summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorjsing <>2014-09-30 15:40:09 +0000
committerjsing <>2014-09-30 15:40:09 +0000
commit4196588ba36e0ba5fa0fcb814fd943e5e3e60b62 (patch)
treed873b0b07130bc5a612941a794bb70a5fe3fa790 /src
parent1941d182bb9d2e71dc7619fd201822ed48b85d33 (diff)
downloadopenbsd-4196588ba36e0ba5fa0fcb814fd943e5e3e60b62.tar.gz
openbsd-4196588ba36e0ba5fa0fcb814fd943e5e3e60b62.tar.bz2
openbsd-4196588ba36e0ba5fa0fcb814fd943e5e3e60b62.zip
Clean up EC cipher handling in ssl3_choose_cipher().
The existing code reaches around into various internals of EC, which it should not know anything about. Replace this with a set of functions that that can correctly extract the necessary details and handle the comparisions. Based on a commit to OpenSSL, with some inspiration from boringssl. ok miod@
Diffstat (limited to 'src')
-rw-r--r--src/lib/libssl/s3_lib.c157
-rw-r--r--src/lib/libssl/src/ssl/s3_lib.c157
-rw-r--r--src/lib/libssl/src/ssl/ssl_locl.h5
-rw-r--r--src/lib/libssl/src/ssl/t1_lib.c135
-rw-r--r--src/lib/libssl/ssl_locl.h5
-rw-r--r--src/lib/libssl/t1_lib.c135
6 files changed, 304 insertions, 290 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index d8b923afd4..246aa6f23d 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_lib.c,v 1.80 2014/09/07 12:16:23 jsing Exp $ */ 1/* $OpenBSD: s3_lib.c,v 1.81 2014/09/30 15:40:09 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -149,11 +149,12 @@
149 */ 149 */
150 150
151#include <stdio.h> 151#include <stdio.h>
152
153#include <openssl/dh.h>
154#include <openssl/md5.h>
152#include <openssl/objects.h> 155#include <openssl/objects.h>
156
153#include "ssl_locl.h" 157#include "ssl_locl.h"
154#include "../crypto/ec/ec_lcl.h"
155#include <openssl/md5.h>
156#include <openssl/dh.h>
157 158
158#define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers) / sizeof(SSL_CIPHER)) 159#define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers) / sizeof(SSL_CIPHER))
159 160
@@ -2394,14 +2395,11 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
2394SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, 2395SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
2395 STACK_OF(SSL_CIPHER) *srvr) 2396 STACK_OF(SSL_CIPHER) *srvr)
2396{ 2397{
2397 SSL_CIPHER *c, *ret = NULL;
2398 STACK_OF(SSL_CIPHER) *prio, *allow;
2399 int i, ii, ok;
2400 unsigned int j;
2401 int ec_ok, ec_nid;
2402 unsigned char ec_search1 = 0, ec_search2 = 0;
2403 CERT *cert;
2404 unsigned long alg_k, alg_a, mask_k, mask_a; 2398 unsigned long alg_k, alg_a, mask_k, mask_a;
2399 STACK_OF(SSL_CIPHER) *prio, *allow;
2400 SSL_CIPHER *c, *ret = NULL;
2401 int i, ii, ok;
2402 CERT *cert;
2405 2403
2406 /* Let's see which ciphers we can support */ 2404 /* Let's see which ciphers we can support */
2407 cert = s->cert; 2405 cert = s->cert;
@@ -2439,141 +2437,18 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
2439 2437
2440 ok = (alg_k & mask_k) && (alg_a & mask_a); 2438 ok = (alg_k & mask_k) && (alg_a & mask_a);
2441 2439
2442 if (
2443 /*
2444 * if we are considering an ECC cipher suite that uses our
2445 * certificate
2446 */
2447 (alg_a & SSL_aECDSA || alg_a & SSL_aECDH)
2448 /* and we have an ECC certificate */
2449 && (s->cert->pkeys[SSL_PKEY_ECC].x509 != NULL)
2450 /*
2451 * and the client specified a Supported Point Formats
2452 * extension
2453 */
2454 && ((s->session->tlsext_ecpointformatlist_length > 0) &&
2455 (s->session->tlsext_ecpointformatlist != NULL))
2456 /* and our certificate's point is compressed */
2457 && (
2458 (s->cert->pkeys[SSL_PKEY_ECC].x509->cert_info != NULL)
2459 && (s->cert->pkeys[SSL_PKEY_ECC].x509->cert_info->key != NULL)
2460 && (s->cert->pkeys[SSL_PKEY_ECC].x509->cert_info->key->public_key != NULL)
2461 && (s->cert->pkeys[SSL_PKEY_ECC].x509->cert_info->key->public_key->data != NULL)
2462 && (
2463 (*(s->cert->pkeys[SSL_PKEY_ECC].x509->cert_info->key->public_key->data) == POINT_CONVERSION_COMPRESSED)
2464 || (*(s->cert->pkeys[SSL_PKEY_ECC].x509->cert_info->key->public_key->data) == POINT_CONVERSION_COMPRESSED + 1)
2465 )
2466 )
2467 ) {
2468 ec_ok = 0;
2469 /*
2470 * If our certificate's curve is over a field type
2471 * that the client does not support then do not allow
2472 * this cipher suite to be negotiated
2473 */
2474 if (
2475 (s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec != NULL)
2476 && (s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec->group != NULL)
2477 && (s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec->group->meth != NULL)
2478 && (EC_METHOD_get_field_type(s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec->group->meth) == NID_X9_62_prime_field)
2479 ) {
2480 for (j = 0; j < s->session->tlsext_ecpointformatlist_length; j++) {
2481 if (s->session->tlsext_ecpointformatlist[j] == TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime) {
2482 ec_ok = 1;
2483 break;
2484 }
2485 }
2486 } else if (EC_METHOD_get_field_type(s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec->group->meth) == NID_X9_62_characteristic_two_field) {
2487 for (j = 0; j < s->session->tlsext_ecpointformatlist_length; j++) {
2488 if (s->session->tlsext_ecpointformatlist[j] == TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2) {
2489 ec_ok = 1;
2490 break;
2491 }
2492 }
2493 }
2494 ok = ok && ec_ok;
2495 }
2496 if (
2497 /* 2440 /*
2498 * If we are considering an ECC cipher suite that uses our 2441 * If we are considering an ECC cipher suite that uses our
2499 * certificate 2442 * certificate check it.
2500 */ 2443 */
2501 (alg_a & SSL_aECDSA || alg_a & SSL_aECDH) 2444 if (alg_a & (SSL_aECDSA|SSL_aECDH))
2502 /* and we have an ECC certificate */ 2445 ok = ok && tls1_check_ec_server_key(s);
2503 && (s->cert->pkeys[SSL_PKEY_ECC].x509 != NULL)
2504 /* and the client specified an EllipticCurves extension */
2505 && ((s->session->tlsext_ellipticcurvelist_length > 0) && (s->session->tlsext_ellipticcurvelist != NULL))
2506 ) {
2507 ec_ok = 0;
2508 if (
2509 (s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec != NULL)
2510 && (s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec->group != NULL)
2511 ) {
2512 ec_nid = EC_GROUP_get_curve_name(s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec->group);
2513 if ((ec_nid == 0)
2514 && (s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec->group->meth != NULL)
2515 ) {
2516 if (EC_METHOD_get_field_type(s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec->group->meth) == NID_X9_62_prime_field) {
2517 ec_search1 = 0xFF;
2518 ec_search2 = 0x01;
2519 } else if (EC_METHOD_get_field_type(s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec->group->meth) == NID_X9_62_characteristic_two_field) {
2520 ec_search1 = 0xFF;
2521 ec_search2 = 0x02;
2522 }
2523 } else {
2524 ec_search1 = 0x00;
2525 ec_search2 = tls1_ec_nid2curve_id(ec_nid);
2526 }
2527 if ((ec_search1 != 0) || (ec_search2 != 0)) {
2528 for (j = 0; j < s->session->tlsext_ellipticcurvelist_length / 2; j++) {
2529 if ((s->session->tlsext_ellipticcurvelist[2*j] == ec_search1) && (s->session->tlsext_ellipticcurvelist[2*j + 1] == ec_search2)) {
2530 ec_ok = 1;
2531 break;
2532 }
2533 }
2534 }
2535 }
2536 ok = ok && ec_ok;
2537 }
2538 if (
2539 /* 2446 /*
2540 * if we are considering an ECC cipher suite that uses an 2447 * If we are considering an ECC cipher suite that uses
2541 * ephemeral EC key 2448 * an ephemeral EC key check it.
2542 */ 2449 */
2543 (alg_k & SSL_kECDHE) 2450 if (alg_k & SSL_kECDHE)
2544 /* and we have an ephemeral EC key */ 2451 ok = ok && tls1_check_ec_tmp_key(s);
2545 && (s->cert->ecdh_tmp != NULL)
2546 /* and the client specified an EllipticCurves extension */
2547 && ((s->session->tlsext_ellipticcurvelist_length > 0) && (s->session->tlsext_ellipticcurvelist != NULL))
2548 ) {
2549 ec_ok = 0;
2550 if (s->cert->ecdh_tmp->group != NULL) {
2551 ec_nid = EC_GROUP_get_curve_name(s->cert->ecdh_tmp->group);
2552 if ((ec_nid == 0)
2553 && (s->cert->ecdh_tmp->group->meth != NULL)
2554 ) {
2555 if (EC_METHOD_get_field_type(s->cert->ecdh_tmp->group->meth) == NID_X9_62_prime_field) {
2556 ec_search1 = 0xFF;
2557 ec_search2 = 0x01;
2558 } else if (EC_METHOD_get_field_type(s->cert->ecdh_tmp->group->meth) == NID_X9_62_characteristic_two_field) {
2559 ec_search1 = 0xFF;
2560 ec_search2 = 0x02;
2561 }
2562 } else {
2563 ec_search1 = 0x00;
2564 ec_search2 = tls1_ec_nid2curve_id(ec_nid);
2565 }
2566 if ((ec_search1 != 0) || (ec_search2 != 0)) {
2567 for (j = 0; j < s->session->tlsext_ellipticcurvelist_length / 2; j++) {
2568 if ((s->session->tlsext_ellipticcurvelist[2*j] == ec_search1) && (s->session->tlsext_ellipticcurvelist[2*j + 1] == ec_search2)) {
2569 ec_ok = 1;
2570 break;
2571 }
2572 }
2573 }
2574 }
2575 ok = ok && ec_ok;
2576 }
2577 2452
2578 if (!ok) 2453 if (!ok)
2579 continue; 2454 continue;
diff --git a/src/lib/libssl/src/ssl/s3_lib.c b/src/lib/libssl/src/ssl/s3_lib.c
index d8b923afd4..246aa6f23d 100644
--- a/src/lib/libssl/src/ssl/s3_lib.c
+++ b/src/lib/libssl/src/ssl/s3_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_lib.c,v 1.80 2014/09/07 12:16:23 jsing Exp $ */ 1/* $OpenBSD: s3_lib.c,v 1.81 2014/09/30 15:40:09 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -149,11 +149,12 @@
149 */ 149 */
150 150
151#include <stdio.h> 151#include <stdio.h>
152
153#include <openssl/dh.h>
154#include <openssl/md5.h>
152#include <openssl/objects.h> 155#include <openssl/objects.h>
156
153#include "ssl_locl.h" 157#include "ssl_locl.h"
154#include "../crypto/ec/ec_lcl.h"
155#include <openssl/md5.h>
156#include <openssl/dh.h>
157 158
158#define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers) / sizeof(SSL_CIPHER)) 159#define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers) / sizeof(SSL_CIPHER))
159 160
@@ -2394,14 +2395,11 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
2394SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, 2395SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
2395 STACK_OF(SSL_CIPHER) *srvr) 2396 STACK_OF(SSL_CIPHER) *srvr)
2396{ 2397{
2397 SSL_CIPHER *c, *ret = NULL;
2398 STACK_OF(SSL_CIPHER) *prio, *allow;
2399 int i, ii, ok;
2400 unsigned int j;
2401 int ec_ok, ec_nid;
2402 unsigned char ec_search1 = 0, ec_search2 = 0;
2403 CERT *cert;
2404 unsigned long alg_k, alg_a, mask_k, mask_a; 2398 unsigned long alg_k, alg_a, mask_k, mask_a;
2399 STACK_OF(SSL_CIPHER) *prio, *allow;
2400 SSL_CIPHER *c, *ret = NULL;
2401 int i, ii, ok;
2402 CERT *cert;
2405 2403
2406 /* Let's see which ciphers we can support */ 2404 /* Let's see which ciphers we can support */
2407 cert = s->cert; 2405 cert = s->cert;
@@ -2439,141 +2437,18 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
2439 2437
2440 ok = (alg_k & mask_k) && (alg_a & mask_a); 2438 ok = (alg_k & mask_k) && (alg_a & mask_a);
2441 2439
2442 if (
2443 /*
2444 * if we are considering an ECC cipher suite that uses our
2445 * certificate
2446 */
2447 (alg_a & SSL_aECDSA || alg_a & SSL_aECDH)
2448 /* and we have an ECC certificate */
2449 && (s->cert->pkeys[SSL_PKEY_ECC].x509 != NULL)
2450 /*
2451 * and the client specified a Supported Point Formats
2452 * extension
2453 */
2454 && ((s->session->tlsext_ecpointformatlist_length > 0) &&
2455 (s->session->tlsext_ecpointformatlist != NULL))
2456 /* and our certificate's point is compressed */
2457 && (
2458 (s->cert->pkeys[SSL_PKEY_ECC].x509->cert_info != NULL)
2459 && (s->cert->pkeys[SSL_PKEY_ECC].x509->cert_info->key != NULL)
2460 && (s->cert->pkeys[SSL_PKEY_ECC].x509->cert_info->key->public_key != NULL)
2461 && (s->cert->pkeys[SSL_PKEY_ECC].x509->cert_info->key->public_key->data != NULL)
2462 && (
2463 (*(s->cert->pkeys[SSL_PKEY_ECC].x509->cert_info->key->public_key->data) == POINT_CONVERSION_COMPRESSED)
2464 || (*(s->cert->pkeys[SSL_PKEY_ECC].x509->cert_info->key->public_key->data) == POINT_CONVERSION_COMPRESSED + 1)
2465 )
2466 )
2467 ) {
2468 ec_ok = 0;
2469 /*
2470 * If our certificate's curve is over a field type
2471 * that the client does not support then do not allow
2472 * this cipher suite to be negotiated
2473 */
2474 if (
2475 (s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec != NULL)
2476 && (s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec->group != NULL)
2477 && (s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec->group->meth != NULL)
2478 && (EC_METHOD_get_field_type(s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec->group->meth) == NID_X9_62_prime_field)
2479 ) {
2480 for (j = 0; j < s->session->tlsext_ecpointformatlist_length; j++) {
2481 if (s->session->tlsext_ecpointformatlist[j] == TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime) {
2482 ec_ok = 1;
2483 break;
2484 }
2485 }
2486 } else if (EC_METHOD_get_field_type(s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec->group->meth) == NID_X9_62_characteristic_two_field) {
2487 for (j = 0; j < s->session->tlsext_ecpointformatlist_length; j++) {
2488 if (s->session->tlsext_ecpointformatlist[j] == TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2) {
2489 ec_ok = 1;
2490 break;
2491 }
2492 }
2493 }
2494 ok = ok && ec_ok;
2495 }
2496 if (
2497 /* 2440 /*
2498 * If we are considering an ECC cipher suite that uses our 2441 * If we are considering an ECC cipher suite that uses our
2499 * certificate 2442 * certificate check it.
2500 */ 2443 */
2501 (alg_a & SSL_aECDSA || alg_a & SSL_aECDH) 2444 if (alg_a & (SSL_aECDSA|SSL_aECDH))
2502 /* and we have an ECC certificate */ 2445 ok = ok && tls1_check_ec_server_key(s);
2503 && (s->cert->pkeys[SSL_PKEY_ECC].x509 != NULL)
2504 /* and the client specified an EllipticCurves extension */
2505 && ((s->session->tlsext_ellipticcurvelist_length > 0) && (s->session->tlsext_ellipticcurvelist != NULL))
2506 ) {
2507 ec_ok = 0;
2508 if (
2509 (s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec != NULL)
2510 && (s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec->group != NULL)
2511 ) {
2512 ec_nid = EC_GROUP_get_curve_name(s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec->group);
2513 if ((ec_nid == 0)
2514 && (s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec->group->meth != NULL)
2515 ) {
2516 if (EC_METHOD_get_field_type(s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec->group->meth) == NID_X9_62_prime_field) {
2517 ec_search1 = 0xFF;
2518 ec_search2 = 0x01;
2519 } else if (EC_METHOD_get_field_type(s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec->group->meth) == NID_X9_62_characteristic_two_field) {
2520 ec_search1 = 0xFF;
2521 ec_search2 = 0x02;
2522 }
2523 } else {
2524 ec_search1 = 0x00;
2525 ec_search2 = tls1_ec_nid2curve_id(ec_nid);
2526 }
2527 if ((ec_search1 != 0) || (ec_search2 != 0)) {
2528 for (j = 0; j < s->session->tlsext_ellipticcurvelist_length / 2; j++) {
2529 if ((s->session->tlsext_ellipticcurvelist[2*j] == ec_search1) && (s->session->tlsext_ellipticcurvelist[2*j + 1] == ec_search2)) {
2530 ec_ok = 1;
2531 break;
2532 }
2533 }
2534 }
2535 }
2536 ok = ok && ec_ok;
2537 }
2538 if (
2539 /* 2446 /*
2540 * if we are considering an ECC cipher suite that uses an 2447 * If we are considering an ECC cipher suite that uses
2541 * ephemeral EC key 2448 * an ephemeral EC key check it.
2542 */ 2449 */
2543 (alg_k & SSL_kECDHE) 2450 if (alg_k & SSL_kECDHE)
2544 /* and we have an ephemeral EC key */ 2451 ok = ok && tls1_check_ec_tmp_key(s);
2545 && (s->cert->ecdh_tmp != NULL)
2546 /* and the client specified an EllipticCurves extension */
2547 && ((s->session->tlsext_ellipticcurvelist_length > 0) && (s->session->tlsext_ellipticcurvelist != NULL))
2548 ) {
2549 ec_ok = 0;
2550 if (s->cert->ecdh_tmp->group != NULL) {
2551 ec_nid = EC_GROUP_get_curve_name(s->cert->ecdh_tmp->group);
2552 if ((ec_nid == 0)
2553 && (s->cert->ecdh_tmp->group->meth != NULL)
2554 ) {
2555 if (EC_METHOD_get_field_type(s->cert->ecdh_tmp->group->meth) == NID_X9_62_prime_field) {
2556 ec_search1 = 0xFF;
2557 ec_search2 = 0x01;
2558 } else if (EC_METHOD_get_field_type(s->cert->ecdh_tmp->group->meth) == NID_X9_62_characteristic_two_field) {
2559 ec_search1 = 0xFF;
2560 ec_search2 = 0x02;
2561 }
2562 } else {
2563 ec_search1 = 0x00;
2564 ec_search2 = tls1_ec_nid2curve_id(ec_nid);
2565 }
2566 if ((ec_search1 != 0) || (ec_search2 != 0)) {
2567 for (j = 0; j < s->session->tlsext_ellipticcurvelist_length / 2; j++) {
2568 if ((s->session->tlsext_ellipticcurvelist[2*j] == ec_search1) && (s->session->tlsext_ellipticcurvelist[2*j + 1] == ec_search2)) {
2569 ec_ok = 1;
2570 break;
2571 }
2572 }
2573 }
2574 }
2575 ok = ok && ec_ok;
2576 }
2577 2452
2578 if (!ok) 2453 if (!ok)
2579 continue; 2454 continue;
diff --git a/src/lib/libssl/src/ssl/ssl_locl.h b/src/lib/libssl/src/ssl/ssl_locl.h
index 3eee18cbd6..8ec4c69d5b 100644
--- a/src/lib/libssl/src/ssl/ssl_locl.h
+++ b/src/lib/libssl/src/ssl/ssl_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_locl.h,v 1.69 2014/09/27 11:01:06 jsing Exp $ */ 1/* $OpenBSD: ssl_locl.h,v 1.70 2014/09/30 15:40:09 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -839,6 +839,9 @@ long ssl_get_algorithm2(SSL *s);
839int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize); 839int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize);
840int tls12_get_req_sig_algs(SSL *s, unsigned char *p); 840int tls12_get_req_sig_algs(SSL *s, unsigned char *p);
841 841
842int tls1_check_ec_server_key(SSL *s);
843int tls1_check_ec_tmp_key(SSL *s);
844
842int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, 845int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p,
843 int *len, int maxlen); 846 int *len, int maxlen);
844int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, 847int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d,
diff --git a/src/lib/libssl/src/ssl/t1_lib.c b/src/lib/libssl/src/ssl/t1_lib.c
index 20f576e796..d40768560c 100644
--- a/src/lib/libssl/src/ssl/t1_lib.c
+++ b/src/lib/libssl/src/ssl/t1_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: t1_lib.c,v 1.58 2014/09/27 11:01:06 jsing Exp $ */ 1/* $OpenBSD: t1_lib.c,v 1.59 2014/09/30 15:40:09 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -110,11 +110,13 @@
110 */ 110 */
111 111
112#include <stdio.h> 112#include <stdio.h>
113#include <openssl/objects.h> 113
114#include <openssl/evp.h> 114#include <openssl/evp.h>
115#include <openssl/hmac.h> 115#include <openssl/hmac.h>
116#include <openssl/objects.h>
116#include <openssl/ocsp.h> 117#include <openssl/ocsp.h>
117#include <openssl/rand.h> 118#include <openssl/rand.h>
119
118#include "ssl_locl.h" 120#include "ssl_locl.h"
119 121
120static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, 122static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
@@ -406,6 +408,134 @@ tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
406 return (0); 408 return (0);
407} 409}
408 410
411/* For an EC key set TLS ID and required compression based on parameters. */
412static int
413tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id, EC_KEY *ec)
414{
415 const EC_GROUP *grp;
416 const EC_METHOD *meth;
417 int is_prime = 0;
418 int nid, id;
419
420 if (ec == NULL)
421 return (0);
422
423 if (EC_KEY_get0_public_key(ec) == NULL)
424 return (0);
425
426 /* Determine if it is a prime field. */
427 if ((grp = EC_KEY_get0_group(ec)) == NULL)
428 return (0);
429 if ((meth = EC_GROUP_method_of(grp)) == NULL)
430 return (0);
431 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
432 is_prime = 1;
433
434 /* Determine curve ID. */
435 nid = EC_GROUP_get_curve_name(grp);
436 id = tls1_ec_nid2curve_id(nid);
437
438 /* If we have an ID set it, otherwise set arbitrary explicit curve. */
439 if (id != 0) {
440 curve_id[0] = 0;
441 curve_id[1] = (unsigned char)id;
442 } else {
443 curve_id[0] = 0xff;
444 curve_id[1] = is_prime ? 0x01 : 0x02;
445 }
446
447 /* Specify the compression identifier. */
448 if (comp_id != NULL) {
449 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) {
450 *comp_id = is_prime ?
451 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime :
452 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
453 } else {
454 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
455 }
456 }
457 return (1);
458}
459
460/* Check that an EC key is compatible with extensions. */
461static int
462tls1_check_ec_key(SSL *s, unsigned char *curve_id, unsigned char *comp_id)
463{
464 const unsigned char *p;
465 size_t plen, i;
466
467 /*
468 * Check point formats extension if present, otherwise everything
469 * is supported (see RFC4492).
470 */
471 if (comp_id != NULL && s->session->tlsext_ecpointformatlist != NULL) {
472 p = s->session->tlsext_ecpointformatlist;
473 plen = s->session->tlsext_ecpointformatlist_length;
474 for (i = 0; i < plen; i++, p++) {
475 if (*comp_id == *p)
476 break;
477 }
478 if (i == plen)
479 return (0);
480 }
481
482 /*
483 * Check curve list if present, otherwise everything is supported.
484 */
485 if (s->session->tlsext_ellipticcurvelist != NULL) {
486 p = s->session->tlsext_ellipticcurvelist;
487 plen = s->session->tlsext_ellipticcurvelist_length;
488 for (i = 0; i < plen; i += 2, p += 2) {
489 if (p[0] == curve_id[0] && p[1] == curve_id[1])
490 break;
491 }
492 if (i == plen)
493 return (0);
494 }
495
496 return (1);
497}
498
499/* Check EC server key is compatible with client extensions. */
500int
501tls1_check_ec_server_key(SSL *s)
502{
503 CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC;
504 unsigned char comp_id, curve_id[2];
505 EVP_PKEY *pkey;
506 int rv;
507
508 if (cpk->x509 == NULL || cpk->privatekey == NULL)
509 return (0);
510 if ((pkey = X509_get_pubkey(cpk->x509)) == NULL)
511 return (0);
512 rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
513 EVP_PKEY_free(pkey);
514 if (rv != 1)
515 return (0);
516
517 return tls1_check_ec_key(s, curve_id, &comp_id);
518}
519
520/* Check EC temporary key is compatible with client extensions. */
521int
522tls1_check_ec_tmp_key(SSL *s)
523{
524 EC_KEY *ec = s->cert->ecdh_tmp;
525 unsigned char curve_id[2];
526
527 if (ec == NULL) {
528 if (s->cert->ecdh_tmp_cb != NULL)
529 return (1);
530 else
531 return (0);
532 }
533 if (tls1_set_ec_id(curve_id, NULL, ec) != 1)
534 return (0);
535
536 return tls1_check_ec_key(s, curve_id, NULL);
537}
538
409/* 539/*
410 * List of supported signature algorithms and hashes. Should make this 540 * List of supported signature algorithms and hashes. Should make this
411 * customisable at some point, for now include everything we support. 541 * customisable at some point, for now include everything we support.
@@ -2132,4 +2262,3 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2132 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); 2262 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
2133 return 1; 2263 return 1;
2134} 2264}
2135
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 3eee18cbd6..8ec4c69d5b 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_locl.h,v 1.69 2014/09/27 11:01:06 jsing Exp $ */ 1/* $OpenBSD: ssl_locl.h,v 1.70 2014/09/30 15:40:09 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -839,6 +839,9 @@ long ssl_get_algorithm2(SSL *s);
839int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize); 839int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize);
840int tls12_get_req_sig_algs(SSL *s, unsigned char *p); 840int tls12_get_req_sig_algs(SSL *s, unsigned char *p);
841 841
842int tls1_check_ec_server_key(SSL *s);
843int tls1_check_ec_tmp_key(SSL *s);
844
842int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, 845int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p,
843 int *len, int maxlen); 846 int *len, int maxlen);
844int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, 847int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d,
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 20f576e796..d40768560c 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: t1_lib.c,v 1.58 2014/09/27 11:01:06 jsing Exp $ */ 1/* $OpenBSD: t1_lib.c,v 1.59 2014/09/30 15:40:09 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -110,11 +110,13 @@
110 */ 110 */
111 111
112#include <stdio.h> 112#include <stdio.h>
113#include <openssl/objects.h> 113
114#include <openssl/evp.h> 114#include <openssl/evp.h>
115#include <openssl/hmac.h> 115#include <openssl/hmac.h>
116#include <openssl/objects.h>
116#include <openssl/ocsp.h> 117#include <openssl/ocsp.h>
117#include <openssl/rand.h> 118#include <openssl/rand.h>
119
118#include "ssl_locl.h" 120#include "ssl_locl.h"
119 121
120static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, 122static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
@@ -406,6 +408,134 @@ tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
406 return (0); 408 return (0);
407} 409}
408 410
411/* For an EC key set TLS ID and required compression based on parameters. */
412static int
413tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id, EC_KEY *ec)
414{
415 const EC_GROUP *grp;
416 const EC_METHOD *meth;
417 int is_prime = 0;
418 int nid, id;
419
420 if (ec == NULL)
421 return (0);
422
423 if (EC_KEY_get0_public_key(ec) == NULL)
424 return (0);
425
426 /* Determine if it is a prime field. */
427 if ((grp = EC_KEY_get0_group(ec)) == NULL)
428 return (0);
429 if ((meth = EC_GROUP_method_of(grp)) == NULL)
430 return (0);
431 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
432 is_prime = 1;
433
434 /* Determine curve ID. */
435 nid = EC_GROUP_get_curve_name(grp);
436 id = tls1_ec_nid2curve_id(nid);
437
438 /* If we have an ID set it, otherwise set arbitrary explicit curve. */
439 if (id != 0) {
440 curve_id[0] = 0;
441 curve_id[1] = (unsigned char)id;
442 } else {
443 curve_id[0] = 0xff;
444 curve_id[1] = is_prime ? 0x01 : 0x02;
445 }
446
447 /* Specify the compression identifier. */
448 if (comp_id != NULL) {
449 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) {
450 *comp_id = is_prime ?
451 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime :
452 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
453 } else {
454 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
455 }
456 }
457 return (1);
458}
459
460/* Check that an EC key is compatible with extensions. */
461static int
462tls1_check_ec_key(SSL *s, unsigned char *curve_id, unsigned char *comp_id)
463{
464 const unsigned char *p;
465 size_t plen, i;
466
467 /*
468 * Check point formats extension if present, otherwise everything
469 * is supported (see RFC4492).
470 */
471 if (comp_id != NULL && s->session->tlsext_ecpointformatlist != NULL) {
472 p = s->session->tlsext_ecpointformatlist;
473 plen = s->session->tlsext_ecpointformatlist_length;
474 for (i = 0; i < plen; i++, p++) {
475 if (*comp_id == *p)
476 break;
477 }
478 if (i == plen)
479 return (0);
480 }
481
482 /*
483 * Check curve list if present, otherwise everything is supported.
484 */
485 if (s->session->tlsext_ellipticcurvelist != NULL) {
486 p = s->session->tlsext_ellipticcurvelist;
487 plen = s->session->tlsext_ellipticcurvelist_length;
488 for (i = 0; i < plen; i += 2, p += 2) {
489 if (p[0] == curve_id[0] && p[1] == curve_id[1])
490 break;
491 }
492 if (i == plen)
493 return (0);
494 }
495
496 return (1);
497}
498
499/* Check EC server key is compatible with client extensions. */
500int
501tls1_check_ec_server_key(SSL *s)
502{
503 CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC;
504 unsigned char comp_id, curve_id[2];
505 EVP_PKEY *pkey;
506 int rv;
507
508 if (cpk->x509 == NULL || cpk->privatekey == NULL)
509 return (0);
510 if ((pkey = X509_get_pubkey(cpk->x509)) == NULL)
511 return (0);
512 rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
513 EVP_PKEY_free(pkey);
514 if (rv != 1)
515 return (0);
516
517 return tls1_check_ec_key(s, curve_id, &comp_id);
518}
519
520/* Check EC temporary key is compatible with client extensions. */
521int
522tls1_check_ec_tmp_key(SSL *s)
523{
524 EC_KEY *ec = s->cert->ecdh_tmp;
525 unsigned char curve_id[2];
526
527 if (ec == NULL) {
528 if (s->cert->ecdh_tmp_cb != NULL)
529 return (1);
530 else
531 return (0);
532 }
533 if (tls1_set_ec_id(curve_id, NULL, ec) != 1)
534 return (0);
535
536 return tls1_check_ec_key(s, curve_id, NULL);
537}
538
409/* 539/*
410 * List of supported signature algorithms and hashes. Should make this 540 * List of supported signature algorithms and hashes. Should make this
411 * customisable at some point, for now include everything we support. 541 * customisable at some point, for now include everything we support.
@@ -2132,4 +2262,3 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2132 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); 2262 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
2133 return 1; 2263 return 1;
2134} 2264}
2135
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-23 16:01:34 +0000