From 1aaffff1a658c5b9d5a5e09d4c6ab0a7ed4e1a50 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 21 Sep 2015 15:41:24 -0400
Subject: [PATCH] The OpenSSL DEFAULT cipher macro shouldn't enable NULL
ciphers
---
nss_engine_cipher.c | 13 +++++++++++++
test/test_cipher.py | 8 ++++++++
2 files changed, 21 insertions(+)
diff --git a/nss_engine_cipher.c b/nss_engine_cipher.c
index 012e269..45b8836 100644
--- a/nss_engine_cipher.c
+++ b/nss_engine_cipher.c
@@ -164,6 +164,7 @@ static int parse_openssl_ciphers(server_rec *s, char *ciphers, PRBool cipher_lis
int i, action;
PRBool merge = PR_FALSE;
PRBool found = PR_FALSE;
+ PRBool first = PR_TRUE;
cipher = ciphers;
while (ciphers && (strlen(ciphers)))
@@ -210,11 +211,22 @@ static int parse_openssl_ciphers(server_rec *s, char *ciphers, PRBool cipher_lis
set_cipher_value(cipher_list, i, action);
}
} else if (!strcmp(cipher, "DEFAULT")) {
+ /* In OpenSSL the default cipher list is
+ * ALL:!aNULL:!eNULL:!SSLv2
+ * So we need to disable all the NULL ciphers too.
+ */
+ int mask = SSL_aNULL | SSL_eNULL;
+ PRBool enabled;
found = PR_TRUE;
for (i=0; i < ciphernum; i++) {
if (cipher_list[i] != -1)
SSL_CipherPrefGetDefault(ciphers_def[i].num,
&cipher_list[i]);
+ if (PR_TRUE == first) {
+ if (ciphers_def[i].attr & mask) {
+ set_cipher_value(cipher_list, i, -1);
+ }
+ }
}
} else if (!strcmp(cipher, "COMPLEMENTOFDEFAULT")) {
found = PR_TRUE;
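Review bot: `PRBool enabled;` on the new line 30 is never used anywhere in the DEFAULT branch and should be dropped, and the aNULL|eNULL exclusion runs only while `first` is still PR_TRUE, which hunk 3 (lines 44-51) clears after any merge — so a list in which DEFAULT is not the leading token keeps whatever SSL_CipherPrefGetDefault reports, including the NULL suites this commit sets out to exclude. OpenSSL accepts DEFAULT only as the first cipher string and rejects it elsewhere; doing the same here (reject, or at least log, a non-leading DEFAULT) would avoid a silently weaker list, though whether every non-DEFAULT token sets `merge` cannot be seen from this hunk. The new comment quotes ALL:!aNULL:!eNULL:!SSLv2 while the mask covers only aNULL|eNULL; a clause saying why !SSLv2 needs no equivalent in this loop (presumably ciphers_def holds no SSLv2 suites) would close that gap. parse_openssl_ciphers starts and ends outside the hunk.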
@@ -374,6 +386,7 @@ static int parse_openssl_ciphers(server_rec *s, char *ciphers, PRBool cipher_lis
}
} /* while */
if (PR_TRUE == merge) {
+ first = PR_FALSE;
/* Merge the candidate list into the cipher list */
for (i=0; i<ciphernum; i++) {
if (candidate_list[i])
diff --git a/test/test_cipher.py b/test/test_cipher.py
index a91f411..af9d7eb 100644
--- a/test/test_cipher.py
+++ b/test/test_cipher.py
@@ -54,6 +54,11 @@ def assert_equal_openssl(nss_ciphers, ossl_ciphers):
assert nss_list == ossl_list, '%r != %r. Difference %r' % (':'.join(nss_list), ':'.join(ossl_list), diff)
+def assert_no_NULL(nss_ciphers):
+ (nss, err, rc) = run([exe, "--o", nss_ciphers])
+ assert rc == 0
+ assert('NULL' not in nss)
+
class test_ciphers(object):
@classmethod
def setUpClass(cls):
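Review bot: `assert_no_NULL` passes vacuously when the tool prints nothing, because `'NULL' not in ''` is true; add `assert nss.strip(), 'no ciphers returned for %r' % nss_ciphers` before the substring check so an empty or broken invocation fails instead of looking like success. The parentheses in `assert('NULL' not in nss)` are unnecessary and invite the tuple-assert mistake; write `assert 'NULL' not in nss`. A one-line docstring noting that the helper runs the tool with `--o` and checks the printed cipher list for the substring NULL would help, and PEP 8 wants two blank lines between it and the preceding function rather than none.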
@@ -212,6 +217,9 @@ class test_ciphers(object):
def test_negative_plus_RSA_MD5(self):
assert_equal_openssl("-RC2:RSA+MD5", "-RC2:RSA+MD5:-SSLv2")
+ def test_DEFAULT_aRSA(self):
+ assert_no_NULL("DEFAULT:aRSA")
+
def test_nss_subtraction(self):
(out, err, rc) = run([exe, "+rsa_rc4_128_md5,+rsa_rc4_128_sha,-rsa_rc4_128_md5"])
assert rc == 0
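Review bot: `test_DEFAULT_aRSA` covers only DEFAULT followed by aRSA; the case named in the commit subject, a bare DEFAULT, has no test, and neither does a DEFAULT that is not the first token, where the new `first` flag leaves NULL suites untouched. Adding `def test_DEFAULT(self): assert_no_NULL("DEFAULT")` pins the headline behaviour, and a non-leading case such as `"aRSA:DEFAULT"` (constructed from tokens already in this file) would document whichever outcome is intended for it. The `test_ciphers` class starts outside the hunk.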
--
1.9.3