits.) BUG=571231 Change-Id: Iba09dddee5bcdfeb2b70185308e8ab0632717932 Reviewed-on: https://boringssl-review.googlesource.com/6780 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Generalizing curves to groups in preparation for TLS 1.3. The 'elliptic_curves' extension is being renamed to 'supported_groups' in the TLS 1.3 draft, and most of the curve-specific methods are generalized to groups/group IDs. Change-Id: Icd1a1cf7365c8a4a64ae601993dc4273802610fb Reviewed-on: https://boringssl-review.googlesource.com/7955 Reviewed-by: David Benjamin <davidben@google.com>
há 8 anos
Implement SSL_CTX_set1_curves_list() This function is used by NGINX to enable specific curves for ECDH from a configuration file. However when building with BoringSSL, since it's not implmeneted, it falls back to using EC_KEY_new_by_curve_name() wich doesn't support X25519. Change-Id: I533df4ef302592c1a9f9fc8880bd85f796ce0ef3 Reviewed-on: https://boringssl-review.googlesource.com/11382 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
há 8 anos
Implement draft-ietf-tls-curve25519-01 in C. The new curve is not enabled by default. As EC_GROUP/EC_POINT is a bit too complex for X25519, this introduces an SSL_ECDH_METHOD abstraction which wraps just the raw ECDH operation. It also tidies up some of the curve code which kept converting back and force between NIDs and curve IDs. Now everything transits as curve IDs except for API entry points (SSL_set1_curves) which take NIDs. Those convert immediately and act on curve IDs from then on. Note that, like the Go implementation, this slightly tweaks the order of operations. The client sees the server public key before sending its own. To keep the abstraction simple, SSL_ECDH_METHOD expects to generate a keypair before consuming the peer's public key. Instead, the client handshake stashes the serialized peer public value and defers parsing it until it comes time to send ClientKeyExchange. (This is analogous to what it was doing before where it stashed the parsed peer public value instead.) It still uses TLS 1.2 terminology everywhere, but this abstraction should also be compatible with TLS 1.3 which unifies (EC)DH-style key exchanges. (Accordingly, this abstraction intentionally does not handle parsing the ClientKeyExchange/ServerKeyExchange framing or attempt to handle asynchronous plain RSA or the authentication bits.) BUG=571231 Change-Id: Iba09dddee5bcdfeb2b70185308e8ab0632717932 Reviewed-on: https://boringssl-review.googlesource.com/6780 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Generalizing curves to groups in preparation for TLS 1.3. The 'elliptic_curves' extension is being renamed to 'supported_groups' in the TLS 1.3 draft, and most of the curve-specific methods are generalized to groups/group IDs. Change-Id: Icd1a1cf7365c8a4a64ae601993dc4273802610fb Reviewed-on: https://boringssl-review.googlesource.com/7955 Reviewed-by: David Benjamin <davidben@google.com>
há 8 anos
Implement draft-ietf-tls-curve25519-01 in C. The new curve is not enabled by default. As EC_GROUP/EC_POINT is a bit too complex for X25519, this introduces an SSL_ECDH_METHOD abstraction which wraps just the raw ECDH operation. It also tidies up some of the curve code which kept converting back and force between NIDs and curve IDs. Now everything transits as curve IDs except for API entry points (SSL_set1_curves) which take NIDs. Those convert immediately and act on curve IDs from then on. Note that, like the Go implementation, this slightly tweaks the order of operations. The client sees the server public key before sending its own. To keep the abstraction simple, SSL_ECDH_METHOD expects to generate a keypair before consuming the peer's public key. Instead, the client handshake stashes the serialized peer public value and defers parsing it until it comes time to send ClientKeyExchange. (This is analogous to what it was doing before where it stashed the parsed peer public value instead.) It still uses TLS 1.2 terminology everywhere, but this abstraction should also be compatible with TLS 1.3 which unifies (EC)DH-style key exchanges. (Accordingly, this abstraction intentionally does not handle parsing the ClientKeyExchange/ServerKeyExchange framing or attempt to handle asynchronous plain RSA or the authentication bits.) BUG=571231 Change-Id: Iba09dddee5bcdfeb2b70185308e8ab0632717932 Reviewed-on: https://boringssl-review.googlesource.com/6780 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Generalizing curves to groups in preparation for TLS 1.3. The 'elliptic_curves' extension is being renamed to 'supported_groups' in the TLS 1.3 draft, and most of the curve-specific methods are generalized to groups/group IDs. Change-Id: Icd1a1cf7365c8a4a64ae601993dc4273802610fb Reviewed-on: https://boringssl-review.googlesource.com/7955 Reviewed-by: David Benjamin <davidben@google.com>
há 8 anos
Implement draft-ietf-tls-curve25519-01 in C. The new curve is not enabled by default. As EC_GROUP/EC_POINT is a bit too complex for X25519, this introduces an SSL_ECDH_METHOD abstraction which wraps just the raw ECDH operation. It also tidies up some of the curve code which kept converting back and force between NIDs and curve IDs. Now everything transits as curve IDs except for API entry points (SSL_set1_curves) which take NIDs. Those convert immediately and act on curve IDs from then on. Note that, like the Go implementation, this slightly tweaks the order of operations. The client sees the server public key before sending its own. To keep the abstraction simple, SSL_ECDH_METHOD expects to generate a keypair before consuming the peer's public key. Instead, the client handshake stashes the serialized peer public value and defers parsing it until it comes time to send ClientKeyExchange. (This is analogous to what it was doing before where it stashed the parsed peer public value instead.) It still uses TLS 1.2 terminology everywhere, but this abstraction should also be compatible with TLS 1.3 which unifies (EC)DH-style key exchanges. (Accordingly, this abstraction intentionally does not handle parsing the ClientKeyExchange/ServerKeyExchange framing or attempt to handle asynchronous plain RSA or the authentication bits.) BUG=571231 Change-Id: Iba09dddee5bcdfeb2b70185308e8ab0632717932 Reviewed-on: https://boringssl-review.googlesource.com/6780 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Route DHE through the SSL_ECDH abstraction as well. This unifies the ClientKeyExchange code rather nicely. ServerKeyExchange is still pretty specialized. For simplicity, I've extended the yaSSL bug workaround for clients as well as servers rather than route in a boolean. Chrome's already banished DHE to a fallback with intention to remove altogether later, and the spec doesn't say anything useful about ClientDiffieHellmanPublic encoding, so this is unlikely to cause problems. Change-Id: I0355cd1fd0fab5729e8812e4427dd689124f53a2 Reviewed-on: https://boringssl-review.googlesource.com/6784 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Don't allocate a group/curve ID for CECPQ1. We ended up switching this from a curve to a cipher suite, so the group ID isn't used. This is in preparation for adding an API for the curve ID, at which point leaving the protocol constants undefined seems somewhat bad manners. Change-Id: Icb8bf4594879dbbc24177551868ecfe89bc2f8c3 Reviewed-on: https://boringssl-review.googlesource.com/8563 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Add TLS 1.3 1-RTT. This adds the machinery for doing TLS 1.3 1RTT. Change-Id: I736921ffe9dc6f6e64a08a836df6bb166d20f504 Reviewed-on: https://boringssl-review.googlesource.com/8720 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
há 8 anos
Elliptic curve + post-quantum key exchange CECPQ1 is a new key exchange that concatenates the results of an X25519 key agreement and a NEWHOPE key agreement. Change-Id: Ib919bdc2e1f30f28bf80c4c18f6558017ea386bb Reviewed-on: https://boringssl-review.googlesource.com/7962 Reviewed-by: David Benjamin <davidben@google.com>
há 8 anos
Refactor ECDH key exchange to make it asymmetrical Previously, SSL_ECDH_METHOD consisted of two methods: one to produce a public key to be sent to the peer, and another to produce the shared key upon receipt of the peer's message. This API does not work for NEWHOPE, because the client-to-server message cannot be produced until the server's message has been received by the client. Solve this by introducing a new method which consumes data from the server key exchange message and produces data for the client key exchange message. Change-Id: I1ed5a2bf198ca2d2ddb6d577888c1fa2008ef99a Reviewed-on: https://boringssl-review.googlesource.com/7961 Reviewed-by: David Benjamin <davidben@google.com>
há 8 anos
Implement draft-ietf-tls-curve25519-01 in C. The new curve is not enabled by default. As EC_GROUP/EC_POINT is a bit too complex for X25519, this introduces an SSL_ECDH_METHOD abstraction which wraps just the raw ECDH operation. It also tidies up some of the curve code which kept converting back and force between NIDs and curve IDs. Now everything transits as curve IDs except for API entry points (SSL_set1_curves) which take NIDs. Those convert immediately and act on curve IDs from then on. Note that, like the Go implementation, this slightly tweaks the order of operations. The client sees the server public key before sending its own. To keep the abstraction simple, SSL_ECDH_METHOD expects to generate a keypair before consuming the peer's public key. Instead, the client handshake stashes the serialized peer public value and defers parsing it until it comes time to send ClientKeyExchange. (This is analogous to what it was doing before where it stashed the parsed peer public value instead.) It still uses TLS 1.2 terminology everywhere, but this abstraction should also be compatible with TLS 1.3 which unifies (EC)DH-style key exchanges. (Accordingly, this abstraction intentionally does not handle parsing the ClientKeyExchange/ServerKeyExchange framing or attempt to handle asynchronous plain RSA or the authentication bits.) BUG=571231 Change-Id: Iba09dddee5bcdfeb2b70185308e8ab0632717932 Reviewed-on: https://boringssl-review.googlesource.com/6780 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
Refactor ECDH key exchange to make it asymmetrical Previously, SSL_ECDH_METHOD consisted of two methods: one to produce a public key to be sent to the peer, and another to produce the shared key upon receipt of the peer's message. This API does not work for NEWHOPE, because the client-to-server message cannot be produced until the server's message has been received by the client. Solve this by introducing a new method which consumes data from the server key exchange message and produces data for the client key exchange message. Change-Id: I1ed5a2bf198ca2d2ddb6d577888c1fa2008ef99a Reviewed-on: https://boringssl-review.googlesource.com/7961 Reviewed-by: David Benjamin <davidben@google.com>
há 8 anos
Implement draft-ietf-tls-curve25519-01 in C. The new curve is not enabled by default. As EC_GROUP/EC_POINT is a bit too complex for X25519, this introduces an SSL_ECDH_METHOD abstraction which wraps just the raw ECDH operation. It also tidies up some of the curve code which kept converting back and force between NIDs and curve IDs. Now everything transits as curve IDs except for API entry points (SSL_set1_curves) which take NIDs. Those convert immediately and act on curve IDs from then on. Note that, like the Go implementation, this slightly tweaks the order of operations. The client sees the server public key before sending its own. To keep the abstraction simple, SSL_ECDH_METHOD expects to generate a keypair before consuming the peer's public key. Instead, the client handshake stashes the serialized peer public value and defers parsing it until it comes time to send ClientKeyExchange. (This is analogous to what it was doing before where it stashed the parsed peer public value instead.) It still uses TLS 1.2 terminology everywhere, but this abstraction should also be compatible with TLS 1.3 which unifies (EC)DH-style key exchanges. (Accordingly, this abstraction intentionally does not handle parsing the ClientKeyExchange/ServerKeyExchange framing or attempt to handle asynchronous plain RSA or the authentication bits.) BUG=571231 Change-Id: Iba09dddee5bcdfeb2b70185308e8ab0632717932 Reviewed-on: https://boringssl-review.googlesource.com/6780 Reviewed-by: Adam Langley <agl@google.com>
há 8 anos
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629 
  1. /* Copyright (c) 2015, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <openssl/ssl.h>

  16. 

  17. #include <assert.h>

  18. #include <string.h>

  19. 

  20. #include <openssl/bn.h>

  21. #include <openssl/bytestring.h>

  22. #include <openssl/curve25519.h>

  23. #include <openssl/ec.h>

  24. #include <openssl/err.h>

  25. #include <openssl/mem.h>

  26. #include <openssl/newhope.h>

  27. #include <openssl/nid.h>

  28. 

  29. #include "internal.h"

  30. #include "../crypto/internal.h"

  31. 

  32. 

  33. /* |EC_POINT| implementation. */

  34. 

  35. static void ssl_ec_point_cleanup(SSL_ECDH_CTX *ctx) {

  36.   BIGNUM *private_key = (BIGNUM *)ctx->data;

  37.   BN_clear_free(private_key);

  38. }

  39. 

  40. static int ssl_ec_point_offer(SSL_ECDH_CTX *ctx, CBB *out) {

  41.   assert(ctx->data == NULL);

  42.   BIGNUM *private_key = BN_new();

  43.   if (private_key == NULL) {

  44.     return 0;

  45.   }

  46.   ctx->data = private_key;

  47. 

  48.   /* Set up a shared |BN_CTX| for all operations. */

  49.   BN_CTX *bn_ctx = BN_CTX_new();

  50.   if (bn_ctx == NULL) {

  51.     return 0;

  52.   }

  53.   BN_CTX_start(bn_ctx);

  54. 

  55.   int ret = 0;

  56.   EC_POINT *public_key = NULL;

  57.   EC_GROUP *group = EC_GROUP_new_by_curve_name(ctx->method->nid);

  58.   if (group == NULL) {

  59.     goto err;

  60.   }

  61. 

  62.   /* Generate a private key. */

  63.   if (!BN_rand_range_ex(private_key, 1, EC_GROUP_get0_order(group))) {

  64.     goto err;

  65.   }

  66. 

  67.   /* Compute the corresponding public key and serialize it. */

  68.   public_key = EC_POINT_new(group);

  69.   if (public_key == NULL ||

  70.       !EC_POINT_mul(group, public_key, private_key, NULL, NULL, bn_ctx) ||

  71.       !EC_POINT_point2cbb(out, group, public_key, POINT_CONVERSION_UNCOMPRESSED,

  72.                           bn_ctx)) {

  73.     goto err;

  74.   }

  75. 

  76.   ret = 1;

  77. 

  78. err:

  79.   EC_GROUP_free(group);

  80.   EC_POINT_free(public_key);

  81.   BN_CTX_end(bn_ctx);

  82.   BN_CTX_free(bn_ctx);

  83.   return ret;

  84. }

  85. 

  86. static int ssl_ec_point_finish(SSL_ECDH_CTX *ctx, uint8_t **out_secret,

  87.                                size_t *out_secret_len, uint8_t *out_alert,

  88.                                const uint8_t *peer_key, size_t peer_key_len) {

  89.   BIGNUM *private_key = (BIGNUM *)ctx->data;

  90.   assert(private_key != NULL);

  91.   *out_alert = SSL_AD_INTERNAL_ERROR;

  92. 

  93.   /* Set up a shared |BN_CTX| for all operations. */

  94.   BN_CTX *bn_ctx = BN_CTX_new();

  95.   if (bn_ctx == NULL) {

  96.     return 0;

  97.   }

  98.   BN_CTX_start(bn_ctx);

  99. 

  100.   int ret = 0;

  101.   EC_GROUP *group = EC_GROUP_new_by_curve_name(ctx->method->nid);

  102.   EC_POINT *peer_point = NULL, *result = NULL;

  103.   uint8_t *secret = NULL;

  104.   if (group == NULL) {

  105.     goto err;

  106.   }

  107. 

  108.   /* Compute the x-coordinate of |peer_key| * |private_key|. */

  109.   peer_point = EC_POINT_new(group);

  110.   result = EC_POINT_new(group);

  111.   if (peer_point == NULL || result == NULL) {

  112.     goto err;

  113.   }

  114.   BIGNUM *x = BN_CTX_get(bn_ctx);

  115.   if (x == NULL) {

  116.     goto err;

  117.   }

  118.   if (!EC_POINT_oct2point(group, peer_point, peer_key, peer_key_len, bn_ctx)) {

  119.     *out_alert = SSL_AD_DECODE_ERROR;

  120.     goto err;

  121.   }

  122.   if (!EC_POINT_mul(group, result, NULL, peer_point, private_key, bn_ctx) ||

  123.       !EC_POINT_get_affine_coordinates_GFp(group, result, x, NULL, bn_ctx)) {

  124.     goto err;

  125.   }

  126. 

  127.   /* Encode the x-coordinate left-padded with zeros. */

  128.   size_t secret_len = (EC_GROUP_get_degree(group) + 7) / 8;

  129.   secret = OPENSSL_malloc(secret_len);

  130.   if (secret == NULL || !BN_bn2bin_padded(secret, secret_len, x)) {

  131.     goto err;

  132.   }

  133. 

  134.   *out_secret = secret;

  135.   *out_secret_len = secret_len;

  136.   secret = NULL;

  137.   ret = 1;

  138. 

  139. err:

  140.   EC_GROUP_free(group);

  141.   EC_POINT_free(peer_point);

  142.   EC_POINT_free(result);

  143.   BN_CTX_end(bn_ctx);

  144.   BN_CTX_free(bn_ctx);

  145.   OPENSSL_free(secret);

  146.   return ret;

  147. }

  148. 

  149. static int ssl_ec_point_accept(SSL_ECDH_CTX *ctx, CBB *out_public_key,

  150.                                uint8_t **out_secret, size_t *out_secret_len,

  151.                                uint8_t *out_alert, const uint8_t *peer_key,

  152.                                size_t peer_key_len) {

  153.   *out_alert = SSL_AD_INTERNAL_ERROR;

  154.   if (!ssl_ec_point_offer(ctx, out_public_key) ||

  155.       !ssl_ec_point_finish(ctx, out_secret, out_secret_len, out_alert, peer_key,

  156.                            peer_key_len)) {

  157.     return 0;

  158.   }

  159.   return 1;

  160. }

  161. 

  162. /* X25119 implementation. */

  163. 

  164. static void ssl_x25519_cleanup(SSL_ECDH_CTX *ctx) {

  165.   if (ctx->data == NULL) {

  166.     return;

  167.   }

  168.   OPENSSL_cleanse(ctx->data, 32);

  169.   OPENSSL_free(ctx->data);

  170. }

  171. 

  172. static int ssl_x25519_offer(SSL_ECDH_CTX *ctx, CBB *out) {

  173.   assert(ctx->data == NULL);

  174. 

  175.   ctx->data = OPENSSL_malloc(32);

  176.   if (ctx->data == NULL) {

  177.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  178.     return 0;

  179.   }

  180.   uint8_t public_key[32];

  181.   X25519_keypair(public_key, (uint8_t *)ctx->data);

  182.   return CBB_add_bytes(out, public_key, sizeof(public_key));

  183. }

  184. 

  185. static int ssl_x25519_finish(SSL_ECDH_CTX *ctx, uint8_t **out_secret,

  186.                              size_t *out_secret_len, uint8_t *out_alert,

  187.                              const uint8_t *peer_key, size_t peer_key_len) {

  188.   assert(ctx->data != NULL);

  189.   *out_alert = SSL_AD_INTERNAL_ERROR;

  190. 

  191.   uint8_t *secret = OPENSSL_malloc(32);

  192.   if (secret == NULL) {

  193.     return 0;

  194.   }

  195. 

  196.   if (peer_key_len != 32 ||

  197.       !X25519(secret, (uint8_t *)ctx->data, peer_key)) {

  198.     OPENSSL_free(secret);

  199.     *out_alert = SSL_AD_DECODE_ERROR;

  200.     OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);

  201.     return 0;

  202.   }

  203. 

  204.   *out_secret = secret;

  205.   *out_secret_len = 32;

  206.   return 1;

  207. }

  208. 

  209. static int ssl_x25519_accept(SSL_ECDH_CTX *ctx, CBB *out_public_key,

  210.                              uint8_t **out_secret, size_t *out_secret_len,

  211.                              uint8_t *out_alert, const uint8_t *peer_key,

  212.                              size_t peer_key_len) {

  213.   *out_alert = SSL_AD_INTERNAL_ERROR;

  214.   if (!ssl_x25519_offer(ctx, out_public_key) ||

  215.       !ssl_x25519_finish(ctx, out_secret, out_secret_len, out_alert, peer_key,

  216.                          peer_key_len)) {

  217.     return 0;

  218.   }

  219.   return 1;

  220. }

  221. 

  222. 

  223. /* Combined X25119 + New Hope (post-quantum) implementation. */

  224. 

  225. typedef struct {

  226.   uint8_t x25519_key[32];

  227.   NEWHOPE_POLY *newhope_sk;

  228. } cecpq1_data;

  229. 

  230. #define CECPQ1_OFFERMSG_LENGTH (32 + NEWHOPE_OFFERMSG_LENGTH)

  231. #define CECPQ1_ACCEPTMSG_LENGTH (32 + NEWHOPE_ACCEPTMSG_LENGTH)

  232. #define CECPQ1_SECRET_LENGTH (32 + SHA256_DIGEST_LENGTH)

  233. 

  234. static void ssl_cecpq1_cleanup(SSL_ECDH_CTX *ctx) {

  235.   if (ctx->data == NULL) {

  236.     return;

  237.   }

  238.   cecpq1_data *data = ctx->data;

  239.   NEWHOPE_POLY_free(data->newhope_sk);

  240.   OPENSSL_cleanse(data, sizeof(cecpq1_data));

  241.   OPENSSL_free(data);

  242. }

  243. 

  244. static int ssl_cecpq1_offer(SSL_ECDH_CTX *ctx, CBB *out) {

  245.   assert(ctx->data == NULL);

  246.   cecpq1_data *data = OPENSSL_malloc(sizeof(cecpq1_data));

  247.   if (data == NULL) {

  248.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  249.     return 0;

  250.   }

  251.   ctx->data = data;

  252.   data->newhope_sk = NEWHOPE_POLY_new();

  253.   if (data->newhope_sk == NULL) {

  254.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  255.     return 0;

  256.   }

  257. 

  258.   uint8_t x25519_public_key[32];

  259.   X25519_keypair(x25519_public_key, data->x25519_key);

  260. 

  261.   uint8_t newhope_offermsg[NEWHOPE_OFFERMSG_LENGTH];

  262.   NEWHOPE_offer(newhope_offermsg, data->newhope_sk);

  263. 

  264.   if (!CBB_add_bytes(out, x25519_public_key, sizeof(x25519_public_key)) ||

  265.       !CBB_add_bytes(out, newhope_offermsg, sizeof(newhope_offermsg))) {

  266.     return 0;

  267.   }

  268.   return 1;

  269. }

  270. 

  271. static int ssl_cecpq1_accept(SSL_ECDH_CTX *ctx, CBB *cbb, uint8_t **out_secret,

  272.                              size_t *out_secret_len, uint8_t *out_alert,

  273.                              const uint8_t *peer_key, size_t peer_key_len) {

  274.   if (peer_key_len != CECPQ1_OFFERMSG_LENGTH) {

  275.     *out_alert = SSL_AD_DECODE_ERROR;

  276.     return 0;

  277.   }

  278. 

  279.   *out_alert = SSL_AD_INTERNAL_ERROR;

  280. 

  281.   assert(ctx->data == NULL);

  282.   cecpq1_data *data = OPENSSL_malloc(sizeof(cecpq1_data));

  283.   if (data == NULL) {

  284.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  285.     return 0;

  286.   }

  287.   data->newhope_sk = NULL;

  288.   ctx->data = data;

  289. 

  290.   uint8_t *secret = OPENSSL_malloc(CECPQ1_SECRET_LENGTH);

  291.   if (secret == NULL) {

  292.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  293.     return 0;

  294.   }

  295. 

  296.   /* Generate message to server, and secret key, at once. */

  297. 

  298.   uint8_t x25519_public_key[32];

  299.   X25519_keypair(x25519_public_key, data->x25519_key);

  300.   if (!X25519(secret, data->x25519_key, peer_key)) {

  301.     *out_alert = SSL_AD_DECODE_ERROR;

  302.     OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);

  303.     goto err;

  304.   }

  305. 

  306.   uint8_t newhope_acceptmsg[NEWHOPE_ACCEPTMSG_LENGTH];

  307.   if (!NEWHOPE_accept(secret + 32, newhope_acceptmsg, peer_key + 32,

  308.                       NEWHOPE_OFFERMSG_LENGTH)) {

  309.     *out_alert = SSL_AD_DECODE_ERROR;

  310.     goto err;

  311.   }

  312. 

  313.   if (!CBB_add_bytes(cbb, x25519_public_key, sizeof(x25519_public_key)) ||

  314.       !CBB_add_bytes(cbb, newhope_acceptmsg, sizeof(newhope_acceptmsg))) {

  315.     goto err;

  316.   }

  317. 

  318.   *out_secret = secret;

  319.   *out_secret_len = CECPQ1_SECRET_LENGTH;

  320.   return 1;

  321. 

  322.  err:

  323.   OPENSSL_cleanse(secret, CECPQ1_SECRET_LENGTH);

  324.   OPENSSL_free(secret);

  325.   return 0;

  326. }

  327. 

  328. static int ssl_cecpq1_finish(SSL_ECDH_CTX *ctx, uint8_t **out_secret,

  329.                              size_t *out_secret_len, uint8_t *out_alert,

  330.                              const uint8_t *peer_key, size_t peer_key_len) {

  331.   if (peer_key_len != CECPQ1_ACCEPTMSG_LENGTH) {

  332.     *out_alert = SSL_AD_DECODE_ERROR;

  333.     return 0;

  334.   }

  335. 

  336.   *out_alert = SSL_AD_INTERNAL_ERROR;

  337. 

  338.   assert(ctx->data != NULL);

  339.   cecpq1_data *data = ctx->data;

  340. 

  341.   uint8_t *secret = OPENSSL_malloc(CECPQ1_SECRET_LENGTH);

  342.   if (secret == NULL) {

  343.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  344.     return 0;

  345.   }

  346. 

  347.   if (!X25519(secret, data->x25519_key, peer_key)) {

  348.     *out_alert = SSL_AD_DECODE_ERROR;

  349.     OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);

  350.     goto err;

  351.   }

  352. 

  353.   if (!NEWHOPE_finish(secret + 32, data->newhope_sk, peer_key + 32,

  354.                       NEWHOPE_ACCEPTMSG_LENGTH)) {

  355.     *out_alert = SSL_AD_DECODE_ERROR;

  356.     goto err;

  357.   }

  358. 

  359.   *out_secret = secret;

  360.   *out_secret_len = CECPQ1_SECRET_LENGTH;

  361.   return 1;

  362. 

  363.  err:

  364.   OPENSSL_cleanse(secret, CECPQ1_SECRET_LENGTH);

  365.   OPENSSL_free(secret);

  366.   return 0;

  367. }

  368. 

  369. 

  370. /* Legacy DHE-based implementation. */

  371. 

  372. static void ssl_dhe_cleanup(SSL_ECDH_CTX *ctx) {

  373.   DH_free((DH *)ctx->data);

  374. }

  375. 

  376. static int ssl_dhe_offer(SSL_ECDH_CTX *ctx, CBB *out) {

  377.   DH *dh = (DH *)ctx->data;

  378.   /* The group must have been initialized already, but not the key. */

  379.   assert(dh != NULL);

  380.   assert(dh->priv_key == NULL);

  381. 

  382.   /* Due to a bug in yaSSL, the public key must be zero padded to the size of

  383.    * the prime. */

  384.   return DH_generate_key(dh) &&

  385.          BN_bn2cbb_padded(out, BN_num_bytes(dh->p), dh->pub_key);

  386. }

  387. 

  388. static int ssl_dhe_finish(SSL_ECDH_CTX *ctx, uint8_t **out_secret,

  389.                           size_t *out_secret_len, uint8_t *out_alert,

  390.                           const uint8_t *peer_key, size_t peer_key_len) {

  391.   DH *dh = (DH *)ctx->data;

  392.   assert(dh != NULL);

  393.   assert(dh->priv_key != NULL);

  394.   *out_alert = SSL_AD_INTERNAL_ERROR;

  395. 

  396.   int secret_len = 0;

  397.   uint8_t *secret = NULL;

  398.   BIGNUM *peer_point = BN_bin2bn(peer_key, peer_key_len, NULL);

  399.   if (peer_point == NULL) {

  400.     goto err;

  401.   }

  402. 

  403.   secret = OPENSSL_malloc(DH_size(dh));

  404.   if (secret == NULL) {

  405.     goto err;

  406.   }

  407.   secret_len = DH_compute_key(secret, peer_point, dh);

  408.   if (secret_len <= 0) {

  409.     goto err;

  410.   }

  411. 

  412.   *out_secret = secret;

  413.   *out_secret_len = (size_t)secret_len;

  414.   BN_free(peer_point);

  415.   return 1;

  416. 

  417. err:

  418.   if (secret_len > 0) {

  419.     OPENSSL_cleanse(secret, (size_t)secret_len);

  420.   }

  421.   OPENSSL_free(secret);

  422.   BN_free(peer_point);

  423.   return 0;

  424. }

  425. 

  426. static int ssl_dhe_accept(SSL_ECDH_CTX *ctx, CBB *out_public_key,

  427.                           uint8_t **out_secret, size_t *out_secret_len,

  428.                           uint8_t *out_alert, const uint8_t *peer_key,

  429.                           size_t peer_key_len) {

  430.   *out_alert = SSL_AD_INTERNAL_ERROR;

  431.   if (!ssl_dhe_offer(ctx, out_public_key) ||

  432.       !ssl_dhe_finish(ctx, out_secret, out_secret_len, out_alert, peer_key,

  433.                       peer_key_len)) {

  434.     return 0;

  435.   }

  436.   return 1;

  437. }

  438. 

  439. static const SSL_ECDH_METHOD kDHEMethod = {

  440.     NID_undef, 0, "",

  441.     ssl_dhe_cleanup,

  442.     ssl_dhe_offer,

  443.     ssl_dhe_accept,

  444.     ssl_dhe_finish,

  445.     CBS_get_u16_length_prefixed,

  446.     CBB_add_u16_length_prefixed,

  447. };

  448. 

  449. static const SSL_ECDH_METHOD kCECPQ1Method = {

  450.     NID_undef, 0, "",

  451.     ssl_cecpq1_cleanup,

  452.     ssl_cecpq1_offer,

  453.     ssl_cecpq1_accept,

  454.     ssl_cecpq1_finish,

  455.     CBS_get_u16_length_prefixed,

  456.     CBB_add_u16_length_prefixed,

  457. };

  458. 

  459. static const SSL_ECDH_METHOD kMethods[] = {

  460.     {

  461.         NID_X9_62_prime256v1,

  462.         SSL_CURVE_SECP256R1,

  463.         "P-256",

  464.         ssl_ec_point_cleanup,

  465.         ssl_ec_point_offer,

  466.         ssl_ec_point_accept,

  467.         ssl_ec_point_finish,

  468.         CBS_get_u8_length_prefixed,

  469.         CBB_add_u8_length_prefixed,

  470.     },

  471.     {

  472.         NID_secp384r1,

  473.         SSL_CURVE_SECP384R1,

  474.         "P-384",

  475.         ssl_ec_point_cleanup,

  476.         ssl_ec_point_offer,

  477.         ssl_ec_point_accept,

  478.         ssl_ec_point_finish,

  479.         CBS_get_u8_length_prefixed,

  480.         CBB_add_u8_length_prefixed,

  481.     },

  482.     {

  483.         NID_secp521r1,

  484.         SSL_CURVE_SECP521R1,

  485.         "P-521",

  486.         ssl_ec_point_cleanup,

  487.         ssl_ec_point_offer,

  488.         ssl_ec_point_accept,

  489.         ssl_ec_point_finish,

  490.         CBS_get_u8_length_prefixed,

  491.         CBB_add_u8_length_prefixed,

  492.     },

  493.     {

  494.         NID_X25519,

  495.         SSL_CURVE_X25519,

  496.         "X25519",

  497.         ssl_x25519_cleanup,

  498.         ssl_x25519_offer,

  499.         ssl_x25519_accept,

  500.         ssl_x25519_finish,

  501.         CBS_get_u8_length_prefixed,

  502.         CBB_add_u8_length_prefixed,

  503.     },

  504. };

  505. 

  506. static const SSL_ECDH_METHOD *method_from_group_id(uint16_t group_id) {

  507.   for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kMethods); i++) {

  508.     if (kMethods[i].group_id == group_id) {

  509.       return &kMethods[i];

  510.     }

  511.   }

  512.   return NULL;

  513. }

  514. 

  515. static const SSL_ECDH_METHOD *method_from_nid(int nid) {

  516.   for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kMethods); i++) {

  517.     if (kMethods[i].nid == nid) {

  518.       return &kMethods[i];

  519.     }

  520.   }

  521.   return NULL;

  522. }

  523. 

  524. static const SSL_ECDH_METHOD *method_from_name(const char *name, size_t len) {

  525.   for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kMethods); i++) {

  526.     if (len == strlen(kMethods[i].name) &&

  527.         !strncmp(kMethods[i].name, name, len)) {

  528.       return &kMethods[i];

  529.     }

  530.   }

  531.   return NULL;

  532. }

  533. 

  534. const char* SSL_get_curve_name(uint16_t group_id) {

  535.   const SSL_ECDH_METHOD *method = method_from_group_id(group_id);

  536.   if (method == NULL) {

  537.     return NULL;

  538.   }

  539.   return method->name;

  540. }

  541. 

  542. int ssl_nid_to_group_id(uint16_t *out_group_id, int nid) {

  543.   const SSL_ECDH_METHOD *method = method_from_nid(nid);

  544.   if (method == NULL) {

  545.     return 0;

  546.   }

  547.   *out_group_id = method->group_id;

  548.   return 1;

  549. }

  550. 

  551. int ssl_name_to_group_id(uint16_t *out_group_id, const char *name, size_t len) {

  552.   const SSL_ECDH_METHOD *method = method_from_name(name, len);

  553.   if (method == NULL) {

  554.     return 0;

  555.   }

  556.   *out_group_id = method->group_id;

  557.   return 1;

  558. }

  559. 

  560. int SSL_ECDH_CTX_init(SSL_ECDH_CTX *ctx, uint16_t group_id) {

  561.   SSL_ECDH_CTX_cleanup(ctx);

  562. 

  563.   const SSL_ECDH_METHOD *method = method_from_group_id(group_id);

  564.   if (method == NULL) {

  565.     OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);

  566.     return 0;

  567.   }

  568.   ctx->method = method;

  569.   return 1;

  570. }

  571. 

  572. void SSL_ECDH_CTX_init_for_dhe(SSL_ECDH_CTX *ctx, DH *params) {

  573.   SSL_ECDH_CTX_cleanup(ctx);

  574. 

  575.   ctx->method = &kDHEMethod;

  576.   ctx->data = params;

  577. }

  578. 

  579. void SSL_ECDH_CTX_init_for_cecpq1(SSL_ECDH_CTX *ctx) {

  580.   SSL_ECDH_CTX_cleanup(ctx);

  581. 

  582.   ctx->method = &kCECPQ1Method;

  583. }

  584. 

  585. void SSL_ECDH_CTX_cleanup(SSL_ECDH_CTX *ctx) {

  586.   if (ctx->method == NULL) {

  587.     return;

  588.   }

  589.   ctx->method->cleanup(ctx);

  590.   ctx->method = NULL;

  591.   ctx->data = NULL;

  592. }

  593. 

  594. uint16_t SSL_ECDH_CTX_get_id(const SSL_ECDH_CTX *ctx) {

  595.   return ctx->method->group_id;

  596. }

  597. 

  598. int SSL_ECDH_CTX_get_key(SSL_ECDH_CTX *ctx, CBS *cbs, CBS *out) {

  599.   if (ctx->method == NULL) {

  600.     return 0;

  601.   }

  602.   return ctx->method->get_key(cbs, out);

  603. }

  604. 

  605. int SSL_ECDH_CTX_add_key(SSL_ECDH_CTX *ctx, CBB *cbb, CBB *out_contents) {

  606.   if (ctx->method == NULL) {

  607.     return 0;

  608.   }

  609.   return ctx->method->add_key(cbb, out_contents);

  610. }

  611. 

  612. int SSL_ECDH_CTX_offer(SSL_ECDH_CTX *ctx, CBB *out_public_key) {

  613.   return ctx->method->offer(ctx, out_public_key);

  614. }

  615. 

  616. int SSL_ECDH_CTX_accept(SSL_ECDH_CTX *ctx, CBB *out_public_key,

  617.                         uint8_t **out_secret, size_t *out_secret_len,

  618.                         uint8_t *out_alert, const uint8_t *peer_key,

  619.                         size_t peer_key_len) {

  620.   return ctx->method->accept(ctx, out_public_key, out_secret, out_secret_len,

  621.                              out_alert, peer_key, peer_key_len);

  622. }

  623. 

  624. int SSL_ECDH_CTX_finish(SSL_ECDH_CTX *ctx, uint8_t **out_secret,

  625.                         size_t *out_secret_len, uint8_t *out_alert,

  626.                         const uint8_t *peer_key, size_t peer_key_len) {

  627.   return ctx->method->finish(ctx, out_secret, out_secret_len, out_alert,

  628.                              peer_key, peer_key_len);

  629. }