Commit f306b9e6 authored by Matt Caswell's avatar Matt Caswell
Browse files

Ignore disabled ciphers when deciding if we are using ECC 



use_ecc() was always returning 1 because there are default (TLSv1.3)
ciphersuites that use ECC - even if those ciphersuites are disabled by
other options.

Fixes #7471

Reviewed-by: default avatarKurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/7479)

(cherry picked from commit 589b6227a85ea0133fe91d744b16dd72edee929a)
parent f7258489

ssl/statem/extensions_clnt.c

+8 −5
Original line number Diff line number Diff line
@@ -115,7 +115,7 @@ EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context, 
#ifndef OPENSSL_NO_EC

static int use_ecc(SSL *s)

{

    int i, end;

    int i, end, ret = 0;

    unsigned long alg_k, alg_a;

    STACK_OF(SSL_CIPHER) *cipher_stack = NULL;
@@ -123,7 +123,7 @@ static int use_ecc(SSL *s) 
    if (s->version == SSL3_VERSION)

        return 0;



    cipher_stack = SSL_get_ciphers(s);

    cipher_stack = SSL_get1_supported_ciphers(s);

    end = sk_SSL_CIPHER_num(cipher_stack);

    for (i = 0; i < end; i++) {

        const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
@@ -132,11 +132,14 @@ static int use_ecc(SSL *s) 
        alg_a = c->algorithm_auth;

        if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))

                || (alg_a & SSL_aECDSA)

                || c->min_tls >= TLS1_3_VERSION)

            return 1;

                || c->min_tls >= TLS1_3_VERSION) {

            ret = 1;

            break;

        }

    }



    return 0;

    sk_SSL_CIPHER_free(cipher_stack);

    return ret;

}



EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt,