Add the key_share processing to the server side

At the moment the server doesn't yet do anything with this information.
We still need to send the server's key_share info back to the client. That
will happen in subsequent commits.

Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit is contained in:
Matt Caswell 2016-11-01 10:53:32 +00:00
parent d2c27a28c0
commit b1834ad781
4 changed files with 112 additions and 1 deletions

View file

@ -2427,6 +2427,7 @@ int ERR_load_SSL_strings(void);
# define SSL_R_NO_SHARED_CIPHER 193
# define SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS 376
# define SSL_R_NO_SRTP_PROFILES 359
# define SSL_R_NO_SUITABLE_KEY_SHARE 101
# define SSL_R_NO_VALID_SCTS 216
# define SSL_R_NO_VERIFY_COOKIE_CALLBACK 403
# define SSL_R_NULL_SSL_CTX 195

View file

@ -488,6 +488,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
{ERR_REASON(SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS),
"no shared signature algorithms"},
{ERR_REASON(SSL_R_NO_SRTP_PROFILES), "no srtp profiles"},
{ERR_REASON(SSL_R_NO_SUITABLE_KEY_SHARE), "no suitable key share"},
{ERR_REASON(SSL_R_NO_VALID_SCTS), "no valid scts"},
{ERR_REASON(SSL_R_NO_VERIFY_COOKIE_CALLBACK),
"no verify cookie callback"},

View file

@ -1263,6 +1263,15 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
goto err;
}
/* Check we've got a key_share for TLSv1.3 */
if (s->version == TLS1_3_VERSION && s->s3->peer_tmp == NULL) {
/* No suitable share */
/* TODO(1.3): Send a HelloRetryRequest */
al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_SUITABLE_KEY_SHARE);
goto f_err;
}
/*
* Check if we want to use external pre-shared secret for this handshake
* for not reused session only. We need to generate server_random before

View file

@ -2201,8 +2201,108 @@ static int ssl_scan_clienthello_tlsext(SSL *s, CLIENTHELLO_MSG *hello, int *al)
}
#endif
else if (currext->type == TLSEXT_TYPE_encrypt_then_mac
&& !(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
&& !(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)) {
s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
} else if (currext->type == TLSEXT_TYPE_key_share
&& s->version == TLS1_3_VERSION) {
unsigned int group_id;
PACKET key_share_list, encoded_pt;
const unsigned char *curves;
size_t num_curves, i;
int group_nid;
unsigned int curve_flags;
/* Sanity check */
if (s->s3->peer_tmp != NULL) {
*al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
return 0;
}
if (!PACKET_as_length_prefixed_2(&currext->data, &key_share_list)) {
*al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
SSL_R_LENGTH_MISMATCH);
return 0;
}
while (PACKET_remaining(&key_share_list) > 0) {
if (!PACKET_get_net_2(&key_share_list, &group_id)
|| !PACKET_get_length_prefixed_2(&key_share_list,
&encoded_pt)) {
*al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
SSL_R_LENGTH_MISMATCH);
return 0;
}
/* Find a share that we can use */
if (!tls1_get_curvelist(s, 0, &curves, &num_curves)) {
*al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
ERR_R_INTERNAL_ERROR);
return 0;
}
for (i = 0; i < num_curves; i++, curves += 2) {
unsigned int share_id = (curves[0] << 8) | (curves[1]);
if (group_id == share_id
&& tls_curve_allowed(s, curves,
SSL_SECOP_CURVE_CHECK)) {
break;
}
}
if (i == num_curves) {
/* Share not suitable */
continue;
}
group_nid = tls1_ec_curve_id2nid(group_id, &curve_flags);
if (group_nid == 0) {
*al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
return 0;
}
if ((curve_flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) {
/* Can happen for some curves, e.g. X25519 */
EVP_PKEY *key = EVP_PKEY_new();
if (key == NULL || !EVP_PKEY_set_type(key, group_nid)) {
*al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT, ERR_R_EVP_LIB);
EVP_PKEY_free(key);
return 0;
}
s->s3->peer_tmp = key;
} else {
/* Set up EVP_PKEY with named curve as parameters */
EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
if (pctx == NULL
|| EVP_PKEY_paramgen_init(pctx) <= 0
|| EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx,
group_nid) <= 0
|| EVP_PKEY_paramgen(pctx, &s->s3->peer_tmp) <= 0) {
*al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT, ERR_R_EVP_LIB);
EVP_PKEY_CTX_free(pctx);
return 0;
}
EVP_PKEY_CTX_free(pctx);
pctx = NULL;
}
if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
PACKET_data(&encoded_pt),
PACKET_remaining(&encoded_pt))) {
*al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT, SSL_R_BAD_ECPOINT);
return 0;
}
}
}
/*
* Note: extended master secret extension handled in
* tls_check_client_ems_support()