From 4fbee6b90386fa14be274db8ba947f951bc6de4c Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Mon, 22 Jul 2024 14:47:15 +0000
Subject: Use cipher suite values instead of IDs.

OpenSSL has had the concept of cipher IDs, which were a way of working
around overlapping cipher suite values between SSLv2 and SSLv3. Given
that we no longer have to deal with this issue, replace the use of IDs
with cipher suite values. In particular, this means that we can stop
mapping back and forth between the two, simplifying things considerably.

While here, remove the 'valid' member of the SSL_CIPHER. The ssl3_ciphers[]
table is no longer mutable, meaning that ciphers cannot be disabled at
runtime (and we have `#if 0' if we want to do it at compile time).

Clean up the comments and add/update RFC references for cipher suites.

ok tb@
---
 src/lib/libssl/ssl_ciphers.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

(limited to 'src/lib/libssl/ssl_ciphers.c')

diff --git a/src/lib/libssl/ssl_ciphers.c b/src/lib/libssl/ssl_ciphers.c
index 4ec1b099bc..503ef9d03c 100644
--- a/src/lib/libssl/ssl_ciphers.c
+++ b/src/lib/libssl/ssl_ciphers.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ssl_ciphers.c,v 1.17 2022/11/26 16:08:55 tb Exp $ */
+/*	$OpenBSD: ssl_ciphers.c,v 1.18 2024/07/22 14:47:15 jsing Exp $ */
 /*
  * Copyright (c) 2015-2017 Doug Hogan <doug@openbsd.org>
  * Copyright (c) 2015-2018, 2020 Joel Sing <jsing@openbsd.org>
@@ -28,7 +28,7 @@ ssl_cipher_in_list(STACK_OF(SSL_CIPHER) *ciphers, const SSL_CIPHER *cipher)
 	int i;
 
 	for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
-		if (sk_SSL_CIPHER_value(ciphers, i)->id == cipher->id)
+		if (sk_SSL_CIPHER_value(ciphers, i)->value == cipher->value)
 			return 1;
 	}
 
@@ -72,7 +72,7 @@ ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb)
 			continue;
 		if (!ssl_security_cipher_check(s, cipher))
 			continue;
-		if (!CBB_add_u16(cbb, ssl3_cipher_get_value(cipher)))
+		if (!CBB_add_u16(cbb, cipher->value))
 			return 0;
 
 		num_ciphers++;
@@ -165,34 +165,34 @@ ssl_bytes_to_cipher_list(SSL *s, CBS *cbs)
 struct ssl_tls13_ciphersuite {
 	const char *name;
 	const char *alias;
-	unsigned long cid;
+	uint16_t value;
 };
 
 static const struct ssl_tls13_ciphersuite ssl_tls13_ciphersuites[] = {
 	{
 		.name = TLS1_3_RFC_AES_128_GCM_SHA256,
 		.alias = TLS1_3_TXT_AES_128_GCM_SHA256,
-		.cid = TLS1_3_CK_AES_128_GCM_SHA256,
+		.value = 0x1301,
 	},
 	{
 		.name = TLS1_3_RFC_AES_256_GCM_SHA384,
 		.alias = TLS1_3_TXT_AES_256_GCM_SHA384,
-		.cid = TLS1_3_CK_AES_256_GCM_SHA384,
+		.value = 0x1302,
 	},
 	{
 		.name = TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
 		.alias = TLS1_3_TXT_CHACHA20_POLY1305_SHA256,
-		.cid = TLS1_3_CK_CHACHA20_POLY1305_SHA256,
+		.value = 0x1303,
 	},
 	{
 		.name = TLS1_3_RFC_AES_128_CCM_SHA256,
 		.alias = TLS1_3_TXT_AES_128_CCM_SHA256,
-		.cid = TLS1_3_CK_AES_128_CCM_SHA256,
+		.value = 0x1304,
 	},
 	{
 		.name = TLS1_3_RFC_AES_128_CCM_8_SHA256,
 		.alias = TLS1_3_TXT_AES_128_CCM_8_SHA256,
-		.cid = TLS1_3_CK_AES_128_CCM_8_SHA256,
+		.value = 0x1305,
 	},
 	{
 		.name = NULL,
@@ -234,7 +234,7 @@ ssl_parse_ciphersuites(STACK_OF(SSL_CIPHER) **out_ciphers, const char *str)
 			goto err;
 
 		/* We know about the cipher suite, but it is not supported. */
-		if ((cipher = ssl3_get_cipher_by_id(ciphersuite->cid)) == NULL)
+		if ((cipher = ssl3_get_cipher_by_value(ciphersuite->value)) == NULL)
 			continue;
 
 		if (!sk_SSL_CIPHER_push(ciphers, cipher))
-- 
cgit v1.2.3-55-g6feb