From c6ccf055ba151c348bb0026e05a83b0135e40518 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lutz=20J=C3=A4nicke?= Date: Fri, 19 Jul 2002 19:55:34 +0000 Subject: [PATCH] New cipher selection options COMPLEMENTOFALL and COMPLEMENTOFDEFAULT. Submitted by: Reviewed by: PR: 127 --- CHANGES | 5 +++++ doc/apps/ciphers.pod | 24 ++++++++++++++++++++++++ ssl/ssl.h | 17 +++++++++++++++++ ssl/ssl_ciph.c | 2 ++ 4 files changed, 48 insertions(+) diff --git a/CHANGES b/CHANGES index 89ec06fe85..ff7e676a8e 100644 --- a/CHANGES +++ b/CHANGES @@ -101,6 +101,11 @@ Changes between 0.9.6e and 0.9.7 [XX xxx 2002] + *) Add cipher selection rules COMPLEMENTOFALL and COMPLENENTOFDEFAULT + to allow version independent disabling of normally unselected ciphers, + which may be activated as a side-effect of selecting a single cipher. + [Lutz Jaenicke, Bodo Moeller] + *) Add appropriate support for separate platform-dependent build directories. The recommended way to make a platform-dependent build directory is the following (tested on Linux), maybe with diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod index 21077614a7..c90484b70e 100644 --- a/doc/apps/ciphers.pod +++ b/doc/apps/ciphers.pod @@ -108,10 +108,20 @@ the default cipher list. This is determined at compile time and is normally B. This must be the first cipher string specified. +=item B + +the ciphers not enabled by default, currently being B. This rule does not +cover B, which is not included by B and is therefore be handled by +B. + =item B all ciphers suites except the B ciphers which must be explicitly enabled. +=item B + +the cipher suites not enabled by B, currently being B. + =item B "high" encryption cipher suites. This currently means those with key lengths larger 
@@ -339,8 +349,22 @@ Include only 3DES ciphers and then place RSA ciphers last: openssl ciphers -v '3DES:+RSA' +Include all RC4 ciphers but leave out those without authentication: + + openssl ciphers -v 'RC4:!COMPLEMENTOFDEFAULT' + +Include all chiphers with RSA authentication but leave out ciphers without +encryption. + + openssl ciphers -v 'RSA:!COMPLEMENTOFALL' + =head1 SEE ALSO L, L, L +=head1 HISTORY + +The B and B selection options were +added in version 0.9.7. + =cut diff --git a/ssl/ssl.h b/ssl/ssl.h index bb2eda0b5c..7947a56c64 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -266,6 +266,23 @@ extern "C" { #define SSL_TXT_TLSV1 "TLSv1" #define SSL_TXT_ALL "ALL" +/* + * COMPLEMENTOF* definitions. These identifiers are used to (de-select) + * ciphers normally not being used. + * Example: "RC4" will activate all ciphers using RC4 including ciphers + * without authentication, which would normally disabled by DEFAULT (due + * the "!ADH" being part of default). Therefore "RC4:!COMPLEMENTOFDEFAULT" + * will make sure that it is also disabled in the specific selection. + * COMPLEMENTOF* identifiers are portable between version, as adjustments + * to the default cipher setup will also be included here. + * + * COMPLEMENTOFDEFAULT does not experience the same special treatment that + * DEFAULT gets, as only selection is being done and no sorting as needed + * for DEFAULT. + */ +#define SSL_TXT_CMPALL "COMPLEMENTOFALL" +#define SSL_TXT_CMPDEF "COMPLEMENTOFDEFAULT" + /* The following cipher list is used by default. * It also is substituted when an application-defined cipher list string * starts with 'DEFAULT'. */ diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index a1cef72082..37f58886a6 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c 
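Review bot: The new comment block in ssl.h states that COMPLEMENTOF* identifiers are "portable between version, as adjustments to the default cipher setup will also be included here", but the header only defines the two name strings and nothing in it ties them to `SSL_DEFAULT_CIPHER_LIST`, so that sentence reads as a guarantee the code does not enforce. I would phrase it as a maintenance obligation instead, e.g. ` * Whenever SSL_DEFAULT_CIPHER_LIST is changed, the COMPLEMENTOFDEFAULT alias in ssl_ciph.c must be updated to match.` The same block has grammar slips worth fixing before it ships: "used to (de-select)" should be "used to de-select", "which would normally disabled by DEFAULT (due the "!ADH" being part of default)" should be "which would normally be disabled by DEFAULT (due to the "!ADH" rule in the default list)", and "portable between version" should be "portable between versions".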
@@ -102,6 +102,8 @@ typedef struct cipher_order_st
 static const SSL_CIPHER cipher_aliases[]={
 /* Don't include eNULL unless specifically enabled. */
 {0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */
+ {0,SSL_TXT_CMPALL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0}, /* COMPLEMENT OF ALL */
+ {0,SSL_TXT_CMPDEF,0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK,0},
 {0,SSL_TXT_kKRB5,0,SSL_kKRB5,0,0,0,0,SSL_MKEY_MASK,0}, /* VRS Kerberos5 */
 {0,SSL_TXT_kRSA,0,SSL_kRSA, 0,0,0,0,SSL_MKEY_MASK,0},
 {0,SSL_TXT_kDHr,0,SSL_kDHr, 0,0,0,0,SSL_MKEY_MASK,0},
-- 
GitLab
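Review bot: The new `SSL_TXT_CMPDEF` row encodes the complement of DEFAULT as the fixed bit pattern `SSL_ADH`, with no link to `SSL_DEFAULT_CIPHER_LIST`, so the two can silently drift apart the next time the default list gains another `!` rule, and unlike the `SSL_TXT_ALL` and `SSL_TXT_CMPALL` rows it carries no trailing comment saying what it is. I would name the coupling on the line itself: `{0,SSL_TXT_CMPDEF,0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK,0}, /* COMPLEMENT OF DEFAULT: keep in sync with the "!" rules in SSL_DEFAULT_CIPHER_LIST */`. Note also that the mask given is `SSL_AUTH_MASK` alone, so presumably only the authentication bits of `SSL_ADH` take part in matching and the rule selects every suite with anonymous authentication rather than the exact set the `ADH` alias selects; if that breadth is intended (so any future anonymous suite is covered too), the comment should say so, since `SSL_ADH`'s definition and the `ADH` alias row are outside this hunk. The `cipher_aliases` array opened in this hunk continues past its last line.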