From 9d2d857f135abd281591ee0c2b58e01a710c3cea Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Mon, 18 May 2020 23:37:18 +0100 Subject: [PATCH] Modify libssl to discover supported groups based on available providers Now that we have added the TLS-GROUP capability to the default provider we can use that to discover the supported group list based on the loaded providers. Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/11914) --- ssl/s3_lib.c | 94 ++------ ssl/ssl_lib.c | 18 +- ssl/ssl_local.h | 50 ++-- ssl/statem/extensions_clnt.c | 10 +- ssl/statem/extensions_srvr.c | 4 +- ssl/t1_lib.c | 349 ++++++++++++++++++++------- test/filterprov.c | 9 + test/ssl-tests/20-cert-select.cnf | 2 - test/ssl-tests/20-cert-select.cnf.in | 2 - test/sslapitest.c | 2 + 10 files changed, 352 insertions(+), 188 deletions(-) diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 054fc468ed..8004c6483a 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3650,12 +3650,16 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) int *cptr = parg; for (i = 0; i < clistlen; i++) { - const TLS_GROUP_INFO *cinf = tls1_group_id_lookup(clist[i]); - - if (cinf != NULL) - cptr[i] = cinf->nid; - else + const TLS_GROUP_INFO *cinf + = tls1_group_id_lookup(s->ctx, clist[i]); + + if (cinf != NULL) { + cptr[i] = tls1_group_id2nid(cinf->group_id); + if (cptr[i] == NID_undef) + cptr[i] = TLSEXT_nid_unknown | clist[i]; + } else { cptr[i] = TLSEXT_nid_unknown | clist[i]; + } } } return (int)clistlen; @@ -4764,25 +4768,19 @@ EVP_PKEY *ssl_generate_pkey(SSL *s, EVP_PKEY *pm) } /* Generate a private key from a group ID */ -#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id) { - const TLS_GROUP_INFO *ginf = tls1_group_id_lookup(id); + const TLS_GROUP_INFO *ginf = tls1_group_id_lookup(s->ctx, id); EVP_PKEY_CTX *pctx = NULL; EVP_PKEY *pkey = NULL; - uint16_t gtype; -# ifndef OPENSSL_NO_DH - DH *dh = NULL; -# endif if (ginf == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP, ERR_R_INTERNAL_ERROR); goto err; } - gtype = ginf->flags & TLS_GROUP_TYPE; - pctx = EVP_PKEY_CTX_new_from_name(s->ctx->libctx, ginf->keytype, + pctx = EVP_PKEY_CTX_new_from_name(s->ctx->libctx, ginf->algorithm, s->ctx->propq); if (pctx == NULL) { @@ -4795,40 +4793,11 @@ EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id) ERR_R_EVP_LIB); goto err; } -# ifndef OPENSSL_NO_DH - if (gtype == TLS_GROUP_FFDHE) { - if ((pkey = EVP_PKEY_new()) == NULL - || (dh = DH_new_by_nid(ginf->nid)) == NULL - || !EVP_PKEY_assign(pkey, EVP_PKEY_DH, dh)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP, - ERR_R_EVP_LIB); - DH_free(dh); - EVP_PKEY_free(pkey); - pkey = NULL; - goto err; - } - if (EVP_PKEY_CTX_set_dh_nid(pctx, ginf->nid) <= 0) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP, - ERR_R_EVP_LIB); - EVP_PKEY_free(pkey); - pkey = NULL; - goto err; - } - } -# ifndef OPENSSL_NO_EC - else -# endif -# endif -# ifndef OPENSSL_NO_EC - { - if (gtype != TLS_GROUP_CURVE_CUSTOM - && EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, ginf->nid) <= 0) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP, - ERR_R_EVP_LIB); - goto err; - } + if (!EVP_PKEY_CTX_set_group_name(pctx, ginf->realname)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP, + ERR_R_EVP_LIB); + goto err; } -# endif if (EVP_PKEY_keygen(pctx, &pkey) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP, ERR_R_EVP_LIB); @@ -4840,7 +4809,6 @@ EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id) EVP_PKEY_CTX_free(pctx); return pkey; } -#endif /* * Generate parameters from a group ID @@ -4849,43 +4817,23 @@ EVP_PKEY *ssl_generate_param_group(SSL *s, uint16_t id) { EVP_PKEY_CTX *pctx = NULL; EVP_PKEY *pkey = NULL; - const TLS_GROUP_INFO *ginf = tls1_group_id_lookup(id); - const char *pkey_ctx_name; + const TLS_GROUP_INFO *ginf = tls1_group_id_lookup(s->ctx, id); if (ginf == NULL) goto err; - if ((ginf->flags & TLS_GROUP_TYPE) == TLS_GROUP_CURVE_CUSTOM) { - pkey = EVP_PKEY_new(); - if (pkey != NULL && EVP_PKEY_set_type(pkey, ginf->nid)) - return pkey; - EVP_PKEY_free(pkey); - return NULL; - } - - pkey_ctx_name = (ginf->flags & TLS_GROUP_FFDHE) != 0 ? "DH" : "EC"; - pctx = EVP_PKEY_CTX_new_from_name(s->ctx->libctx, pkey_ctx_name, + pctx = EVP_PKEY_CTX_new_from_name(s->ctx->libctx, ginf->algorithm, s->ctx->propq); if (pctx == NULL) goto err; if (EVP_PKEY_paramgen_init(pctx) <= 0) goto err; -# ifndef OPENSSL_NO_DH - if (ginf->flags & TLS_GROUP_FFDHE) { - if (EVP_PKEY_CTX_set_dh_nid(pctx, ginf->nid) <= 0) - goto err; - } -# ifndef OPENSSL_NO_EC - else -# endif -# endif -# ifndef OPENSSL_NO_EC - { - if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, ginf->nid) <= 0) - goto err; + if (!EVP_PKEY_CTX_set_group_name(pctx, ginf->realname)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP, + ERR_R_EVP_LIB); + goto err; } -# endif if (EVP_PKEY_paramgen(pctx, &pkey) <= 0) { EVP_PKEY_free(pkey); pkey = NULL; diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 9fb65b6825..0473433c46 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -3171,6 +3171,9 @@ SSL_CTX *SSL_CTX_new_with_libctx(OPENSSL_CTX *libctx, const char *propq, goto err2; + if (!ssl_load_groups(ret)) + goto err2; + if (!SSL_CTX_set_ciphersuites(ret, OSSL_default_ciphersuites())) goto err; @@ -3326,6 +3329,7 @@ int SSL_CTX_up_ref(SSL_CTX *ctx) void SSL_CTX_free(SSL_CTX *a) { int i; + size_t j; if (a == NULL) return; @@ -3385,10 +3389,16 @@ void SSL_CTX_free(SSL_CTX *a) ssl_evp_md_free(a->md5); ssl_evp_md_free(a->sha1); - for (i = 0; i < SSL_ENC_NUM_IDX; i++) - ssl_evp_cipher_free(a->ssl_cipher_methods[i]); - for (i = 0; i < SSL_MD_NUM_IDX; i++) - ssl_evp_md_free(a->ssl_digest_methods[i]); + for (j = 0; j < SSL_ENC_NUM_IDX; j++) + ssl_evp_cipher_free(a->ssl_cipher_methods[j]); + for (j = 0; j < SSL_MD_NUM_IDX; j++) + ssl_evp_md_free(a->ssl_digest_methods[j]); + for (j = 0; j < a->group_list_len; j++) { + OPENSSL_free(a->group_list[j].tlsname); + OPENSSL_free(a->group_list[j].realname); + OPENSSL_free(a->group_list[j].algorithm); + } + OPENSSL_free(a->group_list); OPENSSL_free(a->sigalg_lookup_cache); diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index d2e8e23e23..017e8f95c9 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -807,6 +807,28 @@ int ssl_hmac_final(SSL_HMAC *ctx, unsigned char *md, size_t *len, size_t max_size); size_t ssl_hmac_size(const SSL_HMAC *ctx); +typedef struct tls_group_info_st { + char *tlsname; /* Curve Name as in TLS specs */ + char *realname; /* Curve Name according to provider */ + char *algorithm; /* Algorithm name to fetch */ + unsigned int secbits; /* Bits of security (from SP800-57) */ + uint16_t group_id; /* Group ID */ + int mintls; /* Minimum TLS version, -1 unsupported */ + int maxtls; /* Maximum TLS version (or 0 for undefined) */ + int mindtls; /* Minimum DTLS version, -1 unsupported */ + int maxdtls; /* Maximum DTLS version (or 0 for undefined) */ +} TLS_GROUP_INFO; + +/* flags values */ +# define TLS_GROUP_TYPE 0x0000000FU /* Mask for group type */ +# define TLS_GROUP_CURVE_PRIME 0x00000001U +# define TLS_GROUP_CURVE_CHAR2 0x00000002U +# define TLS_GROUP_CURVE_CUSTOM 0x00000004U +# define TLS_GROUP_FFDHE 0x00000008U +# define TLS_GROUP_ONLY_FOR_TLS1_3 0x00000010U + +# define TLS_GROUP_FFDHE_FOR_TLS1_3 (TLS_GROUP_FFDHE|TLS_GROUP_ONLY_FOR_TLS1_3) + struct ssl_ctx_st { OPENSSL_CTX *libctx; @@ -1160,6 +1182,10 @@ struct ssl_ctx_st { /* Cache of all sigalgs we know and whether they are available or not */ struct sigalg_lookup_st *sigalg_lookup_cache; + + TLS_GROUP_INFO *group_list; + size_t group_list_len; + size_t group_list_max_len; }; typedef struct cert_pkey_st CERT_PKEY; @@ -1783,24 +1809,6 @@ typedef struct sigalg_lookup_st { int enabled; } SIGALG_LOOKUP; -typedef struct tls_group_info_st { - int nid; /* Curve NID */ - const char *keytype; - int secbits; /* Bits of security (from SP800-57) */ - uint32_t flags; /* For group type and applicable TLS versions */ - uint16_t group_id; /* Group ID */ -} TLS_GROUP_INFO; - -/* flags values */ -# define TLS_GROUP_TYPE 0x0000000FU /* Mask for group type */ -# define TLS_GROUP_CURVE_PRIME 0x00000001U -# define TLS_GROUP_CURVE_CHAR2 0x00000002U -# define TLS_GROUP_CURVE_CUSTOM 0x00000004U -# define TLS_GROUP_FFDHE 0x00000008U -# define TLS_GROUP_ONLY_FOR_TLS1_3 0x00000010U - -# define TLS_GROUP_FFDHE_FOR_TLS1_3 (TLS_GROUP_FFDHE|TLS_GROUP_ONLY_FOR_TLS1_3) - /* * Structure containing table entry of certificate info corresponding to * CERT_PKEY entries @@ -2438,6 +2446,7 @@ __owur int ssl_x509err2alert(int type); void ssl_sort_cipher_list(void); int ssl_load_ciphers(SSL_CTX *ctx); __owur int ssl_setup_sig_algs(SSL_CTX *ctx); +int ssl_load_groups(SSL_CTX *ctx); __owur int ssl_fill_hello_random(SSL *s, int server, unsigned char *field, size_t len, DOWNGRADE dgrd); __owur int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen, @@ -2626,7 +2635,7 @@ __owur int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s); SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n); -__owur const TLS_GROUP_INFO *tls1_group_id_lookup(uint16_t curve_id); +__owur const TLS_GROUP_INFO *tls1_group_id_lookup(SSL_CTX *ctx, uint16_t curve_id); __owur int tls1_group_id2nid(uint16_t group_id); __owur int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_curves); __owur uint16_t tls1_shared_group(SSL *s, int nmatch); @@ -2635,7 +2644,8 @@ __owur int tls1_set_groups(uint16_t **pext, size_t *pextlen, __owur int tls1_set_groups_list(uint16_t **pext, size_t *pextlen, const char *str); __owur EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id); -__owur int tls_valid_group(SSL *s, uint16_t group_id, int version); +__owur int tls_valid_group(SSL *s, uint16_t group_id, int minversion, + int maxversion); __owur EVP_PKEY *ssl_generate_param_group(SSL *s, uint16_t id); # ifndef OPENSSL_NO_EC void tls1_get_formatlist(SSL *s, const unsigned char **pformats, diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index ab2d98de60..c83e18e84d 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -117,7 +117,7 @@ EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context, #endif #ifndef OPENSSL_NO_EC -static int use_ecc(SSL *s, int max_version) +static int use_ecc(SSL *s, int min_version, int max_version) { int i, end, ret = 0; unsigned long alg_k, alg_a; @@ -152,7 +152,7 @@ static int use_ecc(SSL *s, int max_version) for (j = 0; j < num_groups; j++) { uint16_t ctmp = pgroups[j]; - if (tls_valid_group(s, ctmp, max_version) + if (tls_valid_group(s, ctmp, min_version, max_version) && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) return 1; } @@ -174,7 +174,7 @@ EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt, SSL_F_TLS_CONSTRUCT_CTOS_EC_PT_FORMATS, reason); return EXT_RETURN_FAIL; } - if (!use_ecc(s, max_version)) + if (!use_ecc(s, min_version, max_version)) return EXT_RETURN_NOT_SENT; /* Add TLS extension ECPointFormats to the ClientHello message */ @@ -214,7 +214,7 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt, if (max_version < TLS1_3_VERSION) return EXT_RETURN_NOT_SENT; #else - if (!use_ecc(s, max_version) && max_version < TLS1_3_VERSION) + if (!use_ecc(s, min_version, max_version) && max_version < TLS1_3_VERSION) return EXT_RETURN_NOT_SENT; #endif @@ -237,7 +237,7 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt, for (i = 0; i < num_groups; i++) { uint16_t ctmp = pgroups[i]; - if (tls_valid_group(s, ctmp, max_version) + if (tls_valid_group(s, ctmp, min_version, max_version) && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) { if (!WPACKET_put_bytes_u16(pkt, ctmp)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index 3a0fee6ebc..27ddef9aaf 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -1424,6 +1424,7 @@ EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt, { const uint16_t *groups; size_t numgroups, i, first = 1; + int version; /* s->s3.group_id is non zero if we accepted a key_share */ if (s->s3.group_id == 0) @@ -1438,10 +1439,11 @@ EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt, } /* Copy group ID if supported */ + version = SSL_version(s); for (i = 0; i < numgroups; i++) { uint16_t group = groups[i]; - if (tls_valid_group(s, group, SSL_version(s)) + if (tls_valid_group(s, group, version, version) && tls_group_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) { if (first) { /* diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index b80ac35d3a..7f8fc5e615 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -21,6 +21,7 @@ #include #include #include +#include #include "internal/nelem.h" #include "internal/evp.h" #include "ssl_local.h" @@ -140,60 +141,54 @@ int tls1_clear(SSL *s) return 1; } -/* - * Table of group information. - */ #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) -static const TLS_GROUP_INFO nid_list[] = { -# ifndef OPENSSL_NO_EC - {NID_sect163k1, "EC", 80, TLS_GROUP_CURVE_CHAR2, 0x0001}, /* sect163k1 (1) */ - {NID_sect163r1, "EC", 80, TLS_GROUP_CURVE_CHAR2, 0x0002}, /* sect163r1 (2) */ - {NID_sect163r2, "EC", 80, TLS_GROUP_CURVE_CHAR2, 0x0003}, /* sect163r2 (3) */ - {NID_sect193r1, "EC", 80, TLS_GROUP_CURVE_CHAR2, 0x0004}, /* sect193r1 (4) */ - {NID_sect193r2, "EC", 80, TLS_GROUP_CURVE_CHAR2, 0x0005}, /* sect193r2 (5) */ - {NID_sect233k1, "EC", 112, TLS_GROUP_CURVE_CHAR2, 0x0006}, /* sect233k1 (6) */ - {NID_sect233r1, "EC", 112, TLS_GROUP_CURVE_CHAR2, 0x0007}, /* sect233r1 (7) */ - {NID_sect239k1, "EC", 112, TLS_GROUP_CURVE_CHAR2, 0x0008}, /* sect239k1 (8) */ - {NID_sect283k1, "EC", 128, TLS_GROUP_CURVE_CHAR2, 0x0009}, /* sect283k1 (9) */ - {NID_sect283r1, "EC", 128, TLS_GROUP_CURVE_CHAR2, 0x000A}, /* sect283r1 (10) */ - {NID_sect409k1, "EC", 192, TLS_GROUP_CURVE_CHAR2, 0x000B}, /* sect409k1 (11) */ - {NID_sect409r1, "EC", 192, TLS_GROUP_CURVE_CHAR2, 0x000C}, /* sect409r1 (12) */ - {NID_sect571k1, "EC", 256, TLS_GROUP_CURVE_CHAR2, 0x000D}, /* sect571k1 (13) */ - {NID_sect571r1, "EC", 256, TLS_GROUP_CURVE_CHAR2, 0x000E}, /* sect571r1 (14) */ - {NID_secp160k1, "EC", 80, TLS_GROUP_CURVE_PRIME, 0x000F}, /* secp160k1 (15) */ - {NID_secp160r1, "EC", 80, TLS_GROUP_CURVE_PRIME, 0x0010}, /* secp160r1 (16) */ - {NID_secp160r2, "EC", 80, TLS_GROUP_CURVE_PRIME, 0x0011}, /* secp160r2 (17) */ - {NID_secp192k1, "EC", 80, TLS_GROUP_CURVE_PRIME, 0x0012}, /* secp192k1 (18) */ - {NID_X9_62_prime192v1, "EC", 80, TLS_GROUP_CURVE_PRIME, 0x0013}, /* secp192r1 (19) */ - {NID_secp224k1, "EC", 112, TLS_GROUP_CURVE_PRIME, 0x0014}, /* secp224k1 (20) */ - {NID_secp224r1, "EC", 112, TLS_GROUP_CURVE_PRIME, 0x0015}, /* secp224r1 (21) */ - {NID_secp256k1, "EC", 128, TLS_GROUP_CURVE_PRIME, 0x0016}, /* secp256k1 (22) */ - {NID_X9_62_prime256v1, "EC", 128, TLS_GROUP_CURVE_PRIME, 0x0017}, /* secp256r1 (23) */ - {NID_secp384r1, "EC", 192, TLS_GROUP_CURVE_PRIME, 0x0018}, /* secp384r1 (24) */ - {NID_secp521r1, "EC", 256, TLS_GROUP_CURVE_PRIME, 0x0019}, /* secp521r1 (25) */ - {NID_brainpoolP256r1, "EC", 128, TLS_GROUP_CURVE_PRIME, 0x001A}, /* brainpoolP256r1 (26) */ - {NID_brainpoolP384r1, "EC", 192, TLS_GROUP_CURVE_PRIME, 0x001B}, /* brainpoolP384r1 (27) */ - {NID_brainpoolP512r1, "EC", 256, TLS_GROUP_CURVE_PRIME, 0x001C}, /* brainpool512r1 (28) */ - {EVP_PKEY_X25519, "X25519", 128, TLS_GROUP_CURVE_CUSTOM, 0x001D}, /* X25519 (29) */ - {EVP_PKEY_X448, "X448", 224, TLS_GROUP_CURVE_CUSTOM, 0x001E}, /* X448 (30) */ -# endif /* OPENSSL_NO_EC */ -# ifndef OPENSSL_NO_GOST - {NID_id_tc26_gost_3410_2012_256_paramSetA, "GOST_2012_256", 128, TLS_GROUP_CURVE_PRIME, 0x0022}, /* GC256A (34) */ - {NID_id_tc26_gost_3410_2012_256_paramSetB, "GOST_2012_256", 128, TLS_GROUP_CURVE_PRIME, 0x0023}, /* GC256B (35) */ - {NID_id_tc26_gost_3410_2012_256_paramSetC, "GOST_2012_256", 128, TLS_GROUP_CURVE_PRIME, 0x0024}, /* GC256C (36) */ - {NID_id_tc26_gost_3410_2012_256_paramSetD, "GOST_2012_256", 128, TLS_GROUP_CURVE_PRIME, 0x0025}, /* GC256D (37) */ - {NID_id_tc26_gost_3410_2012_512_paramSetA, "GOST_2012_512", 256, TLS_GROUP_CURVE_PRIME, 0x0026}, /* GC512A (38) */ - {NID_id_tc26_gost_3410_2012_512_paramSetB, "GOST_2012_512", 256, TLS_GROUP_CURVE_PRIME, 0x0027}, /* GC512B (39) */ - {NID_id_tc26_gost_3410_2012_512_paramSetC, "GOST_2012_512", 256, TLS_GROUP_CURVE_PRIME, 0x0028}, /* GC512C (40) */ -# endif /* OPENSSL_NO_GOST */ -# ifndef OPENSSL_NO_DH - /* Security bit values for FFDHE groups are updated as per RFC 7919 */ - {NID_ffdhe2048, "DH", 103, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0100}, /* ffdhe2048 (0x0100) */ - {NID_ffdhe3072, "DH", 125, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0101}, /* ffdhe3072 (0x0101) */ - {NID_ffdhe4096, "DH", 150, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0102}, /* ffdhe4096 (0x0102) */ - {NID_ffdhe6144, "DH", 175, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0103}, /* ffdhe6144 (0x0103) */ - {NID_ffdhe8192, "DH", 192, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0104}, /* ffdhe8192 (0x0104) */ -# endif /* OPENSSL_NO_DH */ +/* Legacy NID to group_id mapping. Only works for groups we know about */ +static struct { + int nid; + uint16_t group_id; +} nid_to_group[] = { + {NID_sect163k1, 0x0001}, + {NID_sect163r1, 0x0002}, + {NID_sect163r2, 0x0003}, + {NID_sect193r1, 0x0004}, + {NID_sect193r2, 0x0005}, + {NID_sect233k1, 0x0006}, + {NID_sect233r1, 0x0007}, + {NID_sect239k1, 0x0008}, + {NID_sect283k1, 0x0009}, + {NID_sect283r1, 0x000A}, + {NID_sect409k1, 0x000B}, + {NID_sect409r1, 0x000C}, + {NID_sect571k1, 0x000D}, + {NID_sect571r1, 0x000E}, + {NID_secp160k1, 0x000F}, + {NID_secp160r1, 0x0010}, + {NID_secp160r2, 0x0011}, + {NID_secp192k1, 0x0012}, + {NID_X9_62_prime192v1, 0x0013}, + {NID_secp224k1, 0x0014}, + {NID_secp224r1, 0x0015}, + {NID_secp256k1, 0x0016}, + {NID_X9_62_prime256v1, 0x0017}, + {NID_secp384r1, 0x0018}, + {NID_secp521r1, 0x0019}, + {NID_brainpoolP256r1, 0x001A}, + {NID_brainpoolP384r1, 0x001B}, + {NID_brainpoolP512r1, 0x001C}, + {EVP_PKEY_X25519, 0x001D}, + {EVP_PKEY_X448, 0x001E}, + {NID_id_tc26_gost_3410_2012_256_paramSetA, 0x0022}, + {NID_id_tc26_gost_3410_2012_256_paramSetB, 0x0023}, + {NID_id_tc26_gost_3410_2012_256_paramSetC, 0x0024}, + {NID_id_tc26_gost_3410_2012_256_paramSetD, 0x0025}, + {NID_id_tc26_gost_3410_2012_512_paramSetA, 0x0026}, + {NID_id_tc26_gost_3410_2012_512_paramSetB, 0x0027}, + {NID_id_tc26_gost_3410_2012_512_paramSetC, 0x0028}, + {NID_ffdhe2048, 0x0100}, + {NID_ffdhe3072, 0x0101}, + {NID_ffdhe4096, 0x0102}, + {NID_ffdhe6144, 0x0103}, + {NID_ffdhe8192, 0x0104} }; #endif @@ -241,36 +236,213 @@ static const uint16_t suiteb_curves[] = { }; #endif -const TLS_GROUP_INFO *tls1_group_id_lookup(uint16_t group_id) +struct provider_group_data_st { + SSL_CTX *ctx; + OSSL_PROVIDER *provider; +}; + +#define TLS_GROUP_LIST_MALLOC_BLOCK_SIZE 10 +static OSSL_CALLBACK add_provider_groups; +static int add_provider_groups(const OSSL_PARAM params[], void *data) +{ + struct provider_group_data_st *pgd = data; + SSL_CTX *ctx = pgd->ctx; + OSSL_PROVIDER *provider = pgd->provider; + const OSSL_PARAM *p; + TLS_GROUP_INFO *ginf = NULL; + EVP_KEYMGMT *keymgmt; + unsigned int gid; + int ret = 0; + + if (ctx->group_list_max_len == ctx->group_list_len) { + TLS_GROUP_INFO *tmp = NULL; + + if (ctx->group_list_max_len == 0) + tmp = OPENSSL_malloc(sizeof(TLS_GROUP_INFO) + * TLS_GROUP_LIST_MALLOC_BLOCK_SIZE); + else + tmp = OPENSSL_realloc(ctx->group_list, + (ctx->group_list_max_len + + TLS_GROUP_LIST_MALLOC_BLOCK_SIZE) + * sizeof(TLS_GROUP_INFO)); + if (tmp == NULL) { + SSLerr(0, ERR_R_MALLOC_FAILURE); + return 0; + } + ctx->group_list = tmp; + memset(tmp + ctx->group_list_max_len, + 0, + sizeof(TLS_GROUP_INFO) * TLS_GROUP_LIST_MALLOC_BLOCK_SIZE); + ctx->group_list_max_len += TLS_GROUP_LIST_MALLOC_BLOCK_SIZE; + } + + ginf = &ctx->group_list[ctx->group_list_len]; + + p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_NAME); + if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) { + SSLerr(0, ERR_R_PASSED_INVALID_ARGUMENT); + goto err; + } + ginf->tlsname = OPENSSL_strdup(p->data); + if (ginf->tlsname == NULL) { + SSLerr(0, ERR_R_MALLOC_FAILURE); + goto err; + } + + p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_NAME_INTERNAL); + if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) { + SSLerr(0, ERR_R_PASSED_INVALID_ARGUMENT); + goto err; + } + ginf->realname = OPENSSL_strdup(p->data); + if (ginf->realname == NULL) { + SSLerr(0, ERR_R_MALLOC_FAILURE); + goto err; + } + + p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_ID); + if (p == NULL || !OSSL_PARAM_get_uint(p, &gid) || gid > UINT16_MAX) { + SSLerr(0, ERR_R_PASSED_INVALID_ARGUMENT); + goto err; + } + ginf->group_id = (uint16_t)gid; + + p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_ALG); + if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING) { + SSLerr(0, ERR_R_PASSED_INVALID_ARGUMENT); + goto err; + } + ginf->algorithm = OPENSSL_strdup(p->data); + if (ginf->algorithm == NULL) { + SSLerr(0, ERR_R_MALLOC_FAILURE); + goto err; + } + + p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_SECURITY_BITS); + if (p == NULL || !OSSL_PARAM_get_uint(p, &ginf->secbits)) { + SSLerr(0, ERR_R_PASSED_INVALID_ARGUMENT); + goto err; + } + + p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MIN_TLS); + if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->mintls)) { + SSLerr(0, ERR_R_PASSED_INVALID_ARGUMENT); + goto err; + } + + p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MAX_TLS); + if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->maxtls)) { + SSLerr(0, ERR_R_PASSED_INVALID_ARGUMENT); + return 0; + } + + p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MIN_DTLS); + if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->mindtls)) { + SSLerr(0, ERR_R_PASSED_INVALID_ARGUMENT); + goto err; + } + + p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MAX_DTLS); + if (p == NULL || !OSSL_PARAM_get_int(p, &ginf->maxdtls)) { + SSLerr(0, ERR_R_PASSED_INVALID_ARGUMENT); + goto err; + } + /* + * Now check that the algorithm is actually usable for our property query + * string. Regardless of the result we still return success because we have + * successfully processed this group, even though we may decide not to use + * it. + */ + ret = 1; + keymgmt = EVP_KEYMGMT_fetch(ctx->libctx, ginf->algorithm, ctx->propq); + if (keymgmt != NULL) { + /* + * We have successfully fetched the algorithm - however if the provider + * doesn't match this one then we ignore it. + * + * Note: We're cheating a little here. Technically if the same algorithm + * is available from more than one provider then it is undefined which + * implementation you will get back. Theoretically this could be + * different every time...we assume here that you'll always get the + * same one back if you repeat the exact same fetch. Is this a reasonable + * assumption to make (in which case perhaps we should document this + * behaviour)? + */ + if (EVP_KEYMGMT_provider(keymgmt) == provider) { + /* We have a match - so we will use this group */ + ctx->group_list_len++; + ginf = NULL; + } + EVP_KEYMGMT_free(keymgmt); + } + err: + if (ginf != NULL) { + OPENSSL_free(ginf->tlsname); + OPENSSL_free(ginf->realname); + OPENSSL_free(ginf->algorithm); + ginf->tlsname = ginf->realname = NULL; + } + return ret; +} + +static int discover_provider_groups(OSSL_PROVIDER *provider, void *vctx) +{ + struct provider_group_data_st pgd; + + pgd.ctx = vctx; + pgd.provider = provider; + return OSSL_PROVIDER_get_capabilities(provider, "TLS-GROUP", + add_provider_groups, &pgd); +} + +int ssl_load_groups(SSL_CTX *ctx) +{ + return OSSL_PROVIDER_do_all(ctx->libctx, discover_provider_groups, ctx); +} + +const TLS_GROUP_INFO *tls1_group_id_lookup(SSL_CTX *ctx, uint16_t group_id) { -#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) size_t i; - /* ECC curves from RFC 4492 and RFC 7027 FFDHE group from RFC 8446 */ - for (i = 0; i < OSSL_NELEM(nid_list); i++) { - if (nid_list[i].group_id == group_id) - return &nid_list[i]; + for (i = 0; i < ctx->group_list_len; i++) { + if (ctx->group_list[i].group_id == group_id) + return &ctx->group_list[i]; } -#endif /* !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) */ + return NULL; } #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) int tls1_group_id2nid(uint16_t group_id) { - const TLS_GROUP_INFO *ginf = tls1_group_id_lookup(group_id); + size_t i; - return ginf == NULL ? NID_undef : ginf->nid; + /* + * Return well known Group NIDs - for backwards compatibility. This won't + * work for groups we don't know about. + */ + for (i = 0; i < OSSL_NELEM(nid_to_group); i++) + { + if (nid_to_group[i].group_id == group_id) + return nid_to_group[i].nid; + } + return NID_undef; } static uint16_t tls1_nid2group_id(int nid) { size_t i; - for (i = 0; i < OSSL_NELEM(nid_list); i++) { - if (nid_list[i].nid == nid) - return nid_list[i].group_id; + /* + * Return well known Group ids - for backwards compatibility. This won't + * work for groups we don't know about. + */ + for (i = 0; i < OSSL_NELEM(nid_to_group); i++) + { + if (nid_to_group[i].nid == nid) + return nid_to_group[i].group_id; } + return 0; } #endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */ @@ -318,36 +490,50 @@ void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups, #endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */ } -int tls_valid_group(SSL *s, uint16_t group_id, int version) +int tls_valid_group(SSL *s, uint16_t group_id, int minversion, int maxversion) { - const TLS_GROUP_INFO *ginfo = tls1_group_id_lookup(group_id); + const TLS_GROUP_INFO *ginfo = tls1_group_id_lookup(s->ctx, group_id); + int ret; + + if (ginfo == NULL) + return 0; - if (version < TLS1_3_VERSION) { - if ((ginfo->flags & TLS_GROUP_ONLY_FOR_TLS1_3) != 0) + if (SSL_IS_DTLS(s)) { + if (ginfo->mindtls < 0 || ginfo->maxdtls < 0) return 0; + if (ginfo->maxdtls == 0) + ret = 1; + else + ret = DTLS_VERSION_LE(minversion, ginfo->maxdtls); + if (ginfo->mindtls > 0) + ret &= DTLS_VERSION_GE(maxversion, ginfo->mindtls); + } else { + if (ginfo->mintls < 0 || ginfo->maxtls < 0) + return 0; + if (ginfo->maxtls == 0) + ret = 1; + else + ret = (minversion <= ginfo->maxtls); + if (ginfo->mintls > 0) + ret &= (maxversion >= ginfo->mintls); } - return 1; + + return ret; } /* See if group is allowed by security callback */ int tls_group_allowed(SSL *s, uint16_t group, int op) { - const TLS_GROUP_INFO *ginfo = tls1_group_id_lookup(group); + const TLS_GROUP_INFO *ginfo = tls1_group_id_lookup(s->ctx, group); unsigned char gtmp[2]; if (ginfo == NULL) return 0; -#ifdef OPENSSL_NO_EC2M - if (ginfo->flags & TLS_GROUP_CURVE_CHAR2) - return 0; -#endif -#ifdef OPENSSL_NO_DH - if (ginfo->flags & TLS_GROUP_FFDHE) - return 0; -#endif + gtmp[0] = group >> 8; gtmp[1] = group & 0xff; - return ssl_security(s, op, ginfo->secbits, ginfo->nid, (void *)gtmp); + return ssl_security(s, op, ginfo->secbits, + tls1_group_id2nid(ginfo->group_id), (void *)gtmp); } /* Return 1 if "id" is in "list" */ @@ -470,7 +656,8 @@ err: } #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) -# define MAX_GROUPLIST OSSL_NELEM(nid_list) +/* TODO(3.0): An arbitrary amount for now. Take another look at this */ +# define MAX_GROUPLIST 40 typedef struct { size_t nidcnt; diff --git a/test/filterprov.c b/test/filterprov.c index 9fe6690e50..c2189e25a8 100644 --- a/test/filterprov.c +++ b/test/filterprov.c @@ -66,6 +66,14 @@ static int filter_get_params(void *provctx, OSSL_PARAM params[]) return OSSL_PROVIDER_get_params(globs->deflt, params); } +static int filter_get_capabilities(void *provctx, const char *capability, + OSSL_CALLBACK *cb, void *arg) +{ + struct filter_prov_globals_st *globs = get_globals(); + + return OSSL_PROVIDER_get_capabilities(globs->deflt, capability, cb, arg); +} + static const OSSL_ALGORITHM *filter_query(void *provctx, int operation_id, int *no_cache) @@ -97,6 +105,7 @@ static const OSSL_DISPATCH filter_dispatch_table[] = { { OSSL_FUNC_PROVIDER_GETTABLE_PARAMS, (void (*)(void))filter_gettable_params }, { OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))filter_get_params }, { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))filter_query }, + { OSSL_FUNC_PROVIDER_GET_CAPABILITIES, (void (*)(void))filter_get_capabilities }, { OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))filter_teardown }, { 0, NULL } }; diff --git a/test/ssl-tests/20-cert-select.cnf b/test/ssl-tests/20-cert-select.cnf index f788069f56..d1cfcb6f46 100644 --- a/test/ssl-tests/20-cert-select.cnf +++ b/test/ssl-tests/20-cert-select.cnf @@ -1715,12 +1715,10 @@ client = 52-TLS 1.3 ECDSA with brainpool-client [52-TLS 1.3 ECDSA with brainpool-server] Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem CipherString = DEFAULT -Groups = brainpoolP256r1 PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem [52-TLS 1.3 ECDSA with brainpool-client] CipherString = DEFAULT -Groups = brainpoolP256r1 MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem diff --git a/test/ssl-tests/20-cert-select.cnf.in b/test/ssl-tests/20-cert-select.cnf.in index 79325e71c1..38cac87cea 100644 --- a/test/ssl-tests/20-cert-select.cnf.in +++ b/test/ssl-tests/20-cert-select.cnf.in @@ -890,11 +890,9 @@ my @tests_tls_1_3_non_fips = ( server => { "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), - "Groups" => "brainpoolP256r1", }, client => { "RequestCAFile" => test_pem("root-cert.pem"), - "Groups" => "brainpoolP256r1", "MinProtocol" => "TLSv1.3", "MaxProtocol" => "TLSv1.3" }, diff --git a/test/sslapitest.c b/test/sslapitest.c index 4665569054..e8ecf1ce56 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -8039,6 +8039,8 @@ static int test_sigalgs_available(int idx) cctx = SSL_CTX_new_with_libctx(clientctx, NULL, TLS_client_method()); sctx = SSL_CTX_new_with_libctx(serverctx, NULL, TLS_server_method()); + if (!TEST_ptr(cctx) || !TEST_ptr(sctx)) + goto end; if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), -- 2.25.1