From 60d685d196e8d594d754751e4852f01d80d8c0cc Mon Sep 17 00:00:00 2001
From: Benjamin Kaduk
Date: Mon, 6 Feb 2017 11:30:16 -0600
Subject: [PATCH] Let ssl_get_cipher_by_char yield not-valid ciphers

Now that we have made SCSVs into more of a first-class object, provide a way for the bytes-to-SSL_CIPHER conversion to actually return them. Add a flag 'all' to ssl_get_cipher_by_char to indicate that we want all the known ciphers, not just the ones valid for encryption. This will, in practice, let the caller retrieve the SCSVs.

Reviewed-by: Matt Caswell
Reviewed-by: Richard Levitte
(Merged from https://github.com/openssl/openssl/pull/2279)
---
 ssl/ssl_ciph.c | 5 +++--
 ssl/ssl_locl.h | 3 ++-
 ssl/statem/statem_clnt.c | 4 ++--
 ssl/statem/statem_srvr.c | 2 +-
 4 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 2d2395c5c1..e64e3da32e 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1915,11 +1915,12 @@ int ssl_cipher_get_cert_index(const SSL_CIPHER *c)
     return -1;
 }
 
-const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl, const unsigned char *ptr)
+const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl, const unsigned char *ptr,
+                                         int all)
 {
     const SSL_CIPHER *c = ssl->method->get_cipher_by_char(ptr);
 
-    if (c == NULL || c->valid == 0)
+    if (c == NULL || (!all && c->valid == 0))
         return NULL;
     return c;
 }
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index fa0d2a2549..ff1f598fb4 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
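Review bot: The new `all` parameter of ssl_get_cipher_by_char has no comment stating what a non-zero value changes; the only description of the contract is in the commit message. Because a non-zero `all` lets an entry with `c->valid == 0` (an SCSV, per the commit message) come back, any caller that passes it must check `valid` before treating the result as a negotiable cipher, and a header comment above the definition should say so, e.g. `/* Look up the cipher with wire id |ptr|. If |all| is 0 only ciphers usable for negotiation (c->valid != 0) are returned; otherwise pseudo-ciphers such as SCSVs may be returned and must not be negotiated. */`. The prototype hunk in ssl/ssl_locl.h has the same gap and would carry the same note. The function is fully contained in this hunk.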
@@ -2001,7 +2001,8 @@ __owur int ssl_cipher_get_overhead(const SSL_CIPHER *c, size_t *mac_overhead,
                                     size_t *ext_overhead);
 __owur int ssl_cipher_get_cert_index(const SSL_CIPHER *c);
 __owur const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl,
-                                                const unsigned char *ptr);
+                                                const unsigned char *ptr,
+                                                int all);
 __owur int ssl_cert_set0_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain);
 __owur int ssl_cert_set1_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain);
 __owur int ssl_cert_add0_chain_cert(SSL *s, SSL_CTX *ctx, X509 *x);
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 614da1b6a7..bc35a3ea25 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1294,7 +1294,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
             && master_key_length > 0) {
             s->session->master_key_length = master_key_length;
             s->session->cipher = pref_cipher ?
-                pref_cipher : ssl_get_cipher_by_char(s, cipherchars);
+                pref_cipher : ssl_get_cipher_by_char(s, cipherchars, 0);
         } else {
             SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
             al = SSL_AD_INTERNAL_ERROR;
@@ -1353,7 +1353,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
         goto f_err;
     }
 
-    c = ssl_get_cipher_by_char(s, cipherchars);
+    c = ssl_get_cipher_by_char(s, cipherchars, 0);
     if (c == NULL) {
         /* unknown cipher */
         al = SSL_AD_ILLEGAL_PARAMETER;
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index ca020c5511..2cbc219a3a 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -3633,7 +3633,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,
         }
 
         /* For SSLv2-compat, ignore leading 0-byte. */
-        c = ssl_get_cipher_by_char(s, sslv2format ? &cipher[1] : cipher);
+        c = ssl_get_cipher_by_char(s, sslv2format ? &cipher[1] : cipher, 0);
         if (c != NULL) {
             if (!sk_SSL_CIPHER_push(sk, c)) {
                 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
-- 
2.25.1
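Review bot: The bare literal `0` added at both ssl_get_cipher_by_char call sites in tls_process_server_hello (and at the one in ssl_bytes_to_cipher_list in ssl/statem/statem_srvr.c) does not tell a reader what is being excluded. A call-site comment such as `ssl_get_cipher_by_char(s, cipherchars, 0 /* valid ciphers only, no SCSVs */)`, or a named constant for the flag, would make the intent visible where the flag is chosen. In the first hunk the lookup result goes straight into `s->session->cipher` with no NULL check; this appears to be covered by the `c == NULL` check in the second hunk later in the same function, but that dependency on statement order is worth a one-line comment. tls_process_server_hello starts and ends outside both hunks.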
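Review bot: Passing `0` here means an SCSV in the ClientHello cipher list comes back as NULL and is skipped by the `c != NULL` branch exactly like an unknown suite, so any SCSV recognition must happen before this call. That is unchanged behaviour, but now that the lookup can return SCSVs when the flag is non-zero, a comment on the call, `/* all == 0: SCSVs are not negotiable ciphers and must not enter the list */`, would record why this caller keeps filtering them. ssl_bytes_to_cipher_list starts and ends outside the hunk.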