diff options
| author | Matt Caswell <matt@openssl.org> | 2015-09-29 11:14:35 +0100 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2015-09-30 19:15:06 +0100 |
| commit | c84f7f4a7405d69be4227d4766290b0950122b3c (patch) | |
| tree | 3ae21ee691960e88e3291d10eef5d9540f70b992 /ssl/ssl_ciph.c | |
| parent | 8eed3289b21d25583ed44742db43a2d727b79643 (diff) | |
| download | openssl-c84f7f4a7405d69be4227d4766290b0950122b3c.tar.gz | |
Change the DEFAULT ciphersuites to exclude DES, RC4 and RC2
This patch updates the "DEFAULT" cipherstring to be
"ALL:!COMPLEMENTOFDEFAULT:!eNULL". COMPLEMENTOFDEFAULT is now defined
internally by a flag on each ciphersuite indicating whether it should be
excluded from DEFAULT or not. This gives us control at an individual
ciphersuite level as to exactly what is in DEFAULT and what is not.
Finally all DES, RC4 and RC2 ciphersuites are added to COMPLEMENTOFDEFAULT
and hence removed from DEFAULT.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Diffstat (limited to 'ssl/ssl_ciph.c')
| -rw-r--r-- | ssl/ssl_ciph.c | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 12dac046a8..46763d7db4 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -295,8 +295,7 @@ static const SSL_CIPHER cipher_aliases[] = { * "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in * ALL!) */ - {0, SSL_TXT_CMPDEF, 0, SSL_kDHE | SSL_kECDHE, SSL_aNULL, ~SSL_eNULL, 0, 0, - 0, 0, 0, 0}, + {0, SSL_TXT_CMPDEF, 0, 0, 0, ~SSL_eNULL, 0, 0, SSL_NOT_DEFAULT, 0, 0, 0}, /* * key exchange aliases (some of those using only a single bit here @@ -966,6 +965,9 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id, if ((algo_strength & SSL_STRONG_MASK) && !(algo_strength & SSL_STRONG_MASK & cp->algo_strength)) continue; + if ((algo_strength & SSL_DEFAULT_MASK) + && !(algo_strength & SSL_DEFAULT_MASK & cp->algo_strength)) + continue; } #ifdef CIPHER_DEBUG @@ -1251,6 +1253,20 @@ static int ssl_cipher_process_rulestr(const char *rule_str, ca_list[j]->algo_strength & SSL_STRONG_MASK; } + if (ca_list[j]->algo_strength & SSL_DEFAULT_MASK) { + if (algo_strength & SSL_DEFAULT_MASK) { + algo_strength &= + (ca_list[j]->algo_strength & SSL_DEFAULT_MASK) | + ~SSL_DEFAULT_MASK; + if (!(algo_strength & SSL_DEFAULT_MASK)) { + found = 0; + break; + } + } else + algo_strength |= + ca_list[j]->algo_strength & SSL_DEFAULT_MASK; + } + if (ca_list[j]->valid) { /* * explicit ciphersuite found; its protocol version does not |