diff options
author | Otto Hollmann <otto@hollmann.cz> | 2020-06-09 15:50:12 +0200 |
---|---|---|
committer | Tomas Mraz <tmraz@fedoraproject.org> | 2021-01-07 17:38:56 +0100 |
commit | c1e8a0c66e32b4144fdeb49bd5ff7acb76df72b9 (patch) | |
tree | 1785488db8b67f7baa03d42e0f0cf3a99858dcb9 | |
parent | a86add03abf7ebdf63d79971b9feb396931b8697 (diff) | |
download | openssl-new-c1e8a0c66e32b4144fdeb49bd5ff7acb76df72b9.tar.gz |
Fix set_ciphersuites ignore unknown ciphers.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12100)
-rw-r--r-- | doc/man3/SSL_CTX_set_cipher_list.pod | 10 | ||||
-rw-r--r-- | ssl/ssl_ciph.c | 5 |
2 files changed, 9 insertions, 6 deletions
diff --git a/doc/man3/SSL_CTX_set_cipher_list.pod b/doc/man3/SSL_CTX_set_cipher_list.pod index 2fdebdf51d..c2786295b7 100644 --- a/doc/man3/SSL_CTX_set_cipher_list.pod +++ b/doc/man3/SSL_CTX_set_cipher_list.pod @@ -65,11 +65,11 @@ cipher string for TLSv1.3 ciphersuites. =head1 NOTES -The control string B<str> for SSL_CTX_set_cipher_list() and -SSL_set_cipher_list() should be universally usable and not depend -on details of the library configuration (ciphers compiled in). Thus no -syntax checking takes place. Items that are not recognized, because the -corresponding ciphers are not compiled in or because they are mistyped, +The control string B<str> for SSL_CTX_set_cipher_list(), SSL_set_cipher_list(), +SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites() should be universally +usable and not depend on details of the library configuration (ciphers compiled +in). Thus no syntax checking takes place. Items that are not recognized, because +the corresponding ciphers are not compiled in or because they are mistyped, are simply ignored. Failure is only flagged if no ciphers could be collected at all. diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 64ecc543ba..abbe6b71e0 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -1300,6 +1300,8 @@ static int ciphersuite_cb(const char *elem, int len, void *arg) if (cipher == NULL) { ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHER_MATCH); return 0; + /* Ciphersuite not found but return 1 to parse rest of the list */ + return 1; } if (!sk_SSL_CIPHER_push(ciphersuites, cipher)) { @@ -1319,7 +1321,8 @@ static __owur int set_ciphersuites(STACK_OF(SSL_CIPHER) **currciphers, const cha /* Parse the list. We explicitly allow an empty list */ if (*str != '\0' - && !CONF_parse_list(str, ':', 1, ciphersuite_cb, newciphers)) { + && (CONF_parse_list(str, ':', 1, ciphersuite_cb, newciphers) <= 0 + || sk_SSL_CIPHER_num(newciphers) == 0 )) { sk_SSL_CIPHER_free(newciphers); return 0; } |