
openssl-equal-3.0.0-dev_ciphers.patch 47KB

  1. diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
  2. index 7c915d4645..d8c8d714b9 100644
  3. --- a/crypto/err/openssl.txt
  4. +++ b/crypto/err/openssl.txt
  5. @@ -2128,7 +2128,6 @@ CONF_R_UNKNOWN_MODULE_NAME:113:unknown module name
  6. CONF_R_VARIABLE_EXPANSION_TOO_LONG:116:variable expansion too long
  7. CONF_R_VARIABLE_HAS_NO_VALUE:104:variable has no value
  8. CRMF_R_BAD_PBM_ITERATIONCOUNT:100:bad pbm iterationcount
  9. -CRMF_R_MALFORMED_IV:101:malformed iv
  10. CRMF_R_CRMFERROR:102:crmferror
  11. CRMF_R_ERROR:103:error
  12. CRMF_R_ERROR_DECODING_CERTIFICATE:104:error decoding certificate
  13. @@ -2136,6 +2135,7 @@ CRMF_R_ERROR_DECRYPTING_CERTIFICATE:105:error decrypting certificate
  14. CRMF_R_ERROR_DECRYPTING_SYMMETRIC_KEY:106:error decrypting symmetric key
  15. CRMF_R_FAILURE_OBTAINING_RANDOM:107:failure obtaining random
  16. CRMF_R_ITERATIONCOUNT_BELOW_100:108:iterationcount below 100
  17. +CRMF_R_MALFORMED_IV:101:malformed iv
  18. CRMF_R_NULL_ARGUMENT:109:null argument
  19. CRMF_R_SETTING_MAC_ALGOR_FAILURE:110:setting mac algor failure
  20. CRMF_R_SETTING_OWF_ALGOR_FAILURE:111:setting owf algor failure
  21. @@ -2865,6 +2865,8 @@ SSL_R_MISSING_TMP_DH_KEY:171:missing tmp dh key
  22. SSL_R_MISSING_TMP_ECDH_KEY:311:missing tmp ecdh key
  23. SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA:293:\
  24. mixed handshake and non handshake data
  25. +SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS:294:mixed special operator with groups
  26. +SSL_R_NESTED_GROUP:295:nested group
  27. SSL_R_NOT_ON_RECORD_BOUNDARY:182:not on record boundary
  28. SSL_R_NOT_REPLACING_CERTIFICATE:289:not replacing certificate
  29. SSL_R_NOT_SERVER:284:not server
  30. @@ -2973,7 +2975,9 @@ SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES:242:unable to load ssl3 md5 routines
  31. SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES:243:unable to load ssl3 sha1 routines
  32. SSL_R_UNEXPECTED_CCS_MESSAGE:262:unexpected ccs message
  33. SSL_R_UNEXPECTED_END_OF_EARLY_DATA:178:unexpected end of early data
  34. +SSL_R_UNEXPECTED_GROUP_CLOSE:296:unexpected group close
  35. SSL_R_UNEXPECTED_MESSAGE:244:unexpected message
  36. +SSL_R_UNEXPECTED_OPERATOR_IN_GROUP:297:unexpected operator in group
  37. SSL_R_UNEXPECTED_RECORD:245:unexpected record
  38. SSL_R_UNINITIALIZED:276:uninitialized
  39. SSL_R_UNKNOWN_ALERT_TYPE:246:unknown alert type
  40. diff --git a/doc/man1/ciphers.pod b/doc/man1/ciphers.pod
  41. index e29c5d7ced..7d795c390e 100644
  42. --- a/doc/man1/ciphers.pod
  43. +++ b/doc/man1/ciphers.pod
  44. @@ -400,6 +400,21 @@ permissible.
  45. =back
  46. +=head1 EQUAL PREFERENCE GROUPS
  47. +
  48. +If configuring a server, one may also configure equal-preference groups to
  49. +partially respect the client's preferences when
  50. +B<SSL_OP_CIPHER_SERVER_PREFERENCE> is enabled. Ciphers in an equal-preference
  51. +group have equal priority and use the client order. This may be used to
  52. +enforce that AEADs are preferred but select AES-GCM vs. ChaCha20-Poly1305
  53. +based on client preferences. An equal-preference is specified with square
  54. +brackets, combining multiple selectors separated by |. For example:
  55. +
  56. + [ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]
  57. +
  58. + Once an equal-preference group is used, future directives must be
  59. + opcode-less.
  60. +
  61. =head1 CIPHER SUITE NAMES
  62. The following lists give the SSL or TLS cipher suites names from the
  63. diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h
  64. index 4603ef4274..fac8736d1d 100644
  65. --- a/include/openssl/sslerr.h
  66. +++ b/include/openssl/sslerr.h
  67. @@ -601,6 +601,8 @@ int ERR_load_SSL_strings(void);
  68. # define SSL_R_MISSING_TMP_DH_KEY 171
  69. # define SSL_R_MISSING_TMP_ECDH_KEY 311
  70. # define SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA 293
  71. +# define SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS 294
  72. +# define SSL_R_NESTED_GROUP 295
  73. # define SSL_R_NOT_ON_RECORD_BOUNDARY 182
  74. # define SSL_R_NOT_REPLACING_CERTIFICATE 289
  75. # define SSL_R_NOT_SERVER 284
  76. @@ -733,7 +735,9 @@ int ERR_load_SSL_strings(void);
  77. # define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 243
  78. # define SSL_R_UNEXPECTED_CCS_MESSAGE 262
  79. # define SSL_R_UNEXPECTED_END_OF_EARLY_DATA 178
  80. +# define SSL_R_UNEXPECTED_GROUP_CLOSE 296
  81. # define SSL_R_UNEXPECTED_MESSAGE 244
  82. +# define SSL_R_UNEXPECTED_OPERATOR_IN_GROUP 297
  83. # define SSL_R_UNEXPECTED_RECORD 245
  84. # define SSL_R_UNINITIALIZED 276
  85. # define SSL_R_UNKNOWN_ALERT_TYPE 246
  86. diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
  87. index a3639fd18c..3f830c5d40 100644
  88. --- a/ssl/s3_lib.c
  89. +++ b/ssl/s3_lib.c
  90. @@ -32,7 +32,25 @@ const unsigned char tls12downgrade[] = {
  91. };
  92. /* The list of available TLSv1.3 ciphers */
  93. +/* Since nginx can not set the TLS 1.3 cipher, remove it temporarily. */
  94. static SSL_CIPHER tls13_ciphers[] = {
  95. + {
  96. + 0,
  97. + }
  98. +};
  99. +
  100. +/*
  101. + * The list of available ciphers, mostly organized into the following
  102. + * groups:
  103. + * Always there
  104. + * EC
  105. + * PSK
  106. + * SRP (within that: RSA EC PSK)
  107. + * Cipher families: Chacha/poly, Camellia, Gost, IDEA, SEED
  108. + * Weak ciphers
  109. + */
  110. +static SSL_CIPHER ssl3_ciphers[] = {
  111. + /* TLSv1.3 ciphers */
  112. {
  113. 1,
  114. TLS1_3_RFC_AES_128_GCM_SHA256,
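Review bot: The placeholder left in `tls13_ciphers` (`{ 0, }`) has `valid == 0` and NULL name fields, and the comment above it does not say which invariants that single entry must keep; any walk over `tls13_ciphers` elsewhere in the file (not visible in this hunk) now has to tolerate an entry with NULL names. Moving the TLS 1.3 suites into `ssl3_ciphers` also makes them subject to the ordinary cipher-list rule string, so an existing string that enumerates only TLS 1.2 suites would presumably leave a server with no TLS 1.3 suite at all. I would extend the comment to state both, e.g. `/* Placeholder only (valid = 0, NULL names): TLS 1.3 suites live in ssl3_ciphers and follow the cipher-list string. */`. The `ssl3_ciphers` initializer continues outside the hunk.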
  115. @@ -112,20 +130,8 @@ static SSL_CIPHER tls13_ciphers[] = {
  116. SSL_HANDSHAKE_MAC_SHA256,
  117. 128,
  118. 128,
  119. - }
  120. -};
  121. -
  122. -/*
  123. - * The list of available ciphers, mostly organized into the following
  124. - * groups:
  125. - * Always there
  126. - * EC
  127. - * PSK
  128. - * SRP (within that: RSA EC PSK)
  129. - * Cipher families: Chacha/poly, Camellia, Gost, IDEA, SEED
  130. - * Weak ciphers
  131. - */
  132. -static SSL_CIPHER ssl3_ciphers[] = {
  133. + },
  134. + /* List of cipher below TLSv1.3 */
  135. {
  136. 1,
  137. SSL3_TXT_RSA_NULL_MD5,
  138. @@ -168,7 +174,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
  139. SSL_aRSA,
  140. SSL_3DES,
  141. SSL_SHA1,
  142. - SSL3_VERSION, TLS1_2_VERSION,
  143. + SSL3_VERSION, TLS1_VERSION,
  144. DTLS1_BAD_VER, DTLS1_2_VERSION,
  145. SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
  146. SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
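Review bot: Lowering the TLS ceiling of this `SSL_3DES`/`SSL_SHA1` entry from `TLS1_2_VERSION` to `TLS1_VERSION` is a negotiation-policy change made without a comment, and the DTLS range on the next line stays at `DTLS1_2_VERSION`, so the same suite remains selectable under DTLS 1.2. The same edit is applied to the `SSL_AES128` and `SSL_AES256` SHA1 entries in the next two hunks. If the intent is to keep these SHA1-MAC suites only as a fallback for legacy clients, say so next to each entry, e.g. `/* max_tls capped at TLS 1.0: legacy fallback only */`, and decide explicitly whether the DTLS bound should be capped as well. The table entries start above the hunks, so their key-exchange field is not visible here.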
  147. @@ -233,7 +239,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
  148. SSL_aRSA,
  149. SSL_AES128,
  150. SSL_SHA1,
  151. - SSL3_VERSION, TLS1_2_VERSION,
  152. + SSL3_VERSION, TLS1_VERSION,
  153. DTLS1_BAD_VER, DTLS1_2_VERSION,
  154. SSL_HIGH | SSL_FIPS,
  155. SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
  156. @@ -297,7 +303,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
  157. SSL_aRSA,
  158. SSL_AES256,
  159. SSL_SHA1,
  160. - SSL3_VERSION, TLS1_2_VERSION,
  161. + SSL3_VERSION, TLS1_VERSION,
  162. DTLS1_BAD_VER, DTLS1_2_VERSION,
  163. SSL_HIGH | SSL_FIPS,
  164. SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
  165. @@ -4125,6 +4131,17 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
  166. return 1;
  167. }
  168. +struct ssl_cipher_preference_list_st* ssl_get_cipher_preferences(SSL *s)
  169. +{
  170. + if (s->cipher_list != NULL)
  171. + return (s->cipher_list);
  172. +
  173. + if ((s->ctx != NULL) && (s->ctx->cipher_list != NULL))
  174. + return (s->ctx->cipher_list);
  175. +
  176. + return NULL;
  177. +}
  178. +
  179. /*
  180. * ssl3_choose_cipher - choose a cipher from those offered by the client
  181. * @s: SSL connection
  182. @@ -4134,16 +4151,24 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
  183. * Returns the selected cipher or NULL when no common ciphers.
  184. */
  185. const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
  186. - STACK_OF(SSL_CIPHER) *srvr)
  187. + struct ssl_cipher_preference_list_st
  188. + *server_pref)
  189. {
  190. const SSL_CIPHER *c, *ret = NULL;
  191. - STACK_OF(SSL_CIPHER) *prio, *allow;
  192. - int i, ii, ok, prefer_sha256 = 0;
  193. + STACK_OF(SSL_CIPHER) *srvr = server_pref->ciphers, *prio, *allow;
  194. + int i, ii, ok, prefer_sha256 = 0, safari_ec = 0;
  195. unsigned long alg_k = 0, alg_a = 0, mask_k = 0, mask_a = 0;
  196. const EVP_MD *mdsha256 = EVP_sha256();
  197. -#ifndef OPENSSL_NO_CHACHA
  198. - STACK_OF(SSL_CIPHER) *prio_chacha = NULL;
  199. -#endif
  200. +
  201. + /* in_group_flags will either be NULL, or will point to an array of
  202. + * bytes which indicate equal-preference groups in the |prio| stack.
  203. + * See the comment about |in_group_flags| in the
  204. + * |ssl_cipher_preference_list_st| struct. */
  205. + const uint8_t *in_group_flags;
  206. +
  207. + /* group_min contains the minimal index so far found in a group, or -1
  208. + * if no such value exists yet. */
  209. + int group_min = -1;
  210. /* Let's see which ciphers we can support */
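Review bot: `server_pref` is dereferenced in the declaration `*srvr = server_pref->ciphers` before any check, while the `ssl_get_cipher_preferences()` helper added in the previous hunk returns NULL when neither the connection nor its context has a list. The callers are not part of this section, so whether NULL can reach this point is not visible. Either initialise `srvr` after a guard such as `if (server_pref == NULL) return NULL;`, or state the non-NULL precondition in the header comment above the function. That comment presumably still describes the old `srvr` parameter (its parameter lines fall between the hunks) and should be updated to `@server_pref` in the same change.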
  211. @@ -4170,54 +4195,13 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
  212. } OSSL_TRACE_END(TLS_CIPHER);
  213. /* SUITE-B takes precedence over server preference and ChaCha priortiy */
  214. - if (tls1_suiteb(s)) {
  215. + if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || tls1_suiteb(s)) {
  216. prio = srvr;
  217. + in_group_flags = server_pref->in_group_flags;
  218. allow = clnt;
  219. - } else if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
  220. - prio = srvr;
  221. - allow = clnt;
  222. -#ifndef OPENSSL_NO_CHACHA
  223. - /* If ChaCha20 is at the top of the client preference list,
  224. - and there are ChaCha20 ciphers in the server list, then
  225. - temporarily prioritize all ChaCha20 ciphers in the servers list. */
  226. - if (s->options & SSL_OP_PRIORITIZE_CHACHA && sk_SSL_CIPHER_num(clnt) > 0) {
  227. - c = sk_SSL_CIPHER_value(clnt, 0);
  228. - if (c->algorithm_enc == SSL_CHACHA20POLY1305) {
  229. - /* ChaCha20 is client preferred, check server... */
  230. - int num = sk_SSL_CIPHER_num(srvr);
  231. - int found = 0;
  232. - for (i = 0; i < num; i++) {
  233. - c = sk_SSL_CIPHER_value(srvr, i);
  234. - if (c->algorithm_enc == SSL_CHACHA20POLY1305) {
  235. - found = 1;
  236. - break;
  237. - }
  238. - }
  239. - if (found) {
  240. - prio_chacha = sk_SSL_CIPHER_new_reserve(NULL, num);
  241. - /* if reserve fails, then there's likely a memory issue */
  242. - if (prio_chacha != NULL) {
  243. - /* Put all ChaCha20 at the top, starting with the one we just found */
  244. - sk_SSL_CIPHER_push(prio_chacha, c);
  245. - for (i++; i < num; i++) {
  246. - c = sk_SSL_CIPHER_value(srvr, i);
  247. - if (c->algorithm_enc == SSL_CHACHA20POLY1305)
  248. - sk_SSL_CIPHER_push(prio_chacha, c);
  249. - }
  250. - /* Pull in the rest */
  251. - for (i = 0; i < num; i++) {
  252. - c = sk_SSL_CIPHER_value(srvr, i);
  253. - if (c->algorithm_enc != SSL_CHACHA20POLY1305)
  254. - sk_SSL_CIPHER_push(prio_chacha, c);
  255. - }
  256. - prio = prio_chacha;
  257. - }
  258. - }
  259. - }
  260. - }
  261. -# endif
  262. } else {
  263. prio = clnt;
  264. + in_group_flags = NULL;
  265. allow = srvr;
  266. }
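Review bot: Removing the `SSL_OP_PRIORITIZE_CHACHA` branch turns that option into a silent no-op in this function: an application that sets it gets no error, but the server list is no longer reordered for it. The retained comment `SUITE-B takes precedence over server preference and ChaCha priortiy` is now stale, and folding Suite B into the same condition means `server_pref->in_group_flags` is also honoured on Suite B connections, so client order decides inside a group there too; that is worth confirming as intended. I would replace the comment with something like `/* Server preference and Suite B use the server list and its equal-preference groups; SSL_OP_PRIORITIZE_CHACHA is not honoured here. */` and parenthesise the bit test: `if ((s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) || tls1_suiteb(s)) {`.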
  267. @@ -4248,14 +4232,16 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
  268. for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
  269. c = sk_SSL_CIPHER_value(prio, i);
  270. + ok = 1;
  271. +
  272. /* Skip ciphers not supported by the protocol version */
  273. if (!SSL_IS_DTLS(s) &&
  274. ((s->version < c->min_tls) || (s->version > c->max_tls)))
  275. - continue;
  276. + ok = 0;
  277. if (SSL_IS_DTLS(s) &&
  278. (DTLS_VERSION_LT(s->version, c->min_dtls) ||
  279. DTLS_VERSION_GT(s->version, c->max_dtls)))
  280. - continue;
  281. + ok = 0;
  282. /*
  283. * Since TLS 1.3 ciphersuites can be used with any auth or
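Review bot: Replacing `continue` with `ok = 0` in the two version-range checks only skips the cipher if `ok` is tested later, and the only test visible in this diff is the `if (!ok) continue;` inside the block that the trailing comment here introduces. If that block is still bypassed for TLS 1.3 connections (its condition lies outside the hunk), a suite whose `min_tls`/`max_tls` or DTLS range excludes the negotiated version now falls through to `sk_SSL_CIPHER_find(allow, c)` and can be selected. Gate the lookup on the flag, e.g. `ii = ok ? sk_SSL_CIPHER_find(allow, c) : -1;`, so a rejected suite can never match while the group bookkeeping at the end of the loop still runs.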
  284. @@ -4277,10 +4263,10 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
  285. #ifndef OPENSSL_NO_PSK
  286. /* with PSK there must be server callback set */
  287. if ((alg_k & SSL_PSK) && s->psk_server_callback == NULL)
  288. - continue;
  289. + ok = 0;
  290. #endif /* OPENSSL_NO_PSK */
  291. - ok = (alg_k & mask_k) && (alg_a & mask_a);
  292. + ok = ok && (alg_k & mask_k) && (alg_a & mask_a);
  293. OSSL_TRACE7(TLS_CIPHER,
  294. "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n",
  295. ok, alg_k, alg_a, mask_k, mask_a, (void *)c, c->name);
  296. @@ -4296,6 +4282,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
  297. if (!ok)
  298. continue;
  299. +
  300. + safari_ec = 0;
  301. +#if !defined(OPENSSL_NO_EC)
  302. + if ((alg_k & SSL_kECDHE) && (alg_a & SSL_aECDSA)) {
  303. + if (s->s3->is_probably_safari)
  304. + safari_ec = 1;
  305. + }
  306. +#endif
  307. }
  308. ii = sk_SSL_CIPHER_find(allow, c);
  309. if (ii >= 0) {
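Review bot: `safari_ec` is reset to 0 only inside this block, after `if (!ok) continue;`, so on any iteration that does not enter the block the flag keeps the value computed for an earlier cipher and is then applied to the current one in the selection code below. The block's opening condition is outside the hunk, so whether it can be skipped is inferred rather than shown. Resetting the flag at the top of the loop body, next to `ok = 1;` (`safari_ec = 0;`), keeps it tied to the cipher being examined.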
  310. @@ -4303,14 +4297,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
  311. if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED,
  312. c->strength_bits, 0, (void *)c))
  313. continue;
  314. -#if !defined(OPENSSL_NO_EC)
  315. - if ((alg_k & SSL_kECDHE) && (alg_a & SSL_aECDSA)
  316. - && s->s3->is_probably_safari) {
  317. - if (!ret)
  318. - ret = sk_SSL_CIPHER_value(allow, ii);
  319. - continue;
  320. - }
  321. -#endif
  322. +
  323. if (prefer_sha256) {
  324. const SSL_CIPHER *tmp = sk_SSL_CIPHER_value(allow, ii);
  325. @@ -4322,13 +4309,38 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
  326. ret = tmp;
  327. continue;
  328. }
  329. - ret = sk_SSL_CIPHER_value(allow, ii);
  330. +
  331. + if (in_group_flags != NULL && in_group_flags[i] == 1) {
  332. + /* This element of |prio| is in a group. Update
  333. + * the minimum index found so far and continue
  334. + * looking. */
  335. + if (group_min == -1 || group_min > ii)
  336. + group_min = ii;
  337. + } else {
  338. + if (group_min != -1 && group_min < ii)
  339. + ii = group_min;
  340. + if (safari_ec) {
  341. + if (!ret)
  342. + ret = sk_SSL_CIPHER_value(allow, ii);
  343. + continue;
  344. + }
  345. + ret = sk_SSL_CIPHER_value(allow, ii);
  346. + break;
  347. + }
  348. + }
  349. +
  350. + if (in_group_flags != NULL && !in_group_flags[i] && group_min != -1) {
  351. + /* We are about to leave a group, but we found a match
  352. + * in it, so that's our answer. */
  353. + if (safari_ec) {
  354. + if (!ret)
  355. + ret = sk_SSL_CIPHER_value(allow, group_min);
  356. + continue;
  357. + }
  358. + ret = sk_SSL_CIPHER_value(allow, group_min);
  359. break;
  360. }
  361. }
  362. -#ifndef OPENSSL_NO_CHACHA
  363. - sk_SSL_CIPHER_free(prio_chacha);
  364. -#endif
  365. return ret;
  366. }
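Review bot: `group_min` is never set back to -1 in the visible hunks, and both Safari branches `continue` after recording a fallback in `ret`, so a match from a finished group stays pending. On the next non-group entry the test `!in_group_flags[i] && group_min != -1` fires even if that entry did not match, and `ret = sk_SSL_CIPHER_value(allow, group_min); break;` then selects the ECDHE-ECDSA suite that the Safari workaround meant to keep only as a last resort. The earlier `continue` statements in the loop (the `!ok` path, the `ssl_security()` rejection and the `prefer_sha256` path) also jump over this leave-group block, so when the last member of a group is rejected the group is not closed and its `group_min` is compared against later, lower-priority entries. Clear the state whenever a group is left, e.g. `group_min = -1;` before the `continue` in each Safari branch, and let rejected ciphers reach the leave-group check instead of skipping it.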
  367. diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
  368. index 5aa04dbd53..655e259c9b 100644
  369. --- a/ssl/ssl_ciph.c
  370. +++ b/ssl/ssl_ciph.c
  371. @@ -193,6 +193,7 @@ typedef struct cipher_order_st {
  372. const SSL_CIPHER *cipher;
  373. int active;
  374. int dead;
  375. + int in_group;
  376. struct cipher_order_st *next, *prev;
  377. } CIPHER_ORDER;
  378. @@ -297,6 +298,7 @@ static const SSL_CIPHER cipher_aliases[] = {
  379. {0, SSL_TXT_TLSV1, NULL, 0, 0, 0, 0, 0, TLS1_VERSION},
  380. {0, "TLSv1.0", NULL, 0, 0, 0, 0, 0, TLS1_VERSION},
  381. {0, SSL_TXT_TLSV1_2, NULL, 0, 0, 0, 0, 0, TLS1_2_VERSION},
  382. + {0, "TLS13", NULL, 0, 0, 0, 0, 0, TLS1_3_VERSION},
  383. /* strength classes */
  384. {0, SSL_TXT_LOW, NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_LOW},
  385. @@ -682,6 +684,7 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
  386. co_list[co_list_num].next = NULL;
  387. co_list[co_list_num].prev = NULL;
  388. co_list[co_list_num].active = 0;
  389. + co_list[co_list_num].in_group = 0;
  390. co_list_num++;
  391. }
  392. @@ -775,8 +778,8 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
  393. uint32_t alg_auth, uint32_t alg_enc,
  394. uint32_t alg_mac, int min_tls,
  395. uint32_t algo_strength, int rule,
  396. - int32_t strength_bits, CIPHER_ORDER **head_p,
  397. - CIPHER_ORDER **tail_p)
  398. + int32_t strength_bits, int in_group,
  399. + CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
  400. {
  401. CIPHER_ORDER *head, *tail, *curr, *next, *last;
  402. const SSL_CIPHER *cp;
  403. @@ -784,9 +787,9 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
  404. OSSL_TRACE_BEGIN(TLS_CIPHER){
  405. BIO_printf(trc_out,
  406. - "Applying rule %d with %08x/%08x/%08x/%08x/%08x %08x (%d)\n",
  407. + "Applying rule %d with %08x/%08x/%08x/%08x/%08x %08x (%d) g:%d\n",
  408. rule, alg_mkey, alg_auth, alg_enc, alg_mac, min_tls,
  409. - algo_strength, strength_bits);
  410. + algo_strength, strength_bits, in_group);
  411. }
  412. if (rule == CIPHER_DEL || rule == CIPHER_BUMP)
  413. @@ -863,6 +866,7 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
  414. if (!curr->active) {
  415. ll_append_tail(&head, curr, &tail);
  416. curr->active = 1;
  417. + curr->in_group = in_group;
  418. }
  419. }
  420. /* Move the added cipher to this location */
  421. @@ -870,6 +874,7 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
  422. /* reverse == 0 */
  423. if (curr->active) {
  424. ll_append_tail(&head, curr, &tail);
  425. + curr->in_group = 0;
  426. }
  427. } else if (rule == CIPHER_DEL) {
  428. /* reverse == 1 */
  429. @@ -881,6 +886,7 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
  430. */
  431. ll_append_head(&head, curr, &tail);
  432. curr->active = 0;
  433. + curr->in_group = 0;
  434. }
  435. } else if (rule == CIPHER_BUMP) {
  436. if (curr->active)
  437. @@ -950,8 +956,8 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
  438. */
  439. for (i = max_strength_bits; i >= 0; i--)
  440. if (number_uses[i] > 0)
  441. - ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ORD, i, head_p,
  442. - tail_p);
  443. + ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ORD, i, 0,
  444. + head_p, tail_p);
  445. OPENSSL_free(number_uses);
  446. return 1;
  447. @@ -965,7 +971,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
  448. uint32_t alg_mkey, alg_auth, alg_enc, alg_mac, algo_strength;
  449. int min_tls;
  450. const char *l, *buf;
  451. - int j, multi, found, rule, retval, ok, buflen;
  452. + int j, multi, found, rule, retval, ok, buflen, in_group = 0, has_group = 0;
  453. uint32_t cipher_id = 0;
  454. char ch;
  455. @@ -976,18 +982,66 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
  456. if (ch == '\0')
  457. break; /* done */
  458. - if (ch == '-') {
  459. + if (in_group) {
  460. + if (ch == ']') {
  461. + if (!in_group) {
  462. + SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
  463. + SSL_R_UNEXPECTED_GROUP_CLOSE);
  464. + retval = found = in_group = 0;
  465. + break;
  466. + }
  467. + if (*tail_p)
  468. + (*tail_p)->in_group = 0;
  469. + in_group = 0;
  470. + l++;
  471. + continue;
  472. + }
  473. + if (ch == '|') {
  474. + rule = CIPHER_ADD;
  475. + l++;
  476. + continue;
  477. + } else if (!(ch >= 'a' && ch <= 'z')
  478. + && !(ch >= 'A' && ch <= 'Z')
  479. + && !(ch >= '0' && ch <= '9')) {
  480. + SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
  481. + SSL_R_UNEXPECTED_OPERATOR_IN_GROUP);
  482. + retval = found = in_group = 0;
  483. + break;
  484. + } else {
  485. + rule = CIPHER_ADD;
  486. + }
  487. + } else if (ch == '-') {
  488. rule = CIPHER_DEL;
  489. l++;
  490. } else if (ch == '+') {
  491. rule = CIPHER_ORD;
  492. l++;
  493. + } else if (ch == '!' && has_group) {
  494. + SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
  495. + SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS);
  496. + retval = found = in_group = 0;
  497. + break;
  498. } else if (ch == '!') {
  499. rule = CIPHER_KILL;
  500. l++;
  501. + } else if (ch == '@' && has_group) {
  502. + SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
  503. + SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS);
  504. + retval = found = in_group = 0;
  505. + break;
  506. } else if (ch == '@') {
  507. rule = CIPHER_SPECIAL;
  508. l++;
  509. + } else if (ch == '[') {
  510. + if (in_group) {
  511. + SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_NESTED_GROUP);
  512. + retval = found = in_group = 0;
  513. + break;
  514. + }
  515. + in_group = 1;
  516. + has_group = 1;
  517. + l++;
  518. + continue;
  519. } else {
  520. rule = CIPHER_ADD;
  521. }
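Review bot: Two of the new error paths cannot be reached as written: the `if (!in_group)` test that raises `SSL_R_UNEXPECTED_GROUP_CLOSE` sits inside `if (in_group)`, and the `if (in_group)` test that raises `SSL_R_NESTED_GROUP` is in an `else if` arm that is only evaluated when `in_group` is 0. A `[` inside a group is therefore reported as `SSL_R_UNEXPECTED_OPERATOR_IN_GROUP`, and a stray `]` outside a group falls to the final `else` and is handed on as the start of a cipher name. Test both cases before the chain, `if (ch == ']' && !in_group)` raising `SSL_R_UNEXPECTED_GROUP_CLOSE` and `if (ch == '[' && in_group)` raising `SSL_R_NESTED_GROUP`, so that malformed rule strings fail with the intended reason codes. The loop this hunk edits begins and ends outside it.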
  522. @@ -1012,7 +1066,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
  523. while (((ch >= 'A') && (ch <= 'Z')) ||
  524. ((ch >= '0') && (ch <= '9')) ||
  525. ((ch >= 'a') && (ch <= 'z')) ||
  526. - (ch == '-') || (ch == '.') || (ch == '='))
  527. + (ch == '-') || (ch == '.') || (ch == '=') || (ch == '_'))
  528. #else
  529. while (isalnum((unsigned char)ch) || (ch == '-') || (ch == '.')
  530. || (ch == '='))
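Review bot: `_` is added to the accepted name characters only in the first branch of the conditional; the `isalnum()` variant after `#else` still ends with `|| (ch == '='))`, so a rule string containing an underscore is tokenised differently depending on which branch is compiled. Add the same test there: `|| (ch == '=') || (ch == '_'))`. The `#if` condition itself is above the hunk.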
  531. @@ -1029,7 +1083,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
  532. * alphanumeric, so we call this an error.
  533. */
  534. SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_INVALID_COMMAND);
  535. - retval = found = 0;
  536. + retval = found = in_group = 0;
  537. l++;
  538. break;
  539. }
  540. @@ -1208,8 +1262,8 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
  541. } else if (found) {
  542. ssl_cipher_apply_rule(cipher_id,
  543. alg_mkey, alg_auth, alg_enc, alg_mac,
  544. - min_tls, algo_strength, rule, -1, head_p,
  545. - tail_p);
  546. + min_tls, algo_strength, rule, -1, in_group,
  547. + head_p, tail_p);
  548. } else {
  549. while ((*l != '\0') && !ITEM_SEP(*l))
  550. l++;
  551. @@ -1218,6 +1272,11 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
  552. break; /* done */
  553. }
  554. + if (in_group) {
  555. + SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_INVALID_COMMAND);
  556. + retval = 0;
  557. + }
  558. +
  559. return retval;
  560. }
  561. @@ -1382,7 +1441,7 @@ int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str)
  562. if (ret && ctx->cipher_list != NULL) {
  563. /* We already have a cipher_list, so we need to update it */
  564. - return update_cipher_list(&ctx->cipher_list, &ctx->cipher_list_by_id,
  565. + return update_cipher_list(&ctx->cipher_list->ciphers, &ctx->cipher_list_by_id,
  566. ctx->tls13_ciphersuites);
  567. }
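Review bot: Passing `&ctx->cipher_list->ciphers` lets `update_cipher_list()` replace or resize the stack while `ctx->cipher_list->in_group_flags` keeps the length and order it was built with; the same applies to `&s->cipher_list->ciphers` in the `SSL_set_ciphersuites` hunk that follows. `ssl3_choose_cipher` indexes `in_group_flags[i]` by position in that stack, so if `update_cipher_list()` (its body is not in this diff) inserts or deletes entries, the flags no longer line up with the ciphers, and a longer stack would be read past the end of the flag array. Either rebuild `in_group_flags` together with the stack or refuse the update while a list with groups is installed, and record the invariant in a comment such as `/* in_group_flags has one byte per entry of ciphers, in the same order */`.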
  568. @@ -1395,7 +1454,7 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
  569. if (ret && s->cipher_list != NULL) {
  570. /* We already have a cipher_list, so we need to update it */
  571. - return update_cipher_list(&s->cipher_list, &s->cipher_list_by_id,
  572. + return update_cipher_list(&s->cipher_list->ciphers, &s->cipher_list_by_id,
  573. s->tls13_ciphersuites);
  574. }
  575. @@ -1404,17 +1463,20 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
  576. STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  577. STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
  578. - STACK_OF(SSL_CIPHER) **cipher_list,
  579. + struct ssl_cipher_preference_list_st **cipher_list,
  580. STACK_OF(SSL_CIPHER) **cipher_list_by_id,
  581. const char *rule_str,
  582. CERT *c)
  583. {
  584. - int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases, i;
  585. + int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
  586. uint32_t disabled_mkey, disabled_auth, disabled_enc, disabled_mac;
  587. - STACK_OF(SSL_CIPHER) *cipherstack;
  588. + STACK_OF(SSL_CIPHER) *cipherstack = NULL;
  589. const char *rule_p;
  590. CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
  591. const SSL_CIPHER **ca_list = NULL;
  592. + uint8_t *in_group_flags = NULL;
  593. + unsigned int num_in_group_flags = 0;
  594. + struct ssl_cipher_preference_list_st *pref_list = NULL;
  595. /*
  596. * Return with error if nothing to do.
  597. @@ -1463,16 +1525,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  598. * preference).
  599. */
  600. ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, 0, 0, 0, 0, CIPHER_ADD,
  601. - -1, &head, &tail);
  602. - ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head,
  603. - &tail);
  604. - ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head,
  605. - &tail);
  606. + -1, 0, &head, &tail);
  607. + ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_ADD, -1, 0,
  608. + &head, &tail);
  609. + ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, 0,
  610. + &head, &tail);
  611. /* Within each strength group, we prefer GCM over CHACHA... */
  612. - ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1,
  613. + ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1, 0,
  614. &head, &tail);
  615. - ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1,
  616. + ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1, 0,
  617. &head, &tail);
  618. /*
  619. @@ -1481,13 +1543,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  620. * strength.
  621. */
  622. ssl_cipher_apply_rule(0, 0, 0, SSL_AES ^ SSL_AESGCM, 0, 0, 0, CIPHER_ADD,
  623. - -1, &head, &tail);
  624. + -1, 0, &head, &tail);
  625. /* Temporarily enable everything else for sorting */
  626. - ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
  627. + ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, 0, &head, &tail);
  628. /* Low priority for MD5 */
  629. - ssl_cipher_apply_rule(0, 0, 0, 0, SSL_MD5, 0, 0, CIPHER_ORD, -1, &head,
  630. + ssl_cipher_apply_rule(0, 0, 0, 0, SSL_MD5, 0, 0, CIPHER_ORD, -1, 0, &head,
  631. &tail);
  632. /*
  633. @@ -1495,16 +1557,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  634. * disabled. (For applications that allow them, they aren't too bad, but
  635. * we prefer authenticated ciphers.)
  636. */
  637. - ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, &head,
  638. + ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, 0, &head,
  639. &tail);
  640. - ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head,
  641. + ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, 0, &head,
  642. &tail);
  643. - ssl_cipher_apply_rule(0, SSL_kPSK, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head,
  644. + ssl_cipher_apply_rule(0, SSL_kPSK, 0, 0, 0, 0, 0, CIPHER_ORD, -1, 0, &head,
  645. &tail);
  646. /* RC4 is sort-of broken -- move to the end */
  647. - ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, &head,
  648. + ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, 0, &head,
  649. &tail);
  650. /*
  651. @@ -1520,7 +1582,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  652. * Partially overrule strength sort to prefer TLS 1.2 ciphers/PRFs.
  653. * TODO(openssl-team): is there an easier way to accomplish all this?
  654. */
  655. - ssl_cipher_apply_rule(0, 0, 0, 0, 0, TLS1_2_VERSION, 0, CIPHER_BUMP, -1,
  656. + ssl_cipher_apply_rule(0, 0, 0, 0, 0, TLS1_2_VERSION, 0, CIPHER_BUMP, -1, 0,
  657. &head, &tail);
  658. /*
  659. @@ -1536,15 +1598,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  660. * Because we now bump ciphers to the top of the list, we proceed in
  661. * reverse order of preference.
  662. */
  663. - ssl_cipher_apply_rule(0, 0, 0, 0, SSL_AEAD, 0, 0, CIPHER_BUMP, -1,
  664. + ssl_cipher_apply_rule(0, 0, 0, 0, SSL_AEAD, 0, 0, CIPHER_BUMP, -1, 0,
  665. &head, &tail);
  666. ssl_cipher_apply_rule(0, SSL_kDHE | SSL_kECDHE, 0, 0, 0, 0, 0,
  667. - CIPHER_BUMP, -1, &head, &tail);
  668. + CIPHER_BUMP, -1, 0, &head, &tail);
  669. ssl_cipher_apply_rule(0, SSL_kDHE | SSL_kECDHE, 0, 0, SSL_AEAD, 0, 0,
  670. - CIPHER_BUMP, -1, &head, &tail);
  671. + CIPHER_BUMP, -1, 0, &head, &tail);
  672. +
  673. + ssl_cipher_apply_rule(0, 0, 0, 0, 0, TLS1_3_VERSION, 0, CIPHER_BUMP, -1, 0,
  674. + &head, &tail);
  675. /* Now disable everything (maintaining the ordering!) */
  676. - ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);
  677. + ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, 0, &head, &tail);
  678. /*
  679. * We also need cipher aliases for selecting based on the rule_str.
  680. @@ -1558,9 +1623,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  681. num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
  682. ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
  683. if (ca_list == NULL) {
  684. - OPENSSL_free(co_list);
  685. SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
  686. - return NULL; /* Failure */
  687. + goto err; /* Failure */
  688. }
  689. ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
  690. disabled_mkey, disabled_auth, disabled_enc,
  691. @@ -1585,28 +1649,19 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  692. OPENSSL_free(ca_list); /* Not needed anymore */
  693. - if (!ok) { /* Rule processing failure */
  694. - OPENSSL_free(co_list);
  695. - return NULL;
  696. - }
  697. + if (!ok)
  698. + goto err; /* Rule processing failure */
  699. /*
  700. * Allocate new "cipherstack" for the result, return with error
  701. * if we cannot get one.
  702. */
  703. - if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
  704. - OPENSSL_free(co_list);
  705. - return NULL;
  706. - }
  707. + if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL)
  708. + goto err;
  709. - /* Add TLSv1.3 ciphers first - we always prefer those if possible */
  710. - for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
  711. - if (!sk_SSL_CIPHER_push(cipherstack,
  712. - sk_SSL_CIPHER_value(tls13_ciphersuites, i))) {
  713. - sk_SSL_CIPHER_free(cipherstack);
  714. - return NULL;
  715. - }
  716. - }
  717. + in_group_flags = OPENSSL_malloc(num_of_ciphers);
  718. + if (!in_group_flags)
  719. + goto err;
  720. OSSL_TRACE_BEGIN(TLS_CIPHER) {
  721. BIO_printf(trc_out, "cipher selection:\n");
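Review bot: The new `if (!in_group_flags) goto err;` leaves the error queue empty on allocation failure, whereas the `ca_list` failure in the previous hunk records `ERR_R_MALLOC_FAILURE`. Adding `SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);` before the jump keeps such failures diagnosable, and the same applies to the `pref_list` and `pref_list->in_group_flags` allocations in the next hunk. With the "Add TLSv1.3 ciphers first" loop removed, a short comment here should say where TLS 1.3 suites now enter the list (apparently through the `TLS1_3_VERSION` bump rule), since the visible hunks no longer read `tls13_ciphersuites`. The function body starts and ends outside this hunk.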
  722. @@ -1618,26 +1673,51 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  723. for (curr = head; curr != NULL; curr = curr->next) {
  724. if (curr->active) {
  725. if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
  726. - OPENSSL_free(co_list);
  727. - sk_SSL_CIPHER_free(cipherstack);
  728. OSSL_TRACE_CANCEL(TLS_CIPHER);
  729. - return NULL;
  730. + goto err;
  731. }
  732. + in_group_flags[num_in_group_flags++] = curr->in_group;
  733. if (trc_out != NULL)
  734. BIO_printf(trc_out, "<%s>\n", curr->cipher->name);
  735. }
  736. }
  737. OPENSSL_free(co_list); /* Not needed any longer */
  738. + co_list = NULL;
  739. OSSL_TRACE_END(TLS_CIPHER);
  740. - if (!update_cipher_list_by_id(cipher_list_by_id, cipherstack)) {
  741. - sk_SSL_CIPHER_free(cipherstack);
  742. - return NULL;
  743. - }
  744. - sk_SSL_CIPHER_free(*cipher_list);
  745. - *cipher_list = cipherstack;
  746. + if (!update_cipher_list_by_id(cipher_list_by_id, cipherstack))
  747. + goto err;
  748. +
  749. + pref_list = OPENSSL_malloc(sizeof(struct ssl_cipher_preference_list_st));
  750. + if (!pref_list)
  751. + goto err;
  752. + pref_list->ciphers = cipherstack;
  753. + pref_list->in_group_flags = OPENSSL_malloc(num_in_group_flags);
  754. + if (!pref_list->in_group_flags)
  755. + goto err;
  756. + memcpy(pref_list->in_group_flags, in_group_flags, num_in_group_flags);
  757. + OPENSSL_free(in_group_flags);
  758. + in_group_flags = NULL;
  759. + if (*cipher_list != NULL)
  760. + ssl_cipher_preference_list_free(*cipher_list);
  761. + *cipher_list = pref_list;
  762. + pref_list = NULL;
  763. return cipherstack;
  764. +
  765. +err:
  766. + if (co_list)
  767. + OPENSSL_free(co_list);
  768. + if (in_group_flags)
  769. + OPENSSL_free(in_group_flags);
  770. + if (cipherstack)
  771. + sk_SSL_CIPHER_free(cipherstack);
  772. + if (pref_list && pref_list->in_group_flags)
  773. + OPENSSL_free(pref_list->in_group_flags);
  774. + if (pref_list)
  775. + OPENSSL_free(pref_list);
  776. + return NULL;
  777. +
  778. }
  779. char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
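Review bot: `OPENSSL_malloc(num_in_group_flags)` returning NULL is treated as an allocation failure, but OpenSSL's allocator also returns NULL for a zero-byte request. A rule string that leaves no cipher active therefore ends in `goto err` with nothing on the error queue, instead of handing back an empty stack for the caller to reject. The second buffer and the `memcpy` are not needed: the scratch array already holds the bytes wanted, so ownership can move with `pref_list->in_group_flags = in_group_flags; in_group_flags = NULL;`. The `err:` block also relies on `co_list`, `in_group_flags`, `cipherstack` and `pref_list` starting as NULL in declarations outside this hunk, which is worth confirming.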
  780. diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
  781. index ceae87bbc9..10836f3667 100644
  782. --- a/ssl/ssl_err.c
  783. +++ b/ssl/ssl_err.c
  784. @@ -967,6 +967,9 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
  785. "missing tmp ecdh key"},
  786. {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA),
  787. "mixed handshake and non handshake data"},
  788. + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS),
  789. + "mixed special operator with groups"},
  790. + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NESTED_GROUP), "nested group"},
  791. {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NOT_ON_RECORD_BOUNDARY),
  792. "not on record boundary"},
  793. {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NOT_REPLACING_CERTIFICATE),
  794. @@ -1205,7 +1208,11 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
  795. "unexpected ccs message"},
  796. {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_END_OF_EARLY_DATA),
  797. "unexpected end of early data"},
  798. + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_GROUP_CLOSE),
  799. + "unexpected group close"},
  800. {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_MESSAGE), "unexpected message"},
  801. + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_OPERATOR_IN_GROUP),
  802. + "unexpected operator in group"},
  803. {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_RECORD), "unexpected record"},
  804. {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},
  805. {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_ALERT_TYPE), "unknown alert type"},
  806. diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
  807. index f63e16b592..9828b43b0c 100644
  808. --- a/ssl/ssl_lib.c
  809. +++ b/ssl/ssl_lib.c
  810. @@ -1120,6 +1120,71 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
  811. return X509_VERIFY_PARAM_set1(ssl->param, vpm);
  812. }
  813. +void ssl_cipher_preference_list_free(struct ssl_cipher_preference_list_st
  814. + *cipher_list)
  815. +{
  816. + sk_SSL_CIPHER_free(cipher_list->ciphers);
  817. + OPENSSL_free(cipher_list->in_group_flags);
  818. + OPENSSL_free(cipher_list);
  819. +}
  820. +
  821. +struct ssl_cipher_preference_list_st*
  822. +ssl_cipher_preference_list_dup(struct ssl_cipher_preference_list_st
  823. + *cipher_list)
  824. +{
  825. + struct ssl_cipher_preference_list_st* ret = NULL;
  826. + size_t n = sk_SSL_CIPHER_num(cipher_list->ciphers);
  827. +
  828. + ret = OPENSSL_malloc(sizeof(struct ssl_cipher_preference_list_st));
  829. + if (!ret)
  830. + goto err;
  831. + ret->ciphers = NULL;
  832. + ret->in_group_flags = NULL;
  833. + ret->ciphers = sk_SSL_CIPHER_dup(cipher_list->ciphers);
  834. + if (!ret->ciphers)
  835. + goto err;
  836. + ret->in_group_flags = OPENSSL_malloc(n);
  837. + if (!ret->in_group_flags)
  838. + goto err;
  839. + memcpy(ret->in_group_flags, cipher_list->in_group_flags, n);
  840. + return ret;
  841. +
  842. +err:
  843. + if (ret->ciphers)
  844. + sk_SSL_CIPHER_free(ret->ciphers);
  845. + if (ret)
  846. + OPENSSL_free(ret);
  847. + return NULL;
  848. +}
  849. +
  850. +struct ssl_cipher_preference_list_st*
  851. +ssl_cipher_preference_list_from_ciphers(STACK_OF(SSL_CIPHER) *ciphers)
  852. +{
  853. + struct ssl_cipher_preference_list_st* ret = NULL;
  854. + size_t n = sk_SSL_CIPHER_num(ciphers);
  855. +
  856. + ret = OPENSSL_malloc(sizeof(struct ssl_cipher_preference_list_st));
  857. + if (!ret)
  858. + goto err;
  859. + ret->ciphers = NULL;
  860. + ret->in_group_flags = NULL;
  861. + ret->ciphers = sk_SSL_CIPHER_dup(ciphers);
  862. + if (!ret->ciphers)
  863. + goto err;
  864. + ret->in_group_flags = OPENSSL_malloc(n);
  865. + if (!ret->in_group_flags)
  866. + goto err;
  867. + memset(ret->in_group_flags, 0, n);
  868. + return ret;
  869. +
  870. +err:
  871. + if (ret->ciphers)
  872. + sk_SSL_CIPHER_free(ret->ciphers);
  873. + if (ret)
  874. + OPENSSL_free(ret);
  875. + return NULL;
  876. +}
  877. +
  878. X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx)
  879. {
  880. return ctx->param;
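Review bot: Both `err:` paths, in `ssl_cipher_preference_list_dup()` and `ssl_cipher_preference_list_from_ciphers()`, test `ret->ciphers` before `ret`, so a failed `OPENSSL_malloc()` of the struct jumps straight into a NULL dereference. `ssl_cipher_preference_list_free()` likewise dereferences its argument unchecked, unlike the `sk_SSL_CIPHER_free()` it replaces. The later hunks in `SSL_CTX_free()` and `tls_early_post_process_client_hello()` call it without a NULL test. Making the free function NULL-tolerant and routing both error paths through it covers all three, and zero-allocating the struct keeps the partially built state well defined.

```c
void ssl_cipher_preference_list_free(struct ssl_cipher_preference_list_st
                                     *cipher_list)
{
    if (cipher_list == NULL)
        return;
    /* … unchanged: free ciphers, in_group_flags and the list itself … */
}

/* in ssl_cipher_preference_list_dup() and ..._from_ciphers(): */
    ret = OPENSSL_zalloc(sizeof(*ret));
    if (ret == NULL)
        return NULL;
    /* … unchanged: dup the stack, allocate and fill in_group_flags … */
err:
    ssl_cipher_preference_list_free(ret);
    return NULL;
```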
  881. @@ -1164,7 +1229,8 @@ void SSL_free(SSL *s)
  882. BUF_MEM_free(s->init_buf);
  883. /* add extra stuff */
  884. - sk_SSL_CIPHER_free(s->cipher_list);
  885. + if (s->cipher_list != NULL)
  886. + ssl_cipher_preference_list_free(s->cipher_list);
  887. sk_SSL_CIPHER_free(s->cipher_list_by_id);
  888. sk_SSL_CIPHER_free(s->tls13_ciphersuites);
  889. @@ -2499,9 +2565,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
  890. {
  891. if (s != NULL) {
  892. if (s->cipher_list != NULL) {
  893. - return s->cipher_list;
  894. + return (s->cipher_list->ciphers);
  895. } else if ((s->ctx != NULL) && (s->ctx->cipher_list != NULL)) {
  896. - return s->ctx->cipher_list;
  897. + return (s->ctx->cipher_list->ciphers);
  898. }
  899. }
  900. return NULL;
  901. @@ -2575,29 +2641,22 @@ const char *SSL_get_cipher_list(const SSL *s, int n)
  902. * preference */
  903. STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx)
  904. {
  905. - if (ctx != NULL)
  906. - return ctx->cipher_list;
  907. + if (ctx != NULL && ctx->cipher_list != NULL)
  908. + return ctx->cipher_list->ciphers;
  909. return NULL;
  910. }
  911. /*
  912. * Distinguish between ciphers controlled by set_ciphersuite() and
  913. * set_cipher_list() when counting.
  914. + * Enabled "TLS13+AESGCM+AES128" or the others.
  915. */
  916. static int cipher_list_tls12_num(STACK_OF(SSL_CIPHER) *sk)
  917. {
  918. - int i, num = 0;
  919. - const SSL_CIPHER *c;
  920. -
  921. if (sk == NULL)
  922. return 0;
  923. - for (i = 0; i < sk_SSL_CIPHER_num(sk); ++i) {
  924. - c = sk_SSL_CIPHER_value(sk, i);
  925. - if (c->min_tls >= TLS1_3_VERSION)
  926. - continue;
  927. - num++;
  928. - }
  929. - return num;
  930. + else
  931. + return sk_SSL_CIPHER_num(sk);
  932. }
  933. /** specify the ciphers to be used by default by the SSL_CTX */
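Review bot: The header comment and the name `cipher_list_tls12_num` no longer describe the function: it now returns `sk_SSL_CIPHER_num(sk)` for every suite, TLS 1.3 included, so nothing is distinguished when counting. Callers that use the count to decide whether a rule string matched any pre-TLS 1.3 cipher (not visible here) would now accept a list holding only TLS 1.3 suites; confirm that is intended. If it is, replace the comment with something like `/* Count all ciphers; TLS 1.3 suites are now part of the rule-built list. */` and drop the redundant `else`.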
  934. @@ -3027,7 +3086,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
  935. ret->tls13_ciphersuites,
  936. &ret->cipher_list, &ret->cipher_list_by_id,
  937. SSL_DEFAULT_CIPHER_LIST, ret->cert)
  938. - || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
  939. + || sk_SSL_CIPHER_num(ret->cipher_list->ciphers) <= 0) {
  940. SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
  941. goto err2;
  942. }
  943. @@ -3203,7 +3262,7 @@ void SSL_CTX_free(SSL_CTX *a)
  944. #ifndef OPENSSL_NO_CT
  945. CTLOG_STORE_free(a->ctlog_store);
  946. #endif
  947. - sk_SSL_CIPHER_free(a->cipher_list);
  948. + ssl_cipher_preference_list_free(a->cipher_list);
  949. sk_SSL_CIPHER_free(a->cipher_list_by_id);
  950. sk_SSL_CIPHER_free(a->tls13_ciphersuites);
  951. ssl_cert_free(a->cert);
  952. @@ -3879,13 +3938,15 @@ SSL *SSL_dup(SSL *s)
  953. /* dup the cipher_list and cipher_list_by_id stacks */
  954. if (s->cipher_list != NULL) {
  955. - if ((ret->cipher_list = sk_SSL_CIPHER_dup(s->cipher_list)) == NULL)
  956. + ret->cipher_list = ssl_cipher_preference_list_dup(s->cipher_list);
  957. + if (ret->cipher_list == NULL)
  958. goto err;
  959. }
  960. - if (s->cipher_list_by_id != NULL)
  961. - if ((ret->cipher_list_by_id = sk_SSL_CIPHER_dup(s->cipher_list_by_id))
  962. - == NULL)
  963. + if (s->cipher_list_by_id != NULL) {
  964. + ret->cipher_list_by_id = sk_SSL_CIPHER_dup(s->cipher_list_by_id);
  965. + if (ret->cipher_list_by_id == NULL)
  966. goto err;
  967. + }
  968. /* Dup the client_CA list */
  969. if (!dup_ca_names(&ret->ca_names, s->ca_names)
  970. diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
  971. index 1d3397d880..265c32d15e 100644
  972. --- a/ssl/ssl_locl.h
  973. +++ b/ssl/ssl_locl.h
  974. @@ -744,9 +744,46 @@ typedef struct ssl_ctx_ext_secure_st {
  975. unsigned char tick_aes_key[TLSEXT_TICK_KEY_LENGTH];
  976. } SSL_CTX_EXT_SECURE;
  977. +/* ssl_cipher_preference_list_st contains a list of SSL_CIPHERs with
  978. + * equal-preference groups. For TLS clients, the groups are moot because the
  979. + * server picks the cipher and groups cannot be expressed on the wire. However,
  980. + * for servers, the equal-preference groups allow the client's preferences to
  981. + * be partially respected. (This only has an effect with
  982. + * SSL_OP_CIPHER_SERVER_PREFERENCE).
  983. + *
  984. + * The equal-preference groups are expressed by grouping SSL_CIPHERs together.
  985. + * All elements of a group have the same priority: no ordering is expressed
  986. + * within a group.
  987. + *
  988. + * The values in |ciphers| are in one-to-one correspondence with
  989. + * |in_group_flags|. (That is, sk_SSL_CIPHER_num(ciphers) is the number of
  990. + * bytes in |in_group_flags|.) The bytes in |in_group_flags| are either 1, to
  991. + * indicate that the corresponding SSL_CIPHER is not the last element of a
  992. + * group, or 0 to indicate that it is.
  993. + *
  994. + * For example, if |in_group_flags| contains all zeros then that indicates a
  995. + * traditional, fully-ordered preference. Every SSL_CIPHER is the last element
  996. + * of the group (i.e. they are all in a one-element group).
  997. + *
  998. + * For a more complex example, consider:
  999. + * ciphers: A B C D E F
  1000. + * in_group_flags: 1 1 0 0 1 0
  1001. + *
  1002. + * That would express the following, order:
  1003. + *
  1004. + * A E
  1005. + * B -> D -> F
  1006. + * C
  1007. + */
  1008. +struct ssl_cipher_preference_list_st {
  1009. + STACK_OF(SSL_CIPHER) *ciphers;
  1010. + uint8_t *in_group_flags;
  1011. +};
  1012. +
  1013. +
  1014. struct ssl_ctx_st {
  1015. const SSL_METHOD *method;
  1016. - STACK_OF(SSL_CIPHER) *cipher_list;
  1017. + struct ssl_cipher_preference_list_st *cipher_list;
  1018. /* same as above but sorted for lookup */
  1019. STACK_OF(SSL_CIPHER) *cipher_list_by_id;
  1020. /* TLSv1.3 specific ciphersuites */
  1021. @@ -1145,7 +1182,7 @@ struct ssl_st {
  1022. /* Per connection DANE state */
  1023. SSL_DANE dane;
  1024. /* crypto */
  1025. - STACK_OF(SSL_CIPHER) *cipher_list;
  1026. + struct ssl_cipher_preference_list_st *cipher_list;
  1027. STACK_OF(SSL_CIPHER) *cipher_list_by_id;
  1028. /* TLSv1.3 specific ciphersuites */
  1029. STACK_OF(SSL_CIPHER) *tls13_ciphersuites;
  1030. @@ -2278,7 +2315,7 @@ __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
  1031. const SSL_CIPHER *const *bp);
  1032. __owur STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  1033. STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
  1034. - STACK_OF(SSL_CIPHER) **cipher_list,
  1035. + struct ssl_cipher_preference_list_st **cipher_list,
  1036. STACK_OF(SSL_CIPHER) **cipher_list_by_id,
  1037. const char *rule_str,
  1038. CERT *c);
  1039. @@ -2288,6 +2325,13 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
  1040. STACK_OF(SSL_CIPHER) **scsvs, int sslv2format,
  1041. int fatal);
  1042. void ssl_update_cache(SSL *s, int mode);
  1043. +struct ssl_cipher_preference_list_st* ssl_cipher_preference_list_dup(
  1044. + struct ssl_cipher_preference_list_st *cipher_list);
  1045. +void ssl_cipher_preference_list_free(
  1046. + struct ssl_cipher_preference_list_st *cipher_list);
  1047. +struct ssl_cipher_preference_list_st* ssl_cipher_preference_list_from_ciphers(
  1048. + STACK_OF(SSL_CIPHER) *ciphers);
  1049. +struct ssl_cipher_preference_list_st* ssl_get_cipher_preferences(SSL *s);
  1050. __owur int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
  1051. const EVP_MD **md, int *mac_pkey_type,
  1052. size_t *mac_secret_size, SSL_COMP **comp,
  1053. @@ -2371,7 +2415,7 @@ __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt,
  1054. CERT_PKEY *cpk);
  1055. __owur const SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,
  1056. STACK_OF(SSL_CIPHER) *clnt,
  1057. - STACK_OF(SSL_CIPHER) *srvr);
  1058. + struct ssl_cipher_preference_list_st *srvr);
  1059. __owur int ssl3_digest_cached_records(SSL *s, int keep);
  1060. __owur int ssl3_new(SSL *s);
  1061. void ssl3_free(SSL *s);
  1062. diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
  1063. index e482e2d074..f81fe86291 100644
  1064. --- a/ssl/statem/statem_srvr.c
  1065. +++ b/ssl/statem/statem_srvr.c
  1066. @@ -1751,7 +1751,7 @@ static int tls_early_post_process_client_hello(SSL *s)
  1067. /* For TLSv1.3 we must select the ciphersuite *before* session resumption */
  1068. if (SSL_IS_TLS13(s)) {
  1069. const SSL_CIPHER *cipher =
  1070. - ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s));
  1071. + ssl3_choose_cipher(s, ciphers, ssl_get_cipher_preferences(s));
  1072. if (cipher == NULL) {
  1073. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1074. @@ -1934,7 +1934,7 @@ static int tls_early_post_process_client_hello(SSL *s)
  1075. /* check if some cipher was preferred by call back */
  1076. if (pref_cipher == NULL)
  1077. pref_cipher = ssl3_choose_cipher(s, s->session->ciphers,
  1078. - SSL_get_ciphers(s));
  1079. + ssl_get_cipher_preferences(s));
  1080. if (pref_cipher == NULL) {
  1081. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1082. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1083. @@ -1943,8 +1943,9 @@ static int tls_early_post_process_client_hello(SSL *s)
  1084. }
  1085. s->session->cipher = pref_cipher;
  1086. - sk_SSL_CIPHER_free(s->cipher_list);
  1087. - s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
  1088. + ssl_cipher_preference_list_free(s->cipher_list);
  1089. + s->cipher_list = ssl_cipher_preference_list_from_ciphers(
  1090. + s->session->ciphers);
  1091. sk_SSL_CIPHER_free(s->cipher_list_by_id);
  1092. s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
  1093. }
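Review bot: The result of `ssl_cipher_preference_list_from_ciphers()` is stored without a check, so an allocation failure silently leaves `s->cipher_list` NULL while `cipher_list_by_id` is still replaced from the session. The two lists then disagree, and cipher selection presumably falls back to the context's preferences rather than the session's. A guard such as `if (s->cipher_list == NULL)` followed by the same `SSLfatal(...)` handling used elsewhere in this function, with `ERR_R_MALLOC_FAILURE`, would make the failure explicit. The enclosing function starts and ends outside this hunk.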
  1094. @@ -2258,7 +2259,7 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
  1095. /* In TLSv1.3 we selected the ciphersuite before resumption */
  1096. if (!SSL_IS_TLS13(s)) {
  1097. cipher =
  1098. - ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
  1099. + ssl3_choose_cipher(s, s->session->ciphers, ssl_get_cipher_preferences(s));
  1100. if (cipher == NULL) {
  1101. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,