From c1e8a0c66e32b4144fdeb49bd5ff7acb76df72b9 Mon Sep 17 00:00:00 2001
From: Otto Hollmann
Date: Tue, 9 Jun 2020 15:50:12 +0200
Subject: [PATCH] Fix set_ciphersuites ignore unknown ciphers.
Reviewed-by: Matt Caswell
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/12100)
---
 doc/man3/SSL_CTX_set_cipher_list.pod | 10 +++++-----
 ssl/ssl_ciph.c | 5 ++++-
 2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/doc/man3/SSL_CTX_set_cipher_list.pod b/doc/man3/SSL_CTX_set_cipher_list.pod
index 2fdebdf51d2..c2786295b7d 100644
--- a/doc/man3/SSL_CTX_set_cipher_list.pod
+++ b/doc/man3/SSL_CTX_set_cipher_list.pod
@@ -65,11 +65,11 @@ cipher string for TLSv1.3 ciphersuites.
 
 =head1 NOTES
 
-The control string B for SSL_CTX_set_cipher_list() and
-SSL_set_cipher_list() should be universally usable and not depend
-on details of the library configuration (ciphers compiled in). Thus no
-syntax checking takes place. Items that are not recognized, because the
-corresponding ciphers are not compiled in or because they are mistyped,
+The control string B for SSL_CTX_set_cipher_list(), SSL_set_cipher_list(),
+SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites() should be universally
+usable and not depend on details of the library configuration (ciphers compiled
+in). Thus no syntax checking takes place. Items that are not recognized, because
+the corresponding ciphers are not compiled in or because they are mistyped,
 are simply ignored. Failure is only flagged if no ciphers could be collected
 at all.
 
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 64ecc543bad..abbe6b71e09 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1300,6 +1300,8 @@ static int ciphersuite_cb(const char *elem, int len, void *arg)
 if (cipher == NULL) {
 ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHER_MATCH);
 return 0;
+ /* Ciphersuite not found but return 1 to parse rest of the list */
+ return 1;
 }
 
 if (!sk_SSL_CIPHER_push(ciphersuites, cipher)) {
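Review bot: The added `return 1;` in ciphersuite_cb is unreachable, because the `ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHER_MATCH);` / `return 0;` pair directly above it is kept as context rather than removed, so the callback still stops CONF_parse_list at the first unrecognized name and the new comment, together with the NOTES paragraph changed in SSL_CTX_set_cipher_list.pod, describes behaviour the code does not have. The two added lines should replace those two, leaving the `cipher == NULL` block as `/* Ciphersuite not found but return 1 to parse rest of the list */` followed by `return 1;`. Once that is done this path no longer pushes any error, so the "no ciphers collected at all" failure has to be reported by set_ciphersuites instead (see the second hunk). The body of ciphersuite_cb continues outside the hunk on both sides.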
@@ -1319,7 +1321,8 @@ static __owur int set_ciphersuites(STACK_OF(SSL_CIPHER) **currciphers, const cha
 
 /* Parse the list. We explicitly allow an empty list */
 if (*str != '\0'
- && !CONF_parse_list(str, ':', 1, ciphersuite_cb, newciphers)) {
+ && (CONF_parse_list(str, ':', 1, ciphersuite_cb, newciphers) <= 0
+ || sk_SSL_CIPHER_num(newciphers) == 0 )) {
 sk_SSL_CIPHER_free(newciphers);
 return 0;
 }
-- 
2.47.2
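Review bot: The new `sk_SSL_CIPHER_num(newciphers) == 0` failure condition returns 0 without putting anything on the error queue, whereas the CONF_parse_list failure it is OR'd with had, at least on the `cipher == NULL` path shown in the first hunk, an ERR_raise behind it; a caller of SSL_CTX_set_ciphersuites() that hits the empty-result case therefore sees a failure with an empty ERR_get_error() queue, and once the callback stops raising as the first hunk intends that will be true of every failure here. Add `ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHER_MATCH);` as the first statement of the failing branch, before `sk_SSL_CIPHER_free(newciphers);`. The stray space in `== 0 )` should also be dropped to match the file's style. set_ciphersuites begins before the hunk; the empty-string exemption (`*str != '\0'`) is unchanged, so an empty list still succeeds with zero ciphersuites.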