Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS). What's maybe even worse than those bugs is that it only ever returned the string representing the client's ciphers which happen to fit into buf. That's kind of odd, given its name. This commit brings it in line with OpenSSL's version which changed behavior almost three years ago. reviewed and stupid bug caught by schwarze ok beck inoguchi jsing commit a216df599a6076147c27acea6c976fb11f505b1a Author: Matt Caswell <matt@openssl.org> Date: Fri Apr 27 11:20:52 2018 +0100 Fix SSL_get_shared_ciphers() The function SSL_get_shared_ciphers() is supposed to return ciphers shared by the client and the server. However it only ever returned the client ciphers. Fixes #5317 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6113)
author: tb <> 2021-01-09 10:34:29 +0000
committer: tb <> 2021-01-09 10:34:29 +0000
commit: da5ab60e604de7c7f22df99fa6f45c0328d48ab6 (patch)
tree: dcd75b439ed8bb23d57579666ed25e4eb54c30c8 /src/lib
parent: 6024e76ee2a1f06ab19a72b9a40a78aa7265d0a5 (diff)
download: openbsd-da5ab60e604de7c7f22df99fa6f45c0328d48ab6.tar.gz
openbsd-da5ab60e604de7c7f22df99fa6f45c0328d48ab6.tar.bz2
openbsd-da5ab60e604de7c7f22df99fa6f45c0328d48ab6.zip
1 files changed, 18 insertions, 10 deletions
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 69628b48df..0537cf0e46 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.239 2020/12/01 07:46:01 tb Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.240 2021/01/09 10:34:29 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1484,22 +1484,30 @@ SSL_set_ciphersuites(SSL *s, const char *str)
 char *
 SSL_get_shared_ciphers(const SSL *s, char *buf, int len)
 {
-        STACK_OF(SSL_CIPHER) *ciphers;
+        STACK_OF(SSL_CIPHER) *client_ciphers, *server_ciphers;
        const SSL_CIPHER *cipher;
        size_t curlen = 0;
        char *end;
        int i;
-        if (s->session == NULL || s->session->ciphers == NULL || len < 2)
+        if (!s->server || s->session == NULL || len < 2)
-                return (NULL);
+                return NULL;
-        ciphers = s->session->ciphers;
+        if ((client_ciphers = s->session->ciphers) == NULL)
-        if (sk_SSL_CIPHER_num(ciphers) == 0)
+                return NULL;
-                return (NULL);
+        if ((server_ciphers = SSL_get_ciphers(s)) == NULL)
+                return NULL;
+        if (sk_SSL_CIPHER_num(client_ciphers) == 0 ||
+            sk_SSL_CIPHER_num(server_ciphers) == 0)
+                return NULL;
        buf[0] = '\0';
-        for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
+        for (i = 0; i < sk_SSL_CIPHER_num(client_ciphers); i++) {
-                cipher = sk_SSL_CIPHER_value(ciphers, i);
+                cipher = sk_SSL_CIPHER_value(client_ciphers, i);
+                if (sk_SSL_CIPHER_find(server_ciphers, cipher) < 0)
+                        continue;
                end = buf + curlen;
                if (strlcat(buf, cipher->name, len) >= len ||
                    (curlen = strlcat(buf, ":", len)) >= len) {
@@ -1511,7 +1519,7 @@ SSL_get_shared_ciphers(const SSL *s, char *buf, int len)
        /* remove trailing colon */
        if ((end = strrchr(buf, ':')) != NULL)
                *end = '\0';
-        return (buf);
+        return buf;
 }
 /*
author	tb <>	2021-01-09 10:34:29 +0000
committer	tb <>	2021-01-09 10:34:29 +0000
commit	da5ab60e604de7c7f22df99fa6f45c0328d48ab6 (patch)
tree	dcd75b439ed8bb23d57579666ed25e4eb54c30c8 /src/lib
parent	6024e76ee2a1f06ab19a72b9a40a78aa7265d0a5 (diff)
download	openbsd-da5ab60e604de7c7f22df99fa6f45c0328d48ab6.tar.gz openbsd-da5ab60e604de7c7f22df99fa6f45c0328d48ab6.tar.bz2 openbsd-da5ab60e604de7c7f22df99fa6f45c0328d48ab6.zip