1 files changed, 3 insertions, 303 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index e873c17c87..92beeae3c4 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.108 2016/04/28 16:39:45 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.109 2016/10/19 16:38:40 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1129,86 +1129,6 @@ SSL_CIPHER ssl3_ciphers[] = {
        },
 #endif /* OPENSSL_NO_CAMELLIA */
-        /* Cipher C001 */
-        {
-                .valid = 1,
-                .name = TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA,
-                .id = TLS1_CK_ECDH_ECDSA_WITH_NULL_SHA,
-                .algorithm_mkey = SSL_kECDHe,
-                .algorithm_auth = SSL_aECDH,
-                .algorithm_enc = SSL_eNULL,
-                .algorithm_mac = SSL_SHA1,
-                .algorithm_ssl = SSL_TLSV1,
-                .algo_strength = SSL_STRONG_NONE,
-                .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-                .strength_bits = 0,
-                .alg_bits = 0,
-        },
-        /* Cipher C002 */
-        {
-                .valid = 1,
-                .name = TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA,
-                .id = TLS1_CK_ECDH_ECDSA_WITH_RC4_128_SHA,
-                .algorithm_mkey = SSL_kECDHe,
-                .algorithm_auth = SSL_aECDH,
-                .algorithm_enc = SSL_RC4,
-                .algorithm_mac = SSL_SHA1,
-                .algorithm_ssl = SSL_TLSV1,
-                .algo_strength = SSL_MEDIUM,
-                .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-                .strength_bits = 128,
-                .alg_bits = 128,
-        },
-        /* Cipher C003 */
-        {
-                .valid = 1,
-                .name = TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA,
-                .id = TLS1_CK_ECDH_ECDSA_WITH_DES_192_CBC3_SHA,
-                .algorithm_mkey = SSL_kECDHe,
-                .algorithm_auth = SSL_aECDH,
-                .algorithm_enc = SSL_3DES,
-                .algorithm_mac = SSL_SHA1,
-                .algorithm_ssl = SSL_TLSV1,
-                .algo_strength = SSL_HIGH,
-                .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-                .strength_bits = 112,
-                .alg_bits = 168,
-        },
-        /* Cipher C004 */
-        {
-                .valid = 1,
-                .name = TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
-                .id = TLS1_CK_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
-                .algorithm_mkey = SSL_kECDHe,
-                .algorithm_auth = SSL_aECDH,
-                .algorithm_enc = SSL_AES128,
-                .algorithm_mac = SSL_SHA1,
-                .algorithm_ssl = SSL_TLSV1,
-                .algo_strength = SSL_HIGH,
-                .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-                .strength_bits = 128,
-                .alg_bits = 128,
-        },
-        /* Cipher C005 */
-        {
-                .valid = 1,
-                .name = TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
-                .id = TLS1_CK_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
-                .algorithm_mkey = SSL_kECDHe,
-                .algorithm_auth = SSL_aECDH,
-                .algorithm_enc = SSL_AES256,
-                .algorithm_mac = SSL_SHA1,
-                .algorithm_ssl = SSL_TLSV1,
-                .algo_strength = SSL_HIGH,
-                .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-                .strength_bits = 256,
-                .alg_bits = 256,
-        },
        /* Cipher C006 */
        {
                .valid = 1,
@@ -1289,86 +1209,6 @@ SSL_CIPHER ssl3_ciphers[] = {
                .alg_bits = 256,
        },
-        /* Cipher C00B */
-        {
-                .valid = 1,
-                .name = TLS1_TXT_ECDH_RSA_WITH_NULL_SHA,
-                .id = TLS1_CK_ECDH_RSA_WITH_NULL_SHA,
-                .algorithm_mkey = SSL_kECDHr,
-                .algorithm_auth = SSL_aECDH,
-                .algorithm_enc = SSL_eNULL,
-                .algorithm_mac = SSL_SHA1,
-                .algorithm_ssl = SSL_TLSV1,
-                .algo_strength = SSL_STRONG_NONE,
-                .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-                .strength_bits = 0,
-                .alg_bits = 0,
-        },
-        /* Cipher C00C */
-        {
-                .valid = 1,
-                .name = TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA,
-                .id = TLS1_CK_ECDH_RSA_WITH_RC4_128_SHA,
-                .algorithm_mkey = SSL_kECDHr,
-                .algorithm_auth = SSL_aECDH,
-                .algorithm_enc = SSL_RC4,
-                .algorithm_mac = SSL_SHA1,
-                .algorithm_ssl = SSL_TLSV1,
-                .algo_strength = SSL_MEDIUM,
-                .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-                .strength_bits = 128,
-                .alg_bits = 128,
-        },
-        /* Cipher C00D */
-        {
-                .valid = 1,
-                .name = TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA,
-                .id = TLS1_CK_ECDH_RSA_WITH_DES_192_CBC3_SHA,
-                .algorithm_mkey = SSL_kECDHr,
-                .algorithm_auth = SSL_aECDH,
-                .algorithm_enc = SSL_3DES,
-                .algorithm_mac = SSL_SHA1,
-                .algorithm_ssl = SSL_TLSV1,
-                .algo_strength = SSL_HIGH,
-                .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-                .strength_bits = 112,
-                .alg_bits = 168,
-        },
-        /* Cipher C00E */
-        {
-                .valid = 1,
-                .name = TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA,
-                .id = TLS1_CK_ECDH_RSA_WITH_AES_128_CBC_SHA,
-                .algorithm_mkey = SSL_kECDHr,
-                .algorithm_auth = SSL_aECDH,
-                .algorithm_enc = SSL_AES128,
-                .algorithm_mac = SSL_SHA1,
-                .algorithm_ssl = SSL_TLSV1,
-                .algo_strength = SSL_HIGH,
-                .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-                .strength_bits = 128,
-                .alg_bits = 128,
-        },
-        /* Cipher C00F */
-        {
-                .valid = 1,
-                .name = TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA,
-                .id = TLS1_CK_ECDH_RSA_WITH_AES_256_CBC_SHA,
-                .algorithm_mkey = SSL_kECDHr,
-                .algorithm_auth = SSL_aECDH,
-                .algorithm_enc = SSL_AES256,
-                .algorithm_mac = SSL_SHA1,
-                .algorithm_ssl = SSL_TLSV1,
-                .algo_strength = SSL_HIGH,
-                .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-                .strength_bits = 256,
-                .alg_bits = 256,
-        },
        /* Cipher C010 */
        {
                .valid = 1,
@@ -1564,38 +1404,6 @@ SSL_CIPHER ssl3_ciphers[] = {
                .alg_bits = 256,
        },
-        /* Cipher C025 */
-        {
-                .valid = 1,
-                .name = TLS1_TXT_ECDH_ECDSA_WITH_AES_128_SHA256,
-                .id = TLS1_CK_ECDH_ECDSA_WITH_AES_128_SHA256,
-                .algorithm_mkey = SSL_kECDHe,
-                .algorithm_auth = SSL_aECDH,
-                .algorithm_enc = SSL_AES128,
-                .algorithm_mac = SSL_SHA256,
-                .algorithm_ssl = SSL_TLSV1_2,
-                .algo_strength = SSL_HIGH,
-                .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
-                .strength_bits = 128,
-                .alg_bits = 128,
-        },
-        /* Cipher C026 */
-        {
-                .valid = 1,
-                .name = TLS1_TXT_ECDH_ECDSA_WITH_AES_256_SHA384,
-                .id = TLS1_CK_ECDH_ECDSA_WITH_AES_256_SHA384,
-                .algorithm_mkey = SSL_kECDHe,
-                .algorithm_auth = SSL_aECDH,
-                .algorithm_enc = SSL_AES256,
-                .algorithm_mac = SSL_SHA384,
-                .algorithm_ssl = SSL_TLSV1_2,
-                .algo_strength = SSL_HIGH,
-                .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
-                .strength_bits = 256,
-                .alg_bits = 256,
-        },
        /* Cipher C027 */
        {
                .valid = 1,
@@ -1628,38 +1436,6 @@ SSL_CIPHER ssl3_ciphers[] = {
                .alg_bits = 256,
        },
-        /* Cipher C029 */
-        {
-                .valid = 1,
-                .name = TLS1_TXT_ECDH_RSA_WITH_AES_128_SHA256,
-                .id = TLS1_CK_ECDH_RSA_WITH_AES_128_SHA256,
-                .algorithm_mkey = SSL_kECDHr,
-                .algorithm_auth = SSL_aECDH,
-                .algorithm_enc = SSL_AES128,
-                .algorithm_mac = SSL_SHA256,
-                .algorithm_ssl = SSL_TLSV1_2,
-                .algo_strength = SSL_HIGH,
-                .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
-                .strength_bits = 128,
-                .alg_bits = 128,
-        },
-        /* Cipher C02A */
-        {
-                .valid = 1,
-                .name = TLS1_TXT_ECDH_RSA_WITH_AES_256_SHA384,
-                .id = TLS1_CK_ECDH_RSA_WITH_AES_256_SHA384,
-                .algorithm_mkey = SSL_kECDHr,
-                .algorithm_auth = SSL_aECDH,
-                .algorithm_enc = SSL_AES256,
-                .algorithm_mac = SSL_SHA384,
-                .algorithm_ssl = SSL_TLSV1_2,
-                .algo_strength = SSL_HIGH,
-                .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
-                .strength_bits = 256,
-                .alg_bits = 256,
-        },
        /* GCM based TLS v1.2 ciphersuites from RFC5289 */
        /* Cipher C02B */
@@ -1698,42 +1474,6 @@ SSL_CIPHER ssl3_ciphers[] = {
                .alg_bits = 256,
        },
-        /* Cipher C02D */
-        {
-                .valid = 1,
-                .name = TLS1_TXT_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
-                .id = TLS1_CK_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
-                .algorithm_mkey = SSL_kECDHe,
-                .algorithm_auth = SSL_aECDH,
-                .algorithm_enc = SSL_AES128GCM,
-                .algorithm_mac = SSL_AEAD,
-                .algorithm_ssl = SSL_TLSV1_2,
-                .algo_strength = SSL_HIGH,
-                .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
-                    SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
-                    SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
-                .strength_bits = 128,
-                .alg_bits = 128,
-        },
-        /* Cipher C02E */
-        {
-                .valid = 1,
-                .name = TLS1_TXT_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
-                .id = TLS1_CK_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
-                .algorithm_mkey = SSL_kECDHe,
-                .algorithm_auth = SSL_aECDH,
-                .algorithm_enc = SSL_AES256GCM,
-                .algorithm_mac = SSL_AEAD,
-                .algorithm_ssl = SSL_TLSV1_2,
-                .algo_strength = SSL_HIGH,
-                .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
-                    SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
-                    SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
-                .strength_bits = 256,
-                .alg_bits = 256,
-        },
        /* Cipher C02F */
        {
                .valid = 1,
@@ -1770,42 +1510,6 @@ SSL_CIPHER ssl3_ciphers[] = {
                .alg_bits = 256,
        },
-        /* Cipher C031 */
-        {
-                .valid = 1,
-                .name = TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256,
-                .id = TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256,
-                .algorithm_mkey = SSL_kECDHr,
-                .algorithm_auth = SSL_aECDH,
-                .algorithm_enc = SSL_AES128GCM,
-                .algorithm_mac = SSL_AEAD,
-                .algorithm_ssl = SSL_TLSV1_2,
-                .algo_strength = SSL_HIGH,
-                .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
-                    SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
-                    SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
-                .strength_bits = 128,
-                .alg_bits = 128,
-        },
-        /* Cipher C032 */
-        {
-                .valid = 1,
-                .name = TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384,
-                .id = TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384,
-                .algorithm_mkey = SSL_kECDHr,
-                .algorithm_auth = SSL_aECDH,
-                .algorithm_enc = SSL_AES256GCM,
-                .algorithm_mac = SSL_AEAD,
-                .algorithm_ssl = SSL_TLSV1_2,
-                .algo_strength = SSL_HIGH,
-                .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
-                    SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
-                    SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
-                .strength_bits = 256,
-                .alg_bits = 256,
-        },
 #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
        /* Cipher CC13 */
        {
@@ -2604,7 +2308,7 @@ ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
                 * If we are considering an ECC cipher suite that uses our
                 * certificate check it.
                 */
-                if (alg_a & (SSL_aECDSA|SSL_aECDH))
+                if (alg_a & SSL_aECDSA)
                        ok = ok && tls1_check_ec_server_key(s);
                /*
                 * If we are considering an ECC cipher suite that uses
@@ -2647,14 +2351,10 @@ ssl3_get_req_cert_type(SSL *s, unsigned char *p)
        }
        p[ret++] = SSL3_CT_RSA_SIGN;
        p[ret++] = SSL3_CT_DSS_SIGN;
-        if ((alg_k & (SSL_kECDHr|SSL_kECDHe))) {
-                p[ret++] = TLS_CT_RSA_FIXED_ECDH;
-                p[ret++] = TLS_CT_ECDSA_FIXED_ECDH;
-        }
        /*
         * ECDSA certs can be used with RSA cipher suites as well
-         * so we don't need to check for SSL_kECDH or SSL_kECDHE
+         * so we don't need to check for SSL_kECDH or SSL_kECDHE.
         */
        p[ret++] = TLS_CT_ECDSA_SIGN;

diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index e873c17c87..92beeae3c4 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: s3_lib.c,v 1.108 2016/04/28 16:39:45 jsing Exp $ */	1	/* $OpenBSD: s3_lib.c,v 1.109 2016/10/19 16:38:40 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1129,86 +1129,6 @@ SSL_CIPHER ssl3_ciphers[] = {
1129	},	1129	},
1130	#endif /* OPENSSL_NO_CAMELLIA */	1130	#endif /* OPENSSL_NO_CAMELLIA */
1131		1131
1132	/* Cipher C001 */
1133	{
1134	.valid = 1,
1135	.name = TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA,
1136	.id = TLS1_CK_ECDH_ECDSA_WITH_NULL_SHA,
1137	.algorithm_mkey = SSL_kECDHe,
1138	.algorithm_auth = SSL_aECDH,
1139	.algorithm_enc = SSL_eNULL,
1140	.algorithm_mac = SSL_SHA1,
1141	.algorithm_ssl = SSL_TLSV1,
1142	.algo_strength = SSL_STRONG_NONE,
1143	.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT\|TLS1_PRF,
1144	.strength_bits = 0,
1145	.alg_bits = 0,
1146	},
1147
1148	/* Cipher C002 */
1149	{
1150	.valid = 1,
1151	.name = TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA,
1152	.id = TLS1_CK_ECDH_ECDSA_WITH_RC4_128_SHA,
1153	.algorithm_mkey = SSL_kECDHe,
1154	.algorithm_auth = SSL_aECDH,
1155	.algorithm_enc = SSL_RC4,
1156	.algorithm_mac = SSL_SHA1,
1157	.algorithm_ssl = SSL_TLSV1,
1158	.algo_strength = SSL_MEDIUM,
1159	.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT\|TLS1_PRF,
1160	.strength_bits = 128,
1161	.alg_bits = 128,
1162	},
1163
1164	/* Cipher C003 */
1165	{
1166	.valid = 1,
1167	.name = TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA,
1168	.id = TLS1_CK_ECDH_ECDSA_WITH_DES_192_CBC3_SHA,
1169	.algorithm_mkey = SSL_kECDHe,
1170	.algorithm_auth = SSL_aECDH,
1171	.algorithm_enc = SSL_3DES,
1172	.algorithm_mac = SSL_SHA1,
1173	.algorithm_ssl = SSL_TLSV1,
1174	.algo_strength = SSL_HIGH,
1175	.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT\|TLS1_PRF,
1176	.strength_bits = 112,
1177	.alg_bits = 168,
1178	},
1179
1180	/* Cipher C004 */
1181	{
1182	.valid = 1,
1183	.name = TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
1184	.id = TLS1_CK_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
1185	.algorithm_mkey = SSL_kECDHe,
1186	.algorithm_auth = SSL_aECDH,
1187	.algorithm_enc = SSL_AES128,
1188	.algorithm_mac = SSL_SHA1,
1189	.algorithm_ssl = SSL_TLSV1,
1190	.algo_strength = SSL_HIGH,
1191	.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT\|TLS1_PRF,
1192	.strength_bits = 128,
1193	.alg_bits = 128,
1194	},
1195
1196	/* Cipher C005 */
1197	{
1198	.valid = 1,
1199	.name = TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
1200	.id = TLS1_CK_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
1201	.algorithm_mkey = SSL_kECDHe,
1202	.algorithm_auth = SSL_aECDH,
1203	.algorithm_enc = SSL_AES256,
1204	.algorithm_mac = SSL_SHA1,
1205	.algorithm_ssl = SSL_TLSV1,
1206	.algo_strength = SSL_HIGH,
1207	.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT\|TLS1_PRF,
1208	.strength_bits = 256,
1209	.alg_bits = 256,
1210	},
1211
1212	/* Cipher C006 */	1132	/* Cipher C006 */
1213	{	1133	{
1214	.valid = 1,	1134	.valid = 1,
@@ -1289,86 +1209,6 @@ SSL_CIPHER ssl3_ciphers[] = {
1289	.alg_bits = 256,	1209	.alg_bits = 256,
1290	},	1210	},
1291		1211
1292	/* Cipher C00B */
1293	{
1294	.valid = 1,
1295	.name = TLS1_TXT_ECDH_RSA_WITH_NULL_SHA,
1296	.id = TLS1_CK_ECDH_RSA_WITH_NULL_SHA,
1297	.algorithm_mkey = SSL_kECDHr,
1298	.algorithm_auth = SSL_aECDH,
1299	.algorithm_enc = SSL_eNULL,
1300	.algorithm_mac = SSL_SHA1,
1301	.algorithm_ssl = SSL_TLSV1,
1302	.algo_strength = SSL_STRONG_NONE,
1303	.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT\|TLS1_PRF,
1304	.strength_bits = 0,
1305	.alg_bits = 0,
1306	},
1307
1308	/* Cipher C00C */
1309	{
1310	.valid = 1,
1311	.name = TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA,
1312	.id = TLS1_CK_ECDH_RSA_WITH_RC4_128_SHA,
1313	.algorithm_mkey = SSL_kECDHr,
1314	.algorithm_auth = SSL_aECDH,
1315	.algorithm_enc = SSL_RC4,
1316	.algorithm_mac = SSL_SHA1,
1317	.algorithm_ssl = SSL_TLSV1,
1318	.algo_strength = SSL_MEDIUM,
1319	.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT\|TLS1_PRF,
1320	.strength_bits = 128,
1321	.alg_bits = 128,
1322	},
1323
1324	/* Cipher C00D */
1325	{
1326	.valid = 1,
1327	.name = TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA,
1328	.id = TLS1_CK_ECDH_RSA_WITH_DES_192_CBC3_SHA,
1329	.algorithm_mkey = SSL_kECDHr,
1330	.algorithm_auth = SSL_aECDH,
1331	.algorithm_enc = SSL_3DES,
1332	.algorithm_mac = SSL_SHA1,
1333	.algorithm_ssl = SSL_TLSV1,
1334	.algo_strength = SSL_HIGH,
1335	.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT\|TLS1_PRF,
1336	.strength_bits = 112,
1337	.alg_bits = 168,
1338	},
1339
1340	/* Cipher C00E */
1341	{
1342	.valid = 1,
1343	.name = TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA,
1344	.id = TLS1_CK_ECDH_RSA_WITH_AES_128_CBC_SHA,
1345	.algorithm_mkey = SSL_kECDHr,
1346	.algorithm_auth = SSL_aECDH,
1347	.algorithm_enc = SSL_AES128,
1348	.algorithm_mac = SSL_SHA1,
1349	.algorithm_ssl = SSL_TLSV1,
1350	.algo_strength = SSL_HIGH,
1351	.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT\|TLS1_PRF,
1352	.strength_bits = 128,
1353	.alg_bits = 128,
1354	},
1355
1356	/* Cipher C00F */
1357	{
1358	.valid = 1,
1359	.name = TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA,
1360	.id = TLS1_CK_ECDH_RSA_WITH_AES_256_CBC_SHA,
1361	.algorithm_mkey = SSL_kECDHr,
1362	.algorithm_auth = SSL_aECDH,
1363	.algorithm_enc = SSL_AES256,
1364	.algorithm_mac = SSL_SHA1,
1365	.algorithm_ssl = SSL_TLSV1,
1366	.algo_strength = SSL_HIGH,
1367	.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT\|TLS1_PRF,
1368	.strength_bits = 256,
1369	.alg_bits = 256,
1370	},
1371
1372	/* Cipher C010 */	1212	/* Cipher C010 */
1373	{	1213	{
1374	.valid = 1,	1214	.valid = 1,
@@ -1564,38 +1404,6 @@ SSL_CIPHER ssl3_ciphers[] = {
1564	.alg_bits = 256,	1404	.alg_bits = 256,
1565	},	1405	},
1566		1406
1567	/* Cipher C025 */
1568	{
1569	.valid = 1,
1570	.name = TLS1_TXT_ECDH_ECDSA_WITH_AES_128_SHA256,
1571	.id = TLS1_CK_ECDH_ECDSA_WITH_AES_128_SHA256,
1572	.algorithm_mkey = SSL_kECDHe,
1573	.algorithm_auth = SSL_aECDH,
1574	.algorithm_enc = SSL_AES128,
1575	.algorithm_mac = SSL_SHA256,
1576	.algorithm_ssl = SSL_TLSV1_2,
1577	.algo_strength = SSL_HIGH,
1578	.algorithm2 = SSL_HANDSHAKE_MAC_SHA256\|TLS1_PRF_SHA256,
1579	.strength_bits = 128,
1580	.alg_bits = 128,
1581	},
1582
1583	/* Cipher C026 */
1584	{
1585	.valid = 1,
1586	.name = TLS1_TXT_ECDH_ECDSA_WITH_AES_256_SHA384,
1587	.id = TLS1_CK_ECDH_ECDSA_WITH_AES_256_SHA384,
1588	.algorithm_mkey = SSL_kECDHe,
1589	.algorithm_auth = SSL_aECDH,
1590	.algorithm_enc = SSL_AES256,
1591	.algorithm_mac = SSL_SHA384,
1592	.algorithm_ssl = SSL_TLSV1_2,
1593	.algo_strength = SSL_HIGH,
1594	.algorithm2 = SSL_HANDSHAKE_MAC_SHA384\|TLS1_PRF_SHA384,
1595	.strength_bits = 256,
1596	.alg_bits = 256,
1597	},
1598
1599	/* Cipher C027 */	1407	/* Cipher C027 */
1600	{	1408	{
1601	.valid = 1,	1409	.valid = 1,
@@ -1628,38 +1436,6 @@ SSL_CIPHER ssl3_ciphers[] = {
1628	.alg_bits = 256,	1436	.alg_bits = 256,
1629	},	1437	},
1630		1438
1631	/* Cipher C029 */
1632	{
1633	.valid = 1,
1634	.name = TLS1_TXT_ECDH_RSA_WITH_AES_128_SHA256,
1635	.id = TLS1_CK_ECDH_RSA_WITH_AES_128_SHA256,
1636	.algorithm_mkey = SSL_kECDHr,
1637	.algorithm_auth = SSL_aECDH,
1638	.algorithm_enc = SSL_AES128,
1639	.algorithm_mac = SSL_SHA256,
1640	.algorithm_ssl = SSL_TLSV1_2,
1641	.algo_strength = SSL_HIGH,
1642	.algorithm2 = SSL_HANDSHAKE_MAC_SHA256\|TLS1_PRF_SHA256,
1643	.strength_bits = 128,
1644	.alg_bits = 128,
1645	},
1646
1647	/* Cipher C02A */
1648	{
1649	.valid = 1,
1650	.name = TLS1_TXT_ECDH_RSA_WITH_AES_256_SHA384,
1651	.id = TLS1_CK_ECDH_RSA_WITH_AES_256_SHA384,
1652	.algorithm_mkey = SSL_kECDHr,
1653	.algorithm_auth = SSL_aECDH,
1654	.algorithm_enc = SSL_AES256,
1655	.algorithm_mac = SSL_SHA384,
1656	.algorithm_ssl = SSL_TLSV1_2,
1657	.algo_strength = SSL_HIGH,
1658	.algorithm2 = SSL_HANDSHAKE_MAC_SHA384\|TLS1_PRF_SHA384,
1659	.strength_bits = 256,
1660	.alg_bits = 256,
1661	},
1662
1663	/* GCM based TLS v1.2 ciphersuites from RFC5289 */	1439	/* GCM based TLS v1.2 ciphersuites from RFC5289 */
1664		1440
1665	/* Cipher C02B */	1441	/* Cipher C02B */
@@ -1698,42 +1474,6 @@ SSL_CIPHER ssl3_ciphers[] = {
1698	.alg_bits = 256,	1474	.alg_bits = 256,
1699	},	1475	},
1700		1476
1701	/* Cipher C02D */
1702	{
1703	.valid = 1,
1704	.name = TLS1_TXT_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
1705	.id = TLS1_CK_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
1706	.algorithm_mkey = SSL_kECDHe,
1707	.algorithm_auth = SSL_aECDH,
1708	.algorithm_enc = SSL_AES128GCM,
1709	.algorithm_mac = SSL_AEAD,
1710	.algorithm_ssl = SSL_TLSV1_2,
1711	.algo_strength = SSL_HIGH,
1712	.algorithm2 = SSL_HANDSHAKE_MAC_SHA256\|TLS1_PRF_SHA256\|
1713	SSL_CIPHER_ALGORITHM2_AEAD\|FIXED_NONCE_LEN(4)\|
1714	SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1715	.strength_bits = 128,
1716	.alg_bits = 128,
1717	},
1718
1719	/* Cipher C02E */
1720	{
1721	.valid = 1,
1722	.name = TLS1_TXT_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
1723	.id = TLS1_CK_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
1724	.algorithm_mkey = SSL_kECDHe,
1725	.algorithm_auth = SSL_aECDH,
1726	.algorithm_enc = SSL_AES256GCM,
1727	.algorithm_mac = SSL_AEAD,
1728	.algorithm_ssl = SSL_TLSV1_2,
1729	.algo_strength = SSL_HIGH,
1730	.algorithm2 = SSL_HANDSHAKE_MAC_SHA384\|TLS1_PRF_SHA384\|
1731	SSL_CIPHER_ALGORITHM2_AEAD\|FIXED_NONCE_LEN(4)\|
1732	SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1733	.strength_bits = 256,
1734	.alg_bits = 256,
1735	},
1736
1737	/* Cipher C02F */	1477	/* Cipher C02F */
1738	{	1478	{
1739	.valid = 1,	1479	.valid = 1,
@@ -1770,42 +1510,6 @@ SSL_CIPHER ssl3_ciphers[] = {
1770	.alg_bits = 256,	1510	.alg_bits = 256,
1771	},	1511	},
1772		1512
1773	/* Cipher C031 */
1774	{
1775	.valid = 1,
1776	.name = TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256,
1777	.id = TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256,
1778	.algorithm_mkey = SSL_kECDHr,
1779	.algorithm_auth = SSL_aECDH,
1780	.algorithm_enc = SSL_AES128GCM,
1781	.algorithm_mac = SSL_AEAD,
1782	.algorithm_ssl = SSL_TLSV1_2,
1783	.algo_strength = SSL_HIGH,
1784	.algorithm2 = SSL_HANDSHAKE_MAC_SHA256\|TLS1_PRF_SHA256\|
1785	SSL_CIPHER_ALGORITHM2_AEAD\|FIXED_NONCE_LEN(4)\|
1786	SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1787	.strength_bits = 128,
1788	.alg_bits = 128,
1789	},
1790
1791	/* Cipher C032 */
1792	{
1793	.valid = 1,
1794	.name = TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384,
1795	.id = TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384,
1796	.algorithm_mkey = SSL_kECDHr,
1797	.algorithm_auth = SSL_aECDH,
1798	.algorithm_enc = SSL_AES256GCM,
1799	.algorithm_mac = SSL_AEAD,
1800	.algorithm_ssl = SSL_TLSV1_2,
1801	.algo_strength = SSL_HIGH,
1802	.algorithm2 = SSL_HANDSHAKE_MAC_SHA384\|TLS1_PRF_SHA384\|
1803	SSL_CIPHER_ALGORITHM2_AEAD\|FIXED_NONCE_LEN(4)\|
1804	SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1805	.strength_bits = 256,
1806	.alg_bits = 256,
1807	},
1808
1809	#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)	1513	#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
1810	/* Cipher CC13 */	1514	/* Cipher CC13 */
1811	{	1515	{
@@ -2604,7 +2308,7 @@ ssl3_choose_cipher(SSL s, STACK_OF(SSL_CIPHER) clnt,
2604	* If we are considering an ECC cipher suite that uses our	2308	* If we are considering an ECC cipher suite that uses our
2605	* certificate check it.	2309	* certificate check it.
2606	*/	2310	*/
2607	if (alg_a & (SSL_aECDSA\|SSL_aECDH))	2311	if (alg_a & SSL_aECDSA)
2608	ok = ok && tls1_check_ec_server_key(s);	2312	ok = ok && tls1_check_ec_server_key(s);
2609	/*	2313	/*
2610	* If we are considering an ECC cipher suite that uses	2314	* If we are considering an ECC cipher suite that uses
@@ -2647,14 +2351,10 @@ ssl3_get_req_cert_type(SSL s, unsigned char p)
2647	}	2351	}
2648	p[ret++] = SSL3_CT_RSA_SIGN;	2352	p[ret++] = SSL3_CT_RSA_SIGN;
2649	p[ret++] = SSL3_CT_DSS_SIGN;	2353	p[ret++] = SSL3_CT_DSS_SIGN;
2650	if ((alg_k & (SSL_kECDHr\|SSL_kECDHe))) {
2651	p[ret++] = TLS_CT_RSA_FIXED_ECDH;
2652	p[ret++] = TLS_CT_ECDSA_FIXED_ECDH;
2653	}
2654		2354
2655	/*	2355	/*
2656	* ECDSA certs can be used with RSA cipher suites as well	2356	* ECDSA certs can be used with RSA cipher suites as well
2657	* so we don't need to check for SSL_kECDH or SSL_kECDHE	2357	* so we don't need to check for SSL_kECDH or SSL_kECDHE.
2658	*/	2358	*/
2659	p[ret++] = TLS_CT_ECDSA_SIGN;	2359	p[ret++] = TLS_CT_ECDSA_SIGN;
2660		2360