authorDr. Stephen Henson <steve@openssl.org>2000-01-23 02:28:08 +0000
committerDr. Stephen Henson <steve@openssl.org>2000-01-23 02:28:08 +0000
commitfabce04122b1e6a208577c06927b25595d5b5613 (patch)
tree078434f8ee89519b445ab28c058a959b4799d500
parent64287002ce4de3c8954a8bc9ccf6e82df695b69f (diff)
Make s_server, s_client check cipher list return codes.
Update docs.
-rw-r--r--CHANGES30
-rw-r--r--apps/s_client.c8
-rw-r--r--apps/s_server.c6
-rw-r--r--doc/apps/s_client.pod6
-rw-r--r--doc/apps/s_server.pod7
5 files changed, 41 insertions, 16 deletions
diff --git a/CHANGES b/CHANGES
index d9be214926..a1bae7ee6d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -20,15 +20,27 @@
(instead of parameters) in future.
[Steve Henson]
- *) Apply Lutz Jaenicke's 56bit cipher patch. This should fix the problems
- with cipher ordering and the new EXPORT1024 ciphers. Only two minor
- changes have been made, the error reason codes have been altered and the
- @STRENGTH sorting behaviour changed so eNULL ciphers are also sorted
- (if present).
-
- One other addition: the "ciphers" program didn't check the return code
- of SSL_CTX_set_cipher_list().
- [Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> modified by Steve Henson]
+ *) Make the ciphers, s_server and s_client programs check the return values
+ when a new cipher list is set.
+ [Steve Henson]
+
+ *) Enhance the SSL/TLS cipher mechanism to correctly handle the TLS 56bit
+ ciphers. Before when the 56bit ciphers were enabled the sorting was
+ wrong.
+
+ The syntax for the cipher sorting has been extended to support sorting by
+ cipher-strength (using the strength_bits hard coded in the tables).
+ The new command is "@STRENGTH" (see also doc/apps/ciphers.pod).
+
+ Fix a bug in the cipher-command parser: when supplying a cipher command
+ string with an "undefined" symbol (neither command nor alphanumeric
+ [A-Za-z0-9], ssl_set_cipher_list used to hang in an endless loop. Now
+ an error is flagged.
+
+ Due to the strength-sorting extension, the code of the
+ ssl_create_cipher_list() function was completely rearranged. I hope that
+ the readability was also increased :-)
+ [Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>]
*) Minor change to 'x509' utility. The -CAcreateserial option now uses 1
for the first serial number and places 2 in the serial number file. This
diff --git a/apps/s_client.c b/apps/s_client.c
index 84a475d7b8..c9b52e6a99 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -338,6 +338,7 @@ bad:
}
SSLeay_add_ssl_algorithms();
+ SSL_load_error_strings();
ctx=SSL_CTX_new(meth);
if (ctx == NULL)
{
@@ -352,7 +353,11 @@ bad:
if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
if (cipher != NULL)
- SSL_CTX_set_cipher_list(ctx,cipher);
+ if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
+ BIO_printf(bio_err,"error seting cipher list\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
#if 0
else
SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
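Review bot: The new `if(!SSL_CTX_set_cipher_list(ctx,cipher)) {` block is the sole statement of the brace-less `if (cipher != NULL)` above it, so the `else` that follows under `#if 0` would, if that code were ever re-enabled, bind to the inner `if` and fall back to `getenv("SSL_CIPHER")` only when setting the explicit list had failed, silently masking the error path this commit adds. Brace the outer condition so the structure is unambiguous: `if (cipher != NULL) {` before the inner check and a matching `}` after its closing brace, ahead of the `#if 0`. The error message also has a typo: `BIO_printf(bio_err,"error setting cipher list\n");`. Both points apply identically to the apps/s_server.c hunk. The enclosing function begins and ends outside this hunk, so whether the `end:` label releases `ctx` cannot be confirmed from here.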
@@ -370,7 +375,6 @@ bad:
/* goto end; */
}
- SSL_load_error_strings();
con=(SSL *)SSL_new(ctx);
/* SSL_set_cipher_list(con,"RC4-MD5"); */
diff --git a/apps/s_server.c b/apps/s_server.c
index ff0354acc8..bbb651b6ea 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -697,7 +697,11 @@ bad:
#endif
if (cipher != NULL)
- SSL_CTX_set_cipher_list(ctx,cipher);
+ if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
+ BIO_printf(bio_err,"error seting cipher list\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
SSL_CTX_set_verify(ctx,s_server_verify,verify_callback);
SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context,
sizeof s_server_session_id_context);
diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod
index cd9093eaba..5145bb65a9 100644
--- a/doc/apps/s_client.pod
+++ b/doc/apps/s_client.pod
@@ -144,8 +144,10 @@ option enables various workarounds.
=item B<-cipher cipherlist>
-this allows the cipher list sent by the client to be modified. See the
-B<ciphers> command for more information.
+this allows the cipher list sent by the client to be modified. Although
+the server determines which cipher suite is used it should take the first
+supported cipher in the list sent by the client. See the B<ciphers>
+command for more information.
=back
diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod
index ddd08c990e..e07d066bc7 100644
--- a/doc/apps/s_server.pod
+++ b/doc/apps/s_server.pod
@@ -167,8 +167,11 @@ SSL code (?).
=item B<-cipher cipherlist>
-this allows the cipher list sent by the client to be modified. See the
-B<ciphers> command for more information.
+this allows the cipher list used by the server to be modified. When
+the client sends a list of supported ciphers the first client cipher
+also included in the server list is used. Because the client specifies
+the preference order, the order of the server cipherlist irrelevant. See
+the B<ciphers> command for more information.
=item B<-www>