Ensure default supported groups works even with no-ec and no-dh
authorMatt Caswell <matt@openssl.org>
Wed, 13 Jan 2021 15:50:36 +0000 (15:50 +0000)
committerMatt Caswell <matt@openssl.org>
Fri, 5 Feb 2021 15:20:36 +0000 (15:20 +0000)
The default supported groups code was disabled in the event of a build
with no-ec and no-dh. However, now that providers can add their own
groups (which might not fit into either of these categories), this is
no longer appropriate.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13916)

ssl/ssl_lib.c
ssl/ssl_local.h
ssl/statem/extensions.c
ssl/statem/extensions_clnt.c
ssl/statem/extensions_srvr.c
ssl/t1_lib.c

index a87da32c625ff16d04cd2bb7a34cc0fe76c8f372..daba82ebfe893a26a7e1bc5154f71f105b3fc04d 100644 (file)
@@ -3396,6 +3396,7 @@ void SSL_CTX_free(SSL_CTX *a)
     OPENSSL_free(a->ext.ecpointformats);
 #endif
     OPENSSL_free(a->ext.supportedgroups);
+    OPENSSL_free(a->ext.supported_groups_default);
     OPENSSL_free(a->ext.alpn);
     OPENSSL_secure_free(a->ext.secure);
 
index fa1130e59df619c520289959f7cfa4fe9c0a2a7a..4138f4eaa32f900464c900e61a72ede5750788e1 100644 (file)
@@ -1060,6 +1060,8 @@ struct ssl_ctx_st {
         size_t supportedgroups_len;
         uint16_t *supportedgroups;
 
+        uint16_t *supported_groups_default;
+        size_t supported_groups_default_len;
         /*
          * ALPN information (we are in the process of transitioning from NPN to
          * ALPN.)
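Review bot: The two new fields in the `ext` block of ssl_ctx_st carry no comment, and nothing at the declaration says whether `supported_groups_default_len` is a count of entries or a size in bytes. Elsewhere in this commit it is assigned the number of matched groups and handed out as `*pgroupslen`, so it is an element count. A comment such as `/* Default groups, filtered by what the loaded providers offer; _len counts uint16_t entries, not bytes. Freed in SSL_CTX_free(). */` would make that explicit. The struct and the ALPN comment continue outside the hunk.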
index 1a3435a949feef00d25d09ecd52bb7b778d5539a..6bd7a693645344a9607e5238b535a7926f097670 100644 (file)
@@ -163,7 +163,6 @@ static const EXTENSION_DEFINITION ext_defs[] = {
 #else
     INVALID_EXTENSION,
 #endif
-#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
     {
         /*
          * "supported_groups" is spread across several specifications.
@@ -197,9 +196,6 @@ static const EXTENSION_DEFINITION ext_defs[] = {
         tls_construct_stoc_supported_groups,
         tls_construct_ctos_supported_groups, NULL
     },
-#else
-    INVALID_EXTENSION,
-#endif
     {
         TLSEXT_TYPE_session_ticket,
         SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
index 14dd7cfc763d43c33108fd1f5927bdd1822f5921..89e1422bbd4f21a5c2c313f1d090eada613e2d15 100644 (file)
@@ -184,7 +184,6 @@ EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt,
 }
 #endif
 
-#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
 EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
                                                unsigned int context, X509 *x,
                                                size_t chainidx)
@@ -239,7 +238,6 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
 
     return EXT_RETURN_SENT;
 }
-#endif
 
 EXT_RETURN tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt,
                                              unsigned int context, X509 *x,
index 2a6d89558b27c6632c26b0f3590884304a8a5fb9..99cd515386fdc8f1b00d27c5afde473badb6e9ff 100644 (file)
@@ -893,7 +893,6 @@ int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
     return 1;
 }
 
-#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
                                     X509 *x, size_t chainidx)
 {
@@ -921,7 +920,6 @@ int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
 
     return 1;
 }
-#endif
 
 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                        size_t chainidx)
@@ -1333,7 +1331,6 @@ EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
 }
 #endif
 
-#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
 EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
                                                unsigned int context, X509 *x,
                                                size_t chainidx)
@@ -1393,7 +1390,6 @@ EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
 
     return EXT_RETURN_SENT;
 }
-#endif
 
 EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
                                              unsigned int context, X509 *x,
index 1438244d320c6151c5db4c032852ff4200c26260..24bfa96382f867363712bd91fa90acd4ff2cc726 100644 (file)
@@ -194,16 +194,12 @@ static const unsigned char ecformats_default[] = {
 #endif /* !defined(OPENSSL_NO_EC) */
 
 /* The default curves */
-#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
 static const uint16_t supported_groups_default[] = {
-# ifndef OPENSSL_NO_EC
     29,                      /* X25519 (29) */
     23,                      /* secp256r1 (23) */
     30,                      /* X448 (30) */
     25,                      /* secp521r1 (25) */
     24,                      /* secp384r1 (24) */
-# endif
-# ifndef OPENSSL_NO_GOST
     34,                      /* GC256A (34) */
     35,                      /* GC256B (35) */
     36,                      /* GC256C (36) */
@@ -211,16 +207,12 @@ static const uint16_t supported_groups_default[] = {
     38,                      /* GC512A (38) */
     39,                      /* GC512B (39) */
     40,                      /* GC512C (40) */
-# endif
-# ifndef OPENSSL_NO_DH
     0x100,                   /* ffdhe2048 (0x100) */
     0x101,                   /* ffdhe3072 (0x101) */
     0x102,                   /* ffdhe4096 (0x102) */
     0x103,                   /* ffdhe6144 (0x103) */
     0x104,                   /* ffdhe8192 (0x104) */
-# endif
 };
-#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */
 
 #ifndef OPENSSL_NO_EC
 static const uint16_t suiteb_curves[] = {
@@ -398,7 +390,34 @@ static int discover_provider_groups(OSSL_PROVIDER *provider, void *vctx)
 
 int ssl_load_groups(SSL_CTX *ctx)
 {
-    return OSSL_PROVIDER_do_all(ctx->libctx, discover_provider_groups, ctx);
+    size_t i, j, num_deflt_grps = 0;
+    uint16_t tmp_supp_groups[sizeof(supported_groups_default)];
+
+    if (!OSSL_PROVIDER_do_all(ctx->libctx, discover_provider_groups, ctx))
+        return 0;
+
+    for (i = 0; i < sizeof(supported_groups_default); i++) {
+        for (j = 0; j < ctx->group_list_len; j++) {
+            if (ctx->group_list[j].group_id == supported_groups_default[i])
+                tmp_supp_groups[num_deflt_grps++] = ctx->group_list[j].group_id;
+        }
+    }
+
+    if (num_deflt_grps == 0)
+        return 1;
+
+    ctx->ext.supported_groups_default
+        = OPENSSL_malloc(sizeof(uint16_t) * num_deflt_grps);
+
+    if (ctx->ext.supported_groups_default == NULL) {
+        ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
+        return 0;
+    }
+
+    memcpy(ctx->ext.supported_groups_default, tmp_supp_groups, num_deflt_grps);
+    ctx->ext.supported_groups_default_len = num_deflt_grps;
+
+    return 1;
 }
 
 static uint16_t tls1_group_name2id(SSL_CTX *ctx, const char *name)
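Review bot: In ssl_load_groups the bound `i < sizeof(supported_groups_default)` counts bytes rather than elements, so with uint16_t entries the loop reads past the end of the static table. The call `memcpy(..., num_deflt_grps)` likewise copies bytes rather than entries, which leaves the tail of the newly allocated list uninitialised while tls1_get_supported_groups later returns it with the full element count. Use OSSL_NELEM for the loop bound and the temporary array size, and scale the copy by the element size. The inner loop also has no `break`, so if ctx->group_list can hold the same group_id more than once (not visible here) tmp_supp_groups could be written past its end.

```c
int ssl_load_groups(SSL_CTX *ctx)
    uint16_t tmp_supp_groups[OSSL_NELEM(supported_groups_default)];

    /* … unchanged: OSSL_PROVIDER_do_all() call and its error return … */

    for (i = 0; i < OSSL_NELEM(supported_groups_default); i++) {
        for (j = 0; j < ctx->group_list_len; j++) {
            if (ctx->group_list[j].group_id == supported_groups_default[i]) {
                tmp_supp_groups[num_deflt_grps++] = ctx->group_list[j].group_id;
                break;
            }
        }
    }

    /* … unchanged: empty-list return, OPENSSL_malloc() and its NULL check … */

    memcpy(ctx->ext.supported_groups_default, tmp_supp_groups,
           num_deflt_grps * sizeof(tmp_supp_groups[0]));
    /* … unchanged: length assignment and return … */
```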
@@ -484,7 +503,6 @@ uint16_t tls1_nid2group_id(int nid)
 void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups,
                                size_t *pgroupslen)
 {
-#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
     /* For Suite B mode only include P-256, P-384 */
     switch (tls1_suiteb(s)) {
 # ifndef OPENSSL_NO_EC
@@ -506,18 +524,14 @@ void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups,
 
     default:
         if (s->ext.supportedgroups == NULL) {
-            *pgroups = supported_groups_default;
-            *pgroupslen = OSSL_NELEM(supported_groups_default);
+            *pgroups = s->ctx->ext.supported_groups_default;
+            *pgroupslen = s->ctx->ext.supported_groups_default_len;
         } else {
             *pgroups = s->ext.supportedgroups;
             *pgroupslen = s->ext.supportedgroups_len;
         }
         break;
     }
-#else
-    *pgroups = NULL;
-    *pgroupslen = 0;
-#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */
 }
 
 int tls_valid_group(SSL *s, uint16_t group_id, int minversion, int maxversion)