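diff -up openssl-1.1.1g/ssl/ssl_local.h.tls13-curves openssl-1.1.1g/ssl/ssl_local.h
--- openssl-1.1.1g/ssl/ssl_local.h.tls13-curves 2021-04-26 17:11:17.851072025 +0200
+++ openssl-1.1.1g/ssl/ssl_local.h 2021-04-26 17:12:11.551756124 +0200
@@ -1517,6 +1517,7 @@ typedef struct tls_group_info_st {
 # define TLS_CURVE_CHAR2 0x1
 # define TLS_CURVE_CUSTOM 0x2
 # define TLS_CURVE_FIPS 0x80
+# define TLS_CURVE_TLS1_3 0x100
 
 typedef struct cert_pkey_st CERT_PKEY;
 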
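Review bot: `TLS_CURVE_TLS1_3` at 0x100 is the first flag above bit 7, and the `flags` member of `tls_group_info_st` is declared outside this hunk, so confirm it is wider than 8 bits. If it were not, the bit would be truncated in `nid_list` and the new check in t1_lib.c would reject every group once TLS 1.3 is in play. The define also has no comment; something like `/* group may be negotiated in TLS 1.3 */` would record the intent next to the other flag bits.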
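diff -up openssl-1.1.1g/ssl/t1_lib.c.tls13-curves openssl-1.1.1g/ssl/t1_lib.c
--- openssl-1.1.1g/ssl/t1_lib.c.tls13-curves 2021-04-26 17:11:30.237999157 +0200
+++ openssl-1.1.1g/ssl/t1_lib.c 2021-04-26 17:13:51.161170191 +0200
@@ -161,14 +161,14 @@ static const TLS_GROUP_INFO nid_list[] =
 {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
 {NID_secp224r1, 112, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp224r1 (21) */
 {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
- {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp256r1 (23) */
- {NID_secp384r1, 192, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp384r1 (24) */
- {NID_secp521r1, 256, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp521r1 (25) */
+ {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME | TLS_CURVE_FIPS | TLS_CURVE_TLS1_3}, /* secp256r1 (23) */
+ {NID_secp384r1, 192, TLS_CURVE_PRIME | TLS_CURVE_FIPS | TLS_CURVE_TLS1_3}, /* secp384r1 (24) */
+ {NID_secp521r1, 256, TLS_CURVE_PRIME | TLS_CURVE_FIPS | TLS_CURVE_TLS1_3}, /* secp521r1 (25) */
 {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
 {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
 {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
- {EVP_PKEY_X25519, 128, TLS_CURVE_CUSTOM}, /* X25519 (29) */
- {EVP_PKEY_X448, 224, TLS_CURVE_CUSTOM}, /* X448 (30) */
+ {EVP_PKEY_X25519, 128, TLS_CURVE_CUSTOM | TLS_CURVE_TLS1_3}, /* X25519 (29) */
+ {EVP_PKEY_X448, 224, TLS_CURVE_CUSTOM | TLS_CURVE_TLS1_3}, /* X448 (30) */
 };
 
 static const unsigned char ecformats_default[] = {
@@ -260,6 +260,8 @@ int tls_curve_allowed(SSL *s, uint16_t c
 # endif
 if (FIPS_mode() && !(cinfo->flags & TLS_CURVE_FIPS))
 return 0;
+ if (s->version >= TLS1_3_VERSION && !(cinfo->flags & TLS_CURVE_TLS1_3))
+ return 0;
 ctmp[0] = curve >> 8;
 ctmp[1] = curve & 0xff;
 return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)ctmp);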
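Review bot: The added check in tls_curve_allowed compares `s->version` numerically with `TLS1_3_VERSION` without excluding DTLS, and DTLS version numbers (0xFEFF, 0xFEFD) are numerically larger than 0x0304, so DTLS handshakes would also be limited to the groups flagged `TLS_CURVE_TLS1_3`. If that is not intended, guard it as `if (!SSL_IS_DTLS(s) && s->version >= TLS1_3_VERSION && !(cinfo->flags & TLS_CURVE_TLS1_3))`. It is also worth confirming what `s->version` holds when a client builds its supported_groups list before the version is negotiated; if it already equals the highest offered version, a client that offers TLS 1.3 would stop advertising brainpool and the other unflagged curves for a TLS 1.2 fallback too. Both effects fail closed, so the exposure is interoperability rather than a weaker handshake, but a comment stating the intended scope would help the next auditor. The body of tls_curve_allowed starts before this hunk, so earlier conditions are not visible here.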