Commit bc420ac5 authored by Dr. Stephen Henson's avatar Dr. Stephen Henson

Delete NULL ciphers from 'ALL' in the cipher list aliases. This means that

NULL ciphers specifically have to be enabled with e.g. "DEFAULT:eNULL". This
prevents cipher lists from inadvertently having NULL ciphers at the top
of their list (e.g. the default ones) because they didn't have to be taken
into account before.
parent abd4c915
+6 −0
@@ -5,6 +5,12 @@

 Changes between 0.9.1c and 0.9.2

  *) Change the meaning of 'ALL' in the cipher list. It now means "everything
     except NULL ciphers". This means the default cipher list will no longer
     enable NULL ciphers. They need to be specifically enabled e.g. with
     the string "DEFAULT:eNULL".
     [Steve Henson]

  *) Fix to RSA private encryption routines: if p < q then it would
     occasionally produce an invalid result. This will only happen with
     externally generated keys because OpenSSL (and SSLeay) ensure p > q.
+3 −2
@@ -111,7 +111,8 @@ typedef struct cipher_order_st
	} CIPHER_ORDER;

static SSL_CIPHER cipher_aliases[]={
	{0,SSL_TXT_ALL, 0,SSL_ALL,   0,SSL_ALL},	/* must be first */
	/* Don't include eNULL unless specifically enabled */
	{0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, 0,SSL_ALL}, /* must be first */
	{0,SSL_TXT_kRSA,0,SSL_kRSA,  0,SSL_MKEY_MASK},
	{0,SSL_TXT_kDHr,0,SSL_kDHr,  0,SSL_MKEY_MASK},
	{0,SSL_TXT_kDHd,0,SSL_kDHd,  0,SSL_MKEY_MASK},
@@ -403,7 +404,7 @@ char *str;
		}

	/* special case */
	cipher_aliases[0].algorithms= ~mask;
	cipher_aliases[0].algorithms &= ~mask;

	/* get the aliases */
	k=sizeof(cipher_aliases)/sizeof(SSL_CIPHER);
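Review bot: The new `cipher_aliases[0].algorithms &= ~mask;` in the second hunk makes the 'ALL' entry of the static `cipher_aliases` table depend on every earlier call, because it ANDs into the stored value instead of recomputing it. If `mask` (built outside the hunk) can differ between calls, for instance when the set of available algorithms changes, bits cleared by an earlier call stay cleared and 'ALL' silently shrinks for the rest of the process. The statement is also an unsynchronised read-modify-write on shared static data. Recomputing from the constant keeps the eNULL exclusion and is idempotent: `cipher_aliases[0].algorithms = (SSL_ALL & ~SSL_eNULL) & ~mask;`. The enclosing function starts and ends outside the hunk, so how `mask` is derived should be confirmed there.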