From 0a05123a6c90390c1290fe3bc119f1daf256b834 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bodo=20M=C3=B6ller?= Date: Mon, 19 Feb 2007 18:41:41 +0000 Subject: [PATCH] Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that a ciphersuite string such as "DEFAULT:RSA" cannot enable authentication-only ciphersuites. Also, change ssl_create_cipher_list() so that it no longer starts with an arbitrary ciphersuite ordering, but instead uses the logic that we previously had in SSL_DEFEAULT_CIPHER_LIST. SSL_DEFAULT_CIPHER_LIST simplifies into just "ALL:!aNULL:!eNULL". --- CHANGES | 20 ++++++++++++++++++++ ssl/ssl.h | 9 +++++++-- ssl/ssl_ciph.c | 35 +++++++++++++++++++++++++++++++++++ 3 files changed, 62 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 80db3ae58..44200d6f2 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,16 @@ Changes between 0.9.8e and 0.9.9 [xx XXX xxxx] + *) Change ssl_create_cipher_list() so that it automatically + arranges the ciphersuites in reasonable order before starting + to process the rule string. Thus, the definition for "DEFAULT" + (SSL_DEFAULT_CIPHER_LIST) now is just "ALL:!aNULL:!eNULL", but + remains equivalent to "AES:ALL:!aNULL:!eNULL:+aECDH:+kRSA:+RC4:@STRENGTH". + This makes it much easier to arrive at a reasonable default order + in applications for which anonymous ciphers are OK (meaning + that you can't actually use DEFAULT). + [Bodo Moeller; suggested by Victor Duchovni] + *) Split the SSL/TLS algorithm mask (as used for ciphersuite string processing) into multiple integers instead of setting "SSL_MKEY_MASK" bits, "SSL_AUTH_MASK" bits, "SSL_ENC_MASK", @@ -452,6 +462,11 @@ Changes between 0.9.8d and 0.9.8e [XX xxx XXXX] + *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that + a ciphersuite string such as "DEFAULT:RSA" cannot enable + authentication-only ciphersuites. + [Bodo Moeller] + *) Since AES128 and AES256 (and similarly Camellia128 and Camellia256) share a single mask bit in the logic of ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a @@ -1488,6 +1503,11 @@ Changes between 0.9.7l and 0.9.7m [xx XXX xxxx] + *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that + a ciphersuite string such as "DEFAULT:RSA" cannot enable + authentication-only ciphersuites. + [Bodo Moeller] + *) Since AES128 and AES256 share a single mask bit in the logic of ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a kludge to work properly if AES128 is available and AES256 isn't. diff --git a/ssl/ssl.h b/ssl/ssl.h index 0581256d8..b97b35e9c 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -315,8 +315,13 @@ extern "C" { /* The following cipher list is used by default. * It also is substituted when an application-defined cipher list string * starts with 'DEFAULT'. */ -#define SSL_DEFAULT_CIPHER_LIST "AES:CAMELLIA:ALL:!ADH:!AECDH:+aECDH:+kRSA:+RC4:@STRENGTH" -/* low priority for ciphersuites w/o forwared secrecy (fixed ECDH, RSA key exchange), and for RC4 */ +#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL" +/* As of OpenSSL 0.9.9, ssl_create_cipher_list() in ssl/ssl_ciph.c always + * starts with a reasonable order, and all we have to do for DEFAULT is + * throwing out anonymous and unencrypted ciphersuites! + * (The latter are not actually enabled by ALL, but "ALL:RSA" would enable + * some of them.) + */ /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */ #define SSL_SENT_SHUTDOWN 1 diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 3e94de8f8..787aec1e3 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -1120,6 +1120,40 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl, co_list, &head, &tail); + + /* Now arrange all ciphers by preference: */ + + /* Temporarily enabled AES first (preferred cipher) */ + ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, CIPHER_ADD, -1, &head, &tail); + + /* Temporarily enable everything else */ + ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail); + + /* Move anonymous ciphers to the end. Usually, these will remain disabled. + * (For applications that allow them, they aren't too bad, but we prefer + * authenticated ciphers.) */ + ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); + + /* Move ciphers without forward secrecy to then end */ + ssl_cipher_apply_rule(0, 0, SSL_aECDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); + ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); + ssl_cipher_apply_rule(0, 0, SSL_kPSK, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); + + /* RC4 is sort-of broken -- move the the end */ + ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); + + /* Now sort by symmetric encryption strength. The above ordering remains + * in force within each class */ + if (!ssl_cipher_strength_sort(&head, &tail)) + { + OPENSSL_free(co_list); + return NULL; + } + + /* Now disable everything (maintaining the ordering!) */ + ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail); + + /* * We also need cipher aliases for selecting based on the rule_str. * There might be two types of entries in the rule_str: 1) names @@ -1167,6 +1201,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, OPENSSL_free(co_list); return(NULL); } + /* * Allocate new "cipherstack" for the result, return with error * if we cannot get one.