The branch master has been updated via e401389a0cc8ce807aa52e30cf5aba080a62b2df (commit) via 6021d8ec5affe07116cdae81fa3db81d67996aac (commit) via 3bfa4756bd02659fa9f9a265550862c562749db6 (commit) via f054160a1923845f40d15457d1009420827f4c88 (commit) via a216df599a6076147c27acea6c976fb11f505b1a (commit) from c7e10755fac1d8f4421aa60646d311ab2068752d (commit)
- Log ----------------------------------------------------------------- commit e401389a0cc8ce807aa52e30cf5aba080a62b2df Author: Matt Caswell <m...@openssl.org> Date: Fri Apr 27 12:20:04 2018 +0100 Add a test for SSL_get_shared_ciphers() Reviewed-by: Richard Levitte <levi...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6113) commit 6021d8ec5affe07116cdae81fa3db81d67996aac Author: Matt Caswell <m...@openssl.org> Date: Fri Apr 27 12:09:08 2018 +0100 Fix a bug in create_ssl_ctx_pair() The max protocol version was only being set on the server side. It should have been done on both the client and the server. Reviewed-by: Richard Levitte <levi...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6113) commit 3bfa4756bd02659fa9f9a265550862c562749db6 Author: Matt Caswell <m...@openssl.org> Date: Fri Apr 27 11:38:19 2018 +0100 Add some documentation for SSL_get_shared_ciphers() Reviewed-by: Richard Levitte <levi...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6113) commit f054160a1923845f40d15457d1009420827f4c88 Author: Matt Caswell <m...@openssl.org> Date: Fri Apr 27 11:24:01 2018 +0100 Fix comment in ssl_locl.h The ciphers field in a session contains the stack of ciphers offered by the client. Reviewed-by: Richard Levitte <levi...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6113) commit a216df599a6076147c27acea6c976fb11f505b1a Author: Matt Caswell <m...@openssl.org> Date: Fri Apr 27 11:20:52 2018 +0100 Fix SSL_get_shared_ciphers() The function SSL_get_shared_ciphers() is supposed to return ciphers shared by the client and the server. However it only ever returned the client ciphers. Fixes #5317 Reviewed-by: Richard Levitte <levi...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6113) ----------------------------------------------------------------------- Summary of changes: doc/man3/SSL_get_ciphers.pod | 24 ++++++++-- doc/man7/ssl.pod | 2 +- include/openssl/ssl.h | 2 +- ssl/ssl_lib.c | 27 +++++++---- ssl/ssl_locl.h | 2 +- test/sslapitest.c | 104 +++++++++++++++++++++++++++++++++++++++++++ test/ssltestlib.c | 4 +- 7 files changed, 148 insertions(+), 17 deletions(-) diff --git a/doc/man3/SSL_get_ciphers.pod b/doc/man3/SSL_get_ciphers.pod index d91afc2..89d9461 100644 --- a/doc/man3/SSL_get_ciphers.pod +++ b/doc/man3/SSL_get_ciphers.pod @@ -2,9 +2,13 @@ =head1 NAME -SSL_get1_supported_ciphers, SSL_get_client_ciphers, -SSL_get_ciphers, SSL_CTX_get_ciphers, -SSL_bytes_to_cipher_list, SSL_get_cipher_list +SSL_get1_supported_ciphers, +SSL_get_client_ciphers, +SSL_get_ciphers, +SSL_CTX_get_ciphers, +SSL_bytes_to_cipher_list, +SSL_get_cipher_list, +SSL_get_shared_ciphers - get list of available SSL_CIPHERs =head1 SYNOPSIS @@ -19,6 +23,7 @@ SSL_bytes_to_cipher_list, SSL_get_cipher_list int isv2format, STACK_OF(SSL_CIPHER) **sk, STACK_OF(SSL_CIPHER) **scsvs); const char *SSL_get_cipher_list(const SSL *ssl, int priority); + char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size); =head1 DESCRIPTION @@ -58,6 +63,19 @@ listed for B<ssl> with B<priority>. If B<ssl> is NULL, no ciphers are available, or there are less ciphers than B<priority> available, NULL is returned. +SSL_get_shared_ciphers() creates a colon separated and NUL terminated list of +SSL_CIPHER names that are available in both the client and the server. B<buf> is +the buffer that should be populated with the list of names and B<size> is the +size of that buffer. A pointer to B<buf> is returned on success or NULL on +error. If the supplied buffer is not large enough to contain the complete list +of names then a truncated list of names will be returned. Note that just because +a ciphersuite is available (i.e. it is configured in the cipher list) and shared +by both the client and the server it does not mean that it is enabled (see the +description of SSL_get1_supported_ciphers() above). This function will return +available shared ciphersuites whether or not they are enabled. This is a server +side function only and must only be called after the completion of the initial +handshake. + =head1 NOTES The details of the ciphers obtained by SSL_get_ciphers(), SSL_CTX_get_ciphers() diff --git a/doc/man7/ssl.pod b/doc/man7/ssl.pod index 7cf7d61..c1e4924 100644 --- a/doc/man7/ssl.pod +++ b/doc/man7/ssl.pod @@ -570,7 +570,7 @@ fresh handle for each connection. =item SSL_SESSION *B<SSL_get_session>(const SSL *ssl); -=item char *B<SSL_get_shared_ciphers>(const SSL *ssl, char *buf, int len); +=item char *B<SSL_get_shared_ciphers>(const SSL *ssl, char *buf, int size); =item int B<SSL_get_shutdown>(const SSL *ssl); diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 4b45ae7..4bd53fc 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -1497,7 +1497,7 @@ __owur int SSL_get_fd(const SSL *s); __owur int SSL_get_rfd(const SSL *s); __owur int SSL_get_wfd(const SSL *s); __owur const char *SSL_get_cipher_list(const SSL *s, int n); -__owur char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len); +__owur char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size); __owur int SSL_get_read_ahead(const SSL *s); __owur int SSL_pending(const SSL *s); __owur int SSL_has_pending(const SSL *s); diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 2a57831..3aefa34 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2549,28 +2549,37 @@ int SSL_set_cipher_list(SSL *s, const char *str) return 1; } -char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len) +char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size) { char *p; - STACK_OF(SSL_CIPHER) *sk; + STACK_OF(SSL_CIPHER) *clntsk, *srvrsk; const SSL_CIPHER *c; int i; - if ((s->session == NULL) || (s->session->ciphers == NULL) || (len < 2)) + if (!s->server + || s->session == NULL + || s->session->ciphers == NULL + || size < 2) return NULL; p = buf; - sk = s->session->ciphers; + clntsk = s->session->ciphers; + srvrsk = SSL_get_ciphers(s); + if (clntsk == NULL || srvrsk == NULL) + return NULL; - if (sk_SSL_CIPHER_num(sk) == 0) + if (sk_SSL_CIPHER_num(clntsk) == 0 || sk_SSL_CIPHER_num(srvrsk) == 0) return NULL; - for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) { + for (i = 0; i < sk_SSL_CIPHER_num(clntsk); i++) { int n; - c = sk_SSL_CIPHER_value(sk, i); + c = sk_SSL_CIPHER_value(clntsk, i); + if (sk_SSL_CIPHER_find(srvrsk, c) < 0) + continue; + n = strlen(c->name); - if (n + 1 > len) { + if (n + 1 > size) { if (p != buf) --p; *p = '\0'; @@ -2579,7 +2588,7 @@ char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len) strcpy(p, c->name); p += n; *(p++) = ':'; - len -= n + 1; + size -= n + 1; } p[-1] = '\0'; return buf; diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index d881458..b32b23b 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -550,7 +550,7 @@ struct ssl_session_st { const SSL_CIPHER *cipher; unsigned long cipher_id; /* when ASN.1 loaded, this needs to be used to * load the 'cipher' structure */ - STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */ + STACK_OF(SSL_CIPHER) *ciphers; /* ciphers offered by the client */ CRYPTO_EX_DATA ex_data; /* application specific data */ /* * These are used to make removal of session-ids more efficient and to diff --git a/test/sslapitest.c b/test/sslapitest.c index 832746c..0aac80b 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -4452,6 +4452,109 @@ static int test_ssl_pending(int tst) return testresult; } +static struct { + unsigned int maxprot; + const char *clntciphers; + const char *clnttls13ciphers; + const char *srvrciphers; + const char *srvrtls13ciphers; + const char *shared; +} shared_ciphers_data[] = { + { + TLS1_2_VERSION, + "AES128-SHA:AES256-SHA", + NULL, + "AES256-SHA:DHE-RSA-AES128-SHA", + NULL, + "AES256-SHA" + }, + { + TLS1_2_VERSION, + "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA", + NULL, + "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA", + NULL, + "AES128-SHA:AES256-SHA" + }, + { + TLS1_2_VERSION, + "AES128-SHA:AES256-SHA", + NULL, + "AES128-SHA:DHE-RSA-AES128-SHA", + NULL, + "AES128-SHA" + }, +#ifndef OPENSSL_NO_TLS1_3 + { + TLS1_3_VERSION, + "AES128-SHA:AES256-SHA", + NULL, + "AES256-SHA:AES128-SHA256", + NULL, + "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:" + "TLS_AES_128_GCM_SHA256:AES256-SHA" + }, + { + TLS1_3_VERSION, + "AES128-SHA", + "TLS_AES_256_GCM_SHA384", + "AES256-SHA", + "TLS_AES_256_GCM_SHA384", + "TLS_AES_256_GCM_SHA384" + }, +#endif +}; + +static int test_ssl_get_shared_ciphers(int tst) +{ + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; + int testresult = 0; + char buf[1024]; + + if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), + TLS_client_method(), + TLS1_VERSION, + shared_ciphers_data[tst].maxprot, + &sctx, &cctx, cert, privkey))) + goto end; + + if (!TEST_true(SSL_CTX_set_cipher_list(cctx, + shared_ciphers_data[tst].clntciphers)) + || (shared_ciphers_data[tst].clnttls13ciphers != NULL + && !TEST_true(SSL_CTX_set_ciphersuites(cctx, + shared_ciphers_data[tst].clnttls13ciphers))) + || !TEST_true(SSL_CTX_set_cipher_list(sctx, + shared_ciphers_data[tst].srvrciphers)) + || (shared_ciphers_data[tst].srvrtls13ciphers != NULL + && !TEST_true(SSL_CTX_set_ciphersuites(sctx, + shared_ciphers_data[tst].srvrtls13ciphers)))) + goto end; + + + if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, + NULL, NULL)) + || !TEST_true(create_ssl_connection(serverssl, clientssl, + SSL_ERROR_NONE))) + goto end; + + if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf))) + || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) { + TEST_info("Shared ciphers are: %s\n", buf); + goto end; + } + + testresult = 1; + + end: + SSL_free(serverssl); + SSL_free(clientssl); + SSL_CTX_free(sctx); + SSL_CTX_free(cctx); + + return testresult; +} + int setup_tests(void) { if (!TEST_ptr(cert = test_get_argument(0)) @@ -4544,6 +4647,7 @@ int setup_tests(void) #endif ADD_ALL_TESTS(test_info_callback, 6); ADD_ALL_TESTS(test_ssl_pending, 2); + ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data)); return 1; } diff --git a/test/ssltestlib.c b/test/ssltestlib.c index ebd87cc..959e329 100644 --- a/test/ssltestlib.c +++ b/test/ssltestlib.c @@ -531,10 +531,10 @@ int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm, goto err; if (clientctx != NULL && ((min_proto_version > 0 - && !TEST_true(SSL_CTX_set_min_proto_version(serverctx, + && !TEST_true(SSL_CTX_set_min_proto_version(clientctx, min_proto_version))) || (max_proto_version > 0 - && !TEST_true(SSL_CTX_set_max_proto_version(serverctx, + && !TEST_true(SSL_CTX_set_max_proto_version(clientctx, max_proto_version))))) goto err; _____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits