From 9aaecbfc98eb89a03f72b35d343e08f377e7803a Mon Sep 17 00:00:00 2001 From: raja-ashok Date: Fri, 25 Jan 2019 21:04:49 +0530 Subject: [PATCH] TLS1.3 FFDHE Support Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8178) --- crypto/dh/dh_ameth.c | 16 ++++- crypto/dh/dh_err.c | 4 +- crypto/dh/dh_key.c | 63 ++++++++++++++++ crypto/dh/dh_locl.h | 3 + crypto/err/openssl.txt | 2 + include/openssl/dherr.h | 2 + ssl/s3_lib.c | 92 +++++++++++++++++++----- ssl/ssl_locl.h | 16 +++-- ssl/statem/extensions_clnt.c | 27 ++++--- ssl/statem/extensions_srvr.c | 3 +- ssl/t1_lib.c | 136 ++++++++++++++++++++++------------- 11 files changed, 279 insertions(+), 85 deletions(-) diff --git a/crypto/dh/dh_ameth.c b/crypto/dh/dh_ameth.c index 1424c41abe..524cac5bd8 100644 --- a/crypto/dh/dh_ameth.c +++ b/crypto/dh/dh_ameth.c @@ -488,6 +488,18 @@ static int dh_cms_encrypt(CMS_RecipientInfo *ri); #endif static int dh_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) +{ + switch (op) { + case ASN1_PKEY_CTRL_SET1_TLS_ENCPT: + return dh_buf2key(EVP_PKEY_get0_DH(pkey), arg2, arg1); + case ASN1_PKEY_CTRL_GET1_TLS_ENCPT: + return dh_key2buf(EVP_PKEY_get0_DH(pkey), arg2); + default: + return -2; + } +} + +static int dhx_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) { switch (op) { #ifndef OPENSSL_NO_CMS @@ -558,7 +570,7 @@ const EVP_PKEY_ASN1_METHOD dh_asn1_meth = { 0, int_dh_free, - 0, + dh_pkey_ctrl, 0, 0, 0, 0, 0, @@ -597,7 +609,7 @@ const EVP_PKEY_ASN1_METHOD dhx_asn1_meth = { 0, int_dh_free, - dh_pkey_ctrl, + dhx_pkey_ctrl, 0, 0, 0, 0, 0, diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c index 66bf6b5ad8..a78a6a9c3f 100644 --- a/crypto/dh/dh_err.c +++ b/crypto/dh/dh_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -16,6 +16,7 @@ static const ERR_STRING_DATA DH_str_functs[] = { {ERR_PACK(ERR_LIB_DH, DH_F_COMPUTE_KEY, 0), "compute_key"}, {ERR_PACK(ERR_LIB_DH, DH_F_DHPARAMS_PRINT_FP, 0), "DHparams_print_fp"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_BUF2KEY, 0), "dh_buf2key"}, {ERR_PACK(ERR_LIB_DH, DH_F_DH_BUILTIN_GENPARAMS, 0), "dh_builtin_genparams"}, {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_EX, 0), "DH_check_ex"}, @@ -25,6 +26,7 @@ static const ERR_STRING_DATA DH_str_functs[] = { {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_PEERKEY, 0), "dh_cms_set_peerkey"}, {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_SHARED_INFO, 0), "dh_cms_set_shared_info"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_KEY2BUF, 0), "dh_key2buf"}, {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_DUP, 0), "DH_meth_dup"}, {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_NEW, 0), "DH_meth_new"}, {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_SET1_NAME, 0), "DH_meth_set1_name"}, diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c index 4b0b1f3255..6b3a1247b2 100644 --- a/crypto/dh/dh_key.c +++ b/crypto/dh/dh_key.c @@ -228,3 +228,66 @@ static int dh_finish(DH *dh) BN_MONT_CTX_free(dh->method_mont_p); return 1; } + +int dh_buf2key(DH *dh, const unsigned char *buf, size_t len) +{ + int err_reason = DH_R_BN_ERROR; + BIGNUM *pubkey = NULL; + const BIGNUM *p; + size_t p_size; + + if ((pubkey = BN_bin2bn(buf, len, NULL)) == NULL) + goto err; + DH_get0_pqg(dh, &p, NULL, NULL); + if (p == NULL || (p_size = BN_num_bytes(p)) == 0) { + err_reason = DH_R_NO_PARAMETERS_SET; + goto err; + } + /* + * As per Section 4.2.8.1 of RFC 8446 fail if DHE's + * public key is of size not equal to size of p + */ + if (BN_is_zero(pubkey) || p_size != len) { + err_reason = DH_R_INVALID_PUBKEY; + goto err; + } + if (DH_set0_key(dh, pubkey, NULL) != 1) + goto err; + return 1; +err: + DHerr(DH_F_DH_BUF2KEY, err_reason); + BN_free(pubkey); + return 0; +} + +size_t dh_key2buf(const DH *dh, unsigned char **pbuf_out) +{ + const BIGNUM *pubkey; + unsigned char *pbuf; + const BIGNUM *p; + int p_size; + + DH_get0_pqg(dh, &p, NULL, NULL); + DH_get0_key(dh, &pubkey, NULL); + if (p == NULL || pubkey == NULL + || (p_size = BN_num_bytes(p)) == 0 + || BN_num_bytes(pubkey) == 0) { + DHerr(DH_F_DH_KEY2BUF, DH_R_INVALID_PUBKEY); + return 0; + } + if ((pbuf = OPENSSL_malloc(p_size)) == NULL) { + DHerr(DH_F_DH_KEY2BUF, ERR_R_MALLOC_FAILURE); + return 0; + } + /* + * As per Section 4.2.8.1 of RFC 8446 left pad public + * key with zeros to the size of p + */ + if (BN_bn2binpad(pubkey, pbuf, p_size) < 0) { + OPENSSL_free(pbuf); + DHerr(DH_F_DH_KEY2BUF, DH_R_BN_ERROR); + return 0; + } + *pbuf_out = pbuf; + return p_size; +} diff --git a/crypto/dh/dh_locl.h b/crypto/dh/dh_locl.h index 6186901ee7..bb64cde9f7 100644 --- a/crypto/dh/dh_locl.h +++ b/crypto/dh/dh_locl.h @@ -55,3 +55,6 @@ struct dh_method { int (*generate_params) (DH *dh, int prime_len, int generator, BN_GENCB *cb); }; + +int dh_buf2key(DH *key, const unsigned char *buf, size_t len); +size_t dh_key2buf(const DH *dh, unsigned char **pbuf); diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 1457bc0e99..23c0ddae4f 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -439,6 +439,7 @@ CT_F_SCT_SET_SIGNATURE_NID:103:SCT_set_signature_nid CT_F_SCT_SET_VERSION:104:SCT_set_version DH_F_COMPUTE_KEY:102:compute_key DH_F_DHPARAMS_PRINT_FP:101:DHparams_print_fp +DH_F_DH_BUF2KEY:126:dh_buf2key DH_F_DH_BUILTIN_GENPARAMS:106:dh_builtin_genparams DH_F_DH_CHECK_EX:121:DH_check_ex DH_F_DH_CHECK_PARAMS_EX:122:DH_check_params_ex @@ -446,6 +447,7 @@ DH_F_DH_CHECK_PUB_KEY_EX:123:DH_check_pub_key_ex DH_F_DH_CMS_DECRYPT:114:dh_cms_decrypt DH_F_DH_CMS_SET_PEERKEY:115:dh_cms_set_peerkey DH_F_DH_CMS_SET_SHARED_INFO:116:dh_cms_set_shared_info +DH_F_DH_KEY2BUF:127:dh_key2buf DH_F_DH_METH_DUP:117:DH_meth_dup DH_F_DH_METH_NEW:118:DH_meth_new DH_F_DH_METH_SET1_NAME:119:DH_meth_set1_name diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h index 2203554292..83f0e591c0 100644 --- a/include/openssl/dherr.h +++ b/include/openssl/dherr.h @@ -29,6 +29,7 @@ int ERR_load_DH_strings(void); */ # define DH_F_COMPUTE_KEY 102 # define DH_F_DHPARAMS_PRINT_FP 101 +# define DH_F_DH_BUF2KEY 126 # define DH_F_DH_BUILTIN_GENPARAMS 106 # define DH_F_DH_CHECK_EX 121 # define DH_F_DH_CHECK_PARAMS_EX 122 @@ -36,6 +37,7 @@ int ERR_load_DH_strings(void); # define DH_F_DH_CMS_DECRYPT 114 # define DH_F_DH_CMS_SET_PEERKEY 115 # define DH_F_DH_CMS_SET_SHARED_INFO 116 +# define DH_F_DH_KEY2BUF 127 # define DH_F_DH_METH_DUP 117 # define DH_F_DH_METH_NEW 118 # define DH_F_DH_METH_SET1_NAME 119 diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 5ea2c2d029..a75a15802a 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -4678,25 +4678,39 @@ EVP_PKEY *ssl_generate_pkey(EVP_PKEY *pm) EVP_PKEY_CTX_free(pctx); return pkey; } -#ifndef OPENSSL_NO_EC + /* Generate a private key from a group ID */ EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id) { + const TLS_GROUP_INFO *ginf = tls1_group_id_lookup(id); EVP_PKEY_CTX *pctx = NULL; EVP_PKEY *pkey = NULL; - const TLS_GROUP_INFO *ginf = tls1_group_id_lookup(id); uint16_t gtype; +# ifndef OPENSSL_NO_DH + DH *dh = NULL; +# endif if (ginf == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP, ERR_R_INTERNAL_ERROR); goto err; } - gtype = ginf->flags & TLS_CURVE_TYPE; - if (gtype == TLS_CURVE_CUSTOM) - pctx = EVP_PKEY_CTX_new_id(ginf->nid, NULL); + gtype = ginf->flags & TLS_GROUP_TYPE; +# ifndef OPENSSL_NO_DH + if (gtype == TLS_GROUP_FFDHE) + pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL); +# ifndef OPENSSL_NO_EC else - pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL); +# endif +# endif +# ifndef OPENSSL_NO_EC + { + if (gtype == TLS_GROUP_CURVE_CUSTOM) + pctx = EVP_PKEY_CTX_new_id(ginf->nid, NULL); + else + pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL); + } +# endif if (pctx == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP, ERR_R_MALLOC_FAILURE); @@ -4707,12 +4721,40 @@ EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id) ERR_R_EVP_LIB); goto err; } - if (gtype != TLS_CURVE_CUSTOM - && EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, ginf->nid) <= 0) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP, - ERR_R_EVP_LIB); - goto err; +# ifndef OPENSSL_NO_DH + if (gtype == TLS_GROUP_FFDHE) { + if ((pkey = EVP_PKEY_new()) == NULL + || (dh = DH_new_by_nid(ginf->nid)) == NULL + || !EVP_PKEY_assign(pkey, EVP_PKEY_DH, dh)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP, + ERR_R_EVP_LIB); + DH_free(dh); + EVP_PKEY_free(pkey); + pkey = NULL; + goto err; + } + if (EVP_PKEY_CTX_set_dh_nid(pctx, ginf->nid) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP, + ERR_R_EVP_LIB); + EVP_PKEY_free(pkey); + pkey = NULL; + goto err; + } + } +# ifndef OPENSSL_NO_EC + else +# endif +# endif +# ifndef OPENSSL_NO_EC + { + if (gtype != TLS_GROUP_CURVE_CUSTOM + && EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, ginf->nid) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP, + ERR_R_EVP_LIB); + goto err; + } } +# endif if (EVP_PKEY_keygen(pctx, &pkey) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP, ERR_R_EVP_LIB); @@ -4733,11 +4775,12 @@ EVP_PKEY *ssl_generate_param_group(uint16_t id) EVP_PKEY_CTX *pctx = NULL; EVP_PKEY *pkey = NULL; const TLS_GROUP_INFO *ginf = tls1_group_id_lookup(id); + int pkey_ctx_id; if (ginf == NULL) goto err; - if ((ginf->flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) { + if ((ginf->flags & TLS_GROUP_TYPE) == TLS_GROUP_CURVE_CUSTOM) { pkey = EVP_PKEY_new(); if (pkey != NULL && EVP_PKEY_set_type(pkey, ginf->nid)) return pkey; @@ -4745,13 +4788,28 @@ EVP_PKEY *ssl_generate_param_group(uint16_t id) return NULL; } - pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL); + pkey_ctx_id = (ginf->flags & TLS_GROUP_FFDHE) + ? EVP_PKEY_DH : EVP_PKEY_EC; + pctx = EVP_PKEY_CTX_new_id(pkey_ctx_id, NULL); if (pctx == NULL) goto err; if (EVP_PKEY_paramgen_init(pctx) <= 0) goto err; - if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, ginf->nid) <= 0) - goto err; +# ifndef OPENSSl_NO_DH + if (ginf->flags & TLS_GROUP_FFDHE) { + if (EVP_PKEY_CTX_set_dh_nid(pctx, ginf->nid) <= 0) + goto err; + } +# ifndef OPENSSL_NO_EC + else +# endif +# endif +# ifndef OPENSSL_NO_EC + { + if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, ginf->nid) <= 0) + goto err; + } +# endif if (EVP_PKEY_paramgen(pctx, &pkey) <= 0) { EVP_PKEY_free(pkey); pkey = NULL; @@ -4761,7 +4819,6 @@ EVP_PKEY *ssl_generate_param_group(uint16_t id) EVP_PKEY_CTX_free(pctx); return pkey; } -#endif /* Derive secrets for ECDH/DH */ int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey, int gensecret) @@ -4787,6 +4844,9 @@ int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey, int gensecret) goto err; } + if (SSL_IS_TLS13(s) && EVP_PKEY_id(privkey) == EVP_PKEY_DH) + EVP_PKEY_CTX_set_dh_pad(pctx, 1); + pms = OPENSSL_malloc(pmslen); if (pms == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_DERIVE, diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 79b78f093d..0e661d00d7 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -1685,14 +1685,19 @@ typedef struct sigalg_lookup_st { typedef struct tls_group_info_st { int nid; /* Curve NID */ int secbits; /* Bits of security (from SP800-57) */ - uint16_t flags; /* Flags: currently just group type */ + uint32_t flags; /* For group type and applicable TLS versions */ + uint16_t group_id; /* Group ID */ } TLS_GROUP_INFO; /* flags values */ -# define TLS_CURVE_TYPE 0x3 /* Mask for group type */ -# define TLS_CURVE_PRIME 0x0 -# define TLS_CURVE_CHAR2 0x1 -# define TLS_CURVE_CUSTOM 0x2 +# define TLS_GROUP_TYPE 0x0000000FU /* Mask for group type */ +# define TLS_GROUP_CURVE_PRIME 0x00000001U +# define TLS_GROUP_CURVE_CHAR2 0x00000002U +# define TLS_GROUP_CURVE_CUSTOM 0x00000004U +# define TLS_GROUP_FFDHE 0x00000008U +# define TLS_GROUP_ONLY_FOR_TLS1_3 0x00000010U + +# define TLS_GROUP_FFDHE_FOR_TLS1_3 (TLS_GROUP_FFDHE|TLS_GROUP_ONLY_FOR_TLS1_3) /* * Structure containing table entry of certificate info corresponding to @@ -2533,6 +2538,7 @@ void tls1_get_formatlist(SSL *s, const unsigned char **pformats, size_t *num_formats); __owur int tls1_check_ec_tmp_key(SSL *s, unsigned long id); __owur EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id); +__owur int tls_valid_group(SSL *s, uint16_t group_id, int version); __owur EVP_PKEY *ssl_generate_param_group(uint16_t id); # endif /* OPENSSL_NO_EC */ diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index 979954ff76..a29b7c021a 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -174,36 +174,45 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt, { const uint16_t *pgroups = NULL; size_t num_groups = 0, i; + int min_version, max_version, reason; if (!use_ecc(s)) return EXT_RETURN_NOT_SENT; + reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL); + if (reason != 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS, reason); + return EXT_RETURN_FAIL; + } + /* * Add TLS extension supported_groups to the ClientHello message */ - /* TODO(TLS1.3): Add support for DHE groups */ tls1_get_supported_groups(s, &pgroups, &num_groups); if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups) /* Sub-packet for supported_groups extension */ || !WPACKET_start_sub_packet_u16(pkt) - || !WPACKET_start_sub_packet_u16(pkt)) { + || !WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR); return EXT_RETURN_FAIL; } - /* Copy curve ID if supported */ + /* Copy group ID if supported */ for (i = 0; i < num_groups; i++) { uint16_t ctmp = pgroups[i]; - if (tls_curve_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) { + if (tls_valid_group(s, ctmp, max_version) + && tls_curve_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) { if (!WPACKET_put_bytes_u16(pkt, ctmp)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, - SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS, - ERR_R_INTERNAL_ERROR); - return EXT_RETURN_FAIL; - } + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } } } if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index d107af3f87..37f5819346 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -1424,7 +1424,8 @@ EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt, for (i = 0; i < numgroups; i++) { uint16_t group = groups[i]; - if (tls_curve_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) { + if (tls_valid_group(s, group, SSL_version(s)) + && tls_curve_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) { if (first) { /* * Check if the client is already using our preferred group. If diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 8fad1f20df..52e6d5426a 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -132,40 +132,44 @@ int tls1_clear(SSL *s) /* * Table of curve information. - * Do not delete entries or reorder this array! It is used as a lookup - * table: the index of each entry is one less than the TLS curve id. */ static const TLS_GROUP_INFO nid_list[] = { - {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */ - {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */ - {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */ - {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */ - {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */ - {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */ - {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */ - {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */ - {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */ - {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */ - {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */ - {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */ - {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */ - {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */ - {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */ - {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */ - {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */ - {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */ - {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */ - {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */ - {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */ - {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */ - {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */ - {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */ - {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */ - {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */ - {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */ - {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */ - {EVP_PKEY_X25519, 128, TLS_CURVE_CUSTOM}, /* X25519 (29) */ - {EVP_PKEY_X448, 224, TLS_CURVE_CUSTOM}, /* X448 (30) */ + {NID_sect163k1, 80, TLS_GROUP_CURVE_CHAR2, 0x0001}, /* sect163k1 (1) */ + {NID_sect163r1, 80, TLS_GROUP_CURVE_CHAR2, 0x0002}, /* sect163r1 (2) */ + {NID_sect163r2, 80, TLS_GROUP_CURVE_CHAR2, 0x0003}, /* sect163r2 (3) */ + {NID_sect193r1, 80, TLS_GROUP_CURVE_CHAR2, 0x0004}, /* sect193r1 (4) */ + {NID_sect193r2, 80, TLS_GROUP_CURVE_CHAR2, 0x0005}, /* sect193r2 (5) */ + {NID_sect233k1, 112, TLS_GROUP_CURVE_CHAR2, 0x0006}, /* sect233k1 (6) */ + {NID_sect233r1, 112, TLS_GROUP_CURVE_CHAR2, 0x0007}, /* sect233r1 (7) */ + {NID_sect239k1, 112, TLS_GROUP_CURVE_CHAR2, 0x0008}, /* sect239k1 (8) */ + {NID_sect283k1, 128, TLS_GROUP_CURVE_CHAR2, 0x0009}, /* sect283k1 (9) */ + {NID_sect283r1, 128, TLS_GROUP_CURVE_CHAR2, 0x000A}, /* sect283r1 (10) */ + {NID_sect409k1, 192, TLS_GROUP_CURVE_CHAR2, 0x000B}, /* sect409k1 (11) */ + {NID_sect409r1, 192, TLS_GROUP_CURVE_CHAR2, 0x000C}, /* sect409r1 (12) */ + {NID_sect571k1, 256, TLS_GROUP_CURVE_CHAR2, 0x000D}, /* sect571k1 (13) */ + {NID_sect571r1, 256, TLS_GROUP_CURVE_CHAR2, 0x000E}, /* sect571r1 (14) */ + {NID_secp160k1, 80, TLS_GROUP_CURVE_PRIME, 0x000F}, /* secp160k1 (15) */ + {NID_secp160r1, 80, TLS_GROUP_CURVE_PRIME, 0x0010}, /* secp160r1 (16) */ + {NID_secp160r2, 80, TLS_GROUP_CURVE_PRIME, 0x0011}, /* secp160r2 (17) */ + {NID_secp192k1, 80, TLS_GROUP_CURVE_PRIME, 0x0012}, /* secp192k1 (18) */ + {NID_X9_62_prime192v1, 80, TLS_GROUP_CURVE_PRIME, 0x0013}, /* secp192r1 (19) */ + {NID_secp224k1, 112, TLS_GROUP_CURVE_PRIME, 0x0014}, /* secp224k1 (20) */ + {NID_secp224r1, 112, TLS_GROUP_CURVE_PRIME, 0x0015}, /* secp224r1 (21) */ + {NID_secp256k1, 128, TLS_GROUP_CURVE_PRIME, 0x0016}, /* secp256k1 (22) */ + {NID_X9_62_prime256v1, 128, TLS_GROUP_CURVE_PRIME, 0x0017}, /* secp256r1 (23) */ + {NID_secp384r1, 192, TLS_GROUP_CURVE_PRIME, 0x0018}, /* secp384r1 (24) */ + {NID_secp521r1, 256, TLS_GROUP_CURVE_PRIME, 0x0019}, /* secp521r1 (25) */ + {NID_brainpoolP256r1, 128, TLS_GROUP_CURVE_PRIME, 0x001A}, /* brainpoolP256r1 (26) */ + {NID_brainpoolP384r1, 192, TLS_GROUP_CURVE_PRIME, 0x001B}, /* brainpoolP384r1 (27) */ + {NID_brainpoolP512r1, 256, TLS_GROUP_CURVE_PRIME, 0x001C}, /* brainpool512r1 (28) */ + {EVP_PKEY_X25519, 128, TLS_GROUP_CURVE_CUSTOM, 0x001D}, /* X25519 (29) */ + {EVP_PKEY_X448, 224, TLS_GROUP_CURVE_CUSTOM, 0x001E}, /* X448 (30) */ + /* Security bit values for FFDHE groups are updated as per RFC 7919 */ + {NID_ffdhe2048, 103, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0100}, /* ffdhe2048 (0x0100) */ + {NID_ffdhe3072, 125, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0101}, /* ffdhe3072 (0x0101) */ + {NID_ffdhe4096, 150, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0102}, /* ffdhe4096 (0x0102) */ + {NID_ffdhe6144, 175, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0103}, /* ffdhe6144 (0x0103) */ + {NID_ffdhe8192, 192, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0104}, /* ffdhe8192 (0x0104) */ }; static const unsigned char ecformats_default[] = { @@ -175,12 +179,17 @@ static const unsigned char ecformats_default[] = { }; /* The default curves */ -static const uint16_t eccurves_default[] = { +static const uint16_t supported_groups_default[] = { 29, /* X25519 (29) */ 23, /* secp256r1 (23) */ 30, /* X448 (30) */ 25, /* secp521r1 (25) */ 24, /* secp384r1 (24) */ + 0x100, /* ffdhe2048 (0x100) */ + 0x101, /* ffdhe3072 (0x101) */ + 0x102, /* ffdhe4096 (0x102) */ + 0x103, /* ffdhe6144 (0x103) */ + 0x104, /* ffdhe8192 (0x104) */ }; static const uint16_t suiteb_curves[] = { @@ -190,18 +199,23 @@ static const uint16_t suiteb_curves[] = { const TLS_GROUP_INFO *tls1_group_id_lookup(uint16_t group_id) { - /* ECC curves from RFC 4492 and RFC 7027 */ - if (group_id < 1 || group_id > OSSL_NELEM(nid_list)) - return NULL; - return &nid_list[group_id - 1]; + size_t i; + + /* ECC curves from RFC 4492 and RFC 7027 FFDHE group from RFC 8446 */ + for (i = 0; i < OSSL_NELEM(nid_list); i++) { + if (nid_list[i].group_id == group_id) + return &nid_list[i]; + } + return NULL; } static uint16_t tls1_nid2group_id(int nid) { size_t i; + for (i = 0; i < OSSL_NELEM(nid_list); i++) { if (nid_list[i].nid == nid) - return (uint16_t)(i + 1); + return nid_list[i].group_id; } return 0; } @@ -233,8 +247,8 @@ void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups, default: if (s->ext.supportedgroups == NULL) { - *pgroups = eccurves_default; - *pgroupslen = OSSL_NELEM(eccurves_default); + *pgroups = supported_groups_default; + *pgroupslen = OSSL_NELEM(supported_groups_default); } else { *pgroups = s->ext.supportedgroups; *pgroupslen = s->ext.supportedgroups_len; @@ -243,6 +257,17 @@ void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups, } } +int tls_valid_group(SSL *s, uint16_t group_id, int version) +{ + const TLS_GROUP_INFO *ginfo = tls1_group_id_lookup(group_id); + + if (version < TLS1_3_VERSION) { + if ((ginfo->flags & TLS_GROUP_ONLY_FOR_TLS1_3) != 0) + return 0; + } + return 1; +} + /* See if curve is allowed by security callback */ int tls_curve_allowed(SSL *s, uint16_t curve, int op) { @@ -252,7 +277,11 @@ int tls_curve_allowed(SSL *s, uint16_t curve, int op) if (cinfo == NULL) return 0; # ifdef OPENSSL_NO_EC2M - if (cinfo->flags & TLS_CURVE_CHAR2) + if (cinfo->flags & TLS_GROUP_CURVE_CHAR2) + return 0; +# endif +# ifdef OPENSSL_NO_DH + if (cinfo->flags & TLS_GROUP_FFDHE) return 0; # endif ctmp[0] = curve >> 8; @@ -338,10 +367,12 @@ int tls1_set_groups(uint16_t **pext, size_t *pextlen, uint16_t *glist; size_t i; /* - * Bitmap of groups included to detect duplicates: only works while group - * ids < 32 + * Bitmap of groups included to detect duplicates: two variables are added + * to detect duplicates as some values are more than 32. */ - unsigned long dup_list = 0; + unsigned long *dup_list = NULL; + unsigned long dup_list_egrp = 0; + unsigned long dup_list_dhgrp = 0; if (ngroups == 0) { SSLerr(SSL_F_TLS1_SET_GROUPS, SSL_R_BAD_LENGTH); @@ -354,20 +385,23 @@ int tls1_set_groups(uint16_t **pext, size_t *pextlen, for (i = 0; i < ngroups; i++) { unsigned long idmask; uint16_t id; - /* TODO(TLS1.3): Convert for DH groups */ id = tls1_nid2group_id(groups[i]); - idmask = 1L << id; - if (!id || (dup_list & idmask)) { - OPENSSL_free(glist); - return 0; - } - dup_list |= idmask; + if ((id & 0x00FF) >= (sizeof(unsigned long) * 8)) + goto err; + idmask = 1L << (id & 0x00FF); + dup_list = (id < 0x100) ? &dup_list_egrp : &dup_list_dhgrp; + if (!id || ((*dup_list) & idmask)) + goto err; + *dup_list |= idmask; glist[i] = id; } OPENSSL_free(*pext); *pext = glist; *pextlen = ngroups; return 1; +err: + OPENSSL_free(glist); + return 0; } # define MAX_CURVELIST OSSL_NELEM(nid_list) -- 2.25.1