Change the DEFAULT ciphersuites to exclude DES, RC4 and RC2

This patch updates the "DEFAULT" cipherstring to be "ALL:!COMPLEMENTOFDEFAULT:!eNULL". COMPLEMENTOFDEFAULT is now defined internally by a flag on each ciphersuite indicating whether it should be excluded from DEFAULT or not. This gives us control at an individual ciphersuite level as to exactly what is in DEFAULT and what is not. Finally all DES, RC4 and RC2 ciphersuites are added to COMPLEMENTOFDEFAULT and hence removed from DEFAULT. Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-29 11:14:35 +01:00
parent 8eed3289b2
commit c84f7f4a74
6 changed files with 98 additions and 72 deletions
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -295,8 +295,7 @@ static const SSL_CIPHER cipher_aliases[] = {
     * "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in
     * ALL!)
     */
-    {0, SSL_TXT_CMPDEF, 0, SSL_kDHE | SSL_kECDHE, SSL_aNULL, ~SSL_eNULL, 0, 0,
-     0, 0, 0, 0},
+    {0, SSL_TXT_CMPDEF, 0, 0, 0, ~SSL_eNULL, 0, 0, SSL_NOT_DEFAULT, 0, 0, 0},

    /*
     * key exchange aliases (some of those using only a single bit here
@@ -966,6 +965,9 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
            if ((algo_strength & SSL_STRONG_MASK)
                && !(algo_strength & SSL_STRONG_MASK & cp->algo_strength))
                continue;
+            if ((algo_strength & SSL_DEFAULT_MASK)
+                && !(algo_strength & SSL_DEFAULT_MASK & cp->algo_strength))
+                continue;
        }

 #ifdef CIPHER_DEBUG
@@ -1251,6 +1253,20 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
                        ca_list[j]->algo_strength & SSL_STRONG_MASK;
            }

+            if (ca_list[j]->algo_strength & SSL_DEFAULT_MASK) {
+                if (algo_strength & SSL_DEFAULT_MASK) {
+                    algo_strength &=
+                        (ca_list[j]->algo_strength & SSL_DEFAULT_MASK) |
+                        ~SSL_DEFAULT_MASK;
+                    if (!(algo_strength & SSL_DEFAULT_MASK)) {
+                        found = 0;
+                        break;
+                    }
+                } else
+                    algo_strength |=
+                        ca_list[j]->algo_strength & SSL_DEFAULT_MASK;
+            }
+
            if (ca_list[j]->valid) {
                /*
                 * explicit ciphersuite found; its protocol version does not