author | Emilia Kasper <emilia@openssl.org> | 2015-04-15 14:18:55 +0200 |
---|---|---|
committer | Emilia Kasper <emilia@openssl.org> | 2015-04-17 18:43:30 +0200 |
commit | 3ae91cfb327c9ed689b9aaf7bca01a3f5a0657cb (patch) | |
tree | 5cfd1f3bb141239f8d809567777fe0d7711c0c2c /ssl | |
parent | 13efe9d17e7ee522c5aaa07f3076184161ede61f (diff) | |
Error out immediately on empty ciphers list.
A 0-length ciphers list is never permitted. The old code only rejected
an empty ciphers list for connections with a session ID. It
would later error out on a NULL structure, so this change just moves
the alert closer to the problem source.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/s3_srvr.c | 13 |
1 files changed, 6 insertions, 7 deletions
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 223a76428e..6c1ba3ae48 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -1126,8 +1126,8 @@ int ssl3_get_client_hello(SSL *s)
         goto f_err;
     }
     n2s(p, i);
-    if ((i == 0) && (j != 0)) {
-        /* we need a cipher if we are not resuming a session */
+
+    if (i == 0) {
         al = SSL_AD_ILLEGAL_PARAMETER;
         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_SPECIFIED);
         goto f_err;
@@ -1140,14 +1140,13 @@ int ssl3_get_client_hello(SSL *s)
         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
         goto f_err;
     }
-    if ((i > 0) && (ssl_bytes_to_cipher_list(s, p, i, &(ciphers)) == NULL)) {
+    if (ssl_bytes_to_cipher_list(s, p, i, &(ciphers)) == NULL) {
         goto err;
     }
     p += i;
     /* If it is a hit, check that the cipher is in the list */
-    if ((s->hit) && (i > 0)) {
+    if (s->hit) {
         j = 0;
         id = s->session->cipher->id;
@@ -1376,8 +1375,8 @@ int ssl3_get_client_hello(SSL *s)
     sk_SSL_CIPHER_free(s->session->ciphers);
     s->session->ciphers = ciphers;
     if (ciphers == NULL) {
-        al = SSL_AD_ILLEGAL_PARAMETER;
-        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_PASSED);
+        al = SSL_AD_INTERNAL_ERROR;
+        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
         goto f_err;
     }
     ciphers = NULL; |
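Review bot: The new `if (i == 0)` test in the first hunk replaces the explanatory comment with a blank line, so the code no longer says why the `j != 0` (session-ID present) qualifier was dropped; the reader has to find this commit message. Put a one-line comment above the test, e.g. `/* A 0-length cipher_suites list is never permitted (RFC 5246 7.4.1.2), resuming or not */`, so the invariant the later hunks rely on is stated at the point it is enforced. ssl3_get_client_hello starts and ends outside the hunk.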
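Review bot: In the second hunk the now-unconditional `ssl_bytes_to_cipher_list(...) == NULL` failure still leaves through `goto err` without assigning `al`, whereas the `i == 0` rejection one hunk earlier goes through `f_err` with SSL_AD_ILLEGAL_PARAMETER; if `err` does not send an alert (the labels are outside the hunk), a malformed cipher list is dropped silently while an empty one gets a fatal alert. Since this commit is already tidying that path, consider whether the callee's failure can be distinguished from an allocation failure and, where it is a parse error, route it via `al = SSL_AD_DECODE_ERROR; goto f_err;` for consistency. The removal of the `(i > 0)` guard on `if (s->hit)` is sound only because the `i == 0` check now precedes it and the length-mismatch check in the preceding context lines bounds `i` against the message.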
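Review bot: In the third hunk the `ciphers == NULL` branch changes meaning from "peer sent no ciphers" to "internal inconsistency", since the list is now always built from a non-empty input earlier in the function, but nothing in the code records that shift. Add a comment above the test such as `/* ciphers is always populated above from a non-empty list; NULL here is a bug, not a bad ClientHello */`, so a future reader does not reintroduce SSL_R_NO_CIPHERS_PASSED as a peer-facing error. The switch to SSL_AD_INTERNAL_ERROR / ERR_R_INTERNAL_ERROR is consistent with that reading.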