diff options
author | Matt Caswell <matt@openssl.org> | 2018-10-24 10:11:00 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2018-11-08 11:31:22 +0000 |
commit | f306b9e62a375add764c7d9de6e311aaa0229865 (patch) | |
tree | 7a866fcc2b9646cfa61a5ff7e5208077d3d1b303 /ssl | |
parent | f7258489d88432dfc431772314ebac1c2997fdf8 (diff) |
Ignore disabled ciphers when deciding if we are using ECC
use_ecc() was always returning 1 because there are default (TLSv1.3)
ciphersuites that use ECC - even if those ciphersuites are disabled by
other options.
Fixes #7471
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/7479)
(cherry picked from commit 589b6227a85ea0133fe91d744b16dd72edee929a)
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/statem/extensions_clnt.c | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index 4b5e6fe2b8..ab4dbf6713 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -115,7 +115,7 @@ EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context, #ifndef OPENSSL_NO_EC static int use_ecc(SSL *s) { - int i, end; + int i, end, ret = 0; unsigned long alg_k, alg_a; STACK_OF(SSL_CIPHER) *cipher_stack = NULL; @@ -123,7 +123,7 @@ static int use_ecc(SSL *s) if (s->version == SSL3_VERSION) return 0; - cipher_stack = SSL_get_ciphers(s); + cipher_stack = SSL_get1_supported_ciphers(s); end = sk_SSL_CIPHER_num(cipher_stack); for (i = 0; i < end; i++) { const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); @@ -132,11 +132,14 @@ static int use_ecc(SSL *s) alg_a = c->algorithm_auth; if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) || (alg_a & SSL_aECDSA) - || c->min_tls >= TLS1_3_VERSION) - return 1; + || c->min_tls >= TLS1_3_VERSION) { + ret = 1; + break; + } } - return 0; + sk_SSL_CIPHER_free(cipher_stack); + return ret; } EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt, |