The branch OpenSSL_1_1_1-stable has been updated via efd67e01a5471f9b0745018d7707b69876b070f6 (commit) via f306b9e62a375add764c7d9de6e311aaa0229865 (commit) from f7258489d88432dfc431772314ebac1c2997fdf8 (commit)
- Log ----------------------------------------------------------------- commit efd67e01a5471f9b0745018d7707b69876b070f6 Author: Matt Caswell <m...@openssl.org> Date: Fri Oct 26 15:29:15 2018 +0100 Give a better error if an attempt is made to set a zero length groups list Previously we indicated this as a malloc failure which isn't very helpful. Reviewed-by: Kurt Roeckx <k...@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/7479) (cherry picked from commit 680bd131b69d57e891888ab70d300176a5a16617) commit f306b9e62a375add764c7d9de6e311aaa0229865 Author: Matt Caswell <m...@openssl.org> Date: Wed Oct 24 10:11:00 2018 +0100 Ignore disabled ciphers when deciding if we are using ECC use_ecc() was always returning 1 because there are default (TLSv1.3) ciphersuites that use ECC - even if those ciphersuites are disabled by other options. Fixes #7471 Reviewed-by: Kurt Roeckx <k...@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/7479) (cherry picked from commit 589b6227a85ea0133fe91d744b16dd72edee929a) ----------------------------------------------------------------------- Summary of changes: doc/man3/SSL_CTX_set1_curves.pod | 3 +++ ssl/statem/extensions_clnt.c | 13 ++++++++----- ssl/t1_lib.c | 4 ++++ 3 files changed, 15 insertions(+), 5 deletions(-) diff --git a/doc/man3/SSL_CTX_set1_curves.pod b/doc/man3/SSL_CTX_set1_curves.pod index a250f20..2757ccb 100644 --- a/doc/man3/SSL_CTX_set1_curves.pod +++ b/doc/man3/SSL_CTX_set1_curves.pod @@ -32,6 +32,9 @@ SSL_set1_curves_list, SSL_get1_curves, SSL_get_shared_curve =head1 DESCRIPTION +For all of the functions below that set the supported groups there must be at +least one group in the list. + SSL_CTX_set1_groups() sets the supported groups for B<ctx> to B<glistlen> groups in the array B<glist>. The array consist of all NIDs of groups in preference order. For a TLS client the groups are used directly in the diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index 4b5e6fe..ab4dbf6 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -115,7 +115,7 @@ EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context, #ifndef OPENSSL_NO_EC static int use_ecc(SSL *s) { - int i, end; + int i, end, ret = 0; unsigned long alg_k, alg_a; STACK_OF(SSL_CIPHER) *cipher_stack = NULL; @@ -123,7 +123,7 @@ static int use_ecc(SSL *s) if (s->version == SSL3_VERSION) return 0; - cipher_stack = SSL_get_ciphers(s); + cipher_stack = SSL_get1_supported_ciphers(s); end = sk_SSL_CIPHER_num(cipher_stack); for (i = 0; i < end; i++) { const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); @@ -132,11 +132,14 @@ static int use_ecc(SSL *s) alg_a = c->algorithm_auth; if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) || (alg_a & SSL_aECDSA) - || c->min_tls >= TLS1_3_VERSION) - return 1; + || c->min_tls >= TLS1_3_VERSION) { + ret = 1; + break; + } } - return 0; + sk_SSL_CIPHER_free(cipher_stack); + return ret; } EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt, diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 1564979..b8b9fbd 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -343,6 +343,10 @@ int tls1_set_groups(uint16_t **pext, size_t *pextlen, */ unsigned long dup_list = 0; + if (ngroups == 0) { + SSLerr(SSL_F_TLS1_SET_GROUPS, SSL_R_BAD_LENGTH); + return 0; + } if ((glist = OPENSSL_malloc(ngroups * sizeof(*glist))) == NULL) { SSLerr(SSL_F_TLS1_SET_GROUPS, ERR_R_MALLOC_FAILURE); return 0; _____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits