mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-01-18 13:44:20 +08:00
Code Issues Packages Projects Releases Wiki Activity

Enable brainpool curves for TLS1.3

Browse Source 
See the recently assigned brainpool code points at:
https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7485)
This commit is contained in:
Bernd Edlinger 2018-10-24 23:10:38 +02:00
parent 8e22f9d6d9
commit 0a10825a00
11 changed files with 153 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
include/internal/tlsgroups.h
View File

@ -41,6 +41,16 @@
# define OSSL_TLS_GROUP_ID_brainpoolP512r1 0x001C
# define OSSL_TLS_GROUP_ID_x25519 0x001D
# define OSSL_TLS_GROUP_ID_x448 0x001E
# define OSSL_TLS_GROUP_ID_brainpoolP256r1_tls13 0x001F
# define OSSL_TLS_GROUP_ID_brainpoolP384r1_tls13 0x0020
# define OSSL_TLS_GROUP_ID_brainpoolP512r1_tls13 0x0021
# define OSSL_TLS_GROUP_ID_gc256A 0x0022
# define OSSL_TLS_GROUP_ID_gc256B 0x0023
# define OSSL_TLS_GROUP_ID_gc256C 0x0024
# define OSSL_TLS_GROUP_ID_gc256D 0x0025
# define OSSL_TLS_GROUP_ID_gc512A 0x0026
# define OSSL_TLS_GROUP_ID_gc512B 0x0027
# define OSSL_TLS_GROUP_ID_gc512C 0x0028
# define OSSL_TLS_GROUP_ID_ffdhe2048 0x0100
# define OSSL_TLS_GROUP_ID_ffdhe3072 0x0101
# define OSSL_TLS_GROUP_ID_ffdhe4096 0x0102

5
ssl/s3_lib.c
View File

@ -3607,8 +3607,11 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
int *cptr = parg;
for (i = 0; i < clistlen; i++) {
uint16_t cid = SSL_IS_TLS13(s)
? ssl_group_id_tls13_to_internal(clist[i])
: clist[i];
const TLS_GROUP_INFO *cinf
= tls1_group_id_lookup(s->ctx, clist[i]);
= tls1_group_id_lookup(s->ctx, cid);
if (cinf != NULL)
cptr[i] = tls1_group_id2nid(cinf->group_id, 1);

5
ssl/ssl_local.h
View File

@ -2169,6 +2169,9 @@ typedef enum downgrade_en {
#define TLSEXT_SIGALG_ed25519 0x0807
#define TLSEXT_SIGALG_ed448 0x0808
#define TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256 0x081a
#define TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384 0x081b
#define TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512 0x081c
/* Known PSK key exchange modes */
#define TLSEXT_KEX_MODE_KE 0x00
@ -2642,6 +2645,8 @@ __owur int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s);
SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n);
__owur uint16_t ssl_group_id_internal_to_tls13(uint16_t curve_id);
__owur uint16_t ssl_group_id_tls13_to_internal(uint16_t curve_id);
__owur const TLS_GROUP_INFO *tls1_group_id_lookup(SSL_CTX *ctx, uint16_t curve_id);
__owur int tls1_group_id2nid(uint16_t group_id, int include_unknown);
__owur uint16_t tls1_nid2group_id(int nid);

2
ssl/statem/extensions.c
View File

@ -1369,7 +1369,7 @@ static int final_key_share(SSL *s, unsigned int context, int sent)
group_id = pgroups[i];
if (check_in_list(s, group_id, clntgroups, clnt_num_groups,
1))
2))
break;
}

20
ssl/statem/extensions_clnt.c
View File

@ -224,6 +224,21 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
if (tls_valid_group(s, ctmp, min_version, max_version, 0, &okfortls13)
&& tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) {
#ifndef OPENSSL_NO_TLS1_3
int ctmp13 = ssl_group_id_internal_to_tls13(ctmp);
if (ctmp13 != 0 && ctmp13 != ctmp
&& max_version == TLS1_3_VERSION) {
if (!WPACKET_put_bytes_u16(pkt, ctmp13)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL;
}
tls13added++;
added++;
if (min_version == TLS1_3_VERSION)
continue;
}
#endif
if (!WPACKET_put_bytes_u16(pkt, ctmp)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL;
@ -622,7 +637,7 @@ static int add_key_share(SSL *s, WPACKET *pkt, unsigned int curve_id)
}
/* Create KeyShareEntry */
if (!WPACKET_put_bytes_u16(pkt, curve_id)
if (!WPACKET_put_bytes_u16(pkt, ssl_group_id_internal_to_tls13(curve_id))
|| !WPACKET_sub_memcpy_u16(pkt, encoded_point, encodedlen)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
goto err;
@ -675,6 +690,8 @@ EXT_RETURN tls_construct_ctos_key_share(SSL *s, WPACKET *pkt,
curve_id = s->s3.group_id;
} else {
for (i = 0; i < num_groups; i++) {
if (ssl_group_id_internal_to_tls13(pgroups[i]) == 0)
continue;
if (!tls_group_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED))
continue;
@ -1747,6 +1764,7 @@ int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
return 0;
}
group_id = ssl_group_id_tls13_to_internal(group_id);
if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) {
const uint16_t *pgroups = NULL;
size_t i, num_groups;

15
ssl/statem/extensions_srvr.c
View File

@ -635,7 +635,7 @@ int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
* we requested, and must be the only key_share sent.
*/
if (s->s3.group_id != 0
&& (group_id != s->s3.group_id
&& (ssl_group_id_tls13_to_internal(group_id) != s->s3.group_id
|| PACKET_remaining(&key_share_list) != 0)) {
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
return 0;
@ -653,16 +653,18 @@ int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
continue;
}
s->s3.group_id = group_id;
/* Cache the selected group ID in the SSL_SESSION */
s->session->kex_group = group_id;
group_id = ssl_group_id_tls13_to_internal(group_id);
if ((s->s3.peer_tmp = ssl_generate_param_group(s, group_id)) == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
return 0;
}
s->s3.group_id = group_id;
/* Cache the selected group ID in the SSL_SESSION */
s->session->kex_group = group_id;
if (EVP_PKEY_set1_encoded_public_key(s->s3.peer_tmp,
PACKET_data(&encoded_pt),
PACKET_remaining(&encoded_pt)) <= 0) {
@ -1591,7 +1593,8 @@ EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
}
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
|| !WPACKET_start_sub_packet_u16(pkt)
|| !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
|| !WPACKET_put_bytes_u16(pkt, ssl_group_id_internal_to_tls13(
s->s3.group_id))
|| !WPACKET_close(pkt)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL;

6
ssl/statem/statem_lib.c
View File

@ -2165,9 +2165,15 @@ int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups,
if (groups == NULL || num_groups == 0)
return 0;
if (checkallow == 1)
group_id = ssl_group_id_tls13_to_internal(group_id);
for (i = 0; i < num_groups; i++) {
uint16_t group = groups[i];
if (checkallow == 2)
group = ssl_group_id_tls13_to_internal(group);
if (group_id == group
&& (!checkallow
|| tls_group_allowed(s, group, SSL_SECOP_CURVE_CHECK))) {

129
ssl/t1_lib.c
View File

@ -171,13 +171,13 @@ static struct {
{NID_brainpoolP512r1, OSSL_TLS_GROUP_ID_brainpoolP512r1},
{EVP_PKEY_X25519, OSSL_TLS_GROUP_ID_x25519},
{EVP_PKEY_X448, OSSL_TLS_GROUP_ID_x448},
{NID_id_tc26_gost_3410_2012_256_paramSetA, 0x0022},
{NID_id_tc26_gost_3410_2012_256_paramSetB, 0x0023},
{NID_id_tc26_gost_3410_2012_256_paramSetC, 0x0024},
{NID_id_tc26_gost_3410_2012_256_paramSetD, 0x0025},
{NID_id_tc26_gost_3410_2012_512_paramSetA, 0x0026},
{NID_id_tc26_gost_3410_2012_512_paramSetB, 0x0027},
{NID_id_tc26_gost_3410_2012_512_paramSetC, 0x0028},
{NID_id_tc26_gost_3410_2012_256_paramSetA, OSSL_TLS_GROUP_ID_gc256A},
{NID_id_tc26_gost_3410_2012_256_paramSetB, OSSL_TLS_GROUP_ID_gc256B},
{NID_id_tc26_gost_3410_2012_256_paramSetC, OSSL_TLS_GROUP_ID_gc256C},
{NID_id_tc26_gost_3410_2012_256_paramSetD, OSSL_TLS_GROUP_ID_gc256D},
{NID_id_tc26_gost_3410_2012_512_paramSetA, OSSL_TLS_GROUP_ID_gc512A},
{NID_id_tc26_gost_3410_2012_512_paramSetB, OSSL_TLS_GROUP_ID_gc512B},
{NID_id_tc26_gost_3410_2012_512_paramSetC, OSSL_TLS_GROUP_ID_gc512C},
{NID_ffdhe2048, OSSL_TLS_GROUP_ID_ffdhe2048},
{NID_ffdhe3072, OSSL_TLS_GROUP_ID_ffdhe3072},
{NID_ffdhe4096, OSSL_TLS_GROUP_ID_ffdhe4096},
@ -193,28 +193,28 @@ static const unsigned char ecformats_default[] = {
/* The default curves */
static const uint16_t supported_groups_default[] = {
29, /* X25519 (29) */
23, /* secp256r1 (23) */
30, /* X448 (30) */
25, /* secp521r1 (25) */
24, /* secp384r1 (24) */
34, /* GC256A (34) */
35, /* GC256B (35) */
36, /* GC256C (36) */
37, /* GC256D (37) */
38, /* GC512A (38) */
39, /* GC512B (39) */
40, /* GC512C (40) */
0x100, /* ffdhe2048 (0x100) */
0x101, /* ffdhe3072 (0x101) */
0x102, /* ffdhe4096 (0x102) */
0x103, /* ffdhe6144 (0x103) */
0x104, /* ffdhe8192 (0x104) */
OSSL_TLS_GROUP_ID_x25519, /* X25519 (29) */
OSSL_TLS_GROUP_ID_secp256r1, /* secp256r1 (23) */
OSSL_TLS_GROUP_ID_x448, /* X448 (30) */
OSSL_TLS_GROUP_ID_secp521r1, /* secp521r1 (25) */
OSSL_TLS_GROUP_ID_secp384r1, /* secp384r1 (24) */
OSSL_TLS_GROUP_ID_gc256A, /* GC256A (34) */
OSSL_TLS_GROUP_ID_gc256B, /* GC256B (35) */
OSSL_TLS_GROUP_ID_gc256C, /* GC256C (36) */
OSSL_TLS_GROUP_ID_gc256D, /* GC256D (37) */
OSSL_TLS_GROUP_ID_gc512A, /* GC512A (38) */
OSSL_TLS_GROUP_ID_gc512B, /* GC512B (39) */
OSSL_TLS_GROUP_ID_gc512C, /* GC512C (40) */
OSSL_TLS_GROUP_ID_ffdhe2048, /* ffdhe2048 (0x100) */
OSSL_TLS_GROUP_ID_ffdhe3072, /* ffdhe3072 (0x101) */
OSSL_TLS_GROUP_ID_ffdhe4096, /* ffdhe4096 (0x102) */
OSSL_TLS_GROUP_ID_ffdhe6144, /* ffdhe6144 (0x103) */
OSSL_TLS_GROUP_ID_ffdhe8192, /* ffdhe8192 (0x104) */
};
static const uint16_t suiteb_curves[] = {
TLSEXT_curve_P_256,
TLSEXT_curve_P_384
OSSL_TLS_GROUP_ID_secp256r1,
OSSL_TLS_GROUP_ID_secp384r1,
};
struct provider_group_data_st {
@ -433,6 +433,42 @@ static uint16_t tls1_group_name2id(SSL_CTX *ctx, const char *name)
return 0;
}
uint16_t ssl_group_id_internal_to_tls13(uint16_t curve_id)
{
switch(curve_id) {
case OSSL_TLS_GROUP_ID_brainpoolP256r1:
return OSSL_TLS_GROUP_ID_brainpoolP256r1_tls13;
case OSSL_TLS_GROUP_ID_brainpoolP384r1:
return OSSL_TLS_GROUP_ID_brainpoolP384r1_tls13;
case OSSL_TLS_GROUP_ID_brainpoolP512r1:
return OSSL_TLS_GROUP_ID_brainpoolP512r1_tls13;
case OSSL_TLS_GROUP_ID_brainpoolP256r1_tls13:
case OSSL_TLS_GROUP_ID_brainpoolP384r1_tls13:
case OSSL_TLS_GROUP_ID_brainpoolP512r1_tls13:
return 0;
default:
return curve_id;
}
}
uint16_t ssl_group_id_tls13_to_internal(uint16_t curve_id)
{
switch(curve_id) {
case OSSL_TLS_GROUP_ID_brainpoolP256r1:
case OSSL_TLS_GROUP_ID_brainpoolP384r1:
case OSSL_TLS_GROUP_ID_brainpoolP512r1:
return 0;
case OSSL_TLS_GROUP_ID_brainpoolP256r1_tls13:
return OSSL_TLS_GROUP_ID_brainpoolP256r1;
case OSSL_TLS_GROUP_ID_brainpoolP384r1_tls13:
return OSSL_TLS_GROUP_ID_brainpoolP384r1;
case OSSL_TLS_GROUP_ID_brainpoolP512r1_tls13:
return OSSL_TLS_GROUP_ID_brainpoolP512r1;
default:
return curve_id;
}
}
const TLS_GROUP_INFO *tls1_group_id_lookup(SSL_CTX *ctx, uint16_t group_id)
{
size_t i;
@ -611,9 +647,9 @@ uint16_t tls1_shared_group(SSL *s, int nmatch)
unsigned long cid = s->s3.tmp.new_cipher->id;
if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
return TLSEXT_curve_P_256;
return OSSL_TLS_GROUP_ID_secp256r1;
if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
return TLSEXT_curve_P_384;
return OSSL_TLS_GROUP_ID_secp384r1;
/* Should never happen */
return 0;
}
@ -634,10 +670,17 @@ uint16_t tls1_shared_group(SSL *s, int nmatch)
for (k = 0, i = 0; i < num_pref; i++) {
uint16_t id = pref[i];
uint16_t cid = id;
if (!tls1_in_list(id, supp, num_supp)
|| !tls_group_allowed(s, id, SSL_SECOP_CURVE_SHARED))
continue;
if (SSL_IS_TLS13(s)) {
if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
cid = ssl_group_id_internal_to_tls13(id);
else
cid = id = ssl_group_id_tls13_to_internal(id);
}
if (!tls1_in_list(cid, supp, num_supp)
|| !tls_group_allowed(s, id, SSL_SECOP_CURVE_SHARED))
continue;
if (nmatch == k)
return id;
k++;
@ -782,10 +825,10 @@ int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_groups)
unsigned long cid = s->s3.tmp.new_cipher->id;
if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
if (group_id != TLSEXT_curve_P_256)
if (group_id != OSSL_TLS_GROUP_ID_secp256r1)
return 0;
} else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
if (group_id != TLSEXT_curve_P_384)
if (group_id != OSSL_TLS_GROUP_ID_secp384r1)
return 0;
} else {
/* Should never happen */
@ -931,9 +974,9 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int check_ee_md)
size_t i;
/* Check to see we have necessary signing algorithm */
if (group_id == TLSEXT_curve_P_256)
if (group_id == OSSL_TLS_GROUP_ID_secp256r1)
check_md = NID_ecdsa_with_SHA256;
else if (group_id == TLSEXT_curve_P_384)
else if (group_id == OSSL_TLS_GROUP_ID_secp384r1)
check_md = NID_ecdsa_with_SHA384;
else
return 0; /* Should never happen */
@ -966,9 +1009,9 @@ int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
* curves permitted.
*/
if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
return tls1_check_group_id(s, TLSEXT_curve_P_256, 1);
return tls1_check_group_id(s, OSSL_TLS_GROUP_ID_secp256r1, 1);
if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
return tls1_check_group_id(s, TLSEXT_curve_P_384, 1);
return tls1_check_group_id(s, OSSL_TLS_GROUP_ID_secp384r1, 1);
return 0;
}
@ -980,6 +1023,9 @@ static const uint16_t tls12_sigalgs[] = {
TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
TLSEXT_SIGALG_ed25519,
TLSEXT_SIGALG_ed448,
TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256,
TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384,
TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512,
TLSEXT_SIGALG_rsa_pss_pss_sha256,
TLSEXT_SIGALG_rsa_pss_pss_sha384,
@ -1042,6 +1088,15 @@ static const SIGALG_LOOKUP sigalg_lookup_tbl[] = {
{NULL, TLSEXT_SIGALG_ecdsa_sha1,
NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
NID_ecdsa_with_SHA1, NID_undef, 1},
{"ecdsa_brainpoolP256r1_sha256", TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256,
NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
NID_ecdsa_with_SHA256, NID_brainpoolP256r1, 1},
{"ecdsa_brainpoolP384r1_sha384", TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384,
NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
NID_ecdsa_with_SHA384, NID_brainpoolP384r1, 1},
{"ecdsa_brainpoolP512r1_sha512", TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512,
NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
NID_ecdsa_with_SHA512, NID_brainpoolP512r1, 1},
{"rsa_pss_rsae_sha256", TLSEXT_SIGALG_rsa_pss_rsae_sha256,
NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA,
NID_undef, NID_undef, 1},

3
ssl/t1_trce.c
View File

@ -584,6 +584,9 @@ static const ssl_trace_tbl ssl_sigalg_tbl[] = {
{TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, "gost2012_256"},
{TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, "gost2012_512"},
{TLSEXT_SIGALG_gostr34102001_gostr3411, "gost2001_gost94"},
{TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256, "ecdsa_brainpoolP256r1_sha256"},
{TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384, "ecdsa_brainpoolP384r1_sha384"},
{TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512, "ecdsa_brainpoolP512r1_sha512"},
};
static const ssl_trace_tbl ssl_ctype_tbl[] = {

4
test/ssl-tests/20-cert-select.cnf
View File

@ -1728,7 +1728,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-52]
ExpectedResult = ClientFail
ExpectedResult = ServerFail
# ===========================================================
@ -1754,7 +1754,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-53]
ExpectedResult = ServerFail
ExpectedResult = Success
# ===========================================================

4
test/ssl-tests/20-cert-select.cnf.in
View File

@ -909,7 +909,7 @@ my @tests_tls_1_3_non_fips = (
#We only configured brainpoolP256r1 on the client side, but TLSv1.3
#is enabled and this group is not allowed in TLSv1.3. Therefore this
#should fail
"ExpectedResult" => "ClientFail"
"ExpectedResult" => "ServerFail"
},
},
{
@ -924,7 +924,7 @@ my @tests_tls_1_3_non_fips = (
"MaxProtocol" => "TLSv1.3"
},
test => {
"ExpectedResult" => "ServerFail"
"ExpectedResult" => "Success"
},
},
);