[PATCH 09/10] Replace EDH-RSA-DES-CBC-SHA, etc. with DHE-RSA-DES-CBC-SHA

Fri, 20 Dec 2013 00:50:39 -0800 

Replace the full ciphersuites with "EDH-" in their labels with "DHE-"
so that all DHE ciphersuites are referred to in the same way.

Leave backward-compatible aliases for the ciphersuites in question so
that configurations which specify these explicitly will continue
working.
---
 ssl/s3_lib.c   | 12 ++++++------
 ssl/ssl3.h     | 11 +++++++++++
 ssl/ssl_ciph.c | 15 +++++++++++++++
 3 files changed, 32 insertions(+), 6 deletions(-)

diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 2f822bd..5c8aa13 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -428,7 +428,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 /* Cipher 11 */
        {
        1,
-       SSL3_TXT_EDH_DSS_DES_40_CBC_SHA,
+       SSL3_TXT_DHE_DSS_DES_40_CBC_SHA,
        SSL3_CK_DHE_DSS_DES_40_CBC_SHA,
        SSL_kDHE,
        SSL_aDSS,
@@ -444,7 +444,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 /* Cipher 12 */
        {
        1,
-       SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,
+       SSL3_TXT_DHE_DSS_DES_64_CBC_SHA,
        SSL3_CK_DHE_DSS_DES_64_CBC_SHA,
        SSL_kDHE,
        SSL_aDSS,
@@ -460,7 +460,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 /* Cipher 13 */
        {
        1,
-       SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,
+       SSL3_TXT_DHE_DSS_DES_192_CBC3_SHA,
        SSL3_CK_DHE_DSS_DES_192_CBC3_SHA,
        SSL_kDHE,
        SSL_aDSS,
@@ -476,7 +476,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 /* Cipher 14 */
        {
        1,
-       SSL3_TXT_EDH_RSA_DES_40_CBC_SHA,
+       SSL3_TXT_DHE_RSA_DES_40_CBC_SHA,
        SSL3_CK_DHE_RSA_DES_40_CBC_SHA,
        SSL_kDHE,
        SSL_aRSA,
@@ -492,7 +492,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 /* Cipher 15 */
        {
        1,
-       SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,
+       SSL3_TXT_DHE_RSA_DES_64_CBC_SHA,
        SSL3_CK_DHE_RSA_DES_64_CBC_SHA,
        SSL_kDHE,
        SSL_aRSA,
@@ -508,7 +508,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 /* Cipher 16 */
        {
        1,
-       SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
+       SSL3_TXT_DHE_RSA_DES_192_CBC3_SHA,
        SSL3_CK_DHE_RSA_DES_192_CBC3_SHA,
        SSL_kDHE,
        SSL_aRSA,
diff --git a/ssl/ssl3.h b/ssl/ssl3.h
index 17dd50c..c94b3a4 100644
--- a/ssl/ssl3.h
+++ b/ssl/ssl3.h
@@ -214,6 +214,17 @@ extern "C" {
 #define SSL3_TXT_DH_RSA_DES_64_CBC_SHA         "DH-RSA-DES-CBC-SHA"
 #define SSL3_TXT_DH_RSA_DES_192_CBC3_SHA       "DH-RSA-DES-CBC3-SHA"
 
+#define SSL3_TXT_DHE_DSS_DES_40_CBC_SHA                
"EXP-DHE-DSS-DES-CBC-SHA"
+#define SSL3_TXT_DHE_DSS_DES_64_CBC_SHA                "DHE-DSS-DES-CBC-SHA"
+#define SSL3_TXT_DHE_DSS_DES_192_CBC3_SHA      "DHE-DSS-DES-CBC3-SHA"
+#define SSL3_TXT_DHE_RSA_DES_40_CBC_SHA                
"EXP-DHE-RSA-DES-CBC-SHA"
+#define SSL3_TXT_DHE_RSA_DES_64_CBC_SHA                "DHE-RSA-DES-CBC-SHA"
+#define SSL3_TXT_DHE_RSA_DES_192_CBC3_SHA      "DHE-RSA-DES-CBC3-SHA"
+
+/* This next block of six "EDH" labels is for backward compatibility
+   with older versions of OpenSSL.  New code should use the six "DHE"
+   labels above instead:
+ */
 #define SSL3_TXT_EDH_DSS_DES_40_CBC_SHA                
"EXP-EDH-DSS-DES-CBC-SHA"
 #define SSL3_TXT_EDH_DSS_DES_64_CBC_SHA                "EDH-DSS-DES-CBC-SHA"
 #define SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA      "EDH-DSS-DES-CBC3-SHA"
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 6476434..1a2849a 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -330,6 +330,21 @@ static const SSL_CIPHER cipher_aliases[]={
        {0,SSL_TXT_HIGH,0,    0,0,0,0,0,SSL_HIGH,  0,0,0},
        /* FIPS 140-2 approved ciphersuite */
        {0,SSL_TXT_FIPS,0,    0,0,~SSL_eNULL,0,0,SSL_FIPS,  0,0,0},
+
+        /* "EDH-" aliases to "DHE-" labels (for backward compatibility) */
+       {0,SSL3_TXT_EDH_DSS_DES_40_CBC_SHA,0,
+         
SSL_kDHE,SSL_aDSS,SSL_DES,SSL_SHA1,SSL_SSLV3,SSL_EXPORT|SSL_EXP40,0,0,0,},
+       {0,SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,0,
+         
SSL_kDHE,SSL_aDSS,SSL_DES,SSL_SHA1,SSL_SSLV3,SSL_NOT_EXP|SSL_LOW,0,0,0,},
+       {0,SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,0,
+         
SSL_kDHE,SSL_aDSS,SSL_3DES,SSL_SHA1,SSL_SSLV3,SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,0,0,0,},
+       {0,SSL3_TXT_EDH_RSA_DES_40_CBC_SHA,0,
+         
SSL_kDHE,SSL_aRSA,SSL_DES,SSL_SHA1,SSL_SSLV3,SSL_EXPORT|SSL_EXP40,0,0,0,},
+       {0,SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,0,
+         
SSL_kDHE,SSL_aRSA,SSL_DES,SSL_SHA1,SSL_SSLV3,SSL_NOT_EXP|SSL_LOW,0,0,0,},
+       {0,SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,0,
+         
SSL_kDHE,SSL_aRSA,SSL_3DES,SSL_SHA1,SSL_SSLV3,SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,0,0,0,},
+
        };
 /* Search for public key algorithm with given name and 
  * return its pkey_id if it is available. Otherwise return 0
-- 
1.8.5.1

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to