diff options
| author | jsing <> | 2024-07-22 14:47:15 +0000 |
|---|---|---|
| committer | jsing <> | 2024-07-22 14:47:15 +0000 |
| commit | 4fbee6b90386fa14be274db8ba947f951bc6de4c (patch) | |
| tree | 888e24c700579e2d75b6c8c0c8c7543008acc2ae /src/lib/libssl/ssl_clnt.c | |
| parent | de2497dade37f29dbde49f4162d9cba984e350cf (diff) | |
| download | openbsd-4fbee6b90386fa14be274db8ba947f951bc6de4c.tar.gz openbsd-4fbee6b90386fa14be274db8ba947f951bc6de4c.tar.bz2 openbsd-4fbee6b90386fa14be274db8ba947f951bc6de4c.zip | |
Use cipher suite values instead of IDs.
OpenSSL has had the concept of cipher IDs, which were a way of working
around overlapping cipher suite values between SSLv2 and SSLv3. Given
that we no longer have to deal with this issue, replace the use of IDs
with cipher suite values. In particular, this means that we can stop
mapping back and forth between the two, simplifying things considerably.
While here, remove the 'valid' member of the SSL_CIPHER. The ssl3_ciphers[]
table is no longer mutable, meaning that ciphers cannot be disabled at
runtime (and we have `#if 0' if we want to do it at compile time).
Clean up the comments and add/update RFC references for cipher suites.
ok tb@
Diffstat (limited to '')
| -rw-r--r-- | src/lib/libssl/ssl_clnt.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c index 7b2e05d23d..593ed553d3 100644 --- a/src/lib/libssl/ssl_clnt.c +++ b/src/lib/libssl/ssl_clnt.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_clnt.c,v 1.167 2024/07/20 04:04:23 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_clnt.c,v 1.168 2024/07/22 14:47:15 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -481,7 +481,7 @@ ssl3_connect(SSL *s) | |||
| 481 | 481 | ||
| 482 | s->s3->hs.state = SSL3_ST_CW_FINISHED_A; | 482 | s->s3->hs.state = SSL3_ST_CW_FINISHED_A; |
| 483 | s->init_num = 0; | 483 | s->init_num = 0; |
| 484 | s->session->cipher_id = s->s3->hs.cipher->id; | 484 | s->session->cipher_value = s->s3->hs.cipher->value; |
| 485 | 485 | ||
| 486 | if (!tls1_setup_key_block(s)) { | 486 | if (!tls1_setup_key_block(s)) { |
| 487 | ret = -1; | 487 | ret = -1; |
| @@ -1016,13 +1016,13 @@ ssl3_get_server_hello(SSL *s) | |||
| 1016 | * and/or cipher_id values may not be set. Make sure that | 1016 | * and/or cipher_id values may not be set. Make sure that |
| 1017 | * cipher_id is set and use it for comparison. | 1017 | * cipher_id is set and use it for comparison. |
| 1018 | */ | 1018 | */ |
| 1019 | if (s->hit && (s->session->cipher_id != cipher->id)) { | 1019 | if (s->hit && (s->session->cipher_value != cipher->value)) { |
| 1020 | al = SSL_AD_ILLEGAL_PARAMETER; | 1020 | al = SSL_AD_ILLEGAL_PARAMETER; |
| 1021 | SSLerror(s, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); | 1021 | SSLerror(s, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); |
| 1022 | goto fatal_err; | 1022 | goto fatal_err; |
| 1023 | } | 1023 | } |
| 1024 | s->s3->hs.cipher = cipher; | 1024 | s->s3->hs.cipher = cipher; |
| 1025 | s->session->cipher_id = cipher->id; | 1025 | s->session->cipher_value = cipher->value; |
| 1026 | 1026 | ||
| 1027 | if (!tls1_transcript_hash_init(s)) | 1027 | if (!tls1_transcript_hash_init(s)) |
| 1028 | goto err; | 1028 | goto err; |