Change curves to groups where relevant

author Dr. Stephen Henson <steve@openssl.org>

Tue, 26 Sep 2017 14:41:34 +0000 (15:41 +0100)

committer Dr. Stephen Henson <steve@openssl.org>

Fri, 6 Oct 2017 12:23:45 +0000 (13:23 +0100)
author Dr. Stephen Henson <steve@openssl.org>
Tue, 26 Sep 2017 14:41:34 +0000 (15:41 +0100)
committer Dr. Stephen Henson <steve@openssl.org>
Fri, 6 Oct 2017 12:23:45 +0000 (13:23 +0100)
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c

index 69214c522c8d92e7ad766c94b91b3ac7016277e1..f6a200fa18caff4c9ee955ab5cecc20b995c540f 100644 (file)
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -1167,25 +1167,25 @@ static int final_key_share(SSL *s, unsigned int context, int sent, int *al)
                  && (!s->hit
                      || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE)
                         != 0)) {
-            const uint16_t *pcurves, *clntcurves;
-            size_t num_curves, clnt_num_curves, i;
+            const uint16_t *pgroups, *clntgroups;
+            size_t num_groups, clnt_num_groups, i;
              unsigned int group_id = 0;
  
              /* Check if a shared group exists */
  
              /* Get the clients list of supported groups. */
-            tls1_get_peer_groups(s, &clntcurves, &clnt_num_curves);
-            tls1_get_supported_groups(s, &pcurves, &num_curves);
+            tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
+            tls1_get_supported_groups(s, &pgroups, &num_groups);
  
              /* Find the first group we allow that is also in client's list */
-            for (i = 0; i < num_curves; i++) {
-                group_id = pcurves[i];
+            for (i = 0; i < num_groups; i++) {
+                group_id = pgroups[i];
  
-                if (check_in_list(s, group_id, clntcurves, clnt_num_curves, 1))
+                if (check_in_list(s, group_id, clntgroups, clnt_num_groups, 1))
                      break;
              }
  
-            if (i < num_curves) {
+            if (i < num_groups) {
                  /* A shared group exists so send a HelloRetryRequest */
                  s->s3->group_id = group_id;
                  s->hello_retry_request = 1;
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c

index e392ac484b7723f962d28368ed8c8a26c2daabfb..c1f98b42f754902b49947e3892c9ce639135a4ce 100644 (file)
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -139,8 +139,8 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
                                                 unsigned int context, X509 *x,
                                                 size_t chainidx, int *al)
  {
-    const uint16_t *pcurves = NULL;
-    size_t num_curves = 0, i;
+    const uint16_t *pgroups = NULL;
+    size_t num_groups = 0, i;
  
      if (!use_ecc(s))
          return EXT_RETURN_NOT_SENT;
@@ -149,7 +149,7 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
       * Add TLS extension supported_groups to the ClientHello message
       */
      /* TODO(TLS1.3): Add support for DHE groups */
-    tls1_get_supported_groups(s, &pcurves, &num_curves);
+    tls1_get_supported_groups(s, &pgroups, &num_groups);
  
      if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
                 /* Sub-packet for supported_groups extension */
@@ -160,8 +160,8 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
          return EXT_RETURN_FAIL;
      }
      /* Copy curve ID if supported */
-    for (i = 0; i < num_curves; i++) {
-        uint16_t ctmp = pcurves[i];
+    for (i = 0; i < num_groups; i++) {
+        uint16_t ctmp = pgroups[i];
  
          if (tls_curve_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) {
              if (!WPACKET_put_bytes_u16(pkt, ctmp)) {
@@ -590,8 +590,8 @@ EXT_RETURN tls_construct_ctos_key_share(SSL *s, WPACKET *pkt,
                                          size_t chainidx, int *al)
  {
  #ifndef OPENSSL_NO_TLS1_3
-    size_t i, num_curves = 0;
-    const uint16_t *pcurves = NULL;
+    size_t i, num_groups = 0;
+    const uint16_t *pgroups = NULL;
      uint16_t curve_id = 0;
  
      /* key_share extension */
@@ -604,7 +604,7 @@ EXT_RETURN tls_construct_ctos_key_share(SSL *s, WPACKET *pkt,
          return EXT_RETURN_FAIL;
      }
  
-    tls1_get_supported_groups(s, &pcurves, &num_curves);
+    tls1_get_supported_groups(s, &pgroups, &num_groups);
  
      /*
       * TODO(TLS1.3): Make the number of key_shares sent configurable. For
@@ -613,12 +613,12 @@ EXT_RETURN tls_construct_ctos_key_share(SSL *s, WPACKET *pkt,
      if (s->s3->group_id != 0) {
          curve_id = s->s3->group_id;
      } else {
-        for (i = 0; i < num_curves; i++) {
+        for (i = 0; i < num_groups; i++) {
  
-            if (!tls_curve_allowed(s, pcurves[i], SSL_SECOP_CURVE_SUPPORTED))
+            if (!tls_curve_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED))
                  continue;
  
-            curve_id = pcurves[i];
+            curve_id = pgroups[i];
              break;
          }
      }
@@ -1514,8 +1514,8 @@ int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
      }
  
      if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) {
-        const uint16_t *pcurves = NULL;
-        size_t i, num_curves;
+        const uint16_t *pgroups = NULL;
+        size_t i, num_groups;
  
          if (PACKET_remaining(pkt) != 0) {
              *al = SSL_AD_DECODE_ERROR;
@@ -1534,12 +1534,12 @@ int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
          }
  
          /* Validate the selected group is one we support */
-        tls1_get_supported_groups(s, &pcurves, &num_curves);
-        for (i = 0; i < num_curves; i++) {
-            if (group_id == pcurves[i])
+        tls1_get_supported_groups(s, &pgroups, &num_groups);
+        for (i = 0; i < num_groups; i++) {
+            if (group_id == pgroups[i])
                  break;
          }
-        if (i >= num_curves
+        if (i >= num_groups
                  || !tls_curve_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)) {
              *al = SSL_AD_ILLEGAL_PARAMETER;
              SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c

index 8183ea574c920f951152fc6f4c2cd23310eb8dda..8bf3a7678f1db7e2721ae792ac91b39eaa832b5b 100644 (file)
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -499,8 +499,8 @@ int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
  #ifndef OPENSSL_NO_TLS1_3
      unsigned int group_id;
      PACKET key_share_list, encoded_pt;
-    const uint16_t *clntcurves, *srvrcurves;
-    size_t clnt_num_curves, srvr_num_curves;
+    const uint16_t *clntgroups, *srvrgroups;
+    size_t clnt_num_groups, srvr_num_groups;
      int found = 0;
  
      if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
@@ -519,11 +519,11 @@ int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
          return 0;
      }
  
-    /* Get our list of supported curves */
-    tls1_get_supported_groups(s, &srvrcurves, &srvr_num_curves);
-    /* Get the clients list of supported curves. */
-    tls1_get_peer_groups(s, &clntcurves, &clnt_num_curves);
-    if (clnt_num_curves == 0) {
+    /* Get our list of supported groups */
+    tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
+    /* Get the clients list of supported groups. */
+    tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
+    if (clnt_num_groups == 0) {
          /*
           * This can only happen if the supported_groups extension was not sent,
           * because we verify that the length is non-zero when we process that
@@ -553,14 +553,14 @@ int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
              continue;
  
          /* Check if this share is in supported_groups sent from client */
-        if (!check_in_list(s, group_id, clntcurves, clnt_num_curves, 0)) {
+        if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
              *al = SSL_AD_ILLEGAL_PARAMETER;
              SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
              return 0;
          }
  
          /* Check if this share is for a group we can use */
-        if (!check_in_list(s, group_id, srvrcurves, srvr_num_curves, 1)) {
+        if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)) {
              /* Share not suitable */
              continue;
          }
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c

index e002013d4f0fd0dac9fe8bc4ad8c343420a2c9dd..9582e21eea42dd436159298b2934360c8c908852 100644 (file)
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -186,12 +186,12 @@ static const uint16_t suiteb_curves[] = {
      TLSEXT_curve_P_384
  };
  
-const TLS_GROUP_INFO *tls1_group_id_lookup(uint16_t curve_id)
+const TLS_GROUP_INFO *tls1_group_id_lookup(uint16_t group_id)
  {
      /* ECC curves from RFC 4492 and RFC 7027 */
-    if (curve_id < 1 || curve_id > OSSL_NELEM(nid_list))
+    if (group_id < 1 || group_id > OSSL_NELEM(nid_list))
          return NULL;
-    return &nid_list[curve_id - 1];
+    return &nid_list[group_id - 1];
  }
  
  static uint16_t tls1_nid2group_id(int nid)
author	Dr. Stephen Henson <steve@openssl.org>
	Tue, 26 Sep 2017 14:41:34 +0000 (15:41 +0100)
committer	Dr. Stephen Henson <steve@openssl.org>
	Fri, 6 Oct 2017 12:23:45 +0000 (13:23 +0100)
ssl/statem/extensions.c		patch \| blob \| history
ssl/statem/extensions_clnt.c		patch \| blob \| history
ssl/statem/extensions_srvr.c		patch \| blob \| history
ssl/t1_lib.c		patch \| blob \| history