
openssl-equal-1.1.1b.patch 44KB

  1. diff --git a/doc/man1/ciphers.pod b/doc/man1/ciphers.pod
  2. index faf9e53814..428df515f1 100644
  3. --- a/doc/man1/ciphers.pod
  4. +++ b/doc/man1/ciphers.pod
  5. @@ -400,6 +400,21 @@ permissible.
  6. =back
  7. +=head1 EQUAL PREFERENCE GROUPS
  8. +
  9. +If configuring a server, one may also configure equal-preference groups to
  10. +partially respect the client's preferences when
  11. +B<SSL_OP_CIPHER_SERVER_PREFERENCE> is enabled. Ciphers in an equal-preference
  12. +group have equal priority and use the client order. This may be used to
  13. +enforce that AEADs are preferred but select AES-GCM vs. ChaCha20-Poly1305
  14. +based on client preferences. An equal-preference is specified with square
  15. +brackets, combining multiple selectors separated by |. For example:
  16. +
  17. + [ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]
  18. +
  19. + Once an equal-preference group is used, future directives must be
  20. + opcode-less.
  21. +
  22. =head1 CIPHER SUITE NAMES
  23. The following lists give the SSL or TLS cipher suites names from the
  24. diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
  25. index 4b7757395f..8ff91f7570 100644
  26. --- a/include/openssl/ssl.h
  27. +++ b/include/openssl/ssl.h
  28. @@ -173,12 +173,12 @@ extern "C" {
  29. # define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
  30. /* This is the default set of TLSv1.3 ciphersuites */
  31. # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
  32. -# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
  33. +# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_128_GCM_SHA256:" \
  34. "TLS_CHACHA20_POLY1305_SHA256:" \
  35. - "TLS_AES_128_GCM_SHA256"
  36. + "TLS_AES_256_GCM_SHA384"
  37. # else
  38. -# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
  39. - "TLS_AES_128_GCM_SHA256"
  40. +# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_128_GCM_SHA256:" \
  41. + "TLS_AES_256_GCM_SHA384"
  42. #endif
  43. /*
  44. * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
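Review bot: The new order of `TLS_DEFAULT_CIPHERSUITES` is load-bearing, but nothing in this header says so. Later in this patch, `ssl_create_cipher_list()` flags a TLS 1.3 AES-128-GCM entry as grouped when the next entry is ChaCha20-Poly1305, so this default makes that pair an equal-preference group. It also moves AES-256-GCM from first to last for every application that relies on the default. I would add a comment above the define, for example `/* AES-128-GCM directly followed by ChaCha20-Poly1305 forms an equal-preference group in ssl_create_cipher_list(); keep them adjacent */`, and record the lowered AES-256 preference in the patch notes.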
  45. diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h
  46. index a50a075b42..e9abb98d4f 100644
  47. --- a/include/openssl/sslerr.h
  48. +++ b/include/openssl/sslerr.h
  49. @@ -596,6 +596,8 @@ int ERR_load_SSL_strings(void);
  50. # define SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION 209
  51. # define SSL_R_MISSING_TMP_DH_KEY 171
  52. # define SSL_R_MISSING_TMP_ECDH_KEY 311
  53. +# define SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS 101
  54. +# define SSL_R_NESTED_GROUP 108
  55. # define SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA 293
  56. # define SSL_R_NOT_ON_RECORD_BOUNDARY 182
  57. # define SSL_R_NOT_REPLACING_CERTIFICATE 289
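Review bot: The new reason codes 101 and 108 here, and 109 and 110 in the `@@ -727,9` hunk, are hand-picked low values, and the hunks do not show whether those numbers are already taken elsewhere in `sslerr.h`. A duplicate would make the error queue report the wrong reason string for a malformed cipher rule, which is exactly when an operator needs the right message. Please check each value against the full header, or allocate them above the highest existing `SSL_R_` value. `SSL_R_NESTED_GROUP` and `SSL_R_UNEXPECTED_GROUP_CLOSE` also break the alphabetical order the surrounding defines follow.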
  58. @@ -727,9 +729,11 @@ int ERR_load_SSL_strings(void);
  59. # define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 239
  60. # define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 242
  61. # define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 243
  62. +# define SSL_R_UNEXPECTED_GROUP_CLOSE 109
  63. # define SSL_R_UNEXPECTED_CCS_MESSAGE 262
  64. # define SSL_R_UNEXPECTED_END_OF_EARLY_DATA 178
  65. # define SSL_R_UNEXPECTED_MESSAGE 244
  66. +# define SSL_R_UNEXPECTED_OPERATOR_IN_GROUP 110
  67. # define SSL_R_UNEXPECTED_RECORD 245
  68. # define SSL_R_UNINITIALIZED 276
  69. # define SSL_R_UNKNOWN_ALERT_TYPE 246
  70. diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
  71. index 99ae48199c..0c326fec0d 100644
  72. --- a/ssl/s3_lib.c
  73. +++ b/ssl/s3_lib.c
  74. @@ -167,7 +167,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
  75. SSL_aRSA,
  76. SSL_3DES,
  77. SSL_SHA1,
  78. - SSL3_VERSION, TLS1_2_VERSION,
  79. + SSL3_VERSION, TLS1_VERSION,
  80. DTLS1_BAD_VER, DTLS1_2_VERSION,
  81. SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
  82. SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
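Review bot: The upper TLS bound of this entry drops from `TLS1_2_VERSION` to `TLS1_VERSION` without a comment, while the DTLS bound on the next line stays at `DTLS1_2_VERSION`. The suite therefore stops being offered on TLS 1.1/1.2 but remains negotiable on SSLv3/TLS 1.0 and on every DTLS version, which looks unintended for a hardening change. The same edit is repeated in the `@@ -232,7` and `@@ -296,7` hunks. The entries' names start outside the hunks, so please state the intent in a comment on each, e.g. `/* RSA/CBC-SHA1 suite: legacy TLS 1.0 clients only */`, and decide whether the DTLS range should be narrowed to match.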
  83. @@ -232,7 +232,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
  84. SSL_aRSA,
  85. SSL_AES128,
  86. SSL_SHA1,
  87. - SSL3_VERSION, TLS1_2_VERSION,
  88. + SSL3_VERSION, TLS1_VERSION,
  89. DTLS1_BAD_VER, DTLS1_2_VERSION,
  90. SSL_HIGH | SSL_FIPS,
  91. SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
  92. @@ -296,7 +296,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
  93. SSL_aRSA,
  94. SSL_AES256,
  95. SSL_SHA1,
  96. - SSL3_VERSION, TLS1_2_VERSION,
  97. + SSL3_VERSION, TLS1_VERSION,
  98. DTLS1_BAD_VER, DTLS1_2_VERSION,
  99. SSL_HIGH | SSL_FIPS,
  100. SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
  101. @@ -4124,6 +4124,17 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
  102. return 1;
  103. }
  104. +struct ssl_cipher_preference_list_st* ssl_get_cipher_preferences(SSL *s)
  105. +{
  106. + if (s->cipher_list != NULL)
  107. + return (s->cipher_list);
  108. +
  109. + if ((s->ctx != NULL) && (s->ctx->cipher_list != NULL))
  110. + return (s->ctx->cipher_list);
  111. +
  112. + return NULL;
  113. +}
  114. +
  115. /*
  116. * ssl3_choose_cipher - choose a cipher from those offered by the client
  117. * @s: SSL connection
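Review bot: `ssl_get_cipher_preferences()` is added without a comment describing its contract. A short header comment should say that it returns the connection's own list if set, otherwise the `SSL_CTX` list, and that the pointer is borrowed and must not be freed by the caller. The comment should also say the result may be `NULL`, because the reworked `ssl3_choose_cipher()` below dereferences its preference-list argument unconditionally. Also, `s` itself is dereferenced without a check while `s->ctx` is checked, which is inconsistent.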
  118. @@ -4133,16 +4144,24 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
  119. * Returns the selected cipher or NULL when no common ciphers.
  120. */
  121. const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
  122. - STACK_OF(SSL_CIPHER) *srvr)
  123. + struct ssl_cipher_preference_list_st
  124. + *server_pref)
  125. {
  126. const SSL_CIPHER *c, *ret = NULL;
  127. - STACK_OF(SSL_CIPHER) *prio, *allow;
  128. - int i, ii, ok, prefer_sha256 = 0;
  129. + STACK_OF(SSL_CIPHER) *srvr = server_pref->ciphers, *prio, *allow;
  130. + int i, ii, ok, prefer_sha256 = 0, safari_ec = 0;
  131. unsigned long alg_k = 0, alg_a = 0, mask_k = 0, mask_a = 0;
  132. const EVP_MD *mdsha256 = EVP_sha256();
  133. -#ifndef OPENSSL_NO_CHACHA
  134. - STACK_OF(SSL_CIPHER) *prio_chacha = NULL;
  135. -#endif
  136. +
  137. + /* in_group_flags will either be NULL, or will point to an array of
  138. + * bytes which indicate equal-preference groups in the |prio| stack.
  139. + * See the comment about |in_group_flags| in the
  140. + * |ssl_cipher_preference_list_st| struct. */
  141. + const uint8_t *in_group_flags;
  142. +
  143. + /* group_min contains the minimal index so far found in a group, or -1
  144. + * if no such value exists yet. */
  145. + int group_min = -1;
  146. /* Let's see which ciphers we can support */
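Review bot: `server_pref->ciphers` is dereferenced in the declaration initialiser, before any check, although `ssl_get_cipher_preferences()` added earlier in this patch can return `NULL`. The callers are outside this hunk, so a handshake on an object with no configured list may crash here rather than fail with "no shared cipher". I would split the initialiser and guard it with `if (server_pref == NULL) return NULL;` followed by `srvr = server_pref->ciphers;`. The function comment above still needs its parameter description updated for `server_pref`, and the body continues past the end of this hunk.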
  147. @@ -4169,54 +4188,13 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
  148. #endif
  149. /* SUITE-B takes precedence over server preference and ChaCha priortiy */
  150. - if (tls1_suiteb(s)) {
  151. + if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || tls1_suiteb(s)) {
  152. prio = srvr;
  153. + in_group_flags = server_pref->in_group_flags;
  154. allow = clnt;
  155. - } else if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
  156. - prio = srvr;
  157. - allow = clnt;
  158. -#ifndef OPENSSL_NO_CHACHA
  159. - /* If ChaCha20 is at the top of the client preference list,
  160. - and there are ChaCha20 ciphers in the server list, then
  161. - temporarily prioritize all ChaCha20 ciphers in the servers list. */
  162. - if (s->options & SSL_OP_PRIORITIZE_CHACHA && sk_SSL_CIPHER_num(clnt) > 0) {
  163. - c = sk_SSL_CIPHER_value(clnt, 0);
  164. - if (c->algorithm_enc == SSL_CHACHA20POLY1305) {
  165. - /* ChaCha20 is client preferred, check server... */
  166. - int num = sk_SSL_CIPHER_num(srvr);
  167. - int found = 0;
  168. - for (i = 0; i < num; i++) {
  169. - c = sk_SSL_CIPHER_value(srvr, i);
  170. - if (c->algorithm_enc == SSL_CHACHA20POLY1305) {
  171. - found = 1;
  172. - break;
  173. - }
  174. - }
  175. - if (found) {
  176. - prio_chacha = sk_SSL_CIPHER_new_reserve(NULL, num);
  177. - /* if reserve fails, then there's likely a memory issue */
  178. - if (prio_chacha != NULL) {
  179. - /* Put all ChaCha20 at the top, starting with the one we just found */
  180. - sk_SSL_CIPHER_push(prio_chacha, c);
  181. - for (i++; i < num; i++) {
  182. - c = sk_SSL_CIPHER_value(srvr, i);
  183. - if (c->algorithm_enc == SSL_CHACHA20POLY1305)
  184. - sk_SSL_CIPHER_push(prio_chacha, c);
  185. - }
  186. - /* Pull in the rest */
  187. - for (i = 0; i < num; i++) {
  188. - c = sk_SSL_CIPHER_value(srvr, i);
  189. - if (c->algorithm_enc != SSL_CHACHA20POLY1305)
  190. - sk_SSL_CIPHER_push(prio_chacha, c);
  191. - }
  192. - prio = prio_chacha;
  193. - }
  194. - }
  195. - }
  196. - }
  197. -# endif
  198. } else {
  199. prio = clnt;
  200. + in_group_flags = NULL;
  201. allow = srvr;
  202. }
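Review bot: This hunk deletes the whole `SSL_OP_PRIORITIZE_CHACHA` path, so an application that sets the option keeps compiling and silently loses the behaviour. The context comment "SUITE-B takes precedence over server preference and ChaCha priortiy" no longer describes the code. Replace it with something like `/* Server order, including equal-preference groups, applies for SUITE-B and SSL_OP_CIPHER_SERVER_PREFERENCE; SSL_OP_PRIORITIZE_CHACHA is no longer consulted */` and note the change in the man page. The merged branch also applies `in_group_flags` to Suite B connections, which previously used strict server order, so that needs confirming as intended. For readability the condition would be clearer as `if ((s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) || tls1_suiteb(s))`.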
  203. @@ -4247,14 +4225,16 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
  204. for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
  205. c = sk_SSL_CIPHER_value(prio, i);
  206. + ok = 1;
  207. +
  208. /* Skip ciphers not supported by the protocol version */
  209. if (!SSL_IS_DTLS(s) &&
  210. ((s->version < c->min_tls) || (s->version > c->max_tls)))
  211. - continue;
  212. + ok = 0;
  213. if (SSL_IS_DTLS(s) &&
  214. (DTLS_VERSION_LT(s->version, c->min_dtls) ||
  215. DTLS_VERSION_GT(s->version, c->max_dtls)))
  216. - continue;
  217. + ok = 0;
  218. /*
  219. * Since TLS 1.3 ciphersuites can be used with any auth or
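Review bot: Replacing `continue` with `ok = 0` on the two version checks means a version-mismatched suite is only rejected if the later `if (!ok) continue;` actually runs. That test sits inside a braced block that closes at gutter line 243. The block opens outside the visible hunks, but the comment here suggests it is skipped for TLS 1.3. If so, on a TLS 1.3 connection a suite whose `max_tls` is below the negotiated version falls through to `sk_SSL_CIPHER_find()` and can be returned. Either keep `continue` for the version checks or add an unconditional `if (!ok) continue;` immediately after that block closes.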
  220. @@ -4276,10 +4256,10 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
  221. #ifndef OPENSSL_NO_PSK
  222. /* with PSK there must be server callback set */
  223. if ((alg_k & SSL_PSK) && s->psk_server_callback == NULL)
  224. - continue;
  225. + ok = 0;
  226. #endif /* OPENSSL_NO_PSK */
  227. - ok = (alg_k & mask_k) && (alg_a & mask_a);
  228. + ok = ok && (alg_k & mask_k) && (alg_a & mask_a);
  229. #ifdef CIPHER_DEBUG
  230. fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", ok, alg_k,
  231. alg_a, mask_k, mask_a, (void *)c, c->name);
  232. @@ -4296,6 +4276,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
  233. if (!ok)
  234. continue;
  235. +
  236. + safari_ec = 0;
  237. +#if !defined(OPENSSL_NO_EC)
  238. + if ((alg_k & SSL_kECDHE) && (alg_a & SSL_aECDSA)) {
  239. + if (s->s3->is_probably_safari)
  240. + safari_ec = 1;
  241. + }
  242. +#endif
  243. }
  244. ii = sk_SSL_CIPHER_find(allow, c);
  245. if (ii >= 0) {
  246. @@ -4303,14 +4291,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
  247. if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED,
  248. c->strength_bits, 0, (void *)c))
  249. continue;
  250. -#if !defined(OPENSSL_NO_EC)
  251. - if ((alg_k & SSL_kECDHE) && (alg_a & SSL_aECDSA)
  252. - && s->s3->is_probably_safari) {
  253. - if (!ret)
  254. - ret = sk_SSL_CIPHER_value(allow, ii);
  255. - continue;
  256. - }
  257. -#endif
  258. +
  259. if (prefer_sha256) {
  260. const SSL_CIPHER *tmp = sk_SSL_CIPHER_value(allow, ii);
  261. @@ -4322,13 +4303,38 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
  262. ret = tmp;
  263. continue;
  264. }
  265. - ret = sk_SSL_CIPHER_value(allow, ii);
  266. +
  267. + if (in_group_flags != NULL && in_group_flags[i] == 1) {
  268. + /* This element of |prio| is in a group. Update
  269. + * the minimum index found so far and continue
  270. + * looking. */
  271. + if (group_min == -1 || group_min > ii)
  272. + group_min = ii;
  273. + } else {
  274. + if (group_min != -1 && group_min < ii)
  275. + ii = group_min;
  276. + if (safari_ec) {
  277. + if (!ret)
  278. + ret = sk_SSL_CIPHER_value(allow, ii);
  279. + continue;
  280. + }
  281. + ret = sk_SSL_CIPHER_value(allow, ii);
  282. + break;
  283. + }
  284. + }
  285. +
  286. + if (in_group_flags != NULL && !in_group_flags[i] && group_min != -1) {
  287. + /* We are about to leave a group, but we found a match
  288. + * in it, so that's our answer. */
  289. + if (safari_ec) {
  290. + if (!ret)
  291. + ret = sk_SSL_CIPHER_value(allow, group_min);
  292. + continue;
  293. + }
  294. + ret = sk_SSL_CIPHER_value(allow, group_min);
  295. break;
  296. }
  297. }
  298. -#ifndef OPENSSL_NO_CHACHA
  299. - sk_SSL_CIPHER_free(prio_chacha);
  300. -#endif
  301. return ret;
  302. }
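Review bot: The "about to leave a group" test at the bottom of the loop is skipped on every `continue` path above it. Those paths are the `if (!ok) continue;`, the `ssl_security()` rejection, and the `prefer_sha256` branch. When the last member of a group takes one of them, `group_min` stays set and the next ungrouped suite reaches the `else` branch. There `ii` is replaced only if `group_min < ii`, so a lower-priority suite outside the group can win over the match already found inside it. `group_min` is also never reset to -1 after the `safari_ec` `continue`, so a stale index can leak into later iterations. I would restructure so rejected suites fall through to the group-exit test (for example by gating the match block on `ok && ii >= 0`) and reset `group_min` whenever a group is closed.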
  303. diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
  304. index 044dd3af92..f9dbd0b2ad 100644
  305. --- a/ssl/ssl_ciph.c
  306. +++ b/ssl/ssl_ciph.c
  307. @@ -192,6 +192,7 @@ typedef struct cipher_order_st {
  308. const SSL_CIPHER *cipher;
  309. int active;
  310. int dead;
  311. + int in_group;
  312. struct cipher_order_st *next, *prev;
  313. } CIPHER_ORDER;
  314. @@ -681,6 +682,7 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
  315. co_list[co_list_num].next = NULL;
  316. co_list[co_list_num].prev = NULL;
  317. co_list[co_list_num].active = 0;
  318. + co_list[co_list_num].in_group = 0;
  319. co_list_num++;
  320. }
  321. @@ -774,8 +776,8 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
  322. uint32_t alg_auth, uint32_t alg_enc,
  323. uint32_t alg_mac, int min_tls,
  324. uint32_t algo_strength, int rule,
  325. - int32_t strength_bits, CIPHER_ORDER **head_p,
  326. - CIPHER_ORDER **tail_p)
  327. + int32_t strength_bits, int in_group,
  328. + CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
  329. {
  330. CIPHER_ORDER *head, *tail, *curr, *next, *last;
  331. const SSL_CIPHER *cp;
  332. @@ -783,9 +785,9 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
  333. #ifdef CIPHER_DEBUG
  334. fprintf(stderr,
  335. - "Applying rule %d with %08x/%08x/%08x/%08x/%08x %08x (%d)\n",
  336. + "Applying rule %d with %08x/%08x/%08x/%08x/%08x %08x (%d) g:%d\n",
  337. rule, alg_mkey, alg_auth, alg_enc, alg_mac, min_tls,
  338. - algo_strength, strength_bits);
  339. + algo_strength, strength_bits, in_group);
  340. #endif
  341. if (rule == CIPHER_DEL || rule == CIPHER_BUMP)
  342. @@ -862,6 +864,7 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
  343. if (!curr->active) {
  344. ll_append_tail(&head, curr, &tail);
  345. curr->active = 1;
  346. + curr->in_group = in_group;
  347. }
  348. }
  349. /* Move the added cipher to this location */
  350. @@ -869,6 +872,7 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
  351. /* reverse == 0 */
  352. if (curr->active) {
  353. ll_append_tail(&head, curr, &tail);
  354. + curr->in_group = 0;
  355. }
  356. } else if (rule == CIPHER_DEL) {
  357. /* reverse == 1 */
  358. @@ -880,6 +884,7 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
  359. */
  360. ll_append_head(&head, curr, &tail);
  361. curr->active = 0;
  362. + curr->in_group = 0;
  363. }
  364. } else if (rule == CIPHER_BUMP) {
  365. if (curr->active)
  366. @@ -947,8 +952,8 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
  367. */
  368. for (i = max_strength_bits; i >= 0; i--)
  369. if (number_uses[i] > 0)
  370. - ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ORD, i, head_p,
  371. - tail_p);
  372. + ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ORD, i, 0,
  373. + head_p, tail_p);
  374. OPENSSL_free(number_uses);
  375. return 1;
  376. @@ -962,7 +967,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
  377. uint32_t alg_mkey, alg_auth, alg_enc, alg_mac, algo_strength;
  378. int min_tls;
  379. const char *l, *buf;
  380. - int j, multi, found, rule, retval, ok, buflen;
  381. + int j, multi, found, rule, retval, ok, buflen, in_group = 0, has_group = 0;
  382. uint32_t cipher_id = 0;
  383. char ch;
  384. @@ -973,18 +978,66 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
  385. if (ch == '\0')
  386. break; /* done */
  387. - if (ch == '-') {
  388. + if (in_group) {
  389. + if (ch == ']') {
  390. + if (!in_group) {
  391. + SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
  392. + SSL_R_UNEXPECTED_GROUP_CLOSE);
  393. + retval = found = in_group = 0;
  394. + break;
  395. + }
  396. + if (*tail_p)
  397. + (*tail_p)->in_group = 0;
  398. + in_group = 0;
  399. + l++;
  400. + continue;
  401. + }
  402. + if (ch == '|') {
  403. + rule = CIPHER_ADD;
  404. + l++;
  405. + continue;
  406. + } else if (!(ch >= 'a' && ch <= 'z')
  407. + && !(ch >= 'A' && ch <= 'Z')
  408. + && !(ch >= '0' && ch <= '9')) {
  409. + SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
  410. + SSL_R_UNEXPECTED_OPERATOR_IN_GROUP);
  411. + retval = found = in_group = 0;
  412. + break;
  413. + } else {
  414. + rule = CIPHER_ADD;
  415. + }
  416. + } else if (ch == '-') {
  417. rule = CIPHER_DEL;
  418. l++;
  419. } else if (ch == '+') {
  420. rule = CIPHER_ORD;
  421. l++;
  422. + } else if (ch == '!' && has_group) {
  423. + SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
  424. + SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS);
  425. + retval = found = in_group = 0;
  426. + break;
  427. } else if (ch == '!') {
  428. rule = CIPHER_KILL;
  429. l++;
  430. + } else if (ch == '@' && has_group) {
  431. + SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
  432. + SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS);
  433. + retval = found = in_group = 0;
  434. + break;
  435. } else if (ch == '@') {
  436. rule = CIPHER_SPECIAL;
  437. l++;
  438. + } else if (ch == '[') {
  439. + if (in_group) {
  440. + SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_NESTED_GROUP);
  441. + retval = found = in_group = 0;
  442. + break;
  443. + }
  444. + in_group = 1;
  445. + has_group = 1;
  446. + l++;
  447. + continue;
  448. } else {
  449. rule = CIPHER_ADD;
  450. }
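Review bot: The parser rejects `!` and `@` once `has_group` is set but still accepts `-` and `+`, although the new man page text says directives after a group must be opcode-less. `CIPHER_DEL` and `CIPHER_ORD` clear `in_group` only on the entry they move, so removing or reordering the last member of a group leaves its predecessor flagged and the group then absorbs whatever suite follows. Please extend the `has_group` rejection to the `-` and `+` branches, or correct the documentation. Two checks in this hunk are also unreachable. `if (!in_group)` sits inside `if (in_group)`, so a stray `]` outside a group never raises `SSL_R_UNEXPECTED_GROUP_CLOSE`. `if (in_group)` under `ch == '['` can never be true, so `SSL_R_NESTED_GROUP` is never reported and a nested `[` surfaces as `SSL_R_UNEXPECTED_OPERATOR_IN_GROUP`.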
  451. @@ -1026,7 +1079,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
  452. * alphanumeric, so we call this an error.
  453. */
  454. SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_INVALID_COMMAND);
  455. - retval = found = 0;
  456. + retval = found = in_group = 0;
  457. l++;
  458. break;
  459. }
  460. @@ -1205,8 +1258,8 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
  461. } else if (found) {
  462. ssl_cipher_apply_rule(cipher_id,
  463. alg_mkey, alg_auth, alg_enc, alg_mac,
  464. - min_tls, algo_strength, rule, -1, head_p,
  465. - tail_p);
  466. + min_tls, algo_strength, rule, -1, in_group,
  467. + head_p, tail_p);
  468. } else {
  469. while ((*l != '\0') && !ITEM_SEP(*l))
  470. l++;
  471. @@ -1215,6 +1268,11 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
  472. break; /* done */
  473. }
  474. + if (in_group) {
  475. + SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_INVALID_COMMAND);
  476. + retval = 0;
  477. + }
  478. +
  479. return retval;
  480. }
  481. @@ -1379,7 +1437,7 @@ int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str)
  482. if (ret && ctx->cipher_list != NULL) {
  483. /* We already have a cipher_list, so we need to update it */
  484. - return update_cipher_list(&ctx->cipher_list, &ctx->cipher_list_by_id,
  485. + return update_cipher_list(&ctx->cipher_list->ciphers, &ctx->cipher_list_by_id,
  486. ctx->tls13_ciphersuites);
  487. }
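Review bot: Passing `&ctx->cipher_list->ciphers` lets `update_cipher_list()` replace or resize the stack while `ctx->cipher_list->in_group_flags` keeps its old length and contents. `update_cipher_list()` is not shown here, but if it inserts the new TLS 1.3 suites at the front, the flags no longer line up with the suites. In that case `ssl3_choose_cipher()` would also read `in_group_flags[i]` past the end of the allocation whenever the stack has grown. The same applies to the `SSL_set_ciphersuites()` hunk that follows. The preference list should be rebuilt as a unit, stack and flags together, rather than patching only the stack.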
  488. @@ -1392,7 +1450,7 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
  489. if (ret && s->cipher_list != NULL) {
  490. /* We already have a cipher_list, so we need to update it */
  491. - return update_cipher_list(&s->cipher_list, &s->cipher_list_by_id,
  492. + return update_cipher_list(&s->cipher_list->ciphers, &s->cipher_list_by_id,
  493. s->tls13_ciphersuites);
  494. }
  495. @@ -1401,17 +1459,20 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
  496. STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  497. STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
  498. - STACK_OF(SSL_CIPHER) **cipher_list,
  499. + struct ssl_cipher_preference_list_st **cipher_list,
  500. STACK_OF(SSL_CIPHER) **cipher_list_by_id,
  501. const char *rule_str,
  502. CERT *c)
  503. {
  504. - int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases, i;
  505. + int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases, i, tls13_len;
  506. uint32_t disabled_mkey, disabled_auth, disabled_enc, disabled_mac;
  507. - STACK_OF(SSL_CIPHER) *cipherstack;
  508. + STACK_OF(SSL_CIPHER) *cipherstack = NULL;
  509. const char *rule_p;
  510. CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
  511. - const SSL_CIPHER **ca_list = NULL;
  512. + const SSL_CIPHER **ca_list = NULL, *tmp = NULL;
  513. + uint8_t *in_group_flags = NULL;
  514. + unsigned int num_in_group_flags = 0;
  515. + struct ssl_cipher_preference_list_st *pref_list = NULL;
  516. /*
  517. * Return with error if nothing to do.
  518. @@ -1460,16 +1521,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  519. * preference).
  520. */
  521. ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, 0, 0, 0, 0, CIPHER_ADD,
  522. - -1, &head, &tail);
  523. - ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head,
  524. - &tail);
  525. - ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head,
  526. - &tail);
  527. + -1, 0, &head, &tail);
  528. + ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_ADD, -1, 0,
  529. + &head, &tail);
  530. + ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, 0,
  531. + &head, &tail);
  532. /* Within each strength group, we prefer GCM over CHACHA... */
  533. - ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1,
  534. + ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1, 0,
  535. &head, &tail);
  536. - ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1,
  537. + ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1, 0,
  538. &head, &tail);
  539. /*
  540. @@ -1478,13 +1539,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  541. * strength.
  542. */
  543. ssl_cipher_apply_rule(0, 0, 0, SSL_AES ^ SSL_AESGCM, 0, 0, 0, CIPHER_ADD,
  544. - -1, &head, &tail);
  545. + -1, 0, &head, &tail);
  546. /* Temporarily enable everything else for sorting */
  547. - ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
  548. + ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, 0, &head, &tail);
  549. /* Low priority for MD5 */
  550. - ssl_cipher_apply_rule(0, 0, 0, 0, SSL_MD5, 0, 0, CIPHER_ORD, -1, &head,
  551. + ssl_cipher_apply_rule(0, 0, 0, 0, SSL_MD5, 0, 0, CIPHER_ORD, -1, 0, &head,
  552. &tail);
  553. /*
  554. @@ -1492,16 +1553,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  555. * disabled. (For applications that allow them, they aren't too bad, but
  556. * we prefer authenticated ciphers.)
  557. */
  558. - ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, &head,
  559. + ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, 0, &head,
  560. &tail);
  561. - ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head,
  562. + ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, 0, &head,
  563. &tail);
  564. - ssl_cipher_apply_rule(0, SSL_kPSK, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head,
  565. + ssl_cipher_apply_rule(0, SSL_kPSK, 0, 0, 0, 0, 0, CIPHER_ORD, -1, 0, &head,
  566. &tail);
  567. /* RC4 is sort-of broken -- move to the end */
  568. - ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, &head,
  569. + ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, 0, &head,
  570. &tail);
  571. /*
  572. @@ -1517,7 +1578,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  573. * Partially overrule strength sort to prefer TLS 1.2 ciphers/PRFs.
  574. * TODO(openssl-team): is there an easier way to accomplish all this?
  575. */
  576. - ssl_cipher_apply_rule(0, 0, 0, 0, 0, TLS1_2_VERSION, 0, CIPHER_BUMP, -1,
  577. + ssl_cipher_apply_rule(0, 0, 0, 0, 0, TLS1_2_VERSION, 0, CIPHER_BUMP, -1, 0,
  578. &head, &tail);
  579. /*
  580. @@ -1533,15 +1594,15 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  581. * Because we now bump ciphers to the top of the list, we proceed in
  582. * reverse order of preference.
  583. */
  584. - ssl_cipher_apply_rule(0, 0, 0, 0, SSL_AEAD, 0, 0, CIPHER_BUMP, -1,
  585. + ssl_cipher_apply_rule(0, 0, 0, 0, SSL_AEAD, 0, 0, CIPHER_BUMP, -1, 0,
  586. &head, &tail);
  587. ssl_cipher_apply_rule(0, SSL_kDHE | SSL_kECDHE, 0, 0, 0, 0, 0,
  588. - CIPHER_BUMP, -1, &head, &tail);
  589. + CIPHER_BUMP, -1, 0, &head, &tail);
  590. ssl_cipher_apply_rule(0, SSL_kDHE | SSL_kECDHE, 0, 0, SSL_AEAD, 0, 0,
  591. - CIPHER_BUMP, -1, &head, &tail);
  592. + CIPHER_BUMP, -1, 0, &head, &tail);
  593. /* Now disable everything (maintaining the ordering!) */
  594. - ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);
  595. + ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, 0, &head, &tail);
  596. /*
  597. * We also need cipher aliases for selecting based on the rule_str.
  598. @@ -1555,9 +1616,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  599. num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
  600. ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
  601. if (ca_list == NULL) {
  602. - OPENSSL_free(co_list);
  603. SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
  604. - return NULL; /* Failure */
  605. + goto err; /* Failure */
  606. }
  607. ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
  608. disabled_mkey, disabled_auth, disabled_enc,
  609. @@ -1582,27 +1642,35 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  610. OPENSSL_free(ca_list); /* Not needed anymore */
  611. - if (!ok) { /* Rule processing failure */
  612. - OPENSSL_free(co_list);
  613. - return NULL;
  614. - }
  615. + if (!ok)
  616. + goto err; /* Rule processing failure */
  617. /*
  618. * Allocate new "cipherstack" for the result, return with error
  619. * if we cannot get one.
  620. */
  621. - if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
  622. - OPENSSL_free(co_list);
  623. - return NULL;
  624. - }
  625. + if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL)
  626. + goto err;
  627. +
  628. + in_group_flags = OPENSSL_malloc(num_of_ciphers);
  629. + if (!in_group_flags)
  630. + goto err;
  631. /* Add TLSv1.3 ciphers first - we always prefer those if possible */
  632. - for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
  633. + tls13_len = sk_SSL_CIPHER_num(tls13_ciphersuites);
  634. + for (i = 0; i < tls13_len; i++) {
  635. + tmp = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
  636. if (!sk_SSL_CIPHER_push(cipherstack,
  637. - sk_SSL_CIPHER_value(tls13_ciphersuites, i))) {
  638. - sk_SSL_CIPHER_free(cipherstack);
  639. - return NULL;
  640. + tmp))
  641. + goto err;
  642. + /* Temporary - AES128, CHACHA20 priority adjustment of TLS 1.3. */
  643. + if (tmp->algorithm_enc == SSL_AES128GCM &&
  644. + tls13_len > (i + 1)) {
  645. + tmp = sk_SSL_CIPHER_value(tls13_ciphersuites, i + 1);
  646. + in_group_flags[num_in_group_flags++] = (tmp->algorithm_enc == SSL_CHACHA20POLY1305) ? 1 : 0;
  647. }
  648. + else
  649. + in_group_flags[num_in_group_flags++] = 0;
  650. }
  651. /*
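Review bot: `in_group_flags` is allocated with `num_of_ciphers` bytes but receives one byte per TLS 1.3 suite here plus one per active entry in the loop that follows, and no bound is checked on `num_in_group_flags`. How `num_of_ciphers` is computed is outside the hunk. If it counts only the method's own cipher table and not the entries of `tls13_ciphersuites`, a permissive rule string can write past the buffer. Compute `tls13_len` before the allocation and size it as `OPENSSL_malloc(num_of_ciphers + (tls13_len > 0 ? tls13_len : 0))`. The adjacent-pair grouping marked "Temporary" also overrides whatever order the application configured for TLS 1.3, and should be documented in the man page.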
  652. @@ -1611,26 +1679,50 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  653. */
  654. for (curr = head; curr != NULL; curr = curr->next) {
  655. if (curr->active) {
  656. - if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
  657. - OPENSSL_free(co_list);
  658. - sk_SSL_CIPHER_free(cipherstack);
  659. - return NULL;
  660. - }
  661. + if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher))
  662. + goto err;
  663. + in_group_flags[num_in_group_flags++] = curr->in_group;
  664. #ifdef CIPHER_DEBUG
  665. fprintf(stderr, "<%s>\n", curr->cipher->name);
  666. #endif
  667. }
  668. }
  669. - OPENSSL_free(co_list); /* Not needed any longer */
  670. - if (!update_cipher_list_by_id(cipher_list_by_id, cipherstack)) {
  671. - sk_SSL_CIPHER_free(cipherstack);
  672. - return NULL;
  673. - }
  674. - sk_SSL_CIPHER_free(*cipher_list);
  675. - *cipher_list = cipherstack;
  676. + OPENSSL_free(co_list); /* Not needed any longer */
  677. + co_list = NULL;
  678. +
  679. + if (!update_cipher_list_by_id(cipher_list_by_id, cipherstack))
  680. + goto err;
  681. +
  682. + pref_list = OPENSSL_malloc(sizeof(struct ssl_cipher_preference_list_st));
  683. + if (!pref_list)
  684. + goto err;
  685. + pref_list->ciphers = cipherstack;
  686. + pref_list->in_group_flags = OPENSSL_malloc(num_in_group_flags);
  687. + if (!pref_list->in_group_flags)
  688. + goto err;
  689. + memcpy(pref_list->in_group_flags, in_group_flags, num_in_group_flags);
  690. + OPENSSL_free(in_group_flags);
  691. + in_group_flags = NULL;
  692. + if (*cipher_list != NULL)
  693. + ssl_cipher_preference_list_free(*cipher_list);
  694. + *cipher_list = pref_list;
  695. + pref_list = NULL;
  696. return cipherstack;
  697. +
  698. +err:
  699. + if (co_list)
  700. + OPENSSL_free(co_list);
  701. + if (in_group_flags)
  702. + OPENSSL_free(in_group_flags);
  703. + if (cipherstack)
  704. + sk_SSL_CIPHER_free(cipherstack);
  705. + if (pref_list && pref_list->in_group_flags)
  706. + OPENSSL_free(pref_list->in_group_flags);
  707. + if (pref_list)
  708. + OPENSSL_free(pref_list);
  709. + return NULL;
  710. }
  711. char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
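Review bot: The `pref_list` and `pref_list->in_group_flags` allocations sit after `update_cipher_list_by_id()`, so a failure there takes `goto err` after `*cipher_list_by_id` has presumably already been replaced, while `*cipher_list` still holds the old list. Allocating `pref_list` before that call keeps the two outputs consistent on the error path. The second allocation and the `memcpy` can be dropped by handing over the existing buffer: `pref_list->in_group_flags = in_group_flags; in_group_flags = NULL;`. That also avoids `OPENSSL_malloc(num_in_group_flags)` being called with 0 when no cipher is active, which returns NULL in this OpenSSL line and would be reported as an allocation failure. The function begins outside this hunk, so the size of the original `in_group_flags` buffer should be checked against the number of `num_in_group_flags++` writes.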
  712. diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
  713. index 4b12ed1485..cd1a95d1d2 100644
  714. --- a/ssl/ssl_err.c
  715. +++ b/ssl/ssl_err.c
  716. @@ -965,6 +965,9 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
  717. {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_TMP_DH_KEY), "missing tmp dh key"},
  718. {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_TMP_ECDH_KEY),
  719. "missing tmp ecdh key"},
  720. + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS),
  721. + "mixed special operator with groups"},
  722. + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NESTED_GROUP), "nested group"},
  723. {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA),
  724. "mixed handshake and non handshake data"},
  725. {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NOT_ON_RECORD_BOUNDARY),
  726. @@ -1201,11 +1204,14 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
  727. "unable to load ssl3 md5 routines"},
  728. {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES),
  729. "unable to load ssl3 sha1 routines"},
  730. + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_GROUP_CLOSE), "unexpected group close"},
  731. {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_CCS_MESSAGE),
  732. "unexpected ccs message"},
  733. {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_END_OF_EARLY_DATA),
  734. "unexpected end of early data"},
  735. {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_MESSAGE), "unexpected message"},
  736. + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_OPERATOR_IN_GROUP),
  737. + "unexpected operator in group"},
  738. {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_RECORD), "unexpected record"},
  739. {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},
  740. {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_ALERT_TYPE), "unknown alert type"},
  741. diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
  742. index 5bd2fcf5d5..91623b5612 100644
  743. --- a/ssl/ssl_lib.c
  744. +++ b/ssl/ssl_lib.c
  745. @@ -1117,6 +1117,71 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
  746. return X509_VERIFY_PARAM_set1(ssl->param, vpm);
  747. }
  748. +void ssl_cipher_preference_list_free(struct ssl_cipher_preference_list_st
  749. + *cipher_list)
  750. +{
  751. + sk_SSL_CIPHER_free(cipher_list->ciphers);
  752. + OPENSSL_free(cipher_list->in_group_flags);
  753. + OPENSSL_free(cipher_list);
  754. +}
  755. +
  756. +struct ssl_cipher_preference_list_st*
  757. +ssl_cipher_preference_list_dup(struct ssl_cipher_preference_list_st
  758. + *cipher_list)
  759. +{
  760. + struct ssl_cipher_preference_list_st* ret = NULL;
  761. + size_t n = sk_SSL_CIPHER_num(cipher_list->ciphers);
  762. +
  763. + ret = OPENSSL_malloc(sizeof(struct ssl_cipher_preference_list_st));
  764. + if (!ret)
  765. + goto err;
  766. + ret->ciphers = NULL;
  767. + ret->in_group_flags = NULL;
  768. + ret->ciphers = sk_SSL_CIPHER_dup(cipher_list->ciphers);
  769. + if (!ret->ciphers)
  770. + goto err;
  771. + ret->in_group_flags = OPENSSL_malloc(n);
  772. + if (!ret->in_group_flags)
  773. + goto err;
  774. + memcpy(ret->in_group_flags, cipher_list->in_group_flags, n);
  775. + return ret;
  776. +
  777. +err:
  778. + if (ret->ciphers)
  779. + sk_SSL_CIPHER_free(ret->ciphers);
  780. + if (ret)
  781. + OPENSSL_free(ret);
  782. + return NULL;
  783. +}
  784. +
  785. +struct ssl_cipher_preference_list_st*
  786. +ssl_cipher_preference_list_from_ciphers(STACK_OF(SSL_CIPHER) *ciphers)
  787. +{
  788. + struct ssl_cipher_preference_list_st* ret = NULL;
  789. + size_t n = sk_SSL_CIPHER_num(ciphers);
  790. +
  791. + ret = OPENSSL_malloc(sizeof(struct ssl_cipher_preference_list_st));
  792. + if (!ret)
  793. + goto err;
  794. + ret->ciphers = NULL;
  795. + ret->in_group_flags = NULL;
  796. + ret->ciphers = sk_SSL_CIPHER_dup(ciphers);
  797. + if (!ret->ciphers)
  798. + goto err;
  799. + ret->in_group_flags = OPENSSL_malloc(n);
  800. + if (!ret->in_group_flags)
  801. + goto err;
  802. + memset(ret->in_group_flags, 0, n);
  803. + return ret;
  804. +
  805. +err:
  806. + if (ret->ciphers)
  807. + sk_SSL_CIPHER_free(ret->ciphers);
  808. + if (ret)
  809. + OPENSSL_free(ret);
  810. + return NULL;
  811. +}
  812. +
  813. X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx)
  814. {
  815. return ctx->param;
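Review bot: The `err:` label in `ssl_cipher_preference_list_dup` evaluates `ret->ciphers` before it tests `ret`, so a failed first `OPENSSL_malloc` leads straight into a NULL dereference; `ssl_cipher_preference_list_from_ciphers` has the identical cleanup. The cleanup should read `if (ret != NULL) sk_SSL_CIPHER_free(ret->ciphers);` followed by `OPENSSL_free(ret);`. In both functions `size_t n = sk_SSL_CIPHER_num(...)` stores an `int` that is -1 for a NULL stack, which becomes a huge allocation size and `memcpy`/`memset` length, so a `ciphers == NULL` check belongs before it. An empty stack gives `n == 0`, and `OPENSSL_malloc(0)` returns NULL in this OpenSSL line, so an empty list cannot be duplicated and is reported as out of memory.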
  816. @@ -1157,7 +1222,8 @@ void SSL_free(SSL *s)
  817. BUF_MEM_free(s->init_buf);
  818. /* add extra stuff */
  819. - sk_SSL_CIPHER_free(s->cipher_list);
  820. + if (s->cipher_list != NULL)
  821. + ssl_cipher_preference_list_free(s->cipher_list);
  822. sk_SSL_CIPHER_free(s->cipher_list_by_id);
  823. sk_SSL_CIPHER_free(s->tls13_ciphersuites);
  824. @@ -2427,9 +2493,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
  825. {
  826. if (s != NULL) {
  827. if (s->cipher_list != NULL) {
  828. - return s->cipher_list;
  829. + return (s->cipher_list->ciphers);
  830. } else if ((s->ctx != NULL) && (s->ctx->cipher_list != NULL)) {
  831. - return s->ctx->cipher_list;
  832. + return (s->ctx->cipher_list->ciphers);
  833. }
  834. }
  835. return NULL;
  836. @@ -2503,8 +2569,8 @@ const char *SSL_get_cipher_list(const SSL *s, int n)
  837. * preference */
  838. STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx)
  839. {
  840. - if (ctx != NULL)
  841. - return ctx->cipher_list;
  842. + if (ctx != NULL && ctx->cipher_list != NULL)
  843. + return ctx->cipher_list->ciphers;
  844. return NULL;
  845. }
  846. @@ -2955,7 +3021,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
  847. ret->tls13_ciphersuites,
  848. &ret->cipher_list, &ret->cipher_list_by_id,
  849. SSL_DEFAULT_CIPHER_LIST, ret->cert)
  850. - || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
  851. + || sk_SSL_CIPHER_num(ret->cipher_list->ciphers) <= 0) {
  852. SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
  853. goto err2;
  854. }
  855. @@ -3131,7 +3197,7 @@ void SSL_CTX_free(SSL_CTX *a)
  856. #ifndef OPENSSL_NO_CT
  857. CTLOG_STORE_free(a->ctlog_store);
  858. #endif
  859. - sk_SSL_CIPHER_free(a->cipher_list);
  860. + ssl_cipher_preference_list_free(a->cipher_list);
  861. sk_SSL_CIPHER_free(a->cipher_list_by_id);
  862. sk_SSL_CIPHER_free(a->tls13_ciphersuites);
  863. ssl_cert_free(a->cert);
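Review bot: `ssl_cipher_preference_list_free(a->cipher_list)` is called here without a NULL check, but the helper added in this patch dereferences its argument unconditionally, whereas the `sk_SSL_CIPHER_free` call it replaces tolerated NULL. If `SSL_CTX_free` can run with `cipher_list` still unset, as the `goto err2` in the SSL_CTX_new hunk suggests it may, this turns a handled failure into a crash. The same unguarded call appears in the statem_srvr.c hunk at `@@ -1940,8 +1940,9`, where the result of `ssl_cipher_preference_list_from_ciphers` is also stored in `s->cipher_list` unchecked. Making the helper NULL-tolerant with `if (cipher_list == NULL) return;` as its first statement covers every caller and matches the guard the SSL_free hunk already adds.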
  864. @@ -3809,13 +3875,15 @@ SSL *SSL_dup(SSL *s)
  865. /* dup the cipher_list and cipher_list_by_id stacks */
  866. if (s->cipher_list != NULL) {
  867. - if ((ret->cipher_list = sk_SSL_CIPHER_dup(s->cipher_list)) == NULL)
  868. + ret->cipher_list = ssl_cipher_preference_list_dup(s->cipher_list);
  869. + if (ret->cipher_list == NULL)
  870. goto err;
  871. }
  872. - if (s->cipher_list_by_id != NULL)
  873. - if ((ret->cipher_list_by_id = sk_SSL_CIPHER_dup(s->cipher_list_by_id))
  874. - == NULL)
  875. + if (s->cipher_list_by_id != NULL) {
  876. + ret->cipher_list_by_id = sk_SSL_CIPHER_dup(s->cipher_list_by_id);
  877. + if (ret->cipher_list_by_id == NULL)
  878. goto err;
  879. + }
  880. /* Dup the client_CA list */
  881. if (!dup_ca_names(&ret->ca_names, s->ca_names)
  882. diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
  883. index 6559012f30..1e0cddfa7b 100644
  884. --- a/ssl/ssl_locl.h
  885. +++ b/ssl/ssl_locl.h
  886. @@ -741,9 +741,46 @@ typedef struct ssl_ctx_ext_secure_st {
  887. unsigned char tick_aes_key[TLSEXT_TICK_KEY_LENGTH];
  888. } SSL_CTX_EXT_SECURE;
  889. +/* ssl_cipher_preference_list_st contains a list of SSL_CIPHERs with
  890. + * equal-preference groups. For TLS clients, the groups are moot because the
  891. + * server picks the cipher and groups cannot be expressed on the wire. However,
  892. + * for servers, the equal-preference groups allow the client's preferences to
  893. + * be partially respected. (This only has an effect with
  894. + * SSL_OP_CIPHER_SERVER_PREFERENCE).
  895. + *
  896. + * The equal-preference groups are expressed by grouping SSL_CIPHERs together.
  897. + * All elements of a group have the same priority: no ordering is expressed
  898. + * within a group.
  899. + *
  900. + * The values in |ciphers| are in one-to-one correspondence with
  901. + * |in_group_flags|. (That is, sk_SSL_CIPHER_num(ciphers) is the number of
  902. + * bytes in |in_group_flags|.) The bytes in |in_group_flags| are either 1, to
  903. + * indicate that the corresponding SSL_CIPHER is not the last element of a
  904. + * group, or 0 to indicate that it is.
  905. + *
  906. + * For example, if |in_group_flags| contains all zeros then that indicates a
  907. + * traditional, fully-ordered preference. Every SSL_CIPHER is the last element
  908. + * of the group (i.e. they are all in a one-element group).
  909. + *
  910. + * For a more complex example, consider:
  911. + * ciphers: A B C D E F
  912. + * in_group_flags: 1 1 0 0 1 0
  913. + *
  914. + * That would express the following, order:
  915. + *
  916. + * A E
  917. + * B -> D -> F
  918. + * C
  919. + */
  920. +struct ssl_cipher_preference_list_st {
  921. + STACK_OF(SSL_CIPHER) *ciphers;
  922. + uint8_t *in_group_flags;
  923. +};
  924. +
  925. +
  926. struct ssl_ctx_st {
  927. const SSL_METHOD *method;
  928. - STACK_OF(SSL_CIPHER) *cipher_list;
  929. + struct ssl_cipher_preference_list_st *cipher_list;
  930. /* same as above but sorted for lookup */
  931. STACK_OF(SSL_CIPHER) *cipher_list_by_id;
  932. /* TLSv1.3 specific ciphersuites */
  933. @@ -1138,7 +1175,7 @@ struct ssl_st {
  934. /* Per connection DANE state */
  935. SSL_DANE dane;
  936. /* crypto */
  937. - STACK_OF(SSL_CIPHER) *cipher_list;
  938. + struct ssl_cipher_preference_list_st *cipher_list;
  939. STACK_OF(SSL_CIPHER) *cipher_list_by_id;
  940. /* TLSv1.3 specific ciphersuites */
  941. STACK_OF(SSL_CIPHER) *tls13_ciphersuites;
  942. @@ -2263,7 +2300,7 @@ __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
  943. const SSL_CIPHER *const *bp);
  944. __owur STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  945. STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
  946. - STACK_OF(SSL_CIPHER) **cipher_list,
  947. + struct ssl_cipher_preference_list_st **cipher_list,
  948. STACK_OF(SSL_CIPHER) **cipher_list_by_id,
  949. const char *rule_str,
  950. CERT *c);
  951. @@ -2273,6 +2310,13 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
  952. STACK_OF(SSL_CIPHER) **scsvs, int sslv2format,
  953. int fatal);
  954. void ssl_update_cache(SSL *s, int mode);
  955. +struct ssl_cipher_preference_list_st* ssl_cipher_preference_list_dup(
  956. + struct ssl_cipher_preference_list_st *cipher_list);
  957. +void ssl_cipher_preference_list_free(
  958. + struct ssl_cipher_preference_list_st *cipher_list);
  959. +struct ssl_cipher_preference_list_st* ssl_cipher_preference_list_from_ciphers(
  960. + STACK_OF(SSL_CIPHER) *ciphers);
  961. +struct ssl_cipher_preference_list_st* ssl_get_cipher_preferences(SSL *s);
  962. __owur int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
  963. const EVP_MD **md, int *mac_pkey_type,
  964. size_t *mac_secret_size, SSL_COMP **comp,
  965. @@ -2356,7 +2400,7 @@ __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt,
  966. CERT_PKEY *cpk);
  967. __owur const SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,
  968. STACK_OF(SSL_CIPHER) *clnt,
  969. - STACK_OF(SSL_CIPHER) *srvr);
  970. + struct ssl_cipher_preference_list_st *srvr);
  971. __owur int ssl3_digest_cached_records(SSL *s, int keep);
  972. __owur int ssl3_new(SSL *s);
  973. void ssl3_free(SSL *s);
  974. diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
  975. index 0eab35c5c8..21f3dd707e 100644
  976. --- a/ssl/statem/statem_srvr.c
  977. +++ b/ssl/statem/statem_srvr.c
  978. @@ -1750,7 +1750,7 @@ static int tls_early_post_process_client_hello(SSL *s)
  979. /* For TLSv1.3 we must select the ciphersuite *before* session resumption */
  980. if (SSL_IS_TLS13(s)) {
  981. const SSL_CIPHER *cipher =
  982. - ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s));
  983. + ssl3_choose_cipher(s, ciphers, ssl_get_cipher_preferences(s));
  984. if (cipher == NULL) {
  985. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  986. @@ -1931,7 +1931,7 @@ static int tls_early_post_process_client_hello(SSL *s)
  987. /* check if some cipher was preferred by call back */
  988. if (pref_cipher == NULL)
  989. pref_cipher = ssl3_choose_cipher(s, s->session->ciphers,
  990. - SSL_get_ciphers(s));
  991. + ssl_get_cipher_preferences(s));
  992. if (pref_cipher == NULL) {
  993. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  994. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  995. @@ -1940,8 +1940,9 @@ static int tls_early_post_process_client_hello(SSL *s)
  996. }
  997. s->session->cipher = pref_cipher;
  998. - sk_SSL_CIPHER_free(s->cipher_list);
  999. - s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
  1000. + ssl_cipher_preference_list_free(s->cipher_list);
  1001. + s->cipher_list = ssl_cipher_preference_list_from_ciphers(
  1002. + s->session->ciphers);
  1003. sk_SSL_CIPHER_free(s->cipher_list_by_id);
  1004. s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
  1005. }
  1006. @@ -2255,7 +2256,7 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
  1007. /* In TLSv1.3 we selected the ciphersuite before resumption */
  1008. if (!SSL_IS_TLS13(s)) {
  1009. cipher =
  1010. - ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
  1011. + ssl3_choose_cipher(s, s->session->ciphers, ssl_get_cipher_preferences(s));
  1012. if (cipher == NULL) {
  1013. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,