[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

Emilia Kasper emilia at openssl.org
Fri Apr 17 16:52:58 UTC 2015 

The branch OpenSSL_1_0_2-stable has been updated
       via  e697a4c3d7d2267e9d82d88dbfa5084475794cb3 (commit)
      from  5613feaacc1334dce9809d60bc23f3081e6d35e6 (commit)


- Log -----------------------------------------------------------------
commit e697a4c3d7d2267e9d82d88dbfa5084475794cb3
Author: Emilia Kasper <emilia at openssl.org>
Date:   Wed Apr 15 14:18:55 2015 +0200

    Error out immediately on empty ciphers list.
    
    A 0-length ciphers list is never permitted. The old code only used to
    reject an empty ciphers list for connections with a session ID. It
    would later error out on a NULL structure, so this change just moves
    the alert closer to the problem source.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (cherry picked from commit 3ae91cfb327c9ed689b9aaf7bca01a3f5a0657cb)

-----------------------------------------------------------------------

Summary of changes:
 ssl/s3_srvr.c | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 00bc757..2e7cb7a 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -1125,8 +1125,8 @@ int ssl3_get_client_hello(SSL *s)
         goto f_err;
     }
     n2s(p, i);
-    if ((i == 0) && (j != 0)) {
-        /* we need a cipher if we are not resuming a session */
+
+    if (i == 0) {
         al = SSL_AD_ILLEGAL_PARAMETER;
         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_SPECIFIED);
         goto f_err;
@@ -1139,14 +1139,13 @@ int ssl3_get_client_hello(SSL *s)
         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
         goto f_err;
     }
-    if ((i > 0) && (ssl_bytes_to_cipher_list(s, p, i, &(ciphers))
-                    == NULL)) {
+    if (ssl_bytes_to_cipher_list(s, p, i, &(ciphers)) == NULL) {
         goto err;
     }
     p += i;
 
     /* If it is a hit, check that the cipher is in the list */
-    if ((s->hit) && (i > 0)) {
+    if (s->hit) {
         j = 0;
         id = s->session->cipher->id;
 
@@ -1375,8 +1374,8 @@ int ssl3_get_client_hello(SSL *s)
             sk_SSL_CIPHER_free(s->session->ciphers);
         s->session->ciphers = ciphers;
         if (ciphers == NULL) {
-            al = SSL_AD_ILLEGAL_PARAMETER;
-            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_PASSED);
+            al = SSL_AD_INTERNAL_ERROR;
+            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
             goto f_err;
         }
         ciphers = NULL;

More information about the openssl-commits mailing list