X-Git-Url: https://git.openssl.org/?a=blobdiff_plain;f=ssl%2Ft1_lib.c;h=9345838f6ab1ac0abcca52cf8c279601f1c54646;hb=b4f1b7b65871de8f44228e77fc9ab2ac8b6d7918;hp=a59d992e47b3a31b45c69a5c912baf9f78f31a42;hpb=263ff2c9d4c88f19133d21d9956d71edd7401d54;p=openssl.git diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index a59d992e47..9345838f6a 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -7,9 +7,6 @@ * https://www.openssl.org/source/license.html */ -/* We need access to the deprecated low level HMAC APIs */ -#define OPENSSL_SUPPRESS_DEPRECATED - #include #include #include @@ -21,15 +18,14 @@ #include #include #include +#include +#include #include "internal/nelem.h" -#include "internal/evp.h" +#include "internal/sizes.h" +#include "internal/tlsgroups.h" #include "ssl_local.h" #include -DEFINE_STACK_OF_CONST(SSL_CIPHER) -DEFINE_STACK_OF(X509) -DEFINE_STACK_OF(X509_NAME) - static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey); static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu); @@ -140,82 +136,68 @@ int tls1_clear(SSL *s) return 1; } -/* - * Table of group information. - */ -#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) -static const TLS_GROUP_INFO nid_list[] = { -# ifndef OPENSSL_NO_EC - {NID_sect163k1, "EC", 80, TLS_GROUP_CURVE_CHAR2, 0x0001}, /* sect163k1 (1) */ - {NID_sect163r1, "EC", 80, TLS_GROUP_CURVE_CHAR2, 0x0002}, /* sect163r1 (2) */ - {NID_sect163r2, "EC", 80, TLS_GROUP_CURVE_CHAR2, 0x0003}, /* sect163r2 (3) */ - {NID_sect193r1, "EC", 80, TLS_GROUP_CURVE_CHAR2, 0x0004}, /* sect193r1 (4) */ - {NID_sect193r2, "EC", 80, TLS_GROUP_CURVE_CHAR2, 0x0005}, /* sect193r2 (5) */ - {NID_sect233k1, "EC", 112, TLS_GROUP_CURVE_CHAR2, 0x0006}, /* sect233k1 (6) */ - {NID_sect233r1, "EC", 112, TLS_GROUP_CURVE_CHAR2, 0x0007}, /* sect233r1 (7) */ - {NID_sect239k1, "EC", 112, TLS_GROUP_CURVE_CHAR2, 0x0008}, /* sect239k1 (8) */ - {NID_sect283k1, "EC", 128, TLS_GROUP_CURVE_CHAR2, 0x0009}, /* sect283k1 (9) */ - {NID_sect283r1, "EC", 128, TLS_GROUP_CURVE_CHAR2, 0x000A}, /* sect283r1 (10) */ - {NID_sect409k1, "EC", 192, TLS_GROUP_CURVE_CHAR2, 0x000B}, /* sect409k1 (11) */ - {NID_sect409r1, "EC", 192, TLS_GROUP_CURVE_CHAR2, 0x000C}, /* sect409r1 (12) */ - {NID_sect571k1, "EC", 256, TLS_GROUP_CURVE_CHAR2, 0x000D}, /* sect571k1 (13) */ - {NID_sect571r1, "EC", 256, TLS_GROUP_CURVE_CHAR2, 0x000E}, /* sect571r1 (14) */ - {NID_secp160k1, "EC", 80, TLS_GROUP_CURVE_PRIME, 0x000F}, /* secp160k1 (15) */ - {NID_secp160r1, "EC", 80, TLS_GROUP_CURVE_PRIME, 0x0010}, /* secp160r1 (16) */ - {NID_secp160r2, "EC", 80, TLS_GROUP_CURVE_PRIME, 0x0011}, /* secp160r2 (17) */ - {NID_secp192k1, "EC", 80, TLS_GROUP_CURVE_PRIME, 0x0012}, /* secp192k1 (18) */ - {NID_X9_62_prime192v1, "EC", 80, TLS_GROUP_CURVE_PRIME, 0x0013}, /* secp192r1 (19) */ - {NID_secp224k1, "EC", 112, TLS_GROUP_CURVE_PRIME, 0x0014}, /* secp224k1 (20) */ - {NID_secp224r1, "EC", 112, TLS_GROUP_CURVE_PRIME, 0x0015}, /* secp224r1 (21) */ - {NID_secp256k1, "EC", 128, TLS_GROUP_CURVE_PRIME, 0x0016}, /* secp256k1 (22) */ - {NID_X9_62_prime256v1, "EC", 128, TLS_GROUP_CURVE_PRIME, 0x0017}, /* secp256r1 (23) */ - {NID_secp384r1, "EC", 192, TLS_GROUP_CURVE_PRIME, 0x0018}, /* secp384r1 (24) */ - {NID_secp521r1, "EC", 256, TLS_GROUP_CURVE_PRIME, 0x0019}, /* secp521r1 (25) */ - {NID_brainpoolP256r1, "EC", 128, TLS_GROUP_CURVE_PRIME, 0x001A}, /* brainpoolP256r1 (26) */ - {NID_brainpoolP384r1, "EC", 192, TLS_GROUP_CURVE_PRIME, 0x001B}, /* brainpoolP384r1 (27) */ - {NID_brainpoolP512r1, "EC", 256, TLS_GROUP_CURVE_PRIME, 0x001C}, /* brainpool512r1 (28) */ - {EVP_PKEY_X25519, "X25519", 128, TLS_GROUP_CURVE_CUSTOM, 0x001D}, /* X25519 (29) */ - {EVP_PKEY_X448, "X448", 224, TLS_GROUP_CURVE_CUSTOM, 0x001E}, /* X448 (30) */ -# endif /* OPENSSL_NO_EC */ -# ifndef OPENSSL_NO_GOST - {NID_id_tc26_gost_3410_2012_256_paramSetA, "GOST_2012_256", 128, TLS_GROUP_CURVE_PRIME, 0x0022}, /* GC256A (34) */ - {NID_id_tc26_gost_3410_2012_256_paramSetB, "GOST_2012_256", 128, TLS_GROUP_CURVE_PRIME, 0x0023}, /* GC256B (35) */ - {NID_id_tc26_gost_3410_2012_256_paramSetC, "GOST_2012_256", 128, TLS_GROUP_CURVE_PRIME, 0x0024}, /* GC256C (36) */ - {NID_id_tc26_gost_3410_2012_256_paramSetD, "GOST_2012_256", 128, TLS_GROUP_CURVE_PRIME, 0x0025}, /* GC256D (37) */ - {NID_id_tc26_gost_3410_2012_512_paramSetA, "GOST_2012_512", 256, TLS_GROUP_CURVE_PRIME, 0x0026}, /* GC512A (38) */ - {NID_id_tc26_gost_3410_2012_512_paramSetB, "GOST_2012_512", 256, TLS_GROUP_CURVE_PRIME, 0x0027}, /* GC512B (39) */ - {NID_id_tc26_gost_3410_2012_512_paramSetC, "GOST_2012_512", 256, TLS_GROUP_CURVE_PRIME, 0x0028}, /* GC512C (40) */ -# endif /* OPENSSL_NO_GOST */ -# ifndef OPENSSL_NO_DH - /* Security bit values for FFDHE groups are updated as per RFC 7919 */ - {NID_ffdhe2048, "DH", 103, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0100}, /* ffdhe2048 (0x0100) */ - {NID_ffdhe3072, "DH", 125, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0101}, /* ffdhe3072 (0x0101) */ - {NID_ffdhe4096, "DH", 150, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0102}, /* ffdhe4096 (0x0102) */ - {NID_ffdhe6144, "DH", 175, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0103}, /* ffdhe6144 (0x0103) */ - {NID_ffdhe8192, "DH", 192, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0104}, /* ffdhe8192 (0x0104) */ -# endif /* OPENSSL_NO_DH */ +/* Legacy NID to group_id mapping. Only works for groups we know about */ +static struct { + int nid; + uint16_t group_id; +} nid_to_group[] = { + {NID_sect163k1, OSSL_TLS_GROUP_ID_sect163k1}, + {NID_sect163r1, OSSL_TLS_GROUP_ID_sect163r1}, + {NID_sect163r2, OSSL_TLS_GROUP_ID_sect163r2}, + {NID_sect193r1, OSSL_TLS_GROUP_ID_sect193r1}, + {NID_sect193r2, OSSL_TLS_GROUP_ID_sect193r2}, + {NID_sect233k1, OSSL_TLS_GROUP_ID_sect233k1}, + {NID_sect233r1, OSSL_TLS_GROUP_ID_sect233r1}, + {NID_sect239k1, OSSL_TLS_GROUP_ID_sect239k1}, + {NID_sect283k1, OSSL_TLS_GROUP_ID_sect283k1}, + {NID_sect283r1, OSSL_TLS_GROUP_ID_sect283r1}, + {NID_sect409k1, OSSL_TLS_GROUP_ID_sect409k1}, + {NID_sect409r1, OSSL_TLS_GROUP_ID_sect409r1}, + {NID_sect571k1, OSSL_TLS_GROUP_ID_sect571k1}, + {NID_sect571r1, OSSL_TLS_GROUP_ID_sect571r1}, + {NID_secp160k1, OSSL_TLS_GROUP_ID_secp160k1}, + {NID_secp160r1, OSSL_TLS_GROUP_ID_secp160r1}, + {NID_secp160r2, OSSL_TLS_GROUP_ID_secp160r2}, + {NID_secp192k1, OSSL_TLS_GROUP_ID_secp192k1}, + {NID_X9_62_prime192v1, OSSL_TLS_GROUP_ID_secp192r1}, + {NID_secp224k1, OSSL_TLS_GROUP_ID_secp224k1}, + {NID_secp224r1, OSSL_TLS_GROUP_ID_secp224r1}, + {NID_secp256k1, OSSL_TLS_GROUP_ID_secp256k1}, + {NID_X9_62_prime256v1, OSSL_TLS_GROUP_ID_secp256r1}, + {NID_secp384r1, OSSL_TLS_GROUP_ID_secp384r1}, + {NID_secp521r1, OSSL_TLS_GROUP_ID_secp521r1}, + {NID_brainpoolP256r1, OSSL_TLS_GROUP_ID_brainpoolP256r1}, + {NID_brainpoolP384r1, OSSL_TLS_GROUP_ID_brainpoolP384r1}, + {NID_brainpoolP512r1, OSSL_TLS_GROUP_ID_brainpoolP512r1}, + {EVP_PKEY_X25519, OSSL_TLS_GROUP_ID_x25519}, + {EVP_PKEY_X448, OSSL_TLS_GROUP_ID_x448}, + {NID_id_tc26_gost_3410_2012_256_paramSetA, 0x0022}, + {NID_id_tc26_gost_3410_2012_256_paramSetB, 0x0023}, + {NID_id_tc26_gost_3410_2012_256_paramSetC, 0x0024}, + {NID_id_tc26_gost_3410_2012_256_paramSetD, 0x0025}, + {NID_id_tc26_gost_3410_2012_512_paramSetA, 0x0026}, + {NID_id_tc26_gost_3410_2012_512_paramSetB, 0x0027}, + {NID_id_tc26_gost_3410_2012_512_paramSetC, 0x0028}, + {NID_ffdhe2048, OSSL_TLS_GROUP_ID_ffdhe2048}, + {NID_ffdhe3072, OSSL_TLS_GROUP_ID_ffdhe3072}, + {NID_ffdhe4096, OSSL_TLS_GROUP_ID_ffdhe4096}, + {NID_ffdhe6144, OSSL_TLS_GROUP_ID_ffdhe6144}, + {NID_ffdhe8192, OSSL_TLS_GROUP_ID_ffdhe8192} }; -#endif -#ifndef OPENSSL_NO_EC static const unsigned char ecformats_default[] = { TLSEXT_ECPOINTFORMAT_uncompressed, TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime, TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 }; -#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */ /* The default curves */ -#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) static const uint16_t supported_groups_default[] = { -# ifndef OPENSSL_NO_EC 29, /* X25519 (29) */ 23, /* secp256r1 (23) */ 30, /* X448 (30) */ 25, /* secp521r1 (25) */ 24, /* secp384r1 (24) */ -# endif -# ifndef OPENSSL_NO_GOST 34, /* GC256A (34) */ 35, /* GC256B (35) */ 36, /* GC256C (36) */ @@ -223,57 +205,283 @@ static const uint16_t supported_groups_default[] = { 38, /* GC512A (38) */ 39, /* GC512B (39) */ 40, /* GC512C (40) */ -# endif -# ifndef OPENSSL_NO_DH 0x100, /* ffdhe2048 (0x100) */ 0x101, /* ffdhe3072 (0x101) */ 0x102, /* ffdhe4096 (0x102) */ 0x103, /* ffdhe6144 (0x103) */ 0x104, /* ffdhe8192 (0x104) */ -# endif }; -#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */ -#ifndef OPENSSL_NO_EC static const uint16_t suiteb_curves[] = { TLSEXT_curve_P_256, TLSEXT_curve_P_384 }; -#endif -const TLS_GROUP_INFO *tls1_group_id_lookup(uint16_t group_id) +struct provider_group_data_st { + SSL_CTX *ctx; + OSSL_PROVIDER *provider; +}; + +#define TLS_GROUP_LIST_MALLOC_BLOCK_SIZE 10 +static OSSL_CALLBACK add_provider_groups; +static int add_provider_groups(const OSSL_PARAM params[], void *data) +{ + struct provider_group_data_st *pgd = data; + SSL_CTX *ctx = pgd->ctx; + OSSL_PROVIDER *provider = pgd->provider; + const OSSL_PARAM *p; + TLS_GROUP_INFO *ginf = NULL; + EVP_KEYMGMT *keymgmt; + unsigned int gid; + unsigned int is_kem = 0; + int ret = 0; + + if (ctx->group_list_max_len == ctx->group_list_len) { + TLS_GROUP_INFO *tmp = NULL; + + if (ctx->group_list_max_len == 0) + tmp = OPENSSL_malloc(sizeof(TLS_GROUP_INFO) + * TLS_GROUP_LIST_MALLOC_BLOCK_SIZE); + else + tmp = OPENSSL_realloc(ctx->group_list, + (ctx->group_list_max_len + + TLS_GROUP_LIST_MALLOC_BLOCK_SIZE) + * sizeof(TLS_GROUP_INFO)); + if (tmp == NULL) { + ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); + return 0; + } + ctx->group_list = tmp; + memset(tmp + ctx->group_list_max_len, + 0, + sizeof(TLS_GROUP_INFO) * TLS_GROUP_LIST_MALLOC_BLOCK_SIZE); + ctx->group_list_max_len += TLS_GROUP_LIST_MALLOC_BLOCK_SIZE; + } + + ginf = &ctx->group_list[ctx->group_list_len]; + + p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_NAME); + if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) { + ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); + goto err; + } + ginf->tlsname = OPENSSL_strdup(p->data); + if (ginf->tlsname == NULL) { + ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); + goto err; + } + + p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_NAME_INTERNAL); + if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) { + ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); + goto err; + } + ginf->realname = OPENSSL_strdup(p->data); + if (ginf->realname == NULL) { + ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); + goto err; + } + + p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_ID); + if (p == NULL || !OSSL_PARAM_get_uint(p, &gid) || gid > UINT16_MAX) { + ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); + goto err; + } + ginf->group_id = (uint16_t)gid; + + p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_ALG); + if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) { + ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); + goto err; + } + ginf->algorithm = OPENSSL_strdup(p->data); + if (ginf->algorithm == NULL) { + ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); + goto err; + } + + p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_SECURITY_BITS); + if (p == NULL || !OSSL_PARAM_get_uint(p, &ginf->secbits)) { + ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); + goto err; + } + + p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_IS_KEM); + if (p != NULL && (!OSSL_PARAM_get_uint(p, &is_kem) || is_kem > 1)) { + ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); + goto err; + } + ginf->is_kem = 1 & is_kem; + + p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MIN_TLS); + if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->mintls)) { + ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); + goto err; + } + + p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MAX_TLS); + if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->maxtls)) { + ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); + goto err; + } + + p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MIN_DTLS); + if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->mindtls)) { + ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); + goto err; + } + + p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MAX_DTLS); + if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->maxdtls)) { + ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); + goto err; + } + /* + * Now check that the algorithm is actually usable for our property query + * string. Regardless of the result we still return success because we have + * successfully processed this group, even though we may decide not to use + * it. + */ + ret = 1; + keymgmt = EVP_KEYMGMT_fetch(ctx->libctx, ginf->algorithm, ctx->propq); + if (keymgmt != NULL) { + /* + * We have successfully fetched the algorithm - however if the provider + * doesn't match this one then we ignore it. + * + * Note: We're cheating a little here. Technically if the same algorithm + * is available from more than one provider then it is undefined which + * implementation you will get back. Theoretically this could be + * different every time...we assume here that you'll always get the + * same one back if you repeat the exact same fetch. Is this a reasonable + * assumption to make (in which case perhaps we should document this + * behaviour)? + */ + if (EVP_KEYMGMT_get0_provider(keymgmt) == provider) { + /* We have a match - so we will use this group */ + ctx->group_list_len++; + ginf = NULL; + } + EVP_KEYMGMT_free(keymgmt); + } + err: + if (ginf != NULL) { + OPENSSL_free(ginf->tlsname); + OPENSSL_free(ginf->realname); + OPENSSL_free(ginf->algorithm); + ginf->tlsname = ginf->realname = NULL; + } + return ret; +} + +static int discover_provider_groups(OSSL_PROVIDER *provider, void *vctx) +{ + struct provider_group_data_st pgd; + + pgd.ctx = vctx; + pgd.provider = provider; + return OSSL_PROVIDER_get_capabilities(provider, "TLS-GROUP", + add_provider_groups, &pgd); +} + +int ssl_load_groups(SSL_CTX *ctx) +{ + size_t i, j, num_deflt_grps = 0; + uint16_t tmp_supp_groups[OSSL_NELEM(supported_groups_default)]; + + if (!OSSL_PROVIDER_do_all(ctx->libctx, discover_provider_groups, ctx)) + return 0; + + for (i = 0; i < OSSL_NELEM(supported_groups_default); i++) { + for (j = 0; j < ctx->group_list_len; j++) { + if (ctx->group_list[j].group_id == supported_groups_default[i]) { + tmp_supp_groups[num_deflt_grps++] = ctx->group_list[j].group_id; + break; + } + } + } + + if (num_deflt_grps == 0) + return 1; + + ctx->ext.supported_groups_default + = OPENSSL_malloc(sizeof(uint16_t) * num_deflt_grps); + + if (ctx->ext.supported_groups_default == NULL) { + ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); + return 0; + } + + memcpy(ctx->ext.supported_groups_default, + tmp_supp_groups, + num_deflt_grps * sizeof(tmp_supp_groups[0])); + ctx->ext.supported_groups_default_len = num_deflt_grps; + + return 1; +} + +static uint16_t tls1_group_name2id(SSL_CTX *ctx, const char *name) +{ + size_t i; + + for (i = 0; i < ctx->group_list_len; i++) { + if (strcmp(ctx->group_list[i].tlsname, name) == 0 + || strcmp(ctx->group_list[i].realname, name) == 0) + return ctx->group_list[i].group_id; + } + + return 0; +} + +const TLS_GROUP_INFO *tls1_group_id_lookup(SSL_CTX *ctx, uint16_t group_id) { -#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) size_t i; - /* ECC curves from RFC 4492 and RFC 7027 FFDHE group from RFC 8446 */ - for (i = 0; i < OSSL_NELEM(nid_list); i++) { - if (nid_list[i].group_id == group_id) - return &nid_list[i]; + for (i = 0; i < ctx->group_list_len; i++) { + if (ctx->group_list[i].group_id == group_id) + return &ctx->group_list[i]; } -#endif /* !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) */ + return NULL; } -#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) -int tls1_group_id2nid(uint16_t group_id) +int tls1_group_id2nid(uint16_t group_id, int include_unknown) { - const TLS_GROUP_INFO *ginf = tls1_group_id_lookup(group_id); + size_t i; - return ginf == NULL ? NID_undef : ginf->nid; + if (group_id == 0) + return NID_undef; + + /* + * Return well known Group NIDs - for backwards compatibility. This won't + * work for groups we don't know about. + */ + for (i = 0; i < OSSL_NELEM(nid_to_group); i++) + { + if (nid_to_group[i].group_id == group_id) + return nid_to_group[i].nid; + } + if (!include_unknown) + return NID_undef; + return TLSEXT_nid_unknown | (int)group_id; } -static uint16_t tls1_nid2group_id(int nid) +uint16_t tls1_nid2group_id(int nid) { size_t i; - for (i = 0; i < OSSL_NELEM(nid_list); i++) { - if (nid_list[i].nid == nid) - return nid_list[i].group_id; + /* + * Return well known Group ids - for backwards compatibility. This won't + * work for groups we don't know about. + */ + for (i = 0; i < OSSL_NELEM(nid_to_group); i++) + { + if (nid_to_group[i].nid == nid) + return nid_to_group[i].group_id; } + return 0; } -#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */ /* * Set *pgroups to the supported groups list and *pgroupslen to @@ -282,10 +490,8 @@ static uint16_t tls1_nid2group_id(int nid) void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups, size_t *pgroupslen) { -#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) /* For Suite B mode only include P-256, P-384 */ switch (tls1_suiteb(s)) { -# ifndef OPENSSL_NO_EC case SSL_CERT_FLAG_SUITEB_128_LOS: *pgroups = suiteb_curves; *pgroupslen = OSSL_NELEM(suiteb_curves); @@ -300,54 +506,74 @@ void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups, *pgroups = suiteb_curves + 1; *pgroupslen = 1; break; -# endif default: if (s->ext.supportedgroups == NULL) { - *pgroups = supported_groups_default; - *pgroupslen = OSSL_NELEM(supported_groups_default); + *pgroups = s->ctx->ext.supported_groups_default; + *pgroupslen = s->ctx->ext.supported_groups_default_len; } else { *pgroups = s->ext.supportedgroups; *pgroupslen = s->ext.supportedgroups_len; } break; } -#else - *pgroups = NULL; - *pgroupslen = 0; -#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */ } -int tls_valid_group(SSL *s, uint16_t group_id, int version) +int tls_valid_group(SSL *s, uint16_t group_id, int minversion, int maxversion, + int isec, int *okfortls13) { - const TLS_GROUP_INFO *ginfo = tls1_group_id_lookup(group_id); + const TLS_GROUP_INFO *ginfo = tls1_group_id_lookup(s->ctx, group_id); + int ret; + + if (okfortls13 != NULL) + *okfortls13 = 0; - if (version < TLS1_3_VERSION) { - if ((ginfo->flags & TLS_GROUP_ONLY_FOR_TLS1_3) != 0) + if (ginfo == NULL) + return 0; + + if (SSL_IS_DTLS(s)) { + if (ginfo->mindtls < 0 || ginfo->maxdtls < 0) return 0; - } - return 1; + if (ginfo->maxdtls == 0) + ret = 1; + else + ret = DTLS_VERSION_LE(minversion, ginfo->maxdtls); + if (ginfo->mindtls > 0) + ret &= DTLS_VERSION_GE(maxversion, ginfo->mindtls); + } else { + if (ginfo->mintls < 0 || ginfo->maxtls < 0) + return 0; + if (ginfo->maxtls == 0) + ret = 1; + else + ret = (minversion <= ginfo->maxtls); + if (ginfo->mintls > 0) + ret &= (maxversion >= ginfo->mintls); + if (ret && okfortls13 != NULL && maxversion == TLS1_3_VERSION) + *okfortls13 = (ginfo->maxtls == 0) + || (ginfo->maxtls >= TLS1_3_VERSION); + } + ret &= !isec + || strcmp(ginfo->algorithm, "EC") == 0 + || strcmp(ginfo->algorithm, "X25519") == 0 + || strcmp(ginfo->algorithm, "X448") == 0; + + return ret; } /* See if group is allowed by security callback */ int tls_group_allowed(SSL *s, uint16_t group, int op) { - const TLS_GROUP_INFO *ginfo = tls1_group_id_lookup(group); + const TLS_GROUP_INFO *ginfo = tls1_group_id_lookup(s->ctx, group); unsigned char gtmp[2]; if (ginfo == NULL) return 0; -#ifdef OPENSSL_NO_EC2M - if (ginfo->flags & TLS_GROUP_CURVE_CHAR2) - return 0; -#endif -#ifdef OPENSSL_NO_DH - if (ginfo->flags & TLS_GROUP_FFDHE) - return 0; -#endif + gtmp[0] = group >> 8; gtmp[1] = group & 0xff; - return ssl_security(s, op, ginfo->secbits, ginfo->nid, (void *)gtmp); + return ssl_security(s, op, ginfo->secbits, + tls1_group_id2nid(ginfo->group_id, 0), (void *)gtmp); } /* Return 1 if "id" is in "list" */ @@ -425,7 +651,6 @@ uint16_t tls1_shared_group(SSL *s, int nmatch) int tls1_set_groups(uint16_t **pext, size_t *pextlen, int *groups, size_t ngroups) { -#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) uint16_t *glist; size_t i; /* @@ -437,11 +662,11 @@ int tls1_set_groups(uint16_t **pext, size_t *pextlen, unsigned long dup_list_dhgrp = 0; if (ngroups == 0) { - SSLerr(SSL_F_TLS1_SET_GROUPS, SSL_R_BAD_LENGTH); + ERR_raise(ERR_LIB_SSL, SSL_R_BAD_LENGTH); return 0; } if ((glist = OPENSSL_malloc(ngroups * sizeof(*glist))) == NULL) { - SSLerr(SSL_F_TLS1_SET_GROUPS, ERR_R_MALLOC_FAILURE); + ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); return 0; } for (i = 0; i < ngroups; i++) { @@ -464,64 +689,83 @@ int tls1_set_groups(uint16_t **pext, size_t *pextlen, err: OPENSSL_free(glist); return 0; -#else - return 0; -#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */ } -#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) -# define MAX_GROUPLIST OSSL_NELEM(nid_list) - +# define GROUPLIST_INCREMENT 40 +# define GROUP_NAME_BUFFER_LENGTH 64 typedef struct { - size_t nidcnt; - int nid_arr[MAX_GROUPLIST]; -} nid_cb_st; + SSL_CTX *ctx; + size_t gidcnt; + size_t gidmax; + uint16_t *gid_arr; +} gid_cb_st; -static int nid_cb(const char *elem, int len, void *arg) +static int gid_cb(const char *elem, int len, void *arg) { - nid_cb_st *narg = arg; + gid_cb_st *garg = arg; size_t i; - int nid = NID_undef; - char etmp[20]; + uint16_t gid = 0; + char etmp[GROUP_NAME_BUFFER_LENGTH]; + if (elem == NULL) return 0; - if (narg->nidcnt == MAX_GROUPLIST) - return 0; + if (garg->gidcnt == garg->gidmax) { + uint16_t *tmp = + OPENSSL_realloc(garg->gid_arr, garg->gidmax + GROUPLIST_INCREMENT); + if (tmp == NULL) + return 0; + garg->gidmax += GROUPLIST_INCREMENT; + garg->gid_arr = tmp; + } if (len > (int)(sizeof(etmp) - 1)) return 0; memcpy(etmp, elem, len); etmp[len] = 0; -# ifndef OPENSSL_NO_EC - nid = EC_curve_nist2nid(etmp); -# endif - if (nid == NID_undef) - nid = OBJ_sn2nid(etmp); - if (nid == NID_undef) - nid = OBJ_ln2nid(etmp); - if (nid == NID_undef) + + gid = tls1_group_name2id(garg->ctx, etmp); + if (gid == 0) return 0; - for (i = 0; i < narg->nidcnt; i++) - if (narg->nid_arr[i] == nid) + for (i = 0; i < garg->gidcnt; i++) + if (garg->gid_arr[i] == gid) return 0; - narg->nid_arr[narg->nidcnt++] = nid; + garg->gid_arr[garg->gidcnt++] = gid; return 1; } -#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */ -/* Set groups based on a colon separate list */ -int tls1_set_groups_list(uint16_t **pext, size_t *pextlen, const char *str) +/* Set groups based on a colon separated list */ +int tls1_set_groups_list(SSL_CTX *ctx, uint16_t **pext, size_t *pextlen, + const char *str) { -#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) - nid_cb_st ncb; - ncb.nidcnt = 0; - if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb)) + gid_cb_st gcb; + uint16_t *tmparr; + int ret = 0; + + gcb.gidcnt = 0; + gcb.gidmax = GROUPLIST_INCREMENT; + gcb.gid_arr = OPENSSL_malloc(gcb.gidmax * sizeof(*gcb.gid_arr)); + if (gcb.gid_arr == NULL) return 0; - if (pext == NULL) - return 1; - return tls1_set_groups(pext, pextlen, ncb.nid_arr, ncb.nidcnt); -#else - return 0; -#endif + gcb.ctx = ctx; + if (!CONF_parse_list(str, ':', 1, gid_cb, &gcb)) + goto end; + if (pext == NULL) { + ret = 1; + goto end; + } + + /* + * gid_cb ensurse there are no duplicates so we can just go ahead and set + * the result + */ + tmparr = OPENSSL_memdup(gcb.gid_arr, gcb.gidcnt * sizeof(*tmparr)); + if (tmparr == NULL) + goto end; + *pext = tmparr; + *pextlen = gcb.gidcnt; + ret = 1; + end: + OPENSSL_free(gcb.gid_arr); + return ret; } /* Check a group id matches preferences */ @@ -577,7 +821,6 @@ int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_groups) return tls1_in_list(group_id, groups, groups_len); } -#ifndef OPENSSL_NO_EC void tls1_get_formatlist(SSL *s, const unsigned char **pformats, size_t *num_formats) { @@ -600,28 +843,29 @@ void tls1_get_formatlist(SSL *s, const unsigned char **pformats, /* Check a key is compatible with compression extension */ static int tls1_check_pkey_comp(SSL *s, EVP_PKEY *pkey) { - const EC_KEY *ec; - const EC_GROUP *grp; unsigned char comp_id; size_t i; + int point_conv; /* If not an EC key nothing to check */ if (!EVP_PKEY_is_a(pkey, "EC")) return 1; - ec = EVP_PKEY_get0_EC_KEY(pkey); - grp = EC_KEY_get0_group(ec); + /* Get required compression id */ - if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_UNCOMPRESSED) { + point_conv = EVP_PKEY_get_ec_point_conv_form(pkey); + if (point_conv == 0) + return 0; + if (point_conv == POINT_CONVERSION_UNCOMPRESSED) { comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; } else if (SSL_IS_TLS13(s)) { - /* - * ec_point_formats extension is not used in TLSv1.3 so we ignore - * this check. - */ - return 1; + /* + * ec_point_formats extension is not used in TLSv1.3 so we ignore + * this check. + */ + return 1; } else { - int field_type = EC_GROUP_get_field_type(grp); + int field_type = EVP_PKEY_get_field_type(pkey); if (field_type == NID_X9_62_prime_field) comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; @@ -647,7 +891,7 @@ static int tls1_check_pkey_comp(SSL *s, EVP_PKEY *pkey) /* Return group id of a key */ static uint16_t tls1_get_group_id(EVP_PKEY *pkey) { - int curve_nid = evp_pkey_get_EC_KEY_curve_nid(pkey); + int curve_nid = ssl_get_EC_curve_nid(pkey); if (curve_nid == NID_undef) return 0; @@ -729,24 +973,13 @@ int tls1_check_ec_tmp_key(SSL *s, unsigned long cid) return 0; } -#else - -static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md) -{ - return 1; -} - -#endif /* OPENSSL_NO_EC */ - /* Default sigalg schemes */ static const uint16_t tls12_sigalgs[] = { -#ifndef OPENSSL_NO_EC TLSEXT_SIGALG_ecdsa_secp256r1_sha256, TLSEXT_SIGALG_ecdsa_secp384r1_sha384, TLSEXT_SIGALG_ecdsa_secp521r1_sha512, TLSEXT_SIGALG_ed25519, TLSEXT_SIGALG_ed448, -#endif TLSEXT_SIGALG_rsa_pss_pss_sha256, TLSEXT_SIGALG_rsa_pss_pss_sha384, @@ -759,20 +992,19 @@ static const uint16_t tls12_sigalgs[] = { TLSEXT_SIGALG_rsa_pkcs1_sha384, TLSEXT_SIGALG_rsa_pkcs1_sha512, -#ifndef OPENSSL_NO_EC TLSEXT_SIGALG_ecdsa_sha224, TLSEXT_SIGALG_ecdsa_sha1, -#endif + TLSEXT_SIGALG_rsa_pkcs1_sha224, TLSEXT_SIGALG_rsa_pkcs1_sha1, -#ifndef OPENSSL_NO_DSA + TLSEXT_SIGALG_dsa_sha224, TLSEXT_SIGALG_dsa_sha1, TLSEXT_SIGALG_dsa_sha256, TLSEXT_SIGALG_dsa_sha384, TLSEXT_SIGALG_dsa_sha512, -#endif + #ifndef OPENSSL_NO_GOST TLSEXT_SIGALG_gostr34102012_256_intrinsic, TLSEXT_SIGALG_gostr34102012_512_intrinsic, @@ -782,15 +1014,13 @@ static const uint16_t tls12_sigalgs[] = { #endif }; -#ifndef OPENSSL_NO_EC + static const uint16_t suiteb_sigalgs[] = { TLSEXT_SIGALG_ecdsa_secp256r1_sha256, TLSEXT_SIGALG_ecdsa_secp384r1_sha384 }; -#endif static const SIGALG_LOOKUP sigalg_lookup_tbl[] = { -#ifndef OPENSSL_NO_EC {"ecdsa_secp256r1_sha256", TLSEXT_SIGALG_ecdsa_secp256r1_sha256, NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, NID_ecdsa_with_SHA256, NID_X9_62_prime256v1, 1}, @@ -812,7 +1042,6 @@ static const SIGALG_LOOKUP sigalg_lookup_tbl[] = { {NULL, TLSEXT_SIGALG_ecdsa_sha1, NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, NID_ecdsa_with_SHA1, NID_undef, 1}, -#endif {"rsa_pss_rsae_sha256", TLSEXT_SIGALG_rsa_pss_rsae_sha256, NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA, NID_undef, NID_undef, 1}, @@ -846,7 +1075,6 @@ static const SIGALG_LOOKUP sigalg_lookup_tbl[] = { {"rsa_pkcs1_sha1", TLSEXT_SIGALG_rsa_pkcs1_sha1, NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, NID_sha1WithRSAEncryption, NID_undef, 1}, -#ifndef OPENSSL_NO_DSA {NULL, TLSEXT_SIGALG_dsa_sha256, NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, NID_dsa_with_SHA256, NID_undef, 1}, @@ -862,7 +1090,6 @@ static const SIGALG_LOOKUP sigalg_lookup_tbl[] = { {NULL, TLSEXT_SIGALG_dsa_sha1, NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, NID_dsaWithSHA1, NID_undef, 1}, -#endif #ifndef OPENSSL_NO_GOST {NULL, TLSEXT_SIGALG_gostr34102012_256_intrinsic, NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX, @@ -931,7 +1158,7 @@ int ssl_setup_sig_algs(SSL_CTX *ctx) /* * Check hash is available. - * TODO(3.0): This test is not perfect. A provider could have support + * This test is not perfect. A provider could have support * for a signature scheme, but not a particular hash. However the hash * could be available from some other loaded provider. In that case it * could be that the signature is available, and the hash is available @@ -974,8 +1201,11 @@ static const SIGALG_LOOKUP *tls1_lookup_sigalg(const SSL *s, uint16_t sigalg) /* cache should have the same number of elements as sigalg_lookup_tbl */ i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) { - if (lu->sigalg == sigalg) + if (lu->sigalg == sigalg) { + if (!lu->enabled) + return NULL; return lu; + } } return NULL; } @@ -1005,7 +1235,7 @@ int tls1_lookup_md(SSL_CTX *ctx, const SIGALG_LOOKUP *lu, const EVP_MD **pmd) * SHA512 has a hash length of 64 bytes, which is incompatible * with a 128 byte (1024 bit) key. */ -#define RSA_PSS_MINIMUM_KEY_SIZE(md) (2 * EVP_MD_size(md) + 2) +#define RSA_PSS_MINIMUM_KEY_SIZE(md) (2 * EVP_MD_get_size(md) + 2) static int rsa_pss_check_min_key_size(SSL_CTX *ctx, const EVP_PKEY *pkey, const SIGALG_LOOKUP *lu) { @@ -1015,7 +1245,7 @@ static int rsa_pss_check_min_key_size(SSL_CTX *ctx, const EVP_PKEY *pkey, return 0; if (!tls1_lookup_md(ctx, lu, &md) || md == NULL) return 0; - if (EVP_PKEY_size(pkey) < RSA_PSS_MINIMUM_KEY_SIZE(md)) + if (EVP_PKEY_get_size(pkey) < RSA_PSS_MINIMUM_KEY_SIZE(md)) return 0; return 1; } @@ -1081,6 +1311,8 @@ static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx) if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) { const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, tls_default_sigalg[idx]); + if (lu == NULL) + return NULL; if (!tls1_lookup_md(s->ctx, lu, NULL)) return NULL; if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu)) @@ -1112,7 +1344,6 @@ size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs) * If Suite B mode use Suite B sigalgs only, ignore any other * preferences. */ -#ifndef OPENSSL_NO_EC switch (tls1_suiteb(s)) { case SSL_CERT_FLAG_SUITEB_128_LOS: *psigs = suiteb_sigalgs; @@ -1126,7 +1357,6 @@ size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs) *psigs = suiteb_sigalgs + 1; return 1; } -#endif /* * We use client_sigalgs (if not NULL) if we're a server * and sending a certificate request or if we're a client and @@ -1144,7 +1374,6 @@ size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs) } } -#ifndef OPENSSL_NO_EC /* * Called by servers only. Checks that we have a sig alg that supports the * specified EC curve. @@ -1175,7 +1404,6 @@ int tls_check_sigalg_curve(const SSL *s, int curve) return 0; } -#endif /* * Return the number of security bits for the signature algorithm, or 0 on @@ -1190,8 +1418,26 @@ static int sigalg_security_bits(SSL_CTX *ctx, const SIGALG_LOOKUP *lu) return 0; if (md != NULL) { + int md_type = EVP_MD_get_type(md); + /* Security bits: half digest bits */ - secbits = EVP_MD_size(md) * 4; + secbits = EVP_MD_get_size(md) * 4; + /* + * SHA1 and MD5 are known to be broken. Reduce security bits so that + * they're no longer accepted at security level 1. The real values don't + * really matter as long as they're lower than 80, which is our + * security level 1. + * https://eprint.iacr.org/2020/014 puts a chosen-prefix attack for + * SHA1 at 2^63.4 and MD5+SHA1 at 2^67.2 + * https://documents.epfl.ch/users/l/le/lenstra/public/papers/lat.pdf + * puts a chosen-prefix attack for MD5 at 2^39. + */ + if (md_type == NID_sha1) + secbits = 64; + else if (md_type == NID_md5_sha1) + secbits = 67; + else if (md_type == NID_md5) + secbits = 39; } else { /* Values from https://tools.ietf.org/html/rfc8032#section-8.5 */ if (lu->sigalg == TLSEXT_SIGALG_ed25519) @@ -1217,26 +1463,14 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey) const SIGALG_LOOKUP *lu; int secbits = 0; - /* - * TODO(3.0) Remove this when we adapted this function for provider - * side keys. We know that EVP_PKEY_get0() downgrades an EVP_PKEY - * to contain a legacy key. - * - * THIS IS TEMPORARY - */ - EVP_PKEY_get0(pkey); - if (EVP_PKEY_id(pkey) == EVP_PKEY_NONE) - return 0; - - pkeyid = EVP_PKEY_id(pkey); + pkeyid = EVP_PKEY_get_id(pkey); /* Should never happen */ if (pkeyid == -1) return -1; if (SSL_IS_TLS13(s)) { /* Disallow DSA for TLS 1.3 */ if (pkeyid == EVP_PKEY_DSA) { - SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG, - SSL_R_WRONG_SIGNATURE_TYPE); + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE); return 0; } /* Only allow PSS for TLS 1.3 */ @@ -1252,44 +1486,38 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey) || (SSL_IS_TLS13(s) && (lu->hash == NID_sha1 || lu->hash == NID_sha224)) || (pkeyid != lu->sig && (lu->sig != EVP_PKEY_RSA_PSS || pkeyid != EVP_PKEY_RSA))) { - SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG, - SSL_R_WRONG_SIGNATURE_TYPE); + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE); return 0; } /* Check the sigalg is consistent with the key OID */ - if (!ssl_cert_lookup_by_nid(EVP_PKEY_id(pkey), &cidx) + if (!ssl_cert_lookup_by_nid(EVP_PKEY_get_id(pkey), &cidx) || lu->sig_idx != (int)cidx) { - SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG, - SSL_R_WRONG_SIGNATURE_TYPE); + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE); return 0; } -#ifndef OPENSSL_NO_EC if (pkeyid == EVP_PKEY_EC) { /* Check point compression is permitted */ if (!tls1_check_pkey_comp(s, pkey)) { SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, - SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_ILLEGAL_POINT_COMPRESSION); return 0; } /* For TLS 1.3 or Suite B check curve matches signature algorithm */ if (SSL_IS_TLS13(s) || tls1_suiteb(s)) { - int curve = evp_pkey_get_EC_KEY_curve_nid(pkey); + int curve = ssl_get_EC_curve_nid(pkey); if (lu->curve != NID_undef && curve != lu->curve) { - SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, - SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE); + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CURVE); return 0; } } if (!SSL_IS_TLS13(s)) { /* Check curve matches extensions */ if (!tls1_check_group_id(s, tls1_get_group_id(pkey), 1)) { - SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, - SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE); + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CURVE); return 0; } if (tls1_suiteb(s)) { @@ -1297,18 +1525,15 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey) if (sig != TLSEXT_SIGALG_ecdsa_secp256r1_sha256 && sig != TLSEXT_SIGALG_ecdsa_secp384r1_sha384) { SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, - SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE); return 0; } } } } else if (tls1_suiteb(s)) { - SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG, - SSL_R_WRONG_SIGNATURE_TYPE); + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); return 0; } -#endif /* Check signature matches a type we sent */ sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs); @@ -1319,13 +1544,11 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey) /* Allow fallback to SHA1 if not strict mode */ if (i == sent_sigslen && (lu->hash != NID_sha1 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) { - SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG, - SSL_R_WRONG_SIGNATURE_TYPE); + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); return 0; } if (!tls1_lookup_md(s->ctx, lu, &md)) { - SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG, - SSL_R_UNKNOWN_DIGEST); + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST); return 0; } /* @@ -1337,10 +1560,9 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey) secbits = sigalg_security_bits(s->ctx, lu); if (secbits == 0 || !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits, - md != NULL ? EVP_MD_type(md) : NID_undef, + md != NULL ? EVP_MD_get_type(md) : NID_undef, (void *)sigalgstr)) { - SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG, - SSL_R_WRONG_SIGNATURE_TYPE); + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); return 0; } /* Store the sigalg the peer uses */ @@ -1480,15 +1702,14 @@ int tls1_set_server_sigalgs(SSL *s) } if (!tls1_process_sigalgs(s)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, - SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return 0; } if (s->shared_sigalgs != NULL) return 1; /* Fatal error if no shared signature algorithms */ - SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS1_SET_SERVER_SIGALGS, + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS); return 0; } @@ -1672,7 +1893,7 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL *s, const unsigned char *etick, /* Sanity check ticket length: must exceed keyname + IV + HMAC */ if (eticklen <= - TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx) + mlen) { + TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_get_iv_length(ctx) + mlen) { ret = SSL_TICKET_NO_DECRYPT; goto end; } @@ -1690,8 +1911,8 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL *s, const unsigned char *etick, } /* Attempt to decrypt session data */ /* Move p after IV to start of encrypted ticket, update length */ - p = etick + TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx); - eticklen -= TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx); + p = etick + TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_get_iv_length(ctx); + eticklen -= TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_get_iv_length(ctx); sdec = OPENSSL_malloc(eticklen); if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p, (int)eticklen) <= 0) { @@ -1822,7 +2043,10 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu) /* DSA is not allowed in TLS 1.3 */ if (SSL_IS_TLS13(s) && lu->sig == EVP_PKEY_DSA) return 0; - /* TODO(OpenSSL1.2) fully axe DSA/etc. in ClientHello per TLS 1.3 spec */ + /* + * At some point we should fully axe DSA/etc. in ClientHello as per TLS 1.3 + * spec + */ if (!s->server && !SSL_IS_DTLS(s) && s->s3.tmp.min_ver >= TLS1_3_VERSION && (lu->sig == EVP_PKEY_DSA || lu->hash_idx == SSL_MD_SHA1_IDX || lu->hash_idx == SSL_MD_MD5_IDX @@ -1830,7 +2054,7 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu) return 0; /* See if public key algorithm allowed */ - if (ssl_cert_is_disabled(lu->sig_idx)) + if (ssl_cert_is_disabled(s->ctx, lu->sig_idx)) return 0; if (lu->sig == NID_id_GostR3410_2012_256 @@ -1923,7 +2147,8 @@ int tls12_copy_sigalgs(SSL *s, WPACKET *pkt, for (i = 0; i < psiglen; i++, psig++) { const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, *psig); - if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu)) + if (lu == NULL + || !tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu)) continue; if (!WPACKET_put_bytes_u16(pkt, *psig)) return 0; @@ -1938,7 +2163,7 @@ int tls12_copy_sigalgs(SSL *s, WPACKET *pkt, rv = 1; } if (rv == 0) - SSLerr(SSL_F_TLS12_COPY_SIGALGS, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); + ERR_raise(ERR_LIB_SSL, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); return rv; } @@ -1953,7 +2178,8 @@ static size_t tls12_shared_sigalgs(SSL *s, const SIGALG_LOOKUP **shsig, const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(s, *ptmp); /* Skip disabled hashes or signature algorithms */ - if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, lu)) + if (lu == NULL + || !tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, lu)) continue; for (j = 0, atmp = allow; j < allowlen; j++, atmp++) { if (*ptmp == *atmp) { @@ -2003,7 +2229,7 @@ static int tls1_set_shared_sigalgs(SSL *s) nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen); if (nmatch) { if ((salgs = OPENSSL_malloc(nmatch * sizeof(*salgs))) == NULL) { - SSLerr(SSL_F_TLS1_SET_SHARED_SIGALGS, ERR_R_MALLOC_FAILURE); + ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); return 0; } nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen); @@ -2030,7 +2256,7 @@ int tls1_save_u16(PACKET *pkt, uint16_t **pdest, size_t *pdestlen) size >>= 1; if ((buf = OPENSSL_malloc(size * sizeof(*buf))) == NULL) { - SSLerr(SSL_F_TLS1_SAVE_U16, ERR_R_MALLOC_FAILURE); + ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); return 0; } for (i = 0; i < size && PACKET_get_net_2(pkt, &stmp); i++) @@ -2087,7 +2313,7 @@ int tls1_process_sigalgs(SSL *s) if (SSL_IS_TLS13(s) && sigptr->sig == EVP_PKEY_RSA) continue; /* If not disabled indicate we can explicitly sign */ - if (pvalid[idx] == 0 && !ssl_cert_is_disabled(idx)) + if (pvalid[idx] == 0 && !ssl_cert_is_disabled(s->ctx, idx)) pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN; } return 1; @@ -2260,7 +2486,7 @@ int tls1_set_raw_sigalgs(CERT *c, const uint16_t *psigs, size_t salglen, uint16_t *sigalgs; if ((sigalgs = OPENSSL_malloc(salglen * sizeof(*sigalgs))) == NULL) { - SSLerr(SSL_F_TLS1_SET_RAW_SIGALGS, ERR_R_MALLOC_FAILURE); + ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); return 0; } memcpy(sigalgs, psigs, salglen * sizeof(*sigalgs)); @@ -2286,7 +2512,7 @@ int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client) if (salglen & 1) return 0; if ((sigalgs = OPENSSL_malloc((salglen / 2) * sizeof(*sigalgs))) == NULL) { - SSLerr(SSL_F_TLS1_SET_SIGALGS, ERR_R_MALLOC_FAILURE); + ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); return 0; } for (i = 0, sptr = sigalgs; i < salglen; i += 2) { @@ -2654,51 +2880,69 @@ int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain) return tls1_check_chain(s, x, pk, chain, -1); } -#ifndef OPENSSL_NO_DH -DH *ssl_get_auto_dh(SSL *s) +EVP_PKEY *ssl_get_auto_dh(SSL *s) { - int dh_secbits = 80; - if (s->cert->dh_tmp_auto == 2) - return DH_get_1024_160(); - if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) { - if (s->s3.tmp.new_cipher->strength_bits == 256) - dh_secbits = 128; - else - dh_secbits = 80; - } else { - if (s->s3.tmp.cert == NULL) - return NULL; - dh_secbits = EVP_PKEY_security_bits(s->s3.tmp.cert->privatekey); - } + EVP_PKEY *dhp = NULL; + BIGNUM *p; + int dh_secbits = 80, sec_level_bits; + EVP_PKEY_CTX *pctx = NULL; + OSSL_PARAM_BLD *tmpl = NULL; + OSSL_PARAM *params = NULL; - if (dh_secbits >= 128) { - DH *dhp = DH_new(); - BIGNUM *p, *g; - if (dhp == NULL) - return NULL; - g = BN_new(); - if (g == NULL || !BN_set_word(g, 2)) { - DH_free(dhp); - BN_free(g); - return NULL; - } - if (dh_secbits >= 192) - p = BN_get_rfc3526_prime_8192(NULL); - else - p = BN_get_rfc3526_prime_3072(NULL); - if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) { - DH_free(dhp); - BN_free(p); - BN_free(g); - return NULL; + if (s->cert->dh_tmp_auto != 2) { + if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) { + if (s->s3.tmp.new_cipher->strength_bits == 256) + dh_secbits = 128; + else + dh_secbits = 80; + } else { + if (s->s3.tmp.cert == NULL) + return NULL; + dh_secbits = EVP_PKEY_get_security_bits(s->s3.tmp.cert->privatekey); } - return dhp; } - if (dh_secbits >= 112) - return DH_get_2048_224(); - return DH_get_1024_160(); + + /* Do not pick a prime that is too weak for the current security level */ + sec_level_bits = ssl_get_security_level_bits(s, NULL, NULL); + if (dh_secbits < sec_level_bits) + dh_secbits = sec_level_bits; + + if (dh_secbits >= 192) + p = BN_get_rfc3526_prime_8192(NULL); + else if (dh_secbits >= 152) + p = BN_get_rfc3526_prime_4096(NULL); + else if (dh_secbits >= 128) + p = BN_get_rfc3526_prime_3072(NULL); + else if (dh_secbits >= 112) + p = BN_get_rfc3526_prime_2048(NULL); + else + p = BN_get_rfc2409_prime_1024(NULL); + if (p == NULL) + goto err; + + pctx = EVP_PKEY_CTX_new_from_name(s->ctx->libctx, "DH", s->ctx->propq); + if (pctx == NULL + || EVP_PKEY_fromdata_init(pctx) != 1) + goto err; + + tmpl = OSSL_PARAM_BLD_new(); + if (tmpl == NULL + || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_P, p) + || !OSSL_PARAM_BLD_push_uint(tmpl, OSSL_PKEY_PARAM_FFC_G, 2)) + goto err; + + params = OSSL_PARAM_BLD_to_param(tmpl); + if (params == NULL + || EVP_PKEY_fromdata(pctx, &dhp, EVP_PKEY_KEY_PARAMETERS, params) != 1) + goto err; + +err: + OSSL_PARAM_free(params); + OSSL_PARAM_BLD_free(tmpl); + EVP_PKEY_CTX_free(pctx); + BN_free(p); + return dhp; } -#endif static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op) { @@ -2711,7 +2955,7 @@ static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op) * reject keys which omit parameters but this only affects DSA and * omission of parameters is never (?) done in practice. */ - secbits = EVP_PKEY_security_bits(pkey); + secbits = EVP_PKEY_get_security_bits(pkey); } if (s) return ssl_security(s, op, secbits, 0, x); @@ -2813,15 +3057,18 @@ static int check_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x, const SIGALG_LOOKUP *lu; int mdnid, pknid, supported; size_t i; + const char *mdname = NULL; /* - * If the given EVP_PKEY cannot supporting signing with this sigalg, + * If the given EVP_PKEY cannot support signing with this digest, * the answer is simply 'no'. */ - ERR_set_mark(); - supported = EVP_PKEY_supports_digest_nid(pkey, sig->hash); - ERR_pop_to_mark(); - if (supported == 0) + if (sig->hash != NID_undef) + mdname = OBJ_nid2sn(sig->hash); + supported = EVP_PKEY_digestsign_supports_digest(pkey, s->ctx->libctx, + mdname, + s->ctx->propq); + if (supported <= 0) return 0; /* @@ -2837,7 +3084,7 @@ static int check_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x, continue; /* - * TODO this does not differentiate between the + * This does not differentiate between the * rsa_pss_pss_* and rsa_pss_rsae_* schemes since we do not * have a chain here that lets us look at the key OID in the * signing certificate. @@ -2902,9 +3149,7 @@ static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey) { const SIGALG_LOOKUP *lu = NULL; size_t i; -#ifndef OPENSSL_NO_EC int curve = -1; -#endif EVP_PKEY *tmppkey; /* Look for a shared sigalgs matching possible certificates */ @@ -2928,14 +3173,10 @@ static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey) : s->cert->pkeys[lu->sig_idx].privatekey; if (lu->sig == EVP_PKEY_EC) { -#ifndef OPENSSL_NO_EC if (curve == -1) - curve = evp_pkey_get_EC_KEY_curve_nid(tmppkey); + curve = ssl_get_EC_curve_nid(tmppkey); if (lu->curve != NID_undef && curve != lu->curve) continue; -#else - continue; -#endif } else if (lu->sig == EVP_PKEY_RSA_PSS) { /* validate that key is large enough for the signature algorithm */ if (!rsa_pss_check_min_key_size(s->ctx, tmppkey, lu)) @@ -2974,7 +3215,7 @@ int tls_choose_sigalg(SSL *s, int fatalerrs) if (lu == NULL) { if (!fatalerrs) return 1; - SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_CHOOSE_SIGALG, + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); return 0; } @@ -2988,15 +3229,12 @@ int tls_choose_sigalg(SSL *s, int fatalerrs) if (SSL_USE_SIGALGS(s)) { size_t i; if (s->s3.tmp.peer_sigalgs != NULL) { -#ifndef OPENSSL_NO_EC int curve = -1; /* For Suite B need to match signature algorithm to curve */ if (tls1_suiteb(s)) - curve = - evp_pkey_get_EC_KEY_curve_nid(s->cert->pkeys[SSL_PKEY_ECC] - .privatekey); -#endif + curve = ssl_get_EC_curve_nid(s->cert->pkeys[SSL_PKEY_ECC] + .privatekey); /* * Find highest preference signature algorithm matching @@ -3025,9 +3263,7 @@ int tls_choose_sigalg(SSL *s, int fatalerrs) if (!rsa_pss_check_min_key_size(s->ctx, pkey, lu)) continue; } -#ifndef OPENSSL_NO_EC if (curve == -1 || lu->curve == curve) -#endif break; } #ifndef OPENSSL_NO_GOST @@ -3041,7 +3277,6 @@ int tls_choose_sigalg(SSL *s, int fatalerrs) if (!fatalerrs) return 1; SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, - SSL_F_TLS_CHOOSE_SIGALG, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); return 0; } else { @@ -3054,7 +3289,6 @@ int tls_choose_sigalg(SSL *s, int fatalerrs) if (!fatalerrs) return 1; SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, - SSL_F_TLS_CHOOSE_SIGALG, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); return 0; } @@ -3068,7 +3302,7 @@ int tls_choose_sigalg(SSL *s, int fatalerrs) if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) { if (!fatalerrs) return 1; - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CHOOSE_SIGALG, + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); return 0; } @@ -3083,8 +3317,7 @@ int tls_choose_sigalg(SSL *s, int fatalerrs) if (i == sent_sigslen) { if (!fatalerrs) return 1; - SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, - SSL_F_TLS_CHOOSE_SIGALG, + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); return 0; } @@ -3093,7 +3326,7 @@ int tls_choose_sigalg(SSL *s, int fatalerrs) if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) { if (!fatalerrs) return 1; - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CHOOSE_SIGALG, + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); return 0; } @@ -3111,8 +3344,7 @@ int SSL_CTX_set_tlsext_max_fragment_length(SSL_CTX *ctx, uint8_t mode) { if (mode != TLSEXT_max_fragment_length_DISABLED && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) { - SSLerr(SSL_F_SSL_CTX_SET_TLSEXT_MAX_FRAGMENT_LENGTH, - SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); + ERR_raise(ERR_LIB_SSL, SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); return 0; } @@ -3124,8 +3356,7 @@ int SSL_set_tlsext_max_fragment_length(SSL *ssl, uint8_t mode) { if (mode != TLSEXT_max_fragment_length_DISABLED && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) { - SSLerr(SSL_F_SSL_SET_TLSEXT_MAX_FRAGMENT_LENGTH, - SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); + ERR_raise(ERR_LIB_SSL, SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); return 0; } @@ -3151,13 +3382,12 @@ SSL_HMAC *ssl_hmac_new(const SSL_CTX *ctx) #ifndef OPENSSL_NO_DEPRECATED_3_0 if (ctx->ext.ticket_key_evp_cb == NULL && ctx->ext.ticket_key_cb != NULL) { - ret->old_ctx = HMAC_CTX_new(); - if (ret->old_ctx == NULL) + if (!ssl_hmac_old_new(ret)) goto err; return ret; } #endif - mac = EVP_MAC_fetch(ctx->libctx, "HMAC", NULL); + mac = EVP_MAC_fetch(ctx->libctx, "HMAC", ctx->propq); if (mac == NULL || (ret->ctx = EVP_MAC_CTX_new(mac)) == NULL) goto err; EVP_MAC_free(mac); @@ -3174,19 +3404,12 @@ void ssl_hmac_free(SSL_HMAC *ctx) if (ctx != NULL) { EVP_MAC_CTX_free(ctx->ctx); #ifndef OPENSSL_NO_DEPRECATED_3_0 - HMAC_CTX_free(ctx->old_ctx); + ssl_hmac_old_free(ctx); #endif OPENSSL_free(ctx); } } -#ifndef OPENSSL_NO_DEPRECATED_3_0 -HMAC_CTX *ssl_hmac_get0_HMAC_CTX(SSL_HMAC *ctx) -{ - return ctx->old_ctx; -} -#endif - EVP_MAC_CTX *ssl_hmac_get0_EVP_MAC_CTX(SSL_HMAC *ctx) { return ctx->ctx; @@ -3194,19 +3417,17 @@ EVP_MAC_CTX *ssl_hmac_get0_EVP_MAC_CTX(SSL_HMAC *ctx) int ssl_hmac_init(SSL_HMAC *ctx, void *key, size_t len, char *md) { - OSSL_PARAM params[3], *p = params; + OSSL_PARAM params[2], *p = params; if (ctx->ctx != NULL) { *p++ = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, md, 0); - *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, key, len); *p = OSSL_PARAM_construct_end(); - if (EVP_MAC_CTX_set_params(ctx->ctx, params) && EVP_MAC_init(ctx->ctx)) + if (EVP_MAC_init(ctx->ctx, key, len, params)) return 1; } #ifndef OPENSSL_NO_DEPRECATED_3_0 if (ctx->old_ctx != NULL) - return HMAC_Init_ex(ctx->old_ctx, key, len, - EVP_get_digestbyname(md), NULL); + return ssl_hmac_old_init(ctx, key, len, md); #endif return 0; } @@ -3217,7 +3438,7 @@ int ssl_hmac_update(SSL_HMAC *ctx, const unsigned char *data, size_t len) return EVP_MAC_update(ctx->ctx, data, len); #ifndef OPENSSL_NO_DEPRECATED_3_0 if (ctx->old_ctx != NULL) - return HMAC_Update(ctx->old_ctx, data, len); + return ssl_hmac_old_update(ctx, data, len); #endif return 0; } @@ -3228,15 +3449,8 @@ int ssl_hmac_final(SSL_HMAC *ctx, unsigned char *md, size_t *len, if (ctx->ctx != NULL) return EVP_MAC_final(ctx->ctx, md, len, max_size); #ifndef OPENSSL_NO_DEPRECATED_3_0 - if (ctx->old_ctx != NULL) { - unsigned int l; - - if (HMAC_Final(ctx->old_ctx, md, &l) > 0) { - if (len != NULL) - *len = l; - return 1; - } - } + if (ctx->old_ctx != NULL) + return ssl_hmac_old_final(ctx, md, len); #endif return 0; } @@ -3244,11 +3458,20 @@ int ssl_hmac_final(SSL_HMAC *ctx, unsigned char *md, size_t *len, size_t ssl_hmac_size(const SSL_HMAC *ctx) { if (ctx->ctx != NULL) - return EVP_MAC_size(ctx->ctx); + return EVP_MAC_CTX_get_mac_size(ctx->ctx); #ifndef OPENSSL_NO_DEPRECATED_3_0 if (ctx->old_ctx != NULL) - return HMAC_size(ctx->old_ctx); + return ssl_hmac_old_size(ctx); #endif return 0; } +int ssl_get_EC_curve_nid(const EVP_PKEY *pkey) +{ + char gname[OSSL_MAX_NAME_SIZE]; + + if (EVP_PKEY_get_group_name(pkey, gname, sizeof(gname), NULL) > 0) + return OBJ_txt2nid(gname); + + return NID_undef; +}