Delete NULL ciphers from 'ALL' in the cipher list aliases. This means that

NULL ciphers specifically have to be enabled with e.g. "DEFAULT:eNULL". This
prevents cipher lists from inadvertantly having NULL ciphers at the top
of their list (e.g. the default ones) because they didn't have to be taken
into account before.

diff --git a/CHANGES b/CHANGES
index 277b54083429d232cf973821f1f0257917c629b7..a1217540f2f10ffbee635e753722bb4ac6c5bead 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -5,6 +5,12 @@
 
  Changes between 0.9.1c and 0.9.2
 
+  *) Change the meaning of 'ALL' in the cipher list. It now means "everything
+     except NULL ciphers". This means the default cipher list will no longer
+     enable NULL ciphers. They need to be specifically enabled e.g. with
+     the string "DEFAULT:eNULL".
+     [Steve Henson]
+
   *) Fix to RSA private encryption routines: if p < q then it would
      occasionally produce an invalid result. This will only happen with
      externally generated keys because OpenSSL (and SSLeay) ensure p > q.

diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index cb48f36e66c403d9457f83d88fcf73fcf85e56ab..29058d7f15dc82eb8390fbb52b5a27386a5beefb 100644 (file)
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -111,7 +111,8 @@ typedef struct cipher_order_st
        } CIPHER_ORDER;
 
 static SSL_CIPHER cipher_aliases[]={
-       {0,SSL_TXT_ALL, 0,SSL_ALL,   0,SSL_ALL},        /* must be first */
+       /* Don't include eNULL unless specifically enabled */
+       {0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, 0,SSL_ALL}, /* must be first */
        {0,SSL_TXT_kRSA,0,SSL_kRSA,  0,SSL_MKEY_MASK},
        {0,SSL_TXT_kDHr,0,SSL_kDHr,  0,SSL_MKEY_MASK},
        {0,SSL_TXT_kDHd,0,SSL_kDHd,  0,SSL_MKEY_MASK},
@@ -403,7 +404,7 @@ char *str;
                }
 
        /* special case */
-       cipher_aliases[0].algorithms= ~mask;
+       cipher_aliases[0].algorithms &= ~mask;
 
        /* get the aliases */
        k=sizeof(cipher_aliases)/sizeof(SSL_CIPHER);