
openssl-equal-3.0.0-dev.patch 45KB

  1. diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
  2. index 7c915d4645..d8c8d714b9 100644
  3. --- a/crypto/err/openssl.txt
  4. +++ b/crypto/err/openssl.txt
  5. @@ -2128,7 +2128,6 @@ CONF_R_UNKNOWN_MODULE_NAME:113:unknown module name
  6. CONF_R_VARIABLE_EXPANSION_TOO_LONG:116:variable expansion too long
  7. CONF_R_VARIABLE_HAS_NO_VALUE:104:variable has no value
  8. CRMF_R_BAD_PBM_ITERATIONCOUNT:100:bad pbm iterationcount
  9. -CRMF_R_MALFORMED_IV:101:malformed iv
  10. CRMF_R_CRMFERROR:102:crmferror
  11. CRMF_R_ERROR:103:error
  12. CRMF_R_ERROR_DECODING_CERTIFICATE:104:error decoding certificate
  13. @@ -2136,6 +2135,7 @@ CRMF_R_ERROR_DECRYPTING_CERTIFICATE:105:error decrypting certificate
  14. CRMF_R_ERROR_DECRYPTING_SYMMETRIC_KEY:106:error decrypting symmetric key
  15. CRMF_R_FAILURE_OBTAINING_RANDOM:107:failure obtaining random
  16. CRMF_R_ITERATIONCOUNT_BELOW_100:108:iterationcount below 100
  17. +CRMF_R_MALFORMED_IV:101:malformed iv
  18. CRMF_R_NULL_ARGUMENT:109:null argument
  19. CRMF_R_SETTING_MAC_ALGOR_FAILURE:110:setting mac algor failure
  20. CRMF_R_SETTING_OWF_ALGOR_FAILURE:111:setting owf algor failure
  21. @@ -2865,6 +2865,8 @@ SSL_R_MISSING_TMP_DH_KEY:171:missing tmp dh key
  22. SSL_R_MISSING_TMP_ECDH_KEY:311:missing tmp ecdh key
  23. SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA:293:\
  24. mixed handshake and non handshake data
  25. +SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS:294:mixed special operator with groups
  26. +SSL_R_NESTED_GROUP:295:nested group
  27. SSL_R_NOT_ON_RECORD_BOUNDARY:182:not on record boundary
  28. SSL_R_NOT_REPLACING_CERTIFICATE:289:not replacing certificate
  29. SSL_R_NOT_SERVER:284:not server
  30. @@ -2973,7 +2975,9 @@ SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES:242:unable to load ssl3 md5 routines
  31. SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES:243:unable to load ssl3 sha1 routines
  32. SSL_R_UNEXPECTED_CCS_MESSAGE:262:unexpected ccs message
  33. SSL_R_UNEXPECTED_END_OF_EARLY_DATA:178:unexpected end of early data
  34. +SSL_R_UNEXPECTED_GROUP_CLOSE:296:unexpected group close
  35. SSL_R_UNEXPECTED_MESSAGE:244:unexpected message
  36. +SSL_R_UNEXPECTED_OPERATOR_IN_GROUP:297:unexpected operator in group
  37. SSL_R_UNEXPECTED_RECORD:245:unexpected record
  38. SSL_R_UNINITIALIZED:276:uninitialized
  39. SSL_R_UNKNOWN_ALERT_TYPE:246:unknown alert type
  40. diff --git a/doc/man1/ciphers.pod b/doc/man1/ciphers.pod
  41. index e29c5d7ced..7d795c390e 100644
  42. --- a/doc/man1/ciphers.pod
  43. +++ b/doc/man1/ciphers.pod
  44. @@ -400,6 +400,21 @@ permissible.
  45. =back
  46. +=head1 EQUAL PREFERENCE GROUPS
  47. +
  48. +If configuring a server, one may also configure equal-preference groups to
  49. +partially respect the client's preferences when
  50. +B<SSL_OP_CIPHER_SERVER_PREFERENCE> is enabled. Ciphers in an equal-preference
  51. +group have equal priority and use the client order. This may be used to
  52. +enforce that AEADs are preferred but select AES-GCM vs. ChaCha20-Poly1305
  53. +based on client preferences. An equal-preference is specified with square
  54. +brackets, combining multiple selectors separated by |. For example:
  55. +
  56. + [ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]
  57. +
  58. + Once an equal-preference group is used, future directives must be
  59. + opcode-less.
  60. +
  61. =head1 CIPHER SUITE NAMES
  62. The following lists give the SSL or TLS cipher suites names from the
  63. diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h
  64. index 4603ef4274..fac8736d1d 100644
  65. --- a/include/openssl/sslerr.h
  66. +++ b/include/openssl/sslerr.h
  67. @@ -601,6 +601,8 @@ int ERR_load_SSL_strings(void);
  68. # define SSL_R_MISSING_TMP_DH_KEY 171
  69. # define SSL_R_MISSING_TMP_ECDH_KEY 311
  70. # define SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA 293
  71. +# define SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS 294
  72. +# define SSL_R_NESTED_GROUP 295
  73. # define SSL_R_NOT_ON_RECORD_BOUNDARY 182
  74. # define SSL_R_NOT_REPLACING_CERTIFICATE 289
  75. # define SSL_R_NOT_SERVER 284
  76. @@ -733,7 +735,9 @@ int ERR_load_SSL_strings(void);
  77. # define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 243
  78. # define SSL_R_UNEXPECTED_CCS_MESSAGE 262
  79. # define SSL_R_UNEXPECTED_END_OF_EARLY_DATA 178
  80. +# define SSL_R_UNEXPECTED_GROUP_CLOSE 296
  81. # define SSL_R_UNEXPECTED_MESSAGE 244
  82. +# define SSL_R_UNEXPECTED_OPERATOR_IN_GROUP 297
  83. # define SSL_R_UNEXPECTED_RECORD 245
  84. # define SSL_R_UNINITIALIZED 276
  85. # define SSL_R_UNKNOWN_ALERT_TYPE 246
  86. diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
  87. index a3639fd18c..c24b5154ac 100644
  88. --- a/ssl/s3_lib.c
  89. +++ b/ssl/s3_lib.c
  90. @@ -168,7 +168,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
  91. SSL_aRSA,
  92. SSL_3DES,
  93. SSL_SHA1,
  94. - SSL3_VERSION, TLS1_2_VERSION,
  95. + SSL3_VERSION, TLS1_VERSION,
  96. DTLS1_BAD_VER, DTLS1_2_VERSION,
  97. SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
  98. SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
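Review bot: The TLS upper bound of this `ssl3_ciphers` entry drops from `TLS1_2_VERSION` to `TLS1_VERSION` with no comment, and the `ciphers.pod` text added by this patch does not mention it; the same edit is repeated in the hunks at -233 and -297 (the `SSL_AES128` and `SSL_AES256` entries with `SSL_SHA1`). Given the `s->version > c->max_tls` test in `ssl3_choose_cipher`, these three suites would stop being selectable on TLS 1.1 and TLS 1.2 connections, which is a policy change unrelated to equal-preference groups. The DTLS bounds on the following line are left at `DTLS1_2_VERSION`, so TLS and DTLS now disagree for the same suite. If the cap is intended, a comment on the changed line such as `/* max_tls deliberately capped at TLS 1.0: <reason> */` and a matching DTLS decision would make that reviewable; the entries start and end outside these hunks.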
  99. @@ -233,7 +233,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
  100. SSL_aRSA,
  101. SSL_AES128,
  102. SSL_SHA1,
  103. - SSL3_VERSION, TLS1_2_VERSION,
  104. + SSL3_VERSION, TLS1_VERSION,
  105. DTLS1_BAD_VER, DTLS1_2_VERSION,
  106. SSL_HIGH | SSL_FIPS,
  107. SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
  108. @@ -297,7 +297,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
  109. SSL_aRSA,
  110. SSL_AES256,
  111. SSL_SHA1,
  112. - SSL3_VERSION, TLS1_2_VERSION,
  113. + SSL3_VERSION, TLS1_VERSION,
  114. DTLS1_BAD_VER, DTLS1_2_VERSION,
  115. SSL_HIGH | SSL_FIPS,
  116. SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
  117. @@ -4125,6 +4125,17 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
  118. return 1;
  119. }
  120. +struct ssl_cipher_preference_list_st* ssl_get_cipher_preferences(SSL *s)
  121. +{
  122. + if (s->cipher_list != NULL)
  123. + return (s->cipher_list);
  124. +
  125. + if ((s->ctx != NULL) && (s->ctx->cipher_list != NULL))
  126. + return (s->ctx->cipher_list);
  127. +
  128. + return NULL;
  129. +}
  130. +
  131. /*
  132. * ssl3_choose_cipher - choose a cipher from those offered by the client
  133. * @s: SSL connection
  134. @@ -4134,16 +4145,24 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
  135. * Returns the selected cipher or NULL when no common ciphers.
  136. */
  137. const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
  138. - STACK_OF(SSL_CIPHER) *srvr)
  139. + struct ssl_cipher_preference_list_st
  140. + *server_pref)
  141. {
  142. const SSL_CIPHER *c, *ret = NULL;
  143. - STACK_OF(SSL_CIPHER) *prio, *allow;
  144. - int i, ii, ok, prefer_sha256 = 0;
  145. + STACK_OF(SSL_CIPHER) *srvr = server_pref->ciphers, *prio, *allow;
  146. + int i, ii, ok, prefer_sha256 = 0, safari_ec = 0;
  147. unsigned long alg_k = 0, alg_a = 0, mask_k = 0, mask_a = 0;
  148. const EVP_MD *mdsha256 = EVP_sha256();
  149. -#ifndef OPENSSL_NO_CHACHA
  150. - STACK_OF(SSL_CIPHER) *prio_chacha = NULL;
  151. -#endif
  152. +
  153. + /* in_group_flags will either be NULL, or will point to an array of
  154. + * bytes which indicate equal-preference groups in the |prio| stack.
  155. + * See the comment about |in_group_flags| in the
  156. + * |ssl_cipher_preference_list_st| struct. */
  157. + const uint8_t *in_group_flags;
  158. +
  159. + /* group_min contains the minimal index so far found in a group, or -1
  160. + * if no such value exists yet. */
  161. + int group_min = -1;
  162. /* Let's see which ciphers we can support */
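Review bot: `server_pref->ciphers` is dereferenced in the declaration of `srvr` with no NULL check, while `ssl_get_cipher_preferences()`, added just above, returns NULL when neither the connection nor its context has a list. The callers are not part of the visible hunks, so it is unclear whether any of them can pass that NULL straight through. A guard at the top of the body, `if (server_pref == NULL) return NULL;`, with `srvr = server_pref->ciphers;` assigned after it, would keep the function safe on its own. The body of `ssl3_choose_cipher` continues outside this hunk.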
  163. @@ -4170,54 +4189,13 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
  164. } OSSL_TRACE_END(TLS_CIPHER);
  165. /* SUITE-B takes precedence over server preference and ChaCha priortiy */
  166. - if (tls1_suiteb(s)) {
  167. + if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || tls1_suiteb(s)) {
  168. prio = srvr;
  169. + in_group_flags = server_pref->in_group_flags;
  170. allow = clnt;
  171. - } else if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
  172. - prio = srvr;
  173. - allow = clnt;
  174. -#ifndef OPENSSL_NO_CHACHA
  175. - /* If ChaCha20 is at the top of the client preference list,
  176. - and there are ChaCha20 ciphers in the server list, then
  177. - temporarily prioritize all ChaCha20 ciphers in the servers list. */
  178. - if (s->options & SSL_OP_PRIORITIZE_CHACHA && sk_SSL_CIPHER_num(clnt) > 0) {
  179. - c = sk_SSL_CIPHER_value(clnt, 0);
  180. - if (c->algorithm_enc == SSL_CHACHA20POLY1305) {
  181. - /* ChaCha20 is client preferred, check server... */
  182. - int num = sk_SSL_CIPHER_num(srvr);
  183. - int found = 0;
  184. - for (i = 0; i < num; i++) {
  185. - c = sk_SSL_CIPHER_value(srvr, i);
  186. - if (c->algorithm_enc == SSL_CHACHA20POLY1305) {
  187. - found = 1;
  188. - break;
  189. - }
  190. - }
  191. - if (found) {
  192. - prio_chacha = sk_SSL_CIPHER_new_reserve(NULL, num);
  193. - /* if reserve fails, then there's likely a memory issue */
  194. - if (prio_chacha != NULL) {
  195. - /* Put all ChaCha20 at the top, starting with the one we just found */
  196. - sk_SSL_CIPHER_push(prio_chacha, c);
  197. - for (i++; i < num; i++) {
  198. - c = sk_SSL_CIPHER_value(srvr, i);
  199. - if (c->algorithm_enc == SSL_CHACHA20POLY1305)
  200. - sk_SSL_CIPHER_push(prio_chacha, c);
  201. - }
  202. - /* Pull in the rest */
  203. - for (i = 0; i < num; i++) {
  204. - c = sk_SSL_CIPHER_value(srvr, i);
  205. - if (c->algorithm_enc != SSL_CHACHA20POLY1305)
  206. - sk_SSL_CIPHER_push(prio_chacha, c);
  207. - }
  208. - prio = prio_chacha;
  209. - }
  210. - }
  211. - }
  212. - }
  213. -# endif
  214. } else {
  215. prio = clnt;
  216. + in_group_flags = NULL;
  217. allow = srvr;
  218. }
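Review bot: `SSL_OP_PRIORITIZE_CHACHA` is no longer consulted in any visible hunk of `ssl3_choose_cipher` once this branch is removed, so an application that sets the option silently gets plain server-preference ordering. Neither a comment here nor the new `ciphers.pod` section says that equal-preference groups are meant to replace it. The context comment above the condition still speaks of "ChaCha priortiy" and should be updated, for example to `/* SUITE-B and SSL_OP_CIPHER_SERVER_PREFERENCE both select from the server's list */`. The merged condition would also read more safely as `if ((s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) || tls1_suiteb(s)) {`.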
  219. @@ -4248,14 +4226,16 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
  220. for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
  221. c = sk_SSL_CIPHER_value(prio, i);
  222. + ok = 1;
  223. +
  224. /* Skip ciphers not supported by the protocol version */
  225. if (!SSL_IS_DTLS(s) &&
  226. ((s->version < c->min_tls) || (s->version > c->max_tls)))
  227. - continue;
  228. + ok = 0;
  229. if (SSL_IS_DTLS(s) &&
  230. (DTLS_VERSION_LT(s->version, c->min_dtls) ||
  231. DTLS_VERSION_GT(s->version, c->max_dtls)))
  232. - continue;
  233. + ok = 0;
  234. /*
  235. * Since TLS 1.3 ciphersuites can be used with any auth or
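Review bot: Replacing `continue` with `ok = 0` in the two version checks only skips the cipher if a later `if (!ok)` is reached on every path. The code between this hunk and the next is not shown, but the comment that ends this hunk and the closing brace after `if (!ok) continue;` in the -4296 hunk suggest that test sits inside a block that is bypassed for TLS 1.3. If so, a suite outside the negotiated version range is no longer filtered on TLS 1.3 connections and can reach the `sk_SSL_CIPHER_find(allow, c)` match. Please confirm against the full function; an unconditional `if (!ok) continue;` placed directly after the two version checks would restore the previous filtering.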
  236. @@ -4277,10 +4257,10 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
  237. #ifndef OPENSSL_NO_PSK
  238. /* with PSK there must be server callback set */
  239. if ((alg_k & SSL_PSK) && s->psk_server_callback == NULL)
  240. - continue;
  241. + ok = 0;
  242. #endif /* OPENSSL_NO_PSK */
  243. - ok = (alg_k & mask_k) && (alg_a & mask_a);
  244. + ok = ok && (alg_k & mask_k) && (alg_a & mask_a);
  245. OSSL_TRACE7(TLS_CIPHER,
  246. "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n",
  247. ok, alg_k, alg_a, mask_k, mask_a, (void *)c, c->name);
  248. @@ -4296,6 +4276,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
  249. if (!ok)
  250. continue;
  251. +
  252. + safari_ec = 0;
  253. +#if !defined(OPENSSL_NO_EC)
  254. + if ((alg_k & SSL_kECDHE) && (alg_a & SSL_aECDSA)) {
  255. + if (s->s3->is_probably_safari)
  256. + safari_ec = 1;
  257. + }
  258. +#endif
  259. }
  260. ii = sk_SSL_CIPHER_find(allow, c);
  261. if (ii >= 0) {
  262. @@ -4303,14 +4291,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
  263. if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED,
  264. c->strength_bits, 0, (void *)c))
  265. continue;
  266. -#if !defined(OPENSSL_NO_EC)
  267. - if ((alg_k & SSL_kECDHE) && (alg_a & SSL_aECDSA)
  268. - && s->s3->is_probably_safari) {
  269. - if (!ret)
  270. - ret = sk_SSL_CIPHER_value(allow, ii);
  271. - continue;
  272. - }
  273. -#endif
  274. +
  275. if (prefer_sha256) {
  276. const SSL_CIPHER *tmp = sk_SSL_CIPHER_value(allow, ii);
  277. @@ -4322,13 +4303,38 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
  278. ret = tmp;
  279. continue;
  280. }
  281. - ret = sk_SSL_CIPHER_value(allow, ii);
  282. +
  283. + if (in_group_flags != NULL && in_group_flags[i] == 1) {
  284. + /* This element of |prio| is in a group. Update
  285. + * the minimum index found so far and continue
  286. + * looking. */
  287. + if (group_min == -1 || group_min > ii)
  288. + group_min = ii;
  289. + } else {
  290. + if (group_min != -1 && group_min < ii)
  291. + ii = group_min;
  292. + if (safari_ec) {
  293. + if (!ret)
  294. + ret = sk_SSL_CIPHER_value(allow, ii);
  295. + continue;
  296. + }
  297. + ret = sk_SSL_CIPHER_value(allow, ii);
  298. + break;
  299. + }
  300. + }
  301. +
  302. + if (in_group_flags != NULL && !in_group_flags[i] && group_min != -1) {
  303. + /* We are about to leave a group, but we found a match
  304. + * in it, so that's our answer. */
  305. + if (safari_ec) {
  306. + if (!ret)
  307. + ret = sk_SSL_CIPHER_value(allow, group_min);
  308. + continue;
  309. + }
  310. + ret = sk_SSL_CIPHER_value(allow, group_min);
  311. break;
  312. }
  313. }
  314. -#ifndef OPENSSL_NO_CHACHA
  315. - sk_SSL_CIPHER_free(prio_chacha);
  316. -#endif
  317. return ret;
  318. }
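Review bot: A match recorded in `group_min` can be lost, because the "about to leave a group" check at the bottom of the loop is skipped whenever the current element takes one of the earlier `continue` paths (`if (!ok) continue;`, the `ssl_security()` rejection, or the `prefer_sha256` branch). If the closing element of a group is the last entry in `prio` and takes such a path, the loop ends with `group_min` set but `ret` still NULL, so the handshake reports no shared cipher although one was found. If another group follows immediately, `group_min` carries over into it. The `safari_ec` branches also `continue` without resetting `group_min` to -1. At minimum add `if (ret == NULL && group_min != -1) ret = sk_SSL_CIPHER_value(allow, group_min);` before `return ret;`, and reset `group_min` whenever a group has been left. The loop starts outside this hunk.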
  319. diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
  320. index 5aa04dbd53..655e259c9b 100644
  321. --- a/ssl/ssl_ciph.c
  322. +++ b/ssl/ssl_ciph.c
  323. @@ -193,6 +193,7 @@ typedef struct cipher_order_st {
  324. const SSL_CIPHER *cipher;
  325. int active;
  326. int dead;
  327. + int in_group;
  328. struct cipher_order_st *next, *prev;
  329. } CIPHER_ORDER;
  330. @@ -297,6 +298,7 @@ static const SSL_CIPHER cipher_aliases[] = {
  331. {0, SSL_TXT_TLSV1, NULL, 0, 0, 0, 0, 0, TLS1_VERSION},
  332. {0, "TLSv1.0", NULL, 0, 0, 0, 0, 0, TLS1_VERSION},
  333. {0, SSL_TXT_TLSV1_2, NULL, 0, 0, 0, 0, 0, TLS1_2_VERSION},
  334. + {0, "TLS13", NULL, 0, 0, 0, 0, 0, TLS1_3_VERSION},
  335. /* strength classes */
  336. {0, SSL_TXT_LOW, NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_LOW},
  337. @@ -682,6 +684,7 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
  338. co_list[co_list_num].next = NULL;
  339. co_list[co_list_num].prev = NULL;
  340. co_list[co_list_num].active = 0;
  341. + co_list[co_list_num].in_group = 0;
  342. co_list_num++;
  343. }
  344. @@ -775,8 +778,8 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
  345. uint32_t alg_auth, uint32_t alg_enc,
  346. uint32_t alg_mac, int min_tls,
  347. uint32_t algo_strength, int rule,
  348. - int32_t strength_bits, CIPHER_ORDER **head_p,
  349. - CIPHER_ORDER **tail_p)
  350. + int32_t strength_bits, int in_group,
  351. + CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
  352. {
  353. CIPHER_ORDER *head, *tail, *curr, *next, *last;
  354. const SSL_CIPHER *cp;
  355. @@ -784,9 +787,9 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
  356. OSSL_TRACE_BEGIN(TLS_CIPHER){
  357. BIO_printf(trc_out,
  358. - "Applying rule %d with %08x/%08x/%08x/%08x/%08x %08x (%d)\n",
  359. + "Applying rule %d with %08x/%08x/%08x/%08x/%08x %08x (%d) g:%d\n",
  360. rule, alg_mkey, alg_auth, alg_enc, alg_mac, min_tls,
  361. - algo_strength, strength_bits);
  362. + algo_strength, strength_bits, in_group);
  363. }
  364. if (rule == CIPHER_DEL || rule == CIPHER_BUMP)
  365. @@ -863,6 +866,7 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
  366. if (!curr->active) {
  367. ll_append_tail(&head, curr, &tail);
  368. curr->active = 1;
  369. + curr->in_group = in_group;
  370. }
  371. }
  372. /* Move the added cipher to this location */
  373. @@ -870,6 +874,7 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
  374. /* reverse == 0 */
  375. if (curr->active) {
  376. ll_append_tail(&head, curr, &tail);
  377. + curr->in_group = 0;
  378. }
  379. } else if (rule == CIPHER_DEL) {
  380. /* reverse == 1 */
  381. @@ -881,6 +886,7 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
  382. */
  383. ll_append_head(&head, curr, &tail);
  384. curr->active = 0;
  385. + curr->in_group = 0;
  386. }
  387. } else if (rule == CIPHER_BUMP) {
  388. if (curr->active)
  389. @@ -950,8 +956,8 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
  390. */
  391. for (i = max_strength_bits; i >= 0; i--)
  392. if (number_uses[i] > 0)
  393. - ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ORD, i, head_p,
  394. - tail_p);
  395. + ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ORD, i, 0,
  396. + head_p, tail_p);
  397. OPENSSL_free(number_uses);
  398. return 1;
  399. @@ -965,7 +971,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
  400. uint32_t alg_mkey, alg_auth, alg_enc, alg_mac, algo_strength;
  401. int min_tls;
  402. const char *l, *buf;
  403. - int j, multi, found, rule, retval, ok, buflen;
  404. + int j, multi, found, rule, retval, ok, buflen, in_group = 0, has_group = 0;
  405. uint32_t cipher_id = 0;
  406. char ch;
  407. @@ -976,18 +982,66 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
  408. if (ch == '\0')
  409. break; /* done */
  410. - if (ch == '-') {
  411. + if (in_group) {
  412. + if (ch == ']') {
  413. + if (!in_group) {
  414. + SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
  415. + SSL_R_UNEXPECTED_GROUP_CLOSE);
  416. + retval = found = in_group = 0;
  417. + break;
  418. + }
  419. + if (*tail_p)
  420. + (*tail_p)->in_group = 0;
  421. + in_group = 0;
  422. + l++;
  423. + continue;
  424. + }
  425. + if (ch == '|') {
  426. + rule = CIPHER_ADD;
  427. + l++;
  428. + continue;
  429. + } else if (!(ch >= 'a' && ch <= 'z')
  430. + && !(ch >= 'A' && ch <= 'Z')
  431. + && !(ch >= '0' && ch <= '9')) {
  432. + SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
  433. + SSL_R_UNEXPECTED_OPERATOR_IN_GROUP);
  434. + retval = found = in_group = 0;
  435. + break;
  436. + } else {
  437. + rule = CIPHER_ADD;
  438. + }
  439. + } else if (ch == '-') {
  440. rule = CIPHER_DEL;
  441. l++;
  442. } else if (ch == '+') {
  443. rule = CIPHER_ORD;
  444. l++;
  445. + } else if (ch == '!' && has_group) {
  446. + SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
  447. + SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS);
  448. + retval = found = in_group = 0;
  449. + break;
  450. } else if (ch == '!') {
  451. rule = CIPHER_KILL;
  452. l++;
  453. + } else if (ch == '@' && has_group) {
  454. + SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
  455. + SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS);
  456. + retval = found = in_group = 0;
  457. + break;
  458. } else if (ch == '@') {
  459. rule = CIPHER_SPECIAL;
  460. l++;
  461. + } else if (ch == '[') {
  462. + if (in_group) {
  463. + SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_NESTED_GROUP);
  464. + retval = found = in_group = 0;
  465. + break;
  466. + }
  467. + in_group = 1;
  468. + has_group = 1;
  469. + l++;
  470. + continue;
  471. } else {
  472. rule = CIPHER_ADD;
  473. }
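Review bot: Two of the new error paths in this hunk are unreachable. The `if (!in_group)` test under `ch == ']'` sits inside `if (in_group)`, so `SSL_R_UNEXPECTED_GROUP_CLOSE` is never raised and a stray `]` outside a group falls through to the final `else` as `CIPHER_ADD`. The `if (in_group)` test under `ch == '['` is only reached when `in_group` is 0, so a nested `[` is reported as `SSL_R_UNEXPECTED_OPERATOR_IN_GROUP` rather than `SSL_R_NESTED_GROUP`. Separately, `-` and `+` are still accepted after a group although the new `ciphers.pod` text says later directives must be opcode-less. The rearrangement below makes both codes reachable; the enclosing loop starts and ends outside this hunk.

```c
        if (in_group) {
            if (ch == ']') {
                /* closing element of a group is stored with in_group == 0 */
                if (*tail_p)
                    (*tail_p)->in_group = 0;
                in_group = 0;
                l++;
                continue;
            }
            if (ch == '[') {
                SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_NESTED_GROUP);
                retval = found = in_group = 0;
                break;
            }
            /* … unchanged: '|' handling and the operator-in-group check … */
        } else if (ch == ']') {
            SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
                   SSL_R_UNEXPECTED_GROUP_CLOSE);
            retval = found = 0;
            break;
        } else if (ch == '-') {
            /* … unchanged: '-', '+', '!' and '@' arms … */
        } else if (ch == '[') {
            in_group = 1;
            has_group = 1;
            l++;
            continue;
        }
```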
  474. @@ -1012,7 +1066,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
  475. while (((ch >= 'A') && (ch <= 'Z')) ||
  476. ((ch >= '0') && (ch <= '9')) ||
  477. ((ch >= 'a') && (ch <= 'z')) ||
  478. - (ch == '-') || (ch == '.') || (ch == '='))
  479. + (ch == '-') || (ch == '.') || (ch == '=') || (ch == '_'))
  480. #else
  481. while (isalnum((unsigned char)ch) || (ch == '-') || (ch == '.')
  482. || (ch == '='))
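Review bot: `_` is added to the accepted token characters only in the first arm of this preprocessor conditional; the `#else` arm that uses `isalnum()` is left unchanged. Which arm a given build compiles is decided by a condition outside the hunk, so the same rule string can parse on one build and fail with `SSL_R_INVALID_COMMAND` on another. If `_` is meant to be legal in names, the second arm needs the same addition: `|| (ch == '=') || (ch == '_'))`.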
  483. @@ -1029,7 +1083,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
  484. * alphanumeric, so we call this an error.
  485. */
  486. SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_INVALID_COMMAND);
  487. - retval = found = 0;
  488. + retval = found = in_group = 0;
  489. l++;
  490. break;
  491. }
  492. @@ -1208,8 +1262,8 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
  493. } else if (found) {
  494. ssl_cipher_apply_rule(cipher_id,
  495. alg_mkey, alg_auth, alg_enc, alg_mac,
  496. - min_tls, algo_strength, rule, -1, head_p,
  497. - tail_p);
  498. + min_tls, algo_strength, rule, -1, in_group,
  499. + head_p, tail_p);
  500. } else {
  501. while ((*l != '\0') && !ITEM_SEP(*l))
  502. l++;
  503. @@ -1218,6 +1272,11 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
  504. break; /* done */
  505. }
  506. + if (in_group) {
  507. + SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_INVALID_COMMAND);
  508. + retval = 0;
  509. + }
  510. +
  511. return retval;
  512. }
  513. @@ -1382,7 +1441,7 @@ int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str)
  514. if (ret && ctx->cipher_list != NULL) {
  515. /* We already have a cipher_list, so we need to update it */
  516. - return update_cipher_list(&ctx->cipher_list, &ctx->cipher_list_by_id,
  517. + return update_cipher_list(&ctx->cipher_list->ciphers, &ctx->cipher_list_by_id,
  518. ctx->tls13_ciphersuites);
  519. }
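Review bot: `update_cipher_list()` now receives `&ctx->cipher_list->ciphers`, but the `in_group_flags` array in the same structure is indexed by position in that stack (`in_group_flags[i]` in `ssl3_choose_cipher`) and is not passed along. The body of `update_cipher_list()` is not in the visible hunks; if it inserts or removes TLS 1.3 entries, as its `tls13_ciphersuites` argument suggests, the flags no longer line up with the ciphers. If the stack then grows past the `num_in_group_flags` bytes allocated in `ssl_create_cipher_list`, the selection loop reads beyond the array. The same applies to the `SSL_set_ciphersuites` hunk that follows. Passing the whole preference list and rebuilding the flags alongside the stack, or at least documenting and asserting that the two lengths stay equal, would close this.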
  520. @@ -1395,7 +1454,7 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
  521. if (ret && s->cipher_list != NULL) {
  522. /* We already have a cipher_list, so we need to update it */
  523. - return update_cipher_list(&s->cipher_list, &s->cipher_list_by_id,
  524. + return update_cipher_list(&s->cipher_list->ciphers, &s->cipher_list_by_id,
  525. s->tls13_ciphersuites);
  526. }
  527. @@ -1404,17 +1463,20 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
  528. STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  529. STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
  530. - STACK_OF(SSL_CIPHER) **cipher_list,
  531. + struct ssl_cipher_preference_list_st **cipher_list,
  532. STACK_OF(SSL_CIPHER) **cipher_list_by_id,
  533. const char *rule_str,
  534. CERT *c)
  535. {
  536. - int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases, i;
  537. + int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
  538. uint32_t disabled_mkey, disabled_auth, disabled_enc, disabled_mac;
  539. - STACK_OF(SSL_CIPHER) *cipherstack;
  540. + STACK_OF(SSL_CIPHER) *cipherstack = NULL;
  541. const char *rule_p;
  542. CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
  543. const SSL_CIPHER **ca_list = NULL;
  544. + uint8_t *in_group_flags = NULL;
  545. + unsigned int num_in_group_flags = 0;
  546. + struct ssl_cipher_preference_list_st *pref_list = NULL;
  547. /*
  548. * Return with error if nothing to do.
  549. @@ -1463,16 +1525,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  550. * preference).
  551. */
  552. ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, 0, 0, 0, 0, CIPHER_ADD,
  553. - -1, &head, &tail);
  554. - ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head,
  555. - &tail);
  556. - ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head,
  557. - &tail);
  558. + -1, 0, &head, &tail);
  559. + ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_ADD, -1, 0,
  560. + &head, &tail);
  561. + ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, 0,
  562. + &head, &tail);
  563. /* Within each strength group, we prefer GCM over CHACHA... */
  564. - ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1,
  565. + ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1, 0,
  566. &head, &tail);
  567. - ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1,
  568. + ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1, 0,
  569. &head, &tail);
  570. /*
  571. @@ -1481,13 +1543,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  572. * strength.
  573. */
  574. ssl_cipher_apply_rule(0, 0, 0, SSL_AES ^ SSL_AESGCM, 0, 0, 0, CIPHER_ADD,
  575. - -1, &head, &tail);
  576. + -1, 0, &head, &tail);
  577. /* Temporarily enable everything else for sorting */
  578. - ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
  579. + ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, 0, &head, &tail);
  580. /* Low priority for MD5 */
  581. - ssl_cipher_apply_rule(0, 0, 0, 0, SSL_MD5, 0, 0, CIPHER_ORD, -1, &head,
  582. + ssl_cipher_apply_rule(0, 0, 0, 0, SSL_MD5, 0, 0, CIPHER_ORD, -1, 0, &head,
  583. &tail);
  584. /*
  585. @@ -1495,16 +1557,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  586. * disabled. (For applications that allow them, they aren't too bad, but
  587. * we prefer authenticated ciphers.)
  588. */
  589. - ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, &head,
  590. + ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, 0, &head,
  591. &tail);
  592. - ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head,
  593. + ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, 0, &head,
  594. &tail);
  595. - ssl_cipher_apply_rule(0, SSL_kPSK, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head,
  596. + ssl_cipher_apply_rule(0, SSL_kPSK, 0, 0, 0, 0, 0, CIPHER_ORD, -1, 0, &head,
  597. &tail);
  598. /* RC4 is sort-of broken -- move to the end */
  599. - ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, &head,
  600. + ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, 0, &head,
  601. &tail);
  602. /*
  603. @@ -1520,7 +1582,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  604. * Partially overrule strength sort to prefer TLS 1.2 ciphers/PRFs.
  605. * TODO(openssl-team): is there an easier way to accomplish all this?
  606. */
  607. - ssl_cipher_apply_rule(0, 0, 0, 0, 0, TLS1_2_VERSION, 0, CIPHER_BUMP, -1,
  608. + ssl_cipher_apply_rule(0, 0, 0, 0, 0, TLS1_2_VERSION, 0, CIPHER_BUMP, -1, 0,
  609. &head, &tail);
  610. /*
  611. @@ -1536,15 +1598,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  612. * Because we now bump ciphers to the top of the list, we proceed in
  613. * reverse order of preference.
  614. */
  615. - ssl_cipher_apply_rule(0, 0, 0, 0, SSL_AEAD, 0, 0, CIPHER_BUMP, -1,
  616. + ssl_cipher_apply_rule(0, 0, 0, 0, SSL_AEAD, 0, 0, CIPHER_BUMP, -1, 0,
  617. &head, &tail);
  618. ssl_cipher_apply_rule(0, SSL_kDHE | SSL_kECDHE, 0, 0, 0, 0, 0,
  619. - CIPHER_BUMP, -1, &head, &tail);
  620. + CIPHER_BUMP, -1, 0, &head, &tail);
  621. ssl_cipher_apply_rule(0, SSL_kDHE | SSL_kECDHE, 0, 0, SSL_AEAD, 0, 0,
  622. - CIPHER_BUMP, -1, &head, &tail);
  623. + CIPHER_BUMP, -1, 0, &head, &tail);
  624. +
  625. + ssl_cipher_apply_rule(0, 0, 0, 0, 0, TLS1_3_VERSION, 0, CIPHER_BUMP, -1, 0,
  626. + &head, &tail);
  627. /* Now disable everything (maintaining the ordering!) */
  628. - ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);
  629. + ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, 0, &head, &tail);
  630. /*
  631. * We also need cipher aliases for selecting based on the rule_str.
  632. @@ -1558,9 +1623,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  633. num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
  634. ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
  635. if (ca_list == NULL) {
  636. - OPENSSL_free(co_list);
  637. SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
  638. - return NULL; /* Failure */
  639. + goto err; /* Failure */
  640. }
  641. ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
  642. disabled_mkey, disabled_auth, disabled_enc,
  643. @@ -1585,28 +1649,19 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  644. OPENSSL_free(ca_list); /* Not needed anymore */
  645. - if (!ok) { /* Rule processing failure */
  646. - OPENSSL_free(co_list);
  647. - return NULL;
  648. - }
  649. + if (!ok)
  650. + goto err; /* Rule processing failure */
  651. /*
  652. * Allocate new "cipherstack" for the result, return with error
  653. * if we cannot get one.
  654. */
  655. - if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
  656. - OPENSSL_free(co_list);
  657. - return NULL;
  658. - }
  659. + if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL)
  660. + goto err;
  661. - /* Add TLSv1.3 ciphers first - we always prefer those if possible */
  662. - for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
  663. - if (!sk_SSL_CIPHER_push(cipherstack,
  664. - sk_SSL_CIPHER_value(tls13_ciphersuites, i))) {
  665. - sk_SSL_CIPHER_free(cipherstack);
  666. - return NULL;
  667. - }
  668. - }
  669. + in_group_flags = OPENSSL_malloc(num_of_ciphers);
  670. + if (!in_group_flags)
  671. + goto err;
  672. OSSL_TRACE_BEGIN(TLS_CIPHER) {
  673. BIO_printf(trc_out, "cipher selection:\n");
  674. @@ -1618,26 +1673,51 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  675. for (curr = head; curr != NULL; curr = curr->next) {
  676. if (curr->active) {
  677. if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
  678. - OPENSSL_free(co_list);
  679. - sk_SSL_CIPHER_free(cipherstack);
  680. OSSL_TRACE_CANCEL(TLS_CIPHER);
  681. - return NULL;
  682. + goto err;
  683. }
  684. + in_group_flags[num_in_group_flags++] = curr->in_group;
  685. if (trc_out != NULL)
  686. BIO_printf(trc_out, "<%s>\n", curr->cipher->name);
  687. }
  688. }
  689. OPENSSL_free(co_list); /* Not needed any longer */
  690. + co_list = NULL;
  691. OSSL_TRACE_END(TLS_CIPHER);
  692. - if (!update_cipher_list_by_id(cipher_list_by_id, cipherstack)) {
  693. - sk_SSL_CIPHER_free(cipherstack);
  694. - return NULL;
  695. - }
  696. - sk_SSL_CIPHER_free(*cipher_list);
  697. - *cipher_list = cipherstack;
  698. + if (!update_cipher_list_by_id(cipher_list_by_id, cipherstack))
  699. + goto err;
  700. +
  701. + pref_list = OPENSSL_malloc(sizeof(struct ssl_cipher_preference_list_st));
  702. + if (!pref_list)
  703. + goto err;
  704. + pref_list->ciphers = cipherstack;
  705. + pref_list->in_group_flags = OPENSSL_malloc(num_in_group_flags);
  706. + if (!pref_list->in_group_flags)
  707. + goto err;
  708. + memcpy(pref_list->in_group_flags, in_group_flags, num_in_group_flags);
  709. + OPENSSL_free(in_group_flags);
  710. + in_group_flags = NULL;
  711. + if (*cipher_list != NULL)
  712. + ssl_cipher_preference_list_free(*cipher_list);
  713. + *cipher_list = pref_list;
  714. + pref_list = NULL;
  715. return cipherstack;
  716. +
  717. +err:
  718. + if (co_list)
  719. + OPENSSL_free(co_list);
  720. + if (in_group_flags)
  721. + OPENSSL_free(in_group_flags);
  722. + if (cipherstack)
  723. + sk_SSL_CIPHER_free(cipherstack);
  724. + if (pref_list && pref_list->in_group_flags)
  725. + OPENSSL_free(pref_list->in_group_flags);
  726. + if (pref_list)
  727. + OPENSSL_free(pref_list);
  728. + return NULL;
  729. +
  730. }
  731. char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
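Review bot: `pref_list->in_group_flags = OPENSSL_malloc(num_in_group_flags);` fails whenever no cipher ended up active, because OPENSSL_malloc returns NULL for a zero-byte request. An empty selection therefore leaves through `err:` as if memory had run out, where the old code returned an empty stack for the caller to report (the SSL_CTX_new hunk still tests `sk_SSL_CIPHER_num(...) <= 0`). The scratch buffer is already allocated and filled, so the second allocation and the memcpy can be dropped by handing it over: `pref_list->in_group_flags = in_group_flags;` followed by `in_group_flags = NULL;`. The allocations placed after `update_cipher_list_by_id()` can also fail once `*cipher_list_by_id` has been replaced, leaving it out of step with `*cipher_list`; allocating `pref_list` before that call avoids this. The `err:` label relies on `co_list`, `in_group_flags`, `cipherstack` and `pref_list` starting as NULL, which is declared outside this hunk.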
  732. diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
  733. index ceae87bbc9..10836f3667 100644
  734. --- a/ssl/ssl_err.c
  735. +++ b/ssl/ssl_err.c
  736. @@ -967,6 +967,9 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
  737. "missing tmp ecdh key"},
  738. {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA),
  739. "mixed handshake and non handshake data"},
  740. + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS),
  741. + "mixed special operator with groups"},
  742. + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NESTED_GROUP), "nested group"},
  743. {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NOT_ON_RECORD_BOUNDARY),
  744. "not on record boundary"},
  745. {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NOT_REPLACING_CERTIFICATE),
  746. @@ -1205,7 +1208,11 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
  747. "unexpected ccs message"},
  748. {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_END_OF_EARLY_DATA),
  749. "unexpected end of early data"},
  750. + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_GROUP_CLOSE),
  751. + "unexpected group close"},
  752. {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_MESSAGE), "unexpected message"},
  753. + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_OPERATOR_IN_GROUP),
  754. + "unexpected operator in group"},
  755. {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_RECORD), "unexpected record"},
  756. {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},
  757. {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_ALERT_TYPE), "unknown alert type"},
  758. diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
  759. index f63e16b592..8f462b7108 100644
  760. --- a/ssl/ssl_lib.c
  761. +++ b/ssl/ssl_lib.c
  762. @@ -1120,6 +1120,71 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
  763. return X509_VERIFY_PARAM_set1(ssl->param, vpm);
  764. }
  765. +void ssl_cipher_preference_list_free(struct ssl_cipher_preference_list_st
  766. + *cipher_list)
  767. +{
  768. + sk_SSL_CIPHER_free(cipher_list->ciphers);
  769. + OPENSSL_free(cipher_list->in_group_flags);
  770. + OPENSSL_free(cipher_list);
  771. +}
  772. +
  773. +struct ssl_cipher_preference_list_st*
  774. +ssl_cipher_preference_list_dup(struct ssl_cipher_preference_list_st
  775. + *cipher_list)
  776. +{
  777. + struct ssl_cipher_preference_list_st* ret = NULL;
  778. + size_t n = sk_SSL_CIPHER_num(cipher_list->ciphers);
  779. +
  780. + ret = OPENSSL_malloc(sizeof(struct ssl_cipher_preference_list_st));
  781. + if (!ret)
  782. + goto err;
  783. + ret->ciphers = NULL;
  784. + ret->in_group_flags = NULL;
  785. + ret->ciphers = sk_SSL_CIPHER_dup(cipher_list->ciphers);
  786. + if (!ret->ciphers)
  787. + goto err;
  788. + ret->in_group_flags = OPENSSL_malloc(n);
  789. + if (!ret->in_group_flags)
  790. + goto err;
  791. + memcpy(ret->in_group_flags, cipher_list->in_group_flags, n);
  792. + return ret;
  793. +
  794. +err:
  795. + if (ret->ciphers)
  796. + sk_SSL_CIPHER_free(ret->ciphers);
  797. + if (ret)
  798. + OPENSSL_free(ret);
  799. + return NULL;
  800. +}
  801. +
  802. +struct ssl_cipher_preference_list_st*
  803. +ssl_cipher_preference_list_from_ciphers(STACK_OF(SSL_CIPHER) *ciphers)
  804. +{
  805. + struct ssl_cipher_preference_list_st* ret = NULL;
  806. + size_t n = sk_SSL_CIPHER_num(ciphers);
  807. +
  808. + ret = OPENSSL_malloc(sizeof(struct ssl_cipher_preference_list_st));
  809. + if (!ret)
  810. + goto err;
  811. + ret->ciphers = NULL;
  812. + ret->in_group_flags = NULL;
  813. + ret->ciphers = sk_SSL_CIPHER_dup(ciphers);
  814. + if (!ret->ciphers)
  815. + goto err;
  816. + ret->in_group_flags = OPENSSL_malloc(n);
  817. + if (!ret->in_group_flags)
  818. + goto err;
  819. + memset(ret->in_group_flags, 0, n);
  820. + return ret;
  821. +
  822. +err:
  823. + if (ret->ciphers)
  824. + sk_SSL_CIPHER_free(ret->ciphers);
  825. + if (ret)
  826. + OPENSSL_free(ret);
  827. + return NULL;
  828. +}
  829. +
  830. X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx)
  831. {
  832. return ctx->param;
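Review bot: Both `err:` blocks, in ssl_cipher_preference_list_dup and ssl_cipher_preference_list_from_ciphers, test `ret->ciphers` before `if (ret)`, so a failed first OPENSSL_malloc leads straight to a NULL dereference. ssl_cipher_preference_list_free also dereferences its argument unconditionally, unlike the sk_SSL_CIPHER_free it replaces, and the later hunks in SSL_CTX_free (@@ -3203) and tls_early_post_process_client_hello (@@ -1943 in ssl/statem/statem_srvr.c) call it on a field that is not checked for NULL first. Making the free helper accept NULL and calling it from both error paths addresses all of these; this is safe because `ret->ciphers` and `ret->in_group_flags` are set to NULL right after the allocation. Separately, `n` takes the int result of sk_SSL_CIPHER_num, so a NULL stack (-1 converted to size_t) or an empty one (OPENSSL_malloc(0) returns NULL) is not treated as a valid input.

```c
void ssl_cipher_preference_list_free(struct ssl_cipher_preference_list_st
                                     *cipher_list)
{
    /* Accept NULL, as sk_SSL_CIPHER_free() and OPENSSL_free() do. */
    if (cipher_list == NULL)
        return;
    /* … unchanged: free ciphers, in_group_flags and the struct … */
}

/* … unchanged: ssl_cipher_preference_list_dup up to "return ret;" … */
err:
    /* ret is NULL when the first allocation failed. */
    ssl_cipher_preference_list_free(ret);
    return NULL;
/* … ssl_cipher_preference_list_from_ciphers: same err: block … */
```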
  833. @@ -1164,7 +1229,8 @@ void SSL_free(SSL *s)
  834. BUF_MEM_free(s->init_buf);
  835. /* add extra stuff */
  836. - sk_SSL_CIPHER_free(s->cipher_list);
  837. + if (s->cipher_list != NULL)
  838. + ssl_cipher_preference_list_free(s->cipher_list);
  839. sk_SSL_CIPHER_free(s->cipher_list_by_id);
  840. sk_SSL_CIPHER_free(s->tls13_ciphersuites);
  841. @@ -2499,9 +2565,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
  842. {
  843. if (s != NULL) {
  844. if (s->cipher_list != NULL) {
  845. - return s->cipher_list;
  846. + return (s->cipher_list->ciphers);
  847. } else if ((s->ctx != NULL) && (s->ctx->cipher_list != NULL)) {
  848. - return s->ctx->cipher_list;
  849. + return (s->ctx->cipher_list->ciphers);
  850. }
  851. }
  852. return NULL;
  853. @@ -2575,8 +2641,8 @@ const char *SSL_get_cipher_list(const SSL *s, int n)
  854. * preference */
  855. STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx)
  856. {
  857. - if (ctx != NULL)
  858. - return ctx->cipher_list;
  859. + if (ctx != NULL && ctx->cipher_list != NULL)
  860. + return ctx->cipher_list->ciphers;
  861. return NULL;
  862. }
  863. @@ -3027,7 +3093,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
  864. ret->tls13_ciphersuites,
  865. &ret->cipher_list, &ret->cipher_list_by_id,
  866. SSL_DEFAULT_CIPHER_LIST, ret->cert)
  867. - || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
  868. + || sk_SSL_CIPHER_num(ret->cipher_list->ciphers) <= 0) {
  869. SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
  870. goto err2;
  871. }
  872. @@ -3203,7 +3269,7 @@ void SSL_CTX_free(SSL_CTX *a)
  873. #ifndef OPENSSL_NO_CT
  874. CTLOG_STORE_free(a->ctlog_store);
  875. #endif
  876. - sk_SSL_CIPHER_free(a->cipher_list);
  877. + ssl_cipher_preference_list_free(a->cipher_list);
  878. sk_SSL_CIPHER_free(a->cipher_list_by_id);
  879. sk_SSL_CIPHER_free(a->tls13_ciphersuites);
  880. ssl_cert_free(a->cert);
  881. @@ -3879,13 +3945,15 @@ SSL *SSL_dup(SSL *s)
  882. /* dup the cipher_list and cipher_list_by_id stacks */
  883. if (s->cipher_list != NULL) {
  884. - if ((ret->cipher_list = sk_SSL_CIPHER_dup(s->cipher_list)) == NULL)
  885. + ret->cipher_list = ssl_cipher_preference_list_dup(s->cipher_list);
  886. + if (ret->cipher_list == NULL)
  887. goto err;
  888. }
  889. - if (s->cipher_list_by_id != NULL)
  890. - if ((ret->cipher_list_by_id = sk_SSL_CIPHER_dup(s->cipher_list_by_id))
  891. - == NULL)
  892. + if (s->cipher_list_by_id != NULL) {
  893. + ret->cipher_list_by_id = sk_SSL_CIPHER_dup(s->cipher_list_by_id);
  894. + if (ret->cipher_list_by_id == NULL)
  895. goto err;
  896. + }
  897. /* Dup the client_CA list */
  898. if (!dup_ca_names(&ret->ca_names, s->ca_names)
  899. diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
  900. index 1d3397d880..265c32d15e 100644
  901. --- a/ssl/ssl_locl.h
  902. +++ b/ssl/ssl_locl.h
  903. @@ -744,9 +744,46 @@ typedef struct ssl_ctx_ext_secure_st {
  904. unsigned char tick_aes_key[TLSEXT_TICK_KEY_LENGTH];
  905. } SSL_CTX_EXT_SECURE;
  906. +/* ssl_cipher_preference_list_st contains a list of SSL_CIPHERs with
  907. + * equal-preference groups. For TLS clients, the groups are moot because the
  908. + * server picks the cipher and groups cannot be expressed on the wire. However,
  909. + * for servers, the equal-preference groups allow the client's preferences to
  910. + * be partially respected. (This only has an effect with
  911. + * SSL_OP_CIPHER_SERVER_PREFERENCE).
  912. + *
  913. + * The equal-preference groups are expressed by grouping SSL_CIPHERs together.
  914. + * All elements of a group have the same priority: no ordering is expressed
  915. + * within a group.
  916. + *
  917. + * The values in |ciphers| are in one-to-one correspondence with
  918. + * |in_group_flags|. (That is, sk_SSL_CIPHER_num(ciphers) is the number of
  919. + * bytes in |in_group_flags|.) The bytes in |in_group_flags| are either 1, to
  920. + * indicate that the corresponding SSL_CIPHER is not the last element of a
  921. + * group, or 0 to indicate that it is.
  922. + *
  923. + * For example, if |in_group_flags| contains all zeros then that indicates a
  924. + * traditional, fully-ordered preference. Every SSL_CIPHER is the last element
  925. + * of the group (i.e. they are all in a one-element group).
  926. + *
  927. + * For a more complex example, consider:
  928. + * ciphers: A B C D E F
  929. + * in_group_flags: 1 1 0 0 1 0
  930. + *
  931. + * That would express the following, order:
  932. + *
  933. + * A E
  934. + * B -> D -> F
  935. + * C
  936. + */
  937. +struct ssl_cipher_preference_list_st {
  938. + STACK_OF(SSL_CIPHER) *ciphers;
  939. + uint8_t *in_group_flags;
  940. +};
  941. +
  942. +
  943. struct ssl_ctx_st {
  944. const SSL_METHOD *method;
  945. - STACK_OF(SSL_CIPHER) *cipher_list;
  946. + struct ssl_cipher_preference_list_st *cipher_list;
  947. /* same as above but sorted for lookup */
  948. STACK_OF(SSL_CIPHER) *cipher_list_by_id;
  949. /* TLSv1.3 specific ciphersuites */
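Review bot: The comment on ssl_cipher_preference_list_st should also say who keeps `in_group_flags` the same length as `ciphers`, since the struct stores no length of its own and the SSL_get_ciphers and SSL_CTX_get_ciphers hunks hand the inner stack to callers as a non-const pointer. Code that pushes onto or deletes from that stack would leave the flags array shorter or misaligned, and a reader indexing the flags by stack position could then read past the allocation; the consumer is not in this view, so this is inferred. Suggested addition: `/* |in_group_flags| is sized when the list is built; never resize |ciphers| in place, build a new list instead. */`. The sentence "That would express the following, order:" also has a stray comma.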
  950. @@ -1145,7 +1182,7 @@ struct ssl_st {
  951. /* Per connection DANE state */
  952. SSL_DANE dane;
  953. /* crypto */
  954. - STACK_OF(SSL_CIPHER) *cipher_list;
  955. + struct ssl_cipher_preference_list_st *cipher_list;
  956. STACK_OF(SSL_CIPHER) *cipher_list_by_id;
  957. /* TLSv1.3 specific ciphersuites */
  958. STACK_OF(SSL_CIPHER) *tls13_ciphersuites;
  959. @@ -2278,7 +2315,7 @@ __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
  960. const SSL_CIPHER *const *bp);
  961. __owur STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  962. STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
  963. - STACK_OF(SSL_CIPHER) **cipher_list,
  964. + struct ssl_cipher_preference_list_st **cipher_list,
  965. STACK_OF(SSL_CIPHER) **cipher_list_by_id,
  966. const char *rule_str,
  967. CERT *c);
  968. @@ -2288,6 +2325,13 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
  969. STACK_OF(SSL_CIPHER) **scsvs, int sslv2format,
  970. int fatal);
  971. void ssl_update_cache(SSL *s, int mode);
  972. +struct ssl_cipher_preference_list_st* ssl_cipher_preference_list_dup(
  973. + struct ssl_cipher_preference_list_st *cipher_list);
  974. +void ssl_cipher_preference_list_free(
  975. + struct ssl_cipher_preference_list_st *cipher_list);
  976. +struct ssl_cipher_preference_list_st* ssl_cipher_preference_list_from_ciphers(
  977. + STACK_OF(SSL_CIPHER) *ciphers);
  978. +struct ssl_cipher_preference_list_st* ssl_get_cipher_preferences(SSL *s);
  979. __owur int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
  980. const EVP_MD **md, int *mac_pkey_type,
  981. size_t *mac_secret_size, SSL_COMP **comp,
  982. @@ -2371,7 +2415,7 @@ __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt,
  983. CERT_PKEY *cpk);
  984. __owur const SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,
  985. STACK_OF(SSL_CIPHER) *clnt,
  986. - STACK_OF(SSL_CIPHER) *srvr);
  987. + struct ssl_cipher_preference_list_st *srvr);
  988. __owur int ssl3_digest_cached_records(SSL *s, int keep);
  989. __owur int ssl3_new(SSL *s);
  990. void ssl3_free(SSL *s);
  991. diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
  992. index e482e2d074..f81fe86291 100644
  993. --- a/ssl/statem/statem_srvr.c
  994. +++ b/ssl/statem/statem_srvr.c
  995. @@ -1751,7 +1751,7 @@ static int tls_early_post_process_client_hello(SSL *s)
  996. /* For TLSv1.3 we must select the ciphersuite *before* session resumption */
  997. if (SSL_IS_TLS13(s)) {
  998. const SSL_CIPHER *cipher =
  999. - ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s));
  1000. + ssl3_choose_cipher(s, ciphers, ssl_get_cipher_preferences(s));
  1001. if (cipher == NULL) {
  1002. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1003. @@ -1934,7 +1934,7 @@ static int tls_early_post_process_client_hello(SSL *s)
  1004. /* check if some cipher was preferred by call back */
  1005. if (pref_cipher == NULL)
  1006. pref_cipher = ssl3_choose_cipher(s, s->session->ciphers,
  1007. - SSL_get_ciphers(s));
  1008. + ssl_get_cipher_preferences(s));
  1009. if (pref_cipher == NULL) {
  1010. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1011. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1012. @@ -1943,8 +1943,9 @@ static int tls_early_post_process_client_hello(SSL *s)
  1013. }
  1014. s->session->cipher = pref_cipher;
  1015. - sk_SSL_CIPHER_free(s->cipher_list);
  1016. - s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
  1017. + ssl_cipher_preference_list_free(s->cipher_list);
  1018. + s->cipher_list = ssl_cipher_preference_list_from_ciphers(
  1019. + s->session->ciphers);
  1020. sk_SSL_CIPHER_free(s->cipher_list_by_id);
  1021. s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
  1022. }
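Review bot: The result of `ssl_cipher_preference_list_from_ciphers(s->session->ciphers)` is stored in `s->cipher_list` without a check, and that helper returns NULL on allocation failure. What a NULL `s->cipher_list` then means depends on ssl_get_cipher_preferences, which is not shown here; if it falls back to the context's list, the restriction chosen in this branch would be dropped silently. A check such as `if (s->cipher_list == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, ERR_R_MALLOC_FAILURE); goto err; }` would fail the handshake instead, assuming the function's existing error label. The function body extends beyond this hunk.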
  1023. @@ -2258,7 +2259,7 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
  1024. /* In TLSv1.3 we selected the ciphersuite before resumption */
  1025. if (!SSL_IS_TLS13(s)) {
  1026. cipher =
  1027. - ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
  1028. + ssl3_choose_cipher(s, s->session->ciphers, ssl_get_cipher_preferences(s));
  1029. if (cipher == NULL) {
  1030. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,