AES cipher suites are now official (RFC3268)
authorBodo Möller <bodo@openssl.org>
Thu, 4 Jul 2002 08:51:09 +0000 (08:51 +0000)
committerBodo Möller <bodo@openssl.org>
Thu, 4 Jul 2002 08:51:09 +0000 (08:51 +0000)
CHANGES
NEWS
crypto/asn1/asn1_par.c
ssl/ssl.h
ssl/ssl_ciph.c
ssl/tls1.h

diff --git a/CHANGES b/CHANGES
index 19d5c346ae42154edcc732ece25ddf6c49b59b69..c61871907aa88b78142834f244029691068e2cdf 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,15 @@
 
  Changes between 0.9.7 and 0.9.8  [xx XXX 2002]
 
+  *) Change default behaviour of 'openssl asn1parse' so that more
+     information is visible when viewing, e.g., a certificate:
+
+     Modify asn1_parse2 (crypto/asn1/asn1_par.c) so that in non-'dump'
+     mode the content of non-printable OCTET STRINGs is output in a
+     style similar to INTEGERs, but with '[HEX DUMP]' prepended to
+     avoid the appearance of a printable string.
+     [Nils Larsch <nla@trustcenter.de>]
+
   *) Add 'asn1_flag' and 'asn1_form' member to EC_GROUP with access
      functions
           EC_GROUP_set_asn1_flag()
@@ -1143,14 +1152,15 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
      handle the new API. Currently only ECB, CBC modes supported. Add new
      AES OIDs.
 
-     Add TLS AES ciphersuites as described in the "AES Ciphersuites
-     for TLS" draft-ietf-tls-ciphersuite-06.txt. As these are not yet
-     official, they are not enabled by default and are not even part
-     of the "ALL" ciphersuite alias; for now, they must be explicitly
-     requested by specifying the new "AESdraft" ciphersuite alias. If
-     you want the default ciphersuite list plus the new ciphersuites,
-     use "DEFAULT:AESdraft:@STRENGTH".
-     [Ben Laurie, Steve Henson, Bodo Moeller]
+     Add TLS AES ciphersuites as described in RFC3268, "Advanced
+     Encryption Standard (AES) Ciphersuites for Transport Layer
+     Security (TLS)".  (In beta versions of OpenSSL 0.9.7, these were
+     not enabled by default and were not part of the "ALL" ciphersuite
+     alias because they were not yet official; they could be
+     explicitly requested by specifying the "AESdraft" ciphersuite
+     group alias.  In the final release of OpenSSL 0.9.7, the group
+     alias is called "AES" and is part of "ALL".)
+     [Ben Laurie, Steve  Henson, Bodo Moeller]
 
   *) New function OCSP_copy_nonce() to copy nonce value (if present) from
      request to response.
diff --git a/NEWS b/NEWS
index 06e165a45f477b1e768990bc5f4bd22df98c6d0e..27792864c5786298e81cd1b9d203a1afe5efba06 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -38,7 +38,7 @@
       o SSL/TLS: support Kerberos cipher suites (RFC2712).
       o SSL/TLS: allow more precise control of renegotiations and sessions.
       o SSL/TLS: add callback to retrieve SSL/TLS messages.
-      o SSL/TLS: add draft AES ciphersuites (disabled unless explicitly requested).
+      o SSL/TLS: support AES cipher suites (RFC3268).
 
   Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d:
 
index facfdd27fca0159f28f39e6d4fb50a2381985cc7..10c8946769f29feec5a1ad2b19e328fedfd4eb07 100644 (file)
@@ -261,9 +261,11 @@ static int asn1_parse2(BIO *bp, unsigned char **pp, long length, int offset,
 
                                opp=op;
                                os=d2i_ASN1_OCTET_STRING(NULL,&opp,len+hl);
-                               if (os != NULL)
+                               if (os != NULL && os->length > 0)
                                        {
-                                       opp=os->data;
+                                       opp = os->data;
+                                       /* testing whether the octet string is
+                                        * printable */
                                        for (i=0; i<os->length; i++)
                                                {
                                                if ((   (opp[i] < ' ') &&
@@ -276,7 +278,8 @@ static int asn1_parse2(BIO *bp, unsigned char **pp, long length, int offset,
                                                        break;
                                                        }
                                                }
-                                       if (printable && (os->length > 0))
+                                       if (printable)
+                                       /* printable string */
                                                {
                                                if (BIO_write(bp,":",1) <= 0)
                                                        goto end;
@@ -284,8 +287,21 @@ static int asn1_parse2(BIO *bp, unsigned char **pp, long length, int offset,
                                                        os->length) <= 0)
                                                        goto end;
                                                }
-                                       if (!printable && (os->length > 0)
-                                               && dump)
+                                       else if (!dump)
+                                       /* not printable => print octet string
+                                        * as hex dump */
+                                               {
+                                               if (BIO_write(bp,"[HEX DUMP]:",11) <= 0)
+                                                       goto end;
+                                               for (i=0; i<os->length; i++)
+                                                       {
+                                                       if (BIO_printf(bp,"%02X"
+                                                               , opp[i]) <= 0)
+                                                               goto end;
+                                                       }
+                                               }
+                                       else
+                                       /* print the normal dump */
                                                {
                                                if (!nl) 
                                                        {
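Review bot: The new `else if (!dump)` branch prints all `os->length` bytes as hex with one `BIO_printf` call per byte and no upper bound, whereas the dump branch just below limits output to `dump` bytes. Since this is now the default path for `openssl asn1parse`, a large non-printable OCTET STRING in untrusted DER produces a single output line twice the size of the content. I would either apply a length cap with a truncation marker, or at least say so in the comment: `/* not printable => hex dump of the whole string; no length cap here */`. The branch also adds two `goto end` exits while `os` is still allocated, and whether the `end:` label frees `os` is outside this hunk, so that should be confirmed. The body of asn1_parse2 starts and ends outside the hunk.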
@@ -293,11 +309,15 @@ static int asn1_parse2(BIO *bp, unsigned char **pp, long length, int offset,
                                                                goto end;
                                                        }
                                                if (BIO_dump_indent(bp,(char *)opp,
-                                                       ((dump == -1 || dump > os->length)?os->length:dump),
+                                                       ((dump == -1 || dump > 
+                                                       os->length)?os->length:dump),
                                                        dump_indent) <= 0)
                                                        goto end;
                                                nl=1;
                                                }
+                                       }
+                               if (os != NULL)
+                                       {
                                        M_ASN1_OCTET_STRING_free(os);
                                        os=NULL;
                                        }
index 474e5a76efffc36aa665d0b35f08941e924b7824..bb2eda0b5c41d3145b541163f4b1215a39ec7436 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -253,7 +253,7 @@ extern "C" {
 #define SSL_TXT_RC4            "RC4"
 #define SSL_TXT_RC2            "RC2"
 #define SSL_TXT_IDEA           "IDEA"
-#define SSL_TXT_AES            "AESdraft" /* AES ciphersuites are not yet official (thus excluded from 'ALL') */
+#define SSL_TXT_AES            "AES"
 #define SSL_TXT_MD5            "MD5"
 #define SSL_TXT_SHA1           "SHA1"
 #define SSL_TXT_SHA            "SHA"
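Review bot: The alias string changes from `"AESdraft"` to `"AES"` with no compatibility alias left behind, so a cipher list written against the 0.9.7 betas no longer names this group. The same applies to the per-suite names renamed in the ssl/tls1.h hunk (`"AESdraft128-SHA"` becomes `"AES128-SHA"`, and so on). How the rule parser treats an unknown name is not visible here, but if it skips unknown names silently, an exclusion written with the old spelling would stop excluding these suites without any error. The CHANGES entry mentions only the group alias, so it should also say that the individual suite names changed. A comment here would help too, for example `/* was "AESdraft" in the 0.9.7 betas; the old name is no longer recognised */`.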
index cdd8dde128bdca9815194a618df0608086d3629a..a1cef720829676959eba3300b0781fbc1d103be3 100644 (file)
@@ -100,9 +100,8 @@ typedef struct cipher_order_st
        } CIPHER_ORDER;
 
 static const SSL_CIPHER cipher_aliases[]={
-       /* Don't include eNULL unless specifically enabled.
-        * Similarly, don't include AES in ALL because these ciphers are not yet official. */
-       {0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL & ~SSL_AES, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */
+       /* Don't include eNULL unless specifically enabled. */
+       {0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */
         {0,SSL_TXT_kKRB5,0,SSL_kKRB5,0,0,0,0,SSL_MKEY_MASK,0},  /* VRS Kerberos5 */
        {0,SSL_TXT_kRSA,0,SSL_kRSA,  0,0,0,0,SSL_MKEY_MASK,0},
        {0,SSL_TXT_kDHr,0,SSL_kDHr,  0,0,0,0,SSL_MKEY_MASK,0},
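Review bot: With `& ~SSL_AES` dropped from the `SSL_TXT_ALL` mask, every AES suite becomes selectable through "ALL", but the remaining comment documents only the eNULL exclusion. The suite names in ssl/tls1.h include the anonymous `ADH-AES128-SHA` and `ADH-AES256-SHA`, which provide no server authentication; whether other aliases or the default list filter them out is not visible in this hunk. I would extend the comment, for example `/* Don't include eNULL unless specifically enabled. ALL does include the RFC3268 AES suites, the anonymous (ADH) ones too. */`, so that callers relying on "ALL" know to exclude anonymous suites explicitly when they need authenticated ones only. The `cipher_aliases[]` initializer continues outside the hunk.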
@@ -999,10 +998,10 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
        case SSL_AES:
                switch(cipher->strength_bits)
                        {
-               case 128: enc="AESdraft(128)"; break;
-               case 192: enc="AESdraft(192)"; break;
-               case 256: enc="AESdraft(256)"; break;
-               default: enc="AESdraft(?""?""?)"; break;
+               case 128: enc="AES(128)"; break;
+               case 192: enc="AES(192)"; break;
+               case 256: enc="AES(256)"; break;
+               default: enc="AES(?""?""?)"; break;
                        }
                break;
        default:
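Review bot: The inner `default:` arm builds its string as `"AES(?""?""?)"`, split into three pieces with no explanation. Presumably the split keeps `??)` from being read as a trigraph, and a maintainer who joins the pieces could silently change the output. A short comment would protect it: `/* literal is split because "??)" would be a trigraph */`. The description text also changes spelling from `AESdraft(...)` to `AES(...)`, so any tooling that matches the old string in SSL_CIPHER_description output needs updating. The enclosing switch starts and ends outside the hunk.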
index 1da2c9c9ae75ba5768f843da603bf8c0b6b6b5cf..38838ea9a5dacb425390bba3c6758fef175a7188 100644 (file)
@@ -96,7 +96,7 @@ extern "C" {
 #define TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA     0x03000065
 #define TLS1_CK_DHE_DSS_WITH_RC4_128_SHA               0x03000066
 
-  /* AES ciphersuites from draft-ietf-tls-ciphersuite-06.txt */
+/* AES ciphersuites from RFC3268 */
 
 #define TLS1_CK_RSA_WITH_AES_128_SHA                   0x0300002F
 #define TLS1_CK_DH_DSS_WITH_AES_128_SHA                        0x03000030
@@ -126,20 +126,21 @@ extern "C" {
 #define TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA                "EXP1024-RC4-SHA"
 #define TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA    "EXP1024-DHE-DSS-RC4-SHA"
 #define TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA              "DHE-DSS-RC4-SHA"
-  /* AES ciphersuites from draft ietf-tls-ciphersuite-03.txt */
-#define TLS1_TXT_RSA_WITH_AES_128_SHA                  "AESdraft128-SHA"
-#define TLS1_TXT_DH_DSS_WITH_AES_128_SHA               "DH-DSS-AESdraft128-SHA"
-#define TLS1_TXT_DH_RSA_WITH_AES_128_SHA               "DH-RSA-AESdraft128-SHA"
-#define TLS1_TXT_DHE_DSS_WITH_AES_128_SHA              "DHE-DSS-AESdraft128-SHA"
-#define TLS1_TXT_DHE_RSA_WITH_AES_128_SHA              "DHE-RSA-AESdraft128-SHA"
-#define TLS1_TXT_ADH_WITH_AES_128_SHA                  "ADH-AESdraft128-SHA"
-
-#define TLS1_TXT_RSA_WITH_AES_256_SHA                  "AESdraft256-SHA"
-#define TLS1_TXT_DH_DSS_WITH_AES_256_SHA               "DH-DSS-AESdraft256-SHA"
-#define TLS1_TXT_DH_RSA_WITH_AES_256_SHA               "DH-RSA-AESdraft256-SHA"
-#define TLS1_TXT_DHE_DSS_WITH_AES_256_SHA              "DHE-DSS-AESdraft256-SHA"
-#define TLS1_TXT_DHE_RSA_WITH_AES_256_SHA              "DHE-RSA-AESdraft256-SHA"
-#define TLS1_TXT_ADH_WITH_AES_256_SHA                  "ADH-AESdraft256-SHA"
+
+/* AES ciphersuites from RFC3268 */
+#define TLS1_TXT_RSA_WITH_AES_128_SHA                  "AES128-SHA"
+#define TLS1_TXT_DH_DSS_WITH_AES_128_SHA               "DH-DSS-AES128-SHA"
+#define TLS1_TXT_DH_RSA_WITH_AES_128_SHA               "DH-RSA-AES128-SHA"
+#define TLS1_TXT_DHE_DSS_WITH_AES_128_SHA              "DHE-DSS-AES128-SHA"
+#define TLS1_TXT_DHE_RSA_WITH_AES_128_SHA              "DHE-RSA-AES128-SHA"
+#define TLS1_TXT_ADH_WITH_AES_128_SHA                  "ADH-AES128-SHA"
+
+#define TLS1_TXT_RSA_WITH_AES_256_SHA                  "AES256-SHA"
+#define TLS1_TXT_DH_DSS_WITH_AES_256_SHA               "DH-DSS-AES256-SHA"
+#define TLS1_TXT_DH_RSA_WITH_AES_256_SHA               "DH-RSA-AES256-SHA"
+#define TLS1_TXT_DHE_DSS_WITH_AES_256_SHA              "DHE-DSS-AES256-SHA"
+#define TLS1_TXT_DHE_RSA_WITH_AES_256_SHA              "DHE-RSA-AES256-SHA"
+#define TLS1_TXT_ADH_WITH_AES_256_SHA                  "ADH-AES256-SHA"
 
 
 #define TLS_CT_RSA_SIGN                        1