move "DEFAULT" handling right into CipherStrings (#136)

MSNexploder · kares · commit 0045ab724b3b · 2017-06-12T07:51:30.000+02:00
move "DEFAULT" special case handling further down and match OpenSSL behaviour fixes jruby/jruby#2193
diff --git a/src/main/java/org/jruby/ext/openssl/CipherStrings.java b/src/main/java/org/jruby/ext/openssl/CipherStrings.java
@@ -488,7 +488,22 @@ static Collection<Def> matchingCiphers(final String cipherString, final String[]
         final List<Def> matchedList = new LinkedList<Def>();
         Set<Def> removed = null;
 
-        for ( final String part : cipherString.split("[:, ]+") ) {
+        /*
+         * If the rule_string begins with DEFAULT, apply the default rule
+         * before using the (possibly available) additional rules.
+         * (Matching OpenSSL behaviour)
+         */
+        int offset = 0;
+        final String[] parts = cipherString.split("[:, ]+");
+        if ( parts.length >= 1 && "DEFAULT".equals(parts[0]) ) {
+            final Collection<Def> matching = matchingCiphers(SSL_DEFAULT_CIPHER_LIST, all, setSuite);
+            matchedList.addAll(matching);
+            offset = offset + 1;
+        }
+
+        for ( int i = offset; i < parts.length; i++ ) {
+            final String part = parts[i];
+
             if ( part.equals("@STRENGTH") ) {
                 Collections.sort(matchedList); continue;
             }
diff --git a/src/main/java/org/jruby/ext/openssl/SSLContext.java b/src/main/java/org/jruby/ext/openssl/SSLContext.java
@@ -499,9 +499,6 @@ else if ( ciphers instanceof RubyArray ) {
         }
         else {
             this.ciphers = ciphers.asString().toString();
-            if ( "DEFAULT".equals( this.ciphers ) ) {
-                this.ciphers = CipherStrings.SSL_DEFAULT_CIPHER_LIST;
-            }
         }
         if ( matchedCiphers(context).isEmpty() ) {
             throw newSSLError(context.runtime, "no cipher match");
diff --git a/src/test/ruby/ssl/test_context.rb b/src/test/ruby/ssl/test_context.rb
@@ -47,6 +47,11 @@ def test_setup
     assert ex.message =~ /\u{ff33 ff33 ff2c}/
   end
 
+  def test_default_handling # GH-2193 JRuby
+    ctx = OpenSSL::SSL::SSLContext.new
+    assert_nothing_raised { ctx.ciphers = "DEFAULT:!aNULL" }
+  end
+
   def test_verify_mode
     context = OpenSSL::SSL::SSLContext.new
     assert_nil context.verify_mode

Original file line number	Diff line number	Diff line change
`@@ -499,9 +499,6 @@ else if ( ciphers instanceof RubyArray ) {`
`499`	`499`	`}`
`500`	`500`	`else {`
`501`	`501`	`this.ciphers = ciphers.asString().toString();`
`502`		`- if ( "DEFAULT".equals( this.ciphers ) ) {`
`503`		`- this.ciphers = CipherStrings.SSL_DEFAULT_CIPHER_LIST;`
`504`		`- }`
`505`	`502`	`}`
`506`	`503`	`if ( matchedCiphers(context).isEmpty() ) {`
`507`	`504`	`throw newSSLError(context.runtime, "no cipher match");`