X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fs3_lib.c;h=51fb161dd667bd0736801572d4bf668201dc345f;hp=54b8eba9cfd8f9ab96b0da8df8688d6e5c207814;hb=8f675b6e98087d5be05cc3ceb9af97cae18bd3e5;hpb=0982ecaaee78a106c5db440317b0a8a9c0022bed diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 54b8eba9cf..51fb161dd6 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -1,4 +1,3 @@ -/* ssl/s3_lib.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -160,7 +159,7 @@ #define SSL3_NUM_CIPHERS OSSL_NELEM(ssl3_ciphers) /* list of available SSLv3 ciphers (sorted by id) */ -OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { +static const SSL_CIPHER ssl3_ciphers[] = { /* The RSA ciphers */ /* Cipher 01 */ @@ -173,7 +172,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_eNULL, SSL_MD5, SSL_SSLV3, - SSL_NOT_DEFAULT | SSL_STRONG_NONE, + SSL_STRONG_NONE, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 0, 0, @@ -189,13 +188,14 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_eNULL, SSL_SHA1, SSL_SSLV3, - SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS, + SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 0, 0, }, /* Cipher 04 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, SSL3_TXT_RSA_RC4_128_MD5, @@ -226,6 +226,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 128, 128, }, +#endif /* Cipher 07 */ #ifndef OPENSSL_NO_IDEA @@ -238,7 +239,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_IDEA, SSL_SHA1, SSL_SSLV3, - SSL_MEDIUM, + SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, @@ -271,7 +272,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_3DES, SSL_SHA1, SSL_SSLV3, - SSL_HIGH | SSL_FIPS, + SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, @@ -294,6 +295,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { }, /* Cipher 18 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, SSL3_TXT_ADH_RC4_128_MD5, 
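Review bot: Dropping `SSL_NOT_DEFAULT` from the `SSL_eNULL` entry in the `@@ -173,7 +172,7 @@` hunk means the table no longer records that NULL-encryption suites are kept out of the default list. Their exclusion presumably now rests on cipher-string handling that this diff does not show. The same edit recurs on the other `SSL_eNULL` / `SSL_STRONG_NONE` entries throughout the diff (for example the hunks at -189, -335, -509, -737, -1345, -1736 and -2561). If the default cipher string excludes eNULL separately, say so above the table, e.g. `/* eNULL suites are kept out of the default list by the cipher-string rules, not by SSL_NOT_DEFAULT */`. A test asserting that no `SSL_eNULL` suite appears in the default list would catch a regression.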
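Review bot: The `#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS` added in the `@@ -189,13 +188,14 @@` hunk opens after the `/* Cipher 04 */` comment and is closed by a bare `#endif` in the next hunk, just before `/* Cipher 07 */`. Judging by the line numbers, one guard spans more than one table entry, with nothing marking where it ends or what it covers. Every guarded entry whose name is visible in this diff is an RC4 suite, and these suites stay compiled in unless the macro is defined, which happens outside this file. I would label the closing lines the way the file already does for Camellia, `#endif /* OPENSSL_NO_WEAK_SSL_CIPHERS */`, and add a one-line comment at the first guard stating which suites it covers; the same applies to the guards in the later hunks (-294, -814, -878, -942, -1736, -1896, -1976, -2422).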
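Review bot: The `SSL_3DES` entry in the `@@ -271,7 +272,7 @@` hunk gains `SSL_NOT_DEFAULT` but stays in the `SSL_HIGH` class although its strength field is 112. A configuration that selects suites by strength class rather than through the default list would presumably still pick it up alongside the 128- and 256-bit suites. If the intent is to steer users away from it, consider `SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,` here, with the same class change on the `SSL_3DES` entry in the `@@ -2090,7 +1929,7 @@` hunk; if HIGH is deliberate, a short comment giving the reason would help. The entry's name and key-exchange fields are outside the hunk, so which suite this is cannot be confirmed from here.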
@@ -308,6 +310,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 128, 128, }, +#endif /* Cipher 1B */ { @@ -335,7 +338,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_eNULL, SSL_SHA1, SSL_SSLV3, - SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS, + SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 0, 0, @@ -350,7 +353,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_eNULL, SSL_SHA1, SSL_SSLV3, - SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS, + SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 0, 0, @@ -365,7 +368,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_eNULL, SSL_SHA1, SSL_SSLV3, - SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS, + SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 0, 0, @@ -398,7 +401,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_AES128, SSL_SHA1, SSL_SSLV3, - SSL_HIGH | SSL_FIPS, + SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, @@ -460,7 +463,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_AES256, SSL_SHA1, SSL_SSLV3, - SSL_HIGH | SSL_FIPS, + SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, @@ -509,7 +512,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_eNULL, SSL_SHA256, SSL_TLSV1_2, - SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS, + SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 0, 0, @@ -557,7 +560,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_AES128, SSL_SHA256, SSL_TLSV1_2, - SSL_HIGH | SSL_FIPS, + SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, @@ -576,7 +579,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA128, SSL_SHA1, SSL_SSLV3, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, 
@@ -592,7 +595,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA128, SSL_SHA1, SSL_SSLV3, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, @@ -608,7 +611,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA128, SSL_SHA1, SSL_SSLV3, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, @@ -658,7 +661,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_AES256, SSL_SHA256, SSL_TLSV1_2, - SSL_HIGH | SSL_FIPS, + SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, @@ -737,7 +740,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_eNULL, SSL_GOST94, SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_STRONG_NONE, + SSL_STRONG_NONE, SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94, 0, 0 @@ -756,7 +759,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA256, SSL_SHA1, SSL_SSLV3, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, @@ -772,7 +775,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA256, SSL_SHA1, SSL_SSLV3, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, @@ -788,7 +791,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA256, SSL_SHA1, SSL_SSLV3, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, @@ -814,6 +817,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { #ifndef OPENSSL_NO_PSK /* PSK ciphersuites from RFC 4279 */ /* Cipher 8A */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_PSK_WITH_RC4_128_SHA, @@ -828,6 +832,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 128, 128, }, +#endif /* Cipher 8B */ { @@ -878,6 +883,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { }, /* Cipher 8E */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_DHE_PSK_WITH_RC4_128_SHA, 
@@ -892,6 +898,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 128, 128, }, +#endif /* Cipher 8F */ { @@ -942,6 +949,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { }, /* Cipher 92 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_RSA_PSK_WITH_RC4_128_SHA, @@ -956,6 +964,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 128, 128, }, +#endif /* Cipher 93 */ { @@ -1019,7 +1028,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_SEED, SSL_SHA1, SSL_SSLV3, - SSL_MEDIUM, + SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, @@ -1035,7 +1044,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_SEED, SSL_SHA1, SSL_SSLV3, - SSL_MEDIUM, + SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, @@ -1051,7 +1060,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_SEED, SSL_SHA1, SSL_SSLV3, - SSL_MEDIUM, + SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, @@ -1151,7 +1160,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_AES128GCM, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH | SSL_FIPS, + SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, @@ -1167,7 +1176,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_AES256GCM, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH | SSL_FIPS, + SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, 256, @@ -1345,7 +1354,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_eNULL, SSL_SHA256, SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS, + SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 0, 0, @@ -1361,7 +1370,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_eNULL, SSL_SHA384, SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS, + SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 0, 0, 
@@ -1409,7 +1418,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_eNULL, SSL_SHA256, SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS, + SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 0, 0, @@ -1425,7 +1434,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_eNULL, SSL_SHA384, SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS, + SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 0, 0, @@ -1473,7 +1482,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_eNULL, SSL_SHA256, SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS, + SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 0, 0, @@ -1489,7 +1498,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_eNULL, SSL_SHA384, SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS, + SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 0, 0, @@ -1509,7 +1518,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA128, SSL_SHA256, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, @@ -1525,7 +1534,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA128, SSL_SHA256, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, @@ -1541,7 +1550,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA128, SSL_SHA256, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, @@ -1573,7 +1582,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA256, SSL_SHA256, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, @@ -1589,7 +1598,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA256, SSL_SHA256, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, 
@@ -1605,7 +1614,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA256, SSL_SHA256, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, @@ -1628,103 +1637,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { }, #endif -#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL - /* Cipher FF */ - { - 1, - "SCSV", - SSL3_CK_SCSV, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0}, -#endif - #ifndef OPENSSL_NO_EC - /* Cipher C001 */ - { - 1, - TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA, - TLS1_CK_ECDH_ECDSA_WITH_NULL_SHA, - SSL_kECDHe, - SSL_aECDH, - SSL_eNULL, - SSL_SHA1, - SSL_SSLV3, - SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 0, - 0, - }, - - /* Cipher C002 */ - { - 1, - TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA, - TLS1_CK_ECDH_ECDSA_WITH_RC4_128_SHA, - SSL_kECDHe, - SSL_aECDH, - SSL_RC4, - SSL_SHA1, - SSL_SSLV3, - SSL_NOT_DEFAULT | SSL_MEDIUM, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, - }, - - /* Cipher C003 */ - { - 1, - TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA, - TLS1_CK_ECDH_ECDSA_WITH_DES_192_CBC3_SHA, - SSL_kECDHe, - SSL_aECDH, - SSL_3DES, - SSL_SHA1, - SSL_SSLV3, - SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 112, - 168, - }, - - /* Cipher C004 */ - { - 1, - TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA, - TLS1_CK_ECDH_ECDSA_WITH_AES_128_CBC_SHA, - SSL_kECDHe, - SSL_aECDH, - SSL_AES128, - SSL_SHA1, - SSL_SSLV3, - SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, - }, - - /* Cipher C005 */ - { - 1, - TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA, - TLS1_CK_ECDH_ECDSA_WITH_AES_256_CBC_SHA, - SSL_kECDHe, - SSL_aECDH, - SSL_AES256, - SSL_SHA1, - SSL_SSLV3, - SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 256, - 256, - }, /* Cipher C006 */ { 
@@ -1736,13 +1649,14 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_eNULL, SSL_SHA1, SSL_SSLV3, - SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS, + SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 0, 0, }, /* Cipher C007 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA, @@ -1757,6 +1671,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 128, 128, }, +#endif /* Cipher C008 */ { @@ -1806,86 +1721,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 256, }, - /* Cipher C00B */ - { - 1, - TLS1_TXT_ECDH_RSA_WITH_NULL_SHA, - TLS1_CK_ECDH_RSA_WITH_NULL_SHA, - SSL_kECDHr, - SSL_aECDH, - SSL_eNULL, - SSL_SHA1, - SSL_SSLV3, - SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 0, - 0, - }, - - /* Cipher C00C */ - { - 1, - TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA, - TLS1_CK_ECDH_RSA_WITH_RC4_128_SHA, - SSL_kECDHr, - SSL_aECDH, - SSL_RC4, - SSL_SHA1, - SSL_SSLV3, - SSL_NOT_DEFAULT | SSL_MEDIUM, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, - }, - - /* Cipher C00D */ - { - 1, - TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA, - TLS1_CK_ECDH_RSA_WITH_DES_192_CBC3_SHA, - SSL_kECDHr, - SSL_aECDH, - SSL_3DES, - SSL_SHA1, - SSL_SSLV3, - SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 112, - 168, - }, - - /* Cipher C00E */ - { - 1, - TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA, - TLS1_CK_ECDH_RSA_WITH_AES_128_CBC_SHA, - SSL_kECDHr, - SSL_aECDH, - SSL_AES128, - SSL_SHA1, - SSL_SSLV3, - SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, - }, - - /* Cipher C00F */ - { - 1, - TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA, - TLS1_CK_ECDH_RSA_WITH_AES_256_CBC_SHA, - SSL_kECDHr, - SSL_aECDH, - SSL_AES256, - SSL_SHA1, - SSL_SSLV3, - SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 256, - 256, - }, - /* Cipher C010 */ { 1, 
@@ -1896,13 +1731,14 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_eNULL, SSL_SHA1, SSL_SSLV3, - SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS, + SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 0, 0, }, /* Cipher C011 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA, @@ -1917,6 +1753,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 128, 128, }, +#endif /* Cipher C012 */ { @@ -1976,13 +1813,14 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_eNULL, SSL_SHA1, SSL_SSLV3, - SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS, + SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 0, 0, }, /* Cipher C016 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA, @@ -1997,6 +1835,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 128, 128, }, +#endif /* Cipher C017 */ { @@ -2090,7 +1929,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_3DES, SSL_SHA1, SSL_SSLV3, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, @@ -2138,7 +1977,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_AES128, SSL_SHA1, SSL_SSLV3, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, @@ -2186,7 +2025,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_AES256, SSL_SHA1, SSL_SSLV3, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, 
@@ -2228,37 +2067,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 256, }, - /* Cipher C025 */ - { - 1, - TLS1_TXT_ECDH_ECDSA_WITH_AES_128_SHA256, - TLS1_CK_ECDH_ECDSA_WITH_AES_128_SHA256, - SSL_kECDHe, - SSL_aECDH, - SSL_AES128, - SSL_SHA256, - SSL_TLSV1_2, - SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 128, - 128, - }, - - /* Cipher C026 */ - { - 1, - TLS1_TXT_ECDH_ECDSA_WITH_AES_256_SHA384, - TLS1_CK_ECDH_ECDSA_WITH_AES_256_SHA384, - SSL_kECDHe, - SSL_aECDH, - SSL_AES256, - SSL_SHA384, - SSL_TLSV1_2, - SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, - 256, - 256, - }, /* Cipher C027 */ { @@ -2292,38 +2100,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 256, }, - /* Cipher C029 */ - { - 1, - TLS1_TXT_ECDH_RSA_WITH_AES_128_SHA256, - TLS1_CK_ECDH_RSA_WITH_AES_128_SHA256, - SSL_kECDHr, - SSL_aECDH, - SSL_AES128, - SSL_SHA256, - SSL_TLSV1_2, - SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 128, - 128, - }, - - /* Cipher C02A */ - { - 1, - TLS1_TXT_ECDH_RSA_WITH_AES_256_SHA384, - TLS1_CK_ECDH_RSA_WITH_AES_256_SHA384, - SSL_kECDHr, - SSL_aECDH, - SSL_AES256, - SSL_SHA384, - SSL_TLSV1_2, - SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, - 256, - 256, - }, - /* GCM based TLS v1.2 ciphersuites from RFC5289 */ /* Cipher C02B */ 
@@ -2358,38 +2134,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 256, }, - /* Cipher C02D */ - { - 1, - TLS1_TXT_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, - TLS1_CK_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, - SSL_kECDHe, - SSL_aECDH, - SSL_AES128GCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 128, - 128, - }, - - /* Cipher C02E */ - { - 1, - TLS1_TXT_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, - TLS1_CK_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, - SSL_kECDHe, - SSL_aECDH, - SSL_AES256GCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, - 256, - 256, - }, - /* Cipher C02F */ { 1, @@ -2422,40 +2166,9 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 256, }, - /* Cipher C031 */ - { - 1, - TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256, - TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256, - SSL_kECDHr, - SSL_aECDH, - SSL_AES128GCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 128, - 128, - }, - - /* Cipher C032 */ - { - 1, - TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384, - TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384, - SSL_kECDHr, - SSL_aECDH, - SSL_AES256GCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, - 256, - 256, - }, - /* PSK ciphersuites from RFC 5489 */ /* Cipher C033 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_ECDHE_PSK_WITH_RC4_128_SHA, @@ -2470,6 +2183,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 128, 128, }, +#endif /* Cipher C034 */ { @@ -2561,7 +2275,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_eNULL, SSL_SHA1, SSL_SSLV3, - SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS, + SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 0, 0, 
@@ -2577,7 +2291,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_eNULL, SSL_SHA256, SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS, + SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 0, 0, @@ -2593,7 +2307,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_eNULL, SSL_SHA384, SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS, + SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 0, 0, @@ -2609,7 +2323,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA128, SSL_SHA256, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128}, @@ -2623,35 +2337,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA256, SSL_SHA384, SSL_TLSV1_2, - SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, - 256, - 256}, - - { /* Cipher C074 */ - 1, - TLS1_TXT_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, - TLS1_CK_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, - SSL_kECDHe, - SSL_aECDH, - SSL_CAMELLIA128, - SSL_SHA256, - SSL_TLSV1_2, - SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 128, - 128}, - - { /* Cipher C075 */ - 1, - TLS1_TXT_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, - TLS1_CK_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, - SSL_kECDHe, - SSL_aECDH, - SSL_CAMELLIA256, - SSL_SHA384, - SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, 256}, @@ -2665,7 +2351,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA128, SSL_SHA256, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128}, 
@@ -2679,38 +2365,11 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA256, SSL_SHA384, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, 256}, - { /* Cipher C078 */ - 1, - TLS1_TXT_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256, - TLS1_CK_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256, - SSL_kECDHr, - SSL_aECDH, - SSL_CAMELLIA128, - SSL_SHA256, - SSL_TLSV1_2, - SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 128, - 128}, - - { /* Cipher C079 */ - 1, - TLS1_TXT_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384, - TLS1_CK_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384, - SSL_kECDHr, - SSL_aECDH, - SSL_CAMELLIA256, - SSL_SHA384, - SSL_TLSV1_2, - SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, - 256, - 256}, # endif /* OPENSSL_NO_CAMELLIA */ #endif /* OPENSSL_NO_EC */ @@ -2724,7 +2383,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA128, SSL_SHA256, SSL_TLSV1, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128}, @@ -2738,7 +2397,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA256, SSL_SHA384, SSL_TLSV1, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, 256}, @@ -2752,7 +2411,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA128, SSL_SHA256, SSL_TLSV1, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128}, @@ -2766,7 +2425,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA256, SSL_SHA384, SSL_TLSV1, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, 256}, @@ -2780,7 +2439,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA128, SSL_SHA256, SSL_TLSV1, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128}, 
@@ -2794,7 +2453,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA256, SSL_SHA384, SSL_TLSV1, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, 256}, @@ -2808,7 +2467,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA128, SSL_SHA256, SSL_TLSV1, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128}, @@ -2822,7 +2481,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA256, SSL_SHA384, SSL_TLSV1, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, 256}, @@ -2838,7 +2497,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_AES128CCM, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, @@ -2854,7 +2513,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_AES256CCM, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, @@ -2870,7 +2529,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_AES128CCM, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, @@ -2886,7 +2545,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_AES256CCM, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, @@ -2902,7 +2561,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_AES128CCM8, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, @@ -2918,7 +2577,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_AES256CCM8, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, 
@@ -2934,7 +2593,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_AES128CCM8, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, @@ -2950,7 +2609,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_AES256CCM8, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, @@ -2966,7 +2625,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_AES128CCM, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, @@ -2982,7 +2641,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_AES256CCM, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, @@ -2998,7 +2657,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_AES128CCM, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, @@ -3014,7 +2673,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_AES256CCM, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, @@ -3030,7 +2689,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_AES128CCM8, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, @@ -3046,7 +2705,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_AES256CCM8, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, @@ -3062,7 +2721,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_AES128CCM8, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, 
@@ -3078,7 +2737,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_AES256CCM8, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, @@ -3094,7 +2753,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_AES128CCM, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, @@ -3110,7 +2769,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_AES256CCM, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, @@ -3126,7 +2785,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_AES128CCM8, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, @@ -3142,14 +2801,14 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_AES256CCM8, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, }, #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) # ifndef OPENSSL_NO_EC - /* Cipher CCA8 as per draft-ietf-tls-chacha20-poly1305-03 */ + /* Cipher CCA8 */ { 1, TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305, @@ -3284,7 +2943,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_GOST12_256, SSL_TLSV1, SSL_STRONG_NONE, - SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256, + SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_STREAM_MAC, 0, 0}, #endif @@ -3388,6 +3047,7 @@ void ssl3_free(SSL *s) OPENSSL_free(s->s3->tmp.peer_sigalgs); ssl3_free_digest_list(s); OPENSSL_free(s->s3->alpn_selected); + OPENSSL_free(s->s3->alpn_proposed); #ifndef OPENSSL_NO_SRP SSL_SRP_CTX_free(s); 
@@ -3401,37 +3061,24 @@ void ssl3_clear(SSL *s) ssl3_cleanup_key_block(s); sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free); OPENSSL_free(s->s3->tmp.ciphers_raw); - s->s3->tmp.ciphers_raw = NULL; OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen); - s->s3->tmp.pms = NULL; OPENSSL_free(s->s3->tmp.peer_sigalgs); - s->s3->tmp.peer_sigalgs = NULL; -#ifndef OPENSSL_NO_EC - s->s3->is_probably_safari = 0; -#endif #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) EVP_PKEY_free(s->s3->tmp.pkey); - s->s3->tmp.pkey = NULL; EVP_PKEY_free(s->s3->peer_tmp); - s->s3->peer_tmp = NULL; #endif /* !OPENSSL_NO_EC */ ssl3_free_digest_list(s); - if (s->s3->alpn_selected) { - OPENSSL_free(s->s3->alpn_selected); - s->s3->alpn_selected = NULL; - } + OPENSSL_free(s->s3->alpn_selected); + OPENSSL_free(s->s3->alpn_proposed); + /* NULL/zero-out everything in the s3 struct */ memset(s->s3, 0, sizeof(*s->s3)); ssl_free_wbio_buffer(s); - s->s3->renegotiate = 0; - s->s3->total_renegotiations = 0; - s->s3->num_renegotiations = 0; - s->s3->in_read_app_data = 0; s->version = SSL3_VERSION; #if !defined(OPENSSL_NO_NEXTPROTONEG) @@ -3456,9 +3103,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) int ret = 0; switch (cmd) { - case SSL_CTRL_GET_SESSION_REUSED: - ret = s->hit; - break; case SSL_CTRL_GET_CLIENT_CERT_REQUEST: break; case SSL_CTRL_GET_NUM_RENEGOTIATIONS: 
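Review bot: With the explicit `= NULL` assignments removed, the pointers freed at the top of ssl3_clear (`tmp.ciphers_raw`, `tmp.pms`, `tmp.peer_sigalgs`, `tmp.pkey`, `peer_tmp`) stay dangling until `memset(s->s3, 0, sizeof(*s->s3))`, and `ssl3_free_digest_list(s)` runs inside that window. Nothing visible in the hunk reads those fields in between, but the safety now depends on statement order that the one-line comment does not spell out. A later early return or call inserted before the memset would leave stale pointers for ssl3_free to free a second time. I would extend the comment to `/* The frees above leave stale pointers; this memset is what resets them, so keep it directly after the frees with no return in between */`. The function's opening and closing lines are outside the hunk.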
@@ -3598,23 +3242,24 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) break; #ifndef OPENSSL_NO_HEARTBEATS - case SSL_CTRL_TLS_EXT_SEND_HEARTBEAT: + case SSL_CTRL_DTLS_EXT_SEND_HEARTBEAT: if (SSL_IS_DTLS(s)) ret = dtls1_heartbeat(s); - else - ret = tls1_heartbeat(s); break; - case SSL_CTRL_GET_TLS_EXT_HEARTBEAT_PENDING: - ret = s->tlsext_hb_pending; + case SSL_CTRL_GET_DTLS_EXT_HEARTBEAT_PENDING: + if (SSL_IS_DTLS(s)) + ret = s->tlsext_hb_pending; break; - case SSL_CTRL_SET_TLS_EXT_HEARTBEAT_NO_REQUESTS: - if (larg) - s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_RECV_REQUESTS; - else - s->tlsext_heartbeat &= ~SSL_TLSEXT_HB_DONT_RECV_REQUESTS; - ret = 1; + case SSL_CTRL_SET_DTLS_EXT_HEARTBEAT_NO_REQUESTS: + if (SSL_IS_DTLS(s)) { + if (larg) + s->tlsext_heartbeat |= SSL_DTLSEXT_HB_DONT_RECV_REQUESTS; + else + s->tlsext_heartbeat &= ~SSL_DTLSEXT_HB_DONT_RECV_REQUESTS; + ret = 1; + } break; #endif @@ -3800,7 +3445,7 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void)) #endif case SSL_CTRL_SET_TLSEXT_DEBUG_CB: s->tlsext_debug_cb = (void (*)(SSL *, int, int, - unsigned char *, int, void *))fp; + const unsigned char *, int, void *))fp; break; case SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB: @@ -4087,10 +3732,6 @@ const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p) id = 0x03000000 | ((uint32_t)p[0] << 8L) | (uint32_t)p[1]; c.id = id; cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS); -#ifdef DEBUG_PRINT_UNKNOWN_CIPHERSUITES - if (cp == NULL) - fprintf(stderr, "Unknown cipher ID %x\n", (p[0] << 8) | p[1]); -#endif return cp; } @@ -4153,6 +3794,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, } tls1_set_cert_validity(s); + ssl_set_masks(s); for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) { c = sk_SSL_CIPHER_value(prio, i); 
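Review bot: On a non-DTLS connection the three renamed heartbeat controls now fall through with `ret` left at its initial 0. For `SSL_CTRL_GET_DTLS_EXT_HEARTBEAT_PENDING` that is presumably the same value as "nothing pending", and for the send and set controls the caller gets no indication that the request was ignored. Restricting heartbeats to DTLS is a sensible reduction of exposed surface, but the silent no-op should be documented at the first case, e.g. `/* Heartbeat controls are DTLS-only; on a TLS connection they are ignored and return 0 */`. If the project has a suitable error reason, queuing it on the non-DTLS path would let callers tell the two cases apart. The body of ssl3_ctrl starts and ends outside this hunk.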
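Review bot: `ssl_set_masks(s)` is now called once before the loop in the `@@ -4153,6 +3794,7 @@` hunk, directly after `tls1_set_cert_validity(s)`, while the loop body in the following hunk (`@@ -4164,7 +3806,6 @@`) still reads `s->s3->tmp.mask_k` and `mask_a` on every pass. That is correct only if the masks no longer depend on the candidate cipher and are computed after certificate validity has been set. Neither can be checked here, because ssl_set_masks is defined elsewhere. A comment at the call would pin the ordering: `/* compute masks once, after cert validity is known; they no longer vary per cipher */`. ssl3_choose_cipher starts and ends outside both hunks.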
@@ -4164,7 +3806,6 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, if ((c->algorithm_ssl & SSL_TLSV1) && s->version == SSL3_VERSION) continue; - ssl_set_masks(s, c); mask_k = s->s3->tmp.mask_k; mask_a = s->s3->tmp.mask_a; #ifndef OPENSSL_NO_SRP