diff options
author | Emilia Kasper <emilia@openssl.org> | 2015-04-15 14:18:55 +0200 |
---|---|---|
committer | Emilia Kasper <emilia@openssl.org> | 2015-04-17 18:47:25 +0200 |
commit | 31d085ca74a7305f83663d19eaa0bf1469953b0e (patch) | |
tree | 3986efa61ac92d6c92ee2e873d6fc4d147211981 | |
parent | c70908d247d1f6866139185b8c6940412bcdd87f (diff) |
Error out immediately on empty ciphers list.
A 0-length ciphers list is never permitted. The old code only used to
reject an empty ciphers list for connections with a session ID. It
would later error out on a NULL structure, so this change just moves
the alert closer to the problem source.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 3ae91cfb327c9ed689b9aaf7bca01a3f5a0657cb)
-rw-r--r-- | ssl/s3_srvr.c | 13 |
1 files changed, 6 insertions, 7 deletions
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 3cdc73c07a..92acb0ab06 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -1160,8 +1160,8 @@ int ssl3_get_client_hello(SSL *s) goto f_err; } n2s(p, i); - if ((i == 0) && (j != 0)) { - /* we need a cipher if we are not resuming a session */ + + if (i == 0) { al = SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_SPECIFIED); goto f_err; @@ -1174,14 +1174,13 @@ int ssl3_get_client_hello(SSL *s) SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); goto f_err; } - if ((i > 0) && (ssl_bytes_to_cipher_list(s, p, i, &(ciphers)) - == NULL)) { + if (ssl_bytes_to_cipher_list(s, p, i, &(ciphers)) == NULL) { goto err; } p += i; /* If it is a hit, check that the cipher is in the list */ - if ((s->hit) && (i > 0)) { + if (s->hit) { j = 0; id = s->session->cipher->id; @@ -1417,8 +1416,8 @@ int ssl3_get_client_hello(SSL *s) sk_SSL_CIPHER_free(s->session->ciphers); s->session->ciphers = ciphers; if (ciphers == NULL) { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_PASSED); + al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); goto f_err; } ciphers = NULL; |