diff --git a/crypto/cipher_extra/cipher_extra.c b/crypto/cipher_extra/cipher_extra.c index 804a345594..fbdaac30d3 100644 --- a/crypto/cipher_extra/cipher_extra.c +++ b/crypto/cipher_extra/cipher_extra.c @@ -73,16 +73,19 @@ static const struct { const EVP_CIPHER *(*func)(void); } kCiphers[] = { {NID_aes_128_cbc, "aes-128-cbc", EVP_aes_128_cbc}, + {NID_aes_128_cfb128, "aes-128-cfb", EVP_aes_128_cfb}, {NID_aes_128_ctr, "aes-128-ctr", EVP_aes_128_ctr}, {NID_aes_128_ecb, "aes-128-ecb", EVP_aes_128_ecb}, {NID_aes_128_gcm, "aes-128-gcm", EVP_aes_128_gcm}, {NID_aes_128_ofb128, "aes-128-ofb", EVP_aes_128_ofb}, {NID_aes_192_cbc, "aes-192-cbc", EVP_aes_192_cbc}, + {NID_aes_192_cfb128, "aes-192-cfb", EVP_aes_192_cfb}, {NID_aes_192_ctr, "aes-192-ctr", EVP_aes_192_ctr}, {NID_aes_192_ecb, "aes-192-ecb", EVP_aes_192_ecb}, {NID_aes_192_gcm, "aes-192-gcm", EVP_aes_192_gcm}, {NID_aes_192_ofb128, "aes-192-ofb", EVP_aes_192_ofb}, {NID_aes_256_cbc, "aes-256-cbc", EVP_aes_256_cbc}, + {NID_aes_256_cfb128, "aes-256-cfb", EVP_aes_256_cfb}, {NID_aes_256_ctr, "aes-256-ctr", EVP_aes_256_ctr}, {NID_aes_256_ecb, "aes-256-ecb", EVP_aes_256_ecb}, {NID_aes_256_gcm, "aes-256-gcm", EVP_aes_256_gcm}, diff --git a/crypto/decrepit/evp/evp_do_all.c b/crypto/decrepit/evp/evp_do_all.c index f150c08533..1b2a833163 100644 --- a/crypto/decrepit/evp/evp_do_all.c +++ b/crypto/decrepit/evp/evp_do_all.c @@ -67,6 +67,10 @@ void EVP_CIPHER_do_all_sorted(void (*callback)(const EVP_CIPHER *cipher, callback(EVP_rc2_cbc(), "rc2-cbc", NULL, arg); callback(EVP_rc4(), "rc4", NULL, arg); callback(EVP_chacha20_poly1305(), "chacha20-poly1305", NULL, arg); + + // Other possible historical aliases from OpenSSL. + callback(EVP_aes_128_cbc(), "aes128", NULL, arg); + callback(EVP_aes_256_cbc(), "aes256", NULL, arg); } void EVP_MD_do_all_sorted(void (*callback)(const EVP_MD *cipher, diff --git a/crypto/fipsmodule/evp/evp.c b/crypto/fipsmodule/evp/evp.c index 4aeb94f1fc..998d05cd4f 100644 --- a/crypto/fipsmodule/evp/evp.c +++ b/crypto/fipsmodule/evp/evp.c @@ -576,6 +576,7 @@ void *EVP_PKEY_get0(const EVP_PKEY *pkey) { case EVP_PKEY_RSA_PSS: case EVP_PKEY_DSA: case EVP_PKEY_EC: + case EVP_PKEY_DH: return pkey->pkey.ptr; default: return NULL; diff --git a/include/openssl/evp.h b/include/openssl/evp.h index f5c5f1b9c6..d45f4fb282 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -1204,7 +1204,7 @@ OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_new_mac_key(int type, ENGINE *engine, // EVP_PKEY_get0 returns the consumed key. The type of value returned will be // one of the following, depending on the type of the |EVP_PKEY|: -// |RSA|, |DSA| or |EC_KEY|. +// |DH|, |DSA|, |EC_KEY|, or |RSA|. // // This function is provided only for compatibility with OpenSSL. // Prefer the use the typed |EVP_PKEY_get0_*| functions instead. diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 82fdc87b99..b8c72aae62 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -5731,6 +5731,22 @@ OPENSSL_EXPORT int SSL_set1_curves_list(SSL *ssl, const char *curves); // is intentionally not supported in AWS-LC. #define SSL_VERIFY_CLIENT_ONCE 0 +// SSL_OP_TLSEXT_PADDING is OFF by default in AWS-LC. Turning this ON in +// OpenSSL adds a padding extension to ensure the ClientHello size is never +// between 256 and 511 bytes in length. This is needed as a workaround for some +// implementations. +#define SSL_OP_TLSEXT_PADDING 0 + +// SSL_OP_SAFARI_ECDHE_ECDSA_BUG is OFF by default in AWS-LC. Turning this ON in +// OpenSSL defers ECDHE-ECDSA ciphers when the client appears to be Safari on +// OSX. OSX 10.8 ~ 10.8.3 has broken support for ECDHE-ECDSA ciphers. +#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0 + +// SSL_OP_CRYPTOPRO_TLSEXT_BUG is OFF by default in AWS-LC. Turning this ON in +// OpenSSL adds the server-hello extension from the early version of cryptopro +// draft when GOST ciphersuite is negotiated (which we don't support). +#define SSL_OP_CRYPTOPRO_TLSEXT_BUG 0 + // The following have no effect in both AWS-LC and OpenSSL. #define SSL_OP_EPHEMERAL_RSA 0 #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0