Don't include any TLSv1.3 ciphersuites that are disabled

author olszomal <Malgorzata.Olszowka@stunnel.org>

Wed, 27 Oct 2021 10:36:08 +0000 (12:36 +0200)

committer Pauli <ppzgs1@gmail.com>

Mon, 29 Nov 2021 02:17:30 +0000 (12:17 +1000)
author olszomal <Malgorzata.Olszowka@stunnel.org>
Wed, 27 Oct 2021 10:36:08 +0000 (12:36 +0200)
committer Pauli <ppzgs1@gmail.com>
Mon, 29 Nov 2021 02:17:30 +0000 (12:17 +1000)
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c

index e38e1c27e6cf16b04d468f8349d89a3ab7a67e21..046e4aac06f54bdac2e3e3281a18004b21b9b871 100644 (file)
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1370,7 +1370,8 @@ static int update_cipher_list_by_id(STACK_OF(SSL_CIPHER) **cipher_list_by_id,
      return 1;
  }
  
-static int update_cipher_list(STACK_OF(SSL_CIPHER) **cipher_list,
+static int update_cipher_list(SSL_CTX *ctx,
+                              STACK_OF(SSL_CIPHER) **cipher_list,
                                STACK_OF(SSL_CIPHER) **cipher_list_by_id,
                                STACK_OF(SSL_CIPHER) *tls13_ciphersuites)
  {
@@ -1390,9 +1391,17 @@ static int update_cipher_list(STACK_OF(SSL_CIPHER) **cipher_list,
          (void)sk_SSL_CIPHER_delete(tmp_cipher_list, 0);
  
      /* Insert the new TLSv1.3 ciphersuites */
-    for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++)
-        sk_SSL_CIPHER_insert(tmp_cipher_list,
-                             sk_SSL_CIPHER_value(tls13_ciphersuites, i), i);
+    for (i = sk_SSL_CIPHER_num(tls13_ciphersuites) - 1; i >= 0; i--) {
+        const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
+
+        /* Don't include any TLSv1.3 ciphersuites that are disabled */
+        if ((sslc->algorithm_enc & ctx->disabled_enc_mask) == 0
+                && (ssl_cipher_table_mac[sslc->algorithm2
+                                         & SSL_HANDSHAKE_MAC_MASK].mask
+                    & ctx->disabled_mac_mask) == 0) {
+            sk_SSL_CIPHER_unshift(tmp_cipher_list, sslc);
+        }
+    }
  
      if (!update_cipher_list_by_id(cipher_list_by_id, tmp_cipher_list)) {
          sk_SSL_CIPHER_free(tmp_cipher_list);
@@ -1410,7 +1419,7 @@ int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str)
      int ret = set_ciphersuites(&(ctx->tls13_ciphersuites), str);
  
      if (ret && ctx->cipher_list != NULL)
-        return update_cipher_list(&ctx->cipher_list, &ctx->cipher_list_by_id,
+        return update_cipher_list(ctx, &ctx->cipher_list, &ctx->cipher_list_by_id,
                                    ctx->tls13_ciphersuites);
  
      return ret;
@@ -1426,7 +1435,7 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
              s->cipher_list = sk_SSL_CIPHER_dup(cipher_list);
      }
      if (ret && s->cipher_list != NULL)
-        return update_cipher_list(&s->cipher_list, &s->cipher_list_by_id,
+        return update_cipher_list(s->ctx, &s->cipher_list, &s->cipher_list_by_id,
                                    s->tls13_ciphersuites);
  
      return ret;
author	olszomal <Malgorzata.Olszowka@stunnel.org>
	Wed, 27 Oct 2021 10:36:08 +0000 (12:36 +0200)
committer	Pauli <ppzgs1@gmail.com>
	Mon, 29 Nov 2021 02:17:30 +0000 (12:17 +1000)