[openssl] openssl-3.0 update
Dr. Paul Dale
pauli at openssl.org
Mon Nov 29 02:18:12 UTC 2021
The branch openssl-3.0 has been updated
via 94b45c31533421d33d4180b65ebeabfec50a1485 (commit)
from 4c71c52a6e26f5f1372191f12e418ba8a4a759c9 (commit)
- Log -----------------------------------------------------------------
commit 94b45c31533421d33d4180b65ebeabfec50a1485
Author: olszomal <Malgorzata.Olszowka at stunnel.org>
Date: Wed Oct 27 12:36:08 2021 +0200
Don't include any TLSv1.3 ciphersuites that are disabled
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Ben Kaduk <kaduk at mit.edu>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16925)
(cherry picked from commit 6cb814de6f276106eea39dbb813b9134b1b72041)
-----------------------------------------------------------------------
Summary of changes:
ssl/ssl_ciph.c | 21 +++++++++++++++------
1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index be7a969071..54431b79c6 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1365,7 +1365,8 @@ static int update_cipher_list_by_id(STACK_OF(SSL_CIPHER) **cipher_list_by_id,
return 1;
}
-static int update_cipher_list(STACK_OF(SSL_CIPHER) **cipher_list,
+static int update_cipher_list(SSL_CTX *ctx,
+ STACK_OF(SSL_CIPHER) **cipher_list,
STACK_OF(SSL_CIPHER) **cipher_list_by_id,
STACK_OF(SSL_CIPHER) *tls13_ciphersuites)
{
@@ -1385,9 +1386,17 @@ static int update_cipher_list(STACK_OF(SSL_CIPHER) **cipher_list,
(void)sk_SSL_CIPHER_delete(tmp_cipher_list, 0);
/* Insert the new TLSv1.3 ciphersuites */
- for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++)
- sk_SSL_CIPHER_insert(tmp_cipher_list,
- sk_SSL_CIPHER_value(tls13_ciphersuites, i), i);
+ for (i = sk_SSL_CIPHER_num(tls13_ciphersuites) - 1; i >= 0; i--) {
+ const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
+
+ /* Don't include any TLSv1.3 ciphersuites that are disabled */
+ if ((sslc->algorithm_enc & ctx->disabled_enc_mask) == 0
+ && (ssl_cipher_table_mac[sslc->algorithm2
+ & SSL_HANDSHAKE_MAC_MASK].mask
+ & ctx->disabled_mac_mask) == 0) {
+ sk_SSL_CIPHER_unshift(tmp_cipher_list, sslc);
+ }
+ }
if (!update_cipher_list_by_id(cipher_list_by_id, tmp_cipher_list)) {
sk_SSL_CIPHER_free(tmp_cipher_list);
@@ -1405,7 +1414,7 @@ int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str)
int ret = set_ciphersuites(&(ctx->tls13_ciphersuites), str);
if (ret && ctx->cipher_list != NULL)
- return update_cipher_list(&ctx->cipher_list, &ctx->cipher_list_by_id,
+ return update_cipher_list(ctx, &ctx->cipher_list, &ctx->cipher_list_by_id,
ctx->tls13_ciphersuites);
return ret;
@@ -1421,7 +1430,7 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
s->cipher_list = sk_SSL_CIPHER_dup(cipher_list);
}
if (ret && s->cipher_list != NULL)
- return update_cipher_list(&s->cipher_list, &s->cipher_list_by_id,
+ return update_cipher_list(s->ctx, &s->cipher_list, &s->cipher_list_by_id,
s->tls13_ciphersuites);
return ret;
More information about the openssl-commits
mailing list