From: Pascal Knecht
Date: Thu, 3 Sep 2020 19:53:52 +0000 (+0200)
Subject: tls-peer: Don't initiate TLS connection if no cipher suites are supported
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f920125304d2799c9c270f27bcaca457c19b3926;p=people%2Fms%2Fstrongswan.git

tls-peer: Don't initiate TLS connection if no cipher suites are supported

If zero cipher suites are left after all filters, tls-peer does not try to establish a connection to the server anymore.
---
diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c
index 002b84c7a..8e75eecf5 100644
--- a/src/libtls/tls_peer.c
+++ b/src/libtls/tls_peer.c
@@ -1237,6 +1237,12 @@ static status_t send_client_hello(private_tls_peer_t *this,
 /* add TLS cipher suites */
 count = this->crypto->get_cipher_suites(this->crypto, &suites);
+ if (count <= 0)
+ {
+ DBG1(DBG_TLS, "no supported TLS cipher suite available");
+ this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+ return NEED_MORE;
+ }
 writer->write_uint16(writer, count * 2);
 for (i = 0; i < count; i++)
 {
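Review bot: The early return in the new `count <= 0` branch sits at the "add TLS cipher suites" step, so `writer` presumably already holds the earlier ClientHello fields (those writes are outside the hunk), and whether the caller discards that partial message once the fatal alert is queued cannot be seen here. Failing closed is the right behaviour, but it would be more robust to fetch and check the suites before anything is written to `writer`. Failing that, document the contract with a comment such as `/* writer holds a partial ClientHello here; caller must drop it when a fatal alert is queued */`. The DBG1 text could also say that the configured filters left no suite, since this condition points to a local configuration problem that an operator has to fix. send_client_hello's body starts and ends outside the hunk.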