From c3bcced57f80ef0a15b9bf2d4c44d5f8e931391d Mon Sep 17 00:00:00 2001
From: jsing
Date: Wed, 6 Jul 2016 16:47:18 +0000
Subject: [PATCH] Check that the given ciphers string is syntactically valid and results in at least one matching cipher suite. ok doug@
---
 lib/libtls/tls_config.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/lib/libtls/tls_config.c b/lib/libtls/tls_config.c
index cfd054b024e..a348b826d57 100644
--- a/lib/libtls/tls_config.c
+++ b/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.19 2016/07/06 16:16:36 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.20 2016/07/06 16:47:18 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing 
  *
@@ -339,6 +339,8 @@ tls_config_set_cert_mem(struct tls_config *config, const uint8_t *cert,
 int
 tls_config_set_ciphers(struct tls_config *config, const char *ciphers)
 {
+	SSL_CTX *ssl_ctx = NULL;
+
 	if (ciphers == NULL ||
 	    strcasecmp(ciphers, "default") == 0 ||
 	    strcasecmp(ciphers, "secure") == 0)
@@ -347,7 +349,21 @@ tls_config_set_ciphers(struct tls_config *config, const char *ciphers)
 	    strcasecmp(ciphers, "legacy") == 0)
 		ciphers = TLS_CIPHERS_COMPAT;
 
+	if ((ssl_ctx = SSL_CTX_new(SSLv23_method())) == NULL) {
+		tls_config_set_errorx(config, "out of memory");
+		goto fail;
+	}
+	if (SSL_CTX_set_cipher_list(ssl_ctx, ciphers) != 1) {
+		tls_config_set_errorx(config, "no ciphers for '%s'", ciphers);
+		goto fail;
+	}
+
+	SSL_CTX_free(ssl_ctx);
 	return set_string(&config->ciphers, ciphers);
+
+ fail:
+	SSL_CTX_free(ssl_ctx);
+	return -1;
 }
 
 int
-- 
2.20.1
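Review bot: The validation in the third hunk applies `SSL_CTX_set_cipher_list` to a scratch `SSL_CTX` that is freed immediately, while `set_string` keeps only the raw string for a context built later, so a short comment above the `SSL_CTX_new` call would make the intent explicit, e.g. `/* Validate the cipher string against a scratch context so a malformed or non-matching list is rejected here rather than when the config is applied. */`. A related caveat: a failing `SSL_CTX_set_cipher_list` presumably leaves entries on the library error queue and nothing in this hunk drains them, so a later unrelated error report might pick up the stale entry — worth confirming against how the rest of libtls handles the queue. The fixed `"out of memory"` text in the `SSL_CTX_new` branch is also only approximately right, since that call can fail for reasons other than allocation; `"failed to create SSL context"` would not over-claim. `tls_config_set_ciphers` opens in the previous hunk, so its early-return paths for the named cipher sets are outside this one.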