From: jsing Date: Sat, 12 Jul 2014 22:33:39 +0000 (+0000) Subject: The correct name for EDH is DHE, likewise EECDH should be ECDHE. X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=daecd61139095533ccdd24c7b8fbac1ca439f207;p=openbsd The correct name for EDH is DHE, likewise EECDH should be ECDHE. Based on changes to OpenSSL trunk. ok beck@ miod@ --- diff --git a/lib/libssl/d1_clnt.c b/lib/libssl/d1_clnt.c index 004fd6e04f5..552667f6c13 100644 --- a/lib/libssl/d1_clnt.c +++ b/lib/libssl/d1_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_clnt.c,v 1.30 2014/07/12 13:11:53 jsing Exp $ */ +/* $OpenBSD: d1_clnt.c,v 1.31 2014/07/12 22:33:39 jsing Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -984,7 +984,7 @@ dtls1_send_client_key_exchange(SSL *s) s->session->master_key, tmp_buf, sizeof tmp_buf); OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); - } else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { + } else if (alg_k & (SSL_kDHE|SSL_kDHr|SSL_kDHd)) { DH *dh_srvr, *dh_clnt; if (s->session->sess_cert->peer_dh_tmp != NULL) @@ -1037,7 +1037,7 @@ dtls1_send_client_key_exchange(SSL *s) DH_free(dh_clnt); /* perhaps clean things up a bit EAY EAY EAY EAY*/ - } else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) { + } else if (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) { const EC_GROUP *srvr_group = NULL; EC_KEY *tkey; int ecdh_clnt_cert = 0; diff --git a/lib/libssl/d1_srvr.c b/lib/libssl/d1_srvr.c index a94b7ed61b1..ecf4a198b16 100644 --- a/lib/libssl/d1_srvr.c +++ b/lib/libssl/d1_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_srvr.c,v 1.32 2014/07/12 13:11:53 jsing Exp $ */ +/* $OpenBSD: d1_srvr.c,v 1.33 2014/07/12 22:33:39 jsing Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -464,8 +464,8 @@ dtls1_accept(SSL *s) /* only send if a DH key exchange or * RSA but we have a sign only certificate */ if (s->s3->tmp.use_rsa_tmp - || (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) - || (alg_k & SSL_kEECDH) + || (alg_k & (SSL_kDHE|SSL_kDHr|SSL_kDHd)) + || (alg_k & SSL_kECDHE) || ((alg_k & SSL_kRSA) && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL ) @@ -1052,7 +1052,7 @@ dtls1_send_server_key_exchange(SSL *s) r[1] = rsa->e; s->s3->tmp.use_rsa_tmp = 1; } else - if (type & SSL_kEDH) { + if (type & SSL_kDHE) { dhp = cert->dh_tmp; if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) dhp = s->cert->dh_tmp_cb(s, 0, 0); @@ -1094,7 +1094,7 @@ dtls1_send_server_key_exchange(SSL *s) r[1] = dh->g; r[2] = dh->pub_key; } else - if (type & SSL_kEECDH) { + if (type & SSL_kECDHE) { const EC_GROUP *group; ecdhp = cert->ecdh_tmp; @@ -1232,7 +1232,7 @@ dtls1_send_server_key_exchange(SSL *s) p += nr[i]; } - if (type & SSL_kEECDH) { + if (type & SSL_kECDHE) { /* XXX: For now, we only support named (not generic) curves. * In this situation, the serverKeyExchange message has: * [1 byte CurveType], [2 byte CurveName] diff --git a/lib/libssl/s3_clnt.c b/lib/libssl/s3_clnt.c index 252100f587d..b55b2e62c6a 100644 --- a/lib/libssl/s3_clnt.c +++ b/lib/libssl/s3_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_clnt.c,v 1.82 2014/07/12 22:17:59 jsg Exp $ */ +/* $OpenBSD: s3_clnt.c,v 1.83 2014/07/12 22:33:39 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1253,7 +1253,7 @@ ssl3_get_key_exchange(SSL *s) } s->session->sess_cert->peer_rsa_tmp = rsa; rsa = NULL; - } else if (alg_k & SSL_kEDH) { + } else if (alg_k & SSL_kDHE) { if ((dh = DH_new()) == NULL) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_DH_LIB); @@ -1328,7 +1328,7 @@ ssl3_get_key_exchange(SSL *s) SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER); goto f_err; - } else if (alg_k & SSL_kEECDH) { + } else if (alg_k & SSL_kECDHE) { EC_GROUP *ngroup; const EC_GROUP *group; @@ -1987,7 +1987,7 @@ ssl3_send_client_key_exchange(SSL *s) s->method->ssl3_enc->generate_master_secret( s, s->session->master_key, tmp_buf, sizeof tmp_buf); OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); - } else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { + } else if (alg_k & (SSL_kDHE|SSL_kDHr|SSL_kDHd)) { DH *dh_srvr, *dh_clnt; if (s->session->sess_cert == NULL) { @@ -2051,7 +2051,7 @@ ssl3_send_client_key_exchange(SSL *s) DH_free(dh_clnt); /* perhaps clean things up a bit EAY EAY EAY EAY*/ - } else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) { + } else if (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) { const EC_GROUP *srvr_group = NULL; EC_KEY *tkey; int ecdh_clnt_cert = 0; @@ -2640,7 +2640,7 @@ ssl3_check_cert_and_algorithm(SSL *s) SSL_R_MISSING_RSA_ENCRYPTING_CERT); goto f_err; } - if ((alg_k & SSL_kEDH) && + if ((alg_k & SSL_kDHE) && !(has_bits(i, EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DH_KEY); diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c index f94e207fc4e..decdda90a3d 100644 --- a/lib/libssl/s3_lib.c +++ b/lib/libssl/s3_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_lib.c,v 1.69 2014/07/11 09:24:44 beck Exp $ */ +/* $OpenBSD: s3_lib.c,v 1.70 2014/07/12 22:33:39 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -433,7 +433,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 0, /* Weakened 40-bit export cipher. */ .name = SSL3_TXT_EDH_DSS_DES_40_CBC_SHA, .id = SSL3_CK_EDH_DSS_DES_40_CBC_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aDSS, .algorithm_enc = SSL_DES, .algorithm_mac = SSL_SHA1, @@ -449,7 +449,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = SSL3_TXT_EDH_DSS_DES_64_CBC_SHA, .id = SSL3_CK_EDH_DSS_DES_64_CBC_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aDSS, .algorithm_enc = SSL_DES, .algorithm_mac = SSL_SHA1, @@ -465,7 +465,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA, .id = SSL3_CK_EDH_DSS_DES_192_CBC3_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aDSS, .algorithm_enc = SSL_3DES, .algorithm_mac = SSL_SHA1, @@ -481,7 +481,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 0, /* Weakened 40-bit export cipher. */ .name = SSL3_TXT_EDH_RSA_DES_40_CBC_SHA, .id = SSL3_CK_EDH_RSA_DES_40_CBC_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_DES, .algorithm_mac = SSL_SHA1, @@ -497,7 +497,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = SSL3_TXT_EDH_RSA_DES_64_CBC_SHA, .id = SSL3_CK_EDH_RSA_DES_64_CBC_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_DES, .algorithm_mac = SSL_SHA1, @@ -513,7 +513,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, .id = SSL3_CK_EDH_RSA_DES_192_CBC3_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_3DES, .algorithm_mac = SSL_SHA1, @@ -529,7 +529,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 0, /* Weakened 40-bit export cipher. */ .name = SSL3_TXT_ADH_RC4_40_MD5, .id = SSL3_CK_ADH_RC4_40_MD5, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_RC4, .algorithm_mac = SSL_MD5, @@ -545,7 +545,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = SSL3_TXT_ADH_RC4_128_MD5, .id = SSL3_CK_ADH_RC4_128_MD5, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_RC4, .algorithm_mac = SSL_MD5, @@ -561,7 +561,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 0, /* Weakened 40-bit export cipher. */ .name = SSL3_TXT_ADH_DES_40_CBC_SHA, .id = SSL3_CK_ADH_DES_40_CBC_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_DES, .algorithm_mac = SSL_SHA1, @@ -577,7 +577,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = SSL3_TXT_ADH_DES_64_CBC_SHA, .id = SSL3_CK_ADH_DES_64_CBC_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_DES, .algorithm_mac = SSL_SHA1, @@ -593,7 +593,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = SSL3_TXT_ADH_DES_192_CBC_SHA, .id = SSL3_CK_ADH_DES_192_CBC_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_3DES, .algorithm_mac = SSL_SHA1, @@ -655,7 +655,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_DHE_DSS_WITH_AES_128_SHA, .id = TLS1_CK_DHE_DSS_WITH_AES_128_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aDSS, .algorithm_enc = SSL_AES128, .algorithm_mac = SSL_SHA1, @@ -670,7 +670,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES128, .algorithm_mac = SSL_SHA1, @@ -685,7 +685,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ADH_WITH_AES_128_SHA, .id = TLS1_CK_ADH_WITH_AES_128_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_AES128, .algorithm_mac = SSL_SHA1, @@ -748,7 +748,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_DHE_DSS_WITH_AES_256_SHA, .id = TLS1_CK_DHE_DSS_WITH_AES_256_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aDSS, .algorithm_enc = SSL_AES256, .algorithm_mac = SSL_SHA1, @@ -764,7 +764,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES256, .algorithm_mac = SSL_SHA1, @@ -780,7 +780,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ADH_WITH_AES_256_SHA, .id = TLS1_CK_ADH_WITH_AES_256_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_AES256, .algorithm_mac = SSL_SHA1, @@ -877,7 +877,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_DHE_DSS_WITH_AES_128_SHA256, .id = TLS1_CK_DHE_DSS_WITH_AES_128_SHA256, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aDSS, .algorithm_enc = SSL_AES128, .algorithm_mac = SSL_SHA256, @@ -944,7 +944,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, .id = TLS1_CK_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aDSS, .algorithm_enc = SSL_CAMELLIA128, .algorithm_mac = SSL_SHA1, @@ -960,7 +960,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_CAMELLIA128, .algorithm_mac = SSL_SHA1, @@ -976,7 +976,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA, .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_CAMELLIA128, .algorithm_mac = SSL_SHA1, @@ -994,7 +994,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256, .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA256, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES128, .algorithm_mac = SSL_SHA256, @@ -1042,7 +1042,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_DHE_DSS_WITH_AES_256_SHA256, .id = TLS1_CK_DHE_DSS_WITH_AES_256_SHA256, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aDSS, .algorithm_enc = SSL_AES256, .algorithm_mac = SSL_SHA256, @@ -1058,7 +1058,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256, .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA256, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES256, .algorithm_mac = SSL_SHA256, @@ -1074,7 +1074,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ADH_WITH_AES_128_SHA256, .id = TLS1_CK_ADH_WITH_AES_128_SHA256, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_AES128, .algorithm_mac = SSL_SHA256, @@ -1090,7 +1090,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ADH_WITH_AES_256_SHA256, .id = TLS1_CK_ADH_WITH_AES_256_SHA256, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_AES256, .algorithm_mac = SSL_SHA256, @@ -1218,7 +1218,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, .id = TLS1_CK_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aDSS, .algorithm_enc = SSL_CAMELLIA256, .algorithm_mac = SSL_SHA1, @@ -1234,7 +1234,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_CAMELLIA256, .algorithm_mac = SSL_SHA1, @@ -1250,7 +1250,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA, .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_CAMELLIA256, .algorithm_mac = SSL_SHA1, @@ -1306,7 +1306,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256, .id = TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES128GCM, .algorithm_mac = SSL_AEAD, @@ -1324,7 +1324,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384, .id = TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES256GCM, .algorithm_mac = SSL_AEAD, @@ -1378,7 +1378,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_DHE_DSS_WITH_AES_128_GCM_SHA256, .id = TLS1_CK_DHE_DSS_WITH_AES_128_GCM_SHA256, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aDSS, .algorithm_enc = SSL_AES128GCM, .algorithm_mac = SSL_AEAD, @@ -1396,7 +1396,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_DHE_DSS_WITH_AES_256_GCM_SHA384, .id = TLS1_CK_DHE_DSS_WITH_AES_256_GCM_SHA384, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aDSS, .algorithm_enc = SSL_AES256GCM, .algorithm_mac = SSL_AEAD, @@ -1450,7 +1450,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256, .id = TLS1_CK_ADH_WITH_AES_128_GCM_SHA256, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_AES128GCM, .algorithm_mac = SSL_AEAD, @@ -1468,7 +1468,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384, .id = TLS1_CK_ADH_WITH_AES_256_GCM_SHA384, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_AES256GCM, .algorithm_mac = SSL_AEAD, @@ -1566,7 +1566,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA, .id = TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aECDSA, .algorithm_enc = SSL_eNULL, .algorithm_mac = SSL_SHA1, @@ -1582,7 +1582,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA, .id = TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aECDSA, .algorithm_enc = SSL_RC4, .algorithm_mac = SSL_SHA1, @@ -1598,7 +1598,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, .id = TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aECDSA, .algorithm_enc = SSL_3DES, .algorithm_mac = SSL_SHA1, @@ -1614,7 +1614,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aECDSA, .algorithm_enc = SSL_AES128, .algorithm_mac = SSL_SHA1, @@ -1630,7 +1630,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aECDSA, .algorithm_enc = SSL_AES256, .algorithm_mac = SSL_SHA1, @@ -1726,7 +1726,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA, .id = TLS1_CK_ECDHE_RSA_WITH_NULL_SHA, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_eNULL, .algorithm_mac = SSL_SHA1, @@ -1742,7 +1742,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA, .id = TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_RC4, .algorithm_mac = SSL_SHA1, @@ -1758,7 +1758,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA, .id = TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_3DES, .algorithm_mac = SSL_SHA1, @@ -1774,7 +1774,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA, .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES128, .algorithm_mac = SSL_SHA1, @@ -1790,7 +1790,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA, .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES256, .algorithm_mac = SSL_SHA1, @@ -1806,7 +1806,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDH_anon_WITH_NULL_SHA, .id = TLS1_CK_ECDH_anon_WITH_NULL_SHA, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_eNULL, .algorithm_mac = SSL_SHA1, @@ -1822,7 +1822,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA, .id = TLS1_CK_ECDH_anon_WITH_RC4_128_SHA, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_RC4, .algorithm_mac = SSL_SHA1, @@ -1838,7 +1838,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA, .id = TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_3DES, .algorithm_mac = SSL_SHA1, @@ -1854,7 +1854,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA, .id = TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_AES128, .algorithm_mac = SSL_SHA1, @@ -1870,7 +1870,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA, .id = TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_AES256, .algorithm_mac = SSL_SHA1, @@ -1889,7 +1889,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256, .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aECDSA, .algorithm_enc = SSL_AES128, .algorithm_mac = SSL_SHA256, @@ -1905,7 +1905,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384, .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aECDSA, .algorithm_enc = SSL_AES256, .algorithm_mac = SSL_SHA384, @@ -1953,7 +1953,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256, .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES128, .algorithm_mac = SSL_SHA256, @@ -1969,7 +1969,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384, .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES256, .algorithm_mac = SSL_SHA384, @@ -2019,7 +2019,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aECDSA, .algorithm_enc = SSL_AES128GCM, .algorithm_mac = SSL_AEAD, @@ -2037,7 +2037,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aECDSA, .algorithm_enc = SSL_AES256GCM, .algorithm_mac = SSL_AEAD, @@ -2091,7 +2091,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256, .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES128GCM, .algorithm_mac = SSL_AEAD, @@ -2109,7 +2109,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384, .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES256GCM, .algorithm_mac = SSL_AEAD, @@ -2224,7 +2224,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305, .id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_CHACHA20POLY1305, .algorithm_mac = SSL_AEAD, @@ -2240,7 +2240,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, .id = TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aECDSA, .algorithm_enc = SSL_CHACHA20POLY1305, .algorithm_mac = SSL_AEAD, @@ -2256,7 +2256,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305, .id = TLS1_CK_DHE_RSA_CHACHA20_POLY1305, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_CHACHA20POLY1305, .algorithm_mac = SSL_AEAD, @@ -3069,7 +3069,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, * if we are considering an ECC cipher suite that uses an * ephemeral EC key */ - (alg_k & SSL_kEECDH) + (alg_k & SSL_kECDHE) /* and we have an ephemeral EC key */ && (s->cert->ecdh_tmp != NULL) /* and the client specified an EllipticCurves extension */ @@ -3108,7 +3108,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, continue; ii = sk_SSL_CIPHER_find(allow, c); if (ii >= 0) { - if ((alg_k & SSL_kEECDH) && + if ((alg_k & SSL_kECDHE) && (alg_a & SSL_aECDSA) && s->s3->is_probably_safari) { if (!ret) ret = sk_SSL_CIPHER_value(allow, ii); @@ -3139,12 +3139,12 @@ ssl3_get_req_cert_type(SSL *s, unsigned char *p) } #endif - if (alg_k & (SSL_kDHr|SSL_kEDH)) { + if (alg_k & (SSL_kDHr|SSL_kDHE)) { p[ret++] = SSL3_CT_RSA_FIXED_DH; p[ret++] = SSL3_CT_DSS_FIXED_DH; } if ((s->version == SSL3_VERSION) && - (alg_k & (SSL_kEDH|SSL_kDHd|SSL_kDHr))) { + (alg_k & (SSL_kDHE|SSL_kDHd|SSL_kDHr))) { p[ret++] = SSL3_CT_RSA_EPHEMERAL_DH; p[ret++] = SSL3_CT_DSS_EPHEMERAL_DH; } @@ -3157,7 +3157,7 @@ ssl3_get_req_cert_type(SSL *s, unsigned char *p) /* * ECDSA certs can be used with RSA cipher suites as well - * so we don't need to check for SSL_kECDH or SSL_kEECDH + * so we don't need to check for SSL_kECDH or SSL_kECDHE */ if (s->version >= TLS1_VERSION) { p[ret++] = TLS_CT_ECDSA_SIGN; diff --git a/lib/libssl/s3_srvr.c b/lib/libssl/s3_srvr.c index e0a7d78995e..8d47a16b559 100644 --- a/lib/libssl/s3_srvr.c +++ b/lib/libssl/s3_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_srvr.c,v 1.77 2014/07/12 13:11:53 jsing Exp $ */ +/* $OpenBSD: s3_srvr.c,v 1.78 2014/07/12 22:33:39 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -422,8 +422,8 @@ ssl3_accept(SSL *s) * public key for key exchange. */ if (s->s3->tmp.use_rsa_tmp || - (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH)) || - (alg_k & SSL_kEECDH) || + (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kDHE)) || + (alg_k & SSL_kECDHE) || ((alg_k & SSL_kRSA) && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL))) { @@ -1416,7 +1416,7 @@ ssl3_send_server_key_exchange(SSL *s) r[1] = rsa->e; s->s3->tmp.use_rsa_tmp = 1; } else - if (type & SSL_kEDH) { + if (type & SSL_kDHE) { dhp = cert->dh_tmp; if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) dhp = s->cert->dh_tmp_cb(s, 0, 0); @@ -1463,7 +1463,7 @@ ssl3_send_server_key_exchange(SSL *s) r[1] = dh->g; r[2] = dh->pub_key; } else - if (type & SSL_kEECDH) { + if (type & SSL_kECDHE) { const EC_GROUP *group; ecdhp = cert->ecdh_tmp; @@ -1614,7 +1614,7 @@ ssl3_send_server_key_exchange(SSL *s) p += nr[i]; } - if (type & SSL_kEECDH) { + if (type & SSL_kECDHE) { /* * XXX: For now, we only support named (not generic) * curves. @@ -1968,7 +1968,7 @@ ssl3_get_client_key_exchange(SSL *s) p, i); OPENSSL_cleanse(p, i); } else - if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { + if (alg_k & (SSL_kDHE|SSL_kDHr|SSL_kDHd)) { if (2 > n) goto truncated; n2s(p, i); @@ -2026,7 +2026,7 @@ ssl3_get_client_key_exchange(SSL *s) OPENSSL_cleanse(p, i); } else - if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) { + if (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) { int ret = 1; int field_size = 0; const EC_KEY *tkey; @@ -2072,7 +2072,7 @@ ssl3_get_client_key_exchange(SSL *s) if (n == 0L) { /* Client Publickey was in Client Certificate */ - if (alg_k & SSL_kEECDH) { + if (alg_k & SSL_kECDHE) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_MISSING_TMP_ECDH_KEY); diff --git a/lib/libssl/src/ssl/d1_clnt.c b/lib/libssl/src/ssl/d1_clnt.c index 004fd6e04f5..552667f6c13 100644 --- a/lib/libssl/src/ssl/d1_clnt.c +++ b/lib/libssl/src/ssl/d1_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_clnt.c,v 1.30 2014/07/12 13:11:53 jsing Exp $ */ +/* $OpenBSD: d1_clnt.c,v 1.31 2014/07/12 22:33:39 jsing Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -984,7 +984,7 @@ dtls1_send_client_key_exchange(SSL *s) s->session->master_key, tmp_buf, sizeof tmp_buf); OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); - } else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { + } else if (alg_k & (SSL_kDHE|SSL_kDHr|SSL_kDHd)) { DH *dh_srvr, *dh_clnt; if (s->session->sess_cert->peer_dh_tmp != NULL) @@ -1037,7 +1037,7 @@ dtls1_send_client_key_exchange(SSL *s) DH_free(dh_clnt); /* perhaps clean things up a bit EAY EAY EAY EAY*/ - } else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) { + } else if (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) { const EC_GROUP *srvr_group = NULL; EC_KEY *tkey; int ecdh_clnt_cert = 0; diff --git a/lib/libssl/src/ssl/d1_srvr.c b/lib/libssl/src/ssl/d1_srvr.c index a94b7ed61b1..ecf4a198b16 100644 --- a/lib/libssl/src/ssl/d1_srvr.c +++ b/lib/libssl/src/ssl/d1_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_srvr.c,v 1.32 2014/07/12 13:11:53 jsing Exp $ */ +/* $OpenBSD: d1_srvr.c,v 1.33 2014/07/12 22:33:39 jsing Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -464,8 +464,8 @@ dtls1_accept(SSL *s) /* only send if a DH key exchange or * RSA but we have a sign only certificate */ if (s->s3->tmp.use_rsa_tmp - || (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) - || (alg_k & SSL_kEECDH) + || (alg_k & (SSL_kDHE|SSL_kDHr|SSL_kDHd)) + || (alg_k & SSL_kECDHE) || ((alg_k & SSL_kRSA) && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL ) @@ -1052,7 +1052,7 @@ dtls1_send_server_key_exchange(SSL *s) r[1] = rsa->e; s->s3->tmp.use_rsa_tmp = 1; } else - if (type & SSL_kEDH) { + if (type & SSL_kDHE) { dhp = cert->dh_tmp; if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) dhp = s->cert->dh_tmp_cb(s, 0, 0); @@ -1094,7 +1094,7 @@ dtls1_send_server_key_exchange(SSL *s) r[1] = dh->g; r[2] = dh->pub_key; } else - if (type & SSL_kEECDH) { + if (type & SSL_kECDHE) { const EC_GROUP *group; ecdhp = cert->ecdh_tmp; @@ -1232,7 +1232,7 @@ dtls1_send_server_key_exchange(SSL *s) p += nr[i]; } - if (type & SSL_kEECDH) { + if (type & SSL_kECDHE) { /* XXX: For now, we only support named (not generic) curves. * In this situation, the serverKeyExchange message has: * [1 byte CurveType], [2 byte CurveName] diff --git a/lib/libssl/src/ssl/s3_clnt.c b/lib/libssl/src/ssl/s3_clnt.c index 252100f587d..b55b2e62c6a 100644 --- a/lib/libssl/src/ssl/s3_clnt.c +++ b/lib/libssl/src/ssl/s3_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_clnt.c,v 1.82 2014/07/12 22:17:59 jsg Exp $ */ +/* $OpenBSD: s3_clnt.c,v 1.83 2014/07/12 22:33:39 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1253,7 +1253,7 @@ ssl3_get_key_exchange(SSL *s) } s->session->sess_cert->peer_rsa_tmp = rsa; rsa = NULL; - } else if (alg_k & SSL_kEDH) { + } else if (alg_k & SSL_kDHE) { if ((dh = DH_new()) == NULL) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_DH_LIB); @@ -1328,7 +1328,7 @@ ssl3_get_key_exchange(SSL *s) SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER); goto f_err; - } else if (alg_k & SSL_kEECDH) { + } else if (alg_k & SSL_kECDHE) { EC_GROUP *ngroup; const EC_GROUP *group; @@ -1987,7 +1987,7 @@ ssl3_send_client_key_exchange(SSL *s) s->method->ssl3_enc->generate_master_secret( s, s->session->master_key, tmp_buf, sizeof tmp_buf); OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); - } else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { + } else if (alg_k & (SSL_kDHE|SSL_kDHr|SSL_kDHd)) { DH *dh_srvr, *dh_clnt; if (s->session->sess_cert == NULL) { @@ -2051,7 +2051,7 @@ ssl3_send_client_key_exchange(SSL *s) DH_free(dh_clnt); /* perhaps clean things up a bit EAY EAY EAY EAY*/ - } else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) { + } else if (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) { const EC_GROUP *srvr_group = NULL; EC_KEY *tkey; int ecdh_clnt_cert = 0; @@ -2640,7 +2640,7 @@ ssl3_check_cert_and_algorithm(SSL *s) SSL_R_MISSING_RSA_ENCRYPTING_CERT); goto f_err; } - if ((alg_k & SSL_kEDH) && + if ((alg_k & SSL_kDHE) && !(has_bits(i, EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DH_KEY); diff --git a/lib/libssl/src/ssl/s3_lib.c b/lib/libssl/src/ssl/s3_lib.c index f94e207fc4e..decdda90a3d 100644 --- a/lib/libssl/src/ssl/s3_lib.c +++ b/lib/libssl/src/ssl/s3_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_lib.c,v 1.69 2014/07/11 09:24:44 beck Exp $ */ +/* $OpenBSD: s3_lib.c,v 1.70 2014/07/12 22:33:39 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -433,7 +433,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 0, /* Weakened 40-bit export cipher. */ .name = SSL3_TXT_EDH_DSS_DES_40_CBC_SHA, .id = SSL3_CK_EDH_DSS_DES_40_CBC_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aDSS, .algorithm_enc = SSL_DES, .algorithm_mac = SSL_SHA1, @@ -449,7 +449,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = SSL3_TXT_EDH_DSS_DES_64_CBC_SHA, .id = SSL3_CK_EDH_DSS_DES_64_CBC_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aDSS, .algorithm_enc = SSL_DES, .algorithm_mac = SSL_SHA1, @@ -465,7 +465,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA, .id = SSL3_CK_EDH_DSS_DES_192_CBC3_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aDSS, .algorithm_enc = SSL_3DES, .algorithm_mac = SSL_SHA1, @@ -481,7 +481,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 0, /* Weakened 40-bit export cipher. */ .name = SSL3_TXT_EDH_RSA_DES_40_CBC_SHA, .id = SSL3_CK_EDH_RSA_DES_40_CBC_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_DES, .algorithm_mac = SSL_SHA1, @@ -497,7 +497,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = SSL3_TXT_EDH_RSA_DES_64_CBC_SHA, .id = SSL3_CK_EDH_RSA_DES_64_CBC_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_DES, .algorithm_mac = SSL_SHA1, @@ -513,7 +513,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, .id = SSL3_CK_EDH_RSA_DES_192_CBC3_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_3DES, .algorithm_mac = SSL_SHA1, @@ -529,7 +529,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 0, /* Weakened 40-bit export cipher. */ .name = SSL3_TXT_ADH_RC4_40_MD5, .id = SSL3_CK_ADH_RC4_40_MD5, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_RC4, .algorithm_mac = SSL_MD5, @@ -545,7 +545,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = SSL3_TXT_ADH_RC4_128_MD5, .id = SSL3_CK_ADH_RC4_128_MD5, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_RC4, .algorithm_mac = SSL_MD5, @@ -561,7 +561,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 0, /* Weakened 40-bit export cipher. */ .name = SSL3_TXT_ADH_DES_40_CBC_SHA, .id = SSL3_CK_ADH_DES_40_CBC_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_DES, .algorithm_mac = SSL_SHA1, @@ -577,7 +577,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = SSL3_TXT_ADH_DES_64_CBC_SHA, .id = SSL3_CK_ADH_DES_64_CBC_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_DES, .algorithm_mac = SSL_SHA1, @@ -593,7 +593,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = SSL3_TXT_ADH_DES_192_CBC_SHA, .id = SSL3_CK_ADH_DES_192_CBC_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_3DES, .algorithm_mac = SSL_SHA1, @@ -655,7 +655,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_DHE_DSS_WITH_AES_128_SHA, .id = TLS1_CK_DHE_DSS_WITH_AES_128_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aDSS, .algorithm_enc = SSL_AES128, .algorithm_mac = SSL_SHA1, @@ -670,7 +670,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES128, .algorithm_mac = SSL_SHA1, @@ -685,7 +685,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ADH_WITH_AES_128_SHA, .id = TLS1_CK_ADH_WITH_AES_128_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_AES128, .algorithm_mac = SSL_SHA1, @@ -748,7 +748,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_DHE_DSS_WITH_AES_256_SHA, .id = TLS1_CK_DHE_DSS_WITH_AES_256_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aDSS, .algorithm_enc = SSL_AES256, .algorithm_mac = SSL_SHA1, @@ -764,7 +764,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES256, .algorithm_mac = SSL_SHA1, @@ -780,7 +780,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ADH_WITH_AES_256_SHA, .id = TLS1_CK_ADH_WITH_AES_256_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_AES256, .algorithm_mac = SSL_SHA1, @@ -877,7 +877,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_DHE_DSS_WITH_AES_128_SHA256, .id = TLS1_CK_DHE_DSS_WITH_AES_128_SHA256, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aDSS, .algorithm_enc = SSL_AES128, .algorithm_mac = SSL_SHA256, @@ -944,7 +944,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, .id = TLS1_CK_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aDSS, .algorithm_enc = SSL_CAMELLIA128, .algorithm_mac = SSL_SHA1, @@ -960,7 +960,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_CAMELLIA128, .algorithm_mac = SSL_SHA1, @@ -976,7 +976,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA, .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_CAMELLIA128, .algorithm_mac = SSL_SHA1, @@ -994,7 +994,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256, .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA256, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES128, .algorithm_mac = SSL_SHA256, @@ -1042,7 +1042,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_DHE_DSS_WITH_AES_256_SHA256, .id = TLS1_CK_DHE_DSS_WITH_AES_256_SHA256, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aDSS, .algorithm_enc = SSL_AES256, .algorithm_mac = SSL_SHA256, @@ -1058,7 +1058,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256, .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA256, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES256, .algorithm_mac = SSL_SHA256, @@ -1074,7 +1074,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ADH_WITH_AES_128_SHA256, .id = TLS1_CK_ADH_WITH_AES_128_SHA256, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_AES128, .algorithm_mac = SSL_SHA256, @@ -1090,7 +1090,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ADH_WITH_AES_256_SHA256, .id = TLS1_CK_ADH_WITH_AES_256_SHA256, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_AES256, .algorithm_mac = SSL_SHA256, @@ -1218,7 +1218,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, .id = TLS1_CK_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aDSS, .algorithm_enc = SSL_CAMELLIA256, .algorithm_mac = SSL_SHA1, @@ -1234,7 +1234,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_CAMELLIA256, .algorithm_mac = SSL_SHA1, @@ -1250,7 +1250,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA, .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_CAMELLIA256, .algorithm_mac = SSL_SHA1, @@ -1306,7 +1306,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256, .id = TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES128GCM, .algorithm_mac = SSL_AEAD, @@ -1324,7 +1324,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384, .id = TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES256GCM, .algorithm_mac = SSL_AEAD, @@ -1378,7 +1378,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_DHE_DSS_WITH_AES_128_GCM_SHA256, .id = TLS1_CK_DHE_DSS_WITH_AES_128_GCM_SHA256, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aDSS, .algorithm_enc = SSL_AES128GCM, .algorithm_mac = SSL_AEAD, @@ -1396,7 +1396,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_DHE_DSS_WITH_AES_256_GCM_SHA384, .id = TLS1_CK_DHE_DSS_WITH_AES_256_GCM_SHA384, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aDSS, .algorithm_enc = SSL_AES256GCM, .algorithm_mac = SSL_AEAD, @@ -1450,7 +1450,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256, .id = TLS1_CK_ADH_WITH_AES_128_GCM_SHA256, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_AES128GCM, .algorithm_mac = SSL_AEAD, @@ -1468,7 +1468,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384, .id = TLS1_CK_ADH_WITH_AES_256_GCM_SHA384, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_AES256GCM, .algorithm_mac = SSL_AEAD, @@ -1566,7 +1566,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA, .id = TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aECDSA, .algorithm_enc = SSL_eNULL, .algorithm_mac = SSL_SHA1, @@ -1582,7 +1582,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA, .id = TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aECDSA, .algorithm_enc = SSL_RC4, .algorithm_mac = SSL_SHA1, @@ -1598,7 +1598,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, .id = TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aECDSA, .algorithm_enc = SSL_3DES, .algorithm_mac = SSL_SHA1, @@ -1614,7 +1614,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aECDSA, .algorithm_enc = SSL_AES128, .algorithm_mac = SSL_SHA1, @@ -1630,7 +1630,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aECDSA, .algorithm_enc = SSL_AES256, .algorithm_mac = SSL_SHA1, @@ -1726,7 +1726,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA, .id = TLS1_CK_ECDHE_RSA_WITH_NULL_SHA, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_eNULL, .algorithm_mac = SSL_SHA1, @@ -1742,7 +1742,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA, .id = TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_RC4, .algorithm_mac = SSL_SHA1, @@ -1758,7 +1758,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA, .id = TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_3DES, .algorithm_mac = SSL_SHA1, @@ -1774,7 +1774,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA, .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES128, .algorithm_mac = SSL_SHA1, @@ -1790,7 +1790,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA, .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES256, .algorithm_mac = SSL_SHA1, @@ -1806,7 +1806,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDH_anon_WITH_NULL_SHA, .id = TLS1_CK_ECDH_anon_WITH_NULL_SHA, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_eNULL, .algorithm_mac = SSL_SHA1, @@ -1822,7 +1822,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA, .id = TLS1_CK_ECDH_anon_WITH_RC4_128_SHA, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_RC4, .algorithm_mac = SSL_SHA1, @@ -1838,7 +1838,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA, .id = TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_3DES, .algorithm_mac = SSL_SHA1, @@ -1854,7 +1854,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA, .id = TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_AES128, .algorithm_mac = SSL_SHA1, @@ -1870,7 +1870,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA, .id = TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_AES256, .algorithm_mac = SSL_SHA1, @@ -1889,7 +1889,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256, .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aECDSA, .algorithm_enc = SSL_AES128, .algorithm_mac = SSL_SHA256, @@ -1905,7 +1905,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384, .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aECDSA, .algorithm_enc = SSL_AES256, .algorithm_mac = SSL_SHA384, @@ -1953,7 +1953,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256, .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES128, .algorithm_mac = SSL_SHA256, @@ -1969,7 +1969,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384, .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES256, .algorithm_mac = SSL_SHA384, @@ -2019,7 +2019,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aECDSA, .algorithm_enc = SSL_AES128GCM, .algorithm_mac = SSL_AEAD, @@ -2037,7 +2037,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aECDSA, .algorithm_enc = SSL_AES256GCM, .algorithm_mac = SSL_AEAD, @@ -2091,7 +2091,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256, .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES128GCM, .algorithm_mac = SSL_AEAD, @@ -2109,7 +2109,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384, .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES256GCM, .algorithm_mac = SSL_AEAD, @@ -2224,7 +2224,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305, .id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_CHACHA20POLY1305, .algorithm_mac = SSL_AEAD, @@ -2240,7 +2240,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, .id = TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aECDSA, .algorithm_enc = SSL_CHACHA20POLY1305, .algorithm_mac = SSL_AEAD, @@ -2256,7 +2256,7 @@ SSL_CIPHER ssl3_ciphers[] = { .valid = 1, .name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305, .id = TLS1_CK_DHE_RSA_CHACHA20_POLY1305, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_CHACHA20POLY1305, .algorithm_mac = SSL_AEAD, @@ -3069,7 +3069,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, * if we are considering an ECC cipher suite that uses an * ephemeral EC key */ - (alg_k & SSL_kEECDH) + (alg_k & SSL_kECDHE) /* and we have an ephemeral EC key */ && (s->cert->ecdh_tmp != NULL) /* and the client specified an EllipticCurves extension */ @@ -3108,7 +3108,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, continue; ii = sk_SSL_CIPHER_find(allow, c); if (ii >= 0) { - if ((alg_k & SSL_kEECDH) && + if ((alg_k & SSL_kECDHE) && (alg_a & SSL_aECDSA) && s->s3->is_probably_safari) { if (!ret) ret = sk_SSL_CIPHER_value(allow, ii); @@ -3139,12 +3139,12 @@ ssl3_get_req_cert_type(SSL *s, unsigned char *p) } #endif - if (alg_k & (SSL_kDHr|SSL_kEDH)) { + if (alg_k & (SSL_kDHr|SSL_kDHE)) { p[ret++] = SSL3_CT_RSA_FIXED_DH; p[ret++] = SSL3_CT_DSS_FIXED_DH; } if ((s->version == SSL3_VERSION) && - (alg_k & (SSL_kEDH|SSL_kDHd|SSL_kDHr))) { + (alg_k & (SSL_kDHE|SSL_kDHd|SSL_kDHr))) { p[ret++] = SSL3_CT_RSA_EPHEMERAL_DH; p[ret++] = SSL3_CT_DSS_EPHEMERAL_DH; } @@ -3157,7 +3157,7 @@ ssl3_get_req_cert_type(SSL *s, unsigned char *p) /* * ECDSA certs can be used with RSA cipher suites as well - * so we don't need to check for SSL_kECDH or SSL_kEECDH + * so we don't need to check for SSL_kECDH or SSL_kECDHE */ if (s->version >= TLS1_VERSION) { p[ret++] = TLS_CT_ECDSA_SIGN; diff --git a/lib/libssl/src/ssl/s3_srvr.c b/lib/libssl/src/ssl/s3_srvr.c index e0a7d78995e..8d47a16b559 100644 --- a/lib/libssl/src/ssl/s3_srvr.c +++ b/lib/libssl/src/ssl/s3_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_srvr.c,v 1.77 2014/07/12 13:11:53 jsing Exp $ */ +/* $OpenBSD: s3_srvr.c,v 1.78 2014/07/12 22:33:39 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -422,8 +422,8 @@ ssl3_accept(SSL *s) * public key for key exchange. */ if (s->s3->tmp.use_rsa_tmp || - (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH)) || - (alg_k & SSL_kEECDH) || + (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kDHE)) || + (alg_k & SSL_kECDHE) || ((alg_k & SSL_kRSA) && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL))) { @@ -1416,7 +1416,7 @@ ssl3_send_server_key_exchange(SSL *s) r[1] = rsa->e; s->s3->tmp.use_rsa_tmp = 1; } else - if (type & SSL_kEDH) { + if (type & SSL_kDHE) { dhp = cert->dh_tmp; if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) dhp = s->cert->dh_tmp_cb(s, 0, 0); @@ -1463,7 +1463,7 @@ ssl3_send_server_key_exchange(SSL *s) r[1] = dh->g; r[2] = dh->pub_key; } else - if (type & SSL_kEECDH) { + if (type & SSL_kECDHE) { const EC_GROUP *group; ecdhp = cert->ecdh_tmp; @@ -1614,7 +1614,7 @@ ssl3_send_server_key_exchange(SSL *s) p += nr[i]; } - if (type & SSL_kEECDH) { + if (type & SSL_kECDHE) { /* * XXX: For now, we only support named (not generic) * curves. @@ -1968,7 +1968,7 @@ ssl3_get_client_key_exchange(SSL *s) p, i); OPENSSL_cleanse(p, i); } else - if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { + if (alg_k & (SSL_kDHE|SSL_kDHr|SSL_kDHd)) { if (2 > n) goto truncated; n2s(p, i); @@ -2026,7 +2026,7 @@ ssl3_get_client_key_exchange(SSL *s) OPENSSL_cleanse(p, i); } else - if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) { + if (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) { int ret = 1; int field_size = 0; const EC_KEY *tkey; @@ -2072,7 +2072,7 @@ ssl3_get_client_key_exchange(SSL *s) if (n == 0L) { /* Client Publickey was in Client Certificate */ - if (alg_k & SSL_kEECDH) { + if (alg_k & SSL_kECDHE) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_MISSING_TMP_ECDH_KEY); diff --git a/lib/libssl/src/ssl/ssl_ciph.c b/lib/libssl/src/ssl/ssl_ciph.c index a2dec527ca1..70c91bf6007 100644 --- a/lib/libssl/src/ssl/ssl_ciph.c +++ b/lib/libssl/src/ssl/ssl_ciph.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_ciph.c,v 1.65 2014/07/12 13:11:53 jsing Exp $ */ +/* $OpenBSD: ssl_ciph.c,v 1.66 2014/07/12 22:33:39 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -233,7 +233,7 @@ static const SSL_CIPHER cipher_aliases[] = { */ { .name = SSL_TXT_CMPDEF, - .algorithm_mkey = SSL_kEDH|SSL_kEECDH, + .algorithm_mkey = SSL_kDHE|SSL_kECDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = ~SSL_eNULL, }, @@ -265,11 +265,11 @@ static const SSL_CIPHER cipher_aliases[] = { }, { .name = SSL_TXT_kEDH, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, }, { .name = SSL_TXT_DH, - .algorithm_mkey = SSL_kDHr|SSL_kDHd|SSL_kEDH, + .algorithm_mkey = SSL_kDHr|SSL_kDHd|SSL_kDHE, }, { @@ -286,11 +286,11 @@ static const SSL_CIPHER cipher_aliases[] = { }, { .name = SSL_TXT_kEECDH, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, }, { .name = SSL_TXT_ECDH, - .algorithm_mkey = SSL_kECDHr|SSL_kECDHe|SSL_kEECDH, + .algorithm_mkey = SSL_kECDHr|SSL_kECDHe|SSL_kECDHE, }, { @@ -348,12 +348,12 @@ static const SSL_CIPHER cipher_aliases[] = { /* aliases combining key exchange and server authentication */ { .name = SSL_TXT_EDH, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = ~SSL_aNULL, }, { .name = SSL_TXT_EECDH, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = ~SSL_aNULL, }, { @@ -367,12 +367,12 @@ static const SSL_CIPHER cipher_aliases[] = { }, { .name = SSL_TXT_ADH, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, }, { .name = SSL_TXT_AECDH, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aNULL, }, @@ -1451,8 +1451,8 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, /* Now arrange all ciphers by preference: */ /* Everything else being equal, prefer ephemeral ECDH over other key exchange mechanisms */ - ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail); - ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail); + ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail); + ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail); /* * CHACHA20 is fast and safe on all hardware and is thus our preferred @@ -1609,7 +1609,7 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_kDHd: kx = "DH/DSS"; break; - case SSL_kEDH: + case SSL_kDHE: kx = "DH"; break; case SSL_kECDHr: @@ -1618,7 +1618,7 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_kECDHe: kx = "ECDH/ECDSA"; break; - case SSL_kEECDH: + case SSL_kECDHE: kx = "ECDH"; break; default: diff --git a/lib/libssl/src/ssl/ssl_lib.c b/lib/libssl/src/ssl/ssl_lib.c index b563071cdad..6b62713bca5 100644 --- a/lib/libssl/src/ssl/ssl_lib.c +++ b/lib/libssl/src/ssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.77 2014/07/12 19:45:53 jsing Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.78 2014/07/12 22:33:39 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1973,7 +1973,7 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) mask_k|=SSL_kRSA; if (dh_tmp) - mask_k|=SSL_kEDH; + mask_k|=SSL_kDHE; if (dh_rsa) mask_k|=SSL_kDHr; @@ -2022,7 +2022,7 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) } if (have_ecdh_tmp) { - mask_k|=SSL_kEECDH; + mask_k|=SSL_kECDHE; } @@ -2108,10 +2108,10 @@ ssl_get_server_send_pkey(const SSL *s) if (alg_k & (SSL_kECDHr|SSL_kECDHe)) { /* - * We don't need to look at SSL_kEECDH + * We don't need to look at SSL_kECDHE * since no certificate is needed for * anon ECDH and for authenticated - * EECDH, the check for the auth + * ECDHE, the check for the auth * algorithm will set i correctly * NOTE: For ECDH-RSA, we need an ECC * not an RSA cert but for EECDH-RSA diff --git a/lib/libssl/src/ssl/ssl_locl.h b/lib/libssl/src/ssl/ssl_locl.h index 22ba8d926e5..34e6337856b 100644 --- a/lib/libssl/src/ssl/ssl_locl.h +++ b/lib/libssl/src/ssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.61 2014/07/12 19:45:53 jsing Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.62 2014/07/12 22:33:39 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -256,10 +256,10 @@ #define SSL_kRSA 0x00000001L /* RSA key exchange */ #define SSL_kDHr 0x00000002L /* DH cert, RSA CA cert */ /* no such ciphersuites supported! */ #define SSL_kDHd 0x00000004L /* DH cert, DSA CA cert */ /* no such ciphersuite supported! */ -#define SSL_kEDH 0x00000008L /* tmp DH key no DH cert */ +#define SSL_kDHE 0x00000008L /* tmp DH key no DH cert */ #define SSL_kECDHr 0x00000020L /* ECDH cert, RSA CA cert */ #define SSL_kECDHe 0x00000040L /* ECDH cert, ECDSA CA cert */ -#define SSL_kEECDH 0x00000080L /* ephemeral ECDH */ +#define SSL_kECDHE 0x00000080L /* ephemeral ECDH */ #define SSL_kGOST 0x00000200L /* GOST key exchange */ /* Bits for algorithm_auth (server authentication) */ @@ -397,7 +397,7 @@ /* SSL_kRSA <- RSA_ENC | (RSA_TMP & RSA_SIGN) | * <- (EXPORT & (RSA_ENC | RSA_TMP) & RSA_SIGN) * SSL_kDH <- DH_ENC & (RSA_ENC | RSA_SIGN | DSA_SIGN) - * SSL_kEDH <- RSA_ENC | RSA_SIGN | DSA_SIGN + * SSL_kDHE <- RSA_ENC | RSA_SIGN | DSA_SIGN * SSL_aRSA <- RSA_ENC | RSA_SIGN * SSL_aDSS <- DSA_SIGN */ diff --git a/lib/libssl/src/ssl/t1_lib.c b/lib/libssl/src/ssl/t1_lib.c index 03af6e29efa..46b47a95b7b 100644 --- a/lib/libssl/src/ssl/t1_lib.c +++ b/lib/libssl/src/ssl/t1_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t1_lib.c,v 1.49 2014/07/09 11:10:51 bcook Exp $ */ +/* $OpenBSD: t1_lib.c,v 1.50 2014/07/12 22:33:39 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1477,7 +1477,7 @@ ssl_prepare_clienthello_tlsext(SSL *s) alg_k = c->algorithm_mkey; alg_a = c->algorithm_auth; - if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || + if ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA))) { using_ecc = 1; break; @@ -1524,7 +1524,7 @@ ssl_prepare_serverhello_tlsext(SSL *s) unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; - int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA); + int using_ecc = (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA); using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL); if (using_ecc) { @@ -1650,7 +1650,7 @@ ssl_check_serverhello_tlsext(SSL *s) (s->tlsext_ecpointformatlist_length > 0) && (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && - ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) { + ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) { /* we are using an ECC cipher */ size_t i; unsigned char *list; diff --git a/lib/libssl/ssl_ciph.c b/lib/libssl/ssl_ciph.c index a2dec527ca1..70c91bf6007 100644 --- a/lib/libssl/ssl_ciph.c +++ b/lib/libssl/ssl_ciph.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_ciph.c,v 1.65 2014/07/12 13:11:53 jsing Exp $ */ +/* $OpenBSD: ssl_ciph.c,v 1.66 2014/07/12 22:33:39 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -233,7 +233,7 @@ static const SSL_CIPHER cipher_aliases[] = { */ { .name = SSL_TXT_CMPDEF, - .algorithm_mkey = SSL_kEDH|SSL_kEECDH, + .algorithm_mkey = SSL_kDHE|SSL_kECDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = ~SSL_eNULL, }, @@ -265,11 +265,11 @@ static const SSL_CIPHER cipher_aliases[] = { }, { .name = SSL_TXT_kEDH, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, }, { .name = SSL_TXT_DH, - .algorithm_mkey = SSL_kDHr|SSL_kDHd|SSL_kEDH, + .algorithm_mkey = SSL_kDHr|SSL_kDHd|SSL_kDHE, }, { @@ -286,11 +286,11 @@ static const SSL_CIPHER cipher_aliases[] = { }, { .name = SSL_TXT_kEECDH, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, }, { .name = SSL_TXT_ECDH, - .algorithm_mkey = SSL_kECDHr|SSL_kECDHe|SSL_kEECDH, + .algorithm_mkey = SSL_kECDHr|SSL_kECDHe|SSL_kECDHE, }, { @@ -348,12 +348,12 @@ static const SSL_CIPHER cipher_aliases[] = { /* aliases combining key exchange and server authentication */ { .name = SSL_TXT_EDH, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = ~SSL_aNULL, }, { .name = SSL_TXT_EECDH, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = ~SSL_aNULL, }, { @@ -367,12 +367,12 @@ static const SSL_CIPHER cipher_aliases[] = { }, { .name = SSL_TXT_ADH, - .algorithm_mkey = SSL_kEDH, + .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, }, { .name = SSL_TXT_AECDH, - .algorithm_mkey = SSL_kEECDH, + .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aNULL, }, @@ -1451,8 +1451,8 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, /* Now arrange all ciphers by preference: */ /* Everything else being equal, prefer ephemeral ECDH over other key exchange mechanisms */ - ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail); - ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail); + ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail); + ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail); /* * CHACHA20 is fast and safe on all hardware and is thus our preferred @@ -1609,7 +1609,7 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_kDHd: kx = "DH/DSS"; break; - case SSL_kEDH: + case SSL_kDHE: kx = "DH"; break; case SSL_kECDHr: @@ -1618,7 +1618,7 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_kECDHe: kx = "ECDH/ECDSA"; break; - case SSL_kEECDH: + case SSL_kECDHE: kx = "ECDH"; break; default: diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c index b563071cdad..6b62713bca5 100644 --- a/lib/libssl/ssl_lib.c +++ b/lib/libssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.77 2014/07/12 19:45:53 jsing Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.78 2014/07/12 22:33:39 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1973,7 +1973,7 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) mask_k|=SSL_kRSA; if (dh_tmp) - mask_k|=SSL_kEDH; + mask_k|=SSL_kDHE; if (dh_rsa) mask_k|=SSL_kDHr; @@ -2022,7 +2022,7 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) } if (have_ecdh_tmp) { - mask_k|=SSL_kEECDH; + mask_k|=SSL_kECDHE; } @@ -2108,10 +2108,10 @@ ssl_get_server_send_pkey(const SSL *s) if (alg_k & (SSL_kECDHr|SSL_kECDHe)) { /* - * We don't need to look at SSL_kEECDH + * We don't need to look at SSL_kECDHE * since no certificate is needed for * anon ECDH and for authenticated - * EECDH, the check for the auth + * ECDHE, the check for the auth * algorithm will set i correctly * NOTE: For ECDH-RSA, we need an ECC * not an RSA cert but for EECDH-RSA diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h index 22ba8d926e5..34e6337856b 100644 --- a/lib/libssl/ssl_locl.h +++ b/lib/libssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.61 2014/07/12 19:45:53 jsing Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.62 2014/07/12 22:33:39 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -256,10 +256,10 @@ #define SSL_kRSA 0x00000001L /* RSA key exchange */ #define SSL_kDHr 0x00000002L /* DH cert, RSA CA cert */ /* no such ciphersuites supported! */ #define SSL_kDHd 0x00000004L /* DH cert, DSA CA cert */ /* no such ciphersuite supported! */ -#define SSL_kEDH 0x00000008L /* tmp DH key no DH cert */ +#define SSL_kDHE 0x00000008L /* tmp DH key no DH cert */ #define SSL_kECDHr 0x00000020L /* ECDH cert, RSA CA cert */ #define SSL_kECDHe 0x00000040L /* ECDH cert, ECDSA CA cert */ -#define SSL_kEECDH 0x00000080L /* ephemeral ECDH */ +#define SSL_kECDHE 0x00000080L /* ephemeral ECDH */ #define SSL_kGOST 0x00000200L /* GOST key exchange */ /* Bits for algorithm_auth (server authentication) */ @@ -397,7 +397,7 @@ /* SSL_kRSA <- RSA_ENC | (RSA_TMP & RSA_SIGN) | * <- (EXPORT & (RSA_ENC | RSA_TMP) & RSA_SIGN) * SSL_kDH <- DH_ENC & (RSA_ENC | RSA_SIGN | DSA_SIGN) - * SSL_kEDH <- RSA_ENC | RSA_SIGN | DSA_SIGN + * SSL_kDHE <- RSA_ENC | RSA_SIGN | DSA_SIGN * SSL_aRSA <- RSA_ENC | RSA_SIGN * SSL_aDSS <- DSA_SIGN */ diff --git a/lib/libssl/t1_lib.c b/lib/libssl/t1_lib.c index 03af6e29efa..46b47a95b7b 100644 --- a/lib/libssl/t1_lib.c +++ b/lib/libssl/t1_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t1_lib.c,v 1.49 2014/07/09 11:10:51 bcook Exp $ */ +/* $OpenBSD: t1_lib.c,v 1.50 2014/07/12 22:33:39 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1477,7 +1477,7 @@ ssl_prepare_clienthello_tlsext(SSL *s) alg_k = c->algorithm_mkey; alg_a = c->algorithm_auth; - if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || + if ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA))) { using_ecc = 1; break; @@ -1524,7 +1524,7 @@ ssl_prepare_serverhello_tlsext(SSL *s) unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; - int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA); + int using_ecc = (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA); using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL); if (using_ecc) { @@ -1650,7 +1650,7 @@ ssl_check_serverhello_tlsext(SSL *s) (s->tlsext_ecpointformatlist_length > 0) && (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && - ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) { + ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) { /* we are using an ECC cipher */ size_t i; unsigned char *list;