X-Git-Url: https://git.openssl.org/gitweb/?a=blobdiff_plain;f=ssl%2Fssl_ciph.c;h=afdc8ff5df57803e410909ae420cce35066bb2e6;hb=8a97a33063d93be1130b762daefd729346af4d29;hp=fbd0c212075c486b850606436b62ecdcda62df54;hpb=8ab92fc646763364b0a9fb6b17f9759c56ccad77;p=openssl.git
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index fbd0c21207..afdc8ff5df 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -638,6 +638,14 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
 c->algorithm_mac == SSL_SHA1 &&
 (evp=EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA1")))
 *enc = evp, *md = NULL;
+ else if (c->algorithm_enc == SSL_AES128 &&
+ c->algorithm_mac == SSL_SHA256 &&
+ (evp=EVP_get_cipherbyname("AES-128-CBC-HMAC-SHA256")))
+ *enc = evp, *md = NULL;
+ else if (c->algorithm_enc == SSL_AES256 &&
+ c->algorithm_mac == SSL_SHA256 &&
+ (evp=EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA256")))
+ *enc = evp, *md = NULL;
 return(1);
 }
 else
@@ -1354,11 +1362,16 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
 static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
 const char **prule_str)
 {
- unsigned int suiteb_flags = 0;
+ unsigned int suiteb_flags = 0, suiteb_comb2 = 0;
 if (!strcmp(*prule_str, "SUITEB128"))
 suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS;
 else if (!strcmp(*prule_str, "SUITEB128ONLY"))
 suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS_ONLY;
+ else if (!strcmp(*prule_str, "SUITEB128C2"))
+ {
+ suiteb_comb2 = 1;
+ suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS;
+ }
 else if (!strcmp(*prule_str, "SUITEB192"))
 suiteb_flags = SSL_CERT_FLAG_SUITEB_192_LOS;
 
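Review bot: In the first hunk (ssl_cipher_get_evp) the two new branches leave `*md = NULL`, and nothing on these lines says that a NULL digest is intentional. Presumably the stitched `AES-128-CBC-HMAC-SHA256` / `AES-256-CBC-HMAC-SHA256` EVP ciphers compute the record MAC themselves; I would state that once above the chain, e.g. `/* stitched cipher+MAC: the EVP cipher does the HMAC itself, so *md is NULL and callers must not dereference it */`. When `EVP_get_cipherbyname()` returns NULL the chain falls through to `return(1)` with whatever `*enc` and `*md` held before the hunk, so the fallback to the unstitched path is silent and deserves a word in the same comment. Since these are MAC-then-encrypt CBC suites, the padding and MAC verification inside the stitched implementation needs to be constant-time; that code is not part of this diff. The function body starts and ends outside the hunk.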
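Review bot: In the second hunk (check_suiteb_cipher_list) `suiteb_comb2` and the new `SUITEB128C2` keyword arrive without a comment, and the branch stores the same `SSL_CERT_FLAG_SUITEB_128_LOS` as plain `SUITEB128`, so the certificate flag alone no longer tells which cipher list was chosen. A one-line comment on the branch would help, e.g. `/* SUITEB128C2 ("combination 2"): 128-bit LOS certificate checks, cipher list restricted to the AES-256-GCM suite */`; the restriction itself is applied in the next hunk. The keyword also needs an entry in the cipher-string documentation, which this diff does not touch. The function continues past the end of this hunk.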
@@ -1372,12 +1385,26 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c, if (!suiteb_flags) return 1; - /* Check version */ + /* Check version: if TLS 1.2 ciphers allowed we can use Suite B */ + + if (!(meth->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS)) + { + if (meth->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS) + SSLerr(SSL_F_CHECK_SUITEB_CIPHER_LIST, + SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE); + else + SSLerr(SSL_F_CHECK_SUITEB_CIPHER_LIST, + SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE); + return 0; + } switch(suiteb_flags) { case SSL_CERT_FLAG_SUITEB_128_LOS: - *prule_str = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384"; + if (suiteb_comb2) + *prule_str = "ECDHE-ECDSA-AES256-GCM-SHA384"; + else + *prule_str = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384"; break; case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY: *prule_str = "ECDHE-ECDSA-AES128-GCM-SHA256"; @@ -1386,6 +1413,8 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c, *prule_str = "ECDHE-ECDSA-AES256-GCM-SHA384"; break; } + /* Set auto ECDH parameter determination */ + c->ecdh_tmp_auto = 1; return 1; }
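Review bot: The new version test in the hunk at -1372 only inspects `meth->ssl3_enc->enc_flags`, i.e. whether the method is capable of TLS 1.2 ciphers when the cipher string is parsed; it does not by itself guarantee that the negotiated protocol version is (D)TLS 1.2. If a handshake-time check exists it is outside this diff, so the comment should say what is and is not covered: `/* Config-time capability check only; the negotiated version must still be enforced during the handshake */`. The `switch(suiteb_flags)` also has no `default:`, so an unexpected flag value would leave `*prule_str` as the raw keyword and still return 1; a `default: return 0;` would fail closed. The function starts before this hunk and continues after it.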
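Review bot: In the last hunk, `c->ecdh_tmp_auto = 1;` makes a function named check_suiteb_cipher_list modify the caller's CERT, and it does so unconditionally once a Suite B keyword has matched. Any temporary ECDH parameters the application configured beforehand are presumably overridden, and nothing visible here resets the field if the cipher list is later changed to a non-Suite B string. I would expand the comment to spell that out, e.g. `/* Suite B: force automatic ECDH curve selection; this overrides application-set ECDH parameters */`, and mention the side effect in the cipher-string documentation.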