diff options
| author | jsing <> | 2024-07-22 14:47:15 +0000 |
|---|---|---|
| committer | jsing <> | 2024-07-22 14:47:15 +0000 |
| commit | 4fbee6b90386fa14be274db8ba947f951bc6de4c (patch) | |
| tree | 888e24c700579e2d75b6c8c0c8c7543008acc2ae /src/lib/libssl/ssl_ciph.c | |
| parent | de2497dade37f29dbde49f4162d9cba984e350cf (diff) | |
| download | openbsd-4fbee6b90386fa14be274db8ba947f951bc6de4c.tar.gz openbsd-4fbee6b90386fa14be274db8ba947f951bc6de4c.tar.bz2 openbsd-4fbee6b90386fa14be274db8ba947f951bc6de4c.zip | |
Use cipher suite values instead of IDs.
OpenSSL has had the concept of cipher IDs, which were a way of working
around overlapping cipher suite values between SSLv2 and SSLv3. Given
that we no longer have to deal with this issue, replace the use of IDs
with cipher suite values. In particular, this means that we can stop
mapping back and forth between the two, simplifying things considerably.
While here, remove the 'valid' member of the SSL_CIPHER. The ssl3_ciphers[]
table is no longer mutable, meaning that ciphers cannot be disabled at
runtime (and we have `#if 0' if we want to do it at compile time).
Clean up the comments and add/update RFC references for cipher suites.
ok tb@
Diffstat (limited to '')
| -rw-r--r-- | src/lib/libssl/ssl_ciph.c | 56 |
1 files changed, 26 insertions, 30 deletions
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c index 7c32354902..dce141101d 100644 --- a/src/lib/libssl/ssl_ciph.c +++ b/src/lib/libssl/ssl_ciph.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_ciph.c,v 1.145 2024/07/20 04:04:23 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_ciph.c,v 1.146 2024/07/22 14:47:15 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -373,21 +373,18 @@ static const SSL_CIPHER cipher_aliases[] = { | |||
| 373 | /* cipher suite aliases */ | 373 | /* cipher suite aliases */ |
| 374 | #ifdef LIBRESSL_HAS_TLS1_3 | 374 | #ifdef LIBRESSL_HAS_TLS1_3 |
| 375 | { | 375 | { |
| 376 | .valid = 1, | 376 | .value = 0x1301, |
| 377 | .name = "TLS_AES_128_GCM_SHA256", | 377 | .name = "TLS_AES_128_GCM_SHA256", |
| 378 | .id = TLS1_3_CK_AES_128_GCM_SHA256, | ||
| 379 | .algorithm_ssl = SSL_TLSV1_3, | 378 | .algorithm_ssl = SSL_TLSV1_3, |
| 380 | }, | 379 | }, |
| 381 | { | 380 | { |
| 382 | .valid = 1, | 381 | .value = 0x1302, |
| 383 | .name = "TLS_AES_256_GCM_SHA384", | 382 | .name = "TLS_AES_256_GCM_SHA384", |
| 384 | .id = TLS1_3_CK_AES_256_GCM_SHA384, | ||
| 385 | .algorithm_ssl = SSL_TLSV1_3, | 383 | .algorithm_ssl = SSL_TLSV1_3, |
| 386 | }, | 384 | }, |
| 387 | { | 385 | { |
| 388 | .valid = 1, | 386 | .value = 0x1303, |
| 389 | .name = "TLS_CHACHA20_POLY1305_SHA256", | 387 | .name = "TLS_CHACHA20_POLY1305_SHA256", |
| 390 | .id = TLS1_3_CK_CHACHA20_POLY1305_SHA256, | ||
| 391 | .algorithm_ssl = SSL_TLSV1_3, | 388 | .algorithm_ssl = SSL_TLSV1_3, |
| 392 | }, | 389 | }, |
| 393 | #endif | 390 | #endif |
| @@ -619,7 +616,7 @@ ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, int num_of_ciphers, | |||
| 619 | * Drop any invalid ciphers and any which use unavailable | 616 | * Drop any invalid ciphers and any which use unavailable |
| 620 | * algorithms. | 617 | * algorithms. |
| 621 | */ | 618 | */ |
| 622 | if ((c != NULL) && c->valid && | 619 | if ((c != NULL) && |
| 623 | !(c->algorithm_mkey & disabled_mkey) && | 620 | !(c->algorithm_mkey & disabled_mkey) && |
| 624 | !(c->algorithm_auth & disabled_auth) && | 621 | !(c->algorithm_auth & disabled_auth) && |
| 625 | !(c->algorithm_enc & disabled_enc) && | 622 | !(c->algorithm_enc & disabled_enc) && |
| @@ -725,7 +722,7 @@ ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list, int num_of_group_aliases, | |||
| 725 | } | 722 | } |
| 726 | 723 | ||
| 727 | static void | 724 | static void |
| 728 | ssl_cipher_apply_rule(unsigned long cipher_id, unsigned long alg_mkey, | 725 | ssl_cipher_apply_rule(uint16_t cipher_value, unsigned long alg_mkey, |
| 729 | unsigned long alg_auth, unsigned long alg_enc, unsigned long alg_mac, | 726 | unsigned long alg_auth, unsigned long alg_enc, unsigned long alg_mac, |
| 730 | unsigned long alg_ssl, unsigned long algo_strength, int rule, | 727 | unsigned long alg_ssl, unsigned long algo_strength, int rule, |
| 731 | int strength_bits, CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) | 728 | int strength_bits, CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) |
| @@ -757,7 +754,7 @@ ssl_cipher_apply_rule(unsigned long cipher_id, unsigned long alg_mkey, | |||
| 757 | 754 | ||
| 758 | cp = curr->cipher; | 755 | cp = curr->cipher; |
| 759 | 756 | ||
| 760 | if (cipher_id && cp->id != cipher_id) | 757 | if (cipher_value != 0 && cp->value != cipher_value) |
| 761 | continue; | 758 | continue; |
| 762 | 759 | ||
| 763 | /* | 760 | /* |
| @@ -882,7 +879,7 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p, | |||
| 882 | unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl; | 879 | unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl; |
| 883 | unsigned long algo_strength; | 880 | unsigned long algo_strength; |
| 884 | int j, multi, found, rule, retval, ok, buflen; | 881 | int j, multi, found, rule, retval, ok, buflen; |
| 885 | unsigned long cipher_id = 0; | 882 | uint16_t cipher_value = 0; |
| 886 | const char *l, *buf; | 883 | const char *l, *buf; |
| 887 | char ch; | 884 | char ch; |
| 888 | 885 | ||
| @@ -974,7 +971,7 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p, | |||
| 974 | * '\0' terminated.) | 971 | * '\0' terminated.) |
| 975 | */ | 972 | */ |
| 976 | j = found = 0; | 973 | j = found = 0; |
| 977 | cipher_id = 0; | 974 | cipher_value = 0; |
| 978 | while (ca_list[j]) { | 975 | while (ca_list[j]) { |
| 979 | if (!strncmp(buf, ca_list[j]->name, buflen) && | 976 | if (!strncmp(buf, ca_list[j]->name, buflen) && |
| 980 | (ca_list[j]->name[buflen] == '\0')) { | 977 | (ca_list[j]->name[buflen] == '\0')) { |
| @@ -1047,13 +1044,13 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p, | |||
| 1047 | SSL_STRONG_MASK; | 1044 | SSL_STRONG_MASK; |
| 1048 | } | 1045 | } |
| 1049 | 1046 | ||
| 1050 | if (ca_list[j]->valid) { | 1047 | if (ca_list[j]->value != 0) { |
| 1051 | /* | 1048 | /* |
| 1052 | * explicit ciphersuite found; its protocol | 1049 | * explicit ciphersuite found; its protocol |
| 1053 | * version does not become part of the search | 1050 | * version does not become part of the search |
| 1054 | * pattern! | 1051 | * pattern! |
| 1055 | */ | 1052 | */ |
| 1056 | cipher_id = ca_list[j]->id; | 1053 | cipher_value = ca_list[j]->value; |
| 1057 | if (ca_list[j]->algorithm_ssl == SSL_TLSV1_3) | 1054 | if (ca_list[j]->algorithm_ssl == SSL_TLSV1_3) |
| 1058 | *tls13_seen = 1; | 1055 | *tls13_seen = 1; |
| 1059 | } else { | 1056 | } else { |
| @@ -1109,7 +1106,7 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p, | |||
| 1109 | } else if (found) { | 1106 | } else if (found) { |
| 1110 | if (alg_ssl == SSL_TLSV1_3) | 1107 | if (alg_ssl == SSL_TLSV1_3) |
| 1111 | *tls13_seen = 1; | 1108 | *tls13_seen = 1; |
| 1112 | ssl_cipher_apply_rule(cipher_id, alg_mkey, alg_auth, | 1109 | ssl_cipher_apply_rule(cipher_value, alg_mkey, alg_auth, |
| 1113 | alg_enc, alg_mac, alg_ssl, algo_strength, rule, | 1110 | alg_enc, alg_mac, alg_ssl, algo_strength, rule, |
| 1114 | -1, head_p, tail_p); | 1111 | -1, head_p, tail_p); |
| 1115 | } else { | 1112 | } else { |
| @@ -1470,24 +1467,23 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) | |||
| 1470 | LSSL_ALIAS(SSL_CIPHER_description); | 1467 | LSSL_ALIAS(SSL_CIPHER_description); |
| 1471 | 1468 | ||
| 1472 | const char * | 1469 | const char * |
| 1473 | SSL_CIPHER_get_version(const SSL_CIPHER *c) | 1470 | SSL_CIPHER_get_version(const SSL_CIPHER *cipher) |
| 1474 | { | 1471 | { |
| 1475 | if (c == NULL) | 1472 | if (cipher == NULL) |
| 1476 | return("(NONE)"); | 1473 | return "(NONE)"; |
| 1477 | if ((c->id >> 24) == 3) | 1474 | |
| 1478 | return("TLSv1/SSLv3"); | 1475 | return "TLSv1/SSLv3"; |
| 1479 | else | ||
| 1480 | return("unknown"); | ||
| 1481 | } | 1476 | } |
| 1482 | LSSL_ALIAS(SSL_CIPHER_get_version); | 1477 | LSSL_ALIAS(SSL_CIPHER_get_version); |
| 1483 | 1478 | ||
| 1484 | /* return the actual cipher being used */ | 1479 | /* return the actual cipher being used */ |
| 1485 | const char * | 1480 | const char * |
| 1486 | SSL_CIPHER_get_name(const SSL_CIPHER *c) | 1481 | SSL_CIPHER_get_name(const SSL_CIPHER *cipher) |
| 1487 | { | 1482 | { |
| 1488 | if (c != NULL) | 1483 | if (cipher == NULL) |
| 1489 | return (c->name); | 1484 | return "(NONE)"; |
| 1490 | return("(NONE)"); | 1485 | |
| 1486 | return cipher->name; | ||
| 1491 | } | 1487 | } |
| 1492 | LSSL_ALIAS(SSL_CIPHER_get_name); | 1488 | LSSL_ALIAS(SSL_CIPHER_get_name); |
| 1493 | 1489 | ||
| @@ -1507,16 +1503,16 @@ SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits) | |||
| 1507 | LSSL_ALIAS(SSL_CIPHER_get_bits); | 1503 | LSSL_ALIAS(SSL_CIPHER_get_bits); |
| 1508 | 1504 | ||
| 1509 | unsigned long | 1505 | unsigned long |
| 1510 | SSL_CIPHER_get_id(const SSL_CIPHER *c) | 1506 | SSL_CIPHER_get_id(const SSL_CIPHER *cipher) |
| 1511 | { | 1507 | { |
| 1512 | return c->id; | 1508 | return SSL3_CK_ID | cipher->value; |
| 1513 | } | 1509 | } |
| 1514 | LSSL_ALIAS(SSL_CIPHER_get_id); | 1510 | LSSL_ALIAS(SSL_CIPHER_get_id); |
| 1515 | 1511 | ||
| 1516 | uint16_t | 1512 | uint16_t |
| 1517 | SSL_CIPHER_get_value(const SSL_CIPHER *c) | 1513 | SSL_CIPHER_get_value(const SSL_CIPHER *cipher) |
| 1518 | { | 1514 | { |
| 1519 | return ssl3_cipher_get_value(c); | 1515 | return cipher->value; |
| 1520 | } | 1516 | } |
| 1521 | LSSL_ALIAS(SSL_CIPHER_get_value); | 1517 | LSSL_ALIAS(SSL_CIPHER_get_value); |
| 1522 | 1518 | ||