Allow ECDHE and DHE as forward-compatible aliases for EECDH and EDH

see RT #3203

Future versions of OpenSSL use the canonical terms "ECDHE" and "DHE"
as configuration strings and compilation constants.  This patch
introduces aliases so that the stable 1.0.2 branch can be
forward-compatible with code and configuration scripts that use the
normalized terms, while avoiding changing any library output for
stable users.

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>

diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod
index 695a7df12b443f501b628e0804cd6e736348ccd5..4eeb55be2cd00d19790ce01b183e514ef5426671 100644 (file)
--- a/doc/apps/ciphers.pod
+++ b/doc/apps/ciphers.pod
@@ -177,12 +177,12 @@ cipher suites using RSA key exchange.
 cipher suites using DH key agreement and DH certificates signed by CAs with RSA
 and DSS keys or either respectively.
 
-=item B<kEDH>
+=item B<kDHE>, B<kEDH>
 
 cipher suites using ephemeral DH key agreement, including anonymous cipher
 suites.
 
-=item B<EDH>
+=item B<DHE>, B<EDH>
 
 cipher suites using authenticated ephemeral DH key agreement.
 
@@ -200,12 +200,12 @@ cipher suites using DH, including anonymous DH, ephemeral DH and fixed DH.
 cipher suites using fixed ECDH key agreement signed by CAs with RSA and ECDSA
 keys or either respectively.
 
-=item B<kEECDH>
+=item B<kECDHE>, B<kEECDH>
 
 cipher suites using ephemeral ECDH key agreement, including anonymous
 cipher suites.
 
-=item B<EECDHE>
+=item B<ECDHE>, B<EECDH>
 
 cipher suites using authenticated ephemeral ECDH key agreement.
 

diff --git a/doc/ssl/SSL_CIPHER_get_name.pod b/doc/ssl/SSL_CIPHER_get_name.pod
index 2e113be6065cd3174dbfcec1ac5145fd39e928bf..c598f4d4ce2631a4408ef54dabb26e884c12e3d4 100644 (file)
--- a/doc/ssl/SSL_CIPHER_get_name.pod
+++ b/doc/ssl/SSL_CIPHER_get_name.pod
@@ -109,6 +109,16 @@ If SSL_CIPHER_description() cannot handle a built-in cipher, the according
 description of the cipher property is B<unknown>. This case should not
 occur.
 
+The standard terminology for ephemeral Diffie-Hellman schemes is DHE
+(finite field) or ECDHE (elliptic curve).  This version of OpenSSL
+idiosyncratically reports these schemes as EDH and EECDH, even though
+it also accepts the standard terminology.
+
+It is recommended to use the standard terminology (DHE and ECDHE)
+during configuration (e.g. via SSL_CTX_set_cipher_list) for clarity of
+configuration.  OpenSSL versions after 1.0.2 will report the standard
+terms via SSL_CIPHER_get_name and SSL_CIPHER_description.
+
 =head1 RETURN VALUES
 
 See DESCRIPTION
@@ -116,6 +126,7 @@ See DESCRIPTION
 =head1 SEE ALSO
 
 L<ssl(3)|ssl(3)>, L<SSL_get_current_cipher(3)|SSL_get_current_cipher(3)>,
-L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>, L<ciphers(1)|ciphers(1)>
+L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>, L<ciphers(1)|ciphers(1)>,
+L<SSL_CTX_set_cipher_list(3)|SSL_CTX_set_cipher_list(3)>
 
 =cut

diff --git a/doc/ssl/SSL_CTX_set_cipher_list.pod b/doc/ssl/SSL_CTX_set_cipher_list.pod
index bd4df4abd461556300709bbe94ac3a407a46d442..c84a8314beec14a1c2eadf3dc86f822526d7e042 100644 (file)
--- a/doc/ssl/SSL_CTX_set_cipher_list.pod
+++ b/doc/ssl/SSL_CTX_set_cipher_list.pod
@@ -41,7 +41,7 @@ RSA export ciphers with a keylength of 512 bits for the RSA key require
 a temporary 512 bit RSA key, as typically the supplied key has a length
 of 1024 bit (see
 L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>).
-RSA ciphers using EDH need a certificate and key and additional DH-parameters
+RSA ciphers using DHE need a certificate and key and additional DH-parameters
 (see L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>).
 
 A DSA cipher can only be chosen, when a DSA certificate is available.

diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod
index 6e6b5e6d808218ad934f7c2ebae4383b8801e3db..7551755f6f8b5853cf1a2a1b3e277c0e8df3dde3 100644 (file)
--- a/doc/ssl/SSL_CTX_set_options.pod
+++ b/doc/ssl/SSL_CTX_set_options.pod
@@ -165,7 +165,7 @@ can only be used for signature operations (namely under export ciphers
 with restricted RSA keylength). By setting this option, ephemeral
 RSA keys are always used. This option breaks compatibility with the
 SSL/TLS specifications and may lead to interoperability problems with
-clients and should therefore never be used. Ciphers with EDH (ephemeral
+clients and should therefore never be used. Ciphers with DHE (ephemeral
 Diffie-Hellman) key exchange should be used instead.
 
 =item SSL_OP_CIPHER_SERVER_PREFERENCE

diff --git a/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod b/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
index 534643cd9de4a2fd05192036502650d0f6642999..b23e43a963d9021a5763028c86c1b6eed479c7e7 100644 (file)
--- a/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
+++ b/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
@@ -70,7 +70,7 @@ the TLS standard, when the RSA key can be used for signing only, that is
 for export ciphers. Using ephemeral RSA key exchange for other purposes
 violates the standard and can break interoperability with clients.
 It is therefore strongly recommended to not use ephemeral RSA key
-exchange and use EDH (Ephemeral Diffie-Hellman) key exchange instead
+exchange and use DHE (Ephemeral Diffie-Hellman) key exchange instead
 in order to achieve forward secrecy (see
 L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>).
 

diff --git a/doc/ssleay.txt b/doc/ssleay.txt
index 4d2e7148681dc4d794ba1c42793b446a61551bc5..c9b29bd97fc4edb8388e7c92422929ceef659a18 100644 (file)
--- a/doc/ssleay.txt
+++ b/doc/ssleay.txt
@@ -6026,7 +6026,7 @@ one at a time, or use 'aliases' to specify the preference and order for
 the ciphers.
 
 There are a large number of aliases, but the most importaint are
-kRSA, kDHr, kDHd and kEDH for key exchange types.
+kRSA, kDHr, kDHd and kDHE for key exchange types.
 
 aRSA, aDSS, aNULL and aDH for authentication
 DES, 3DES, RC4, RC2, IDEA and eNULL for ciphers

diff --git a/ssl/ssl.h b/ssl/ssl.h
index bbf31802767a69fa1ff2ca743057f29fbb9150ad..7da0b212b86b9aebe96bb80304c850e5f1c35d1e 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -245,11 +245,13 @@ extern "C" {
 #define SSL_TXT_kDHd           "kDHd"
 #define SSL_TXT_kDH            "kDH"
 #define SSL_TXT_kEDH           "kEDH"
+#define SSL_TXT_kDHE           "kDHE" /* alias for kEDH */
 #define SSL_TXT_kKRB5          "kKRB5"
 #define SSL_TXT_kECDHr         "kECDHr"
 #define SSL_TXT_kECDHe         "kECDHe"
 #define SSL_TXT_kECDH          "kECDH"
 #define SSL_TXT_kEECDH         "kEECDH"
+#define SSL_TXT_kECDHE         "kECDHE" /* alias for kEECDH */
 #define SSL_TXT_kPSK            "kPSK"
 #define SSL_TXT_kGOST          "kGOST"
 #define SSL_TXT_kSRP           "kSRP"
@@ -269,10 +271,12 @@ extern "C" {
 #define        SSL_TXT_DSS             "DSS"
 #define SSL_TXT_DH             "DH"
 #define SSL_TXT_EDH            "EDH" /* same as "kEDH:-ADH" */
+#define SSL_TXT_DHE            "DHE" /* alias for EDH */
 #define SSL_TXT_ADH            "ADH"
 #define SSL_TXT_RSA            "RSA"
 #define SSL_TXT_ECDH           "ECDH"
 #define SSL_TXT_EECDH          "EECDH" /* same as "kEECDH:-AECDH" */
+#define SSL_TXT_ECDHE          "ECDHE" /* alias for ECDHE" */
 #define SSL_TXT_AECDH          "AECDH"
 #define SSL_TXT_ECDSA          "ECDSA"
 #define SSL_TXT_KRB5           "KRB5"

diff --git a/ssl/ssl3.h b/ssl/ssl3.h
index a4823d3308f30f106fb99fd5d10d47d012a61c84..274e6773c868e09623debaa97acc4f089af68250 100644 (file)
--- a/ssl/ssl3.h
+++ b/ssl/ssl3.h
@@ -155,11 +155,17 @@ extern "C" {
 #define SSL3_CK_DH_RSA_DES_192_CBC3_SHA        0x03000010
 
 #define SSL3_CK_EDH_DSS_DES_40_CBC_SHA         0x03000011
+#define SSL3_CK_DHE_DSS_DES_40_CBC_SHA          SSL3_CK_EDH_DSS_DES_40_CBC_SHA
 #define SSL3_CK_EDH_DSS_DES_64_CBC_SHA         0x03000012
+#define SSL3_CK_DHE_DSS_DES_64_CBC_SHA         SSL3_CK_EDH_DSS_DES_64_CBC_SHA
 #define SSL3_CK_EDH_DSS_DES_192_CBC3_SHA       0x03000013
+#define SSL3_CK_DHE_DSS_DES_192_CBC3_SHA       SSL3_CK_EDH_DSS_DES_192_CBC3_SHA
 #define SSL3_CK_EDH_RSA_DES_40_CBC_SHA         0x03000014
+#define SSL3_CK_DHE_RSA_DES_40_CBC_SHA         SSL3_CK_EDH_RSA_DES_40_CBC_SHA
 #define SSL3_CK_EDH_RSA_DES_64_CBC_SHA         0x03000015
+#define SSL3_CK_DHE_RSA_DES_64_CBC_SHA         SSL3_CK_EDH_RSA_DES_64_CBC_SHA
 #define SSL3_CK_EDH_RSA_DES_192_CBC3_SHA       0x03000016
+#define SSL3_CK_DHE_RSA_DES_192_CBC3_SHA       SSL3_CK_EDH_RSA_DES_192_CBC3_SHA
 
 #define SSL3_CK_ADH_RC4_40_MD5                 0x03000017
 #define SSL3_CK_ADH_RC4_128_MD5                        0x03000018
@@ -213,6 +219,17 @@ extern "C" {
 #define SSL3_TXT_DH_RSA_DES_64_CBC_SHA         "DH-RSA-DES-CBC-SHA"
 #define SSL3_TXT_DH_RSA_DES_192_CBC3_SHA       "DH-RSA-DES-CBC3-SHA"
 
+#define SSL3_TXT_DHE_DSS_DES_40_CBC_SHA                "EXP-DHE-DSS-DES-CBC-SHA"
+#define SSL3_TXT_DHE_DSS_DES_64_CBC_SHA                "DHE-DSS-DES-CBC-SHA"
+#define SSL3_TXT_DHE_DSS_DES_192_CBC3_SHA      "DHE-DSS-DES-CBC3-SHA"
+#define SSL3_TXT_DHE_RSA_DES_40_CBC_SHA                "EXP-DHE-RSA-DES-CBC-SHA"
+#define SSL3_TXT_DHE_RSA_DES_64_CBC_SHA                "DHE-RSA-DES-CBC-SHA"
+#define SSL3_TXT_DHE_RSA_DES_192_CBC3_SHA      "DHE-RSA-DES-CBC3-SHA"
+
+/* This next block of six "EDH" labels is for backward compatibility
+   with older versions of OpenSSL.  New code should use the six "DHE"
+   labels above instead:
+ */
 #define SSL3_TXT_EDH_DSS_DES_40_CBC_SHA                "EXP-EDH-DSS-DES-CBC-SHA"
 #define SSL3_TXT_EDH_DSS_DES_64_CBC_SHA                "EDH-DSS-DES-CBC-SHA"
 #define SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA      "EDH-DSS-DES-CBC3-SHA"

diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index eb1acf17cd6a913e713740a3e11c592ec02d2577..d961903d37f496bd42cf76d8ef45fad7f4202d00 100644 (file)
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -242,6 +242,7 @@ static const SSL_CIPHER cipher_aliases[]={
        {0,SSL_TXT_kDHd,0,    SSL_kDHd,  0,0,0,0,0,0,0,0},
        {0,SSL_TXT_kDH,0,     SSL_kDHr|SSL_kDHd,0,0,0,0,0,0,0,0},
        {0,SSL_TXT_kEDH,0,    SSL_kEDH,  0,0,0,0,0,0,0,0},
+       {0,SSL_TXT_kDHE,0,    SSL_kEDH,  0,0,0,0,0,0,0,0},
        {0,SSL_TXT_DH,0,      SSL_kDHr|SSL_kDHd|SSL_kEDH,0,0,0,0,0,0,0,0},
 
        {0,SSL_TXT_kKRB5,0,   SSL_kKRB5, 0,0,0,0,0,0,0,0},
@@ -250,6 +251,7 @@ static const SSL_CIPHER cipher_aliases[]={
        {0,SSL_TXT_kECDHe,0,  SSL_kECDHe,0,0,0,0,0,0,0,0},
        {0,SSL_TXT_kECDH,0,   SSL_kECDHr|SSL_kECDHe,0,0,0,0,0,0,0,0},
        {0,SSL_TXT_kEECDH,0,  SSL_kEECDH,0,0,0,0,0,0,0,0},
+       {0,SSL_TXT_kECDHE,0,  SSL_kEECDH,0,0,0,0,0,0,0,0},
        {0,SSL_TXT_ECDH,0,    SSL_kECDHr|SSL_kECDHe|SSL_kEECDH,0,0,0,0,0,0,0,0},
 
         {0,SSL_TXT_kPSK,0,    SSL_kPSK,  0,0,0,0,0,0,0,0},
@@ -274,7 +276,9 @@ static const SSL_CIPHER cipher_aliases[]={
 
        /* aliases combining key exchange and server authentication */
        {0,SSL_TXT_EDH,0,     SSL_kEDH,~SSL_aNULL,0,0,0,0,0,0,0},
+       {0,SSL_TXT_DHE,0,     SSL_kEDH,~SSL_aNULL,0,0,0,0,0,0,0},
        {0,SSL_TXT_EECDH,0,   SSL_kEECDH,~SSL_aNULL,0,0,0,0,0,0,0},
+       {0,SSL_TXT_ECDHE,0,   SSL_kEECDH,~SSL_aNULL,0,0,0,0,0,0,0},
        {0,SSL_TXT_NULL,0,    0,0,SSL_eNULL, 0,0,0,0,0,0},
        {0,SSL_TXT_KRB5,0,    SSL_kKRB5,SSL_aKRB5,0,0,0,0,0,0,0},
        {0,SSL_TXT_RSA,0,     SSL_kRSA,SSL_aRSA,0,0,0,0,0,0,0},
@@ -327,6 +331,19 @@ static const SSL_CIPHER cipher_aliases[]={
        {0,SSL_TXT_HIGH,0,    0,0,0,0,0,SSL_HIGH,  0,0,0},
        /* FIPS 140-2 approved ciphersuite */
        {0,SSL_TXT_FIPS,0,    0,0,~SSL_eNULL,0,0,SSL_FIPS,  0,0,0},
+       /* "DHE-" aliases to "EDH-" labels (for forward compatibility) */
+       {0,SSL3_TXT_DHE_DSS_DES_40_CBC_SHA,0,
+         SSL_kDHE,SSL_aDSS,SSL_DES,SSL_SHA1,SSL_SSLV3,SSL_EXPORT|SSL_EXP40,0,0,0,},
+       {0,SSL3_TXT_DHE_DSS_DES_64_CBC_SHA,0,
+         SSL_kDHE,SSL_aDSS,SSL_DES,SSL_SHA1,SSL_SSLV3,SSL_NOT_EXP|SSL_LOW,0,0,0,},
+       {0,SSL3_TXT_DHE_DSS_DES_192_CBC3_SHA,0,
+         SSL_kDHE,SSL_aDSS,SSL_3DES,SSL_SHA1,SSL_SSLV3,SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,0,0,0,},
+       {0,SSL3_TXT_DHE_RSA_DES_40_CBC_SHA,0,
+         SSL_kDHE,SSL_aRSA,SSL_DES,SSL_SHA1,SSL_SSLV3,SSL_EXPORT|SSL_EXP40,0,0,0,},
+       {0,SSL3_TXT_DHE_RSA_DES_64_CBC_SHA,0,
+         SSL_kDHE,SSL_aRSA,SSL_DES,SSL_SHA1,SSL_SSLV3,SSL_NOT_EXP|SSL_LOW,0,0,0,},
+       {0,SSL3_TXT_DHE_RSA_DES_192_CBC3_SHA,0,
+         SSL_kDHE,SSL_aRSA,SSL_3DES,SSL_SHA1,SSL_SSLV3,SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,0,0,0,},
        };
 /* Search for public key algorithm with given name and 
  * return its pkey_id if it is available. Otherwise return 0

diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 6d8047c91cf72b8396c8d645de95d75eae558a5c..afd144645b31b580bdc47294f8ef7dc2262ddacc 100644 (file)
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -292,10 +292,12 @@
 #define SSL_kDHr               0x00000002L /* DH cert, RSA CA cert */
 #define SSL_kDHd               0x00000004L /* DH cert, DSA CA cert */
 #define SSL_kEDH               0x00000008L /* tmp DH key no DH cert */
+#define SSL_kDHE               SSL_kEDH /* forward-compatible synonym */
 #define SSL_kKRB5              0x00000010L /* Kerberos5 key exchange */
 #define SSL_kECDHr             0x00000020L /* ECDH cert, RSA CA cert */
 #define SSL_kECDHe             0x00000040L /* ECDH cert, ECDSA CA cert */
 #define SSL_kEECDH             0x00000080L /* ephemeral ECDH */
+#define SSL_kECDHE             SSL_kEECDH /* forward-compatible synonym */
 #define SSL_kPSK               0x00000100L /* PSK */
 #define SSL_kGOST       0x00000200L /* GOST key exchange */
 #define SSL_kSRP        0x00000400L /* SRP */

diff --git a/ssl/tls1.h b/ssl/tls1.h
index 3c8de7303273b3942dee13f8e6db7743bf15d855..874479b820fe128719c17842b130fda4fa1bfc69 100644 (file)
--- a/ssl/tls1.h
+++ b/ssl/tls1.h
@@ -555,12 +555,12 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
 #define TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384        0x0300C032
 
 /* XXX
- * Inconsistency alert:
- * The OpenSSL names of ciphers with ephemeral DH here include the string
- * "DHE", while elsewhere it has always been "EDH".
- * (The alias for the list of all such ciphers also is "EDH".)
- * The specifications speak of "EDH"; maybe we should allow both forms
- * for everything. */
+* Backward compatibility alert:
++ * Older versions of OpenSSL gave some DHE ciphers names with "EDH"
++ * instead of "DHE".  Going forward, we should be using DHE
++ * everywhere, though we may indefinitely maintain aliases for users
++ * or configurations that used "EDH"
++ */
 #define TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5                "EXP1024-RC4-MD5"
 #define TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5    "EXP1024-RC2-CBC-MD5"
 #define TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA       "EXP1024-DES-CBC-SHA"