diff options
| -rw-r--r-- | src/lib/libssl/ssl.h | 8 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_ciph.c | 17 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_ciphers.c | 129 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_lib.c | 57 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_locl.h | 13 |
5 files changed, 211 insertions, 13 deletions
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h index 4370c84cd7..eb288699b1 100644 --- a/src/lib/libssl/ssl.h +++ b/src/lib/libssl/ssl.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl.h,v 1.171 2020/03/16 15:25:13 tb Exp $ */ | 1 | /* $OpenBSD: ssl.h,v 1.172 2020/09/13 16:49:05 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1275,6 +1275,9 @@ void BIO_ssl_shutdown(BIO *ssl_bio); | |||
| 1275 | 1275 | ||
| 1276 | STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx); | 1276 | STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx); |
| 1277 | int SSL_CTX_set_cipher_list(SSL_CTX *, const char *str); | 1277 | int SSL_CTX_set_cipher_list(SSL_CTX *, const char *str); |
| 1278 | #if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL) | ||
| 1279 | int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str); | ||
| 1280 | #endif | ||
| 1278 | SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth); | 1281 | SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth); |
| 1279 | void SSL_CTX_free(SSL_CTX *); | 1282 | void SSL_CTX_free(SSL_CTX *); |
| 1280 | int SSL_CTX_up_ref(SSL_CTX *ctx); | 1283 | int SSL_CTX_up_ref(SSL_CTX *ctx); |
| @@ -1316,6 +1319,9 @@ void SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio); | |||
| 1316 | BIO * SSL_get_rbio(const SSL *s); | 1319 | BIO * SSL_get_rbio(const SSL *s); |
| 1317 | BIO * SSL_get_wbio(const SSL *s); | 1320 | BIO * SSL_get_wbio(const SSL *s); |
| 1318 | int SSL_set_cipher_list(SSL *s, const char *str); | 1321 | int SSL_set_cipher_list(SSL *s, const char *str); |
| 1322 | #if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL) | ||
| 1323 | int SSL_set_ciphersuites(SSL *s, const char *str); | ||
| 1324 | #endif | ||
| 1319 | void SSL_set_read_ahead(SSL *s, int yes); | 1325 | void SSL_set_read_ahead(SSL *s, int yes); |
| 1320 | int SSL_get_verify_mode(const SSL *s); | 1326 | int SSL_get_verify_mode(const SSL *s); |
| 1321 | int SSL_get_verify_depth(const SSL *s); | 1327 | int SSL_get_verify_depth(const SSL *s); |
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c index 4afbcf9896..fd576cee7b 100644 --- a/src/lib/libssl/ssl_ciph.c +++ b/src/lib/libssl/ssl_ciph.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_ciph.c,v 1.118 2020/09/11 17:36:27 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_ciph.c,v 1.119 2020/09/13 16:49:05 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1184,6 +1184,7 @@ ssl_aes_is_accelerated(void) | |||
| 1184 | STACK_OF(SSL_CIPHER) * | 1184 | STACK_OF(SSL_CIPHER) * |
| 1185 | ssl_create_cipher_list(const SSL_METHOD *ssl_method, | 1185 | ssl_create_cipher_list(const SSL_METHOD *ssl_method, |
| 1186 | STACK_OF(SSL_CIPHER) **cipher_list, | 1186 | STACK_OF(SSL_CIPHER) **cipher_list, |
| 1187 | STACK_OF(SSL_CIPHER) *cipher_list_tls13, | ||
| 1187 | const char *rule_str) | 1188 | const char *rule_str) |
| 1188 | { | 1189 | { |
| 1189 | int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases; | 1190 | int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases; |
| @@ -1192,8 +1193,10 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, | |||
| 1192 | const char *rule_p; | 1193 | const char *rule_p; |
| 1193 | CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; | 1194 | CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; |
| 1194 | const SSL_CIPHER **ca_list = NULL; | 1195 | const SSL_CIPHER **ca_list = NULL; |
| 1196 | const SSL_CIPHER *cipher; | ||
| 1195 | int tls13_seen = 0; | 1197 | int tls13_seen = 0; |
| 1196 | int any_active; | 1198 | int any_active; |
| 1199 | int i; | ||
| 1197 | 1200 | ||
| 1198 | /* | 1201 | /* |
| 1199 | * Return with error if nothing to do. | 1202 | * Return with error if nothing to do. |
| @@ -1335,11 +1338,21 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, | |||
| 1335 | return (NULL); | 1338 | return (NULL); |
| 1336 | } | 1339 | } |
| 1337 | 1340 | ||
| 1341 | /* Prefer TLSv1.3 cipher suites. */ | ||
| 1342 | if (cipher_list_tls13 != NULL) { | ||
| 1343 | for (i = 0; i < sk_SSL_CIPHER_num(cipher_list_tls13); i++) { | ||
| 1344 | cipher = sk_SSL_CIPHER_value(cipher_list_tls13, i); | ||
| 1345 | sk_SSL_CIPHER_push(cipherstack, cipher); | ||
| 1346 | } | ||
| 1347 | tls13_seen = 1; | ||
| 1348 | } | ||
| 1349 | |||
| 1338 | /* | 1350 | /* |
| 1339 | * The cipher selection for the list is done. The ciphers are added | 1351 | * The cipher selection for the list is done. The ciphers are added |
| 1340 | * to the resulting precedence to the STACK_OF(SSL_CIPHER). | 1352 | * to the resulting precedence to the STACK_OF(SSL_CIPHER). |
| 1341 | * | 1353 | * |
| 1342 | * If the rule string did not contain any references to TLSv1.3, | 1354 | * If the rule string did not contain any references to TLSv1.3 and |
| 1355 | * TLSv1.3 cipher suites have not been configured separately, | ||
| 1343 | * include inactive TLSv1.3 cipher suites. This avoids attempts to | 1356 | * include inactive TLSv1.3 cipher suites. This avoids attempts to |
| 1344 | * use TLSv1.3 with an older rule string that does not include | 1357 | * use TLSv1.3 with an older rule string that does not include |
| 1345 | * TLSv1.3 cipher suites. If the rule string resulted in no active | 1358 | * TLSv1.3 cipher suites. If the rule string resulted in no active |
diff --git a/src/lib/libssl/ssl_ciphers.c b/src/lib/libssl/ssl_ciphers.c index 478238bd10..d84e4c6154 100644 --- a/src/lib/libssl/ssl_ciphers.c +++ b/src/lib/libssl/ssl_ciphers.c | |||
| @@ -1,7 +1,7 @@ | |||
| 1 | /* $OpenBSD: ssl_ciphers.c,v 1.6 2020/09/11 17:36:27 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_ciphers.c,v 1.7 2020/09/13 16:49:05 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2015-2017 Doug Hogan <doug@openbsd.org> | 3 | * Copyright (c) 2015-2017 Doug Hogan <doug@openbsd.org> |
| 4 | * Copyright (c) 2015-2018 Joel Sing <jsing@openbsd.org> | 4 | * Copyright (c) 2015-2018, 2020 Joel Sing <jsing@openbsd.org> |
| 5 | * Copyright (c) 2019 Theo Buehler <tb@openbsd.org> | 5 | * Copyright (c) 2019 Theo Buehler <tb@openbsd.org> |
| 6 | * | 6 | * |
| 7 | * Permission to use, copy, modify, and distribute this software for any | 7 | * Permission to use, copy, modify, and distribute this software for any |
| @@ -171,3 +171,128 @@ ssl_bytes_to_cipher_list(SSL *s, CBS *cbs) | |||
| 171 | 171 | ||
| 172 | return (NULL); | 172 | return (NULL); |
| 173 | } | 173 | } |
| 174 | |||
| 175 | struct ssl_tls13_ciphersuite { | ||
| 176 | const char *name; | ||
| 177 | const char *alias; | ||
| 178 | unsigned long cid; | ||
| 179 | }; | ||
| 180 | |||
| 181 | static const struct ssl_tls13_ciphersuite ssl_tls13_ciphersuites[] = { | ||
| 182 | { | ||
| 183 | .name = TLS1_3_TXT_AES_128_GCM_SHA256, | ||
| 184 | .alias = "TLS_AES_128_GCM_SHA256", | ||
| 185 | .cid = TLS1_3_CK_AES_128_GCM_SHA256, | ||
| 186 | }, | ||
| 187 | { | ||
| 188 | .name = TLS1_3_TXT_AES_256_GCM_SHA384, | ||
| 189 | .alias = "TLS_AES_256_GCM_SHA384", | ||
| 190 | .cid = TLS1_3_CK_AES_256_GCM_SHA384, | ||
| 191 | }, | ||
| 192 | { | ||
| 193 | .name = TLS1_3_TXT_CHACHA20_POLY1305_SHA256, | ||
| 194 | .alias = "TLS_CHACHA20_POLY1305_SHA256", | ||
| 195 | .cid = TLS1_3_CK_CHACHA20_POLY1305_SHA256, | ||
| 196 | }, | ||
| 197 | { | ||
| 198 | .name = TLS1_3_TXT_AES_128_CCM_SHA256, | ||
| 199 | .alias = "TLS_AES_128_CCM_SHA256", | ||
| 200 | .cid = TLS1_3_CK_AES_128_CCM_SHA256, | ||
| 201 | }, | ||
| 202 | { | ||
| 203 | .name = TLS1_3_TXT_AES_128_CCM_8_SHA256, | ||
| 204 | .alias = "TLS_AES_128_CCM_8_SHA256", | ||
| 205 | .cid = TLS1_3_CK_AES_128_CCM_8_SHA256, | ||
| 206 | }, | ||
| 207 | { | ||
| 208 | .name = NULL, | ||
| 209 | }, | ||
| 210 | }; | ||
| 211 | |||
| 212 | int | ||
| 213 | ssl_parse_ciphersuites(STACK_OF(SSL_CIPHER) **out_ciphers, const char *str) | ||
| 214 | { | ||
| 215 | const struct ssl_tls13_ciphersuite *ciphersuite; | ||
| 216 | STACK_OF(SSL_CIPHER) *ciphers; | ||
| 217 | const SSL_CIPHER *cipher; | ||
| 218 | char *s = NULL; | ||
| 219 | char *p, *q; | ||
| 220 | int i; | ||
| 221 | int ret = 0; | ||
| 222 | |||
| 223 | sk_SSL_CIPHER_free(*out_ciphers); | ||
| 224 | *out_ciphers = NULL; | ||
| 225 | |||
| 226 | if ((ciphers = sk_SSL_CIPHER_new_null()) == NULL) | ||
| 227 | goto err; | ||
| 228 | |||
| 229 | /* An empty string is valid and means no ciphers. */ | ||
| 230 | if (strcmp(str, "") == 0) | ||
| 231 | goto done; | ||
| 232 | |||
| 233 | if ((s = strdup(str)) == NULL) | ||
| 234 | goto err; | ||
| 235 | |||
| 236 | q = s; | ||
| 237 | while ((p = strsep(&q, ":")) != NULL) { | ||
| 238 | ciphersuite = &ssl_tls13_ciphersuites[0]; | ||
| 239 | for (i = 0; ciphersuite->name != NULL; i++) { | ||
| 240 | ciphersuite = &ssl_tls13_ciphersuites[i]; | ||
| 241 | if (strcmp(p, ciphersuite->name) == 0) | ||
| 242 | break; | ||
| 243 | if (strcmp(p, ciphersuite->alias) == 0) | ||
| 244 | break; | ||
| 245 | } | ||
| 246 | if (ciphersuite->name == NULL) | ||
| 247 | goto err; | ||
| 248 | |||
| 249 | /* We know about the cipher suite, but it is not supported. */ | ||
| 250 | if ((cipher = ssl3_get_cipher_by_id(ciphersuite->cid)) == NULL) | ||
| 251 | continue; | ||
| 252 | |||
| 253 | if (!sk_SSL_CIPHER_push(ciphers, cipher)) | ||
| 254 | goto err; | ||
| 255 | } | ||
| 256 | |||
| 257 | done: | ||
| 258 | *out_ciphers = ciphers; | ||
| 259 | ciphers = NULL; | ||
| 260 | ret = 1; | ||
| 261 | |||
| 262 | err: | ||
| 263 | sk_SSL_CIPHER_free(ciphers); | ||
| 264 | free(s); | ||
| 265 | |||
| 266 | return ret; | ||
| 267 | } | ||
| 268 | |||
| 269 | int | ||
| 270 | ssl_merge_cipherlists(STACK_OF(SSL_CIPHER) *cipherlist, | ||
| 271 | STACK_OF(SSL_CIPHER) *cipherlist_tls13, | ||
| 272 | STACK_OF(SSL_CIPHER) **out_cipherlist) | ||
| 273 | { | ||
| 274 | STACK_OF(SSL_CIPHER) *ciphers = NULL; | ||
| 275 | const SSL_CIPHER *cipher; | ||
| 276 | int i, ret = 0; | ||
| 277 | |||
| 278 | if ((ciphers = sk_SSL_CIPHER_dup(cipherlist_tls13)) == NULL) | ||
| 279 | goto err; | ||
| 280 | for (i = 0; i < sk_SSL_CIPHER_num(cipherlist); i++) { | ||
| 281 | cipher = sk_SSL_CIPHER_value(cipherlist, i); | ||
| 282 | if (cipher->algorithm_ssl == SSL_TLSV1_3) | ||
| 283 | continue; | ||
| 284 | if (!sk_SSL_CIPHER_push(ciphers, cipher)) | ||
| 285 | goto err; | ||
| 286 | } | ||
| 287 | |||
| 288 | sk_SSL_CIPHER_free(*out_cipherlist); | ||
| 289 | *out_cipherlist = ciphers; | ||
| 290 | ciphers = NULL; | ||
| 291 | |||
| 292 | ret = 1; | ||
| 293 | |||
| 294 | err: | ||
| 295 | sk_SSL_CIPHER_free(ciphers); | ||
| 296 | |||
| 297 | return ret; | ||
| 298 | } | ||
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 5bc759d483..a194e5639a 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_lib.c,v 1.225 2020/09/11 17:36:27 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_lib.c,v 1.226 2020/09/13 16:49:05 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -230,7 +230,7 @@ SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth) | |||
| 230 | ctx->method = meth; | 230 | ctx->method = meth; |
| 231 | 231 | ||
| 232 | ciphers = ssl_create_cipher_list(ctx->method, &ctx->cipher_list, | 232 | ciphers = ssl_create_cipher_list(ctx->method, &ctx->cipher_list, |
| 233 | SSL_DEFAULT_CIPHER_LIST); | 233 | ctx->internal->cipher_list_tls13, SSL_DEFAULT_CIPHER_LIST); |
| 234 | if (ciphers == NULL || sk_SSL_CIPHER_num(ciphers) <= 0) { | 234 | if (ciphers == NULL || sk_SSL_CIPHER_num(ciphers) <= 0) { |
| 235 | SSLerrorx(SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); | 235 | SSLerrorx(SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); |
| 236 | return (0); | 236 | return (0); |
| @@ -530,6 +530,7 @@ SSL_free(SSL *s) | |||
| 530 | BUF_MEM_free(s->internal->init_buf); | 530 | BUF_MEM_free(s->internal->init_buf); |
| 531 | 531 | ||
| 532 | sk_SSL_CIPHER_free(s->cipher_list); | 532 | sk_SSL_CIPHER_free(s->cipher_list); |
| 533 | sk_SSL_CIPHER_free(s->internal->cipher_list_tls13); | ||
| 533 | 534 | ||
| 534 | /* Make the next call work :-) */ | 535 | /* Make the next call work :-) */ |
| 535 | if (s->session != NULL) { | 536 | if (s->session != NULL) { |
| @@ -1353,7 +1354,8 @@ SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) | |||
| 1353 | * an error as far as ssl_create_cipher_list is concerned, and hence | 1354 | * an error as far as ssl_create_cipher_list is concerned, and hence |
| 1354 | * ctx->cipher_list has been updated. | 1355 | * ctx->cipher_list has been updated. |
| 1355 | */ | 1356 | */ |
| 1356 | ciphers = ssl_create_cipher_list(ctx->method, &ctx->cipher_list, str); | 1357 | ciphers = ssl_create_cipher_list(ctx->method, &ctx->cipher_list, |
| 1358 | ctx->internal->cipher_list_tls13, str); | ||
| 1357 | if (ciphers == NULL) { | 1359 | if (ciphers == NULL) { |
| 1358 | return (0); | 1360 | return (0); |
| 1359 | } else if (sk_SSL_CIPHER_num(ciphers) == 0) { | 1361 | } else if (sk_SSL_CIPHER_num(ciphers) == 0) { |
| @@ -1363,14 +1365,32 @@ SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) | |||
| 1363 | return (1); | 1365 | return (1); |
| 1364 | } | 1366 | } |
| 1365 | 1367 | ||
| 1368 | int | ||
| 1369 | SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str) | ||
| 1370 | { | ||
| 1371 | if (!ssl_parse_ciphersuites(&ctx->internal->cipher_list_tls13, str)) { | ||
| 1372 | SSLerrorx(SSL_R_NO_CIPHER_MATCH); | ||
| 1373 | return 0; | ||
| 1374 | } | ||
| 1375 | if (!ssl_merge_cipherlists(ctx->cipher_list, | ||
| 1376 | ctx->internal->cipher_list_tls13, &ctx->cipher_list)) | ||
| 1377 | return 0; | ||
| 1378 | |||
| 1379 | return 1; | ||
| 1380 | } | ||
| 1381 | |||
| 1366 | /* Specify the ciphers to be used by the SSL. */ | 1382 | /* Specify the ciphers to be used by the SSL. */ |
| 1367 | int | 1383 | int |
| 1368 | SSL_set_cipher_list(SSL *s, const char *str) | 1384 | SSL_set_cipher_list(SSL *s, const char *str) |
| 1369 | { | 1385 | { |
| 1370 | STACK_OF(SSL_CIPHER) *ciphers; | 1386 | STACK_OF(SSL_CIPHER) *ciphers, *ciphers_tls13; |
| 1387 | |||
| 1388 | if ((ciphers_tls13 = s->internal->cipher_list_tls13) == NULL) | ||
| 1389 | ciphers_tls13 = s->ctx->internal->cipher_list_tls13; | ||
| 1371 | 1390 | ||
| 1372 | /* See comment in SSL_CTX_set_cipher_list. */ | 1391 | /* See comment in SSL_CTX_set_cipher_list. */ |
| 1373 | ciphers = ssl_create_cipher_list(s->ctx->method, &s->cipher_list, str); | 1392 | ciphers = ssl_create_cipher_list(s->ctx->method, &s->cipher_list, |
| 1393 | ciphers_tls13, str); | ||
| 1374 | if (ciphers == NULL) { | 1394 | if (ciphers == NULL) { |
| 1375 | return (0); | 1395 | return (0); |
| 1376 | } else if (sk_SSL_CIPHER_num(ciphers) == 0) { | 1396 | } else if (sk_SSL_CIPHER_num(ciphers) == 0) { |
| @@ -1380,6 +1400,25 @@ SSL_set_cipher_list(SSL *s, const char *str) | |||
| 1380 | return (1); | 1400 | return (1); |
| 1381 | } | 1401 | } |
| 1382 | 1402 | ||
| 1403 | int | ||
| 1404 | SSL_set_ciphersuites(SSL *s, const char *str) | ||
| 1405 | { | ||
| 1406 | STACK_OF(SSL_CIPHER) *ciphers; | ||
| 1407 | |||
| 1408 | if ((ciphers = s->cipher_list) == NULL) | ||
| 1409 | ciphers = s->ctx->cipher_list; | ||
| 1410 | |||
| 1411 | if (!ssl_parse_ciphersuites(&s->internal->cipher_list_tls13, str)) { | ||
| 1412 | SSLerrorx(SSL_R_NO_CIPHER_MATCH); | ||
| 1413 | return (0); | ||
| 1414 | } | ||
| 1415 | if (!ssl_merge_cipherlists(ciphers, s->internal->cipher_list_tls13, | ||
| 1416 | &s->cipher_list)) | ||
| 1417 | return 0; | ||
| 1418 | |||
| 1419 | return 1; | ||
| 1420 | } | ||
| 1421 | |||
| 1383 | char * | 1422 | char * |
| 1384 | SSL_get_shared_ciphers(const SSL *s, char *buf, int len) | 1423 | SSL_get_shared_ciphers(const SSL *s, char *buf, int len) |
| 1385 | { | 1424 | { |
| @@ -1758,7 +1797,7 @@ SSL_CTX_new(const SSL_METHOD *meth) | |||
| 1758 | goto err; | 1797 | goto err; |
| 1759 | 1798 | ||
| 1760 | ssl_create_cipher_list(ret->method, &ret->cipher_list, | 1799 | ssl_create_cipher_list(ret->method, &ret->cipher_list, |
| 1761 | SSL_DEFAULT_CIPHER_LIST); | 1800 | NULL, SSL_DEFAULT_CIPHER_LIST); |
| 1762 | if (ret->cipher_list == NULL || | 1801 | if (ret->cipher_list == NULL || |
| 1763 | sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { | 1802 | sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { |
| 1764 | SSLerrorx(SSL_R_LIBRARY_HAS_NO_CIPHERS); | 1803 | SSLerrorx(SSL_R_LIBRARY_HAS_NO_CIPHERS); |
| @@ -1855,6 +1894,7 @@ SSL_CTX_free(SSL_CTX *ctx) | |||
| 1855 | 1894 | ||
| 1856 | X509_STORE_free(ctx->cert_store); | 1895 | X509_STORE_free(ctx->cert_store); |
| 1857 | sk_SSL_CIPHER_free(ctx->cipher_list); | 1896 | sk_SSL_CIPHER_free(ctx->cipher_list); |
| 1897 | sk_SSL_CIPHER_free(ctx->internal->cipher_list_tls13); | ||
| 1858 | ssl_cert_free(ctx->internal->cert); | 1898 | ssl_cert_free(ctx->internal->cert); |
| 1859 | sk_X509_NAME_pop_free(ctx->internal->client_CA, X509_NAME_free); | 1899 | sk_X509_NAME_pop_free(ctx->internal->client_CA, X509_NAME_free); |
| 1860 | sk_X509_pop_free(ctx->extra_certs, X509_free); | 1900 | sk_X509_pop_free(ctx->extra_certs, X509_free); |
| @@ -2451,6 +2491,11 @@ SSL_dup(SSL *s) | |||
| 2451 | sk_SSL_CIPHER_dup(s->cipher_list)) == NULL) | 2491 | sk_SSL_CIPHER_dup(s->cipher_list)) == NULL) |
| 2452 | goto err; | 2492 | goto err; |
| 2453 | } | 2493 | } |
| 2494 | if (s->internal->cipher_list_tls13 != NULL) { | ||
| 2495 | if ((ret->internal->cipher_list_tls13 = | ||
| 2496 | sk_SSL_CIPHER_dup(s->internal->cipher_list_tls13)) == NULL) | ||
| 2497 | goto err; | ||
| 2498 | } | ||
| 2454 | 2499 | ||
| 2455 | /* Dup the client_CA list */ | 2500 | /* Dup the client_CA list */ |
| 2456 | if (s->internal->client_CA != NULL) { | 2501 | if (s->internal->client_CA != NULL) { |
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index df07ca68a6..540afee004 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_locl.h,v 1.290 2020/09/11 17:36:27 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_locl.h,v 1.291 2020/09/13 16:49:05 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -599,6 +599,8 @@ typedef struct ssl_ctx_internal_st { | |||
| 599 | 599 | ||
| 600 | CRYPTO_EX_DATA ex_data; | 600 | CRYPTO_EX_DATA ex_data; |
| 601 | 601 | ||
| 602 | STACK_OF(SSL_CIPHER) *cipher_list_tls13; | ||
| 603 | |||
| 602 | struct cert_st /* CERT */ *cert; | 604 | struct cert_st /* CERT */ *cert; |
| 603 | 605 | ||
| 604 | /* Default values used when no per-SSL value is defined follow */ | 606 | /* Default values used when no per-SSL value is defined follow */ |
| @@ -743,6 +745,8 @@ typedef struct ssl_internal_st { | |||
| 743 | 745 | ||
| 744 | int hit; /* reusing a previous session */ | 746 | int hit; /* reusing a previous session */ |
| 745 | 747 | ||
| 748 | STACK_OF(SSL_CIPHER) *cipher_list_tls13; | ||
| 749 | |||
| 746 | /* These are the ones being used, the ones in SSL_SESSION are | 750 | /* These are the ones being used, the ones in SSL_SESSION are |
| 747 | * the ones to be 'copied' into these ones */ | 751 | * the ones to be 'copied' into these ones */ |
| 748 | int mac_flags; | 752 | int mac_flags; |
| @@ -1164,7 +1168,12 @@ SSL_CIPHER *OBJ_bsearch_ssl_cipher_id(SSL_CIPHER *key, SSL_CIPHER const *base, | |||
| 1164 | int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb); | 1168 | int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb); |
| 1165 | STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, CBS *cbs); | 1169 | STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, CBS *cbs); |
| 1166 | STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth, | 1170 | STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth, |
| 1167 | STACK_OF(SSL_CIPHER) **pref, const char *rule_str); | 1171 | STACK_OF(SSL_CIPHER) **pref, STACK_OF(SSL_CIPHER) *tls13, |
| 1172 | const char *rule_str); | ||
| 1173 | int ssl_parse_ciphersuites(STACK_OF(SSL_CIPHER) **out_ciphers, const char *str); | ||
| 1174 | int ssl_merge_cipherlists(STACK_OF(SSL_CIPHER) *cipherlist, | ||
| 1175 | STACK_OF(SSL_CIPHER) *cipherlist_tls13, | ||
| 1176 | STACK_OF(SSL_CIPHER) **out_cipherlist); | ||
| 1168 | void ssl_update_cache(SSL *s, int mode); | 1177 | void ssl_update_cache(SSL *s, int mode); |
| 1169 | int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, | 1178 | int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, |
| 1170 | const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size); | 1179 | const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size); |