diff options
author | Bodo Möller <bodo@openssl.org> | 2005-12-13 07:41:47 +0000 |
---|---|---|
committer | Bodo Möller <bodo@openssl.org> | 2005-12-13 07:41:47 +0000 |
commit | bc9320452c6846af6b40ee9cbfbb15c17c3dd7ac (patch) | |
tree | c887f9c4eb5e08c60cabede76a5b9ba6b26c25bb /ssl/s3_lib.c | |
parent | 23d43aae27bb16ce35cb4a78598bea67434d5cb9 (diff) |
update TLS-ECC code
Submitted by: Douglas Stebila
Diffstat (limited to 'ssl/s3_lib.c')
-rw-r--r-- | ssl/s3_lib.c | 296 |
1 files changed, 149 insertions, 147 deletions
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 33e10770dd..ddd996f829 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -901,8 +901,9 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, + #ifndef OPENSSL_NO_ECDH - /* Cipher 47 */ + /* Cipher C001 */ { 1, TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA, @@ -916,7 +917,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, - /* Cipher 48 */ + /* Cipher C002 */ { 1, TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA, @@ -930,21 +931,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, - /* Cipher 49 */ - { - 1, - TLS1_TXT_ECDH_ECDSA_WITH_DES_CBC_SHA, - TLS1_CK_ECDH_ECDSA_WITH_DES_CBC_SHA, - SSL_kECDH|SSL_aECDSA|SSL_DES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_LOW, - 0, - 56, - 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, - - /* Cipher 4A */ + /* Cipher C003 */ { 1, TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA, @@ -958,7 +945,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, - /* Cipher 4B */ + /* Cipher C004 */ { 1, TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA, @@ -972,7 +959,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, - /* Cipher 4C */ + /* Cipher C005 */ { 1, TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA, @@ -986,12 +973,12 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, - /* Cipher 4D */ + /* Cipher C006 */ { 1, - TLS1_TXT_ECDH_RSA_WITH_NULL_SHA, - TLS1_CK_ECDH_RSA_WITH_NULL_SHA, - SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA|SSL_TLSV1, + TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA, + TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA, + SSL_kECDHE|SSL_aECDSA|SSL_eNULL|SSL_SHA|SSL_TLSV1, SSL_NOT_EXP, 0, 0, @@ -1000,12 +987,12 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, - /* Cipher 4E */ + /* Cipher C007 */ { 1, - TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA, - TLS1_CK_ECDH_RSA_WITH_RC4_128_SHA, - SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1, + TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA, + TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA, + SSL_kECDHE|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1, SSL_NOT_EXP, 0, 128, @@ -1014,21 +1001,77 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, - /* Cipher 4F */ + /* Cipher C008 */ + { + 1, + TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, + TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, + SSL_kECDHE|SSL_aECDSA|SSL_3DES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 168, + 168, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher C009 */ + { + 1, + TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + SSL_kECDHE|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher C00A */ { 1, - TLS1_TXT_ECDH_RSA_WITH_DES_CBC_SHA, - TLS1_CK_ECDH_RSA_WITH_DES_CBC_SHA, - SSL_kECDH|SSL_aRSA|SSL_DES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_LOW, + TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + SSL_kECDHE|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, 0, - 56, - 56, + 256, + 256, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, - /* Cipher 50 */ + /* Cipher C00B */ + { + 1, + TLS1_TXT_ECDH_RSA_WITH_NULL_SHA, + TLS1_CK_ECDH_RSA_WITH_NULL_SHA, + SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP, + 0, + 0, + 0, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher C00C */ + { + 1, + TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA, + TLS1_CK_ECDH_RSA_WITH_RC4_128_SHA, + SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher C00D */ { 1, TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA, @@ -1042,7 +1085,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, - /* Cipher 51 */ + /* Cipher C00E */ { 1, TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA, @@ -1056,7 +1099,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, - /* Cipher 52 */ + /* Cipher C00F */ { 1, TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA, @@ -1070,35 +1113,77 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, - /* Cipher 53 */ + /* Cipher C010 */ { 1, - TLS1_TXT_ECDH_RSA_EXPORT_WITH_RC4_40_SHA, - TLS1_CK_ECDH_RSA_EXPORT_WITH_RC4_40_SHA, - SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1, - SSL_EXPORT|SSL_EXP40, + TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA, + TLS1_CK_ECDHE_RSA_WITH_NULL_SHA, + SSL_kECDHE|SSL_aRSA|SSL_eNULL|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP, + 0, + 0, + 0, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher C011 */ + { + 1, + TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA, + TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA, + SSL_kECDHE|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP, 0, - 40, + 128, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, - /* Cipher 54 */ + /* Cipher C012 */ { 1, - TLS1_TXT_ECDH_RSA_EXPORT_WITH_RC4_56_SHA, - TLS1_CK_ECDH_RSA_EXPORT_WITH_RC4_56_SHA, - SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1, - SSL_EXPORT|SSL_EXP56, + TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA, + TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA, + SSL_kECDHE|SSL_aRSA|SSL_3DES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 168, + 168, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher C013 */ + { + 1, + TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA, + TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, + SSL_kECDHE|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, 0, - 56, 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher C014 */ + { + 1, + TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA, + TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, + SSL_kECDHE|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 256, + 256, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, - /* Cipher 55 */ + /* Cipher C015 */ { 1, TLS1_TXT_ECDH_anon_WITH_NULL_SHA, @@ -1112,7 +1197,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, - /* Cipher 56 */ + /* Cipher C016 */ { 1, TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA, @@ -1126,21 +1211,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, - /* Cipher 57 */ - { - 1, - TLS1_TXT_ECDH_anon_WITH_DES_CBC_SHA, - TLS1_CK_ECDH_anon_WITH_DES_CBC_SHA, - SSL_kECDHE|SSL_aNULL|SSL_DES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_LOW, - 0, - 56, - 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, - - /* Cipher 58 */ + /* Cipher C017 */ { 1, TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA, @@ -1154,63 +1225,33 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, - /* Cipher 59 */ + /* Cipher C018 */ { 1, - TLS1_TXT_ECDH_anon_EXPORT_WITH_DES_40_CBC_SHA, - TLS1_CK_ECDH_anon_EXPORT_WITH_DES_40_CBC_SHA, - SSL_kECDHE|SSL_aNULL|SSL_DES|SSL_SHA|SSL_TLSV1, - SSL_EXPORT|SSL_EXP40, - 0, - 40, - 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, - - /* Cipher 5A */ - { - 1, - TLS1_TXT_ECDH_anon_EXPORT_WITH_RC4_40_SHA, - TLS1_CK_ECDH_anon_EXPORT_WITH_RC4_40_SHA, - SSL_kECDHE|SSL_aNULL|SSL_RC4|SSL_SHA|SSL_TLSV1, - SSL_EXPORT|SSL_EXP40, + TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA, + TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA, + SSL_kECDHE|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, 0, - 40, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, - /* Cipher 5B */ - /* XXX NOTE: The ECC/TLS draft has a bug and reuses 4B for this */ - { - 1, - TLS1_TXT_ECDH_ECDSA_EXPORT_WITH_RC4_40_SHA, - TLS1_CK_ECDH_ECDSA_EXPORT_WITH_RC4_40_SHA, - SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1, - SSL_EXPORT|SSL_EXP40, - 0, - 40, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, - /* Cipher 5C */ - /* XXX NOTE: The ECC/TLS draft has a bug and reuses 4C for this */ + /* Cipher C019 */ { 1, - TLS1_TXT_ECDH_ECDSA_EXPORT_WITH_RC4_56_SHA, - TLS1_CK_ECDH_ECDSA_EXPORT_WITH_RC4_56_SHA, - SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1, - SSL_EXPORT|SSL_EXP56, + TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA, + TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA, + SSL_kECDHE|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, 0, - 56, - 128, + 256, + 256, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, - #endif /* OPENSSL_NO_ECDH */ #if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES @@ -1308,45 +1349,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ }, #endif -#ifndef OPENSSL_NO_ECDH - /* Cipher 77 XXX: ECC ciphersuites offering forward secrecy - * are not yet specified in the ECC/TLS draft but our code - * allows them to be implemented very easily. To add such - * a cipher suite, one needs to add two constant definitions - * to tls1.h and a new structure in this file as shown below. We - * illustrate the process for the made-up cipher - * ECDHE-ECDSA-AES128-SHA. - */ - { - 1, - TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, - TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, - SSL_kECDHE|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - 0, - 128, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, - - /* Cipher 78 XXX: Another made-up ECC cipher suite that - * offers forward secrecy (ECDHE-RSA-AES128-SHA). - */ - { - 1, - TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA, - TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, - SSL_kECDHE|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - 0, - 128, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, -#endif /* !OPENSSL_NO_ECDH */ - /* end of list */ }; |