summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBodo Möller <bodo@openssl.org>2006-06-14 17:40:31 +0000
committerBodo Möller <bodo@openssl.org>2006-06-14 17:40:31 +0000
commit89bbe14c506b9bd2fd00e6bae22a99ef1ee7ad19 (patch)
tree5b2e860f61305a0e06452569743e56d07db61790
parent6635b48cd15942a4ae5b43e638eff1db2b41122b (diff)
Ciphersuite string bugfixes, and ECC-related (re-)definitions.
Diffstat
-rw-r--r--CHANGES33
-rw-r--r--ssl/d1_srvr.c4
-rw-r--r--ssl/s3_clnt.c12
-rw-r--r--ssl/s3_lib.c103
-rw-r--r--ssl/s3_srvr.c21
-rw-r--r--ssl/ssl.h45
-rw-r--r--ssl/ssl3.h22
-rw-r--r--ssl/ssl_ciph.c128
-rw-r--r--ssl/ssl_lib.c18
-rw-r--r--ssl/ssl_locl.h42
-rw-r--r--ssl/t1_lib.c6
11 files changed, 252 insertions, 182 deletions
diff --git a/CHANGES b/CHANGES
index 037c9165f7..2cf3cd22b2 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,39 @@
Changes between 0.9.8b and 0.9.9 [xx XXX xxxx]
+ *) Various modifications and fixes to SSL/TLS cipher string
+ handling. For ECC, the code now distinguishes between fixed ECDH
+ with RSA certificates on the one hand and with ECDSA certificates
+ on the other hand, since these are separate ciphersuites. The
+ unused code for Fortezza ciphersuites has been removed.
+
+ For consistency with EDH, ephemeral ECDH is now called "EECDH"
+ (not "ECDHE"). For consistency with the code for DH
+ certificates, use of ECDH certificates is now considered ECDH
+ authentication, not RSA or ECDSA authentication (the latter is
+ merely the CA's signing algorithm and not actively used in the
+ protocol).
+
+ The temporary ciphersuite alias "ECCdraft" is no longer
+ available, and ECC ciphersuites are no longer excluded from "ALL"
+ and "DEFAULT". The following aliases now exist for RFC 4492
+ ciphersuites, most of these by analogy with the DH case:
+
+ kECDHr - ECDH cert, signed with RSA
+ kECDHe - ECDH cert, signed with ECDSA
+ kECDH - ECDH cert (signed with either RSA or ECDSA)
+ kEECDH - ephemeral ECDH
+ ECDH - ECDH cert or ephemeral ECDH
+
+ aECDH - ECDH cert
+ aECDSA - ECDSA cert
+ ECDSA - ECDSA cert
+
+ AECDH - anonymous ECDH
+ EECDH - non-anonymous ephemeral ECDH (equivalent to "kEECDH:-AECDH")
+
+ [Bodo Moeller]
+
*) Add additional S/MIME capabilities for AES and GOST ciphers if supported.
Use correct micalg parameters depending on digest(s) in signed message.
[Steve Henson]
diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index 962ae5688d..67baf80dc2 100644
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -333,10 +333,10 @@ int dtls1_accept(SSL *s)
else
s->s3->tmp.use_rsa_tmp=0;
- /* only send if a DH key exchange, fortezza or
+ /* only send if a DH key exchange or
* RSA but we have a sign only certificate */
if (s->s3->tmp.use_rsa_tmp
- || (l & (SSL_DH|SSL_kFZA))
+ || (l & SSL_DH)
|| ((l & SSL_kRSA)
&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
|| (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 1b9b586f96..e84dbf5aa6 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1308,7 +1308,7 @@ int ssl3_get_key_exchange(SSL *s)
#endif /* !OPENSSL_NO_DH */
#ifndef OPENSSL_NO_ECDH
- else if (alg & SSL_kECDHE)
+ else if (alg & SSL_kEECDH)
{
EC_GROUP *ngroup;
const EC_GROUP *group;
@@ -1407,19 +1407,13 @@ int ssl3_get_key_exchange(SSL *s)
EC_POINT_free(srvr_ecpoint);
srvr_ecpoint = NULL;
}
- else if (alg & SSL_kECDH)
+ else if (alg)
{
al=SSL_AD_UNEXPECTED_MESSAGE;
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
goto f_err;
}
#endif /* !OPENSSL_NO_ECDH */
- if (alg & SSL_aFZA)
- {
- al=SSL_AD_HANDSHAKE_FAILURE;
- SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
- goto f_err;
- }
/* p points to the next byte, there are 'n' bytes left */
@@ -2009,7 +2003,7 @@ int ssl3_send_client_key_exchange(SSL *s)
#endif
#ifndef OPENSSL_NO_ECDH
- else if ((l & SSL_kECDH) || (l & SSL_kECDHE))
+ else if ((l & SSL_kECDH) || (l & SSL_kEECDH))
{
const EC_GROUP *srvr_group = NULL;
EC_KEY *tkey;
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 63edc36442..e2d2f913db 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -317,7 +317,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
},
/* Cipher 0C */
{
- 0,
+ 0, /* not implemented (non-ephemeral DH) */
SSL3_TXT_DH_DSS_DES_64_CBC_SHA,
SSL3_CK_DH_DSS_DES_64_CBC_SHA,
SSL_kDHd |SSL_aDH|SSL_DES |SSL_SHA1|SSL_SSLV3,
@@ -330,7 +330,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
},
/* Cipher 0D */
{
- 0,
+ 0, /* not implemented (non-ephemeral DH) */
SSL3_TXT_DH_DSS_DES_192_CBC3_SHA,
SSL3_CK_DH_DSS_DES_192_CBC3_SHA,
SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
@@ -343,7 +343,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
},
/* Cipher 0E */
{
- 0,
+ 0, /* not implemented (non-ephemeral DH) */
SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
SSL3_CK_DH_RSA_DES_40_CBC_SHA,
SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3,
@@ -356,7 +356,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
},
/* Cipher 0F */
{
- 0,
+ 0, /* not implemented (non-ephemeral DH) */
SSL3_TXT_DH_RSA_DES_64_CBC_SHA,
SSL3_CK_DH_RSA_DES_64_CBC_SHA,
SSL_kDHr |SSL_aDH|SSL_DES |SSL_SHA1|SSL_SSLV3,
@@ -369,7 +369,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
},
/* Cipher 10 */
{
- 0,
+ 0, /* not implemented (non-ephemeral DH) */
SSL3_TXT_DH_RSA_DES_192_CBC3_SHA,
SSL3_CK_DH_RSA_DES_192_CBC3_SHA,
SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
@@ -526,7 +526,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL_ALL_STRENGTHS,
},
-/* Fortezza */
+/* Fortezza ciphersuite from SSL 3.0 spec */
+#if 0
/* Cipher 1C */
{
0,
@@ -555,7 +556,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL_ALL_STRENGTHS,
},
-#if 0
/* Cipher 1E */
{
0,
@@ -576,7 +576,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
** 20000107 VRS: And the first shall be last,
** in hopes of avoiding the lynx ssl renegotiation problem.
*/
-/* Cipher 1E VRS */
+/* Cipher 1E */
{
1,
SSL3_TXT_KRB5_DES_64_CBC_SHA,
@@ -590,7 +590,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL_ALL_STRENGTHS,
},
-/* Cipher 1F VRS */
+/* Cipher 1F */
{
1,
SSL3_TXT_KRB5_DES_192_CBC3_SHA,
@@ -604,7 +604,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL_ALL_STRENGTHS,
},
-/* Cipher 20 VRS */
+/* Cipher 20 */
{
1,
SSL3_TXT_KRB5_RC4_128_SHA,
@@ -618,7 +618,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL_ALL_STRENGTHS,
},
-/* Cipher 21 VRS */
+/* Cipher 21 */
{
1,
SSL3_TXT_KRB5_IDEA_128_CBC_SHA,
@@ -632,7 +632,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL_ALL_STRENGTHS,
},
-/* Cipher 22 VRS */
+/* Cipher 22 */
{
1,
SSL3_TXT_KRB5_DES_64_CBC_MD5,
@@ -646,7 +646,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL_ALL_STRENGTHS,
},
-/* Cipher 23 VRS */
+/* Cipher 23 */
{
1,
SSL3_TXT_KRB5_DES_192_CBC3_MD5,
@@ -660,7 +660,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL_ALL_STRENGTHS,
},
-/* Cipher 24 VRS */
+/* Cipher 24 */
{
1,
SSL3_TXT_KRB5_RC4_128_MD5,
@@ -674,7 +674,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL_ALL_STRENGTHS,
},
-/* Cipher 25 VRS */
+/* Cipher 25 */
{
1,
SSL3_TXT_KRB5_IDEA_128_CBC_MD5,
@@ -688,7 +688,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL_ALL_STRENGTHS,
},
-/* Cipher 26 VRS */
+/* Cipher 26 */
{
1,
SSL3_TXT_KRB5_DES_40_CBC_SHA,
@@ -702,7 +702,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL_ALL_STRENGTHS,
},
-/* Cipher 27 VRS */
+/* Cipher 27 */
{
1,
SSL3_TXT_KRB5_RC2_40_CBC_SHA,
@@ -716,7 +716,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL_ALL_STRENGTHS,
},
-/* Cipher 28 VRS */
+/* Cipher 28 */
{
1,
SSL3_TXT_KRB5_RC4_40_SHA,
@@ -730,7 +730,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL_ALL_STRENGTHS,
},
-/* Cipher 29 VRS */
+/* Cipher 29 */
{
1,
SSL3_TXT_KRB5_DES_40_CBC_MD5,
@@ -744,7 +744,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL_ALL_STRENGTHS,
},
-/* Cipher 2A VRS */
+/* Cipher 2A */
{
1,
SSL3_TXT_KRB5_RC2_40_CBC_MD5,
@@ -758,7 +758,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL_ALL_STRENGTHS,
},
-/* Cipher 2B VRS */
+/* Cipher 2B */
{
1,
SSL3_TXT_KRB5_RC4_40_MD5,
@@ -772,8 +772,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL_ALL_STRENGTHS,
},
#endif /* OPENSSL_NO_KRB5 */
-/* New AES ciphersuites */
+/* New AES ciphersuites */
/* Cipher 2F */
{
1,
@@ -881,7 +881,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
},
/* Cipher 37 */
{
- 0,
+ 0, /* not implemented (non-ephemeral DH) */
TLS1_TXT_DH_RSA_WITH_AES_256_SHA,
TLS1_CK_DH_RSA_WITH_AES_256_SHA,
SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
@@ -1252,13 +1252,14 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL_ALL_STRENGTHS,
},
#endif /* OPENSSL_NO_PSK */
+
#ifndef OPENSSL_NO_ECDH
/* Cipher C001 */
{
1,
TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA,
TLS1_CK_ECDH_ECDSA_WITH_NULL_SHA,
- SSL_kECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA|SSL_TLSV1,
+ SSL_kECDHe|SSL_aECDH|SSL_eNULL|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP,
0,
0,
@@ -1272,7 +1273,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1,
TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA,
TLS1_CK_ECDH_ECDSA_WITH_RC4_128_SHA,
- SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
+ SSL_kECDHe|SSL_aECDH|SSL_RC4|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP,
0,
128,
@@ -1286,7 +1287,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1,
TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA,
TLS1_CK_ECDH_ECDSA_WITH_DES_192_CBC3_SHA,
- SSL_kECDH|SSL_aECDSA|SSL_3DES|SSL_SHA|SSL_TLSV1,
+ SSL_kECDHe|SSL_aECDH|SSL_3DES|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
0,
168,
@@ -1300,7 +1301,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1,
TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS1_CK_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
- SSL_kECDH|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1,
+ SSL_kECDHe|SSL_aECDH|SSL_AES|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
0,
128,
@@ -1314,7 +1315,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1,
TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS1_CK_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
- SSL_kECDH|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1,
+ SSL_kECDHe|SSL_aECDH|SSL_AES|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
0,
256,
@@ -1328,7 +1329,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1,
TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA,
TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA,
- SSL_kECDHE|SSL_aECDSA|SSL_eNULL|SSL_SHA|SSL_TLSV1,
+ SSL_kEECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP,
0,
0,
@@ -1342,7 +1343,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1,
TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA,
- SSL_kECDHE|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
+ SSL_kEECDH|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP,
0,
128,
@@ -1356,7 +1357,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1,
TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
- SSL_kECDHE|SSL_aECDSA|SSL_3DES|SSL_SHA|SSL_TLSV1,
+ SSL_kEECDH|SSL_aECDSA|SSL_3DES|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
0,
168,
@@ -1370,7 +1371,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1,
TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
- SSL_kECDHE|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1,
+ SSL_kEECDH|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
0,
128,
@@ -1384,7 +1385,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1,
TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
- SSL_kECDHE|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1,
+ SSL_kEECDH|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
0,
256,
@@ -1398,7 +1399,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1,
TLS1_TXT_ECDH_RSA_WITH_NULL_SHA,
TLS1_CK_ECDH_RSA_WITH_NULL_SHA,
- SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA|SSL_TLSV1,
+ SSL_kECDHr|SSL_aECDH|SSL_eNULL|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP,
0,
0,
@@ -1412,7 +1413,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1,
TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA,
TLS1_CK_ECDH_RSA_WITH_RC4_128_SHA,
- SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
+ SSL_kECDHr|SSL_aECDH|SSL_RC4|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP,
0,
128,
@@ -1426,7 +1427,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1,
TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA,
TLS1_CK_ECDH_RSA_WITH_DES_192_CBC3_SHA,
- SSL_kECDH|SSL_aRSA|SSL_3DES|SSL_SHA|SSL_TLSV1,
+ SSL_kECDHr|SSL_aECDH|SSL_3DES|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
0,
168,
@@ -1440,7 +1441,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1,
TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS1_CK_ECDH_RSA_WITH_AES_128_CBC_SHA,
- SSL_kECDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
+ SSL_kECDHr|SSL_aECDH|SSL_AES|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
0,
128,
@@ -1454,7 +1455,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1,
TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA,
TLS1_CK_ECDH_RSA_WITH_AES_256_CBC_SHA,
- SSL_kECDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
+ SSL_kECDHr|SSL_aECDH|SSL_AES|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
0,
256,
@@ -1468,7 +1469,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1,
TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA,
TLS1_CK_ECDHE_RSA_WITH_NULL_SHA,
- SSL_kECDHE|SSL_aRSA|SSL_eNULL|SSL_SHA|SSL_TLSV1,
+ SSL_kEECDH|SSL_aRSA|SSL_eNULL|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP,
0,
0,
@@ -1482,7 +1483,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1,
TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA,
TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA,
- SSL_kECDHE|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
+ SSL_kEECDH|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP,
0,
128,
@@ -1496,7 +1497,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1,
TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
- SSL_kECDHE|SSL_aRSA|SSL_3DES|SSL_SHA|SSL_TLSV1,
+ SSL_kEECDH|SSL_aRSA|SSL_3DES|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
0,
168,
@@ -1510,7 +1511,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1,
TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
- SSL_kECDHE|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
+ SSL_kEECDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
0,
128,
@@ -1524,7 +1525,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1,
TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
- SSL_kECDHE|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
+ SSL_kEECDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
0,
256,
@@ -1538,7 +1539,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1,
TLS1_TXT_ECDH_anon_WITH_NULL_SHA,
TLS1_CK_ECDH_anon_WITH_NULL_SHA,
- SSL_kECDHE|SSL_aNULL|SSL_eNULL|SSL_SHA|SSL_TLSV1,
+ SSL_kEECDH|SSL_aNULL|SSL_eNULL|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP,
0,
0,
@@ -1552,7 +1553,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1,
TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA,
TLS1_CK_ECDH_anon_WITH_RC4_128_SHA,
- SSL_kECDHE|SSL_aNULL|SSL_RC4|SSL_SHA|SSL_TLSV1,
+ SSL_kEECDH|SSL_aNULL|SSL_RC4|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP,
0,
128,
@@ -1566,7 +1567,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1,
TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA,
TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA,
- SSL_kECDHE|SSL_aNULL|SSL_3DES|SSL_SHA|SSL_TLSV1,
+ SSL_kEECDH|SSL_aNULL|SSL_3DES|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
0,
168,
@@ -1580,7 +1581,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1,
TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA,
TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA,
- SSL_kECDHE|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
+ SSL_kEECDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
0,
128,
@@ -1594,7 +1595,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1,
TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA,
TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA,
- SSL_kECDHE|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
+ SSL_kEECDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
0,
256,
@@ -2410,7 +2411,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
}
if (
/* if we are considering an ECC cipher suite that uses an ephemeral EC key */
- ((alg & SSL_kECDH) || (alg & SSL_kECDHE))
+ ((alg & SSL_kECDH) || (alg & SSL_kEECDH))
/* and we have an ephemeral EC key */
&& (s->cert->ecdh_tmp != NULL)
/* and the client specified an EllipticCurves extension */
@@ -2505,7 +2506,7 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
#endif
#ifndef OPENSSL_NO_ECDH
/* We should ask for fixed ECDH certificates only
- * for SSL_kECDH (and not SSL_kECDHE)
+ * for SSL_kECDH (and not SSL_kEECDH)
*/
if ((alg & SSL_kECDH) && (s->version >= TLS1_VERSION))
{
@@ -2516,7 +2517,7 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
#ifndef OPENSSL_NO_ECDSA
/* ECDSA certs can be used with RSA cipher suites as well
- * so we don't need to check for SSL_kECDH or SSL_kECDHE
+ * so we don't need to check for SSL_kECDH or SSL_kEECDH
*/
if (s->version >= TLS1_VERSION)
{
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index bfbf951f72..b4b95c3edb 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -365,7 +365,7 @@ int ssl3_accept(SSL *s)
* For ECC ciphersuites, we send a serverKeyExchange
* message only if the cipher suite is either
* ECDH-anon or ECDHE. In other cases, the
- * server certificate contains the server's
+ * server certificate contains the server's
* public key for key exchange.
*/
if (s->s3->tmp.use_rsa_tmp
@@ -374,8 +374,7 @@ int ssl3_accept(SSL *s)
#ifndef OPENSSL_NO_PSK
|| ((l & SSL_kPSK) && s->ctx->psk_identity_hint)
#endif
- || (l & SSL_kECDHE)
- || (l & (SSL_DH|SSL_kFZA))
+ || (l & SSL_kEECDH)
|| ((l & SSL_kRSA)
&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
|| (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
@@ -481,7 +480,7 @@ int ssl3_accept(SSL *s)
case SSL3_ST_SR_KEY_EXCH_A:
case SSL3_ST_SR_KEY_EXCH_B:
ret=ssl3_get_client_key_exchange(s);
- if (ret <= 0)
+ if (ret <= 0)
goto end;
if (ret == 2)
{
@@ -493,14 +492,14 @@ int ssl3_accept(SSL *s)
s->state=SSL3_ST_SR_FINISHED_A;
s->init_num = 0;
}
- else
+ else
{
s->state=SSL3_ST_SR_CERT_VRFY_A;
s->init_num=0;
/* We need to get hashes here so if there is
* a client cert, it can be verified
- */
+ */
s->method->ssl3_enc->cert_verify_mac(s,
&(s->s3->finish_dgst1),
&(s->s3->tmp.cert_verify_md[0]));
@@ -735,7 +734,7 @@ int ssl3_get_client_hello(SSL *s)
if (s->client_version < s->version)
{
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
- if ((s->client_version>>8) == SSL3_VERSION_MAJOR)
+ if ((s->client_version>>8) == SSL3_VERSION_MAJOR)
{
/* similar to ssl3_get_record, send alert using remote version number */
s->version = s->client_version;
@@ -1302,7 +1301,7 @@ int ssl3_send_server_key_exchange(SSL *s)
else
#endif
#ifndef OPENSSL_NO_ECDH
- if (type & SSL_kECDHE)
+ if (type & SSL_kEECDH)
{
const EC_GROUP *group;
@@ -1481,7 +1480,7 @@ int ssl3_send_server_key_exchange(SSL *s)
}
#ifndef OPENSSL_NO_ECDH
- if (type & SSL_kECDHE)
+ if (type & SSL_kEECDH)
{
/* XXX: For now, we only support named (not generic) curves.
* In this situation, the serverKeyExchange message has:
@@ -2088,7 +2087,7 @@ int ssl3_get_client_key_exchange(SSL *s)
#endif /* OPENSSL_NO_KRB5 */
#ifndef OPENSSL_NO_ECDH
- if ((l & SSL_kECDH) || (l & SSL_kECDHE))
+ if ((l & SSL_kECDH) || (l & SSL_kEECDH))
{
int ret = 1;
int field_size = 0;
@@ -2141,7 +2140,7 @@ int ssl3_get_client_key_exchange(SSL *s)
{
/* Client Publickey was in Client Certificate */
- if (l & SSL_kECDHE)
+ if (l & SSL_kEECDH)
{
al=SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY);
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 0278b03cfd..94724e7fff 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -277,31 +277,43 @@ extern "C" {
#define SSL_TXT_LOW "LOW"
#define SSL_TXT_MEDIUM "MEDIUM"
#define SSL_TXT_HIGH "HIGH"
-#define SSL_TXT_kFZA "kFZA"
-#define SSL_TXT_aFZA "aFZA"
-#define SSL_TXT_eFZA "eFZA"
-#define SSL_TXT_FZA "FZA"
+#define SSL_TXT_kFZA "kFZA" /* unused! */
+#define SSL_TXT_aFZA "aFZA" /* unused! */
+#define SSL_TXT_eFZA "eFZA" /* unused! */
+#define SSL_TXT_FZA "FZA" /* unused! */
#define SSL_TXT_aNULL "aNULL"
#define SSL_TXT_eNULL "eNULL"
#define SSL_TXT_NULL "NULL"
-#define SSL_TXT_kKRB5 "kKRB5"
-#define SSL_TXT_aKRB5 "aKRB5"
-#define SSL_TXT_KRB5 "KRB5"
-
#define SSL_TXT_kRSA "kRSA"
-#define SSL_TXT_kDHr "kDHr"
-#define SSL_TXT_kDHd "kDHd"
+#define SSL_TXT_kDHr "kDHr" /* no such ciphersuites supported! */
+#define SSL_TXT_kDHd "kDHd" /* no such ciphersuites supported! */
#define SSL_TXT_kEDH "kEDH"
+#define SSL_TXT_kKRB5 "kKRB5"
+#define SSL_TXT_kECDHr "kECDHr"
+#define SSL_TXT_kECDHe "kECDHe"
+#define SSL_TXT_kECDH "kECDH"
+#define SSL_TXT_kEECDH "kEECDH"
+#define SSL_TXT_kPSK "kPSK"
+
#define SSL_TXT_aRSA "aRSA"
#define SSL_TXT_aDSS "aDSS"
-#define SSL_TXT_aDH "aDH"
+#define SSL_TXT_aDH "aDH" /* no such ciphersuites supported! */
+#define SSL_TXT_aECDH "aECDH"
+#define SSL_TXT_aKRB5 "aKRB5"
+#define SSL_TXT_aECDSA "aECDSA"
+#define SSL_TXT_aPSK "aPSK"
+
#define SSL_TXT_DSS "DSS"
#define SSL_TXT_DH "DH"
-#define SSL_TXT_EDH "EDH"
+#define SSL_TXT_EDH "EDH" /* same as "kEDH:-ADH" */
#define SSL_TXT_ADH "ADH"
#define SSL_TXT_RSA "RSA"
+#define SSL_TXT_ECDH "ECDH"
+#define SSL_TXT_EECDH "EECDH" /* same as "kEECDH:-AECDH" */
+#define SSL_TXT_AECDH "AECDH"
+#define SSL_TXT_ECDSA "ECDSA"
#define SSL_TXT_DES "DES"
#define SSL_TXT_3DES "3DES"
#define SSL_TXT_RC4 "RC4"
@@ -319,11 +331,10 @@ extern "C" {
#define SSL_TXT_SSLV2 "SSLv2"
#define SSL_TXT_SSLV3 "SSLv3"
#define SSL_TXT_TLSV1 "TLSv1"
-#define SSL_TXT_ALL "ALL"
-#define SSL_TXT_ECC "ECCdraft" /* ECC ciphersuites are not yet official */
+#define SSL_TXT_KRB5 "KRB5"
#define SSL_TXT_PSK "PSK"
-#define SSL_TXT_kPSK "kPSK"
-#define SSL_TXT_aPSK "aPSK"
+
+#define SSL_TXT_ALL "ALL"
/*
* COMPLEMENTOF* definitions. These identifiers are used to (de-select)
@@ -345,7 +356,7 @@ extern "C" {
/* The following cipher list is used by default.
* It also is substituted when an application-defined cipher list string
* starts with 'DEFAULT'. */
-#define SSL_DEFAULT_CIPHER_LIST "AES:CAMELLIA:ALL:!ADH:+RC4:@STRENGTH" /* low priority for RC4 */
+#define SSL_DEFAULT_CIPHER_LIST "AES:CAMELLIA:ALL:!ADH:!AECDH:+RC4:@STRENGTH" /* low priority for RC4 */
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
#define SSL_SENT_SHUTDOWN 1
diff --git a/ssl/ssl3.h b/ssl/ssl3.h
index 6475d82af4..2129759623 100644
--- a/ssl/ssl3.h
+++ b/ssl/ssl3.h
@@ -159,12 +159,14 @@ extern "C" {
#define SSL3_CK_ADH_DES_64_CBC_SHA 0x0300001A
#define SSL3_CK_ADH_DES_192_CBC_SHA 0x0300001B
-#define SSL3_CK_FZA_DMS_NULL_SHA 0x0300001C
-#define SSL3_CK_FZA_DMS_FZA_SHA 0x0300001D
-#if 0 /* Because it clashes with KRB5, is never used any more, and is safe
- to remove according to David Hopwood <david.hopwood@zetnet.co.uk>
- of the ietf-tls list */
-#define SSL3_CK_FZA_DMS_RC4_SHA 0x0300001E
+#if 0
+ #define SSL3_CK_FZA_DMS_NULL_SHA 0x0300001C
+ #define SSL3_CK_FZA_DMS_FZA_SHA 0x0300001D
+ #if 0 /* Because it clashes with KRB5, is never used any more, and is safe
+ to remove according to David Hopwood <david.hopwood@zetnet.co.uk>
+ of the ietf-tls list */
+ #define SSL3_CK_FZA_DMS_RC4_SHA 0x0300001E
+ #endif
#endif
/* VRS Additional Kerberos5 entries
@@ -216,9 +218,11 @@ extern "C" {
#define SSL3_TXT_ADH_DES_64_CBC_SHA "ADH-DES-CBC-SHA"
#define SSL3_TXT_ADH_DES_192_CBC_SHA "ADH-DES-CBC3-SHA"
-#define SSL3_TXT_FZA_DMS_NULL_SHA "FZA-NULL-SHA"
-#define SSL3_TXT_FZA_DMS_FZA_SHA "FZA-FZA-CBC-SHA"
-#define SSL3_TXT_FZA_DMS_RC4_SHA "FZA-RC4-SHA"
+#if 0
+ #define SSL3_TXT_FZA_DMS_NULL_SHA "FZA-NULL-SHA"
+ #define SSL3_TXT_FZA_DMS_FZA_SHA "FZA-FZA-CBC-SHA"
+ #define SSL3_TXT_FZA_DMS_RC4_SHA "FZA-RC4-SHA"
+#endif
#define SSL3_TXT_KRB5_DES_64_CBC_SHA "KRB5-DES-CBC-SHA"
#define SSL3_TXT_KRB5_DES_192_CBC3_SHA "KRB5-DES-CBC3-SHA"
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 545303793f..0320e372c0 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -150,15 +150,12 @@
#define SSL_ENC_RC4_IDX 2
#define SSL_ENC_RC2_IDX 3
#define SSL_ENC_IDEA_IDX 4
-#define SSL_ENC_eFZA_IDX 5
-#define SSL_ENC_NULL_IDX 6
-#define SSL_ENC_AES128_IDX 7
-#define SSL_ENC_AES256_IDX 8
-#define SSL_ENC_NUM_IDX 9
-#define SSL_ENC_CAMELLIA128_IDX 9
-#define SSL_ENC_CAMELLIA256_IDX 10
-#undef SSL_ENC_NUM_IDX
-#define SSL_ENC_NUM_IDX 11
+#define SSL_ENC_NULL_IDX 5
+#define SSL_ENC_AES128_IDX 6
+#define SSL_ENC_AES256_IDX 7
+#define SSL_ENC_CAMELLIA128_IDX 8
+#define SSL_ENC_CAMELLIA256_IDX 9
+#define SSL_ENC_NUM_IDX 10
static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={
@@ -193,31 +190,49 @@ typedef struct cipher_order_st
} CIPHER_ORDER;
static const SSL_CIPHER cipher_aliases[]={
- /* Don't include eNULL unless specifically enabled. */
- /* Don't include ECC in ALL because these ciphers are not yet official. */
- {0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL & ~SSL_kECDH & ~SSL_kECDHE, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */
- /* TODO: COMPLEMENT OF ALL and COMPLEMENT OF DEFAULT do not have ECC cipher suites handled properly. */
- {0,SSL_TXT_CMPALL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0}, /* COMPLEMENT OF ALL */
- {0,SSL_TXT_CMPDEF,0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK,0},
- {0,SSL_TXT_kKRB5,0,SSL_kKRB5,0,0,0,0,SSL_MKEY_MASK,0}, /* VRS Kerberos5 */
+ /* "ALL" must be first; it doesn't include eNULL (must be specifically enabled) */
+ {0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL},
+ /* "COMPLEMENTOFALL" */
+ {0,SSL_TXT_CMPALL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0},
+
+ /* "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in ALL!) */
+ {0,SSL_TXT_CMPDEF,0,SSL_ADH|SSL_AECDH|(SSL_ENC_MASK & ~SSL_eNULL), 0,0,0,0,SSL_AUTH_MASK|SSL_ENC_MASK,0},
+
+ /* Single key exchange bits
+ * (some of these are multiple key exchange algs according to the RFCs,
+ * e.g. kEDH combines DHE_DSS and DHE_RSA) */
{0,SSL_TXT_kRSA,0,SSL_kRSA, 0,0,0,0,SSL_MKEY_MASK,0},
- {0,SSL_TXT_kDHr,0,SSL_kDHr, 0,0,0,0,SSL_MKEY_MASK,0},
- {0,SSL_TXT_kDHd,0,SSL_kDHd, 0,0,0,0,SSL_MKEY_MASK,0},
+ {0,SSL_TXT_kDHr,0,SSL_kDHr, 0,0,0,0,SSL_MKEY_MASK,0}, /* no such ciphersuites supported! */
+ {0,SSL_TXT_kDHd,0,SSL_kDHd, 0,0,0,0,SSL_MKEY_MASK,0}, /* no such ciphersuites supported! */
{0,SSL_TXT_kEDH,0,SSL_kEDH, 0,0,0,0,SSL_MKEY_MASK,0},
- {0,SSL_TXT_kFZA,0,SSL_kFZA, 0,0,0,0,SSL_MKEY_MASK,0},
+ {0,SSL_TXT_kKRB5,0,SSL_kKRB5,0,0,0,0,SSL_MKEY_MASK,0},
+ {0,SSL_TXT_kECDHr,0,SSL_kECDHr,0,0,0,0,SSL_MKEY_MASK,0},
+ {0,SSL_TXT_kECDHe,0,SSL_kECDHe,0,0,0,0,SSL_MKEY_MASK,0},
+ {0,SSL_TXT_kEECDH,0,SSL_kEECDH,0,0,0,0,SSL_MKEY_MASK,0},
{0,SSL_TXT_kPSK,0,SSL_kPSK, 0,0,0,0,SSL_MKEY_MASK,0},
+
+ /* More key exchange aliases (combined bits) */
{0,SSL_TXT_DH, 0,SSL_DH, 0,0,0,0,SSL_MKEY_MASK,0},
- {0,SSL_TXT_ECC, 0,(SSL_kECDH|SSL_kECDHE), 0,0,0,0,SSL_MKEY_MASK,0},
{0,SSL_TXT_EDH, 0,SSL_EDH, 0,0,0,0,SSL_MKEY_MASK|SSL_AUTH_MASK,0},
- {0,SSL_TXT_aKRB5,0,SSL_aKRB5,0,0,0,0,SSL_AUTH_MASK,0}, /* VRS Kerberos5 */
+ {0,SSL_TXT_kECDH,0,SSL_kECDH,0,0,0,0,SSL_MKEY_MASK,0},
+ {0,SSL_TXT_ECDH,0,SSL_ECDH, 0,0,0,0,SSL_MKEY_MASK,0},
+ {0,SSL_TXT_EECDH,0,SSL_EECDH,0,0,0,0,SSL_MKEY_MASK|SSL_AUTH_MASK,0},
+
+ /* Single authentication bits */
{0,SSL_TXT_aRSA,0,SSL_aRSA, 0,0,0,0,SSL_AUTH_MASK,0},
{0,SSL_TXT_aDSS,0,SSL_aDSS, 0,0,0,0,SSL_AUTH_MASK,0},
- {0,SSL_TXT_aFZA,0,SSL_aFZA, 0,0,0,0,SSL_AUTH_MASK,0},
- {0,SSL_TXT_aPSK,0,SSL_aPSK, 0,0,0,0,SSL_AUTH_MASK,0},
+ {0,SSL_TXT_aKRB5,0,SSL_aKRB5,0,0,0,0,SSL_AUTH_MASK,0},
{0,SSL_TXT_aNULL,0,SSL_aNULL,0,0,0,0,SSL_AUTH_MASK,0},
- {0,SSL_TXT_aDH, 0,SSL_aDH, 0,0,0,0,SSL_AUTH_MASK,0},
+ {0,SSL_TXT_aDH, 0,SSL_aDH, 0,0,0,0,SSL_AUTH_MASK,0}, /* no such ciphersuites supported! */
+ {0,SSL_TXT_aECDH, 0,SSL_aECDH,0,0,0,0,SSL_AUTH_MASK,0},
+ {0,SSL_TXT_aECDSA, 0,SSL_aECDSA,0,0,0,0,SSL_AUTH_MASK,0},
+ {0,SSL_TXT_aPSK,0,SSL_aPSK, 0,0,0,0,SSL_AUTH_MASK,0},
+
+ /* More authentication aliases */
{0,SSL_TXT_DSS, 0,SSL_DSS, 0,0,0,0,SSL_AUTH_MASK,0},
+ {0,SSL_TXT_ECDSA,0,SSL_ECDSA,0,0,0,0,SSL_AUTH_MASK,0},
+ /* Single encryption bits */
{0,SSL_TXT_DES, 0,SSL_DES, 0,0,0,0,SSL_ENC_MASK,0},
{0,SSL_TXT_3DES,0,SSL_3DES, 0,0,0,0,SSL_ENC_MASK,0},
{0,SSL_TXT_RC4, 0,SSL_RC4, 0,0,0,0,SSL_ENC_MASK,0},
@@ -226,19 +241,20 @@ static const SSL_CIPHER cipher_aliases[]={
{0,SSL_TXT_IDEA,0,SSL_IDEA, 0,0,0,0,SSL_ENC_MASK,0},
#endif
{0,SSL_TXT_eNULL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0},
- {0,SSL_TXT_eFZA,0,SSL_eFZA, 0,0,0,0,SSL_ENC_MASK,0},
{0,SSL_TXT_AES, 0,SSL_AES, 0,0,0,0,SSL_ENC_MASK,0},
{0,SSL_TXT_CAMELLIA, 0,SSL_CAMELLIA, 0,0,0,0,SSL_ENC_MASK,0},
+ /* Single MAC bits */
{0,SSL_TXT_MD5, 0,SSL_MD5, 0,0,0,0,SSL_MAC_MASK,0},
{0,SSL_TXT_SHA1,0,SSL_SHA1, 0,0,0,0,SSL_MAC_MASK,0},
{0,SSL_TXT_SHA, 0,SSL_SHA, 0,0,0,0,SSL_MAC_MASK,0},
+ /* More aliases */
{0,SSL_TXT_NULL,0,SSL_NULL, 0,0,0,0,SSL_ENC_MASK,0},
{0,SSL_TXT_KRB5,0,SSL_KRB5, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
{0,SSL_TXT_RSA, 0,SSL_RSA, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
{0,SSL_TXT_ADH, 0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
- {0,SSL_TXT_FZA, 0,SSL_FZA, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK|SSL_ENC_MASK,0},
+ {0,SSL_TXT_AECDH,0,SSL_AECDH,0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
{0,SSL_TXT_PSK, 0,SSL_PSK, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
{0,SSL_TXT_SSLV2, 0,SSL_SSLV2, 0,0,0,0,SSL_SSL_MASK,0},
@@ -466,7 +482,6 @@ static unsigned long ssl_cipher_get_disabled(void)
{
unsigned long mask;
- mask =