[openssl] master update

tmraz at fedoraproject.org
Thu Jan 7 16:40:09 UTC 2021


The branch master has been updated
       via  3d0b6494d5a973d516e0944bc02b22385fca318a (commit)
       via  981b4b95721907384f4add9de72bf90e0ba39288 (commit)
       via  1c47539a2331ff0b58a4e8663bcc6db0dc2c6449 (commit)
       via  c1e8a0c66e32b4144fdeb49bd5ff7acb76df72b9 (commit)
      from  a86add03abf7ebdf63d79971b9feb396931b8697 (commit)


- Log -----------------------------------------------------------------
commit 3d0b6494d5a973d516e0944bc02b22385fca318a
Author: Otto Hollmann <otto at hollmann.cz>
Date:   Tue Oct 20 12:47:55 2020 +0200

    Remove extra space.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/12100)

commit 981b4b95721907384f4add9de72bf90e0ba39288
Author: Otto Hollmann <otto at hollmann.cz>
Date:   Mon Oct 19 16:25:26 2020 +0200

    Fixed error and return code.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/12100)

commit 1c47539a2331ff0b58a4e8663bcc6db0dc2c6449
Author: Otto Hollmann <otto at hollmann.cz>
Date:   Mon Oct 19 10:05:57 2020 +0200

    Add a CHANGES entry for ignoring unknown ciphers in set_ciphersuites.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/12100)

commit c1e8a0c66e32b4144fdeb49bd5ff7acb76df72b9
Author: Otto Hollmann <otto at hollmann.cz>
Date:   Tue Jun 9 15:50:12 2020 +0200

    Fix set_ciphersuites to ignore unknown ciphers.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/12100)

-----------------------------------------------------------------------

Summary of changes:
 CHANGES.md                           |  5 +++++
 doc/man3/SSL_CTX_set_cipher_list.pod | 10 +++++-----
 ssl/ssl_ciph.c                       | 18 +++++++++---------
 3 files changed, 19 insertions(+), 14 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index a296406137..94bf750ffc 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -23,6 +23,11 @@ OpenSSL 3.0
 
 ### Changes between 1.1.1 and 3.0 [xx XXX xxxx]
 
+ * Changed behavior of SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites()
+   to ignore unknown ciphers.
+
+   *Otto Hollmann*
+
  * The -cipher-commands and -digest-commands options of the command line
    utility list has been deprecated.
    Instead use the -cipher-algorithms and -digest-algorithms options.
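Review bot: the new CHANGES entry (`+ * Changed behavior of SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites()` / `+   to ignore unknown ciphers.`) only states that unknown names are skipped; it should also say that the call still fails when none of the listed ciphersuites is recognised, because that is the one failure callers must now check for. The documentation change in this same commit already spells that out ("Failure is only flagged if no ciphers could be collected at all"), so a matching sentence here keeps the two in sync and makes the behaviour change (a typo no longer fails the whole call) visible to people reading only the release notes.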
diff --git a/doc/man3/SSL_CTX_set_cipher_list.pod b/doc/man3/SSL_CTX_set_cipher_list.pod
index 2fdebdf51d..c2786295b7 100644
--- a/doc/man3/SSL_CTX_set_cipher_list.pod
+++ b/doc/man3/SSL_CTX_set_cipher_list.pod
@@ -65,11 +65,11 @@ cipher string for TLSv1.3 ciphersuites.
 
 =head1 NOTES
 
-The control string B<str> for SSL_CTX_set_cipher_list() and
-SSL_set_cipher_list() should be universally usable and not depend
-on details of the library configuration (ciphers compiled in). Thus no
-syntax checking takes place. Items that are not recognized, because the
-corresponding ciphers are not compiled in or because they are mistyped,
+The control string B<str> for SSL_CTX_set_cipher_list(), SSL_set_cipher_list(),
+SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites() should be universally
+usable and not depend on details of the library configuration (ciphers compiled
+in). Thus no syntax checking takes place. Items that are not recognized, because
+the corresponding ciphers are not compiled in or because they are mistyped,
 are simply ignored. Failure is only flagged if no ciphers could be collected
 at all.
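Review bot: the reworded NOTES paragraph now covers SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites(), but it gives callers no hint of how to notice that a mistyped TLSv1.3 suite was silently dropped. Since the return value is 1 whenever at least one item was recognised, a configuration with one typo now quietly ends up with fewer ciphersuites than intended; a sentence recommending that callers verify the resulting list (for example via SSL_get_ciphers(3)) after setting it would make that failure mode visible to readers of this page rather than only to those who diff the negotiated suites later.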
 
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 64ecc543ba..6c77cd3d40 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1288,19 +1288,17 @@ static int ciphersuite_cb(const char *elem, int len, void *arg)
     /* Arbitrary sized temp buffer for the cipher name. Should be big enough */
     char name[80];
 
-    if (len > (int)(sizeof(name) - 1)) {
-        ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHER_MATCH);
-        return 0;
-    }
+    if (len > (int)(sizeof(name) - 1))
+        /* Anyway return 1 so we can parse rest of the list */
+        return 1;
 
     memcpy(name, elem, len);
     name[len] = '\0';
 
     cipher = ssl3_get_cipher_by_std_name(name);
-    if (cipher == NULL) {
-        ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHER_MATCH);
-        return 0;
-    }
+    if (cipher == NULL)
+        /* Ciphersuite not found but return 1 to parse rest of the list */
+        return 1;
 
     if (!sk_SSL_CIPHER_push(ciphersuites, cipher)) {
         ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
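Review bot: both early returns in ciphersuite_cb() now drop an item without any diagnostic, so the over-long-name case (`if (len > (int)(sizeof(name) - 1))`) is handled exactly like an unknown name, which is consistent with the documented intent. Two readability points: the comments (`/* Anyway return 1 so we can parse rest of the list */`, `/* Ciphersuite not found but return 1 to parse rest of the list */`) now sit as bare statements under brace-less `if`s, which reads as if the comment were the conditional body; moving each comment above its `if`, or keeping the braces, makes the skip-and-continue intent unmistakable. It is also worth one line noting that SSL_R_NO_CIPHER_MATCH is raised by the caller once the whole list has been parsed, so a reader of this function alone does not conclude the error was simply removed.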
@@ -1319,7 +1317,9 @@ static __owur int set_ciphersuites(STACK_OF(SSL_CIPHER) **currciphers, const cha
 
     /* Parse the list. We explicitly allow an empty list */
     if (*str != '\0'
-            && !CONF_parse_list(str, ':', 1, ciphersuite_cb, newciphers)) {
+            && (CONF_parse_list(str, ':', 1, ciphersuite_cb, newciphers) <= 0
+                || sk_SSL_CIPHER_num(newciphers) == 0)) {
+        ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHER_MATCH);
         sk_SSL_CIPHER_free(newciphers);
         return 0;
     }
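Review bot: SSL_R_NO_CIPHER_MATCH is now raised for two different conditions in the combined check: `CONF_parse_list(...) <= 0`, which after the callback change only happens on a parsing or allocation failure (the callback itself returns 0 only when `sk_SSL_CIPHER_push` fails, and that path already raises ERR_R_INTERNAL_ERROR), and `sk_SSL_CIPHER_num(newciphers) == 0`, the genuine no-match case. Raising the no-match reason only in the second branch, and letting the first keep whatever reason the lower layer queued, would keep the error queue accurate for callers that inspect it. The `*str != '\0'` guard also means an empty string still succeeds with an empty list while a non-empty string of only unrecognised names now fails; that distinction deserves a mention in the `/* Parse the list. We explicitly allow an empty list */` comment above, since it is the behavioural edge of this change.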

