Google Git
Sign in
flutter / third_party / openssl / 60d685d196e8d594d754751e4852f01d80d8c0cc^! / . / ssl
commit60d685d196e8d594d754751e4852f01d80d8c0cc[log] [tgz]
authorBenjamin Kaduk <bkaduk@akamai.com>Mon Feb 06 11:30:16 2017 -0600
committerRichard Levitte <levitte@openssl.org>Thu Feb 23 19:24:37 2017 +0100
treef8e7d0739c62f6a312fcc85004ebe811dba68aad
parent650c6e41d60905fa1396dff2c7fe4d6fbb7239ba [diff]
Let ssl_get_cipher_by_char yield not-valid ciphers

Now that we have made SCSVs into more of a first-class object, provide
a way for the bytes-to-SSL_CIPHER conversion to actually return them.
Add a flag 'all' to ssl_get_cipher_by_char to indicate that we want
all the known ciphers, not just the ones valid for encryption.  This will,
in practice, let the caller retrieve the SCSVs.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2279)
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 2d2395c..e64e3da 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c

@@ -1915,11 +1915,12 @@
     return -1;
 }
 
-const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl, const unsigned char *ptr)
+const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl, const unsigned char *ptr,
+                                         int all)
 {
     const SSL_CIPHER *c = ssl->method->get_cipher_by_char(ptr);
 
-    if (c == NULL || c->valid == 0)
+    if (c == NULL || (!all && c->valid == 0))
         return NULL;
     return c;
 }

diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index fa0d2a2..ff1f598 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h

@@ -2001,7 +2001,8 @@
                                    size_t *ext_overhead);
 __owur int ssl_cipher_get_cert_index(const SSL_CIPHER *c);
 __owur const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl,
-                                                const unsigned char *ptr);
+                                                const unsigned char *ptr,
+                                                int all);
 __owur int ssl_cert_set0_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain);
 __owur int ssl_cert_set1_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain);
 __owur int ssl_cert_add0_chain_cert(SSL *s, SSL_CTX *ctx, X509 *x);

diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 614da1b..bc35a3e 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c

@@ -1294,7 +1294,7 @@
                      && master_key_length > 0) {
                 s->session->master_key_length = master_key_length;
                 s->session->cipher = pref_cipher ?
-                    pref_cipher : ssl_get_cipher_by_char(s, cipherchars);
+                    pref_cipher : ssl_get_cipher_by_char(s, cipherchars, 0);
             } else {
                 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
                 al = SSL_AD_INTERNAL_ERROR;
@@ -1353,7 +1353,7 @@
         goto f_err;
     }
 
-    c = ssl_get_cipher_by_char(s, cipherchars);
+    c = ssl_get_cipher_by_char(s, cipherchars, 0);
     if (c == NULL) {
         /* unknown cipher */
         al = SSL_AD_ILLEGAL_PARAMETER;

diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index ca020c5..2cbc219 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c

@@ -3633,7 +3633,7 @@
         }
 
         /* For SSLv2-compat, ignore leading 0-byte. */
-        c = ssl_get_cipher_by_char(s, sslv2format ? &cipher[1] : cipher);
+        c = ssl_get_cipher_by_char(s, sslv2format ? &cipher[1] : cipher, 0);
         if (c != NULL) {
             if (!sk_SSL_CIPHER_push(sk, c)) {
                 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);