Ciphers with NULL encryption were not properly handled because they were

not covered by the strength bit mask.
Submitted by:
Reviewed by:
PR: 130

diff --git a/CHANGES b/CHANGES
index 655517a4b2b6df17740d72902877087cb80a2937..349e3fd890319a0cc9a47c6d890758ede2dd6da1 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,11 @@
 
  Changes between 0.9.6d and 0.9.6e  [XX xxx XXXX]
 
+  *) Fix cipher selection routines: ciphers without encryption had no flags
+     for the cipher strength set and where therefore not handled correctly
+     by the selection routines (PR #130).
+     [Lutz Jaenicke]
+
   *) Fix EVP_dsa_sha macro.
      [Nils Larsch]
 

diff --git a/ssl/s2_lib.c b/ssl/s2_lib.c
index a590dbfa5ca6809919d0de60aaac301a3a3bfdb5..8bcd7f490389b5af57d591dc3676748f682f8e42 100644 (file)
--- a/ssl/s2_lib.c
+++ b/ssl/s2_lib.c
@@ -76,7 +76,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={
        SSL2_TXT_NULL_WITH_MD5,
        SSL2_CK_NULL_WITH_MD5,
        SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5|SSL_SSLV2,
-       SSL_EXPORT|SSL_EXP40,
+       SSL_EXPORT|SSL_EXP40|SSL_STRONG_NONE,
+       0,
        0,
        0,
        SSL_ALL_CIPHERS,
@@ -196,6 +197,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={
        SSL2_TXT_NULL,
        SSL2_CK_NULL,
        0,
+       SSL_STRONG_NONE,
        0,
        0,
        0,

diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 57a3fa4f8156ccebf4fbde6ecf3fe92089e5e866..9951ebb4191ea62cb1d469597abdcba015cc9c86 100644 (file)
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -129,7 +129,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_RSA_NULL_MD5,
        SSL3_CK_RSA_NULL_MD5,
        SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_MD5|SSL_SSLV3,
-       SSL_NOT_EXP,
+       SSL_NOT_EXP|SSL_STRONG_NONE,
        0,
        0,
        0,
@@ -142,7 +142,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_RSA_NULL_SHA,
        SSL3_CK_RSA_NULL_SHA,
        SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3,
-       SSL_NOT_EXP,
+       SSL_NOT_EXP|SSL_STRONG_NONE,
        0,
        0,
        0,
@@ -490,7 +490,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_FZA_DMS_NULL_SHA,
        SSL3_CK_FZA_DMS_NULL_SHA,
        SSL_kFZA|SSL_aFZA |SSL_eNULL |SSL_SHA1|SSL_SSLV3,
-       SSL_NOT_EXP,
+       SSL_NOT_EXP|SSL_STRONG_NONE,
        0,
        0,
        0,
@@ -504,7 +504,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_FZA_DMS_FZA_SHA,
        SSL3_CK_FZA_DMS_FZA_SHA,
        SSL_kFZA|SSL_aFZA |SSL_eFZA |SSL_SHA1|SSL_SSLV3,
-       SSL_NOT_EXP,
+       SSL_NOT_EXP|SSL_STRONG_NONE,
        0,
        0,
        0,

diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 516d3cc5ae20f177f46f34b49b7933ee851069ea..9297cd2dc34a519768389e6f6a94981351948e19 100644 (file)
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -283,16 +283,17 @@
 #define SSL_NOT_EXP            0x00000001L
 #define SSL_EXPORT             0x00000002L
 
-#define SSL_STRONG_MASK                0x0000007cL
-#define SSL_EXP40              0x00000004L
+#define SSL_STRONG_MASK                0x000000fcL
+#define SSL_STRONG_NONE                0x00000004L
+#define SSL_EXP40              0x00000008L
 #define SSL_MICRO              (SSL_EXP40)
-#define SSL_EXP56              0x00000008L
+#define SSL_EXP56              0x00000010L
 #define SSL_MINI               (SSL_EXP56)
-#define SSL_LOW                        0x00000010L
-#define SSL_MEDIUM             0x00000020L
-#define SSL_HIGH               0x00000040L
+#define SSL_LOW                        0x00000020L
+#define SSL_MEDIUM             0x00000040L
+#define SSL_HIGH               0x00000080L
 
-/* we have used 0000007f - 25 bits left to go */
+/* we have used 000000ff - 24 bits left to go */
 
 /*
  * Macros to check the export status and cipher strength for export ciphers.