From dbc6268f68e50b2e49d7c5b1157b4f6bcea5d6f9 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 13 Jun 2019 11:06:12 +0100 Subject: Allow TLSv1.3 in a no-ec build Now that we have TLSv1.3 FFDHE support there is no reason why we should not allow TLSv1.3 to be used in a no-ec build. This commit enables that to happen. It also fixes no-ec which was previously broken. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/9156) --- ssl/t1_lib.c | 178 ++++++++++++++++++++++++++++++++--------------------------- 1 file changed, 97 insertions(+), 81 deletions(-) (limited to 'ssl/t1_lib.c') diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 52e6d5426a..373f1c58d6 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -128,12 +128,11 @@ int tls1_clear(SSL *s) return 1; } -#ifndef OPENSSL_NO_EC - /* - * Table of curve information. + * Table of group information. */ static const TLS_GROUP_INFO nid_list[] = { +#ifndef OPENSSL_NO_EC {NID_sect163k1, 80, TLS_GROUP_CURVE_CHAR2, 0x0001}, /* sect163k1 (1) */ {NID_sect163r1, 80, TLS_GROUP_CURVE_CHAR2, 0x0002}, /* sect163r1 (2) */ {NID_sect163r2, 80, TLS_GROUP_CURVE_CHAR2, 0x0003}, /* sect163r2 (3) */ @@ -164,38 +163,49 @@ static const TLS_GROUP_INFO nid_list[] = { {NID_brainpoolP512r1, 256, TLS_GROUP_CURVE_PRIME, 0x001C}, /* brainpool512r1 (28) */ {EVP_PKEY_X25519, 128, TLS_GROUP_CURVE_CUSTOM, 0x001D}, /* X25519 (29) */ {EVP_PKEY_X448, 224, TLS_GROUP_CURVE_CUSTOM, 0x001E}, /* X448 (30) */ +#endif /* OPENSSL_NO_EC */ +#ifndef OPENSSL_NO_DH /* Security bit values for FFDHE groups are updated as per RFC 7919 */ {NID_ffdhe2048, 103, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0100}, /* ffdhe2048 (0x0100) */ {NID_ffdhe3072, 125, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0101}, /* ffdhe3072 (0x0101) */ {NID_ffdhe4096, 150, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0102}, /* ffdhe4096 (0x0102) */ {NID_ffdhe6144, 175, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0103}, /* ffdhe6144 (0x0103) */ {NID_ffdhe8192, 192, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0104}, /* ffdhe8192 (0x0104) */ +#endif /* OPENSSL_NO_DH */ }; +#ifndef OPENSSL_NO_EC static const unsigned char ecformats_default[] = { TLSEXT_ECPOINTFORMAT_uncompressed, TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime, TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 }; +#endif /* The default curves */ static const uint16_t supported_groups_default[] = { +#ifndef OPENSSL_NO_EC 29, /* X25519 (29) */ 23, /* secp256r1 (23) */ 30, /* X448 (30) */ 25, /* secp521r1 (25) */ 24, /* secp384r1 (24) */ +#endif +#ifndef OPENSSL_NO_DH 0x100, /* ffdhe2048 (0x100) */ 0x101, /* ffdhe3072 (0x101) */ 0x102, /* ffdhe4096 (0x102) */ 0x103, /* ffdhe6144 (0x103) */ 0x104, /* ffdhe8192 (0x104) */ +#endif }; +#ifndef OPENSSL_NO_EC static const uint16_t suiteb_curves[] = { TLSEXT_curve_P_256, TLSEXT_curve_P_384 }; +#endif const TLS_GROUP_INFO *tls1_group_id_lookup(uint16_t group_id) { @@ -230,6 +240,7 @@ void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups, /* For Suite B mode only include P-256, P-384 */ switch (tls1_suiteb(s)) { +#ifndef OPENSSL_NO_EC case SSL_CERT_FLAG_SUITEB_128_LOS: *pgroups = suiteb_curves; *pgroupslen = OSSL_NELEM(suiteb_curves); @@ -244,6 +255,7 @@ void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups, *pgroups = suiteb_curves + 1; *pgroupslen = 1; break; +#endif default: if (s->ext.supportedgroups == NULL) { @@ -268,25 +280,25 @@ int tls_valid_group(SSL *s, uint16_t group_id, int version) return 1; } -/* See if curve is allowed by security callback */ -int tls_curve_allowed(SSL *s, uint16_t curve, int op) +/* See if group is allowed by security callback */ +int tls_group_allowed(SSL *s, uint16_t group, int op) { - const TLS_GROUP_INFO *cinfo = tls1_group_id_lookup(curve); - unsigned char ctmp[2]; + const TLS_GROUP_INFO *ginfo = tls1_group_id_lookup(group); + unsigned char gtmp[2]; - if (cinfo == NULL) + if (ginfo == NULL) return 0; -# ifdef OPENSSL_NO_EC2M - if (cinfo->flags & TLS_GROUP_CURVE_CHAR2) +#ifdef OPENSSL_NO_EC2M + if (ginfo->flags & TLS_GROUP_CURVE_CHAR2) return 0; -# endif -# ifdef OPENSSL_NO_DH - if (cinfo->flags & TLS_GROUP_FFDHE) +#endif +#ifdef OPENSSL_NO_DH + if (ginfo->flags & TLS_GROUP_FFDHE) return 0; -# endif - ctmp[0] = curve >> 8; - ctmp[1] = curve & 0xff; - return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)ctmp); +#endif + gtmp[0] = group >> 8; + gtmp[1] = group & 0xff; + return ssl_security(s, op, ginfo->secbits, ginfo->nid, (void *)gtmp); } /* Return 1 if "id" is in "list" */ @@ -349,7 +361,7 @@ uint16_t tls1_shared_group(SSL *s, int nmatch) uint16_t id = pref[i]; if (!tls1_in_list(id, supp, num_supp) - || !tls_curve_allowed(s, id, SSL_SECOP_CURVE_SHARED)) + || !tls_group_allowed(s, id, SSL_SECOP_CURVE_SHARED)) continue; if (nmatch == k) return id; @@ -404,28 +416,30 @@ err: return 0; } -# define MAX_CURVELIST OSSL_NELEM(nid_list) +#define MAX_GROUPLIST OSSL_NELEM(nid_list) typedef struct { size_t nidcnt; - int nid_arr[MAX_CURVELIST]; + int nid_arr[MAX_GROUPLIST]; } nid_cb_st; static int nid_cb(const char *elem, int len, void *arg) { nid_cb_st *narg = arg; size_t i; - int nid; + int nid = NID_undef; char etmp[20]; if (elem == NULL) return 0; - if (narg->nidcnt == MAX_CURVELIST) + if (narg->nidcnt == MAX_GROUPLIST) return 0; if (len > (int)(sizeof(etmp) - 1)) return 0; memcpy(etmp, elem, len); etmp[len] = 0; +#ifndef OPENSSL_NO_EC nid = EC_curve_nist2nid(etmp); +#endif if (nid == NID_undef) nid = OBJ_sn2nid(etmp); if (nid == NID_undef) @@ -450,64 +464,6 @@ int tls1_set_groups_list(uint16_t **pext, size_t *pextlen, const char *str) return 1; return tls1_set_groups(pext, pextlen, ncb.nid_arr, ncb.nidcnt); } -/* Return group id of a key */ -static uint16_t tls1_get_group_id(EVP_PKEY *pkey) -{ - EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey); - const EC_GROUP *grp; - - if (ec == NULL) - return 0; - grp = EC_KEY_get0_group(ec); - return tls1_nid2group_id(EC_GROUP_get_curve_name(grp)); -} - -/* Check a key is compatible with compression extension */ -static int tls1_check_pkey_comp(SSL *s, EVP_PKEY *pkey) -{ - const EC_KEY *ec; - const EC_GROUP *grp; - unsigned char comp_id; - size_t i; - - /* If not an EC key nothing to check */ - if (EVP_PKEY_id(pkey) != EVP_PKEY_EC) - return 1; - ec = EVP_PKEY_get0_EC_KEY(pkey); - grp = EC_KEY_get0_group(ec); - - /* Get required compression id */ - if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_UNCOMPRESSED) { - comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; - } else if (SSL_IS_TLS13(s)) { - /* - * ec_point_formats extension is not used in TLSv1.3 so we ignore - * this check. - */ - return 1; - } else { - int field_type = EC_METHOD_get_field_type(EC_GROUP_method_of(grp)); - - if (field_type == NID_X9_62_prime_field) - comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; - else if (field_type == NID_X9_62_characteristic_two_field) - comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; - else - return 0; - } - /* - * If point formats extension present check it, otherwise everything is - * supported (see RFC4492). - */ - if (s->session->ext.ecpointformats == NULL) - return 1; - - for (i = 0; i < s->session->ext.ecpointformats_len; i++) { - if (s->session->ext.ecpointformats[i] == comp_id) - return 1; - } - return 0; -} /* Check a group id matches preferences */ int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_groups) @@ -541,7 +497,7 @@ int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_groups) return 0; } - if (!tls_curve_allowed(s, group_id, SSL_SECOP_CURVE_CHECK)) + if (!tls_group_allowed(s, group_id, SSL_SECOP_CURVE_CHECK)) return 0; /* For clients, nothing more to check */ @@ -562,6 +518,7 @@ int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_groups) return tls1_in_list(group_id, groups, groups_len); } +#ifndef OPENSSL_NO_EC void tls1_get_formatlist(SSL *s, const unsigned char **pformats, size_t *num_formats) { @@ -581,6 +538,65 @@ void tls1_get_formatlist(SSL *s, const unsigned char **pformats, } } +/* Check a key is compatible with compression extension */ +static int tls1_check_pkey_comp(SSL *s, EVP_PKEY *pkey) +{ + const EC_KEY *ec; + const EC_GROUP *grp; + unsigned char comp_id; + size_t i; + + /* If not an EC key nothing to check */ + if (EVP_PKEY_id(pkey) != EVP_PKEY_EC) + return 1; + ec = EVP_PKEY_get0_EC_KEY(pkey); + grp = EC_KEY_get0_group(ec); + + /* Get required compression id */ + if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_UNCOMPRESSED) { + comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; + } else if (SSL_IS_TLS13(s)) { + /* + * ec_point_formats extension is not used in TLSv1.3 so we ignore + * this check. + */ + return 1; + } else { + int field_type = EC_METHOD_get_field_type(EC_GROUP_method_of(grp)); + + if (field_type == NID_X9_62_prime_field) + comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; + else if (field_type == NID_X9_62_characteristic_two_field) + comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; + else + return 0; + } + /* + * If point formats extension present check it, otherwise everything is + * supported (see RFC4492). + */ + if (s->session->ext.ecpointformats == NULL) + return 1; + + for (i = 0; i < s->session->ext.ecpointformats_len; i++) { + if (s->session->ext.ecpointformats[i] == comp_id) + return 1; + } + return 0; +} + +/* Return group id of a key */ +static uint16_t tls1_get_group_id(EVP_PKEY *pkey) +{ + EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey); + const EC_GROUP *grp; + + if (ec == NULL) + return 0; + grp = EC_KEY_get0_group(ec); + return tls1_nid2group_id(EC_GROUP_get_curve_name(grp)); +} + /* * Check cert parameters compatible with extensions: currently just checks EC * certificates have compatible curves and compression. -- cgit v1.2.3