Let ssl_get_cipher_by_char yield not-valid ciphers

Now that we have made SCSVs into more of a first-class object, provide a way for the bytes-to-SSL_CIPHER conversion to actually return them. Add a flag 'all' to ssl_get_cipher_by_char to indicate that we want all the known ciphers, not just the ones valid for encryption. This will, in practice, let the caller retrieve the SCSVs. Reviewed-by: N Matt Caswell <matt@openssl.org> Reviewed-by: N Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2279)

Let ssl_get_cipher_by_char yield not-valid ciphers
Now that we have made SCSVs into more of a first-class object, provide a way for the bytes-to-SSL_CIPHER conversion to actually return them. Add a flag 'all' to ssl_get_cipher_by_char to indicate that we want all the known ciphers, not just the ones valid for encryption. This will, in practice, let the caller retrieve the SCSVs. Reviewed-by: N Matt Caswell <matt@openssl.org> Reviewed-by: N Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2279)
60d685d1 · Benjamin Kaduk · Richard Levitte · 650c6e41 · 60d685d1 · 60d685d1
Showing with 8 addition and 6 deletion

ssl/ssl_ciph.c ssl/ssl_ciph.c +3 -2

ssl/ssl_locl.h ssl/ssl_locl.h +2 -1

ssl/statem/statem_clnt.c ssl/statem/statem_clnt.c +2 -2

ssl/statem/statem_srvr.c ssl/statem/statem_srvr.c +1 -1

未找到文件。
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1915,11 +1915,12 @@ int ssl_cipher_get_cert_index(const SSL_CIPHER *c)
    return -1;
 }

-const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl, const unsigned char *ptr)
+const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl, const unsigned char *ptr,
+                                         int all)
 {
    const SSL_CIPHER *c = ssl->method->get_cipher_by_char(ptr);

-    if (c == NULL || c->valid == 0)
+    if (c == NULL || (!all && c->valid == 0))
        return NULL;
    return c;
 }

--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -2001,7 +2001,8 @@ __owur int ssl_cipher_get_overhead(const SSL_CIPHER *c, size_t *mac_overhead,
                                   size_t *ext_overhead);
 __owur int ssl_cipher_get_cert_index(const SSL_CIPHER *c);
 __owur const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl,
-                                                const unsigned char *ptr);
+                                                const unsigned char *ptr,
+                                                int all);
 __owur int ssl_cert_set0_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain);
 __owur int ssl_cert_set1_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain);
 __owur int ssl_cert_add0_chain_cert(SSL *s, SSL_CTX *ctx, X509 *x);

--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1294,7 +1294,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
                     && master_key_length > 0) {
                s->session->master_key_length = master_key_length;
                s->session->cipher = pref_cipher ?
-                    pref_cipher : ssl_get_cipher_by_char(s, cipherchars);
+                    pref_cipher : ssl_get_cipher_by_char(s, cipherchars, 0);
            } else {
                SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
                al = SSL_AD_INTERNAL_ERROR;
@@ -1353,7 +1353,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
        goto f_err;
    }

-    c = ssl_get_cipher_by_char(s, cipherchars);
+    c = ssl_get_cipher_by_char(s, cipherchars, 0);
    if (c == NULL) {
        /* unknown cipher */
        al = SSL_AD_ILLEGAL_PARAMETER;

--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -3633,7 +3633,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,
        }

        /* For SSLv2-compat, ignore leading 0-byte. */
-        c = ssl_get_cipher_by_char(s, sslv2format ? &cipher[1] : cipher);
+        c = ssl_get_cipher_by_char(s, sslv2format ? &cipher[1] : cipher, 0);
        if (c != NULL) {
            if (!sk_SSL_CIPHER_push(sk, c)) {
                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);