diff --git a/certs/include.am b/certs/include.am index a027c57b4..fcedd005b 100644 --- a/certs/include.am +++ b/certs/include.am @@ -16,6 +16,7 @@ EXTRA_DIST += \ certs/dh2048.pem \ certs/server-cert.pem \ certs/server-ecc.pem \ + certs/server-ecc-rsa.pem \ certs/server-keyEnc.pem \ certs/server-key.pem \ certs/server-keyPkcs8Enc12.pem \ diff --git a/certs/server-ecc-rsa.pem b/certs/server-ecc-rsa.pem new file mode 100644 index 000000000..5f25d9df8 --- /dev/null +++ b/certs/server-ecc-rsa.pem @@ -0,0 +1,54 @@ +Certificate: + Data: + Version: 1 (0x0) + Serial Number: 9 (0x9) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.yassl.com/emailAddress=info@yassl.com + Validity + Not Before: Aug 8 21:58:29 2012 GMT + Not After : May 5 21:58:29 2015 GMT + Subject: C=US, ST=Washington, L=Seattle, O=Elliptic - RSAsig, OU=ECC-RSAsig, CN=www.yassl.com/emailAddress=info@yassl.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + EC Public Key: + pub: + 04:bb:33:ac:4c:27:50:4a:c6:4a:a5:04:c3:3c:de: + 9f:36:db:72:2d:ce:94:ea:2b:fa:cb:20:09:39:2c: + 16:e8:61:02:e9:af:4d:d3:02:93:9a:31:5b:97:92: + 21:7f:f0:cf:18:da:91:11:02:34:86:e8:20:58:33: + 0b:80:34:89:d8 + ASN1 OID: prime256v1 + Signature Algorithm: sha1WithRSAEncryption + a0:1c:de:98:e8:61:c8:fb:0a:0e:af:ea:99:4b:c0:49:e6:66: + 68:5e:7a:18:b8:0c:e3:0f:16:86:bc:b5:86:79:02:69:1c:b7: + e7:ff:53:d9:05:5d:27:39:24:54:67:14:de:ef:8e:c2:a0:11: + ca:c8:27:99:b9:d6:e9:71:1f:86:c9:8f:b1:74:a2:9f:93:6a: + 0c:74:cf:17:77:8c:26:08:6e:a8:ac:69:d4:55:15:a2:95:87: + 43:7a:ab:72:93:73:40:58:c2:bb:9c:89:f2:73:20:69:df:f1: + f3:65:08:9c:00:67:97:a6:71:00:2b:31:84:10:ac:bd:54:ac: + fd:b3:eb:12:36:77:f6:0a:e3:9a:96:d2:a6:22:bc:1d:6b:ce: + 3c:0d:7b:d9:1c:1d:f1:ee:ec:ce:83:c8:98:c9:65:3e:06:31: + c3:b2:87:da:09:b4:90:0b:e2:6b:29:0e:d6:ae:53:1d:10:98: + e2:dc:f9:63:38:a1:a2:af:46:23:a4:4c:ab:0c:0b:08:be:cd: + a4:a6:6d:46:f0:f8:e0:31:99:85:39:10:4a:a0:04:54:3b:21: + e1:e9:b4:f3:a5:06:cd:37:ae:2c:ca:5d:ac:90:b5:ab:92:81: + aa:bf:2d:3f:8e:ee:4d:12:81:0a:8e:a4:ca:87:93:af:b0:25: + 7e:e2:07:f7 +-----BEGIN CERTIFICATE----- +MIIC1zCCAb8CAQkwDQYJKoZIhvcNAQEFBQAwgZAxCzAJBgNVBAYTAlVTMRAwDgYD +VQQIEwdNb250YW5hMRAwDgYDVQQHEwdCb3plbWFuMREwDwYDVQQKEwhTYXd0b290 +aDETMBEGA1UECxMKQ29uc3VsdGluZzEWMBQGA1UEAxMNd3d3Lnlhc3NsLmNvbTEd +MBsGCSqGSIb3DQEJARYOaW5mb0B5YXNzbC5jb20wHhcNMTIwODA4MjE1ODI5WhcN +MTUwNTA1MjE1ODI5WjCBnDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0 +b24xEDAOBgNVBAcTB1NlYXR0bGUxGjAYBgNVBAoTEUVsbGlwdGljIC0gUlNBc2ln +MRMwEQYDVQQLEwpFQ0MtUlNBc2lnMRYwFAYDVQQDEw13d3cueWFzc2wuY29tMR0w +GwYJKoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbTBZMBMGByqGSM49AgEGCCqGSM49 +AwEHA0IABLszrEwnUErGSqUEwzzenzbbci3OlOor+ssgCTksFuhhAumvTdMCk5ox +W5eSIX/wzxjakRECNIboIFgzC4A0idgwDQYJKoZIhvcNAQEFBQADggEBAKAc3pjo +Ycj7Cg6v6plLwEnmZmheehi4DOMPFoa8tYZ5Amkct+f/U9kFXSc5JFRnFN7vjsKg +EcrIJ5m51ulxH4bJj7F0op+Tagx0zxd3jCYIbqisadRVFaKVh0N6q3KTc0BYwruc +ifJzIGnf8fNlCJwAZ5emcQArMYQQrL1UrP2z6xI2d/YK45qW0qYivB1rzjwNe9kc +HfHu7M6DyJjJZT4GMcOyh9oJtJAL4mspDtauUx0QmOLc+WM4oaKvRiOkTKsMCwi+ +zaSmbUbw+OAxmYU5EEqgBFQ7IeHptPOlBs03rizKXayQtauSgaq/LT+O7k0SgQqO +pMqHk6+wJX7iB/c= +-----END CERTIFICATE----- diff --git a/cyassl/internal.h b/cyassl/internal.h index 7081430eb..372ca4a82 100644 --- a/cyassl/internal.h +++ b/cyassl/internal.h @@ -784,7 +784,7 @@ struct CYASSL_CTX { byte sendVerify; /* for client side */ byte haveDH; /* server DH parms set by user */ byte haveNTRU; /* server private NTRU key loaded */ - byte haveECDSA; /* server cert signed w/ ECDSA loaded */ + byte haveECDSAsig; /* server cert signed w/ ECDSA */ byte haveStaticECC; /* static server ECC private key */ byte partialWrite; /* only one msg per write call */ byte quietShutdown; /* don't send close notify */ @@ -1104,7 +1104,7 @@ typedef struct Options { byte usingCompression; /* are we using compression */ byte haveDH; /* server DH parms set by user */ byte haveNTRU; /* server NTRU private key loaded */ - byte haveECDSA; /* server ECDSA signed cert */ + byte haveECDSAsig; /* server ECDSA signed cert */ byte haveStaticECC; /* static server ECC private key */ byte havePeerCert; /* do we have peer's cert */ byte usingPSK_cipher; /* whether we're using psk as cipher */ diff --git a/src/internal.c b/src/internal.c index 11f4df2a6..b99309a17 100644 --- a/src/internal.c +++ b/src/internal.c @@ -321,7 +321,7 @@ int InitSSL_Ctx(CYASSL_CTX* ctx, CYASSL_METHOD* method) ctx->serverDH_G.buffer = 0; ctx->haveDH = 0; ctx->haveNTRU = 0; /* start off */ - ctx->haveECDSA = 0; /* start off */ + ctx->haveECDSAsig = 0; /* start off */ ctx->haveStaticECC = 0; /* start off */ ctx->heap = ctx; /* defaults to self */ #ifndef NO_PSK @@ -360,14 +360,14 @@ int InitSSL_Ctx(CYASSL_CTX* ctx, CYASSL_METHOD* method) #endif #ifdef HAVE_ECC if (method->side == CLIENT_END) { - ctx->haveECDSA = 1; /* always on cliet side */ + ctx->haveECDSAsig = 1; /* always on cliet side */ ctx->haveStaticECC = 1; /* server can turn on by loading key */ } #endif ctx->suites.setSuites = 0; /* user hasn't set yet */ /* remove DH later if server didn't set, add psk later */ InitSuites(&ctx->suites, method->version, TRUE, FALSE, ctx->haveNTRU, - ctx->haveECDSA, ctx->haveStaticECC, method->side); + ctx->haveECDSAsig, ctx->haveStaticECC, method->side); ctx->verifyPeer = 0; ctx->verifyNone = 0; ctx->failNoCert = 0; @@ -436,12 +436,13 @@ void FreeSSL_Ctx(CYASSL_CTX* ctx) void InitSuites(Suites* suites, ProtocolVersion pv, byte haveDH, byte havePSK, - byte haveNTRU, byte haveStaticECC, byte haveECDSA, int side) + byte haveNTRU, byte haveECDSAsig, byte haveStaticECC, int side) { word16 idx = 0; int tls = pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_MINOR; int tls1_2 = pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_2_MINOR; int haveRSA = 1; + int haveRSAsig = 1; (void)tls; /* shut up compiler */ (void)haveDH; @@ -452,8 +453,11 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveDH, byte havePSK, if (suites->setSuites) return; /* trust user settings, don't override */ - if (side == SERVER_END && haveECDSA) - haveRSA = 0; /* can't do RSA with ECDSA cert */ + if (side == SERVER_END && haveStaticECC) + haveRSA = 0; /* can't do RSA with ECDSA key */ + + if (side == SERVER_END && haveECDSAsig) + haveRSAsig = 0; /* can't have RSA sig if signed by ECDSA */ #ifdef CYASSL_DTLS if (pv.major == DTLS_MAJOR && pv.minor == DTLS_MINOR) @@ -489,84 +493,84 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveDH, byte havePSK, #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - if (tls1_2 && haveECDSA) { + if (tls1_2 && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384; } #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - if (tls && haveECDSA) { + if (tls && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA; } #endif #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 - if (tls1_2 && haveECDSA && haveStaticECC) { + if (tls1_2 && haveECDSAsig && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384; } #endif #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA - if (tls && haveECDSA && haveStaticECC) { + if (tls && haveECDSAsig && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA; } #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - if (tls1_2 && haveECDSA) { + if (tls1_2 && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256; } #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - if (tls && haveECDSA) { + if (tls && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA; } #endif #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 - if (tls1_2 && haveECDSA && haveStaticECC) { + if (tls1_2 && haveECDSAsig && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256; } #endif #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - if (tls && haveECDSA && haveStaticECC) { + if (tls && haveECDSAsig && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA; } #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA - if (tls && haveECDSA) { + if (tls && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_RC4_128_SHA; } #endif #ifdef BUILD_TLS_ECDH_ECDSA_WITH_RC4_128_SHA - if (tls && haveECDSA && haveStaticECC) { + if (tls && haveECDSAsig && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_RC4_128_SHA; } #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - if (tls && haveECDSA) { + if (tls && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA; } #endif #ifdef BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA - if (tls && haveECDSA && haveStaticECC) { + if (tls && haveECDSAsig && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA; } @@ -587,14 +591,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveDH, byte havePSK, #endif #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 - if (tls1_2 && haveRSA && haveStaticECC) { + if (tls1_2 && haveRSAsig && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384; } #endif #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA - if (tls && haveRSA && haveStaticECC) { + if (tls && haveRSAsig && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_256_CBC_SHA; } @@ -615,14 +619,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveDH, byte havePSK, #endif #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 - if (tls1_2 && haveRSA && haveStaticECC) { + if (tls1_2 && haveRSAsig && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256; } #endif #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - if (tls && haveRSA && haveStaticECC) { + if (tls && haveRSAsig && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_128_CBC_SHA; } @@ -636,7 +640,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveDH, byte havePSK, #endif #ifdef BUILD_TLS_ECDH_RSA_WITH_RC4_128_SHA - if (tls && haveRSA && haveStaticECC) { + if (tls && haveRSAsig && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_RSA_WITH_RC4_128_SHA; } @@ -650,7 +654,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveDH, byte havePSK, #endif #ifdef BUILD_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA - if (tls && haveRSA && haveStaticECC) { + if (tls && haveRSAsig && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA; } @@ -889,8 +893,8 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx) ssl->options.haveDH = ctx->haveDH; else ssl->options.haveDH = 0; - ssl->options.haveNTRU = ctx->haveNTRU; - ssl->options.haveECDSA = ctx->haveECDSA; + ssl->options.haveNTRU = ctx->haveNTRU; + ssl->options.haveECDSAsig = ctx->haveECDSAsig; ssl->options.haveStaticECC = ctx->haveStaticECC; ssl->options.havePeerCert = 0; ssl->options.usingPSK_cipher = 0; @@ -1004,11 +1008,11 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx) /* make sure server has DH parms, and add PSK if there, add NTRU too */ if (ssl->options.side == SERVER_END) InitSuites(&ssl->suites, ssl->version,ssl->options.haveDH, havePSK, - ssl->options.haveNTRU, ssl->options.haveECDSA, + ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveStaticECC, ssl->options.side); else InitSuites(&ssl->suites, ssl->version, TRUE, havePSK, - ssl->options.haveNTRU, ssl->options.haveECDSA, + ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveStaticECC, ssl->options.side); return 0; @@ -5812,7 +5816,8 @@ int SetCipherList(Suites* s, const char* list) REQUIRES_ECC_DSA, REQUIRES_ECC_STATIC, REQUIRES_PSK, - REQUIRES_NTRU + REQUIRES_NTRU, + REQUIRES_RSA_SIG }; @@ -5835,6 +5840,8 @@ int SetCipherList(Suites* s, const char* list) case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA : if (requirement == REQUIRES_ECC_STATIC) return 1; + if (requirement == REQUIRES_RSA_SIG) + return 1; break; case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA : @@ -5845,6 +5852,8 @@ int SetCipherList(Suites* s, const char* list) case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA : if (requirement == REQUIRES_ECC_STATIC) return 1; + if (requirement == REQUIRES_RSA_SIG) + return 1; break; case TLS_ECDHE_RSA_WITH_RC4_128_SHA : @@ -5855,6 +5864,8 @@ int SetCipherList(Suites* s, const char* list) case TLS_ECDH_RSA_WITH_RC4_128_SHA : if (requirement == REQUIRES_ECC_STATIC) return 1; + if (requirement == REQUIRES_RSA_SIG) + return 1; break; case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA : @@ -5885,6 +5896,8 @@ int SetCipherList(Suites* s, const char* list) case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA : if (requirement == REQUIRES_ECC_STATIC) return 1; + if (requirement == REQUIRES_RSA_SIG) + return 1; break; case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA : @@ -5940,11 +5953,15 @@ int SetCipherList(Suites* s, const char* list) case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 : if (requirement == ecc_static_diffie_hellman_kea) return 1; + if (requirement == REQUIRES_RSA_SIG) + return 1; break; case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 : if (requirement == ecc_static_diffie_hellman_kea) return 1; + if (requirement == REQUIRES_RSA_SIG) + return 1; break; default: @@ -6093,7 +6110,7 @@ int SetCipherList(Suites* s, const char* list) /* Make sure cert/key are valid for this suite, true on success */ static int VerifySuite(CYASSL* ssl, word16 idx) { - int haveRSA = !ssl->options.haveECDSA; + int haveRSA = !ssl->options.haveStaticECC; int havePSK = 0; byte first = ssl->suites.suites[idx]; byte second = ssl->suites.suites[idx+1]; @@ -6113,7 +6130,6 @@ int SetCipherList(Suites* s, const char* list) CYASSL_MSG("Don't have RSA"); return 0; } - return 1; } if (CipherRequires(first, second, REQUIRES_DHE)) { @@ -6122,16 +6138,14 @@ int SetCipherList(Suites* s, const char* list) CYASSL_MSG("Don't have DHE"); return 0; } - return 1; } if (CipherRequires(first, second, REQUIRES_ECC_DSA)) { CYASSL_MSG("Requires ECCDSA"); - if (ssl->options.haveECDSA == 0) { + if (ssl->options.haveECDSAsig == 0) { CYASSL_MSG("Don't have ECCDSA"); return 0; } - return 1; } if (CipherRequires(first, second, REQUIRES_ECC_STATIC)) { @@ -6140,7 +6154,6 @@ int SetCipherList(Suites* s, const char* list) CYASSL_MSG("Don't have static ECC"); return 0; } - return 1; } if (CipherRequires(first, second, REQUIRES_PSK)) { @@ -6149,7 +6162,6 @@ int SetCipherList(Suites* s, const char* list) CYASSL_MSG("Don't have PSK"); return 0; } - return 1; } if (CipherRequires(first, second, REQUIRES_NTRU)) { @@ -6158,7 +6170,14 @@ int SetCipherList(Suites* s, const char* list) CYASSL_MSG("Don't have NTRU"); return 0; } - return 1; + } + + if (CipherRequires(first, second, REQUIRES_RSA_SIG)) { + CYASSL_MSG("Requires RSA Signature"); + if (ssl->options.side == SERVER_END && ssl->options.haveECDSAsig == 1) { + CYASSL_MSG("Don't have RSA Signature"); + return 0; + } } /* ECCDHE is always supported if ECC on */ @@ -6262,7 +6281,7 @@ int SetCipherList(Suites* s, const char* list) #endif InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK, - ssl->options.haveNTRU, ssl->options.haveECDSA, + ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveStaticECC, ssl->options.side); } @@ -6393,7 +6412,7 @@ int SetCipherList(Suites* s, const char* list) havePSK = ssl->options.havePSK; #endif InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK, - ssl->options.haveNTRU, ssl->options.haveECDSA, + ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveStaticECC, ssl->options.side); } /* random */ diff --git a/src/ssl.c b/src/ssl.c index b6c75a64c..1518c69aa 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -245,7 +245,7 @@ int CyaSSL_SetTmpDH(CYASSL* ssl, const unsigned char* p, int pSz, havePSK = ssl->options.havePSK; #endif InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, - havePSK, ssl->options.haveNTRU, ssl->options.haveECDSA, + havePSK, ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveStaticECC, ssl->options.side); CYASSL_LEAVE("CyaSSL_SetTmpDH", 0); @@ -529,7 +529,7 @@ int CyaSSL_SetVersion(CYASSL* ssl, int version) #endif InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK, - ssl->options.haveNTRU, ssl->options.haveECDSA, + ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveStaticECC, ssl->options.side); return SSL_SUCCESS; @@ -1148,9 +1148,9 @@ int AddCA(CYASSL_CERT_MANAGER* cm, buffer der, int type, int verify) case CTC_SHA384wECDSA: case CTC_SHA512wECDSA: CYASSL_MSG("ECDSA cert signature"); - ctx->haveECDSA = 1; + ctx->haveECDSAsig = 1; if (ssl) - ssl->options.haveECDSA = 1; + ssl->options.haveECDSAsig = 1; break; default: CYASSL_MSG("Not ECDSA cert signature"); @@ -2135,7 +2135,7 @@ int CyaSSL_set_cipher_list(CYASSL* ssl, const char* list) #endif InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK, - ssl->options.haveNTRU, ssl->options.haveECDSA, + ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveStaticECC, ssl->options.side); return SSL_SUCCESS; @@ -3159,7 +3159,7 @@ int CyaSSL_set_compression(CYASSL* ssl) ssl->options.client_psk_cb = cb; InitSuites(&ssl->suites, ssl->version,TRUE,TRUE, ssl->options.haveNTRU, - ssl->options.haveECDSA, ssl->options.haveStaticECC, + ssl->options.haveECDSAsig, ssl->options.haveStaticECC, ssl->options.side); } @@ -3180,7 +3180,7 @@ int CyaSSL_set_compression(CYASSL* ssl) ssl->options.server_psk_cb = cb; InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, TRUE, - ssl->options.haveNTRU, ssl->options.haveECDSA, + ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveStaticECC, ssl->options.side); } @@ -3405,7 +3405,7 @@ int CyaSSL_set_compression(CYASSL* ssl) havePSK = ssl->options.havePSK; #endif InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK, - ssl->options.haveNTRU, ssl->options.haveECDSA, + ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveStaticECC, ssl->options.side); } diff --git a/tests/test-ecc.conf b/tests/test-ecc.conf index f21a8eeab..ca1bc56f5 100644 --- a/tests/test-ecc.conf +++ b/tests/test-ecc.conf @@ -226,3 +226,255 @@ -l ECDHE-ECDSA-AES256-SHA -A ./certs/server-ecc.pem +# server TLSv1 ECDH-RSA-RC4 +-v 1 +-l ECDH-RSA-RC4-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client TLSv1 ECDH-RSA-RC4 +-v 1 +-l ECDH-RSA-RC4-SHA + +# server TLSv1 ECDH-RSA-DES3 +-v 1 +-l ECDH-RSA-DES-CBC3-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client TLSv1 ECDH-RSA-DES3 +-v 1 +-l ECDH-RSA-DES-CBC3-SHA + +# server TLSv1 ECDH-RSA-AES128 +-v 1 +-l ECDH-RSA-AES128-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client TLSv1 ECDH-RSA-AES128 +-v 1 +-l ECDH-RSA-AES128-SHA + +# server TLSv1 ECDH-RSA-AES256 +-v 1 +-l ECDH-RSA-AES256-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client TLSv1 ECDH-RSA-AES256 +-v 1 +-l ECDH-RSA-AES256-SHA + +# server TLSv1.1 ECDH-RSA-RC4 +-v 2 +-l ECDH-RSA-RC4-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client TLSv1.1 ECDH-RSA-RC4 +-v 2 +-l ECDH-RSA-RC4-SHA + +# server TLSv1.1 ECDH-RSA-DES3 +-v 2 +-l ECDH-RSA-DES-CBC3-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client TLSv1.1 ECDH-RSA-DES3 +-v 2 +-l ECDH-RSA-DES-CBC3-SHA + +# server TLSv1.1 ECDH-RSA-AES128 +-v 2 +-l ECDH-RSA-AES128-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client TLSv1.1 ECDH-RSA-AES128 +-v 2 +-l ECDH-RSA-AES128-SHA + +# server TLSv1.1 ECDH-RSA-AES256 +-v 2 +-l ECDH-RSA-AES256-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client TLSv1.1 ECDH-RSA-AES256 +-v 2 +-l ECDH-RSA-AES256-SHA + +# server TLSv1.2 ECDH-RSA-RC4 +-v 3 +-l ECDH-RSA-RC4-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDH-RSA-RC4 +-v 3 +-l ECDH-RSA-RC4-SHA + +# server TLSv1.2 ECDH-RSA-DES3 +-v 3 +-l ECDH-RSA-DES-CBC3-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDH-RSA-DES3 +-v 3 +-l ECDH-RSA-DES-CBC3-SHA + +# server TLSv1.2 ECDH-RSA-AES128 +-v 3 +-l ECDH-RSA-AES128-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDH-RSA-AES128 +-v 3 +-l ECDH-RSA-AES128-SHA + +# server TLSv1.2 ECDH-RSA-AES256 +-v 3 +-l ECDH-RSA-AES256-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDH-RSA-AES256 +-v 3 +-l ECDH-RSA-AES256-SHA + +# server TLSv1 ECDH-ECDSA-RC4 +-v 1 +-l ECDH-ECDSA-RC4-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1 ECDH-ECDSA-RC4 +-v 1 +-l ECDH-ECDSA-RC4-SHA +-A ./certs/server-ecc.pem + +# server TLSv1 ECDH-ECDSA-DES3 +-v 1 +-l ECDH-ECDSA-DES-CBC3-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1 ECDH-ECDSA-DES3 +-v 1 +-l ECDH-ECDSA-DES-CBC3-SHA +-A ./certs/server-ecc.pem + +# server TLSv1 ECDH-ECDSA-AES128 +-v 1 +-l ECDH-ECDSA-AES128-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1 ECDH-ECDSA-AES128 +-v 1 +-l ECDH-ECDSA-AES128-SHA +-A ./certs/server-ecc.pem + +# server TLSv1 ECDH-ECDSA-AES256 +-v 1 +-l ECDH-ECDSA-AES256-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1 ECDH-ECDSA-AES256 +-v 1 +-l ECDH-ECDSA-AES256-SHA +-A ./certs/server-ecc.pem + +# server TLSv1.1 ECDH-EDCSA-RC4 +-v 2 +-l ECDH-ECDSA-RC4-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.1 ECDH-ECDSA-RC4 +-v 2 +-l ECDH-ECDSA-RC4-SHA +-A ./certs/server-ecc.pem + +# server TLSv1.1 ECDH-ECDSA-DES3 +-v 2 +-l ECDH-ECDSA-DES-CBC3-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.1 ECDH-ECDSA-DES3 +-v 2 +-l ECDH-ECDSA-DES-CBC3-SHA +-A ./certs/server-ecc.pem + +# server TLSv1.1 ECDH-ECDSA-AES128 +-v 2 +-l ECDH-ECDSA-AES128-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.1 ECDH-ECDSA-AES128 +-v 2 +-l ECDH-ECDSA-AES128-SHA +-A ./certs/server-ecc.pem + +# server TLSv1.1 ECDH-ECDSA-AES256 +-v 2 +-l ECDH-ECDSA-AES256-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.1 ECDH-ECDSA-AES256 +-v 2 +-l ECDH-ECDSA-AES256-SHA +-A ./certs/server-ecc.pem + +# server TLSv1.2 ECDHE-ECDSA-RC4 +-v 3 +-l ECDH-ECDSA-RC4-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDH-ECDSA-RC4 +-v 3 +-l ECDH-ECDSA-RC4-SHA +-A ./certs/server-ecc.pem + +# server TLSv1.2 ECDH-ECDSA-DES3 +-v 3 +-l ECDH-ECDSA-DES-CBC3-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDH-ECDSA-DES3 +-v 3 +-l ECDH-ECDSA-DES-CBC3-SHA +-A ./certs/server-ecc.pem + +# server TLSv1.2 ECDH-ECDSA-AES128 +-v 3 +-l ECDH-ECDSA-AES128-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDH-ECDSA-AES128 +-v 3 +-l ECDH-ECDSA-AES128-SHA +-A ./certs/server-ecc.pem + +# server TLSv1.2 ECDH-ECDSA-AES256 +-v 3 +-l ECDH-ECDSA-AES256-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDH-ECDSA-AES256 +-v 3 +-l ECDH-ECDSA-AES256-SHA +-A ./certs/server-ecc.pem +