diff options
author | Matt Caswell <matt@openssl.org> | 2018-10-24 10:11:00 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2018-11-08 11:27:03 +0000 |
commit | 589b6227a85ea0133fe91d744b16dd72edee929a (patch) | |
tree | 7400827cbdc48f9a7481d0b84c624480da33c28e /ssl | |
parent | ac765685d4b08a48cefffc71c434760045154dad (diff) | |
download | openssl-589b6227a85ea0133fe91d744b16dd72edee929a.zip openssl-589b6227a85ea0133fe91d744b16dd72edee929a.tar.gz openssl-589b6227a85ea0133fe91d744b16dd72edee929a.tar.bz2 |
Ignore disabled ciphers when deciding if we are using ECC
use_ecc() was always returning 1 because there are default (TLSv1.3)
ciphersuites that use ECC - even if those ciphersuites are disabled by
other options.
Fixes #7471
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/7479)
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/statem/extensions_clnt.c | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index 4b5e6fe..ab4dbf6 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -115,7 +115,7 @@ EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context, #ifndef OPENSSL_NO_EC static int use_ecc(SSL *s) { - int i, end; + int i, end, ret = 0; unsigned long alg_k, alg_a; STACK_OF(SSL_CIPHER) *cipher_stack = NULL; @@ -123,7 +123,7 @@ static int use_ecc(SSL *s) if (s->version == SSL3_VERSION) return 0; - cipher_stack = SSL_get_ciphers(s); + cipher_stack = SSL_get1_supported_ciphers(s); end = sk_SSL_CIPHER_num(cipher_stack); for (i = 0; i < end; i++) { const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); @@ -132,11 +132,14 @@ static int use_ecc(SSL *s) alg_a = c->algorithm_auth; if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) || (alg_a & SSL_aECDSA) - || c->min_tls >= TLS1_3_VERSION) - return 1; + || c->min_tls >= TLS1_3_VERSION) { + ret = 1; + break; + } } - return 0; + sk_SSL_CIPHER_free(cipher_stack); + return ret; } EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt, |