Latest update.
parent
e76cdf9b20
commit
6889043035
|
@ -31,7 +31,7 @@ Default support is in bold type.
|
|||
- [Google(Gmail)](https://gmail.com/) : _TLSv1.3_ **final**
|
||||
- [NSS TLS 1.3(Mozilla)](https://tls13.crypto.mozilla.org/) : _TLSv1.3_ **final**
|
||||
|
||||
[Compatible OpenSSL-3.0.0-dev (OpenSSL, 24031 commits)](https://github.com/openssl/openssl/tree/3bbec1afed1c65b6f7f645b27808b070e6e7a509)
|
||||
[Compatible OpenSSL-3.0.0-dev (OpenSSL, 24488 commits)](https://github.com/openssl/openssl/tree/20bf3d8b22f8c1a3529034007d3618fd1fc4fa16)
|
||||
|
||||
## Patch files
|
||||
|
||||
|
|
|
@ -11,7 +11,7 @@ index a97eaa1685..24112723f0 100644
|
|||
#endif
|
||||
}
|
||||
diff --git a/crypto/evp/e_chacha20_poly1305.c b/crypto/evp/e_chacha20_poly1305.c
|
||||
index ccef031b89..083179398c 100644
|
||||
index 570378b1af..46eb33910a 100644
|
||||
--- a/crypto/evp/e_chacha20_poly1305.c
|
||||
+++ b/crypto/evp/e_chacha20_poly1305.c
|
||||
@@ -156,6 +156,7 @@ typedef struct {
|
||||
|
@ -171,7 +171,7 @@ index ccef031b89..083179398c 100644
|
|||
}
|
||||
Poly1305_Final(POLY1305_ctx(actx), ctx->encrypt ? actx->tag
|
||||
: temp);
|
||||
@@ -535,12 +576,14 @@ static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
|
||||
@@ -539,12 +580,14 @@ static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
|
||||
return 1;
|
||||
|
||||
case EVP_CTRL_AEAD_SET_IVLEN:
|
||||
|
@ -186,7 +186,7 @@ index ccef031b89..083179398c 100644
|
|||
if (arg != 12)
|
||||
return 0;
|
||||
actx->nonce[0] = actx->key.counter[1]
|
||||
@@ -624,9 +667,32 @@ static EVP_CIPHER chacha20_poly1305 = {
|
||||
@@ -629,9 +672,32 @@ static EVP_CIPHER chacha20_poly1305 = {
|
||||
NULL /* app_data */
|
||||
};
|
||||
|
||||
|
@ -220,66 +220,66 @@ index ccef031b89..083179398c 100644
|
|||
# endif
|
||||
#endif
|
||||
diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h
|
||||
index 876bab2a7f..0e825e5b8b 100644
|
||||
index 0beeacfa40..8b3737f363 100644
|
||||
--- a/crypto/objects/obj_dat.h
|
||||
+++ b/crypto/objects/obj_dat.h
|
||||
@@ -1080,7 +1080,7 @@ static const unsigned char so[7775] = {
|
||||
0x2A,0x81,0x1C,0xCF,0x55,0x01,0x83,0x75, /* [ 7766] OBJ_SM2_with_SM3 */
|
||||
@@ -1084,7 +1084,7 @@ static const unsigned char so[7813] = {
|
||||
0x2A,0x81,0x1C,0xCF,0x55,0x01,0x83,0x75, /* [ 7804] OBJ_SM2_with_SM3 */
|
||||
};
|
||||
|
||||
-#define NUM_NID 1207
|
||||
+#define NUM_NID 1208
|
||||
-#define NUM_NID 1208
|
||||
+#define NUM_NID 1209
|
||||
static const ASN1_OBJECT nid_objs[NUM_NID] = {
|
||||
{"UNDEF", "undefined", NID_undef},
|
||||
{"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]},
|
||||
@@ -2289,9 +2289,10 @@ static const ASN1_OBJECT nid_objs[NUM_NID] = {
|
||||
{"SM2-SM3", "SM2-with-SM3", NID_SM2_with_SM3, 8, &so[7766]},
|
||||
@@ -2294,9 +2294,10 @@ static const ASN1_OBJECT nid_objs[NUM_NID] = {
|
||||
{"SSKDF", "sskdf", NID_sskdf},
|
||||
{"X963KDF", "x963kdf", NID_x963kdf},
|
||||
{"X942KDF", "x942kdf", NID_x942kdf},
|
||||
+ {"ChaCha20-Poly1305-D", "chacha20-poly1305-draft", NID_chacha20_poly1305_draft},
|
||||
};
|
||||
|
||||
-#define NUM_SN 1198
|
||||
+#define NUM_SN 1199
|
||||
-#define NUM_SN 1199
|
||||
+#define NUM_SN 1200
|
||||
static const unsigned int sn_objs[NUM_SN] = {
|
||||
364, /* "AD_DVCS" */
|
||||
419, /* "AES-128-CBC" */
|
||||
@@ -2414,6 +2415,7 @@ static const unsigned int sn_objs[NUM_SN] = {
|
||||
@@ -2419,6 +2420,7 @@ static const unsigned int sn_objs[NUM_SN] = {
|
||||
417, /* "CSPName" */
|
||||
1019, /* "ChaCha20" */
|
||||
1018, /* "ChaCha20-Poly1305" */
|
||||
+ 1207, /* "ChaCha20-Poly1305-D" */
|
||||
+ 1208, /* "ChaCha20-Poly1305-D" */
|
||||
367, /* "CrlID" */
|
||||
391, /* "DC" */
|
||||
31, /* "DES-CBC" */
|
||||
@@ -3493,7 +3495,7 @@ static const unsigned int sn_objs[NUM_SN] = {
|
||||
@@ -3499,7 +3501,7 @@ static const unsigned int sn_objs[NUM_SN] = {
|
||||
1093, /* "x509ExtAdmission" */
|
||||
};
|
||||
|
||||
-#define NUM_LN 1198
|
||||
+#define NUM_LN 1199
|
||||
-#define NUM_LN 1199
|
||||
+#define NUM_LN 1200
|
||||
static const unsigned int ln_objs[NUM_LN] = {
|
||||
363, /* "AD Time Stamping" */
|
||||
405, /* "ANSI X9.62" */
|
||||
@@ -3878,6 +3880,7 @@ static const unsigned int ln_objs[NUM_LN] = {
|
||||
@@ -3884,6 +3886,7 @@ static const unsigned int ln_objs[NUM_LN] = {
|
||||
883, /* "certificateRevocationList" */
|
||||
1019, /* "chacha20" */
|
||||
1018, /* "chacha20-poly1305" */
|
||||
+ 1207, /* "chacha20-poly1305-draft" */
|
||||
+ 1208, /* "chacha20-poly1305-draft" */
|
||||
54, /* "challengePassword" */
|
||||
407, /* "characteristic-two-field" */
|
||||
395, /* "clearance" */
|
||||
diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num
|
||||
index e0969fe1fd..957a28d47a 100644
|
||||
index 022e64277c..4751e56115 100644
|
||||
--- a/crypto/objects/obj_mac.num
|
||||
+++ b/crypto/objects/obj_mac.num
|
||||
@@ -1204,3 +1204,4 @@ sshkdf 1203
|
||||
SM2_with_SM3 1204
|
||||
@@ -1205,3 +1205,4 @@ SM2_with_SM3 1204
|
||||
sskdf 1205
|
||||
x963kdf 1206
|
||||
+chacha20_poly1305_draft 1207
|
||||
x942kdf 1207
|
||||
+chacha20_poly1305_draft 1208
|
||||
diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt
|
||||
index 566438948f..92f235d5d5 100644
|
||||
index 47cf2f183d..660bcd8521 100644
|
||||
--- a/crypto/objects/objects.txt
|
||||
+++ b/crypto/objects/objects.txt
|
||||
@@ -1545,6 +1545,7 @@ sm-scheme 104 7 : SM4-CTR : sm4-ctr
|
||||
|
@ -291,10 +291,10 @@ index 566438948f..92f235d5d5 100644
|
|||
|
||||
ISO-US 10046 2 1 : dhpublicnumber : X9.42 DH
|
||||
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
|
||||
index 8195d11250..16dca70c30 100644
|
||||
index 69d70e5e9c..d451c574c0 100644
|
||||
--- a/include/openssl/evp.h
|
||||
+++ b/include/openssl/evp.h
|
||||
@@ -936,6 +936,7 @@ const EVP_CIPHER *EVP_camellia_256_ctr(void);
|
||||
@@ -957,6 +957,7 @@ const EVP_CIPHER *EVP_camellia_256_ctr(void);
|
||||
const EVP_CIPHER *EVP_chacha20(void);
|
||||
# ifndef OPENSSL_NO_POLY1305
|
||||
const EVP_CIPHER *EVP_chacha20_poly1305(void);
|
||||
|
@ -303,22 +303,22 @@ index 8195d11250..16dca70c30 100644
|
|||
# endif
|
||||
|
||||
diff --git a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h
|
||||
index 147bad12db..6e9f141ba5 100644
|
||||
index 930a7a919e..d08a9e3b26 100644
|
||||
--- a/include/openssl/obj_mac.h
|
||||
+++ b/include/openssl/obj_mac.h
|
||||
@@ -4833,6 +4833,10 @@
|
||||
@@ -4837,6 +4837,10 @@
|
||||
#define LN_chacha20_poly1305 "chacha20-poly1305"
|
||||
#define NID_chacha20_poly1305 1018
|
||||
|
||||
+#define SN_chacha20_poly1305_draft "ChaCha20-Poly1305-D"
|
||||
+#define LN_chacha20_poly1305_draft "chacha20-poly1305-draft"
|
||||
+#define NID_chacha20_poly1305_draft 1207
|
||||
+#define NID_chacha20_poly1305_draft 1208
|
||||
+
|
||||
#define SN_chacha20 "ChaCha20"
|
||||
#define LN_chacha20 "chacha20"
|
||||
#define NID_chacha20 1019
|
||||
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
|
||||
index 7219d83420..b569270f84 100644
|
||||
index 93f6bbc8f8..f11e312b54 100644
|
||||
--- a/include/openssl/ssl.h
|
||||
+++ b/include/openssl/ssl.h
|
||||
@@ -125,6 +125,7 @@ extern "C" {
|
||||
|
@ -330,7 +330,7 @@ index 7219d83420..b569270f84 100644
|
|||
# define SSL_TXT_ARIA "ARIA"
|
||||
# define SSL_TXT_ARIA_GCM "ARIAGCM"
|
||||
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
|
||||
index 4db2b6a0db..5b07fb3cba 100644
|
||||
index f587f2a488..37ea3bdca4 100644
|
||||
--- a/include/openssl/tls1.h
|
||||
+++ b/include/openssl/tls1.h
|
||||
@@ -567,7 +567,12 @@ __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
|
||||
|
@ -372,7 +372,7 @@ index 4db2b6a0db..5b07fb3cba 100644
|
|||
# define TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 "ECDHE-ECDSA-CHACHA20-POLY1305"
|
||||
# define TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305 "DHE-RSA-CHACHA20-POLY1305"
|
||||
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
|
||||
index 3238fd9b7e..c281fed428 100644
|
||||
index d23f932ce9..b02cc2d895 100644
|
||||
--- a/ssl/s3_lib.c
|
||||
+++ b/ssl/s3_lib.c
|
||||
@@ -2083,6 +2083,54 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
|
@ -431,7 +431,7 @@ index 3238fd9b7e..c281fed428 100644
|
|||
1,
|
||||
TLS1_TXT_PSK_WITH_CHACHA20_POLY1305,
|
||||
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
|
||||
index 6cb8b33b5b..d94adfc6a2 100644
|
||||
index e427c407fc..0eb10f35b1 100644
|
||||
--- a/ssl/ssl_ciph.c
|
||||
+++ b/ssl/ssl_ciph.c
|
||||
@@ -44,7 +44,8 @@
|
||||
|
@ -460,7 +460,7 @@ index 6cb8b33b5b..d94adfc6a2 100644
|
|||
|
||||
{0, SSL_TXT_ARIA, NULL, 0, 0, 0, SSL_ARIA},
|
||||
{0, SSL_TXT_ARIA_GCM, NULL, 0, 0, 0, SSL_ARIA128GCM | SSL_ARIA256GCM},
|
||||
@@ -1798,6 +1801,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
|
||||
@@ -1799,6 +1802,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
|
||||
case SSL_CHACHA20POLY1305:
|
||||
enc = "CHACHA20/POLY1305(256)";
|
||||
break;
|
||||
|
@ -470,7 +470,7 @@ index 6cb8b33b5b..d94adfc6a2 100644
|
|||
default:
|
||||
enc = "unknown";
|
||||
break;
|
||||
@@ -2122,7 +2128,7 @@ int ssl_cipher_get_overhead(const SSL_CIPHER *c, size_t *mac_overhead,
|
||||
@@ -2123,7 +2129,7 @@ int ssl_cipher_get_overhead(const SSL_CIPHER *c, size_t *mac_overhead,
|
||||
out = EVP_CCM_TLS_EXPLICIT_IV_LEN + 16;
|
||||
} else if (c->algorithm_enc & (SSL_AES128CCM8 | SSL_AES256CCM8)) {
|
||||
out = EVP_CCM_TLS_EXPLICIT_IV_LEN + 8;
|
||||
|
@ -480,7 +480,7 @@ index 6cb8b33b5b..d94adfc6a2 100644
|
|||
} else if (c->algorithm_mac & SSL_AEAD) {
|
||||
/* We're supposed to have handled all the AEAD modes above */
|
||||
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
|
||||
index a61987f327..898932910f 100644
|
||||
index b66979b4da..195267cb5e 100644
|
||||
--- a/ssl/ssl_locl.h
|
||||
+++ b/ssl/ssl_locl.h
|
||||
@@ -234,12 +234,13 @@
|
||||
|
@ -499,11 +499,11 @@ index a61987f327..898932910f 100644
|
|||
# define SSL_ARIA (SSL_ARIAGCM)
|
||||
|
||||
diff --git a/util/libcrypto.num b/util/libcrypto.num
|
||||
index 766c735b2f..c41dd36456 100644
|
||||
index e5c869af44..e50f80c2d1 100644
|
||||
--- a/util/libcrypto.num
|
||||
+++ b/util/libcrypto.num
|
||||
@@ -4833,3 +4833,4 @@ BN_CTX_new_ex 4777 3_0_0 EXIST::FUNCTION:
|
||||
BN_CTX_secure_new_ex 4778 3_0_0 EXIST::FUNCTION:
|
||||
OPENSSL_thread_stop_ex 4779 3_0_0 EXIST::FUNCTION:
|
||||
OSSL_PARAM_locate_const 4780 3_0_0 EXIST::FUNCTION:
|
||||
+EVP_chacha20_poly1305_draft 4781 3_0_0 EXIST::FUNCTION:CHACHA,POLY1305
|
||||
@@ -4752,3 +4752,4 @@ EVP_PKEY_CTX_get_signature_md 4868 3_0_0 EXIST::FUNCTION:
|
||||
EVP_PKEY_CTX_get_params 4869 3_0_0 EXIST::FUNCTION:
|
||||
EVP_PKEY_CTX_gettable_params 4870 3_0_0 EXIST::FUNCTION:
|
||||
EVP_PKEY_CTX_settable_params 4871 3_0_0 EXIST::FUNCTION:
|
||||
+EVP_chacha20_poly1305_draft 4872 3_0_0 EXIST::FUNCTION:CHACHA,POLY1305
|
||||
|
|
|
@ -46,10 +46,10 @@ index 6724ccf2d2..81a5538977 100644
|
|||
/*
|
||||
* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
|
||||
diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h
|
||||
index a50a075b42..e9abb98d4f 100644
|
||||
index 3d6850dea3..a3ab4b925f 100644
|
||||
--- a/include/openssl/sslerr.h
|
||||
+++ b/include/openssl/sslerr.h
|
||||
@@ -596,6 +596,8 @@ int ERR_load_SSL_strings(void);
|
||||
@@ -600,6 +600,8 @@ int ERR_load_SSL_strings(void);
|
||||
# define SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION 209
|
||||
# define SSL_R_MISSING_TMP_DH_KEY 171
|
||||
# define SSL_R_MISSING_TMP_ECDH_KEY 311
|
||||
|
@ -58,7 +58,7 @@ index a50a075b42..e9abb98d4f 100644
|
|||
# define SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA 293
|
||||
# define SSL_R_NOT_ON_RECORD_BOUNDARY 182
|
||||
# define SSL_R_NOT_REPLACING_CERTIFICATE 289
|
||||
@@ -727,9 +729,11 @@ int ERR_load_SSL_strings(void);
|
||||
@@ -731,9 +733,11 @@ int ERR_load_SSL_strings(void);
|
||||
# define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 239
|
||||
# define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 242
|
||||
# define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 243
|
||||
|
@ -71,7 +71,7 @@ index a50a075b42..e9abb98d4f 100644
|
|||
# define SSL_R_UNINITIALIZED 276
|
||||
# define SSL_R_UNKNOWN_ALERT_TYPE 246
|
||||
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
|
||||
index d7dbf99954..7abac4dda1 100644
|
||||
index 066bf47221..517eda6630 100644
|
||||
--- a/ssl/s3_lib.c
|
||||
+++ b/ssl/s3_lib.c
|
||||
@@ -167,7 +167,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
|
@ -101,7 +101,7 @@ index d7dbf99954..7abac4dda1 100644
|
|||
DTLS1_BAD_VER, DTLS1_2_VERSION,
|
||||
SSL_HIGH | SSL_FIPS,
|
||||
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
|
||||
@@ -4123,6 +4123,17 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
|
||||
@@ -4124,6 +4124,17 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
@ -119,7 +119,7 @@ index d7dbf99954..7abac4dda1 100644
|
|||
/*
|
||||
* ssl3_choose_cipher - choose a cipher from those offered by the client
|
||||
* @s: SSL connection
|
||||
@@ -4132,16 +4143,24 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
|
||||
@@ -4133,16 +4144,24 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
|
||||
* Returns the selected cipher or NULL when no common ciphers.
|
||||
*/
|
||||
const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
|
@ -150,7 +150,7 @@ index d7dbf99954..7abac4dda1 100644
|
|||
|
||||
/* Let's see which ciphers we can support */
|
||||
|
||||
@@ -4168,54 +4187,13 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
@@ -4169,54 +4188,13 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
#endif
|
||||
|
||||
/* SUITE-B takes precedence over server preference and ChaCha priortiy */
|
||||
|
@ -208,7 +208,7 @@ index d7dbf99954..7abac4dda1 100644
|
|||
allow = srvr;
|
||||
}
|
||||
|
||||
@@ -4246,14 +4224,16 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
@@ -4247,14 +4225,16 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
|
||||
c = sk_SSL_CIPHER_value(prio, i);
|
||||
|
||||
|
@ -227,7 +227,7 @@ index d7dbf99954..7abac4dda1 100644
|
|||
|
||||
/*
|
||||
* Since TLS 1.3 ciphersuites can be used with any auth or
|
||||
@@ -4275,10 +4255,10 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
@@ -4276,10 +4256,10 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
#ifndef OPENSSL_NO_PSK
|
||||
/* with PSK there must be server callback set */
|
||||
if ((alg_k & SSL_PSK) && s->psk_server_callback == NULL)
|
||||
|
@ -240,7 +240,7 @@ index d7dbf99954..7abac4dda1 100644
|
|||
#ifdef CIPHER_DEBUG
|
||||
fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", ok, alg_k,
|
||||
alg_a, mask_k, mask_a, (void *)c, c->name);
|
||||
@@ -4295,6 +4275,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
@@ -4296,6 +4276,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
|
||||
if (!ok)
|
||||
continue;
|
||||
|
@ -255,7 +255,7 @@ index d7dbf99954..7abac4dda1 100644
|
|||
}
|
||||
ii = sk_SSL_CIPHER_find(allow, c);
|
||||
if (ii >= 0) {
|
||||
@@ -4302,14 +4290,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
@@ -4303,14 +4291,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED,
|
||||
c->strength_bits, 0, (void *)c))
|
||||
continue;
|
||||
|
@ -271,7 +271,7 @@ index d7dbf99954..7abac4dda1 100644
|
|||
if (prefer_sha256) {
|
||||
const SSL_CIPHER *tmp = sk_SSL_CIPHER_value(allow, ii);
|
||||
|
||||
@@ -4321,13 +4302,38 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
@@ -4322,13 +4303,38 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
ret = tmp;
|
||||
continue;
|
||||
}
|
||||
|
@ -315,7 +315,7 @@ index d7dbf99954..7abac4dda1 100644
|
|||
}
|
||||
|
||||
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
|
||||
index b60d67aa0d..4607b776de 100644
|
||||
index 27a1b2ec68..dffc0623b6 100644
|
||||
--- a/ssl/ssl_ciph.c
|
||||
+++ b/ssl/ssl_ciph.c
|
||||
@@ -192,6 +192,7 @@ typedef struct cipher_order_st {
|
||||
|
@ -501,25 +501,35 @@ index b60d67aa0d..4607b776de 100644
|
|||
return retval;
|
||||
}
|
||||
|
||||
@@ -1379,7 +1437,7 @@ int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str)
|
||||
@@ -1377,8 +1435,8 @@ int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str)
|
||||
{
|
||||
int ret = set_ciphersuites(&(ctx->tls13_ciphersuites), str);
|
||||
|
||||
if (ret && ctx->cipher_list != NULL) {
|
||||
/* We already have a cipher_list, so we need to update it */
|
||||
- if (ret && ctx->cipher_list != NULL)
|
||||
- return update_cipher_list(&ctx->cipher_list, &ctx->cipher_list_by_id,
|
||||
+ if (ret && ctx->cipher_list->ciphers != NULL)
|
||||
+ return update_cipher_list(&ctx->cipher_list->ciphers, &ctx->cipher_list_by_id,
|
||||
ctx->tls13_ciphersuites);
|
||||
|
||||
return ret;
|
||||
@@ -1389,12 +1447,12 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
|
||||
STACK_OF(SSL_CIPHER) *cipher_list;
|
||||
int ret = set_ciphersuites(&(s->tls13_ciphersuites), str);
|
||||
|
||||
- if (s->cipher_list == NULL) {
|
||||
+ if (s->cipher_list->ciphers == NULL) {
|
||||
if ((cipher_list = SSL_get_ciphers(s)) != NULL)
|
||||
- s->cipher_list = sk_SSL_CIPHER_dup(cipher_list);
|
||||
+ s->cipher_list->ciphers = sk_SSL_CIPHER_dup(cipher_list);
|
||||
}
|
||||
|
||||
@@ -1392,7 +1450,7 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
|
||||
|
||||
if (ret && s->cipher_list != NULL) {
|
||||
/* We already have a cipher_list, so we need to update it */
|
||||
- if (ret && s->cipher_list != NULL)
|
||||
- return update_cipher_list(&s->cipher_list, &s->cipher_list_by_id,
|
||||
+ if (ret && s->cipher_list->ciphers != NULL)
|
||||
+ return update_cipher_list(&s->cipher_list->ciphers, &s->cipher_list_by_id,
|
||||
s->tls13_ciphersuites);
|
||||
}
|
||||
|
||||
@@ -1401,17 +1459,20 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
|
||||
return ret;
|
||||
@@ -1402,17 +1460,20 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
|
||||
|
||||
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
|
||||
|
@ -544,7 +554,7 @@ index b60d67aa0d..4607b776de 100644
|
|||
|
||||
/*
|
||||
* Return with error if nothing to do.
|
||||
@@ -1460,16 +1521,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
@@ -1461,16 +1522,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
* preference).
|
||||
*/
|
||||
ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, 0, 0, 0, 0, CIPHER_ADD,
|
||||
|
@ -568,7 +578,7 @@ index b60d67aa0d..4607b776de 100644
|
|||
&head, &tail);
|
||||
|
||||
/*
|
||||
@@ -1478,13 +1539,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
@@ -1479,13 +1540,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
* strength.
|
||||
*/
|
||||
ssl_cipher_apply_rule(0, 0, 0, SSL_AES ^ SSL_AESGCM, 0, 0, 0, CIPHER_ADD,
|
||||
|
@ -585,7 +595,7 @@ index b60d67aa0d..4607b776de 100644
|
|||
&tail);
|
||||
|
||||
/*
|
||||
@@ -1492,16 +1553,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
@@ -1493,16 +1554,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
* disabled. (For applications that allow them, they aren't too bad, but
|
||||
* we prefer authenticated ciphers.)
|
||||
*/
|
||||
|
@ -606,7 +616,7 @@ index b60d67aa0d..4607b776de 100644
|
|||
&tail);
|
||||
|
||||
/*
|
||||
@@ -1517,7 +1578,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
@@ -1518,7 +1579,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
* Partially overrule strength sort to prefer TLS 1.2 ciphers/PRFs.
|
||||
* TODO(openssl-team): is there an easier way to accomplish all this?
|
||||
*/
|
||||
|
@ -615,7 +625,7 @@ index b60d67aa0d..4607b776de 100644
|
|||
&head, &tail);
|
||||
|
||||
/*
|
||||
@@ -1533,15 +1594,15 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
@@ -1534,15 +1595,15 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
* Because we now bump ciphers to the top of the list, we proceed in
|
||||
* reverse order of preference.
|
||||
*/
|
||||
|
@ -635,7 +645,7 @@ index b60d67aa0d..4607b776de 100644
|
|||
|
||||
/*
|
||||
* We also need cipher aliases for selecting based on the rule_str.
|
||||
@@ -1555,9 +1616,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
@@ -1556,9 +1617,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
|
||||
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
|
||||
if (ca_list == NULL) {
|
||||
|
@ -646,7 +656,7 @@ index b60d67aa0d..4607b776de 100644
|
|||
}
|
||||
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
|
||||
disabled_mkey, disabled_auth, disabled_enc,
|
||||
@@ -1582,27 +1642,35 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
@@ -1583,27 +1643,35 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
|
||||
OPENSSL_free(ca_list); /* Not needed anymore */
|
||||
|
||||
|
@ -694,7 +704,7 @@ index b60d67aa0d..4607b776de 100644
|
|||
}
|
||||
|
||||
/*
|
||||
@@ -1611,26 +1679,50 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
@@ -1612,26 +1680,50 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
*/
|
||||
for (curr = head; curr != NULL; curr = curr->next) {
|
||||
if (curr->active) {
|
||||
|
@ -787,10 +797,10 @@ index 4b12ed1485..cd1a95d1d2 100644
|
|||
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},
|
||||
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_ALERT_TYPE), "unknown alert type"},
|
||||
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
|
||||
index 40ab87480d..78fcb80035 100644
|
||||
index ac820cf9fe..141308584c 100644
|
||||
--- a/ssl/ssl_lib.c
|
||||
+++ b/ssl/ssl_lib.c
|
||||
@@ -1117,6 +1117,71 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
|
||||
@@ -1122,6 +1122,71 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
|
||||
return X509_VERIFY_PARAM_set1(ssl->param, vpm);
|
||||
}
|
||||
|
||||
|
@ -862,7 +872,7 @@ index 40ab87480d..78fcb80035 100644
|
|||
X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx)
|
||||
{
|
||||
return ctx->param;
|
||||
@@ -1157,7 +1222,8 @@ void SSL_free(SSL *s)
|
||||
@@ -1162,7 +1227,8 @@ void SSL_free(SSL *s)
|
||||
BUF_MEM_free(s->init_buf);
|
||||
|
||||
/* add extra stuff */
|
||||
|
@ -872,7 +882,7 @@ index 40ab87480d..78fcb80035 100644
|
|||
sk_SSL_CIPHER_free(s->cipher_list_by_id);
|
||||
sk_SSL_CIPHER_free(s->tls13_ciphersuites);
|
||||
sk_SSL_CIPHER_free(s->peer_ciphers);
|
||||
@@ -2430,9 +2496,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
|
||||
@@ -2436,9 +2502,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
|
||||
{
|
||||
if (s != NULL) {
|
||||
if (s->cipher_list != NULL) {
|
||||
|
@ -884,7 +894,7 @@ index 40ab87480d..78fcb80035 100644
|
|||
}
|
||||
}
|
||||
return NULL;
|
||||
@@ -2506,8 +2572,8 @@ const char *SSL_get_cipher_list(const SSL *s, int n)
|
||||
@@ -2512,8 +2578,8 @@ const char *SSL_get_cipher_list(const SSL *s, int n)
|
||||
* preference */
|
||||
STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx)
|
||||
{
|
||||
|
@ -895,7 +905,7 @@ index 40ab87480d..78fcb80035 100644
|
|||
return NULL;
|
||||
}
|
||||
|
||||
@@ -2957,7 +3023,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
|
||||
@@ -2963,7 +3029,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
|
||||
ret->tls13_ciphersuites,
|
||||
&ret->cipher_list, &ret->cipher_list_by_id,
|
||||
SSL_DEFAULT_CIPHER_LIST, ret->cert)
|
||||
|
@ -904,7 +914,7 @@ index 40ab87480d..78fcb80035 100644
|
|||
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
|
||||
goto err2;
|
||||
}
|
||||
@@ -3133,7 +3199,7 @@ void SSL_CTX_free(SSL_CTX *a)
|
||||
@@ -3139,7 +3205,7 @@ void SSL_CTX_free(SSL_CTX *a)
|
||||
#ifndef OPENSSL_NO_CT
|
||||
CTLOG_STORE_free(a->ctlog_store);
|
||||
#endif
|
||||
|
@ -913,7 +923,7 @@ index 40ab87480d..78fcb80035 100644
|
|||
sk_SSL_CIPHER_free(a->cipher_list_by_id);
|
||||
sk_SSL_CIPHER_free(a->tls13_ciphersuites);
|
||||
ssl_cert_free(a->cert);
|
||||
@@ -3811,13 +3877,15 @@ SSL *SSL_dup(SSL *s)
|
||||
@@ -3817,13 +3883,15 @@ SSL *SSL_dup(SSL *s)
|
||||
|
||||
/* dup the cipher_list and cipher_list_by_id stacks */
|
||||
if (s->cipher_list != NULL) {
|
||||
|
@ -934,7 +944,7 @@ index 40ab87480d..78fcb80035 100644
|
|||
/* Dup the client_CA list */
|
||||
if (!dup_ca_names(&ret->ca_names, s->ca_names)
|
||||
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
|
||||
index fa0f6d018c..3ffc46efd9 100644
|
||||
index 25875c9f6d..23a6093580 100644
|
||||
--- a/ssl/ssl_locl.h
|
||||
+++ b/ssl/ssl_locl.h
|
||||
@@ -733,9 +733,46 @@ typedef struct ssl_ctx_ext_secure_st {
|
||||
|
@ -1027,7 +1037,7 @@ index fa0f6d018c..3ffc46efd9 100644
|
|||
__owur int ssl3_new(SSL *s);
|
||||
void ssl3_free(SSL *s);
|
||||
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
|
||||
index e7e95c74e7..543d00b1d0 100644
|
||||
index 8cf9c40d15..46391a7f05 100644
|
||||
--- a/ssl/statem/statem_srvr.c
|
||||
+++ b/ssl/statem/statem_srvr.c
|
||||
@@ -1748,7 +1748,7 @@ static int tls_early_post_process_client_hello(SSL *s)
|
||||
|
@ -1060,7 +1070,7 @@ index e7e95c74e7..543d00b1d0 100644
|
|||
sk_SSL_CIPHER_free(s->cipher_list_by_id);
|
||||
s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->peer_ciphers);
|
||||
}
|
||||
@@ -2253,7 +2254,7 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
|
||||
@@ -2251,7 +2252,7 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
|
||||
/* In TLSv1.3 we selected the ciphersuite before resumption */
|
||||
if (!SSL_IS_TLS13(s)) {
|
||||
cipher =
|
||||
|
|
|
@ -46,10 +46,10 @@ index 6724ccf2d2..81a5538977 100644
|
|||
/*
|
||||
* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
|
||||
diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h
|
||||
index a50a075b42..e9abb98d4f 100644
|
||||
index 3d6850dea3..a3ab4b925f 100644
|
||||
--- a/include/openssl/sslerr.h
|
||||
+++ b/include/openssl/sslerr.h
|
||||
@@ -596,6 +596,8 @@ int ERR_load_SSL_strings(void);
|
||||
@@ -600,6 +600,8 @@ int ERR_load_SSL_strings(void);
|
||||
# define SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION 209
|
||||
# define SSL_R_MISSING_TMP_DH_KEY 171
|
||||
# define SSL_R_MISSING_TMP_ECDH_KEY 311
|
||||
|
@ -58,7 +58,7 @@ index a50a075b42..e9abb98d4f 100644
|
|||
# define SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA 293
|
||||
# define SSL_R_NOT_ON_RECORD_BOUNDARY 182
|
||||
# define SSL_R_NOT_REPLACING_CERTIFICATE 289
|
||||
@@ -727,9 +729,11 @@ int ERR_load_SSL_strings(void);
|
||||
@@ -731,9 +733,11 @@ int ERR_load_SSL_strings(void);
|
||||
# define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 239
|
||||
# define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 242
|
||||
# define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 243
|
||||
|
@ -71,7 +71,7 @@ index a50a075b42..e9abb98d4f 100644
|
|||
# define SSL_R_UNINITIALIZED 276
|
||||
# define SSL_R_UNKNOWN_ALERT_TYPE 246
|
||||
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
|
||||
index d7dbf99954..da73406940 100644
|
||||
index 066bf47221..28d8887f97 100644
|
||||
--- a/ssl/s3_lib.c
|
||||
+++ b/ssl/s3_lib.c
|
||||
@@ -31,7 +31,25 @@ const unsigned char tls12downgrade[] = {
|
||||
|
@ -177,7 +177,7 @@ index d7dbf99954..da73406940 100644
|
|||
DTLS1_BAD_VER, DTLS1_2_VERSION,
|
||||
SSL_HIGH | SSL_FIPS,
|
||||
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
|
||||
@@ -4123,6 +4129,17 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
|
||||
@@ -4124,6 +4130,17 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
@ -195,7 +195,7 @@ index d7dbf99954..da73406940 100644
|
|||
/*
|
||||
* ssl3_choose_cipher - choose a cipher from those offered by the client
|
||||
* @s: SSL connection
|
||||
@@ -4132,16 +4149,24 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
|
||||
@@ -4133,16 +4150,24 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
|
||||
* Returns the selected cipher or NULL when no common ciphers.
|
||||
*/
|
||||
const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
|
@ -226,7 +226,7 @@ index d7dbf99954..da73406940 100644
|
|||
|
||||
/* Let's see which ciphers we can support */
|
||||
|
||||
@@ -4168,54 +4193,13 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
@@ -4169,54 +4194,13 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
#endif
|
||||
|
||||
/* SUITE-B takes precedence over server preference and ChaCha priortiy */
|
||||
|
@ -284,7 +284,7 @@ index d7dbf99954..da73406940 100644
|
|||
allow = srvr;
|
||||
}
|
||||
|
||||
@@ -4246,14 +4230,16 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
@@ -4247,14 +4231,16 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
|
||||
c = sk_SSL_CIPHER_value(prio, i);
|
||||
|
||||
|
@ -303,7 +303,7 @@ index d7dbf99954..da73406940 100644
|
|||
|
||||
/*
|
||||
* Since TLS 1.3 ciphersuites can be used with any auth or
|
||||
@@ -4275,10 +4261,10 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
@@ -4276,10 +4262,10 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
#ifndef OPENSSL_NO_PSK
|
||||
/* with PSK there must be server callback set */
|
||||
if ((alg_k & SSL_PSK) && s->psk_server_callback == NULL)
|
||||
|
@ -316,7 +316,7 @@ index d7dbf99954..da73406940 100644
|
|||
#ifdef CIPHER_DEBUG
|
||||
fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", ok, alg_k,
|
||||
alg_a, mask_k, mask_a, (void *)c, c->name);
|
||||
@@ -4295,6 +4281,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
@@ -4296,6 +4282,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
|
||||
if (!ok)
|
||||
continue;
|
||||
|
@ -331,7 +331,7 @@ index d7dbf99954..da73406940 100644
|
|||
}
|
||||
ii = sk_SSL_CIPHER_find(allow, c);
|
||||
if (ii >= 0) {
|
||||
@@ -4302,14 +4296,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
@@ -4303,14 +4297,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED,
|
||||
c->strength_bits, 0, (void *)c))
|
||||
continue;
|
||||
|
@ -347,7 +347,7 @@ index d7dbf99954..da73406940 100644
|
|||
if (prefer_sha256) {
|
||||
const SSL_CIPHER *tmp = sk_SSL_CIPHER_value(allow, ii);
|
||||
|
||||
@@ -4321,13 +4308,38 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
@@ -4322,13 +4309,38 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
ret = tmp;
|
||||
continue;
|
||||
}
|
||||
|
@ -391,7 +391,7 @@ index d7dbf99954..da73406940 100644
|
|||
}
|
||||
|
||||
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
|
||||
index b60d67aa0d..4607b776de 100644
|
||||
index 27a1b2ec68..dffc0623b6 100644
|
||||
--- a/ssl/ssl_ciph.c
|
||||
+++ b/ssl/ssl_ciph.c
|
||||
@@ -192,6 +192,7 @@ typedef struct cipher_order_st {
|
||||
|
@ -577,25 +577,35 @@ index b60d67aa0d..4607b776de 100644
|
|||
return retval;
|
||||
}
|
||||
|
||||
@@ -1379,7 +1437,7 @@ int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str)
|
||||
@@ -1377,8 +1435,8 @@ int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str)
|
||||
{
|
||||
int ret = set_ciphersuites(&(ctx->tls13_ciphersuites), str);
|
||||
|
||||
if (ret && ctx->cipher_list != NULL) {
|
||||
/* We already have a cipher_list, so we need to update it */
|
||||
- if (ret && ctx->cipher_list != NULL)
|
||||
- return update_cipher_list(&ctx->cipher_list, &ctx->cipher_list_by_id,
|
||||
+ if (ret && ctx->cipher_list->ciphers != NULL)
|
||||
+ return update_cipher_list(&ctx->cipher_list->ciphers, &ctx->cipher_list_by_id,
|
||||
ctx->tls13_ciphersuites);
|
||||
|
||||
return ret;
|
||||
@@ -1389,12 +1447,12 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
|
||||
STACK_OF(SSL_CIPHER) *cipher_list;
|
||||
int ret = set_ciphersuites(&(s->tls13_ciphersuites), str);
|
||||
|
||||
- if (s->cipher_list == NULL) {
|
||||
+ if (s->cipher_list->ciphers == NULL) {
|
||||
if ((cipher_list = SSL_get_ciphers(s)) != NULL)
|
||||
- s->cipher_list = sk_SSL_CIPHER_dup(cipher_list);
|
||||
+ s->cipher_list->ciphers = sk_SSL_CIPHER_dup(cipher_list);
|
||||
}
|
||||
|
||||
@@ -1392,7 +1450,7 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
|
||||
|
||||
if (ret && s->cipher_list != NULL) {
|
||||
/* We already have a cipher_list, so we need to update it */
|
||||
- if (ret && s->cipher_list != NULL)
|
||||
- return update_cipher_list(&s->cipher_list, &s->cipher_list_by_id,
|
||||
+ if (ret && s->cipher_list->ciphers != NULL)
|
||||
+ return update_cipher_list(&s->cipher_list->ciphers, &s->cipher_list_by_id,
|
||||
s->tls13_ciphersuites);
|
||||
}
|
||||
|
||||
@@ -1401,17 +1459,20 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
|
||||
return ret;
|
||||
@@ -1402,17 +1460,20 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
|
||||
|
||||
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
|
||||
|
@ -620,7 +630,7 @@ index b60d67aa0d..4607b776de 100644
|
|||
|
||||
/*
|
||||
* Return with error if nothing to do.
|
||||
@@ -1460,16 +1521,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
@@ -1461,16 +1522,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
* preference).
|
||||
*/
|
||||
ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, 0, 0, 0, 0, CIPHER_ADD,
|
||||
|
@ -644,7 +654,7 @@ index b60d67aa0d..4607b776de 100644
|
|||
&head, &tail);
|
||||
|
||||
/*
|
||||
@@ -1478,13 +1539,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
@@ -1479,13 +1540,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
* strength.
|
||||
*/
|
||||
ssl_cipher_apply_rule(0, 0, 0, SSL_AES ^ SSL_AESGCM, 0, 0, 0, CIPHER_ADD,
|
||||
|
@ -661,7 +671,7 @@ index b60d67aa0d..4607b776de 100644
|
|||
&tail);
|
||||
|
||||
/*
|
||||
@@ -1492,16 +1553,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
@@ -1493,16 +1554,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
* disabled. (For applications that allow them, they aren't too bad, but
|
||||
* we prefer authenticated ciphers.)
|
||||
*/
|
||||
|
@ -682,7 +692,7 @@ index b60d67aa0d..4607b776de 100644
|
|||
&tail);
|
||||
|
||||
/*
|
||||
@@ -1517,7 +1578,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
@@ -1518,7 +1579,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
* Partially overrule strength sort to prefer TLS 1.2 ciphers/PRFs.
|
||||
* TODO(openssl-team): is there an easier way to accomplish all this?
|
||||
*/
|
||||
|
@ -691,7 +701,7 @@ index b60d67aa0d..4607b776de 100644
|
|||
&head, &tail);
|
||||
|
||||
/*
|
||||
@@ -1533,15 +1594,15 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
@@ -1534,15 +1595,15 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
* Because we now bump ciphers to the top of the list, we proceed in
|
||||
* reverse order of preference.
|
||||
*/
|
||||
|
@ -711,7 +721,7 @@ index b60d67aa0d..4607b776de 100644
|
|||
|
||||
/*
|
||||
* We also need cipher aliases for selecting based on the rule_str.
|
||||
@@ -1555,9 +1616,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
@@ -1556,9 +1617,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
|
||||
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
|
||||
if (ca_list == NULL) {
|
||||
|
@ -722,7 +732,7 @@ index b60d67aa0d..4607b776de 100644
|
|||
}
|
||||
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
|
||||
disabled_mkey, disabled_auth, disabled_enc,
|
||||
@@ -1582,27 +1642,35 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
@@ -1583,27 +1643,35 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
|
||||
OPENSSL_free(ca_list); /* Not needed anymore */
|
||||
|
||||
|
@ -770,7 +780,7 @@ index b60d67aa0d..4607b776de 100644
|
|||
}
|
||||
|
||||
/*
|
||||
@@ -1611,26 +1679,50 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
@@ -1612,26 +1680,50 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
*/
|
||||
for (curr = head; curr != NULL; curr = curr->next) {
|
||||
if (curr->active) {
|
||||
|
@ -863,10 +873,10 @@ index 4b12ed1485..cd1a95d1d2 100644
|
|||
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},
|
||||
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_ALERT_TYPE), "unknown alert type"},
|
||||
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
|
||||
index 40ab87480d..78fcb80035 100644
|
||||
index ac820cf9fe..141308584c 100644
|
||||
--- a/ssl/ssl_lib.c
|
||||
+++ b/ssl/ssl_lib.c
|
||||
@@ -1117,6 +1117,71 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
|
||||
@@ -1122,6 +1122,71 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
|
||||
return X509_VERIFY_PARAM_set1(ssl->param, vpm);
|
||||
}
|
||||
|
||||
|
@ -938,7 +948,7 @@ index 40ab87480d..78fcb80035 100644
|
|||
X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx)
|
||||
{
|
||||
return ctx->param;
|
||||
@@ -1157,7 +1222,8 @@ void SSL_free(SSL *s)
|
||||
@@ -1162,7 +1227,8 @@ void SSL_free(SSL *s)
|
||||
BUF_MEM_free(s->init_buf);
|
||||
|
||||
/* add extra stuff */
|
||||
|
@ -948,7 +958,7 @@ index 40ab87480d..78fcb80035 100644
|
|||
sk_SSL_CIPHER_free(s->cipher_list_by_id);
|
||||
sk_SSL_CIPHER_free(s->tls13_ciphersuites);
|
||||
sk_SSL_CIPHER_free(s->peer_ciphers);
|
||||
@@ -2430,9 +2496,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
|
||||
@@ -2436,9 +2502,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
|
||||
{
|
||||
if (s != NULL) {
|
||||
if (s->cipher_list != NULL) {
|
||||
|
@ -960,7 +970,7 @@ index 40ab87480d..78fcb80035 100644
|
|||
}
|
||||
}
|
||||
return NULL;
|
||||
@@ -2506,8 +2572,8 @@ const char *SSL_get_cipher_list(const SSL *s, int n)
|
||||
@@ -2512,8 +2578,8 @@ const char *SSL_get_cipher_list(const SSL *s, int n)
|
||||
* preference */
|
||||
STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx)
|
||||
{
|
||||
|
@ -971,7 +981,7 @@ index 40ab87480d..78fcb80035 100644
|
|||
return NULL;
|
||||
}
|
||||
|
||||
@@ -2957,7 +3023,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
|
||||
@@ -2963,7 +3029,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
|
||||
ret->tls13_ciphersuites,
|
||||
&ret->cipher_list, &ret->cipher_list_by_id,
|
||||
SSL_DEFAULT_CIPHER_LIST, ret->cert)
|
||||
|
@ -980,7 +990,7 @@ index 40ab87480d..78fcb80035 100644
|
|||
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
|
||||
goto err2;
|
||||
}
|
||||
@@ -3133,7 +3199,7 @@ void SSL_CTX_free(SSL_CTX *a)
|
||||
@@ -3139,7 +3205,7 @@ void SSL_CTX_free(SSL_CTX *a)
|
||||
#ifndef OPENSSL_NO_CT
|
||||
CTLOG_STORE_free(a->ctlog_store);
|
||||
#endif
|
||||
|
@ -989,7 +999,7 @@ index 40ab87480d..78fcb80035 100644
|
|||
sk_SSL_CIPHER_free(a->cipher_list_by_id);
|
||||
sk_SSL_CIPHER_free(a->tls13_ciphersuites);
|
||||
ssl_cert_free(a->cert);
|
||||
@@ -3811,13 +3877,15 @@ SSL *SSL_dup(SSL *s)
|
||||
@@ -3817,13 +3883,15 @@ SSL *SSL_dup(SSL *s)
|
||||
|
||||
/* dup the cipher_list and cipher_list_by_id stacks */
|
||||
if (s->cipher_list != NULL) {
|
||||
|
@ -1010,7 +1020,7 @@ index 40ab87480d..78fcb80035 100644
|
|||
/* Dup the client_CA list */
|
||||
if (!dup_ca_names(&ret->ca_names, s->ca_names)
|
||||
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
|
||||
index fa0f6d018c..3ffc46efd9 100644
|
||||
index 25875c9f6d..23a6093580 100644
|
||||
--- a/ssl/ssl_locl.h
|
||||
+++ b/ssl/ssl_locl.h
|
||||
@@ -733,9 +733,46 @@ typedef struct ssl_ctx_ext_secure_st {
|
||||
|
@ -1103,7 +1113,7 @@ index fa0f6d018c..3ffc46efd9 100644
|
|||
__owur int ssl3_new(SSL *s);
|
||||
void ssl3_free(SSL *s);
|
||||
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
|
||||
index e7e95c74e7..543d00b1d0 100644
|
||||
index 8cf9c40d15..46391a7f05 100644
|
||||
--- a/ssl/statem/statem_srvr.c
|
||||
+++ b/ssl/statem/statem_srvr.c
|
||||
@@ -1748,7 +1748,7 @@ static int tls_early_post_process_client_hello(SSL *s)
|
||||
|
@ -1136,7 +1146,7 @@ index e7e95c74e7..543d00b1d0 100644
|
|||
sk_SSL_CIPHER_free(s->cipher_list_by_id);
|
||||
s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->peer_ciphers);
|
||||
}
|
||||
@@ -2253,7 +2254,7 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
|
||||
@@ -2251,7 +2252,7 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
|
||||
/* In TLSv1.3 we selected the ciphersuite before resumption */
|
||||
if (!SSL_IS_TLS13(s)) {
|
||||
cipher =
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
|
||||
index 23c0ddae4f..f1663dec44 100644
|
||||
index f74659c599..159fcea0b1 100644
|
||||
--- a/crypto/err/openssl.txt
|
||||
+++ b/crypto/err/openssl.txt
|
||||
@@ -2943,6 +2943,8 @@ SSL_R_MISSING_TMP_DH_KEY:171:missing tmp dh key
|
||||
@@ -2998,6 +2998,8 @@ SSL_R_MISSING_TMP_DH_KEY:171:missing tmp dh key
|
||||
SSL_R_MISSING_TMP_ECDH_KEY:311:missing tmp ecdh key
|
||||
SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA:293:\
|
||||
mixed handshake and non handshake data
|
||||
|
@ -11,7 +11,7 @@ index 23c0ddae4f..f1663dec44 100644
|
|||
SSL_R_NOT_ON_RECORD_BOUNDARY:182:not on record boundary
|
||||
SSL_R_NOT_REPLACING_CERTIFICATE:289:not replacing certificate
|
||||
SSL_R_NOT_SERVER:284:not server
|
||||
@@ -3049,7 +3051,9 @@ SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES:242:unable to load ssl3 md5 routines
|
||||
@@ -3104,7 +3106,9 @@ SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES:242:unable to load ssl3 md5 routines
|
||||
SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES:243:unable to load ssl3 sha1 routines
|
||||
SSL_R_UNEXPECTED_CCS_MESSAGE:262:unexpected ccs message
|
||||
SSL_R_UNEXPECTED_END_OF_EARLY_DATA:178:unexpected end of early data
|
||||
|
@ -21,11 +21,11 @@ index 23c0ddae4f..f1663dec44 100644
|
|||
SSL_R_UNEXPECTED_RECORD:245:unexpected record
|
||||
SSL_R_UNINITIALIZED:276:uninitialized
|
||||
SSL_R_UNKNOWN_ALERT_TYPE:246:unknown alert type
|
||||
diff --git a/doc/man1/ciphers.pod b/doc/man1/ciphers.pod
|
||||
index e29c5d7ced..7d795c390e 100644
|
||||
--- a/doc/man1/ciphers.pod
|
||||
+++ b/doc/man1/ciphers.pod
|
||||
@@ -400,6 +400,21 @@ permissible.
|
||||
diff --git a/doc/man1/openssl-ciphers.pod b/doc/man1/openssl-ciphers.pod
|
||||
index 7e498333c6..1d4e0a894e 100644
|
||||
--- a/doc/man1/openssl-ciphers.pod
|
||||
+++ b/doc/man1/openssl-ciphers.pod
|
||||
@@ -399,6 +399,21 @@ permissible.
|
||||
|
||||
=back
|
||||
|
||||
|
@ -48,10 +48,10 @@ index e29c5d7ced..7d795c390e 100644
|
|||
|
||||
The following lists give the SSL or TLS cipher suites names from the
|
||||
diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h
|
||||
index 385fda37a4..ece73c495c 100644
|
||||
index d8d3cea5d8..d260e0bcde 100644
|
||||
--- a/include/openssl/sslerr.h
|
||||
+++ b/include/openssl/sslerr.h
|
||||
@@ -601,6 +601,8 @@ int ERR_load_SSL_strings(void);
|
||||
@@ -603,6 +603,8 @@ int ERR_load_SSL_strings(void);
|
||||
# define SSL_R_MISSING_TMP_DH_KEY 171
|
||||
# define SSL_R_MISSING_TMP_ECDH_KEY 311
|
||||
# define SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA 293
|
||||
|
@ -60,7 +60,7 @@ index 385fda37a4..ece73c495c 100644
|
|||
# define SSL_R_NOT_ON_RECORD_BOUNDARY 182
|
||||
# define SSL_R_NOT_REPLACING_CERTIFICATE 289
|
||||
# define SSL_R_NOT_SERVER 284
|
||||
@@ -731,7 +733,9 @@ int ERR_load_SSL_strings(void);
|
||||
@@ -733,7 +735,9 @@ int ERR_load_SSL_strings(void);
|
||||
# define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 243
|
||||
# define SSL_R_UNEXPECTED_CCS_MESSAGE 262
|
||||
# define SSL_R_UNEXPECTED_END_OF_EARLY_DATA 178
|
||||
|
@ -71,7 +71,7 @@ index 385fda37a4..ece73c495c 100644
|
|||
# define SSL_R_UNINITIALIZED 276
|
||||
# define SSL_R_UNKNOWN_ALERT_TYPE 246
|
||||
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
|
||||
index 3238fd9b7e..3bcb63886b 100644
|
||||
index d23f932ce9..8ec4166c6d 100644
|
||||
--- a/ssl/s3_lib.c
|
||||
+++ b/ssl/s3_lib.c
|
||||
@@ -168,7 +168,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
|
@ -101,7 +101,7 @@ index 3238fd9b7e..3bcb63886b 100644
|
|||
DTLS1_BAD_VER, DTLS1_2_VERSION,
|
||||
SSL_HIGH | SSL_FIPS,
|
||||
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
|
||||
@@ -4110,6 +4110,17 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
|
||||
@@ -4111,6 +4111,17 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
@ -119,7 +119,7 @@ index 3238fd9b7e..3bcb63886b 100644
|
|||
/*
|
||||
* ssl3_choose_cipher - choose a cipher from those offered by the client
|
||||
* @s: SSL connection
|
||||
@@ -4119,16 +4130,24 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
|
||||
@@ -4120,16 +4131,24 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
|
||||
* Returns the selected cipher or NULL when no common ciphers.
|
||||
*/
|
||||
const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
|
@ -150,7 +150,7 @@ index 3238fd9b7e..3bcb63886b 100644
|
|||
|
||||
/* Let's see which ciphers we can support */
|
||||
|
||||
@@ -4155,54 +4174,13 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
@@ -4156,54 +4175,13 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
} OSSL_TRACE_END(TLS_CIPHER);
|
||||
|
||||
/* SUITE-B takes precedence over server preference and ChaCha priortiy */
|
||||
|
@ -208,7 +208,7 @@ index 3238fd9b7e..3bcb63886b 100644
|
|||
allow = srvr;
|
||||
}
|
||||
|
||||
@@ -4233,14 +4211,16 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
@@ -4234,14 +4212,16 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
|
||||
c = sk_SSL_CIPHER_value(prio, i);
|
||||
|
||||
|
@ -227,7 +227,7 @@ index 3238fd9b7e..3bcb63886b 100644
|
|||
|
||||
/*
|
||||
* Since TLS 1.3 ciphersuites can be used with any auth or
|
||||
@@ -4262,10 +4242,10 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
@@ -4263,10 +4243,10 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
#ifndef OPENSSL_NO_PSK
|
||||
/* with PSK there must be server callback set */
|
||||
if ((alg_k & SSL_PSK) && s->psk_server_callback == NULL)
|
||||
|
@ -240,7 +240,7 @@ index 3238fd9b7e..3bcb63886b 100644
|
|||
OSSL_TRACE7(TLS_CIPHER,
|
||||
"%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n",
|
||||
ok, alg_k, alg_a, mask_k, mask_a, (void *)c, c->name);
|
||||
@@ -4281,6 +4261,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
@@ -4282,6 +4262,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
|
||||
if (!ok)
|
||||
continue;
|
||||
|
@ -255,7 +255,7 @@ index 3238fd9b7e..3bcb63886b 100644
|
|||
}
|
||||
ii = sk_SSL_CIPHER_find(allow, c);
|
||||
if (ii >= 0) {
|
||||
@@ -4288,14 +4276,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
@@ -4289,14 +4277,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED,
|
||||
c->strength_bits, 0, (void *)c))
|
||||
continue;
|
||||
|
@ -271,7 +271,7 @@ index 3238fd9b7e..3bcb63886b 100644
|
|||
if (prefer_sha256) {
|
||||
const SSL_CIPHER *tmp = sk_SSL_CIPHER_value(allow, ii);
|
||||
|
||||
@@ -4307,13 +4288,38 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
@@ -4308,13 +4289,38 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
ret = tmp;
|
||||
continue;
|
||||
}
|
||||
|
@ -315,7 +315,7 @@ index 3238fd9b7e..3bcb63886b 100644
|
|||
}
|
||||
|
||||
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
|
||||
index 6cb8b33b5b..7cb418a0d6 100644
|
||||
index e427c407fc..f3eb8a6b9f 100644
|
||||
--- a/ssl/ssl_ciph.c
|
||||
+++ b/ssl/ssl_ciph.c
|
||||
@@ -193,6 +193,7 @@ typedef struct cipher_order_st {
|
||||
|
@ -518,25 +518,35 @@ index 6cb8b33b5b..7cb418a0d6 100644
|
|||
return retval;
|
||||
}
|
||||
|
||||
@@ -1382,7 +1441,7 @@ int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str)
|
||||
@@ -1380,8 +1439,8 @@ int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str)
|
||||
{
|
||||
int ret = set_ciphersuites(&(ctx->tls13_ciphersuites), str);
|
||||
|
||||
if (ret && ctx->cipher_list != NULL) {
|
||||
/* We already have a cipher_list, so we need to update it */
|
||||
- if (ret && ctx->cipher_list != NULL)
|
||||
- return update_cipher_list(&ctx->cipher_list, &ctx->cipher_list_by_id,
|
||||
+ if (ret && ctx->cipher_list->ciphers != NULL)
|
||||
+ return update_cipher_list(&ctx->cipher_list->ciphers, &ctx->cipher_list_by_id,
|
||||
ctx->tls13_ciphersuites);
|
||||
|
||||
return ret;
|
||||
@@ -1392,12 +1451,12 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
|
||||
STACK_OF(SSL_CIPHER) *cipher_list;
|
||||
int ret = set_ciphersuites(&(s->tls13_ciphersuites), str);
|
||||
|
||||
- if (s->cipher_list == NULL) {
|
||||
+ if (s->cipher_list->ciphers == NULL) {
|
||||
if ((cipher_list = SSL_get_ciphers(s)) != NULL)
|
||||
- s->cipher_list = sk_SSL_CIPHER_dup(cipher_list);
|
||||
+ s->cipher_list->ciphers = sk_SSL_CIPHER_dup(cipher_list);
|
||||
}
|
||||
|
||||
@@ -1395,7 +1454,7 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
|
||||
|
||||
if (ret && s->cipher_list != NULL) {
|
||||
/* We already have a cipher_list, so we need to update it */
|
||||
- if (ret && s->cipher_list != NULL)
|
||||
- return update_cipher_list(&s->cipher_list, &s->cipher_list_by_id,
|
||||
+ if (ret && s->cipher_list->ciphers != NULL)
|
||||
+ return update_cipher_list(&s->cipher_list->ciphers, &s->cipher_list_by_id,
|
||||
s->tls13_ciphersuites);
|
||||
}
|
||||
|
||||
@@ -1404,17 +1463,20 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
|
||||
return ret;
|
||||
@@ -1405,17 +1464,20 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
|
||||
|
||||
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
|
||||
|
@ -560,7 +570,7 @@ index 6cb8b33b5b..7cb418a0d6 100644
|
|||
|
||||
/*
|
||||
* Return with error if nothing to do.
|
||||
@@ -1463,16 +1525,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
@@ -1464,16 +1526,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
* preference).
|
||||
*/
|
||||
ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, 0, 0, 0, 0, CIPHER_ADD,
|
||||
|
@ -584,7 +594,7 @@ index 6cb8b33b5b..7cb418a0d6 100644
|
|||
&head, &tail);
|
||||
|
||||
/*
|
||||
@@ -1481,13 +1543,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
@@ -1482,13 +1544,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
* strength.
|
||||
*/
|
||||
ssl_cipher_apply_rule(0, 0, 0, SSL_AES ^ SSL_AESGCM, 0, 0, 0, CIPHER_ADD,
|
||||
|
@ -601,7 +611,7 @@ index 6cb8b33b5b..7cb418a0d6 100644
|
|||
&tail);
|
||||
|
||||
/*
|
||||
@@ -1495,16 +1557,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
@@ -1496,16 +1558,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
* disabled. (For applications that allow them, they aren't too bad, but
|
||||
* we prefer authenticated ciphers.)
|
||||
*/
|
||||
|
@ -622,7 +632,7 @@ index 6cb8b33b5b..7cb418a0d6 100644
|
|||
&tail);
|
||||
|
||||
/*
|
||||
@@ -1520,7 +1582,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
@@ -1521,7 +1583,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
* Partially overrule strength sort to prefer TLS 1.2 ciphers/PRFs.
|
||||
* TODO(openssl-team): is there an easier way to accomplish all this?
|
||||
*/
|
||||
|
@ -631,7 +641,7 @@ index 6cb8b33b5b..7cb418a0d6 100644
|
|||
&head, &tail);
|
||||
|
||||
/*
|
||||
@@ -1536,15 +1598,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
@@ -1537,15 +1599,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
* Because we now bump ciphers to the top of the list, we proceed in
|
||||
* reverse order of preference.
|
||||
*/
|
||||
|
@ -654,7 +664,7 @@ index 6cb8b33b5b..7cb418a0d6 100644
|
|||
|
||||
/*
|
||||
* We also need cipher aliases for selecting based on the rule_str.
|
||||
@@ -1558,9 +1623,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
@@ -1559,9 +1624,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
|
||||
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
|
||||
if (ca_list == NULL) {
|
||||
|
@ -665,7 +675,7 @@ index 6cb8b33b5b..7cb418a0d6 100644
|
|||
}
|
||||
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
|
||||
disabled_mkey, disabled_auth, disabled_enc,
|
||||
@@ -1585,28 +1649,19 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
@@ -1586,28 +1650,19 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
|
||||
OPENSSL_free(ca_list); /* Not needed anymore */
|
||||
|
||||
|
@ -701,7 +711,7 @@ index 6cb8b33b5b..7cb418a0d6 100644
|
|||
|
||||
OSSL_TRACE_BEGIN(TLS_CIPHER) {
|
||||
BIO_printf(trc_out, "cipher selection:\n");
|
||||
@@ -1618,26 +1673,51 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
@@ -1619,26 +1674,51 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
for (curr = head; curr != NULL; curr = curr->next) {
|
||||
if (curr->active) {
|
||||
if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
|
||||
|
@ -763,10 +773,10 @@ index 6cb8b33b5b..7cb418a0d6 100644
|
|||
|
||||
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
|
||||
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
|
||||
index daeee1ecc4..485f8b7eb5 100644
|
||||
index ef9b95a0c9..29a36730cc 100644
|
||||
--- a/ssl/ssl_err.c
|
||||
+++ b/ssl/ssl_err.c
|
||||
@@ -967,6 +967,9 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
|
||||
@@ -255,6 +255,9 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
|
||||
"missing tmp ecdh key"},
|
||||
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA),
|
||||
"mixed handshake and non handshake data"},
|
||||
|
@ -776,7 +786,7 @@ index daeee1ecc4..485f8b7eb5 100644
|
|||
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NOT_ON_RECORD_BOUNDARY),
|
||||
"not on record boundary"},
|
||||
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NOT_REPLACING_CERTIFICATE),
|
||||
@@ -1201,7 +1204,11 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
|
||||
@@ -489,7 +492,11 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
|
||||
"unexpected ccs message"},
|
||||
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_END_OF_EARLY_DATA),
|
||||
"unexpected end of early data"},
|
||||
|
@ -789,10 +799,10 @@ index daeee1ecc4..485f8b7eb5 100644
|
|||
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},
|
||||
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_ALERT_TYPE), "unknown alert type"},
|
||||
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
|
||||
index d15b743f50..0759bc639b 100644
|
||||
index 0d40ecaec9..1f1ed9b714 100644
|
||||
--- a/ssl/ssl_lib.c
|
||||
+++ b/ssl/ssl_lib.c
|
||||
@@ -1122,6 +1122,71 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
|
||||
@@ -1127,6 +1127,71 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
|
||||
return X509_VERIFY_PARAM_set1(ssl->param, vpm);
|
||||
}
|
||||
|
||||
|
@ -864,7 +874,7 @@ index d15b743f50..0759bc639b 100644
|
|||
X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx)
|
||||
{
|
||||
return ctx->param;
|
||||
@@ -1166,7 +1231,8 @@ void SSL_free(SSL *s)
|
||||
@@ -1171,7 +1236,8 @@ void SSL_free(SSL *s)
|
||||
BUF_MEM_free(s->init_buf);
|
||||
|
||||
/* add extra stuff */
|
||||
|
@ -874,7 +884,7 @@ index d15b743f50..0759bc639b 100644
|
|||
sk_SSL_CIPHER_free(s->cipher_list_by_id);
|
||||
sk_SSL_CIPHER_free(s->tls13_ciphersuites);
|
||||
sk_SSL_CIPHER_free(s->peer_ciphers);
|
||||
@@ -2563,9 +2629,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
|
||||
@@ -2570,9 +2636,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
|
||||
{
|
||||
if (s != NULL) {
|
||||
if (s->cipher_list != NULL) {
|
||||
|
@ -886,7 +896,7 @@ index d15b743f50..0759bc639b 100644
|
|||
}
|
||||
}
|
||||
return NULL;
|
||||
@@ -2639,8 +2705,8 @@ const char *SSL_get_cipher_list(const SSL *s, int n)
|
||||
@@ -2646,8 +2712,8 @@ const char *SSL_get_cipher_list(const SSL *s, int n)
|
||||
* preference */
|
||||
STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx)
|
||||
{
|
||||
|
@ -897,7 +907,7 @@ index d15b743f50..0759bc639b 100644
|
|||
return NULL;
|
||||
}
|
||||
|
||||
@@ -3088,7 +3154,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
|
||||
@@ -3095,7 +3161,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
|
||||
ret->tls13_ciphersuites,
|
||||
&ret->cipher_list, &ret->cipher_list_by_id,
|
||||
OSSL_default_cipher_list(), ret->cert)
|
||||
|
@ -906,7 +916,7 @@ index d15b743f50..0759bc639b 100644
|
|||
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
|
||||
goto err2;
|
||||
}
|
||||
@@ -3264,7 +3330,7 @@ void SSL_CTX_free(SSL_CTX *a)
|
||||
@@ -3271,7 +3337,7 @@ void SSL_CTX_free(SSL_CTX *a)
|
||||
#ifndef OPENSSL_NO_CT
|
||||
CTLOG_STORE_free(a->ctlog_store);
|
||||
#endif
|
||||
|
@ -915,7 +925,7 @@ index d15b743f50..0759bc639b 100644
|
|||
sk_SSL_CIPHER_free(a->cipher_list_by_id);
|
||||
sk_SSL_CIPHER_free(a->tls13_ciphersuites);
|
||||
ssl_cert_free(a->cert);
|
||||
@@ -3940,13 +4006,15 @@ SSL *SSL_dup(SSL *s)
|
||||
@@ -3947,13 +4013,15 @@ SSL *SSL_dup(SSL *s)
|
||||
|
||||
/* dup the cipher_list and cipher_list_by_id stacks */
|
||||
if (s->cipher_list != NULL) {
|
||||
|
@ -936,7 +946,7 @@ index d15b743f50..0759bc639b 100644
|
|||
/* Dup the client_CA list */
|
||||
if (!dup_ca_names(&ret->ca_names, s->ca_names)
|
||||
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
|
||||
index a61987f327..e03be541e1 100644
|
||||
index b66979b4da..80109b925c 100644
|
||||
--- a/ssl/ssl_locl.h
|
||||
+++ b/ssl/ssl_locl.h
|
||||
@@ -737,9 +737,46 @@ typedef struct ssl_ctx_ext_secure_st {
|
||||
|
@ -1029,7 +1039,7 @@ index a61987f327..e03be541e1 100644
|
|||
__owur int ssl3_new(SSL *s);
|
||||
void ssl3_free(SSL *s);
|
||||
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
|
||||
index 79c2aa0ede..0be033fd90 100644
|
||||
index acd3e27087..840006dd47 100644
|
||||
--- a/ssl/statem/statem_srvr.c
|
||||
+++ b/ssl/statem/statem_srvr.c
|
||||
@@ -1749,7 +1749,7 @@ static int tls_early_post_process_client_hello(SSL *s)
|
||||
|
@ -1062,7 +1072,7 @@ index 79c2aa0ede..0be033fd90 100644
|
|||
sk_SSL_CIPHER_free(s->cipher_list_by_id);
|
||||
s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->peer_ciphers);
|
||||
}
|
||||
@@ -2256,7 +2257,7 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
|
||||
@@ -2254,7 +2255,7 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
|
||||
/* In TLSv1.3 we selected the ciphersuite before resumption */
|
||||
if (!SSL_IS_TLS13(s)) {
|
||||
cipher =
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
|
||||
index 23c0ddae4f..f1663dec44 100644
|
||||
index f74659c599..159fcea0b1 100644
|
||||
--- a/crypto/err/openssl.txt
|
||||
+++ b/crypto/err/openssl.txt
|
||||
@@ -2943,6 +2943,8 @@ SSL_R_MISSING_TMP_DH_KEY:171:missing tmp dh key
|
||||
@@ -2998,6 +2998,8 @@ SSL_R_MISSING_TMP_DH_KEY:171:missing tmp dh key
|
||||
SSL_R_MISSING_TMP_ECDH_KEY:311:missing tmp ecdh key
|
||||
SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA:293:\
|
||||
mixed handshake and non handshake data
|
||||
|
@ -11,7 +11,7 @@ index 23c0ddae4f..f1663dec44 100644
|
|||
SSL_R_NOT_ON_RECORD_BOUNDARY:182:not on record boundary
|
||||
SSL_R_NOT_REPLACING_CERTIFICATE:289:not replacing certificate
|
||||
SSL_R_NOT_SERVER:284:not server
|
||||
@@ -3049,7 +3051,9 @@ SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES:242:unable to load ssl3 md5 routines
|
||||
@@ -3104,7 +3106,9 @@ SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES:242:unable to load ssl3 md5 routines
|
||||
SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES:243:unable to load ssl3 sha1 routines
|
||||
SSL_R_UNEXPECTED_CCS_MESSAGE:262:unexpected ccs message
|
||||
SSL_R_UNEXPECTED_END_OF_EARLY_DATA:178:unexpected end of early data
|
||||
|
@ -21,11 +21,11 @@ index 23c0ddae4f..f1663dec44 100644
|
|||
SSL_R_UNEXPECTED_RECORD:245:unexpected record
|
||||
SSL_R_UNINITIALIZED:276:uninitialized
|
||||
SSL_R_UNKNOWN_ALERT_TYPE:246:unknown alert type
|
||||
diff --git a/doc/man1/ciphers.pod b/doc/man1/ciphers.pod
|
||||
index e29c5d7ced..7d795c390e 100644
|
||||
--- a/doc/man1/ciphers.pod
|
||||
+++ b/doc/man1/ciphers.pod
|
||||
@@ -400,6 +400,21 @@ permissible.
|
||||
diff --git a/doc/man1/openssl-ciphers.pod b/doc/man1/openssl-ciphers.pod
|
||||
index 7e498333c6..1d4e0a894e 100644
|
||||
--- a/doc/man1/openssl-ciphers.pod
|
||||
+++ b/doc/man1/openssl-ciphers.pod
|
||||
@@ -399,6 +399,21 @@ permissible.
|
||||
|
||||
=back
|
||||
|
||||
|
@ -48,10 +48,10 @@ index e29c5d7ced..7d795c390e 100644
|
|||
|
||||
The following lists give the SSL or TLS cipher suites names from the
|
||||
diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h
|
||||
index 385fda37a4..ece73c495c 100644
|
||||
index d8d3cea5d8..d260e0bcde 100644
|
||||
--- a/include/openssl/sslerr.h
|
||||
+++ b/include/openssl/sslerr.h
|
||||
@@ -601,6 +601,8 @@ int ERR_load_SSL_strings(void);
|
||||
@@ -603,6 +603,8 @@ int ERR_load_SSL_strings(void);
|
||||
# define SSL_R_MISSING_TMP_DH_KEY 171
|
||||
# define SSL_R_MISSING_TMP_ECDH_KEY 311
|
||||
# define SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA 293
|
||||
|
@ -60,7 +60,7 @@ index 385fda37a4..ece73c495c 100644
|
|||
# define SSL_R_NOT_ON_RECORD_BOUNDARY 182
|
||||
# define SSL_R_NOT_REPLACING_CERTIFICATE 289
|
||||
# define SSL_R_NOT_SERVER 284
|
||||
@@ -731,7 +733,9 @@ int ERR_load_SSL_strings(void);
|
||||
@@ -733,7 +735,9 @@ int ERR_load_SSL_strings(void);
|
||||
# define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 243
|
||||
# define SSL_R_UNEXPECTED_CCS_MESSAGE 262
|
||||
# define SSL_R_UNEXPECTED_END_OF_EARLY_DATA 178
|
||||
|
@ -71,7 +71,7 @@ index 385fda37a4..ece73c495c 100644
|
|||
# define SSL_R_UNINITIALIZED 276
|
||||
# define SSL_R_UNKNOWN_ALERT_TYPE 246
|
||||
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
|
||||
index 3238fd9b7e..07136c6976 100644
|
||||
index d23f932ce9..16240d337b 100644
|
||||
--- a/ssl/s3_lib.c
|
||||
+++ b/ssl/s3_lib.c
|
||||
@@ -32,7 +32,25 @@ const unsigned char tls12downgrade[] = {
|
||||
|
@ -177,7 +177,7 @@ index 3238fd9b7e..07136c6976 100644
|
|||
DTLS1_BAD_VER, DTLS1_2_VERSION,
|
||||
SSL_HIGH | SSL_FIPS,
|
||||
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
|
||||
@@ -4110,6 +4116,17 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
|
||||
@@ -4111,6 +4117,17 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
@ -195,7 +195,7 @@ index 3238fd9b7e..07136c6976 100644
|
|||
/*
|
||||
* ssl3_choose_cipher - choose a cipher from those offered by the client
|
||||
* @s: SSL connection
|
||||
@@ -4119,16 +4136,24 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
|
||||
@@ -4120,16 +4137,24 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
|
||||
* Returns the selected cipher or NULL when no common ciphers.
|
||||
*/
|
||||
const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
|
@ -226,7 +226,7 @@ index 3238fd9b7e..07136c6976 100644
|
|||
|
||||
/* Let's see which ciphers we can support */
|
||||
|
||||
@@ -4155,54 +4180,13 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
@@ -4156,54 +4181,13 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
} OSSL_TRACE_END(TLS_CIPHER);
|
||||
|
||||
/* SUITE-B takes precedence over server preference and ChaCha priortiy */
|
||||
|
@ -284,7 +284,7 @@ index 3238fd9b7e..07136c6976 100644
|
|||
allow = srvr;
|
||||
}
|
||||
|
||||
@@ -4233,14 +4217,16 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
@@ -4234,14 +4218,16 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
|
||||
c = sk_SSL_CIPHER_value(prio, i);
|
||||
|
||||
|
@ -303,7 +303,7 @@ index 3238fd9b7e..07136c6976 100644
|
|||
|
||||
/*
|
||||
* Since TLS 1.3 ciphersuites can be used with any auth or
|
||||
@@ -4262,10 +4248,10 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
@@ -4263,10 +4249,10 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
#ifndef OPENSSL_NO_PSK
|
||||
/* with PSK there must be server callback set */
|
||||
if ((alg_k & SSL_PSK) && s->psk_server_callback == NULL)
|
||||
|
@ -316,7 +316,7 @@ index 3238fd9b7e..07136c6976 100644
|
|||
OSSL_TRACE7(TLS_CIPHER,
|
||||
"%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n",
|
||||
ok, alg_k, alg_a, mask_k, mask_a, (void *)c, c->name);
|
||||
@@ -4281,6 +4267,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
@@ -4282,6 +4268,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
|
||||
if (!ok)
|
||||
continue;
|
||||
|
@ -331,7 +331,7 @@ index 3238fd9b7e..07136c6976 100644
|
|||
}
|
||||
ii = sk_SSL_CIPHER_find(allow, c);
|
||||
if (ii >= 0) {
|
||||
@@ -4288,14 +4282,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
@@ -4289,14 +4283,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED,
|
||||
c->strength_bits, 0, (void *)c))
|
||||
continue;
|
||||
|
@ -347,7 +347,7 @@ index 3238fd9b7e..07136c6976 100644
|
|||
if (prefer_sha256) {
|
||||
const SSL_CIPHER *tmp = sk_SSL_CIPHER_value(allow, ii);
|
||||
|
||||
@@ -4307,13 +4294,38 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
@@ -4308,13 +4295,38 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||
ret = tmp;
|
||||
continue;
|
||||
}
|
||||
|
@ -391,7 +391,7 @@ index 3238fd9b7e..07136c6976 100644
|
|||
}
|
||||
|
||||
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
|
||||
index 6cb8b33b5b..7cb418a0d6 100644
|
||||
index e427c407fc..f3eb8a6b9f 100644
|
||||
--- a/ssl/ssl_ciph.c
|
||||
+++ b/ssl/ssl_ciph.c
|
||||
@@ -193,6 +193,7 @@ typedef struct cipher_order_st {
|
||||
|
@ -594,25 +594,35 @@ index 6cb8b33b5b..7cb418a0d6 100644
|
|||
return retval;
|
||||
}
|
||||
|
||||
@@ -1382,7 +1441,7 @@ int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str)
|
||||
@@ -1380,8 +1439,8 @@ int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str)
|
||||
{
|
||||
int ret = set_ciphersuites(&(ctx->tls13_ciphersuites), str);
|
||||
|
||||
if (ret && ctx->cipher_list != NULL) {
|
||||
/* We already have a cipher_list, so we need to update it */
|
||||
- if (ret && ctx->cipher_list != NULL)
|
||||
- return update_cipher_list(&ctx->cipher_list, &ctx->cipher_list_by_id,
|
||||
+ if (ret && ctx->cipher_list->ciphers != NULL)
|
||||
+ return update_cipher_list(&ctx->cipher_list->ciphers, &ctx->cipher_list_by_id,
|
||||
ctx->tls13_ciphersuites);
|
||||
|
||||
return ret;
|
||||
@@ -1392,12 +1451,12 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
|
||||
STACK_OF(SSL_CIPHER) *cipher_list;
|
||||
int ret = set_ciphersuites(&(s->tls13_ciphersuites), str);
|
||||
|
||||
- if (s->cipher_list == NULL) {
|
||||
+ if (s->cipher_list->ciphers == NULL) {
|
||||
if ((cipher_list = SSL_get_ciphers(s)) != NULL)
|
||||
- s->cipher_list = sk_SSL_CIPHER_dup(cipher_list);
|
||||
+ s->cipher_list->ciphers = sk_SSL_CIPHER_dup(cipher_list);
|
||||
}
|
||||
|
||||
@@ -1395,7 +1454,7 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
|
||||
|
||||
if (ret && s->cipher_list != NULL) {
|
||||
/* We already have a cipher_list, so we need to update it */
|
||||
- if (ret && s->cipher_list != NULL)
|
||||
- return update_cipher_list(&s->cipher_list, &s->cipher_list_by_id,
|
||||
+ if (ret && s->cipher_list->ciphers != NULL)
|
||||
+ return update_cipher_list(&s->cipher_list->ciphers, &s->cipher_list_by_id,
|
||||
s->tls13_ciphersuites);
|
||||
}
|
||||
|
||||
@@ -1404,17 +1463,20 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
|
||||
return ret;
|
||||
@@ -1405,17 +1464,20 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
|
||||
|
||||
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
|
||||
|
@ -636,7 +646,7 @@ index 6cb8b33b5b..7cb418a0d6 100644
|
|||
|
||||
/*
|
||||
* Return with error if nothing to do.
|
||||
@@ -1463,16 +1525,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
@@ -1464,16 +1526,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
* preference).
|
||||
*/
|
||||
ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, 0, 0, 0, 0, CIPHER_ADD,
|
||||
|
@ -660,7 +670,7 @@ index 6cb8b33b5b..7cb418a0d6 100644
|
|||
&head, &tail);
|
||||
|
||||
/*
|
||||
@@ -1481,13 +1543,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
@@ -1482,13 +1544,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
* strength.
|
||||
*/
|
||||
ssl_cipher_apply_rule(0, 0, 0, SSL_AES ^ SSL_AESGCM, 0, 0, 0, CIPHER_ADD,
|
||||
|
@ -677,7 +687,7 @@ index 6cb8b33b5b..7cb418a0d6 100644
|
|||
&tail);
|
||||
|
||||
/*
|
||||
@@ -1495,16 +1557,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
@@ -1496,16 +1558,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
* disabled. (For applications that allow them, they aren't too bad, but
|
||||
* we prefer authenticated ciphers.)
|
||||
*/
|
||||
|
@ -698,7 +708,7 @@ index 6cb8b33b5b..7cb418a0d6 100644
|
|||
&tail);
|
||||
|
||||
/*
|
||||
@@ -1520,7 +1582,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
@@ -1521,7 +1583,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
* Partially overrule strength sort to prefer TLS 1.2 ciphers/PRFs.
|
||||
* TODO(openssl-team): is there an easier way to accomplish all this?
|
||||
*/
|
||||
|
@ -707,7 +717,7 @@ index 6cb8b33b5b..7cb418a0d6 100644
|
|||
&head, &tail);
|
||||
|
||||
/*
|
||||
@@ -1536,15 +1598,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
@@ -1537,15 +1599,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
* Because we now bump ciphers to the top of the list, we proceed in
|
||||
* reverse order of preference.
|
||||
*/
|
||||
|
@ -730,7 +740,7 @@ index 6cb8b33b5b..7cb418a0d6 100644
|
|||
|
||||
/*
|
||||
* We also need cipher aliases for selecting based on the rule_str.
|
||||
@@ -1558,9 +1623,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
@@ -1559,9 +1624,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
|
||||
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
|
||||
if (ca_list == NULL) {
|
||||
|
@ -741,7 +751,7 @@ index 6cb8b33b5b..7cb418a0d6 100644
|
|||
}
|
||||
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
|
||||
disabled_mkey, disabled_auth, disabled_enc,
|
||||
@@ -1585,28 +1649,19 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
@@ -1586,28 +1650,19 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
|
||||
OPENSSL_free(ca_list); /* Not needed anymore */
|
||||
|
||||
|
@ -777,7 +787,7 @@ index 6cb8b33b5b..7cb418a0d6 100644
|
|||
|
||||
OSSL_TRACE_BEGIN(TLS_CIPHER) {
|
||||
BIO_printf(trc_out, "cipher selection:\n");
|
||||
@@ -1618,26 +1673,51 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
@@ -1619,26 +1674,51 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
for (curr = head; curr != NULL; curr = curr->next) {
|
||||
if (curr->active) {
|
||||
if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
|
||||
|
@ -839,10 +849,10 @@ index 6cb8b33b5b..7cb418a0d6 100644
|
|||
|
||||
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
|
||||
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
|
||||
index daeee1ecc4..485f8b7eb5 100644
|
||||
index ef9b95a0c9..29a36730cc 100644
|
||||
--- a/ssl/ssl_err.c
|
||||
+++ b/ssl/ssl_err.c
|
||||
@@ -967,6 +967,9 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
|
||||
@@ -255,6 +255,9 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
|
||||
"missing tmp ecdh key"},
|
||||
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA),
|
||||
"mixed handshake and non handshake data"},
|
||||
|
@ -852,7 +862,7 @@ index daeee1ecc4..485f8b7eb5 100644
|
|||
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NOT_ON_RECORD_BOUNDARY),
|
||||
"not on record boundary"},
|
||||
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NOT_REPLACING_CERTIFICATE),
|
||||
@@ -1201,7 +1204,11 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
|
||||
@@ -489,7 +492,11 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
|
||||
"unexpected ccs message"},
|
||||
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_END_OF_EARLY_DATA),
|
||||
"unexpected end of early data"},
|
||||
|
@ -865,10 +875,10 @@ index daeee1ecc4..485f8b7eb5 100644
|
|||
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},
|
||||
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_ALERT_TYPE), "unknown alert type"},
|
||||
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
|
||||
index d15b743f50..0759bc639b 100644
|
||||
index 0d40ecaec9..1f1ed9b714 100644
|
||||
--- a/ssl/ssl_lib.c
|
||||
+++ b/ssl/ssl_lib.c
|
||||
@@ -1122,6 +1122,71 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
|
||||
@@ -1127,6 +1127,71 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
|
||||
return X509_VERIFY_PARAM_set1(ssl->param, vpm);
|
||||
}
|
||||
|
||||
|
@ -940,7 +950,7 @@ index d15b743f50..0759bc639b 100644
|
|||
X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx)
|
||||
{
|
||||
return ctx->param;
|
||||
@@ -1166,7 +1231,8 @@ void SSL_free(SSL *s)
|
||||
@@ -1171,7 +1236,8 @@ void SSL_free(SSL *s)
|
||||
BUF_MEM_free(s->init_buf);
|
||||
|
||||
/* add extra stuff */
|
||||
|
@ -950,7 +960,7 @@ index d15b743f50..0759bc639b 100644
|
|||
sk_SSL_CIPHER_free(s->cipher_list_by_id);
|
||||
sk_SSL_CIPHER_free(s->tls13_ciphersuites);
|
||||
sk_SSL_CIPHER_free(s->peer_ciphers);
|
||||
@@ -2563,9 +2629,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
|
||||
@@ -2570,9 +2636,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
|
||||
{
|
||||
if (s != NULL) {
|
||||
if (s->cipher_list != NULL) {
|
||||
|
@ -962,7 +972,7 @@ index d15b743f50..0759bc639b 100644
|
|||
}
|
||||
}
|
||||
return NULL;
|
||||
@@ -2639,8 +2705,8 @@ const char *SSL_get_cipher_list(const SSL *s, int n)
|
||||
@@ -2646,8 +2712,8 @@ const char *SSL_get_cipher_list(const SSL *s, int n)
|
||||
* preference */
|
||||
STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx)
|
||||
{
|
||||
|
@ -973,7 +983,7 @@ index d15b743f50..0759bc639b 100644
|
|||
return NULL;
|
||||
}
|
||||
|
||||
@@ -3088,7 +3154,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
|
||||
@@ -3095,7 +3161,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
|
||||
ret->tls13_ciphersuites,
|
||||
&ret->cipher_list, &ret->cipher_list_by_id,
|
||||
OSSL_default_cipher_list(), ret->cert)
|
||||
|
@ -982,7 +992,7 @@ index d15b743f50..0759bc639b 100644
|
|||
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
|
||||
goto err2;
|
||||
}
|
||||
@@ -3264,7 +3330,7 @@ void SSL_CTX_free(SSL_CTX *a)
|
||||
@@ -3271,7 +3337,7 @@ void SSL_CTX_free(SSL_CTX *a)
|
||||
#ifndef OPENSSL_NO_CT
|
||||
CTLOG_STORE_free(a->ctlog_store);
|
||||
#endif
|
||||
|
@ -991,7 +1001,7 @@ index d15b743f50..0759bc639b 100644
|
|||
sk_SSL_CIPHER_free(a->cipher_list_by_id);
|
||||
sk_SSL_CIPHER_free(a->tls13_ciphersuites);
|
||||
ssl_cert_free(a->cert);
|
||||
@@ -3940,13 +4006,15 @@ SSL *SSL_dup(SSL *s)
|
||||
@@ -3947,13 +4013,15 @@ SSL *SSL_dup(SSL *s)
|
||||
|
||||
/* dup the cipher_list and cipher_list_by_id stacks */
|
||||
if (s->cipher_list != NULL) {
|
||||
|
@ -1012,7 +1022,7 @@ index d15b743f50..0759bc639b 100644
|
|||
/* Dup the client_CA list */
|
||||
if (!dup_ca_names(&ret->ca_names, s->ca_names)
|
||||
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
|
||||
index a61987f327..e03be541e1 100644
|
||||
index b66979b4da..80109b925c 100644
|
||||
--- a/ssl/ssl_locl.h
|
||||
+++ b/ssl/ssl_locl.h
|
||||
@@ -737,9 +737,46 @@ typedef struct ssl_ctx_ext_secure_st {
|
||||
|
@ -1105,7 +1115,7 @@ index a61987f327..e03be541e1 100644
|
|||
__owur int ssl3_new(SSL *s);
|
||||
void ssl3_free(SSL *s);
|
||||
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
|
||||
index 79c2aa0ede..0be033fd90 100644
|
||||
index acd3e27087..840006dd47 100644
|
||||
--- a/ssl/statem/statem_srvr.c
|
||||
+++ b/ssl/statem/statem_srvr.c
|
||||
@@ -1749,7 +1749,7 @@ static int tls_early_post_process_client_hello(SSL *s)
|
||||
|
@ -1138,7 +1148,7 @@ index 79c2aa0ede..0be033fd90 100644
|
|||
sk_SSL_CIPHER_free(s->cipher_list_by_id);
|
||||
s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->peer_ciphers);
|
||||
}
|
||||
@@ -2256,7 +2257,7 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
|
||||
@@ -2254,7 +2255,7 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
|
||||
/* In TLSv1.3 we selected the ciphersuite before resumption */
|
||||
if (!SSL_IS_TLS13(s)) {
|
||||
cipher =
|
||||
|
|
Loading…
Reference in New Issue