tls-server: Determine supported/configured suites and versions early
authorTobias Brunner <tobias@strongswan.org>
Thu, 19 Nov 2020 13:40:30 +0000 (14:40 +0100)
committerTobias Brunner <tobias@strongswan.org>
Fri, 12 Feb 2021 13:35:23 +0000 (14:35 +0100)
If we don't do this, we might negotiate a TLS version for which we don't
have any suites configured, so that the cipher suite negotiation
subsequently fails.

src/libtls/tls_crypto.c
src/libtls/tls_crypto.h
src/libtls/tls_server.c

index 06fd922..f24713d 100644 (file)
@@ -1228,7 +1228,10 @@ METHOD(tls_crypto_t, get_cipher_suites, int,
        {
                build_cipher_suite_list(this);
        }
-       *suites = this->suites;
+       if (suites)
+       {
+               *suites = this->suites;
+       }
        return this->suite_count;
 }
 
@@ -1376,11 +1379,6 @@ METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
        suite_algs_t *algs;
        int i, j;
 
-       if (!this->suites)
-       {
-               build_cipher_suite_list(this);
-       }
-
        for (i = 0; i < this->suite_count; i++)
        {
                for (j = 0; j < count; j++)
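Review bot: With the lazy build_cipher_suite_list() call removed, select_cipher_suite now silently depends on get_cipher_suites() having run earlier in the handshake, and nothing in the hunk records that precondition; if this->suites is still NULL when the loop body (outside the hunk) indexes it, that is a NULL dereference unless suite_count is guaranteed to stay zero until the list is built, which this hunk does not show. I would state the contract above the loop, `/* the suite list must already have been built via get_cipher_suites() */`, and, if suite_count is not tied to suites being set, add a fail-closed guard such as `if (!this->suites) { return <no-suite value>; }` so an unordered caller gets a failed negotiation rather than a crash. The function's signature and the remainder of its body lie outside the hunk.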
index b5dd4f9..958b7db 100644 (file)
@@ -436,7 +436,7 @@ struct tls_crypto_t {
        /**
         * Get a list of supported TLS cipher suites.
         *
-        * @param suites                list of suites, points to internal data
+        * @param suites                optional list of suites, points to internal data
         * @return                              number of suites returned
         */
        int (*get_cipher_suites)(tls_crypto_t *this, tls_cipher_suite_t **suites);
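Review bot: The updated @param text says the argument is optional but not what a NULL call is for: the tls_crypto.c hunk still runs build_cipher_suite_list() before the new NULL check, so calling with NULL builds the internal list as a side effect and returns the count, which is exactly what the new call in process_client_hello relies on. I would make that explicit in the doc comment, e.g. `* @param suites  optional list of suites, points to internal data; NULL still builds the list (e.g. to fix the supported TLS versions first)` and `* @return  number of suites (0 if none are configured)`. The struct continues outside the hunk.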
index 8675dc2..990365f 100644 (file)
@@ -235,6 +235,10 @@ static status_t process_client_hello(private_tls_server_t *this,
                return NEED_MORE;
        }
 
+       /* before we do anything version-related, determine our supported suites
+        * as that might change the min./max. versions */
+       this->crypto->get_cipher_suites(this->crypto, NULL);
+
        if (ext.len)
        {
                extensions = bio_reader_create(ext);
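Review bot: The new call discards the suite count, so a configuration with no usable suites at all proceeds into extension and version processing and only fails later at cipher suite selection; since this call is what now determines the min./max. versions, it is the natural place to fail early. I would keep the count, `if (!this->crypto->get_cipher_suites(this->crypto, NULL))`, and reject the ClientHello right there, presumably through the same fatal-alert/return path process_client_hello uses for its other rejections (that path is outside the hunk, so the return value must match it). The comment should also say why NULL is passed: `/* a NULL list argument just builds the list; that may narrow min./max. versions */`. process_client_hello starts and ends outside the hunk.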