-rw-r--r-- | ssl/ssl_lib.c | 1 | ||||
-rw-r--r-- | ssl/ssl_local.h | 2 | ||||
-rw-r--r-- | ssl/statem/extensions.c | 4 | ||||
-rw-r--r-- | ssl/statem/extensions_clnt.c | 2 | ||||
-rw-r--r-- | ssl/statem/extensions_srvr.c | 4 | ||||
-rw-r--r-- | ssl/t1_lib.c | 46 |
6 files changed, 33 insertions, 26 deletions
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index a87da32c62..daba82ebfe 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3396,6 +3396,7 @@ void SSL_CTX_free(SSL_CTX *a)
 OPENSSL_free(a->ext.ecpointformats);
 #endif
 OPENSSL_free(a->ext.supportedgroups);
+ OPENSSL_free(a->ext.supported_groups_default);
 OPENSSL_free(a->ext.alpn);
 OPENSSL_secure_free(a->ext.secure);
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index fa1130e59d..4138f4eaa3 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -1060,6 +1060,8 @@ struct ssl_ctx_st {
 size_t supportedgroups_len;
 uint16_t *supportedgroups;
+ uint16_t *supported_groups_default;
+ size_t supported_groups_default_len;
 /*
 * ALPN information (we are in the process of transitioning from NPN to
 * ALPN.)
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index 1a3435a949..6bd7a69364 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -163,7 +163,6 @@ static const EXTENSION_DEFINITION ext_defs[] = {
 #else
 INVALID_EXTENSION,
 #endif
-#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
 {
 /*
 * "supported_groups" is spread across several specifications.
@@ -197,9 +196,6 @@ static const EXTENSION_DEFINITION ext_defs[] = {
 tls_construct_stoc_supported_groups,
 tls_construct_ctos_supported_groups, NULL
 },
-#else
- INVALID_EXTENSION,
-#endif
 {
 TLSEXT_TYPE_session_ticket,
 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 14dd7cfc76..89e1422bbd 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -184,7 +184,6 @@ EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt,
 }
 #endif
-#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
 EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
 unsigned int context, X509 *x,
 size_t chainidx)
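Review bot: The two fields added to `struct ssl_ctx_st` carry no comment, so nothing in the header records how `supported_groups_default` differs from the `supportedgroups` list directly above it, when it may be NULL, or who frees it. From the other hunks: ssl_load_groups fills it with the built-in defaults that some loaded provider actually implements and returns 1 without allocating when there are none, and SSL_CTX_free releases it unconditionally (which presumes a zero-allocated SSL_CTX — worth confirming in SSL_CTX_new, which is outside this diff). Suggested comment above `uint16_t *supported_groups_default;`: `/* Built-in default group list reduced by ssl_load_groups() to the ids some loaded provider implements; NULL with supported_groups_default_len == 0 when none is available. Owned by the SSL_CTX, freed in SSL_CTX_free(). */`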
@@ -239,7 +238,6 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
 return EXT_RETURN_SENT;
 }
-#endif
 EXT_RETURN tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt,
 unsigned int context, X509 *x,
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 2a6d89558b..99cd515386 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -893,7 +893,6 @@ int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
 return 1;
 }
-#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
 X509 *x, size_t chainidx)
 {
@@ -921,7 +920,6 @@ int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
 return 1;
 }
-#endif
 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
 size_t chainidx)
@@ -1333,7 +1331,6 @@ EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
 }
 #endif
-#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
 EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
 unsigned int context, X509 *x,
 size_t chainidx)
@@ -1393,7 +1390,6 @@ EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
 return EXT_RETURN_SENT;
 }
-#endif
 EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
 unsigned int context, X509 *x,
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 1438244d32..24bfa96382 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -194,16 +194,12 @@ static const unsigned char ecformats_default[] = {
 #endif /* !defined(OPENSSL_NO_EC) */
 /* The default curves */
-#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
 static const uint16_t supported_groups_default[] = {
-# ifndef OPENSSL_NO_EC
 29, /* X25519 (29) */
 23, /* secp256r1 (23) */
 30, /* X448 (30) */
 25, /* secp521r1 (25) */
 24, /* secp384r1 (24) */
-# endif
-# ifndef OPENSSL_NO_GOST
 34, /* GC256A (34) */
 35, /* GC256B (35) */
 36, /* GC256C (36) */
@@ -211,16 +207,12 @@ static const uint16_t supported_groups_default[] = {
 38, /* GC512A (38) */
 39, /* GC512B (39) */
 40, /* GC512C (40) */
-# endif
-# ifndef OPENSSL_NO_DH
 0x100, /* ffdhe2048 (0x100) */
 0x101, /* ffdhe3072 (0x101) */
 0x102, /* ffdhe4096 (0x102) */
 0x103, /* ffdhe6144 (0x103) */
 0x104, /* ffdhe8192 (0x104) */
-# endif
 };
-#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */
 #ifndef OPENSSL_NO_EC
 static const uint16_t suiteb_curves[] = {
@@ -398,7 +390,34 @@ static int discover_provider_groups(OSSL_PROVIDER *provider, void *vctx)
 int ssl_load_groups(SSL_CTX *ctx)
 {
- return OSSL_PROVIDER_do_all(ctx->libctx, discover_provider_groups, ctx);
+ size_t i, j, num_deflt_grps = 0;
+ uint16_t tmp_supp_groups[sizeof(supported_groups_default)];
+
+ if (!OSSL_PROVIDER_do_all(ctx->libctx, discover_provider_groups, ctx))
+ return 0;
+
+ for (i = 0; i < sizeof(supported_groups_default); i++) {
+ for (j = 0; j < ctx->group_list_len; j++) {
+ if (ctx->group_list[j].group_id == supported_groups_default[i])
+ tmp_supp_groups[num_deflt_grps++] = ctx->group_list[j].group_id;
+ }
+ }
+
+ if (num_deflt_grps == 0)
+ return 1;
+
+ ctx->ext.supported_groups_default
+ = OPENSSL_malloc(sizeof(uint16_t) * num_deflt_grps);
+
+ if (ctx->ext.supported_groups_default == NULL) {
+ ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+
+ memcpy(ctx->ext.supported_groups_default, tmp_supp_groups, num_deflt_grps);
+ ctx->ext.supported_groups_default_len = num_deflt_grps;
+
+ return 1;
 }
 static uint16_t tls1_group_name2id(SSL_CTX *ctx, const char *name)
@@ -484,7 +503,6 @@ uint16_t tls1_nid2group_id(int nid)
 void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups,
 size_t *pgroupslen)
 {
-#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
 /* For Suite B mode only include P-256, P-384 */
 switch (tls1_suiteb(s)) {
 # ifndef OPENSSL_NO_EC
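Review bot: The `memcpy` at the end of ssl_load_groups passes `num_deflt_grps` as a byte count, so only half of the collected `uint16_t` ids are copied while the upper half of the freshly OPENSSL_malloc'd buffer stays uninitialised, yet `supported_groups_default_len` claims all of it; since tls1_get_supported_groups (later hunk) hands exactly this buffer out as the default list, those uninitialised halves become group ids the supported_groups extension advertises and negotiates against. The outer loop has the mirror-image mistake: `i < sizeof(supported_groups_default)` counts bytes, twice the element count, so the second half of the iterations read past the end of the static array (undefined behaviour; whatever the linker places after it — possibly the `suiteb_curves` table declared right below — gets matched against the provider list as though it were a default). The inner loop also never breaks after a match, so an id present more than once in `group_list` (presumably possible when two loaded providers implement the same group) is emitted twice, and together with the doubled bound that can in principle overrun `tmp_supp_groups`. Sizing and iterating with `OSSL_NELEM` (already used by the old code in this file), breaking on the first match and handing `num_deflt_grps * sizeof(uint16_t)` to memcpy fixes all three:
```c
int ssl_load_groups(SSL_CTX *ctx)
{
    size_t i, j, num_deflt_grps = 0;
    /* Element count, not byte count: sizeof() is twice too large for uint16_t. */
    uint16_t tmp_supp_groups[OSSL_NELEM(supported_groups_default)];

    /* … unchanged: OSSL_PROVIDER_do_all() call and its failure return … */

    for (i = 0; i < OSSL_NELEM(supported_groups_default); i++) {
        for (j = 0; j < ctx->group_list_len; j++) {
            if (ctx->group_list[j].group_id == supported_groups_default[i]) {
                tmp_supp_groups[num_deflt_grps++] = supported_groups_default[i];
                break; /* one slot per default group, however often group_list lists it */
            }
        }
    }

    /* … unchanged: empty-list early return, OPENSSL_malloc() and its NULL check … */

    /* memcpy takes bytes; passing num_deflt_grps alone left half the buffer uninitialised. */
    memcpy(ctx->ext.supported_groups_default, tmp_supp_groups,
           num_deflt_grps * sizeof(uint16_t));
    ctx->ext.supported_groups_default_len = num_deflt_grps;

    /* … unchanged: return 1 … */
```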
@@ -506,18 +524,14 @@ void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups,
 default:
 if (s->ext.supportedgroups == NULL) {
- *pgroups = supported_groups_default;
- *pgroupslen = OSSL_NELEM(supported_groups_default);
+ *pgroups = s->ctx->ext.supported_groups_default;
+ *pgroupslen = s->ctx->ext.supported_groups_default_len;
 } else {
 *pgroups = s->ext.supportedgroups;
 *pgroupslen = s->ext.supportedgroups_len;
 }
 break;
 }
-#else
- *pgroups = NULL;
- *pgroupslen = 0;
-#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */
 }
 int tls_valid_group(SSL *s, uint16_t group_id, int minversion, int maxversion) |
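Review bot: With the `#else` fallback removed, the `default:` branch now returns `s->ctx->ext.supported_groups_default`, which ssl_load_groups (earlier hunk) leaves NULL with `supported_groups_default_len == 0` whenever no loaded provider implements any of the built-in defaults, because it returns 1 without allocating; before this change, with EC or DH compiled in, the default list could never be empty. The NULL/zero-length pair is the same shape the old `#else` branch produced only for EC-and-DH-less builds, but the supported_groups constructors and parsers that presumably consume it are now compiled unconditionally, so each should be checked to treat an empty list as "do not send the extension" rather than emitting a zero-length list; their bodies are outside this diff. tls1_get_supported_groups itself starts in the preceding hunk, where the surviving `# ifndef OPENSSL_NO_EC` still carries the nested-indent form of the outer `#if` that was just deleted; `#ifndef OPENSSL_NO_EC` matches the rest of the file now that it is top-level.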