- Added support for the SHA256 ciphersuites of AES and Camellia
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 61a73d2..610448e 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -115,22 +115,32 @@
#define SSL_RSA_NULL_MD5 0x01 /**< Weak! */
#define SSL_RSA_NULL_SHA 0x02 /**< Weak! */
#define SSL_RSA_NULL_SHA256 0x3B /**< Weak! */
-#define SSL_RSA_DES_SHA 0x09 /**< Weak! */
-#define SSL_EDH_RSA_DES_SHA 0x15 /**< Weak! */
+#define SSL_RSA_DES_SHA 0x09 /**< Weak! Not in TLS 1.2 */
+#define SSL_EDH_RSA_DES_SHA 0x15 /**< Weak! Not in TLS 1.2 */
#define SSL_RSA_RC4_128_MD5 0x04
#define SSL_RSA_RC4_128_SHA 0x05
+
#define SSL_RSA_DES_168_SHA 0x0A
#define SSL_EDH_RSA_DES_168_SHA 0x16
+
#define SSL_RSA_AES_128_SHA 0x2F
#define SSL_EDH_RSA_AES_128_SHA 0x33
#define SSL_RSA_AES_256_SHA 0x35
#define SSL_EDH_RSA_AES_256_SHA 0x39
+#define SSL_RSA_AES_128_SHA256 0x3C /**< TLS 1.2 */
+#define SSL_RSA_AES_256_SHA256 0x3D /**< TLS 1.2 */
+#define SSL_EDH_RSA_AES_128_SHA256 0x67 /**< TLS 1.2 */
+#define SSL_EDH_RSA_AES_256_SHA256 0x6B /**< TLS 1.2 */
-#define SSL_RSA_CAMELLIA_128_SHA 0x41
-#define SSL_EDH_RSA_CAMELLIA_128_SHA 0x45
-#define SSL_RSA_CAMELLIA_256_SHA 0x84
-#define SSL_EDH_RSA_CAMELLIA_256_SHA 0x88
+#define SSL_RSA_CAMELLIA_128_SHA 0x41
+#define SSL_EDH_RSA_CAMELLIA_128_SHA 0x45
+#define SSL_RSA_CAMELLIA_256_SHA 0x84
+#define SSL_EDH_RSA_CAMELLIA_256_SHA 0x88
+#define SSL_RSA_CAMELLIA_128_SHA256 0xBA /**< TLS 1.2 */
+#define SSL_EDH_RSA_CAMELLIA_128_SHA256 0xBE /**< TLS 1.2 */
+#define SSL_RSA_CAMELLIA_256_SHA256 0xC0 /**< TLS 1.2 */
+#define SSL_EDH_RSA_CAMELLIA_256_SHA256 0xC4 /**< TLS 1.2 */
/*
* Supported Signature and Hash algorithms (For TLS 1.2)
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 977684e..6f9206f 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -448,8 +448,12 @@
ssl->session->ciphersuite != SSL_EDH_RSA_DES_168_SHA &&
ssl->session->ciphersuite != SSL_EDH_RSA_AES_128_SHA &&
ssl->session->ciphersuite != SSL_EDH_RSA_AES_256_SHA &&
+ ssl->session->ciphersuite != SSL_EDH_RSA_AES_128_SHA256 &&
+ ssl->session->ciphersuite != SSL_EDH_RSA_AES_256_SHA256 &&
ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_128_SHA &&
- ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_256_SHA)
+ ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_256_SHA &&
+ ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_128_SHA256 &&
+ ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_256_SHA256 )
{
SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
ssl->state++;
@@ -777,8 +781,12 @@
ssl->session->ciphersuite == SSL_EDH_RSA_DES_168_SHA ||
ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA ||
+ ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA256 ||
+ ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA256 ||
ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
- ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA)
+ ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA ||
+ ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA256 ||
+ ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA256 )
{
#if !defined(POLARSSL_DHM_C)
SSL_DEBUG_MSG( 1, ( "support for dhm in not available" ) );
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 67fe130..2d8b0b8 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -552,8 +552,12 @@
ssl->session->ciphersuite != SSL_EDH_RSA_DES_168_SHA &&
ssl->session->ciphersuite != SSL_EDH_RSA_AES_128_SHA &&
ssl->session->ciphersuite != SSL_EDH_RSA_AES_256_SHA &&
+ ssl->session->ciphersuite != SSL_EDH_RSA_AES_128_SHA256 &&
+ ssl->session->ciphersuite != SSL_EDH_RSA_AES_256_SHA256 &&
ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_128_SHA &&
- ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_256_SHA)
+ ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_256_SHA &&
+ ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_128_SHA256 &&
+ ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_256_SHA256 )
{
SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
ssl->state++;
@@ -761,8 +765,12 @@
ssl->session->ciphersuite == SSL_EDH_RSA_DES_168_SHA ||
ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA ||
+ ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA256 ||
+ ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA256 ||
ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
- ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA)
+ ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA ||
+ ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA256 ||
+ ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA256 )
{
#if !defined(POLARSSL_DHM_C)
SSL_DEBUG_MSG( 1, ( "support for dhm is not available" ) );
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index b5c89a9..e697f4e 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -323,6 +323,20 @@
ssl->keylen = 32; ssl->minlen = 32;
ssl->ivlen = 16; ssl->maclen = 20;
break;
+
+#if defined(POLARSSL_SHA2_C)
+ case SSL_RSA_AES_128_SHA256:
+ case SSL_EDH_RSA_AES_128_SHA256:
+ ssl->keylen = 16; ssl->minlen = 32;
+ ssl->ivlen = 16; ssl->maclen = 32;
+ break;
+
+ case SSL_RSA_AES_256_SHA256:
+ case SSL_EDH_RSA_AES_256_SHA256:
+ ssl->keylen = 32; ssl->minlen = 32;
+ ssl->ivlen = 16; ssl->maclen = 32;
+ break;
+#endif
#endif
#if defined(POLARSSL_CAMELLIA_C)
@@ -337,6 +351,20 @@
ssl->keylen = 32; ssl->minlen = 32;
ssl->ivlen = 16; ssl->maclen = 20;
break;
+
+#if defined(POLARSSL_SHA2_C)
+ case SSL_RSA_CAMELLIA_128_SHA256:
+ case SSL_EDH_RSA_CAMELLIA_128_SHA256:
+ ssl->keylen = 16; ssl->minlen = 32;
+ ssl->ivlen = 16; ssl->maclen = 32;
+ break;
+
+ case SSL_RSA_CAMELLIA_256_SHA256:
+ case SSL_EDH_RSA_CAMELLIA_256_SHA256:
+ ssl->keylen = 32; ssl->minlen = 32;
+ ssl->ivlen = 16; ssl->maclen = 32;
+ break;
+#endif
#endif
#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
@@ -430,12 +458,20 @@
#if defined(POLARSSL_AES_C)
case SSL_RSA_AES_128_SHA:
case SSL_EDH_RSA_AES_128_SHA:
+#if defined(POLARSSL_SHA2_C)
+ case SSL_RSA_AES_128_SHA256:
+ case SSL_EDH_RSA_AES_128_SHA256:
+#endif
aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 128 );
aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 128 );
break;
case SSL_RSA_AES_256_SHA:
case SSL_EDH_RSA_AES_256_SHA:
+#if defined(POLARSSL_SHA2_C)
+ case SSL_RSA_AES_256_SHA256:
+ case SSL_EDH_RSA_AES_256_SHA256:
+#endif
aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 256 );
aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 256 );
break;
@@ -444,12 +480,20 @@
#if defined(POLARSSL_CAMELLIA_C)
case SSL_RSA_CAMELLIA_128_SHA:
case SSL_EDH_RSA_CAMELLIA_128_SHA:
+#if defined(POLARSSL_SHA2_C)
+ case SSL_RSA_CAMELLIA_128_SHA256:
+ case SSL_EDH_RSA_CAMELLIA_128_SHA256:
+#endif
camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 128 );
camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 128 );
break;
case SSL_RSA_CAMELLIA_256_SHA:
case SSL_EDH_RSA_CAMELLIA_256_SHA:
+#if defined(POLARSSL_SHA2_C)
+ case SSL_RSA_CAMELLIA_256_SHA256:
+ case SSL_EDH_RSA_CAMELLIA_256_SHA256:
+#endif
camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 256 );
camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 256 );
break;
@@ -755,7 +799,11 @@
if ( ssl->session->ciphersuite == SSL_RSA_AES_128_SHA ||
ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
ssl->session->ciphersuite == SSL_RSA_AES_256_SHA ||
- ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA)
+ ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA ||
+ ssl->session->ciphersuite == SSL_RSA_AES_128_SHA256 ||
+ ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA256 ||
+ ssl->session->ciphersuite == SSL_RSA_AES_256_SHA256 ||
+ ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA256 )
{
aes_crypt_cbc( (aes_context *) ssl->ctx_enc,
AES_ENCRYPT, enc_msglen,
@@ -768,7 +816,11 @@
if ( ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA ||
ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA ||
- ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA)
+ ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA ||
+ ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA256 ||
+ ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA256 ||
+ ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA256 ||
+ ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA256 )
{
camellia_crypt_cbc( (camellia_context *) ssl->ctx_enc,
CAMELLIA_ENCRYPT, enc_msglen,
@@ -885,7 +937,11 @@
if ( ssl->session->ciphersuite == SSL_RSA_AES_128_SHA ||
ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
ssl->session->ciphersuite == SSL_RSA_AES_256_SHA ||
- ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA)
+ ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA ||
+ ssl->session->ciphersuite == SSL_RSA_AES_128_SHA256 ||
+ ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA256 ||
+ ssl->session->ciphersuite == SSL_RSA_AES_256_SHA256 ||
+ ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA256 )
{
aes_crypt_cbc( (aes_context *) ssl->ctx_dec,
AES_DECRYPT, dec_msglen,
@@ -898,7 +954,11 @@
if ( ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA ||
ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA ||
- ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA)
+ ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA ||
+ ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA256 ||
+ ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA256 ||
+ ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA256 ||
+ ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA256 )
{
camellia_crypt_cbc( (camellia_context *) ssl->ctx_dec,
CAMELLIA_DECRYPT, dec_msglen,
@@ -2212,6 +2272,20 @@
case SSL_EDH_RSA_AES_256_SHA:
return( "SSL-EDH-RSA-AES-256-SHA" );
+
+#if defined(POLARSSL_SHA2_C)
+ case SSL_RSA_AES_128_SHA256:
+ return( "SSL-RSA-AES-128-SHA256" );
+
+ case SSL_EDH_RSA_AES_128_SHA256:
+ return( "SSL-EDH-RSA-AES-128-SHA256" );
+
+ case SSL_RSA_AES_256_SHA256:
+ return( "SSL-RSA-AES-256-SHA256" );
+
+ case SSL_EDH_RSA_AES_256_SHA256:
+ return( "SSL-EDH-RSA-AES-256-SHA256" );
+#endif
#endif
#if defined(POLARSSL_CAMELLIA_C)
@@ -2226,6 +2300,20 @@
case SSL_EDH_RSA_CAMELLIA_256_SHA:
return( "SSL-EDH-RSA-CAMELLIA-256-SHA" );
+
+#if defined(POLARSSL_SHA2_C)
+ case SSL_RSA_CAMELLIA_128_SHA256:
+ return( "SSL-RSA-CAMELLIA-128-SHA256" );
+
+ case SSL_EDH_RSA_CAMELLIA_128_SHA256:
+ return( "SSL-EDH-RSA-CAMELLIA-128-SHA256" );
+
+ case SSL_RSA_CAMELLIA_256_SHA256:
+ return( "SSL-RSA-CAMELLIA-256-SHA256" );
+
+ case SSL_EDH_RSA_CAMELLIA_256_SHA256:
+ return( "SSL-EDH-RSA-CAMELLIA-256-SHA256" );
+#endif
#endif
#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
@@ -2278,6 +2366,17 @@
return( SSL_RSA_AES_256_SHA );
if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-256-SHA"))
return( SSL_EDH_RSA_AES_256_SHA );
+
+#if defined(POLARSSL_SHA2_C)
+ if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-128-SHA256"))
+ return( SSL_RSA_AES_128_SHA256 );
+ if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-128-SHA256"))
+ return( SSL_EDH_RSA_AES_128_SHA256 );
+ if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-256-SHA256"))
+ return( SSL_RSA_AES_256_SHA256 );
+ if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-256-SHA256"))
+ return( SSL_EDH_RSA_AES_256_SHA256 );
+#endif
#endif
#if defined(POLARSSL_CAMELLIA_C)
@@ -2289,6 +2388,17 @@
return( SSL_RSA_CAMELLIA_256_SHA );
if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-256-SHA"))
return( SSL_EDH_RSA_CAMELLIA_256_SHA );
+
+#if defined(POLARSSL_SHA2_C)
+ if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-128-SHA256"))
+ return( SSL_RSA_CAMELLIA_128_SHA256 );
+ if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-128-SHA256"))
+ return( SSL_EDH_RSA_CAMELLIA_128_SHA256 );
+ if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-256-SHA256"))
+ return( SSL_RSA_CAMELLIA_256_SHA256 );
+ if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-256-SHA256"))
+ return( SSL_EDH_RSA_CAMELLIA_256_SHA256 );
+#endif
#endif
#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
@@ -2343,12 +2453,20 @@
{
#if defined(POLARSSL_DHM_C)
#if defined(POLARSSL_AES_C)
- SSL_EDH_RSA_AES_128_SHA,
+#if defined(POLARSSL_SHA2_C)
+ SSL_EDH_RSA_AES_256_SHA256,
+ SSL_EDH_RSA_AES_128_SHA256,
+#endif /* POLARSSL_SHA2_C */
SSL_EDH_RSA_AES_256_SHA,
+ SSL_EDH_RSA_AES_128_SHA,
#endif
#if defined(POLARSSL_CAMELLIA_C)
- SSL_EDH_RSA_CAMELLIA_128_SHA,
+#if defined(POLARSSL_SHA2_C)
+ SSL_EDH_RSA_CAMELLIA_256_SHA256,
+ SSL_EDH_RSA_CAMELLIA_128_SHA256,
+#endif /* POLARSSL_SHA2_C */
SSL_EDH_RSA_CAMELLIA_256_SHA,
+ SSL_EDH_RSA_CAMELLIA_128_SHA,
#endif
#if defined(POLARSSL_DES_C)
SSL_EDH_RSA_DES_168_SHA,
@@ -2356,15 +2474,27 @@
#endif
#if defined(POLARSSL_AES_C)
+#if defined(POLARSSL_SHA2_C)
+ SSL_RSA_AES_256_SHA256,
+#endif /* POLARSSL_SHA2_C */
SSL_RSA_AES_256_SHA,
#endif
#if defined(POLARSSL_CAMELLIA_C)
+#if defined(POLARSSL_SHA2_C)
+ SSL_RSA_CAMELLIA_256_SHA256,
+#endif /* POLARSSL_SHA2_C */
SSL_RSA_CAMELLIA_256_SHA,
#endif
#if defined(POLARSSL_AES_C)
+#if defined(POLARSSL_SHA2_C)
+ SSL_RSA_AES_128_SHA256,
+#endif /* POLARSSL_SHA2_C */
SSL_RSA_AES_128_SHA,
#endif
#if defined(POLARSSL_CAMELLIA_C)
+#if defined(POLARSSL_SHA2_C)
+ SSL_RSA_CAMELLIA_128_SHA256,
+#endif /* POLARSSL_SHA2_C */
SSL_RSA_CAMELLIA_128_SHA,
#endif
#if defined(POLARSSL_DES_C)
diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c
index f3ad42f..833c74a 100644
--- a/programs/ssl/ssl_server.c
+++ b/programs/ssl/ssl_server.c
@@ -72,21 +72,64 @@
*/
int my_ciphersuites[] =
{
+#if defined(POLARSSL_DHM_C)
+#if defined(POLARSSL_AES_C)
+#if defined(POLARSSL_SHA2_C)
+ SSL_EDH_RSA_AES_256_SHA256,
+ SSL_EDH_RSA_AES_128_SHA256,
+#endif /* POLARSSL_SHA2_C */
SSL_EDH_RSA_AES_256_SHA,
- SSL_EDH_RSA_CAMELLIA_256_SHA,
SSL_EDH_RSA_AES_128_SHA,
+#endif
+#if defined(POLARSSL_CAMELLIA_C)
+#if defined(POLARSSL_SHA2_C)
+ SSL_EDH_RSA_CAMELLIA_256_SHA256,
+ SSL_EDH_RSA_CAMELLIA_128_SHA256,
+#endif /* POLARSSL_SHA2_C */
+ SSL_EDH_RSA_CAMELLIA_256_SHA,
SSL_EDH_RSA_CAMELLIA_128_SHA,
+#endif
+#if defined(POLARSSL_DES_C)
SSL_EDH_RSA_DES_168_SHA,
+#endif
+#endif
+
+#if defined(POLARSSL_AES_C)
+#if defined(POLARSSL_SHA2_C)
+ SSL_RSA_AES_256_SHA256,
+#endif /* POLARSSL_SHA2_C */
SSL_RSA_AES_256_SHA,
+#endif
+#if defined(POLARSSL_CAMELLIA_C)
+#if defined(POLARSSL_SHA2_C)
+ SSL_RSA_CAMELLIA_256_SHA256,
+#endif /* POLARSSL_SHA2_C */
SSL_RSA_CAMELLIA_256_SHA,
+#endif
+#if defined(POLARSSL_AES_C)
+#if defined(POLARSSL_SHA2_C)
+ SSL_RSA_AES_128_SHA256,
+#endif /* POLARSSL_SHA2_C */
SSL_RSA_AES_128_SHA,
+#endif
+#if defined(POLARSSL_CAMELLIA_C)
+#if defined(POLARSSL_SHA2_C)
+ SSL_RSA_CAMELLIA_128_SHA256,
+#endif /* POLARSSL_SHA2_C */
SSL_RSA_CAMELLIA_128_SHA,
+#endif
+#if defined(POLARSSL_DES_C)
SSL_RSA_DES_168_SHA,
+#endif
+#if defined(POLARSSL_ARC4_C)
SSL_RSA_RC4_128_SHA,
SSL_RSA_RC4_128_MD5,
+#endif
#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
+#if defined(POLARSSL_DES_C)
SSL_EDH_RSA_DES_SHA,
SSL_RSA_DES_SHA,
+#endif
#if defined(POLARSSL_CIPHER_NULL_CIPHER)
SSL_RSA_NULL_MD5,
SSL_RSA_NULL_SHA,
diff --git a/tests/compat.sh b/tests/compat.sh
index 0495ad3..ac41ec3 100644
--- a/tests/compat.sh
+++ b/tests/compat.sh
@@ -1,19 +1,21 @@
killall -q openssl ssl_server
-#MODES="ssl2 ssl3 tls1 tls1_1 tls1_2"
-MODES=tls1_2
+MODES="ssl3 tls1 tls1_1 tls1_2"
+#VERIFY="YES"
+VERIFY=""
+
+if [ "X$VERIFY" = "XYES" ];
+then
+ P_CLIENT_ARGS="crt_file=data_files/server2.crt key_file=data_files/server2.key"
+ O_SERVER_ARGS="-verify 10"
+fi
for MODE in $MODES;
do
echo "Running for $MODE"
echo "-----------"
-openssl s_server -cert data_files/server2.crt -key data_files/server2.key -www -quiet -cipher NULL,ALL -$MODE &
-PROCESS_ID=$!
-
-sleep 1
-
-CIPHERS=" \
+P_CIPHERS=" \
SSL-EDH-RSA-AES-128-SHA \
SSL-EDH-RSA-AES-256-SHA \
SSL-EDH-RSA-CAMELLIA-128-SHA \
@@ -32,10 +34,52 @@
SSL-EDH-RSA-DES-SHA \
"
-# Not supported by OpenSSL: SSL-RSA-NULL-SHA256
-for i in $CIPHERS;
+O_CIPHERS=" \
+ DHE-RSA-AES128-SHA \
+ DHE-RSA-AES256-SHA \
+ DHE-RSA-CAMELLIA128-SHA \
+ DHE-RSA-CAMELLIA256-SHA \
+ EDH-RSA-DES-CBC3-SHA \
+ AES256-SHA \
+ CAMELLIA256-SHA \
+ AES128-SHA \
+ CAMELLIA128-SHA \
+ DES-CBC3-SHA \
+ RC4-SHA \
+ RC4-MD5 \
+ NULL-MD5 \
+ NULL-SHA \
+ DES-CBC-SHA \
+ EDH-RSA-DES-CBC-SHA \
+ "
+
+if [ "$MODE" = "tls1_2" ];
+then
+ P_CIPHERS="$P_CIPHERS \
+ SSL-RSA-NULL-SHA256 \
+ SSL-RSA-AES-128-SHA256 \
+ SSL-EDH-RSA-AES-128-SHA256 \
+ SSL-RSA-AES-256-SHA256 \
+ SSL-EDH-RSA-AES-256-SHA256 \
+ "
+
+ O_CIPHERS="$O_CIPHERS \
+ NULL-SHA256 \
+ AES128-SHA256 \
+ DHE-RSA-AES128-SHA256 \
+ AES256-SHA256 \
+ DHE-RSA-AES256-SHA256 \
+ "
+fi
+
+openssl s_server -cert data_files/server2.crt -key data_files/server2.key -www -quiet -cipher NULL,ALL $O_SERVER_ARGS -$MODE &
+PROCESS_ID=$!
+
+sleep 1
+
+for i in $P_CIPHERS;
do
- RESULT="$( ../programs/ssl/ssl_client2 force_ciphersuite=$i )"
+ RESULT="$( ../programs/ssl/ssl_client2 $P_CLIENT_ARGS force_ciphersuite=$i )"
EXIT=$?
echo -n "OpenSSL Server - PolarSSL Client - $i : $EXIT - "
if [ "$EXIT" = "2" ];
@@ -56,27 +100,7 @@
sleep 1
-CIPHERS=" \
- DHE-RSA-AES128-SHA \
- DHE-RSA-AES256-SHA \
- DHE-RSA-CAMELLIA128-SHA \
- DHE-RSA-CAMELLIA256-SHA \
- EDH-RSA-DES-CBC3-SHA \
- AES256-SHA \
- CAMELLIA256-SHA \
- AES128-SHA \
- CAMELLIA128-SHA \
- DES-CBC3-SHA \
- RC4-SHA \
- RC4-MD5 \
- NULL-MD5 \
- NULL-SHA \
- DES-CBC-SHA \
- EDH-RSA-DES-CBC-SHA \
- "
-
-# Not supported by OpenSSL: NULL-SHA256
-for i in $CIPHERS;
+for i in $O_CIPHERS;
do
RESULT="$( ( echo -e 'GET HTTP/1.0'; echo; sleep 1 ) | openssl s_client -$MODE -cipher $i 2>&1)"
EXIT=$?
@@ -104,27 +128,20 @@
sleep 1
-CIPHERS=" \
- SSL-RSA-RC4-128-SHA \
- SSL-RSA-NULL-MD5 \
- SSL-EDH-RSA-AES-128-SHA \
- SSL-EDH-RSA-AES-256-SHA \
- SSL-EDH-RSA-CAMELLIA-128-SHA \
- SSL-EDH-RSA-CAMELLIA-256-SHA \
- SSL-EDH-RSA-DES-168-SHA \
- SSL-RSA-NULL-SHA \
- SSL-RSA-AES-256-SHA \
- SSL-RSA-CAMELLIA-256-SHA \
- SSL-RSA-AES-128-SHA \
- SSL-RSA-CAMELLIA-128-SHA \
- SSL-RSA-DES-168-SHA \
- SSL-RSA-RC4-128-MD5 \
- SSL-RSA-DES-SHA \
- SSL-EDH-RSA-DES-SHA \
- SSL-RSA-NULL-SHA256 \
- "
+# OpenSSL does not support RFC5246 Camellia ciphers with SHA256
+# Add for PolarSSL only test, which does support them.
+#
+if [ "$MODE" = "tls1_2" ];
+then
+ P_CIPHERS="$P_CIPHERS \
+ SSL-RSA-CAMELLIA-128-SHA256 \
+ SSL-EDH-RSA-CAMELLIA-128-SHA256 \
+ SSL-RSA-CAMELLIA-256-SHA256 \
+ SSL-EDH-RSA-CAMELLIA-256-SHA256 \
+ "
+fi
-for i in $CIPHERS;
+for i in $P_CIPHERS;
do
RESULT="$( ../programs/ssl/ssl_client2 force_ciphersuite=$i )"
EXIT=$?