From e7bae7a0b620485407a34018709e9a1ad865e7a5 Mon Sep 17 00:00:00 2001
From: William Lallemand <wlallemand@haproxy.com>
Date: Mon, 30 Oct 2023 18:08:16 +0100
Subject: [PATCH] BUG/MEDIUM: ssl: segfault when cipher is NULL

The patch which fixes the certificate selection uses
SSL_CIPHER_get_id() to skip the SCSV ciphers without checking if cipher
is NULL. This patch fixes the issue by skipping any NULL cipher in the
iteration.

Problem was reported in #2329.

Need to be backported where 23093c72f139eddfce68ea5580193ee131901591 was
backported. No release was made with this patch so the severity is
MEDIUM.
---
 src/ssl_sock.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 0e8325346..d025d6eae 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2506,13 +2506,16 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
 #else
 			cipher = SSL_CIPHER_find(ssl, cipher_suites);
 #endif
+			if (!cipher)
+				continue;
+
 			cipher_id = SSL_CIPHER_get_id(cipher);
 			/* skip the SCSV "fake" signaling ciphersuites because they are NID_auth_any (RFC 7507) */
 			if (cipher_id == SSL3_CK_SCSV || cipher_id == SSL3_CK_FALLBACK_SCSV)
 				continue;
 
-			if (cipher && (   SSL_CIPHER_get_auth_nid(cipher) == NID_auth_ecdsa
-			               || SSL_CIPHER_get_auth_nid(cipher) == NID_auth_any)) {
+			if (SSL_CIPHER_get_auth_nid(cipher) == NID_auth_ecdsa
+			    || SSL_CIPHER_get_auth_nid(cipher) == NID_auth_any) {
 				has_ecdsa_sig = 1;
 				break;
 			}