diff options
| -rw-r--r-- | src/lib/libssl/s3_lib.c | 13 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_lib.c | 5 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_locl.h | 10 | ||||
| -rw-r--r-- | src/lib/libssl/tls13_lib.c | 7 |
4 files changed, 30 insertions, 5 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index 9adf257ff3..252242e053 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s3_lib.c,v 1.188 2020/01/02 06:37:13 jsing Exp $ */ | 1 | /* $OpenBSD: s3_lib.c,v 1.189 2020/01/23 10:40:59 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -2502,6 +2502,16 @@ ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, | |||
| 2502 | !SSL_USE_TLS1_2_CIPHERS(s)) | 2502 | !SSL_USE_TLS1_2_CIPHERS(s)) |
| 2503 | continue; | 2503 | continue; |
| 2504 | 2504 | ||
| 2505 | /* Skip TLS v1.3 only ciphersuites if not supported. */ | ||
| 2506 | if ((c->algorithm_ssl & SSL_TLSV1_3) && | ||
| 2507 | !SSL_USE_TLS1_3_CIPHERS(s)) | ||
| 2508 | continue; | ||
| 2509 | |||
| 2510 | /* If TLS v1.3, only allow TLS v1.3 ciphersuites. */ | ||
| 2511 | if (SSL_USE_TLS1_3_CIPHERS(s) && | ||
| 2512 | !(c->algorithm_ssl & SSL_TLSV1_3)) | ||
| 2513 | continue; | ||
| 2514 | |||
| 2505 | ssl_set_cert_masks(cert, c); | 2515 | ssl_set_cert_masks(cert, c); |
| 2506 | mask_k = cert->mask_k; | 2516 | mask_k = cert->mask_k; |
| 2507 | mask_a = cert->mask_a; | 2517 | mask_a = cert->mask_a; |
| @@ -2509,7 +2519,6 @@ ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, | |||
| 2509 | alg_k = c->algorithm_mkey; | 2519 | alg_k = c->algorithm_mkey; |
| 2510 | alg_a = c->algorithm_auth; | 2520 | alg_a = c->algorithm_auth; |
| 2511 | 2521 | ||
| 2512 | |||
| 2513 | ok = (alg_k & mask_k) && (alg_a & mask_a); | 2522 | ok = (alg_k & mask_k) && (alg_a & mask_a); |
| 2514 | 2523 | ||
| 2515 | /* | 2524 | /* |
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 1b141b6e2c..a6bdfaa4a1 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_lib.c,v 1.209 2020/01/23 03:17:40 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_lib.c,v 1.210 2020/01/23 10:40:59 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -2006,6 +2006,9 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) | |||
| 2006 | mask_a |= SSL_aRSA; | 2006 | mask_a |= SSL_aRSA; |
| 2007 | 2007 | ||
| 2008 | mask_a |= SSL_aNULL; | 2008 | mask_a |= SSL_aNULL; |
| 2009 | mask_a |= SSL_aTLS1_3; | ||
| 2010 | |||
| 2011 | mask_k |= SSL_kTLS1_3; | ||
| 2009 | 2012 | ||
| 2010 | /* | 2013 | /* |
| 2011 | * An ECC certificate may be usable for ECDH and/or | 2014 | * An ECC certificate may be usable for ECDH and/or |
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index 2c774a3d77..6703e8feee 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_locl.h,v 1.254 2020/01/23 06:15:44 beck Exp $ */ | 1 | /* $OpenBSD: ssl_locl.h,v 1.255 2020/01/23 10:40:59 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -342,6 +342,10 @@ __BEGIN_HIDDEN_DECLS | |||
| 342 | #define SSL_USE_TLS1_2_CIPHERS(s) \ | 342 | #define SSL_USE_TLS1_2_CIPHERS(s) \ |
| 343 | (s->method->internal->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS) | 343 | (s->method->internal->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS) |
| 344 | 344 | ||
| 345 | /* Allow TLS 1.3 ciphersuites only. */ | ||
| 346 | #define SSL_USE_TLS1_3_CIPHERS(s) \ | ||
| 347 | (s->method->internal->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_3_CIPHERS) | ||
| 348 | |||
| 345 | #define SSL_PKEY_RSA_ENC 0 | 349 | #define SSL_PKEY_RSA_ENC 0 |
| 346 | #define SSL_PKEY_RSA_SIGN 1 | 350 | #define SSL_PKEY_RSA_SIGN 1 |
| 347 | #define SSL_PKEY_DH_RSA 2 | 351 | #define SSL_PKEY_DH_RSA 2 |
| @@ -1046,6 +1050,9 @@ typedef struct ssl3_enc_method { | |||
| 1046 | /* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2. */ | 1050 | /* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2. */ |
| 1047 | #define SSL_ENC_FLAG_TLS1_2_CIPHERS (1 << 4) | 1051 | #define SSL_ENC_FLAG_TLS1_2_CIPHERS (1 << 4) |
| 1048 | 1052 | ||
| 1053 | /* Allow TLS 1.3 ciphersuites only. */ | ||
| 1054 | #define SSL_ENC_FLAG_TLS1_3_CIPHERS (1 << 5) | ||
| 1055 | |||
| 1049 | /* | 1056 | /* |
| 1050 | * ssl_aead_ctx_st contains information about an AEAD that is being used to | 1057 | * ssl_aead_ctx_st contains information about an AEAD that is being used to |
| 1051 | * encrypt an SSL connection. | 1058 | * encrypt an SSL connection. |
| @@ -1094,6 +1101,7 @@ extern SSL3_ENC_METHOD DTLSv1_enc_data; | |||
| 1094 | extern SSL3_ENC_METHOD TLSv1_enc_data; | 1101 | extern SSL3_ENC_METHOD TLSv1_enc_data; |
| 1095 | extern SSL3_ENC_METHOD TLSv1_1_enc_data; | 1102 | extern SSL3_ENC_METHOD TLSv1_1_enc_data; |
| 1096 | extern SSL3_ENC_METHOD TLSv1_2_enc_data; | 1103 | extern SSL3_ENC_METHOD TLSv1_2_enc_data; |
| 1104 | extern SSL3_ENC_METHOD TLSv1_3_enc_data; | ||
| 1097 | 1105 | ||
| 1098 | void ssl_clear_cipher_state(SSL *s); | 1106 | void ssl_clear_cipher_state(SSL *s); |
| 1099 | void ssl_clear_cipher_read_state(SSL *s); | 1107 | void ssl_clear_cipher_read_state(SSL *s); |
diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c index 5d8c359014..91dd566864 100644 --- a/src/lib/libssl/tls13_lib.c +++ b/src/lib/libssl/tls13_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls13_lib.c,v 1.24 2020/01/23 07:30:55 beck Exp $ */ | 1 | /* $OpenBSD: tls13_lib.c,v 1.25 2020/01/23 10:40:59 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> |
| 4 | * Copyright (c) 2019 Bob Beck <beck@openbsd.org> | 4 | * Copyright (c) 2019 Bob Beck <beck@openbsd.org> |
| @@ -24,6 +24,11 @@ | |||
| 24 | #include "ssl_locl.h" | 24 | #include "ssl_locl.h" |
| 25 | #include "tls13_internal.h" | 25 | #include "tls13_internal.h" |
| 26 | 26 | ||
| 27 | SSL3_ENC_METHOD TLSv1_3_enc_data = { | ||
| 28 | .enc = NULL, | ||
| 29 | .enc_flags = SSL_ENC_FLAG_TLS1_3_CIPHERS, | ||
| 30 | }; | ||
| 31 | |||
| 27 | /* | 32 | /* |
| 28 | * RFC 8446 section 4.1.3, magic values which must be set by the | 33 | * RFC 8446 section 4.1.3, magic values which must be set by the |
| 29 | * server in server random if it is willing to downgrade but supports | 34 | * server in server random if it is willing to downgrade but supports |