X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fs3_lib.c;h=ef65050cc4f617409e5c01c1d309ce8a9fa7cf7c;hp=292fb1b3cc059228a3de5eaf5f3ea3b89903c639;hb=580731aff3fc9855ea93ea734bd924febea027c3;hpb=f8e0a5573820bd7318782d4954c6643ff7e58102 diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 292fb1b3cc..ef65050cc4 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -1,4 +1,3 @@ -/* ssl/s3_lib.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -152,18 +151,23 @@ #include #include "ssl_locl.h" #include -#ifndef OPENSSL_NO_DH -# include -#endif +#include #include #define SSL3_NUM_CIPHERS OSSL_NELEM(ssl3_ciphers) -/* list of available SSLv3 ciphers (sorted by id) */ -OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { - -/* The RSA ciphers */ -/* Cipher 01 */ +/* + * The list of available ciphers, organized into the following + * groups: + * Always there + * EC + * PSK + * SRP (within that: RSA EC PSK) + * Cipher families: Chacha/poly, Camellila, Gost, IDEA, SEED + * Weak ciphers + */ +static SSL_CIPHER ssl3_ciphers[] = +{ { 1, SSL3_TXT_RSA_NULL_MD5, @@ -172,14 +176,13 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_eNULL, SSL_MD5, - SSL_SSLV3, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_STRONG_NONE, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 0, 0, }, - -/* Cipher 02 */ { 1, SSL3_TXT_RSA_NULL_SHA, @@ -188,1110 +191,1098 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_eNULL, SSL_SHA1, - SSL_SSLV3, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 0, 0, }, - -/* Cipher 03 */ { 1, - SSL3_TXT_RSA_RC4_40_MD5, - SSL3_CK_RSA_RC4_40_MD5, + SSL3_TXT_RSA_DES_192_CBC3_SHA, + SSL3_CK_RSA_DES_192_CBC3_SHA, SSL_kRSA, SSL_aRSA, - SSL_RC4, - SSL_MD5, - SSL_SSLV3, - SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40, + SSL_3DES, + SSL_SHA1, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 40, - 128, + 112, + 168, }, - -/* Cipher 04 */ { 1, - SSL3_TXT_RSA_RC4_128_MD5, - SSL3_CK_RSA_RC4_128_MD5, - SSL_kRSA, - SSL_aRSA, - SSL_RC4, - SSL_MD5, - SSL_SSLV3, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM, + SSL3_TXT_DHE_DSS_DES_192_CBC3_SHA, + SSL3_CK_DHE_DSS_DES_192_CBC3_SHA, + SSL_kDHE, + SSL_aDSS, + SSL_3DES, + SSL_SHA1, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, + 112, + 168, }, - -/* Cipher 05 */ { 1, - SSL3_TXT_RSA_RC4_128_SHA, - SSL3_CK_RSA_RC4_128_SHA, - SSL_kRSA, + SSL3_TXT_DHE_RSA_DES_192_CBC3_SHA, + SSL3_CK_DHE_RSA_DES_192_CBC3_SHA, + SSL_kDHE, SSL_aRSA, - SSL_RC4, + SSL_3DES, SSL_SHA1, - SSL_SSLV3, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, + 112, + 168, }, - -/* Cipher 06 */ { 1, - SSL3_TXT_RSA_RC2_40_MD5, - SSL3_CK_RSA_RC2_40_MD5, - SSL_kRSA, - SSL_aRSA, - SSL_RC2, - SSL_MD5, - SSL_SSLV3, - SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40, + SSL3_TXT_ADH_DES_192_CBC_SHA, + SSL3_CK_ADH_DES_192_CBC_SHA, + SSL_kDHE, + SSL_aNULL, + SSL_3DES, + SSL_SHA1, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 40, - 128, + 112, + 168, }, - -/* Cipher 07 */ -#ifndef OPENSSL_NO_IDEA { 1, - SSL3_TXT_RSA_IDEA_128_SHA, - SSL3_CK_RSA_IDEA_128_SHA, + TLS1_TXT_RSA_WITH_AES_128_SHA, + TLS1_CK_RSA_WITH_AES_128_SHA, SSL_kRSA, SSL_aRSA, - SSL_IDEA, + SSL_AES128, SSL_SHA1, - SSL_SSLV3, - SSL_NOT_EXP | SSL_MEDIUM, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, -#endif - -/* Cipher 08 */ { 1, - SSL3_TXT_RSA_DES_40_CBC_SHA, - SSL3_CK_RSA_DES_40_CBC_SHA, - SSL_kRSA, - SSL_aRSA, - SSL_DES, + TLS1_TXT_DHE_DSS_WITH_AES_128_SHA, + TLS1_CK_DHE_DSS_WITH_AES_128_SHA, + SSL_kDHE, + SSL_aDSS, + SSL_AES128, SSL_SHA1, - SSL_SSLV3, - SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 40, - 56, + 128, + 128, }, - -/* Cipher 09 */ { 1, - SSL3_TXT_RSA_DES_64_CBC_SHA, - SSL3_CK_RSA_DES_64_CBC_SHA, - SSL_kRSA, + TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, + TLS1_CK_DHE_RSA_WITH_AES_128_SHA, + SSL_kDHE, SSL_aRSA, - SSL_DES, + SSL_AES128, SSL_SHA1, - SSL_SSLV3, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 56, - 56, + 128, + 128, }, - -/* Cipher 0A */ { 1, - SSL3_TXT_RSA_DES_192_CBC3_SHA, - SSL3_CK_RSA_DES_192_CBC3_SHA, - SSL_kRSA, - SSL_aRSA, - SSL_3DES, - SSL_SHA1, - SSL_SSLV3, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 112, - 168, - }, - -/* The DH ciphers */ -/* Cipher 0B */ - { - 0, - SSL3_TXT_DH_DSS_DES_40_CBC_SHA, - SSL3_CK_DH_DSS_DES_40_CBC_SHA, - SSL_kDHd, - SSL_aDH, - SSL_DES, + TLS1_TXT_ADH_WITH_AES_128_SHA, + TLS1_CK_ADH_WITH_AES_128_SHA, + SSL_kDHE, + SSL_aNULL, + SSL_AES128, SSL_SHA1, - SSL_SSLV3, - SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 40, - 56, + 128, + 128, }, - -/* Cipher 0C */ { 1, - SSL3_TXT_DH_DSS_DES_64_CBC_SHA, - SSL3_CK_DH_DSS_DES_64_CBC_SHA, - SSL_kDHd, - SSL_aDH, - SSL_DES, + TLS1_TXT_RSA_WITH_AES_256_SHA, + TLS1_CK_RSA_WITH_AES_256_SHA, + SSL_kRSA, + SSL_aRSA, + SSL_AES256, SSL_SHA1, - SSL_SSLV3, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 56, - 56, + 256, + 256, }, - -/* Cipher 0D */ { 1, - SSL3_TXT_DH_DSS_DES_192_CBC3_SHA, - SSL3_CK_DH_DSS_DES_192_CBC3_SHA, - SSL_kDHd, - SSL_aDH, - SSL_3DES, + TLS1_TXT_DHE_DSS_WITH_AES_256_SHA, + TLS1_CK_DHE_DSS_WITH_AES_256_SHA, + SSL_kDHE, + SSL_aDSS, + SSL_AES256, SSL_SHA1, - SSL_SSLV3, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 112, - 168, + 256, + 256, }, - -/* Cipher 0E */ { - 0, - SSL3_TXT_DH_RSA_DES_40_CBC_SHA, - SSL3_CK_DH_RSA_DES_40_CBC_SHA, - SSL_kDHr, - SSL_aDH, - SSL_DES, + 1, + TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, + TLS1_CK_DHE_RSA_WITH_AES_256_SHA, + SSL_kDHE, + SSL_aRSA, + SSL_AES256, SSL_SHA1, - SSL_SSLV3, - SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 40, - 56, + 256, + 256, }, - -/* Cipher 0F */ { 1, - SSL3_TXT_DH_RSA_DES_64_CBC_SHA, - SSL3_CK_DH_RSA_DES_64_CBC_SHA, - SSL_kDHr, - SSL_aDH, - SSL_DES, + TLS1_TXT_ADH_WITH_AES_256_SHA, + TLS1_CK_ADH_WITH_AES_256_SHA, + SSL_kDHE, + SSL_aNULL, + SSL_AES256, SSL_SHA1, - SSL_SSLV3, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 56, - 56, + 256, + 256, }, - -/* Cipher 10 */ { 1, - SSL3_TXT_DH_RSA_DES_192_CBC3_SHA, - SSL3_CK_DH_RSA_DES_192_CBC3_SHA, - SSL_kDHr, - SSL_aDH, - SSL_3DES, - SSL_SHA1, - SSL_SSLV3, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, + TLS1_TXT_RSA_WITH_NULL_SHA256, + TLS1_CK_RSA_WITH_NULL_SHA256, + SSL_kRSA, + SSL_aRSA, + SSL_eNULL, + SSL_SHA256, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 112, - 168, + 0, + 0, }, - -/* The Ephemeral DH ciphers */ -/* Cipher 11 */ { 1, - SSL3_TXT_DHE_DSS_DES_40_CBC_SHA, - SSL3_CK_DHE_DSS_DES_40_CBC_SHA, - SSL_kDHE, - SSL_aDSS, - SSL_DES, - SSL_SHA1, - SSL_SSLV3, - SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40, + TLS1_TXT_RSA_WITH_AES_128_SHA256, + TLS1_CK_RSA_WITH_AES_128_SHA256, + SSL_kRSA, + SSL_aRSA, + SSL_AES128, + SSL_SHA256, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 40, - 56, + 128, + 128, }, - -/* Cipher 12 */ { 1, - SSL3_TXT_DHE_DSS_DES_64_CBC_SHA, - SSL3_CK_DHE_DSS_DES_64_CBC_SHA, - SSL_kDHE, - SSL_aDSS, - SSL_DES, - SSL_SHA1, - SSL_SSLV3, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW, + TLS1_TXT_RSA_WITH_AES_256_SHA256, + TLS1_CK_RSA_WITH_AES_256_SHA256, + SSL_kRSA, + SSL_aRSA, + SSL_AES256, + SSL_SHA256, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 56, - 56, + 256, + 256, }, - -/* Cipher 13 */ { 1, - SSL3_TXT_DHE_DSS_DES_192_CBC3_SHA, - SSL3_CK_DHE_DSS_DES_192_CBC3_SHA, + TLS1_TXT_DHE_DSS_WITH_AES_128_SHA256, + TLS1_CK_DHE_DSS_WITH_AES_128_SHA256, SSL_kDHE, SSL_aDSS, - SSL_3DES, - SSL_SHA1, - SSL_SSLV3, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, + SSL_AES128, + SSL_SHA256, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 112, - 168, + 128, + 128, }, - -/* Cipher 14 */ { 1, - SSL3_TXT_DHE_RSA_DES_40_CBC_SHA, - SSL3_CK_DHE_RSA_DES_40_CBC_SHA, + TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256, + TLS1_CK_DHE_RSA_WITH_AES_128_SHA256, SSL_kDHE, SSL_aRSA, - SSL_DES, - SSL_SHA1, - SSL_SSLV3, - SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40, + SSL_AES128, + SSL_SHA256, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 40, - 56, + 128, + 128, }, - -/* Cipher 15 */ { 1, - SSL3_TXT_DHE_RSA_DES_64_CBC_SHA, - SSL3_CK_DHE_RSA_DES_64_CBC_SHA, + TLS1_TXT_DHE_DSS_WITH_AES_256_SHA256, + TLS1_CK_DHE_DSS_WITH_AES_256_SHA256, SSL_kDHE, - SSL_aRSA, - SSL_DES, - SSL_SHA1, - SSL_SSLV3, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW, + SSL_aDSS, + SSL_AES256, + SSL_SHA256, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 56, - 56, + 256, + 256, }, - -/* Cipher 16 */ { 1, - SSL3_TXT_DHE_RSA_DES_192_CBC3_SHA, - SSL3_CK_DHE_RSA_DES_192_CBC3_SHA, + TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256, + TLS1_CK_DHE_RSA_WITH_AES_256_SHA256, SSL_kDHE, SSL_aRSA, - SSL_3DES, - SSL_SHA1, - SSL_SSLV3, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, + SSL_AES256, + SSL_SHA256, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 112, - 168, + 256, + 256, }, - -/* Cipher 17 */ { 1, - SSL3_TXT_ADH_RC4_40_MD5, - SSL3_CK_ADH_RC4_40_MD5, + TLS1_TXT_ADH_WITH_AES_128_SHA256, + TLS1_CK_ADH_WITH_AES_128_SHA256, SSL_kDHE, SSL_aNULL, - SSL_RC4, - SSL_MD5, - SSL_SSLV3, - SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40, + SSL_AES128, + SSL_SHA256, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 40, + 128, 128, }, - -/* Cipher 18 */ { 1, - SSL3_TXT_ADH_RC4_128_MD5, - SSL3_CK_ADH_RC4_128_MD5, + TLS1_TXT_ADH_WITH_AES_256_SHA256, + TLS1_CK_ADH_WITH_AES_256_SHA256, SSL_kDHE, SSL_aNULL, - SSL_RC4, - SSL_MD5, - SSL_SSLV3, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM, + SSL_AES256, + SSL_SHA256, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 256, + 256, + }, + { + 1, + TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256, + TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, + SSL_kRSA, + SSL_aRSA, + SSL_AES128GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, }, - -/* Cipher 19 */ { 1, - SSL3_TXT_ADH_DES_40_CBC_SHA, - SSL3_CK_ADH_DES_40_CBC_SHA, + TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384, + TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, + SSL_kRSA, + SSL_aRSA, + SSL_AES256GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, + 256, + 256, + }, + { + 1, + TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256, + TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_kDHE, - SSL_aNULL, - SSL_DES, - SSL_SHA1, - SSL_SSLV3, - SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 40, + SSL_aRSA, + SSL_AES128GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, 128, }, - -/* Cipher 1A */ { 1, - SSL3_TXT_ADH_DES_64_CBC_SHA, - SSL3_CK_ADH_DES_64_CBC_SHA, + TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384, + TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_kDHE, - SSL_aNULL, - SSL_DES, - SSL_SHA1, - SSL_SSLV3, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 56, - 56, + SSL_aRSA, + SSL_AES256GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, + 256, + 256, }, - -/* Cipher 1B */ { 1, - SSL3_TXT_ADH_DES_192_CBC_SHA, - SSL3_CK_ADH_DES_192_CBC_SHA, + TLS1_TXT_DHE_DSS_WITH_AES_128_GCM_SHA256, + TLS1_CK_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_kDHE, - SSL_aNULL, - SSL_3DES, - SSL_SHA1, - SSL_SSLV3, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 112, - 168, + SSL_aDSS, + SSL_AES128GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, + 128, }, -#ifndef OPENSSL_NO_PSK - /* Cipher 2C */ { 1, - TLS1_TXT_PSK_WITH_NULL_SHA, - TLS1_CK_PSK_WITH_NULL_SHA, - SSL_kPSK, - SSL_aPSK, - SSL_eNULL, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 0, - 0, + TLS1_TXT_DHE_DSS_WITH_AES_256_GCM_SHA384, + TLS1_CK_DHE_DSS_WITH_AES_256_GCM_SHA384, + SSL_kDHE, + SSL_aDSS, + SSL_AES256GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, + 256, + 256, }, - /* Cipher 2D */ { 1, - TLS1_TXT_DHE_PSK_WITH_NULL_SHA, - TLS1_CK_DHE_PSK_WITH_NULL_SHA, - SSL_kDHEPSK, - SSL_aPSK, - SSL_eNULL, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 0, - 0, + TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256, + TLS1_CK_ADH_WITH_AES_128_GCM_SHA256, + SSL_kDHE, + SSL_aNULL, + SSL_AES128GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, + 128, }, - /* Cipher 2E */ { 1, - TLS1_TXT_RSA_PSK_WITH_NULL_SHA, - TLS1_CK_RSA_PSK_WITH_NULL_SHA, - SSL_kRSAPSK, - SSL_aRSA, - SSL_eNULL, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 0, - 0, + TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384, + TLS1_CK_ADH_WITH_AES_256_GCM_SHA384, + SSL_kDHE, + SSL_aNULL, + SSL_AES256GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, + 256, + 256, }, -#endif - -/* New AES ciphersuites */ -/* Cipher 2F */ { 1, - TLS1_TXT_RSA_WITH_AES_128_SHA, - TLS1_CK_RSA_WITH_AES_128_SHA, + TLS1_TXT_RSA_WITH_AES_128_CCM, + TLS1_CK_RSA_WITH_AES_128_CCM, SSL_kRSA, SSL_aRSA, - SSL_AES128, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, - }, -/* Cipher 30 */ - { - 1, - TLS1_TXT_DH_DSS_WITH_AES_128_SHA, - TLS1_CK_DH_DSS_WITH_AES_128_SHA, - SSL_kDHd, - SSL_aDH, - SSL_AES128, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + SSL_AES128CCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, }, -/* Cipher 31 */ { 1, - TLS1_TXT_DH_RSA_WITH_AES_128_SHA, - TLS1_CK_DH_RSA_WITH_AES_128_SHA, - SSL_kDHr, - SSL_aDH, - SSL_AES128, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, + TLS1_TXT_RSA_WITH_AES_256_CCM, + TLS1_CK_RSA_WITH_AES_256_CCM, + SSL_kRSA, + SSL_aRSA, + SSL_AES256CCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 256, + 256, }, -/* Cipher 32 */ { 1, - TLS1_TXT_DHE_DSS_WITH_AES_128_SHA, - TLS1_CK_DHE_DSS_WITH_AES_128_SHA, + TLS1_TXT_DHE_RSA_WITH_AES_128_CCM, + TLS1_CK_DHE_RSA_WITH_AES_128_CCM, SSL_kDHE, - SSL_aDSS, - SSL_AES128, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + SSL_aRSA, + SSL_AES128CCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, }, -/* Cipher 33 */ { 1, - TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, - TLS1_CK_DHE_RSA_WITH_AES_128_SHA, + TLS1_TXT_DHE_RSA_WITH_AES_256_CCM, + TLS1_CK_DHE_RSA_WITH_AES_256_CCM, SSL_kDHE, SSL_aRSA, - SSL_AES128, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, + SSL_AES256CCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 256, + 256, }, -/* Cipher 34 */ { 1, - TLS1_TXT_ADH_WITH_AES_128_SHA, - TLS1_CK_ADH_WITH_AES_128_SHA, - SSL_kDHE, - SSL_aNULL, - SSL_AES128, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + TLS1_TXT_RSA_WITH_AES_128_CCM_8, + TLS1_CK_RSA_WITH_AES_128_CCM_8, + SSL_kRSA, + SSL_aRSA, + SSL_AES128CCM8, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, }, - -/* Cipher 35 */ { 1, - TLS1_TXT_RSA_WITH_AES_256_SHA, - TLS1_CK_RSA_WITH_AES_256_SHA, + TLS1_TXT_RSA_WITH_AES_256_CCM_8, + TLS1_CK_RSA_WITH_AES_256_CCM_8, SSL_kRSA, SSL_aRSA, - SSL_AES256, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + SSL_AES256CCM8, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, }, -/* Cipher 36 */ { 1, - TLS1_TXT_DH_DSS_WITH_AES_256_SHA, - TLS1_CK_DH_DSS_WITH_AES_256_SHA, - SSL_kDHd, - SSL_aDH, - SSL_AES256, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 256, - 256, + TLS1_TXT_DHE_RSA_WITH_AES_128_CCM_8, + TLS1_CK_DHE_RSA_WITH_AES_128_CCM_8, + SSL_kDHE, + SSL_aRSA, + SSL_AES128CCM8, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, + 128, }, - -/* Cipher 37 */ { 1, - TLS1_TXT_DH_RSA_WITH_AES_256_SHA, - TLS1_CK_DH_RSA_WITH_AES_256_SHA, - SSL_kDHr, - SSL_aDH, - SSL_AES256, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + TLS1_TXT_DHE_RSA_WITH_AES_256_CCM_8, + TLS1_CK_DHE_RSA_WITH_AES_256_CCM_8, + SSL_kDHE, + SSL_aRSA, + SSL_AES256CCM8, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, }, - -/* Cipher 38 */ { 1, - TLS1_TXT_DHE_DSS_WITH_AES_256_SHA, - TLS1_CK_DHE_DSS_WITH_AES_256_SHA, - SSL_kDHE, - SSL_aDSS, - SSL_AES256, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 256, - 256, + TLS1_TXT_PSK_WITH_AES_128_CCM, + TLS1_CK_PSK_WITH_AES_128_CCM, + SSL_kPSK, + SSL_aPSK, + SSL_AES128CCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, + 128, }, - -/* Cipher 39 */ { 1, - TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, - TLS1_CK_DHE_RSA_WITH_AES_256_SHA, - SSL_kDHE, - SSL_aRSA, - SSL_AES256, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + TLS1_TXT_PSK_WITH_AES_256_CCM, + TLS1_CK_PSK_WITH_AES_256_CCM, + SSL_kPSK, + SSL_aPSK, + SSL_AES256CCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, }, - - /* Cipher 3A */ { 1, - TLS1_TXT_ADH_WITH_AES_256_SHA, - TLS1_CK_ADH_WITH_AES_256_SHA, - SSL_kDHE, - SSL_aNULL, - SSL_AES256, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 256, - 256, + TLS1_TXT_DHE_PSK_WITH_AES_128_CCM, + TLS1_CK_DHE_PSK_WITH_AES_128_CCM, + SSL_kDHEPSK, + SSL_aPSK, + SSL_AES128CCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, + 128, }, - - /* TLS v1.2 ciphersuites */ - /* Cipher 3B */ { 1, - TLS1_TXT_RSA_WITH_NULL_SHA256, - TLS1_CK_RSA_WITH_NULL_SHA256, - SSL_kRSA, - SSL_aRSA, - SSL_eNULL, - SSL_SHA256, - SSL_TLSV1_2, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 0, - 0, + TLS1_TXT_DHE_PSK_WITH_AES_256_CCM, + TLS1_CK_DHE_PSK_WITH_AES_256_CCM, + SSL_kDHEPSK, + SSL_aPSK, + SSL_AES256CCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 256, + 256, }, - - /* Cipher 3C */ { 1, - TLS1_TXT_RSA_WITH_AES_128_SHA256, - TLS1_CK_RSA_WITH_AES_128_SHA256, - SSL_kRSA, - SSL_aRSA, - SSL_AES128, - SSL_SHA256, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + TLS1_TXT_PSK_WITH_AES_128_CCM_8, + TLS1_CK_PSK_WITH_AES_128_CCM_8, + SSL_kPSK, + SSL_aPSK, + SSL_AES128CCM8, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, }, - - /* Cipher 3D */ { 1, - TLS1_TXT_RSA_WITH_AES_256_SHA256, - TLS1_CK_RSA_WITH_AES_256_SHA256, - SSL_kRSA, - SSL_aRSA, - SSL_AES256, - SSL_SHA256, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + TLS1_TXT_PSK_WITH_AES_256_CCM_8, + TLS1_CK_PSK_WITH_AES_256_CCM_8, + SSL_kPSK, + SSL_aPSK, + SSL_AES256CCM8, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, }, - - /* Cipher 3E */ { 1, - TLS1_TXT_DH_DSS_WITH_AES_128_SHA256, - TLS1_CK_DH_DSS_WITH_AES_128_SHA256, - SSL_kDHd, - SSL_aDH, - SSL_AES128, - SSL_SHA256, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + TLS1_TXT_DHE_PSK_WITH_AES_128_CCM_8, + TLS1_CK_DHE_PSK_WITH_AES_128_CCM_8, + SSL_kDHEPSK, + SSL_aPSK, + SSL_AES128CCM8, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, }, - - /* Cipher 3F */ { 1, - TLS1_TXT_DH_RSA_WITH_AES_128_SHA256, - TLS1_CK_DH_RSA_WITH_AES_128_SHA256, - SSL_kDHr, - SSL_aDH, - SSL_AES128, - SSL_SHA256, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + TLS1_TXT_DHE_PSK_WITH_AES_256_CCM_8, + TLS1_CK_DHE_PSK_WITH_AES_256_CCM_8, + SSL_kDHEPSK, + SSL_aPSK, + SSL_AES256CCM8, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 256, + 256, + }, + { + 1, + TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM, + TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CCM, + SSL_kECDHE, + SSL_aECDSA, + SSL_AES128CCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, }, - - /* Cipher 40 */ { 1, - TLS1_TXT_DHE_DSS_WITH_AES_128_SHA256, - TLS1_CK_DHE_DSS_WITH_AES_128_SHA256, - SSL_kDHE, - SSL_aDSS, - SSL_AES128, - SSL_SHA256, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CCM, + TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CCM, + SSL_kECDHE, + SSL_aECDSA, + SSL_AES256CCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 256, + 256, + }, + { + 1, + TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM_8, + TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CCM_8, + SSL_kECDHE, + SSL_aECDSA, + SSL_AES128CCM8, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, }, + { + 1, + TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CCM_8, + TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CCM_8, + SSL_kECDHE, + SSL_aECDSA, + SSL_AES256CCM8, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 256, + 256, + }, -#ifndef OPENSSL_NO_CAMELLIA - /* Camellia ciphersuites from RFC4132 (128-bit portion) */ - - /* Cipher 41 */ +#ifndef OPENSSL_NO_EC { 1, - TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA, - TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA, - SSL_kRSA, - SSL_aRSA, - SSL_CAMELLIA128, + TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA, + TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA, + SSL_kECDHE, + SSL_aECDSA, + SSL_eNULL, SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, + 0, + 0, }, - - /* Cipher 42 */ { 1, - TLS1_TXT_DH_DSS_WITH_CAMELLIA_128_CBC_SHA, - TLS1_CK_DH_DSS_WITH_CAMELLIA_128_CBC_SHA, - SSL_kDHd, - SSL_aDH, - SSL_CAMELLIA128, + TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, + TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, + SSL_kECDHE, + SSL_aECDSA, + SSL_3DES, SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, + 112, + 168, }, - - /* Cipher 43 */ { 1, - TLS1_TXT_DH_RSA_WITH_CAMELLIA_128_CBC_SHA, - TLS1_CK_DH_RSA_WITH_CAMELLIA_128_CBC_SHA, - SSL_kDHr, - SSL_aDH, - SSL_CAMELLIA128, + TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + SSL_kECDHE, + SSL_aECDSA, + SSL_AES128, SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, - - /* Cipher 44 */ { 1, - TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, - TLS1_CK_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, - SSL_kDHE, - SSL_aDSS, - SSL_CAMELLIA128, + TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + SSL_kECDHE, + SSL_aECDSA, + SSL_AES256, SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, + 256, + 256, }, - - /* Cipher 45 */ { 1, - TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, - TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, - SSL_kDHE, + TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA, + TLS1_CK_ECDHE_RSA_WITH_NULL_SHA, + SSL_kECDHE, SSL_aRSA, - SSL_CAMELLIA128, + SSL_eNULL, SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, + 0, + 0, }, - - /* Cipher 46 */ { 1, - TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA, - TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA, - SSL_kDHE, - SSL_aNULL, - SSL_CAMELLIA128, + TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA, + TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA, + SSL_kECDHE, + SSL_aRSA, + SSL_3DES, SSL_SHA1, - SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, + 112, + 168, }, -#endif /* OPENSSL_NO_CAMELLIA */ - - /* TLS v1.2 ciphersuites */ - /* Cipher 67 */ { 1, - TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256, - TLS1_CK_DHE_RSA_WITH_AES_128_SHA256, - SSL_kDHE, + TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA, + TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, + SSL_kECDHE, SSL_aRSA, SSL_AES128, - SSL_SHA256, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, + SSL_SHA1, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, - - /* Cipher 68 */ { 1, - TLS1_TXT_DH_DSS_WITH_AES_256_SHA256, - TLS1_CK_DH_DSS_WITH_AES_256_SHA256, - SSL_kDHd, - SSL_aDH, + TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA, + TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, + SSL_kECDHE, + SSL_aRSA, SSL_AES256, - SSL_SHA256, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, + SSL_SHA1, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, }, - - /* Cipher 69 */ { 1, - TLS1_TXT_DH_RSA_WITH_AES_256_SHA256, - TLS1_CK_DH_RSA_WITH_AES_256_SHA256, - SSL_kDHr, - SSL_aDH, - SSL_AES256, - SSL_SHA256, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, + TLS1_TXT_ECDH_anon_WITH_NULL_SHA, + TLS1_CK_ECDH_anon_WITH_NULL_SHA, + SSL_kECDHE, + SSL_aNULL, + SSL_eNULL, + SSL_SHA1, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 256, - 256, + 0, + 0, }, - - /* Cipher 6A */ { 1, - TLS1_TXT_DHE_DSS_WITH_AES_256_SHA256, - TLS1_CK_DHE_DSS_WITH_AES_256_SHA256, - SSL_kDHE, - SSL_aDSS, - SSL_AES256, - SSL_SHA256, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, + TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA, + TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA, + SSL_kECDHE, + SSL_aNULL, + SSL_3DES, + SSL_SHA1, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 256, - 256, + 112, + 168, }, - - /* Cipher 6B */ { 1, - TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256, - TLS1_CK_DHE_RSA_WITH_AES_256_SHA256, - SSL_kDHE, - SSL_aRSA, + TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA, + TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA, + SSL_kECDHE, + SSL_aNULL, + SSL_AES128, + SSL_SHA1, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 128, + 128, + }, + { + 1, + TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA, + TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA, + SSL_kECDHE, + SSL_aNULL, SSL_AES256, - SSL_SHA256, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, + SSL_SHA1, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, }, - - /* Cipher 6C */ { 1, - TLS1_TXT_ADH_WITH_AES_128_SHA256, - TLS1_CK_ADH_WITH_AES_128_SHA256, - SSL_kDHE, - SSL_aNULL, + TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256, + TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256, + SSL_kECDHE, + SSL_aECDSA, SSL_AES128, SSL_SHA256, - SSL_TLSV1_2, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, }, - - /* Cipher 6D */ { 1, - TLS1_TXT_ADH_WITH_AES_256_SHA256, - TLS1_CK_ADH_WITH_AES_256_SHA256, - SSL_kDHE, - SSL_aNULL, + TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384, + TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384, + SSL_kECDHE, + SSL_aECDSA, SSL_AES256, - SSL_SHA256, - SSL_TLSV1_2, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + SSL_SHA384, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, 256, }, - - /* GOST Ciphersuites */ - - { - 1, - "GOST2001-GOST89-GOST89", - 0x3000081, - SSL_kGOST, - SSL_aGOST01, - SSL_eGOST2814789CNT, - SSL_GOST89MAC, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94 | TLS1_STREAM_MAC, - 256, - 256 - }, { 1, - "GOST2001-NULL-GOST94", - 0x3000083, - SSL_kGOST, - SSL_aGOST01, - SSL_eNULL, - SSL_GOST94, - SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE, - SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94, - 0, - 0 - }, - -#ifndef OPENSSL_NO_CAMELLIA - /* Camellia ciphersuites from RFC4132 (256-bit portion) */ - - /* Cipher 84 */ + TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256, + TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, + SSL_kECDHE, + SSL_aRSA, + SSL_AES128, + SSL_SHA256, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, + 128, + }, { 1, - TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA, - TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA, - SSL_kRSA, + TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384, + TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, + SSL_kECDHE, SSL_aRSA, - SSL_CAMELLIA256, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + SSL_AES256, + SSL_SHA384, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, 256, }, - /* Cipher 85 */ { 1, - TLS1_TXT_DH_DSS_WITH_CAMELLIA_256_CBC_SHA, - TLS1_CK_DH_DSS_WITH_CAMELLIA_256_CBC_SHA, - SSL_kDHd, - SSL_aDH, - SSL_CAMELLIA256, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 256, - 256, + TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + SSL_kECDHE, + SSL_aECDSA, + SSL_AES128GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, + 128, }, - - /* Cipher 86 */ { 1, - TLS1_TXT_DH_RSA_WITH_CAMELLIA_256_CBC_SHA, - TLS1_CK_DH_RSA_WITH_CAMELLIA_256_CBC_SHA, - SSL_kDHr, - SSL_aDH, - SSL_CAMELLIA256, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + SSL_kECDHE, + SSL_aECDSA, + SSL_AES256GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, 256, }, - - /* Cipher 87 */ { 1, - TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, - TLS1_CK_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, - SSL_kDHE, - SSL_aDSS, - SSL_CAMELLIA256, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 256, - 256, + TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + SSL_kECDHE, + SSL_aRSA, + SSL_AES128GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, + 128, }, - - /* Cipher 88 */ { 1, - TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, - TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, - SSL_kDHE, + TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + SSL_kECDHE, SSL_aRSA, - SSL_CAMELLIA256, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + SSL_AES256GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, 256, }, +#endif /* OPENSSL_NO_EC */ - /* Cipher 89 */ +#ifndef OPENSSL_NO_PSK { 1, - TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA, - TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA, - SSL_kDHE, - SSL_aNULL, - SSL_CAMELLIA256, + TLS1_TXT_PSK_WITH_NULL_SHA, + TLS1_CK_PSK_WITH_NULL_SHA, + SSL_kPSK, + SSL_aPSK, + SSL_eNULL, SSL_SHA1, - SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 256, - 256, + 0, + 0, }, -#endif /* OPENSSL_NO_CAMELLIA */ - -#ifndef OPENSSL_NO_PSK - /* PSK ciphersuites from RFC 4279 */ - /* Cipher 8A */ { 1, - TLS1_TXT_PSK_WITH_RC4_128_SHA, - TLS1_CK_PSK_WITH_RC4_128_SHA, - SSL_kPSK, + TLS1_TXT_DHE_PSK_WITH_NULL_SHA, + TLS1_CK_DHE_PSK_WITH_NULL_SHA, + SSL_kDHEPSK, SSL_aPSK, - SSL_RC4, + SSL_eNULL, SSL_SHA1, - SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, + 0, + 0, + }, + { + 1, + TLS1_TXT_RSA_PSK_WITH_NULL_SHA, + TLS1_CK_RSA_PSK_WITH_NULL_SHA, + SSL_kRSAPSK, + SSL_aRSA, + SSL_eNULL, + SSL_SHA1, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_STRONG_NONE | SSL_FIPS, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 0, + 0, }, - - /* Cipher 8B */ { 1, TLS1_TXT_PSK_WITH_3DES_EDE_CBC_SHA, @@ -1300,14 +1291,13 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_3DES, SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, }, - - /* Cipher 8C */ { 1, TLS1_TXT_PSK_WITH_AES_128_CBC_SHA, @@ -1316,14 +1306,13 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_AES128, SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, - - /* Cipher 8D */ { 1, TLS1_TXT_PSK_WITH_AES_256_CBC_SHA, @@ -1332,30 +1321,13 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_AES256, SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, }, - - /* Cipher 8E */ - { - 1, - TLS1_TXT_DHE_PSK_WITH_RC4_128_SHA, - TLS1_CK_DHE_PSK_WITH_RC4_128_SHA, - SSL_kDHEPSK, - SSL_aPSK, - SSL_RC4, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, - }, - - /* Cipher 8F */ { 1, TLS1_TXT_DHE_PSK_WITH_3DES_EDE_CBC_SHA, @@ -1364,14 +1336,13 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_3DES, SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, }, - - /* Cipher 90 */ { 1, TLS1_TXT_DHE_PSK_WITH_AES_128_CBC_SHA, @@ -1380,14 +1351,13 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_AES128, SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, - - /* Cipher 91 */ { 1, TLS1_TXT_DHE_PSK_WITH_AES_256_CBC_SHA, @@ -1396,30 +1366,13 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_AES256, SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, }, - - /* Cipher 92 */ - { - 1, - TLS1_TXT_RSA_PSK_WITH_RC4_128_SHA, - TLS1_CK_RSA_PSK_WITH_RC4_128_SHA, - SSL_kRSAPSK, - SSL_aRSA, - SSL_RC4, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, - }, - - /* Cipher 93 */ { 1, TLS1_TXT_RSA_PSK_WITH_3DES_EDE_CBC_SHA, @@ -1428,14 +1381,13 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_3DES, SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, }, - - /* Cipher 94 */ { 1, TLS1_TXT_RSA_PSK_WITH_AES_128_CBC_SHA, @@ -1444,14 +1396,13 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES128, SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, - - /* Cipher 95 */ { 1, TLS1_TXT_RSA_PSK_WITH_AES_256_CBC_SHA, @@ -1460,1217 +1411,408 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES256, SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, }, -#endif /* OPENSSL_NO_PSK */ - -#ifndef OPENSSL_NO_SEED - /* SEED ciphersuites from RFC4162 */ - - /* Cipher 96 */ - { - 1, - TLS1_TXT_RSA_WITH_SEED_SHA, - TLS1_CK_RSA_WITH_SEED_SHA, - SSL_kRSA, - SSL_aRSA, - SSL_SEED, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_MEDIUM, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, - }, - - /* Cipher 97 */ - { - 1, - TLS1_TXT_DH_DSS_WITH_SEED_SHA, - TLS1_CK_DH_DSS_WITH_SEED_SHA, - SSL_kDHd, - SSL_aDH, - SSL_SEED, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_MEDIUM, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, - }, - - /* Cipher 98 */ - { - 1, - TLS1_TXT_DH_RSA_WITH_SEED_SHA, - TLS1_CK_DH_RSA_WITH_SEED_SHA, - SSL_kDHr, - SSL_aDH, - SSL_SEED, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_MEDIUM, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, - }, - - /* Cipher 99 */ - { - 1, - TLS1_TXT_DHE_DSS_WITH_SEED_SHA, - TLS1_CK_DHE_DSS_WITH_SEED_SHA, - SSL_kDHE, - SSL_aDSS, - SSL_SEED, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_MEDIUM, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, - }, - - /* Cipher 9A */ - { - 1, - TLS1_TXT_DHE_RSA_WITH_SEED_SHA, - TLS1_CK_DHE_RSA_WITH_SEED_SHA, - SSL_kDHE, - SSL_aRSA, - SSL_SEED, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_MEDIUM, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, - }, - - /* Cipher 9B */ - { - 1, - TLS1_TXT_ADH_WITH_SEED_SHA, - TLS1_CK_ADH_WITH_SEED_SHA, - SSL_kDHE, - SSL_aNULL, - SSL_SEED, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, - }, - -#endif /* OPENSSL_NO_SEED */ - - /* GCM ciphersuites from RFC5288 */ - - /* Cipher 9C */ - { - 1, - TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256, - TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, - SSL_kRSA, - SSL_aRSA, - SSL_AES128GCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 128, - 128, - }, - - /* Cipher 9D */ - { - 1, - TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384, - TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, - SSL_kRSA, - SSL_aRSA, - SSL_AES256GCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, - 256, - 256, - }, - - /* Cipher 9E */ - { - 1, - TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256, - TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256, - SSL_kDHE, - SSL_aRSA, - SSL_AES128GCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 128, - 128, - }, - - /* Cipher 9F */ - { - 1, - TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384, - TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384, - SSL_kDHE, - SSL_aRSA, - SSL_AES256GCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, - 256, - 256, - }, - - /* Cipher A0 */ - { - 1, - TLS1_TXT_DH_RSA_WITH_AES_128_GCM_SHA256, - TLS1_CK_DH_RSA_WITH_AES_128_GCM_SHA256, - SSL_kDHr, - SSL_aDH, - SSL_AES128GCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 128, - 128, - }, - - /* Cipher A1 */ - { - 1, - TLS1_TXT_DH_RSA_WITH_AES_256_GCM_SHA384, - TLS1_CK_DH_RSA_WITH_AES_256_GCM_SHA384, - SSL_kDHr, - SSL_aDH, - SSL_AES256GCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, - 256, - 256, - }, - - /* Cipher A2 */ - { - 1, - TLS1_TXT_DHE_DSS_WITH_AES_128_GCM_SHA256, - TLS1_CK_DHE_DSS_WITH_AES_128_GCM_SHA256, - SSL_kDHE, - SSL_aDSS, - SSL_AES128GCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 128, - 128, - }, - - /* Cipher A3 */ - { - 1, - TLS1_TXT_DHE_DSS_WITH_AES_256_GCM_SHA384, - TLS1_CK_DHE_DSS_WITH_AES_256_GCM_SHA384, - SSL_kDHE, - SSL_aDSS, - SSL_AES256GCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, - 256, - 256, - }, - - /* Cipher A4 */ - { - 1, - TLS1_TXT_DH_DSS_WITH_AES_128_GCM_SHA256, - TLS1_CK_DH_DSS_WITH_AES_128_GCM_SHA256, - SSL_kDHd, - SSL_aDH, - SSL_AES128GCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 128, - 128, - }, - - /* Cipher A5 */ - { - 1, - TLS1_TXT_DH_DSS_WITH_AES_256_GCM_SHA384, - TLS1_CK_DH_DSS_WITH_AES_256_GCM_SHA384, - SSL_kDHd, - SSL_aDH, - SSL_AES256GCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, - 256, - 256, - }, - - /* Cipher A6 */ - { - 1, - TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256, - TLS1_CK_ADH_WITH_AES_128_GCM_SHA256, - SSL_kDHE, - SSL_aNULL, - SSL_AES128GCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 128, - 128, - }, - - /* Cipher A7 */ - { - 1, - TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384, - TLS1_CK_ADH_WITH_AES_256_GCM_SHA384, - SSL_kDHE, - SSL_aNULL, - SSL_AES256GCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, - 256, - 256, - }, -#ifndef OPENSSL_NO_PSK - /* PSK ciphersuites from RFC5487 */ - - /* Cipher A8 */ - { - 1, - TLS1_TXT_PSK_WITH_AES_128_GCM_SHA256, - TLS1_CK_PSK_WITH_AES_128_GCM_SHA256, - SSL_kPSK, - SSL_aPSK, - SSL_AES128GCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 128, - 128, - }, - - /* Cipher A9 */ - { - 1, - TLS1_TXT_PSK_WITH_AES_256_GCM_SHA384, - TLS1_CK_PSK_WITH_AES_256_GCM_SHA384, - SSL_kPSK, - SSL_aPSK, - SSL_AES256GCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, - 256, - 256, - }, - - /* Cipher AA */ - { - 1, - TLS1_TXT_DHE_PSK_WITH_AES_128_GCM_SHA256, - TLS1_CK_DHE_PSK_WITH_AES_128_GCM_SHA256, - SSL_kDHEPSK, - SSL_aPSK, - SSL_AES128GCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 128, - 128, - }, - - /* Cipher AB */ - { - 1, - TLS1_TXT_DHE_PSK_WITH_AES_256_GCM_SHA384, - TLS1_CK_DHE_PSK_WITH_AES_256_GCM_SHA384, - SSL_kDHEPSK, - SSL_aPSK, - SSL_AES256GCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, - 256, - 256, - }, - - /* Cipher AC */ - { - 1, - TLS1_TXT_RSA_PSK_WITH_AES_128_GCM_SHA256, - TLS1_CK_RSA_PSK_WITH_AES_128_GCM_SHA256, - SSL_kRSAPSK, - SSL_aRSA, - SSL_AES128GCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 128, - 128, - }, - - /* Cipher AD */ - { - 1, - TLS1_TXT_RSA_PSK_WITH_AES_256_GCM_SHA384, - TLS1_CK_RSA_PSK_WITH_AES_256_GCM_SHA384, - SSL_kRSAPSK, - SSL_aRSA, - SSL_AES256GCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, - 256, - 256, - }, - - /* Cipher AE */ - { - 1, - TLS1_TXT_PSK_WITH_AES_128_CBC_SHA256, - TLS1_CK_PSK_WITH_AES_128_CBC_SHA256, - SSL_kPSK, - SSL_aPSK, - SSL_AES128, - SSL_SHA256, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, - }, - - /* Cipher AF */ - { - 1, - TLS1_TXT_PSK_WITH_AES_256_CBC_SHA384, - TLS1_CK_PSK_WITH_AES_256_CBC_SHA384, - SSL_kPSK, - SSL_aPSK, - SSL_AES256, - SSL_SHA384, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, - 256, - 256, - }, - - /* Cipher B0 */ - { - 1, - TLS1_TXT_PSK_WITH_NULL_SHA256, - TLS1_CK_PSK_WITH_NULL_SHA256, - SSL_kPSK, - SSL_aPSK, - SSL_eNULL, - SSL_SHA256, - SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 0, - 0, - }, - - /* Cipher B1 */ - { - 1, - TLS1_TXT_PSK_WITH_NULL_SHA384, - TLS1_CK_PSK_WITH_NULL_SHA384, - SSL_kPSK, - SSL_aPSK, - SSL_eNULL, - SSL_SHA384, - SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, - 0, - 0, - }, - - /* Cipher B2 */ - { - 1, - TLS1_TXT_DHE_PSK_WITH_AES_128_CBC_SHA256, - TLS1_CK_DHE_PSK_WITH_AES_128_CBC_SHA256, - SSL_kDHEPSK, - SSL_aPSK, - SSL_AES128, - SSL_SHA256, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, - }, - - /* Cipher B3 */ - { - 1, - TLS1_TXT_DHE_PSK_WITH_AES_256_CBC_SHA384, - TLS1_CK_DHE_PSK_WITH_AES_256_CBC_SHA384, - SSL_kDHEPSK, - SSL_aPSK, - SSL_AES256, - SSL_SHA384, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, - 256, - 256, - }, - - /* Cipher B4 */ - { - 1, - TLS1_TXT_DHE_PSK_WITH_NULL_SHA256, - TLS1_CK_DHE_PSK_WITH_NULL_SHA256, - SSL_kDHEPSK, - SSL_aPSK, - SSL_eNULL, - SSL_SHA256, - SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 0, - 0, - }, - - /* Cipher B5 */ - { - 1, - TLS1_TXT_DHE_PSK_WITH_NULL_SHA384, - TLS1_CK_DHE_PSK_WITH_NULL_SHA384, - SSL_kDHEPSK, - SSL_aPSK, - SSL_eNULL, - SSL_SHA384, - SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, - 0, - 0, - }, - - /* Cipher B6 */ - { - 1, - TLS1_TXT_RSA_PSK_WITH_AES_128_CBC_SHA256, - TLS1_CK_RSA_PSK_WITH_AES_128_CBC_SHA256, - SSL_kRSAPSK, - SSL_aRSA, - SSL_AES128, - SSL_SHA256, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, - }, - - /* Cipher B7 */ - { - 1, - TLS1_TXT_RSA_PSK_WITH_AES_256_CBC_SHA384, - TLS1_CK_RSA_PSK_WITH_AES_256_CBC_SHA384, - SSL_kRSAPSK, - SSL_aRSA, - SSL_AES256, - SSL_SHA384, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, - 256, - 256, - }, - - /* Cipher B8 */ - { - 1, - TLS1_TXT_RSA_PSK_WITH_NULL_SHA256, - TLS1_CK_RSA_PSK_WITH_NULL_SHA256, - SSL_kRSAPSK, - SSL_aRSA, - SSL_eNULL, - SSL_SHA256, - SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 0, - 0, - }, - - /* Cipher B9 */ - { - 1, - TLS1_TXT_RSA_PSK_WITH_NULL_SHA384, - TLS1_CK_RSA_PSK_WITH_NULL_SHA384, - SSL_kRSAPSK, - SSL_aRSA, - SSL_eNULL, - SSL_SHA384, - SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, - 0, - 0, - }, -#endif /* OPENSSL_NO_PSK */ - -#ifndef OPENSSL_NO_CAMELLIA - /* TLS 1.2 Camellia SHA-256 ciphersuites from RFC5932 */ - - /* Cipher BA */ - { - 1, - TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA256, - TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA256, - SSL_kRSA, - SSL_aRSA, - SSL_CAMELLIA128, - SSL_SHA256, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 128, - 128, - }, - - /* Cipher BB */ - { - 1, - TLS1_TXT_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256, - TLS1_CK_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256, - SSL_kDHd, - SSL_aDH, - SSL_CAMELLIA128, - SSL_SHA256, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 128, - 128, - }, - - /* Cipher BC */ - { - 1, - TLS1_TXT_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256, - TLS1_CK_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256, - SSL_kDHr, - SSL_aDH, - SSL_CAMELLIA128, - SSL_SHA256, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 128, - 128, - }, - - /* Cipher BD */ - { - 1, - TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256, - TLS1_CK_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256, - SSL_kEDH, - SSL_aDSS, - SSL_CAMELLIA128, - SSL_SHA256, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 128, - 128, - }, - - /* Cipher BE */ - { - 1, - TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, - TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, - SSL_kEDH, - SSL_aRSA, - SSL_CAMELLIA128, - SSL_SHA256, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 128, - 128, - }, - - /* Cipher BF */ - { - 1, - TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA256, - TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA256, - SSL_kEDH, - SSL_aNULL, - SSL_CAMELLIA128, - SSL_SHA256, - SSL_TLSV1_2, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 128, - 128, - }, - - /* Cipher C0 */ - { - 1, - TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA256, - TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA256, - SSL_kRSA, - SSL_aRSA, - SSL_CAMELLIA256, - SSL_SHA256, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 256, - 256, - }, - - /* Cipher C1 */ - { - 1, - TLS1_TXT_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256, - TLS1_CK_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256, - SSL_kDHd, - SSL_aDH, - SSL_CAMELLIA256, - SSL_SHA256, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 256, - 256, - }, - - /* Cipher C2 */ - { - 1, - TLS1_TXT_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256, - TLS1_CK_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256, - SSL_kDHr, - SSL_aDH, - SSL_CAMELLIA256, - SSL_SHA256, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 256, - 256, - }, - - /* Cipher C3 */ - { - 1, - TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256, - TLS1_CK_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256, - SSL_kEDH, - SSL_aDSS, - SSL_CAMELLIA256, - SSL_SHA256, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 256, - 256, - }, - - /* Cipher C4 */ - { - 1, - TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, - TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, - SSL_kEDH, - SSL_aRSA, - SSL_CAMELLIA256, - SSL_SHA256, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 256, - 256, - }, - - /* Cipher C5 */ - { - 1, - TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA256, - TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA256, - SSL_kEDH, - SSL_aNULL, - SSL_CAMELLIA256, - SSL_SHA256, - SSL_TLSV1_2, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 256, - 256, - }, -#endif - -#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL - /* Cipher FF */ - { - 1, - "SCSV", - SSL3_CK_SCSV, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0}, -#endif - -#ifndef OPENSSL_NO_EC - /* Cipher C001 */ - { - 1, - TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA, - TLS1_CK_ECDH_ECDSA_WITH_NULL_SHA, - SSL_kECDHe, - SSL_aECDH, - SSL_eNULL, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 0, - 0, - }, - - /* Cipher C002 */ { 1, - TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA, - TLS1_CK_ECDH_ECDSA_WITH_RC4_128_SHA, - SSL_kECDHe, - SSL_aECDH, - SSL_RC4, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + TLS1_TXT_PSK_WITH_AES_128_GCM_SHA256, + TLS1_CK_PSK_WITH_AES_128_GCM_SHA256, + SSL_kPSK, + SSL_aPSK, + SSL_AES128GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, }, - - /* Cipher C003 */ { 1, - TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA, - TLS1_CK_ECDH_ECDSA_WITH_DES_192_CBC3_SHA, - SSL_kECDHe, - SSL_aECDH, - SSL_3DES, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 112, - 168, + TLS1_TXT_PSK_WITH_AES_256_GCM_SHA384, + TLS1_CK_PSK_WITH_AES_256_GCM_SHA384, + SSL_kPSK, + SSL_aPSK, + SSL_AES256GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, + 256, + 256, }, - - /* Cipher C004 */ { 1, - TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA, - TLS1_CK_ECDH_ECDSA_WITH_AES_128_CBC_SHA, - SSL_kECDHe, - SSL_aECDH, - SSL_AES128, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + TLS1_TXT_DHE_PSK_WITH_AES_128_GCM_SHA256, + TLS1_CK_DHE_PSK_WITH_AES_128_GCM_SHA256, + SSL_kDHEPSK, + SSL_aPSK, + SSL_AES128GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, }, - - /* Cipher C005 */ { 1, - TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA, - TLS1_CK_ECDH_ECDSA_WITH_AES_256_CBC_SHA, - SSL_kECDHe, - SSL_aECDH, - SSL_AES256, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + TLS1_TXT_DHE_PSK_WITH_AES_256_GCM_SHA384, + TLS1_CK_DHE_PSK_WITH_AES_256_GCM_SHA384, + SSL_kDHEPSK, + SSL_aPSK, + SSL_AES256GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, 256, }, - - /* Cipher C006 */ - { - 1, - TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA, - TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA, - SSL_kECDHE, - SSL_aECDSA, - SSL_eNULL, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 0, - 0, - }, - - /* Cipher C007 */ { 1, - TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA, - TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA, - SSL_kECDHE, - SSL_aECDSA, - SSL_RC4, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + TLS1_TXT_RSA_PSK_WITH_AES_128_GCM_SHA256, + TLS1_CK_RSA_PSK_WITH_AES_128_GCM_SHA256, + SSL_kRSAPSK, + SSL_aRSA, + SSL_AES128GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, }, - - /* Cipher C008 */ { 1, - TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, - TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, - SSL_kECDHE, - SSL_aECDSA, - SSL_3DES, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 112, - 168, + TLS1_TXT_RSA_PSK_WITH_AES_256_GCM_SHA384, + TLS1_CK_RSA_PSK_WITH_AES_256_GCM_SHA384, + SSL_kRSAPSK, + SSL_aRSA, + SSL_AES256GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, + 256, + 256, }, - - /* Cipher C009 */ { 1, - TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, - TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, - SSL_kECDHE, - SSL_aECDSA, + TLS1_TXT_PSK_WITH_AES_128_CBC_SHA256, + TLS1_CK_PSK_WITH_AES_128_CBC_SHA256, + SSL_kPSK, + SSL_aPSK, SSL_AES128, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, + SSL_SHA256, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, - - /* Cipher C00A */ { 1, - TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, - TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, - SSL_kECDHE, - SSL_aECDSA, + TLS1_TXT_PSK_WITH_AES_256_CBC_SHA384, + TLS1_CK_PSK_WITH_AES_256_CBC_SHA384, + SSL_kPSK, + SSL_aPSK, SSL_AES256, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + SSL_SHA384, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, 256, }, - - /* Cipher C00B */ { 1, - TLS1_TXT_ECDH_RSA_WITH_NULL_SHA, - TLS1_CK_ECDH_RSA_WITH_NULL_SHA, - SSL_kECDHr, - SSL_aECDH, + TLS1_TXT_PSK_WITH_NULL_SHA256, + TLS1_CK_PSK_WITH_NULL_SHA256, + SSL_kPSK, + SSL_aPSK, SSL_eNULL, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS, + SSL_SHA256, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 0, 0, }, - - /* Cipher C00C */ - { - 1, - TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA, - TLS1_CK_ECDH_RSA_WITH_RC4_128_SHA, - SSL_kECDHr, - SSL_aECDH, - SSL_RC4, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, - }, - - /* Cipher C00D */ { 1, - TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA, - TLS1_CK_ECDH_RSA_WITH_DES_192_CBC3_SHA, - SSL_kECDHr, - SSL_aECDH, - SSL_3DES, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 112, - 168, + TLS1_TXT_PSK_WITH_NULL_SHA384, + TLS1_CK_PSK_WITH_NULL_SHA384, + SSL_kPSK, + SSL_aPSK, + SSL_eNULL, + SSL_SHA384, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_STRONG_NONE | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, + 0, + 0, }, - - /* Cipher C00E */ { 1, - TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA, - TLS1_CK_ECDH_RSA_WITH_AES_128_CBC_SHA, - SSL_kECDHr, - SSL_aECDH, + TLS1_TXT_DHE_PSK_WITH_AES_128_CBC_SHA256, + TLS1_CK_DHE_PSK_WITH_AES_128_CBC_SHA256, + SSL_kDHEPSK, + SSL_aPSK, SSL_AES128, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, + SSL_SHA256, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, - - /* Cipher C00F */ { 1, - TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA, - TLS1_CK_ECDH_RSA_WITH_AES_256_CBC_SHA, - SSL_kECDHr, - SSL_aECDH, + TLS1_TXT_DHE_PSK_WITH_AES_256_CBC_SHA384, + TLS1_CK_DHE_PSK_WITH_AES_256_CBC_SHA384, + SSL_kDHEPSK, + SSL_aPSK, SSL_AES256, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + SSL_SHA384, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, 256, }, - - /* Cipher C010 */ { 1, - TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA, - TLS1_CK_ECDHE_RSA_WITH_NULL_SHA, - SSL_kECDHE, - SSL_aRSA, + TLS1_TXT_DHE_PSK_WITH_NULL_SHA256, + TLS1_CK_DHE_PSK_WITH_NULL_SHA256, + SSL_kDHEPSK, + SSL_aPSK, SSL_eNULL, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS, + SSL_SHA256, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 0, 0, }, - - /* Cipher C011 */ { 1, - TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA, - TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA, - SSL_kECDHE, + TLS1_TXT_DHE_PSK_WITH_NULL_SHA384, + TLS1_CK_DHE_PSK_WITH_NULL_SHA384, + SSL_kDHEPSK, + SSL_aPSK, + SSL_eNULL, + SSL_SHA384, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_STRONG_NONE | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, + 0, + 0, + }, + { + 1, + TLS1_TXT_RSA_PSK_WITH_AES_128_CBC_SHA256, + TLS1_CK_RSA_PSK_WITH_AES_128_CBC_SHA256, + SSL_kRSAPSK, SSL_aRSA, - SSL_RC4, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM, + SSL_AES128, + SSL_SHA256, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, - - /* Cipher C012 */ { 1, - TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA, - TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA, - SSL_kECDHE, + TLS1_TXT_RSA_PSK_WITH_AES_256_CBC_SHA384, + TLS1_CK_RSA_PSK_WITH_AES_256_CBC_SHA384, + SSL_kRSAPSK, SSL_aRSA, - SSL_3DES, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 112, - 168, + SSL_AES256, + SSL_SHA384, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, + 256, + 256, }, - - /* Cipher C013 */ { 1, - TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA, - TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, - SSL_kECDHE, + TLS1_TXT_RSA_PSK_WITH_NULL_SHA256, + TLS1_CK_RSA_PSK_WITH_NULL_SHA256, + SSL_kRSAPSK, SSL_aRSA, - SSL_AES128, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, + SSL_eNULL, + SSL_SHA256, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, + 0, + 0, }, - - /* Cipher C014 */ { 1, - TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA, - TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, - SSL_kECDHE, + TLS1_TXT_RSA_PSK_WITH_NULL_SHA384, + TLS1_CK_RSA_PSK_WITH_NULL_SHA384, + SSL_kRSAPSK, SSL_aRSA, - SSL_AES256, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 256, - 256, + SSL_eNULL, + SSL_SHA384, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_STRONG_NONE | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, + 0, + 0, }, - - /* Cipher C015 */ +# ifndef OPENSSL_NO_EC { 1, - TLS1_TXT_ECDH_anon_WITH_NULL_SHA, - TLS1_CK_ECDH_anon_WITH_NULL_SHA, - SSL_kECDHE, - SSL_aNULL, - SSL_eNULL, + TLS1_TXT_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA, + TLS1_CK_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA, + SSL_kECDHEPSK, + SSL_aPSK, + SSL_3DES, SSL_SHA1, - SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 0, - 0, + 112, + 168, }, - - /* Cipher C016 */ { 1, - TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA, - TLS1_CK_ECDH_anon_WITH_RC4_128_SHA, - SSL_kECDHE, - SSL_aNULL, - SSL_RC4, + TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA, + TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA, + SSL_kECDHEPSK, + SSL_aPSK, + SSL_AES128, SSL_SHA1, - SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, - - /* Cipher C017 */ { 1, - TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA, - TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA, - SSL_kECDHE, - SSL_aNULL, - SSL_3DES, + TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA, + TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA, + SSL_kECDHEPSK, + SSL_aPSK, + SSL_AES256, SSL_SHA1, - SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 112, - 168, + 256, + 256, }, - - /* Cipher C018 */ { 1, - TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA, - TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA, - SSL_kECDHE, - SSL_aNULL, + TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA256, + TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA256, + SSL_kECDHEPSK, + SSL_aPSK, SSL_AES128, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, + SSL_SHA256, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, - - /* Cipher C019 */ { 1, - TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA, - TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA, - SSL_kECDHE, - SSL_aNULL, + TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA384, + TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA384, + SSL_kECDHEPSK, + SSL_aPSK, SSL_AES256, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + SSL_SHA384, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, 256, }, -#endif /* OPENSSL_NO_EC */ + { + 1, + TLS1_TXT_ECDHE_PSK_WITH_NULL_SHA, + TLS1_CK_ECDHE_PSK_WITH_NULL_SHA, + SSL_kECDHEPSK, + SSL_aPSK, + SSL_eNULL, + SSL_SHA1, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_STRONG_NONE | SSL_FIPS, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 0, + 0, + }, + { + 1, + TLS1_TXT_ECDHE_PSK_WITH_NULL_SHA256, + TLS1_CK_ECDHE_PSK_WITH_NULL_SHA256, + SSL_kECDHEPSK, + SSL_aPSK, + SSL_eNULL, + SSL_SHA256, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_STRONG_NONE | SSL_FIPS, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 0, + 0, + }, + { + 1, + TLS1_TXT_ECDHE_PSK_WITH_NULL_SHA384, + TLS1_CK_ECDHE_PSK_WITH_NULL_SHA384, + SSL_kECDHEPSK, + SSL_aPSK, + SSL_eNULL, + SSL_SHA384, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_STRONG_NONE | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, + 0, + 0, + }, +# endif /* OPENSSL_NO_EC */ +#endif /* OPENSSL_NO_PSK */ #ifndef OPENSSL_NO_SRP - /* Cipher C01A */ { 1, TLS1_TXT_SRP_SHA_WITH_3DES_EDE_CBC_SHA, @@ -2679,14 +1821,13 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_aSRP, SSL_3DES, SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, }, - - /* Cipher C01B */ { 1, TLS1_TXT_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA, @@ -2695,14 +1836,13 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_3DES, SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, }, - - /* Cipher C01C */ { 1, TLS1_TXT_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA, @@ -2711,14 +1851,13 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_aDSS, SSL_3DES, SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, }, - - /* Cipher C01D */ { 1, TLS1_TXT_SRP_SHA_WITH_AES_128_CBC_SHA, @@ -2727,14 +1866,13 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_aSRP, SSL_AES128, SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, - - /* Cipher C01E */ { 1, TLS1_TXT_SRP_SHA_RSA_WITH_AES_128_CBC_SHA, @@ -2743,14 +1881,13 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES128, SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, - - /* Cipher C01F */ { 1, TLS1_TXT_SRP_SHA_DSS_WITH_AES_128_CBC_SHA, @@ -2759,14 +1896,13 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_aDSS, SSL_AES128, SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, - - /* Cipher C020 */ { 1, TLS1_TXT_SRP_SHA_WITH_AES_256_CBC_SHA, @@ -2775,14 +1911,13 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_aSRP, SSL_AES256, SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, }, - - /* Cipher C021 */ { 1, TLS1_TXT_SRP_SHA_RSA_WITH_AES_256_CBC_SHA, @@ -2791,14 +1926,13 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES256, SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, }, - - /* Cipher C022 */ { 1, TLS1_TXT_SRP_SHA_DSS_WITH_AES_256_CBC_SHA, @@ -2807,422 +1941,375 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_aDSS, SSL_AES256, SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, }, -#endif /* OPENSSL_NO_SRP */ -#ifndef OPENSSL_NO_EC +#endif /* OPENSSL_NO_SRP */ - /* HMAC based TLS v1.2 ciphersuites from RFC5289 */ +#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) +# ifndef OPENSSL_NO_RSA + { + 1, + TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305, + TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305, + SSL_kDHE, + SSL_aRSA, + SSL_CHACHA20POLY1305, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 256, + 256, + }, +# endif /* OPENSSL_NO_RSA */ - /* Cipher C023 */ +# ifndef OPENSSL_NO_EC { 1, - TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256, - TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256, + TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305, + TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305, SSL_kECDHE, - SSL_aECDSA, - SSL_AES128, - SSL_SHA256, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, + SSL_aRSA, + SSL_CHACHA20POLY1305, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 128, - 128, + 256, + 256, }, - - /* Cipher C024 */ { 1, - TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384, - TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384, + TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, + TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, SSL_kECDHE, SSL_aECDSA, - SSL_AES256, - SSL_SHA384, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, + SSL_CHACHA20POLY1305, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, }, +# endif /* OPENSSL_NO_EC */ - /* Cipher C025 */ +# ifndef OPENSSL_NO_PSK { 1, - TLS1_TXT_ECDH_ECDSA_WITH_AES_128_SHA256, - TLS1_CK_ECDH_ECDSA_WITH_AES_128_SHA256, - SSL_kECDHe, - SSL_aECDH, - SSL_AES128, - SSL_SHA256, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, + TLS1_TXT_PSK_WITH_CHACHA20_POLY1305, + TLS1_CK_PSK_WITH_CHACHA20_POLY1305, + SSL_kPSK, + SSL_aPSK, + SSL_CHACHA20POLY1305, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 128, - 128, + 256, + 256, }, - - /* Cipher C026 */ { 1, - TLS1_TXT_ECDH_ECDSA_WITH_AES_256_SHA384, - TLS1_CK_ECDH_ECDSA_WITH_AES_256_SHA384, - SSL_kECDHe, - SSL_aECDH, - SSL_AES256, - SSL_SHA384, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, + TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305, + TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305, + SSL_kECDHEPSK, + SSL_aPSK, + SSL_CHACHA20POLY1305, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, }, - - /* Cipher C027 */ { 1, - TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256, - TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, - SSL_kECDHE, - SSL_aRSA, - SSL_AES128, - SSL_SHA256, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, + TLS1_TXT_DHE_PSK_WITH_CHACHA20_POLY1305, + TLS1_CK_DHE_PSK_WITH_CHACHA20_POLY1305, + SSL_kDHEPSK, + SSL_aPSK, + SSL_CHACHA20POLY1305, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 128, - 128, + 256, + 256, }, - - /* Cipher C028 */ { 1, - TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384, - TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, - SSL_kECDHE, + TLS1_TXT_RSA_PSK_WITH_CHACHA20_POLY1305, + TLS1_CK_RSA_PSK_WITH_CHACHA20_POLY1305, + SSL_kRSAPSK, SSL_aRSA, - SSL_AES256, - SSL_SHA384, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, + SSL_CHACHA20POLY1305, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, }, +# endif /* OPENSSL_NO_PSK */ +#endif /* !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) */ - /* Cipher C029 */ +#ifndef OPENSSL_NO_CAMELLIA { 1, - TLS1_TXT_ECDH_RSA_WITH_AES_128_SHA256, - TLS1_CK_ECDH_RSA_WITH_AES_128_SHA256, - SSL_kECDHr, - SSL_aECDH, - SSL_AES128, + TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA256, + TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA256, + SSL_kRSA, + SSL_aRSA, + SSL_CAMELLIA128, SSL_SHA256, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, }, - - /* Cipher C02A */ - { - 1, - TLS1_TXT_ECDH_RSA_WITH_AES_256_SHA384, - TLS1_CK_ECDH_RSA_WITH_AES_256_SHA384, - SSL_kECDHr, - SSL_aECDH, - SSL_AES256, - SSL_SHA384, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, - 256, - 256, - }, - - /* GCM based TLS v1.2 ciphersuites from RFC5289 */ - - /* Cipher C02B */ { 1, - TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, - TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, - SSL_kECDHE, - SSL_aECDSA, - SSL_AES128GCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, + TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256, + TLS1_CK_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256, + SSL_kEDH, + SSL_aDSS, + SSL_CAMELLIA128, + SSL_SHA256, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, }, - - /* Cipher C02C */ { 1, - TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, - TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, - SSL_kECDHE, - SSL_aECDSA, - SSL_AES256GCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, - 256, - 256, + TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, + TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, + SSL_kEDH, + SSL_aRSA, + SSL_CAMELLIA128, + SSL_SHA256, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, + 128, }, - - /* Cipher C02D */ { 1, - TLS1_TXT_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, - TLS1_CK_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, - SSL_kECDHe, - SSL_aECDH, - SSL_AES128GCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, + TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA256, + TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA256, + SSL_kEDH, + SSL_aNULL, + SSL_CAMELLIA128, + SSL_SHA256, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, }, - - /* Cipher C02E */ { 1, - TLS1_TXT_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, - TLS1_CK_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, - SSL_kECDHe, - SSL_aECDH, - SSL_AES256GCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, + TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA256, + TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA256, + SSL_kRSA, + SSL_aRSA, + SSL_CAMELLIA256, + SSL_SHA256, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, }, - - /* Cipher C02F */ { 1, - TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256, - TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, - SSL_kECDHE, - SSL_aRSA, - SSL_AES128GCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, + TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256, + TLS1_CK_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256, + SSL_kEDH, + SSL_aDSS, + SSL_CAMELLIA256, + SSL_SHA256, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 128, - 128, + 256, + 256, }, - - /* Cipher C030 */ { 1, - TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384, - TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, - SSL_kECDHE, + TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, + TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, + SSL_kEDH, SSL_aRSA, - SSL_AES256GCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, + SSL_CAMELLIA256, + SSL_SHA256, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, }, - - /* Cipher C031 */ { 1, - TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256, - TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256, - SSL_kECDHr, - SSL_aECDH, - SSL_AES128GCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, + TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA256, + TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA256, + SSL_kEDH, + SSL_aNULL, + SSL_CAMELLIA256, + SSL_SHA256, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 128, - 128, - }, - - /* Cipher C032 */ - { - 1, - TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384, - TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384, - SSL_kECDHr, - SSL_aECDH, - SSL_AES256GCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, 256, }, - - /* PSK ciphersuites from RFC 5489 */ - /* Cipher C033 */ { 1, - TLS1_TXT_ECDHE_PSK_WITH_RC4_128_SHA, - TLS1_CK_ECDHE_PSK_WITH_RC4_128_SHA, - SSL_kECDHEPSK, - SSL_aPSK, - SSL_RC4, + TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA, + TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA, + SSL_kRSA, + SSL_aRSA, + SSL_CAMELLIA256, SSL_SHA1, - SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, + 256, + 256, }, - - /* Cipher C034 */ { 1, - TLS1_TXT_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA, - TLS1_CK_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA, - SSL_kECDHEPSK, - SSL_aPSK, - SSL_3DES, + TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, + TLS1_CK_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, + SSL_kDHE, + SSL_aDSS, + SSL_CAMELLIA256, SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 112, - 168, + 256, + 256, }, - - /* Cipher C035 */ { 1, - TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA, - TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA, - SSL_kECDHEPSK, - SSL_aPSK, - SSL_AES128, + TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, + TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, + SSL_kDHE, + SSL_aRSA, + SSL_CAMELLIA256, SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, + 256, + 256, }, - - /* Cipher C036 */ { 1, - TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA, - TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA, - SSL_kECDHEPSK, - SSL_aPSK, - SSL_AES256, + TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA, + TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA, + SSL_kDHE, + SSL_aNULL, + SSL_CAMELLIA256, SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, }, - - /* Cipher C037 */ { 1, - TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA256, - TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA256, - SSL_kECDHEPSK, - SSL_aPSK, - SSL_AES128, - SSL_SHA256, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, + TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA, + TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA, + SSL_kRSA, + SSL_aRSA, + SSL_CAMELLIA128, + SSL_SHA1, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, - - /* Cipher C038 */ { 1, - TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA384, - TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA384, - SSL_kECDHEPSK, - SSL_aPSK, - SSL_AES256, - SSL_SHA384, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, - 256, - 256, + TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, + TLS1_CK_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, + SSL_kDHE, + SSL_aDSS, + SSL_CAMELLIA128, + SSL_SHA1, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 128, + 128, }, - - /* Cipher C039 */ { 1, - TLS1_TXT_ECDHE_PSK_WITH_NULL_SHA, - TLS1_CK_ECDHE_PSK_WITH_NULL_SHA, - SSL_kECDHEPSK, - SSL_aPSK, - SSL_eNULL, + TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, + TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, + SSL_kDHE, + SSL_aRSA, + SSL_CAMELLIA128, SSL_SHA1, - SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 0, - 0, + 128, + 128, }, - - /* Cipher C03A */ { 1, - TLS1_TXT_ECDHE_PSK_WITH_NULL_SHA256, - TLS1_CK_ECDHE_PSK_WITH_NULL_SHA256, - SSL_kECDHEPSK, - SSL_aPSK, - SSL_eNULL, - SSL_SHA256, - SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS, + TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA, + TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA, + SSL_kDHE, + SSL_aNULL, + SSL_CAMELLIA128, + SSL_SHA1, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 0, - 0, + 128, + 128, }, - /* Cipher C03B */ +# ifndef OPENSSL_NO_EC { - 1, - TLS1_TXT_ECDHE_PSK_WITH_NULL_SHA384, - TLS1_CK_ECDHE_PSK_WITH_NULL_SHA384, - SSL_kECDHEPSK, - SSL_aPSK, - SSL_eNULL, - SSL_SHA384, - SSL_TLSV1, - SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, - 0, - 0, - }, - -# ifndef OPENSSL_NO_CAMELLIA - { /* Cipher C072 */ 1, TLS1_TXT_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, TLS1_CK_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, @@ -3230,13 +2317,14 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_aECDSA, SSL_CAMELLIA128, SSL_SHA256, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, - 128}, - - { /* Cipher C073 */ + 128 + }, + { 1, TLS1_TXT_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, TLS1_CK_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, @@ -3244,41 +2332,14 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_aECDSA, SSL_CAMELLIA256, SSL_SHA384, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, - 256, - 256}, - - { /* Cipher C074 */ - 1, - TLS1_TXT_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, - TLS1_CK_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, - SSL_kECDHe, - SSL_aECDH, - SSL_CAMELLIA128, - SSL_SHA256, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 128, - 128}, - - { /* Cipher C075 */ - 1, - TLS1_TXT_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, - TLS1_CK_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, - SSL_kECDHe, - SSL_aECDH, - SSL_CAMELLIA256, - SSL_SHA384, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, - 256}, - - { /* Cipher C076 */ + 256 + }, + { 1, TLS1_TXT_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, TLS1_CK_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, @@ -3286,13 +2347,14 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_CAMELLIA128, SSL_SHA256, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, - 128}, - - { /* Cipher C077 */ + 128 + }, + { 1, TLS1_TXT_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384, TLS1_CK_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384, @@ -3300,44 +2362,17 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_CAMELLIA256, SSL_SHA384, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, - 256, - 256}, - - { /* Cipher C078 */ - 1, - TLS1_TXT_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256, - TLS1_CK_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256, - SSL_kECDHr, - SSL_aECDH, - SSL_CAMELLIA128, - SSL_SHA256, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 128, - 128}, - - { /* Cipher C079 */ - 1, - TLS1_TXT_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384, - TLS1_CK_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384, - SSL_kECDHr, - SSL_aECDH, - SSL_CAMELLIA256, - SSL_SHA384, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, - 256}, -# endif /* OPENSSL_NO_CAMELLIA */ -#endif /* OPENSSL_NO_EC */ + 256 + }, +# endif /* OPENSSL_NO_EC */ -#if !defined(OPENSSL_NO_CAMELLIA) && !defined(OPENSSL_NO_PSK) - { /* Cipher C094 */ +# ifndef OPENSSL_NO_PSK + { 1, TLS1_TXT_PSK_WITH_CAMELLIA_128_CBC_SHA256, TLS1_CK_PSK_WITH_CAMELLIA_128_CBC_SHA256, @@ -3345,13 +2380,14 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_CAMELLIA128, SSL_SHA256, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, - 128}, - - { /* Cipher C095 */ + 128 + }, + { 1, TLS1_TXT_PSK_WITH_CAMELLIA_256_CBC_SHA384, TLS1_CK_PSK_WITH_CAMELLIA_256_CBC_SHA384, @@ -3359,13 +2395,14 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_CAMELLIA256, SSL_SHA384, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, - 256}, - - { /* Cipher C096 */ + 256 + }, + { 1, TLS1_TXT_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, TLS1_CK_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, @@ -3373,13 +2410,14 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_CAMELLIA128, SSL_SHA256, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, - 128}, - - { /* Cipher C097 */ + 128 + }, + { 1, TLS1_TXT_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, TLS1_CK_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, @@ -3387,13 +2425,14 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_CAMELLIA256, SSL_SHA384, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, - 256}, - - { /* Cipher C098 */ + 256 + }, + { 1, TLS1_TXT_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256, TLS1_CK_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256, @@ -3401,13 +2440,14 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_CAMELLIA128, SSL_SHA256, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, - 128}, - - { /* Cipher C099 */ + 128 + }, + { 1, TLS1_TXT_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384, TLS1_CK_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384, @@ -3415,13 +2455,14 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_CAMELLIA256, SSL_SHA384, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, - 256}, - - { /* Cipher C09A */ + 256 + }, + { 1, TLS1_TXT_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, TLS1_CK_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, @@ -3429,13 +2470,14 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_CAMELLIA128, SSL_SHA256, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, - 128}, - - { /* Cipher C09B */ + 128 + }, + { 1, TLS1_TXT_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, TLS1_CK_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, @@ -3443,336 +2485,338 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_CAMELLIA256, SSL_SHA384, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, - 256}, -#endif + 256 + }, +# endif /* OPENSSL_NO_PSK */ + +#endif /* OPENSSL_NO_CAMELLIA */ + +#ifndef OPENSSL_NO_GOST + { + 1, + "GOST2001-GOST89-GOST89", + 0x3000081, + SSL_kGOST, + SSL_aGOST01, + SSL_eGOST2814789CNT, + SSL_GOST89MAC, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH, + SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94 | TLS1_STREAM_MAC, + 256, + 256 + }, + { + 1, + "GOST2001-NULL-GOST94", + 0x3000083, + SSL_kGOST, + SSL_aGOST01, + SSL_eNULL, + SSL_GOST94, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_STRONG_NONE, + SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94, + 0, + 0 + }, + { + 1, + "GOST2012-GOST8912-GOST8912", + 0x0300ff85, + SSL_kGOST, + SSL_aGOST12 | SSL_aGOST01, + SSL_eGOST2814789CNT12, + SSL_GOST89MAC12, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_HIGH, + SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_STREAM_MAC, + 256, + 256 + }, + { + 1, + "GOST2012-NULL-GOST12", + 0x0300ff87, + SSL_kGOST, + SSL_aGOST12 | SSL_aGOST01, + SSL_eNULL, + SSL_GOST12_256, + TLS1_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_STRONG_NONE, + SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_STREAM_MAC, + 0, + 0}, +#endif /* OPENSSL_NO_GOST */ - /* Cipher C09C */ +#ifndef OPENSSL_NO_IDEA { 1, - TLS1_TXT_RSA_WITH_AES_128_CCM, - TLS1_CK_RSA_WITH_AES_128_CCM, + SSL3_TXT_RSA_IDEA_128_SHA, + SSL3_CK_RSA_IDEA_128_SHA, SSL_kRSA, SSL_aRSA, - SSL_AES128CCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + SSL_IDEA, + SSL_SHA1, + SSL3_VERSION, TLS1_1_VERSION, + DTLS1_VERSION, DTLS1_VERSION, + SSL_NOT_DEFAULT | SSL_MEDIUM, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, +#endif - /* Cipher C09D */ +#ifndef OPENSSL_NO_SEED { 1, - TLS1_TXT_RSA_WITH_AES_256_CCM, - TLS1_CK_RSA_WITH_AES_256_CCM, + TLS1_TXT_RSA_WITH_SEED_SHA, + TLS1_CK_RSA_WITH_SEED_SHA, SSL_kRSA, SSL_aRSA, - SSL_AES256CCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 256, - 256, + SSL_SEED, + SSL_SHA1, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_MEDIUM, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 128, + 128, }, - - /* Cipher C09E */ { 1, - TLS1_TXT_DHE_RSA_WITH_AES_128_CCM, - TLS1_CK_DHE_RSA_WITH_AES_128_CCM, + TLS1_TXT_DHE_DSS_WITH_SEED_SHA, + TLS1_CK_DHE_DSS_WITH_SEED_SHA, SSL_kDHE, - SSL_aRSA, - SSL_AES128CCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + SSL_aDSS, + SSL_SEED, + SSL_SHA1, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_MEDIUM, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, - - /* Cipher C09F */ { 1, - TLS1_TXT_DHE_RSA_WITH_AES_256_CCM, - TLS1_CK_DHE_RSA_WITH_AES_256_CCM, + TLS1_TXT_DHE_RSA_WITH_SEED_SHA, + TLS1_CK_DHE_RSA_WITH_SEED_SHA, SSL_kDHE, SSL_aRSA, - SSL_AES256CCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 256, - 256, + SSL_SEED, + SSL_SHA1, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_MEDIUM, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 128, + 128, }, - - /* Cipher C0A0 */ { 1, - TLS1_TXT_RSA_WITH_AES_128_CCM_8, - TLS1_CK_RSA_WITH_AES_128_CCM_8, - SSL_kRSA, - SSL_aRSA, - SSL_AES128CCM8, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + TLS1_TXT_ADH_WITH_SEED_SHA, + TLS1_CK_ADH_WITH_SEED_SHA, + SSL_kDHE, + SSL_aNULL, + SSL_SEED, + SSL_SHA1, + SSL3_VERSION, TLS1_2_VERSION, + DTLS1_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_MEDIUM, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, +#endif /* OPENSSL_NO_SEED */ - /* Cipher C0A1 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, - TLS1_TXT_RSA_WITH_AES_256_CCM_8, - TLS1_CK_RSA_WITH_AES_256_CCM_8, + SSL3_TXT_RSA_RC4_128_MD5, + SSL3_CK_RSA_RC4_128_MD5, SSL_kRSA, SSL_aRSA, - SSL_AES256CCM8, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 256, - 256, + SSL_RC4, + SSL_MD5, + SSL3_VERSION, TLS1_2_VERSION, + 0, 0, + SSL_NOT_DEFAULT | SSL_MEDIUM, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 128, + 128, }, - - /* Cipher C0A2 */ { 1, - TLS1_TXT_DHE_RSA_WITH_AES_128_CCM_8, - TLS1_CK_DHE_RSA_WITH_AES_128_CCM_8, - SSL_kDHE, + SSL3_TXT_RSA_RC4_128_SHA, + SSL3_CK_RSA_RC4_128_SHA, + SSL_kRSA, SSL_aRSA, - SSL_AES128CCM8, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + SSL_RC4, + SSL_SHA1, + SSL3_VERSION, TLS1_2_VERSION, + 0, 0, + SSL_NOT_DEFAULT | SSL_MEDIUM, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, - - /* Cipher C0A3 */ { 1, - TLS1_TXT_DHE_RSA_WITH_AES_256_CCM_8, - TLS1_CK_DHE_RSA_WITH_AES_256_CCM_8, + SSL3_TXT_ADH_RC4_128_MD5, + SSL3_CK_ADH_RC4_128_MD5, SSL_kDHE, - SSL_aRSA, - SSL_AES256CCM8, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 256, - 256, - }, - - /* Cipher C0A4 */ - { - 1, - TLS1_TXT_PSK_WITH_AES_128_CCM, - TLS1_CK_PSK_WITH_AES_128_CCM, - SSL_kPSK, - SSL_aPSK, - SSL_AES128CCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + SSL_aNULL, + SSL_RC4, + SSL_MD5, + SSL3_VERSION, TLS1_2_VERSION, + 0, 0, + SSL_NOT_DEFAULT | SSL_MEDIUM, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, - /* Cipher C0A4 */ - { - 1, - TLS1_TXT_PSK_WITH_AES_256_CCM, - TLS1_CK_PSK_WITH_AES_256_CCM, - SSL_kPSK, - SSL_aPSK, - SSL_AES256CCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 256, - 256, - }, - - /* Cipher C0A6 */ +# ifndef OPENSSL_NO_EC { 1, - TLS1_TXT_DHE_PSK_WITH_AES_128_CCM, - TLS1_CK_DHE_PSK_WITH_AES_128_CCM, - SSL_kDHEPSK, + TLS1_TXT_ECDHE_PSK_WITH_RC4_128_SHA, + TLS1_CK_ECDHE_PSK_WITH_RC4_128_SHA, + SSL_kECDHEPSK, SSL_aPSK, - SSL_AES128CCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + SSL_RC4, + SSL_SHA1, + SSL3_VERSION, TLS1_2_VERSION, + 0, 0, + SSL_NOT_DEFAULT | SSL_MEDIUM, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, - - /* Cipher C0A7 */ - { - 1, - TLS1_TXT_DHE_PSK_WITH_AES_256_CCM, - TLS1_CK_DHE_PSK_WITH_AES_256_CCM, - SSL_kDHEPSK, - SSL_aPSK, - SSL_AES256CCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 256, - 256, - }, - - /* Cipher C0A8 */ { 1, - TLS1_TXT_PSK_WITH_AES_128_CCM_8, - TLS1_CK_PSK_WITH_AES_128_CCM_8, - SSL_kPSK, - SSL_aPSK, - SSL_AES128CCM8, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA, + TLS1_CK_ECDH_anon_WITH_RC4_128_SHA, + SSL_kECDHE, + SSL_aNULL, + SSL_RC4, + SSL_SHA1, + SSL3_VERSION, TLS1_2_VERSION, + 0, 0, + SSL_NOT_DEFAULT | SSL_MEDIUM, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, - - /* Cipher C0A9 */ - { - 1, - TLS1_TXT_PSK_WITH_AES_256_CCM_8, - TLS1_CK_PSK_WITH_AES_256_CCM_8, - SSL_kPSK, - SSL_aPSK, - SSL_AES256CCM8, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 256, - 256, - }, - - /* Cipher C0AA */ { 1, - TLS1_TXT_DHE_PSK_WITH_AES_128_CCM_8, - TLS1_CK_DHE_PSK_WITH_AES_128_CCM_8, - SSL_kDHEPSK, - SSL_aPSK, - SSL_AES128CCM8, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA, + TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA, + SSL_kECDHE, + SSL_aECDSA, + SSL_RC4, + SSL_SHA1, + SSL3_VERSION, TLS1_2_VERSION, + 0, 0, + SSL_NOT_DEFAULT | SSL_MEDIUM, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, - - /* Cipher C0AB */ - { - 1, - TLS1_TXT_DHE_PSK_WITH_AES_256_CCM_8, - TLS1_CK_DHE_PSK_WITH_AES_256_CCM_8, - SSL_kDHEPSK, - SSL_aPSK, - SSL_AES256CCM8, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 256, - 256, - }, - - /* Cipher C0AC */ { 1, - TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM, - TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CCM, + TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA, + TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA, SSL_kECDHE, - SSL_aECDSA, - SSL_AES128CCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + SSL_aRSA, + SSL_RC4, + SSL_SHA1, + SSL3_VERSION, TLS1_2_VERSION, + 0, 0, + SSL_NOT_DEFAULT | SSL_MEDIUM, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, +# endif /* OPENSSL_NO_EC */ - /* Cipher C0AD */ +# ifndef OPENSSL_NO_PSK { 1, - TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CCM, - TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CCM, - SSL_kECDHE, - SSL_aECDSA, - SSL_AES256CCM, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 256, - 256, + TLS1_TXT_PSK_WITH_RC4_128_SHA, + TLS1_CK_PSK_WITH_RC4_128_SHA, + SSL_kPSK, + SSL_aPSK, + SSL_RC4, + SSL_SHA1, + SSL3_VERSION, TLS1_2_VERSION, + 0, 0, + SSL_NOT_DEFAULT | SSL_MEDIUM, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 128, + 128, }, - - /* Cipher C0AE */ { 1, - TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM_8, - TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CCM_8, - SSL_kECDHE, - SSL_aECDSA, - SSL_AES128CCM8, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + TLS1_TXT_RSA_PSK_WITH_RC4_128_SHA, + TLS1_CK_RSA_PSK_WITH_RC4_128_SHA, + SSL_kRSAPSK, + SSL_aRSA, + SSL_RC4, + SSL_SHA1, + SSL3_VERSION, TLS1_2_VERSION, + 0, 0, + SSL_NOT_DEFAULT | SSL_MEDIUM, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, - - /* Cipher C0AF */ { 1, - TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CCM_8, - TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CCM_8, - SSL_kECDHE, - SSL_aECDSA, - SSL_AES256CCM8, - SSL_AEAD, - SSL_TLSV1_2, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 256, - 256, + TLS1_TXT_DHE_PSK_WITH_RC4_128_SHA, + TLS1_CK_DHE_PSK_WITH_RC4_128_SHA, + SSL_kDHEPSK, + SSL_aPSK, + SSL_RC4, + SSL_SHA1, + SSL3_VERSION, TLS1_2_VERSION, + 0, 0, + SSL_NOT_DEFAULT | SSL_MEDIUM, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 128, + 128, }, +# endif /* OPENSSL_NO_PSK */ + +#endif /* OPENSSL_NO_WEAK_SSL_CIPHERS */ -/* end of list */ }; + +static int cipher_compare(const void *a, const void *b) +{ + const SSL_CIPHER *ap = (const SSL_CIPHER *)a; + const SSL_CIPHER *bp = (const SSL_CIPHER *)b; + + return ap->id - bp->id; +} + +void ssl_sort_cipher_list(void) +{ + qsort(ssl3_ciphers, OSSL_NELEM(ssl3_ciphers), sizeof ssl3_ciphers[0], + cipher_compare); +} + + const SSL3_ENC_METHOD SSLv3_enc_data = { ssl3_enc, n_ssl3_mac, @@ -3781,7 +2825,6 @@ const SSL3_ENC_METHOD SSLv3_enc_data = { ssl3_change_cipher_state, ssl3_final_finish_mac, MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, - ssl3_cert_verify_mac, SSL3_MD_CLIENT_FINISHED_CONST, 4, SSL3_MD_SERVER_FINISHED_CONST, 4, ssl3_alert_code, @@ -3839,7 +2882,7 @@ int ssl3_new(SSL *s) if ((s3 = OPENSSL_zalloc(sizeof(*s3))) == NULL) goto err; s->s3 = s3; - + #ifndef OPENSSL_NO_SRP if (!SSL_SRP_CTX_init(s)) goto err; @@ -3852,21 +2895,16 @@ int ssl3_new(SSL *s) void ssl3_free(SSL *s) { - if (s == NULL) + if (s == NULL || s->s3 == NULL) return; ssl3_cleanup_key_block(s); -#ifndef OPENSSL_NO_RSA - RSA_free(s->s3->peer_rsa_tmp); -#endif -#ifndef OPENSSL_NO_DH - DH_free(s->s3->tmp.dh); - DH_free(s->s3->peer_dh_tmp); -#endif -#ifndef OPENSSL_NO_EC - EC_KEY_free(s->s3->tmp.ecdh); - EC_KEY_free(s->s3->peer_ecdh_tmp); +#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) + EVP_PKEY_free(s->s3->peer_tmp); + s->s3->peer_tmp = NULL; + EVP_PKEY_free(s->s3->tmp.pkey); + s->s3->tmp.pkey = NULL; #endif sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free); @@ -3875,6 +2913,7 @@ void ssl3_free(SSL *s) OPENSSL_free(s->s3->tmp.peer_sigalgs); ssl3_free_digest_list(s); OPENSSL_free(s->s3->alpn_selected); + OPENSSL_free(s->s3->alpn_proposed); #ifndef OPENSSL_NO_SRP SSL_SRP_CTX_free(s); @@ -3885,53 +2924,27 @@ void ssl3_free(SSL *s) void ssl3_clear(SSL *s) { - int init_extra; - ssl3_cleanup_key_block(s); sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free); OPENSSL_free(s->s3->tmp.ciphers_raw); - s->s3->tmp.ciphers_raw = NULL; OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen); - s->s3->tmp.pms = NULL; OPENSSL_free(s->s3->tmp.peer_sigalgs); - s->s3->tmp.peer_sigalgs = NULL; - -#ifndef OPENSSL_NO_RSA - RSA_free(s->s3->peer_rsa_tmp); - s->s3->peer_rsa_tmp = NULL; -#endif -#ifndef OPENSSL_NO_DH - DH_free(s->s3->tmp.dh); - s->s3->tmp.dh = NULL; - DH_free(s->s3->peer_dh_tmp); - s->s3->peer_dh_tmp = NULL; -#endif -#ifndef OPENSSL_NO_EC - EC_KEY_free(s->s3->tmp.ecdh); - s->s3->tmp.ecdh = NULL; - EC_KEY_free(s->s3->peer_ecdh_tmp); - s->s3->peer_ecdh_tmp = NULL; - s->s3->is_probably_safari = 0; +#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) + EVP_PKEY_free(s->s3->tmp.pkey); + EVP_PKEY_free(s->s3->peer_tmp); #endif /* !OPENSSL_NO_EC */ - init_extra = s->s3->init_extra; ssl3_free_digest_list(s); - if (s->s3->alpn_selected) { - OPENSSL_free(s->s3->alpn_selected); - s->s3->alpn_selected = NULL; - } + OPENSSL_free(s->s3->alpn_selected); + OPENSSL_free(s->s3->alpn_proposed); + /* NULL/zero-out everything in the s3 struct */ memset(s->s3, 0, sizeof(*s->s3)); - s->s3->init_extra = init_extra; ssl_free_wbio_buffer(s); - s->s3->renegotiate = 0; - s->s3->total_renegotiations = 0; - s->s3->num_renegotiations = 0; - s->s3->in_read_app_data = 0; s->version = SSL3_VERSION; #if !defined(OPENSSL_NO_NEXTPROTONEG) @@ -3944,7 +2957,7 @@ void ssl3_clear(SSL *s) #ifndef OPENSSL_NO_SRP static char *srp_password_from_info_cb(SSL *s, void *arg) { - return BUF_strdup(s->srp_ctx.info); + return OPENSSL_strdup(s->srp_ctx.info); } #endif @@ -3956,9 +2969,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) int ret = 0; switch (cmd) { - case SSL_CTRL_GET_SESSION_REUSED: - ret = s->hit; - break; case SSL_CTRL_GET_CLIENT_CERT_REQUEST: break; case SSL_CTRL_GET_NUM_RENEGOTIATIONS: @@ -3974,62 +2984,28 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_GET_FLAGS: ret = (int)(s->s3->flags); break; -#ifndef OPENSSL_NO_RSA - case SSL_CTRL_NEED_TMP_RSA: - if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) && - ((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) || - (EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) > - (512 / 8)))) - ret = 1; - break; - case SSL_CTRL_SET_TMP_RSA: - { - RSA *rsa = (RSA *)parg; - if (rsa == NULL) { - SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER); - return (ret); - } - if ((rsa = RSAPrivateKey_dup(rsa)) == NULL) { - SSLerr(SSL_F_SSL3_CTRL, ERR_R_RSA_LIB); - return (ret); - } - RSA_free(s->cert->rsa_tmp); - s->cert->rsa_tmp = rsa; - ret = 1; - } - break; - case SSL_CTRL_SET_TMP_RSA_CB: - { - SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return (ret); - } -#endif #ifndef OPENSSL_NO_DH case SSL_CTRL_SET_TMP_DH: { DH *dh = (DH *)parg; + EVP_PKEY *pkdh = NULL; if (dh == NULL) { SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER); return (ret); } + pkdh = ssl_dh_to_pkey(dh); + if (pkdh == NULL) { + SSLerr(SSL_F_SSL3_CTRL, ERR_R_MALLOC_FAILURE); + return 0; + } if (!ssl_security(s, SSL_SECOP_TMP_DH, - DH_security_bits(dh), 0, dh)) { + EVP_PKEY_security_bits(pkdh), 0, pkdh)) { SSLerr(SSL_F_SSL3_CTRL, SSL_R_DH_KEY_TOO_SMALL); - return (ret); + EVP_PKEY_free(pkdh); + return ret; } - if ((dh = DHparams_dup(dh)) == NULL) { - SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB); - return (ret); - } - if (!(s->options & SSL_OP_SINGLE_DH_USE)) { - if (!DH_generate_key(dh)) { - DH_free(dh); - SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB); - return (ret); - } - } - DH_free(s->cert->dh_tmp); - s->cert->dh_tmp = dh; + EVP_PKEY_free(s->cert->dh_tmp); + s->cert->dh_tmp = pkdh; ret = 1; } break; @@ -4045,48 +3021,43 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) #ifndef OPENSSL_NO_EC case SSL_CTRL_SET_TMP_ECDH: { - EC_KEY *ecdh = NULL; + const EC_GROUP *group = NULL; + int nid; if (parg == NULL) { SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER); - return (ret); - } - if (!EC_KEY_up_ref((EC_KEY *)parg)) { - SSLerr(SSL_F_SSL3_CTRL, ERR_R_ECDH_LIB); - return (ret); + return 0; } - ecdh = (EC_KEY *)parg; - if (!(s->options & SSL_OP_SINGLE_ECDH_USE)) { - if (!EC_KEY_generate_key(ecdh)) { - EC_KEY_free(ecdh); - SSLerr(SSL_F_SSL3_CTRL, ERR_R_ECDH_LIB); - return (ret); - } + group = EC_KEY_get0_group((const EC_KEY *)parg); + if (group == NULL) { + SSLerr(SSL_F_SSL3_CTRL, EC_R_MISSING_PARAMETERS); + return 0; } - EC_KEY_free(s->cert->ecdh_tmp); - s->cert->ecdh_tmp = ecdh; - ret = 1; + nid = EC_GROUP_get_curve_name(group); + if (nid == NID_undef) + return 0; + return tls1_set_curves(&s->tlsext_ellipticcurvelist, + &s->tlsext_ellipticcurvelist_length, + &nid, 1); } break; - case SSL_CTRL_SET_TMP_ECDH_CB: - { - SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return (ret); - } #endif /* !OPENSSL_NO_EC */ case SSL_CTRL_SET_TLSEXT_HOSTNAME: if (larg == TLSEXT_NAMETYPE_host_name) { + size_t len; + OPENSSL_free(s->tlsext_hostname); s->tlsext_hostname = NULL; ret = 1; if (parg == NULL) break; - if (strlen((char *)parg) > TLSEXT_MAXLEN_host_name) { + len = strlen((char *)parg); + if (len == 0 || len > TLSEXT_MAXLEN_host_name) { SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME); return 0; } - if ((s->tlsext_hostname = BUF_strdup((char *)parg)) == NULL) { + if ((s->tlsext_hostname = OPENSSL_strdup((char *)parg)) == NULL) { SSLerr(SSL_F_SSL3_CTRL, ERR_R_INTERNAL_ERROR); return 0; } @@ -4137,23 +3108,24 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) break; #ifndef OPENSSL_NO_HEARTBEATS - case SSL_CTRL_TLS_EXT_SEND_HEARTBEAT: + case SSL_CTRL_DTLS_EXT_SEND_HEARTBEAT: if (SSL_IS_DTLS(s)) ret = dtls1_heartbeat(s); - else - ret = tls1_heartbeat(s); break; - case SSL_CTRL_GET_TLS_EXT_HEARTBEAT_PENDING: - ret = s->tlsext_hb_pending; + case SSL_CTRL_GET_DTLS_EXT_HEARTBEAT_PENDING: + if (SSL_IS_DTLS(s)) + ret = s->tlsext_hb_pending; break; - case SSL_CTRL_SET_TLS_EXT_HEARTBEAT_NO_REQUESTS: - if (larg) - s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_RECV_REQUESTS; - else - s->tlsext_heartbeat &= ~SSL_TLSEXT_HB_DONT_RECV_REQUESTS; - ret = 1; + case SSL_CTRL_SET_DTLS_EXT_HEARTBEAT_NO_REQUESTS: + if (SSL_IS_DTLS(s)) { + if (larg) + s->tlsext_heartbeat |= SSL_DTLSEXT_HB_DONT_RECV_REQUESTS; + else + s->tlsext_heartbeat &= ~SSL_DTLSEXT_HB_DONT_RECV_REQUESTS; + ret = 1; + } break; #endif @@ -4237,11 +3209,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_GET_SHARED_CURVE: return tls1_shared_curve(s, larg); -# ifndef OPENSSL_NO_EC - case SSL_CTRL_SET_ECDH_AUTO: - s->cert->ecdh_tmp_auto = larg; - return 1; -# endif #endif case SSL_CTRL_SET_SIGALGS: return tls1_set_sigalgs(s->cert, parg, larg, 0); @@ -4301,37 +3268,17 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) return 0; case SSL_CTRL_GET_SERVER_TMP_KEY: - if (s->server || !s->session) - return 0; - else { - EVP_PKEY *ptmp; - int rv = 0; -#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_EC) - if (!s->s3->peer_rsa_tmp && !s->s3->peer_dh_tmp && !s->s3->peer_ecdh_tmp) - return 0; -#endif - ptmp = EVP_PKEY_new(); - if (!ptmp) - return 0; -#ifndef OPENSSL_NO_RSA - else if (s->s3->peer_rsa_tmp) - rv = EVP_PKEY_set1_RSA(ptmp, s->s3->peer_rsa_tmp); -#endif -#ifndef OPENSSL_NO_DH - else if (s->s3->peer_dh_tmp) - rv = EVP_PKEY_set1_DH(ptmp, s->s3->peer_dh_tmp); -#endif -#ifndef OPENSSL_NO_EC - else if (s->s3->peer_ecdh_tmp) - rv = EVP_PKEY_set1_EC_KEY(ptmp, s->s3->peer_ecdh_tmp); -#endif - if (rv) { - *(EVP_PKEY **)parg = ptmp; - return 1; - } - EVP_PKEY_free(ptmp); +#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) + if (s->server || s->session == NULL || s->s3->peer_tmp == NULL) { return 0; + } else { + EVP_PKEY_up_ref(s->s3->peer_tmp); + *(EVP_PKEY **)parg = s->s3->peer_tmp; + return 1; } +#else + return 0; +#endif #ifndef OPENSSL_NO_EC case SSL_CTRL_GET_EC_POINT_FORMATS: { @@ -4344,33 +3291,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) } #endif - case SSL_CTRL_CHECK_PROTO_VERSION: - /* - * For library-internal use; checks that the current protocol is the - * highest enabled version (according to s->ctx->method, as version - * negotiation may have changed s->method). - */ - if (s->version == s->ctx->method->version) - return 1; - /* - * Apparently we're using a version-flexible SSL_METHOD (not at its - * highest protocol version). - */ - if (s->ctx->method->version == TLS_method()->version) { -#if TLS_MAX_VERSION != TLS1_2_VERSION -# error Code needs update for TLS_method() support beyond TLS1_2_VERSION. -#endif - if (!(s->options & SSL_OP_NO_TLSv1_2)) - return s->version == TLS1_2_VERSION; - if (!(s->options & SSL_OP_NO_TLSv1_1)) - return s->version == TLS1_1_VERSION; - if (!(s->options & SSL_OP_NO_TLSv1)) - return s->version == TLS1_VERSION; - if (!(s->options & SSL_OP_NO_SSLv3)) - return s->version == SSL3_VERSION; - } - return 0; /* Unexpected state; fail closed. */ - default: break; } @@ -4382,30 +3302,16 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void)) int ret = 0; switch (cmd) { -#ifndef OPENSSL_NO_RSA - case SSL_CTRL_SET_TMP_RSA_CB: - { - s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp; - } - break; -#endif #ifndef OPENSSL_NO_DH case SSL_CTRL_SET_TMP_DH_CB: { s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; } break; -#endif -#ifndef OPENSSL_NO_EC - case SSL_CTRL_SET_TMP_ECDH_CB: - { - s->cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp; - } - break; #endif case SSL_CTRL_SET_TLSEXT_DEBUG_CB: s->tlsext_debug_cb = (void (*)(SSL *, int, int, - unsigned char *, int, void *))fp; + const unsigned char *, int, void *))fp; break; case SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB: @@ -4421,75 +3327,29 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void)) long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) { - CERT *cert; - - cert = ctx->cert; - switch (cmd) { -#ifndef OPENSSL_NO_RSA - case SSL_CTRL_NEED_TMP_RSA: - if ((cert->rsa_tmp == NULL) && - ((cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) || - (EVP_PKEY_size(cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) > - (512 / 8))) - ) - return (1); - else - return (0); - /* break; */ - case SSL_CTRL_SET_TMP_RSA: - { - RSA *rsa; - int i; - - rsa = (RSA *)parg; - i = 1; - if (rsa == NULL) - i = 0; - else { - if ((rsa = RSAPrivateKey_dup(rsa)) == NULL) - i = 0; - } - if (!i) { - SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_RSA_LIB); - return (0); - } else { - RSA_free(cert->rsa_tmp); - cert->rsa_tmp = rsa; - return (1); - } - } - /* break; */ - case SSL_CTRL_SET_TMP_RSA_CB: - { - SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return (0); - } -#endif #ifndef OPENSSL_NO_DH case SSL_CTRL_SET_TMP_DH: { - DH *new = NULL, *dh; - - dh = (DH *)parg; - if (!ssl_ctx_security(ctx, SSL_SECOP_TMP_DH, - DH_security_bits(dh), 0, dh)) { - SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_DH_KEY_TOO_SMALL); + DH *dh = (DH *)parg; + EVP_PKEY *pkdh = NULL; + if (dh == NULL) { + SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_PASSED_NULL_PARAMETER); return 0; } - if ((new = DHparams_dup(dh)) == NULL) { - SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_DH_LIB); + pkdh = ssl_dh_to_pkey(dh); + if (pkdh == NULL) { + SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_MALLOC_FAILURE); return 0; } - if (!(ctx->options & SSL_OP_SINGLE_DH_USE)) { - if (!DH_generate_key(new)) { - SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_DH_LIB); - DH_free(new); - return 0; - } + if (!ssl_ctx_security(ctx, SSL_SECOP_TMP_DH, + EVP_PKEY_security_bits(pkdh), 0, pkdh)) { + SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_DH_KEY_TOO_SMALL); + EVP_PKEY_free(pkdh); + return 1; } - DH_free(cert->dh_tmp); - cert->dh_tmp = new; + EVP_PKEY_free(ctx->cert->dh_tmp); + ctx->cert->dh_tmp = pkdh; return 1; } /* @@ -4507,35 +3367,26 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) #ifndef OPENSSL_NO_EC case SSL_CTRL_SET_TMP_ECDH: { - EC_KEY *ecdh = NULL; + const EC_GROUP *group = NULL; + int nid; if (parg == NULL) { - SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_ECDH_LIB); + SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_PASSED_NULL_PARAMETER); return 0; } - ecdh = EC_KEY_dup((EC_KEY *)parg); - if (ecdh == NULL) { - SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_EC_LIB); + group = EC_KEY_get0_group((const EC_KEY *)parg); + if (group == NULL) { + SSLerr(SSL_F_SSL3_CTX_CTRL, EC_R_MISSING_PARAMETERS); return 0; } - if (!(ctx->options & SSL_OP_SINGLE_ECDH_USE)) { - if (!EC_KEY_generate_key(ecdh)) { - EC_KEY_free(ecdh); - SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_ECDH_LIB); - return 0; - } - } - - EC_KEY_free(cert->ecdh_tmp); - cert->ecdh_tmp = ecdh; - return 1; + nid = EC_GROUP_get_curve_name(group); + if (nid == NID_undef) + return 0; + return tls1_set_curves(&ctx->tlsext_ellipticcurvelist, + &ctx->tlsext_ellipticcurvelist_length, + &nid, 1); } /* break; */ - case SSL_CTRL_SET_TMP_ECDH_CB: - { - SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return (0); - } #endif /* !OPENSSL_NO_EC */ case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG: ctx->tlsext_servername_arg = parg; @@ -4578,7 +3429,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_INVALID_SRP_USERNAME); return 0; } - if ((ctx->srp_ctx.login = BUF_strdup((char *)parg)) == NULL) { + if ((ctx->srp_ctx.login = OPENSSL_strdup((char *)parg)) == NULL) { SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_INTERNAL_ERROR); return 0; } @@ -4608,9 +3459,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return tls1_set_curves_list(&ctx->tlsext_ellipticcurvelist, &ctx->tlsext_ellipticcurvelist_length, parg); - case SSL_CTRL_SET_ECDH_AUTO: - ctx->cert->ecdh_tmp_auto = larg; - return 1; #endif case SSL_CTRL_SET_SIGALGS: return tls1_set_sigalgs(ctx->cert, parg, larg, 0); @@ -4687,29 +3535,11 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void)) { - CERT *cert; - - cert = ctx->cert; - switch (cmd) { -#ifndef OPENSSL_NO_RSA - case SSL_CTRL_SET_TMP_RSA_CB: - { - cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp; - } - break; -#endif #ifndef OPENSSL_NO_DH case SSL_CTRL_SET_TMP_DH_CB: { - cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; - } - break; -#endif -#ifndef OPENSSL_NO_EC - case SSL_CTRL_SET_TMP_ECDH_CB: - { - cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp; + ctx->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; } break; #endif @@ -4763,15 +3593,11 @@ const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p) { SSL_CIPHER c; const SSL_CIPHER *cp; - unsigned long id; + uint32_t id; - id = 0x03000000L | ((unsigned long)p[0] << 8L) | (unsigned long)p[1]; + id = 0x03000000 | ((uint32_t)p[0] << 8L) | (uint32_t)p[1]; c.id = id; cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS); -#ifdef DEBUG_PRINT_UNKNOWN_CIPHERSUITES - if (cp == NULL) - fprintf(stderr, "Unknown cipher ID %x\n", (p[0] << 8) | p[1]); -#endif return cp; } @@ -4789,13 +3615,21 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p) return (2); } -SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, +/* + * ssl3_choose_cipher - choose a cipher from those offered by the client + * @s: SSL connection + * @clnt: ciphers offered by the client + * @srvr: ciphers enabled on the server? + * + * Returns the selected cipher or NULL when no common ciphers. + */ +const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, STACK_OF(SSL_CIPHER) *srvr) { - SSL_CIPHER *c, *ret = NULL; + const SSL_CIPHER *c, *ret = NULL; STACK_OF(SSL_CIPHER) *prio, *allow; int i, ii, ok; - unsigned long alg_k, alg_a, mask_k, mask_a, emask_k, emask_a; + unsigned long alg_k, alg_a, mask_k, mask_a; /* Let's see which ciphers we can support */ @@ -4834,25 +3668,26 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, } tls1_set_cert_validity(s); + ssl_set_masks(s); for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) { c = sk_SSL_CIPHER_value(prio, i); - /* Skip TLS v1.2 only ciphersuites if not supported */ - if ((c->algorithm_ssl & SSL_TLSV1_2) && !SSL_USE_TLS1_2_CIPHERS(s)) + /* Skip ciphers not supported by the protocol version */ + if (!SSL_IS_DTLS(s) && + ((s->version < c->min_tls) || (s->version > c->max_tls))) + continue; + if (SSL_IS_DTLS(s) && + (DTLS_VERSION_LT(s->version, c->min_dtls) || + DTLS_VERSION_GT(s->version, c->max_dtls))) continue; - ssl_set_masks(s, c); mask_k = s->s3->tmp.mask_k; mask_a = s->s3->tmp.mask_a; - emask_k = s->s3->tmp.export_mask_k; - emask_a = s->s3->tmp.export_mask_a; #ifndef OPENSSL_NO_SRP if (s->srp_ctx.srp_Mask & SSL_kSRP) { mask_k |= SSL_kSRP; - emask_k |= SSL_kSRP; mask_a |= SSL_aSRP; - emask_a |= SSL_aSRP; } #endif @@ -4865,19 +3700,11 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, continue; #endif /* OPENSSL_NO_PSK */ - if (SSL_C_IS_EXPORT(c)) { - ok = (alg_k & emask_k) && (alg_a & emask_a); -#ifdef CIPHER_DEBUG - fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s (export)\n", - ok, alg_k, alg_a, emask_k, emask_a, (void *)c, c->name); -#endif - } else { - ok = (alg_k & mask_k) && (alg_a & mask_a); + ok = (alg_k & mask_k) && (alg_a & mask_a); #ifdef CIPHER_DEBUG - fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", ok, alg_k, - alg_a, mask_k, mask_a, (void *)c, c->name); + fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", ok, alg_k, + alg_a, mask_k, mask_a, (void *)c, c->name); #endif - } # ifndef OPENSSL_NO_EC /* @@ -4894,7 +3721,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, if (ii >= 0) { /* Check security callback permits this cipher */ if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED, - c->strength_bits, 0, c)) + c->strength_bits, 0, (void *)c)) continue; #if !defined(OPENSSL_NO_EC) if ((alg_k & SSL_kECDHE) && (alg_a & SSL_aECDSA) @@ -4914,8 +3741,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, int ssl3_get_req_cert_type(SSL *s, unsigned char *p) { int ret = 0; - int nostrict = 1; - unsigned long alg_k, alg_a = 0; + uint32_t alg_k, alg_a = 0; /* If we have custom certificate types set, use them */ if (s->cert->ctypes) { @@ -4924,8 +3750,6 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p) } /* Get mask of algorithms disabled by signature list */ ssl_set_sig_mask(&alg_a, s, SSL_SECOP_SIGALG_MASK); - if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT) - nostrict = 0; alg_k = s->s3->tmp.new_cipher->algorithm_mkey; @@ -4933,36 +3757,23 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p) if (s->version >= TLS1_VERSION) { if (alg_k & SSL_kGOST) { p[ret++] = TLS_CT_GOST01_SIGN; + p[ret++] = TLS_CT_GOST12_SIGN; + p[ret++] = TLS_CT_GOST12_512_SIGN; return (ret); } } #endif + if ((s->version == SSL3_VERSION) && (alg_k & SSL_kDHE)) { #ifndef OPENSSL_NO_DH - if (alg_k & (SSL_kDHr | SSL_kDHE)) { -# ifndef OPENSSL_NO_RSA - /* - * Since this refers to a certificate signed with an RSA algorithm, - * only check for rsa signing in strict mode. - */ - if (nostrict || !(alg_a & SSL_aRSA)) - p[ret++] = SSL3_CT_RSA_FIXED_DH; -# endif -# ifndef OPENSSL_NO_DSA - if (nostrict || !(alg_a & SSL_aDSS)) - p[ret++] = SSL3_CT_DSS_FIXED_DH; -# endif - } - if ((s->version == SSL3_VERSION) && - (alg_k & (SSL_kDHE | SSL_kDHd | SSL_kDHr))) { # ifndef OPENSSL_NO_RSA p[ret++] = SSL3_CT_RSA_EPHEMERAL_DH; # endif # ifndef OPENSSL_NO_DSA p[ret++] = SSL3_CT_DSS_EPHEMERAL_DH; # endif - } #endif /* !OPENSSL_NO_DH */ + } #ifndef OPENSSL_NO_RSA if (!(alg_a & SSL_aRSA)) p[ret++] = SSL3_CT_RSA_SIGN; @@ -4972,14 +3783,8 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p) p[ret++] = SSL3_CT_DSS_SIGN; #endif #ifndef OPENSSL_NO_EC - if ((alg_k & (SSL_kECDHr | SSL_kECDHe)) && (s->version >= TLS1_VERSION)) { - if (nostrict || !(alg_a & SSL_aRSA)) - p[ret++] = TLS_CT_RSA_FIXED_ECDH; - if (nostrict || !(alg_a & SSL_aECDSA)) - p[ret++] = TLS_CT_ECDSA_FIXED_ECDH; - } /* - * ECDSA certs can be used with RSA cipher suites as well so we don't + * ECDSA certs can be used with RSA cipher suites too so we don't * need to check for SSL_kECDH or SSL_kECDHE */ if (s->version >= TLS1_VERSION) { @@ -4999,7 +3804,7 @@ static int ssl3_set_req_cert_type(CERT *c, const unsigned char *p, size_t len) if (len > 0xff) return 0; c->ctypes = OPENSSL_malloc(len); - if (!c->ctypes) + if (c->ctypes == NULL) return 0; memcpy(c->ctypes, p, len); c->ctype_num = len; @@ -5014,7 +3819,7 @@ int ssl3_shutdown(SSL *s) * Don't do anything much if we have not done the handshake or we don't * want to send messages :-) */ - if ((s->quiet_shutdown) || (s->state == SSL_ST_BEFORE)) { + if (s->quiet_shutdown || SSL_in_before(s)) { s->shutdown = (SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN); return (1); } @@ -5085,11 +3890,11 @@ static int ssl3_read_internal(SSL *s, void *buf, int len, int peek) * makes sense here; so disable handshake processing and try to read * application data again. */ - s->in_handshake++; + ossl_statem_set_in_handshake(s, 1); ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, NULL, buf, len, peek); - s->in_handshake--; + ossl_statem_set_in_handshake(s, 0); } else s->s3->in_read_app_data = 0; @@ -5128,11 +3933,10 @@ int ssl3_renegotiate_check(SSL *s) && !SSL_in_init(s)) { /* * if we are the server, and we have sent a 'RENEGOTIATE' - * message, we need to go to SSL_ST_ACCEPT. + * message, we need to set the state machine into the renegotiate + * state. */ - /* SSL_ST_ACCEPT */ - s->state = SSL_ST_RENEGOTIATE; - statem_set_renegotiate(s); + ossl_statem_set_renegotiate(s); s->s3->renegotiate = 0; s->s3->num_renegotiations++; s->s3->total_renegotiations++; @@ -5242,3 +4046,95 @@ int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen, s->s3->tmp.pms = NULL; return s->session->master_key_length >= 0; } + +/* Generate a private key from parameters or a curve NID */ +EVP_PKEY *ssl_generate_pkey(EVP_PKEY *pm, int nid) +{ + EVP_PKEY_CTX *pctx = NULL; + EVP_PKEY *pkey = NULL; + if (pm != NULL) { + pctx = EVP_PKEY_CTX_new(pm, NULL); + } else { + /* + * Generate a new key for this curve. + * Should not be called if EC is disabled: if it is it will + * fail with an unknown algorithm error. + */ + pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL); + } + if (pctx == NULL) + goto err; + if (EVP_PKEY_keygen_init(pctx) <= 0) + goto err; +#ifndef OPENSSL_NO_EC + if (pm == NULL && EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, nid) <= 0) + goto err; +#endif + + if (EVP_PKEY_keygen(pctx, &pkey) <= 0) { + EVP_PKEY_free(pkey); + pkey = NULL; + } + + err: + EVP_PKEY_CTX_free(pctx); + return pkey; +} +/* Derive premaster or master secret for ECDH/DH */ +int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey) +{ + int rv = 0; + unsigned char *pms = NULL; + size_t pmslen = 0; + EVP_PKEY_CTX *pctx; + + if (privkey == NULL || pubkey == NULL) + return 0; + + pctx = EVP_PKEY_CTX_new(privkey, NULL); + + if (EVP_PKEY_derive_init(pctx) <= 0 + || EVP_PKEY_derive_set_peer(pctx, pubkey) <= 0 + || EVP_PKEY_derive(pctx, NULL, &pmslen) <= 0) { + goto err; + } + + pms = OPENSSL_malloc(pmslen); + if (pms == NULL) + goto err; + + if (EVP_PKEY_derive(pctx, pms, &pmslen) <= 0) + goto err; + + if (s->server) { + /* For server generate master secret and discard premaster */ + rv = ssl_generate_master_secret(s, pms, pmslen, 1); + pms = NULL; + } else { + /* For client just save premaster secret */ + s->s3->tmp.pms = pms; + s->s3->tmp.pmslen = pmslen; + pms = NULL; + rv = 1; + } + + err: + OPENSSL_clear_free(pms, pmslen); + EVP_PKEY_CTX_free(pctx); + return rv; +} + +#ifndef OPENSSL_NO_DH +EVP_PKEY *ssl_dh_to_pkey(DH *dh) +{ + EVP_PKEY *ret; + if (dh == NULL) + return NULL; + ret = EVP_PKEY_new(); + if (EVP_PKEY_set1_DH(ret, dh) <= 0) { + EVP_PKEY_free(ret); + return NULL; + } + return ret; +} +#endif