mirror of
https://github.com/openssl/openssl.git
synced 2024-11-27 20:14:20 +08:00
Ignore cipher suites when setting cipher list
set_cipher_list() sets TLSv1.2 (and below) ciphers, and its success or failure should not depend on whether set_ciphersuites() has been used to setup TLSv1.3 ciphers. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7759)
This commit is contained in:
parent
f11ffa505f
commit
3c83c5ba4f
@ -2579,6 +2579,26 @@ STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/*
|
||||
* Distinguish between ciphers controlled by set_ciphersuite() and
|
||||
* set_cipher_list() when counting.
|
||||
*/
|
||||
static int cipher_list_tls12_num(STACK_OF(SSL_CIPHER) *sk)
|
||||
{
|
||||
int i, num = 0;
|
||||
const SSL_CIPHER *c;
|
||||
|
||||
if (sk == NULL)
|
||||
return 0;
|
||||
for (i = 0; i < sk_SSL_CIPHER_num(sk); ++i) {
|
||||
c = sk_SSL_CIPHER_value(sk, i);
|
||||
if (c->min_tls >= TLS1_3_VERSION)
|
||||
continue;
|
||||
num++;
|
||||
}
|
||||
return num;
|
||||
}
|
||||
|
||||
/** specify the ciphers to be used by default by the SSL_CTX */
|
||||
int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
|
||||
{
|
||||
@ -2596,7 +2616,7 @@ int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
|
||||
*/
|
||||
if (sk == NULL)
|
||||
return 0;
|
||||
else if (sk_SSL_CIPHER_num(sk) == 0) {
|
||||
else if (cipher_list_tls12_num(sk) == 0) {
|
||||
SSLerr(SSL_F_SSL_CTX_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH);
|
||||
return 0;
|
||||
}
|
||||
@ -2614,7 +2634,7 @@ int SSL_set_cipher_list(SSL *s, const char *str)
|
||||
/* see comment in SSL_CTX_set_cipher_list */
|
||||
if (sk == NULL)
|
||||
return 0;
|
||||
else if (sk_SSL_CIPHER_num(sk) == 0) {
|
||||
else if (cipher_list_tls12_num(sk) == 0) {
|
||||
SSLerr(SSL_F_SSL_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH);
|
||||
return 0;
|
||||
}
|
||||
|
@ -215,9 +215,44 @@ static int test_default_cipherlist_explicit(void)
|
||||
return result;
|
||||
}
|
||||
|
||||
/* SSL_CTX_set_cipher_list() should fail if it clears all TLSv1.2 ciphers. */
|
||||
static int test_default_cipherlist_clear(void)
|
||||
{
|
||||
SETUP_CIPHERLIST_TEST_FIXTURE();
|
||||
SSL *s = NULL;
|
||||
|
||||
if (fixture == NULL)
|
||||
return 0;
|
||||
|
||||
if (!TEST_int_eq(SSL_CTX_set_cipher_list(fixture->server, "no-such"), 0))
|
||||
goto end;
|
||||
|
||||
if (!TEST_int_eq(ERR_GET_REASON(ERR_get_error()), SSL_R_NO_CIPHER_MATCH))
|
||||
goto end;
|
||||
|
||||
s = SSL_new(fixture->client);
|
||||
|
||||
if (!TEST_ptr(s))
|
||||
goto end;
|
||||
|
||||
if (!TEST_int_eq(SSL_set_cipher_list(s, "no-such"), 0))
|
||||
goto end;
|
||||
|
||||
if (!TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
|
||||
SSL_R_NO_CIPHER_MATCH))
|
||||
goto end;
|
||||
|
||||
result = 1;
|
||||
end:
|
||||
SSL_free(s);
|
||||
tear_down(fixture);
|
||||
return result;
|
||||
}
|
||||
|
||||
int setup_tests(void)
|
||||
{
|
||||
ADD_TEST(test_default_cipherlist_implicit);
|
||||
ADD_TEST(test_default_cipherlist_explicit);
|
||||
ADD_TEST(test_default_cipherlist_clear);
|
||||
return 1;
|
||||
}
|
||||
|
@ -99,8 +99,9 @@ static int test_client_hello(int currtest)
|
||||
* ClientHello is already going to be quite long. To avoid getting one
|
||||
* that is too long for this test we use a restricted ciphersuite list
|
||||
*/
|
||||
if (!TEST_true(SSL_CTX_set_cipher_list(ctx, "")))
|
||||
if (!TEST_false(SSL_CTX_set_cipher_list(ctx, "")))
|
||||
goto end;
|
||||
ERR_clear_error();
|
||||
/* Fall through */
|
||||
case TEST_ADD_PADDING:
|
||||
case TEST_PADDING_NOT_NEEDED:
|
||||
|
@ -1382,11 +1382,52 @@ int main(int argc, char *argv[])
|
||||
goto end;
|
||||
|
||||
if (cipher != NULL) {
|
||||
if (!SSL_CTX_set_cipher_list(c_ctx, cipher)
|
||||
|| !SSL_CTX_set_cipher_list(s_ctx, cipher)
|
||||
|| !SSL_CTX_set_cipher_list(s_ctx2, cipher)) {
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
if (strcmp(cipher, "") == 0) {
|
||||
if (!SSL_CTX_set_cipher_list(c_ctx, cipher)) {
|
||||
if (ERR_GET_REASON(ERR_peek_error()) == SSL_R_NO_CIPHER_MATCH) {
|
||||
ERR_clear_error();
|
||||
} else {
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
} else {
|
||||
/* Should have failed when clearing all TLSv1.2 ciphers. */
|
||||
fprintf(stderr, "CLEARING ALL TLSv1.2 CIPHERS SHOULD FAIL\n");
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (!SSL_CTX_set_cipher_list(s_ctx, cipher)) {
|
||||
if (ERR_GET_REASON(ERR_peek_error()) == SSL_R_NO_CIPHER_MATCH) {
|
||||
ERR_clear_error();
|
||||
} else {
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
} else {
|
||||
/* Should have failed when clearing all TLSv1.2 ciphers. */
|
||||
fprintf(stderr, "CLEARING ALL TLSv1.2 CIPHERS SHOULD FAIL\n");
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (!SSL_CTX_set_cipher_list(s_ctx2, cipher)) {
|
||||
if (ERR_GET_REASON(ERR_peek_error()) == SSL_R_NO_CIPHER_MATCH) {
|
||||
ERR_clear_error();
|
||||
} else {
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
} else {
|
||||
/* Should have failed when clearing all TLSv1.2 ciphers. */
|
||||
fprintf(stderr, "CLEARING ALL TLSv1.2 CIPHERS SHOULD FAIL\n");
|
||||
goto end;
|
||||
}
|
||||
} else {
|
||||
if (!SSL_CTX_set_cipher_list(c_ctx, cipher)
|
||||
|| !SSL_CTX_set_cipher_list(s_ctx, cipher)
|
||||
|| !SSL_CTX_set_cipher_list(s_ctx2, cipher)) {
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
}
|
||||
if (ciphersuites != NULL) {
|
||||
|
Loading…
Reference in New Issue
Block a user