Commit 0a05123a authored by Bodo Möller's avatar Bodo Möller
Browse files

Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that a 

ciphersuite string such as "DEFAULT:RSA" cannot enable
authentication-only ciphersuites.

Also, change ssl_create_cipher_list() so that it no longer
starts with an arbitrary ciphersuite ordering, but instead
uses the logic that we previously had in SSL_DEFEAULT_CIPHER_LIST.
SSL_DEFAULT_CIPHER_LIST simplifies into just "ALL:!aNULL:!eNULL".
parent 2afe3167

CHANGES

+20 −0
Original line number Diff line number Diff line
@@ -4,6 +4,16 @@ 


 Changes between 0.9.8e and 0.9.9  [xx XXX xxxx]



  *) Change ssl_create_cipher_list() so that it automatically

     arranges the ciphersuites in reasonable order before starting

     to process the rule string.  Thus, the definition for "DEFAULT"

     (SSL_DEFAULT_CIPHER_LIST) now is just "ALL:!aNULL:!eNULL", but

     remains equivalent to "AES:ALL:!aNULL:!eNULL:+aECDH:+kRSA:+RC4:@STRENGTH".

     This makes it much easier to arrive at a reasonable default order

     in applications for which anonymous ciphers are OK (meaning

     that you can't actually use DEFAULT).

     [Bodo Moeller; suggested by Victor Duchovni]



  *) Split the SSL/TLS algorithm mask (as used for ciphersuite string

     processing) into multiple integers instead of setting

     "SSL_MKEY_MASK" bits, "SSL_AUTH_MASK" bits, "SSL_ENC_MASK",
@@ -452,6 +462,11 @@ 


 Changes between 0.9.8d and 0.9.8e  [XX xxx XXXX]



  *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that

     a ciphersuite string such as "DEFAULT:RSA" cannot enable

     authentication-only ciphersuites.

     [Bodo Moeller]



  *) Since AES128 and AES256 (and similarly Camellia128 and

     Camellia256) share a single mask bit in the logic of

     ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
@@ -1488,6 +1503,11 @@ 


 Changes between 0.9.7l and 0.9.7m  [xx XXX xxxx]



  *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that

     a ciphersuite string such as "DEFAULT:RSA" cannot enable

     authentication-only ciphersuites.

     [Bodo Moeller]



  *) Since AES128 and AES256 share a single mask bit in the logic of

     ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a

     kludge to work properly if AES128 is available and AES256 isn't.

ssl/ssl.h

+7 −2
Original line number Diff line number Diff line
@@ -315,8 +315,13 @@ extern "C" { 
/* The following cipher list is used by default.

 * It also is substituted when an application-defined cipher list string

 * starts with 'DEFAULT'. */

#define SSL_DEFAULT_CIPHER_LIST	"AES:CAMELLIA:ALL:!ADH:!AECDH:+aECDH:+kRSA:+RC4:@STRENGTH"

/* low priority for ciphersuites w/o forwared secrecy (fixed ECDH, RSA key exchange), and for RC4 */

#define SSL_DEFAULT_CIPHER_LIST	"ALL:!aNULL:!eNULL"

/* As of OpenSSL 0.9.9, ssl_create_cipher_list() in ssl/ssl_ciph.c always

 * starts with a reasonable order, and all we have to do for DEFAULT is

 * throwing out anonymous and unencrypted ciphersuites!

 * (The latter are not actually enabled by ALL, but "ALL:RSA" would enable

 * some of them.)

 */



/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */

#define SSL_SENT_SHUTDOWN	1

ssl/ssl_ciph.c

+35 −0
Original line number Diff line number Diff line
@@ -1120,6 +1120,40 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, 
	                           disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl,

	                           co_list, &head, &tail);





	/* Now arrange all ciphers by preference: */



	/* Temporarily enabled AES first (preferred cipher) */

	ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);



	/* Temporarily enable everything else */

	ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);



	/* Move anonymous ciphers to the end.  Usually, these will remain disabled.

	 * (For applications that allow them, they aren't too bad, but we prefer

	 * authenticated ciphers.) */

	ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);



	/* Move ciphers without forward secrecy to then end */

	ssl_cipher_apply_rule(0, 0, SSL_aECDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);

	ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);

	ssl_cipher_apply_rule(0, 0, SSL_kPSK, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);



	/* RC4 is sort-of broken -- move the the end */

	ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);



	/* Now sort by symmetric encryption strength.  The above ordering remains

	 * in force within each class */

	if (!ssl_cipher_strength_sort(&head, &tail))

		{

		OPENSSL_free(co_list);

		return NULL;

		}



	/* Now disable everything (maintaining the ordering!) */

	ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);





	/*

	 * We also need cipher aliases for selecting based on the rule_str.

	 * There might be two types of entries in the rule_str: 1) names
@@ -1167,6 +1201,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, 
		OPENSSL_free(co_list);

		return(NULL);

		}

	

	/*

	 * Allocate new "cipherstack" for the result, return with error

	 * if we cannot get one.