early-access version 2698
This commit is contained in:
pineappleEA
56
externals/libressl/ssl/ssl_ciphers.c
vendored
56
externals/libressl/ssl/ssl_ciphers.c
vendored
@@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: ssl_ciphers.c,v 1.9 2020/09/15 15:28:38 schwarze Exp $ */
|
||||
/* $OpenBSD: ssl_ciphers.c,v 1.13 2022/02/05 18:18:18 tb Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2015-2017 Doug Hogan <doug@openbsd.org>
|
||||
* Copyright (c) 2015-2018, 2020 Joel Sing <jsing@openbsd.org>
|
||||
@@ -36,28 +36,17 @@ ssl_cipher_in_list(STACK_OF(SSL_CIPHER) *ciphers, const SSL_CIPHER *cipher)
|
||||
}
|
||||
|
||||
int
|
||||
ssl_cipher_allowed_in_version_range(const SSL_CIPHER *cipher, uint16_t min_ver,
|
||||
ssl_cipher_allowed_in_tls_version_range(const SSL_CIPHER *cipher, uint16_t min_ver,
|
||||
uint16_t max_ver)
|
||||
{
|
||||
/* XXX: We only support DTLSv1 which is effectively TLSv1.1 */
|
||||
if (min_ver == DTLS1_VERSION || max_ver == DTLS1_VERSION)
|
||||
min_ver = max_ver = TLS1_1_VERSION;
|
||||
|
||||
switch(cipher->algorithm_ssl) {
|
||||
case SSL_SSLV3:
|
||||
if (min_ver <= TLS1_2_VERSION)
|
||||
return 1;
|
||||
break;
|
||||
return (min_ver <= TLS1_2_VERSION);
|
||||
case SSL_TLSV1_2:
|
||||
if (min_ver <= TLS1_2_VERSION && TLS1_2_VERSION <= max_ver)
|
||||
return 1;
|
||||
break;
|
||||
return (min_ver <= TLS1_2_VERSION && TLS1_2_VERSION <= max_ver);
|
||||
case SSL_TLSV1_3:
|
||||
if (min_ver <= TLS1_3_VERSION && TLS1_3_VERSION <= max_ver)
|
||||
return 1;
|
||||
break;
|
||||
return (min_ver <= TLS1_3_VERSION && TLS1_3_VERSION <= max_ver);
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -72,13 +61,13 @@ ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb)
|
||||
if (ciphers == NULL)
|
||||
return 0;
|
||||
|
||||
if (!ssl_supported_version_range(s, &min_vers, &max_vers))
|
||||
if (!ssl_supported_tls_version_range(s, &min_vers, &max_vers))
|
||||
return 0;
|
||||
|
||||
for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
|
||||
if ((cipher = sk_SSL_CIPHER_value(ciphers, i)) == NULL)
|
||||
return 0;
|
||||
if (!ssl_cipher_allowed_in_version_range(cipher, min_vers,
|
||||
if (!ssl_cipher_allowed_in_tls_version_range(cipher, min_vers,
|
||||
max_vers))
|
||||
continue;
|
||||
if (!CBB_add_u16(cbb, ssl3_cipher_get_value(cipher)))
|
||||
@@ -104,10 +93,10 @@ ssl_bytes_to_cipher_list(SSL *s, CBS *cbs)
|
||||
{
|
||||
STACK_OF(SSL_CIPHER) *ciphers = NULL;
|
||||
const SSL_CIPHER *cipher;
|
||||
uint16_t cipher_value, max_version;
|
||||
uint16_t cipher_value;
|
||||
unsigned long cipher_id;
|
||||
|
||||
S3I(s)->send_connection_binding = 0;
|
||||
s->s3->send_connection_binding = 0;
|
||||
|
||||
if ((ciphers = sk_SSL_CIPHER_new_null()) == NULL) {
|
||||
SSLerror(s, ERR_R_MALLOC_FAILURE);
|
||||
@@ -134,7 +123,7 @@ ssl_bytes_to_cipher_list(SSL *s, CBS *cbs)
|
||||
|
||||
goto err;
|
||||
}
|
||||
S3I(s)->send_connection_binding = 1;
|
||||
s->s3->send_connection_binding = 1;
|
||||
continue;
|
||||
}
|
||||
|
||||
@@ -145,9 +134,8 @@ ssl_bytes_to_cipher_list(SSL *s, CBS *cbs)
|
||||
* Fail if the current version is an unexpected
|
||||
* downgrade.
|
||||
*/
|
||||
if (!ssl_downgrade_max_version(s, &max_version))
|
||||
goto err;
|
||||
if (s->version < max_version) {
|
||||
if (s->s3->hs.negotiated_tls_version <
|
||||
s->s3->hs.our_max_tls_version) {
|
||||
SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK);
|
||||
ssl3_send_alert(s, SSL3_AL_FATAL,
|
||||
SSL_AD_INAPPROPRIATE_FALLBACK);
|
||||
@@ -180,28 +168,28 @@ struct ssl_tls13_ciphersuite {
|
||||
|
||||
static const struct ssl_tls13_ciphersuite ssl_tls13_ciphersuites[] = {
|
||||
{
|
||||
.name = TLS1_3_TXT_AES_128_GCM_SHA256,
|
||||
.alias = "TLS_AES_128_GCM_SHA256",
|
||||
.name = TLS1_3_RFC_AES_128_GCM_SHA256,
|
||||
.alias = TLS1_3_TXT_AES_128_GCM_SHA256,
|
||||
.cid = TLS1_3_CK_AES_128_GCM_SHA256,
|
||||
},
|
||||
{
|
||||
.name = TLS1_3_TXT_AES_256_GCM_SHA384,
|
||||
.alias = "TLS_AES_256_GCM_SHA384",
|
||||
.name = TLS1_3_RFC_AES_256_GCM_SHA384,
|
||||
.alias = TLS1_3_TXT_AES_256_GCM_SHA384,
|
||||
.cid = TLS1_3_CK_AES_256_GCM_SHA384,
|
||||
},
|
||||
{
|
||||
.name = TLS1_3_TXT_CHACHA20_POLY1305_SHA256,
|
||||
.alias = "TLS_CHACHA20_POLY1305_SHA256",
|
||||
.name = TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
|
||||
.alias = TLS1_3_TXT_CHACHA20_POLY1305_SHA256,
|
||||
.cid = TLS1_3_CK_CHACHA20_POLY1305_SHA256,
|
||||
},
|
||||
{
|
||||
.name = TLS1_3_TXT_AES_128_CCM_SHA256,
|
||||
.alias = "TLS_AES_128_CCM_SHA256",
|
||||
.name = TLS1_3_RFC_AES_128_CCM_SHA256,
|
||||
.alias = TLS1_3_TXT_AES_128_CCM_SHA256,
|
||||
.cid = TLS1_3_CK_AES_128_CCM_SHA256,
|
||||
},
|
||||
{
|
||||
.name = TLS1_3_TXT_AES_128_CCM_8_SHA256,
|
||||
.alias = "TLS_AES_128_CCM_8_SHA256",
|
||||
.name = TLS1_3_RFC_AES_128_CCM_8_SHA256,
|
||||
.alias = TLS1_3_TXT_AES_128_CCM_8_SHA256,
|
||||
.cid = TLS1_3_CK_AES_128_CCM_8_SHA256,
|
||||
},
|
||||
{
|
||||
|
||||
Reference in New Issue
Block a user