QuasarApp/openssl
4
0
Fork 0
mirror of https://github.com/QuasarApp/openssl.git synced 2025-05-06 14:39:40 +00:00
Code Issues Projects Releases Wiki Activity

Move some libssl global variables into SSL_CTX

Browse Source 
disabled_enc_mask et al were global. Now that cipher loading is done
individually for each SSL_CTX, based on the libctx configured for that
SSL_CTX this means that some things will be disabled for one SSL_CTX but
not for another. The global variables set up the potential for different
SSL_CTXs to trample on each other. We move these variables into the SSL_CTX
structure.

Fixes #12040

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13465)
This commit is contained in:
Matt Caswell 2020-11-20 17:23:57 +00:00
parent 97485aec7f
commit a68eee679a
4 changed files with 49 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

75
ssl/ssl_ciph.c
View File

@ -319,18 +319,12 @@ static int get_optional_pkey_id(const char *pkey_name)
#endif #endif
/* masks of disabled algorithms */
static uint32_t disabled_enc_mask;
static uint32_t disabled_mac_mask;
static uint32_t disabled_mkey_mask;
static uint32_t disabled_auth_mask;
int ssl_load_ciphers(SSL_CTX *ctx) int ssl_load_ciphers(SSL_CTX *ctx)
{ {
size_t i; size_t i;
const ssl_cipher_table *t; const ssl_cipher_table *t;
disabled_enc_mask = 0; ctx->disabled_enc_mask = 0;
for (i = 0, t = ssl_cipher_table_cipher; i < SSL_ENC_NUM_IDX; i++, t++) { for (i = 0, t = ssl_cipher_table_cipher; i < SSL_ENC_NUM_IDX; i++, t++) {
if (t->nid != NID_undef) { if (t->nid != NID_undef) {
const EVP_CIPHER *cipher const EVP_CIPHER *cipher
@ -338,17 +332,17 @@ int ssl_load_ciphers(SSL_CTX *ctx)
ctx->ssl_cipher_methods[i] = cipher; ctx->ssl_cipher_methods[i] = cipher;
if (cipher == NULL) if (cipher == NULL)
disabled_enc_mask |= t->mask; ctx->disabled_enc_mask |= t->mask;
} }
} }
disabled_mac_mask = 0; ctx->disabled_mac_mask = 0;
for (i = 0, t = ssl_cipher_table_mac; i < SSL_MD_NUM_IDX; i++, t++) { for (i = 0, t = ssl_cipher_table_mac; i < SSL_MD_NUM_IDX; i++, t++) {
const EVP_MD *md const EVP_MD *md
= ssl_evp_md_fetch(ctx->libctx, t->nid, ctx->propq); = ssl_evp_md_fetch(ctx->libctx, t->nid, ctx->propq);
ctx->ssl_digest_methods[i] = md; ctx->ssl_digest_methods[i] = md;
if (md == NULL) { if (md == NULL) {
disabled_mac_mask |= t->mask; ctx->disabled_mac_mask |= t->mask;
} else { } else {
int tmpsize = EVP_MD_size(md); int tmpsize = EVP_MD_size(md);
if (!ossl_assert(tmpsize >= 0)) if (!ossl_assert(tmpsize >= 0))
@ -357,29 +351,29 @@ int ssl_load_ciphers(SSL_CTX *ctx)
} }
} }
disabled_mkey_mask = 0; ctx->disabled_mkey_mask = 0;
disabled_auth_mask = 0; ctx->disabled_auth_mask = 0;
#ifdef OPENSSL_NO_RSA #ifdef OPENSSL_NO_RSA
disabled_mkey_mask |= SSL_kRSA | SSL_kRSAPSK; ctx->disabled_mkey_mask |= SSL_kRSA | SSL_kRSAPSK;
disabled_auth_mask |= SSL_aRSA; dctx->isabled_auth_mask |= SSL_aRSA;
#endif #endif
#ifdef OPENSSL_NO_DSA #ifdef OPENSSL_NO_DSA
disabled_auth_mask |= SSL_aDSS; ctx->disabled_auth_mask |= SSL_aDSS;
#endif #endif
#ifdef OPENSSL_NO_DH #ifdef OPENSSL_NO_DH
disabled_mkey_mask |= SSL_kDHE | SSL_kDHEPSK; ctx->disabled_mkey_mask |= SSL_kDHE | SSL_kDHEPSK;
#endif #endif
#ifdef OPENSSL_NO_EC #ifdef OPENSSL_NO_EC
disabled_mkey_mask |= SSL_kECDHE | SSL_kECDHEPSK; ctx->disabled_mkey_mask |= SSL_kECDHE | SSL_kECDHEPSK;
disabled_auth_mask |= SSL_aECDSA; ctx->disabled_auth_mask |= SSL_aECDSA;
#endif #endif
#ifdef OPENSSL_NO_PSK #ifdef OPENSSL_NO_PSK
disabled_mkey_mask |= SSL_PSK; ctx->disabled_mkey_mask |= SSL_PSK;
disabled_auth_mask |= SSL_aPSK; ctx->disabled_auth_mask |= SSL_aPSK;
#endif #endif
#ifdef OPENSSL_NO_SRP #ifdef OPENSSL_NO_SRP
disabled_mkey_mask |= SSL_kSRP; ctx->disabled_mkey_mask |= SSL_kSRP;
#endif #endif
/* /*
@ -390,44 +384,44 @@ int ssl_load_ciphers(SSL_CTX *ctx)
if (ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]) if (ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX])
ctx->ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX] = 32; ctx->ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX] = 32;
else else
disabled_mac_mask |= SSL_GOST89MAC; ctx->disabled_mac_mask |= SSL_GOST89MAC;
ssl_mac_pkey_id[SSL_MD_GOST89MAC12_IDX] = ssl_mac_pkey_id[SSL_MD_GOST89MAC12_IDX] =
get_optional_pkey_id(SN_gost_mac_12); get_optional_pkey_id(SN_gost_mac_12);
if (ssl_mac_pkey_id[SSL_MD_GOST89MAC12_IDX]) if (ssl_mac_pkey_id[SSL_MD_GOST89MAC12_IDX])
ctx->ssl_mac_secret_size[SSL_MD_GOST89MAC12_IDX] = 32; ctx->ssl_mac_secret_size[SSL_MD_GOST89MAC12_IDX] = 32;
else else
disabled_mac_mask |= SSL_GOST89MAC12; ctx->disabled_mac_mask |= SSL_GOST89MAC12;
ssl_mac_pkey_id[SSL_MD_MAGMAOMAC_IDX] = ssl_mac_pkey_id[SSL_MD_MAGMAOMAC_IDX] =
get_optional_pkey_id(SN_magma_mac); get_optional_pkey_id(SN_magma_mac);
if (ssl_mac_pkey_id[SSL_MD_MAGMAOMAC_IDX]) if (ssl_mac_pkey_id[SSL_MD_MAGMAOMAC_IDX])
ctx->ssl_mac_secret_size[SSL_MD_MAGMAOMAC_IDX] = 32; ctx->ssl_mac_secret_size[SSL_MD_MAGMAOMAC_IDX] = 32;
else else
disabled_mac_mask |= SSL_MAGMAOMAC; ctx->disabled_mac_mask |= SSL_MAGMAOMAC;
ssl_mac_pkey_id[SSL_MD_KUZNYECHIKOMAC_IDX] = ssl_mac_pkey_id[SSL_MD_KUZNYECHIKOMAC_IDX] =
get_optional_pkey_id(SN_kuznyechik_mac); get_optional_pkey_id(SN_kuznyechik_mac);
if (ssl_mac_pkey_id[SSL_MD_KUZNYECHIKOMAC_IDX]) if (ssl_mac_pkey_id[SSL_MD_KUZNYECHIKOMAC_IDX])
ctx->ssl_mac_secret_size[SSL_MD_KUZNYECHIKOMAC_IDX] = 32; ctx->ssl_mac_secret_size[SSL_MD_KUZNYECHIKOMAC_IDX] = 32;
else else
disabled_mac_mask |= SSL_KUZNYECHIKOMAC; ctx->disabled_mac_mask |= SSL_KUZNYECHIKOMAC;
if (!get_optional_pkey_id(SN_id_GostR3410_2001)) if (!get_optional_pkey_id(SN_id_GostR3410_2001))
disabled_auth_mask |= SSL_aGOST01 | SSL_aGOST12; ctx->disabled_auth_mask |= SSL_aGOST01 | SSL_aGOST12;
if (!get_optional_pkey_id(SN_id_GostR3410_2012_256)) if (!get_optional_pkey_id(SN_id_GostR3410_2012_256))
disabled_auth_mask |= SSL_aGOST12; ctx->disabled_auth_mask |= SSL_aGOST12;
if (!get_optional_pkey_id(SN_id_GostR3410_2012_512)) if (!get_optional_pkey_id(SN_id_GostR3410_2012_512))
disabled_auth_mask |= SSL_aGOST12; ctx->disabled_auth_mask |= SSL_aGOST12;
/* /*
* Disable GOST key exchange if no GOST signature algs are available * * Disable GOST key exchange if no GOST signature algs are available *
*/ */
if ((disabled_auth_mask & (SSL_aGOST01 | SSL_aGOST12)) == if ((ctx->disabled_auth_mask & (SSL_aGOST01 | SSL_aGOST12)) ==
(SSL_aGOST01 | SSL_aGOST12)) (SSL_aGOST01 | SSL_aGOST12))
disabled_mkey_mask |= SSL_kGOST; ctx->disabled_mkey_mask |= SSL_kGOST;
if ((disabled_auth_mask & SSL_aGOST12) == SSL_aGOST12) if ((ctx->disabled_auth_mask & SSL_aGOST12) == SSL_aGOST12)
disabled_mkey_mask |= SSL_kGOST18; ctx->disabled_mkey_mask |= SSL_kGOST18;
return 1; return 1;
} }
@ -1417,7 +1411,7 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
return ret; return ret;
} }
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
STACK_OF(SSL_CIPHER) *tls13_ciphersuites, STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
STACK_OF(SSL_CIPHER) **cipher_list, STACK_OF(SSL_CIPHER) **cipher_list,
STACK_OF(SSL_CIPHER) **cipher_list_by_id, STACK_OF(SSL_CIPHER) **cipher_list_by_id,
@ -1430,6 +1424,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
const char *rule_p; const char *rule_p;
CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
const SSL_CIPHER **ca_list = NULL; const SSL_CIPHER **ca_list = NULL;
const SSL_METHOD *ssl_method = ctx->method;
/* /*
* Return with error if nothing to do. * Return with error if nothing to do.
@ -1446,10 +1441,10 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
* in algorithms, so we first get the mask of disabled ciphers. * in algorithms, so we first get the mask of disabled ciphers.
*/ */
disabled_mkey = disabled_mkey_mask; disabled_mkey = ctx->disabled_mkey_mask;
disabled_auth = disabled_auth_mask; disabled_auth = ctx->disabled_auth_mask;
disabled_enc = disabled_enc_mask; disabled_enc = ctx->disabled_enc_mask;
disabled_mac = disabled_mac_mask; disabled_mac = ctx->disabled_mac_mask;
/* /*
* Now we have to collect the available ciphers from the compiled * Now we have to collect the available ciphers from the compiled
@ -1622,7 +1617,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
if ((sslc->algorithm_enc & disabled_enc) != 0 if ((sslc->algorithm_enc & disabled_enc) != 0
|| (ssl_cipher_table_mac[sslc->algorithm2 || (ssl_cipher_table_mac[sslc->algorithm2
& SSL_HANDSHAKE_MAC_MASK].mask & SSL_HANDSHAKE_MAC_MASK].mask
& disabled_mac_mask) != 0) & ctx->disabled_mac_mask) != 0)
continue; continue;
if (!sk_SSL_CIPHER_push(cipherstack, sslc)) { if (!sk_SSL_CIPHER_push(cipherstack, sslc)) {
@ -2185,11 +2180,11 @@ int ssl_cipher_get_overhead(const SSL_CIPHER *c, size_t *mac_overhead,
return 1; return 1;
} }
int ssl_cert_is_disabled(size_t idx) int ssl_cert_is_disabled(SSL_CTX *ctx, size_t idx)
{ {
const SSL_CERT_LOOKUP *cl = ssl_cert_lookup_by_idx(idx); const SSL_CERT_LOOKUP *cl = ssl_cert_lookup_by_idx(idx);
if (cl == NULL || (cl->amask & disabled_auth_mask) != 0) if (cl == NULL || (cl->amask & ctx->disabled_auth_mask) != 0)
return 1; return 1;
return 0; return 0;
} }

8
ssl/ssl_lib.c
View File

@ -656,7 +656,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
return 0; return 0;
} }
sk = ssl_create_cipher_list(ctx->method, sk = ssl_create_cipher_list(ctx,
ctx->tls13_ciphersuites, ctx->tls13_ciphersuites,
&(ctx->cipher_list), &(ctx->cipher_list),
&(ctx->cipher_list_by_id), &(ctx->cipher_list_by_id),
@ -2701,7 +2701,7 @@ int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
{ {
STACK_OF(SSL_CIPHER) *sk; STACK_OF(SSL_CIPHER) *sk;
sk = ssl_create_cipher_list(ctx->method, ctx->tls13_ciphersuites, sk = ssl_create_cipher_list(ctx, ctx->tls13_ciphersuites,
&ctx->cipher_list, &ctx->cipher_list_by_id, str, &ctx->cipher_list, &ctx->cipher_list_by_id, str,
ctx->cert); ctx->cert);
/* /*
@ -2725,7 +2725,7 @@ int SSL_set_cipher_list(SSL *s, const char *str)
{ {
STACK_OF(SSL_CIPHER) *sk; STACK_OF(SSL_CIPHER) *sk;
sk = ssl_create_cipher_list(s->ctx->method, s->tls13_ciphersuites, sk = ssl_create_cipher_list(s->ctx, s->tls13_ciphersuites,
&s->cipher_list, &s->cipher_list_by_id, str, &s->cipher_list, &s->cipher_list_by_id, str,
s->cert); s->cert);
/* see comment in SSL_CTX_set_cipher_list */ /* see comment in SSL_CTX_set_cipher_list */
@ -3190,7 +3190,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
if (!SSL_CTX_set_ciphersuites(ret, OSSL_default_ciphersuites())) if (!SSL_CTX_set_ciphersuites(ret, OSSL_default_ciphersuites()))
goto err; goto err;
if (!ssl_create_cipher_list(ret->method, if (!ssl_create_cipher_list(ret,
ret->tls13_ciphersuites, ret->tls13_ciphersuites,
&ret->cipher_list, &ret->cipher_list_by_id, &ret->cipher_list, &ret->cipher_list_by_id,
OSSL_default_cipher_list(), ret->cert) OSSL_default_cipher_list(), ret->cert)

10
ssl/ssl_local.h
View File

@ -1187,6 +1187,12 @@ struct ssl_ctx_st {
TLS_GROUP_INFO *group_list; TLS_GROUP_INFO *group_list;
size_t group_list_len; size_t group_list_len;
size_t group_list_max_len; size_t group_list_max_len;
/* masks of disabled algorithms */
uint32_t disabled_enc_mask;
uint32_t disabled_mac_mask;
uint32_t disabled_mkey_mask;
uint32_t disabled_auth_mask;
}; };
typedef struct cert_pkey_st CERT_PKEY; typedef struct cert_pkey_st CERT_PKEY;
@ -2389,7 +2395,7 @@ __owur int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b);
DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id); DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id);
__owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap, __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
const SSL_CIPHER *const *bp); const SSL_CIPHER *const *bp);
__owur STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, __owur STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
STACK_OF(SSL_CIPHER) *tls13_ciphersuites, STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
STACK_OF(SSL_CIPHER) **cipher_list, STACK_OF(SSL_CIPHER) **cipher_list,
STACK_OF(SSL_CIPHER) **cipher_list_by_id, STACK_OF(SSL_CIPHER) **cipher_list_by_id,
@ -2410,7 +2416,7 @@ __owur int ssl_cipher_get_evp(SSL_CTX *ctxc, const SSL_SESSION *s,
__owur int ssl_cipher_get_overhead(const SSL_CIPHER *c, size_t *mac_overhead, __owur int ssl_cipher_get_overhead(const SSL_CIPHER *c, size_t *mac_overhead,
size_t *int_overhead, size_t *blocksize, size_t *int_overhead, size_t *blocksize,
size_t *ext_overhead); size_t *ext_overhead);
__owur int ssl_cert_is_disabled(size_t idx); __owur int ssl_cert_is_disabled(SSL_CTX *ctx, size_t idx);
__owur const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl, __owur const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl,
const unsigned char *ptr, const unsigned char *ptr,
int all); int all);

4
ssl/t1_lib.c
View File

@ -2050,7 +2050,7 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)
return 0; return 0;
/* See if public key algorithm allowed */ /* See if public key algorithm allowed */
if (ssl_cert_is_disabled(lu->sig_idx)) if (ssl_cert_is_disabled(s->ctx, lu->sig_idx))
return 0; return 0;
if (lu->sig == NID_id_GostR3410_2012_256 if (lu->sig == NID_id_GostR3410_2012_256
@ -2307,7 +2307,7 @@ int tls1_process_sigalgs(SSL *s)
if (SSL_IS_TLS13(s) && sigptr->sig == EVP_PKEY_RSA) if (SSL_IS_TLS13(s) && sigptr->sig == EVP_PKEY_RSA)
continue; continue;
/* If not disabled indicate we can explicitly sign */ /* If not disabled indicate we can explicitly sign */
if (pvalid[idx] == 0 && !ssl_cert_is_disabled(idx)) if (pvalid[idx] == 0 && !ssl_cert_is_disabled(s->ctx, idx))
pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN; pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
} }
return 1; return 1;