[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Wed Sep 30 18:18:33 UTC 2015


The branch master has been updated
       via  c84f7f4a7405d69be4227d4766290b0950122b3c (commit)
      from  8eed3289b21d25583ed44742db43a2d727b79643 (commit)


- Log -----------------------------------------------------------------
commit c84f7f4a7405d69be4227d4766290b0950122b3c
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Sep 29 11:14:35 2015 +0100

    Change the DEFAULT ciphersuites to exclude DES, RC4 and RC2
    
    This patch updates the "DEFAULT" cipherstring to be
    "ALL:!COMPLEMENTOFDEFAULT:!eNULL". COMPLEMENTOFDEFAULT is now defined
    internally by a flag on each ciphersuite indicating whether it should be
    excluded from DEFAULT or not. This gives us control at an individual
    ciphersuite level as to exactly what is in DEFAULT and what is not.
    
    Finally all DES, RC4 and RC2 ciphersuites are added to COMPLEMENTOFDEFAULT
    and hence removed from DEFAULT.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 CHANGES               |   6 +++
 doc/apps/ciphers.pod  |  11 +++--
 include/openssl/ssl.h |   2 +-
 ssl/s3_lib.c          | 126 +++++++++++++++++++++++++-------------------------
 ssl/ssl_ciph.c        |  20 +++++++-
 ssl/ssl_locl.h        |   5 +-
 6 files changed, 98 insertions(+), 72 deletions(-)

diff --git a/CHANGES b/CHANGES
index 220ab60..ec55dc3 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,12 @@
 
  Changes between 1.0.2 and 1.1.0  [xx XXX xxxx]
 
+  *) Removed DES and RC4 ciphersuites from DEFAULT. Also removed RC2 although
+     in 1.0.2 EXPORT was already removed and the only RC2 ciphersuite is also
+     an EXPORT one. COMPLEMENTOFDEFAULT has been updated accordingly to add
+     DES and RC4 ciphersuites.
+     [Matt Caswell]
+
   *) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
      This changes the decoding behaviour for some invalid messages,
      though the change is mostly in the more lenient direction, and
diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod
index 64f122f..7598276 100644
--- a/doc/apps/ciphers.pod
+++ b/doc/apps/ciphers.pod
@@ -117,15 +117,16 @@ The following is a list of all permitted cipher strings and their meanings.
 
 =item B<DEFAULT>
 
-the default cipher list. This is determined at compile time and, as of OpenSSL
-1.0.0, is normally B<ALL:!aNULL:!eNULL>. This must be the first cipher string
-specified.
+the default cipher list. This is determined at compile time and
+is B<ALL:!COMPLEMENTOFDEFAULT:!eNULL>. This must be the first cipher
+string specified.
 
 =item B<COMPLEMENTOFDEFAULT>
 
 the ciphers included in B<ALL>, but not enabled by default. Currently
-this is B<ADH> and B<AECDH>. Note that this rule does not cover B<eNULL>,
-which is not included by B<ALL> (use B<COMPLEMENTOFALL> if necessary).
+this includes all RC4, DES, RC2 and anonymous ciphers. Note that this rule does
+not cover B<eNULL>, which is not included by B<ALL> (use B<COMPLEMENTOFALL> if
+necessary).
 
 =item B<ALL>
 
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index d488aa5..8fa9363 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -290,7 +290,7 @@ extern "C" {
  * The following cipher list is used by default. It also is substituted when
  * an application-defined cipher list string starts with 'DEFAULT'.
  */
-# define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL"
+# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
 /*
  * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
  * starts with a reasonable order, and all we have to do for DEFAULT is
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index bb090ef..4b11e60 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -173,7 +173,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_MD5,
      SSL_SSLV3,
-     SSL_NOT_EXP | SSL_STRONG_NONE,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      0,
      0,
@@ -189,7 +189,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      0,
      0,
@@ -205,7 +205,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_RC4,
      SSL_MD5,
      SSL_SSLV3,
-     SSL_EXPORT | SSL_EXP40,
+     SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      40,
      128,
@@ -221,7 +221,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_RC4,
      SSL_MD5,
      SSL_SSLV3,
-     SSL_NOT_EXP | SSL_MEDIUM,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      128,
      128,
@@ -237,7 +237,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_RC4,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_NOT_EXP | SSL_MEDIUM,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      128,
      128,
@@ -253,7 +253,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_RC2,
      SSL_MD5,
      SSL_SSLV3,
-     SSL_EXPORT | SSL_EXP40,
+     SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      40,
      128,
@@ -287,7 +287,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_DES,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_EXPORT | SSL_EXP40,
+     SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      40,
      56,
@@ -303,7 +303,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_DES,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_NOT_EXP | SSL_LOW,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      56,
      56,
@@ -336,7 +336,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_DES,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_EXPORT | SSL_EXP40,
+     SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      40,
      56,
@@ -352,7 +352,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_DES,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_NOT_EXP | SSL_LOW,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      56,
      56,
@@ -384,7 +384,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_DES,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_EXPORT | SSL_EXP40,
+     SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      40,
      56,
@@ -400,7 +400,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_DES,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_NOT_EXP | SSL_LOW,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      56,
      56,
@@ -433,7 +433,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_DES,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_EXPORT | SSL_EXP40,
+     SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      40,
      56,
@@ -449,7 +449,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_DES,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_NOT_EXP | SSL_LOW,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      56,
      56,
@@ -481,7 +481,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_DES,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_EXPORT | SSL_EXP40,
+     SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      40,
      56,
@@ -497,7 +497,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_DES,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_NOT_EXP | SSL_LOW,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      56,
      56,
@@ -529,7 +529,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_RC4,
      SSL_MD5,
      SSL_SSLV3,
-     SSL_EXPORT | SSL_EXP40,
+     SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      40,
      128,
@@ -545,7 +545,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_RC4,
      SSL_MD5,
      SSL_SSLV3,
-     SSL_NOT_EXP | SSL_MEDIUM,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      128,
      128,
@@ -561,7 +561,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_DES,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_EXPORT | SSL_EXP40,
+     SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      40,
      128,
@@ -577,7 +577,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_DES,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_NOT_EXP | SSL_LOW,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      56,
      56,
@@ -593,7 +593,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_3DES,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      112,
      168,
@@ -609,7 +609,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      0,
      0,
@@ -624,7 +624,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      0,
      0,
@@ -639,7 +639,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      0,
      0,
@@ -732,7 +732,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_AES128,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      128,
      128,
@@ -827,7 +827,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_AES256,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      256,
      256,
@@ -844,7 +844,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_SHA256,
      SSL_TLSV1_2,
-     SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      0,
      0,
@@ -1023,7 +1023,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_CAMELLIA128,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      128,
      128,
@@ -1121,7 +1121,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_AES128,
      SSL_SHA256,
      SSL_TLSV1_2,
-     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      128,
      128,
@@ -1137,7 +1137,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_AES256,
      SSL_SHA256,
      SSL_TLSV1_2,
-     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      256,
      256,
@@ -1168,7 +1168,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_GOST94,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_STRONG_NONE,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE,
      SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94,
      0,
      0
@@ -1266,7 +1266,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_CAMELLIA256,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      256,
      256,
@@ -1285,7 +1285,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_RC4,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_MEDIUM,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      128,
      128,
@@ -1349,7 +1349,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_RC4,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_MEDIUM,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      128,
      128,
@@ -1413,7 +1413,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_RC4,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_MEDIUM,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      128,
      128,
@@ -1561,7 +1561,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_SEED,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_MEDIUM,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      128,
      128,
@@ -1741,7 +1741,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_AES128GCM,
      SSL_AEAD,
      SSL_TLSV1_2,
-     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
      128,
      128,
@@ -1757,7 +1757,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_AES256GCM,
      SSL_AEAD,
      SSL_TLSV1_2,
-     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
      256,
      256,
@@ -1903,7 +1903,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_SHA256,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      0,
      0,
@@ -1919,7 +1919,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_SHA384,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
      SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
      0,
      0,
@@ -1967,7 +1967,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_SHA256,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      0,
      0,
@@ -1983,7 +1983,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_SHA384,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
      SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
      0,
      0,
@@ -2031,7 +2031,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_SHA256,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      0,
      0,
@@ -2047,7 +2047,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_SHA384,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
      SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
      0,
      0,
@@ -2147,7 +2147,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_CAMELLIA128,
      SSL_SHA256,
      SSL_TLSV1_2,
-     SSL_NOT_EXP | SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
      128,
      128,
@@ -2243,7 +2243,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_CAMELLIA256,
      SSL_SHA256,
      SSL_TLSV1_2,
-     SSL_NOT_EXP | SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
      256,
      256,
@@ -2278,7 +2278,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      0,
      0,
@@ -2294,7 +2294,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_RC4,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_MEDIUM,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      128,
      128,
@@ -2358,7 +2358,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      0,
      0,
@@ -2374,7 +2374,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_RC4,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_MEDIUM,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      128,
      128,
@@ -2438,7 +2438,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      0,
      0,
@@ -2454,7 +2454,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_RC4,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_MEDIUM,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      128,
      128,
@@ -2518,7 +2518,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      0,
      0,
@@ -2534,7 +2534,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_RC4,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_MEDIUM,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      128,
      128,
@@ -2598,7 +2598,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      0,
      0,
@@ -2614,7 +2614,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_RC4,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_MEDIUM,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      128,
      128,
@@ -2630,7 +2630,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_3DES,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      112,
      168,
@@ -2646,7 +2646,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_AES128,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      128,
      128,
@@ -2662,7 +2662,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_AES256,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      256,
      256,
@@ -3087,7 +3087,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_RC4,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_MEDIUM,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      128,
      128,
@@ -3183,7 +3183,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      0,
      0,
@@ -3199,7 +3199,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_SHA256,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      0,
      0,
@@ -3215,7 +3215,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_SHA384,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
      SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
      0,
      0,
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 12dac04..46763d7 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -295,8 +295,7 @@ static const SSL_CIPHER cipher_aliases[] = {
      * "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in
      * ALL!)
      */
-    {0, SSL_TXT_CMPDEF, 0, SSL_kDHE | SSL_kECDHE, SSL_aNULL, ~SSL_eNULL, 0, 0,
-     0, 0, 0, 0},
+    {0, SSL_TXT_CMPDEF, 0, 0, 0, ~SSL_eNULL, 0, 0, SSL_NOT_DEFAULT, 0, 0, 0},
 
     /*
      * key exchange aliases (some of those using only a single bit here
@@ -966,6 +965,9 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
             if ((algo_strength & SSL_STRONG_MASK)
                 && !(algo_strength & SSL_STRONG_MASK & cp->algo_strength))
                 continue;
+            if ((algo_strength & SSL_DEFAULT_MASK)
+                && !(algo_strength & SSL_DEFAULT_MASK & cp->algo_strength))
+                continue;
         }
 
 #ifdef CIPHER_DEBUG
@@ -1251,6 +1253,20 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
                         ca_list[j]->algo_strength & SSL_STRONG_MASK;
             }
 
+            if (ca_list[j]->algo_strength & SSL_DEFAULT_MASK) {
+                if (algo_strength & SSL_DEFAULT_MASK) {
+                    algo_strength &=
+                        (ca_list[j]->algo_strength & SSL_DEFAULT_MASK) |
+                        ~SSL_DEFAULT_MASK;
+                    if (!(algo_strength & SSL_DEFAULT_MASK)) {
+                        found = 0;
+                        break;
+                    }
+                } else
+                    algo_strength |=
+                        ca_list[j]->algo_strength & SSL_DEFAULT_MASK;
+            }
+
             if (ca_list[j]->valid) {
                 /*
                  * explicit ciphersuite found; its protocol version does not
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index b7c4fe7..544c1ad 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -429,6 +429,7 @@
  */
 # define SSL_EXP_MASK            0x00000003L
 # define SSL_STRONG_MASK         0x000001fcL
+# define SSL_DEFAULT_MASK        0X00000200L
 
 # define SSL_NOT_EXP             0x00000001L
 # define SSL_EXPORT              0x00000002L
@@ -443,7 +444,9 @@
 # define SSL_HIGH                0x00000080L
 # define SSL_FIPS                0x00000100L
 
-/* we have used 000001ff - 23 bits left to go */
+# define SSL_NOT_DEFAULT         0x00000200L
+
+/* we have used 000003ff - 22 bits left to go */
 
 /*-
  * Macros to check the export status and cipher strength for export ciphers.


More information about the openssl-commits mailing list