AES cipher suites are now official (RFC3268) (5af9fcaf) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

CHANGES

+9 −8

Original line number	Diff line number	Diff line
		@@ -1055,13 +1055,14 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
		handle the new API. Currently only ECB, CBC modes supported. Add new
		AES OIDs.

		Add TLS AES ciphersuites as described in the "AES Ciphersuites
		for TLS" draft-ietf-tls-ciphersuite-06.txt. As these are not yet
		official, they are not enabled by default and are not even part
		of the "ALL" ciphersuite alias; for now, they must be explicitly
		requested by specifying the new "AESdraft" ciphersuite alias. If
		you want the default ciphersuite list plus the new ciphersuites,
		use "DEFAULT:AESdraft:@STRENGTH".
		Add TLS AES ciphersuites as described in RFC3268, "Advanced
		Encryption Standard (AES) Ciphersuites for Transport Layer
		Security (TLS)". (In beta versions of OpenSSL 0.9.7, these were
		not enabled by default and were not part of the "ALL" ciphersuite
		alias because they were not yet official; they could be
		explicitly requested by specifying the "AESdraft" ciphersuite
		group alias. In the final release of OpenSSL 0.9.7, the group
		alias is called "AES" and is part of "ALL".)
		[Ben Laurie, Steve Henson, Bodo Moeller]

		*) New function OCSP_copy_nonce() to copy nonce value (if present) from

NEWS

+1 −1

Original line number	Diff line number	Diff line
		@@ -38,7 +38,7 @@
		o SSL/TLS: support Kerberos cipher suites (RFC2712).
		o SSL/TLS: allow more precise control of renegotiations and sessions.
		o SSL/TLS: add callback to retrieve SSL/TLS messages.
		o SSL/TLS: add draft AES ciphersuites (disabled unless explicitly requested).
		o SSL/TLS: support AES cipher suites (RFC3268).

		Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d:

ssl/ssl.h

+1 −1

Original line number	Diff line number	Diff line
		@@ -253,7 +253,7 @@ extern "C" {
		#define SSL_TXT_RC4 "RC4"
		#define SSL_TXT_RC2 "RC2"
		#define SSL_TXT_IDEA "IDEA"
		#define SSL_TXT_AES "AESdraft" /* AES ciphersuites are not yet official (thus excluded from 'ALL') */
		#define SSL_TXT_AES "AES"
		#define SSL_TXT_MD5 "MD5"
		#define SSL_TXT_SHA1 "SHA1"
		#define SSL_TXT_SHA "SHA"

ssl/ssl_ciph.c

+6 −7

Original line number	Diff line number	Diff line
		@@ -100,9 +100,8 @@ typedef struct cipher_order_st
		} CIPHER_ORDER;

		static const SSL_CIPHER cipher_aliases[]={
		/* Don't include eNULL unless specifically enabled.
		* Similarly, don't include AES in ALL because these ciphers are not yet official. */
		{0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL & ~SSL_AES, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */
		/* Don't include eNULL unless specifically enabled. */
		{0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */
		{0,SSL_TXT_kKRB5,0,SSL_kKRB5,0,0,0,0,SSL_MKEY_MASK,0}, /* VRS Kerberos5 */
		{0,SSL_TXT_kRSA,0,SSL_kRSA, 0,0,0,0,SSL_MKEY_MASK,0},
		{0,SSL_TXT_kDHr,0,SSL_kDHr, 0,0,0,0,SSL_MKEY_MASK,0},
		@@ -999,10 +998,10 @@ char SSL_CIPHER_description(SSL_CIPHER cipher, char *buf, int len)
		case SSL_AES:
		switch(cipher->strength_bits)
		{
		case 128: enc="AESdraft(128)"; break;
		case 192: enc="AESdraft(192)"; break;
		case 256: enc="AESdraft(256)"; break;
		default: enc="AESdraft(?""?""?)"; break;
		case 128: enc="AES(128)"; break;
		case 192: enc="AES(192)"; break;
		case 256: enc="AES(256)"; break;
		default: enc="AES(?""?""?)"; break;
		}
		break;
		default:

ssl/tls1.h

+16 −15

Original line number	Diff line number	Diff line
		@@ -96,7 +96,7 @@ extern "C" {
		#define TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA 0x03000065
		#define TLS1_CK_DHE_DSS_WITH_RC4_128_SHA 0x03000066

		/* AES ciphersuites from draft ietf-tls-ciphersuite-03.txt */
		/* AES ciphersuites from RFC3268 */

		#define TLS1_CK_RSA_WITH_AES_128_SHA 0x0300002F
		#define TLS1_CK_DH_DSS_WITH_AES_128_SHA 0x03000030
		@@ -126,20 +126,21 @@ extern "C" {
		#define TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA "EXP1024-RC4-SHA"
		#define TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA "EXP1024-DHE-DSS-RC4-SHA"
		#define TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA "DHE-DSS-RC4-SHA"
		/* AES ciphersuites from draft-ietf-tls-ciphersuite-06.txt */
		#define TLS1_TXT_RSA_WITH_AES_128_SHA "AESdraft128-SHA"
		#define TLS1_TXT_DH_DSS_WITH_AES_128_SHA "DH-DSS-AESdraft128-SHA"
		#define TLS1_TXT_DH_RSA_WITH_AES_128_SHA "DH-RSA-AESdraft128-SHA"
		#define TLS1_TXT_DHE_DSS_WITH_AES_128_SHA "DHE-DSS-AESdraft128-SHA"
		#define TLS1_TXT_DHE_RSA_WITH_AES_128_SHA "DHE-RSA-AESdraft128-SHA"
		#define TLS1_TXT_ADH_WITH_AES_128_SHA "ADH-AESdraft128-SHA"

		#define TLS1_TXT_RSA_WITH_AES_256_SHA "AESdraft256-SHA"
		#define TLS1_TXT_DH_DSS_WITH_AES_256_SHA "DH-DSS-AESdraft256-SHA"
		#define TLS1_TXT_DH_RSA_WITH_AES_256_SHA "DH-RSA-AESdraft256-SHA"
		#define TLS1_TXT_DHE_DSS_WITH_AES_256_SHA "DHE-DSS-AESdraft256-SHA"
		#define TLS1_TXT_DHE_RSA_WITH_AES_256_SHA "DHE-RSA-AESdraft256-SHA"
		#define TLS1_TXT_ADH_WITH_AES_256_SHA "ADH-AESdraft256-SHA"

		/* AES ciphersuites from RFC3268 */
		#define TLS1_TXT_RSA_WITH_AES_128_SHA "AES128-SHA"
		#define TLS1_TXT_DH_DSS_WITH_AES_128_SHA "DH-DSS-AES128-SHA"
		#define TLS1_TXT_DH_RSA_WITH_AES_128_SHA "DH-RSA-AES128-SHA"
		#define TLS1_TXT_DHE_DSS_WITH_AES_128_SHA "DHE-DSS-AES128-SHA"
		#define TLS1_TXT_DHE_RSA_WITH_AES_128_SHA "DHE-RSA-AES128-SHA"
		#define TLS1_TXT_ADH_WITH_AES_128_SHA "ADH-AES128-SHA"

		#define TLS1_TXT_RSA_WITH_AES_256_SHA "AES256-SHA"
		#define TLS1_TXT_DH_DSS_WITH_AES_256_SHA "DH-DSS-AES256-SHA"
		#define TLS1_TXT_DH_RSA_WITH_AES_256_SHA "DH-RSA-AES256-SHA"
		#define TLS1_TXT_DHE_DSS_WITH_AES_256_SHA "DHE-DSS-AES256-SHA"
		#define TLS1_TXT_DHE_RSA_WITH_AES_256_SHA "DHE-RSA-AES256-SHA"
		#define TLS1_TXT_ADH_WITH_AES_256_SHA "ADH-AES256-SHA"


		#define TLS_CT_RSA_SIGN 1