TLS 1.1 ciphers. This patch adds support for a different cipher list when the connection is using TLS 1.1. This is intended to support the case where we want to use AES with >= TLS 1.1 clients but RC4 otherwise because of the BEAST attack.
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 1dc6b5a..aac6883 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1268,7 +1268,7 @@
 /*
 * Return with error if nothing to do.
 */
- if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
+ if (rule_str == NULL || cipher_list == NULL)
 return NULL;
 #ifndef OPENSSL_NO_EC
 if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))
@@ -1430,12 +1430,18 @@
 if (*cipher_list != NULL)
 sk_SSL_CIPHER_free(*cipher_list);
 *cipher_list = cipherstack;
- if (*cipher_list_by_id != NULL)
- sk_SSL_CIPHER_free(*cipher_list_by_id);
- *cipher_list_by_id = tmp_cipher_list;
- (void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id,ssl_cipher_ptr_id_cmp);
+ if (cipher_list_by_id != NULL)
+ {
+ if (*cipher_list_by_id != NULL)
+ sk_SSL_CIPHER_free(*cipher_list_by_id);
+ *cipher_list_by_id = tmp_cipher_list;
+ (void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id,ssl_cipher_ptr_id_cmp);
- sk_SSL_CIPHER_sort(*cipher_list_by_id);
+ sk_SSL_CIPHER_sort(*cipher_list_by_id);
+ }
+ else
+ sk_SSL_CIPHER_free(tmp_cipher_list);
+
 return(cipherstack);
 }
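Review bot: Dropping the `cipher_list_by_id == NULL` early return in the first hunk makes a NULL by-id list an accepted input, but nothing in either hunk records that new contract; add a comment at the new `if (cipher_list_by_id != NULL)` in the second hunk, e.g. `/* cipher_list_by_id is optional: a NULL caller does not want the id-sorted copy, so it is discarded below */`, and update the function's header comment and prototype, which lie outside the hunks. The `tmp_cipher_list` freed by the new else branch is presumably still duplicated unconditionally earlier in the function (not shown here); if so, an allocation failure in that duplicate still fails the whole call even though the copy is unwanted, so consider guarding the duplicate with `cipher_list_by_id != NULL` and dropping the else branch. The sort is only applied to the by-id copy, so any lookup that expects `*cipher_list_by_id` to exist must now tolerate it being left untouched when the caller passes NULL — worth a check of the callers outside this diff. The enclosing function begins before the first hunk.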