X-Git-Url: https://git.openssl.org/gitweb/?a=blobdiff_plain;f=ssl%2Fstatem%2Fextensions_clnt.c;h=dbdedad1abc196f36778f073d87e4f6e48fc04fa;hb=db9592c1f723841586960912c387a925e4547a26;hp=764c52322d9b6ca75c6e06f542e761796e7c157b;hpb=852c2ed260860b6b85c84f9fe96fb4d23d49c9f2;p=openssl.git diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index 764c52322d..dbdedad1ab 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -117,7 +117,7 @@ EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context, #endif #ifndef OPENSSL_NO_EC -static int use_ecc(SSL *s, int max_version) +static int use_ecc(SSL *s, int min_version, int max_version) { int i, end, ret = 0; unsigned long alg_k, alg_a; @@ -152,7 +152,7 @@ static int use_ecc(SSL *s, int max_version) for (j = 0; j < num_groups; j++) { uint16_t ctmp = pgroups[j]; - if (tls_valid_group(s, ctmp, max_version) + if (tls_valid_group(s, ctmp, min_version, max_version) && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) return 1; } @@ -174,7 +174,7 @@ EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt, SSL_F_TLS_CONSTRUCT_CTOS_EC_PT_FORMATS, reason); return EXT_RETURN_FAIL; } - if (!use_ecc(s, max_version)) + if (!use_ecc(s, min_version, max_version)) return EXT_RETURN_NOT_SENT; /* Add TLS extension ECPointFormats to the ClientHello message */ @@ -214,7 +214,7 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt, if (max_version < TLS1_3_VERSION) return EXT_RETURN_NOT_SENT; #else - if (!use_ecc(s, max_version) && max_version < TLS1_3_VERSION) + if (!use_ecc(s, min_version, max_version) && max_version < TLS1_3_VERSION) return EXT_RETURN_NOT_SENT; #endif @@ -237,7 +237,7 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt, for (i = 0; i < num_groups; i++) { uint16_t ctmp = pgroups[i]; - if (tls_valid_group(s, ctmp, max_version) + if (tls_valid_group(s, ctmp, min_version, max_version) && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) { if (!WPACKET_put_bytes_u16(pkt, ctmp)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, @@ -648,21 +648,6 @@ static int add_key_share(SSL *s, WPACKET *pkt, unsigned int curve_id) /* SSLfatal() already called */ return 0; } - - /* - * TODO(3.0) Remove this when EVP_PKEY_get1_tls_encodedpoint() - * knows how to get a key from an encoded point with the help of - * a OSSL_SERIALIZER deserializer. We know that EVP_PKEY_get0() - * downgrades an EVP_PKEY to contain a legacy key. - * - * THIS IS TEMPORARY - */ - EVP_PKEY_get0(key_share_key); - if (EVP_PKEY_id(key_share_key) == EVP_PKEY_NONE) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_ADD_KEY_SHARE, - ERR_R_EC_LIB); - goto err; - } } /* Encode the public key. */ @@ -1922,23 +1907,7 @@ int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, skey = EVP_PKEY_new(); if (skey == NULL || EVP_PKEY_copy_parameters(skey, ckey) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE, - ERR_R_MALLOC_FAILURE); - return 0; - } - - /* - * TODO(3.0) Remove this when EVP_PKEY_get1_tls_encodedpoint() - * knows how to get a key from an encoded point with the help of - * a OSSL_SERIALIZER deserializer. We know that EVP_PKEY_get0() - * downgrades an EVP_PKEY to contain a legacy key. - * - * THIS IS TEMPORARY - */ - EVP_PKEY_get0(skey); - if (EVP_PKEY_id(skey) == EVP_PKEY_NONE) { - EVP_PKEY_free(skey); - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE, - ERR_R_INTERNAL_ERROR); + SSL_R_COPY_PARAMETERS_FAILED); return 0; }