diff options
| author | Matt Caswell <matt@openssl.org> | 2021-01-13 17:27:10 +0000 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2021-02-05 15:20:37 +0000 |
| commit | 8b1db5d329740bd5363fd1763d4030d0e015b521 (patch) | |
| tree | 2bc4baa1f7ebf82da6fb5278c808f2d22e08115a /ssl/t1_lib.c | |
| parent | ddf8f1ce634b9a3bd30603d9e0eaec1990a0d586 (diff) | |
Make supported_groups code independent of EC and DH
The supported groups code was checking the OPENSSL_NO_EC and
OPENSSL_NO_DH guards in order to work, and the list of default groups was
based on those guards. However we now need it to work even in a no-ec
and no-dh build, because new groups might be added from providers.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13916)
Diffstat (limited to 'ssl/t1_lib.c')
| -rw-r--r-- | ssl/t1_lib.c | 27 |
1 files changed, 21 insertions, 6 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 24bfa96382..6bc33215c1 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -391,15 +391,17 @@ static int discover_provider_groups(OSSL_PROVIDER *provider, void *vctx) int ssl_load_groups(SSL_CTX *ctx) { size_t i, j, num_deflt_grps = 0; - uint16_t tmp_supp_groups[sizeof(supported_groups_default)]; + uint16_t tmp_supp_groups[OSSL_NELEM(supported_groups_default)]; if (!OSSL_PROVIDER_do_all(ctx->libctx, discover_provider_groups, ctx)) return 0; - for (i = 0; i < sizeof(supported_groups_default); i++) { + for (i = 0; i < OSSL_NELEM(supported_groups_default); i++) { for (j = 0; j < ctx->group_list_len; j++) { - if (ctx->group_list[j].group_id == supported_groups_default[i]) + if (ctx->group_list[j].group_id == supported_groups_default[i]) { tmp_supp_groups[num_deflt_grps++] = ctx->group_list[j].group_id; + break; + } } } @@ -414,7 +416,9 @@ int ssl_load_groups(SSL_CTX *ctx) return 0; } - memcpy(ctx->ext.supported_groups_default, tmp_supp_groups, num_deflt_grps); + memcpy(ctx->ext.supported_groups_default, + tmp_supp_groups, + num_deflt_grps * sizeof(tmp_supp_groups[0])); ctx->ext.supported_groups_default_len = num_deflt_grps; return 1; @@ -534,11 +538,15 @@ void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups, } } -int tls_valid_group(SSL *s, uint16_t group_id, int minversion, int maxversion) +int tls_valid_group(SSL *s, uint16_t group_id, int minversion, int maxversion, + int isec, int *okfortls13) { const TLS_GROUP_INFO *ginfo = tls1_group_id_lookup(s->ctx, group_id); int ret; + if (okfortls13 != NULL) + okfortls13 = 0; + if (ginfo == NULL) return 0; @@ -560,7 +568,14 @@ int tls_valid_group(SSL *s, uint16_t group_id, int minversion, int maxversion) ret = (minversion <= ginfo->maxtls); if (ginfo->mintls > 0) ret &= (maxversion >= ginfo->mintls); - } + if (ret && okfortls13 != NULL && maxversion == TLS1_3_VERSION) + *okfortls13 = (ginfo->maxtls == 0) + || (ginfo->maxtls >= TLS1_3_VERSION); + } + ret &= !isec + || strcmp(ginfo->algorithm, "EC") == 0 + || strcmp(ginfo->algorithm, "X25519") == 0 + || strcmp(ginfo->algorithm, "X448") == 0; return ret; } |