nss: do not fail if NSS does not implement a cipher

author Kamil Dudka <kdudka@redhat.com>

Wed, 29 Jan 2014 11:55:36 +0000 (12:55 +0100)

committer Kamil Dudka <kdudka@redhat.com>

Wed, 29 Jan 2014 12:46:17 +0000 (13:46 +0100)
author Kamil Dudka <kdudka@redhat.com>
Wed, 29 Jan 2014 11:55:36 +0000 (12:55 +0100)
committer Kamil Dudka <kdudka@redhat.com>
Wed, 29 Jan 2014 12:46:17 +0000 (13:46 +0100)
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c

index cd4bf1b82fac050b418a79a185b354801b1d883a..8e6627b31e955e933d6c5fe0193c1dc40a231eda 100644 (file)
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -191,14 +191,13 @@ static SECStatus set_ciphers(struct SessionHandle *data, PRFileDesc * model,
    PRBool cipher_state[NUM_OF_CIPHERS];
    PRBool found;
    char *cipher;
-  SECStatus rv;
  
    /* First disable all ciphers. This uses a different max value in case
     * NSS adds more ciphers later we don't want them available by
     * accident
     */
    for(i=0; i<SSL_NumImplementedCiphers; i++) {
-    SSL_CipherPrefSet(model, SSL_ImplementedCiphers[i], SSL_NOT_ALLOWED);
+    SSL_CipherPrefSet(model, SSL_ImplementedCiphers[i], PR_FALSE);
    }
  
    /* Set every entry in our list to false */
@@ -238,8 +237,10 @@ static SECStatus set_ciphers(struct SessionHandle *data, PRFileDesc * model,
  
    /* Finally actually enable the selected ciphers */
    for(i=0; i<NUM_OF_CIPHERS; i++) {
-    rv = SSL_CipherPrefSet(model, cipherlist[i].num, cipher_state[i]);
-    if(rv != SECSuccess) {
+    if(!cipher_state[i])
+      continue;
+
+    if(SSL_CipherPrefSet(model, cipherlist[i].num, PR_TRUE) != SECSuccess) {
        failf(data, "cipher-suite not supported by NSS: %s", cipherlist[i].name);
        return SECFailure;
      }
author	Kamil Dudka <kdudka@redhat.com>
	Wed, 29 Jan 2014 11:55:36 +0000 (12:55 +0100)
committer	Kamil Dudka <kdudka@redhat.com>
	Wed, 29 Jan 2014 12:46:17 +0000 (13:46 +0100)