X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=ssl%2Fs3_lib.c;h=fc723a00a9759a637f54dd0c71174f02870e97a0;hb=0b8cd5acd6616888a3cde85d6127c93894dfe797;hp=b016718a82742b07c4a30ed73bd09acfc8940cc8;hpb=801136bcc2e6e4eb48df6d43401a1c1db6a9742c;p=oweals%2Fopenssl.git diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index b016718a82..fc723a00a9 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -132,7 +132,7 @@ #endif #include -const char *ssl3_version_str="SSLv3" OPENSSL_VERSION_PTEXT; +const char ssl3_version_str[]="SSLv3" OPENSSL_VERSION_PTEXT; #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers)/sizeof(SSL_CIPHER)) @@ -158,7 +158,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_RSA_NULL_SHA, SSL3_CK_RSA_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3, - SSL_NOT_EXP|SSL_STRONG_NONE, + SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS, 0, 0, 0, @@ -264,7 +264,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_RSA_DES_192_CBC3_SHA, SSL3_CK_RSA_DES_192_CBC3_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3, - SSL_NOT_EXP|SSL_HIGH, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 168, 168, @@ -304,7 +304,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_DH_DSS_DES_192_CBC3_SHA, SSL3_CK_DH_DSS_DES_192_CBC3_SHA, SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3, - SSL_NOT_EXP|SSL_HIGH, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 168, 168, @@ -343,7 +343,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_DH_RSA_DES_192_CBC3_SHA, SSL3_CK_DH_RSA_DES_192_CBC3_SHA, SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3, - SSL_NOT_EXP|SSL_HIGH, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 168, 168, @@ -384,7 +384,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA, SSL3_CK_EDH_DSS_DES_192_CBC3_SHA, SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_SSLV3, - SSL_NOT_EXP|SSL_HIGH, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 168, 168, @@ -423,7 +423,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, SSL3_CK_EDH_RSA_DES_192_CBC3_SHA, SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3, - SSL_NOT_EXP|SSL_HIGH, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 168, 168, @@ -488,7 +488,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_ADH_DES_192_CBC_SHA, SSL3_CK_ADH_DES_192_CBC_SHA, SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3, - SSL_NOT_EXP|SSL_HIGH, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 168, 168, @@ -542,11 +542,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ #endif #ifndef OPENSSL_NO_KRB5 -/* The Kerberos ciphers -** 20000107 VRS: And the first shall be last, -** in hopes of avoiding the lynx ssl renegotiation problem. -*/ -/* Cipher 1E VRS */ +/* The Kerberos ciphers */ +/* Cipher 1E */ { 1, SSL3_TXT_KRB5_DES_64_CBC_SHA, @@ -560,21 +557,21 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, -/* Cipher 1F VRS */ +/* Cipher 1F */ { 1, SSL3_TXT_KRB5_DES_192_CBC3_SHA, SSL3_CK_KRB5_DES_192_CBC3_SHA, SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_SHA1 |SSL_SSLV3, - SSL_NOT_EXP|SSL_HIGH, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, - 112, + 168, 168, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, -/* Cipher 20 VRS */ +/* Cipher 20 */ { 1, SSL3_TXT_KRB5_RC4_128_SHA, @@ -588,7 +585,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, -/* Cipher 21 VRS */ +/* Cipher 21 */ { 1, SSL3_TXT_KRB5_IDEA_128_CBC_SHA, @@ -602,7 +599,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, -/* Cipher 22 VRS */ +/* Cipher 22 */ { 1, SSL3_TXT_KRB5_DES_64_CBC_MD5, @@ -616,7 +613,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, -/* Cipher 23 VRS */ +/* Cipher 23 */ { 1, SSL3_TXT_KRB5_DES_192_CBC3_MD5, @@ -624,13 +621,13 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_MD5 |SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH, 0, - 112, + 168, 168, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, -/* Cipher 24 VRS */ +/* Cipher 24 */ { 1, SSL3_TXT_KRB5_RC4_128_MD5, @@ -644,7 +641,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, -/* Cipher 25 VRS */ +/* Cipher 25 */ { 1, SSL3_TXT_KRB5_IDEA_128_CBC_MD5, @@ -658,7 +655,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, -/* Cipher 26 VRS */ +/* Cipher 26 */ { 1, SSL3_TXT_KRB5_DES_40_CBC_SHA, @@ -672,7 +669,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, -/* Cipher 27 VRS */ +/* Cipher 27 */ { 1, SSL3_TXT_KRB5_RC2_40_CBC_SHA, @@ -686,7 +683,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, -/* Cipher 28 VRS */ +/* Cipher 28 */ { 1, SSL3_TXT_KRB5_RC4_40_SHA, @@ -694,13 +691,13 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_SHA1 |SSL_SSLV3, SSL_EXPORT|SSL_EXP40, 0, - 128, + 40, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, -/* Cipher 29 VRS */ +/* Cipher 29 */ { 1, SSL3_TXT_KRB5_DES_40_CBC_MD5, @@ -714,7 +711,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, -/* Cipher 2A VRS */ +/* Cipher 2A */ { 1, SSL3_TXT_KRB5_RC2_40_CBC_MD5, @@ -728,7 +725,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, -/* Cipher 2B VRS */ +/* Cipher 2B */ { 1, SSL3_TXT_KRB5_RC4_40_MD5, @@ -736,21 +733,21 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_MD5 |SSL_SSLV3, SSL_EXPORT|SSL_EXP40, 0, - 128, + 40, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, #endif /* OPENSSL_NO_KRB5 */ -/* New AES ciphersuites */ +/* New AES ciphersuites */ /* Cipher 2F */ { 1, TLS1_TXT_RSA_WITH_AES_128_SHA, TLS1_CK_RSA_WITH_AES_128_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1, - SSL_NOT_EXP|SSL_MEDIUM, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 128, 128, @@ -763,7 +760,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ TLS1_TXT_DH_DSS_WITH_AES_128_SHA, TLS1_CK_DH_DSS_WITH_AES_128_SHA, SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_MEDIUM, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 128, 128, @@ -776,7 +773,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ TLS1_TXT_DH_RSA_WITH_AES_128_SHA, TLS1_CK_DH_RSA_WITH_AES_128_SHA, SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_MEDIUM, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 128, 128, @@ -789,7 +786,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ TLS1_TXT_DHE_DSS_WITH_AES_128_SHA, TLS1_CK_DHE_DSS_WITH_AES_128_SHA, SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_MEDIUM, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 128, 128, @@ -802,7 +799,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, TLS1_CK_DHE_RSA_WITH_AES_128_SHA, SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_MEDIUM, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 128, 128, @@ -815,7 +812,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ TLS1_TXT_ADH_WITH_AES_128_SHA, TLS1_CK_ADH_WITH_AES_128_SHA, SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_MEDIUM, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 128, 128, @@ -829,7 +826,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ TLS1_TXT_RSA_WITH_AES_256_SHA, TLS1_CK_RSA_WITH_AES_256_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 256, 256, @@ -842,7 +839,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ TLS1_TXT_DH_DSS_WITH_AES_256_SHA, TLS1_CK_DH_DSS_WITH_AES_256_SHA, SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 256, 256, @@ -855,7 +852,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ TLS1_TXT_DH_RSA_WITH_AES_256_SHA, TLS1_CK_DH_RSA_WITH_AES_256_SHA, SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 256, 256, @@ -868,7 +865,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ TLS1_TXT_DHE_DSS_WITH_AES_256_SHA, TLS1_CK_DHE_DSS_WITH_AES_256_SHA, SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 256, 256, @@ -881,7 +878,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, TLS1_CK_DHE_RSA_WITH_AES_256_SHA, SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 256, 256, @@ -894,15 +891,368 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ TLS1_TXT_ADH_WITH_AES_256_SHA, TLS1_CK_ADH_WITH_AES_256_SHA, SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, + 0, + 256, + 256, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + +#ifndef OPENSSL_NO_CAMELLIA + /* Camellia ciphersuites from RFC4132 (128-bit portion) */ + + /* Cipher 41 */ + { + 1, + TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA, + TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA, + SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS + }, + /* Cipher 42 */ + { + 0, /* not implemented (non-ephemeral DH) */ + TLS1_TXT_DH_DSS_WITH_CAMELLIA_128_CBC_SHA, + TLS1_CK_DH_DSS_WITH_CAMELLIA_128_CBC_SHA, + SSL_kDHd|SSL_aDH|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS + }, + /* Cipher 43 */ + { + 0, /* not implemented (non-ephemeral DH) */ + TLS1_TXT_DH_RSA_WITH_CAMELLIA_128_CBC_SHA, + TLS1_CK_DH_RSA_WITH_CAMELLIA_128_CBC_SHA, + SSL_kDHr|SSL_aDH|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS + }, + /* Cipher 44 */ + { + 1, + TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, + TLS1_CK_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, + SSL_kEDH|SSL_aDSS|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS + }, + /* Cipher 45 */ + { + 1, + TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, + TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, + SSL_kEDH|SSL_aRSA|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS + }, + /* Cipher 46 */ + { + 1, + TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA, + TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA, + SSL_kEDH|SSL_aNULL|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS + }, +#endif /* OPENSSL_NO_CAMELLIA */ + +#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES + /* New TLS Export CipherSuites from expired ID */ +#if 0 + /* Cipher 60 */ + { + 1, + TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5, + TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5, + SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_TLSV1, + SSL_EXPORT|SSL_EXP56, + 0, + 56, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + /* Cipher 61 */ + { + 1, + TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, + TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, + SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_TLSV1, + SSL_EXPORT|SSL_EXP56, + 0, + 56, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, +#endif + /* Cipher 62 */ + { + 1, + TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA, + TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA, + SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_TLSV1, + SSL_EXPORT|SSL_EXP56, + 0, + 56, + 56, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + /* Cipher 63 */ + { + 1, + TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, + TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, + SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_TLSV1, + SSL_EXPORT|SSL_EXP56, + 0, + 56, + 56, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + /* Cipher 64 */ + { + 1, + TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA, + TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA, + SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1, + SSL_EXPORT|SSL_EXP56, + 0, + 56, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + /* Cipher 65 */ + { + 1, + TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, + TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, + SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1, + SSL_EXPORT|SSL_EXP56, + 0, + 56, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + /* Cipher 66 */ + { + 1, + TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA, + TLS1_CK_DHE_DSS_WITH_RC4_128_SHA, + SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_MEDIUM, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS + }, +#endif + +#ifndef OPENSSL_NO_CAMELLIA + /* Camellia ciphersuites from RFC4132 (256-bit portion) */ + + /* Cipher 84 */ + { + 1, + TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA, + TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA, + SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, 0, 256, 256, SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS + }, + /* Cipher 85 */ + { + 0, /* not implemented (non-ephemeral DH) */ + TLS1_TXT_DH_DSS_WITH_CAMELLIA_256_CBC_SHA, + TLS1_CK_DH_DSS_WITH_CAMELLIA_256_CBC_SHA, + SSL_kDHd|SSL_aDH|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 256, + 256, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS + }, + /* Cipher 86 */ + { + 0, /* not implemented (non-ephemeral DH) */ + TLS1_TXT_DH_RSA_WITH_CAMELLIA_256_CBC_SHA, + TLS1_CK_DH_RSA_WITH_CAMELLIA_256_CBC_SHA, + SSL_kDHr|SSL_aDH|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 256, + 256, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS + }, + /* Cipher 87 */ + { + 1, + TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, + TLS1_CK_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, + SSL_kEDH|SSL_aDSS|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 256, + 256, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS + }, + /* Cipher 88 */ + { + 1, + TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, + TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, + SSL_kEDH|SSL_aRSA|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 256, + 256, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS + }, + /* Cipher 89 */ + { + 1, + TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA, + TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA, + SSL_kEDH|SSL_aNULL|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 256, + 256, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS + }, +#endif /* OPENSSL_NO_CAMELLIA */ + +#ifndef OPENSSL_NO_SEED + /* SEED ciphersuites from RFC4162 */ + + /* Cipher 96 */ + { + 1, + TLS1_TXT_RSA_WITH_SEED_SHA, + TLS1_CK_RSA_WITH_SEED_SHA, + SSL_kRSA|SSL_aRSA|SSL_SEED|SSL_SHA1|SSL_TLSV1, + SSL_NOT_EXP|SSL_MEDIUM, + 0, + 128, + 128, + SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, + + /* Cipher 97 */ + { + 0, /* not implemented (non-ephemeral DH) */ + TLS1_TXT_DH_DSS_WITH_SEED_SHA, + TLS1_CK_DH_DSS_WITH_SEED_SHA, + SSL_kDHd|SSL_aDH|SSL_SEED|SSL_SHA1|SSL_TLSV1, + SSL_NOT_EXP|SSL_MEDIUM, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher 98 */ + { + 0, /* not implemented (non-ephemeral DH) */ + TLS1_TXT_DH_RSA_WITH_SEED_SHA, + TLS1_CK_DH_RSA_WITH_SEED_SHA, + SSL_kDHr|SSL_aDH|SSL_SEED|SSL_SHA1|SSL_TLSV1, + SSL_NOT_EXP|SSL_MEDIUM, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher 99 */ + { + 1, + TLS1_TXT_DHE_DSS_WITH_SEED_SHA, + TLS1_CK_DHE_DSS_WITH_SEED_SHA, + SSL_kEDH|SSL_aDSS|SSL_SEED|SSL_SHA1|SSL_TLSV1, + SSL_NOT_EXP|SSL_MEDIUM, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher 9A */ + { + 1, + TLS1_TXT_DHE_RSA_WITH_SEED_SHA, + TLS1_CK_DHE_RSA_WITH_SEED_SHA, + SSL_kEDH|SSL_aRSA|SSL_SEED|SSL_SHA1|SSL_TLSV1, + SSL_NOT_EXP|SSL_MEDIUM, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher 9B */ + { + 1, + TLS1_TXT_ADH_WITH_SEED_SHA, + TLS1_CK_ADH_WITH_SEED_SHA, + SSL_kEDH|SSL_aNULL|SSL_SEED|SSL_SHA1|SSL_TLSV1, + SSL_NOT_EXP|SSL_MEDIUM, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + +#endif /* OPENSSL_NO_SEED */ + #ifndef OPENSSL_NO_ECDH - /* Cipher 47 */ + /* Cipher C001 */ { 1, TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA, @@ -916,7 +1266,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, - /* Cipher 48 */ + /* Cipher C002 */ { 1, TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA, @@ -930,21 +1280,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, - /* Cipher 49 */ - { - 1, - TLS1_TXT_ECDH_ECDSA_WITH_DES_CBC_SHA, - TLS1_CK_ECDH_ECDSA_WITH_DES_CBC_SHA, - SSL_kECDH|SSL_aECDSA|SSL_DES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_LOW, - 0, - 56, - 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, - - /* Cipher 4A */ + /* Cipher C003 */ { 1, TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA, @@ -958,13 +1294,13 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, - /* Cipher 4B */ + /* Cipher C004 */ { 1, TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS1_CK_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_MEDIUM, + SSL_NOT_EXP|SSL_HIGH, 0, 128, 128, @@ -972,7 +1308,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, - /* Cipher 4C */ + /* Cipher C005 */ { 1, TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA, @@ -986,7 +1322,77 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, - /* Cipher 4D */ + /* Cipher C006 */ + { + 1, + TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA, + TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA, + SSL_kECDHE|SSL_aECDSA|SSL_eNULL|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP, + 0, + 0, + 0, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher C007 */ + { + 1, + TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA, + TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA, + SSL_kECDHE|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher C008 */ + { + 1, + TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, + TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, + SSL_kECDHE|SSL_aECDSA|SSL_3DES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 168, + 168, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher C009 */ + { + 1, + TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + SSL_kECDHE|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher C00A */ + { + 1, + TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + SSL_kECDHE|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 256, + 256, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher C00B */ { 1, TLS1_TXT_ECDH_RSA_WITH_NULL_SHA, @@ -1000,7 +1406,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, - /* Cipher 4E */ + /* Cipher C00C */ { 1, TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA, @@ -1014,41 +1420,69 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, - /* Cipher 4F */ + /* Cipher C00D */ + { + 1, + TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA, + TLS1_CK_ECDH_RSA_WITH_DES_192_CBC3_SHA, + SSL_kECDH|SSL_aRSA|SSL_3DES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 168, + 168, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher C00E */ + { + 1, + TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA, + TLS1_CK_ECDH_RSA_WITH_AES_128_CBC_SHA, + SSL_kECDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher C00F */ { 1, - TLS1_TXT_ECDH_RSA_WITH_DES_CBC_SHA, - TLS1_CK_ECDH_RSA_WITH_DES_CBC_SHA, - SSL_kECDH|SSL_aRSA|SSL_DES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_LOW, + TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA, + TLS1_CK_ECDH_RSA_WITH_AES_256_CBC_SHA, + SSL_kECDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, 0, - 56, - 56, + 256, + 256, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, - /* Cipher 50 */ + /* Cipher C010 */ { 1, - TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA, - TLS1_CK_ECDH_RSA_WITH_DES_192_CBC3_SHA, - SSL_kECDH|SSL_aRSA|SSL_3DES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, + TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA, + TLS1_CK_ECDHE_RSA_WITH_NULL_SHA, + SSL_kECDHE|SSL_aRSA|SSL_eNULL|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP, + 0, + 0, 0, - 168, - 168, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, - /* Cipher 51 */ + /* Cipher C011 */ { 1, - TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA, - TLS1_CK_ECDH_RSA_WITH_AES_128_CBC_SHA, - SSL_kECDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_MEDIUM, + TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA, + TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA, + SSL_kECDHE|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP, 0, 128, 128, @@ -1056,49 +1490,49 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, - /* Cipher 52 */ + /* Cipher C012 */ { 1, - TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA, - TLS1_CK_ECDH_RSA_WITH_AES_256_CBC_SHA, - SSL_kECDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, + TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA, + TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA, + SSL_kECDHE|SSL_aRSA|SSL_3DES|SSL_SHA|SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, 0, - 256, - 256, + 168, + 168, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, - /* Cipher 53 */ + /* Cipher C013 */ { 1, - TLS1_TXT_ECDH_RSA_EXPORT_WITH_RC4_40_SHA, - TLS1_CK_ECDH_RSA_EXPORT_WITH_RC4_40_SHA, - SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1, - SSL_EXPORT|SSL_EXP40, + TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA, + TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, + SSL_kECDHE|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, 0, - 40, + 128, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, - /* Cipher 54 */ + /* Cipher C014 */ { 1, - TLS1_TXT_ECDH_RSA_EXPORT_WITH_RC4_56_SHA, - TLS1_CK_ECDH_RSA_EXPORT_WITH_RC4_56_SHA, - SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1, - SSL_EXPORT|SSL_EXP56, + TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA, + TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, + SSL_kECDHE|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, 0, - 56, - 128, + 256, + 256, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, - /* Cipher 55 */ + /* Cipher C015 */ { 1, TLS1_TXT_ECDH_anon_WITH_NULL_SHA, @@ -1112,7 +1546,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, - /* Cipher 56 */ + /* Cipher C016 */ { 1, TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA, @@ -1126,21 +1560,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, - /* Cipher 57 */ - { - 1, - TLS1_TXT_ECDH_anon_WITH_DES_CBC_SHA, - TLS1_CK_ECDH_anon_WITH_DES_CBC_SHA, - SSL_kECDHE|SSL_aNULL|SSL_DES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_LOW, - 0, - 56, - 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, - - /* Cipher 58 */ + /* Cipher C017 */ { 1, TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA, @@ -1154,198 +1574,35 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, - /* Cipher 59 */ - { - 1, - TLS1_TXT_ECDH_anon_EXPORT_WITH_DES_40_CBC_SHA, - TLS1_CK_ECDH_anon_EXPORT_WITH_DES_40_CBC_SHA, - SSL_kECDHE|SSL_aNULL|SSL_DES|SSL_SHA|SSL_TLSV1, - SSL_EXPORT|SSL_EXP40, - 0, - 40, - 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, - - /* Cipher 5A */ + /* Cipher C018 */ { 1, - TLS1_TXT_ECDH_anon_EXPORT_WITH_RC4_40_SHA, - TLS1_CK_ECDH_anon_EXPORT_WITH_RC4_40_SHA, - SSL_kECDHE|SSL_aNULL|SSL_RC4|SSL_SHA|SSL_TLSV1, - SSL_EXPORT|SSL_EXP40, + TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA, + TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA, + SSL_kECDHE|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, 0, - 40, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, - /* Cipher 5B */ - /* XXX NOTE: The ECC/TLS draft has a bug and reuses 4B for this */ - { - 1, - TLS1_TXT_ECDH_ECDSA_EXPORT_WITH_RC4_40_SHA, - TLS1_CK_ECDH_ECDSA_EXPORT_WITH_RC4_40_SHA, - SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1, - SSL_EXPORT|SSL_EXP40, - 0, - 40, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, - /* Cipher 5C */ - /* XXX NOTE: The ECC/TLS draft has a bug and reuses 4C for this */ + /* Cipher C019 */ { 1, - TLS1_TXT_ECDH_ECDSA_EXPORT_WITH_RC4_56_SHA, - TLS1_CK_ECDH_ECDSA_EXPORT_WITH_RC4_56_SHA, - SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1, - SSL_EXPORT|SSL_EXP56, + TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA, + TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA, + SSL_kECDHE|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, 0, - 56, - 128, + 256, + 256, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, - #endif /* OPENSSL_NO_ECDH */ -#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES - /* New TLS Export CipherSuites */ - /* Cipher 60 */ - { - 1, - TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5, - TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5, - SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_TLSV1, - SSL_EXPORT|SSL_EXP56, - 0, - 56, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, - /* Cipher 61 */ - { - 1, - TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, - TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, - SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_TLSV1, - SSL_EXPORT|SSL_EXP56, - 0, - 56, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, - /* Cipher 62 */ - { - 1, - TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA, - TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA, - SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_TLSV1, - SSL_EXPORT|SSL_EXP56, - 0, - 56, - 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, - /* Cipher 63 */ - { - 1, - TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, - TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, - SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_TLSV1, - SSL_EXPORT|SSL_EXP56, - 0, - 56, - 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, - /* Cipher 64 */ - { - 1, - TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA, - TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA, - SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1, - SSL_EXPORT|SSL_EXP56, - 0, - 56, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, - /* Cipher 65 */ - { - 1, - TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, - TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, - SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1, - SSL_EXPORT|SSL_EXP56, - 0, - 56, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, - /* Cipher 66 */ - { - 1, - TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA, - TLS1_CK_DHE_DSS_WITH_RC4_128_SHA, - SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_MEDIUM, - 0, - 128, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS - }, -#endif - -#ifndef OPENSSL_NO_ECDH - /* Cipher 77 XXX: ECC ciphersuites offering forward secrecy - * are not yet specified in the ECC/TLS draft but our code - * allows them to be implemented very easily. To add such - * a cipher suite, one needs to add two constant definitions - * to tls1.h and a new structure in this file as shown below. We - * illustrate the process for the made-up cipher - * ECDHE-ECDSA-AES128-SHA. - */ - { - 1, - TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, - TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, - SSL_kECDHE|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_MEDIUM, - 0, - 128, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, - - /* Cipher 78 XXX: Another made-up ECC cipher suite that - * offers forward secrecy (ECDHE-RSA-AES128-SHA). - */ - { - 1, - TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA, - TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, - SSL_kECDHE|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_MEDIUM, - 0, - 128, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, -#endif /* !OPENSSL_NO_ECDH */ /* end of list */ }; @@ -1465,12 +1722,23 @@ void ssl3_clear(SSL *s) } #ifndef OPENSSL_NO_DH if (s->s3->tmp.dh != NULL) + { DH_free(s->s3->tmp.dh); + s->s3->tmp.dh = NULL; + } #endif #ifndef OPENSSL_NO_ECDH if (s->s3->tmp.ecdh != NULL) + { EC_KEY_free(s->s3->tmp.ecdh); + s->s3->tmp.ecdh = NULL; + } #endif +#ifndef OPENSSL_NO_TLSEXT +#ifndef OPENSSL_NO_EC + s->s3->is_probably_safari = 0; +#endif /* !OPENSSL_NO_EC */ +#endif /* !OPENSSL_NO_TLSEXT */ rp = s->s3->rbuf.buf; wp = s->s3->wbuf.buf; @@ -1647,6 +1915,77 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) } break; #endif /* !OPENSSL_NO_ECDH */ +#ifndef OPENSSL_NO_TLSEXT + case SSL_CTRL_SET_TLSEXT_HOSTNAME: + if (larg == TLSEXT_NAMETYPE_host_name) + { + if (s->tlsext_hostname != NULL) + OPENSSL_free(s->tlsext_hostname); + s->tlsext_hostname = NULL; + + ret = 1; + if (parg == NULL) + break; + if (strlen((char *)parg) > TLSEXT_MAXLEN_host_name) + { + SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME); + return 0; + } + if ((s->tlsext_hostname = BUF_strdup((char *)parg)) == NULL) + { + SSLerr(SSL_F_SSL3_CTRL, ERR_R_INTERNAL_ERROR); + return 0; + } + } + else + { + SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE); + return 0; + } + break; + case SSL_CTRL_SET_TLSEXT_DEBUG_ARG: + s->tlsext_debug_arg=parg; + ret = 1; + break; + + case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE: + s->tlsext_status_type=larg; + ret = 1; + break; + + case SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS: + *(STACK_OF(X509_EXTENSION) **)parg = s->tlsext_ocsp_exts; + ret = 1; + break; + + case SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS: + s->tlsext_ocsp_exts = parg; + ret = 1; + break; + + case SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS: + *(STACK_OF(OCSP_RESPID) **)parg = s->tlsext_ocsp_ids; + ret = 1; + break; + + case SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS: + s->tlsext_ocsp_ids = parg; + ret = 1; + break; + + case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP: + *(unsigned char **)parg = s->tlsext_ocsp_resp; + return s->tlsext_ocsp_resplen; + + case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP: + if (s->tlsext_ocsp_resp) + OPENSSL_free(s->tlsext_ocsp_resp); + s->tlsext_ocsp_resp = parg; + s->tlsext_ocsp_resplen = larg; + ret = 1; + break; + +#endif /* !OPENSSL_NO_TLSEXT */ default: break; } @@ -1697,6 +2036,12 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) s->cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp; } break; +#endif +#ifndef OPENSSL_NO_TLSEXT + case SSL_CTRL_SET_TLSEXT_DEBUG_CB: + s->tlsext_debug_cb=(void (*)(SSL *,int ,int, + unsigned char *, int, void *))fp; + break; #endif default: break; @@ -1831,6 +2176,42 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) } break; #endif /* !OPENSSL_NO_ECDH */ +#ifndef OPENSSL_NO_TLSEXT + case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG: + ctx->tlsext_servername_arg=parg; + break; + case SSL_CTRL_SET_TLSEXT_TICKET_KEYS: + case SSL_CTRL_GET_TLSEXT_TICKET_KEYS: + { + unsigned char *keys = parg; + if (!keys) + return 48; + if (larg != 48) + { + SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_INVALID_TICKET_KEYS_LENGTH); + return 0; + } + if (cmd == SSL_CTRL_SET_TLSEXT_TICKET_KEYS) + { + memcpy(ctx->tlsext_tick_key_name, keys, 16); + memcpy(ctx->tlsext_tick_hmac_key, keys + 16, 16); + memcpy(ctx->tlsext_tick_aes_key, keys + 32, 16); + } + else + { + memcpy(keys, ctx->tlsext_tick_key_name, 16); + memcpy(keys + 16, ctx->tlsext_tick_hmac_key, 16); + memcpy(keys + 32, ctx->tlsext_tick_aes_key, 16); + } + return 1; + } + + case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG: + ctx->tlsext_status_arg=parg; + return 1; + break; + +#endif /* !OPENSSL_NO_TLSEXT */ /* A Thawte special :-) */ case SSL_CTRL_EXTRA_CHAIN_CERT: if (ctx->extra_certs == NULL) @@ -1875,6 +2256,23 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp; } break; +#endif +#ifndef OPENSSL_NO_TLSEXT + case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB: + ctx->tlsext_servername_callback=(int (*)(SSL *,int *,void *))fp; + break; + + case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB: + ctx->tlsext_status_cb=(int (*)(SSL *,void *))fp; + break; + + case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB: + ctx->tlsext_ticket_key_cb=(int (*)(SSL *,unsigned char *, + unsigned char *, + EVP_CIPHER_CTX *, + HMAC_CTX *, int))fp; + break; + #endif default: return(0); @@ -1921,6 +2319,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, SSL_CIPHER *c,*ret=NULL; STACK_OF(SSL_CIPHER) *prio, *allow; int i,j,ok; + CERT *cert; unsigned long alg,mask,emask; @@ -2004,6 +2403,13 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, j=sk_SSL_CIPHER_find(allow,c); if (j >= 0) { +#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_TLSEXT) + if ((alg & SSL_kECDHE) && (alg & SSL_aECDSA) && s->s3->is_probably_safari) + { + if (!ret) ret=sk_SSL_CIPHER_value(allow,j); + continue; + } +#endif ret=sk_SSL_CIPHER_value(allow,j); break; } @@ -2070,6 +2476,7 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p) int ssl3_shutdown(SSL *s) { + int ret; /* Don't do anything much if we have not done the handshake or * we don't want to send messages :-) */ @@ -2087,18 +2494,32 @@ int ssl3_shutdown(SSL *s) #endif /* our shutdown alert has been sent now, and if it still needs * to be written, s->s3->alert_dispatch will be true */ + if (s->s3->alert_dispatch) + return(-1); /* return WANT_WRITE */ } else if (s->s3->alert_dispatch) { /* resend it if not sent */ #if 1 - s->method->ssl_dispatch_alert(s); + ret=s->method->ssl_dispatch_alert(s); + if(ret == -1) + { + /* we only get to return -1 here the 2nd/Nth + * invocation, we must have already signalled + * return 0 upon a previous invoation, + * return WANT_WRITE */ + return(ret); + } #endif } else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) { /* If we are waiting for a close from our peer, we are closed */ s->method->ssl_read_bytes(s,0,NULL,0,0); + if(!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) + { + return(-1); /* return WANT_READ */ + } } if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) && @@ -2232,4 +2653,3 @@ need to go to SSL_ST_ACCEPT. } return(ret); } -