From: Nick Mathewson
Date: Tue, 23 Sep 2025 15:44:28 +0000 (-0400)
Subject: Bulletproof the "get_mozilla_ciphers" script
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fmerge-requests%2F933%2Fhead;p=thirdparty%2Ftor.git
Bulletproof the "get_mozilla_ciphers" script
Reviewers have noted that the script's logic treats all "enabled" flags in StaticPrefList.yaml (other than an explicit False) as True. That's not so great, since the flag can also be a string, and we don't necessarily want to treat all strings as meaning that a ciphersuite is enabled. (Although we do in fact want to treat the only string used in _current_ firefox git main that way.) This change has no effect on the generated ciphers.inc. Closes #41117. ci
---
diff --git a/scripts/codegen/get_mozilla_ciphers.py b/scripts/codegen/get_mozilla_ciphers.py
index 1c80144f5a..e1149e7d75 100755
--- a/scripts/codegen/get_mozilla_ciphers.py
+++ b/scripts/codegen/get_mozilla_ciphers.py
@@ -136,9 +136,13 @@ for entry in yaml_file:
 used_ciphers = []
 for k, v in enabled_ciphers.items():
- if v != False: # there are strings we want to allow.
-
+ if v in (True, "True", "true", "IS_NOT_EARLY_BETA_OR_EARLIER"):
 used_ciphers.append(ciphers[k])
+ elif v == False:
+ pass
+ else:
+ print(f"Warning: unexpected value {v!r} for 'enabled'", file=sys.stderr)
+ sys.exit(1)
 #oSSLinclude = ('/usr/include/openssl/ssl3.h', '/usr/include/openssl/ssl.h',
 # '/usr/include/openssl/ssl2.h', '/usr/include/openssl/ssl23.h',
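Review bot: The new allow-list test `v in (True, ...)` and the `elif v == False:` branch compare by equality, so an `enabled` value of `1`, `1.0`, `0` or `0.0` is still accepted silently, because `True == 1` and `False == 0` in Python. Since the point of the change is to reject anything unexpected before it reaches the generated cipher list, identity checks would be tighter: `if v is True or v in ("True", "true", "IS_NOT_EARLY_BETA_OR_EARLIER"):` and `elif v is False:`. The fatal branch also says "Warning:" although it exits with status 1, and it does not name the key that carried the value; `print(f"Error: unexpected value {v!r} for 'enabled' on {k!r}", file=sys.stderr)` would make a failed codegen run easier to trace. The import of `sys` is not visible in this hunk, so confirm it is already present at the top of the script.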