diff options
Diffstat (limited to '')
| -rw-r--r-- | src/lib/libssl/Symbols.list | 4 | ||||
| -rw-r--r-- | src/lib/libssl/s3_lib.c | 31 | ||||
| -rw-r--r-- | src/lib/libssl/ssl.h | 15 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_lib.c | 35 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_locl.h | 21 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_sess.c | 8 | ||||
| -rw-r--r-- | src/lib/libssl/t1_lib.c | 109 |
7 files changed, 197 insertions, 26 deletions
diff --git a/src/lib/libssl/Symbols.list b/src/lib/libssl/Symbols.list index 1938c21509..042f553959 100644 --- a/src/lib/libssl/Symbols.list +++ b/src/lib/libssl/Symbols.list | |||
| @@ -78,6 +78,8 @@ SSL_CTX_sess_set_get_cb | |||
| 78 | SSL_CTX_sess_set_new_cb | 78 | SSL_CTX_sess_set_new_cb |
| 79 | SSL_CTX_sess_set_remove_cb | 79 | SSL_CTX_sess_set_remove_cb |
| 80 | SSL_CTX_sessions | 80 | SSL_CTX_sessions |
| 81 | SSL_CTX_set1_groups | ||
| 82 | SSL_CTX_set1_groups_list | ||
| 81 | SSL_CTX_set1_param | 83 | SSL_CTX_set1_param |
| 82 | SSL_CTX_set_alpn_protos | 84 | SSL_CTX_set_alpn_protos |
| 83 | SSL_CTX_set_alpn_select_cb | 85 | SSL_CTX_set_alpn_select_cb |
| @@ -212,6 +214,8 @@ SSL_renegotiate_pending | |||
| 212 | SSL_rstate_string | 214 | SSL_rstate_string |
| 213 | SSL_rstate_string_long | 215 | SSL_rstate_string_long |
| 214 | SSL_select_next_proto | 216 | SSL_select_next_proto |
| 217 | SSL_set1_groups | ||
| 218 | SSL_set1_groups_list | ||
| 215 | SSL_set1_param | 219 | SSL_set1_param |
| 216 | SSL_set_SSL_CTX | 220 | SSL_set_SSL_CTX |
| 217 | SSL_set_accept_state | 221 | SSL_set_accept_state |
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index 1b0ddc702f..9d0217e95f 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s3_lib.c,v 1.129 2017/01/24 03:00:54 jsing Exp $ */ | 1 | /* $OpenBSD: s3_lib.c,v 1.130 2017/01/24 09:03:21 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -2154,9 +2154,24 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) | |||
| 2154 | default: | 2154 | default: |
| 2155 | break; | 2155 | break; |
| 2156 | } | 2156 | } |
| 2157 | |||
| 2157 | return (ret); | 2158 | return (ret); |
| 2158 | } | 2159 | } |
| 2159 | 2160 | ||
| 2161 | int | ||
| 2162 | SSL_set1_groups(SSL *s, const int *groups, size_t groups_len) | ||
| 2163 | { | ||
| 2164 | return tls1_set_groups(&s->internal->tlsext_supportedgroups, | ||
| 2165 | &s->internal->tlsext_supportedgroups_length, groups, groups_len); | ||
| 2166 | } | ||
| 2167 | |||
| 2168 | int | ||
| 2169 | SSL_set1_groups_list(SSL *s, const char *groups) | ||
| 2170 | { | ||
| 2171 | return tls1_set_groups_list(&s->internal->tlsext_supportedgroups, | ||
| 2172 | &s->internal->tlsext_supportedgroups_length, groups); | ||
| 2173 | } | ||
| 2174 | |||
| 2160 | long | 2175 | long |
| 2161 | ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) | 2176 | ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) |
| 2162 | { | 2177 | { |
| @@ -2327,6 +2342,20 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) | |||
| 2327 | return (1); | 2342 | return (1); |
| 2328 | } | 2343 | } |
| 2329 | 2344 | ||
| 2345 | int | ||
| 2346 | SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups, size_t groups_len) | ||
| 2347 | { | ||
| 2348 | return tls1_set_groups(&ctx->internal->tlsext_supportedgroups, | ||
| 2349 | &ctx->internal->tlsext_supportedgroups_length, groups, groups_len); | ||
| 2350 | } | ||
| 2351 | |||
| 2352 | int | ||
| 2353 | SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups) | ||
| 2354 | { | ||
| 2355 | return tls1_set_groups_list(&ctx->internal->tlsext_supportedgroups, | ||
| 2356 | &ctx->internal->tlsext_supportedgroups_length, groups); | ||
| 2357 | } | ||
| 2358 | |||
| 2330 | long | 2359 | long |
| 2331 | ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) | 2360 | ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) |
| 2332 | { | 2361 | { |
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h index 80e7558a2a..cf75130faf 100644 --- a/src/lib/libssl/ssl.h +++ b/src/lib/libssl/ssl.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl.h,v 1.121 2017/01/24 02:56:17 jsing Exp $ */ | 1 | /* $OpenBSD: ssl.h,v 1.122 2017/01/24 09:03:21 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1169,6 +1169,19 @@ int PEM_write_SSL_SESSION(FILE *fp, SSL_SESSION *x); | |||
| 1169 | #define SSL_set_ecdh_auto(s, onoff) \ | 1169 | #define SSL_set_ecdh_auto(s, onoff) \ |
| 1170 | SSL_ctrl(s,SSL_CTRL_SET_ECDH_AUTO,onoff,NULL) | 1170 | SSL_ctrl(s,SSL_CTRL_SET_ECDH_AUTO,onoff,NULL) |
| 1171 | 1171 | ||
| 1172 | int SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups, size_t groups_len); | ||
| 1173 | int SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups); | ||
| 1174 | |||
| 1175 | int SSL_set1_groups(SSL *ssl, const int *groups, size_t groups_len); | ||
| 1176 | int SSL_set1_groups_list(SSL *ssl, const char *groups); | ||
| 1177 | |||
| 1178 | #ifndef LIBRESSL_INTERNAL | ||
| 1179 | #define SSL_CTX_set1_curves SSL_CTX_set1_groups | ||
| 1180 | #define SSL_CTX_set1_curves_list SSL_CTX_set1_groups_list | ||
| 1181 | #define SSL_set1_curves SSL_set1_groups | ||
| 1182 | #define SSL_set1_curves_list SSL_set1_groups_list | ||
| 1183 | #endif | ||
| 1184 | |||
| 1172 | #define SSL_CTX_add_extra_chain_cert(ctx,x509) \ | 1185 | #define SSL_CTX_add_extra_chain_cert(ctx,x509) \ |
| 1173 | SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509) | 1186 | SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509) |
| 1174 | #define SSL_CTX_get_extra_chain_certs(ctx,px509) \ | 1187 | #define SSL_CTX_get_extra_chain_certs(ctx,px509) \ |
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index b9bfd7e24d..bc04ea7f9c 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_lib.c,v 1.144 2017/01/24 01:47:22 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_lib.c,v 1.145 2017/01/24 09:03:21 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -336,6 +336,34 @@ SSL_new(SSL_CTX *ctx) | |||
| 336 | s->internal->tlsext_ocsp_resplen = -1; | 336 | s->internal->tlsext_ocsp_resplen = -1; |
| 337 | CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX); | 337 | CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX); |
| 338 | s->initial_ctx = ctx; | 338 | s->initial_ctx = ctx; |
| 339 | |||
| 340 | if (ctx->internal->tlsext_ecpointformatlist != NULL) { | ||
| 341 | s->internal->tlsext_ecpointformatlist = | ||
| 342 | calloc(ctx->internal->tlsext_ecpointformatlist_length, | ||
| 343 | sizeof(ctx->internal->tlsext_ecpointformatlist[0])); | ||
| 344 | if (s->internal->tlsext_ecpointformatlist == NULL) | ||
| 345 | goto err; | ||
| 346 | memcpy(s->internal->tlsext_ecpointformatlist, | ||
| 347 | ctx->internal->tlsext_ecpointformatlist, | ||
| 348 | ctx->internal->tlsext_ecpointformatlist_length * | ||
| 349 | sizeof(ctx->internal->tlsext_ecpointformatlist[0])); | ||
| 350 | s->internal->tlsext_ecpointformatlist_length = | ||
| 351 | ctx->internal->tlsext_ecpointformatlist_length; | ||
| 352 | } | ||
| 353 | if (ctx->internal->tlsext_supportedgroups != NULL) { | ||
| 354 | s->internal->tlsext_supportedgroups = | ||
| 355 | calloc(ctx->internal->tlsext_supportedgroups_length, | ||
| 356 | sizeof(ctx->internal->tlsext_supportedgroups)); | ||
| 357 | if (s->internal->tlsext_supportedgroups == NULL) | ||
| 358 | goto err; | ||
| 359 | memcpy(s->internal->tlsext_supportedgroups, | ||
| 360 | ctx->internal->tlsext_supportedgroups, | ||
| 361 | ctx->internal->tlsext_supportedgroups_length * | ||
| 362 | sizeof(ctx->internal->tlsext_supportedgroups[0])); | ||
| 363 | s->internal->tlsext_supportedgroups_length = | ||
| 364 | ctx->internal->tlsext_supportedgroups_length; | ||
| 365 | } | ||
| 366 | |||
| 339 | s->internal->next_proto_negotiated = NULL; | 367 | s->internal->next_proto_negotiated = NULL; |
| 340 | 368 | ||
| 341 | if (s->ctx->internal->alpn_client_proto_list != NULL) { | 369 | if (s->ctx->internal->alpn_client_proto_list != NULL) { |
| @@ -534,7 +562,7 @@ SSL_free(SSL *s) | |||
| 534 | free(s->tlsext_hostname); | 562 | free(s->tlsext_hostname); |
| 535 | SSL_CTX_free(s->initial_ctx); | 563 | SSL_CTX_free(s->initial_ctx); |
| 536 | free(s->internal->tlsext_ecpointformatlist); | 564 | free(s->internal->tlsext_ecpointformatlist); |
| 537 | free(s->internal->tlsext_ellipticcurvelist); | 565 | free(s->internal->tlsext_supportedgroups); |
| 538 | if (s->internal->tlsext_ocsp_exts) | 566 | if (s->internal->tlsext_ocsp_exts) |
| 539 | sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts, | 567 | sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts, |
| 540 | X509_EXTENSION_free); | 568 | X509_EXTENSION_free); |
| @@ -1998,6 +2026,9 @@ SSL_CTX_free(SSL_CTX *a) | |||
| 1998 | ENGINE_finish(a->internal->client_cert_engine); | 2026 | ENGINE_finish(a->internal->client_cert_engine); |
| 1999 | #endif | 2027 | #endif |
| 2000 | 2028 | ||
| 2029 | free(a->internal->tlsext_ecpointformatlist); | ||
| 2030 | free(a->internal->tlsext_supportedgroups); | ||
| 2031 | |||
| 2001 | free(a->internal->alpn_client_proto_list); | 2032 | free(a->internal->alpn_client_proto_list); |
| 2002 | 2033 | ||
| 2003 | free(a->internal); | 2034 | free(a->internal); |
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index 231e0ba333..0cda709da6 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_locl.h,v 1.163 2017/01/23 22:34:38 beck Exp $ */ | 1 | /* $OpenBSD: ssl_locl.h,v 1.164 2017/01/24 09:03:21 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -425,8 +425,8 @@ typedef struct ssl_session_internal_st { | |||
| 425 | 425 | ||
| 426 | size_t tlsext_ecpointformatlist_length; | 426 | size_t tlsext_ecpointformatlist_length; |
| 427 | uint8_t *tlsext_ecpointformatlist; /* peer's list */ | 427 | uint8_t *tlsext_ecpointformatlist; /* peer's list */ |
| 428 | size_t tlsext_ellipticcurvelist_length; | 428 | size_t tlsext_supportedgroups_length; |
| 429 | uint16_t *tlsext_ellipticcurvelist; /* peer's list */ | 429 | uint16_t *tlsext_supportedgroups; /* peer's list */ |
| 430 | } SSL_SESSION_INTERNAL; | 430 | } SSL_SESSION_INTERNAL; |
| 431 | #define SSI(s) (s->session->internal) | 431 | #define SSI(s) (s->session->internal) |
| 432 | 432 | ||
| @@ -603,6 +603,11 @@ typedef struct ssl_ctx_internal_st { | |||
| 603 | /* Client list of supported protocols in wire format. */ | 603 | /* Client list of supported protocols in wire format. */ |
| 604 | unsigned char *alpn_client_proto_list; | 604 | unsigned char *alpn_client_proto_list; |
| 605 | unsigned int alpn_client_proto_list_len; | 605 | unsigned int alpn_client_proto_list_len; |
| 606 | |||
| 607 | size_t tlsext_ecpointformatlist_length; | ||
| 608 | uint8_t *tlsext_ecpointformatlist; /* our list */ | ||
| 609 | size_t tlsext_supportedgroups_length; | ||
| 610 | uint16_t *tlsext_supportedgroups; /* our list */ | ||
| 606 | } SSL_CTX_INTERNAL; | 611 | } SSL_CTX_INTERNAL; |
| 607 | 612 | ||
| 608 | typedef struct ssl_internal_st { | 613 | typedef struct ssl_internal_st { |
| @@ -745,10 +750,11 @@ typedef struct ssl_internal_st { | |||
| 745 | 750 | ||
| 746 | /* RFC4507 session ticket expected to be received or sent */ | 751 | /* RFC4507 session ticket expected to be received or sent */ |
| 747 | int tlsext_ticket_expected; | 752 | int tlsext_ticket_expected; |
| 753 | |||
| 748 | size_t tlsext_ecpointformatlist_length; | 754 | size_t tlsext_ecpointformatlist_length; |
| 749 | uint8_t *tlsext_ecpointformatlist; /* our list */ | 755 | uint8_t *tlsext_ecpointformatlist; /* our list */ |
| 750 | size_t tlsext_ellipticcurvelist_length; | 756 | size_t tlsext_supportedgroups_length; |
| 751 | uint16_t *tlsext_ellipticcurvelist; /* our list */ | 757 | uint16_t *tlsext_supportedgroups; /* our list */ |
| 752 | 758 | ||
| 753 | /* TLS Session Ticket extension override */ | 759 | /* TLS Session Ticket extension override */ |
| 754 | TLS_SESSION_TICKET_EXT *tlsext_session_ticket; | 760 | TLS_SESSION_TICKET_EXT *tlsext_session_ticket; |
| @@ -1304,6 +1310,11 @@ int ssl_ok(SSL *s); | |||
| 1304 | 1310 | ||
| 1305 | int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s); | 1311 | int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s); |
| 1306 | 1312 | ||
| 1313 | int tls1_set_groups(uint16_t **out_group_ids, size_t *out_group_ids_len, | ||
| 1314 | const int *groups, size_t ngroups); | ||
| 1315 | int tls1_set_groups_list(uint16_t **out_group_ids, size_t *out_group_ids_len, | ||
| 1316 | const char *groups); | ||
| 1317 | |||
| 1307 | int tls1_ec_curve_id2nid(const uint16_t curve_id); | 1318 | int tls1_ec_curve_id2nid(const uint16_t curve_id); |
| 1308 | uint16_t tls1_ec_nid2curve_id(const int nid); | 1319 | uint16_t tls1_ec_nid2curve_id(const int nid); |
| 1309 | int tls1_check_curve(SSL *s, const uint16_t curve_id); | 1320 | int tls1_check_curve(SSL *s, const uint16_t curve_id); |
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c index 307c730e3f..8c802b170e 100644 --- a/src/lib/libssl/ssl_sess.c +++ b/src/lib/libssl/ssl_sess.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_sess.c,v 1.66 2017/01/24 01:44:00 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_sess.c,v 1.67 2017/01/24 09:03:21 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -219,8 +219,8 @@ SSL_SESSION_new(void) | |||
| 219 | 219 | ||
| 220 | ss->internal->tlsext_ecpointformatlist_length = 0; | 220 | ss->internal->tlsext_ecpointformatlist_length = 0; |
| 221 | ss->internal->tlsext_ecpointformatlist = NULL; | 221 | ss->internal->tlsext_ecpointformatlist = NULL; |
| 222 | ss->internal->tlsext_ellipticcurvelist_length = 0; | 222 | ss->internal->tlsext_supportedgroups_length = 0; |
| 223 | ss->internal->tlsext_ellipticcurvelist = NULL; | 223 | ss->internal->tlsext_supportedgroups = NULL; |
| 224 | 224 | ||
| 225 | CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->internal->ex_data); | 225 | CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->internal->ex_data); |
| 226 | 226 | ||
| @@ -709,7 +709,7 @@ SSL_SESSION_free(SSL_SESSION *ss) | |||
| 709 | free(ss->tlsext_hostname); | 709 | free(ss->tlsext_hostname); |
| 710 | free(ss->tlsext_tick); | 710 | free(ss->tlsext_tick); |
| 711 | free(ss->internal->tlsext_ecpointformatlist); | 711 | free(ss->internal->tlsext_ecpointformatlist); |
| 712 | free(ss->internal->tlsext_ellipticcurvelist); | 712 | free(ss->internal->tlsext_supportedgroups); |
| 713 | 713 | ||
| 714 | explicit_bzero(ss->internal, sizeof(*ss->internal)); | 714 | explicit_bzero(ss->internal, sizeof(*ss->internal)); |
| 715 | free(ss->internal); | 715 | free(ss->internal); |
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c index b69e52a85c..be7c5b72a9 100644 --- a/src/lib/libssl/t1_lib.c +++ b/src/lib/libssl/t1_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: t1_lib.c,v 1.108 2017/01/24 08:41:53 jsing Exp $ */ | 1 | /* $OpenBSD: t1_lib.c,v 1.109 2017/01/24 09:03:21 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -245,13 +245,17 @@ static int nid_list[] = { | |||
| 245 | NID_X25519, /* X25519 (29) */ | 245 | NID_X25519, /* X25519 (29) */ |
| 246 | }; | 246 | }; |
| 247 | 247 | ||
| 248 | static const uint8_t ecformats_default[] = { | 248 | static const uint8_t ecformats_list[] = { |
| 249 | TLSEXT_ECPOINTFORMAT_uncompressed, | 249 | TLSEXT_ECPOINTFORMAT_uncompressed, |
| 250 | TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime, | 250 | TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime, |
| 251 | TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 | 251 | TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 |
| 252 | }; | 252 | }; |
| 253 | 253 | ||
| 254 | static const uint16_t eccurves_default[] = { | 254 | static const uint8_t ecformats_default[] = { |
| 255 | TLSEXT_ECPOINTFORMAT_uncompressed, | ||
| 256 | }; | ||
| 257 | |||
| 258 | static const uint16_t eccurves_list[] = { | ||
| 255 | 29, /* X25519 (29) */ | 259 | 29, /* X25519 (29) */ |
| 256 | 14, /* sect571r1 (14) */ | 260 | 14, /* sect571r1 (14) */ |
| 257 | 13, /* sect571k1 (13) */ | 261 | 13, /* sect571k1 (13) */ |
| @@ -283,6 +287,12 @@ static const uint16_t eccurves_default[] = { | |||
| 283 | 17, /* secp160r2 (17) */ | 287 | 17, /* secp160r2 (17) */ |
| 284 | }; | 288 | }; |
| 285 | 289 | ||
| 290 | static const uint16_t eccurves_default[] = { | ||
| 291 | 29, /* X25519 (29) */ | ||
| 292 | 23, /* secp256r1 (23) */ | ||
| 293 | 24, /* secp384r1 (24) */ | ||
| 294 | }; | ||
| 295 | |||
| 286 | int | 296 | int |
| 287 | tls1_ec_curve_id2nid(const uint16_t curve_id) | 297 | tls1_ec_curve_id2nid(const uint16_t curve_id) |
| 288 | { | 298 | { |
| @@ -394,19 +404,93 @@ tls1_get_curvelist(SSL *s, int client_curves, const uint16_t **pcurves, | |||
| 394 | size_t *pcurveslen) | 404 | size_t *pcurveslen) |
| 395 | { | 405 | { |
| 396 | if (client_curves != 0) { | 406 | if (client_curves != 0) { |
| 397 | *pcurves = SSI(s)->tlsext_ellipticcurvelist; | 407 | *pcurves = SSI(s)->tlsext_supportedgroups; |
| 398 | *pcurveslen = SSI(s)->tlsext_ellipticcurvelist_length; | 408 | *pcurveslen = SSI(s)->tlsext_supportedgroups_length; |
| 399 | return; | 409 | return; |
| 400 | } | 410 | } |
| 401 | 411 | ||
| 402 | *pcurves = s->internal->tlsext_ellipticcurvelist; | 412 | *pcurves = s->internal->tlsext_supportedgroups; |
| 403 | *pcurveslen = s->internal->tlsext_ellipticcurvelist_length; | 413 | *pcurveslen = s->internal->tlsext_supportedgroups_length; |
| 404 | if (*pcurves == NULL) { | 414 | if (*pcurves == NULL) { |
| 405 | *pcurves = eccurves_default; | 415 | *pcurves = eccurves_default; |
| 406 | *pcurveslen = sizeof(eccurves_default) / 2; | 416 | *pcurveslen = sizeof(eccurves_default) / 2; |
| 407 | } | 417 | } |
| 408 | } | 418 | } |
| 409 | 419 | ||
| 420 | int | ||
| 421 | tls1_set_groups(uint16_t **out_group_ids, size_t *out_group_ids_len, | ||
| 422 | const int *groups, size_t ngroups) | ||
| 423 | { | ||
| 424 | uint16_t *group_ids; | ||
| 425 | size_t i; | ||
| 426 | |||
| 427 | group_ids = calloc(ngroups, sizeof(uint16_t)); | ||
| 428 | if (group_ids == NULL) | ||
| 429 | return 0; | ||
| 430 | |||
| 431 | for (i = 0; i < ngroups; i++) { | ||
| 432 | group_ids[i] = tls1_ec_nid2curve_id(groups[i]); | ||
| 433 | if (group_ids[i] == 0) { | ||
| 434 | free(group_ids); | ||
| 435 | return 0; | ||
| 436 | } | ||
| 437 | } | ||
| 438 | |||
| 439 | free(*out_group_ids); | ||
| 440 | *out_group_ids = group_ids; | ||
| 441 | *out_group_ids_len = ngroups; | ||
| 442 | |||
| 443 | return 1; | ||
| 444 | } | ||
| 445 | |||
| 446 | int | ||
| 447 | tls1_set_groups_list(uint16_t **out_group_ids, size_t *out_group_ids_len, | ||
| 448 | const char *groups) | ||
| 449 | { | ||
| 450 | uint16_t *new_group_ids, *group_ids = NULL; | ||
| 451 | size_t ngroups = 0; | ||
| 452 | char *gs, *p, *q; | ||
| 453 | int nid; | ||
| 454 | |||
| 455 | if ((gs = strdup(groups)) == NULL) | ||
| 456 | return 0; | ||
| 457 | |||
| 458 | q = gs; | ||
| 459 | while ((p = strsep(&q, ":")) != NULL) { | ||
| 460 | nid = OBJ_sn2nid(p); | ||
| 461 | if (nid == NID_undef) | ||
| 462 | nid = OBJ_ln2nid(p); | ||
| 463 | if (nid == NID_undef) | ||
| 464 | nid = EC_curve_nist2nid(p); | ||
| 465 | if (nid == NID_undef) | ||
| 466 | goto err; | ||
| 467 | |||
| 468 | if ((new_group_ids = reallocarray(group_ids, ngroups + 1, | ||
| 469 | sizeof(uint16_t))) == NULL) | ||
| 470 | goto err; | ||
| 471 | group_ids = new_group_ids; | ||
| 472 | |||
| 473 | group_ids[ngroups] = tls1_ec_nid2curve_id(nid); | ||
| 474 | if (group_ids[ngroups] == 0) | ||
| 475 | goto err; | ||
| 476 | |||
| 477 | ngroups++; | ||
| 478 | } | ||
| 479 | |||
| 480 | free(gs); | ||
| 481 | free(*out_group_ids); | ||
| 482 | *out_group_ids = group_ids; | ||
| 483 | *out_group_ids_len = ngroups; | ||
| 484 | |||
| 485 | return 1; | ||
| 486 | |||
| 487 | err: | ||
| 488 | free(gs); | ||
| 489 | free(group_ids); | ||
| 490 | |||
| 491 | return 0; | ||
| 492 | } | ||
| 493 | |||
| 410 | /* Check that a curve is one of our preferences. */ | 494 | /* Check that a curve is one of our preferences. */ |
| 411 | int | 495 | int |
| 412 | tls1_check_curve(SSL *s, const uint16_t curve_id) | 496 | tls1_check_curve(SSL *s, const uint16_t curve_id) |
| @@ -1378,11 +1462,11 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, | |||
| 1378 | curveslen /= 2; | 1462 | curveslen /= 2; |
| 1379 | 1463 | ||
| 1380 | if (!s->internal->hit) { | 1464 | if (!s->internal->hit) { |
| 1381 | if (SSI(s)->tlsext_ellipticcurvelist) { | 1465 | if (SSI(s)->tlsext_supportedgroups) { |
| 1382 | *al = TLS1_AD_DECODE_ERROR; | 1466 | *al = TLS1_AD_DECODE_ERROR; |
| 1383 | return 0; | 1467 | return 0; |
| 1384 | } | 1468 | } |
| 1385 | SSI(s)->tlsext_ellipticcurvelist_length = 0; | 1469 | SSI(s)->tlsext_supportedgroups_length = 0; |
| 1386 | if ((curves = reallocarray(NULL, curveslen, | 1470 | if ((curves = reallocarray(NULL, curveslen, |
| 1387 | sizeof(uint16_t))) == NULL) { | 1471 | sizeof(uint16_t))) == NULL) { |
| 1388 | *al = TLS1_AD_INTERNAL_ERROR; | 1472 | *al = TLS1_AD_INTERNAL_ERROR; |
| @@ -1390,11 +1474,10 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, | |||
| 1390 | } | 1474 | } |
| 1391 | for (i = 0; i < curveslen; i++) | 1475 | for (i = 0; i < curveslen; i++) |
| 1392 | n2s(sdata, curves[i]); | 1476 | n2s(sdata, curves[i]); |
| 1393 | SSI(s)->tlsext_ellipticcurvelist = curves; | 1477 | SSI(s)->tlsext_supportedgroups = curves; |
| 1394 | SSI(s)->tlsext_ellipticcurvelist_length = curveslen; | 1478 | SSI(s)->tlsext_supportedgroups_length = curveslen; |
| 1395 | } | 1479 | } |
| 1396 | } | 1480 | } else if (type == TLSEXT_TYPE_session_ticket) { |
| 1397 | else if (type == TLSEXT_TYPE_session_ticket) { | ||
| 1398 | if (s->internal->tls_session_ticket_ext_cb && | 1481 | if (s->internal->tls_session_ticket_ext_cb && |
| 1399 | !s->internal->tls_session_ticket_ext_cb(s, data, size, s->internal->tls_session_ticket_ext_cb_arg)) { | 1482 | !s->internal->tls_session_ticket_ext_cb(s, data, size, s->internal->tls_session_ticket_ext_cb_arg)) { |
| 1400 | *al = TLS1_AD_INTERNAL_ERROR; | 1483 | *al = TLS1_AD_INTERNAL_ERROR; |