Split configuration of TLSv1.3 ciphers from older ciphers
With the current mechanism, old cipher strings that used to work in 1.1.0,
may inadvertently disable all TLSv1.3 ciphersuites causing connections to
fail. This is confusing for users.
In reality TLSv1.3 are quite different to older ciphers. They are much
simpler and there are only a small number of them so, arguably, they don't
need the same level of control that the older ciphers have.
This change splits the configuration of TLSv1.3 ciphers from older ones.
By default the TLSv1.3 ciphers are on, so you cannot inadvertently disable
them through your existing config.
Fixes #5359
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5392)
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 8f0d3e1..f230b5f 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -18,6 +18,7 @@
#include <openssl/rand.h>
#include "internal/cryptlib.h"
+#define TLS13_NUM_CIPHERS OSSL_NELEM(tls13_ciphers)
#define SSL3_NUM_CIPHERS OSSL_NELEM(ssl3_ciphers)
#define SSL3_NUM_SCSVS OSSL_NELEM(ssl3_scsvs)
@@ -29,6 +30,90 @@
0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01
};
+/* The list of available TLSv1.3 ciphers */
+static SSL_CIPHER tls13_ciphers[] = {
+ {
+ 1,
+ TLS1_3_RFC_AES_128_GCM_SHA256,
+ TLS1_3_RFC_AES_128_GCM_SHA256,
+ TLS1_3_CK_AES_128_GCM_SHA256,
+ 0, 0,
+ SSL_AES128GCM,
+ SSL_AEAD,
+ TLS1_3_VERSION, TLS1_3_VERSION,
+ SSL_kANY,
+ SSL_aANY,
+ SSL_HIGH,
+ SSL_HANDSHAKE_MAC_SHA256,
+ 128,
+ 128,
+ }, {
+ 1,
+ TLS1_3_RFC_AES_256_GCM_SHA384,
+ TLS1_3_RFC_AES_256_GCM_SHA384,
+ TLS1_3_CK_AES_256_GCM_SHA384,
+ SSL_kANY,
+ SSL_aANY,
+ SSL_AES256GCM,
+ SSL_AEAD,
+ TLS1_3_VERSION, TLS1_3_VERSION,
+ 0, 0,
+ SSL_HIGH,
+ SSL_HANDSHAKE_MAC_SHA384,
+ 256,
+ 256,
+ },
+#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
+ {
+ 1,
+ TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
+ TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
+ TLS1_3_CK_CHACHA20_POLY1305_SHA256,
+ SSL_kANY,
+ SSL_aANY,
+ SSL_CHACHA20POLY1305,
+ SSL_AEAD,
+ TLS1_3_VERSION, TLS1_3_VERSION,
+ 0, 0,
+ SSL_HIGH,
+ SSL_HANDSHAKE_MAC_SHA256,
+ 256,
+ 256,
+ },
+#endif
+ {
+ 1,
+ TLS1_3_RFC_AES_128_CCM_SHA256,
+ TLS1_3_RFC_AES_128_CCM_SHA256,
+ TLS1_3_CK_AES_128_CCM_SHA256,
+ SSL_kANY,
+ SSL_aANY,
+ SSL_AES128CCM,
+ SSL_AEAD,
+ TLS1_3_VERSION, TLS1_3_VERSION,
+ 0, 0,
+ SSL_NOT_DEFAULT | SSL_HIGH,
+ SSL_HANDSHAKE_MAC_SHA256,
+ 128,
+ 128,
+ }, {
+ 1,
+ TLS1_3_RFC_AES_128_CCM_8_SHA256,
+ TLS1_3_RFC_AES_128_CCM_8_SHA256,
+ TLS1_3_CK_AES_128_CCM_8_SHA256,
+ SSL_kANY,
+ SSL_aANY,
+ SSL_AES128CCM8,
+ SSL_AEAD,
+ TLS1_3_VERSION, TLS1_3_VERSION,
+ 0, 0,
+ SSL_NOT_DEFAULT | SSL_HIGH,
+ SSL_HANDSHAKE_MAC_SHA256,
+ 128,
+ 128,
+ }
+};
+
/*
* The list of available ciphers, mostly organized into the following
* groups:
@@ -860,88 +945,6 @@
},
{
1,
- TLS1_3_TXT_AES_128_GCM_SHA256,
- TLS1_3_RFC_AES_128_GCM_SHA256,
- TLS1_3_CK_AES_128_GCM_SHA256,
- 0, 0,
- SSL_AES128GCM,
- SSL_AEAD,
- TLS1_3_VERSION, TLS1_3_VERSION,
- SSL_kANY,
- SSL_aANY,
- SSL_HIGH,
- SSL_HANDSHAKE_MAC_SHA256,
- 128,
- 128,
- },
- {
- 1,
- TLS1_3_TXT_AES_256_GCM_SHA384,
- TLS1_3_RFC_AES_256_GCM_SHA384,
- TLS1_3_CK_AES_256_GCM_SHA384,
- SSL_kANY,
- SSL_aANY,
- SSL_AES256GCM,
- SSL_AEAD,
- TLS1_3_VERSION, TLS1_3_VERSION,
- 0, 0,
- SSL_HIGH,
- SSL_HANDSHAKE_MAC_SHA384,
- 256,
- 256,
- },
-#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
- {
- 1,
- TLS1_3_TXT_CHACHA20_POLY1305_SHA256,
- TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
- TLS1_3_CK_CHACHA20_POLY1305_SHA256,
- SSL_kANY,
- SSL_aANY,
- SSL_CHACHA20POLY1305,
- SSL_AEAD,
- TLS1_3_VERSION, TLS1_3_VERSION,
- 0, 0,
- SSL_HIGH,
- SSL_HANDSHAKE_MAC_SHA256,
- 256,
- 256,
- },
-#endif
- {
- 1,
- TLS1_3_TXT_AES_128_CCM_SHA256,
- TLS1_3_RFC_AES_128_CCM_SHA256,
- TLS1_3_CK_AES_128_CCM_SHA256,
- SSL_kANY,
- SSL_aANY,
- SSL_AES128CCM,
- SSL_AEAD,
- TLS1_3_VERSION, TLS1_3_VERSION,
- 0, 0,
- SSL_NOT_DEFAULT | SSL_HIGH,
- SSL_HANDSHAKE_MAC_SHA256,
- 128,
- 128,
- },
- {
- 1,
- TLS1_3_TXT_AES_128_CCM_8_SHA256,
- TLS1_3_RFC_AES_128_CCM_8_SHA256,
- TLS1_3_CK_AES_128_CCM_8_SHA256,
- SSL_kANY,
- SSL_aANY,
- SSL_AES128CCM8,
- SSL_AEAD,
- TLS1_3_VERSION, TLS1_3_VERSION,
- 0, 0,
- SSL_NOT_DEFAULT | SSL_HIGH,
- SSL_HANDSHAKE_MAC_SHA256,
- 128,
- 128,
- },
- {
- 1,
TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA,
TLS1_RFC_ECDHE_ECDSA_WITH_NULL_SHA,
TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA,
@@ -3207,6 +3210,8 @@
void ssl_sort_cipher_list(void)
{
+ qsort(tls13_ciphers, TLS13_NUM_CIPHERS, sizeof(tls13_ciphers[0]),
+ cipher_compare);
qsort(ssl3_ciphers, SSL3_NUM_CIPHERS, sizeof(ssl3_ciphers[0]),
cipher_compare);
qsort(ssl3_scsvs, SSL3_NUM_SCSVS, sizeof(ssl3_scsvs[0]), cipher_compare);
@@ -4027,6 +4032,9 @@
const SSL_CIPHER *cp;
c.id = id;
+ cp = OBJ_bsearch_ssl_cipher_id(&c, tls13_ciphers, TLS13_NUM_CIPHERS);
+ if (cp != NULL)
+ return cp;
cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS);
if (cp != NULL)
return cp;
@@ -4035,17 +4043,19 @@
const SSL_CIPHER *ssl3_get_cipher_by_std_name(const char *stdname)
{
- SSL_CIPHER *c = NULL;
- SSL_CIPHER *tbl = ssl3_ciphers;
- size_t i;
+ SSL_CIPHER *c = NULL, *tbl;
+ SSL_CIPHER *alltabs[] = {tls13_ciphers, ssl3_ciphers};
+ size_t i, j, tblsize[] = {TLS13_NUM_CIPHERS, SSL3_NUM_CIPHERS};
/* this is not efficient, necessary to optimize this? */
- for (i = 0; i < SSL3_NUM_CIPHERS; i++, tbl++) {
- if (tbl->stdname == NULL)
- continue;
- if (strcmp(stdname, tbl->stdname) == 0) {
- c = tbl;
- break;
+ for (j = 0; j < OSSL_NELEM(alltabs); j++) {
+ for (i = 0, tbl = alltabs[j]; i < tblsize[j]; i++, tbl++) {
+ if (tbl->stdname == NULL)
+ continue;
+ if (strcmp(stdname, tbl->stdname) == 0) {
+ c = tbl;
+ break;
+ }
}
}
if (c == NULL) {
