Modify libssl to discover supported groups based on available providers

Now that we have added the TLS-GROUP capability to the default provider we can use that to discover the supported group list based on the loaded providers. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11914)
author: Matt Caswell <matt@openssl.org> 2020-05-18 23:37:18 +0100
committer: Matt Caswell <matt@openssl.org> 2020-06-19 10:19:31 +0100
commit: 9d2d857f135abd281591ee0c2b58e01a710c3cea (patch)
tree: 6b0bab33c78f0366d0448f633d43333fc991fb51 /ssl/statem
parent: 82ec09ec6d4e35ef359a7cb22c0cb46662f18155 (diff)
2 files changed, 8 insertions, 6 deletions
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index ab2d98de60..c83e18e84d 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -117,7 +117,7 @@ EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context,
 #endif
 
 #ifndef OPENSSL_NO_EC
-static int use_ecc(SSL *s, int max_version)
+static int use_ecc(SSL *s, int min_version, int max_version)
 {
     int i, end, ret = 0;
     unsigned long alg_k, alg_a;
@@ -152,7 +152,7 @@ static int use_ecc(SSL *s, int max_version)
     for (j = 0; j < num_groups; j++) {
         uint16_t ctmp = pgroups[j];
 
-        if (tls_valid_group(s, ctmp, max_version)
+        if (tls_valid_group(s, ctmp, min_version, max_version)
                 && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED))
             return 1;
     }
@@ -174,7 +174,7 @@ EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt,
                  SSL_F_TLS_CONSTRUCT_CTOS_EC_PT_FORMATS, reason);
         return EXT_RETURN_FAIL;
     }
-    if (!use_ecc(s, max_version))
+    if (!use_ecc(s, min_version, max_version))
         return EXT_RETURN_NOT_SENT;
 
     /* Add TLS extension ECPointFormats to the ClientHello message */
@@ -214,7 +214,7 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
     if (max_version < TLS1_3_VERSION)
         return EXT_RETURN_NOT_SENT;
 #else
-    if (!use_ecc(s, max_version) && max_version < TLS1_3_VERSION)
+    if (!use_ecc(s, min_version, max_version) && max_version < TLS1_3_VERSION)
         return EXT_RETURN_NOT_SENT;
 #endif
 
@@ -237,7 +237,7 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
     for (i = 0; i < num_groups; i++) {
         uint16_t ctmp = pgroups[i];
 
-        if (tls_valid_group(s, ctmp, max_version)
+        if (tls_valid_group(s, ctmp, min_version, max_version)
                 && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) {
             if (!WPACKET_put_bytes_u16(pkt, ctmp)) {
                 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 3a0fee6ebc..27ddef9aaf 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -1424,6 +1424,7 @@ EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
 {
     const uint16_t *groups;
     size_t numgroups, i, first = 1;
+    int version;
 
     /* s->s3.group_id is non zero if we accepted a key_share */
     if (s->s3.group_id == 0)
@@ -1438,10 +1439,11 @@ EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
     }
 
     /* Copy group ID if supported */
+    version = SSL_version(s);
     for (i = 0; i < numgroups; i++) {
         uint16_t group = groups[i];
 
-        if (tls_valid_group(s, group, SSL_version(s))
+        if (tls_valid_group(s, group, version, version)
                 && tls_group_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
             if (first) {
                 /*
author	Matt Caswell <matt@openssl.org>	2020-05-18 23:37:18 +0100
committer	Matt Caswell <matt@openssl.org>	2020-06-19 10:19:31 +0100
commit	9d2d857f135abd281591ee0c2b58e01a710c3cea (patch)
tree	6b0bab33c78f0366d0448f633d43333fc991fb51 /ssl/statem
parent	82ec09ec6d4e35ef359a7cb22c0cb46662f18155 (diff)