[tls] Allow for NIST elliptic curve point formats

The elliptic curve point representation for the x25519 curve includes
only the X value, since the curve is designed such that the Montgomery
ladder does not need to ever know or calculate a Y value.  There is no
curve point format byte: the public key data is simply the X value.
The pre-master secret is also simply the X value of the shared secret
curve point.

The point representation for the NIST curves includes both X and Y
values, and a single curve point format byte that must indicate that
the format is uncompressed.  The pre-master secret for the NIST curves
does not include both X and Y values: only the X value is used.

Extend the definition of an elliptic curve to allow the point size to
be specified separately from the key size, and extend the definition
of a TLS named curve to include an optional curve point format byte
and a pre-master secret length.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

src/net/tls.c

@@ -1671,6 +1671,9 @@ static int tls_send_client_key_exchange_ecdhe ( struct tls_connection *tls ) {
 		uint8_t public[0];
 	} __attribute__ (( packed )) *ecdh;
 	size_t param_len;
+	size_t pointsize;
+	size_t keysize;
+	size_t offset;
 	int rc;
 
 	/* Parse ServerKeyExchange record */
@@ -1706,9 +1709,13 @@ static int tls_send_client_key_exchange_ecdhe ( struct tls_connection *tls ) {
 			   tls->server.exchange_len );
 		return -ENOTSUP_CURVE;
 	}
+	DBGC ( tls, "TLS %p using named curve %s\n", tls, curve->curve->name );
+	pointsize = curve->curve->pointsize;
+	keysize = curve->curve->keysize;
+	offset = ( curve->format ? 1 : 0 );
 
 	/* Check key length */
-	if ( ecdh->public_len != curve->curve->keysize ) {
+	if ( ecdh->public_len != ( offset + pointsize ) ) {
 		DBGC ( tls, "TLS %p invalid %s key\n",
 		       tls, curve->curve->name );
 		DBGC_HDA ( tls, 0, tls->server.exchange,
@@ -1716,15 +1723,23 @@ static int tls_send_client_key_exchange_ecdhe ( struct tls_connection *tls ) {
 		return -EINVAL_KEY_EXCHANGE;
 	}
 
+	/* Check curve point format byte (if present) */
+	if ( curve->format && ( ecdh->public[0] != curve->format ) ) {
+		DBGC ( tls, "TLS %p invalid %s curve point format\n",
+		       tls, curve->curve->name );
+		DBGC_HDA ( tls, 0, tls->server.exchange,
+			   tls->server.exchange_len );
+		return -EINVAL_KEY_EXCHANGE;
+	}
+
 	/* Construct pre-master secret and ClientKeyExchange record */
 	{
-		size_t len = curve->curve->keysize;
-		uint8_t private[len];
-		uint8_t pre_master_secret[len];
+		uint8_t private[keysize];
+		uint8_t pre_master_secret[pointsize];
 		struct {
 			uint32_t type_length;
 			uint8_t public_len;
-			uint8_t public[len];
+			uint8_t public[ecdh->public_len];
 		} __attribute__ (( packed )) key_xchg;
 
 		/* Generate ephemeral private key */
@@ -1733,9 +1748,9 @@ static int tls_send_client_key_exchange_ecdhe ( struct tls_connection *tls ) {
 			return rc;
 		}
 
-		/* Calculate pre-master secret */
-		if ( ( rc = ecdhe_key ( curve->curve, ecdh->public,
-					private, key_xchg.public,
+		/* Exchange keys */
+		if ( ( rc = ecdhe_key ( curve->curve, ( ecdh->public + offset ),
+					private, ( key_xchg.public + offset ),
 					pre_master_secret ) ) != 0 ) {
 			DBGC ( tls, "TLS %p could not exchange ECDHE key: %s\n",
 			       tls, strerror ( rc ) );
@@ -1743,14 +1758,17 @@ static int tls_send_client_key_exchange_ecdhe ( struct tls_connection *tls ) {
 		}
 
 		/* Generate master secret */
-		tls_generate_master_secret ( tls, pre_master_secret, len );
+		tls_generate_master_secret ( tls, pre_master_secret,
+					     curve->pre_master_secret_len );
 
 		/* Generate Client Key Exchange record */
 		key_xchg.type_length =
 			( cpu_to_le32 ( TLS_CLIENT_KEY_EXCHANGE ) |
 			  htonl ( sizeof ( key_xchg ) -
 				  sizeof ( key_xchg.type_length ) ) );
-		key_xchg.public_len = len;
+		key_xchg.public_len = sizeof ( key_xchg.public );
+		if ( curve->format )
+			key_xchg.public[0] = curve->format;
 
 		/* Transmit Client Key Exchange record */
 		if ( ( rc = tls_send_handshake ( tls, &key_xchg,