The Tor Browser / file diff

diff: security/nss/lib/ssl/sslenum.c

security/nss/lib/ssl/sslenum.c

changeset 0
6474c204b198
     1.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     1.2 +++ b/security/nss/lib/ssl/sslenum.c	Wed Dec 31 06:09:35 2014 +0100
     1.3 @@ -0,0 +1,157 @@
     1.4 +/*
     1.5 + * Table enumerating all implemented cipher suites
     1.6 + * Part of public API.
     1.7 + *
     1.8 + * This Source Code Form is subject to the terms of the Mozilla Public
     1.9 + * License, v. 2.0. If a copy of the MPL was not distributed with this
    1.10 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
    1.11 +
    1.12 +#include "ssl.h"
    1.13 +#include "sslproto.h"
    1.14 +
    1.15 +/*
    1.16 + * The ordering of cipher suites in this table must match the ordering in
    1.17 + * the cipherSuites table in ssl3con.c.
    1.18 + *
    1.19 + * If new ECC cipher suites are added, also update the ssl3CipherSuite arrays
    1.20 + * in ssl3ecc.c.
    1.21 + *
    1.22 + * Finally, update the ssl_V3_SUITES_IMPLEMENTED macro in sslimpl.h.
    1.23 + *
    1.24 + * The ordering is as follows:
    1.25 + *    * No-encryption cipher suites last
    1.26 + *    * Export/weak/obsolete cipher suites before no-encryption cipher suites
    1.27 + *    * Order by key exchange algorithm: ECDHE, then DHE, then ECDH, RSA.
    1.28 + *    * Within key agreement sections, order by symmetric encryption algorithm:
    1.29 + *      AES-128, then Camellia-128, then AES-256, then Camellia-256, then SEED,
    1.30 + *      then FIPS-3DES, then 3DES, then RC4. AES is commonly accepted as a
    1.31 + *      strong cipher internationally, and is often hardware-accelerated.
    1.32 + *      Camellia also has wide international support across standards
    1.33 + *      organizations. SEED is only recommended by the Korean government. 3DES
    1.34 + *      only provides 112 bits of security. RC4 is now deprecated or forbidden
    1.35 + *      by many standards organizations.
    1.36 + *    * Within symmetric algorithm sections, order by message authentication
    1.37 + *      algorithm: GCM, then HMAC-SHA1, then HMAC-SHA256, then HMAC-MD5.
    1.38 + *    * Within message authentication algorithm sections, order by asymmetric
    1.39 + *      signature algorithm: ECDSA, then RSA, then DSS.
    1.40 + *
    1.41 + * Exception: Because some servers ignore the high-order byte of the cipher
    1.42 + * suite ID, we must be careful about adding cipher suites with IDs larger
    1.43 + * than 0x00ff; see bug 946147. For these broken servers, the first four cipher
    1.44 + * suites, with the MSB zeroed, look like:
    1.45 + *      TLS_KRB5_EXPORT_WITH_RC4_40_MD5 { 0x00,0x2B }
    1.46 + *      TLS_RSA_WITH_AES_128_CBC_SHA { 0x00,0x2F }
    1.47 + *      TLS_RSA_WITH_3DES_EDE_CBC_SHA { 0x00,0x0A }
    1.48 + *      TLS_RSA_WITH_DES_CBC_SHA { 0x00,0x09 }
    1.49 + * The broken server only supports the third and fourth ones and will select
    1.50 + * the third one.
    1.51 + */
    1.52 +const PRUint16 SSL_ImplementedCiphers[] = {
    1.53 +#ifndef NSS_DISABLE_ECC
    1.54 +    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
    1.55 +    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    1.56 +    /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA must appear before
    1.57 +     * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA to work around bug 946147.
    1.58 +     */
    1.59 +    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
    1.60 +    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
    1.61 +    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    1.62 +    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
    1.63 +    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
    1.64 +    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
    1.65 +    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
    1.66 +    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
    1.67 +    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
    1.68 +    TLS_ECDHE_RSA_WITH_RC4_128_SHA,
    1.69 +#endif /* NSS_DISABLE_ECC */
    1.70 +
    1.71 +    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
    1.72 +    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
    1.73 +    TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
    1.74 +    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
    1.75 +    TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
    1.76 +    TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
    1.77 +    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
    1.78 +    TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
    1.79 +    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
    1.80 +    TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
    1.81 +    TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
    1.82 +    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
    1.83 +    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
    1.84 +    TLS_DHE_DSS_WITH_RC4_128_SHA,
    1.85 +
    1.86 +#ifndef NSS_DISABLE_ECC
    1.87 +    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
    1.88 +    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
    1.89 +    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
    1.90 +    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
    1.91 +    TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
    1.92 +    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
    1.93 +    TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
    1.94 +    TLS_ECDH_RSA_WITH_RC4_128_SHA,
    1.95 +#endif /* NSS_DISABLE_ECC */
    1.96 +
    1.97 +    TLS_RSA_WITH_AES_128_GCM_SHA256,
    1.98 +    TLS_RSA_WITH_AES_128_CBC_SHA,
    1.99 +    TLS_RSA_WITH_AES_128_CBC_SHA256,
   1.100 +    TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
   1.101 +    TLS_RSA_WITH_AES_256_CBC_SHA,
   1.102 +    TLS_RSA_WITH_AES_256_CBC_SHA256,
   1.103 +    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
   1.104 +    TLS_RSA_WITH_SEED_CBC_SHA,
   1.105 +    SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
   1.106 +    TLS_RSA_WITH_3DES_EDE_CBC_SHA,
   1.107 +    TLS_RSA_WITH_RC4_128_SHA,
   1.108 +    TLS_RSA_WITH_RC4_128_MD5,
   1.109 +
   1.110 +    /* 56-bit DES "domestic" cipher suites */
   1.111 +    TLS_DHE_RSA_WITH_DES_CBC_SHA,
   1.112 +    TLS_DHE_DSS_WITH_DES_CBC_SHA,
   1.113 +    SSL_RSA_FIPS_WITH_DES_CBC_SHA,
   1.114 +    TLS_RSA_WITH_DES_CBC_SHA,
   1.115 +
   1.116 +    /* export ciphersuites with 1024-bit public key exchange keys */
   1.117 +    TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
   1.118 +    TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
   1.119 +
   1.120 +    /* export ciphersuites with 512-bit public key exchange keys */
   1.121 +    TLS_RSA_EXPORT_WITH_RC4_40_MD5,
   1.122 +    TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
   1.123 +
   1.124 +    /* ciphersuites with no encryption */
   1.125 +#ifndef NSS_DISABLE_ECC
   1.126 +    TLS_ECDHE_ECDSA_WITH_NULL_SHA,
   1.127 +    TLS_ECDHE_RSA_WITH_NULL_SHA,
   1.128 +    TLS_ECDH_RSA_WITH_NULL_SHA,
   1.129 +    TLS_ECDH_ECDSA_WITH_NULL_SHA,
   1.130 +#endif /* NSS_DISABLE_ECC */
   1.131 +    TLS_RSA_WITH_NULL_SHA,
   1.132 +    TLS_RSA_WITH_NULL_SHA256,
   1.133 +    TLS_RSA_WITH_NULL_MD5,
   1.134 +
   1.135 +    /* SSL2 cipher suites. */
   1.136 +    SSL_EN_RC4_128_WITH_MD5,
   1.137 +    SSL_EN_RC2_128_CBC_WITH_MD5,
   1.138 +    SSL_EN_DES_192_EDE3_CBC_WITH_MD5,  /* actually 112, not 192 */
   1.139 +    SSL_EN_DES_64_CBC_WITH_MD5,
   1.140 +    SSL_EN_RC4_128_EXPORT40_WITH_MD5,
   1.141 +    SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5,
   1.142 +
   1.143 +    0
   1.144 +
   1.145 +};
   1.146 +
   1.147 +const PRUint16 SSL_NumImplementedCiphers = 
   1.148 +    (sizeof SSL_ImplementedCiphers) / (sizeof SSL_ImplementedCiphers[0]) - 1;
   1.149 +
   1.150 +const PRUint16 *
   1.151 +SSL_GetImplementedCiphers(void)
   1.152 +{
   1.153 +    return SSL_ImplementedCiphers;
   1.154 +}
   1.155 +
   1.156 +PRUint16
   1.157 +SSL_GetNumImplementedCiphers(void)
   1.158 +{
   1.159 +    return SSL_NumImplementedCiphers;
   1.160 +}

Mercurial Repository: The Tor Browser

Europalab SCM Repository Server

mercurial