From: Bodo Möller <bodo@openssl.org>
Date: Thu, 22 Jun 2006 12:35:54 +0000 (+0000)
Subject: Put ECCdraft ciphersuites back into default build (but disabled
X-Git-Tag: OpenSSL_0_9_8c~21
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=aa17ab7e5732f424c143b154fe563580db420784;p=openssl

Put ECCdraft ciphersuites back into default build (but disabled
unless specifically requested)
---

diff --git a/CHANGES b/CHANGES
index 935242efb3..a87ef31e2d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,9 +4,13 @@
 
  Changes between 0.9.8b and 0.9.8c  [xx XXX xxxx]
 
-  *) Disable "ECCdraft" ciphersuites (which were not part of the "ALL"
-     alias).  These are now excluded from compilation by default, since
-     OpenSSL 0.9.9[-dev] should be used for TLS with elliptic curves.
+  *) Disable "ECCdraft" ciphersuites more thoroughly.  Now special
+     treatment in ssl/ssl_ciph.s makes sure that these ciphersuites
+     cannot be implicitly activated as part of, e.g., the "AES" alias.
+     However, please upgrade to OpenSSL 0.9.9[-dev] for
+     non-experimental use of the ECC ciphersuites to get TLS extension
+     support, which is required for curve and point format negotiation
+     to avoid potential handshake problems.
      [Bodo Moeller]
 
   *) Disable rogue ciphersuites:
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index f08c9932c9..0eff243c12 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -1165,7 +1165,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	},
 #endif /* OPENSSL_NO_CAMELLIA */
 
-#if 0 /* please use OpenSSL 0.9.9 branch for ECC ciphersuites */
 #ifndef OPENSSL_NO_ECDH
 	/* Cipher C001 */
 	    {
@@ -1517,7 +1516,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
             SSL_ALL_STRENGTHS,
             },
 #endif	/* OPENSSL_NO_ECDH */
-#endif
 
 
 /* end of list */
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 2e3c6a5661..498c28b491 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -635,8 +635,22 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
 			{
 			if (!curr->active)
 				{
-				ll_append_tail(&head, curr, &tail);
-				curr->active = 1;
+				int add_this_cipher = 1;
+
+				if (((cp->algorithms & (SSL_kECDHE|SSL_kECDH|SSL_aECDSA)) != 0))
+					{
+					/* Make sure "ECCdraft" ciphersuites are activated only if
+					 * *explicitly* requested, but not implicitly (such as
+					 * as part of the "AES" alias). */
+
+					add_this_cipher = (mask & (SSL_kECDHE|SSL_kECDH|SSL_aECDSA)) != 0;
+					}
+				
+				if (add_this_cipher)
+					{
+					ll_append_tail(&head, curr, &tail);
+					curr->active = 1;
+					}
 				}
 			}
 		/* Move the added cipher to this location */