Include changes from 0.9.7-stable.

10 files changed, 68 insertions, 27 deletions

diff --git a/CHANGES b/CHANGES
index 4e53b4efe8..5df10ebc7b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -25,6 +25,20 @@
 
  Changes between 0.9.7l and 0.9.7m  [xx XXX xxxx]
 
+  *) Cleanse PEM buffers before freeing them since they may contain 
+     sensitive data.
+     [Benjamin Bennett <ben@psc.edu>]
+
+  *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
+     a ciphersuite string such as "DEFAULT:RSA" cannot enable
+     authentication-only ciphersuites.
+     [Bodo Moeller]
+
+  *) Since AES128 and AES256 share a single mask bit in the logic of
+     ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
+     kludge to work properly if AES128 is available and AES256 isn't.
+     [Victor Duchovni]
+
   *) Expand security boundary to match 1.1.1 module.
      [Steve Henson]
 
diff --git a/LICENSE b/LICENSE
index c21f132db5..ff99d97241 100644
--- a/LICENSE
+++ b/LICENSE
@@ -12,7 +12,7 @@
   ---------------
 
 /* ====================================================================
- * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/README b/README
index cf32b19b06..6e198b179c 100644
--- a/README
+++ b/README
@@ -1,7 +1,7 @@
 
  OpenSSL 0.9.7m-dev xx XXX xxxx
 
- Copyright (c) 1998-2006 The OpenSSL Project
+ Copyright (c) 1998-2007 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
  All rights reserved.
 
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
index 0dcbab6f35..54262cc8f0 100644
--- a/crypto/pem/pem_lib.c
+++ b/crypto/pem/pem_lib.c
@@ -577,6 +577,7 @@ int PEM_write_bio(BIO *bp, const char *name, char *header, unsigned char *data,
 		}
 	EVP_EncodeFinal(&ctx,buf,&outl);
 	if ((outl > 0) && (BIO_write(bp,(char *)buf,outl) != outl)) goto err;
+	OPENSSL_cleanse(buf, PEM_BUFSIZE*8);
 	OPENSSL_free(buf);
 	buf = NULL;
 	if (	(BIO_write(bp,"-----END ",9) != 9) ||
@@ -585,8 +586,10 @@ int PEM_write_bio(BIO *bp, const char *name, char *header, unsigned char *data,
 		goto err;
 	return(i+outl);
 err:
-	if (buf)
+	if (buf) {
+		OPENSSL_cleanse(buf, PEM_BUFSIZE*8);
 		OPENSSL_free(buf);
+	}
 	PEMerr(PEM_F_PEM_WRITE_BIO,reason);
 	return(0);
 	}
diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c
index 9ecdbd5419..69300ba5e1 100644
--- a/crypto/pem/pem_pkey.c
+++ b/crypto/pem/pem_pkey.c
@@ -122,6 +122,7 @@ p8err:
 		PEMerr(PEM_F_PEM_ASN1_READ_BIO,ERR_R_ASN1_LIB);
 err:
 	OPENSSL_free(nm);
+	OPENSSL_cleanse(data, len);
 	OPENSSL_free(data);
 	return(ret);
 	}
diff --git a/doc/apps/x509.pod b/doc/apps/x509.pod
index 50343cd685..d15d3a618d 100644
--- a/doc/apps/x509.pod
+++ b/doc/apps/x509.pod
@@ -394,13 +394,13 @@ B<sep_comma_plus>, B<dn_rev> and B<sname>.
 
 a oneline format which is more readable than RFC2253. It is equivalent to
 specifying the  B<esc_2253>, B<esc_ctrl>, B<esc_msb>, B<utf8>, B<dump_nostr>,
-B<dump_der>, B<use_quote>, B<sep_comma_plus_spc>, B<spc_eq> and B<sname>
+B<dump_der>, B<use_quote>, B<sep_comma_plus_space>, B<space_eq> and B<sname>
 options.
 
 =item B<multiline>
 
 a multiline format. It is equivalent B<esc_ctrl>, B<esc_msb>, B<sep_multiline>,
-B<spc_eq>, B<lname> and B<align>.
+B<space_eq>, B<lname> and B<align>.
 
 =item B<esc_2253>
 
@@ -500,7 +500,7 @@ diagnostic purpose.
 align field values for a more readable output. Only usable with
 B<sep_multiline>.
 
-=item B<spc_eq>
+=item B<space_eq>
 
 places spaces round the B<=> character which follows the field
 name.
@@ -610,7 +610,7 @@ Display the certificate subject name in RFC2253 form:
 Display the certificate subject name in oneline form on a terminal
 supporting UTF8:
 
- openssl x509 -in cert.pem -noout -subject -nameopt oneline,-escmsb
+ openssl x509 -in cert.pem -noout -subject -nameopt oneline,-esc_msb
 
 Display the certificate MD5 fingerprint:
 
diff --git a/doc/crypto/ASN1_STRING_print_ex.pod b/doc/crypto/ASN1_STRING_print_ex.pod
index d662225b87..3891b88791 100644
--- a/doc/crypto/ASN1_STRING_print_ex.pod
+++ b/doc/crypto/ASN1_STRING_print_ex.pod
@@ -43,9 +43,9 @@ interprets UTF8 sequences.
 
 Escaping takes several forms.
 
-If the character being escaped is a 16 bit character then the form "\WXXXX" is used
+If the character being escaped is a 16 bit character then the form "\UXXXX" is used
 using exactly four characters for the hex representation. If it is 32 bits then
-"\UXXXXXXXX" is used using eight characters of its hex representation. These forms
+"\WXXXXXXXX" is used using eight characters of its hex representation. These forms
 will only be used if UTF8 conversion is not set (see below).
 
 Printable characters are normally escaped using the backslash '\' character. If
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 98e7630b0f..bdb8923972 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -557,7 +557,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_kKRB5|SSL_aKRB5|  SSL_3DES|SSL_SHA1  |SSL_SSLV3,
 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
 	0,
-	112,
+	168,
 	168,
 	SSL_ALL_CIPHERS,
 	SSL_ALL_STRENGTHS,
@@ -613,7 +613,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_kKRB5|SSL_aKRB5|  SSL_3DES|SSL_MD5   |SSL_SSLV3,
 	SSL_NOT_EXP|SSL_HIGH,
 	0,
-	112,
+	168,
 	168,
 	SSL_ALL_CIPHERS,
 	SSL_ALL_STRENGTHS,
@@ -683,7 +683,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_kKRB5|SSL_aKRB5|  SSL_RC4|SSL_SHA1   |SSL_SSLV3,
 	SSL_EXPORT|SSL_EXP40,
 	0,
-	128,
+	40,
 	128,
 	SSL_ALL_CIPHERS,
 	SSL_ALL_STRENGTHS,
@@ -725,7 +725,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_kKRB5|SSL_aKRB5|  SSL_RC4|SSL_MD5    |SSL_SSLV3,
 	SSL_EXPORT|SSL_EXP40,
 	0,
-	128,
+	40,
 	128,
 	SSL_ALL_CIPHERS,
 	SSL_ALL_STRENGTHS,
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 99e188086b..37f8d0171b 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -303,7 +303,7 @@ extern "C" {
 /* The following cipher list is used by default.
  * It also is substituted when an application-defined cipher list string
  * starts with 'DEFAULT'. */
-#define SSL_DEFAULT_CIPHER_LIST	"ALL:!ADH:+RC4:@STRENGTH" /* low priority for RC4 */
+#define SSL_DEFAULT_CIPHER_LIST	"ALL:!aNULL:!eNULL+RC4:@STRENGTH" /* low priority for RC4 */
 
 /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
 #define SSL_SENT_SHUTDOWN	1
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index b6b727f333..495b1ce0e5 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -415,9 +415,18 @@ static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,
 	*tail=curr;
 	}
 
-static unsigned long ssl_cipher_get_disabled(void)
+struct disabled_masks { /* This is a kludge no longer needed with OpenSSL 0.9.9,
+                         * where 128-bit and 256-bit algorithms simply will get
+                         * separate bits. */
+  unsigned long mask; /* everything except m256 */
+  unsigned long m256; /* applies to 256-bit algorithms only */
+};
+
+struct disabled_masks ssl_cipher_get_disabled(void)
 	{
 	unsigned long mask;
+	unsigned long m256;
+	struct disabled_masks ret;
 
 	mask = SSL_kFZA;
 #ifdef OPENSSL_NO_RSA
@@ -443,17 +452,24 @@ static unsigned long ssl_cipher_get_disabled(void)
 	mask |= (ssl_cipher_methods[SSL_ENC_RC2_IDX ] == NULL) ? SSL_RC2 :0;
 	mask |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA:0;
 	mask |= (ssl_cipher_methods[SSL_ENC_eFZA_IDX] == NULL) ? SSL_eFZA:0;
-	mask |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES:0;
 
 	mask |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 :0;
 	mask |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1:0;
 
-	return(mask);
+	/* finally consider algorithms where mask and m256 differ */
+	m256 = mask;
+	mask |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES:0;
+	m256 |= (ssl_cipher_methods[SSL_ENC_AES256_IDX] == NULL) ? SSL_AES:0;
+
+	ret.mask = mask;
+	ret.m256 = m256;
+	return ret;
 	}
 
 static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
-		int num_of_ciphers, unsigned long mask, CIPHER_ORDER *co_list,
-		CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
+		int num_of_ciphers, unsigned long mask, unsigned long m256,
+		CIPHER_ORDER *co_list, CIPHER_ORDER **head_p,
+		CIPHER_ORDER **tail_p)
 	{
 	int i, co_list_num;
 	SSL_CIPHER *c;
@@ -471,11 +487,12 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
 		{
 		c = ssl_method->get_cipher(i);
 		/* drop those that use any of that is not available */
+#define IS_MASKED(c) ((c)->algorithms & (((c)->alg_bits == 256) ? m256 : mask))
 #ifdef OPENSSL_FIPS
-		if ((c != NULL) && c->valid && !(c->algorithms & mask)
+		if ((c != NULL) && c->valid && !IS_MASKED(c))
 			&& (!FIPS_mode() || (c->algo_strength & SSL_FIPS)))
 #else
-		if ((c != NULL) && c->valid && !(c->algorithms & mask))
+		if ((c != NULL) && c->valid && !IS_MASKED(c))
 #endif
 			{
 			co_list[co_list_num].cipher = c;
@@ -869,7 +886,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
 			 * rest of the command, if any left, until
 			 * end or ':' is found.
 			 */
-			while ((*l != '\0') && ITEM_SEP(*l))
+			while ((*l != '\0') && !ITEM_SEP(*l))
 				l++;
 			}
 		else if (found)
@@ -880,7 +897,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
 			}
 		else
 			{
-			while ((*l != '\0') && ITEM_SEP(*l))
+			while ((*l != '\0') && !ITEM_SEP(*l))
 				l++;
 			}
 		if (*l == '\0') break; /* done */
@@ -896,6 +913,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 	{
 	int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
 	unsigned long disabled_mask;
+	unsigned long disabled_m256;
 	STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list;
 	const char *rule_p;
 	CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
@@ -918,7 +936,12 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 	 * To reduce the work to do we only want to process the compiled
 	 * in algorithms, so we first get the mask of disabled ciphers.
 	 */
-	disabled_mask = ssl_cipher_get_disabled();
+	{
+		struct disabled_masks d;
+		d = ssl_cipher_get_disabled();
+		disabled_mask = d.mask;
+		disabled_m256 = d.m256;
+	}
 
 	/*
 	 * Now we have to collect the available ciphers from the compiled
@@ -937,7 +960,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 		}
 
 	ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, disabled_mask,
-				   co_list, &head, &tail);
+				   disabled_m256, co_list, &head, &tail);
 
 	/*
 	 * We also need cipher aliases for selecting based on the rule_str.
@@ -957,8 +980,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 		SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
 		return(NULL);	/* Failure */
 		}
-	ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, disabled_mask,
-				   head);
+	ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
+				   (disabled_mask & disabled_m256), head);
 
 	/*
 	 * If the rule_string begins with DEFAULT, apply the default rule