Commit 60d685d1 authored by Benjamin Kaduk's avatar Benjamin Kaduk Committed by Richard Levitte
Browse files

Let ssl_get_cipher_by_char yield not-valid ciphers 



Now that we have made SCSVs into more of a first-class object, provide
a way for the bytes-to-SSL_CIPHER conversion to actually return them.
Add a flag 'all' to ssl_get_cipher_by_char to indicate that we want
all the known ciphers, not just the ones valid for encryption.  This will,
in practice, let the caller retrieve the SCSVs.

Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2279)
parent 650c6e41

ssl/ssl_ciph.c

+3 −2
Original line number Diff line number Diff line
@@ -1915,11 +1915,12 @@ int ssl_cipher_get_cert_index(const SSL_CIPHER *c) 
    return -1;

}



const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl, const unsigned char *ptr)

const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl, const unsigned char *ptr,

                                         int all)

{

    const SSL_CIPHER *c = ssl->method->get_cipher_by_char(ptr);



    if (c == NULL || c->valid == 0)

    if (c == NULL || (!all && c->valid == 0))

        return NULL;

    return c;

}

ssl/ssl_locl.h

+2 −1
Original line number Diff line number Diff line
@@ -2001,7 +2001,8 @@ __owur int ssl_cipher_get_overhead(const SSL_CIPHER *c, size_t *mac_overhead, 
                                   size_t *ext_overhead);

__owur int ssl_cipher_get_cert_index(const SSL_CIPHER *c);

__owur const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl,

                                                const unsigned char *ptr);

                                                const unsigned char *ptr,

                                                int all);

__owur int ssl_cert_set0_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain);

__owur int ssl_cert_set1_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain);

__owur int ssl_cert_add0_chain_cert(SSL *s, SSL_CTX *ctx, X509 *x);

ssl/statem/statem_clnt.c

+2 −2
Original line number Diff line number Diff line
@@ -1294,7 +1294,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) 
                     && master_key_length > 0) {

                s->session->master_key_length = master_key_length;

                s->session->cipher = pref_cipher ?

                    pref_cipher : ssl_get_cipher_by_char(s, cipherchars);

                    pref_cipher : ssl_get_cipher_by_char(s, cipherchars, 0);

            } else {

                SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, ERR_R_INTERNAL_ERROR);

                al = SSL_AD_INTERNAL_ERROR;
@@ -1353,7 +1353,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) 
        goto f_err;

    }



    c = ssl_get_cipher_by_char(s, cipherchars);

    c = ssl_get_cipher_by_char(s, cipherchars, 0);

    if (c == NULL) {

        /* unknown cipher */

        al = SSL_AD_ILLEGAL_PARAMETER;

ssl/statem/statem_srvr.c

+1 −1
Original line number Diff line number Diff line
@@ -3633,7 +3633,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, 
        }



        /* For SSLv2-compat, ignore leading 0-byte. */

        c = ssl_get_cipher_by_char(s, sslv2format ? &cipher[1] : cipher);

        c = ssl_get_cipher_by_char(s, sslv2format ? &cipher[1] : cipher, 0);

        if (c != NULL) {

            if (!sk_SSL_CIPHER_push(sk, c)) {

                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);