Error out immediately on empty ciphers list.

A 0-length ciphers list is never permitted. The old code only used to reject an empty ciphers list for connections with a session ID. It would later error out on a NULL structure, so this change just moves the alert closer to the problem source. Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-15 14:18:55 +02:00 · 2015-04-15 14:18:55 +02:00 · 3ae91cfb32
commit 3ae91cfb32
parent 13efe9d17e
1 changed files with 6 additions and 7 deletions
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@ -1126,8 +1126,8 @@ int ssl3_get_client_hello(SSL *s)
        goto f_err;
    }
    n2s(p, i);
-    if ((i == 0) && (j != 0)) {
-        /* we need a cipher if we are not resuming a session */
+
+    if (i == 0) {
        al = SSL_AD_ILLEGAL_PARAMETER;
        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_SPECIFIED);
        goto f_err;
@ -1140,14 +1140,13 @@ int ssl3_get_client_hello(SSL *s)
        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
        goto f_err;
    }
-    if ((i > 0) && (ssl_bytes_to_cipher_list(s, p, i, &(ciphers))
-                    == NULL)) {
+    if (ssl_bytes_to_cipher_list(s, p, i, &(ciphers)) == NULL) {
        goto err;
    }
    p += i;

    /* If it is a hit, check that the cipher is in the list */
-    if ((s->hit) && (i > 0)) {
+    if (s->hit) {
        j = 0;
        id = s->session->cipher->id;

@ -1376,8 +1375,8 @@ int ssl3_get_client_hello(SSL *s)
            sk_SSL_CIPHER_free(s->session->ciphers);
        s->session->ciphers = ciphers;
        if (ciphers == NULL) {
-            al = SSL_AD_ILLEGAL_PARAMETER;
-            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_PASSED);
+            al = SSL_AD_INTERNAL_ERROR;
+            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
            goto f_err;
        }
        ciphers = NULL;