diff options
| author | jsing <> | 2020-09-13 16:49:05 +0000 |
|---|---|---|
| committer | jsing <> | 2020-09-13 16:49:05 +0000 |
| commit | 0aa52b54c9a57f9625af2c4445b991cfdd4ad228 (patch) | |
| tree | e245dcd6ff9d7a9822feff50c7792c76ecfa9dba /src | |
| parent | a328631fddec2556ad8af08ce4de240790c537c9 (diff) | |
| download | openbsd-0aa52b54c9a57f9625af2c4445b991cfdd4ad228.tar.gz openbsd-0aa52b54c9a57f9625af2c4445b991cfdd4ad228.tar.bz2 openbsd-0aa52b54c9a57f9625af2c4445b991cfdd4ad228.zip | |
Implement SSL_{CTX_,}set_ciphersuites().
OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.
Note that this is not currently exposed in the headers/exported symbols.
ok beck@ inoguchi@ tb@
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libssl/ssl.h | 8 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_ciph.c | 17 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_ciphers.c | 129 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_lib.c | 57 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_locl.h | 13 |
5 files changed, 211 insertions, 13 deletions
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h index 4370c84cd7..eb288699b1 100644 --- a/src/lib/libssl/ssl.h +++ b/src/lib/libssl/ssl.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl.h,v 1.171 2020/03/16 15:25:13 tb Exp $ */ | 1 | /* $OpenBSD: ssl.h,v 1.172 2020/09/13 16:49:05 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1275,6 +1275,9 @@ void BIO_ssl_shutdown(BIO *ssl_bio); | |||
| 1275 | 1275 | ||
| 1276 | STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx); | 1276 | STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx); |
| 1277 | int SSL_CTX_set_cipher_list(SSL_CTX *, const char *str); | 1277 | int SSL_CTX_set_cipher_list(SSL_CTX *, const char *str); |
| 1278 | #if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL) | ||
| 1279 | int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str); | ||
| 1280 | #endif | ||
| 1278 | SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth); | 1281 | SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth); |
| 1279 | void SSL_CTX_free(SSL_CTX *); | 1282 | void SSL_CTX_free(SSL_CTX *); |
| 1280 | int SSL_CTX_up_ref(SSL_CTX *ctx); | 1283 | int SSL_CTX_up_ref(SSL_CTX *ctx); |
| @@ -1316,6 +1319,9 @@ void SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio); | |||
| 1316 | BIO * SSL_get_rbio(const SSL *s); | 1319 | BIO * SSL_get_rbio(const SSL *s); |
| 1317 | BIO * SSL_get_wbio(const SSL *s); | 1320 | BIO * SSL_get_wbio(const SSL *s); |
| 1318 | int SSL_set_cipher_list(SSL *s, const char *str); | 1321 | int SSL_set_cipher_list(SSL *s, const char *str); |
| 1322 | #if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL) | ||
| 1323 | int SSL_set_ciphersuites(SSL *s, const char *str); | ||
| 1324 | #endif | ||
| 1319 | void SSL_set_read_ahead(SSL *s, int yes); | 1325 | void SSL_set_read_ahead(SSL *s, int yes); |
| 1320 | int SSL_get_verify_mode(const SSL *s); | 1326 | int SSL_get_verify_mode(const SSL *s); |
| 1321 | int SSL_get_verify_depth(const SSL *s); | 1327 | int SSL_get_verify_depth(const SSL *s); |
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c index 4afbcf9896..fd576cee7b 100644 --- a/src/lib/libssl/ssl_ciph.c +++ b/src/lib/libssl/ssl_ciph.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_ciph.c,v 1.118 2020/09/11 17:36:27 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_ciph.c,v 1.119 2020/09/13 16:49:05 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1184,6 +1184,7 @@ ssl_aes_is_accelerated(void) | |||
| 1184 | STACK_OF(SSL_CIPHER) * | 1184 | STACK_OF(SSL_CIPHER) * |
| 1185 | ssl_create_cipher_list(const SSL_METHOD *ssl_method, | 1185 | ssl_create_cipher_list(const SSL_METHOD *ssl_method, |
| 1186 | STACK_OF(SSL_CIPHER) **cipher_list, | 1186 | STACK_OF(SSL_CIPHER) **cipher_list, |
| 1187 | STACK_OF(SSL_CIPHER) *cipher_list_tls13, | ||
| 1187 | const char *rule_str) | 1188 | const char *rule_str) |
| 1188 | { | 1189 | { |
| 1189 | int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases; | 1190 | int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases; |
| @@ -1192,8 +1193,10 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, | |||
| 1192 | const char *rule_p; | 1193 | const char *rule_p; |
| 1193 | CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; | 1194 | CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; |
| 1194 | const SSL_CIPHER **ca_list = NULL; | 1195 | const SSL_CIPHER **ca_list = NULL; |
| 1196 | const SSL_CIPHER *cipher; | ||
| 1195 | int tls13_seen = 0; | 1197 | int tls13_seen = 0; |
| 1196 | int any_active; | 1198 | int any_active; |
| 1199 | int i; | ||
| 1197 | 1200 | ||
| 1198 | /* | 1201 | /* |
| 1199 | * Return with error if nothing to do. | 1202 | * Return with error if nothing to do. |
| @@ -1335,11 +1338,21 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, | |||
| 1335 | return (NULL); | 1338 | return (NULL); |
| 1336 | } | 1339 | } |
| 1337 | 1340 | ||
| 1341 | /* Prefer TLSv1.3 cipher suites. */ | ||
| 1342 | if (cipher_list_tls13 != NULL) { | ||
| 1343 | for (i = 0; i < sk_SSL_CIPHER_num(cipher_list_tls13); i++) { | ||
| 1344 | cipher = sk_SSL_CIPHER_value(cipher_list_tls13, i); | ||
| 1345 | sk_SSL_CIPHER_push(cipherstack, cipher); | ||
| 1346 | } | ||
| 1347 | tls13_seen = 1; | ||
| 1348 | } | ||
| 1349 | |||
| 1338 | /* | 1350 | /* |
| 1339 | * The cipher selection for the list is done. The ciphers are added | 1351 | * The cipher selection for the list is done. The ciphers are added |
| 1340 | * to the resulting precedence to the STACK_OF(SSL_CIPHER). | 1352 | * to the resulting precedence to the STACK_OF(SSL_CIPHER). |
| 1341 | * | 1353 | * |
| 1342 | * If the rule string did not contain any references to TLSv1.3, | 1354 | * If the rule string did not contain any references to TLSv1.3 and |
| 1355 | * TLSv1.3 cipher suites have not been configured separately, | ||
| 1343 | * include inactive TLSv1.3 cipher suites. This avoids attempts to | 1356 | * include inactive TLSv1.3 cipher suites. This avoids attempts to |
| 1344 | * use TLSv1.3 with an older rule string that does not include | 1357 | * use TLSv1.3 with an older rule string that does not include |
| 1345 | * TLSv1.3 cipher suites. If the rule string resulted in no active | 1358 | * TLSv1.3 cipher suites. If the rule string resulted in no active |
diff --git a/src/lib/libssl/ssl_ciphers.c b/src/lib/libssl/ssl_ciphers.c index 478238bd10..d84e4c6154 100644 --- a/src/lib/libssl/ssl_ciphers.c +++ b/src/lib/libssl/ssl_ciphers.c | |||
| @@ -1,7 +1,7 @@ | |||
| 1 | /* $OpenBSD: ssl_ciphers.c,v 1.6 2020/09/11 17:36:27 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_ciphers.c,v 1.7 2020/09/13 16:49:05 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2015-2017 Doug Hogan <doug@openbsd.org> | 3 | * Copyright (c) 2015-2017 Doug Hogan <doug@openbsd.org> |
| 4 | * Copyright (c) 2015-2018 Joel Sing <jsing@openbsd.org> | 4 | * Copyright (c) 2015-2018, 2020 Joel Sing <jsing@openbsd.org> |
| 5 | * Copyright (c) 2019 Theo Buehler <tb@openbsd.org> | 5 | * Copyright (c) 2019 Theo Buehler <tb@openbsd.org> |
| 6 | * | 6 | * |
| 7 | * Permission to use, copy, modify, and distribute this software for any | 7 | * Permission to use, copy, modify, and distribute this software for any |
| @@ -171,3 +171,128 @@ ssl_bytes_to_cipher_list(SSL *s, CBS *cbs) | |||
| 171 | 171 | ||
| 172 | return (NULL); | 172 | return (NULL); |
| 173 | } | 173 | } |
| 174 | |||
| 175 | struct ssl_tls13_ciphersuite { | ||
| 176 | const char *name; | ||
| 177 | const char *alias; | ||
| 178 | unsigned long cid; | ||
| 179 | }; | ||
| 180 | |||
| 181 | static const struct ssl_tls13_ciphersuite ssl_tls13_ciphersuites[] = { | ||
| 182 | { | ||
| 183 | .name = TLS1_3_TXT_AES_128_GCM_SHA256, | ||
| 184 | .alias = "TLS_AES_128_GCM_SHA256", | ||
| 185 | .cid = TLS1_3_CK_AES_128_GCM_SHA256, | ||
| 186 | }, | ||
| 187 | { | ||
| 188 | .name = TLS1_3_TXT_AES_256_GCM_SHA384, | ||
| 189 | .alias = "TLS_AES_256_GCM_SHA384", | ||
| 190 | .cid = TLS1_3_CK_AES_256_GCM_SHA384, | ||
| 191 | }, | ||
| 192 | { | ||
| 193 | .name = TLS1_3_TXT_CHACHA20_POLY1305_SHA256, | ||
| 194 | .alias = "TLS_CHACHA20_POLY1305_SHA256", | ||
| 195 | .cid = TLS1_3_CK_CHACHA20_POLY1305_SHA256, | ||
| 196 | }, | ||
| 197 | { | ||
| 198 | .name = TLS1_3_TXT_AES_128_CCM_SHA256, | ||
| 199 | .alias = "TLS_AES_128_CCM_SHA256", | ||
| 200 | .cid = TLS1_3_CK_AES_128_CCM_SHA256, | ||
| 201 | }, | ||
| 202 | { | ||
| 203 | .name = TLS1_3_TXT_AES_128_CCM_8_SHA256, | ||
| 204 | .alias = "TLS_AES_128_CCM_8_SHA256", | ||
| 205 | .cid = TLS1_3_CK_AES_128_CCM_8_SHA256, | ||
| 206 | }, | ||
| 207 | { | ||
| 208 | .name = NULL, | ||
| 209 | }, | ||
| 210 | }; | ||
| 211 | |||
| 212 | int | ||
| 213 | ssl_parse_ciphersuites(STACK_OF(SSL_CIPHER) **out_ciphers, const char *str) | ||
| 214 | { | ||
| 215 | const struct ssl_tls13_ciphersuite *ciphersuite; | ||
| 216 | STACK_OF(SSL_CIPHER) *ciphers; | ||
| 217 | const SSL_CIPHER *cipher; | ||
| 218 | char *s = NULL; | ||
| 219 | char *p, *q; | ||
| 220 | int i; | ||
| 221 | int ret = 0; | ||
| 222 | |||
| 223 | sk_SSL_CIPHER_free(*out_ciphers); | ||
| 224 | *out_ciphers = NULL; | ||
| 225 | |||
| 226 | if ((ciphers = sk_SSL_CIPHER_new_null()) == NULL) | ||
| 227 | goto err; | ||
| 228 | |||
| 229 | /* An empty string is valid and means no ciphers. */ | ||
| 230 | if (strcmp(str, "") == 0) | ||
| 231 | goto done; | ||
| 232 | |||
| 233 | if ((s = strdup(str)) == NULL) | ||
| 234 | goto err; | ||
| 235 | |||
| 236 | q = s; | ||
| 237 | while ((p = strsep(&q, ":")) != NULL) { | ||
| 238 | ciphersuite = &ssl_tls13_ciphersuites[0]; | ||
| 239 | for (i = 0; ciphersuite->name != NULL; i++) { | ||
| 240 | ciphersuite = &ssl_tls13_ciphersuites[i]; | ||
| 241 | if (strcmp(p, ciphersuite->name) == 0) | ||
| 242 | break; | ||
| 243 | if (strcmp(p, ciphersuite->alias) == 0) | ||
| 244 | break; | ||
| 245 | } | ||
| 246 | if (ciphersuite->name == NULL) | ||
| 247 | goto err; | ||
| 248 | |||
| 249 | /* We know about the cipher suite, but it is not supported. */ | ||
| 250 | if ((cipher = ssl3_get_cipher_by_id(ciphersuite->cid)) == NULL) | ||
| 251 | continue; | ||
| 252 | |||
| 253 | if (!sk_SSL_CIPHER_push(ciphers, cipher)) | ||
| 254 | goto err; | ||
| 255 | } | ||
| 256 | |||
| 257 | done: | ||
| 258 | *out_ciphers = ciphers; | ||
| 259 | ciphers = NULL; | ||
| 260 | ret = 1; | ||
| 261 | |||
| 262 | err: | ||
| 263 | sk_SSL_CIPHER_free(ciphers); | ||
| 264 | free(s); | ||
| 265 | |||
| 266 | return ret; | ||
| 267 | } | ||
| 268 | |||
| 269 | int | ||
| 270 | ssl_merge_cipherlists(STACK_OF(SSL_CIPHER) *cipherlist, | ||
| 271 | STACK_OF(SSL_CIPHER) *cipherlist_tls13, | ||
| 272 | STACK_OF(SSL_CIPHER) **out_cipherlist) | ||
| 273 | { | ||
| 274 | STACK_OF(SSL_CIPHER) *ciphers = NULL; | ||
| 275 | const SSL_CIPHER *cipher; | ||
| 276 | int i, ret = 0; | ||
| 277 | |||
| 278 | if ((ciphers = sk_SSL_CIPHER_dup(cipherlist_tls13)) == NULL) | ||
| 279 | goto err; | ||
| 280 | for (i = 0; i < sk_SSL_CIPHER_num(cipherlist); i++) { | ||
| 281 | cipher = sk_SSL_CIPHER_value(cipherlist, i); | ||
| 282 | if (cipher->algorithm_ssl == SSL_TLSV1_3) | ||
| 283 | continue; | ||
| 284 | if (!sk_SSL_CIPHER_push(ciphers, cipher)) | ||
| 285 | goto err; | ||
| 286 | } | ||
| 287 | |||
| 288 | sk_SSL_CIPHER_free(*out_cipherlist); | ||
| 289 | *out_cipherlist = ciphers; | ||
| 290 | ciphers = NULL; | ||
| 291 | |||
| 292 | ret = 1; | ||
| 293 | |||
| 294 | err: | ||
| 295 | sk_SSL_CIPHER_free(ciphers); | ||
| 296 | |||
| 297 | return ret; | ||
| 298 | } | ||
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 5bc759d483..a194e5639a 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_lib.c,v 1.225 2020/09/11 17:36:27 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_lib.c,v 1.226 2020/09/13 16:49:05 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -230,7 +230,7 @@ SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth) | |||
| 230 | ctx->method = meth; | 230 | ctx->method = meth; |
| 231 | 231 | ||
| 232 | ciphers = ssl_create_cipher_list(ctx->method, &ctx->cipher_list, | 232 | ciphers = ssl_create_cipher_list(ctx->method, &ctx->cipher_list, |
| 233 | SSL_DEFAULT_CIPHER_LIST); | 233 | ctx->internal->cipher_list_tls13, SSL_DEFAULT_CIPHER_LIST); |
| 234 | if (ciphers == NULL || sk_SSL_CIPHER_num(ciphers) <= 0) { | 234 | if (ciphers == NULL || sk_SSL_CIPHER_num(ciphers) <= 0) { |
| 235 | SSLerrorx(SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); | 235 | SSLerrorx(SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); |
| 236 | return (0); | 236 | return (0); |
| @@ -530,6 +530,7 @@ SSL_free(SSL *s) | |||
| 530 | BUF_MEM_free(s->internal->init_buf); | 530 | BUF_MEM_free(s->internal->init_buf); |
| 531 | 531 | ||
| 532 | sk_SSL_CIPHER_free(s->cipher_list); | 532 | sk_SSL_CIPHER_free(s->cipher_list); |
| 533 | sk_SSL_CIPHER_free(s->internal->cipher_list_tls13); | ||
| 533 | 534 | ||
| 534 | /* Make the next call work :-) */ | 535 | /* Make the next call work :-) */ |
| 535 | if (s->session != NULL) { | 536 | if (s->session != NULL) { |
| @@ -1353,7 +1354,8 @@ SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) | |||
| 1353 | * an error as far as ssl_create_cipher_list is concerned, and hence | 1354 | * an error as far as ssl_create_cipher_list is concerned, and hence |
| 1354 | * ctx->cipher_list has been updated. | 1355 | * ctx->cipher_list has been updated. |
| 1355 | */ | 1356 | */ |
| 1356 | ciphers = ssl_create_cipher_list(ctx->method, &ctx->cipher_list, str); | 1357 | ciphers = ssl_create_cipher_list(ctx->method, &ctx->cipher_list, |
| 1358 | ctx->internal->cipher_list_tls13, str); | ||
| 1357 | if (ciphers == NULL) { | 1359 | if (ciphers == NULL) { |
| 1358 | return (0); | 1360 | return (0); |
| 1359 | } else if (sk_SSL_CIPHER_num(ciphers) == 0) { | 1361 | } else if (sk_SSL_CIPHER_num(ciphers) == 0) { |
| @@ -1363,14 +1365,32 @@ SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) | |||
| 1363 | return (1); | 1365 | return (1); |
| 1364 | } | 1366 | } |
| 1365 | 1367 | ||
| 1368 | int | ||
| 1369 | SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str) | ||
| 1370 | { | ||
| 1371 | if (!ssl_parse_ciphersuites(&ctx->internal->cipher_list_tls13, str)) { | ||
| 1372 | SSLerrorx(SSL_R_NO_CIPHER_MATCH); | ||
| 1373 | return 0; | ||
| 1374 | } | ||
| 1375 | if (!ssl_merge_cipherlists(ctx->cipher_list, | ||
| 1376 | ctx->internal->cipher_list_tls13, &ctx->cipher_list)) | ||
| 1377 | return 0; | ||
| 1378 | |||
| 1379 | return 1; | ||
| 1380 | } | ||
| 1381 | |||
| 1366 | /* Specify the ciphers to be used by the SSL. */ | 1382 | /* Specify the ciphers to be used by the SSL. */ |
| 1367 | int | 1383 | int |
| 1368 | SSL_set_cipher_list(SSL *s, const char *str) | 1384 | SSL_set_cipher_list(SSL *s, const char *str) |
| 1369 | { | 1385 | { |
| 1370 | STACK_OF(SSL_CIPHER) *ciphers; | 1386 | STACK_OF(SSL_CIPHER) *ciphers, *ciphers_tls13; |
| 1387 | |||
| 1388 | if ((ciphers_tls13 = s->internal->cipher_list_tls13) == NULL) | ||
| 1389 | ciphers_tls13 = s->ctx->internal->cipher_list_tls13; | ||
| 1371 | 1390 | ||
| 1372 | /* See comment in SSL_CTX_set_cipher_list. */ | 1391 | /* See comment in SSL_CTX_set_cipher_list. */ |
| 1373 | ciphers = ssl_create_cipher_list(s->ctx->method, &s->cipher_list, str); | 1392 | ciphers = ssl_create_cipher_list(s->ctx->method, &s->cipher_list, |
| 1393 | ciphers_tls13, str); | ||
| 1374 | if (ciphers == NULL) { | 1394 | if (ciphers == NULL) { |
| 1375 | return (0); | 1395 | return (0); |
| 1376 | } else if (sk_SSL_CIPHER_num(ciphers) == 0) { | 1396 | } else if (sk_SSL_CIPHER_num(ciphers) == 0) { |
| @@ -1380,6 +1400,25 @@ SSL_set_cipher_list(SSL *s, const char *str) | |||
| 1380 | return (1); | 1400 | return (1); |
| 1381 | } | 1401 | } |
| 1382 | 1402 | ||
| 1403 | int | ||
| 1404 | SSL_set_ciphersuites(SSL *s, const char *str) | ||
| 1405 | { | ||
| 1406 | STACK_OF(SSL_CIPHER) *ciphers; | ||
| 1407 | |||
| 1408 | if ((ciphers = s->cipher_list) == NULL) | ||
| 1409 | ciphers = s->ctx->cipher_list; | ||
| 1410 | |||
| 1411 | if (!ssl_parse_ciphersuites(&s->internal->cipher_list_tls13, str)) { | ||
| 1412 | SSLerrorx(SSL_R_NO_CIPHER_MATCH); | ||
| 1413 | return (0); | ||
| 1414 | } | ||
| 1415 | if (!ssl_merge_cipherlists(ciphers, s->internal->cipher_list_tls13, | ||
| 1416 | &s->cipher_list)) | ||
| 1417 | return 0; | ||
| 1418 | |||
| 1419 | return 1; | ||
| 1420 | } | ||
| 1421 | |||
| 1383 | char * | 1422 | char * |
| 1384 | SSL_get_shared_ciphers(const SSL *s, char *buf, int len) | 1423 | SSL_get_shared_ciphers(const SSL *s, char *buf, int len) |
| 1385 | { | 1424 | { |
| @@ -1758,7 +1797,7 @@ SSL_CTX_new(const SSL_METHOD *meth) | |||
| 1758 | goto err; | 1797 | goto err; |
| 1759 | 1798 | ||
| 1760 | ssl_create_cipher_list(ret->method, &ret->cipher_list, | 1799 | ssl_create_cipher_list(ret->method, &ret->cipher_list, |
| 1761 | SSL_DEFAULT_CIPHER_LIST); | 1800 | NULL, SSL_DEFAULT_CIPHER_LIST); |
| 1762 | if (ret->cipher_list == NULL || | 1801 | if (ret->cipher_list == NULL || |
| 1763 | sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { | 1802 | sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { |
| 1764 | SSLerrorx(SSL_R_LIBRARY_HAS_NO_CIPHERS); | 1803 | SSLerrorx(SSL_R_LIBRARY_HAS_NO_CIPHERS); |
| @@ -1855,6 +1894,7 @@ SSL_CTX_free(SSL_CTX *ctx) | |||
| 1855 | 1894 | ||
| 1856 | X509_STORE_free(ctx->cert_store); | 1895 | X509_STORE_free(ctx->cert_store); |
| 1857 | sk_SSL_CIPHER_free(ctx->cipher_list); | 1896 | sk_SSL_CIPHER_free(ctx->cipher_list); |
| 1897 | sk_SSL_CIPHER_free(ctx->internal->cipher_list_tls13); | ||
| 1858 | ssl_cert_free(ctx->internal->cert); | 1898 | ssl_cert_free(ctx->internal->cert); |
| 1859 | sk_X509_NAME_pop_free(ctx->internal->client_CA, X509_NAME_free); | 1899 | sk_X509_NAME_pop_free(ctx->internal->client_CA, X509_NAME_free); |
| 1860 | sk_X509_pop_free(ctx->extra_certs, X509_free); | 1900 | sk_X509_pop_free(ctx->extra_certs, X509_free); |
| @@ -2451,6 +2491,11 @@ SSL_dup(SSL *s) | |||
| 2451 | sk_SSL_CIPHER_dup(s->cipher_list)) == NULL) | 2491 | sk_SSL_CIPHER_dup(s->cipher_list)) == NULL) |
| 2452 | goto err; | 2492 | goto err; |
| 2453 | } | 2493 | } |
| 2494 | if (s->internal->cipher_list_tls13 != NULL) { | ||
| 2495 | if ((ret->internal->cipher_list_tls13 = | ||
| 2496 | sk_SSL_CIPHER_dup(s->internal->cipher_list_tls13)) == NULL) | ||
| 2497 | goto err; | ||
| 2498 | } | ||
| 2454 | 2499 | ||
| 2455 | /* Dup the client_CA list */ | 2500 | /* Dup the client_CA list */ |
| 2456 | if (s->internal->client_CA != NULL) { | 2501 | if (s->internal->client_CA != NULL) { |
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index df07ca68a6..540afee004 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_locl.h,v 1.290 2020/09/11 17:36:27 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_locl.h,v 1.291 2020/09/13 16:49:05 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -599,6 +599,8 @@ typedef struct ssl_ctx_internal_st { | |||
| 599 | 599 | ||
| 600 | CRYPTO_EX_DATA ex_data; | 600 | CRYPTO_EX_DATA ex_data; |
| 601 | 601 | ||
| 602 | STACK_OF(SSL_CIPHER) *cipher_list_tls13; | ||
| 603 | |||
| 602 | struct cert_st /* CERT */ *cert; | 604 | struct cert_st /* CERT */ *cert; |
| 603 | 605 | ||
| 604 | /* Default values used when no per-SSL value is defined follow */ | 606 | /* Default values used when no per-SSL value is defined follow */ |
| @@ -743,6 +745,8 @@ typedef struct ssl_internal_st { | |||
| 743 | 745 | ||
| 744 | int hit; /* reusing a previous session */ | 746 | int hit; /* reusing a previous session */ |
| 745 | 747 | ||
| 748 | STACK_OF(SSL_CIPHER) *cipher_list_tls13; | ||
| 749 | |||
| 746 | /* These are the ones being used, the ones in SSL_SESSION are | 750 | /* These are the ones being used, the ones in SSL_SESSION are |
| 747 | * the ones to be 'copied' into these ones */ | 751 | * the ones to be 'copied' into these ones */ |
| 748 | int mac_flags; | 752 | int mac_flags; |
| @@ -1164,7 +1168,12 @@ SSL_CIPHER *OBJ_bsearch_ssl_cipher_id(SSL_CIPHER *key, SSL_CIPHER const *base, | |||
| 1164 | int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb); | 1168 | int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb); |
| 1165 | STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, CBS *cbs); | 1169 | STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, CBS *cbs); |
| 1166 | STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth, | 1170 | STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth, |
| 1167 | STACK_OF(SSL_CIPHER) **pref, const char *rule_str); | 1171 | STACK_OF(SSL_CIPHER) **pref, STACK_OF(SSL_CIPHER) *tls13, |
| 1172 | const char *rule_str); | ||
| 1173 | int ssl_parse_ciphersuites(STACK_OF(SSL_CIPHER) **out_ciphers, const char *str); | ||
| 1174 | int ssl_merge_cipherlists(STACK_OF(SSL_CIPHER) *cipherlist, | ||
| 1175 | STACK_OF(SSL_CIPHER) *cipherlist_tls13, | ||
| 1176 | STACK_OF(SSL_CIPHER) **out_cipherlist); | ||
| 1168 | void ssl_update_cache(SSL *s, int mode); | 1177 | void ssl_update_cache(SSL *s, int mode); |
| 1169 | int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, | 1178 | int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, |
| 1170 | const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size); | 1179 | const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size); |