fixing conditionals in collecting ciphers

aws · Jan 9, 2025 · 3f467ff · 3f467ff
1 parent 849bf37
commit 3f467ff
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 14 deletions.
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
@@ -1691,8 +1691,8 @@ OPENSSL_EXPORT size_t SSL_get_all_standard_cipher_names(const char **out,
 // opcode-less. Inside an equal-preference group, spaces are not allowed.
 //
 // Note: TLS 1.3 ciphersuites are only configurable via
-// |SSL_[CTX]_set_ciphersuites|. Other setter functions have no impact on
-// TLS 1.3 ciphersuites.
+// |SSL_CTX_set_ciphersuites| or |SSL_set_ciphersuites|. Other setter functions have
+// no impact on TLS 1.3 ciphersuites.
 
 // SSL_DEFAULT_CIPHER_LIST is the default cipher suite configuration. It is
 // substituted when a cipher string starts with 'DEFAULT'.

diff --git a/ssl/handshake_client.cc b/ssl/handshake_client.cc
@@ -264,23 +264,32 @@ static bool ssl_write_client_cipher_list(const SSL_HANDSHAKE *hs, CBB *out,
     return false;
   }
 
-  bool any_enabled = false;
-  STACK_OF(SSL_CIPHER) *ciphers = NULL;
-  if (type != ssl_client_hello_inner) {
-    ciphers = SSL_get_ciphers(ssl);
+  if (hs->min_version <= TLS1_3_VERSION && type != ssl_client_hello_inner) {
+    bool any_enabled = false;
+    if (!collect_cipher_protocol_ids(SSL_get_ciphers(ssl), &child, mask_k,
+    mask_a, hs->max_version, hs->min_version, &any_enabled)) {
+      return false;
+    }
+
+    // If all ciphers were disabled, return the error to the caller.
+    if (!any_enabled) {
+      OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHERS_AVAILABLE);
+      return false;
+    }
   } else if (hs->max_version >= TLS1_3_VERSION && ssl->ctx->tls13_cipher_list) {
-    ciphers = ssl->ctx->tls13_cipher_list->ciphers.get();
-  }
+    STACK_OF(SSL_CIPHER) *ciphers = ssl->ctx->tls13_cipher_list->ciphers.get();
+    bool any_enabled = false;
 
-  if (!collect_cipher_protocol_ids(ciphers, &child, mask_k,
+    if (!collect_cipher_protocol_ids(ciphers, &child, mask_k,
     mask_a, hs->max_version, hs->min_version, &any_enabled)) {
       return false;
-  }
+    }
 
-  // If all ciphers were disabled, return the error to the caller.
-  if (!any_enabled) {
-    OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHERS_AVAILABLE);
-    return false;
+    // If all ciphers were disabled, return the error to the caller.
+    if (!any_enabled) {
+      OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHERS_AVAILABLE);
+      return false;
+    }
   }
 
   if (ssl->mode & SSL_MODE_SEND_FALLBACK_SCSV) {