Skip to content

refactor to EcMakeKey #9339

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Oct 31, 2025
+98 −170
Merged

refactor to EcMakeKey #9339

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
268 changes: 98 additions & 170 deletions src/internal.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33250,6 +33250,97 @@ static void MakePSKPreMasterSecret(Arrays* arrays, byte use_psk_key)
}
#endif /*!NO_PSK*/

#if (defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448))
static int EcMakeKey(WOLFSSL* ssl)
{
int ret = 0;
#ifdef HAVE_ECC
int kea = ssl->specs.kea;
ecc_key* peerKey;
#endif
#ifdef HAVE_CURVE25519
if (ssl->peerX25519KeyPresent) {
/* Check client ECC public key */
if (!ssl->peerX25519Key || !ssl->peerX25519Key->dp) {
return NO_PEER_KEY;
}
/* if callback then use it for shared secret */
#ifdef HAVE_PK_CALLBACKS
if (ssl->ecdhCurveOID == ECC_X25519_OID) {
if (ssl->ctx->X25519SharedSecretCb != NULL)
return 0;
}
#endif
/* create private key */
ssl->hsType = DYNAMIC_TYPE_CURVE25519;
ret = AllocKey(ssl, (int)(ssl->hsType), &ssl->hsKey);
if (ret != 0) {
return ret;
}
ret = X25519MakeKey(ssl, (curve25519_key*)ssl->hsKey,
ssl->peerX25519Key);
return ret;
}
#endif
#ifdef HAVE_CURVE448
if (ssl->peerX448KeyPresent) {
/* Check client ECC public key */
if (!ssl->peerX448Key) {
return NO_PEER_KEY;
}
#ifdef HAVE_PK_CALLBACKS
if (ssl->ecdhCurveOID == ECC_X448_OID) {
if (ssl->ctx->X448SharedSecretCb != NULL)
return 0;
}
#endif
/* create private key */
ssl->hsType = DYNAMIC_TYPE_CURVE448;
ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey);
if (ret != 0) {
return ret;
}
ret = X448MakeKey(ssl, (curve448_key*)ssl->hsKey,
ssl->peerX448Key);
return ret;
}
#endif
#ifdef HAVE_ECC
if (kea == ecc_diffie_hellman_kea && ssl->specs.static_ecdh) {
/* Note: EccDsa is really fixed Ecc key here */
if (!ssl->peerEccDsaKey || !ssl->peerEccDsaKeyPresent) {
return NO_PEER_KEY;
}
peerKey = ssl->peerEccDsaKey;
}
else {
/* Check client ECC public key */
if (!ssl->peerEccKey || !ssl->peerEccKeyPresent ||
!ssl->peerEccKey->dp) {
return NO_PEER_KEY;
}
peerKey = ssl->peerEccKey;
}
if (peerKey == NULL) {
return NO_PEER_KEY;
}
#ifdef HAVE_PK_CALLBACKS
if (ssl->ctx->EccSharedSecretCb != NULL) {
return 0;
}
#endif /* HAVE_PK_CALLBACKS*/
/* create ephemeral private key */
ssl->hsType = DYNAMIC_TYPE_ECC;
ret = AllocKey(ssl, (int)(ssl->hsType), &ssl->hsKey);
if (ret != 0) {
return ret;
}
ret = EccMakeKey(ssl, (ecc_key*)ssl->hsKey, ssl->peerEccKey);
#endif /*HAVE_ECC*/
return ret;
}
#endif /*defined(HAVE_ECC)||defined(HAVE_CURVE25519)||defined(HAVE_CURVE448)*/

/* handle generation client_key_exchange (16) */
int SendClientKeyExchange(WOLFSSL* ssl)
{
Expand Down Expand Up @@ -33363,181 +33454,18 @@ int SendClientKeyExchange(WOLFSSL* ssl)
WOLFSSL_MSG("No client PSK callback set");
ERROR_OUT(PSK_KEY_ERROR, exit_scke);
}

#ifdef HAVE_CURVE25519
if (ssl->peerX25519KeyPresent) {
/* Check client ECC public key */
if (!ssl->peerX25519Key || !ssl->peerX25519Key->dp) {
ERROR_OUT(NO_PEER_KEY, exit_scke);
}

#ifdef HAVE_PK_CALLBACKS
/* if callback then use it for shared secret */
if (ssl->ctx->X25519SharedSecretCb != NULL) {
break;
}
#endif

/* create private key */
ssl->hsType = DYNAMIC_TYPE_CURVE25519;
ret = AllocKey(ssl, (int)(ssl->hsType), &ssl->hsKey);
if (ret != 0) {
goto exit_scke;
}

ret = X25519MakeKey(ssl, (curve25519_key*)ssl->hsKey,
ssl->peerX25519Key);
break;
}
#endif
#ifdef HAVE_CURVE448
if (ssl->peerX448KeyPresent) {
/* Check client ECC public key */
if (!ssl->peerX448Key) {
ERROR_OUT(NO_PEER_KEY, exit_scke);
}

#ifdef HAVE_PK_CALLBACKS
/* if callback then use it for shared secret */
if (ssl->ctx->X448SharedSecretCb != NULL) {
break;
}
#endif

/* create private key */
ssl->hsType = DYNAMIC_TYPE_CURVE448;
ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey);
if (ret != 0) {
goto exit_scke;
}

ret = X448MakeKey(ssl, (curve448_key*)ssl->hsKey,
ssl->peerX448Key);
break;
}
#endif
/* Check client ECC public key */
if (!ssl->peerEccKey || !ssl->peerEccKeyPresent ||
!ssl->peerEccKey->dp) {
ERROR_OUT(NO_PEER_KEY, exit_scke);
}

#ifdef HAVE_PK_CALLBACKS
/* if callback then use it for shared secret */
if (ssl->ctx->EccSharedSecretCb != NULL) {
break;
}
#endif

/* create ephemeral private key */
ssl->hsType = DYNAMIC_TYPE_ECC;
ret = AllocKey(ssl, (int)(ssl->hsType), &ssl->hsKey);
if (ret != 0) {
goto exit_scke;
}

ret = EccMakeKey(ssl, (ecc_key*)ssl->hsKey, ssl->peerEccKey);

ret = EcMakeKey(ssl);
if (ret)
ERROR_OUT(ret, exit_scke);
break;
#endif /* (HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448) && !NO_PSK */
#endif /* (HAVE_ECC||HAVE_CURVE25519||HAVE_CURVE448) && !NO_PSK */
#if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
defined(HAVE_CURVE448)
case ecc_diffie_hellman_kea:
{
#ifdef HAVE_ECC
ecc_key* peerKey;
#endif

#ifdef HAVE_PK_CALLBACKS
/* if callback then use it for shared secret */
#ifdef HAVE_CURVE25519
if (ssl->ecdhCurveOID == ECC_X25519_OID) {
if (ssl->ctx->X25519SharedSecretCb != NULL)
break;
}
else
#endif
#ifdef HAVE_CURVE448
if (ssl->ecdhCurveOID == ECC_X448_OID) {
if (ssl->ctx->X448SharedSecretCb != NULL)
break;
}
else
#endif
#ifdef HAVE_ECC
if (ssl->ctx->EccSharedSecretCb != NULL) {
break;
}
else
#endif
{
}
#endif /* HAVE_PK_CALLBACKS */

#ifdef HAVE_CURVE25519
if (ssl->peerX25519KeyPresent) {
if (!ssl->peerX25519Key || !ssl->peerX25519Key->dp) {
ERROR_OUT(NO_PEER_KEY, exit_scke);
}

/* create private key */
ssl->hsType = DYNAMIC_TYPE_CURVE25519;
ret = AllocKey(ssl, (int)(ssl->hsType), &ssl->hsKey);
if (ret != 0) {
goto exit_scke;
}

ret = X25519MakeKey(ssl, (curve25519_key*)ssl->hsKey,
ssl->peerX25519Key);
break;
}
#endif
#ifdef HAVE_CURVE448
if (ssl->peerX448KeyPresent) {
if (!ssl->peerX448Key) {
ERROR_OUT(NO_PEER_KEY, exit_scke);
}

/* create private key */
ssl->hsType = DYNAMIC_TYPE_CURVE448;
ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey);
if (ret != 0) {
goto exit_scke;
}

ret = X448MakeKey(ssl, (curve448_key*)ssl->hsKey,
ssl->peerX448Key);
break;
}
#endif
#ifdef HAVE_ECC
if (ssl->specs.static_ecdh) {
/* Note: EccDsa is really fixed Ecc key here */
if (!ssl->peerEccDsaKey || !ssl->peerEccDsaKeyPresent) {
ERROR_OUT(NO_PEER_KEY, exit_scke);
}
peerKey = ssl->peerEccDsaKey;
}
else {
if (!ssl->peerEccKey || !ssl->peerEccKeyPresent) {
ERROR_OUT(NO_PEER_KEY, exit_scke);
}
peerKey = ssl->peerEccKey;
}
if (peerKey == NULL) {
ERROR_OUT(NO_PEER_KEY, exit_scke);
}

/* create ephemeral private key */
ssl->hsType = DYNAMIC_TYPE_ECC;
ret = AllocKey(ssl, (int)ssl->hsType, &ssl->hsKey);
if (ret != 0) {
goto exit_scke;
}

ret = EccMakeKey(ssl, (ecc_key*)ssl->hsKey, peerKey);
#endif /* HAVE_ECC */

ret = EcMakeKey(ssl);
if (ret)
ERROR_OUT(ret, exit_scke);
break;
}
#endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
Expand Down