#define FIXED_NONCE_LEN(x) ((x/2)<<24)
/* list of available SSLv3 ciphers (sorted by id) */
-SSL_CIPHER ssl3_ciphers[]={
+const SSL_CIPHER ssl3_ciphers[]={
/* The RSA ciphers */
-/* Cipher 01 */
- {
- 1,
- SSL3_TXT_RSA_NULL_MD5,
- SSL3_CK_RSA_NULL_MD5,
- SSL_kRSA,
- SSL_aRSA,
- SSL_eNULL,
- SSL_MD5,
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_STRONG_NONE,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 0,
- 0,
- },
-
-/* Cipher 02 */
- {
- 1,
- SSL3_TXT_RSA_NULL_SHA,
- SSL3_CK_RSA_NULL_SHA,
- SSL_kRSA,
- SSL_aRSA,
- SSL_eNULL,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 0,
- 0,
- },
-
/* Cipher 04 */
{
1,
SSL_RC4,
SSL_MD5,
SSL_SSLV3,
- SSL_NOT_EXP|SSL_MEDIUM,
+ SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF|SSL_CIPHER_ALGORITHM2_STATEFUL_AEAD,
128,
128,
SSL_RC4,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP|SSL_MEDIUM,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 128,
- 128,
- },
-
-/* Cipher 07 */
-#ifndef OPENSSL_NO_IDEA
- {
- 1,
- SSL3_TXT_RSA_IDEA_128_SHA,
- SSL3_CK_RSA_IDEA_128_SHA,
- SSL_kRSA,
- SSL_aRSA,
- SSL_IDEA,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_MEDIUM,
+ SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
-#endif
-
-/* Cipher 09 */
- {
- 1,
- SSL3_TXT_RSA_DES_64_CBC_SHA,
- SSL3_CK_RSA_DES_64_CBC_SHA,
- SSL_kRSA,
- SSL_aRSA,
- SSL_DES,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_LOW,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 56,
- 56,
- },
/* Cipher 0A */
{
SSL_3DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 112,
- 168,
- },
-
-/* The DH ciphers */
-
-/* Cipher 0C */
- {
- 1,
- SSL3_TXT_DH_DSS_DES_64_CBC_SHA,
- SSL3_CK_DH_DSS_DES_64_CBC_SHA,
- SSL_kDHd,
- SSL_aDH,
- SSL_DES,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_LOW,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 56,
- 56,
- },
-
-/* Cipher 0D */
- {
- 1,
- SSL3_TXT_DH_DSS_DES_192_CBC3_SHA,
- SSL3_CK_DH_DSS_DES_192_CBC3_SHA,
- SSL_kDHd,
- SSL_aDH,
- SSL_3DES,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 112,
- 168,
- },
-
-/* Cipher 0F */
- {
- 1,
- SSL3_TXT_DH_RSA_DES_64_CBC_SHA,
- SSL3_CK_DH_RSA_DES_64_CBC_SHA,
- SSL_kDHr,
- SSL_aDH,
- SSL_DES,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_LOW,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 56,
- 56,
- },
-
-/* Cipher 10 */
- {
- 1,
- SSL3_TXT_DH_RSA_DES_192_CBC3_SHA,
- SSL3_CK_DH_RSA_DES_192_CBC3_SHA,
- SSL_kDHr,
- SSL_aDH,
- SSL_3DES,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
112,
168,
/* The Ephemeral DH ciphers */
-/* Cipher 12 */
- {
- 1,
- SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,
- SSL3_CK_EDH_DSS_DES_64_CBC_SHA,
- SSL_kEDH,
- SSL_aDSS,
- SSL_DES,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_LOW,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 56,
- 56,
- },
-
-/* Cipher 13 */
- {
- 1,
- SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,
- SSL3_CK_EDH_DSS_DES_192_CBC3_SHA,
- SSL_kEDH,
- SSL_aDSS,
- SSL_3DES,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 112,
- 168,
- },
-
-/* Cipher 15 */
- {
- 1,
- SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,
- SSL3_CK_EDH_RSA_DES_64_CBC_SHA,
- SSL_kEDH,
- SSL_aRSA,
- SSL_DES,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_LOW,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 56,
- 56,
- },
-
-/* Cipher 16 */
- {
- 1,
- SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
- SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,
- SSL_kEDH,
- SSL_aRSA,
- SSL_3DES,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 112,
- 168,
- },
-
/* Cipher 18 */
{
1,
SSL_RC4,
SSL_MD5,
SSL_SSLV3,
- SSL_NOT_EXP|SSL_MEDIUM,
+ SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
-/* Cipher 1A */
- {
- 1,
- SSL3_TXT_ADH_DES_64_CBC_SHA,
- SSL3_CK_ADH_DES_64_CBC_SHA,
- SSL_kEDH,
- SSL_aNULL,
- SSL_DES,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_LOW,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 56,
- 56,
- },
-
-/* Cipher 1B */
- {
- 1,
- SSL3_TXT_ADH_DES_192_CBC_SHA,
- SSL3_CK_ADH_DES_192_CBC_SHA,
- SSL_kEDH,
- SSL_aNULL,
- SSL_3DES,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 112,
- 168,
- },
-
-/* Fortezza ciphersuite from SSL 3.0 spec */
-#if 0
-/* Cipher 1C */
- {
- 0,
- SSL3_TXT_FZA_DMS_NULL_SHA,
- SSL3_CK_FZA_DMS_NULL_SHA,
- SSL_kFZA,
- SSL_aFZA,
- SSL_eNULL,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_STRONG_NONE,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 0,
- 0,
- },
-
-/* Cipher 1D */
- {
- 0,
- SSL3_TXT_FZA_DMS_FZA_SHA,
- SSL3_CK_FZA_DMS_FZA_SHA,
- SSL_kFZA,
- SSL_aFZA,
- SSL_eFZA,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_STRONG_NONE,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 0,
- 0,
- },
-
-/* Cipher 1E */
- {
- 0,
- SSL3_TXT_FZA_DMS_RC4_SHA,
- SSL3_CK_FZA_DMS_RC4_SHA,
- SSL_kFZA,
- SSL_aFZA,
- SSL_RC4,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_MEDIUM,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 128,
- 128,
- },
-#endif
-
/* New AES ciphersuites */
/* Cipher 2F */
{
SSL_AES128,
SSL_SHA1,
SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 128,
- 128,
- },
-/* Cipher 30 */
- {
- 1,
- TLS1_TXT_DH_DSS_WITH_AES_128_SHA,
- TLS1_CK_DH_DSS_WITH_AES_128_SHA,
- SSL_kDHd,
- SSL_aDH,
- SSL_AES128,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 128,
- 128,
- },
-/* Cipher 31 */
- {
- 1,
- TLS1_TXT_DH_RSA_WITH_AES_128_SHA,
- TLS1_CK_DH_RSA_WITH_AES_128_SHA,
- SSL_kDHr,
- SSL_aDH,
- SSL_AES128,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 128,
- 128,
- },
-/* Cipher 32 */
- {
- 1,
- TLS1_TXT_DHE_DSS_WITH_AES_128_SHA,
- TLS1_CK_DHE_DSS_WITH_AES_128_SHA,
- SSL_kEDH,
- SSL_aDSS,
- SSL_AES128,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
SSL_AES128,
SSL_SHA1,
SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
SSL_AES128,
SSL_SHA1,
SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
SSL_AES256,
SSL_SHA1,
SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 256,
- 256,
- },
-/* Cipher 36 */
- {
- 1,
- TLS1_TXT_DH_DSS_WITH_AES_256_SHA,
- TLS1_CK_DH_DSS_WITH_AES_256_SHA,
- SSL_kDHd,
- SSL_aDH,
- SSL_AES256,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 256,
- 256,
- },
-
-/* Cipher 37 */
- {
- 1,
- TLS1_TXT_DH_RSA_WITH_AES_256_SHA,
- TLS1_CK_DH_RSA_WITH_AES_256_SHA,
- SSL_kDHr,
- SSL_aDH,
- SSL_AES256,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 256,
- 256,
- },
-
-/* Cipher 38 */
- {
- 1,
- TLS1_TXT_DHE_DSS_WITH_AES_256_SHA,
- TLS1_CK_DHE_DSS_WITH_AES_256_SHA,
- SSL_kEDH,
- SSL_aDSS,
- SSL_AES256,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
256,
256,
{
1,
TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
- TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
- SSL_kEDH,
- SSL_aRSA,
- SSL_AES256,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 256,
- 256,
- },
-
- /* Cipher 3A */
- {
- 1,
- TLS1_TXT_ADH_WITH_AES_256_SHA,
- TLS1_CK_ADH_WITH_AES_256_SHA,
- SSL_kEDH,
- SSL_aNULL,
- SSL_AES256,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 256,
- 256,
- },
-
- /* TLS v1.2 ciphersuites */
- /* Cipher 3B */
- {
- 1,
- TLS1_TXT_RSA_WITH_NULL_SHA256,
- TLS1_CK_RSA_WITH_NULL_SHA256,
- SSL_kRSA,
- SSL_aRSA,
- SSL_eNULL,
- SSL_SHA256,
- SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 0,
- 0,
- },
-
- /* Cipher 3C */
- {
- 1,
- TLS1_TXT_RSA_WITH_AES_128_SHA256,
- TLS1_CK_RSA_WITH_AES_128_SHA256,
- SSL_kRSA,
- SSL_aRSA,
- SSL_AES128,
- SSL_SHA256,
- SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 128,
- 128,
- },
-
- /* Cipher 3D */
- {
- 1,
- TLS1_TXT_RSA_WITH_AES_256_SHA256,
- TLS1_CK_RSA_WITH_AES_256_SHA256,
- SSL_kRSA,
- SSL_aRSA,
- SSL_AES256,
- SSL_SHA256,
- SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 256,
- 256,
- },
-
- /* Cipher 3E */
- {
- 1,
- TLS1_TXT_DH_DSS_WITH_AES_128_SHA256,
- TLS1_CK_DH_DSS_WITH_AES_128_SHA256,
- SSL_kDHd,
- SSL_aDH,
- SSL_AES128,
- SSL_SHA256,
- SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 128,
- 128,
- },
-
- /* Cipher 3F */
- {
- 1,
- TLS1_TXT_DH_RSA_WITH_AES_128_SHA256,
- TLS1_CK_DH_RSA_WITH_AES_128_SHA256,
- SSL_kDHr,
- SSL_aDH,
- SSL_AES128,
- SSL_SHA256,
- SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 128,
- 128,
- },
-
- /* Cipher 40 */
- {
- 1,
- TLS1_TXT_DHE_DSS_WITH_AES_128_SHA256,
- TLS1_CK_DHE_DSS_WITH_AES_128_SHA256,
- SSL_kEDH,
- SSL_aDSS,
- SSL_AES128,
- SSL_SHA256,
- SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
+ SSL_kEDH,
+ SSL_aRSA,
+ SSL_AES256,
+ SSL_SHA1,
+ SSL_TLSV1,
+ SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 128,
- 128,
+ 256,
+ 256,
},
-
-#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
- /* Cipher 66 */
+ /* Cipher 3A */
{
1,
- TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA,
- TLS1_CK_DHE_DSS_WITH_RC4_128_SHA,
+ TLS1_TXT_ADH_WITH_AES_256_SHA,
+ TLS1_CK_ADH_WITH_AES_256_SHA,
SSL_kEDH,
- SSL_aDSS,
- SSL_RC4,
+ SSL_aNULL,
+ SSL_AES256,
SSL_SHA1,
SSL_TLSV1,
- SSL_NOT_EXP|SSL_MEDIUM,
+ SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 128,
- 128,
+ 256,
+ 256,
},
-#endif
/* TLS v1.2 ciphersuites */
- /* Cipher 67 */
+ /* Cipher 3C */
{
1,
- TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256,
- TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
- SSL_kEDH,
+ TLS1_TXT_RSA_WITH_AES_128_SHA256,
+ TLS1_CK_RSA_WITH_AES_128_SHA256,
+ SSL_kRSA,
SSL_aRSA,
SSL_AES128,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
- /* Cipher 68 */
+ /* Cipher 3D */
{
1,
- TLS1_TXT_DH_DSS_WITH_AES_256_SHA256,
- TLS1_CK_DH_DSS_WITH_AES_256_SHA256,
- SSL_kDHd,
- SSL_aDH,
+ TLS1_TXT_RSA_WITH_AES_256_SHA256,
+ TLS1_CK_RSA_WITH_AES_256_SHA256,
+ SSL_kRSA,
+ SSL_aRSA,
SSL_AES256,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
256,
256,
},
- /* Cipher 69 */
- {
- 1,
- TLS1_TXT_DH_RSA_WITH_AES_256_SHA256,
- TLS1_CK_DH_RSA_WITH_AES_256_SHA256,
- SSL_kDHr,
- SSL_aDH,
- SSL_AES256,
- SSL_SHA256,
- SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 256,
- 256,
- },
- /* Cipher 6A */
+ /* TLS v1.2 ciphersuites */
+ /* Cipher 67 */
{
1,
- TLS1_TXT_DHE_DSS_WITH_AES_256_SHA256,
- TLS1_CK_DHE_DSS_WITH_AES_256_SHA256,
+ TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256,
+ TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
SSL_kEDH,
- SSL_aDSS,
- SSL_AES256,
+ SSL_aRSA,
+ SSL_AES128,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 256,
- 256,
+ 128,
+ 128,
},
/* Cipher 6B */
SSL_AES256,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
256,
256,
SSL_AES128,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
SSL_AES256,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
256,
256,
SSL_RC4,
SSL_SHA1,
SSL_TLSV1,
- SSL_NOT_EXP|SSL_MEDIUM,
+ SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
- /* Cipher 8B */
- {
- 1,
- TLS1_TXT_PSK_WITH_3DES_EDE_CBC_SHA,
- TLS1_CK_PSK_WITH_3DES_EDE_CBC_SHA,
- SSL_kPSK,
- SSL_aPSK,
- SSL_3DES,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 112,
- 168,
- },
-
/* Cipher 8C */
{
1,
SSL_AES128,
SSL_SHA1,
SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
SSL_AES256,
SSL_SHA1,
SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
256,
256,
},
-#ifndef OPENSSL_NO_SEED
- /* SEED ciphersuites from RFC4162 */
-
- /* Cipher 96 */
- {
- 1,
- TLS1_TXT_RSA_WITH_SEED_SHA,
- TLS1_CK_RSA_WITH_SEED_SHA,
- SSL_kRSA,
- SSL_aRSA,
- SSL_SEED,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_MEDIUM,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 128,
- 128,
- },
-
- /* Cipher 97 */
- {
- 1,
- TLS1_TXT_DH_DSS_WITH_SEED_SHA,
- TLS1_CK_DH_DSS_WITH_SEED_SHA,
- SSL_kDHd,
- SSL_aDH,
- SSL_SEED,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_MEDIUM,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 128,
- 128,
- },
-
- /* Cipher 98 */
- {
- 1,
- TLS1_TXT_DH_RSA_WITH_SEED_SHA,
- TLS1_CK_DH_RSA_WITH_SEED_SHA,
- SSL_kDHr,
- SSL_aDH,
- SSL_SEED,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_MEDIUM,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 128,
- 128,
- },
-
- /* Cipher 99 */
- {
- 1,
- TLS1_TXT_DHE_DSS_WITH_SEED_SHA,
- TLS1_CK_DHE_DSS_WITH_SEED_SHA,
- SSL_kEDH,
- SSL_aDSS,
- SSL_SEED,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_MEDIUM,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 128,
- 128,
- },
-
- /* Cipher 9A */
- {
- 1,
- TLS1_TXT_DHE_RSA_WITH_SEED_SHA,
- TLS1_CK_DHE_RSA_WITH_SEED_SHA,
- SSL_kEDH,
- SSL_aRSA,
- SSL_SEED,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_MEDIUM,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 128,
- 128,
- },
-
- /* Cipher 9B */
- {
- 1,
- TLS1_TXT_ADH_WITH_SEED_SHA,
- TLS1_CK_ADH_WITH_SEED_SHA,
- SSL_kEDH,
- SSL_aNULL,
- SSL_SEED,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_MEDIUM,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 128,
- 128,
- },
-
-#endif /* OPENSSL_NO_SEED */
-
/* GCM ciphersuites from RFC5288 */
/* Cipher 9C */
SSL_AES128GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
128,
128,
SSL_AES256GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
256,
SSL_AES128GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
128,
128,
SSL_AES256GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
- SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
- 256,
- 256,
- },
-
- /* Cipher A0 */
- {
- 1,
- TLS1_TXT_DH_RSA_WITH_AES_128_GCM_SHA256,
- TLS1_CK_DH_RSA_WITH_AES_128_GCM_SHA256,
- SSL_kDHr,
- SSL_aDH,
- SSL_AES128GCM,
- SSL_AEAD,
- SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
- 128,
- 128,
- },
-
- /* Cipher A1 */
- {
- 1,
- TLS1_TXT_DH_RSA_WITH_AES_256_GCM_SHA384,
- TLS1_CK_DH_RSA_WITH_AES_256_GCM_SHA384,
- SSL_kDHr,
- SSL_aDH,
- SSL_AES256GCM,
- SSL_AEAD,
- SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
- SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
- 256,
- 256,
- },
-
- /* Cipher A2 */
- {
- 1,
- TLS1_TXT_DHE_DSS_WITH_AES_128_GCM_SHA256,
- TLS1_CK_DHE_DSS_WITH_AES_128_GCM_SHA256,
- SSL_kEDH,
- SSL_aDSS,
- SSL_AES128GCM,
- SSL_AEAD,
- SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
- 128,
- 128,
- },
-
- /* Cipher A3 */
- {
- 1,
- TLS1_TXT_DHE_DSS_WITH_AES_256_GCM_SHA384,
- TLS1_CK_DHE_DSS_WITH_AES_256_GCM_SHA384,
- SSL_kEDH,
- SSL_aDSS,
- SSL_AES256GCM,
- SSL_AEAD,
- SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
- SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
- 256,
- 256,
- },
-
- /* Cipher A4 */
- {
- 1,
- TLS1_TXT_DH_DSS_WITH_AES_128_GCM_SHA256,
- TLS1_CK_DH_DSS_WITH_AES_128_GCM_SHA256,
- SSL_kDHd,
- SSL_aDH,
- SSL_AES128GCM,
- SSL_AEAD,
- SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
- 128,
- 128,
- },
-
- /* Cipher A5 */
- {
- 1,
- TLS1_TXT_DH_DSS_WITH_AES_256_GCM_SHA384,
- TLS1_CK_DH_DSS_WITH_AES_256_GCM_SHA384,
- SSL_kDHd,
- SSL_aDH,
- SSL_AES256GCM,
- SSL_AEAD,
- SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
256,
SSL_AES128GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
128,
128,
SSL_AES256GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
256,
256,
},
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
- {
- 1,
- "SCSV",
- SSL3_CK_SCSV,
- 0,
- 0,
- 0,
- 0,
- 0,
- 0,
- 0,
- 0,
- 0
- },
-#endif
-
-#ifndef OPENSSL_NO_ECDH
- /* Cipher C001 */
- {
- 1,
- TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA,
- TLS1_CK_ECDH_ECDSA_WITH_NULL_SHA,
- SSL_kECDHe,
- SSL_aECDH,
- SSL_eNULL,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 0,
- 0,
- },
-
- /* Cipher C002 */
- {
- 1,
- TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA,
- TLS1_CK_ECDH_ECDSA_WITH_RC4_128_SHA,
- SSL_kECDHe,
- SSL_aECDH,
- SSL_RC4,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_MEDIUM,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 128,
- 128,
- },
-
- /* Cipher C003 */
- {
- 1,
- TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA,
- TLS1_CK_ECDH_ECDSA_WITH_DES_192_CBC3_SHA,
- SSL_kECDHe,
- SSL_aECDH,
- SSL_3DES,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 112,
- 168,
- },
-
- /* Cipher C004 */
- {
- 1,
- TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
- TLS1_CK_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
- SSL_kECDHe,
- SSL_aECDH,
- SSL_AES128,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 128,
- 128,
- },
-
- /* Cipher C005 */
- {
- 1,
- TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
- TLS1_CK_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
- SSL_kECDHe,
- SSL_aECDH,
- SSL_AES256,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 256,
- 256,
- },
-
- /* Cipher C006 */
- {
- 1,
- TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA,
- TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA,
- SSL_kEECDH,
- SSL_aECDSA,
- SSL_eNULL,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 0,
- 0,
- },
/* Cipher C007 */
{
SSL_RC4,
SSL_SHA1,
SSL_TLSV1,
- SSL_NOT_EXP|SSL_MEDIUM,
+ SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
- /* Cipher C008 */
- {
- 1,
- TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
- TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
- SSL_kEECDH,
- SSL_aECDSA,
- SSL_3DES,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 112,
- 168,
- },
-
/* Cipher C009 */
{
1,
SSL_AES128,
SSL_SHA1,
SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
SSL_AES256,
SSL_SHA1,
SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 256,
- 256,
- },
-
- /* Cipher C00B */
- {
- 1,
- TLS1_TXT_ECDH_RSA_WITH_NULL_SHA,
- TLS1_CK_ECDH_RSA_WITH_NULL_SHA,
- SSL_kECDHr,
- SSL_aECDH,
- SSL_eNULL,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 0,
- 0,
- },
-
- /* Cipher C00C */
- {
- 1,
- TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA,
- TLS1_CK_ECDH_RSA_WITH_RC4_128_SHA,
- SSL_kECDHr,
- SSL_aECDH,
- SSL_RC4,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_MEDIUM,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 128,
- 128,
- },
-
- /* Cipher C00D */
- {
- 1,
- TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA,
- TLS1_CK_ECDH_RSA_WITH_DES_192_CBC3_SHA,
- SSL_kECDHr,
- SSL_aECDH,
- SSL_3DES,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 112,
- 168,
- },
-
- /* Cipher C00E */
- {
- 1,
- TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA,
- TLS1_CK_ECDH_RSA_WITH_AES_128_CBC_SHA,
- SSL_kECDHr,
- SSL_aECDH,
- SSL_AES128,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 128,
- 128,
- },
-
- /* Cipher C00F */
- {
- 1,
- TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA,
- TLS1_CK_ECDH_RSA_WITH_AES_256_CBC_SHA,
- SSL_kECDHr,
- SSL_aECDH,
- SSL_AES256,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
256,
256,
},
- /* Cipher C010 */
- {
- 1,
- TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA,
- TLS1_CK_ECDHE_RSA_WITH_NULL_SHA,
- SSL_kEECDH,
- SSL_aRSA,
- SSL_eNULL,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 0,
- 0,
- },
-
/* Cipher C011 */
{
1,
SSL_RC4,
SSL_SHA1,
SSL_TLSV1,
- SSL_NOT_EXP|SSL_MEDIUM,
+ SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
- /* Cipher C012 */
- {
- 1,
- TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
- TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
- SSL_kEECDH,
- SSL_aRSA,
- SSL_3DES,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 112,
- 168,
- },
-
/* Cipher C013 */
{
1,
SSL_AES128,
SSL_SHA1,
SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
SSL_AES256,
SSL_SHA1,
SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
256,
256,
},
- /* Cipher C015 */
- {
- 1,
- TLS1_TXT_ECDH_anon_WITH_NULL_SHA,
- TLS1_CK_ECDH_anon_WITH_NULL_SHA,
- SSL_kEECDH,
- SSL_aNULL,
- SSL_eNULL,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 0,
- 0,
- },
-
/* Cipher C016 */
{
1,
SSL_RC4,
SSL_SHA1,
SSL_TLSV1,
- SSL_NOT_EXP|SSL_MEDIUM,
+ SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
- /* Cipher C017 */
- {
- 1,
- TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA,
- TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA,
- SSL_kEECDH,
- SSL_aNULL,
- SSL_3DES,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 112,
- 168,
- },
-
/* Cipher C018 */
{
1,
SSL_AES128,
SSL_SHA1,
SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
SSL_AES256,
SSL_SHA1,
SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
256,
256,
},
-#endif /* OPENSSL_NO_ECDH */
-#ifndef OPENSSL_NO_ECDH
/* HMAC based TLS v1.2 ciphersuites from RFC5289 */
SSL_AES128,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
128,
128,
SSL_AES256,
SSL_SHA384,
SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
- 256,
- 256,
- },
-
- /* Cipher C025 */
- {
- 1,
- TLS1_TXT_ECDH_ECDSA_WITH_AES_128_SHA256,
- TLS1_CK_ECDH_ECDSA_WITH_AES_128_SHA256,
- SSL_kECDHe,
- SSL_aECDH,
- SSL_AES128,
- SSL_SHA256,
- SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
- 128,
- 128,
- },
-
- /* Cipher C026 */
- {
- 1,
- TLS1_TXT_ECDH_ECDSA_WITH_AES_256_SHA384,
- TLS1_CK_ECDH_ECDSA_WITH_AES_256_SHA384,
- SSL_kECDHe,
- SSL_aECDH,
- SSL_AES256,
- SSL_SHA384,
- SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
256,
256,
SSL_AES128,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
128,
128,
SSL_AES256,
SSL_SHA384,
SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
- 256,
- 256,
- },
-
- /* Cipher C029 */
- {
- 1,
- TLS1_TXT_ECDH_RSA_WITH_AES_128_SHA256,
- TLS1_CK_ECDH_RSA_WITH_AES_128_SHA256,
- SSL_kECDHr,
- SSL_aECDH,
- SSL_AES128,
- SSL_SHA256,
- SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
- 128,
- 128,
- },
-
- /* Cipher C02A */
- {
- 1,
- TLS1_TXT_ECDH_RSA_WITH_AES_256_SHA384,
- TLS1_CK_ECDH_RSA_WITH_AES_256_SHA384,
- SSL_kECDHr,
- SSL_aECDH,
- SSL_AES256,
- SSL_SHA384,
- SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
256,
256,
SSL_AES128GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
128,
128,
SSL_AES256GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
- SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
- 256,
- 256,
- },
-
- /* Cipher C02D */
- {
- 1,
- TLS1_TXT_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
- TLS1_CK_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
- SSL_kECDHe,
- SSL_aECDH,
- SSL_AES128GCM,
- SSL_AEAD,
- SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
- 128,
- 128,
- },
-
- /* Cipher C02E */
- {
- 1,
- TLS1_TXT_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
- TLS1_CK_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
- SSL_kECDHe,
- SSL_aECDH,
- SSL_AES256GCM,
- SSL_AEAD,
- SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
256,
SSL_AES128GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
128,
128,
SSL_AES256GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
- SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
- 256,
- 256,
- },
-
- /* Cipher C031 */
- {
- 1,
- TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256,
- TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256,
- SSL_kECDHr,
- SSL_aECDH,
- SSL_AES128GCM,
- SSL_AEAD,
- SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
- 128,
- 128,
- },
-
- /* Cipher C032 */
- {
- 1,
- TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384,
- TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384,
- SSL_kECDHr,
- SSL_aECDH,
- SSL_AES256GCM,
- SSL_AEAD,
- SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
256,
SSL_AES128GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
128,
128,
},
-#endif /* OPENSSL_NO_ECDH */
{
1,
SSL_CHACHA20POLY1305,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0),
256,
0,
SSL_CHACHA20POLY1305,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0),
256,
0,
SSL_CHACHA20POLY1305,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0),
256,
0,
ssl3_handshake_write
};
-long ssl3_default_timeout(void)
- {
- /* 2 hours, the 24 hours mentioned in the SSLv3 spec
- * is way too long for http, the cache would over fill */
- return(60*60*2);
- }
-
int ssl3_num_ciphers(void)
{
return(SSL3_NUM_CIPHERS);
ssl3_release_read_buffer(s);
if (s->s3->wbuf.buf != NULL)
ssl3_release_write_buffer(s);
-#ifndef OPENSSL_NO_DH
if (s->s3->tmp.dh != NULL)
DH_free(s->s3->tmp.dh);
-#endif
-#ifndef OPENSSL_NO_ECDH
if (s->s3->tmp.ecdh != NULL)
EC_KEY_free(s->s3->tmp.ecdh);
-#endif
if (s->s3->tmp.ca_names != NULL)
sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
OPENSSL_free(s->s3->tmp.certificate_types);
s->s3->tmp.num_certificate_types = 0;
-#ifndef OPENSSL_NO_DH
if (s->s3->tmp.dh != NULL)
{
DH_free(s->s3->tmp.dh);
s->s3->tmp.dh = NULL;
}
-#endif
-#ifndef OPENSSL_NO_ECDH
if (s->s3->tmp.ecdh != NULL)
{
EC_KEY_free(s->s3->tmp.ecdh);
s->s3->tmp.ecdh = NULL;
}
-#endif
rp = s->s3->rbuf.buf;
wp = s->s3->wbuf.buf;
rlen = s->s3->rbuf.len;
if (s->s3->alpn_selected)
{
- free(s->s3->alpn_selected);
+ OPENSSL_free(s->s3->alpn_selected);
s->s3->alpn_selected = NULL;
}
memset(s->s3,0,sizeof *s->s3);
s->s3->total_renegotiations=0;
s->s3->num_renegotiations=0;
s->s3->in_read_app_data=0;
- s->version=SSL3_VERSION;
+ s->version = s->method->version;
-#if !defined(OPENSSL_NO_NEXTPROTONEG)
if (s->next_proto_negotiated)
{
OPENSSL_free(s->next_proto_negotiated);
s->next_proto_negotiated = NULL;
s->next_proto_negotiated_len = 0;
}
-#endif
s->s3->tlsext_channel_id_valid = 0;
}
{
int ret=0;
- if (
- cmd == SSL_CTRL_SET_TMP_RSA ||
+ if (cmd == SSL_CTRL_SET_TMP_RSA ||
cmd == SSL_CTRL_SET_TMP_RSA_CB ||
-#ifndef OPENSSL_NO_DSA
cmd == SSL_CTRL_SET_TMP_DH ||
- cmd == SSL_CTRL_SET_TMP_DH_CB ||
-#endif
- 0)
+ cmd == SSL_CTRL_SET_TMP_DH_CB)
{
if (!ssl_cert_inst(&s->cert))
{
return(ret);
}
break;
-#ifndef OPENSSL_NO_DH
case SSL_CTRL_SET_TMP_DH:
{
DH *dh = (DH *)parg;
return(ret);
}
break;
-#endif
-#ifndef OPENSSL_NO_ECDH
case SSL_CTRL_SET_TMP_ECDH:
{
EC_KEY *ecdh = NULL;
return(ret);
}
break;
-#endif /* !OPENSSL_NO_ECDH */
case SSL_CTRL_SET_TLSEXT_HOSTNAME:
if (larg == TLSEXT_NAMETYPE_host_name)
{
ret = 1;
break;
- case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE:
- s->tlsext_status_type=larg;
- ret = 1;
- break;
-
- case SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS:
- *(STACK_OF(X509_EXTENSION) **)parg = s->tlsext_ocsp_exts;
- ret = 1;
- break;
-
- case SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS:
- s->tlsext_ocsp_exts = parg;
- ret = 1;
- break;
-
- case SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS:
- *(STACK_OF(OCSP_RESPID) **)parg = s->tlsext_ocsp_ids;
- ret = 1;
- break;
-
- case SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS:
- s->tlsext_ocsp_ids = parg;
- ret = 1;
- break;
-
- case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP:
- *(unsigned char **)parg = s->tlsext_ocsp_resp;
- return s->tlsext_ocsp_resplen;
-
- case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP:
- if (s->tlsext_ocsp_resp)
- OPENSSL_free(s->tlsext_ocsp_resp);
- s->tlsext_ocsp_resp = parg;
- s->tlsext_ocsp_resplen = larg;
- ret = 1;
- break;
-
-
case SSL_CTRL_CHAIN:
if (larg)
return ssl_cert_set1_chain(s->cert,
case SSL_CTRL_SELECT_CURRENT_CERT:
return ssl_cert_select_current(s->cert, (X509 *)parg);
-#ifndef OPENSSL_NO_EC
case SSL_CTRL_GET_CURVES:
{
const uint16_t *clist;
case SSL_CTRL_SET_ECDH_AUTO:
s->cert->ecdh_tmp_auto = larg;
return 1;
-#endif
case SSL_CTRL_SET_SIGALGS:
return tls1_set_sigalgs(s->cert, parg, larg, 0);
EVP_PKEY *ptmp;
int rv = 0;
sc = s->session->sess_cert;
-#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_EC)
- if (!sc->peer_rsa_tmp && !sc->peer_dh_tmp
- && !sc->peer_ecdh_tmp)
+ if (!sc->peer_rsa_tmp && !sc->peer_dh_tmp && !sc->peer_ecdh_tmp)
return 0;
-#endif
ptmp = EVP_PKEY_new();
if (!ptmp)
return 0;
- if (0);
- else if (sc->peer_rsa_tmp)
+ if (sc->peer_rsa_tmp)
rv = EVP_PKEY_set1_RSA(ptmp, sc->peer_rsa_tmp);
-#ifndef OPENSSL_NO_DH
else if (sc->peer_dh_tmp)
rv = EVP_PKEY_set1_DH(ptmp, sc->peer_dh_tmp);
-#endif
-#ifndef OPENSSL_NO_ECDH
else if (sc->peer_ecdh_tmp)
rv = EVP_PKEY_set1_EC_KEY(ptmp, sc->peer_ecdh_tmp);
-#endif
if (rv)
{
*(EVP_PKEY **)parg = ptmp;
EVP_PKEY_free(ptmp);
return 0;
}
-#ifndef OPENSSL_NO_EC
case SSL_CTRL_GET_EC_POINT_FORMATS:
{
SSL_SESSION *sess = s->session;
*pformat = sess->tlsext_ecpointformatlist;
return (int)sess->tlsext_ecpointformatlist_length;
}
-#endif
case SSL_CTRL_CHANNEL_ID:
s->tlsext_channel_id_enabled = 1;
{
int ret=0;
- if (
- cmd == SSL_CTRL_SET_TMP_RSA_CB ||
-#ifndef OPENSSL_NO_DSA
- cmd == SSL_CTRL_SET_TMP_DH_CB ||
-#endif
- 0)
+ if (cmd == SSL_CTRL_SET_TMP_RSA_CB || cmd == SSL_CTRL_SET_TMP_DH_CB)
{
if (!ssl_cert_inst(&s->cert))
{
case SSL_CTRL_SET_TMP_RSA_CB:
/* Ignore the callback; temporary RSA keys are never used. */
break;
-#ifndef OPENSSL_NO_DH
case SSL_CTRL_SET_TMP_DH_CB:
{
s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
}
break;
-#endif
-#ifndef OPENSSL_NO_ECDH
case SSL_CTRL_SET_TMP_ECDH_CB:
{
s->cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp;
}
break;
-#endif
case SSL_CTRL_SET_TLSEXT_DEBUG_CB:
s->tlsext_debug_cb=(void (*)(SSL *,int ,int,
unsigned char *, int, void *))fp;
return(0);
}
break;
-#ifndef OPENSSL_NO_DH
case SSL_CTRL_SET_TMP_DH:
{
DH *new=NULL,*dh;
return(0);
}
break;
-#endif
-#ifndef OPENSSL_NO_ECDH
case SSL_CTRL_SET_TMP_ECDH:
{
EC_KEY *ecdh = NULL;
return(0);
}
break;
-#endif /* !OPENSSL_NO_ECDH */
case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG:
ctx->tlsext_servername_arg=parg;
break;
return 1;
break;
-#ifndef OPENSSL_NO_EC
case SSL_CTRL_SET_CURVES:
return tls1_set_curves(&ctx->tlsext_ellipticcurvelist,
&ctx->tlsext_ellipticcurvelist_length,
case SSL_CTRL_SET_ECDH_AUTO:
ctx->cert->ecdh_tmp_auto = larg;
return 1;
-#endif
case SSL_CTRL_SET_SIGALGS:
return tls1_set_sigalgs(ctx->cert, parg, larg, 0);
case SSL_CTRL_SET_TMP_RSA_CB:
/* Ignore the callback; temporary RSA keys are never used. */
break;
-#ifndef OPENSSL_NO_DH
case SSL_CTRL_SET_TMP_DH_CB:
{
cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
}
break;
-#endif
-#ifndef OPENSSL_NO_ECDH
case SSL_CTRL_SET_TMP_ECDH_CB:
{
cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp;
}
break;
-#endif
case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB:
ctx->tlsext_servername_callback=(int (*)(SSL *,int *,void *))fp;
break;
return NULL;
}
-SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
+const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
struct ssl_cipher_preference_list_st *server_pref)
{
- SSL_CIPHER *c,*ret=NULL;
+ const SSL_CIPHER *c,*ret=NULL;
STACK_OF(SSL_CIPHER) *srvr = server_pref->ciphers, *prio, *allow;
int i,ok;
size_t cipher_index;
}
#endif
- if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || tls1_suiteb(s))
+ if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
{
prio = srvr;
in_group_flags = server_pref->in_group_flags;
c->name);
#endif
-#ifndef OPENSSL_NO_EC
/* if we are considering an ECC cipher suite that uses
* an ephemeral EC key check it */
if (alg_k & SSL_kEECDH)
ok = ok && tls1_check_ec_tmp_key(s, c->id);
-#endif /* OPENSSL_NO_EC */
if (ok && sk_SSL_CIPHER_find(allow, &cipher_index, c))
{
int ret=0;
const unsigned char *sig;
size_t i, siglen;
- int have_rsa_sign = 0, have_dsa_sign = 0;
-#ifndef OPENSSL_NO_ECDSA
+ int have_rsa_sign = 0;
int have_ecdsa_sign = 0;
-#endif
- int nostrict = 1;
- unsigned long alg_k;
/* If we have custom certificate types set, use them */
if (s->cert->client_certificate_types)
}
/* get configured sigalgs */
siglen = tls12_get_psigalgs(s, &sig);
- if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
- nostrict = 0;
for (i = 0; i < siglen; i+=2, sig+=2)
{
switch(sig[1])
have_rsa_sign = 1;
break;
- case TLSEXT_signature_dsa:
- have_dsa_sign = 1;
- break;
-#ifndef OPENSSL_NO_ECDSA
case TLSEXT_signature_ecdsa:
have_ecdsa_sign = 1;
break;
-#endif
}
}
- alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
-
-#ifndef OPENSSL_NO_DH
- if (alg_k & (SSL_kDHr|SSL_kEDH))
- {
- /* Since this refers to a certificate signed with an RSA
- * algorithm, only check for rsa signing in strict mode.
- */
- if (nostrict || have_rsa_sign)
- p[ret++]=SSL3_CT_RSA_FIXED_DH;
-# ifndef OPENSSL_NO_DSA
- if (nostrict || have_dsa_sign)
- p[ret++]=SSL3_CT_DSS_FIXED_DH;
-# endif
- }
- if ((s->version == SSL3_VERSION) &&
- (alg_k & (SSL_kEDH|SSL_kDHd|SSL_kDHr)))
- {
- p[ret++]=SSL3_CT_RSA_EPHEMERAL_DH;
-# ifndef OPENSSL_NO_DSA
- p[ret++]=SSL3_CT_DSS_EPHEMERAL_DH;
-# endif
- }
-#endif /* !OPENSSL_NO_DH */
if (have_rsa_sign)
p[ret++]=SSL3_CT_RSA_SIGN;
-#ifndef OPENSSL_NO_DSA
- if (have_dsa_sign)
- p[ret++]=SSL3_CT_DSS_SIGN;
-#endif
-#ifndef OPENSSL_NO_ECDH
- if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->version >= TLS1_VERSION))
- {
- if (nostrict || have_rsa_sign)
- p[ret++]=TLS_CT_RSA_FIXED_ECDH;
- if (nostrict || have_ecdsa_sign)
- p[ret++]=TLS_CT_ECDSA_FIXED_ECDH;
- }
-#endif
-#ifndef OPENSSL_NO_ECDSA
/* ECDSA certs can be used with RSA cipher suites as well
* so we don't need to check for SSL_kECDH or SSL_kEECDH
*/
if (have_ecdsa_sign)
p[ret++]=TLS_CT_ECDSA_SIGN;
}
-#endif
return(ret);
}