1 files changed, 26 insertions, 30 deletions
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index 7c32354902..dce141101d 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.145 2024/07/20 04:04:23 jsing Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.146 2024/07/22 14:47:15 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -373,21 +373,18 @@ static const SSL_CIPHER cipher_aliases[] = {
        /* cipher suite aliases */
 #ifdef LIBRESSL_HAS_TLS1_3
        {
-                .valid = 1,
+                .value = 0x1301,
                .name = "TLS_AES_128_GCM_SHA256",
-                .id = TLS1_3_CK_AES_128_GCM_SHA256,
                .algorithm_ssl = SSL_TLSV1_3,
        },
        {
-                .valid = 1,
+                .value = 0x1302,
                .name = "TLS_AES_256_GCM_SHA384",
-                .id = TLS1_3_CK_AES_256_GCM_SHA384,
                .algorithm_ssl = SSL_TLSV1_3,
        },
        {
-                .valid = 1,
+                .value = 0x1303,
                .name = "TLS_CHACHA20_POLY1305_SHA256",
-                .id = TLS1_3_CK_CHACHA20_POLY1305_SHA256,
                .algorithm_ssl = SSL_TLSV1_3,
        },
 #endif
@@ -619,7 +616,7 @@ ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, int num_of_ciphers,
                 * Drop any invalid ciphers and any which use unavailable
                 * algorithms.
                 */
-                if ((c != NULL) && c->valid &&
+                if ((c != NULL) &&
                    !(c->algorithm_mkey & disabled_mkey) &&
                    !(c->algorithm_auth & disabled_auth) &&
                    !(c->algorithm_enc & disabled_enc) &&
@@ -725,7 +722,7 @@ ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list, int num_of_group_aliases,
 }
 static void
-ssl_cipher_apply_rule(unsigned long cipher_id, unsigned long alg_mkey,
+ssl_cipher_apply_rule(uint16_t cipher_value, unsigned long alg_mkey,
    unsigned long alg_auth, unsigned long alg_enc, unsigned long alg_mac,
    unsigned long alg_ssl, unsigned long algo_strength, int rule,
    int strength_bits, CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
@@ -757,7 +754,7 @@ ssl_cipher_apply_rule(unsigned long cipher_id, unsigned long alg_mkey,
                cp = curr->cipher;
-                if (cipher_id && cp->id != cipher_id)
+                if (cipher_value != 0 && cp->value != cipher_value)
                        continue;
                /*
@@ -882,7 +879,7 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p,
        unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl;
        unsigned long algo_strength;
        int j, multi, found, rule, retval, ok, buflen;
-        unsigned long cipher_id = 0;
+        uint16_t cipher_value = 0;
        const char *l, *buf;
        char ch;
@@ -974,7 +971,7 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p,
                         * '\0' terminated.)
                         */
                        j = found = 0;
-                        cipher_id = 0;
+                        cipher_value = 0;
                        while (ca_list[j]) {
                                if (!strncmp(buf, ca_list[j]->name, buflen) &&
                                    (ca_list[j]->name[buflen] == '\0')) {
@@ -1047,13 +1044,13 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p,
                                            SSL_STRONG_MASK;
                        }
-                        if (ca_list[j]->valid) {
+                        if (ca_list[j]->value != 0) {
                                /*
                                 * explicit ciphersuite found; its protocol
                                 * version does not become part of the search
                                 * pattern!
                                 */
-                                cipher_id = ca_list[j]->id;
+                                cipher_value = ca_list[j]->value;
                                if (ca_list[j]->algorithm_ssl == SSL_TLSV1_3)
                                        *tls13_seen = 1;
                        } else {
@@ -1109,7 +1106,7 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p,
                } else if (found) {
                        if (alg_ssl == SSL_TLSV1_3)
                                *tls13_seen = 1;
-                        ssl_cipher_apply_rule(cipher_id, alg_mkey, alg_auth,
+                        ssl_cipher_apply_rule(cipher_value, alg_mkey, alg_auth,
                            alg_enc, alg_mac, alg_ssl, algo_strength, rule,
                            -1, head_p, tail_p);
                } else {
@@ -1470,24 +1467,23 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
 LSSL_ALIAS(SSL_CIPHER_description);
 const char *
-SSL_CIPHER_get_version(const SSL_CIPHER *c)
+SSL_CIPHER_get_version(const SSL_CIPHER *cipher)
 {
-        if (c == NULL)
+        if (cipher == NULL)
-                return("(NONE)");
+                return "(NONE)";
-        if ((c->id >> 24) == 3)
-                return("TLSv1/SSLv3");
+        return "TLSv1/SSLv3";
-        else
-                return("unknown");
 }
 LSSL_ALIAS(SSL_CIPHER_get_version);
 /* return the actual cipher being used */
 const char *
-SSL_CIPHER_get_name(const SSL_CIPHER *c)
+SSL_CIPHER_get_name(const SSL_CIPHER *cipher)
 {
-        if (c != NULL)
+        if (cipher == NULL)
-                return (c->name);
+                return "(NONE)";
-        return("(NONE)");
+        return cipher->name;
 }
 LSSL_ALIAS(SSL_CIPHER_get_name);
@@ -1507,16 +1503,16 @@ SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits)
 LSSL_ALIAS(SSL_CIPHER_get_bits);
 unsigned long
-SSL_CIPHER_get_id(const SSL_CIPHER *c)
+SSL_CIPHER_get_id(const SSL_CIPHER *cipher)
 {
-        return c->id;
+        return SSL3_CK_ID | cipher->value;
 }
 LSSL_ALIAS(SSL_CIPHER_get_id);
 uint16_t
-SSL_CIPHER_get_value(const SSL_CIPHER *c)
+SSL_CIPHER_get_value(const SSL_CIPHER *cipher)
 {
-        return ssl3_cipher_get_value(c);
+        return cipher->value;
 }
 LSSL_ALIAS(SSL_CIPHER_get_value);

diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c index 7c32354902..dce141101d 100644 --- a/src/lib/libssl/ssl_ciph.c +++ b/src/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_ciph.c,v 1.145 2024/07/20 04:04:23 jsing Exp $ */	1	/* $OpenBSD: ssl_ciph.c,v 1.146 2024/07/22 14:47:15 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -373,21 +373,18 @@ static const SSL_CIPHER cipher_aliases[] = {
373	/* cipher suite aliases */	373	/* cipher suite aliases */
374	#ifdef LIBRESSL_HAS_TLS1_3	374	#ifdef LIBRESSL_HAS_TLS1_3
375	{	375	{
376	.valid = 1,	376	.value = 0x1301,
377	.name = "TLS_AES_128_GCM_SHA256",	377	.name = "TLS_AES_128_GCM_SHA256",
378	.id = TLS1_3_CK_AES_128_GCM_SHA256,
379	.algorithm_ssl = SSL_TLSV1_3,	378	.algorithm_ssl = SSL_TLSV1_3,
380	},	379	},
381	{	380	{
382	.valid = 1,	381	.value = 0x1302,
383	.name = "TLS_AES_256_GCM_SHA384",	382	.name = "TLS_AES_256_GCM_SHA384",
384	.id = TLS1_3_CK_AES_256_GCM_SHA384,
385	.algorithm_ssl = SSL_TLSV1_3,	383	.algorithm_ssl = SSL_TLSV1_3,
386	},	384	},
387	{	385	{
388	.valid = 1,	386	.value = 0x1303,
389	.name = "TLS_CHACHA20_POLY1305_SHA256",	387	.name = "TLS_CHACHA20_POLY1305_SHA256",
390	.id = TLS1_3_CK_CHACHA20_POLY1305_SHA256,
391	.algorithm_ssl = SSL_TLSV1_3,	388	.algorithm_ssl = SSL_TLSV1_3,
392	},	389	},
393	#endif	390	#endif
@@ -619,7 +616,7 @@ ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, int num_of_ciphers,
619	* Drop any invalid ciphers and any which use unavailable	616	* Drop any invalid ciphers and any which use unavailable
620	* algorithms.	617	* algorithms.
621	*/	618	*/
622	if ((c != NULL) && c->valid &&	619	if ((c != NULL) &&
623	!(c->algorithm_mkey & disabled_mkey) &&	620	!(c->algorithm_mkey & disabled_mkey) &&
624	!(c->algorithm_auth & disabled_auth) &&	621	!(c->algorithm_auth & disabled_auth) &&
625	!(c->algorithm_enc & disabled_enc) &&	622	!(c->algorithm_enc & disabled_enc) &&
@@ -725,7 +722,7 @@ ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list, int num_of_group_aliases,
725	}	722	}
726		723
727	static void	724	static void
728	ssl_cipher_apply_rule(unsigned long cipher_id, unsigned long alg_mkey,	725	ssl_cipher_apply_rule(uint16_t cipher_value, unsigned long alg_mkey,
729	unsigned long alg_auth, unsigned long alg_enc, unsigned long alg_mac,	726	unsigned long alg_auth, unsigned long alg_enc, unsigned long alg_mac,
730	unsigned long alg_ssl, unsigned long algo_strength, int rule,	727	unsigned long alg_ssl, unsigned long algo_strength, int rule,
731	int strength_bits, CIPHER_ORDER head_p, CIPHER_ORDER tail_p)	728	int strength_bits, CIPHER_ORDER head_p, CIPHER_ORDER tail_p)
@@ -757,7 +754,7 @@ ssl_cipher_apply_rule(unsigned long cipher_id, unsigned long alg_mkey,
757		754
758	cp = curr->cipher;	755	cp = curr->cipher;
759		756
760	if (cipher_id && cp->id != cipher_id)	757	if (cipher_value != 0 && cp->value != cipher_value)
761	continue;	758	continue;
762		759
763	/*	760	/*
@@ -882,7 +879,7 @@ ssl_cipher_process_rulestr(const char rule_str, CIPHER_ORDER *head_p,
882	unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl;	879	unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl;
883	unsigned long algo_strength;	880	unsigned long algo_strength;
884	int j, multi, found, rule, retval, ok, buflen;	881	int j, multi, found, rule, retval, ok, buflen;
885	unsigned long cipher_id = 0;	882	uint16_t cipher_value = 0;
886	const char l, buf;	883	const char l, buf;
887	char ch;	884	char ch;
888		885
@@ -974,7 +971,7 @@ ssl_cipher_process_rulestr(const char rule_str, CIPHER_ORDER *head_p,
974	* '\0' terminated.)	971	* '\0' terminated.)
975	*/	972	*/
976	j = found = 0;	973	j = found = 0;
977	cipher_id = 0;	974	cipher_value = 0;
978	while (ca_list[j]) {	975	while (ca_list[j]) {
979	if (!strncmp(buf, ca_list[j]->name, buflen) &&	976	if (!strncmp(buf, ca_list[j]->name, buflen) &&
980	(ca_list[j]->name[buflen] == '\0')) {	977	(ca_list[j]->name[buflen] == '\0')) {
@@ -1047,13 +1044,13 @@ ssl_cipher_process_rulestr(const char rule_str, CIPHER_ORDER *head_p,
1047	SSL_STRONG_MASK;	1044	SSL_STRONG_MASK;
1048	}	1045	}
1049		1046
1050	if (ca_list[j]->valid) {	1047	if (ca_list[j]->value != 0) {
1051	/*	1048	/*
1052	* explicit ciphersuite found; its protocol	1049	* explicit ciphersuite found; its protocol
1053	* version does not become part of the search	1050	* version does not become part of the search
1054	* pattern!	1051	* pattern!
1055	*/	1052	*/
1056	cipher_id = ca_list[j]->id;	1053	cipher_value = ca_list[j]->value;
1057	if (ca_list[j]->algorithm_ssl == SSL_TLSV1_3)	1054	if (ca_list[j]->algorithm_ssl == SSL_TLSV1_3)
1058	*tls13_seen = 1;	1055	*tls13_seen = 1;
1059	} else {	1056	} else {
@@ -1109,7 +1106,7 @@ ssl_cipher_process_rulestr(const char rule_str, CIPHER_ORDER *head_p,
1109	} else if (found) {	1106	} else if (found) {
1110	if (alg_ssl == SSL_TLSV1_3)	1107	if (alg_ssl == SSL_TLSV1_3)
1111	*tls13_seen = 1;	1108	*tls13_seen = 1;
1112	ssl_cipher_apply_rule(cipher_id, alg_mkey, alg_auth,	1109	ssl_cipher_apply_rule(cipher_value, alg_mkey, alg_auth,
1113	alg_enc, alg_mac, alg_ssl, algo_strength, rule,	1110	alg_enc, alg_mac, alg_ssl, algo_strength, rule,
1114	-1, head_p, tail_p);	1111	-1, head_p, tail_p);
1115	} else {	1112	} else {
@@ -1470,24 +1467,23 @@ SSL_CIPHER_description(const SSL_CIPHER cipher, char buf, int len)
1470	LSSL_ALIAS(SSL_CIPHER_description);	1467	LSSL_ALIAS(SSL_CIPHER_description);
1471		1468
1472	const char *	1469	const char *
1473	SSL_CIPHER_get_version(const SSL_CIPHER *c)	1470	SSL_CIPHER_get_version(const SSL_CIPHER *cipher)
1474	{	1471	{
1475	if (c == NULL)	1472	if (cipher == NULL)
1476	return("(NONE)");	1473	return "(NONE)";
1477	if ((c->id >> 24) == 3)	1474
1478	return("TLSv1/SSLv3");	1475	return "TLSv1/SSLv3";
1479	else
1480	return("unknown");
1481	}	1476	}
1482	LSSL_ALIAS(SSL_CIPHER_get_version);	1477	LSSL_ALIAS(SSL_CIPHER_get_version);
1483		1478
1484	/* return the actual cipher being used */	1479	/* return the actual cipher being used */
1485	const char *	1480	const char *
1486	SSL_CIPHER_get_name(const SSL_CIPHER *c)	1481	SSL_CIPHER_get_name(const SSL_CIPHER *cipher)
1487	{	1482	{
1488	if (c != NULL)	1483	if (cipher == NULL)
1489	return (c->name);	1484	return "(NONE)";
1490	return("(NONE)");	1485
		1486	return cipher->name;
1491	}	1487	}
1492	LSSL_ALIAS(SSL_CIPHER_get_name);	1488	LSSL_ALIAS(SSL_CIPHER_get_name);
1493		1489
@@ -1507,16 +1503,16 @@ SSL_CIPHER_get_bits(const SSL_CIPHER c, int alg_bits)
1507	LSSL_ALIAS(SSL_CIPHER_get_bits);	1503	LSSL_ALIAS(SSL_CIPHER_get_bits);
1508		1504
1509	unsigned long	1505	unsigned long
1510	SSL_CIPHER_get_id(const SSL_CIPHER *c)	1506	SSL_CIPHER_get_id(const SSL_CIPHER *cipher)
1511	{	1507	{
1512	return c->id;	1508	return SSL3_CK_ID \| cipher->value;
1513	}	1509	}
1514	LSSL_ALIAS(SSL_CIPHER_get_id);	1510	LSSL_ALIAS(SSL_CIPHER_get_id);
1515		1511
1516	uint16_t	1512	uint16_t
1517	SSL_CIPHER_get_value(const SSL_CIPHER *c)	1513	SSL_CIPHER_get_value(const SSL_CIPHER *cipher)
1518	{	1514	{
1519	return ssl3_cipher_get_value(c);	1515	return cipher->value;
1520	}	1516	}
1521	LSSL_ALIAS(SSL_CIPHER_get_value);	1517	LSSL_ALIAS(SSL_CIPHER_get_value);
1522		1518