[openssl] master update
Dr. Paul Dale
pauli at openssl.org
Mon Nov 29 02:17:44 UTC 2021
The branch master has been updated
via 6cb814de6f276106eea39dbb813b9134b1b72041 (commit)
from 6d770c5ba36d43f495b232392cfaa8fa460f17af (commit)
- Log -----------------------------------------------------------------
commit 6cb814de6f276106eea39dbb813b9134b1b72041
Author: olszomal <Malgorzata.Olszowka at stunnel.org>
Date: Wed Oct 27 12:36:08 2021 +0200
Don't include any TLSv1.3 ciphersuites that are disabled
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Ben Kaduk <kaduk at mit.edu>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16925)
-----------------------------------------------------------------------
Summary of changes:
ssl/ssl_ciph.c | 21 +++++++++++++++------
1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index e38e1c27e6..046e4aac06 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1370,7 +1370,8 @@ static int update_cipher_list_by_id(STACK_OF(SSL_CIPHER) **cipher_list_by_id,
return 1;
}
-static int update_cipher_list(STACK_OF(SSL_CIPHER) **cipher_list,
+static int update_cipher_list(SSL_CTX *ctx,
+ STACK_OF(SSL_CIPHER) **cipher_list,
STACK_OF(SSL_CIPHER) **cipher_list_by_id,
STACK_OF(SSL_CIPHER) *tls13_ciphersuites)
{
@@ -1390,9 +1391,17 @@ static int update_cipher_list(STACK_OF(SSL_CIPHER) **cipher_list,
(void)sk_SSL_CIPHER_delete(tmp_cipher_list, 0);
/* Insert the new TLSv1.3 ciphersuites */
- for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++)
- sk_SSL_CIPHER_insert(tmp_cipher_list,
- sk_SSL_CIPHER_value(tls13_ciphersuites, i), i);
+ for (i = sk_SSL_CIPHER_num(tls13_ciphersuites) - 1; i >= 0; i--) {
+ const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
+
+ /* Don't include any TLSv1.3 ciphersuites that are disabled */
+ if ((sslc->algorithm_enc & ctx->disabled_enc_mask) == 0
+ && (ssl_cipher_table_mac[sslc->algorithm2
+ & SSL_HANDSHAKE_MAC_MASK].mask
+ & ctx->disabled_mac_mask) == 0) {
+ sk_SSL_CIPHER_unshift(tmp_cipher_list, sslc);
+ }
+ }
if (!update_cipher_list_by_id(cipher_list_by_id, tmp_cipher_list)) {
sk_SSL_CIPHER_free(tmp_cipher_list);
@@ -1410,7 +1419,7 @@ int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str)
int ret = set_ciphersuites(&(ctx->tls13_ciphersuites), str);
if (ret && ctx->cipher_list != NULL)
- return update_cipher_list(&ctx->cipher_list, &ctx->cipher_list_by_id,
+ return update_cipher_list(ctx, &ctx->cipher_list, &ctx->cipher_list_by_id,
ctx->tls13_ciphersuites);
return ret;
@@ -1426,7 +1435,7 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
s->cipher_list = sk_SSL_CIPHER_dup(cipher_list);
}
if (ret && s->cipher_list != NULL)
- return update_cipher_list(&s->cipher_list, &s->cipher_list_by_id,
+ return update_cipher_list(s->ctx, &s->cipher_list, &s->cipher_list_by_id,
s->tls13_ciphersuites);
return ret;
More information about the openssl-commits
mailing list