Support TLS 1.3 kexs and groups with DTLS 1.3
The SSL_CONNECTION_IS_VERSION13 macro is used where appropriate. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22364)
parent
e0490029c1
commit
2ccbedf081
|
@ -86,15 +86,15 @@ static const TLS_GROUP_CONSTANTS group_list[] = {
|
|||
DTLS1_VERSION, DTLS1_2_VERSION },
|
||||
{ OSSL_TLS_GROUP_ID_x25519, 128, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
|
||||
{ OSSL_TLS_GROUP_ID_x448, 224, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
|
||||
{ OSSL_TLS_GROUP_ID_brainpoolP256r1_tls13, 128, TLS1_3_VERSION, 0, -1, -1 },
|
||||
{ OSSL_TLS_GROUP_ID_brainpoolP384r1_tls13, 192, TLS1_3_VERSION, 0, -1, -1 },
|
||||
{ OSSL_TLS_GROUP_ID_brainpoolP512r1_tls13, 256, TLS1_3_VERSION, 0, -1, -1 },
|
||||
{ OSSL_TLS_GROUP_ID_brainpoolP256r1_tls13, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0 },
|
||||
{ OSSL_TLS_GROUP_ID_brainpoolP384r1_tls13, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0 },
|
||||
{ OSSL_TLS_GROUP_ID_brainpoolP512r1_tls13, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0 },
|
||||
/* Security bit values as given by BN_security_bits() */
|
||||
{ OSSL_TLS_GROUP_ID_ffdhe2048, 112, TLS1_3_VERSION, 0, -1, -1 },
|
||||
{ OSSL_TLS_GROUP_ID_ffdhe3072, 128, TLS1_3_VERSION, 0, -1, -1 },
|
||||
{ OSSL_TLS_GROUP_ID_ffdhe4096, 128, TLS1_3_VERSION, 0, -1, -1 },
|
||||
{ OSSL_TLS_GROUP_ID_ffdhe6144, 128, TLS1_3_VERSION, 0, -1, -1 },
|
||||
{ OSSL_TLS_GROUP_ID_ffdhe8192, 192, TLS1_3_VERSION, 0, -1, -1 },
|
||||
{ OSSL_TLS_GROUP_ID_ffdhe2048, 112, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0 },
|
||||
{ OSSL_TLS_GROUP_ID_ffdhe3072, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0 },
|
||||
{ OSSL_TLS_GROUP_ID_ffdhe4096, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0 },
|
||||
{ OSSL_TLS_GROUP_ID_ffdhe6144, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0 },
|
||||
{ OSSL_TLS_GROUP_ID_ffdhe8192, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0 },
|
||||
};
|
||||
|
||||
#define TLS_GROUP_ENTRY(tlsname, realname, algorithm, idx) \
|
||||
|
|
22
ssl/s3_lib.c
22
ssl/s3_lib.c
|
@ -45,7 +45,7 @@ static SSL_CIPHER tls13_ciphers[] = {
|
|||
SSL_AES128GCM,
|
||||
SSL_AEAD,
|
||||
TLS1_3_VERSION, TLS1_3_VERSION,
|
||||
0, 0,
|
||||
DTLS1_3_VERSION, DTLS1_3_VERSION,
|
||||
SSL_HIGH,
|
||||
SSL_HANDSHAKE_MAC_SHA256 | SSL_QUIC,
|
||||
128,
|
||||
|
@ -60,7 +60,7 @@ static SSL_CIPHER tls13_ciphers[] = {
|
|||
SSL_AES256GCM,
|
||||
SSL_AEAD,
|
||||
TLS1_3_VERSION, TLS1_3_VERSION,
|
||||
0, 0,
|
||||
DTLS1_3_VERSION, DTLS1_3_VERSION,
|
||||
SSL_HIGH,
|
||||
SSL_HANDSHAKE_MAC_SHA384 | SSL_QUIC,
|
||||
256,
|
||||
|
@ -76,7 +76,7 @@ static SSL_CIPHER tls13_ciphers[] = {
|
|||
SSL_CHACHA20POLY1305,
|
||||
SSL_AEAD,
|
||||
TLS1_3_VERSION, TLS1_3_VERSION,
|
||||
0, 0,
|
||||
DTLS1_3_VERSION, DTLS1_3_VERSION,
|
||||
SSL_HIGH,
|
||||
SSL_HANDSHAKE_MAC_SHA256 | SSL_QUIC,
|
||||
256,
|
||||
|
@ -92,7 +92,7 @@ static SSL_CIPHER tls13_ciphers[] = {
|
|||
SSL_AES128CCM,
|
||||
SSL_AEAD,
|
||||
TLS1_3_VERSION, TLS1_3_VERSION,
|
||||
0, 0,
|
||||
DTLS1_3_VERSION, DTLS1_3_VERSION,
|
||||
SSL_NOT_DEFAULT | SSL_HIGH,
|
||||
SSL_HANDSHAKE_MAC_SHA256,
|
||||
128,
|
||||
|
@ -107,7 +107,7 @@ static SSL_CIPHER tls13_ciphers[] = {
|
|||
SSL_AES128CCM8,
|
||||
SSL_AEAD,
|
||||
TLS1_3_VERSION, TLS1_3_VERSION,
|
||||
0, 0,
|
||||
DTLS1_3_VERSION, DTLS1_3_VERSION,
|
||||
SSL_NOT_DEFAULT | SSL_MEDIUM,
|
||||
SSL_HANDSHAKE_MAC_SHA256,
|
||||
64, /* CCM8 uses a short tag, so we have a low security strength */
|
||||
|
@ -3674,7 +3674,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
|
|||
{
|
||||
unsigned int id;
|
||||
|
||||
if (SSL_CONNECTION_IS_TLS13(sc) && sc->s3.did_kex)
|
||||
if (SSL_CONNECTION_IS_VERSION13(sc) && sc->s3.did_kex)
|
||||
id = sc->s3.group_id;
|
||||
else
|
||||
id = sc->session->kex_group;
|
||||
|
@ -4262,7 +4262,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL_CONNECTION *s, STACK_OF(SSL_CIPHER) *cl
|
|||
allow = srvr;
|
||||
}
|
||||
|
||||
if (SSL_CONNECTION_IS_TLS13(s)) {
|
||||
if (SSL_CONNECTION_IS_VERSION13(s)) {
|
||||
#ifndef OPENSSL_NO_PSK
|
||||
size_t j;
|
||||
|
||||
|
@ -4302,7 +4302,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL_CONNECTION *s, STACK_OF(SSL_CIPHER) *cl
|
|||
* Since TLS 1.3 ciphersuites can be used with any auth or
|
||||
* key exchange scheme skip tests.
|
||||
*/
|
||||
if (!SSL_CONNECTION_IS_TLS13(s)) {
|
||||
if (!SSL_CONNECTION_IS_VERSION13(s)) {
|
||||
mask_k = s->s3.tmp.mask_k;
|
||||
mask_a = s->s3.tmp.mask_a;
|
||||
#ifndef OPENSSL_NO_SRP
|
||||
|
@ -4845,7 +4845,7 @@ int ssl_gensecret(SSL_CONNECTION *s, unsigned char *pms, size_t pmslen)
|
|||
int rv = 0;
|
||||
|
||||
/* SSLfatal() called as appropriate in the below functions */
|
||||
if (SSL_CONNECTION_IS_TLS13(s)) {
|
||||
if (SSL_CONNECTION_IS_VERSION13(s)) {
|
||||
/*
|
||||
* If we are resuming then we already generated the early secret
|
||||
* when we created the ClientHello, so don't recreate it.
|
||||
|
@ -4888,7 +4888,7 @@ int ssl_derive(SSL_CONNECTION *s, EVP_PKEY *privkey, EVP_PKEY *pubkey, int gense
|
|||
goto err;
|
||||
}
|
||||
|
||||
if (SSL_CONNECTION_IS_TLS13(s) && EVP_PKEY_is_a(privkey, "DH"))
|
||||
if (SSL_CONNECTION_IS_VERSION13(s) && EVP_PKEY_is_a(privkey, "DH"))
|
||||
EVP_PKEY_CTX_set_dh_pad(pctx, 1);
|
||||
|
||||
pms = OPENSSL_malloc(pmslen);
|
||||
|
@ -5040,7 +5040,7 @@ const char *SSL_get0_group_name(SSL *s)
|
|||
if (sc == NULL)
|
||||
return NULL;
|
||||
|
||||
if (SSL_CONNECTION_IS_TLS13(sc) && sc->s3.did_kex)
|
||||
if (SSL_CONNECTION_IS_VERSION13(sc) && sc->s3.did_kex)
|
||||
id = sc->s3.group_id;
|
||||
else
|
||||
id = sc->session->kex_group;
|
||||
|
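Review bot: The DH padding line in the ssl_derive hunk, `if (SSL_CONNECTION_IS_VERSION13(s) && EVP_PKEY_is_a(privkey, "DH")) EVP_PKEY_CTX_set_dh_pad(pctx, 1);`, now also governs DTLS 1.3 but carries no comment saying why the pad is mandatory, so a later reader may take it for a cosmetic choice; suggest `/* RFC 8446 s7.4.1: the FFDHE shared secret is left-padded to the size of p; DTLS 1.3 reuses the TLS 1.3 key schedule, so the same applies */`. The same widening of scope leaves the comment in the ssl3_choose_cipher hunk, "Since TLS 1.3 ciphersuites can be used with any auth or key exchange scheme skip tests.", describing only TLS 1.3 while the guard below it now also covers DTLS 1.3; wording it "(D)TLS 1.3" would match the "(D)TLSv1.3" phrasing this commit uses elsewhere. ssl_derive and ssl3_choose_cipher both start and end outside their hunks.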
|
|
@ -562,7 +562,7 @@ int extension_is_relevant(SSL_CONNECTION *s, unsigned int extctx,
|
|||
if ((thisctx & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0)
|
||||
is_version13 = 1;
|
||||
else
|
||||
is_version13 = SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s);
|
||||
is_version13 = SSL_CONNECTION_IS_VERSION13(s);
|
||||
|
||||
if ((SSL_CONNECTION_IS_DTLS(s)
|
||||
&& (extctx & SSL_EXT_TLS_IMPLEMENTATION_ONLY) != 0)
|
||||
|
@ -1070,7 +1070,7 @@ static int final_server_name(SSL_CONNECTION *s, unsigned int context, int sent)
|
|||
|
||||
case SSL_TLSEXT_ERR_ALERT_WARNING:
|
||||
/* (D)TLSv1.3 doesn't have warning alerts so we suppress this */
|
||||
if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)))
|
||||
if (!SSL_CONNECTION_IS_VERSION13(s))
|
||||
ssl3_send_alert(s, SSL3_AL_WARNING, altmp);
|
||||
s->servername_done = 0;
|
||||
return 1;
|
||||
|
@ -1177,7 +1177,7 @@ static int final_alpn(SSL_CONNECTION *s, unsigned int context, int sent)
|
|||
if (!s->server && !sent && s->session->ext.alpn_selected != NULL)
|
||||
s->ext.early_data_ok = 0;
|
||||
|
||||
if (!s->server || !(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)))
|
||||
if (!s->server || !SSL_CONNECTION_IS_VERSION13(s))
|
||||
return 1;
|
||||
|
||||
/*
|
||||
|
@ -1337,7 +1337,7 @@ static int init_srtp(SSL_CONNECTION *s, unsigned int context)
|
|||
|
||||
static int final_sig_algs(SSL_CONNECTION *s, unsigned int context, int sent)
|
||||
{
|
||||
if (!sent && (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && !s->hit) {
|
||||
if (!sent && SSL_CONNECTION_IS_VERSION13(s) && !s->hit) {
|
||||
SSLfatal(s, TLS13_AD_MISSING_EXTENSION,
|
||||
SSL_R_MISSING_SIGALGS_EXTENSION);
|
||||
return 0;
|
||||
|
@ -1349,7 +1349,7 @@ static int final_sig_algs(SSL_CONNECTION *s, unsigned int context, int sent)
|
|||
static int final_key_share(SSL_CONNECTION *s, unsigned int context, int sent)
|
||||
{
|
||||
#if !defined(OPENSSL_NO_TLS1_3)
|
||||
if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)))
|
||||
if (!SSL_CONNECTION_IS_VERSION13(s))
|
||||
return 1;
|
||||
|
||||
/* Nothing to do for key_share in an HRR */
|
||||
|
|
|
@ -1475,12 +1475,12 @@ int tls_parse_stoc_status_request(SSL_CONNECTION *s, PACKET *pkt,
|
|||
SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
|
||||
return 0;
|
||||
}
|
||||
if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && PACKET_remaining(pkt) > 0) {
|
||||
if (!SSL_CONNECTION_IS_VERSION13(s) && PACKET_remaining(pkt) > 0) {
|
||||
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) {
|
||||
if (SSL_CONNECTION_IS_VERSION13(s)) {
|
||||
/* We only know how to handle this if it's for the first Certificate in
|
||||
* the chain. We ignore any other responses.
|
||||
*/
|
||||
|
|
|
@ -136,7 +136,7 @@ int tls_parse_ctos_server_name(SSL_CONNECTION *s, PACKET *pkt,
|
|||
* In (D)TLSv1.2 and below the SNI is associated with the session. In (D)TLSv1.3
|
||||
* we always use the SNI value from the handshake.
|
||||
*/
|
||||
if (!s->hit || (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) {
|
||||
if (!s->hit || SSL_CONNECTION_IS_VERSION13(s)) {
|
||||
if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
|
||||
SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
|
||||
return 0;
|
||||
|
@ -942,7 +942,7 @@ int tls_parse_ctos_supported_groups(SSL_CONNECTION *s, PACKET *pkt,
|
|||
return 0;
|
||||
}
|
||||
|
||||
if (!s->hit || (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) {
|
||||
if (!s->hit || SSL_CONNECTION_IS_VERSION13(s)) {
|
||||
OPENSSL_free(s->ext.peer_supportedgroups);
|
||||
s->ext.peer_supportedgroups = NULL;
|
||||
s->ext.peer_supportedgroups_len = 0;
|
||||
|
@ -1315,7 +1315,7 @@ EXT_RETURN tls_construct_stoc_server_name(SSL_CONNECTION *s, WPACKET *pkt,
|
|||
* Prior to (D)TLSv1.3 we ignore any SNI in the current handshake if resuming.
|
||||
* We just use the servername from the initial handshake.
|
||||
*/
|
||||
if (s->hit && !(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)))
|
||||
if (s->hit && !SSL_CONNECTION_IS_VERSION13(s))
|
||||
return EXT_RETURN_NOT_SENT;
|
||||
|
||||
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
|
||||
|
@ -1466,7 +1466,7 @@ EXT_RETURN tls_construct_stoc_status_request(SSL_CONNECTION *s, WPACKET *pkt,
|
|||
if (!s->ext.status_expected)
|
||||
return EXT_RETURN_NOT_SENT;
|
||||
|
||||
if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && chainidx != 0)
|
||||
if (SSL_CONNECTION_IS_VERSION13(s) && chainidx != 0)
|
||||
return EXT_RETURN_NOT_SENT;
|
||||
|
||||
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
|
||||
|
@ -1480,7 +1480,7 @@ EXT_RETURN tls_construct_stoc_status_request(SSL_CONNECTION *s, WPACKET *pkt,
|
|||
* send back an empty extension, with the certificate status appearing as a
|
||||
* separate message
|
||||
*/
|
||||
if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
|
||||
if (SSL_CONNECTION_IS_VERSION13(s)
|
||||
&& !tls_construct_cert_status_body(s, pkt)) {
|
||||
/* SSLfatal() already called */
|
||||
return EXT_RETURN_FAIL;
|
||||
|
@ -1617,7 +1617,7 @@ EXT_RETURN tls_construct_stoc_supported_versions(SSL_CONNECTION *s, WPACKET *pkt
|
|||
unsigned int context, X509 *x,
|
||||
size_t chainidx)
|
||||
{
|
||||
if (!ossl_assert((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)))) {
|
||||
if (!ossl_assert(SSL_CONNECTION_IS_VERSION13(s))) {
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
||||
return EXT_RETURN_FAIL;
|
||||
}
|
||||
|
|
11
ssl/t1_lib.c
11
ssl/t1_lib.c
|
@ -870,11 +870,10 @@ int tls_valid_group(SSL_CONNECTION *s, uint16_t group_id,
|
|||
if (group_minversion > 0)
|
||||
ret &= (ssl_version_cmp(s, maxversion, group_minversion) >= 0);
|
||||
|
||||
if (!SSL_CONNECTION_IS_DTLS(s)) {
|
||||
if (ret && okfortls13 != NULL && maxversion == TLS1_3_VERSION)
|
||||
*okfortls13 = (group_maxversion == 0)
|
||||
|| (group_maxversion >= TLS1_3_VERSION);
|
||||
}
|
||||
if (ret && okfortls13 != NULL && (maxversion == DTLS1_3_VERSION
|
||||
|| maxversion == TLS1_3_VERSION))
|
||||
*okfortls13 = (group_maxversion == 0)
|
||||
|| (ssl_version_cmp(s, group_maxversion, maxversion) >= 0);
|
||||
ret &= !isec
|
||||
|| strcmp(ginfo->algorithm, "EC") == 0
|
||||
|| strcmp(ginfo->algorithm, "X25519") == 0
|
||||
|
@ -1215,7 +1214,7 @@ static int tls1_check_pkey_comp(SSL_CONNECTION *s, EVP_PKEY *pkey)
|
|||
return 0;
|
||||
if (point_conv == POINT_CONVERSION_UNCOMPRESSED) {
|
||||
comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
|
||||
} else if (SSL_CONNECTION_IS_TLS13(s)) {
|
||||
} else if (SSL_CONNECTION_IS_VERSION13(s)) {
|
||||
/*
|
||||
* ec_point_formats extension is not used in TLSv1.3 so we ignore
|
||||
* this check.
|
||||
|
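Review bot: In the tls_valid_group hunk the output parameter `okfortls13` now also answers for DTLS 1.3 (the new condition accepts `maxversion == DTLS1_3_VERSION`), but nothing at the assignment records that, and the parameter name still says TLS 1.3; suggest `/* okfortls13 is also the answer for DTLS 1.3: the group's maximum (D)TLS version must reach the negotiated 1.3 version */` above the new `*okfortls13 =` line. The replacement also switches from a plain `>=` on `group_maxversion` to `ssl_version_cmp(s, group_maxversion, maxversion)`, which presumably is what makes the DTLS version ordering come out right; and it relies on `group_maxversion` already holding the DTLS maximum when `s` is a DTLS connection, which is selected outside the hunk, so worth confirming. tls_valid_group starts and ends outside the hunk. The comment in the tls1_check_pkey_comp hunk, "ec_point_formats extension is not used in TLSv1.3", now also covers DTLS 1.3 and could read "(D)TLSv1.3" like the other comments this commit touches.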
|