diff options
author | Damien Miller <djm@cvs.openbsd.org> | 2010-10-01 22:59:02 +0000 |
---|---|---|
committer | Damien Miller <djm@cvs.openbsd.org> | 2010-10-01 22:59:02 +0000 |
commit | 367b2622e0527401666a65476f4111fdda2e3c12 (patch) | |
tree | dc507d2394eb3b616bd9eae56d17671899a24a05 /lib/libssl/s3_lib.c | |
parent | ae9cbeba0dc25f0e95e6a0e50b6c161bf6384e17 (diff) |
resolve conflicts, fix local changes
Diffstat (limited to 'lib/libssl/s3_lib.c')
-rw-r--r-- | lib/libssl/s3_lib.c | 2247 |
1 files changed, 1475 insertions, 772 deletions
diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c index 5aa7bb21da1..d6b047c9955 100644 --- a/lib/libssl/s3_lib.c +++ b/lib/libssl/s3_lib.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -121,16 +121,46 @@ * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. * */ +/* ==================================================================== + * Copyright 2005 Nokia. All rights reserved. + * + * The portions of the attached software ("Contribution") is developed by + * Nokia Corporation and is licensed pursuant to the OpenSSL open source + * license. + * + * The Contribution, originally written by Mika Kousa and Pasi Eronen of + * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites + * support (see RFC 4279) to OpenSSL. + * + * No patent licenses or other rights except those expressly stated in + * the OpenSSL open source license shall be deemed granted or received + * expressly, by implication, estoppel, or otherwise. + * + * No assurances are provided by Nokia that the Contribution does not + * infringe the patent or other intellectual property rights of any third + * party or that the license provides you with all the necessary rights + * to make use of the Contribution. + * + * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN + * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA + * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY + * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR + * OTHERWISE. + */ #include <stdio.h> #include <openssl/objects.h> #include "ssl_locl.h" #include "kssl_lcl.h" +#ifndef OPENSSL_NO_TLSEXT +#ifndef OPENSSL_NO_EC +#include "../crypto/ec/ec_lcl.h" +#endif /* OPENSSL_NO_EC */ +#endif /* OPENSSL_NO_TLSEXT */ #include <openssl/md5.h> #ifndef OPENSSL_NO_DH #include <openssl/dh.h> #endif -#include <openssl/pq_compat.h> const char ssl3_version_str[]="SSLv3" OPENSSL_VERSION_PTEXT; @@ -138,217 +168,265 @@ const char ssl3_version_str[]="SSLv3" OPENSSL_VERSION_PTEXT; /* list of available SSLv3 ciphers (sorted by id) */ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ + /* The RSA ciphers */ /* Cipher 01 */ { 1, SSL3_TXT_RSA_NULL_MD5, SSL3_CK_RSA_NULL_MD5, - SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_MD5|SSL_SSLV3, + SSL_kRSA, + SSL_aRSA, + SSL_eNULL, + SSL_MD5, + SSL_SSLV3, SSL_NOT_EXP|SSL_STRONG_NONE, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 0, 0, - 0, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 02 */ { 1, SSL3_TXT_RSA_NULL_SHA, SSL3_CK_RSA_NULL_SHA, - SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3, + SSL_kRSA, + SSL_aRSA, + SSL_eNULL, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 0, 0, - 0, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 03 */ { 1, SSL3_TXT_RSA_RC4_40_MD5, SSL3_CK_RSA_RC4_40_MD5, - SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5 |SSL_SSLV3, + SSL_kRSA, + SSL_aRSA, + SSL_RC4, + SSL_MD5, + SSL_SSLV3, SSL_EXPORT|SSL_EXP40, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 40, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 04 */ { 1, SSL3_TXT_RSA_RC4_128_MD5, SSL3_CK_RSA_RC4_128_MD5, - SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5|SSL_SSLV3, + SSL_kRSA, + SSL_aRSA, + SSL_RC4, + SSL_MD5, + SSL_SSLV3, SSL_NOT_EXP|SSL_MEDIUM, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 05 */ { 1, SSL3_TXT_RSA_RC4_128_SHA, SSL3_CK_RSA_RC4_128_SHA, - SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_SHA1|SSL_SSLV3, + SSL_kRSA, + SSL_aRSA, + SSL_RC4, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_MEDIUM, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 06 */ { 1, SSL3_TXT_RSA_RC2_40_MD5, SSL3_CK_RSA_RC2_40_MD5, - SSL_kRSA|SSL_aRSA|SSL_RC2 |SSL_MD5 |SSL_SSLV3, + SSL_kRSA, + SSL_aRSA, + SSL_RC2, + SSL_MD5, + SSL_SSLV3, SSL_EXPORT|SSL_EXP40, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 40, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 07 */ #ifndef OPENSSL_NO_IDEA { 1, SSL3_TXT_RSA_IDEA_128_SHA, SSL3_CK_RSA_IDEA_128_SHA, - SSL_kRSA|SSL_aRSA|SSL_IDEA |SSL_SHA1|SSL_SSLV3, + SSL_kRSA, + SSL_aRSA, + SSL_IDEA, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_MEDIUM, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, #endif + /* Cipher 08 */ { 1, SSL3_TXT_RSA_DES_40_CBC_SHA, SSL3_CK_RSA_DES_40_CBC_SHA, - SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3, + SSL_kRSA, + SSL_aRSA, + SSL_DES, + SSL_SHA1, + SSL_SSLV3, SSL_EXPORT|SSL_EXP40, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 40, 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 09 */ { 1, SSL3_TXT_RSA_DES_64_CBC_SHA, SSL3_CK_RSA_DES_64_CBC_SHA, - SSL_kRSA|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_SSLV3, + SSL_kRSA, + SSL_aRSA, + SSL_DES, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_LOW, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 56, 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 0A */ { 1, SSL3_TXT_RSA_DES_192_CBC3_SHA, SSL3_CK_RSA_DES_192_CBC3_SHA, - SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3, + SSL_kRSA, + SSL_aRSA, + SSL_3DES, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 168, 168, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* The DH ciphers */ /* Cipher 0B */ { 0, SSL3_TXT_DH_DSS_DES_40_CBC_SHA, SSL3_CK_DH_DSS_DES_40_CBC_SHA, - SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3, + SSL_kDHd, + SSL_aDH, + SSL_DES, + SSL_SHA1, + SSL_SSLV3, SSL_EXPORT|SSL_EXP40, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 40, 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 0C */ { - 0, + 0, /* not implemented (non-ephemeral DH) */ SSL3_TXT_DH_DSS_DES_64_CBC_SHA, SSL3_CK_DH_DSS_DES_64_CBC_SHA, - SSL_kDHd |SSL_aDH|SSL_DES |SSL_SHA1|SSL_SSLV3, + SSL_kDHd, + SSL_aDH, + SSL_DES, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_LOW, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 56, 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 0D */ { - 0, + 0, /* not implemented (non-ephemeral DH) */ SSL3_TXT_DH_DSS_DES_192_CBC3_SHA, SSL3_CK_DH_DSS_DES_192_CBC3_SHA, - SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3, + SSL_kDHd, + SSL_aDH, + SSL_3DES, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 168, 168, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 0E */ { - 0, + 0, /* not implemented (non-ephemeral DH) */ SSL3_TXT_DH_RSA_DES_40_CBC_SHA, SSL3_CK_DH_RSA_DES_40_CBC_SHA, - SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3, + SSL_kDHr, + SSL_aDH, + SSL_DES, + SSL_SHA1, + SSL_SSLV3, SSL_EXPORT|SSL_EXP40, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 40, 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 0F */ { - 0, + 0, /* not implemented (non-ephemeral DH) */ SSL3_TXT_DH_RSA_DES_64_CBC_SHA, SSL3_CK_DH_RSA_DES_64_CBC_SHA, - SSL_kDHr |SSL_aDH|SSL_DES |SSL_SHA1|SSL_SSLV3, + SSL_kDHr, + SSL_aDH, + SSL_DES, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_LOW, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 56, 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 10 */ { - 0, + 0, /* not implemented (non-ephemeral DH) */ SSL3_TXT_DH_RSA_DES_192_CBC3_SHA, SSL3_CK_DH_RSA_DES_192_CBC3_SHA, - SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3, + SSL_kDHr, + SSL_aDH, + SSL_3DES, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 168, 168, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* The Ephemeral DH ciphers */ @@ -357,158 +435,193 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_EDH_DSS_DES_40_CBC_SHA, SSL3_CK_EDH_DSS_DES_40_CBC_SHA, - SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_SSLV3, + SSL_kEDH, + SSL_aDSS, + SSL_DES, + SSL_SHA1, + SSL_SSLV3, SSL_EXPORT|SSL_EXP40, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 40, 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 12 */ { 1, SSL3_TXT_EDH_DSS_DES_64_CBC_SHA, SSL3_CK_EDH_DSS_DES_64_CBC_SHA, - SSL_kEDH|SSL_aDSS|SSL_DES |SSL_SHA1|SSL_SSLV3, + SSL_kEDH, + SSL_aDSS, + SSL_DES, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_LOW, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 56, 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 13 */ { 1, SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA, SSL3_CK_EDH_DSS_DES_192_CBC3_SHA, - SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_SSLV3, + SSL_kEDH, + SSL_aDSS, + SSL_3DES, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 168, 168, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 14 */ { 1, SSL3_TXT_EDH_RSA_DES_40_CBC_SHA, SSL3_CK_EDH_RSA_DES_40_CBC_SHA, - SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3, + SSL_kEDH, + SSL_aRSA, + SSL_DES, + SSL_SHA1, + SSL_SSLV3, SSL_EXPORT|SSL_EXP40, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 40, 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 15 */ { 1, SSL3_TXT_EDH_RSA_DES_64_CBC_SHA, SSL3_CK_EDH_RSA_DES_64_CBC_SHA, - SSL_kEDH|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_SSLV3, + SSL_kEDH, + SSL_aRSA, + SSL_DES, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_LOW, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 56, 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 16 */ { 1, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, SSL3_CK_EDH_RSA_DES_192_CBC3_SHA, - SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3, + SSL_kEDH, + SSL_aRSA, + SSL_3DES, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 168, 168, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 17 */ { 1, SSL3_TXT_ADH_RC4_40_MD5, SSL3_CK_ADH_RC4_40_MD5, - SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_SSLV3, + SSL_kEDH, + SSL_aNULL, + SSL_RC4, + SSL_MD5, + SSL_SSLV3, SSL_EXPORT|SSL_EXP40, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 40, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 18 */ { 1, SSL3_TXT_ADH_RC4_128_MD5, SSL3_CK_ADH_RC4_128_MD5, - SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_SSLV3, + SSL_kEDH, + SSL_aNULL, + SSL_RC4, + SSL_MD5, + SSL_SSLV3, SSL_NOT_EXP|SSL_MEDIUM, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 19 */ { 1, SSL3_TXT_ADH_DES_40_CBC_SHA, SSL3_CK_ADH_DES_40_CBC_SHA, - SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_SSLV3, + SSL_kEDH, + SSL_aNULL, + SSL_DES, + SSL_SHA1, + SSL_SSLV3, SSL_EXPORT|SSL_EXP40, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 40, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 1A */ { 1, SSL3_TXT_ADH_DES_64_CBC_SHA, SSL3_CK_ADH_DES_64_CBC_SHA, - SSL_kEDH |SSL_aNULL|SSL_DES |SSL_SHA1|SSL_SSLV3, + SSL_kEDH, + SSL_aNULL, + SSL_DES, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_LOW, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 56, 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 1B */ { 1, SSL3_TXT_ADH_DES_192_CBC_SHA, SSL3_CK_ADH_DES_192_CBC_SHA, - SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3, + SSL_kEDH, + SSL_aNULL, + SSL_3DES, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 168, 168, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, -/* Fortezza */ +/* Fortezza ciphersuite from SSL 3.0 spec */ +#if 0 /* Cipher 1C */ { 0, SSL3_TXT_FZA_DMS_NULL_SHA, SSL3_CK_FZA_DMS_NULL_SHA, - SSL_kFZA|SSL_aFZA |SSL_eNULL |SSL_SHA1|SSL_SSLV3, + SSL_kFZA, + SSL_aFZA, + SSL_eNULL, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_STRONG_NONE, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 0, 0, - 0, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 1D */ @@ -516,45 +629,50 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 0, SSL3_TXT_FZA_DMS_FZA_SHA, SSL3_CK_FZA_DMS_FZA_SHA, - SSL_kFZA|SSL_aFZA |SSL_eFZA |SSL_SHA1|SSL_SSLV3, + SSL_kFZA, + SSL_aFZA, + SSL_eFZA, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_STRONG_NONE, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 0, 0, - 0, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, -#if 0 /* Cipher 1E */ { 0, SSL3_TXT_FZA_DMS_RC4_SHA, SSL3_CK_FZA_DMS_RC4_SHA, - SSL_kFZA|SSL_aFZA |SSL_RC4 |SSL_SHA1|SSL_SSLV3, + SSL_kFZA, + SSL_aFZA, + SSL_RC4, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_MEDIUM, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, #endif #ifndef OPENSSL_NO_KRB5 -/* The Kerberos ciphers */ +/* The Kerberos ciphers*/ /* Cipher 1E */ { 1, SSL3_TXT_KRB5_DES_64_CBC_SHA, SSL3_CK_KRB5_DES_64_CBC_SHA, - SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3, + SSL_kKRB5, + SSL_aKRB5, + SSL_DES, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_LOW, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 56, 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 1F */ @@ -562,13 +680,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_KRB5_DES_192_CBC3_SHA, SSL3_CK_KRB5_DES_192_CBC3_SHA, - SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_SHA1 |SSL_SSLV3, + SSL_kKRB5, + SSL_aKRB5, + SSL_3DES, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 168, 168, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 20 */ @@ -576,13 +696,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_KRB5_RC4_128_SHA, SSL3_CK_KRB5_RC4_128_SHA, - SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_SHA1 |SSL_SSLV3, + SSL_kKRB5, + SSL_aKRB5, + SSL_RC4, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_MEDIUM, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 21 */ @@ -590,13 +712,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_KRB5_IDEA_128_CBC_SHA, SSL3_CK_KRB5_IDEA_128_CBC_SHA, - SSL_kKRB5|SSL_aKRB5| SSL_IDEA|SSL_SHA1 |SSL_SSLV3, + SSL_kKRB5, + SSL_aKRB5, + SSL_IDEA, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_MEDIUM, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 22 */ @@ -604,13 +728,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_KRB5_DES_64_CBC_MD5, SSL3_CK_KRB5_DES_64_CBC_MD5, - SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_MD5 |SSL_SSLV3, + SSL_kKRB5, + SSL_aKRB5, + SSL_DES, + SSL_MD5, + SSL_SSLV3, SSL_NOT_EXP|SSL_LOW, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 56, 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 23 */ @@ -618,13 +744,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_KRB5_DES_192_CBC3_MD5, SSL3_CK_KRB5_DES_192_CBC3_MD5, - SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_MD5 |SSL_SSLV3, + SSL_kKRB5, + SSL_aKRB5, + SSL_3DES, + SSL_MD5, + SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 168, 168, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 24 */ @@ -632,13 +760,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_KRB5_RC4_128_MD5, SSL3_CK_KRB5_RC4_128_MD5, - SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_MD5 |SSL_SSLV3, + SSL_kKRB5, + SSL_aKRB5, + SSL_RC4, + SSL_MD5, + SSL_SSLV3, SSL_NOT_EXP|SSL_MEDIUM, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 25 */ @@ -646,13 +776,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_KRB5_IDEA_128_CBC_MD5, SSL3_CK_KRB5_IDEA_128_CBC_MD5, - SSL_kKRB5|SSL_aKRB5| SSL_IDEA|SSL_MD5 |SSL_SSLV3, + SSL_kKRB5, + SSL_aKRB5, + SSL_IDEA, + SSL_MD5, + SSL_SSLV3, SSL_NOT_EXP|SSL_MEDIUM, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 26 */ @@ -660,13 +792,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_KRB5_DES_40_CBC_SHA, SSL3_CK_KRB5_DES_40_CBC_SHA, - SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3, + SSL_kKRB5, + SSL_aKRB5, + SSL_DES, + SSL_SHA1, + SSL_SSLV3, SSL_EXPORT|SSL_EXP40, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 40, 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 27 */ @@ -674,13 +808,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_KRB5_RC2_40_CBC_SHA, SSL3_CK_KRB5_RC2_40_CBC_SHA, - SSL_kKRB5|SSL_aKRB5| SSL_RC2|SSL_SHA1 |SSL_SSLV3, + SSL_kKRB5, + SSL_aKRB5, + SSL_RC2, + SSL_SHA1, + SSL_SSLV3, SSL_EXPORT|SSL_EXP40, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 40, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 28 */ @@ -688,13 +824,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_KRB5_RC4_40_SHA, SSL3_CK_KRB5_RC4_40_SHA, - SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_SHA1 |SSL_SSLV3, + SSL_kKRB5, + SSL_aKRB5, + SSL_RC4, + SSL_SHA1, + SSL_SSLV3, SSL_EXPORT|SSL_EXP40, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 40, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 29 */ @@ -702,13 +840,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_KRB5_DES_40_CBC_MD5, SSL3_CK_KRB5_DES_40_CBC_MD5, - SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_MD5 |SSL_SSLV3, + SSL_kKRB5, + SSL_aKRB5, + SSL_DES, + SSL_MD5, + SSL_SSLV3, SSL_EXPORT|SSL_EXP40, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 40, 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 2A */ @@ -716,13 +856,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_KRB5_RC2_40_CBC_MD5, SSL3_CK_KRB5_RC2_40_CBC_MD5, - SSL_kKRB5|SSL_aKRB5| SSL_RC2|SSL_MD5 |SSL_SSLV3, + SSL_kKRB5, + SSL_aKRB5, + SSL_RC2, + SSL_MD5, + SSL_SSLV3, SSL_EXPORT|SSL_EXP40, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 40, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 2B */ @@ -730,13 +872,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_KRB5_RC4_40_MD5, SSL3_CK_KRB5_RC4_40_MD5, - SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_MD5 |SSL_SSLV3, + SSL_kKRB5, + SSL_aKRB5, + SSL_RC4, + SSL_MD5, + SSL_SSLV3, SSL_EXPORT|SSL_EXP40, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 40, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, #endif /* OPENSSL_NO_KRB5 */ @@ -746,78 +890,90 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, TLS1_TXT_RSA_WITH_AES_128_SHA, TLS1_CK_RSA_WITH_AES_128_SHA, - SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1, + SSL_kRSA, + SSL_aRSA, + SSL_AES128, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 30 */ { 0, TLS1_TXT_DH_DSS_WITH_AES_128_SHA, TLS1_CK_DH_DSS_WITH_AES_128_SHA, - SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_kDHd, + SSL_aDH, + SSL_AES128, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 31 */ { 0, TLS1_TXT_DH_RSA_WITH_AES_128_SHA, TLS1_CK_DH_RSA_WITH_AES_128_SHA, - SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_kDHr, + SSL_aDH, + SSL_AES128, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 32 */ { 1, TLS1_TXT_DHE_DSS_WITH_AES_128_SHA, TLS1_CK_DHE_DSS_WITH_AES_128_SHA, - SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_kEDH, + SSL_aDSS, + SSL_AES128, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 33 */ { 1, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, TLS1_CK_DHE_RSA_WITH_AES_128_SHA, - SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_kEDH, + SSL_aRSA, + SSL_AES128, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 34 */ { 1, TLS1_TXT_ADH_WITH_AES_128_SHA, TLS1_CK_ADH_WITH_AES_128_SHA, - SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_kEDH, + SSL_aNULL, + SSL_AES128, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 35 */ @@ -825,78 +981,94 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, TLS1_TXT_RSA_WITH_AES_256_SHA, TLS1_CK_RSA_WITH_AES_256_SHA, - SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1, + SSL_kRSA, + SSL_aRSA, + SSL_AES256, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, 256, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 36 */ { 0, TLS1_TXT_DH_DSS_WITH_AES_256_SHA, TLS1_CK_DH_DSS_WITH_AES_256_SHA, - SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_kDHd, + SSL_aDH, + SSL_AES256, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, 256, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 37 */ { - 0, + 0, /* not implemented (non-ephemeral DH) */ TLS1_TXT_DH_RSA_WITH_AES_256_SHA, TLS1_CK_DH_RSA_WITH_AES_256_SHA, - SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_kDHr, + SSL_aDH, + SSL_AES256, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, 256, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 38 */ { 1, TLS1_TXT_DHE_DSS_WITH_AES_256_SHA, TLS1_CK_DHE_DSS_WITH_AES_256_SHA, - SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_kEDH, + SSL_aDSS, + SSL_AES256, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, 256, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 39 */ { 1, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, TLS1_CK_DHE_RSA_WITH_AES_256_SHA, - SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_kEDH, + SSL_aRSA, + SSL_AES256, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, 256, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 3A */ { 1, TLS1_TXT_ADH_WITH_AES_256_SHA, TLS1_CK_ADH_WITH_AES_256_SHA, - SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_kEDH, + SSL_aNULL, + SSL_AES256, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, 256, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, #ifndef OPENSSL_NO_CAMELLIA @@ -907,78 +1079,95 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA, TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA, - SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, + SSL_kRSA, + SSL_aRSA, + SSL_CAMELLIA128, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS }, + /* Cipher 42 */ { 0, /* not implemented (non-ephemeral DH) */ TLS1_TXT_DH_DSS_WITH_CAMELLIA_128_CBC_SHA, TLS1_CK_DH_DSS_WITH_CAMELLIA_128_CBC_SHA, - SSL_kDHd|SSL_aDH|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, + SSL_kDHd, + SSL_aDH, + SSL_CAMELLIA128, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS }, + /* Cipher 43 */ { 0, /* not implemented (non-ephemeral DH) */ TLS1_TXT_DH_RSA_WITH_CAMELLIA_128_CBC_SHA, TLS1_CK_DH_RSA_WITH_CAMELLIA_128_CBC_SHA, - SSL_kDHr|SSL_aDH|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, + SSL_kDHr, + SSL_aDH, + SSL_CAMELLIA128, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS }, + /* Cipher 44 */ { 1, TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, TLS1_CK_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, - SSL_kEDH|SSL_aDSS|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, + SSL_kEDH, + SSL_aDSS, + SSL_CAMELLIA128, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS }, + /* Cipher 45 */ { 1, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, - SSL_kEDH|SSL_aRSA|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, + SSL_kEDH, + SSL_aRSA, + SSL_CAMELLIA128, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS }, + /* Cipher 46 */ { 1, TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA, TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA, - SSL_kEDH|SSL_aNULL|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, + SSL_kEDH, + SSL_aNULL, + SSL_CAMELLIA128, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS }, #endif /* OPENSSL_NO_CAMELLIA */ @@ -986,98 +1175,174 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ /* New TLS Export CipherSuites from expired ID */ #if 0 /* Cipher 60 */ - { - 1, - TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5, - TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5, - SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_TLSV1, - SSL_EXPORT|SSL_EXP56, - 0, - 56, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5, + TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5, + SSL_kRSA, + SSL_aRSA, + SSL_RC4, + SSL_MD5, + SSL_TLSV1, + SSL_EXPORT|SSL_EXP56, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 56, + 128, + }, + /* Cipher 61 */ - { - 1, - TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, - TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, - SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_TLSV1, - SSL_EXPORT|SSL_EXP56, - 0, - 56, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, + TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, + SSL_kRSA, + SSL_aRSA, + SSL_RC2, + SSL_MD5, + SSL_TLSV1, + SSL_EXPORT|SSL_EXP56, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 56, + 128, + }, #endif + /* Cipher 62 */ - { - 1, - TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA, - TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA, - SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_TLSV1, - SSL_EXPORT|SSL_EXP56, - 0, - 56, - 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA, + TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA, + SSL_kRSA, + SSL_aRSA, + SSL_DES, + SSL_SHA1, + SSL_TLSV1, + SSL_EXPORT|SSL_EXP56, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 56, + 56, + }, + /* Cipher 63 */ - { - 1, - TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, - TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, - SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_TLSV1, - SSL_EXPORT|SSL_EXP56, - 0, - 56, - 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, + TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, + SSL_kEDH, + SSL_aDSS, + SSL_DES, + SSL_SHA1, + SSL_TLSV1, + SSL_EXPORT|SSL_EXP56, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 56, + 56, + }, + /* Cipher 64 */ - { - 1, - TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA, - TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA, - SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1, - SSL_EXPORT|SSL_EXP56, - 0, - 56, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA, + TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA, + SSL_kRSA, + SSL_aRSA, + SSL_RC4, + SSL_SHA1, + SSL_TLSV1, + SSL_EXPORT|SSL_EXP56, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 56, + 128, + }, + /* Cipher 65 */ - { - 1, - TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, - TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, - SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1, - SSL_EXPORT|SSL_EXP56, - 0, - 56, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, + TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, + SSL_kEDH, + SSL_aDSS, + SSL_RC4, + SSL_SHA1, + SSL_TLSV1, + SSL_EXPORT|SSL_EXP56, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 56, + 128, + }, + /* Cipher 66 */ - { - 1, - TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA, - TLS1_CK_DHE_DSS_WITH_RC4_128_SHA, - SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_MEDIUM, - 0, - 128, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS - }, + { + 1, + TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA, + TLS1_CK_DHE_DSS_WITH_RC4_128_SHA, + SSL_kEDH, + SSL_aDSS, + SSL_RC4, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_MEDIUM, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 128, + 128, + }, #endif + { + 1, + "GOST94-GOST89-GOST89", + 0x3000080, + SSL_kGOST, + SSL_aGOST94, + SSL_eGOST2814789CNT, + SSL_GOST89MAC, + SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94|TLS1_STREAM_MAC, + 256, + 256 + }, + { + 1, + "GOST2001-GOST89-GOST89", + 0x3000081, + SSL_kGOST, + SSL_aGOST01, + SSL_eGOST2814789CNT, + SSL_GOST89MAC, + SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94|TLS1_STREAM_MAC, + 256, + 256 + }, + { + 1, + "GOST94-NULL-GOST94", + 0x3000082, + SSL_kGOST, + SSL_aGOST94, + SSL_eNULL, + SSL_GOST94, + SSL_TLSV1, + SSL_NOT_EXP|SSL_STRONG_NONE, + SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94, + 0, + 0 + }, + { + 1, + "GOST2001-NULL-GOST94", + 0x3000083, + SSL_kGOST, + SSL_aGOST01, + SSL_eNULL, + SSL_GOST94, + SSL_TLSV1, + SSL_NOT_EXP|SSL_STRONG_NONE, + SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94, + 0, + 0 + }, #ifndef OPENSSL_NO_CAMELLIA /* Camellia ciphersuites from RFC4132 (256-bit portion) */ @@ -1087,81 +1352,163 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA, TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA, - SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, + SSL_kRSA, + SSL_aRSA, + SSL_CAMELLIA256, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, 256, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS }, /* Cipher 85 */ { 0, /* not implemented (non-ephemeral DH) */ TLS1_TXT_DH_DSS_WITH_CAMELLIA_256_CBC_SHA, TLS1_CK_DH_DSS_WITH_CAMELLIA_256_CBC_SHA, - SSL_kDHd|SSL_aDH|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, + SSL_kDHd, + SSL_aDH, + SSL_CAMELLIA256, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, 256, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS }, + /* Cipher 86 */ { 0, /* not implemented (non-ephemeral DH) */ TLS1_TXT_DH_RSA_WITH_CAMELLIA_256_CBC_SHA, TLS1_CK_DH_RSA_WITH_CAMELLIA_256_CBC_SHA, - SSL_kDHr|SSL_aDH|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, + SSL_kDHr, + SSL_aDH, + SSL_CAMELLIA256, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, 256, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS }, + /* Cipher 87 */ { 1, TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, TLS1_CK_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, - SSL_kEDH|SSL_aDSS|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, + SSL_kEDH, + SSL_aDSS, + SSL_CAMELLIA256, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, 256, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS }, + /* Cipher 88 */ { 1, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, - SSL_kEDH|SSL_aRSA|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, + SSL_kEDH, + SSL_aRSA, + SSL_CAMELLIA256, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, 256, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS }, + /* Cipher 89 */ { 1, TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA, TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA, - SSL_kEDH|SSL_aNULL|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, + SSL_kEDH, + SSL_aNULL, + SSL_CAMELLIA256, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, 256, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS }, #endif /* OPENSSL_NO_CAMELLIA */ +#ifndef OPENSSL_NO_PSK + /* Cipher 8A */ + { + 1, + TLS1_TXT_PSK_WITH_RC4_128_SHA, + TLS1_CK_PSK_WITH_RC4_128_SHA, + SSL_kPSK, + SSL_aPSK, + SSL_RC4, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_MEDIUM, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 128, + 128, + }, + + /* Cipher 8B */ + { + 1, + TLS1_TXT_PSK_WITH_3DES_EDE_CBC_SHA, + TLS1_CK_PSK_WITH_3DES_EDE_CBC_SHA, + SSL_kPSK, + SSL_aPSK, + SSL_3DES, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 168, + 168, + }, + + /* Cipher 8C */ + { + 1, + TLS1_TXT_PSK_WITH_AES_128_CBC_SHA, + TLS1_CK_PSK_WITH_AES_128_CBC_SHA, + SSL_kPSK, + SSL_aPSK, + SSL_AES128, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 128, + 128, + }, + + /* Cipher 8D */ + { + 1, + TLS1_TXT_PSK_WITH_AES_256_CBC_SHA, + TLS1_CK_PSK_WITH_AES_256_CBC_SHA, + SSL_kPSK, + SSL_aPSK, + SSL_AES256, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 256, + 256, + }, +#endif /* OPENSSL_NO_PSK */ + #ifndef OPENSSL_NO_SEED /* SEED ciphersuites from RFC4162 */ @@ -1170,13 +1517,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, TLS1_TXT_RSA_WITH_SEED_SHA, TLS1_CK_RSA_WITH_SEED_SHA, - SSL_kRSA|SSL_aRSA|SSL_SEED|SSL_SHA1|SSL_TLSV1, + SSL_kRSA, + SSL_aRSA, + SSL_SEED, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_MEDIUM, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 97 */ @@ -1184,13 +1533,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 0, /* not implemented (non-ephemeral DH) */ TLS1_TXT_DH_DSS_WITH_SEED_SHA, TLS1_CK_DH_DSS_WITH_SEED_SHA, - SSL_kDHd|SSL_aDH|SSL_SEED|SSL_SHA1|SSL_TLSV1, + SSL_kDHd, + SSL_aDH, + SSL_SEED, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_MEDIUM, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 98 */ @@ -1198,13 +1549,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 0, /* not implemented (non-ephemeral DH) */ TLS1_TXT_DH_RSA_WITH_SEED_SHA, TLS1_CK_DH_RSA_WITH_SEED_SHA, - SSL_kDHr|SSL_aDH|SSL_SEED|SSL_SHA1|SSL_TLSV1, + SSL_kDHr, + SSL_aDH, + SSL_SEED, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_MEDIUM, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 99 */ @@ -1212,13 +1565,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, TLS1_TXT_DHE_DSS_WITH_SEED_SHA, TLS1_CK_DHE_DSS_WITH_SEED_SHA, - SSL_kEDH|SSL_aDSS|SSL_SEED|SSL_SHA1|SSL_TLSV1, + SSL_kEDH, + SSL_aDSS, + SSL_SEED, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_MEDIUM, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 9A */ @@ -1226,13 +1581,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, TLS1_TXT_DHE_RSA_WITH_SEED_SHA, TLS1_CK_DHE_RSA_WITH_SEED_SHA, - SSL_kEDH|SSL_aRSA|SSL_SEED|SSL_SHA1|SSL_TLSV1, + SSL_kEDH, + SSL_aRSA, + SSL_SEED, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_MEDIUM, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 9B */ @@ -1240,376 +1597,487 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, TLS1_TXT_ADH_WITH_SEED_SHA, TLS1_CK_ADH_WITH_SEED_SHA, - SSL_kEDH|SSL_aNULL|SSL_SEED|SSL_SHA1|SSL_TLSV1, + SSL_kEDH, + SSL_aNULL, + SSL_SEED, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_MEDIUM, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, #endif /* OPENSSL_NO_SEED */ #ifndef OPENSSL_NO_ECDH /* Cipher C001 */ - { - 1, - TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA, - TLS1_CK_ECDH_ECDSA_WITH_NULL_SHA, - SSL_kECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP, - 0, - 0, - 0, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA, + TLS1_CK_ECDH_ECDSA_WITH_NULL_SHA, + SSL_kECDHe, + SSL_aECDH, + SSL_eNULL, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_STRONG_NONE, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 0, + 0, + }, /* Cipher C002 */ - { - 1, - TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA, - TLS1_CK_ECDH_ECDSA_WITH_RC4_128_SHA, - SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP, - 0, - 128, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA, + TLS1_CK_ECDH_ECDSA_WITH_RC4_128_SHA, + SSL_kECDHe, + SSL_aECDH, + SSL_RC4, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_MEDIUM, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 128, + 128, + }, /* Cipher C003 */ - { - 1, - TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA, - TLS1_CK_ECDH_ECDSA_WITH_DES_192_CBC3_SHA, - SSL_kECDH|SSL_aECDSA|SSL_3DES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - 0, - 168, - 168, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA, + TLS1_CK_ECDH_ECDSA_WITH_DES_192_CBC3_SHA, + SSL_kECDHe, + SSL_aECDH, + SSL_3DES, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 168, + 168, + }, /* Cipher C004 */ - { - 1, - TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA, - TLS1_CK_ECDH_ECDSA_WITH_AES_128_CBC_SHA, - SSL_kECDH|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - 0, - 128, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA, + TLS1_CK_ECDH_ECDSA_WITH_AES_128_CBC_SHA, + SSL_kECDHe, + SSL_aECDH, + SSL_AES128, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 128, + 128, + }, /* Cipher C005 */ - { - 1, - TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA, - TLS1_CK_ECDH_ECDSA_WITH_AES_256_CBC_SHA, - SSL_kECDH|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - 0, - 256, - 256, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA, + TLS1_CK_ECDH_ECDSA_WITH_AES_256_CBC_SHA, + SSL_kECDHe, + SSL_aECDH, + SSL_AES256, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 256, + 256, + }, /* Cipher C006 */ - { - 1, - TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA, - TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA, - SSL_kECDHE|SSL_aECDSA|SSL_eNULL|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP, - 0, - 0, - 0, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA, + TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA, + SSL_kEECDH, + SSL_aECDSA, + SSL_eNULL, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_STRONG_NONE, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 0, + 0, + }, /* Cipher C007 */ - { - 1, - TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA, - TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA, - SSL_kECDHE|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP, - 0, - 128, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA, + TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA, + SSL_kEECDH, + SSL_aECDSA, + SSL_RC4, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_MEDIUM, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 128, + 128, + }, /* Cipher C008 */ - { - 1, - TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, - TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, - SSL_kECDHE|SSL_aECDSA|SSL_3DES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - 0, - 168, - 168, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, + TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, + SSL_kEECDH, + SSL_aECDSA, + SSL_3DES, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 168, + 168, + }, /* Cipher C009 */ - { - 1, - TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, - TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, - SSL_kECDHE|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - 0, - 128, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + SSL_kEECDH, + SSL_aECDSA, + SSL_AES128, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 128, + 128, + }, /* Cipher C00A */ - { - 1, - TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, - TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, - SSL_kECDHE|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - 0, - 256, - 256, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + SSL_kEECDH, + SSL_aECDSA, + SSL_AES256, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 256, + 256, + }, /* Cipher C00B */ - { - 1, - TLS1_TXT_ECDH_RSA_WITH_NULL_SHA, - TLS1_CK_ECDH_RSA_WITH_NULL_SHA, - SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP, - 0, - 0, - 0, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_ECDH_RSA_WITH_NULL_SHA, + TLS1_CK_ECDH_RSA_WITH_NULL_SHA, + SSL_kECDHr, + SSL_aECDH, + SSL_eNULL, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_STRONG_NONE, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 0, + 0, + }, /* Cipher C00C */ - { - 1, - TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA, - TLS1_CK_ECDH_RSA_WITH_RC4_128_SHA, - SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP, - 0, - 128, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA, + TLS1_CK_ECDH_RSA_WITH_RC4_128_SHA, + SSL_kECDHr, + SSL_aECDH, + SSL_RC4, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_MEDIUM, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 128, + 128, + }, /* Cipher C00D */ - { - 1, - TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA, - TLS1_CK_ECDH_RSA_WITH_DES_192_CBC3_SHA, - SSL_kECDH|SSL_aRSA|SSL_3DES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - 0, - 168, - 168, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA, + TLS1_CK_ECDH_RSA_WITH_DES_192_CBC3_SHA, + SSL_kECDHr, + SSL_aECDH, + SSL_3DES, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 168, + 168, + }, /* Cipher C00E */ - { - 1, - TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA, - TLS1_CK_ECDH_RSA_WITH_AES_128_CBC_SHA, - SSL_kECDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - 0, - 128, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA, + TLS1_CK_ECDH_RSA_WITH_AES_128_CBC_SHA, + SSL_kECDHr, + SSL_aECDH, + SSL_AES128, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 128, + 128, + }, /* Cipher C00F */ - { - 1, - TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA, - TLS1_CK_ECDH_RSA_WITH_AES_256_CBC_SHA, - SSL_kECDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - 0, - 256, - 256, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA, + TLS1_CK_ECDH_RSA_WITH_AES_256_CBC_SHA, + SSL_kECDHr, + SSL_aECDH, + SSL_AES256, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 256, + 256, + }, /* Cipher C010 */ - { - 1, - TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA, - TLS1_CK_ECDHE_RSA_WITH_NULL_SHA, - SSL_kECDHE|SSL_aRSA|SSL_eNULL|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP, - 0, - 0, - 0, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA, + TLS1_CK_ECDHE_RSA_WITH_NULL_SHA, + SSL_kEECDH, + SSL_aRSA, + SSL_eNULL, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_STRONG_NONE, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 0, + 0, + }, /* Cipher C011 */ - { - 1, - TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA, - TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA, - SSL_kECDHE|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP, - 0, - 128, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA, + TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA, + SSL_kEECDH, + SSL_aRSA, + SSL_RC4, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_MEDIUM, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 128, + 128, + }, /* Cipher C012 */ - { - 1, - TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA, - TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA, - SSL_kECDHE|SSL_aRSA|SSL_3DES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - 0, - 168, - 168, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA, + TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA, + SSL_kEECDH, + SSL_aRSA, + SSL_3DES, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 168, + 168, + }, /* Cipher C013 */ - { - 1, - TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA, - TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, - SSL_kECDHE|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - 0, - 128, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA, + TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, + SSL_kEECDH, + SSL_aRSA, + SSL_AES128, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 128, + 128, + }, /* Cipher C014 */ - { - 1, - TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA, - TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, - SSL_kECDHE|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - 0, - 256, - 256, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA, + TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, + SSL_kEECDH, + SSL_aRSA, + SSL_AES256, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 256, + 256, + }, /* Cipher C015 */ - { - 1, - TLS1_TXT_ECDH_anon_WITH_NULL_SHA, - TLS1_CK_ECDH_anon_WITH_NULL_SHA, - SSL_kECDHE|SSL_aNULL|SSL_eNULL|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP, - 0, - 0, - 0, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_ECDH_anon_WITH_NULL_SHA, + TLS1_CK_ECDH_anon_WITH_NULL_SHA, + SSL_kEECDH, + SSL_aNULL, + SSL_eNULL, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_STRONG_NONE, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 0, + 0, + }, /* Cipher C016 */ - { - 1, - TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA, - TLS1_CK_ECDH_anon_WITH_RC4_128_SHA, - SSL_kECDHE|SSL_aNULL|SSL_RC4|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP, - 0, - 128, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA, + TLS1_CK_ECDH_anon_WITH_RC4_128_SHA, + SSL_kEECDH, + SSL_aNULL, + SSL_RC4, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_MEDIUM, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 128, + 128, + }, /* Cipher C017 */ - { - 1, - TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA, - TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA, - SSL_kECDHE|SSL_aNULL|SSL_3DES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - 0, - 168, - 168, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA, + TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA, + SSL_kEECDH, + SSL_aNULL, + SSL_3DES, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 168, + 168, + }, /* Cipher C018 */ - { - 1, - TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA, - TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA, - SSL_kECDHE|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - 0, - 128, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA, + TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA, + SSL_kEECDH, + SSL_aNULL, + SSL_AES128, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 128, + 128, + }, /* Cipher C019 */ - { - 1, - TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA, - TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA, - SSL_kECDHE|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - 0, - 256, - 256, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA, + TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA, + SSL_kEECDH, + SSL_aNULL, + SSL_AES256, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 256, + 256, + }, #endif /* OPENSSL_NO_ECDH */ +#ifdef TEMP_GOST_TLS +/* Cipher FF00 */ + { + 1, + "GOST-MD5", + 0x0300ff00, + SSL_kRSA, + SSL_aRSA, + SSL_eGOST2814789CNT, + SSL_MD5, + SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 256, + 256, + }, + { + 1, + "GOST-GOST94", + 0x0300ff01, + SSL_kRSA, + SSL_aRSA, + SSL_eGOST2814789CNT, + SSL_GOST94, + SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 256, + 256 + }, + { + 1, + "GOST-GOST89MAC", + 0x0300ff02, + SSL_kRSA, + SSL_aRSA, + SSL_eGOST2814789CNT, + SSL_GOST89MAC, + SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 256, + 256 + }, + { + 1, + "GOST-GOST89STREAM", + 0x0300ff03, + SSL_kRSA, + SSL_aRSA, + SSL_eGOST2814789CNT, + SSL_GOST89MAC, + SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF|TLS1_STREAM_MAC, + 256, + 256 + }, +#endif /* end of list */ }; SSL3_ENC_METHOD SSLv3_enc_data={ ssl3_enc, - ssl3_mac, + n_ssl3_mac, ssl3_setup_key_block, ssl3_generate_master_secret, ssl3_change_cipher_state, @@ -1628,17 +2096,12 @@ long ssl3_default_timeout(void) return(60*60*2); } -IMPLEMENT_ssl3_meth_func(sslv3_base_method, - ssl_undefined_function, - ssl_undefined_function, - ssl_bad_method) - int ssl3_num_ciphers(void) { return(SSL3_NUM_CIPHERS); } -SSL_CIPHER *ssl3_get_cipher(unsigned int u) +const SSL_CIPHER *ssl3_get_cipher(unsigned int u) { if (u < SSL3_NUM_CIPHERS) return(&(ssl3_ciphers[SSL3_NUM_CIPHERS-1-u])); @@ -1660,10 +2123,8 @@ int ssl3_new(SSL *s) if ((s3=OPENSSL_malloc(sizeof *s3)) == NULL) goto err; memset(s3,0,sizeof *s3); - EVP_MD_CTX_init(&s3->finish_dgst1); - EVP_MD_CTX_init(&s3->finish_dgst2); - pq_64bit_init(&(s3->rrec.seq_num)); - pq_64bit_init(&(s3->wrec.seq_num)); + memset(s3->rrec.seq_num,0,sizeof(s3->rrec.seq_num)); + memset(s3->wrec.seq_num,0,sizeof(s3->wrec.seq_num)); s->s3=s3; @@ -1678,11 +2139,18 @@ void ssl3_free(SSL *s) if(s == NULL) return; +#ifdef TLSEXT_TYPE_opaque_prf_input + if (s->s3->client_opaque_prf_input != NULL) + OPENSSL_free(s->s3->client_opaque_prf_input); + if (s->s3->server_opaque_prf_input != NULL) + OPENSSL_free(s->s3->server_opaque_prf_input); +#endif + ssl3_cleanup_key_block(s); if (s->s3->rbuf.buf != NULL) - OPENSSL_free(s->s3->rbuf.buf); + ssl3_release_read_buffer(s); if (s->s3->wbuf.buf != NULL) - OPENSSL_free(s->s3->wbuf.buf); + ssl3_release_write_buffer(s); if (s->s3->rrec.comp != NULL) OPENSSL_free(s->s3->rrec.comp); #ifndef OPENSSL_NO_DH @@ -1696,11 +2164,10 @@ void ssl3_free(SSL *s) if (s->s3->tmp.ca_names != NULL) sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); - EVP_MD_CTX_cleanup(&s->s3->finish_dgst1); - EVP_MD_CTX_cleanup(&s->s3->finish_dgst2); - pq_64bit_free(&(s->s3->rrec.seq_num)); - pq_64bit_free(&(s->s3->wrec.seq_num)); - + if (s->s3->handshake_buffer) { + BIO_free(s->s3->handshake_buffer); + } + if (s->s3->handshake_dgst) ssl3_free_digest_list(s); OPENSSL_cleanse(s->s3,sizeof *s->s3); OPENSSL_free(s->s3); s->s3=NULL; @@ -1711,6 +2178,15 @@ void ssl3_clear(SSL *s) unsigned char *rp,*wp; size_t rlen, wlen; +#ifdef TLSEXT_TYPE_opaque_prf_input + if (s->s3->client_opaque_prf_input != NULL) + OPENSSL_free(s->s3->client_opaque_prf_input); + s->s3->client_opaque_prf_input = NULL; + if (s->s3->server_opaque_prf_input != NULL) + OPENSSL_free(s->s3->server_opaque_prf_input); + s->s3->server_opaque_prf_input = NULL; +#endif + ssl3_cleanup_key_block(s); if (s->s3->tmp.ca_names != NULL) sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); @@ -1733,10 +2209,13 @@ void ssl3_clear(SSL *s) wp = s->s3->wbuf.buf; rlen = s->s3->rbuf.len; wlen = s->s3->wbuf.len; - - EVP_MD_CTX_cleanup(&s->s3->finish_dgst1); - EVP_MD_CTX_cleanup(&s->s3->finish_dgst2); - + if (s->s3->handshake_buffer) { + BIO_free(s->s3->handshake_buffer); + s->s3->handshake_buffer = NULL; + } + if (s->s3->handshake_dgst) { + ssl3_free_digest_list(s); + } memset(s->s3,0,sizeof *s->s3); s->s3->rbuf.buf = rp; s->s3->wbuf.buf = wp; @@ -1936,7 +2415,31 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) s->tlsext_debug_arg=parg; ret = 1; break; - + +#ifdef TLSEXT_TYPE_opaque_prf_input + case SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT: + if (larg > 12288) /* actual internal limit is 2^16 for the complete hello message + * (including the cert chain and everything) */ + { + SSLerr(SSL_F_SSL3_CTRL, SSL_R_OPAQUE_PRF_INPUT_TOO_LONG); + break; + } + if (s->tlsext_opaque_prf_input != NULL) + OPENSSL_free(s->tlsext_opaque_prf_input); + if ((size_t)larg == 0) + s->tlsext_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ + else + s->tlsext_opaque_prf_input = BUF_memdup(parg, (size_t)larg); + if (s->tlsext_opaque_prf_input != NULL) + { + s->tlsext_opaque_prf_input_len = (size_t)larg; + ret = 1; + } + else + s->tlsext_opaque_prf_input_len = 0; + break; +#endif + case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE: s->tlsext_status_type=larg; ret = 1; @@ -2194,13 +2697,20 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) } return 1; } - + +#ifdef TLSEXT_TYPE_opaque_prf_input + case SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB_ARG: + ctx->tlsext_opaque_prf_input_callback_arg = parg; + return 1; +#endif + case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG: ctx->tlsext_status_arg=parg; return 1; break; #endif /* !OPENSSL_NO_TLSEXT */ + /* A Thawte special :-) */ case SSL_CTRL_EXTRA_CHAIN_CERT: if (ctx->extra_certs == NULL) @@ -2250,7 +2760,13 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB: ctx->tlsext_servername_callback=(int (*)(SSL *,int *,void *))fp; break; - + +#ifdef TLSEXT_TYPE_opaque_prf_input + case SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB: + ctx->tlsext_opaque_prf_input_callback = (int (*)(SSL *,void *, size_t, void *))fp; + break; +#endif + case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB: ctx->tlsext_status_cb=(int (*)(SSL *,void *))fp; break; @@ -2271,17 +2787,15 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) /* This function needs to check if the ciphers required are actually * available */ -SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p) +const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p) { - SSL_CIPHER c,*cp; + SSL_CIPHER c; + const SSL_CIPHER *cp; unsigned long id; id=0x03000000L|((unsigned long)p[0]<<8L)|(unsigned long)p[1]; c.id=id; - cp = (SSL_CIPHER *)OBJ_bsearch((char *)&c, - (char *)ssl3_ciphers, - SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER), - FP_ICC ssl_cipher_id_cmp); + cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS); if (cp == NULL || cp->valid == 0) return NULL; else @@ -2307,10 +2821,14 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, { SSL_CIPHER *c,*ret=NULL; STACK_OF(SSL_CIPHER) *prio, *allow; - int i,j,ok; - + int i,ii,ok; +#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_EC) + unsigned int j; + int ec_ok, ec_nid; + unsigned char ec_search1 = 0, ec_search2 = 0; +#endif CERT *cert; - unsigned long alg,mask,emask; + unsigned long alg_k,alg_a,mask_k,mask_a,emask_k,emask_a; /* Let's see which ciphers we can support */ cert=s->cert; @@ -2326,73 +2844,237 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, #endif #ifdef CIPHER_DEBUG - printf("Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), srvr); - for(i=0 ; i < sk_SSL_CIPHER_num(srvr) ; ++i) - { - c=sk_SSL_CIPHER_value(srvr,i); - printf("%p:%s\n",c,c->name); - } - printf("Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt), clnt); - for(i=0 ; i < sk_SSL_CIPHER_num(clnt) ; ++i) + printf("Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), (void *)srvr); + for(i=0 ; i < sk_SSL_CIPHER_num(srvr) ; ++i) + { + c=sk_SSL_CIPHER_value(srvr,i); + printf("%p:%s\n",(void *)c,c->name); + } + printf("Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt), (void *)clnt); + for(i=0 ; i < sk_SSL_CIPHER_num(clnt) ; ++i) { c=sk_SSL_CIPHER_value(clnt,i); - printf("%p:%s\n",c,c->name); + printf("%p:%s\n",(void *)c,c->name); } #endif if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) - { - prio = srvr; - allow = clnt; - } + { + prio = srvr; + allow = clnt; + } else - { - prio = clnt; - allow = srvr; - } + { + prio = clnt; + allow = srvr; + } for (i=0; i<sk_SSL_CIPHER_num(prio); i++) { c=sk_SSL_CIPHER_value(prio,i); ssl_set_cert_masks(cert,c); - mask=cert->mask; - emask=cert->export_mask; + mask_k = cert->mask_k; + mask_a = cert->mask_a; + emask_k = cert->export_mask_k; + emask_a = cert->export_mask_a; #ifdef KSSL_DEBUG - printf("ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms); +/* printf("ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms);*/ #endif /* KSSL_DEBUG */ - alg=c->algorithms&(SSL_MKEY_MASK|SSL_AUTH_MASK); + alg_k=c->algorithm_mkey; + alg_a=c->algorithm_auth; + #ifndef OPENSSL_NO_KRB5 - if (alg & SSL_KRB5) - { - if ( !kssl_keytab_is_available(s->kssl_ctx) ) - continue; - } + if (alg_k & SSL_kKRB5) + { + if ( !kssl_keytab_is_available(s->kssl_ctx) ) + continue; + } #endif /* OPENSSL_NO_KRB5 */ +#ifndef OPENSSL_NO_PSK + /* with PSK there must be server callback set */ + if ((alg_k & SSL_kPSK) && s->psk_server_callback == NULL) + continue; +#endif /* OPENSSL_NO_PSK */ + if (SSL_C_IS_EXPORT(c)) { - ok=((alg & emask) == alg)?1:0; + ok = (alg_k & emask_k) && (alg_a & emask_a); #ifdef CIPHER_DEBUG - printf("%d:[%08lX:%08lX]%p:%s (export)\n",ok,alg,emask, - c,c->name); + printf("%d:[%08lX:%08lX:%08lX:%08lX]%p:%s (export)\n",ok,alg_k,alg_a,emask_k,emask_a, + (void *)c,c->name); #endif } else { - ok=((alg & mask) == alg)?1:0; + ok = (alg_k & mask_k) && (alg_a & mask_a); #ifdef CIPHER_DEBUG - printf("%d:[%08lX:%08lX]%p:%s\n",ok,alg,mask,c, + printf("%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n",ok,alg_k,alg_a,mask_k,mask_a,(void *)c, c->name); #endif } +#ifndef OPENSSL_NO_TLSEXT +#ifndef OPENSSL_NO_EC + if ( + /* if we are considering an ECC cipher suite that uses our certificate */ + (alg_a & SSL_aECDSA || alg_a & SSL_aECDH) + /* and we have an ECC certificate */ + && (s->cert->pkeys[SSL_PKEY_ECC].x509 != NULL) + /* and the client specified a Supported Point Formats extension */ + && ((s->session->tlsext_ecpointformatlist_length > 0) && (s->session->tlsext_ecpointformatlist != NULL)) + /* and our certificate's point is compressed */ + && ( + (s->cert->pkeys[SSL_PKEY_ECC].x509->cert_info != NULL) + && (s->cert->pkeys[SSL_PKEY_ECC].x509->cert_info->key != NULL) + && (s->cert->pkeys[SSL_PKEY_ECC].x509->cert_info->key->public_key != NULL) + && (s->cert->pkeys[SSL_PKEY_ECC].x509->cert_info->key->public_key->data != NULL) + && ( + (*(s->cert->pkeys[SSL_PKEY_ECC].x509->cert_info->key->public_key->data) == POINT_CONVERSION_COMPRESSED) + || (*(s->cert->pkeys[SSL_PKEY_ECC].x509->cert_info->key->public_key->data) == POINT_CONVERSION_COMPRESSED + 1) + ) + ) + ) + { + ec_ok = 0; + /* if our certificate's curve is over a field type that the client does not support + * then do not allow this cipher suite to be negotiated */ + if ( + (s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec != NULL) + && (s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec->group != NULL) + && (s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec->group->meth != NULL) + && (EC_METHOD_get_field_type(s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec->group->meth) == NID_X9_62_prime_field) + ) + { + for (j = 0; j < s->session->tlsext_ecpointformatlist_length; j++) + { + if (s->session->tlsext_ecpointformatlist[j] == TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime) + { + ec_ok = 1; + break; + } + } + } + else if (EC_METHOD_get_field_type(s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec->group->meth) == NID_X9_62_characteristic_two_field) + { + for (j = 0; j < s->session->tlsext_ecpointformatlist_length; j++) + { + if (s->session->tlsext_ecpointformatlist[j] == TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2) + { + ec_ok = 1; + break; + } + } + } + ok = ok && ec_ok; + } + if ( + /* if we are considering an ECC cipher suite that uses our certificate */ + (alg_a & SSL_aECDSA || alg_a & SSL_aECDH) + /* and we have an ECC certificate */ + && (s->cert->pkeys[SSL_PKEY_ECC].x509 != NULL) + /* and the client specified an EllipticCurves extension */ + && ((s->session->tlsext_ellipticcurvelist_length > 0) && (s->session->tlsext_ellipticcurvelist != NULL)) + ) + { + ec_ok = 0; + if ( + (s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec != NULL) + && (s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec->group != NULL) + ) + { + ec_nid = EC_GROUP_get_curve_name(s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec->group); + if ((ec_nid == 0) + && (s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec->group->meth != NULL) + ) + { + if (EC_METHOD_get_field_type(s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec->group->meth) == NID_X9_62_prime_field) + { + ec_search1 = 0xFF; + ec_search2 = 0x01; + } + else if (EC_METHOD_get_field_type(s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec->group->meth) == NID_X9_62_characteristic_two_field) + { + ec_search1 = 0xFF; + ec_search2 = 0x02; + } + } + else + { + ec_search1 = 0x00; + ec_search2 = tls1_ec_nid2curve_id(ec_nid); + } + if ((ec_search1 != 0) || (ec_search2 != 0)) + { + for (j = 0; j < s->session->tlsext_ellipticcurvelist_length / 2; j++) + { + if ((s->session->tlsext_ellipticcurvelist[2*j] == ec_search1) && (s->session->tlsext_ellipticcurvelist[2*j+1] == ec_search2)) + { + ec_ok = 1; + break; + } + } + } + } + ok = ok && ec_ok; + } + if ( + /* if we are considering an ECC cipher suite that uses an ephemeral EC key */ + (alg_k & SSL_kEECDH) + /* and we have an ephemeral EC key */ + && (s->cert->ecdh_tmp != NULL) + /* and the client specified an EllipticCurves extension */ + && ((s->session->tlsext_ellipticcurvelist_length > 0) && (s->session->tlsext_ellipticcurvelist != NULL)) + ) + { + ec_ok = 0; + if (s->cert->ecdh_tmp->group != NULL) + { + ec_nid = EC_GROUP_get_curve_name(s->cert->ecdh_tmp->group); + if ((ec_nid == 0) + && (s->cert->ecdh_tmp->group->meth != NULL) + ) + { + if (EC_METHOD_get_field_type(s->cert->ecdh_tmp->group->meth) == NID_X9_62_prime_field) + { + ec_search1 = 0xFF; + ec_search2 = 0x01; + } + else if (EC_METHOD_get_field_type(s->cert->ecdh_tmp->group->meth) == NID_X9_62_characteristic_two_field) + { + ec_search1 = 0xFF; + ec_search2 = 0x02; + } + } + else + { + ec_search1 = 0x00; + ec_search2 = tls1_ec_nid2curve_id(ec_nid); + } + if ((ec_search1 != 0) || (ec_search2 != 0)) + { + for (j = 0; j < s->session->tlsext_ellipticcurvelist_length / 2; j++) + { + if ((s->session->tlsext_ellipticcurvelist[2*j] == ec_search1) && (s->session->tlsext_ellipticcurvelist[2*j+1] == ec_search2)) + { + ec_ok = 1; + break; + } + } + } + } + ok = ok && ec_ok; + } +#endif /* OPENSSL_NO_EC */ +#endif /* OPENSSL_NO_TLSEXT */ + if (!ok) continue; - j=sk_SSL_CIPHER_find(allow,c); - if (j >= 0) + ii=sk_SSL_CIPHER_find(allow,c); + if (ii >= 0) { - ret=sk_SSL_CIPHER_value(allow,j); + ret=sk_SSL_CIPHER_value(allow,ii); break; } } @@ -2402,12 +3084,24 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, int ssl3_get_req_cert_type(SSL *s, unsigned char *p) { int ret=0; - unsigned long alg; + unsigned long alg_k; + + alg_k = s->s3->tmp.new_cipher->algorithm_mkey; - alg=s->s3->tmp.new_cipher->algorithms; +#ifndef OPENSSL_NO_GOST + if (s->version >= TLS1_VERSION) + { + if (alg_k & SSL_kGOST) + { + p[ret++]=TLS_CT_GOST94_SIGN; + p[ret++]=TLS_CT_GOST01_SIGN; + return(ret); + } + } +#endif #ifndef OPENSSL_NO_DH - if (alg & (SSL_kDHr|SSL_kEDH)) + if (alg_k & (SSL_kDHr|SSL_kEDH)) { # ifndef OPENSSL_NO_RSA p[ret++]=SSL3_CT_RSA_FIXED_DH; @@ -2417,7 +3111,7 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p) # endif } if ((s->version == SSL3_VERSION) && - (alg & (SSL_kEDH|SSL_kDHd|SSL_kDHr))) + (alg_k & (SSL_kEDH|SSL_kDHd|SSL_kDHr))) { # ifndef OPENSSL_NO_RSA p[ret++]=SSL3_CT_RSA_EPHEMERAL_DH; @@ -2434,10 +3128,7 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p) p[ret++]=SSL3_CT_DSS_SIGN; #endif #ifndef OPENSSL_NO_ECDH - /* We should ask for fixed ECDH certificates only - * for SSL_kECDH (and not SSL_kECDHE) - */ - if ((alg & SSL_kECDH) && (s->version >= TLS1_VERSION)) + if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->version >= TLS1_VERSION)) { p[ret++]=TLS_CT_RSA_FIXED_ECDH; p[ret++]=TLS_CT_ECDSA_FIXED_ECDH; @@ -2446,7 +3137,7 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p) #ifndef OPENSSL_NO_ECDSA /* ECDSA certs can be used with RSA cipher suites as well - * so we don't need to check for SSL_kECDH or SSL_kECDHE + * so we don't need to check for SSL_kECDH or SSL_kEECDH */ if (s->version >= TLS1_VERSION) { @@ -2458,6 +3149,7 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p) int ssl3_shutdown(SSL *s) { + int ret; /* Don't do anything much if we have not done the handshake or * we don't want to send messages :-) */ @@ -2475,18 +3167,32 @@ int ssl3_shutdown(SSL *s) #endif /* our shutdown alert has been sent now, and if it still needs * to be written, s->s3->alert_dispatch will be true */ + if (s->s3->alert_dispatch) + return(-1); /* return WANT_WRITE */ } else if (s->s3->alert_dispatch) { /* resend it if not sent */ #if 1 - s->method->ssl_dispatch_alert(s); + ret=s->method->ssl_dispatch_alert(s); + if(ret == -1) + { + /* we only get to return -1 here the 2nd/Nth + * invocation, we must have already signalled + * return 0 upon a previous invoation, + * return WANT_WRITE */ + return(ret); + } #endif } else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) { /* If we are waiting for a close from our peer, we are closed */ s->method->ssl_read_bytes(s,0,NULL,0,0); + if(!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) + { + return(-1); /* return WANT_READ */ + } } if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) && @@ -2592,9 +3298,6 @@ int ssl3_renegotiate(SSL *s) if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) return(0); - if (!(s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) - return(0); - s->s3->renegotiate=1; return(1); } |