QuasarApp/openssl
4
0
Fork 0
mirror of https://github.com/QuasarApp/openssl.git synced 2025-04-29 19:24:37 +00:00
Code Issues Projects Releases Wiki Activity

TLS: Use EVP_PKEY_get_group_name() to get the group name

Browse Source 
For the moment, we translate the result to a NID, because that's still
used in several locations in libssl.  Future development should change
all the internals to be name based instead.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13436)
This commit is contained in:
Richard Levitte 2020-11-18 10:43:50 +01:00
parent 88bddad42e
commit d8975dec0c
3 changed files with 18 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ssl/ssl_local.h
View File

@ -807,6 +807,8 @@ int ssl_hmac_final(SSL_HMAC *ctx, unsigned char *md, size_t *len,
size_t max_size); size_t max_size);
size_t ssl_hmac_size(const SSL_HMAC *ctx); size_t ssl_hmac_size(const SSL_HMAC *ctx);
int ssl_get_EC_curve_nid(const EVP_PKEY *pkey);
typedef struct tls_group_info_st { typedef struct tls_group_info_st {
char *tlsname; /* Curve Name as in TLS specs */ char *tlsname; /* Curve Name as in TLS specs */
char *realname; /* Curve Name according to provider */ char *realname; /* Curve Name according to provider */

4
ssl/statem/statem_lib.c
View File

@ -14,7 +14,6 @@
#include "../ssl_local.h" #include "../ssl_local.h"
#include "statem_local.h" #include "statem_local.h"
#include "internal/cryptlib.h" #include "internal/cryptlib.h"
#include "internal/evp.h"
#include <openssl/buffer.h> #include <openssl/buffer.h>
#include <openssl/objects.h> #include <openssl/objects.h>
#include <openssl/evp.h> #include <openssl/evp.h>
@ -1555,8 +1554,7 @@ static int is_tls13_capable(const SSL *s)
* more restrictive so check that our sig algs are consistent with this * more restrictive so check that our sig algs are consistent with this
* EC cert. See section 4.2.3 of RFC8446. * EC cert. See section 4.2.3 of RFC8446.
*/ */
curve = evp_pkey_get_EC_KEY_curve_nid(s->cert->pkeys[SSL_PKEY_ECC] curve = ssl_get_EC_curve_nid(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
.privatekey);
if (tls_check_sigalg_curve(s, curve)) if (tls_check_sigalg_curve(s, curve))
return 1; return 1;
#else #else

28
ssl/t1_lib.c
View File

@ -21,7 +21,7 @@
#include <openssl/provider.h> #include <openssl/provider.h>
#include <openssl/param_build.h> #include <openssl/param_build.h>
#include "internal/nelem.h" #include "internal/nelem.h"
#include "internal/evp.h" #include "internal/sizes.h"
#include "internal/tlsgroups.h" #include "internal/tlsgroups.h"
#include "ssl_local.h" #include "ssl_local.h"
#include <openssl/ct.h> #include <openssl/ct.h>
@ -865,7 +865,7 @@ static int tls1_check_pkey_comp(SSL *s, EVP_PKEY *pkey)
/* Return group id of a key */ /* Return group id of a key */
static uint16_t tls1_get_group_id(EVP_PKEY *pkey) static uint16_t tls1_get_group_id(EVP_PKEY *pkey)
{ {
int curve_nid = evp_pkey_get_EC_KEY_curve_nid(pkey); int curve_nid = ssl_get_EC_curve_nid(pkey);
if (curve_nid == NID_undef) if (curve_nid == NID_undef)
return 0; return 0;
@ -1498,7 +1498,7 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
/* For TLS 1.3 or Suite B check curve matches signature algorithm */ /* For TLS 1.3 or Suite B check curve matches signature algorithm */
if (SSL_IS_TLS13(s) || tls1_suiteb(s)) { if (SSL_IS_TLS13(s) || tls1_suiteb(s)) {
int curve = evp_pkey_get_EC_KEY_curve_nid(pkey); int curve = ssl_get_EC_curve_nid(pkey);
if (lu->curve != NID_undef && curve != lu->curve) { if (lu->curve != NID_undef && curve != lu->curve) {
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CURVE); SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CURVE);
@ -3151,14 +3151,10 @@ static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey)
: s->cert->pkeys[lu->sig_idx].privatekey; : s->cert->pkeys[lu->sig_idx].privatekey;
if (lu->sig == EVP_PKEY_EC) { if (lu->sig == EVP_PKEY_EC) {
#ifndef OPENSSL_NO_EC
if (curve == -1) if (curve == -1)
curve = evp_pkey_get_EC_KEY_curve_nid(tmppkey); curve = ssl_get_EC_curve_nid(tmppkey);
if (lu->curve != NID_undef && curve != lu->curve) if (lu->curve != NID_undef && curve != lu->curve)
continue; continue;
#else
continue;
#endif
} else if (lu->sig == EVP_PKEY_RSA_PSS) { } else if (lu->sig == EVP_PKEY_RSA_PSS) {
/* validate that key is large enough for the signature algorithm */ /* validate that key is large enough for the signature algorithm */
if (!rsa_pss_check_min_key_size(s->ctx, tmppkey, lu)) if (!rsa_pss_check_min_key_size(s->ctx, tmppkey, lu))
@ -3211,15 +3207,12 @@ int tls_choose_sigalg(SSL *s, int fatalerrs)
if (SSL_USE_SIGALGS(s)) { if (SSL_USE_SIGALGS(s)) {
size_t i; size_t i;
if (s->s3.tmp.peer_sigalgs != NULL) { if (s->s3.tmp.peer_sigalgs != NULL) {
#ifndef OPENSSL_NO_EC
int curve = -1; int curve = -1;
/* For Suite B need to match signature algorithm to curve */ /* For Suite B need to match signature algorithm to curve */
if (tls1_suiteb(s)) if (tls1_suiteb(s))
curve = curve = ssl_get_EC_curve_nid(s->cert->pkeys[SSL_PKEY_ECC]
evp_pkey_get_EC_KEY_curve_nid(s->cert->pkeys[SSL_PKEY_ECC]
.privatekey); .privatekey);
#endif
/* /*
* Find highest preference signature algorithm matching * Find highest preference signature algorithm matching
@ -3248,9 +3241,7 @@ int tls_choose_sigalg(SSL *s, int fatalerrs)
if (!rsa_pss_check_min_key_size(s->ctx, pkey, lu)) if (!rsa_pss_check_min_key_size(s->ctx, pkey, lu))
continue; continue;
} }
#ifndef OPENSSL_NO_EC
if (curve == -1 || lu->curve == curve) if (curve == -1 || lu->curve == curve)
#endif
break; break;
} }
#ifndef OPENSSL_NO_GOST #ifndef OPENSSL_NO_GOST
@ -3454,3 +3445,12 @@ size_t ssl_hmac_size(const SSL_HMAC *ctx)
return 0; return 0;
} }
int ssl_get_EC_curve_nid(const EVP_PKEY *pkey)
{
char gname[OSSL_MAX_NAME_SIZE];
if (EVP_PKEY_get_group_name(pkey, gname, sizeof(gname), NULL) > 0)
return OBJ_txt2nid(gname);
return NID_undef;
}