Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame^] | 1 | /* Copyright (c) 2015, Google Inc. |
| 2 | * |
| 3 | * Permission to use, copy, modify, and/or distribute this software for any |
| 4 | * purpose with or without fee is hereby granted, provided that the above |
| 5 | * copyright notice and this permission notice appear in all copies. |
| 6 | * |
| 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
| 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
| 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY |
| 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
| 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION |
| 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN |
| 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ |
| 14 | |
| 15 | #include <openssl/ssl.h> |
| 16 | |
| 17 | #include <assert.h> |
| 18 | #include <string.h> |
| 19 | |
| 20 | #include <openssl/bn.h> |
| 21 | #include <openssl/bytestring.h> |
| 22 | #include <openssl/curve25519.h> |
| 23 | #include <openssl/ec.h> |
| 24 | #include <openssl/err.h> |
| 25 | #include <openssl/mem.h> |
| 26 | #include <openssl/nid.h> |
| 27 | |
| 28 | #include "internal.h" |
| 29 | #include "../crypto/internal.h" |
| 30 | |
| 31 | |
| 32 | namespace bssl { |
| 33 | |
| 34 | namespace { |
| 35 | |
| 36 | class ECKeyShare : public SSLKeyShare { |
| 37 | public: |
| 38 | ECKeyShare(int nid, uint16_t group_id) : nid_(nid), group_id_(group_id) {} |
| 39 | ~ECKeyShare() override {} |
| 40 | |
| 41 | uint16_t GroupID() const override { return group_id_; } |
| 42 | |
| 43 | bool Offer(CBB *out) override { |
| 44 | assert(!private_key_); |
| 45 | /* Set up a shared |BN_CTX| for all operations. */ |
| 46 | UniquePtr<BN_CTX> bn_ctx(BN_CTX_new()); |
| 47 | if (!bn_ctx) { |
| 48 | return false; |
| 49 | } |
| 50 | BN_CTXScope scope(bn_ctx.get()); |
| 51 | |
| 52 | /* Generate a private key. */ |
| 53 | UniquePtr<EC_GROUP> group(EC_GROUP_new_by_curve_name(nid_)); |
| 54 | private_key_.reset(BN_new()); |
| 55 | if (!group || !private_key_ || |
| 56 | !BN_rand_range_ex(private_key_.get(), 1, |
| 57 | EC_GROUP_get0_order(group.get()))) { |
| 58 | return false; |
| 59 | } |
| 60 | |
| 61 | /* Compute the corresponding public key and serialize it. */ |
| 62 | UniquePtr<EC_POINT> public_key(EC_POINT_new(group.get())); |
| 63 | if (!public_key || |
| 64 | !EC_POINT_mul(group.get(), public_key.get(), private_key_.get(), NULL, |
| 65 | NULL, bn_ctx.get()) || |
| 66 | !EC_POINT_point2cbb(out, group.get(), public_key.get(), |
| 67 | POINT_CONVERSION_UNCOMPRESSED, bn_ctx.get())) { |
| 68 | return false; |
| 69 | } |
| 70 | |
| 71 | return true; |
| 72 | } |
| 73 | |
| 74 | bool Finish(uint8_t **out_secret, size_t *out_secret_len, uint8_t *out_alert, |
| 75 | const uint8_t *peer_key, size_t peer_key_len) override { |
| 76 | assert(private_key_); |
| 77 | *out_alert = SSL_AD_INTERNAL_ERROR; |
| 78 | |
| 79 | /* Set up a shared |BN_CTX| for all operations. */ |
| 80 | UniquePtr<BN_CTX> bn_ctx(BN_CTX_new()); |
| 81 | if (!bn_ctx) { |
| 82 | return false; |
| 83 | } |
| 84 | BN_CTXScope scope(bn_ctx.get()); |
| 85 | |
| 86 | UniquePtr<EC_GROUP> group(EC_GROUP_new_by_curve_name(nid_)); |
| 87 | if (!group) { |
| 88 | return false; |
| 89 | } |
| 90 | |
| 91 | UniquePtr<EC_POINT> peer_point(EC_POINT_new(group.get())); |
| 92 | UniquePtr<EC_POINT> result(EC_POINT_new(group.get())); |
| 93 | BIGNUM *x = BN_CTX_get(bn_ctx.get()); |
| 94 | if (!peer_point || !result || !x) { |
| 95 | return false; |
| 96 | } |
| 97 | |
| 98 | if (!EC_POINT_oct2point(group.get(), peer_point.get(), peer_key, |
| 99 | peer_key_len, bn_ctx.get())) { |
| 100 | *out_alert = SSL_AD_DECODE_ERROR; |
| 101 | return false; |
| 102 | } |
| 103 | |
| 104 | /* Compute the x-coordinate of |peer_key| * |private_key_|. */ |
| 105 | if (!EC_POINT_mul(group.get(), result.get(), NULL, peer_point.get(), |
| 106 | private_key_.get(), bn_ctx.get()) || |
| 107 | !EC_POINT_get_affine_coordinates_GFp(group.get(), result.get(), x, NULL, |
| 108 | bn_ctx.get())) { |
| 109 | return false; |
| 110 | } |
| 111 | |
| 112 | /* Encode the x-coordinate left-padded with zeros. */ |
| 113 | size_t secret_len = (EC_GROUP_get_degree(group.get()) + 7) / 8; |
| 114 | UniquePtr<uint8_t> secret((uint8_t *)OPENSSL_malloc(secret_len)); |
| 115 | if (!secret || !BN_bn2bin_padded(secret.get(), secret_len, x)) { |
| 116 | return false; |
| 117 | } |
| 118 | |
| 119 | *out_secret = secret.release(); |
| 120 | *out_secret_len = secret_len; |
| 121 | return true; |
| 122 | } |
| 123 | |
| 124 | private: |
| 125 | UniquePtr<BIGNUM> private_key_; |
| 126 | int nid_; |
| 127 | uint16_t group_id_; |
| 128 | }; |
| 129 | |
| 130 | class X25519KeyShare : public SSLKeyShare { |
| 131 | public: |
| 132 | X25519KeyShare() {} |
| 133 | ~X25519KeyShare() override { |
| 134 | OPENSSL_cleanse(private_key_, sizeof(private_key_)); |
| 135 | } |
| 136 | |
| 137 | uint16_t GroupID() const override { return SSL_CURVE_X25519; } |
| 138 | |
| 139 | bool Offer(CBB *out) override { |
| 140 | uint8_t public_key[32]; |
| 141 | X25519_keypair(public_key, private_key_); |
| 142 | return !!CBB_add_bytes(out, public_key, sizeof(public_key)); |
| 143 | } |
| 144 | |
| 145 | bool Finish(uint8_t **out_secret, size_t *out_secret_len, uint8_t *out_alert, |
| 146 | const uint8_t *peer_key, size_t peer_key_len) override { |
| 147 | *out_alert = SSL_AD_INTERNAL_ERROR; |
| 148 | |
| 149 | UniquePtr<uint8_t> secret((uint8_t *)OPENSSL_malloc(32)); |
| 150 | if (!secret) { |
| 151 | OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); |
| 152 | return false; |
| 153 | } |
| 154 | |
| 155 | if (peer_key_len != 32 || !X25519(secret.get(), private_key_, peer_key)) { |
| 156 | *out_alert = SSL_AD_DECODE_ERROR; |
| 157 | OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT); |
| 158 | return false; |
| 159 | } |
| 160 | |
| 161 | *out_secret = secret.release(); |
| 162 | *out_secret_len = 32; |
| 163 | return true; |
| 164 | } |
| 165 | |
| 166 | private: |
| 167 | uint8_t private_key_[32]; |
| 168 | }; |
| 169 | |
| 170 | const struct { |
| 171 | int nid; |
| 172 | uint16_t group_id; |
| 173 | const char name[8]; |
| 174 | } kNamedGroups[] = { |
| 175 | {NID_secp224r1, SSL_CURVE_SECP224R1, "P-224"}, |
| 176 | {NID_X9_62_prime256v1, SSL_CURVE_SECP256R1, "P-256"}, |
| 177 | {NID_secp384r1, SSL_CURVE_SECP384R1, "P-384"}, |
| 178 | {NID_secp521r1, SSL_CURVE_SECP521R1, "P-521"}, |
| 179 | {NID_X25519, SSL_CURVE_X25519, "X25519"}, |
| 180 | }; |
| 181 | |
| 182 | } // namespace |
| 183 | |
| 184 | UniquePtr<SSLKeyShare> SSLKeyShare::Create(uint16_t group_id) { |
| 185 | switch (group_id) { |
| 186 | case SSL_CURVE_SECP224R1: |
| 187 | return UniquePtr<SSLKeyShare>( |
| 188 | New<ECKeyShare>(NID_secp224r1, SSL_CURVE_SECP224R1)); |
| 189 | case SSL_CURVE_SECP256R1: |
| 190 | return UniquePtr<SSLKeyShare>( |
| 191 | New<ECKeyShare>(NID_X9_62_prime256v1, SSL_CURVE_SECP256R1)); |
| 192 | case SSL_CURVE_SECP384R1: |
| 193 | return UniquePtr<SSLKeyShare>( |
| 194 | New<ECKeyShare>(NID_secp384r1, SSL_CURVE_SECP384R1)); |
| 195 | case SSL_CURVE_SECP521R1: |
| 196 | return UniquePtr<SSLKeyShare>( |
| 197 | New<ECKeyShare>(NID_secp521r1, SSL_CURVE_SECP521R1)); |
| 198 | case SSL_CURVE_X25519: |
| 199 | return UniquePtr<SSLKeyShare>(New<X25519KeyShare>()); |
| 200 | default: |
| 201 | return nullptr; |
| 202 | } |
| 203 | } |
| 204 | |
| 205 | bool SSLKeyShare::Accept(CBB *out_public_key, uint8_t **out_secret, |
| 206 | size_t *out_secret_len, uint8_t *out_alert, |
| 207 | const uint8_t *peer_key, size_t peer_key_len) { |
| 208 | *out_alert = SSL_AD_INTERNAL_ERROR; |
| 209 | return Offer(out_public_key) && |
| 210 | Finish(out_secret, out_secret_len, out_alert, peer_key, peer_key_len); |
| 211 | } |
| 212 | |
| 213 | int ssl_nid_to_group_id(uint16_t *out_group_id, int nid) { |
| 214 | for (const auto &group : kNamedGroups) { |
| 215 | if (group.nid == nid) { |
| 216 | *out_group_id = group.group_id; |
| 217 | return 1; |
| 218 | } |
| 219 | } |
| 220 | return 0; |
| 221 | } |
| 222 | |
| 223 | int ssl_name_to_group_id(uint16_t *out_group_id, const char *name, size_t len) { |
| 224 | for (const auto &group : kNamedGroups) { |
| 225 | if (len == strlen(group.name) && |
| 226 | !strncmp(group.name, name, len)) { |
| 227 | *out_group_id = group.group_id; |
| 228 | return 1; |
| 229 | } |
| 230 | } |
| 231 | return 0; |
| 232 | } |
| 233 | |
| 234 | } // namespace bssl |
| 235 | |
| 236 | using namespace bssl; |
| 237 | |
| 238 | const char* SSL_get_curve_name(uint16_t group_id) { |
| 239 | for (const auto &group : kNamedGroups) { |
| 240 | if (group.group_id == group_id) { |
| 241 | return group.name; |
| 242 | } |
| 243 | } |
| 244 | return nullptr; |
| 245 | } |