From 06ca14ea45271c7032d27b596edb4e6e787d354d Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 26 Oct 2010 16:41:15 -0400 Subject: [PATCH 01/24] Updated SSL analyzer and Bro script with lots of new ciphers. --- policy/ssl-ciphers.bro | 1009 ++++++++++++++++++++++++---------------- policy/ssl.bro | 41 +- src/SSLCiphers.cc | 454 +++++++++++++++++- src/SSLCiphers.h | 310 +++++++++--- 4 files changed, 1316 insertions(+), 498 deletions(-) diff --git a/policy/ssl-ciphers.bro b/policy/ssl-ciphers.bro index 143244d364..307565eb36 100644 --- a/policy/ssl-ciphers.bro +++ b/policy/ssl-ciphers.bro @@ -11,154 +11,218 @@ const SSLv20_CK_IDEA_128_CBC_WITH_MD5 = 0x050080; const SSLv20_CK_DES_64_CBC_WITH_MD5 = 0x060040; const SSLv20_CK_DES_192_EDE3_CBC_WITH_MD5 = 0x0700C0; -# --- sslv3x --- - -const SSLv3x_NULL_WITH_NULL_NULL = 0x0000; - -# The following CipherSuite definitions require that the server -# provide an RSA certificate that can be used for key exchange. The -# server may request either an RSA or a DSS signature-capable -# certificate in the certificate request message. - -const SSLv3x_RSA_WITH_NULL_MD5 = 0x0001; -const SSLv3x_RSA_WITH_NULL_SHA = 0x0002; -const SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003; -const SSLv3x_RSA_WITH_RC4_128_MD5 = 0x0004; -const SSLv3x_RSA_WITH_RC4_128_SHA = 0x0005; -const SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006; -const SSLv3x_RSA_WITH_IDEA_CBC_SHA = 0x0007; -const SSLv3x_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008; -const SSLv3x_RSA_WITH_DES_CBC_SHA = 0x0009; -const SSLv3x_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A; - -# The following CipherSuite definitions are used for -# server-authenticated (and optionally client-authenticated) -# Diffie-Hellman. DH denotes cipher suites in which the server's -# certificate contains the Diffie-Hellman parameters signed by the -# certificate authority (CA). DHE denotes ephemeral Diffie-Hellman, -# where the Diffie-Hellman parameters are signed by a DSS or RSA -# certificate, which has been signed by the CA. The signing -# algorithm used is specified after the DH or DHE parameter. In all -# cases, the client must have the same type of certificate, and must -# use the Diffie-Hellman parameters chosen by the server. - -const SSLv3x_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x000B; -const SSLv3x_DH_DSS_WITH_DES_CBC_SHA = 0x000C; -const SSLv3x_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000D; -const SSLv3x_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x000E; -const SSLv3x_DH_RSA_WITH_DES_CBC_SHA = 0x000F; -const SSLv3x_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010; -const SSLv3x_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011; -const SSLv3x_DHE_DSS_WITH_DES_CBC_SHA = 0x0012; -const SSLv3x_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013; -const SSLv3x_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014; -const SSLv3x_DHE_RSA_WITH_DES_CBC_SHA = 0x0015; -const SSLv3x_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016; - -# The following cipher suites are used for completely anonymous -# Diffie-Hellman communications in which neither party is -# authenticated. Note that this mode is vulnerable to -# man-in-the-middle attacks and is therefore strongly discouraged. - -const SSLv3x_DH_anon_EXPORT_WITH_RC4_40_MD5 = 0x0017; -const SSLv3x_DH_anon_WITH_RC4_128_MD5 = 0x0018; -const SSLv3x_DH_anon_EXPORT_WITH_DES40_CBC_SHA = 0x0019; -const SSLv3x_DH_anon_WITH_DES_CBC_SHA = 0x001A; -const SSLv3x_DH_anon_WITH_3DES_EDE_CBC_SHA = 0x001B; - -# The final cipher suites are for the FORTEZZA token. - -const SSLv3x_FORTEZZA_KEA_WITH_NULL_SHA = 0x001C; -const SSLv3x_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA = 0x001D; -# This seems to be assigned to a Kerberos cipher in TLS 1.1 -#const SSLv3x_FORTEZZA_KEA_WITH_RC4_128_SHA = 0x001E; - - -# Following are some newer ciphers defined in RFC 4346 (TLS 1.1) - -# Kerberos ciphers - -const SSLv3x_KRB5_WITH_DES_CBC_SHA = 0x001E; -const SSLv3x_KRB5_WITH_3DES_EDE_CBC_SHA = 0x001F; -const SSLv3x_KRB5_WITH_RC4_128_SHA = 0x0020; -const SSLv3x_KRB5_WITH_IDEA_CBC_SHA = 0x0021; -const SSLv3x_KRB5_WITH_DES_CBC_MD5 = 0x0022; -const SSLv3x_KRB5_WITH_3DES_EDE_CBC_MD5 = 0x0023; -const SSLv3x_KRB5_WITH_RC4_128_MD5 = 0x0024; -const SSLv3x_KRB5_WITH_IDEA_CBC_MD5 = 0x0025; - -# Kerberos export ciphers - -const SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_SHA = 0x0026; -const SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_SHA = 0x0027; -const SSLv3x_KRB5_EXPORT_WITH_RC4_40_SHA = 0x0028; -const SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_MD5 = 0x0029; -const SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 = 0x002A; -const SSLv3x_KRB5_EXPORT_WITH_RC4_40_MD5 = 0x002B; - - -# AES ciphers - -const SSLv3x_RSA_WITH_AES_128_CBC_SHA = 0x002F; -const SSLv3x_DH_DSS_WITH_AES_128_CBC_SHA = 0x0030; -const SSLv3x_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031; -const SSLv3x_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032; -const SSLv3x_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033; -const SSLv3x_DH_anon_WITH_AES_128_CBC_SHA = 0x0034; -const SSLv3x_RSA_WITH_AES_256_CBC_SHA = 0x0035; -const SSLv3x_DH_DSS_WITH_AES_256_CBC_SHA = 0x0036; -const SSLv3x_DH_RSA_WITH_AES_256_CBC_SHA = 0x0037; -const SSLv3x_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038; -const SSLv3x_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039; -const SSLv3x_DH_anon_WITH_AES_256_CBC_SHA = 0x003A; - -# Mostly more RFC defined suites -const TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0041; # [RFC4132] -const TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0042; # [RFC4132] -const TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0043; # [RFC4132] -const TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0044; # [RFC4132] -const TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0045; # [RFC4132] -const TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA = 0x0046; # [RFC4132] - -# The following are tagged as "Widely Deployed implementation": -const TLS_ECDH_ECDSA_WITH_NULL_SHA = 0x0047; -const TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0x0048; -const TLS_ECDH_ECDSA_WITH_DES_CBC_SHA = 0x0049; -const TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0x004A; -const TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = 0x004B; -const TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = 0x004C; -const TLS_CK_RSA_EXPORT1024_WITH_RC4_56_MD5 = 0x0060; -const TLS_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 = 0x0061; -const TLS_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA = 0x0062; -const TLS_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 0x0063; -const TLS_CK_RSA_EXPORT1024_WITH_RC4_56_SHA = 0x0064; -const TLS_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = 0x0065; -const TLS_CK_DHE_DSS_WITH_RC4_128_SHA = 0x0066; - -const TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0084; # [RFC4132] -const TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0085; # [RFC4132] -const TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0086; # [RFC4132] -const TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0087; # [RFC4132] -const TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0088; # [RFC4132] -const TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA = 0x0089; # [RFC4132] -const TLS_PSK_WITH_RC4_128_SHA = 0x008A; # [RFC4279] -const TLS_PSK_WITH_3DES_EDE_CBC_SHA = 0x008B; # [RFC4279] -const TLS_PSK_WITH_AES_128_CBC_SHA = 0x008C; # [RFC4279] -const TLS_PSK_WITH_AES_256_CBC_SHA = 0x008D; # [RFC4279] -const TLS_DHE_PSK_WITH_RC4_128_SHA = 0x008E; # [RFC4279] -const TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA = 0x008F; # [RFC4279] -const TLS_DHE_PSK_WITH_AES_128_CBC_SHA = 0x0090; # [RFC4279] -const TLS_DHE_PSK_WITH_AES_256_CBC_SHA = 0x0091; # [RFC4279] -const TLS_RSA_PSK_WITH_RC4_128_SHA = 0x0092; # [RFC4279] -const TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA = 0x0093; # [RFC4279] -const TLS_RSA_PSK_WITH_AES_128_CBC_SHA = 0x0094; # [RFC4279] -const TLS_RSA_PSK_WITH_AES_256_CBC_SHA = 0x0095; # [RFC4279] -const TLS_RSA_WITH_SEED_CBC_SHA = 0x0096; # [RFC4162] -const TLS_DH_DSS_WITH_SEED_CBC_SHA = 0x0097; # [RFC4162] -const TLS_DH_RSA_WITH_SEED_CBC_SHA = 0x0098; # [RFC4162] -const TLS_DHE_DSS_WITH_SEED_CBC_SHA = 0x0099; # [RFC4162] -const TLS_DHE_RSA_WITH_SEED_CBC_SHA = 0x009A; # [RFC4162] -const TLS_DH_anon_WITH_SEED_CBC_SHA = 0x009B; # [RFC4162] +# --- TLS --- +const TLS_NULL_WITH_NULL_NULL = 0x0000; +const TLS_RSA_WITH_NULL_MD5 = 0x0001; +const TLS_RSA_WITH_NULL_SHA = 0x0002; +const TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003; +const TLS_RSA_WITH_RC4_128_MD5 = 0x0004; +const TLS_RSA_WITH_RC4_128_SHA = 0x0005; +const TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006; +const TLS_RSA_WITH_IDEA_CBC_SHA = 0x0007; +const TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008; +const TLS_RSA_WITH_DES_CBC_SHA = 0x0009; +const TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A; +const TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x000B; +const TLS_DH_DSS_WITH_DES_CBC_SHA = 0x000C; +const TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000D; +const TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x000E; +const TLS_DH_RSA_WITH_DES_CBC_SHA = 0x000F; +const TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010; +const TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011; +const TLS_DHE_DSS_WITH_DES_CBC_SHA = 0x0012; +const TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013; +const TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014; +const TLS_DHE_RSA_WITH_DES_CBC_SHA = 0x0015; +const TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016; +const TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5 = 0x0017; +const TLS_DH_ANON_WITH_RC4_128_MD5 = 0x0018; +const TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA = 0x0019; +const TLS_DH_ANON_WITH_DES_CBC_SHA = 0x001A; +const TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA = 0x001B; +const SSL_FORTEZZA_KEA_WITH_NULL_SHA = 0x001C; +const SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA = 0x001D; +const TLS_KRB5_WITH_DES_CBC_SHA = 0x001E; +const TLS_KRB5_WITH_3DES_EDE_CBC_SHA = 0x001F; +const TLS_KRB5_WITH_RC4_128_SHA = 0x0020; +const TLS_KRB5_WITH_IDEA_CBC_SHA = 0x0021; +const TLS_KRB5_WITH_DES_CBC_MD5 = 0x0022; +const TLS_KRB5_WITH_3DES_EDE_CBC_MD5 = 0x0023; +const TLS_KRB5_WITH_RC4_128_MD5 = 0x0024; +const TLS_KRB5_WITH_IDEA_CBC_MD5 = 0x0025; +const TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA = 0x0026; +const TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA = 0x0027; +const TLS_KRB5_EXPORT_WITH_RC4_40_SHA = 0x0028; +const TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 = 0x0029; +const TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 = 0x002A; +const TLS_KRB5_EXPORT_WITH_RC4_40_MD5 = 0x002B; +const TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F; +const TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0x0030; +const TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031; +const TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032; +const TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033; +const TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034; +const TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035; +const TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x0036; +const TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x0037; +const TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038; +const TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039; +const TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A; +const TLS_RSA_WITH_NULL_SHA256 = 0x003B; +const TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C; +const TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D; +const TLS_DH_DSS_WITH_AES_128_CBC_SHA256 = 0x003E; +const TLS_DH_RSA_WITH_AES_128_CBC_SHA256 = 0x003F; +const TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 = 0x0040; +const TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0041; +const TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0042; +const TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0043; +const TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0044; +const TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0045; +const TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA = 0x0046; +const TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 = 0x0060; +const TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 = 0x0061; +const TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA = 0x0062; +const TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 0x0063; +const TLS_RSA_EXPORT1024_WITH_RC4_56_SHA = 0x0064; +const TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = 0x0065; +const TLS_DHE_DSS_WITH_RC4_128_SHA = 0x0066; +const TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067; +const TLS_DH_DSS_WITH_AES_256_CBC_SHA256 = 0x0068; +const TLS_DH_RSA_WITH_AES_256_CBC_SHA256 = 0x0069; +const TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 = 0x006A; +const TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B; +const TLS_DH_ANON_WITH_AES_128_CBC_SHA256 = 0x006C; +const TLS_DH_ANON_WITH_AES_256_CBC_SHA256 = 0x006D; +const TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0084; +const TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0085; +const TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0086; +const TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0087; +const TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0088; +const TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA = 0x0089; +const TLS_PSK_WITH_RC4_128_SHA = 0x008A; +const TLS_PSK_WITH_3DES_EDE_CBC_SHA = 0x008B; +const TLS_PSK_WITH_AES_128_CBC_SHA = 0x008C; +const TLS_PSK_WITH_AES_256_CBC_SHA = 0x008D; +const TLS_DHE_PSK_WITH_RC4_128_SHA = 0x008E; +const TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA = 0x008F; +const TLS_DHE_PSK_WITH_AES_128_CBC_SHA = 0x0090; +const TLS_DHE_PSK_WITH_AES_256_CBC_SHA = 0x0091; +const TLS_RSA_PSK_WITH_RC4_128_SHA = 0x0092; +const TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA = 0x0093; +const TLS_RSA_PSK_WITH_AES_128_CBC_SHA = 0x0094; +const TLS_RSA_PSK_WITH_AES_256_CBC_SHA = 0x0095; +const TLS_RSA_WITH_SEED_CBC_SHA = 0x0096; +const TLS_DH_DSS_WITH_SEED_CBC_SHA = 0x0097; +const TLS_DH_RSA_WITH_SEED_CBC_SHA = 0x0098; +const TLS_DHE_DSS_WITH_SEED_CBC_SHA = 0x0099; +const TLS_DHE_RSA_WITH_SEED_CBC_SHA = 0x009A; +const TLS_DH_ANON_WITH_SEED_CBC_SHA = 0x009B; +const TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C; +const TLS_RSA_WITH_AES_256_GCM_SHA384 = 0x009D; +const TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E; +const TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = 0x009F; +const TLS_DH_RSA_WITH_AES_128_GCM_SHA256 = 0x00A0; +const TLS_DH_RSA_WITH_AES_256_GCM_SHA384 = 0x00A1; +const TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = 0x00A2; +const TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 = 0x00A3; +const TLS_DH_DSS_WITH_AES_128_GCM_SHA256 = 0x00A4; +const TLS_DH_DSS_WITH_AES_256_GCM_SHA384 = 0x00A5; +const TLS_DH_ANON_WITH_AES_128_GCM_SHA256 = 0x00A6; +const TLS_DH_ANON_WITH_AES_256_GCM_SHA384 = 0x00A7; +const TLS_PSK_WITH_AES_128_GCM_SHA256 = 0x00A8; +const TLS_PSK_WITH_AES_256_GCM_SHA384 = 0x00A9; +const TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 = 0x00AA; +const TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 = 0x00AB; +const TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 = 0x00AC; +const TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 = 0x00AD; +const TLS_PSK_WITH_AES_128_CBC_SHA256 = 0x00AE; +const TLS_PSK_WITH_AES_256_CBC_SHA384 = 0x00AF; +const TLS_PSK_WITH_NULL_SHA256 = 0x00B0; +const TLS_PSK_WITH_NULL_SHA384 = 0x00B1; +const TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 = 0x00B2; +const TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 = 0x00B3; +const TLS_DHE_PSK_WITH_NULL_SHA256 = 0x00B4; +const TLS_DHE_PSK_WITH_NULL_SHA384 = 0x00B5; +const TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 = 0x00B6; +const TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 = 0x00B7; +const TLS_RSA_PSK_WITH_NULL_SHA256 = 0x00B8; +const TLS_RSA_PSK_WITH_NULL_SHA384 = 0x00B9; +const TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BA; +const TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BB; +const TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BC; +const TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BD; +const TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BE; +const TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BF; +const TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C0; +const TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C1; +const TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C2; +const TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C3; +const TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C4; +const TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C5; +const TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xC001; +const TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xC002; +const TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC003; +const TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = 0xC004; +const TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = 0xC005; +const TLS_ECDHE_ECDSA_WITH_NULL_SHA = 0xC006; +const TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = 0xC007; +const TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC008; +const TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xC009; +const TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xC00A; +const TLS_ECDH_RSA_WITH_NULL_SHA = 0xC00B; +const TLS_ECDH_RSA_WITH_RC4_128_SHA = 0xC00C; +const TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = 0xC00D; +const TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = 0xC00E; +const TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = 0xC00F; +const TLS_ECDHE_RSA_WITH_NULL_SHA = 0xC010; +const TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0xC011; +const TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 0xC012; +const TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xC013; +const TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xC014; +const TLS_ECDH_ANON_WITH_NULL_SHA = 0xC015; +const TLS_ECDH_ANON_WITH_RC4_128_SHA = 0xC016; +const TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA = 0xC017; +const TLS_ECDH_ANON_WITH_AES_128_CBC_SHA = 0xC018; +const TLS_ECDH_ANON_WITH_AES_256_CBC_SHA = 0xC019; +const TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = 0xC01A; +const TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA = 0xC01B; +const TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA = 0xC01C; +const TLS_SRP_SHA_WITH_AES_128_CBC_SHA = 0xC01D; +const TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA = 0xC01E; +const TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA = 0xC01F; +const TLS_SRP_SHA_WITH_AES_256_CBC_SHA = 0xC020; +const TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA = 0xC021; +const TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA = 0xC022; +const TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC023; +const TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC024; +const TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC025; +const TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC026; +const TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xC027; +const TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = 0xC028; +const TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 = 0xC029; +const TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 = 0xC02A; +const TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02B; +const TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02C; +const TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02D; +const TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02E; +const TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F; +const TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xC030; +const TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 0xC031; +const TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 = 0xC032; +const TLS_ECDHE_PSK_WITH_RC4_128_SHA = 0xC033; +const TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA = 0xC034; +const TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA = 0xC035; +const TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA = 0xC036; +const TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 = 0xC037; +const TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 = 0xC038; +const TLS_ECDHE_PSK_WITH_NULL_SHA = 0xC039; +const TLS_ECDHE_PSK_WITH_NULL_SHA256 = 0xC03A; +const TLS_ECDHE_PSK_WITH_NULL_SHA384 = 0xC03B; +const SSL_RSA_FIPS_WITH_DES_CBC_SHA = 0xFEFE; +const SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0xFEFF; +const SSL_RSA_FIPS_WITH_DES_CBC_SHA_2 = 0xFFE1; +const SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2 = 0xFFE0; # Cipher specifications native to TLS can be included in Version 2.0 client @@ -186,196 +250,218 @@ const ssl_cipher_desc: table[count] of string = { "SSLv20_CK_DES_192_EDE3_CBC_WITH_MD5", [SSLv20_CK_DES_64_CBC_WITH_MD5] = "SSLv20_CK_DES_64_CBC_WITH_MD5", - # --- sslv3x --- - [SSLv3x_NULL_WITH_NULL_NULL] = "SSLv3x_NULL_WITH_NULL_NULL", - - [SSLv3x_RSA_WITH_NULL_MD5] = "SSLv3x_RSA_WITH_NULL_MD5", - [SSLv3x_RSA_WITH_NULL_SHA] = "SSLv3x_RSA_WITH_NULL_SHA", - [SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5] = - "SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5", - [SSLv3x_RSA_WITH_RC4_128_MD5] = "SSLv3x_RSA_WITH_RC4_128_MD5", - [SSLv3x_RSA_WITH_RC4_128_SHA] = "SSLv3x_RSA_WITH_RC4_128_SHA", - [SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5] = - "SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5", - [SSLv3x_RSA_WITH_IDEA_CBC_SHA] = "SSLv3x_RSA_WITH_IDEA_CBC_SHA", - [SSLv3x_RSA_EXPORT_WITH_DES40_CBC_SHA] = - "SSLv3x_RSA_EXPORT_WITH_DES40_CBC_SHA", - [SSLv3x_RSA_WITH_DES_CBC_SHA] = "SSLv3x_RSA_WITH_DES_CBC_SHA", - [SSLv3x_RSA_WITH_3DES_EDE_CBC_SHA] = "SSLv3x_RSA_WITH_3DES_EDE_CBC_SHA", - - [SSLv3x_DH_DSS_EXPORT_WITH_DES40_CBC_SHA] = - "SSLv3x_DH_DSS_EXPORT_WITH_DES40_CBC_SHA", - [SSLv3x_DH_DSS_WITH_DES_CBC_SHA] = "SSLv3x_DH_DSS_WITH_DES_CBC_SHA", - [SSLv3x_DH_DSS_WITH_3DES_EDE_CBC_SHA] = - "SSLv3x_DH_DSS_WITH_3DES_EDE_CBC_SHA", - [SSLv3x_DH_RSA_EXPORT_WITH_DES40_CBC_SHA] = - "SSLv3x_DH_RSA_EXPORT_WITH_DES40_CBC_SHA", - [SSLv3x_DH_RSA_WITH_DES_CBC_SHA] = "SSLv3x_DH_RSA_WITH_DES_CBC_SHA", - [SSLv3x_DH_RSA_WITH_3DES_EDE_CBC_SHA] = - "SSLv3x_DH_RSA_WITH_3DES_EDE_CBC_SHA", - [SSLv3x_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA] = - "SSLv3x_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", - [SSLv3x_DHE_DSS_WITH_DES_CBC_SHA] = "SSLv3x_DHE_DSS_WITH_DES_CBC_SHA", - [SSLv3x_DHE_DSS_WITH_3DES_EDE_CBC_SHA] = - "SSLv3x_DHE_DSS_WITH_3DES_EDE_CBC_SHA", - [SSLv3x_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA] = - "SSLv3x_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", - [SSLv3x_DHE_RSA_WITH_DES_CBC_SHA] = "SSLv3x_DHE_RSA_WITH_DES_CBC_SHA", - [SSLv3x_DHE_RSA_WITH_3DES_EDE_CBC_SHA] = - "SSLv3x_DHE_RSA_WITH_3DES_EDE_CBC_SHA", - - [SSLv3x_DH_anon_EXPORT_WITH_RC4_40_MD5] = - "SSLv3x_DH_anon_EXPORT_WITH_RC4_40_MD5", - [SSLv3x_DH_anon_WITH_RC4_128_MD5] = "SSLv3x_DH_anon_WITH_RC4_128_MD5", - [SSLv3x_DH_anon_EXPORT_WITH_DES40_CBC_SHA] = - "SSLv3x_DH_anon_EXPORT_WITH_DES40_CBC_SHA", - [SSLv3x_DH_anon_WITH_DES_CBC_SHA] = "SSLv3x_DH_anon_WITH_DES_CBC_SHA", - [SSLv3x_DH_anon_WITH_3DES_EDE_CBC_SHA] = - "SSLv3x_DH_anon_WITH_3DES_EDE_CBC_SHA", - - [SSLv3x_FORTEZZA_KEA_WITH_NULL_SHA] = - "SSLv3x_FORTEZZA_KEA_WITH_NULL_SHA", - [SSLv3x_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA] = - "SSLv3x_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA", - [SSLv3x_KRB5_WITH_DES_CBC_SHA] = - "SSLv3x_KRB5_WITH_DES_CBC_SHA", - [SSLv3x_KRB5_WITH_3DES_EDE_CBC_SHA] = - "SSLv3x_KRB5_WITH_3DES_EDE_CBC_SHA", - [SSLv3x_KRB5_WITH_RC4_128_SHA] = - "SSLv3x_KRB5_WITH_RC4_128_SHA", - [SSLv3x_KRB5_WITH_IDEA_CBC_SHA] = - "SSLv3x_KRB5_WITH_IDEA_CBC_SHA", - [SSLv3x_KRB5_WITH_DES_CBC_MD5] = - "SSLv3x_KRB5_WITH_DES_CBC_MD5", - [SSLv3x_KRB5_WITH_3DES_EDE_CBC_MD5] = - "SSLv3x_KRB5_WITH_3DES_EDE_CBC_MD5", - [SSLv3x_KRB5_WITH_RC4_128_MD5] = - "SSLv3x_KRB5_WITH_RC4_128_MD5", - [SSLv3x_KRB5_WITH_IDEA_CBC_MD5] = - "SSLv3x_KRB5_WITH_IDEA_CBC_MD5", - [SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_SHA] = - "SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_SHA", - [SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_SHA] = - "SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_SHA", - [SSLv3x_KRB5_EXPORT_WITH_RC4_40_SHA] = - "SSLv3x_KRB5_EXPORT_WITH_RC4_40_SHA", - [SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_MD5] = - "SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_MD5", - [SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_MD5] = - "SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_MD5", - [SSLv3x_KRB5_EXPORT_WITH_RC4_40_MD5] = - "SSLv3x_KRB5_EXPORT_WITH_RC4_40_MD5", - [SSLv3x_RSA_WITH_AES_128_CBC_SHA] = - "SSLv3x_RSA_WITH_AES_128_CBC_SHA", - [SSLv3x_DH_DSS_WITH_AES_128_CBC_SHA] = - "SSLv3x_DH_DSS_WITH_AES_128_CBC_SHA", - [SSLv3x_DH_RSA_WITH_AES_128_CBC_SHA] = - "SSLv3x_DH_RSA_WITH_AES_128_CBC_SHA", - [SSLv3x_DHE_DSS_WITH_AES_128_CBC_SHA] = - "SSLv3x_DHE_DSS_WITH_AES_128_CBC_SHA", - [SSLv3x_DHE_RSA_WITH_AES_128_CBC_SHA] = - "SSLv3x_DHE_RSA_WITH_AES_128_CBC_SHA", - [SSLv3x_DH_anon_WITH_AES_128_CBC_SHA] = - "SSLv3x_DH_anon_WITH_AES_128_CBC_SHA", - [SSLv3x_RSA_WITH_AES_256_CBC_SHA] = - "SSLv3x_RSA_WITH_AES_256_CBC_SHA", - [SSLv3x_DH_DSS_WITH_AES_256_CBC_SHA] = - "SSLv3x_DH_DSS_WITH_AES_256_CBC_SHA", - [SSLv3x_DH_RSA_WITH_AES_256_CBC_SHA] = - "SSLv3x_DH_RSA_WITH_AES_256_CBC_SHA", - [SSLv3x_DHE_DSS_WITH_AES_256_CBC_SHA] = - "SSLv3x_DHE_DSS_WITH_AES_256_CBC_SHA", - [SSLv3x_DHE_RSA_WITH_AES_256_CBC_SHA] = - "SSLv3x_DHE_RSA_WITH_AES_256_CBC_SHA", - [SSLv3x_DH_anon_WITH_AES_256_CBC_SHA] = - "SSLv3x_DH_anon_WITH_AES_256_CBC_SHA", - - [TLS_RSA_WITH_CAMELLIA_128_CBC_SHA] = - "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA", - [TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA] = - "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA", - [TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA] = - "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA", - [TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA] = - "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA", - [TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA] = - "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA", - [TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA] = - "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA", - [TLS_ECDH_ECDSA_WITH_NULL_SHA] = - "TLS_ECDH_ECDSA_WITH_NULL_SHA", - [TLS_ECDH_ECDSA_WITH_RC4_128_SHA] = - "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", - [TLS_ECDH_ECDSA_WITH_DES_CBC_SHA] = - "TLS_ECDH_ECDSA_WITH_DES_CBC_SHA", - [TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA] = - "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", - [TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA] = - "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", - [TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA] = - "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", - [TLS_CK_RSA_EXPORT1024_WITH_RC4_56_MD5] = - "TLS_CK_RSA_EXPORT1024_WITH_RC4_56_MD5", - [TLS_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5] = - "TLS_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5", - [TLS_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA] = - "TLS_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA", - [TLS_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA] = - "TLS_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA", - [TLS_CK_RSA_EXPORT1024_WITH_RC4_56_SHA] = - "TLS_CK_RSA_EXPORT1024_WITH_RC4_56_SHA", - [TLS_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA] = - "TLS_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA", - [TLS_CK_DHE_DSS_WITH_RC4_128_SHA] = - "TLS_CK_DHE_DSS_WITH_RC4_128_SHA", - [TLS_RSA_WITH_CAMELLIA_256_CBC_SHA] = - "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA", - [TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA] = - "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA", - [TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA] = - "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA", - [TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA] = - "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA", - [TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA] = - "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA", - [TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA] = - "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA", - [TLS_PSK_WITH_RC4_128_SHA] = - "TLS_PSK_WITH_RC4_128_SHA", - [TLS_PSK_WITH_3DES_EDE_CBC_SHA] = - "TLS_PSK_WITH_3DES_EDE_CBC_SHA", - [TLS_PSK_WITH_AES_128_CBC_SHA] = - "TLS_PSK_WITH_AES_128_CBC_SHA", - [TLS_PSK_WITH_AES_256_CBC_SHA] = - "TLS_PSK_WITH_AES_256_CBC_SHA", - [TLS_DHE_PSK_WITH_RC4_128_SHA] = - "TLS_DHE_PSK_WITH_RC4_128_SHA", - [TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA] = - "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA", - [TLS_DHE_PSK_WITH_AES_128_CBC_SHA] = - "TLS_DHE_PSK_WITH_AES_128_CBC_SHA", - [TLS_DHE_PSK_WITH_AES_256_CBC_SHA] = - "TLS_DHE_PSK_WITH_AES_256_CBC_SHA", - [TLS_RSA_PSK_WITH_RC4_128_SHA] = - "TLS_RSA_PSK_WITH_RC4_128_SHA", - [TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA] = - "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA", - [TLS_RSA_PSK_WITH_AES_128_CBC_SHA] = - "TLS_RSA_PSK_WITH_AES_128_CBC_SHA", - [TLS_RSA_PSK_WITH_AES_256_CBC_SHA] = - "TLS_RSA_PSK_WITH_AES_256_CBC_SHA", - [TLS_RSA_WITH_SEED_CBC_SHA] = - "TLS_RSA_WITH_SEED_CBC_SHA", - [TLS_DH_DSS_WITH_SEED_CBC_SHA] = - "TLS_DH_DSS_WITH_SEED_CBC_SHA", - [TLS_DH_RSA_WITH_SEED_CBC_SHA] = - "TLS_DH_RSA_WITH_SEED_CBC_SHA", - [TLS_DHE_DSS_WITH_SEED_CBC_SHA] = - "TLS_DHE_DSS_WITH_SEED_CBC_SHA", - [TLS_DHE_RSA_WITH_SEED_CBC_SHA] = - "TLS_DHE_RSA_WITH_SEED_CBC_SHA", - [TLS_DH_anon_WITH_SEED_CBC_SHA] = - "TLS_DH_anon_WITH_SEED_CBC_SHA" + # --- TLS --- + [TLS_NULL_WITH_NULL_NULL] = "TLS_NULL_WITH_NULL_NULL", + [TLS_RSA_WITH_NULL_MD5] = "TLS_RSA_WITH_NULL_MD5", + [TLS_RSA_WITH_NULL_SHA] = "TLS_RSA_WITH_NULL_SHA", + [TLS_RSA_EXPORT_WITH_RC4_40_MD5] = "TLS_RSA_EXPORT_WITH_RC4_40_MD5", + [TLS_RSA_WITH_RC4_128_MD5] = "TLS_RSA_WITH_RC4_128_MD5", + [TLS_RSA_WITH_RC4_128_SHA] = "TLS_RSA_WITH_RC4_128_SHA", + [TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5] = "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5", + [TLS_RSA_WITH_IDEA_CBC_SHA] = "TLS_RSA_WITH_IDEA_CBC_SHA", + [TLS_RSA_EXPORT_WITH_DES40_CBC_SHA] = "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", + [TLS_RSA_WITH_DES_CBC_SHA] = "TLS_RSA_WITH_DES_CBC_SHA", + [TLS_RSA_WITH_3DES_EDE_CBC_SHA] = "TLS_RSA_WITH_3DES_EDE_CBC_SHA", + [TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA] = "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA", + [TLS_DH_DSS_WITH_DES_CBC_SHA] = "TLS_DH_DSS_WITH_DES_CBC_SHA", + [TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA] = "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA", + [TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA] = "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA", + [TLS_DH_RSA_WITH_DES_CBC_SHA] = "TLS_DH_RSA_WITH_DES_CBC_SHA", + [TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA] = "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA", + [TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA] = "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", + [TLS_DHE_DSS_WITH_DES_CBC_SHA] = "TLS_DHE_DSS_WITH_DES_CBC_SHA", + [TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA] = "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", + [TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA] = "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", + [TLS_DHE_RSA_WITH_DES_CBC_SHA] = "TLS_DHE_RSA_WITH_DES_CBC_SHA", + [TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA] = "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", + [TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5] = "TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5", + [TLS_DH_ANON_WITH_RC4_128_MD5] = "TLS_DH_ANON_WITH_RC4_128_MD5", + [TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA] = "TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA", + [TLS_DH_ANON_WITH_DES_CBC_SHA] = "TLS_DH_ANON_WITH_DES_CBC_SHA", + [TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA] = "TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA", + [SSL_FORTEZZA_KEA_WITH_NULL_SHA] = "SSL_FORTEZZA_KEA_WITH_NULL_SHA", + [SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA] = "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA", + [TLS_KRB5_WITH_DES_CBC_SHA] = "TLS_KRB5_WITH_DES_CBC_SHA", + [TLS_KRB5_WITH_3DES_EDE_CBC_SHA] = "TLS_KRB5_WITH_3DES_EDE_CBC_SHA", + [TLS_KRB5_WITH_RC4_128_SHA] = "TLS_KRB5_WITH_RC4_128_SHA", + [TLS_KRB5_WITH_IDEA_CBC_SHA] = "TLS_KRB5_WITH_IDEA_CBC_SHA", + [TLS_KRB5_WITH_DES_CBC_MD5] = "TLS_KRB5_WITH_DES_CBC_MD5", + [TLS_KRB5_WITH_3DES_EDE_CBC_MD5] = "TLS_KRB5_WITH_3DES_EDE_CBC_MD5", + [TLS_KRB5_WITH_RC4_128_MD5] = "TLS_KRB5_WITH_RC4_128_MD5", + [TLS_KRB5_WITH_IDEA_CBC_MD5] = "TLS_KRB5_WITH_IDEA_CBC_MD5", + [TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA] = "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA", + [TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA] = "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA", + [TLS_KRB5_EXPORT_WITH_RC4_40_SHA] = "TLS_KRB5_EXPORT_WITH_RC4_40_SHA", + [TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5] = "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5", + [TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5] = "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5", + [TLS_KRB5_EXPORT_WITH_RC4_40_MD5] = "TLS_KRB5_EXPORT_WITH_RC4_40_MD5", + [TLS_RSA_WITH_AES_128_CBC_SHA] = "TLS_RSA_WITH_AES_128_CBC_SHA", + [TLS_DH_DSS_WITH_AES_128_CBC_SHA] = "TLS_DH_DSS_WITH_AES_128_CBC_SHA", + [TLS_DH_RSA_WITH_AES_128_CBC_SHA] = "TLS_DH_RSA_WITH_AES_128_CBC_SHA", + [TLS_DHE_DSS_WITH_AES_128_CBC_SHA] = "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", + [TLS_DHE_RSA_WITH_AES_128_CBC_SHA] = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", + [TLS_DH_ANON_WITH_AES_128_CBC_SHA] = "TLS_DH_ANON_WITH_AES_128_CBC_SHA", + [TLS_RSA_WITH_AES_256_CBC_SHA] = "TLS_RSA_WITH_AES_256_CBC_SHA", + [TLS_DH_DSS_WITH_AES_256_CBC_SHA] = "TLS_DH_DSS_WITH_AES_256_CBC_SHA", + [TLS_DH_RSA_WITH_AES_256_CBC_SHA] = "TLS_DH_RSA_WITH_AES_256_CBC_SHA", + [TLS_DHE_DSS_WITH_AES_256_CBC_SHA] = "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", + [TLS_DHE_RSA_WITH_AES_256_CBC_SHA] = "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", + [TLS_DH_ANON_WITH_AES_256_CBC_SHA] = "TLS_DH_ANON_WITH_AES_256_CBC_SHA", + [TLS_RSA_WITH_NULL_SHA256] = "TLS_RSA_WITH_NULL_SHA256", + [TLS_RSA_WITH_AES_128_CBC_SHA256] = "TLS_RSA_WITH_AES_128_CBC_SHA256", + [TLS_RSA_WITH_AES_256_CBC_SHA256] = "TLS_RSA_WITH_AES_256_CBC_SHA256", + [TLS_DH_DSS_WITH_AES_128_CBC_SHA256] = "TLS_DH_DSS_WITH_AES_128_CBC_SHA256", + [TLS_DH_RSA_WITH_AES_128_CBC_SHA256] = "TLS_DH_RSA_WITH_AES_128_CBC_SHA256", + [TLS_DHE_DSS_WITH_AES_128_CBC_SHA256] = "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", + [TLS_RSA_WITH_CAMELLIA_128_CBC_SHA] = "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA", + [TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA] = "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA", + [TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA] = "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA", + [TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA] = "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA", + [TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA] = "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA", + [TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA] = "TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA", + [TLS_RSA_EXPORT1024_WITH_RC4_56_MD5] = "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5", + [TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5] = "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5", + [TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA] = "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA", + [TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA] = "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA", + [TLS_RSA_EXPORT1024_WITH_RC4_56_SHA] = "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA", + [TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA] = "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA", + [TLS_DHE_DSS_WITH_RC4_128_SHA] = "TLS_DHE_DSS_WITH_RC4_128_SHA", + [TLS_DHE_RSA_WITH_AES_128_CBC_SHA256] = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", + [TLS_DH_DSS_WITH_AES_256_CBC_SHA256] = "TLS_DH_DSS_WITH_AES_256_CBC_SHA256", + [TLS_DH_RSA_WITH_AES_256_CBC_SHA256] = "TLS_DH_RSA_WITH_AES_256_CBC_SHA256", + [TLS_DHE_DSS_WITH_AES_256_CBC_SHA256] = "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", + [TLS_DHE_RSA_WITH_AES_256_CBC_SHA256] = "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", + [TLS_DH_ANON_WITH_AES_128_CBC_SHA256] = "TLS_DH_ANON_WITH_AES_128_CBC_SHA256", + [TLS_DH_ANON_WITH_AES_256_CBC_SHA256] = "TLS_DH_ANON_WITH_AES_256_CBC_SHA256", + [TLS_RSA_WITH_CAMELLIA_256_CBC_SHA] = "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA", + [TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA] = "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA", + [TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA] = "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA", + [TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA] = "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA", + [TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA] = "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA", + [TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA] = "TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA", + [TLS_PSK_WITH_RC4_128_SHA] = "TLS_PSK_WITH_RC4_128_SHA", + [TLS_PSK_WITH_3DES_EDE_CBC_SHA] = "TLS_PSK_WITH_3DES_EDE_CBC_SHA", + [TLS_PSK_WITH_AES_128_CBC_SHA] = "TLS_PSK_WITH_AES_128_CBC_SHA", + [TLS_PSK_WITH_AES_256_CBC_SHA] = "TLS_PSK_WITH_AES_256_CBC_SHA", + [TLS_DHE_PSK_WITH_RC4_128_SHA] = "TLS_DHE_PSK_WITH_RC4_128_SHA", + [TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA] = "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA", + [TLS_DHE_PSK_WITH_AES_128_CBC_SHA] = "TLS_DHE_PSK_WITH_AES_128_CBC_SHA", + [TLS_DHE_PSK_WITH_AES_256_CBC_SHA] = "TLS_DHE_PSK_WITH_AES_256_CBC_SHA", + [TLS_RSA_PSK_WITH_RC4_128_SHA] = "TLS_RSA_PSK_WITH_RC4_128_SHA", + [TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA] = "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA", + [TLS_RSA_PSK_WITH_AES_128_CBC_SHA] = "TLS_RSA_PSK_WITH_AES_128_CBC_SHA", + [TLS_RSA_PSK_WITH_AES_256_CBC_SHA] = "TLS_RSA_PSK_WITH_AES_256_CBC_SHA", + [TLS_RSA_WITH_SEED_CBC_SHA] = "TLS_RSA_WITH_SEED_CBC_SHA", + [TLS_DH_DSS_WITH_SEED_CBC_SHA] = "TLS_DH_DSS_WITH_SEED_CBC_SHA", + [TLS_DH_RSA_WITH_SEED_CBC_SHA] = "TLS_DH_RSA_WITH_SEED_CBC_SHA", + [TLS_DHE_DSS_WITH_SEED_CBC_SHA] = "TLS_DHE_DSS_WITH_SEED_CBC_SHA", + [TLS_DHE_RSA_WITH_SEED_CBC_SHA] = "TLS_DHE_RSA_WITH_SEED_CBC_SHA", + [TLS_DH_ANON_WITH_SEED_CBC_SHA] = "TLS_DH_ANON_WITH_SEED_CBC_SHA", + [TLS_RSA_WITH_AES_128_GCM_SHA256] = "TLS_RSA_WITH_AES_128_GCM_SHA256", + [TLS_RSA_WITH_AES_256_GCM_SHA384] = "TLS_RSA_WITH_AES_256_GCM_SHA384", + [TLS_DHE_RSA_WITH_AES_128_GCM_SHA256] = "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", + [TLS_DHE_RSA_WITH_AES_256_GCM_SHA384] = "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", + [TLS_DH_RSA_WITH_AES_128_GCM_SHA256] = "TLS_DH_RSA_WITH_AES_128_GCM_SHA256", + [TLS_DH_RSA_WITH_AES_256_GCM_SHA384] = "TLS_DH_RSA_WITH_AES_256_GCM_SHA384", + [TLS_DHE_DSS_WITH_AES_128_GCM_SHA256] = "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", + [TLS_DHE_DSS_WITH_AES_256_GCM_SHA384] = "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", + [TLS_DH_DSS_WITH_AES_128_GCM_SHA256] = "TLS_DH_DSS_WITH_AES_128_GCM_SHA256", + [TLS_DH_DSS_WITH_AES_256_GCM_SHA384] = "TLS_DH_DSS_WITH_AES_256_GCM_SHA384", + [TLS_DH_ANON_WITH_AES_128_GCM_SHA256] = "TLS_DH_ANON_WITH_AES_128_GCM_SHA256", + [TLS_DH_ANON_WITH_AES_256_GCM_SHA384] = "TLS_DH_ANON_WITH_AES_256_GCM_SHA384", + [TLS_PSK_WITH_AES_128_GCM_SHA256] = "TLS_PSK_WITH_AES_128_GCM_SHA256", + [TLS_PSK_WITH_AES_256_GCM_SHA384] = "TLS_PSK_WITH_AES_256_GCM_SHA384", + [TLS_DHE_PSK_WITH_AES_128_GCM_SHA256] = "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256", + [TLS_DHE_PSK_WITH_AES_256_GCM_SHA384] = "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384", + [TLS_RSA_PSK_WITH_AES_128_GCM_SHA256] = "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256", + [TLS_RSA_PSK_WITH_AES_256_GCM_SHA384] = "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384", + [TLS_PSK_WITH_AES_128_CBC_SHA256] = "TLS_PSK_WITH_AES_128_CBC_SHA256", + [TLS_PSK_WITH_AES_256_CBC_SHA384] = "TLS_PSK_WITH_AES_256_CBC_SHA384", + [TLS_PSK_WITH_NULL_SHA256] = "TLS_PSK_WITH_NULL_SHA256", + [TLS_PSK_WITH_NULL_SHA384] = "TLS_PSK_WITH_NULL_SHA384", + [TLS_DHE_PSK_WITH_AES_128_CBC_SHA256] = "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256", + [TLS_DHE_PSK_WITH_AES_256_CBC_SHA384] = "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384", + [TLS_DHE_PSK_WITH_NULL_SHA256] = "TLS_DHE_PSK_WITH_NULL_SHA256", + [TLS_DHE_PSK_WITH_NULL_SHA384] = "TLS_DHE_PSK_WITH_NULL_SHA384", + [TLS_RSA_PSK_WITH_AES_128_CBC_SHA256] = "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256", + [TLS_RSA_PSK_WITH_AES_256_CBC_SHA384] = "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384", + [TLS_RSA_PSK_WITH_NULL_SHA256] = "TLS_RSA_PSK_WITH_NULL_SHA256", + [TLS_RSA_PSK_WITH_NULL_SHA384] = "TLS_RSA_PSK_WITH_NULL_SHA384", + [TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256", + [TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256", + [TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256", + [TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256", + [TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", + [TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256", + [TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256] = "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256", + [TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256] = "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256", + [TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256] = "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256", + [TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256] = "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256", + [TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256] = "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256", + [TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256] = "TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256", + [TLS_ECDH_ECDSA_WITH_NULL_SHA] = "TLS_ECDH_ECDSA_WITH_NULL_SHA", + [TLS_ECDH_ECDSA_WITH_RC4_128_SHA] = "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", + [TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA] = "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", + [TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA] = "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", + [TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA] = "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", + [TLS_ECDHE_ECDSA_WITH_NULL_SHA] = "TLS_ECDHE_ECDSA_WITH_NULL_SHA", + [TLS_ECDHE_ECDSA_WITH_RC4_128_SHA] = "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", + [TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA] = "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", + [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA] = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", + [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA] = "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", + [TLS_ECDH_RSA_WITH_NULL_SHA] = "TLS_ECDH_RSA_WITH_NULL_SHA", + [TLS_ECDH_RSA_WITH_RC4_128_SHA] = "TLS_ECDH_RSA_WITH_RC4_128_SHA", + [TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA] = "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", + [TLS_ECDH_RSA_WITH_AES_128_CBC_SHA] = "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", + [TLS_ECDH_RSA_WITH_AES_256_CBC_SHA] = "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", + [TLS_ECDHE_RSA_WITH_NULL_SHA] = "TLS_ECDHE_RSA_WITH_NULL_SHA", + [TLS_ECDHE_RSA_WITH_RC4_128_SHA] = "TLS_ECDHE_RSA_WITH_RC4_128_SHA", + [TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA] = "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", + [TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", + [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", + [TLS_ECDH_ANON_WITH_NULL_SHA] = "TLS_ECDH_ANON_WITH_NULL_SHA", + [TLS_ECDH_ANON_WITH_RC4_128_SHA] = "TLS_ECDH_ANON_WITH_RC4_128_SHA", + [TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA] = "TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA", + [TLS_ECDH_ANON_WITH_AES_128_CBC_SHA] = "TLS_ECDH_ANON_WITH_AES_128_CBC_SHA", + [TLS_ECDH_ANON_WITH_AES_256_CBC_SHA] = "TLS_ECDH_ANON_WITH_AES_256_CBC_SHA", + [TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA] = "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA", + [TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA] = "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA", + [TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA] = "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA", + [TLS_SRP_SHA_WITH_AES_128_CBC_SHA] = "TLS_SRP_SHA_WITH_AES_128_CBC_SHA", + [TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA] = "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA", + [TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA] = "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA", + [TLS_SRP_SHA_WITH_AES_256_CBC_SHA] = "TLS_SRP_SHA_WITH_AES_256_CBC_SHA", + [TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA] = "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA", + [TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA] = "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA", + [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256] = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", + [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384] = "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", + [TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256] = "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", + [TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384] = "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", + [TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256] = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", + [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384] = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", + [TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256] = "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", + [TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384] = "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", + [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256] = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", + [TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384] = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + [TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256] = "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", + [TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384] = "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384", + [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + [TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384] = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + [TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256] = "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", + [TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384] = "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", + [TLS_ECDHE_PSK_WITH_RC4_128_SHA] = "TLS_ECDHE_PSK_WITH_RC4_128_SHA", + [TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA] = "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA", + [TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA] = "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA", + [TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA] = "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA", + [TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256] = "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256", + [TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384] = "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384", + [TLS_ECDHE_PSK_WITH_NULL_SHA] = "TLS_ECDHE_PSK_WITH_NULL_SHA", + [TLS_ECDHE_PSK_WITH_NULL_SHA256] = "TLS_ECDHE_PSK_WITH_NULL_SHA256", + [TLS_ECDHE_PSK_WITH_NULL_SHA384] = "TLS_ECDHE_PSK_WITH_NULL_SHA384", + [SSL_RSA_FIPS_WITH_DES_CBC_SHA] = "SSL_RSA_FIPS_WITH_DES_CBC_SHA", + [SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA] = "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA", + [SSL_RSA_FIPS_WITH_DES_CBC_SHA_2] = "SSL_RSA_FIPS_WITH_DES_CBC_SHA_2", + [SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2] = "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2", }; @@ -385,101 +471,218 @@ const ssl_cipher_desc: table[count] of string = { const ssl_cipherset_EXPORT: set[count] = { SSLv20_CK_RC4_128_EXPORT40_WITH_MD5, SSLv20_CK_RC2_128_CBC_EXPORT40_WITH_MD5, - SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5, - SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5, - SSLv3x_RSA_EXPORT_WITH_DES40_CBC_SHA, - SSLv3x_DH_DSS_EXPORT_WITH_DES40_CBC_SHA, - SSLv3x_DH_RSA_EXPORT_WITH_DES40_CBC_SHA, - SSLv3x_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, - SSLv3x_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, - SSLv3x_DH_anon_EXPORT_WITH_RC4_40_MD5, - SSLv3x_DH_anon_EXPORT_WITH_DES40_CBC_SHA, - SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_SHA, - SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_SHA, - SSLv3x_KRB5_EXPORT_WITH_RC4_40_SHA, - SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_MD5, - SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_MD5, - SSLv3x_KRB5_EXPORT_WITH_RC4_40_MD5 + TLS_RSA_EXPORT_WITH_RC4_40_MD5, + TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, + TLS_RSA_EXPORT_WITH_DES40_CBC_SHA, + TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA, + TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA, + TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, + TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, + TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5, + TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA, + TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, + TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA, + TLS_KRB5_EXPORT_WITH_RC4_40_SHA, + TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5, + TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5, + TLS_KRB5_EXPORT_WITH_RC4_40_MD5, + TLS_RSA_EXPORT1024_WITH_RC4_56_MD5, + TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, + TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, + TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, + TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, + TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, }; # --- this set holds all DES ciphers const ssl_cipherset_DES: set[count] = { SSLv20_CK_DES_64_CBC_WITH_MD5, - SSLv3x_RSA_EXPORT_WITH_DES40_CBC_SHA, - SSLv3x_RSA_WITH_DES_CBC_SHA, - SSLv3x_DH_DSS_EXPORT_WITH_DES40_CBC_SHA, - SSLv3x_DH_DSS_WITH_DES_CBC_SHA, - SSLv3x_DH_RSA_EXPORT_WITH_DES40_CBC_SHA, - SSLv3x_DH_RSA_WITH_DES_CBC_SHA, - SSLv3x_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, - SSLv3x_DHE_DSS_WITH_DES_CBC_SHA, - SSLv3x_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, - SSLv3x_DHE_RSA_WITH_DES_CBC_SHA, - SSLv3x_DH_anon_EXPORT_WITH_DES40_CBC_SHA, - SSLv3x_DH_anon_WITH_DES_CBC_SHA, - SSLv3x_KRB5_WITH_DES_CBC_SHA, - SSLv3x_KRB5_WITH_DES_CBC_MD5, - SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_SHA, - SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_MD5 + TLS_RSA_EXPORT_WITH_DES40_CBC_SHA, + TLS_RSA_WITH_DES_CBC_SHA, + TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA, + TLS_DH_DSS_WITH_DES_CBC_SHA, + TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA, + TLS_DH_RSA_WITH_DES_CBC_SHA, + TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, + TLS_DHE_DSS_WITH_DES_CBC_SHA, + TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, + TLS_DHE_RSA_WITH_DES_CBC_SHA, + TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA, + TLS_DH_ANON_WITH_DES_CBC_SHA, + TLS_KRB5_WITH_DES_CBC_SHA, + TLS_KRB5_WITH_DES_CBC_MD5, + TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, + TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5, + TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, + TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, + SSL_RSA_FIPS_WITH_DES_CBC_SHA, + SSL_RSA_FIPS_WITH_DES_CBC_SHA_2, }; # --- this set holds all 3DES ciphers const ssl_cipherset_3DES: set[count] = { SSLv20_CK_DES_192_EDE3_CBC_WITH_MD5, - SSLv3x_DH_DSS_WITH_3DES_EDE_CBC_SHA, - SSLv3x_DH_RSA_WITH_3DES_EDE_CBC_SHA, - SSLv3x_DHE_DSS_WITH_3DES_EDE_CBC_SHA, - SSLv3x_DHE_RSA_WITH_3DES_EDE_CBC_SHA, - SSLv3x_DH_anon_WITH_3DES_EDE_CBC_SHA, - SSLv3x_KRB5_WITH_3DES_EDE_CBC_SHA, - SSLv3x_KRB5_WITH_3DES_EDE_CBC_MD5 + TLS_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA, + TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, + TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA, + TLS_KRB5_WITH_3DES_EDE_CBC_SHA, + TLS_KRB5_WITH_3DES_EDE_CBC_MD5, + TLS_PSK_WITH_3DES_EDE_CBC_SHA, + TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA, + TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA, + TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, + TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA, + TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA, + TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA, + TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA, + SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, + SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2, }; # --- this set holds all RC2 ciphers const ssl_cipherset_RC2: set[count] = { SSLv20_CK_RC2_128_CBC_WITH_MD5, SSLv20_CK_RC2_128_CBC_EXPORT40_WITH_MD5, - SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5, - SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_SHA, - SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 + TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, + TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA, + TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5, + TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, }; # --- this set holds all RC4 ciphers const ssl_cipherset_RC4: set[count] = { SSLv20_CK_RC4_128_WITH_MD5, SSLv20_CK_RC4_128_EXPORT40_WITH_MD5, - SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5, - SSLv3x_RSA_WITH_RC4_128_MD5, - SSLv3x_RSA_WITH_RC4_128_SHA, - SSLv3x_DH_anon_EXPORT_WITH_RC4_40_MD5, - SSLv3x_DH_anon_WITH_RC4_128_MD5, - SSLv3x_KRB5_WITH_RC4_128_SHA, - SSLv3x_KRB5_WITH_RC4_128_MD5, - SSLv3x_KRB5_EXPORT_WITH_RC4_40_SHA, - SSLv3x_KRB5_EXPORT_WITH_RC4_40_MD5 + TLS_RSA_EXPORT_WITH_RC4_40_MD5, + TLS_RSA_WITH_RC4_128_MD5, + TLS_RSA_WITH_RC4_128_SHA, + TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5, + TLS_DH_ANON_WITH_RC4_128_MD5, + TLS_KRB5_WITH_RC4_128_SHA, + TLS_KRB5_WITH_RC4_128_MD5, + TLS_KRB5_EXPORT_WITH_RC4_40_SHA, + TLS_KRB5_EXPORT_WITH_RC4_40_MD5, + TLS_RSA_EXPORT1024_WITH_RC4_56_MD5, + TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, + TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, + TLS_DHE_DSS_WITH_RC4_128_SHA, + TLS_PSK_WITH_RC4_128_SHA, + TLS_DHE_PSK_WITH_RC4_128_SHA, + TLS_RSA_PSK_WITH_RC4_128_SHA, + TLS_ECDH_ECDSA_WITH_RC4_128_SHA, + TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, + TLS_ECDH_RSA_WITH_RC4_128_SHA, + TLS_ECDHE_RSA_WITH_RC4_128_SHA, + TLS_ECDH_ANON_WITH_RC4_128_SHA, + TLS_ECDHE_PSK_WITH_RC4_128_SHA, }; # --- this set holds all IDEA ciphers const ssl_cipherset_IDEA: set[count] = { SSLv20_CK_IDEA_128_CBC_WITH_MD5, - SSLv3x_RSA_WITH_IDEA_CBC_SHA, - SSLv3x_KRB5_WITH_IDEA_CBC_SHA, - SSLv3x_KRB5_WITH_IDEA_CBC_MD5 + TLS_RSA_WITH_IDEA_CBC_SHA, + TLS_KRB5_WITH_IDEA_CBC_SHA, + TLS_KRB5_WITH_IDEA_CBC_MD5 }; # --- this set holds all AES ciphers const ssl_cipherset_AES: set[count] = { - SSLv3x_RSA_WITH_AES_128_CBC_SHA, - SSLv3x_DH_DSS_WITH_AES_128_CBC_SHA, - SSLv3x_DH_RSA_WITH_AES_128_CBC_SHA, - SSLv3x_DHE_DSS_WITH_AES_128_CBC_SHA, - SSLv3x_DHE_RSA_WITH_AES_128_CBC_SHA, - SSLv3x_DH_anon_WITH_AES_128_CBC_SHA, - SSLv3x_RSA_WITH_AES_256_CBC_SHA, - SSLv3x_DH_DSS_WITH_AES_256_CBC_SHA, - SSLv3x_DH_RSA_WITH_AES_256_CBC_SHA, - SSLv3x_DHE_DSS_WITH_AES_256_CBC_SHA, - SSLv3x_DHE_RSA_WITH_AES_256_CBC_SHA, - SSLv3x_DH_anon_WITH_AES_256_CBC_SHA + TLS_RSA_WITH_AES_128_CBC_SHA, + TLS_DH_DSS_WITH_AES_128_CBC_SHA, + TLS_DH_RSA_WITH_AES_128_CBC_SHA, + TLS_DHE_DSS_WITH_AES_128_CBC_SHA, + TLS_DHE_RSA_WITH_AES_128_CBC_SHA, + TLS_DH_ANON_WITH_AES_128_CBC_SHA, + TLS_RSA_WITH_AES_256_CBC_SHA, + TLS_DH_DSS_WITH_AES_256_CBC_SHA, + TLS_DH_RSA_WITH_AES_256_CBC_SHA, + TLS_DHE_DSS_WITH_AES_256_CBC_SHA, + TLS_DHE_RSA_WITH_AES_256_CBC_SHA, + TLS_DH_ANON_WITH_AES_256_CBC_SHA, + TLS_RSA_WITH_AES_128_CBC_SHA256, + TLS_RSA_WITH_AES_256_CBC_SHA256, + TLS_DH_DSS_WITH_AES_128_CBC_SHA256, + TLS_DH_RSA_WITH_AES_128_CBC_SHA256, + TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, + TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, + TLS_DH_DSS_WITH_AES_256_CBC_SHA256, + TLS_DH_RSA_WITH_AES_256_CBC_SHA256, + TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, + TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, + TLS_DH_ANON_WITH_AES_128_CBC_SHA256, + TLS_DH_ANON_WITH_AES_256_CBC_SHA256, + TLS_PSK_WITH_AES_128_CBC_SHA, + TLS_PSK_WITH_AES_256_CBC_SHA, + TLS_DHE_PSK_WITH_AES_128_CBC_SHA, + TLS_DHE_PSK_WITH_AES_256_CBC_SHA, + TLS_RSA_PSK_WITH_AES_128_CBC_SHA, + TLS_RSA_PSK_WITH_AES_256_CBC_SHA, + TLS_RSA_WITH_AES_128_GCM_SHA256, + TLS_RSA_WITH_AES_256_GCM_SHA384, + TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, + TLS_DH_RSA_WITH_AES_128_GCM_SHA256, + TLS_DH_RSA_WITH_AES_256_GCM_SHA384, + TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, + TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, + TLS_DH_DSS_WITH_AES_128_GCM_SHA256, + TLS_DH_DSS_WITH_AES_256_GCM_SHA384, + TLS_DH_ANON_WITH_AES_128_GCM_SHA256, + TLS_DH_ANON_WITH_AES_256_GCM_SHA384, + TLS_PSK_WITH_AES_128_GCM_SHA256, + TLS_PSK_WITH_AES_256_GCM_SHA384, + TLS_DHE_PSK_WITH_AES_128_GCM_SHA256, + TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, + TLS_RSA_PSK_WITH_AES_128_GCM_SHA256, + TLS_RSA_PSK_WITH_AES_256_GCM_SHA384, + TLS_PSK_WITH_AES_128_CBC_SHA256, + TLS_PSK_WITH_AES_256_CBC_SHA384, + TLS_DHE_PSK_WITH_AES_128_CBC_SHA256, + TLS_DHE_PSK_WITH_AES_256_CBC_SHA384, + TLS_RSA_PSK_WITH_AES_128_CBC_SHA256, + TLS_RSA_PSK_WITH_AES_256_CBC_SHA384, + TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, + TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, + TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + TLS_ECDH_ANON_WITH_AES_128_CBC_SHA, + TLS_ECDH_ANON_WITH_AES_256_CBC_SHA, + TLS_SRP_SHA_WITH_AES_128_CBC_SHA, + TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA, + TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA, + TLS_SRP_SHA_WITH_AES_256_CBC_SHA, + TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA, + TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, + TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, + TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, + TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, + TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, + TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, + TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, + TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA, + TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384, }; diff --git a/policy/ssl.bro b/policy/ssl.bro index 216abb2d10..6a347a14cc 100644 --- a/policy/ssl.bro +++ b/policy/ssl.bro @@ -85,29 +85,28 @@ const myWeakCiphers: set[count] = { SSLv20_CK_RC2_128_CBC_EXPORT40_WITH_MD5, SSLv20_CK_DES_64_CBC_WITH_MD5, - SSLv3x_NULL_WITH_NULL_NULL, - SSLv3x_RSA_WITH_NULL_MD5, - SSLv3x_RSA_WITH_NULL_SHA, - SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5, - SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5, - SSLv3x_RSA_EXPORT_WITH_DES40_CBC_SHA, - SSLv3x_RSA_WITH_DES_CBC_SHA, + TLS_NULL_WITH_NULL_NULL, + TLS_RSA_WITH_NULL_MD5, + TLS_RSA_WITH_NULL_SHA, + TLS_RSA_EXPORT_WITH_RC4_40_MD5, + TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, + TLS_RSA_EXPORT_WITH_DES40_CBC_SHA, + TLS_RSA_WITH_DES_CBC_SHA, - SSLv3x_DH_DSS_EXPORT_WITH_DES40_CBC_SHA, - SSLv3x_DH_DSS_WITH_DES_CBC_SHA, - SSLv3x_DH_RSA_EXPORT_WITH_DES40_CBC_SHA, - SSLv3x_DH_RSA_WITH_DES_CBC_SHA, - SSLv3x_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, - SSLv3x_DHE_DSS_WITH_DES_CBC_SHA, - SSLv3x_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, - SSLv3x_DHE_RSA_WITH_DES_CBC_SHA, + TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA, + TLS_DH_DSS_WITH_DES_CBC_SHA, + TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA, + TLS_DH_RSA_WITH_DES_CBC_SHA, + TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, + TLS_DHE_DSS_WITH_DES_CBC_SHA, + TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, + TLS_DHE_RSA_WITH_DES_CBC_SHA, - SSLv3x_DH_anon_EXPORT_WITH_RC4_40_MD5, - SSLv3x_DH_anon_WITH_RC4_128_MD5, - SSLv3x_DH_anon_EXPORT_WITH_DES40_CBC_SHA, - SSLv3x_DH_anon_WITH_DES_CBC_SHA, - SSLv3x_DH_anon_WITH_3DES_EDE_CBC_SHA, - SSLv3x_FORTEZZA_KEA_WITH_NULL_SHA + TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5, + TLS_DH_ANON_WITH_RC4_128_MD5, + TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA, + TLS_DH_ANON_WITH_DES_CBC_SHA, + TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA, }; const x509_ignore_errors: set[int] = { diff --git a/src/SSLCiphers.cc b/src/SSLCiphers.cc index 1eaf3898e2..e8972beb21 100644 --- a/src/SSLCiphers.cc +++ b/src/SSLCiphers.cc @@ -389,16 +389,16 @@ SSL_CipherSpec SSL_CipherSpecs[] = { 96, 160 }, - { SSL_FORTEZZA_KEA_WITH_RC4_128_SHA, - SSL_CIPHER_TYPE_STREAM, - SSL_FLAG_SSLv30, - SSL_CIPHER_RC4, - SSL_MAC_SHA, - SSL_KEY_EXCHANGE_FORTEZZA_KEA, - 0, - 128, - 160 - }, + //{ SSL_FORTEZZA_KEA_WITH_RC4_128_SHA, + // SSL_CIPHER_TYPE_STREAM, + // SSL_FLAG_SSLv30, + // SSL_CIPHER_RC4, + // SSL_MAC_SHA, + // SSL_KEY_EXCHANGE_FORTEZZA_KEA, + // 0, + // 128, + // 160 + //}, // --- special SSLv3 FIPS ciphers { SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_CIPHER_TYPE_BLOCK, @@ -591,7 +591,439 @@ SSL_CipherSpec SSL_CipherSpecs[] = { 0, 256, 160 - } + }, + { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_CAMELLIA, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_RSA, + 0, + 128, + 160 + }, + { TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_CAMELLIA, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_DH_DSS, + 0, + 128, + 160 + }, + { TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_CAMELLIA, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_DH_RSA, + 0, + 128, + 160 + }, + { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_CAMELLIA, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_DHE_DSS, + 0, + 128, + 160 + }, + { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_CAMELLIA, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_DHE_RSA, + 0, + 128, + 160 + }, + { TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_CAMELLIA, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_DH_ANON, + 0, + 128, + 160 + }, + { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_CAMELLIA, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_RSA, + 0, + 256, + 160 + }, + { TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_CAMELLIA, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_DH_DSS, + 0, + 256, + 160 + }, + { TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_CAMELLIA, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_DH_RSA, + 0, + 256, + 160 + }, + { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_CAMELLIA, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_DHE_DSS, + 0, + 256, + 160 + }, + { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_CAMELLIA, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_DHE_RSA, + 0, + 256, + 160 + }, + { TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_CAMELLIA, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_DH_ANON, + 0, + 256, + 160 + }, + { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_3DES, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDHE_ECDSA, + 0, + 168, + 160 + }, + { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_AES, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDHE_ECDSA, + 0, + 128, + 160 + }, + { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_AES, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDHE_ECDSA, + 0, + 256, + 160 + }, + { TLS_ECDHE_ECDSA_WITH_NULL_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_NULL, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDHE_ECDSA, + 0, + 0, + 160 + }, + { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_RC4, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDHE_ECDSA, + 0, + 128, + 160 + }, + { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_3DES, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDHE_RSA, + 0, + 168, + 160 + }, + { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_AES, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDHE_RSA, + 0, + 128, + 160 + }, + { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_AES, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDHE_RSA, + 0, + 256, + 160 + }, + { TLS_ECDHE_RSA_WITH_NULL_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_NULL, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDHE_RSA, + 0, + 0, + 160 + }, + { TLS_ECDHE_RSA_WITH_RC4_128_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_RC4, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDHE_RSA, + 0, + 128, + 160 + }, + { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_3DES, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDH_ECDSA, + 0, + 168, + 160 + }, + { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_AES, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDH_ECDSA, + 0, + 128, + 160 + }, + { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_AES, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDH_ECDSA, + 0, + 256, + 160 + }, + { TLS_ECDH_ECDSA_WITH_NULL_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_NULL, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDH_ECDSA, + 0, + 0, + 160 + }, + { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_RC4, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDH_ECDSA, + 0, + 128, + 160 + }, + { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_3DES, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDH_RSA, + 0, + 168, + 160 + }, + { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_AES, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDH_RSA, + 0, + 128, + 160 + }, + { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_AES, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDH_RSA, + 0, + 256, + 160 + }, + { TLS_ECDH_RSA_WITH_NULL_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_NULL, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDH_RSA, + 0, + 0, + 160 + }, + { TLS_ECDH_RSA_WITH_RC4_128_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_RC4, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDH_RSA, + 0, + 128, + 160 + }, + { TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_3DES, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDH_ANON, + 0, + 168, + 160 + }, + { TLS_ECDH_anon_WITH_AES_128_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_AES, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDH_ANON, + 0, + 128, + 160 + }, + { TLS_ECDH_anon_WITH_AES_256_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_AES, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDH_ANON, + 0, + 256, + 160 + }, + { TLS_ECDH_anon_WITH_NULL_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_NULL, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDH_ANON, + 0, + 0, + 160 + }, + { TLS_ECDH_anon_WITH_RC4_128_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_RC4, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDH_ANON, + 0, + 128, + 160 + }, + { TLS_RSA_WITH_SEED_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_SEED, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_RSA, + 0, + 128, + 160 + }, + { TLS_DH_DSS_WITH_SEED_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_SEED, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_DH_DSS, + 0, + 128, + 160 + }, + { TLS_DH_RSA_WITH_SEED_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_SEED, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_DH_RSA, + 0, + 128, + 160 + }, + { TLS_DHE_DSS_WITH_SEED_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_SEED, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_DHE_DSS, + 0, + 128, + 160 + }, + { TLS_DHE_RSA_WITH_SEED_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_SEED, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_DHE_RSA, + 0, + 128, + 160 + }, + { TLS_DH_anon_WITH_SEED_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_SEED, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_DH_ANON, + 0, + 128, + 160 + }, + + }; const uint SSL_CipherSpecs_Count = diff --git a/src/SSLCiphers.h b/src/SSLCiphers.h index 389c4d1992..5d13b5b8b6 100644 --- a/src/SSLCiphers.h +++ b/src/SSLCiphers.h @@ -12,14 +12,14 @@ */ enum SSLv2_CipherSpec { // --- standard SSLv2 ciphers - SSL_CK_RC4_128_WITH_MD5 = 0x010080, - SSL_CK_RC4_128_EXPORT40_WITH_MD5 = 0x020080, - SSL_CK_RC2_128_CBC_WITH_MD5 = 0x030080, - SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 = 0x040080, - SSL_CK_IDEA_128_CBC_WITH_MD5 = 0x050080, - SSL_CK_DES_64_CBC_WITH_MD5 = 0x060040, - SSL_CK_DES_192_EDE3_CBC_WITH_MD5 = 0x0700C0, - SSL_CK_RC4_64_WITH_MD5 = 0x080080 + SSL_CK_RC4_128_WITH_MD5 = 0x010080, + SSL_CK_RC4_128_EXPORT40_WITH_MD5 = 0x020080, + SSL_CK_RC2_128_CBC_WITH_MD5 = 0x030080, + SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 = 0x040080, + SSL_CK_IDEA_128_CBC_WITH_MD5 = 0x050080, + SSL_CK_DES_64_CBC_WITH_MD5 = 0x060040, + SSL_CK_DES_192_EDE3_CBC_WITH_MD5 = 0x0700C0, + SSL_CK_RC4_64_WITH_MD5 = 0x080080 }; @@ -28,60 +28,236 @@ enum SSLv2_CipherSpec { */ enum SSL3_1_CipherSpec { // --- standard SSLv3x ciphers - TLS_NULL_WITH_NULL_NULL = 0x0000, - TLS_RSA_WITH_NULL_MD5 = 0x0001, - TLS_RSA_WITH_NULL_SHA = 0x0002, - TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003, - TLS_RSA_WITH_RC4_128_MD5 = 0x0004, - TLS_RSA_WITH_RC4_128_SHA = 0x0005, - TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006, - TLS_RSA_WITH_IDEA_CBC_SHA = 0x0007, - TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008, - TLS_RSA_WITH_DES_CBC_SHA = 0x0009, - TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A, - TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x000B, - TLS_DH_DSS_WITH_DES_CBC_SHA = 0x000C, - TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000D, - TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x000E, - TLS_DH_RSA_WITH_DES_CBC_SHA = 0x000F, - TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010, - TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011, - TLS_DHE_DSS_WITH_DES_CBC_SHA = 0x0012, - TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013, - TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014, - TLS_DHE_RSA_WITH_DES_CBC_SHA = 0x0015, - TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016, - TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5 = 0x0017, - TLS_DH_ANON_WITH_RC4_128_MD5 = 0x0018, - TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA = 0x0019, - TLS_DH_ANON_WITH_DES_CBC_SHA = 0x001A, - TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA = 0x001B, - // --- special SSLv3 ciphers - SSL_FORTEZZA_KEA_WITH_NULL_SHA = 0x001C, - SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA = 0x001D, - SSL_FORTEZZA_KEA_WITH_RC4_128_SHA = 0x001E, - // --- special SSLv3 FIPS ciphers - SSL_RSA_FIPS_WITH_DES_CBC_SHA = 0xFEFE, - SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0XFEFF, - // --- new 56 bit export ciphers - TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA = 0x0062, - TLS_RSA_EXPORT1024_WITH_RC4_56_SHA = 0x0064, - TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 0x0063, - TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = 0x0065, - TLS_DHE_DSS_WITH_RC4_128_SHA = 0x0066, + TLS_NULL_WITH_NULL_NULL = 0x0000, + TLS_RSA_WITH_NULL_MD5 = 0x0001, + TLS_RSA_WITH_NULL_SHA = 0x0002, + TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003, + TLS_RSA_WITH_RC4_128_MD5 = 0x0004, + TLS_RSA_WITH_RC4_128_SHA = 0x0005, + TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006, + TLS_RSA_WITH_IDEA_CBC_SHA = 0x0007, + TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008, + TLS_RSA_WITH_DES_CBC_SHA = 0x0009, + TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A, + TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x000B, + TLS_DH_DSS_WITH_DES_CBC_SHA = 0x000C, + TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000D, + TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x000E, + TLS_DH_RSA_WITH_DES_CBC_SHA = 0x000F, + TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010, + TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011, + TLS_DHE_DSS_WITH_DES_CBC_SHA = 0x0012, + TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013, + TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014, + TLS_DHE_RSA_WITH_DES_CBC_SHA = 0x0015, + TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016, + TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5 = 0x0017, + TLS_DH_ANON_WITH_RC4_128_MD5 = 0x0018, + TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA = 0x0019, + TLS_DH_ANON_WITH_DES_CBC_SHA = 0x001A, + TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA = 0x001B, + // --- special SSLv3 ciphers + SSL_FORTEZZA_KEA_WITH_NULL_SHA = 0x001C, + SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA = 0x001D, + //SSL_FORTEZZA_KEA_WITH_RC4_128_SHA = 0x001E, + // -- RFC 2712 (ciphers not fully described in SSLCiphers.cc) + TLS_KRB5_WITH_DES_CBC_SHA = 0x001E, + TLS_KRB5_WITH_3DES_EDE_CBC_SHA = 0x001F, + TLS_KRB5_WITH_RC4_128_SHA = 0x0020, + TLS_KRB5_WITH_IDEA_CBC_SHA = 0x0021, + TLS_KRB5_WITH_DES_CBC_MD5 = 0x0022, + TLS_KRB5_WITH_3DES_EDE_CBC_MD5 = 0x0023, + TLS_KRB5_WITH_RC4_128_MD5 = 0x0024, + TLS_KRB5_WITH_IDEA_CBC_MD5 = 0x0025, + TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA = 0x0026, + TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA = 0x0027, + TLS_KRB5_EXPORT_WITH_RC4_40_SHA = 0x0028, + TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 = 0x0029, + TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 = 0x002A, + TLS_KRB5_EXPORT_WITH_RC4_40_MD5 = 0x002B, + // --- new AES ciphers - TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F, - TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0x0030, - TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031, - TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032, - TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033, - TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034, - TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035, - TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x0036, - TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x0037, - TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038, - TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039, - TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A + TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F, + TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0x0030, + TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031, + TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032, + TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033, + TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034, + TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035, + TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x0036, + TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x0037, + TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038, + TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039, + TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A, + TLS_RSA_WITH_NULL_SHA256 = 0x003B, + TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C, + TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D, + TLS_DH_DSS_WITH_AES_128_CBC_SHA256 = 0x003E, + TLS_DH_RSA_WITH_AES_128_CBC_SHA256 = 0x003F, + TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 = 0x0040, + // -- RFC 4132 + TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0041, + TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0042, + TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0043, + TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0044, + TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0045, + TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA = 0x0046, + // -- Non-RFC. Widely deployed implementation (ciphers not fully described in SSLCiphers.cc) + TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 = 0x0060, + TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 = 0x0061, + TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA = 0x0062, + TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 0x0063, + TLS_RSA_EXPORT1024_WITH_RC4_56_SHA = 0x0064, + TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = 0x0065, + TLS_DHE_DSS_WITH_RC4_128_SHA = 0x0066, + // -- RFC 5246 (ciphers not fully described in SSLCiphers.cc) + TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067, + TLS_DH_DSS_WITH_AES_256_CBC_SHA256 = 0x0068, + TLS_DH_RSA_WITH_AES_256_CBC_SHA256 = 0x0069, + TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 = 0x006A, + TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B, + TLS_DH_ANON_WITH_AES_128_CBC_SHA256 = 0x006C, + TLS_DH_ANON_WITH_AES_256_CBC_SHA256 = 0x006D, + // -- RFC 5932 + TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0084, + TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0085, + TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0086, + TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0087, + TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0088, + TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA = 0x0089, + // -- RFC 4279 (ciphers not fully described in SSLCiphers.cc) + TLS_PSK_WITH_RC4_128_SHA = 0x008A, + TLS_PSK_WITH_3DES_EDE_CBC_SHA = 0x008B, + TLS_PSK_WITH_AES_128_CBC_SHA = 0x008C, + TLS_PSK_WITH_AES_256_CBC_SHA = 0x008D, + TLS_DHE_PSK_WITH_RC4_128_SHA = 0x008E, + TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA = 0x008F, + TLS_DHE_PSK_WITH_AES_128_CBC_SHA = 0x0090, + TLS_DHE_PSK_WITH_AES_256_CBC_SHA = 0x0091, + TLS_RSA_PSK_WITH_RC4_128_SHA = 0x0092, + TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA = 0x0093, + TLS_RSA_PSK_WITH_AES_128_CBC_SHA = 0x0094, + TLS_RSA_PSK_WITH_AES_256_CBC_SHA = 0x0095, + // -- RFC 4162 + TLS_RSA_WITH_SEED_CBC_SHA = 0x0096, + TLS_DH_DSS_WITH_SEED_CBC_SHA = 0x0097, + TLS_DH_RSA_WITH_SEED_CBC_SHA = 0x0098, + TLS_DHE_DSS_WITH_SEED_CBC_SHA = 0x0099, + TLS_DHE_RSA_WITH_SEED_CBC_SHA = 0x009A, + TLS_DH_ANON_WITH_SEED_CBC_SHA = 0x009B, + // -- RFC 5288 (ciphers not fully described in SSLCiphers.cc) + TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C, + TLS_RSA_WITH_AES_256_GCM_SHA384 = 0x009D, + TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E, + TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = 0x009F, + TLS_DH_RSA_WITH_AES_128_GCM_SHA256 = 0x00A0, + TLS_DH_RSA_WITH_AES_256_GCM_SHA384 = 0x00A1, + TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = 0x00A2, + TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 = 0x00A3, + TLS_DH_DSS_WITH_AES_128_GCM_SHA256 = 0x00A4, + TLS_DH_DSS_WITH_AES_256_GCM_SHA384 = 0x00A5, + TLS_DH_ANON_WITH_AES_128_GCM_SHA256 = 0x00A6, + TLS_DH_ANON_WITH_AES_256_GCM_SHA384 = 0x00A7, + // -- RFC 5487 (ciphers not fully described in SSLCiphers.cc) + TLS_PSK_WITH_AES_128_GCM_SHA256 = 0x00A8, + TLS_PSK_WITH_AES_256_GCM_SHA384 = 0x00A9, + TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 = 0x00AA, + TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 = 0x00AB, + TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 = 0x00AC, + TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 = 0x00AD, + TLS_PSK_WITH_AES_128_CBC_SHA256 = 0x00AE, + TLS_PSK_WITH_AES_256_CBC_SHA384 = 0x00AF, + TLS_PSK_WITH_NULL_SHA256 = 0x00B0, + TLS_PSK_WITH_NULL_SHA384 = 0x00B1, + TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 = 0x00B2, + TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 = 0x00B3, + TLS_DHE_PSK_WITH_NULL_SHA256 = 0x00B4, + TLS_DHE_PSK_WITH_NULL_SHA384 = 0x00B5, + TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 = 0x00B6, + TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 = 0x00B7, + TLS_RSA_PSK_WITH_NULL_SHA256 = 0x00B8, + TLS_RSA_PSK_WITH_NULL_SHA384 = 0x00B9, + // -- RFC 5932 (ciphers not fully described in SSLCiphers.cc) + TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BA, + TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BB, + TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BC, + TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BD, + TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BE, + TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BF, + TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C0, + TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C1, + TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C2, + TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C3, + TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C4, + TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C5, + // -- RFC 4492 + TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xC001, + TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xC002, + TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC003, + TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = 0xC004, + TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = 0xC005, + TLS_ECDHE_ECDSA_WITH_NULL_SHA = 0xC006, + TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = 0xC007, + TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC008, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xC009, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xC00A, + TLS_ECDH_RSA_WITH_NULL_SHA = 0xC00B, + TLS_ECDH_RSA_WITH_RC4_128_SHA = 0xC00C, + TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = 0xC00D, + TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = 0xC00E, + TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = 0xC00F, + TLS_ECDHE_RSA_WITH_NULL_SHA = 0xC010, + TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0xC011, + TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 0xC012, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xC013, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xC014, + TLS_ECDH_ANON_WITH_NULL_SHA = 0xC015, + TLS_ECDH_ANON_WITH_RC4_128_SHA = 0xC016, + TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA = 0xC017, + TLS_ECDH_ANON_WITH_AES_128_CBC_SHA = 0xC018, + TLS_ECDH_ANON_WITH_AES_256_CBC_SHA = 0xC019, + // -- RFC 5054 (ciphers not fully described in SSLCiphers.cc) + TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = 0xC01A, + TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA = 0xC01B, + TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA = 0xC01C, + TLS_SRP_SHA_WITH_AES_128_CBC_SHA = 0xC01D, + TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA = 0xC01E, + TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA = 0xC01F, + TLS_SRP_SHA_WITH_AES_256_CBC_SHA = 0xC020, + TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA = 0xC021, + TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA = 0xC022, + // -- RFC 5289 (ciphers not fully described in SSLCiphers.cc) + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC023, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC024, + TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC025, + TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC026, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xC027, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = 0xC028, + TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 = 0xC029, + TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 = 0xC02A, + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02B, + TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02C, + TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02D, + TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02E, + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F, + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xC030, + TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 0xC031, + TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 = 0xC032, + // -- RFC 5489 (ciphers not fully described in SSLCiphers.cc) + TLS_ECDHE_PSK_WITH_RC4_128_SHA = 0xC033, + TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA = 0xC034, + TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA = 0xC035, + TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA = 0xC036, + TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 = 0xC037, + TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 = 0xC038, + TLS_ECDHE_PSK_WITH_NULL_SHA = 0xC039, + TLS_ECDHE_PSK_WITH_NULL_SHA256 = 0xC03A, + TLS_ECDHE_PSK_WITH_NULL_SHA384 = 0xC03B, + // --- special SSLv3 FIPS ciphers + SSL_RSA_FIPS_WITH_DES_CBC_SHA = 0xFEFE, + SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0xFEFF, + SSL_RSA_FIPS_WITH_DES_CBC_SHA_2 = 0xFFE1, + SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2 = 0xFFe0, }; enum SSL_CipherType { @@ -99,7 +275,9 @@ enum SSL_BulkCipherAlgorithm { SSL_CIPHER_DES40, SSL_CIPHER_FORTEZZA, SSL_CIPHER_IDEA, - SSL_CIPHER_AES + SSL_CIPHER_AES, + SSL_CIPHER_CAMELLIA, + SSL_CIPHER_SEED, }; enum SSL_MACAlgorithm { @@ -126,7 +304,13 @@ enum SSL_KeyExchangeAlgorithm { SSL_KEY_EXCHANGE_FORTEZZA_KEA, // --- new 56 bit export ciphers SSL_KEY_EXCHANGE_RSA_EXPORT1024, - SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024 + SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024, + // -- Elliptic Curve key change algorithms (rfc4492) + SSL_KEY_EXCHANGE_ECDH_ECDSA, + SSL_KEY_EXCHANGE_ECDHE_ECDSA, + SSL_KEY_EXCHANGE_ECDH_RSA, + SSL_KEY_EXCHANGE_ECDHE_RSA, + SSL_KEY_EXCHANGE_ECDH_ANON, }; #if 0 From 5edf0eb75d2af64602f29b4e99e64c172c2892ea Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 26 Oct 2010 16:41:57 -0400 Subject: [PATCH 02/24] Modification from rmkml to support SSL extensions. --- src/SSLv3.cc | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/src/SSLv3.cc b/src/SSLv3.cc index 4d89f27ad8..d4b558ba79 100644 --- a/src/SSLv3.cc +++ b/src/SSLv3.cc @@ -941,9 +941,9 @@ TableVal* SSLv3_Interpreter::analyzeCiphers(const SSLv3_Endpoint* s, int length, if ( length > ssl_max_cipherspec_size ) { if ( is_orig ) - Weird("SSLv2: Client has CipherSpecs > ssl_max_cipherspec_size"); + Weird("SSLv3: Client has CipherSpecs > ssl_max_cipherspec_size"); else - Weird("SSLv2: Server has CipherSpecs > ssl_max_cipherspec_size"); + Weird("SSLv3: Server has CipherSpecs > ssl_max_cipherspec_size"); } const u_char* pCipher = data; @@ -1357,8 +1357,16 @@ int SSLv3_HandshakeRecord::checkClientHello() if ( sessionIDLength + cipherSuiteLength + compressionMethodLength + 38 != length ) { - endp->Interpreter()->Weird("SSLv3x: Corrupt length fields in Client hello!"); - return 0; + uint16 sslExtensionsLength = + uint16(data[41 + sessionIDLength + cipherSuiteLength + compressionMethodLength + 1 ] << 8 ) | data[41 + sessionIDLength + cipherSuiteLength + compressionMethodLength + 2 ]; + if ( sslExtensionsLength < 4 ) + endp->Interpreter()->Weird("SSLv3x: Extensions length too small!"); + if ( sessionIDLength + cipherSuiteLength + + compressionMethodLength + 2 + sslExtensionsLength + 38 != length ) + { + endp->Interpreter()->Weird("SSLv3x: Corrupt length fields in Client hello!"); + return 0; + } } return 1; @@ -1384,7 +1392,7 @@ int SSLv3_HandshakeRecord::checkServerHello() return 0; } - if ( (sessionIDLength + 38) != length ) + if ( (sessionIDLength + 45) != length ) { endp->Interpreter()->Weird("SSLv3x: Corrupt length fields in Server hello!"); return 0; From a598bdb5556a9f2038a52a473c53a7429d8b2491 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Thu, 9 Dec 2010 15:23:54 -0500 Subject: [PATCH 03/24] Fixed the problem with do_split function which caused it to bail 1 separator early. --- src/strings.bif | 75 +++++++++++++++++++++---------------------------- 1 file changed, 32 insertions(+), 43 deletions(-) diff --git a/src/strings.bif b/src/strings.bif index 44b0c57eb6..2820726e30 100644 --- a/src/strings.bif +++ b/src/strings.bif @@ -198,7 +198,6 @@ static int match_prefix(int s_len, const char* s, int t_len, const char* t) Val* do_split(StringVal* str_val, RE_Matcher* re, TableVal* other_sep, int incl_sep, int max_num_sep) { - const BroString* str = str_val->AsString(); TableVal* a = new TableVal(internal_type("string_array")->AsTableType()); ListVal* other_strings = 0; @@ -209,66 +208,56 @@ Val* do_split(StringVal* str_val, RE_Matcher* re, TableVal* other_sep, // the future we expect to change this by giving RE_Matcher a // const char* segment. - const char* s = str->CheckString(); - int len = strlen(s); - const char* end_of_s = s + len; + const u_char* s = str_val->Bytes(); + int n = str_val->Len(); + const u_char* end_of_s = s + n; int num = 0; int num_sep = 0; + + int offset = 0; - while ( 1 ) + while ( n > 0 ) { - int offset = 0; - const char* t; - - if ( max_num_sep > 0 && num_sep >= max_num_sep ) - t = end_of_s; - else + offset = 0; + // Find next match offset. + int end_of_match; + while ( n > 0 && + (end_of_match = re->MatchPrefix(&s[offset], n)) <= 0 ) { - for ( t = s; t < end_of_s; ++t ) - { - offset = re->MatchPrefix(t); - - if ( other_strings ) - { - val_list* vl = other_strings->Vals(); - loop_over_list(*vl, i) - { - const BroString* sub = - (*vl)[i]->AsString(); - if ( sub->Len() > offset && - match_prefix(end_of_s - t, - t, sub->Len(), - (const char*) (sub->Bytes())) ) - { - offset = sub->Len(); - } - } - } - - if ( offset > 0 ) - break; - } + printf("character %d\n", offset); + // Move on to next character. + ++offset; + --n; } - + Val* ind = new Val(++num, TYPE_COUNT); - a->Assign(ind, new StringVal(t - s, s)); + a->Assign(ind, new StringVal(offset, (const char*) s)); Unref(ind); - if ( t >= end_of_s ) + // No more separators will be needed if this is the end of string. + if ( n <= 0 ) break; - ++num_sep; - if ( incl_sep ) { // including the part that matches the pattern ind = new Val(++num, TYPE_COUNT); - a->Assign(ind, new StringVal(offset, t)); + a->Assign(ind, new StringVal(end_of_match, (const char*) s+offset)); Unref(ind); } - - s = t + offset; + + if ( max_num_sep && num_sep >= max_num_sep ) + break; + + ++num_sep; + + offset += end_of_match; + n -= end_of_match; + s += offset; + if ( s > end_of_s ) + { internal_error("RegMatch in split goes beyond the string"); + } } if ( other_strings ) From 61c99176ad9e8ca43bf7711ea385f5c97d507b33 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Thu, 9 Dec 2010 15:59:08 -0500 Subject: [PATCH 04/24] Readded the other changes to remove CheckString calls from strings.bif. --- src/strings.bif | 107 ++++++++++++++++++++++-------------------------- 1 file changed, 49 insertions(+), 58 deletions(-) diff --git a/src/strings.bif b/src/strings.bif index 2820726e30..d3c1ca2e5d 100644 --- a/src/strings.bif +++ b/src/strings.bif @@ -138,27 +138,27 @@ function sort_string_array%(a: string_array%): string_array function edit%(arg_s: string, arg_edit_char: string%): string %{ - const char* s = arg_s->AsString()->CheckString(); - const char* edit_s = arg_edit_char->AsString()->CheckString(); - - if ( strlen(edit_s) != 1 ) + if ( arg_edit_char->Len() != 1 ) builtin_run_time("not exactly one edit character", @ARG@[1]); + + const u_char* s = arg_s->Bytes(); + const u_char* edit_s = arg_edit_char->Bytes(); - char edit_c = *edit_s; + u_char edit_c = *edit_s; - int n = strlen(s) + 1; - char* new_s = new char[n]; + int n = arg_s->Len(); + u_char* new_s = new u_char[n+1]; int ind = 0; - for ( ; *s; ++s ) + for ( int i=0; iCheckString(); - int n = strlen(s) + 1; + const u_char* s = str->Bytes(); + int n = str->Len(); char* lower_s = new char[n]; + char* ls = lower_s; - char* ls; - for ( ls = lower_s; *s; ++s ) + for (int i=0; iCheckString(); - int n = strlen(s) + 1; + const u_char* s = str->Bytes(); + int n = str->Len(); char* upper_s = new char[n]; - - char* us; - for ( us = upper_s; *s; ++s ) + char* us = upper_s; + + for (int i=0; iCheckString(); + const u_char* s = str->Bytes(); + int n = str->Len(); - int n = strlen(s) + 1; - char* strip_s = new char[n]; - - if ( n == 1 ) + if ( n == 0 ) // Empty string. - return new StringVal(new BroString(1, byte_vec(strip_s), 0)); + return new StringVal(new BroString(s, n, 1)); - while ( isspace(*s) ) - ++s; - - strncpy(strip_s, s, n); - - char* s2 = strip_s; - char* e = &s2[strlen(s2) - 1]; - - while ( e > s2 && isspace(*e) ) + const u_char* sp = s; + // Move a pointer to the end of the string + const u_char* e = &sp[n-1]; + while ( e > sp && isspace(*e) ) --e; - e[1] = '\0'; // safe even if e hasn't changed, due to n = strlen + 1 + // Move the pointer for the beginning of the string + while ( isspace(*sp) ) + ++sp; - return new StringVal(new BroString(1, byte_vec(s2), (e-s2)+1)); + return new StringVal(new BroString(sp, e-sp+1, 1)); %} function string_fill%(len: int, source: string%): string %{ - const char* src = source->CheckString(); - - int sn = strlen(src); + const u_char* src = source->Bytes(); + int n = source->Len(); char* dst = new char[len]; - for ( int i = 0; i < len; i += sn ) - ::memcpy((dst + i), src, min(sn, len - i)); + for ( int i = 0; i < len; i += n ) + ::memcpy((dst + i), src, min(n, len - i)); dst[len - 1] = 0; @@ -639,11 +629,12 @@ function string_fill%(len: int, source: string%): string # function str_shell_escape%(source: string%): string %{ - unsigned j = 0; - const char* src = source->CheckString(); - char* dst = new char[strlen(src) * 2 + 1]; + uint j = 0; + const u_char* src = source->Bytes(); + uint n = source->Len(); + byte_vec dst = new u_char[n * 2 + 1]; - for ( unsigned i = 0; i < strlen(src); ++i ) + for ( uint i = 0; i < n; ++i ) { switch ( src[i] ) { case '`': case '"': case '\\': case '$': @@ -661,7 +652,7 @@ function str_shell_escape%(source: string%): string } dst[j] = '\0'; - return new StringVal(new BroString(1, byte_vec(dst), j)); + return new StringVal(new BroString(1, dst, j)); %} # Returns all occurrences of the given pattern in the given string (an empty From 266acde342227a699e0639c53a04fbf1490f4435 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Thu, 9 Dec 2010 16:01:19 -0500 Subject: [PATCH 05/24] Removed an accidental debugging printf. --- src/strings.bif | 1 - 1 file changed, 1 deletion(-) diff --git a/src/strings.bif b/src/strings.bif index d3c1ca2e5d..253709e858 100644 --- a/src/strings.bif +++ b/src/strings.bif @@ -224,7 +224,6 @@ Val* do_split(StringVal* str_val, RE_Matcher* re, TableVal* other_sep, while ( n > 0 && (end_of_match = re->MatchPrefix(&s[offset], n)) <= 0 ) { - printf("character %d\n", offset); // Move on to next character. ++offset; --n; From 9cfef93522a55087814eab8c13ad866f19e1e439 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 18 Jan 2011 14:40:37 -0500 Subject: [PATCH 06/24] Fixed bug in do_split implementation. Test suite succeeds! --- src/strings.bif | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/src/strings.bif b/src/strings.bif index 253709e858..2e499ca0c4 100644 --- a/src/strings.bif +++ b/src/strings.bif @@ -204,10 +204,6 @@ Val* do_split(StringVal* str_val, RE_Matcher* re, TableVal* other_sep, if ( other_sep && other_sep->Size() > 0 ) other_strings = other_sep->ConvertToPureList(); - // Currently let us assume that str is NUL-terminated. In - // the future we expect to change this by giving RE_Matcher a - // const char* segment. - const u_char* s = str_val->Bytes(); int n = str_val->Len(); const u_char* end_of_s = s + n; @@ -215,7 +211,6 @@ Val* do_split(StringVal* str_val, RE_Matcher* re, TableVal* other_sep, int num_sep = 0; int offset = 0; - while ( n > 0 ) { offset = 0; @@ -224,7 +219,7 @@ Val* do_split(StringVal* str_val, RE_Matcher* re, TableVal* other_sep, while ( n > 0 && (end_of_match = re->MatchPrefix(&s[offset], n)) <= 0 ) { - // Move on to next character. + // Move on to next byte. ++offset; --n; } @@ -249,7 +244,6 @@ Val* do_split(StringVal* str_val, RE_Matcher* re, TableVal* other_sep, ++num_sep; - offset += end_of_match; n -= end_of_match; s += offset; From c7a5bf071db9ba141405983b2ab7b27f78603403 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 19 Jan 2011 11:46:35 -0500 Subject: [PATCH 07/24] Prepared the old analyzer for extracting SSL extensions. --- src/SSLCiphers.cc | 44 +++++++++++++++++++++---------------------- src/SSLCiphers.h | 48 +++++++++++++++++++++++------------------------ src/SSLv3.cc | 46 +++++++++++++++++++++++++-------------------- 3 files changed, 72 insertions(+), 66 deletions(-) diff --git a/src/SSLCiphers.cc b/src/SSLCiphers.cc index e8972beb21..002262d853 100644 --- a/src/SSLCiphers.cc +++ b/src/SSLCiphers.cc @@ -319,52 +319,52 @@ SSL_CipherSpec SSL_CipherSpecs[] = { 168, 160 }, - { TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5, + { TLS_DH_anon_EXPORT_WITH_RC4_40_MD5, SSL_CIPHER_TYPE_STREAM, SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, SSL_CIPHER_RC4, SSL_MAC_MD5, - SSL_KEY_EXCHANGE_DH_ANON_EXPORT, + SSL_KEY_EXCHANGE_DH_anon_EXPORT, 0, 40, 128 }, - { TLS_DH_ANON_WITH_RC4_128_MD5, + { TLS_DH_anon_WITH_RC4_128_MD5, SSL_CIPHER_TYPE_STREAM, SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, SSL_CIPHER_RC4, SSL_MAC_MD5, - SSL_KEY_EXCHANGE_DH_ANON, + SSL_KEY_EXCHANGE_DH_anon, 0, 128, 128 }, - { TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA, + { TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA, SSL_CIPHER_TYPE_BLOCK, SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, SSL_CIPHER_DES40, SSL_MAC_SHA, - SSL_KEY_EXCHANGE_DH_ANON, + SSL_KEY_EXCHANGE_DH_anon, 0, 40, 160 }, - { TLS_DH_ANON_WITH_DES_CBC_SHA, + { TLS_DH_anon_WITH_DES_CBC_SHA, SSL_CIPHER_TYPE_BLOCK, SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, SSL_CIPHER_DES, SSL_MAC_SHA, - SSL_KEY_EXCHANGE_DH_ANON, + SSL_KEY_EXCHANGE_DH_anon, 0, 56, 160 }, - { TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA, + { TLS_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_CIPHER_TYPE_BLOCK, SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, SSL_CIPHER_3DES, SSL_MAC_SHA, - SSL_KEY_EXCHANGE_DH_ANON, + SSL_KEY_EXCHANGE_DH_anon, 0, 168, 160 @@ -522,12 +522,12 @@ SSL_CipherSpec SSL_CipherSpecs[] = { 128, 160 }, - { TLS_DH_ANON_WITH_AES_128_CBC_SHA, + { TLS_DH_anon_WITH_AES_128_CBC_SHA, SSL_CIPHER_TYPE_BLOCK, SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, SSL_CIPHER_AES, SSL_MAC_SHA, - SSL_KEY_EXCHANGE_DH_ANON, + SSL_KEY_EXCHANGE_DH_anon, 0, 128, 160 @@ -582,12 +582,12 @@ SSL_CipherSpec SSL_CipherSpecs[] = { 256, 160 }, - { TLS_DH_ANON_WITH_AES_256_CBC_SHA, + { TLS_DH_anon_WITH_AES_256_CBC_SHA, SSL_CIPHER_TYPE_BLOCK, SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, SSL_CIPHER_AES, SSL_MAC_SHA, - SSL_KEY_EXCHANGE_DH_ANON, + SSL_KEY_EXCHANGE_DH_anon, 0, 256, 160 @@ -647,7 +647,7 @@ SSL_CipherSpec SSL_CipherSpecs[] = { SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, SSL_CIPHER_CAMELLIA, SSL_MAC_SHA, - SSL_KEY_EXCHANGE_DH_ANON, + SSL_KEY_EXCHANGE_DH_anon, 0, 128, 160 @@ -707,7 +707,7 @@ SSL_CipherSpec SSL_CipherSpecs[] = { SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, SSL_CIPHER_CAMELLIA, SSL_MAC_SHA, - SSL_KEY_EXCHANGE_DH_ANON, + SSL_KEY_EXCHANGE_DH_anon, 0, 256, 160 @@ -917,7 +917,7 @@ SSL_CipherSpec SSL_CipherSpecs[] = { SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, SSL_CIPHER_3DES, SSL_MAC_SHA, - SSL_KEY_EXCHANGE_ECDH_ANON, + SSL_KEY_EXCHANGE_ECDH_anon, 0, 168, 160 @@ -927,7 +927,7 @@ SSL_CipherSpec SSL_CipherSpecs[] = { SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, SSL_CIPHER_AES, SSL_MAC_SHA, - SSL_KEY_EXCHANGE_ECDH_ANON, + SSL_KEY_EXCHANGE_ECDH_anon, 0, 128, 160 @@ -937,7 +937,7 @@ SSL_CipherSpec SSL_CipherSpecs[] = { SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, SSL_CIPHER_AES, SSL_MAC_SHA, - SSL_KEY_EXCHANGE_ECDH_ANON, + SSL_KEY_EXCHANGE_ECDH_anon, 0, 256, 160 @@ -947,7 +947,7 @@ SSL_CipherSpec SSL_CipherSpecs[] = { SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, SSL_CIPHER_NULL, SSL_MAC_SHA, - SSL_KEY_EXCHANGE_ECDH_ANON, + SSL_KEY_EXCHANGE_ECDH_anon, 0, 0, 160 @@ -957,7 +957,7 @@ SSL_CipherSpec SSL_CipherSpecs[] = { SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, SSL_CIPHER_RC4, SSL_MAC_SHA, - SSL_KEY_EXCHANGE_ECDH_ANON, + SSL_KEY_EXCHANGE_ECDH_anon, 0, 128, 160 @@ -1017,7 +1017,7 @@ SSL_CipherSpec SSL_CipherSpecs[] = { SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, SSL_CIPHER_SEED, SSL_MAC_SHA, - SSL_KEY_EXCHANGE_DH_ANON, + SSL_KEY_EXCHANGE_DH_anon, 0, 128, 160 diff --git a/src/SSLCiphers.h b/src/SSLCiphers.h index 5d13b5b8b6..408a3b1567 100644 --- a/src/SSLCiphers.h +++ b/src/SSLCiphers.h @@ -51,11 +51,11 @@ enum SSL3_1_CipherSpec { TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014, TLS_DHE_RSA_WITH_DES_CBC_SHA = 0x0015, TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016, - TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5 = 0x0017, - TLS_DH_ANON_WITH_RC4_128_MD5 = 0x0018, - TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA = 0x0019, - TLS_DH_ANON_WITH_DES_CBC_SHA = 0x001A, - TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA = 0x001B, + TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 = 0x0017, + TLS_DH_anon_WITH_RC4_128_MD5 = 0x0018, + TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = 0x0019, + TLS_DH_anon_WITH_DES_CBC_SHA = 0x001A, + TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = 0x001B, // --- special SSLv3 ciphers SSL_FORTEZZA_KEA_WITH_NULL_SHA = 0x001C, SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA = 0x001D, @@ -82,13 +82,13 @@ enum SSL3_1_CipherSpec { TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031, TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032, TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033, - TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034, + TLS_DH_anon_WITH_AES_128_CBC_SHA = 0x0034, TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035, TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x0036, TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x0037, TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038, TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039, - TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A, + TLS_DH_anon_WITH_AES_256_CBC_SHA = 0x003A, TLS_RSA_WITH_NULL_SHA256 = 0x003B, TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C, TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D, @@ -101,7 +101,7 @@ enum SSL3_1_CipherSpec { TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0043, TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0044, TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0045, - TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA = 0x0046, + TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA = 0x0046, // -- Non-RFC. Widely deployed implementation (ciphers not fully described in SSLCiphers.cc) TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 = 0x0060, TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 = 0x0061, @@ -116,15 +116,15 @@ enum SSL3_1_CipherSpec { TLS_DH_RSA_WITH_AES_256_CBC_SHA256 = 0x0069, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 = 0x006A, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B, - TLS_DH_ANON_WITH_AES_128_CBC_SHA256 = 0x006C, - TLS_DH_ANON_WITH_AES_256_CBC_SHA256 = 0x006D, + TLS_DH_anon_WITH_AES_128_CBC_SHA256 = 0x006C, + TLS_DH_anon_WITH_AES_256_CBC_SHA256 = 0x006D, // -- RFC 5932 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0084, TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0085, TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0086, TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0087, TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0088, - TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA = 0x0089, + TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA = 0x0089, // -- RFC 4279 (ciphers not fully described in SSLCiphers.cc) TLS_PSK_WITH_RC4_128_SHA = 0x008A, TLS_PSK_WITH_3DES_EDE_CBC_SHA = 0x008B, @@ -144,7 +144,7 @@ enum SSL3_1_CipherSpec { TLS_DH_RSA_WITH_SEED_CBC_SHA = 0x0098, TLS_DHE_DSS_WITH_SEED_CBC_SHA = 0x0099, TLS_DHE_RSA_WITH_SEED_CBC_SHA = 0x009A, - TLS_DH_ANON_WITH_SEED_CBC_SHA = 0x009B, + TLS_DH_anon_WITH_SEED_CBC_SHA = 0x009B, // -- RFC 5288 (ciphers not fully described in SSLCiphers.cc) TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C, TLS_RSA_WITH_AES_256_GCM_SHA384 = 0x009D, @@ -156,8 +156,8 @@ enum SSL3_1_CipherSpec { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 = 0x00A3, TLS_DH_DSS_WITH_AES_128_GCM_SHA256 = 0x00A4, TLS_DH_DSS_WITH_AES_256_GCM_SHA384 = 0x00A5, - TLS_DH_ANON_WITH_AES_128_GCM_SHA256 = 0x00A6, - TLS_DH_ANON_WITH_AES_256_GCM_SHA384 = 0x00A7, + TLS_DH_anon_WITH_AES_128_GCM_SHA256 = 0x00A6, + TLS_DH_anon_WITH_AES_256_GCM_SHA384 = 0x00A7, // -- RFC 5487 (ciphers not fully described in SSLCiphers.cc) TLS_PSK_WITH_AES_128_GCM_SHA256 = 0x00A8, TLS_PSK_WITH_AES_256_GCM_SHA384 = 0x00A9, @@ -183,13 +183,13 @@ enum SSL3_1_CipherSpec { TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BC, TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BD, TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BE, - TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BF, + TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BF, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C0, TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C1, TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C2, TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C3, TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C4, - TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C5, + TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C5, // -- RFC 4492 TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xC001, TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xC002, @@ -211,11 +211,11 @@ enum SSL3_1_CipherSpec { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 0xC012, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xC013, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xC014, - TLS_ECDH_ANON_WITH_NULL_SHA = 0xC015, - TLS_ECDH_ANON_WITH_RC4_128_SHA = 0xC016, - TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA = 0xC017, - TLS_ECDH_ANON_WITH_AES_128_CBC_SHA = 0xC018, - TLS_ECDH_ANON_WITH_AES_256_CBC_SHA = 0xC019, + TLS_ECDH_anon_WITH_NULL_SHA = 0xC015, + TLS_ECDH_anon_WITH_RC4_128_SHA = 0xC016, + TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA = 0xC017, + TLS_ECDH_anon_WITH_AES_128_CBC_SHA = 0xC018, + TLS_ECDH_anon_WITH_AES_256_CBC_SHA = 0xC019, // -- RFC 5054 (ciphers not fully described in SSLCiphers.cc) TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = 0xC01A, TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA = 0xC01B, @@ -299,8 +299,8 @@ enum SSL_KeyExchangeAlgorithm { SSL_KEY_EXCHANGE_DHE_DSS_EXPORT, SSL_KEY_EXCHANGE_DHE_RSA, SSL_KEY_EXCHANGE_DHE_RSA_EXPORT, - SSL_KEY_EXCHANGE_DH_ANON, - SSL_KEY_EXCHANGE_DH_ANON_EXPORT, + SSL_KEY_EXCHANGE_DH_anon, + SSL_KEY_EXCHANGE_DH_anon_EXPORT, SSL_KEY_EXCHANGE_FORTEZZA_KEA, // --- new 56 bit export ciphers SSL_KEY_EXCHANGE_RSA_EXPORT1024, @@ -310,7 +310,7 @@ enum SSL_KeyExchangeAlgorithm { SSL_KEY_EXCHANGE_ECDHE_ECDSA, SSL_KEY_EXCHANGE_ECDH_RSA, SSL_KEY_EXCHANGE_ECDHE_RSA, - SSL_KEY_EXCHANGE_ECDH_ANON, + SSL_KEY_EXCHANGE_ECDH_anon, }; #if 0 diff --git a/src/SSLv3.cc b/src/SSLv3.cc index d4b558ba79..92d18c6f26 100644 --- a/src/SSLv3.cc +++ b/src/SSLv3.cc @@ -195,7 +195,7 @@ void SSLv3_Interpreter::printStats() printf( "SSLv3x:\n" ); printf( "Note: Because handshake messages may be coalesced into a \n"); printf( " single SSLv3x record, the number of total messages for SSLv3x plus \n"); - printf( " the number of total records seen for SSLv2 won't match \n"); + printf( " the number of total records seen for SSLv3 won't match \n"); printf( " SSLProxy_Analyzer::totalRecords! \n"); printf( "total connections = %u\n", totalConnections ); printf( "opened connections (complete handshake) = %u\n", openedConnections ); @@ -554,7 +554,7 @@ void SSLv3_Interpreter::DeliverSSLv3_Record(SSLv3_HandshakeRecord* rec) } else { - if ( keyXAlgorithm == SSL_KEY_EXCHANGE_DH || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_ANON || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_ANON_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024 ) + if ( keyXAlgorithm == SSL_KEY_EXCHANGE_DH || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_anon || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_anon_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024 ) { if ( rec->length < 2 ) { @@ -595,11 +595,11 @@ void SSLv3_Interpreter::DeliverSSLv3_Record(SSLv3_HandshakeRecord* rec) switch (cipherSuite) { case TLS_NULL_WITH_NULL_NULL: - case TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5: - case TLS_DH_ANON_WITH_RC4_128_MD5: - case TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA: - case TLS_DH_ANON_WITH_DES_CBC_SHA: - case TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA: + case TLS_DH_anon_EXPORT_WITH_RC4_40_MD5: + case TLS_DH_anon_WITH_RC4_128_MD5: + case TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA: + case TLS_DH_anon_WITH_DES_CBC_SHA: + case TLS_DH_anon_WITH_3DES_EDE_CBC_SHA: { Weird("SSLv3x: Sending certificate-request not allowed for anonymous servers!"); break; @@ -618,7 +618,7 @@ void SSLv3_Interpreter::DeliverSSLv3_Record(SSLv3_HandshakeRecord* rec) break; } - if ( pCipherSuite->keyExchangeAlgorithm == SSL_KEY_EXCHANGE_DH_ANON || pCipherSuite->keyExchangeAlgorithm == SSL_KEY_EXCHANGE_DH_ANON_EXPORT ) + if ( pCipherSuite->keyExchangeAlgorithm == SSL_KEY_EXCHANGE_DH_anon || pCipherSuite->keyExchangeAlgorithm == SSL_KEY_EXCHANGE_DH_anon_EXPORT ) Weird("SSLv3x: Sending certificate-request not allowed for anonymous servers!"); // FIXME: Insert weird checks! @@ -654,7 +654,7 @@ void SSLv3_Interpreter::DeliverSSLv3_Record(SSLv3_HandshakeRecord* rec) } else { - if ( keyXAlgorithm == SSL_KEY_EXCHANGE_DH || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_ANON || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_ANON_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024 ) + if ( keyXAlgorithm == SSL_KEY_EXCHANGE_DH || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_anon || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_anon_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024 ) { if ( rec->length < 2 ) { @@ -1328,7 +1328,9 @@ int SSLv3_HandshakeRecord::checkClientHello() version != SSLProxy_Analyzer::SSLv31 ) endp->Interpreter()->Weird("SSLv3x: Corrupt version information in Client hello!"); - uint8 sessionIDLength = uint8(data[38]); + uint16 offset = 38; + uint8 sessionIDLength = uint8(data[offset]); + offset += (1 + sessionIDLength); if ( sessionIDLength > 32 ) { endp->Interpreter()->Weird("SSLv3x: SessionID too long in Client hello!"); @@ -1336,33 +1338,37 @@ int SSLv3_HandshakeRecord::checkClientHello() } uint16 cipherSuiteLength = - uint16(data[39 + sessionIDLength] << 8 ) | - data[40 + sessionIDLength]; + uint16(data[offset] << 8) | data[offset+1]; + offset += (2 + cipherSuiteLength); if ( cipherSuiteLength < 2 ) endp->Interpreter()->Weird("SSLv3x: CipherSuite length too small!"); - if ( cipherSuiteLength + sessionIDLength + 41 > recordLength ) + if ( offset > recordLength ) { endp->Interpreter()->Weird("SSLv3x: Client hello too small, corrupt length fields!"); return 0; } - uint8 compressionMethodLength = - uint8(data[41 + sessionIDLength + cipherSuiteLength]); + uint8 compressionMethodLength = uint8(data[offset]); + offset += (1 + compressionMethodLength); if ( compressionMethodLength < 1 ) endp->Interpreter()->Weird("SSLv3x: CompressionMethod length too small!"); - if ( sessionIDLength + cipherSuiteLength + - compressionMethodLength + 38 != length ) + if ( offset != length ) { uint16 sslExtensionsLength = - uint16(data[41 + sessionIDLength + cipherSuiteLength + compressionMethodLength + 1 ] << 8 ) | data[41 + sessionIDLength + cipherSuiteLength + compressionMethodLength + 2 ]; + uint16(data[offset] << 8 ) | data[offset+1]; + offset += 2; + if ( sslExtensionsLength < 4 ) endp->Interpreter()->Weird("SSLv3x: Extensions length too small!"); - if ( sessionIDLength + cipherSuiteLength + - compressionMethodLength + 2 + sslExtensionsLength + 38 != length ) + + // TODO: extract SSL extensions here + + offset += sslExtensionsLength; + if ( offset != length+4 ) { endp->Interpreter()->Weird("SSLv3x: Corrupt length fields in Client hello!"); return 0; From ef1650f6a2072bc686b265e1d0a5e5ec3529b80a Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Thu, 20 Jan 2011 15:07:24 -0500 Subject: [PATCH 08/24] Cleaned up g++ warnings. --- src/DCE_RPC.cc | 2 +- src/PrefixTable.cc | 4 ++-- src/RemoteSerializer.cc | 26 +++++++++++++------------- src/SMB.cc | 2 +- src/cq.c | 2 +- src/dce_rpc.pac | 4 ++-- src/patricia.c | 2 +- 7 files changed, 21 insertions(+), 21 deletions(-) diff --git a/src/DCE_RPC.cc b/src/DCE_RPC.cc index fe163f2632..62f7806c51 100644 --- a/src/DCE_RPC.cc +++ b/src/DCE_RPC.cc @@ -82,7 +82,7 @@ UUID::UUID(const char* str) } if ( i != 16 ) - internal_error(fmt("invalid UUID string: %s", str)); + internal_error("invalid UUID string: %s", str); } typedef map uuid_map_t; diff --git a/src/PrefixTable.cc b/src/PrefixTable.cc index e654b8440e..b3313c82e5 100644 --- a/src/PrefixTable.cc +++ b/src/PrefixTable.cc @@ -99,8 +99,8 @@ void* PrefixTable::Lookup(const Val* value, bool exact) const break; default: - internal_error(fmt("Wrong index type %d for PrefixTable", - value->Type()->Tag())); + internal_error("Wrong index type %d for PrefixTable", + value->Type()->Tag()); return 0; } } diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc index a9329cc9cb..6709ea0456 100644 --- a/src/RemoteSerializer.cc +++ b/src/RemoteSerializer.cc @@ -1505,13 +1505,13 @@ bool RemoteSerializer::DoMessage() { // We shut the connection to this peer down, // so we ignore all further messages. - DEBUG_COMM(fmt("parent: ignoring %s due to shutdown of peer #%d", + DEBUG_COMM(fmt("parent: ignoring %s due to shutdown of peer #%llu", msgToStr(current_msgtype), current_peer ? current_peer->id : 0)); return true; } - DEBUG_COMM(fmt("parent: %s from child; peer is #%d", + DEBUG_COMM(fmt("parent: %s from child; peer is #%llu", msgToStr(current_msgtype), current_peer ? current_peer->id : 0)); @@ -2610,7 +2610,7 @@ bool RemoteSerializer::SendCMsgToChild(char msg_type, Peer* peer) bool RemoteSerializer::SendToChild(char type, Peer* peer, char* str, int len) { - DEBUG_COMM(fmt("parent: (->child) %s (#%d, %s)", msgToStr(type), peer ? peer->id : PEER_NONE, str)); + DEBUG_COMM(fmt("parent: (->child) %s (#%d, %s)", msgToStr(type), (uint32_t) (peer ? peer->id : PEER_NONE), str)); if ( ! child_pid ) return false; @@ -2635,7 +2635,7 @@ bool RemoteSerializer::SendToChild(char type, Peer* peer, int nargs, ...) #ifdef DEBUG va_start(ap, nargs); DEBUG_COMM(fmt("parent: (->child) %s (#%d,%s)", - msgToStr(type), peer ? peer->id : PEER_NONE, fmt_uint32s(nargs, ap))); + msgToStr(type), (uint32_t) (peer ? peer->id : PEER_NONE), fmt_uint32s(nargs, ap))); va_end(ap); #endif @@ -2715,7 +2715,7 @@ void RemoteSerializer::InternalCommError(const char* msg) #ifdef DEBUG_COMMUNICATION DumpDebugData(); #else - internal_error(msg); + internal_error(msg, ""); #endif } @@ -3065,7 +3065,7 @@ bool SocketComm::ProcessParentMessage() } default: - internal_error(fmt("unknown msg type %d", parent_msgtype)); + internal_error("unknown msg type %d", parent_msgtype); return true; } @@ -3235,7 +3235,7 @@ bool SocketComm::ForwardChunkToPeer() { #ifdef DEBUG if ( parent_peer ) - DEBUG_COMM(fmt("child: not connected to #%d", parent_id)); + DEBUG_COMM(fmt("child: not connected to #%d", (uint) parent_id)); #endif } @@ -3319,7 +3319,7 @@ bool SocketComm::ProcessRemoteMessage(SocketComm::Peer* peer) CMsg* msg = (CMsg*) c->data; DEBUG_COMM(fmt("child: %s from peer #%d", - msgToStr(msg->Type()), peer->id)); + msgToStr(msg->Type()), (uint) peer->id)); switch ( msg->Type() ) { case MSG_PHASE_DONE: @@ -3795,7 +3795,7 @@ bool SocketComm::SendToParent(char type, Peer* peer, const char* str, int len) #ifdef DEBUG // str may already by constructed with fmt() const char* tmp = copy_string(str); - DEBUG_COMM(fmt("child: (->parent) %s (#%d, %s)", msgToStr(type), peer ? peer->id : RemoteSerializer::PEER_NONE, tmp)); + DEBUG_COMM(fmt("child: (->parent) %s (#%d, %s)", msgToStr(type), (uint) (peer ? peer->id : RemoteSerializer::PEER_NONE), tmp)); delete [] tmp; #endif if ( sendToIO(io, type, peer ? peer->id : RemoteSerializer::PEER_NONE, @@ -3814,7 +3814,7 @@ bool SocketComm::SendToParent(char type, Peer* peer, int nargs, ...) #ifdef DEBUG va_start(ap,nargs); - DEBUG_COMM(fmt("child: (->parent) %s (#%d,%s)", msgToStr(type), peer ? peer->id : RemoteSerializer::PEER_NONE, fmt_uint32s(nargs, ap))); + DEBUG_COMM(fmt("child: (->parent) %s (#%d,%s)", msgToStr(type), (uint) (peer ? peer->id : RemoteSerializer::PEER_NONE), fmt_uint32s(nargs, ap))); va_end(ap); #endif @@ -3850,7 +3850,7 @@ bool SocketComm::SendToPeer(Peer* peer, char type, const char* str, int len) #ifdef DEBUG // str may already by constructed with fmt() const char* tmp = copy_string(str); - DEBUG_COMM(fmt("child: (->peer) %s to #%d (%s)", msgToStr(type), peer->id, tmp)); + DEBUG_COMM(fmt("child: (->peer) %s to #%d (%s)", msgToStr(type), (uint) peer->id, tmp)); delete [] tmp; #endif @@ -3870,7 +3870,7 @@ bool SocketComm::SendToPeer(Peer* peer, char type, int nargs, ...) #ifdef DEBUG va_start(ap,nargs); DEBUG_COMM(fmt("child: (->peer) %s to #%d (%s)", - msgToStr(type), peer->id, fmt_uint32s(nargs, ap))); + msgToStr(type), (uint) peer->id, fmt_uint32s(nargs, ap))); va_end(ap); #endif @@ -3890,7 +3890,7 @@ bool SocketComm::SendToPeer(Peer* peer, char type, int nargs, ...) bool SocketComm::SendToPeer(Peer* peer, ChunkedIO::Chunk* c) { - DEBUG_COMM(fmt("child: (->peer) chunk of size %d to #%d", c->len, peer->id)); + DEBUG_COMM(fmt("child: (->peer) chunk of size %d to #%d", c->len, (uint) peer->id)); if ( ! sendToIO(peer->io, c) ) { Error(fmt("child: write error %s", io->Error()), peer); diff --git a/src/SMB.cc b/src/SMB.cc index 7ee6986d3d..a950302090 100644 --- a/src/SMB.cc +++ b/src/SMB.cc @@ -166,7 +166,7 @@ void SMB_Session::Deliver(int is_orig, int len, const u_char* data) const u_char* tmp = data_start + next; if ( data_start + next < data + body.length() ) { - Weird(fmt("ANDX buffer overlapping: next = %d, buffer_end = %d", next, data + body.length() - data_start)); + Weird(fmt("ANDX buffer overlapping: next = %d, buffer_end = %ld", next, data + body.length() - data_start)); break; } diff --git a/src/cq.c b/src/cq.c index 63e4275369..5263fb17b1 100644 --- a/src/cq.c +++ b/src/cq.c @@ -570,7 +570,7 @@ cq_debugbucket(register struct cq_handle *hp, bp2 = hp->buckets + PRI2BUCKET(hp, bp->pri); if (bp2 != buckets) { fprintf(stderr, - "%f in wrong bucket! (off by %d)\n", + "%f in wrong bucket! (off by %ld)\n", bp->pri, bp2 - buckets); cq_dump(hp); abort(); diff --git a/src/dce_rpc.pac b/src/dce_rpc.pac index 0aa689b532..58c2250c26 100644 --- a/src/dce_rpc.pac +++ b/src/dce_rpc.pac @@ -8,5 +8,5 @@ analyzer DCE_RPC withcontext { flow: DCE_RPC_Flow; }; -%include "dce_rpc-protocol.pac" -%include "dce_rpc-analyzer.pac" +%include dce_rpc-protocol.pac +%include dce_rpc-analyzer.pac diff --git a/src/patricia.c b/src/patricia.c index c9d271803c..8e40cb5ef6 100644 --- a/src/patricia.c +++ b/src/patricia.c @@ -1027,7 +1027,7 @@ lookup_then_remove (patricia_tree_t *tree, char *string) { patricia_node_t *node; - if (node = try_search_exact (tree, string)) + if ( (node = try_search_exact(tree, string)) ) patricia_remove (tree, node); } From b7b29c6f92bd5ffa5ba4053e7fa9041ec8840d6c Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Thu, 20 Jan 2011 15:08:54 -0500 Subject: [PATCH 09/24] Added line to expect shift/reduce errors in parse.in This is the resolution that Gregor brought up in December, 2010 on the bro-dev list. --- src/parse.y | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/parse.y b/src/parse.y index b0bb39f0ea..1eed09cbf1 100644 --- a/src/parse.y +++ b/src/parse.y @@ -3,6 +3,8 @@ // See the file "COPYING" in the main distribution directory for copyright. %} +%expect 71 + %token TOK_ADD TOK_ADD_TO TOK_ADDR TOK_ALARM TOK_ANY %token TOK_ATENDIF TOK_ATELSE TOK_ATIF TOK_ATIFDEF TOK_ATIFNDEF %token TOK_BOOL TOK_BREAK TOK_CASE TOK_CONST From fbf7d5ccc0c6566e6a195b400bbe99548dca49cf Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Thu, 20 Jan 2011 15:10:31 -0500 Subject: [PATCH 10/24] Cleaned up the output from running binpac. Added an extra dependency to the dce_rpc pac files and running binpac with the -q (quiet) flag which requires changes to binpac which will be committed soon. --- src/CMakeLists.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 81ed0d81af..927f5e660b 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -160,7 +160,7 @@ macro(BINPAC_TARGET pacFile) add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${basename}_pac.h ${CMAKE_CURRENT_BINARY_DIR}/${basename}_pac.cc COMMAND ${BinPAC_EXE} - ARGS -d ${CMAKE_CURRENT_BINARY_DIR} + ARGS -q -d ${CMAKE_CURRENT_BINARY_DIR} -I ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_SOURCE_DIR}/${pacFile} DEPENDS ${BinPAC_EXE} ${pacFile} @@ -177,9 +177,9 @@ binpac_target(binpac_bro-lib.pac) binpac_target(bittorrent.pac bittorrent-protocol.pac bittorrent-analyzer.pac) binpac_target(dce_rpc.pac - dce_rpc-protocol.pac dce_rpc-analyzer.pac) + dce_rpc-protocol.pac dce_rpc-analyzer.pac epmapper.pac) binpac_target(dce_rpc_simple.pac - dce_rpc-protocol.pac) + dce_rpc-protocol.pac epmapper.pac) binpac_target(dhcp.pac dhcp-protocol.pac dhcp-analyzer.pac) binpac_target(dns.pac From 668824d1b608079e629c755c917b594395e71187 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 20 Jan 2011 14:36:07 -0800 Subject: [PATCH 11/24] A few smaller tweaks. --- src/strings.bif | 46 ++++++++++++++++++++++++---------------------- 1 file changed, 24 insertions(+), 22 deletions(-) diff --git a/src/strings.bif b/src/strings.bif index 2e499ca0c4..76e4200b79 100644 --- a/src/strings.bif +++ b/src/strings.bif @@ -140,7 +140,7 @@ function edit%(arg_s: string, arg_edit_char: string%): string %{ if ( arg_edit_char->Len() != 1 ) builtin_run_time("not exactly one edit character", @ARG@[1]); - + const u_char* s = arg_s->Bytes(); const u_char* edit_s = arg_edit_char->Bytes(); @@ -150,7 +150,7 @@ function edit%(arg_s: string, arg_edit_char: string%): string u_char* new_s = new u_char[n+1]; int ind = 0; - for ( int i=0; i 0 ) { @@ -217,13 +217,13 @@ Val* do_split(StringVal* str_val, RE_Matcher* re, TableVal* other_sep, // Find next match offset. int end_of_match; while ( n > 0 && - (end_of_match = re->MatchPrefix(&s[offset], n)) <= 0 ) + (end_of_match = re->MatchPrefix(s + offset, n)) <= 0 ) { // Move on to next byte. ++offset; --n; } - + Val* ind = new Val(++num, TYPE_COUNT); a->Assign(ind, new StringVal(offset, (const char*) s)); Unref(ind); @@ -238,19 +238,17 @@ Val* do_split(StringVal* str_val, RE_Matcher* re, TableVal* other_sep, a->Assign(ind, new StringVal(end_of_match, (const char*) s+offset)); Unref(ind); } - + if ( max_num_sep && num_sep >= max_num_sep ) break; - + ++num_sep; - + n -= end_of_match; s += offset; - + if ( s > end_of_s ) - { internal_error("RegMatch in split goes beyond the string"); - } } if ( other_strings ) @@ -463,7 +461,7 @@ function to_lower%(str: string%): string char* lower_s = new char[n]; char* ls = lower_s; - for (int i=0; iLen(); char* upper_s = new char[n]; char* us = upper_s; - - for (int i=0; i sp && isspace(*e) ) --e; - // Move the pointer for the beginning of the string - while ( isspace(*sp) ) + // Move the pointer for the beginning of the string. + while ( isspace(*sp) && sp <= e ) ++sp; - return new StringVal(new BroString(sp, e-sp+1, 1)); + if ( sp > e ) + return new StringVal(new BroString()); + else + return new StringVal(new BroString(sp, (e - sp + 1), 1)); %} function string_fill%(len: int, source: string%): string @@ -622,12 +624,12 @@ function string_fill%(len: int, source: string%): string # function str_shell_escape%(source: string%): string %{ - uint j = 0; + unsigned j = 0; const u_char* src = source->Bytes(); - uint n = source->Len(); + unsigned n = source->Len(); byte_vec dst = new u_char[n * 2 + 1]; - for ( uint i = 0; i < n; ++i ) + for ( unsigned i = 0; i < n; ++i ) { switch ( src[i] ) { case '`': case '"': case '\\': case '$': From 0fe30453cf9dfe92bafb2b8c993ef540a8468a1f Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Fri, 21 Jan 2011 20:59:51 -0500 Subject: [PATCH 12/24] Removing some apparently unnecessary lines. --- src/strings.bif | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/src/strings.bif b/src/strings.bif index 76e4200b79..77ac90ddd4 100644 --- a/src/strings.bif +++ b/src/strings.bif @@ -598,10 +598,7 @@ function strip%(str: string%): string while ( isspace(*sp) && sp <= e ) ++sp; - if ( sp > e ) - return new StringVal(new BroString()); - else - return new StringVal(new BroString(sp, (e - sp + 1), 1)); + return new StringVal(new BroString(sp, (e - sp + 1), 1)); %} function string_fill%(len: int, source: string%): string From 64182833717f803e9f45c0f9d050a9732caf92e8 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Mon, 24 Jan 2011 13:43:49 -0500 Subject: [PATCH 13/24] Two more small compile time error fixes. --- src/Sessions.cc | 2 +- src/main.cc | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/src/Sessions.cc b/src/Sessions.cc index fd443d4dcc..ffa5cd22f5 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -1354,7 +1354,7 @@ void NetSessions::Internal(const char* msg, const struct pcap_pkthdr* hdr, const u_char* pkt) { DumpPacket(hdr, pkt); - internal_error(msg); + internal_error("%s", msg); } void NetSessions::Weird(const char* name, diff --git a/src/main.cc b/src/main.cc index 82866302fd..a8f283dcbc 100644 --- a/src/main.cc +++ b/src/main.cc @@ -8,6 +8,7 @@ #include #include #include +#include #ifdef HAVE_GETOPT_H #include #endif @@ -421,7 +422,7 @@ int main(int argc, char** argv) prog = argv[0]; - prefixes.append(""); // "" = "no prefix" + prefixes.append(strdup("")); // "" = "no prefix" char* p = getenv("BRO_PREFIXES"); if ( p ) From c8076619ce54177def38e515c6466ebda237798f Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Fri, 28 Jan 2011 16:18:57 -0500 Subject: [PATCH 14/24] Added new TLS ciphers --- policy/bro.init | 2 +- policy/ssl-ciphers.bro | 5 ++++ src/SSLCiphers.cc | 53 ++++++++++++++++++++++++++++++++++++++++++ src/SSLCiphers.h | 11 ++++++++- 4 files changed, 69 insertions(+), 2 deletions(-) diff --git a/policy/bro.init b/policy/bro.init index 1ba8f59b4d..e8f208bb6b 100644 --- a/policy/bro.init +++ b/policy/bro.init @@ -905,7 +905,7 @@ global dns_max_queries = 5; # The maxiumum size in bytes for an SSL cipherspec. If we see a packet that # has bigger cipherspecs, we warn and won't do a comparisons of cipherspecs. -const ssl_max_cipherspec_size = 45 &redef; +const ssl_max_cipherspec_size = 68 &redef; # SSL and X.509 types. type cipher_suites_list: set[count]; diff --git a/policy/ssl-ciphers.bro b/policy/ssl-ciphers.bro index 307565eb36..3926d591cd 100644 --- a/policy/ssl-ciphers.bro +++ b/policy/ssl-ciphers.bro @@ -223,6 +223,11 @@ const SSL_RSA_FIPS_WITH_DES_CBC_SHA = 0xFEFE; const SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0xFEFF; const SSL_RSA_FIPS_WITH_DES_CBC_SHA_2 = 0xFFE1; const SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2 = 0xFFE0; +const SSL_RSA_WITH_RC2_CBC_MD5 = 0xFF80; +const SSL_RSA_WITH_IDEA_CBC_MD5 = 0xFF81; +const SSL_RSA_WITH_DES_CBC_MD5 = 0xFF82; +const SSL_RSA_WITH_3DES_EDE_CBC_MD5 = 0xFF83; +const TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF; # Cipher specifications native to TLS can be included in Version 2.0 client diff --git a/src/SSLCiphers.cc b/src/SSLCiphers.cc index 002262d853..400f7421ce 100644 --- a/src/SSLCiphers.cc +++ b/src/SSLCiphers.cc @@ -399,6 +399,48 @@ SSL_CipherSpec SSL_CipherSpecs[] = { // 128, // 160 //}, + + { SSL_RSA_WITH_RC2_CBC_MD5, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv20, + SSL_CIPHER_RC2, + SSL_MAC_MD5, + SSL_KEY_EXCHANGE_RSA, + 0, + 56, + 160 + }, + { SSL_RSA_WITH_IDEA_CBC_MD5, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv20, + SSL_CIPHER_IDEA, + SSL_MAC_MD5, + SSL_KEY_EXCHANGE_RSA, + 0, + 128, + 160 + }, + { SSL_RSA_WITH_DES_CBC_MD5, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv20, + SSL_CIPHER_DES, + SSL_MAC_MD5, + SSL_KEY_EXCHANGE_RSA, + 0, + 56, + 160 + }, + { SSL_RSA_WITH_3DES_EDE_CBC_MD5, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv20, + SSL_CIPHER_3DES, + SSL_MAC_MD5, + SSL_KEY_EXCHANGE_RSA, + 0, + 168, + 160 + }, + // --- special SSLv3 FIPS ciphers { SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_CIPHER_TYPE_BLOCK, @@ -1023,6 +1065,17 @@ SSL_CipherSpec SSL_CipherSpecs[] = { 160 }, + { TLS_EMPTY_RENEGOTIATION_INFO_SCSV, + SSL_CIPHER_TYPE_NULL, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_NULL, + SSL_MAC_NULL, + SSL_KEY_EXCHANGE_NULL, + 0, + 0, + 0 + }, + }; diff --git a/src/SSLCiphers.h b/src/SSLCiphers.h index 408a3b1567..12b3ecc0aa 100644 --- a/src/SSLCiphers.h +++ b/src/SSLCiphers.h @@ -253,11 +253,20 @@ enum SSL3_1_CipherSpec { TLS_ECDHE_PSK_WITH_NULL_SHA = 0xC039, TLS_ECDHE_PSK_WITH_NULL_SHA256 = 0xC03A, TLS_ECDHE_PSK_WITH_NULL_SHA384 = 0xC03B, + // --- special SSLv3 FIPS ciphers SSL_RSA_FIPS_WITH_DES_CBC_SHA = 0xFEFE, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0xFEFF, SSL_RSA_FIPS_WITH_DES_CBC_SHA_2 = 0xFFE1, - SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2 = 0xFFe0, + SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2 = 0xFFE0, + + // Tags for SSL 2 cipher kinds which are not specified for SSL 3. + SSL_RSA_WITH_RC2_CBC_MD5 = 0xFF80, + SSL_RSA_WITH_IDEA_CBC_MD5 = 0xFF81, + SSL_RSA_WITH_DES_CBC_MD5 = 0xFF82, + SSL_RSA_WITH_3DES_EDE_CBC_MD5 = 0xFF83, + + TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF, }; enum SSL_CipherType { From 1ccfca09ac6f04e508de764686c40670915d732c Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Fri, 28 Jan 2011 16:24:07 -0500 Subject: [PATCH 15/24] Fixes to SSL/TLS analyzer Analyzer can cope with zero length client and server certificates. It does still generate a weird though. Extended cipherspec_size weirds are not thrown anymore, they are incredibly overwhelming and should be handled completely at the scripting in my opinion. Integrated and expanded on patch Rmkml from ticket #209 that fixes problem with not parsing or expecting SSL extensions. SSL extensions still are not extracted and passed to script land, but the analyzer doesn't fail anymore. --- src/SSLProxy.cc | 2 - src/SSLv3.cc | 188 ++++++++++++++++++++++++------------------------ 2 files changed, 92 insertions(+), 98 deletions(-) diff --git a/src/SSLProxy.cc b/src/SSLProxy.cc index a0cf73b8fb..38ce3ba085 100644 --- a/src/SSLProxy.cc +++ b/src/SSLProxy.cc @@ -174,7 +174,6 @@ bool SSL_RecordBuilder::addSegment(const u_char* data, int length) if ( ! computeExpectedSize(data, length) ) return false; - // Insert weird here replacing assert. if ( neededSize > expectedSize ) { sslEndpoint->Weird("SSL_RecordBuilder::addSegment neededSize > expectedSize"); @@ -278,7 +277,6 @@ bool SSL_RecordBuilder::addSegment(const u_char* data, int length) { // another (middle) segment if ( length <= MIN_FRAGMENT_SIZE ) sslEndpoint->Parent()->Weird( "SSLProxy: Excessive small TCP Segment!" ); - addData(data, length); break; } diff --git a/src/SSLv3.cc b/src/SSLv3.cc index 92d18c6f26..9343b5076f 100644 --- a/src/SSLv3.cc +++ b/src/SSLv3.cc @@ -383,84 +383,71 @@ void SSLv3_Interpreter::DeliverSSLv3_Record(SSLv3_HandshakeRecord* rec) case SSL3_1_CERTIFICATE: { - if ( rec->length >= 3 ) + const u_char* pData = rec->data; + uint32 certListLength = + uint32((pData[4] << 16) | + pData[5] << 8) | pData[6]; + + // Sum of all cert sizes has to match + // certListLength. + uint tempLength = 0; + uint certCount = 0; + while ( tempLength < certListLength ) { - const u_char* pData = rec->data; - uint32 certListLength = - uint32((pData[4] << 16) | - pData[5] << 8) | pData[6]; - - // Size consistency checks. - if ( certListLength + 3 != uint32(rec->length) ) + if ( tempLength + 3 <= certListLength ) { - if ( rec->endp->IsOrig() ) - Weird("SSLv3x: Corrupt length field in client certificate list!"); - else - Weird("SSLv3x: Corrupt length field in server certificate list!"); - return; - } - - // Sum of all cert sizes has to match - // certListLength. - uint tempLength = 0; - uint certCount = 0; - while ( tempLength < certListLength ) - { - if ( tempLength + 3 <= certListLength ) - { - ++certCount; - uint32 certLength = - uint32((pData[tempLength + 7] << 16) | pData[tempLength + 8] << 8) | pData[tempLength + 9]; - tempLength += certLength + 3; - } - else - { - Weird("SSLv3x: Corrupt length field in certificate list!"); - return; - } - } - - if ( tempLength > certListLength ) - { - Weird("SSLv3x: sum of size of certificates doesn't match size of certificate chain"); - return; - } - - SSL_InterpreterEndpoint* pEp = - (SSL_InterpreterEndpoint*) rec->endp; - - if ( certCount == 0 ) - { // we don't have a certificate... - if ( rec->endp->IsOrig() ) - { - Weird("SSLv3x: Client certificate is missing!"); - break; - } - else - { - Weird("SSLv3x: Server certificate is missing!"); - break; - } - } - - if ( certCount > 1 ) - { // we have a chain - analyzeCertificate(pEp, - rec->data + 7, - certListLength, 1, true); + ++certCount; + uint32 certLength = + uint32((pData[tempLength + 7] << 16) | pData[tempLength + 8] << 8) | pData[tempLength + 9]; + tempLength += certLength + 3; } else { - // We have a single certificate. - // FIXME. - analyzeCertificate(pEp, - rec->data + 10, - certListLength-3, 1, false); + Weird("SSLv3x: Corrupt length field in certificate list!"); + return; } + } + if ( tempLength > certListLength ) + { + Weird("SSLv3x: sum of size of certificates doesn't match size of certificate chain"); + return; + } + + SSL_InterpreterEndpoint* pEp = + (SSL_InterpreterEndpoint*) rec->endp; + + if ( certCount == 0 ) + { + // we don't have a certificate, but this is valid + // according to RFC2246 + if ( rec->endp->IsOrig() ) + { + Weird("SSLv3x: Client certificate is missing!"); + break; + } + else + { + Weird("SSLv3x: Server certificate is missing!"); + break; + } + } + + if ( certCount > 1 ) + { // we have a chain + analyzeCertificate(pEp, + rec->data + 7, + certListLength, 1, true); } else - Weird("SSLv3x: Certificate record too small!" ); + { + // We have a single certificate. + // FIXME. + analyzeCertificate(pEp, + rec->data + 10, + certListLength-3, 1, false); + } + break; } @@ -938,13 +925,15 @@ TableVal* SSLv3_Interpreter::analyzeCiphers(const SSLv3_Endpoint* s, int length, { int is_orig = (SSL_InterpreterEndpoint*) s == orig; - if ( length > ssl_max_cipherspec_size ) - { - if ( is_orig ) - Weird("SSLv3: Client has CipherSpecs > ssl_max_cipherspec_size"); - else - Weird("SSLv3: Server has CipherSpecs > ssl_max_cipherspec_size"); - } + // This probably shouldn't be a weird. This data should be passed to + // script layer and dealt with there as appropriate. + //if ( length > ssl_max_cipherspec_size ) + // { + // if ( is_orig ) + // Weird("SSLv3: Client has CipherSpecs > ssl_max_cipherspec_size"); + // else + // Weird("SSLv3: Server has CipherSpecs > ssl_max_cipherspec_size"); + // } const u_char* pCipher = data; SSL_CipherSpec* pCipherSuiteTemp = 0; @@ -1236,16 +1225,6 @@ SSLv3_HandshakeRecord::SSLv3_HandshakeRecord(const u_char* data, int len, uint16 version, SSLv3_Endpoint const* e) : SSLv3_Record(data, len, version, e) { - // Weird-check for minimum handshake length header. - if ( len < 4 ) - { - e->Interpreter()->Weird("SSLv3x: Handshake-header-length too small!"); - type = 255; - length = 0; - next = 0; - return; - } - // Don't analyze encrypted client handshake messages. if ( e->IsOrig() && ((SSLv3_Interpreter*) e->Interpreter())->change_cipher_client_seen && @@ -1270,7 +1249,10 @@ SSLv3_HandshakeRecord::SSLv3_HandshakeRecord(const u_char* data, int len, type = uint8(*(this->data)); length = ExtractInt24(data, len, 1); - if ( length + 4 < len ) + + if ( length == 0 ) // this is a special case to deal with 0 length certs + next = 0; + else if ( length + 4 < len ) next = new SSLv3_HandshakeRecord(data + length + 4, len - (length + 4), version, e); else if ( length + 4 > len ) @@ -1340,7 +1322,6 @@ int SSLv3_HandshakeRecord::checkClientHello() uint16 cipherSuiteLength = uint16(data[offset] << 8) | data[offset+1]; offset += (2 + cipherSuiteLength); - if ( cipherSuiteLength < 2 ) endp->Interpreter()->Weird("SSLv3x: CipherSuite length too small!"); @@ -1352,16 +1333,14 @@ int SSLv3_HandshakeRecord::checkClientHello() uint8 compressionMethodLength = uint8(data[offset]); offset += (1 + compressionMethodLength); - if ( compressionMethodLength < 1 ) endp->Interpreter()->Weird("SSLv3x: CompressionMethod length too small!"); - if ( offset != length ) + if ( offset < length ) { uint16 sslExtensionsLength = - uint16(data[offset] << 8 ) | data[offset+1]; + uint16(data[offset] << 8) | data[offset+1]; offset += 2; - if ( sslExtensionsLength < 4 ) endp->Interpreter()->Weird("SSLv3x: Extensions length too small!"); @@ -1391,16 +1370,33 @@ int SSLv3_HandshakeRecord::checkServerHello() version != SSLProxy_Analyzer::SSLv31 ) endp->Interpreter()->Weird("SSLv3x: Corrupt version information in Server hello!"); - uint8 sessionIDLength = uint8(data[38]); + uint16 offset = 38; + uint8 sessionIDLength = uint8(data[offset]); if ( sessionIDLength > 32 ) { endp->Interpreter()->Weird("SSLv3x: SessionID too long in Server hello!"); return 0; } - - if ( (sessionIDLength + 45) != length ) + offset += (1 + sessionIDLength); + + offset += 3; // account for cipher and compression method + if ( offset < length ) { - endp->Interpreter()->Weird("SSLv3x: Corrupt length fields in Server hello!"); + uint16 sslExtensionsLength = + uint16(data[offset] << 8) | data[offset+1]; + offset += 2; + if ( sslExtensionsLength < 4 ) + endp->Interpreter()->Weird("SSLv3x: Extensions length too small!"); + + // TODO: extract SSL extensions here + offset += sslExtensionsLength; + + if ( offset != length+4 ) + { + endp->Interpreter()->Weird("SSLv3x: Corrupt length fields in Server hello!"); + return 0; + } + return 0; } From 65687d86d834e722b39164c5d0664b1906510804 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Mon, 31 Jan 2011 12:19:11 -0500 Subject: [PATCH 16/24] *Now* this passes the test suite. I got the last fix wrong and I was still misunderstanding one behavior of the existing do_split function. When a separator match goes to the last character of the string, a blank string element should be appended to the string_array to indicate that a successful split occurred. --- src/strings.bif | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/strings.bif b/src/strings.bif index 77ac90ddd4..af3ebed149 100644 --- a/src/strings.bif +++ b/src/strings.bif @@ -211,7 +211,7 @@ Val* do_split(StringVal* str_val, RE_Matcher* re, TableVal* other_sep, int num_sep = 0; int offset = 0; - while ( n > 0 ) + while ( n >= 0 ) { offset = 0; // Find next match offset. @@ -227,25 +227,25 @@ Val* do_split(StringVal* str_val, RE_Matcher* re, TableVal* other_sep, Val* ind = new Val(++num, TYPE_COUNT); a->Assign(ind, new StringVal(offset, (const char*) s)); Unref(ind); - + // No more separators will be needed if this is the end of string. if ( n <= 0 ) break; - + if ( incl_sep ) { // including the part that matches the pattern ind = new Val(++num, TYPE_COUNT); a->Assign(ind, new StringVal(end_of_match, (const char*) s+offset)); Unref(ind); } - + if ( max_num_sep && num_sep >= max_num_sep ) break; ++num_sep; n -= end_of_match; - s += offset; + s += offset + end_of_match;; if ( s > end_of_s ) internal_error("RegMatch in split goes beyond the string"); From ee6abcba72f5d64199928345740dd195a264296c Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 3 Feb 2011 21:57:11 -0800 Subject: [PATCH 17/24] Updating submodule(s). --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broctl b/aux/broctl index 572efd43cf..3910266eb0 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 572efd43cf52e4c41b32a9c5a4a015f783370b41 +Subproject commit 3910266eb016a6dd30616c13ebe93a925fda2a72 From 51b3efbb1a803f0d9f464babb696a9338c22c4d7 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 4 Feb 2011 17:39:38 -0800 Subject: [PATCH 18/24] Fixing bug with defining bro_int_t and bro_uint_t as 64-bit in some platforms. --- src/util.h | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/src/util.h b/src/util.h index f4f007a27d..43e0f2c6c1 100644 --- a/src/util.h +++ b/src/util.h @@ -39,13 +39,9 @@ extern HeapLeakChecker* heap_checker; #endif -typedef unsigned long long int uint64; typedef unsigned int uint32; typedef unsigned short uint16; typedef unsigned char uint8; -typedef long long int int64; -typedef int64 bro_int_t; -typedef uint64 bro_uint_t; #if SIZEOF_LONG_LONG == 8 typedef unsigned long long uint64; @@ -57,6 +53,9 @@ typedef long int int64; # error "Couldn't reliably identify 64-bit type. Please report to bro@bro-ids.org." #endif +typedef int64 bro_int_t; +typedef uint64 bro_uint_t; + // "ptr_compat_uint" and "ptr_compat_int" are (un)signed integers of // pointer size. They can be cast safely to a pointer, e.g. in Lists, // which represent their entities as void* pointers. From 4d12ac861da59ca13d009586da5f1624aaeb299f Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 4 Feb 2011 17:58:19 -0800 Subject: [PATCH 19/24] Smarter way to increase the parent/child pipe's socket buffer. (Craig Leres). This is from #383. --- src/RemoteSerializer.cc | 54 ++++++++++++++++++++++++++--------------- src/RemoteSerializer.h | 2 ++ 2 files changed, 37 insertions(+), 19 deletions(-) diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc index 51add7c3df..22e98b29ae 100644 --- a/src/RemoteSerializer.cc +++ b/src/RemoteSerializer.cc @@ -544,6 +544,36 @@ void RemoteSerializer::Init() initialized = 1; } +void RemoteSerializer::SetSocketBufferSize(int fd, int opt, const char *what, int size, int verbose) + { + int defsize = 0; + socklen_t len = sizeof(defsize); + + if ( getsockopt(fd, SOL_SOCKET, opt, (void *)&defsize, &len) < 0 ) + { + if ( verbose ) + Log(LogInfo, fmt("warning: cannot get socket buffer size (%s): %s", what, strerror(errno))); + return; + } + + for ( int trysize = size; trysize > defsize; trysize -= 1024 ) + { + if ( setsockopt(fd, SOL_SOCKET, opt, &trysize, sizeof(trysize)) >= 0 ) + { + if ( verbose ) + { + if ( trysize == size ) + Log(LogInfo, fmt("raised pipe's socket buffer size from %dK to %dK", defsize / 1024, trysize / 1024)); + else + Log(LogInfo, fmt("raised pipe's socket buffer size from %dK to %dK (%dK was requested)", defsize / 1024, trysize / 1024, size / 1024)); + } + return; + } + } + + Log(LogInfo, fmt("warning: cannot increase %s socket buffer size from %dK (%dK was requested)", what, defsize / 1024, size / 1024)); + } + void RemoteSerializer::Fork() { if ( child_pid ) @@ -562,25 +592,11 @@ void RemoteSerializer::Fork() return; } - int bufsize; - socklen_t len = sizeof(bufsize); - - if ( getsockopt(pipe[0], SOL_SOCKET, SO_SNDBUF, &bufsize, &len ) < 0 ) - Log(LogInfo, fmt("warning: cannot get socket buffer size: %s", strerror(errno))); - else - Log(LogInfo, fmt("pipe's socket buffer size is %d, setting to %d", bufsize, SOCKBUF_SIZE)); - - bufsize = SOCKBUF_SIZE; - - if ( setsockopt(pipe[0], SOL_SOCKET, SO_SNDBUF, - &bufsize, sizeof(bufsize) ) < 0 || - setsockopt(pipe[0], SOL_SOCKET, SO_RCVBUF, - &bufsize, sizeof(bufsize) ) < 0 || - setsockopt(pipe[1], SOL_SOCKET, SO_SNDBUF, - &bufsize, sizeof(bufsize) ) < 0 || - setsockopt(pipe[1], SOL_SOCKET, SO_RCVBUF, - &bufsize, sizeof(bufsize) ) < 0 ) - Log(LogInfo, fmt("warning: cannot set socket buffer size to %dK: %s", bufsize / 1024, strerror(errno))); + // Try to increase the size of the socket send and receive buffers. + SetSocketBufferSize(pipe[0], SO_SNDBUF, "SO_SNDBUF", SOCKBUF_SIZE, 1); + SetSocketBufferSize(pipe[0], SO_RCVBUF, "SO_RCVBUF", SOCKBUF_SIZE, 0); + SetSocketBufferSize(pipe[1], SO_SNDBUF, "SO_SNDBUF", SOCKBUF_SIZE, 0); + SetSocketBufferSize(pipe[1], SO_RCVBUF, "SO_RCVBUF", SOCKBUF_SIZE, 0); child_pid = 0; diff --git a/src/RemoteSerializer.h b/src/RemoteSerializer.h index a84a0619fa..6afec4ec6f 100644 --- a/src/RemoteSerializer.h +++ b/src/RemoteSerializer.h @@ -297,6 +297,8 @@ protected: bool SendToChild(char type, Peer* peer, int nargs, ...); // can send uints32 only bool SendToChild(ChunkedIO::Chunk* c); + void SetSocketBufferSize(int fd, int opt, const char *what, int size, int verbose); + private: enum { TYPE, ARGS } msgstate; // current state of reading comm. Peer* current_peer; From 0d9de7d71997c783c273b1e2b7b00c9cf864b037 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 7 Feb 2011 14:07:29 -0800 Subject: [PATCH 20/24] Updating submodule(s). --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broctl b/aux/broctl index 3910266eb0..fc940bbb72 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 3910266eb016a6dd30616c13ebe93a925fda2a72 +Subproject commit fc940bbb72abbaef2e5f10ea4ab616ec9b61fe0a From 275c6e64cce6a0a9e187c347864c909e04b4ef03 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 8 Feb 2011 12:47:10 -0500 Subject: [PATCH 21/24] PRI macros are currently not working for some reason. --- src/RemoteSerializer.cc | 29 +++++++++++++++-------------- src/SMB.cc | 4 +++- 2 files changed, 18 insertions(+), 15 deletions(-) diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc index 6709ea0456..7d731c5204 100644 --- a/src/RemoteSerializer.cc +++ b/src/RemoteSerializer.cc @@ -159,6 +159,7 @@ #include #include #include +#include #include "config.h" #ifdef TIME_WITH_SYS_TIME @@ -1505,13 +1506,13 @@ bool RemoteSerializer::DoMessage() { // We shut the connection to this peer down, // so we ignore all further messages. - DEBUG_COMM(fmt("parent: ignoring %s due to shutdown of peer #%llu", + DEBUG_COMM(fmt("parent: ignoring %s due to shutdown of peer #%" PRId64, msgToStr(current_msgtype), current_peer ? current_peer->id : 0)); return true; } - DEBUG_COMM(fmt("parent: %s from child; peer is #%llu", + DEBUG_COMM(fmt("parent: %s from child; peer is #%" PRId64, msgToStr(current_msgtype), current_peer ? current_peer->id : 0)); @@ -2610,7 +2611,7 @@ bool RemoteSerializer::SendCMsgToChild(char msg_type, Peer* peer) bool RemoteSerializer::SendToChild(char type, Peer* peer, char* str, int len) { - DEBUG_COMM(fmt("parent: (->child) %s (#%d, %s)", msgToStr(type), (uint32_t) (peer ? peer->id : PEER_NONE), str)); + DEBUG_COMM(fmt("parent: (->child) %s (#%" PRId64 ", %s)", msgToStr(type), peer ? peer->id : PEER_NONE, str)); if ( ! child_pid ) return false; @@ -2634,8 +2635,8 @@ bool RemoteSerializer::SendToChild(char type, Peer* peer, int nargs, ...) #ifdef DEBUG va_start(ap, nargs); - DEBUG_COMM(fmt("parent: (->child) %s (#%d,%s)", - msgToStr(type), (uint32_t) (peer ? peer->id : PEER_NONE), fmt_uint32s(nargs, ap))); + DEBUG_COMM(fmt("parent: (->child) %s (#%" PRId64 ",%s)", + msgToStr(type), peer ? peer->id : PEER_NONE, fmt_uint32s(nargs, ap))); va_end(ap); #endif @@ -3235,7 +3236,7 @@ bool SocketComm::ForwardChunkToPeer() { #ifdef DEBUG if ( parent_peer ) - DEBUG_COMM(fmt("child: not connected to #%d", (uint) parent_id)); + DEBUG_COMM(fmt("child: not connected to #%" PRId64, parent_id)); #endif } @@ -3318,8 +3319,8 @@ bool SocketComm::ProcessRemoteMessage(SocketComm::Peer* peer) CMsg* msg = (CMsg*) c->data; - DEBUG_COMM(fmt("child: %s from peer #%d", - msgToStr(msg->Type()), (uint) peer->id)); + DEBUG_COMM(fmt("child: %s from peer #%" PRId64, + msgToStr(msg->Type()), peer->id)); switch ( msg->Type() ) { case MSG_PHASE_DONE: @@ -3795,7 +3796,7 @@ bool SocketComm::SendToParent(char type, Peer* peer, const char* str, int len) #ifdef DEBUG // str may already by constructed with fmt() const char* tmp = copy_string(str); - DEBUG_COMM(fmt("child: (->parent) %s (#%d, %s)", msgToStr(type), (uint) (peer ? peer->id : RemoteSerializer::PEER_NONE), tmp)); + DEBUG_COMM(fmt("child: (->parent) %s (#%" PRId64 ", %s)", msgToStr(type), peer ? peer->id : RemoteSerializer::PEER_NONE, tmp)); delete [] tmp; #endif if ( sendToIO(io, type, peer ? peer->id : RemoteSerializer::PEER_NONE, @@ -3814,7 +3815,7 @@ bool SocketComm::SendToParent(char type, Peer* peer, int nargs, ...) #ifdef DEBUG va_start(ap,nargs); - DEBUG_COMM(fmt("child: (->parent) %s (#%d,%s)", msgToStr(type), (uint) (peer ? peer->id : RemoteSerializer::PEER_NONE), fmt_uint32s(nargs, ap))); + DEBUG_COMM(fmt("child: (->parent) %s (#%" PRId64 ",%s)", msgToStr(type), peer ? peer->id : RemoteSerializer::PEER_NONE, fmt_uint32s(nargs, ap))); va_end(ap); #endif @@ -3850,7 +3851,7 @@ bool SocketComm::SendToPeer(Peer* peer, char type, const char* str, int len) #ifdef DEBUG // str may already by constructed with fmt() const char* tmp = copy_string(str); - DEBUG_COMM(fmt("child: (->peer) %s to #%d (%s)", msgToStr(type), (uint) peer->id, tmp)); + DEBUG_COMM(fmt("child: (->peer) %s to #%" PRId64 " (%s)", msgToStr(type), peer->id, tmp)); delete [] tmp; #endif @@ -3869,8 +3870,8 @@ bool SocketComm::SendToPeer(Peer* peer, char type, int nargs, ...) #ifdef DEBUG va_start(ap,nargs); - DEBUG_COMM(fmt("child: (->peer) %s to #%d (%s)", - msgToStr(type), (uint) peer->id, fmt_uint32s(nargs, ap))); + DEBUG_COMM(fmt("child: (->peer) %s to #%" PRId64 " (%s)", + msgToStr(type), peer->id, fmt_uint32s(nargs, ap))); va_end(ap); #endif @@ -3890,7 +3891,7 @@ bool SocketComm::SendToPeer(Peer* peer, char type, int nargs, ...) bool SocketComm::SendToPeer(Peer* peer, ChunkedIO::Chunk* c) { - DEBUG_COMM(fmt("child: (->peer) chunk of size %d to #%d", c->len, (uint) peer->id)); + DEBUG_COMM(fmt("child: (->peer) chunk of size %d to #%" PRId64, c->len, peer->id)); if ( ! sendToIO(peer->io, c) ) { Error(fmt("child: write error %s", io->Error()), peer); diff --git a/src/SMB.cc b/src/SMB.cc index a950302090..5520ef4848 100644 --- a/src/SMB.cc +++ b/src/SMB.cc @@ -6,6 +6,7 @@ #include "SMB.h" #include "smb_pac.h" #include "Val.h" +#include "inttypes.h" namespace { const bool DEBUG_smb_ipc = true; @@ -166,7 +167,8 @@ void SMB_Session::Deliver(int is_orig, int len, const u_char* data) const u_char* tmp = data_start + next; if ( data_start + next < data + body.length() ) { - Weird(fmt("ANDX buffer overlapping: next = %d, buffer_end = %ld", next, data + body.length() - data_start)); + //Weird(fmt("ANDX buffer overlapping: next = %d, buffer_end = %" PRId32, next, data + body.length() - data_start)); + printf("ANDX buffer overlapping: next = %" PRId64 ", buffer_end = %" PRId32 " ", next, data + body.length() - data_start); break; } From 888719e922bd1cb154de17749825da184a969c8d Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 8 Feb 2011 14:22:23 -0800 Subject: [PATCH 22/24] Adding new aux/btest submodule. --- .gitmodules | 3 +++ aux/btest | 1 + 2 files changed, 4 insertions(+) create mode 160000 aux/btest diff --git a/.gitmodules b/.gitmodules index e2dcd2b8a4..326e1fe506 100644 --- a/.gitmodules +++ b/.gitmodules @@ -10,3 +10,6 @@ [submodule "aux/broctl"] path = aux/broctl url = git://git.icir.org/broctl +[submodule "aux/btest"] + path = aux/btest + url = git://git.icir.org/btest diff --git a/aux/btest b/aux/btest new file mode 160000 index 0000000000..a2b04952ae --- /dev/null +++ b/aux/btest @@ -0,0 +1 @@ +Subproject commit a2b04952ae91dcd27d5e68a42d5d26c291ecb1f5 From b54445b725609b8439a643325c1457d63382d07b Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 8 Feb 2011 20:28:56 -0500 Subject: [PATCH 23/24] Fixed problem with PRI macros. Thanks Gregor! --- src/RemoteSerializer.cc | 1 - src/SMB.cc | 4 +--- src/util.h | 6 ++++++ 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc index 7d731c5204..f185b0c4ff 100644 --- a/src/RemoteSerializer.cc +++ b/src/RemoteSerializer.cc @@ -159,7 +159,6 @@ #include #include #include -#include #include "config.h" #ifdef TIME_WITH_SYS_TIME diff --git a/src/SMB.cc b/src/SMB.cc index 5520ef4848..78caf55eab 100644 --- a/src/SMB.cc +++ b/src/SMB.cc @@ -6,7 +6,6 @@ #include "SMB.h" #include "smb_pac.h" #include "Val.h" -#include "inttypes.h" namespace { const bool DEBUG_smb_ipc = true; @@ -167,8 +166,7 @@ void SMB_Session::Deliver(int is_orig, int len, const u_char* data) const u_char* tmp = data_start + next; if ( data_start + next < data + body.length() ) { - //Weird(fmt("ANDX buffer overlapping: next = %d, buffer_end = %" PRId32, next, data + body.length() - data_start)); - printf("ANDX buffer overlapping: next = %" PRId64 ", buffer_end = %" PRId32 " ", next, data + body.length() - data_start); + Weird(fmt("ANDX buffer overlapping: next = %d, buffer_end = %" PRIdPTR, next, data + body.length() - data_start)); break; } diff --git a/src/util.h b/src/util.h index f4f007a27d..4e648cee5d 100644 --- a/src/util.h +++ b/src/util.h @@ -11,6 +11,12 @@ #include #include "config.h" +#define _ISOC99_SOURCE +#define __STDC_LIMIT_MACROS +#define __STDC_CONSTANT_MACROS +#define __STDC_FORMAT_MACROS +#include "inttypes.h" + #if __STDC__ #define myattribute __attribute__ #else From f79a1f6e584df4369d9059ddbbab25b942380650 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Wed, 16 Feb 2011 08:44:33 -0800 Subject: [PATCH 24/24] Updating submodule(s). --- aux/bro-aux | 2 +- aux/broccoli | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/aux/bro-aux b/aux/bro-aux index afa0a0d8b3..7e50bac938 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit afa0a0d8b3fdfa5306507948f08ac9f07696eb21 +Subproject commit 7e50bac938af1831ecf9660159145a3c2e77e13d diff --git a/aux/broccoli b/aux/broccoli index 2b8a1c9c32..a1c6b6e59b 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit 2b8a1c9c32dab2da9ebb54238c1b60e40bb8688f +Subproject commit a1c6b6e59b3087b6b79a37a847c669b61ae2c522