
openssl-equal-1.1.1b_ciphers.patch 44KB

  1. diff --git a/doc/man1/ciphers.pod b/doc/man1/ciphers.pod
  2. index faf9e53814..428df515f1 100644
  3. --- a/doc/man1/ciphers.pod
  4. +++ b/doc/man1/ciphers.pod
  5. @@ -400,6 +400,21 @@ permissible.
  6. =back
  7. +=head1 EQUAL PREFERENCE GROUPS
  8. +
  9. +If configuring a server, one may also configure equal-preference groups to
  10. +partially respect the client's preferences when
  11. +B<SSL_OP_CIPHER_SERVER_PREFERENCE> is enabled. Ciphers in an equal-preference
  12. +group have equal priority and use the client order. This may be used to
  13. +enforce that AEADs are preferred but select AES-GCM vs. ChaCha20-Poly1305
  14. +based on client preferences. An equal-preference is specified with square
  15. +brackets, combining multiple selectors separated by |. For example:
  16. +
  17. + [ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]
  18. +
  19. + Once an equal-preference group is used, future directives must be
  20. + opcode-less.
  21. +
  22. =head1 CIPHER SUITE NAMES
  23. The following lists give the SSL or TLS cipher suites names from the
  24. diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h
  25. index a50a075b42..e9abb98d4f 100644
  26. --- a/include/openssl/sslerr.h
  27. +++ b/include/openssl/sslerr.h
  28. @@ -596,6 +596,8 @@ int ERR_load_SSL_strings(void);
  29. # define SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION 209
  30. # define SSL_R_MISSING_TMP_DH_KEY 171
  31. # define SSL_R_MISSING_TMP_ECDH_KEY 311
  32. +# define SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS 101
  33. +# define SSL_R_NESTED_GROUP 108
  34. # define SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA 293
  35. # define SSL_R_NOT_ON_RECORD_BOUNDARY 182
  36. # define SSL_R_NOT_REPLACING_CERTIFICATE 289
  37. @@ -727,9 +729,11 @@ int ERR_load_SSL_strings(void);
  38. # define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 239
  39. # define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 242
  40. # define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 243
  41. +# define SSL_R_UNEXPECTED_GROUP_CLOSE 109
  42. # define SSL_R_UNEXPECTED_CCS_MESSAGE 262
  43. # define SSL_R_UNEXPECTED_END_OF_EARLY_DATA 178
  44. # define SSL_R_UNEXPECTED_MESSAGE 244
  45. +# define SSL_R_UNEXPECTED_OPERATOR_IN_GROUP 110
  46. # define SSL_R_UNEXPECTED_RECORD 245
  47. # define SSL_R_UNINITIALIZED 276
  48. # define SSL_R_UNKNOWN_ALERT_TYPE 246
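Review bot: The four new reason codes (101, 108, 109 and 110) are hand-assigned, and these two hunks do not show whether those values are already taken elsewhere in the SSL_R_ list; a duplicate would make two reasons resolve to the same error string. They are also inserted out of the header's alphabetical order: `SSL_R_NESTED_GROUP` sits between the `MISSING_` and `MIXED_` entries, and `SSL_R_UNEXPECTED_GROUP_CLOSE` comes before `SSL_R_UNEXPECTED_CCS_MESSAGE`. Checking the numbers against the full list and moving each define to its sorted position, with a short comment such as `/* equal-preference cipher groups */`, would keep the error tables consistent if they are regenerated later.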
  49. diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
  50. index 99ae48199c..6641c6cdee 100644
  51. --- a/ssl/s3_lib.c
  52. +++ b/ssl/s3_lib.c
  53. @@ -31,7 +31,25 @@ const unsigned char tls12downgrade[] = {
  54. };
  55. /* The list of available TLSv1.3 ciphers */
  56. +/* Since nginx can not set the TLS 1.3 cipher, remove it temporarily. */
  57. static SSL_CIPHER tls13_ciphers[] = {
  58. + {
  59. + 0,
  60. + }
  61. +};
  62. +
  63. +/*
  64. + * The list of available ciphers, mostly organized into the following
  65. + * groups:
  66. + * Always there
  67. + * EC
  68. + * PSK
  69. + * SRP (within that: RSA EC PSK)
  70. + * Cipher families: Chacha/poly, Camellia, Gost, IDEA, SEED
  71. + * Weak ciphers
  72. + */
  73. +static SSL_CIPHER ssl3_ciphers[] = {
  74. + /* TLSv1.3 ciphers */
  75. {
  76. 1,
  77. TLS1_3_RFC_AES_128_GCM_SHA256,
  78. @@ -111,20 +129,8 @@ static SSL_CIPHER tls13_ciphers[] = {
  79. SSL_HANDSHAKE_MAC_SHA256,
  80. 128,
  81. 128,
  82. - }
  83. -};
  84. -
  85. -/*
  86. - * The list of available ciphers, mostly organized into the following
  87. - * groups:
  88. - * Always there
  89. - * EC
  90. - * PSK
  91. - * SRP (within that: RSA EC PSK)
  92. - * Cipher families: Chacha/poly, Camellia, Gost, IDEA, SEED
  93. - * Weak ciphers
  94. - */
  95. -static SSL_CIPHER ssl3_ciphers[] = {
  96. + },
  97. + /* List of cipher below TLSv1.3 */
  98. {
  99. 1,
  100. SSL3_TXT_RSA_NULL_MD5,
  101. @@ -167,7 +173,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
  102. SSL_aRSA,
  103. SSL_3DES,
  104. SSL_SHA1,
  105. - SSL3_VERSION, TLS1_2_VERSION,
  106. + SSL3_VERSION, TLS1_VERSION,
  107. DTLS1_BAD_VER, DTLS1_2_VERSION,
  108. SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
  109. SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
  110. @@ -232,7 +238,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
  111. SSL_aRSA,
  112. SSL_AES128,
  113. SSL_SHA1,
  114. - SSL3_VERSION, TLS1_2_VERSION,
  115. + SSL3_VERSION, TLS1_VERSION,
  116. DTLS1_BAD_VER, DTLS1_2_VERSION,
  117. SSL_HIGH | SSL_FIPS,
  118. SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
  119. @@ -296,7 +302,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
  120. SSL_aRSA,
  121. SSL_AES256,
  122. SSL_SHA1,
  123. - SSL3_VERSION, TLS1_2_VERSION,
  124. + SSL3_VERSION, TLS1_VERSION,
  125. DTLS1_BAD_VER, DTLS1_2_VERSION,
  126. SSL_HIGH | SSL_FIPS,
  127. SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
  128. @@ -4124,6 +4130,17 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
  129. return 1;
  130. }
  131. +struct ssl_cipher_preference_list_st* ssl_get_cipher_preferences(SSL *s)
  132. +{
  133. + if (s->cipher_list != NULL)
  134. + return (s->cipher_list);
  135. +
  136. + if ((s->ctx != NULL) && (s->ctx->cipher_list != NULL))
  137. + return (s->ctx->cipher_list);
  138. +
  139. + return NULL;
  140. +}
  141. +
  142. /*
  143. * ssl3_choose_cipher - choose a cipher from those offered by the client
  144. * @s: SSL connection
  145. @@ -4133,16 +4150,24 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
  146. * Returns the selected cipher or NULL when no common ciphers.
  147. */
  148. const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
  149. - STACK_OF(SSL_CIPHER) *srvr)
  150. + struct ssl_cipher_preference_list_st
  151. + *server_pref)
  152. {
  153. const SSL_CIPHER *c, *ret = NULL;
  154. - STACK_OF(SSL_CIPHER) *prio, *allow;
  155. - int i, ii, ok, prefer_sha256 = 0;
  156. + STACK_OF(SSL_CIPHER) *srvr = server_pref->ciphers, *prio, *allow;
  157. + int i, ii, ok, prefer_sha256 = 0, safari_ec = 0;
  158. unsigned long alg_k = 0, alg_a = 0, mask_k = 0, mask_a = 0;
  159. const EVP_MD *mdsha256 = EVP_sha256();
  160. -#ifndef OPENSSL_NO_CHACHA
  161. - STACK_OF(SSL_CIPHER) *prio_chacha = NULL;
  162. -#endif
  163. +
  164. + /* in_group_flags will either be NULL, or will point to an array of
  165. + * bytes which indicate equal-preference groups in the |prio| stack.
  166. + * See the comment about |in_group_flags| in the
  167. + * |ssl_cipher_preference_list_st| struct. */
  168. + const uint8_t *in_group_flags;
  169. +
  170. + /* group_min contains the minimal index so far found in a group, or -1
  171. + * if no such value exists yet. */
  172. + int group_min = -1;
  173. /* Let's see which ciphers we can support */
  174. @@ -4169,54 +4194,13 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
  175. #endif
  176. /* SUITE-B takes precedence over server preference and ChaCha priortiy */
  177. - if (tls1_suiteb(s)) {
  178. + if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || tls1_suiteb(s)) {
  179. prio = srvr;
  180. + in_group_flags = server_pref->in_group_flags;
  181. allow = clnt;
  182. - } else if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
  183. - prio = srvr;
  184. - allow = clnt;
  185. -#ifndef OPENSSL_NO_CHACHA
  186. - /* If ChaCha20 is at the top of the client preference list,
  187. - and there are ChaCha20 ciphers in the server list, then
  188. - temporarily prioritize all ChaCha20 ciphers in the servers list. */
  189. - if (s->options & SSL_OP_PRIORITIZE_CHACHA && sk_SSL_CIPHER_num(clnt) > 0) {
  190. - c = sk_SSL_CIPHER_value(clnt, 0);
  191. - if (c->algorithm_enc == SSL_CHACHA20POLY1305) {
  192. - /* ChaCha20 is client preferred, check server... */
  193. - int num = sk_SSL_CIPHER_num(srvr);
  194. - int found = 0;
  195. - for (i = 0; i < num; i++) {
  196. - c = sk_SSL_CIPHER_value(srvr, i);
  197. - if (c->algorithm_enc == SSL_CHACHA20POLY1305) {
  198. - found = 1;
  199. - break;
  200. - }
  201. - }
  202. - if (found) {
  203. - prio_chacha = sk_SSL_CIPHER_new_reserve(NULL, num);
  204. - /* if reserve fails, then there's likely a memory issue */
  205. - if (prio_chacha != NULL) {
  206. - /* Put all ChaCha20 at the top, starting with the one we just found */
  207. - sk_SSL_CIPHER_push(prio_chacha, c);
  208. - for (i++; i < num; i++) {
  209. - c = sk_SSL_CIPHER_value(srvr, i);
  210. - if (c->algorithm_enc == SSL_CHACHA20POLY1305)
  211. - sk_SSL_CIPHER_push(prio_chacha, c);
  212. - }
  213. - /* Pull in the rest */
  214. - for (i = 0; i < num; i++) {
  215. - c = sk_SSL_CIPHER_value(srvr, i);
  216. - if (c->algorithm_enc != SSL_CHACHA20POLY1305)
  217. - sk_SSL_CIPHER_push(prio_chacha, c);
  218. - }
  219. - prio = prio_chacha;
  220. - }
  221. - }
  222. - }
  223. - }
  224. -# endif
  225. } else {
  226. prio = clnt;
  227. + in_group_flags = NULL;
  228. allow = srvr;
  229. }
  230. @@ -4247,14 +4231,16 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
  231. for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
  232. c = sk_SSL_CIPHER_value(prio, i);
  233. + ok = 1;
  234. +
  235. /* Skip ciphers not supported by the protocol version */
  236. if (!SSL_IS_DTLS(s) &&
  237. ((s->version < c->min_tls) || (s->version > c->max_tls)))
  238. - continue;
  239. + ok = 0;
  240. if (SSL_IS_DTLS(s) &&
  241. (DTLS_VERSION_LT(s->version, c->min_dtls) ||
  242. DTLS_VERSION_GT(s->version, c->max_dtls)))
  243. - continue;
  244. + ok = 0;
  245. /*
  246. * Since TLS 1.3 ciphersuites can be used with any auth or
  247. @@ -4276,10 +4262,10 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
  248. #ifndef OPENSSL_NO_PSK
  249. /* with PSK there must be server callback set */
  250. if ((alg_k & SSL_PSK) && s->psk_server_callback == NULL)
  251. - continue;
  252. + ok = 0;
  253. #endif /* OPENSSL_NO_PSK */
  254. - ok = (alg_k & mask_k) && (alg_a & mask_a);
  255. + ok = ok && (alg_k & mask_k) && (alg_a & mask_a);
  256. #ifdef CIPHER_DEBUG
  257. fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", ok, alg_k,
  258. alg_a, mask_k, mask_a, (void *)c, c->name);
  259. @@ -4296,6 +4282,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
  260. if (!ok)
  261. continue;
  262. +
  263. + safari_ec = 0;
  264. +#if !defined(OPENSSL_NO_EC)
  265. + if ((alg_k & SSL_kECDHE) && (alg_a & SSL_aECDSA)) {
  266. + if (s->s3->is_probably_safari)
  267. + safari_ec = 1;
  268. + }
  269. +#endif
  270. }
  271. ii = sk_SSL_CIPHER_find(allow, c);
  272. if (ii >= 0) {
  273. @@ -4303,14 +4297,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
  274. if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED,
  275. c->strength_bits, 0, (void *)c))
  276. continue;
  277. -#if !defined(OPENSSL_NO_EC)
  278. - if ((alg_k & SSL_kECDHE) && (alg_a & SSL_aECDSA)
  279. - && s->s3->is_probably_safari) {
  280. - if (!ret)
  281. - ret = sk_SSL_CIPHER_value(allow, ii);
  282. - continue;
  283. - }
  284. -#endif
  285. +
  286. if (prefer_sha256) {
  287. const SSL_CIPHER *tmp = sk_SSL_CIPHER_value(allow, ii);
  288. @@ -4322,13 +4309,38 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
  289. ret = tmp;
  290. continue;
  291. }
  292. - ret = sk_SSL_CIPHER_value(allow, ii);
  293. +
  294. + if (in_group_flags != NULL && in_group_flags[i] == 1) {
  295. + /* This element of |prio| is in a group. Update
  296. + * the minimum index found so far and continue
  297. + * looking. */
  298. + if (group_min == -1 || group_min > ii)
  299. + group_min = ii;
  300. + } else {
  301. + if (group_min != -1 && group_min < ii)
  302. + ii = group_min;
  303. + if (safari_ec) {
  304. + if (!ret)
  305. + ret = sk_SSL_CIPHER_value(allow, ii);
  306. + continue;
  307. + }
  308. + ret = sk_SSL_CIPHER_value(allow, ii);
  309. + break;
  310. + }
  311. + }
  312. +
  313. + if (in_group_flags != NULL && !in_group_flags[i] && group_min != -1) {
  314. + /* We are about to leave a group, but we found a match
  315. + * in it, so that's our answer. */
  316. + if (safari_ec) {
  317. + if (!ret)
  318. + ret = sk_SSL_CIPHER_value(allow, group_min);
  319. + continue;
  320. + }
  321. + ret = sk_SSL_CIPHER_value(allow, group_min);
  322. break;
  323. }
  324. }
  325. -#ifndef OPENSSL_NO_CHACHA
  326. - sk_SSL_CIPHER_free(prio_chacha);
  327. -#endif
  328. return ret;
  329. }
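Review bot: In ssl3_choose_cipher the two protocol-version checks now set `ok = 0` instead of `continue`, but the only visible test of `ok` is the `if (!ok) continue;` inside the block that closes just before `ii = sk_SSL_CIPHER_find(allow, c);`. That block opens outside the hunks; if it is the branch skipped for TLS 1.3, as the retained comment about TLS 1.3 ciphersuites suggests, a cipher whose min_tls/max_tls range excludes the negotiated version is no longer filtered on TLS 1.3 connections. This matters more now that the TLS 1.3 suites share `ssl3_ciphers` with the older ones. Adding `if (!ok) continue;` directly after the DTLS version check restores the filter on every path. Separately, the declarations read `server_pref->ciphers` without a NULL check although `ssl_get_cipher_preferences()` can return NULL; the callers are not visible here, so a guard or a documented precondition is worth adding.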
  330. diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
  331. index 044dd3af92..53e272e7b2 100644
  332. --- a/ssl/ssl_ciph.c
  333. +++ b/ssl/ssl_ciph.c
  334. @@ -192,6 +192,7 @@ typedef struct cipher_order_st {
  335. const SSL_CIPHER *cipher;
  336. int active;
  337. int dead;
  338. + int in_group;
  339. struct cipher_order_st *next, *prev;
  340. } CIPHER_ORDER;
  341. @@ -296,6 +297,7 @@ static const SSL_CIPHER cipher_aliases[] = {
  342. {0, SSL_TXT_TLSV1, NULL, 0, 0, 0, 0, 0, TLS1_VERSION},
  343. {0, "TLSv1.0", NULL, 0, 0, 0, 0, 0, TLS1_VERSION},
  344. {0, SSL_TXT_TLSV1_2, NULL, 0, 0, 0, 0, 0, TLS1_2_VERSION},
  345. + {0, "TLS13", NULL, 0, 0, 0, 0, 0, TLS1_3_VERSION},
  346. /* strength classes */
  347. {0, SSL_TXT_LOW, NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_LOW},
  348. @@ -681,6 +683,7 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
  349. co_list[co_list_num].next = NULL;
  350. co_list[co_list_num].prev = NULL;
  351. co_list[co_list_num].active = 0;
  352. + co_list[co_list_num].in_group = 0;
  353. co_list_num++;
  354. }
  355. @@ -774,8 +777,8 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
  356. uint32_t alg_auth, uint32_t alg_enc,
  357. uint32_t alg_mac, int min_tls,
  358. uint32_t algo_strength, int rule,
  359. - int32_t strength_bits, CIPHER_ORDER **head_p,
  360. - CIPHER_ORDER **tail_p)
  361. + int32_t strength_bits, int in_group,
  362. + CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
  363. {
  364. CIPHER_ORDER *head, *tail, *curr, *next, *last;
  365. const SSL_CIPHER *cp;
  366. @@ -783,9 +786,9 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
  367. #ifdef CIPHER_DEBUG
  368. fprintf(stderr,
  369. - "Applying rule %d with %08x/%08x/%08x/%08x/%08x %08x (%d)\n",
  370. + "Applying rule %d with %08x/%08x/%08x/%08x/%08x %08x (%d) g:%d\n",
  371. rule, alg_mkey, alg_auth, alg_enc, alg_mac, min_tls,
  372. - algo_strength, strength_bits);
  373. + algo_strength, strength_bits, in_group);
  374. #endif
  375. if (rule == CIPHER_DEL || rule == CIPHER_BUMP)
  376. @@ -862,6 +865,7 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
  377. if (!curr->active) {
  378. ll_append_tail(&head, curr, &tail);
  379. curr->active = 1;
  380. + curr->in_group = in_group;
  381. }
  382. }
  383. /* Move the added cipher to this location */
  384. @@ -869,6 +873,7 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
  385. /* reverse == 0 */
  386. if (curr->active) {
  387. ll_append_tail(&head, curr, &tail);
  388. + curr->in_group = 0;
  389. }
  390. } else if (rule == CIPHER_DEL) {
  391. /* reverse == 1 */
  392. @@ -880,6 +885,7 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
  393. */
  394. ll_append_head(&head, curr, &tail);
  395. curr->active = 0;
  396. + curr->in_group = 0;
  397. }
  398. } else if (rule == CIPHER_BUMP) {
  399. if (curr->active)
  400. @@ -947,8 +953,8 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
  401. */
  402. for (i = max_strength_bits; i >= 0; i--)
  403. if (number_uses[i] > 0)
  404. - ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ORD, i, head_p,
  405. - tail_p);
  406. + ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ORD, i, 0,
  407. + head_p, tail_p);
  408. OPENSSL_free(number_uses);
  409. return 1;
  410. @@ -962,7 +968,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
  411. uint32_t alg_mkey, alg_auth, alg_enc, alg_mac, algo_strength;
  412. int min_tls;
  413. const char *l, *buf;
  414. - int j, multi, found, rule, retval, ok, buflen;
  415. + int j, multi, found, rule, retval, ok, buflen, in_group = 0, has_group = 0;
  416. uint32_t cipher_id = 0;
  417. char ch;
  418. @@ -973,18 +979,66 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
  419. if (ch == '\0')
  420. break; /* done */
  421. - if (ch == '-') {
  422. + if (in_group) {
  423. + if (ch == ']') {
  424. + if (!in_group) {
  425. + SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
  426. + SSL_R_UNEXPECTED_GROUP_CLOSE);
  427. + retval = found = in_group = 0;
  428. + break;
  429. + }
  430. + if (*tail_p)
  431. + (*tail_p)->in_group = 0;
  432. + in_group = 0;
  433. + l++;
  434. + continue;
  435. + }
  436. + if (ch == '|') {
  437. + rule = CIPHER_ADD;
  438. + l++;
  439. + continue;
  440. + } else if (!(ch >= 'a' && ch <= 'z')
  441. + && !(ch >= 'A' && ch <= 'Z')
  442. + && !(ch >= '0' && ch <= '9')) {
  443. + SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
  444. + SSL_R_UNEXPECTED_OPERATOR_IN_GROUP);
  445. + retval = found = in_group = 0;
  446. + break;
  447. + } else {
  448. + rule = CIPHER_ADD;
  449. + }
  450. + } else if (ch == '-') {
  451. rule = CIPHER_DEL;
  452. l++;
  453. } else if (ch == '+') {
  454. rule = CIPHER_ORD;
  455. l++;
  456. + } else if (ch == '!' && has_group) {
  457. + SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
  458. + SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS);
  459. + retval = found = in_group = 0;
  460. + break;
  461. } else if (ch == '!') {
  462. rule = CIPHER_KILL;
  463. l++;
  464. + } else if (ch == '@' && has_group) {
  465. + SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
  466. + SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS);
  467. + retval = found = in_group = 0;
  468. + break;
  469. } else if (ch == '@') {
  470. rule = CIPHER_SPECIAL;
  471. l++;
  472. + } else if (ch == '[') {
  473. + if (in_group) {
  474. + SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_NESTED_GROUP);
  475. + retval = found = in_group = 0;
  476. + break;
  477. + }
  478. + in_group = 1;
  479. + has_group = 1;
  480. + l++;
  481. + continue;
  482. } else {
  483. rule = CIPHER_ADD;
  484. }
  485. @@ -1009,7 +1063,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
  486. while (((ch >= 'A') && (ch <= 'Z')) ||
  487. ((ch >= '0') && (ch <= '9')) ||
  488. ((ch >= 'a') && (ch <= 'z')) ||
  489. - (ch == '-') || (ch == '.') || (ch == '='))
  490. + (ch == '-') || (ch == '.') || (ch == '=') || (ch == '_'))
  491. #else
  492. while (isalnum((unsigned char)ch) || (ch == '-') || (ch == '.')
  493. || (ch == '='))
  494. @@ -1026,7 +1080,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
  495. * alphanumeric, so we call this an error.
  496. */
  497. SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_INVALID_COMMAND);
  498. - retval = found = 0;
  499. + retval = found = in_group = 0;
  500. l++;
  501. break;
  502. }
  503. @@ -1205,8 +1259,8 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
  504. } else if (found) {
  505. ssl_cipher_apply_rule(cipher_id,
  506. alg_mkey, alg_auth, alg_enc, alg_mac,
  507. - min_tls, algo_strength, rule, -1, head_p,
  508. - tail_p);
  509. + min_tls, algo_strength, rule, -1, in_group,
  510. + head_p, tail_p);
  511. } else {
  512. while ((*l != '\0') && !ITEM_SEP(*l))
  513. l++;
  514. @@ -1215,6 +1269,11 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
  515. break; /* done */
  516. }
  517. + if (in_group) {
  518. + SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_INVALID_COMMAND);
  519. + retval = 0;
  520. + }
  521. +
  522. return retval;
  523. }
  524. @@ -1379,7 +1438,7 @@ int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str)
  525. if (ret && ctx->cipher_list != NULL) {
  526. /* We already have a cipher_list, so we need to update it */
  527. - return update_cipher_list(&ctx->cipher_list, &ctx->cipher_list_by_id,
  528. + return update_cipher_list(&ctx->cipher_list->ciphers, &ctx->cipher_list_by_id,
  529. ctx->tls13_ciphersuites);
  530. }
  531. @@ -1392,7 +1451,7 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
  532. if (ret && s->cipher_list != NULL) {
  533. /* We already have a cipher_list, so we need to update it */
  534. - return update_cipher_list(&s->cipher_list, &s->cipher_list_by_id,
  535. + return update_cipher_list(&s->cipher_list->ciphers, &s->cipher_list_by_id,
  536. s->tls13_ciphersuites);
  537. }
  538. @@ -1401,17 +1460,20 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
  539. STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  540. STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
  541. - STACK_OF(SSL_CIPHER) **cipher_list,
  542. + struct ssl_cipher_preference_list_st **cipher_list,
  543. STACK_OF(SSL_CIPHER) **cipher_list_by_id,
  544. const char *rule_str,
  545. CERT *c)
  546. {
  547. - int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases, i;
  548. + int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
  549. uint32_t disabled_mkey, disabled_auth, disabled_enc, disabled_mac;
  550. - STACK_OF(SSL_CIPHER) *cipherstack;
  551. + STACK_OF(SSL_CIPHER) *cipherstack = NULL;
  552. const char *rule_p;
  553. CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
  554. const SSL_CIPHER **ca_list = NULL;
  555. + uint8_t *in_group_flags = NULL;
  556. + unsigned int num_in_group_flags = 0;
  557. + struct ssl_cipher_preference_list_st *pref_list = NULL;
  558. /*
  559. * Return with error if nothing to do.
  560. @@ -1460,16 +1522,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  561. * preference).
  562. */
  563. ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, 0, 0, 0, 0, CIPHER_ADD,
  564. - -1, &head, &tail);
  565. - ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head,
  566. - &tail);
  567. - ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head,
  568. - &tail);
  569. + -1, 0, &head, &tail);
  570. + ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_ADD, -1, 0,
  571. + &head, &tail);
  572. + ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, 0,
  573. + &head, &tail);
  574. /* Within each strength group, we prefer GCM over CHACHA... */
  575. - ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1,
  576. + ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1, 0,
  577. &head, &tail);
  578. - ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1,
  579. + ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1, 0,
  580. &head, &tail);
  581. /*
  582. @@ -1478,13 +1540,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  583. * strength.
  584. */
  585. ssl_cipher_apply_rule(0, 0, 0, SSL_AES ^ SSL_AESGCM, 0, 0, 0, CIPHER_ADD,
  586. - -1, &head, &tail);
  587. + -1, 0, &head, &tail);
  588. /* Temporarily enable everything else for sorting */
  589. - ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
  590. + ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, 0, &head, &tail);
  591. /* Low priority for MD5 */
  592. - ssl_cipher_apply_rule(0, 0, 0, 0, SSL_MD5, 0, 0, CIPHER_ORD, -1, &head,
  593. + ssl_cipher_apply_rule(0, 0, 0, 0, SSL_MD5, 0, 0, CIPHER_ORD, -1, 0, &head,
  594. &tail);
  595. /*
  596. @@ -1492,16 +1554,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  597. * disabled. (For applications that allow them, they aren't too bad, but
  598. * we prefer authenticated ciphers.)
  599. */
  600. - ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, &head,
  601. + ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, 0, &head,
  602. &tail);
  603. - ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head,
  604. + ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, 0, &head,
  605. &tail);
  606. - ssl_cipher_apply_rule(0, SSL_kPSK, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head,
  607. + ssl_cipher_apply_rule(0, SSL_kPSK, 0, 0, 0, 0, 0, CIPHER_ORD, -1, 0, &head,
  608. &tail);
  609. /* RC4 is sort-of broken -- move to the end */
  610. - ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, &head,
  611. + ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, 0, &head,
  612. &tail);
  613. /*
  614. @@ -1517,7 +1579,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  615. * Partially overrule strength sort to prefer TLS 1.2 ciphers/PRFs.
  616. * TODO(openssl-team): is there an easier way to accomplish all this?
  617. */
  618. - ssl_cipher_apply_rule(0, 0, 0, 0, 0, TLS1_2_VERSION, 0, CIPHER_BUMP, -1,
  619. + ssl_cipher_apply_rule(0, 0, 0, 0, 0, TLS1_2_VERSION, 0, CIPHER_BUMP, -1, 0,
  620. &head, &tail);
  621. /*
  622. @@ -1533,15 +1595,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  623. * Because we now bump ciphers to the top of the list, we proceed in
  624. * reverse order of preference.
  625. */
  626. - ssl_cipher_apply_rule(0, 0, 0, 0, SSL_AEAD, 0, 0, CIPHER_BUMP, -1,
  627. + ssl_cipher_apply_rule(0, 0, 0, 0, SSL_AEAD, 0, 0, CIPHER_BUMP, -1, 0,
  628. &head, &tail);
  629. ssl_cipher_apply_rule(0, SSL_kDHE | SSL_kECDHE, 0, 0, 0, 0, 0,
  630. - CIPHER_BUMP, -1, &head, &tail);
  631. + CIPHER_BUMP, -1, 0, &head, &tail);
  632. ssl_cipher_apply_rule(0, SSL_kDHE | SSL_kECDHE, 0, 0, SSL_AEAD, 0, 0,
  633. - CIPHER_BUMP, -1, &head, &tail);
  634. + CIPHER_BUMP, -1, 0, &head, &tail);
  635. +
  636. + ssl_cipher_apply_rule(0, 0, 0, 0, 0, TLS1_3_VERSION, 0, CIPHER_BUMP, -1, 0,
  637. + &head, &tail);
  638. /* Now disable everything (maintaining the ordering!) */
  639. - ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);
  640. + ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, 0, &head, &tail);
  641. /*
  642. * We also need cipher aliases for selecting based on the rule_str.
  643. @@ -1555,9 +1620,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  644. num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
  645. ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
  646. if (ca_list == NULL) {
  647. - OPENSSL_free(co_list);
  648. SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
  649. - return NULL; /* Failure */
  650. + goto err; /* Failure */
  651. }
  652. ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
  653. disabled_mkey, disabled_auth, disabled_enc,
  654. @@ -1582,28 +1646,19 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  655. OPENSSL_free(ca_list); /* Not needed anymore */
  656. - if (!ok) { /* Rule processing failure */
  657. - OPENSSL_free(co_list);
  658. - return NULL;
  659. - }
  660. + if (!ok)
  661. + goto err; /* Rule processing failure */
  662. /*
  663. * Allocate new "cipherstack" for the result, return with error
  664. * if we cannot get one.
  665. */
  666. - if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
  667. - OPENSSL_free(co_list);
  668. - return NULL;
  669. - }
  670. + if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL)
  671. + goto err;
  672. - /* Add TLSv1.3 ciphers first - we always prefer those if possible */
  673. - for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
  674. - if (!sk_SSL_CIPHER_push(cipherstack,
  675. - sk_SSL_CIPHER_value(tls13_ciphersuites, i))) {
  676. - sk_SSL_CIPHER_free(cipherstack);
  677. - return NULL;
  678. - }
  679. - }
  680. + in_group_flags = OPENSSL_malloc(num_of_ciphers);
  681. + if (!in_group_flags)
  682. + goto err;
  683. /*
  684. * The cipher selection for the list is done. The ciphers are added
  685. @@ -1611,26 +1666,50 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  686. */
  687. for (curr = head; curr != NULL; curr = curr->next) {
  688. if (curr->active) {
  689. - if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
  690. - OPENSSL_free(co_list);
  691. - sk_SSL_CIPHER_free(cipherstack);
  692. - return NULL;
  693. - }
  694. + if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher))
  695. + goto err;
  696. + in_group_flags[num_in_group_flags++] = curr->in_group;
  697. #ifdef CIPHER_DEBUG
  698. fprintf(stderr, "<%s>\n", curr->cipher->name);
  699. #endif
  700. }
  701. }
  702. - OPENSSL_free(co_list); /* Not needed any longer */
  703. - if (!update_cipher_list_by_id(cipher_list_by_id, cipherstack)) {
  704. - sk_SSL_CIPHER_free(cipherstack);
  705. - return NULL;
  706. - }
  707. - sk_SSL_CIPHER_free(*cipher_list);
  708. - *cipher_list = cipherstack;
  709. + OPENSSL_free(co_list); /* Not needed any longer */
  710. + co_list = NULL;
  711. +
  712. + if (!update_cipher_list_by_id(cipher_list_by_id, cipherstack))
  713. + goto err;
  714. +
  715. + pref_list = OPENSSL_malloc(sizeof(struct ssl_cipher_preference_list_st));
  716. + if (!pref_list)
  717. + goto err;
  718. + pref_list->ciphers = cipherstack;
  719. + pref_list->in_group_flags = OPENSSL_malloc(num_in_group_flags);
  720. + if (!pref_list->in_group_flags)
  721. + goto err;
  722. + memcpy(pref_list->in_group_flags, in_group_flags, num_in_group_flags);
  723. + OPENSSL_free(in_group_flags);
  724. + in_group_flags = NULL;
  725. + if (*cipher_list != NULL)
  726. + ssl_cipher_preference_list_free(*cipher_list);
  727. + *cipher_list = pref_list;
  728. + pref_list = NULL;
  729. return cipherstack;
  730. +
  731. +err:
  732. + if (co_list)
  733. + OPENSSL_free(co_list);
  734. + if (in_group_flags)
  735. + OPENSSL_free(in_group_flags);
  736. + if (cipherstack)
  737. + sk_SSL_CIPHER_free(cipherstack);
  738. + if (pref_list && pref_list->in_group_flags)
  739. + OPENSSL_free(pref_list->in_group_flags);
  740. + if (pref_list)
  741. + OPENSSL_free(pref_list);
  742. + return NULL;
  743. }
  744. char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
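Review bot: update_cipher_list_by_id() now runs before two further allocations that can fail. If OPENSSL_malloc() fails for `pref_list` or `pref_list->in_group_flags`, control reaches `err:` after `*cipher_list_by_id` has presumably been replaced (the helper's body is not in this hunk), while `*cipher_list` still holds the old list. Building `pref_list` completely first and calling update_cipher_list_by_id() as the last fallible step would keep the two lists consistent on failure, as the removed code did. Separately, when no cipher is active `num_in_group_flags` is 0, and `OPENSSL_malloc(num_in_group_flags)` is expected to return NULL in this OpenSSL line, which turns an empty result into the error return. The function starts outside this hunk.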
  745. diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
  746. index 4b12ed1485..cd1a95d1d2 100644
  747. --- a/ssl/ssl_err.c
  748. +++ b/ssl/ssl_err.c
  749. @@ -965,6 +965,9 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
  750. {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_TMP_DH_KEY), "missing tmp dh key"},
  751. {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_TMP_ECDH_KEY),
  752. "missing tmp ecdh key"},
  753. + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS),
  754. + "mixed special operator with groups"},
  755. + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NESTED_GROUP), "nested group"},
  756. {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA),
  757. "mixed handshake and non handshake data"},
  758. {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NOT_ON_RECORD_BOUNDARY),
  759. @@ -1201,11 +1204,14 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
  760. "unable to load ssl3 md5 routines"},
  761. {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES),
  762. "unable to load ssl3 sha1 routines"},
  763. + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_GROUP_CLOSE), "unexpected group close"},
  764. {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_CCS_MESSAGE),
  765. "unexpected ccs message"},
  766. {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_END_OF_EARLY_DATA),
  767. "unexpected end of early data"},
  768. {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_MESSAGE), "unexpected message"},
  769. + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_OPERATOR_IN_GROUP),
  770. + "unexpected operator in group"},
  771. {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_RECORD), "unexpected record"},
  772. {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},
  773. {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_ALERT_TYPE), "unknown alert type"},
  774. diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
  775. index 5bd2fcf5d5..91623b5612 100644
  776. --- a/ssl/ssl_lib.c
  777. +++ b/ssl/ssl_lib.c
  778. @@ -1117,6 +1117,71 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
  779. return X509_VERIFY_PARAM_set1(ssl->param, vpm);
  780. }
  781. +void ssl_cipher_preference_list_free(struct ssl_cipher_preference_list_st
  782. + *cipher_list)
  783. +{
  784. + sk_SSL_CIPHER_free(cipher_list->ciphers);
  785. + OPENSSL_free(cipher_list->in_group_flags);
  786. + OPENSSL_free(cipher_list);
  787. +}
  788. +
  789. +struct ssl_cipher_preference_list_st*
  790. +ssl_cipher_preference_list_dup(struct ssl_cipher_preference_list_st
  791. + *cipher_list)
  792. +{
  793. + struct ssl_cipher_preference_list_st* ret = NULL;
  794. + size_t n = sk_SSL_CIPHER_num(cipher_list->ciphers);
  795. +
  796. + ret = OPENSSL_malloc(sizeof(struct ssl_cipher_preference_list_st));
  797. + if (!ret)
  798. + goto err;
  799. + ret->ciphers = NULL;
  800. + ret->in_group_flags = NULL;
  801. + ret->ciphers = sk_SSL_CIPHER_dup(cipher_list->ciphers);
  802. + if (!ret->ciphers)
  803. + goto err;
  804. + ret->in_group_flags = OPENSSL_malloc(n);
  805. + if (!ret->in_group_flags)
  806. + goto err;
  807. + memcpy(ret->in_group_flags, cipher_list->in_group_flags, n);
  808. + return ret;
  809. +
  810. +err:
  811. + if (ret->ciphers)
  812. + sk_SSL_CIPHER_free(ret->ciphers);
  813. + if (ret)
  814. + OPENSSL_free(ret);
  815. + return NULL;
  816. +}
  817. +
  818. +struct ssl_cipher_preference_list_st*
  819. +ssl_cipher_preference_list_from_ciphers(STACK_OF(SSL_CIPHER) *ciphers)
  820. +{
  821. + struct ssl_cipher_preference_list_st* ret = NULL;
  822. + size_t n = sk_SSL_CIPHER_num(ciphers);
  823. +
  824. + ret = OPENSSL_malloc(sizeof(struct ssl_cipher_preference_list_st));
  825. + if (!ret)
  826. + goto err;
  827. + ret->ciphers = NULL;
  828. + ret->in_group_flags = NULL;
  829. + ret->ciphers = sk_SSL_CIPHER_dup(ciphers);
  830. + if (!ret->ciphers)
  831. + goto err;
  832. + ret->in_group_flags = OPENSSL_malloc(n);
  833. + if (!ret->in_group_flags)
  834. + goto err;
  835. + memset(ret->in_group_flags, 0, n);
  836. + return ret;
  837. +
  838. +err:
  839. + if (ret->ciphers)
  840. + sk_SSL_CIPHER_free(ret->ciphers);
  841. + if (ret)
  842. + OPENSSL_free(ret);
  843. + return NULL;
  844. +}
  845. +
  846. X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx)
  847. {
  848. return ctx->param;
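Review bot: Both `err:` paths in ssl_cipher_preference_list_dup() and ssl_cipher_preference_list_from_ciphers() evaluate `ret->ciphers` before testing `ret`, so a failed first OPENSSL_malloc() jumps straight into a NULL dereference; that first check should be `if (ret == NULL) return NULL;`. ssl_cipher_preference_list_free() also dereferences its argument unconditionally, unlike the sk_SSL_CIPHER_free() calls it replaces. The new calls in SSL_CTX_free() and in ssl/statem/statem_srvr.c pass the pointer without a guard, and SSL_get_ciphers() in this patch shows `s->cipher_list` can legitimately be NULL. Starting the function with `if (cipher_list == NULL) return;` restores the old NULL tolerance. In addition, `size_t n = sk_SSL_CIPHER_num(...)` turns the negative result for a NULL stack into a very large length before it reaches OPENSSL_malloc() and memcpy()/memset().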
  849. @@ -1157,7 +1222,8 @@ void SSL_free(SSL *s)
  850. BUF_MEM_free(s->init_buf);
  851. /* add extra stuff */
  852. - sk_SSL_CIPHER_free(s->cipher_list);
  853. + if (s->cipher_list != NULL)
  854. + ssl_cipher_preference_list_free(s->cipher_list);
  855. sk_SSL_CIPHER_free(s->cipher_list_by_id);
  856. sk_SSL_CIPHER_free(s->tls13_ciphersuites);
  857. @@ -2427,9 +2493,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
  858. {
  859. if (s != NULL) {
  860. if (s->cipher_list != NULL) {
  861. - return s->cipher_list;
  862. + return (s->cipher_list->ciphers);
  863. } else if ((s->ctx != NULL) && (s->ctx->cipher_list != NULL)) {
  864. - return s->ctx->cipher_list;
  865. + return (s->ctx->cipher_list->ciphers);
  866. }
  867. }
  868. return NULL;
  869. @@ -2503,8 +2569,8 @@ const char *SSL_get_cipher_list(const SSL *s, int n)
  870. * preference */
  871. STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx)
  872. {
  873. - if (ctx != NULL)
  874. - return ctx->cipher_list;
  875. + if (ctx != NULL && ctx->cipher_list != NULL)
  876. + return ctx->cipher_list->ciphers;
  877. return NULL;
  878. }
  879. @@ -2955,7 +3021,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
  880. ret->tls13_ciphersuites,
  881. &ret->cipher_list, &ret->cipher_list_by_id,
  882. SSL_DEFAULT_CIPHER_LIST, ret->cert)
  883. - || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
  884. + || sk_SSL_CIPHER_num(ret->cipher_list->ciphers) <= 0) {
  885. SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
  886. goto err2;
  887. }
  888. @@ -3131,7 +3197,7 @@ void SSL_CTX_free(SSL_CTX *a)
  889. #ifndef OPENSSL_NO_CT
  890. CTLOG_STORE_free(a->ctlog_store);
  891. #endif
  892. - sk_SSL_CIPHER_free(a->cipher_list);
  893. + ssl_cipher_preference_list_free(a->cipher_list);
  894. sk_SSL_CIPHER_free(a->cipher_list_by_id);
  895. sk_SSL_CIPHER_free(a->tls13_ciphersuites);
  896. ssl_cert_free(a->cert);
  897. @@ -3809,13 +3875,15 @@ SSL *SSL_dup(SSL *s)
  898. /* dup the cipher_list and cipher_list_by_id stacks */
  899. if (s->cipher_list != NULL) {
  900. - if ((ret->cipher_list = sk_SSL_CIPHER_dup(s->cipher_list)) == NULL)
  901. + ret->cipher_list = ssl_cipher_preference_list_dup(s->cipher_list);
  902. + if (ret->cipher_list == NULL)
  903. goto err;
  904. }
  905. - if (s->cipher_list_by_id != NULL)
  906. - if ((ret->cipher_list_by_id = sk_SSL_CIPHER_dup(s->cipher_list_by_id))
  907. - == NULL)
  908. + if (s->cipher_list_by_id != NULL) {
  909. + ret->cipher_list_by_id = sk_SSL_CIPHER_dup(s->cipher_list_by_id);
  910. + if (ret->cipher_list_by_id == NULL)
  911. goto err;
  912. + }
  913. /* Dup the client_CA list */
  914. if (!dup_ca_names(&ret->ca_names, s->ca_names)
  915. diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
  916. index 6559012f30..1e0cddfa7b 100644
  917. --- a/ssl/ssl_locl.h
  918. +++ b/ssl/ssl_locl.h
  919. @@ -741,9 +741,46 @@ typedef struct ssl_ctx_ext_secure_st {
  920. unsigned char tick_aes_key[TLSEXT_TICK_KEY_LENGTH];
  921. } SSL_CTX_EXT_SECURE;
  922. +/* ssl_cipher_preference_list_st contains a list of SSL_CIPHERs with
  923. + * equal-preference groups. For TLS clients, the groups are moot because the
  924. + * server picks the cipher and groups cannot be expressed on the wire. However,
  925. + * for servers, the equal-preference groups allow the client's preferences to
  926. + * be partially respected. (This only has an effect with
  927. + * SSL_OP_CIPHER_SERVER_PREFERENCE).
  928. + *
  929. + * The equal-preference groups are expressed by grouping SSL_CIPHERs together.
  930. + * All elements of a group have the same priority: no ordering is expressed
  931. + * within a group.
  932. + *
  933. + * The values in |ciphers| are in one-to-one correspondence with
  934. + * |in_group_flags|. (That is, sk_SSL_CIPHER_num(ciphers) is the number of
  935. + * bytes in |in_group_flags|.) The bytes in |in_group_flags| are either 1, to
  936. + * indicate that the corresponding SSL_CIPHER is not the last element of a
  937. + * group, or 0 to indicate that it is.
  938. + *
  939. + * For example, if |in_group_flags| contains all zeros then that indicates a
  940. + * traditional, fully-ordered preference. Every SSL_CIPHER is the last element
  941. + * of the group (i.e. they are all in a one-element group).
  942. + *
  943. + * For a more complex example, consider:
  944. + * ciphers: A B C D E F
  945. + * in_group_flags: 1 1 0 0 1 0
  946. + *
  947. + * That would express the following, order:
  948. + *
  949. + * A E
  950. + * B -> D -> F
  951. + * C
  952. + */
  953. +struct ssl_cipher_preference_list_st {
  954. + STACK_OF(SSL_CIPHER) *ciphers;
  955. + uint8_t *in_group_flags;
  956. +};
  957. +
  958. +
  959. struct ssl_ctx_st {
  960. const SSL_METHOD *method;
  961. - STACK_OF(SSL_CIPHER) *cipher_list;
  962. + struct ssl_cipher_preference_list_st *cipher_list;
  963. /* same as above but sorted for lookup */
  964. STACK_OF(SSL_CIPHER) *cipher_list_by_id;
  965. /* TLSv1.3 specific ciphersuites */
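Review bot: `in_group_flags` carries no length of its own, so every reader has to trust that it holds exactly sk_SSL_CIPHER_num(ciphers) bytes. Yet SSL_get_ciphers() and SSL_CTX_get_ciphers() in this patch hand out the inner `ciphers` stack as a non-const pointer. Any code that pushes to or deletes from that stack would leave the flag array out of step, and a later indexed read of the flags could run past the allocation. I would either store the count in the struct or at least extend the comment with the invariant, e.g. `Entries must never be added to or removed from |ciphers| after construction; |in_group_flags| is not resized.`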
  966. @@ -1138,7 +1175,7 @@ struct ssl_st {
  967. /* Per connection DANE state */
  968. SSL_DANE dane;
  969. /* crypto */
  970. - STACK_OF(SSL_CIPHER) *cipher_list;
  971. + struct ssl_cipher_preference_list_st *cipher_list;
  972. STACK_OF(SSL_CIPHER) *cipher_list_by_id;
  973. /* TLSv1.3 specific ciphersuites */
  974. STACK_OF(SSL_CIPHER) *tls13_ciphersuites;
  975. @@ -2263,7 +2300,7 @@ __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
  976. const SSL_CIPHER *const *bp);
  977. __owur STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  978. STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
  979. - STACK_OF(SSL_CIPHER) **cipher_list,
  980. + struct ssl_cipher_preference_list_st **cipher_list,
  981. STACK_OF(SSL_CIPHER) **cipher_list_by_id,
  982. const char *rule_str,
  983. CERT *c);
  984. @@ -2273,6 +2310,13 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
  985. STACK_OF(SSL_CIPHER) **scsvs, int sslv2format,
  986. int fatal);
  987. void ssl_update_cache(SSL *s, int mode);
  988. +struct ssl_cipher_preference_list_st* ssl_cipher_preference_list_dup(
  989. + struct ssl_cipher_preference_list_st *cipher_list);
  990. +void ssl_cipher_preference_list_free(
  991. + struct ssl_cipher_preference_list_st *cipher_list);
  992. +struct ssl_cipher_preference_list_st* ssl_cipher_preference_list_from_ciphers(
  993. + STACK_OF(SSL_CIPHER) *ciphers);
  994. +struct ssl_cipher_preference_list_st* ssl_get_cipher_preferences(SSL *s);
  995. __owur int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
  996. const EVP_MD **md, int *mac_pkey_type,
  997. size_t *mac_secret_size, SSL_COMP **comp,
  998. @@ -2356,7 +2400,7 @@ __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt,
  999. CERT_PKEY *cpk);
  1000. __owur const SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,
  1001. STACK_OF(SSL_CIPHER) *clnt,
  1002. - STACK_OF(SSL_CIPHER) *srvr);
  1003. + struct ssl_cipher_preference_list_st *srvr);
  1004. __owur int ssl3_digest_cached_records(SSL *s, int keep);
  1005. __owur int ssl3_new(SSL *s);
  1006. void ssl3_free(SSL *s);
  1007. diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
  1008. index 0eab35c5c8..21f3dd707e 100644
  1009. --- a/ssl/statem/statem_srvr.c
  1010. +++ b/ssl/statem/statem_srvr.c
  1011. @@ -1750,7 +1750,7 @@ static int tls_early_post_process_client_hello(SSL *s)
  1012. /* For TLSv1.3 we must select the ciphersuite *before* session resumption */
  1013. if (SSL_IS_TLS13(s)) {
  1014. const SSL_CIPHER *cipher =
  1015. - ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s));
  1016. + ssl3_choose_cipher(s, ciphers, ssl_get_cipher_preferences(s));
  1017. if (cipher == NULL) {
  1018. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1019. @@ -1931,7 +1931,7 @@ static int tls_early_post_process_client_hello(SSL *s)
  1020. /* check if some cipher was preferred by call back */
  1021. if (pref_cipher == NULL)
  1022. pref_cipher = ssl3_choose_cipher(s, s->session->ciphers,
  1023. - SSL_get_ciphers(s));
  1024. + ssl_get_cipher_preferences(s));
  1025. if (pref_cipher == NULL) {
  1026. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1027. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1028. @@ -1940,8 +1940,9 @@ static int tls_early_post_process_client_hello(SSL *s)
  1029. }
  1030. s->session->cipher = pref_cipher;
  1031. - sk_SSL_CIPHER_free(s->cipher_list);
  1032. - s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
  1033. + ssl_cipher_preference_list_free(s->cipher_list);
  1034. + s->cipher_list = ssl_cipher_preference_list_from_ciphers(
  1035. + s->session->ciphers);
  1036. sk_SSL_CIPHER_free(s->cipher_list_by_id);
  1037. s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
  1038. }
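Review bot: The result of ssl_cipher_preference_list_from_ciphers() is stored in `s->cipher_list` without a check, and the helper has more ways to fail than the sk_SSL_CIPHER_dup() it replaces (two allocations instead of one). On failure `s->cipher_list` is left NULL, which by SSL_get_ciphers() in this patch means the connection quietly falls back to the context's list instead of the session's ciphers. A check would make that explicit: `if (s->cipher_list == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, ERR_R_MALLOC_FAILURE); goto err; }`. This assumes the function's existing `err` label, which is outside the hunk.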
  1039. @@ -2255,7 +2256,7 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
  1040. /* In TLSv1.3 we selected the ciphersuite before resumption */
  1041. if (!SSL_IS_TLS13(s)) {
  1042. cipher =
  1043. - ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
  1044. + ssl3_choose_cipher(s, s->session->ciphers, ssl_get_cipher_preferences(s));
  1045. if (cipher == NULL) {
  1046. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,