From 0a05123a6c90390c1290fe3bc119f1daf256b834 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bodo=20M=C3=B6ller?= <bodo@openssl.org>
Date: Mon, 19 Feb 2007 18:41:41 +0000
Subject: [PATCH] Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
 a ciphersuite string such as "DEFAULT:RSA" cannot enable authentication-only
 ciphersuites.

Also, change ssl_create_cipher_list() so that it no longer
starts with an arbitrary ciphersuite ordering, but instead
uses the logic that we previously had in SSL_DEFEAULT_CIPHER_LIST.
SSL_DEFAULT_CIPHER_LIST simplifies into just "ALL:!aNULL:!eNULL".
---
 CHANGES        | 20 ++++++++++++++++++++
 ssl/ssl.h      |  9 +++++++--
 ssl/ssl_ciph.c | 35 +++++++++++++++++++++++++++++++++++
 3 files changed, 62 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index 80db3ae58d..44200d6f2e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,16 @@
 
  Changes between 0.9.8e and 0.9.9  [xx XXX xxxx]
 
+  *) Change ssl_create_cipher_list() so that it automatically
+     arranges the ciphersuites in reasonable order before starting
+     to process the rule string.  Thus, the definition for "DEFAULT"
+     (SSL_DEFAULT_CIPHER_LIST) now is just "ALL:!aNULL:!eNULL", but
+     remains equivalent to "AES:ALL:!aNULL:!eNULL:+aECDH:+kRSA:+RC4:@STRENGTH".
+     This makes it much easier to arrive at a reasonable default order
+     in applications for which anonymous ciphers are OK (meaning
+     that you can't actually use DEFAULT).
+     [Bodo Moeller; suggested by Victor Duchovni]
+
   *) Split the SSL/TLS algorithm mask (as used for ciphersuite string
      processing) into multiple integers instead of setting
      "SSL_MKEY_MASK" bits, "SSL_AUTH_MASK" bits, "SSL_ENC_MASK",
@@ -452,6 +462,11 @@
 
  Changes between 0.9.8d and 0.9.8e  [XX xxx XXXX]
 
+  *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
+     a ciphersuite string such as "DEFAULT:RSA" cannot enable
+     authentication-only ciphersuites.
+     [Bodo Moeller]
+
   *) Since AES128 and AES256 (and similarly Camellia128 and
      Camellia256) share a single mask bit in the logic of
      ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
@@ -1488,6 +1503,11 @@
 
  Changes between 0.9.7l and 0.9.7m  [xx XXX xxxx]
 
+  *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
+     a ciphersuite string such as "DEFAULT:RSA" cannot enable
+     authentication-only ciphersuites.
+     [Bodo Moeller]
+
   *) Since AES128 and AES256 share a single mask bit in the logic of
      ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
      kludge to work properly if AES128 is available and AES256 isn't.
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 0581256d8c..b97b35e9c3 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -315,8 +315,13 @@ extern "C" {
 /* The following cipher list is used by default.
  * It also is substituted when an application-defined cipher list string
  * starts with 'DEFAULT'. */
-#define SSL_DEFAULT_CIPHER_LIST	"AES:CAMELLIA:ALL:!ADH:!AECDH:+aECDH:+kRSA:+RC4:@STRENGTH"
-/* low priority for ciphersuites w/o forwared secrecy (fixed ECDH, RSA key exchange), and for RC4 */
+#define SSL_DEFAULT_CIPHER_LIST	"ALL:!aNULL:!eNULL"
+/* As of OpenSSL 0.9.9, ssl_create_cipher_list() in ssl/ssl_ciph.c always
+ * starts with a reasonable order, and all we have to do for DEFAULT is
+ * throwing out anonymous and unencrypted ciphersuites!
+ * (The latter are not actually enabled by ALL, but "ALL:RSA" would enable
+ * some of them.)
+ */
 
 /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
 #define SSL_SENT_SHUTDOWN	1
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 3e94de8f83..787aec1e31 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1120,6 +1120,40 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 	                           disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl,
 	                           co_list, &head, &tail);
 
+
+	/* Now arrange all ciphers by preference: */
+
+	/* Temporarily enabled AES first (preferred cipher) */
+	ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
+
+	/* Temporarily enable everything else */
+	ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
+
+	/* Move anonymous ciphers to the end.  Usually, these will remain disabled.
+	 * (For applications that allow them, they aren't too bad, but we prefer
+	 * authenticated ciphers.) */
+	ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
+
+	/* Move ciphers without forward secrecy to then end */
+	ssl_cipher_apply_rule(0, 0, SSL_aECDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
+	ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
+	ssl_cipher_apply_rule(0, 0, SSL_kPSK, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
+
+	/* RC4 is sort-of broken -- move the the end */
+	ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
+
+	/* Now sort by symmetric encryption strength.  The above ordering remains
+	 * in force within each class */
+	if (!ssl_cipher_strength_sort(&head, &tail))
+		{
+		OPENSSL_free(co_list);
+		return NULL;
+		}
+
+	/* Now disable everything (maintaining the ordering!) */
+	ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);
+
+
 	/*
 	 * We also need cipher aliases for selecting based on the rule_str.
 	 * There might be two types of entries in the rule_str: 1) names
@@ -1167,6 +1201,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 		OPENSSL_free(co_list);
 		return(NULL);
 		}
+	
 	/*
 	 * Allocate new "cipherstack" for the result, return with error
 	 * if we cannot get one.
-- 
GitLab