summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorjsing <>2015-09-10 09:10:42 +0000
committerjsing <>2015-09-10 09:10:42 +0000
commitbb55b96be5873414f5139ee6f86706b2f219123a (patch)
tree7e607278f29d9ff6cd6a4157a2b2362498680e58
parentf4a4d0ccce6152a6e48d345c33b3db9dbdaad529 (diff)
downloadopenbsd-bb55b96be5873414f5139ee6f86706b2f219123a.tar.gz
openbsd-bb55b96be5873414f5139ee6f86706b2f219123a.tar.bz2
openbsd-bb55b96be5873414f5139ee6f86706b2f219123a.zip
Add support for preferring the server's cipher list or the client's cipher
list. Prefer the server's cipher list by default. Based on a diff from Kyle Thompson <jmp at giga dot moe>. ok beck@ bcook@
Diffstat
-rw-r--r--src/lib/libtls/tls.h9
-rw-r--r--src/lib/libtls/tls_config.c16
-rw-r--r--src/lib/libtls/tls_init.321
-rw-r--r--src/lib/libtls/tls_internal.h3
-rw-r--r--src/lib/libtls/tls_server.c6
5 files changed, 47 insertions, 8 deletions
diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h
index 1a6257232c..579a97798e 100644
--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls.h,v 1.14 2015/09/09 19:23:04 beck Exp $ */ 1/* $OpenBSD: tls.h,v 1.15 2015/09/10 09:10:42 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -66,8 +66,8 @@ int tls_config_set_key_mem(struct tls_config *_config, const uint8_t *_key,
66void tls_config_set_protocols(struct tls_config *_config, uint32_t _protocols); 66void tls_config_set_protocols(struct tls_config *_config, uint32_t _protocols);
67void tls_config_set_verify_depth(struct tls_config *_config, int _verify_depth); 67void tls_config_set_verify_depth(struct tls_config *_config, int _verify_depth);
68 68
69void tls_config_clear_keys(struct tls_config *_config); 69void tls_config_prefer_ciphers_client(struct tls_config *_config);
70int tls_config_parse_protocols(uint32_t *_protocols, const char *_protostr); 70void tls_config_prefer_ciphers_server(struct tls_config *_config);
71 71
72void tls_config_insecure_noverifycert(struct tls_config *_config); 72void tls_config_insecure_noverifycert(struct tls_config *_config);
73void tls_config_insecure_noverifyname(struct tls_config *_config); 73void tls_config_insecure_noverifyname(struct tls_config *_config);
@@ -76,6 +76,9 @@ void tls_config_verify(struct tls_config *_config);
76void tls_config_verify_client(struct tls_config *_config); 76void tls_config_verify_client(struct tls_config *_config);
77void tls_config_verify_client_optional(struct tls_config *_config); 77void tls_config_verify_client_optional(struct tls_config *_config);
78 78
79void tls_config_clear_keys(struct tls_config *_config);
80int tls_config_parse_protocols(uint32_t *_protocols, const char *_protostr);
81
79struct tls *tls_client(void); 82struct tls *tls_client(void);
80struct tls *tls_server(void); 83struct tls *tls_server(void);
81int tls_configure(struct tls *_ctx, struct tls_config *_config); 84int tls_configure(struct tls *_ctx, struct tls_config *_config);
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index 2a0033b3bd..4d536853c8 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_config.c,v 1.11 2015/09/09 19:49:07 jsing Exp $ */ 1/* $OpenBSD: tls_config.c,v 1.12 2015/09/10 09:10:42 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -80,6 +80,8 @@ tls_config_new(void)
80 tls_config_set_protocols(config, TLS_PROTOCOLS_DEFAULT); 80 tls_config_set_protocols(config, TLS_PROTOCOLS_DEFAULT);
81 tls_config_set_verify_depth(config, 6); 81 tls_config_set_verify_depth(config, 6);
82 82
83 tls_config_prefer_ciphers_server(config);
84
83 tls_config_verify(config); 85 tls_config_verify(config);
84 86
85 return (config); 87 return (config);
@@ -283,6 +285,18 @@ tls_config_set_verify_depth(struct tls_config *config, int verify_depth)
283} 285}
284 286
285void 287void
288tls_config_prefer_ciphers_client(struct tls_config *config)
289{
290 config->ciphers_server = 0;
291}
292
293void
294tls_config_prefer_ciphers_server(struct tls_config *config)
295{
296 config->ciphers_server = 1;
297}
298
299void
286tls_config_insecure_noverifycert(struct tls_config *config) 300tls_config_insecure_noverifycert(struct tls_config *config)
287{ 301{
288 config->verify_cert = 0; 302 config->verify_cert = 0;
diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3
index 16495112ff..17822d444d 100644
--- a/src/lib/libtls/tls_init.3
+++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
1.\" $OpenBSD: tls_init.3,v 1.25 2015/07/19 17:10:23 jmc Exp $ 1.\" $OpenBSD: tls_init.3,v 1.26 2015/09/10 09:10:42 jsing Exp $
2.\" 2.\"
3.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org> 3.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
4.\" 4.\"
@@ -14,7 +14,7 @@
14.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 14.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 15.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16.\" 16.\"
17.Dd $Mdocdate: July 19 2015 $ 17.Dd $Mdocdate: September 10 2015 $
18.Dt TLS_INIT 3 18.Dt TLS_INIT 3
19.Os 19.Os
20.Sh NAME 20.Sh NAME
@@ -35,6 +35,8 @@
35.Nm tls_config_set_key_mem , 35.Nm tls_config_set_key_mem ,
36.Nm tls_config_set_protocols , 36.Nm tls_config_set_protocols ,
37.Nm tls_config_set_verify_depth , 37.Nm tls_config_set_verify_depth ,
38.Nm tls_config_prefer_ciphers_client ,
39.Nm tls_config_prefer_ciphers_server ,
38.Nm tls_config_clear_keys , 40.Nm tls_config_clear_keys ,
39.Nm tls_config_insecure_noverifycert , 41.Nm tls_config_insecure_noverifycert ,
40.Nm tls_config_insecure_noverifyname , 42.Nm tls_config_insecure_noverifyname ,
@@ -92,6 +94,10 @@
92.Ft "void" 94.Ft "void"
93.Fn tls_config_set_verify_depth "struct tls_config *config" "int verify_depth" 95.Fn tls_config_set_verify_depth "struct tls_config *config" "int verify_depth"
94.Ft "void" 96.Ft "void"
97.Fn tls_config_prefer_ciphers_client "struct tls_config *config"
98.Ft "void"
99.Fn tls_config_prefer_ciphers_server "struct tls_config *config"
100.Ft "void"
95.Fn tls_config_clear_keys "struct tls_config *config" 101.Fn tls_config_clear_keys "struct tls_config *config"
96.Ft "void" 102.Ft "void"
97.Fn tls_config_insecure_noverifycert "struct tls_config *config" 103.Fn tls_config_insecure_noverifycert "struct tls_config *config"
@@ -291,6 +297,17 @@ Additionally, the values
291(TLSv1.2 only) may be used. 297(TLSv1.2 only) may be used.
292.Em (Client and server) 298.Em (Client and server)
293.It 299.It
300.Fn tls_config_prefer_ciphers_client
301prefers ciphers in the client's cipher list when selecting a cipher suite.
302This is considered to be less secure than preferring the server's list.
303.Em (Server)
304.It
305.Fn tls_config_prefer_ciphers_server
306prefers ciphers in the server's cipher list when selecting a cipher suite.
307This is considered to be more secure than preferring the client's list and is
308the default.
309.Em (Server)
310.It
294.Fn tls_config_clear_keys 311.Fn tls_config_clear_keys
295clears any secret keys from memory. 312clears any secret keys from memory.
296.Em (Server) 313.Em (Server)
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index 58834c999f..78ae542cb6 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_internal.h,v 1.16 2015/09/09 19:23:04 beck Exp $ */ 1/* $OpenBSD: tls_internal.h,v 1.17 2015/09/10 09:10:42 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> 3 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
4 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -35,6 +35,7 @@ struct tls_config {
35 char *cert_mem; 35 char *cert_mem;
36 size_t cert_len; 36 size_t cert_len;
37 const char *ciphers; 37 const char *ciphers;
38 int ciphers_server;
38 int dheparams; 39 int dheparams;
39 int ecdhecurve; 40 int ecdhecurve;
40 const char *key_file; 41 const char *key_file;
diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c
index 8fa876c6fd..a3cee09596 100644
--- a/src/lib/libtls/tls_server.c
+++ b/src/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_server.c,v 1.13 2015/09/09 19:49:07 jsing Exp $ */ 1/* $OpenBSD: tls_server.c,v 1.14 2015/09/10 09:10:42 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -88,6 +88,10 @@ tls_configure_server(struct tls *ctx)
88 EC_KEY_free(ecdh_key); 88 EC_KEY_free(ecdh_key);
89 } 89 }
90 90
91 if (ctx->config->ciphers_server == 1)
92 SSL_CTX_set_options(ctx->ssl_ctx,
93 SSL_OP_CIPHER_SERVER_PREFERENCE);
94
91 /* 95 /*
92 * Set session ID context to a random value. We don't support 96 * Set session ID context to a random value. We don't support
93 * persistent caching of sessions so it is OK to set a temporary 97 * persistent caching of sessions so it is OK to set a temporary
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-21 01:01:01 +0000