#include <epan/ipv6-utils.h>
#include <wsutil/file_util.h>
-#include <svnversion.h>
-
/*
* Lookup tables
*/
{ 0xC039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
{ 0xC03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
{ 0xC03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
+
+ /* RFC 6209 */
+ { 0xC03C, "TLS_RSA_WITH_ARIA_128_CBC_SHA256" },
+ { 0xC03D, "TLS_RSA_WITH_ARIA_256_CBC_SHA384" },
+ { 0xC03E, "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256" },
+ { 0xC03F, "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384" },
+ { 0xC040, "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256" },
+ { 0xC041, "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384" },
+ { 0xC042, "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256" },
+ { 0xC043, "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384" },
+ { 0xC044, "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256" },
+ { 0xC045, "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384" },
+ { 0xC046, "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256" },
+ { 0xC047, "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384" },
+ { 0xC048, "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256" },
+ { 0xC049, "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384" },
+ { 0xC04A, "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256" },
+ { 0xC04B, "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384" },
+ { 0xC04C, "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256" },
+ { 0xC04D, "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384" },
+ { 0xC04E, "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256" },
+ { 0xC04F, "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384" },
+ { 0xC050, "TLS_RSA_WITH_ARIA_128_GCM_SHA256" },
+ { 0xC051, "TLS_RSA_WITH_ARIA_256_GCM_SHA384" },
+ { 0xC052, "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256" },
+ { 0xC053, "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384" },
+ { 0xC054, "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256" },
+ { 0xC055, "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384" },
+ { 0xC056, "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256" },
+ { 0xC057, "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384" },
+ { 0xC058, "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256" },
+ { 0xC059, "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384" },
+ { 0xC05A, "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256" },
+ { 0xC05B, "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384" },
+ { 0xC05C, "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256" },
+ { 0xC05D, "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384" },
+ { 0xC05E, "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256" },
+ { 0xC05F, "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384" },
+ { 0xC060, "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256" },
+ { 0xC061, "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384" },
+ { 0xC062, "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256" },
+ { 0xC063, "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384" },
+ { 0xC064, "TLS_PSK_WITH_ARIA_128_CBC_SHA256" },
+ { 0xC065, "TLS_PSK_WITH_ARIA_256_CBC_SHA384" },
+ { 0xC066, "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256" },
+ { 0xC067, "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384" },
+ { 0xC068, "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256" },
+ { 0xC069, "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384" },
+ { 0xC06A, "TLS_PSK_WITH_ARIA_128_GCM_SHA256" },
+ { 0xC06B, "TLS_PSK_WITH_ARIA_256_GCM_SHA384" },
+ { 0xC06C, "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256" },
+ { 0xC06D, "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384" },
+ { 0xC06E, "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256" },
+ { 0xC06F, "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384" },
+ { 0xC070, "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256" },
+ { 0xC071, "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384" },
+
+ /* RFC 6367 */
+ { 0xC072, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
+ { 0xC073, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
+ { 0xC074, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
+ { 0xC075, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
+ { 0xC076, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
+ { 0xC077, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
+ { 0xC078, "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
+ { 0xC079, "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
+ { 0xC07A, "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
+ { 0xC07B, "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
+ { 0xC07C, "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
+ { 0xC07D, "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
+ { 0xC07E, "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
+ { 0xC07F, "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
+ { 0xC080, "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
+ { 0xC081, "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
+ { 0xC082, "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
+ { 0xC083, "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
+ { 0xC084, "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256" },
+ { 0xC085, "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384" },
+ { 0xC086, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
+ { 0xC087, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
+ { 0xC088, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
+ { 0xC089, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
+ { 0xC08A, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
+ { 0xC08B, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
+ { 0xC08C, "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
+ { 0xC08D, "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
+ { 0xC08E, "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
+ { 0xC08F, "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
+ { 0xC090, "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
+ { 0xC091, "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
+ { 0xC092, "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
+ { 0xC093, "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
+ { 0xC094, "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
+ { 0xC095, "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
+ { 0xC096, "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
+ { 0xC097, "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
+ { 0xC098, "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
+ { 0xC099, "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
+ { 0xC09A, "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
+ { 0xC09B, "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
+
+ /* RFC 6655 */
+ { 0xC09C, "TLS_RSA_WITH_AES_128_CCM" },
+ { 0xC09D, "TLS_RSA_WITH_AES_256_CCM" },
+ { 0xC09E, "TLS_DHE_RSA_WITH_AES_128_CCM" },
+ { 0xC09F, "TLS_DHE_RSA_WITH_AES_256_CCM" },
+ { 0xC0A0, "TLS_RSA_WITH_AES_128_CCM_8" },
+ { 0xC0A1, "TLS_RSA_WITH_AES_256_CCM_8" },
+ { 0xC0A2, "TLS_DHE_RSA_WITH_AES_128_CCM_8" },
+ { 0xC0A3, "TLS_DHE_RSA_WITH_AES_256_CCM_8" },
+ { 0xC0A4, "TLS_PSK_WITH_AES_128_CCM" },
+ { 0xC0A5, "TLS_PSK_WITH_AES_256_CCM" },
+ { 0xC0A6, "TLS_DHE_PSK_WITH_AES_128_CCM" },
+ { 0xC0A7, "TLS_DHE_PSK_WITH_AES_256_CCM" },
+ { 0xC0A8, "TLS_PSK_WITH_AES_128_CCM_8" },
+ { 0xC0A9, "TLS_PSK_WITH_AES_256_CCM_8" },
+ { 0xC0AA, "TLS_PSK_DHE_WITH_AES_128_CCM_8" },
+ { 0xC0AB, "TLS_PSK_DHE_WITH_AES_256_CCM_8" },
/*
-0xC0,0x3C-FF Unassigned
+0xC0,0xAB-FF Unassigned
0xC1-FD,* Unassigned
0xFE,0x00-FD Unassigned
0xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
{ 13, "signature_algorithms" }, /* RFC 5246 */
{ 14, "use_srtp" },
{ SSL_HND_HELLO_EXT_HEARTBEAT, "Heartbeat" }, /* RFC 6520 */
+ { SSL_HND_HELLO_EXT_ALPN, "Application Layer Protocol Negotiation" }, /* draft-ietf-tls-applayerprotoneg-01 */
{ 35, "SessionTicket TLS" }, /* RFC 4507 */
{ SSL_HND_HELLO_EXT_NPN, "next_protocol_negotiation"}, /* http://technotes.googlecode.com/git/nextprotoneg.html */
{ SSL_HND_HELLO_EXT_RENEG_INFO, "renegotiation_info" }, /* RFC 5746 */
case 0x0008:
case 0x0009:
case 0x000a:
- case 0x002e:
case 0x002f:
case 0x0035:
case 0x003b:
case 0x0062:
case 0x0064:
case 0x0084:
- case 0x0092:
- case 0x0093:
- case 0x0094:
- case 0x0095:
case 0x0096:
case 0x009c:
case 0x009d:
- case 0x00ac:
- case 0x00ad:
- case 0x00b6:
- case 0x00b7:
- case 0x00b8:
- case 0x00b9:
case 0x00ba:
case 0x00c0:
case 0xfefe:
case 0xc03a:
case 0xc03b:
return KEX_ECDH;
+ case 0x002C:
+ case 0x008A:
+ case 0x008B:
+ case 0x008C:
+ case 0x008D:
+ case 0x00A8:
+ case 0x00A9:
+ case 0x00AE:
+ case 0x00AF:
+ case 0x00B0:
+ case 0x00B1:
+ case 0xC064:
+ case 0xC065:
+ case 0xC06A:
+ case 0xC06B:
+ case 0xC08E:
+ case 0xC08F:
+ case 0xC094:
+ case 0xC095:
+ case 0xC0A4:
+ case 0xC0A5:
+ case 0xC0A8:
+ case 0xC0A9:
+ case 0xC0AA:
+ case 0xC0AB:
+ return KEX_PSK;
+ case 0x002E:
+ case 0x0092:
+ case 0x0093:
+ case 0x0094:
+ case 0x0095:
+ case 0x00AC:
+ case 0x00AD:
+ case 0x00B6:
+ case 0x00B7:
+ case 0x00B8:
+ case 0x00B9:
+ case 0xC068:
+ case 0xC069:
+ case 0xC06E:
+ case 0xC06F:
+ case 0xC092:
+ case 0xC093:
+ case 0xC098:
+ case 0xC099:
+ return KEX_RSA_PSK;
default:
break;
}
static gint
ssl_data_alloc(StringInfo* str, size_t len)
{
- str->data = g_malloc(len);
+ str->data = (guchar *)g_malloc(len);
/* the allocator can return a null pointer for a size equal to 0,
* and that must be allowed */
if (len > 0 && !str->data)
ssl_cipher_init(gcry_cipher_hd_t *cipher, gint algo, guchar* sk,
guchar* iv, gint mode)
{
- gint gcry_modes[]={GCRY_CIPHER_MODE_STREAM,GCRY_CIPHER_MODE_CBC};
+ gint gcry_modes[]={GCRY_CIPHER_MODE_STREAM,GCRY_CIPHER_MODE_CBC,GCRY_CIPHER_MODE_CTR};
gint err;
if (algo == -1) {
/* NULL mode */
if (!pk) return str;
#ifndef SSL_FAST
n = gcry_sexp_sprint(pk, GCRYSEXP_FMT_ADVANCED, NULL, 0);
- buf = ep_alloc(n);
+ buf = (gchar *)ep_alloc(n);
/*n = gcry_sexp_sprint(pk, GCRYSEXP_FMT_ADVANCED, buf, n);*/
str = buf;
#else /* SSL_FAST */
static gint
ssl_data_realloc(StringInfo* str, guint len)
{
- str->data = g_realloc(str->data, len);
+ str->data = (guchar *)g_realloc(str->data, len);
if (!str->data)
return -1;
str->data_len = len;
return 0;
}
-static const gchar *digests[]={
- "MD5",
- "SHA1",
- "SHA256",
- "SHA384"
+static const SslDigestAlgo digests[]={
+ {"MD5", 16},
+ {"SHA1", 20},
+ {"SHA256", 32},
+ {"SHA384", 48},
};
+/* get index digest index */
+static const SslDigestAlgo *
+ssl_cipher_suite_dig(SslCipherSuite *cs) {
+ return &digests[cs->dig - DIG_MD5];
+}
+
static const gchar *ciphers[]={
"DES",
"3DES",
"IDEA",
"AES",
"AES256",
+ "CAMELLIA128",
+ "CAMELLIA256",
+ "SEED",
"*UNKNOWN*"
};
static SslCipherSuite cipher_suites[]={
- {1,KEX_RSA,SIG_RSA,ENC_NULL,1,0,0,DIG_MD5,16,0, SSL_CIPHER_MODE_STREAM},
- {2,KEX_RSA,SIG_RSA,ENC_NULL,1,0,0,DIG_SHA,20,0, SSL_CIPHER_MODE_STREAM},
- {3,KEX_RSA,SIG_RSA,ENC_RC4,1,128,40,DIG_MD5,16,1, SSL_CIPHER_MODE_STREAM},
- {4,KEX_RSA,SIG_RSA,ENC_RC4,1,128,128,DIG_MD5,16,0, SSL_CIPHER_MODE_STREAM},
- {5,KEX_RSA,SIG_RSA,ENC_RC4,1,128,128,DIG_SHA,20,0, SSL_CIPHER_MODE_STREAM},
- {6,KEX_RSA,SIG_RSA,ENC_RC2,8,128,40,DIG_SHA,20,1, SSL_CIPHER_MODE_STREAM},
- {7,KEX_RSA,SIG_RSA,ENC_IDEA,8,128,128,DIG_SHA,20,0, SSL_CIPHER_MODE_STREAM},
- {8,KEX_RSA,SIG_RSA,ENC_DES,8,64,40,DIG_SHA,20,1, SSL_CIPHER_MODE_CBC},
- {9,KEX_RSA,SIG_RSA,ENC_DES,8,64,64,DIG_SHA,20,0, SSL_CIPHER_MODE_CBC},
- {10,KEX_RSA,SIG_RSA,ENC_3DES,8,192,192,DIG_SHA,20,0, SSL_CIPHER_MODE_CBC},
- {11,KEX_DH,SIG_DSS,ENC_DES,8,64,40,DIG_SHA,20,1, SSL_CIPHER_MODE_CBC},
- {12,KEX_DH,SIG_DSS,ENC_DES,8,64,64,DIG_SHA,20,0, SSL_CIPHER_MODE_CBC},
- {13,KEX_DH,SIG_DSS,ENC_3DES,8,192,192,DIG_SHA,20,0, SSL_CIPHER_MODE_CBC},
- {14,KEX_DH,SIG_RSA,ENC_DES,8,64,40,DIG_SHA,20,1, SSL_CIPHER_MODE_CBC},
- {15,KEX_DH,SIG_RSA,ENC_DES,8,64,64,DIG_SHA,20,0, SSL_CIPHER_MODE_CBC},
- {16,KEX_DH,SIG_RSA,ENC_3DES,8,192,192,DIG_SHA,20,0, SSL_CIPHER_MODE_CBC},
- {17,KEX_DH,SIG_DSS,ENC_DES,8,64,40,DIG_SHA,20,1, SSL_CIPHER_MODE_CBC},
- {18,KEX_DH,SIG_DSS,ENC_DES,8,64,64,DIG_SHA,20,0, SSL_CIPHER_MODE_CBC},
- {19,KEX_DH,SIG_DSS,ENC_3DES,8,192,192,DIG_SHA,20,0, SSL_CIPHER_MODE_CBC},
- {20,KEX_DH,SIG_RSA,ENC_DES,8,64,40,DIG_SHA,20,1, SSL_CIPHER_MODE_CBC},
- {21,KEX_DH,SIG_RSA,ENC_DES,8,64,64,DIG_SHA,20,0, SSL_CIPHER_MODE_CBC},
- {22,KEX_DH,SIG_RSA,ENC_3DES,8,192,192,DIG_SHA,20,0, SSL_CIPHER_MODE_CBC},
- {23,KEX_DH,SIG_NONE,ENC_RC4,1,128,40,DIG_MD5,16,1, SSL_CIPHER_MODE_STREAM},
- {24,KEX_DH,SIG_NONE,ENC_RC4,1,128,128,DIG_MD5,16,0, SSL_CIPHER_MODE_STREAM},
- {25,KEX_DH,SIG_NONE,ENC_DES,8,64,40,DIG_MD5,16,1, SSL_CIPHER_MODE_CBC},
- {26,KEX_DH,SIG_NONE,ENC_DES,8,64,64,DIG_MD5,16,0, SSL_CIPHER_MODE_CBC},
- {27,KEX_DH,SIG_NONE,ENC_3DES,8,192,192,DIG_MD5,16,0, SSL_CIPHER_MODE_CBC},
- {47,KEX_RSA,SIG_RSA,ENC_AES,16,128,128,DIG_SHA,20,0, SSL_CIPHER_MODE_CBC},
- {48,KEX_DH,SIG_DSS,ENC_AES,16,128,128,DIG_SHA,20,0, SSL_CIPHER_MODE_CBC}, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA */
- {49,KEX_DH,SIG_RSA,ENC_AES,16,128,128,DIG_SHA,20,0, SSL_CIPHER_MODE_CBC}, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA */
- {50,KEX_DH,SIG_DSS,ENC_AES,16,128,128,DIG_SHA,20,0, SSL_CIPHER_MODE_CBC}, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA */
- {51,KEX_DH, SIG_RSA,ENC_AES,16,128,128,DIG_SHA,20,0, SSL_CIPHER_MODE_CBC},
- {52,KEX_DH,SIG_NONE,ENC_AES,16,128,128,DIG_SHA,20,0, SSL_CIPHER_MODE_CBC}, /* TLS_DH_anon_WITH_AES_128_CBC_SHA */
- {53,KEX_RSA,SIG_RSA,ENC_AES256,16,256,256,DIG_SHA,20,0, SSL_CIPHER_MODE_CBC},
- {54,KEX_DH,SIG_DSS,ENC_AES256,16,256,256,DIG_SHA,20,0, SSL_CIPHER_MODE_CBC}, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA */
- {55,KEX_DH,SIG_RSA,ENC_AES256,16,256,256,DIG_SHA,20,0, SSL_CIPHER_MODE_CBC}, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA */
- {56,KEX_DH,SIG_DSS,ENC_AES256,16,256,256,DIG_SHA,20,0, SSL_CIPHER_MODE_CBC}, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA */
- {57,KEX_DH,SIG_RSA,ENC_AES256,16,256,256,DIG_SHA,20,0, SSL_CIPHER_MODE_CBC}, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */
- {58,KEX_DH,SIG_NONE,ENC_AES256,16,256,256,DIG_SHA,20,0, SSL_CIPHER_MODE_CBC}, /* TLS_DH_anon_WITH_AES_256_CBC_SHA */
- {59,KEX_RSA,SIG_RSA,ENC_NULL,1,0,0,DIG_SHA256,32,0, SSL_CIPHER_MODE_STREAM},
- {60,KEX_RSA,SIG_RSA,ENC_AES,16,128,128,DIG_SHA256,32,0, SSL_CIPHER_MODE_CBC},
- {61,KEX_RSA,SIG_RSA,ENC_AES256,16,256,256,DIG_SHA256,32,0, SSL_CIPHER_MODE_CBC},
- {62,KEX_DH,SIG_DSS,ENC_AES,16,128,128,DIG_SHA256,32,0, SSL_CIPHER_MODE_CBC}, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA256 */
- {63,KEX_DH,SIG_RSA,ENC_AES,16,128,128,DIG_SHA256,32,0, SSL_CIPHER_MODE_CBC}, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA256 */
- {64,KEX_DH,SIG_DSS,ENC_AES,16,128,128,DIG_SHA256,32,0, SSL_CIPHER_MODE_CBC}, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 */
- {96,KEX_RSA,SIG_RSA,ENC_RC4,1,128,56,DIG_MD5,16,1, SSL_CIPHER_MODE_STREAM},
- {97,KEX_RSA,SIG_RSA,ENC_RC2,1,128,56,DIG_MD5,16,1, SSL_CIPHER_MODE_STREAM},
- {98,KEX_RSA,SIG_RSA,ENC_DES,8,64,64,DIG_SHA,20,1, SSL_CIPHER_MODE_STREAM},
- {99,KEX_DH,SIG_DSS,ENC_DES,8,64,64,DIG_SHA,16,1, SSL_CIPHER_MODE_CBC},
- {100,KEX_RSA,SIG_RSA,ENC_RC4,1,128,56,DIG_SHA,20,1, SSL_CIPHER_MODE_STREAM},
- {101,KEX_DH,SIG_DSS,ENC_RC4,1,128,56,DIG_SHA,20,1, SSL_CIPHER_MODE_STREAM},
- {102,KEX_DH,SIG_DSS,ENC_RC4,1,128,128,DIG_SHA,20,0, SSL_CIPHER_MODE_STREAM},
- {103,KEX_DH,SIG_RSA,ENC_AES,16,128,128,DIG_SHA256,32,0, SSL_CIPHER_MODE_CBC}, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 */
- {104,KEX_DH,SIG_DSS,ENC_AES256,16,256,256,DIG_SHA256,32,0, SSL_CIPHER_MODE_CBC}, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA256 */
- {105,KEX_DH,SIG_RSA,ENC_AES256,16,256,256,DIG_SHA256,32,0, SSL_CIPHER_MODE_CBC}, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA256 */
- {106,KEX_DH,SIG_DSS,ENC_AES256,16,256,256,DIG_SHA256,32,0, SSL_CIPHER_MODE_CBC}, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 */
- {107,KEX_DH,SIG_RSA,ENC_AES256,16,256,256,DIG_SHA256,32,0, SSL_CIPHER_MODE_CBC},
- {108,KEX_DH,SIG_NONE,ENC_AES,16,128,128,DIG_SHA256,32,0, SSL_CIPHER_MODE_CBC}, /* TLS_DH_anon_WITH_AES_128_CBC_SHA256 */
- {109,KEX_DH,SIG_NONE,ENC_AES256,16,256,256,DIG_SHA256,32,0, SSL_CIPHER_MODE_CBC}, /* TLS_DH_anon_WITH_AES_256_CBC_SHA256 */
- /*{138,KEX_PSK,SIG_RSA,ENC_RC4,16,128,128,DIG_SHA,20,0, SSL_CIPHER_MODE_CBC},*/
- {139,KEX_PSK,SIG_RSA,ENC_3DES,8,192,192,DIG_SHA,20,0, SSL_CIPHER_MODE_CBC},
- {140,KEX_PSK,SIG_RSA,ENC_AES,16,128,128,DIG_SHA,20,0, SSL_CIPHER_MODE_CBC},
- {141,KEX_PSK,SIG_RSA,ENC_AES256,16,256,256,DIG_SHA,20,0, SSL_CIPHER_MODE_CBC},
- {49169,KEX_DH,SIG_RSA,ENC_RC4,1,128,128,DIG_SHA,20,0, SSL_CIPHER_MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_RC4_128_SHA */
- {49187,KEX_DH,SIG_DSS,ENC_AES,16,128,128,DIG_SHA256,32,0, SSL_CIPHER_MODE_CBC}, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 */
- {49188,KEX_DH,SIG_DSS,ENC_AES256,16,256,256,DIG_SHA384,48,0, SSL_CIPHER_MODE_CBC}, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 */
- {49189,KEX_DH,SIG_DSS,ENC_AES,16,128,128,DIG_SHA256,32,0, SSL_CIPHER_MODE_CBC}, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 */
- {49190,KEX_DH,SIG_DSS,ENC_AES256,16,256,256,DIG_SHA384,48,0, SSL_CIPHER_MODE_CBC}, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 */
- {49191,KEX_DH,SIG_RSA,ENC_AES,16,128,128,DIG_SHA256,32,0, SSL_CIPHER_MODE_CBC}, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 */
- {49192,KEX_DH,SIG_RSA,ENC_AES256,16,256,256,DIG_SHA384,48,0, SSL_CIPHER_MODE_CBC}, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 */
- {49193,KEX_DH,SIG_RSA,ENC_AES,16,128,128,DIG_SHA256,32,0, SSL_CIPHER_MODE_CBC}, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 */
- {49194,KEX_DH,SIG_RSA,ENC_AES256,16,256,256,DIG_SHA384,48,0, SSL_CIPHER_MODE_CBC}, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 */
- {-1, 0,0,0,0,0,0,0,0,0, 0}
+ {1,KEX_RSA,SIG_RSA,ENC_NULL,1,0,0,DIG_MD5, SSL_CIPHER_MODE_STREAM}, /* TLS_RSA_WITH_NULL_MD5 */
+ {2,KEX_RSA,SIG_RSA,ENC_NULL,1,0,0,DIG_SHA, SSL_CIPHER_MODE_STREAM}, /* TLS_RSA_WITH_NULL_SHA */
+ {3,KEX_RSA,SIG_RSA,ENC_RC4,1,128,40,DIG_MD5, SSL_CIPHER_MODE_STREAM}, /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
+ {4,KEX_RSA,SIG_RSA,ENC_RC4,1,128,128,DIG_MD5, SSL_CIPHER_MODE_STREAM}, /* TLS_RSA_WITH_RC4_128_MD5 */
+ {5,KEX_RSA,SIG_RSA,ENC_RC4,1,128,128,DIG_SHA, SSL_CIPHER_MODE_STREAM}, /* TLS_RSA_WITH_RC4_128_SHA */
+ {6,KEX_RSA,SIG_RSA,ENC_RC2,8,128,40,DIG_MD5, SSL_CIPHER_MODE_CBC}, /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
+ {7,KEX_RSA,SIG_RSA,ENC_IDEA,8,128,128,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_RSA_WITH_IDEA_CBC_SHA */
+ {8,KEX_RSA,SIG_RSA,ENC_DES,8,64,40,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
+ {9,KEX_RSA,SIG_RSA,ENC_DES,8,64,64,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_RSA_WITH_DES_CBC_SHA */
+ {10,KEX_RSA,SIG_RSA,ENC_3DES,8,192,192,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
+ {11,KEX_DH,SIG_DSS,ENC_DES,8,64,40,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
+ {12,KEX_DH,SIG_DSS,ENC_DES,8,64,64,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DH_DSS_WITH_DES_CBC_SHA */
+ {13,KEX_DH,SIG_DSS,ENC_3DES,8,192,192,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA */
+ {14,KEX_DH,SIG_RSA,ENC_DES,8,64,40,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
+ {15,KEX_DH,SIG_RSA,ENC_DES,8,64,64,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DH_RSA_WITH_DES_CBC_SHA */
+ {16,KEX_DH,SIG_RSA,ENC_3DES,8,192,192,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA */
+ {17,KEX_DH,SIG_DSS,ENC_DES,8,64,40,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
+ {18,KEX_DH,SIG_DSS,ENC_DES,8,64,64,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DHE_DSS_WITH_DES_CBC_SHA */
+ {19,KEX_DH,SIG_DSS,ENC_3DES,8,192,192,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
+ {20,KEX_DH,SIG_RSA,ENC_DES,8,64,40,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
+ {21,KEX_DH,SIG_RSA,ENC_DES,8,64,64,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DHE_RSA_WITH_DES_CBC_SHA */
+ {22,KEX_DH,SIG_RSA,ENC_3DES,8,192,192,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */
+ {23,KEX_DH,SIG_NONE,ENC_RC4,1,128,40,DIG_MD5, SSL_CIPHER_MODE_STREAM}, /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
+ {24,KEX_DH,SIG_NONE,ENC_RC4,1,128,128,DIG_MD5, SSL_CIPHER_MODE_STREAM}, /* TLS_DH_anon_WITH_RC4_128_MD5 */
+ {25,KEX_DH,SIG_NONE,ENC_DES,8,64,40,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
+ {26,KEX_DH,SIG_NONE,ENC_DES,8,64,64,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DH_anon_WITH_DES_CBC_SHA */
+ {27,KEX_DH,SIG_NONE,ENC_3DES,8,192,192,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DH_anon_WITH_3DES_EDE_CBC_SHA */
+ {47,KEX_RSA,SIG_RSA,ENC_AES,16,128,128,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_RSA_WITH_AES_128_CBC_SHA */
+ {48,KEX_DH,SIG_DSS,ENC_AES,16,128,128,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA */
+ {49,KEX_DH,SIG_RSA,ENC_AES,16,128,128,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA */
+ {50,KEX_DH,SIG_DSS,ENC_AES,16,128,128,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA */
+ {51,KEX_DH,SIG_RSA,ENC_AES,16,128,128,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA */
+ {52,KEX_DH,SIG_NONE,ENC_AES,16,128,128,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DH_anon_WITH_AES_128_CBC_SHA */
+ {53,KEX_RSA,SIG_RSA,ENC_AES256,16,256,256,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_RSA_WITH_AES_256_CBC_SHA */
+ {54,KEX_DH,SIG_DSS,ENC_AES256,16,256,256,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA */
+ {55,KEX_DH,SIG_RSA,ENC_AES256,16,256,256,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA */
+ {56,KEX_DH,SIG_DSS,ENC_AES256,16,256,256,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA */
+ {57,KEX_DH,SIG_RSA,ENC_AES256,16,256,256,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */
+ {58,KEX_DH,SIG_NONE,ENC_AES256,16,256,256,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DH_anon_WITH_AES_256_CBC_SHA */
+ {59,KEX_RSA,SIG_RSA,ENC_NULL,1,0,0,DIG_SHA256, SSL_CIPHER_MODE_STREAM}, /* TLS_RSA_WITH_NULL_SHA256 */
+ {60,KEX_RSA,SIG_RSA,ENC_AES,16,128,128,DIG_SHA256, SSL_CIPHER_MODE_CBC}, /* TLS_RSA_WITH_AES_128_CBC_SHA256 */
+ {61,KEX_RSA,SIG_RSA,ENC_AES256,16,256,256,DIG_SHA256, SSL_CIPHER_MODE_CBC}, /* TLS_RSA_WITH_AES_256_CBC_SHA256 */
+ {62,KEX_DH,SIG_DSS,ENC_AES,16,128,128,DIG_SHA256, SSL_CIPHER_MODE_CBC}, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA256 */
+ {63,KEX_DH,SIG_RSA,ENC_AES,16,128,128,DIG_SHA256, SSL_CIPHER_MODE_CBC}, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA256 */
+ {64,KEX_DH,SIG_DSS,ENC_AES,16,128,128,DIG_SHA256, SSL_CIPHER_MODE_CBC}, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 */
+ {65,KEX_RSA,SIG_RSA,ENC_CAMELLIA128,16,128,128,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA */
+ {66,KEX_DH,SIG_DSS,ENC_CAMELLIA128,16,128,128,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA */
+ {67,KEX_DH,SIG_RSA,ENC_CAMELLIA128,16,128,128,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA */
+ {68,KEX_DH,SIG_DSS,ENC_CAMELLIA128,16,128,128,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA */
+ {69,KEX_DH,SIG_RSA,ENC_CAMELLIA128,16,128,128,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA */
+ {70,KEX_DH,SIG_NONE,ENC_CAMELLIA128,16,128,128,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA */
+ {96,KEX_RSA,SIG_RSA,ENC_RC4,1,128,56,DIG_MD5, SSL_CIPHER_MODE_STREAM},
+ {97,KEX_RSA,SIG_RSA,ENC_RC2,1,128,56,DIG_MD5, SSL_CIPHER_MODE_STREAM},
+ {98,KEX_RSA,SIG_RSA,ENC_DES,8,64,56,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
+ {99,KEX_DH,SIG_DSS,ENC_DES,8,64,56,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
+ {100,KEX_RSA,SIG_RSA,ENC_RC4,1,128,56,DIG_SHA, SSL_CIPHER_MODE_STREAM},
+ {101,KEX_DH,SIG_DSS,ENC_RC4,1,128,56,DIG_SHA, SSL_CIPHER_MODE_STREAM},
+ {102,KEX_DH,SIG_DSS,ENC_RC4,1,128,128,DIG_SHA, SSL_CIPHER_MODE_STREAM},
+ {103,KEX_DH,SIG_RSA,ENC_AES,16,128,128,DIG_SHA256, SSL_CIPHER_MODE_CBC}, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 */
+ {104,KEX_DH,SIG_DSS,ENC_AES256,16,256,256,DIG_SHA256, SSL_CIPHER_MODE_CBC}, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA256 */
+ {105,KEX_DH,SIG_RSA,ENC_AES256,16,256,256,DIG_SHA256, SSL_CIPHER_MODE_CBC}, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA256 */
+ {106,KEX_DH,SIG_DSS,ENC_AES256,16,256,256,DIG_SHA256, SSL_CIPHER_MODE_CBC}, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 */
+ {107,KEX_DH,SIG_RSA,ENC_AES256,16,256,256,DIG_SHA256, SSL_CIPHER_MODE_CBC}, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 */
+ {108,KEX_DH,SIG_NONE,ENC_AES,16,128,128,DIG_SHA256, SSL_CIPHER_MODE_CBC}, /* TLS_DH_anon_WITH_AES_128_CBC_SHA256 */
+ {109,KEX_DH,SIG_NONE,ENC_AES256,16,256,256,DIG_SHA256, SSL_CIPHER_MODE_CBC}, /* TLS_DH_anon_WITH_AES_256_CBC_SHA256 */
+ {132,KEX_RSA,SIG_RSA,ENC_CAMELLIA256,16,256,256,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA */
+ {133,KEX_DH,SIG_DSS,ENC_CAMELLIA256,16,256,256,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA */
+ {134,KEX_DH,SIG_RSA,ENC_CAMELLIA256,16,256,256,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA */
+ {135,KEX_DH,SIG_DSS,ENC_CAMELLIA256,16,256,256,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA */
+ {136,KEX_DH,SIG_RSA,ENC_CAMELLIA256,16,256,256,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA */
+ {137,KEX_DH,SIG_NONE,ENC_CAMELLIA256,16,256,256,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA */
+ {139,KEX_PSK,SIG_RSA,ENC_3DES,8,192,192,DIG_SHA, SSL_CIPHER_MODE_CBC},
+ {140,KEX_PSK,SIG_RSA,ENC_AES,16,128,128,DIG_SHA, SSL_CIPHER_MODE_CBC},
+ {141,KEX_PSK,SIG_RSA,ENC_AES256,16,256,256,DIG_SHA, SSL_CIPHER_MODE_CBC},
+ {150,KEX_RSA,SIG_RSA,ENC_SEED,16,128,128,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_RSA_WITH_SEED_CBC_SHA */
+ {151,KEX_DH,SIG_DSS,ENC_SEED,16,128,128,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DH_DSS_WITH_SEED_CBC_SHA */
+ {152,KEX_DH,SIG_RSA,ENC_SEED,16,128,128,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DH_RSA_WITH_SEED_CBC_SHA */
+ {153,KEX_DH,SIG_DSS,ENC_SEED,16,128,128,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DHE_DSS_WITH_SEED_CBC_SHA */
+ {154,KEX_DH,SIG_RSA,ENC_SEED,16,128,128,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DHE_RSA_WITH_SEED_CBC_SHA */
+ {155,KEX_DH,SIG_NONE,ENC_SEED,16,128,128,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_DH_anon_WITH_SEED_CBC_SHA */
+ {156,KEX_RSA,SIG_RSA,ENC_AES,4,128,128,DIG_SHA256, SSL_CIPHER_MODE_GCM}, /* TLS_RSA_WITH_AES_128_GCM_SHA256 */
+ {157,KEX_RSA,SIG_RSA,ENC_AES256,4,256,256,DIG_SHA384, SSL_CIPHER_MODE_GCM}, /* TLS_RSA_WITH_AES_256_GCM_SHA384 */
+ {158,KEX_DH,SIG_RSA,ENC_AES,4,128,128,DIG_SHA256, SSL_CIPHER_MODE_GCM}, /* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 */
+ {159,KEX_DH,SIG_RSA,ENC_AES256,4,256,256,DIG_SHA384, SSL_CIPHER_MODE_GCM}, /* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 */
+ {160,KEX_DH,SIG_RSA,ENC_AES,4,128,128,DIG_SHA256, SSL_CIPHER_MODE_GCM}, /* TLS_DH_RSA_WITH_AES_128_GCM_SHA256 */
+ {161,KEX_DH,SIG_RSA,ENC_AES256,4,256,256,DIG_SHA384, SSL_CIPHER_MODE_GCM}, /* TLS_DH_RSA_WITH_AES_256_GCM_SHA384 */
+ {162,KEX_DH,SIG_DSS,ENC_AES,4,128,128,DIG_SHA256, SSL_CIPHER_MODE_GCM}, /* TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 */
+ {163,KEX_DH,SIG_DSS,ENC_AES256,4,256,256,DIG_SHA384, SSL_CIPHER_MODE_GCM}, /* TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 */
+ {164,KEX_DH,SIG_DSS,ENC_AES,4,128,128,DIG_SHA256, SSL_CIPHER_MODE_GCM}, /* TLS_DH_DSS_WITH_AES_128_GCM_SHA256 */
+ {165,KEX_DH,SIG_DSS,ENC_AES256,4,256,256,DIG_SHA384, SSL_CIPHER_MODE_GCM}, /* TLS_DH_DSS_WITH_AES_256_GCM_SHA384 */
+ {166,KEX_DH,SIG_NONE,ENC_AES,4,128,128,DIG_SHA256, SSL_CIPHER_MODE_GCM}, /* TLS_DH_anon_WITH_AES_128_GCM_SHA256 */
+ {167,KEX_DH,SIG_NONE,ENC_AES256,4,256,256,DIG_SHA384, SSL_CIPHER_MODE_GCM}, /* TLS_DH_anon_WITH_AES_256_GCM_SHA384 */
+ {186,KEX_RSA,SIG_RSA,ENC_CAMELLIA128,16,128,128,DIG_SHA256, SSL_CIPHER_MODE_CBC}, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
+ {187,KEX_DH,SIG_DSS,ENC_CAMELLIA128,16,128,128,DIG_SHA256, SSL_CIPHER_MODE_CBC}, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
+ {188,KEX_DH,SIG_RSA,ENC_CAMELLIA128,16,128,128,DIG_SHA256, SSL_CIPHER_MODE_CBC}, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
+ {189,KEX_DH,SIG_DSS,ENC_CAMELLIA128,16,128,128,DIG_SHA256, SSL_CIPHER_MODE_CBC}, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
+ {190,KEX_DH,SIG_RSA,ENC_CAMELLIA128,16,128,128,DIG_SHA256, SSL_CIPHER_MODE_CBC}, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
+ {191,KEX_DH,SIG_NONE,ENC_CAMELLIA128,16,128,128,DIG_SHA256, SSL_CIPHER_MODE_CBC}, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 */
+ {192,KEX_RSA,SIG_RSA,ENC_CAMELLIA256,16,256,256,DIG_SHA256, SSL_CIPHER_MODE_CBC}, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
+ {193,KEX_DH,SIG_DSS,ENC_CAMELLIA256,16,256,256,DIG_SHA256, SSL_CIPHER_MODE_CBC}, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
+ {194,KEX_DH,SIG_RSA,ENC_CAMELLIA256,16,256,256,DIG_SHA256, SSL_CIPHER_MODE_CBC}, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
+ {195,KEX_DH,SIG_DSS,ENC_CAMELLIA256,16,256,256,DIG_SHA256, SSL_CIPHER_MODE_CBC}, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
+ {196,KEX_DH,SIG_RSA,ENC_CAMELLIA256,16,256,256,DIG_SHA256, SSL_CIPHER_MODE_CBC}, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
+ {197,KEX_DH,SIG_NONE,ENC_CAMELLIA256,16,256,256,DIG_SHA256, SSL_CIPHER_MODE_CBC}, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */
+ {49153,KEX_DH,SIG_DSS,ENC_NULL,1,0,0,DIG_SHA, SSL_CIPHER_MODE_STREAM}, /* TLS_ECDH_ECDSA_WITH_NULL_SHA */
+ {49154,KEX_DH,SIG_DSS,ENC_RC4,1,128,128,DIG_SHA, SSL_CIPHER_MODE_STREAM}, /* TLS_ECDH_ECDSA_WITH_RC4_128_SHA */
+ {49155,KEX_DH,SIG_DSS,ENC_3DES,8,192,192,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA */
+ {49156,KEX_DH,SIG_DSS,ENC_AES,16,128,128,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA */
+ {49157,KEX_DH,SIG_DSS,ENC_AES256,16,256,256,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */
+ {49158,KEX_DH,SIG_DSS,ENC_NULL,1,0,0,DIG_SHA, SSL_CIPHER_MODE_STREAM}, /* TLS_ECDHE_ECDSA_WITH_NULL_SHA */
+ {49159,KEX_DH,SIG_DSS,ENC_RC4,1,128,128,DIG_SHA, SSL_CIPHER_MODE_STREAM}, /* TLS_ECDHE_ECDSA_WITH_RC4_128_SHA */
+ {49160,KEX_DH,SIG_DSS,ENC_3DES,8,192,192,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA */
+ {49161,KEX_DH,SIG_DSS,ENC_AES,16,128,128,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA */
+ {49162,KEX_DH,SIG_DSS,ENC_AES256,16,256,256,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA */
+ {49163,KEX_DH,SIG_RSA,ENC_NULL,1,0,0,DIG_SHA, SSL_CIPHER_MODE_STREAM}, /* TLS_ECDH_RSA_WITH_NULL_SHA */
+ {49164,KEX_DH,SIG_RSA,ENC_RC4,1,128,128,DIG_SHA, SSL_CIPHER_MODE_STREAM}, /* TLS_ECDH_RSA_WITH_RC4_128_SHA */
+ {49165,KEX_DH,SIG_RSA,ENC_3DES,8,192,192,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA */
+ {49166,KEX_DH,SIG_RSA,ENC_AES,16,128,128,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA */
+ {49167,KEX_DH,SIG_RSA,ENC_AES256,16,256,256,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA */
+ {49168,KEX_DH,SIG_RSA,ENC_NULL,1,0,0,DIG_SHA, SSL_CIPHER_MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_NULL_SHA */
+ {49169,KEX_DH,SIG_RSA,ENC_RC4,1,128,128,DIG_SHA, SSL_CIPHER_MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_RC4_128_SHA */
+ {49170,KEX_DH,SIG_RSA,ENC_3DES,8,192,192,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA */
+ {49171,KEX_DH,SIG_RSA,ENC_AES,16,128,128,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA */
+ {49172,KEX_DH,SIG_RSA,ENC_AES256,16,256,256,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */
+ {49173,KEX_DH,SIG_NONE,ENC_NULL,1,0,0,DIG_SHA, SSL_CIPHER_MODE_STREAM}, /* TLS_ECDH_anon_WITH_NULL_SHA */
+ {49174,KEX_DH,SIG_NONE,ENC_RC4,1,128,128,DIG_SHA, SSL_CIPHER_MODE_STREAM}, /* TLS_ECDH_anon_WITH_RC4_128_SHA */
+ {49175,KEX_DH,SIG_NONE,ENC_3DES,8,192,192,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA */
+ {49176,KEX_DH,SIG_NONE,ENC_AES,16,128,128,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_ECDH_anon_WITH_AES_128_CBC_SHA */
+ {49177,KEX_DH,SIG_NONE,ENC_AES256,16,256,256,DIG_SHA, SSL_CIPHER_MODE_CBC}, /* TLS_ECDH_anon_WITH_AES_256_CBC_SHA */
+ {49187,KEX_DH,SIG_DSS,ENC_AES,16,128,128,DIG_SHA256, SSL_CIPHER_MODE_CBC}, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 */
+ {49188,KEX_DH,SIG_DSS,ENC_AES256,16,256,256,DIG_SHA384, SSL_CIPHER_MODE_CBC}, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 */
+ {49189,KEX_DH,SIG_DSS,ENC_AES,16,128,128,DIG_SHA256, SSL_CIPHER_MODE_CBC}, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 */
+ {49190,KEX_DH,SIG_DSS,ENC_AES256,16,256,256,DIG_SHA384, SSL_CIPHER_MODE_CBC}, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 */
+ {49191,KEX_DH,SIG_RSA,ENC_AES,16,128,128,DIG_SHA256, SSL_CIPHER_MODE_CBC}, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 */
+ {49192,KEX_DH,SIG_RSA,ENC_AES256,16,256,256,DIG_SHA384, SSL_CIPHER_MODE_CBC}, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 */
+ {49193,KEX_DH,SIG_RSA,ENC_AES,16,128,128,DIG_SHA256, SSL_CIPHER_MODE_CBC}, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 */
+ {49194,KEX_DH,SIG_RSA,ENC_AES256,16,256,256,DIG_SHA384, SSL_CIPHER_MODE_CBC}, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 */
+ {49195,KEX_DH,SIG_DSS,ENC_AES,4,128,128,DIG_SHA256, SSL_CIPHER_MODE_GCM}, /* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 */
+ {49196,KEX_DH,SIG_DSS,ENC_AES256,4,256,256,DIG_SHA384, SSL_CIPHER_MODE_GCM}, /* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 */
+ {49197,KEX_DH,SIG_DSS,ENC_AES,4,128,128,DIG_SHA256, SSL_CIPHER_MODE_GCM}, /* TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 */
+ {49198,KEX_DH,SIG_DSS,ENC_AES256,4,256,256,DIG_SHA384, SSL_CIPHER_MODE_GCM}, /* TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 */
+ {49199,KEX_DH,SIG_RSA,ENC_AES,4,128,128,DIG_SHA256, SSL_CIPHER_MODE_GCM}, /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
+ {49200,KEX_DH,SIG_RSA,ENC_AES256,4,256,256,DIG_SHA384, SSL_CIPHER_MODE_GCM}, /* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 */
+ {49201,KEX_DH,SIG_RSA,ENC_AES,4,128,128,DIG_SHA256, SSL_CIPHER_MODE_GCM}, /* TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 */
+ {49202,KEX_DH,SIG_RSA,ENC_AES256,4,256,256,DIG_SHA384, SSL_CIPHER_MODE_GCM}, /* TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 */
+ {-1, 0,0,0,0,0,0,0, 0}
};
#define MAX_BLOCK_SIZE 16
return(0);
}
-static gint prf(SslDecryptSession* ssl,StringInfo* secret,gchar* usage,StringInfo* rnd1,StringInfo* rnd2,StringInfo* out)
+static gint prf(SslDecryptSession* ssl,StringInfo* secret,const gchar* usage,StringInfo* rnd1,StringInfo* rnd2,StringInfo* out)
{
gint ret;
if (ssl->version_netorder==SSLV3_VERSION){
ret = ssl3_prf(secret,usage,rnd1,rnd2,out);
}else if (ssl->version_netorder==TLSV1_VERSION || ssl->version_netorder==TLSV1DOT1_VERSION ||
- ssl->version_netorder==DTLSV1DOT0_VERSION || ssl->version_netorder==DTLSV1DOT2_VERSION ||
- ssl->version_netorder==DTLSV1DOT0_VERSION_NOT){
+ ssl->version_netorder==DTLSV1DOT0_VERSION || ssl->version_netorder==DTLSV1DOT0_VERSION_NOT){
ret = tls_prf(secret,usage,rnd1,rnd2,out);
}else{
if (ssl->cipher_suite.dig == DIG_SHA384){
{
SslFlow *flow;
- flow = se_alloc(sizeof(SslFlow));
+ flow = (SslFlow *)wmem_alloc(wmem_file_scope(), sizeof(SslFlow));
flow->byte_seq = 0;
flow->flags = 0;
- flow->multisegment_pdus = se_tree_create_non_persistent(EMEM_TREE_TYPE_RED_BLACK, "ssl_multisegment_pdus");
+ flow->multisegment_pdus = wmem_tree_new(wmem_file_scope());
return flow;
}
if (compression == 0) return NULL;
ssl_debug_printf("ssl_create_decompressor: compression method %d\n", compression);
- decomp = se_alloc(sizeof(SslDecompress));
+ decomp = (SslDecompress *)wmem_alloc(wmem_file_scope(), sizeof(SslDecompress));
decomp->compression = compression;
switch (decomp->compression) {
#ifdef HAVE_LIBZ
SslDecoder *dec;
gint ciph;
- dec = se_alloc0(sizeof(SslDecoder));
+ dec = (SslDecoder *)wmem_alloc0(wmem_file_scope(), sizeof(SslDecoder));
/* Find the SSLeay cipher */
if(cipher_suite->enc!=ENC_NULL) {
ssl_debug_printf("ssl_create_decoder CIPHER: %s\n", ciphers[cipher_suite->enc-0x30]);
}
if (ciph == 0) {
ssl_debug_printf("ssl_create_decoder can't find cipher %s\n",
- ciphers[(cipher_suite->enc-0x30) > 7 ? 7 : (cipher_suite->enc-0x30)]);
+ ciphers[cipher_suite->enc > ENC_NULL ? ENC_NULL : (cipher_suite->enc-0x30)]);
return NULL;
}
memory allocation and waste samo more memory*/
dec->cipher_suite=cipher_suite;
dec->compression = compression;
- dec->mac_key.data = dec->_mac_key;
- ssl_data_set(&dec->mac_key, mk, cipher_suite->dig_len);
+ /* AEED ciphers don't have a MAC but need to keep the write IV instead */
+ if (mk == NULL) {
+ dec->write_iv.data = dec->_mac_key_or_write_iv;
+ ssl_data_set(&dec->write_iv, iv, cipher_suite->block);
+ } else {
+ dec->mac_key.data = dec->_mac_key_or_write_iv;
+ ssl_data_set(&dec->mac_key, mk, ssl_cipher_suite_dig(cipher_suite)->len);
+ }
dec->seq = 0;
dec->decomp = ssl_create_decompressor(compression);
dec->flow = ssl_create_flow();
return NULL;
}
- ssl_debug_printf("decoder initialized (digest len %d)\n", cipher_suite->dig_len);
+ ssl_debug_printf("decoder initialized (digest len %d)\n", ssl_cipher_suite_dig(cipher_suite)->len);
return dec;
}
}
/* Compute the key block. First figure out how much data we need*/
- needed=ssl_session->cipher_suite.dig_len*2;
+ needed=ssl_cipher_suite_dig(&ssl_session->cipher_suite)->len*2;
needed+=ssl_session->cipher_suite.bits / 4;
if(ssl_session->cipher_suite.block>1)
needed+=ssl_session->cipher_suite.block*2;
key_block.data_len = needed;
- key_block.data = g_malloc(needed);
+ key_block.data = (guchar *)g_malloc(needed);
ssl_debug_printf("ssl_generate_keyring_material sess key generation\n");
if (prf(ssl_session,&ssl_session->master_secret,"key expansion",
&ssl_session->server_random,&ssl_session->client_random,
ssl_print_string("key expansion", &key_block);
ptr=key_block.data;
- c_mk=ptr; ptr+=ssl_session->cipher_suite.dig_len;
- s_mk=ptr; ptr+=ssl_session->cipher_suite.dig_len;
+ /* AEAD ciphers do not have a separate MAC */
+ if (ssl_session->cipher_suite.mode == SSL_CIPHER_MODE_GCM) {
+ c_mk = s_mk = NULL;
+ } else {
+ c_mk=ptr; ptr+=ssl_cipher_suite_dig(&ssl_session->cipher_suite)->len;
+ s_mk=ptr; ptr+=ssl_cipher_suite_dig(&ssl_session->cipher_suite)->len;
+ }
c_wk=ptr; ptr+=ssl_session->cipher_suite.eff_bits/8;
s_wk=ptr; ptr+=ssl_session->cipher_suite.eff_bits/8;
s_iv=ptr; /*ptr+=ssl_session->cipher_suite.block;*/
}
- if(ssl_session->cipher_suite.export){
+ /* export ciphers work with a smaller key length */
+ if (ssl_session->cipher_suite.eff_bits < ssl_session->cipher_suite.bits) {
StringInfo iv_c,iv_s;
StringInfo key_c,key_s;
StringInfo k;
}
/* show key material info */
- ssl_print_data("Client MAC key",c_mk,ssl_session->cipher_suite.dig_len);
- ssl_print_data("Server MAC key",s_mk,ssl_session->cipher_suite.dig_len);
+ if (c_mk != NULL) {
+ ssl_print_data("Client MAC key",c_mk,ssl_cipher_suite_dig(&ssl_session->cipher_suite)->len);
+ ssl_print_data("Server MAC key",s_mk,ssl_cipher_suite_dig(&ssl_session->cipher_suite)->len);
+ }
ssl_print_data("Client Write key",c_wk,ssl_session->cipher_suite.bits/8);
ssl_print_data("Server Write key",s_wk,ssl_session->cipher_suite.bits/8);
guint8 buf[48];
gint16 temp;
- md=ssl_get_digest_by_name(digests[decoder->cipher_suite->dig-0x40]);
+ md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
ssl_debug_printf("tls_check_mac mac type:%s md %d\n",
- digests[decoder->cipher_suite->dig-0x40], md);
+ ssl_cipher_suite_dig(decoder->cipher_suite)->name, md);
if (ssl_hmac_init(&hm,decoder->mac_key.data,decoder->mac_key.data_len,md) != 0)
return -1;
pad_ct=(decoder->cipher_suite->dig==DIG_SHA)?40:48;
/* get cipher used for digest comptuation */
- md=ssl_get_digest_by_name(digests[decoder->cipher_suite->dig-0x40]);
+ md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
if (ssl_md_init(&mc,md) !=0)
return -1;
guint8 buf[20];
gint16 temp;
- md=ssl_get_digest_by_name(digests[decoder->cipher_suite->dig-0x40]);
+ md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
ssl_debug_printf("dtls_check_mac mac type:%s md %d\n",
- digests[decoder->cipher_suite->dig-0x40], md);
+ ssl_cipher_suite_dig(decoder->cipher_suite)->name, md);
if (ssl_hmac_init(&hm,decoder->mac_key.data,decoder->mac_key.data_len,md) != 0)
return -1;
ssl_data_realloc(out_str, inl + 32);
}
+ /* RFC 6101/2246: SSLCipherText/TLSCipherText has two structures for types:
+ * (notation: { unencrypted, [ encrypted ] })
+ * GenericStreamCipher: { [content, mac] }
+ * GenericBlockCipher: { IV (TLS 1.1+), [content, mac, padding, padding_len] }
+ * RFC 5426 (TLS 1.2): TLSCipherText has additionally:
+ * GenericAEADCipher: { nonce_explicit, [content] }
+ * RFC 4347 (DTLS): based on TLS 1.1, only GenericBlockCipher is supported.
+ * RFC 6347 (DTLS 1.2): based on TLS 1.2, includes GenericAEADCipher too.
+ */
+
+ /* (TLS 1.1 and later, DTLS) Extract explicit IV for GenericBlockCipher */
+ if (decoder->cipher_suite->mode == SSL_CIPHER_MODE_CBC) {
+ switch (ssl->version_netorder) {
+ case TLSV1DOT1_VERSION:
+ case TLSV1DOT2_VERSION:
+ case DTLSV1DOT0_VERSION:
+ case DTLSV1DOT2_VERSION:
+ case DTLSV1DOT0_VERSION_NOT:
+ if ((gint)inl < decoder->cipher_suite->block) {
+ ssl_debug_printf("ssl_decrypt_record failed: input %d has no space for IV %d\n",
+ inl, decoder->cipher_suite->block);
+ return -1;
+ }
+ pad = gcry_cipher_setiv(decoder->evp, in, decoder->cipher_suite->block);
+ if (pad != 0) {
+ ssl_debug_printf("ssl_decrypt_record failed: failed to set IV: %s %s\n",
+ gcry_strsource (pad), gcry_strerror (pad));
+ }
+
+ inl -= decoder->cipher_suite->block;
+ in += decoder->cipher_suite->block;
+ break;
+ }
+ }
+
+ /* Nonce for GenericAEADCipher */
+ if (decoder->cipher_suite->mode == SSL_CIPHER_MODE_GCM) {
+ /* 4 bytes write_iv, 8 bytes explicit_nonce, 4 bytes counter */
+ guchar gcm_nonce[16] = { 0 };
+
+ if ((gint)inl < SSL_EX_NONCE_LEN_GCM) {
+ ssl_debug_printf("ssl_decrypt_record failed: input %d has no space for nonce %d\n",
+ inl, SSL_EX_NONCE_LEN_GCM);
+ return -1;
+ }
+ memcpy(gcm_nonce, decoder->write_iv.data, decoder->write_iv.data_len); /* salt */
+ memcpy(gcm_nonce + decoder->write_iv.data_len, in, SSL_EX_NONCE_LEN_GCM);
+ /* NIST SP 800-38D, sect. 7.2 says that the 32-bit counter part starts
+ * at 1, and gets incremented before passing to the block cipher. */
+ gcm_nonce[4 + SSL_EX_NONCE_LEN_GCM + 3] = 2;
+ pad = gcry_cipher_setctr (decoder->evp, gcm_nonce, sizeof (gcm_nonce));
+ if (pad != 0) {
+ ssl_debug_printf("ssl_decrypt_record failed: failed to set CTR: %s %s\n",
+ gcry_strsource (pad), gcry_strerror (pad));
+ return -1;
+ }
+ inl -= SSL_EX_NONCE_LEN_GCM;
+ in += SSL_EX_NONCE_LEN_GCM;
+ }
+
/* First decrypt*/
if ((pad = ssl_cipher_decrypt(&decoder->evp, out_str->data, out_str->data_len, in, inl))!= 0) {
ssl_debug_printf("ssl_decrypt_record failed: ssl_cipher_decrypt: %s %s\n", gcry_strsource (pad),
ssl_print_data("Plaintext", out_str->data, inl);
worklen=inl;
- /* Now strip off the padding*/
- if(decoder->cipher_suite->block!=1) {
+ /* RFC 5116 sect 5.1/5.3: AES128/256 GCM/CCM uses 16 bytes for auth tag */
+ if (decoder->cipher_suite->mode == SSL_CIPHER_MODE_GCM) {
+ if (worklen < 16) {
+ ssl_debug_printf("ssl_decrypt_record failed: missing tag, work %d\n", worklen);
+ return -1;
+ }
+ /* XXX - validate auth tag */
+ worklen -= 16;
+ }
+
+ /* strip padding for GenericBlockCipher */
+ if (decoder->cipher_suite->mode == SSL_CIPHER_MODE_CBC) {
pad=out_str->data[inl-1];
+ if (worklen <= pad) {
+ ssl_debug_printf("ssl_decrypt_record failed: padding %d too large for work %d\n",
+ pad, worklen);
+ return -1;
+ }
worklen-=(pad+1);
ssl_debug_printf("ssl_decrypt_record found padding %d final len %d\n",
pad, worklen);
}
- /* And the MAC */
- if (decoder->cipher_suite->dig_len > (gint)worklen)
- {
- ssl_debug_printf("ssl_decrypt_record wrong record len/padding outlen %d\n work %d\n",*outl, worklen);
- return -1;
+ /* MAC for GenericStreamCipher and GenericBlockCipher */
+ if (decoder->cipher_suite->mode == SSL_CIPHER_MODE_STREAM ||
+ decoder->cipher_suite->mode == SSL_CIPHER_MODE_CBC) {
+ if (ssl_cipher_suite_dig(decoder->cipher_suite)->len > (gint)worklen) {
+ ssl_debug_printf("ssl_decrypt_record wrong record len/padding outlen %d\n work %d\n",*outl, worklen);
+ return -1;
+ }
+ worklen-=ssl_cipher_suite_dig(decoder->cipher_suite)->len;
+ mac = out_str->data + worklen;
+ } else /* if (decoder->cipher_suite->mode == SSL_CIPHER_MODE_GCM) */ {
+ /* GenericAEADCipher has no MAC */
+ goto skip_mac;
}
- worklen-=decoder->cipher_suite->dig_len;
- mac = out_str->data + worklen;
- /* if TLS 1.1 or 1.2 we use the transmitted IV and remove it after (to not modify dissector in others parts)*/
- if(ssl->version_netorder==TLSV1DOT1_VERSION || ssl->version_netorder==TLSV1DOT2_VERSION){
- /* if stream cipher used, IV is not contained */
- worklen=worklen-(decoder->cipher_suite->block!=1 ? decoder->cipher_suite->block : 0);
- memcpy(out_str->data,out_str->data+(decoder->cipher_suite->block!=1 ? decoder->cipher_suite->block : 0),worklen);
- }
- if(ssl->version_netorder==DTLSV1DOT0_VERSION ||
- ssl->version_netorder==DTLSV1DOT2_VERSION ||
- ssl->version_netorder==DTLSV1DOT0_VERSION_NOT){
- worklen=worklen-decoder->cipher_suite->block;
- memcpy(out_str->data,out_str->data+decoder->cipher_suite->block,worklen);
- }
/* Now check the MAC */
ssl_debug_printf("checking mac (len %d, version %X, ct %d seq %d)\n",
worklen, ssl->version_netorder, ct, decoder->seq);
return -1;
}
}
+skip_mac:
*outl = worklen;
*/
gnutls_x509_privkey_t priv_key;
gnutls_datum_t key;
- gint size, ret;
+ long size;
+ gint ret;
guint bytes;
- Ssl_private_key_t *private_key = g_malloc0(sizeof(Ssl_private_key_t));
+ Ssl_private_key_t *private_key = (Ssl_private_key_t *)g_malloc0(sizeof(Ssl_private_key_t));
/* init private key data*/
gnutls_x509_privkey_init(&priv_key);
g_free(private_key);
return NULL;
}
- key.data = g_malloc(size);
- key.size = size;
+ key.data = (unsigned char *)g_malloc(size);
+ key.size = (int)size;
bytes = (guint) fread(key.data, 1, key.size, fp);
if (bytes < key.size) {
ssl_debug_printf("ssl_load_key: can't read from file %d bytes, got %d\n",
}
}
-Ssl_private_key_t *
-ssl_load_pkcs12(FILE* fp, const gchar *cert_passwd) {
+/**
+ * Load a RSA private key from a PKCS#12 file.
+ * @param fp the file that contains the key data.
+ * @param cert_passwd password to decrypt the PKCS#12 file.
+ * @param[out] err error message upon failure; NULL upon success.
+ * @return a pointer to the loaded key on success; NULL upon failure.
+ */
+static Ssl_private_key_t *
+ssl_load_pkcs12(FILE* fp, const gchar *cert_passwd, const char** err) {
int i, j, ret;
int rest;
gnutls_x509_crt_t ssl_cert = NULL;
gnutls_x509_privkey_t ssl_pkey = NULL;
- Ssl_private_key_t *private_key = g_malloc0(sizeof(Ssl_private_key_t));
+ Ssl_private_key_t *private_key = (Ssl_private_key_t *)g_malloc0(sizeof(Ssl_private_key_t));
+ *err = NULL;
rest = 4096;
- data.data = g_malloc(rest);
+ data.data = (unsigned char *)g_malloc(rest);
data.size = rest;
p = data.data;
while ((len = fread(p, 1, rest, fp)) > 0) {
rest -= (int) len;
if (!rest) {
rest = 1024;
- data.data = g_realloc(data.data, data.size + rest);
+ data.data = (unsigned char *)g_realloc(data.data, data.size + rest);
p = data.data + data.size;
data.size += rest;
}
data.size -= rest;
ssl_debug_printf("%d bytes read\n", data.size);
if (!feof(fp)) {
- ssl_debug_printf( "Error during certificate reading.\n");
+ *err = "Error during certificate reading.";
+ ssl_debug_printf("%s\n", *err);
g_free(private_key);
+ g_free(data.data);
return 0;
}
ret = gnutls_pkcs12_init(&ssl_p12);
if (ret < 0) {
- ssl_debug_printf("gnutls_pkcs12_init(&st_p12) - %s", gnutls_strerror(ret));
+ *err = wmem_strdup_printf(wmem_file_scope(), "gnutls_pkcs12_init(&st_p12) - %s", gnutls_strerror(ret));
+ ssl_debug_printf("%s\n", *err);
g_free(private_key);
+ g_free(data.data);
return 0;
}
+
+ /* load PKCS#12 in DER or PEM format */
ret = gnutls_pkcs12_import(ssl_p12, &data, GNUTLS_X509_FMT_DER, 0);
+ if (ret < 0) {
+ *err = wmem_strdup_printf(wmem_file_scope(), "could not load PKCS#12 in DER format: %s", gnutls_strerror(ret));
+ ssl_debug_printf("%s\n", *err);
+
+ ret = gnutls_pkcs12_import(ssl_p12, &data, GNUTLS_X509_FMT_PEM, 0);
+ if (ret < 0) {
+ *err = wmem_strdup_printf(wmem_file_scope(), "could not load PKCS#12 in PEM format: %s", gnutls_strerror(ret));
+ ssl_debug_printf("%s\n", *err);
+ } else {
+ *err = NULL;
+ }
+ }
g_free(data.data);
if (ret < 0) {
- ssl_debug_printf("gnutls_pkcs12_import(ssl_p12, &data, GNUTLS_X509_FMT_DER, 0) - %s\n", gnutls_strerror(ret));
g_free(private_key);
return 0;
}
ret = gnutls_x509_crt_init(&ssl_cert);
if (ret < 0) {
- ssl_debug_printf( "gnutls_x509_crt_init(&ssl_cert) - %s\n", gnutls_strerror(ret));
+ *err = wmem_strdup_printf(wmem_file_scope(), "gnutls_x509_crt_init(&ssl_cert) - %s", gnutls_strerror(ret));
+ ssl_debug_printf("%s\n", *err);
g_free(private_key);
return 0;
}
ret = gnutls_x509_crt_import(ssl_cert, &data, GNUTLS_X509_FMT_DER);
if (ret < 0) {
- ssl_debug_printf( "gnutls_x509_crt_import(ssl_cert, &data, GNUTLS_X509_FMT_DER) - %s\n", gnutls_strerror(ret));
+ *err = wmem_strdup_printf(wmem_file_scope(), "gnutls_x509_crt_import(ssl_cert, &data, GNUTLS_X509_FMT_DER) - %s", gnutls_strerror(ret));
+ ssl_debug_printf("%s\n", *err);
g_free(private_key);
return 0;
}
ret = gnutls_x509_privkey_init(&ssl_pkey);
if (ret < 0) {
- ssl_debug_printf( "gnutls_x509_privkey_init(&ssl_pkey) - %s\n", gnutls_strerror(ret));
+ *err = wmem_strdup_printf(wmem_file_scope(), "gnutls_x509_privkey_init(&ssl_pkey) - %s", gnutls_strerror(ret));
+ ssl_debug_printf("%s\n", *err);
g_free(private_key);
return 0;
}
ret = gnutls_x509_privkey_import_pkcs8(ssl_pkey, &data, GNUTLS_X509_FMT_DER, cert_passwd,
(bag_type==GNUTLS_BAG_PKCS8_KEY) ? GNUTLS_PKCS_PLAIN : 0);
if (ret < 0) {
- ssl_debug_printf( "Can not decrypt private key - %s\n", gnutls_strerror(ret));
+ *err = wmem_strdup_printf(wmem_file_scope(), "Can not decrypt private key - %s", gnutls_strerror(ret));
+ ssl_debug_printf("%s\n", *err);
g_free(private_key);
return 0;
}
if (gnutls_x509_privkey_get_pk_algorithm(ssl_pkey) != GNUTLS_PK_RSA) {
- ssl_debug_printf("ssl_load_pkcs12: private key public key algorithm isn't RSA\n");
+ *err = "ssl_load_pkcs12: private key public key algorithm isn't RSA";
+ ssl_debug_printf("%s\n", *err);
g_free(private_key);
return 0;
}
private_key->x509_pkey = ssl_pkey;
private_key->sexp_pkey = ssl_privkey_to_sexp(ssl_pkey);
if ( !private_key->sexp_pkey ) {
+ *err = "ssl_load_pkcs12: could not create sexp_pkey";
+ ssl_debug_printf("%s\n", *err);
g_free(private_key);
return NULL;
}
Ssl_private_key_t * private_key;
if (!ssl_session) {
- return 0;
+ return 0;
}
/* we need to know which side of the conversation is speaking */
ssl_session->private_key = 0;
- private_key = g_hash_table_lookup(key_hash, &dummy);
+ private_key = (Ssl_private_key_t *)g_hash_table_lookup(key_hash, &dummy);
if (!private_key) {
ssl_debug_printf("ssl_find_private_key can't find private key for this server! Try it again with universal port 0\n");
dummy.port = 0;
- private_key = g_hash_table_lookup(key_hash, &dummy);
+ private_key = (Ssl_private_key_t *)g_hash_table_lookup(key_hash, &dummy);
}
if (!private_key) {
dummy.addr.data = ip_addr_any;
dummy.port = port;
- private_key = g_hash_table_lookup(key_hash, &dummy);
+ private_key = (Ssl_private_key_t *)g_hash_table_lookup(key_hash, &dummy);
}
if (!private_key) {
}
Ssl_private_key_t *
-ssl_load_pkcs12(FILE* fp, const gchar *cert_passwd _U_) {
+ssl_load_pkcs12(FILE* fp, const gchar *cert_passwd _U_, const char** err) {
+ *err = NULL;
ssl_debug_printf("ssl_load_pkcs12: impossible without gnutls. fp %p\n",fp);
return NULL;
}
{
SslAssociation* assoc;
- assoc = g_malloc(sizeof(SslAssociation));
+ assoc = (SslAssociation *)g_malloc(sizeof(SslAssociation));
assoc->tcp = tcp;
assoc->ssl_port = port;
gint
ssl_association_cmp(gconstpointer a, gconstpointer b)
{
- const SslAssociation *assoc_a=a, *assoc_b=b;
+ const SslAssociation *assoc_a=(SslAssociation *)a, *assoc_b=(SslAssociation *)b;
if (assoc_a->tcp != assoc_b->tcp) return (assoc_a->tcp)?1:-1;
return assoc_a->ssl_port - assoc_b->ssl_port;
}
assoc_tmp.tcp = tcp;
assoc_tmp.ssl_port = port;
- ret = g_tree_lookup(associations, &assoc_tmp);
+ ret = (SslAssociation *)g_tree_lookup(associations, &assoc_tmp);
ssl_debug_printf("association_find: %s port %d found %p\n", (tcp)?"TCP":"UDP", port, (void *)ret);
return ret;
SslRecordInfo* rec;
SslPacketInfo* pi;
- pi = p_get_proto_data(pinfo->fd, proto);
+ pi = (SslPacketInfo *)p_get_proto_data(pinfo->fd, proto, 0);
if (!pi)
{
- pi = se_alloc0(sizeof(SslPacketInfo));
- p_add_proto_data(pinfo->fd, proto, pi);
+ pi = (SslPacketInfo *)wmem_alloc0(wmem_file_scope(), sizeof(SslPacketInfo));
+ p_add_proto_data(pinfo->fd, proto, 0, pi);
}
- real_data = se_alloc(data_len);
+ real_data = (guchar *)wmem_alloc(wmem_file_scope(), data_len);
memcpy(real_data, data, data_len);
- rec = se_alloc(sizeof(SslRecordInfo));
+ rec = (SslRecordInfo *)wmem_alloc(wmem_file_scope(), sizeof(SslRecordInfo));
rec->id = record_id;
rec->real_data = real_data;
rec->data_len = data_len;
{
SslRecordInfo* rec;
SslPacketInfo* pi;
- pi = p_get_proto_data(pinfo->fd, proto);
+ pi = (SslPacketInfo *)p_get_proto_data(pinfo->fd, proto, 0);
if (!pi)
return NULL;
SslDataInfo *rec, **prec;
SslPacketInfo *pi;
- pi = p_get_proto_data(pinfo->fd, proto);
+ pi = (SslPacketInfo *)p_get_proto_data(pinfo->fd, proto, 0);
if (!pi)
{
- pi = se_alloc0(sizeof(SslPacketInfo));
- p_add_proto_data(pinfo->fd, proto,pi);
+ pi = (SslPacketInfo *)wmem_alloc0(wmem_file_scope(), sizeof(SslPacketInfo));
+ p_add_proto_data(pinfo->fd, proto, 0, pi);
}
- rec = se_alloc(sizeof(SslDataInfo)+data_len);
+ rec = (SslDataInfo *)wmem_alloc(wmem_file_scope(), sizeof(SslDataInfo)+data_len);
rec->key = key;
rec->plain_data.data = (guchar*)(rec + 1);
memcpy(rec->plain_data.data, data, data_len);
{
SslDataInfo* rec;
SslPacketInfo* pi;
- pi = p_get_proto_data(pinfo->fd, proto);
+ pi = (SslPacketInfo *)p_get_proto_data(pinfo->fd, proto, 0);
if (!pi) return NULL;
if ((gint)strlen(uats->password) == 0) {
private_key = ssl_load_key(fp);
} else {
- private_key = ssl_load_pkcs12(fp, uats->password);
+ const char *err = NULL;
+ private_key = ssl_load_pkcs12(fp, uats->password, &err);
+ if (err) {
+ fprintf(stderr, "%s\n", err);
+ }
}
if (!private_key) {
return;
}
- service = g_malloc(sizeof(SslService) + addr_len);
+ service = (SslService *)g_malloc(sizeof(SslService) + addr_len);
service->addr.type = addr_type[at];
service->addr.len = addr_len;
service->addr.data = ((guchar*)service) + sizeof(SslService);
ssl_debug_printf("ssl_init private key file %s successfully loaded.\n", uats->keyfile);
/* if item exists, remove first */
- tmp_private_key = g_hash_table_lookup(key_hash, service);
+ tmp_private_key = (Ssl_private_key_t *)g_hash_table_lookup(key_hash, service);
if (tmp_private_key) {
g_hash_table_remove(key_hash, service);
ssl_free_key(tmp_private_key);
/* allocate stringinfo chunks for session id and master secret data*/
StringInfo* session_id;
StringInfo* master_secret;
- session_id = se_alloc0(sizeof(StringInfo) + ssl->session_id.data_len);
- master_secret = se_alloc0(48 + sizeof(StringInfo));
+ session_id = (StringInfo *)wmem_alloc0(wmem_file_scope(), sizeof(StringInfo) + ssl->session_id.data_len);
+ master_secret = (StringInfo *)wmem_alloc0(wmem_file_scope(), 48 + sizeof(StringInfo));
master_secret->data = ((guchar*)master_secret+sizeof(StringInfo));
ssl_restore_session(SslDecryptSession* ssl, GHashTable *session_hash)
{
StringInfo* ms;
- ms = g_hash_table_lookup(session_hash, &ssl->session_id);
+ ms = (StringInfo *)g_hash_table_lookup(session_hash, &ssl->session_id);
if (!ms) {
ssl_debug_printf("ssl_restore_session can't find stored session\n");
return FALSE;
out->data_len = (guint)hex_len/2;
- out->data = se_alloc(out->data_len);
+ out->data = (guchar *)wmem_alloc(wmem_file_scope(), out->data_len);
for (i = 0; i < out->data_len; i++) {
guint8 a = from_hex_char(in[i*2]);
guint8 b = from_hex_char(in[i*2 + 1]);
line[bytes_read - 1] = 0;
bytes_read--;
}
+ if (bytes_read > 0 && line[bytes_read - 1] == '\r') {
+ line[bytes_read - 1] = 0;
+ bytes_read--;
+ }
ssl_debug_printf(" checking keylog line: %s\n", line);
if (!use_stderr && ssl_debug_file)
debug_file_must_be_closed = 1;
- ssl_debug_printf("Wireshark SSL debug log " VERSION
-#ifdef SVNVERSION
- " (" SVNVERSION " from " SVNPATH ")"
-#endif
- "\n\n");
+ ssl_debug_printf("Wireshark SSL debug log \n\n");
}
void
return;
fprintf(ssl_debug_file,"%s[%d]:\n",name, (int) len);
for (i=0; i<len; i+=16) {
+ fprintf(ssl_debug_file,"| ");
for (j=i, k=0; k<16 && j<len; ++j, ++k)
fprintf(ssl_debug_file,"%.2x ",data[j]);
for (; k<16; ++k)
fprintf(ssl_debug_file," ");
- fprintf(ssl_debug_file,"|");
- for (j=i, k=0; k<16 && j<len; ++j, ++k)
- fprintf(ssl_debug_file,"%c",isprint(data[j]) ? data[j] : '.');
+ fputc('|', ssl_debug_file);
+ for (j=i, k=0; k<16 && j<len; ++j, ++k) {
+ guchar c = data[j];
+ if (!isprint(c) || (c=='\t')) c = '.';
+ fputc(c, ssl_debug_file);
+ }
+ for (; k<16; ++k)
+ fputc(' ', ssl_debug_file);
fprintf(ssl_debug_file,"|\n");
}
}
/* checks for SSL and DTLS UAT key list fields */
gboolean
-ssldecrypt_uat_fld_ip_chk_cb(void* r _U_, const char* p, unsigned len _U_, const void* u1 _U_, const void* u2 _U_, const char** err)
+ssldecrypt_uat_fld_ip_chk_cb(void* r _U_, const char* p, guint len _U_, const void* u1 _U_, const void* u2 _U_, const char** err)
{
if (!p || strlen(p) == 0u) {
*err = ep_strdup_printf("No IP address given.");
}
gboolean
-ssldecrypt_uat_fld_port_chk_cb(void* r _U_, const char* p, unsigned len _U_, const void* u1 _U_, const void* u2 _U_, const char** err)
+ssldecrypt_uat_fld_port_chk_cb(void* r _U_, const char* p, guint len _U_, const void* u1 _U_, const void* u2 _U_, const char** err)
{
if (!p || strlen(p) == 0u) {
*err = ep_strdup_printf("No Port given.");
if (strcmp(p, "start_tls") != 0){
const gint i = atoi(p);
- if (i <= 0 || i > 65535) {
+ if (i < 0 || i > 65535) {
*err = ep_strdup_printf("Invalid port given.");
return FALSE;
}
}
gboolean
-ssldecrypt_uat_fld_protocol_chk_cb(void* r _U_, const char* p, unsigned len _U_, const void* u1 _U_, const void* u2 _U_, const char** err)
+ssldecrypt_uat_fld_protocol_chk_cb(void* r _U_, const char* p, guint len _U_, const void* u1 _U_, const void* u2 _U_, const char** err)
{
if (!p || strlen(p) == 0u) {
*err = ep_strdup_printf("No protocol given.");
}
gboolean
-ssldecrypt_uat_fld_fileopen_chk_cb(void* r _U_, const char* p, unsigned len _U_, const void* u1 _U_, const void* u2 _U_, const char** err)
+ssldecrypt_uat_fld_fileopen_chk_cb(void* r _U_, const char* p, guint len _U_, const void* u1 _U_, const void* u2 _U_, const char** err)
{
ws_statb64 st;
}
gboolean
-ssldecrypt_uat_fld_password_chk_cb(void* r _U_, const char* p, unsigned len _U_, const void* u1 _U_, const void* u2 _U_, const char ** err)
+ssldecrypt_uat_fld_password_chk_cb(void* r _U_, const char* p, guint len _U_, const void* u1 _U_, const void* u2 _U_, const char ** err)
{
- ssldecrypt_assoc_t* f = r;
+ ssldecrypt_assoc_t* f = (ssldecrypt_assoc_t *)r;
FILE *fp = NULL;
if (p && (strlen(p) > 0u)) {
fp = ws_fopen(f->keyfile, "rb");
if (fp) {
- if (!ssl_load_pkcs12(fp, p)) {
+ const char *msg = NULL;
+ if (!ssl_load_pkcs12(fp, p, &msg)) {
fclose(fp);
- *err = ep_strdup_printf("Invalid. Password is necessary only if you use PKCS#12 key file.");
+ *err = ep_strdup_printf("Could not load PKCS#12 key file: %s", msg);
return FALSE;
}
fclose(fp);