From ed65f7dc342297abbad9ad5662bca588f904b4f6 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Bodo=20M=C3=B6ller?= Date: Mon, 11 Sep 2006 09:49:03 +0000 Subject: [PATCH] ensure that ciphersuite strings such as "RC4-MD5" match the SSL 2.0 ciphersuite as well --- CHANGES | 28 +++++++++++++++++++++++++++- ssl/ssl_ciph.c | 28 ++++++++++++++++------------ 2 files changed, 43 insertions(+), 13 deletions(-) diff --git a/CHANGES b/CHANGES index 18eb27eebe..054c6a7a7f 100644 --- a/CHANGES +++ b/CHANGES @@ -2,7 +2,7 @@ OpenSSL CHANGES _______________ - Changes between 0.9.8c and 0.9.9 [xx XXX xxxx] + Changes between 0.9.8d and 0.9.9 [xx XXX xxxx] *) Allow multiple CRLs to exist in an X509_STORE with matching issuer names. Modify get_crl() to find a valid (unexpired) CRL if possible. @@ -379,6 +379,32 @@ Changes between 0.9.8c and 0.9.8d [xx XXX xxxx] + *) Since 0.9.8b, ciphersuite strings naming explicit ciphersuites + match only those. Before that, "AES256-SHA" would be interpreted + as a pattern and match "AES128-SHA" too since we currently only + have a single AES bit in the ciphersuite description bitmap. + That change, however, also applied to ciphersuite strings such as + "RC4-MD5" that intentionally matched multiple ciphersuites -- + namely, SSL 2.0 ciphersuites in addition to the more common ones + from SSL 3.0/TLS 1.0. + + So we change the selection algorithm again: Naming an explicit + ciphersuite selects this one ciphersuite, and any other similar + ciphersuite (same bitmap) from *other* protocol versions. + Thus, "RC4-MD5" again will properly select both the SSL 2.0 + ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite. + + Since SSL 2.0 does not have any ciphersuites for which the + 128/256 bit distinction would be relevant, this works for now. + The proper fix will be to use different bits for AES128 and + AES256, which would have avoided the problems from the beginning; + however, bits are scarce, so we can only do this in a new release + (not just a patchlevel) when we can change the SSL_CIPHER + definition to split the single 'unsigned long mask' bitmap into + multiple values to extend the available space. + + [Bodo Moeller] + Changes between 0.9.8b and 0.9.8c [05 Sep 2006] *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index c85ea030fe..87aa83a314 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -638,7 +638,7 @@ static void ssl_cipher_collect_aliases(SSL_CIPHER **ca_list, *ca_curr = NULL; /* end of list */ } -static void ssl_cipher_apply_rule(unsigned long cipher_id, +static void ssl_cipher_apply_rule(unsigned long cipher_id, unsigned long ssl_version, unsigned long algorithms, unsigned long mask, unsigned long algo_strength, unsigned long mask_strength, int rule, int strength_bits, @@ -665,9 +665,10 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id, cp = curr->cipher; - /* If explicit cipher suite match that one only */ + /* If explicit cipher suite, match only that one for its own protocol version. + * Usual selection criteria will be used for similar ciphersuites from other version! */ - if (cipher_id) + if (cipher_id && (cp->algorithms & SSL_SSL_MASK) == ssl_version) { if (cp->id != cipher_id) continue; @@ -789,7 +790,7 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p, */ for (i = max_strength_bits; i >= 0; i--) if (number_uses[i] > 0) - ssl_cipher_apply_rule(0, 0, 0, 0, 0, CIPHER_ORD, i, + ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, CIPHER_ORD, i, head_p, tail_p); OPENSSL_free(number_uses); @@ -803,7 +804,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str, unsigned long algorithms, mask, algo_strength, mask_strength; const char *l, *start, *buf; int j, multi, found, rule, retval, ok, buflen; - unsigned long cipher_id = 0; + unsigned long cipher_id = 0, ssl_version = 0; char ch; retval = 1; @@ -894,6 +895,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str, */ j = found = 0; cipher_id = 0; + ssl_version = 0; while (ca_list[j]) { if (!strncmp(buf, ca_list[j]->name, buflen) && @@ -908,12 +910,6 @@ static int ssl_cipher_process_rulestr(const char *rule_str, if (!found) break; /* ignore this entry */ - if (ca_list[j]->valid) - { - cipher_id = ca_list[j]->id; - break; - } - /* New algorithms: * 1 - any old restrictions apply outside new mask * 2 - any new restrictions apply outside old mask @@ -928,6 +924,14 @@ static int ssl_cipher_process_rulestr(const char *rule_str, (algo_strength & ca_list[j]->algo_strength); mask_strength |= ca_list[j]->mask_strength; + /* explicit ciphersuite found */ + if (ca_list[j]->valid) + { + cipher_id = ca_list[j]->id; + ssl_version = ca_list[j]->algorithms & SSL_SSL_MASK; + break; + } + if (!multi) break; } @@ -956,7 +960,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str, } else if (found) { - ssl_cipher_apply_rule(cipher_id, algorithms, mask, + ssl_cipher_apply_rule(cipher_id, ssl_version, algorithms, mask, algo_strength, mask_strength, rule, -1, head_p, tail_p); } -- 2.25.1