diff options
| author | jsing <> | 2024-07-22 14:47:15 +0000 |
|---|---|---|
| committer | jsing <> | 2024-07-22 14:47:15 +0000 |
| commit | 4fbee6b90386fa14be274db8ba947f951bc6de4c (patch) | |
| tree | 888e24c700579e2d75b6c8c0c8c7543008acc2ae /src/lib/libssl/ssl_asn1.c | |
| parent | de2497dade37f29dbde49f4162d9cba984e350cf (diff) | |
| download | openbsd-4fbee6b90386fa14be274db8ba947f951bc6de4c.tar.gz openbsd-4fbee6b90386fa14be274db8ba947f951bc6de4c.tar.bz2 openbsd-4fbee6b90386fa14be274db8ba947f951bc6de4c.zip | |
Use cipher suite values instead of IDs.
OpenSSL has had the concept of cipher IDs, which were a way of working
around overlapping cipher suite values between SSLv2 and SSLv3. Given
that we no longer have to deal with this issue, replace the use of IDs
with cipher suite values. In particular, this means that we can stop
mapping back and forth between the two, simplifying things considerably.
While here, remove the 'valid' member of the SSL_CIPHER. The ssl3_ciphers[]
table is no longer mutable, meaning that ciphers cannot be disabled at
runtime (and we have `#if 0' if we want to do it at compile time).
Clean up the comments and add/update RFC references for cipher suites.
ok tb@
Diffstat (limited to 'src/lib/libssl/ssl_asn1.c')
| -rw-r--r-- | src/lib/libssl/ssl_asn1.c | 18 |
1 files changed, 7 insertions, 11 deletions
diff --git a/src/lib/libssl/ssl_asn1.c b/src/lib/libssl/ssl_asn1.c index ef34cbdb04..fcf4631a59 100644 --- a/src/lib/libssl/ssl_asn1.c +++ b/src/lib/libssl/ssl_asn1.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_asn1.c,v 1.68 2024/07/20 04:04:23 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_asn1.c,v 1.69 2024/07/22 14:47:15 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2016 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2016 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -51,7 +51,6 @@ SSL_SESSION_encode(SSL_SESSION *s, unsigned char **out, size_t *out_len, | |||
| 51 | CBB peer_cert, sidctx, verify_result, hostname, lifetime, ticket, value; | 51 | CBB peer_cert, sidctx, verify_result, hostname, lifetime, ticket, value; |
| 52 | unsigned char *peer_cert_bytes = NULL; | 52 | unsigned char *peer_cert_bytes = NULL; |
| 53 | int len, rv = 0; | 53 | int len, rv = 0; |
| 54 | uint16_t cid; | ||
| 55 | 54 | ||
| 56 | if (!CBB_init(&cbb, 0)) | 55 | if (!CBB_init(&cbb, 0)) |
| 57 | goto err; | 56 | goto err; |
| @@ -69,11 +68,10 @@ SSL_SESSION_encode(SSL_SESSION *s, unsigned char **out, size_t *out_len, | |||
| 69 | if (!CBB_add_asn1_uint64(&session, s->ssl_version)) | 68 | if (!CBB_add_asn1_uint64(&session, s->ssl_version)) |
| 70 | goto err; | 69 | goto err; |
| 71 | 70 | ||
| 72 | /* Cipher suite ID. */ | 71 | /* Cipher suite value. */ |
| 73 | cid = (uint16_t)(s->cipher_id & SSL3_CK_VALUE_MASK); | ||
| 74 | if (!CBB_add_asn1(&session, &cipher_suite, CBS_ASN1_OCTETSTRING)) | 72 | if (!CBB_add_asn1(&session, &cipher_suite, CBS_ASN1_OCTETSTRING)) |
| 75 | goto err; | 73 | goto err; |
| 76 | if (!CBB_add_u16(&cipher_suite, cid)) | 74 | if (!CBB_add_u16(&cipher_suite, s->cipher_value)) |
| 77 | goto err; | 75 | goto err; |
| 78 | 76 | ||
| 79 | /* Session ID - zero length for a ticket. */ | 77 | /* Session ID - zero length for a ticket. */ |
| @@ -193,7 +191,7 @@ SSL_SESSION_ticket(SSL_SESSION *ss, unsigned char **out, size_t *out_len) | |||
| 193 | if (ss == NULL) | 191 | if (ss == NULL) |
| 194 | return 0; | 192 | return 0; |
| 195 | 193 | ||
| 196 | if (ss->cipher_id == 0) | 194 | if (ss->cipher_value == 0) |
| 197 | return 0; | 195 | return 0; |
| 198 | 196 | ||
| 199 | return SSL_SESSION_encode(ss, out, out_len, 1); | 197 | return SSL_SESSION_encode(ss, out, out_len, 1); |
| @@ -209,7 +207,7 @@ i2d_SSL_SESSION(SSL_SESSION *ss, unsigned char **pp) | |||
| 209 | if (ss == NULL) | 207 | if (ss == NULL) |
| 210 | return 0; | 208 | return 0; |
| 211 | 209 | ||
| 212 | if (ss->cipher_id == 0) | 210 | if (ss->cipher_value == 0) |
| 213 | return 0; | 211 | return 0; |
| 214 | 212 | ||
| 215 | if (!SSL_SESSION_encode(ss, &data, &data_len, 0)) | 213 | if (!SSL_SESSION_encode(ss, &data, &data_len, 0)) |
| @@ -244,7 +242,6 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length) | |||
| 244 | CBS hostname, ticket; | 242 | CBS hostname, ticket; |
| 245 | uint64_t version, tls_version, stime, timeout, verify_result, lifetime; | 243 | uint64_t version, tls_version, stime, timeout, verify_result, lifetime; |
| 246 | const unsigned char *peer_cert_bytes; | 244 | const unsigned char *peer_cert_bytes; |
| 247 | uint16_t cipher_value; | ||
| 248 | SSL_SESSION *s = NULL; | 245 | SSL_SESSION *s = NULL; |
| 249 | size_t data_len; | 246 | size_t data_len; |
| 250 | int present; | 247 | int present; |
| @@ -277,14 +274,13 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length) | |||
| 277 | goto err; | 274 | goto err; |
| 278 | s->ssl_version = (int)tls_version; | 275 | s->ssl_version = (int)tls_version; |
| 279 | 276 | ||
| 280 | /* Cipher suite. */ | 277 | /* Cipher suite value. */ |
| 281 | if (!CBS_get_asn1(&session, &cipher_suite, CBS_ASN1_OCTETSTRING)) | 278 | if (!CBS_get_asn1(&session, &cipher_suite, CBS_ASN1_OCTETSTRING)) |
| 282 | goto err; | 279 | goto err; |
| 283 | if (!CBS_get_u16(&cipher_suite, &cipher_value)) | 280 | if (!CBS_get_u16(&cipher_suite, &s->cipher_value)) |
| 284 | goto err; | 281 | goto err; |
| 285 | if (CBS_len(&cipher_suite) != 0) | 282 | if (CBS_len(&cipher_suite) != 0) |
| 286 | goto err; | 283 | goto err; |
| 287 | s->cipher_id = SSL3_CK_ID | cipher_value; | ||
| 288 | 284 | ||
| 289 | /* Session ID. */ | 285 | /* Session ID. */ |
| 290 | if (!CBS_get_asn1(&session, &session_id, CBS_ASN1_OCTETSTRING)) | 286 | if (!CBS_get_asn1(&session, &session_id, CBS_ASN1_OCTETSTRING)) |