From a7559689a95fcd8be11e971440f12e41aead9c73 Mon Sep 17 00:00:00 2001
From: Shubham Mittal
Date: Thu, 23 Jan 2025 17:04:02 -0800
Subject: [PATCH] indentation and documentation
---
 include/openssl/ssl.h | 39 +++++++++++++++++++++++++++------------
 ssl/handshake_client.cc | 6 ++++--
 ssl/internal.h | 25 ++++++++++++++++++-------
 ssl/ssl_cipher.cc | 18 ++++++++----------
 4 files changed, 57 insertions(+), 31 deletions(-)
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 05ae69a131..c31f1acea3 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1698,14 +1698,19 @@ OPENSSL_EXPORT size_t SSL_get_all_standard_cipher_names(const char **out,
 // substituted when a cipher string starts with 'DEFAULT'.
 #define SSL_DEFAULT_CIPHER_LIST "ALL"
+
 // SSL_CTX_set_strict_cipher_list configures the cipher list for |ctx|,
 // evaluating |str| as a cipher string and returning error if |str| contains
-// anything meaningless. It returns one on success and zero on failure.
+// anything meaningless. It updates |ctx->cipher_list| with any values in
+// |ctx->tls13_cipher_list|.
+//
+// It returns one on success and zero on failure.
 OPENSSL_EXPORT int SSL_CTX_set_strict_cipher_list(SSL_CTX *ctx,
 const char *str);
 // SSL_CTX_set_cipher_list configures the cipher list for |ctx|, evaluating
-// |str| as a cipher string. It returns one on success and zero on failure.
+// |str| as a cipher string. It updates |ctx->cipher_list| with any values in
+// |ctx->tls13_cipher_list|. It returns one on success and zero on failure.
 //
 // Prefer to use |SSL_CTX_set_strict_cipher_list|. This function tolerates
 // garbage inputs, unless an empty cipher list results. However, an empty
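Review bot: The new sentences in the SSL_CTX_set_strict_cipher_list and SSL_CTX_set_cipher_list comments name private members (`|ctx->cipher_list|`, `|ctx->tls13_cipher_list|`) in the public header, where SSL_CTX is opaque to callers and those fields mean nothing to a reader of the API; the same applies to the `|ssl->config->...|` and `|ssl->ctx->...|` references in the next hunk of this file. Phrase it in terms of the public calls instead, e.g. `// anything meaningless. TLS 1.3 cipher suites configured with` / `// |SSL_CTX_set_ciphersuites| (or the defaults) remain in effect.` The lone added `+` line after `#define SSL_DEFAULT_CIPHER_LIST` appears to introduce a second consecutive blank line (inferred from the hunk line counts, as the existing blank line is collapsed in this view) and does not belong in a documentation change.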
@@ -1719,24 +1724,34 @@ OPENSSL_EXPORT int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str);
 // SSL_set_strict_cipher_list configures the cipher list for |ssl|, evaluating
 // |str| as a cipher string and returning error if |str| contains anything
-// meaningless. It returns one on success and zero on failure.
+// meaningless.
+// It updates the cipher list |ssl->config->cipher_list| with any configured
+// TLS 1.3 cipher suites by first checking |ssl->config->tls13_cipher_list| and
+// otherwise falling back to |ssl->ctx->tls13_cipher_list|.
+//
+// It returns one on success and zero on failure.
 OPENSSL_EXPORT int SSL_set_strict_cipher_list(SSL *ssl, const char *str);
-// SSL_CTX_set_ciphersuites configure the available TLSv1.3 ciphersuites for
-// |ctx|, evaluating |str| as a cipher string. It returns one on success and
+// SSL_CTX_set_ciphersuites configures the available TLSv1.3 ciphersuites on
+// |ctx|, evaluating |str| as a cipher string. It updates |ctx->cipher_list|
+// with any values in |ctx->tls13_cipher_list|. It returns one on success and
 // zero on failure.
 OPENSSL_EXPORT int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str);
-// SSL_set_ciphersuites sets the available TLSv1.3 ciphersuites on an |ssl|,
-// returning one on success and zero on failure. In OpenSSL, the only
-// difference between |SSL_CTX_set_ciphersuites| and |SSL_set_ciphersuites| is
-// that the latter copies the |SSL|'s |cipher_list| to its associated
-// |SSL_CONNECTION|. In AWS-LC, we track everything on the |ssl|'s |config| so
-// duplication is not necessary.
+// SSL_set_ciphersuites configures the available TLSv1.3 ciphersuites on
+// |ssl|, evaluating |str| as a cipher string. It updates
+// |ssl->config->cipher_list| with any values in
+// |ssl->config->tls13_cipher_list|. It returns one on success and zero on
+// failure.
OPENSSL_EXPORT int SSL_set_ciphersuites(SSL *ssl, const char *str);
 // SSL_set_cipher_list configures the cipher list for |ssl|, evaluating |str| as
-// a cipher string. It returns one on success and zero on failure.
+// a cipher string. It updates the cipher list |ssl->config->cipher_list| with
+// any configured TLS 1.3 cipher suites by first checking
+// |ssl->config->tls13_cipher_list| and otherwise falling back to
+// |ssl->ctx->tls13_cipher_list|.
+//
+// It returns one on success and zero on failure.
 //
 // Prefer to use |SSL_set_strict_cipher_list|. This function tolerates garbage
 // inputs, unless an empty cipher list results. However, an empty string which
diff --git a/ssl/handshake_client.cc b/ssl/handshake_client.cc
index 47ee4670de..b785d96a80 100644
--- a/ssl/handshake_client.cc
+++ b/ssl/handshake_client.cc
@@ -273,9 +273,11 @@ static bool ssl_write_client_cipher_list(const SSL_HANDSHAKE *hs, CBB *out,
 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHERS_AVAILABLE);
 return false;
 }
- } else if (hs->max_version >= TLS1_3_VERSION && ssl->ctx->tls13_cipher_list) {
+ } else if (hs->max_version >= TLS1_3_VERSION) {
 // Only TLS 1.3 ciphers
- STACK_OF(SSL_CIPHER) *ciphers = ssl->ctx->tls13_cipher_list->ciphers.get();
+ STACK_OF(SSL_CIPHER) *ciphers = (ssl->config && ssl->config->tls13_cipher_list) ?
+ ssl->config->tls13_cipher_list->ciphers.get() : ssl->ctx->tls13_cipher_list->ciphers.get();
+
 bool any_enabled = false;
 if (!collect_cipher_protocol_ids(ciphers, &child, mask_k,
diff --git a/ssl/internal.h b/ssl/internal.h
index 2370907ec2..e16e958651 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
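Review bot: The SSL_set_strict_cipher_list comment now ends a line on `+// meaningless.` and starts the next sentence on a fresh line with no separator, while every other entry this hunk touches either keeps the sentence flowing or separates the return-value sentence with an empty `//` line; keep one style — rejoin the sentence (`// meaningless. It updates the cipher list |ssl->config->cipher_list| with any`) and let the rest reflow, or insert an empty `//` line before `It updates`. The new SSL_CTX_set_ciphersuites and SSL_set_ciphersuites text keeps `TLSv1.3` where the other new comments in this file write `TLS 1.3`; pick one spelling. The SSL_set_ciphersuites comment also drops the explanation of how AWS-LC differs from OpenSSL here; if that note is still accurate it is worth keeping as a second paragraph, since it is the kind of thing a porting reader looks for.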
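Review bot: The fallback arm of the new ternary dereferences `ssl->ctx->tls13_cipher_list` with no null check, whereas the condition it replaces guarded exactly that dereference with `&& ssl->ctx->tls13_cipher_list`; unless the context list is now guaranteed to be set (nothing in this commit shows that), a context with no TLS 1.3 list and a connection that has not configured its own reaches `->ciphers.get()` through a null pointer. Keeping the old guard semantics — enter the branch only when one of the two lists exists, then pick that list — avoids this, and wrapping the selection also brings the second added line, which runs well past 80 columns, back under the project's line limit, as below. The added empty line before `bool any_enabled = false;` looks like a second consecutive blank (the existing one is collapsed in this view; inferred from the hunk counts) and should be dropped. ssl_write_client_cipher_list starts and ends outside the hunk.
```cpp
  } else if (hs->max_version >= TLS1_3_VERSION &&
             ((ssl->config && ssl->config->tls13_cipher_list) ||
              ssl->ctx->tls13_cipher_list)) {
    // Only TLS 1.3 ciphers. A list configured on this connection takes
    // precedence over the context's; the guard above ensures one of them is set.
    const SSLCipherPreferenceList *tls13_list =
        (ssl->config && ssl->config->tls13_cipher_list)
            ? ssl->config->tls13_cipher_list.get()
            : ssl->ctx->tls13_cipher_list.get();
    STACK_OF(SSL_CIPHER) *ciphers = tls13_list->ciphers.get();
    // … unchanged: any_enabled and the collect_cipher_protocol_ids call …
```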
@@ -715,9 +715,6 @@ const EVP_MD *ssl_get_handshake_digest(uint16_t version,
 // rejected. If false, nonsense will be silently ignored. If |config_tls13| is
 // true, only TLS 1.3 ciphers are considered in |ssl_cipher_collect_ciphers|. If
 // false, TLS 1.2 and below ciphers participate in |ssl_cipher_collect_ciphers|.
-// In every invocation, |ctx->cipher_list| is updated with any user-configured
-// or default TLS 1.3 cipher suites in |ctx->tls13_cipher_list|.
-//
 // An empty result is considered an error regardless of |strict| or
 // |config_tls13|. |has_aes_hw| indicates if the list should be ordered based on
 // having support for AES in hardware or not.
@@ -725,6 +722,20 @@ bool ssl_create_cipher_list(UniquePtr *out_cipher_list,
 const bool has_aes_hw, const char *rule_str,
 bool strict, bool config_tls13);
+// update_cipher_list creates a new |SSLCipherPreferenceList| containing ciphers
+// from both |ciphers| and |tls13_ciphers| and assigns it to |dst|. The function:
+//
+// 1. Creates a copy of |ciphers|
+// 2. Removes any stale TLS 1.3 ciphersuites from the copy
+// 3. Adds any configured TLS 1.3 ciphersuites from |tls13_ciphers| to the
+// front of the list.
+// 3. Combines |in_group_flags| from both input lists into |dst->in_group_flags|
+//
+// Returns one on success, zero on error.
+int update_cipher_list(UniquePtr &dst,
+ UniquePtr &ciphers,
+ UniquePtr &tls13_ciphers);
+
 // ssl_get_certificate_slot_index returns the |SSL_PKEY_*| certificate slot
 // index corresponding to the private key type of |pkey|. It returns -1 if not
 // supported. This was |ssl_cert_type| in OpenSSL 1.0.2.
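Review bot: The numbered list in the new update_cipher_list comment has two items labelled `3.`; the second should read `// 4. Combines |in_group_flags| from both input lists into |dst->in_group_flags|`. The comment this commit removes from the definition in ssl_cipher.cc also stated that the function preserves the relative ordering of the cipher suites it keeps, which the new header text no longer says; a sentence to that effect after item 3 would keep that part of the contract documented. The declaration returns `int` with one/zero, whereas `ssl_create_cipher_list` directly above (and `is_known_default_alias_keyword_filter_rule` next to the definition) return `bool`; as update_cipher_list is internal, `bool update_cipher_list(...)` would match the surrounding style, with the definition in ssl_cipher.cc changed the same way. `ciphers` and `tls13_ciphers` are taken by non-const reference although the description only reads from them; if the definition neither resets nor moves them, `const UniquePtr<SSLCipherPreferenceList> &` would document that.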
@@ -2374,8 +2385,6 @@ bool ssl_write_client_hello_without_extensions(const SSL_HANDSHAKE *hs,
 ssl_client_hello_type_t type,
 bool empty_session_id);
-int update_cipher_list(UniquePtr &dst, UniquePtr &ciphers, UniquePtr &tls13_ciphers);
-
 // ssl_add_client_hello constructs a ClientHello and adds it to the outgoing
 // flight. It returns true on success and false on error.
 bool ssl_add_client_hello(SSL_HANDSHAKE *hs);
@@ -3249,10 +3258,12 @@ struct SSL_CONFIG {
 X509_VERIFY_PARAM *param = nullptr;
- // All ciphersuites
+ // cipher_list holds all available cipher suites for tls 1.3,
+ // and 1.2 and below
 UniquePtr cipher_list;
- // TLS 1.3 specific ciphersuites
+ // tls13_cipher_list holds the default or configured tls1.3 and above
+ // cipher suites.
 UniquePtr tls13_cipher_list;
 // This is used to hold the local certificate used (i.e. the server
diff --git a/ssl/ssl_cipher.cc b/ssl/ssl_cipher.cc
index 9de4bbb852..495a1013e0 100644
--- a/ssl/ssl_cipher.cc
+++ b/ssl/ssl_cipher.cc
@@ -1234,14 +1234,9 @@ static bool is_known_default_alias_keyword_filter_rule(const char *rule,
 return false;
 }
-// update_cipher_list updates |ctx->cipher_list| by:
-// 1. Removing any existing TLS 1.3 ciphersuites
-// 2. Adding configured ciphersuites from |ctx->tls13_cipher_list|
-// 3. Configuring a new |ctx->cipher_list->in_group_flags|
-// This function maintains the ordering of ciphersuites and places TLS 1.3
-// ciphersuites at the front of the list.
-// Returns one on success and zero on failure.
-int update_cipher_list(UniquePtr &dst, UniquePtr &ciphers, UniquePtr &tls13_ciphers) {
+int update_cipher_list(UniquePtr &dst,
+ UniquePtr &ciphers,
+ UniquePtr &tls13_ciphers) {
 bssl::UniquePtr tmp_cipher_list;
 int num_removed_tls13_ciphers = 0, num_added_tls13_ciphers = 0;
 Array updated_in_group_flags;
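Review bot: The two new SSL_CONFIG member comments spell the protocol as `tls 1.3` and `tls1.3` while the rest of this commit and the surrounding file write `TLS 1.3`, and the first one reads awkwardly with the comma before `and 1.2 and below`. Suggested wording: `// cipher_list holds all available cipher suites for TLS 1.3 and for TLS 1.2` / `// and below.` and `// tls13_cipher_list holds the default or configured TLS 1.3 cipher suites.` The cipher_list comment would be more useful if it also said how the TLS 1.3 entries get there, i.e. that |update_cipher_list| merges |tls13_cipher_list| into it, since that relationship is what the rest of this commit is about. struct SSL_CONFIG starts and ends outside the hunk.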
@@ -1266,6 +1261,7 @@ int update_cipher_list(UniquePtr &dst, UniquePtrciphers) { STACK_OF(SSL_CIPHER) *tls13_cipher_stack = tls13_ciphers->ciphers.get(); num_added_tls13_ciphers = sk_SSL_CIPHER_num(tls13_cipher_stack); @@ -1278,10 +1274,12 @@ int update_cipher_list(UniquePtr &dst, UniquePtrtls13_cipher_list| if (tls13_ciphers && tls13_ciphers->in_group_flags) {