diff options
| author | olszomal <Malgorzata.Olszowka@stunnel.org> | 2021-10-27 12:36:08 +0200 |
|---|---|---|
| committer | Pauli <ppzgs1@gmail.com> | 2021-11-29 03:17:30 +0100 |
| commit | 6cb814de6f276106eea39dbb813b9134b1b72041 (patch) | |
| tree | f3e21020ee622f9ef391d0001a105bf7c9860385 /ssl/ssl_ciph.c | |
| parent | doc: remove non-existent callbacks (diff) | |
| download | openssl-6cb814de6f276106eea39dbb813b9134b1b72041.tar.xz openssl-6cb814de6f276106eea39dbb813b9134b1b72041.zip | |
Don't include any TLSv1.3 ciphersuites that are disabled
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16925)
Diffstat (limited to 'ssl/ssl_ciph.c')
| -rw-r--r-- | ssl/ssl_ciph.c | 21 |
1 files changed, 15 insertions, 6 deletions
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index e38e1c27e6..046e4aac06 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -1370,7 +1370,8 @@ static int update_cipher_list_by_id(STACK_OF(SSL_CIPHER) **cipher_list_by_id, return 1; } -static int update_cipher_list(STACK_OF(SSL_CIPHER) **cipher_list, +static int update_cipher_list(SSL_CTX *ctx, + STACK_OF(SSL_CIPHER) **cipher_list, STACK_OF(SSL_CIPHER) **cipher_list_by_id, STACK_OF(SSL_CIPHER) *tls13_ciphersuites) { @@ -1390,9 +1391,17 @@ static int update_cipher_list(STACK_OF(SSL_CIPHER) **cipher_list, (void)sk_SSL_CIPHER_delete(tmp_cipher_list, 0); /* Insert the new TLSv1.3 ciphersuites */ - for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) - sk_SSL_CIPHER_insert(tmp_cipher_list, - sk_SSL_CIPHER_value(tls13_ciphersuites, i), i); + for (i = sk_SSL_CIPHER_num(tls13_ciphersuites) - 1; i >= 0; i--) { + const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i); + + /* Don't include any TLSv1.3 ciphersuites that are disabled */ + if ((sslc->algorithm_enc & ctx->disabled_enc_mask) == 0 + && (ssl_cipher_table_mac[sslc->algorithm2 + & SSL_HANDSHAKE_MAC_MASK].mask + & ctx->disabled_mac_mask) == 0) { + sk_SSL_CIPHER_unshift(tmp_cipher_list, sslc); + } + } if (!update_cipher_list_by_id(cipher_list_by_id, tmp_cipher_list)) { sk_SSL_CIPHER_free(tmp_cipher_list); @@ -1410,7 +1419,7 @@ int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str) int ret = set_ciphersuites(&(ctx->tls13_ciphersuites), str); if (ret && ctx->cipher_list != NULL) - return update_cipher_list(&ctx->cipher_list, &ctx->cipher_list_by_id, + return update_cipher_list(ctx, &ctx->cipher_list, &ctx->cipher_list_by_id, ctx->tls13_ciphersuites); return ret; @@ -1426,7 +1435,7 @@ int SSL_set_ciphersuites(SSL *s, const char *str) s->cipher_list = sk_SSL_CIPHER_dup(cipher_list); } if (ret && s->cipher_list != NULL) - return update_cipher_list(&s->cipher_list, &s->cipher_list_by_id, + return update_cipher_list(s->ctx, &s->cipher_list, &s->cipher_list_by_id, s->tls13_ciphersuites); return ret; |