[openssl-commits] [openssl] master update
Kurt Roeckx
kurt at openssl.org
Wed Mar 9 18:11:39 UTC 2016
The branch master has been updated
via ca3895f0b52628df29bcf87e139971904f4b9b28 (commit)
via 82478521aace0ac91221ed451fceeadc007def9d (commit)
via 29c4cf0cd12100cb45a6ef59fdbd435954d16d5d (commit)
via cdc72e497d14167d0744ef0dd52b9778c431fb59 (commit)
via d7a474264b4bc9c8ae87c897fe4c5803f97b5f8d (commit)
via 3eb2aff40116ecceab847c895cbf02cdb075d194 (commit)
via 068c358ac314032e9102b6741a0a99fdf15c5527 (commit)
via b11836a63a8973c2b61f8ccd10a085361bced2ea (commit)
via 6063453c5aec0e6a1ad0d628bc5d2b091bc23969 (commit)
via 7d65007238e86e59fcf31d23fcefa01e3b30cc37 (commit)
via e4646a8963fa6bc6f475afe7a9b9a46b151cfd1a (commit)
from ca74c38dc874e46ad913f2f6a7560125ad560aea (commit)
- Log -----------------------------------------------------------------
commit ca3895f0b52628df29bcf87e139971904f4b9b28
Author: Kurt Roeckx <kurt at roeckx.be>
Date: Tue Mar 8 20:26:38 2016 +0100
Move disabling of RC4 for DTLS to the cipher list.
Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
MR: #1595
commit 82478521aace0ac91221ed451fceeadc007def9d
Author: Kurt Roeckx <kurt at roeckx.be>
Date: Wed Mar 9 18:30:43 2016 +0100
Remove DES cipher alias
Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
MR: #1595
commit 29c4cf0cd12100cb45a6ef59fdbd435954d16d5d
Author: Kurt Roeckx <kurt at roeckx.be>
Date: Sun Feb 7 20:34:03 2016 +0100
Update ciphers -s documentation
Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
MR: #1595
commit cdc72e497d14167d0744ef0dd52b9778c431fb59
Author: Kurt Roeckx <kurt at roeckx.be>
Date: Sun Feb 7 20:33:43 2016 +0100
Document SSL_get1_supported_ciphers
Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
MR: #1595
commit d7a474264b4bc9c8ae87c897fe4c5803f97b5f8d
Author: Kurt Roeckx <kurt at roeckx.be>
Date: Sun Feb 7 20:20:01 2016 +0100
IDEA is not supported in TLS 1.2
This currently seems to be the only cipher we still support that should get
disabled.
Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
MR: #1595
commit 3eb2aff40116ecceab847c895cbf02cdb075d194
Author: Kurt Roeckx <kurt at roeckx.be>
Date: Sun Feb 7 20:17:07 2016 +0100
Add support for minimum and maximum protocol version supported by a cipher
Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
MR: #1595
commit 068c358ac314032e9102b6741a0a99fdf15c5527
Author: Kurt Roeckx <kurt at roeckx.be>
Date: Sun Feb 7 20:07:21 2016 +0100
Add ssl_get_client_min_max_version() function
Adjust ssl_set_client_hello_version to get both the minimum and maximum and then
make ssl_set_client_hello_version use the maximum version.
Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
MR: #1595
commit b11836a63a8973c2b61f8ccd10a085361bced2ea
Author: Kurt Roeckx <kurt at roeckx.be>
Date: Sun Feb 7 20:11:56 2016 +0100
Make SSL_CIPHER_get_version return a const char *
Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
MR: #1595
commit 6063453c5aec0e6a1ad0d628bc5d2b091bc23969
Author: Kurt Roeckx <kurt at roeckx.be>
Date: Sun Feb 7 17:52:22 2016 +0100
Remove unused code
Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
MR: #1595
commit 7d65007238e86e59fcf31d23fcefa01e3b30cc37
Author: Kurt Roeckx <kurt at roeckx.be>
Date: Sun Feb 7 20:56:40 2016 +0100
Make function to convert version to string
Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
MR: #1595
commit e4646a8963fa6bc6f475afe7a9b9a46b151cfd1a
Author: Kurt Roeckx <kurt at roeckx.be>
Date: Sun Feb 7 20:44:27 2016 +0100
Constify security callbacks
Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
MR: #1595
-----------------------------------------------------------------------
Summary of changes:
apps/s_cb.c | 4 +-
doc/apps/ciphers.pod | 18 +-
doc/ssl/SSL_get_ciphers.pod | 24 +-
doc/ssl/ssl.pod | 2 +-
include/openssl/ssl.h | 12 +-
ssl/d1_lib.c | 19 --
ssl/s3_lib.c | 534 +++++++++++++++++++++++++++++---------------
ssl/ssl_cert.c | 8 +-
ssl/ssl_ciph.c | 253 ++++++++++-----------
ssl/ssl_lib.c | 47 ++--
ssl/ssl_locl.h | 31 +--
ssl/ssl_txt.c | 17 +-
ssl/statem/statem_clnt.c | 18 +-
ssl/statem/statem_lib.c | 61 +++--
ssl/t1_lib.c | 41 ++--
15 files changed, 650 insertions(+), 439 deletions(-)
diff --git a/apps/s_cb.c b/apps/s_cb.c
index 3e9d0f6..047f2ce 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -1285,7 +1285,7 @@ int ssl_load_stores(SSL_CTX *ctx,
typedef struct {
BIO *out;
int verbose;
- int (*old_cb) (SSL *s, SSL_CTX *ctx, int op, int bits, int nid,
+ int (*old_cb) (const SSL *s, const SSL_CTX *ctx, int op, int bits, int nid,
void *other, void *ex);
} security_debug_ex;
@@ -1314,7 +1314,7 @@ static STRINT_PAIR callback_types[] = {
{NULL}
};
-static int security_callback_debug(SSL *s, SSL_CTX *ctx,
+static int security_callback_debug(const SSL *s, const SSL_CTX *ctx,
int op, int bits, int nid,
void *other, void *ex)
{
diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod
index 344e218..9788fa3 100644
--- a/doc/apps/ciphers.pod
+++ b/doc/apps/ciphers.pod
@@ -36,9 +36,21 @@ Print a usage message.
=item B<-s>
-Only list supported ciphers: those consistent with the security level. This
-is the actual cipher list an application will support. If this option is
-not used then ciphers excluded by the security level will still be listed.
+Only list supported ciphers: those consistent with the security level, and
+minimum and maximum protocol version.
+This is closer to the actual cipher list an application will support.
+
+This program does not set up support for SRP and so SRP based ciphers will
+always be excluded when using this option.
+PSK ciphers are not enabled by default and it requires the B<-psk> to enable
+them.
+It also does not change the default list of supported signature algorithms.
+
+On a server the list of supported ciphers might also exclude other ciphers
+depending on the configured certificates and presence of DH parameters.
+
+If this option is not used then all ciphers that match the cipherlist will be
+listed.
=item B<-psk>
diff --git a/doc/ssl/SSL_get_ciphers.pod b/doc/ssl/SSL_get_ciphers.pod
index 65781da..5e4bc08 100644
--- a/doc/ssl/SSL_get_ciphers.pod
+++ b/doc/ssl/SSL_get_ciphers.pod
@@ -9,6 +9,7 @@ SSL_get_ciphers, SSL_get_cipher_list - get list of available SSL_CIPHERs
#include <openssl/ssl.h>
STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *ssl);
+ STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s);
STACK_OF(SSL_CIPHER) *SSL_get_client_ciphers(const SSL *ssl);
const char *SSL_get_cipher_list(const SSL *ssl, int priority);
@@ -18,8 +19,21 @@ SSL_get_ciphers() returns the stack of available SSL_CIPHERs for B<ssl>,
sorted by preference. If B<ssl> is NULL or no ciphers are available, NULL
is returned.
-SSL_get_client_ciphers() returns the stack of available SSL_CIPHERS matching the
-list sent by the client for B<ssl>. If B<ssl> is NULL, no ciphers are
+SSL_get1_supported_ciphers() returns the stack of enabled SSL_CIPHERs for
+B<ssl>, sorted by preference.
+The list depends on settings like the cipher list, the supported protocol
+versions, the security level, and the enabled signature algorithms.
+SRP and PSK ciphers are only enabled if the appropriate callbacks or settings
+have been applied.
+This is the list that will be sent by the client to the server.
+The list supported by the server might include more ciphers in case there is a
+hole in the list of supported protocols.
+The server will also not use ciphers from this list depending on the
+configured certificates and DH parameters.
+If B<ssl> is NULL or no ciphers are available, NULL is returned.
+
+SSL_get_client_ciphers() returns the stack of available SSL_CIPHERs matching the
+list received from the client on B<ssl>. If B<ssl> is NULL, no ciphers are
available, or B<ssl> is not operating in server mode, NULL is returned.
SSL_get_cipher_list() returns a pointer to the name of the SSL_CIPHER
@@ -29,7 +43,8 @@ is returned.
=head1 NOTES
-The details of the ciphers obtained by SSL_get_ciphers() can be obtained using
+The details of the ciphers obtained by SSL_get_ciphers(),
+SSL_get1_supported_ciphers() and SSL_get_client_ciphers() can be obtained using
the L<SSL_CIPHER_get_name(3)> family of functions.
Call SSL_get_cipher_list() with B<priority> starting from 0 to obtain the
@@ -40,6 +55,9 @@ to an internal cipher stack, which will be freed later on when the SSL
or SSL_SESSION object is freed. Therefore, the calling code B<MUST
NOT> free the return value itself.
+The stack returned by SSL_get1_supported_ciphers() should be freed using
+sk_SSL_CIPHER_free().
+
=head1 RETURN VALUES
See DESCRIPTION
diff --git a/doc/ssl/ssl.pod b/doc/ssl/ssl.pod
index fea4dc0..b6d3334 100644
--- a/doc/ssl/ssl.pod
+++ b/doc/ssl/ssl.pod
@@ -206,7 +206,7 @@ Return the internal name of I<cipher> as a string. These are the various
strings defined by the I<SSL3_TXT_xxx> and I<TLS1_TXT_xxx>
definitions in the header files.
-=item char *B<SSL_CIPHER_get_version>(SSL_CIPHER *cipher);
+=item const char *B<SSL_CIPHER_get_version>(SSL_CIPHER *cipher);
Returns a string like "C<SSLv3>" or "C<TLSv1.2>" which indicates the
SSL/TLS protocol version to which I<cipher> belongs (i.e. where it was defined
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index adfad4c..cc2a47f 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1397,7 +1397,7 @@ void SSL_CTX_flush_sessions(SSL_CTX *ctx, long tm);
__owur const SSL_CIPHER *SSL_get_current_cipher(const SSL *s);
__owur int SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits);
-__owur char *SSL_CIPHER_get_version(const SSL_CIPHER *c);
+__owur const char *SSL_CIPHER_get_version(const SSL_CIPHER *c);
__owur const char *SSL_CIPHER_get_name(const SSL_CIPHER *c);
__owur uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *c);
__owur int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c);
@@ -1990,10 +1990,10 @@ int SSL_CTX_set_ctlog_list_file(SSL_CTX *ctx, const char *path);
void SSL_set_security_level(SSL *s, int level);
__owur int SSL_get_security_level(const SSL *s);
void SSL_set_security_callback(SSL *s,
- int (*cb) (SSL *s, SSL_CTX *ctx, int op,
+ int (*cb) (const SSL *s, const SSL_CTX *ctx, int op,
int bits, int nid, void *other,
void *ex));
-int (*SSL_get_security_callback(const SSL *s)) (SSL *s, SSL_CTX *ctx, int op,
+int (*SSL_get_security_callback(const SSL *s)) (const SSL *s, const SSL_CTX *ctx, int op,
int bits, int nid,
void *other, void *ex);
void SSL_set0_security_ex_data(SSL *s, void *ex);
@@ -2002,11 +2002,11 @@ __owur void *SSL_get0_security_ex_data(const SSL *s);
void SSL_CTX_set_security_level(SSL_CTX *ctx, int level);
__owur int SSL_CTX_get_security_level(const SSL_CTX *ctx);
void SSL_CTX_set_security_callback(SSL_CTX *ctx,
- int (*cb) (SSL *s, SSL_CTX *ctx, int op,
+ int (*cb) (const SSL *s, const SSL_CTX *ctx, int op,
int bits, int nid, void *other,
void *ex));
-int (*SSL_CTX_get_security_callback(const SSL_CTX *ctx)) (SSL *s,
- SSL_CTX *ctx,
+int (*SSL_CTX_get_security_callback(const SSL_CTX *ctx)) (const SSL *s,
+ const SSL_CTX *ctx,
int op, int bits,
int nid,
void *other,
diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index d9c4ec6..f2daaf2 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -274,25 +274,6 @@ long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg)
return (ret);
}
-/*
- * As it's impossible to use stream ciphers in "datagram" mode, this
- * simple filter is designed to disengage them in DTLS. Unfortunately
- * there is no universal way to identify stream SSL_CIPHER, so we have
- * to explicitly list their SSL_* codes. Currently RC4 is the only one
- * available, but if new ones emerge, they will have to be added...
- */
-const SSL_CIPHER *dtls1_get_cipher(unsigned int u)
-{
- const SSL_CIPHER *ciph = ssl3_get_cipher(u);
-
- if (ciph != NULL) {
- if (ciph->algorithm_enc == SSL_RC4)
- return NULL;
- }
-
- return ciph;
-}
-
void dtls1_start_timer(SSL *s)
{
#ifndef OPENSSL_NO_SCTP
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 51fb161..973274b 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -171,7 +171,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_eNULL,
SSL_MD5,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_STRONG_NONE,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
@@ -187,7 +188,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_eNULL,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
@@ -204,7 +206,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_RC4,
SSL_MD5,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ 0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -220,7 +223,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_RC4,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ 0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -238,7 +242,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_IDEA,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_1_VERSION,
+ DTLS1_VERSION, DTLS1_VERSION,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -255,7 +260,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_3DES,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
@@ -271,7 +277,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aDSS,
SSL_3DES,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
@@ -287,7 +294,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_3DES,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
@@ -304,7 +312,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aNULL,
SSL_RC4,
SSL_MD5,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ 0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -321,7 +330,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aNULL,
SSL_3DES,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
@@ -337,7 +347,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_eNULL,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
@@ -352,7 +363,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_eNULL,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
@@ -367,7 +379,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_eNULL,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
@@ -385,7 +398,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES128,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -400,7 +414,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aDSS,
SSL_AES128,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -415,7 +430,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES128,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -430,7 +446,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aNULL,
SSL_AES128,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -446,7 +463,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES256,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -462,7 +480,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aDSS,
SSL_AES256,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -478,7 +497,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES256,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -494,7 +514,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aNULL,
SSL_AES256,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -511,7 +532,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_eNULL,
SSL_SHA256,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
@@ -527,7 +549,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES128,
SSL_SHA256,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -543,7 +566,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES256,
SSL_SHA256,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -559,7 +583,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aDSS,
SSL_AES128,
SSL_SHA256,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -578,7 +603,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_CAMELLIA128,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -594,7 +620,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aDSS,
SSL_CAMELLIA128,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -610,7 +637,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_CAMELLIA128,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -626,7 +654,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aNULL,
SSL_CAMELLIA128,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -644,7 +673,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES128,
SSL_SHA256,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -660,7 +690,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aDSS,
SSL_AES256,
SSL_SHA256,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -676,7 +707,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES256,
SSL_SHA256,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -692,7 +724,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aNULL,
SSL_AES128,
SSL_SHA256,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -708,7 +741,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aNULL,
SSL_AES256,
SSL_SHA256,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -725,7 +759,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aGOST01,
SSL_eGOST2814789CNT,
SSL_GOST89MAC,
- SSL_TLSV1,
+ TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH,
SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94 | TLS1_STREAM_MAC,
256,
@@ -739,7 +774,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aGOST01,
SSL_eNULL,
SSL_GOST94,
- SSL_TLSV1,
+ TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_STRONG_NONE,
SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94,
0,
@@ -758,7 +794,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_CAMELLIA256,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -774,7 +811,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aDSS,
SSL_CAMELLIA256,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -790,7 +828,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_CAMELLIA256,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -806,7 +845,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aNULL,
SSL_CAMELLIA256,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -826,7 +866,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_RC4,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ 0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -843,7 +884,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_3DES,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
@@ -859,7 +901,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_AES128,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -875,7 +918,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_AES256,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -892,7 +936,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_RC4,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ 0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -909,7 +954,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_3DES,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
@@ -925,7 +971,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_AES128,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -941,7 +988,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_AES256,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -958,7 +1006,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_RC4,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ 0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -975,7 +1024,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_3DES,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
@@ -991,7 +1041,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES128,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -1007,7 +1058,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES256,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -1027,7 +1079,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_SEED,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -1043,7 +1096,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aDSS,
SSL_SEED,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -1059,7 +1113,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_SEED,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -1075,7 +1130,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aNULL,
SSL_SEED,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -1095,7 +1151,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES128GCM,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
@@ -1111,7 +1168,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES256GCM,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
@@ -1127,7 +1185,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES128GCM,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
@@ -1143,7 +1202,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES256GCM,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
@@ -1159,7 +1219,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aDSS,
SSL_AES128GCM,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
@@ -1175,7 +1236,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aDSS,
SSL_AES256GCM,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
@@ -1191,7 +1253,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aNULL,
SSL_AES128GCM,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
@@ -1207,7 +1270,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aNULL,
SSL_AES256GCM,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
@@ -1225,7 +1289,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_AES128GCM,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
@@ -1241,7 +1306,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_AES256GCM,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
@@ -1257,7 +1323,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_AES128GCM,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
@@ -1273,7 +1340,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_AES256GCM,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
@@ -1289,7 +1357,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES128GCM,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
@@ -1305,7 +1374,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES256GCM,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
@@ -1321,7 +1391,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_AES128,
SSL_SHA256,
- SSL_TLSV1,
+ TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -1337,7 +1408,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_AES256,
SSL_SHA384,
- SSL_TLSV1,
+ TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
@@ -1353,7 +1425,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_eNULL,
SSL_SHA256,
- SSL_TLSV1,
+ TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
@@ -1369,7 +1442,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_eNULL,
SSL_SHA384,
- SSL_TLSV1,
+ TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
0,
@@ -1385,7 +1459,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_AES128,
SSL_SHA256,
- SSL_TLSV1,
+ TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -1401,7 +1476,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_AES256,
SSL_SHA384,
- SSL_TLSV1,
+ TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
@@ -1417,7 +1493,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_eNULL,
SSL_SHA256,
- SSL_TLSV1,
+ TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
@@ -1433,7 +1510,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_eNULL,
SSL_SHA384,
- SSL_TLSV1,
+ TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
0,
@@ -1449,7 +1527,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES128,
SSL_SHA256,
- SSL_TLSV1,
+ TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -1465,7 +1544,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES256,
SSL_SHA384,
- SSL_TLSV1,
+ TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
@@ -1481,7 +1561,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_eNULL,
SSL_SHA256,
- SSL_TLSV1,
+ TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
@@ -1497,7 +1578,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_eNULL,
SSL_SHA384,
- SSL_TLSV1,
+ TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
0,
@@ -1517,7 +1599,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_CAMELLIA128,
SSL_SHA256,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
@@ -1533,7 +1616,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aDSS,
SSL_CAMELLIA128,
SSL_SHA256,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
@@ -1549,7 +1633,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_CAMELLIA128,
SSL_SHA256,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
@@ -1565,7 +1650,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aNULL,
SSL_CAMELLIA128,
SSL_SHA256,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
@@ -1581,7 +1667,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_CAMELLIA256,
SSL_SHA256,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
@@ -1597,7 +1684,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aDSS,
SSL_CAMELLIA256,
SSL_SHA256,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
@@ -1613,7 +1701,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_CAMELLIA256,
SSL_SHA256,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
@@ -1629,7 +1718,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aNULL,
SSL_CAMELLIA256,
SSL_SHA256,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
@@ -1648,7 +1738,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aECDSA,
SSL_eNULL,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
@@ -1665,7 +1756,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aECDSA,
SSL_RC4,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ 0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -1682,7 +1774,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aECDSA,
SSL_3DES,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
@@ -1698,7 +1791,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aECDSA,
SSL_AES128,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -1714,7 +1808,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aECDSA,
SSL_AES256,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -1730,7 +1825,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_eNULL,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
@@ -1747,7 +1843,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_RC4,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ 0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -1764,7 +1861,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_3DES,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
@@ -1780,7 +1878,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES128,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -1796,7 +1895,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES256,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -1812,7 +1912,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aNULL,
SSL_eNULL,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
@@ -1829,7 +1930,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aNULL,
SSL_RC4,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ 0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -1846,7 +1948,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aNULL,
SSL_3DES,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
@@ -1862,7 +1965,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aNULL,
SSL_AES128,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -1878,7 +1982,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aNULL,
SSL_AES256,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -1896,7 +2001,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aSRP,
SSL_3DES,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
@@ -1912,7 +2018,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_3DES,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
@@ -1928,7 +2035,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aDSS,
SSL_3DES,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
@@ -1944,7 +2052,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aSRP,
SSL_AES128,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -1960,7 +2069,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES128,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -1976,7 +2086,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aDSS,
SSL_AES128,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -1992,7 +2103,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aSRP,
SSL_AES256,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -2008,7 +2120,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES256,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -2024,7 +2137,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aDSS,
SSL_AES256,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -2044,7 +2158,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aECDSA,
SSL_AES128,
SSL_SHA256,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
@@ -2060,7 +2175,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aECDSA,
SSL_AES256,
SSL_SHA384,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
@@ -2077,7 +2193,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES128,
SSL_SHA256,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
@@ -2093,7 +2210,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES256,
SSL_SHA384,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
@@ -2111,7 +2229,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aECDSA,
SSL_AES128GCM,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
@@ -2127,7 +2246,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aECDSA,
SSL_AES256GCM,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
@@ -2143,7 +2263,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES128GCM,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
@@ -2159,7 +2280,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES256GCM,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
@@ -2177,7 +2299,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_RC4,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ 0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -2194,7 +2317,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_3DES,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
@@ -2210,7 +2334,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_AES128,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -2226,7 +2351,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_AES256,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -2242,7 +2368,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_AES128,
SSL_SHA256,
- SSL_TLSV1,
+ TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -2258,7 +2385,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_AES256,
SSL_SHA384,
- SSL_TLSV1,
+ TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
@@ -2274,7 +2402,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_eNULL,
SSL_SHA1,
- SSL_SSLV3,
+ SSL3_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
@@ -2290,7 +2419,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_eNULL,
SSL_SHA256,
- SSL_TLSV1,
+ TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
@@ -2306,7 +2436,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_eNULL,
SSL_SHA384,
- SSL_TLSV1,
+ TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
0,
@@ -2322,7 +2453,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aECDSA,
SSL_CAMELLIA128,
SSL_SHA256,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
@@ -2336,7 +2468,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aECDSA,
SSL_CAMELLIA256,
SSL_SHA384,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
@@ -2350,7 +2483,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_CAMELLIA128,
SSL_SHA256,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
@@ -2364,7 +2498,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_CAMELLIA256,
SSL_SHA384,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
@@ -2382,7 +2517,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_CAMELLIA128,
SSL_SHA256,
- SSL_TLSV1,
+ TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -2396,7 +2532,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_CAMELLIA256,
SSL_SHA384,
- SSL_TLSV1,
+ TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
@@ -2410,7 +2547,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_CAMELLIA128,
SSL_SHA256,
- SSL_TLSV1,
+ TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -2424,7 +2562,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_CAMELLIA256,
SSL_SHA384,
- SSL_TLSV1,
+ TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
@@ -2438,7 +2577,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_CAMELLIA128,
SSL_SHA256,
- SSL_TLSV1,
+ TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -2452,7 +2592,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_CAMELLIA256,
SSL_SHA384,
- SSL_TLSV1,
+ TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
@@ -2466,7 +2607,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_CAMELLIA128,
SSL_SHA256,
- SSL_TLSV1,
+ TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -2480,7 +2622,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_CAMELLIA256,
SSL_SHA384,
- SSL_TLSV1,
+ TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
@@ -2496,7 +2639,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES128CCM,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
@@ -2512,7 +2656,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES256CCM,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
@@ -2528,7 +2673,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES128CCM,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
@@ -2544,7 +2690,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES256CCM,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
@@ -2560,7 +2707,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES128CCM8,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
@@ -2576,7 +2724,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES256CCM8,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
@@ -2592,7 +2741,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES128CCM8,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
@@ -2608,7 +2758,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES256CCM8,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
@@ -2624,7 +2775,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_AES128CCM,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
@@ -2640,7 +2792,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_AES256CCM,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
@@ -2656,7 +2809,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_AES128CCM,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
@@ -2672,7 +2826,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_AES256CCM,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
@@ -2688,7 +2843,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_AES128CCM8,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
@@ -2704,7 +2860,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_AES256CCM8,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
@@ -2720,7 +2877,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_AES128CCM8,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
@@ -2736,7 +2894,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_AES256CCM8,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
@@ -2752,7 +2911,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aECDSA,
SSL_AES128CCM,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
@@ -2768,7 +2928,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aECDSA,
SSL_AES256CCM,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
@@ -2784,7 +2945,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aECDSA,
SSL_AES128CCM8,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
@@ -2800,7 +2962,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aECDSA,
SSL_AES256CCM8,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
@@ -2817,7 +2980,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_CHACHA20POLY1305,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
@@ -2832,7 +2996,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aECDSA,
SSL_CHACHA20POLY1305,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
@@ -2849,7 +3014,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_CHACHA20POLY1305,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
@@ -2866,7 +3032,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_CHACHA20POLY1305,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
@@ -2881,7 +3048,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_CHACHA20POLY1305,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
@@ -2896,7 +3064,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_CHACHA20POLY1305,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
@@ -2911,7 +3080,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_CHACHA20POLY1305,
SSL_AEAD,
- SSL_TLSV1_2,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
@@ -2928,7 +3098,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aGOST12 | SSL_aGOST01,
SSL_eGOST2814789CNT12,
SSL_GOST89MAC12,
- SSL_TLSV1,
+ TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_HIGH,
SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_STREAM_MAC,
256,
@@ -2941,7 +3112,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_aGOST12 | SSL_aGOST01,
SSL_eNULL,
SSL_GOST12_256,
- SSL_TLSV1,
+ TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION,
SSL_STRONG_NONE,
SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_STREAM_MAC,
0,
@@ -3749,6 +3921,14 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
return (2);
}
+/*
+ * ssl3_choose_cipher - choose a cipher from those offered by the client
+ * @s: SSL connection
+ * @clnt: ciphers offered by the client
+ * @srvr: ciphers enabled on the server?
+ *
+ * Returns the selected cipher or NULL when no common ciphers.
+ */
const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
STACK_OF(SSL_CIPHER) *srvr)
{
@@ -3799,11 +3979,13 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
c = sk_SSL_CIPHER_value(prio, i);
- /* Skip TLS v1.2 only ciphersuites if not supported */
- if ((c->algorithm_ssl & SSL_TLSV1_2) && !SSL_USE_TLS1_2_CIPHERS(s))
+ /* Skip ciphers not supported by the protocol version */
+ if (!SSL_IS_DTLS(s) &&
+ ((s->version < c->min_tls) || (s->version > c->max_tls)))
continue;
- /* Skip TLS v1.0 ciphersuites if SSLv3 */
- if ((c->algorithm_ssl & SSL_TLSV1) && s->version == SSL3_VERSION)
+ if (SSL_IS_DTLS(s) &&
+ (DTLS_VERSION_LT(s->version, c->min_dtls) ||
+ DTLS_VERSION_GT(s->version, c->max_dtls)))
continue;
mask_k = s->s3->tmp.mask_k;
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 8915531..e17cffc 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -132,7 +132,7 @@
#include "internal/threads.h"
#include "ssl_locl.h"
-static int ssl_security_default_callback(SSL *s, SSL_CTX *ctx, int op,
+static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx, int op,
int bits, int nid, void *other,
void *ex);
@@ -1062,7 +1062,7 @@ int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref)
return 1;
}
-static int ssl_security_default_callback(SSL *s, SSL_CTX *ctx, int op,
+static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx, int op,
int bits, int nid, void *other,
void *ex)
{
@@ -1144,12 +1144,12 @@ static int ssl_security_default_callback(SSL *s, SSL_CTX *ctx, int op,
return 1;
}
-int ssl_security(SSL *s, int op, int bits, int nid, void *other)
+int ssl_security(const SSL *s, int op, int bits, int nid, void *other)
{
return s->cert->sec_cb(s, NULL, op, bits, nid, other, s->cert->sec_ex);
}
-int ssl_ctx_security(SSL_CTX *ctx, int op, int bits, int nid, void *other)
+int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid, void *other)
{
return ctx->cert->sec_cb(NULL, ctx, op, bits, nid, other,
ctx->cert->sec_ex);
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 6f2d970..c8c7f02 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -319,122 +319,122 @@ typedef struct cipher_order_st {
static const SSL_CIPHER cipher_aliases[] = {
/* "ALL" doesn't include eNULL (must be specifically enabled) */
- {0, SSL_TXT_ALL, 0, 0, 0, ~SSL_eNULL, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_ALL, 0, 0, 0, ~SSL_eNULL, 0, 0, 0, 0, 0, 0, 0, 0, 0},
/* "COMPLEMENTOFALL" */
- {0, SSL_TXT_CMPALL, 0, 0, 0, SSL_eNULL, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_CMPALL, 0, 0, 0, SSL_eNULL, 0, 0, 0, 0, 0, 0, 0, 0, 0},
/*
* "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in
* ALL!)
*/
- {0, SSL_TXT_CMPDEF, 0, 0, 0, 0, 0, 0, SSL_NOT_DEFAULT, 0, 0, 0},
+ {0, SSL_TXT_CMPDEF, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_NOT_DEFAULT, 0, 0, 0},
/*
* key exchange aliases (some of those using only a single bit here
* combine multiple key exchange algs according to the RFCs, e.g. kDHE
* combines DHE_DSS and DHE_RSA)
*/
- {0, SSL_TXT_kRSA, 0, SSL_kRSA, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_kRSA, 0, SSL_kRSA, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_kEDH, 0, SSL_kDHE, 0, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_kDHE, 0, SSL_kDHE, 0, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_DH, 0, SSL_kDHE, 0, 0, 0, 0, 0, 0, 0,
- 0},
+ {0, SSL_TXT_kEDH, 0, SSL_kDHE, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_kDHE, 0, SSL_kDHE, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_DH, 0, SSL_kDHE, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_kEECDH, 0, SSL_kECDHE, 0, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_kECDHE, 0, SSL_kECDHE, 0, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_ECDH, 0, SSL_kECDHE, 0, 0, 0, 0, 0,
- 0, 0, 0},
+ {0, SSL_TXT_kEECDH, 0, SSL_kECDHE, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_kECDHE, 0, SSL_kECDHE, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_ECDH, 0, SSL_kECDHE, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_kPSK, 0, SSL_kPSK, 0, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_kRSAPSK, 0, SSL_kRSAPSK, 0, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_kECDHEPSK, 0, SSL_kECDHEPSK, 0, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_kDHEPSK, 0, SSL_kDHEPSK, 0, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_kSRP, 0, SSL_kSRP, 0, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_kGOST, 0, SSL_kGOST, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_kPSK, 0, SSL_kPSK, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_kRSAPSK, 0, SSL_kRSAPSK, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_kECDHEPSK, 0, SSL_kECDHEPSK, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_kDHEPSK, 0, SSL_kDHEPSK, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_kSRP, 0, SSL_kSRP, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_kGOST, 0, SSL_kGOST, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
/* server authentication aliases */
- {0, SSL_TXT_aRSA, 0, 0, SSL_aRSA, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_aDSS, 0, 0, SSL_aDSS, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_DSS, 0, 0, SSL_aDSS, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_aNULL, 0, 0, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_aECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_ECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_aPSK, 0, 0, SSL_aPSK, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_aGOST01, 0, 0, SSL_aGOST01, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_aGOST12, 0, 0, SSL_aGOST12, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_aGOST, 0, 0, SSL_aGOST01 | SSL_aGOST12, 0, 0, 0,
+ {0, SSL_TXT_aRSA, 0, 0, SSL_aRSA, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_aDSS, 0, 0, SSL_aDSS, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_DSS, 0, 0, SSL_aDSS, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_aNULL, 0, 0, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_aECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_ECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_aPSK, 0, 0, SSL_aPSK, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_aGOST01, 0, 0, SSL_aGOST01, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_aGOST12, 0, 0, SSL_aGOST12, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_aGOST, 0, 0, SSL_aGOST01 | SSL_aGOST12, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0},
- {0, SSL_TXT_aSRP, 0, 0, SSL_aSRP, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_aSRP, 0, 0, SSL_aSRP, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
/* aliases combining key exchange and server authentication */
- {0, SSL_TXT_EDH, 0, SSL_kDHE, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_DHE, 0, SSL_kDHE, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_EECDH, 0, SSL_kECDHE, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_ECDHE, 0, SSL_kECDHE, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_NULL, 0, 0, 0, SSL_eNULL, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_RSA, 0, SSL_kRSA, SSL_aRSA, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_ADH, 0, SSL_kDHE, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_AECDH, 0, SSL_kECDHE, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_PSK, 0, SSL_PSK, 0, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_SRP, 0, SSL_kSRP, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_EDH, 0, SSL_kDHE, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_DHE, 0, SSL_kDHE, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_EECDH, 0, SSL_kECDHE, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_ECDHE, 0, SSL_kECDHE, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_NULL, 0, 0, 0, SSL_eNULL, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_RSA, 0, SSL_kRSA, SSL_aRSA, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_ADH, 0, SSL_kDHE, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_AECDH, 0, SSL_kECDHE, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_PSK, 0, SSL_PSK, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_SRP, 0, SSL_kSRP, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
/* symmetric encryption aliases */
- {0, SSL_TXT_DES, 0, 0, 0, SSL_DES, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_3DES, 0, 0, 0, SSL_3DES, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_RC4, 0, 0, 0, SSL_RC4, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_RC2, 0, 0, 0, SSL_RC2, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_IDEA, 0, 0, 0, SSL_IDEA, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_SEED, 0, 0, 0, SSL_SEED, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_eNULL, 0, 0, 0, SSL_eNULL, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_3DES, 0, 0, 0, SSL_3DES, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_RC4, 0, 0, 0, SSL_RC4, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_RC2, 0, 0, 0, SSL_RC2, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_IDEA, 0, 0, 0, SSL_IDEA, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_SEED, 0, 0, 0, SSL_SEED, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_eNULL, 0, 0, 0, SSL_eNULL, 0, 0, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_GOST, 0, 0, 0, SSL_eGOST2814789CNT | SSL_eGOST2814789CNT12, 0,
- 0, 0, 0, 0, 0},
+ 0, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_AES128, 0, 0, 0, SSL_AES128 | SSL_AES128GCM | SSL_AES128CCM | SSL_AES128CCM8, 0,
- 0, 0, 0, 0, 0},
+ 0, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_AES256, 0, 0, 0, SSL_AES256 | SSL_AES256GCM | SSL_AES256CCM | SSL_AES256CCM8, 0,
- 0, 0, 0, 0, 0},
- {0, SSL_TXT_AES, 0, 0, 0, SSL_AES, 0, 0, 0, 0, 0, 0},
+ 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_AES, 0, 0, 0, SSL_AES, 0, 0, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_AES_GCM, 0, 0, 0, SSL_AES128GCM | SSL_AES256GCM, 0, 0, 0, 0,
- 0, 0},
- {0, SSL_TXT_AES_CCM, 0, 0, 0, SSL_AES128CCM | SSL_AES256CCM | SSL_AES128CCM8 | SSL_AES256CCM8, 0, 0, 0, 0,
- 0, 0},
+ 0, 0, 0, 0, 0},
+ {0, SSL_TXT_AES_CCM, 0, 0, 0,
+ SSL_AES128CCM | SSL_AES256CCM | SSL_AES128CCM8 | SSL_AES256CCM8, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_AES_CCM_8, 0, 0, 0, SSL_AES128CCM8 | SSL_AES256CCM8, 0, 0, 0, 0,
0, 0},
- {0, SSL_TXT_CAMELLIA128, 0, 0, 0, SSL_CAMELLIA128, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_CAMELLIA256, 0, 0, 0, SSL_CAMELLIA256, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_CAMELLIA, 0, 0, 0, SSL_CAMELLIA, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_CHACHA20, 0, 0, 0, SSL_CHACHA20, 0, 0, 0, 0, 0, 0 },
+ {0, SSL_TXT_CAMELLIA128, 0, 0, 0, SSL_CAMELLIA128, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0},
+ {0, SSL_TXT_CAMELLIA256, 0, 0, 0, SSL_CAMELLIA256, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0},
+ {0, SSL_TXT_CAMELLIA, 0, 0, 0, SSL_CAMELLIA, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_CHACHA20, 0, 0, 0, SSL_CHACHA20, 0, 0, 0, 0, 0, 0, 0, 0, 0 },
/* MAC aliases */
- {0, SSL_TXT_MD5, 0, 0, 0, 0, SSL_MD5, 0, 0, 0, 0, 0},
- {0, SSL_TXT_SHA1, 0, 0, 0, 0, SSL_SHA1, 0, 0, 0, 0, 0},
- {0, SSL_TXT_SHA, 0, 0, 0, 0, SSL_SHA1, 0, 0, 0, 0, 0},
- {0, SSL_TXT_GOST94, 0, 0, 0, 0, SSL_GOST94, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_MD5, 0, 0, 0, 0, SSL_MD5, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_SHA1, 0, 0, 0, 0, SSL_SHA1, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_SHA, 0, 0, 0, 0, SSL_SHA1, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_GOST94, 0, 0, 0, 0, SSL_GOST94, 0, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_GOST89MAC, 0, 0, 0, 0, SSL_GOST89MAC | SSL_GOST89MAC12, 0, 0,
- 0, 0, 0},
- {0, SSL_TXT_SHA256, 0, 0, 0, 0, SSL_SHA256, 0, 0, 0, 0, 0},
- {0, SSL_TXT_SHA384, 0, 0, 0, 0, SSL_SHA384, 0, 0, 0, 0, 0},
- {0, SSL_TXT_GOST12, 0, 0, 0, 0, SSL_GOST12_256, 0, 0, 0, 0, 0},
+ 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_SHA256, 0, 0, 0, 0, SSL_SHA256, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_SHA384, 0, 0, 0, 0, SSL_SHA384, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_GOST12, 0, 0, 0, 0, SSL_GOST12_256, 0, 0, 0, 0, 0, 0, 0, 0},
/* protocol version aliases */
- {0, SSL_TXT_SSLV3, 0, 0, 0, 0, 0, SSL_SSLV3, 0, 0, 0, 0},
- {0, SSL_TXT_TLSV1, 0, 0, 0, 0, 0, SSL_SSLV3, 0, 0, 0, 0},
- {0, "TLSv1.0", 0, 0, 0, 0, 0, SSL_TLSV1, 0, 0, 0, 0},
- {0, SSL_TXT_TLSV1_2, 0, 0, 0, 0, 0, SSL_TLSV1_2, 0, 0, 0, 0},
+ {0, SSL_TXT_SSLV3, 0, 0, 0, 0, 0, SSL3_VERSION, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_TLSV1, 0, 0, 0, 0, 0, TLS1_VERSION, 0, 0, 0, 0, 0, 0, 0},
+ {0, "TLSv1.0", 0, 0, 0, 0, 0, TLS1_VERSION, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_TLSV1_2, 0, 0, 0, 0, 0, TLS1_2_VERSION, 0, 0, 0, 0, 0, 0, 0},
/* strength classes */
- {0, SSL_TXT_LOW, 0, 0, 0, 0, 0, 0, SSL_LOW, 0, 0, 0},
- {0, SSL_TXT_MEDIUM, 0, 0, 0, 0, 0, 0, SSL_MEDIUM, 0, 0, 0},
- {0, SSL_TXT_HIGH, 0, 0, 0, 0, 0, 0, SSL_HIGH, 0, 0, 0},
+ {0, SSL_TXT_LOW, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_LOW, 0, 0, 0},
+ {0, SSL_TXT_MEDIUM, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_MEDIUM, 0, 0, 0},
+ {0, SSL_TXT_HIGH, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_HIGH, 0, 0, 0},
/* FIPS 140-2 approved ciphersuite */
- {0, SSL_TXT_FIPS, 0, 0, 0, ~SSL_eNULL, 0, 0, SSL_FIPS, 0, 0, 0},
+ {0, SSL_TXT_FIPS, 0, 0, 0, ~SSL_eNULL, 0, 0, 0, 0, 0, SSL_FIPS, 0, 0, 0},
/* "EDH-" aliases to "DHE-" labels (for backward compatibility) */
{0, SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA, 0,
- SSL_kDHE, SSL_aDSS, SSL_3DES, SSL_SHA1, SSL_SSLV3,
+ SSL_kDHE, SSL_aDSS, SSL_3DES, SSL_SHA1, 0, 0, 0, 0,
SSL_HIGH | SSL_FIPS, 0, 0, 0,},
{0, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, 0,
- SSL_kDHE, SSL_aRSA, SSL_3DES, SSL_SHA1, SSL_SSLV3,
+ SSL_kDHE, SSL_aRSA, SSL_3DES, SSL_SHA1, 0, 0, 0, 0,
SSL_HIGH | SSL_FIPS, 0, 0, 0,},
};
@@ -768,7 +768,6 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
uint32_t disabled_auth,
uint32_t disabled_enc,
uint32_t disabled_mac,
- uint32_t disabled_ssl,
CIPHER_ORDER *co_list,
CIPHER_ORDER **head_p,
CIPHER_ORDER **tail_p)
@@ -788,22 +787,30 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
for (i = 0; i < num_of_ciphers; i++) {
c = ssl_method->get_cipher(i);
/* drop those that use any of that is not available */
- if ((c != NULL) && c->valid &&
- (!FIPS_mode() || (c->algo_strength & SSL_FIPS)) &&
- !(c->algorithm_mkey & disabled_mkey) &&
- !(c->algorithm_auth & disabled_auth) &&
- !(c->algorithm_enc & disabled_enc) &&
- !(c->algorithm_mac & disabled_mac) &&
- !(c->algorithm_ssl & disabled_ssl)) {
- co_list[co_list_num].cipher = c;
- co_list[co_list_num].next = NULL;
- co_list[co_list_num].prev = NULL;
- co_list[co_list_num].active = 0;
- co_list_num++;
- /*
- * if (!sk_push(ca_list,(char *)c)) goto err;
- */
- }
+ if (c == NULL || !c->valid)
+ continue;
+ if (FIPS_mode() && (c->algo_strength & SSL_FIPS))
+ continue;
+ if ((c->algorithm_mkey & disabled_mkey) ||
+ (c->algorithm_auth & disabled_auth) ||
+ (c->algorithm_enc & disabled_enc) ||
+ (c->algorithm_mac & disabled_mac))
+ continue;
+ if (((ssl_method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS) == 0) &&
+ c->min_tls == 0)
+ continue;
+ if (((ssl_method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS) != 0) &&
+ c->min_dtls == 0)
+ continue;
+
+ co_list[co_list_num].cipher = c;
+ co_list[co_list_num].next = NULL;
+ co_list[co_list_num].prev = NULL;
+ co_list[co_list_num].active = 0;
+ co_list_num++;
+ /*
+ * if (!sk_push(ca_list,(char *)c)) goto err;
+ */
}
/*
@@ -836,7 +843,6 @@ static void ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list,
uint32_t disabled_auth,
uint32_t disabled_enc,
uint32_t disabled_mac,
- uint32_t disabled_ssl,
CIPHER_ORDER *head)
{
CIPHER_ORDER *ciph_curr;
@@ -846,7 +852,6 @@ static void ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list,
uint32_t mask_auth = ~disabled_auth;
uint32_t mask_enc = ~disabled_enc;
uint32_t mask_mac = ~disabled_mac;
- uint32_t mask_ssl = ~disabled_ssl;
/*
* First, add the real ciphers as already collected
@@ -870,7 +875,6 @@ static void ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list,
uint32_t algorithm_auth = cipher_aliases[i].algorithm_auth;
uint32_t algorithm_enc = cipher_aliases[i].algorithm_enc;
uint32_t algorithm_mac = cipher_aliases[i].algorithm_mac;
- uint32_t algorithm_ssl = cipher_aliases[i].algorithm_ssl;
if (algorithm_mkey)
if ((algorithm_mkey & mask_mkey) == 0)
@@ -888,10 +892,6 @@ static void ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list,
if ((algorithm_mac & mask_mac) == 0)
continue;
- if (algorithm_ssl)
- if ((algorithm_ssl & mask_ssl) == 0)
- continue;
-
*ca_curr = (SSL_CIPHER *)(cipher_aliases + i);
ca_curr++;
}
@@ -901,7 +901,7 @@ static void ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list,
static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
uint32_t alg_auth, uint32_t alg_enc,
- uint32_t alg_mac, uint32_t alg_ssl,
+ uint32_t alg_mac, int min_tls,
uint32_t algo_strength, int rule,
int32_t strength_bits, CIPHER_ORDER **head_p,
CIPHER_ORDER **tail_p)
@@ -913,7 +913,7 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
#ifdef CIPHER_DEBUG
fprintf(stderr,
"Applying rule %d with %08x/%08x/%08x/%08x/%08x %08x (%d)\n",
- rule, alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl,
+ rule, alg_mkey, alg_auth, alg_enc, alg_mac, min_tls,
algo_strength, strength_bits);
#endif
@@ -969,7 +969,7 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
continue;
if (alg_mac && !(alg_mac & cp->algorithm_mac))
continue;
- if (alg_ssl && !(alg_ssl & cp->algorithm_ssl))
+ if (min_tls && (min_tls != cp->min_tls))
continue;
if (algo_strength && !(algo_strength & cp->algo_strength))
continue;
@@ -1085,7 +1085,8 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
CIPHER_ORDER **tail_p,
const SSL_CIPHER **ca_list, CERT *c)
{
- uint32_t alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength;
+ uint32_t alg_mkey, alg_auth, alg_enc, alg_mac, algo_strength;
+ int min_tls;
const char *l, *buf;
int j, multi, found, rule, retval, ok, buflen;
uint32_t cipher_id = 0;
@@ -1123,7 +1124,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
alg_auth = 0;
alg_enc = 0;
alg_mac = 0;
- alg_ssl = 0;
+ min_tls = 0;
algo_strength = 0;
for (;;) {
@@ -1275,15 +1276,13 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
* protocol version is considered part of the search pattern
*/
- if (ca_list[j]->algorithm_ssl) {
- if (alg_ssl) {
- alg_ssl &= ca_list[j]->algorithm_ssl;
- if (!alg_ssl) {
- found = 0;
- break;
- }
- } else
- alg_ssl = ca_list[j]->algorithm_ssl;
+ if (ca_list[j]->min_tls) {
+ if (min_tls != 0 && min_tls != ca_list[j]->min_tls) {
+ found = 0;
+ break;
+ } else {
+ min_tls = ca_list[j]->min_tls;
+ }
}
}
@@ -1323,7 +1322,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
} else if (found) {
ssl_cipher_apply_rule(cipher_id,
alg_mkey, alg_auth, alg_enc, alg_mac,
- alg_ssl, algo_strength, rule, -1, head_p,
+ min_tls, algo_strength, rule, -1, head_p,
tail_p);
} else {
while ((*l != '\0') && !ITEM_SEP(*l))
@@ -1398,8 +1397,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK
const char *rule_str, CERT *c)
{
int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
- uint32_t disabled_mkey, disabled_auth, disabled_enc, disabled_mac,
- disabled_ssl;
+ uint32_t disabled_mkey, disabled_auth, disabled_enc, disabled_mac;
STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list;
const char *rule_p;
CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
@@ -1424,7 +1422,6 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK
disabled_auth = disabled_auth_mask;
disabled_enc = disabled_enc_mask;
disabled_mac = disabled_mac_mask;
- disabled_ssl = 0;
/*
* Now we have to collect the available ciphers from the compiled
@@ -1441,7 +1438,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK
ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
disabled_mkey, disabled_auth, disabled_enc,
- disabled_mac, disabled_ssl, co_list, &head,
+ disabled_mac, co_list, &head,
&tail);
/* Now arrange all ciphers by preference. */
@@ -1516,7 +1513,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK
* Partially overrule strength sort to prefer TLS 1.2 ciphers/PRFs.
* TODO(openssl-team): is there an easier way to accomplish all this?
*/
- ssl_cipher_apply_rule(0, 0, 0, 0, 0, SSL_TLSV1_2, 0, CIPHER_BUMP, -1,
+ ssl_cipher_apply_rule(0, 0, 0, 0, 0, TLS1_2_VERSION, 0, CIPHER_BUMP, -1,
&head, &tail);
/*
@@ -1560,7 +1557,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK
}
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
disabled_mkey, disabled_auth, disabled_enc,
- disabled_mac, disabled_ssl, head);
+ disabled_mac, head);
/*
* If the rule_string begins with DEFAULT, apply the default rule
@@ -1652,7 +1649,7 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
alg_enc = cipher->algorithm_enc;
alg_mac = cipher->algorithm_mac;
- ver = SSL_CIPHER_get_version(cipher);
+ ver = ssl_protocol_to_string(cipher->min_tls);
switch (alg_mkey) {
case SSL_kRSA:
@@ -1818,21 +1815,11 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
return (buf);
}
-char *SSL_CIPHER_get_version(const SSL_CIPHER *c)
+const char *SSL_CIPHER_get_version(const SSL_CIPHER *c)
{
- uint32_t alg_ssl;
-
if (c == NULL)
return "(NONE)";
- alg_ssl = c->algorithm_ssl;
-
- if (alg_ssl & SSL_SSLV3)
- return "SSLv3";
- if (alg_ssl & SSL_TLSV1)
- return "TLSv1.0";
- if (alg_ssl & SSL_TLSV1_2)
- return "TLSv1.2";
- return "unknown";
+ return ssl_protocol_to_string(c->min_tls);
}
/* return the actual cipher being used */
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 2fa323a..ef8f6c0 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3060,26 +3060,31 @@ SSL_METHOD *ssl_bad_method(int ver)
return (NULL);
}
-const char *SSL_get_version(const SSL *s)
-{
- if (s->version == TLS1_2_VERSION)
- return ("TLSv1.2");
- else if (s->version == TLS1_1_VERSION)
- return ("TLSv1.1");
- else if (s->version == TLS1_VERSION)
- return ("TLSv1");
- else if (s->version == SSL3_VERSION)
- return ("SSLv3");
- else if (s->version == DTLS1_BAD_VER)
- return ("DTLSv0.9");
- else if (s->version == DTLS1_VERSION)
- return ("DTLSv1");
- else if (s->version == DTLS1_2_VERSION)
- return ("DTLSv1.2");
+const char *ssl_protocol_to_string(int version)
+{
+ if (version == TLS1_2_VERSION)
+ return "TLSv1.2";
+ else if (version == TLS1_1_VERSION)
+ return "TLSv1.1";
+ else if (version == TLS1_VERSION)
+ return "TLSv1.0";
+ else if (version == SSL3_VERSION)
+ return "SSLv3";
+ else if (version == DTLS1_BAD_VER)
+ return "DTLSv0.9";
+ else if (version == DTLS1_VERSION)
+ return "DTLSv1";
+ else if (version == DTLS1_2_VERSION)
+ return "DTLSv1.2";
else
return ("unknown");
}
+const char *SSL_get_version(const SSL *s)
+{
+ return ssl_protocol_to_string(s->version);
+}
+
SSL *SSL_dup(SSL *s)
{
STACK_OF(X509_NAME) *sk;
@@ -3786,14 +3791,14 @@ int SSL_get_security_level(const SSL *s)
}
void SSL_set_security_callback(SSL *s,
- int (*cb) (SSL *s, SSL_CTX *ctx, int op,
+ int (*cb) (const SSL *s, const SSL_CTX *ctx, int op,
int bits, int nid, void *other,
void *ex))
{
s->cert->sec_cb = cb;
}
-int (*SSL_get_security_callback(const SSL *s)) (SSL *s, SSL_CTX *ctx, int op,
+int (*SSL_get_security_callback(const SSL *s)) (const SSL *s, const SSL_CTX *ctx, int op,
int bits, int nid,
void *other, void *ex) {
return s->cert->sec_cb;
@@ -3820,15 +3825,15 @@ int SSL_CTX_get_security_level(const SSL_CTX *ctx)
}
void SSL_CTX_set_security_callback(SSL_CTX *ctx,
- int (*cb) (SSL *s, SSL_CTX *ctx, int op,
+ int (*cb) (const SSL *s, const SSL_CTX *ctx, int op,
int bits, int nid, void *other,
void *ex))
{
ctx->cert->sec_cb = cb;
}
-int (*SSL_CTX_get_security_callback(const SSL_CTX *ctx)) (SSL *s,
- SSL_CTX *ctx,
+int (*SSL_CTX_get_security_callback(const SSL_CTX *ctx)) (const SSL *s,
+ const SSL_CTX *ctx,
int op, int bits,
int nid,
void *other,
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index b9beca5..adce5ad 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -378,11 +378,6 @@
# define SSL_GOST89MAC12 0x00000100U
# define SSL_GOST12_512 0x00000200U
-/* Bits for algorithm_ssl (protocol version) */
-# define SSL_SSLV3 0x00000002U
-# define SSL_TLSV1 0x00000004U
-# define SSL_TLSV1_2 0x00000008U
-
/*
* When adding new digest in the ssl_ciph.c and increment SSL_MD_NUM_IDX make
* sure to update this constant too
@@ -517,7 +512,10 @@ struct ssl_cipher_st {
uint32_t algorithm_auth; /* server authentication */
uint32_t algorithm_enc; /* symmetric encryption */
uint32_t algorithm_mac; /* symmetric authentication */
- uint32_t algorithm_ssl; /* (major) protocol version */
+ int min_tls; /* minimum SSL/TLS protocol version */
+ int max_tls; /* maximum SSL/TLS protocol version */
+ int min_dtls; /* minimum DTLS protocol version */
+ int max_dtls; /* maximum DTLS protocol version */
uint32_t algo_strength; /* strength and export flags */
uint32_t algorithm2; /* Extra flags */
int32_t strength_bits; /* Number of bits really used */
@@ -1347,8 +1345,13 @@ typedef struct ssl3_state_st {
*/
uint32_t mask_k;
uint32_t mask_a;
- /* Client only */
- uint32_t mask_ssl;
+ /*
+ * The following are used by the client to see if a cipher is allowed or
+ * not. It contains the minimum and maximum version the client's using
+ * based on what it knows so far.
+ */
+ int min_ver;
+ int max_ver;
} tmp;
/* Connection binding to prevent renegotiation attacks */
@@ -1636,7 +1639,7 @@ typedef struct cert_st {
custom_ext_methods cli_ext;
custom_ext_methods srv_ext;
/* Security callback */
- int (*sec_cb) (SSL *s, SSL_CTX *ctx, int op, int bits, int nid,
+ int (*sec_cb) (const SSL *s, const SSL_CTX *ctx, int op, int bits, int nid,
void *other, void *ex);
/* Security level */
int sec_level;
@@ -1851,7 +1854,7 @@ const SSL_METHOD *func_name(void) \
ssl3_put_cipher_by_char, \
ssl3_pending, \
ssl3_num_ciphers, \
- dtls1_get_cipher, \
+ ssl3_get_cipher, \
s_get_meth, \
dtls1_default_timeout, \
&enc_data, \
@@ -1871,6 +1874,8 @@ struct openssl_ssl_test_functions {
# endif
};
+const char *ssl_protocol_to_string(int version);
+
# ifndef OPENSSL_UNIT_TEST
void ssl_clear_cipher_ctx(SSL *s);
@@ -1912,8 +1917,8 @@ __owur int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l);
__owur int ssl_build_cert_chain(SSL *s, SSL_CTX *ctx, int flags);
__owur int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref);
-__owur int ssl_security(SSL *s, int op, int bits, int nid, void *other);
-__owur int ssl_ctx_security(SSL_CTX *ctx, int op, int bits, int nid, void *other);
+__owur int ssl_security(const SSL *s, int op, int bits, int nid, void *other);
+__owur int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid, void *other);
int ssl_undefined_function(SSL *s);
__owur int ssl_undefined_void_function(void);
@@ -1984,6 +1989,7 @@ __owur int ssl_check_version_downgrade(SSL *s);
__owur int ssl_set_version_bound(int method_version, int version, int *bound);
__owur int ssl_choose_server_version(SSL *s);
__owur int ssl_choose_client_version(SSL *s, int version);
+int ssl_get_client_min_max_version(const SSL *s, int *min_version, int *max_version);
__owur long tls1_default_timeout(void);
__owur int dtls1_do_write(SSL *s, int type);
@@ -2007,7 +2013,6 @@ __owur long dtls1_default_timeout(void);
__owur struct timeval *dtls1_get_timeout(SSL *s, struct timeval *timeleft);
__owur int dtls1_check_timeout_num(SSL *s);
__owur int dtls1_handle_timeout(SSL *s);
-__owur const SSL_CIPHER *dtls1_get_cipher(unsigned int u);
void dtls1_start_timer(SSL *s);
void dtls1_stop_timer(SSL *s);
__owur int dtls1_is_timer_expired(SSL *s);
diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c
index bdd802f..b2c6bf7 100644
--- a/ssl/ssl_txt.c
+++ b/ssl/ssl_txt.c
@@ -111,22 +111,7 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
goto err;
if (BIO_puts(bp, "SSL-Session:\n") <= 0)
goto err;
- if (x->ssl_version == SSL3_VERSION)
- s = "SSLv3";
- else if (x->ssl_version == TLS1_2_VERSION)
- s = "TLSv1.2";
- else if (x->ssl_version == TLS1_1_VERSION)
- s = "TLSv1.1";
- else if (x->ssl_version == TLS1_VERSION)
- s = "TLSv1";
- else if (x->ssl_version == DTLS1_VERSION)
- s = "DTLSv1";
- else if (x->ssl_version == DTLS1_2_VERSION)
- s = "DTLSv1.2";
- else if (x->ssl_version == DTLS1_BAD_VER)
- s = "DTLSv1-bad";
- else
- s = "unknown";
+ s = ssl_protocol_to_string(x->ssl_version);
if (BIO_printf(bp, " Protocol : %s\n", s) <= 0)
goto err;
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 03f4a8f..26c4d10 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1143,17 +1143,15 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_UNKNOWN_CIPHER_RETURNED);
goto f_err;
}
- /* Set version disabled mask now we know version */
- if (!SSL_USE_TLS1_2_CIPHERS(s))
- s->s3->tmp.mask_ssl = SSL_TLSV1_2;
- else
- s->s3->tmp.mask_ssl = 0;
- /* Skip TLS v1.0 ciphersuites if SSLv3 */
- if ((c->algorithm_ssl & SSL_TLSV1) && s->version == SSL3_VERSION)
- s->s3->tmp.mask_ssl |= SSL_TLSV1;
/*
- * If it is a disabled cipher we didn't send it in client hello, so
- * return an error.
+ * Now that we know the version, update the check to see if it's an allowed
+ * version.
+ */
+ s->s3->tmp.min_ver = s->version;
+ s->s3->tmp.max_ver = s->version;
+ /*
+ * If it is a disabled cipher we either didn't send it in client hello,
+ * or it's not allowed for the selected protocol. So we return an error.
*/
if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK)) {
al = SSL_AD_ILLEGAL_PARAMETER;
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 8effb0f..6be6e1d 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -693,7 +693,7 @@ int ssl_allow_compression(SSL *s)
return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL);
}
-static int version_cmp(SSL *s, int a, int b)
+static int version_cmp(const SSL *s, int a, int b)
{
int dtls = SSL_IS_DTLS(s);
@@ -764,7 +764,7 @@ static const version_info dtls_version_table[] = {
*
* Returns 0 on success, or an SSL error reason on failure.
*/
-static int ssl_method_error(SSL *s, const SSL_METHOD *method)
+static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
{
int version = method->version;
@@ -1006,23 +1006,26 @@ int ssl_choose_client_version(SSL *s, int version)
return SSL_R_UNSUPPORTED_PROTOCOL;
}
-/*-
- * ssl_set_client_hello_version - Work out what version we should be using for
- * the initial ClientHello if the version is initially (D)TLS_ANY_VERSION. We
- * apply any explicit SSL_OP_NO_xxx options, the MinProtocol and MaxProtocol
- * configuration commands, any Suite B or FIPS_mode() constraints and any floor
- * imposed by the security level here, so we don't advertise the wrong protocol
- * version to only reject the outcome later.
+/*
+ * ssl_get_client_min_max_version - get minimum and maximum client version
+ * @s: The SSL connection
+ * @min_version: The minimum supported version
+ * @max_version: The maximum supported version
+ *
+ * Work out what version we should be using for the initial ClientHello if the
+ * version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx
+ * options, the MinProtocol and MaxProtocol configuration commands, any Suite B
+ * or FIPS_mode() constraints and any floor imposed by the security level here,
+ * so we don't advertise the wrong protocol version to only reject the outcome later.
*
* Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled,
* TLS 1.1 is disabled, but the security level, Suite-B and/or MinProtocol
* only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1.
*
- * @s: client SSL handle.
- *
- * Returns 0 on success or an SSL error reason number on failure.
+ * Returns 0 on success or an SSL error reason number on failure. On failure
+ * min_version and max_version will also be set to 0.
*/
-int ssl_set_client_hello_version(SSL *s)
+int ssl_get_client_min_max_version(const SSL *s, int *min_version, int *max_version)
{
int version;
int hole;
@@ -1040,7 +1043,7 @@ int ssl_set_client_hello_version(SSL *s)
* versions they don't want. If not, then easy to fix, just return
* ssl_method_error(s, s->method)
*/
- s->client_version = s->version;
+ *min_version = *max_version = s->version;
return 0;
case TLS_ANY_VERSION:
table = tls_version_table;
@@ -1071,7 +1074,7 @@ int ssl_set_client_hello_version(SSL *s)
* If we again hit an enabled method after the new hole, it becomes
* selected, as we start from scratch.
*/
- version = 0;
+ *min_version = version = 0;
hole = 1;
for (vent = table; vent->version != 0; ++vent) {
/*
@@ -1087,18 +1090,40 @@ int ssl_set_client_hello_version(SSL *s)
hole = 1;
} else if (!hole) {
single = NULL;
+ *min_version = method->version;
} else {
version = (single = method)->version;
+ *min_version = version;
hole = 0;
}
}
+ *max_version = version;
+
/* Fail if everything is disabled */
if (version == 0)
return SSL_R_NO_PROTOCOLS_AVAILABLE;
- if (single != NULL)
- s->method = single;
- s->client_version = s->version = version;
+ return 0;
+}
+
+/*
+ * ssl_set_client_hello_version - Work out what version we should be using for
+ * the initial ClientHello.
+ *
+ * @s: client SSL handle.
+ *
+ * Returns 0 on success or an SSL error reason number on failure.
+ */
+int ssl_set_client_hello_version(SSL *s)
+{
+ int ver_min, ver_max, ret;
+
+ ret = ssl_get_client_min_max_version(s, &ver_min, &ver_max);
+
+ if (ret != 0)
+ return ret;
+
+ s->client_version = s->version = ver_max;
return 0;
}
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 2161d15..8f5342b 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -982,24 +982,21 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
}
/*
- * Get a mask of disabled algorithms: an algorithm is disabled if it isn't
- * supported or doesn't appear in supported signature algorithms. Unlike
- * ssl_cipher_get_disabled this applies to a specific session and not global
- * settings.
+ * Set a mask of disabled algorithms: an algorithm is disabled if it isn't
+ * supported, doesn't appear in supported signature algorithms, isn't supported
+ * by the enabled protocol versions or by the security level.
+ *
+ * This function should only be used for checking which ciphers are supported
+ * by the client.
+ *
+ * Call ssl_cipher_disabled() to check that it's enabled or not.
*/
void ssl_set_client_disabled(SSL *s)
{
s->s3->tmp.mask_a = 0;
s->s3->tmp.mask_k = 0;
- /* Don't allow TLS 1.2 only ciphers if we don't suppport them */
- if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
- s->s3->tmp.mask_ssl = SSL_TLSV1_2;
- else
- s->s3->tmp.mask_ssl = 0;
- /* Disable TLS 1.0 ciphers if using SSL v3 */
- if (s->client_version == SSL3_VERSION)
- s->s3->tmp.mask_ssl |= SSL_TLSV1;
ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
+ ssl_get_client_min_max_version(s, &s->s3->tmp.min_ver, &s->s3->tmp.max_ver);
# ifndef OPENSSL_NO_PSK
/* with PSK there must be client callback set */
if (!s->psk_client_callback) {
@@ -1015,12 +1012,28 @@ void ssl_set_client_disabled(SSL *s)
#endif
}
+/*
+ * ssl_cipher_disabled - check that a cipher is disabled or not
+ * @s: SSL connection that you want to use the cipher on
+ * @c: cipher to check
+ * @op: Security check that you want to do
+ *
+ * Returns 1 when it's disabled, 0 when enabled.
+ */
int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
{
- if (c->algorithm_ssl & s->s3->tmp.mask_ssl
- || c->algorithm_mkey & s->s3->tmp.mask_k
+ if (c->algorithm_mkey & s->s3->tmp.mask_k
|| c->algorithm_auth & s->s3->tmp.mask_a)
return 1;
+ if (s->s3->tmp.max_ver == 0)
+ return 1;
+ if (!SSL_IS_DTLS(s) && ((c->min_tls > s->s3->tmp.max_ver)
+ || (c->max_tls < s->s3->tmp.min_ver)))
+ return 1;
+ if (SSL_IS_DTLS(s) && (DTLS_VERSION_GT(c->min_dtls, s->s3->tmp.max_ver)
+ || DTLS_VERSION_LT(c->max_dtls, s->s3->tmp.min_ver)))
+ return 1;
+
return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
}
More information about the openssl-commits
mailing list