author | jsing <> | 2024-07-19 08:54:31 +0000 |
---|---|---|
committer | jsing <> | 2024-07-19 08:54:31 +0000 |
commit | f8eff50c9ac6772239e96a6d2031a83bac497a15 (patch) | |
tree | faf36fc4d6d297dc2dbbbf4f2ae929c52d7b8659 | |
parent | 3fa5af1454ae7609f20a01e928e9cbba8f9df68f (diff) | |
Move client ciphers from SSL_SESSION to SSL_HANDSHAKE.
SSL_SESSION has a 'ciphers' member which contains a list of ciphers
that were advertised by the client. Move this from SSL_SESSION to
SSL_HANDSHAKE and rename it to match reality.
ok tb@
-rw-r--r-- | src/lib/libssl/s3_lib.c | 6 | ||||
-rw-r--r-- | src/lib/libssl/ssl_lib.c | 10 | ||||
-rw-r--r-- | src/lib/libssl/ssl_local.h | 7 | ||||
-rw-r--r-- | src/lib/libssl/ssl_sess.c | 9 | ||||
-rw-r--r-- | src/lib/libssl/ssl_srvr.c | 16 | ||||
-rw-r--r-- | src/lib/libssl/tls13_server.c | 6 |
6 files changed, 26 insertions, 28 deletions
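--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.254 2024/07/16 14:38:04 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.255 2024/07/19 08:54:31 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1478,6 +1478,8 @@ ssl3_free(SSL *s)
 	tls_buffer_free(s->s3->handshake_fragment);
 
 	freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len);
+
+	sk_SSL_CIPHER_free(s->s3->hs.client_ciphers);
 	sk_X509_pop_free(s->s3->hs.peer_certs, X509_free);
 	sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free);
 	sk_X509_pop_free(s->s3->hs.verified_chain, X509_free);
@@ -1522,6 +1524,8 @@ ssl3_clear(SSL *s)
 	s->s3->hs.sigalgs = NULL;
 	s->s3->hs.sigalgs_len = 0;
 
+	sk_SSL_CIPHER_free(s->s3->hs.client_ciphers);
+	s->s3->hs.client_ciphers = NULL;
 	sk_X509_pop_free(s->s3->hs.peer_certs, X509_free);
 	s->s3->hs.peer_certs = NULL;
 	sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free);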
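--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.326 2024/07/11 13:48:52 tb Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.327 2024/07/19 08:54:31 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1528,9 +1528,9 @@ LSSL_ALIAS(SSL_get_ciphers);
 STACK_OF(SSL_CIPHER) *
 SSL_get_client_ciphers(const SSL *s)
 {
-	if (s == NULL || s->session == NULL || !s->server)
+	if (s == NULL || !s->server)
 		return NULL;
-	return s->session->ciphers;
+	return s->s3->hs.client_ciphers;
 }
 LSSL_ALIAS(SSL_get_client_ciphers);
 
@@ -1713,10 +1713,10 @@ SSL_get_shared_ciphers(const SSL *s, char *buf, int len)
 	char *end;
 	int i;
 
-	if (!s->server || s->session == NULL || len < 2)
+	if (!s->server || len < 2)
 		return NULL;
 
-	if ((client_ciphers = s->session->ciphers) == NULL)
+	if ((client_ciphers = s->s3->hs.client_ciphers) == NULL)
 		return NULL;
 	if ((server_ciphers = SSL_get_ciphers(s)) == NULL)
 		return NULL;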
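Review bot: The object returned by SSL_get_client_ciphers() at line 1533 now has a different lifetime than before, and nothing in the hunk documents it for API consumers: the list is owned by the handshake state and, per the s3_lib.c hunks in this commit, is freed by ssl3_clear() and ssl3_free(), so a caller that previously kept the pointer alongside its SSL_SESSION would now hold a dangling reference after SSL_clear(). I would add above the definition: `/* Ciphers advertised by the client in the current handshake. Owned by the SSL; the returned stack is invalidated by SSL_clear()/SSL_free() and must not be freed by the caller. */`. The dropped `s->session == NULL` check is not replaced by a check on `s->s3`; presumably `s->s3` is always allocated for a live SSL, which is worth confirming, since both this function and SSL_get_shared_ciphers() at line 1719 now dereference it unconditionally. SSL_get_shared_ciphers() continues outside the hunk.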
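--- a/src/lib/libssl/ssl_local.h
+++ b/src/lib/libssl/ssl_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_local.h,v 1.19 2024/07/16 14:38:04 jsing Exp $ */
+/* $OpenBSD: ssl_local.h,v 1.20 2024/07/19 08:54:31 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -443,8 +443,6 @@ struct ssl_session_st {
 	 * needs to be used to load
 	 * the 'cipher' structure */
 
-	STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */
-
 	char *tlsext_hostname;
 
 	/* Session resumption - RFC 5077 and RFC 8446. */
@@ -568,6 +566,9 @@ typedef struct ssl_handshake_st {
 	/* Cipher being negotiated in this handshake. */
 	const SSL_CIPHER *cipher;
 
+	/* Ciphers sent by the client. */
+	STACK_OF(SSL_CIPHER) *client_ciphers;
+
 	/* Extensions seen in this handshake. */
 	uint32_t extensions_seen;
 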
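--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.125 2024/03/27 06:47:52 tb Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.126 2024/07/19 08:54:31 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -290,11 +290,6 @@ ssl_session_dup(SSL_SESSION *sess, int include_ticket)
 	copy->cipher = sess->cipher;
 	copy->cipher_id = sess->cipher_id;
 
-	if (sess->ciphers != NULL) {
-		if ((copy->ciphers = sk_SSL_CIPHER_dup(sess->ciphers)) == NULL)
-			goto err;
-	}
-
 	if (sess->tlsext_hostname != NULL) {
 		copy->tlsext_hostname = strdup(sess->tlsext_hostname);
 		if (copy->tlsext_hostname == NULL)
@@ -881,8 +876,6 @@ SSL_SESSION_free(SSL_SESSION *ss)
 
 	X509_free(ss->peer_cert);
 
-	sk_SSL_CIPHER_free(ss->ciphers);
-
 	free(ss->tlsext_hostname);
 	free(ss->tlsext_tick);
 	free(ss->tlsext_ecpointformatlist);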
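--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.161 2024/06/25 14:10:45 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.162 2024/07/19 08:54:31 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1078,13 +1078,13 @@ ssl3_get_client_hello(SSL *s)
 		s->hit = 1;
 		s->session->verify_result = X509_V_OK;
 
-		sk_SSL_CIPHER_free(s->session->ciphers);
-		s->session->ciphers = ciphers;
+		sk_SSL_CIPHER_free(s->s3->hs.client_ciphers);
+		s->s3->hs.client_ciphers = ciphers;
 		ciphers = NULL;
 
 		/* Check if some cipher was preferred by the callback. */
 		if (pref_cipher == NULL)
-			pref_cipher = ssl3_choose_cipher(s, s->session->ciphers,
+			pref_cipher = ssl3_choose_cipher(s, s->s3->hs.client_ciphers,
 			    SSL_get_ciphers(s));
 		if (pref_cipher == NULL) {
 			al = SSL_AD_HANDSHAKE_FAILURE;
@@ -1094,7 +1094,7 @@ ssl3_get_client_hello(SSL *s)
 		s->session->cipher = pref_cipher;
 
 		sk_SSL_CIPHER_free(s->cipher_list);
-		s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
+		s->cipher_list = sk_SSL_CIPHER_dup(s->s3->hs.client_ciphers);
 	}
 
 	/*
@@ -1108,11 +1108,11 @@ ssl3_get_client_hello(SSL *s)
 		SSLerror(s, SSL_R_NO_CIPHERS_PASSED);
 		goto fatal_err;
 	}
-	sk_SSL_CIPHER_free(s->session->ciphers);
-	s->session->ciphers = ciphers;
+	sk_SSL_CIPHER_free(s->s3->hs.client_ciphers);
+	s->s3->hs.client_ciphers = ciphers;
 	ciphers = NULL;
 
-	if ((c = ssl3_choose_cipher(s, s->s3->hs.client_ciphers,
+	if ((c = ssl3_choose_cipher(s, s->s3->hs.client_ciphers,
 	    SSL_get_ciphers(s))) == NULL) {
 		al = SSL_AD_HANDSHAKE_FAILURE;
 		SSLerror(s, SSL_R_NO_SHARED_CIPHER);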
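Review bot: The rewritten line 1097, `s->cipher_list = sk_SSL_CIPHER_dup(s->s3->hs.client_ciphers);`, still discards a NULL return from sk_SSL_CIPHER_dup(), so an allocation failure during a resumed handshake silently leaves s->cipher_list NULL instead of failing the handshake; this predates the commit, but the line was touched and the two sibling assignments at lines 1081 and 1111 show the pattern the commit relies on. I would check the result and route to the function's existing error path, e.g. `if ((s->cipher_list = sk_SSL_CIPHER_dup(s->s3->hs.client_ciphers)) == NULL) goto err;`, using whichever of the labels (fatal_err is visible at line 1109; any plain err label is outside the hunk) matches the other allocation failures in this function. The same storage change is made to the TLS 1.3 path in tls13_server.c in this commit. ssl3_get_client_hello() starts and ends outside these hunks.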
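--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.106 2023/06/10 15:34:36 tb Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.107 2024/07/19 08:54:31 jsing Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -275,8 +275,8 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
 	}
 	ctx->hs->cipher = cipher;
 
-	sk_SSL_CIPHER_free(s->session->ciphers);
-	s->session->ciphers = ciphers;
+	sk_SSL_CIPHER_free(s->s3->hs.client_ciphers);
+	s->s3->hs.client_ciphers = ciphers;
 	ciphers = NULL;
 
 	/* Ensure only the NULL compression method is advertised. */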
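Review bot: Lines 278-279 reach the handshake state as `s->s3->hs.client_ciphers` while line 276, two lines above, writes the same state as `ctx->hs->cipher`; if `ctx->hs` is the handle to `&s->s3->hs` that the adjacent assignment suggests (worth confirming in tls13_ctx), the new lines should use it too: `sk_SSL_CIPHER_free(ctx->hs->client_ciphers);` and `ctx->hs->client_ciphers = ciphers;`. That keeps this function on a single accessor for the handshake struct, which matters here because ownership of the list now lives in that struct rather than in the session. tls13_client_hello_process() starts and ends outside the hunk.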