kris
/
boringssl
1
0
Forkuj 0
Kod Zgłoszenia 0 Oczekujące zmiany 0 Wydania 0 Wiki Aktywność
Nie możesz wybrać więcej, niż 25 tematów Tematy muszą się zaczynać od litery lub cyfry, mogą zawierać myślniki ('-') i mogą mieć do 35 znaków.
2891 Commity
12 Gałęzie
38 MiB
 
 
 
 
 
 
Drzewo: 71dd6660e8
Gałęzie Tagi
${ item.name }
Utwórz gałąź ${ searchTerm }
z '71dd6660e8'
${ noResults }
boringssl/ssl/ssl_ecdh.c

611 wiersze
16 KiB
Czysty Wina Historia 

  1. /* Copyright (c) 2015, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <openssl/ssl.h>

  16. 

  17. #include <assert.h>

  18. #include <string.h>

  19. 

  20. #include <openssl/bn.h>

  21. #include <openssl/bytestring.h>

  22. #include <openssl/curve25519.h>

  23. #include <openssl/ec.h>

  24. #include <openssl/err.h>

  25. #include <openssl/mem.h>

  26. #include <openssl/newhope.h>

  27. #include <openssl/nid.h>

  28. 

  29. #include "internal.h"

  30. 

  31. 

  32. /* |EC_POINT| implementation. */

  33. 

  34. static void ssl_ec_point_cleanup(SSL_ECDH_CTX *ctx) {

  35.   BIGNUM *private_key = (BIGNUM *)ctx->data;

  36.   BN_clear_free(private_key);

  37. }

  38. 

  39. static int ssl_ec_point_offer(SSL_ECDH_CTX *ctx, CBB *out) {

  40.   assert(ctx->data == NULL);

  41.   BIGNUM *private_key = BN_new();

  42.   if (private_key == NULL) {

  43.     return 0;

  44.   }

  45.   ctx->data = private_key;

  46. 

  47.   /* Set up a shared |BN_CTX| for all operations. */

  48.   BN_CTX *bn_ctx = BN_CTX_new();

  49.   if (bn_ctx == NULL) {

  50.     return 0;

  51.   }

  52.   BN_CTX_start(bn_ctx);

  53. 

  54.   int ret = 0;

  55.   EC_POINT *public_key = NULL;

  56.   EC_GROUP *group = EC_GROUP_new_by_curve_name(ctx->method->nid);

  57.   if (group == NULL) {

  58.     goto err;

  59.   }

  60. 

  61.   /* Generate a private key. */

  62.   const BIGNUM *order = EC_GROUP_get0_order(group);

  63.   do {

  64.     if (!BN_rand_range(private_key, order)) {

  65.       goto err;

  66.     }

  67.   } while (BN_is_zero(private_key));

  68. 

  69.   /* Compute the corresponding public key and serialize it. */

  70.   public_key = EC_POINT_new(group);

  71.   if (public_key == NULL ||

  72.       !EC_POINT_mul(group, public_key, private_key, NULL, NULL, bn_ctx) ||

  73.       !EC_POINT_point2cbb(out, group, public_key, POINT_CONVERSION_UNCOMPRESSED,

  74.                           bn_ctx)) {

  75.     goto err;

  76.   }

  77. 

  78.   ret = 1;

  79. 

  80. err:

  81.   EC_GROUP_free(group);

  82.   EC_POINT_free(public_key);

  83.   BN_CTX_end(bn_ctx);

  84.   BN_CTX_free(bn_ctx);

  85.   return ret;

  86. }

  87. 

  88. static int ssl_ec_point_finish(SSL_ECDH_CTX *ctx, uint8_t **out_secret,

  89.                                size_t *out_secret_len, uint8_t *out_alert,

  90.                                const uint8_t *peer_key, size_t peer_key_len) {

  91.   BIGNUM *private_key = (BIGNUM *)ctx->data;

  92.   assert(private_key != NULL);

  93.   *out_alert = SSL_AD_INTERNAL_ERROR;

  94. 

  95.   /* Set up a shared |BN_CTX| for all operations. */

  96.   BN_CTX *bn_ctx = BN_CTX_new();

  97.   if (bn_ctx == NULL) {

  98.     return 0;

  99.   }

  100.   BN_CTX_start(bn_ctx);

  101. 

  102.   int ret = 0;

  103.   EC_GROUP *group = EC_GROUP_new_by_curve_name(ctx->method->nid);

  104.   EC_POINT *peer_point = NULL, *result = NULL;

  105.   uint8_t *secret = NULL;

  106.   if (group == NULL) {

  107.     goto err;

  108.   }

  109. 

  110.   /* Compute the x-coordinate of |peer_key| * |private_key|. */

  111.   peer_point = EC_POINT_new(group);

  112.   result = EC_POINT_new(group);

  113.   if (peer_point == NULL || result == NULL) {

  114.     goto err;

  115.   }

  116.   BIGNUM *x = BN_CTX_get(bn_ctx);

  117.   if (x == NULL) {

  118.     goto err;

  119.   }

  120.   if (!EC_POINT_oct2point(group, peer_point, peer_key, peer_key_len, bn_ctx)) {

  121.     *out_alert = SSL_AD_DECODE_ERROR;

  122.     goto err;

  123.   }

  124.   if (!EC_POINT_mul(group, result, NULL, peer_point, private_key, bn_ctx) ||

  125.       !EC_POINT_get_affine_coordinates_GFp(group, result, x, NULL, bn_ctx)) {

  126.     goto err;

  127.   }

  128. 

  129.   /* Encode the x-coordinate left-padded with zeros. */

  130.   size_t secret_len = (EC_GROUP_get_degree(group) + 7) / 8;

  131.   secret = OPENSSL_malloc(secret_len);

  132.   if (secret == NULL || !BN_bn2bin_padded(secret, secret_len, x)) {

  133.     goto err;

  134.   }

  135. 

  136.   *out_secret = secret;

  137.   *out_secret_len = secret_len;

  138.   secret = NULL;

  139.   ret = 1;

  140. 

  141. err:

  142.   EC_GROUP_free(group);

  143.   EC_POINT_free(peer_point);

  144.   EC_POINT_free(result);

  145.   BN_CTX_end(bn_ctx);

  146.   BN_CTX_free(bn_ctx);

  147.   OPENSSL_free(secret);

  148.   return ret;

  149. }

  150. 

  151. static int ssl_ec_point_accept(SSL_ECDH_CTX *ctx, CBB *out_public_key,

  152.                                uint8_t **out_secret, size_t *out_secret_len,

  153.                                uint8_t *out_alert, const uint8_t *peer_key,

  154.                                size_t peer_key_len) {

  155.   *out_alert = SSL_AD_INTERNAL_ERROR;

  156.   if (!ssl_ec_point_offer(ctx, out_public_key) ||

  157.       !ssl_ec_point_finish(ctx, out_secret, out_secret_len, out_alert, peer_key,

  158.                            peer_key_len)) {

  159.     return 0;

  160.   }

  161.   return 1;

  162. }

  163. 

  164. /* X25119 implementation. */

  165. 

  166. static void ssl_x25519_cleanup(SSL_ECDH_CTX *ctx) {

  167.   if (ctx->data == NULL) {

  168.     return;

  169.   }

  170.   OPENSSL_cleanse(ctx->data, 32);

  171.   OPENSSL_free(ctx->data);

  172. }

  173. 

  174. static int ssl_x25519_offer(SSL_ECDH_CTX *ctx, CBB *out) {

  175.   assert(ctx->data == NULL);

  176. 

  177.   ctx->data = OPENSSL_malloc(32);

  178.   if (ctx->data == NULL) {

  179.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  180.     return 0;

  181.   }

  182.   uint8_t public_key[32];

  183.   X25519_keypair(public_key, (uint8_t *)ctx->data);

  184.   return CBB_add_bytes(out, public_key, sizeof(public_key));

  185. }

  186. 

  187. static int ssl_x25519_finish(SSL_ECDH_CTX *ctx, uint8_t **out_secret,

  188.                              size_t *out_secret_len, uint8_t *out_alert,

  189.                              const uint8_t *peer_key, size_t peer_key_len) {

  190.   assert(ctx->data != NULL);

  191.   *out_alert = SSL_AD_INTERNAL_ERROR;

  192. 

  193.   uint8_t *secret = OPENSSL_malloc(32);

  194.   if (secret == NULL) {

  195.     return 0;

  196.   }

  197. 

  198.   if (peer_key_len != 32 ||

  199.       !X25519(secret, (uint8_t *)ctx->data, peer_key)) {

  200.     OPENSSL_free(secret);

  201.     *out_alert = SSL_AD_DECODE_ERROR;

  202.     OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);

  203.     return 0;

  204.   }

  205. 

  206.   *out_secret = secret;

  207.   *out_secret_len = 32;

  208.   return 1;

  209. }

  210. 

  211. static int ssl_x25519_accept(SSL_ECDH_CTX *ctx, CBB *out_public_key,

  212.                              uint8_t **out_secret, size_t *out_secret_len,

  213.                              uint8_t *out_alert, const uint8_t *peer_key,

  214.                              size_t peer_key_len) {

  215.   *out_alert = SSL_AD_INTERNAL_ERROR;

  216.   if (!ssl_x25519_offer(ctx, out_public_key) ||

  217.       !ssl_x25519_finish(ctx, out_secret, out_secret_len, out_alert, peer_key,

  218.                          peer_key_len)) {

  219.     return 0;

  220.   }

  221.   return 1;

  222. }

  223. 

  224. 

  225. /* Combined X25119 + New Hope (post-quantum) implementation. */

  226. 

  227. typedef struct {

  228.   uint8_t x25519_key[32];

  229.   NEWHOPE_POLY *newhope_sk;

  230. } cecpq1_data;

  231. 

  232. #define CECPQ1_OFFERMSG_LENGTH (32 + NEWHOPE_OFFERMSG_LENGTH)

  233. #define CECPQ1_ACCEPTMSG_LENGTH (32 + NEWHOPE_ACCEPTMSG_LENGTH)

  234. #define CECPQ1_SECRET_LENGTH (32 + SHA256_DIGEST_LENGTH)

  235. 

  236. static void ssl_cecpq1_cleanup(SSL_ECDH_CTX *ctx) {

  237.   if (ctx->data == NULL) {

  238.     return;

  239.   }

  240.   cecpq1_data *data = ctx->data;

  241.   NEWHOPE_POLY_free(data->newhope_sk);

  242.   OPENSSL_cleanse(data, sizeof(cecpq1_data));

  243.   OPENSSL_free(data);

  244. }

  245. 

  246. static int ssl_cecpq1_offer(SSL_ECDH_CTX *ctx, CBB *out) {

  247.   assert(ctx->data == NULL);

  248.   cecpq1_data *data = OPENSSL_malloc(sizeof(cecpq1_data));

  249.   if (data == NULL) {

  250.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  251.     return 0;

  252.   }

  253.   ctx->data = data;

  254.   data->newhope_sk = NEWHOPE_POLY_new();

  255.   if (data->newhope_sk == NULL) {

  256.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  257.     return 0;

  258.   }

  259. 

  260.   uint8_t x25519_public_key[32];

  261.   X25519_keypair(x25519_public_key, data->x25519_key);

  262. 

  263.   uint8_t newhope_offermsg[NEWHOPE_OFFERMSG_LENGTH];

  264.   NEWHOPE_offer(newhope_offermsg, data->newhope_sk);

  265. 

  266.   if (!CBB_add_bytes(out, x25519_public_key, sizeof(x25519_public_key)) ||

  267.       !CBB_add_bytes(out, newhope_offermsg, sizeof(newhope_offermsg))) {

  268.     return 0;

  269.   }

  270.   return 1;

  271. }

  272. 

  273. static int ssl_cecpq1_accept(SSL_ECDH_CTX *ctx, CBB *cbb, uint8_t **out_secret,

  274.                              size_t *out_secret_len, uint8_t *out_alert,

  275.                              const uint8_t *peer_key, size_t peer_key_len) {

  276.   if (peer_key_len != CECPQ1_OFFERMSG_LENGTH) {

  277.     *out_alert = SSL_AD_DECODE_ERROR;

  278.     return 0;

  279.   }

  280. 

  281.   *out_alert = SSL_AD_INTERNAL_ERROR;

  282. 

  283.   assert(ctx->data == NULL);

  284.   cecpq1_data *data = OPENSSL_malloc(sizeof(cecpq1_data));

  285.   if (data == NULL) {

  286.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  287.     return 0;

  288.   }

  289.   data->newhope_sk = NULL;

  290.   ctx->data = data;

  291. 

  292.   uint8_t *secret = OPENSSL_malloc(CECPQ1_SECRET_LENGTH);

  293.   if (secret == NULL) {

  294.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  295.     return 0;

  296.   }

  297. 

  298.   /* Generate message to server, and secret key, at once. */

  299. 

  300.   uint8_t x25519_public_key[32];

  301.   X25519_keypair(x25519_public_key, data->x25519_key);

  302.   if (!X25519(secret, data->x25519_key, peer_key)) {

  303.     *out_alert = SSL_AD_DECODE_ERROR;

  304.     OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);

  305.     goto err;

  306.   }

  307. 

  308.   uint8_t newhope_acceptmsg[NEWHOPE_ACCEPTMSG_LENGTH];

  309.   if (!NEWHOPE_accept(secret + 32, newhope_acceptmsg, peer_key + 32,

  310.                       NEWHOPE_OFFERMSG_LENGTH)) {

  311.     *out_alert = SSL_AD_DECODE_ERROR;

  312.     goto err;

  313.   }

  314. 

  315.   if (!CBB_add_bytes(cbb, x25519_public_key, sizeof(x25519_public_key)) ||

  316.       !CBB_add_bytes(cbb, newhope_acceptmsg, sizeof(newhope_acceptmsg))) {

  317.     goto err;

  318.   }

  319. 

  320.   *out_secret = secret;

  321.   *out_secret_len = CECPQ1_SECRET_LENGTH;

  322.   return 1;

  323. 

  324.  err:

  325.   OPENSSL_cleanse(secret, CECPQ1_SECRET_LENGTH);

  326.   OPENSSL_free(secret);

  327.   return 0;

  328. }

  329. 

  330. static int ssl_cecpq1_finish(SSL_ECDH_CTX *ctx, uint8_t **out_secret,

  331.                              size_t *out_secret_len, uint8_t *out_alert,

  332.                              const uint8_t *peer_key, size_t peer_key_len) {

  333.   if (peer_key_len != CECPQ1_ACCEPTMSG_LENGTH) {

  334.     *out_alert = SSL_AD_DECODE_ERROR;

  335.     return 0;

  336.   }

  337. 

  338.   *out_alert = SSL_AD_INTERNAL_ERROR;

  339. 

  340.   assert(ctx->data != NULL);

  341.   cecpq1_data *data = ctx->data;

  342. 

  343.   uint8_t *secret = OPENSSL_malloc(CECPQ1_SECRET_LENGTH);

  344.   if (secret == NULL) {

  345.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  346.     return 0;

  347.   }

  348. 

  349.   if (!X25519(secret, data->x25519_key, peer_key)) {

  350.     *out_alert = SSL_AD_DECODE_ERROR;

  351.     OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);

  352.     goto err;

  353.   }

  354. 

  355.   if (!NEWHOPE_finish(secret + 32, data->newhope_sk, peer_key + 32,

  356.                       NEWHOPE_ACCEPTMSG_LENGTH)) {

  357.     *out_alert = SSL_AD_DECODE_ERROR;

  358.     goto err;

  359.   }

  360. 

  361.   *out_secret = secret;

  362.   *out_secret_len = CECPQ1_SECRET_LENGTH;

  363.   return 1;

  364. 

  365.  err:

  366.   OPENSSL_cleanse(secret, CECPQ1_SECRET_LENGTH);

  367.   OPENSSL_free(secret);

  368.   return 0;

  369. }

  370. 

  371. 

  372. /* Legacy DHE-based implementation. */

  373. 

  374. static void ssl_dhe_cleanup(SSL_ECDH_CTX *ctx) {

  375.   DH_free((DH *)ctx->data);

  376. }

  377. 

  378. static int ssl_dhe_offer(SSL_ECDH_CTX *ctx, CBB *out) {

  379.   DH *dh = (DH *)ctx->data;

  380.   /* The group must have been initialized already, but not the key. */

  381.   assert(dh != NULL);

  382.   assert(dh->priv_key == NULL);

  383. 

  384.   /* Due to a bug in yaSSL, the public key must be zero padded to the size of

  385.    * the prime. */

  386.   return DH_generate_key(dh) &&

  387.          BN_bn2cbb_padded(out, BN_num_bytes(dh->p), dh->pub_key);

  388. }

  389. 

  390. static int ssl_dhe_finish(SSL_ECDH_CTX *ctx, uint8_t **out_secret,

  391.                           size_t *out_secret_len, uint8_t *out_alert,

  392.                           const uint8_t *peer_key, size_t peer_key_len) {

  393.   DH *dh = (DH *)ctx->data;

  394.   assert(dh != NULL);

  395.   assert(dh->priv_key != NULL);

  396.   *out_alert = SSL_AD_INTERNAL_ERROR;

  397. 

  398.   int secret_len = 0;

  399.   uint8_t *secret = NULL;

  400.   BIGNUM *peer_point = BN_bin2bn(peer_key, peer_key_len, NULL);

  401.   if (peer_point == NULL) {

  402.     goto err;

  403.   }

  404. 

  405.   secret = OPENSSL_malloc(DH_size(dh));

  406.   if (secret == NULL) {

  407.     goto err;

  408.   }

  409.   secret_len = DH_compute_key(secret, peer_point, dh);

  410.   if (secret_len <= 0) {

  411.     goto err;

  412.   }

  413. 

  414.   *out_secret = secret;

  415.   *out_secret_len = (size_t)secret_len;

  416.   BN_free(peer_point);

  417.   return 1;

  418. 

  419. err:

  420.   if (secret_len > 0) {

  421.     OPENSSL_cleanse(secret, (size_t)secret_len);

  422.   }

  423.   OPENSSL_free(secret);

  424.   BN_free(peer_point);

  425.   return 0;

  426. }

  427. 

  428. static int ssl_dhe_accept(SSL_ECDH_CTX *ctx, CBB *out_public_key,

  429.                           uint8_t **out_secret, size_t *out_secret_len,

  430.                           uint8_t *out_alert, const uint8_t *peer_key,

  431.                           size_t peer_key_len) {

  432.   *out_alert = SSL_AD_INTERNAL_ERROR;

  433.   if (!ssl_dhe_offer(ctx, out_public_key) ||

  434.       !ssl_dhe_finish(ctx, out_secret, out_secret_len, out_alert, peer_key,

  435.                       peer_key_len)) {

  436.     return 0;

  437.   }

  438.   return 1;

  439. }

  440. 

  441. static const SSL_ECDH_METHOD kDHEMethod = {

  442.     NID_undef, 0, "",

  443.     ssl_dhe_cleanup,

  444.     ssl_dhe_offer,

  445.     ssl_dhe_accept,

  446.     ssl_dhe_finish,

  447.     CBS_get_u16_length_prefixed,

  448.     CBB_add_u16_length_prefixed,

  449. };

  450. 

  451. static const SSL_ECDH_METHOD kCECPQ1Method = {

  452.     NID_undef, 0, "",

  453.     ssl_cecpq1_cleanup,

  454.     ssl_cecpq1_offer,

  455.     ssl_cecpq1_accept,

  456.     ssl_cecpq1_finish,

  457.     CBS_get_u16_length_prefixed,

  458.     CBB_add_u16_length_prefixed,

  459. };

  460. 

  461. static const SSL_ECDH_METHOD kMethods[] = {

  462.     {

  463.         NID_X9_62_prime256v1,

  464.         SSL_CURVE_SECP256R1,

  465.         "P-256",

  466.         ssl_ec_point_cleanup,

  467.         ssl_ec_point_offer,

  468.         ssl_ec_point_accept,

  469.         ssl_ec_point_finish,

  470.         CBS_get_u8_length_prefixed,

  471.         CBB_add_u8_length_prefixed,

  472.     },

  473.     {

  474.         NID_secp384r1,

  475.         SSL_CURVE_SECP384R1,

  476.         "P-384",

  477.         ssl_ec_point_cleanup,

  478.         ssl_ec_point_offer,

  479.         ssl_ec_point_accept,

  480.         ssl_ec_point_finish,

  481.         CBS_get_u8_length_prefixed,

  482.         CBB_add_u8_length_prefixed,

  483.     },

  484.     {

  485.         NID_secp521r1,

  486.         SSL_CURVE_SECP521R1,

  487.         "P-521",

  488.         ssl_ec_point_cleanup,

  489.         ssl_ec_point_offer,

  490.         ssl_ec_point_accept,

  491.         ssl_ec_point_finish,

  492.         CBS_get_u8_length_prefixed,

  493.         CBB_add_u8_length_prefixed,

  494.     },

  495.     {

  496.         NID_X25519,

  497.         SSL_CURVE_X25519,

  498.         "X25519",

  499.         ssl_x25519_cleanup,

  500.         ssl_x25519_offer,

  501.         ssl_x25519_accept,

  502.         ssl_x25519_finish,

  503.         CBS_get_u8_length_prefixed,

  504.         CBB_add_u8_length_prefixed,

  505.     },

  506. };

  507. 

  508. static const SSL_ECDH_METHOD *method_from_group_id(uint16_t group_id) {

  509.   size_t i;

  510.   for (i = 0; i < sizeof(kMethods) / sizeof(kMethods[0]); i++) {

  511.     if (kMethods[i].group_id == group_id) {

  512.       return &kMethods[i];

  513.     }

  514.   }

  515.   return NULL;

  516. }

  517. 

  518. static const SSL_ECDH_METHOD *method_from_nid(int nid) {

  519.   size_t i;

  520.   for (i = 0; i < sizeof(kMethods) / sizeof(kMethods[0]); i++) {

  521.     if (kMethods[i].nid == nid) {

  522.       return &kMethods[i];

  523.     }

  524.   }

  525.   return NULL;

  526. }

  527. 

  528. const char* SSL_get_curve_name(uint16_t group_id) {

  529.   const SSL_ECDH_METHOD *method = method_from_group_id(group_id);

  530.   if (method == NULL) {

  531.     return NULL;

  532.   }

  533.   return method->name;

  534. }

  535. 

  536. int ssl_nid_to_group_id(uint16_t *out_group_id, int nid) {

  537.   const SSL_ECDH_METHOD *method = method_from_nid(nid);

  538.   if (method == NULL) {

  539.     return 0;

  540.   }

  541.   *out_group_id = method->group_id;

  542.   return 1;

  543. }

  544. 

  545. int SSL_ECDH_CTX_init(SSL_ECDH_CTX *ctx, uint16_t group_id) {

  546.   SSL_ECDH_CTX_cleanup(ctx);

  547. 

  548.   const SSL_ECDH_METHOD *method = method_from_group_id(group_id);

  549.   if (method == NULL) {

  550.     OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);

  551.     return 0;

  552.   }

  553.   ctx->method = method;

  554.   return 1;

  555. }

  556. 

  557. void SSL_ECDH_CTX_init_for_dhe(SSL_ECDH_CTX *ctx, DH *params) {

  558.   SSL_ECDH_CTX_cleanup(ctx);

  559. 

  560.   ctx->method = &kDHEMethod;

  561.   ctx->data = params;

  562. }

  563. 

  564. void SSL_ECDH_CTX_init_for_cecpq1(SSL_ECDH_CTX *ctx) {

  565.   SSL_ECDH_CTX_cleanup(ctx);

  566. 

  567.   ctx->method = &kCECPQ1Method;

  568. }

  569. 

  570. int SSL_ECDH_CTX_get_key(SSL_ECDH_CTX *ctx, CBS *cbs, CBS *out) {

  571.   if (ctx->method == NULL) {

  572.     return 0;

  573.   }

  574.   return ctx->method->get_key(cbs, out);

  575. }

  576. 

  577. int SSL_ECDH_CTX_add_key(SSL_ECDH_CTX *ctx, CBB *cbb, CBB *out_contents) {

  578.   if (ctx->method == NULL) {

  579.     return 0;

  580.   }

  581.   return ctx->method->add_key(cbb, out_contents);

  582. }

  583. 

  584. void SSL_ECDH_CTX_cleanup(SSL_ECDH_CTX *ctx) {

  585.   if (ctx->method == NULL) {

  586.     return;

  587.   }

  588.   ctx->method->cleanup(ctx);

  589.   ctx->method = NULL;

  590.   ctx->data = NULL;

  591. }

  592. 

  593. int SSL_ECDH_CTX_offer(SSL_ECDH_CTX *ctx, CBB *out_public_key) {

  594.   return ctx->method->offer(ctx, out_public_key);

  595. }

  596. 

  597. int SSL_ECDH_CTX_accept(SSL_ECDH_CTX *ctx, CBB *out_public_key,

  598.                         uint8_t **out_secret, size_t *out_secret_len,

  599.                         uint8_t *out_alert, const uint8_t *peer_key,

  600.                         size_t peer_key_len) {

  601.   return ctx->method->accept(ctx, out_public_key, out_secret, out_secret_len,

  602.                              out_alert, peer_key, peer_key_len);

  603. }

  604. 

  605. int SSL_ECDH_CTX_finish(SSL_ECDH_CTX *ctx, uint8_t **out_secret,

  606.                         size_t *out_secret_len, uint8_t *out_alert,

  607.                         const uint8_t *peer_key, size_t peer_key_len) {

  608.   return ctx->method->finish(ctx, out_secret, out_secret_len, out_alert,

  609.                              peer_key, peer_key_len);

  610. }