diff options
| author | raja-ashok <rashok.svks@gmail.com> | 2019-01-25 21:04:49 +0530 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2019-06-12 10:18:34 +0100 |
| commit | 9aaecbfc98eb89a03f72b35d343e08f377e7803a (patch) | |
| tree | 4f025a6064a0f8f654a486d9ef6be6c9fcb8b2cf /ssl | |
| parent | a03749a8f14c397f57ef956650f5db5da6523595 (diff) | |
TLS1.3 FFDHE Support
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8178)
Diffstat (limited to 'ssl')
| -rw-r--r-- | ssl/s3_lib.c | 92 | ||||
| -rw-r--r-- | ssl/ssl_locl.h | 16 | ||||
| -rw-r--r-- | ssl/statem/extensions_clnt.c | 27 | ||||
| -rw-r--r-- | ssl/statem/extensions_srvr.c | 3 | ||||
| -rw-r--r-- | ssl/t1_lib.c | 136 |
5 files changed, 192 insertions, 82 deletions
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 5ea2c2d029..a75a15802a 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -4678,25 +4678,39 @@ EVP_PKEY *ssl_generate_pkey(EVP_PKEY *pm) EVP_PKEY_CTX_free(pctx); return pkey; } -#ifndef OPENSSL_NO_EC + /* Generate a private key from a group ID */ EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id) { + const TLS_GROUP_INFO *ginf = tls1_group_id_lookup(id); EVP_PKEY_CTX *pctx = NULL; EVP_PKEY *pkey = NULL; - const TLS_GROUP_INFO *ginf = tls1_group_id_lookup(id); uint16_t gtype; +# ifndef OPENSSL_NO_DH + DH *dh = NULL; +# endif if (ginf == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP, ERR_R_INTERNAL_ERROR); goto err; } - gtype = ginf->flags & TLS_CURVE_TYPE; - if (gtype == TLS_CURVE_CUSTOM) - pctx = EVP_PKEY_CTX_new_id(ginf->nid, NULL); + gtype = ginf->flags & TLS_GROUP_TYPE; +# ifndef OPENSSL_NO_DH + if (gtype == TLS_GROUP_FFDHE) + pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL); +# ifndef OPENSSL_NO_EC else - pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL); +# endif +# endif +# ifndef OPENSSL_NO_EC + { + if (gtype == TLS_GROUP_CURVE_CUSTOM) + pctx = EVP_PKEY_CTX_new_id(ginf->nid, NULL); + else + pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL); + } +# endif if (pctx == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP, ERR_R_MALLOC_FAILURE); @@ -4707,12 +4721,40 @@ EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id) ERR_R_EVP_LIB); goto err; } - if (gtype != TLS_CURVE_CUSTOM - && EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, ginf->nid) <= 0) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP, - ERR_R_EVP_LIB); - goto err; +# ifndef OPENSSL_NO_DH + if (gtype == TLS_GROUP_FFDHE) { + if ((pkey = EVP_PKEY_new()) == NULL + || (dh = DH_new_by_nid(ginf->nid)) == NULL + || !EVP_PKEY_assign(pkey, EVP_PKEY_DH, dh)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP, + ERR_R_EVP_LIB); + DH_free(dh); + EVP_PKEY_free(pkey); + pkey = NULL; + goto err; + } + if (EVP_PKEY_CTX_set_dh_nid(pctx, ginf->nid) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP, + ERR_R_EVP_LIB); + EVP_PKEY_free(pkey); + pkey = NULL; + goto err; + } + } +# ifndef OPENSSL_NO_EC + else +# endif +# endif +# ifndef OPENSSL_NO_EC + { + if (gtype != TLS_GROUP_CURVE_CUSTOM + && EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, ginf->nid) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP, + ERR_R_EVP_LIB); + goto err; + } } +# endif if (EVP_PKEY_keygen(pctx, &pkey) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP, ERR_R_EVP_LIB); @@ -4733,11 +4775,12 @@ EVP_PKEY *ssl_generate_param_group(uint16_t id) EVP_PKEY_CTX *pctx = NULL; EVP_PKEY *pkey = NULL; const TLS_GROUP_INFO *ginf = tls1_group_id_lookup(id); + int pkey_ctx_id; if (ginf == NULL) goto err; - if ((ginf->flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) { + if ((ginf->flags & TLS_GROUP_TYPE) == TLS_GROUP_CURVE_CUSTOM) { pkey = EVP_PKEY_new(); if (pkey != NULL && EVP_PKEY_set_type(pkey, ginf->nid)) return pkey; @@ -4745,13 +4788,28 @@ EVP_PKEY *ssl_generate_param_group(uint16_t id) return NULL; } - pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL); + pkey_ctx_id = (ginf->flags & TLS_GROUP_FFDHE) + ? EVP_PKEY_DH : EVP_PKEY_EC; + pctx = EVP_PKEY_CTX_new_id(pkey_ctx_id, NULL); if (pctx == NULL) goto err; if (EVP_PKEY_paramgen_init(pctx) <= 0) goto err; - if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, ginf->nid) <= 0) - goto err; +# ifndef OPENSSl_NO_DH + if (ginf->flags & TLS_GROUP_FFDHE) { + if (EVP_PKEY_CTX_set_dh_nid(pctx, ginf->nid) <= 0) + goto err; + } +# ifndef OPENSSL_NO_EC + else +# endif +# endif +# ifndef OPENSSL_NO_EC + { + if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, ginf->nid) <= 0) + goto err; + } +# endif if (EVP_PKEY_paramgen(pctx, &pkey) <= 0) { EVP_PKEY_free(pkey); pkey = NULL; @@ -4761,7 +4819,6 @@ EVP_PKEY *ssl_generate_param_group(uint16_t id) EVP_PKEY_CTX_free(pctx); return pkey; } -#endif /* Derive secrets for ECDH/DH */ int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey, int gensecret) @@ -4787,6 +4844,9 @@ int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey, int gensecret) goto err; } + if (SSL_IS_TLS13(s) && EVP_PKEY_id(privkey) == EVP_PKEY_DH) + EVP_PKEY_CTX_set_dh_pad(pctx, 1); + pms = OPENSSL_malloc(pmslen); if (pms == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_DERIVE, diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 79b78f093d..0e661d00d7 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -1685,14 +1685,19 @@ typedef struct sigalg_lookup_st { typedef struct tls_group_info_st { int nid; /* Curve NID */ int secbits; /* Bits of security (from SP800-57) */ - uint16_t flags; /* Flags: currently just group type */ + uint32_t flags; /* For group type and applicable TLS versions */ + uint16_t group_id; /* Group ID */ } TLS_GROUP_INFO; /* flags values */ -# define TLS_CURVE_TYPE 0x3 /* Mask for group type */ -# define TLS_CURVE_PRIME 0x0 -# define TLS_CURVE_CHAR2 0x1 -# define TLS_CURVE_CUSTOM 0x2 +# define TLS_GROUP_TYPE 0x0000000FU /* Mask for group type */ +# define TLS_GROUP_CURVE_PRIME 0x00000001U +# define TLS_GROUP_CURVE_CHAR2 0x00000002U +# define TLS_GROUP_CURVE_CUSTOM 0x00000004U +# define TLS_GROUP_FFDHE 0x00000008U +# define TLS_GROUP_ONLY_FOR_TLS1_3 0x00000010U + +# define TLS_GROUP_FFDHE_FOR_TLS1_3 (TLS_GROUP_FFDHE|TLS_GROUP_ONLY_FOR_TLS1_3) /* * Structure containing table entry of certificate info corresponding to @@ -2533,6 +2538,7 @@ void tls1_get_formatlist(SSL *s, const unsigned char **pformats, size_t *num_formats); __owur int tls1_check_ec_tmp_key(SSL *s, unsigned long id); __owur EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id); +__owur int tls_valid_group(SSL *s, uint16_t group_id, int version); __owur EVP_PKEY *ssl_generate_param_group(uint16_t id); # endif /* OPENSSL_NO_EC */ diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index 979954ff76..a29b7c021a 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -174,36 +174,45 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt, { const uint16_t *pgroups = NULL; size_t num_groups = 0, i; + int min_version, max_version, reason; if (!use_ecc(s)) return EXT_RETURN_NOT_SENT; + reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL); + if (reason != 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS, reason); + return EXT_RETURN_FAIL; + } + /* * Add TLS extension supported_groups to the ClientHello message */ - /* TODO(TLS1.3): Add support for DHE groups */ tls1_get_supported_groups(s, &pgroups, &num_groups); if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups) /* Sub-packet for supported_groups extension */ || !WPACKET_start_sub_packet_u16(pkt) - || !WPACKET_start_sub_packet_u16(pkt)) { + || !WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR); return EXT_RETURN_FAIL; } - /* Copy curve ID if supported */ + /* Copy group ID if supported */ for (i = 0; i < num_groups; i++) { uint16_t ctmp = pgroups[i]; - if (tls_curve_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) { + if (tls_valid_group(s, ctmp, max_version) + && tls_curve_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) { if (!WPACKET_put_bytes_u16(pkt, ctmp)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, - SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS, - ERR_R_INTERNAL_ERROR); - return EXT_RETURN_FAIL; - } + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } } } if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index d107af3f87..37f5819346 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -1424,7 +1424,8 @@ EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt, for (i = 0; i < numgroups; i++) { uint16_t group = groups[i]; - if (tls_curve_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) { + if (tls_valid_group(s, group, SSL_version(s)) + && tls_curve_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) { if (first) { /* * Check if the client is already using our preferred group. If diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 8fad1f20df..52e6d5426a 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -132,40 +132,44 @@ int tls1_clear(SSL *s) /* * Table of curve information. - * Do not delete entries or reorder this array! It is used as a lookup - * table: the index of each entry is one less than the TLS curve id. */ static const TLS_GROUP_INFO nid_list[] = { - {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */ - {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */ - {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */ - {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */ - {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */ - {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */ - {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */ - {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */ - {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */ - {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */ - {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */ - {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */ - {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */ - {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */ - {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */ - {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */ - {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */ - {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */ - {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */ - {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */ - {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */ - {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */ - {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */ - {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */ - {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */ - {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */ - {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */ - {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */ - {EVP_PKEY_X25519, 128, TLS_CURVE_CUSTOM}, /* X25519 (29) */ - {EVP_PKEY_X448, 224, TLS_CURVE_CUSTOM}, /* X448 (30) */ + {NID_sect163k1, 80, TLS_GROUP_CURVE_CHAR2, 0x0001}, /* sect163k1 (1) */ + {NID_sect163r1, 80, TLS_GROUP_CURVE_CHAR2, 0x0002}, /* sect163r1 (2) */ + {NID_sect163r2, 80, TLS_GROUP_CURVE_CHAR2, 0x0003}, /* sect163r2 (3) */ + {NID_sect193r1, 80, TLS_GROUP_CURVE_CHAR2, 0x0004}, /* sect193r1 (4) */ + {NID_sect193r2, 80, TLS_GROUP_CURVE_CHAR2, 0x0005}, /* sect193r2 (5) */ + {NID_sect233k1, 112, TLS_GROUP_CURVE_CHAR2, 0x0006}, /* sect233k1 (6) */ + {NID_sect233r1, 112, TLS_GROUP_CURVE_CHAR2, 0x0007}, /* sect233r1 (7) */ + {NID_sect239k1, 112, TLS_GROUP_CURVE_CHAR2, 0x0008}, /* sect239k1 (8) */ + {NID_sect283k1, 128, TLS_GROUP_CURVE_CHAR2, 0x0009}, /* sect283k1 (9) */ + {NID_sect283r1, 128, TLS_GROUP_CURVE_CHAR2, 0x000A}, /* sect283r1 (10) */ + {NID_sect409k1, 192, TLS_GROUP_CURVE_CHAR2, 0x000B}, /* sect409k1 (11) */ + {NID_sect409r1, 192, TLS_GROUP_CURVE_CHAR2, 0x000C}, /* sect409r1 (12) */ + {NID_sect571k1, 256, TLS_GROUP_CURVE_CHAR2, 0x000D}, /* sect571k1 (13) */ + {NID_sect571r1, 256, TLS_GROUP_CURVE_CHAR2, 0x000E}, /* sect571r1 (14) */ + {NID_secp160k1, 80, TLS_GROUP_CURVE_PRIME, 0x000F}, /* secp160k1 (15) */ + {NID_secp160r1, 80, TLS_GROUP_CURVE_PRIME, 0x0010}, /* secp160r1 (16) */ + {NID_secp160r2, 80, TLS_GROUP_CURVE_PRIME, 0x0011}, /* secp160r2 (17) */ + {NID_secp192k1, 80, TLS_GROUP_CURVE_PRIME, 0x0012}, /* secp192k1 (18) */ + {NID_X9_62_prime192v1, 80, TLS_GROUP_CURVE_PRIME, 0x0013}, /* secp192r1 (19) */ + {NID_secp224k1, 112, TLS_GROUP_CURVE_PRIME, 0x0014}, /* secp224k1 (20) */ + {NID_secp224r1, 112, TLS_GROUP_CURVE_PRIME, 0x0015}, /* secp224r1 (21) */ + {NID_secp256k1, 128, TLS_GROUP_CURVE_PRIME, 0x0016}, /* secp256k1 (22) */ + {NID_X9_62_prime256v1, 128, TLS_GROUP_CURVE_PRIME, 0x0017}, /* secp256r1 (23) */ + {NID_secp384r1, 192, TLS_GROUP_CURVE_PRIME, 0x0018}, /* secp384r1 (24) */ + {NID_secp521r1, 256, TLS_GROUP_CURVE_PRIME, 0x0019}, /* secp521r1 (25) */ + {NID_brainpoolP256r1, 128, TLS_GROUP_CURVE_PRIME, 0x001A}, /* brainpoolP256r1 (26) */ + {NID_brainpoolP384r1, 192, TLS_GROUP_CURVE_PRIME, 0x001B}, /* brainpoolP384r1 (27) */ + {NID_brainpoolP512r1, 256, TLS_GROUP_CURVE_PRIME, 0x001C}, /* brainpool512r1 (28) */ + {EVP_PKEY_X25519, 128, TLS_GROUP_CURVE_CUSTOM, 0x001D}, /* X25519 (29) */ + {EVP_PKEY_X448, 224, TLS_GROUP_CURVE_CUSTOM, 0x001E}, /* X448 (30) */ + /* Security bit values for FFDHE groups are updated as per RFC 7919 */ + {NID_ffdhe2048, 103, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0100}, /* ffdhe2048 (0x0100) */ + {NID_ffdhe3072, 125, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0101}, /* ffdhe3072 (0x0101) */ + {NID_ffdhe4096, 150, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0102}, /* ffdhe4096 (0x0102) */ + {NID_ffdhe6144, 175, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0103}, /* ffdhe6144 (0x0103) */ + {NID_ffdhe8192, 192, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0104}, /* ffdhe8192 (0x0104) */ }; static const unsigned char ecformats_default[] = { @@ -175,12 +179,17 @@ static const unsigned char ecformats_default[] = { }; /* The default curves */ -static const uint16_t eccurves_default[] = { +static const uint16_t supported_groups_default[] = { 29, /* X25519 (29) */ 23, /* secp256r1 (23) */ 30, /* X448 (30) */ 25, /* secp521r1 (25) */ 24, /* secp384r1 (24) */ + 0x100, /* ffdhe2048 (0x100) */ + 0x101, /* ffdhe3072 (0x101) */ + 0x102, /* ffdhe4096 (0x102) */ + 0x103, /* ffdhe6144 (0x103) */ + 0x104, /* ffdhe8192 (0x104) */ }; static const uint16_t suiteb_curves[] = { @@ -190,18 +199,23 @@ static const uint16_t suiteb_curves[] = { const TLS_GROUP_INFO *tls1_group_id_lookup(uint16_t group_id) { - /* ECC curves from RFC 4492 and RFC 7027 */ - if (group_id < 1 || group_id > OSSL_NELEM(nid_list)) - return NULL; - return &nid_list[group_id - 1]; + size_t i; + + /* ECC curves from RFC 4492 and RFC 7027 FFDHE group from RFC 8446 */ + for (i = 0; i < OSSL_NELEM(nid_list); i++) { + if (nid_list[i].group_id == group_id) + return &nid_list[i]; + } + return NULL; } static uint16_t tls1_nid2group_id(int nid) { size_t i; + for (i = 0; i < OSSL_NELEM(nid_list); i++) { if (nid_list[i].nid == nid) - return (uint16_t)(i + 1); + return nid_list[i].group_id; } return 0; } @@ -233,8 +247,8 @@ void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups, default: if (s->ext.supportedgroups == NULL) { - *pgroups = eccurves_default; - *pgroupslen = OSSL_NELEM(eccurves_default); + *pgroups = supported_groups_default; + *pgroupslen = OSSL_NELEM(supported_groups_default); } else { *pgroups = s->ext.supportedgroups; *pgroupslen = s->ext.supportedgroups_len; @@ -243,6 +257,17 @@ void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups, } } +int tls_valid_group(SSL *s, uint16_t group_id, int version) +{ + const TLS_GROUP_INFO *ginfo = tls1_group_id_lookup(group_id); + + if (version < TLS1_3_VERSION) { + if ((ginfo->flags & TLS_GROUP_ONLY_FOR_TLS1_3) != 0) + return 0; + } + return 1; +} + /* See if curve is allowed by security callback */ int tls_curve_allowed(SSL *s, uint16_t curve, int op) { @@ -252,7 +277,11 @@ int tls_curve_allowed(SSL *s, uint16_t curve, int op) if (cinfo == NULL) return 0; # ifdef OPENSSL_NO_EC2M - if (cinfo->flags & TLS_CURVE_CHAR2) + if (cinfo->flags & TLS_GROUP_CURVE_CHAR2) + return 0; +# endif +# ifdef OPENSSL_NO_DH + if (cinfo->flags & TLS_GROUP_FFDHE) return 0; # endif ctmp[0] = curve >> 8; @@ -338,10 +367,12 @@ int tls1_set_groups(uint16_t **pext, size_t *pextlen, uint16_t *glist; size_t i; /* - * Bitmap of groups included to detect duplicates: only works while group - * ids < 32 + * Bitmap of groups included to detect duplicates: two variables are added + * to detect duplicates as some values are more than 32. */ - unsigned long dup_list = 0; + unsigned long *dup_list = NULL; + unsigned long dup_list_egrp = 0; + unsigned long dup_list_dhgrp = 0; if (ngroups == 0) { SSLerr(SSL_F_TLS1_SET_GROUPS, SSL_R_BAD_LENGTH); @@ -354,20 +385,23 @@ int tls1_set_groups(uint16_t **pext, size_t *pextlen, for (i = 0; i < ngroups; i++) { unsigned long idmask; uint16_t id; - /* TODO(TLS1.3): Convert for DH groups */ id = tls1_nid2group_id(groups[i]); - idmask = 1L << id; - if (!id || (dup_list & idmask)) { - OPENSSL_free(glist); - return 0; - } - dup_list |= idmask; + if ((id & 0x00FF) >= (sizeof(unsigned long) * 8)) + goto err; + idmask = 1L << (id & 0x00FF); + dup_list = (id < 0x100) ? &dup_list_egrp : &dup_list_dhgrp; + if (!id || ((*dup_list) & idmask)) + goto err; + *dup_list |= idmask; glist[i] = id; } OPENSSL_free(*pext); *pext = glist; *pextlen = ngroups; return 1; +err: + OPENSSL_free(glist); + return 0; } # define MAX_CURVELIST OSSL_NELEM(nid_list) |