author | Matt Caswell <matt@openssl.org> | 2020-05-18 23:37:18 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2020-06-19 10:19:31 +0100 |
commit | 9d2d857f135abd281591ee0c2b58e01a710c3cea (patch) | |
tree | 6b0bab33c78f0366d0448f633d43333fc991fb51 /ssl/statem | |
parent | 82ec09ec6d4e35ef359a7cb22c0cb46662f18155 (diff) |
Modify libssl to discover supported groups based on available providers
Now that we have added the TLS-GROUP capability to the default provider
we can use that to discover the supported group list based on the loaded
providers.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11914)
Diffstat (limited to 'ssl/statem')
-rw-r--r-- | ssl/statem/extensions_clnt.c | 10 | ||||
-rw-r--r-- | ssl/statem/extensions_srvr.c | 4 |
2 files changed, 8 insertions, 6 deletions
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index ab2d98de60..c83e18e84d 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -117,7 +117,7 @@ EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context,
 #endif
 #ifndef OPENSSL_NO_EC
-static int use_ecc(SSL *s, int max_version)
+static int use_ecc(SSL *s, int min_version, int max_version)
 {
 int i, end, ret = 0;
 unsigned long alg_k, alg_a;
@@ -152,7 +152,7 @@ static int use_ecc(SSL *s, int max_version)
 for (j = 0; j < num_groups; j++) {
 uint16_t ctmp = pgroups[j];
- if (tls_valid_group(s, ctmp, max_version)
+ if (tls_valid_group(s, ctmp, min_version, max_version)
 && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED))
 return 1;
 }
@@ -174,7 +174,7 @@ EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt,
 SSL_F_TLS_CONSTRUCT_CTOS_EC_PT_FORMATS, reason);
 return EXT_RETURN_FAIL;
 }
- if (!use_ecc(s, max_version))
+ if (!use_ecc(s, min_version, max_version))
 return EXT_RETURN_NOT_SENT;
 /* Add TLS extension ECPointFormats to the ClientHello message */
@@ -214,7 +214,7 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
 if (max_version < TLS1_3_VERSION)
 return EXT_RETURN_NOT_SENT;
 #else
- if (!use_ecc(s, max_version) && max_version < TLS1_3_VERSION)
+ if (!use_ecc(s, min_version, max_version) && max_version < TLS1_3_VERSION)
 return EXT_RETURN_NOT_SENT;
 #endif
@@ -237,7 +237,7 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
 for (i = 0; i < num_groups; i++) {
 uint16_t ctmp = pgroups[i];
- if (tls_valid_group(s, ctmp, max_version)
+ if (tls_valid_group(s, ctmp, min_version, max_version)
 && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) {
 if (!WPACKET_put_bytes_u16(pkt, ctmp)) {
 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 3a0fee6ebc..27ddef9aaf 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
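Review bot: `use_ecc()` now takes a version range in the @@ -117 hunk, but nothing at the new signature says how the range is applied, i.e. whether a group qualifies when it is usable at some version between `min_version` and `max_version` or only when it covers the whole range. The result decides whether the client sends ec_point_formats and, below TLS 1.3, supported_groups, so a comment above the function is worth adding, for example `/* Returns 1 if at least one configured group passes tls_valid_group() for [min_version, max_version] and tls_group_allowed(), otherwise 0 */`. The exact rule lives in tls_valid_group(), which is not part of this diff, so the wording should be confirmed against it. The body of use_ecc() continues outside this hunk.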
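Review bot: The filter `tls_valid_group(s, ctmp, min_version, max_version) && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)` is written out in use_ecc() (the @@ -152 hunk) and again in the group loop of tls_construct_ctos_supported_groups() (the @@ -237 hunk), and this commit had to edit both copies by hand. use_ecc() gates whether the extensions are sent while the second loop decides which groups are listed, so a later edit that reaches only one copy would leave the two disagreeing about what the ClientHello should advertise. A small static helper in this file that wraps the two calls and is used from both loops would keep them in step. Both loops start outside their hunks.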
@@ -1424,6 +1424,7 @@ EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
 {
 const uint16_t *groups;
 size_t numgroups, i, first = 1;
+ int version;
 /* s->s3.group_id is non zero if we accepted a key_share */
 if (s->s3.group_id == 0)
@@ -1438,10 +1439,11 @@ EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
 }
 /* Copy group ID if supported */
+ version = SSL_version(s);
 for (i = 0; i < numgroups; i++) {
 uint16_t group = groups[i];
- if (tls_valid_group(s, group, SSL_version(s))
+ if (tls_valid_group(s, group, version, version)
 && tls_group_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
 if (first) {
 /* |
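Review bot: In the @@ -1438 hunk the call `tls_valid_group(s, group, version, version)` passes the same value as both bounds, and a reader has to infer that the collapsed range is deliberate rather than a copy-paste slip. Presumably the version is already fixed by the time the server builds this extension, so a one-line comment next to the new assignment would settle it, e.g. `/* Version is already negotiated here, so min and max are the same */`. The loop and the rest of tls_construct_stoc_supported_groups() continue outside the hunk.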