diff options
Diffstat (limited to 'src/lib/libssl/ssl_lib.c')
| -rw-r--r-- | src/lib/libssl/ssl_lib.c | 57 |
1 files changed, 51 insertions, 6 deletions
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 5bc759d483..a194e5639a 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_lib.c,v 1.225 2020/09/11 17:36:27 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_lib.c,v 1.226 2020/09/13 16:49:05 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -230,7 +230,7 @@ SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth) | |||
| 230 | ctx->method = meth; | 230 | ctx->method = meth; |
| 231 | 231 | ||
| 232 | ciphers = ssl_create_cipher_list(ctx->method, &ctx->cipher_list, | 232 | ciphers = ssl_create_cipher_list(ctx->method, &ctx->cipher_list, |
| 233 | SSL_DEFAULT_CIPHER_LIST); | 233 | ctx->internal->cipher_list_tls13, SSL_DEFAULT_CIPHER_LIST); |
| 234 | if (ciphers == NULL || sk_SSL_CIPHER_num(ciphers) <= 0) { | 234 | if (ciphers == NULL || sk_SSL_CIPHER_num(ciphers) <= 0) { |
| 235 | SSLerrorx(SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); | 235 | SSLerrorx(SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); |
| 236 | return (0); | 236 | return (0); |
| @@ -530,6 +530,7 @@ SSL_free(SSL *s) | |||
| 530 | BUF_MEM_free(s->internal->init_buf); | 530 | BUF_MEM_free(s->internal->init_buf); |
| 531 | 531 | ||
| 532 | sk_SSL_CIPHER_free(s->cipher_list); | 532 | sk_SSL_CIPHER_free(s->cipher_list); |
| 533 | sk_SSL_CIPHER_free(s->internal->cipher_list_tls13); | ||
| 533 | 534 | ||
| 534 | /* Make the next call work :-) */ | 535 | /* Make the next call work :-) */ |
| 535 | if (s->session != NULL) { | 536 | if (s->session != NULL) { |
| @@ -1353,7 +1354,8 @@ SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) | |||
| 1353 | * an error as far as ssl_create_cipher_list is concerned, and hence | 1354 | * an error as far as ssl_create_cipher_list is concerned, and hence |
| 1354 | * ctx->cipher_list has been updated. | 1355 | * ctx->cipher_list has been updated. |
| 1355 | */ | 1356 | */ |
| 1356 | ciphers = ssl_create_cipher_list(ctx->method, &ctx->cipher_list, str); | 1357 | ciphers = ssl_create_cipher_list(ctx->method, &ctx->cipher_list, |
| 1358 | ctx->internal->cipher_list_tls13, str); | ||
| 1357 | if (ciphers == NULL) { | 1359 | if (ciphers == NULL) { |
| 1358 | return (0); | 1360 | return (0); |
| 1359 | } else if (sk_SSL_CIPHER_num(ciphers) == 0) { | 1361 | } else if (sk_SSL_CIPHER_num(ciphers) == 0) { |
| @@ -1363,14 +1365,32 @@ SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) | |||
| 1363 | return (1); | 1365 | return (1); |
| 1364 | } | 1366 | } |
| 1365 | 1367 | ||
| 1368 | int | ||
| 1369 | SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str) | ||
| 1370 | { | ||
| 1371 | if (!ssl_parse_ciphersuites(&ctx->internal->cipher_list_tls13, str)) { | ||
| 1372 | SSLerrorx(SSL_R_NO_CIPHER_MATCH); | ||
| 1373 | return 0; | ||
| 1374 | } | ||
| 1375 | if (!ssl_merge_cipherlists(ctx->cipher_list, | ||
| 1376 | ctx->internal->cipher_list_tls13, &ctx->cipher_list)) | ||
| 1377 | return 0; | ||
| 1378 | |||
| 1379 | return 1; | ||
| 1380 | } | ||
| 1381 | |||
| 1366 | /* Specify the ciphers to be used by the SSL. */ | 1382 | /* Specify the ciphers to be used by the SSL. */ |
| 1367 | int | 1383 | int |
| 1368 | SSL_set_cipher_list(SSL *s, const char *str) | 1384 | SSL_set_cipher_list(SSL *s, const char *str) |
| 1369 | { | 1385 | { |
| 1370 | STACK_OF(SSL_CIPHER) *ciphers; | 1386 | STACK_OF(SSL_CIPHER) *ciphers, *ciphers_tls13; |
| 1387 | |||
| 1388 | if ((ciphers_tls13 = s->internal->cipher_list_tls13) == NULL) | ||
| 1389 | ciphers_tls13 = s->ctx->internal->cipher_list_tls13; | ||
| 1371 | 1390 | ||
| 1372 | /* See comment in SSL_CTX_set_cipher_list. */ | 1391 | /* See comment in SSL_CTX_set_cipher_list. */ |
| 1373 | ciphers = ssl_create_cipher_list(s->ctx->method, &s->cipher_list, str); | 1392 | ciphers = ssl_create_cipher_list(s->ctx->method, &s->cipher_list, |
| 1393 | ciphers_tls13, str); | ||
| 1374 | if (ciphers == NULL) { | 1394 | if (ciphers == NULL) { |
| 1375 | return (0); | 1395 | return (0); |
| 1376 | } else if (sk_SSL_CIPHER_num(ciphers) == 0) { | 1396 | } else if (sk_SSL_CIPHER_num(ciphers) == 0) { |
| @@ -1380,6 +1400,25 @@ SSL_set_cipher_list(SSL *s, const char *str) | |||
| 1380 | return (1); | 1400 | return (1); |
| 1381 | } | 1401 | } |
| 1382 | 1402 | ||
| 1403 | int | ||
| 1404 | SSL_set_ciphersuites(SSL *s, const char *str) | ||
| 1405 | { | ||
| 1406 | STACK_OF(SSL_CIPHER) *ciphers; | ||
| 1407 | |||
| 1408 | if ((ciphers = s->cipher_list) == NULL) | ||
| 1409 | ciphers = s->ctx->cipher_list; | ||
| 1410 | |||
| 1411 | if (!ssl_parse_ciphersuites(&s->internal->cipher_list_tls13, str)) { | ||
| 1412 | SSLerrorx(SSL_R_NO_CIPHER_MATCH); | ||
| 1413 | return (0); | ||
| 1414 | } | ||
| 1415 | if (!ssl_merge_cipherlists(ciphers, s->internal->cipher_list_tls13, | ||
| 1416 | &s->cipher_list)) | ||
| 1417 | return 0; | ||
| 1418 | |||
| 1419 | return 1; | ||
| 1420 | } | ||
| 1421 | |||
| 1383 | char * | 1422 | char * |
| 1384 | SSL_get_shared_ciphers(const SSL *s, char *buf, int len) | 1423 | SSL_get_shared_ciphers(const SSL *s, char *buf, int len) |
| 1385 | { | 1424 | { |
| @@ -1758,7 +1797,7 @@ SSL_CTX_new(const SSL_METHOD *meth) | |||
| 1758 | goto err; | 1797 | goto err; |
| 1759 | 1798 | ||
| 1760 | ssl_create_cipher_list(ret->method, &ret->cipher_list, | 1799 | ssl_create_cipher_list(ret->method, &ret->cipher_list, |
| 1761 | SSL_DEFAULT_CIPHER_LIST); | 1800 | NULL, SSL_DEFAULT_CIPHER_LIST); |
| 1762 | if (ret->cipher_list == NULL || | 1801 | if (ret->cipher_list == NULL || |
| 1763 | sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { | 1802 | sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { |
| 1764 | SSLerrorx(SSL_R_LIBRARY_HAS_NO_CIPHERS); | 1803 | SSLerrorx(SSL_R_LIBRARY_HAS_NO_CIPHERS); |
| @@ -1855,6 +1894,7 @@ SSL_CTX_free(SSL_CTX *ctx) | |||
| 1855 | 1894 | ||
| 1856 | X509_STORE_free(ctx->cert_store); | 1895 | X509_STORE_free(ctx->cert_store); |
| 1857 | sk_SSL_CIPHER_free(ctx->cipher_list); | 1896 | sk_SSL_CIPHER_free(ctx->cipher_list); |
| 1897 | sk_SSL_CIPHER_free(ctx->internal->cipher_list_tls13); | ||
| 1858 | ssl_cert_free(ctx->internal->cert); | 1898 | ssl_cert_free(ctx->internal->cert); |
| 1859 | sk_X509_NAME_pop_free(ctx->internal->client_CA, X509_NAME_free); | 1899 | sk_X509_NAME_pop_free(ctx->internal->client_CA, X509_NAME_free); |
| 1860 | sk_X509_pop_free(ctx->extra_certs, X509_free); | 1900 | sk_X509_pop_free(ctx->extra_certs, X509_free); |
| @@ -2451,6 +2491,11 @@ SSL_dup(SSL *s) | |||
| 2451 | sk_SSL_CIPHER_dup(s->cipher_list)) == NULL) | 2491 | sk_SSL_CIPHER_dup(s->cipher_list)) == NULL) |
| 2452 | goto err; | 2492 | goto err; |
| 2453 | } | 2493 | } |
| 2494 | if (s->internal->cipher_list_tls13 != NULL) { | ||
| 2495 | if ((ret->internal->cipher_list_tls13 = | ||
| 2496 | sk_SSL_CIPHER_dup(s->internal->cipher_list_tls13)) == NULL) | ||
| 2497 | goto err; | ||
| 2498 | } | ||
| 2454 | 2499 | ||
| 2455 | /* Dup the client_CA list */ | 2500 | /* Dup the client_CA list */ |
| 2456 | if (s->internal->client_CA != NULL) { | 2501 | if (s->internal->client_CA != NULL) { |