openssl
/
openssl
mirror of https://github.com/openssl/openssl
1
0
Fork 0
Code Issues Releases Wiki Activity

Support TLS 1.3 kexs and groups with DTLS 1.3 

SSL_CONNECTION_IS_VERSION13 macro is used where appropriate.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22364)
This commit is contained in:
Frederik Wedel-Heinen 2023-10-12 14:35:37 +02:00 committed by Matt Caswell
parent e0490029c1
commit 2ccbedf081
6 changed files with 37 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
providers/common/capabilities.c
View File

@ -86,15 +86,15 @@ static const TLS_GROUP_CONSTANTS group_list[] = {
DTLS1_VERSION, DTLS1_2_VERSION },
{ OSSL_TLS_GROUP_ID_x25519, 128, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
{ OSSL_TLS_GROUP_ID_x448, 224, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
{ OSSL_TLS_GROUP_ID_brainpoolP256r1_tls13, 128, TLS1_3_VERSION, 0, -1, -1 },
{ OSSL_TLS_GROUP_ID_brainpoolP384r1_tls13, 192, TLS1_3_VERSION, 0, -1, -1 },
{ OSSL_TLS_GROUP_ID_brainpoolP512r1_tls13, 256, TLS1_3_VERSION, 0, -1, -1 },
{ OSSL_TLS_GROUP_ID_brainpoolP256r1_tls13, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0 },
{ OSSL_TLS_GROUP_ID_brainpoolP384r1_tls13, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0 },
{ OSSL_TLS_GROUP_ID_brainpoolP512r1_tls13, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0 },
/* Security bit values as given by BN_security_bits() */
{ OSSL_TLS_GROUP_ID_ffdhe2048, 112, TLS1_3_VERSION, 0, -1, -1 },
{ OSSL_TLS_GROUP_ID_ffdhe3072, 128, TLS1_3_VERSION, 0, -1, -1 },
{ OSSL_TLS_GROUP_ID_ffdhe4096, 128, TLS1_3_VERSION, 0, -1, -1 },
{ OSSL_TLS_GROUP_ID_ffdhe6144, 128, TLS1_3_VERSION, 0, -1, -1 },
{ OSSL_TLS_GROUP_ID_ffdhe8192, 192, TLS1_3_VERSION, 0, -1, -1 },
{ OSSL_TLS_GROUP_ID_ffdhe2048, 112, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0 },
{ OSSL_TLS_GROUP_ID_ffdhe3072, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0 },
{ OSSL_TLS_GROUP_ID_ffdhe4096, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0 },
{ OSSL_TLS_GROUP_ID_ffdhe6144, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0 },
{ OSSL_TLS_GROUP_ID_ffdhe8192, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0 },
};
#define TLS_GROUP_ENTRY(tlsname, realname, algorithm, idx) \

22
ssl/s3_lib.c
View File

@ -45,7 +45,7 @@ static SSL_CIPHER tls13_ciphers[] = {
SSL_AES128GCM,
SSL_AEAD,
TLS1_3_VERSION, TLS1_3_VERSION,
0, 0,
DTLS1_3_VERSION, DTLS1_3_VERSION,
SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | SSL_QUIC,
128,
@ -60,7 +60,7 @@ static SSL_CIPHER tls13_ciphers[] = {
SSL_AES256GCM,
SSL_AEAD,
TLS1_3_VERSION, TLS1_3_VERSION,
0, 0,
DTLS1_3_VERSION, DTLS1_3_VERSION,
SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA384 | SSL_QUIC,
256,
@ -76,7 +76,7 @@ static SSL_CIPHER tls13_ciphers[] = {
SSL_CHACHA20POLY1305,
SSL_AEAD,
TLS1_3_VERSION, TLS1_3_VERSION,
0, 0,
DTLS1_3_VERSION, DTLS1_3_VERSION,
SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | SSL_QUIC,
256,
@ -92,7 +92,7 @@ static SSL_CIPHER tls13_ciphers[] = {
SSL_AES128CCM,
SSL_AEAD,
TLS1_3_VERSION, TLS1_3_VERSION,
0, 0,
DTLS1_3_VERSION, DTLS1_3_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256,
128,
@ -107,7 +107,7 @@ static SSL_CIPHER tls13_ciphers[] = {
SSL_AES128CCM8,
SSL_AEAD,
TLS1_3_VERSION, TLS1_3_VERSION,
0, 0,
DTLS1_3_VERSION, DTLS1_3_VERSION,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_SHA256,
64, /* CCM8 uses a short tag, so we have a low security strength */
@ -3674,7 +3674,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
{
unsigned int id;
if (SSL_CONNECTION_IS_TLS13(sc) && sc->s3.did_kex)
if (SSL_CONNECTION_IS_VERSION13(sc) && sc->s3.did_kex)
id = sc->s3.group_id;
else
id = sc->session->kex_group;
@ -4262,7 +4262,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL_CONNECTION *s, STACK_OF(SSL_CIPHER) *cl
allow = srvr;
}
if (SSL_CONNECTION_IS_TLS13(s)) {
if (SSL_CONNECTION_IS_VERSION13(s)) {
#ifndef OPENSSL_NO_PSK
size_t j;
@ -4302,7 +4302,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL_CONNECTION *s, STACK_OF(SSL_CIPHER) *cl
* Since TLS 1.3 ciphersuites can be used with any auth or
* key exchange scheme skip tests.
*/
if (!SSL_CONNECTION_IS_TLS13(s)) {
if (!SSL_CONNECTION_IS_VERSION13(s)) {
mask_k = s->s3.tmp.mask_k;
mask_a = s->s3.tmp.mask_a;
#ifndef OPENSSL_NO_SRP
@ -4845,7 +4845,7 @@ int ssl_gensecret(SSL_CONNECTION *s, unsigned char *pms, size_t pmslen)
int rv = 0;
/* SSLfatal() called as appropriate in the below functions */
if (SSL_CONNECTION_IS_TLS13(s)) {
if (SSL_CONNECTION_IS_VERSION13(s)) {
/*
* If we are resuming then we already generated the early secret
* when we created the ClientHello, so don't recreate it.
@ -4888,7 +4888,7 @@ int ssl_derive(SSL_CONNECTION *s, EVP_PKEY *privkey, EVP_PKEY *pubkey, int gense
goto err;
}
if (SSL_CONNECTION_IS_TLS13(s) && EVP_PKEY_is_a(privkey, "DH"))
if (SSL_CONNECTION_IS_VERSION13(s) && EVP_PKEY_is_a(privkey, "DH"))
EVP_PKEY_CTX_set_dh_pad(pctx, 1);
pms = OPENSSL_malloc(pmslen);
@ -5040,7 +5040,7 @@ const char *SSL_get0_group_name(SSL *s)
if (sc == NULL)
return NULL;
if (SSL_CONNECTION_IS_TLS13(sc) && sc->s3.did_kex)
if (SSL_CONNECTION_IS_VERSION13(sc) && sc->s3.did_kex)
id = sc->s3.group_id;
else
id = sc->session->kex_group;

10
ssl/statem/extensions.c
View File

@ -562,7 +562,7 @@ int extension_is_relevant(SSL_CONNECTION *s, unsigned int extctx,
if ((thisctx & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0)
is_version13 = 1;
else
is_version13 = SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s);
is_version13 = SSL_CONNECTION_IS_VERSION13(s);
if ((SSL_CONNECTION_IS_DTLS(s)
&& (extctx & SSL_EXT_TLS_IMPLEMENTATION_ONLY) != 0)
@ -1070,7 +1070,7 @@ static int final_server_name(SSL_CONNECTION *s, unsigned int context, int sent)
case SSL_TLSEXT_ERR_ALERT_WARNING:
/* (D)TLSv1.3 doesn't have warning alerts so we suppress this */
if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)))
if (!SSL_CONNECTION_IS_VERSION13(s))
ssl3_send_alert(s, SSL3_AL_WARNING, altmp);
s->servername_done = 0;
return 1;
@ -1177,7 +1177,7 @@ static int final_alpn(SSL_CONNECTION *s, unsigned int context, int sent)
if (!s->server && !sent && s->session->ext.alpn_selected != NULL)
s->ext.early_data_ok = 0;
if (!s->server || !(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)))
if (!s->server || !SSL_CONNECTION_IS_VERSION13(s))
return 1;
/*
@ -1337,7 +1337,7 @@ static int init_srtp(SSL_CONNECTION *s, unsigned int context)
static int final_sig_algs(SSL_CONNECTION *s, unsigned int context, int sent)
{
if (!sent && (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && !s->hit) {
if (!sent && SSL_CONNECTION_IS_VERSION13(s) && !s->hit) {
SSLfatal(s, TLS13_AD_MISSING_EXTENSION,
SSL_R_MISSING_SIGALGS_EXTENSION);
return 0;
@ -1349,7 +1349,7 @@ static int final_sig_algs(SSL_CONNECTION *s, unsigned int context, int sent)
static int final_key_share(SSL_CONNECTION *s, unsigned int context, int sent)
{
#if !defined(OPENSSL_NO_TLS1_3)
if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)))
if (!SSL_CONNECTION_IS_VERSION13(s))
return 1;
/* Nothing to do for key_share in an HRR */

4
ssl/statem/extensions_clnt.c
View File

@ -1475,12 +1475,12 @@ int tls_parse_stoc_status_request(SSL_CONNECTION *s, PACKET *pkt,
SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
return 0;
}
if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && PACKET_remaining(pkt) > 0) {
if (!SSL_CONNECTION_IS_VERSION13(s) && PACKET_remaining(pkt) > 0) {
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
return 0;
}
if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) {
if (SSL_CONNECTION_IS_VERSION13(s)) {
/* We only know how to handle this if it's for the first Certificate in
* the chain. We ignore any other responses.
*/

12
ssl/statem/extensions_srvr.c
View File

@ -136,7 +136,7 @@ int tls_parse_ctos_server_name(SSL_CONNECTION *s, PACKET *pkt,
* In (D)TLSv1.2 and below the SNI is associated with the session. In (D)TLSv1.3
* we always use the SNI value from the handshake.
*/
if (!s->hit || (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) {
if (!s->hit || SSL_CONNECTION_IS_VERSION13(s)) {
if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
return 0;
@ -942,7 +942,7 @@ int tls_parse_ctos_supported_groups(SSL_CONNECTION *s, PACKET *pkt,
return 0;
}
if (!s->hit || (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) {
if (!s->hit || SSL_CONNECTION_IS_VERSION13(s)) {
OPENSSL_free(s->ext.peer_supportedgroups);
s->ext.peer_supportedgroups = NULL;
s->ext.peer_supportedgroups_len = 0;
@ -1315,7 +1315,7 @@ EXT_RETURN tls_construct_stoc_server_name(SSL_CONNECTION *s, WPACKET *pkt,
* Prior to (D)TLSv1.3 we ignore any SNI in the current handshake if resuming.
* We just use the servername from the initial handshake.
*/
if (s->hit && !(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)))
if (s->hit && !SSL_CONNECTION_IS_VERSION13(s))
return EXT_RETURN_NOT_SENT;
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
@ -1466,7 +1466,7 @@ EXT_RETURN tls_construct_stoc_status_request(SSL_CONNECTION *s, WPACKET *pkt,
if (!s->ext.status_expected)
return EXT_RETURN_NOT_SENT;
if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && chainidx != 0)
if (SSL_CONNECTION_IS_VERSION13(s) && chainidx != 0)
return EXT_RETURN_NOT_SENT;
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
@ -1480,7 +1480,7 @@ EXT_RETURN tls_construct_stoc_status_request(SSL_CONNECTION *s, WPACKET *pkt,
* send back an empty extension, with the certificate status appearing as a
* separate message
*/
if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
if (SSL_CONNECTION_IS_VERSION13(s)
&& !tls_construct_cert_status_body(s, pkt)) {
/* SSLfatal() already called */
return EXT_RETURN_FAIL;
@ -1617,7 +1617,7 @@ EXT_RETURN tls_construct_stoc_supported_versions(SSL_CONNECTION *s, WPACKET *pkt
unsigned int context, X509 *x,
size_t chainidx)
{
if (!ossl_assert((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)))) {
if (!ossl_assert(SSL_CONNECTION_IS_VERSION13(s))) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL;
}

11
ssl/t1_lib.c
View File

@ -870,11 +870,10 @@ int tls_valid_group(SSL_CONNECTION *s, uint16_t group_id,
if (group_minversion > 0)
ret &= (ssl_version_cmp(s, maxversion, group_minversion) >= 0);
if (!SSL_CONNECTION_IS_DTLS(s)) {
if (ret && okfortls13 != NULL && maxversion == TLS1_3_VERSION)
*okfortls13 = (group_maxversion == 0)
|| (group_maxversion >= TLS1_3_VERSION);
}
if (ret && okfortls13 != NULL && (maxversion == DTLS1_3_VERSION
|| maxversion == TLS1_3_VERSION))
*okfortls13 = (group_maxversion == 0)
|| (ssl_version_cmp(s, group_maxversion, maxversion) >= 0);
ret &= !isec
|| strcmp(ginfo->algorithm, "EC") == 0
|| strcmp(ginfo->algorithm, "X25519") == 0
@ -1215,7 +1214,7 @@ static int tls1_check_pkey_comp(SSL_CONNECTION *s, EVP_PKEY *pkey)
return 0;
if (point_conv == POINT_CONVERSION_UNCOMPRESSED) {
comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
} else if (SSL_CONNECTION_IS_TLS13(s)) {
} else if (SSL_CONNECTION_IS_VERSION13(s)) {
/*
* ec_point_formats extension is not used in TLSv1.3 so we ignore
* this check.