#pike __REAL_VERSION__ |
|
|
|
|
|
|
|
enum ProtocolVersion { |
PROTOCOL_SSL_3_0 = 0x300, |
PROTOCOL_TLS_1_0 = 0x301, |
PROTOCOL_TLS_1_1 = 0x302, |
PROTOCOL_TLS_1_2 = 0x303, |
PROTOCOL_TLS_1_3 = 0x304, |
|
PROTOCOL_DTLS_1_0 = 0xfeff, |
|
|
|
PROTOCOL_DTLS_1_2 = 0xfefd, |
|
|
} |
|
|
constant PROTOCOL_TLS_MAX = PROTOCOL_TLS_1_2; |
|
|
constant PACKET_change_cipher_spec = 20; |
constant PACKET_alert = 21; |
constant PACKET_handshake = 22; |
constant PACKET_application_data = 23; |
constant PACKET_heartbeat = 24; |
constant PACKET_types = (< PACKET_change_cipher_spec, |
PACKET_alert, |
PACKET_handshake, |
PACKET_application_data, |
PACKET_heartbeat, |
>); |
|
constant PACKET_MAX_SIZE = 0x4000; |
|
|
constant STATE_wait_for_hello = 0; |
constant STATE_wait_for_key_share = 1; |
constant STATE_wait_for_peer = 2; |
constant STATE_wait_for_verify = 3; |
constant STATE_wait_for_finish = 4; |
constant STATE_handshake_finished = 5; |
|
|
|
|
|
|
|
|
enum ConnectionState { |
CONNECTION_ready = 0x0000, |
|
|
CONNECTION_handshaking = 0x0100, |
|
|
CONNECTION_peer_closed = 0x0001, |
CONNECTION_peer_fatal = 0x0002, |
|
|
CONNECTION_local_closed = 0x0010, |
CONNECTION_local_fatal = 0x0020, |
CONNECTION_local_closing = 0x0040, |
CONNECTION_local_failing = 0x0080, |
|
|
CONNECTION_closed = 0x0011, |
CONNECTION_closing = 0x0051, |
|
CONNECTION_peer_down = 0x000f, |
CONNECTION_local_down = 0x00f0, |
|
CONNECTION_failing = 0x00a2, |
}; |
|
|
constant CIPHER_stream = 0; |
constant CIPHER_block = 1; |
constant CIPHER_aead = 2; |
constant CIPHER_types = (< CIPHER_stream, CIPHER_block, CIPHER_aead >); |
|
constant CIPHER_null = 0; |
constant CIPHER_rc4_40 = 2; |
constant CIPHER_rc2_40 = 3; |
constant CIPHER_des40 = 6; |
constant CIPHER_rc4 = 1; |
constant CIPHER_des = 4; |
constant CIPHER_3des = 5; |
constant CIPHER_fortezza = 7; |
constant CIPHER_idea = 8; |
constant CIPHER_aes = 9; |
constant CIPHER_aes256 = 10; |
constant CIPHER_camellia128 = 11; |
constant CIPHER_camellia256 = 12; |
constant CIPHER_chacha20 = 13; |
|
|
constant CIPHER_effective_keylengths = ([ |
CIPHER_null: 0, |
CIPHER_rc2_40: 16, |
CIPHER_rc4_40: 24, |
CIPHER_des40: 32, |
CIPHER_rc4: 38, |
CIPHER_des: 40, |
CIPHER_3des: 112, |
CIPHER_fortezza: 96, |
CIPHER_idea: 128, |
CIPHER_aes: 128, |
CIPHER_aes256: 256, |
CIPHER_camellia128: 128, |
CIPHER_camellia256: 256, |
CIPHER_chacha20: 256, |
]); |
|
|
enum HashAlgorithm { |
HASH_none = 0, |
HASH_md5 = 1, |
HASH_sha = 2, |
HASH_sha224 = 3, |
HASH_sha256 = 4, |
HASH_sha384 = 5, |
HASH_sha512 = 6, |
} |
|
|
enum CipherModes { |
MODE_cbc = 0, |
MODE_ccm_8 = 1, |
MODE_ccm = 2, |
MODE_gcm = 3, |
MODE_poly1305 = 4, |
} |
|
|
constant HASH_lookup = ([ |
#if constant(Crypto.SHA512) |
HASH_sha512: Crypto.SHA512, |
#endif |
#if constant(Crypto.SHA384) |
HASH_sha384: Crypto.SHA384, |
#endif |
HASH_sha256: Crypto.SHA256, |
#if constant(Crypto.SHA224) |
HASH_sha224: Crypto.SHA224, |
#endif |
HASH_sha: Crypto.SHA1, |
HASH_md5: Crypto.MD5, |
]); |
|
|
enum SignatureAlgorithm { |
SIGNATURE_anonymous = 0, |
SIGNATURE_rsa = 1, |
SIGNATURE_dsa = 2, |
SIGNATURE_ecdsa = 3, |
} |
|
|
enum KeyExchangeType { |
KE_null = 0, |
KE_rsa = 1, |
KE_rsa_export = 2, |
KE_dh_dss = 3, |
KE_dh_rsa = 4, |
KE_dhe_dss = 5, |
KE_dhe_rsa = 6, |
KE_dh_anon = 7, |
KE_dms = 8, |
KE_fortezza = 9, |
|
KE_ecdh_ecdsa = 10, |
KE_ecdhe_ecdsa= 11, |
KE_ecdh_rsa = 12, |
KE_ecdhe_rsa = 13, |
KE_ecdh_anon = 14, |
|
KE_psk = 15, |
KE_dhe_psk = 16, |
KE_rsa_psk = 17, |
|
KE_ecdhe_psk = 18, |
|
KE_srp_sha = 19, |
KE_srp_sha_rsa= 20, |
KE_srp_sha_dss= 21, |
|
KE_rsa_fips = 22, |
} |
|
constant KE_ecc_mask = (1<<KE_ecdh_ecdsa)|(1<<KE_ecdhe_ecdsa)| |
(1<<KE_ecdh_rsa)|(1<<KE_ecdhe_rsa)|(1<<KE_ecdh_anon); |
|
|
constant KE_Anonymous = (< |
KE_null, |
KE_dh_anon, |
KE_ecdh_anon, |
KE_psk, |
KE_dhe_psk, |
KE_ecdhe_psk, |
>); |
|
|
enum CompressionType { |
COMPRESSION_null = 0, |
COMPRESSION_deflate = 1, |
COMPRESSION_lzs = 64, |
} |
|
|
constant SIGN_server_certificate_verify = |
" "*64 + "TLS 1.3, server CertificateVerify\0"; |
constant SIGN_client_certificate_verify = |
" "*64 + "TLS 1.3, client CertificateVerify\0"; |
|
|
constant ALERT_warning = 1; |
constant ALERT_fatal = 2; |
constant ALERT_levels = (< ALERT_warning, ALERT_fatal >); |
|
constant ALERT_close_notify = 0; |
constant ALERT_unexpected_message = 10; |
constant ALERT_bad_record_mac = 20; |
constant ALERT_decryption_failed = 21; |
constant ALERT_record_overflow = 22; |
constant ALERT_decompression_failure = 30; |
constant ALERT_handshake_failure = 40; |
constant ALERT_no_certificate = 41; |
constant ALERT_bad_certificate = 42; |
constant ALERT_unsupported_certificate = 43; |
constant ALERT_certificate_revoked = 44; |
constant ALERT_certificate_expired = 45; |
constant ALERT_certificate_unknown = 46; |
constant ALERT_illegal_parameter = 47; |
constant ALERT_unknown_ca = 48; |
constant ALERT_access_denied = 49; |
constant ALERT_decode_error = 50; |
constant ALERT_decrypt_error = 51; |
constant ALERT_export_restriction = 60; |
constant ALERT_protocol_version = 70; |
constant ALERT_insufficient_security = 71; |
constant ALERT_internal_error = 80; |
constant ALERT_inappropriate_fallback = 86; |
constant ALERT_user_canceled = 90; |
constant ALERT_no_renegotiation = 100; |
constant ALERT_unsupported_extension = 110; |
constant ALERT_certificate_unobtainable = 111; |
constant ALERT_unrecognized_name = 112; |
constant ALERT_bad_certificate_status_response = 113; |
constant ALERT_bad_certificate_hash_value = 114; |
constant ALERT_unknown_psk_identity = 115; |
constant ALERT_no_application_protocol = 120; |
constant ALERT_descriptions = ([ |
ALERT_close_notify: "Connection closed.", |
ALERT_unexpected_message: "An inappropriate message was received.", |
ALERT_bad_record_mac: "Incorrect MAC.", |
ALERT_decryption_failed: "Decryption failure.", |
ALERT_record_overflow: "Record overflow.", |
ALERT_decompression_failure: "Decompression failure.", |
ALERT_handshake_failure: "Handshake failure.", |
ALERT_no_certificate: "Certificate required.", |
ALERT_bad_certificate: "Bad certificate.", |
ALERT_unsupported_certificate: "Unsupported certificate.", |
ALERT_certificate_revoked: "Certificate revoked.", |
ALERT_certificate_expired: "Certificate expired.", |
ALERT_certificate_unknown: "Unknown certificate problem.", |
ALERT_illegal_parameter: "Illegal parameter.", |
ALERT_unknown_ca: "Unknown certification authority.", |
ALERT_access_denied: "Access denied.", |
ALERT_decode_error: "Decoding error.", |
ALERT_decrypt_error: "Decryption error.", |
ALERT_export_restriction: "Export restrictions apply.", |
ALERT_protocol_version: "Unsupported protocol.", |
ALERT_insufficient_security: "Insufficient security.", |
ALERT_internal_error: "Internal error.", |
ALERT_inappropriate_fallback: "Inappropriate fallback.", |
ALERT_user_canceled: "User canceled.", |
ALERT_no_renegotiation: "Renegotiation not allowed.", |
ALERT_unsupported_extension: "Unsolicitaded extension.", |
ALERT_certificate_unobtainable: "Failed to obtain certificate.", |
ALERT_unrecognized_name: "Unrecognized host name.", |
ALERT_bad_certificate_status_response: "Bad certificate status response.", |
ALERT_bad_certificate_hash_value: "Invalid certificate signature.", |
ALERT_unknown_psk_identity: "Unknown PSK identity.", |
ALERT_no_application_protocol: "No compatible application layer protocol.", |
]); |
|
constant ALERT_deprecated = ([ |
ALERT_decryption_failed: PROTOCOL_TLS_1_2, |
ALERT_decompression_failure: PROTOCOL_TLS_1_3, |
ALERT_no_certificate: PROTOCOL_TLS_1_1, |
ALERT_export_restriction: PROTOCOL_TLS_1_1, |
]); |
|
constant CONNECTION_client = 0; |
constant CONNECTION_server = 1; |
constant CONNECTION_client_auth = 2; |
|
|
constant SSL_null_with_null_null = 0x0000; |
constant SSL_rsa_with_null_md5 = 0x0001; |
constant SSL_rsa_with_null_sha = 0x0002; |
constant SSL_rsa_export_with_rc4_40_md5 = 0x0003; |
constant SSL_rsa_with_rc4_128_md5 = 0x0004; |
constant SSL_rsa_with_rc4_128_sha = 0x0005; |
constant SSL_rsa_export_with_rc2_cbc_40_md5 = 0x0006; |
constant SSL_rsa_with_idea_cbc_sha = 0x0007; |
constant TLS_rsa_with_idea_cbc_sha = 0x0007; |
constant SSL_rsa_export_with_des40_cbc_sha = 0x0008; |
constant SSL_rsa_with_des_cbc_sha = 0x0009; |
constant TLS_rsa_with_des_cbc_sha = 0x0009; |
constant SSL_rsa_with_3des_ede_cbc_sha = 0x000a; |
constant SSL_dh_dss_export_with_des40_cbc_sha = 0x000b; |
constant SSL_dh_dss_with_des_cbc_sha = 0x000c; |
constant TLS_dh_dss_with_des_cbc_sha = 0x000c; |
constant SSL_dh_rsa_export_with_des40_cbc_sha = 0x000e; |
constant SSL_dh_dss_with_3des_ede_cbc_sha = 0x000d; |
constant SSL_dh_rsa_with_des_cbc_sha = 0x000f; |
constant TLS_dh_rsa_with_des_cbc_sha = 0x000f; |
constant SSL_dh_rsa_with_3des_ede_cbc_sha = 0x0010; |
constant SSL_dhe_dss_export_with_des40_cbc_sha = 0x0011; |
constant SSL_dhe_dss_with_des_cbc_sha = 0x0012; |
constant TLS_dhe_dss_with_des_cbc_sha = 0x0012; |
constant SSL_dhe_dss_with_3des_ede_cbc_sha = 0x0013; |
constant SSL_dhe_rsa_export_with_des40_cbc_sha = 0x0014; |
constant SSL_dhe_rsa_with_des_cbc_sha = 0x0015; |
constant TLS_dhe_rsa_with_des_cbc_sha = 0x0015; |
constant SSL_dhe_rsa_with_3des_ede_cbc_sha = 0x0016; |
constant SSL_dh_anon_export_with_rc4_40_md5 = 0x0017; |
constant SSL_dh_anon_with_rc4_128_md5 = 0x0018; |
constant SSL_dh_anon_export_with_des40_cbc_sha = 0x0019; |
constant SSL_dh_anon_with_des_cbc_sha = 0x001a; |
constant TLS_dh_anon_with_des_cbc_sha = 0x001a; |
constant SSL_dh_anon_with_3des_ede_cbc_sha = 0x001b; |
|
|
|
|
|
|
constant TLS_krb5_with_des_cbc_sha = 0x001e; |
constant TLS_krb5_with_3des_ede_cbc_sha = 0x001f; |
constant TLS_krb5_with_rc4_128_sha = 0x0020; |
constant TLS_krb5_with_idea_cbc_sha = 0x0021; |
constant TLS_krb5_with_des_cbc_md5 = 0x0022; |
constant TLS_krb5_with_3des_ede_cbc_md5 = 0x0023; |
constant TLS_krb5_with_rc4_128_md5 = 0x0024; |
constant TLS_krb5_with_idea_cbc_md5 = 0x0025; |
constant TLS_krb5_export_with_des_cbc_40_sha = 0x0026; |
constant TLS_krb5_export_with_rc2_cbc_40_sha = 0x0027; |
constant TLS_krb5_export_with_rc4_40_sha = 0x0028; |
constant TLS_krb5_export_with_des_cbc_40_md5 = 0x0029; |
constant TLS_krb5_export_with_rc2_cbc_40_md5 = 0x002a; |
constant TLS_krb5_export_with_rc4_40_md5 = 0x002b; |
constant TLS_psk_with_null_sha = 0x002c; |
constant TLS_dhe_psk_with_null_sha = 0x002d; |
constant TLS_rsa_psk_with_null_sha = 0x002e; |
constant TLS_rsa_with_aes_128_cbc_sha = 0x002f; |
constant TLS_dh_dss_with_aes_128_cbc_sha = 0x0030; |
constant TLS_dh_rsa_with_aes_128_cbc_sha = 0x0031; |
constant TLS_dhe_dss_with_aes_128_cbc_sha = 0x0032; |
constant TLS_dhe_rsa_with_aes_128_cbc_sha = 0x0033; |
constant TLS_dh_anon_with_aes_128_cbc_sha = 0x0034; |
constant TLS_rsa_with_aes_256_cbc_sha = 0x0035; |
constant TLS_dh_dss_with_aes_256_cbc_sha = 0x0036; |
constant TLS_dh_rsa_with_aes_256_cbc_sha = 0x0037; |
constant TLS_dhe_dss_with_aes_256_cbc_sha = 0x0038; |
constant TLS_dhe_rsa_with_aes_256_cbc_sha = 0x0039; |
constant TLS_dh_anon_with_aes_256_cbc_sha = 0x003a; |
constant TLS_rsa_with_null_sha256 = 0x003b; |
constant TLS_rsa_with_aes_128_cbc_sha256 = 0x003c; |
constant TLS_rsa_with_aes_256_cbc_sha256 = 0x003d; |
constant TLS_dh_dss_with_aes_128_cbc_sha256 = 0x003e; |
constant TLS_dh_rsa_with_aes_128_cbc_sha256 = 0x003f; |
constant TLS_dhe_dss_with_aes_128_cbc_sha256 = 0x0040; |
constant TLS_rsa_with_camellia_128_cbc_sha = 0x0041; |
constant TLS_dh_dss_with_camellia_128_cbc_sha = 0x0042; |
constant TLS_dh_rsa_with_camellia_128_cbc_sha = 0x0043; |
constant TLS_dhe_dss_with_camellia_128_cbc_sha = 0x0044; |
constant TLS_dhe_rsa_with_camellia_128_cbc_sha = 0x0045; |
constant TLS_dh_anon_with_camellia_128_cbc_sha = 0x0046; |
|
|
|
|
|
|
constant TLS_rsa_export1024_with_rc4_56_md5 = 0x0060; |
constant TLS_rsa_export1024_with_rc2_cbc_56_md5 = 0x0061; |
constant TLS_rsa_export1024_with_des_cbc_sha = 0x0062; |
constant TLS_dhe_dss_export1024_with_des_cbc_sha= 0x0063; |
constant TLS_rsa_export1024_with_rc4_56_sha = 0x0064; |
constant TLS_dhe_dss_export1024_with_rc4_56_sha = 0x0065; |
constant TLS_dhe_dss_with_rc4_128_sha = 0x0066; |
|
constant TLS_dhe_rsa_with_aes_128_cbc_sha256 = 0x0067; |
constant TLS_dh_dss_with_aes_256_cbc_sha256 = 0x0068; |
constant TLS_dh_rsa_with_aes_256_cbc_sha256 = 0x0069; |
constant TLS_dhe_dss_with_aes_256_cbc_sha256 = 0x006a; |
constant TLS_dhe_rsa_with_aes_256_cbc_sha256 = 0x006b; |
constant TLS_dh_anon_with_aes_128_cbc_sha256 = 0x006c; |
constant TLS_dh_anon_with_aes_256_cbc_sha256 = 0x006d; |
|
constant TLS_rsa_with_camellia_256_cbc_sha = 0x0084; |
constant TLS_dh_dss_with_camellia_256_cbc_sha = 0x0085; |
constant TLS_dh_rsa_with_camellia_256_cbc_sha = 0x0086; |
constant TLS_dhe_dss_with_camellia_256_cbc_sha = 0x0087; |
constant TLS_dhe_rsa_with_camellia_256_cbc_sha = 0x0088; |
constant TLS_dh_anon_with_camellia_256_cbc_sha = 0x0089; |
constant TLS_psk_with_rc4_128_sha = 0x008a; |
constant TLS_psk_with_3des_ede_cbc_sha = 0x008b; |
constant TLS_psk_with_aes_128_cbc_sha = 0x008c; |
constant TLS_psk_with_aes_256_cbc_sha = 0x008d; |
constant TLS_dhe_psk_with_rc4_128_sha = 0x008e; |
constant TLS_dhe_psk_with_3des_ede_cbc_sha = 0x008f; |
constant TLS_dhe_psk_with_aes_128_cbc_sha = 0x0090; |
constant TLS_dhe_psk_with_aes_256_cbc_sha = 0x0091; |
constant TLS_rsa_psk_with_rc4_128_sha = 0x0092; |
constant TLS_rsa_psk_with_3des_ede_cbc_sha = 0x0093; |
constant TLS_rsa_psk_with_aes_128_cbc_sha = 0x0094; |
constant TLS_rsa_psk_with_aes_256_cbc_sha = 0x0095; |
constant TLS_rsa_with_seed_cbc_sha = 0x0096; |
constant TLS_dh_dss_with_seed_cbc_sha = 0x0097; |
constant TLS_dh_rsa_with_seed_cbc_sha = 0x0098; |
constant TLS_dhe_dss_with_seed_cbc_sha = 0x0099; |
constant TLS_dhe_rsa_with_seed_cbc_sha = 0x009a; |
constant TLS_dh_anon_with_seed_cbc_sha = 0x009b; |
constant TLS_rsa_with_aes_128_gcm_sha256 = 0x009c; |
constant TLS_rsa_with_aes_256_gcm_sha384 = 0x009d; |
constant TLS_dhe_rsa_with_aes_128_gcm_sha256 = 0x009e; |
constant TLS_dhe_rsa_with_aes_256_gcm_sha384 = 0x009f; |
constant TLS_dh_rsa_with_aes_128_gcm_sha256 = 0x00a0; |
constant TLS_dh_rsa_with_aes_256_gcm_sha384 = 0x00a1; |
constant TLS_dhe_dss_with_aes_128_gcm_sha256 = 0x00a2; |
constant TLS_dhe_dss_with_aes_256_gcm_sha384 = 0x00a3; |
constant TLS_dh_dss_with_aes_128_gcm_sha256 = 0x00a4; |
constant TLS_dh_dss_with_aes_256_gcm_sha384 = 0x00a5; |
constant TLS_dh_anon_with_aes_128_gcm_sha256 = 0x00a6; |
constant TLS_dh_anon_with_aes_256_gcm_sha384 = 0x00a7; |
constant TLS_psk_with_aes_128_gcm_sha256 = 0x00a8; |
constant TLS_psk_with_aes_256_gcm_sha384 = 0x00a9; |
constant TLS_dhe_psk_with_aes_128_gcm_sha256 = 0x00aa; |
constant TLS_dhe_psk_with_aes_256_gcm_sha384 = 0x00ab; |
constant TLS_rsa_psk_with_aes_128_gcm_sha256 = 0x00ac; |
constant TLS_rsa_psk_with_aes_256_gcm_sha384 = 0x00ad; |
constant TLS_psk_with_aes_128_cbc_sha256 = 0x00ae; |
constant TLS_psk_with_aes_256_cbc_sha384 = 0x00af; |
constant TLS_psk_with_null_sha256 = 0x00b0; |
constant TLS_psk_with_null_sha384 = 0x00b1; |
constant TLS_dhe_psk_with_aes_128_cbc_sha256 = 0x00b2; |
constant TLS_dhe_psk_with_aes_256_cbc_sha384 = 0x00b3; |
constant TLS_dhe_psk_with_null_sha256 = 0x00b4; |
constant TLS_dhe_psk_with_null_sha384 = 0x00b5; |
constant TLS_rsa_psk_with_aes_128_cbc_sha256 = 0x00b6; |
constant TLS_rsa_psk_with_aes_256_cbc_sha384 = 0x00b7; |
constant TLS_rsa_psk_with_null_sha256 = 0x00b8; |
constant TLS_rsa_psk_with_null_sha384 = 0x00b9; |
constant TLS_rsa_with_camellia_128_cbc_sha256 = 0x00ba; |
constant TLS_dh_dss_with_camellia_128_cbc_sha256= 0x00bb; |
constant TLS_dh_rsa_with_camellia_128_cbc_sha256= 0x00bc; |
constant TLS_dhe_dss_with_camellia_128_cbc_sha256= 0x00bd; |
constant TLS_dhe_rsa_with_camellia_128_cbc_sha256= 0x00be; |
constant TLS_dh_anon_with_camellia_128_cbc_sha256= 0x00bf; |
constant TLS_rsa_with_camellia_256_cbc_sha256 = 0x00c0; |
constant TLS_dh_dss_with_camellia_256_cbc_sha256= 0x00c1; |
constant TLS_dh_rsa_with_camellia_256_cbc_sha256= 0x00c2; |
constant TLS_dhe_dss_with_camellia_256_cbc_sha256= 0x00c3; |
constant TLS_dhe_rsa_with_camellia_256_cbc_sha256= 0x00c4; |
constant TLS_dh_anon_with_camellia_256_cbc_sha256= 0x00c5; |
|
constant TLS_empty_renegotiation_info_scsv = 0x00ff; |
|
constant TLS_fallback_scsv = 0x5600; |
|
constant TLS_ecdh_ecdsa_with_null_sha = 0xc001; |
constant TLS_ecdh_ecdsa_with_rc4_128_sha = 0xc002; |
constant TLS_ecdh_ecdsa_with_3des_ede_cbc_sha = 0xc003; |
constant TLS_ecdh_ecdsa_with_aes_128_cbc_sha = 0xc004; |
constant TLS_ecdh_ecdsa_with_aes_256_cbc_sha = 0xc005; |
constant TLS_ecdhe_ecdsa_with_null_sha = 0xc006; |
constant TLS_ecdhe_ecdsa_with_rc4_128_sha = 0xc007; |
constant TLS_ecdhe_ecdsa_with_3des_ede_cbc_sha = 0xc008; |
constant TLS_ecdhe_ecdsa_with_aes_128_cbc_sha = 0xc009; |
constant TLS_ecdhe_ecdsa_with_aes_256_cbc_sha = 0xc00a; |
constant TLS_ecdh_rsa_with_null_sha = 0xc00b; |
constant TLS_ecdh_rsa_with_rc4_128_sha = 0xc00c; |
constant TLS_ecdh_rsa_with_3des_ede_cbc_sha = 0xc00d; |
constant TLS_ecdh_rsa_with_aes_128_cbc_sha = 0xc00e; |
constant TLS_ecdh_rsa_with_aes_256_cbc_sha = 0xc00f; |
constant TLS_ecdhe_rsa_with_null_sha = 0xc010; |
constant TLS_ecdhe_rsa_with_rc4_128_sha = 0xc011; |
constant TLS_ecdhe_rsa_with_3des_ede_cbc_sha = 0xc012; |
constant TLS_ecdhe_rsa_with_aes_128_cbc_sha = 0xc013; |
constant TLS_ecdhe_rsa_with_aes_256_cbc_sha = 0xc014; |
constant TLS_ecdh_anon_with_null_sha = 0xc015; |
constant TLS_ecdh_anon_with_rc4_128_sha = 0xc016; |
constant TLS_ecdh_anon_with_3des_ede_cbc_sha = 0xc017; |
constant TLS_ecdh_anon_with_aes_128_cbc_sha = 0xc018; |
constant TLS_ecdh_anon_with_aes_256_cbc_sha = 0xc019; |
constant TLS_srp_sha_with_3des_ede_cbc_sha = 0xc01a; |
constant TLS_srp_sha_rsa_with_3des_ede_cbc_sha = 0xc01b; |
constant TLS_srp_sha_dss_with_3des_ede_cbc_sha = 0xc01c; |
constant TLS_srp_sha_with_aes_128_cbc_sha = 0xc01d; |
constant TLS_srp_sha_rsa_with_aes_128_cbc_sha = 0xc01e; |
constant TLS_srp_sha_dss_with_aes_128_cbc_sha = 0xc01f; |
constant TLS_srp_sha_with_aes_256_cbc_sha = 0xc020; |
constant TLS_srp_sha_rsa_with_aes_256_cbc_sha = 0xc021; |
constant TLS_srp_sha_dss_with_aes_256_cbc_sha = 0xc022; |
constant TLS_ecdhe_ecdsa_with_aes_128_cbc_sha256= 0xc023; |
constant TLS_ecdhe_ecdsa_with_aes_256_cbc_sha384= 0xc024; |
constant TLS_ecdh_ecdsa_with_aes_128_cbc_sha256 = 0xc025; |
constant TLS_ecdh_ecdsa_with_aes_256_cbc_sha384 = 0xc026; |
constant TLS_ecdhe_rsa_with_aes_128_cbc_sha256 = 0xc027; |
constant TLS_ecdhe_rsa_with_aes_256_cbc_sha384 = 0xc028; |
constant TLS_ecdh_rsa_with_aes_128_cbc_sha256 = 0xc029; |
constant TLS_ecdh_rsa_with_aes_256_cbc_sha384 = 0xc02a; |
constant TLS_ecdhe_ecdsa_with_aes_128_gcm_sha256= 0xc02b; |
constant TLS_ecdhe_ecdsa_with_aes_256_gcm_sha384= 0xc02c; |
constant TLS_ecdh_ecdsa_with_aes_128_gcm_sha256 = 0xc02d; |
constant TLS_ecdh_ecdsa_with_aes_256_gcm_sha384 = 0xc02e; |
constant TLS_ecdhe_rsa_with_aes_128_gcm_sha256 = 0xc02f; |
constant TLS_ecdhe_rsa_with_aes_256_gcm_sha384 = 0xc030; |
constant TLS_ecdh_rsa_with_aes_128_gcm_sha256 = 0xc031; |
constant TLS_ecdh_rsa_with_aes_256_gcm_sha384 = 0xc032; |
constant TLS_ecdhe_psk_with_rc4_128_sha = 0xc033; |
constant TLS_ecdhe_psk_with_3des_ede_cbc_sha = 0xc034; |
constant TLS_ecdhe_psk_with_aes_128_cbc_sha = 0xc035; |
constant TLS_ecdhe_psk_with_aes_256_cbc_sha = 0xc036; |
constant TLS_ecdhe_psk_with_aes_128_cbc_sha256 = 0xc037; |
constant TLS_ecdhe_psk_with_aes_256_cbc_sha384 = 0xc038; |
constant TLS_ecdhe_psk_with_null_sha = 0xc039; |
constant TLS_ecdhe_psk_with_null_sha256 = 0xc03a; |
constant TLS_ecdhe_psk_with_null_sha384 = 0xc03b; |
constant TLS_rsa_with_aria_128_cbc_sha256 = 0xc03c; |
constant TLS_rsa_with_aria_256_cbc_sha384 = 0xc03d; |
constant TLS_dh_dss_with_aria_128_cbc_sha256 = 0xc03e; |
constant TLS_dh_dss_with_aria_256_cbc_sha384 = 0xc03f; |
constant TLS_dh_rsa_with_aria_128_cbc_sha256 = 0xc040; |
constant TLS_dh_rsa_with_aria_256_cbc_sha384 = 0xc041; |
constant TLS_dhe_dss_with_aria_128_cbc_sha256 = 0xc042; |
constant TLS_dhe_dss_with_aria_256_cbc_sha384 = 0xc043; |
constant TLS_dhe_rsa_with_aria_128_cbc_sha256 = 0xc044; |
constant TLS_dhe_rsa_with_aria_256_cbc_sha384 = 0xc045; |
constant TLS_dh_anon_with_aria_128_cbc_sha256 = 0xc046; |
constant TLS_dh_anon_with_aria_256_cbc_sha384 = 0xc047; |
constant TLS_ecdhe_ecdsa_with_aria_128_cbc_sha256= 0xc048; |
constant TLS_ecdhe_ecdsa_with_aria_256_cbc_sha384= 0xc049; |
constant TLS_ecdh_ecdsa_with_aria_128_cbc_sha256= 0xc04a; |
constant TLS_ecdh_ecdsa_with_aria_256_cbc_sha384= 0xc04b; |
constant TLS_ecdhe_rsa_with_aria_128_cbc_sha256 = 0xc04c; |
constant TLS_ecdhe_rsa_with_aria_256_cbc_sha384 = 0xc04d; |
constant TLS_ecdh_rsa_with_aria_128_cbc_sha256 = 0xc04e; |
constant TLS_ecdh_rsa_with_aria_256_cbc_sha384 = 0xc04f; |
constant TLS_rsa_with_aria_128_gcm_sha256 = 0xc050; |
constant TLS_rsa_with_aria_256_gcm_sha384 = 0xc051; |
constant TLS_dhe_rsa_with_aria_128_gcm_sha256 = 0xc052; |
constant TLS_dhe_rsa_with_aria_256_gcm_sha384 = 0xc053; |
constant TLS_dh_rsa_with_aria_128_gcm_sha256 = 0xc054; |
constant TLS_dh_rsa_with_aria_256_gcm_sha384 = 0xc055; |
constant TLS_dhe_dss_with_aria_128_gcm_sha256 = 0xc056; |
constant TLS_dhe_dss_with_aria_256_gcm_sha384 = 0xc057; |
constant TLS_dh_dss_with_aria_128_gcm_sha256 = 0xc058; |
constant TLS_dh_dss_with_aria_256_gcm_sha384 = 0xc059; |
constant TLS_dh_anon_with_aria_128_gcm_sha256 = 0xc05a; |
constant TLS_dh_anon_with_aria_256_gcm_sha384 = 0xc05b; |
constant TLS_ecdhe_ecdsa_with_aria_128_gcm_sha256= 0xc05c; |
constant TLS_ecdhe_ecdsa_with_aria_256_gcm_sha384= 0xc05d; |
constant TLS_ecdh_ecdsa_with_aria_128_gcm_sha256= 0xc05e; |
constant TLS_ecdh_ecdsa_with_aria_256_gcm_sha384= 0xc05f; |
constant TLS_ecdhe_rsa_with_aria_128_gcm_sha256 = 0xc060; |
constant TLS_ecdhe_rsa_with_aria_256_gcm_sha384 = 0xc061; |
constant TLS_ecdh_rsa_with_aria_128_gcm_sha256 = 0xc062; |
constant TLS_ecdh_rsa_with_aria_256_gcm_sha384 = 0xc063; |
constant TLS_psk_with_aria_128_cbc_sha256 = 0xc064; |
constant TLS_psk_with_aria_256_cbc_sha384 = 0xc065; |
constant TLS_dhe_psk_with_aria_128_cbc_sha256 = 0xc066; |
constant TLS_dhe_psk_with_aria_256_cbc_sha384 = 0xc067; |
constant TLS_rsa_psk_with_aria_128_cbc_sha256 = 0xc068; |
constant TLS_rsa_psk_with_aria_256_cbc_sha384 = 0xc069; |
constant TLS_psk_with_aria_128_gcm_sha256 = 0xc06a; |
constant TLS_psk_with_aria_256_gcm_sha384 = 0xc06b; |
constant TLS_dhe_psk_with_aria_128_gcm_sha256 = 0xc06c; |
constant TLS_dhe_psk_with_aria_256_gcm_sha384 = 0xc06d; |
constant TLS_rsa_psk_with_aria_128_gcm_sha256 = 0xc06e; |
constant TLS_rsa_psk_with_aria_256_gcm_sha384 = 0xc06f; |
constant TLS_ecdhe_psk_with_aria_128_cbc_sha256 = 0xc070; |
constant TLS_ecdhe_psk_with_aria_256_cbc_sha384 = 0xc071; |
constant TLS_ecdhe_ecdsa_with_camellia_128_cbc_sha256= 0xc072; |
constant TLS_ecdhe_ecdsa_with_camellia_256_cbc_sha384= 0xc073; |
constant TLS_ecdh_ecdsa_with_camellia_128_cbc_sha256 = 0xc074; |
constant TLS_ecdh_ecdsa_with_camellia_256_cbc_sha384 = 0xc075; |
constant TLS_ecdhe_rsa_with_camellia_128_cbc_sha256 = 0xc076; |
constant TLS_ecdhe_rsa_with_camellia_256_cbc_sha384 = 0xc077; |
constant TLS_ecdh_rsa_with_camellia_128_cbc_sha256 = 0xc078; |
constant TLS_ecdh_rsa_with_camellia_256_cbc_sha384 = 0xc079; |
constant TLS_rsa_with_camellia_128_gcm_sha256 = 0xc07a; |
constant TLS_rsa_with_camellia_256_gcm_sha384 = 0xc07b; |
constant TLS_dhe_rsa_with_camellia_128_gcm_sha256 = 0xc07c; |
constant TLS_dhe_rsa_with_camellia_256_gcm_sha384 = 0xc07d; |
constant TLS_dh_rsa_with_camellia_128_gcm_sha256 = 0xc07e; |
constant TLS_dh_rsa_with_camellia_256_gcm_sha384 = 0xc07f; |
constant TLS_dhe_dss_with_camellia_128_gcm_sha256 = 0xc080; |
constant TLS_dhe_dss_with_camellia_256_gcm_sha384 = 0xc081; |
constant TLS_dh_dss_with_camellia_128_gcm_sha256 = 0xc082; |
constant TLS_dh_dss_with_camellia_256_gcm_sha384 = 0xc083; |
constant TLS_dh_anon_with_camellia_128_gcm_sha256 = 0xc084; |
constant TLS_dh_anon_with_camellia_256_gcm_sha384 = 0xc085; |
constant TLS_ecdhe_ecdsa_with_camellia_128_gcm_sha256= 0xc086; |
constant TLS_ecdhe_ecdsa_with_camellia_256_gcm_sha384= 0xc087; |
constant TLS_ecdh_ecdsa_with_camellia_128_gcm_sha256 = 0xc088; |
constant TLS_ecdh_ecdsa_with_camellia_256_gcm_sha384 = 0xc089; |
constant TLS_ecdhe_rsa_with_camellia_128_gcm_sha256 = 0xc08a; |
constant TLS_ecdhe_rsa_with_camellia_256_gcm_sha384 = 0xc08b; |
constant TLS_ecdh_rsa_with_camellia_128_gcm_sha256 = 0xc08c; |
constant TLS_ecdh_rsa_with_camellia_256_gcm_sha384 = 0xc08d; |
constant TLS_psk_with_camellia_128_gcm_sha256 = 0xc08e; |
constant TLS_psk_with_camellia_256_gcm_sha384 = 0xc08f; |
constant TLS_dhe_psk_with_camellia_128_gcm_sha256 = 0xc090; |
constant TLS_dhe_psk_with_camellia_256_gcm_sha384 = 0xc091; |
constant TLS_rsa_psk_with_camellia_128_gcm_sha256 = 0xc092; |
constant TLS_rsa_psk_with_camellia_256_gcm_sha384 = 0xc093; |
constant TLS_psk_with_camellia_128_cbc_sha256 = 0xc094; |
constant TLS_psk_with_camellia_256_cbc_sha384 = 0xc095; |
constant TLS_dhe_psk_with_camellia_128_cbc_sha256 = 0xc096; |
constant TLS_dhe_psk_with_camellia_256_cbc_sha384 = 0xc097; |
constant TLS_rsa_psk_with_camellia_128_cbc_sha256 = 0xc098; |
constant TLS_rsa_psk_with_camellia_256_cbc_sha384 = 0xc099; |
constant TLS_ecdhe_psk_with_camellia_128_cbc_sha256 = 0xc09a; |
constant TLS_ecdhe_psk_with_camellia_256_cbc_sha384 = 0xc09b; |
constant TLS_rsa_with_aes_128_ccm = 0xc09c; |
constant TLS_rsa_with_aes_256_ccm = 0xc09d; |
constant TLS_dhe_rsa_with_aes_128_ccm = 0xc09e; |
constant TLS_dhe_rsa_with_aes_256_ccm = 0xc09f; |
constant TLS_rsa_with_aes_128_ccm_8 = 0xc0a0; |
constant TLS_rsa_with_aes_256_ccm_8 = 0xc0a1; |
constant TLS_dhe_rsa_with_aes_128_ccm_8 = 0xc0a2; |
constant TLS_dhe_rsa_with_aes_256_ccm_8 = 0xc0a3; |
constant TLS_psk_with_aes_128_ccm = 0xc0a4; |
constant TLS_psk_with_aes_256_ccm = 0xc0a5; |
constant TLS_dhe_psk_with_aes_128_ccm = 0xc0a6; |
constant TLS_dhe_psk_with_aes_256_ccm = 0xc0a7; |
constant TLS_psk_with_aes_128_ccm_8 = 0xc0a8; |
constant TLS_psk_with_aes_256_ccm_8 = 0xc0a9; |
constant TLS_psk_dhe_with_aes_128_ccm_8 = 0xc0aa; |
constant TLS_psk_dhe_with_aes_256_ccm_8 = 0xc0ab; |
constant TLS_ecdhe_ecdsa_with_aes_128_ccm = 0xc0ac; |
constant TLS_ecdhe_ecdsa_with_aes_256_ccm = 0xc0ad; |
constant TLS_ecdhe_ecdsa_with_aes_128_ccm_8 = 0xc0ae; |
constant TLS_ecdhe_ecdsa_with_aes_256_ccm_8 = 0xc0af; |
|
constant TLS_ecdhe_rsa_with_chacha20_poly1305_sha256 = 0xcc13; |
constant TLS_ecdhe_ecdsa_with_chacha20_poly1305_sha256 = 0xcc14; |
constant TLS_dhe_rsa_with_chacha20_poly1305_sha256 = 0xcc15; |
|
|
|
constant SSL_rsa_fips_with_des_cbc_sha = 0xFEFE; |
constant SSL_rsa_fips_with_3des_ede_cbc_sha = 0xFEFF; |
constant SSL_rsa_oldfips_with_des_cbc_sha = 0xFFE1; |
constant SSL_rsa_oldfips_with_3des_ede_cbc_sha = 0xFFE0; |
|
constant SSL_rsa_with_rc2_cbc_md5 = 0xFF80; |
constant SSL_rsa_with_idea_cbc_md5 = 0xFF81; |
constant SSL_rsa_with_des_cbc_md5 = 0xFF82; |
constant SSL_rsa_with_3des_ede_cbc_md5 = 0xFF83; |
|
|
|
|
constant SSL2_ck_rc4_128_with_md5 = 0x010080; |
constant SSL2_ck_rc4_128_export40_with_md5 = 0x020080; |
constant SSL2_ck_rc2_128_cbc_with_md5 = 0x030080; |
constant SSL2_ck_rc2_128_cbc_export40_with_md5 = 0x040080; |
constant SSL2_ck_idea_128_cbc_with_md5 = 0x050080; |
constant SSL2_ck_des_64_cbc_with_md5 = 0x060040; |
constant SSL2_ck_des_192_ede3_cbc_with_md5 = 0x0700c0; |
|
string fmt_constant(int c, string prefix) |
{ |
if (!has_suffix(prefix, "_")) prefix += "_"; |
foreach([array(string)]indices(this), string id) |
if (has_prefix(id, prefix) && (this[id] == c)) return id; |
return sprintf("%sunknown(%d)", prefix, c); |
} |
|
protected mapping(int:string) suite_to_symbol = ([]); |
|
string fmt_cipher_suite(int suite) |
{ |
if (!sizeof(suite_to_symbol)) { |
foreach([array(string)]indices(this), string id) |
if( has_prefix(id, "SSL_") || has_prefix(id, "TLS_") || |
has_prefix(id, "SSL2_") ) { |
suite_to_symbol[this[id]] = id; |
} |
} |
string res = suite_to_symbol[suite]; |
if (res) return res; |
return suite_to_symbol[suite] = sprintf("unknown(%d)", suite); |
} |
|
string fmt_cipher_suites(array(int) s) |
{ |
String.Buffer b = String.Buffer(); |
foreach(s, int c) |
b->sprintf(" %-6d: %s\n", c, fmt_cipher_suite(c)); |
return (string)b; |
} |
|
string fmt_signature_pairs(array(array(int)) pairs) |
{ |
String.Buffer b = String.Buffer(); |
foreach(pairs, [int hash, int signature]) |
b->sprintf(" <%s, %s>\n", |
fmt_constant(hash, "HASH"), |
fmt_constant(signature, "SIGNATURE")); |
return (string)b; |
} |
|
string fmt_version(ProtocolVersion version) |
{ |
if (version <= PROTOCOL_SSL_3_0) { |
return sprintf("SSL %d.%d", version>>8, version & 0xff); |
} |
version -= PROTOCOL_TLS_1_0 - 0x100; |
return sprintf("TLS %d.%d", version>>8, version & 0xff); |
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
constant CIPHER_SUITES = |
([ |
|
SSL_null_with_null_null : ({ 0, 0, 0 }), |
SSL_rsa_with_null_md5 : ({ KE_rsa_export, 0, HASH_md5 }), |
SSL_rsa_with_null_sha : ({ KE_rsa_export, 0, HASH_sha }), |
TLS_rsa_with_null_sha256 : ({ KE_rsa_export, 0, HASH_sha256, MODE_cbc }), |
|
|
|
#if constant(Crypto.Arctwo) |
SSL_rsa_export_with_rc2_cbc_40_md5 : |
({ KE_rsa_export, CIPHER_rc2_40, HASH_md5 }), |
#endif |
SSL_rsa_export_with_rc4_40_md5 : |
({ KE_rsa_export, CIPHER_rc4_40, HASH_md5 }), |
SSL_dhe_dss_export_with_des40_cbc_sha : |
({ KE_dhe_dss, CIPHER_des40, HASH_sha }), |
SSL_dhe_rsa_export_with_des40_cbc_sha : |
({ KE_dhe_rsa, CIPHER_des40, HASH_sha }), |
SSL_dh_dss_export_with_des40_cbc_sha : |
({ KE_dh_dss, CIPHER_des40, HASH_sha }), |
SSL_dh_rsa_export_with_des40_cbc_sha : |
({ KE_dh_rsa, CIPHER_des40, HASH_sha }), |
SSL_rsa_export_with_des40_cbc_sha : |
({ KE_rsa_export, CIPHER_des40, HASH_sha }), |
|
|
#if constant(Crypto.IDEA) |
SSL_rsa_with_idea_cbc_sha : ({ KE_rsa, CIPHER_idea, HASH_sha }), |
TLS_rsa_with_idea_cbc_sha : ({ KE_rsa, CIPHER_idea, HASH_sha }), |
SSL_rsa_with_idea_cbc_md5 : ({ KE_rsa, CIPHER_idea, HASH_md5 }), |
#endif |
SSL_rsa_with_des_cbc_sha : ({ KE_rsa, CIPHER_des, HASH_sha }), |
TLS_rsa_with_des_cbc_sha : ({ KE_rsa, CIPHER_des, HASH_sha }), |
SSL_rsa_with_des_cbc_md5 : ({ KE_rsa, CIPHER_des, HASH_md5 }), |
SSL_dhe_dss_with_des_cbc_sha : ({ KE_dhe_dss, CIPHER_des, HASH_sha }), |
TLS_dhe_dss_with_des_cbc_sha : ({ KE_dhe_dss, CIPHER_des, HASH_sha }), |
SSL_dhe_rsa_with_des_cbc_sha : ({ KE_dhe_rsa, CIPHER_des, HASH_sha }), |
TLS_dhe_rsa_with_des_cbc_sha : ({ KE_dhe_rsa, CIPHER_des, HASH_sha }), |
SSL_dh_dss_with_des_cbc_sha : ({ KE_dh_dss, CIPHER_des, HASH_sha }), |
TLS_dh_dss_with_des_cbc_sha : ({ KE_dh_dss, CIPHER_des, HASH_sha }), |
SSL_dh_rsa_with_des_cbc_sha : ({ KE_dh_rsa, CIPHER_des, HASH_sha }), |
TLS_dh_rsa_with_des_cbc_sha : ({ KE_dh_rsa, CIPHER_des, HASH_sha }), |
|
SSL_rsa_with_rc4_128_sha : ({ KE_rsa, CIPHER_rc4, HASH_sha }), |
SSL_rsa_with_rc4_128_md5 : ({ KE_rsa, CIPHER_rc4, HASH_md5 }), |
TLS_dhe_dss_with_rc4_128_sha : ({ KE_dhe_dss, CIPHER_rc4, HASH_sha }), |
|
|
|
SSL_rsa_fips_with_des_cbc_sha : ({ KE_rsa_fips, CIPHER_des, HASH_sha }), |
SSL_rsa_fips_with_3des_ede_cbc_sha : ({ KE_rsa_fips, CIPHER_3des, HASH_sha }), |
SSL_rsa_oldfips_with_des_cbc_sha : ({ KE_rsa_fips, CIPHER_des, HASH_sha }), |
SSL_rsa_oldfips_with_3des_ede_cbc_sha : ({ KE_rsa_fips, CIPHER_3des, HASH_sha }), |
|
|
SSL_dh_anon_export_with_rc4_40_md5: ({ KE_dh_anon, CIPHER_rc4_40, HASH_md5 }), |
SSL_dh_anon_export_with_des40_cbc_sha: ({ KE_dh_anon, CIPHER_des40, HASH_sha }), |
SSL_dh_anon_with_rc4_128_md5: ({ KE_dh_anon, CIPHER_rc4, HASH_md5 }), |
SSL_dh_anon_with_des_cbc_sha: ({ KE_dh_anon, CIPHER_des, HASH_sha }), |
TLS_dh_anon_with_des_cbc_sha: ({ KE_dh_anon, CIPHER_des, HASH_sha }), |
SSL_dh_anon_with_3des_ede_cbc_sha: ({ KE_dh_anon, CIPHER_3des, HASH_sha }), |
TLS_dh_anon_with_aes_128_cbc_sha: ({ KE_dh_anon, CIPHER_aes, HASH_sha }), |
TLS_dh_anon_with_aes_256_cbc_sha: ({ KE_dh_anon, CIPHER_aes256, HASH_sha }), |
TLS_dh_anon_with_aes_128_cbc_sha256: ({ KE_dh_anon, CIPHER_aes, HASH_sha256, MODE_cbc }), |
TLS_dh_anon_with_aes_256_cbc_sha256: ({ KE_dh_anon, CIPHER_aes256, HASH_sha256, MODE_cbc }), |
#if constant(Crypto.ECC.Curve) |
TLS_ecdh_anon_with_null_sha: ({ KE_ecdh_anon, 0, HASH_sha }), |
TLS_ecdh_anon_with_rc4_128_sha: ({ KE_ecdh_anon, CIPHER_rc4, HASH_sha }), |
TLS_ecdh_anon_with_3des_ede_cbc_sha: ({ KE_ecdh_anon, CIPHER_3des, HASH_sha }), |
TLS_ecdh_anon_with_aes_128_cbc_sha: ({ KE_ecdh_anon, CIPHER_aes, HASH_sha }), |
TLS_ecdh_anon_with_aes_256_cbc_sha: ({ KE_ecdh_anon, CIPHER_aes256, HASH_sha }), |
#endif /* Crypto.ECC.Curve */ |
|
|
SSL_dhe_dss_with_3des_ede_cbc_sha : ({ KE_dhe_dss, CIPHER_3des, HASH_sha }), |
|
|
SSL_rsa_with_3des_ede_cbc_sha : ({ KE_rsa, CIPHER_3des, HASH_sha }), |
|
|
TLS_rsa_with_aes_128_cbc_sha : ({ KE_rsa, CIPHER_aes, HASH_sha }), |
|
SSL_rsa_with_3des_ede_cbc_md5 : ({ KE_rsa, CIPHER_3des, HASH_md5 }), |
SSL_dhe_rsa_with_3des_ede_cbc_sha : ({ KE_dhe_rsa, CIPHER_3des, HASH_sha }), |
SSL_dh_dss_with_3des_ede_cbc_sha : ({ KE_dh_dss, CIPHER_3des, HASH_sha }), |
SSL_dh_rsa_with_3des_ede_cbc_sha : ({ KE_dh_rsa, CIPHER_3des, HASH_sha }), |
|
TLS_dhe_dss_with_aes_128_cbc_sha : ({ KE_dhe_dss, CIPHER_aes, HASH_sha }), |
TLS_dhe_rsa_with_aes_128_cbc_sha : ({ KE_dhe_rsa, CIPHER_aes, HASH_sha }), |
TLS_dh_dss_with_aes_128_cbc_sha : ({ KE_dh_dss, CIPHER_aes, HASH_sha }), |
TLS_dh_rsa_with_aes_128_cbc_sha : ({ KE_dh_rsa, CIPHER_aes, HASH_sha }), |
TLS_rsa_with_aes_256_cbc_sha : ({ KE_rsa, CIPHER_aes256, HASH_sha }), |
TLS_dhe_dss_with_aes_256_cbc_sha : ({ KE_dhe_dss, CIPHER_aes256, HASH_sha }), |
TLS_dhe_rsa_with_aes_256_cbc_sha : ({ KE_dhe_rsa, CIPHER_aes256, HASH_sha }), |
TLS_dh_dss_with_aes_256_cbc_sha : ({ KE_dh_dss, CIPHER_aes256, HASH_sha }), |
TLS_dh_rsa_with_aes_256_cbc_sha : ({ KE_dh_rsa, CIPHER_aes256, HASH_sha }), |
|
#if constant(Crypto.ECC.Curve) |
|
TLS_ecdh_ecdsa_with_null_sha : ({ KE_ecdh_ecdsa, 0, HASH_sha }), |
TLS_ecdh_ecdsa_with_rc4_128_sha : ({ KE_ecdh_ecdsa, CIPHER_rc4, HASH_sha }), |
TLS_ecdh_ecdsa_with_3des_ede_cbc_sha : ({ KE_ecdh_ecdsa, CIPHER_3des, HASH_sha }), |
TLS_ecdh_ecdsa_with_aes_128_cbc_sha : ({ KE_ecdh_ecdsa, CIPHER_aes, HASH_sha }), |
TLS_ecdh_ecdsa_with_aes_256_cbc_sha : ({ KE_ecdh_ecdsa, CIPHER_aes256, HASH_sha }), |
|
TLS_ecdhe_ecdsa_with_null_sha : ({ KE_ecdhe_ecdsa, 0, HASH_sha }), |
TLS_ecdhe_ecdsa_with_rc4_128_sha : ({ KE_ecdhe_ecdsa, CIPHER_rc4, HASH_sha }), |
TLS_ecdhe_ecdsa_with_3des_ede_cbc_sha : ({ KE_ecdhe_ecdsa, CIPHER_3des, HASH_sha }), |
TLS_ecdhe_ecdsa_with_aes_128_cbc_sha : ({ KE_ecdhe_ecdsa, CIPHER_aes, HASH_sha }), |
TLS_ecdhe_ecdsa_with_aes_256_cbc_sha : ({ KE_ecdhe_ecdsa, CIPHER_aes256, HASH_sha }), |
|
TLS_ecdh_rsa_with_null_sha : ({ KE_ecdh_rsa, 0, HASH_sha }), |
TLS_ecdh_rsa_with_rc4_128_sha : ({ KE_ecdh_rsa, CIPHER_rc4, HASH_sha }), |
TLS_ecdh_rsa_with_3des_ede_cbc_sha : ({ KE_ecdh_rsa, CIPHER_3des, HASH_sha }), |
TLS_ecdh_rsa_with_aes_128_cbc_sha : ({ KE_ecdh_rsa, CIPHER_aes, HASH_sha }), |
TLS_ecdh_rsa_with_aes_256_cbc_sha : ({ KE_ecdh_rsa, CIPHER_aes256, HASH_sha }), |
|
TLS_ecdhe_rsa_with_null_sha : ({ KE_ecdhe_rsa, 0, HASH_sha }), |
TLS_ecdhe_rsa_with_rc4_128_sha : ({ KE_ecdhe_rsa, CIPHER_rc4, HASH_sha }), |
TLS_ecdhe_rsa_with_3des_ede_cbc_sha : ({ KE_ecdhe_rsa, CIPHER_3des, HASH_sha }), |
TLS_ecdhe_rsa_with_aes_128_cbc_sha : ({ KE_ecdhe_rsa, CIPHER_aes, HASH_sha }), |
TLS_ecdhe_rsa_with_aes_256_cbc_sha : ({ KE_ecdhe_rsa, CIPHER_aes256, HASH_sha }), |
|
|
|
TLS_ecdhe_ecdsa_with_aes_128_ccm : ({ KE_ecdhe_ecdsa, CIPHER_aes, HASH_sha256, MODE_ccm }), |
TLS_ecdhe_ecdsa_with_aes_256_ccm : ({ KE_ecdhe_ecdsa, CIPHER_aes256, HASH_sha256, MODE_ccm }), |
TLS_ecdhe_ecdsa_with_aes_128_ccm_8 : ({ KE_ecdhe_ecdsa, CIPHER_aes, HASH_sha256, MODE_ccm_8 }), |
TLS_ecdhe_ecdsa_with_aes_256_ccm_8 : ({ KE_ecdhe_ecdsa, CIPHER_aes256, HASH_sha256, MODE_ccm_8 }), |
|
#endif /* Crypto.ECC.Curve */ |
|
|
|
TLS_rsa_with_aes_128_cbc_sha256 : ({ KE_rsa, CIPHER_aes, HASH_sha256, MODE_cbc }), |
TLS_dhe_rsa_with_aes_128_cbc_sha256 : ({ KE_dhe_rsa, CIPHER_aes, HASH_sha256, MODE_cbc }), |
TLS_dhe_dss_with_aes_128_cbc_sha256 : ({ KE_dhe_dss, CIPHER_aes, HASH_sha256, MODE_cbc }), |
TLS_dh_rsa_with_aes_128_cbc_sha256 : ({ KE_dh_rsa, CIPHER_aes, HASH_sha256, MODE_cbc }), |
TLS_dh_dss_with_aes_128_cbc_sha256 : ({ KE_dh_dss, CIPHER_aes, HASH_sha256, MODE_cbc }), |
TLS_rsa_with_aes_256_cbc_sha256 : ({ KE_rsa, CIPHER_aes256, HASH_sha256, MODE_cbc }), |
TLS_dhe_rsa_with_aes_256_cbc_sha256 : ({ KE_dhe_rsa, CIPHER_aes256, HASH_sha256, MODE_cbc }), |
TLS_dhe_dss_with_aes_256_cbc_sha256 : ({ KE_dhe_dss, CIPHER_aes256, HASH_sha256, MODE_cbc }), |
TLS_dh_rsa_with_aes_256_cbc_sha256 : ({ KE_dh_rsa, CIPHER_aes256, HASH_sha256, MODE_cbc }), |
TLS_dh_dss_with_aes_256_cbc_sha256 : ({ KE_dh_dss, CIPHER_aes256, HASH_sha256, MODE_cbc }), |
|
#if constant(Crypto.ECC.Curve) |
|
|
TLS_ecdhe_ecdsa_with_aes_128_cbc_sha256 : ({ KE_ecdhe_ecdsa, CIPHER_aes, HASH_sha256, MODE_cbc }), |
TLS_ecdh_ecdsa_with_aes_128_cbc_sha256 : ({ KE_ecdh_ecdsa, CIPHER_aes, HASH_sha256, MODE_cbc }), |
TLS_ecdhe_rsa_with_aes_128_cbc_sha256 : ({ KE_ecdhe_rsa, CIPHER_aes, HASH_sha256, MODE_cbc }), |
TLS_ecdh_rsa_with_aes_128_cbc_sha256 : ({ KE_ecdh_rsa, CIPHER_aes, HASH_sha256, MODE_cbc }), |
#if constant(Crypto.SHA384) |
TLS_ecdhe_ecdsa_with_aes_256_cbc_sha384 : ({ KE_ecdhe_ecdsa, CIPHER_aes256, HASH_sha384, MODE_cbc }), |
TLS_ecdh_ecdsa_with_aes_256_cbc_sha384 : ({ KE_ecdh_ecdsa, CIPHER_aes256, HASH_sha384, MODE_cbc }), |
TLS_ecdhe_rsa_with_aes_256_cbc_sha384 : ({ KE_ecdhe_rsa, CIPHER_aes256, HASH_sha384, MODE_cbc }), |
TLS_ecdh_rsa_with_aes_256_cbc_sha384 : ({ KE_ecdh_rsa, CIPHER_aes256, HASH_sha384, MODE_cbc }), |
#endif /* Crypto.SHA384 */ |
#endif /* Crypto.ECC.Curve */ |
|
|
|
TLS_rsa_with_aes_128_ccm: ({ KE_rsa, CIPHER_aes, HASH_sha256, MODE_ccm }), |
TLS_rsa_with_aes_256_ccm: ({ KE_rsa, CIPHER_aes256, HASH_sha256, MODE_ccm }), |
TLS_dhe_rsa_with_aes_128_ccm: ({ KE_dhe_rsa, CIPHER_aes, HASH_sha256, MODE_ccm }), |
TLS_dhe_rsa_with_aes_256_ccm: ({ KE_dhe_rsa, CIPHER_aes256, HASH_sha256, MODE_ccm }), |
TLS_rsa_with_aes_128_ccm_8: ({ KE_rsa, CIPHER_aes, HASH_sha256, MODE_ccm_8 }), |
TLS_rsa_with_aes_256_ccm_8: ({ KE_rsa, CIPHER_aes256, HASH_sha256, MODE_ccm_8 }), |
TLS_dhe_rsa_with_aes_128_ccm_8: ({ KE_dhe_rsa, CIPHER_aes, HASH_sha256, MODE_ccm_8 }), |
TLS_dhe_rsa_with_aes_256_ccm_8: ({ KE_dhe_rsa, CIPHER_aes256, HASH_sha256, MODE_ccm_8 }), |
|
#if constant(Crypto.Camellia) |
|
TLS_rsa_with_camellia_128_cbc_sha: ({ KE_rsa, CIPHER_camellia128, HASH_sha }), |
TLS_dhe_dss_with_camellia_128_cbc_sha: ({ KE_dhe_dss, CIPHER_camellia128, HASH_sha }), |
TLS_dhe_rsa_with_camellia_128_cbc_sha: ({ KE_dhe_rsa, CIPHER_camellia128, HASH_sha }), |
TLS_dh_dss_with_camellia_128_cbc_sha: ({ KE_dh_dss, CIPHER_camellia128, HASH_sha }), |
TLS_dh_rsa_with_camellia_128_cbc_sha: ({ KE_dh_rsa, CIPHER_camellia128, HASH_sha }), |
TLS_rsa_with_camellia_256_cbc_sha: ({ KE_rsa, CIPHER_camellia256, HASH_sha }), |
TLS_dhe_dss_with_camellia_256_cbc_sha: ({ KE_dhe_dss, CIPHER_camellia256, HASH_sha }), |
TLS_dhe_rsa_with_camellia_256_cbc_sha: ({ KE_dhe_rsa, CIPHER_camellia256, HASH_sha }), |
TLS_dh_dss_with_camellia_256_cbc_sha: ({ KE_dh_dss, CIPHER_camellia256, HASH_sha }), |
TLS_dh_rsa_with_camellia_256_cbc_sha: ({ KE_dh_rsa, CIPHER_camellia256, HASH_sha }), |
|
TLS_rsa_with_camellia_128_cbc_sha256: ({ KE_rsa, CIPHER_camellia128, HASH_sha256, MODE_cbc }), |
TLS_dhe_dss_with_camellia_128_cbc_sha256: ({ KE_dhe_dss, CIPHER_camellia128, HASH_sha256, MODE_cbc }), |
TLS_dhe_rsa_with_camellia_128_cbc_sha256: ({ KE_dhe_rsa, CIPHER_camellia128, HASH_sha256, MODE_cbc }), |
TLS_dh_dss_with_camellia_128_cbc_sha256: ({ KE_dh_dss, CIPHER_camellia128, HASH_sha256, MODE_cbc }), |
TLS_dh_rsa_with_camellia_128_cbc_sha256: ({ KE_dh_rsa, CIPHER_camellia128, HASH_sha256, MODE_cbc }), |
TLS_rsa_with_camellia_256_cbc_sha256: ({ KE_rsa, CIPHER_camellia256, HASH_sha256, MODE_cbc }), |
TLS_dhe_dss_with_camellia_256_cbc_sha256: ({ KE_dhe_dss, CIPHER_camellia256, HASH_sha256, MODE_cbc }), |
TLS_dhe_rsa_with_camellia_256_cbc_sha256: ({ KE_dhe_rsa, CIPHER_camellia256, HASH_sha256, MODE_cbc }), |
TLS_dh_dss_with_camellia_256_cbc_sha256: ({ KE_dh_dss, CIPHER_camellia256, HASH_sha256, MODE_cbc }), |
TLS_dh_rsa_with_camellia_256_cbc_sha256: ({ KE_dh_rsa, CIPHER_camellia256, HASH_sha256, MODE_cbc }), |
|
|
TLS_dh_anon_with_camellia_128_cbc_sha: ({ KE_dh_anon, CIPHER_camellia128, HASH_sha }), |
TLS_dh_anon_with_camellia_256_cbc_sha: ({ KE_dh_anon, CIPHER_camellia256, HASH_sha }), |
TLS_dh_anon_with_camellia_128_cbc_sha256: ({ KE_dh_anon, CIPHER_camellia128, HASH_sha256, MODE_cbc }), |
TLS_dh_anon_with_camellia_256_cbc_sha256: ({ KE_dh_anon, CIPHER_camellia256, HASH_sha256, MODE_cbc }), |
|
#if constant(Crypto.ECC.Curve) |
|
|
|
TLS_ecdh_ecdsa_with_camellia_128_cbc_sha256: ({ KE_ecdh_ecdsa, CIPHER_camellia128, HASH_sha256 }), |
TLS_ecdh_rsa_with_camellia_128_cbc_sha256: ({ KE_ecdh_rsa, CIPHER_camellia128, HASH_sha256 }), |
TLS_ecdhe_ecdsa_with_camellia_128_cbc_sha256: ({ KE_ecdhe_ecdsa, CIPHER_camellia128, HASH_sha256 }), |
TLS_ecdhe_rsa_with_camellia_128_cbc_sha256: ({ KE_ecdhe_rsa, CIPHER_camellia128, HASH_sha256 }), |
#if constant(Crypto.SHA384) |
TLS_ecdh_ecdsa_with_camellia_256_cbc_sha384: ({ KE_ecdh_ecdsa, CIPHER_camellia256, HASH_sha384 }), |
TLS_ecdh_rsa_with_camellia_256_cbc_sha384: ({ KE_ecdh_rsa, CIPHER_camellia256, HASH_sha384 }), |
TLS_ecdhe_ecdsa_with_camellia_256_cbc_sha384: ({ KE_ecdhe_ecdsa, CIPHER_camellia256, HASH_sha384 }), |
TLS_ecdhe_rsa_with_camellia_256_cbc_sha384: ({ KE_ecdhe_rsa, CIPHER_camellia256, HASH_sha384 }), |
#endif /* Crypto.SHA384 */ |
#endif /* Crypto.ECC.Curve */ |
#endif /* Crypto.Camellia */ |
|
#if constant(Crypto.AES.GCM) |
|
TLS_rsa_with_aes_128_gcm_sha256: ({ KE_rsa, CIPHER_aes, HASH_sha256, MODE_gcm }), |
TLS_dhe_rsa_with_aes_128_gcm_sha256: ({ KE_dhe_rsa, CIPHER_aes, HASH_sha256, MODE_gcm }), |
TLS_dhe_dss_with_aes_128_gcm_sha256: ({ KE_dhe_dss, CIPHER_aes, HASH_sha256, MODE_gcm }), |
TLS_dh_rsa_with_aes_128_gcm_sha256: ({ KE_dh_rsa, CIPHER_aes, HASH_sha256, MODE_gcm }), |
TLS_dh_dss_with_aes_128_gcm_sha256: ({ KE_dh_dss, CIPHER_aes, HASH_sha256, MODE_gcm }), |
|
#if constant(Crypto.SHA384) |
TLS_rsa_with_aes_256_gcm_sha384: ({ KE_rsa, CIPHER_aes256, HASH_sha384, MODE_gcm }), |
TLS_dhe_rsa_with_aes_256_gcm_sha384: ({ KE_dhe_rsa, CIPHER_aes256, HASH_sha384, MODE_gcm }), |
TLS_dhe_dss_with_aes_256_gcm_sha384: ({ KE_dhe_dss, CIPHER_aes256, HASH_sha384, MODE_gcm }), |
TLS_dh_rsa_with_aes_256_gcm_sha384: ({ KE_dh_rsa, CIPHER_aes256, HASH_sha384, MODE_gcm }), |
TLS_dh_dss_with_aes_256_gcm_sha384: ({ KE_dh_dss, CIPHER_aes256, HASH_sha384, MODE_gcm }), |
#endif /* Crypto.SHA384 */ |
|
#if constant(Crypto.ECC.Curve) |
TLS_ecdhe_ecdsa_with_aes_128_gcm_sha256: ({ KE_ecdhe_ecdsa, CIPHER_aes, HASH_sha256, MODE_gcm }), |
TLS_ecdh_ecdsa_with_aes_128_gcm_sha256: ({ KE_ecdh_ecdsa, CIPHER_aes, HASH_sha256, MODE_gcm }), |
TLS_ecdhe_rsa_with_aes_128_gcm_sha256: ({ KE_ecdhe_rsa, CIPHER_aes, HASH_sha256, MODE_gcm }), |
TLS_ecdh_rsa_with_aes_128_gcm_sha256: ({ KE_ecdh_rsa, CIPHER_aes, HASH_sha256, MODE_gcm }), |
|
#if constant(Crypto.SHA384) |
TLS_ecdhe_ecdsa_with_aes_256_gcm_sha384: ({ KE_ecdhe_ecdsa, CIPHER_aes256, HASH_sha384, MODE_gcm }), |
TLS_ecdh_ecdsa_with_aes_256_gcm_sha384: ({ KE_ecdh_ecdsa, CIPHER_aes256, HASH_sha384, MODE_gcm }), |
TLS_ecdhe_rsa_with_aes_256_gcm_sha384: ({ KE_ecdhe_rsa, CIPHER_aes256, HASH_sha384, MODE_gcm }), |
TLS_ecdh_rsa_with_aes_256_gcm_sha384: ({ KE_ecdh_rsa, CIPHER_aes256, HASH_sha384, MODE_gcm }), |
#endif /* Crypto.SHA384 */ |
#endif /* Crypto.ECC.Curve */ |
|
|
TLS_dh_anon_with_aes_128_gcm_sha256: ({ KE_dh_anon, CIPHER_aes, HASH_sha256, MODE_gcm }), |
#if constant(Crypto.SHA384) |
TLS_dh_anon_with_aes_256_gcm_sha384: ({ KE_dh_anon, CIPHER_aes256, HASH_sha384, MODE_gcm }), |
#endif /* Crypto.SHA384 */ |
|
#if constant(Crypto.Camellia) |
|
TLS_rsa_with_camellia_128_gcm_sha256:({ KE_rsa, CIPHER_camellia128, HASH_sha256, MODE_gcm }), |
TLS_dhe_rsa_with_camellia_128_gcm_sha256:({ KE_dhe_rsa, CIPHER_camellia128, HASH_sha256, MODE_gcm }), |
TLS_dhe_dss_with_camellia_128_gcm_sha256:({ KE_dhe_dss, CIPHER_camellia128, HASH_sha256, MODE_gcm }), |
TLS_dh_rsa_with_camellia_128_gcm_sha256:({ KE_dh_rsa, CIPHER_camellia128, HASH_sha256, MODE_gcm }), |
TLS_dh_dss_with_camellia_128_gcm_sha256:({ KE_dh_dss, CIPHER_camellia128, HASH_sha256, MODE_gcm }), |
#if constant(Crypto.SHA384) |
TLS_rsa_with_camellia_256_gcm_sha384:({ KE_rsa, CIPHER_camellia256, HASH_sha384, MODE_gcm }), |
TLS_dhe_rsa_with_camellia_256_gcm_sha384:({ KE_dhe_rsa, CIPHER_camellia256, HASH_sha384, MODE_gcm }), |
TLS_dhe_dss_with_camellia_256_gcm_sha384:({ KE_dhe_dss, CIPHER_camellia256, HASH_sha384, MODE_gcm }), |
TLS_dh_rsa_with_camellia_256_gcm_sha384:({ KE_dh_rsa, CIPHER_camellia256, HASH_sha384, MODE_gcm }), |
TLS_dh_dss_with_camellia_256_gcm_sha384:({ KE_dh_dss, CIPHER_camellia256, HASH_sha384, MODE_gcm }), |
#endif /* Crypto.SHA384 */ |
|
|
TLS_dh_anon_with_camellia_128_gcm_sha256: ({ KE_dh_anon, CIPHER_camellia128, HASH_sha256, MODE_gcm }), |
#if constant(Crypto.SHA384) |
TLS_dh_anon_with_camellia_256_gcm_sha384: ({ KE_dh_anon, CIPHER_camellia256, HASH_sha384, MODE_gcm }), |
#endif /* Crypto.SHA384 */ |
|
#if constant(Crypto.ECC.Curve) |
|
TLS_ecdhe_ecdsa_with_camellia_128_gcm_sha256: ({ KE_ecdhe_ecdsa, CIPHER_camellia128, HASH_sha256, MODE_gcm }), |
TLS_ecdh_ecdsa_with_camellia_128_gcm_sha256: ({ KE_ecdh_ecdsa, CIPHER_camellia128, HASH_sha256, MODE_gcm }), |
TLS_ecdhe_rsa_with_camellia_128_gcm_sha256: ({ KE_ecdhe_rsa, CIPHER_camellia128, HASH_sha256, MODE_gcm }), |
TLS_ecdh_rsa_with_camellia_128_gcm_sha256: ({ KE_ecdh_rsa, CIPHER_camellia128, HASH_sha256, MODE_gcm }), |
#if constant(Crypto.SHA384) |
TLS_ecdhe_ecdsa_with_camellia_256_gcm_sha384: ({ KE_ecdhe_ecdsa, CIPHER_camellia256, HASH_sha384, MODE_gcm }), |
TLS_ecdh_ecdsa_with_camellia_256_gcm_sha384: ({ KE_ecdh_ecdsa, CIPHER_camellia256, HASH_sha384, MODE_gcm }), |
TLS_ecdhe_rsa_with_camellia_256_gcm_sha384: ({ KE_ecdhe_rsa, CIPHER_camellia256, HASH_sha384, MODE_gcm }), |
TLS_ecdh_rsa_with_camellia_256_gcm_sha384: ({ KE_ecdh_rsa, CIPHER_camellia256, HASH_sha384, MODE_gcm }), |
#endif /* Crypto.SHA384 */ |
#endif /* Crypto.ECC.Curve */ |
#endif /* Crypto.Camellia */ |
#endif /* Crypto.AES.GCM */ |
|
#if constant(Crypto.ChaCha20.POLY1305) && defined(NOT_BROKEN) |
#if constant(Crypto.ECC.Curve) |
|
TLS_ecdhe_rsa_with_chacha20_poly1305_sha256: ({ KE_ecdhe_rsa, CIPHER_chacha20, HASH_sha256, MODE_poly1305 }), |
TLS_ecdhe_ecdsa_with_chacha20_poly1305_sha256: ({ KE_ecdhe_ecdsa, CIPHER_chacha20, HASH_sha256, MODE_poly1305 }), |
#endif /* Crypto.ECC.Curve */ |
TLS_dhe_rsa_with_chacha20_poly1305_sha256: ({ KE_dhe_rsa, CIPHER_chacha20, HASH_sha256, MODE_poly1305 }), |
#endif /* Crypto.ChaCha20.POLY1305 */ |
|
|
TLS_psk_with_null_sha : ({ KE_psk, 0, HASH_sha }), |
TLS_psk_with_rc4_128_sha : ({ KE_psk, CIPHER_rc4, HASH_sha }), |
TLS_psk_with_3des_ede_cbc_sha : ({ KE_psk, CIPHER_3des, HASH_sha }), |
TLS_psk_with_aes_128_cbc_sha : ({ KE_psk, CIPHER_aes, HASH_sha }), |
TLS_psk_with_aes_256_cbc_sha : ({ KE_psk, CIPHER_aes256, HASH_sha }), |
#if constant(Crypto.AES.GCM) |
TLS_psk_with_aes_128_gcm_sha256 : ({ KE_psk, CIPHER_aes, HASH_sha256, MODE_gcm }), |
#if constant(Crypto.SHA384) |
TLS_psk_with_aes_256_gcm_sha384 : ({ KE_psk, CIPHER_aes256, HASH_sha384, MODE_gcm }), |
#endif /* Crypto.SHA384 */ |
#endif /* Crypto.AES.GCM */ |
TLS_psk_with_aes_128_cbc_sha256 : ({ KE_psk, CIPHER_aes, HASH_sha256, MODE_cbc }), |
TLS_psk_with_aes_256_cbc_sha384 : ({ KE_psk, CIPHER_aes256, HASH_sha384, MODE_cbc }), |
TLS_psk_with_null_sha256 : ({ KE_psk, 0, HASH_sha256, MODE_cbc }), |
#if constant(Crypto.SHA384) |
TLS_psk_with_null_sha384 : ({ KE_psk, 0, HASH_sha384, MODE_cbc }), |
#endif /* Crypto.SHA384 */ |
#if constant(Crypto.Camellia) |
#if constant(Crypto.Camellia.GCM) |
TLS_psk_with_camellia_128_gcm_sha256 : ({ KE_psk, CIPHER_camellia128, HASH_sha256, MODE_gcm }), |
#if constant(Crypto.SHA384) |
TLS_psk_with_camellia_256_gcm_sha384 : ({ KE_psk, CIPHER_camellia256, HASH_sha384, MODE_gcm }), |
#endif /* Crypto.SHA384 */ |
#endif /* Crypto.Camellia.GCM */ |
TLS_psk_with_camellia_128_cbc_sha256 : ({ KE_psk, CIPHER_camellia128, HASH_sha256, MODE_cbc }), |
#if constant(Crypto.SHA384) |
TLS_psk_with_camellia_256_cbc_sha384 : ({ KE_psk, CIPHER_camellia256, HASH_sha384, MODE_cbc }), |
#endif /* Crypto.SHA384 */ |
#endif /* Crypto.Camellia */ |
TLS_psk_with_aes_128_ccm : ({ KE_psk, CIPHER_aes, HASH_sha256, MODE_ccm }), |
TLS_psk_with_aes_256_ccm : ({ KE_psk, CIPHER_aes256, HASH_sha256, MODE_ccm }), |
TLS_psk_with_aes_128_ccm_8 : ({ KE_psk, CIPHER_aes, HASH_sha256, MODE_ccm_8 }), |
TLS_psk_with_aes_256_ccm_8 : ({ KE_psk, CIPHER_aes256, HASH_sha256, MODE_ccm_8 }), |
|
|
TLS_dhe_psk_with_null_sha : ({ KE_dhe_psk, 0, HASH_sha }), |
TLS_dhe_psk_with_rc4_128_sha : ({ KE_dhe_psk, CIPHER_rc4, HASH_sha }), |
TLS_dhe_psk_with_3des_ede_cbc_sha : ({ KE_dhe_psk, CIPHER_3des, HASH_sha }), |
TLS_dhe_psk_with_aes_128_cbc_sha : ({ KE_dhe_psk, CIPHER_aes, HASH_sha }), |
TLS_dhe_psk_with_aes_256_cbc_sha : ({ KE_dhe_psk, CIPHER_aes256, HASH_sha }), |
#if constant(Crypto.AES.GCM) |
TLS_dhe_psk_with_aes_128_gcm_sha256 : ({ KE_dhe_psk, CIPHER_aes, HASH_sha256, MODE_gcm }), |
#if constant(Crypto.SHA384) |
TLS_dhe_psk_with_aes_256_gcm_sha384 : ({ KE_dhe_psk, CIPHER_aes256, HASH_sha384, MODE_gcm }), |
#endif /* Crypto.SHA384 */ |
#endif /* Crypto.AES.GCM */ |
TLS_dhe_psk_with_aes_128_cbc_sha256 : ({ KE_dhe_psk, CIPHER_aes, HASH_sha256, MODE_cbc }), |
#if constant(Crypto.SHA384) |
TLS_dhe_psk_with_aes_256_cbc_sha384 : ({ KE_dhe_psk, CIPHER_aes256, HASH_sha384, MODE_cbc }), |
#endif /* Crypto.SHA384 */ |
TLS_dhe_psk_with_null_sha256 : ({ KE_dhe_psk, 0, HASH_sha256, MODE_cbc }), |
#if constant(Crypto.SHA384) |
TLS_dhe_psk_with_null_sha384 : ({ KE_dhe_psk, 0, HASH_sha384, MODE_cbc }), |
#endif /* Crypto.SHA384 */ |
#if constant(Crypto.Camellia) |
#if constant(Crypto.Camellia.GCM) |
TLS_dhe_psk_with_camellia_128_gcm_sha256 : ({ KE_dhe_psk, CIPHER_camellia128, HASH_sha256, MODE_gcm }), |
#if constant(Crypto.SHA384) |
TLS_dhe_psk_with_camellia_256_gcm_sha384 : ({ KE_dhe_psk, CIPHER_camellia256, HASH_sha384, MODE_gcm }), |
#endif /* Crypto.SHA384 */ |
#endif /* Crypto.Camellia.GCM */ |
TLS_dhe_psk_with_camellia_128_cbc_sha256 : ({ KE_dhe_psk, CIPHER_camellia128, HASH_sha256, MODE_cbc }), |
#if constant(Crypto.SHA384) |
TLS_dhe_psk_with_camellia_256_cbc_sha384 : ({ KE_dhe_psk, CIPHER_camellia256, HASH_sha384, MODE_cbc }), |
#endif /* Crypto.SHA384 */ |
#endif /* Crypto.Camellia */ |
TLS_dhe_psk_with_aes_128_ccm : ({ KE_dhe_psk, CIPHER_aes, HASH_sha256, MODE_ccm }), |
TLS_dhe_psk_with_aes_256_ccm : ({ KE_dhe_psk, CIPHER_aes256, HASH_sha256, MODE_ccm }), |
TLS_psk_dhe_with_aes_128_ccm_8 : ({ KE_dhe_psk, CIPHER_aes, HASH_sha256, MODE_ccm_8 }), |
TLS_psk_dhe_with_aes_256_ccm_8 : ({ KE_dhe_psk, CIPHER_aes256, HASH_sha256, MODE_ccm_8 }), |
|
|
TLS_rsa_psk_with_null_sha : ({ KE_rsa_psk, 0, HASH_sha }), |
TLS_rsa_psk_with_rc4_128_sha : ({ KE_rsa_psk, CIPHER_rc4, HASH_sha }), |
TLS_rsa_psk_with_3des_ede_cbc_sha : ({ KE_rsa_psk, CIPHER_3des, HASH_sha }), |
TLS_rsa_psk_with_aes_128_cbc_sha : ({ KE_rsa_psk, CIPHER_aes, HASH_sha }), |
TLS_rsa_psk_with_aes_256_cbc_sha : ({ KE_rsa_psk, CIPHER_aes256, HASH_sha }), |
#if constant(Crypto.AES.GCM) |
TLS_rsa_psk_with_aes_128_gcm_sha256 : ({ KE_rsa_psk, CIPHER_aes, HASH_sha256, MODE_gcm }), |
#if constant(Crypto.SHA384) |
TLS_rsa_psk_with_aes_256_gcm_sha384 : ({ KE_rsa_psk, CIPHER_aes256, HASH_sha384, MODE_gcm }), |
#endif /* Crypto.SHA384 */ |
#endif /* Crypto.AES.GCM */ |
TLS_rsa_psk_with_aes_128_cbc_sha256 : ({ KE_rsa_psk, CIPHER_aes, HASH_sha256, MODE_cbc }), |
#if constant(Crypto.SHA384) |
TLS_rsa_psk_with_aes_256_cbc_sha384 : ({ KE_rsa_psk, CIPHER_aes256, HASH_sha384, MODE_cbc }), |
#endif /* Crypto.SHA384 */ |
TLS_rsa_psk_with_null_sha256 : ({ KE_rsa_psk, 0, HASH_sha256, MODE_cbc }), |
#if constant(Crypto.SHA384) |
TLS_rsa_psk_with_null_sha384 : ({ KE_rsa_psk, 0, HASH_sha384, MODE_cbc }), |
#endif /* Crypto.SHA384 */ |
#if constant(Crypto.Camellia) |
#if constant(Crypto.Camellia.GCM) |
TLS_rsa_psk_with_camellia_128_gcm_sha256 : ({ KE_rsa_psk, CIPHER_camellia128, HASH_sha256, MODE_gcm }), |
#if constant(Crypto.SHA384) |
TLS_rsa_psk_with_camellia_256_gcm_sha384 : ({ KE_rsa_psk, CIPHER_camellia256, HASH_sha384, MODE_gcm }), |
#endif /* Crypto.SHA384 */ |
#endif /* Crypto.Camellia.GCM */ |
TLS_rsa_psk_with_camellia_128_cbc_sha256 : ({ KE_rsa_psk, CIPHER_camellia128, HASH_sha256, MODE_cbc }), |
#if constant(Crypto.SHA384) |
TLS_rsa_psk_with_camellia_256_cbc_sha384 : ({ KE_rsa_psk, CIPHER_camellia256, HASH_sha384, MODE_cbc }), |
#endif /* Crypto.SHA384 */ |
#endif /* Crypto.Camellia */ |
|
|
#if constant(Crypto.ECC.Curve) |
TLS_ecdhe_psk_with_null_sha : ({ KE_ecdhe_psk, 0, HASH_sha }), |
TLS_ecdhe_psk_with_null_sha256 : ({ KE_ecdhe_psk, 0, HASH_sha256, MODE_cbc }), |
#if constant(Crypto.SHA384) |
TLS_ecdhe_psk_with_null_sha384 : ({ KE_ecdhe_psk, 0, HASH_sha384, MODE_cbc }), |
#endif /* Crypto.SHA384 */ |
TLS_ecdhe_psk_with_rc4_128_sha : ({ KE_ecdhe_psk, CIPHER_rc4, HASH_sha }), |
TLS_ecdhe_psk_with_3des_ede_cbc_sha : ({ KE_ecdhe_psk, CIPHER_3des, HASH_sha }), |
TLS_ecdhe_psk_with_aes_128_cbc_sha : ({ KE_ecdhe_psk, CIPHER_aes, HASH_sha }), |
TLS_ecdhe_psk_with_aes_256_cbc_sha : ({ KE_ecdhe_psk, CIPHER_aes256, HASH_sha }), |
TLS_ecdhe_psk_with_aes_128_cbc_sha256 : ({ KE_ecdhe_psk, CIPHER_aes, HASH_sha256, MODE_cbc }), |
#if constant(Crypto.SHA384) |
TLS_ecdhe_psk_with_aes_256_cbc_sha384 : ({ KE_ecdhe_psk, CIPHER_aes256, HASH_sha384, MODE_cbc }), |
#endif /* Crypto.SHA384 */ |
#if constant(Crypto.Camellia) |
TLS_ecdhe_psk_with_camellia_128_cbc_sha256 : ({ KE_ecdhe_psk, CIPHER_camellia128, HASH_sha256, MODE_cbc }), |
#if constant(Crypto.SHA384) |
TLS_ecdhe_psk_with_camellia_256_cbc_sha384 : ({ KE_ecdhe_psk, CIPHER_camellia256, HASH_sha384, MODE_cbc }), |
#endif /* Crypto.SHA384 */ |
#endif /* Crypto.Camellia */ |
#endif /* Crypto.ECC.Curve */ |
]); |
|
constant HANDSHAKE_hello_request = 0; |
constant HANDSHAKE_client_hello = 1; |
constant HANDSHAKE_server_hello = 2; |
constant HANDSHAKE_hello_verify_request = 3; |
constant HANDSHAKE_NewSessionTicket = 4; |
constant HANDSHAKE_client_key_share = 5; |
constant HANDSHAKE_hello_retry_request = 6; |
constant HANDSHAKE_server_key_share = 7; |
constant HANDSHAKE_certificate = 11; |
constant HANDSHAKE_server_key_exchange = 12; |
constant HANDSHAKE_certificate_request = 13; |
constant HANDSHAKE_server_hello_done = 14; |
constant HANDSHAKE_certificate_verify = 15; |
constant HANDSHAKE_client_key_exchange = 16; |
constant HANDSHAKE_finished = 20; |
constant HANDSHAKE_cerificate_url = 21; |
constant HANDSHAKE_certificate_status = 22; |
constant HANDSHAKE_supplemental_data = 23; |
constant HANDSHAKE_next_protocol = 67; |
|
|
|
constant AUTHLEVEL_none = 1; |
|
|
|
constant AUTHLEVEL_ask = 2; |
|
|
constant AUTHLEVEL_require = 3; |
|
|
|
constant AUTH_rsa_sign = 1; |
constant AUTH_dss_sign = 2; |
constant AUTH_rsa_fixed_dh = 3; |
constant AUTH_dss_fixed_dh = 4; |
constant AUTH_rsa_ephemeral_dh = 5; |
constant AUTH_dss_ephemeral_dh = 6; |
constant AUTH_fortezza_kea = 20; |
constant AUTH_fortezza_dms = 20; |
constant AUTH_ecdsa_sign = 64; |
constant AUTH_rsa_fixed_ecdh = 65; |
constant AUTH_ecdsa_fixed_ecdh = 66; |
|
|
enum CurveType { |
CURVETYPE_explicit_prime = 1, |
CURVETYPE_explicit_char2 = 2, |
CURVETYPE_named_curve = 3, |
} |
|
|
enum ECBasisType { |
ECBASIS_trinomial = 1, |
ECBASIS_pentanomial = 2, |
} |
|
|
|
enum NamedGroup { |
GROUP_sect163k1 = 1, |
GROUP_sect163r1 = 2, |
GROUP_sect163r2 = 3, |
GROUP_sect193r1 = 4, |
GROUP_sect193r2 = 5, |
GROUP_sect233k1 = 6, |
GROUP_sect233r1 = 7, |
GROUP_sect239k1 = 8, |
GROUP_sect283k1 = 9, |
GROUP_sect283r1 = 10, |
GROUP_sect409k1 = 11, |
GROUP_sect409r1 = 12, |
GROUP_sect571k1 = 13, |
GROUP_sect571r1 = 14, |
GROUP_secp160k1 = 15, |
GROUP_secp160r1 = 16, |
GROUP_secp160r2 = 17, |
GROUP_secp192k1 = 18, |
GROUP_secp192r1 = 19, |
GROUP_secp224k1 = 20, |
GROUP_secp224r1 = 21, |
GROUP_secp256k1 = 22, |
GROUP_secp256r1 = 23, |
GROUP_secp384r1 = 24, |
GROUP_secp521r1 = 25, |
|
GROUP_brainpoolP256r1 = 26, |
GROUP_brainpoolP384r1 = 27, |
GROUP_brainpoolP512r1 = 28, |
|
GROUP_ffdhe2048 = 256, |
GROUP_ffdhe3072 = 257, |
GROUP_ffdhe4096 = 258, |
GROUP_ffdhe6144 = 259, |
GROUP_ffdhe8192 = 260, |
|
GROUP_ffdhe_private0 = 508, |
GROUP_ffdhe_private1 = 509, |
GROUP_ffdhe_private2 = 510, |
GROUP_ffdhe_private3 = 511, |
|
GROUP_arbitrary_explicit_prime_curves = 0xFF01, |
GROUP_arbitrary_explicit_char2_curves = 0xFF02, |
} |
|
|
constant ECC_NAME_TO_CURVE = ([ |
"SECP_192R1": GROUP_secp192r1, |
"SECP_224R1": GROUP_secp224r1, |
"SECP_256R1": GROUP_secp256r1, |
"SECP_384R1": GROUP_secp384r1, |
"SECP_521R1": GROUP_secp521r1, |
]); |
|
|
enum PointFormat { |
POINT_uncompressed = 0, |
POINT_ansiX962_compressed_prime = 1, |
POINT_ansiX962_compressed_char2 = 2, |
} |
|
|
enum FragmentLength { |
FRAGMENT_512 = 1, |
FRAGMENT_1024 = 2, |
FRAGMENT_2048 = 3, |
FRAGMENT_4096 = 4, |
} |
|
|
enum CertificateType { |
CERTTYPE_x509 = 0, |
CERTTYPE_openpgp = 1, |
CERTTYPE_raw_public_key = 2, |
}; |
|
constant EXTENSION_server_name = 0; |
constant EXTENSION_max_fragment_length = 1; |
constant EXTENSION_client_certificate_url = 2; |
constant EXTENSION_trusted_ca_keys = 3; |
constant EXTENSION_truncated_hmac = 4; |
constant EXTENSION_status_request = 5; |
constant EXTENSION_user_mapping = 6; |
constant EXTENSION_client_authz = 7; |
constant EXTENSION_server_authz = 8; |
constant EXTENSION_cert_type = 9; |
constant EXTENSION_elliptic_curves = 10; |
constant EXTENSION_ec_point_formats = 11; |
constant EXTENSION_srp = 12; |
constant EXTENSION_signature_algorithms = 13; |
constant EXTENSION_use_srtp = 14; |
constant EXTENSION_heartbeat = 15; |
constant EXTENSION_application_layer_protocol_negotiation = 16; |
constant EXTENSION_status_request_v2 = 17; |
constant EXTENSION_signed_certificate_timestamp = 18; |
constant EXTENSION_client_certificate_type = 19; |
constant EXTENSION_server_certificate_type = 20; |
constant EXTENSION_padding = 21; |
constant EXTENSION_encrypt_then_mac = 22; |
constant EXTENSION_extended_master_secret = 23; |
constant EXTENSION_session_ticket_tls = 35; |
constant EXTENSION_extended_random = 40; |
constant EXTENSION_early_data = 128; |
constant EXTENSION_next_protocol_negotiation = 13172; |
constant EXTENSION_origin_bound_certificates = 13175; |
constant EXTENSION_encrypted_client_certificates= 13180; |
constant EXTENSION_channel_id = 30031; |
constant EXTENSION_channel_id_new = 30032; |
constant EXTENSION_old_padding = 35655; |
constant EXTENSION_renegotiation_info = 0xff01; |
|
constant ECC_CURVES = ([ |
#if constant(Crypto.ECC.Curve) |
GROUP_secp192r1: Crypto.ECC.SECP_192R1, |
GROUP_secp224r1: Crypto.ECC.SECP_224R1, |
GROUP_secp256r1: Crypto.ECC.SECP_256R1, |
GROUP_secp384r1: Crypto.ECC.SECP_384R1, |
GROUP_secp521r1: Crypto.ECC.SECP_521R1, |
#endif |
]); |
|
constant FFDHE_GROUPS = ([ |
GROUP_ffdhe2048: Crypto.DH.FFDHE2048, |
GROUP_ffdhe3072: Crypto.DH.FFDHE3072, |
GROUP_ffdhe4096: Crypto.DH.FFDHE4096, |
GROUP_ffdhe6144: Crypto.DH.FFDHE6144, |
GROUP_ffdhe8192: Crypto.DH.FFDHE8192, |
]); |
|
|
|
|
constant MODP_GROUPS = ([ |
GROUP_ffdhe3072: Crypto.DH.MODPGroup15, |
GROUP_ffdhe4096: Crypto.DH.MODPGroup16, |
GROUP_ffdhe6144: Crypto.DH.MODPGroup17, |
GROUP_ffdhe8192: Crypto.DH.MODPGroup18, |
]); |
|
enum HeartBeatModeType { |
HEARTBEAT_MODE_disabled = 0, |
HEARTBEAT_MODE_peer_allowed_to_send = 1, |
HEARTBEAT_MODE_peer_not_allowed_to_send = 1, |
}; |
|
enum HeartBeatMessageType { |
HEARTBEAT_MESSAGE_request = 1, |
HEARTBEAT_MESSAGE_response = 2, |
}; |
|
enum ALPNProtocol { |
ALPN_http_1_1 = "http/1.1", |
ALPN_spdy_1 = "spdy/1", |
ALPN_spdy_2 = "spdy/2", |
ALPN_spdy_3 = "spdy/3", |
ALPN_turn = "stun.turn", |
ALPN_stun = "stun.nat-discovery", |
ALPN_http_2 = "h2", |
ALPN_http_2_reserved = "h2c", |
}; |
|
protected mapping(string(8bit):array(HashAlgorithm|SignatureAlgorithm)) |
pkcs_der_to_sign_alg = ([ |
|
Standards.PKCS.Identifiers.rsa_md5_id->get_der(): |
({ HASH_md5, SIGNATURE_rsa }), |
Standards.PKCS.Identifiers.rsa_sha1_id->get_der(): |
({ HASH_sha, SIGNATURE_rsa }), |
Standards.PKCS.Identifiers.rsa_sha256_id->get_der(): |
({ HASH_sha256, SIGNATURE_rsa }), |
Standards.PKCS.Identifiers.rsa_sha384_id->get_der(): |
({ HASH_sha384, SIGNATURE_rsa }), |
Standards.PKCS.Identifiers.rsa_sha512_id->get_der(): |
({ HASH_sha512, SIGNATURE_rsa }), |
|
|
Standards.PKCS.Identifiers.dsa_sha_id->get_der(): |
({ HASH_sha, SIGNATURE_dsa }), |
Standards.PKCS.Identifiers.dsa_sha224_id->get_der(): |
({ HASH_sha224, SIGNATURE_dsa }), |
Standards.PKCS.Identifiers.dsa_sha256_id->get_der(): |
({ HASH_sha256, SIGNATURE_dsa }), |
|
|
Standards.PKCS.Identifiers.ecdsa_sha1_id->get_der(): |
({ HASH_sha, SIGNATURE_ecdsa }), |
Standards.PKCS.Identifiers.ecdsa_sha224_id->get_der(): |
({ HASH_sha224, SIGNATURE_ecdsa }), |
Standards.PKCS.Identifiers.ecdsa_sha256_id->get_der(): |
({ HASH_sha256, SIGNATURE_ecdsa }), |
Standards.PKCS.Identifiers.ecdsa_sha384_id->get_der(): |
({ HASH_sha384, SIGNATURE_ecdsa }), |
Standards.PKCS.Identifiers.ecdsa_sha512_id->get_der(): |
({ HASH_sha512, SIGNATURE_ecdsa }), |
]); |
|
|
|
|
class CertificatePair |
{ |
|
|
|
int cert_type; |
|
|
Crypto.Sign.State key; |
|
|
array(string(8bit)) certs; |
|
|
array(string(8bit)) issuers; |
|
|
array(string(8bit)) globs; |
|
|
array(array(HashAlgorithm|SignatureAlgorithm)) sign_algs; |
|
|
|
|
|
int(0..) ke_mask; |
|
|
|
|
|
int(0..) ke_mask_invariant; |
|
|
protected int bit_strength(int bits, int sign) |
{ |
|
switch(sign) { |
case SIGNATURE_rsa: |
|
break; |
case SIGNATURE_dsa: |
|
|
break; |
case SIGNATURE_ecdsa: |
|
|
|
|
|
|
bits = (bits * (bits - 64))>>4; |
if (bits < 0) bits = 128; |
break; |
} |
return bits; |
} |
|
|
|
protected int(0..1) `<(mixed o) |
{ |
if(!objectp(o)) return this < o; |
if( !o->key || !o->sign_algs ) return this < o; |
|
int s = sign_algs[0][1], os = o->sign_algs[0][1]; |
|
|
|
|
|
|
|
|
|
int bs = bit_strength(key->key_size(), s); |
int obs = bit_strength(o->key->key_size(), os); |
if( bs < obs ) return 0; |
if( bs > obs ) return 1; |
|
int h = sign_algs[0][0], oh = o->sign_algs[0][0]; |
if( h < oh ) return 0; |
if( h > oh ) return 1; |
|
if( s < os ) return 0; |
return 1; |
} |
|
|
|
protected void set_globs(Standards.X509.TBSCertificate tbs, |
array(string(8bit))|void extra) |
{ |
globs = Standards.PKCS.Certificate. |
decode_distinguished_name(tbs->subject)->commonName - ({ 0 }); |
|
if( tbs->ext_subjectAltName_dNSName ) |
globs += tbs->ext_subjectAltName_dNSName; |
|
if (extra) globs += extra; |
|
if (!sizeof(globs)) error("No common name.\n"); |
|
globs = Array.uniq( map(globs, lower_case) ); |
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
protected void create(Crypto.Sign.State key, array(string(8bit)) certs, |
array(string(8bit))|void extra_name_globs) |
{ |
if (!sizeof(certs)) { |
error("Empty list of certificates.\n"); |
} |
|
array(Standards.X509.TBSCertificate) tbss = |
map(certs, Standards.X509.decode_certificate); |
|
if (has_value(tbss, 0)) error("Invalid cert\n"); |
|
|
if (!key || !key->public_key_equal(tbss[0]->public_key->pkc)) { |
if(sizeof(tbss) > 1 && key && |
key->public_key_equal(tbss[-1]->public_key->pkc)) { |
tbss = reverse(tbss); |
certs = reverse(certs); |
} |
else |
error("Private key doesn't match certificate.\n"); |
} |
|
this::key = key; |
this::certs = certs; |
|
issuers = tbss->issuer->get_der(); |
|
sign_algs = map(map(tbss->algorithm, `[], 0)->get_der(), |
pkcs_der_to_sign_alg); |
|
if (has_value(sign_algs, 0)) error("Unknown signature algorithm.\n"); |
|
|
this::cert_type = ([ |
SIGNATURE_rsa: AUTH_rsa_sign, |
SIGNATURE_dsa: AUTH_dss_sign, |
SIGNATURE_ecdsa: AUTH_ecdsa_sign, |
])[sign_algs[0][1]]; |
|
set_globs(tbss[0], extra_name_globs); |
|
|
|
ke_mask = 0; |
ke_mask_invariant = 0; |
switch(sign_algs[0][1]) { |
case SIGNATURE_rsa: |
foreach(({ KE_rsa, KE_rsa_fips, KE_dhe_rsa, KE_ecdhe_rsa, KE_rsa_psk, |
KE_rsa_export, |
}), |
KeyExchangeType ke) { |
ke_mask |= 1<<ke; |
} |
ke_mask_invariant = ke_mask; |
break; |
case SIGNATURE_dsa: |
ke_mask |= 1<<KE_dhe_dss; |
if ((sizeof(sign_algs) == 1) || (sign_algs[1][1] == SIGNATURE_dsa)) { |
|
|
|
ke_mask |= 1<<KE_dh_dss; |
} else if (sign_algs[1][1] == SIGNATURE_rsa) { |
|
|
|
ke_mask |= 1<<KE_dh_rsa; |
} |
ke_mask_invariant = ke_mask | ((1<<KE_dh_dss) | (1<<KE_dh_rsa)); |
break; |
case SIGNATURE_ecdsa: |
ke_mask |= 1<<KE_ecdhe_ecdsa; |
if ((sizeof(sign_algs) == 1) || (sign_algs[1][1] == SIGNATURE_ecdsa)) { |
|
|
|
ke_mask |= 1<<KE_ecdh_ecdsa; |
} else if (sign_algs[1][1] == SIGNATURE_rsa) { |
|
|
|
|
ke_mask |= 1<<KE_ecdh_rsa; |
} |
ke_mask_invariant = ke_mask | ((1<<KE_ecdh_ecdsa) | (1<<KE_ecdh_rsa)); |
break; |
} |
if (!ke_mask) error("Certificate not useful for TLS!\n"); |
} |
|
protected string _sprintf(int c) |
{ |
string k = sprintf("%O", key); |
sscanf(k, "Crypto.%s", k); |
string h = fmt_constant(sign_algs[0][0], "HASH"); |
sscanf(h, "HASH_%s", h); |
return sprintf("CertificatePair(%s, %s, ({%{%O, %}}))", k, h, globs); |
} |
} |
|
|