s3/s3_cbc.c: allow for compilations with NO_SHA256|512.

[openssl.git] / ssl / ssl_ciph.c

diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index bac2515789ba965648a9aa6770c134452c44a32d..4d87d2dbc4bf7f4b0b8a8f13c39e9cf41fe79e9b 100644 (file)
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -972,7 +972,10 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
 #ifdef CIPHER_DEBUG
                        printf("\nName: %s:\nAlgo = %08lx/%08lx/%08lx/%08lx/%08lx Algo_strength = %08lx\n", cp->name, cp->algorithm_mkey, cp->algorithm_auth, cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl, cp->algo_strength);
 #endif
-
+#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
+                       if (cipher_id && cipher_id != cp->id)
+                               continue;
+#endif
                        if (alg_mkey && !(alg_mkey & cp->algorithm_mkey))
                                continue;
                        if (alg_auth && !(alg_auth & cp->algorithm_auth))
@@ -1351,11 +1354,16 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
 static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
                                        const char **prule_str)
        {
-       unsigned int suiteb_flags = 0;
+       unsigned int suiteb_flags = 0, suiteb_comb2 = 0;
        if (!strcmp(*prule_str, "SUITEB128"))
                suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS;
        else if (!strcmp(*prule_str, "SUITEB128ONLY"))
                suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS_ONLY;
+       else if (!strcmp(*prule_str, "SUITEB128C2"))
+               {
+               suiteb_comb2 = 1;
+               suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS;
+               }
        else if (!strcmp(*prule_str, "SUITEB192"))
                suiteb_flags = SSL_CERT_FLAG_SUITEB_192_LOS;
 
@@ -1371,10 +1379,20 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
                return 1;
        /* Check version */
 
+       if (meth->version != TLS1_2_VERSION)
+               {
+               SSLerr(SSL_F_CHECK_SUITEB_CIPHER_LIST,
+                               SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE);
+               return 0;
+               }
+
        switch(suiteb_flags)
                {
        case SSL_CERT_FLAG_SUITEB_128_LOS:
-               *prule_str = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384";
+               if (suiteb_comb2)
+                       *prule_str = "ECDHE-ECDSA-AES256-GCM-SHA384";
+               else
+                       *prule_str = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384";
                break;
        case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
                *prule_str = "ECDHE-ECDSA-AES128-GCM-SHA256";
@@ -1383,6 +1401,8 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
                *prule_str = "ECDHE-ECDSA-AES256-GCM-SHA384";
                break;
                }
+       /* Set auto ECDH parameter determination */
+       c->ecdh_tmp_auto = 1;
        return 1;
        }
 
@@ -1934,3 +1954,16 @@ int ssl_cipher_get_cert_index(const SSL_CIPHER *c)
        return -1;
        }
 
+const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl, const unsigned char *ptr)
+       {
+       const SSL_CIPHER *c;
+       c = ssl->method->get_cipher_by_char(ptr);
+       if (c == NULL || c->valid == 0)
+               return NULL;
+       return c;
+       }
+
+const SSL_CIPHER *SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr)
+       {
+       return ssl->method->get_cipher_by_char(ptr);
+       }