AES cipher suites are now official (RFC3268) (ea4f109c) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

CHANGES

+18 −8

Original line number	Diff line number	Diff line
		@@ -4,6 +4,15 @@

		Changes between 0.9.7 and 0.9.8 [xx XXX 2002]

		*) Change default behaviour of 'openssl asn1parse' so that more
		information is visible when viewing, e.g., a certificate:

		Modify asn1_parse2 (crypto/asn1/asn1_par.c) so that in non-'dump'
		mode the content of non-printable OCTET STRINGs is output in a
		style similar to INTEGERs, but with '[HEX DUMP]' prepended to
		avoid the appearance of a printable string.
		[Nils Larsch <nla@trustcenter.de>]

		*) Add 'asn1_flag' and 'asn1_form' member to EC_GROUP with access
		functions
		EC_GROUP_set_asn1_flag()
		@@ -1143,13 +1152,14 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
		handle the new API. Currently only ECB, CBC modes supported. Add new
		AES OIDs.

		Add TLS AES ciphersuites as described in the "AES Ciphersuites
		for TLS" draft-ietf-tls-ciphersuite-06.txt. As these are not yet
		official, they are not enabled by default and are not even part
		of the "ALL" ciphersuite alias; for now, they must be explicitly
		requested by specifying the new "AESdraft" ciphersuite alias. If
		you want the default ciphersuite list plus the new ciphersuites,
		use "DEFAULT:AESdraft:@STRENGTH".
		Add TLS AES ciphersuites as described in RFC3268, "Advanced
		Encryption Standard (AES) Ciphersuites for Transport Layer
		Security (TLS)". (In beta versions of OpenSSL 0.9.7, these were
		not enabled by default and were not part of the "ALL" ciphersuite
		alias because they were not yet official; they could be
		explicitly requested by specifying the "AESdraft" ciphersuite
		group alias. In the final release of OpenSSL 0.9.7, the group
		alias is called "AES" and is part of "ALL".)
		[Ben Laurie, Steve Henson, Bodo Moeller]

		*) New function OCSP_copy_nonce() to copy nonce value (if present) from

NEWS

+1 −1

Original line number	Diff line number	Diff line
		@@ -38,7 +38,7 @@
		o SSL/TLS: support Kerberos cipher suites (RFC2712).
		o SSL/TLS: allow more precise control of renegotiations and sessions.
		o SSL/TLS: add callback to retrieve SSL/TLS messages.
		o SSL/TLS: add draft AES ciphersuites (disabled unless explicitly requested).
		o SSL/TLS: support AES cipher suites (RFC3268).

		Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d:

crypto/asn1/asn1_par.c

+26 −6

Original line number	Diff line number	Diff line
		@@ -261,9 +261,11 @@ static int asn1_parse2(BIO bp, unsigned char *pp, long length, int offset,

		opp=op;
		os=d2i_ASN1_OCTET_STRING(NULL,&opp,len+hl);
		if (os != NULL)
		if (os != NULL && os->length > 0)
		{
		opp = os->data;
		/* testing whether the octet string is
		* printable */
		for (i=0; i<os->length; i++)
		{
		if (( (opp[i] < ' ') &&
		@@ -276,7 +278,8 @@ static int asn1_parse2(BIO bp, unsigned char *pp, long length, int offset,
		break;
		}
		}
		if (printable && (os->length > 0))
		if (printable)
		/* printable string */
		{
		if (BIO_write(bp,":",1) <= 0)
		goto end;
		@@ -284,8 +287,21 @@ static int asn1_parse2(BIO bp, unsigned char *pp, long length, int offset,
		os->length) <= 0)
		goto end;
		}
		if (!printable && (os->length > 0)
		&& dump)
		else if (!dump)
		/* not printable => print octet string
		* as hex dump */
		{
		if (BIO_write(bp,"[HEX DUMP]:",11) <= 0)
		goto end;
		for (i=0; i<os->length; i++)
		{
		if (BIO_printf(bp,"%02X"
		, opp[i]) <= 0)
		goto end;
		}
		}
		else
		/* print the normal dump */
		{
		if (!nl)
		{
		@@ -293,11 +309,15 @@ static int asn1_parse2(BIO bp, unsigned char *pp, long length, int offset,
		goto end;
		}
		if (BIO_dump_indent(bp,(char *)opp,
		((dump == -1 \|\| dump > os->length)?os->length:dump),
		((dump == -1 \|\| dump >
		os->length)?os->length:dump),
		dump_indent) <= 0)
		goto end;
		nl=1;
		}
		}
		if (os != NULL)
		{
		M_ASN1_OCTET_STRING_free(os);
		os=NULL;
		}

ssl/ssl.h

+1 −1

Original line number	Diff line number	Diff line
		@@ -253,7 +253,7 @@ extern "C" {
		#define SSL_TXT_RC4 "RC4"
		#define SSL_TXT_RC2 "RC2"
		#define SSL_TXT_IDEA "IDEA"
		#define SSL_TXT_AES "AESdraft" /* AES ciphersuites are not yet official (thus excluded from 'ALL') */
		#define SSL_TXT_AES "AES"
		#define SSL_TXT_MD5 "MD5"
		#define SSL_TXT_SHA1 "SHA1"
		#define SSL_TXT_SHA "SHA"

ssl/ssl_ciph.c

+6 −7

Original line number	Diff line number	Diff line
		@@ -100,9 +100,8 @@ typedef struct cipher_order_st
		} CIPHER_ORDER;

		static const SSL_CIPHER cipher_aliases[]={
		/* Don't include eNULL unless specifically enabled.
		* Similarly, don't include AES in ALL because these ciphers are not yet official. */
		{0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL & ~SSL_AES, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */
		/* Don't include eNULL unless specifically enabled. */
		{0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */
		{0,SSL_TXT_kKRB5,0,SSL_kKRB5,0,0,0,0,SSL_MKEY_MASK,0}, /* VRS Kerberos5 */
		{0,SSL_TXT_kRSA,0,SSL_kRSA, 0,0,0,0,SSL_MKEY_MASK,0},
		{0,SSL_TXT_kDHr,0,SSL_kDHr, 0,0,0,0,SSL_MKEY_MASK,0},
		@@ -999,10 +998,10 @@ char SSL_CIPHER_description(SSL_CIPHER cipher, char *buf, int len)
		case SSL_AES:
		switch(cipher->strength_bits)
		{
		case 128: enc="AESdraft(128)"; break;
		case 192: enc="AESdraft(192)"; break;
		case 256: enc="AESdraft(256)"; break;
		default: enc="AESdraft(?""?""?)"; break;
		case 128: enc="AES(128)"; break;
		case 192: enc="AES(192)"; break;
		case 256: enc="AES(256)"; break;
		default: enc="AES(?""?""?)"; break;
		}
		break;
		default: