wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Allow TLSv1.3 in a no-ec build

Browse source 
Now that we have TLSv1.3 FFDHE support there is no reason why we should
not allow TLSv1.3 to be used in a no-ec build. This commit enables that
to happen.

It also fixes no-ec which was previously broken.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9156)
This commit is contained in:
Matt Caswell 2019-06-13 11:06:12 +01:00
parent 8013a933da
commit dbc6268f68
23 changed files with 347 additions and 193 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
Configure
View file

@ -482,7 +482,7 @@ my @disable_cascades = (
"ssl3-method" => [ "ssl3" ],
"zlib" => [ "zlib-dynamic" ],
"des" => [ "mdc2" ],
"ec" => [ "ecdsa", "ecdh" ],
"ec" => [ "ecdsa", "ecdh", "sm2" ],
"dgram" => [ "dtls", "sctp" ],
"sock" => [ "dgram" ],
@ -526,7 +526,6 @@ my @disable_cascades = (
"apps" => [ "tests" ],
"tests" => [ "external-tests" ],
"comp" => [ "zlib" ],
"ec" => [ "tls1_3", "sm2" ],
"sm3" => [ "sm2" ],
sub { !$disabled{"unit-test"} } => [ "heartbeats" ],

6
ssl/s3_lib.c
View file

@ -3578,7 +3578,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
}
return ssl_cert_set_current(s->cert, larg);
#ifndef OPENSSL_NO_EC
case SSL_CTRL_GET_GROUPS:
{
uint16_t *clist;
@ -3623,7 +3622,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
}
return id;
}
#endif
case SSL_CTRL_SET_SIGALGS:
return tls1_set_sigalgs(s->cert, parg, larg, 0);
@ -3899,7 +3898,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
break;
#endif
#ifndef OPENSSL_NO_EC
case SSL_CTRL_SET_GROUPS:
return tls1_set_groups(&ctx->ext.supportedgroups,
&ctx->ext.supportedgroups_len,
@ -3909,7 +3907,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
return tls1_set_groups_list(&ctx->ext.supportedgroups,
&ctx->ext.supportedgroups_len,
parg);
#endif
case SSL_CTRL_SET_SIGALGS:
return tls1_set_sigalgs(ctx->cert, parg, larg, 0);

3
ssl/ssl_lib.c
View file

@ -780,6 +780,7 @@ SSL *SSL_new(SSL_CTX *ctx)
s->ext.ecpointformats_len =
ctx->ext.ecpointformats_len;
}
#endif
if (ctx->ext.supportedgroups) {
s->ext.supportedgroups =
OPENSSL_memdup(ctx->ext.supportedgroups,
@ -789,7 +790,7 @@ SSL *SSL_new(SSL_CTX *ctx)
goto err;
s->ext.supportedgroups_len = ctx->ext.supportedgroups_len;
}
#endif
#ifndef OPENSSL_NO_NEXTPROTONEG
s->ext.npn = NULL;
#endif

14
ssl/ssl_locl.h
View file

@ -959,9 +959,10 @@ struct ssl_ctx_st {
/* EC extension values inherited by SSL structure */
size_t ecpointformats_len;
unsigned char *ecpointformats;
# endif /* OPENSSL_NO_EC */
size_t supportedgroups_len;
uint16_t *supportedgroups;
# endif /* OPENSSL_NO_EC */
/*
* ALPN information (we are in the process of transitioning from NPN to
@ -2525,8 +2526,6 @@ __owur int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s);
SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n);
# ifndef OPENSSL_NO_EC
__owur const TLS_GROUP_INFO *tls1_group_id_lookup(uint16_t curve_id);
__owur int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_curves);
__owur uint16_t tls1_shared_group(SSL *s, int nmatch);
@ -2534,15 +2533,16 @@ __owur int tls1_set_groups(uint16_t **pext, size_t *pextlen,
int *curves, size_t ncurves);
__owur int tls1_set_groups_list(uint16_t **pext, size_t *pextlen,
const char *str);
void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
size_t *num_formats);
__owur int tls1_check_ec_tmp_key(SSL *s, unsigned long id);
__owur EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id);
__owur int tls_valid_group(SSL *s, uint16_t group_id, int version);
__owur EVP_PKEY *ssl_generate_param_group(uint16_t id);
# ifndef OPENSSL_NO_EC
void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
size_t *num_formats);
__owur int tls1_check_ec_tmp_key(SSL *s, unsigned long id);
# endif /* OPENSSL_NO_EC */
__owur int tls_curve_allowed(SSL *s, uint16_t curve, int op);
__owur int tls_group_allowed(SSL *s, uint16_t curve, int op);
void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups,
size_t *pgroupslen);

11
ssl/statem/extensions.c
View file

@ -46,9 +46,7 @@ static int init_etm(SSL *s, unsigned int context);
static int init_ems(SSL *s, unsigned int context);
static int final_ems(SSL *s, unsigned int context, int sent);
static int init_psk_kex_modes(SSL *s, unsigned int context);
#ifndef OPENSSL_NO_EC
static int final_key_share(SSL *s, unsigned int context, int sent);
#endif
#ifndef OPENSSL_NO_SRTP
static int init_srtp(SSL *s, unsigned int context);
#endif
@ -162,6 +160,10 @@ static const EXTENSION_DEFINITION ext_defs[] = {
tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
final_ec_pt_formats
},
#else
INVALID_EXTENSION,
#endif
#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
{
/*
* "supported_groups" is spread across several specifications.
@ -197,7 +199,6 @@ static const EXTENSION_DEFINITION ext_defs[] = {
},
#else
INVALID_EXTENSION,
INVALID_EXTENSION,
#endif
{
TLSEXT_TYPE_session_ticket,
@ -322,7 +323,6 @@ static const EXTENSION_DEFINITION ext_defs[] = {
init_psk_kex_modes, tls_parse_ctos_psk_kex_modes, NULL, NULL,
tls_construct_ctos_psk_kex_modes, NULL
},
#ifndef OPENSSL_NO_EC
{
/*
* Must be in this list after supported_groups. We need that to have
@ -336,7 +336,6 @@ static const EXTENSION_DEFINITION ext_defs[] = {
tls_construct_stoc_key_share, tls_construct_ctos_key_share,
final_key_share
},
#endif
{
/* Must be after key_share */
TLSEXT_TYPE_cookie,
@ -1266,7 +1265,6 @@ static int final_sig_algs(SSL *s, unsigned int context, int sent)
return 1;
}
#ifndef OPENSSL_NO_EC
static int final_key_share(SSL *s, unsigned int context, int sent)
{
if (!SSL_IS_TLS13(s))
@ -1429,7 +1427,6 @@ static int final_key_share(SSL *s, unsigned int context, int sent)
return 1;
}
#endif
static int init_psk_kex_modes(SSL *s, unsigned int context)
{

48
ssl/statem/extensions_clnt.c
View file

@ -113,11 +113,13 @@ EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context,
#endif
#ifndef OPENSSL_NO_EC
static int use_ecc(SSL *s)
static int use_ecc(SSL *s, int max_version)
{
int i, end, ret = 0;
unsigned long alg_k, alg_a;
STACK_OF(SSL_CIPHER) *cipher_stack = NULL;
const uint16_t *pgroups = NULL;
size_t num_groups, j;
/* See if we support any ECC ciphersuites */
if (s->version == SSL3_VERSION)
@ -137,9 +139,21 @@ static int use_ecc(SSL *s)
break;
}
}
sk_SSL_CIPHER_free(cipher_stack);
return ret;
if (!ret)
return 0;
/* Check we have at least one EC supported group */
tls1_get_supported_groups(s, &pgroups, &num_groups);
for (j = 0; j < num_groups; j++) {
uint16_t ctmp = pgroups[j];
if (tls_valid_group(s, ctmp, max_version)
&& tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED))
return 1;
}
return 0;
}
EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt,
@ -148,8 +162,15 @@ EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt,
{
const unsigned char *pformats;
size_t num_formats;
int reason, min_version, max_version;
if (!use_ecc(s))
reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
if (reason != 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CTOS_EC_PT_FORMATS, reason);
return EXT_RETURN_FAIL;
}
if (!use_ecc(s, max_version))
return EXT_RETURN_NOT_SENT;
/* Add TLS extension ECPointFormats to the ClientHello message */
@ -167,7 +188,9 @@ EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt,
return EXT_RETURN_SENT;
}
#endif
#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x,
size_t chainidx)
@ -176,9 +199,6 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
size_t num_groups = 0, i;
int min_version, max_version, reason;
if (!use_ecc(s))
return EXT_RETURN_NOT_SENT;
reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
if (reason != 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
@ -186,6 +206,14 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
return EXT_RETURN_FAIL;
}
#if defined(OPENSSL_NO_EC)
if (max_version < TLS1_3_VERSION)
return EXT_RETURN_NOT_SENT;
#else
if (!use_ecc(s, max_version) && max_version < TLS1_3_VERSION)
return EXT_RETURN_NOT_SENT;
#endif
/*
* Add TLS extension supported_groups to the ClientHello message
*/
@ -206,7 +234,7 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
uint16_t ctmp = pgroups[i];
if (tls_valid_group(s, ctmp, max_version)
&& tls_curve_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) {
&& tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) {
if (!WPACKET_put_bytes_u16(pkt, ctmp)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
@ -683,7 +711,7 @@ EXT_RETURN tls_construct_ctos_key_share(SSL *s, WPACKET *pkt,
} else {
for (i = 0; i < num_groups; i++) {
if (!tls_curve_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED))
if (!tls_group_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED))
continue;
curve_id = pgroups[i];
@ -1843,7 +1871,7 @@ int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
break;
}
if (i >= num_groups
|| !tls_curve_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)) {
|| !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)) {
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
return 0;

6
ssl/statem/extensions_srvr.c
View file

@ -946,7 +946,7 @@ int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
return 1;
}
#ifndef OPENSSL_NO_EC
#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx)
{
@ -1400,7 +1400,7 @@ EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
}
#endif
#ifndef OPENSSL_NO_EC
#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x,
size_t chainidx)
@ -1425,7 +1425,7 @@ EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
uint16_t group = groups[i];
if (tls_valid_group(s, group, SSL_version(s))
&& tls_curve_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
&& tls_group_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
if (first) {
/*
* Check if the client is already using our preferred group. If

4
ssl/statem/statem_lib.c
View file

@ -2137,7 +2137,6 @@ int ssl_set_client_hello_version(SSL *s)
* used. Returns 1 if the group is in the list (and allowed if |checkallow| is
* 1) or 0 otherwise.
*/
#ifndef OPENSSL_NO_EC
int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups,
size_t num_groups, int checkallow)
{
@ -2151,14 +2150,13 @@ int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups,
if (group_id == group
&& (!checkallow
|| tls_curve_allowed(s, group, SSL_SECOP_CURVE_CHECK))) {
|| tls_group_allowed(s, group, SSL_SECOP_CURVE_CHECK))) {
return 1;
}
}
return 0;
}
#endif
/* Replace ClientHello1 in the transcript hash with a synthetic message */
int create_synthetic_message_hash(SSL *s, const unsigned char *hashval,

5
ssl/statem/statem_locl.h
View file

@ -199,9 +199,9 @@ int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
#ifndef OPENSSL_NO_EC
int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx);
#endif
int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidxl);
#endif
int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx);
int tls_parse_ctos_sig_algs_cert(SSL *s, PACKET *pkt, unsigned int context,
@ -314,10 +314,11 @@ EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context, X5
EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x,
size_t chainidx);
#endif
EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x,
size_t chainidx);
#endif
EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x,
size_t chainidx);

214
ssl/t1_lib.c
View file

@ -128,12 +128,11 @@ int tls1_clear(SSL *s)
return 1;
}
#ifndef OPENSSL_NO_EC
/*
* Table of curve information.
* Table of group information.
*/
static const TLS_GROUP_INFO nid_list[] = {
#ifndef OPENSSL_NO_EC
{NID_sect163k1, 80, TLS_GROUP_CURVE_CHAR2, 0x0001}, /* sect163k1 (1) */
{NID_sect163r1, 80, TLS_GROUP_CURVE_CHAR2, 0x0002}, /* sect163r1 (2) */
{NID_sect163r2, 80, TLS_GROUP_CURVE_CHAR2, 0x0003}, /* sect163r2 (3) */
@ -164,38 +163,49 @@ static const TLS_GROUP_INFO nid_list[] = {
{NID_brainpoolP512r1, 256, TLS_GROUP_CURVE_PRIME, 0x001C}, /* brainpool512r1 (28) */
{EVP_PKEY_X25519, 128, TLS_GROUP_CURVE_CUSTOM, 0x001D}, /* X25519 (29) */
{EVP_PKEY_X448, 224, TLS_GROUP_CURVE_CUSTOM, 0x001E}, /* X448 (30) */
#endif /* OPENSSL_NO_EC */
#ifndef OPENSSL_NO_DH
/* Security bit values for FFDHE groups are updated as per RFC 7919 */
{NID_ffdhe2048, 103, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0100}, /* ffdhe2048 (0x0100) */
{NID_ffdhe3072, 125, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0101}, /* ffdhe3072 (0x0101) */
{NID_ffdhe4096, 150, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0102}, /* ffdhe4096 (0x0102) */
{NID_ffdhe6144, 175, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0103}, /* ffdhe6144 (0x0103) */
{NID_ffdhe8192, 192, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0104}, /* ffdhe8192 (0x0104) */
#endif /* OPENSSL_NO_DH */
};
#ifndef OPENSSL_NO_EC
static const unsigned char ecformats_default[] = {
TLSEXT_ECPOINTFORMAT_uncompressed,
TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
};
#endif
/* The default curves */
static const uint16_t supported_groups_default[] = {
#ifndef OPENSSL_NO_EC
29, /* X25519 (29) */
23, /* secp256r1 (23) */
30, /* X448 (30) */
25, /* secp521r1 (25) */
24, /* secp384r1 (24) */
#endif
#ifndef OPENSSL_NO_DH
0x100, /* ffdhe2048 (0x100) */
0x101, /* ffdhe3072 (0x101) */
0x102, /* ffdhe4096 (0x102) */
0x103, /* ffdhe6144 (0x103) */
0x104, /* ffdhe8192 (0x104) */
#endif
};
#ifndef OPENSSL_NO_EC
static const uint16_t suiteb_curves[] = {
TLSEXT_curve_P_256,
TLSEXT_curve_P_384
};
#endif
const TLS_GROUP_INFO *tls1_group_id_lookup(uint16_t group_id)
{
@ -230,6 +240,7 @@ void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups,
/* For Suite B mode only include P-256, P-384 */
switch (tls1_suiteb(s)) {
#ifndef OPENSSL_NO_EC
case SSL_CERT_FLAG_SUITEB_128_LOS:
*pgroups = suiteb_curves;
*pgroupslen = OSSL_NELEM(suiteb_curves);
@ -244,6 +255,7 @@ void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups,
*pgroups = suiteb_curves + 1;
*pgroupslen = 1;
break;
#endif
default:
if (s->ext.supportedgroups == NULL) {
@ -268,25 +280,25 @@ int tls_valid_group(SSL *s, uint16_t group_id, int version)
return 1;
}
/* See if curve is allowed by security callback */
int tls_curve_allowed(SSL *s, uint16_t curve, int op)
/* See if group is allowed by security callback */
int tls_group_allowed(SSL *s, uint16_t group, int op)
{
const TLS_GROUP_INFO *cinfo = tls1_group_id_lookup(curve);
unsigned char ctmp[2];
const TLS_GROUP_INFO *ginfo = tls1_group_id_lookup(group);
unsigned char gtmp[2];
if (cinfo == NULL)
if (ginfo == NULL)
return 0;
# ifdef OPENSSL_NO_EC2M
if (cinfo->flags & TLS_GROUP_CURVE_CHAR2)
#ifdef OPENSSL_NO_EC2M
if (ginfo->flags & TLS_GROUP_CURVE_CHAR2)
return 0;
# endif
# ifdef OPENSSL_NO_DH
if (cinfo->flags & TLS_GROUP_FFDHE)
#endif
#ifdef OPENSSL_NO_DH
if (ginfo->flags & TLS_GROUP_FFDHE)
return 0;
# endif
ctmp[0] = curve >> 8;
ctmp[1] = curve & 0xff;
return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)ctmp);
#endif
gtmp[0] = group >> 8;
gtmp[1] = group & 0xff;
return ssl_security(s, op, ginfo->secbits, ginfo->nid, (void *)gtmp);
}
/* Return 1 if "id" is in "list" */
@ -349,7 +361,7 @@ uint16_t tls1_shared_group(SSL *s, int nmatch)
uint16_t id = pref[i];
if (!tls1_in_list(id, supp, num_supp)
|| !tls_curve_allowed(s, id, SSL_SECOP_CURVE_SHARED))
|| !tls_group_allowed(s, id, SSL_SECOP_CURVE_SHARED))
continue;
if (nmatch == k)
return id;
@ -404,28 +416,30 @@ err:
return 0;
}
# define MAX_CURVELIST OSSL_NELEM(nid_list)
#define MAX_GROUPLIST OSSL_NELEM(nid_list)
typedef struct {
size_t nidcnt;
int nid_arr[MAX_CURVELIST];
int nid_arr[MAX_GROUPLIST];
} nid_cb_st;
static int nid_cb(const char *elem, int len, void *arg)
{
nid_cb_st *narg = arg;
size_t i;
int nid;
int nid = NID_undef;
char etmp[20];
if (elem == NULL)
return 0;
if (narg->nidcnt == MAX_CURVELIST)
if (narg->nidcnt == MAX_GROUPLIST)
return 0;
if (len > (int)(sizeof(etmp) - 1))
return 0;
memcpy(etmp, elem, len);
etmp[len] = 0;
#ifndef OPENSSL_NO_EC
nid = EC_curve_nist2nid(etmp);
#endif
if (nid == NID_undef)
nid = OBJ_sn2nid(etmp);
if (nid == NID_undef)
@ -450,16 +464,78 @@ int tls1_set_groups_list(uint16_t **pext, size_t *pextlen, const char *str)
return 1;
return tls1_set_groups(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
}
/* Return group id of a key */
static uint16_t tls1_get_group_id(EVP_PKEY *pkey)
{
EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
const EC_GROUP *grp;
if (ec == NULL)
/* Check a group id matches preferences */
int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_groups)
{
const uint16_t *groups;
size_t groups_len;
if (group_id == 0)
return 0;
grp = EC_KEY_get0_group(ec);
return tls1_nid2group_id(EC_GROUP_get_curve_name(grp));
/* Check for Suite B compliance */
if (tls1_suiteb(s) && s->s3.tmp.new_cipher != NULL) {
unsigned long cid = s->s3.tmp.new_cipher->id;
if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
if (group_id != TLSEXT_curve_P_256)
return 0;
} else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
if (group_id != TLSEXT_curve_P_384)
return 0;
} else {
/* Should never happen */
return 0;
}
}
if (check_own_groups) {
/* Check group is one of our preferences */
tls1_get_supported_groups(s, &groups, &groups_len);
if (!tls1_in_list(group_id, groups, groups_len))
return 0;
}
if (!tls_group_allowed(s, group_id, SSL_SECOP_CURVE_CHECK))
return 0;
/* For clients, nothing more to check */
if (!s->server)
return 1;
/* Check group is one of peers preferences */
tls1_get_peer_groups(s, &groups, &groups_len);
/*
* RFC 4492 does not require the supported elliptic curves extension
* so if it is not sent we can just choose any curve.
* It is invalid to send an empty list in the supported groups
* extension, so groups_len == 0 always means no extension.
*/
if (groups_len == 0)
return 1;
return tls1_in_list(group_id, groups, groups_len);
}
#ifndef OPENSSL_NO_EC
void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
size_t *num_formats)
{
/*
* If we have a custom point format list use it otherwise use default
*/
if (s->ext.ecpointformats) {
*pformats = s->ext.ecpointformats;
*num_formats = s->ext.ecpointformats_len;
} else {
*pformats = ecformats_default;
/* For Suite B we don't support char2 fields */
if (tls1_suiteb(s))
*num_formats = sizeof(ecformats_default) - 1;
else
*num_formats = sizeof(ecformats_default);
}
}
/* Check a key is compatible with compression extension */
@ -509,76 +585,16 @@ static int tls1_check_pkey_comp(SSL *s, EVP_PKEY *pkey)
return 0;
}
/* Check a group id matches preferences */
int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_groups)
{
const uint16_t *groups;
size_t groups_len;
if (group_id == 0)
return 0;
/* Check for Suite B compliance */
if (tls1_suiteb(s) && s->s3.tmp.new_cipher != NULL) {
unsigned long cid = s->s3.tmp.new_cipher->id;
if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
if (group_id != TLSEXT_curve_P_256)
return 0;
} else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
if (group_id != TLSEXT_curve_P_384)
return 0;
} else {
/* Should never happen */
return 0;
}
}
if (check_own_groups) {
/* Check group is one of our preferences */
tls1_get_supported_groups(s, &groups, &groups_len);
if (!tls1_in_list(group_id, groups, groups_len))
return 0;
}
if (!tls_curve_allowed(s, group_id, SSL_SECOP_CURVE_CHECK))
return 0;
/* For clients, nothing more to check */
if (!s->server)
return 1;
/* Check group is one of peers preferences */
tls1_get_peer_groups(s, &groups, &groups_len);
/*
* RFC 4492 does not require the supported elliptic curves extension
* so if it is not sent we can just choose any curve.
* It is invalid to send an empty list in the supported groups
* extension, so groups_len == 0 always means no extension.
*/
if (groups_len == 0)
return 1;
return tls1_in_list(group_id, groups, groups_len);
}
void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
size_t *num_formats)
/* Return group id of a key */
static uint16_t tls1_get_group_id(EVP_PKEY *pkey)
{
/*
* If we have a custom point format list use it otherwise use default
*/
if (s->ext.ecpointformats) {
*pformats = s->ext.ecpointformats;
*num_formats = s->ext.ecpointformats_len;
} else {
*pformats = ecformats_default;
/* For Suite B we don't support char2 fields */
if (tls1_suiteb(s))
*num_formats = sizeof(ecformats_default) - 1;
else
*num_formats = sizeof(ecformats_default);
}
EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
const EC_GROUP *grp;
if (ec == NULL)
return 0;
grp = EC_KEY_get0_group(ec);
return tls1_nid2group_id(EC_GROUP_get_curve_name(grp));
}
/*

4
test/recipes/70-test_clienthello.t
View file

@ -15,6 +15,10 @@ setup("test_clienthello");
plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build"
if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls"));
#No EC with TLSv1.3 confuses the padding calculations in this test
plan skip_all => "No EC with TLSv1.3 is not supported by this test"
if disabled("ec") && !disabled("tls1_3");
plan tests => 1;
ok(run(test(["clienthellotest", srctop_file("test", "session.pem")])),

92
test/recipes/70-test_key_share.t
View file

@ -36,7 +36,9 @@ use constant {
use constant {
X25519 => 0x1d,
P_256 => 0x17
P_256 => 0x17,
FFDHE2048 => 0x0100,
FFDHE3072 => 0x0101
};
my $testtype;
@ -74,7 +76,11 @@ my $proxy = TLSProxy::Proxy->new(
$testtype = EMPTY_EXTENSION;
$direction = CLIENT_TO_SERVER;
$proxy->filter(\&modify_key_shares_filter);
$proxy->serverflags("-curves P-256");
if (disabled("ec")) {
$proxy->serverflags("-groups ffdhe3072");
} else {
$proxy->serverflags("-groups P-256");
}
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 22;
ok(TLSProxy::Message->success(), "Success after HRR");
@ -95,31 +101,52 @@ ok(TLSProxy::Message->fail(), "Missing key_shares extension");
# HelloRetryRequest
$proxy->clear();
$proxy->filter(undef);
$proxy->serverflags("-curves P-256");
if (disabled("ec")) {
$proxy->serverflags("-groups ffdhe3072");
} else {
$proxy->serverflags("-groups P-256");
}
$proxy->start();
ok(TLSProxy::Message->success(), "No initial acceptable key_shares");
#Test 5: No acceptable key_shares and no shared groups should fail
$proxy->clear();
$proxy->filter(undef);
$proxy->serverflags("-curves P-256");
$proxy->clientflags("-curves P-384");
if (disabled("ec")) {
$proxy->serverflags("-groups ffdhe2048");
} else {
$proxy->serverflags("-groups P-256");
}
if (disabled("ec")) {
$proxy->clientflags("-groups ffdhe3072");
} else {
$proxy->clientflags("-groups P-384");
}
$proxy->start();
ok(TLSProxy::Message->fail(), "No acceptable key_shares");
#Test 6: A non preferred but acceptable key_share should succeed
$proxy->clear();
$proxy->clientflags("-curves P-256");
if (disabled("ec")) {
$proxy->clientflags("-groups ffdhe3072");
} else {
$proxy->clientflags("-groups P-256");
}
$proxy->start();
ok(TLSProxy::Message->success(), "Non preferred key_share");
$proxy->filter(\&modify_key_shares_filter);
#Test 7: An acceptable key_share after a list of non-acceptable ones should
#succeed
$proxy->clear();
$testtype = ACCEPTABLE_AT_END;
$proxy->start();
ok(TLSProxy::Message->success(), "Acceptable key_share at end of list");
SKIP: {
skip "No ec support in this OpenSSL build", 1 if disabled("ec");
#Test 7: An acceptable key_share after a list of non-acceptable ones should
#succeed
$proxy->clear();
$testtype = ACCEPTABLE_AT_END;
$proxy->start();
ok(TLSProxy::Message->success(), "Acceptable key_share at end of list");
}
#Test 8: An acceptable key_share but for a group not in supported_groups should
#fail
@ -156,22 +183,45 @@ ok(TLSProxy::Message->fail(), "key_share list trailing data");
$proxy->clear();
$direction = SERVER_TO_CLIENT;
$testtype = LOOK_ONLY;
$proxy->clientflags("-curves P-256:X25519");
$selectedgroupid = 0;
if (disabled("ec")) {
$proxy->clientflags("-groups ffdhe3072:ffdhe2048");
} else {
$proxy->clientflags("-groups P-256:X25519");
}
$proxy->start();
ok(TLSProxy::Message->success() && ($selectedgroupid == P_256),
"Multiple acceptable key_shares");
if (disabled("ec")) {
ok(TLSProxy::Message->success() && ($selectedgroupid == FFDHE3072),
"Multiple acceptable key_shares");
} else {
ok(TLSProxy::Message->success() && ($selectedgroupid == P_256),
"Multiple acceptable key_shares");
}
#Test 14: Multiple acceptable key_shares - we choose the first one (part 2)
$proxy->clear();
$proxy->clientflags("-curves X25519:P-256");
if (disabled("ec")) {
$proxy->clientflags("-curves ffdhe2048:ffdhe3072");
} else {
$proxy->clientflags("-curves X25519:P-256");
}
$proxy->start();
ok(TLSProxy::Message->success() && ($selectedgroupid == X25519),
"Multiple acceptable key_shares (part 2)");
if (disabled("ec")) {
ok(TLSProxy::Message->success() && ($selectedgroupid == FFDHE2048),
"Multiple acceptable key_shares (part 2)");
} else {
ok(TLSProxy::Message->success() && ($selectedgroupid == X25519),
"Multiple acceptable key_shares (part 2)");
}
#Test 15: Server sends key_share that wasn't offered should fail
$proxy->clear();
$testtype = SELECT_X25519;
$proxy->clientflags("-curves P-256");
if (disabled("ec")) {
$proxy->clientflags("-groups ffdhe3072");
} else {
$proxy->clientflags("-groups P-256");
}
$proxy->start();
ok(TLSProxy::Message->fail(), "Non offered key_share");
@ -229,7 +279,11 @@ SKIP: {
$proxy->clear();
$direction = SERVER_TO_CLIENT;
$testtype = NO_KEY_SHARES_IN_HRR;
$proxy->serverflags("-curves X25519");
if (disabled("ec")) {
$proxy->serverflags("-groups ffdhe2048");
} else {
$proxy->serverflags("-groups X25519");
}
$proxy->start();
ok(TLSProxy::Message->fail(), "Server sends HRR with no key_shares");

5
test/recipes/70-test_sslextension.t
View file

@ -217,7 +217,10 @@ SKIP: {
$proxy->clientflags("-no_tls1_3 -noservername");
$proxy->start();
ok($fatal_alert, "Unsolicited server name extension");
}
SKIP: {
skip "TLS <= 1.2 disabled or EC disabled", 1
if $no_below_tls13 || disabled("ec");
#Test 5: Inject a noncompliant supported_groups extension (<= TLSv1.2)
$proxy->clear();
$proxy->filter(\&inject_unsolicited_extension);

18
test/recipes/70-test_tls13cookie.t
View file

@ -46,17 +46,27 @@ my $testtype;
#Test 1: Inserting a cookie into an HRR should see it echoed in the ClientHello
$testtype = COOKIE_ONLY;
$proxy->filter(\&cookie_filter);
$proxy->serverflags("-curves X25519");
$proxy->serverflags("-curves X25519") if !disabled("ec");
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 2;
ok(TLSProxy::Message->success() && $cookieseen == 1, "Cookie seen");
SKIP: {
skip "EC disabled", 1, if disabled("ec");
ok(TLSProxy::Message->success() && $cookieseen == 1, "Cookie seen");
}
#Test 2: Same as test 1 but should also work where a new key_share is also
# required
$testtype = COOKIE_AND_KEY_SHARE;
$proxy->clear();
$proxy->clientflags("-curves P-256:X25519");
$proxy->serverflags("-curves X25519");
if (disabled("ec")) {
$proxy->clientflags("-curves ffdhe3072:ffdhe2048");
$proxy->serverflags("-curves ffdhe2048");
} else {
$proxy->clientflags("-curves P-256:X25519");
$proxy->serverflags("-curves X25519");
}
$proxy->start();
ok(TLSProxy::Message->success() && $cookieseen == 1, "Cookie seen");

12
test/recipes/70-test_tls13hrr.t
View file

@ -43,7 +43,11 @@ use constant {
#Test 1: A client should fail if the server changes the ciphersuite between the
# HRR and the SH
$proxy->filter(\&hrr_filter);
$proxy->serverflags("-curves P-256");
if (disabled("ec")) {
$proxy->serverflags("-curves ffdhe3072");
} else {
$proxy->serverflags("-curves P-256");
}
my $testtype = CHANGE_HRR_CIPHERSUITE;
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 2;
@ -52,7 +56,11 @@ ok(TLSProxy::Message->fail(), "Server ciphersuite changes");
#Test 2: It is an error if the client changes the offered ciphersuites so that
# we end up selecting a different ciphersuite between HRR and the SH
$proxy->clear();
$proxy->serverflags("-curves P-256");
if (disabled("ec")) {
$proxy->serverflags("-curves ffdhe3072");
} else {
$proxy->serverflags("-curves P-256");
}
$proxy->ciphersuitess("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384");
$testtype = CHANGE_CH1_CIPHERSUITE;
$proxy->start();

3
test/recipes/70-test_tls13kexmodes.t
View file

@ -28,6 +28,9 @@ plan skip_all => "$test_name needs the sock feature enabled"
plan skip_all => "$test_name needs TLSv1.3 enabled"
if disabled("tls1_3");
plan skip_all => "$test_name needs EC enabled"
if disabled("ec");
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
$ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");

3
test/recipes/70-test_tls13messages.t
View file

@ -28,6 +28,9 @@ plan skip_all => "$test_name needs the sock feature enabled"
plan skip_all => "$test_name needs TLSv1.3 enabled"
if disabled("tls1_3");
plan skip_all => "$test_name needs EC enabled"
if disabled("ec");
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
$ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");

12
test/recipes/70-test_tls13psk.t
View file

@ -66,7 +66,11 @@ ok(TLSProxy::Message->fail(), "PSK not last");
# ciphersuite. Should see PSK on second ClientHello
$proxy->clear();
$proxy->clientflags("-sess_in ".$session);
$proxy->serverflags("-curves P-256");
if (disabled("ec")) {
$proxy->serverflags("-curves ffdhe3072");
} else {
$proxy->serverflags("-curves P-256");
}
$proxy->filter(undef);
$proxy->start();
#Check if the PSK is present in the second ClientHello
@ -81,7 +85,11 @@ ok($pskseen, "PSK hash matches");
$proxy->clear();
$proxy->clientflags("-sess_in ".$session);
$proxy->filter(\&modify_psk_filter);
$proxy->serverflags("-curves P-256");
if (disabled("ec")) {
$proxy->serverflags("-curves ffdhe3072");
} else {
$proxy->serverflags("-curves P-256");
}
$proxy->ciphersuitesc("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384");
$proxy->ciphersuitess("TLS_AES_256_GCM_SHA384");
#We force an early failure because TLS Proxy doesn't actually support

2
test/recipes/80-test_ssl_new.t
View file

@ -59,7 +59,7 @@ my %conf_dependent_tests = (
|| !disabled("sctp"),
"05-sni.conf" => disabled("tls1_1"),
"07-dtls-protocol-version.conf" => !$is_default_dtls || !disabled("sctp"),
"10-resumption.conf" => !$is_default_tls,
"10-resumption.conf" => !$is_default_tls || $no_ec,
"11-dtls_resumption.conf" => !$is_default_dtls || !disabled("sctp"),
"16-dtls-certstatus.conf" => !$is_default_dtls || !disabled("sctp"),
"17-renegotiate.conf" => disabled("tls1_2"),

4
test/recipes/90-test_gost.t
View file

@ -21,6 +21,10 @@ plan skip_all => "GOST support is disabled in this OpenSSL build"
plan skip_all => "TLSv1.3 or TLSv1.2 are disabled in this OpenSSL build"
if disabled("tls1_3") || disabled("tls1_2");
plan skip_all => "EC is disabled in this OpenSSL build"
if disabled("ec");
plan skip_all => "No test GOST engine found"
if !$ENV{OPENSSL_GOST_ENGINE_SO};

2
test/ssl-tests/protocol_version.pm
View file

@ -252,7 +252,7 @@ sub generate_resumption_tests {
"client" => {
},
"server" => {
"Curves" => "P-256"
"Curves" => disabled("ec") ? "ffdhe3072" : "P-256"
},
"resume_client" => {
},

64
test/sslapitest.c
View file

@ -2960,8 +2960,13 @@ static int early_data_skip_helper(int testtype, int idx)
if (testtype == 1 || testtype == 2) {
/* Force an HRR to occur */
#if defined(OPENSSL_NO_EC)
if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
goto end;
#else
if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
goto end;
#endif
} else if (idx == 2) {
/*
* We force early_data rejection by ensuring the PSK identity is
@ -3738,8 +3743,8 @@ static int test_ciphersuite_change(void)
/*
* Test TLSv1.3 Key exchange
* Test 0 = Test ECDHE Key exchange
* Test 1 = Test FFDHE Key exchange
* Test 2 = Test ECDHE with TLSv1.2 client and TLSv1.2 server
* Test 1 = Test ECDHE with TLSv1.2 client and TLSv1.2 server
* Test 2 = Test FFDHE Key exchange
* Test 3 = Test FFDHE with TLSv1.2 client and TLSv1.2 server
*/
static int test_tls13_key_exchange(int idx)
@ -3747,8 +3752,10 @@ static int test_tls13_key_exchange(int idx)
SSL_CTX *sctx = NULL, *cctx = NULL;
SSL *serverssl = NULL, *clientssl = NULL;
int testresult = 0;
#ifndef OPENSSL_NO_EC
int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1, NID_secp521r1,
NID_X25519, NID_X448};
#endif
#ifndef OPENSSL_NO_DH
int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
NID_ffdhe6144, NID_ffdhe8192};
@ -3761,32 +3768,22 @@ static int test_tls13_key_exchange(int idx)
int expected_err_reason = 0;
switch (idx) {
case 0:
kexch_groups = ecdhe_kexch_groups;
kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
break;
#ifndef OPENSSL_NO_DH
case 1:
case 3:
max_version = TLS1_2_VERSION;
/* Fall through */
case 2:
kexch_groups = ffdhe_kexch_groups;
kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
break;
#endif
case 2:
#ifndef OPENSSL_NO_EC
case 1:
max_version = TLS1_2_VERSION;
/* Fall through */
case 0:
kexch_groups = ecdhe_kexch_groups;
kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
max_version = TLS1_2_VERSION;
expected_err_func = SSL_F_TLS_POST_PROCESS_CLIENT_HELLO;
expected_err_reason = SSL_R_NO_SHARED_CIPHER;
want_err = SSL_ERROR_SSL;
break;
#ifndef OPENSSL_NO_DH
case 3:
kexch_groups = ffdhe_kexch_groups;
kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
max_version = TLS1_2_VERSION;
want_err = SSL_ERROR_SSL;
expected_err_func = SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS;
expected_err_reason = ERR_R_INTERNAL_ERROR;
break;
#endif
default:
@ -3805,10 +3802,16 @@ static int test_tls13_key_exchange(int idx)
if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, TLS1_3_RFC_AES_128_GCM_SHA256)))
goto end;
if (!TEST_true(SSL_CTX_set_cipher_list(sctx, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM)))
if (!TEST_true(SSL_CTX_set_cipher_list(sctx, TLS1_TXT_RSA_WITH_AES_128_SHA)))
goto end;
if (!TEST_true(SSL_CTX_set_cipher_list(cctx, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM)))
/*
* Must include an EC ciphersuite so that we send supported groups in
* TLSv1.2
*/
if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
TLS1_TXT_RSA_WITH_AES_128_SHA)))
goto end;
if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
@ -3828,14 +3831,20 @@ static int test_tls13_key_exchange(int idx)
/* Fail if expected error is not happening for failure testcases */
if (expected_err_func) {
unsigned long err_code = ERR_get_error();
ERR_print_errors_fp(stdout);
if (TEST_int_eq(ERR_GET_FUNC(err_code), expected_err_func)
&& TEST_int_eq(ERR_GET_REASON(err_code), expected_err_reason))
testresult = 1;
goto end;
}
/* If Handshake succeeds the negotiated kexch alg should the first one in configured */
if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0), kexch_groups[0]))
/*
* If Handshake succeeds the negotiated kexch alg should the first one in
* configured, except in the case of FFDHE groups which are TLSv1.3 only
* so we expect no shared group to exist.
*/
if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
idx == 3 ? 0 : kexch_groups[0]))
goto end;
testresult = 1;
@ -3990,8 +3999,13 @@ static int test_tls13_psk(int idx)
goto end;
/* Force an HRR */
#if defined(OPENSSL_NO_EC)
if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
goto end;
#else
if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
goto end;
#endif
/*
* Check we can create a connection, the PSK is used and the callbacks are

5
test/tls13ccstest.c
View file

@ -315,8 +315,13 @@ static int test_tls13ccs(int tst)
if ((tst >= 3 && tst <= 5) || tst >= 9) {
/* HRR handshake */
#if defined(OPENSSL_NO_EC)
if (!TEST_true(SSL_CTX_set1_groups_list(sctx, "ffdhe3072")))
goto err;
#else
if (!TEST_true(SSL_CTX_set1_groups_list(sctx, "P-256")))
goto err;
#endif
}
s_to_c_fbio = BIO_new(bio_f_watchccs_filter());