-#define SSL_EXP_MASK 0x00300000L
-#define SSL_EXP40 0x00100000L
-#define SSL_NOT_EXP 0x00200000L
-#define SSL_EXP56 0x00300000L
-#define SSL_IS_EXPORT(a) ((a)&SSL_EXP40)
-#define SSL_IS_EXPORT56(a) (((a)&SSL_EXP_MASK) == SSL_EXP56)
-#define SSL_IS_EXPORT40(a) (((a)&SSL_EXP_MASK) == SSL_EXP40)
-#define SSL_C_IS_EXPORT(c) SSL_IS_EXPORT((c)->algorithms)
-#define SSL_C_IS_EXPORT56(c) SSL_IS_EXPORT56((c)->algorithms)
-#define SSL_C_IS_EXPORT40(c) SSL_IS_EXPORT40((c)->algorithms)
-#define SSL_EXPORT_KEYLENGTH(a) (SSL_IS_EXPORT40(a) ? 5 : \
+#define SSL_SSL_MASK 0x00180000L
+#define SSL_SSLV2 0x00080000L
+#define SSL_SSLV3 0x00100000L
+#define SSL_TLSV1 SSL_SSLV3 /* for now */
+
+/* we have used 001fffff - 11 bits left to go */
+
+/*
+ * Export and cipher strength information. For each cipher we have to decide
+ * whether it is exportable or not. This information is likely to change
+ * over time, since the export control rules are no static technical issue.
+ *
+ * Independent of the export flag the cipher strength is sorted into classes.
+ * SSL_EXP40 was denoting the 40bit US export limit of past times, which now
+ * is at 56bit (SSL_EXP56). If the exportable cipher class is going to change
+ * again (eg. to 64bit) the use of "SSL_EXP*" becomes blurred even more,
+ * since SSL_EXP64 could be similar to SSL_LOW.
+ * For this reason SSL_MICRO and SSL_MINI macros are included to widen the
+ * namespace of SSL_LOW-SSL_HIGH to lower values. As development of speed
+ * and ciphers goes, another extension to SSL_SUPER and/or SSL_ULTRA would
+ * be possible.
+ */
+#define SSL_EXP_MASK 0x00000003L
+#define SSL_NOT_EXP 0x00000001L
+#define SSL_EXPORT 0x00000002L
+
+#define SSL_STRONG_MASK 0x0000007cL
+#define SSL_EXP40 0x00000004L
+#define SSL_MICRO (SSL_EXP40)
+#define SSL_EXP56 0x00000008L
+#define SSL_MINI (SSL_EXP56)
+#define SSL_LOW 0x00000010L
+#define SSL_MEDIUM 0x00000020L
+#define SSL_HIGH 0x00000040L
+
+/* we have used 0000007f - 25 bits left to go */
+
+/*
+ * Macros to check the export status and cipher strength for export ciphers.
+ * Even though the macros for EXPORT and EXPORT40/56 have similar names,
+ * their meaning is different:
+ * *_EXPORT macros check the 'exportable' status.
+ * *_EXPORT40/56 macros are used to check whether a certain cipher strength
+ * is given.
+ * Since the SSL_IS_EXPORT* and SSL_EXPORT* macros depend on the correct
+ * algorithm structure element to be passed (algorithms, algo_strength) and no
+ * typechecking can be done as they are all of type unsigned long, their
+ * direct usage is discouraged.
+ * Use the SSL_C_* macros instead.
+ */
+#define SSL_IS_EXPORT(a) ((a)&SSL_EXPORT)
+#define SSL_IS_EXPORT56(a) ((a)&SSL_EXP56)
+#define SSL_IS_EXPORT40(a) ((a)&SSL_EXP40)
+#define SSL_C_IS_EXPORT(c) SSL_IS_EXPORT((c)->algo_strength)
+#define SSL_C_IS_EXPORT56(c) SSL_IS_EXPORT56((c)->algo_strength)
+#define SSL_C_IS_EXPORT40(c) SSL_IS_EXPORT40((c)->algo_strength)
+
+#define SSL_EXPORT_KEYLENGTH(a,s) (SSL_IS_EXPORT40(s) ? 5 : \