disable AES ciphersuites unless explicitly requested
authorBodo Möller <bodo@openssl.org>
Sun, 5 May 2002 23:44:27 +0000 (23:44 +0000)
committerBodo Möller <bodo@openssl.org>
Sun, 5 May 2002 23:44:27 +0000 (23:44 +0000)
ssl/ssl.h
ssl/ssl_ciph.c
ssl/tls1.h

index 27d3564..ba9dc4a 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -253,7 +253,7 @@ extern "C" {
 #define SSL_TXT_RC4            "RC4"
 #define SSL_TXT_RC2            "RC2"
 #define SSL_TXT_IDEA           "IDEA"
-#define SSL_TXT_AES            "AES"
+#define SSL_TXT_AES            "AESdraft" /* AES ciphersuites are not yet official (thus excluded from 'ALL') */
 #define SSL_TXT_MD5            "MD5"
 #define SSL_TXT_SHA1           "SHA1"
 #define SSL_TXT_SHA            "SHA"
@@ -266,9 +266,10 @@ extern "C" {
 #define SSL_TXT_TLSV1          "TLSv1"
 #define SSL_TXT_ALL            "ALL"
 
-/* 'DEFAULT' at the start of the cipher list insert the following string
- * in addition to this being the default cipher string */
-#define SSL_DEFAULT_CIPHER_LIST        "ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH"
+/* The following cipher list is used by default.
+ * It also is substituted when an application-defined cipher list string
+ * starts with 'DEFAULT'. */
+#define SSL_DEFAULT_CIPHER_LIST        "ALL:!ADH:@STRENGTH"
 
 /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
 #define SSL_SENT_SHUTDOWN      1
index a7e2ef6..cdd8dde 100644 (file)
@@ -100,8 +100,9 @@ typedef struct cipher_order_st
        } CIPHER_ORDER;
 
 static const SSL_CIPHER cipher_aliases[]={
-       /* Don't include eNULL unless specifically enabled */
-       {0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */
+       /* Don't include eNULL unless specifically enabled.
+        * Similarly, don't include AES in ALL because these ciphers are not yet official. */
+       {0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL & ~SSL_AES, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */
         {0,SSL_TXT_kKRB5,0,SSL_kKRB5,0,0,0,0,SSL_MKEY_MASK,0},  /* VRS Kerberos5 */
        {0,SSL_TXT_kRSA,0,SSL_kRSA,  0,0,0,0,SSL_MKEY_MASK,0},
        {0,SSL_TXT_kDHr,0,SSL_kDHr,  0,0,0,0,SSL_MKEY_MASK,0},
@@ -998,10 +999,10 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
        case SSL_AES:
                switch(cipher->strength_bits)
                        {
-               case 128: enc="AES(128)"; break;
-               case 192: enc="AES(192)"; break;
-               case 256: enc="AES(256)"; break;
-               default: enc="AES(?""?""?)"; break;
+               case 128: enc="AESdraft(128)"; break;
+               case 192: enc="AESdraft(192)"; break;
+               case 256: enc="AESdraft(256)"; break;
+               default: enc="AESdraft(?""?""?)"; break;
                        }
                break;
        default:
index ac5410b..7f59758 100644 (file)
@@ -127,19 +127,19 @@ extern "C" {
 #define TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA    "EXP1024-DHE-DSS-RC4-SHA"
 #define TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA              "DHE-DSS-RC4-SHA"
   /* AES ciphersuites from draft ietf-tls-ciphersuite-03.txt */
-#define TLS1_TXT_RSA_WITH_AES_128_SHA                  "AES128-SHA"
-#define TLS1_TXT_DH_DSS_WITH_AES_128_SHA               "DH-DSS-AES128-SHA"
-#define TLS1_TXT_DH_RSA_WITH_AES_128_SHA               "DH-RSA-AES128-SHA"
-#define TLS1_TXT_DHE_DSS_WITH_AES_128_SHA              "DHE-DSS-AES128-SHA"
-#define TLS1_TXT_DHE_RSA_WITH_AES_128_SHA              "DHE-RSA-AES128-SHA"
-#define TLS1_TXT_ADH_WITH_AES_128_SHA                  "ADH-AES128-SHA"
-
-#define TLS1_TXT_RSA_WITH_AES_256_SHA                  "AES256-SHA"
-#define TLS1_TXT_DH_DSS_WITH_AES_256_SHA               "DH-DSS-AES256-SHA"
-#define TLS1_TXT_DH_RSA_WITH_AES_256_SHA               "DH-RSA-AES256-SHA"
-#define TLS1_TXT_DHE_DSS_WITH_AES_256_SHA              "DHE-DSS-AES256-SHA"
-#define TLS1_TXT_DHE_RSA_WITH_AES_256_SHA              "DHE-RSA-AES256-SHA"
-#define TLS1_TXT_ADH_WITH_AES_256_SHA                  "ADH-AES256-SHA"
+#define TLS1_TXT_RSA_WITH_AES_128_SHA                  "AESdraft128-SHA"
+#define TLS1_TXT_DH_DSS_WITH_AES_128_SHA               "DH-DSS-AESdraft128-SHA"
+#define TLS1_TXT_DH_RSA_WITH_AES_128_SHA               "DH-RSA-AESdraft128-SHA"
+#define TLS1_TXT_DHE_DSS_WITH_AES_128_SHA              "DHE-DSS-AESdraft128-SHA"
+#define TLS1_TXT_DHE_RSA_WITH_AES_128_SHA              "DHE-RSA-AESdraft128-SHA"
+#define TLS1_TXT_ADH_WITH_AES_128_SHA                  "ADH-AESdraft128-SHA"
+
+#define TLS1_TXT_RSA_WITH_AES_256_SHA                  "AESdraft256-SHA"
+#define TLS1_TXT_DH_DSS_WITH_AES_256_SHA               "DH-DSS-AESdraft256-SHA"
+#define TLS1_TXT_DH_RSA_WITH_AES_256_SHA               "DH-RSA-AESdraft256-SHA"
+#define TLS1_TXT_DHE_DSS_WITH_AES_256_SHA              "DHE-DSS-AESdraft256-SHA"
+#define TLS1_TXT_DHE_RSA_WITH_AES_256_SHA              "DHE-RSA-AESdraft256-SHA"
+#define TLS1_TXT_ADH_WITH_AES_256_SHA                  "ADH-AESdraft256-SHA"
 
 
 #define TLS_CT_RSA_SIGN                        1