move "DEFAULT" handling right into CipherStrings (#136)

move "DEFAULT" special case handling further down and match OpenSSL behaviour fixes jruby/jruby#2193
jruby · Jun 12, 2017 · 0045ab7 · 0045ab7
1 parent 2b883bd
commit 0045ab7
Showing 3 changed files with 21 additions and 4 deletions.
diff --git a/src/main/java/org/jruby/ext/openssl/CipherStrings.java b/src/main/java/org/jruby/ext/openssl/CipherStrings.java
@@ -488,7 +488,22 @@ static Collection<Def> matchingCiphers(final String cipherString, final String[]
         final List<Def> matchedList = new LinkedList<Def>();
         Set<Def> removed = null;
 
-        for ( final String part : cipherString.split("[:, ]+") ) {
+        /*
+         * If the rule_string begins with DEFAULT, apply the default rule
+         * before using the (possibly available) additional rules.
+         * (Matching OpenSSL behaviour)
+         */
+        int offset = 0;
+        final String[] parts = cipherString.split("[:, ]+");
+        if ( parts.length >= 1 && "DEFAULT".equals(parts[0]) ) {
+            final Collection<Def> matching = matchingCiphers(SSL_DEFAULT_CIPHER_LIST, all, setSuite);
+            matchedList.addAll(matching);
+            offset = offset + 1;
+        }
+
+        for ( int i = offset; i < parts.length; i++ ) {
+            final String part = parts[i];
+
             if ( part.equals("@STRENGTH") ) {
                 Collections.sort(matchedList); continue;
             }

diff --git a/src/main/java/org/jruby/ext/openssl/SSLContext.java b/src/main/java/org/jruby/ext/openssl/SSLContext.java
@@ -499,9 +499,6 @@ else if ( ciphers instanceof RubyArray ) {
         }
         else {
             this.ciphers = ciphers.asString().toString();
-            if ( "DEFAULT".equals( this.ciphers ) ) {
-                this.ciphers = CipherStrings.SSL_DEFAULT_CIPHER_LIST;
-            }
         }
         if ( matchedCiphers(context).isEmpty() ) {
             throw newSSLError(context.runtime, "no cipher match");

diff --git a/src/test/ruby/ssl/test_context.rb b/src/test/ruby/ssl/test_context.rb
@@ -47,6 +47,11 @@ def test_setup
     assert ex.message =~ /\u{ff33 ff33 ff2c}/
   end
 
+  def test_default_handling # GH-2193 JRuby
+    ctx = OpenSSL::SSL::SSLContext.new
+    assert_nothing_raised { ctx.ciphers = "DEFAULT:!aNULL" }
+  end
+
   def test_verify_mode
     context = OpenSSL::SSL::SSLContext.new
     assert_nil context.verify_mode