From 3eb2aff40116ecceab847c895cbf02cdb075d194 Mon Sep 17 00:00:00 2001 From: Kurt Roeckx Date: Sun, 7 Feb 2016 20:17:07 +0100 Subject: [PATCH] Add support for minimum and maximum protocol version supported by a cipher Reviewed-by: Viktor Dukhovni MR: #1595 --- ssl/s3_lib.c | 534 ++++++++++++++++++++++++++------------- ssl/ssl_ciph.c | 196 +++++++------- ssl/ssl_lib.c | 4 +- ssl/ssl_locl.h | 21 +- ssl/ssl_txt.c | 2 +- ssl/statem/statem_clnt.c | 18 +- ssl/statem/statem_lib.c | 6 +- ssl/t1_lib.c | 41 ++- 8 files changed, 504 insertions(+), 318 deletions(-) diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 51fb161dd6..093ff09e8f 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -171,7 +171,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_eNULL, SSL_MD5, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_STRONG_NONE, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 0, @@ -187,7 +188,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_eNULL, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 0, @@ -204,7 +206,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_RC4, SSL_MD5, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -220,7 +223,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_RC4, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -238,7 +242,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_IDEA, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -255,7 +260,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_3DES, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, @@ -271,7 +277,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aDSS, SSL_3DES, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, @@ -287,7 +294,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_3DES, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, @@ -304,7 +312,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aNULL, SSL_RC4, SSL_MD5, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -321,7 +330,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aNULL, SSL_3DES, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, @@ -337,7 +347,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_eNULL, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 0, @@ -352,7 +363,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_eNULL, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 0, @@ -367,7 +379,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_eNULL, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 0, @@ -385,7 +398,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES128, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -400,7 +414,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aDSS, SSL_AES128, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -415,7 +430,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES128, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -430,7 +446,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aNULL, SSL_AES128, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -446,7 +463,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES256, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, @@ -462,7 +480,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aDSS, SSL_AES256, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, @@ -478,7 +497,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES256, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, @@ -494,7 +514,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aNULL, SSL_AES256, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, @@ -511,7 +532,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_eNULL, SSL_SHA256, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 0, @@ -527,7 +549,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES128, SSL_SHA256, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -543,7 +566,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES256, SSL_SHA256, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, @@ -559,7 +583,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aDSS, SSL_AES128, SSL_SHA256, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -578,7 +603,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_CAMELLIA128, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -594,7 +620,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aDSS, SSL_CAMELLIA128, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -610,7 +637,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_CAMELLIA128, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -626,7 +654,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aNULL, SSL_CAMELLIA128, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -644,7 +673,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES128, SSL_SHA256, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -660,7 +690,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aDSS, SSL_AES256, SSL_SHA256, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, @@ -676,7 +707,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES256, SSL_SHA256, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, @@ -692,7 +724,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aNULL, SSL_AES128, SSL_SHA256, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -708,7 +741,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aNULL, SSL_AES256, SSL_SHA256, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, @@ -725,7 +759,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aGOST01, SSL_eGOST2814789CNT, SSL_GOST89MAC, - SSL_TLSV1, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH, SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94 | TLS1_STREAM_MAC, 256, @@ -739,7 +774,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aGOST01, SSL_eNULL, SSL_GOST94, - SSL_TLSV1, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_STRONG_NONE, SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94, 0, @@ -758,7 +794,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_CAMELLIA256, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, @@ -774,7 +811,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aDSS, SSL_CAMELLIA256, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, @@ -790,7 +828,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_CAMELLIA256, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, @@ -806,7 +845,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aNULL, SSL_CAMELLIA256, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, @@ -826,7 +866,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_RC4, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -843,7 +884,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_3DES, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, @@ -859,7 +901,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_AES128, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -875,7 +918,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_AES256, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, @@ -892,7 +936,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_RC4, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -909,7 +954,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_3DES, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, @@ -925,7 +971,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_AES128, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -941,7 +988,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_AES256, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, @@ -958,7 +1006,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_RC4, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -975,7 +1024,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_3DES, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, @@ -991,7 +1041,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES128, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -1007,7 +1058,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES256, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, @@ -1027,7 +1079,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_SEED, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -1043,7 +1096,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aDSS, SSL_SEED, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -1059,7 +1113,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_SEED, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -1075,7 +1130,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aNULL, SSL_SEED, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -1095,7 +1151,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES128GCM, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, @@ -1111,7 +1168,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES256GCM, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, @@ -1127,7 +1185,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES128GCM, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, @@ -1143,7 +1202,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES256GCM, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, @@ -1159,7 +1219,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aDSS, SSL_AES128GCM, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, @@ -1175,7 +1236,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aDSS, SSL_AES256GCM, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, @@ -1191,7 +1253,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aNULL, SSL_AES128GCM, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, @@ -1207,7 +1270,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aNULL, SSL_AES256GCM, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, @@ -1225,7 +1289,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_AES128GCM, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, @@ -1241,7 +1306,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_AES256GCM, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, @@ -1257,7 +1323,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_AES128GCM, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, @@ -1273,7 +1340,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_AES256GCM, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, @@ -1289,7 +1357,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES128GCM, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, @@ -1305,7 +1374,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES256GCM, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, @@ -1321,7 +1391,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_AES128, SSL_SHA256, - SSL_TLSV1, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -1337,7 +1408,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_AES256, SSL_SHA384, - SSL_TLSV1, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, @@ -1353,7 +1425,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_eNULL, SSL_SHA256, - SSL_TLSV1, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 0, @@ -1369,7 +1442,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_eNULL, SSL_SHA384, - SSL_TLSV1, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 0, @@ -1385,7 +1459,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_AES128, SSL_SHA256, - SSL_TLSV1, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -1401,7 +1476,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_AES256, SSL_SHA384, - SSL_TLSV1, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, @@ -1417,7 +1493,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_eNULL, SSL_SHA256, - SSL_TLSV1, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 0, @@ -1433,7 +1510,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_eNULL, SSL_SHA384, - SSL_TLSV1, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 0, @@ -1449,7 +1527,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES128, SSL_SHA256, - SSL_TLSV1, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -1465,7 +1544,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES256, SSL_SHA384, - SSL_TLSV1, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, @@ -1481,7 +1561,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_eNULL, SSL_SHA256, - SSL_TLSV1, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 0, @@ -1497,7 +1578,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_eNULL, SSL_SHA384, - SSL_TLSV1, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 0, @@ -1517,7 +1599,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_CAMELLIA128, SSL_SHA256, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, @@ -1533,7 +1616,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aDSS, SSL_CAMELLIA128, SSL_SHA256, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, @@ -1549,7 +1633,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_CAMELLIA128, SSL_SHA256, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, @@ -1565,7 +1650,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aNULL, SSL_CAMELLIA128, SSL_SHA256, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, @@ -1581,7 +1667,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_CAMELLIA256, SSL_SHA256, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, @@ -1597,7 +1684,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aDSS, SSL_CAMELLIA256, SSL_SHA256, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, @@ -1613,7 +1701,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_CAMELLIA256, SSL_SHA256, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, @@ -1629,7 +1718,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aNULL, SSL_CAMELLIA256, SSL_SHA256, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, @@ -1648,7 +1738,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aECDSA, SSL_eNULL, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 0, @@ -1665,7 +1756,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aECDSA, SSL_RC4, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -1682,7 +1774,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aECDSA, SSL_3DES, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, @@ -1698,7 +1791,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aECDSA, SSL_AES128, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -1714,7 +1808,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aECDSA, SSL_AES256, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, @@ -1730,7 +1825,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_eNULL, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 0, @@ -1747,7 +1843,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_RC4, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -1764,7 +1861,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_3DES, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, @@ -1780,7 +1878,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES128, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -1796,7 +1895,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES256, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, @@ -1812,7 +1912,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aNULL, SSL_eNULL, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 0, @@ -1829,7 +1930,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aNULL, SSL_RC4, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -1846,7 +1948,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aNULL, SSL_3DES, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, @@ -1862,7 +1965,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aNULL, SSL_AES128, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -1878,7 +1982,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aNULL, SSL_AES256, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, @@ -1896,7 +2001,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aSRP, SSL_3DES, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, @@ -1912,7 +2018,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_3DES, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, @@ -1928,7 +2035,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aDSS, SSL_3DES, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, @@ -1944,7 +2052,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aSRP, SSL_AES128, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -1960,7 +2069,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES128, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -1976,7 +2086,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aDSS, SSL_AES128, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -1992,7 +2103,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aSRP, SSL_AES256, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, @@ -2008,7 +2120,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES256, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, @@ -2024,7 +2137,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aDSS, SSL_AES256, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, @@ -2044,7 +2158,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aECDSA, SSL_AES128, SSL_SHA256, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, @@ -2060,7 +2175,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aECDSA, SSL_AES256, SSL_SHA384, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, @@ -2077,7 +2193,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES128, SSL_SHA256, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, @@ -2093,7 +2210,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES256, SSL_SHA384, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, @@ -2111,7 +2229,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aECDSA, SSL_AES128GCM, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, @@ -2127,7 +2246,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aECDSA, SSL_AES256GCM, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, @@ -2143,7 +2263,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES128GCM, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, @@ -2159,7 +2280,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES256GCM, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, @@ -2177,7 +2299,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_RC4, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -2194,7 +2317,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_3DES, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, @@ -2210,7 +2334,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_AES128, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -2226,7 +2351,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_AES256, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, @@ -2242,7 +2368,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_AES128, SSL_SHA256, - SSL_TLSV1, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -2258,7 +2385,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_AES256, SSL_SHA384, - SSL_TLSV1, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, @@ -2274,7 +2402,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_eNULL, SSL_SHA1, - SSL_SSLV3, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 0, @@ -2290,7 +2419,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_eNULL, SSL_SHA256, - SSL_TLSV1, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 0, @@ -2306,7 +2436,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_eNULL, SSL_SHA384, - SSL_TLSV1, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 0, @@ -2322,7 +2453,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aECDSA, SSL_CAMELLIA128, SSL_SHA256, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, @@ -2336,7 +2468,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aECDSA, SSL_CAMELLIA256, SSL_SHA384, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, @@ -2350,7 +2483,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_CAMELLIA128, SSL_SHA256, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, @@ -2364,7 +2498,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_CAMELLIA256, SSL_SHA384, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, @@ -2382,7 +2517,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_CAMELLIA128, SSL_SHA256, - SSL_TLSV1, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -2396,7 +2532,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_CAMELLIA256, SSL_SHA384, - SSL_TLSV1, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, @@ -2410,7 +2547,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_CAMELLIA128, SSL_SHA256, - SSL_TLSV1, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -2424,7 +2562,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_CAMELLIA256, SSL_SHA384, - SSL_TLSV1, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, @@ -2438,7 +2577,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_CAMELLIA128, SSL_SHA256, - SSL_TLSV1, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -2452,7 +2592,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_CAMELLIA256, SSL_SHA384, - SSL_TLSV1, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, @@ -2466,7 +2607,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_CAMELLIA128, SSL_SHA256, - SSL_TLSV1, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, @@ -2480,7 +2622,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_CAMELLIA256, SSL_SHA384, - SSL_TLSV1, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, @@ -2496,7 +2639,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES128CCM, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, @@ -2512,7 +2656,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES256CCM, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, @@ -2528,7 +2673,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES128CCM, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, @@ -2544,7 +2690,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES256CCM, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, @@ -2560,7 +2707,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES128CCM8, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, @@ -2576,7 +2724,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES256CCM8, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, @@ -2592,7 +2741,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES128CCM8, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, @@ -2608,7 +2758,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES256CCM8, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, @@ -2624,7 +2775,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_AES128CCM, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, @@ -2640,7 +2792,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_AES256CCM, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, @@ -2656,7 +2809,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_AES128CCM, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, @@ -2672,7 +2826,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_AES256CCM, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, @@ -2688,7 +2843,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_AES128CCM8, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, @@ -2704,7 +2860,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_AES256CCM8, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, @@ -2720,7 +2877,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_AES128CCM8, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, @@ -2736,7 +2894,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_AES256CCM8, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, @@ -2752,7 +2911,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aECDSA, SSL_AES128CCM, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, @@ -2768,7 +2928,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aECDSA, SSL_AES256CCM, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, @@ -2784,7 +2945,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aECDSA, SSL_AES128CCM8, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, @@ -2800,7 +2962,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aECDSA, SSL_AES256CCM8, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, @@ -2817,7 +2980,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_CHACHA20POLY1305, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, @@ -2832,7 +2996,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aECDSA, SSL_CHACHA20POLY1305, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, @@ -2849,7 +3014,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_CHACHA20POLY1305, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, @@ -2866,7 +3032,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_CHACHA20POLY1305, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, @@ -2881,7 +3048,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_CHACHA20POLY1305, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, @@ -2896,7 +3064,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_CHACHA20POLY1305, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, @@ -2911,7 +3080,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_CHACHA20POLY1305, SSL_AEAD, - SSL_TLSV1_2, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, @@ -2928,7 +3098,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aGOST12 | SSL_aGOST01, SSL_eGOST2814789CNT12, SSL_GOST89MAC12, - SSL_TLSV1, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_HIGH, SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_STREAM_MAC, 256, @@ -2941,7 +3112,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_aGOST12 | SSL_aGOST01, SSL_eNULL, SSL_GOST12_256, - SSL_TLSV1, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, SSL_STRONG_NONE, SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_STREAM_MAC, 0, @@ -3749,6 +3921,14 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p) return (2); } +/* + * ssl3_choose_cipher - choose a cipher from those offered by the client + * @s: SSL connection + * @clnt: ciphers offered by the client + * @srvr: ciphers enabled on the server? + * + * Returns the selected cipher or NULL when no common ciphers. + */ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, STACK_OF(SSL_CIPHER) *srvr) { @@ -3799,11 +3979,13 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) { c = sk_SSL_CIPHER_value(prio, i); - /* Skip TLS v1.2 only ciphersuites if not supported */ - if ((c->algorithm_ssl & SSL_TLSV1_2) && !SSL_USE_TLS1_2_CIPHERS(s)) + /* Skip ciphers not supported by the protocol version */ + if (!SSL_IS_DTLS(s) && + ((s->version < c->min_tls) || (s->version > c->max_tls))) continue; - /* Skip TLS v1.0 ciphersuites if SSLv3 */ - if ((c->algorithm_ssl & SSL_TLSV1) && s->version == SSL3_VERSION) + if (SSL_IS_DTLS(s) && + (DTLS_VERSION_LT(s->version, c->min_dtls) || + DTLS_VERSION_GT(s->version, c->max_dtls))) continue; mask_k = s->s3->tmp.mask_k; diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 16ff0b23b5..305728c3a8 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -319,122 +319,123 @@ typedef struct cipher_order_st { static const SSL_CIPHER cipher_aliases[] = { /* "ALL" doesn't include eNULL (must be specifically enabled) */ - {0, SSL_TXT_ALL, 0, 0, 0, ~SSL_eNULL, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_ALL, 0, 0, 0, ~SSL_eNULL, 0, 0, 0, 0, 0, 0, 0, 0, 0}, /* "COMPLEMENTOFALL" */ - {0, SSL_TXT_CMPALL, 0, 0, 0, SSL_eNULL, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_CMPALL, 0, 0, 0, SSL_eNULL, 0, 0, 0, 0, 0, 0, 0, 0, 0}, /* * "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in * ALL!) */ - {0, SSL_TXT_CMPDEF, 0, 0, 0, 0, 0, 0, SSL_NOT_DEFAULT, 0, 0, 0}, + {0, SSL_TXT_CMPDEF, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_NOT_DEFAULT, 0, 0, 0}, /* * key exchange aliases (some of those using only a single bit here * combine multiple key exchange algs according to the RFCs, e.g. kDHE * combines DHE_DSS and DHE_RSA) */ - {0, SSL_TXT_kRSA, 0, SSL_kRSA, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_kRSA, 0, SSL_kRSA, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_kEDH, 0, SSL_kDHE, 0, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_kDHE, 0, SSL_kDHE, 0, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_DH, 0, SSL_kDHE, 0, 0, 0, 0, 0, 0, 0, - 0}, + {0, SSL_TXT_kEDH, 0, SSL_kDHE, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_kDHE, 0, SSL_kDHE, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_DH, 0, SSL_kDHE, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_kEECDH, 0, SSL_kECDHE, 0, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_kECDHE, 0, SSL_kECDHE, 0, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_ECDH, 0, SSL_kECDHE, 0, 0, 0, 0, 0, - 0, 0, 0}, + {0, SSL_TXT_kEECDH, 0, SSL_kECDHE, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_kECDHE, 0, SSL_kECDHE, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_ECDH, 0, SSL_kECDHE, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_kPSK, 0, SSL_kPSK, 0, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_kRSAPSK, 0, SSL_kRSAPSK, 0, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_kECDHEPSK, 0, SSL_kECDHEPSK, 0, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_kDHEPSK, 0, SSL_kDHEPSK, 0, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_kSRP, 0, SSL_kSRP, 0, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_kGOST, 0, SSL_kGOST, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_kPSK, 0, SSL_kPSK, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_kRSAPSK, 0, SSL_kRSAPSK, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_kECDHEPSK, 0, SSL_kECDHEPSK, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_kDHEPSK, 0, SSL_kDHEPSK, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_kSRP, 0, SSL_kSRP, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_kGOST, 0, SSL_kGOST, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, /* server authentication aliases */ - {0, SSL_TXT_aRSA, 0, 0, SSL_aRSA, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_aDSS, 0, 0, SSL_aDSS, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_DSS, 0, 0, SSL_aDSS, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_aNULL, 0, 0, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_aECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_ECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_aPSK, 0, 0, SSL_aPSK, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_aGOST01, 0, 0, SSL_aGOST01, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_aGOST12, 0, 0, SSL_aGOST12, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_aGOST, 0, 0, SSL_aGOST01 | SSL_aGOST12, 0, 0, 0, + {0, SSL_TXT_aRSA, 0, 0, SSL_aRSA, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_aDSS, 0, 0, SSL_aDSS, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_DSS, 0, 0, SSL_aDSS, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_aNULL, 0, 0, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_aECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_ECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_aPSK, 0, 0, SSL_aPSK, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_aGOST01, 0, 0, SSL_aGOST01, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_aGOST12, 0, 0, SSL_aGOST12, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_aGOST, 0, 0, SSL_aGOST01 | SSL_aGOST12, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_aSRP, 0, 0, SSL_aSRP, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_aSRP, 0, 0, SSL_aSRP, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, /* aliases combining key exchange and server authentication */ - {0, SSL_TXT_EDH, 0, SSL_kDHE, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_DHE, 0, SSL_kDHE, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_EECDH, 0, SSL_kECDHE, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_ECDHE, 0, SSL_kECDHE, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_NULL, 0, 0, 0, SSL_eNULL, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_RSA, 0, SSL_kRSA, SSL_aRSA, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_ADH, 0, SSL_kDHE, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_AECDH, 0, SSL_kECDHE, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_PSK, 0, SSL_PSK, 0, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_SRP, 0, SSL_kSRP, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_EDH, 0, SSL_kDHE, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_DHE, 0, SSL_kDHE, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_EECDH, 0, SSL_kECDHE, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_ECDHE, 0, SSL_kECDHE, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_NULL, 0, 0, 0, SSL_eNULL, 0, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_RSA, 0, SSL_kRSA, SSL_aRSA, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_ADH, 0, SSL_kDHE, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_AECDH, 0, SSL_kECDHE, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_PSK, 0, SSL_PSK, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_SRP, 0, SSL_kSRP, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, /* symmetric encryption aliases */ - {0, SSL_TXT_DES, 0, 0, 0, SSL_DES, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_3DES, 0, 0, 0, SSL_3DES, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_RC4, 0, 0, 0, SSL_RC4, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_RC2, 0, 0, 0, SSL_RC2, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_IDEA, 0, 0, 0, SSL_IDEA, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_SEED, 0, 0, 0, SSL_SEED, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_eNULL, 0, 0, 0, SSL_eNULL, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_DES, 0, 0, 0, SSL_DES, 0, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_3DES, 0, 0, 0, SSL_3DES, 0, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_RC4, 0, 0, 0, SSL_RC4, 0, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_RC2, 0, 0, 0, SSL_RC2, 0, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_IDEA, 0, 0, 0, SSL_IDEA, 0, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_SEED, 0, 0, 0, SSL_SEED, 0, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_eNULL, 0, 0, 0, SSL_eNULL, 0, 0, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_GOST, 0, 0, 0, SSL_eGOST2814789CNT | SSL_eGOST2814789CNT12, 0, - 0, 0, 0, 0, 0}, + 0, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_AES128, 0, 0, 0, SSL_AES128 | SSL_AES128GCM | SSL_AES128CCM | SSL_AES128CCM8, 0, - 0, 0, 0, 0, 0}, + 0, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_AES256, 0, 0, 0, SSL_AES256 | SSL_AES256GCM | SSL_AES256CCM | SSL_AES256CCM8, 0, - 0, 0, 0, 0, 0}, - {0, SSL_TXT_AES, 0, 0, 0, SSL_AES, 0, 0, 0, 0, 0, 0}, + 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_AES, 0, 0, 0, SSL_AES, 0, 0, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_AES_GCM, 0, 0, 0, SSL_AES128GCM | SSL_AES256GCM, 0, 0, 0, 0, - 0, 0}, - {0, SSL_TXT_AES_CCM, 0, 0, 0, SSL_AES128CCM | SSL_AES256CCM | SSL_AES128CCM8 | SSL_AES256CCM8, 0, 0, 0, 0, - 0, 0}, + 0, 0, 0, 0, 0}, + {0, SSL_TXT_AES_CCM, 0, 0, 0, + SSL_AES128CCM | SSL_AES256CCM | SSL_AES128CCM8 | SSL_AES256CCM8, 0, 0, 0, + 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_AES_CCM_8, 0, 0, 0, SSL_AES128CCM8 | SSL_AES256CCM8, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_CAMELLIA128, 0, 0, 0, SSL_CAMELLIA128, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_CAMELLIA256, 0, 0, 0, SSL_CAMELLIA256, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_CAMELLIA, 0, 0, 0, SSL_CAMELLIA, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_CHACHA20, 0, 0, 0, SSL_CHACHA20, 0, 0, 0, 0, 0, 0 }, + {0, SSL_TXT_CAMELLIA128, 0, 0, 0, SSL_CAMELLIA128, 0, 0, 0, 0, 0, 0, 0, 0, + 0}, + {0, SSL_TXT_CAMELLIA256, 0, 0, 0, SSL_CAMELLIA256, 0, 0, 0, 0, 0, 0, 0, 0, + 0}, + {0, SSL_TXT_CAMELLIA, 0, 0, 0, SSL_CAMELLIA, 0, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_CHACHA20, 0, 0, 0, SSL_CHACHA20, 0, 0, 0, 0, 0, 0, 0, 0, 0 }, /* MAC aliases */ - {0, SSL_TXT_MD5, 0, 0, 0, 0, SSL_MD5, 0, 0, 0, 0, 0}, - {0, SSL_TXT_SHA1, 0, 0, 0, 0, SSL_SHA1, 0, 0, 0, 0, 0}, - {0, SSL_TXT_SHA, 0, 0, 0, 0, SSL_SHA1, 0, 0, 0, 0, 0}, - {0, SSL_TXT_GOST94, 0, 0, 0, 0, SSL_GOST94, 0, 0, 0, 0, 0}, + {0, SSL_TXT_MD5, 0, 0, 0, 0, SSL_MD5, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_SHA1, 0, 0, 0, 0, SSL_SHA1, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_SHA, 0, 0, 0, 0, SSL_SHA1, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_GOST94, 0, 0, 0, 0, SSL_GOST94, 0, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_GOST89MAC, 0, 0, 0, 0, SSL_GOST89MAC | SSL_GOST89MAC12, 0, 0, - 0, 0, 0}, - {0, SSL_TXT_SHA256, 0, 0, 0, 0, SSL_SHA256, 0, 0, 0, 0, 0}, - {0, SSL_TXT_SHA384, 0, 0, 0, 0, SSL_SHA384, 0, 0, 0, 0, 0}, - {0, SSL_TXT_GOST12, 0, 0, 0, 0, SSL_GOST12_256, 0, 0, 0, 0, 0}, + 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_SHA256, 0, 0, 0, 0, SSL_SHA256, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_SHA384, 0, 0, 0, 0, SSL_SHA384, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_GOST12, 0, 0, 0, 0, SSL_GOST12_256, 0, 0, 0, 0, 0, 0, 0, 0}, /* protocol version aliases */ - {0, SSL_TXT_SSLV3, 0, 0, 0, 0, 0, SSL_SSLV3, 0, 0, 0, 0}, - {0, SSL_TXT_TLSV1, 0, 0, 0, 0, 0, SSL_SSLV3, 0, 0, 0, 0}, - {0, "TLSv1.0", 0, 0, 0, 0, 0, SSL_TLSV1, 0, 0, 0, 0}, - {0, SSL_TXT_TLSV1_2, 0, 0, 0, 0, 0, SSL_TLSV1_2, 0, 0, 0, 0}, + {0, SSL_TXT_SSLV3, 0, 0, 0, 0, 0, SSL3_VERSION, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_TLSV1, 0, 0, 0, 0, 0, TLS1_VERSION, 0, 0, 0, 0, 0, 0, 0}, + {0, "TLSv1.0", 0, 0, 0, 0, 0, TLS1_VERSION, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_TLSV1_2, 0, 0, 0, 0, 0, TLS1_2_VERSION, 0, 0, 0, 0, 0, 0, 0}, /* strength classes */ - {0, SSL_TXT_LOW, 0, 0, 0, 0, 0, 0, SSL_LOW, 0, 0, 0}, - {0, SSL_TXT_MEDIUM, 0, 0, 0, 0, 0, 0, SSL_MEDIUM, 0, 0, 0}, - {0, SSL_TXT_HIGH, 0, 0, 0, 0, 0, 0, SSL_HIGH, 0, 0, 0}, + {0, SSL_TXT_LOW, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_LOW, 0, 0, 0}, + {0, SSL_TXT_MEDIUM, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_MEDIUM, 0, 0, 0}, + {0, SSL_TXT_HIGH, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_HIGH, 0, 0, 0}, /* FIPS 140-2 approved ciphersuite */ - {0, SSL_TXT_FIPS, 0, 0, 0, ~SSL_eNULL, 0, 0, SSL_FIPS, 0, 0, 0}, + {0, SSL_TXT_FIPS, 0, 0, 0, ~SSL_eNULL, 0, 0, 0, 0, 0, SSL_FIPS, 0, 0, 0}, /* "EDH-" aliases to "DHE-" labels (for backward compatibility) */ {0, SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA, 0, - SSL_kDHE, SSL_aDSS, SSL_3DES, SSL_SHA1, SSL_SSLV3, + SSL_kDHE, SSL_aDSS, SSL_3DES, SSL_SHA1, 0, 0, 0, 0, SSL_HIGH | SSL_FIPS, 0, 0, 0,}, {0, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, 0, - SSL_kDHE, SSL_aRSA, SSL_3DES, SSL_SHA1, SSL_SSLV3, + SSL_kDHE, SSL_aRSA, SSL_3DES, SSL_SHA1, 0, 0, 0, 0, SSL_HIGH | SSL_FIPS, 0, 0, 0,}, }; @@ -892,7 +893,7 @@ static void ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list, static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey, uint32_t alg_auth, uint32_t alg_enc, - uint32_t alg_mac, uint32_t alg_ssl, + uint32_t alg_mac, int min_tls, uint32_t algo_strength, int rule, int32_t strength_bits, CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) @@ -904,7 +905,7 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey, #ifdef CIPHER_DEBUG fprintf(stderr, "Applying rule %d with %08x/%08x/%08x/%08x/%08x %08x (%d)\n", - rule, alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, + rule, alg_mkey, alg_auth, alg_enc, alg_mac, min_tls, algo_strength, strength_bits); #endif @@ -960,7 +961,7 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey, continue; if (alg_mac && !(alg_mac & cp->algorithm_mac)) continue; - if (alg_ssl && !(alg_ssl & cp->algorithm_ssl)) + if (min_tls && (min_tls != cp->min_tls)) continue; if (algo_strength && !(algo_strength & cp->algo_strength)) continue; @@ -1076,7 +1077,8 @@ static int ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **tail_p, const SSL_CIPHER **ca_list, CERT *c) { - uint32_t alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength; + uint32_t alg_mkey, alg_auth, alg_enc, alg_mac, algo_strength; + int min_tls; const char *l, *buf; int j, multi, found, rule, retval, ok, buflen; uint32_t cipher_id = 0; @@ -1114,7 +1116,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str, alg_auth = 0; alg_enc = 0; alg_mac = 0; - alg_ssl = 0; + min_tls = 0; algo_strength = 0; for (;;) { @@ -1266,15 +1268,13 @@ static int ssl_cipher_process_rulestr(const char *rule_str, * protocol version is considered part of the search pattern */ - if (ca_list[j]->algorithm_ssl) { - if (alg_ssl) { - alg_ssl &= ca_list[j]->algorithm_ssl; - if (!alg_ssl) { - found = 0; - break; - } - } else - alg_ssl = ca_list[j]->algorithm_ssl; + if (ca_list[j]->min_tls) { + if (min_tls != 0 && min_tls != ca_list[j]->min_tls) { + found = 0; + break; + } else { + min_tls = ca_list[j]->min_tls; + } } } @@ -1314,7 +1314,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str, } else if (found) { ssl_cipher_apply_rule(cipher_id, alg_mkey, alg_auth, alg_enc, alg_mac, - alg_ssl, algo_strength, rule, -1, head_p, + min_tls, algo_strength, rule, -1, head_p, tail_p); } else { while ((*l != '\0') && !ITEM_SEP(*l)) @@ -1505,7 +1505,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK * Partially overrule strength sort to prefer TLS 1.2 ciphers/PRFs. * TODO(openssl-team): is there an easier way to accomplish all this? */ - ssl_cipher_apply_rule(0, 0, 0, 0, 0, SSL_TLSV1_2, 0, CIPHER_BUMP, -1, + ssl_cipher_apply_rule(0, 0, 0, 0, 0, TLS1_2_VERSION, 0, CIPHER_BUMP, -1, &head, &tail); /* @@ -1641,7 +1641,7 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) alg_enc = cipher->algorithm_enc; alg_mac = cipher->algorithm_mac; - ver = SSL_CIPHER_get_version(cipher); + ver = ssl_protocol_to_string(cipher->min_tls); switch (alg_mkey) { case SSL_kRSA: @@ -1809,19 +1809,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) const char *SSL_CIPHER_get_version(const SSL_CIPHER *c) { - uint32_t alg_ssl; - if (c == NULL) return "(NONE)"; - alg_ssl = c->algorithm_ssl; - - if (alg_ssl & SSL_SSLV3) - return "SSLv3"; - if (alg_ssl & SSL_TLSV1) - return "TLSv1.0"; - if (alg_ssl & SSL_TLSV1_2) - return "TLSv1.2"; - return "unknown"; + return ssl_protocol_to_string(c->min_tls); } /* return the actual cipher being used */ diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 0571150e60..ef8f6c0012 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -3060,7 +3060,7 @@ SSL_METHOD *ssl_bad_method(int ver) return (NULL); } -const char *version_to_string(int version) +const char *ssl_protocol_to_string(int version) { if (version == TLS1_2_VERSION) return "TLSv1.2"; @@ -3082,7 +3082,7 @@ const char *version_to_string(int version) const char *SSL_get_version(const SSL *s) { - return version_to_string(s->version); + return ssl_protocol_to_string(s->version); } SSL *SSL_dup(SSL *s) diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 2700145a80..ef5eb8cf53 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -378,11 +378,6 @@ # define SSL_GOST89MAC12 0x00000100U # define SSL_GOST12_512 0x00000200U -/* Bits for algorithm_ssl (protocol version) */ -# define SSL_SSLV3 0x00000002U -# define SSL_TLSV1 0x00000004U -# define SSL_TLSV1_2 0x00000008U - /* * When adding new digest in the ssl_ciph.c and increment SSL_MD_NUM_IDX make * sure to update this constant too @@ -517,7 +512,10 @@ struct ssl_cipher_st { uint32_t algorithm_auth; /* server authentication */ uint32_t algorithm_enc; /* symmetric encryption */ uint32_t algorithm_mac; /* symmetric authentication */ - uint32_t algorithm_ssl; /* (major) protocol version */ + int min_tls; /* minimum SSL/TLS protocol version */ + int max_tls; /* maximum SSL/TLS protocol version */ + int min_dtls; /* minimum DTLS protocol version */ + int max_dtls; /* maximum DTLS protocol version */ uint32_t algo_strength; /* strength and export flags */ uint32_t algorithm2; /* Extra flags */ int32_t strength_bits; /* Number of bits really used */ @@ -1347,8 +1345,13 @@ typedef struct ssl3_state_st { */ uint32_t mask_k; uint32_t mask_a; - /* Client only */ - uint32_t mask_ssl; + /* + * The following are used by the client to see if a cipher is allowed or + * not. It contains the minimum and maximum version the client's using + * based on what it knows so far. + */ + int min_ver; + int max_ver; } tmp; /* Connection binding to prevent renegotiation attacks */ @@ -1871,7 +1874,7 @@ struct openssl_ssl_test_functions { # endif }; -const char *version_to_string(int version); +const char *ssl_protocol_to_string(int version); # ifndef OPENSSL_UNIT_TEST diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c index 5bc5a72887..b2c6bf7ce6 100644 --- a/ssl/ssl_txt.c +++ b/ssl/ssl_txt.c @@ -111,7 +111,7 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) goto err; if (BIO_puts(bp, "SSL-Session:\n") <= 0) goto err; - s = version_to_string(x->ssl_version); + s = ssl_protocol_to_string(x->ssl_version); if (BIO_printf(bp, " Protocol : %s\n", s) <= 0) goto err; diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 03f4a8f97e..26c4d10785 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -1143,17 +1143,15 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_UNKNOWN_CIPHER_RETURNED); goto f_err; } - /* Set version disabled mask now we know version */ - if (!SSL_USE_TLS1_2_CIPHERS(s)) - s->s3->tmp.mask_ssl = SSL_TLSV1_2; - else - s->s3->tmp.mask_ssl = 0; - /* Skip TLS v1.0 ciphersuites if SSLv3 */ - if ((c->algorithm_ssl & SSL_TLSV1) && s->version == SSL3_VERSION) - s->s3->tmp.mask_ssl |= SSL_TLSV1; /* - * If it is a disabled cipher we didn't send it in client hello, so - * return an error. + * Now that we know the version, update the check to see if it's an allowed + * version. + */ + s->s3->tmp.min_ver = s->version; + s->s3->tmp.max_ver = s->version; + /* + * If it is a disabled cipher we either didn't send it in client hello, + * or it's not allowed for the selected protocol. So we return an error. */ if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK)) { al = SSL_AD_ILLEGAL_PARAMETER; diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index 6028066918..6be6e1d8a0 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -1117,13 +1117,13 @@ int ssl_get_client_min_max_version(const SSL *s, int *min_version, int *max_vers */ int ssl_set_client_hello_version(SSL *s) { - int min, max, ret; + int ver_min, ver_max, ret; - ret = ssl_get_client_min_max_version(s, &min, &max); + ret = ssl_get_client_min_max_version(s, &ver_min, &ver_max); if (ret != 0) return ret; - s->client_version = s->version = max; + s->client_version = s->version = ver_max; return 0; } diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 2161d155e8..8f5342b39f 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -982,24 +982,21 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s, } /* - * Get a mask of disabled algorithms: an algorithm is disabled if it isn't - * supported or doesn't appear in supported signature algorithms. Unlike - * ssl_cipher_get_disabled this applies to a specific session and not global - * settings. + * Set a mask of disabled algorithms: an algorithm is disabled if it isn't + * supported, doesn't appear in supported signature algorithms, isn't supported + * by the enabled protocol versions or by the security level. + * + * This function should only be used for checking which ciphers are supported + * by the client. + * + * Call ssl_cipher_disabled() to check that it's enabled or not. */ void ssl_set_client_disabled(SSL *s) { s->s3->tmp.mask_a = 0; s->s3->tmp.mask_k = 0; - /* Don't allow TLS 1.2 only ciphers if we don't suppport them */ - if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s)) - s->s3->tmp.mask_ssl = SSL_TLSV1_2; - else - s->s3->tmp.mask_ssl = 0; - /* Disable TLS 1.0 ciphers if using SSL v3 */ - if (s->client_version == SSL3_VERSION) - s->s3->tmp.mask_ssl |= SSL_TLSV1; ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK); + ssl_get_client_min_max_version(s, &s->s3->tmp.min_ver, &s->s3->tmp.max_ver); # ifndef OPENSSL_NO_PSK /* with PSK there must be client callback set */ if (!s->psk_client_callback) { @@ -1015,12 +1012,28 @@ void ssl_set_client_disabled(SSL *s) #endif } +/* + * ssl_cipher_disabled - check that a cipher is disabled or not + * @s: SSL connection that you want to use the cipher on + * @c: cipher to check + * @op: Security check that you want to do + * + * Returns 1 when it's disabled, 0 when enabled. + */ int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op) { - if (c->algorithm_ssl & s->s3->tmp.mask_ssl - || c->algorithm_mkey & s->s3->tmp.mask_k + if (c->algorithm_mkey & s->s3->tmp.mask_k || c->algorithm_auth & s->s3->tmp.mask_a) return 1; + if (s->s3->tmp.max_ver == 0) + return 1; + if (!SSL_IS_DTLS(s) && ((c->min_tls > s->s3->tmp.max_ver) + || (c->max_tls < s->s3->tmp.min_ver))) + return 1; + if (SSL_IS_DTLS(s) && (DTLS_VERSION_GT(c->min_dtls, s->s3->tmp.max_ver) + || DTLS_VERSION_LT(c->max_dtls, s->s3->tmp.min_ver))) + return 1; + return !ssl_security(s, op, c->strength_bits, 0, (void *)c); } -- 2.25.1