ECC ciphersuite support

[openssl.git] / ssl / s3_both.c

diff --git a/ssl/s3_both.c b/ssl/s3_both.c
index 89b54b71d3650dd6c0e328092e2739a57b676a12..a5588360e53686d43ba28751650e689d8373670b 100644 (file)
--- a/ssl/s3_both.c
+++ b/ssl/s3_both.c
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -108,16 +108,21 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ * ECC cipher suite support in OpenSSL originally developed by 
+ * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
+ */
 
 #include <limits.h>
 #include <string.h>
 #include <stdio.h>
+#include "ssl_locl.h"
 #include <openssl/buffer.h>
 #include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
-#include "ssl_locl.h"
 
 /* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or SSL3_RT_CHANGE_CIPHER_SPEC) */
 int ssl3_do_write(SSL *s, int type)
@@ -520,6 +525,23 @@ int ssl_cert_type(X509 *x, EVP_PKEY *pkey)
                        else ret= -1;
                        }
                }
+#ifndef OPENSSL_NO_EC
+       /* XXX: Structurally, there is no distinction between 
+        * ECDSA and ECDH public keys (both are ECPoints).
+        * So EVP_PKEY_ECDSA should really be renamed EVP_PKEY_ECC
+        * (or similar). As for ECC certificates, additional
+        * information (e.g. in the optional key usage X509v3 
+        * extension) could be used when available to distinguish
+        * between ECDH and ECDSA certificates. For now, we do not
+        * make that distinction here. Instead, we shift the burden
+        * of checking for appropriate key usage to the SSL code
+        * responsible for sending/processing ECC certificates.
+        */
+       else if (i == EVP_PKEY_ECDSA)
+               {
+               ret = SSL_PKEY_ECC;
+               }
+#endif
        else
                ret= -1;
 
@@ -592,6 +614,7 @@ int ssl3_setup_buffers(SSL *s)
        {
        unsigned char *p;
        unsigned int extra;
+       size_t len;
 
        if (s->s3->rbuf.buf == NULL)
                {
@@ -599,18 +622,21 @@ int ssl3_setup_buffers(SSL *s)
                        extra=SSL3_RT_MAX_EXTRA;
                else
                        extra=0;
-               if ((p=OPENSSL_malloc(SSL3_RT_MAX_PACKET_SIZE+extra))
-                       == NULL)
+               len = SSL3_RT_MAX_PACKET_SIZE + extra;
+               if ((p=OPENSSL_malloc(len)) == NULL)
                        goto err;
-               s->s3->rbuf.buf=p;
+               s->s3->rbuf.buf = p;
+               s->s3->rbuf.len = len;
                }
 
        if (s->s3->wbuf.buf == NULL)
                {
-               if ((p=OPENSSL_malloc(SSL3_RT_MAX_PACKET_SIZE))
-                       == NULL)
+               len = SSL3_RT_MAX_PACKET_SIZE;
+               len += SSL3_RT_HEADER_LENGTH + 256; /* extra space for empty fragment */
+               if ((p=OPENSSL_malloc(len)) == NULL)
                        goto err;
-               s->s3->wbuf.buf=p;
+               s->s3->wbuf.buf = p;
+               s->s3->wbuf.len = len;
                }
        s->packet= &(s->s3->rbuf.buf[0]);
        return(1);