From 1aaffff1a658c5b9d5a5e09d4c6ab0a7ed4e1a50 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 21 Sep 2015 15:41:24 -0400
Subject: [PATCH] The OpenSSL DEFAULT cipher macro shouldn't enable NULL
 ciphers

---
 nss_engine_cipher.c | 13 +++++++++++++
 test/test_cipher.py |  8 ++++++++
 2 files changed, 21 insertions(+)

diff --git a/nss_engine_cipher.c b/nss_engine_cipher.c
index 012e269..45b8836 100644
--- a/nss_engine_cipher.c
+++ b/nss_engine_cipher.c
@@ -164,6 +164,7 @@ static int parse_openssl_ciphers(server_rec *s, char *ciphers, PRBool cipher_lis
     int i, action;
     PRBool merge = PR_FALSE;
     PRBool found = PR_FALSE;
+    PRBool first = PR_TRUE;
 
     cipher = ciphers;
     while (ciphers && (strlen(ciphers)))
@@ -210,11 +211,22 @@ static int parse_openssl_ciphers(server_rec *s, char *ciphers, PRBool cipher_lis
                     set_cipher_value(cipher_list, i, action);
             }
         } else if (!strcmp(cipher, "DEFAULT")) {
+            /* In OpenSSL the default cipher list is
+             *    ALL:!aNULL:!eNULL:!SSLv2
+             * So we need to disable all the NULL ciphers too.
+             */
+            int mask = SSL_aNULL | SSL_eNULL;
+            PRBool enabled;
             found = PR_TRUE;
             for (i=0; i < ciphernum; i++) {
                 if (cipher_list[i] != -1)
                     SSL_CipherPrefGetDefault(ciphers_def[i].num,
                                              &cipher_list[i]);
+                if (PR_TRUE == first) {
+                    if (ciphers_def[i].attr & mask) {
+                        set_cipher_value(cipher_list, i, -1);
+                    }
+                }
             }
         } else if (!strcmp(cipher, "COMPLEMENTOFDEFAULT")) {
             found = PR_TRUE;
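Review bot: `PRBool enabled;` is declared in the DEFAULT branch but never used anywhere in this hunk, so it will draw an unused-variable warning; drop it unless a later hunk uses it. The `first` flag introduced in the earlier hunk is cleared only when a merge happens (`first = PR_FALSE;` in the last hunk of this file) and never set again, so a second `DEFAULT` token after a `+` merge keeps the NULL ciphers; that appears intentional but the rationale is not stated, so a comment at the declaration such as `/* cleared after the first '+' merge: DEFAULT then no longer strips aNULL/eNULL */` would help the next reader. The existing `cipher_list[i] != -1` test suggests -1 is the permanent-disable marker, which matches OpenSSL's `!` semantics in the quoted `ALL:!aNULL:!eNULL:!SSLv2`; it would be worth saying so in the new comment rather than leaving the reader to infer it. parse_openssl_ciphers begins and ends outside these hunks.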
@@ -374,6 +386,7 @@ static int parse_openssl_ciphers(server_rec *s, char *ciphers, PRBool cipher_lis
                 }
             } /* while */
             if (PR_TRUE == merge) {
+                first = PR_FALSE;
                 /* Merge the candidate list into the cipher list */
                 for (i=0; i<ciphernum; i++) {
                     if (candidate_list[i])
diff --git a/test/test_cipher.py b/test/test_cipher.py
index a91f411..af9d7eb 100644
--- a/test/test_cipher.py
+++ b/test/test_cipher.py
@@ -54,6 +54,11 @@ def assert_equal_openssl(nss_ciphers, ossl_ciphers):
 
     assert nss_list == ossl_list, '%r != %r. Difference %r' % (':'.join(nss_list), ':'.join(ossl_list), diff)
 
+def assert_no_NULL(nss_ciphers):
+    (nss, err, rc) = run([exe, "--o", nss_ciphers])
+    assert rc == 0
+    assert('NULL' not in nss)
+
 class test_ciphers(object):
     @classmethod
     def setUpClass(cls):
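Review bot: `assert('NULL' not in nss)` in assert_no_NULL is written like a function call; that is harmless for a single expression but becomes an always-true tuple the moment someone adds a message, and the sibling assert_equal_openssl already uses the message form. Suggest `assert 'NULL' not in nss, 'NULL cipher enabled for %r: %r' % (nss_ciphers, nss)` and likewise `assert rc == 0, err` so a failure shows the tool's stderr. A one-line docstring such as `"""Assert that the resolved NSS cipher list for *nss_ciphers* contains no NULL cipher."""` would make the helper's intent explicit.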
@@ -212,6 +217,9 @@ class test_ciphers(object):
     def test_negative_plus_RSA_MD5(self):
         assert_equal_openssl("-RC2:RSA+MD5", "-RC2:RSA+MD5:-SSLv2")
 
+    def test_DEFAULT_aRSA(self):
+        assert_no_NULL("DEFAULT:aRSA")
+
     def test_nss_subtraction(self):
         (out, err, rc) = run([exe, "+rsa_rc4_128_md5,+rsa_rc4_128_sha,-rsa_rc4_128_md5"])
         assert rc == 0
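Review bot: test_DEFAULT_aRSA only exercises `DEFAULT` followed by a merge token, so the bare `DEFAULT` path the commit title describes is not pinned by any test; adding `def test_DEFAULT(self): assert_no_NULL("DEFAULT")` alongside it would cover the case directly. The test_ciphers class continues outside this hunk.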
-- 
1.9.3