Hi,

Looking into ssl.h / s3_lib.c, I saw a change in the value of a field in SSL_CIPHER, starting with OpenSSL 1.0:

unsigned long algorithm2; /* Extra flags */

In the implementation (s3_lib.c), most of the ciphers use SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF for this flag, whereas in previous versions it was always set to 0.

What does it mean? The definitions of these constants, from ssl_locl.h, are:

/* Bits for algorithm2 (handshake digests and other extra flags) */
#define SSL_HANDSHAKE_MAC_MD5 0x10
#define SSL_HANDSHAKE_MAC_SHA 0x20
#define SSL_HANDSHAKE_MAC_GOST94 0x40
#define SSL_HANDSHAKE_MAC_DEFAULT (SSL_HANDSHAKE_MAC_MD5 | SSL_HANDSHAKE_MAC_SHA)

and:

#define TLS1_PRF_DGST_SHIFT 8
#define TLS1_PRF_MD5 (SSL_HANDSHAKE_MAC_MD5 << TLS1_PRF_DGST_SHIFT)
#define TLS1_PRF_SHA1 (SSL_HANDSHAKE_MAC_SHA << TLS1_PRF_DGST_SHIFT)
#define TLS1_PRF (TLS1_PRF_MD5 | TLS1_PRF_SHA1)

But can someone explain it better, please?

Thanks!
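
The bit layout these macros define, as an added example (not part of the original post and not OpenSSL's own code): the low-byte bits name the handshake digests, and the same bits shifted left by TLS1_PRF_DGST_SHIFT name the PRF digests, so SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF works out to 0x3030. The helper names handshake_mac_bits, prf_digest_bits and digest_names are hypothetical; only the macros come from the quoted ssl_locl.h excerpt.

```c
#include <stdio.h>
#include <string.h>
/* Macros copied from the ssl_locl.h excerpt quoted in the post. */
#define SSL_HANDSHAKE_MAC_MD5 0x10
#define SSL_HANDSHAKE_MAC_SHA 0x20
#define SSL_HANDSHAKE_MAC_GOST94 0x40
#define SSL_HANDSHAKE_MAC_DEFAULT (SSL_HANDSHAKE_MAC_MD5 | SSL_HANDSHAKE_MAC_SHA)
#define TLS1_PRF_DGST_SHIFT 8
#define TLS1_PRF_MD5 (SSL_HANDSHAKE_MAC_MD5 << TLS1_PRF_DGST_SHIFT)
#define TLS1_PRF_SHA1 (SSL_HANDSHAKE_MAC_SHA << TLS1_PRF_DGST_SHIFT)
#define TLS1_PRF (TLS1_PRF_MD5 | TLS1_PRF_SHA1)

/* Everything below is hypothetical helper code, not OpenSSL API. */
static const struct { unsigned long bit; const char *name; } DIGESTS[] = {
    { SSL_HANDSHAKE_MAC_MD5, "MD5" }, { SSL_HANDSHAKE_MAC_SHA, "SHA1" },
    { SSL_HANDSHAKE_MAC_GOST94, "GOST94" },
};

/* Handshake digest bits, taken directly from algorithm2. */
unsigned long handshake_mac_bits(unsigned long algorithm2) {
    return algorithm2 & (SSL_HANDSHAKE_MAC_DEFAULT | SSL_HANDSHAKE_MAC_GOST94);
}

/* PRF digest bits, shifted back down so they compare against SSL_HANDSHAKE_MAC_*. */
unsigned long prf_digest_bits(unsigned long algorithm2) {
    return handshake_mac_bits(algorithm2 >> TLS1_PRF_DGST_SHIFT);
}

/* Join the names of the set digest bits with '+'; empty string when none are set. */
const char *digest_names(unsigned long bits, char *buf, size_t len) {
    size_t used = 0;
    if (len == 0) return buf;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof DIGESTS / sizeof DIGESTS[0]; i++) {
        if (!(bits & DIGESTS[i].bit)) continue;
        int n = snprintf(buf + used, len - used, "%s%s", used ? "+" : "", DIGESTS[i].name);
        if (n < 0 || (size_t)n >= len - used) break; /* buffer too small: stop */
        used += (size_t)n;
    }
    return buf;
}

int main(void) {
    unsigned long v = SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF; /* 0x3030 */
    char h[32], p[32];
    printf("algorithm2=0x%lx handshake=%s prf=%s\n", v,
           digest_names(handshake_mac_bits(v), h, sizeof h), digest_names(prf_digest_bits(v), p, sizeof p));
    return 0;
}
```

A value of 0, as used before OpenSSL 1.0 according to the post, decodes to no digest bits in either half.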