From: Otto Hollmann Date: Tue, 9 Jun 2020 13:50:12 +0000 (+0200) Subject: Fix set_ciphersuites ignore unknown ciphers. X-Git-Tag: openssl-3.0.0-alpha11~164 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c1e8a0c66e32b4144fdeb49bd5ff7acb76df72b9;p=thirdparty%2Fopenssl.git Fix set_ciphersuites ignore unknown ciphers. Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/12100) --- diff --git a/doc/man3/SSL_CTX_set_cipher_list.pod b/doc/man3/SSL_CTX_set_cipher_list.pod index 2fdebdf51d2..c2786295b7d 100644 --- a/doc/man3/SSL_CTX_set_cipher_list.pod +++ b/doc/man3/SSL_CTX_set_cipher_list.pod @@ -65,11 +65,11 @@ cipher string for TLSv1.3 ciphersuites. =head1 NOTES -The control string B for SSL_CTX_set_cipher_list() and -SSL_set_cipher_list() should be universally usable and not depend -on details of the library configuration (ciphers compiled in). Thus no -syntax checking takes place. Items that are not recognized, because the -corresponding ciphers are not compiled in or because they are mistyped, +The control string B for SSL_CTX_set_cipher_list(), SSL_set_cipher_list(), +SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites() should be universally +usable and not depend on details of the library configuration (ciphers compiled +in). Thus no syntax checking takes place. Items that are not recognized, because +the corresponding ciphers are not compiled in or because they are mistyped, are simply ignored. Failure is only flagged if no ciphers could be collected at all. diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 64ecc543bad..abbe6b71e09 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -1300,6 +1300,8 @@ static int ciphersuite_cb(const char *elem, int len, void *arg) if (cipher == NULL) { ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHER_MATCH); return 0; + /* Ciphersuite not found but return 1 to parse rest of the list */ + return 1; } if (!sk_SSL_CIPHER_push(ciphersuites, cipher)) { @@ -1319,7 +1321,8 @@ static __owur int set_ciphersuites(STACK_OF(SSL_CIPHER) **currciphers, const cha /* Parse the list. We explicitly allow an empty list */ if (*str != '\0' - && !CONF_parse_list(str, ':', 1, ciphersuite_cb, newciphers)) { + && (CONF_parse_list(str, ':', 1, ciphersuite_cb, newciphers) <= 0 + || sk_SSL_CIPHER_num(newciphers) == 0 )) { sk_SSL_CIPHER_free(newciphers); return 0; }