diff --git a/ChangeLog b/ChangeLog index db25d3c6f..486793f3c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -24,6 +24,11 @@ Note: Most of these features have been donated by Fox-IT Changes * x509parse_time_expired() checks time in addition to the existing date check + * The ciphers member of ssl_context and the cipher member + of ssl_session have been renamed to ciphersuites and + ciphersuite respectively. This clarifies the difference + with the generic cipher layer and is better naming + altogether = Version 0.14.0 released on 2010-08-16 Features diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h index a4d3af0d9..5931c57d6 100644 --- a/include/polarssl/ssl.h +++ b/include/polarssl/ssl.h @@ -199,7 +199,7 @@ typedef struct _ssl_context ssl_context; struct _ssl_session { time_t start; /*!< starting time */ - int cipher; /*!< chosen cipher */ + int ciphersuite; /*!< chosen ciphersuite */ int length; /*!< session id length */ unsigned char id[32]; /*!< session identifier */ unsigned char master[48]; /*!< the master secret */ @@ -295,7 +295,7 @@ struct _ssl_context sha1_context fin_sha1; /*!< Finished SHA-1 checksum */ int do_crypt; /*!< en(de)cryption flag */ - int *ciphers; /*!< allowed ciphersuites */ + int *ciphersuites; /*!< allowed ciphersuites */ int pmslen; /*!< premaster length */ int keylen; /*!< symmetric key length */ int minlen; /*!< min. ciphertext length */ 
@@ -325,27 +325,38 @@ struct _ssl_context extern "C" { #endif -extern int ssl_default_ciphers[]; +extern int ssl_default_ciphersuites[]; /** - * \brief Returns the list of ciphers supported by the SSL/TLS module. + * \brief Returns the list of ciphersuites supported by the SSL/TLS module. * - * \return a statically allocated array of ciphers, the last entry - * is 0. + * \return a statically allocated array of ciphersuites, the last + * entry is 0. */ -static inline const int *ssl_list_ciphers( void ) +static inline const int *ssl_list_ciphersuites( void ) { - return ssl_default_ciphers; + return ssl_default_ciphersuites; } /** - * \brief Return the name of the cipher associated with the given ID + * \brief Return the name of the ciphersuite associated with the given + * ID * - * \param cipher_id SSL cipher ID + * \param ciphersuite_id SSL ciphersuite ID * - * \return a string containing the cipher name + * \return a string containing the ciphersuite name */ -const char *ssl_get_cipher_name( const int cipher_id ); +const char *ssl_get_ciphersuite_name( const int ciphersuite_id ); + +/** + * \brief Return the ID of the ciphersuite associated with the given + * name + * + * \param ciphersuite_name SSL ciphersuite name + * + * \return the ID with the ciphersuite or 0 if not found + */ +int ssl_get_ciphersuite_id( const char *ciphersuite_name ); /** * \brief Initialize an SSL context @@ -458,12 +469,12 @@ void ssl_set_session( ssl_context *ssl, int resume, int timeout, ssl_session *session ); /** - * \brief Set the list of allowed ciphersuites + * \brief Set the list of allowed ciphersuites * - * \param ssl SSL context - * \param ciphers 0-terminated list of allowed ciphers + * \param ssl SSL context + * \param ciphersuites 0-terminated list of allowed ciphersuites */ -void ssl_set_ciphers( ssl_context *ssl, int *ciphers ); +void ssl_set_ciphersuites( ssl_context *ssl, int *ciphersuites ); /** * \brief Set the data required to verify peer certificate 
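Review bot: The doc block added for `ssl_get_ciphersuite_id()` in this hunk does not say how the name is matched. The definition in library/ssl_tls.c compares with `strcasecmp` against dash-separated literals such as `SSL-RSA-RC4-128-MD5`, and skips suites whose module is compiled out. The return line could read `\return the ciphersuite ID, or 0 if the name is unknown or the ciphersuite is not compiled in (names are matched case-insensitively)`. The hunk also renames `ssl_list_ciphers`, `ssl_get_cipher_name` and `ssl_default_ciphers` without compatibility aliases, so existing callers will presumably stop building. The ChangeLog entry mentions only the struct members, so listing the renamed functions there would help integrators.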
@@ -557,13 +568,13 @@ int ssl_get_bytes_avail( const ssl_context *ssl ); int ssl_get_verify_result( const ssl_context *ssl ); /** - * \brief Return the name of the current cipher + * \brief Return the name of the current ciphersuite * * \param ssl SSL context * - * \return a string containing the cipher name + * \return a string containing the ciphersuite name */ -const char *ssl_get_cipher( const ssl_context *ssl ); +const char *ssl_get_ciphersuite( const ssl_context *ssl ); /** * \brief Return the current SSL version (SSLv3/TLSv1/etc) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index b1e5d01b8..2ff09643e 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -88,8 +88,8 @@ static int ssl_write_client_hello( ssl_context *ssl ) /* * 38 . 38 session id length * 39 . 39+n session id - * 40+n . 41+n cipherlist length - * 42+n . .. cipherlist + * 40+n . 41+n ciphersuitelist length + * 42+n . .. ciphersuitelist * .. . .. compression alg. (0) * .. . .. extensions (unused) */ @@ -107,19 +107,19 @@ static int ssl_write_client_hello( ssl_context *ssl ) SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) ); SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n ); - for( n = 0; ssl->ciphers[n] != 0; n++ ); + for( n = 0; ssl->ciphersuites[n] != 0; n++ ); *p++ = (unsigned char)( n >> 7 ); *p++ = (unsigned char)( n << 1 ); - SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphers", n ) ); + SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites", n ) ); for( i = 0; i < n; i++ ) { - SSL_DEBUG_MSG( 3, ( "client hello, add cipher: %2d", - ssl->ciphers[i] ) ); + SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %2d", + ssl->ciphersuites[i] ) ); - *p++ = (unsigned char)( ssl->ciphers[i] >> 8 ); - *p++ = (unsigned char)( ssl->ciphers[i] ); + *p++ = (unsigned char)( ssl->ciphersuites[i] >> 8 ); + *p++ = (unsigned char)( ssl->ciphersuites[i] ); } SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) ); 
@@ -235,7 +235,7 @@ static int ssl_parse_server_hello( ssl_context *ssl ) /* * 38 . 38 session id length * 39 . 38+n session id - * 39+n . 40+n chosen cipher + * 39+n . 40+n chosen ciphersuite * 41+n . 41+n chosen compression alg. * 42+n . 43+n extensions length * 44+n . 44+n+m extensions @@ -265,14 +265,14 @@ static int ssl_parse_server_hello( ssl_context *ssl ) * Check if the session can be resumed */ if( ssl->resume == 0 || n == 0 || - ssl->session->cipher != i || - ssl->session->length != n || + ssl->session->ciphersuite != i || + ssl->session->length != n || memcmp( ssl->session->id, buf + 39, n ) != 0 ) { ssl->state++; ssl->resume = 0; ssl->session->start = time( NULL ); - ssl->session->cipher = i; + ssl->session->ciphersuite = i; ssl->session->length = n; memcpy( ssl->session->id, buf + 39, n ); } @@ -290,19 +290,19 @@ static int ssl_parse_server_hello( ssl_context *ssl ) SSL_DEBUG_MSG( 3, ( "%s session has been resumed", ssl->resume ? "a" : "no" ) ); - SSL_DEBUG_MSG( 3, ( "server hello, chosen cipher: %d", i ) ); + SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d", i ) ); SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[41 + n] ) ); i = 0; while( 1 ) { - if( ssl->ciphers[i] == 0 ) + if( ssl->ciphersuites[i] == 0 ) { SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); } - if( ssl->ciphers[i++] == ssl->session->cipher ) + if( ssl->ciphersuites[i++] == ssl->session->ciphersuite ) break; } 
@@ -329,11 +329,11 @@ static int ssl_parse_server_key_exchange( ssl_context *ssl ) SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) ); - if( ssl->session->cipher != SSL_EDH_RSA_DES_168_SHA && - ssl->session->cipher != SSL_EDH_RSA_AES_128_SHA && - ssl->session->cipher != SSL_EDH_RSA_AES_256_SHA && - ssl->session->cipher != SSL_EDH_RSA_CAMELLIA_128_SHA && - ssl->session->cipher != SSL_EDH_RSA_CAMELLIA_256_SHA) + if( ssl->session->ciphersuite != SSL_EDH_RSA_DES_168_SHA && + ssl->session->ciphersuite != SSL_EDH_RSA_AES_128_SHA && + ssl->session->ciphersuite != SSL_EDH_RSA_AES_256_SHA && + ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_128_SHA && + ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_256_SHA) { SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); ssl->state++; @@ -522,11 +522,11 @@ static int ssl_write_client_key_exchange( ssl_context *ssl ) SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) ); - if( ssl->session->cipher == SSL_EDH_RSA_DES_168_SHA || - ssl->session->cipher == SSL_EDH_RSA_AES_128_SHA || - ssl->session->cipher == SSL_EDH_RSA_AES_256_SHA || - ssl->session->cipher == SSL_EDH_RSA_CAMELLIA_128_SHA || - ssl->session->cipher == SSL_EDH_RSA_CAMELLIA_256_SHA) + if( ssl->session->ciphersuite == SSL_EDH_RSA_DES_168_SHA || + ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA || + ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA || + ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA || + ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA) { #if !defined(POLARSSL_DHM_C) SSL_DEBUG_MSG( 1, ( "support for dhm in not available" ) ); diff --git a/library/ssl_srv.c b/library/ssl_srv.c index f51a2de90..4e4c0f9e4 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c 
@@ -112,10 +112,10 @@ static int ssl_parse_client_hello( ssl_context *ssl ) n = ssl->in_left - 5; /* - * 0 . 1 cipherlist length + * 0 . 1 ciphersuitelist length * 2 . 3 session id length * 4 . 5 challenge length - * 6 . .. cipherlist + * 6 . .. ciphersuitelist * .. . .. session id * .. . .. challenge */ @@ -155,7 +155,7 @@ static int ssl_parse_client_hello( ssl_context *ssl ) return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); } - SSL_DEBUG_BUF( 3, "client hello, cipherlist", + SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist", buf + 6, ciph_len ); SSL_DEBUG_BUF( 3, "client hello, session id", buf + 6 + ciph_len, sess_len ); @@ -171,14 +171,14 @@ static int ssl_parse_client_hello( ssl_context *ssl ) memset( ssl->randbytes, 0, 64 ); memcpy( ssl->randbytes + 32 - chal_len, p, chal_len ); - for( i = 0; ssl->ciphers[i] != 0; i++ ) + for( i = 0; ssl->ciphersuites[i] != 0; i++ ) { for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 ) { if( p[0] == 0 && p[1] == 0 && - p[2] == ssl->ciphers[i] ) - goto have_cipher; + p[2] == ssl->ciphersuites[i] ) + goto have_ciphersuite; } } } @@ -237,8 +237,8 @@ static int ssl_parse_client_hello( ssl_context *ssl ) * 10 . 37 random bytes * 38 . 38 session id length * 39 . 38+x session id - * 39+x . 40+x cipherlist length - * 41+x . .. cipherlist + * 39+x . 40+x ciphersuitelist length + * 41+x . .. ciphersuitelist * .. . .. compression alg. * .. . .. extensions */ @@ -295,7 +295,7 @@ static int ssl_parse_client_hello( ssl_context *ssl ) memcpy( ssl->session->id, buf + 39 , ssl->session->length ); /* - * Check the cipherlist length + * Check the ciphersuitelist length */ ciph_len = ( buf[39 + sess_len] << 8 ) | ( buf[40 + sess_len] ); 
@@ -321,32 +321,32 @@ static int ssl_parse_client_hello( ssl_context *ssl ) buf + 6, 32 ); SSL_DEBUG_BUF( 3, "client hello, session id", buf + 38, sess_len ); - SSL_DEBUG_BUF( 3, "client hello, cipherlist", + SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist", buf + 41 + sess_len, ciph_len ); SSL_DEBUG_BUF( 3, "client hello, compression", buf + 42 + sess_len + ciph_len, comp_len ); /* - * Search for a matching cipher + * Search for a matching ciphersuite */ - for( i = 0; ssl->ciphers[i] != 0; i++ ) + for( i = 0; ssl->ciphersuites[i] != 0; i++ ) { for( j = 0, p = buf + 41 + sess_len; j < ciph_len; j += 2, p += 2 ) { - if( p[0] == 0 && p[1] == ssl->ciphers[i] ) - goto have_cipher; + if( p[0] == 0 && p[1] == ssl->ciphersuites[i] ) + goto have_ciphersuite; } } } - SSL_DEBUG_MSG( 1, ( "got no ciphers in common" ) ); + SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) ); return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN ); -have_cipher: +have_ciphersuite: - ssl->session->cipher = ssl->ciphers[i]; + ssl->session->ciphersuite = ssl->ciphersuites[i]; ssl->in_left = 0; ssl->state++; @@ -397,7 +397,7 @@ static int ssl_write_server_hello( ssl_context *ssl ) /* * 38 . 38 session id length * 39 . 38+n session id - * 39+n . 40+n chosen cipher + * 39+n . 40+n chosen ciphersuite * 41+n . 41+n chosen compression alg. */ ssl->session->length = n = 32; 
@@ -439,12 +439,12 @@ static int ssl_write_server_hello( ssl_context *ssl ) SSL_DEBUG_MSG( 3, ( "%s session has been resumed", ssl->resume ? "a" : "no" ) ); - *p++ = (unsigned char)( ssl->session->cipher >> 8 ); - *p++ = (unsigned char)( ssl->session->cipher ); + *p++ = (unsigned char)( ssl->session->ciphersuite >> 8 ); + *p++ = (unsigned char)( ssl->session->ciphersuite ); *p++ = SSL_COMPRESS_NULL; - SSL_DEBUG_MSG( 3, ( "server hello, chosen cipher: %d", - ssl->session->cipher ) ); + SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d", + ssl->session->ciphersuite ) ); SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", 0 ) ); ssl->out_msglen = p - buf; @@ -532,11 +532,11 @@ static int ssl_write_server_key_exchange( ssl_context *ssl ) SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) ); - if( ssl->session->cipher != SSL_EDH_RSA_DES_168_SHA && - ssl->session->cipher != SSL_EDH_RSA_AES_128_SHA && - ssl->session->cipher != SSL_EDH_RSA_AES_256_SHA && - ssl->session->cipher != SSL_EDH_RSA_CAMELLIA_128_SHA && - ssl->session->cipher != SSL_EDH_RSA_CAMELLIA_256_SHA) + if( ssl->session->ciphersuite != SSL_EDH_RSA_DES_168_SHA && + ssl->session->ciphersuite != SSL_EDH_RSA_AES_128_SHA && + ssl->session->ciphersuite != SSL_EDH_RSA_AES_256_SHA && + ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_128_SHA && + ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_256_SHA) { SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) ); ssl->state++; 
@@ -702,11 +702,11 @@ static int ssl_parse_client_key_exchange( ssl_context *ssl ) return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); } - if( ssl->session->cipher == SSL_EDH_RSA_DES_168_SHA || - ssl->session->cipher == SSL_EDH_RSA_AES_128_SHA || - ssl->session->cipher == SSL_EDH_RSA_AES_256_SHA || - ssl->session->cipher == SSL_EDH_RSA_CAMELLIA_128_SHA || - ssl->session->cipher == SSL_EDH_RSA_CAMELLIA_256_SHA) + if( ssl->session->ciphersuite == SSL_EDH_RSA_DES_168_SHA || + ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA || + ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA || + ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA || + ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA) { #if !defined(POLARSSL_DHM_C) SSL_DEBUG_MSG( 1, ( "support for dhm is not available" ) ); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 3856fff0a..6f36e265b 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -214,7 +214,7 @@ int ssl_derive_keys( ssl_context *ssl ) tls1_prf( ssl->session->master, 48, "key expansion", ssl->randbytes, 64, keyblk, 256 ); - SSL_DEBUG_MSG( 3, ( "cipher = %s", ssl_get_cipher( ssl ) ) ); + SSL_DEBUG_MSG( 3, ( "ciphersuite = %s", ssl_get_ciphersuite( ssl ) ) ); SSL_DEBUG_BUF( 3, "master secret", ssl->session->master, 48 ); SSL_DEBUG_BUF( 4, "random bytes", ssl->randbytes, 64 ); SSL_DEBUG_BUF( 4, "key block", keyblk, 256 ); @@ -224,7 +224,7 @@ int ssl_derive_keys( ssl_context *ssl ) /* * Determine the appropriate key, IV and MAC length. */ - switch( ssl->session->cipher ) + switch( ssl->session->ciphersuite ) { #if defined(POLARSSL_ARC4_C) case SSL_RSA_RC4_128_MD5: @@ -275,8 +275,8 @@ int ssl_derive_keys( ssl_context *ssl ) #endif default: - SSL_DEBUG_MSG( 1, ( "cipher %s is not available", - ssl_get_cipher( ssl ) ) ); + SSL_DEBUG_MSG( 1, ( "ciphersuite %s is not available", + ssl_get_ciphersuite( ssl ) ) ); return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE ); } 
@@ -317,7 +317,7 @@ int ssl_derive_keys( ssl_context *ssl ) ssl->ivlen ); } - switch( ssl->session->cipher ) + switch( ssl->session->ciphersuite ) { #if defined(POLARSSL_ARC4_C) case SSL_RSA_RC4_128_MD5: @@ -611,10 +611,10 @@ static int ssl_encrypt_buf( ssl_context *ssl ) case 16: #if defined(POLARSSL_AES_C) - if ( ssl->session->cipher == SSL_RSA_AES_128_SHA || - ssl->session->cipher == SSL_EDH_RSA_AES_128_SHA || - ssl->session->cipher == SSL_RSA_AES_256_SHA || - ssl->session->cipher == SSL_EDH_RSA_AES_256_SHA) + if ( ssl->session->ciphersuite == SSL_RSA_AES_128_SHA || + ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA || + ssl->session->ciphersuite == SSL_RSA_AES_256_SHA || + ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA) { aes_crypt_cbc( (aes_context *) ssl->ctx_enc, AES_ENCRYPT, enc_msglen, @@ -624,10 +624,10 @@ static int ssl_encrypt_buf( ssl_context *ssl ) #endif #if defined(POLARSSL_CAMELLIA_C) - if ( ssl->session->cipher == SSL_RSA_CAMELLIA_128_SHA || - ssl->session->cipher == SSL_EDH_RSA_CAMELLIA_128_SHA || - ssl->session->cipher == SSL_RSA_CAMELLIA_256_SHA || - ssl->session->cipher == SSL_EDH_RSA_CAMELLIA_256_SHA) + if ( ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA || + ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA || + ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA || + ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA) { camellia_crypt_cbc( (camellia_context *) ssl->ctx_enc, CAMELLIA_ENCRYPT, enc_msglen, 
@@ -716,10 +716,10 @@ static int ssl_decrypt_buf( ssl_context *ssl ) case 16: #if defined(POLARSSL_AES_C) - if ( ssl->session->cipher == SSL_RSA_AES_128_SHA || - ssl->session->cipher == SSL_EDH_RSA_AES_128_SHA || - ssl->session->cipher == SSL_RSA_AES_256_SHA || - ssl->session->cipher == SSL_EDH_RSA_AES_256_SHA) + if ( ssl->session->ciphersuite == SSL_RSA_AES_128_SHA || + ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA || + ssl->session->ciphersuite == SSL_RSA_AES_256_SHA || + ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA) { aes_crypt_cbc( (aes_context *) ssl->ctx_dec, AES_DECRYPT, dec_msglen, @@ -729,10 +729,10 @@ static int ssl_decrypt_buf( ssl_context *ssl ) #endif #if defined(POLARSSL_CAMELLIA_C) - if ( ssl->session->cipher == SSL_RSA_CAMELLIA_128_SHA || - ssl->session->cipher == SSL_EDH_RSA_CAMELLIA_128_SHA || - ssl->session->cipher == SSL_RSA_CAMELLIA_256_SHA || - ssl->session->cipher == SSL_EDH_RSA_CAMELLIA_256_SHA) + if ( ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA || + ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA || + ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA || + ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA) { camellia_crypt_cbc( (camellia_context *) ssl->ctx_dec, CAMELLIA_DECRYPT, dec_msglen, @@ -1776,9 +1776,9 @@ void ssl_set_session( ssl_context *ssl, int resume, int timeout, ssl->session = session; } -void ssl_set_ciphers( ssl_context *ssl, int *ciphers ) +void ssl_set_ciphersuites( ssl_context *ssl, int *ciphersuites ) { - ssl->ciphers = ciphers; + ssl->ciphersuites = ciphersuites; } void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain, @@ -1872,9 +1872,9 @@ int ssl_get_verify_result( const ssl_context *ssl ) return( ssl->verify_result ); } -const char *ssl_get_cipher_name( const int cipher_id ) +const char *ssl_get_ciphersuite_name( const int ciphersuite_id ) { - switch( cipher_id ) + switch( ciphersuite_id ) { #if defined(POLARSSL_ARC4_C) case SSL_RSA_RC4_128_MD5: 
@@ -1927,50 +1927,50 @@ const char *ssl_get_cipher_name( const int cipher_id ) return( "unknown" ); } -int ssl_get_cipher_id( const char *cipher_name ) +int ssl_get_ciphersuite_id( const char *ciphersuite_name ) { #if defined(POLARSSL_ARC4_C) - if (0 == strcasecmp(cipher_name, "SSL-RSA-RC4-128-MD5")) + if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-RC4-128-MD5")) return( SSL_RSA_RC4_128_MD5 ); - if (0 == strcasecmp(cipher_name, "SSL-RSA-RC4-128-SHA")) + if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-RC4-128-SHA")) return( SSL_RSA_RC4_128_SHA ); #endif #if defined(POLARSSL_DES_C) - if (0 == strcasecmp(cipher_name, "SSL-RSA-DES-168-SHA")) + if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-DES-168-SHA")) return( SSL_RSA_DES_168_SHA ); - if (0 == strcasecmp(cipher_name, "SSL-EDH-RSA-DES-168-SHA")) + if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-DES-168-SHA")) return( SSL_EDH_RSA_DES_168_SHA ); #endif #if defined(POLARSSL_AES_C) - if (0 == strcasecmp(cipher_name, "SSL-RSA-AES-128-SHA")) + if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-128-SHA")) return( SSL_RSA_AES_128_SHA ); - if (0 == strcasecmp(cipher_name, "SSL-EDH-RSA-AES-128-SHA")) + if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-128-SHA")) return( SSL_EDH_RSA_AES_128_SHA ); - if (0 == strcasecmp(cipher_name, "SSL-RSA-AES-256-SHA")) + if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-256-SHA")) return( SSL_RSA_AES_256_SHA ); - if (0 == strcasecmp(cipher_name, "SSL-EDH-RSA-AES-256-SHA")) + if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-256-SHA")) return( SSL_EDH_RSA_AES_256_SHA ); #endif #if defined(POLARSSL_CAMELLIA_C) - if (0 == strcasecmp(cipher_name, "SSL-RSA-CAMELLIA-128-SHA")) + if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-128-SHA")) return( SSL_RSA_CAMELLIA_128_SHA ); - if (0 == strcasecmp(cipher_name, "SSL-EDH-RSA-CAMELLIA-128-SHA")) + if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-128-SHA")) return( SSL_EDH_RSA_CAMELLIA_128_SHA ); - if (0 == 
strcasecmp(cipher_name, "SSL-RSA-CAMELLIA-256-SHA")) + if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-256-SHA")) return( SSL_RSA_CAMELLIA_256_SHA ); - if (0 == strcasecmp(cipher_name, "SSL-EDH-RSA-CAMELLIA-256-SHA")) + if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-256-SHA")) return( SSL_EDH_RSA_CAMELLIA_256_SHA ); #endif return( 0 ); } -const char *ssl_get_cipher( const ssl_context *ssl ) +const char *ssl_get_ciphersuite( const ssl_context *ssl ) { - return ssl_get_cipher_name( ssl->session->cipher ); + return ssl_get_ciphersuite_name( ssl->session->ciphersuite ); } const char *ssl_get_version( const ssl_context *ssl ) @@ -1992,7 +1992,7 @@ const char *ssl_get_version( const ssl_context *ssl ) return( "unknown" ); } -int ssl_default_ciphers[] = +int ssl_default_ciphersuites[] = { #if defined(POLARSSL_DHM_C) #if defined(POLARSSL_AES_C) diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c index 356e6c261..ac02aeb5a 100644 --- a/programs/ssl/ssl_client1.c +++ b/programs/ssl/ssl_client1.c @@ -101,7 +101,7 @@ int main( void ) ssl_set_bio( &ssl, net_recv, &server_fd, net_send, &server_fd ); - ssl_set_ciphers( &ssl, ssl_default_ciphers ); + ssl_set_ciphersuites( &ssl, ssl_default_ciphersuites ); ssl_set_session( &ssl, 1, 600, &ssn ); /* diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 97f319668..c27aeb8c2 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -248,7 +248,7 @@ int main( int argc, char *argv[] ) ssl_set_bio( &ssl, net_recv, &server_fd, net_send, &server_fd ); - ssl_set_ciphers( &ssl, ssl_default_ciphers ); + ssl_set_ciphersuites( &ssl, ssl_default_ciphersuites ); ssl_set_session( &ssl, 1, 600, &ssn ); ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name ); 
@@ -271,8 +271,8 @@ int main( int argc, char *argv[] ) } } - printf( " ok\n [ Cipher is %s ]\n", - ssl_get_cipher( &ssl ) ); + printf( " ok\n [ Ciphersuite is %s ]\n", + ssl_get_ciphersuite( &ssl ) ); /* * 5. Verify the server certificate diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c index f01cb3c23..c64a83502 100644 --- a/programs/ssl/ssl_server.c +++ b/programs/ssl/ssl_server.c @@ -66,7 +66,7 @@ char *my_dhm_G = "4"; /* * Sorted by order of preference */ -int my_ciphers[] = +int my_ciphersuites[] = { SSL_EDH_RSA_AES_256_SHA, SSL_EDH_RSA_CAMELLIA_256_SHA, @@ -119,7 +119,7 @@ static int my_get_session( ssl_context *ssl ) if( ssl->timeout != 0 && t - prv->start > ssl->timeout ) continue; - if( ssl->session->cipher != prv->cipher || + if( ssl->session->ciphersuite != prv->ciphersuite || ssl->session->length != prv->length ) continue; @@ -287,7 +287,7 @@ accept: ssl_set_scb( &ssl, my_get_session, my_set_session ); - ssl_set_ciphers( &ssl, my_ciphers ); + ssl_set_ciphersuites( &ssl, my_ciphersuites ); ssl_set_session( &ssl, 1, 0, &ssn ); memset( &ssn, 0, sizeof( ssl_session ) ); @@ -360,7 +360,7 @@ accept: fflush( stdout ); len = sprintf( (char *) buf, HTTP_RESPONSE, - ssl_get_cipher( &ssl ) ); + ssl_get_ciphersuite( &ssl ) ); while( ( ret = ssl_write( &ssl, buf, len ) ) <= 0 ) { diff --git a/programs/test/ssl_test.c b/programs/test/ssl_test.c index 15c221e03..61aeb9a8f 100644 --- a/programs/test/ssl_test.c +++ b/programs/test/ssl_test.c @@ -91,7 +91,7 @@ struct options int max_connections; /* max. number of reconnections */ int session_reuse; /* flag to reuse the keying material */ int session_lifetime; /* if reached, session data is expired */ - int force_cipher[2]; /* protocol/cipher to use, or all */ + int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */ }; /* 
@@ -242,9 +242,9 @@ static int ssl_test( struct options *opt ) ssl_set_session( &ssl, opt->session_reuse, opt->session_lifetime, &ssn ); - if( opt->force_cipher[0] == DFL_FORCE_CIPHER ) - ssl_set_ciphers( &ssl, ssl_default_ciphers ); - else ssl_set_ciphers( &ssl, opt->force_cipher ); + if( opt->force_ciphersuite[0] == DFL_FORCE_CIPHER ) + ssl_set_ciphersuites( &ssl, ssl_default_ciphersuites ); + else ssl_set_ciphersuites( &ssl, opt->force_ciphersuite ); if( opt->iomode == IOMODE_NONBLOCK ) net_set_nonblock( client_fd ); @@ -389,17 +389,13 @@ exit: " max_connections=%%d default: 0 (no limit)\n" \ " session_reuse=on/off default: on (enabled)\n" \ " session_lifetime=%%d (s) default: 86400\n" \ - " force_cipher= default: all enabled\n" \ - " acceptable cipher names:\n" \ - " SSL_RSA_RC4_128_MD5 SSL_RSA_RC4_128_SHA\n" \ - " SSL_RSA_DES_168_SHA SSL_EDH_RSA_DES_168_SHA\n" \ - " SSL_RSA_AES_128_SHA SSL_EDH_RSA_AES_256_SHA\n" \ - " SSL_RSA_AES_256_SHA SSL_EDH_RSA_CAMELLIA_256_SHA\n" \ - " SSL_RSA_CAMELLIA_128_SHA SSL_RSA_CAMELLIA_256_SHA\n\n" + " force_ciphersuite= default: all enabled\n" \ + " acceptable ciphersuite names:\n" int main( int argc, char *argv[] ) { int i, j, n; + const int *list; int ret = 1; int nb_conn; char *p, *q; @@ -409,6 +405,14 @@ int main( int argc, char *argv[] ) { usage: printf( USAGE ); + + list = ssl_list_ciphersuites(); + while( *list ) + { + printf(" %s\n", ssl_get_ciphersuite_name( *list ) ); + list++; + } + printf("\n"); goto exit; } @@ -424,7 +428,7 @@ int main( int argc, char *argv[] ) opt.max_connections = DFL_MAX_CONNECTIONS; opt.session_reuse = DFL_SESSION_REUSE; opt.session_lifetime = DFL_SESSION_LIFETIME; - opt.force_cipher[0] = DFL_FORCE_CIPHER; + opt.force_ciphersuite[0] = DFL_FORCE_CIPHER; for( i = 1; i < argc; i++ ) { 
@@ -520,44 +524,16 @@ int main( int argc, char *argv[] ) if( strcmp( p, "session_lifetime" ) == 0 ) opt.session_lifetime = atoi( q ); - if( strcmp( p, "force_cipher" ) == 0 ) + if( strcmp( p, "force_ciphersuite" ) == 0 ) { - opt.force_cipher[0] = -1; + opt.force_ciphersuite[0] = -1; - if( strcmp( q, "ssl_rsa_rc4_128_md5" ) == 0 ) - opt.force_cipher[0] = SSL_RSA_RC4_128_MD5; + opt.force_ciphersuite[0] = ssl_get_ciphersuite_id( q ); - if( strcmp( q, "ssl_rsa_rc4_128_sha" ) == 0 ) - opt.force_cipher[0] = SSL_RSA_RC4_128_SHA; - - if( strcmp( q, "ssl_rsa_des_168_sha" ) == 0 ) - opt.force_cipher[0] = SSL_RSA_DES_168_SHA; - - if( strcmp( q, "ssl_edh_rsa_des_168_sha" ) == 0 ) - opt.force_cipher[0] = SSL_EDH_RSA_DES_168_SHA; - - if( strcmp( q, "ssl_rsa_aes_128_sha" ) == 0 ) - opt.force_cipher[0] = SSL_RSA_AES_128_SHA; - - if( strcmp( q, "ssl_rsa_aes_256_sha" ) == 0 ) - opt.force_cipher[0] = SSL_RSA_AES_256_SHA; - - if( strcmp( q, "ssl_edh_rsa_aes_256_sha" ) == 0 ) - opt.force_cipher[0] = SSL_EDH_RSA_AES_256_SHA; - - if( strcmp( q, "ssl_rsa_camellia_128_sha" ) == 0 ) - opt.force_cipher[0] = SSL_RSA_CAMELLIA_128_SHA; - - if( strcmp( q, "ssl_rsa_camellia_256_sha" ) == 0 ) - opt.force_cipher[0] = SSL_RSA_CAMELLIA_256_SHA; - - if( strcmp( q, "ssl_edh_rsa_camellia_256_sha" ) == 0 ) - opt.force_cipher[0] = SSL_EDH_RSA_CAMELLIA_256_SHA; - - if( opt.force_cipher[0] < 0 ) + if( opt.force_ciphersuite[0] <= 0 ) goto usage; - opt.force_cipher[1] = 0; + opt.force_ciphersuite[1] = 0; } } diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c index 31f1dfc02..a1db8840e 100644 --- a/programs/x509/cert_app.c +++ b/programs/x509/cert_app.c @@ -224,7 +224,7 @@ int main( int argc, char *argv[] ) ssl_set_bio( &ssl, net_recv, &server_fd, net_send, &server_fd ); - ssl_set_ciphers( &ssl, ssl_default_ciphers ); + ssl_set_ciphersuites( &ssl, ssl_default_ciphersuites ); ssl_set_session( &ssl, 1, 600, &ssn ); ssl_set_own_cert( &ssl, &clicert, &rsa );
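Review bot: The assignment `opt.force_ciphersuite[0] = -1;` kept at the top of the `force_ciphersuite` branch is now a dead store, because the next statement overwrites it with `ssl_get_ciphersuite_id( q )`; it can be dropped. The accepted spelling also changes: the removed comparisons took lowercase underscore names (`ssl_rsa_rc4_128_md5`), while the literals in `ssl_get_ciphersuite_id()` are dash-separated (`SSL-RSA-RC4-128-MD5`, matched case-insensitively). The usage text now prints whatever `ssl_get_ciphersuite_name()` returns, and those strings are not visible in this diff. It is worth confirming that a name copied from the usage output is accepted by the parser, otherwise a forced-ciphersuite test run falls through to `usage` instead of exercising the intended suite. main() continues outside the hunk.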