authorjsing <jsing@openbsd.org>2016-07-06 16:47:18 +0000
committerjsing <jsing@openbsd.org>2016-07-06 16:47:18 +0000
commitc3bcced57f80ef0a15b9bf2d4c44d5f8e931391d (patch)
treeb007550396ae0f4a0efb0bc13773b1e9813dc6ff /lib
parentroute6d spring cleanup (diff)
Check that the given ciphers string is syntactically valid and results in
at least one matching cipher suite. ok doug@
Diffstat (limited to 'lib')
-rw-r--r--lib/libtls/tls_config.c18
1 files changed, 17 insertions, 1 deletions
diff --git a/lib/libtls/tls_config.c b/lib/libtls/tls_config.c
index cfd054b024e..a348b826d57 100644
--- a/lib/libtls/tls_config.c
+++ b/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.19 2016/07/06 16:16:36 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.20 2016/07/06 16:47:18 jsing Exp $ */
/*
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
*
@@ -339,6 +339,8 @@ tls_config_set_cert_mem(struct tls_config *config, const uint8_t *cert,
int
tls_config_set_ciphers(struct tls_config *config, const char *ciphers)
{
+ SSL_CTX *ssl_ctx = NULL;
+
if (ciphers == NULL ||
strcasecmp(ciphers, "default") == 0 ||
strcasecmp(ciphers, "secure") == 0)
@@ -347,7 +349,21 @@ tls_config_set_ciphers(struct tls_config *config, const char *ciphers)
strcasecmp(ciphers, "legacy") == 0)
ciphers = TLS_CIPHERS_COMPAT;
+ if ((ssl_ctx = SSL_CTX_new(SSLv23_method())) == NULL) {
+ tls_config_set_errorx(config, "out of memory");
+ goto fail;
+ }
+ if (SSL_CTX_set_cipher_list(ssl_ctx, ciphers) != 1) {
+ tls_config_set_errorx(config, "no ciphers for '%s'", ciphers);
+ goto fail;
+ }
+
+ SSL_CTX_free(ssl_ctx);
return set_string(&config->ciphers, ciphers);
+
+ fail:
+ SSL_CTX_free(ssl_ctx);
+ return -1;
}
int
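Review bot: The check added around `SSL_CTX_set_cipher_list()` only establishes that the string parses and resolves to a non-empty list against `SSLv23_method()`; it says nothing about the strength of the suites selected or about whether they fit the protocol versions the real context is later configured with, so a comment stating that scope would help, e.g. `/* Validate syntax and that at least one suite matches; strength and protocol fit are not checked here. */` above the `SSL_CTX_new()` call. A failed `SSL_CTX_set_cipher_list()` also leaves an entry on the library error queue that this path does not clear, which could be picked up by a later unrelated error report unless the queue is cleared elsewhere — worth confirming. Reporting every `SSL_CTX_new()` failure as "out of memory" names the common cause but not the only one. tls_config_set_ciphers begins in the preceding hunk; the two `SSL_CTX_free()` calls could collapse into one by recording the result in a local and falling through to a single cleanup label.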