Return group id in tls1_shared_group
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/=4412)
This commit is contained in:
parent
1483b8582c
commit
8841154a90
4 changed files with 17 additions and 22 deletions
|
@ -3633,7 +3633,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
|
||||||
&s->ext.supportedgroups_len, parg);
|
&s->ext.supportedgroups_len, parg);
|
||||||
|
|
||||||
case SSL_CTRL_GET_SHARED_GROUP:
|
case SSL_CTRL_GET_SHARED_GROUP:
|
||||||
return tls1_shared_group(s, larg);
|
return tls1_ec_curve_id2nid(tls1_shared_group(s, larg), NULL);
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
case SSL_CTRL_SET_SIGALGS:
|
case SSL_CTRL_SET_SIGALGS:
|
||||||
|
|
|
@ -2336,7 +2336,7 @@ SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n);
|
||||||
__owur int tls1_ec_curve_id2nid(uint16_t curve_id, unsigned int *pflags);
|
__owur int tls1_ec_curve_id2nid(uint16_t curve_id, unsigned int *pflags);
|
||||||
__owur uint16_t tls1_ec_nid2curve_id(int nid);
|
__owur uint16_t tls1_ec_nid2curve_id(int nid);
|
||||||
__owur int tls1_check_curve(SSL *s, const unsigned char *p, size_t len);
|
__owur int tls1_check_curve(SSL *s, const unsigned char *p, size_t len);
|
||||||
__owur int tls1_shared_group(SSL *s, int nmatch);
|
__owur uint16_t tls1_shared_group(SSL *s, int nmatch);
|
||||||
__owur int tls1_set_groups(uint16_t **pext, size_t *pextlen,
|
__owur int tls1_set_groups(uint16_t **pext, size_t *pextlen,
|
||||||
int *curves, size_t ncurves);
|
int *curves, size_t ncurves);
|
||||||
__owur int tls1_set_groups_list(uint16_t **pext, size_t *pextlen,
|
__owur int tls1_set_groups_list(uint16_t **pext, size_t *pextlen,
|
||||||
|
|
|
@ -2331,7 +2331,6 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
|
||||||
#endif
|
#endif
|
||||||
#ifndef OPENSSL_NO_EC
|
#ifndef OPENSSL_NO_EC
|
||||||
if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
|
if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
|
||||||
int nid;
|
|
||||||
|
|
||||||
if (s->s3->tmp.pkey != NULL) {
|
if (s->s3->tmp.pkey != NULL) {
|
||||||
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
|
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
|
||||||
|
@ -2340,8 +2339,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Get NID of appropriate shared curve */
|
/* Get NID of appropriate shared curve */
|
||||||
nid = tls1_shared_group(s, -2);
|
curve_id = tls1_shared_group(s, -2);
|
||||||
curve_id = tls1_ec_nid2curve_id(nid);
|
|
||||||
if (curve_id == 0) {
|
if (curve_id == 0) {
|
||||||
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
|
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
|
||||||
SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
|
SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
|
||||||
|
|
31
ssl/t1_lib.c
31
ssl/t1_lib.c
|
@ -197,7 +197,7 @@ int tls1_ec_curve_id2nid(uint16_t curve_id, unsigned int *pflags)
|
||||||
const tls_curve_info *cinfo;
|
const tls_curve_info *cinfo;
|
||||||
/* ECC curves from RFC 4492 and RFC 7027 */
|
/* ECC curves from RFC 4492 and RFC 7027 */
|
||||||
if (curve_id < 1 || curve_id > OSSL_NELEM(nid_list))
|
if (curve_id < 1 || curve_id > OSSL_NELEM(nid_list))
|
||||||
return 0;
|
return NID_undef;
|
||||||
cinfo = nid_list + curve_id - 1;
|
cinfo = nid_list + curve_id - 1;
|
||||||
if (pflags)
|
if (pflags)
|
||||||
*pflags = cinfo->flags;
|
*pflags = cinfo->flags;
|
||||||
|
@ -313,13 +313,13 @@ int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
|
||||||
}
|
}
|
||||||
|
|
||||||
/*-
|
/*-
|
||||||
* For nmatch >= 0, return the NID of the |nmatch|th shared group or NID_undef
|
* For nmatch >= 0, return the id of the |nmatch|th shared group or 0
|
||||||
* if there is no match.
|
* if there is no match.
|
||||||
* For nmatch == -1, return number of matches
|
* For nmatch == -1, return number of matches
|
||||||
* For nmatch == -2, return the NID of the group to use for
|
* For nmatch == -2, return the id of the group to use for
|
||||||
* an EC tmp key, or NID_undef if there is no match.
|
* an tmp key, or 0 if there is no match.
|
||||||
*/
|
*/
|
||||||
int tls1_shared_group(SSL *s, int nmatch)
|
uint16_t tls1_shared_group(SSL *s, int nmatch)
|
||||||
{
|
{
|
||||||
const uint16_t *pref, *supp;
|
const uint16_t *pref, *supp;
|
||||||
size_t num_pref, num_supp, i, j;
|
size_t num_pref, num_supp, i, j;
|
||||||
|
@ -327,7 +327,7 @@ int tls1_shared_group(SSL *s, int nmatch)
|
||||||
|
|
||||||
/* Can't do anything on client side */
|
/* Can't do anything on client side */
|
||||||
if (s->server == 0)
|
if (s->server == 0)
|
||||||
return -1;
|
return 0;
|
||||||
if (nmatch == -2) {
|
if (nmatch == -2) {
|
||||||
if (tls1_suiteb(s)) {
|
if (tls1_suiteb(s)) {
|
||||||
/*
|
/*
|
||||||
|
@ -337,11 +337,11 @@ int tls1_shared_group(SSL *s, int nmatch)
|
||||||
unsigned long cid = s->s3->tmp.new_cipher->id;
|
unsigned long cid = s->s3->tmp.new_cipher->id;
|
||||||
|
|
||||||
if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
|
if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
|
||||||
return NID_X9_62_prime256v1; /* P-256 */
|
return TLSEXT_curve_P_256;
|
||||||
if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
|
if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
|
||||||
return NID_secp384r1; /* P-384 */
|
return TLSEXT_curve_P_384;
|
||||||
/* Should never happen */
|
/* Should never happen */
|
||||||
return NID_undef;
|
return 0;
|
||||||
}
|
}
|
||||||
/* If not Suite B just return first preference shared curve */
|
/* If not Suite B just return first preference shared curve */
|
||||||
nmatch = 0;
|
nmatch = 0;
|
||||||
|
@ -353,12 +353,11 @@ int tls1_shared_group(SSL *s, int nmatch)
|
||||||
if (!tls1_get_curvelist(s,
|
if (!tls1_get_curvelist(s,
|
||||||
(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0,
|
(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0,
|
||||||
&supp, &num_supp))
|
&supp, &num_supp))
|
||||||
/* In practice, NID_undef == 0 but let's be precise. */
|
return 0;
|
||||||
return nmatch == -1 ? 0 : NID_undef;
|
|
||||||
if (!tls1_get_curvelist(s,
|
if (!tls1_get_curvelist(s,
|
||||||
(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0,
|
(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0,
|
||||||
&pref, &num_pref))
|
&pref, &num_pref))
|
||||||
return nmatch == -1 ? 0 : NID_undef;
|
return 0;
|
||||||
|
|
||||||
for (k = 0, i = 0; i < num_pref; i++) {
|
for (k = 0, i = 0; i < num_pref; i++) {
|
||||||
uint16_t id = pref[i];
|
uint16_t id = pref[i];
|
||||||
|
@ -368,7 +367,7 @@ int tls1_shared_group(SSL *s, int nmatch)
|
||||||
if (!tls_curve_allowed(s, id, SSL_SECOP_CURVE_SHARED))
|
if (!tls_curve_allowed(s, id, SSL_SECOP_CURVE_SHARED))
|
||||||
continue;
|
continue;
|
||||||
if (nmatch == k)
|
if (nmatch == k)
|
||||||
return tls1_ec_curve_id2nid(id, NULL);
|
return id;
|
||||||
k++;
|
k++;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -376,7 +375,7 @@ int tls1_shared_group(SSL *s, int nmatch)
|
||||||
if (nmatch == -1)
|
if (nmatch == -1)
|
||||||
return k;
|
return k;
|
||||||
/* Out of range (nmatch > k). */
|
/* Out of range (nmatch > k). */
|
||||||
return NID_undef;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
int tls1_set_groups(uint16_t **pext, size_t *pextlen,
|
int tls1_set_groups(uint16_t **pext, size_t *pextlen,
|
||||||
|
@ -643,9 +642,7 @@ int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
/* Need a shared curve */
|
/* Need a shared curve */
|
||||||
if (tls1_shared_group(s, 0))
|
return tls1_shared_group(s, 0) != 0;
|
||||||
return 1;
|
|
||||||
return 0;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#else
|
#else
|
||||||
|
|
Loading…
Reference in a new issue