[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
Matt Caswell
matt at openssl.org
Wed May 2 22:42:01 UTC 2018
The branch OpenSSL_1_0_2-stable has been updated
via bd05644df71602f76db5335b8077ba4dbbb6b427 (commit)
via d7d6d9531a0a9bb40a5f8b0256c04fa7a3e9b0c6 (commit)
via 3f5b23403cfa893f51b8def07a430a25ec607fc8 (commit)
from 7e6c0f56e65af0727d87615342df1272cd017e9f (commit)
- Log -----------------------------------------------------------------
commit bd05644df71602f76db5335b8077ba4dbbb6b427
Author: Matt Caswell <matt at openssl.org>
Date: Fri Apr 27 11:38:19 2018 +0100
Add some documentation for SSL_get_shared_ciphers()
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6115)
commit d7d6d9531a0a9bb40a5f8b0256c04fa7a3e9b0c6
Author: Matt Caswell <matt at openssl.org>
Date: Fri Apr 27 11:24:01 2018 +0100
Fix comment in ssl.h
The ciphers field in a session contains the stack of ciphers offered by
the client.
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6115)
commit 3f5b23403cfa893f51b8def07a430a25ec607fc8
Author: Matt Caswell <matt at openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100
Fix SSL_get_shared_ciphers()
The function SSL_get_shared_ciphers() is supposed to return ciphers shared
by the client and the server. However it only ever returned the client
ciphers.
Fixes #5317
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6115)
-----------------------------------------------------------------------
Summary of changes:
doc/ssl/SSL_get_ciphers.pod | 19 ++++++++++++++++++-
doc/ssl/ssl.pod | 2 +-
ssl/ssl.h | 4 ++--
ssl/ssl_lib.c | 29 +++++++++++++++++++----------
4 files changed, 40 insertions(+), 14 deletions(-)
diff --git a/doc/ssl/SSL_get_ciphers.pod b/doc/ssl/SSL_get_ciphers.pod
index aecadd9..7697d27 100644
--- a/doc/ssl/SSL_get_ciphers.pod
+++ b/doc/ssl/SSL_get_ciphers.pod
@@ -2,7 +2,10 @@
=head1 NAME
-SSL_get_ciphers, SSL_get_cipher_list - get list of available SSL_CIPHERs
+SSL_get_ciphers,
+SSL_get_cipher_list,
+SSL_get_shared_ciphers
+- get list of available SSL_CIPHERs
=head1 SYNOPSIS
@@ -10,6 +13,7 @@ SSL_get_ciphers, SSL_get_cipher_list - get list of available SSL_CIPHERs
STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *ssl);
const char *SSL_get_cipher_list(const SSL *ssl, int priority);
+ char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size);
=head1 DESCRIPTION
@@ -22,6 +26,19 @@ listed for B<ssl> with B<priority>. If B<ssl> is NULL, no ciphers are
available, or there are less ciphers than B<priority> available, NULL
is returned.
+SSL_get_shared_ciphers() creates a colon separated and NUL terminated list of
+SSL_CIPHER names that are available in both the client and the server. B<buf> is
+the buffer that should be populated with the list of names and B<size> is the
+size of that buffer. A pointer to B<buf> is returned on success or NULL on
+error. If the supplied buffer is not large enough to contain the complete list
+of names then a truncated list of names will be returned. Note that just because
+a ciphersuite is available (i.e. it is configured in the cipher list) and shared
+by both the client and the server it does not mean that it is enabled (for
+example some ciphers may not be usable by a server if there is not a suitable
+certificate configured). This function will return available shared ciphersuites
+whether or not they are enabled. This is a server side function only and must
+only be called after the completion of the initial handshake.
+
=head1 NOTES
The details of the ciphers obtained by SSL_get_ciphers() can be obtained using
diff --git a/doc/ssl/ssl.pod b/doc/ssl/ssl.pod
index 70cca17..5408d61 100644
--- a/doc/ssl/ssl.pod
+++ b/doc/ssl/ssl.pod
@@ -572,7 +572,7 @@ connection defined in the B<SSL> structure.
=item SSL_SESSION *B<SSL_get_session>(const SSL *ssl);
-=item char *B<SSL_get_shared_ciphers>(const SSL *ssl, char *buf, int len);
+=item char *B<SSL_get_shared_ciphers>(const SSL *ssl, char *buf, int size);
=item int B<SSL_get_shutdown>(const SSL *ssl);
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 3cf96a2..30a9471 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -548,7 +548,7 @@ struct ssl_session_st {
const SSL_CIPHER *cipher;
unsigned long cipher_id; /* when ASN.1 loaded, this needs to be used
* to load the 'cipher' structure */
- STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */
+ STACK_OF(SSL_CIPHER) *ciphers; /* ciphers offered by the client */
CRYPTO_EX_DATA ex_data; /* application specific data */
/*
* These are used to make removal of session-ids more efficient and to
@@ -2149,7 +2149,7 @@ int SSL_get_fd(const SSL *s);
int SSL_get_rfd(const SSL *s);
int SSL_get_wfd(const SSL *s);
const char *SSL_get_cipher_list(const SSL *s, int n);
-char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len);
+char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size);
int SSL_get_read_ahead(const SSL *s);
int SSL_pending(const SSL *s);
# ifndef OPENSSL_NO_SOCK
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 3a6c1b1..3956dce 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1404,28 +1404,37 @@ int SSL_set_cipher_list(SSL *s, const char *str)
}
/* works well for SSLv2, not so good for SSLv3 */
-char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len)
+char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size)
{
char *p;
- STACK_OF(SSL_CIPHER) *sk;
+ STACK_OF(SSL_CIPHER) *clntsk, *srvrsk;
SSL_CIPHER *c;
int i;
- if ((s->session == NULL) || (s->session->ciphers == NULL) || (len < 2))
- return (NULL);
+ if (!s->server
+ || s->session == NULL
+ || s->session->ciphers == NULL
+ || size < 2)
+ return NULL;
p = buf;
- sk = s->session->ciphers;
+ clntsk = s->session->ciphers;
+ srvrsk = SSL_get_ciphers(s);
+ if (clntsk == NULL || srvrsk == NULL)
+ return NULL;
- if (sk_SSL_CIPHER_num(sk) == 0)
+ if (sk_SSL_CIPHER_num(clntsk) == 0 || sk_SSL_CIPHER_num(srvrsk) == 0)
return NULL;
- for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
+ for (i = 0; i < sk_SSL_CIPHER_num(clntsk); i++) {
int n;
- c = sk_SSL_CIPHER_value(sk, i);
+ c = sk_SSL_CIPHER_value(clntsk, i);
+ if (sk_SSL_CIPHER_find(srvrsk, c) < 0)
+ continue;
+
n = strlen(c->name);
- if (n + 1 > len) {
+ if (n + 1 > size) {
if (p != buf)
--p;
*p = '\0';
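Review bot: With the new `continue` on the non-shared case, the loop can now finish without emitting a single name, and the `p[-1] = '\0';` after the loop (context in the next hunk, `@@ -1434,7 +1443,7 @@`) then writes one byte before `buf`; the `sk_SSL_CIPHER_num() == 0` checks above no longer guarantee that at least one name was written. The client list and the server list are presumably not always guaranteed to intersect at the time of the call (the server-side list can be reconfigured after the handshake, and the function is callable whenever `s->server` is set), so the terminating write needs a guard: `if (p == buf) return NULL;` immediately before `p[-1] = '\0';`. Separately, `sk_SSL_CIPHER_find()` sorts the searched stack in place when that stack carries a comparison function; I believe the server cipher list is built with `sk_SSL_CIPHER_new_null()` so this is a pointer-identity search today, but a comment on the `find` line such as `/* both stacks hold pointers into the static cipher table; identity search, no sort */` would record the assumption. The body of SSL_get_shared_ciphers() continues past the end of this hunk.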
@@ -1434,7 +1443,7 @@ char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len)
strcpy(p, c->name);
p += n;
*(p++) = ':';
- len -= n + 1;
+ size -= n + 1;
}
p[-1] = '\0';
return (buf);
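Review bot: `return (buf);` keeps the parenthesised-return style that this same commit drops a few lines earlier in the function (`return (NULL);` became `return NULL;` in the preceding hunk), so the function now mixes both forms; for consistency write `return buf;` here as well. The closing brace of SSL_get_shared_ciphers() lies outside the hunk.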