BUG/MEDIUM: ssl: segfault when cipher is NULL

The patch which fixes the certificate selection uses SSL_CIPHER_get_id() to skip the SCSV ciphers without checking if cipher is NULL. This patch fixes the issue by skipping any NULL cipher in the iteration. Problem was reported in haproxy#2329. Need to be backported where 23093c7 was backported. No release was made with this patch so the severity is MEDIUM.
FireBurn · Oct 30, 2023 · e7bae7a · e7bae7a
1 parent 47ed118
commit e7bae7a
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
@@ -2506,13 +2506,16 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
 #else
 			cipher = SSL_CIPHER_find(ssl, cipher_suites);
 #endif
+			if (!cipher)
+				continue;
+
 			cipher_id = SSL_CIPHER_get_id(cipher);
 			/* skip the SCSV "fake" signaling ciphersuites because they are NID_auth_any (RFC 7507) */
 			if (cipher_id == SSL3_CK_SCSV || cipher_id == SSL3_CK_FALLBACK_SCSV)
 				continue;
 
-			if (cipher && (   SSL_CIPHER_get_auth_nid(cipher) == NID_auth_ecdsa
-			               || SSL_CIPHER_get_auth_nid(cipher) == NID_auth_any)) {
+			if (SSL_CIPHER_get_auth_nid(cipher) == NID_auth_ecdsa
+			    || SSL_CIPHER_get_auth_nid(cipher) == NID_auth_any) {
 				has_ecdsa_sig = 1;
 				break;
 			}