From: Lutz Jänicke Date: Fri, 19 Jul 2002 19:53:02 +0000 (+0000) Subject: New cipher selection options COMPLEMENTOFALL and COMPLEMENTOFDEFAULT. X-Git-Tag: OpenSSL_0_9_7-beta3~15 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=f19b6474fecdced7fcce3b5ff722dd685d4433ff;p=oweals%2Fopenssl.git New cipher selection options COMPLEMENTOFALL and COMPLEMENTOFDEFAULT. Submitted by: Reviewed by: PR: 127 --- diff --git a/CHANGES b/CHANGES index 7b018ba3fa..e0050052b4 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,11 @@ Changes between 0.9.6e and 0.9.7 [XX xxx 2002] + *) Add cipher selection rules COMPLEMENTOFALL and COMPLENENTOFDEFAULT + to allow version independent disabling of normally unselected ciphers, + which may be activated as a side-effect of selecting a single cipher. + [Lutz Jaenicke, Bodo Moeller] + *) Add appropriate support for separate platform-dependent build directories. The recommended way to make a platform-dependent build directory is the following (tested on Linux), maybe with diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod index 21077614a7..c90484b70e 100644 --- a/doc/apps/ciphers.pod +++ b/doc/apps/ciphers.pod @@ -108,10 +108,20 @@ the default cipher list. This is determined at compile time and is normally B. This must be the first cipher string specified. +=item B + +the ciphers not enabled by default, currently being B. This rule does not +cover B, which is not included by B and is therefore be handled by +B. + =item B all ciphers suites except the B ciphers which must be explicitly enabled. +=item B + +the cipher suites not enabled by B, currently being B. + =item B "high" encryption cipher suites. This currently means those with key lengths larger @@ -339,8 +349,22 @@ Include only 3DES ciphers and then place RSA ciphers last: openssl ciphers -v '3DES:+RSA' +Include all RC4 ciphers but leave out those without authentication: + + openssl ciphers -v 'RC4:!COMPLEMENTOFDEFAULT' + +Include all chiphers with RSA authentication but leave out ciphers without +encryption. + + openssl ciphers -v 'RSA:!COMPLEMENTOFALL' + =head1 SEE ALSO L, L, L +=head1 HISTORY + +The B and B selection options were +added in version 0.9.7. + =cut diff --git a/ssl/ssl.h b/ssl/ssl.h index bb2eda0b5c..7947a56c64 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -266,6 +266,23 @@ extern "C" { #define SSL_TXT_TLSV1 "TLSv1" #define SSL_TXT_ALL "ALL" +/* + * COMPLEMENTOF* definitions. These identifiers are used to (de-select) + * ciphers normally not being used. + * Example: "RC4" will activate all ciphers using RC4 including ciphers + * without authentication, which would normally disabled by DEFAULT (due + * the "!ADH" being part of default). Therefore "RC4:!COMPLEMENTOFDEFAULT" + * will make sure that it is also disabled in the specific selection. + * COMPLEMENTOF* identifiers are portable between version, as adjustments + * to the default cipher setup will also be included here. + * + * COMPLEMENTOFDEFAULT does not experience the same special treatment that + * DEFAULT gets, as only selection is being done and no sorting as needed + * for DEFAULT. + */ +#define SSL_TXT_CMPALL "COMPLEMENTOFALL" +#define SSL_TXT_CMPDEF "COMPLEMENTOFDEFAULT" + /* The following cipher list is used by default. * It also is substituted when an application-defined cipher list string * starts with 'DEFAULT'. */ diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index a1cef72082..37f58886a6 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -102,6 +102,8 @@ typedef struct cipher_order_st static const SSL_CIPHER cipher_aliases[]={ /* Don't include eNULL unless specifically enabled. */ {0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */ + {0,SSL_TXT_CMPALL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0}, /* COMPLEMENT OF ALL */ + {0,SSL_TXT_CMPDEF,0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK,0}, {0,SSL_TXT_kKRB5,0,SSL_kKRB5,0,0,0,0,SSL_MKEY_MASK,0}, /* VRS Kerberos5 */ {0,SSL_TXT_kRSA,0,SSL_kRSA, 0,0,0,0,SSL_MKEY_MASK,0}, {0,SSL_TXT_kDHr,0,SSL_kDHr, 0,0,0,0,SSL_MKEY_MASK,0},