-#define SSL_MKEY_MASK 0x200000FFL
-#define SSL_kRSA 0x00000001L /* RSA key exchange */
-#define SSL_kDHr 0x00000002L /* DH cert, RSA CA cert */ /* no such ciphersuites supported! */
-#define SSL_kDHd 0x00000004L /* DH cert, DSA CA cert */ /* no such ciphersuite supported! */
-#define SSL_kEDH 0x00000008L /* tmp DH key no DH cert */
-#define SSL_EDH (SSL_kEDH|(SSL_AUTH_MASK^SSL_aNULL))
-#define SSL_kKRB5 0x00000010L /* Kerberos5 key exchange */
-#define SSL_kECDHr 0x00000020L /* ECDH cert, RSA CA cert */
-#define SSL_kECDHe 0x00000040L /* ECDH cert, ECDSA CA cert */
-#define SSL_kECDH (SSL_kECDHr|SSL_kECDHe)
-#define SSL_kEECDH 0x00000080L /* ephemeral ECDH */
-#define SSL_EECDH (SSL_kEECDH|(SSL_AUTH_MASK^SSL_aNULL))
-#define SSL_kPSK 0x20000000L /* PSK */
-
-#define SSL_AUTH_MASK 0x10007f00L
-#define SSL_aRSA 0x00000100L /* RSA auth */
-#define SSL_aDSS 0x00000200L /* DSS auth */
-#define SSL_DSS SSL_aDSS
-#define SSL_aNULL 0x00000400L /* no auth (i.e. use ADH or AECDH) */
-#define SSL_aDH 0x00000800L /* Fixed DH auth (kDHd or kDHr) */ /* no such ciphersuites supported! */
-#define SSL_aECDH 0x00001000L /* Fixed ECDH auth (kECDHe or kECDHr) */
-#define SSL_aKRB5 0x00002000L /* KRB5 auth */
-#define SSL_aECDSA 0x00004000L /* ECDSA auth*/
-#define SSL_ECDSA SSL_aECDSA
-#define SSL_aPSK 0x10000000L /* PSK auth */
-
-#define SSL_NULL (SSL_eNULL)
-#define SSL_RSA (SSL_kRSA|SSL_aRSA)
-#define SSL_DH (SSL_kDHr|SSL_kDHd|SSL_kEDH)
-#define SSL_ADH (SSL_kEDH|SSL_aNULL)
-#define SSL_ECDH (SSL_kECDH|SSL_kEECDH)
-#define SSL_AECDH (SSL_kEECDH|SSL_aNULL)
-#define SSL_KRB5 (SSL_kKRB5|SSL_aKRB5)
-#define SSL_PSK (SSL_kPSK|SSL_aPSK)
-
-#define SSL_ENC_MASK 0x0C3F8000L
-#define SSL_DES 0x00008000L
-#define SSL_3DES 0x00010000L
-#define SSL_RC4 0x00020000L
-#define SSL_RC2 0x00040000L
-#define SSL_IDEA 0x00080000L
-#define SSL_eNULL 0x00200000L
-#define SSL_AES 0x04000000L
-#define SSL_CAMELLIA 0x08000000L
-
-#define SSL_MAC_MASK 0x00c00000L
-#define SSL_MD5 0x00400000L
-#define SSL_SHA1 0x00800000L
-#define SSL_SHA (SSL_SHA1)
-
-#define SSL_SSL_MASK 0x03000000L
-#define SSL_SSLV2 0x01000000L
-#define SSL_SSLV3 0x02000000L
-#define SSL_TLSV1 SSL_SSLV3 /* for now */
-
-/* we have used 3fffffff - 2 bits left to go. */
+
+/* Bits for algorithm_mkey (key exchange algorithm) */
+/* RSA key exchange */
+# define SSL_kRSA 0x00000001L
+/* DH cert, RSA CA cert */
+/* no such ciphersuites supported! */
+# define SSL_kDHr 0x00000002L
+/* DH cert, DSA CA cert */
+/* no such ciphersuite supported! */
+# define SSL_kDHd 0x00000004L
+/* tmp DH key no DH cert */
+# define SSL_kEDH 0x00000008L
+/* Kerberos5 key exchange */
+# define SSL_kKRB5 0x00000010L
+/* ECDH cert, RSA CA cert */
+# define SSL_kECDHr 0x00000020L
+/* ECDH cert, ECDSA CA cert */
+# define SSL_kECDHe 0x00000040L
+/* ephemeral ECDH */
+# define SSL_kEECDH 0x00000080L
+/* PSK */
+# define SSL_kPSK 0x00000100L
+/* GOST key exchange */
+# define SSL_kGOST 0x00000200L
+/* SRP */
+# define SSL_kSRP 0x00000400L
+
+/* Bits for algorithm_auth (server authentication) */
+/* RSA auth */
+# define SSL_aRSA 0x00000001L
+/* DSS auth */
+# define SSL_aDSS 0x00000002L
+/* no auth (i.e. use ADH or AECDH) */
+# define SSL_aNULL 0x00000004L
+/* Fixed DH auth (kDHd or kDHr) */
+/* no such ciphersuites supported! */
+# define SSL_aDH 0x00000008L
+/* Fixed ECDH auth (kECDHe or kECDHr) */
+# define SSL_aECDH 0x00000010L
+/* KRB5 auth */
+# define SSL_aKRB5 0x00000020L
+/* ECDSA auth*/
+# define SSL_aECDSA 0x00000040L
+/* PSK auth */
+# define SSL_aPSK 0x00000080L
+/* GOST R 34.10-94 signature auth */
+# define SSL_aGOST94 0x00000100L
+/* GOST R 34.10-2001 signature auth */
+# define SSL_aGOST01 0x00000200L
+/* SRP auth */
+# define SSL_aSRP 0x00000400L
+
+/* Bits for algorithm_enc (symmetric encryption) */
+# define SSL_DES 0x00000001L
+# define SSL_3DES 0x00000002L
+# define SSL_RC4 0x00000004L
+# define SSL_RC2 0x00000008L
+# define SSL_IDEA 0x00000010L
+# define SSL_eNULL 0x00000020L
+# define SSL_AES128 0x00000040L
+# define SSL_AES256 0x00000080L
+# define SSL_CAMELLIA128 0x00000100L
+# define SSL_CAMELLIA256 0x00000200L
+# define SSL_eGOST2814789CNT 0x00000400L
+# define SSL_SEED 0x00000800L
+# define SSL_AES128GCM 0x00001000L
+# define SSL_AES256GCM 0x00002000L
+
+# define SSL_AES (SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM)
+# define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256)
+
+/* Bits for algorithm_mac (symmetric authentication) */
+
+# define SSL_MD5 0x00000001L
+# define SSL_SHA1 0x00000002L
+# define SSL_GOST94 0x00000004L
+# define SSL_GOST89MAC 0x00000008L
+# define SSL_SHA256 0x00000010L
+# define SSL_SHA384 0x00000020L
+/* Not a real MAC, just an indication it is part of cipher */
+# define SSL_AEAD 0x00000040L
+
+/* Bits for algorithm_ssl (protocol version) */
+# define SSL_SSLV2 0x00000001UL
+# define SSL_SSLV3 0x00000002UL
+# define SSL_TLSV1 SSL_SSLV3/* for now */
+# define SSL_TLSV1_2 0x00000004UL
+
+/* Bits for algorithm2 (handshake digests and other extra flags) */
+
+# define SSL_HANDSHAKE_MAC_MD5 0x10
+# define SSL_HANDSHAKE_MAC_SHA 0x20
+# define SSL_HANDSHAKE_MAC_GOST94 0x40
+# define SSL_HANDSHAKE_MAC_SHA256 0x80
+# define SSL_HANDSHAKE_MAC_SHA384 0x100
+# define SSL_HANDSHAKE_MAC_DEFAULT (SSL_HANDSHAKE_MAC_MD5 | SSL_HANDSHAKE_MAC_SHA)
+
+/*
+ * When adding new digest in the ssl_ciph.c and increment SSM_MD_NUM_IDX make
+ * sure to update this constant too
+ */
+# define SSL_MAX_DIGEST 6
+
+# define TLS1_PRF_DGST_MASK (0xff << TLS1_PRF_DGST_SHIFT)
+
+# define TLS1_PRF_DGST_SHIFT 10
+# define TLS1_PRF_MD5 (SSL_HANDSHAKE_MAC_MD5 << TLS1_PRF_DGST_SHIFT)
+# define TLS1_PRF_SHA1 (SSL_HANDSHAKE_MAC_SHA << TLS1_PRF_DGST_SHIFT)
+# define TLS1_PRF_SHA256 (SSL_HANDSHAKE_MAC_SHA256 << TLS1_PRF_DGST_SHIFT)
+# define TLS1_PRF_SHA384 (SSL_HANDSHAKE_MAC_SHA384 << TLS1_PRF_DGST_SHIFT)
+# define TLS1_PRF_GOST94 (SSL_HANDSHAKE_MAC_GOST94 << TLS1_PRF_DGST_SHIFT)
+# define TLS1_PRF (TLS1_PRF_MD5 | TLS1_PRF_SHA1)
+
+/*
+ * Stream MAC for GOST ciphersuites from cryptopro draft (currently this also
+ * goes into algorithm2)
+ */
+# define TLS1_STREAM_MAC 0x04