gnutls_priority_get_cipher_suite_index: do not return values for non-existent ciphers

That is, do return only the enabled algorithms in states like FIPS140-2,
rather than returning the set that would have been enabled if these
restrictions wouldn't be in place.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

diff --git a/lib/algorithms/ciphersuites.c b/lib/algorithms/ciphersuites.c
index 3fb417dc70432a695fdf0bd47e3a7607170f10d0..7c8959efafea4fc39024644a01c3e56a3be8b519 100644 (file)
--- a/lib/algorithms/ciphersuites.c
+++ b/lib/algorithms/ciphersuites.c
@@ -1674,7 +1674,12 @@ gnutls_priority_get_cipher_suite_index(gnutls_priority_t pcache,
                    && cs_algorithms[i].mac_algorithm ==
                    pcache->mac.priority[mac_idx]) {
                        *sidx = i;
-                       return 0;
+
+                       if (_gnutls_cipher_exists(cs_algorithms[i].block_algorithm) &&
+                           _gnutls_mac_exists(cs_algorithms[i].mac_algorithm))
+                               return 0;
+                       else
+                               break;
                }
        }
        return GNUTLS_E_UNKNOWN_CIPHER_SUITE;