Paul Bakker68884e32013-01-07 18:20:04 +01001/**
2 * \file ssl_ciphersuites.c
3 *
4 * \brief SSL ciphersuites for PolarSSL
5 *
6 * Copyright (C) 2006-2013, Brainspark B.V.
7 *
8 * This file is part of PolarSSL (http://www.polarssl.org)
9 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
10 *
11 * All rights reserved.
12 *
13 * This program is free software; you can redistribute it and/or modify
14 * it under the terms of the GNU General Public License as published by
15 * the Free Software Foundation; either version 2 of the License, or
16 * (at your option) any later version.
17 *
18 * This program is distributed in the hope that it will be useful,
19 * but WITHOUT ANY WARRANTY; without even the implied warranty of
20 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21 * GNU General Public License for more details.
22 *
23 * You should have received a copy of the GNU General Public License along
24 * with this program; if not, write to the Free Software Foundation, Inc.,
25 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
26 */
27
#include "polarssl/config.h"

#if defined(POLARSSL_SSL_TLS_C)

#include "polarssl/ssl_ciphersuites.h"
#include "polarssl/ssl.h"

#include <stdlib.h>
#include <string.h>
36
/*
 * Ordered from most preferred to least preferred in terms of security.
 *
 * ssl_list_ciphersuites() walks this list front to back and keeps every id
 * that has an entry in ciphersuite_definitions, so the order written here is
 * the order callers receive. The list is terminated by 0.
 *
 * NOTE(review): within the AES tiers the CBC-SHA2 suites are listed ahead of
 * the GCM (AEAD) suites; confirm that this ordering is intended.
 */
static const int ciphersuite_preference[] =
{
    /* All AES-256 ephemeral suites */
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,

    /* All CAMELLIA-256 ephemeral suites */
    TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
    TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
    TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,

    /* All AES-128 ephemeral suites */
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,

    /* All CAMELLIA-128 ephemeral suites */
    TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
    TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
    TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,

    /*
     * All remaining ephemeral suites (3DES and RC4-128).
     * NOTE(review): this group was labelled "> 128-bit", but RC4-128 uses a
     * 128-bit key and 3-key 3DES is usually rated at about 112 bits of
     * strength, so neither is stronger than the AES-128 tier above.
     */
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
    TLS_ECDHE_RSA_WITH_RC4_128_SHA,

    /* The PSK ephemeral suites */
    TLS_DHE_PSK_WITH_AES_256_CBC_SHA,
    TLS_DHE_PSK_WITH_AES_128_CBC_SHA,
    TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
    TLS_DHE_PSK_WITH_RC4_128_SHA,

    /* All AES-256 suites */
    TLS_RSA_WITH_AES_256_CBC_SHA256,
    TLS_RSA_WITH_AES_256_GCM_SHA384,
    TLS_RSA_WITH_AES_256_CBC_SHA,

    /* All CAMELLIA-256 suites */
    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,

    /* All AES-128 suites */
    TLS_RSA_WITH_AES_128_CBC_SHA256,
    TLS_RSA_WITH_AES_128_GCM_SHA256,
    TLS_RSA_WITH_AES_128_CBC_SHA,

    /* All CAMELLIA-128 suites */
    TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
    TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,

    /*
     * All remaining suites without forward secrecy (3DES, RC4-128).
     * The "> 128-bit" caveat noted on the ephemeral 3DES/RC4 group applies
     * here as well.
     */
    TLS_RSA_WITH_3DES_EDE_CBC_SHA,
    TLS_RSA_WITH_RC4_128_SHA,
    TLS_RSA_WITH_RC4_128_MD5,

    /* The RSA PSK suites */
    TLS_RSA_PSK_WITH_AES_256_CBC_SHA,
    TLS_RSA_PSK_WITH_AES_128_CBC_SHA,
    TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
    TLS_RSA_PSK_WITH_RC4_128_SHA,

    /* The PSK suites */
    TLS_PSK_WITH_AES_256_CBC_SHA,
    TLS_PSK_WITH_AES_128_CBC_SHA,
    TLS_PSK_WITH_3DES_EDE_CBC_SHA,
    TLS_PSK_WITH_RC4_128_SHA,

    /*
     * Weak or NULL suites: single DES, and NULL-cipher suites that
     * authenticate records but do not encrypt them.
     */
    TLS_DHE_RSA_WITH_DES_CBC_SHA,
    TLS_RSA_WITH_DES_CBC_SHA,
    TLS_ECDHE_RSA_WITH_NULL_SHA,
    TLS_RSA_WITH_NULL_SHA256,
    TLS_RSA_WITH_NULL_SHA,
    TLS_RSA_WITH_NULL_MD5,

    /* End-of-list marker */
    0
};
124
/*
 * Capacity of supported_ciphersuites, including its 0 terminator.
 * ssl_list_ciphersuites() copies ids from ciphersuite_preference into that
 * array, so this value must stay larger than the number of ids listed there.
 */
#define MAX_CIPHERSUITES 60
/* Cached result returned by ssl_list_ciphersuites(). */
static int supported_ciphersuites[MAX_CIPHERSUITES];
/* Set to 1 by ssl_list_ciphersuites() once the cache has been filled. */
static int supported_init = 0;
128
/*
 * Definitions of every ciphersuite available in this build. Which entries
 * exist is decided entirely by the preprocessor guards around them.
 *
 * Each initializer lists, in order: the suite id, its name string, the
 * cipher, the MAC digest, the key exchange, two (major, minor) version
 * pairs and a flags word.
 * NOTE(review): the two version pairs are presumably the minimum and maximum
 * protocol version for the suite -- confirm against ssl_ciphersuite_t in
 * polarssl/ssl_ciphersuites.h.
 *
 * The table ends with an entry whose id is 0; the lookup functions in this
 * file stop at that entry.
 */
static const ssl_ciphersuite_t ciphersuite_definitions[] =
{
#if defined(POLARSSL_X509_PARSE_C) && defined(POLARSSL_RSA_C)
#if defined(POLARSSL_ECDH_C)
#if defined(POLARSSL_AES_C)
    { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA",
      POLARSSL_CIPHER_AES_128_CBC, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_ECDHE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      POLARSSL_CIPHERSUITE_EC },
    { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA",
      POLARSSL_CIPHER_AES_256_CBC, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_ECDHE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      POLARSSL_CIPHERSUITE_EC },
#if defined(POLARSSL_SHA2_C)
    { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256",
      POLARSSL_CIPHER_AES_128_CBC, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_ECDHE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      POLARSSL_CIPHERSUITE_EC },
#if defined(POLARSSL_GCM_C)
    { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256",
      POLARSSL_CIPHER_AES_128_GCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_ECDHE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      POLARSSL_CIPHERSUITE_EC },
#endif /* POLARSSL_GCM_C */
#endif /* POLARSSL_SHA2_C */
#if defined(POLARSSL_SHA4_C)
    { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384",
      POLARSSL_CIPHER_AES_256_CBC, POLARSSL_MD_SHA384, POLARSSL_KEY_EXCHANGE_ECDHE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      POLARSSL_CIPHERSUITE_EC },
#if defined(POLARSSL_GCM_C)
    { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384",
      POLARSSL_CIPHER_AES_256_GCM, POLARSSL_MD_SHA384, POLARSSL_KEY_EXCHANGE_ECDHE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      POLARSSL_CIPHERSUITE_EC },
#endif /* POLARSSL_GCM_C */
#endif /* POLARSSL_SHA4_C */
#endif /* POLARSSL_AES_C */

#if defined(POLARSSL_CAMELLIA_C)
#if defined(POLARSSL_SHA2_C)
    { TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256",
      POLARSSL_CIPHER_CAMELLIA_128_CBC, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_ECDHE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      POLARSSL_CIPHERSUITE_EC },
#endif /* POLARSSL_SHA2_C */
#if defined(POLARSSL_SHA4_C)
    { TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384, "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA384",
      POLARSSL_CIPHER_CAMELLIA_256_CBC, POLARSSL_MD_SHA384, POLARSSL_KEY_EXCHANGE_ECDHE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      POLARSSL_CIPHERSUITE_EC },
#endif /* POLARSSL_SHA4_C */
#endif /* POLARSSL_CAMELLIA_C */

#if defined(POLARSSL_DES_C)
    { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, "TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA",
      POLARSSL_CIPHER_DES_EDE3_CBC, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_ECDHE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      POLARSSL_CIPHERSUITE_EC },
#endif /* POLARSSL_DES_C */

#if defined(POLARSSL_ARC4_C)
    { TLS_ECDHE_RSA_WITH_RC4_128_SHA, "TLS-ECDHE-RSA-WITH-RC4-128-SHA",
      POLARSSL_CIPHER_ARC4_128, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_ECDHE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      POLARSSL_CIPHERSUITE_EC },
#endif /* POLARSSL_ARC4_C */

#if defined(POLARSSL_CIPHER_NULL_CIPHER)
    /*
     * NOTE(review): this NULL-cipher entry is not wrapped in
     * POLARSSL_ENABLE_WEAK_CIPHERSUITES, unlike the TLS_RSA_WITH_NULL_*
     * entries further down. It is compiled in whenever
     * POLARSSL_CIPHER_NULL_CIPHER and POLARSSL_ECDH_C are defined; confirm
     * that this is intended.
     */
    { TLS_ECDHE_RSA_WITH_NULL_SHA, "TLS-ECDHE-RSA-WITH-NULL-SHA",
      POLARSSL_CIPHER_NULL, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_ECDHE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      POLARSSL_CIPHERSUITE_EC | POLARSSL_CIPHERSUITE_WEAK },
#endif /* POLARSSL_CIPHER_NULL_CIPHER */
#endif /* POLARSSL_ECDH_C */

#if defined(POLARSSL_ARC4_C)
    /*
     * NOTE(review): the RC4 entries in this table (including RC4 with MD5)
     * carry a flags value without POLARSSL_CIPHERSUITE_WEAK and need only
     * POLARSSL_ARC4_C to be compiled in.
     */
    { TLS_RSA_WITH_RC4_128_MD5, "TLS-RSA-WITH-RC4-128-MD5",
      POLARSSL_CIPHER_ARC4_128, POLARSSL_MD_MD5, POLARSSL_KEY_EXCHANGE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },

    { TLS_RSA_WITH_RC4_128_SHA, "TLS-RSA-WITH-RC4-128-SHA",
      POLARSSL_CIPHER_ARC4_128, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },
#endif /* POLARSSL_ARC4_C */

#if defined(POLARSSL_DHM_C)
#if defined(POLARSSL_AES_C)
#if defined(POLARSSL_SHA4_C) && defined(POLARSSL_GCM_C)
    { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384",
      POLARSSL_CIPHER_AES_256_GCM, POLARSSL_MD_SHA384, POLARSSL_KEY_EXCHANGE_DHE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },
#endif /* POLARSSL_SHA4_C && POLARSSL_GCM_C */

#if defined(POLARSSL_SHA2_C)
#if defined(POLARSSL_GCM_C)
    { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256",
      POLARSSL_CIPHER_AES_128_GCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_DHE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },
#endif /* POLARSSL_GCM_C */

    { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256",
      POLARSSL_CIPHER_AES_128_CBC, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_DHE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },

    { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256",
      POLARSSL_CIPHER_AES_256_CBC, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_DHE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },
#endif /* POLARSSL_SHA2_C */

    { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, "TLS-DHE-RSA-WITH-AES-128-CBC-SHA",
      POLARSSL_CIPHER_AES_128_CBC, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_DHE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },

    { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, "TLS-DHE-RSA-WITH-AES-256-CBC-SHA",
      POLARSSL_CIPHER_AES_256_CBC, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_DHE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },
#endif /* POLARSSL_AES_C */

#if defined(POLARSSL_CAMELLIA_C)
#if defined(POLARSSL_SHA2_C)
    { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256",
      POLARSSL_CIPHER_CAMELLIA_128_CBC, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_DHE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },

    { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256",
      POLARSSL_CIPHER_CAMELLIA_256_CBC, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_DHE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },
#endif /* POLARSSL_SHA2_C */

    { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA",
      POLARSSL_CIPHER_CAMELLIA_128_CBC, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_DHE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },

    { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA",
      POLARSSL_CIPHER_CAMELLIA_256_CBC, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_DHE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },
#endif /* POLARSSL_CAMELLIA_C */

#if defined(POLARSSL_DES_C)
    { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA",
      POLARSSL_CIPHER_DES_EDE3_CBC, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_DHE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },
#endif /* POLARSSL_DES_C */
#endif /* POLARSSL_DHM_C */

#if defined(POLARSSL_AES_C)
#if defined(POLARSSL_SHA4_C) && defined(POLARSSL_GCM_C)
    { TLS_RSA_WITH_AES_256_GCM_SHA384, "TLS-RSA-WITH-AES-256-GCM-SHA384",
      POLARSSL_CIPHER_AES_256_GCM, POLARSSL_MD_SHA384, POLARSSL_KEY_EXCHANGE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },
#endif /* POLARSSL_SHA4_C && POLARSSL_GCM_C */

#if defined(POLARSSL_SHA2_C)
#if defined(POLARSSL_GCM_C)
    { TLS_RSA_WITH_AES_128_GCM_SHA256, "TLS-RSA-WITH-AES-128-GCM-SHA256",
      POLARSSL_CIPHER_AES_128_GCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },
#endif /* POLARSSL_GCM_C */

    { TLS_RSA_WITH_AES_128_CBC_SHA256, "TLS-RSA-WITH-AES-128-CBC-SHA256",
      POLARSSL_CIPHER_AES_128_CBC, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },

    { TLS_RSA_WITH_AES_256_CBC_SHA256, "TLS-RSA-WITH-AES-256-CBC-SHA256",
      POLARSSL_CIPHER_AES_256_CBC, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },
#endif /* POLARSSL_SHA2_C */

    { TLS_RSA_WITH_AES_128_CBC_SHA, "TLS-RSA-WITH-AES-128-CBC-SHA",
      POLARSSL_CIPHER_AES_128_CBC, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },

    { TLS_RSA_WITH_AES_256_CBC_SHA, "TLS-RSA-WITH-AES-256-CBC-SHA",
      POLARSSL_CIPHER_AES_256_CBC, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },
#endif /* POLARSSL_AES_C */

#if defined(POLARSSL_CAMELLIA_C)
#if defined(POLARSSL_SHA2_C)
    { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256",
      POLARSSL_CIPHER_CAMELLIA_128_CBC, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },

    { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256, "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256",
      POLARSSL_CIPHER_CAMELLIA_256_CBC, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },
#endif /* POLARSSL_SHA2_C */

    { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA",
      POLARSSL_CIPHER_CAMELLIA_128_CBC, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },

    { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA",
      POLARSSL_CIPHER_CAMELLIA_256_CBC, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },
#endif /* POLARSSL_CAMELLIA_C */

#if defined(POLARSSL_DES_C)
    { TLS_RSA_WITH_3DES_EDE_CBC_SHA, "TLS-RSA-WITH-3DES-EDE-CBC-SHA",
      POLARSSL_CIPHER_DES_EDE3_CBC, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },
#endif /* POLARSSL_DES_C */
#endif /* POLARSSL_X509_PARSE_C && POLARSSL_RSA_C */

#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
#if defined(POLARSSL_AES_C)
    { TLS_PSK_WITH_AES_128_CBC_SHA, "TLS-PSK-WITH-AES-128-CBC-SHA",
      POLARSSL_CIPHER_AES_128_CBC, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_PSK,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },

    { TLS_PSK_WITH_AES_256_CBC_SHA, "TLS-PSK-WITH-AES-256-CBC-SHA",
      POLARSSL_CIPHER_AES_256_CBC, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_PSK,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },
#endif /* POLARSSL_AES_C */

#if defined(POLARSSL_DES_C)
    { TLS_PSK_WITH_3DES_EDE_CBC_SHA, "TLS-PSK-WITH-3DES-EDE-CBC-SHA",
      POLARSSL_CIPHER_DES_EDE3_CBC, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_PSK,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },
#endif /* POLARSSL_DES_C */

#if defined(POLARSSL_ARC4_C)
    { TLS_PSK_WITH_RC4_128_SHA, "TLS-PSK-WITH-RC4-128-SHA",
      POLARSSL_CIPHER_ARC4_128, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_PSK,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },
#endif /* POLARSSL_ARC4_C */

#if defined(POLARSSL_DHM_C)
#if defined(POLARSSL_AES_C)
    { TLS_DHE_PSK_WITH_AES_128_CBC_SHA, "TLS-DHE-PSK-WITH-AES-128-CBC-SHA",
      POLARSSL_CIPHER_AES_128_CBC, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_DHE_PSK,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },

    { TLS_DHE_PSK_WITH_AES_256_CBC_SHA, "TLS-DHE-PSK-WITH-AES-256-CBC-SHA",
      POLARSSL_CIPHER_AES_256_CBC, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_DHE_PSK,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },
#endif /* POLARSSL_AES_C */

#if defined(POLARSSL_DES_C)
    { TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA, "TLS-DHE-PSK-WITH-3DES-EDE-CBC-SHA",
      POLARSSL_CIPHER_DES_EDE3_CBC, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_DHE_PSK,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },
#endif /* POLARSSL_DES_C */

#if defined(POLARSSL_ARC4_C)
    { TLS_DHE_PSK_WITH_RC4_128_SHA, "TLS-DHE-PSK-WITH-RC4-128-SHA",
      POLARSSL_CIPHER_ARC4_128, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_DHE_PSK,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },
#endif /* POLARSSL_ARC4_C */
#endif /* POLARSSL_DHM_C */

#if defined(POLARSSL_X509_PARSE_C) && defined(POLARSSL_RSA_C)
#if defined(POLARSSL_AES_C)
    { TLS_RSA_PSK_WITH_AES_128_CBC_SHA, "TLS-RSA-PSK-WITH-AES-128-CBC-SHA",
      POLARSSL_CIPHER_AES_128_CBC, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_RSA_PSK,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },

    { TLS_RSA_PSK_WITH_AES_256_CBC_SHA, "TLS-RSA-PSK-WITH-AES-256-CBC-SHA",
      POLARSSL_CIPHER_AES_256_CBC, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_RSA_PSK,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },
#endif /* POLARSSL_AES_C */

#if defined(POLARSSL_DES_C)
    { TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA, "TLS-RSA-PSK-WITH-3DES-EDE-CBC-SHA",
      POLARSSL_CIPHER_DES_EDE3_CBC, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_RSA_PSK,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },
#endif /* POLARSSL_DES_C */

#if defined(POLARSSL_ARC4_C)
    { TLS_RSA_PSK_WITH_RC4_128_SHA, "TLS-RSA-PSK-WITH-RC4-128-SHA",
      POLARSSL_CIPHER_ARC4_128, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_RSA_PSK,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },
#endif /* POLARSSL_ARC4_C */
#endif /* POLARSSL_X509_PARSE_C && POLARSSL_RSA_C */
#endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */

    /*
     * Suites below are compiled in only when the build explicitly opts in
     * with POLARSSL_ENABLE_WEAK_CIPHERSUITES; each is tagged
     * POLARSSL_CIPHERSUITE_WEAK.
     */
#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
#if defined(POLARSSL_X509_PARSE_C) && defined(POLARSSL_RSA_C)
#if defined(POLARSSL_CIPHER_NULL_CIPHER)
    { TLS_RSA_WITH_NULL_MD5, "TLS-RSA-WITH-NULL-MD5",
      POLARSSL_CIPHER_NULL, POLARSSL_MD_MD5, POLARSSL_KEY_EXCHANGE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      POLARSSL_CIPHERSUITE_WEAK },

    { TLS_RSA_WITH_NULL_SHA, "TLS-RSA-WITH-NULL-SHA",
      POLARSSL_CIPHER_NULL, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      POLARSSL_CIPHERSUITE_WEAK },

    /*
     * NOTE(review): every other SHA256 entry in this table sits inside
     * POLARSSL_SHA2_C and uses SSL_MINOR_VERSION_3 in its first version
     * pair; this one has neither. Confirm whether that is intended.
     */
    { TLS_RSA_WITH_NULL_SHA256, "TLS-RSA-WITH-NULL-SHA256",
      POLARSSL_CIPHER_NULL, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      POLARSSL_CIPHERSUITE_WEAK },
#endif /* POLARSSL_CIPHER_NULL_CIPHER */

#if defined(POLARSSL_DES_C)
#if defined(POLARSSL_DHM_C)
    { TLS_DHE_RSA_WITH_DES_CBC_SHA, "TLS-DHE-RSA-WITH-DES-CBC-SHA",
      POLARSSL_CIPHER_DES_CBC, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_DHE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      POLARSSL_CIPHERSUITE_WEAK },
#endif /* POLARSSL_DHM_C */

    { TLS_RSA_WITH_DES_CBC_SHA, "TLS-RSA-WITH-DES-CBC-SHA",
      POLARSSL_CIPHER_DES_CBC, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_RSA,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      POLARSSL_CIPHERSUITE_WEAK },
#endif /* POLARSSL_DES_C */
#endif /* POLARSSL_X509_PARSE_C && POLARSSL_RSA_C */

#endif /* POLARSSL_ENABLE_WEAK_CIPHERSUITES */

    /* End-of-table marker: id 0 stops the lookup loops. */
    { 0, "", 0, 0, 0, 0, 0, 0, 0, 0 }
};
532
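/**
 * \brief   Return the list of ciphersuites supported by this build.
 *
 *          The list is built on the first call by filtering
 *          ciphersuite_preference against ciphersuite_definitions, and is
 *          cached in supported_ciphersuites for later calls.
 *
 *          NOTE(review): supported_init is read and written without any
 *          locking visible in this file; confirm that callers serialise
 *          the first call.
 *
 * \return  pointer to a static array of ciphersuite ids, in preference
 *          order, terminated by 0
 */
const int *ssl_list_ciphersuites( void )
{
    /*
     * On initial call filter out all ciphersuites not supported by current
     * build based on presence in the ciphersuite_definitions.
     */
    if( supported_init == 0 )
    {
        const int *p = ciphersuite_preference;
        int *q = supported_ciphersuites;
        /* The last slot is reserved for the 0 terminator. */
        const int *end = supported_ciphersuites + MAX_CIPHERSUITES - 1;

        memset( supported_ciphersuites, 0x00, sizeof(supported_ciphersuites) );

        /*
         * Stop at the capacity limit as well as at the end of the preference
         * list, so a preference list that outgrows MAX_CIPHERSUITES cannot
         * write past the array or overwrite the terminator.
         */
        while( *p != 0 && q < end )
        {
            if( ssl_ciphersuite_from_id( *p ) != NULL )
                *(q++) = *p;

            p++;
        }
        supported_init = 1;
    }

    return supported_ciphersuites;
}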
558
/**
 * \brief   Look up a ciphersuite definition by name.
 *
 *          Names are compared with strcasecmp(), so the match ignores case.
 *
 * \param ciphersuite_name  name to search for; may be NULL
 *
 * \return  the matching entry of ciphersuite_definitions, or NULL when the
 *          name is NULL or no entry matches
 */
const ssl_ciphersuite_t *ssl_ciphersuite_from_string( const char *ciphersuite_name )
{
    const ssl_ciphersuite_t *entry;

    if( ciphersuite_name == NULL )
        return( NULL );

    /* The table ends with an entry whose id is 0. */
    for( entry = ciphersuite_definitions; entry->id != 0; entry++ )
    {
        if( strcasecmp( entry->name, ciphersuite_name ) == 0 )
            return( entry );
    }

    return( NULL );
}
576
/**
 * \brief   Look up a ciphersuite definition by its numeric id.
 *
 * \param ciphersuite  id to search for
 *
 * \return  the matching entry of ciphersuite_definitions, or NULL when no
 *          entry has that id (id 0 marks the end of the table and is never
 *          returned)
 */
const ssl_ciphersuite_t *ssl_ciphersuite_from_id( int ciphersuite )
{
    const ssl_ciphersuite_t *entry;

    /* Linear scan up to the terminating entry (id 0). */
    for( entry = ciphersuite_definitions; entry->id != 0; entry++ )
    {
        if( entry->id == ciphersuite )
            return( entry );
    }

    return( NULL );
}
591
/**
 * \brief   Return the name string of a ciphersuite id.
 *
 * \param ciphersuite_id  id to translate
 *
 * \return  the name stored in the definition for that id, or the literal
 *          "unknown" when ssl_ciphersuite_from_id() finds no entry
 */
const char *ssl_get_ciphersuite_name( const int ciphersuite_id )
{
    const ssl_ciphersuite_t *info = ssl_ciphersuite_from_id( ciphersuite_id );

    return( info != NULL ? info->name : "unknown" );
}
603
/**
 * \brief   Return the numeric id of a ciphersuite name.
 *
 * \param ciphersuite_name  name to translate; matched as by
 *                          ssl_ciphersuite_from_string()
 *
 * \return  the id stored in the definition for that name, or 0 when
 *          ssl_ciphersuite_from_string() finds no entry
 */
int ssl_get_ciphersuite_id( const char *ciphersuite_name )
{
    const ssl_ciphersuite_t *info = ssl_ciphersuite_from_string( ciphersuite_name );

    return( info != NULL ? info->id : 0 );
}
615
616#endif