#include <openssl/rand.h>
#include "internal/cryptlib.h"
+#define TLS13_NUM_CIPHERS OSSL_NELEM(tls13_ciphers)
#define SSL3_NUM_CIPHERS OSSL_NELEM(ssl3_ciphers)
#define SSL3_NUM_SCSVS OSSL_NELEM(ssl3_scsvs)
0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01
};
+/* The list of available TLSv1.3 ciphers */
+static SSL_CIPHER tls13_ciphers[] = {
+ {
+ 1,
+ TLS1_3_RFC_AES_128_GCM_SHA256,
+ TLS1_3_RFC_AES_128_GCM_SHA256,
+ TLS1_3_CK_AES_128_GCM_SHA256,
+ SSL_kANY,
+ SSL_aANY,
+ SSL_AES128GCM,
+ SSL_AEAD,
+ TLS1_3_VERSION, TLS1_3_VERSION,
+ 0, 0,
+ SSL_HIGH,
+ SSL_HANDSHAKE_MAC_SHA256,
+ 128,
+ 128,
+ }, {
+ 1,
+ TLS1_3_RFC_AES_256_GCM_SHA384,
+ TLS1_3_RFC_AES_256_GCM_SHA384,
+ TLS1_3_CK_AES_256_GCM_SHA384,
+ SSL_kANY,
+ SSL_aANY,
+ SSL_AES256GCM,
+ SSL_AEAD,
+ TLS1_3_VERSION, TLS1_3_VERSION,
+ 0, 0,
+ SSL_HIGH,
+ SSL_HANDSHAKE_MAC_SHA384,
+ 256,
+ 256,
+ },
+#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
+ {
+ 1,
+ TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
+ TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
+ TLS1_3_CK_CHACHA20_POLY1305_SHA256,
+ SSL_kANY,
+ SSL_aANY,
+ SSL_CHACHA20POLY1305,
+ SSL_AEAD,
+ TLS1_3_VERSION, TLS1_3_VERSION,
+ 0, 0,
+ SSL_HIGH,
+ SSL_HANDSHAKE_MAC_SHA256,
+ 256,
+ 256,
+ },
+#endif
+ {
+ 1,
+ TLS1_3_RFC_AES_128_CCM_SHA256,
+ TLS1_3_RFC_AES_128_CCM_SHA256,
+ TLS1_3_CK_AES_128_CCM_SHA256,
+ SSL_kANY,
+ SSL_aANY,
+ SSL_AES128CCM,
+ SSL_AEAD,
+ TLS1_3_VERSION, TLS1_3_VERSION,
+ 0, 0,
+ SSL_NOT_DEFAULT | SSL_HIGH,
+ SSL_HANDSHAKE_MAC_SHA256,
+ 128,
+ 128,
+ }, {
+ 1,
+ TLS1_3_RFC_AES_128_CCM_8_SHA256,
+ TLS1_3_RFC_AES_128_CCM_8_SHA256,
+ TLS1_3_CK_AES_128_CCM_8_SHA256,
+ SSL_kANY,
+ SSL_aANY,
+ SSL_AES128CCM8,
+ SSL_AEAD,
+ TLS1_3_VERSION, TLS1_3_VERSION,
+ 0, 0,
+ SSL_NOT_DEFAULT | SSL_HIGH,
+ SSL_HANDSHAKE_MAC_SHA256,
+ 128,
+ 128,
+ }
+};
+
/*
* The list of available ciphers, mostly organized into the following
* groups:
256,
256,
},
- {
- 1,
- TLS1_3_TXT_AES_128_GCM_SHA256,
- TLS1_3_RFC_AES_128_GCM_SHA256,
- TLS1_3_CK_AES_128_GCM_SHA256,
- 0, 0,
- SSL_AES128GCM,
- SSL_AEAD,
- TLS1_3_VERSION, TLS1_3_VERSION,
- SSL_kANY,
- SSL_aANY,
- SSL_HIGH,
- SSL_HANDSHAKE_MAC_SHA256,
- 128,
- 128,
- },
- {
- 1,
- TLS1_3_TXT_AES_256_GCM_SHA384,
- TLS1_3_RFC_AES_256_GCM_SHA384,
- TLS1_3_CK_AES_256_GCM_SHA384,
- SSL_kANY,
- SSL_aANY,
- SSL_AES256GCM,
- SSL_AEAD,
- TLS1_3_VERSION, TLS1_3_VERSION,
- 0, 0,
- SSL_HIGH,
- SSL_HANDSHAKE_MAC_SHA384,
- 256,
- 256,
- },
-#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
- {
- 1,
- TLS1_3_TXT_CHACHA20_POLY1305_SHA256,
- TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
- TLS1_3_CK_CHACHA20_POLY1305_SHA256,
- SSL_kANY,
- SSL_aANY,
- SSL_CHACHA20POLY1305,
- SSL_AEAD,
- TLS1_3_VERSION, TLS1_3_VERSION,
- 0, 0,
- SSL_HIGH,
- SSL_HANDSHAKE_MAC_SHA256,
- 256,
- 256,
- },
-#endif
- {
- 1,
- TLS1_3_TXT_AES_128_CCM_SHA256,
- TLS1_3_RFC_AES_128_CCM_SHA256,
- TLS1_3_CK_AES_128_CCM_SHA256,
- SSL_kANY,
- SSL_aANY,
- SSL_AES128CCM,
- SSL_AEAD,
- TLS1_3_VERSION, TLS1_3_VERSION,
- 0, 0,
- SSL_NOT_DEFAULT | SSL_HIGH,
- SSL_HANDSHAKE_MAC_SHA256,
- 128,
- 128,
- },
- {
- 1,
- TLS1_3_TXT_AES_128_CCM_8_SHA256,
- TLS1_3_RFC_AES_128_CCM_8_SHA256,
- TLS1_3_CK_AES_128_CCM_8_SHA256,
- SSL_kANY,
- SSL_aANY,
- SSL_AES128CCM8,
- SSL_AEAD,
- TLS1_3_VERSION, TLS1_3_VERSION,
- 0, 0,
- SSL_NOT_DEFAULT | SSL_HIGH,
- SSL_HANDSHAKE_MAC_SHA256,
- 128,
- 128,
- },
{
1,
TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA,
void ssl_sort_cipher_list(void)
{
+ qsort(tls13_ciphers, TLS13_NUM_CIPHERS, sizeof(tls13_ciphers[0]),
+ cipher_compare);
qsort(ssl3_ciphers, SSL3_NUM_CIPHERS, sizeof(ssl3_ciphers[0]),
cipher_compare);
qsort(ssl3_scsvs, SSL3_NUM_SCSVS, sizeof(ssl3_scsvs[0]), cipher_compare);
{
unsigned char *keys = parg;
long tick_keylen = (sizeof(ctx->ext.tick_key_name) +
- sizeof(ctx->ext.tick_hmac_key) +
- sizeof(ctx->ext.tick_aes_key));
+ sizeof(ctx->ext.secure->tick_hmac_key) +
+ sizeof(ctx->ext.secure->tick_aes_key));
if (keys == NULL)
return tick_keylen;
if (larg != tick_keylen) {
if (cmd == SSL_CTRL_SET_TLSEXT_TICKET_KEYS) {
memcpy(ctx->ext.tick_key_name, keys,
sizeof(ctx->ext.tick_key_name));
- memcpy(ctx->ext.tick_hmac_key,
+ memcpy(ctx->ext.secure->tick_hmac_key,
keys + sizeof(ctx->ext.tick_key_name),
- sizeof(ctx->ext.tick_hmac_key));
- memcpy(ctx->ext.tick_aes_key,
+ sizeof(ctx->ext.secure->tick_hmac_key));
+ memcpy(ctx->ext.secure->tick_aes_key,
keys + sizeof(ctx->ext.tick_key_name) +
- sizeof(ctx->ext.tick_hmac_key),
- sizeof(ctx->ext.tick_aes_key));
+ sizeof(ctx->ext.secure->tick_hmac_key),
+ sizeof(ctx->ext.secure->tick_aes_key));
} else {
memcpy(keys, ctx->ext.tick_key_name,
sizeof(ctx->ext.tick_key_name));
memcpy(keys + sizeof(ctx->ext.tick_key_name),
- ctx->ext.tick_hmac_key,
- sizeof(ctx->ext.tick_hmac_key));
+ ctx->ext.secure->tick_hmac_key,
+ sizeof(ctx->ext.secure->tick_hmac_key));
memcpy(keys + sizeof(ctx->ext.tick_key_name) +
- sizeof(ctx->ext.tick_hmac_key),
- ctx->ext.tick_aes_key,
- sizeof(ctx->ext.tick_aes_key));
+ sizeof(ctx->ext.secure->tick_hmac_key),
+ ctx->ext.secure->tick_aes_key,
+ sizeof(ctx->ext.secure->tick_aes_key));
}
return 1;
}
const SSL_CIPHER *cp;
c.id = id;
+ cp = OBJ_bsearch_ssl_cipher_id(&c, tls13_ciphers, TLS13_NUM_CIPHERS);
+ if (cp != NULL)
+ return cp;
cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS);
if (cp != NULL)
return cp;
const SSL_CIPHER *ssl3_get_cipher_by_std_name(const char *stdname)
{
- SSL_CIPHER *c = NULL;
- SSL_CIPHER *tbl = ssl3_ciphers;
- size_t i;
+ SSL_CIPHER *c = NULL, *tbl;
+ SSL_CIPHER *alltabs[] = {tls13_ciphers, ssl3_ciphers};
+ size_t i, j, tblsize[] = {TLS13_NUM_CIPHERS, SSL3_NUM_CIPHERS};
/* this is not efficient, necessary to optimize this? */
- for (i = 0; i < SSL3_NUM_CIPHERS; i++, tbl++) {
- if (tbl->stdname == NULL)
- continue;
- if (strcmp(stdname, tbl->stdname) == 0) {
- c = tbl;
- break;
+ for (j = 0; j < OSSL_NELEM(alltabs); j++) {
+ for (i = 0, tbl = alltabs[j]; i < tblsize[j]; i++, tbl++) {
+ if (tbl->stdname == NULL)
+ continue;
+ if (strcmp(stdname, tbl->stdname) == 0) {
+ c = tbl;
+ break;
+ }
}
}
if (c == NULL) {
{
const SSL_CIPHER *c, *ret = NULL;
STACK_OF(SSL_CIPHER) *prio, *allow;
- int i, ii, ok;
+ int i, ii, ok, prefer_sha256 = 0;
unsigned long alg_k = 0, alg_a = 0, mask_k = 0, mask_a = 0;
+ const EVP_MD *mdsha256 = EVP_sha256();
#ifndef OPENSSL_NO_CHACHA
STACK_OF(SSL_CIPHER) *prio_chacha = NULL;
#endif
allow = srvr;
}
- if (!SSL_IS_TLS13(s)) {
+ if (SSL_IS_TLS13(s)) {
+#ifndef OPENSSL_NO_PSK
+ int j;
+
+ /*
+ * If we allow "old" style PSK callbacks, and we have no certificate (so
+ * we're not going to succeed without a PSK anyway), and we're in
+ * TLSv1.3 then the default hash for a PSK is SHA-256 (as per the
+ * TLSv1.3 spec). Therefore we should prioritise ciphersuites using
+ * that.
+ */
+ if (s->psk_server_callback != NULL) {
+ for (j = 0; j < SSL_PKEY_NUM && !ssl_has_cert(s, j); j++);
+ if (j == SSL_PKEY_NUM) {
+ /* There are no certificates */
+ prefer_sha256 = 1;
+ }
+ }
+#endif
+ } else {
tls1_set_cert_validity(s);
ssl_set_masks(s);
}
continue;
}
#endif
+ if (prefer_sha256) {
+ const SSL_CIPHER *tmp = sk_SSL_CIPHER_value(allow, ii);
+
+ if (ssl_md(tmp->algorithm2) == mdsha256) {
+ ret = tmp;
+ break;
+ }
+ if (ret == NULL)
+ ret = tmp;
+ continue;
+ }
ret = sk_SSL_CIPHER_value(allow, ii);
break;
}
unsigned char *p = result;
l2n(Time, p);
- ret = ssl_randbytes(s, p, len - 4);
+ ret = RAND_bytes(p, len - 4);
} else {
- ret = ssl_randbytes(s, result, len);
+ ret = RAND_bytes(result, len);
}
#ifndef OPENSSL_NO_TLS13DOWNGRADE
- if (ret) {
+ if (ret > 0) {
if (!ossl_assert(sizeof(tls11downgrade) < len)
|| !ossl_assert(sizeof(tls12downgrade) < len))
return 0;