From a53b5be6a056e998fb119dbf035d1df68083a951 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Tue, 3 Apr 2018 15:31:38 +0100 Subject: Fix configuration of TLSv1.3 ciphersuites Configuration of TLSv1.3 ciphersuites wasn't working in some cases. Fixes #5740 Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/5855) --- ssl/ssl_lib.c | 93 ----------------------------------------------------------- 1 file changed, 93 deletions(-) (limited to 'ssl/ssl_lib.c') diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index ae157300ae..b1d78dc35e 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2549,99 +2549,6 @@ int SSL_set_cipher_list(SSL *s, const char *str) return 1; } -static int ciphersuite_cb(const char *elem, int len, void *arg) -{ - STACK_OF(SSL_CIPHER) *ciphersuites = (STACK_OF(SSL_CIPHER) *)arg; - const SSL_CIPHER *cipher; - /* Arbitrary sized temp buffer for the cipher name. Should be big enough */ - char name[80]; - - if (len > (int)(sizeof(name) - 1)) { - SSLerr(SSL_F_CIPHERSUITE_CB, SSL_R_NO_CIPHER_MATCH); - return 0; - } - - memcpy(name, elem, len); - name[len] = '\0'; - - cipher = ssl3_get_cipher_by_std_name(name); - if (cipher == NULL) { - SSLerr(SSL_F_CIPHERSUITE_CB, SSL_R_NO_CIPHER_MATCH); - return 0; - } - - if (!sk_SSL_CIPHER_push(ciphersuites, cipher)) { - SSLerr(SSL_F_CIPHERSUITE_CB, ERR_R_INTERNAL_ERROR); - return 0; - } - - return 1; -} - -static int set_ciphersuites(STACK_OF(SSL_CIPHER) **currciphers, const char *str) -{ - STACK_OF(SSL_CIPHER) *newciphers = sk_SSL_CIPHER_new_null(); - - if (newciphers == NULL) - return 0; - - /* Parse the list. We explicitly allow an empty list */ - if (*str != '\0' - && !CONF_parse_list(str, ':', 1, ciphersuite_cb, newciphers)) { - sk_SSL_CIPHER_free(newciphers); - return 0; - } - sk_SSL_CIPHER_free(*currciphers); - *currciphers = newciphers; - - return 1; -} - -static int update_cipher_list(STACK_OF(SSL_CIPHER) *cipher_list, - STACK_OF(SSL_CIPHER) *tls13_ciphersuites) -{ - int i; - - /* - * Delete any existing TLSv1.3 ciphersuites. These are always first in the - * list. - */ - while (sk_SSL_CIPHER_num(cipher_list) > 0 - && sk_SSL_CIPHER_value(cipher_list, 0)->min_tls == TLS1_3_VERSION) - sk_SSL_CIPHER_delete(cipher_list, 0); - - /* Insert the new TLSv1.3 ciphersuites */ - for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) - sk_SSL_CIPHER_insert(cipher_list, - sk_SSL_CIPHER_value(tls13_ciphersuites, i), i); - - return 1; -} - -int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str) -{ - int ret = set_ciphersuites(&(ctx->tls13_ciphersuites), str); - - if (ret && ctx->cipher_list != NULL) { - /* We already have a cipher_list, so we need to update it */ - return update_cipher_list(ctx->cipher_list, ctx->tls13_ciphersuites); - } - - return ret; -} - -int SSL_set_ciphersuites(SSL *s, const char *str) -{ - int ret = set_ciphersuites(&(s->tls13_ciphersuites), str); - - if (ret && s->cipher_list != NULL) { - /* We already have a cipher_list, so we need to update it */ - return update_cipher_list(s->cipher_list, s->tls13_ciphersuites); - } - - return ret; -} - char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len) { char *p; -- cgit v1.2.3