kris
/
boringssl
1
0
複製 0
程式碼 問題 0 合併請求 0 版本發佈 0 Wiki 活動
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3469 提交
12 分支
38 MiB
 
 
 
 
 
 
目錄樹: 4008c7a80d
分支列表 標籤
${ item.name }
建立分支 ${ searchTerm }
從 '4008c7a80d'
${ noResults }
boringssl/ssl/ssl_ecdh.c

630 line
17 KiB
原始文件 Blame 歷史記錄 

  1. /* Copyright (c) 2015, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <openssl/ssl.h>

  16. 

  17. #include <assert.h>

  18. #include <string.h>

  19. 

  20. #include <openssl/bn.h>

  21. #include <openssl/bytestring.h>

  22. #include <openssl/curve25519.h>

  23. #include <openssl/ec.h>

  24. #include <openssl/err.h>

  25. #include <openssl/mem.h>

  26. #include <openssl/newhope.h>

  27. #include <openssl/nid.h>

  28. 

  29. #include "internal.h"

  30. #include "../crypto/internal.h"

  31. 

  32. 

  33. /* |EC_POINT| implementation. */

  34. 

  35. static void ssl_ec_point_cleanup(SSL_ECDH_CTX *ctx) {

  36.   BIGNUM *private_key = (BIGNUM *)ctx->data;

  37.   BN_clear_free(private_key);

  38. }

  39. 

  40. static int ssl_ec_point_offer(SSL_ECDH_CTX *ctx, CBB *out) {

  41.   assert(ctx->data == NULL);

  42.   BIGNUM *private_key = BN_new();

  43.   if (private_key == NULL) {

  44.     return 0;

  45.   }

  46.   ctx->data = private_key;

  47. 

  48.   /* Set up a shared |BN_CTX| for all operations. */

  49.   BN_CTX *bn_ctx = BN_CTX_new();

  50.   if (bn_ctx == NULL) {

  51.     return 0;

  52.   }

  53.   BN_CTX_start(bn_ctx);

  54. 

  55.   int ret = 0;

  56.   EC_POINT *public_key = NULL;

  57.   EC_GROUP *group = EC_GROUP_new_by_curve_name(ctx->method->nid);

  58.   if (group == NULL) {

  59.     goto err;

  60.   }

  61. 

  62.   /* Generate a private key. */

  63.   if (!BN_rand_range_ex(private_key, 1, EC_GROUP_get0_order(group))) {

  64.     goto err;

  65.   }

  66. 

  67.   /* Compute the corresponding public key and serialize it. */

  68.   public_key = EC_POINT_new(group);

  69.   if (public_key == NULL ||

  70.       !EC_POINT_mul(group, public_key, private_key, NULL, NULL, bn_ctx) ||

  71.       !EC_POINT_point2cbb(out, group, public_key, POINT_CONVERSION_UNCOMPRESSED,

  72.                           bn_ctx)) {

  73.     goto err;

  74.   }

  75. 

  76.   ret = 1;

  77. 

  78. err:

  79.   EC_GROUP_free(group);

  80.   EC_POINT_free(public_key);

  81.   BN_CTX_end(bn_ctx);

  82.   BN_CTX_free(bn_ctx);

  83.   return ret;

  84. }

  85. 

  86. static int ssl_ec_point_finish(SSL_ECDH_CTX *ctx, uint8_t **out_secret,

  87.                                size_t *out_secret_len, uint8_t *out_alert,

  88.                                const uint8_t *peer_key, size_t peer_key_len) {

  89.   BIGNUM *private_key = (BIGNUM *)ctx->data;

  90.   assert(private_key != NULL);

  91.   *out_alert = SSL_AD_INTERNAL_ERROR;

  92. 

  93.   /* Set up a shared |BN_CTX| for all operations. */

  94.   BN_CTX *bn_ctx = BN_CTX_new();

  95.   if (bn_ctx == NULL) {

  96.     return 0;

  97.   }

  98.   BN_CTX_start(bn_ctx);

  99. 

  100.   int ret = 0;

  101.   EC_GROUP *group = EC_GROUP_new_by_curve_name(ctx->method->nid);

  102.   EC_POINT *peer_point = NULL, *result = NULL;

  103.   uint8_t *secret = NULL;

  104.   if (group == NULL) {

  105.     goto err;

  106.   }

  107. 

  108.   /* Compute the x-coordinate of |peer_key| * |private_key|. */

  109.   peer_point = EC_POINT_new(group);

  110.   result = EC_POINT_new(group);

  111.   if (peer_point == NULL || result == NULL) {

  112.     goto err;

  113.   }

  114.   BIGNUM *x = BN_CTX_get(bn_ctx);

  115.   if (x == NULL) {

  116.     goto err;

  117.   }

  118.   if (!EC_POINT_oct2point(group, peer_point, peer_key, peer_key_len, bn_ctx)) {

  119.     *out_alert = SSL_AD_DECODE_ERROR;

  120.     goto err;

  121.   }

  122.   if (!EC_POINT_mul(group, result, NULL, peer_point, private_key, bn_ctx) ||

  123.       !EC_POINT_get_affine_coordinates_GFp(group, result, x, NULL, bn_ctx)) {

  124.     goto err;

  125.   }

  126. 

  127.   /* Encode the x-coordinate left-padded with zeros. */

  128.   size_t secret_len = (EC_GROUP_get_degree(group) + 7) / 8;

  129.   secret = OPENSSL_malloc(secret_len);

  130.   if (secret == NULL || !BN_bn2bin_padded(secret, secret_len, x)) {

  131.     goto err;

  132.   }

  133. 

  134.   *out_secret = secret;

  135.   *out_secret_len = secret_len;

  136.   secret = NULL;

  137.   ret = 1;

  138. 

  139. err:

  140.   EC_GROUP_free(group);

  141.   EC_POINT_free(peer_point);

  142.   EC_POINT_free(result);

  143.   BN_CTX_end(bn_ctx);

  144.   BN_CTX_free(bn_ctx);

  145.   OPENSSL_free(secret);

  146.   return ret;

  147. }

  148. 

  149. static int ssl_ec_point_accept(SSL_ECDH_CTX *ctx, CBB *out_public_key,

  150.                                uint8_t **out_secret, size_t *out_secret_len,

  151.                                uint8_t *out_alert, const uint8_t *peer_key,

  152.                                size_t peer_key_len) {

  153.   *out_alert = SSL_AD_INTERNAL_ERROR;

  154.   if (!ssl_ec_point_offer(ctx, out_public_key) ||

  155.       !ssl_ec_point_finish(ctx, out_secret, out_secret_len, out_alert, peer_key,

  156.                            peer_key_len)) {

  157.     return 0;

  158.   }

  159.   return 1;

  160. }

  161. 

  162. /* X25119 implementation. */

  163. 

  164. static void ssl_x25519_cleanup(SSL_ECDH_CTX *ctx) {

  165.   if (ctx->data == NULL) {

  166.     return;

  167.   }

  168.   OPENSSL_cleanse(ctx->data, 32);

  169.   OPENSSL_free(ctx->data);

  170. }

  171. 

  172. static int ssl_x25519_offer(SSL_ECDH_CTX *ctx, CBB *out) {

  173.   assert(ctx->data == NULL);

  174. 

  175.   ctx->data = OPENSSL_malloc(32);

  176.   if (ctx->data == NULL) {

  177.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  178.     return 0;

  179.   }

  180.   uint8_t public_key[32];

  181.   X25519_keypair(public_key, (uint8_t *)ctx->data);

  182.   return CBB_add_bytes(out, public_key, sizeof(public_key));

  183. }

  184. 

  185. static int ssl_x25519_finish(SSL_ECDH_CTX *ctx, uint8_t **out_secret,

  186.                              size_t *out_secret_len, uint8_t *out_alert,

  187.                              const uint8_t *peer_key, size_t peer_key_len) {

  188.   assert(ctx->data != NULL);

  189.   *out_alert = SSL_AD_INTERNAL_ERROR;

  190. 

  191.   uint8_t *secret = OPENSSL_malloc(32);

  192.   if (secret == NULL) {

  193.     return 0;

  194.   }

  195. 

  196.   if (peer_key_len != 32 ||

  197.       !X25519(secret, (uint8_t *)ctx->data, peer_key)) {

  198.     OPENSSL_free(secret);

  199.     *out_alert = SSL_AD_DECODE_ERROR;

  200.     OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);

  201.     return 0;

  202.   }

  203. 

  204.   *out_secret = secret;

  205.   *out_secret_len = 32;

  206.   return 1;

  207. }

  208. 

  209. static int ssl_x25519_accept(SSL_ECDH_CTX *ctx, CBB *out_public_key,

  210.                              uint8_t **out_secret, size_t *out_secret_len,

  211.                              uint8_t *out_alert, const uint8_t *peer_key,

  212.                              size_t peer_key_len) {

  213.   *out_alert = SSL_AD_INTERNAL_ERROR;

  214.   if (!ssl_x25519_offer(ctx, out_public_key) ||

  215.       !ssl_x25519_finish(ctx, out_secret, out_secret_len, out_alert, peer_key,

  216.                          peer_key_len)) {

  217.     return 0;

  218.   }

  219.   return 1;

  220. }

  221. 

  222. 

  223. /* Combined X25119 + New Hope (post-quantum) implementation. */

  224. 

  225. typedef struct {

  226.   uint8_t x25519_key[32];

  227.   NEWHOPE_POLY *newhope_sk;

  228. } cecpq1_data;

  229. 

  230. #define CECPQ1_OFFERMSG_LENGTH (32 + NEWHOPE_OFFERMSG_LENGTH)

  231. #define CECPQ1_ACCEPTMSG_LENGTH (32 + NEWHOPE_ACCEPTMSG_LENGTH)

  232. #define CECPQ1_SECRET_LENGTH (32 + SHA256_DIGEST_LENGTH)

  233. 

  234. static void ssl_cecpq1_cleanup(SSL_ECDH_CTX *ctx) {

  235.   if (ctx->data == NULL) {

  236.     return;

  237.   }

  238.   cecpq1_data *data = ctx->data;

  239.   NEWHOPE_POLY_free(data->newhope_sk);

  240.   OPENSSL_cleanse(data, sizeof(cecpq1_data));

  241.   OPENSSL_free(data);

  242. }

  243. 

  244. static int ssl_cecpq1_offer(SSL_ECDH_CTX *ctx, CBB *out) {

  245.   assert(ctx->data == NULL);

  246.   cecpq1_data *data = OPENSSL_malloc(sizeof(cecpq1_data));

  247.   if (data == NULL) {

  248.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  249.     return 0;

  250.   }

  251.   ctx->data = data;

  252.   data->newhope_sk = NEWHOPE_POLY_new();

  253.   if (data->newhope_sk == NULL) {

  254.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  255.     return 0;

  256.   }

  257. 

  258.   uint8_t x25519_public_key[32];

  259.   X25519_keypair(x25519_public_key, data->x25519_key);

  260. 

  261.   uint8_t newhope_offermsg[NEWHOPE_OFFERMSG_LENGTH];

  262.   NEWHOPE_offer(newhope_offermsg, data->newhope_sk);

  263. 

  264.   if (!CBB_add_bytes(out, x25519_public_key, sizeof(x25519_public_key)) ||

  265.       !CBB_add_bytes(out, newhope_offermsg, sizeof(newhope_offermsg))) {

  266.     return 0;

  267.   }

  268.   return 1;

  269. }

  270. 

  271. static int ssl_cecpq1_accept(SSL_ECDH_CTX *ctx, CBB *cbb, uint8_t **out_secret,

  272.                              size_t *out_secret_len, uint8_t *out_alert,

  273.                              const uint8_t *peer_key, size_t peer_key_len) {

  274.   if (peer_key_len != CECPQ1_OFFERMSG_LENGTH) {

  275.     *out_alert = SSL_AD_DECODE_ERROR;

  276.     return 0;

  277.   }

  278. 

  279.   *out_alert = SSL_AD_INTERNAL_ERROR;

  280. 

  281.   assert(ctx->data == NULL);

  282.   cecpq1_data *data = OPENSSL_malloc(sizeof(cecpq1_data));

  283.   if (data == NULL) {

  284.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  285.     return 0;

  286.   }

  287.   data->newhope_sk = NULL;

  288.   ctx->data = data;

  289. 

  290.   uint8_t *secret = OPENSSL_malloc(CECPQ1_SECRET_LENGTH);

  291.   if (secret == NULL) {

  292.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  293.     return 0;

  294.   }

  295. 

  296.   /* Generate message to server, and secret key, at once. */

  297. 

  298.   uint8_t x25519_public_key[32];

  299.   X25519_keypair(x25519_public_key, data->x25519_key);

  300.   if (!X25519(secret, data->x25519_key, peer_key)) {

  301.     *out_alert = SSL_AD_DECODE_ERROR;

  302.     OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);

  303.     goto err;

  304.   }

  305. 

  306.   uint8_t newhope_acceptmsg[NEWHOPE_ACCEPTMSG_LENGTH];

  307.   if (!NEWHOPE_accept(secret + 32, newhope_acceptmsg, peer_key + 32,

  308.                       NEWHOPE_OFFERMSG_LENGTH)) {

  309.     *out_alert = SSL_AD_DECODE_ERROR;

  310.     goto err;

  311.   }

  312. 

  313.   if (!CBB_add_bytes(cbb, x25519_public_key, sizeof(x25519_public_key)) ||

  314.       !CBB_add_bytes(cbb, newhope_acceptmsg, sizeof(newhope_acceptmsg))) {

  315.     goto err;

  316.   }

  317. 

  318.   *out_secret = secret;

  319.   *out_secret_len = CECPQ1_SECRET_LENGTH;

  320.   return 1;

  321. 

  322.  err:

  323.   OPENSSL_cleanse(secret, CECPQ1_SECRET_LENGTH);

  324.   OPENSSL_free(secret);

  325.   return 0;

  326. }

  327. 

  328. static int ssl_cecpq1_finish(SSL_ECDH_CTX *ctx, uint8_t **out_secret,

  329.                              size_t *out_secret_len, uint8_t *out_alert,

  330.                              const uint8_t *peer_key, size_t peer_key_len) {

  331.   if (peer_key_len != CECPQ1_ACCEPTMSG_LENGTH) {

  332.     *out_alert = SSL_AD_DECODE_ERROR;

  333.     return 0;

  334.   }

  335. 

  336.   *out_alert = SSL_AD_INTERNAL_ERROR;

  337. 

  338.   assert(ctx->data != NULL);

  339.   cecpq1_data *data = ctx->data;

  340. 

  341.   uint8_t *secret = OPENSSL_malloc(CECPQ1_SECRET_LENGTH);

  342.   if (secret == NULL) {

  343.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  344.     return 0;

  345.   }

  346. 

  347.   if (!X25519(secret, data->x25519_key, peer_key)) {

  348.     *out_alert = SSL_AD_DECODE_ERROR;

  349.     OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);

  350.     goto err;

  351.   }

  352. 

  353.   if (!NEWHOPE_finish(secret + 32, data->newhope_sk, peer_key + 32,

  354.                       NEWHOPE_ACCEPTMSG_LENGTH)) {

  355.     *out_alert = SSL_AD_DECODE_ERROR;

  356.     goto err;

  357.   }

  358. 

  359.   *out_secret = secret;

  360.   *out_secret_len = CECPQ1_SECRET_LENGTH;

  361.   return 1;

  362. 

  363.  err:

  364.   OPENSSL_cleanse(secret, CECPQ1_SECRET_LENGTH);

  365.   OPENSSL_free(secret);

  366.   return 0;

  367. }

  368. 

  369. 

  370. /* Legacy DHE-based implementation. */

  371. 

  372. static void ssl_dhe_cleanup(SSL_ECDH_CTX *ctx) {

  373.   DH_free((DH *)ctx->data);

  374. }

  375. 

  376. static int ssl_dhe_offer(SSL_ECDH_CTX *ctx, CBB *out) {

  377.   DH *dh = (DH *)ctx->data;

  378.   /* The group must have been initialized already, but not the key. */

  379.   assert(dh != NULL);

  380.   assert(dh->priv_key == NULL);

  381. 

  382.   /* Due to a bug in yaSSL, the public key must be zero padded to the size of

  383.    * the prime. */

  384.   return DH_generate_key(dh) &&

  385.          BN_bn2cbb_padded(out, BN_num_bytes(dh->p), dh->pub_key);

  386. }

  387. 

  388. static int ssl_dhe_finish(SSL_ECDH_CTX *ctx, uint8_t **out_secret,

  389.                           size_t *out_secret_len, uint8_t *out_alert,

  390.                           const uint8_t *peer_key, size_t peer_key_len) {

  391.   DH *dh = (DH *)ctx->data;

  392.   assert(dh != NULL);

  393.   assert(dh->priv_key != NULL);

  394.   *out_alert = SSL_AD_INTERNAL_ERROR;

  395. 

  396.   int secret_len = 0;

  397.   uint8_t *secret = NULL;

  398.   BIGNUM *peer_point = BN_bin2bn(peer_key, peer_key_len, NULL);

  399.   if (peer_point == NULL) {

  400.     goto err;

  401.   }

  402. 

  403.   secret = OPENSSL_malloc(DH_size(dh));

  404.   if (secret == NULL) {

  405.     goto err;

  406.   }

  407.   secret_len = DH_compute_key(secret, peer_point, dh);

  408.   if (secret_len <= 0) {

  409.     goto err;

  410.   }

  411. 

  412.   *out_secret = secret;

  413.   *out_secret_len = (size_t)secret_len;

  414.   BN_free(peer_point);

  415.   return 1;

  416. 

  417. err:

  418.   if (secret_len > 0) {

  419.     OPENSSL_cleanse(secret, (size_t)secret_len);

  420.   }

  421.   OPENSSL_free(secret);

  422.   BN_free(peer_point);

  423.   return 0;

  424. }

  425. 

  426. static int ssl_dhe_accept(SSL_ECDH_CTX *ctx, CBB *out_public_key,

  427.                           uint8_t **out_secret, size_t *out_secret_len,

  428.                           uint8_t *out_alert, const uint8_t *peer_key,

  429.                           size_t peer_key_len) {

  430.   *out_alert = SSL_AD_INTERNAL_ERROR;

  431.   if (!ssl_dhe_offer(ctx, out_public_key) ||

  432.       !ssl_dhe_finish(ctx, out_secret, out_secret_len, out_alert, peer_key,

  433.                       peer_key_len)) {

  434.     return 0;

  435.   }

  436.   return 1;

  437. }

  438. 

  439. static const SSL_ECDH_METHOD kDHEMethod = {

  440.     NID_undef, 0, "",

  441.     ssl_dhe_cleanup,

  442.     ssl_dhe_offer,

  443.     ssl_dhe_accept,

  444.     ssl_dhe_finish,

  445.     CBS_get_u16_length_prefixed,

  446.     CBB_add_u16_length_prefixed,

  447. };

  448. 

  449. static const SSL_ECDH_METHOD kCECPQ1Method = {

  450.     NID_undef, 0, "",

  451.     ssl_cecpq1_cleanup,

  452.     ssl_cecpq1_offer,

  453.     ssl_cecpq1_accept,

  454.     ssl_cecpq1_finish,

  455.     CBS_get_u16_length_prefixed,

  456.     CBB_add_u16_length_prefixed,

  457. };

  458. 

  459. static const SSL_ECDH_METHOD kMethods[] = {

  460.     {

  461.         NID_X9_62_prime256v1,

  462.         SSL_CURVE_SECP256R1,

  463.         "P-256",

  464.         ssl_ec_point_cleanup,

  465.         ssl_ec_point_offer,

  466.         ssl_ec_point_accept,

  467.         ssl_ec_point_finish,

  468.         CBS_get_u8_length_prefixed,

  469.         CBB_add_u8_length_prefixed,

  470.     },

  471.     {

  472.         NID_secp384r1,

  473.         SSL_CURVE_SECP384R1,

  474.         "P-384",

  475.         ssl_ec_point_cleanup,

  476.         ssl_ec_point_offer,

  477.         ssl_ec_point_accept,

  478.         ssl_ec_point_finish,

  479.         CBS_get_u8_length_prefixed,

  480.         CBB_add_u8_length_prefixed,

  481.     },

  482.     {

  483.         NID_secp521r1,

  484.         SSL_CURVE_SECP521R1,

  485.         "P-521",

  486.         ssl_ec_point_cleanup,

  487.         ssl_ec_point_offer,

  488.         ssl_ec_point_accept,

  489.         ssl_ec_point_finish,

  490.         CBS_get_u8_length_prefixed,

  491.         CBB_add_u8_length_prefixed,

  492.     },

  493.     {

  494.         NID_X25519,

  495.         SSL_CURVE_X25519,

  496.         "X25519",

  497.         ssl_x25519_cleanup,

  498.         ssl_x25519_offer,

  499.         ssl_x25519_accept,

  500.         ssl_x25519_finish,

  501.         CBS_get_u8_length_prefixed,

  502.         CBB_add_u8_length_prefixed,

  503.     },

  504. };

  505. 

  506. static const SSL_ECDH_METHOD *method_from_group_id(uint16_t group_id) {

  507.   for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kMethods); i++) {

  508.     if (kMethods[i].group_id == group_id) {

  509.       return &kMethods[i];

  510.     }

  511.   }

  512.   return NULL;

  513. }

  514. 

  515. static const SSL_ECDH_METHOD *method_from_nid(int nid) {

  516.   for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kMethods); i++) {

  517.     if (kMethods[i].nid == nid) {

  518.       return &kMethods[i];

  519.     }

  520.   }

  521.   return NULL;

  522. }

  523. 

  524. static const SSL_ECDH_METHOD *method_from_name(const char *name, size_t len) {

  525.   for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kMethods); i++) {

  526.     if (len == strlen(kMethods[i].name) &&

  527.         !strncmp(kMethods[i].name, name, len)) {

  528.       return &kMethods[i];

  529.     }

  530.   }

  531.   return NULL;

  532. }

  533. 

  534. const char* SSL_get_curve_name(uint16_t group_id) {

  535.   const SSL_ECDH_METHOD *method = method_from_group_id(group_id);

  536.   if (method == NULL) {

  537.     return NULL;

  538.   }

  539.   return method->name;

  540. }

  541. 

  542. int ssl_nid_to_group_id(uint16_t *out_group_id, int nid) {

  543.   const SSL_ECDH_METHOD *method = method_from_nid(nid);

  544.   if (method == NULL) {

  545.     return 0;

  546.   }

  547.   *out_group_id = method->group_id;

  548.   return 1;

  549. }

  550. 

  551. int ssl_name_to_group_id(uint16_t *out_group_id, const char *name, size_t len) {

  552.   const SSL_ECDH_METHOD *method = method_from_name(name, len);

  553.   if (method == NULL) {

  554.     return 0;

  555.   }

  556.   *out_group_id = method->group_id;

  557.   return 1;

  558. }

  559. 

  560. int SSL_ECDH_CTX_init(SSL_ECDH_CTX *ctx, uint16_t group_id) {

  561.   SSL_ECDH_CTX_cleanup(ctx);

  562. 

  563.   const SSL_ECDH_METHOD *method = method_from_group_id(group_id);

  564.   if (method == NULL) {

  565.     OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);

  566.     return 0;

  567.   }

  568.   ctx->method = method;

  569.   return 1;

  570. }

  571. 

  572. void SSL_ECDH_CTX_init_for_dhe(SSL_ECDH_CTX *ctx, DH *params) {

  573.   SSL_ECDH_CTX_cleanup(ctx);

  574. 

  575.   ctx->method = &kDHEMethod;

  576.   ctx->data = params;

  577. }

  578. 

  579. void SSL_ECDH_CTX_init_for_cecpq1(SSL_ECDH_CTX *ctx) {

  580.   SSL_ECDH_CTX_cleanup(ctx);

  581. 

  582.   ctx->method = &kCECPQ1Method;

  583. }

  584. 

  585. void SSL_ECDH_CTX_cleanup(SSL_ECDH_CTX *ctx) {

  586.   if (ctx->method == NULL) {

  587.     return;

  588.   }

  589.   ctx->method->cleanup(ctx);

  590.   ctx->method = NULL;

  591.   ctx->data = NULL;

  592. }

  593. 

  594. uint16_t SSL_ECDH_CTX_get_id(const SSL_ECDH_CTX *ctx) {

  595.   return ctx->method->group_id;

  596. }

  597. 

  598. int SSL_ECDH_CTX_get_key(SSL_ECDH_CTX *ctx, CBS *cbs, CBS *out) {

  599.   if (ctx->method == NULL) {

  600.     return 0;

  601.   }

  602.   return ctx->method->get_key(cbs, out);

  603. }

  604. 

  605. int SSL_ECDH_CTX_add_key(SSL_ECDH_CTX *ctx, CBB *cbb, CBB *out_contents) {

  606.   if (ctx->method == NULL) {

  607.     return 0;

  608.   }

  609.   return ctx->method->add_key(cbb, out_contents);

  610. }

  611. 

  612. int SSL_ECDH_CTX_offer(SSL_ECDH_CTX *ctx, CBB *out_public_key) {

  613.   return ctx->method->offer(ctx, out_public_key);

  614. }

  615. 

  616. int SSL_ECDH_CTX_accept(SSL_ECDH_CTX *ctx, CBB *out_public_key,

  617.                         uint8_t **out_secret, size_t *out_secret_len,

  618.                         uint8_t *out_alert, const uint8_t *peer_key,

  619.                         size_t peer_key_len) {

  620.   return ctx->method->accept(ctx, out_public_key, out_secret, out_secret_len,

  621.                              out_alert, peer_key, peer_key_len);

  622. }

  623. 

  624. int SSL_ECDH_CTX_finish(SSL_ECDH_CTX *ctx, uint8_t **out_secret,

  625.                         size_t *out_secret_len, uint8_t *out_alert,

  626.                         const uint8_t *peer_key, size_t peer_key_len) {

  627.   return ctx->method->finish(ctx, out_secret, out_secret_len, out_alert,

  628.                              peer_key, peer_key_len);

  629. }