diff options
| author | Joel Sing <jsing@cvs.openbsd.org> | 2014-06-01 01:46:14 +0000 |
|---|---|---|
| committer | Joel Sing <jsing@cvs.openbsd.org> | 2014-06-01 01:46:14 +0000 |
| commit | 70b444e77643e8ad72591af495361a2242706faf (patch) | |
| tree | 116116f1fda3be50fe73b951f4c28cb95fc99023 /lib | |
| parent | bd0ad6b394b22f2f8ec33c238f2c4a4f35357058 (diff) | |
Use C99 initialisers for cipher_aliases. This improves readability,
removes the need for zero values to be specified (meaning that we usually
specify two fields instead of 12), makes the field names grepable and
protects from future field reordering/removal.
ok beck@ miod@
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/libssl/ssl_ciph.c | 424 |
1 files changed, 332 insertions, 92 deletions
diff --git a/lib/libssl/ssl_ciph.c b/lib/libssl/ssl_ciph.c index 456a7536b74..b3bcc66f668 100644 --- a/lib/libssl/ssl_ciph.c +++ b/lib/libssl/ssl_ciph.c @@ -223,109 +223,349 @@ typedef struct cipher_order_st { } CIPHER_ORDER; static const SSL_CIPHER cipher_aliases[] = { - /* "ALL" doesn't include eNULL (must be specifically enabled) */ - {0, SSL_TXT_ALL, 0, 0, 0,~SSL_eNULL, 0, 0, 0, 0, 0, 0}, - /* "COMPLEMENTOFALL" */ - {0, SSL_TXT_CMPALL, 0, 0, 0, SSL_eNULL, 0, 0, 0, 0, 0, 0}, - - /* "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in ALL!) */ - {0, SSL_TXT_CMPDEF, 0, SSL_kEDH|SSL_kEECDH, SSL_aNULL,~SSL_eNULL, 0, 0, 0, 0, 0, 0}, - - /* key exchange aliases - * (some of those using only a single bit here combine - * multiple key exchange algs according to the RFCs, - * e.g. kEDH combines DHE_DSS and DHE_RSA) */ - {0, SSL_TXT_kRSA, 0, SSL_kRSA, 0, 0, 0, 0, 0, 0, 0, 0}, - - {0,SSL_TXT_kDHr,0, SSL_kDHr, 0,0,0,0,0,0,0,0}, /* no such ciphersuites supported! */ - {0,SSL_TXT_kDHd,0, SSL_kDHd, 0,0,0,0,0,0,0,0}, /* no such ciphersuites supported! */ - {0,SSL_TXT_kDH,0, SSL_kDHr|SSL_kDHd,0,0,0,0,0,0,0,0}, /* no such ciphersuites supported! */ - {0, SSL_TXT_kEDH, 0, SSL_kEDH, 0, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_DH, 0, SSL_kDHr|SSL_kDHd|SSL_kEDH, 0, 0, 0, 0, 0, 0, 0, 0}, - - {0, SSL_TXT_kKRB5, 0, SSL_kKRB5, 0, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_kECDHr, 0, SSL_kECDHr, 0, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_kECDHe, 0, SSL_kECDHe, 0, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_kECDH, 0, SSL_kECDHr|SSL_kECDHe, 0, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_kEECDH, 0, SSL_kEECDH, 0, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_ECDH, 0, SSL_kECDHr|SSL_kECDHe|SSL_kEECDH, 0, 0, 0, 0, 0, 0, 0, 0}, - - {0, SSL_TXT_kPSK, 0, SSL_kPSK, 0, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_kSRP, 0, SSL_kSRP, 0, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_kGOST, 0, SSL_kGOST, 0, 0, 0, 0, 0, 0, 0, 0}, + /* "ALL" doesn't include eNULL (must be specifically enabled) */ + { + .name = SSL_TXT_ALL, + .algorithm_enc = ~SSL_eNULL, + }, + /* "COMPLEMENTOFALL" */ + { + .name = SSL_TXT_CMPALL, + .algorithm_enc = SSL_eNULL, + }, + + /* + * "COMPLEMENTOFDEFAULT" + * (does *not* include ciphersuites not found in ALL!) + */ + { + .name = SSL_TXT_CMPDEF, + .algorithm_mkey = SSL_kEDH|SSL_kEECDH, + .algorithm_auth = SSL_aNULL, + .algorithm_enc = ~SSL_eNULL, + }, + + /* + * key exchange aliases + * (some of those using only a single bit here combine multiple key + * exchange algs according to the RFCs, e.g. kEDH combines DHE_DSS + * and DHE_RSA) + */ + { + .name = SSL_TXT_kRSA, + .algorithm_mkey = SSL_kRSA, + }, + { + /* no such ciphersuites supported! */ + .name = SSL_TXT_kDHr, + .algorithm_mkey = SSL_kDHr, + }, + { + /* no such ciphersuites supported! */ + .name = SSL_TXT_kDHd, + .algorithm_mkey = SSL_kDHd, + }, + { + /* no such ciphersuites supported! */ + .name = SSL_TXT_kDH, + .algorithm_mkey = SSL_kDHr|SSL_kDHd, + }, + { + .name = SSL_TXT_kEDH, + .algorithm_mkey = SSL_kEDH, + }, + { + .name = SSL_TXT_DH, + .algorithm_mkey = SSL_kDHr|SSL_kDHd|SSL_kEDH, + }, + + { + .name = SSL_TXT_kKRB5, + .algorithm_mkey = SSL_kKRB5, + }, + + { + .name = SSL_TXT_kECDHr, + .algorithm_mkey = SSL_kECDHr, + }, + { + .name = SSL_TXT_kECDHe, + .algorithm_mkey = SSL_kECDHe, + }, + { + .name = SSL_TXT_kECDH, + .algorithm_mkey = SSL_kECDHr|SSL_kECDHe, + }, + { + .name = SSL_TXT_kEECDH, + .algorithm_mkey = SSL_kEECDH, + }, + { + .name = SSL_TXT_ECDH, + .algorithm_mkey = SSL_kECDHr|SSL_kECDHe|SSL_kEECDH, + }, + + { + .name = SSL_TXT_kPSK, + .algorithm_mkey = SSL_kPSK, + }, + { + .name = SSL_TXT_kSRP, + .algorithm_mkey = SSL_kSRP, + }, + { + .name = SSL_TXT_kGOST, + .algorithm_mkey = SSL_kGOST, + }, + /* server authentication aliases */ - {0, SSL_TXT_aRSA, 0, 0, SSL_aRSA, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_aDSS, 0, 0, SSL_aDSS, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_DSS, 0, 0, SSL_aDSS, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_aKRB5, 0, 0, SSL_aKRB5, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_aNULL, 0, 0, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, - {0,SSL_TXT_aDH,0, 0,SSL_aDH, 0,0,0,0,0,0,0}, /* no such ciphersuites supported! */ - {0, SSL_TXT_aECDH, 0, 0, SSL_aECDH, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_aECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_ECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_aPSK, 0, 0, SSL_aPSK, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_aGOST94, 0, 0, SSL_aGOST94, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_aGOST01, 0, 0, SSL_aGOST01, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_aGOST, 0, 0, SSL_aGOST94|SSL_aGOST01, 0, 0, 0, 0, 0, 0, 0}, - + { + .name = SSL_TXT_aRSA, + .algorithm_auth = SSL_aRSA, + }, + { + .name = SSL_TXT_aDSS, + .algorithm_auth = SSL_aDSS, + }, + { + .name = SSL_TXT_DSS, + .algorithm_auth = SSL_aDSS, + }, + { + .name = SSL_TXT_aKRB5, + .algorithm_auth = SSL_aKRB5, + }, + { + .name = SSL_TXT_aNULL, + .algorithm_auth = SSL_aNULL, + }, + { + /* no such ciphersuites supported! */ + .name = SSL_TXT_aDH, + .algorithm_auth = SSL_aDH, + }, + { + .name = SSL_TXT_aECDH, + .algorithm_auth = SSL_aECDH, + }, + { + .name = SSL_TXT_aECDSA, + .algorithm_auth = SSL_aECDSA, + }, + { + .name = SSL_TXT_ECDSA, + .algorithm_auth = SSL_aECDSA, + }, + { + .name = SSL_TXT_aPSK, + .algorithm_auth = SSL_aPSK, + }, + { + .name = SSL_TXT_aGOST94, + .algorithm_auth = SSL_aGOST94, + }, + { + .name = SSL_TXT_aGOST01, + .algorithm_auth = SSL_aGOST01, + }, + { + .name = SSL_TXT_aGOST, + .algorithm_auth = SSL_aGOST94|SSL_aGOST01, + }, + /* aliases combining key exchange and server authentication */ - {0, SSL_TXT_EDH, 0, SSL_kEDH,~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_EECDH, 0, SSL_kEECDH,~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_NULL, 0, 0, 0, SSL_eNULL, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_KRB5, 0, SSL_kKRB5, SSL_aKRB5, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_RSA, 0, SSL_kRSA, SSL_aRSA, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_ADH, 0, SSL_kEDH, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_AECDH, 0, SSL_kEECDH, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_PSK, 0, SSL_kPSK, SSL_aPSK, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_SRP, 0, SSL_kSRP, 0, 0, 0, 0, 0, 0, 0, 0}, - - + { + .name = SSL_TXT_EDH, + .algorithm_mkey = SSL_kEDH, + .algorithm_auth = ~SSL_aNULL, + }, + { + .name = SSL_TXT_EECDH, + .algorithm_mkey = SSL_kEECDH, + .algorithm_auth = ~SSL_aNULL, + }, + { + .name = SSL_TXT_NULL, + .algorithm_enc = SSL_eNULL, + }, + { + .name = SSL_TXT_KRB5, + .algorithm_mkey = SSL_kKRB5, + .algorithm_auth = SSL_aKRB5, + }, + { + .name = SSL_TXT_RSA, + .algorithm_mkey = SSL_kRSA, + .algorithm_auth = SSL_aRSA, + }, + { + .name = SSL_TXT_ADH, + .algorithm_mkey = SSL_kEDH, + .algorithm_auth = SSL_aNULL, + }, + { + .name = SSL_TXT_AECDH, + .algorithm_mkey = SSL_kEECDH, + .algorithm_auth = SSL_aNULL, + }, + { + .name = SSL_TXT_PSK, + .algorithm_mkey = SSL_kPSK, + .algorithm_auth = SSL_aPSK, + }, + { + .name = SSL_TXT_SRP, + .algorithm_mkey = SSL_kSRP, + }, + /* symmetric encryption aliases */ - {0, SSL_TXT_DES, 0, 0, 0, SSL_DES, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_3DES, 0, 0, 0, SSL_3DES, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_RC4, 0, 0, 0, SSL_RC4, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_RC2, 0, 0, 0, SSL_RC2, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_IDEA, 0, 0, 0, SSL_IDEA, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_SEED, 0, 0, 0, SSL_SEED, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_eNULL, 0, 0, 0, SSL_eNULL, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_AES128, 0, 0, 0, SSL_AES128|SSL_AES128GCM, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_AES256, 0, 0, 0, SSL_AES256|SSL_AES256GCM, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_AES, 0, 0, 0, SSL_AES, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_AES_GCM, 0, 0, 0, SSL_AES128GCM|SSL_AES256GCM, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_CAMELLIA128, 0, 0, 0, SSL_CAMELLIA128, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_CAMELLIA256, 0, 0, 0, SSL_CAMELLIA256, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_CAMELLIA , 0, 0, 0, SSL_CAMELLIA128|SSL_CAMELLIA256, 0, 0, 0, 0, 0, 0}, - + { + .name = SSL_TXT_DES, + .algorithm_enc = SSL_DES, + }, + { + .name = SSL_TXT_3DES, + .algorithm_enc = SSL_3DES, + }, + { + .name = SSL_TXT_RC4, + .algorithm_enc = SSL_RC4, + }, + { + .name = SSL_TXT_RC2, + .algorithm_enc = SSL_RC2, + }, + { + .name = SSL_TXT_IDEA, + .algorithm_enc = SSL_IDEA, + }, + { + .name = SSL_TXT_SEED, + .algorithm_enc = SSL_SEED, + }, + { + .name = SSL_TXT_eNULL, + .algorithm_enc = SSL_eNULL, + }, + { + .name = SSL_TXT_AES128, + .algorithm_enc = SSL_AES128|SSL_AES128GCM, + }, + { + .name = SSL_TXT_AES256, + .algorithm_enc = SSL_AES256|SSL_AES256GCM, + }, + { + .name = SSL_TXT_AES, + .algorithm_enc = SSL_AES, + }, + { + .name = SSL_TXT_AES_GCM, + .algorithm_enc = SSL_AES128GCM|SSL_AES256GCM, + }, + { + .name = SSL_TXT_CAMELLIA128, + .algorithm_enc = SSL_CAMELLIA128, + }, + { + .name = SSL_TXT_CAMELLIA256, + .algorithm_enc = SSL_CAMELLIA256, + }, + { + .name = SSL_TXT_CAMELLIA, + .algorithm_enc = SSL_CAMELLIA128|SSL_CAMELLIA256, + }, + /* MAC aliases */ - {0, SSL_TXT_MD5, 0, 0, 0, 0, SSL_MD5, 0, 0, 0, 0, 0}, - {0, SSL_TXT_SHA1, 0, 0, 0, 0, SSL_SHA1, 0, 0, 0, 0, 0}, - {0, SSL_TXT_SHA, 0, 0, 0, 0, SSL_SHA1, 0, 0, 0, 0, 0}, - {0, SSL_TXT_GOST94, 0, 0, 0, 0, SSL_GOST94, 0, 0, 0, 0, 0}, - {0, SSL_TXT_GOST89MAC, 0, 0, 0, 0, SSL_GOST89MAC, 0, 0, 0, 0, 0}, - {0, SSL_TXT_SHA256, 0, 0, 0, 0, SSL_SHA256, 0, 0, 0, 0, 0}, - {0, SSL_TXT_SHA384, 0, 0, 0, 0, SSL_SHA384, 0, 0, 0, 0, 0}, - + { + .name = SSL_TXT_MD5, + .algorithm_mac = SSL_MD5, + }, + { + .name = SSL_TXT_SHA1, + .algorithm_mac = SSL_SHA1, + }, + { + .name = SSL_TXT_SHA, + .algorithm_mac = SSL_SHA1, + }, + { + .name = SSL_TXT_GOST94, + .algorithm_mac = SSL_GOST94, + }, + { + .name = SSL_TXT_GOST89MAC, + .algorithm_mac = SSL_GOST89MAC, + }, + { + .name = SSL_TXT_SHA256, + .algorithm_mac = SSL_SHA256, + }, + { + .name = SSL_TXT_SHA384, + .algorithm_mac = SSL_SHA384, + }, + /* protocol version aliases */ - {0, SSL_TXT_SSLV2, 0, 0, 0, 0, 0, SSL_SSLV2, 0, 0, 0, 0}, - {0, SSL_TXT_SSLV3, 0, 0, 0, 0, 0, SSL_SSLV3, 0, 0, 0, 0}, - {0, SSL_TXT_TLSV1, 0, 0, 0, 0, 0, SSL_TLSV1, 0, 0, 0, 0}, - {0, SSL_TXT_TLSV1_2, 0, 0, 0, 0, 0, SSL_TLSV1_2, 0, 0, 0, 0}, - + { + .name = SSL_TXT_SSLV2, + .algorithm_ssl = SSL_SSLV2, + }, + { + .name = SSL_TXT_SSLV3, + .algorithm_ssl = SSL_SSLV3, + }, + { + .name = SSL_TXT_TLSV1, + .algorithm_ssl = SSL_TLSV1, + }, + { + .name = SSL_TXT_TLSV1_2, + .algorithm_ssl = SSL_TLSV1_2, + }, + /* export flag */ - {0, SSL_TXT_EXP, 0, 0, 0, 0, 0, 0, SSL_EXPORT, 0, 0, 0}, - {0, SSL_TXT_EXPORT, 0, 0, 0, 0, 0, 0, SSL_EXPORT, 0, 0, 0}, - + { + .name = SSL_TXT_EXP, + .algo_strength = SSL_EXPORT, + }, + { + .name = SSL_TXT_EXPORT, + .algo_strength = SSL_EXPORT, + }, + /* strength classes */ - {0, SSL_TXT_EXP40, 0, 0, 0, 0, 0, 0, SSL_EXP40, 0, 0, 0}, - {0, SSL_TXT_EXP56, 0, 0, 0, 0, 0, 0, SSL_EXP56, 0, 0, 0}, - {0, SSL_TXT_LOW, 0, 0, 0, 0, 0, 0, SSL_LOW, 0, 0, 0}, - {0, SSL_TXT_MEDIUM, 0, 0, 0, 0, 0, 0, SSL_MEDIUM, 0, 0, 0}, - {0, SSL_TXT_HIGH, 0, 0, 0, 0, 0, 0, SSL_HIGH, 0, 0, 0}, + { + .name = SSL_TXT_EXP40, + .algo_strength = SSL_EXP40, + }, + { + .name = SSL_TXT_EXP56, + .algo_strength = SSL_EXP56, + }, + { + .name = SSL_TXT_LOW, + .algo_strength = SSL_LOW, + }, + { + .name = SSL_TXT_MEDIUM, + .algo_strength = SSL_MEDIUM, + }, + { + .name = SSL_TXT_HIGH, + .algo_strength = SSL_HIGH, + }, + /* FIPS 140-2 approved ciphersuite */ - {0, SSL_TXT_FIPS, 0, 0, 0,~SSL_eNULL, 0, 0, SSL_FIPS, 0, 0, 0}, + { + .name = SSL_TXT_FIPS, + .algorithm_enc = ~SSL_eNULL, + .algo_strength = SSL_FIPS, + }, }; + /* Search for public key algorithm with given name and * return its pkey_id if it is available. Otherwise return 0 */ |