#include <openssl/engine.h>
#include <openssl/crypto.h>
#include <openssl/conf.h>
+#include <openssl/trace.h>
#include "internal/nelem.h"
-#include "ssl_locl.h"
+#include "ssl_local.h"
#include "internal/thread_once.h"
#include "internal/cryptlib.h"
/*
* Constant SSL_MAX_DIGEST equal to size of digests array should be defined
- * in the ssl_locl.h
+ * in the ssl_local.h
*/
#define SSL_MD_NUM_IDX SSL_MAX_DIGEST
const SSL_CIPHER *cp;
int reverse = 0;
-#ifdef CIPHER_DEBUG
- fprintf(stderr,
- "Applying rule %d with %08x/%08x/%08x/%08x/%08x %08x (%d)\n",
- rule, alg_mkey, alg_auth, alg_enc, alg_mac, min_tls,
- algo_strength, strength_bits);
-#endif
+ OSSL_TRACE_BEGIN(TLS_CIPHER){
+ BIO_printf(trc_out,
+ "Applying rule %d with %08x/%08x/%08x/%08x/%08x %08x (%d)\n",
+ rule, alg_mkey, alg_auth, alg_enc, alg_mac, min_tls,
+ algo_strength, strength_bits);
+ }
if (rule == CIPHER_DEL || rule == CIPHER_BUMP)
reverse = 1; /* needed to maintain sorting between currently
if (strength_bits != cp->strength_bits)
continue;
} else {
-#ifdef CIPHER_DEBUG
- fprintf(stderr,
- "\nName: %s:\nAlgo = %08x/%08x/%08x/%08x/%08x Algo_strength = %08x\n",
- cp->name, cp->algorithm_mkey, cp->algorithm_auth,
- cp->algorithm_enc, cp->algorithm_mac, cp->min_tls,
- cp->algo_strength);
-#endif
+ if (trc_out != NULL) {
+ BIO_printf(trc_out,
+ "\nName: %s:"
+ "\nAlgo = %08x/%08x/%08x/%08x/%08x Algo_strength = %08x\n",
+ cp->name, cp->algorithm_mkey, cp->algorithm_auth,
+ cp->algorithm_enc, cp->algorithm_mac, cp->min_tls,
+ cp->algo_strength);
+ }
if (cipher_id != 0 && (cipher_id != cp->id))
continue;
if (alg_mkey && !(alg_mkey & cp->algorithm_mkey))
continue;
}
-#ifdef CIPHER_DEBUG
- fprintf(stderr, "Action = %d\n", rule);
-#endif
+ if (trc_out != NULL)
+ BIO_printf(trc_out, "Action = %d\n", rule);
/* add the cipher if it has not been added yet. */
if (rule == CIPHER_ADD) {
*head_p = head;
*tail_p = tail;
+
+ OSSL_TRACE_END(TLS_CIPHER);
}
static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
{
int ret = set_ciphersuites(&(ctx->tls13_ciphersuites), str);
- if (ret && ctx->cipher_list != NULL) {
- /* We already have a cipher_list, so we need to update it */
+ if (ret && ctx->cipher_list != NULL)
return update_cipher_list(&ctx->cipher_list, &ctx->cipher_list_by_id,
ctx->tls13_ciphersuites);
- }
return ret;
}
int SSL_set_ciphersuites(SSL *s, const char *str)
{
+ STACK_OF(SSL_CIPHER) *cipher_list;
int ret = set_ciphersuites(&(s->tls13_ciphersuites), str);
- if (ret && s->cipher_list != NULL) {
- /* We already have a cipher_list, so we need to update it */
+ if (s->cipher_list == NULL) {
+ if ((cipher_list = SSL_get_ciphers(s)) != NULL)
+ s->cipher_list = sk_SSL_CIPHER_dup(cipher_list);
+ }
+ if (ret && s->cipher_list != NULL)
return update_cipher_list(&s->cipher_list, &s->cipher_list_by_id,
s->tls13_ciphersuites);
- }
return ret;
}
ok = 1;
rule_p = rule_str;
if (strncmp(rule_str, "DEFAULT", 7) == 0) {
- ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
+ ok = ssl_cipher_process_rulestr(OSSL_default_cipher_list(),
&head, &tail, ca_list, c);
rule_p += 7;
if (*rule_p == ':')
}
}
+ OSSL_TRACE_BEGIN(TLS_CIPHER) {
+ BIO_printf(trc_out, "cipher selection:\n");
+ }
/*
* The cipher selection for the list is done. The ciphers are added
* to the resulting precedence to the STACK_OF(SSL_CIPHER).
if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
OPENSSL_free(co_list);
sk_SSL_CIPHER_free(cipherstack);
+ OSSL_TRACE_CANCEL(TLS_CIPHER);
return NULL;
}
-#ifdef CIPHER_DEBUG
- fprintf(stderr, "<%s>\n", curr->cipher->name);
-#endif
+ if (trc_out != NULL)
+ BIO_printf(trc_out, "<%s>\n", curr->cipher->name);
}
}
OPENSSL_free(co_list); /* Not needed any longer */
+ OSSL_TRACE_END(TLS_CIPHER);
if (!update_cipher_list_by_id(cipher_list_by_id, cipherstack)) {
sk_SSL_CIPHER_free(cipherstack);
const char *ver;
const char *kx, *au, *enc, *mac;
uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;
- static const char *format = "%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s\n";
+ static const char *format = "%-30s %-7s Kx=%-8s Au=%-5s Enc=%-9s Mac=%-4s\n";
if (buf == NULL) {
len = 128;
return 1;
return 0;
}
+
+/*
+ * Default list of TLSv1.2 (and earlier) ciphers
+ * SSL_DEFAULT_CIPHER_LIST deprecated in 3.0.0
+ * Update both macro and function simultaneously
+ */
+const char *OSSL_default_cipher_list(void)
+{
+ return "ALL:!COMPLEMENTOFDEFAULT:!eNULL";
+}
+
+/*
+ * Default list of TLSv1.3 (and later) ciphers
+ * TLS_DEFAULT_CIPHERSUITES deprecated in 3.0.0
+ * Update both macro and function simultaneously
+ */
+const char *OSSL_default_ciphersuites(void)
+{
+ return "TLS_AES_256_GCM_SHA384:"
+#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
+ "TLS_CHACHA20_POLY1305_SHA256:"
+#endif
+ "TLS_AES_128_GCM_SHA256";
+}