authorJoel Sing <jsing@cvs.openbsd.org>2024-07-19 08:54:32 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2024-07-19 08:54:32 +0000
commit3695c7e799243402bf76ed4ad3411bda31422267 (patch)
treef8b5155d7f53dd75cea2492bdae17125503c2ac4 /lib
parent1208616b7672d7acda58d65766dc13073e9a4889 (diff)
Move client ciphers from SSL_SESSION to SSL_HANDSHAKE.
SSL_SESSION has a 'ciphers' member which contains a list of ciphers that were advertised by the client. Move this from SSL_SESSION to SSL_HANDSHAKE and rename it to match reality. ok tb@
Diffstat (limited to 'lib')
-rw-r--r--lib/libssl/s3_lib.c6
-rw-r--r--lib/libssl/ssl_lib.c10
-rw-r--r--lib/libssl/ssl_local.h7
-rw-r--r--lib/libssl/ssl_sess.c9
-rw-r--r--lib/libssl/ssl_srvr.c16
-rw-r--r--lib/libssl/tls13_server.c6
6 files changed, 26 insertions, 28 deletions
diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c
index 5fc42ca200b..38e7ba7f192 100644
--- a/lib/libssl/s3_lib.c
+++ b/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.254 2024/07/16 14:38:04 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.255 2024/07/19 08:54:31 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1478,6 +1478,8 @@ ssl3_free(SSL *s)
tls_buffer_free(s->s3->handshake_fragment);
freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len);
+
+ sk_SSL_CIPHER_free(s->s3->hs.client_ciphers);
sk_X509_pop_free(s->s3->hs.peer_certs, X509_free);
sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free);
sk_X509_pop_free(s->s3->hs.verified_chain, X509_free);
@@ -1522,6 +1524,8 @@ ssl3_clear(SSL *s)
s->s3->hs.sigalgs = NULL;
s->s3->hs.sigalgs_len = 0;
+ sk_SSL_CIPHER_free(s->s3->hs.client_ciphers);
+ s->s3->hs.client_ciphers = NULL;
sk_X509_pop_free(s->s3->hs.peer_certs, X509_free);
s->s3->hs.peer_certs = NULL;
sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free);
diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c
index d78cb2ac3a1..4b86b70db85 100644
--- a/lib/libssl/ssl_lib.c
+++ b/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.326 2024/07/11 13:48:52 tb Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.327 2024/07/19 08:54:31 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1528,9 +1528,9 @@ LSSL_ALIAS(SSL_get_ciphers);
STACK_OF(SSL_CIPHER) *
SSL_get_client_ciphers(const SSL *s)
{
- if (s == NULL || s->session == NULL || !s->server)
+ if (s == NULL || !s->server)
return NULL;
- return s->session->ciphers;
+ return s->s3->hs.client_ciphers;
}
LSSL_ALIAS(SSL_get_client_ciphers);
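Review bot: The lifetime of the stack returned by SSL_get_client_ciphers() changes with the new `return s->s3->hs.client_ciphers;` line: it is now owned by the handshake state and freed in ssl3_free() and reset in ssl3_clear() (see the s3_lib.c hunks in this commit), whereas it previously lived as long as the reference-counted SSL_SESSION, so a caller that keeps the pointer across SSL_clear() now holds a dangling pointer where it did not before. Dropping the `s->session == NULL` guard also turns this into an unconditional `s->s3` dereference, which is presumably safe because s3 is allocated for every live SSL, but that assumption is now what keeps the NULL check on `s` meaningful. A comment above the function stating both points, e.g. `/* Ciphers offered by the client in the current handshake (server side only). Owned by the SSL and valid only until SSL_clear()/SSL_free(). */`, would make the contract explicit. SSL_get_shared_ciphers() below copies into the caller's buffer and is unaffected beyond the same guard change.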
@@ -1713,10 +1713,10 @@ SSL_get_shared_ciphers(const SSL *s, char *buf, int len)
char *end;
int i;
- if (!s->server || s->session == NULL || len < 2)
+ if (!s->server || len < 2)
return NULL;
- if ((client_ciphers = s->session->ciphers) == NULL)
+ if ((client_ciphers = s->s3->hs.client_ciphers) == NULL)
return NULL;
if ((server_ciphers = SSL_get_ciphers(s)) == NULL)
return NULL;
diff --git a/lib/libssl/ssl_local.h b/lib/libssl/ssl_local.h
index c002c9b34f0..e9b6a62bbe1 100644
--- a/lib/libssl/ssl_local.h
+++ b/lib/libssl/ssl_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_local.h,v 1.19 2024/07/16 14:38:04 jsing Exp $ */
+/* $OpenBSD: ssl_local.h,v 1.20 2024/07/19 08:54:31 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -443,8 +443,6 @@ struct ssl_session_st {
* needs to be used to load
* the 'cipher' structure */
- STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */
-
char *tlsext_hostname;
/* Session resumption - RFC 5077 and RFC 8446. */
@@ -568,6 +566,9 @@ typedef struct ssl_handshake_st {
/* Cipher being negotiated in this handshake. */
const SSL_CIPHER *cipher;
+ /* Ciphers sent by the client. */
+ STACK_OF(SSL_CIPHER) *client_ciphers;
+
/* Extensions seen in this handshake. */
uint32_t extensions_seen;
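Review bot: The new field comment `/* Ciphers sent by the client. */` states what the stack holds but not when it is valid or who releases it, which matters now that the ownership has moved out of SSL_SESSION: this commit frees it in ssl3_free() and frees-and-NULLs it in ssl3_clear(), and only the server-side ClientHello processing ever assigns it. Suggest `/* Ciphers offered by the client (server side only); owned by the handshake state and released by ssl3_clear()/ssl3_free(). */` so a reader of the struct does not have to find the s3_lib.c changes to learn that. The enclosing struct ssl_handshake_st starts and ends outside this hunk.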
diff --git a/lib/libssl/ssl_sess.c b/lib/libssl/ssl_sess.c
index cb985cadb56..76f194ca78c 100644
--- a/lib/libssl/ssl_sess.c
+++ b/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.125 2024/03/27 06:47:52 tb Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.126 2024/07/19 08:54:31 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -290,11 +290,6 @@ ssl_session_dup(SSL_SESSION *sess, int include_ticket)
copy->cipher = sess->cipher;
copy->cipher_id = sess->cipher_id;
- if (sess->ciphers != NULL) {
- if ((copy->ciphers = sk_SSL_CIPHER_dup(sess->ciphers)) == NULL)
- goto err;
- }
-
if (sess->tlsext_hostname != NULL) {
copy->tlsext_hostname = strdup(sess->tlsext_hostname);
if (copy->tlsext_hostname == NULL)
@@ -881,8 +876,6 @@ SSL_SESSION_free(SSL_SESSION *ss)
X509_free(ss->peer_cert);
- sk_SSL_CIPHER_free(ss->ciphers);
-
free(ss->tlsext_hostname);
free(ss->tlsext_tick);
free(ss->tlsext_ecpointformatlist);
diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c
index e9f14dc6107..d6b7de1efdd 100644
--- a/lib/libssl/ssl_srvr.c
+++ b/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.161 2024/06/25 14:10:45 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.162 2024/07/19 08:54:31 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1078,13 +1078,13 @@ ssl3_get_client_hello(SSL *s)
s->hit = 1;
s->session->verify_result = X509_V_OK;
- sk_SSL_CIPHER_free(s->session->ciphers);
- s->session->ciphers = ciphers;
+ sk_SSL_CIPHER_free(s->s3->hs.client_ciphers);
+ s->s3->hs.client_ciphers = ciphers;
ciphers = NULL;
/* Check if some cipher was preferred by the callback. */
if (pref_cipher == NULL)
- pref_cipher = ssl3_choose_cipher(s, s->session->ciphers,
+ pref_cipher = ssl3_choose_cipher(s, s->s3->hs.client_ciphers,
SSL_get_ciphers(s));
if (pref_cipher == NULL) {
al = SSL_AD_HANDSHAKE_FAILURE;
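Review bot: The three-line ownership transfer `sk_SSL_CIPHER_free(s->s3->hs.client_ciphers); s->s3->hs.client_ciphers = ciphers; ciphers = NULL;` is now written out verbatim here, again in the next ssl_srvr.c hunk (the non-resumption path), and a third time in the tls13_server.c hunk; a small static helper in the handshake code that takes ownership of the stack and clears the caller's pointer would keep the free-then-assign order in one place if the field's ownership rules change again. This is a point of style only; the logic in each copy matches. ssl3_get_client_hello() starts and ends outside this hunk.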
@@ -1094,7 +1094,7 @@ ssl3_get_client_hello(SSL *s)
s->session->cipher = pref_cipher;
sk_SSL_CIPHER_free(s->cipher_list);
- s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
+ s->cipher_list = sk_SSL_CIPHER_dup(s->s3->hs.client_ciphers);
}
/*
@@ -1108,11 +1108,11 @@ ssl3_get_client_hello(SSL *s)
SSLerror(s, SSL_R_NO_CIPHERS_PASSED);
goto fatal_err;
}
- sk_SSL_CIPHER_free(s->session->ciphers);
- s->session->ciphers = ciphers;
+ sk_SSL_CIPHER_free(s->s3->hs.client_ciphers);
+ s->s3->hs.client_ciphers = ciphers;
ciphers = NULL;
- if ((c = ssl3_choose_cipher(s, s->session->ciphers,
+ if ((c = ssl3_choose_cipher(s, s->s3->hs.client_ciphers,
SSL_get_ciphers(s))) == NULL) {
al = SSL_AD_HANDSHAKE_FAILURE;
SSLerror(s, SSL_R_NO_SHARED_CIPHER);
diff --git a/lib/libssl/tls13_server.c b/lib/libssl/tls13_server.c
index dfeb1e01663..f9cdbdd690e 100644
--- a/lib/libssl/tls13_server.c
+++ b/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.106 2023/06/10 15:34:36 tb Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.107 2024/07/19 08:54:31 jsing Exp $ */
/*
* Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -275,8 +275,8 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
}
ctx->hs->cipher = cipher;
- sk_SSL_CIPHER_free(s->session->ciphers);
- s->session->ciphers = ciphers;
+ sk_SSL_CIPHER_free(s->s3->hs.client_ciphers);
+ s->s3->hs.client_ciphers = ciphers;
ciphers = NULL;
/* Ensure only the NULL compression method is advertised. */