authorDr. Stephen Henson <steve@openssl.org>2012-12-26 16:17:40 +0000
committerDr. Stephen Henson <steve@openssl.org>2012-12-26 16:17:40 +0000
commitccf6a19e2d825f4039163393023bd15670aee946 (patch)
treedd5bb510651fbdaf23fdcef6c4cbf55489dfb7c4 /ssl/ssl_ciph.c
parent28fbbe3b1bc89cd5dba6a0d9e74a3cf24d341002 (diff)
Add three Suite B modes to TLS code, supporting RFC6460.
(backport from HEAD)
Diffstat (limited to 'ssl/ssl_ciph.c')
-rw-r--r--ssl/ssl_ciph.c45
1 files changed, 44 insertions, 1 deletions
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index b99870218c..f0cc5b1db6 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1348,10 +1348,49 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
return(retval);
}
+static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
+ const char **prule_str)
+ {
+ unsigned int suiteb_flags = 0;
+ if (!strcmp(*prule_str, "SUITEB128"))
+ suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS;
+ else if (!strcmp(*prule_str, "SUITEB128ONLY"))
+ suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS_ONLY;
+ else if (!strcmp(*prule_str, "SUITEB192"))
+ suiteb_flags = SSL_CERT_FLAG_SUITEB_192_LOS;
+
+ if (suiteb_flags)
+ {
+ c->cert_flags &= ~SSL_CERT_FLAG_SUITEB_128_LOS;
+ c->cert_flags |= suiteb_flags;
+ }
+ else
+ suiteb_flags = c->cert_flags & SSL_CERT_FLAG_SUITEB_128_LOS;
+
+ if (!suiteb_flags)
+ return 1;
+ /* Check version */
+
+ switch(suiteb_flags)
+ {
+ case SSL_CERT_FLAG_SUITEB_128_LOS:
+ *prule_str = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384";
+ break;
+ case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
+ *prule_str = "ECDHE-ECDSA-AES128-GCM-SHA256";
+ break;
+ case SSL_CERT_FLAG_SUITEB_192_LOS:
+ *prule_str = "ECDHE-ECDSA-AES256-GCM-SHA384";
+ break;
+ }
+ return 1;
+ }
+
+
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
STACK_OF(SSL_CIPHER) **cipher_list,
STACK_OF(SSL_CIPHER) **cipher_list_by_id,
- const char *rule_str)
+ const char *rule_str, CERT *c)
{
int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
unsigned long disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl;
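Review bot: `check_suiteb_cipher_list` can never fail: the `/* Check version */` comment has no code under it, `meth` is never read, and both exits are `return 1`, so the caller's `!check_suiteb_cipher_list(...)` test is dead. Both replacement rule strings name only GCM suites, which need TLS 1.2, so a Suite B rule on a method that cannot negotiate TLS 1.2 should fail closed here, returning 0 with an error queued, rather than yield a list the handshake cannot use. The helper also reads `c->cert_flags` unconditionally, and the argument guard in `ssl_create_cipher_list` does not appear to cover the new `c` parameter; extend it to `if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL || c == NULL)` or document that callers always pass a valid `CERT`. A short comment that `SSL_CERT_FLAG_SUITEB_128_LOS` is also used as the mask clearing all Suite B bits (presumably the union of the other two flags, which is worth confirming in the header) would make the `&= ~` line easier to audit. The body of `ssl_create_cipher_list` continues outside this hunk.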
@@ -1366,6 +1405,10 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
return NULL;
+ if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))
+ return NULL;
+
+
/*
* To reduce the work to do we only want to process the compiled
* in algorithms, so we first get the mask of disabled ciphers.