#endif
int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
- const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size,SSL_COMP **comp)
+ const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size,SSL_COMP **comp, int use_etm)
{
int i;
const SSL_CIPHER *c;
{
const EVP_CIPHER *evp;
+ if (use_etm)
+ return 1;
+
if (s->ssl_version>>8 != TLS1_VERSION_MAJOR ||
s->ssl_version < TLS1_VERSION)
return 1;
c->algorithm_mac == SSL_SHA1 &&
(evp=EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA1")))
*enc = evp, *md = NULL;
+ else if (c->algorithm_enc == SSL_AES128 &&
+ c->algorithm_mac == SSL_SHA256 &&
+ (evp=EVP_get_cipherbyname("AES-128-CBC-HMAC-SHA256")))
+ *enc = evp, *md = NULL;
+ else if (c->algorithm_enc == SSL_AES256 &&
+ c->algorithm_mac == SSL_SHA256 &&
+ (evp=EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA256")))
+ *enc = evp, *md = NULL;
return(1);
}
else
return(retval);
}
-
+#ifndef OPENSSL_NO_EC
static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
const char **prule_str)
{
if (!suiteb_flags)
return 1;
- /* Check version */
+ /* Check version: if TLS 1.2 ciphers allowed we can use Suite B */
- if (meth->version != TLS1_2_VERSION)
+ if (!(meth->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS))
{
- SSLerr(SSL_F_CHECK_SUITEB_CIPHER_LIST,
+ if (meth->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS)
+ SSLerr(SSL_F_CHECK_SUITEB_CIPHER_LIST,
+ SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE);
+ else
+ SSLerr(SSL_F_CHECK_SUITEB_CIPHER_LIST,
SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE);
return 0;
}
c->ecdh_tmp_auto = 1;
return 1;
}
+#endif
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
*/
if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
return NULL;
-
+#ifndef OPENSSL_NO_EC
if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))
return NULL;
-
+#endif
/*
* To reduce the work to do we only want to process the compiled