Skip to content

Describe bug in DEFAULT "cipher string" behavior#5455

Closed
AloisMahdal wants to merge 1 commit intoopenssl:masterfrom
AloisMahdal:default_as_bugs
Closed

Describe bug in DEFAULT "cipher string" behavior#5455
AloisMahdal wants to merge 1 commit intoopenssl:masterfrom
AloisMahdal:default_as_bugs

Conversation

@AloisMahdal
Copy link
Contributor

@AloisMahdal AloisMahdal commented Feb 23, 2018

Actual behavior of DEFAULT is different than currently described.
Rather than acting as cipher string, DEFAULT cannot be combined using
logical operators, etc.

Fixes #5420.

Checklist
  • documentation is added or updated

@AloisMahdal
Copy link
Contributor Author

AloisMahdal commented Feb 23, 2018

Probably a better alternative to #5428, this describes the DEFAULT keyword mess in terms of BUGS section and also with greater detail (it mentions two particular counter-intuitive examples).

@AloisMahdal AloisMahdal mentioned this pull request Feb 23, 2018
Closed
1 task
kroeckx
kroeckx reviewed Feb 24, 2018
View reviewed changes
doc/man1/ciphers.pod Outdated
Copy link
Member

@kroeckx kroeckx Feb 24, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+ECDH does not enable ECDH ciphers, it just moves them to the end. Just "ECDH" would add them, but the !COMPLEMENTOFDEFAULT doesn't allow adding any ciphers not in DEFAULT.

Copy link
Contributor Author

@AloisMahdal AloisMahdal Feb 26, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice catch. I'll fix it in a sec. (See below for comment about the !)

@AloisMahdal
Copy link
Contributor Author

AloisMahdal commented Feb 26, 2018
edited
Loading

This probably does not have direc bearing on this PR, but I just realized that the original definition of DEFAULT is ambiguous:

DEFAULT

The default cipher list. This is determined at compile time and is normally ALL:!COMPLEMENTOFDEFAULT:!eNULL. See BUGS section, though.

This allows two ways to understand:

  • (A) DEFAULT just stands for the list of ciphers that would be selected by ALL:!COMPLEMENTOFDEFAULT:!eNULL, ie. the permanent effect of ! would not apply.

  • (B) whole expression is just included, ie. the effect is preserved.

So far I've read it as (A), but @kroeckx's comment seems to suggest (B). I'm not sure which one is it. (Haven't read what the code does.)

Describe bug in DEFAULT "cipher string" behavior
33cbe83 
Actual behavior of DEFAULT is different than currently described.
Rather than acting as cipher string, DEFAULT cannot be combined using
logical operators, etc.

Fixes #5420.
@mattcaswell
Copy link
Member

mattcaswell commented Feb 26, 2018

So far I've read it as (A), but @kroeckx's comment seems to suggest (B). I'm not sure which one is it.

It's (B).

@vdukhovni
Copy link

vdukhovni commented Mar 8, 2018

This version is confusing the non-BUGS and BUGS behaviours, putting everything in BUGS.

The fact that DEFAULT is special, and can only be listed first is NOT a bug. The fact that "DEFAULTfoo" is treated the same as "DEFAULT:foo" is a BUG, that we might not fix, since it might break existing practice,
Correct behaviour would be to only recognize "DEFAULT" if it is the entire cipherlist or when it is "DEFAULT:rest-of-cipherlist". All other strings starting with "DEFAULT" are just invalid constructs, and should have been skipped (restarting parsing after the first ":").

@vdukhovni
Copy link

vdukhovni commented Mar 8, 2018

So #5428 is closer to the right fix, but is "missing" the "BUGS" documentation, namely, funny syntax of "DEFFAULT+FOO", "DEFAULT-FOO", and "DEFAULTFOO", where these instead become:
"DEFAULT:+FOO", "DEFAULT:-FOO" and "DEFAULT:FOO" respectively. That's "wrong", but we might need to maintain backwards-compatible buggy parsing.

levitte
levitte requested changes Apr 19, 2018
View reviewed changes
doc/man1/ciphers.pod
This is determined at compile time and is normally
B<ALL:!COMPLEMENTOFDEFAULT:!eNULL>.
When used, this must be the first cipherstring specified.
B<ALL:!COMPLEMENTOFDEFAULT:!eNULL>. See BUGS section, though.
Copy link
Member

@levitte levitte Apr 19, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The BUGS section clarifies quite a bit, but some small part of could be transfered here, such as an added sentence, like:

Note that B<DEFAULT> isn't a cipher string like the others. It may only appear at the beginning of a cipher list and cannot be combined in an expression with anything else. See L</BUGS> for further explanations.

@levitte levitte added this to the 1.1.1 milestone Apr 19, 2018
@levitte levitte added branch: master Applies to master branch 1.1.0 branch: 1.1.1 Applies to OpenSSL_1_1_1-stable branch (EOL) labels Apr 19, 2018
@levitte
Copy link
Member

levitte commented Apr 19, 2018

#5428 was merged in preference of this. Closing.

@levitte levitte closed this Apr 19, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kroeckx kroeckx kroeckx left review comments

@levitte levitte levitte requested changes

Assignees

No one assigned

Labels

branch: master Applies to master branch branch: 1.1.1 Applies to OpenSSL_1_1_1-stable branch (EOL)

Projects

None yet

Milestone

1.1.1

Development

Successfully merging this pull request may close these issues.

5 participants

@AloisMahdal @mattcaswell @vdukhovni @levitte @kroeckx