Added new TLS ciphers

2025-10-02 06:38:20 +00:00 · 2011-01-28 16:18:57 -05:00 · 2011-01-28 16:18:57 -05:00 · c8076619ce
commit c8076619ce
parent c7a5bf071d
4 changed files with 69 additions and 2 deletions
--- a/policy/bro.init
+++ b/policy/bro.init
@ -905,7 +905,7 @@ global dns_max_queries = 5;

 # The maxiumum size in bytes for an SSL cipherspec.  If we see a packet that
 # has bigger cipherspecs, we warn and won't do a comparisons of cipherspecs.
-const ssl_max_cipherspec_size = 45 &redef;
+const ssl_max_cipherspec_size = 68 &redef;

 # SSL and X.509 types.
 type cipher_suites_list: set[count];
--- a/policy/ssl-ciphers.bro
+++ b/policy/ssl-ciphers.bro
@ -223,6 +223,11 @@ const SSL_RSA_FIPS_WITH_DES_CBC_SHA = 0xFEFE;
 const SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0xFEFF;
 const SSL_RSA_FIPS_WITH_DES_CBC_SHA_2 = 0xFFE1;
 const SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2 = 0xFFE0;
+const SSL_RSA_WITH_RC2_CBC_MD5 = 0xFF80;
+const SSL_RSA_WITH_IDEA_CBC_MD5 = 0xFF81;
+const SSL_RSA_WITH_DES_CBC_MD5 = 0xFF82;
+const SSL_RSA_WITH_3DES_EDE_CBC_MD5 = 0xFF83;
+const TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF;


 # Cipher specifications native to TLS can be included in Version 2.0 client
--- a/src/SSLCiphers.cc
+++ b/src/SSLCiphers.cc
@ -399,6 +399,48 @@ SSL_CipherSpec SSL_CipherSpecs[] = {
 	//	128,
 	//	160
 	//},
+	
+	{ SSL_RSA_WITH_RC2_CBC_MD5,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv20,
+		SSL_CIPHER_RC2,
+		SSL_MAC_MD5,
+		SSL_KEY_EXCHANGE_RSA,
+		0,
+		56,
+		160
+	},
+	{ SSL_RSA_WITH_IDEA_CBC_MD5,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv20,
+		SSL_CIPHER_IDEA,
+		SSL_MAC_MD5,
+		SSL_KEY_EXCHANGE_RSA,
+		0,
+		128,
+		160
+	},
+	{ SSL_RSA_WITH_DES_CBC_MD5,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv20,
+		SSL_CIPHER_DES,
+		SSL_MAC_MD5,
+		SSL_KEY_EXCHANGE_RSA,
+		0,
+		56,
+		160
+	},
+	{ SSL_RSA_WITH_3DES_EDE_CBC_MD5,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv20,
+		SSL_CIPHER_3DES,
+		SSL_MAC_MD5,
+		SSL_KEY_EXCHANGE_RSA,
+		0,
+		168,
+		160
+	},
+	
 	// --- special SSLv3 FIPS ciphers
 	{ SSL_RSA_FIPS_WITH_DES_CBC_SHA,
 		SSL_CIPHER_TYPE_BLOCK,
@ -1023,6 +1065,17 @@ SSL_CipherSpec SSL_CipherSpecs[] = {
 		160
 	},
 	
+	{ TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
+		SSL_CIPHER_TYPE_NULL,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_NULL,
+		SSL_MAC_NULL,
+		SSL_KEY_EXCHANGE_NULL,
+		0,
+		0,
+		0
+	},
+	
 	
 };

--- a/src/SSLCiphers.h
+++ b/src/SSLCiphers.h
@ -253,11 +253,20 @@ enum SSL3_1_CipherSpec {
 	TLS_ECDHE_PSK_WITH_NULL_SHA              = 0xC039,
 	TLS_ECDHE_PSK_WITH_NULL_SHA256           = 0xC03A,
 	TLS_ECDHE_PSK_WITH_NULL_SHA384           = 0xC03B,
+	
 	// --- special SSLv3 FIPS ciphers
 	SSL_RSA_FIPS_WITH_DES_CBC_SHA            = 0xFEFE,
 	SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA       = 0xFEFF,
 	SSL_RSA_FIPS_WITH_DES_CBC_SHA_2          = 0xFFE1,
-	SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2     = 0xFFe0,
+	SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2     = 0xFFE0,
+
+	// Tags for SSL 2 cipher kinds which are not specified for SSL 3. 
+	SSL_RSA_WITH_RC2_CBC_MD5                 = 0xFF80,
+	SSL_RSA_WITH_IDEA_CBC_MD5                = 0xFF81,
+	SSL_RSA_WITH_DES_CBC_MD5                 = 0xFF82,
+	SSL_RSA_WITH_3DES_EDE_CBC_MD5            = 0xFF83,
+	
+	TLS_EMPTY_RENEGOTIATION_INFO_SCSV        = 0x00FF,
 };

 enum SSL_CipherType {