From: Tobias Brunner Date: Thu, 19 Nov 2020 13:40:30 +0000 (+0100) Subject: tls-server: Determine supported/configured suites and versions early X-Git-Tag: 5.9.2rc1~23^2~55 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=06424efa171f8a2fc339ff7a30463824f7af35c5;p=thirdparty%2Fstrongswan.git tls-server: Determine supported/configured suites and versions early If we don't do this, we might negotiate a TLS version for which we don't have any suites configured, so that the cipher suite negotiation subsequently fails. --- diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c index 06fd9229f2..f24713de13 100644 --- a/src/libtls/tls_crypto.c +++ b/src/libtls/tls_crypto.c @@ -1228,7 +1228,10 @@ METHOD(tls_crypto_t, get_cipher_suites, int, { build_cipher_suite_list(this); } - *suites = this->suites; + if (suites) + { + *suites = this->suites; + } return this->suite_count; } @@ -1376,11 +1379,6 @@ METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t, suite_algs_t *algs; int i, j; - if (!this->suites) - { - build_cipher_suite_list(this); - } - for (i = 0; i < this->suite_count; i++) { for (j = 0; j < count; j++) diff --git a/src/libtls/tls_crypto.h b/src/libtls/tls_crypto.h index b5dd4f9305..958b7db298 100644 --- a/src/libtls/tls_crypto.h +++ b/src/libtls/tls_crypto.h @@ -436,7 +436,7 @@ struct tls_crypto_t { /** * Get a list of supported TLS cipher suites. * - * @param suites list of suites, points to internal data + * @param suites optional list of suites, points to internal data * @return number of suites returned */ int (*get_cipher_suites)(tls_crypto_t *this, tls_cipher_suite_t **suites); diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c index 8675dc20ec..990365ff1d 100644 --- a/src/libtls/tls_server.c +++ b/src/libtls/tls_server.c @@ -235,6 +235,10 @@ static status_t process_client_hello(private_tls_server_t *this, return NEED_MORE; } + /* before we do anything version-related, determine our supported suites + * as that might change the min./max. versions */ + this->crypto->get_cipher_suites(this->crypto, NULL); + if (ext.len) { extensions = bio_reader_create(ext);