Check that the given ciphers string is syntactically valid and results in

at least one matching cipher suite.

ok doug@

diff --git a/lib/libtls/tls_config.c b/lib/libtls/tls_config.c
index cfd054b..a348b82 100644 (file)
--- a/lib/libtls/tls_config.c
+++ b/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.19 2016/07/06 16:16:36 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.20 2016/07/06 16:47:18 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -339,6 +339,8 @@ tls_config_set_cert_mem(struct tls_config *config, const uint8_t *cert,
 int
 tls_config_set_ciphers(struct tls_config *config, const char *ciphers)
 {
+       SSL_CTX *ssl_ctx = NULL;
+
        if (ciphers == NULL ||
            strcasecmp(ciphers, "default") == 0 ||
            strcasecmp(ciphers, "secure") == 0)
@@ -347,7 +349,21 @@ tls_config_set_ciphers(struct tls_config *config, const char *ciphers)
            strcasecmp(ciphers, "legacy") == 0)
                ciphers = TLS_CIPHERS_COMPAT;
 
+       if ((ssl_ctx = SSL_CTX_new(SSLv23_method())) == NULL) {
+               tls_config_set_errorx(config, "out of memory");
+               goto fail;
+       }
+       if (SSL_CTX_set_cipher_list(ssl_ctx, ciphers) != 1) {
+               tls_config_set_errorx(config, "no ciphers for '%s'", ciphers);
+               goto fail;
+       }
+
+       SSL_CTX_free(ssl_ctx);
        return set_string(&config->ciphers, ciphers);
+
+ fail:
+       SSL_CTX_free(ssl_ctx);
+       return -1;
 }
 
 int