diff options
| author | Matt Caswell <matt@openssl.org> | 2021-01-15 16:43:28 +0100 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2021-02-05 16:22:42 +0100 |
| commit | 05b4b85d4bb9f54fa7ed5e964595308f1f87d5b8 (patch) | |
| tree | f4caaeb9fb37931f770f519b35c718a2c662aee9 /ssl/ssl_ciph.c | |
| parent | Stop disabling TLSv1.3 if ec and dh are disabled (diff) | |
| download | openssl-05b4b85d4bb9f54fa7ed5e964595308f1f87d5b8.tar.xz openssl-05b4b85d4bb9f54fa7ed5e964595308f1f87d5b8.zip | |
Check for availability of ciphersuites at run time
In 1.1.1 and below we would check for the availability of certain
algorithms based on compile time guards. However with 3.0 this is no
longer sufficient. Some algorithms that are unavailable at compile time
may become available later if 3rd party providers are loaded. Similarly,
algorithms that exist in our built-in providers at compile time may not
be available at run time if those providers are not loaded.
Fixes #13184
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13916)
Diffstat (limited to 'ssl/ssl_ciph.c')
| -rw-r--r-- | ssl/ssl_ciph.c | 39 |
1 files changed, 29 insertions, 10 deletions
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index ec366707e5..398e4616ed 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -323,6 +323,8 @@ int ssl_load_ciphers(SSL_CTX *ctx) { size_t i; const ssl_cipher_table *t; + EVP_KEYEXCH *kex = NULL; + EVP_SIGNATURE *sig = NULL; ctx->disabled_enc_mask = 0; for (i = 0, t = ssl_cipher_table_cipher; i < SSL_ENC_NUM_IDX; i++, t++) { @@ -354,16 +356,33 @@ int ssl_load_ciphers(SSL_CTX *ctx) ctx->disabled_mkey_mask = 0; ctx->disabled_auth_mask = 0; -#ifdef OPENSSL_NO_DSA - ctx->disabled_auth_mask |= SSL_aDSS; -#endif -#ifdef OPENSSL_NO_DH - ctx->disabled_mkey_mask |= SSL_kDHE | SSL_kDHEPSK; -#endif -#ifdef OPENSSL_NO_EC - ctx->disabled_mkey_mask |= SSL_kECDHE | SSL_kECDHEPSK; - ctx->disabled_auth_mask |= SSL_aECDSA; -#endif + /* + * We ignore any errors from the fetches below. They are expected to fail + * if theose algorithms are not available. + */ + ERR_set_mark(); + sig = EVP_SIGNATURE_fetch(ctx->libctx, "DSA", ctx->propq); + if (sig == NULL) + ctx->disabled_auth_mask |= SSL_aDSS; + else + EVP_SIGNATURE_free(sig); + kex = EVP_KEYEXCH_fetch(ctx->libctx, "DH", ctx->propq); + if (kex == NULL) + ctx->disabled_mkey_mask |= SSL_kDHE | SSL_kDHEPSK; + else + EVP_KEYEXCH_free(kex); + kex = EVP_KEYEXCH_fetch(ctx->libctx, "ECDH", ctx->propq); + if (kex == NULL) + ctx->disabled_mkey_mask |= SSL_kECDHE | SSL_kECDHEPSK; + else + EVP_KEYEXCH_free(kex); + sig = EVP_SIGNATURE_fetch(ctx->libctx, "ECDSA", ctx->propq); + if (sig == NULL) + ctx->disabled_auth_mask |= SSL_aECDSA; + else + EVP_SIGNATURE_free(sig); + ERR_pop_to_mark(); + #ifdef OPENSSL_NO_PSK ctx->disabled_mkey_mask |= SSL_PSK; ctx->disabled_auth_mask |= SSL_aPSK; |