1 files changed, 82 insertions, 3 deletions
diff --git a/src/lib/libssl/tls1.h b/src/lib/libssl/tls1.h
index 60978613ef..88ec5fb527 100644
--- a/src/lib/libssl/tls1.h
+++ b/src/lib/libssl/tls1.h
@@ -59,12 +59,14 @@
 #ifndef HEADER_TLS1_H 
 #define HEADER_TLS1_H 
-#include "buffer.h"
+#include <openssl/buffer.h>
 #ifdef  __cplusplus
 extern "C" {
 #endif
+#define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES    1
 #define TLS1_VERSION                    0x0301
 #define TLS1_VERSION_MAJOR              0x03
 #define TLS1_VERSION_MINOR              0x01
@@ -75,13 +77,71 @@ extern "C" {
 #define TLS1_AD_ACCESS_DENIED           49      /* fatal */
 #define TLS1_AD_DECODE_ERROR            50      /* fatal */
 #define TLS1_AD_DECRYPT_ERROR           51
-#define TLS1_AD_EXPORT_RESTRICION       60      /* fatal */
+#define TLS1_AD_EXPORT_RESTRICTION      60      /* fatal */
 #define TLS1_AD_PROTOCOL_VERSION        70      /* fatal */
 #define TLS1_AD_INSUFFICIENT_SECURITY   71      /* fatal */
 #define TLS1_AD_INTERNAL_ERROR          80      /* fatal */
-#define TLS1_AD_USER_CANCLED            90
+#define TLS1_AD_USER_CANCELLED          90
 #define TLS1_AD_NO_RENEGOTIATION        100
+/* Additional TLS ciphersuites from draft-ietf-tls-56-bit-ciphersuites-00.txt
+ * (available if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES is defined, see
+ * s3_lib.c).  We actually treat them like SSL 3.0 ciphers, which we probably
+ * shouldn't. */
+#define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5          0x03000060
+#define TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5      0x03000061
+#define TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA         0x03000062
+#define TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA     0x03000063
+#define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA          0x03000064
+#define TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA      0x03000065
+#define TLS1_CK_DHE_DSS_WITH_RC4_128_SHA                0x03000066
+  /* AES ciphersuites from draft ietf-tls-ciphersuite-03.txt */
+#define TLS1_CK_RSA_WITH_AES_128_SHA                    0x0300002F
+#define TLS1_CK_DH_DSS_WITH_AES_128_SHA                 0x03000030
+#define TLS1_CK_DH_RSA_WITH_AES_128_SHA                 0x03000031
+#define TLS1_CK_DHE_DSS_WITH_AES_128_SHA                0x03000032
+#define TLS1_CK_DHE_RSA_WITH_AES_128_SHA                0x03000033
+#define TLS1_CK_ADH_WITH_AES_128_SHA                    0x03000034
+#define TLS1_CK_RSA_WITH_AES_256_SHA                    0x03000035
+#define TLS1_CK_DH_DSS_WITH_AES_256_SHA                 0x03000036
+#define TLS1_CK_DH_RSA_WITH_AES_256_SHA                 0x03000037
+#define TLS1_CK_DHE_DSS_WITH_AES_256_SHA                0x03000038
+#define TLS1_CK_DHE_RSA_WITH_AES_256_SHA                0x03000039
+#define TLS1_CK_ADH_WITH_AES_256_SHA                    0x0300003A
+/* XXX
+ * Inconsistency alert:
+ * The OpenSSL names of ciphers with ephemeral DH here include the string
+ * "DHE", while elsewhere it has always been "EDH".
+ * (The alias for the list of all such ciphers also is "EDH".)
+ * The specifications speak of "EDH"; maybe we should allow both forms
+ * for everything. */
+#define TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5         "EXP1024-RC4-MD5"
+#define TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5     "EXP1024-RC2-CBC-MD5"
+#define TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA        "EXP1024-DES-CBC-SHA"
+#define TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA    "EXP1024-DHE-DSS-DES-CBC-SHA"
+#define TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA         "EXP1024-RC4-SHA"
+#define TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA     "EXP1024-DHE-DSS-RC4-SHA"
+#define TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA               "DHE-DSS-RC4-SHA"
+  /* AES ciphersuites from draft-ietf-tls-ciphersuite-06.txt */
+#define TLS1_TXT_RSA_WITH_AES_128_SHA                   "AESdraft128-SHA"
+#define TLS1_TXT_DH_DSS_WITH_AES_128_SHA                "DH-DSS-AESdraft128-SHA"
+#define TLS1_TXT_DH_RSA_WITH_AES_128_SHA                "DH-RSA-AESdraft128-SHA"
+#define TLS1_TXT_DHE_DSS_WITH_AES_128_SHA               "DHE-DSS-AESdraft128-SHA"
+#define TLS1_TXT_DHE_RSA_WITH_AES_128_SHA               "DHE-RSA-AESdraft128-SHA"
+#define TLS1_TXT_ADH_WITH_AES_128_SHA                   "ADH-AESdraft128-SHA"
+#define TLS1_TXT_RSA_WITH_AES_256_SHA                   "AESdraft256-SHA"
+#define TLS1_TXT_DH_DSS_WITH_AES_256_SHA                "DH-DSS-AESdraft256-SHA"
+#define TLS1_TXT_DH_RSA_WITH_AES_256_SHA                "DH-RSA-AESdraft256-SHA"
+#define TLS1_TXT_DHE_DSS_WITH_AES_256_SHA               "DHE-DSS-AESdraft256-SHA"
+#define TLS1_TXT_DHE_RSA_WITH_AES_256_SHA               "DHE-RSA-AESdraft256-SHA"
+#define TLS1_TXT_ADH_WITH_AES_256_SHA                   "ADH-AESdraft256-SHA"
 #define TLS_CT_RSA_SIGN                 1
 #define TLS_CT_DSS_SIGN                 2
 #define TLS_CT_RSA_FIXED_DH             3
@@ -108,6 +168,25 @@ extern "C" {
 #define TLS_MD_MASTER_SECRET_CONST              "master secret"
 #define TLS_MD_MASTER_SECRET_CONST_SIZE         13
+#ifdef CHARSET_EBCDIC
+#undef TLS_MD_CLIENT_FINISH_CONST
+#define TLS_MD_CLIENT_FINISH_CONST    "\x63\x6c\x69\x65\x6e\x74\x20\x66\x69\x6e\x69\x73\x68\x65\x64"  /*client finished*/
+#undef TLS_MD_SERVER_FINISH_CONST
+#define TLS_MD_SERVER_FINISH_CONST    "\x73\x65\x72\x76\x65\x72\x20\x66\x69\x6e\x69\x73\x68\x65\x64"  /*server finished*/
+#undef TLS_MD_SERVER_WRITE_KEY_CONST
+#define TLS_MD_SERVER_WRITE_KEY_CONST "\x73\x65\x72\x76\x65\x72\x20\x77\x72\x69\x74\x65\x20\x6b\x65\x79"  /*server write key*/
+#undef TLS_MD_KEY_EXPANSION_CONST
+#define TLS_MD_KEY_EXPANSION_CONST    "\x6b\x65\x79\x20\x65\x78\x70\x61\x6e\x73\x69\x6f\x6e"  /*key expansion*/
+#undef TLS_MD_CLIENT_WRITE_KEY_CONST
+#define TLS_MD_CLIENT_WRITE_KEY_CONST "\x63\x6c\x69\x65\x6e\x74\x20\x77\x72\x69\x74\x65\x20\x6b\x65\x79"  /*client write key*/
+#undef TLS_MD_SERVER_WRITE_KEY_CONST
+#define TLS_MD_SERVER_WRITE_KEY_CONST "\x73\x65\x72\x76\x65\x72\x20\x77\x72\x69\x74\x65\x20\x6b\x65\x79"  /*server write key*/
+#undef TLS_MD_IV_BLOCK_CONST
+#define TLS_MD_IV_BLOCK_CONST         "\x49\x56\x20\x62\x6c\x6f\x63\x6b"  /*IV block*/
+#undef TLS_MD_MASTER_SECRET_CONST
+#define TLS_MD_MASTER_SECRET_CONST    "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74"  /*master secret*/
+#endif
 #ifdef  __cplusplus
 }
 #endif

diff --git a/src/lib/libssl/tls1.h b/src/lib/libssl/tls1.h index 60978613ef..88ec5fb527 100644 --- a/src/lib/libssl/tls1.h +++ b/src/lib/libssl/tls1.h
@@ -59,12 +59,14 @@
59	#ifndef HEADER_TLS1_H	59	#ifndef HEADER_TLS1_H
60	#define HEADER_TLS1_H	60	#define HEADER_TLS1_H
61		61
62	#include "buffer.h"	62	#include <openssl/buffer.h>
63		63
64	#ifdef __cplusplus	64	#ifdef __cplusplus
65	extern "C" {	65	extern "C" {
66	#endif	66	#endif
67		67
		68	#define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 1
		69
68	#define TLS1_VERSION 0x0301	70	#define TLS1_VERSION 0x0301
69	#define TLS1_VERSION_MAJOR 0x03	71	#define TLS1_VERSION_MAJOR 0x03
70	#define TLS1_VERSION_MINOR 0x01	72	#define TLS1_VERSION_MINOR 0x01
@@ -75,13 +77,71 @@ extern "C" {
75	#define TLS1_AD_ACCESS_DENIED 49 /* fatal */	77	#define TLS1_AD_ACCESS_DENIED 49 /* fatal */
76	#define TLS1_AD_DECODE_ERROR 50 /* fatal */	78	#define TLS1_AD_DECODE_ERROR 50 /* fatal */
77	#define TLS1_AD_DECRYPT_ERROR 51	79	#define TLS1_AD_DECRYPT_ERROR 51
78	#define TLS1_AD_EXPORT_RESTRICION 60 /* fatal */	80	#define TLS1_AD_EXPORT_RESTRICTION 60 /* fatal */
79	#define TLS1_AD_PROTOCOL_VERSION 70 /* fatal */	81	#define TLS1_AD_PROTOCOL_VERSION 70 /* fatal */
80	#define TLS1_AD_INSUFFICIENT_SECURITY 71 /* fatal */	82	#define TLS1_AD_INSUFFICIENT_SECURITY 71 /* fatal */
81	#define TLS1_AD_INTERNAL_ERROR 80 /* fatal */	83	#define TLS1_AD_INTERNAL_ERROR 80 /* fatal */
82	#define TLS1_AD_USER_CANCLED 90	84	#define TLS1_AD_USER_CANCELLED 90
83	#define TLS1_AD_NO_RENEGOTIATION 100	85	#define TLS1_AD_NO_RENEGOTIATION 100
84		86
		87	/* Additional TLS ciphersuites from draft-ietf-tls-56-bit-ciphersuites-00.txt
		88	* (available if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES is defined, see
		89	* s3_lib.c). We actually treat them like SSL 3.0 ciphers, which we probably
		90	* shouldn't. */
		91	#define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5 0x03000060
		92	#define TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 0x03000061
		93	#define TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA 0x03000062
		94	#define TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA 0x03000063
		95	#define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA 0x03000064
		96	#define TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA 0x03000065
		97	#define TLS1_CK_DHE_DSS_WITH_RC4_128_SHA 0x03000066
		98
		99	/* AES ciphersuites from draft ietf-tls-ciphersuite-03.txt */
		100
		101	#define TLS1_CK_RSA_WITH_AES_128_SHA 0x0300002F
		102	#define TLS1_CK_DH_DSS_WITH_AES_128_SHA 0x03000030
		103	#define TLS1_CK_DH_RSA_WITH_AES_128_SHA 0x03000031
		104	#define TLS1_CK_DHE_DSS_WITH_AES_128_SHA 0x03000032
		105	#define TLS1_CK_DHE_RSA_WITH_AES_128_SHA 0x03000033
		106	#define TLS1_CK_ADH_WITH_AES_128_SHA 0x03000034
		107
		108	#define TLS1_CK_RSA_WITH_AES_256_SHA 0x03000035
		109	#define TLS1_CK_DH_DSS_WITH_AES_256_SHA 0x03000036
		110	#define TLS1_CK_DH_RSA_WITH_AES_256_SHA 0x03000037
		111	#define TLS1_CK_DHE_DSS_WITH_AES_256_SHA 0x03000038
		112	#define TLS1_CK_DHE_RSA_WITH_AES_256_SHA 0x03000039
		113	#define TLS1_CK_ADH_WITH_AES_256_SHA 0x0300003A
		114
		115	/* XXX
		116	* Inconsistency alert:
		117	* The OpenSSL names of ciphers with ephemeral DH here include the string
		118	* "DHE", while elsewhere it has always been "EDH".
		119	* (The alias for the list of all such ciphers also is "EDH".)
		120	* The specifications speak of "EDH"; maybe we should allow both forms
		121	* for everything. */
		122	#define TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5 "EXP1024-RC4-MD5"
		123	#define TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 "EXP1024-RC2-CBC-MD5"
		124	#define TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA "EXP1024-DES-CBC-SHA"
		125	#define TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA "EXP1024-DHE-DSS-DES-CBC-SHA"
		126	#define TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA "EXP1024-RC4-SHA"
		127	#define TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA "EXP1024-DHE-DSS-RC4-SHA"
		128	#define TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA "DHE-DSS-RC4-SHA"
		129	/* AES ciphersuites from draft-ietf-tls-ciphersuite-06.txt */
		130	#define TLS1_TXT_RSA_WITH_AES_128_SHA "AESdraft128-SHA"
		131	#define TLS1_TXT_DH_DSS_WITH_AES_128_SHA "DH-DSS-AESdraft128-SHA"
		132	#define TLS1_TXT_DH_RSA_WITH_AES_128_SHA "DH-RSA-AESdraft128-SHA"
		133	#define TLS1_TXT_DHE_DSS_WITH_AES_128_SHA "DHE-DSS-AESdraft128-SHA"
		134	#define TLS1_TXT_DHE_RSA_WITH_AES_128_SHA "DHE-RSA-AESdraft128-SHA"
		135	#define TLS1_TXT_ADH_WITH_AES_128_SHA "ADH-AESdraft128-SHA"
		136
		137	#define TLS1_TXT_RSA_WITH_AES_256_SHA "AESdraft256-SHA"
		138	#define TLS1_TXT_DH_DSS_WITH_AES_256_SHA "DH-DSS-AESdraft256-SHA"
		139	#define TLS1_TXT_DH_RSA_WITH_AES_256_SHA "DH-RSA-AESdraft256-SHA"
		140	#define TLS1_TXT_DHE_DSS_WITH_AES_256_SHA "DHE-DSS-AESdraft256-SHA"
		141	#define TLS1_TXT_DHE_RSA_WITH_AES_256_SHA "DHE-RSA-AESdraft256-SHA"
		142	#define TLS1_TXT_ADH_WITH_AES_256_SHA "ADH-AESdraft256-SHA"
		143
		144
85	#define TLS_CT_RSA_SIGN 1	145	#define TLS_CT_RSA_SIGN 1
86	#define TLS_CT_DSS_SIGN 2	146	#define TLS_CT_DSS_SIGN 2
87	#define TLS_CT_RSA_FIXED_DH 3	147	#define TLS_CT_RSA_FIXED_DH 3
@@ -108,6 +168,25 @@ extern "C" {
108	#define TLS_MD_MASTER_SECRET_CONST "master secret"	168	#define TLS_MD_MASTER_SECRET_CONST "master secret"
109	#define TLS_MD_MASTER_SECRET_CONST_SIZE 13	169	#define TLS_MD_MASTER_SECRET_CONST_SIZE 13
110		170
		171	#ifdef CHARSET_EBCDIC
		172	#undef TLS_MD_CLIENT_FINISH_CONST
		173	#define TLS_MD_CLIENT_FINISH_CONST "\x63\x6c\x69\x65\x6e\x74\x20\x66\x69\x6e\x69\x73\x68\x65\x64" /client finished/
		174	#undef TLS_MD_SERVER_FINISH_CONST
		175	#define TLS_MD_SERVER_FINISH_CONST "\x73\x65\x72\x76\x65\x72\x20\x66\x69\x6e\x69\x73\x68\x65\x64" /server finished/
		176	#undef TLS_MD_SERVER_WRITE_KEY_CONST
		177	#define TLS_MD_SERVER_WRITE_KEY_CONST "\x73\x65\x72\x76\x65\x72\x20\x77\x72\x69\x74\x65\x20\x6b\x65\x79" /server write key/
		178	#undef TLS_MD_KEY_EXPANSION_CONST
		179	#define TLS_MD_KEY_EXPANSION_CONST "\x6b\x65\x79\x20\x65\x78\x70\x61\x6e\x73\x69\x6f\x6e" /key expansion/
		180	#undef TLS_MD_CLIENT_WRITE_KEY_CONST
		181	#define TLS_MD_CLIENT_WRITE_KEY_CONST "\x63\x6c\x69\x65\x6e\x74\x20\x77\x72\x69\x74\x65\x20\x6b\x65\x79" /client write key/
		182	#undef TLS_MD_SERVER_WRITE_KEY_CONST
		183	#define TLS_MD_SERVER_WRITE_KEY_CONST "\x73\x65\x72\x76\x65\x72\x20\x77\x72\x69\x74\x65\x20\x6b\x65\x79" /server write key/
		184	#undef TLS_MD_IV_BLOCK_CONST
		185	#define TLS_MD_IV_BLOCK_CONST "\x49\x56\x20\x62\x6c\x6f\x63\x6b" /IV block/
		186	#undef TLS_MD_MASTER_SECRET_CONST
		187	#define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74" /master secret/
		188	#endif
		189
111	#ifdef __cplusplus	190	#ifdef __cplusplus
112	}	191	}
113	#endif	192	#endif