Change the DEFAULT ciphersuites to exclude DES, RC4 and RC2

This patch updates the "DEFAULT" cipherstring to be "ALL:!COMPLEMENTOFDEFAULT:!eNULL". COMPLEMENTOFDEFAULT is now defined internally by a flag on each ciphersuite indicating whether it should be excluded from DEFAULT or not. This gives us control at an individual ciphersuite level as to exactly what is in DEFAULT and what is not. Finally all DES, RC4 and RC2 ciphersuites are added to COMPLEMENTOFDEFAULT and hence removed from DEFAULT. Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-29 11:14:35 +01:00
parent 8eed3289b2
commit c84f7f4a74
6 changed files with 98 additions and 72 deletions
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -429,6 +429,7 @@
 */
 # define SSL_EXP_MASK            0x00000003L
 # define SSL_STRONG_MASK         0x000001fcL
+# define SSL_DEFAULT_MASK        0X00000200L

 # define SSL_NOT_EXP             0x00000001L
 # define SSL_EXPORT              0x00000002L
@@ -443,7 +444,9 @@
 # define SSL_HIGH                0x00000080L
 # define SSL_FIPS                0x00000100L

-/* we have used 000001ff - 23 bits left to go */
+# define SSL_NOT_DEFAULT         0x00000200L
+
+/* we have used 000003ff - 22 bits left to go */

 /*-
 * Macros to check the export status and cipher strength for export ciphers.