update TLS-ECC code
authorBodo Möller <bodo@openssl.org>
Tue, 13 Dec 2005 07:41:47 +0000 (07:41 +0000)
committerBodo Möller <bodo@openssl.org>
Tue, 13 Dec 2005 07:41:47 +0000 (07:41 +0000)
Submitted by: Douglas Stebila

CHANGES
demos/ssltest-ecc/ssltest.sh
ssl/s3_clnt.c
ssl/s3_lib.c
ssl/s3_srvr.c
ssl/tls1.h

diff --git a/CHANGES b/CHANGES
index 20cfc05927f98a2b12670e0b2aceb26232b5e8b4..2a20a223d6cf34fa5a2331fd801db9e53a28bcec 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,10 @@
 
  Changes between 0.9.8a and 0.9.8b  [XX xxx XXXX]
 
+  *) Update support for ECC-based TLS ciphersuites according to
+     draft-ietf-tls-ecc-12.txt with proposed changes.
+     [Douglas Stebila]
+
   *) New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support
      opaque EVP_CIPHER_CTX handling.
      [Steve Henson]
index 2d6ff167f5a0218ea97f9edcf78036e4746cacdb..923ca43824e6a14a3d827e312110177e55e485da 100755 (executable)
@@ -20,23 +20,23 @@ SSLTEST=$OPENSSL_DIR/test/ssltest
 SSLVERSION=
 
 # These don't really require any certificates
-AECDH_CIPHER_LIST="EXP-AECDH-RC4-40-SHA EXP-AECDH-DES-40-CBC-SHA AECDH-DES-CBC3-SHA AECDH-DES-CBC-SHA AECDH-RC4-SHA AECDH-NULL-SHA"
+AECDH_CIPHER_LIST="AECDH-AES256-SHA AECDH-AES128-SHA AECDH-DES-CBC3-SHA AECDH-RC4-SHA AECDH-NULL-SHA"
 
 # These require ECC certificates signed with ECDSA
 # The EC public key must be authorized for key agreement.
-ECDH_ECDSA_CIPHER_LIST="EXP-ECDH-ECDSA-RC4-56-SHA EXP-ECDH-ECDSA-RC4-40-SHA ECDH-ECDSA-AES256-SHA ECDH-ECDSA-AES128-SHA ECDH-ECDSA-DES-CBC3-SHA ECDH-ECDSA-DES-CBC-SHA ECDH-ECDSA-RC4-SHA ECDH-ECDSA-NULL-SHA"
+ECDH_ECDSA_CIPHER_LIST="ECDH-ECDSA-AES256-SHA ECDH-ECDSA-AES128-SHA ECDH-ECDSA-DES-CBC3-SHA ECDH-ECDSA-RC4-SHA ECDH-ECDSA-NULL-SHA"
 
 # These require ECC certificates.
 # The EC public key must be authorized for digital signature.
-ECDHE_ECDSA_CIPHER_LIST="ECDHE-ECDSA-AES128-SHA"
+ECDHE_ECDSA_CIPHER_LIST="ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-DES-CBC3-SHA ECDHE-ECDSA-RC4-SHA ECDHE-ECDSA-NULL-SHA"
 
 # These require ECC certificates signed with RSA.
 # The EC public key must be authorized for key agreement.
-ECDH_RSA_CIPHER_LIST="EXP-ECDH-RSA-RC4-56-SHA EXP-ECDH-RSA-RC4-40-SHA ECDH-RSA-AES256-SHA ECDH-RSA-AES128-SHA ECDH-RSA-DES-CBC3-SHA ECDH-RSA-DES-CBC-SHA ECDH-RSA-RC4-SHA ECDH-RSA-NULL-SHA"
+ECDH_RSA_CIPHER_LIST="ECDH-RSA-AES256-SHA ECDH-RSA-AES128-SHA ECDH-RSA-DES-CBC3-SHA ECDH-RSA-RC4-SHA ECDH-RSA-NULL-SHA"
 
 # These require RSA certificates.
 # The RSA public key must be authorized for digital signature.
-ECDHE_RSA_CIPHER_LIST="ECDHE-RSA-AES128-SHA"
+ECDHE_RSA_CIPHER_LIST="ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-RC4-SHA ECDHE-RSA-NULL-SHA"
 
 # List of Elliptic curves over which we wish to test generation of
 # ephemeral ECDH keys when using AECDH or ECDHE ciphers
@@ -78,9 +78,9 @@ done
 
 for curve in $ELLIPTIC_CURVE_LIST
 do
-    echo "Testing EXP-AECDH-RC4-40-SHA (with $curve)"
+    echo "Testing AECDH-RC4-SHA (with $curve)"
     $SSLTEST $SSL_VERSION -cert $SERVER_PEM \
-       -named_curve $curve -cipher EXP-AECDH-RC4-40-SHA
+       -named_curve $curve -cipher AECDH-RC4-SHA
 done
 fi
 
@@ -167,6 +167,9 @@ if [ "$1" = "ecdhe-rsa" ]; then
 for cipher in $ECDHE_RSA_CIPHER_LIST
 do
     echo "Testing $cipher (with server authentication)"
+    echo $SSLTEST $SSL_VERSION -CAfile $CA_PEM \
+       -cert $SERVER_PEM -server_auth \
+       -cipher $cipher -named_curve $DEFAULT_CURVE
     $SSLTEST $SSL_VERSION -CAfile $CA_PEM \
        -cert $SERVER_PEM -server_auth \
        -cipher $cipher -named_curve $DEFAULT_CURVE
index 9f0a7f9ac3ef5793e8716485c1048d05274640d0..26788858d7576e4bbfd63656531287e3ce882edc 100644 (file)
@@ -1211,12 +1211,12 @@ int ssl3_get_key_exchange(SSL *s)
                 */
 
                /* XXX: For now we only support named (not generic) curves
-                * and the ECParameters in this case is just two bytes.
+                * and the ECParameters in this case is just three bytes.
                 */
-               param_len=2;
+               param_len=3;
                if ((param_len > n) ||
                    (*p != NAMED_CURVE_TYPE) || 
-                   ((curve_nid = curve_id2nid(*(p + 1))) == 0)) 
+                   ((curve_nid = curve_id2nid(*(p + 2))) == 0)) 
                        {
                        al=SSL_AD_INTERNAL_ERROR;
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
@@ -1246,7 +1246,7 @@ int ssl3_get_key_exchange(SSL *s)
                        goto f_err;
                        }
 
-               p+=2;
+               p+=3;
 
                /* Next, get the encoded ECPoint */
                if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) ||
@@ -1614,22 +1614,6 @@ int ssl3_get_server_done(SSL *s)
        }
 
 
-#ifndef OPENSSL_NO_ECDH
-static const int KDF1_SHA1_len = 20;
-static void *KDF1_SHA1(const void *in, size_t inlen, void *out, size_t *outlen)
-       {
-#ifndef OPENSSL_NO_SHA
-       if (*outlen < SHA_DIGEST_LENGTH)
-               return NULL;
-       else
-               *outlen = SHA_DIGEST_LENGTH;
-       return SHA1(in, inlen, out);
-#else
-       return NULL;
-#endif /* OPENSSL_NO_SHA */
-       }
-#endif /* OPENSSL_NO_ECDH */
-
 int ssl3_send_client_key_exchange(SSL *s)
        {
        unsigned char *p,*d;
@@ -2027,14 +2011,7 @@ int ssl3_send_client_key_exchange(SSL *s)
                                       ERR_R_ECDH_LIB);
                                goto err;
                                }
-                       /* If field size is not more than 24 octets, then use SHA-1 hash of result;
-                        * otherwise, use result (see section 4.8 of draft-ietf-tls-ecc-03.txt;
-                        * this is new with this version of the Internet Draft).
-                        */
-                       if (field_size <= 24 * 8)
-                               n=ECDH_compute_key(p, KDF1_SHA1_len, srvr_ecpoint, clnt_ecdh, KDF1_SHA1);
-                       else
-                               n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL);
+                       n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL);
                        if (n <= 0)
                                {
                                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 
index 33e10770dd22ce4a7031e6485e7585c336ad3204..ddd996f8291718ef1766ee0a0bac63cc6e42551b 100644 (file)
@@ -901,8 +901,9 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL_ALL_CIPHERS,
        SSL_ALL_STRENGTHS,
        },
+
 #ifndef OPENSSL_NO_ECDH
-       /* Cipher 47 */
+       /* Cipher C001 */
            {
             1,
             TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA,
@@ -916,7 +917,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
             SSL_ALL_STRENGTHS,
             },
 
-       /* Cipher 48 */
+       /* Cipher C002 */
            {
             1,
             TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA,
@@ -930,21 +931,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
             SSL_ALL_STRENGTHS,
             },
 
-       /* Cipher 49 */
-           {
-            1,
-            TLS1_TXT_ECDH_ECDSA_WITH_DES_CBC_SHA,
-            TLS1_CK_ECDH_ECDSA_WITH_DES_CBC_SHA,
-            SSL_kECDH|SSL_aECDSA|SSL_DES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_LOW,
-            0,
-            56,
-            56,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
-
-       /* Cipher 4A */
+       /* Cipher C003 */
            {
             1,
             TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA,
@@ -958,7 +945,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
             SSL_ALL_STRENGTHS,
             },
 
-       /* Cipher 4B */
+       /* Cipher C004 */
            {
             1,
             TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
@@ -972,7 +959,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
             SSL_ALL_STRENGTHS,
             },
 
-       /* Cipher 4C */
+       /* Cipher C005 */
            {
             1,
             TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
@@ -986,12 +973,12 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
             SSL_ALL_STRENGTHS,
             },
 
-       /* Cipher 4D */
+       /* Cipher C006 */
            {
             1,
-            TLS1_TXT_ECDH_RSA_WITH_NULL_SHA,
-            TLS1_CK_ECDH_RSA_WITH_NULL_SHA,
-            SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA|SSL_TLSV1,
+            TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA,
+            TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA,
+            SSL_kECDHE|SSL_aECDSA|SSL_eNULL|SSL_SHA|SSL_TLSV1,
             SSL_NOT_EXP,
             0,
             0,
@@ -1000,12 +987,12 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
             SSL_ALL_STRENGTHS,
             },
 
-       /* Cipher 4E */
+       /* Cipher C007 */
            {
             1,
-            TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA,
-            TLS1_CK_ECDH_RSA_WITH_RC4_128_SHA,
-            SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
+            TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
+            TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA,
+            SSL_kECDHE|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
             SSL_NOT_EXP,
             0,
             128,
@@ -1014,21 +1001,77 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
             SSL_ALL_STRENGTHS,
             },
 
-       /* Cipher 4F */
+       /* Cipher C008 */
+           {
+            1,
+            TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
+            TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
+            SSL_kECDHE|SSL_aECDSA|SSL_3DES|SSL_SHA|SSL_TLSV1,
+            SSL_NOT_EXP|SSL_HIGH,
+            0,
+            168,
+            168,
+            SSL_ALL_CIPHERS,
+            SSL_ALL_STRENGTHS,
+            },
+
+       /* Cipher C009 */
+           {
+            1,
+            TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+            TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+            SSL_kECDHE|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1,
+            SSL_NOT_EXP|SSL_HIGH,
+            0,
+            128,
+            128,
+            SSL_ALL_CIPHERS,
+            SSL_ALL_STRENGTHS,
+            },
+
+       /* Cipher C00A */
            {
             1,
-            TLS1_TXT_ECDH_RSA_WITH_DES_CBC_SHA,
-            TLS1_CK_ECDH_RSA_WITH_DES_CBC_SHA,
-            SSL_kECDH|SSL_aRSA|SSL_DES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_LOW,
+            TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+            TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+            SSL_kECDHE|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1,
+            SSL_NOT_EXP|SSL_HIGH,
             0,
-            56,
-            56,
+            256,
+            256,
             SSL_ALL_CIPHERS,
             SSL_ALL_STRENGTHS,
             },
 
-       /* Cipher 50 */
+       /* Cipher C00B */
+           {
+            1,
+            TLS1_TXT_ECDH_RSA_WITH_NULL_SHA,
+            TLS1_CK_ECDH_RSA_WITH_NULL_SHA,
+            SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA|SSL_TLSV1,
+            SSL_NOT_EXP,
+            0,
+            0,
+            0,
+            SSL_ALL_CIPHERS,
+            SSL_ALL_STRENGTHS,
+            },
+
+       /* Cipher C00C */
+           {
+            1,
+            TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA,
+            TLS1_CK_ECDH_RSA_WITH_RC4_128_SHA,
+            SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
+            SSL_NOT_EXP,
+            0,
+            128,
+            128,
+            SSL_ALL_CIPHERS,
+            SSL_ALL_STRENGTHS,
+            },
+
+       /* Cipher C00D */
            {
             1,
             TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA,
@@ -1042,7 +1085,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
             SSL_ALL_STRENGTHS,
             },
 
-       /* Cipher 51 */
+       /* Cipher C00E */
            {
             1,
             TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA,
@@ -1056,7 +1099,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
             SSL_ALL_STRENGTHS,
             },
 
-       /* Cipher 52 */
+       /* Cipher C00F */
            {
             1,
             TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA,
@@ -1070,35 +1113,77 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
             SSL_ALL_STRENGTHS,
             },
 
-       /* Cipher 53 */
+       /* Cipher C010 */
            {
             1,
-            TLS1_TXT_ECDH_RSA_EXPORT_WITH_RC4_40_SHA,
-            TLS1_CK_ECDH_RSA_EXPORT_WITH_RC4_40_SHA,
-            SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
-            SSL_EXPORT|SSL_EXP40,
+            TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA,
+            TLS1_CK_ECDHE_RSA_WITH_NULL_SHA,
+            SSL_kECDHE|SSL_aRSA|SSL_eNULL|SSL_SHA|SSL_TLSV1,
+            SSL_NOT_EXP,
+            0,
+            0,
+            0,
+            SSL_ALL_CIPHERS,
+            SSL_ALL_STRENGTHS,
+            },
+
+       /* Cipher C011 */
+           {
+            1,
+            TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA,
+            TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA,
+            SSL_kECDHE|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
+            SSL_NOT_EXP,
             0,
-            40,
+            128,
             128,
             SSL_ALL_CIPHERS,
             SSL_ALL_STRENGTHS,
             },
 
-       /* Cipher 54 */
+       /* Cipher C012 */
            {
             1,
-            TLS1_TXT_ECDH_RSA_EXPORT_WITH_RC4_56_SHA,
-            TLS1_CK_ECDH_RSA_EXPORT_WITH_RC4_56_SHA,
-            SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
-            SSL_EXPORT|SSL_EXP56,
+            TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
+            TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
+            SSL_kECDHE|SSL_aRSA|SSL_3DES|SSL_SHA|SSL_TLSV1,
+            SSL_NOT_EXP|SSL_HIGH,
+            0,
+            168,
+            168,
+            SSL_ALL_CIPHERS,
+            SSL_ALL_STRENGTHS,
+            },
+
+       /* Cipher C013 */
+           {
+            1,
+            TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+            TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+            SSL_kECDHE|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
+            SSL_NOT_EXP|SSL_HIGH,
             0,
-            56,
             128,
+            128,
+            SSL_ALL_CIPHERS,
+            SSL_ALL_STRENGTHS,
+            },
+
+       /* Cipher C014 */
+           {
+            1,
+            TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+            TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+            SSL_kECDHE|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
+            SSL_NOT_EXP|SSL_HIGH,
+            0,
+            256,
+            256,
             SSL_ALL_CIPHERS,
             SSL_ALL_STRENGTHS,
             },
 
-       /* Cipher 55 */
+       /* Cipher C015 */
             {
             1,
             TLS1_TXT_ECDH_anon_WITH_NULL_SHA,
@@ -1112,7 +1197,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
             SSL_ALL_STRENGTHS,
            },
 
-       /* Cipher 56 */
+       /* Cipher C016 */
             {
             1,
             TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA,
@@ -1126,21 +1211,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
             SSL_ALL_STRENGTHS,
            },
 
-       /* Cipher 57 */
-           {
-            1,
-            TLS1_TXT_ECDH_anon_WITH_DES_CBC_SHA,
-            TLS1_CK_ECDH_anon_WITH_DES_CBC_SHA,
-            SSL_kECDHE|SSL_aNULL|SSL_DES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_LOW,
-            0,
-            56,
-            56,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
-
-       /* Cipher 58 */
+       /* Cipher C017 */
            {
             1,
             TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA,
@@ -1154,63 +1225,33 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
             SSL_ALL_STRENGTHS,
             },
 
-       /* Cipher 59 */
+       /* Cipher C018 */
            {
             1,
-            TLS1_TXT_ECDH_anon_EXPORT_WITH_DES_40_CBC_SHA,
-            TLS1_CK_ECDH_anon_EXPORT_WITH_DES_40_CBC_SHA,
-            SSL_kECDHE|SSL_aNULL|SSL_DES|SSL_SHA|SSL_TLSV1,
-            SSL_EXPORT|SSL_EXP40,
-            0,
-            40,
-            56,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
-
-       /* Cipher 5A */
-           {
-            1,
-            TLS1_TXT_ECDH_anon_EXPORT_WITH_RC4_40_SHA,
-            TLS1_CK_ECDH_anon_EXPORT_WITH_RC4_40_SHA,
-            SSL_kECDHE|SSL_aNULL|SSL_RC4|SSL_SHA|SSL_TLSV1,
-            SSL_EXPORT|SSL_EXP40,
+            TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA,
+            TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA,
+            SSL_kECDHE|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
+            SSL_NOT_EXP|SSL_HIGH,
             0,
-            40,
             128,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
-       /* Cipher 5B */
-       /* XXX NOTE: The ECC/TLS draft has a bug and reuses 4B for this */
-           {
-            1,
-            TLS1_TXT_ECDH_ECDSA_EXPORT_WITH_RC4_40_SHA,
-            TLS1_CK_ECDH_ECDSA_EXPORT_WITH_RC4_40_SHA,
-            SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
-            SSL_EXPORT|SSL_EXP40,
-            0,
-            40,
             128,
             SSL_ALL_CIPHERS,
             SSL_ALL_STRENGTHS,
             },
 
-       /* Cipher 5C */
-       /* XXX NOTE: The ECC/TLS draft has a bug and reuses 4C for this */
+       /* Cipher C019 */
            {
             1,
-            TLS1_TXT_ECDH_ECDSA_EXPORT_WITH_RC4_56_SHA,
-            TLS1_CK_ECDH_ECDSA_EXPORT_WITH_RC4_56_SHA,
-            SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
-            SSL_EXPORT|SSL_EXP56,
+            TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA,
+            TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA,
+            SSL_kECDHE|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
+            SSL_NOT_EXP|SSL_HIGH,
             0,
-            56,
-            128,
+            256,
+            256,
             SSL_ALL_CIPHERS,
             SSL_ALL_STRENGTHS,
             },
-
 #endif /* OPENSSL_NO_ECDH */
 
 #if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
@@ -1308,45 +1349,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
            },
 #endif
 
-#ifndef OPENSSL_NO_ECDH
-       /* Cipher 77 XXX: ECC ciphersuites offering forward secrecy
-        * are not yet specified in the ECC/TLS draft but our code
-        * allows them to be implemented very easily. To add such
-        * a cipher suite, one needs to add two constant definitions
-        * to tls1.h and a new structure in this file as shown below. We 
-        * illustrate the process for the made-up cipher
-        * ECDHE-ECDSA-AES128-SHA.
-        */
-           {
-            1,
-            TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-            TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-            SSL_kECDHE|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH,
-            0,
-            128,
-            128,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
-
-       /* Cipher 78 XXX: Another made-up ECC cipher suite that
-        * offers forward secrecy (ECDHE-RSA-AES128-SHA).
-        */
-           {
-            1,
-            TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-            TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-            SSL_kECDHE|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH,
-            0,
-            128,
-            128,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
-#endif /* !OPENSSL_NO_ECDH */
-
 /* end of list */
        };
 
index 39a6aeba68ead38ba04911886122f175d391969d..1a52d1b7ff3c4047fc26d33688241b3bdd900ad5 100644 (file)
@@ -1366,11 +1366,11 @@ int ssl3_send_server_key_exchange(SSL *s)
 
                        /* XXX: For now, we only support named (not 
                         * generic) curves in ECDH ephemeral key exchanges.
-                        * In this situation, we need three additional bytes
+                        * In this situation, we need four additional bytes
                         * to encode the entire ServerECDHParams
                         * structure. 
                         */
-                       n = 3 + encodedlen;
+                       n = 4 + encodedlen;
 
                        /* We'll generate the serverKeyExchange message
                         * explicitly so we can set these to NULLs
@@ -1378,6 +1378,7 @@ int ssl3_send_server_key_exchange(SSL *s)
                        r[0]=NULL;
                        r[1]=NULL;
                        r[2]=NULL;
+                       r[3]=NULL;
                        }
                else 
 #endif /* !OPENSSL_NO_ECDH */
@@ -1428,12 +1429,14 @@ int ssl3_send_server_key_exchange(SSL *s)
                        {
                        /* XXX: For now, we only support named (not generic) curves.
                         * In this situation, the serverKeyExchange message has:
-                        * [1 byte CurveType], [1 byte CurveName]
+                        * [1 byte CurveType], [2 byte CurveName]
                         * [1 byte length of encoded point], followed by
                         * the actual encoded point itself
                         */
                        *p = NAMED_CURVE_TYPE;
                        p += 1;
+                       *p = 0;
+                       p += 1;
                        *p = curve_id;
                        p += 1;
                        *p = encodedlen;
@@ -1637,23 +1640,6 @@ err:
        return(-1);
        }
 
-
-#ifndef OPENSSL_NO_ECDH
-static const int KDF1_SHA1_len = 20;
-static void *KDF1_SHA1(const void *in, size_t inlen, void *out, size_t *outlen)
-       {
-#ifndef OPENSSL_NO_SHA
-       if (*outlen < SHA_DIGEST_LENGTH)
-               return NULL;
-       else
-               *outlen = SHA_DIGEST_LENGTH;
-       return SHA1(in, inlen, out);
-#else
-       return NULL;
-#endif /* OPENSSL_NO_SHA */
-       }
-#endif /* OPENSSL_NO_ECDH */
-
 int ssl3_get_client_key_exchange(SSL *s)
        {
        int i,al,ok;
@@ -2156,14 +2142,7 @@ int ssl3_get_client_key_exchange(SSL *s)
                               ERR_R_ECDH_LIB);
                        goto err;
                        }
-               /* If field size is not more than 24 octets, then use SHA-1 hash of result;
-                * otherwise, use result (see section 4.8 of draft-ietf-tls-ecc-03.txt;
-                * this is new with this version of the Internet Draft).
-                */
-               if (field_size <= 24 * 8)
-                   i = ECDH_compute_key(p, KDF1_SHA1_len, clnt_ecpoint, srvr_ecdh, KDF1_SHA1);
-               else
-                   i = ECDH_compute_key(p, (field_size+7)/8, clnt_ecpoint, srvr_ecdh, NULL);
+               i = ECDH_compute_key(p, (field_size+7)/8, clnt_ecpoint, srvr_ecdh, NULL);
                 if (i <= 0)
                         {
                         SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
index be15445384122f7a3ddfdf2455c28274a52ce4f3..f8a215e6e9118f933e4975daebe50b19d39c5bfd 100644 (file)
@@ -125,51 +125,36 @@ extern "C" {
 #define TLS1_CK_DHE_RSA_WITH_AES_256_SHA               0x03000039
 #define TLS1_CK_ADH_WITH_AES_256_SHA                   0x0300003A
 
-/* ECC ciphersuites from draft-ietf-tls-ecc-01.txt (Mar 15, 2001).
- * XXX NOTE: There is a bug in the draft, cipher numbers 4B, and 4C
- * are defined twice so we define ECDH_ECDSA_EXPORT cipher
- * suites to use 5B and 5C instead (this may change with future
- * updates to the IETF draft).
- */
-/* draft-ietf-tls-ecc-03.txt (June 2003) gives a changed list of
- * ciphersuites, but does not define numbers for all of them
- * because of possible conflicts with other Internet Drafts;
- * most numbers are still subject to change. */
-#define TLS1_CK_ECDH_ECDSA_WITH_NULL_SHA                0x03000047
-#define TLS1_CK_ECDH_ECDSA_WITH_RC4_128_SHA             0x03000048
-#define TLS1_CK_ECDH_ECDSA_WITH_DES_CBC_SHA             0x03000049
-#define TLS1_CK_ECDH_ECDSA_WITH_DES_192_CBC3_SHA        0x0300004A
-#define TLS1_CK_ECDH_ECDSA_WITH_AES_128_CBC_SHA         0x0300004B
-#define TLS1_CK_ECDH_ECDSA_WITH_AES_256_CBC_SHA         0x0300004C
-#define TLS1_CK_ECDH_ECDSA_EXPORT_WITH_RC4_40_SHA       0x0300005B
-#define TLS1_CK_ECDH_ECDSA_EXPORT_WITH_RC4_56_SHA       0x0300005C
+/* ECC ciphersuites from draft-ietf-tls-ecc-12.txt with changes soon to be in draft 13 */
+#define TLS1_CK_ECDH_ECDSA_WITH_NULL_SHA                0x0300C001
+#define TLS1_CK_ECDH_ECDSA_WITH_RC4_128_SHA             0x0300C002
+#define TLS1_CK_ECDH_ECDSA_WITH_DES_192_CBC3_SHA        0x0300C003
+#define TLS1_CK_ECDH_ECDSA_WITH_AES_128_CBC_SHA         0x0300C004
+#define TLS1_CK_ECDH_ECDSA_WITH_AES_256_CBC_SHA         0x0300C005
 
-#define TLS1_CK_ECDH_RSA_WITH_NULL_SHA                  0x0300004D
-#define TLS1_CK_ECDH_RSA_WITH_RC4_128_SHA               0x0300004E
-#define TLS1_CK_ECDH_RSA_WITH_DES_CBC_SHA               0x0300004F
-#define TLS1_CK_ECDH_RSA_WITH_DES_192_CBC3_SHA          0x03000050
-#define TLS1_CK_ECDH_RSA_WITH_AES_128_CBC_SHA           0x03000051
-#define TLS1_CK_ECDH_RSA_WITH_AES_256_CBC_SHA           0x03000052
-#define TLS1_CK_ECDH_RSA_EXPORT_WITH_RC4_40_SHA         0x03000053
-#define TLS1_CK_ECDH_RSA_EXPORT_WITH_RC4_56_SHA         0x03000054
+#define TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA               0x0300C006
+#define TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA            0x0300C007
+#define TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA       0x0300C008
+#define TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA        0x0300C009
+#define TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA        0x0300C00A
 
-#define TLS1_CK_ECDH_anon_WITH_NULL_SHA                 0x03000055
-#define TLS1_CK_ECDH_anon_WITH_RC4_128_SHA              0x03000056
-#define TLS1_CK_ECDH_anon_WITH_DES_CBC_SHA              0x03000057
-#define TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA         0x03000058
-#define TLS1_CK_ECDH_anon_EXPORT_WITH_DES_40_CBC_SHA    0x03000059
-#define TLS1_CK_ECDH_anon_EXPORT_WITH_RC4_40_SHA        0x0300005A
+#define TLS1_CK_ECDH_RSA_WITH_NULL_SHA                  0x0300C00B
+#define TLS1_CK_ECDH_RSA_WITH_RC4_128_SHA               0x0300C00C
+#define TLS1_CK_ECDH_RSA_WITH_DES_192_CBC3_SHA          0x0300C00D
+#define TLS1_CK_ECDH_RSA_WITH_AES_128_CBC_SHA           0x0300C00E
+#define TLS1_CK_ECDH_RSA_WITH_AES_256_CBC_SHA           0x0300C00F
 
-/* XXX: ECC ciphersuites offering forward secrecy are not yet specified
- * in the ECC/TLS draft but our code allows them to be implemented
- * very easily. To add such a cipher suite, one needs to add two constant
- * definitions to this file and a new structure in s3_lib.c. We illustrate
- * the process for the made-up ciphers ECDHE-ECDSA-AES128-SHA and
- * ECDHE-RSA-AES128-SHA.
- */
-#define TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA        0x03000077
-#define TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA          0x03000078
+#define TLS1_CK_ECDHE_RSA_WITH_NULL_SHA                 0x0300C010
+#define TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA              0x0300C011
+#define TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA         0x0300C012
+#define TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA          0x0300C013
+#define TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA          0x0300C014
 
+#define TLS1_CK_ECDH_anon_WITH_NULL_SHA                 0x0300C015
+#define TLS1_CK_ECDH_anon_WITH_RC4_128_SHA              0x0300C016
+#define TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA         0x0300C017
+#define TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA          0x0300C018
+#define TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA          0x0300C019
 
 /* XXX
  * Inconsistency alert:
@@ -204,43 +189,41 @@ extern "C" {
 /* ECC ciphersuites from draft-ietf-tls-ecc-01.txt (Mar 15, 2001) */
 #define TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA               "ECDH-ECDSA-NULL-SHA"
 #define TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA            "ECDH-ECDSA-RC4-SHA"
-#define TLS1_TXT_ECDH_ECDSA_WITH_DES_CBC_SHA            "ECDH-ECDSA-DES-CBC-SHA"
 #define TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA       "ECDH-ECDSA-DES-CBC3-SHA"
 #define TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA        "ECDH-ECDSA-AES128-SHA"
 #define TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA        "ECDH-ECDSA-AES256-SHA"
-#define TLS1_TXT_ECDH_ECDSA_EXPORT_WITH_RC4_40_SHA      "EXP-ECDH-ECDSA-RC4-40-SHA"
-#define TLS1_TXT_ECDH_ECDSA_EXPORT_WITH_RC4_56_SHA      "EXP-ECDH-ECDSA-RC4-56-SHA"
+
+#define TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA              "ECDHE-ECDSA-NULL-SHA"
+#define TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA           "ECDHE-ECDSA-RC4-SHA"
+#define TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA      "ECDHE-ECDSA-DES-CBC3-SHA"
+#define TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA       "ECDHE-ECDSA-AES128-SHA"
+#define TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA       "ECDHE-ECDSA-AES256-SHA"
 
 #define TLS1_TXT_ECDH_RSA_WITH_NULL_SHA                 "ECDH-RSA-NULL-SHA"
 #define TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA              "ECDH-RSA-RC4-SHA"
-#define TLS1_TXT_ECDH_RSA_WITH_DES_CBC_SHA              "ECDH-RSA-DES-CBC-SHA"
 #define TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA         "ECDH-RSA-DES-CBC3-SHA"
 #define TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA          "ECDH-RSA-AES128-SHA"
 #define TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA          "ECDH-RSA-AES256-SHA"
-#define TLS1_TXT_ECDH_RSA_EXPORT_WITH_RC4_40_SHA        "EXP-ECDH-RSA-RC4-40-SHA"
-#define TLS1_TXT_ECDH_RSA_EXPORT_WITH_RC4_56_SHA        "EXP-ECDH-RSA-RC4-56-SHA"
+
+#define TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA                "ECDHE-RSA-NULL-SHA"
+#define TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA             "ECDHE-RSA-RC4-SHA"
+#define TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA        "ECDHE-RSA-DES-CBC3-SHA"
+#define TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA         "ECDHE-RSA-AES128-SHA"
+#define TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA         "ECDHE-RSA-AES256-SHA"
 
 #define TLS1_TXT_ECDH_anon_WITH_NULL_SHA                "AECDH-NULL-SHA"
 #define TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA             "AECDH-RC4-SHA"
-#define TLS1_TXT_ECDH_anon_WITH_DES_CBC_SHA             "AECDH-DES-CBC-SHA"
 #define TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA        "AECDH-DES-CBC3-SHA"
-#define TLS1_TXT_ECDH_anon_EXPORT_WITH_DES_40_CBC_SHA   "EXP-AECDH-DES-40-CBC-SHA"
-#define TLS1_TXT_ECDH_anon_EXPORT_WITH_RC4_40_SHA       "EXP-AECDH-RC4-40-SHA"
-
-/* XXX: Made-up ECC cipher suites offering forward secrecy. This is for 
- * illustration only. 
- */
-#define TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA       "ECDHE-ECDSA-AES128-SHA"
-#define TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA         "ECDHE-RSA-AES128-SHA"
-
+#define TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA         "AECDH-AES128-SHA"
+#define TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA         "AECDH-AES256-SHA"
 
 #define TLS_CT_RSA_SIGN                        1
 #define TLS_CT_DSS_SIGN                        2
 #define TLS_CT_RSA_FIXED_DH            3
 #define TLS_CT_DSS_FIXED_DH            4
-#define TLS_CT_ECDSA_SIGN              5
-#define TLS_CT_RSA_FIXED_ECDH          6
-#define TLS_CT_ECDSA_FIXED_ECDH        7
+#define TLS_CT_ECDSA_SIGN              64
+#define TLS_CT_RSA_FIXED_ECDH          65
+#define TLS_CT_ECDSA_FIXED_ECDH        66
 #define TLS_CT_NUMBER                  7
 
 #define TLS1_FINISH_MAC_LENGTH         12