From: Nils Larsch
Date: Wed, 8 Jun 2005 21:16:32 +0000 (+0000)
Subject: ssl_create_cipher_list should return an error if no cipher could be
X-Git-Tag: FIPS_TEST_10~35
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=e32b08abc3db7f50effd81507f7ddcd8a1349d80;p=oweals%2Fopenssl.git

ssl_create_cipher_list should return an error if no cipher could be collected (see SSL_CTX_set_cipher_list manpage). Fix handling of "cipher1+cipher2" expressions in ssl_cipher_process_rulestr.
PR: 836 + 1005
---
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index b68ed81e52..40644ba880 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -700,9 +700,11 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
  if (!found) break; /* ignore this entry */
- algorithms |= ca_list[j]->algorithms;
+ algorithms |= (ca_list[j]->algorithms & ~mask) |
+ (ca_list[j]->algorithms & algorithms & mask);
  mask |= ca_list[j]->mask;
- algo_strength |= ca_list[j]->algo_strength;
+ algo_strength |= (ca_list[j]->algo_strength & ~mask_strength) |
+ (ca_list[j]->algo_strength & algorithms & mask_strength);
  mask_strength |= ca_list[j]->mask_strength;
  if (!multi) break;
@@ -874,6 +876,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  }
  }
  OPENSSL_free(co_list); /* Not needed any longer */
+ /* if no ciphers where selected let's return NULL */
+ if (sk_SSL_CIPHER_num(cipherstack) == 0)
+ {
+ SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH);
+ sk_SSL_CIPHER_free(cipherstack);
+ return NULL;
+ }
  /* * The following passage is a little bit odd. If pointer variables
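Review bot: The second term of the new `algo_strength` expression ANDs with `algorithms` rather than `algo_strength`, which looks like a copy-paste slip from the `algorithms` statement just above it; as written, strength bits are filtered by unrelated algorithm bits, and by the value `algorithms` has just been updated to. I would change that term to `(ca_list[j]->algo_strength & algo_strength & mask_strength);`. Separately, both statements still use `|=`, so bits already set inside an overlapping mask are never cleared; it is worth confirming that a "cipher1+cipher2" rule really narrows the selection, because a match that is too broad here would enable more cipher suites than the rule string asked for. The loop and the declarations of `mask` and `mask_strength` lie outside the hunk.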
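Review bot: The new early return at `if (sk_SSL_CIPHER_num(cipherstack) == 0)` sits before the passage that begins at the end of this hunk, so whatever that passage does with the caller's list pointers is skipped on this path. If those pointers keep their previous value, a caller that ignores the NULL return would presumably go on using its old cipher list instead of the one just requested. That contract deserves to be spelled out at the check, and the added comment has a typo ("where"); I would write `/* no cipher matched the rule string: report SSL_R_NO_CIPHER_MATCH and return NULL; callers must treat NULL as failure */`. The body of ssl_create_cipher_list starts and ends outside the hunk, so the handling of the out-parameters is inferred, not visible here.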