author | Rich Salz <rsalz@akamai.com> | 2021-05-11 10:51:13 -0400 |
committer | Matt Caswell <matt@openssl.org> | 2021-05-14 09:59:38 +0100 |
commit | 56bd17830f2d5855b533d923d4e0649d3ed61d11 (patch) | |
tree | ce86ed934d883339d8f53d9f5933cc064d95c46e | |
parent | 8a0f65f06b0b0fa0411175bcd764c818d9c52469 (diff) |
Convert SSL_{CTX}_[gs]et_options to 64
Less tersely: converted SSL_get_options, SSL_set_options,
SSL_CTX_get_options and SSL_CTX_set_options to take and return uint64_t
since we were running out of 32 bits.
Fixes: 15145
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15230)
-rw-r--r-- | doc/man3/SSL_CTX_set_options.pod | 12 | ||||
-rw-r--r-- | include/openssl/ssl.h.in | 76 | ||||
-rw-r--r-- | ssl/ssl_conf.c | 16 | ||||
-rw-r--r-- | ssl/ssl_lib.c | 17 | ||||
-rw-r--r-- | ssl/ssl_local.h | 4 |
5 files changed, 62 insertions, 63 deletions
diff --git a/doc/man3/SSL_CTX_set_options.pod b/doc/man3/SSL_CTX_set_options.pod
index e84aaac8a8..497dd270f5 100644
--- a/doc/man3/SSL_CTX_set_options.pod
+++ b/doc/man3/SSL_CTX_set_options.pod
@@ -10,14 +10,14 @@ SSL_get_secure_renegotiation_support - manipulate SSL options
 #include <openssl/ssl.h>
- long SSL_CTX_set_options(SSL_CTX *ctx, long options);
- long SSL_set_options(SSL *ssl, long options);
+ uint64_t SSL_CTX_set_options(SSL_CTX *ctx, uint64_t options);
+ uint64_t SSL_set_options(SSL *ssl, uint64_t options);
- long SSL_CTX_clear_options(SSL_CTX *ctx, long options);
- long SSL_clear_options(SSL *ssl, long options);
+ uint64_t SSL_CTX_clear_options(SSL_CTX *ctx, uint64_t options);
+ uint64_t SSL_clear_options(SSL *ssuint64_t, long options);
- long SSL_CTX_get_options(SSL_CTX *ctx);
- long SSL_get_options(SSL *ssl);
+ uint64_t SSL_CTX_get_options(SSL_CTX *ctx);
+ uint64_t SSL_get_options(SSL *ssl);
 long SSL_get_secure_renegotiation_support(SSL *ssl);
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
index 5dd473c9bd..4d31bda6f7 100644
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -317,25 +317,25 @@ typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx);
 typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);
 /* Disable Extended master secret */
-# define SSL_OP_NO_EXTENDED_MASTER_SECRET 0x00000001U
+# define SSL_OP_NO_EXTENDED_MASTER_SECRET (uint64_t)0x00000001
 /* Cleanse plaintext copies of data delivered to the application */
-# define SSL_OP_CLEANSE_PLAINTEXT 0x00000002U
+# define SSL_OP_CLEANSE_PLAINTEXT (uint64_t)0x00000002
 /* Allow initial connection to servers that don't support RI */
-# define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004U
+# define SSL_OP_LEGACY_SERVER_CONNECT (uint64_t)0x00000004
 /* Enable support for Kernel TLS */
-# define SSL_OP_ENABLE_KTLS 0x00000008U
+# define SSL_OP_ENABLE_KTLS (uint64_t)0x00000008
-# define SSL_OP_TLSEXT_PADDING 0x00000010U
-# define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040U
-# define SSL_OP_IGNORE_UNEXPECTED_EOF 0x00000080U
+# define SSL_OP_TLSEXT_PADDING (uint64_t)0x00000010
+# define SSL_OP_SAFARI_ECDHE_ECDSA_BUG (uint64_t)0x00000040
+# define SSL_OP_IGNORE_UNEXPECTED_EOF (uint64_t)0x00000080
-# define SSL_OP_DISABLE_TLSEXT_CA_NAMES 0x00000200U
+# define SSL_OP_DISABLE_TLSEXT_CA_NAMES (uint64_t)0x00000200
 /* In TLSv1.3 allow a non-(ec)dhe based kex_mode */
-# define SSL_OP_ALLOW_NO_DHE_KEX 0x00000400U
+# define SSL_OP_ALLOW_NO_DHE_KEX (uint64_t)0x00000400
 /*
  * Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added in
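Review bot: The new option constants are written as a bare cast, `(uint64_t)0x00000001`, which no longer works in preprocessor arithmetic: `#if` cannot evaluate a cast (the typedef name becomes 0 and the expression fails to parse), so any `#if` test against an `SSL_OP_*` value that was legal with the old `0x00000001U` literals now breaks; the same applies to the rest of the table in the hunk at @@ -344. The integer-constant macro keeps both uses, e.g. `# define SSL_OP_NO_EXTENDED_MASTER_SECRET UINT64_C(0x00000001)`, or at least wrap the cast so each macro expands to a single parenthesised operand, `((uint64_t)0x00000001)`. Either form makes the header depend on `<stdint.h>` being included before these lines, which the hunk does not show; worth a comment at the top of the table saying so.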
@@ -344,79 +344,79 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);
  * implementations cannot handle it at all, which is why we include it in
  * SSL_OP_ALL. Added in 0.9.6e
  */
-# define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0x00000800U
+# define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS (uint64_t)0x00000800
 /* DTLS options */
-# define SSL_OP_NO_QUERY_MTU 0x00001000U
+# define SSL_OP_NO_QUERY_MTU (uint64_t)0x00001000
 /* Turn on Cookie Exchange (on relevant for servers) */
-# define SSL_OP_COOKIE_EXCHANGE 0x00002000U
+# define SSL_OP_COOKIE_EXCHANGE (uint64_t)0x00002000
 /* Don't use RFC4507 ticket extension */
-# define SSL_OP_NO_TICKET 0x00004000U
+# define SSL_OP_NO_TICKET (uint64_t)0x00004000
 # ifndef OPENSSL_NO_DTLS1_METHOD
 /* Use Cisco's "speshul" version of DTLS_BAD_VER
  * (only with deprecated DTLSv1_client_method()) */
-# define SSL_OP_CISCO_ANYCONNECT 0x00008000U
+# define SSL_OP_CISCO_ANYCONNECT (uint64_t)0x00008000
 # endif
 /* As server, disallow session resumption on renegotiation */
-# define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000U
+# define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (uint64_t)0x00010000
 /* Don't use compression even if supported */
-# define SSL_OP_NO_COMPRESSION 0x00020000U
+# define SSL_OP_NO_COMPRESSION (uint64_t)0x00020000
 /* Permit unsafe legacy renegotiation */
-# define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000U
+# define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION (uint64_t)0x00040000
 /* Disable encrypt-then-mac */
-# define SSL_OP_NO_ENCRYPT_THEN_MAC 0x00080000U
+# define SSL_OP_NO_ENCRYPT_THEN_MAC (uint64_t)0x00080000
 /*
  * Enable TLSv1.3 Compatibility mode. This is on by default. A future version
  * of OpenSSL may have this disabled by default.
  */
-# define SSL_OP_ENABLE_MIDDLEBOX_COMPAT 0x00100000U
+# define SSL_OP_ENABLE_MIDDLEBOX_COMPAT (uint64_t)0x00100000
 /* Prioritize Chacha20Poly1305 when client does.
  * Modifies SSL_OP_CIPHER_SERVER_PREFERENCE */
-# define SSL_OP_PRIORITIZE_CHACHA 0x00200000U
+# define SSL_OP_PRIORITIZE_CHACHA (uint64_t)0x00200000
 /*
  * Set on servers to choose the cipher according to the server's preferences
  */
-# define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000U
+# define SSL_OP_CIPHER_SERVER_PREFERENCE (uint64_t)0x00400000
 /*
  * If set, a server will allow a client to issue a SSLv3.0 version number as
  * latest version supported in the premaster secret, even when TLSv1.0
  * (version 3.1) was announced in the client hello. Normally this is
  * forbidden to prevent version rollback attacks.
  */
-# define SSL_OP_TLS_ROLLBACK_BUG 0x00800000U
+# define SSL_OP_TLS_ROLLBACK_BUG (uint64_t)0x00800000
 /*
  * Switches off automatic TLSv1.3 anti-replay protection for early data. This
  * is a server-side option only (no effect on the client).
  */
-# define SSL_OP_NO_ANTI_REPLAY 0x01000000U
+# define SSL_OP_NO_ANTI_REPLAY (uint64_t)0x01000000
-# define SSL_OP_NO_SSLv3 0x02000000U
-# define SSL_OP_NO_TLSv1 0x04000000U
-# define SSL_OP_NO_TLSv1_2 0x08000000U
-# define SSL_OP_NO_TLSv1_1 0x10000000U
-# define SSL_OP_NO_TLSv1_3 0x20000000U
+# define SSL_OP_NO_SSLv3 (uint64_t)0x02000000
+# define SSL_OP_NO_TLSv1 (uint64_t)0x04000000
+# define SSL_OP_NO_TLSv1_2 (uint64_t)0x08000000
+# define SSL_OP_NO_TLSv1_1 (uint64_t)0x10000000
+# define SSL_OP_NO_TLSv1_3 (uint64_t)0x20000000
-# define SSL_OP_NO_DTLSv1 0x04000000U
-# define SSL_OP_NO_DTLSv1_2 0x08000000U
+# define SSL_OP_NO_DTLSv1 (uint64_t)0x04000000
+# define SSL_OP_NO_DTLSv1_2 (uint64_t)0x08000000
 # define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv3|\
  SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1_2|SSL_OP_NO_TLSv1_3)
 # define SSL_OP_NO_DTLS_MASK (SSL_OP_NO_DTLSv1|SSL_OP_NO_DTLSv1_2)
 /* Disallow all renegotiation */
-# define SSL_OP_NO_RENEGOTIATION 0x40000000U
+# define SSL_OP_NO_RENEGOTIATION (uint64_t)0x40000000
 /*
  * Make server add server-hello extension from early version of cryptopro
  * draft, when GOST ciphersuite is
negotiated. Required for interoperability
  * with CryptoPro CSP 3.x
  */
-# define SSL_OP_CRYPTOPRO_TLSEXT_BUG 0x80000000U
+# define SSL_OP_CRYPTOPRO_TLSEXT_BUG (uint64_t)0x80000000
 /*
  * SSL_OP_ALL: various bug workarounds that should be rather harmless.
@@ -601,12 +601,12 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);
  * cannot be used to clear bits.
  */
-unsigned long SSL_CTX_get_options(const SSL_CTX *ctx);
-unsigned long SSL_get_options(const SSL *s);
-unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op);
-unsigned long SSL_clear_options(SSL *s, unsigned long op);
-unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long op);
-unsigned long SSL_set_options(SSL *s, unsigned long op);
+uint64_t SSL_CTX_get_options(const SSL_CTX *ctx);
+uint64_t SSL_get_options(const SSL *s);
+uint64_t SSL_CTX_clear_options(SSL_CTX *ctx, uint64_t op);
+uint64_t SSL_clear_options(SSL *s, uint64_t op);
+uint64_t SSL_CTX_set_options(SSL_CTX *ctx, uint64_t op);
+uint64_t SSL_set_options(SSL *s, uint64_t op);
 # define SSL_CTX_set_mode(ctx,op) \
  SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL)
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
index 1f288b5e06..832026c4ce 100644
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@@ -24,12 +24,12 @@ typedef struct {
 const char *name;
 int namelen;
 unsigned int name_flags;
- unsigned long option_value;
+ uint64_t option_value;
 } ssl_flag_tbl;
 /* Switch table: use for single command line switches like no_tls2 */
 typedef struct {
- unsigned long option_value;
+ uint64_t option_value;
 unsigned int name_flags;
 } ssl_switch_tbl;
@@ -84,7 +84,7 @@ struct ssl_conf_ctx_st {
 SSL_CTX *ctx;
 SSL *ssl;
 /* Pointer to SSL or SSL_CTX options field or NULL if none */
- uint32_t *poptions;
+ uint64_t *poptions;
 /* Certificate filenames for each type */
 char *cert_filename[SSL_PKEY_NUM];
 /* Pointer to SSL or SSL_CTX cert_flags or NULL if none */
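Review bot: The public prototypes at @@ -601 now take and return `uint64_t`, but the copy of the same prototypes in doc/man3/SSL_CTX_set_options.pod (first hunk of this commit) was mangled by the search-and-replace: `uint64_t SSL_clear_options(SSL *ssuint64_t, long options);` should read `uint64_t SSL_clear_options(SSL *ssl, uint64_t options);`. The comment block above these declarations, whose first lines are outside the hunk, should also say that callers must hold the result in a `uint64_t`: an application that keeps the old habit of storing it in `unsigned long` silently drops bits 32 and up wherever `unsigned long` is 32 bits wide (ILP32, and 64-bit Windows), which is exactly the range this change is opening up.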
@@ -107,6 +107,7 @@ static void ssl_set_option(SSL_CONF_CTX *cctx, unsigned int name_flags,
 unsigned long option_value, int onoff)
 {
 uint32_t *pflags;
+
 if (cctx->poptions == NULL)
 return;
 if (name_flags & SSL_TFLAG_INV)
@@ -120,10 +121,13 @@ static void ssl_set_option(SSL_CONF_CTX *cctx, unsigned int name_flags,
 case SSL_TFLAG_VFY:
 pflags = cctx->pvfy_flags;
 break;
-
+
 case SSL_TFLAG_OPTION:
- pflags = cctx->poptions;
- break;
+ if (onoff)
+ *cctx->poptions |= option_value;
+ else
+ *cctx->poptions &= ~option_value;
+ return;
 default:
 return;
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index c9b49279c5..047fa1a07d 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -4874,37 +4874,32 @@ void *SSL_CTX_get0_security_ex_data(const SSL_CTX *ctx)
 return ctx->cert->sec_ex;
 }
-/*
- * Get/Set/Clear options in SSL_CTX or SSL, formerly macros, now functions that
- * can return unsigned long, instead of the generic long return value from the
- * control interface.
- */
-unsigned long SSL_CTX_get_options(const SSL_CTX *ctx)
+uint64_t SSL_CTX_get_options(const SSL_CTX *ctx)
 {
 return ctx->options;
 }
-unsigned long SSL_get_options(const SSL *s)
+uint64_t SSL_get_options(const SSL *s)
 {
 return s->options;
 }
-unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long op)
+uint64_t SSL_CTX_set_options(SSL_CTX *ctx, uint64_t op)
 {
 return ctx->options |= op;
 }
-unsigned long SSL_set_options(SSL *s, unsigned long op)
+uint64_t SSL_set_options(SSL *s, uint64_t op)
 {
 return s->options |= op;
 }
-unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op)
+uint64_t SSL_CTX_clear_options(SSL_CTX *ctx, uint64_t op)
 {
 return ctx->options &= ~op;
 }
-unsigned long SSL_clear_options(SSL *s, unsigned long op)
+uint64_t SSL_clear_options(SSL *s, uint64_t op)
 {
 return s->options &= ~op;
 }
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index 023e6f4378..0a6c4bf9ec 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
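Review bot: `ssl_set_option` still takes `unsigned long option_value` (the first context line of this hunk, with the rest of the signature in the hunk header), while the table field it is loaded from and the `*cctx->poptions` it is applied to in the @@ -120 hunk are now `uint64_t`. Wherever `unsigned long` is 32 bits (ILP32, and 64-bit Windows) any option bit above bit 31 is truncated on the way in, and in the clear path `*cctx->poptions &= ~option_value;` the complement is computed in 32 bits and zero-extended, so clearing one low option also wipes every option held in the upper 32 bits. Changing the parameter to `uint64_t option_value` keeps the whole path 64 bits wide; `pflags` can stay `uint32_t *` since the new code no longer routes options through it. The switch body continues outside the hunk.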
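Review bot: The block comment explaining why SSL_CTX_get_options and its five siblings are functions rather than ctrl macros is deleted together with the old prototypes, leaving the six public definitions undocumented; the reason it gave still holds and is stronger now, since the generic `long` return of the control interface cannot carry a 64-bit mask at all where `long` is 32 bits. Restore it above `SSL_CTX_get_options`, updated to the new type, e.g. `/* Get/Set/Clear options in SSL_CTX or SSL: functions rather than ctrl macros so the full uint64_t option mask can be passed and returned, which the generic long of the control interface cannot carry. */`.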
@@ -957,7 +957,7 @@ struct ssl_ctx_st {
  * SSL_new)
  */
- uint32_t options;
+ uint64_t options;
 uint32_t mode;
 int min_proto_version;
 int max_proto_version;
@@ -1535,7 +1535,7 @@ struct ssl_st {
 STACK_OF(X509_NAME) *client_ca_names;
 CRYPTO_REF_COUNT references;
 /* protocol behaviour */
- uint32_t options;
+ uint64_t options;
 /* API behaviour */
 uint32_t mode;
 int min_proto_version;