From: Pascal Knecht Date: Wed, 30 Sep 2020 12:57:14 +0000 (+0200) Subject: tls-crypto: Generalizing DH group to TLS group mapping X-Git-Tag: 5.9.2rc1~23^2~47 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=066ac8809c3c38ab5b0a175183ec83497c4d2802;p=thirdparty%2Fstrongswan.git tls-crypto: Generalizing DH group to TLS group mapping This simplifies writing the key share extension as the TLS group does not have to be cached. --- diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c index 52140f672f..16aed5c8ca 100644 --- a/src/libtls/tls_crypto.c +++ b/src/libtls/tls_crypto.c @@ -2319,3 +2319,20 @@ int tls_crypto_get_supported_suites(bool null, tls_version_t version, } return count; } + +/** + * See header. + */ +tls_named_group_t tls_ec_group_to_curve(diffie_hellman_group_t group) +{ + int i; + + for (i = 0; i < countof(curves); i++) + { + if (curves[i].group == group) + { + return curves[i].curve; + } + } + return 0; +} diff --git a/src/libtls/tls_crypto.h b/src/libtls/tls_crypto.h index 354329b8ab..784f661676 100644 --- a/src/libtls/tls_crypto.h +++ b/src/libtls/tls_crypto.h @@ -669,4 +669,12 @@ tls_crypto_t *tls_crypto_create(tls_t *tls, tls_cache_t *cache); int tls_crypto_get_supported_suites(bool null, tls_version_t version, tls_cipher_suite_t **suites); +/** + * Get the TLS curve of a given EC DH group + * + * @param group diffie hellman group indicator + * @return TLS group indicator + */ +tls_named_group_t tls_ec_group_to_curve(diffie_hellman_group_t group); + #endif /** TLS_CRYPTO_H_ @}*/ diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c index 7d6c1ff7b7..4da8914f46 100644 --- a/src/libtls/tls_peer.c +++ b/src/libtls/tls_peer.c @@ -158,8 +158,7 @@ struct private_tls_peer_t { }; /* Implemented in tls_server.c */ -bool tls_write_key_share(bio_writer_t **key_share, tls_named_group_t group, - diffie_hellman_t *dh); +bool tls_write_key_share(bio_writer_t **key_share, diffie_hellman_t *dh); /** * Verify the DH group/key type requested by the server is valid. @@ -1202,7 +1201,7 @@ static status_t send_client_hello(private_tls_peer_t *this, bio_writer_t *extensions, *curves = NULL, *versions, *key_share, *signatures; tls_version_t version_max, version_min; diffie_hellman_group_t group; - tls_named_group_t curve, selected_curve = 0; + tls_named_group_t curve; enumerator_t *enumerator; int count, i, v; rng_t *rng; @@ -1296,7 +1295,6 @@ static status_t send_client_hello(private_tls_peer_t *this, { continue; } - selected_curve = curve; } curves->write_uint16(curves, curve); } @@ -1355,13 +1353,12 @@ static status_t send_client_hello(private_tls_peer_t *this, extensions->write_data16(extensions, signatures->get_buf(signatures)); signatures->destroy(signatures); - if (this->tls->get_version_max(this->tls) >= TLS_1_3 && - this->dh) + if (this->tls->get_version_max(this->tls) >= TLS_1_3) { DBG2(DBG_TLS, "sending extension: %N", tls_extension_names, TLS_EXT_KEY_SHARE); extensions->write_uint16(extensions, TLS_EXT_KEY_SHARE); - if (!tls_write_key_share(&key_share, selected_curve, this->dh)) + if (!tls_write_key_share(&key_share, this->dh)) { this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR); extensions->destroy(extensions); diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c index 48344a1770..e6ef207b27 100644 --- a/src/libtls/tls_server.c +++ b/src/libtls/tls_server.c @@ -954,20 +954,25 @@ METHOD(tls_handshake_t, process, status_t, /** * Write public key into key share extension */ -bool tls_write_key_share(bio_writer_t **key_share, tls_named_group_t group, - diffie_hellman_t *dh) +bool tls_write_key_share(bio_writer_t **key_share, diffie_hellman_t *dh) { bio_writer_t *writer; + tls_named_group_t curve; chunk_t pub; - if (!dh || !dh->get_my_public_value(dh, &pub)) + if (!dh) + { + return FALSE; + } + curve = tls_ec_group_to_curve(dh->get_dh_group(dh)); + if (!curve || !dh->get_my_public_value(dh, &pub)) { return FALSE; } *key_share = writer = bio_writer_create(pub.len + 7); - writer->write_uint16(writer, group); - if (group == TLS_CURVE25519 || - group == TLS_CURVE448) + writer->write_uint16(writer, curve); + if (curve == TLS_CURVE25519 || + curve == TLS_CURVE448) { writer->write_data16(writer, pub); } @@ -1019,7 +1024,7 @@ static status_t send_server_hello(private_tls_server_t *this, tls_extension_names, TLS_EXT_KEY_SHARE); extensions->write_uint16(extensions, TLS_EXT_KEY_SHARE); - if (!tls_write_key_share(&key_share, this->requested_curve, this->dh)) + if (!tls_write_key_share(&key_share, this->dh)) { this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR); extensions->destroy(extensions); @@ -1197,29 +1202,6 @@ static status_t send_certificate_request(private_tls_server_t *this, return NEED_MORE; } -/** - * Get the TLS curve of a given EC DH group - */ -static tls_named_group_t ec_group_to_curve(private_tls_server_t *this, - diffie_hellman_group_t group) -{ - diffie_hellman_group_t current; - tls_named_group_t curve; - enumerator_t *enumerator; - - enumerator = this->crypto->create_ec_enumerator(this->crypto); - while (enumerator->enumerate(enumerator, ¤t, &curve)) - { - if (current == group) - { - enumerator->destroy(enumerator); - return curve; - } - } - enumerator->destroy(enumerator); - return 0; -} - /** * Try to find a curve supported by both, client and server */ @@ -1256,7 +1238,7 @@ static status_t send_server_key_exchange(private_tls_server_t *this, if (diffie_hellman_group_is_ec(group)) { - curve = ec_group_to_curve(this, group); + curve = tls_ec_group_to_curve(group); if (!curve || (!peer_supports_curve(this, curve) && !find_supported_curve(this, &curve))) {