mod vairant pt 2

aws · Jan 17, 2025 · 7fda86e · 7fda86e
1 parent 05c5610
commit 7fda86e
Showing 1 changed file with 31 additions and 29 deletions.
diff --git a/ssl/handshake_client.cc b/ssl/handshake_client.cc
@@ -260,36 +260,38 @@ static bool ssl_write_client_cipher_list(const SSL_HANDSHAKE *hs, CBB *out,
     return false;
   }
 
-  // Add TLS 1.3 ciphers.
-  if (hs->max_version >= TLS1_3_VERSION && ssl->ctx->tls13_cipher_list) {
-    // Use the configured TLSv1.3 ciphers list.
-    STACK_OF(SSL_CIPHER) *ciphers = ssl->ctx->tls13_cipher_list->ciphers.get();
-    bool any_enabled = false;
-    if (!collect_cipher_protocol_ids(ciphers, &child, mask_k,
-      mask_a, hs->max_version, hs->min_version, &any_enabled)) {
-      return false;
+  if (hs->min_version >= TLS1_3_VERSION || type == ssl_client_hello_inner) {
+    // Add TLS 1.3 ciphers.
+    if (hs->max_version >= TLS1_3_VERSION && ssl->ctx->tls13_cipher_list) {
+      // Use the configured TLSv1.3 ciphers list.
+      STACK_OF(SSL_CIPHER) *ciphers = ssl->ctx->tls13_cipher_list->ciphers.get();
+      bool any_enabled = false;
+      if (!collect_cipher_protocol_ids(ciphers, &child, mask_k,
+        mask_a, hs->max_version, hs->min_version, &any_enabled)) {
+        return false;
+        }
+      // If all ciphers were disabled, return the error to the caller.
+      if (!any_enabled) {
+        OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHERS_AVAILABLE);
+        return false;
       }
-    // If all ciphers were disabled, return the error to the caller.
-    if (!any_enabled) {
-      OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHERS_AVAILABLE);
-      return false;
-    }
-  } else if (hs->max_version >= TLS1_3_VERSION) {
-    // Use the built in TLSv1.3 ciphers. Order ChaCha20-Poly1305 relative to
-    // AES-GCM based on hardware support.
-    const bool has_aes_hw = ssl->config->aes_hw_override
-                                ? ssl->config->aes_hw_override_value
-                                : EVP_has_aes_hardware();
-
-    if (!has_aes_hw && !CBB_add_u16(&child, TLS1_CK_CHACHA20_POLY1305_SHA256 & 0xffff)) {
-      return false;
-    }
-    if (!CBB_add_u16(&child, TLS1_3_CK_AES_128_GCM_SHA256 & 0xffff) ||
-        !CBB_add_u16(&child, TLS1_3_CK_AES_256_GCM_SHA384 & 0xffff)) {
-      return false;
-    }
-    if (has_aes_hw && !CBB_add_u16(&child, TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff)) {
+    } else if (hs->max_version >= TLS1_3_VERSION) {
+      // Use the built in TLSv1.3 ciphers. Order ChaCha20-Poly1305 relative to
+      // AES-GCM based on hardware support.
+      const bool has_aes_hw = ssl->config->aes_hw_override
+                                  ? ssl->config->aes_hw_override_value
+                                  : EVP_has_aes_hardware();
+
+      if (!has_aes_hw && !CBB_add_u16(&child, TLS1_CK_CHACHA20_POLY1305_SHA256 & 0xffff)) {
         return false;
+      }
+      if (!CBB_add_u16(&child, TLS1_3_CK_AES_128_GCM_SHA256 & 0xffff) ||
+          !CBB_add_u16(&child, TLS1_3_CK_AES_256_GCM_SHA384 & 0xffff)) {
+        return false;
+          }
+      if (has_aes_hw && !CBB_add_u16(&child, TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff)) {
+        return false;
+      }
     }
   }
 
@@ -301,7 +303,7 @@ static bool ssl_write_client_cipher_list(const SSL_HANDSHAKE *hs, CBB *out,
       return false;
     }
     // If all ciphers were disabled, return the error to the caller.
-    if (!any_enabled && hs->max_version < TLS1_3_VERSION) {
+    if (!any_enabled) {
       OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHERS_AVAILABLE);
       return false;
     }