use SSL_kECDHE throughout instead of SSL_kEECDH

			    || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)

#endif

			    || (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd))

			    || (alg_k & SSL_kEECDH)

			    || (alg_k & SSL_kECDHE)

			    || ((alg_k & SSL_kRSA)

				&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL

				    || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)

#endif /* !OPENSSL_NO_DH */

#ifndef OPENSSL_NO_ECDH

	else if (alg_k & SSL_kEECDH)

	else if (alg_k & SSL_kECDHE)

		{

		EC_GROUP *ngroup;

		const EC_GROUP *group;

#endif

#ifndef OPENSSL_NO_ECDH 

		else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe))

		else if (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe))

			{

			const EC_GROUP *srvr_group = NULL;

			EC_KEY *tkey;

	1,

	TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA,

	TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA,

	SSL_kEECDH,

	SSL_kECDHE,

	SSL_aECDSA,

	SSL_eNULL,

	SSL_SHA1,

	1,

	TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,

	TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA,

	SSL_kEECDH,

	SSL_kECDHE,

	SSL_aECDSA,

	SSL_RC4,

	SSL_SHA1,

	1,

	TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,

	TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,

	SSL_kEECDH,

	SSL_kECDHE,

	SSL_aECDSA,

	SSL_3DES,

	SSL_SHA1,

	1,

	TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,

	TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,

	SSL_kEECDH,

	SSL_kECDHE,

	SSL_aECDSA,

	SSL_AES128,

	SSL_SHA1,

	1,

	TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,

	TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,

	SSL_kEECDH,

	SSL_kECDHE,

	SSL_aECDSA,

	SSL_AES256,

	SSL_SHA1,

	1,

	TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA,

	TLS1_CK_ECDHE_RSA_WITH_NULL_SHA,

	SSL_kEECDH,

	SSL_kECDHE,

	SSL_aRSA,

	SSL_eNULL,

	SSL_SHA1,

	1,

	TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA,

	TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA,

	SSL_kEECDH,

	SSL_kECDHE,

	SSL_aRSA,

	SSL_RC4,

	SSL_SHA1,

	1,

	TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA,

	TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA,

	SSL_kEECDH,

	SSL_kECDHE,

	SSL_aRSA,

	SSL_3DES,

	SSL_SHA1,

	1,

	TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,

	TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,

	SSL_kEECDH,

	SSL_kECDHE,

	SSL_aRSA,

	SSL_AES128,

	SSL_SHA1,

	1,

	TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,

	TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,

	SSL_kEECDH,

	SSL_kECDHE,

	SSL_aRSA,

	SSL_AES256,

	SSL_SHA1,

	1,

	TLS1_TXT_ECDH_anon_WITH_NULL_SHA,

	TLS1_CK_ECDH_anon_WITH_NULL_SHA,

	SSL_kEECDH,

	SSL_kECDHE,

	SSL_aNULL,

	SSL_eNULL,

	SSL_SHA1,

	1,

	TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA,

	TLS1_CK_ECDH_anon_WITH_RC4_128_SHA,

	SSL_kEECDH,

	SSL_kECDHE,

	SSL_aNULL,

	SSL_RC4,

	SSL_SHA1,

	1,

	TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA,

	TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA,

	SSL_kEECDH,

	SSL_kECDHE,

	SSL_aNULL,

	SSL_3DES,

	SSL_SHA1,

	1,

	TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA,

	TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA,

	SSL_kEECDH,

	SSL_kECDHE,

	SSL_aNULL,

	SSL_AES128,

	SSL_SHA1,

	1,

	TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA,

	TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA,

	SSL_kEECDH,

	SSL_kECDHE,

	SSL_aNULL,

	SSL_AES256,

	SSL_SHA1,

	1,

	TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,

	TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,

	SSL_kEECDH,

	SSL_kECDHE,

	SSL_aECDSA,

	SSL_AES128,

	SSL_SHA256,

	1,

	TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,

	TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,

	SSL_kEECDH,

	SSL_kECDHE,

	SSL_aECDSA,

	SSL_AES256,

	SSL_SHA384,

	1,

	TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256,

	TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,

	SSL_kEECDH,

	SSL_kECDHE,

	SSL_aRSA,

	SSL_AES128,

	SSL_SHA256,

	1,

	TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,

	TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,

	SSL_kEECDH,

	SSL_kECDHE,

	SSL_aRSA,

	SSL_AES256,

	SSL_SHA384,

	1,

	TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,

	TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,

	SSL_kEECDH,

	SSL_kECDHE,

	SSL_aECDSA,

	SSL_AES128GCM,

	SSL_AEAD,

	1,

	TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,

	TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,

	SSL_kEECDH,

	SSL_kECDHE,

	SSL_aECDSA,

	SSL_AES256GCM,

	SSL_AEAD,

	1,

	TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,

	TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,

	SSL_kEECDH,

	SSL_kECDHE,

	SSL_aRSA,

	SSL_AES128GCM,

	SSL_AEAD,

	1,

	TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,

	TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,

	SSL_kEECDH,

	SSL_kECDHE,

	SSL_aRSA,

	SSL_AES256GCM,

	SSL_AEAD,

#ifndef OPENSSL_NO_EC

		/* if we are considering an ECC cipher suite that uses

		 * an ephemeral EC key check it */

		if (alg_k & SSL_kEECDH)

		if (alg_k & SSL_kECDHE)

			ok = ok && tls1_check_ec_tmp_key(s, c->id);

#endif /* OPENSSL_NO_EC */

#endif /* OPENSSL_NO_TLSEXT */

		if (ii >= 0)

			{

#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_TLSEXT)

			if ((alg_k & SSL_kEECDH) && (alg_a & SSL_aECDSA) && s->s3->is_probably_safari)

			if ((alg_k & SSL_kECDHE) && (alg_a & SSL_aECDSA) && s->s3->is_probably_safari)

				{

				if (!ret) ret=sk_SSL_CIPHER_value(allow,ii);

				continue;

#ifndef OPENSSL_NO_ECDSA

	/* ECDSA certs can be used with RSA cipher suites as well 

	 * so we don't need to check for SSL_kECDH or SSL_kEECDH

	 * so we don't need to check for SSL_kECDH or SSL_kECDHE

	 */

	if (s->version >= TLS1_VERSION)

		{

			    || (alg_k & SSL_kSRP)

#endif

			    || (alg_k & SSL_kEDH)

			    || (alg_k & SSL_kEECDH)

			    || (alg_k & SSL_kECDHE)

			    || ((alg_k & SSL_kRSA)

				&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL

				    || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)

		/* check whether we should disable session resumption */

		if (s->not_resumable_session_cb != NULL)

			s->session->not_resumable=s->not_resumable_session_cb(s,

				((c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH)) != 0));

				((c->algorithm_mkey & (SSL_kEDH | SSL_kECDHE)) != 0));

		if (s->session->not_resumable)

			/* do not send a session ticket */

			s->tlsext_ticket_expected = 0;

		else 

#endif

#ifndef OPENSSL_NO_ECDH

			if (type & SSL_kEECDH)

			if (type & SSL_kECDHE)

			{

			const EC_GROUP *group;

			}

#ifndef OPENSSL_NO_ECDH

		if (type & SSL_kEECDH) 

		if (type & SSL_kECDHE) 

			{

			/* XXX: For now, we only support named (not generic) curves.

			 * In this situation, the serverKeyExchange message has:

#endif	/* OPENSSL_NO_KRB5 */

#ifndef OPENSSL_NO_ECDH

		if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe))

		if (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe))

		{

		int ret = 1;

		int field_size = 0;

			{

			/* Client Publickey was in Client Certificate */

			 if (alg_k & SSL_kEECDH)

			 if (alg_k & SSL_kECDHE)

				 {

				 al=SSL_AD_HANDSHAKE_FAILURE;

				 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY);

	{0,SSL_TXT_CMPALL,0,  0,0,SSL_eNULL,0,0,0,0,0,0},

	/* "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in ALL!) */

	{0,SSL_TXT_CMPDEF,0,  SSL_kEDH|SSL_kEECDH,SSL_aNULL,~SSL_eNULL,0,0,0,0,0,0},

	{0,SSL_TXT_CMPDEF,0,  SSL_kEDH|SSL_kECDHE,SSL_aNULL,~SSL_eNULL,0,0,0,0,0,0},

	/* key exchange aliases

	 * (some of those using only a single bit here combine

	{0,SSL_TXT_kECDHr,0,  SSL_kECDHr,0,0,0,0,0,0,0,0},

	{0,SSL_TXT_kECDHe,0,  SSL_kECDHe,0,0,0,0,0,0,0,0},

	{0,SSL_TXT_kECDH,0,   SSL_kECDHr|SSL_kECDHe,0,0,0,0,0,0,0,0},

	{0,SSL_TXT_kEECDH,0,  SSL_kEECDH,0,0,0,0,0,0,0,0},

	{0,SSL_TXT_kECDHE,0,  SSL_kEECDH,0,0,0,0,0,0,0,0},

	{0,SSL_TXT_ECDH,0,    SSL_kECDHr|SSL_kECDHe|SSL_kEECDH,0,0,0,0,0,0,0,0},

	{0,SSL_TXT_kEECDH,0,  SSL_kECDHE,0,0,0,0,0,0,0,0},

	{0,SSL_TXT_kECDHE,0,  SSL_kECDHE,0,0,0,0,0,0,0,0},

	{0,SSL_TXT_ECDH,0,    SSL_kECDHr|SSL_kECDHe|SSL_kECDHE,0,0,0,0,0,0,0,0},

        {0,SSL_TXT_kPSK,0,    SSL_kPSK,  0,0,0,0,0,0,0,0},

	{0,SSL_TXT_kSRP,0,    SSL_kSRP,  0,0,0,0,0,0,0,0},

	/* aliases combining key exchange and server authentication */

	{0,SSL_TXT_EDH,0,     SSL_kEDH,~SSL_aNULL,0,0,0,0,0,0,0},

	{0,SSL_TXT_EECDH,0,   SSL_kEECDH,~SSL_aNULL,0,0,0,0,0,0,0},

	{0,SSL_TXT_ECDHE,0,   SSL_kEECDH,~SSL_aNULL,0,0,0,0,0,0,0},

	{0,SSL_TXT_EECDH,0,   SSL_kECDHE,~SSL_aNULL,0,0,0,0,0,0,0},

	{0,SSL_TXT_ECDHE,0,   SSL_kECDHE,~SSL_aNULL,0,0,0,0,0,0,0},

	{0,SSL_TXT_NULL,0,    0,0,SSL_eNULL, 0,0,0,0,0,0},

	{0,SSL_TXT_KRB5,0,    SSL_kKRB5,SSL_aKRB5,0,0,0,0,0,0,0},

	{0,SSL_TXT_RSA,0,     SSL_kRSA,SSL_aRSA,0,0,0,0,0,0,0},

	{0,SSL_TXT_ADH,0,     SSL_kEDH,SSL_aNULL,0,0,0,0,0,0,0},

	{0,SSL_TXT_AECDH,0,   SSL_kEECDH,SSL_aNULL,0,0,0,0,0,0,0},

	{0,SSL_TXT_AECDH,0,   SSL_kECDHE,SSL_aNULL,0,0,0,0,0,0,0},

        {0,SSL_TXT_PSK,0,     SSL_kPSK,SSL_aPSK,0,0,0,0,0,0,0},

	{0,SSL_TXT_SRP,0,     SSL_kSRP,0,0,0,0,0,0,0,0},

	/* Now arrange all ciphers by preference: */

	/* Everything else being equal, prefer ephemeral ECDH over other key exchange mechanisms */

	ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);

	ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);

	ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);

	ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);

	/* AES is our preferred symmetric cipher */

	ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);

	case SSL_kECDHe:

		kx="ECDH/ECDSA";

		break;

	case SSL_kEECDH:

	case SSL_kECDHE:

		kx="ECDH";

		break;

	case SSL_kPSK:

	if (alg_k & (SSL_kECDHr|SSL_kECDHe))

		{

		/* we don't need to look at SSL_kEECDH

		/* we don't need to look at SSL_kECDHE

		 * since no certificate is needed for

		 * anon ECDH and for authenticated

		 * EECDH, the check for the auth

		 * ECDHE, the check for the auth

		 * algorithm will set i correctly

		 * NOTE: For ECDH-RSA, we need an ECC

		 * not an RSA cert but for EECDH-RSA

		 * not an RSA cert but for ECDHE-RSA

		 * we need an RSA cert. Placing the

		 * checks for SSL_kECDH before RSA

		 * checks ensures the correct cert is chosen.