summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/lib/libssl/s3_lib.c6
-rw-r--r--src/lib/libssl/ssl_clnt.c14
-rw-r--r--src/lib/libssl/ssl_locl.h14
-rw-r--r--src/lib/libssl/ssl_seclevel.c16
-rw-r--r--src/lib/libssl/ssl_sigalgs.c14
-rw-r--r--src/lib/libssl/ssl_sigalgs.h4
-rw-r--r--src/lib/libssl/ssl_srvr.c4
-rw-r--r--src/lib/libssl/ssl_tlsext.c4
-rw-r--r--src/lib/libssl/t1_lib.c274
-rw-r--r--src/lib/libssl/tls13_client.c4
-rw-r--r--src/lib/libssl/tls13_server.c6
-rw-r--r--src/lib/libssl/tls_key_share.c6
12 files changed, 204 insertions, 162 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 4575a141cf..cfd50e66be 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_lib.c,v 1.233 2022/06/29 21:18:04 tb Exp $ */ 1/* $OpenBSD: s3_lib.c,v 1.234 2022/07/02 16:00:12 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -2494,13 +2494,13 @@ ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
2494 STACK_OF(SSL_CIPHER) *prio, *allow; 2494 STACK_OF(SSL_CIPHER) *prio, *allow;
2495 SSL_CIPHER *c, *ret = NULL; 2495 SSL_CIPHER *c, *ret = NULL;
2496 int can_use_ecc; 2496 int can_use_ecc;
2497 int i, ii, ok; 2497 int i, ii, nid, ok;
2498 SSL_CERT *cert; 2498 SSL_CERT *cert;
2499 2499
2500 /* Let's see which ciphers we can support */ 2500 /* Let's see which ciphers we can support */
2501 cert = s->cert; 2501 cert = s->cert;
2502 2502
2503 can_use_ecc = (tls1_get_shared_curve(s) != NID_undef); 2503 can_use_ecc = tls1_get_supported_group(s, &nid);
2504 2504
2505 /* 2505 /*
2506 * Do not set the compare functions, because this may lead to a 2506 * Do not set the compare functions, because this may lead to a
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index 604b55277c..8fe416b74a 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_clnt.c,v 1.149 2022/06/30 11:17:49 tb Exp $ */ 1/* $OpenBSD: ssl_clnt.c,v 1.150 2022/07/02 16:00:12 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1271,13 +1271,13 @@ static int
1271ssl3_get_server_kex_ecdhe(SSL *s, CBS *cbs) 1271ssl3_get_server_kex_ecdhe(SSL *s, CBS *cbs)
1272{ 1272{
1273 uint8_t curve_type; 1273 uint8_t curve_type;
1274 uint16_t curve_id; 1274 uint16_t group_id;
1275 int decode_error; 1275 int decode_error;
1276 CBS public; 1276 CBS public;
1277 1277
1278 if (!CBS_get_u8(cbs, &curve_type)) 1278 if (!CBS_get_u8(cbs, &curve_type))
1279 goto decode_err; 1279 goto decode_err;
1280 if (!CBS_get_u16(cbs, &curve_id)) 1280 if (!CBS_get_u16(cbs, &group_id))
1281 goto decode_err; 1281 goto decode_err;
1282 1282
1283 /* Only named curves are supported. */ 1283 /* Only named curves are supported. */
@@ -1291,17 +1291,17 @@ ssl3_get_server_kex_ecdhe(SSL *s, CBS *cbs)
1291 goto decode_err; 1291 goto decode_err;
1292 1292
1293 /* 1293 /*
1294 * Check that the curve is one of our preferences - if it is not, 1294 * Check that the group is one of our preferences - if it is not,
1295 * the server has sent us an invalid curve. 1295 * the server has sent us an invalid group.
1296 */ 1296 */
1297 if (!tls1_check_curve(s, curve_id)) { 1297 if (!tls1_check_group(s, group_id)) {
1298 SSLerror(s, SSL_R_WRONG_CURVE); 1298 SSLerror(s, SSL_R_WRONG_CURVE);
1299 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 1299 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
1300 goto err; 1300 goto err;
1301 } 1301 }
1302 1302
1303 tls_key_share_free(s->s3->hs.key_share); 1303 tls_key_share_free(s->s3->hs.key_share);
1304 if ((s->s3->hs.key_share = tls_key_share_new(curve_id)) == NULL) 1304 if ((s->s3->hs.key_share = tls_key_share_new(group_id)) == NULL)
1305 goto err; 1305 goto err;
1306 1306
1307 if (!tls_key_share_peer_public(s->s3->hs.key_share, &public, 1307 if (!tls_key_share_peer_public(s->s3->hs.key_share, &public,
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index d3e600b6b7..a2ca99c02d 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_locl.h,v 1.409 2022/06/30 16:05:07 tb Exp $ */ 1/* $OpenBSD: ssl_locl.h,v 1.410 2022/07/02 16:00:12 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1306,7 +1306,7 @@ int ssl_security_cert(const SSL_CTX *ctx, const SSL *ssl, X509 *x509,
1306 int is_peer, int *out_error); 1306 int is_peer, int *out_error);
1307int ssl_security_cert_chain(const SSL *ssl, STACK_OF(X509) *sk, 1307int ssl_security_cert_chain(const SSL *ssl, STACK_OF(X509) *sk,
1308 X509 *x509, int *out_error); 1308 X509 *x509, int *out_error);
1309int ssl_security_supported_group(const SSL *ssl, uint16_t curve_id); 1309int ssl_security_supported_group(const SSL *ssl, uint16_t group_id);
1310 1310
1311int ssl_get_new_session(SSL *s, int session); 1311int ssl_get_new_session(SSL *s, int session);
1312int ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block, 1312int ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block,
@@ -1515,11 +1515,11 @@ int tls1_set_groups(uint16_t **out_group_ids, size_t *out_group_ids_len,
1515int tls1_set_group_list(uint16_t **out_group_ids, size_t *out_group_ids_len, 1515int tls1_set_group_list(uint16_t **out_group_ids, size_t *out_group_ids_len,
1516 const char *groups); 1516 const char *groups);
1517 1517
1518int tls1_ec_curve_id2nid(const uint16_t curve_id); 1518int tls1_ec_group_id2nid(uint16_t group_id, int *out_nid);
1519int tls1_ec_curve_id2bits(const uint16_t curve_id); 1519int tls1_ec_group_id2bits(uint16_t group_id, int *out_bits);
1520uint16_t tls1_ec_nid2curve_id(const int nid); 1520int tls1_ec_nid2group_id(int nid, uint16_t *out_group_id);
1521int tls1_check_curve(SSL *s, const uint16_t group_id); 1521int tls1_check_group(SSL *s, uint16_t group_id);
1522int tls1_get_shared_curve(SSL *s); 1522int tls1_get_supported_group(SSL *s, int *group_nid);
1523 1523
1524int ssl_check_clienthello_tlsext_early(SSL *s); 1524int ssl_check_clienthello_tlsext_early(SSL *s);
1525int ssl_check_clienthello_tlsext_late(SSL *s); 1525int ssl_check_clienthello_tlsext_late(SSL *s);
diff --git a/src/lib/libssl/ssl_seclevel.c b/src/lib/libssl/ssl_seclevel.c
index 35f8b8891b..2e0b74141f 100644
--- a/src/lib/libssl/ssl_seclevel.c
+++ b/src/lib/libssl/ssl_seclevel.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_seclevel.c,v 1.14 2022/06/30 16:05:07 tb Exp $ */ 1/* $OpenBSD: ssl_seclevel.c,v 1.15 2022/07/02 16:00:12 tb Exp $ */
2/* 2/*
3 * Copyright (c) 2020 Theo Buehler <tb@openbsd.org> 3 * Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
4 * 4 *
@@ -401,23 +401,23 @@ ssl_security_cert_chain(const SSL *ssl, STACK_OF(X509) *sk, X509 *x509,
401} 401}
402 402
403int 403int
404ssl_security_supported_group(const SSL *ssl, uint16_t curve_id) 404ssl_security_supported_group(const SSL *ssl, uint16_t group_id)
405{ 405{
406 CBB cbb; 406 CBB cbb;
407 int bits, nid; 407 int bits, nid;
408 uint8_t curve[2]; 408 uint8_t group[2];
409 409
410 if ((bits = tls1_ec_curve_id2bits(curve_id)) == 0) 410 if (!tls1_ec_group_id2bits(group_id, &bits))
411 return 0; 411 return 0;
412 if ((nid = tls1_ec_curve_id2nid(curve_id)) == NID_undef) 412 if (!tls1_ec_group_id2nid(group_id, &nid))
413 return 0; 413 return 0;
414 414
415 if (!CBB_init_fixed(&cbb, curve, sizeof(curve))) 415 if (!CBB_init_fixed(&cbb, group, sizeof(group)))
416 return 0; 416 return 0;
417 if (!CBB_add_u16(&cbb, curve_id)) 417 if (!CBB_add_u16(&cbb, group_id))
418 return 0; 418 return 0;
419 if (!CBB_finish(&cbb, NULL, NULL)) 419 if (!CBB_finish(&cbb, NULL, NULL))
420 return 0; 420 return 0;
421 421
422 return ssl_security(ssl, SSL_SECOP_CURVE_SUPPORTED, bits, nid, curve); 422 return ssl_security(ssl, SSL_SECOP_CURVE_SUPPORTED, bits, nid, group);
423} 423}
diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
index 9c38a076ac..754d76e72a 100644
--- a/src/lib/libssl/ssl_sigalgs.c
+++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_sigalgs.c,v 1.45 2022/06/29 07:55:59 tb Exp $ */ 1/* $OpenBSD: ssl_sigalgs.c,v 1.46 2022/07/02 16:00:12 tb Exp $ */
2/* 2/*
3 * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org> 3 * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
4 * Copyright (c) 2021 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
@@ -39,7 +39,7 @@ const struct ssl_sigalg sigalgs[] = {
39 .key_type = EVP_PKEY_EC, 39 .key_type = EVP_PKEY_EC,
40 .md = EVP_sha512, 40 .md = EVP_sha512,
41 .security_level = 5, 41 .security_level = 5,
42 .curve_nid = NID_secp521r1, 42 .group_nid = NID_secp521r1,
43 }, 43 },
44#ifndef OPENSSL_NO_GOST 44#ifndef OPENSSL_NO_GOST
45 { 45 {
@@ -60,7 +60,7 @@ const struct ssl_sigalg sigalgs[] = {
60 .key_type = EVP_PKEY_EC, 60 .key_type = EVP_PKEY_EC,
61 .md = EVP_sha384, 61 .md = EVP_sha384,
62 .security_level = 4, 62 .security_level = 4,
63 .curve_nid = NID_secp384r1, 63 .group_nid = NID_secp384r1,
64 }, 64 },
65 { 65 {
66 .value = SIGALG_RSA_PKCS1_SHA256, 66 .value = SIGALG_RSA_PKCS1_SHA256,
@@ -73,7 +73,7 @@ const struct ssl_sigalg sigalgs[] = {
73 .key_type = EVP_PKEY_EC, 73 .key_type = EVP_PKEY_EC,
74 .md = EVP_sha256, 74 .md = EVP_sha256,
75 .security_level = 3, 75 .security_level = 3,
76 .curve_nid = NID_X9_62_prime256v1, 76 .group_nid = NID_X9_62_prime256v1,
77 }, 77 },
78#ifndef OPENSSL_NO_GOST 78#ifndef OPENSSL_NO_GOST
79 { 79 {
@@ -321,12 +321,12 @@ ssl_sigalg_pkey_ok(SSL *s, const struct ssl_sigalg *sigalg, EVP_PKEY *pkey)
321 (sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0) 321 (sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0)
322 return 0; 322 return 0;
323 323
324 /* Ensure that curve matches for EC keys. */ 324 /* Ensure that group matches for EC keys. */
325 if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) { 325 if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
326 if (sigalg->curve_nid == 0) 326 if (sigalg->group_nid == 0)
327 return 0; 327 return 0;
328 if (EC_GROUP_get_curve_name(EC_KEY_get0_group( 328 if (EC_GROUP_get_curve_name(EC_KEY_get0_group(
329 EVP_PKEY_get0_EC_KEY(pkey))) != sigalg->curve_nid) 329 EVP_PKEY_get0_EC_KEY(pkey))) != sigalg->group_nid)
330 return 0; 330 return 0;
331 } 331 }
332 332
diff --git a/src/lib/libssl/ssl_sigalgs.h b/src/lib/libssl/ssl_sigalgs.h
index 5be2122906..21a54d642b 100644
--- a/src/lib/libssl/ssl_sigalgs.h
+++ b/src/lib/libssl/ssl_sigalgs.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_sigalgs.h,v 1.25 2022/06/29 07:53:58 tb Exp $ */ 1/* $OpenBSD: ssl_sigalgs.h,v 1.26 2022/07/02 16:00:12 tb Exp $ */
2/* 2/*
3 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org> 3 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org>
4 * 4 *
@@ -65,7 +65,7 @@ struct ssl_sigalg {
65 int key_type; 65 int key_type;
66 const EVP_MD *(*md)(void); 66 const EVP_MD *(*md)(void);
67 int security_level; 67 int security_level;
68 int curve_nid; 68 int group_nid;
69 int flags; 69 int flags;
70}; 70};
71 71
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index 8f110831e4..526d9e678b 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_srvr.c,v 1.146 2022/06/30 11:17:50 tb Exp $ */ 1/* $OpenBSD: ssl_srvr.c,v 1.147 2022/07/02 16:00:12 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1380,7 +1380,7 @@ ssl3_send_server_kex_ecdhe(SSL *s, CBB *cbb)
1380 CBB public; 1380 CBB public;
1381 int nid; 1381 int nid;
1382 1382
1383 if ((nid = tls1_get_shared_curve(s)) == NID_undef) { 1383 if (!tls1_get_supported_group(s, &nid)) {
1384 SSLerror(s, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); 1384 SSLerror(s, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
1385 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 1385 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1386 goto err; 1386 goto err;
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 88d26fd326..7457925572 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_tlsext.c,v 1.117 2022/06/30 16:05:07 tb Exp $ */ 1/* $OpenBSD: ssl_tlsext.c,v 1.118 2022/07/02 16:00:12 tb Exp $ */
2/* 2/*
3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1516,7 +1516,7 @@ tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1516 continue; 1516 continue;
1517 1517
1518 /* XXX - consider implementing server preference. */ 1518 /* XXX - consider implementing server preference. */
1519 if (!tls1_check_curve(s, group)) 1519 if (!tls1_check_group(s, group))
1520 continue; 1520 continue;
1521 1521
1522 /* Decode and store the selected key share. */ 1522 /* Decode and store the selected key share. */
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 9748901268..beaaae1eb0 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: t1_lib.c,v 1.190 2022/07/02 15:53:37 tb Exp $ */ 1/* $OpenBSD: t1_lib.c,v 1.191 2022/07/02 16:00:12 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -150,12 +150,16 @@ tls1_clear(SSL *s)
150 s->version = s->method->version; 150 s->version = s->method->version;
151} 151}
152 152
153struct curve { 153struct supported_group {
154 int nid; 154 int nid;
155 int bits; 155 int bits;
156}; 156};
157 157
158static const struct curve nid_list[] = { 158/*
159 * Supported groups (formerly known as named curves)
160 * https://www.iana.org/assignments/tls-parameters/#tls-parameters-8
161 */
162static const struct supported_group nid_list[] = {
159 [1] = { 163 [1] = {
160 .nid = NID_sect163k1, 164 .nid = NID_sect163k1,
161 .bits = 80, 165 .bits = 80,
@@ -274,6 +278,8 @@ static const struct curve nid_list[] = {
274 }, 278 },
275}; 279};
276 280
281#define NID_LIST_LEN (sizeof(nid_list) / sizeof(nid_list[0]))
282
277#if 0 283#if 0
278static const uint8_t ecformats_list[] = { 284static const uint8_t ecformats_list[] = {
279 TLSEXT_ECPOINTFORMAT_uncompressed, 285 TLSEXT_ECPOINTFORMAT_uncompressed,
@@ -287,7 +293,7 @@ static const uint8_t ecformats_default[] = {
287}; 293};
288 294
289#if 0 295#if 0
290static const uint16_t eccurves_list[] = { 296static const uint16_t ecgroups_list[] = {
291 29, /* X25519 (29) */ 297 29, /* X25519 (29) */
292 14, /* sect571r1 (14) */ 298 14, /* sect571r1 (14) */
293 13, /* sect571k1 (13) */ 299 13, /* sect571k1 (13) */
@@ -320,116 +326,155 @@ static const uint16_t eccurves_list[] = {
320}; 326};
321#endif 327#endif
322 328
323static const uint16_t eccurves_client_default[] = { 329static const uint16_t ecgroups_client_default[] = {
324 29, /* X25519 (29) */ 330 29, /* X25519 (29) */
325 23, /* secp256r1 (23) */ 331 23, /* secp256r1 (23) */
326 24, /* secp384r1 (24) */ 332 24, /* secp384r1 (24) */
327 25, /* secp521r1 (25) */ 333 25, /* secp521r1 (25) */
328}; 334};
329 335
330static const uint16_t eccurves_server_default[] = { 336static const uint16_t ecgroups_server_default[] = {
331 29, /* X25519 (29) */ 337 29, /* X25519 (29) */
332 23, /* secp256r1 (23) */ 338 23, /* secp256r1 (23) */
333 24, /* secp384r1 (24) */ 339 24, /* secp384r1 (24) */
334}; 340};
335 341
336int 342int
337tls1_ec_curve_id2nid(const uint16_t curve_id) 343tls1_ec_group_id2nid(uint16_t group_id, int *out_nid)
338{ 344{
339 const struct curve *curve; 345 const struct supported_group *group;
340 346
341 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 347 if (group_id < 1 || group_id >= NID_LIST_LEN)
342 if ((curve_id < 1) || 348 return 0;
343 ((unsigned int)curve_id >= sizeof(nid_list) / sizeof(nid_list[0]))) 349
344 return NID_undef; 350 if ((group = &nid_list[group_id]) == NULL)
351 return 0;
345 352
346 if ((curve = &nid_list[curve_id]) == NULL) 353 *out_nid = group->nid;
347 return NID_undef;
348 354
349 return curve->nid; 355 return 1;
350} 356}
351 357
352int 358int
353tls1_ec_curve_id2bits(const uint16_t curve_id) 359tls1_ec_group_id2bits(uint16_t group_id, int *out_bits)
354{ 360{
355 const struct curve *curve; 361 const struct supported_group *group;
356 362
357 if ((curve_id < 1) || 363 if (group_id < 1 || group_id >= NID_LIST_LEN)
358 ((unsigned int)curve_id >= sizeof(nid_list) / sizeof(nid_list[0])))
359 return 0; 364 return 0;
360 365
361 if ((curve = &nid_list[curve_id]) == NULL) 366 if ((group = &nid_list[group_id]) == NULL)
362 return 0; 367 return 0;
363 368
364 return curve->bits; 369 *out_bits = group->bits;
370
371 return 1;
365} 372}
366 373
367uint16_t 374int
368tls1_ec_nid2curve_id(const int nid) 375tls1_ec_nid2group_id(const int nid, uint16_t *out_group_id)
369{ 376{
370 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 377 uint16_t group_id;
378
371 switch (nid) { 379 switch (nid) {
372 case NID_sect163k1: /* sect163k1 (1) */ 380 case NID_sect163k1:
373 return 1; 381 group_id = 1;
374 case NID_sect163r1: /* sect163r1 (2) */ 382 break;
375 return 2; 383 case NID_sect163r1:
376 case NID_sect163r2: /* sect163r2 (3) */ 384 group_id = 2;
377 return 3; 385 break;
378 case NID_sect193r1: /* sect193r1 (4) */ 386 case NID_sect163r2:
379 return 4; 387 group_id = 3;
380 case NID_sect193r2: /* sect193r2 (5) */ 388 break;
381 return 5; 389 case NID_sect193r1:
382 case NID_sect233k1: /* sect233k1 (6) */ 390 group_id = 4;
383 return 6; 391 break;
384 case NID_sect233r1: /* sect233r1 (7) */ 392 case NID_sect193r2:
385 return 7; 393 group_id = 5;
386 case NID_sect239k1: /* sect239k1 (8) */ 394 break;
387 return 8; 395 case NID_sect233k1:
388 case NID_sect283k1: /* sect283k1 (9) */ 396 group_id = 6;
389 return 9; 397 break;
390 case NID_sect283r1: /* sect283r1 (10) */ 398 case NID_sect233r1:
391 return 10; 399 group_id = 7;
392 case NID_sect409k1: /* sect409k1 (11) */ 400 break;
393 return 11; 401 case NID_sect239k1:
394 case NID_sect409r1: /* sect409r1 (12) */ 402 group_id = 8;
395 return 12; 403 break;
396 case NID_sect571k1: /* sect571k1 (13) */ 404 case NID_sect283k1:
397 return 13; 405 group_id = 9;
398 case NID_sect571r1: /* sect571r1 (14) */ 406 break;
399 return 14; 407 case NID_sect283r1:
400 case NID_secp160k1: /* secp160k1 (15) */ 408 group_id = 10;
401 return 15; 409 break;
402 case NID_secp160r1: /* secp160r1 (16) */ 410 case NID_sect409k1:
403 return 16; 411 group_id = 11;
404 case NID_secp160r2: /* secp160r2 (17) */ 412 break;
405 return 17; 413 case NID_sect409r1:
406 case NID_secp192k1: /* secp192k1 (18) */ 414 group_id = 12;
407 return 18; 415 break;
408 case NID_X9_62_prime192v1: /* secp192r1 (19) */ 416 case NID_sect571k1:
409 return 19; 417 group_id = 13;
410 case NID_secp224k1: /* secp224k1 (20) */ 418 break;
411 return 20; 419 case NID_sect571r1:
412 case NID_secp224r1: /* secp224r1 (21) */ 420 group_id = 14;
413 return 21; 421 break;
414 case NID_secp256k1: /* secp256k1 (22) */ 422 case NID_secp160k1:
415 return 22; 423 group_id = 15;
416 case NID_X9_62_prime256v1: /* secp256r1 (23) */ 424 break;
417 return 23; 425 case NID_secp160r1:
418 case NID_secp384r1: /* secp384r1 (24) */ 426 group_id = 16;
419 return 24; 427 break;
420 case NID_secp521r1: /* secp521r1 (25) */ 428 case NID_secp160r2:
421 return 25; 429 group_id = 17;
422 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */ 430 break;
423 return 26; 431 case NID_secp192k1:
424 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */ 432 group_id = 18;
425 return 27; 433 break;
426 case NID_brainpoolP512r1: /* brainpoolP512r1 (28) */ 434 case NID_X9_62_prime192v1: /* aka secp192r1 */
427 return 28; 435 group_id = 19;
428 case NID_X25519: /* X25519 (29) */ 436 break;
429 return 29; 437 case NID_secp224k1:
438 group_id = 20;
439 break;
440 case NID_secp224r1:
441 group_id = 21;
442 break;
443 case NID_secp256k1:
444 group_id = 22;
445 break;
446 case NID_X9_62_prime256v1: /* aka secp256r1 */
447 group_id = 23;
448 break;
449 case NID_secp384r1:
450 group_id = 24;
451 break;
452 case NID_secp521r1:
453 group_id = 25;
454 break;
455 case NID_brainpoolP256r1:
456 group_id = 26;
457 break;
458 case NID_brainpoolP384r1:
459 group_id = 27;
460 break;
461 case NID_brainpoolP512r1:
462 group_id = 28;
463 break;
464 case NID_X25519:
465 group_id = 29;
466 break;
430 default: 467 default:
431 return 0; 468 group_id = 0;
469 break;
432 } 470 }
471
472 if (group_id == 0)
473 return 0;
474
475 *out_group_id = group_id;
476
477 return 1;
433} 478}
434 479
435/* 480/*
@@ -476,11 +521,11 @@ tls1_get_group_list(SSL *s, int client_groups, const uint16_t **pgroups,
476 return; 521 return;
477 522
478 if (!s->server) { 523 if (!s->server) {
479 *pgroups = eccurves_client_default; 524 *pgroups = ecgroups_client_default;
480 *pgroupslen = sizeof(eccurves_client_default) / 2; 525 *pgroupslen = sizeof(ecgroups_client_default) / 2;
481 } else { 526 } else {
482 *pgroups = eccurves_server_default; 527 *pgroups = ecgroups_server_default;
483 *pgroupslen = sizeof(eccurves_server_default) / 2; 528 *pgroupslen = sizeof(ecgroups_server_default) / 2;
484 } 529 }
485} 530}
486 531
@@ -491,13 +536,11 @@ tls1_set_groups(uint16_t **out_group_ids, size_t *out_group_ids_len,
491 uint16_t *group_ids; 536 uint16_t *group_ids;
492 size_t i; 537 size_t i;
493 538
494 group_ids = calloc(ngroups, sizeof(uint16_t)); 539 if ((group_ids = calloc(ngroups, sizeof(uint16_t))) == NULL)
495 if (group_ids == NULL)
496 return 0; 540 return 0;
497 541
498 for (i = 0; i < ngroups; i++) { 542 for (i = 0; i < ngroups; i++) {
499 group_ids[i] = tls1_ec_nid2curve_id(groups[i]); 543 if (!tls1_ec_nid2group_id(groups[i], &group_ids[i])) {
500 if (group_ids[i] == 0) {
501 free(group_ids); 544 free(group_ids);
502 return 0; 545 return 0;
503 } 546 }
@@ -537,8 +580,7 @@ tls1_set_group_list(uint16_t **out_group_ids, size_t *out_group_ids_len,
537 goto err; 580 goto err;
538 group_ids = new_group_ids; 581 group_ids = new_group_ids;
539 582
540 group_ids[ngroups] = tls1_ec_nid2curve_id(nid); 583 if (!tls1_ec_nid2group_id(nid, &group_ids[ngroups]))
541 if (group_ids[ngroups] == 0)
542 goto err; 584 goto err;
543 585
544 ngroups++; 586 ngroups++;
@@ -558,9 +600,9 @@ tls1_set_group_list(uint16_t **out_group_ids, size_t *out_group_ids_len,
558 return 0; 600 return 0;
559} 601}
560 602
561/* Check that a curve is one of our preferences. */ 603/* Check that a group is one of our preferences. */
562int 604int
563tls1_check_curve(SSL *s, const uint16_t curve_id) 605tls1_check_group(SSL *s, uint16_t group_id)
564{ 606{
565 const uint16_t *groups; 607 const uint16_t *groups;
566 size_t groupslen, i; 608 size_t groupslen, i;
@@ -570,14 +612,14 @@ tls1_check_curve(SSL *s, const uint16_t curve_id)
570 for (i = 0; i < groupslen; i++) { 612 for (i = 0; i < groupslen; i++) {
571 if (!ssl_security_supported_group(s, groups[i])) 613 if (!ssl_security_supported_group(s, groups[i]))
572 continue; 614 continue;
573 if (groups[i] == curve_id) 615 if (groups[i] == group_id)
574 return (1); 616 return 1;
575 } 617 }
576 return (0); 618 return 0;
577} 619}
578 620
579int 621int
580tls1_get_shared_curve(SSL *s) 622tls1_get_supported_group(SSL *s, int *out_nid)
581{ 623{
582 size_t preflen, supplen, i, j; 624 size_t preflen, supplen, i, j;
583 const uint16_t *pref, *supp; 625 const uint16_t *pref, *supp;
@@ -585,9 +627,9 @@ tls1_get_shared_curve(SSL *s)
585 627
586 /* Cannot do anything on the client side. */ 628 /* Cannot do anything on the client side. */
587 if (s->server == 0) 629 if (s->server == 0)
588 return (NID_undef); 630 return 0;
589 631
590 /* Return first preference shared curve. */ 632 /* Return first preference supported group. */
591 server_pref = (s->internal->options & SSL_OP_CIPHER_SERVER_PREFERENCE); 633 server_pref = (s->internal->options & SSL_OP_CIPHER_SERVER_PREFERENCE);
592 tls1_get_group_list(s, (server_pref == 0), &pref, &preflen); 634 tls1_get_group_list(s, (server_pref == 0), &pref, &preflen);
593 tls1_get_group_list(s, (server_pref != 0), &supp, &supplen); 635 tls1_get_group_list(s, (server_pref != 0), &supp, &supplen);
@@ -597,15 +639,15 @@ tls1_get_shared_curve(SSL *s)
597 continue; 639 continue;
598 for (j = 0; j < supplen; j++) { 640 for (j = 0; j < supplen; j++) {
599 if (pref[i] == supp[j]) 641 if (pref[i] == supp[j])
600 return (tls1_ec_curve_id2nid(pref[i])); 642 return tls1_ec_group_id2nid(pref[i], out_nid);
601 } 643 }
602 } 644 }
603 return (NID_undef); 645 return 0;
604} 646}
605 647
606/* For an EC key set TLS ID and required compression based on parameters. */ 648/* For an EC key set TLS ID and required compression based on parameters. */
607static int 649static int
608tls1_set_ec_id(uint16_t *curve_id, uint8_t *comp_id, EC_KEY *ec) 650tls1_set_ec_id(uint16_t *group_id, uint8_t *comp_id, EC_KEY *ec)
609{ 651{
610 const EC_GROUP *grp; 652 const EC_GROUP *grp;
611 const EC_METHOD *meth; 653 const EC_METHOD *meth;
@@ -615,18 +657,18 @@ tls1_set_ec_id(uint16_t *curve_id, uint8_t *comp_id, EC_KEY *ec)
615 if (ec == NULL) 657 if (ec == NULL)
616 return (0); 658 return (0);
617 659
618 /* Determine whether the curve is defined over a prime field. */ 660 /* Determine whether the group is defined over a prime field. */
619 if ((grp = EC_KEY_get0_group(ec)) == NULL) 661 if ((grp = EC_KEY_get0_group(ec)) == NULL)
620 return (0); 662 return (0);
621 if ((meth = EC_GROUP_method_of(grp)) == NULL) 663 if ((meth = EC_GROUP_method_of(grp)) == NULL)
622 return (0); 664 return (0);
623 prime_field = (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field); 665 prime_field = (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field);
624 666
625 /* Determine curve ID - NID_undef results in a curve ID of zero. */ 667 /* Determine group ID. */
626 nid = EC_GROUP_get_curve_name(grp); 668 nid = EC_GROUP_get_curve_name(grp);
627 /* If we have an ID set it, otherwise set arbitrary explicit curve. */ 669 /* If we have an ID set it, otherwise set arbitrary explicit group. */
628 if ((*curve_id = tls1_ec_nid2curve_id(nid)) == 0) 670 if (!tls1_ec_nid2group_id(nid, group_id))
629 *curve_id = prime_field ? 0xff01 : 0xff02; 671 *group_id = prime_field ? 0xff01 : 0xff02;
630 672
631 if (comp_id == NULL) 673 if (comp_id == NULL)
632 return (1); 674 return (1);
@@ -646,7 +688,7 @@ tls1_set_ec_id(uint16_t *curve_id, uint8_t *comp_id, EC_KEY *ec)
646 688
647/* Check that an EC key is compatible with extensions. */ 689/* Check that an EC key is compatible with extensions. */
648static int 690static int
649tls1_check_ec_key(SSL *s, const uint16_t *curve_id, const uint8_t *comp_id) 691tls1_check_ec_key(SSL *s, const uint16_t *group_id, const uint8_t *comp_id)
650{ 692{
651 size_t groupslen, formatslen, i; 693 size_t groupslen, formatslen, i;
652 const uint16_t *groups; 694 const uint16_t *groups;
@@ -667,12 +709,12 @@ tls1_check_ec_key(SSL *s, const uint16_t *curve_id, const uint8_t *comp_id)
667 } 709 }
668 710
669 /* 711 /*
670 * Check curve list if present, otherwise everything is supported. 712 * Check group list if present, otherwise everything is supported.
671 */ 713 */
672 tls1_get_group_list(s, 1, &groups, &groupslen); 714 tls1_get_group_list(s, 1, &groups, &groupslen);
673 if (curve_id != NULL && groups != NULL) { 715 if (group_id != NULL && groups != NULL) {
674 for (i = 0; i < groupslen; i++) { 716 for (i = 0; i < groupslen; i++) {
675 if (groups[i] == *curve_id) 717 if (groups[i] == *group_id)
676 break; 718 break;
677 } 719 }
678 if (i == groupslen) 720 if (i == groupslen)
@@ -687,7 +729,7 @@ int
687tls1_check_ec_server_key(SSL *s) 729tls1_check_ec_server_key(SSL *s)
688{ 730{
689 SSL_CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC; 731 SSL_CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC;
690 uint16_t curve_id; 732 uint16_t group_id;
691 uint8_t comp_id; 733 uint8_t comp_id;
692 EC_KEY *eckey; 734 EC_KEY *eckey;
693 EVP_PKEY *pkey; 735 EVP_PKEY *pkey;
@@ -698,10 +740,10 @@ tls1_check_ec_server_key(SSL *s)
698 return (0); 740 return (0);
699 if ((eckey = EVP_PKEY_get0_EC_KEY(pkey)) == NULL) 741 if ((eckey = EVP_PKEY_get0_EC_KEY(pkey)) == NULL)
700 return (0); 742 return (0);
701 if (!tls1_set_ec_id(&curve_id, &comp_id, eckey)) 743 if (!tls1_set_ec_id(&group_id, &comp_id, eckey))
702 return (0); 744 return (0);
703 745
704 return tls1_check_ec_key(s, &curve_id, &comp_id); 746 return tls1_check_ec_key(s, &group_id, &comp_id);
705} 747}
706 748
707int 749int
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index 11eb880a6e..fb2dd69eb2 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls13_client.c,v 1.94 2022/02/03 16:33:12 jsing Exp $ */ 1/* $OpenBSD: tls13_client.c,v 1.95 2022/07/02 16:00:12 tb Exp $ */
2/* 2/*
3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -440,7 +440,7 @@ tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb)
440 * supported groups and is not the same as the key share we previously 440 * supported groups and is not the same as the key share we previously
441 * offered. 441 * offered.
442 */ 442 */
443 if (!tls1_check_curve(ctx->ssl, ctx->hs->tls13.server_group)) 443 if (!tls1_check_group(ctx->ssl, ctx->hs->tls13.server_group))
444 return 0; /* XXX alert */ 444 return 0; /* XXX alert */
445 if (ctx->hs->tls13.server_group == tls_key_share_group(ctx->hs->key_share)) 445 if (ctx->hs->tls13.server_group == tls_key_share_group(ctx->hs->key_share))
446 return 0; /* XXX alert */ 446 return 0; /* XXX alert */
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 2c1c12ff25..c5c86ab95f 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls13_server.c,v 1.98 2022/06/04 01:14:43 tb Exp $ */ 1/* $OpenBSD: tls13_server.c,v 1.99 2022/07/02 16:00:12 tb Exp $ */
2/* 2/*
3 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2020 Bob Beck <beck@openbsd.org> 4 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -432,9 +432,9 @@ tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb)
432 432
433 if (ctx->hs->key_share != NULL) 433 if (ctx->hs->key_share != NULL)
434 return 0; 434 return 0;
435 if ((nid = tls1_get_shared_curve(ctx->ssl)) == NID_undef) 435 if (!tls1_get_supported_group(ctx->ssl, &nid))
436 return 0; 436 return 0;
437 if ((ctx->hs->tls13.server_group = tls1_ec_nid2curve_id(nid)) == 0) 437 if (!tls1_ec_nid2group_id(nid, &ctx->hs->tls13.server_group))
438 return 0; 438 return 0;
439 439
440 if (!tls13_server_hello_build(ctx, cbb, 1)) 440 if (!tls13_server_hello_build(ctx, cbb, 1))
diff --git a/src/lib/libssl/tls_key_share.c b/src/lib/libssl/tls_key_share.c
index c170f08649..048db25bd5 100644
--- a/src/lib/libssl/tls_key_share.c
+++ b/src/lib/libssl/tls_key_share.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_key_share.c,v 1.6 2022/07/02 09:33:20 tb Exp $ */ 1/* $OpenBSD: tls_key_share.c,v 1.7 2022/07/02 16:00:12 tb Exp $ */
2/* 2/*
3 * Copyright (c) 2020, 2021 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2020, 2021 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -61,7 +61,7 @@ tls_key_share_new(uint16_t group_id)
61{ 61{
62 int nid; 62 int nid;
63 63
64 if ((nid = tls1_ec_curve_id2nid(group_id)) == NID_undef) 64 if (!tls1_ec_group_id2nid(group_id, &nid))
65 return NULL; 65 return NULL;
66 66
67 return tls_key_share_new_internal(nid, group_id); 67 return tls_key_share_new_internal(nid, group_id);
@@ -73,7 +73,7 @@ tls_key_share_new_nid(int nid)
73 uint16_t group_id = 0; 73 uint16_t group_id = 0;
74 74
75 if (nid != NID_dhKeyAgreement) { 75 if (nid != NID_dhKeyAgreement) {
76 if ((group_id = tls1_ec_nid2curve_id(nid)) == 0) 76 if (!tls1_ec_nid2group_id(nid, &group_id))
77 return NULL; 77 return NULL;
78 } 78 }
79 79
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-12-01 01:50:32 +0000