From 52b8dad8ec6eb0dcada52851af5f9498af7a91be Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bodo=20M=C3=B6ller?= Date: Sat, 17 Feb 2007 06:45:38 +0000 Subject: Reorganize the data used for SSL ciphersuite pattern matching. This change resolves a number of problems and obviates multiple kludges. A new feature is that you can now say "AES256" or "AES128" (not just "AES", which enables both). In some cases the ciphersuite list generated from a given string is affected by this change. I hope this is just in those cases where the previous behaviour did not make sense. --- CHANGES | 34 ++ LICENSE | 2 +- README | 2 +- crypto/opensslv.h | 2 +- ssl/d1_clnt.c | 19 +- ssl/d1_srvr.c | 68 +-- ssl/s2_lib.c | 144 +++-- ssl/s3_clnt.c | 110 ++-- ssl/s3_enc.c | 6 +- ssl/s3_lib.c | 1503 +++++++++++++++++++++++++++++++---------------------- ssl/s3_srvr.c | 233 ++++----- ssl/ssl.h | 92 +--- ssl/ssl_cert.c | 8 +- ssl/ssl_ciph.c | 572 +++++++++++--------- ssl/ssl_lib.c | 225 ++++---- ssl/ssl_locl.h | 106 ++-- ssl/t1_enc.c | 12 +- ssl/t1_lib.c | 68 +-- 18 files changed, 1838 insertions(+), 1368 deletions(-) diff --git a/CHANGES b/CHANGES index ec1cf226f5..80db3ae58d 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,28 @@ Changes between 0.9.8e and 0.9.9 [xx XXX xxxx] + *) Split the SSL/TLS algorithm mask (as used for ciphersuite string + processing) into multiple integers instead of setting + "SSL_MKEY_MASK" bits, "SSL_AUTH_MASK" bits, "SSL_ENC_MASK", + "SSL_MAC_MASK", and "SSL_SSL_MASK" bits all in a single integer. + (These masks as well as the individual bit definitions are hidden + away into the non-exported interface ssl/ssl_locl.h, so this + change to the definition of the SSL_CIPHER structure shouldn't + affect applications.) This give us more bits for each of these + categories, so there is no longer a need to coagulate AES128 and + AES256 into a single algorithm bit, and to coagulate Camellia128 + and Camellia256 into a single algorithm bit, which has led to all + kinds of kludges. + + Thus, among other things, the kludge introduced in 0.9.7m and + 0.9.8e for masking out AES256 independently of AES128 or masking + out Camellia256 independently of AES256 is not needed here in 0.9.9. + + With the change, we also introduce new ciphersuite aliases that + so far were missing: "AES128", "AES256", "CAMELLIA128", and + "CAMELLIA256". + [Bodo Moeller] + *) Add support for dsa-with-SHA224 and dsa-with-SHA256. Use the leftmost N bytes of the signature input if the input is larger than the prime q (with N being the size in bytes of q). @@ -430,6 +452,13 @@ Changes between 0.9.8d and 0.9.8e [XX xxx XXXX] + *) Since AES128 and AES256 (and similarly Camellia128 and + Camellia256) share a single mask bit in the logic of + ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a + kludge to work properly if AES128 is available and AES256 isn't + (or if Camellia128 is available and Camellia256 isn't). + [Victor Duchovni] + *) Fix the BIT STRING encoding generated by crypto/ec/ec_asn1.c (within i2d_ECPrivateKey, i2d_ECPKParameters, i2d_ECParameters): When a point or a seed is encoded in a BIT STRING, we need to @@ -1459,6 +1488,11 @@ Changes between 0.9.7l and 0.9.7m [xx XXX xxxx] + *) Since AES128 and AES256 share a single mask bit in the logic of + ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a + kludge to work properly if AES128 is available and AES256 isn't. + [Victor Duchovni] + *) Have SSL/TLS server implementation tolerate "mismatched" record protocol version while receiving ClientHello even if the ClientHello is fragmented. (The server can't insist on the diff --git a/LICENSE b/LICENSE index c21f132db5..ff99d97241 100644 --- a/LICENSE +++ b/LICENSE @@ -12,7 +12,7 @@ --------------- /* ==================================================================== - * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/README b/README index 092ab7df41..d9a7fce247 100644 --- a/README +++ b/README @@ -1,7 +1,7 @@ OpenSSL 0.9.9-dev XX xxx XXXX - Copyright (c) 1998-2005 The OpenSSL Project + Copyright (c) 1998-2007 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson All rights reserved. diff --git a/crypto/opensslv.h b/crypto/opensslv.h index dc3a89ad4e..3d665b803b 100644 --- a/crypto/opensslv.h +++ b/crypto/opensslv.h @@ -83,7 +83,7 @@ * should only keep the versions that are binary compatible with the current. */ #define SHLIB_VERSION_HISTORY "" -#define SHLIB_VERSION_NUMBER "0.9.8" +#define SHLIB_VERSION_NUMBER "0.9.9" #endif /* HEADER_OPENSSLV_H */ diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c index 2dd9da2fda..0f3dd708a6 100644 --- a/ssl/d1_clnt.c +++ b/ssl/d1_clnt.c @@ -4,7 +4,7 @@ * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. */ /* ==================================================================== - * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -274,7 +274,7 @@ int dtls1_connect(SSL *s) case SSL3_ST_CR_CERT_A: case SSL3_ST_CR_CERT_B: /* Check if it is anon DH */ - if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)) + if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)) { ret=ssl3_get_server_certificate(s); if (ret <= 0) goto end; @@ -335,7 +335,6 @@ int dtls1_connect(SSL *s) case SSL3_ST_CW_KEY_EXCH_B: ret=dtls1_send_client_key_exchange(s); if (ret <= 0) goto end; - l=s->s3->tmp.new_cipher->algorithms; /* EAY EAY EAY need to check for DH fix cert * sent back */ /* For TLS, cert_req is set to 2, so a cert chain @@ -684,7 +683,7 @@ int dtls1_send_client_key_exchange(SSL *s) { unsigned char *p,*d; int n; - unsigned long l; + unsigned long alg_k; #ifndef OPENSSL_NO_RSA unsigned char *q; EVP_PKEY *pkey=NULL; @@ -697,13 +696,13 @@ int dtls1_send_client_key_exchange(SSL *s) { d=(unsigned char *)s->init_buf->data; p= &(d[DTLS1_HM_HEADER_LENGTH]); - - l=s->s3->tmp.new_cipher->algorithms; + + alg_k=s->s3->tmp.new_cipher->algorithm_mkey; /* Fool emacs indentation */ if (0) {} #ifndef OPENSSL_NO_RSA - else if (l & SSL_kRSA) + else if (alg_k & SSL_kRSA) { RSA *rsa; unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; @@ -762,7 +761,7 @@ int dtls1_send_client_key_exchange(SSL *s) } #endif #ifndef OPENSSL_NO_KRB5 - else if (l & SSL_kKRB5) + else if (alg_k & SSL_kKRB5) { krb5_error_code krb5rc; KSSL_CTX *kssl_ctx = s->kssl_ctx; @@ -781,7 +780,7 @@ int dtls1_send_client_key_exchange(SSL *s) #ifdef KSSL_DEBUG printf("ssl3_send_client_key_exchange(%lx & %lx)\n", - l, SSL_kKRB5); + alg_k, SSL_kKRB5); #endif /* KSSL_DEBUG */ authp = NULL; @@ -894,7 +893,7 @@ int dtls1_send_client_key_exchange(SSL *s) } #endif #ifndef OPENSSL_NO_DH - else if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) + else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { DH *dh_srvr,*dh_clnt; diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c index 67baf80dc2..450524a5e9 100644 --- a/ssl/d1_srvr.c +++ b/ssl/d1_srvr.c @@ -4,7 +4,7 @@ * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. */ /* ==================================================================== - * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -148,6 +148,7 @@ int dtls1_accept(SSL *s) unsigned long l,Time=(unsigned long)time(NULL); void (*cb)(const SSL *ssl,int type,int val)=NULL; long num1; + unsigned long alg_k; int ret= -1; int new_state,state,skip=0; @@ -237,11 +238,11 @@ int dtls1_accept(SSL *s) s->state=SSL3_ST_SW_HELLO_REQ_A; } - if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)) - s->d1->send_cookie = 1; - else - s->d1->send_cookie = 0; - + if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)) + s->d1->send_cookie = 1; + else + s->d1->send_cookie = 0; + break; case SSL3_ST_SW_HELLO_REQ_A: @@ -270,7 +271,7 @@ int dtls1_accept(SSL *s) if (ret <= 0) goto end; s->new_session = 2; - if ( s->d1->send_cookie) + if (s->d1->send_cookie) s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A; else s->state = SSL3_ST_SW_SRVR_HELLO_A; @@ -303,7 +304,7 @@ int dtls1_accept(SSL *s) case SSL3_ST_SW_CERT_A: case SSL3_ST_SW_CERT_B: /* Check if it is anon DH */ - if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)) + if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)) { ret=dtls1_send_server_certificate(s); if (ret <= 0) goto end; @@ -316,13 +317,13 @@ int dtls1_accept(SSL *s) case SSL3_ST_SW_KEY_EXCH_A: case SSL3_ST_SW_KEY_EXCH_B: - l=s->s3->tmp.new_cipher->algorithms; + alg_k = s->s3->tmp.new_cipher->algorithm_mkey; /* clear this, it may get reset by * send_server_key_exchange */ if ((s->options & SSL_OP_EPHEMERAL_RSA) #ifndef OPENSSL_NO_KRB5 - && !(l & SSL_KRB5) + && !(alg_k & SSL_kKRB5) #endif /* OPENSSL_NO_KRB5 */ ) /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key @@ -336,8 +337,8 @@ int dtls1_accept(SSL *s) /* only send if a DH key exchange or * RSA but we have a sign only certificate */ if (s->s3->tmp.use_rsa_tmp - || (l & SSL_DH) - || ((l & SSL_kRSA) + || (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) + || ((alg_k & SSL_kRSA) && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher) @@ -367,12 +368,12 @@ int dtls1_accept(SSL *s) /* never request cert in anonymous ciphersuites * (see section "Certificate request" in SSL 3 drafts * and in RFC 2246): */ - ((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) && + ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && /* ... except when the application insists on verification * (against the specs, but s3_clnt.c accepts this for SSL 3) */ !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || - /* never request cert in Kerberos ciphersuites */ - (s->s3->tmp.new_cipher->algorithms & SSL_aKRB5)) + /* never request cert in Kerberos ciphersuites */ + (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) { /* no cert request */ skip=1; @@ -625,15 +626,15 @@ int dtls1_send_hello_verify_request(SSL *s) *(p++) = s->version & 0xFF; *(p++) = (unsigned char) s->d1->cookie_len; - if ( s->ctx->app_gen_cookie_cb != NULL && - s->ctx->app_gen_cookie_cb(s, s->d1->cookie, - &(s->d1->cookie_len)) == 0) - { - SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST,ERR_R_INTERNAL_ERROR); - return 0; - } - /* else the cookie is assumed to have - * been initialized by the application */ + if (s->ctx->app_gen_cookie_cb != NULL && + s->ctx->app_gen_cookie_cb(s, s->d1->cookie, + &(s->d1->cookie_len)) == 0) + { + SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST,ERR_R_INTERNAL_ERROR); + return 0; + } + /* else the cookie is assumed to have + * been initialized by the application */ memcpy(p, s->d1->cookie, s->d1->cookie_len); p += s->d1->cookie_len; @@ -784,7 +785,7 @@ int dtls1_send_server_key_exchange(SSL *s) EVP_MD_CTX_init(&md_ctx); if (s->state == SSL3_ST_SW_KEY_EXCH_A) { - type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK; + type=s->s3->tmp.new_cipher->algorithm_mkey; cert=s->cert; buf=s->init_buf; @@ -889,7 +890,7 @@ int dtls1_send_server_key_exchange(SSL *s) n+=2+nr[i]; } - if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)) + if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)) { if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher)) == NULL) @@ -1107,14 +1108,15 @@ int dtls1_send_server_certificate(SSL *s) if (s->state == SSL3_ST_SW_CERT_A) { x=ssl_get_server_send_cert(s); - if (x == NULL && - /* VRS: allow null cert if auth == KRB5 */ - (s->s3->tmp.new_cipher->algorithms - & (SSL_MKEY_MASK|SSL_AUTH_MASK)) - != (SSL_aKRB5|SSL_kKRB5)) + if (x == NULL) { - SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR); - return(0); + /* VRS: allow null cert if auth == KRB5 */ + if ((s->s3->tmp.new_cipher->algorithm_mkey != SSL_kKRB5) || + (s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5)) + { + SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR); + return(0); + } } l=dtls1_output_cert_chain(s,x); diff --git a/ssl/s2_lib.c b/ssl/s2_lib.c index debaece1d2..30ca8606e4 100644 --- a/ssl/s2_lib.c +++ b/ssl/s2_lib.c @@ -55,6 +55,59 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ +/* ==================================================================== + * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ #include "ssl_locl.h" #ifndef OPENSSL_NO_SSL2 @@ -69,131 +122,158 @@ const char ssl2_version_str[]="SSLv2" OPENSSL_VERSION_PTEXT; /* list of available SSLv2 ciphers (sorted by id) */ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={ -/* NULL_WITH_MD5 v3 */ #if 0 +/* NULL_WITH_MD5 v3 */ { 1, SSL2_TXT_NULL_WITH_MD5, SSL2_CK_NULL_WITH_MD5, - SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5|SSL_SSLV2, + SSL_kRSA, + SSL_aRSA, + SSL_eNULL, + SSL_MD5, + SSL_SSLV2, SSL_EXPORT|SSL_EXP40|SSL_STRONG_NONE, 0, 0, 0, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, #endif + /* RC4_128_WITH_MD5 */ { 1, SSL2_TXT_RC4_128_WITH_MD5, SSL2_CK_RC4_128_WITH_MD5, - SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_SSLV2, + SSL_kRSA, + SSL_aRSA, + SSL_RC4, + SSL_MD5, + SSL_SSLV2, SSL_NOT_EXP|SSL_MEDIUM, 0, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* RC4_128_EXPORT40_WITH_MD5 */ { 1, SSL2_TXT_RC4_128_EXPORT40_WITH_MD5, SSL2_CK_RC4_128_EXPORT40_WITH_MD5, - SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_SSLV2, + SSL_kRSA, + SSL_aRSA, + SSL_RC4, + SSL_MD5, + SSL_SSLV2, SSL_EXPORT|SSL_EXP40, SSL2_CF_5_BYTE_ENC, 40, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* RC2_128_CBC_WITH_MD5 */ { 1, SSL2_TXT_RC2_128_CBC_WITH_MD5, SSL2_CK_RC2_128_CBC_WITH_MD5, - SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_SSLV2, + SSL_kRSA, + SSL_aRSA, + SSL_RC2, + SSL_MD5, + SSL_SSLV2, SSL_NOT_EXP|SSL_MEDIUM, 0, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* RC2_128_CBC_EXPORT40_WITH_MD5 */ { 1, SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5, SSL2_CK_RC2_128_CBC_EXPORT40_WITH_MD5, - SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_SSLV2, + SSL_kRSA, + SSL_aRSA, + SSL_RC2, + SSL_MD5, + SSL_SSLV2, SSL_EXPORT|SSL_EXP40, SSL2_CF_5_BYTE_ENC, 40, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, -/* IDEA_128_CBC_WITH_MD5 */ + #ifndef OPENSSL_NO_IDEA +/* IDEA_128_CBC_WITH_MD5 */ { 1, SSL2_TXT_IDEA_128_CBC_WITH_MD5, SSL2_CK_IDEA_128_CBC_WITH_MD5, - SSL_kRSA|SSL_aRSA|SSL_IDEA|SSL_MD5|SSL_SSLV2, + SSL_kRSA, + SSL_aRSA, + SSL_IDEA, + SSL_MD5, + SSL_SSLV2, SSL_NOT_EXP|SSL_MEDIUM, 0, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, #endif + /* DES_64_CBC_WITH_MD5 */ { 1, SSL2_TXT_DES_64_CBC_WITH_MD5, SSL2_CK_DES_64_CBC_WITH_MD5, - SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5|SSL_SSLV2, + SSL_kRSA, + SSL_aRSA, + SSL_DES, + SSL_MD5, + SSL_SSLV2, SSL_NOT_EXP|SSL_LOW, 0, 56, 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* DES_192_EDE3_CBC_WITH_MD5 */ { 1, SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5, SSL2_CK_DES_192_EDE3_CBC_WITH_MD5, - SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5|SSL_SSLV2, + SSL_kRSA, + SSL_aRSA, + SSL_3DES, + SSL_MD5, + SSL_SSLV2, SSL_NOT_EXP|SSL_HIGH, 0, 168, 168, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, -/* RC4_64_WITH_MD5 */ + #if 0 +/* RC4_64_WITH_MD5 */ { 1, SSL2_TXT_RC4_64_WITH_MD5, SSL2_CK_RC4_64_WITH_MD5, - SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_SSLV2, + SSL_kRSA, + SSL_aRSA, + SSL_RC4, + SSL_MD5, + SSL_SSLV2, SSL_NOT_EXP|SSL_LOW, SSL2_CF_8_BYTE_ENC, 64, 64, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, #endif -/* NULL SSLeay (testing) */ + #if 0 +/* NULL SSLeay (testing) */ { 0, SSL2_TXT_NULL, @@ -203,8 +283,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={ 0, 0, 0, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, #endif diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 4a34b445ee..2a19ec496e 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -180,7 +180,7 @@ IMPLEMENT_ssl3_meth_func(SSLv3_client_method, int ssl3_connect(SSL *s) { BUF_MEM *buf=NULL; - unsigned long Time=(unsigned long)time(NULL),l; + unsigned long Time=(unsigned long)time(NULL); long num1; void (*cb)(const SSL *ssl,int type,int val)=NULL; int ret= -1; @@ -288,8 +288,8 @@ int ssl3_connect(SSL *s) case SSL3_ST_CR_CERT_B: /* Check if it is anon DH/ECDH */ /* or PSK */ - if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL) - && !(s->s3->tmp.new_cipher->algorithms & SSL_kPSK)) + if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && + !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { ret=ssl3_get_server_certificate(s); if (ret <= 0) goto end; @@ -350,7 +350,6 @@ int ssl3_connect(SSL *s) case SSL3_ST_CW_KEY_EXCH_B: ret=ssl3_send_client_key_exchange(s); if (ret <= 0) goto end; - l=s->s3->tmp.new_cipher->algorithms; /* EAY EAY EAY need to check for DH fix cert * sent back */ /* For TLS, cert_req is set to 2, so a cert chain @@ -940,10 +939,10 @@ int ssl3_get_server_certificate(SSL *s) i=ssl_verify_cert_chain(s,sk); if ((s->verify_mode != SSL_VERIFY_NONE) && (!i) #ifndef OPENSSL_NO_KRB5 - && (s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK)) - != (SSL_aKRB5|SSL_kKRB5) + && !((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) && + (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) #endif /* OPENSSL_NO_KRB5 */ - ) + ) { al=ssl_verify_alarm_type(s->verify_result); SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED); @@ -967,15 +966,15 @@ int ssl3_get_server_certificate(SSL *s) pkey=X509_get_pubkey(x); /* VRS: allow null cert if auth == KRB5 */ - need_cert = ((s->s3->tmp.new_cipher->algorithms - & (SSL_MKEY_MASK|SSL_AUTH_MASK)) - == (SSL_aKRB5|SSL_kKRB5))? 0: 1; + need_cert = ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) && + (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) + ? 0 : 1; #ifdef KSSL_DEBUG printf("pkey,x = %p, %p\n", pkey,x); printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey)); - printf("cipher, alg, nc = %s, %lx, %d\n", s->s3->tmp.new_cipher->name, - s->s3->tmp.new_cipher->algorithms, need_cert); + printf("cipher, alg, nc = %s, %lx, %lx, %d\n", s->s3->tmp.new_cipher->name, + s->s3->tmp.new_cipher->algorithm_mkey, s->s3->tmp.new_cipher->algorithm_auth, need_cert); #endif /* KSSL_DEBUG */ if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))) @@ -1047,7 +1046,7 @@ int ssl3_get_key_exchange(SSL *s) EVP_MD_CTX md_ctx; unsigned char *param,*p; int al,i,j,param_len,ok; - long n,alg; + long n,alg_k,alg_a; EVP_PKEY *pkey=NULL; #ifndef OPENSSL_NO_RSA RSA *rsa=NULL; @@ -1080,7 +1079,7 @@ int ssl3_get_key_exchange(SSL *s) omitted if no identity hint is sent. Set session->sess_cert anyway to avoid problems later.*/ - if (s->s3->tmp.new_cipher->algorithms & SSL_kPSK) + if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) { s->session->sess_cert=ssl_sess_cert_new(); if (s->ctx->psk_identity_hint) @@ -1123,12 +1122,13 @@ int ssl3_get_key_exchange(SSL *s) } param_len=0; - alg=s->s3->tmp.new_cipher->algorithms; + alg_k=s->s3->tmp.new_cipher->algorithm_mkey; + alg_a=s->s3->tmp.new_cipher->algorithm_auth; EVP_MD_CTX_init(&md_ctx); #ifndef OPENSSL_NO_PSK - if (alg & SSL_kPSK) - { + if (alg_k & SSL_kPSK) + { char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1]; al=SSL_AD_HANDSHAKE_FAILURE; @@ -1164,7 +1164,7 @@ int ssl3_get_key_exchange(SSL *s) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); goto f_err; - } + } p+=i; n-=param_len; @@ -1172,7 +1172,7 @@ int ssl3_get_key_exchange(SSL *s) else #endif /* !OPENSSL_NO_PSK */ #ifndef OPENSSL_NO_RSA - if (alg & SSL_kRSA) + if (alg_k & SSL_kRSA) { if ((rsa=RSA_new()) == NULL) { @@ -1211,7 +1211,7 @@ int ssl3_get_key_exchange(SSL *s) n-=param_len; /* this should be because we are using an export cipher */ - if (alg & SSL_aRSA) + if (alg_a & SSL_aRSA) pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); else { @@ -1226,7 +1226,7 @@ int ssl3_get_key_exchange(SSL *s) ; #endif #ifndef OPENSSL_NO_DH - else if (alg & SSL_kEDH) + else if (alg_k & SSL_kEDH) { if ((dh=DH_new()) == NULL) { @@ -1280,14 +1280,14 @@ int ssl3_get_key_exchange(SSL *s) n-=param_len; #ifndef OPENSSL_NO_RSA - if (alg & SSL_aRSA) + if (alg_a & SSL_aRSA) pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); #else if (0) ; #endif #ifndef OPENSSL_NO_DSA - else if (alg & SSL_aDSS) + else if (alg_a & SSL_aDSS) pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); #endif /* else anonymous DH, so no certificate or pkey. */ @@ -1295,7 +1295,7 @@ int ssl3_get_key_exchange(SSL *s) s->session->sess_cert->peer_dh_tmp=dh; dh=NULL; } - else if ((alg & SSL_kDHr) || (alg & SSL_kDHd)) + else if ((alg_k & SSL_kDHr) || (alg_k & SSL_kDHd)) { al=SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER); @@ -1304,7 +1304,7 @@ int ssl3_get_key_exchange(SSL *s) #endif /* !OPENSSL_NO_DH */ #ifndef OPENSSL_NO_ECDH - else if (alg & SSL_kEECDH) + else if (alg_k & SSL_kEECDH) { EC_GROUP *ngroup; const EC_GROUP *group; @@ -1388,11 +1388,11 @@ int ssl3_get_key_exchange(SSL *s) */ if (0) ; #ifndef OPENSSL_NO_RSA - else if (alg & SSL_aRSA) + else if (alg_a & SSL_aRSA) pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); #endif #ifndef OPENSSL_NO_ECDSA - else if (alg & SSL_aECDSA) + else if (alg_a & SSL_aECDSA) pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); #endif /* else anonymous ECDH, so no certificate or pkey. */ @@ -1403,7 +1403,7 @@ int ssl3_get_key_exchange(SSL *s) EC_POINT_free(srvr_ecpoint); srvr_ecpoint = NULL; } - else if (alg) + else if (alg_k) { al=SSL_AD_UNEXPECTED_MESSAGE; SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); @@ -1508,7 +1508,7 @@ int ssl3_get_key_exchange(SSL *s) } else { - if (!(alg & SSL_aNULL) && !(alg & SSL_kPSK)) + if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK)) /* aNULL or kPSK do not need public keys */ { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); @@ -1584,8 +1584,7 @@ int ssl3_get_certificate_request(SSL *s) /* TLS does not like anon-DH with client cert */ if (s->version > SSL3_VERSION) { - l=s->s3->tmp.new_cipher->algorithms; - if (l & SSL_aNULL) + if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) { ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER); @@ -1724,7 +1723,7 @@ int ssl3_send_client_key_exchange(SSL *s) { unsigned char *p,*d; int n; - unsigned long l; + unsigned long alg_k; #ifndef OPENSSL_NO_RSA unsigned char *q; EVP_PKEY *pkey=NULL; @@ -1746,12 +1745,12 @@ int ssl3_send_client_key_exchange(SSL *s) d=(unsigned char *)s->init_buf->data; p= &(d[4]); - l=s->s3->tmp.new_cipher->algorithms; + alg_k=s->s3->tmp.new_cipher->algorithm_mkey; /* Fool emacs indentation */ if (0) {} #ifndef OPENSSL_NO_RSA - else if (l & SSL_kRSA) + else if (alg_k & SSL_kRSA) { RSA *rsa; unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; @@ -1810,7 +1809,7 @@ int ssl3_send_client_key_exchange(SSL *s) } #endif #ifndef OPENSSL_NO_KRB5 - else if (l & SSL_kKRB5) + else if (alg_k & SSL_kKRB5) { krb5_error_code krb5rc; KSSL_CTX *kssl_ctx = s->kssl_ctx; @@ -1829,7 +1828,7 @@ int ssl3_send_client_key_exchange(SSL *s) #ifdef KSSL_DEBUG printf("ssl3_send_client_key_exchange(%lx & %lx)\n", - l, SSL_kKRB5); + l, SSL_kKRB5); #endif /* KSSL_DEBUG */ authp = NULL; @@ -1935,7 +1934,7 @@ int ssl3_send_client_key_exchange(SSL *s) n+=outl + 2; s->session->master_key_length= - s->method->ssl3_enc->generate_master_secret(s, + s->method->ssl3_enc->generate_master_secret(s, s->session->master_key, tmp_buf, sizeof tmp_buf); @@ -1944,7 +1943,7 @@ int ssl3_send_client_key_exchange(SSL *s) } #endif #ifndef OPENSSL_NO_DH - else if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) + else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { DH *dh_srvr,*dh_clnt; @@ -2001,7 +2000,7 @@ int ssl3_send_client_key_exchange(SSL *s) #endif #ifndef OPENSSL_NO_ECDH - else if ((l & SSL_kECDH) || (l & SSL_kEECDH)) + else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) { const EC_GROUP *srvr_group = NULL; EC_KEY *tkey; @@ -2013,7 +2012,7 @@ int ssl3_send_client_key_exchange(SSL *s) * computation as part of client certificate? * If so, set ecdh_clnt_cert to 1. */ - if ((l & SSL_kECDH) && (s->cert != NULL)) + if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL)) { /* XXX: For now, we do not support client * authentication using ECDH certificates. @@ -2186,7 +2185,7 @@ int ssl3_send_client_key_exchange(SSL *s) } #endif /* !OPENSSL_NO_ECDH */ #ifndef OPENSSL_NO_PSK - else if (l & SSL_kPSK) + else if (alg_k & SSL_kPSK) { char identity[PSK_MAX_IDENTITY_LEN]; unsigned char *t = NULL; @@ -2259,7 +2258,7 @@ int ssl3_send_client_key_exchange(SSL *s) psk_err = 0; psk_err: OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN); - OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms)); + OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms)); if (psk_err != 0) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); @@ -2468,7 +2467,7 @@ int ssl3_send_client_certificate(SSL *s) int ssl3_check_cert_and_algorithm(SSL *s) { int i,idx; - long algs; + long alg_k,alg_a; EVP_PKEY *pkey=NULL; SESS_CERT *sc; #ifndef OPENSSL_NO_RSA @@ -2485,10 +2484,11 @@ int ssl3_check_cert_and_algorithm(SSL *s) goto err; } - algs=s->s3->tmp.new_cipher->algorithms; + alg_k=s->s3->tmp.new_cipher->algorithm_mkey; + alg_a=s->s3->tmp.new_cipher->algorithm_auth; /* we don't have a certificate */ - if (algs & (SSL_aDH|SSL_aNULL|SSL_aKRB5|SSL_kPSK)) + if ((alg_a & (SSL_aDH|SSL_aNULL|SSL_aKRB5)) || (alg_k & SSL_kPSK)) return(1); #ifndef OPENSSL_NO_RSA @@ -2508,7 +2508,7 @@ int ssl3_check_cert_and_algorithm(SSL *s) s->s3->tmp.new_cipher) == 0) { /* check failed */ SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_BAD_ECC_CERT); - goto f_err; + goto f_err; } else { @@ -2522,20 +2522,20 @@ int ssl3_check_cert_and_algorithm(SSL *s) /* Check that we have a certificate if we require one */ - if ((algs & SSL_aRSA) && !has_bits(i,EVP_PK_RSA|EVP_PKT_SIGN)) + if ((alg_a & SSL_aRSA) && !has_bits(i,EVP_PK_RSA|EVP_PKT_SIGN)) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_SIGNING_CERT); goto f_err; } #ifndef OPENSSL_NO_DSA - else if ((algs & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN)) + else if ((alg_a & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN)) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DSA_SIGNING_CERT); goto f_err; } #endif #ifndef OPENSSL_NO_RSA - if ((algs & SSL_kRSA) && + if ((alg_k & SSL_kRSA) && !(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL))) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_ENCRYPTING_CERT); @@ -2543,19 +2543,19 @@ int ssl3_check_cert_and_algorithm(SSL *s) } #endif #ifndef OPENSSL_NO_DH - if ((algs & SSL_kEDH) && + if ((alg_k & SSL_kEDH) && !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY); goto f_err; } - else if ((algs & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA)) + else if ((alg_k & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA)) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT); goto f_err; } #ifndef OPENSSL_NO_DSA - else if ((algs & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA)) + else if ((alg_k & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA)) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT); goto f_err; @@ -2566,7 +2566,7 @@ int ssl3_check_cert_and_algorithm(SSL *s) if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP)) { #ifndef OPENSSL_NO_RSA - if (algs & SSL_kRSA) + if (alg_k & SSL_kRSA) { if (rsa == NULL || RSA_size(rsa)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) @@ -2578,7 +2578,7 @@ int ssl3_check_cert_and_algorithm(SSL *s) else #endif #ifndef OPENSSL_NO_DH - if (algs & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) + if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { if (dh == NULL || DH_size(dh)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c index 1690663e04..8f3ba93d61 100644 --- a/ssl/s3_enc.c +++ b/ssl/s3_enc.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -430,11 +430,11 @@ int ssl3_setup_key_block(SSL *s) if (s->session->cipher != NULL) { - if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_eNULL) + if (s->session->cipher->algorithm_enc == SSL_eNULL) s->s3->need_empty_fragments = 0; #ifndef OPENSSL_NO_RC4 - if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4) + if (s->session->cipher->algorithm_enc == SSL_RC4) s->s3->need_empty_fragments = 0; #endif } diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 4527429b69..37d8ce49a5 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -168,217 +168,265 @@ const char ssl3_version_str[]="SSLv3" OPENSSL_VERSION_PTEXT; /* list of available SSLv3 ciphers (sorted by id) */ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ + /* The RSA ciphers */ /* Cipher 01 */ { 1, SSL3_TXT_RSA_NULL_MD5, SSL3_CK_RSA_NULL_MD5, - SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_MD5|SSL_SSLV3, + SSL_kRSA, + SSL_aRSA, + SSL_eNULL, + SSL_MD5, + SSL_SSLV3, SSL_NOT_EXP|SSL_STRONG_NONE, 0, 0, 0, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 02 */ { 1, SSL3_TXT_RSA_NULL_SHA, SSL3_CK_RSA_NULL_SHA, - SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3, + SSL_kRSA, + SSL_aRSA, + SSL_eNULL, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_STRONG_NONE, 0, 0, 0, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 03 */ { 1, SSL3_TXT_RSA_RC4_40_MD5, SSL3_CK_RSA_RC4_40_MD5, - SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5 |SSL_SSLV3, + SSL_kRSA, + SSL_aRSA, + SSL_RC4, + SSL_MD5, + SSL_SSLV3, SSL_EXPORT|SSL_EXP40, 0, 40, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 04 */ { 1, SSL3_TXT_RSA_RC4_128_MD5, SSL3_CK_RSA_RC4_128_MD5, - SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5|SSL_SSLV3, + SSL_kRSA, + SSL_aRSA, + SSL_RC4, + SSL_MD5, + SSL_SSLV3, SSL_NOT_EXP|SSL_MEDIUM, 0, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 05 */ { 1, SSL3_TXT_RSA_RC4_128_SHA, SSL3_CK_RSA_RC4_128_SHA, - SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_SHA1|SSL_SSLV3, + SSL_kRSA, + SSL_aRSA, + SSL_RC4, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_MEDIUM, 0, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 06 */ { 1, SSL3_TXT_RSA_RC2_40_MD5, SSL3_CK_RSA_RC2_40_MD5, - SSL_kRSA|SSL_aRSA|SSL_RC2 |SSL_MD5 |SSL_SSLV3, + SSL_kRSA, + SSL_aRSA, + SSL_RC2, + SSL_MD5, + SSL_SSLV3, SSL_EXPORT|SSL_EXP40, 0, 40, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 07 */ #ifndef OPENSSL_NO_IDEA { 1, SSL3_TXT_RSA_IDEA_128_SHA, SSL3_CK_RSA_IDEA_128_SHA, - SSL_kRSA|SSL_aRSA|SSL_IDEA |SSL_SHA1|SSL_SSLV3, + SSL_kRSA, + SSL_aRSA, + SSL_IDEA, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_MEDIUM, 0, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, #endif + /* Cipher 08 */ { 1, SSL3_TXT_RSA_DES_40_CBC_SHA, SSL3_CK_RSA_DES_40_CBC_SHA, - SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3, + SSL_kRSA, + SSL_aRSA, + SSL_DES, + SSL_SHA1, + SSL_SSLV3, SSL_EXPORT|SSL_EXP40, 0, 40, 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 09 */ { 1, SSL3_TXT_RSA_DES_64_CBC_SHA, SSL3_CK_RSA_DES_64_CBC_SHA, - SSL_kRSA|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_SSLV3, + SSL_kRSA, + SSL_aRSA, + SSL_DES, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_LOW, 0, 56, 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 0A */ { 1, SSL3_TXT_RSA_DES_192_CBC3_SHA, SSL3_CK_RSA_DES_192_CBC3_SHA, - SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3, + SSL_kRSA, + SSL_aRSA, + SSL_3DES, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH, 0, 168, 168, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* The DH ciphers */ /* Cipher 0B */ { 0, SSL3_TXT_DH_DSS_DES_40_CBC_SHA, SSL3_CK_DH_DSS_DES_40_CBC_SHA, - SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3, + SSL_kDHd, + SSL_aDH, + SSL_DES, + SSL_SHA1, + SSL_SSLV3, SSL_EXPORT|SSL_EXP40, 0, 40, 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 0C */ { 0, /* not implemented (non-ephemeral DH) */ SSL3_TXT_DH_DSS_DES_64_CBC_SHA, SSL3_CK_DH_DSS_DES_64_CBC_SHA, - SSL_kDHd |SSL_aDH|SSL_DES |SSL_SHA1|SSL_SSLV3, + SSL_kDHd, + SSL_aDH, + SSL_DES, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_LOW, 0, 56, 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 0D */ { 0, /* not implemented (non-ephemeral DH) */ SSL3_TXT_DH_DSS_DES_192_CBC3_SHA, SSL3_CK_DH_DSS_DES_192_CBC3_SHA, - SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3, + SSL_kDHd, + SSL_aDH, + SSL_3DES, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH, 0, 168, 168, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 0E */ { 0, /* not implemented (non-ephemeral DH) */ SSL3_TXT_DH_RSA_DES_40_CBC_SHA, SSL3_CK_DH_RSA_DES_40_CBC_SHA, - SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3, + SSL_kDHr, + SSL_aDH, + SSL_DES, + SSL_SHA1, + SSL_SSLV3, SSL_EXPORT|SSL_EXP40, 0, 40, 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 0F */ { 0, /* not implemented (non-ephemeral DH) */ SSL3_TXT_DH_RSA_DES_64_CBC_SHA, SSL3_CK_DH_RSA_DES_64_CBC_SHA, - SSL_kDHr |SSL_aDH|SSL_DES |SSL_SHA1|SSL_SSLV3, + SSL_kDHr, + SSL_aDH, + SSL_DES, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_LOW, 0, 56, 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 10 */ { 0, /* not implemented (non-ephemeral DH) */ SSL3_TXT_DH_RSA_DES_192_CBC3_SHA, SSL3_CK_DH_RSA_DES_192_CBC3_SHA, - SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3, + SSL_kDHr, + SSL_aDH, + SSL_3DES, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH, 0, 168, 168, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* The Ephemeral DH ciphers */ @@ -387,143 +435,175 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_EDH_DSS_DES_40_CBC_SHA, SSL3_CK_EDH_DSS_DES_40_CBC_SHA, - SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_SSLV3, + SSL_kEDH, + SSL_aDSS, + SSL_DES, + SSL_SHA1, + SSL_SSLV3, SSL_EXPORT|SSL_EXP40, 0, 40, 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 12 */ { 1, SSL3_TXT_EDH_DSS_DES_64_CBC_SHA, SSL3_CK_EDH_DSS_DES_64_CBC_SHA, - SSL_kEDH|SSL_aDSS|SSL_DES |SSL_SHA1|SSL_SSLV3, + SSL_kEDH, + SSL_aDSS, + SSL_DES, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_LOW, 0, 56, 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 13 */ { 1, SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA, SSL3_CK_EDH_DSS_DES_192_CBC3_SHA, - SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_SSLV3, + SSL_kEDH, + SSL_aDSS, + SSL_3DES, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH, 0, 168, 168, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 14 */ { 1, SSL3_TXT_EDH_RSA_DES_40_CBC_SHA, SSL3_CK_EDH_RSA_DES_40_CBC_SHA, - SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3, + SSL_kEDH, + SSL_aRSA, + SSL_DES, + SSL_SHA1, + SSL_SSLV3, SSL_EXPORT|SSL_EXP40, 0, 40, 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 15 */ { 1, SSL3_TXT_EDH_RSA_DES_64_CBC_SHA, SSL3_CK_EDH_RSA_DES_64_CBC_SHA, - SSL_kEDH|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_SSLV3, + SSL_kEDH, + SSL_aRSA, + SSL_DES, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_LOW, 0, 56, 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 16 */ { 1, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, SSL3_CK_EDH_RSA_DES_192_CBC3_SHA, - SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3, + SSL_kEDH, + SSL_aRSA, + SSL_3DES, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH, 0, 168, 168, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 17 */ { 1, SSL3_TXT_ADH_RC4_40_MD5, SSL3_CK_ADH_RC4_40_MD5, - SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_SSLV3, + SSL_kEDH, + SSL_aNULL, + SSL_RC4, + SSL_MD5, + SSL_SSLV3, SSL_EXPORT|SSL_EXP40, 0, 40, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 18 */ { 1, SSL3_TXT_ADH_RC4_128_MD5, SSL3_CK_ADH_RC4_128_MD5, - SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_SSLV3, + SSL_kEDH, + SSL_aNULL, + SSL_RC4, + SSL_MD5, + SSL_SSLV3, SSL_NOT_EXP|SSL_MEDIUM, 0, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 19 */ { 1, SSL3_TXT_ADH_DES_40_CBC_SHA, SSL3_CK_ADH_DES_40_CBC_SHA, - SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_SSLV3, + SSL_kEDH, + SSL_aNULL, + SSL_DES, + SSL_SHA1, + SSL_SSLV3, SSL_EXPORT|SSL_EXP40, 0, 40, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 1A */ { 1, SSL3_TXT_ADH_DES_64_CBC_SHA, SSL3_CK_ADH_DES_64_CBC_SHA, - SSL_kEDH |SSL_aNULL|SSL_DES |SSL_SHA1|SSL_SSLV3, + SSL_kEDH, + SSL_aNULL, + SSL_DES, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_LOW, 0, 56, 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 1B */ { 1, SSL3_TXT_ADH_DES_192_CBC_SHA, SSL3_CK_ADH_DES_192_CBC_SHA, - SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3, + SSL_kEDH, + SSL_aNULL, + SSL_3DES, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH, 0, 168, 168, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Fortezza ciphersuite from SSL 3.0 spec */ @@ -533,13 +613,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 0, SSL3_TXT_FZA_DMS_NULL_SHA, SSL3_CK_FZA_DMS_NULL_SHA, - SSL_kFZA|SSL_aFZA |SSL_eNULL |SSL_SHA1|SSL_SSLV3, + SSL_kFZA, + SSL_aFZA, + SSL_eNULL, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_STRONG_NONE, 0, 0, 0, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 1D */ @@ -547,13 +629,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 0, SSL3_TXT_FZA_DMS_FZA_SHA, SSL3_CK_FZA_DMS_FZA_SHA, - SSL_kFZA|SSL_aFZA |SSL_eFZA |SSL_SHA1|SSL_SSLV3, + SSL_kFZA, + SSL_aFZA, + SSL_eFZA, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_STRONG_NONE, 0, 0, 0, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 1E */ @@ -561,13 +645,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 0, SSL3_TXT_FZA_DMS_RC4_SHA, SSL3_CK_FZA_DMS_RC4_SHA, - SSL_kFZA|SSL_aFZA |SSL_RC4 |SSL_SHA1|SSL_SSLV3, + SSL_kFZA, + SSL_aFZA, + SSL_RC4, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_MEDIUM, 0, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, #endif @@ -581,13 +667,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_KRB5_DES_64_CBC_SHA, SSL3_CK_KRB5_DES_64_CBC_SHA, - SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3, + SSL_kKRB5, + SSL_aKRB5, + SSL_DES, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_LOW, 0, 56, 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 1F */ @@ -595,13 +683,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_KRB5_DES_192_CBC3_SHA, SSL3_CK_KRB5_DES_192_CBC3_SHA, - SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_SHA1 |SSL_SSLV3, + SSL_kKRB5, + SSL_aKRB5, + SSL_3DES, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH, 0, 112, 168, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 20 */ @@ -609,13 +699,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_KRB5_RC4_128_SHA, SSL3_CK_KRB5_RC4_128_SHA, - SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_SHA1 |SSL_SSLV3, - SSL_NOT_EXP|SSL_MEDIUM, + SSL_kKRB5,SSL_aKRB5, + SSL_RC4, + SSL_SHA1, + SSL_SSLV3, + SSL_NOT_EXP, + SSL_MEDIUM, 0, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 21 */ @@ -623,13 +715,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_KRB5_IDEA_128_CBC_SHA, SSL3_CK_KRB5_IDEA_128_CBC_SHA, - SSL_kKRB5|SSL_aKRB5| SSL_IDEA|SSL_SHA1 |SSL_SSLV3, + SSL_kKRB5, + SSL_aKRB5, + SSL_IDEA, + SSL_SHA1, + SSL_SSLV3, SSL_NOT_EXP|SSL_MEDIUM, 0, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 22 */ @@ -637,13 +731,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_KRB5_DES_64_CBC_MD5, SSL3_CK_KRB5_DES_64_CBC_MD5, - SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_MD5 |SSL_SSLV3, + SSL_kKRB5, + SSL_aKRB5, + SSL_DES, + SSL_MD5, + SSL_SSLV3, SSL_NOT_EXP|SSL_LOW, 0, 56, 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 23 */ @@ -651,13 +747,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_KRB5_DES_192_CBC3_MD5, SSL3_CK_KRB5_DES_192_CBC3_MD5, - SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_MD5 |SSL_SSLV3, + SSL_kKRB5, + SSL_aKRB5, + SSL_3DES, + SSL_MD5, + SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH, 0, 112, 168, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 24 */ @@ -665,13 +763,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_KRB5_RC4_128_MD5, SSL3_CK_KRB5_RC4_128_MD5, - SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_MD5 |SSL_SSLV3, + SSL_kKRB5, + SSL_aKRB5, + SSL_RC4, + SSL_MD5, + SSL_SSLV3, SSL_NOT_EXP|SSL_MEDIUM, 0, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 25 */ @@ -679,13 +779,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_KRB5_IDEA_128_CBC_MD5, SSL3_CK_KRB5_IDEA_128_CBC_MD5, - SSL_kKRB5|SSL_aKRB5| SSL_IDEA|SSL_MD5 |SSL_SSLV3, + SSL_kKRB5, + SSL_aKRB5, + SSL_IDEA, + SSL_MD5, + SSL_SSLV3, SSL_NOT_EXP|SSL_MEDIUM, 0, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 26 */ @@ -693,13 +795,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_KRB5_DES_40_CBC_SHA, SSL3_CK_KRB5_DES_40_CBC_SHA, - SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3, + SSL_kKRB5, + SSL_aKRB5, + SSL_DES, + SSL_SHA1, + |SSL_SSLV3, SSL_EXPORT|SSL_EXP40, 0, 40, 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 27 */ @@ -707,13 +811,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_KRB5_RC2_40_CBC_SHA, SSL3_CK_KRB5_RC2_40_CBC_SHA, - SSL_kKRB5|SSL_aKRB5| SSL_RC2|SSL_SHA1 |SSL_SSLV3, + SSL_kKRB5, + SSL_aKRB5, + SSL_RC2, + SSL_SHA1, + SSL_SSLV3, SSL_EXPORT|SSL_EXP40, 0, 40, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 28 */ @@ -721,13 +827,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_KRB5_RC4_40_SHA, SSL3_CK_KRB5_RC4_40_SHA, - SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_SHA1 |SSL_SSLV3, + SSL_kKRB5, + SSL_aKRB5, + SSL_RC4, + SSL_SHA1, + SSL_SSLV3, SSL_EXPORT|SSL_EXP40, 0, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 29 */ @@ -735,13 +843,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_KRB5_DES_40_CBC_MD5, SSL3_CK_KRB5_DES_40_CBC_MD5, - SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_MD5 |SSL_SSLV3, + SSL_kKRB5, + SSL_aKRB5, + SSL_DES, + SSL_MD5, + SSL_SSLV3, SSL_EXPORT|SSL_EXP40, 0, 40, 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 2A */ @@ -749,13 +859,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_KRB5_RC2_40_CBC_MD5, SSL3_CK_KRB5_RC2_40_CBC_MD5, - SSL_kKRB5|SSL_aKRB5| SSL_RC2|SSL_MD5 |SSL_SSLV3, + SSL_kKRB5, + SSL_aKRB5, + SSL_RC2, + SSL_MD5, + SSL_SSLV3, SSL_EXPORT|SSL_EXP40, 0, 40, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 2B */ @@ -763,13 +875,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_KRB5_RC4_40_MD5, SSL3_CK_KRB5_RC4_40_MD5, - SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_MD5 |SSL_SSLV3, + SSL_kKRB5, + SSL_aKRB5, + SSL_RC4, + SSL_MD5, + SSL_SSLV3, SSL_EXPORT|SSL_EXP40, 0, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, #endif /* OPENSSL_NO_KRB5 */ @@ -779,78 +893,90 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, TLS1_TXT_RSA_WITH_AES_128_SHA, TLS1_CK_RSA_WITH_AES_128_SHA, - SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1, + SSL_kRSA, + SSL_aRSA, + SSL_AES128, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, 0, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 30 */ { 0, TLS1_TXT_DH_DSS_WITH_AES_128_SHA, TLS1_CK_DH_DSS_WITH_AES_128_SHA, - SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_kDHd, + SSL_aDH, + SSL_AES128, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, 0, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 31 */ { 0, TLS1_TXT_DH_RSA_WITH_AES_128_SHA, TLS1_CK_DH_RSA_WITH_AES_128_SHA, - SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_kDHr, + SSL_aDH, + SSL_AES128, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, 0, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 32 */ { 1, TLS1_TXT_DHE_DSS_WITH_AES_128_SHA, TLS1_CK_DHE_DSS_WITH_AES_128_SHA, - SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_kEDH, + SSL_aDSS, + SSL_AES128, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, 0, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 33 */ { 1, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, TLS1_CK_DHE_RSA_WITH_AES_128_SHA, - SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_kEDH, + SSL_aRSA, + SSL_AES128, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, 0, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 34 */ { 1, TLS1_TXT_ADH_WITH_AES_128_SHA, TLS1_CK_ADH_WITH_AES_128_SHA, - SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_kEDH, + SSL_aNULL, + SSL_AES128, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, 0, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 35 */ @@ -858,78 +984,94 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, TLS1_TXT_RSA_WITH_AES_256_SHA, TLS1_CK_RSA_WITH_AES_256_SHA, - SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1, + SSL_kRSA, + SSL_aRSA, + SSL_AES256, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, 0, 256, 256, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 36 */ { 0, TLS1_TXT_DH_DSS_WITH_AES_256_SHA, TLS1_CK_DH_DSS_WITH_AES_256_SHA, - SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_kDHd, + SSL_aDH, + SSL_AES256, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, 0, 256, 256, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 37 */ { 0, /* not implemented (non-ephemeral DH) */ TLS1_TXT_DH_RSA_WITH_AES_256_SHA, TLS1_CK_DH_RSA_WITH_AES_256_SHA, - SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_kDHr, + SSL_aDH, + SSL_AES256, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, 0, 256, 256, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 38 */ { 1, TLS1_TXT_DHE_DSS_WITH_AES_256_SHA, TLS1_CK_DHE_DSS_WITH_AES_256_SHA, - SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_kEDH, + SSL_aDSS, + SSL_AES256, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, 0, 256, 256, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 39 */ { 1, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, TLS1_CK_DHE_RSA_WITH_AES_256_SHA, - SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_kEDH, + SSL_aRSA, + SSL_AES256, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, 0, 256, 256, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, + /* Cipher 3A */ { 1, TLS1_TXT_ADH_WITH_AES_256_SHA, TLS1_CK_ADH_WITH_AES_256_SHA, - SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_kEDH, + SSL_aNULL, + SSL_AES256, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, 0, 256, 256, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, #ifndef OPENSSL_NO_CAMELLIA @@ -940,78 +1082,95 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA, TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA, - SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, + SSL_kRSA, + SSL_aRSA, + SSL_CAMELLIA128, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, 0, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS }, + /* Cipher 42 */ { 0, /* not implemented (non-ephemeral DH) */ TLS1_TXT_DH_DSS_WITH_CAMELLIA_128_CBC_SHA, TLS1_CK_DH_DSS_WITH_CAMELLIA_128_CBC_SHA, - SSL_kDHd|SSL_aDH|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, + SSL_kDHd, + SSL_aDH, + SSL_CAMELLIA128, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, 0, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS }, + /* Cipher 43 */ { 0, /* not implemented (non-ephemeral DH) */ TLS1_TXT_DH_RSA_WITH_CAMELLIA_128_CBC_SHA, TLS1_CK_DH_RSA_WITH_CAMELLIA_128_CBC_SHA, - SSL_kDHr|SSL_aDH|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, + SSL_kDHr, + SSL_aDH, + SSL_CAMELLIA128, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, 0, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS }, + /* Cipher 44 */ { 1, TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, TLS1_CK_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, - SSL_kEDH|SSL_aDSS|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, + SSL_kEDH, + SSL_aDSS, + SSL_CAMELLIA128, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, 0, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS }, + /* Cipher 45 */ { 1, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, - SSL_kEDH|SSL_aRSA|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, + SSL_kEDH, + SSL_aRSA, + SSL_CAMELLIA128, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, 0, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS }, + /* Cipher 46 */ { 1, TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA, TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA, - SSL_kEDH|SSL_aNULL|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, + SSL_kEDH, + SSL_aNULL, + SSL_CAMELLIA128, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, 0, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS }, #endif /* OPENSSL_NO_CAMELLIA */ @@ -1019,97 +1178,117 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ /* New TLS Export CipherSuites from expired ID */ #if 0 /* Cipher 60 */ - { - 1, - TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5, - TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5, - SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_TLSV1, - SSL_EXPORT|SSL_EXP56, - 0, - 56, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5, + TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5, + SSL_kRSA, + SSL_aRSA, + SSL_RC4, + SSL_MD5, + SSL_TLSV1, + SSL_EXPORT|SSL_EXP56, + 0, + 56, + 128, + }, + /* Cipher 61 */ - { - 1, - TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, - TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, - SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_TLSV1, - SSL_EXPORT|SSL_EXP56, - 0, - 56, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, + TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, + SSL_kRSA, + SSL_aRSA, + SSL_RC2, + SSL_MD5, + SSL_TLSV1, + SSL_EXPORT|SSL_EXP56, + 0, + 56, + 128, + }, #endif + /* Cipher 62 */ - { - 1, - TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA, - TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA, - SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_TLSV1, - SSL_EXPORT|SSL_EXP56, - 0, - 56, - 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA, + TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA, + SSL_kRSA, + SSL_aRSA, + SSL_DES, + SSL_SHA1, + SSL_TLSV1, + SSL_EXPORT|SSL_EXP56, + 0, + 56, + 56, + }, + /* Cipher 63 */ - { - 1, - TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, - TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, - SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_TLSV1, - SSL_EXPORT|SSL_EXP56, - 0, - 56, - 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, + TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, + SSL_kEDH, + SSL_aDSS, + SSL_DES, + SSL_SHA1, + SSL_TLSV1, + SSL_EXPORT|SSL_EXP56, + 0, + 56, + 56, + }, + /* Cipher 64 */ - { - 1, - TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA, - TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA, - SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1, - SSL_EXPORT|SSL_EXP56, - 0, - 56, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA, + TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA, + SSL_kRSA, + SSL_aRSA, + SSL_RC4, + SSL_SHA1, + SSL_TLSV1, + SSL_EXPORT|SSL_EXP56, + 0, + 56, + 128, + }, + /* Cipher 65 */ - { - 1, - TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, - TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, - SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1, - SSL_EXPORT|SSL_EXP56, - 0, - 56, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, + TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, + SSL_kEDH, + SSL_aDSS, + SSL_RC4, + SSL_SHA1, + SSL_TLSV1, + SSL_EXPORT|SSL_EXP56, + 0, + 56, + 128, + }, + /* Cipher 66 */ - { - 1, - TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA, - TLS1_CK_DHE_DSS_WITH_RC4_128_SHA, - SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_MEDIUM, - 0, - 128, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS - }, + { + 1, + TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA, + TLS1_CK_DHE_DSS_WITH_RC4_128_SHA, + SSL_kEDH, + SSL_aDSS, + SSL_RC4, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_MEDIUM, + 0, + 128, + 128, + }, #endif #ifndef OPENSSL_NO_CAMELLIA @@ -1120,78 +1299,94 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA, TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA, - SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, + SSL_kRSA, + SSL_aRSA, + SSL_CAMELLIA256, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, 0, 256, 256, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS }, /* Cipher 85 */ { 0, /* not implemented (non-ephemeral DH) */ TLS1_TXT_DH_DSS_WITH_CAMELLIA_256_CBC_SHA, TLS1_CK_DH_DSS_WITH_CAMELLIA_256_CBC_SHA, - SSL_kDHd|SSL_aDH|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, + SSL_kDHd, + SSL_aDH, + SSL_CAMELLIA256, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, 0, 256, 256, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS }, + /* Cipher 86 */ { 0, /* not implemented (non-ephemeral DH) */ TLS1_TXT_DH_RSA_WITH_CAMELLIA_256_CBC_SHA, TLS1_CK_DH_RSA_WITH_CAMELLIA_256_CBC_SHA, - SSL_kDHr|SSL_aDH|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, + SSL_kDHr, + SSL_aDH, + SSL_CAMELLIA256, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, 0, 256, 256, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS }, + /* Cipher 87 */ { 1, TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, TLS1_CK_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, - SSL_kEDH|SSL_aDSS|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, + SSL_kEDH, + SSL_aDSS, + SSL_CAMELLIA256, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, 0, 256, 256, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS }, + /* Cipher 88 */ { 1, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, - SSL_kEDH|SSL_aRSA|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, + SSL_kEDH, + SSL_aRSA, + SSL_CAMELLIA256, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, 0, 256, 256, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS }, + /* Cipher 89 */ { 1, TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA, TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA, - SSL_kEDH|SSL_aNULL|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, + SSL_kEDH, + SSL_aNULL, + SSL_CAMELLIA256, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, 0, 256, 256, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS }, #endif /* OPENSSL_NO_CAMELLIA */ @@ -1201,13 +1396,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, TLS1_TXT_PSK_WITH_RC4_128_SHA, TLS1_CK_PSK_WITH_RC4_128_SHA, - SSL_kPSK|SSL_aPSK|SSL_RC4|SSL_SHA|SSL_TLSV1, + SSL_kPSK, + SSL_aPSK, + SSL_RC4, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_MEDIUM, 0, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 8B */ @@ -1215,13 +1412,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, TLS1_TXT_PSK_WITH_3DES_EDE_CBC_SHA, TLS1_CK_PSK_WITH_3DES_EDE_CBC_SHA, - SSL_kPSK|SSL_aPSK|SSL_3DES|SSL_SHA|SSL_TLSV1, + SSL_kPSK, + SSL_aPSK, + SSL_3DES, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, 0, 168, 168, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 8C */ @@ -1229,13 +1428,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, TLS1_TXT_PSK_WITH_AES_128_CBC_SHA, TLS1_CK_PSK_WITH_AES_128_CBC_SHA, - SSL_kPSK|SSL_aPSK|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_MEDIUM, + SSL_kPSK, + SSL_aPSK, + SSL_AES128, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, 0, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, /* Cipher 8D */ @@ -1243,369 +1444,420 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, TLS1_TXT_PSK_WITH_AES_256_CBC_SHA, TLS1_CK_PSK_WITH_AES_256_CBC_SHA, - SSL_kPSK|SSL_aPSK|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_kPSK, + SSL_aPSK, + SSL_AES256, + SSL_SHA1, + SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, 0, 256, 256, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, }, #endif /* OPENSSL_NO_PSK */ #ifndef OPENSSL_NO_ECDH /* Cipher C001 */ - { - 1, - TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA, - TLS1_CK_ECDH_ECDSA_WITH_NULL_SHA, - SSL_kECDHe|SSL_aECDH|SSL_eNULL|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP, - 0, - 0, - 0, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA, + TLS1_CK_ECDH_ECDSA_WITH_NULL_SHA, + SSL_kECDHe, + SSL_aECDH, + SSL_eNULL, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP, + 0, + 0, + 0, + }, /* Cipher C002 */ - { - 1, - TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA, - TLS1_CK_ECDH_ECDSA_WITH_RC4_128_SHA, - SSL_kECDHe|SSL_aECDH|SSL_RC4|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP, - 0, - 128, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA, + TLS1_CK_ECDH_ECDSA_WITH_RC4_128_SHA, + SSL_kECDHe, + SSL_aECDH, + SSL_RC4, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP, + 0, + 128, + 128, + }, /* Cipher C003 */ - { - 1, - TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA, - TLS1_CK_ECDH_ECDSA_WITH_DES_192_CBC3_SHA, - SSL_kECDHe|SSL_aECDH|SSL_3DES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - 0, - 168, - 168, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA, + TLS1_CK_ECDH_ECDSA_WITH_DES_192_CBC3_SHA, + SSL_kECDHe, + SSL_aECDH, + SSL_3DES, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 168, + 168, + }, /* Cipher C004 */ - { - 1, - TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA, - TLS1_CK_ECDH_ECDSA_WITH_AES_128_CBC_SHA, - SSL_kECDHe|SSL_aECDH|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - 0, - 128, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + { + 1, + TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA, + TLS1_CK_ECDH_ECDSA_WITH_AES_128_CBC_SHA, + SSL_kECDHe, + SSL_aECDH, + SSL_AES128, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 128, + 128, + }, /* Cipher C005 */ - { - 1, - TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA, - TLS1_CK_ECDH_ECD