From c8076619ce54177def38e515c6466ebda237798f Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Fri, 28 Jan 2011 16:18:57 -0500
Subject: [PATCH] Added new TLS ciphers

---
 policy/bro.init | 2 +-
 policy/ssl-ciphers.bro | 5 ++++
 src/SSLCiphers.cc | 53 ++++++++++++++++++++++++++++++++++++++++++
 src/SSLCiphers.h | 11 ++++++++-
 4 files changed, 69 insertions(+), 2 deletions(-)

diff --git a/policy/bro.init b/policy/bro.init
index 1ba8f59b4d..e8f208bb6b 100644
--- a/policy/bro.init
+++ b/policy/bro.init
@@ -905,7 +905,7 @@ global dns_max_queries = 5;
 
 # The maxiumum size in bytes for an SSL cipherspec. If we see a packet that
 # has bigger cipherspecs, we warn and won't do a comparisons of cipherspecs.
-const ssl_max_cipherspec_size = 45 &redef;
+const ssl_max_cipherspec_size = 68 &redef;
 
 # SSL and X.509 types.
 type cipher_suites_list: set[count];
diff --git a/policy/ssl-ciphers.bro b/policy/ssl-ciphers.bro
index 307565eb36..3926d591cd 100644
--- a/policy/ssl-ciphers.bro
+++ b/policy/ssl-ciphers.bro
@@ -223,6 +223,11 @@ const SSL_RSA_FIPS_WITH_DES_CBC_SHA = 0xFEFE;
 const SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0xFEFF;
 const SSL_RSA_FIPS_WITH_DES_CBC_SHA_2 = 0xFFE1;
 const SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2 = 0xFFE0;
+const SSL_RSA_WITH_RC2_CBC_MD5 = 0xFF80;
+const SSL_RSA_WITH_IDEA_CBC_MD5 = 0xFF81;
+const SSL_RSA_WITH_DES_CBC_MD5 = 0xFF82;
+const SSL_RSA_WITH_3DES_EDE_CBC_MD5 = 0xFF83;
+const TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF;
 
 # Cipher specifications native to TLS can be included in Version 2.0 client
diff --git a/src/SSLCiphers.cc b/src/SSLCiphers.cc
index 002262d853..400f7421ce 100644
--- a/src/SSLCiphers.cc
+++ b/src/SSLCiphers.cc
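Review bot: The new limit in `const ssl_max_cipherspec_size = 68 &redef;` is a bare number with nothing tying it to what it guards, and the comment above it says an oversized cipherspec is only warned about and then not compared at all, so a value that falls behind the cipher tables is a silent analysis gap rather than an error. Presumably 68 tracks the growth of the cipher list in src/SSLCiphers.cc, which this same commit extends, but the hunk does not say how the number was arrived at, and 45 to 68 is a larger jump than the five entries added. I would record the derivation next to the constant, e.g. `# Raised from 45 to 68 to cover <reason>; a too-small value disables cipherspec comparison.` with the placeholder filled in.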
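Review bot: The five new constants are added without the explanation the header hunk gives them: 0xFF80-0xFF83 are tags invented for SSLv2 cipher kinds that have no SSLv3/TLS code point (the src/SSLCiphers.h hunk says so in its comment), and 0x00FF is the RFC 5746 renegotiation signaling value, not a cipher a peer can negotiate. A policy author reading this file alone will take all five as ordinary suite numbers and may match or report on them as such. I would add `# Locally assigned tags for SSLv2-only cipher kinds (see src/SSLCiphers.h); not TLS code points.` above the 0xFF80 group and `# RFC 5746 signaling suite, never a negotiated cipher.` above the SCSV line; the same SCSV note belongs on the new table entry in src/SSLCiphers.cc and on the enum line in src/SSLCiphers.h.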
@@ -399,6 +399,48 @@ SSL_CipherSpec SSL_CipherSpecs[] = {
 // 128,
 // 160
 //},
+
+ { SSL_RSA_WITH_RC2_CBC_MD5,
+ SSL_CIPHER_TYPE_BLOCK,
+ SSL_FLAG_SSLv20,
+ SSL_CIPHER_RC2,
+ SSL_MAC_MD5,
+ SSL_KEY_EXCHANGE_RSA,
+ 0,
+ 56,
+ 160
+ },
+ { SSL_RSA_WITH_IDEA_CBC_MD5,
+ SSL_CIPHER_TYPE_BLOCK,
+ SSL_FLAG_SSLv20,
+ SSL_CIPHER_IDEA,
+ SSL_MAC_MD5,
+ SSL_KEY_EXCHANGE_RSA,
+ 0,
+ 128,
+ 160
+ },
+ { SSL_RSA_WITH_DES_CBC_MD5,
+ SSL_CIPHER_TYPE_BLOCK,
+ SSL_FLAG_SSLv20,
+ SSL_CIPHER_DES,
+ SSL_MAC_MD5,
+ SSL_KEY_EXCHANGE_RSA,
+ 0,
+ 56,
+ 160
+ },
+ { SSL_RSA_WITH_3DES_EDE_CBC_MD5,
+ SSL_CIPHER_TYPE_BLOCK,
+ SSL_FLAG_SSLv20,
+ SSL_CIPHER_3DES,
+ SSL_MAC_MD5,
+ SSL_KEY_EXCHANGE_RSA,
+ 0,
+ 168,
+ 160
+ },
+
 // --- special SSLv3 FIPS ciphers
 { SSL_RSA_FIPS_WITH_DES_CBC_SHA,
 SSL_CIPHER_TYPE_BLOCK,
@@ -1023,6 +1065,17 @@ SSL_CipherSpec SSL_CipherSpecs[] = {
 160
 },
 
+ { TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
+ SSL_CIPHER_TYPE_NULL,
+ SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+ SSL_CIPHER_NULL,
+ SSL_MAC_NULL,
+ SSL_KEY_EXCHANGE_NULL,
+ 0,
+ 0,
+ 0
+ },
+
 };
diff --git a/src/SSLCiphers.h b/src/SSLCiphers.h
index 408a3b1567..12b3ecc0aa 100644
--- a/src/SSLCiphers.h
+++ b/src/SSLCiphers.h
@@ -253,11 +253,20 @@ enum SSL3_1_CipherSpec {
 TLS_ECDHE_PSK_WITH_NULL_SHA = 0xC039,
 TLS_ECDHE_PSK_WITH_NULL_SHA256 = 0xC03A,
 TLS_ECDHE_PSK_WITH_NULL_SHA384 = 0xC03B,
+
 // --- special SSLv3 FIPS ciphers
 SSL_RSA_FIPS_WITH_DES_CBC_SHA = 0xFEFE,
 SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0xFEFF,
 SSL_RSA_FIPS_WITH_DES_CBC_SHA_2 = 0xFFE1,
-SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2 = 0xFFe0,
+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2 = 0xFFE0,
+
+// Tags for SSL 2 cipher kinds which are not specified for SSL 3.
+SSL_RSA_WITH_RC2_CBC_MD5 = 0xFF80,
+SSL_RSA_WITH_IDEA_CBC_MD5 = 0xFF81,
+SSL_RSA_WITH_DES_CBC_MD5 = 0xFF82,
+SSL_RSA_WITH_3DES_EDE_CBC_MD5 = 0xFF83,
+
+TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF,
 };
 
 enum SSL_CipherType {
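Review bot: All four new `SSL_MAC_MD5` entries end with `160` in their last field, the same value the neighbouring SHA-1 entries carry; MD5 produces a 128-bit digest, so if that field is the MAC output size the four lines should read `128`. The `SSL_CipherSpec` definition is outside this hunk, so I cannot confirm which field it is, but the second-to-last field already varies per cipher (`56`, `128`, `168`) in a way that matches key size, which makes the constant `160` look copied rather than chosen. Separately, the RC2 entry gives `56` key bits while SSLv2's RC2 cipher kind is 128-bit keyed (the export variant is 40), so that value looks taken from the DES entry and is worth checking against the SSLv2 cipher-kind list. These sizes matter because this table is presumably what cipher-strength reporting reads. The array `SSL_CipherSpecs[]` starts and ends outside the hunk.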
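Review bot: The new comment says the 0xFF80-0xFF83 values are tags for SSLv2 cipher kinds, but not that they sit in the cipher-suite range whose first byte 0xFF is reserved for private use (RFC 5246 A.5), so if lookups are ever keyed by the raw two-byte value from an SSLv3/TLS hello, a peer using a private suite 0xFF80 would be reported as `SSL_RSA_WITH_RC2_CBC_MD5`. Whether that path exists depends on how SSLv2 cipher kinds are mapped onto these enum values, which is outside the hunk. I would extend the comment to `// Tags for SSL 2 cipher kinds which are not specified for SSL 3. Synthetic values from the 0xFF00-0xFFFF private-use range; must match policy/ssl-ciphers.bro.` so the coupling and the collision risk are recorded where the values are defined. The enclosing `enum SSL3_1_CipherSpec` starts outside the hunk.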