Let ssl_get_cipher_by_char yield not-valid ciphers

Now that we have made SCSVs into more of a first-class object, provide
a way for the bytes-to-SSL_CIPHER conversion to actually return them.
Add a flag 'all' to ssl_get_cipher_by_char to indicate that we want
all the known ciphers, not just the ones valid for encryption.  This will,
in practice, let the caller retrieve the SCSVs.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2279)

diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 2d2395c5c15c516201012f875bbbc23062cc9f79..e64e3da32ee21cac085060adaff3196df2720601 100644 (file)
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1915,11 +1915,12 @@ int ssl_cipher_get_cert_index(const SSL_CIPHER *c)
     return -1;
 }
 
-const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl, const unsigned char *ptr)
+const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl, const unsigned char *ptr,
+                                         int all)
 {
     const SSL_CIPHER *c = ssl->method->get_cipher_by_char(ptr);
 
-    if (c == NULL || c->valid == 0)
+    if (c == NULL || (!all && c->valid == 0))
         return NULL;
     return c;
 }

diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index fa0d2a2549b5846e7ad41dce24de7b399632bbb4..ff1f598fb434d94c72f0d6310c413751929b769d 100644 (file)
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -2001,7 +2001,8 @@ __owur int ssl_cipher_get_overhead(const SSL_CIPHER *c, size_t *mac_overhead,
                                    size_t *ext_overhead);
 __owur int ssl_cipher_get_cert_index(const SSL_CIPHER *c);
 __owur const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl,
-                                                const unsigned char *ptr);
+                                                const unsigned char *ptr,
+                                                int all);
 __owur int ssl_cert_set0_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain);
 __owur int ssl_cert_set1_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain);
 __owur int ssl_cert_add0_chain_cert(SSL *s, SSL_CTX *ctx, X509 *x);

diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 614da1b6a7c9309421be7432552395dae5ae155f..bc35a3ea25bb96da176b70c81b4aad3b6c549586 100644 (file)
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1294,7 +1294,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
                      && master_key_length > 0) {
                 s->session->master_key_length = master_key_length;
                 s->session->cipher = pref_cipher ?
-                    pref_cipher : ssl_get_cipher_by_char(s, cipherchars);
+                    pref_cipher : ssl_get_cipher_by_char(s, cipherchars, 0);
             } else {
                 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
                 al = SSL_AD_INTERNAL_ERROR;
@@ -1353,7 +1353,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
         goto f_err;
     }
 
-    c = ssl_get_cipher_by_char(s, cipherchars);
+    c = ssl_get_cipher_by_char(s, cipherchars, 0);
     if (c == NULL) {
         /* unknown cipher */
         al = SSL_AD_ILLEGAL_PARAMETER;

diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index ca020c551106a2ed9f6f9094d4cadd0c33573082..2cbc219a3a694b050bcc7044c0dbb979954be183 100644 (file)
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -3633,7 +3633,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,
         }
 
         /* For SSLv2-compat, ignore leading 0-byte. */
-        c = ssl_get_cipher_by_char(s, sslv2format ? &cipher[1] : cipher);
+        c = ssl_get_cipher_by_char(s, sslv2format ? &cipher[1] : cipher, 0);
         if (c != NULL) {
             if (!sk_SSL_CIPHER_push(sk, c)) {
                 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);