[openssl-commits] [openssl] OpenSSL_1_1_1-stable update
Matt Caswell
matt at openssl.org
Thu Nov 8 11:39:52 UTC 2018
The branch OpenSSL_1_1_1-stable has been updated
via efd67e01a5471f9b0745018d7707b69876b070f6 (commit)
via f306b9e62a375add764c7d9de6e311aaa0229865 (commit)
from f7258489d88432dfc431772314ebac1c2997fdf8 (commit)
- Log -----------------------------------------------------------------
commit efd67e01a5471f9b0745018d7707b69876b070f6
Author: Matt Caswell <matt at openssl.org>
Date: Fri Oct 26 15:29:15 2018 +0100
Give a better error if an attempt is made to set a zero length groups list
Previously we indicated this as a malloc failure which isn't very
helpful.
Reviewed-by: Kurt Roeckx <kurt at roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/7479)
(cherry picked from commit 680bd131b69d57e891888ab70d300176a5a16617)
commit f306b9e62a375add764c7d9de6e311aaa0229865
Author: Matt Caswell <matt at openssl.org>
Date: Wed Oct 24 10:11:00 2018 +0100
Ignore disabled ciphers when deciding if we are using ECC
use_ecc() was always returning 1 because there are default (TLSv1.3)
ciphersuites that use ECC - even if those ciphersuites are disabled by
other options.
Fixes #7471
Reviewed-by: Kurt Roeckx <kurt at roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/7479)
(cherry picked from commit 589b6227a85ea0133fe91d744b16dd72edee929a)
-----------------------------------------------------------------------
Summary of changes:
doc/man3/SSL_CTX_set1_curves.pod | 3 +++
ssl/statem/extensions_clnt.c | 13 ++++++++-----
ssl/t1_lib.c | 4 ++++
3 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/doc/man3/SSL_CTX_set1_curves.pod b/doc/man3/SSL_CTX_set1_curves.pod
index a250f20..2757ccb 100644
--- a/doc/man3/SSL_CTX_set1_curves.pod
+++ b/doc/man3/SSL_CTX_set1_curves.pod
@@ -32,6 +32,9 @@ SSL_set1_curves_list, SSL_get1_curves, SSL_get_shared_curve
=head1 DESCRIPTION
+For all of the functions below that set the supported groups there must be at
+least one group in the list.
+
SSL_CTX_set1_groups() sets the supported groups for B<ctx> to B<glistlen>
groups in the array B<glist>. The array consist of all NIDs of groups in
preference order. For a TLS client the groups are used directly in the
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 4b5e6fe..ab4dbf6 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -115,7 +115,7 @@ EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context,
#ifndef OPENSSL_NO_EC
static int use_ecc(SSL *s)
{
- int i, end;
+ int i, end, ret = 0;
unsigned long alg_k, alg_a;
STACK_OF(SSL_CIPHER) *cipher_stack = NULL;
@@ -123,7 +123,7 @@ static int use_ecc(SSL *s)
if (s->version == SSL3_VERSION)
return 0;
- cipher_stack = SSL_get_ciphers(s);
+ cipher_stack = SSL_get1_supported_ciphers(s);
end = sk_SSL_CIPHER_num(cipher_stack);
for (i = 0; i < end; i++) {
const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
@@ -132,11 +132,14 @@ static int use_ecc(SSL *s)
alg_a = c->algorithm_auth;
if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
|| (alg_a & SSL_aECDSA)
- || c->min_tls >= TLS1_3_VERSION)
- return 1;
+ || c->min_tls >= TLS1_3_VERSION) {
+ ret = 1;
+ break;
+ }
}
- return 0;
+ sk_SSL_CIPHER_free(cipher_stack);
+ return ret;
}
EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt,
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 1564979..b8b9fbd 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -343,6 +343,10 @@ int tls1_set_groups(uint16_t **pext, size_t *pextlen,
*/
unsigned long dup_list = 0;
+ if (ngroups == 0) {
+ SSLerr(SSL_F_TLS1_SET_GROUPS, SSL_R_BAD_LENGTH);
+ return 0;
+ }
if ((glist = OPENSSL_malloc(ngroups * sizeof(*glist))) == NULL) {
SSLerr(SSL_F_TLS1_SET_GROUPS, ERR_R_MALLOC_FAILURE);
return 0;
More information about the openssl-commits
mailing list