indentation and documentation

aws · Jan 24, 2025 · a755968 · a755968
1 parent 0e66ad6
commit a755968
Show file tree

Hide file tree

Showing 4 changed files with 57 additions and 31 deletions.
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
@@ -1698,14 +1698,19 @@ OPENSSL_EXPORT size_t SSL_get_all_standard_cipher_names(const char **out,
 // substituted when a cipher string starts with 'DEFAULT'.
 #define SSL_DEFAULT_CIPHER_LIST "ALL"
 
+
 // SSL_CTX_set_strict_cipher_list configures the cipher list for |ctx|,
 // evaluating |str| as a cipher string and returning error if |str| contains
-// anything meaningless. It returns one on success and zero on failure.
+// anything meaningless. It updates |ctx->cipher_list| with any values in
+// |ctx->tls13_cipher_list|.
+//
+// It returns one on success and zero on failure.
 OPENSSL_EXPORT int SSL_CTX_set_strict_cipher_list(SSL_CTX *ctx,
                                                   const char *str);
 
 // SSL_CTX_set_cipher_list configures the cipher list for |ctx|, evaluating
-// |str| as a cipher string. It returns one on success and zero on failure.
+// |str| as a cipher string. It updates |ctx->cipher_list| with any values in
+// |ctx->tls13_cipher_list|. It returns one on success and zero on failure.
 //
 // Prefer to use |SSL_CTX_set_strict_cipher_list|. This function tolerates
 // garbage inputs, unless an empty cipher list results. However, an empty
@@ -1719,24 +1724,34 @@ OPENSSL_EXPORT int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str);
 
 // SSL_set_strict_cipher_list configures the cipher list for |ssl|, evaluating
 // |str| as a cipher string and returning error if |str| contains anything
-// meaningless. It returns one on success and zero on failure.
+// meaningless.
+// It updates the cipher list |ssl->config->cipher_list| with any configured
+// TLS 1.3 cipher suites by first checking |ssl->config->tls13_cipher_list| and
+// otherwise falling back to |ssl->ctx->tls13_cipher_list|.
+//
+// It returns one on success and zero on failure.
 OPENSSL_EXPORT int SSL_set_strict_cipher_list(SSL *ssl, const char *str);
 
-// SSL_CTX_set_ciphersuites configure the available TLSv1.3 ciphersuites for
-// |ctx|, evaluating |str| as a cipher string. It returns one on success and
+// SSL_CTX_set_ciphersuites configures the available TLSv1.3 ciphersuites on
+// |ctx|, evaluating |str| as a cipher string. It updates |ctx->cipher_list|
+// with any values in |ctx->tls13_cipher_list|. It returns one on success and
 // zero on failure.
 OPENSSL_EXPORT int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str);
 
-// SSL_set_ciphersuites sets the available TLSv1.3 ciphersuites on an |ssl|,
-// returning one on success and zero on failure. In OpenSSL, the only
-// difference between |SSL_CTX_set_ciphersuites| and |SSL_set_ciphersuites| is
-// that the latter copies the |SSL|'s |cipher_list| to its associated
-// |SSL_CONNECTION|. In AWS-LC, we track everything on the |ssl|'s |config| so
-// duplication is not necessary.
+// SSL_set_ciphersuites configures the available TLSv1.3 ciphersuites on
+// |ssl|, evaluating |str| as a cipher string. It updates
+// |ssl->config->cipher_list| with any values in
+// |ssl->config->tls13_cipher_list|. It returns one on success and zero on
+// failure.
 OPENSSL_EXPORT int SSL_set_ciphersuites(SSL *ssl, const char *str);
 
 // SSL_set_cipher_list configures the cipher list for |ssl|, evaluating |str| as
-// a cipher string. It returns one on success and zero on failure.
+// a cipher string. It updates the cipher list |ssl->config->cipher_list| with
+// any configured TLS 1.3 cipher suites by first checking
+// |ssl->config->tls13_cipher_list| and otherwise falling back to
+// |ssl->ctx->tls13_cipher_list|.
+//
+// It returns one on success and zero on failure.
 //
 // Prefer to use |SSL_set_strict_cipher_list|. This function tolerates garbage
 // inputs, unless an empty cipher list results. However, an empty string which

diff --git a/ssl/handshake_client.cc b/ssl/handshake_client.cc
@@ -273,9 +273,11 @@ static bool ssl_write_client_cipher_list(const SSL_HANDSHAKE *hs, CBB *out,
       OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHERS_AVAILABLE);
       return false;
     }
-  } else if (hs->max_version >= TLS1_3_VERSION && ssl->ctx->tls13_cipher_list) {
+  } else if (hs->max_version >= TLS1_3_VERSION) {
     // Only TLS 1.3 ciphers
-    STACK_OF(SSL_CIPHER) *ciphers = ssl->ctx->tls13_cipher_list->ciphers.get();
+    STACK_OF(SSL_CIPHER) *ciphers = (ssl->config && ssl->config->tls13_cipher_list) ?
+      ssl->config->tls13_cipher_list->ciphers.get() : ssl->ctx->tls13_cipher_list->ciphers.get();
+
     bool any_enabled = false;
 
     if (!collect_cipher_protocol_ids(ciphers, &child, mask_k,

diff --git a/ssl/internal.h b/ssl/internal.h
@@ -715,16 +715,27 @@ const EVP_MD *ssl_get_handshake_digest(uint16_t version,
 // rejected. If false, nonsense will be silently ignored. If |config_tls13| is
 // true, only TLS 1.3 ciphers are considered in |ssl_cipher_collect_ciphers|. If
 // false, TLS 1.2 and below ciphers participate in |ssl_cipher_collect_ciphers|.
-// In every invocation, |ctx->cipher_list| is updated with any user-configured
-// or default TLS 1.3 cipher suites in |ctx->tls13_cipher_list|.
-//
 // An empty result is considered an error regardless of |strict| or
 // |config_tls13|. |has_aes_hw| indicates if the list should be ordered based on
 // having support for AES in hardware or not.
 bool ssl_create_cipher_list(UniquePtr<SSLCipherPreferenceList> *out_cipher_list,
                             const bool has_aes_hw, const char *rule_str,
                             bool strict, bool config_tls13);
 
+// update_cipher_list creates a new |SSLCipherPreferenceList| containing ciphers
+// from both |ciphers| and |tls13_ciphers| and assigns it to |dst|. The function:
+//
+// 1. Creates a copy of |ciphers|
+// 2. Removes any stale TLS 1.3 ciphersuites from the copy
+// 3. Adds any configured TLS 1.3 ciphersuites from |tls13_ciphers| to the
+// front of the list.
+// 3. Combines |in_group_flags| from both input lists into |dst->in_group_flags|
+//
+// Returns one on success, zero on error.
+int update_cipher_list(UniquePtr<SSLCipherPreferenceList> &dst,
+                       UniquePtr<SSLCipherPreferenceList> &ciphers,
+                       UniquePtr<SSLCipherPreferenceList> &tls13_ciphers);
+
 // ssl_get_certificate_slot_index returns the |SSL_PKEY_*| certificate slot
 // index corresponding to the private key type of |pkey|. It returns -1 if not
 // supported. This was |ssl_cert_type| in OpenSSL 1.0.2.
@@ -2374,8 +2385,6 @@ bool ssl_write_client_hello_without_extensions(const SSL_HANDSHAKE *hs,
                                                ssl_client_hello_type_t type,
                                                bool empty_session_id);
 
-int update_cipher_list(UniquePtr<SSLCipherPreferenceList> &dst, UniquePtr<SSLCipherPreferenceList> &ciphers, UniquePtr<SSLCipherPreferenceList> &tls13_ciphers);
-
 // ssl_add_client_hello constructs a ClientHello and adds it to the outgoing
 // flight. It returns true on success and false on error.
 bool ssl_add_client_hello(SSL_HANDSHAKE *hs);
@@ -3249,10 +3258,12 @@ struct SSL_CONFIG {
 
   X509_VERIFY_PARAM *param = nullptr;
 
-  // All ciphersuites
+  // cipher_list holds all available cipher suites for tls 1.3,
+  // and 1.2 and below
   UniquePtr<SSLCipherPreferenceList> cipher_list;
 
-  // TLS 1.3 specific ciphersuites
+  // tls13_cipher_list holds the default or configured tls1.3 and above
+  // cipher suites.
   UniquePtr<SSLCipherPreferenceList> tls13_cipher_list;
 
   // This is used to hold the local certificate used (i.e. the server

diff --git a/ssl/ssl_cipher.cc b/ssl/ssl_cipher.cc
@@ -1234,14 +1234,9 @@ static bool is_known_default_alias_keyword_filter_rule(const char *rule,
   return false;
 }
 
-// update_cipher_list updates |ctx->cipher_list| by:
-// 1. Removing any existing TLS 1.3 ciphersuites
-// 2. Adding configured ciphersuites from |ctx->tls13_cipher_list|
-// 3. Configuring a new |ctx->cipher_list->in_group_flags|
-// This function maintains the ordering of ciphersuites and places TLS 1.3
-// ciphersuites at the front of the list.
-// Returns one on success and zero on failure.
-int update_cipher_list(UniquePtr<SSLCipherPreferenceList> &dst, UniquePtr<SSLCipherPreferenceList> &ciphers, UniquePtr<SSLCipherPreferenceList> &tls13_ciphers) {
+int update_cipher_list(UniquePtr<SSLCipherPreferenceList> &dst,
+                       UniquePtr<SSLCipherPreferenceList> &ciphers,
+                       UniquePtr<SSLCipherPreferenceList> &tls13_ciphers) {
   bssl::UniquePtr<STACK_OF(SSL_CIPHER)> tmp_cipher_list;
   int num_removed_tls13_ciphers = 0, num_added_tls13_ciphers = 0;
   Array<bool> updated_in_group_flags;
@@ -1266,6 +1261,7 @@ int update_cipher_list(UniquePtr<SSLCipherPreferenceList> &dst, UniquePtr<SSLCip
 
   int num_updated_tls12_ciphers = sk_SSL_CIPHER_num(tmp_cipher_list.get());
 
+  // Add any configure tls 1.3 ciphersuites
   if (tls13_ciphers && tls13_ciphers->ciphers) {
     STACK_OF(SSL_CIPHER) *tls13_cipher_stack = tls13_ciphers->ciphers.get();
     num_added_tls13_ciphers = sk_SSL_CIPHER_num(tls13_cipher_stack);
@@ -1278,10 +1274,12 @@ int update_cipher_list(UniquePtr<SSLCipherPreferenceList> &dst, UniquePtr<SSLCip
   }
 
 
-  if (!updated_in_group_flags.Init(num_added_tls13_ciphers + num_updated_tls12_ciphers)) {
+  if (!updated_in_group_flags.Init(num_added_tls13_ciphers +
+                                   num_updated_tls12_ciphers)) {
     return 0;
   }
-  std::fill(updated_in_group_flags.begin(), updated_in_group_flags.end(), false);
+  std::fill(updated_in_group_flags.begin(), updated_in_group_flags.end(),
+           false);
 
   // Copy in_group_flags from |ctx->tls13_cipher_list|
   if (tls13_ciphers && tls13_ciphers->in_group_flags) {