author | Shane Lontis <shane.lontis@oracle.com> | 2020-10-15 13:41:59 +1000 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2021-01-26 15:22:14 +0100 |
commit | 5b5eea4b60b682009d2b15587c9ceeae5e9c73f8 (patch) | |
tree | 4a3261cb27a582770270a07b40ecf05ecb71c89a /ssl | |
parent | 98dbf2c1c8143c0cc6dd05be7950d90bc6792064 (diff) | |
download | openssl-5b5eea4b60b682009d2b15587c9ceeae5e9c73f8.tar.gz |
Deprecate EC_KEY + Update ec apps to use EVP_PKEY
Co-author: Richard Levitte <levitte@openssl.org>
Co-author: Tomas Mraz <tmraz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13139)
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/s3_lib.c | 67 | ||||
-rw-r--r-- | ssl/ssl_local.h | 3 | ||||
-rw-r--r-- | ssl/t1_lib.c | 35 | ||||
-rw-r--r-- | ssl/tls_depr.c | 18 |
4 files changed, 82 insertions, 41 deletions
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 0739bc9082..34980b0bc6 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -18,6 +18,7 @@ #include <openssl/rand.h> #include <openssl/trace.h> #include <openssl/x509v3.h> +#include <openssl/core_names.h> #include "internal/cryptlib.h" #define TLS13_NUM_CIPHERS OSSL_NELEM(tls13_ciphers) @@ -3429,6 +3430,29 @@ static char *srp_password_from_info_cb(SSL *s, void *arg) } #endif +#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DEPRECATED_3_0) +static int ssl_set_tmp_ecdh_groups(uint16_t **pext, size_t *pextlen, + EVP_PKEY *pkey) +{ + char name[80]; + int nid, ret = 0; + size_t name_len; + + if (!EVP_PKEY_get_utf8_string_param(pkey, OSSL_PKEY_PARAM_GROUP_NAME, + name, sizeof(name), &name_len)) { + SSLerr(0, EC_R_MISSING_PARAMETERS); + return 0; + } + nid = OBJ_txt2nid(name); + if (nid == NID_undef) + goto end; + ret = tls1_set_groups(pext, pextlen, &nid, 1); +end: + EVP_PKEY_free(pkey); + return ret; +} +#endif + static int ssl3_set_req_cert_type(CERT *c, const unsigned char *p, size_t len); long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) 
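Review bot: The early `return 0;` in `ssl_set_tmp_ecdh_groups()`, taken when `EVP_PKEY_get_utf8_string_param()` fails, skips the `EVP_PKEY_free(pkey)` under `end:`, so the key handed over by the caller is leaked on that path. Every other exit frees `pkey`, so the function owns its argument; replacing that return with `goto end;` (`ret` is still 0 there) keeps the ownership rule uniform. The same branch uses `SSLerr(0, EC_R_MISSING_PARAMETERS)` while the rest of the change uses `ERR_raise(ERR_LIB_SSL, ...)`, and the `NID_undef` exit queues no error at all. A one-line comment above the function, `/* Takes ownership of pkey and frees it on all paths */`, would make the contract visible to callers.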
@@ -3472,33 +3496,28 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return ret; } -# endif +#endif case SSL_CTRL_SET_DH_AUTO: s->cert->dh_tmp_auto = larg; return 1; -#ifndef OPENSSL_NO_EC +#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DEPRECATED_3_0) case SSL_CTRL_SET_TMP_ECDH: { - const EC_GROUP *group = NULL; - int nid; + EVP_PKEY *pkecdh = NULL; if (parg == NULL) { ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER); return 0; } - group = EC_KEY_get0_group((const EC_KEY *)parg); - if (group == NULL) { - ERR_raise(ERR_LIB_SSL, EC_R_MISSING_PARAMETERS); + pkecdh = ssl_ecdh_to_pkey(parg); + if (pkecdh == NULL) { + ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); return 0; } - nid = EC_GROUP_get_curve_name(group); - if (nid == NID_undef) - return 0; - return tls1_set_groups(&s->ext.supportedgroups, - &s->ext.supportedgroups_len, - &nid, 1); + return ssl_set_tmp_ecdh_groups(&s->ext.supportedgroups, + &s->ext.supportedgroups_len, + pkecdh); } - break; #endif /* !OPENSSL_NO_EC */ case SSL_CTRL_SET_TLSEXT_HOSTNAME: /* 
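Review bot: In the `SSL_CTRL_SET_TMP_ECDH` case a NULL from `ssl_ecdh_to_pkey(parg)` is always reported as `ERR_R_MALLOC_FAILURE`, although the helper added in ssl/tls_depr.c also returns NULL when `EVP_PKEY_set1_EC_KEY()` rejects the key. The removed code raised `EC_R_MISSING_PARAMETERS` for a key without a group, so anyone diagnosing a bad `EC_KEY` from the error queue now sees an allocation failure instead; `ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB);` would be less misleading. The closing `#endif /* !OPENSSL_NO_EC */` comment no longer matches the condition, which now also tests `OPENSSL_NO_DEPRECATED_3_0`. Both remarks apply unchanged to the same case in `ssl3_ctx_ctrl()` in the next hunk.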
@@ -3816,27 +3835,23 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) case SSL_CTRL_SET_DH_AUTO: ctx->cert->dh_tmp_auto = larg; return 1; -#ifndef OPENSSL_NO_EC +#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DEPRECATED_3_0) case SSL_CTRL_SET_TMP_ECDH: { - const EC_GROUP *group = NULL; - int nid; + EVP_PKEY *pkecdh = NULL; if (parg == NULL) { ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER); return 0; } - group = EC_KEY_get0_group((const EC_KEY *)parg); - if (group == NULL) { - ERR_raise(ERR_LIB_SSL, EC_R_MISSING_PARAMETERS); + pkecdh = ssl_ecdh_to_pkey(parg); + if (pkecdh == NULL) { + ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); return 0; } - nid = EC_GROUP_get_curve_name(group); - if (nid == NID_undef) - return 0; - return tls1_set_groups(&ctx->ext.supportedgroups, - &ctx->ext.supportedgroups_len, - &nid, 1); + return ssl_set_tmp_ecdh_groups(&ctx->ext.supportedgroups, + &ctx->ext.supportedgroups_len, + pkecdh); } #endif /* !OPENSSL_NO_EC */ case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG: diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index 22ab387422..1819ccd981 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -2468,6 +2468,9 @@ __owur int ssl_encapsulate(SSL *s, EVP_PKEY *pubkey, unsigned char **ctp, size_t *ctlenp, int gensecret); __owur EVP_PKEY *ssl_dh_to_pkey(DH *dh); +# if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DEPRECATED_3_0) +__owur EVP_PKEY *ssl_ecdh_to_pkey(EC_KEY *ec); +# endif __owur unsigned int ssl_get_max_send_fragment(const SSL *ssl); __owur unsigned int ssl_get_split_send_fragment(const SSL *ssl); diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 60c17dd809..799ff357f8 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c 
@@ -818,32 +818,39 @@ void tls1_get_formatlist(SSL *s, const unsigned char **pformats, /* Check a key is compatible with compression extension */ static int tls1_check_pkey_comp(SSL *s, EVP_PKEY *pkey) { - const EC_KEY *ec; - const EC_GROUP *grp; unsigned char comp_id; size_t i; + char name[80]; + size_t name_len; + /* If not an EC key nothing to check */ if (!EVP_PKEY_is_a(pkey, "EC")) return 1; - ec = EVP_PKEY_get0_EC_KEY(pkey); - grp = EC_KEY_get0_group(ec); + + if (!EVP_PKEY_get_utf8_string_param(pkey, + OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT, + name, sizeof(name), &name_len)) + return 0; /* Get required compression id */ - if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_UNCOMPRESSED) { - comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; + if (strcasecmp(name, "uncompressed") == 0) { + comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; } else if (SSL_IS_TLS13(s)) { - /* - * ec_point_formats extension is not used in TLSv1.3 so we ignore - * this check. - */ - return 1; + /* + * ec_point_formats extension is not used in TLSv1.3 so we ignore + * this check. + */ + return 1; } else { - int field_type = EC_GROUP_get_field_type(grp); + if (!EVP_PKEY_get_utf8_string_param(pkey, + OSSL_PKEY_PARAM_EC_FIELD_TYPE, + name, sizeof(name), &name_len)) + return 0; - if (field_type == NID_X9_62_prime_field) + if (strcasecmp(name, SN_X9_62_prime_field) == 0) comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; - else if (field_type == NID_X9_62_characteristic_two_field) + else if (strcasecmp(name, SN_X9_62_characteristic_two_field) == 0) comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; else return 0; diff --git a/ssl/tls_depr.c b/ssl/tls_depr.c index 6f2103ad91..68b007b12d 100644 --- a/ssl/tls_depr.c +++ b/ssl/tls_depr.c 
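Review bot: In `tls1_check_pkey_comp()` both new `EVP_PKEY_get_utf8_string_param()` failures `return 0` without queuing an error, so a key whose point-format or field-type parameter cannot be read is indistinguishable from a key with an incompatible point format. The first lookup also runs before the `SSL_IS_TLS13(s)` branch, so if a provider does not export `OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT`, a TLS 1.3 handshake would presumably be refused over a parameter that branch says is unused. I would add a comment at the first lookup such as `/* Fail closed: an unreadable point format is treated as incompatible */` so the choice is explicit, and give the `"uncompressed"` literal a named constant to match the `SN_X9_62_*` comparisons below it. `name` is reused for two unrelated parameters, which a short comment or a second buffer would make easier to follow. The function body continues past the end of the hunk.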
@@ -159,5 +159,21 @@ EVP_PKEY *ssl_dh_to_pkey(DH *dh) return ret; } # endif -#endif +/* Some deprecated public APIs pass EC_KEY objects */ +# ifndef OPENSSL_NO_EC +EVP_PKEY *ssl_ecdh_to_pkey(EC_KEY *ec) +{ + EVP_PKEY *ret; + + if (ec == NULL) + return NULL; + ret = EVP_PKEY_new(); + if (EVP_PKEY_set1_EC_KEY(ret, ec) <= 0) { + EVP_PKEY_free(ret); + return NULL; + } + return ret; +} +# endif +#endif |
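Review bot: `ssl_ecdh_to_pkey()` passes the result of `EVP_PKEY_new()` straight to `EVP_PKEY_set1_EC_KEY()` without checking it, so the allocation-failure path is only safe if that callee rejects a NULL `pkey`; an explicit `if (ret == NULL) return NULL;` after the allocation removes that dependency. The definition is guarded by `# ifndef OPENSSL_NO_EC` while the prototype added to ssl/ssl_local.h also requires `!defined(OPENSSL_NO_DEPRECATED_3_0)`; the enclosing `#if` starts outside the hunk, so this may already be covered, but the two conditions should be confirmed to agree. The comment above the function could also state that the returned `EVP_PKEY` holds its own reference to `ec` and must be released by the caller with `EVP_PKEY_free()`.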