From 8841154a90914c6f8cb4649beed36f8d1b82a19c Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Fri, 22 Sep 2017 23:43:03 +0100 Subject: [PATCH] Return group id in tls1_shared_group Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/=4412) --- ssl/s3_lib.c | 2 +- ssl/ssl_locl.h | 2 +- ssl/statem/statem_srvr.c | 4 +--- ssl/t1_lib.c | 31 ++++++++++++++----------------- 4 files changed, 17 insertions(+), 22 deletions(-) diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 4127b28ea4..84e945fc1d 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3633,7 +3633,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) &s->ext.supportedgroups_len, parg); case SSL_CTRL_GET_SHARED_GROUP: - return tls1_shared_group(s, larg); + return tls1_ec_curve_id2nid(tls1_shared_group(s, larg), NULL); #endif case SSL_CTRL_SET_SIGALGS: diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 5eda6362a1..69f547ee10 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -2336,7 +2336,7 @@ SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n); __owur int tls1_ec_curve_id2nid(uint16_t curve_id, unsigned int *pflags); __owur uint16_t tls1_ec_nid2curve_id(int nid); __owur int tls1_check_curve(SSL *s, const unsigned char *p, size_t len); -__owur int tls1_shared_group(SSL *s, int nmatch); +__owur uint16_t tls1_shared_group(SSL *s, int nmatch); __owur int tls1_set_groups(uint16_t **pext, size_t *pextlen, int *curves, size_t ncurves); __owur int tls1_set_groups_list(uint16_t **pext, size_t *pextlen, diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 81c8ee4f21..dc727e1e0f 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -2331,7 +2331,6 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) #endif #ifndef OPENSSL_NO_EC if (type & (SSL_kECDHE | SSL_kECDHEPSK)) { - int nid; if (s->s3->tmp.pkey != NULL) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, @@ -2340,8 +2339,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) } /* Get NID of appropriate shared curve */ - nid = tls1_shared_group(s, -2); - curve_id = tls1_ec_nid2curve_id(nid); + curve_id = tls1_shared_group(s, -2); if (curve_id == 0) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 994ae85247..4345576ae6 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -197,7 +197,7 @@ int tls1_ec_curve_id2nid(uint16_t curve_id, unsigned int *pflags) const tls_curve_info *cinfo; /* ECC curves from RFC 4492 and RFC 7027 */ if (curve_id < 1 || curve_id > OSSL_NELEM(nid_list)) - return 0; + return NID_undef; cinfo = nid_list + curve_id - 1; if (pflags) *pflags = cinfo->flags; @@ -313,13 +313,13 @@ int tls1_check_curve(SSL *s, const unsigned char *p, size_t len) } /*- - * For nmatch >= 0, return the NID of the |nmatch|th shared group or NID_undef + * For nmatch >= 0, return the id of the |nmatch|th shared group or 0 * if there is no match. * For nmatch == -1, return number of matches - * For nmatch == -2, return the NID of the group to use for - * an EC tmp key, or NID_undef if there is no match. + * For nmatch == -2, return the id of the group to use for + * an tmp key, or 0 if there is no match. */ -int tls1_shared_group(SSL *s, int nmatch) +uint16_t tls1_shared_group(SSL *s, int nmatch) { const uint16_t *pref, *supp; size_t num_pref, num_supp, i, j; @@ -327,7 +327,7 @@ int tls1_shared_group(SSL *s, int nmatch) /* Can't do anything on client side */ if (s->server == 0) - return -1; + return 0; if (nmatch == -2) { if (tls1_suiteb(s)) { /* @@ -337,11 +337,11 @@ int tls1_shared_group(SSL *s, int nmatch) unsigned long cid = s->s3->tmp.new_cipher->id; if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) - return NID_X9_62_prime256v1; /* P-256 */ + return TLSEXT_curve_P_256; if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) - return NID_secp384r1; /* P-384 */ + return TLSEXT_curve_P_384; /* Should never happen */ - return NID_undef; + return 0; } /* If not Suite B just return first preference shared curve */ nmatch = 0; @@ -353,12 +353,11 @@ int tls1_shared_group(SSL *s, int nmatch) if (!tls1_get_curvelist(s, (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0, &supp, &num_supp)) - /* In practice, NID_undef == 0 but let's be precise. */ - return nmatch == -1 ? 0 : NID_undef; + return 0; if (!tls1_get_curvelist(s, (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0, &pref, &num_pref)) - return nmatch == -1 ? 0 : NID_undef; + return 0; for (k = 0, i = 0; i < num_pref; i++) { uint16_t id = pref[i]; @@ -368,7 +367,7 @@ int tls1_shared_group(SSL *s, int nmatch) if (!tls_curve_allowed(s, id, SSL_SECOP_CURVE_SHARED)) continue; if (nmatch == k) - return tls1_ec_curve_id2nid(id, NULL); + return id; k++; } } @@ -376,7 +375,7 @@ int tls1_shared_group(SSL *s, int nmatch) if (nmatch == -1) return k; /* Out of range (nmatch > k). */ - return NID_undef; + return 0; } int tls1_set_groups(uint16_t **pext, size_t *pextlen, @@ -643,9 +642,7 @@ int tls1_check_ec_tmp_key(SSL *s, unsigned long cid) return 1; } /* Need a shared curve */ - if (tls1_shared_group(s, 0)) - return 1; - return 0; + return tls1_shared_group(s, 0) != 0; } #else