add Suite B 128 bit mode offering only combination 2

author Dr. Stephen Henson <steve@openssl.org>

Wed, 26 Dec 2012 17:34:50 +0000 (17:34 +0000)

committer Dr. Stephen Henson <steve@openssl.org>

Wed, 26 Dec 2012 17:34:50 +0000 (17:34 +0000)
author Dr. Stephen Henson <steve@openssl.org>
Wed, 26 Dec 2012 17:34:50 +0000 (17:34 +0000)
committer Dr. Stephen Henson <steve@openssl.org>
Wed, 26 Dec 2012 17:34:50 +0000 (17:34 +0000)
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c

index 12c0bf2c3d807b7800638b14b46156e9ac4a7758..8018d11e65a9af5d1e4aa3f01ce481d886627f0d 100644 (file)
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1351,11 +1351,16 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
  static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
                                         const char **prule_str)
         {
  static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
                                         const char **prule_str)
         {
-       unsigned int suiteb_flags = 0;
+       unsigned int suiteb_flags = 0, suiteb_comb2 = 0;
         if (!strcmp(*prule_str, "SUITEB128"))
                 suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS;
         else if (!strcmp(*prule_str, "SUITEB128ONLY"))
                 suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS_ONLY;
         if (!strcmp(*prule_str, "SUITEB128"))
                 suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS;
         else if (!strcmp(*prule_str, "SUITEB128ONLY"))
                 suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS_ONLY;
+       else if (!strcmp(*prule_str, "SUITEB128C2"))
+               {
+               suiteb_comb2 = 1;
+               suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS;
+               }
         else if (!strcmp(*prule_str, "SUITEB192"))
                 suiteb_flags = SSL_CERT_FLAG_SUITEB_192_LOS;
  
         else if (!strcmp(*prule_str, "SUITEB192"))
                 suiteb_flags = SSL_CERT_FLAG_SUITEB_192_LOS;
  
@@ -1374,7 +1379,10 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
         switch(suiteb_flags)
                 {
         case SSL_CERT_FLAG_SUITEB_128_LOS:
         switch(suiteb_flags)
                 {
         case SSL_CERT_FLAG_SUITEB_128_LOS:
-               *prule_str = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384";
+               if (suiteb_comb2)
+                       *prule_str = "ECDHE-ECDSA-AES256-GCM-SHA384";
+               else
+                       *prule_str = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384";
                 break;
         case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
                 *prule_str = "ECDHE-ECDSA-AES128-GCM-SHA256";
                 break;
         case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
                 *prule_str = "ECDHE-ECDSA-AES128-GCM-SHA256";
author	Dr. Stephen Henson <steve@openssl.org>
	Wed, 26 Dec 2012 17:34:50 +0000 (17:34 +0000)
committer	Dr. Stephen Henson <steve@openssl.org>
	Wed, 26 Dec 2012 17:34:50 +0000 (17:34 +0000)