From ccf6a19e2d825f4039163393023bd15670aee946 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Wed, 26 Dec 2012 16:17:40 +0000
Subject: Add three Suite B modes to TLS code, supporting RFC6460. (backport
 from HEAD)

---
 ssl/ssl_ciph.c | 45 ++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 44 insertions(+), 1 deletion(-)

(limited to 'ssl/ssl_ciph.c')

diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index b99870218c..f0cc5b1db6 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1348,10 +1348,49 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
 	return(retval);
 	}
 
+static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
+					const char **prule_str)
+	{
+	unsigned int suiteb_flags = 0;
+	if (!strcmp(*prule_str, "SUITEB128"))
+		suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS;
+	else if (!strcmp(*prule_str, "SUITEB128ONLY"))
+		suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS_ONLY;
+	else if (!strcmp(*prule_str, "SUITEB192"))
+		suiteb_flags = SSL_CERT_FLAG_SUITEB_192_LOS;
+
+	if (suiteb_flags)
+		{
+		c->cert_flags &= ~SSL_CERT_FLAG_SUITEB_128_LOS;
+		c->cert_flags |= suiteb_flags;
+		}
+	else
+		suiteb_flags = c->cert_flags & SSL_CERT_FLAG_SUITEB_128_LOS;
+
+	if (!suiteb_flags)
+		return 1;
+	/* Check version */
+
+	switch(suiteb_flags)
+		{
+	case SSL_CERT_FLAG_SUITEB_128_LOS:
+		*prule_str = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384";
+		break;
+	case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
+		*prule_str = "ECDHE-ECDSA-AES128-GCM-SHA256";
+		break;
+	case SSL_CERT_FLAG_SUITEB_192_LOS:
+		*prule_str = "ECDHE-ECDSA-AES256-GCM-SHA384";
+		break;
+		}
+	return 1;
+	}
+
+
 STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 		STACK_OF(SSL_CIPHER) **cipher_list,
 		STACK_OF(SSL_CIPHER) **cipher_list_by_id,
-		const char *rule_str)
+		const char *rule_str, CERT *c)
 	{
 	int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
 	unsigned long disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl;
@@ -1366,6 +1405,10 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 	if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
 		return NULL;
 
+	if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))
+		return NULL;
+
+
 	/*
 	 * To reduce the work to do we only want to process the compiled
 	 * in algorithms, so we first get the mask of disabled ciphers.
-- 
cgit v1.2.3