Check that the given ciphers string is syntactically valid and results in

at least one matching cipher suite.

ok doug@

1 files changed, 17 insertions, 1 deletions

diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index cfd054b024..a348b826d5 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.19 2016/07/06 16:16:36 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.20 2016/07/06 16:47:18 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -339,6 +339,8 @@ tls_config_set_cert_mem(struct tls_config *config, const uint8_t *cert,
 int
 tls_config_set_ciphers(struct tls_config *config, const char *ciphers)
 {
+        SSL_CTX *ssl_ctx = NULL;
+
         if (ciphers == NULL ||
             strcasecmp(ciphers, "default") == 0 ||
             strcasecmp(ciphers, "secure") == 0)
@@ -347,7 +349,21 @@ tls_config_set_ciphers(struct tls_config *config, const char *ciphers)
             strcasecmp(ciphers, "legacy") == 0)
                 ciphers = TLS_CIPHERS_COMPAT;
 
+        if ((ssl_ctx = SSL_CTX_new(SSLv23_method())) == NULL) {
+                tls_config_set_errorx(config, "out of memory");
+                goto fail;
+        }
+        if (SSL_CTX_set_cipher_list(ssl_ctx, ciphers) != 1) {
+                tls_config_set_errorx(config, "no ciphers for '%s'", ciphers);
+                goto fail;
+        }
+
+        SSL_CTX_free(ssl_ctx);
         return set_string(&config->ciphers, ciphers);
+
+ fail:
+        SSL_CTX_free(ssl_ctx);
+        return -1;
 }
 
 int