author | Rob Crittenden <rcritten@redhat.com> | 2015-08-27 13:06:46 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2015-10-02 16:51:19 -0400 |
commit | 34e1ccecb4a7d5054dba2f92b403af9b6ae1e110 (patch) | |
tree | c1852d3acc7ee28fed82972c5cdb39bbac0ad21a /nss_engine_init.c | |
parent | 696fab562ce0ee31344bcccc85cea3e4eb15bf18 (diff) | |

Correctly handle disabled ciphers

A cipher value could be -1, 0 or 1 meaning completely disabled,
disabled and enabled. A -1 passed to SSL_CipherPrefSet() could
cause a cipher to actually be enabled. Now pass PR_TRUE if
the cipher is enabled otherwise pass PR_FALSE.

Fix CVE-2015-5244

Diffstat (limited to 'nss_engine_init.c')
-rw-r--r-- | nss_engine_init.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/nss_engine_init.c b/nss_engine_init.c index 23653dd..4d82f53 100644 --- a/nss_engine_init.c +++ b/nss_engine_init.c @@ -987,7 +987,7 @@ static void nss_init_ctx_cipher_suite(server_rec *s, /* Finally actually enable the selected ciphers */ for (i=0; i<ciphernum;i++) { - SSL_CipherPrefSet(mctx->model, ciphers_def[i].num, cipher_state[i]); + SSL_CipherPrefSet(mctx->model, ciphers_def[i].num, cipher_state[i] == 1 ? PR_TRUE : PR_FALSE); } } |
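
Review bot: The return value of SSL_CipherPrefSet() inside the for loop is still discarded, so if the call fails for a suite that is meant to be turned off, the model socket keeps whatever preference it had and nothing is logged. Since this loop now maps both -1 and 0 to PR_FALSE, consider comparing the result against SECSuccess and logging ciphers_def[i].num on failure. Two smaller points on the same lines: `cipher_state[i] == 1` relies on a bare literal, and the three states (-1, 0, 1) are explained only in the commit message, so a short comment above the call or named constants for the states would make it harder for a later change to pass the raw value again. The existing comment "Finally actually enable the selected ciphers" could also mention that the loop explicitly disables every other suite.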