]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
gnutls_priority_get_cipher_suite_index: do not return values for non-existent ciphers
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Wed, 1 Mar 2017 12:39:39 +0000 (13:39 +0100)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Wed, 1 Mar 2017 13:34:43 +0000 (14:34 +0100)
That is, do return only the enabled algorithms in states like FIPS140-2,
rather than returning the set that would have been enabled if these
restrictions wouldn't be in place.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
lib/algorithms/ciphersuites.c

index 3fb417dc70432a695fdf0bd47e3a7607170f10d0..7c8959efafea4fc39024644a01c3e56a3be8b519 100644 (file)
@@ -1674,7 +1674,12 @@ gnutls_priority_get_cipher_suite_index(gnutls_priority_t pcache,
                    && cs_algorithms[i].mac_algorithm ==
                    pcache->mac.priority[mac_idx]) {
                        *sidx = i;
-                       return 0;
+
+                       if (_gnutls_cipher_exists(cs_algorithms[i].block_algorithm) &&
+                           _gnutls_mac_exists(cs_algorithms[i].mac_algorithm))
+                               return 0;
+                       else
+                               break;
                }
        }
        return GNUTLS_E_UNKNOWN_CIPHER_SUITE;