[openssl] master update

kaduk at mit.edu kaduk at mit.edu
Wed Feb 24 00:40:23 UTC 2021

The branch master has been updated
       via  ce0b307ea01bc5e3e178cd4dba45f9bb9d4ba5df (commit)
      from  6eb7c748d115bd6ba89ceefd642de3deca8773ea (commit)

- Log -----------------------------------------------------------------
commit ce0b307ea01bc5e3e178cd4dba45f9bb9d4ba5df
Author: Benjamin Kaduk <bkaduk at akamai.com>
Date:   Wed May 27 11:17:07 2020 -0700

    Remove disabled TLS 1.3 ciphers from the SSL(_CTX)
    In ssl_create_cipher_list() we make a pass through the ciphers to
    remove those which are disabled in the current libctx.  We are
    careful to not include such disabled TLS 1.3 ciphers in the final
    consolidated cipher list that we produce, but the disabled ciphers
    are still kept in the separate stack of TLS 1.3 ciphers associated
    with the SSL or SSL_CTX in question.  This leads to confusing
    results where a cipher is present in the tls13_cipherlist but absent
    from the actual cipher list in use.  Keep the books in order and
    remove the disabled ciphers from the 1.3 cipherlist at the same time
    we skip adding them to the active cipher list.
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/12037)


Summary of changes:
 ssl/ssl_ciph.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index d517799895..0b6f01ccc1 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1625,8 +1625,11 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
         if ((sslc->algorithm_enc & disabled_enc) != 0
                 || (ssl_cipher_table_mac[sslc->algorithm2
                                          & SSL_HANDSHAKE_MAC_MASK].mask
-                    & ctx->disabled_mac_mask) != 0)
+                    & ctx->disabled_mac_mask) != 0) {
+            sk_SSL_CIPHER_delete(tls13_ciphersuites, i);
+            i--;
+        }
         if (!sk_SSL_CIPHER_push(cipherstack, sslc)) {

More information about the openssl-commits mailing list