}
#ifndef OPENSSL_NO_EC
+
static int nid_list[] =
{
NID_sect163k1, /* sect163k1 (1) */
NID_secp384r1, /* secp384r1 (24) */
NID_secp521r1 /* secp521r1 (25) */
};
-
+
+static int pref_list[] =
+ {
+ NID_sect571r1, /* sect571r1 (14) */
+ NID_sect571k1, /* sect571k1 (13) */
+ NID_secp521r1, /* secp521r1 (25) */
+ NID_sect409k1, /* sect409k1 (11) */
+ NID_sect409r1, /* sect409r1 (12) */
+ NID_secp384r1, /* secp384r1 (24) */
+ NID_sect283k1, /* sect283k1 (9) */
+ NID_sect283r1, /* sect283r1 (10) */
+ NID_secp256k1, /* secp256k1 (22) */
+ NID_X9_62_prime256v1, /* secp256r1 (23) */
+ NID_sect239k1, /* sect239k1 (8) */
+ NID_sect233k1, /* sect233k1 (6) */
+ NID_sect233r1, /* sect233r1 (7) */
+ NID_secp224k1, /* secp224k1 (20) */
+ NID_secp224r1, /* secp224r1 (21) */
+ NID_sect193r1, /* sect193r1 (4) */
+ NID_sect193r2, /* sect193r2 (5) */
+ NID_secp192k1, /* secp192k1 (18) */
+ NID_X9_62_prime192v1, /* secp192r1 (19) */
+ NID_sect163k1, /* sect163k1 (1) */
+ NID_sect163r1, /* sect163r1 (2) */
+ NID_sect163r2, /* sect163r2 (3) */
+ NID_secp160k1, /* secp160k1 (15) */
+ NID_secp160r1, /* secp160r1 (16) */
+ NID_secp160r2, /* secp160r2 (17) */
+ };
+
int tls1_ec_curve_id2nid(int curve_id)
{
/* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
#ifdef OPENSSL_NO_ECDSA
#define tlsext_sigalg_ecdsa(md) /* */
#else
-#define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_dsa,
+#define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
#endif
#define tlsext_sigalg(md) \
int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
{
+ size_t slen = sizeof(tls12_sigalgs);
+#ifdef OPENSSL_FIPS
+ /* If FIPS mode don't include MD5 which is last */
+ if (FIPS_mode())
+ slen -= 2;
+#endif
if (p)
- memcpy(p, tls12_sigalgs, sizeof(tls12_sigalgs));
- return (int)sizeof(tls12_sigalgs);
+ memcpy(p, tls12_sigalgs, slen);
+ return (int)slen;
}
unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
}
skip_ext:
- if (s->version >= TLS1_2_VERSION)
+ if (TLS1_get_version(s) >= TLS1_2_VERSION)
{
if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
return NULL;
/* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
- s->tlsext_ellipticcurvelist_length = sizeof(nid_list)/sizeof(nid_list[0]) * 2;
+ s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
{
s->tlsext_ellipticcurvelist_length = 0;
SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
return -1;
}
- for (i = 1, j = s->tlsext_ellipticcurvelist; (unsigned int)i <=
- sizeof(nid_list)/sizeof(nid_list[0]); i++)
- s2n(i,j);
+ for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
+ sizeof(pref_list)/sizeof(pref_list[0]); i++)
+ {
+ int id = tls1_ec_nid2curve_id(pref_list[i]);
+ s2n(id,j);
+ }
}
#endif /* OPENSSL_NO_EC */
{
#ifndef OPENSSL_NO_MD5
case TLSEXT_hash_md5:
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode())
+ return NULL;
+#endif
return EVP_md5();
#endif
#ifndef OPENSSL_NO_SHA
const EVP_MD *md;
CERT *c = s->cert;
/* Extension ignored for TLS versions below 1.2 */
- if (s->version < TLS1_2_VERSION)
+ if (TLS1_get_version(s) < TLS1_2_VERSION)
return 1;
/* Should never happen */
if (!c)