|
 |
b7538d |
From 1aaffff1a658c5b9d5a5e09d4c6ab0a7ed4e1a50 Mon Sep 17 00:00:00 2001
|
|
|
b7538d |
From: Rob Crittenden <rcritten@redhat.com>
|
|
|
b7538d |
Date: Mon, 21 Sep 2015 15:41:24 -0400
|
|
|
b7538d |
Subject: [PATCH] The OpenSSL DEFAULT cipher macro shouldn't enable NULL
|
|
|
b7538d |
ciphers
|
|
|
b7538d |
|
|
|
b7538d |
---
|
|
|
b7538d |
nss_engine_cipher.c | 13 +++++++++++++
|
|
|
b7538d |
test/test_cipher.py | 8 ++++++++
|
|
|
b7538d |
2 files changed, 21 insertions(+)
|
|
|
b7538d |
|
|
|
b7538d |
diff --git a/nss_engine_cipher.c b/nss_engine_cipher.c
|
|
|
b7538d |
index 012e269..45b8836 100644
|
|
|
b7538d |
--- a/nss_engine_cipher.c
|
|
|
b7538d |
+++ b/nss_engine_cipher.c
|
|
|
b7538d |
@@ -164,6 +164,7 @@ static int parse_openssl_ciphers(server_rec *s, char *ciphers, PRBool cipher_lis
|
|
|
b7538d |
int i, action;
|
|
|
b7538d |
PRBool merge = PR_FALSE;
|
|
|
b7538d |
PRBool found = PR_FALSE;
|
|
|
b7538d |
+ PRBool first = PR_TRUE;
|
|
|
b7538d |
|
|
|
b7538d |
cipher = ciphers;
|
|
|
b7538d |
while (ciphers && (strlen(ciphers)))
|
|
|
b7538d |
@@ -210,11 +211,22 @@ static int parse_openssl_ciphers(server_rec *s, char *ciphers, PRBool cipher_lis
|
|
|
b7538d |
set_cipher_value(cipher_list, i, action);
|
|
|
b7538d |
}
|
|
|
b7538d |
} else if (!strcmp(cipher, "DEFAULT")) {
|
|
|
b7538d |
+ /* In OpenSSL the default cipher list is
|
|
|
b7538d |
+ * ALL:!aNULL:!eNULL:!SSLv2
|
|
|
b7538d |
+ * So we need to disable all the NULL ciphers too.
|
|
|
b7538d |
+ */
|
|
|
b7538d |
+ int mask = SSL_aNULL | SSL_eNULL;
|
|
|
b7538d |
+ PRBool enabled;
|
|
|
b7538d |
found = PR_TRUE;
|
|
|
b7538d |
for (i=0; i < ciphernum; i++) {
|
|
|
b7538d |
if (cipher_list[i] != -1)
|
|
|
b7538d |
SSL_CipherPrefGetDefault(ciphers_def[i].num,
|
|
|
b7538d |
&cipher_list[i]);
|
|
|
b7538d |
+ if (PR_TRUE == first) {
|
|
|
b7538d |
+ if (ciphers_def[i].attr & mask) {
|
|
|
b7538d |
+ set_cipher_value(cipher_list, i, -1);
|
|
|
b7538d |
+ }
|
|
|
b7538d |
+ }
|
|
|
b7538d |
}
|
|
|
b7538d |
} else if (!strcmp(cipher, "COMPLEMENTOFDEFAULT")) {
|
|
|
b7538d |
found = PR_TRUE;
|
|
|
b7538d |
@@ -374,6 +386,7 @@ static int parse_openssl_ciphers(server_rec *s, char *ciphers, PRBool cipher_lis
|
|
|
b7538d |
}
|
|
|
b7538d |
} /* while */
|
|
|
b7538d |
if (PR_TRUE == merge) {
|
|
|
b7538d |
+ first = PR_FALSE;
|
|
|
b7538d |
/* Merge the candidate list into the cipher list */
|
|
|
b7538d |
for (i=0; i
|
|
|
b7538d |
if (candidate_list[i])
|
|
|
b7538d |
diff --git a/test/test_cipher.py b/test/test_cipher.py
|
|
|
b7538d |
index a91f411..af9d7eb 100644
|
|
|
b7538d |
--- a/test/test_cipher.py
|
|
|
b7538d |
+++ b/test/test_cipher.py
|
|
|
b7538d |
@@ -54,6 +54,11 @@ def assert_equal_openssl(nss_ciphers, ossl_ciphers):
|
|
|
b7538d |
|
|
|
b7538d |
assert nss_list == ossl_list, '%r != %r. Difference %r' % (':'.join(nss_list), ':'.join(ossl_list), diff)
|
|
|
b7538d |
|
|
|
b7538d |
+def assert_no_NULL(nss_ciphers):
|
|
|
b7538d |
+ (nss, err, rc) = run([exe, "--o", nss_ciphers])
|
|
|
b7538d |
+ assert rc == 0
|
|
|
b7538d |
+ assert('NULL' not in nss)
|
|
|
b7538d |
+
|
|
|
b7538d |
class test_ciphers(object):
|
|
|
b7538d |
@classmethod
|
|
|
b7538d |
def setUpClass(cls):
|
|
|
b7538d |
@@ -212,6 +217,9 @@ class test_ciphers(object):
|
|
|
b7538d |
def test_negative_plus_RSA_MD5(self):
|
|
|
b7538d |
assert_equal_openssl("-RC2:RSA+MD5", "-RC2:RSA+MD5:-SSLv2")
|
|
|
b7538d |
|
|
|
b7538d |
+ def test_DEFAULT_aRSA(self):
|
|
|
b7538d |
+ assert_no_NULL("DEFAULT:aRSA")
|
|
|
b7538d |
+
|
|
|
b7538d |
def test_nss_subtraction(self):
|
|
|
b7538d |
(out, err, rc) = run([exe, "+rsa_rc4_128_md5,+rsa_rc4_128_sha,-rsa_rc4_128_md5"])
|
|
|
b7538d |
assert rc == 0
|
|
|
b7538d |
--
|
|
|
b7538d |
1.9.3
|
|
|
b7538d |
|