isaacpittman-hitachi / rpms / openssl

Forked from rpms/openssl 2 years ago
Clone

Blame SOURCES/openssl-1.1.1-tls13-curves.patch

b3353e
diff -up openssl-1.1.1g/ssl/ssl_local.h.tls13-curves openssl-1.1.1g/ssl/ssl_local.h
b3353e
--- openssl-1.1.1g/ssl/ssl_local.h.tls13-curves	2021-04-26 17:11:17.851072025 +0200
b3353e
+++ openssl-1.1.1g/ssl/ssl_local.h	2021-04-26 17:12:11.551756124 +0200
b3353e
@@ -1517,6 +1517,7 @@ typedef struct tls_group_info_st {
b3353e
 # define TLS_CURVE_CHAR2         0x1
b3353e
 # define TLS_CURVE_CUSTOM        0x2
b3353e
 # define TLS_CURVE_FIPS          0x80
b3353e
+# define TLS_CURVE_TLS1_3        0x100
b3353e
 
b3353e
 typedef struct cert_pkey_st CERT_PKEY;
b3353e
 
b3353e
diff -up openssl-1.1.1g/ssl/t1_lib.c.tls13-curves openssl-1.1.1g/ssl/t1_lib.c
b3353e
--- openssl-1.1.1g/ssl/t1_lib.c.tls13-curves	2021-04-26 17:11:30.237999157 +0200
b3353e
+++ openssl-1.1.1g/ssl/t1_lib.c	2021-04-26 17:13:51.161170191 +0200
b3353e
@@ -161,14 +161,14 @@ static const TLS_GROUP_INFO nid_list[] =
b3353e
     {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
b3353e
     {NID_secp224r1, 112, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp224r1 (21) */
b3353e
     {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
b3353e
-    {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp256r1 (23) */
b3353e
-    {NID_secp384r1, 192, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp384r1 (24) */
b3353e
-    {NID_secp521r1, 256, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp521r1 (25) */
b3353e
+    {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME | TLS_CURVE_FIPS | TLS_CURVE_TLS1_3}, /* secp256r1 (23) */
b3353e
+    {NID_secp384r1, 192, TLS_CURVE_PRIME | TLS_CURVE_FIPS | TLS_CURVE_TLS1_3}, /* secp384r1 (24) */
b3353e
+    {NID_secp521r1, 256, TLS_CURVE_PRIME | TLS_CURVE_FIPS | TLS_CURVE_TLS1_3}, /* secp521r1 (25) */
b3353e
     {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
b3353e
     {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
b3353e
     {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
b3353e
-    {EVP_PKEY_X25519, 128, TLS_CURVE_CUSTOM}, /* X25519 (29) */
b3353e
-    {EVP_PKEY_X448, 224, TLS_CURVE_CUSTOM}, /* X448 (30) */
b3353e
+    {EVP_PKEY_X25519, 128, TLS_CURVE_CUSTOM | TLS_CURVE_TLS1_3}, /* X25519 (29) */
b3353e
+    {EVP_PKEY_X448, 224, TLS_CURVE_CUSTOM | TLS_CURVE_TLS1_3}, /* X448 (30) */
b3353e
 };
b3353e
 
b3353e
 static const unsigned char ecformats_default[] = {
b3353e
@@ -260,6 +260,8 @@ int tls_curve_allowed(SSL *s, uint16_t c
b3353e
 # endif
b3353e
     if (FIPS_mode() && !(cinfo->flags & TLS_CURVE_FIPS))
b3353e
         return 0;
b3353e
+    if (s->version >= TLS1_3_VERSION && !(cinfo->flags & TLS_CURVE_TLS1_3))
b3353e
+        return 0;
b3353e
     ctmp[0] = curve >> 8;
b3353e
     ctmp[1] = curve & 0xff;
b3353e
     return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)ctmp);