diff options
| author | jsing <> | 2020-04-17 17:26:00 +0000 |
|---|---|---|
| committer | jsing <> | 2020-04-17 17:26:00 +0000 |
| commit | a9bc7234aaecd31be6481a2563a57757f5099da6 (patch) | |
| tree | 0ef4b41b3b6be88b54b24ea04d0e051f1d5a126e /src/lib | |
| parent | 7a3cfa245326507331603cc00b8ea8a30966684d (diff) | |
| download | openbsd-a9bc7234aaecd31be6481a2563a57757f5099da6.tar.gz openbsd-a9bc7234aaecd31be6481a2563a57757f5099da6.tar.bz2 openbsd-a9bc7234aaecd31be6481a2563a57757f5099da6.zip | |
Only include TLSv1.3 cipher suites if there are active cipher suites.
Revise the previous so that we only include TLSv1.3 cipher suites if the
cipher rule string resulted in at least one active cipher suite. This more
closely matches OpenSSL behaviour.
Noted and fix tested by schwarze@
ok beck@ tb@
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/libssl/ssl_ciph.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c index 664ff5456b..08ddc86c3c 100644 --- a/src/lib/libssl/ssl_ciph.c +++ b/src/lib/libssl/ssl_ciph.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_ciph.c,v 1.113 2020/04/09 17:54:38 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_ciph.c,v 1.114 2020/04/17 17:26:00 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1171,6 +1171,7 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, | |||
| 1171 | CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; | 1171 | CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; |
| 1172 | const SSL_CIPHER **ca_list = NULL; | 1172 | const SSL_CIPHER **ca_list = NULL; |
| 1173 | int tls13_seen = 0; | 1173 | int tls13_seen = 0; |
| 1174 | int active; | ||
| 1174 | 1175 | ||
| 1175 | /* | 1176 | /* |
| 1176 | * Return with error if nothing to do. | 1177 | * Return with error if nothing to do. |
| @@ -1320,13 +1321,20 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, | |||
| 1320 | * If the rule string did not contain any references to TLSv1.3, | 1321 | * If the rule string did not contain any references to TLSv1.3, |
| 1321 | * include inactive TLSv1.3 cipher suites. This avoids attempts to | 1322 | * include inactive TLSv1.3 cipher suites. This avoids attempts to |
| 1322 | * use TLSv1.3 with an older rule string that does not include | 1323 | * use TLSv1.3 with an older rule string that does not include |
| 1323 | * TLSv1.3 cipher suites. | 1324 | * TLSv1.3 cipher suites. If the rule string resulted in no active |
| 1325 | * cipher suites then we return an empty stack. | ||
| 1324 | */ | 1326 | */ |
| 1327 | active = 0; | ||
| 1325 | for (curr = head; curr != NULL; curr = curr->next) { | 1328 | for (curr = head; curr != NULL; curr = curr->next) { |
| 1326 | if (curr->active || | 1329 | if (curr->active || |
| 1327 | (!tls13_seen && curr->cipher->algorithm_ssl == SSL_TLSV1_3)) | 1330 | (!tls13_seen && curr->cipher->algorithm_ssl == SSL_TLSV1_3)) |
| 1328 | sk_SSL_CIPHER_push(cipherstack, curr->cipher); | 1331 | sk_SSL_CIPHER_push(cipherstack, curr->cipher); |
| 1332 | if (curr->active) | ||
| 1333 | active++; | ||
| 1329 | } | 1334 | } |
| 1335 | if (active == 0) | ||
| 1336 | sk_SSL_CIPHER_zero(cipherstack); | ||
| 1337 | |||
| 1330 | free(co_list); /* Not needed any longer */ | 1338 | free(co_list); /* Not needed any longer */ |
| 1331 | 1339 | ||
| 1332 | tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack); | 1340 | tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack); |