Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-05 16:18:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge remote branch 'origin/master' into topic/robin/logging-internals

Browse source
This commit is contained in:
Robin Sommer 2011-02-20 17:18:06 -08:00
commit c015605113
29 changed files with 1696 additions and 795 deletions
Download patch file Download diff file Expand all files Collapse all files

3
.gitmodules vendored
View file

@ -10,3 +10,6 @@
[submodule "aux/broctl"] [submodule "aux/broctl"]
path = aux/broctl path = aux/broctl
url = git://git.icir.org/broctl url = git://git.icir.org/broctl
[submodule "aux/btest"]
path = aux/btest
url = git://git.icir.org/btest

25
CHANGES
View file

@ -1,3 +1,28 @@
1.6-dev.45 Tue Feb 8 21:28:01 PST 2011
- Fixing a number of compiler warnings. (Seth Hall and Robin Sommer)
1.6-dev.44 Tue Feb 8 20:11:44 PST 2011
- A number of updates to the SSL analyzer, including support for new
ciphers; SSL extensions; and bug fixes. The analyzer does not longer
throw weird for exceeding a predefined cipherspec_size anymore.
(Seth Hall and Rmkml).
- The various split*() BiFs now handle strings containing null bytes
correctly. (Seth Hall)
- Adding new aux/btest submodule. This is a framework we will use in
the future for doing unit tests. (Robin Sommer)
1.6-dev.41 Mon Feb 7 13:43:56 PST 2011
- Smarter way to increase the parent/child pipe's socket buffer.
(Craig Leres).
- Fixing bug with defining bro_int_t and bro_uint_t to be 64 bits wide
on some platforms. (Robin Sommer)
1.6-dev.39 Mon Jan 31 16:42:23 PST 2011 1.6-dev.39 Mon Jan 31 16:42:23 PST 2011
- Login's confused messages now go through weird.bro. (Robin Sommer) - Login's confused messages now go through weird.bro. (Robin Sommer)

2
VERSION
View file

@ -1 +1 @@
1.6-dev.39 1.6-dev.45

2
aux/bro-aux

@ -1 +1 @@
Subproject commit afa0a0d8b3fdfa5306507948f08ac9f07696eb21 Subproject commit 7e50bac938af1831ecf9660159145a3c2e77e13d

2
aux/broccoli

@ -1 +1 @@
Subproject commit 2b8a1c9c32dab2da9ebb54238c1b60e40bb8688f Subproject commit a1c6b6e59b3087b6b79a37a847c669b61ae2c522

2
aux/broctl

@ -1 +1 @@
Subproject commit 572efd43cf52e4c41b32a9c5a4a015f783370b41 Subproject commit fc940bbb72abbaef2e5f10ea4ab616ec9b61fe0a

1
aux/btest Submodule

@ -0,0 +1 @@
Subproject commit a2b04952ae91dcd27d5e68a42d5d26c291ecb1f5

4
policy/bro.init
View file

@ -966,8 +966,8 @@ global dns_skip_all_addl = T &redef;
global dns_max_queries = 5; global dns_max_queries = 5;
# The maxiumum size in bytes for an SSL cipherspec. If we see a packet that # The maxiumum size in bytes for an SSL cipherspec. If we see a packet that
# has bigger cipherspecs, we warn and won't do a comparisons of cipherspecs. # has bigger cipherspecs, we won't do a comparisons of cipherspecs.
const ssl_max_cipherspec_size = 45 &redef; const ssl_max_cipherspec_size = 68 &redef;
# SSL and X.509 types. # SSL and X.509 types.
type cipher_suites_list: set[count]; type cipher_suites_list: set[count];

1014
policy/ssl-ciphers.bro
View file

File diff suppressed because it is too large Load diff

41
policy/ssl.bro
View file

@ -85,29 +85,28 @@ const myWeakCiphers: set[count] = {
SSLv20_CK_RC2_128_CBC_EXPORT40_WITH_MD5, SSLv20_CK_RC2_128_CBC_EXPORT40_WITH_MD5,
SSLv20_CK_DES_64_CBC_WITH_MD5, SSLv20_CK_DES_64_CBC_WITH_MD5,
SSLv3x_NULL_WITH_NULL_NULL, TLS_NULL_WITH_NULL_NULL,
SSLv3x_RSA_WITH_NULL_MD5, TLS_RSA_WITH_NULL_MD5,
SSLv3x_RSA_WITH_NULL_SHA, TLS_RSA_WITH_NULL_SHA,
SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5, TLS_RSA_EXPORT_WITH_RC4_40_MD5,
SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5, TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
SSLv3x_RSA_EXPORT_WITH_DES40_CBC_SHA, TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSLv3x_RSA_WITH_DES_CBC_SHA, TLS_RSA_WITH_DES_CBC_SHA,
SSLv3x_DH_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
SSLv3x_DH_DSS_WITH_DES_CBC_SHA, TLS_DH_DSS_WITH_DES_CBC_SHA,
SSLv3x_DH_RSA_EXPORT_WITH_DES40_CBC_SHA, TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSLv3x_DH_RSA_WITH_DES_CBC_SHA, TLS_DH_RSA_WITH_DES_CBC_SHA,
SSLv3x_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
SSLv3x_DHE_DSS_WITH_DES_CBC_SHA, TLS_DHE_DSS_WITH_DES_CBC_SHA,
SSLv3x_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSLv3x_DHE_RSA_WITH_DES_CBC_SHA, TLS_DHE_RSA_WITH_DES_CBC_SHA,
SSLv3x_DH_anon_EXPORT_WITH_RC4_40_MD5, TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5,
SSLv3x_DH_anon_WITH_RC4_128_MD5, TLS_DH_ANON_WITH_RC4_128_MD5,
SSLv3x_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA,
SSLv3x_DH_anon_WITH_DES_CBC_SHA, TLS_DH_ANON_WITH_DES_CBC_SHA,
SSLv3x_DH_anon_WITH_3DES_EDE_CBC_SHA, TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA,
SSLv3x_FORTEZZA_KEA_WITH_NULL_SHA
}; };
const x509_ignore_errors: set[int] = { const x509_ignore_errors: set[int] = {

8
src/CMakeLists.txt
View file

@ -160,7 +160,7 @@ macro(BINPAC_TARGET pacFile)
add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${basename}_pac.h add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${basename}_pac.h
${CMAKE_CURRENT_BINARY_DIR}/${basename}_pac.cc ${CMAKE_CURRENT_BINARY_DIR}/${basename}_pac.cc
COMMAND ${BinPAC_EXE} COMMAND ${BinPAC_EXE}
ARGS -d ${CMAKE_CURRENT_BINARY_DIR} ARGS -q -d ${CMAKE_CURRENT_BINARY_DIR}
-I ${CMAKE_CURRENT_SOURCE_DIR} -I ${CMAKE_CURRENT_SOURCE_DIR}
${CMAKE_CURRENT_SOURCE_DIR}/${pacFile} ${CMAKE_CURRENT_SOURCE_DIR}/${pacFile}
DEPENDS ${BinPAC_EXE} ${pacFile} DEPENDS ${BinPAC_EXE} ${pacFile}
@ -177,9 +177,9 @@ binpac_target(binpac_bro-lib.pac)
binpac_target(bittorrent.pac binpac_target(bittorrent.pac
bittorrent-protocol.pac bittorrent-analyzer.pac) bittorrent-protocol.pac bittorrent-analyzer.pac)
binpac_target(dce_rpc.pac binpac_target(dce_rpc.pac
dce_rpc-protocol.pac dce_rpc-analyzer.pac) dce_rpc-protocol.pac dce_rpc-analyzer.pac epmapper.pac)
binpac_target(dce_rpc_simple.pac binpac_target(dce_rpc_simple.pac
dce_rpc-protocol.pac) dce_rpc-protocol.pac epmapper.pac)
binpac_target(dhcp.pac binpac_target(dhcp.pac
dhcp-protocol.pac dhcp-analyzer.pac) dhcp-protocol.pac dhcp-analyzer.pac)
binpac_target(dns.pac binpac_target(dns.pac
@ -217,6 +217,8 @@ add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/DebugCmdConstants.h
) )
set(dns_SRCS nb_dns.c nb_dns.h) set(dns_SRCS nb_dns.c nb_dns.h)
set_source_files_properties(nb_dns.c PROPERTIES COMPILE_FLAGS
-fno-strict-aliasing)
set(openssl_SRCS X509.cc SSLCiphers.cc SSLInterpreter.cc SSLProxy.cc set(openssl_SRCS X509.cc SSLCiphers.cc SSLInterpreter.cc SSLProxy.cc
SSLv2.cc SSLv3.cc SSLv3Automaton.cc) SSLv2.cc SSLv3.cc SSLv3Automaton.cc)

2
src/DCE_RPC.cc
View file

@ -82,7 +82,7 @@ UUID::UUID(const char* str)
} }
if ( i != 16 ) if ( i != 16 )
internal_error(fmt("invalid UUID string: %s", str)); internal_error("invalid UUID string: %s", str);
} }
typedef map<UUID, BroEnum::dce_rpc_if_id> uuid_map_t; typedef map<UUID, BroEnum::dce_rpc_if_id> uuid_map_t;

4
src/PrefixTable.cc
View file

@ -99,8 +99,8 @@ void* PrefixTable::Lookup(const Val* value, bool exact) const
break; break;
default: default:
internal_error(fmt("Wrong index type %d for PrefixTable", internal_error("Wrong index type %d for PrefixTable",
value->Type()->Tag())); value->Type()->Tag());
return 0; return 0;
} }
} }

78
src/RemoteSerializer.cc
View file

@ -544,6 +544,36 @@ void RemoteSerializer::Init()
initialized = 1; initialized = 1;
} }
void RemoteSerializer::SetSocketBufferSize(int fd, int opt, const char *what, int size, int verbose)
{
int defsize = 0;
socklen_t len = sizeof(defsize);
if ( getsockopt(fd, SOL_SOCKET, opt, (void *)&defsize, &len) < 0 )
{
if ( verbose )
Log(LogInfo, fmt("warning: cannot get socket buffer size (%s): %s", what, strerror(errno)));
return;
}
for ( int trysize = size; trysize > defsize; trysize -= 1024 )
{
if ( setsockopt(fd, SOL_SOCKET, opt, &trysize, sizeof(trysize)) >= 0 )
{
if ( verbose )
{
if ( trysize == size )
Log(LogInfo, fmt("raised pipe's socket buffer size from %dK to %dK", defsize / 1024, trysize / 1024));
else
Log(LogInfo, fmt("raised pipe's socket buffer size from %dK to %dK (%dK was requested)", defsize / 1024, trysize / 1024, size / 1024));
}
return;
}
}
Log(LogInfo, fmt("warning: cannot increase %s socket buffer size from %dK (%dK was requested)", what, defsize / 1024, size / 1024));
}
void RemoteSerializer::Fork() void RemoteSerializer::Fork()
{ {
if ( child_pid ) if ( child_pid )
@ -562,25 +592,11 @@ void RemoteSerializer::Fork()
return; return;
} }
int bufsize; // Try to increase the size of the socket send and receive buffers.
socklen_t len = sizeof(bufsize); SetSocketBufferSize(pipe[0], SO_SNDBUF, "SO_SNDBUF", SOCKBUF_SIZE, 1);
SetSocketBufferSize(pipe[0], SO_RCVBUF, "SO_RCVBUF", SOCKBUF_SIZE, 0);
if ( getsockopt(pipe[0], SOL_SOCKET, SO_SNDBUF, &bufsize, &len ) < 0 ) SetSocketBufferSize(pipe[1], SO_SNDBUF, "SO_SNDBUF", SOCKBUF_SIZE, 0);
Log(LogInfo, fmt("warning: cannot get socket buffer size: %s", strerror(errno))); SetSocketBufferSize(pipe[1], SO_RCVBUF, "SO_RCVBUF", SOCKBUF_SIZE, 0);
else
Log(LogInfo, fmt("pipe's socket buffer size is %d, setting to %d", bufsize, SOCKBUF_SIZE));
bufsize = SOCKBUF_SIZE;
if ( setsockopt(pipe[0], SOL_SOCKET, SO_SNDBUF,
&bufsize, sizeof(bufsize) ) < 0 ||
setsockopt(pipe[0], SOL_SOCKET, SO_RCVBUF,
&bufsize, sizeof(bufsize) ) < 0 ||
setsockopt(pipe[1], SOL_SOCKET, SO_SNDBUF,
&bufsize, sizeof(bufsize) ) < 0 ||
setsockopt(pipe[1], SOL_SOCKET, SO_RCVBUF,
&bufsize, sizeof(bufsize) ) < 0 )
Log(LogInfo, fmt("warning: cannot set socket buffer size to %dK: %s", bufsize / 1024, strerror(errno)));
child_pid = 0; child_pid = 0;
@ -1500,13 +1516,13 @@ bool RemoteSerializer::DoMessage()
{ {
// We shut the connection to this peer down, // We shut the connection to this peer down,
// so we ignore all further messages. // so we ignore all further messages.
DEBUG_COMM(fmt("parent: ignoring %s due to shutdown of peer #%d", DEBUG_COMM(fmt("parent: ignoring %s due to shutdown of peer #%" PRI_SOURCE_ID,
msgToStr(current_msgtype), msgToStr(current_msgtype),
current_peer ? current_peer->id : 0)); current_peer ? current_peer->id : 0));
return true; return true;
} }
DEBUG_COMM(fmt("parent: %s from child; peer is #%d", DEBUG_COMM(fmt("parent: %s from child; peer is #%" PRI_SOURCE_ID,
msgToStr(current_msgtype), msgToStr(current_msgtype),
current_peer ? current_peer->id : 0)); current_peer ? current_peer->id : 0));
@ -2603,7 +2619,7 @@ bool RemoteSerializer::SendCMsgToChild(char msg_type, Peer* peer)
bool RemoteSerializer::SendToChild(char type, Peer* peer, char* str, int len) bool RemoteSerializer::SendToChild(char type, Peer* peer, char* str, int len)
{ {
DEBUG_COMM(fmt("parent: (->child) %s (#%d, %s)", msgToStr(type), peer ? peer->id : PEER_NONE, str)); DEBUG_COMM(fmt("parent: (->child) %s (#%" PRI_SOURCE_ID ", %s)", msgToStr(type), peer ? peer->id : PEER_NONE, str));
if ( ! child_pid ) if ( ! child_pid )
return false; return false;
@ -2627,7 +2643,7 @@ bool RemoteSerializer::SendToChild(char type, Peer* peer, int nargs, ...)
#ifdef DEBUG #ifdef DEBUG
va_start(ap, nargs); va_start(ap, nargs);
DEBUG_COMM(fmt("parent: (->child) %s (#%d,%s)", DEBUG_COMM(fmt("parent: (->child) %s (#%" PRI_SOURCE_ID ",%s)",
msgToStr(type), peer ? peer->id : PEER_NONE, fmt_uint32s(nargs, ap))); msgToStr(type), peer ? peer->id : PEER_NONE, fmt_uint32s(nargs, ap)));
va_end(ap); va_end(ap);
#endif #endif
@ -3058,7 +3074,7 @@ bool SocketComm::ProcessParentMessage()
} }
default: default:
internal_error(fmt("unknown msg type %d", parent_msgtype)); internal_error("unknown msg type %d", parent_msgtype);
return true; return true;
} }
@ -3228,7 +3244,7 @@ bool SocketComm::ForwardChunkToPeer()
{ {
#ifdef DEBUG #ifdef DEBUG
if ( parent_peer ) if ( parent_peer )
DEBUG_COMM(fmt("child: not connected to #%d", parent_id)); DEBUG_COMM(fmt("child: not connected to #%" PRI_SOURCE_ID, parent_id));
#endif #endif
} }
@ -3311,7 +3327,7 @@ bool SocketComm::ProcessRemoteMessage(SocketComm::Peer* peer)
CMsg* msg = (CMsg*) c->data; CMsg* msg = (CMsg*) c->data;
DEBUG_COMM(fmt("child: %s from peer #%d", DEBUG_COMM(fmt("child: %s from peer #%" PRI_SOURCE_ID,
msgToStr(msg->Type()), peer->id)); msgToStr(msg->Type()), peer->id));
switch ( msg->Type() ) { switch ( msg->Type() ) {
@ -3788,7 +3804,7 @@ bool SocketComm::SendToParent(char type, Peer* peer, const char* str, int len)
#ifdef DEBUG #ifdef DEBUG
// str may already by constructed with fmt() // str may already by constructed with fmt()
const char* tmp = copy_string(str); const char* tmp = copy_string(str);
DEBUG_COMM(fmt("child: (->parent) %s (#%d, %s)", msgToStr(type), peer ? peer->id : RemoteSerializer::PEER_NONE, tmp)); DEBUG_COMM(fmt("child: (->parent) %s (#%" PRI_SOURCE_ID ", %s)", msgToStr(type), peer ? peer->id : RemoteSerializer::PEER_NONE, tmp));
delete [] tmp; delete [] tmp;
#endif #endif
if ( sendToIO(io, type, peer ? peer->id : RemoteSerializer::PEER_NONE, if ( sendToIO(io, type, peer ? peer->id : RemoteSerializer::PEER_NONE,
@ -3807,7 +3823,7 @@ bool SocketComm::SendToParent(char type, Peer* peer, int nargs, ...)
#ifdef DEBUG #ifdef DEBUG
va_start(ap,nargs); va_start(ap,nargs);
DEBUG_COMM(fmt("child: (->parent) %s (#%d,%s)", msgToStr(type), peer ? peer->id : RemoteSerializer::PEER_NONE, fmt_uint32s(nargs, ap))); DEBUG_COMM(fmt("child: (->parent) %s (#%" PRI_SOURCE_ID ",%s)", msgToStr(type), peer ? peer->id : RemoteSerializer::PEER_NONE, fmt_uint32s(nargs, ap)));
va_end(ap); va_end(ap);
#endif #endif
@ -3843,7 +3859,7 @@ bool SocketComm::SendToPeer(Peer* peer, char type, const char* str, int len)
#ifdef DEBUG #ifdef DEBUG
// str may already by constructed with fmt() // str may already by constructed with fmt()
const char* tmp = copy_string(str); const char* tmp = copy_string(str);
DEBUG_COMM(fmt("child: (->peer) %s to #%d (%s)", msgToStr(type), peer->id, tmp)); DEBUG_COMM(fmt("child: (->peer) %s to #%" PRI_SOURCE_ID " (%s)", msgToStr(type), peer->id, tmp));
delete [] tmp; delete [] tmp;
#endif #endif
@ -3862,7 +3878,7 @@ bool SocketComm::SendToPeer(Peer* peer, char type, int nargs, ...)
#ifdef DEBUG #ifdef DEBUG
va_start(ap,nargs); va_start(ap,nargs);
DEBUG_COMM(fmt("child: (->peer) %s to #%d (%s)", DEBUG_COMM(fmt("child: (->peer) %s to #%" PRI_SOURCE_ID " (%s)",
msgToStr(type), peer->id, fmt_uint32s(nargs, ap))); msgToStr(type), peer->id, fmt_uint32s(nargs, ap)));
va_end(ap); va_end(ap);
#endif #endif
@ -3883,7 +3899,7 @@ bool SocketComm::SendToPeer(Peer* peer, char type, int nargs, ...)
bool SocketComm::SendToPeer(Peer* peer, ChunkedIO::Chunk* c) bool SocketComm::SendToPeer(Peer* peer, ChunkedIO::Chunk* c)
{ {
DEBUG_COMM(fmt("child: (->peer) chunk of size %d to #%d", c->len, peer->id)); DEBUG_COMM(fmt("child: (->peer) chunk of size %d to #%" PRI_SOURCE_ID, c->len, peer->id));
if ( ! sendToIO(peer->io, c) ) if ( ! sendToIO(peer->io, c) )
{ {
Error(fmt("child: write error %s", io->Error()), peer); Error(fmt("child: write error %s", io->Error()), peer);

2
src/RemoteSerializer.h
View file

@ -297,6 +297,8 @@ protected:
bool SendToChild(char type, Peer* peer, int nargs, ...); // can send uints32 only bool SendToChild(char type, Peer* peer, int nargs, ...); // can send uints32 only
bool SendToChild(ChunkedIO::Chunk* c); bool SendToChild(ChunkedIO::Chunk* c);
void SetSocketBufferSize(int fd, int opt, const char *what, int size, int verbose);
private: private:
enum { TYPE, ARGS } msgstate; // current state of reading comm. enum { TYPE, ARGS } msgstate; // current state of reading comm.
Peer* current_peer; Peer* current_peer;

2
src/SMB.cc
View file

@ -166,7 +166,7 @@ void SMB_Session::Deliver(int is_orig, int len, const u_char* data)
const u_char* tmp = data_start + next; const u_char* tmp = data_start + next;
if ( data_start + next < data + body.length() ) if ( data_start + next < data + body.length() )
{ {
Weird(fmt("ANDX buffer overlapping: next = %d, buffer_end = %d", next, data + body.length() - data_start)); Weird(fmt("ANDX buffer overlapping: next = %d, buffer_end = %" PRIuPTR, next, data + body.length() - data_start));
break; break;
} }

517
src/SSLCiphers.cc
View file

@ -319,52 +319,52 @@ SSL_CipherSpec SSL_CipherSpecs[] = {
168, 168,
160 160
}, },
{ TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5, { TLS_DH_anon_EXPORT_WITH_RC4_40_MD5,
SSL_CIPHER_TYPE_STREAM, SSL_CIPHER_TYPE_STREAM,
SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_RC4, SSL_CIPHER_RC4,
SSL_MAC_MD5, SSL_MAC_MD5,
SSL_KEY_EXCHANGE_DH_ANON_EXPORT, SSL_KEY_EXCHANGE_DH_anon_EXPORT,
0, 0,
40, 40,
128 128
}, },
{ TLS_DH_ANON_WITH_RC4_128_MD5, { TLS_DH_anon_WITH_RC4_128_MD5,
SSL_CIPHER_TYPE_STREAM, SSL_CIPHER_TYPE_STREAM,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_RC4, SSL_CIPHER_RC4,
SSL_MAC_MD5, SSL_MAC_MD5,
SSL_KEY_EXCHANGE_DH_ANON, SSL_KEY_EXCHANGE_DH_anon,
0, 0,
128, 128,
128 128
}, },
{ TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA, { TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK, SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_DES40, SSL_CIPHER_DES40,
SSL_MAC_SHA, SSL_MAC_SHA,
SSL_KEY_EXCHANGE_DH_ANON, SSL_KEY_EXCHANGE_DH_anon,
0, 0,
40, 40,
160 160
}, },
{ TLS_DH_ANON_WITH_DES_CBC_SHA, { TLS_DH_anon_WITH_DES_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK, SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_DES, SSL_CIPHER_DES,
SSL_MAC_SHA, SSL_MAC_SHA,
SSL_KEY_EXCHANGE_DH_ANON, SSL_KEY_EXCHANGE_DH_anon,
0, 0,
56, 56,
160 160
}, },
{ TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA, { TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK, SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_3DES, SSL_CIPHER_3DES,
SSL_MAC_SHA, SSL_MAC_SHA,
SSL_KEY_EXCHANGE_DH_ANON, SSL_KEY_EXCHANGE_DH_anon,
0, 0,
168, 168,
160 160
@ -389,16 +389,48 @@ SSL_CipherSpec SSL_CipherSpecs[] = {
96, 96,
160 160
}, },
{ SSL_FORTEZZA_KEA_WITH_RC4_128_SHA,
SSL_CIPHER_TYPE_STREAM, { SSL_RSA_WITH_RC2_CBC_MD5,
SSL_FLAG_SSLv30, SSL_CIPHER_TYPE_BLOCK,
SSL_CIPHER_RC4, SSL_FLAG_SSLv20,
SSL_MAC_SHA, SSL_CIPHER_RC2,
SSL_KEY_EXCHANGE_FORTEZZA_KEA, SSL_MAC_MD5,
SSL_KEY_EXCHANGE_RSA,
0,
56,
160
},
{ SSL_RSA_WITH_IDEA_CBC_MD5,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv20,
SSL_CIPHER_IDEA,
SSL_MAC_MD5,
SSL_KEY_EXCHANGE_RSA,
0, 0,
128, 128,
160 160
}, },
{ SSL_RSA_WITH_DES_CBC_MD5,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv20,
SSL_CIPHER_DES,
SSL_MAC_MD5,
SSL_KEY_EXCHANGE_RSA,
0,
56,
160
},
{ SSL_RSA_WITH_3DES_EDE_CBC_MD5,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv20,
SSL_CIPHER_3DES,
SSL_MAC_MD5,
SSL_KEY_EXCHANGE_RSA,
0,
168,
160
},
// --- special SSLv3 FIPS ciphers // --- special SSLv3 FIPS ciphers
{ SSL_RSA_FIPS_WITH_DES_CBC_SHA, { SSL_RSA_FIPS_WITH_DES_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK, SSL_CIPHER_TYPE_BLOCK,
@ -522,12 +554,12 @@ SSL_CipherSpec SSL_CipherSpecs[] = {
128, 128,
160 160
}, },
{ TLS_DH_ANON_WITH_AES_128_CBC_SHA, { TLS_DH_anon_WITH_AES_128_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK, SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_AES, SSL_CIPHER_AES,
SSL_MAC_SHA, SSL_MAC_SHA,
SSL_KEY_EXCHANGE_DH_ANON, SSL_KEY_EXCHANGE_DH_anon,
0, 0,
128, 128,
160 160
@ -582,16 +614,459 @@ SSL_CipherSpec SSL_CipherSpecs[] = {
256, 256,
160 160
}, },
{ TLS_DH_ANON_WITH_AES_256_CBC_SHA, { TLS_DH_anon_WITH_AES_256_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK, SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_AES, SSL_CIPHER_AES,
SSL_MAC_SHA, SSL_MAC_SHA,
SSL_KEY_EXCHANGE_DH_ANON, SSL_KEY_EXCHANGE_DH_anon,
0, 0,
256, 256,
160 160
} },
{ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_CAMELLIA,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_RSA,
0,
128,
160
},
{ TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_CAMELLIA,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_DH_DSS,
0,
128,
160
},
{ TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_CAMELLIA,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_DH_RSA,
0,
128,
160
},
{ TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_CAMELLIA,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_DHE_DSS,
0,
128,
160
},
{ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_CAMELLIA,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_DHE_RSA,
0,
128,
160
},
{ TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_CAMELLIA,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_DH_anon,
0,
128,
160
},
{ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_CAMELLIA,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_RSA,
0,
256,
160
},
{ TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_CAMELLIA,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_DH_DSS,
0,
256,
160
},
{ TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_CAMELLIA,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_DH_RSA,
0,
256,
160
},
{ TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_CAMELLIA,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_DHE_DSS,
0,
256,
160
},
{ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_CAMELLIA,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_DHE_RSA,
0,
256,
160
},
{ TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_CAMELLIA,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_DH_anon,
0,
256,
160
},
{ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_3DES,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDHE_ECDSA,
0,
168,
160
},
{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_AES,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDHE_ECDSA,
0,
128,
160
},
{ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_AES,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDHE_ECDSA,
0,
256,
160
},
{ TLS_ECDHE_ECDSA_WITH_NULL_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_NULL,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDHE_ECDSA,
0,
0,
160
},
{ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_RC4,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDHE_ECDSA,
0,
128,
160
},
{ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_3DES,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDHE_RSA,
0,
168,
160
},
{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_AES,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDHE_RSA,
0,
128,
160
},
{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_AES,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDHE_RSA,
0,
256,
160
},
{ TLS_ECDHE_RSA_WITH_NULL_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_NULL,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDHE_RSA,
0,
0,
160
},
{ TLS_ECDHE_RSA_WITH_RC4_128_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_RC4,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDHE_RSA,
0,
128,
160
},
{ TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_3DES,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDH_ECDSA,
0,
168,
160
},
{ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_AES,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDH_ECDSA,
0,
128,
160
},
{ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_AES,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDH_ECDSA,
0,
256,
160
},
{ TLS_ECDH_ECDSA_WITH_NULL_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_NULL,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDH_ECDSA,
0,
0,
160
},
{ TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_RC4,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDH_ECDSA,
0,
128,
160
},
{ TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_3DES,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDH_RSA,
0,
168,
160
},
{ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_AES,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDH_RSA,
0,
128,
160
},
{ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_AES,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDH_RSA,
0,
256,
160
},
{ TLS_ECDH_RSA_WITH_NULL_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_NULL,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDH_RSA,
0,
0,
160
},
{ TLS_ECDH_RSA_WITH_RC4_128_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_RC4,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDH_RSA,
0,
128,
160
},
{ TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_3DES,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDH_anon,
0,
168,
160
},
{ TLS_ECDH_anon_WITH_AES_128_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_AES,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDH_anon,
0,
128,
160
},
{ TLS_ECDH_anon_WITH_AES_256_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_AES,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDH_anon,
0,
256,
160
},
{ TLS_ECDH_anon_WITH_NULL_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_NULL,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDH_anon,
0,
0,
160
},
{ TLS_ECDH_anon_WITH_RC4_128_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_RC4,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDH_anon,
0,
128,
160
},
{ TLS_RSA_WITH_SEED_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_SEED,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_RSA,
0,
128,
160
},
{ TLS_DH_DSS_WITH_SEED_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_SEED,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_DH_DSS,
0,
128,
160
},
{ TLS_DH_RSA_WITH_SEED_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_SEED,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_DH_RSA,
0,
128,
160
},
{ TLS_DHE_DSS_WITH_SEED_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_SEED,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_DHE_DSS,
0,
128,
160
},
{ TLS_DHE_RSA_WITH_SEED_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_SEED,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_DHE_RSA,
0,
128,
160
},
{ TLS_DH_anon_WITH_SEED_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_SEED,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_DH_anon,
0,
128,
160
},
{ TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
SSL_CIPHER_TYPE_NULL,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_NULL,
SSL_MAC_NULL,
SSL_KEY_EXCHANGE_NULL,
0,
0,
0
},
}; };
const uint SSL_CipherSpecs_Count = const uint SSL_CipherSpecs_Count =

321
src/SSLCiphers.h
View file

@ -12,14 +12,14 @@
*/ */
enum SSLv2_CipherSpec { enum SSLv2_CipherSpec {
// --- standard SSLv2 ciphers // --- standard SSLv2 ciphers
SSL_CK_RC4_128_WITH_MD5 = 0x010080, SSL_CK_RC4_128_WITH_MD5 = 0x010080,
SSL_CK_RC4_128_EXPORT40_WITH_MD5 = 0x020080, SSL_CK_RC4_128_EXPORT40_WITH_MD5 = 0x020080,
SSL_CK_RC2_128_CBC_WITH_MD5 = 0x030080, SSL_CK_RC2_128_CBC_WITH_MD5 = 0x030080,
SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 = 0x040080, SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 = 0x040080,
SSL_CK_IDEA_128_CBC_WITH_MD5 = 0x050080, SSL_CK_IDEA_128_CBC_WITH_MD5 = 0x050080,
SSL_CK_DES_64_CBC_WITH_MD5 = 0x060040, SSL_CK_DES_64_CBC_WITH_MD5 = 0x060040,
SSL_CK_DES_192_EDE3_CBC_WITH_MD5 = 0x0700C0, SSL_CK_DES_192_EDE3_CBC_WITH_MD5 = 0x0700C0,
SSL_CK_RC4_64_WITH_MD5 = 0x080080 SSL_CK_RC4_64_WITH_MD5 = 0x080080
}; };
@ -28,60 +28,245 @@ enum SSLv2_CipherSpec {
*/ */
enum SSL3_1_CipherSpec { enum SSL3_1_CipherSpec {
// --- standard SSLv3x ciphers // --- standard SSLv3x ciphers
TLS_NULL_WITH_NULL_NULL = 0x0000, TLS_NULL_WITH_NULL_NULL = 0x0000,
TLS_RSA_WITH_NULL_MD5 = 0x0001, TLS_RSA_WITH_NULL_MD5 = 0x0001,
TLS_RSA_WITH_NULL_SHA = 0x0002, TLS_RSA_WITH_NULL_SHA = 0x0002,
TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003, TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003,
TLS_RSA_WITH_RC4_128_MD5 = 0x0004, TLS_RSA_WITH_RC4_128_MD5 = 0x0004,
TLS_RSA_WITH_RC4_128_SHA = 0x0005, TLS_RSA_WITH_RC4_128_SHA = 0x0005,
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006, TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006,
TLS_RSA_WITH_IDEA_CBC_SHA = 0x0007, TLS_RSA_WITH_IDEA_CBC_SHA = 0x0007,
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008, TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008,
TLS_RSA_WITH_DES_CBC_SHA = 0x0009, TLS_RSA_WITH_DES_CBC_SHA = 0x0009,
TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A, TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A,
TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x000B, TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x000B,
TLS_DH_DSS_WITH_DES_CBC_SHA = 0x000C, TLS_DH_DSS_WITH_DES_CBC_SHA = 0x000C,
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000D, TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000D,
TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x000E, TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x000E,
TLS_DH_RSA_WITH_DES_CBC_SHA = 0x000F, TLS_DH_RSA_WITH_DES_CBC_SHA = 0x000F,
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010, TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010,
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011, TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011,
TLS_DHE_DSS_WITH_DES_CBC_SHA = 0x0012, TLS_DHE_DSS_WITH_DES_CBC_SHA = 0x0012,
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013, TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013,
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014, TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014,
TLS_DHE_RSA_WITH_DES_CBC_SHA = 0x0015, TLS_DHE_RSA_WITH_DES_CBC_SHA = 0x0015,
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016, TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016,
TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5 = 0x0017, TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 = 0x0017,
TLS_DH_ANON_WITH_RC4_128_MD5 = 0x0018, TLS_DH_anon_WITH_RC4_128_MD5 = 0x0018,
TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA = 0x0019, TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = 0x0019,
TLS_DH_ANON_WITH_DES_CBC_SHA = 0x001A, TLS_DH_anon_WITH_DES_CBC_SHA = 0x001A,
TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA = 0x001B, TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = 0x001B,
// --- special SSLv3 ciphers // --- special SSLv3 ciphers
SSL_FORTEZZA_KEA_WITH_NULL_SHA = 0x001C, SSL_FORTEZZA_KEA_WITH_NULL_SHA = 0x001C,
SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA = 0x001D, SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA = 0x001D,
SSL_FORTEZZA_KEA_WITH_RC4_128_SHA = 0x001E, //SSL_FORTEZZA_KEA_WITH_RC4_128_SHA = 0x001E,
// --- special SSLv3 FIPS ciphers // -- RFC 2712 (ciphers not fully described in SSLCiphers.cc)
SSL_RSA_FIPS_WITH_DES_CBC_SHA = 0xFEFE, TLS_KRB5_WITH_DES_CBC_SHA = 0x001E,
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0XFEFF, TLS_KRB5_WITH_3DES_EDE_CBC_SHA = 0x001F,
// --- new 56 bit export ciphers TLS_KRB5_WITH_RC4_128_SHA = 0x0020,
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA = 0x0062, TLS_KRB5_WITH_IDEA_CBC_SHA = 0x0021,
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA = 0x0064, TLS_KRB5_WITH_DES_CBC_MD5 = 0x0022,
TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 0x0063, TLS_KRB5_WITH_3DES_EDE_CBC_MD5 = 0x0023,
TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = 0x0065, TLS_KRB5_WITH_RC4_128_MD5 = 0x0024,
TLS_DHE_DSS_WITH_RC4_128_SHA = 0x0066, TLS_KRB5_WITH_IDEA_CBC_MD5 = 0x0025,
TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA = 0x0026,
TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA = 0x0027,
TLS_KRB5_EXPORT_WITH_RC4_40_SHA = 0x0028,
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 = 0x0029,
TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 = 0x002A,
TLS_KRB5_EXPORT_WITH_RC4_40_MD5 = 0x002B,
// --- new AES ciphers // --- new AES ciphers
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F, TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F,
TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0x0030, TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0x0030,
TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031, TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032, TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033, TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033,
TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034, TLS_DH_anon_WITH_AES_128_CBC_SHA = 0x0034,
TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035, TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035,
TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x0036, TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x0036,
TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x0037, TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x0037,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038, TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039, TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039,
TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A TLS_DH_anon_WITH_AES_256_CBC_SHA = 0x003A,
TLS_RSA_WITH_NULL_SHA256 = 0x003B,
TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C,
TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D,
TLS_DH_DSS_WITH_AES_128_CBC_SHA256 = 0x003E,
TLS_DH_RSA_WITH_AES_128_CBC_SHA256 = 0x003F,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 = 0x0040,
// -- RFC 4132
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0041,
TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0042,
TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0043,
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0044,
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0045,
TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA = 0x0046,
// -- Non-RFC. Widely deployed implementation (ciphers not fully described in SSLCiphers.cc)
TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 = 0x0060,
TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 = 0x0061,
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA = 0x0062,
TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 0x0063,
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA = 0x0064,
TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = 0x0065,
TLS_DHE_DSS_WITH_RC4_128_SHA = 0x0066,
// -- RFC 5246 (ciphers not fully described in SSLCiphers.cc)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067,
TLS_DH_DSS_WITH_AES_256_CBC_SHA256 = 0x0068,
TLS_DH_RSA_WITH_AES_256_CBC_SHA256 = 0x0069,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 = 0x006A,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B,
TLS_DH_anon_WITH_AES_128_CBC_SHA256 = 0x006C,
TLS_DH_anon_WITH_AES_256_CBC_SHA256 = 0x006D,
// -- RFC 5932
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0084,
TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0085,
TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0086,
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0087,
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0088,
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA = 0x0089,
// -- RFC 4279 (ciphers not fully described in SSLCiphers.cc)
TLS_PSK_WITH_RC4_128_SHA = 0x008A,
TLS_PSK_WITH_3DES_EDE_CBC_SHA = 0x008B,
TLS_PSK_WITH_AES_128_CBC_SHA = 0x008C,
TLS_PSK_WITH_AES_256_CBC_SHA = 0x008D,
TLS_DHE_PSK_WITH_RC4_128_SHA = 0x008E,
TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA = 0x008F,
TLS_DHE_PSK_WITH_AES_128_CBC_SHA = 0x0090,
TLS_DHE_PSK_WITH_AES_256_CBC_SHA = 0x0091,
TLS_RSA_PSK_WITH_RC4_128_SHA = 0x0092,
TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA = 0x0093,
TLS_RSA_PSK_WITH_AES_128_CBC_SHA = 0x0094,
TLS_RSA_PSK_WITH_AES_256_CBC_SHA = 0x0095,
// -- RFC 4162
TLS_RSA_WITH_SEED_CBC_SHA = 0x0096,
TLS_DH_DSS_WITH_SEED_CBC_SHA = 0x0097,
TLS_DH_RSA_WITH_SEED_CBC_SHA = 0x0098,
TLS_DHE_DSS_WITH_SEED_CBC_SHA = 0x0099,
TLS_DHE_RSA_WITH_SEED_CBC_SHA = 0x009A,
TLS_DH_anon_WITH_SEED_CBC_SHA = 0x009B,
// -- RFC 5288 (ciphers not fully described in SSLCiphers.cc)
TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C,
TLS_RSA_WITH_AES_256_GCM_SHA384 = 0x009D,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = 0x009F,
TLS_DH_RSA_WITH_AES_128_GCM_SHA256 = 0x00A0,
TLS_DH_RSA_WITH_AES_256_GCM_SHA384 = 0x00A1,
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = 0x00A2,
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 = 0x00A3,
TLS_DH_DSS_WITH_AES_128_GCM_SHA256 = 0x00A4,
TLS_DH_DSS_WITH_AES_256_GCM_SHA384 = 0x00A5,
TLS_DH_anon_WITH_AES_128_GCM_SHA256 = 0x00A6,
TLS_DH_anon_WITH_AES_256_GCM_SHA384 = 0x00A7,
// -- RFC 5487 (ciphers not fully described in SSLCiphers.cc)
TLS_PSK_WITH_AES_128_GCM_SHA256 = 0x00A8,
TLS_PSK_WITH_AES_256_GCM_SHA384 = 0x00A9,
TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 = 0x00AA,
TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 = 0x00AB,
TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 = 0x00AC,
TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 = 0x00AD,
TLS_PSK_WITH_AES_128_CBC_SHA256 = 0x00AE,
TLS_PSK_WITH_AES_256_CBC_SHA384 = 0x00AF,
TLS_PSK_WITH_NULL_SHA256 = 0x00B0,
TLS_PSK_WITH_NULL_SHA384 = 0x00B1,
TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 = 0x00B2,
TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 = 0x00B3,
TLS_DHE_PSK_WITH_NULL_SHA256 = 0x00B4,
TLS_DHE_PSK_WITH_NULL_SHA384 = 0x00B5,
TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 = 0x00B6,
TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 = 0x00B7,
TLS_RSA_PSK_WITH_NULL_SHA256 = 0x00B8,
TLS_RSA_PSK_WITH_NULL_SHA384 = 0x00B9,
// -- RFC 5932 (ciphers not fully described in SSLCiphers.cc)
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BA,
TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BB,
TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BC,
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BD,
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BE,
TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BF,
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C0,
TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C1,
TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C2,
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C3,
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C4,
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C5,
// -- RFC 4492
TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xC001,
TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xC002,
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC003,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = 0xC004,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = 0xC005,
TLS_ECDHE_ECDSA_WITH_NULL_SHA = 0xC006,
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = 0xC007,
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC008,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xC009,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xC00A,
TLS_ECDH_RSA_WITH_NULL_SHA = 0xC00B,
TLS_ECDH_RSA_WITH_RC4_128_SHA = 0xC00C,
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = 0xC00D,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = 0xC00E,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = 0xC00F,
TLS_ECDHE_RSA_WITH_NULL_SHA = 0xC010,
TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0xC011,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 0xC012,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xC013,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xC014,
TLS_ECDH_anon_WITH_NULL_SHA = 0xC015,
TLS_ECDH_anon_WITH_RC4_128_SHA = 0xC016,
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA = 0xC017,
TLS_ECDH_anon_WITH_AES_128_CBC_SHA = 0xC018,
TLS_ECDH_anon_WITH_AES_256_CBC_SHA = 0xC019,
// -- RFC 5054 (ciphers not fully described in SSLCiphers.cc)
TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = 0xC01A,
TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA = 0xC01B,
TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA = 0xC01C,
TLS_SRP_SHA_WITH_AES_128_CBC_SHA = 0xC01D,
TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA = 0xC01E,
TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA = 0xC01F,
TLS_SRP_SHA_WITH_AES_256_CBC_SHA = 0xC020,
TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA = 0xC021,
TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA = 0xC022,
// -- RFC 5289 (ciphers not fully described in SSLCiphers.cc)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC023,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC024,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC025,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC026,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xC027,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = 0xC028,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 = 0xC029,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 = 0xC02A,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02B,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02C,
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02D,
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02E,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xC030,
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 0xC031,
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 = 0xC032,
// -- RFC 5489 (ciphers not fully described in SSLCiphers.cc)
TLS_ECDHE_PSK_WITH_RC4_128_SHA = 0xC033,
TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA = 0xC034,
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA = 0xC035,
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA = 0xC036,
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 = 0xC037,
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 = 0xC038,
TLS_ECDHE_PSK_WITH_NULL_SHA = 0xC039,
TLS_ECDHE_PSK_WITH_NULL_SHA256 = 0xC03A,
TLS_ECDHE_PSK_WITH_NULL_SHA384 = 0xC03B,
// --- special SSLv3 FIPS ciphers
SSL_RSA_FIPS_WITH_DES_CBC_SHA = 0xFEFE,
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0xFEFF,
SSL_RSA_FIPS_WITH_DES_CBC_SHA_2 = 0xFFE1,
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2 = 0xFFE0,
// Tags for SSL 2 cipher kinds which are not specified for SSL 3.
SSL_RSA_WITH_RC2_CBC_MD5 = 0xFF80,
SSL_RSA_WITH_IDEA_CBC_MD5 = 0xFF81,
SSL_RSA_WITH_DES_CBC_MD5 = 0xFF82,
SSL_RSA_WITH_3DES_EDE_CBC_MD5 = 0xFF83,
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF,
}; };
enum SSL_CipherType { enum SSL_CipherType {
@ -99,7 +284,9 @@ enum SSL_BulkCipherAlgorithm {
SSL_CIPHER_DES40, SSL_CIPHER_DES40,
SSL_CIPHER_FORTEZZA, SSL_CIPHER_FORTEZZA,
SSL_CIPHER_IDEA, SSL_CIPHER_IDEA,
SSL_CIPHER_AES SSL_CIPHER_AES,
SSL_CIPHER_CAMELLIA,
SSL_CIPHER_SEED,
}; };
enum SSL_MACAlgorithm { enum SSL_MACAlgorithm {
@ -121,12 +308,18 @@ enum SSL_KeyExchangeAlgorithm {
SSL_KEY_EXCHANGE_DHE_DSS_EXPORT, SSL_KEY_EXCHANGE_DHE_DSS_EXPORT,
SSL_KEY_EXCHANGE_DHE_RSA, SSL_KEY_EXCHANGE_DHE_RSA,
SSL_KEY_EXCHANGE_DHE_RSA_EXPORT, SSL_KEY_EXCHANGE_DHE_RSA_EXPORT,
SSL_KEY_EXCHANGE_DH_ANON, SSL_KEY_EXCHANGE_DH_anon,
SSL_KEY_EXCHANGE_DH_ANON_EXPORT, SSL_KEY_EXCHANGE_DH_anon_EXPORT,
SSL_KEY_EXCHANGE_FORTEZZA_KEA, SSL_KEY_EXCHANGE_FORTEZZA_KEA,
// --- new 56 bit export ciphers // --- new 56 bit export ciphers
SSL_KEY_EXCHANGE_RSA_EXPORT1024, SSL_KEY_EXCHANGE_RSA_EXPORT1024,
SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024 SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024,
// -- Elliptic Curve key change algorithms (rfc4492)
SSL_KEY_EXCHANGE_ECDH_ECDSA,
SSL_KEY_EXCHANGE_ECDHE_ECDSA,
SSL_KEY_EXCHANGE_ECDH_RSA,
SSL_KEY_EXCHANGE_ECDHE_RSA,
SSL_KEY_EXCHANGE_ECDH_anon,
}; };
#if 0 #if 0

4
src/SSLProxy.cc
View file

@ -174,7 +174,6 @@ bool SSL_RecordBuilder::addSegment(const u_char* data, int length)
if ( ! computeExpectedSize(data, length) ) if ( ! computeExpectedSize(data, length) )
return false; return false;
// Insert weird here replacing assert.
if ( neededSize > expectedSize ) if ( neededSize > expectedSize )
{ {
sslEndpoint->Weird("SSL_RecordBuilder::addSegment neededSize > expectedSize"); sslEndpoint->Weird("SSL_RecordBuilder::addSegment neededSize > expectedSize");
@ -277,8 +276,7 @@ bool SSL_RecordBuilder::addSegment(const u_char* data, int length)
else if ( currentSize + length < expectedSize ) else if ( currentSize + length < expectedSize )
{ // another (middle) segment { // another (middle) segment
if ( length <= MIN_FRAGMENT_SIZE ) if ( length <= MIN_FRAGMENT_SIZE )
sslEndpoint->Parent()->Weird( "SSLProxy: Excessive small TCP Segment!" ); sslEndpoint->Parent()->Weird("SSLProxy: Excessive small TCP Segment!");
addData(data, length); addData(data, length);
break; break;
} }

224
src/SSLv3.cc
View file

@ -195,7 +195,7 @@ void SSLv3_Interpreter::printStats()
printf( "SSLv3x:\n" ); printf( "SSLv3x:\n" );
printf( "Note: Because handshake messages may be coalesced into a \n"); printf( "Note: Because handshake messages may be coalesced into a \n");
printf( " single SSLv3x record, the number of total messages for SSLv3x plus \n"); printf( " single SSLv3x record, the number of total messages for SSLv3x plus \n");
printf( " the number of total records seen for SSLv2 won't match \n"); printf( " the number of total records seen for SSLv3 won't match \n");
printf( " SSLProxy_Analyzer::totalRecords! \n"); printf( " SSLProxy_Analyzer::totalRecords! \n");
printf( "total connections = %u\n", totalConnections ); printf( "total connections = %u\n", totalConnections );
printf( "opened connections (complete handshake) = %u\n", openedConnections ); printf( "opened connections (complete handshake) = %u\n", openedConnections );
@ -383,84 +383,71 @@ void SSLv3_Interpreter::DeliverSSLv3_Record(SSLv3_HandshakeRecord* rec)
case SSL3_1_CERTIFICATE: case SSL3_1_CERTIFICATE:
{ {
if ( rec->length >= 3 ) const u_char* pData = rec->data;
uint32 certListLength =
uint32((pData[4] << 16) |
pData[5] << 8) | pData[6];
// Sum of all cert sizes has to match
// certListLength.
uint tempLength = 0;
uint certCount = 0;
while ( tempLength < certListLength )
{ {
const u_char* pData = rec->data; if ( tempLength + 3 <= certListLength )
uint32 certListLength =
uint32((pData[4] << 16) |
pData[5] << 8) | pData[6];
// Size consistency checks.
if ( certListLength + 3 != uint32(rec->length) )
{ {
if ( rec->endp->IsOrig() ) ++certCount;
Weird("SSLv3x: Corrupt length field in client certificate list!"); uint32 certLength =
else uint32((pData[tempLength + 7] << 16) | pData[tempLength + 8] << 8) | pData[tempLength + 9];
Weird("SSLv3x: Corrupt length field in server certificate list!"); tempLength += certLength + 3;
return;
}
// Sum of all cert sizes has to match
// certListLength.
uint tempLength = 0;
uint certCount = 0;
while ( tempLength < certListLength )
{
if ( tempLength + 3 <= certListLength )
{
++certCount;
uint32 certLength =
uint32((pData[tempLength + 7] << 16) | pData[tempLength + 8] << 8) | pData[tempLength + 9];
tempLength += certLength + 3;
}
else
{
Weird("SSLv3x: Corrupt length field in certificate list!");
return;
}
}
if ( tempLength > certListLength )
{
Weird("SSLv3x: sum of size of certificates doesn't match size of certificate chain");
return;
}
SSL_InterpreterEndpoint* pEp =
(SSL_InterpreterEndpoint*) rec->endp;
if ( certCount == 0 )
{ // we don't have a certificate...
if ( rec->endp->IsOrig() )
{
Weird("SSLv3x: Client certificate is missing!");
break;
}
else
{
Weird("SSLv3x: Server certificate is missing!");
break;
}
}
if ( certCount > 1 )
{ // we have a chain
analyzeCertificate(pEp,
rec->data + 7,
certListLength, 1, true);
} }
else else
{ {
// We have a single certificate. Weird("SSLv3x: Corrupt length field in certificate list!");
// FIXME. return;
analyzeCertificate(pEp,
rec->data + 10,
certListLength-3, 1, false);
} }
}
if ( tempLength > certListLength )
{
Weird("SSLv3x: sum of size of certificates doesn't match size of certificate chain");
return;
}
SSL_InterpreterEndpoint* pEp =
(SSL_InterpreterEndpoint*) rec->endp;
if ( certCount == 0 )
{
// we don't have a certificate, but this is valid
// according to RFC2246
if ( rec->endp->IsOrig() )
{
Weird("SSLv3x: Client certificate is missing!");
break;
}
else
{
Weird("SSLv3x: Server certificate is missing!");
break;
}
}
if ( certCount > 1 )
{ // we have a chain
analyzeCertificate(pEp,
rec->data + 7,
certListLength, 1, true);
} }
else else
Weird("SSLv3x: Certificate record too small!" ); {
// We have a single certificate.
// FIXME.
analyzeCertificate(pEp,
rec->data + 10,
certListLength-3, 1, false);
}
break; break;
} }
@ -554,7 +541,7 @@ void SSLv3_Interpreter::DeliverSSLv3_Record(SSLv3_HandshakeRecord* rec)
} }
else else
{ {
if ( keyXAlgorithm == SSL_KEY_EXCHANGE_DH || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_ANON || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_ANON_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024 ) if ( keyXAlgorithm == SSL_KEY_EXCHANGE_DH || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_anon || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_anon_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024 )
{ {
if ( rec->length < 2 ) if ( rec->length < 2 )
{ {
@ -595,11 +582,11 @@ void SSLv3_Interpreter::DeliverSSLv3_Record(SSLv3_HandshakeRecord* rec)
switch (cipherSuite) switch (cipherSuite)
{ {
case TLS_NULL_WITH_NULL_NULL: case TLS_NULL_WITH_NULL_NULL:
case TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5: case TLS_DH_anon_EXPORT_WITH_RC4_40_MD5:
case TLS_DH_ANON_WITH_RC4_128_MD5: case TLS_DH_anon_WITH_RC4_128_MD5:
case TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA: case TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA:
case TLS_DH_ANON_WITH_DES_CBC_SHA: case TLS_DH_anon_WITH_DES_CBC_SHA:
case TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA: case TLS_DH_anon_WITH_3DES_EDE_CBC_SHA:
{ {
Weird("SSLv3x: Sending certificate-request not allowed for anonymous servers!"); Weird("SSLv3x: Sending certificate-request not allowed for anonymous servers!");
break; break;
@ -618,7 +605,7 @@ void SSLv3_Interpreter::DeliverSSLv3_Record(SSLv3_HandshakeRecord* rec)
break; break;
} }
if ( pCipherSuite->keyExchangeAlgorithm == SSL_KEY_EXCHANGE_DH_ANON || pCipherSuite->keyExchangeAlgorithm == SSL_KEY_EXCHANGE_DH_ANON_EXPORT ) if ( pCipherSuite->keyExchangeAlgorithm == SSL_KEY_EXCHANGE_DH_anon || pCipherSuite->keyExchangeAlgorithm == SSL_KEY_EXCHANGE_DH_anon_EXPORT )
Weird("SSLv3x: Sending certificate-request not allowed for anonymous servers!"); Weird("SSLv3x: Sending certificate-request not allowed for anonymous servers!");
// FIXME: Insert weird checks! // FIXME: Insert weird checks!
@ -654,7 +641,7 @@ void SSLv3_Interpreter::DeliverSSLv3_Record(SSLv3_HandshakeRecord* rec)
} }
else else
{ {
if ( keyXAlgorithm == SSL_KEY_EXCHANGE_DH || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_ANON || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_ANON_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024 ) if ( keyXAlgorithm == SSL_KEY_EXCHANGE_DH || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_anon || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_anon_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024 )
{ {
if ( rec->length < 2 ) if ( rec->length < 2 )
{ {
@ -938,14 +925,6 @@ TableVal* SSLv3_Interpreter::analyzeCiphers(const SSLv3_Endpoint* s, int length,
{ {
int is_orig = (SSL_InterpreterEndpoint*) s == orig; int is_orig = (SSL_InterpreterEndpoint*) s == orig;
if ( length > ssl_max_cipherspec_size )
{
if ( is_orig )
Weird("SSLv2: Client has CipherSpecs > ssl_max_cipherspec_size");
else
Weird("SSLv2: Server has CipherSpecs > ssl_max_cipherspec_size");
}
const u_char* pCipher = data; const u_char* pCipher = data;
SSL_CipherSpec* pCipherSuiteTemp = 0; SSL_CipherSpec* pCipherSuiteTemp = 0;
uint16 cipherSuite; uint16 cipherSuite;
@ -1236,16 +1215,6 @@ SSLv3_HandshakeRecord::SSLv3_HandshakeRecord(const u_char* data, int len,
uint16 version, SSLv3_Endpoint const* e) uint16 version, SSLv3_Endpoint const* e)
: SSLv3_Record(data, len, version, e) : SSLv3_Record(data, len, version, e)
{ {
// Weird-check for minimum handshake length header.
if ( len < 4 )
{
e->Interpreter()->Weird("SSLv3x: Handshake-header-length too small!");
type = 255;
length = 0;
next = 0;
return;
}
// Don't analyze encrypted client handshake messages. // Don't analyze encrypted client handshake messages.
if ( e->IsOrig() && if ( e->IsOrig() &&
((SSLv3_Interpreter*) e->Interpreter())->change_cipher_client_seen && ((SSLv3_Interpreter*) e->Interpreter())->change_cipher_client_seen &&
@ -1270,7 +1239,10 @@ SSLv3_HandshakeRecord::SSLv3_HandshakeRecord(const u_char* data, int len,
type = uint8(*(this->data)); type = uint8(*(this->data));
length = ExtractInt24(data, len, 1); length = ExtractInt24(data, len, 1);
if ( length + 4 < len )
if ( length == 0 ) // this is a special case to deal with 0 length certs
next = 0;
else if ( length + 4 < len )
next = new SSLv3_HandshakeRecord(data + length + 4, next = new SSLv3_HandshakeRecord(data + length + 4,
len - (length + 4), version, e); len - (length + 4), version, e);
else if ( length + 4 > len ) else if ( length + 4 > len )
@ -1328,7 +1300,9 @@ int SSLv3_HandshakeRecord::checkClientHello()
version != SSLProxy_Analyzer::SSLv31 ) version != SSLProxy_Analyzer::SSLv31 )
endp->Interpreter()->Weird("SSLv3x: Corrupt version information in Client hello!"); endp->Interpreter()->Weird("SSLv3x: Corrupt version information in Client hello!");
uint8 sessionIDLength = uint8(data[38]); uint16 offset = 38;
uint8 sessionIDLength = uint8(data[offset]);
offset += (1 + sessionIDLength);
if ( sessionIDLength > 32 ) if ( sessionIDLength > 32 )
{ {
endp->Interpreter()->Weird("SSLv3x: SessionID too long in Client hello!"); endp->Interpreter()->Weird("SSLv3x: SessionID too long in Client hello!");
@ -1336,29 +1310,38 @@ int SSLv3_HandshakeRecord::checkClientHello()
} }
uint16 cipherSuiteLength = uint16 cipherSuiteLength =
uint16(data[39 + sessionIDLength] << 8 ) | uint16(data[offset] << 8) | data[offset+1];
data[40 + sessionIDLength]; offset += (2 + cipherSuiteLength);
if ( cipherSuiteLength < 2 ) if ( cipherSuiteLength < 2 )
endp->Interpreter()->Weird("SSLv3x: CipherSuite length too small!"); endp->Interpreter()->Weird("SSLv3x: CipherSuite length too small!");
if ( cipherSuiteLength + sessionIDLength + 41 > recordLength ) if ( offset > recordLength )
{ {
endp->Interpreter()->Weird("SSLv3x: Client hello too small, corrupt length fields!"); endp->Interpreter()->Weird("SSLv3x: Client hello too small, corrupt length fields!");
return 0; return 0;
} }
uint8 compressionMethodLength = uint8 compressionMethodLength = uint8(data[offset]);
uint8(data[41 + sessionIDLength + cipherSuiteLength]); offset += (1 + compressionMethodLength);
if ( compressionMethodLength < 1 ) if ( compressionMethodLength < 1 )
endp->Interpreter()->Weird("SSLv3x: CompressionMethod length too small!"); endp->Interpreter()->Weird("SSLv3x: CompressionMethod length too small!");
if ( sessionIDLength + cipherSuiteLength + if ( offset < length )
compressionMethodLength + 38 != length )
{ {
endp->Interpreter()->Weird("SSLv3x: Corrupt length fields in Client hello!"); uint16 sslExtensionsLength =
return 0; uint16(data[offset] << 8) | data[offset+1];
offset += 2;
if ( sslExtensionsLength < 4 )
endp->Interpreter()->Weird("SSLv3x: Extensions length too small!");
// TODO: extract SSL extensions here
offset += sslExtensionsLength;
if ( offset != length+4 )
{
endp->Interpreter()->Weird("SSLv3x: Corrupt length fields in Client hello!");
return 0;
}
} }
return 1; return 1;
@ -1377,16 +1360,33 @@ int SSLv3_HandshakeRecord::checkServerHello()
version != SSLProxy_Analyzer::SSLv31 ) version != SSLProxy_Analyzer::SSLv31 )
endp->Interpreter()->Weird("SSLv3x: Corrupt version information in Server hello!"); endp->Interpreter()->Weird("SSLv3x: Corrupt version information in Server hello!");
uint8 sessionIDLength = uint8(data[38]); uint16 offset = 38;
uint8 sessionIDLength = uint8(data[offset]);
if ( sessionIDLength > 32 ) if ( sessionIDLength > 32 )
{ {
endp->Interpreter()->Weird("SSLv3x: SessionID too long in Server hello!"); endp->Interpreter()->Weird("SSLv3x: SessionID too long in Server hello!");
return 0; return 0;
} }
offset += (1 + sessionIDLength);
if ( (sessionIDLength + 38) != length ) offset += 3; // account for cipher and compression method
if ( offset < length )
{ {
endp->Interpreter()->Weird("SSLv3x: Corrupt length fields in Server hello!"); uint16 sslExtensionsLength =
uint16(data[offset] << 8) | data[offset+1];
offset += 2;
if ( sslExtensionsLength < 4 )
endp->Interpreter()->Weird("SSLv3x: Extensions length too small!");
// TODO: extract SSL extensions here
offset += sslExtensionsLength;
if ( offset != length+4 )
{
endp->Interpreter()->Weird("SSLv3x: Corrupt length fields in Server hello!");
return 0;
}
return 0; return 0;
} }

3
src/Scope.cc
View file

@ -11,9 +11,6 @@
static scope_list scopes; static scope_list scopes;
static Scope* top_scope; static Scope* top_scope;
extern const char* GLOBAL_MODULE_NAME = "GLOBAL";
// Returns it without trailing "::". // Returns it without trailing "::".
string extract_module_name(const char* name) string extract_module_name(const char* name)
{ {

2
src/Scope.h
View file

@ -59,7 +59,7 @@ protected:
id_list* inits; id_list* inits;
}; };
extern const char* GLOBAL_MODULE_NAME; static const char* GLOBAL_MODULE_NAME = "GLOBAL";
extern string extract_module_name(const char* name); extern string extract_module_name(const char* name);
extern string normalized_module_name(const char* module_name); // w/o :: extern string normalized_module_name(const char* module_name); // w/o ::

4
src/cq.c
View file

@ -570,8 +570,8 @@ cq_debugbucket(register struct cq_handle *hp,
bp2 = hp->buckets + PRI2BUCKET(hp, bp->pri); bp2 = hp->buckets + PRI2BUCKET(hp, bp->pri);
if (bp2 != buckets) { if (bp2 != buckets) {
fprintf(stderr, fprintf(stderr,
"%f in wrong bucket! (off by %d)\n", "%f in wrong bucket! (off by %ld)\n",
bp->pri, bp2 - buckets); bp->pri, (long)(bp2 - buckets));
cq_dump(hp); cq_dump(hp);
abort(); abort();
} }

4
src/dce_rpc.pac
View file

@ -8,5 +8,5 @@ analyzer DCE_RPC withcontext {
flow: DCE_RPC_Flow; flow: DCE_RPC_Flow;
}; };
%include "dce_rpc-protocol.pac" %include dce_rpc-protocol.pac
%include "dce_rpc-analyzer.pac" %include dce_rpc-analyzer.pac

3
src/main.cc
View file

@ -8,6 +8,7 @@
#include <stdlib.h> #include <stdlib.h>
#include <unistd.h> #include <unistd.h>
#include <signal.h> #include <signal.h>
#include <string.h>
#ifdef HAVE_GETOPT_H #ifdef HAVE_GETOPT_H
#include <getopt.h> #include <getopt.h>
#endif #endif
@ -424,7 +425,7 @@ int main(int argc, char** argv)
prog = argv[0]; prog = argv[0];
prefixes.append(""); // "" = "no prefix" prefixes.append(strdup("")); // "" = "no prefix"
char* p = getenv("BRO_PREFIXES"); char* p = getenv("BRO_PREFIXES");
if ( p ) if ( p )

2
src/parse.y
View file

@ -3,6 +3,8 @@
// See the file "COPYING" in the main distribution directory for copyright. // See the file "COPYING" in the main distribution directory for copyright.
%} %}
%expect 71
%token TOK_ADD TOK_ADD_TO TOK_ADDR TOK_ALARM TOK_ANY %token TOK_ADD TOK_ADD_TO TOK_ADDR TOK_ALARM TOK_ANY
%token TOK_ATENDIF TOK_ATELSE TOK_ATIF TOK_ATIFDEF TOK_ATIFNDEF %token TOK_ATENDIF TOK_ATELSE TOK_ATIF TOK_ATIFDEF TOK_ATIFNDEF
%token TOK_BOOL TOK_BREAK TOK_CASE TOK_CONST %token TOK_BOOL TOK_BREAK TOK_CASE TOK_CONST

2
src/patricia.c
View file

@ -1027,7 +1027,7 @@ lookup_then_remove (patricia_tree_t *tree, char *string)
{ {
patricia_node_t *node; patricia_node_t *node;
if (node = try_search_exact (tree, string)) if ( (node = try_search_exact(tree, string)) )
patricia_remove (tree, node); patricia_remove (tree, node);
} }

172
src/strings.bif
View file

@ -154,27 +154,27 @@ function join_string_vec%(vec: string_vec, sep: string%): string
function edit%(arg_s: string, arg_edit_char: string%): string function edit%(arg_s: string, arg_edit_char: string%): string
%{ %{
const char* s = arg_s->AsString()->CheckString(); if ( arg_edit_char->Len() != 1 )
const char* edit_s = arg_edit_char->AsString()->CheckString();
if ( strlen(edit_s) != 1 )
builtin_run_time("not exactly one edit character", @ARG@[1]); builtin_run_time("not exactly one edit character", @ARG@[1]);
char edit_c = *edit_s; const u_char* s = arg_s->Bytes();
const u_char* edit_s = arg_edit_char->Bytes();
int n = strlen(s) + 1; u_char edit_c = *edit_s;
char* new_s = new char[n];
int n = arg_s->Len();
u_char* new_s = new u_char[n+1];
int ind = 0; int ind = 0;
for ( ; *s; ++s ) for ( int i = 0; i < n; ++i )
{ {
if ( *s == edit_c ) if ( s[i] == edit_c )
{ // Delete last character { // Delete last character
if ( --ind < 0 ) if ( --ind < 0 )
ind = 0; ind = 0;
} }
else else
new_s[ind++] = *s; new_s[ind++] = s[i];
} }
new_s[ind] = '\0'; new_s[ind] = '\0';
@ -214,75 +214,55 @@ static int match_prefix(int s_len, const char* s, int t_len, const char* t)
Val* do_split(StringVal* str_val, RE_Matcher* re, TableVal* other_sep, Val* do_split(StringVal* str_val, RE_Matcher* re, TableVal* other_sep,
int incl_sep, int max_num_sep) int incl_sep, int max_num_sep)
{ {
const BroString* str = str_val->AsString();
TableVal* a = new TableVal(internal_type("string_array")->AsTableType()); TableVal* a = new TableVal(internal_type("string_array")->AsTableType());
ListVal* other_strings = 0; ListVal* other_strings = 0;
if ( other_sep && other_sep->Size() > 0 ) if ( other_sep && other_sep->Size() > 0 )
other_strings = other_sep->ConvertToPureList(); other_strings = other_sep->ConvertToPureList();
// Currently let us assume that str is NUL-terminated. In const u_char* s = str_val->Bytes();
// the future we expect to change this by giving RE_Matcher a int n = str_val->Len();
// const char* segment. const u_char* end_of_s = s + n;
const char* s = str->CheckString();
int len = strlen(s);
const char* end_of_s = s + len;
int num = 0; int num = 0;
int num_sep = 0; int num_sep = 0;
while ( 1 ) int offset = 0;
while ( n >= 0 )
{ {
int offset = 0; offset = 0;
const char* t; // Find next match offset.
int end_of_match = 0;
if ( max_num_sep > 0 && num_sep >= max_num_sep ) while ( n > 0 &&
t = end_of_s; (end_of_match = re->MatchPrefix(s + offset, n)) <= 0 )
else
{ {
for ( t = s; t < end_of_s; ++t ) // Move on to next byte.
{ ++offset;
offset = re->MatchPrefix(t); --n;
if ( other_strings )
{
val_list* vl = other_strings->Vals();
loop_over_list(*vl, i)
{
const BroString* sub =
(*vl)[i]->AsString();
if ( sub->Len() > offset &&
match_prefix(end_of_s - t,
t, sub->Len(),
(const char*) (sub->Bytes())) )
{
offset = sub->Len();
}
}
}
if ( offset > 0 )
break;
}
} }
Val* ind = new Val(++num, TYPE_COUNT); Val* ind = new Val(++num, TYPE_COUNT);
a->Assign(ind, new StringVal(t - s, s)); a->Assign(ind, new StringVal(offset, (const char*) s));
Unref(ind); Unref(ind);
if ( t >= end_of_s ) // No more separators will be needed if this is the end of string.
if ( n <= 0 )
break; break;
++num_sep;
if ( incl_sep ) if ( incl_sep )
{ // including the part that matches the pattern { // including the part that matches the pattern
ind = new Val(++num, TYPE_COUNT); ind = new Val(++num, TYPE_COUNT);
a->Assign(ind, new StringVal(offset, t)); a->Assign(ind, new StringVal(end_of_match, (const char*) s+offset));
Unref(ind); Unref(ind);
} }
s = t + offset; if ( max_num_sep && num_sep >= max_num_sep )
break;
++num_sep;
n -= end_of_match;
s += offset + end_of_match;;
if ( s > end_of_s ) if ( s > end_of_s )
internal_error("RegMatch in split goes beyond the string"); internal_error("RegMatch in split goes beyond the string");
} }
@ -492,42 +472,38 @@ function subst_string%(s: string, from: string, to: string%): string
function to_lower%(str: string%): string function to_lower%(str: string%): string
%{ %{
const char* s = str->CheckString(); const u_char* s = str->Bytes();
int n = strlen(s) + 1; int n = str->Len();
char* lower_s = new char[n]; char* lower_s = new char[n];
char* ls = lower_s;
char* ls; for ( int i = 0; i < n; ++i)
for ( ls = lower_s; *s; ++s )
{ {
if ( isascii(*s) && isupper(*s) ) if ( isascii(s[i]) && isupper(s[i]) )
*ls++ = tolower(*s); *ls++ = tolower(s[i]);
else else
*ls++ = *s; *ls++ = s[i];
} }
*ls = '\0'; return new StringVal(new BroString(1, byte_vec(lower_s), n));
return new StringVal(new BroString(1, byte_vec(lower_s), n-1));
%} %}
function to_upper%(str: string%): string function to_upper%(str: string%): string
%{ %{
const char* s = str->CheckString(); const u_char* s = str->Bytes();
int n = strlen(s) + 1; int n = str->Len();
char* upper_s = new char[n]; char* upper_s = new char[n];
char* us = upper_s;
char* us; for ( int i = 0; i < n; ++i)
for ( us = upper_s; *s; ++s )
{ {
if ( isascii(*s) && islower(*s) ) if ( isascii(s[i]) && islower(s[i]) )
*us++ = toupper(*s); *us++ = toupper(s[i]);
else else
*us++ = *s; *us++ = s[i];
} }
*us = '\0'; return new StringVal(new BroString(1, byte_vec(upper_s), n));
return new StringVal(new BroString(1, byte_vec(upper_s), n-1));
%} %}
function clean%(str: string%): string function clean%(str: string%): string
@ -620,40 +596,35 @@ function str_split%(s: string, idx: index_vec%): string_vec
function strip%(str: string%): string function strip%(str: string%): string
%{ %{
const char* s = str->CheckString(); const u_char* s = str->Bytes();
int n = str->Len();
int n = strlen(s) + 1; if ( n == 0 )
char* strip_s = new char[n];
if ( n == 1 )
// Empty string. // Empty string.
return new StringVal(new BroString(1, byte_vec(strip_s), 0)); return new StringVal(new BroString(s, n, 1));
while ( isspace(*s) ) const u_char* sp = s;
++s;
strncpy(strip_s, s, n); // Move a pointer from the end of the string.
const u_char* e = sp + n - 1;
char* s2 = strip_s; while ( e > sp && isspace(*e) )
char* e = &s2[strlen(s2) - 1];
while ( e > s2 && isspace(*e) )
--e; --e;
e[1] = '\0'; // safe even if e hasn't changed, due to n = strlen + 1 // Move the pointer for the beginning of the string.
while ( isspace(*sp) && sp <= e )
++sp;
return new StringVal(new BroString(1, byte_vec(s2), (e-s2)+1)); return new StringVal(new BroString(sp, (e - sp + 1), 1));
%} %}
function string_fill%(len: int, source: string%): string function string_fill%(len: int, source: string%): string
%{ %{
const char* src = source->CheckString(); const u_char* src = source->Bytes();
int n = source->Len();
int sn = strlen(src);
char* dst = new char[len]; char* dst = new char[len];
for ( int i = 0; i < len; i += sn ) for ( int i = 0; i < len; i += n )
::memcpy((dst + i), src, min(sn, len - i)); ::memcpy((dst + i), src, min(n, len - i));
dst[len - 1] = 0; dst[len - 1] = 0;
@ -667,10 +638,11 @@ function string_fill%(len: int, source: string%): string
function str_shell_escape%(source: string%): string function str_shell_escape%(source: string%): string
%{ %{
unsigned j = 0; unsigned j = 0;
const char* src = source->CheckString(); const u_char* src = source->Bytes();
char* dst = new char[strlen(src) * 2 + 1]; unsigned n = source->Len();
byte_vec dst = new u_char[n * 2 + 1];
for ( unsigned i = 0; i < strlen(src); ++i ) for ( unsigned i = 0; i < n; ++i )
{ {
switch ( src[i] ) { switch ( src[i] ) {
case '`': case '"': case '\\': case '$': case '`': case '"': case '\\': case '$':
@ -688,7 +660,7 @@ function str_shell_escape%(source: string%): string
} }
dst[j] = '\0'; dst[j] = '\0';
return new StringVal(new BroString(1, byte_vec(dst), j)); return new StringVal(new BroString(1, dst, j));
%} %}
# Returns all occurrences of the given pattern in the given string (an empty # Returns all occurrences of the given pattern in the given string (an empty

39
src/util.h
View file

@ -11,6 +11,11 @@
#include <stdarg.h> #include <stdarg.h>
#include "config.h" #include "config.h"
// Expose C99 functionality from inttypes.h, which would otherwise not be
// available in C++.
#define __STDC_FORMAT_MACROS
#include <inttypes.h>
#if __STDC__ #if __STDC__
#define myattribute __attribute__ #define myattribute __attribute__
#else #else
@ -39,24 +44,21 @@
extern HeapLeakChecker* heap_checker; extern HeapLeakChecker* heap_checker;
#endif #endif
typedef unsigned long long int uint64; #include <stdint.h>
typedef unsigned int uint32;
typedef unsigned short uint16; typedef uint64_t uint64;
typedef unsigned char uint8; typedef uint32_t uint32;
typedef long long int int64; typedef uint16_t uint16;
typedef uint8_t uint8;
typedef int64_t int64;
typedef int32_t int32;
typedef int16_t int16;
typedef int8_t int8;
typedef int64 bro_int_t; typedef int64 bro_int_t;
typedef uint64 bro_uint_t; typedef uint64 bro_uint_t;
#if SIZEOF_LONG_LONG == 8
typedef unsigned long long uint64;
typedef long long int64;
#elif SIZEOF_LONG_INT == 8
typedef unsigned long int uint64;
typedef long int int64;
#else
# error "Couldn't reliably identify 64-bit type. Please report to bro@bro-ids.org."
#endif
// "ptr_compat_uint" and "ptr_compat_int" are (un)signed integers of // "ptr_compat_uint" and "ptr_compat_int" are (un)signed integers of
// pointer size. They can be cast safely to a pointer, e.g. in Lists, // pointer size. They can be cast safely to a pointer, e.g. in Lists,
// which represent their entities as void* pointers. // which represent their entities as void* pointers.
@ -64,9 +66,13 @@ typedef long int int64;
#if SIZEOF_VOID_P == 8 #if SIZEOF_VOID_P == 8
typedef uint64 ptr_compat_uint; typedef uint64 ptr_compat_uint;
typedef int64 ptr_compat_int; typedef int64 ptr_compat_int;
#define PRI_PTR_COMPAT_INT PRId64 // Format to use with printf.
#define PRI_PTR_COMPAT_UINT PRIu64
#elif SIZEOF_VOID_P == 4 #elif SIZEOF_VOID_P == 4
typedef uint32 ptr_compat_uint; typedef uint32 ptr_compat_uint;
typedef int ptr_compat_int; typedef int32 ptr_compat_int;
#define PRI_PTR_COMPAT_INT PRId32
#define PRI_PTR_COMPAT_UINT PRIu32
#else #else
# error "Unusual pointer size. Please report to bro@bro-ids.org." # error "Unusual pointer size. Please report to bro@bro-ids.org."
#endif #endif
@ -157,6 +163,7 @@ extern uint8 uhash_key[UHASH_KEY_SIZE];
// the obvious places (like Event.h or RemoteSerializer.h) // the obvious places (like Event.h or RemoteSerializer.h)
typedef ptr_compat_uint SourceID; typedef ptr_compat_uint SourceID;
#define PRI_SOURCE_ID PRI_PTR_COMPAT_UINT
static const SourceID SOURCE_LOCAL = 0; static const SourceID SOURCE_LOCAL = 0;
class BroObj; class BroObj;